| author | Christian Poessinger <christian@poessinger.com> | 2021-07-19 19:04:13 +0200 |
|---|---|---|
| committer | Christian Poessinger <christian@poessinger.com> | 2021-07-19 19:04:13 +0200 |
| commit | 02043297db68d45b2ca398486cc119d1c103e68c | |
| tree | 3aba9dd1d43dd0a7428014886a8b2ed60bacfc15 /interface-definitions/vpn_ipsec.xml.in | |
| parent | 9556d78b1d54c7320a0154990c61d23c6197c38f | |
ipsec: T1210: add "unique" option to specify how to handle multiple connections
Connection uniqueness policy to enforce. To avoid multiple connections from the
same user, a uniqueness policy can be enforced.
* never: never enforce such a policy, even if a peer included INITIAL_CONTACT
notification
* keep: reject new connection attempts if the same user already has an active
connection
* replace: delete any existing connection if a new one for the same user gets
established
To compare connections for uniqueness, the remote IKE identity is used. If EAP
or XAuth authentication is involved, the EAP-Identity or XAuth username is used
to enforce the uniqueness policy instead.
Diffstat (limited to 'interface-definitions/vpn_ipsec.xml.in')
-rw-r--r-- | interface-definitions/vpn_ipsec.xml.in | 23 |
1 files changed, 23 insertions, 0 deletions
diff --git a/interface-definitions/vpn_ipsec.xml.in b/interface-definitions/vpn_ipsec.xml.in index 5272b57cc..093a677e9 100644 --- a/interface-definitions/vpn_ipsec.xml.in +++ b/interface-definitions/vpn_ipsec.xml.in @@ -841,6 +841,29 @@ <multi/> </properties> </leafNode> + <leafNode name="unique"> + <properties> + <help>Connection uniqueness policy to enforce</help> + <completionHelp> + <list>never keep replace</list> + </completionHelp> + <valueHelp> + <format>never</format> + <description>Never enforce connection uniqueness policy</description> + </valueHelp> + <valueHelp> + <format>keep</format> + <description>Rejects new connection attempts if the same user already has an active connection</description> + </valueHelp> + <valueHelp> + <format>replace</format> + <description>Delete any existing connection if a new one for the same user gets established</description> + </valueHelp> + <constraint> + <regex>^(never|keep|replace)$</regex> + </constraint> + </properties> + </leafNode> </children> </tagNode> <tagNode name="pool"> |
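Review bot: the new `unique` leafNode declares no `<defaultValue>`, and neither the `<help>` text nor the commit message says which policy applies when the option is left unset, so state the effective default in the help string (or add a `<defaultValue>`) so operators know whether duplicate sessions for one identity are allowed by default. Two smaller points in the same hunk: the `<description>` for `keep` ("Rejects new connection attempts ...") is the only one written in the indicative, while `never` and `replace` use the imperative ("Never enforce ...", "Delete any existing ..."), so change it to "Reject new connection attempts if the same user already has an active connection"; and the CLI `<help>` ("Connection uniqueness policy to enforce") could mention that uniqueness is compared on the remote IKE identity, or the EAP-Identity/XAuth username when those are in use, which the commit message explains but the help shown to the user does not.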