| author | Christian Poessinger <christian@poessinger.com> | 2021-08-04 20:48:09 +0200 | 
|---|---|---|
| committer | Christian Poessinger <christian@poessinger.com> | 2021-08-04 20:49:29 +0200 | 
| commit | 947f8290ea7094dbd2c4e72df42f54e763c7ec62 (patch) | |
| tree | 7e99392adf1d96641ad99b5dba0a281924e64899 /src | |
| parent | 3a814957f412759b6ebc908ed78c7d299adedfb3 (diff) | |
ipsec: T3718: fix default processing of ike dh-group proposals
IKE dh-group defaults to 2 (modp1024).
Diffstat (limited to 'src')
| -rwxr-xr-x | src/conf_mode/vpn_ipsec.py | 11 | 
1 files changed, 11 insertions, 0 deletions
|
diff --git a/src/conf_mode/vpn_ipsec.py b/src/conf_mode/vpn_ipsec.py
index 11ff12e94..329d84528 100755
--- a/src/conf_mode/vpn_ipsec.py
+++ b/src/conf_mode/vpn_ipsec.py
@@ -102,9 +102,20 @@ def get_config(config=None):
                                                    ipsec['esp_group'][group])
     if 'ike_group' in ipsec:
         default_values = defaults(base + ['ike-group'])
+        # proposal is a tag node which may come with individual defaults per node
+        if 'proposal' in default_values:
+            del default_values['proposal']
+
         for group in ipsec['ike_group']:
             ipsec['ike_group'][group] = dict_merge(default_values,
                                                    ipsec['ike_group'][group])
+
+            if 'proposal' in ipsec['ike_group'][group]:
+                default_values = defaults(base + ['ike-group', 'proposal'])
+                for proposal in ipsec['ike_group'][group]['proposal']:
+                    ipsec['ike_group'][group]['proposal'][proposal] = dict_merge(default_values,
+                        ipsec['ike_group'][group]['proposal'][proposal])
+
     if 'remote_access' in ipsec and 'connection' in ipsec['remote_access']:
         default_values = defaults(base + ['remote-access', 'connection'])
         for rw in ipsec['remote_access']['connection']:
|
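Review bot: `default_values` is rebound to the proposal-level defaults inside the `for group in ipsec['ike_group']` loop, so from the second IKE group onward the group-level `dict_merge(default_values, ipsec['ike_group'][group])` runs with proposal defaults instead of the ike-group defaults. Assuming `dict_merge` fills missing keys from its first argument, later groups would lose their group-level defaults and pick up proposal keys at group level. Use a separate name fetched once before the loop, `proposal_defaults = defaults(base + ['ike-group', 'proposal'])`, and pass `proposal_defaults` to the inner `dict_merge`. Since the commit message says the default is dh-group 2 (modp1024), a comment at the merge noting that proposals without an explicit dh-group get a 1024-bit MODP group would help anyone auditing for weak IKE parameters. `get_config` starts and ends outside this hunk.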
