ike-sa: Only query last use time of CHILD_SAs if UDP-encap is used
authorTobias Brunner <tobias@strongswan.org>
Tue, 21 Jan 2025 16:08:44 +0000 (17:08 +0100)
committerTobias Brunner <tobias@strongswan.org>
Fri, 28 Feb 2025 15:19:02 +0000 (16:19 +0100)
Without UDP-encapsulation, the IKE and ESP traffic is not directly related
(other than via IPs), so firewalls might not keep the state for IKE traffic
alive if there is no IKE traffic for a while and constant ESP traffic
prevents DPDs from being exchanged because inbound ESP traffic is
considered.

Closes strongswan/strongswan#1759

src/libcharon/sa/ike_sa.c

index 83865635d9be3628c7de6c4142517c17012f48ec..4a88e7ee55cb6643c8f666cd490c641fb1016221 100644 (file)
@@ -369,14 +369,18 @@ static time_t get_use_time(private_ike_sa_t* this, bool inbound)
                use_time = this->stats[STAT_OUTBOUND];
        }
 
-       enumerator = array_create_enumerator(this->child_sas);
-       while (enumerator->enumerate(enumerator, &child_sa))
+       /* only consider IPsec traffic if we use UDP-encapsulation and they take
+        * the same path */
+       if (this->public.has_condition(&this->public, COND_NAT_ANY))
        {
-               child_sa->get_usestats(child_sa, inbound, &current, NULL, NULL);
-               use_time = max(use_time, current);
+               enumerator = array_create_enumerator(this->child_sas);
+               while (enumerator->enumerate(enumerator, &child_sa))
+               {
+                       child_sa->get_usestats(child_sa, inbound, &current, NULL, NULL);
+                       use_time = max(use_time, current);
+               }
+               enumerator->destroy(enumerator);
        }
-       enumerator->destroy(enumerator);
-
        return use_time;
 }
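Review bot: The new guard at the top of the block tests COND_NAT_ANY while the comment above it talks about UDP-encapsulation; the equivalence is not visible in this hunk, so the comment should spell out which cases the flag covers — presumably a NAT detected on either side and, if that flag set also includes the forced-encapsulation condition, `forceencaps` connections too, which a reader might otherwise assume now lose the CHILD_SA use time from the liveness calculation. I would reword it to `/* only consider IPsec traffic if UDP-encapsulation is in use (COND_NAT_ANY), as only then do IKE and ESP share one UDP flow and hence the same firewall state */`. Since this value drives DPD scheduling, it is also worth one line in the function's header comment saying that without encapsulation the CHILD_SA use time is deliberately ignored so that DPDs keep the IKE firewall state alive even under constant ESP traffic. get_use_time starts before this hunk, so its header comment and the declarations of `enumerator`, `child_sa` and `current` are outside the visible lines.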