authorChristian Poessinger <christian@poessinger.com>2021-08-04 20:48:09 +0200
committerChristian Poessinger <christian@poessinger.com>2021-08-04 20:49:29 +0200
commit947f8290ea7094dbd2c4e72df42f54e763c7ec62 (patch)
tree7e99392adf1d96641ad99b5dba0a281924e64899
parent3a814957f412759b6ebc908ed78c7d299adedfb3 (diff)
ipsec: T3718: fix default processing of ike dh-group proposals
IKE dh-group defaults to 2 (modp1024).
-rw-r--r--interface-definitions/vpn_ipsec.xml.in2
-rwxr-xr-xsrc/conf_mode/vpn_ipsec.py11
2 files changed, 12 insertions, 1 deletions
diff --git a/interface-definitions/vpn_ipsec.xml.in b/interface-definitions/vpn_ipsec.xml.in
index 165fdfdf3..b28c86ae6 100644
--- a/interface-definitions/vpn_ipsec.xml.in
+++ b/interface-definitions/vpn_ipsec.xml.in
@@ -383,7 +383,6 @@
</properties>
<children>
<leafNode name="dh-group">
- <defaultValue>2</defaultValue>
<properties>
<help>dh-grouphelp</help>
<completionHelp>
@@ -481,6 +480,7 @@
<regex>^(1|2|5|14|15|16|17|18|19|20|21|22|23|24|25|26|27|28|29|30|31|32)$</regex>
</constraint>
</properties>
+ <defaultValue>2</defaultValue>
</leafNode>
#include <include/vpn-ipsec-encryption.xml.i>
#include <include/vpn-ipsec-hash.xml.i>
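Review bot: The relocated `<defaultValue>2</defaultValue>` keeps the IKE dh-group default at group 2, which the commit message identifies as modp1024; a 1024-bit MODP group is below current key-strength guidance for IKE, so the value itself is worth revisiting separately from this ordering fix. If it has to stay for compatibility with existing configurations, an XML comment next to the moved line, e.g. `<!-- legacy default kept for compatibility; 14 or higher is preferred for new deployments -->`, would make that intent explicit to the next maintainer. Whether the schema requires defaultValue to follow properties cannot be confirmed from the hunk alone.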
diff --git a/src/conf_mode/vpn_ipsec.py b/src/conf_mode/vpn_ipsec.py
index 11ff12e94..329d84528 100755
--- a/src/conf_mode/vpn_ipsec.py
+++ b/src/conf_mode/vpn_ipsec.py
@@ -102,9 +102,20 @@ def get_config(config=None):
ipsec['esp_group'][group])
if 'ike_group' in ipsec:
default_values = defaults(base + ['ike-group'])
+ # proposal is a tag node which may come with individual defaults per node
+ if 'proposal' in default_values:
+ del default_values['proposal']
+
for group in ipsec['ike_group']:
ipsec['ike_group'][group] = dict_merge(default_values,
ipsec['ike_group'][group])
+
+ if 'proposal' in ipsec['ike_group'][group]:
+ default_values = defaults(base + ['ike-group', 'proposal'])
+ for proposal in ipsec['ike_group'][group]['proposal']:
+ ipsec['ike_group'][group]['proposal'][proposal] = dict_merge(default_values,
+ ipsec['ike_group'][group]['proposal'][proposal])
+
if 'remote_access' in ipsec and 'connection' in ipsec['remote_access']:
default_values = defaults(base + ['remote-access', 'connection'])
for rw in ipsec['remote_access']['connection']:
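Review bot: `default_values` is rebound by `default_values = defaults(base + ['ike-group', 'proposal'])` inside the `for group in ipsec['ike_group']` loop, so from the second IKE group onward the `dict_merge(default_values, ipsec['ike_group'][group])` at the top of the loop merges the proposal defaults (dh-group and friends) into the ike-group itself instead of the ike-group defaults, and the ike-group-level defaults are lost for that group. Use a distinct name and compute it once before the loop: `proposal_defaults = defaults(base + ['ike-group', 'proposal'])` and then `dict_merge(proposal_defaults, ipsec['ike_group'][group]['proposal'][proposal])`. The same rebinding of `default_values` for `remote_access` below is sequential rather than nested, so it is harmless there. Indentation is not preserved on this page, so the nesting is inferred from the use of `group` inside the proposal block; get_config continues outside the hunk.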