diff options
| author | Christian Breunig <christian@breunig.cc> | 2024-02-02 20:44:29 +0100 |
|---|---|---|
| committer | Christian Breunig <christian@breunig.cc> | 2024-02-03 13:01:02 +0100 |
| commit | 4d943d8fbf1253154897179b0e3ea2d93b898197 (patch) | |
| tree | 9067a3e6b59ce2aa5d1be2872a59ff9debaf3008 /data/templates | |
| parent | 84b17f0e666b7fb48e2e9cde12ce2e84b59dd5b2 (diff) | |
| download | vyos-1x-4d943d8fbf1253154897179b0e3ea2d93b898197.tar.gz vyos-1x-4d943d8fbf1253154897179b0e3ea2d93b898197.zip | |
ipsec: T5998: add replay-windows setting
The replay_window for child SA will always be 32 (hence enabled). Add a CLI node
to explicitly change this.
* set vpn ipsec site-to-site peer <name> replay-window <0-2040>
Diffstat (limited to 'data/templates')
| -rw-r--r-- | data/templates/ipsec/swanctl/peer.j2 | 6 | ||||
| -rw-r--r-- | data/templates/ipsec/swanctl/remote_access.j2 | 3 |
2 files changed, 9 insertions, 0 deletions
diff --git a/data/templates/ipsec/swanctl/peer.j2 b/data/templates/ipsec/swanctl/peer.j2 index c5841fb91..58f0199fa 100644 --- a/data/templates/ipsec/swanctl/peer.j2 +++ b/data/templates/ipsec/swanctl/peer.j2 @@ -86,6 +86,9 @@ dpd_action = {{ ike.dead_peer_detection.action }} {% endif %} close_action = {{ ike.close_action }} +{% if peer_conf.replay_window is vyos_defined %} + replay_window = {{ peer_conf.replay_window }} +{% endif %} } {% elif peer_conf.tunnel is vyos_defined %} {% for tunnel_id, tunnel_conf in peer_conf.tunnel.items() if tunnel_conf.disable is not defined %} @@ -136,6 +139,9 @@ dpd_action = {{ ike.dead_peer_detection.action }} {% endif %} close_action = {{ ike.close_action }} +{% if peer_conf.replay_window is vyos_defined %} + replay_window = {{ peer_conf.replay_window }} +{% endif %} {% if peer_conf.vti.bind is vyos_defined %} {# The key defaults to 0 and will match any policies which similarly do not have a lookup key configuration. #} {# Thus we simply shift the key by one to also support a vti0 interface #} diff --git a/data/templates/ipsec/swanctl/remote_access.j2 b/data/templates/ipsec/swanctl/remote_access.j2 index 01dc8a4a7..bce8684fe 100644 --- a/data/templates/ipsec/swanctl/remote_access.j2 +++ b/data/templates/ipsec/swanctl/remote_access.j2 @@ -43,6 +43,9 @@ rand_time = 540s dpd_action = clear inactivity = {{ rw_conf.timeout }} +{% if rw_conf.replay_window is vyos_defined %} + replay_window = {{ rw_conf.replay_window }} +{% endif %} {% set local_prefix = rw_conf.local.prefix if rw_conf.local.prefix is vyos_defined else ['0.0.0.0/0', '::/0'] %} {% set local_port = rw_conf.local.port if rw_conf.local.port is vyos_defined else '' %} {% set local_suffix = '[%any/{1}]'.format(local_port) if local_port else '' %} |