1 files changed, 75 insertions, 0 deletions
diff --git a/src/etc/ipsec.d/vti-up-down b/src/etc/ipsec.d/vti-up-down
new file mode 100755
index 000000000..281c9bf2b
--- /dev/null
+++ b/src/etc/ipsec.d/vti-up-down
@@ -0,0 +1,75 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2021 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+## Script called up strongswan to bring the vti interface up/down based on the state of the IPSec tunnel.
+## Called as vti_up_down vti_intf_name
+
+import os
+import sys
+
+from syslog import syslog
+from syslog import openlog
+from syslog import LOG_PID
+from syslog import LOG_INFO
+
+from vyos.configquery import ConfigTreeQuery
+from vyos.util import call
+from vyos.util import get_interface_config
+from vyos.util import get_interface_address
+
+def get_dhcp_address(interface):
+    addr = get_interface_address(interface)
+    if not addr:
+        return None
+    if len(addr['addr_info']) == 0:
+        return None
+    return addr['addr_info'][0]['local']
+
+if __name__ == '__main__':
+    verb = os.getenv('PLUTO_VERB')
+    connection = os.getenv('PLUTO_CONNECTION')
+    interface = sys.argv[1]
+    dhcp_interface = sys.argv[2]
+
+    openlog(ident=f'vti-up-down', logoption=LOG_PID, facility=LOG_INFO)
+    syslog(f'Interface {interface} {verb} {connection}')
+
+    if verb in ['up-client', 'up-host']:
+        call('sudo ip route delete default table 220')
+
+    vti_link = get_interface_config(interface)
+
+    if not vti_link:
+        syslog(f'Interface {interface} not found')
+        sys.exit(0)
+
+    vti_link_up = (vti_link['operstate'] == 'UP' if 'operstate' in vti_link else False)
+
+    config = ConfigTreeQuery()
+    vti_dict = config.get_config_dict(['interfaces', 'vti', interface],
+                                      get_first_key=True)
+
+    if verb in ['up-client', 'up-host']:
+        if not vti_link_up:
+            if dhcp_interface != 'no':
+                local_ip = get_dhcp_address(dhcp_interface)
+                call(f'sudo ip tunnel change {interface} local {local_ip}')
+            if 'disable' not in vti_dict:
+                call(f'sudo ip link set {interface} up')
+            else:
+                syslog(f'Interface {interface} is admin down ...')
+    elif verb in ['down-client', 'down-host']:
+        if vti_link_up:
+            call(f'sudo ip link set {interface} down')