fix: make DPD less sensitive

t8m · streambinder · commit 88069f6faaeb · 2024-11-13T18:24:44.000+01:00
[lkundrak@v3.sk: this patch has been sitting in Fedora package in 2007. I don't understand the details here, but given the origin of the patch I can hazard a guess it was dealing with the Cisco IPSec VPN concentrator that Red Hat was running at the time being too keen to kill idle clients.] https://bugzilla.redhat.com/show_bug.cgi?id=345281
diff --git a/src/config.c b/src/config.c
@@ -349,7 +349,7 @@ static const char *config_def_udp_port(void)
 
 static const char *config_def_dpd_idle(void)
 {
-	return "300";
+	return "600";
 }
 
 static const char *config_ca_dir(void)
diff --git a/src/tunip.c b/src/tunip.c
@@ -955,7 +955,7 @@ static void vpnc_main_loop(struct sa_block *s)
 					time_t now = time(NULL);
 					if (s->ike.dpd_seqno != s->ike.dpd_seqno_ack) {
 						/* Wake up more often for dpd attempts */
-						select_timeout.tv_sec = 5;
+						select_timeout.tv_sec = s->ike.dpd_idle/10;
 						select_timeout.tv_usec = 0;
 						dpd_ike(s);
 						next_ike_dpd = now + s->ike.dpd_idle;
@@ -1029,8 +1029,8 @@ static void vpnc_main_loop(struct sa_block *s)
 				if (s->ike.dpd_seqno != s->ike.dpd_seqno_ack) {
 					dpd_ike(s);
 					next_ike_dpd = now + s->ike.dpd_idle;
-					if (now + 5 < next_up)
-						next_up = now + 5;
+					if (now + s->ike.dpd_idle/10 < next_up)
+						next_up = now + s->ike.dpd_idle/10;
 				}
 				else if (now >= next_ike_dpd) {
 					dpd_ike(s);
diff --git a/src/vpnc.c b/src/vpnc.c
@@ -801,20 +801,22 @@ void dpd_ike(struct sa_block *s)
 		send_dpd(s, 0, s->ike.dpd_seqno);
 	} else {
 		/* Our last dpd request has not yet been acked.  If it's been
-		** less than 5 seconds since we sent it do nothing.  Otherwise
+		** less than 1/10th of idle timeout since we sent it do nothing.  Otherwise
 		** decrement dpd_attempts.  If dpd_attempts is 0 dpd fails and we
 		** terminate otherwise we send it again with the same sequence
 		** number and record current time.
 		*/
 		time_t now = time(NULL);
-		if (now < s->ike.dpd_sent + 5)
+		if (now < s->ike.dpd_sent + s->ike.dpd_idle/10)
 			return;
 		if (--s->ike.dpd_attempts == 0) {
 			DEBUG(2, printf("dead peer detected, terminating\n"));
 			do_kill = -2;
 			return;
 		}
 		s->ike.dpd_sent = now;
+		if (s->ike.dpd_attempts == 3)
+		    ++s->ike.dpd_seqno; /* maybe just the dpd reply got lost let's try new seq no */
 		send_dpd(s, 0, s->ike.dpd_seqno);
 	}
 	DEBUG(3, printf("sent DPD packet\n"));

Original file line number	Diff line number	Diff line change
`@@ -349,7 +349,7 @@ static const char *config_def_udp_port(void)`
`349`	`349`
`350`	`350`	`static const char *config_def_dpd_idle(void)`
`351`	`351`	`{`
`352`		`- return "300";`
	`352`	`+ return "600";`
`353`	`353`	`}`
`354`	`354`
`355`	`355`	`static const char *config_ca_dir(void)`