From: Daniel Lenski Date: Mon, 12 Apr 2021 03:23:11 +0000 (-0700) Subject: Set Fortinet DPD interval from server's config X-Git-Tag: v8.20~300 X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=e1eac26733f89fcf6eacffe6aa5a2b49bb1dae38;p=users%2Fdwmw2%2Fopenconnect.git Set Fortinet DPD interval from server's config The name of the tag implies that its purpose is DTLS-specific () and that it requires the use of the DTLS heartbeat extension (https://tools.ietf.org/html/rfc6520). However, PPP already contains natural analogues for keepalive (Discard-Request) and DPD (Echo-Request and Echo-Reply), which appear to work just fine with Fortinet servers. We may as well use the server's heartbeat/keepalive interval for a more generic, transport-agnostic DPD mechanism, since OpenConnect and PPP already support it. The official Fortinet client software for Windows/Mac appears to be very deficient at dead peer detection, so this may represent a substantial improvement in functionality for some users. Signed-off-by: Daniel Lenski --- diff --git a/fortinet.c b/fortinet.c index 8d9b4bbf..9718230d 100644 --- a/fortinet.c +++ b/fortinet.c @@ -343,6 +343,10 @@ static int parse_fortinet_xml_config(struct openconnect_info *vpninfo, char *buf else if (xmlnode_is_named(xml_node, "idle-timeout") && !xmlnode_get_prop(xml_node, "val", &s)) { int sec = vpninfo->idle_timeout = atoi(s); vpn_progress(vpninfo, PRG_INFO, _("Idle timeout is %d minutes.\n"), sec/60); + } else if (xmlnode_is_named(xml_node, "dtls-config") && !xmlnode_get_prop(xml_node, "heartbeat-interval", &s)) { + int sec = atoi(s); + if (sec && (!vpninfo->dtls_times.dpd || sec < vpninfo->dtls_times.dpd)) + vpninfo->dtls_times.dpd = vpninfo->ssl_times.dpd = sec; } else if (xmlnode_is_named(xml_node, "fos")) { char platform[80], *p = platform, *e = platform + 80; if (!xmlnode_get_prop(xml_node, "platform", &s)) {
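Review bot: the new `dtls-config` branch in this hunk parses the server-supplied `heartbeat-interval` with `atoi(s)` and no range check, so a negative value such as `-5` passes the `sec &&` test, satisfies `sec < vpninfo->dtls_times.dpd` and is stored as the DPD interval for both `dtls_times` and `ssl_times`. Parse it with `strtol` and accept only positive values, e.g. `if (sec > 0 && (!vpninfo->dtls_times.dpd || sec < vpninfo->dtls_times.dpd))`, and consider logging the accepted interval with `vpn_progress(vpninfo, PRG_INFO, ...)` the way the adjacent `idle-timeout` branch does, so the value the server imposed is visible to the user.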