nhrpd: Retry IPSec if NHRP is repeatedly failing

This prevents a failed IPSec connection from preventing DMVPN from working. A failure situation can be reproduced using a Cisco peer, and and disabling then re-enabling the tunnel IPSec protection (after the IPSec connection has already been established). Signed-off-by: Reuben Dowle <reuben.dowle@4rf.com>
author: Gaurav Goyal <gaurav.goyal@4rf.com> 2021-03-11 13:46:37 +1300
committer: Reuben Dowle <reuben.dowle@4rf.com> 2021-03-17 16:56:46 +1300
commit: 4cbaf956f6d711d5ec39b7e62bf0ee1085d96a16 (patch)
tree: 608d00d8825ff88a2c97e17ff2c71777e5ccb8b7 /nhrpd/vici.c
parent: 4d7ae2c0ddc439c0409b04d8b68efa18d4ceeed2 (diff)
1 files changed, 13 insertions, 0 deletions
diff --git a/nhrpd/vici.c b/nhrpd/vici.c
index 86554f53dc..2b5e0e56ca 100644
--- a/nhrpd/vici.c
+++ b/nhrpd/vici.c
@@ -200,6 +200,7 @@ static void parse_sa_message(struct vici_message_ctx *ctx,
 						nhrp_vc_ipsec_updown(
 							sactx->child_uniqueid,
 							vc);
+					vc->ike_uniqueid = sactx->ike_uniqueid;
 				}
 			} else {
 				nhrp_vc_ipsec_updown(sactx->child_uniqueid, 0);
@@ -521,6 +522,18 @@ void vici_terminate(void)
 {
 }
 
+void vici_terminate_vc(unsigned int ike_id)
+{
+	struct vici_conn *vici = &vici_connection;
+	char ike_id_str[10]={0};
+	snprintf(ike_id_str, sizeof(ike_id_str), "%d", ike_id);
+	debugf(NHRP_DEBUG_VICI,"ike_id_str = %s", ike_id_str);
+
+
+	vici_submit_request(vici, "terminate", VICI_KEY_VALUE, "ike-id",
+		    strlen(ike_id_str), ike_id_str, VICI_END);
+}
+
 void vici_request_vc(const char *profile, union sockunion *src,
 		     union sockunion *dst, int prio)
 {
author	Gaurav Goyal <gaurav.goyal@4rf.com>	2021-03-11 13:46:37 +1300
committer	Reuben Dowle <reuben.dowle@4rf.com>	2021-03-17 16:56:46 +1300
commit	4cbaf956f6d711d5ec39b7e62bf0ee1085d96a16 (patch)
tree	608d00d8825ff88a2c97e17ff2c71777e5ccb8b7 /nhrpd/vici.c
parent	4d7ae2c0ddc439c0409b04d8b68efa18d4ceeed2 (diff)