From: Tobias Brunner Date: Mon, 16 Nov 2015 16:01:46 +0000 (+0100) Subject: ike: Don't send NAT keepalives if we have no path to the other peer X-Git-Tag: 5.4.0dr8~27 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=34f7d3b7aea5b5989ad28e93cc25d978a2e1ba01;p=thirdparty%2Fstrongswan.git ike: Don't send NAT keepalives if we have no path to the other peer If there is no path to the other peer there is no point in trying to send a NAT keepalive. If the condition changes back and forth within the keepalive interval there is a chance that multiple jobs get queued.
---
diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c
index dcf9d5f2c3..3632d62a81 100644
--- a/src/libcharon/sa/ike_sa.c
+++ b/src/libcharon/sa/ike_sa.c
@@ -487,9 +487,12 @@ METHOD(ike_sa_t, send_keepalive, void,
 send_keepalive_job_t *job;
 time_t last_out, now, diff;

- if (!(this->conditions & COND_NAT_HERE) || this->keepalive_interval == 0 ||
- this->state == IKE_PASSIVE)
- { /* disable keep alives if we are not NATed anymore, or we are passive */
+ if (!this->keepalive_interval || this->state == IKE_PASSIVE)
+ { /* keepalives disabled either by configuration or for passive IKE_SAs */
+ return;
+ }
+ if (!(this->conditions & COND_NAT_HERE) || (this->conditions & COND_STALE))
+ { /* disable keepalives if we are not NATed anymore, or the SA is stale */
 return;
 }

@@ -590,6 +593,9 @@ METHOD(ike_sa_t, set_condition, void,
 has_condition(this, COND_NAT_THERE) ||
 has_condition(this, COND_NAT_FAKE));
 break;
+ case COND_STALE:
+ send_keepalive(this);
+ break;
 default:
 break;
 }
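Review bot: The new early return on `COND_STALE` in send_keepalive leaves without any visible rescheduling, so whether keepalives ever resume depends on the `case COND_STALE:` hook this commit adds to set_condition, and that coupling is not documented at the check. If the code that queues the next job sits below this return (the function body continues outside the hunk), any path that clears the flag without going through set_condition would leave a NATed SA without keepalives, and its NAT mapping could expire. I would extend the comment to say so, e.g. `/* not NATed anymore or no path to the peer; set_condition() restarts keepalives when COND_STALE is cleared */`.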
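Review bot: `case COND_STALE:` calls `send_keepalive(this)` with no comment on why and no guard against a job that is already pending; the commit message itself says multiple jobs can get queued when the condition flaps within the keepalive interval. The enclosing switch starts outside the hunk, so I am assuming this is the branch taken when the condition is cleared; that is worth confirming, since in the set branch the call would only hit the new `COND_STALE` return. Whether duplicate jobs drain or keep rescheduling themselves is not visible here, so at minimum record the caveat in code, e.g. `/* path to peer is back, resume keepalives; flapping within the interval may queue more than one job */`, and consider tracking the pending job so only one is ever scheduled.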