| -rw-r--r-- | data/configd-include.json | 1 | ||||
| -rw-r--r-- | interface-definitions/ipsec-settings.xml.in | 25 | ||||
| -rw-r--r-- | python/vyos/util.py | 2 | ||||
| -rwxr-xr-x | src/conf_mode/ipsec-settings.py | 7 | ||||
| -rwxr-xr-x | src/conf_mode/vpn_ipsec.py | 28 | 
5 files changed, 24 insertions, 39 deletions
| diff --git a/data/configd-include.json b/data/configd-include.json
index 2e6226097..d228ac8a3 100644
--- a/data/configd-include.json
+++ b/data/configd-include.json
@@ -27,7 +27,6 @@
 "interfaces-wireguard.py",
 "interfaces-wireless.py",
 "interfaces-wwan.py",
-"ipsec-settings.py",
 "lldp.py",
 "nat.py",
 "nat66.py",
diff --git a/interface-definitions/ipsec-settings.xml.in b/interface-definitions/ipsec-settings.xml.in
deleted file mode 100644
index 0bcba9a84..000000000
--- a/interface-definitions/ipsec-settings.xml.in
+++ /dev/null
@@ -1,25 +0,0 @@
-<?xml version="1.0"?>
-<interfaceDefinition>
-  <node name="vpn">
-    <children>
-      <node name="ipsec">
-        <children>
-          <node name="options" owner="${vyos_conf_scripts_dir}/ipsec-settings.py">
-            <properties>
-              <help>Global IPsec settings</help>
-              <priority>902</priority>
-            </properties>
-            <children>
-              <leafNode name="disable-route-autoinstall">
-                <properties>
-                  <valueless/>
-                  <help>Do not automatically install routes to remote networks</help>
-                </properties>
-              </leafNode>
-            </children>
-          </node>
-        </children>
-      </node>
-    </children>
-  </node>
-</interfaceDefinition>
diff --git a/python/vyos/util.py b/python/vyos/util.py
index c64b477ef..171ab397f 100644
--- a/python/vyos/util.py
+++ b/python/vyos/util.py
@@ -440,7 +440,6 @@ def process_running(pid_file):
         pid = f.read().strip()
     return pid_exists(int(pid))
-
 def process_named_running(name):
     """ Checks if process with given name is running and returns its PID.
     If Process is not running, return None
@@ -451,7 +450,6 @@ def process_named_running(name):
             return p.pid
     return None
-
 def seconds_to_human(s, separator=""):
     """ Converts number of seconds passed to a human-readable
     interval such as 1w4d18h35m59s
diff --git a/src/conf_mode/ipsec-settings.py b/src/conf_mode/ipsec-settings.py
index a65e8b567..a373f821f 100755
--- a/src/conf_mode/ipsec-settings.py
+++ b/src/conf_mode/ipsec-settings.py
@@ -29,7 +29,6 @@ from vyos import airbag
 airbag.enable()
 ra_conn_name = "remote-access"
-charon_conf_file = "/etc/strongswan.d/charon.conf"
 ipsec_secrets_file = "/etc/ipsec.secrets"
 ipsec_ra_conn_dir = "/etc/ipsec.d/tunnels/"
 ipsec_ra_conn_file = ipsec_ra_conn_dir + ra_conn_name
@@ -46,10 +45,6 @@ def get_config(config=None):
         config = config
     else:
         config = Config()
-    data = {"install_routes": "yes"}
-
-    if config.exists("vpn ipsec options disable-route-autoinstall"):
-        data["install_routes"] = "no"
     if config.exists("vpn ipsec ipsec-interfaces interface"):
         data["ipsec_interfaces"] = config.return_values("vpn ipsec ipsec-interfaces interface")
@@ -170,8 +165,6 @@ def verify(data):
             raise ConfigError("L2TP VPN configuration error: \"vpn ipsec ipsec-interfaces\" must be specified.")
 def generate(data):
-    render(charon_conf_file, 'ipsec/charon.tmpl', data)
-
     if data["ipsec_l2tp"]:
         remove_confs(delim_ipsec_l2tp_begin, delim_ipsec_l2tp_end, ipsec_secrets_file)
         # old_umask = os.umask(0o077)
diff --git a/src/conf_mode/vpn_ipsec.py b/src/conf_mode/vpn_ipsec.py
index cf23a89c6..53a50fa1e 100755
--- a/src/conf_mode/vpn_ipsec.py
+++ b/src/conf_mode/vpn_ipsec.py
@@ -19,6 +19,7 @@ import os
 from sys import exit
 from time import sleep
+from time import time
 from vyos.config import Config
 from vyos.configdict import leaf_node_changed
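Review bot: `data` is no longer bound before the surviving `data["ipsec_interfaces"] = config.return_values(...)` in get_config of src/conf_mode/ipsec-settings.py: the hunk removes the `data = {"install_routes": "yes"}` initialiser together with the option lookup, so the first commit with `vpn ipsec ipsec-interfaces interface` set raises NameError (or UnboundLocalError, if `data` is assigned later in the function — the rest of get_config lies outside the hunk). Keep an empty initialiser where the removed one stood: `data = {}`. get_config starts before this hunk and continues after it.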
@@ -46,10 +47,15 @@ dhcp_wait_sleep = 1
 swanctl_dir    = '/etc/swanctl'
 ipsec_conf     = '/etc/ipsec.conf'
 ipsec_secrets  = '/etc/ipsec.secrets'
+charon_conf = '/etc/strongswan.d/charon.conf'
 charon_dhcp_conf = '/etc/strongswan.d/charon/dhcp.conf'
 interface_conf = '/etc/strongswan.d/interfaces_use.conf'
 swanctl_conf   = f'{swanctl_dir}/swanctl.conf'
+default_install_routes = 'yes'
+
+vici_socket = '/var/run/charon.vici'
+
 CERT_PATH = f'{swanctl_dir}/x509/'
 KEY_PATH  = f'{swanctl_dir}/private/'
 CA_PATH   = f'{swanctl_dir}/x509ca/'
@@ -101,6 +107,7 @@ def get_config(config=None):
                                                     ipsec['remote_access'][rw])
     ipsec['dhcp_no_address'] = {}
+    ipsec['install_routes'] = 'no' if conf.exists(base + ["options", "disable-route-autoinstall"]) else default_install_routes
     ipsec['interface_change'] = leaf_node_changed(conf, base + ['ipsec-interfaces',
                                                                 'interface'])
     ipsec['l2tp_exists'] = conf.exists(['vpn', 'l2tp', 'remote-access',
@@ -352,9 +359,10 @@ def generate(ipsec):
     cleanup_pki_files()
     if not ipsec:
-        for config_file in [ipsec_conf, ipsec_secrets, interface_conf, swanctl_conf]:
+        for config_file in [ipsec_conf, ipsec_secrets, charon_dhcp_conf, interface_conf, swanctl_conf]:
             if os.path.isfile(config_file):
                 os.unlink(config_file)
+        render(charon_conf, 'ipsec/charon.tmpl', {'install_routes': default_install_routes})
         return
     if ipsec['dhcp_no_address']:
@@ -371,7 +379,7 @@ def generate(ipsec):
     if not os.path.exists(KEY_PATH):
         os.mkdir(KEY_PATH, mode=0o700)
-    if 'remote_access' in ipsec:
+    if 'remote_access' in data:
         for rw, rw_conf in ipsec['remote_access'].items():
             if 'authentication' in rw_conf and 'x509' in rw_conf['authentication']:
                 generate_pki_files(ipsec['pki'], rw_conf['authentication']['x509'])
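Review bot: The new `ipsec['install_routes'] = 'no' if conf.exists(base + ["options", "disable-route-autoinstall"]) else default_install_routes` line in the @@ -101 hunk mixes double-quoted path elements with the single-quoted style of the neighbouring `base + ['ipsec-interfaces', 'interface']`, and runs well past the line length used elsewhere in this file. Splitting it keeps the style consistent and readable: `disable_routes = conf.exists(base + ['options', 'disable-route-autoinstall'])` followed by `ipsec['install_routes'] = 'no' if disable_routes else default_install_routes`. get_config starts before this hunk and continues after it.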
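Review bot: In the @@ -371 hunk the guard now reads `if 'remote_access' in data:` while the body directly below still indexes `ipsec['remote_access']` and `ipsec['pki']`; the hunk does not show `data` being bound in generate at this point, so the check either raises NameError or inspects a different dict than the one the body reads. Keep the guard and the body on the same object, `if 'remote_access' in ipsec:`, or rename the body accesses as well if `data` is meant to supersede `ipsec` from here on. The earlier @@ -352 hunk of the same function still uses `ipsec` as its working dict (`if not ipsec:`, `if ipsec['dhcp_no_address']:`). generate starts before this hunk and continues after it.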
@@ -414,6 +422,7 @@ def generate(ipsec):
     render(ipsec_conf, 'ipsec/ipsec.conf.tmpl', data)
     render(ipsec_secrets, 'ipsec/ipsec.secrets.tmpl', data)
+    render(charon_conf, 'ipsec/charon.tmpl', data)
     render(charon_dhcp_conf, 'ipsec/charon/dhcp.conf.tmpl', data)
     render(interface_conf, 'ipsec/interfaces_use.conf.tmpl', data)
     render(swanctl_conf, 'ipsec/swanctl.conf.tmpl', data)
@@ -434,6 +443,17 @@ def resync_nhrp(ipsec):
     if tmp > 0:
         print('ERROR: failed to reapply NHRP settings!')
+def wait_for_vici_socket(timeout=5, sleep_interval=0.1):
+    start_time = time()
+    test_command = f'sudo socat -u OPEN:/dev/null UNIX-CONNECT:{vici_socket}'
+    while True:
+        if (start_time + timeout) < time():
+            return None
+        result = run(test_command)
+        if result == 0:
+            return True
+        sleep(sleep_interval)
+
 def apply(ipsec):
     if not ipsec:
         call('sudo ipsec stop')
@@ -445,8 +465,8 @@ def apply(ipsec):
         call('sudo ipsec rereadall')
         call('sudo ipsec reload')
-        sleep(5) # Give charon enough time to start
-        call('sudo swanctl -q')
+        if wait_for_vici_socket():
+            call('sudo swanctl -q')
     resync_l2tp(ipsec)
     resync_nhrp(ipsec)
|
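Review bot: wait_for_vici_socket() in the @@ -434 hunk measures its timeout with the wall clock `time()`, so a clock step (for example an NTP correction while the system is still coming up) can end the wait early or stretch it, and it signals timeout with `return None` while success is `True`, which reads as a third state at the call site. Use a monotonic deadline, return `False` on timeout, and give the function a docstring stating that contract; `monotonic` would take the place of `time` in the import hunk at the top of this file. The `sudo socat … UNIX-CONNECT:{vici_socket}` probe only interpolates the module-level constant, so there is no untrusted input in that command string.

```python
def wait_for_vici_socket(timeout=5, sleep_interval=0.1):
    """Poll until charon's VICI socket accepts a connection.

    Returns True as soon as the socat probe succeeds and False once
    *timeout* seconds have elapsed without a successful connection.
    The deadline comes from monotonic() so wall-clock adjustments
    cannot shorten or extend the wait.
    """
    deadline = monotonic() + timeout
    test_command = f'sudo socat -u OPEN:/dev/null UNIX-CONNECT:{vici_socket}'
    while monotonic() < deadline:
        if run(test_command) == 0:
            return True
        sleep(sleep_interval)
    return False
```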
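Review bot: In the @@ -445 hunk, when wait_for_vici_socket() times out `swanctl -q` is skipped without any message, so the freshly rendered swanctl.conf is never loaded into charon and nothing tells the operator; resync_nhrp() in the same file prints an explicit `ERROR:` line for its corresponding failure. Add the matching branch after the call: `else:` / `print('ERROR: VICI socket did not become available, swanctl configuration not loaded!')`. apply starts before this hunk and continues after it.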
