From 13236b0a6632d8039ecf90fcc0dbb66ad32fc3ff Mon Sep 17 00:00:00 2001
From: Christian Poessinger <christian@poessinger.com>
Date: Mon, 7 Jun 2021 18:54:25 +0200
Subject: ipsec: T3588: remove site-to-site tunnel CLI options only valid in
 Openswan

---
 src/migration-scripts/ipsec/5-to-6 | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)


diff --git a/src/migration-scripts/ipsec/5-to-6 b/src/migration-scripts/ipsec/5-to-6
index 29d73536f..86be55d13 100755
--- a/src/migration-scripts/ipsec/5-to-6
+++ b/src/migration-scripts/ipsec/5-to-6
@@ -44,6 +44,22 @@ for cli_node in ['nat-traversal', 'nat-networks']:
     if config.exists(base + [cli_node]):
         config.delete(base + [cli_node])
 
+# Remove options only valid in Openswan
+if config.exists(base + ['site-to-site', 'peer']):
+    for peer in config.list_nodes(base + ['site-to-site', 'peer']):
+        if not config.exists(base + ['site-to-site', 'peer', peer, 'tunnel']):
+            continue
+        for tunnel in config.list_nodes(base + ['site-to-site', 'peer', peer, 'tunnel']):
+            # allow-public-networks - Sets a value in ipsec.conf that was only ever valid in Openswan on kernel 2.6
+            nat_networks = base + ['site-to-site', 'peer', peer, 'tunnel', tunnel, 'allow-nat-networks']
+            if config.exists(nat_networks):
+                config.delete(nat_networks)
+
+            # allow-nat-networks - Also sets a value only valid in Openswan
+            public_networks = base + ['site-to-site', 'peer', peer, 'tunnel', tunnel, 'allow-public-networks']
+            if config.exists(public_networks):
+                config.delete(public_networks)
+
 try:
     with open(file_name, 'w') as f:
         f.write(config.to_string())
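Review bot: The two explanatory comments in the tunnel loop are attached to the wrong options: the comment at the `allow-public-networks - Sets a value in ipsec.conf ...` line sits above the `allow-nat-networks` path, and the `allow-nat-networks - Also sets a value ...` comment sits above the `allow-public-networks` path, so a reader skimming the migration gets the wrong rationale for each deletion. Swap the two comment lines so each describes the node deleted directly beneath it, e.g. `# allow-nat-networks - Also sets a value only valid in Openswan` above `nat_networks = ...` and `# allow-public-networks - Sets a value in ipsec.conf that was only ever valid in Openswan on kernel 2.6` above `public_networks = ...`. As a point of style, the repeated `base + ['site-to-site', 'peer', peer, 'tunnel', tunnel, ...]` prefix could be hoisted once per iteration as `tunnel_base = base + ['site-to-site', 'peer', peer, 'tunnel', tunnel]` and then `nat_networks = tunnel_base + ['allow-nat-networks']`, which keeps the two path literals from drifting apart. `base` and `config` are defined before the hunk, and the `try:` block at the end of the hunk continues outside it.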