diff options
| author | aapostoliuk <a.apostoliuk@vyos.io> | 2024-01-17 17:46:38 +0200 |
|---|---|---|
| committer | aapostoliuk <a.apostoliuk@vyos.io> | 2024-01-17 17:46:38 +0200 |
| commit | 8870fabf1b4358618fca7db459515106653214b5 (patch) | |
| tree | ac8bad9ab957d525f0787662ecb3ab486e687b29 | |
| parent | 0afa8dd813195b43f7ac3c9f0c11fdc8dae31668 (diff) | |
| download | vyos-1x-8870fabf1b4358618fca7db459515106653214b5.tar.gz vyos-1x-8870fabf1b4358618fca7db459515106653214b5.zip | |
T5953: Changed values of 'close-action' to Strongswan values
Changed the value from 'hold' to 'trap' in the 'close-action'
option in the IKE group.
Changed the value from 'restart' to 'start' in the 'close-action'
option in the IKE group.
| -rw-r--r-- | data/templates/ipsec/swanctl/peer.j2 | 4 | ||||
| -rw-r--r-- | interface-definitions/vpn_ipsec.xml.in | 8 | ||||
| -rwxr-xr-x | src/migration-scripts/ipsec/12-to-13 | 7 |
3 files changed, 13 insertions, 6 deletions
diff --git a/data/templates/ipsec/swanctl/peer.j2 b/data/templates/ipsec/swanctl/peer.j2 index 86a44a0ff..c5841fb91 100644 --- a/data/templates/ipsec/swanctl/peer.j2 +++ b/data/templates/ipsec/swanctl/peer.j2 @@ -85,7 +85,7 @@ {% if ike.dead_peer_detection is vyos_defined %} dpd_action = {{ ike.dead_peer_detection.action }} {% endif %} - close_action = {{ {'none': 'none', 'hold': 'trap', 'restart': 'start'}[ike.close_action] }} + close_action = {{ ike.close_action }} } {% elif peer_conf.tunnel is vyos_defined %} {% for tunnel_id, tunnel_conf in peer_conf.tunnel.items() if tunnel_conf.disable is not defined %} @@ -135,7 +135,7 @@ {% if ike.dead_peer_detection is vyos_defined %} dpd_action = {{ ike.dead_peer_detection.action }} {% endif %} - close_action = {{ {'none': 'none', 'hold': 'trap', 'restart': 'start'}[ike.close_action] }} + close_action = {{ ike.close_action }} {% if peer_conf.vti.bind is vyos_defined %} {# The key defaults to 0 and will match any policies which similarly do not have a lookup key configuration. #} {# Thus we simply shift the key by one to also support a vti0 interface #} diff --git a/interface-definitions/vpn_ipsec.xml.in b/interface-definitions/vpn_ipsec.xml.in index 76c71949f..9d1d5d824 100644 --- a/interface-definitions/vpn_ipsec.xml.in +++ b/interface-definitions/vpn_ipsec.xml.in @@ -251,22 +251,22 @@ <properties> <help>Action to take if a child SA is unexpectedly closed</help> <completionHelp> - <list>none hold restart</list> + <list>none trap start</list> </completionHelp> <valueHelp> <format>none</format> <description>Do nothing</description> </valueHelp> <valueHelp> - <format>hold</format> + <format>trap</format> <description>Attempt to re-negotiate when matching traffic is seen</description> </valueHelp> <valueHelp> - <format>restart</format> + <format>start</format> <description>Attempt to re-negotiate the connection immediately</description> </valueHelp> <constraint> - <regex>(none|hold|restart)</regex> + <regex>(none|trap|start)</regex> </constraint> </properties> <defaultValue>none</defaultValue> diff --git a/src/migration-scripts/ipsec/12-to-13 b/src/migration-scripts/ipsec/12-to-13 index 504a2e9c7..c11f708bd 100755 --- a/src/migration-scripts/ipsec/12-to-13 +++ b/src/migration-scripts/ipsec/12-to-13 @@ -15,6 +15,7 @@ # along with this program. If not, see <http://www.gnu.org/licenses/>. # Changed value of dead-peer-detection.action from hold to trap +# Changed value of close-action from hold to trap and from restart to start import re @@ -41,8 +42,14 @@ if not config.exists(base): else: for ike_group in config.list_nodes(base): base_dpd_action = base + [ike_group, 'dead-peer-detection', 'action'] + base_close_action = base + [ike_group, 'close-action'] if config.exists(base_dpd_action) and config.return_value(base_dpd_action) == 'hold': config.set(base_dpd_action, 'trap', replace=True) + if config.exists(base_close_action): + if config.return_value(base_close_action) == 'hold': + config.set(base_close_action, 'trap', replace=True) + if config.return_value(base_close_action) == 'restart': + config.set(base_close_action, 'start', replace=True) try: with open(file_name, 'w') as f: |