author | Christian Poessinger <christian@poessinger.com> | 2021-09-18 15:18:21 +0200 |
committer | Christian Poessinger <christian@poessinger.com> | 2021-09-18 15:18:21 +0200 |
commit | 6f3130ea5c8c3043e4a5377c972b96233f22a5fc (patch) | |
tree | ee380c8eb98dd8907ea36799a50d4eec27ea136f /data | |
parent | dda9f655f94968b07043887a03e3bba176eb94d5 (diff) | |
ipsec: vti: T3831: avoid usinf xfrm if_id 0 - implement shift by one
The key defaults to 0 and will match any policies which similarly do not have
a lookup key configuration. This means that a vti0 named interface will pull in
all traffic and others will stop working. Thus we simply shift the key by one
to also support a vti0 interface.
Diffstat (limited to 'data')
-rw-r--r-- | data/templates/ipsec/swanctl/peer.tmpl | 14 |
1 files changed, 10 insertions, 4 deletions
diff --git a/data/templates/ipsec/swanctl/peer.tmpl b/data/templates/ipsec/swanctl/peer.tmpl
index 98c09436c..e039e98aa 100644
--- a/data/templates/ipsec/swanctl/peer.tmpl
+++ b/data/templates/ipsec/swanctl/peer.tmpl
@@ -61,8 +61,11 @@
 local_ts = 0.0.0.0/0,::/0
 remote_ts = 0.0.0.0/0,::/0
 updown = "/etc/ipsec.d/vti-up-down {{ peer_conf.vti.bind }} {{ peer_conf.dhcp_interface if peer_conf.dhcp_interface is defined else 'no' }}"
- if_id_in = {{ peer_conf.vti.bind | replace('vti', '') }}
- if_id_out = {{ peer_conf.vti.bind | replace('vti', '') }}
+ {# The key defaults to 0 and will match any policies which similarly do not have a lookup key configuration. #}
+ {# Thus we simply shift the key by one to also support a vti0 interface #}
+{% set if_id = peer_conf.vti.bind | replace('vti', '') | int +1 %}
+ if_id_in = {{ if_id }}
+ if_id_out = {{ if_id }}
 ipcomp = {{ 'yes' if vti_esp.compression is defined and vti_esp.compression == 'enable' else 'no' }}
 mode = {{ vti_esp.mode }}
 {% if peer[0:1] == '@' %}
@@ -117,8 +120,11 @@
 {% endif %}
 {% if peer_conf.vti is defined and peer_conf.vti.bind is defined %}
 updown = "/etc/ipsec.d/vti-up-down {{ peer_conf.vti.bind }} {{ peer_conf.dhcp_interface if peer_conf.dhcp_interface is defined else 'no' }}"
- if_id_in = {{ peer_conf.vti.bind | replace('vti', '') }}
- if_id_out = {{ peer_conf.vti.bind | replace('vti', '') }}
+ {# The key defaults to 0 and will match any policies which similarly do not have a lookup key configuration. #}
+ {# Thus we simply shift the key by one to also support a vti0 interface #}
+{% set if_id = peer_conf.vti.bind | replace('vti', '') | int +1 %}
+ if_id_in = {{ if_id }}
+ if_id_out = {{ if_id }}
 {% endif %}
 }
 {% if tunnel_conf.passthrough is defined and tunnel_conf.passthrough %}
|
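Review bot: The `int` filter in the added `{% set if_id = peer_conf.vti.bind | replace('vti', '') | int +1 %}` line silently falls back to 0 when the stripped name is not numeric, so any bind value that is not of the form `vtiN` would render as `if_id_in = 1` and share the key with vti0 — the same collision the shift is meant to avoid — unless the interface name is validated before the template is rendered; the identical line in the second hunk at `@@ -117,8 +120,11 @@` has the same property. The shifted value must also agree with whatever creates the xfrm interface for `peer_conf.vti.bind`; this diffstat is limited to `data/`, so that side is not visible here and should be confirmed to apply the same +1, otherwise policies and interface would no longer match. Because the comment and `set` are duplicated verbatim in both hunks, defining the offset once (a macro, or a single guarded `{% set %}`) would keep the two in step, and `| int + 1` reads more clearly than `| int +1`. The enclosing `{% if %}` blocks of both hunks start and end outside the hunk.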