authorJeff Leung <jleung@v10networks.ca>2015-01-31 07:37:43 +0000
committerJeff Leung <jleung@v10networks.ca>2015-02-05 06:30:59 +0000
commitde318d8d25427a27c80206c16dc36c0021dfca2c (patch)
tree4e0463412f49777319f448b0a4bb046f30cc49c8 /scripts
parent9d20c1dc27d91e362e79221dd773dd9418d5af99 (diff)
downloadvyatta-cfg-vpn-de318d8d25427a27c80206c16dc36c0021dfca2c.tar.gz
vyatta-cfg-vpn-de318d8d25427a27c80206c16dc36c0021dfca2c.zip
Allow users to specify aggressive mode for IKEv1 key exchanges
Although strongly discouraged by the developers of strongSwan, remote VPN gateways sometimes require this, either for interop reasons or because a network admin doesn't understand why aggressive mode is bad.
Diffstat (limited to 'scripts')
-rwxr-xr-xscripts/vpn-config.pl12
1 files changed, 12 insertions, 0 deletions
diff --git a/scripts/vpn-config.pl b/scripts/vpn-config.pl
index 725f945..b974a5a 100755
--- a/scripts/vpn-config.pl
+++ b/scripts/vpn-config.pl
@@ -825,6 +825,18 @@ if ($vcVPN->exists('ipsec')) {
}
}
+ #
+ # Allow the user to specify aggressive mode for IKEv1 connections
+ #
+ my $aggressive_mode = $vcVPN->returnValue("ipsec ike-group $ike_group mode");
+
+ if (defined($aggressive_mode)) {
+ if (defined($key_exchange) && $key_exchange eq 'ikev2') {
+ vpn_die(["vpn","ipsec","ike-group", $ike_group, "mode"], "$vpn_cfg_err Selection of Main/Aggressive modes is only valid for IKEv1 configurations");
+ } else {
+ $genout .= "\taggressive=yes\n";
+ }
+ }
my $t_ikelifetime =$vcVPN->returnValue("ipsec ike-group $ike_group lifetime");
if (defined($t_ikelifetime) && $t_ikelifetime ne '') {
$ikelifetime = $t_ikelifetime;
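Review bot: The added `else` branch writes `$genout .= "\taggressive=yes\n";` whenever the `mode` node is defined, not when it is set to aggressive, so a user who explicitly selects main mode would, as far as this hunk shows, still get `aggressive=yes` in the generated config. The error message just above says the node chooses between Main and Aggressive, so its value has to be compared rather than only tested with `defined`; for example replace `} else {` with `} elsif ($aggressive_mode eq 'aggressive') {`, assuming that is the literal the node template uses (the template is not part of this diff). This matters because IKEv1 aggressive mode with a pre-shared key exposes a hash derived from the key to anyone observing the exchange, which allows offline guessing, so it should never be enabled implicitly. The enclosing `if ($vcVPN->exists('ipsec'))` block starts and ends outside the hunk.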