authorChristian Poessinger <christian@poessinger.com>2021-07-26 22:06:55 +0200
committerChristian Poessinger <christian@poessinger.com>2021-07-26 22:06:55 +0200
commit1d876af9e5d76550b5322aa692706d0319b3b6c9 (patch)
treec60c7e18719c2f83ec6a18d3209ba52c8ca4ddf9
parentc31488f0e3206c4477692065781e49f2fbd7c9ed (diff)
ipsec: T1210: remote-access connections only work with IKEv2
-rwxr-xr-xsrc/conf_mode/vpn_ipsec.py5
1 files changed, 5 insertions, 0 deletions
diff --git a/src/conf_mode/vpn_ipsec.py b/src/conf_mode/vpn_ipsec.py
index a4cd33e64..11ff12e94 100755
--- a/src/conf_mode/vpn_ipsec.py
+++ b/src/conf_mode/vpn_ipsec.py
@@ -250,6 +250,11 @@ def verify(ipsec):
if 'ike_group' in ra_conf:
if 'ike_group' not in ipsec or ra_conf['ike_group'] not in ipsec['ike_group']:
raise ConfigError(f"Invalid ike-group on {name} remote-access config")
+
+ ike = ra_conf['ike_group']
+ if dict_search(f'ike_group.{ike}.key_exchange', ipsec) != 'ikev2':
+ raise ConfigError('IPSec remote-access connections requires IKEv2!')
+
else:
raise ConfigError(f"Missing ike-group on {name} remote-access config")
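Review bot: The new ConfigError raised after the `key_exchange` comparison does not name the offending connection, unlike the two neighbouring messages that include `{name}`, so with several remote-access connections the operator cannot tell which ike-group to fix. I would change it to `raise ConfigError(f'IPsec remote-access connection {name} requires IKEv2 (ike-group {ike})')`. The comparison also rejects an ike-group with no key-exchange set at all, since dict_search presumably returns None for a missing key. That is the safe, fail-closed direction, but it deserves a comment such as `# an unset key-exchange is rejected too: IKEv2 must be configured explicitly`, assuming defaults are not merged into `ipsec` before verify() runs. verify() begins and continues outside this hunk, so any earlier normalisation of `ike_group` is not visible here.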