Esempio n. 1
/**
 * Arm Dead Peer Detection (RFC 3706) for the state st.
 *
 * The phase 1 state is looked up from st's st_icookie/st_rcookie, and
 * its hidden_variables.st_dpd flag decides whether an EVENT_DPD is
 * scheduled on st.
 *
 * @param st state to arm DPD on; st->st_connection is dereferenced
 *           unconditionally.
 * @return STF_FAIL when no phase 1 state is found; STF_OK otherwise.
 *
 * NOTE(review): STF_OK is also returned when the st_dpd flag is clear.
 * In that case no liveness probing is scheduled and the only trace is
 * a log line, so a caller cannot tell "DPD armed" from "DPD skipped"
 * by the return value.
 */
stf_status dpd_init(struct state *st)
{
#ifdef HAVE_LABELED_IPSEC
	/* loopback connections skip DPD entirely and report success */
	if (st->st_connection->loopback) {
		libreswan_log(
			"dpd is not required for ipsec connections over loopback");
		return STF_OK;
	}
#endif
	/* the Phase 1 state that belongs to st */
	struct state *p1st = find_state_ikev1(st->st_icookie, st->st_rcookie, 0);

	if (p1st == NULL) {
		loglog(RC_LOG_SERIOUS, "could not find phase 1 state for DPD");

		/*
		 * A phase 1 state that goes away should have taken all of
		 * its children with it. We can still land here because a
		 * quick mode SA may take a while to set up (DNS lookups,
		 * for instance) and the phase 1 may have been torn down in
		 * the meantime. Nothing useful can be done at this point:
		 * invoking the DPD action would make sense, but that
		 * belongs outside this function.
		 */
		return STF_FAIL;
	}

	if (!p1st->hidden_variables.st_dpd) {
		libreswan_log(
			"Dead Peer Detection (RFC 3706): not enabled because peer did not advertise it");
	} else {
		/* DPD is enabled; arm it unless a suitable event already exists */
		time_t n = now();

		libreswan_log("Dead Peer Detection (RFC 3706): enabled");

		if (st->st_dpd_event == NULL) {
			/* nothing pending yet */
			event_schedule(EVENT_DPD, st->st_connection->dpd_delay,
				       st);
		} else if ((st->st_connection->dpd_delay + n) <
			   st->st_dpd_event->ev_time) {
			/* pending event is due later than now + dpd_delay: replace it */
			delete_dpd_event(st);
			event_schedule(EVENT_DPD, st->st_connection->dpd_delay,
				       st);
		}
	}

	/* st is not itself the phase 1 SA: drop the DPD event held by the phase 1 */
	if (p1st != st &&
	    p1st->st_dpd_event != NULL &&
	    p1st->st_dpd_event->ev_type == EVENT_DPD) {
		delete_dpd_event(p1st);
	}

	return STF_OK;
}
Esempio n. 2
/**
 * Arm Dead Peer Detection (RFC 3706) for the state st.
 *
 * The phase 1 state is looked up from st's st_icookie/st_rcookie, and
 * its hidden_variables.st_peer_supports_dpd flag decides whether an
 * EVENT_DPD is scheduled on st.
 *
 * @param st state to arm DPD on; st->st_connection is dereferenced
 *           when the peer supports DPD.
 * @return STF_FAIL when no phase 1 state is found; STF_OK otherwise.
 *
 * NOTE(review): STF_OK is also returned when the peer did not
 * advertise DPD. No liveness probing is scheduled then; the condition
 * is reported only through the RC_LOG_SERIOUS log line, not through
 * the return value.
 */
stf_status dpd_init(struct state *st)
{
	/* the Phase 1 state that belongs to st */
	struct state *p1st = find_state_ikev1(st->st_icookie, st->st_rcookie, 0);

	if (p1st == NULL) {
		loglog(RC_LOG_SERIOUS, "could not find phase 1 state for DPD");

		/*
		 * A phase 1 state that goes away should have taken all of
		 * its children with it. We can still land here because a
		 * quick mode SA may take a while to set up (DNS lookups,
		 * for instance) and the phase 1 may have been torn down in
		 * the meantime. Nothing useful can be done at this point:
		 * invoking the DPD action would make sense, but that
		 * belongs outside this function.
		 */
		return STF_FAIL;
	}

	if (!p1st->hidden_variables.st_peer_supports_dpd) {
		loglog(RC_LOG_SERIOUS,
			"Configured DPD (RFC 3706) support not enabled because remote peer did not advertise DPD support");
	} else {
		/* peer supports DPD; arm it unless a suitable event already exists */
		DBG(DBG_DPD, DBG_log("Dead Peer Detection (RFC 3706): enabled"));

		if (st->st_dpd_event == NULL) {
			/* nothing pending yet */
			event_schedule(EVENT_DPD,
					deltasecs(st->st_connection->dpd_delay),
					st);
		} else if (ev_before(st->st_dpd_event,
				     st->st_connection->dpd_delay)) {
			/*
			 * presumably the pending event is due later than
			 * dpd_delay from now -- confirm against ev_before();
			 * replace it with a fresh one
			 */
			delete_dpd_event(st);
			event_schedule(EVENT_DPD,
					deltasecs(st->st_connection->dpd_delay),
					st);
		}
	}

	/* st is not itself the phase 1 SA: drop the DPD event held by the phase 1 */
	if (p1st != st &&
	    p1st->st_dpd_event != NULL &&
	    p1st->st_dpd_event->ev_type == EVENT_DPD) {
		delete_dpd_event(p1st);
	}

	return STF_OK;
}