ipsec-146.3.tar.gz

diff --git a/ipsec-tools/racoon/ike_session.c b/ipsec-tools/racoon/ike_session.c
index 489fd5c376cbad0cf5a629280c4d0db4f3e9bd16..e122adb107c7943e34f3b9b560de4417868a33a6 100644 (file)
--- a/ipsec-tools/racoon/ike_session.c
+++ b/ipsec-tools/racoon/ike_session.c
@@ -267,6 +267,15 @@ ike_session_get_session (struct sockaddr *local,
                         "still search for IKE-Session. this %s.\n",
                         saddr2str((struct sockaddr *)&p->session_id.remote));
 
+               // for now: ignore any stopped sessions as they will go down
+               if (p->is_dying || p->stopped_by_vpn_controller || p->stop_timestamp.tv_sec || p->stop_timestamp.tv_usec) {
+                       plog(LLV_DEBUG, LOCATION, local,
+                                "still searching. skipping... session to %s is already stopped, active ph1 %d ph2 %d.\n",
+                                saddr2str((struct sockaddr *)&p->session_id.remote),
+                                p->ikev1_state.active_ph1cnt, p->ikev1_state.active_ph2cnt);
+                       continue;
+               }
+
                if (memcmp(&p->session_id, &id, sizeof(id)) == 0) {
                        plog(LLV_DEBUG, LOCATION, local,
                                 "Pre-existing IKE-Session to %s. case 1.\n",
@@ -1794,10 +1803,17 @@ ike_session_sweep_sleepwake (void)
                        plog(LLV_DEBUG2, LOCATION, NULL, "skipping sweep of asserted session.\n");
                        continue;
                }
-               
+
+               // cleanup any stopped sessions as they will go down
+               if (p->stopped_by_vpn_controller || p->stop_timestamp.tv_sec || p->stop_timestamp.tv_usec) {
+                       plog(LLV_DEBUG2, LOCATION, NULL, "sweeping stopped session.\n");
+                       ike_session_cleanup(p, ike_session_stopped_by_sleepwake);
+                       continue;
+               }
+
                if (!ike_session_has_established_ph1(p) && !ike_session_has_established_ph2(p)) {
-                       p->is_dying = 1;
                        plog(LLV_DEBUG2, LOCATION, NULL, "session died while sleeping.\n");
+                       ike_session_cleanup(p, ike_session_stopped_by_sleepwake);
                }
                if (p->traffic_monitor.sc_mon) {
                        if (p->traffic_monitor.sc_mon->xtime <= swept_at) {

diff --git a/ipsec-tools/racoon/ipsecSessionTracer.c b/ipsec-tools/racoon/ipsecSessionTracer.c
index 98308c25983e090c538ac2ffae71dace24f7b98b..5884aaa4bb6f610c80475b8b526aa0a8b0c7779c 100644 (file)
--- a/ipsec-tools/racoon/ipsecSessionTracer.c
+++ b/ipsec-tools/racoon/ipsecSessionTracer.c
@@ -233,7 +233,7 @@ ipsecSessionTracerEvent (ike_session_t *session, ipsecSessionEventCode_t eventCo
        char buf[1024];
 
        if (session == NULL) {
-               ipsecSessionLogEvent(session, CONSTSTR("tracer failed. (Invalid session)."));
+               //ipsecSessionLogEvent(session, CONSTSTR("tracer failed. (Invalid session)."));
                return;
        }
        if (eventCode <= IPSECSESSIONEVENTCODE_NONE || eventCode >= IPSECSESSIONEVENTCODE_MAX) {

diff --git a/ipsec-tools/racoon/isakmp.c b/ipsec-tools/racoon/isakmp.c
index 849833622225c0fb9d1b3b2f3f4614d63995b644..36bd7d0611df6e6ed3e1bf8afe4430463c0d2ac4 100644 (file)
--- a/ipsec-tools/racoon/isakmp.c
+++ b/ipsec-tools/racoon/isakmp.c
@@ -954,7 +954,7 @@ ph1_main(iph1, msg)
                                                vfree(raddr);
                                                if (addr->force) {
                                                        (void)ike_session_update_ph1_ph2tree(iph1);
-                                                       isakmp_ph1delete(iph1);
+                                                       isakmp_ph1expire(iph1);
                                                }
                                        }
                                }
@@ -2849,6 +2849,12 @@ isakmp_chkph1there(iph2)
 {
        struct ph1handle *iph1;
 
+       if (iph2->status != PHASE2ST_STATUS2 ||
+               iph2->is_dying) {
+               plog(LLV_DEBUG2, LOCATION, NULL, "CHKPH1THERE: ph2 handle has advanced too far (status %d, STATUS2 %d, dying %d)... ignoring\n", iph2->status, PHASE2ST_STATUS2, iph2->is_dying);
+               return;
+       }
+
        iph2->retry_checkph1--;
        if (iph2->retry_checkph1 < 0 ||
                ike_session_verify_ph2_parent_session(iph2)) {
@@ -4279,6 +4285,10 @@ isakmp_plist_append_initial_contact (iph1, plist)
                                 "failed to allocate notification payload.\n");
                        return NULL;
                }
+       } else {
+               plog(LLV_DEBUG, LOCATION, iph1->remote,
+                        "failed to add initial-contact payload: rekey %d, ini-contact %d, contacted %d.\n",
+                        iph1->is_rekey? 1:0, iph1->rmconf->ini_contact, getcontacted(iph1->remote)? 1:0);
        }
        return NULL;
 }

diff --git a/ipsec-tools/racoon/session.c b/ipsec-tools/racoon/session.c
index 8f151094fbc189ab8544c74e5bc64b1eb3422922..5bfbaba3b5c73349079b570682bc3b6419580a97 100644 (file)
--- a/ipsec-tools/racoon/session.c
+++ b/ipsec-tools/racoon/session.c
@@ -375,6 +375,17 @@ session(void)
                        if (update_myaddrs() && lcconf->autograbaddr)
                                if (check_rtsock_sched == NULL) /* only schedule if not already done */
                                        check_rtsock_sched = sched_new(1, check_rtsock, NULL);
+                               else {
+                                       // force reinit if schedule is too far off (3 seconds or more)
+                                       time_t too_far = current_time() + 3;
+                                       if (check_rtsock_sched->dead ||
+                                               check_rtsock_sched->xtime >= too_far) {
+                                               plog(LLV_DEBUG, LOCATION, NULL,
+                                                        "forced reinit of addrs\n");
+                                               update_fds = 0;
+                                               check_rtsock(NULL);
+                                       }
+                               }
                        // initfds();   //%%% BUG FIX - not needed here
                }
                if (update_fds) {