authorJeff Leung <jleung@v10networks.ca>2014-05-21 21:34:31 -0500
committerJeff Leung <jleung@v10networks.ca>2014-05-21 21:47:43 -0500
commit000a81bb28ed23b4d4ee359cf5f12bfbb0275841 (patch)
treec99dcf9fbf514f111512e22d3e2e97ebffc41aea /scripts
parentbdf73b3e470ea69332d69e67a757792ce5af3dbd (diff)
downloadvyatta-cfg-vpn-000a81bb28ed23b4d4ee359cf5f12bfbb0275841.tar.gz
vyatta-cfg-vpn-000a81bb28ed23b4d4ee359cf5f12bfbb0275841.zip
Adding initial support for IKEv2/IKEv1 Site-to-Site VPNs by adding the optional "vpn ipsec ike-group <IKEGROUP> key-exchange" parameter.
Diffstat (limited to 'scripts')
-rwxr-xr-xscripts/vpn-config.pl22
1 files changed, 21 insertions, 1 deletions
diff --git a/scripts/vpn-config.pl b/scripts/vpn-config.pl
index 4870d48..dd6113d 100755
--- a/scripts/vpn-config.pl
+++ b/scripts/vpn-config.pl
@@ -253,7 +253,7 @@ if ( $vcVPN->exists('ipsec') ) {
$genout .= "version 2.0\n";
$genout .= "\n";
$genout .= "config setup\n";
- $genout .= "\tcharonstart=no\n"; # no need for charon unless we have ikev2
+ $genout .= "\tcharonstart=yes\n";
#
# Interfaces
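Review bot: `charonstart=yes` is now written for every IPsec configuration, so charon is started even when no ike-group asks for IKEv2, although the removed comment said charon was only needed for IKEv2. On IKEv1-only deployments this runs an extra key-exchange daemon that nothing uses, which is worth avoiding on a VPN gateway. Consider deriving the value from the configured ike-groups, e.g. `$genout .= "\tcharonstart=" . ( $need_charon ? 'yes' : 'no' ) . "\n";`, where `$need_charon` is a name made up for this note and would be true when some group sets key-exchange to `ikev2` or `auto`. If it stays unconditional, replace the dropped comment with one saying why, such as `# charon is needed for key-exchange ikev2/auto`. The enclosing `if ( $vcVPN->exists('ipsec') )` block starts and ends outside this hunk.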
@@ -865,6 +865,26 @@ if ( $vcVPN->exists('ipsec') ) {
}
$genout .= "!\n";
+ #
+ # Get IKE version setting
+ #
+ my $key_exchange = $vcVPN->returnValue(
+ "ipsec ike-group $ike_group key-exchange");
+ if ( defined($key_exchange) ) {
+ if ($key_exchange eq 'auto') {
+ $genout .= "\tkeyexchange=ike\n";
+ }
+ elsif ($key_exchange eq 'ikev1') {
+ $genout .= "\tkeyexchange=ikev1\n";
+ }
+ elsif ($key_exchange eq 'ikev2') {
+ $genout .= "\tkeyexchange=ikev2\n";
+ }
+ }
+ else {
+ $genout .= "\tkeyexchange=ikev1\n";
+ }
+
my $t_ikelifetime =
$vcVPN->returnValue("ipsec ike-group $ike_group lifetime");
if ( defined($t_ikelifetime) && $t_ikelifetime ne '' ) {
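Review bot: The inner `if`/`elsif` chain on `$key_exchange` has no final `else`, so a value that is defined but is not exactly `auto`, `ikev1` or `ikev2` (an empty string, for instance) writes no `keyexchange=` line at all. The connection then falls back to the IPsec daemon's built-in default rather than the `ikev1` default this script picks when the node is unset. Unless syntax validation elsewhere guarantees the three values (not visible in this diff), add a last branch, `else { $genout .= "\tkeyexchange=ikev1\n"; }`, or reject the value through the script's existing error reporting. A comment noting that `auto` maps to `keyexchange=ike`, which does not pin the IKE version, would help operators who need a site to use IKEv2 only. The surrounding block continues outside the hunk.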