author | Christian Breunig <christian@breunig.cc> | 2024-01-17 18:48:34 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-01-17 18:48:34 +0100 |
commit | 0f61334ff4a38aca6e0c33a16f2400b5e7a3b5b3 (patch) | |
tree | 879826a9e22c8228827a8ab1dcee55cd9c5cf240 | |
parent | 31d3d7263ee3082bb7f7dd722086e2ce5c892a03 (diff) | |
parent | e6713a7e861dbe3ec8af1761f1c0a3d1ad725cac (diff) | |
Merge pull request #2845 from vyos/mergify/bp/sagitta/pr-2842
T5953: Changed values of 'close-action' to Strongswan values (backport #2842)
-rw-r--r-- | data/templates/ipsec/swanctl/peer.j2 | 4 | ||||
-rw-r--r-- | interface-definitions/vpn_ipsec.xml.in | 8 | ||||
-rwxr-xr-x | src/migration-scripts/ipsec/12-to-13 | 7 |
3 files changed, 13 insertions, 6 deletions
diff --git a/data/templates/ipsec/swanctl/peer.j2 b/data/templates/ipsec/swanctl/peer.j2
index 86a44a0ff..c5841fb91 100644
--- a/data/templates/ipsec/swanctl/peer.j2
+++ b/data/templates/ipsec/swanctl/peer.j2
@@ -85,7 +85,7 @@
 {% if ike.dead_peer_detection is vyos_defined %}
 dpd_action = {{ ike.dead_peer_detection.action }}
 {% endif %}
- close_action = {{ {'none': 'none', 'hold': 'trap', 'restart': 'start'}[ike.close_action] }}
+ close_action = {{ ike.close_action }}
 }
 {% elif peer_conf.tunnel is vyos_defined %}
 {% for tunnel_id, tunnel_conf in peer_conf.tunnel.items() if tunnel_conf.disable is not defined %}
@@ -135,7 +135,7 @@
 {% if ike.dead_peer_detection is vyos_defined %}
 dpd_action = {{ ike.dead_peer_detection.action }}
 {% endif %}
- close_action = {{ {'none': 'none', 'hold': 'trap', 'restart': 'start'}[ike.close_action] }}
+ close_action = {{ ike.close_action }}
 {% if peer_conf.vti.bind is vyos_defined %}
 {# The key defaults to 0 and will match any policies which similarly do not have a lookup key configuration. #}
 {# Thus we simply shift the key by one to also support a vti0 interface #}
diff --git a/interface-definitions/vpn_ipsec.xml.in b/interface-definitions/vpn_ipsec.xml.in
index 76c71949f..9d1d5d824 100644
--- a/interface-definitions/vpn_ipsec.xml.in
+++ b/interface-definitions/vpn_ipsec.xml.in
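Review bot: `close_action = {{ ike.close_action }}` now copies the configured string into swanctl.conf unchanged, here and in the second hunk at -135 (the VTI branch), whereas the removed lookup could only ever emit one of three known strings. Correct output therefore depends entirely on the CLI constraint and on the 12-to-13 migration having rewritten `hold` and `restart`; a config that still carries an old value would produce a `close_action` that no longer matches the documented none/trap/start set. I would add a template comment such as `{# close_action is validated by the CLI to none|trap|start, the names swanctl itself uses #}` and, if the verify step does not already do so, reject other values before rendering. Both surrounding blocks start and end outside the hunks.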
@@ -251,22 +251,22 @@
 <properties>
 <help>Action to take if a child SA is unexpectedly closed</help>
 <completionHelp>
- <list>none hold restart</list>
+ <list>none trap start</list>
 </completionHelp>
 <valueHelp>
 <format>none</format>
 <description>Do nothing</description>
 </valueHelp>
 <valueHelp>
- <format>hold</format>
+ <format>trap</format>
 <description>Attempt to re-negotiate when matching traffic is seen</description>
 </valueHelp>
 <valueHelp>
- <format>restart</format>
+ <format>start</format>
 <description>Attempt to re-negotiate the connection immediately</description>
 </valueHelp>
 <constraint>
- <regex>(none|hold|restart)</regex>
+ <regex>(none|trap|start)</regex>
 </constraint>
 </properties>
 <defaultValue>none</defaultValue>
diff --git a/src/migration-scripts/ipsec/12-to-13 b/src/migration-scripts/ipsec/12-to-13
index 504a2e9c7..c11f708bd 100755
--- a/src/migration-scripts/ipsec/12-to-13
+++ b/src/migration-scripts/ipsec/12-to-13
@@ -15,6 +15,7 @@
 # along with this program. If not, see <http://www.gnu.org/licenses/>.
 # Changed value of dead-peer-detection.action from hold to trap
+# Changed value of close-action from hold to trap and from restart to start
 import re
@@ -41,8 +42,14 @@ if not config.exists(base):
 else:
 for ike_group in config.list_nodes(base):
 base_dpd_action = base + [ike_group, 'dead-peer-detection', 'action']
+ base_close_action = base + [ike_group, 'close-action']
 if config.exists(base_dpd_action) and config.return_value(base_dpd_action) == 'hold':
 config.set(base_dpd_action, 'trap', replace=True)
+ if config.exists(base_close_action):
+ if config.return_value(base_close_action) == 'hold':
+ config.set(base_close_action, 'trap', replace=True)
+ if config.return_value(base_close_action) == 'restart':
+ config.set(base_close_action, 'start', replace=True)
 try:
 with open(file_name, 'w') as f: |
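Review bot: Adding the `close-action` rewrite to the existing 12-to-13 script only reaches configs that have not yet been migrated to ipsec version 13; the script's own header shows it already carried the dead-peer-detection rename, so a system that ran it before this commit would keep `hold` or `restart`, which the updated constraint no longer lists. Whether any published image already carries version 13 cannot be confirmed from the hunk, but if one does, this conversion belongs in a new 13-to-14 script with the component version bumped. As a smaller point, the two back-to-back `if` tests read the node twice and are mutually exclusive; `value = config.return_value(base_close_action)` followed by `if value in ('hold', 'restart'): config.set(base_close_action, {'hold': 'trap', 'restart': 'start'}[value], replace=True)` does one read. The enclosing `else:` block starts above the hunk and `base` is defined outside it.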