This is my first time submitting patch, hopefully it can assist your
work.

The attached patch adds a configuration option “keepalivetime”, placed after
“lifetime”, to make IKED_IKE_SA_ALIVE_TIMEOUT configurable. If it is
not specified, it defaults to IKED_IKE_SA_ALIVE_TIMEOUT.

An option of 0 will disable keepalive packets and its relevant timer.

Sorry but I don’t have any experience with man page changes so if
someone can modify the manage it would be good.

Rgds, Michael

Index: iked/iked.h
===================================================================
RCS file: /cvs/src/sbin/iked/iked.h,v
retrieving revision 1.96
diff -u -p -u -r1.96 iked.h
--- iked/iked.h 1 Jun 2016 11:16:41 -0000       1.96
+++ iked/iked.h 22 Aug 2016 15:00:34 -0000
@@ -274,6 +274,7 @@ struct iked_policy {
 
        uint32_t                         pol_rekey;     /* ike SA lifetime */
        struct iked_lifetime             pol_lifetime;  /* child SA lifetime */
+       uint32_t                         pol_keepalivetime;
 
        struct iked_sapeers              pol_sapeers;
 
Index: iked/ikev2.c
===================================================================
RCS file: /cvs/src/sbin/iked/ikev2.c,v
retrieving revision 1.131
diff -u -p -u -r1.131 ikev2.c
--- iked/ikev2.c        2 Jun 2016 07:14:26 -0000       1.131
+++ iked/ikev2.c        22 Aug 2016 15:00:35 -0000
@@ -1110,8 +1110,10 @@ ikev2_init_done(struct iked *env, struct
                ret = ikev2_childsa_enable(env, sa);
        if (ret == 0) {
                sa_state(env, sa, IKEV2_STATE_ESTABLISHED);
-               timer_set(env, &sa->sa_timer, ikev2_ike_sa_alive, sa);
-               timer_add(env, &sa->sa_timer, IKED_IKE_SA_ALIVE_TIMEOUT);
+               if (sa->sa_policy->pol_keepalivetime) {
+                       timer_set(env, &sa->sa_timer, ikev2_ike_sa_alive, sa);
+                       timer_add(env, &sa->sa_timer, 
sa->sa_policy->pol_keepalivetime);
+               }
                timer_set(env, &sa->sa_rekey, ikev2_ike_sa_rekey, sa);
                if (sa->sa_policy->pol_rekey)
                        timer_add(env, &sa->sa_rekey, sa->sa_policy->pol_rekey);
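Review bot: When `pol_keepalivetime` is 0 the new guard skips `timer_set` on `sa->sa_timer`, so whatever callback and pending timeout that timer carried before establishment are left untouched; if `sa_timer` was armed earlier with a pre-establishment close-SA timeout, it would now fire against an established SA (not verifiable from the hunk — check the SA creation path). A `} else timer_del(env, &sa->sa_timer);` after the block makes the disabled case explicit and cancels any stale timer. The same four-line block is repeated in the hunks at ikev2_resp_ike_auth and ikev2_ikesa_enable, which need the same else branch; a small static helper taking `(env, sa)` would keep the three in step. ikev2_init_done starts before the hunk.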
@@ -2305,8 +2307,10 @@ ikev2_resp_ike_auth(struct iked *env, st
                ret = ikev2_childsa_enable(env, sa);
        if (ret == 0) {
                sa_state(env, sa, IKEV2_STATE_ESTABLISHED);
-               timer_set(env, &sa->sa_timer, ikev2_ike_sa_alive, sa);
-               timer_add(env, &sa->sa_timer, IKED_IKE_SA_ALIVE_TIMEOUT);
+               if (sa->sa_policy->pol_keepalivetime) {
+                       timer_set(env, &sa->sa_timer, ikev2_ike_sa_alive, sa);
+                       timer_add(env, &sa->sa_timer, 
sa->sa_policy->pol_keepalivetime);
+               }
                timer_set(env, &sa->sa_rekey, ikev2_ike_sa_rekey, sa);
                if (sa->sa_policy->pol_rekey)
                        timer_add(env, &sa->sa_rekey, sa->sa_policy->pol_rekey);
@@ -2953,8 +2957,10 @@ ikev2_ikesa_enable(struct iked *env, str
 
        log_debug("%s: activating new IKE SA", __func__);
        sa_state(env, nsa, IKEV2_STATE_ESTABLISHED);
-       timer_set(env, &nsa->sa_timer, ikev2_ike_sa_alive, nsa);
-       timer_add(env, &nsa->sa_timer, IKED_IKE_SA_ALIVE_TIMEOUT);
+       if (nsa->sa_policy->pol_keepalivetime) {
+               timer_set(env, &nsa->sa_timer, ikev2_ike_sa_alive, nsa);
+               timer_add(env, &nsa->sa_timer, 
nsa->sa_policy->pol_keepalivetime);
+       }
        timer_set(env, &nsa->sa_rekey, ikev2_ike_sa_rekey, nsa);
        if (nsa->sa_policy->pol_rekey)
                timer_add(env, &nsa->sa_rekey, nsa->sa_policy->pol_rekey);
@@ -3266,7 +3272,7 @@ ikev2_ike_sa_alive(struct iked *env, voi
                    __func__,
                    csa->csa_dir == IPSP_DIRECTION_IN ? "incoming" : "outgoing",
                    print_spi(csa->csa_spi.spi, csa->csa_spi.spi_size), diff);
-               if (diff < IKED_IKE_SA_ALIVE_TIMEOUT) {
+               if (diff < sa->sa_policy->pol_keepalivetime) {
                        if (csa->csa_dir == IPSP_DIRECTION_IN) {
                                foundin = 1;
                                break;
@@ -3285,7 +3291,7 @@ ikev2_ike_sa_alive(struct iked *env, voi
        }
 
        /* re-register */
-       timer_add(env, &sa->sa_timer, IKED_IKE_SA_ALIVE_TIMEOUT);
+       timer_add(env, &sa->sa_timer, sa->sa_policy->pol_keepalivetime);
 }
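Review bot: The re-register at the end of ikev2_ike_sa_alive passes `pol_keepalivetime` to `timer_add` unconditionally, so a zero value reaching this line re-arms the timer with a zero timeout and the liveness check would run on every event-loop pass, most likely sending a probe each time since `diff < 0` can never mark a CHILD SA as active. The callback is only armed when the value is non-zero, so this requires the policy value to change under a live SA (for instance a reload swapping `sa->sa_policy`) — whether that can happen is not visible here. Guarding it, `if (sa->sa_policy->pol_keepalivetime) timer_add(env, &sa->sa_timer, sa->sa_policy->pol_keepalivetime);`, costs nothing and mirrors the establishment paths. The function body begins outside the hunk.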
 
 int
Index: iked/parse.y
===================================================================
RCS file: /cvs/src/sbin/iked/parse.y,v
retrieving revision 1.57
diff -u -p -u -r1.57 parse.y
--- iked/parse.y        6 Aug 2016 07:08:59 -0000       1.57
+++ iked/parse.y        22 Aug 2016 15:00:36 -0000
@@ -333,7 +333,7 @@ int                  create_ike(char *, int, uint8_t, 
                            struct ipsec_hosts *, struct ipsec_mode *,
                            struct ipsec_mode *, uint8_t,
                            uint8_t, char *, char *,
-                           uint32_t, struct iked_lifetime *,
+                           uint32_t, struct iked_lifetime *, uint32_t,
                            struct iked_auth *, struct ipsec_filters *,
                            struct ipsec_addr_wrap *);
 int                     create_user(const char *, const char *);
@@ -382,7 +382,7 @@ typedef struct {
 %token PASSIVE ACTIVE ANY TAG TAP PROTO LOCAL GROUP NAME CONFIG EAP USER
 %token IKEV1 FLOW SA TCPMD5 TUNNEL TRANSPORT COUPLE DECOUPLE SET
 %token INCLUDE LIFETIME BYTES INET INET6 QUICK SKIP DEFAULT
-%token IPCOMP OCSP IKELIFETIME
+%token IPCOMP OCSP IKELIFETIME KEEPALIVETIME
 %token <v.string>              STRING
 %token <v.number>              NUMBER
 %type  <v.string>              string
@@ -404,7 +404,7 @@ typedef struct {
 %type  <v.ikekey>              keyspec
 %type  <v.mode>                ike_sa child_sa
 %type  <v.lifetime>            lifetime
-%type  <v.number>              byte_spec time_spec ikelifetime
+%type  <v.number>              byte_spec time_spec ikelifetime keepalivetime
 %type  <v.string>              name
 %type  <v.cfg>                 cfg ikecfg ikecfgvals
 %%
@@ -458,11 +458,11 @@ user              : USER STRING STRING            {
                ;
 
 ikev2rule      : IKEV2 name ikeflags satype af proto hosts_list peers
-                   ike_sa child_sa ids ikelifetime lifetime ikeauth ikecfg
+                   ike_sa child_sa ids ikelifetime lifetime keepalivetime 
ikeauth ikecfg
                    filters {
                        if (create_ike($2, $5, $6, $7, &$8, $9, $10, $4, $3,
-                           $11.srcid, $11.dstid, $12, &$13, &$14,
-                           $16, $15) == -1)
+                           $11.srcid, $11.dstid, $12, &$13, $14, &$15,
+                           $17, $16) == -1)
                                YYERROR;
                }
                ;
@@ -919,6 +919,13 @@ ikelifetime        : /* empty */                           
{
                        $$ = $2;
                }
 
+keepalivetime  : /* empty */                           {
+                       $$ = IKED_IKE_SA_ALIVE_TIMEOUT;
+               }
+               | KEEPALIVETIME time_spec               {
+                       $$ = $2;
+               }
+
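Review bot: The `keepalivetime` rule accepts 0 as "disable" and applies `IKED_IKE_SA_ALIVE_TIMEOUT` when the keyword is absent, but neither fact is recorded in the grammar; a comment on the empty alternative, `/* default: IKED_IKE_SA_ALIVE_TIMEOUT; an explicit 0 disables the IKE SA liveness check */`, documents it for readers of parse.y until iked.conf.5 is updated. Operators should understand that with 0 the ikev2_ike_sa_alive probe is never armed, so a vanished peer is only noticed by later exchanges or lifetime expiry. `time_spec` is not range-checked here and the value is later passed straight to `timer_add`; that matches the existing `ikelifetime` rule, so it is not a regression, but a bound is worth adding if the man page will state a maximum.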
 keyspec                : STRING                        {
                        uint8_t         *hex;
 
@@ -1110,6 +1117,7 @@ lookup(char *s)
                { "inet",               INET },
                { "inet6",              INET6 },
                { "ipcomp",             IPCOMP },
+               { "keepalivetime",      KEEPALIVETIME },
                { "lifetime",           LIFETIME },
                { "local",              LOCAL },
                { "name",               NAME },
@@ -2344,6 +2352,8 @@ print_policy(struct iked_policy *pol)
        print_verbose(" lifetime %llu bytes %llu",
            pol->pol_lifetime.lt_seconds, pol->pol_lifetime.lt_bytes);
 
+       print_verbose(" keepalive %u", pol->pol_keepalivetime);
+
        if (pol->pol_auth.auth_method == IKEV2_AUTH_SHARED_KEY_MIC) {
                        print_verbose(" psk 0x");
                        for (i = 0; i < pol->pol_auth.auth_length; i++)
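Review bot: The new `print_verbose(" keepalive %u", …)` prints under a keyword the parser does not know; the lookup table in this patch registers `keepalivetime`, and the neighbouring `lifetime` line prints under its configuration keyword, so this output would not read back through the parser. Change it to `print_verbose(" keepalivetime %u", pol->pol_keepalivetime);`. print_policy continues on both sides of the hunk.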
@@ -2412,7 +2422,7 @@ create_ike(char *name, int af, uint8_t i
     struct ipsec_hosts *peers, struct ipsec_mode *ike_sa,
     struct ipsec_mode *ipsec_sa, uint8_t saproto,
     uint8_t flags, char *srcid, char *dstid,
-    uint32_t ikelifetime, struct iked_lifetime *lt,
+    uint32_t ikelifetime, struct iked_lifetime *lt, uint32_t keepalivetime,
     struct iked_auth *authtype, struct ipsec_filters *filter,
     struct ipsec_addr_wrap *ikecfg)
 {
@@ -2540,6 +2550,8 @@ create_ike(char *name, int af, uint8_t i
 
        if (ikelifetime)
                pol.pol_rekey = ikelifetime;
+
+       pol.pol_keepalivetime = keepalivetime;
 
        if (lt)
                pol.pol_lifetime = *lt;
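Review bot: `pol.pol_keepalivetime = keepalivetime;` is deliberately unconditional, unlike the `if (ikelifetime)` guard two lines above, because 0 is a meaningful value (keepalives off) and the default is supplied by the grammar; without a comment the next reader is likely to "harmonise" it into a guard and silently reinstate the default for 0. Add `/* 0 is valid (disables keepalives); default applied by the parser */` above the assignment. create_ike continues beyond the hunk.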
