From 02043297db68d45b2ca398486cc119d1c103e68c Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Mon, 19 Jul 2021 19:04:13 +0200 Subject: ipsec: T1210: add "unique" option to specify how to handle multiple connections Connection uniqueness policy to enforce. To avoid multiple connections from the same user, a uniqueness policy can be enforced. * never: never enforce such a policy, even if a peer included INITIAL_CONTACT notification * keep: reject new connection attempts if the same user already has an active connection * replace: delete any existing connection if a new one for the same user gets established To compare connections for uniqueness, the remote IKE identity is used. If EAP or XAuth authentication is involved, the EAP-Identity or XAuth username is used to enforce the uniqueness policy instead. --- data/templates/ipsec/swanctl/remote_access.tmpl | 2 +- interface-definitions/vpn_ipsec.xml.in | 23 +++++++++++++++++++++++ 2 files changed, 24 insertions(+), 1 deletion(-) diff --git a/data/templates/ipsec/swanctl/remote_access.tmpl b/data/templates/ipsec/swanctl/remote_access.tmpl index 66ac94b13..456842488 100644 --- a/data/templates/ipsec/swanctl/remote_access.tmpl +++ b/data/templates/ipsec/swanctl/remote_access.tmpl @@ -10,7 +10,7 @@ send_certreq = no rekey_time = {{ ike.lifetime }}s keyingtries = 0 - unique = never + unique = {{ rw_conf.unique }} {% if rw_conf.pool is defined and rw_conf.pool is not none %} pools = {{ rw_conf.pool | join(',') }} {% endif %} diff --git a/interface-definitions/vpn_ipsec.xml.in b/interface-definitions/vpn_ipsec.xml.in index 5272b57cc..093a677e9 100644 --- a/interface-definitions/vpn_ipsec.xml.in +++ b/interface-definitions/vpn_ipsec.xml.in 
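Review bot: `unique = {{ rw_conf.unique }}` renders as a bare `unique = ` when the new option is not configured, because the hunk swaps the hard-coded `never` for an unguarded lookup and no default is visible in this commit (the vpn_ipsec.xml.in hunk below shows none, though its markup is stripped on this page; a default merged in the conf-mode script would not be visible here). It is unlikely swanctl accepts an empty value, so every existing remote-access configuration would regress on load unless a default is supplied elsewhere. Keeping the previous behaviour as the fallback is a one-line change, `unique = {{ rw_conf.unique | default('never', true) }}`, or use the `is defined and ... is not none` guard the same hunk already applies to `pools`.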
@@ -841,6 +841,29 @@ + + + Connection uniqueness policy to enforce + + never keep replace + + + never + Never enforce connection uniqueness policy + + + keep + Rejects new connection attempts if the same user already has an active connection + + + replace + Delete any existing connection if a new one for the same user gets established + + + ^(never|keep|replace)$ + + + -- cgit v1.2.3
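Review bot: The three value-help descriptions mix moods (`Never enforce…`, `Rejects new…`, `Delete any…`); the node's siblings use the imperative, so `Reject new connection attempts if the same user already has an active connection` would read consistently. The help text also never tells the operator what "same user" is compared on; the commit message does, and extending the node help to `Connection uniqueness policy to enforce (compared on remote IKE identity, or EAP-Identity/XAuth username when used)` would let an operator judge keep versus replace at configuration time. Markup in this hunk is stripped on this page, so element names are inferred from the surviving text.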