author | Daniil Baturin <daniil@baturin.org> | 2018-08-25 00:02:35 +0200 |
---|---|---|
committer | Daniil Baturin <daniil@baturin.org> | 2018-08-25 00:02:35 +0200 |
commit | 1b77b2e5f882b0f8ca036843a9c9b88008d2696c (patch) | |
tree | 549e17c2766f3c6f54c481390594b13982d7903b /data | |
parent | 357457dab98415442e247c853185b0dd44ad702a (diff) | |
T787: add a hook for disabling the StrongSWAN unity plugin that is interfering with DMVPN.
Diffstat (limited to 'data')
-rwxr-xr-x | data/live-build-config/hooks/30-strongswan-configs.chroot | 29 |
1 files changed, 29 insertions, 0 deletions
diff --git a/data/live-build-config/hooks/30-strongswan-configs.chroot b/data/live-build-config/hooks/30-strongswan-configs.chroot
new file mode 100755
index 00000000..798b0d6d
--- /dev/null
+++ b/data/live-build-config/hooks/30-strongswan-configs.chroot
@@ -0,0 +1,29 @@
+#!/usr/bin/env python
+
+# The Cisco Unity plugin, that implements a proprietary extension
+# for IPsec split tunneling, interfers with DMVPN
+#
+# Since we do not do remote access IPsec, the simplest solution
+# is to disable it entirely from the start.
+
+import re
+
+# Disable the cisco_unity option in charon.conf
+with open('/etc/strongswan.d/charon.conf', 'r') as f:
+ charon_conf = f.read()
+
+ charon_conf = re.sub(r'# (cisco_unity = no)', r"\1", charon_conf)
+
+with open('/etc/strongswan.d/charon.conf', 'w') as f:
+ f.write(charon_conf)
+
+
+# Prevent the unity plugin from loading
+
+with open('/etc/strongswan.d/charon/unity.conf', 'r') as f:
+ unity_conf = f.read()
+
+ unity_conf = re.sub(r'load = yes', r'load = no', unity_conf)
+
+with open('/etc/strongswan.d/charon/unity.conf', 'w') as f:
+ f.write(unity_conf)
|
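Review bot: Both `re.sub` calls succeed silently when their pattern is absent, so if a later strongSwan package ships `charon.conf` without the exact `# cisco_unity = no` line, or `charon/unity.conf` without `load = yes`, the hook writes the files back unchanged, exits 0, and the image is built with the unity plugin still loading. Count the replacements and fail the build when the expected line is missing, e.g. `unity_conf, n = re.subn(r'load = yes', r'load = no', unity_conf)` followed by `if n != 1: raise SystemExit('unity.conf: "load = yes" not found')`, and the same for the `cisco_unity` substitution. Anchoring both patterns to a whole line (`^\s*load = yes\s*$` with `re.M`) would also stop a match inside a commented-out line from being counted as success.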