
strongswan: allow to specify per-connection reqid with UCI

This is useful for assigning all traffic to a fw3 zone, e.g.:

/etc/config/ipsec:

config remote 'test'
	list tunnel		'dev'
...

config 'tunnel' 'dev'
	option reqid		'33'
...

/etc/config/firewall:

config zone
	option name		wan
	option extra_src	"-m policy --pol none --dir in"
	option extra_dest	"-m policy --pol none --dir out"
...

config zone
	option name		vpn
	# subnet needed for firewall3 before 22 Nov 2019, 8174814a
	list subnet		'0.0.0.0/0'
	option extra_src	"-m policy --pol ipsec --dir in --reqid 33"
	option extra_dest	"-m policy --pol ipsec --dir out --reqid 33"
...

Signed-off-by: Paul Fertser <fercerpav@gmail.com>
lilik-openwrt-22.03
Paul Fertser 5 years ago
parent
commit
a8fa557cd5
1 changed files with 3 additions and 0 deletions
  1. +3
    -0
      net/strongswan/files/ipsec.init

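--- a/net/strongswan/files/ipsec.init
+++ b/net/strongswan/files/ipsec.init
@@ -140,6 +140,7 @@ config_conn() {
 local dpddelay
 local inactivity
 local keyexchange
+local reqid
 config_get mode "$1" mode "route"
 config_get local_subnet "$1" local_subnet ""
@@ -159,6 +160,7 @@ config_conn() {
 config_get dpddelay "$1" dpddelay "30s"
 config_get inactivity "$1" inactivity
 config_get keyexchange "$1" keyexchange "ikev2"
+config_get reqid "$1" reqid
 [ -n "$local_nat" ] && local_subnet=$local_nat
@@ -180,6 +182,7 @@ config_conn() {
 ipsec_xappend " dpddelay=$dpddelay"
 [ -n "$inactivity" ] && ipsec_xappend " inactivity=$inactivity"
+[ -n "$reqid" ] && ipsec_xappend " reqid=$reqid"
 if [ "$auth_method" = "psk" ]; then
 ipsec_xappend " leftauth=psk"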
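Review bot: The `reqid` value read from UCI in the second hunk is written into ipsec.conf unvalidated by the third hunk's `[ -n "$reqid" ] && ipsec_xappend " reqid=$reqid"`, although strongswan only accepts a positive integer there; a typo such as `option reqid '33 '` or a non-numeric value makes the generated connection block invalid and the firewall zone's `--reqid` match then never applies. A digits-only guard before the append, e.g. `case "$reqid" in *[!0-9]*) reqid= ;; esac`, keeps a bad value out of the config; reporting the rejected value through whatever warning path the script already uses (not visible in these hunks) would help, since an empty `reqid` otherwise degrades silently to the kernel-assigned one. It is also worth a one-line comment above the append, such as `# reqid lets firewall rules match this tunnel via -m policy --reqid`, and, if the package documents the tunnel section's UCI options anywhere, adding `reqid` there with the integer constraint. config_conn() starts and ends outside all three hunks.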

