Created November 15, 2019 18:32
From d15f5f6a4c8df14608fde987a70eb533b40dc600 Mon Sep 17 00:00:00 2001
From: "Robin H. Johnson" <robbat2@gentoo.org>
Date: Tue, 19 Mar 2019 08:06:00 -0700
Subject: [PATCH] gpst: cap rekey interval

Multiple GPST users reporting that while GP is advertising 12 hour
sessions, the session stops passing most** traffic around the 3 hour
mark.

Most traffic: Open TCP sessions work, internal DNS works, recent hosts
work for new connections; all other IP traffic is dropped.

The GP server configuration document mentions forcing clients to
resubmit a HIP at a different interval than rekeying, but doesn't
provide any configuration methods for the interval. This functionality
is also not presently available separately from OpenConnect, but is in
the rekey codepath.

As a workaround, cap the rekey interval to 1 hour, which implicitly
includes a HIP cycle.

Original-Patch-By: Adam Wolfe Gordon <awg@digitalocean.com>
Signed-off-by: Robin H. Johnson <rjohnson@digitalocean.com>
Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>
---
 gpst.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/gpst.c b/gpst.c | |
index a0dc81fe..ab7c08b1 100644 | |
--- a/gpst.c | |
+++ b/gpst.c | |
@@ -483,6 +483,8 @@ static int gpst_parse_config_xml(struct openconnect_info *vpninfo, xmlNode *xml_ | |
s = NULL; | |
} else if (!xmlnode_get_val(xml_node, "timeout", &s)) { | |
int sec = atoi(s); | |
+ // XXX: Cap the rekey interval to 1h to trigger HIP submission | |
+ sec = MIN(3600, sec); | |
vpn_progress(vpninfo, PRG_INFO, _("Tunnel timeout (rekey interval) is %d minutes.\n"), sec/60); | |
vpninfo->ssl_times.last_rekey = time(NULL); | |
vpninfo->ssl_times.rekey = sec - 60; | |
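Review bot: the cap `sec = MIN(3600, sec);` silently replaces the server-advertised value, so the `vpn_progress` line that follows now reports 60 minutes rather than what the server actually sent; log the original value, or a note that the cap was applied, so a user debugging the 3-hour drop can tell the two apart. The hardcoded 3600 behind an `XXX` comment also deserves a named constant or a command-line option, given that the commit message itself calls this a workaround. Note too that `MIN(3600, sec)` only clamps from above: if `atoi(s)` returns 0 or a negative number for a malformed `timeout`, the existing `vpninfo->ssl_times.rekey = sec - 60;` goes negative; that is pre-existing, but worth clamping from below while this line is being touched.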
-- | |
2.21.0 | |