summaryrefslogtreecommitdiff
path: root/data/templates
diff options
context:
space:
mode:
authorChristian Poessinger <christian@poessinger.com>2021-09-18 15:18:21 +0200
committerChristian Poessinger <christian@poessinger.com>2021-09-18 15:18:21 +0200
commit6f3130ea5c8c3043e4a5377c972b96233f22a5fc (patch)
treeee380c8eb98dd8907ea36799a50d4eec27ea136f /data/templates
parentdda9f655f94968b07043887a03e3bba176eb94d5 (diff)
downloadvyos-1x-6f3130ea5c8c3043e4a5377c972b96233f22a5fc.tar.gz
vyos-1x-6f3130ea5c8c3043e4a5377c972b96233f22a5fc.zip
ipsec: vti: T3831: avoid usinf xfrm if_id 0 - implement shift by one
The key defaults to 0 and will match any policies which similarly do not have a lookup key configuration. This means that a vti0 named interface will pull in all traffic and others will stop working. Thus we simply shift the key by one to also support a vti0 interface.
Diffstat (limited to 'data/templates')
-rw-r--r--data/templates/ipsec/swanctl/peer.tmpl14
1 files changed, 10 insertions, 4 deletions
diff --git a/data/templates/ipsec/swanctl/peer.tmpl b/data/templates/ipsec/swanctl/peer.tmpl
index 98c09436c..e039e98aa 100644
--- a/data/templates/ipsec/swanctl/peer.tmpl
+++ b/data/templates/ipsec/swanctl/peer.tmpl
@@ -61,8 +61,11 @@
local_ts = 0.0.0.0/0,::/0
remote_ts = 0.0.0.0/0,::/0
updown = "/etc/ipsec.d/vti-up-down {{ peer_conf.vti.bind }} {{ peer_conf.dhcp_interface if peer_conf.dhcp_interface is defined else 'no' }}"
- if_id_in = {{ peer_conf.vti.bind | replace('vti', '') }}
- if_id_out = {{ peer_conf.vti.bind | replace('vti', '') }}
+ {# The key defaults to 0 and will match any policies which similarly do not have a lookup key configuration. #}
+ {# Thus we simply shift the key by one to also support a vti0 interface #}
+{% set if_id = peer_conf.vti.bind | replace('vti', '') | int +1 %}
+ if_id_in = {{ if_id }}
+ if_id_out = {{ if_id }}
ipcomp = {{ 'yes' if vti_esp.compression is defined and vti_esp.compression == 'enable' else 'no' }}
mode = {{ vti_esp.mode }}
{% if peer[0:1] == '@' %}
@@ -117,8 +120,11 @@
{% endif %}
{% if peer_conf.vti is defined and peer_conf.vti.bind is defined %}
updown = "/etc/ipsec.d/vti-up-down {{ peer_conf.vti.bind }} {{ peer_conf.dhcp_interface if peer_conf.dhcp_interface is defined else 'no' }}"
- if_id_in = {{ peer_conf.vti.bind | replace('vti', '') }}
- if_id_out = {{ peer_conf.vti.bind | replace('vti', '') }}
+ {# The key defaults to 0 and will match any policies which similarly do not have a lookup key configuration. #}
+ {# Thus we simply shift the key by one to also support a vti0 interface #}
+{% set if_id = peer_conf.vti.bind | replace('vti', '') | int +1 %}
+ if_id_in = {{ if_id }}
+ if_id_out = {{ if_id }}
{% endif %}
}
{% if tunnel_conf.passthrough is defined and tunnel_conf.passthrough %}