From: Tobias Brunner
Date: Tue, 21 Jan 2025 16:08:44 +0000 (+0100)
Subject: ike-sa: Only query last use time of CHILD_SAs if UDP-encap is used
X-Git-Tag: 6.0.1rc1~9
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=882b19c1df04c3cf1fbdcf319aa53e1450c2d019;p=thirdparty%2Fstrongswan.git

ike-sa: Only query last use time of CHILD_SAs if UDP-encap is used

Without UDP-encapsulation, the IKE and ESP traffic is not directly related (other than via IPs), so firewalls might no keep the state for IKE traffic alive if there is no IKE traffic for a while and constant ESP traffic prevents DPDs from being exchanged because inbound ESP traffic is considered.

Closes strongswan/strongswan#1759
---
diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c
index 83865635d9..4a88e7ee55 100644
--- a/src/libcharon/sa/ike_sa.c
+++ b/src/libcharon/sa/ike_sa.c
@@ -369,14 +369,18 @@ static time_t get_use_time(private_ike_sa_t* this, bool inbound)
 		use_time = this->stats[STAT_OUTBOUND];
 	}
 
-	enumerator = array_create_enumerator(this->child_sas);
-	while (enumerator->enumerate(enumerator, &child_sa))
+	/* only consider IPsec traffic if we use UDP-encapsulation and they take
+	 * the same path */
+	if (this->public.has_condition(&this->public, COND_NAT_ANY))
 	{
-		child_sa->get_usestats(child_sa, inbound, ¤t, NULL, NULL);
-		use_time = max(use_time, current);
+		enumerator = array_create_enumerator(this->child_sas);
+		while (enumerator->enumerate(enumerator, &child_sa))
+		{
+			child_sa->get_usestats(child_sa, inbound, ¤t, NULL, NULL);
+			use_time = max(use_time, current);
+		}
+		enumerator->destroy(enumerator);
 	}
-	enumerator->destroy(enumerator);
-
 	return use_time;
 }
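Review bot: The gate added in front of the CHILD_SA loop keys on the IKE_SA-wide COND_NAT_ANY condition, while UDP encapsulation is a property of each CHILD_SA, so a CHILD_SA whose encapsulation state does not match the IKE_SA's current NAT detection (plausibly after a MOBIKE address update) would be counted or skipped on the wrong basis. Checking the CHILD_SA itself inside the loop, `if (!child_sa->has_encap(child_sa)) { continue; }`, ties the use-time query to the SAs that actually share the UDP flow with IKE; the outer condition can stay as a cheap short-cut. The new comment should also say what is really tested, e.g. `/* only consider IPsec traffic if NAT-T is active, as ESP then shares the UDP flow (and firewall state) with IKE */`, since COND_NAT_ANY reflects NAT detection rather than encapsulation directly. The body of get_use_time begins before this hunk.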