ike: Disable NAT keepalives in state PASSIVE

Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>

diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c
index 6ffbd55bd515e78c1f4f72ed9d0a1bb1c3c6be3b..3bfd149f2592a0342c05cd57e4eba59b5668a369 100644 (file)
--- a/src/libcharon/sa/ike_sa.c
+++ b/src/libcharon/sa/ike_sa.c
@@ -487,8 +487,9 @@ METHOD(ike_sa_t, send_keepalive, void,
        send_keepalive_job_t *job;
        time_t last_out, now, diff;
 
-       if (!(this->conditions & COND_NAT_HERE) || this->keepalive_interval == 0)
-       {       /* disable keep alives if we are not NATed anymore */
+       if (!(this->conditions & COND_NAT_HERE) || this->keepalive_interval == 0 ||
+               this->state == IKE_PASSIVE)
+       {       /* disable keep alives if we are not NATed anymore, or we are passive */
                return;
        }
 
@@ -651,7 +652,7 @@ METHOD(ike_sa_t, get_state, ike_sa_state_t,
 METHOD(ike_sa_t, set_state, void,
        private_ike_sa_t *this, ike_sa_state_t state)
 {
-       bool trigger_dpd = FALSE;
+       bool trigger_dpd = FALSE, keepalives = FALSE;
 
        DBG2(DBG_IKE, "IKE_SA %s[%d] state change: %N => %N",
                 get_name(this), this->unique_id,
@@ -722,6 +723,10 @@ METHOD(ike_sa_t, set_state, void,
                                         * so yet, so prevent that. */
                                        this->stats[STAT_INBOUND] = this->stats[STAT_ESTABLISHED];
                                }
+                               if (this->state == IKE_PASSIVE)
+                               {
+                                       keepalives = TRUE;
+                               }
                        }
                        break;
                }
@@ -742,6 +747,10 @@ METHOD(ike_sa_t, set_state, void,
                        DBG1(DBG_IKE, "DPD not supported by peer, disabled");
                }
        }
+       if (keepalives)
+       {
+               send_keepalive(this);
+       }
 }
 
 METHOD(ike_sa_t, reset, void,