Diffstat (limited to 'src/etc/dhcp/dhclient-exit-hooks.d/ipsec-dhclient-hook')
-rwxr-xr-x[-rw-r--r--] | src/etc/dhcp/dhclient-exit-hooks.d/ipsec-dhclient-hook | 72 |
1 files changed, 57 insertions, 15 deletions
diff --git a/src/etc/dhcp/dhclient-exit-hooks.d/ipsec-dhclient-hook b/src/etc/dhcp/dhclient-exit-hooks.d/ipsec-dhclient-hook
index 36edf04f3..a7a9a2ce6 100644..100755
--- a/src/etc/dhcp/dhclient-exit-hooks.d/ipsec-dhclient-hook
+++ b/src/etc/dhcp/dhclient-exit-hooks.d/ipsec-dhclient-hook
@@ -1,12 +1,44 @@
-#!/usr/bin/env python3
+#!/bin/bash
+#
+# Copyright (C) 2021 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
-import os
-import sys
+if [ "$reason" == "REBOOT" ] || [ "$reason" == "EXPIRE" ]; then
+ exit 0
+fi
+
+DHCP_HOOK_IFLIST="/tmp/ipsec_dhcp_waiting"
+
+if [ -f $DHCP_HOOK_IFLIST ] && [ "$reason" == "BOUND" ]; then
+ if grep -qw $interface $DHCP_HOOK_IFLIST; then
+ sudo rm $DHCP_HOOK_IFLIST
+ sudo python3 /usr/libexec/vyos/conf_mode/vpn_ipsec.py
+ exit 0
+ fi
+fi
+
+if [ "$old_ip_address" == "$new_ip_address" ] && [ "$reason" == "BOUND" ]; then
+ exit 0
+fi
+python3 - <<PYEND
+import os
+import re
 from vyos.util import call
+from vyos.util import cmd
-IPSEC_CONF="/etc/ipsec.conf"
-IPSEC_SECRETS="/etc/ipsec.secrets"
+SWANCTL_CONF="/etc/swanctl/swanctl.conf"
 def getlines(file):
 with open(file, 'r') as f:
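Review bot: The early-exit guard `[ "$old_ip_address" == "$new_ip_address" ] && [ "$reason" == "BOUND" ]` looks inverted relative to the removed Python check `(old_ip == new_ip and reason != 'BOUND')`: an unchanged address on a RENEW or REBIND no longer exits, so the embedded script runs and, if the `# dhcp:` marker is found in swanctl.conf, calls `ipsec_down` on a still-valid peer at every lease renewal; unless that is intended the test should read `[ "$reason" != "BOUND" ]`. Separately, `DHCP_HOOK_IFLIST` is a file in world-writable /tmp whose presence and contents decide whether `sudo python3 /usr/libexec/vyos/conf_mode/vpn_ipsec.py` runs, so the trigger can be planted by any local account rather than only by the component that is meant to request it; keeping it in a root-owned runtime directory and checking ownership before trusting it closes that, and `$DHCP_HOOK_IFLIST` and `$interface` should be double-quoted (an empty `$interface` makes grep read the file path as its pattern and wait on stdin). The unquoted heredoc `<<PYEND` also subjects the Python source to shell expansion; `<<'PYEND'` keeps it literal.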
@@ -16,17 +48,25 @@ def writelines(file, lines):
 with open(file, 'w') as f:
 f.writelines(lines)
+def ipsec_down(ip_address):
+ # This prevents the need to restart ipsec and kill all active connections, only the stale connection is closed
+ status = cmd('sudo ipsec statusall')
+ connection_name = None
+ for line in status.split("\n"):
+ if line.find(ip_address) > 0:
+ regex_match = re.search(r'(peer_[^:\[]+)', line)
+ if regex_match:
+ connection_name = regex_match[1]
+ break
+ if connection_name:
+ call(f'sudo ipsec down {connection_name}')
+
 if __name__ == '__main__':
 interface = os.getenv('interface')
 new_ip = os.getenv('new_ip_address')
 old_ip = os.getenv('old_ip_address')
- reason = os.getenv('reason')
-
- if (old_ip == new_ip and reason != 'BOUND') or reason in ['REBOOT', 'EXPIRE']:
- sys.exit(0)
- conf_lines = getlines(IPSEC_CONF)
- secrets_lines = getlines(IPSEC_SECRETS)
+ conf_lines = getlines(SWANCTL_CONF)
 found = False
 to_match = f'# dhcp:{interface}'
@@ -40,7 +80,9 @@ if __name__ == '__main__':
 secrets_lines[i] = line.replace(old_ip, new_ip)
 if found:
- writelines(IPSEC_CONF, conf_lines)
- writelines(IPSEC_SECRETS, secrets_lines)
- call('sudo /usr/sbin/ipsec rereadall')
- call('sudo /usr/sbin/ipsec reload')
+ writelines(SWANCTL_CONF, conf_lines)
+ ipsec_down(old_ip)
+ call('sudo ipsec rereadall')
+ call('sudo ipsec reload')
+ call('sudo swanctl -q')
+PYEND
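Review bot: In `ipsec_down`, `line.find(ip_address) > 0` treats a match at column 0 as a miss and raises TypeError when `ip_address` is None, which is what `os.getenv('old_ip_address')` returns when dhclient did not export it; the plain substring test also lets an address such as 10.0.0.1 match a status line for 10.0.0.10 (constructed example) and tear down the wrong peer. A bounded match avoids both: `if ip_address and re.search(rf'\b{re.escape(ip_address)}\b', line):`. The extracted `connection_name` is then interpolated into `call(f'sudo ipsec down {connection_name}')`, and the class `[^:\[]+` admits spaces and shell metacharacters from whatever `ipsec statusall` prints; if `call` runs through a shell, tighten the capture to `r'(peer_[\w.-]+)'` or pass the arguments as a list so the connection name is never parsed by the shell.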
\ No newline at end of file |
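Review bot: The context line `secrets_lines[i] = line.replace(old_ip, new_ip)` still references `secrets_lines`, but its only assignment `secrets_lines = getlines(IPSEC_SECRETS)` is removed in the previous hunk, so the loop that rewrites the old secrets file (its header lies outside this hunk) raises NameError the first time it iterates, before `writelines(SWANCTL_CONF, conf_lines)` is ever reached. Since swanctl.conf is now the only file rewritten, that secrets loop should be deleted together with the definition rather than left as dead-but-executed code. The enclosing `if __name__ == '__main__':` block starts outside the hunk.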