authorChristian Poessinger <christian@poessinger.com>2021-06-13 09:00:12 +0200
committerGitHub <noreply@github.com>2021-06-13 09:00:12 +0200
commitc88d8999873db638aa2c05d479502cedd1afd142 (patch)
tree8f260e771285efef284eeee54647f54780a25bf0
parent97f5e8562f3a49e7b63f0c5a20b46a33c8eb4f89 (diff)
parent0b1695221657336b436fc27217614b07a34cc132 (diff)
Merge pull request #877 from sarthurdev/disable_peer_tunnel
ipsec: T57: Support disable on peer, peer tunnel and dmvpn profile
-rw-r--r--data/templates/ipsec/ipsec.conf.tmpl4
-rw-r--r--data/templates/ipsec/ipsec.secrets.tmpl2
-rw-r--r--data/templates/ipsec/swanctl.conf.tmpl4
-rw-r--r--interface-definitions/vpn_ipsec.xml.in2
4 files changed, 7 insertions, 5 deletions
diff --git a/data/templates/ipsec/ipsec.conf.tmpl b/data/templates/ipsec/ipsec.conf.tmpl
index 53cba44b9..18f6c0988 100644
--- a/data/templates/ipsec/ipsec.conf.tmpl
+++ b/data/templates/ipsec/ipsec.conf.tmpl
@@ -7,7 +7,7 @@ config setup
uniqueids = {{ "no" if disable_uniqreqids is defined else "yes" }}
{% if site_to_site is defined and site_to_site.peer is defined %}
-{% for peer, peer_conf in site_to_site.peer.items() if peer not in dhcp_no_address %}
+{% for peer, peer_conf in site_to_site.peer.items() if peer not in dhcp_no_address and peer_conf.disable is not defined %}
{% set peer_index = loop.index %}
{% set peer_ike = ike_group[peer_conf.ike_group] %}
{% set peer_esp = esp_group[peer_conf.default_esp_group] if peer_conf.default_esp_group is defined else None %}
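Review bot: `peer_index` on the line after the changed `for` is taken from `loop.index`, and a Jinja2 loop filter counts only the items that pass it, so with the new `peer_conf.disable is not defined` condition disabling one peer renumbers every peer that follows it in the dictionary. If `peer_index` feeds anything that has to stay stable across commits (a mark, a reqid, a conn name — its use is not visible in this hunk), disabling a single peer would silently change those values for unrelated, still-active peers, which is hard to spot in a diff of the generated ipsec.conf. Iterating the unfiltered items and skipping disabled peers inside the body, or deriving the index from the peer name rather than from the filtered loop position, would keep the numbering independent of which peers happen to be disabled. The loop body continues past the end of this hunk.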
@@ -60,7 +60,7 @@ conn peer-{{ peer }}-vti
{% endif %}
{% endif %}
{% elif peer_conf.tunnel is defined %}
-{% for tunnel_id, tunnel_conf in peer_conf.tunnel.items() %}
+{% for tunnel_id, tunnel_conf in peer_conf.tunnel.items() if tunnel_conf.disable is not defined %}
{% set tunnel_esp_name = tunnel_conf.esp_group if "esp_group" in tunnel_conf else peer_conf.default_esp_group %}
{% set tunnel_esp = esp_group[tunnel_esp_name] %}
{% set proto = tunnel_conf.protocol if "protocol" in tunnel_conf else '%any' %}
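Review bot: The new `tunnel_conf.disable is not defined` filter has no matching CLI node in this change: the vpn_ipsec.xml.in section adds only two `generic-disable-node` includes (under the profile and under the peer, matching the 2 insertions in the diffstat), so unless the tunnel node already carries a disable leaf from an earlier commit, this filter cannot be triggered from the configuration. If that leaf exists, a one-line template comment such as `{# tunnels with 'disable' set are omitted from the peer's conn list #}` would save the next reader the same check. Note also that when every tunnel of a peer is disabled the peer-level stanza above this hunk is presumably still emitted; whether an otherwise empty peer is acceptable to strongSwan is worth confirming. The enclosing `for peer` loop starts and ends outside the hunk.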
diff --git a/data/templates/ipsec/ipsec.secrets.tmpl b/data/templates/ipsec/ipsec.secrets.tmpl
index a1432de57..0d2654abc 100644
--- a/data/templates/ipsec/ipsec.secrets.tmpl
+++ b/data/templates/ipsec/ipsec.secrets.tmpl
@@ -2,7 +2,7 @@
{% if site_to_site is defined and "peer" in site_to_site %}
{% set ns = namespace(local_key_set=False) %}
-{% for peer, peer_conf in site_to_site.peer.items() %}
+{% for peer, peer_conf in site_to_site.peer.items() if peer not in dhcp_no_address and peer_conf.disable is not defined %}
{% if peer_conf.authentication.mode == 'pre-shared-secret' %}
{{ (peer_conf.local_address if "local_address" in peer_conf else "%any") ~
(" " ~ peer) ~
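Review bot: Keeping the secrets filter identical to the one in ipsec.conf.tmpl is the right call — without it a disabled peer's pre-shared key would stay loaded for a conn that no longer exists — but the `peer not in dhcp_no_address` part is new to this file and is a behaviour change the commit message ("Support disable on peer, peer tunnel and dmvpn profile") does not mention: peers whose DHCP interface has no address now lose their secret entry as well as their conn. That looks intentional for consistency, so a line in the commit message or a comment above the loop, `{# keep in sync with the peer filter in ipsec.conf.tmpl #}`, would make the coupling explicit. The `ns.local_key_set` namespace is set before the filter, so its value is unaffected by which peers are skipped.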
diff --git a/data/templates/ipsec/swanctl.conf.tmpl b/data/templates/ipsec/swanctl.conf.tmpl
index 0ce703f20..ce007c1fd 100644
--- a/data/templates/ipsec/swanctl.conf.tmpl
+++ b/data/templates/ipsec/swanctl.conf.tmpl
@@ -2,7 +2,7 @@
{% if profile is defined %}
connections {
-{% for name, profile_conf in profile.items() if "bind" in profile_conf and "tunnel" in profile_conf.bind %}
+{% for name, profile_conf in profile.items() if profile_conf.disable is not defined and profile_conf.bind is defined and profile_conf.bind.tunnel is defined %}
{% set dmvpn_ike = ike_group[profile_conf.ike_group] %}
{% set dmvpn_esp = esp_group[profile_conf.esp_group] %}
{% for interface in profile_conf.bind.tunnel %}
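Review bot: The filter on the changed `for` line is repeated byte-for-byte in the `secrets` hunk below (`{% for name, profile_conf in profile.items() if profile_conf.disable is not defined and profile_conf.bind is defined and profile_conf.bind.tunnel is defined %}`), and the two must agree or swanctl ends up with a connection lacking a secret, or a secret kept for a profile that was just disabled. A comment at each site, `{# connections and secrets must use the same profile filter #}`, or a shared `{% set %}`/macro that both loops consume, would make that invariant visible. The accompanying rewrite from `"bind" in profile_conf` to `profile_conf.bind is defined` appears to be an equivalent style change for dict inputs; if it was deliberate, it deserves a mention in the commit message.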
@@ -41,7 +41,7 @@ connections {
}
secrets {
-{% for name, profile_conf in profile.items() if "bind" in profile_conf and "tunnel" in profile_conf.bind %}
+{% for name, profile_conf in profile.items() if profile_conf.disable is not defined and profile_conf.bind is defined and profile_conf.bind.tunnel is defined %}
{% if profile_conf.authentication.mode == 'pre-shared-secret' %}
{% for interface in profile_conf.bind.tunnel %}
ike-dmvpn-{{ interface }} {
diff --git a/interface-definitions/vpn_ipsec.xml.in b/interface-definitions/vpn_ipsec.xml.in
index 604f49cb6..d7435d6df 100644
--- a/interface-definitions/vpn_ipsec.xml.in
+++ b/interface-definitions/vpn_ipsec.xml.in
@@ -642,6 +642,7 @@
<help>VPN IPSec Profile</help>
</properties>
<children>
+ #include <include/generic-disable-node.xml.i>
<node name="authentication">
<properties>
<help>Authentication [REQUIRED]</help>
@@ -731,6 +732,7 @@
</valueHelp>
</properties>
<children>
+ #include <include/generic-disable-node.xml.i>
<node name="authentication">
<properties>
<help>Peer authentication [REQUIRED]</help>