charon-nm: Set DPD/close action to restart and enable indefinite keying tries
authorTobias Brunner <tobias@strongswan.org>
Mon, 18 May 2020 12:17:24 +0000 (14:17 +0200)
committerTobias Brunner <tobias@strongswan.org>
Mon, 6 Jul 2020 11:47:16 +0000 (13:47 +0200)
We don't track CHILD_SA down events anymore and rely on NM's initial timeout
to let the user know if the connection failed initially.  So we also don't
have to explicitly differentiate between initial connection failures and
later ones like we do on Android.  Also, with the default retransmission
settings, there will only be one keying try as NM's timeout is lower than
the combined retransmission timeout of 165s.

There is no visual indicator while the connection is reestablished later.

Fixes #3300.

src/charon-nm/nm/nm_service.c

index 4ea20f990592c9bb983ebb5476de018464f9c206..83fcaf898d3d12e12a26710da76703296c91fcc2 100644 (file)
@@ -307,22 +307,12 @@ METHOD(listener_t, child_updown, bool,
        NMStrongswanPluginPrivate *this, ike_sa_t *ike_sa, child_sa_t *child_sa,
        bool up)
 {
-       if (this->ike_sa == ike_sa)
+       if (this->ike_sa == ike_sa && up)
        {
-               if (up)
-               {       /* disable initiate-failure-detection hooks */
-                       this->listener.ike_state_change = NULL;
-                       this->listener.child_state_change = NULL;
-                       signal_ip_config(this->plugin, ike_sa, child_sa);
-               }
-               else
-               {
-                       if (ike_sa->has_condition(ike_sa, COND_REAUTHENTICATING))
-                       {       /* we ignore this during reauthentication */
-                               return TRUE;
-                       }
-                       signal_failure(this->plugin, NM_VPN_PLUGIN_FAILURE_CONNECT_FAILED);
-               }
+               /* disable initiate-failure-detection hooks */
+               this->listener.ike_state_change = NULL;
+               this->listener.child_state_change = NULL;
+               signal_ip_config(this->plugin, ike_sa, child_sa);
        }
        return TRUE;
 }
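Review bot: The combined condition `if (this->ike_sa == ike_sa && up)` silently drops the former down-event path, and nothing in the function says that this is deliberate; a later reader will read it as a lost branch rather than as "reestablishment is now handled by the DPD/close actions". I would put the rationale on the condition itself, e.g. `/* down events are intentionally not reported to NM: the dpd/close actions restart the SA and NM's initial timeout covers the first attempt */`. Note also that the up path now fires for every CHILD_SA that comes up on the tracked IKE_SA, so `signal_ip_config` is presumably re-sent after each restart or rekey (assuming `this->ike_sa` is kept current on reestablish elsewhere, which is not visible here); a one-line comment that NM tolerates repeated config signals would close that question. The function's signature line precedes the hunk (it appears only in the `@@` context).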
@@ -618,7 +608,6 @@ static gboolean connect_(NMVpnServicePlugin *plugin, NMConnection *connection,
        peer_cfg_create_t peer = {
                .cert_policy = CERT_SEND_IF_ASKED,
                .unique = UNIQUE_REPLACE,
-               .keyingtries = 1,
                .rekey_time = 36000, /* 10h */
                .jitter_time = 600, /* 10min */
                .over_time = 600, /* 10min */
@@ -632,6 +621,8 @@ static gboolean connect_(NMVpnServicePlugin *plugin, NMConnection *connection,
                        },
                },
                .mode = MODE_TUNNEL,
+               .dpd_action = ACTION_RESTART,
+               .close_action = ACTION_RESTART,
        };
 
        /**
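Review bot: `.close_action = ACTION_RESTART` together with the now-unlimited keying tries (hunk above) means a persistent failure — a revoked certificate, rejected EAP credentials, or a gateway that deliberately deletes the session — becomes an indefinite reconnect loop that NetworkManager never surfaces, since per the description the initial timeout is the only user-visible failure signal. Repeated EAP attempts against a gateway with a lockout policy can lock the account, and a deliberate server-side close is immediately countered by a new IKE_SA. At minimum the trade-off should be documented on the initializer, e.g. `/* reconnect indefinitely on DPD timeout or peer close; only the initial attempt is reported to NM, see the connect timeout */`, and it is worth confirming whether an AUTHENTICATION_FAILED notify stops or throttles the loop — charon's retry scheduling after such a failure is not visible in this hunk. `connect_` begins and ends outside the hunk.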