From 4d943d8fbf1253154897179b0e3ea2d93b898197 Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Fri, 2 Feb 2024 20:44:29 +0100 Subject: ipsec: T5998: add replay-windows setting The replay_window for child SA will always be 32 (hence enabled). Add a CLI node to explicitly change this. * set vpn ipsec site-to-site peer replay-window <0-2040> --- data/templates/ipsec/swanctl/remote_access.j2 | 3 +++ 1 file changed, 3 insertions(+) (limited to 'data/templates/ipsec/swanctl/remote_access.j2') diff --git a/data/templates/ipsec/swanctl/remote_access.j2 b/data/templates/ipsec/swanctl/remote_access.j2 index 01dc8a4a7..bce8684fe 100644 --- a/data/templates/ipsec/swanctl/remote_access.j2 +++ b/data/templates/ipsec/swanctl/remote_access.j2 @@ -43,6 +43,9 @@ rand_time = 540s dpd_action = clear inactivity = {{ rw_conf.timeout }} +{% if rw_conf.replay_window is vyos_defined %} + replay_window = {{ rw_conf.replay_window }} +{% endif %} {% set local_prefix = rw_conf.local.prefix if rw_conf.local.prefix is vyos_defined else ['0.0.0.0/0', '::/0'] %} {% set local_port = rw_conf.local.port if rw_conf.local.port is vyos_defined else '' %} {% set local_suffix = '[%any/{1}]'.format(local_port) if local_port else '' %} -- cgit v1.2.3