authorLucas Christian <lucas@lucasec.com>2024-07-07 03:11:00 -0700
committerLucas Christian <lucas@lucasec.com>2024-07-26 18:26:30 -0700
commit404b641121d3f5f7686b6ad75236ff64b0733cf9 (patch)
tree6eb5b19a3ff1cbce6b6f8341ee3dcfdde63d4519 /src
parent376e2d898f26c13a31f80d877f4e2621fd6efb0f (diff)
T5873: vpn ipsec: ignore dhcp/vti settings when connection disabled
Diffstat (limited to 'src')
-rwxr-xr-xsrc/conf_mode/vpn_ipsec.py16
1 files changed, 10 insertions, 6 deletions
diff --git a/src/conf_mode/vpn_ipsec.py b/src/conf_mode/vpn_ipsec.py
index 789d37a77..e8a0bc414 100755
--- a/src/conf_mode/vpn_ipsec.py
+++ b/src/conf_mode/vpn_ipsec.py
@@ -280,7 +280,8 @@ def verify(ipsec):
if not os.path.exists(f'{dhcp_base}/dhclient_{dhcp_interface}.conf'):
raise ConfigError(f"Invalid dhcp-interface on remote-access connection {name}")
- ipsec['dhcp_interfaces'].add(dhcp_interface)
+ if 'disable' not in ra_conf:
+ ipsec['dhcp_interfaces'].add(dhcp_interface)
address = get_dhcp_address(dhcp_interface)
count = 0
@@ -340,9 +341,10 @@ def verify(ipsec):
if not interface_exists(vti_interface):
raise ConfigError(f'VTI interface {vti_interface} for remote-access connection {name} does not exist!')
- ipsec['enabled_vti_interfaces'].add(vti_interface)
- # remote access VPN interfaces are always up regardless of whether clients are connected
- ipsec['persistent_vti_interfaces'].add(vti_interface)
+ if 'disable' not in ra_conf:
+ ipsec['enabled_vti_interfaces'].add(vti_interface)
+ # remote access VPN interfaces are always up regardless of whether clients are connected
+ ipsec['persistent_vti_interfaces'].add(vti_interface)
if 'pool' in ra_conf:
if {'dhcp', 'radius'} <= set(ra_conf['pool']):
@@ -507,7 +509,8 @@ def verify(ipsec):
if not os.path.exists(f'{dhcp_base}/dhclient_{dhcp_interface}.conf'):
raise ConfigError(f"Invalid dhcp-interface on site-to-site peer {peer}")
- ipsec['dhcp_interfaces'].add(dhcp_interface)
+ if 'disable' not in peer_conf:
+ ipsec['dhcp_interfaces'].add(dhcp_interface)
address = get_dhcp_address(dhcp_interface)
count = 0
@@ -529,7 +532,8 @@ def verify(ipsec):
vti_interface = peer_conf['vti']['bind']
if not interface_exists(vti_interface):
raise ConfigError(f'VTI interface {vti_interface} for site-to-site peer {peer} does not exist!')
- ipsec['enabled_vti_interfaces'].add(vti_interface)
+ if 'disable' not in peer_conf:
+ ipsec['enabled_vti_interfaces'].add(vti_interface)
if 'vti' not in peer_conf and 'tunnel' not in peer_conf:
raise ConfigError(f"No VTI or tunnel specified on site-to-site peer {peer}")
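Review bot: The `if 'disable' not in ra_conf:` guard in the first hunk is placed after the `os.path.exists` check and before `address = get_dhcp_address(dhcp_interface)`, so a disabled remote-access connection still fails verification on a missing dhclient config and still triggers the DHCP address lookup and whatever the `count = 0` loop below does with it; the site-to-site hunk at the `if 'disable' not in peer_conf:` line before `address = get_dhcp_address(dhcp_interface)` has the same shape. If the commit's intent is to ignore the dhcp settings of a disabled connection entirely, the guard would need to wrap the whole dhcp-interface branch rather than only the `.add()` call; the enclosing loop starts outside the hunk, so I cannot tell whether a `continue` is valid there. If validating even disabled connections is deliberate, a short comment would prevent the next reader from "fixing" it, e.g. `# disabled connections are still validated; only their runtime bring-up is skipped`. The same `'disable' not in ...` test now appears four times per file; binding it once per connection (`disabled = 'disable' in ra_conf` / `'disable' in peer_conf`) at the top of each loop body would keep the four sites consistent.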