Module Name: src Committed By: tteras Date: Fri Nov 12 09:11:37 UTC 2010
Modified Files: src/crypto/dist/ipsec-tools/src/racoon: isakmp.c Log Message: Purge all IPsec-SA's if the last main ISAKMP-SA for the node is deleted by remote request and the phase1 rekeying is enabled (this will also trigger the new phase1_dead script hook). To generate a diff of this commit: cvs rdiff -u -r1.63 -r1.64 src/crypto/dist/ipsec-tools/src/racoon/isakmp.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/crypto/dist/ipsec-tools/src/racoon/isakmp.c diff -u src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.63 src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.64 --- src/crypto/dist/ipsec-tools/src/racoon/isakmp.c:1.63 Thu Oct 21 06:15:28 2010 +++ src/crypto/dist/ipsec-tools/src/racoon/isakmp.c Fri Nov 12 09:11:37 2010 @@ -1,4 +1,4 @@ -/* $NetBSD: isakmp.c,v 1.63 2010/10/21 06:15:28 tteras Exp $ */ +/* $NetBSD: isakmp.c,v 1.64 2010/11/12 09:11:37 tteras Exp $ */ /* Id: isakmp.c,v 1.74 2006/05/07 21:32:59 manubsd Exp */ @@ -766,6 +766,20 @@ return 0; } +static int +ph1_rekey_enabled(iph1) + struct ph1handle *iph1; +{ + if (iph1->rmconf->rekey == REKEY_FORCE) + return 1; +#ifdef ENABLE_DPD + if (iph1->rmconf->rekey == REKEY_ON && iph1->dpd_support && + iph1->rmconf->dpd_interval) + return 1; +#endif + return 0; +} + /* * main function of phase 1. */ @@ -866,13 +880,7 @@ migrate_dying_ph12(iph1); /* add to the schedule to expire, and seve back pointer. */ - if ((iph1->rmconf->rekey == REKEY_FORCE) -#ifdef ENABLE_DPD - || - (iph1->rmconf->rekey == REKEY_ON && iph1->dpd_support && - iph1->rmconf->dpd_interval) -#endif - ) { + if (ph1_rekey_enabled(iph1)) { sched_schedule(&iph1->sce, iph1->approval->lifetime * PFKEY_SOFT_LIFETIME_RATE / 100, @@ -2071,7 +2079,13 @@ plog(LLV_INFO, LOCATION, NULL, "ISAKMP-SA deleted %s-%s spi:%s\n", src, dst, isakmp_pindex(&iph1->index, 0)); + evt_phase1(iph1, EVT_PHASE1_DOWN, NULL); + + if (new_iph1 == NULL && ph1_rekey_enabled(iph1)) { + purge_remote(iph1); + script_hook(iph1, SCRIPT_PHASE1_DEAD); + } racoon_free(src); racoon_free(dst);