author | Jason Hendry <jhendry@mintel.com> | 2014-12-01 20:43:42 +0000 |
committer | Jason Hendry <jhendry@mintel.com> | 2014-12-01 20:43:42 +0000 |
commit | ae063db6eb21bb52ae5e995dfa4bef195de599be (patch) | |
tree | 76f692dbafb7d9e94065b68dd10133467d215b73 | |
parent | dd17f6db97ad7e7f58e371e4b6f3ca5eceb4f3a0 (diff) | |
Exposing ikev2 reauth option in CLI, defaulting to 'no'
-rwxr-xr-x | scripts/vpn-config.pl | 19 | ||||
-rw-r--r-- | templates/vpn/ipsec/ike-group/node.tag/ikev2-reauth/node.def | 6 | ||||
-rw-r--r-- | templates/vpn/ipsec/site-to-site/peer/node.tag/ikev2-reauth/node.def | 7 |
3 files changed, 32 insertions, 0 deletions
diff --git a/scripts/vpn-config.pl b/scripts/vpn-config.pl
index e1c3573..cd4166b 100755
--- a/scripts/vpn-config.pl
+++ b/scripts/vpn-config.pl
@@ -813,6 +813,25 @@ if ($vcVPN->exists('ipsec')) {
 }
 
 #
+ # Get ikev2-reauth configuration
+ #
+ if ((defined($key_exchange) && ($key_exchange eq 'ikev2')) {
+ my $ikev2_tunnel_reauth = $vcVPN->returnValue("ipsec site-to-site peer $peer ikev2-reauth");
+
+ if ((defined($ikev2_tunnel_reauth)) && ($ikev2_tunnel_reauth ne 'inherit')) {
+ $genout .= "\treauth=$ikev2_tunnel_reauth\n";
+ } else {
+ my $ikev2_group_reauth = $vcVPN->returnValue("ipsec ike-group $ike_group ikev2-reauth");
+ if (defined($ikev2_group_reauth)) {
+ $genout .= "\treauth=$ikev2_group_reauth\n";
+ } else {
+ $genout .= "\treauth=no\n";
+ }
+ }
+
+ }
+
+ #
 # Allow the user to disable MOBIKE for IKEv2 connections
 #
 my $mob_ike = $vcVPN->returnValue("ipsec ike-group $ike_group mobike");
diff --git a/templates/vpn/ipsec/ike-group/node.tag/ikev2-reauth/node.def b/templates/vpn/ipsec/ike-group/node.tag/ikev2-reauth/node.def
new file mode 100644
index 0000000..2256ecc
--- /dev/null
+++ b/templates/vpn/ipsec/ike-group/node.tag/ikev2-reauth/node.def
@@ -0,0 +1,6 @@
+help: Re-authentication of the remote peer during an IKE re-key. IKEv2 option only
+type: txt
+default: "no"
+syntax:expression: $VAR(@) in "yes", "no"; "must be yes or no (Default)"
+val_help: yes; Enable remote host re-autentication during an IKE rekey. Currently broken due to a strong swan bug
+val_help: no; Disable remote host re-authenticaton during an IKE rekey. (Default)
diff --git a/templates/vpn/ipsec/site-to-site/peer/node.tag/ikev2-reauth/node.def b/templates/vpn/ipsec/site-to-site/peer/node.tag/ikev2-reauth/node.def
new file mode 100644
index 0000000..8aee33e
--- /dev/null
+++ b/templates/vpn/ipsec/site-to-site/peer/node.tag/ikev2-reauth/node.def
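Review bot: The new guard `if ((defined($key_exchange) && ($key_exchange eq 'ikev2')) {` opens one more parenthesis than it closes as rendered here, so if the page reproduces the commit faithfully vpn-config.pl does not compile; the balanced form is `if (defined($key_exchange) && $key_exchange eq 'ikev2') {`, matching the already-balanced `if ((defined($ikev2_tunnel_reauth)) && ...)` a few lines below. The three-level precedence (peer value, then ike-group value, then a hard-coded `no`) is only recoverable by reading the nested branches, and the hard-coded `no` silently duplicates the ike-group template default; a comment such as `# peer setting wins; 'inherit' (the peer default) defers to the ike-group value, and a missing group value means no` above the first `if` would make that intent explicit. Because the value is interpolated straight into the generated `reauth=` line, correctness here relies on the node.def syntax expressions restricting it to yes/no, which is worth stating in the same comment. `$key_exchange`, `$peer`, `$ike_group` and `$genout` are assigned outside the hunk, as is the enclosing `if ($vcVPN->exists('ipsec'))` block named in the hunk header, so whether `$key_exchange` is always populated cannot be confirmed from here.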
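Review bot: The two `val_help` lines in the new ike-group node.def carry user-visible typos, `re-autentication` and `re-authenticaton`, and spell the daemon as `strong swan`; the same strings recur in the new site-to-site peer node.def. Suggested text: `val_help: yes; Enable remote host re-authentication during an IKE rekey. Currently broken due to a strongSwan bug` and `val_help: no; Disable remote host re-authentication during an IKE rekey. (Default)`. The `help:` line is reasonable as written.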
@@ -0,0 +1,7 @@
+help: Re-authentication of the remote peer during an IKE re-key. IKEv2 option only
+type: txt
+default: "inherit"
+syntax:expression: $VAR(@) in "yes", "no"; "must be yes, no or inherit (Default)"
+val_help: yes; Enable remote host re-autentication during an IKE re-key. Currently broken due to a strong swan bug
+val_help: no; Disable remote host re-authenticaton during an IKE re-key.
+val_help: inherit; Inherit the reauth configuration form your IKE-group |
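Review bot: The peer node.def's syntax expression `$VAR(@) in "yes", "no"` does not include `inherit`, yet the default is `"inherit"`, the error text promises "yes, no or inherit", and a `val_help: inherit` entry is offered; an operator who explicitly sets the node back to `inherit` to return a peer to its ike-group behaviour would therefore be rejected by validation. The line should read `syntax:expression: $VAR(@) in "yes", "no", "inherit"; "must be yes, no or inherit (Default)"`, which also keeps the value set that vpn-config.pl interpolates into `reauth=` closed. The last `val_help` has a typo, `form your IKE-group` should be `from your IKE-group`.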