diff options
Diffstat (limited to 'python/vyos/template.py')
| -rw-r--r-- | python/vyos/template.py | 13 |
1 files changed, 10 insertions, 3 deletions
diff --git a/python/vyos/template.py b/python/vyos/template.py index 08a5712af..d13915766 100644 --- a/python/vyos/template.py +++ b/python/vyos/template.py @@ -393,8 +393,15 @@ def get_ip(interface): from vyos.ifconfig import Interface return Interface(interface).get_addr() +def get_first_ike_dh_group(ike_group): + if ike_group and 'proposal' in ike_group: + for priority, proposal in ike_group['proposal'].items(): + if 'dh_group' in proposal: + return 'dh-group' + proposal['dh_group'] + return 'dh-group2' # Fallback on dh-group2 + @register_filter('get_esp_ike_cipher') -def get_esp_ike_cipher(group_config): +def get_esp_ike_cipher(group_config, ike_group=None): pfs_lut = { 'dh-group1' : 'modp768', 'dh-group2' : 'modp1024', @@ -406,7 +413,7 @@ def get_esp_ike_cipher(group_config): 'dh-group18' : 'modp8192', 'dh-group19' : 'ecp256', 'dh-group20' : 'ecp384', - 'dh-group21' : 'ecp512', + 'dh-group21' : 'ecp521', 'dh-group22' : 'modp1024s160', 'dh-group23' : 'modp2048s224', 'dh-group24' : 'modp2048s256', @@ -433,7 +440,7 @@ def get_esp_ike_cipher(group_config): elif 'pfs' in group_config and group_config['pfs'] != 'disable': group = group_config['pfs'] if group_config['pfs'] == 'enable': - group = 'dh-group2' + group = get_first_ike_dh_group(ike_group) tmp += '-' + pfs_lut[group] ciphers.append(tmp) |