From 1d876af9e5d76550b5322aa692706d0319b3b6c9 Mon Sep 17 00:00:00 2001
From: Christian Poessinger <christian@poessinger.com>
Date: Mon, 26 Jul 2021 22:06:55 +0200
Subject: ipsec: T1210: remote-access connections only work with IKEv2

---
 src/conf_mode/vpn_ipsec.py | 5 +++++
 1 file changed, 5 insertions(+)

(limited to 'src')

diff --git a/src/conf_mode/vpn_ipsec.py b/src/conf_mode/vpn_ipsec.py
index a4cd33e64..11ff12e94 100755
--- a/src/conf_mode/vpn_ipsec.py
+++ b/src/conf_mode/vpn_ipsec.py
@@ -250,6 +250,11 @@ def verify(ipsec):
                 if 'ike_group' in ra_conf:
                     if 'ike_group' not in ipsec or ra_conf['ike_group'] not in ipsec['ike_group']:
                         raise ConfigError(f"Invalid ike-group on {name} remote-access config")
+
+                    ike = ra_conf['ike_group']
+                    if dict_search(f'ike_group.{ike}.key_exchange', ipsec) != 'ikev2':
+                        raise ConfigError('IPSec remote-access connections requires IKEv2!')
+
                 else:
                     raise ConfigError(f"Missing ike-group on {name} remote-access config")
 
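Review bot: The new `ConfigError` raised after the `key_exchange` comparison omits `{name}`, unlike the two neighbouring messages, so with several remote-access connections the operator cannot tell which one references a non-IKEv2 group; consider `raise ConfigError(f"Remote-access connection {name} requires IKEv2 (ike-group {ike})")`. The lookup also builds a dotted path from the group name, so if `dict_search` splits on `.` (its definition is not in this hunk), a group name containing a dot would resolve to nothing and be rejected with a misleading message. Since the preceding check already established that `ra_conf['ike_group']` is a key of `ipsec['ike_group']`, `ipsec['ike_group'][ike].get('key_exchange') != 'ikev2'` avoids the path parsing. The comparison fails closed when `key_exchange` is unset, which is the safe direction, but whether a default is merged in before `verify()` runs is not visible here. The body of `verify()` starts and ends outside the hunk.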
-- 
cgit v1.2.3