summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorSaurabh Mohan <saurabh.mohan@vyatta.com>2012-09-04 10:34:32 -0700
committerSaurabh Mohan <saurabh.mohan@vyatta.com>2012-09-04 10:34:32 -0700
commit400c7337f7498e9f958fe04873565060f4b9cf89 (patch)
tree22afc5b562f95c585bb819ede623f4c8d2ac752b
parentf49b2338a457ff224acd306738314d178e46d82c (diff)
downloadvyatta-cfg-vpn-400c7337f7498e9f958fe04873565060f4b9cf89.tar.gz
vyatta-cfg-vpn-400c7337f7498e9f958fe04873565060f4b9cf89.zip
Bugfix 8277: For connection type respond do not attempt keying forever
When a connection-type is respond (configured using: set vpn ipsec site-to-site peer <ip-addr> connection-type [initiate | respond]), the device should not keep trying to key forever.
-rwxr-xr-xscripts/vpn-config.pl9
1 files changed, 6 insertions, 3 deletions
diff --git a/scripts/vpn-config.pl b/scripts/vpn-config.pl
index 12b561a..2abf3bb 100755
--- a/scripts/vpn-config.pl
+++ b/scripts/vpn-config.pl
@@ -881,9 +881,6 @@ if ( $vcVPN->exists('ipsec') ) {
}
}
- ## explicitly set keyingtries to forever ##
- $genout .= "\tkeyingtries=%forever\n";
-
#
# Write ESP configuration from group
#
@@ -1168,13 +1165,19 @@ if ( $vcVPN->exists('ipsec') ) {
#
if ($any_peer) {
$genout .= "\tauto=add\n";
+ $genout .= "\tkeyingtries=%forever\n";
} else {
my $conntype = $vcVPN->returnValue("ipsec site-to-site peer $peer connection-type");
if (defined ($conntype)){
if ($conntype eq "initiate"){
$genout .= "\tauto=start\n";
+ $genout .= "\tkeyingtries=%forever\n";
} elsif ($conntype eq "respond"){
$genout .= "\tauto=add\n";
+ ## We want to act as a responder. Ideally we do not want to ever
+ ## be a initiator. The best we can do is to not try to attempt
+ ## keying forever.
+ $genout .= "\tkeyingtries=1\n";
}
}
else{