From c56ddd91ac9a99bb410c872a4d777e962c08f36d Mon Sep 17 00:00:00 2001
From: zsdc
Date: Mon, 13 Jul 2020 17:48:47 +0300
Subject: ESP: T2701: Fixed "pfs enable" option usage

When in ESP group configured "pfs enable" option (default behavior), PFS settings are taken from the IKE proposal 1. In case if there is no "proposal 1", this ends up with broken ESP settings and unusable VPN peer. This fix replacing logic by taking PFS from the first one IKE proposal, regardless of its number.
---
 scripts/vpn-config.pl | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/scripts/vpn-config.pl b/scripts/vpn-config.pl
index 7f51fc1..582e3a7 100755
--- a/scripts/vpn-config.pl
+++ b/scripts/vpn-config.pl
@@ -868,8 +868,10 @@ if ($vcVPN->exists('ipsec')) {
 }
 if (defined($pfs)) {
 if ($pfs eq 'enable') {
+ # Get list of IKE proposals
+ my @ike_proposals = $vcVPN->listNodes("ipsec ike-group $ike_group proposal");
 # Get the first IKE group's dh-group and use that as our PFS setting
- my $default_pfs = $vcVPN->returnValue("ipsec ike-group $ike_group proposal 1 dh-group");
+ my $default_pfs = $vcVPN->returnValue("ipsec ike-group $ike_group proposal $ike_proposals[0] dh-group");
 $pfs = get_dh_cipher_result($default_pfs);
 } elsif ($pfs eq 'disable') {
 undef $pfs;
--
cgit v1.2.3
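Review bot: `$ike_proposals[0]` on the added `my $default_pfs` line is undef when the ike-group has no proposals at all, so the lookup path interpolates to `proposal  dh-group` and `get_dh_cipher_result` is then called with whatever `returnValue` yields for a non-existent node (presumably undef) — the same silent failure the commit is fixing, just moved one step further. A guard such as `die "ipsec ike-group $ike_group has no proposals\n" unless @ike_proposals;` (or whatever error convention the rest of the script uses) before the lookup would turn an unusable ESP/PFS setting into an explicit configuration error that the operator sees at commit time. Separately, "first" here depends on the order `listNodes` returns; if that order is lexical, proposal `10` would be picked over `2`, so `my ($first_proposal) = sort { $a <=> $b } $vcVPN->listNodes("ipsec ike-group $ike_group proposal");` makes the choice deterministic and matches the lowest-numbered-proposal intent stated in the commit message. The enclosing `if ($vcVPN->exists('ipsec'))` block and the later use of `$pfs` continue outside the hunk.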