ipsec: T4787: add support for road-warrior/remote-access RADIUS timeout

This enabled users to also use 2FA/MFA authentication with a radius backend as
there is enough time to enter the second factor.

5 files changed, 36 insertions, 17 deletions

diff --git a/data/templates/ipsec/charon/eap-radius.conf.j2 b/data/templates/ipsec/charon/eap-radius.conf.j2
index 8495011fe..364377473 100644
--- a/data/templates/ipsec/charon/eap-radius.conf.j2
+++ b/data/templates/ipsec/charon/eap-radius.conf.j2
@@ -49,8 +49,10 @@ eap-radius {
     # Base to use for calculating exponential back off.
     # retransmit_base = 1.4
 
+{% if remote_access.radius.timeout is vyos_defined %}
     # Timeout in seconds before sending first retransmit.
-    # retransmit_timeout = 2.0
+    retransmit_timeout = {{ remote_access.radius.timeout | float }}
+{% endif %}
 
     # Number of times to retransmit a packet before giving up.
     # retransmit_tries = 4
diff --git a/interface-definitions/include/radius-timeout.xml.i b/interface-definitions/include/radius-timeout.xml.i
new file mode 100644
index 000000000..22bb6d312
--- /dev/null
+++ b/interface-definitions/include/radius-timeout.xml.i
@@ -0,0 +1,16 @@
+<!-- include start from radius-timeout.xml.i -->
+<leafNode name="timeout">
+  <properties>
+    <help>Session timeout</help>
+    <valueHelp>
+      <format>u32:1-240</format>
+      <description>Session timeout in seconds (default: 2)</description>
+    </valueHelp>
+    <constraint>
+      <validator name="numeric" argument="--range 1-240"/>
+    </constraint>
+    <constraintErrorMessage>Timeout must be between 1 and 240 seconds</constraintErrorMessage>
+  </properties>
+  <defaultValue>2</defaultValue>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/vpn-ipsec.xml.in b/interface-definitions/vpn-ipsec.xml.in
index 4776c53dc..64966b540 100644
--- a/interface-definitions/vpn-ipsec.xml.in
+++ b/interface-definitions/vpn-ipsec.xml.in
@@ -888,6 +888,7 @@
               <node name="radius">
                 <children>
                   #include <include/radius-nas-identifier.xml.i>
+                  #include <include/radius-timeout.xml.i>
                   <tagNode name="server">
                     <children>
                       #include <include/accel-ppp/radius-additions-disable-accounting.xml.i>
diff --git a/interface-definitions/vpn-openconnect.xml.in b/interface-definitions/vpn-openconnect.xml.in
index 3b3a83bd4..8b60f2e6e 100644
--- a/interface-definitions/vpn-openconnect.xml.in
+++ b/interface-definitions/vpn-openconnect.xml.in
@@ -140,20 +140,7 @@
               #include <include/radius-server-ipv4.xml.i>
               <node name="radius">
                 <children>
-                  <leafNode name="timeout">
-                    <properties>
-                      <help>Session timeout</help>
-                      <valueHelp>
-                        <format>u32:1-240</format>
-                        <description>Session timeout in seconds (default: 2)</description>
-                      </valueHelp>
-                      <constraint>
-                        <validator name="numeric" argument="--range 1-240"/>
-                      </constraint>
-                      <constraintErrorMessage>Timeout must be between 1 and 240 seconds</constraintErrorMessage>
-                    </properties>
-                    <defaultValue>2</defaultValue>
-                  </leafNode>
+                  #include <include/radius-timeout.xml.i>
                   <leafNode name="groupconfig">
                     <properties>
                       <help>If the groupconfig option is set, then config-per-user will be overriden, and all configuration will be read from RADIUS.</help>
diff --git a/src/conf_mode/vpn_ipsec.py b/src/conf_mode/vpn_ipsec.py
index 77a425f8b..cfefcfbe8 100755
--- a/src/conf_mode/vpn_ipsec.py
+++ b/src/conf_mode/vpn_ipsec.py
@@ -117,13 +117,26 @@ def get_config(config=None):
                     ipsec['ike_group'][group]['proposal'][proposal] = dict_merge(default_values,
                         ipsec['ike_group'][group]['proposal'][proposal])
 
-    if 'remote_access' in ipsec and 'connection' in ipsec['remote_access']:
+    # XXX: T2665: we can not safely rely on the defaults() when there are
+    # tagNodes in place, it is better to blend in the defaults manually.
+    if dict_search('remote_access.connection', ipsec):
         default_values = defaults(base + ['remote-access', 'connection'])
         for rw in ipsec['remote_access']['connection']:
             ipsec['remote_access']['connection'][rw] = dict_merge(default_values,
               ipsec['remote_access']['connection'][rw])
 
-    if 'remote_access' in ipsec and 'radius' in ipsec['remote_access'] and 'server' in ipsec['remote_access']['radius']:
+    # XXX: T2665: we can not safely rely on the defaults() when there are
+    # tagNodes in place, it is better to blend in the defaults manually.
+    if dict_search('remote_access.radius.server', ipsec):
+        # Fist handle the "base" stuff like RADIUS timeout
+        default_values = defaults(base + ['remote-access', 'radius'])
+        if 'server' in default_values:
+            del default_values['server']
+        ipsec['remote_access']['radius'] = dict_merge(default_values,
+                                                      ipsec['remote_access']['radius'])
+
+        # Take care about individual RADIUS servers implemented as tagNodes - this
+        # requires special treatment
         default_values = defaults(base + ['remote-access', 'radius', 'server'])
         for server in ipsec['remote_access']['radius']['server']:
             ipsec['remote_access']['radius']['server'][server] = dict_merge(default_values,