-rwxr-xr-xsrc/conf_mode/ipsec-settings.py26
-rwxr-xr-xsrc/etc/vmware-tools/scripts/resume-vm-default.d/ether-resume.py11
2 files changed, 22 insertions, 15 deletions
diff --git a/src/conf_mode/ipsec-settings.py b/src/conf_mode/ipsec-settings.py
index b02f3bcb0..ce313d9a0 100755
--- a/src/conf_mode/ipsec-settings.py
+++ b/src/conf_mode/ipsec-settings.py
@@ -46,6 +46,14 @@ def get_config(config=None):
config = config
else:
config = Config()
+
+ # IPsec isn't configured enough to warrant starting StrongSWAN for it,
+ # it's just some incomplete or leftover options.
+ if config.exists("vpn ipsec site-to-site peer") or \
+ config.exists("vpn ipsec profile") or \
+ config.exists("vpn l2tp remote-access ipsec-settings"):
+ return {}
+
data = {"install_routes": "yes"}
if config.exists("vpn ipsec options disable-route-autoinstall"):
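Review bot: The early return added to `get_config` looks inverted: it returns `{}` when `vpn ipsec site-to-site peer`, `vpn ipsec profile` or `vpn l2tp remote-access ipsec-settings` exists, while the comment above it and the removed `apply()` condition both treat those nodes as the reason to run the daemon. As written, a system with configured tunnels gets empty data, so `apply(data)` in the later hunk skips `restart_ipsec()` and prints the "will not start" note, and changed IPsec settings would not be loaded by this script. The condition should be negated, `if not (config.exists(...) or config.exists(...) or config.exists(...)): return {}`. `verify()` and `generate()` are now also called with `{}`; their bodies are outside the hunk, so confirm they tolerate an empty dict. `get_config` starts before and continues after this hunk.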
@@ -204,6 +212,10 @@ def generate(data):
def restart_ipsec():
try:
+ # Restart the IPsec daemon when it's running.
+ # Since it's started by the legacy ipsec.pl in VyOS 1.3,
+ # there's a chance that this script will run before charon is up,
+ # so we can't assume it's running and have to check and wait if needed.
wait_for_file_write_complete(charon_pidfile,
pre_hook=(lambda: call('ipsec restart >&/dev/null')),
timeout=10)
@@ -214,22 +226,18 @@ def restart_ipsec():
except OSError:
raise ConfigError('VPN configuration error: IPSec process did not start.')
-def apply(data, config):
- if config.exists("vpn ipsec site-to-site peer") or \
- config.exists("vpn ipsec profile") or \
- config.exists("vpn l2tp remote-access ipsec-settings"):
- # Restart IPSec daemon
+def apply(data):
+ if data:
restart_ipsec()
else:
- print()
+ print("Note: the IPsec process will not start until you configure some tunnels, profiles, or L2TP/IPsec settings")
if __name__ == '__main__':
try:
- vyos_config = Config()
- c = get_config(vyos_config)
+ c = get_config()
verify(c)
generate(c)
- apply(c, vyos_config)
+ apply(c)
except ConfigError as e:
print(e)
exit(1)
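Review bot: The `else` branch of `apply()` only prints a note, so when the last peer, profile or L2TP/IPsec setting is deleted, nothing in this script stops or reloads a charon that is already running, and whatever it had loaded may stay active. If the legacy `ipsec.pl` mentioned in the `restart_ipsec()` comment does not handle that teardown (not visible here), consider stopping the daemon in that branch, or have the message state that an already running daemon is left untouched. A one-line docstring such as `"""Restart IPsec when get_config() returned settings; an empty dict means IPsec is not configured."""` would also document the empty-dict convention the new signature relies on.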
diff --git a/src/etc/vmware-tools/scripts/resume-vm-default.d/ether-resume.py b/src/etc/vmware-tools/scripts/resume-vm-default.d/ether-resume.py
index ec33906ba..4e7fb117c 100755
--- a/src/etc/vmware-tools/scripts/resume-vm-default.d/ether-resume.py
+++ b/src/etc/vmware-tools/scripts/resume-vm-default.d/ether-resume.py
@@ -25,9 +25,8 @@ def get_config():
c = Config()
interfaces = dict()
for intf in c.list_effective_nodes('interfaces ethernet'):
- # skip interfaces that are disabled or is configured for dhcp
+ # skip interfaces that are disabled
check_disable = f'interfaces ethernet {intf} disable'
- check_dhcp = f'interfaces ethernet {intf} address dhcp'
if c.exists_effective(check_disable):
continue
@@ -49,10 +48,10 @@ def apply(config):
# add configured addresses to interface
for addr in addresses:
- if addr == 'dhcp':
- cmd = ['dhclient', intf]
- else:
- cmd = f'ip address add {addr} dev {intf}'
+ # dhcp is handled by netplug
+ if addr in ['dhcp', 'dhcpv6']:
+ continue
+ cmd = f'ip address add {addr} dev {intf}'
syslog.syslog(cmd)
run(cmd)
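Review bot: `cmd = f'ip address add {addr} dev {intf}'` builds the command as a single string from configuration values and hands it to `run()`; whether `run()` goes through a shell is not visible in this hunk, but if it does, safe handling depends entirely on upstream validation of `addr` and `intf`. The removed `dhclient` branch passed a list, so `run()` presumably accepts one: `cmd = ['ip', 'address', 'add', addr, 'dev', intf]` with `syslog.syslog(' '.join(cmd))` would avoid shell parsing altogether. `apply()` begins and ends outside this hunk.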