authorAlex Harpin <development@landsofshadow.co.uk>2015-06-18 07:42:01 +0100
committerAlex Harpin <development@landsofshadow.co.uk>2015-06-18 07:42:01 +0100
commit37d78aacd2ff84a3b462ea70c5b72e027378de73 (patch)
tree434dd4baadaae2d6f8873f2751823d79e6f1fcd1 /scripts
parent20acaff5f8a6215fd7c5b89c6405261deb069f87 (diff)
vyatta-cfg-vpn: vti interfaces remain link down after ipsec sa renewal
VTI interfaces can remain link down after IPSec SA expiry and renewal, leaving the actual IPSec tunnel up and active but the route relating to this VTI interface absent from the routing table, with the end result that no traffic passes through it without manual intervention. Earlier fixes for this issue in both bug #183 and bug #291 fixed one issue but introduced another; this commit fixes both scenarios. Bug #568 http://bugzilla.vyos.net/show_bug.cgi?id=568
Diffstat (limited to 'scripts')
-rwxr-xr-xscripts/vti-up-down2
-rwxr-xr-xscripts/vyatta-vti-config.pl7
2 files changed, 7 insertions, 2 deletions
diff --git a/scripts/vti-up-down b/scripts/vti-up-down
index 60fc191..378cb6e 100755
--- a/scripts/vti-up-down
+++ b/scripts/vti-up-down
@@ -5,7 +5,7 @@
source /etc/default/vyatta
source /etc/default/locale
case "$PLUTO_VERB" in
-route-client)
+route-client | up-client)
/opt/vyatta/sbin/vyatta-vti-config.pl --updown --intf=$1 --action=up
;;
down-client)
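Review bot: `--intf=$1` in the `route-client | up-client)` arm is passed unquoted, so an interface argument containing whitespace or glob characters would be split or expanded before it reaches vyatta-vti-config.pl; `--intf="$1"` keeps it a single word. This matters more now that the arm also runs on every `up-client` event, and the Perl side interpolates the value into a shell command string. The `case` statement continues outside the hunk, so the `down-client` arm presumably needs the same quoting.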
diff --git a/scripts/vyatta-vti-config.pl b/scripts/vyatta-vti-config.pl
index 980724c..23bead1 100755
--- a/scripts/vyatta-vti-config.pl
+++ b/scripts/vyatta-vti-config.pl
@@ -37,6 +37,7 @@ use lib "/opt/vyatta/share/perl5";
use Getopt::Long;
use Vyatta::VPN::vtiIntf;
use Vyatta::Config;
+use Vyatta::Misc;
my $vti_cfg_err = "VPN VTI configuration error:";
my $gencmds = "";
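Review bot: The added `use Vyatta::Misc;` does not name the module the new code actually uses: `vti_handle_updown` instantiates `Vyatta::Interface`, which is presumably only loaded transitively through Vyatta::Misc. Adding `use Vyatta::Interface;` alongside it states the dependency directly and keeps the script working if Vyatta::Misc ever stops loading that module.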
@@ -225,7 +226,11 @@ sub vti_handle_updown {
$vcIntf->setLevel('interfaces');
my $disabled = $vcIntf->existsOrig("vti $intfName disabled");
if (!defined($disabled) || !$disabled) {
- system("sudo /sbin/ip link set $intfName $action\n");
+ my $vtiInterface = new Vyatta::Interface($intfName);
+ my $state = $vtiInterface->up();
+ if (!($state && ($action eq "up"))) {
+ system("sudo /sbin/ip link set $intfName $action\n");
+ }
}
}
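Review bot: The retained `system("sudo /sbin/ip link set $intfName $action\n")` call still builds a single shell string from `$intfName` and `$action`, so any shell metacharacter in either value is interpreted by the shell under sudo. The list form `system('sudo', '/sbin/ip', 'link', 'set', $intfName, $action);` avoids the shell entirely, and its return value should be checked so that a failed link change is reported. `vti_handle_updown` starts above the hunk, so any earlier validation of these two values is not visible here. Separately, if `Vyatta::Interface`'s constructor can return undef for a name it does not recognise, `$vtiInterface->up()` would die. A guard such as `my $state = $vtiInterface ? $vtiInterface->up() : 0;` together with the direct call `Vyatta::Interface->new($intfName)` would make that path safe.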