Merge pull request #4 from vyos/t4350-equuleus1.3.81.3.71.3.61.3.51.3.41.3.3-epa11.3.31.3.2equuleus

T4350: DMVPN spokes do not work behind NAT

1 files changed, 6 insertions, 3 deletions

diff --git a/etc/opennhrp-script b/etc/opennhrp-script
index 92c0043..463e911 100755
--- a/etc/opennhrp-script
+++ b/etc/opennhrp-script
@@ -28,9 +28,12 @@ peer-up)
 	logger -t ${_script_name} -p local7.notice "Create link from $NHRP_SRCADDR ($NHRP_SRCNBMA) to $NHRP_DESTADDR ($NHRP_DESTNBMA)"
 	if [[ ( ${_type} == "spoke" ) && ( -e ${_strongswan_pid} ) ]]; then
 		if grep "${NHRP_SRCADDR}" "${_nhrp_ipsec}"; then
-			swanctl -t -S $NHRP_SRCNBMA -R $NHRP_DESTNBMA > /dev/null 2>&1
-			logger -t ${_script_name} -p local7.notice "IPSec: connect to $NHRP_SRCADDR ($NHRP_SRCNBMA)"
-			swanctl -i -c dmvpn -S $NHRP_SRCNBMA -R $NHRP_DESTNBMA || exit 1
+			if swanctl -l -r | grep -q "^list-sa event {dmvpn-DMVPN-.* state=ESTABLISHED local-host=$NHRP_SRCNBMA.*remote-host=$NHRP_DESTNBMA"; then
+				logger -t ${_script_name} -p local7.notice "IPSec: connection to $NHRP_DESTADDR ($NHRP_DESTNBMA) already exists"
+			else
+				logger -t ${_script_name} -p local7.notice "IPSec: connect to $NHRP_DESTADDR ($NHRP_DESTNBMA)"
+				swanctl -i -c dmvpn -S $NHRP_SRCNBMA -R $NHRP_DESTNBMA || exit 1
+			fi			
 		fi
 	fi
 	;;