-rw-r--r--data/templates/ipsec/ipsec.conf.tmpl2
-rwxr-xr-xsrc/etc/ipsec.d/vti-up-down56
2 files changed, 11 insertions, 47 deletions
diff --git a/data/templates/ipsec/ipsec.conf.tmpl b/data/templates/ipsec/ipsec.conf.tmpl
index 75f3de39c..67447366c 100644
--- a/data/templates/ipsec/ipsec.conf.tmpl
+++ b/data/templates/ipsec/ipsec.conf.tmpl
@@ -42,7 +42,7 @@ conn peer-{{ peer }}
conn peer-{{ peer }}-vti
also = peer-{{ peer }}
leftsubnet = 0.0.0.0/0
- leftupdown = "/etc/ipsec.d/vti-up-down {{ peer_conf.vti.bind }}"
+ leftupdown = "/etc/ipsec.d/vti-up-down {{ peer_conf.vti.bind }} {{ peer_conf.dhcp_interface if 'dhcp_interface' in peer_conf else 'no' }}"
rightsubnet = 0.0.0.0/0
mark = {{ marks[peer_conf.vti.bind] }}
{{ ike_esp.conn(None, None, vti_esp, ciphers.esp[peer_conf.vti.esp_group] if vti_esp else None) }}
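Review bot: The new second argument on the `leftupdown` line is interpolated unquoted into a string that strongSwan, as far as I know, hands to a shell, so a value containing whitespace or shell metacharacters would be split or interpreted rather than arriving as one argv entry; quoting both template values, `leftupdown = "/etc/ipsec.d/vti-up-down '{{ peer_conf.vti.bind }}' '{{ peer_conf.dhcp_interface if 'dhcp_interface' in peer_conf else 'no' }}'"`, makes the script's argv layout independent of the interface-name validation done elsewhere in the config system. The literal `'no'` sentinel is also a value that could in principle collide with a real interface name; an empty string would be an unambiguous "not set" marker if the script's `!= 'no'` check were adjusted to match. A short `{# second arg: DHCP interface whose address becomes the tunnel local endpoint, or 'no' #}` comment above the line would document the contract the script relies on.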
diff --git a/src/etc/ipsec.d/vti-up-down b/src/etc/ipsec.d/vti-up-down
index 9abca1fd6..0e1cd7753 100755
--- a/src/etc/ipsec.d/vti-up-down
+++ b/src/etc/ipsec.d/vti-up-down
@@ -5,16 +5,8 @@
import os
import sys
-from vyos.config import Config
from vyos.util import call, get_interface_config, get_interface_address
-def get_config(config, base):
- if not config.exists(base):
- return None
-
- return conf.get_config_dict(base, key_mangling=('-', '_'),
- get_first_key=True, no_tag_node_value_mangle=True)
-
def get_dhcp_address(interface):
addr = get_interface_address(interface)
if not addr:
@@ -26,58 +18,30 @@ def get_dhcp_address(interface):
if __name__ == '__main__':
verb = os.getenv('PLUTO_VERB')
connection = os.getenv('PLUTO_CONNECTION')
- parent_conn = connection[:-3]
interface = sys.argv[1]
+ dhcp_interface = sys.argv[2]
print(f'vti-up-down: start: {verb} {connection} {interface}')
if verb in ['up-client', 'up-host']:
call('sudo ip route delete default table 220')
- vti_base = ['interfaces', 'vti', interface]
- ipsec_base = ['vpn', 'ipsec', 'site-to-site']
-
- conf = Config()
- vti_conf = get_config(conf, vti_base)
- ipsec_conf = get_config(conf, ipsec_base)
-
- if not vti_conf or 'disable' in vti_conf or not ipsec_conf or 'peer' not in ipsec_conf:
- print('vti-up-down: exit: vti not found, disabled or no peers found')
- sys.exit(0)
-
- peer_conf = None
-
- for peer, peer_tmp_conf in ipsec_conf['peer'].items():
- if 'vti' in peer_tmp_conf and 'bind' in peer_tmp_conf['vti']:
- bind = peer_tmp_conf['vti']['bind']
- if isinstance(bind, str):
- bind = [bind]
- if interface in bind:
- peer_conf = peer_tmp_conf
- break
+ vti_link = get_interface_config(interface)
- if not peer_conf:
- print(f'vti-up-down: exit: No peer found for {interface}')
+ if not vti_link:
+ print('vti-up-down: interface not found')
sys.exit(0)
- vti_link = get_interface_config(interface)
- vti_link_up = vti_link['operstate'] == 'UP' if vti_link else False
-
- child_sa_installed = False
- try:
- child_sa_installed = (call(f'sudo /usr/sbin/swanctl -l -r -i {connection} {parent_conn} | grep -s -q state=INSTALLED', timeout = 5) == 0)
- except:
- print('vti-up-down: child-sa check failed')
+ vti_link_up = (vti_link['operstate'] == 'UP' if 'operstate' in vti_link else False)
if verb in ['up-client', 'up-host']:
if not vti_link_up:
- if 'dhcp_interface' in peer_conf:
- local_ip = get_dhcp_address(peer_conf['dhcp_interface'])
+ if dhcp_interface != 'no':
+ local_ip = get_dhcp_address(dhcp_interface)
call(f'sudo ip tunnel change {interface} local {local_ip}')
- if child_sa_installed:
- call(f'sudo ip link set {interface} up')
+ call(f'sudo ip link set {interface} up')
elif verb in ['down-client', 'down-host']:
- if vti_link_up and not child_sa_installed:
+ if vti_link_up:
call(f'sudo ip link set {interface} down')
- print('vti-up-down: finish')
+ print('vti-up-down: finish') \ No newline at end of file
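Review bot: `dhcp_interface = sys.argv[2]` raises IndexError if the script is ever invoked with a single argument (an older template, or a manual run), and `local_ip = get_dhcp_address(dhcp_interface)` is passed straight into `ip tunnel change {interface} local {local_ip}` even though the helper, judging by the `if not addr:` guard visible in the previous hunk, can apparently return None, which would execute `local None`. I would read the argument defensively, `dhcp_interface = sys.argv[2] if len(sys.argv) > 2 else 'no'`, and guard the tunnel change with `if local_ip:` before the `call(...)`, logging and leaving the link down otherwise. Since the commit drops the `swanctl` CHILD_SA check, the down path now lowers the link on any `down-client`/`down-host` with the interface in operstate UP; if more than one connection can bind the same VTI, a down for one of them would take the shared link down for the others, which is worth confirming against how the template binds interfaces. The `__main__` block begins above this hunk's first context line, so the start of the argument handling is not fully visible here.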