nhrpd: Close IPSec connection when tunnel protection removed

Signed-off-by: Reuben Dowle <reuben.dowle@4rf.com>

diff --git a/nhrpd/nhrp_interface.c b/nhrpd/nhrp_interface.c
index f86dbe3d29d84eb9ba1c96a772d28e7a92661380..a328a91b1876fdf757d95615275d4855771fd051 100644 (file)
--- a/nhrpd/nhrp_interface.c
+++ b/nhrpd/nhrp_interface.c
@@ -465,11 +465,17 @@ void nhrp_interface_set_protection(struct interface *ifp, const char *profile,
        struct nhrp_interface *nifp = ifp->info;
 
        if (nifp->ipsec_profile)
+       {
+               vici_terminate_vc_by_profile_name(nifp->ipsec_profile);
                free(nifp->ipsec_profile);
+       }
        nifp->ipsec_profile = profile ? strdup(profile) : NULL;
 
        if (nifp->ipsec_fallback_profile)
+       {
+               vici_terminate_vc_by_profile_name(nifp->ipsec_fallback_profile);
                free(nifp->ipsec_fallback_profile);
+       }
        nifp->ipsec_fallback_profile =
                fallback_profile ? strdup(fallback_profile) : NULL;
 

diff --git a/nhrpd/nhrp_nhs.c b/nhrpd/nhrp_nhs.c
index 31f20c0677263c4950231e4c05a2fe0c763769fd..2a871ee089cdf85250ccfa3fde62c23c74ff3838 100644 (file)
--- a/nhrpd/nhrp_nhs.c
+++ b/nhrpd/nhrp_nhs.c
@@ -122,7 +122,8 @@ static int nhrp_reg_timeout(struct thread *t)
                if(r->peer && r->peer->vc && r->peer->vc->ike_uniqueid)
                {
                        debugf(NHRP_DEBUG_COMMON, "Terminating IPSec Connection for %d\n", r->peer->vc->ike_uniqueid);
-                       vici_terminate_vc(r->peer->vc->ike_uniqueid);
+                       vici_terminate_vc_by_ike_id(r->peer->vc->ike_uniqueid);
+                       r->peer->vc->ike_uniqueid = 0;
                }
                r->timeout = 2;
        }

diff --git a/nhrpd/nhrpd.h b/nhrpd/nhrpd.h
index 37a9e338cda07b04b8830ca6635f29253b1aa993..66ca1eabfd80cdeb30764fe51ca7a5f1c8eeb455 100644 (file)
--- a/nhrpd/nhrpd.h
+++ b/nhrpd/nhrpd.h
@@ -400,7 +400,8 @@ void nhrp_vc_reset(void);
 
 void vici_init(void);
 void vici_terminate(void);
-void vici_terminate_vc(unsigned int ike_id);
+void vici_terminate_vc_by_profile_name(char *profile_name);
+void vici_terminate_vc_by_ike_id(unsigned int ike_id);
 void vici_request_vc(const char *profile, union sockunion *src,
                     union sockunion *dst, int prio);
 

diff --git a/nhrpd/vici.c b/nhrpd/vici.c
index 2b5e0e56ca2b97c9e5496b3eb65fbb3dfc119c9d..cce3947ee023eb9eafc2d771dd8896e145a710dc 100644 (file)
--- a/nhrpd/vici.c
+++ b/nhrpd/vici.c
@@ -522,14 +522,18 @@ void vici_terminate(void)
 {
 }
 
-void vici_terminate_vc(unsigned int ike_id)
+void vici_terminate_vc_by_profile_name(char *profile_name)
+{
+       struct vici_conn *vici = &vici_connection;
+       vici_submit_request(vici, "terminate", VICI_KEY_VALUE, "ike",
+                   strlen(profile_name), profile_name, VICI_END);
+}
+
+void vici_terminate_vc_by_ike_id(unsigned int ike_id)
 {
        struct vici_conn *vici = &vici_connection;
        char ike_id_str[10]={0};
        snprintf(ike_id_str, sizeof(ike_id_str), "%d", ike_id);
-       debugf(NHRP_DEBUG_VICI,"ike_id_str = %s", ike_id_str);
-
-
        vici_submit_request(vici, "terminate", VICI_KEY_VALUE, "ike-id",
                    strlen(ike_id_str), ike_id_str, VICI_END);
 }