}
else
{
- /* destroy IKE_SA did not complete connecting phase */
+ /* destroy IKE_SA only if it did not complete connecting phase */
if (ike_sa->get_state(ike_sa) != IKE_CONNECTING)
{
charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
}
+ else if (ike_sa->get_version(ike_sa) == IKEV1 &&
+ ike_sa->has_condition(ike_sa, COND_ORIGINAL_INITIATOR))
+ { /* as initiator we waited for the peer to initiate e.g. an
+ * XAuth exchange, reauth the SA to eventually trigger DPD */
+ DBG1(DBG_JOB, "peer did not initiate expected exchange, "
+ "reestablishing IKE_SA");
+ ike_sa->reauth(ike_sa);
+ charon->ike_sa_manager->checkin_and_destroy(
+ charon->ike_sa_manager, ike_sa);
+ }
else
{
DBG1(DBG_JOB, "deleting half open IKE_SA after timeout");
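Review bot: The return value of `ike_sa->reauth(ike_sa)` in the new IKEv1-initiator branch is discarded, so if the reauthentication cannot be started the SA is still destroyed by `checkin_and_destroy()` while the log says "reestablishing IKE_SA". Assuming reauth() returns a status, I would check it and log the failure, e.g. `if (ike_sa->reauth(ike_sa) != SUCCESS)` followed by `DBG1(DBG_JOB, "reestablishing IKE_SA failed");`. Nothing visible here bounds how often this branch can repeat, so a peer that never starts the expected exchange appears to cause a reconnect on every timeout; a comment saying whether that is intended, or a retry limit, would help operators reading the log. The enclosing function starts and ends outside the hunk.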
#include <sa/ikev1/tasks/informational.h>
#include <sa/ikev1/tasks/isakmp_delete.h>
#include <processing/jobs/adopt_children_job.h>
+#include <processing/jobs/delete_ike_sa_job.h>
typedef struct private_aggressive_mode_t private_aggressive_mode_t;
case AUTH_XAUTH_INIT_PSK:
case AUTH_XAUTH_INIT_RSA:
case AUTH_HYBRID_INIT_RSA:
- /* wait for XAUTH request */
+ { /* wait for XAUTH request, since this may never come,
+ * we queue a timeout */
+ job_t *job = (job_t*)delete_ike_sa_job_create(
+ this->ike_sa->get_id(this->ike_sa), FALSE);
+ lib->scheduler->schedule_job(lib->scheduler, job,
+ HALF_OPEN_IKE_SA_TIMEOUT);
break;
+ }
case AUTH_XAUTH_RESP_PSK:
case AUTH_XAUTH_RESP_RSA:
case AUTH_HYBRID_RESP_RSA:
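Review bot: The timeout job queued in the `AUTH_XAUTH_INIT_*` / `AUTH_HYBRID_INIT_RSA` case is never cancelled, so it still fires after the XAuth request has arrived, and the code is only safe if the delete job rechecks the SA state when it runs. The comment should say so, for example `/* wait for XAUTH request; it may never come, so queue a timeout. The job leaves the SA alone once it is no longer IKE_CONNECTING */`. If the SA stays in IKE_CONNECTING while a slow XAuth exchange is under way (not visible here), the timer would also cut that exchange off, because it counts from this point and not from the last message received. The identical block is added in the main mode hunk further down (the one after `private_main_mode_t`), and a small shared helper would keep the two copies from drifting apart. The switch statement starts and ends outside the hunk.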
#include <sa/ikev1/tasks/informational.h>
#include <sa/ikev1/tasks/isakmp_delete.h>
#include <processing/jobs/adopt_children_job.h>
+#include <processing/jobs/delete_ike_sa_job.h>
typedef struct private_main_mode_t private_main_mode_t;
case AUTH_XAUTH_INIT_PSK:
case AUTH_XAUTH_INIT_RSA:
case AUTH_HYBRID_INIT_RSA:
- /* wait for XAUTH request */
+ { /* wait for XAUTH request, since this may never come,
+ * we queue a timeout */
+ job_t *job = (job_t*)delete_ike_sa_job_create(
+ this->ike_sa->get_id(this->ike_sa), FALSE);
+ lib->scheduler->schedule_job(lib->scheduler, job,
+ HALF_OPEN_IKE_SA_TIMEOUT);
break;
+ }
case AUTH_XAUTH_RESP_PSK:
case AUTH_XAUTH_RESP_RSA:
case AUTH_HYBRID_RESP_RSA: