From: Tobias Brunner Date: Thu, 27 Feb 2025 08:37:25 +0000 (+0100) Subject: charon-nm: Use a DPD to check the current path X-Git-Tag: 6.0.1rc1~3 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8e97e20642d065cc86b6d5425b0db494156b6c7b;p=thirdparty%2Fstrongswan.git charon-nm: Use a DPD to check the current path If the client's network goes down for a while but the same IP address is assigned later, it won't be aware if the server killed the IKE_SA while it wasn't reachable. This way, a DPD is triggered and the client can reestablish the SA if necessary. When roaming to a different IP, a MOBIKE update is triggered with the same effect. References strongswan/strongswan#2696 --- diff --git a/src/charon-nm/charon-nm.c b/src/charon-nm/charon-nm.c index 4217db2e08..283454a28a 100644 --- a/src/charon-nm/charon-nm.c +++ b/src/charon-nm/charon-nm.c @@ -217,6 +217,10 @@ int main(int argc, char *argv[]) lib->settings->set_default_str(lib->settings, "charon-nm.plugins.kernel-netlink.fwmark", "!210"); + /* trigger a DPD to verify the current path is working */ + lib->settings->set_default_str(lib->settings, + "charon-nm.check_current_path", "yes"); + DBG1(DBG_DMN, "Starting charon NetworkManager backend (strongSwan "VERSION")"); if (lib->integrity) {
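Review bot: The comment on the new `set_default_str()` call in `main()` says a DPD is triggered but not on which event or why, so a reader of `charon-nm.c` has to go to the commit message to learn the case being covered (the same IP address is reassigned after an outage and the server may have deleted the IKE_SA in the meantime). Consider extending it, for example `/* trigger a DPD to verify the current path is working, as the server might have deleted the IKE_SA while we were unreachable */`. Like the `fwmark` setting just above it, this is set through `set_default_str()`, so it is a default for `charon-nm.check_current_path` and not a forced value. It would help to state in the commit message that a user can still configure it explicitly, since the change alters default behaviour for existing charon-nm users.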