From mboxrd@z Thu Jan  1 00:00:00 1970
From: Jonatan Schlag <jonatan.schlag@ipfire.org>
To: network@lists.ipfire.org
Subject: [PATCH 2/2] ipsec: reload connection when the security policy changes
Date: Fri, 04 Aug 2017 21:26:37 +0200
Message-ID: <1501874797-9731-2-git-send-email-jonatan.schlag@ipfire.org>
In-Reply-To: <1501874797-9731-1-git-send-email-jonatan.schlag@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============1981797437064134324=="
List-Id: <network.lists.ipfire.org>

--===============1981797437064134324==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Signed-off-by: Jonatan Schlag <jonatan.schlag(a)ipfire.org>
---
 src/functions/functions.ipsec                 | 12 ++++++++----
 src/functions/functions.vpn-security-policies | 25 ++++++++++++++++++++++++-
 2 files changed, 32 insertions(+), 5 deletions(-)

diff --git a/src/functions/functions.ipsec b/src/functions/functions.ipsec
index 6dc4d5b..57897ec 100644
--- a/src/functions/functions.ipsec
+++ b/src/functions/functions.ipsec
@@ -283,6 +283,13 @@ ipsec_connection_exists() {
 	[ -d "${path}" ] && return ${EXIT_TRUE} || return ${EXIT_FALSE}
 }
=20
+ipsec_strongswan_load() {
+	if ! cmd swanctl --load-all; then
+		log ERROR "Could not reload strongswan config"
+		return ${EXIT_ERROR}
+	fi
+}
+
 # Reloads the connection after config changes
 ipsec_reload() {
 	local connection=3D${1}
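Review bot: `ipsec_strongswan_load` has no explicit return on the success path; its status is whatever the `if` statement leaves behind, which happens to be zero today but is not obvious to a reader, and the sibling `ipsec_reload` now relies on that status as its own return value. Add `return ${EXIT_OK}` after the `fi` so the contract (zero on success, `EXIT_ERROR` when `swanctl --load-all` fails) is stated in the code rather than implied. A one-line header such as `# Asks strongswan to reload all connection configs; returns EXIT_ERROR if swanctl fails` would also help, since this helper is now called from another functions file.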
@@ -292,10 +299,7 @@ ipsec_reload() {
 		return ${EXIT_ERROR}
 	fi
=20
-	if ! cmd swanctl --load-all; then
-		log ERROR "Could not reload strongswan config"
-		return ${EXIT_ERROR}
-	fi
+	ipsec_strongswan_load
 }
=20
 # Handle the cli after authentification
diff --git a/src/functions/functions.vpn-security-policies b/src/functions/fu=
nctions.vpn-security-policies
index f73670b..ae652a2 100644
--- a/src/functions/functions.vpn-security-policies
+++ b/src/functions/functions.vpn-security-policies
@@ -334,7 +334,30 @@ vpn_security_policies_write_config() {
 		return ${EXIT_ERROR}
 	fi
=20
-	# TODO everytime we successfully write a config we should call some trigger=
 to take the changes into effect
+	if ! vpn_security_policies_reload ${name}; then
+		log WARNING "Could not reload the IPsec connection using this security pol=
icy"
+		return ${EXIT_ERROR}
+	fi
+}
+
+# reload IPsec connections using a special policy
+vpn_security_policies_reload() {
+	local name=3D${1}
+
+	local connection
+	for connection in $(ipsec_list_connections); do
+		if ! ipsec_connection_read_config "${connection}" "SECURITY_POLICY"; then
+			continue
+		fi
+
+		if [[ "${SECURITY_POLICY}" =3D "${name}" ]]; then
+			if ! ipsec_connection_to_strongswan "${connection}"; then
+				log ERROR "Could not generate strongswan config for ${connnection}"
+			fi
+		fi
+	done
+
+	ipsec_strongswan_load
 }
=20
 # This funtion writes the value for one key to a via ${name} specificated vp=
n security policy configuration file
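Review bot: In `vpn_security_policies_reload` a failure of `ipsec_connection_to_strongswan` is only logged; the loop continues and the function returns the status of `ipsec_strongswan_load`, so a connection whose config could not be regenerated keeps running under the old policy while `vpn_security_policies_write_config` reports success to the caller. The log line in that branch also references `${connnection}` (three n's), an unset name, so the message will not say which connection failed. Track the failure in a local status and return it after the reload, as sketched below. `SECURITY_POLICY` is not declared local and is not cleared between iterations, so if `ipsec_connection_read_config` leaves it untouched for a connection without that key the previous connection's value would match; presumably the helper assigns in the caller's scope, in which case `local SECURITY_POLICY` before the loop covers both concerns, but this is worth confirming. The call at the top of the hunk, `vpn_security_policies_reload ${name}`, should also quote its argument.
```shell
vpn_security_policies_reload() {
	local name=${1}
	local ret=${EXIT_OK}

	local connection SECURITY_POLICY
	for connection in $(ipsec_list_connections); do
		# … unchanged: read SECURITY_POLICY, continue on read failure …

		if [[ "${SECURITY_POLICY}" = "${name}" ]]; then
			if ! ipsec_connection_to_strongswan "${connection}"; then
				log ERROR "Could not generate strongswan config for ${connection}"
				ret=${EXIT_ERROR}
			fi
		fi
	done

	ipsec_strongswan_load || ret=${EXIT_ERROR}

	return ${ret}
}
```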
--=20
2.6.3


--===============1981797437064134324==--