From c6864b6ca7c18ab4ec248186e1310e46b7a97676 Mon Sep 17 00:00:00 2001
From: Jeff Leung
Date: Tue, 10 Feb 2015 01:05:30 +0000
Subject: Allow the user to force UDP encapsulation for a named peer
This might help with strongSwan traversing through firewalls that filter proto 51, but not UDP traffic.
---
 .../ipsec/site-to-site/peer/node.tag/force-encapsulation/node.def | 6 ++++++
 1 file changed, 6 insertions(+)
 create mode 100644 templates/vpn/ipsec/site-to-site/peer/node.tag/force-encapsulation/node.def
(limited to 'templates/vpn/ipsec/site-to-site/peer')
diff --git a/templates/vpn/ipsec/site-to-site/peer/node.tag/force-encapsulation/node.def b/templates/vpn/ipsec/site-to-site/peer/node.tag/force-encapsulation/node.def
new file mode 100644
index 0000000..0015add
--- /dev/null
+++ b/templates/vpn/ipsec/site-to-site/peer/node.tag/force-encapsulation/node.def
@@ -0,0 +1,6 @@
+help: Force UDP Encapsulation for ESP Payloads
+type: txt
+syntax:expression: $VAR(@) in "enable", "disable"; "Must be enable or disable"
+val_help: enable; This endpoint will not force UDP encapsulation for this peer
+val_help: disable; This endpoint will force UDP encapsulation for this peer
+
-- cgit v1.2.3
From 5ee99ec9d5cca8c13804964eee23ce0b15578edf Mon Sep 17 00:00:00 2001
From: Jeff Leung
Date: Fri, 29 Jan 2016 18:43:45 -0500
Subject: vyatta-cfg-vpn: Properly implement force-encapsulation and fix descriptions
---
 scripts/vpn-config.pl | 2 +-
 .../vpn/ipsec/site-to-site/peer/node.tag/force-encapsulation/node.def | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
(limited to 'templates/vpn/ipsec/site-to-site/peer')
diff --git a/scripts/vpn-config.pl b/scripts/vpn-config.pl
index 4267564..6a9063f 100755
--- a/scripts/vpn-config.pl
+++ b/scripts/vpn-config.pl
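Review bot: The two `val_help` lines in the new force-encapsulation/node.def have their descriptions swapped: `enable` is documented as not forcing UDP encapsulation and `disable` as forcing it, the opposite of what the `help:` line and the option name imply. An operator who trusts the completion text would choose the wrong value on a path where ESP is filtered, so the lines should read `val_help: enable; This endpoint will force UDP encapsulation for this peer` and `val_help: disable; This endpoint will not force UDP encapsulation for this peer`. The template also declares no `default:`, so the help text would be clearer if it stated what an unset node means.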
@@ -817,7 +817,7 @@ if ($vcVPN->exists('ipsec')) { # Allow the user for force UDP encapsulation for the ESP # payload. # - my $forceencaps = $vcVPN->returnValue("ipsec site-to-site $peer force-encapsulation"); + my $forceencaps = $vcVPN->returnValue("ipsec site-to-site peer $peer force-encapsulation"); if (defined($forceencaps)) { if ($forceencaps eq 'enable') { $genout .= "\tforceencaps=yes\n"; diff --git a/templates/vpn/ipsec/site-to-site/peer/node.tag/force-encapsulation/node.def b/templates/vpn/ipsec/site-to-site/peer/node.tag/force-encapsulation/node.def index 0015add..bc71729 100644 --- a/templates/vpn/ipsec/site-to-site/peer/node.tag/force-encapsulation/node.def +++ b/templates/vpn/ipsec/site-to-site/peer/node.tag/force-encapsulation/node.def @@ -1,6 +1,6 @@ help: Force UDP Encapsulation for ESP Payloads type: txt syntax:expression: $VAR(@) in "enable", "disable"; "Must be enable or disable" -val_help: enable; This endpoint will not force UDP encapsulation for this peer -val_help: disable; This endpoint will force UDP encapsulation for this peer +val_help: enable; This endpoint will force UDP encapsulation for this peer +val_help: disable; This endpoint will not force UDP encapsulation for this peer -- cgit v1.2.3 From bbd5b2a113cb64c872142b236b35c650804271eb Mon Sep 17 00:00:00 2001 From: Kim Hagen Date: Tue, 9 Feb 2016 04:10:31 -0500 Subject: Use dhcp instead of dhcp3. --- Makefile.am | 4 ++-- scripts/vpn-config.pl | 2 +- .../vpn/ipsec/site-to-site/peer/node.tag/dhcp-interface/node.def | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) (limited to 'templates/vpn/ipsec/site-to-site/peer') diff --git a/Makefile.am b/Makefile.am index 7ae1717..ff81363 100644 --- a/Makefile.am +++ b/Makefile.am 
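Review bot: The comment above the corrected lookup in scripts/vpn-config.pl still reads "Allow the user for force UDP encapsulation" and does not say what is written for each value; a line such as `# Emit forceencaps=yes when the peer sets "force-encapsulation enable".` would document the mapping. The earlier path without `peer` appears to have made `returnValue` come back undefined, so the `defined($forceencaps)` guard skipped the block without any warning and the option had no effect; it may be worth checking the other `site-to-site peer $peer` lookups in this script for the same omission. The `if` block continues past the end of the hunk, so the handling of `disable` is not visible here.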
@@ -31,9 +31,9 @@ install-exec-hook: cd templates; $(cpiop) $(DESTDIR)$(cfgdir) mkdir -p $(DESTDIR)/etc/ppp/ip-up.d mkdir -p $(DESTDIR)/etc/ppp/ip-down.d - mkdir -p $(DESTDIR)/etc/dhcp3/dhclient-exit-hooks.d/ + mkdir -p $(DESTDIR)/etc/dhcp/dhclient-exit-hooks.d/ mkdir -p $(DESTDIR)/usr/lib/ipsec/ cp scripts/vpn-ppp-up $(DESTDIR)/etc/ppp/ip-up.d/ cp scripts/vpn-ppp-down $(DESTDIR)/etc/ppp/ip-down.d/ - cp scripts/ipsecd-dhclient-hook $(DESTDIR)/etc/dhcp3/dhclient-exit-hooks.d/ipsecd + cp scripts/ipsecd-dhclient-hook $(DESTDIR)/etc/dhcp/dhclient-exit-hooks.d/ipsecd cp scripts/vti-up-down $(DESTDIR)/usr/lib/ipsec/ diff --git a/scripts/vpn-config.pl b/scripts/vpn-config.pl index 7d0289c..635c416 100755 --- a/scripts/vpn-config.pl +++ b/scripts/vpn-config.pl @@ -1567,7 +1567,7 @@ sub dhcp_hook { /opt/vyatta/bin/sudo-users/vyatta-ipsec-dhcp.pl --interface=\"\$interface\" --new_ip=\"\$new_ip_address\" --reason=\"\$reason\" --old_ip=\"\$old_ip_address\" EOS } - my $hook = "/etc/dhcp3/dhclient-exit-hooks.d/ipsecd"; + my $hook = "/etc/dhcp/dhclient-exit-hooks.d/ipsecd"; open my $dhcp_hook, '>', $hook or die "cannot open $hook"; print ${dhcp_hook} $str; diff --git a/templates/vpn/ipsec/site-to-site/peer/node.tag/dhcp-interface/node.def b/templates/vpn/ipsec/site-to-site/peer/node.tag/dhcp-interface/node.def index a25e076..026b175 100644 --- a/templates/vpn/ipsec/site-to-site/peer/node.tag/dhcp-interface/node.def +++ b/templates/vpn/ipsec/site-to-site/peer/node.tag/dhcp-interface/node.def @@ -2,6 +2,6 @@ type: txt help: DHCP interface to listen on allowed: local -a array ; - array=( /var/lib/dhcp3/eth* /var/lib/dhcp3/br* /var/lib/dhcp3/bond* ) ; + array=( /var/lib/dhcp/eth* /var/lib/dhcp/br* /var/lib/dhcp/bond* ) ; echo -n ${array[@]##*/} -- cgit v1.2.3 From ff15bdcdeda459bb7cf5de450d02ea2cee53041c Mon Sep 17 00:00:00 2001 
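Review bot: In the `dhcp_hook` hunk of scripts/vpn-config.pl, the `die` after `open` does not include `$!`, so a failure to create the hook under the new `/etc/dhcp/dhclient-exit-hooks.d/` directory (for example when that directory is missing on the target image) is reported without a reason; `open my $dhcp_hook, '>', $hook or die "cannot open $hook: $!";` would fix that. The file written here is a script placed in a dhclient hook directory, so it is also worth setting its mode explicitly rather than inheriting the process umask; whether the code after the hunk already does that, or checks `close`, cannot be seen from here. `print ${dhcp_hook} $str` works, but the block form `print {$dhcp_hook} $str` is the usual spelling for a lexical handle.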
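Review bot: In dhcp-interface/node.def the `allowed:` snippet expands `/var/lib/dhcp/eth*`, `/var/lib/dhcp/br*` and `/var/lib/dhcp/bond*` without `nullglob`, so when a pattern matches nothing bash leaves it in place and the completion list would contain literal `eth*`-style strings; this is more likely right after the directory rename, when the new path may still be empty. Adding `shopt -s nullglob ;` before the array assignment and quoting the expansion as `"${array[@]##*/}"` avoids that. As far as this template shows, nothing besides `type: txt` constrains the value, so the interface name should still be validated where it is consumed.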
From: Daniil Baturin Date: Fri, 13 Oct 2017 01:35:59 +0200 Subject: T423: use listNodes rather than listActiveNodes to enable completion for uncommited IKE and ESP groups. --- .../vpn/ipsec/site-to-site/peer/node.tag/default-esp-group/node.def | 2 +- templates/vpn/ipsec/site-to-site/peer/node.tag/ike-group/node.def | 2 +- .../ipsec/site-to-site/peer/node.tag/tunnel/node.tag/esp-group/node.def | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) (limited to 'templates/vpn/ipsec/site-to-site/peer') diff --git a/templates/vpn/ipsec/site-to-site/peer/node.tag/default-esp-group/node.def b/templates/vpn/ipsec/site-to-site/peer/node.tag/default-esp-group/node.def index f754c32..d389bab 100644 --- a/templates/vpn/ipsec/site-to-site/peer/node.tag/default-esp-group/node.def +++ b/templates/vpn/ipsec/site-to-site/peer/node.tag/default-esp-group/node.def @@ -1,4 +1,4 @@ help: Defult ESP group name type: txt -allowed: cli-shell-api listActiveNodes vpn ipsec esp-group +allowed: cli-shell-api listNodes vpn ipsec esp-group diff --git a/templates/vpn/ipsec/site-to-site/peer/node.tag/ike-group/node.def b/templates/vpn/ipsec/site-to-site/peer/node.tag/ike-group/node.def index 343f1fb..146805c 100644 --- a/templates/vpn/ipsec/site-to-site/peer/node.tag/ike-group/node.def +++ b/templates/vpn/ipsec/site-to-site/peer/node.tag/ike-group/node.def @@ -1,3 +1,3 @@ help: Internet Key Exchange (IKE) group name [REQUIRED] type: txt -allowed: cli-shell-api listActiveNodes vpn ipsec ike-group +allowed: cli-shell-api listNodes vpn ipsec ike-group diff --git a/templates/vpn/ipsec/site-to-site/peer/node.tag/tunnel/node.tag/esp-group/node.def b/templates/vpn/ipsec/site-to-site/peer/node.tag/tunnel/node.tag/esp-group/node.def index d773b96..16300c5 100644 --- a/templates/vpn/ipsec/site-to-site/peer/node.tag/tunnel/node.tag/esp-group/node.def +++ b/templates/vpn/ipsec/site-to-site/peer/node.tag/tunnel/node.tag/esp-group/node.def 
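Review bot: Switching `allowed:` to `listNodes` in default-esp-group/node.def (and in the ike-group and tunnel esp-group templates later in this commit) makes completion offer groups that exist only in the uncommitted working configuration, and none of the three templates carries a `syntax:` or `commit:` check, so as far as these hunks show nothing here rejects a peer that names a group which is discarded or deleted before commit. If the commit-time script does not already verify that the referenced IKE/ESP group exists, that check belongs there rather than relying on completion. Separately, the context line `help: Defult ESP group name` has a typo and should read `help: Default ESP group name`.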
@@ -1,3 +1,3 @@
 help: ESP group name
 type: txt
-allowed: cli-shell-api listActiveNodes vpn ipsec esp-group
+allowed: cli-shell-api listNodes vpn ipsec esp-group
-- cgit v1.2.3