From ae063db6eb21bb52ae5e995dfa4bef195de599be Mon Sep 17 00:00:00 2001
From: Jason Hendry
Date: Mon, 1 Dec 2014 20:43:42 +0000
Subject: Exposing ikev2 reauth option in CLI, defaulting to 'no'
---
 scripts/vpn-config.pl | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
(limited to 'scripts')
diff --git a/scripts/vpn-config.pl b/scripts/vpn-config.pl
index e1c3573..cd4166b 100755
--- a/scripts/vpn-config.pl
+++ b/scripts/vpn-config.pl
@@ -812,6 +812,25 @@ if ($vcVPN->exists('ipsec')) {
 $genout .= "\tkeyexchange=ikev1\n";
 }
+ #
+ # Get ikev2-reauth configuration
+ #
+ if ((defined($key_exchange) && ($key_exchange eq 'ikev2')) {
+ my $ikev2_tunnel_reauth = $vcVPN->returnValue("ipsec site-to-site peer $peer ikev2-reauth");
+
+ if ((defined($ikev2_tunnel_reauth)) && ($ikev2_tunnel_reauth ne 'inherit')) {
+ $genout .= "\treauth=$ikev2_tunnel_reauth\n";
+ } else {
+ my $ikev2_group_reauth = $vcVPN->returnValue("ipsec ike-group $ike_group ikev2-reauth");
+ if (defined($ikev2_group_reauth)) {
+ $genout .= "\treauth=$ikev2_group_reauth\n";
+ } else {
+ $genout .= "\treauth=no\n";
+ }
+ }
+
+ }
+
 #
 # Allow the user to disable MOBIKE for IKEv2 connections
 #
-- 
cgit v1.2.3
From 259abd0641a999e390d67cb424c9093e1c0f72bf Mon Sep 17 00:00:00 2001
From: Jason Hendry
Date: Mon, 1 Dec 2014 21:21:24 +0000
Subject: Fixing syntax error in vpn-config.pl, fixing allowed parameters in the per-tunnel ikev2-reauth node
---
 scripts/vpn-config.pl | 2 +-
 templates/vpn/ipsec/site-to-site/peer/node.tag/ikev2-reauth/node.def | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
(limited to 'scripts')
diff --git a/scripts/vpn-config.pl b/scripts/vpn-config.pl
index cd4166b..2228997 100755
--- a/scripts/vpn-config.pl
+++ b/scripts/vpn-config.pl
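Review bot: The value read from the config tree is written into the generated `reauth=` line verbatim, so the generator relies entirely on the node.def `syntax:expression` to keep that line well-formed — and the per-peer node.def on this page, before 259abd06 widened it, rejected the very `inherit` default that the branch tests for, while the ike-group node's validation is not visible here. A small whitelist in the generator would keep the emitted value to yes/no regardless of template drift, and collapsing the three branches into one precedence chain (peer value, then ike-group value, then 'no') removes the duplicated `$genout .=` lines. If `$ike_group` can be undefined for a peer at this point (it is set outside the hunk), the group lookup interpolates an empty group name, so the same fallback to 'no' would cover that case too. The unbalanced parenthesis on the `if` line is already fixed by 259abd06 below. The enclosing `if ($vcVPN->exists('ipsec'))` block starts and ends outside the hunk.
```perl
    if (defined($key_exchange) && $key_exchange eq 'ikev2') {
        # Precedence: per-peer value, then the ike-group value, then 'no'.
        my $reauth = $vcVPN->returnValue("ipsec site-to-site peer $peer ikev2-reauth");
        if (!defined($reauth) || $reauth eq 'inherit') {
            $reauth = $vcVPN->returnValue("ipsec ike-group $ike_group ikev2-reauth");
        }
        # strongSwan accepts only yes/no here; anything else (or unset) falls back to 'no'.
        $reauth = 'no' unless defined($reauth) && $reauth =~ /\A(?:yes|no)\z/;
        $genout .= "\treauth=$reauth\n";
    }
```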
@@ -815,7 +815,7 @@ if ($vcVPN->exists('ipsec')) {
 #
 # Get ikev2-reauth configuration
 #
- if ((defined($key_exchange) && ($key_exchange eq 'ikev2')) {
+ if ((defined($key_exchange)) && ($key_exchange eq 'ikev2')) {
 my $ikev2_tunnel_reauth = $vcVPN->returnValue("ipsec site-to-site peer $peer ikev2-reauth");
 if ((defined($ikev2_tunnel_reauth)) && ($ikev2_tunnel_reauth ne 'inherit')) {
diff --git a/templates/vpn/ipsec/site-to-site/peer/node.tag/ikev2-reauth/node.def b/templates/vpn/ipsec/site-to-site/peer/node.tag/ikev2-reauth/node.def
index 8aee33e..8e1c6d7 100644
--- a/templates/vpn/ipsec/site-to-site/peer/node.tag/ikev2-reauth/node.def
+++ b/templates/vpn/ipsec/site-to-site/peer/node.tag/ikev2-reauth/node.def
@@ -1,7 +1,7 @@
 help: Re-authentication of the remote peer during an IKE re-key. IKEv2 option only
 type: txt
 default: "inherit"
-syntax:expression: $VAR(@) in "yes", "no"; "must be yes, no or inherit (Default)"
+syntax:expression: $VAR(@) in "yes", "no", "inherit"; "must be yes, no or inherit (Default)"
 val_help: yes; Enable remote host re-autentication during an IKE re-key. Currently broken due to a strong swan bug
 val_help: no; Disable remote host re-authenticaton during an IKE re-key.
-val_help: inherit; Inherit the reauth configuration form your IKE-group
+val_help: inherit; Inherit the reauth configuration form your IKE-group (Default)
-- 
cgit v1.2.3
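Review bot: The corrected condition still wraps `defined($key_exchange)` in a second pair of parentheses, which is the nesting that produced the original syntax error; `if (defined($key_exchange) && $key_exchange eq 'ikev2') {` reads the same and leaves nothing to mis-balance. The same doubled parentheses appear on the unchanged `if ((defined($ikev2_tunnel_reauth)) && ...)` context line below it. The enclosing block starts and ends outside the hunk.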
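Review bot: The new `val_help: inherit` line keeps the typo "form" in its help text; it should read `val_help: inherit; Inherit the reauth configuration from your IKE-group (Default)`. The unchanged `val_help: yes` and `val_help: no` lines above it carry "re-autentication" and "re-authenticaton" and could be corrected in the same touch. Widening `syntax:expression` to accept "inherit" is what the `default: "inherit"` line already required, since the old expression rejected the node's own default.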