@robbat2
Created November 15, 2019 18:32
From d15f5f6a4c8df14608fde987a70eb533b40dc600 Mon Sep 17 00:00:00 2001
From: "Robin H. Johnson" <robbat2@gentoo.org>
Date: Tue, 19 Mar 2019 08:06:00 -0700
Subject: [PATCH] gpst: cap rekey interval
Multiple GPST users report that while GP is advertising 12-hour
sessions, the session stops passing most** traffic around the 3-hour
mark.
Most traffic: Open TCP sessions work, internal DNS works, recent hosts
work for new connections; all other IP traffic is dropped.
The GP server configuration document mentions forcing clients to
resubmit a HIP at a different interval than rekeying, but doesn't
provide any configuration methods for the interval. This functionality
is also not presently available separately from OpenConnect, but is in
the rekey codepath.
As a workaround, cap the rekey interval to 1 hour, which implicitly
includes a HIP cycle.
Original-Patch-By: Adam Wolfe Gordon <awg@digitalocean.com>
Signed-off-by: Robin H. Johnson <rjohnson@digitalocean.com>
Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>
---
gpst.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/gpst.c b/gpst.c
index a0dc81fe..ab7c08b1 100644
--- a/gpst.c
+++ b/gpst.c
@@ -483,6 +483,8 @@ static int gpst_parse_config_xml(struct openconnect_info *vpninfo, xmlNode *xml_
s = NULL;
} else if (!xmlnode_get_val(xml_node, "timeout", &s)) {
int sec = atoi(s);
+ // XXX: Cap the rekey interval to 1h to trigger HIP submission
+ sec = MIN(3600, sec);
vpn_progress(vpninfo, PRG_INFO, _("Tunnel timeout (rekey interval) is %d minutes.\n"), sec/60);
vpninfo->ssl_times.last_rekey = time(NULL);
vpninfo->ssl_times.rekey = sec - 60;
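Review bot: the cap is applied before the vpn_progress() call, so the "Tunnel timeout (rekey interval) is %d minutes." line now reports the capped value (60 minutes) rather than what the server advertised, and a user reading the log cannot tell whether the workaround fired; log both, e.g. `_("Tunnel timeout (rekey interval) is %d minutes (server advertised %d).\n")`, keeping the original atoi() result in a second variable. The hardcoded 3600 with an "XXX" comment should also become a named constant or a command-line option, since the commit message itself describes this as a workaround for an interval the GP server does not let the client configure, and the comment should say why (HIP resubmission) rather than just "XXX". Note too that `sec = MIN(3600, sec);` only bounds the high side: a missing or unparseable `timeout` value makes atoi() return 0, which the cap passes through unchanged, and the existing `vpninfo->ssl_times.rekey = sec - 60;` then goes negative; a lower-bound check (or treating sec <= 60 as "no rekey") belongs in the same hunk.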
--
2.21.0