1 files changed, 47 insertions, 0 deletions

diff --git a/src/etc/ipsec.d/vti-up-down b/src/etc/ipsec.d/vti-up-down
new file mode 100755
index 000000000..0e1cd7753
--- /dev/null
+++ b/src/etc/ipsec.d/vti-up-down
@@ -0,0 +1,47 @@
+#!/usr/bin/env python3
+## Script called up strongswan to bring the vti interface up/down based on the state of the IPSec tunnel.
+## Called as vti_up_down vti_intf_name
+
+import os
+import sys
+
+from vyos.util import call, get_interface_config, get_interface_address
+
+def get_dhcp_address(interface):
+    addr = get_interface_address(interface)
+    if not addr:
+        return None
+    if len(addr['addr_info']) == 0:
+        return None
+    return addr['addr_info'][0]['local']
+
+if __name__ == '__main__':
+    verb = os.getenv('PLUTO_VERB')
+    connection = os.getenv('PLUTO_CONNECTION')
+    interface = sys.argv[1]
+    dhcp_interface = sys.argv[2]
+
+    print(f'vti-up-down: start: {verb} {connection} {interface}')
+
+    if verb in ['up-client', 'up-host']:
+        call('sudo ip route delete default table 220')
+
+    vti_link = get_interface_config(interface)
+
+    if not vti_link:
+        print('vti-up-down: interface not found')
+        sys.exit(0)
+
+    vti_link_up = (vti_link['operstate'] == 'UP' if 'operstate' in vti_link else False)
+
+    if verb in ['up-client', 'up-host']:
+        if not vti_link_up:
+            if dhcp_interface != 'no':
+                local_ip = get_dhcp_address(dhcp_interface)
+                call(f'sudo ip tunnel change {interface} local {local_ip}')
+            call(f'sudo ip link set {interface} up')
+    elif verb in ['down-client', 'down-host']:
+        if vti_link_up:
+            call(f'sudo ip link set {interface} down')
+
+    print('vti-up-down: finish')
\ No newline at end of file