| author | Gaurav Goyal <gaurav.goyal@4rf.com> | 2021-03-11 13:46:37 +1300 |
|---|---|---|
| committer | Reuben Dowle <reuben.dowle@4rf.com> | 2021-03-17 16:56:46 +1300 |
| commit | 4cbaf956f6d711d5ec39b7e62bf0ee1085d96a16 (patch) | |
| tree | 608d00d8825ff88a2c97e17ff2c71777e5ccb8b7 | |
| parent | 4d7ae2c0ddc439c0409b04d8b68efa18d4ceeed2 (diff) | |
nhrpd: Retry IPSec if NHRP is repeatedly failing
This prevents a failed IPSec connection from preventing DMVPN from working.
A failure situation can be reproduced using a Cisco peer, and disabling then
re-enabling the tunnel IPSec protection (after the IPSec connection has
already been established).
Signed-off-by: Reuben Dowle <reuben.dowle@4rf.com>
| -rw-r--r-- | nhrpd/nhrp_nhs.c | 8 | ||||
| -rw-r--r-- | nhrpd/nhrpd.h | 2 | ||||
| -rw-r--r-- | nhrpd/vici.c | 13 |
3 files changed, 23 insertions, 0 deletions
diff --git a/nhrpd/nhrp_nhs.c b/nhrpd/nhrp_nhs.c
index 9ed03098ac..31f20c0677 100644
--- a/nhrpd/nhrp_nhs.c
+++ b/nhrpd/nhrp_nhs.c
@@ -117,7 +117,15 @@ static int nhrp_reg_timeout(struct thread *t)
 r->timeout <<= 1;
 if (r->timeout > 64)
+ {
+ //Remove the ipsec connection if it is there, it can get re-established later
+ if(r->peer && r->peer->vc && r->peer->vc->ike_uniqueid)
+ {
+ debugf(NHRP_DEBUG_COMMON, "Terminating IPSec Connection for %d\n", r->peer->vc->ike_uniqueid);
+ vici_terminate_vc(r->peer->vc->ike_uniqueid);
+ }
 r->timeout = 2;
+ }
 thread_add_timer_msec(master, nhrp_reg_send_req, r, 10, &r->t_register);
 return 0;
diff --git a/nhrpd/nhrpd.h b/nhrpd/nhrpd.h
index a36d0c445d..37a9e338cd 100644
--- a/nhrpd/nhrpd.h
+++ b/nhrpd/nhrpd.h
@@ -125,6 +125,7 @@ enum nhrp_notify_type {
 struct nhrp_vc {
 struct notifier_list notifier_list;
 uint32_t ipsec;
+ uint32_t ike_uniqueid;
 uint8_t updating;
 uint8_t abort_migration;
@@ -399,6 +400,7 @@ void nhrp_vc_reset(void);
 void vici_init(void);
 void vici_terminate(void);
+void vici_terminate_vc(unsigned int ike_id);
 void vici_request_vc(const char *profile, union sockunion *src, union sockunion *dst, int prio);
diff --git a/nhrpd/vici.c b/nhrpd/vici.c
index 86554f53dc..2b5e0e56ca 100644
--- a/nhrpd/vici.c
+++ b/nhrpd/vici.c
@@ -200,6 +200,7 @@ static void parse_sa_message(struct vici_message_ctx *ctx,
 nhrp_vc_ipsec_updown(
 sactx->child_uniqueid, vc);
+ vc->ike_uniqueid = sactx->ike_uniqueid;
 }
 } else {
 nhrp_vc_ipsec_updown(sactx->child_uniqueid, 0);
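Review bot: The IKE id handed to `vici_terminate_vc()` is never cleared after the terminate is issued, so until charon reports a new child SA up, every later pass through this branch (roughly every two minutes, given the 2..64 s doubling visible here) re-sends a terminate for an id that may already be gone or, if ids are ever reused, belong to another SA; add `r->peer->vc->ike_uniqueid = 0;` directly after the `vici_terminate_vc()` call. The trigger `r->timeout > 64` fires only once a full back-off cycle has failed, which deserves a why-comment such as `/* a whole 2..64 s back-off cycle failed: drop the IKE SA so the next request rebuilds it */`. The `%d` in the debugf should be `%u` because ike_uniqueid is a uint32_t, and the `if(` / brace-on-its-own-line / `//` comment layout does not match the kernel style of the surrounding FRR code (`if (r->timeout > 64) {`). nhrp_reg_timeout begins and ends outside the hunk.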
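Review bot: The new `ike_uniqueid` member is undocumented, and since the nhrp_nhs.c caller in this commit treats 0 as "no IKE SA known", that sentinel belongs at the declaration: `uint32_t ike_uniqueid; /* IKE SA unique id reported by charon for this vc's child SA; 0 = none known */`. The field is assigned from a vici "up" event in this commit but nothing in the diff resets it on "down", so the comment should not promise the value is current. struct nhrp_vc continues past the hunk.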
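Review bot: The prototype takes `unsigned int ike_id` while the only value passed to it is the `uint32_t ike_uniqueid` field added in the same header; declare it as `void vici_terminate_vc(uint32_t ike_id);` so the two types cannot drift. A one-line comment above the declaration, `/* ask charon via vici to terminate the IKE SA with this unique id */`, would also help, since the neighbouring vici_* declarations carry none.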
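Review bot: The id is recorded only in the "up" branch and only after `nhrp_vc_ipsec_updown()` has already run, while the `else` branch below (SA down) leaves a previously stored id in place; move the assignment to just before the `nhrp_vc_ipsec_updown(` call so anything notified of the up event sees the id, and clear it on the down path if the vc can be located there (that path only has `sactx->child_uniqueid` in view, so whether it can is not visible from this hunk). A short comment, `/* remember the parent IKE SA so a stalled registration can terminate it */`, would explain why a child-SA event stores the IKE id. parse_sa_message begins and ends outside the hunk.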
@@ -521,6 +522,18 @@ void vici_terminate(void)
 {
 }
+void vici_terminate_vc(unsigned int ike_id)
+{
+ struct vici_conn *vici = &vici_connection;
+ char ike_id_str[10]={0};
+ snprintf(ike_id_str, sizeof(ike_id_str), "%d", ike_id);
+ debugf(NHRP_DEBUG_VICI,"ike_id_str = %s", ike_id_str);
+
+
+ vici_submit_request(vici, "terminate", VICI_KEY_VALUE, "ike-id",
+ strlen(ike_id_str), ike_id_str, VICI_END);
+}
+
 void vici_request_vc(const char *profile, union sockunion *src, union sockunion *dst, int prio)
 {
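Review bot: `ike_id_str[10]` cannot hold every `unsigned int`: a ten-digit id needs eleven bytes with the terminator, and `%d` applied to an unsigned argument prints values above INT_MAX as negative, so snprintf would silently truncate and the `terminate` request would name a different IKE SA than intended. Widen the buffer, format with `%u` and refuse to send when the format fails or truncates, as below. strongSwan's unique ids start at 1 and grow, so this only bites after very many SAs, but the fix is free. The function also deserves a header comment, e.g. `/* ask charon (via vici) to terminate the IKE SA with the given unique id */`, and the two stray blank lines before `vici_submit_request` should go.

```c
void vici_terminate_vc(unsigned int ike_id)
{
	struct vici_conn *vici = &vici_connection;
	char ike_id_str[16];
	int len;

	/* %u: ike_id is unsigned; a 10-byte buffer would truncate 10-digit ids */
	len = snprintf(ike_id_str, sizeof(ike_id_str), "%u", ike_id);
	if (len < 0 || (size_t)len >= sizeof(ike_id_str))
		return;
	debugf(NHRP_DEBUG_VICI, "ike_id_str = %s", ike_id_str);

	/* … unchanged: vici_submit_request("terminate", "ike-id", …) … */
}
```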
