ipsec: T5998: add replay-windows setting

The replay_window for child SA will always be 32 (hence enabled). Add a CLI node
to explicitly change this.

* set vpn ipsec site-to-site peer <name> replay-window <0-2040>

1 files changed, 6 insertions, 0 deletions

diff --git a/data/templates/ipsec/swanctl/peer.j2 b/data/templates/ipsec/swanctl/peer.j2
index c5841fb91..58f0199fa 100644
--- a/data/templates/ipsec/swanctl/peer.j2
+++ b/data/templates/ipsec/swanctl/peer.j2
@@ -86,6 +86,9 @@
                 dpd_action = {{ ike.dead_peer_detection.action }}
 {%     endif %}
                 close_action = {{ ike.close_action }}
+{%     if peer_conf.replay_window is vyos_defined %}
+                replay_window = {{ peer_conf.replay_window }}
+{%     endif %}
             }
 {% elif peer_conf.tunnel is vyos_defined %}
 {%     for tunnel_id, tunnel_conf in peer_conf.tunnel.items() if tunnel_conf.disable is not defined %}
@@ -136,6 +139,9 @@
                 dpd_action = {{ ike.dead_peer_detection.action }}
 {%         endif %}
                 close_action = {{ ike.close_action }}
+{%         if peer_conf.replay_window is vyos_defined %}
+                replay_window = {{ peer_conf.replay_window }}
+{%         endif %}
 {%         if peer_conf.vti.bind is vyos_defined %}
 {#             The key defaults to 0 and will match any policies which similarly do not have a lookup key configuration. #}
 {#             Thus we simply shift the key by one to also support a vti0 interface #}