From a261cb06c6cdd3ba14ad0163c8c9e714ae94fc5b Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Mon, 19 Feb 2018 23:42:17 +0000
Subject: [PATCH] IPsec: Try to restart always-on tunnels immediately
When a tunnel that is in always-on configuration closes unexpectedly, we can instruct strongSwan to restart it immediately which is precisely what we do now.
Signed-off-by: Michael Tremer
---
 config/rootfiles/core/119/filelists/files | 1 +
 config/rootfiles/core/119/update.sh | 10 ++++++++--
 html/cgi-bin/vpnmain.cgi | 6 ++++++
 3 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/config/rootfiles/core/119/filelists/files b/config/rootfiles/core/119/filelists/files
index 053cb12788..c8f6cc13bb 100644
--- a/config/rootfiles/core/119/filelists/files
+++ b/config/rootfiles/core/119/filelists/files
@@ -5,4 +5,5 @@ etc/rc.d/init.d/unbound
 srv/web/ipfire/cgi-bin/index.cgi
 srv/web/ipfire/cgi-bin/ovpnmain.cgi
 srv/web/ipfire/cgi-bin/proxy.cgi
+srv/web/ipfire/cgi-bin/vpnmain.cgi
 var/ipfire/langs
diff --git a/config/rootfiles/core/119/update.sh b/config/rootfiles/core/119/update.sh
index e4c7a77ebe..1231a4941b 100644
--- a/config/rootfiles/core/119/update.sh
+++ b/config/rootfiles/core/119/update.sh
@@ -73,8 +73,14 @@ rm -vf \
 # Start services
-# This update need a reboot...
-#touch /var/run/need_reboot
+# Regenerate IPsec configuration
+sudo -u nobody /srv/web/ipfire/cgi-bin/vpnmain.cgi
+if grep -q "ENABLED=on" /var/ipfire/vpn/settings; then
+ /etc/init.d/ipsec restart
+fi
+
+# This update needs a reboot...
+touch /var/run/need_reboot
 # Finish
 /etc/init.d/fireinfo start
diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
index 17873d62be..2a0351ea04 100644
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
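Review bot: In the update.sh hunk the exit status of `sudo -u nobody /srv/web/ipfire/cgi-bin/vpnmain.cgi` is never checked, so if the regeneration fails the following `/etc/init.d/ipsec restart` brings the tunnels back up on whatever configuration was left on disk. Consider tying the restart to it, e.g. `if sudo -u nobody /srv/web/ipfire/cgi-bin/vpnmain.cgi && grep -q "^ENABLED=on" /var/ipfire/vpn/settings; then`, or at least logging the failure before restarting. The pattern `"ENABLED=on"` is also unanchored and would match any other key in the settings file that happens to end in `ENABLED=on`; the `^` anchor in the line above avoids that. The now-active `touch /var/run/need_reboot` is not mentioned in the commit message, so a one-line comment stating why this update requires a reboot would help.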
@@ -436,6 +436,12 @@ sub writeipsecfiles {
 if ($start_action eq 'route' && $inactivity_timeout > 0) {
 print CONF "\tinactivity=$inactivity_timeout\n";
 }
+
+ # Restart the connection immediately when it has gone down
+ # unexpectedly
+ if ($start_action eq 'start') {
+ print CONF "\tcloseaction=restart\n";
+ }
 }
 # Fragmentation
--
2.39.2
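Review bot: The new `closeaction=restart` line is written for every connection with `$start_action eq 'start'` regardless of how the peer is configured, and strongSwan's ipsec.conf documentation advises against closeaction when the peer uses reauthentication or uniqueids checking, because those events can trigger the action when it is not wanted. Whether reauthentication is set for these connections is not visible here, so this should be confirmed against the rest of `writeipsecfiles`, which starts and ends outside the hunk. The comment could also be more precise, since closeaction reacts to the remote peer closing a CHILD_SA rather than to any kind of outage: `# Re-establish the CHILD_SA when the remote peer closes it unexpectedly`.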