This simply means re-pulling the getconfig.esp tunnel configuration
and thereby acquiring new ESP keys and extending the lifetime of the
authentication cookie, before the <timeout> elapses.

Signed-off-by: Daniel Lenski <[email protected]>
---
 gpst.c | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/gpst.c b/gpst.c
index 0544edb..a4ec789 100644
--- a/gpst.c
+++ b/gpst.c
@@ -394,6 +394,7 @@ static int gpst_parse_config_xml(struct openconnect_info 
*vpninfo, xmlNode *xml_
        vpninfo->ip_info.domain = NULL;
        vpninfo->ip_info.mtu = 0;
        vpninfo->esp_magic = inet_addr(vpninfo->ip_info.gateway_addr);
+       vpninfo->ssl_times.rekey_method = REKEY_NONE;
        vpninfo->cstp_options = NULL;
 
        for (ii = 0; ii < 3; ii++)
@@ -409,6 +410,13 @@ static int gpst_parse_config_xml(struct openconnect_info 
*vpninfo, xmlNode *xml_
                else if (!xmlnode_get_text(xml_node, "mtu", &s)) {
                        vpninfo->ip_info.mtu = atoi(s);
                        free(s);
+               } else if (!xmlnode_get_text(xml_node, "timeout", &s)) {
+                       int sec = atoi(s);
+                       vpn_progress(vpninfo, PRG_INFO, _("Tunnel timeout 
(rekey interval) is %d minutes.\n"), sec/60);
+                       vpninfo->ssl_times.last_rekey = time(NULL);
+                       vpninfo->ssl_times.rekey = sec - 60;
+                       vpninfo->ssl_times.rekey_method = REKEY_TUNNEL;
+                       free(s);
                } else if (!xmlnode_get_text(xml_node, "gw-address", &s)) {
                        /* As remarked in oncp.c, "this is a tunnel; having a
                         * gateway is meaningless." See esp_send_probes_gp for 
the
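Review bot: The `timeout` value parsed with atoi() in this hunk comes straight from the gateway's XML without a range check, so `vpninfo->ssl_times.rekey = sec - 60` becomes zero or negative when the element is empty, non-numeric (atoi() returns 0) or shorter than a minute. How keepalive_action() treats a non-positive rekey interval is not visible on this page, but if it reads it as "already due" the client would reconnect on every pass through the mainloop. Guard the assignment so that REKEY_TUNNEL is only enabled for an interval longer than the one-minute margin, and release `s` before the guard so both paths free it; the REKEY_NONE default set in the first hunk already covers the disabled case. gpst_parse_config_xml starts and ends outside this hunk.
```c
		} else if (!xmlnode_get_text(xml_node, "timeout", &s)) {
			int sec = atoi(s);
			free(s);
			/* Rekey one minute before the announced timeout. A missing,
			 * non-numeric or sub-minute value would put the rekey deadline
			 * in the past, so leave rekey_method at its REKEY_NONE default. */
			if (sec > 60) {
				vpn_progress(vpninfo, PRG_INFO, _("Tunnel timeout (rekey interval) is %d minutes.\n"), sec/60);
				vpninfo->ssl_times.last_rekey = time(NULL);
				vpninfo->ssl_times.rekey = sec - 60;
				vpninfo->ssl_times.rekey_method = REKEY_TUNNEL;
			}
```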
@@ -659,6 +667,9 @@ int gpst_mainloop(struct openconnect_info *vpninfo, int 
*timeout)
                             _("ESP tunnel connected; exiting HTTPS 
mainloop.\n"));
                vpninfo->dtls_state = DTLS_CONNECTED;
        case DTLS_CONNECTED:
+               /* Rekey if needed */
+               if (keepalive_action(&vpninfo->ssl_times, timeout) == KA_REKEY)
+                       goto do_rekey;
                return 0;
        case DTLS_SECRET:
        case DTLS_SLEEPING:
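Review bot: The comment `/* Rekey if needed */` on the new check in the DTLS_CONNECTED case restates the code rather than explaining why a separate keepalive_action() call is needed here; the reason appears to be that this path returns 0 on the next line and so never reaches the keepalive_action() switch at the end of the function where KA_REKEY is otherwise handled. Suggest `/* ESP tunnel is up, so the HTTPS keepalive switch at the end of this function is never reached; check for a due rekey here */`. gpst_mainloop starts and continues outside this hunk.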
@@ -781,6 +792,8 @@ int gpst_mainloop(struct openconnect_info *vpninfo, int 
*timeout)
                        goto do_reconnect;
                else if (!ret) {
                        switch (ka_stalled_action(&vpninfo->ssl_times, 
timeout)) {
+                       case KA_REKEY:
+                               goto do_rekey;
                        case KA_DPD_DEAD:
                                goto peer_dead;
                        case KA_NONE:
@@ -803,6 +816,11 @@ int gpst_mainloop(struct openconnect_info *vpninfo, int 
*timeout)
        }
 
        switch (keepalive_action(&vpninfo->ssl_times, timeout)) {
+       case KA_REKEY:
+       do_rekey:
+               vpn_progress(vpninfo, PRG_INFO, _("GlobalProtect rekey due\n"));
+               goto do_reconnect;
+
        case KA_DPD_DEAD:
        peer_dead:
                vpn_progress(vpninfo, PRG_ERR,
-- 
2.7.4

