charon-nm: Use a DPD to check the current path

If the client's network goes down for a while but the same IP address
is assigned later, it won't be aware if the server killed the IKE_SA
while it wasn't reachable.  This way, a DPD is triggered and the client
can reestablish the SA if necessary.  When roaming to a different IP,
a MOBIKE update is triggered with the same effect.

References strongswan/strongswan#2696

diff --git a/src/charon-nm/charon-nm.c b/src/charon-nm/charon-nm.c
index 4217db2e08608034bca98f8fa278a625d9bd51ff..283454a28a9417f44cfbf0e54ec6c8c5fda838c9 100644 (file)
--- a/src/charon-nm/charon-nm.c
+++ b/src/charon-nm/charon-nm.c
@@ -217,6 +217,10 @@ int main(int argc, char *argv[])
        lib->settings->set_default_str(lib->settings,
                                "charon-nm.plugins.kernel-netlink.fwmark", "!210");
 
+       /* trigger a DPD to verify the current path is working */
+       lib->settings->set_default_str(lib->settings,
+                               "charon-nm.check_current_path", "yes");
+
        DBG1(DBG_DMN, "Starting charon NetworkManager backend (strongSwan "VERSION")");
        if (lib->integrity)
        {