authorJeff Leung <jleung@v10networks.ca>2015-01-27 00:45:15 -0800
committerJeff Leung <jleung@v10networks.ca>2015-01-27 01:26:55 -0800
commitd1618604bde40ae38ba3b587e655f16948212917 (patch)
tree590e17add1e83acc3c0742809186e25696c1ba5b /scripts/vpn-config.pl
parent9587a7eb06ecef9610260657d98736d8286feab0 (diff)
downloadvyatta-cfg-vpn-d1618604bde40ae38ba3b587e655f16948212917.tar.gz
vyatta-cfg-vpn-d1618604bde40ae38ba3b587e655f16948212917.zip
Generate PFS group settings alongside with our ESP settings
Since strongSwan 5.0.0, the PFS group setting has moved into the esp= parameter. If PFS is simply enabled, the first IKE proposal's dh-group is used as the PFS group.
Diffstat (limited to 'scripts/vpn-config.pl')
-rwxr-xr-xscripts/vpn-config.pl17
1 files changed, 16 insertions, 1 deletions
diff --git a/scripts/vpn-config.pl b/scripts/vpn-config.pl
index 8227d90..dfc9e97 100755
--- a/scripts/vpn-config.pl
+++ b/scripts/vpn-config.pl
@@ -862,10 +862,11 @@ if ($vcVPN->exists('ipsec')) {
foreach my $esp_proposal (@esp_proposals) {
#
- # Get encryption, hash
+ # Get encryption, hash and PFS group settings
#
my $encryption = $vcVPN->returnValue("ipsec esp-group $esp_group proposal $esp_proposal encryption");
my $hash = $vcVPN->returnValue("ipsec esp-group $esp_group proposal $esp_proposal hash");
+ my $pfs = $vcVPN->returnValue("ipsec esp-group $esp_group pfs");
#
# Write separator if not first proposal
@@ -875,12 +876,26 @@ if ($vcVPN->exists('ipsec')) {
} else {
$genout .= ",";
}
+ if (defined($pfs)) {
+ if ($pfs eq 'enable') {
+ # Get the first IKE group's dh-group and use that as our PFS setting
+ my $default_pfs = $vcVPN->returnValue("ipsec ike-group $ike_group proposal 1 dh-group");
+ $pfs = get_dh_cipher_result($default_pfs);
+ } elsif ($pfs eq 'disable') {
+ undef $pfs;
+ } else {
+ $pfs = get_dh_cipher_result($pfs);
+ }
+ }
#
# Write values
#
if (defined($encryption) && defined($hash)) {
$genout .= "$encryption-$hash";
+ if (defined($pfs)) {
+ $genout .= "-$pfs";
+ }
}
}
$genout .= "!\n";
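Review bot: When `pfs` is `enable` but `ipsec ike-group $ike_group proposal 1 dh-group` is not set, `$default_pfs` is undef at the `my $default_pfs` line and, depending on what get_dh_cipher_result returns for that, the proposal written at `$genout .= "$encryption-$hash"` gets no PFS group at all, so a connection the operator explicitly configured with PFS is emitted without it and nothing is logged; the same applies to an explicit group name that get_dh_cipher_result does not recognise in the else branch. Fail loudly instead of emitting an incomplete proposal, e.g. right after the `my $default_pfs` line: `die "esp-group $esp_group: pfs enable but ike-group $ike_group proposal 1 has no dh-group\n" unless defined $default_pfs;`, and apply the same `defined` check to the value get_dh_cipher_result returns in both branches. The `ipsec esp-group $esp_group pfs` lookup added in the first hunk does not depend on `$esp_proposal`, so it can be hoisted above the foreach. The enclosing foreach and `$ike_group` are declared outside the hunk; I am assuming `$ike_group` is the ike-group bound to this connection rather than a stale value from an earlier loop — worth confirming.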