From 22c3dcbb01d731f0dab0ffefa2e5a0be7009baf1 Mon Sep 17 00:00:00 2001
From: Christian Poessinger
Date: Mon, 31 Oct 2022 15:09:58 +0100
Subject: ipsec: T4787: add support for road-warrior/remote-access RADIUS timeout
This enabled users to also use 2FA/MFA authentication with a radius backend as there is enough time to enter the second factor.
---
 data/templates/ipsec/charon/eap-radius.conf.j2 | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
(limited to 'data/templates/ipsec')
diff --git a/data/templates/ipsec/charon/eap-radius.conf.j2 b/data/templates/ipsec/charon/eap-radius.conf.j2
index 8495011fe..364377473 100644
--- a/data/templates/ipsec/charon/eap-radius.conf.j2
+++ b/data/templates/ipsec/charon/eap-radius.conf.j2
@@ -49,8 +49,10 @@ eap-radius {
 # Base to use for calculating exponential back off.
 # retransmit_base = 1.4
+{% if remote_access.radius.timeout is vyos_defined %}
 # Timeout in seconds before sending first retransmit.
- # retransmit_timeout = 2.0
+ retransmit_timeout = {{ remote_access.radius.timeout | float }}
+{% endif %}
 # Number of times to retransmit a packet before giving up.
 # retransmit_tries = 4
--
cgit v1.2.3
From 2ac4a8a5fed9db471b7ffac0f54e6741c6f87834 Mon Sep 17 00:00:00 2001
From: Viacheslav Hletenko
Date: Mon, 21 Nov 2022 18:42:41 +0000
Subject: T4823: Fix IPsec transport mode remote TS
Remote TS for transport mode GRE must be remote-address and not peer name
---
 data/templates/ipsec/swanctl/peer.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'data/templates/ipsec')
diff --git a/data/templates/ipsec/swanctl/peer.j2 b/data/templates/ipsec/swanctl/peer.j2
index d097a04fc..837fa263c 100644
--- a/data/templates/ipsec/swanctl/peer.j2
+++ b/data/templates/ipsec/swanctl/peer.j2
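Review bot: On the new `retransmit_timeout = {{ remote_access.radius.timeout | float }}` line, Jinja's `float` filter does not fail on a value it cannot parse; it falls back to `0.0`, so a malformed setting would render a zero timeout rather than an error. The numeric and range check therefore has to be enforced in the CLI definition or the config script, neither of which is visible in this hunk. The value is also only the delay before the first retransmit, so with the `retransmit_base` and `retransmit_tries` settings shown commented out around it, the total wait on an unresponsive RADIUS server is presumably several times the configured number. That extends how long an unauthenticated remote-access session is kept pending, which is worth stating in the template, e.g. `# First-retransmit delay only; total wait grows with retransmit_base and retransmit_tries.` The `eap-radius` block begins and ends outside the hunk.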
@@ -124,7 +124,7 @@
 {% endif %}
 {% elif tunnel_esp.mode == 'transport' %}
 local_ts = {{ peer_conf.local_address }}{{ local_suffix }}
- remote_ts = {{ peer }}{{ remote_suffix }}
+ remote_ts = {{ peer_conf.remote_address | join(",") }}{{ remote_suffix }}
 {% endif %}
 ipcomp = {{ 'yes' if tunnel_esp.compression is vyos_defined else 'no' }}
 mode = {{ tunnel_esp.mode }}
--
cgit v1.2.3
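Review bot: In the new `remote_ts` line, `remote_suffix` is appended once after `join(",")`, so when `peer_conf.remote_address` holds more than one entry only the last address carries the suffix. If the suffix is what narrows the selector to GRE, the earlier addresses get a selector without that restriction, which is wider than the transport-mode policy intends. Applying the suffix per element avoids this: `remote_ts = {% for a in peer_conf.remote_address %}{{ a }}{{ remote_suffix }}{{ "," if not loop.last }}{% endfor %}`. It is also worth confirming upstream that `remote_address` cannot be a non-address keyword in transport mode, since the value is emitted verbatim. The enclosing `if`/`elif` block starts outside the hunk.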