From: Tobias Brunner
Date: Mon, 18 May 2020 12:17:24 +0000 (+0200)
Subject: charon-nm: Set DPD/close action to restart and enable indefinite keying tries
X-Git-Tag: 5.9.0rc1~11
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=10a913685fcb5a62fa135f5e650c308d6c6b8b43;p=thirdparty%2Fstrongswan.git

charon-nm: Set DPD/close action to restart and enable indefinite keying tries

We don't track CHILD_SA down events anymore and rely on NM's initial timeout to let the user know if the connection failed initially. So we also don't have to explicitly differentiate between initial connection failures and later ones like we do an Android. Also, with the default retransmission settings, there will only be one keying try as NM's timeout is lower than the combined retransmission timeout of 165s. There is no visual indicator while the connection is reestablished later.

Fixes #3300.
---
diff --git a/src/charon-nm/nm/nm_service.c b/src/charon-nm/nm/nm_service.c
index 4ea20f9905..83fcaf898d 100644
--- a/src/charon-nm/nm/nm_service.c
+++ b/src/charon-nm/nm/nm_service.c
@@ -307,22 +307,12 @@ METHOD(listener_t, child_updown, bool,
 	NMStrongswanPluginPrivate *this, ike_sa_t *ike_sa, child_sa_t *child_sa,
 	bool up)
 {
-	if (this->ike_sa == ike_sa)
+	if (this->ike_sa == ike_sa && up)
 	{
-		if (up)
-		{	/* disable initiate-failure-detection hooks */
-			this->listener.ike_state_change = NULL;
-			this->listener.child_state_change = NULL;
-			signal_ip_config(this->plugin, ike_sa, child_sa);
-		}
-		else
-		{
-			if (ike_sa->has_condition(ike_sa, COND_REAUTHENTICATING))
-			{	/* we ignore this during reauthentication */
-				return TRUE;
-			}
-			signal_failure(this->plugin, NM_VPN_PLUGIN_FAILURE_CONNECT_FAILED);
-		}
+		/* disable initiate-failure-detection hooks */
+		this->listener.ike_state_change = NULL;
+		this->listener.child_state_change = NULL;
+		signal_ip_config(this->plugin, ike_sa, child_sa);
 	}
 	return TRUE;
 }
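Review bot: The new `if (this->ike_sa == ike_sa && up)` silently drops the whole down branch, so a reader of child_updown no longer sees that NM is never told about a lost CHILD_SA; a comment above the condition such as `/* down events are deliberately ignored: re-establishment is left to the DPD/close restart actions, NM's initial timeout covers the initial failure */` would record the reasoning the commit message gives. Note also that `this->listener.child_updown` itself stays registered after the two hooks are cleared, so every later CHILD_SA up — including the ones created by the restart action — reaches `signal_ip_config` again; if the gateway assigns a different virtual IP on re-establishment this presumably re-sends the IP config to an already-started NM connection, which is worth confirming against the NM plugin API. The `METHOD(listener_t, child_updown, bool,` line itself lies just outside the hunk and is visible only in the @@ header.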
@@ -618,7 +608,6 @@ static gboolean connect_(NMVpnServicePlugin *plugin, NMConnection *connection,
 	peer_cfg_create_t peer = {
 		.cert_policy = CERT_SEND_IF_ASKED,
 		.unique = UNIQUE_REPLACE,
-		.keyingtries = 1,
 		.rekey_time = 36000, /* 10h */
 		.jitter_time = 600, /* 10min */
 		.over_time = 600, /* 10min */
@@ -632,6 +621,8 @@ static gboolean connect_(NMVpnServicePlugin *plugin, NMConnection *connection,
 			},
 		},
 		.mode = MODE_TUNNEL,
+		.dpd_action = ACTION_RESTART,
+		.close_action = ACTION_RESTART,
 	};
 
 	/**
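Review bot: The added `.dpd_action = ACTION_RESTART` and `.close_action = ACTION_RESTART` lines make a peer-initiated delete or a DPD timeout a silent event — with the down branch removed from child_updown in this same commit, NM is never signalled a failure, so the user keeps seeing the connection as up while charon re-initiates, and with `.keyingtries = 1` gone the field is left zero-initialised, which the commit title says means retries without bound. A comment next to the two lines, `/* re-established silently; NM is not notified while no SA exists */`, would make that tradeoff visible to the next maintainer. What this hunk does not show is whether VPN-destined traffic is held back or leaves in the clear while no CHILD_SA exists, since the NM-installed IP config and routes stay in place during the gap; that should be confirmed before relying on the restart action alone. An unreachable gateway will now keep charon re-initiating until NM itself tears the connection down. connect_ starts before the first hunk and continues past the second.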