nhrpd: Retry IPSec if NHRP is repeatedly failing
authorGaurav Goyal <gaurav.goyal@4rf.com>
Thu, 11 Mar 2021 00:46:37 +0000 (13:46 +1300)
committerReuben Dowle <reuben.dowle@4rf.com>
Wed, 17 Mar 2021 03:56:46 +0000 (16:56 +1300)
This prevents a failed IPSec connection from preventing DMVPN from working.
A failure situation can be reproduced using a Cisco peer, and disabling then
re-enabling the tunnel IPSec protection (after the IPSec connection has
already been established).

Signed-off-by: Reuben Dowle <reuben.dowle@4rf.com>
nhrpd/nhrp_nhs.c
nhrpd/nhrpd.h
nhrpd/vici.c

index 9ed03098ac1afe016d7337faa8ce84cba8698dd1..31f20c0677263c4950231e4c05a2fe0c763769fd 100644 (file)
@@ -117,7 +117,15 @@ static int nhrp_reg_timeout(struct thread *t)
 
        r->timeout <<= 1;
        if (r->timeout > 64)
+       {
+               //Remove the ipsec connection if it is there, it can get re-established later
+               if(r->peer && r->peer->vc && r->peer->vc->ike_uniqueid)
+               {
+                       debugf(NHRP_DEBUG_COMMON, "Terminating IPSec Connection for %d\n", r->peer->vc->ike_uniqueid);
+                       vici_terminate_vc(r->peer->vc->ike_uniqueid);
+               }
                r->timeout = 2;
+       }
        thread_add_timer_msec(master, nhrp_reg_send_req, r, 10, &r->t_register);
 
        return 0;
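Review bot: The `%d` in the new debugf at the "Terminating IPSec Connection" line prints `ike_uniqueid`, which the header hunk declares as `uint32_t`, with a signed specifier; `%u` (or `PRIu32`) is the matching one and keeps ids above INT_MAX readable in the log. After `vici_terminate_vc()` the stored id is left untouched, so as far as this hunk shows every later retry cycle that again passes the 64 cap re-sends a terminate for the same, presumably already-gone SA until a new up event overwrites it; if that repeat is not intended, clearing it right after the call, `r->peer->vc->ike_uniqueid = 0;`, keeps the guard on the line above meaningful. The added `if(...)` with braces on their own lines also differs from the `if (cond) {` layout used by the surrounding context lines. nhrp_reg_timeout begins and ends outside the hunk.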
index a36d0c445db8412c215577f92383a03063cdcb86..37a9e338cda07b04b8830ca6635f29253b1aa993 100644 (file)
@@ -125,6 +125,7 @@ enum nhrp_notify_type {
 struct nhrp_vc {
        struct notifier_list notifier_list;
        uint32_t ipsec;
+       uint32_t ike_uniqueid;
        uint8_t updating;
        uint8_t abort_migration;
 
@@ -399,6 +400,7 @@ void nhrp_vc_reset(void);
 
 void vici_init(void);
 void vici_terminate(void);
+void vici_terminate_vc(unsigned int ike_id);
 void vici_request_vc(const char *profile, union sockunion *src,
                     union sockunion *dst, int prio);
 
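Review bot: The new `ike_uniqueid` member of `struct nhrp_vc` has no comment, and the caller added in nhrp_nhs.c treats a zero value as "nothing to terminate", so that convention belongs on the field: `uint32_t ike_uniqueid; /* IKE SA id reported by VICI; 0 when none is known */`. The new prototype `vici_terminate_vc(unsigned int ike_id)` takes a different type from the field it is called with; `void vici_terminate_vc(uint32_t ike_id);` keeps the two in step and avoids a silent width assumption. A one-line comment on the prototype saying it asks strongSwan to tear down that IKE SA would also help readers of the header.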
index 86554f53dc3a0748500cfc7f023325b0ad5fc5c3..2b5e0e56ca2b97c9e5496b3eb65fbb3dfc119c9d 100644 (file)
@@ -200,6 +200,7 @@ static void parse_sa_message(struct vici_message_ctx *ctx,
                                                nhrp_vc_ipsec_updown(
                                                        sactx->child_uniqueid,
                                                        vc);
+                                       vc->ike_uniqueid = sactx->ike_uniqueid;
                                }
                        } else {
                                nhrp_vc_ipsec_updown(sactx->child_uniqueid, 0);
@@ -521,6 +522,18 @@ void vici_terminate(void)
 {
 }
 
+void vici_terminate_vc(unsigned int ike_id)
+{
+       struct vici_conn *vici = &vici_connection;
+       char ike_id_str[10]={0};
+       snprintf(ike_id_str, sizeof(ike_id_str), "%d", ike_id);
+       debugf(NHRP_DEBUG_VICI,"ike_id_str = %s", ike_id_str);
+
+
+       vici_submit_request(vici, "terminate", VICI_KEY_VALUE, "ike-id",
+                   strlen(ike_id_str), ike_id_str, VICI_END);
+}
+
 void vici_request_vc(const char *profile, union sockunion *src,
                     union sockunion *dst, int prio)
 {
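Review bot: `ike_id_str[10]` is one byte short for the largest `unsigned int`: a ten-digit id needs 11 bytes including the terminator, so `snprintf` truncates it and the terminate request is sent for a different ike-id; the `%d` specifier also mismatches the unsigned argument. Sizing the buffer with room to spare and using `%u` fixes both, `char ike_id_str[16] = {0};` and `snprintf(ike_id_str, sizeof(ike_id_str), "%u", ike_id);`. Whether the daemon ever hands out ids that large I cannot tell from here, but the larger buffer costs nothing. The `debugf` on the following line has no trailing newline while the new debugf in nhrp_nhs.c in this same commit ends with `\n`; pick whichever the file's existing calls use. In the earlier hunk of this file `vc->ike_uniqueid` is assigned only on the up path, so after the down path at `nhrp_vc_ipsec_updown(sactx->child_uniqueid, 0)` the stale id appears to remain; that function starts and ends outside the hunk, so the reset may belong there.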