From a061c3e1fa28a7f07a80fbd6b04978080095be79 Mon Sep 17 00:00:00 2001
From: Christian Poessinger
Date: Sun, 8 Dec 2019 13:04:10 +0100
Subject: T1864: lower IKEv1 DPD timeout value from 10s to 2s (cherry picked from commit c4c8711939f709c445fe634b2f624933fa9651ab)
---
.../ipsec/ike-group/node.tag/dead-peer-detection/timeout/node.def | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/templates/vpn/ipsec/ike-group/node.tag/dead-peer-detection/timeout/node.def b/templates/vpn/ipsec/ike-group/node.tag/dead-peer-detection/timeout/node.def
index 3378cb5..8a4edee 100644
--- a/templates/vpn/ipsec/ike-group/node.tag/dead-peer-detection/timeout/node.def
+++ b/templates/vpn/ipsec/ike-group/node.tag/dead-peer-detection/timeout/node.def
@@ -1,5 +1,5 @@
-help: Keep-alive timeout
+help: Dead-Peer-Detection keep-alive timeout (IKEv1 only)
 type: u32
 default: 120
-syntax:expression: ($VAR(@) >= 10 && $VAR(@) <= 86400) ; "must be between 10-86400 seconds"
-val_help: u32:10-86400; Keep-alive timeout in seconds (default 120)
+syntax:expression: ($VAR(@) >= 2 && $VAR(@) <= 86400) ; "must be between 2-86400 seconds"
+val_help: u32:2-86400; Keep-alive timeout in seconds (default 120)
--
cgit v1.2.3
From 3a192885d754ca71051cb3420e17de570c1aa88c Mon Sep 17 00:00:00 2001
From: DmitriyEshenko
Date: Thu, 31 Oct 2019 07:45:34 +0000
Subject: T1780 Adding IPSec IKE close-action
---
scripts/vpn-config.pl | 8 ++++++++
templates/vpn/ipsec/ike-group/node.tag/close-action/node.def | 8 ++++++++
2 files changed, 16 insertions(+)
create mode 100644 templates/vpn/ipsec/ike-group/node.tag/close-action/node.def
diff --git a/scripts/vpn-config.pl b/scripts/vpn-config.pl
index d68e419..369e568 100755
--- a/scripts/vpn-config.pl
+++ b/scripts/vpn-config.pl
@@ -810,6 +810,14 @@ if ($vcVPN->exists('ipsec')) { $genout .= "\tdpdaction=$dpd_action\n"; } + # + # Check for closeaction + # + my $close_act = $vcVPN->returnValue("ipsec ike-group $ike_group close-action"); + if (defined($close_act)) { + $genout .= "\tcloseaction=$close_act\n"; + } + # + # Allow the user for force UDP encapsulation for the ESP # payload.
diff --git a/templates/vpn/ipsec/ike-group/node.tag/close-action/node.def b/templates/vpn/ipsec/ike-group/node.tag/close-action/node.def
new file mode 100644
index 0000000..0c05c21
--- /dev/null
+++ b/templates/vpn/ipsec/ike-group/node.tag/close-action/node.def
@@ -0,0 +1,8 @@
+help: Action if the remote peer unexpectedly closes a CHILD_SA
+type: txt
+default: "none"
+syntax:expression: $VAR(@) in "none","hold", "clear", "restart"; "must be none, hold clear, or restart"
+val_help: none; Set action to none (default)
+val_help: hold; Set action to hold
+val_help: clear; Set action to clear
+val_help: restart; Set action to restart
--
cgit v1.2.3
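Review bot: `$close_act` is written into the generated connection text as `closeaction=$close_act` after only a `defined` check, so the script relies entirely on the template's `syntax:expression` to keep the value to none/hold/clear/restart. Because this text becomes part of the IPsec daemon's configuration, I would repeat the allowlist in the script, e.g. `if (defined($close_act) && $close_act =~ /\A(?:none|hold|clear|restart)\z/) {`, so a value containing whitespace or a newline can never add extra directives if the template is bypassed or later loosened. The comment `# Check for closeaction` could also say what the setting does; as far as I recall the strongSwan ipsec.conf documentation cautions against closeaction when the peer uses reauthentication or uniqueids checking, which is worth confirming for the shipped version and noting here. The enclosing `if ($vcVPN->exists('ipsec'))` block begins and ends outside the hunk.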
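Review bot: The validation message in `syntax:expression` reads `"must be none, hold clear, or restart"`, missing the comma between hold and clear; it should be `"must be none, hold, clear, or restart"`. The four `val_help` lines only restate the keyword (`Set action to hold`), so an operator cannot tell from CLI help what each action does to the tunnel when the peer closes a CHILD_SA. One descriptive line per value, taken from the IPsec daemon's documentation for `closeaction`, would reduce the chance of a tunnel staying down or renegotiating unexpectedly because of a wrong guess.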