diff options
author | Jeff Leung <jleung@v10networks.ca> | 2015-01-31 07:37:43 +0000 |
---|---|---|
committer | Jeff Leung <jleung@v10networks.ca> | 2015-02-05 06:30:59 +0000 |
commit | de318d8d25427a27c80206c16dc36c0021dfca2c (patch) | |
tree | 4e0463412f49777319f448b0a4bb046f30cc49c8 /scripts | |
parent | 9d20c1dc27d91e362e79221dd773dd9418d5af99 (diff) | |
download | vyatta-cfg-vpn-de318d8d25427a27c80206c16dc36c0021dfca2c.tar.gz vyatta-cfg-vpn-de318d8d25427a27c80206c16dc36c0021dfca2c.zip |
Allow users to specify aggressive mode for IKEv1 key exchanges
Although strongly not recommended by the developers of strongSwan,
sometimes remote VPN gateways requires this because of interop
reasons or a network admin who doesn't have an idea on why
aggressive mode is bad.
Diffstat (limited to 'scripts')
-rwxr-xr-x | scripts/vpn-config.pl | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/scripts/vpn-config.pl b/scripts/vpn-config.pl index 725f945..b974a5a 100755 --- a/scripts/vpn-config.pl +++ b/scripts/vpn-config.pl @@ -825,6 +825,18 @@ if ($vcVPN->exists('ipsec')) { } } + # + # Allow the user to specify aggressive mode for IKEv1 connections + # + my $aggressive_mode = $vcVPN->returnValue("ipsec ike-group $ike_group mode"); + + if (defined($aggressive_mode)) { + if (defined($key_exchange) && $key_exchange eq 'ikev2') { + vpn_die(["vpn","ipsec","ike-group", $ike_group, "mode"], "$vpn_cfg_err Selection of Main/Aggressive modes is only valid for IKEv1 configurations"); + } else { + $genout .= "\taggressive=yes\n"; + } + } my $t_ikelifetime =$vcVPN->returnValue("ipsec ike-group $ike_group lifetime"); if (defined($t_ikelifetime) && $t_ikelifetime ne '') { $ikelifetime = $t_ikelifetime; |