From a8fa557cd51eadf2feb448b4398fd040c73264d4 Mon Sep 17 00:00:00 2001 From: Paul Fertser Date: Thu, 21 Nov 2019 20:26:46 +0300 Subject: [PATCH] strongswan: allow to specify per-connection reqid with UCI This is useful to assign all traffic to a fw3 zone, e.g.: /etc/config/ipsec: config remote 'test' list tunnel 'dev' ... config 'tunnel' 'dev' option reqid '33' ... /etc/config/firewall: config zone option name wan option extra_src "-m policy --pol none --dir in" option extra_dest "-m policy --pol none --dir out" ... config zone option name vpn # subnet needed for firewall3 before 22 Nov 2019, 8174814a list subnet '0.0.0.0/0' option extra_src "-m policy --pol ipsec --dir in --reqid 33" option extra_dest "-m policy --pol ipsec --dir out --reqid 33" ... Signed-off-by: Paul Fertser --- net/strongswan/files/ipsec.init | 3 +++ 1 file changed, 3 insertions(+) diff --git a/net/strongswan/files/ipsec.init b/net/strongswan/files/ipsec.init index 07ccffd2e..021380487 100644 --- a/net/strongswan/files/ipsec.init +++ b/net/strongswan/files/ipsec.init @@ -140,6 +140,7 @@ config_conn() { local dpddelay local inactivity local keyexchange + local reqid config_get mode "$1" mode "route" config_get local_subnet "$1" local_subnet "" @@ -159,6 +160,7 @@ config_conn() { config_get dpddelay "$1" dpddelay "30s" config_get inactivity "$1" inactivity config_get keyexchange "$1" keyexchange "ikev2" + config_get reqid "$1" reqid [ -n "$local_nat" ] && local_subnet=$local_nat @@ -180,6 +182,7 @@ config_conn() { ipsec_xappend " dpddelay=$dpddelay" [ -n "$inactivity" ] && ipsec_xappend " inactivity=$inactivity" + [ -n "$reqid" ] && ipsec_xappend " reqid=$reqid" if [ "$auth_method" = "psk" ]; then ipsec_xappend " leftauth=psk"
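Review bot: In the third hunk, `$reqid` is copied from UCI into the generated connection section verbatim, so a non-numeric value yields a `reqid=` line that strongSwan will presumably reject, and a value that ever contained a newline would add extra configuration lines. Because the commit message builds firewall zone membership on `--reqid 33`, a numeric check is worth adding right after the `config_get reqid "$1" reqid` line in the second hunk, e.g. `case "$reqid" in *[!0-9]*) reqid="" ;; esac`, ideally with a logged warning so a dropped value is noticed. It would also help to document next to the option that a fixed reqid should be unique per tunnel and, as far as I know, can coincide with the ids strongSwan allocates dynamically for other connections, in which case their traffic would match the same zone rules. config_conn starts and ends outside these hunks, so validation elsewhere in the function cannot be ruled out.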