| field | value | date |
|---|---|---|
| author | Saurabh Mohan <saurabh.mohan@vyatta.com> | 2012-09-04 10:34:32 -0700 |
| committer | Saurabh Mohan <saurabh.mohan@vyatta.com> | 2012-09-04 10:34:32 -0700 |
| commit | 400c7337f7498e9f958fe04873565060f4b9cf89 (patch) | |
| tree | 22afc5b562f95c585bb819ede623f4c8d2ac752b | |
| parent | f49b2338a457ff224acd306738314d178e46d82c (diff) | |
| download | vyatta-cfg-vpn-400c7337f7498e9f958fe04873565060f4b9cf89.tar.gz, vyatta-cfg-vpn-400c7337f7498e9f958fe04873565060f4b9cf89.zip | |
Bugfix 8277: For connection type respond do not attempt keying forever
When a connection-type is respond (configured using: set vpn ipsec
site-to-site peer <ip-addr> connection-type [initiate | respond]), the device
should not keep trying to key forever.
-rwxr-xr-x | scripts/vpn-config.pl | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/scripts/vpn-config.pl b/scripts/vpn-config.pl index 12b561a..2abf3bb 100755 --- a/scripts/vpn-config.pl +++ b/scripts/vpn-config.pl @@ -881,9 +881,6 @@ if ( $vcVPN->exists('ipsec') ) { } } - ## explicitly set keyingtries to forever ## - $genout .= "\tkeyingtries=%forever\n"; - # # Write ESP configuration from group # @@ -1168,13 +1165,19 @@ if ( $vcVPN->exists('ipsec') ) { # if ($any_peer) { $genout .= "\tauto=add\n"; + $genout .= "\tkeyingtries=%forever\n"; } else { my $conntype = $vcVPN->returnValue("ipsec site-to-site peer $peer connection-type"); if (defined ($conntype)){ if ($conntype eq "initiate"){ $genout .= "\tauto=start\n"; + $genout .= "\tkeyingtries=%forever\n"; } elsif ($conntype eq "respond"){ $genout .= "\tauto=add\n"; + ## We want to act as a responder. Ideally we do not want to ever + ## be a initiator. The best we can do is to not try to attempt + ## keying forever. + $genout .= "\tkeyingtries=1\n"; } } else{ |
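Review bot: removing the unconditional `keyingtries=%forever` in the first hunk (@@ -881,9 +881,6 @@) means every conn that does not reach one of the three explicit assignments in the second hunk now inherits the IKE daemon's default for `keyingtries` instead of `%forever`; the final `} else{` branch (connection-type not configured) is cut off in the visible context, so it cannot be confirmed here that it sets a value. Either add a `$genout .= "\tkeyingtries=%forever\n";` to that fallback branch to preserve the previous behaviour for unconfigured peers, or state in the commit message that the default now applies there.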
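Review bot: in the second hunk (@@ -1168,13 +1165,19 @@) the new comment says "Ideally we do not want to ever be a initiator", but `keyingtries=1` only caps the number of keying attempts; with `auto=add` the device can still initiate once if the conn is brought up (and the comment acknowledges this is a best effort). Make the comment say exactly that, e.g. "## keyingtries=1 allows at most one keying attempt; it does not prevent initiation altogether", and fix "a initiator" to "an initiator". The three new `keyingtries` lines are otherwise placed consistently beside their matching `auto=` lines.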