-rw-r--r--data/templates/ipsec/swanctl/peer.tmpl4
-rw-r--r--data/templates/ipsec/swanctl/profile.tmpl6
-rw-r--r--interface-definitions/vpn_ipsec.xml.in4
-rwxr-xr-xsrc/conf_mode/vpn_ipsec.py15
4 files changed, 24 insertions, 5 deletions
diff --git a/data/templates/ipsec/swanctl/peer.tmpl b/data/templates/ipsec/swanctl/peer.tmpl
index 0559d1dac..b35cd4b60 100644
--- a/data/templates/ipsec/swanctl/peer.tmpl
+++ b/data/templates/ipsec/swanctl/peer.tmpl
@@ -63,7 +63,7 @@
if_id_in = {{ peer_conf.vti.bind | replace('vti', '') }}
if_id_out = {{ peer_conf.vti.bind | replace('vti', '') }}
ipcomp = {{ 'yes' if vti_esp.compression is defined and vti_esp.compression == 'enable' else 'no' }}
- mode = {{ vti_esp.mode if vti_esp.mode is defined else "tunnel" }}
+ mode = {{ vti_esp.mode }}
{% if peer[0:1] == '@' %}
start_action = none
{% elif peer_conf.connection_type is not defined or peer_conf.connection_type == 'initiate' %}
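Review bot: Dropping the `is defined` fallback means `mode = {{ vti_esp.mode }}` (and `tunnel_esp.mode` in the second hunk of this file) renders as an empty `mode =` whenever the group dict reaches the template without the XML defaults merged in, whereas the old line always produced a valid value. The rendered output is now only correct under an invariant enforced elsewhere (the defaults merge in get_config), and a missing `mode` would surface as a swanctl load error rather than a template error. Either keep a defensive fallback, `mode = {{ vti_esp.mode if vti_esp.mode is defined else "tunnel" }}`, or add a template comment above the line stating that `mode` is guaranteed by the defaults merge in conf_mode so a future caller does not break it silently. The same applies to the `ipcomp` line, which still guards with `is defined` and is now inconsistent with `mode` on the next line.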
@@ -101,7 +101,7 @@
remote_ts = {{ peer }}{{ remote_suffix }}
{% endif %}
ipcomp = {{ 'yes' if tunnel_esp.compression is defined and tunnel_esp.compression == 'enable' else 'no' }}
- mode = {{ tunnel_esp.mode if tunnel_esp.mode is defined else "tunnel" }}
+ mode = {{ tunnel_esp.mode }}
{% if peer[0:1] == '@' %}
start_action = none
{% elif peer_conf.connection_type is not defined or peer_conf.connection_type == 'initiate' %}
diff --git a/data/templates/ipsec/swanctl/profile.tmpl b/data/templates/ipsec/swanctl/profile.tmpl
index 0360972f6..0a7268405 100644
--- a/data/templates/ipsec/swanctl/profile.tmpl
+++ b/data/templates/ipsec/swanctl/profile.tmpl
@@ -7,7 +7,7 @@
dmvpn-{{ name }}-{{ interface }} {
proposals = {{ ike_group[profile_conf.ike_group] | get_esp_ike_cipher | join(',') }}
version = {{ ike.key_exchange[4:] if ike is defined and ike.key_exchange is defined else "0" }}
- rekey_time = {{ ike.lifetime if ike.lifetime is defined else '28800' }}s
+ rekey_time = {{ ike.lifetime }}s
keyingtries = 0
{% if profile_conf.authentication is defined and profile_conf.authentication.mode is defined and profile_conf.authentication.mode == 'pre-shared-secret' %}
local {
@@ -20,11 +20,11 @@
children {
dmvpn {
esp_proposals = {{ esp | get_esp_ike_cipher | join(',') }}
- rekey_time = {{ esp.lifetime if esp.lifetime is defined else '3600' }}s
+ rekey_time = {{ esp.lifetime }}s
rand_time = 540s
local_ts = dynamic[gre]
remote_ts = dynamic[gre]
- mode = {{ esp.mode if esp.mode is defined else 'transport' }}
+ mode = {{ esp.mode }}
{% if ike.dead_peer_detection is defined and ike.dead_peer_detection.action is defined %}
dpd_action = {{ ike.dead_peer_detection.action }}
{% endif %}
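Review bot: The DMVPN child SA default flips from `transport` to `tunnel`: the removed line fell back to `'transport'`, but the new `mode = {{ esp.mode }}` appears to pick up the `<defaultValue>tunnel</defaultValue>` that this commit adds to the esp-group `mode` node, and the commit message gives no indication that this change in negotiated mode is intended. Any existing DMVPN profile whose esp-group does not set `mode` explicitly will therefore render a different swanctl configuration after this commit, which can break established tunnels with peers that expect transport-mode ESP over GRE. If the old behaviour is meant to survive, keep the fallback here, `mode = {{ esp.mode if esp.mode is defined else 'transport' }}`, or document the intentional change; the `rekey_time` hunks in this file are fine since 28800 and 3600 match the new XML defaults. The enclosing `dmvpn {` block continues outside the hunk.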
diff --git a/interface-definitions/vpn_ipsec.xml.in b/interface-definitions/vpn_ipsec.xml.in
index 6aff7bef5..a2e9a7a5a 100644
--- a/interface-definitions/vpn_ipsec.xml.in
+++ b/interface-definitions/vpn_ipsec.xml.in
@@ -64,6 +64,7 @@
<validator name="numeric" argument="--range 30-86400"/>
</constraint>
</properties>
+ <defaultValue>3600</defaultValue>
</leafNode>
<leafNode name="mode">
<properties>
@@ -83,6 +84,7 @@
<regex>^(tunnel|transport)$</regex>
</constraint>
</properties>
+ <defaultValue>tunnel</defaultValue>
</leafNode>
<leafNode name="pfs">
<properties>
@@ -190,6 +192,7 @@
<regex>^(enable|dh-group1|dh-group2|dh-group5|dh-group14|dh-group15|dh-group16|dh-group17|dh-group18|dh-group19|dh-group20|dh-group21|dh-group22|dh-group23|dh-group24|dh-group25|dh-group26|dh-group27|dh-group28|dh-group29|dh-group30|dh-group31|dh-group32|disable)$</regex>
</constraint>
</properties>
+ <defaultValue>enable</defaultValue>
</leafNode>
<tagNode name="proposal">
<properties>
@@ -341,6 +344,7 @@
<validator name="numeric" argument="--range 30-86400"/>
</constraint>
</properties>
+ <defaultValue>28800</defaultValue>
</leafNode>
<leafNode name="mobike">
<properties>
diff --git a/src/conf_mode/vpn_ipsec.py b/src/conf_mode/vpn_ipsec.py
index e95a3e82d..6d5d24e52 100755
--- a/src/conf_mode/vpn_ipsec.py
+++ b/src/conf_mode/vpn_ipsec.py
@@ -23,6 +23,7 @@ from time import sleep
from vyos.config import Config
from vyos.configdict import leaf_node_changed
from vyos.configverify import verify_interface_exists
+from vyos.configdict import dict_merge
from vyos.ifconfig import Interface
from vyos.pki import wrap_certificate
from vyos.pki import wrap_crl
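Review bot: The new `from vyos.configdict import dict_merge` is placed two lines below the existing `from vyos.configdict import leaf_node_changed` with an unrelated import between them, which breaks the file's grouping-by-module order. Keep imports from the same module adjacent, e.g. move the added line directly after `from vyos.configdict import leaf_node_changed` (or fold it into that line as `from vyos.configdict import dict_merge, leaf_node_changed` if the file's one-name-per-line style permits).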
@@ -35,6 +36,7 @@ from vyos.util import call
from vyos.util import dict_search
from vyos.util import process_named_running
from vyos.util import run
+from vyos.xml import defaults
from vyos import ConfigError
from vyos import airbag
airbag.enable()
@@ -77,6 +79,19 @@ def get_config(config=None):
ipsec = conf.get_config_dict(base, key_mangling=('-', '_'),
get_first_key=True, no_tag_node_value_mangle=True)
+ if 'esp_group' in ipsec:
+ default_values = defaults(base + ['esp-group'])
+ for group in ipsec['esp_group']:
+ ipsec['esp_group'][group] = dict_merge(default_values,
+ ipsec['esp_group'][group])
+
+ if 'ike_group' in ipsec:
+ default_values = defaults(base + ['ike-group'])
+ for group in ipsec['ike_group']:
+ ipsec['ike_group'][group] = dict_merge(default_values,
+ ipsec['ike_group'][group])
+
+
ipsec['dhcp_no_address'] = {}
ipsec['interface_change'] = leaf_node_changed(conf, base + ['ipsec-interfaces',
'interface'])
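Review bot: The two added blocks are identical except for the node name (`esp-group`/`esp_group` vs `ike-group`/`ike_group`), and the second one ends with two blank `+` lines where the file otherwise uses one. A small helper taking the XML node name removes the duplication and keeps the mangled dict key and the unmangled XML path derived from a single value, so they cannot drift apart. One thing to confirm: `get_config_dict` is called with `key_mangling=('-', '_')`, so if `defaults()` returns keys as spelled in the XML, a default for a hyphenated ike-group leaf would be merged under a different key than the user's value; the defaults added in this commit (`lifetime`, `mode`, `pfs`) are single words, so nothing visible is affected yet, but a comment noting the assumption would help. The fence assumes `dict_merge(default_values, group)` keeps the user's values where both define a key, which is how the hunk uses it; get_config continues outside the hunk.
```python
def _merge_group_defaults(ipsec, base, node):
    """Merge XML defaults for the tag-node `node` into every configured group.

    `node` is the unmangled XML name (e.g. 'esp-group'); the key in `ipsec`
    is its mangled form because get_config_dict() is called with
    key_mangling=('-', '_').
    """
    key = node.replace('-', '_')
    if key not in ipsec:
        return
    default_values = defaults(base + [node])
    for group in ipsec[key]:
        ipsec[key][group] = dict_merge(default_values, ipsec[key][group])

# … unchanged: get_config_dict call …
    _merge_group_defaults(ipsec, base, 'esp-group')
    _merge_group_defaults(ipsec, base, 'ike-group')

    ipsec['dhcp_no_address'] = {}
```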