summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorChristian Breunig <christian@breunig.cc>2024-01-17 18:48:34 +0100
committerGitHub <noreply@github.com>2024-01-17 18:48:34 +0100
commit0f61334ff4a38aca6e0c33a16f2400b5e7a3b5b3 (patch)
tree879826a9e22c8228827a8ab1dcee55cd9c5cf240
parent31d3d7263ee3082bb7f7dd722086e2ce5c892a03 (diff)
parente6713a7e861dbe3ec8af1761f1c0a3d1ad725cac (diff)
downloadvyos-1x-0f61334ff4a38aca6e0c33a16f2400b5e7a3b5b3.tar.gz
vyos-1x-0f61334ff4a38aca6e0c33a16f2400b5e7a3b5b3.zip
Merge pull request #2845 from vyos/mergify/bp/sagitta/pr-2842
T5953: Changed values of 'close-action' to Strongswan values (backport #2842)
-rw-r--r--data/templates/ipsec/swanctl/peer.j24
-rw-r--r--interface-definitions/vpn_ipsec.xml.in8
-rwxr-xr-xsrc/migration-scripts/ipsec/12-to-137
3 files changed, 13 insertions, 6 deletions
diff --git a/data/templates/ipsec/swanctl/peer.j2 b/data/templates/ipsec/swanctl/peer.j2
index 86a44a0ff..c5841fb91 100644
--- a/data/templates/ipsec/swanctl/peer.j2
+++ b/data/templates/ipsec/swanctl/peer.j2
@@ -85,7 +85,7 @@
{% if ike.dead_peer_detection is vyos_defined %}
dpd_action = {{ ike.dead_peer_detection.action }}
{% endif %}
- close_action = {{ {'none': 'none', 'hold': 'trap', 'restart': 'start'}[ike.close_action] }}
+ close_action = {{ ike.close_action }}
}
{% elif peer_conf.tunnel is vyos_defined %}
{% for tunnel_id, tunnel_conf in peer_conf.tunnel.items() if tunnel_conf.disable is not defined %}
@@ -135,7 +135,7 @@
{% if ike.dead_peer_detection is vyos_defined %}
dpd_action = {{ ike.dead_peer_detection.action }}
{% endif %}
- close_action = {{ {'none': 'none', 'hold': 'trap', 'restart': 'start'}[ike.close_action] }}
+ close_action = {{ ike.close_action }}
{% if peer_conf.vti.bind is vyos_defined %}
{# The key defaults to 0 and will match any policies which similarly do not have a lookup key configuration. #}
{# Thus we simply shift the key by one to also support a vti0 interface #}
diff --git a/interface-definitions/vpn_ipsec.xml.in b/interface-definitions/vpn_ipsec.xml.in
index 76c71949f..9d1d5d824 100644
--- a/interface-definitions/vpn_ipsec.xml.in
+++ b/interface-definitions/vpn_ipsec.xml.in
@@ -251,22 +251,22 @@
<properties>
<help>Action to take if a child SA is unexpectedly closed</help>
<completionHelp>
- <list>none hold restart</list>
+ <list>none trap start</list>
</completionHelp>
<valueHelp>
<format>none</format>
<description>Do nothing</description>
</valueHelp>
<valueHelp>
- <format>hold</format>
+ <format>trap</format>
<description>Attempt to re-negotiate when matching traffic is seen</description>
</valueHelp>
<valueHelp>
- <format>restart</format>
+ <format>start</format>
<description>Attempt to re-negotiate the connection immediately</description>
</valueHelp>
<constraint>
- <regex>(none|hold|restart)</regex>
+ <regex>(none|trap|start)</regex>
</constraint>
</properties>
<defaultValue>none</defaultValue>
diff --git a/src/migration-scripts/ipsec/12-to-13 b/src/migration-scripts/ipsec/12-to-13
index 504a2e9c7..c11f708bd 100755
--- a/src/migration-scripts/ipsec/12-to-13
+++ b/src/migration-scripts/ipsec/12-to-13
@@ -15,6 +15,7 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Changed value of dead-peer-detection.action from hold to trap
+# Changed value of close-action from hold to trap and from restart to start
import re
@@ -41,8 +42,14 @@ if not config.exists(base):
else:
for ike_group in config.list_nodes(base):
base_dpd_action = base + [ike_group, 'dead-peer-detection', 'action']
+ base_close_action = base + [ike_group, 'close-action']
if config.exists(base_dpd_action) and config.return_value(base_dpd_action) == 'hold':
config.set(base_dpd_action, 'trap', replace=True)
+ if config.exists(base_close_action):
+ if config.return_value(base_close_action) == 'hold':
+ config.set(base_close_action, 'trap', replace=True)
+ if config.return_value(base_close_action) == 'restart':
+ config.set(base_close_action, 'start', replace=True)
try:
with open(file_name, 'w') as f: