authorChristian Poessinger <christian@poessinger.com>2021-07-19 19:04:13 +0200
committerChristian Poessinger <christian@poessinger.com>2021-07-19 19:04:13 +0200
commit02043297db68d45b2ca398486cc119d1c103e68c (patch)
tree3aba9dd1d43dd0a7428014886a8b2ed60bacfc15
parent9556d78b1d54c7320a0154990c61d23c6197c38f (diff)
ipsec: T1210: add "unique" option to specify how to handle multiple connections
Connection uniqueness policy to enforce. To avoid multiple connections from the same user, a uniqueness policy can be enforced. * never: never enforce such a policy, even if a peer included INITIAL_CONTACT notification * keep: reject new connection attempts if the same user already has an active connection * replace: delete any existing connection if a new one for the same user gets established To compare connections for uniqueness, the remote IKE identity is used. If EAP or XAuth authentication is involved, the EAP-Identity or XAuth username is used to enforce the uniqueness policy instead.
-rw-r--r--data/templates/ipsec/swanctl/remote_access.tmpl2
-rw-r--r--interface-definitions/vpn_ipsec.xml.in23
2 files changed, 24 insertions, 1 deletions
diff --git a/data/templates/ipsec/swanctl/remote_access.tmpl b/data/templates/ipsec/swanctl/remote_access.tmpl
index 66ac94b13..456842488 100644
--- a/data/templates/ipsec/swanctl/remote_access.tmpl
+++ b/data/templates/ipsec/swanctl/remote_access.tmpl
@@ -10,7 +10,7 @@
send_certreq = no
rekey_time = {{ ike.lifetime }}s
keyingtries = 0
- unique = never
+ unique = {{ rw_conf.unique }}
{% if rw_conf.pool is defined and rw_conf.pool is not none %}
pools = {{ rw_conf.pool | join(',') }}
{% endif %}
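Review bot: The new `unique = {{ rw_conf.unique }}` line renders with an empty value whenever the option is not configured, because the hunk in interface-definitions/vpn_ipsec.xml.in adds the `unique` leafNode without a `<defaultValue>` and the template no longer falls back to the previously hard-coded `never`. Unless the conf-mode script fills in a default before rendering (not visible in this commit), every existing remote-access configuration would produce `unique = ` in swanctl.conf after upgrade. Either add `<defaultValue>never</defaultValue>` under the new leafNode's `<properties>` so the old behaviour is preserved, or guard the template line with `unique = {{ rw_conf.unique if rw_conf.unique is defined and rw_conf.unique is not none else 'never' }}`, matching the `is defined and is not none` idiom used for `pool` two lines below. The enclosing connection block starts before and continues after this hunk.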
diff --git a/interface-definitions/vpn_ipsec.xml.in b/interface-definitions/vpn_ipsec.xml.in
index 5272b57cc..093a677e9 100644
--- a/interface-definitions/vpn_ipsec.xml.in
+++ b/interface-definitions/vpn_ipsec.xml.in
@@ -841,6 +841,29 @@
<multi/>
</properties>
</leafNode>
+ <leafNode name="unique">
+ <properties>
+ <help>Connection uniqueness policy to enforce</help>
+ <completionHelp>
+ <list>never keep replace</list>
+ </completionHelp>
+ <valueHelp>
+ <format>never</format>
+ <description>Never enforce connection uniqueness policy</description>
+ </valueHelp>
+ <valueHelp>
+ <format>keep</format>
+ <description>Rejects new connection attempts if the same user already has an active connection</description>
+ </valueHelp>
+ <valueHelp>
+ <format>replace</format>
+ <description>Delete any existing connection if a new one for the same user gets established</description>
+ </valueHelp>
+ <constraint>
+ <regex>^(never|keep|replace)$</regex>
+ </constraint>
+ </properties>
+ </leafNode>
</children>
</tagNode>
<tagNode name="pool">
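Review bot: The three `<description>` texts in the new leafNode mix verb forms: `Never enforce ...` and `Delete any existing ...` are imperative while the `keep` entry reads `Rejects new connection attempts ...`. For consistency with the sibling entries and the help text on the rest of this file, change it to `<description>Reject new connection attempts if the same user already has an active connection</description>`. The `<constraint>` regex `^(never|keep|replace)$` matches the completion list exactly, so no further validation point is raised here; the enclosing `<children>`/`<tagNode>` pair opens before this hunk.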