T5872: ipsec remote access VPN: support dhcp-interface.

1 files changed, 36 insertions, 2 deletions

diff --git a/src/conf_mode/vpn_ipsec.py b/src/conf_mode/vpn_ipsec.py
index 388f2a709..64d0f6d9d 100755
--- a/src/conf_mode/vpn_ipsec.py
+++ b/src/conf_mode/vpn_ipsec.py
@@ -229,6 +229,30 @@ def verify(ipsec):
     if 'remote_access' in ipsec:
         if 'connection' in ipsec['remote_access']:
             for name, ra_conf in ipsec['remote_access']['connection'].items():
+                if 'local_address' not in ra_conf and 'dhcp_interface' not in ra_conf:
+                    raise ConfigError(f"Missing local-address or dhcp-interface on remote-access connection {name}")
+
+                if 'dhcp_interface' in ra_conf:
+                    dhcp_interface = ra_conf['dhcp_interface']
+
+                    verify_interface_exists(dhcp_interface)
+                    dhcp_base = directories['isc_dhclient_dir']
+
+                    if not os.path.exists(f'{dhcp_base}/dhclient_{dhcp_interface}.conf'):
+                        raise ConfigError(f"Invalid dhcp-interface on remote-access connection {name}")
+
+                    address = get_dhcp_address(dhcp_interface)
+                    count = 0
+                    while not address and count < dhcp_wait_attempts:
+                        address = get_dhcp_address(dhcp_interface)
+                        count += 1
+                        sleep(dhcp_wait_sleep)
+
+                    if not address:
+                        ipsec['dhcp_no_address'][f'ra_{name}'] = dhcp_interface
+                        print(f"Failed to get address from dhcp-interface on remote-access connection {name} -- skipped")
+                        continue
+
                 if 'esp_group' in ra_conf:
                     if 'esp_group' not in ipsec or ra_conf['esp_group'] not in ipsec['esp_group']:
                         raise ConfigError(f"Invalid esp-group on {name} remote-access config")
@@ -394,7 +418,7 @@ def verify(ipsec):
                     sleep(dhcp_wait_sleep)
 
                 if not address:
-                    ipsec['dhcp_no_address'][peer] = dhcp_interface
+                    ipsec['dhcp_no_address'][f'peer_{peer}'] = dhcp_interface
                     print(f"Failed to get address from dhcp-interface on site-to-site peer {peer} -- skipped")
                     continue
 
@@ -522,13 +546,23 @@ def generate(ipsec):
 
     if 'remote_access' in ipsec and 'connection' in ipsec['remote_access']:
         for rw, rw_conf in ipsec['remote_access']['connection'].items():
+            if f'ra_{rw}' in ipsec['dhcp_no_address']:
+                continue
+
+            local_ip = ''
+            if 'local_address' in rw_conf:
+                local_ip = rw_conf['local_address']
+            elif 'dhcp_interface' in rw_conf:
+                local_ip = get_dhcp_address(rw_conf['dhcp_interface'])
+
+            ipsec['remote_access']['connection'][rw]['local_address'] = local_ip
 
             if 'authentication' in rw_conf and 'x509' in rw_conf['authentication']:
                 generate_pki_files_x509(ipsec['pki'], rw_conf['authentication']['x509'])
 
     if 'site_to_site' in ipsec and 'peer' in ipsec['site_to_site']:
         for peer, peer_conf in ipsec['site_to_site']['peer'].items():
-            if peer in ipsec['dhcp_no_address']:
+            if f'peer_{peer}' in ipsec['dhcp_no_address']:
                 continue
 
             if peer_conf['authentication']['mode'] == 'x509':