| | |
|---|---|
| author | zsdc <taras@vyos.io>, 2020-07-13 17:48:47 +0300 |
| committer | zsdc <taras@vyos.io>, 2020-07-13 17:55:04 +0300 |
| commit | c56ddd91ac9a99bb410c872a4d777e962c08f36d (patch) |
| tree | c0cbb5136755894d3048a7b6c54522a06fab4b67 /scripts |
| parent | 9b27f7fd624a69a242f84f73a8b085587fb18d0b (diff) |
| download | vyatta-cfg-vpn-c56ddd91ac9a99bb410c872a4d777e962c08f36d.tar.gz, vyatta-cfg-vpn-c56ddd91ac9a99bb410c872a4d777e962c08f36d.zip |
ESP: T2701: Fixed "pfs enable" option usage
When the "pfs enable" option is configured in an ESP group (the default behavior), PFS settings are taken from IKE proposal 1. If there is no "proposal 1", this ends up with broken ESP settings and an unusable VPN peer.
This fix replaces that logic by taking PFS from the first IKE proposal, regardless of its number.
Diffstat (limited to 'scripts')

| | | |
|---|---|---|
| -rwxr-xr-x | scripts/vpn-config.pl | 4 |

1 file changed, 3 insertions, 1 deletion
diff --git a/scripts/vpn-config.pl b/scripts/vpn-config.pl index 7f51fc1..582e3a7 100755 --- a/scripts/vpn-config.pl +++ b/scripts/vpn-config.pl @@ -868,8 +868,10 @@ if ($vcVPN->exists('ipsec')) { } if (defined($pfs)) { if ($pfs eq 'enable') { + # Get list of IKE proposals + my @ike_proposals = $vcVPN->listNodes("ipsec ike-group $ike_group proposal"); # Get the first IKE group's dh-group and use that as our PFS setting - my $default_pfs = $vcVPN->returnValue("ipsec ike-group $ike_group proposal 1 dh-group"); + my $default_pfs = $vcVPN->returnValue("ipsec ike-group $ike_group proposal $ike_proposals[0] dh-group"); $pfs = get_dh_cipher_result($default_pfs); } elsif ($pfs eq 'disable') { undef $pfs; |
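Review bot: the new lookup still assumes at least one proposal exists; if `listNodes("ipsec ike-group $ike_group proposal")` returns an empty list, `$ike_proposals[0]` is undef, the path passed to `returnValue` degrades to `ipsec ike-group $ike_group proposal  dh-group`, and `get_dh_cipher_result()` is called with an undefined value, which reproduces the broken-ESP outcome this commit sets out to fix. Guard it with `if (@ike_proposals) { ... }` and either fall back to an explicit default or fail the commit with a clear error naming the IKE group. Two smaller points: nothing in the hunk shows that `listNodes` returns proposals in numeric order, so if it is string-sorted a `proposal 10` would be picked ahead of `proposal 2`; `sort { $a <=> $b } $vcVPN->listNodes(...)` makes "first" mean the lowest-numbered proposal. And the retained comment still says "Get the first IKE group's dh-group" while the code now reads the first proposal's dh-group within the configured IKE group; update it to match.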