Howdy,
I'm trying to discover how strongswan ikev1 dpd is implemented. The
docs are generally great, but I have a specific question which I don't see
covered in the docs. I started reading code, but being new to the code base,
I'm not sure I'm reading it right.
My question is whether ikev1 dpd is sensitive to ipsec-sa traffic (on those ipsec-sas
known to be children of 'this' ike-sa) as a proof of peer liveness. I'm
very much hoping the answer is yes. But I don't see it in the code...
I think that the sending of a dpd packet only depends upon whether we have recently
received ike traffic, not whether we have recently received ipsec traffic. There is
a strong chance I understand the code wrong.
In strongswan/src/libcharon/sa/ike_sa.c:
    METHOD(ike_sa_t, send_dpd, status_t,
        private_ike_sa_t *this)
    {
        job_t *job;
        time_t diff, delay;
        bool task_queued = FALSE;

        if (this->state == IKE_PASSIVE)
        {
            return INVALID_STATE;
        }
        delay = this->peer_cfg->get_dpd(this->peer_cfg);
        if (this->task_manager->busy(this->task_manager))
        {
            /* an exchange is in the air, no need to start a DPD check */
            diff = 0;
        }
        else
        {
            /* check if there was any inbound traffic */
            time_t last_in, now;

            last_in = get_use_time(this, TRUE);
            now = time_monotonic(NULL);
            diff = now - last_in;
            if (!delay || diff >= delay)
            {
                /* too long ago, initiate dead peer detection */
                DBG1(DBG_IKE, "sending DPD request");
                this->task_manager->queue_dpd(this->task_manager);
                task_queued = TRUE;
                diff = 0;
            }
The relevant call to get_use_time above looks at a stat named STAT_INBOUND on
the ike sa which records the last time traffic was observed. The calls to
set_statistic(STAT_INBOUND) only occur in ike message processing, as far as I
can tell.
--
Ricky Charlet
_______________________________________________
Dev mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/dev
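To make the decision path in the quoted snippet concrete, here is an added, self-contained C model of it; this is example code, not strongSwan's, and model_ike_sa_t, model_get_use_time, model_send_dpd and the last_esp_inbound field are stand-ins assumed for the illustration. With count_esp false it follows the quoted code as the post reads it (only IKE messages refresh the liveness timestamp); with count_esp true it shows what would change if CHILD_SA traffic also counted.

```c
#include <stdbool.h>
#include <time.h>

typedef enum {
    DPD_INVALID_STATE,  /* IKE_SA is passive: send_dpd() refuses */
    DPD_BUSY,           /* an exchange is in the air, no DPD check */
    DPD_REQUEST,        /* last inbound too long ago: queue a DPD request */
    DPD_RECENT          /* inbound traffic seen within the delay */
} dpd_decision_t;

/* Constructed stand-in for the fields the quoted function consults. */
typedef struct {
    bool passive;             /* this->state == IKE_PASSIVE */
    time_t dpd_delay;         /* peer_cfg->get_dpd() */
    bool exchange_busy;       /* task_manager->busy() */
    time_t stat_inbound;      /* STAT_INBOUND: last inbound IKE message */
    time_t last_esp_inbound;  /* hypothetical: last inbound ESP on a CHILD_SA */
} model_ike_sa_t;

/* Model of get_use_time(this, TRUE). count_esp == false follows the quoted
 * code (IKE messages only); true is the hypothetical variant asked about. */
static time_t model_get_use_time(const model_ike_sa_t *sa, bool count_esp)
{
    if (count_esp && sa->last_esp_inbound > sa->stat_inbound)
        return sa->last_esp_inbound;
    return sa->stat_inbound;
}

/* Same branch structure as the quoted send_dpd(). *diff_out receives the
 * "diff" value the real code leaves behind for rescheduling the check. */
dpd_decision_t model_send_dpd(const model_ike_sa_t *sa, time_t now,
                              bool count_esp, time_t *diff_out)
{
    time_t diff = 0;
    dpd_decision_t decision = DPD_BUSY;

    if (sa->passive) {
        *diff_out = 0;
        return DPD_INVALID_STATE;
    }
    if (!sa->exchange_busy) {
        diff = now - model_get_use_time(sa, count_esp);
        /* a delay of 0 queues a request on every call, as the quoted test reads */
        if (!sa->dpd_delay || diff >= sa->dpd_delay) {
            decision = DPD_REQUEST;  /* queue_dpd() would run here */
            diff = 0;
        } else {
            decision = DPD_RECENT;
        }
    }
    *diff_out = diff;
    return decision;
}
```

The interesting case is an SA whose last IKE message is older than the DPD delay while ESP on a CHILD_SA arrived seconds ago: the count_esp == false path still queues a DPD request, the count_esp == true path does not.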