ipsec: Fix DPD configuration
authorMichael Tremer <michael.tremer@ipfire.org>
Fri, 4 Aug 2017 13:29:41 +0000 (13:29 +0000)
committerMichael Tremer <michael.tremer@ipfire.org>
Fri, 4 Aug 2017 13:29:41 +0000 (13:29 +0000)
dpd_action has to go into the children section

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
src/functions/functions.ipsec

index f324369c92bea5662f40d03a10e04ec53d76bed7..03aefcdde2e184c8c35ce1888f868d35f002daf9 100644 (file)
@@ -968,6 +968,12 @@ _ipsec_connection_to_strongswan_connection() {
                return ${EXIT_ERROR}
        fi
 
+       # Is DPD enabled?
+       local dpd="false"
+       if isset DPD_DELAY && isinteger DPD_DELAY && [ ${DPD_DELAY} -gt 0 ]; then
+               dpd="true"
+       fi
+
        print_indent 0 "connections {"
        print_indent 1 "${connection} {"
 
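Review bot: A `DPD_DELAY` that is set but is not a positive integer leaves `dpd="false"` with no diagnostic, so a typo in that setting silently turns Dead Peer Detection off in both places that now test this flag. Unless the value is already validated where the setting is stored (not visible here), consider logging a warning when `isset DPD_DELAY` holds but `isinteger DPD_DELAY` does not. The comment could also state the rule, e.g. `# DPD is enabled only when DPD_DELAY is a positive integer`. The function body starts and ends outside this hunk.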
@@ -1009,10 +1015,8 @@ _ipsec_connection_to_strongswan_connection() {
        print
 
        # DPD Settings
-       if isset DPD_DELAY && isinteger DPD_DELAY && [ ${DPD_DELAY} -gt 0 ]; then
+       if enabled dpd; then
                print_indent 2 "# Dead Peer Detection"
-
-               print_indent 2 "dpd_action = ${DPD_ACTION}"
                print_indent 2 "dpd_delay = ${DPD_DELAY}"
 
                if isset DPD_TIMEOUT; then
@@ -1103,6 +1107,13 @@ _ipsec_connection_to_strongswan_connection() {
        print_indent 4 "mark_out = %unique"
        print
 
+       # Dead Peer Detection
+       if enabled dpd; then
+               print_indent 4 "# Dead Peer Detection"
+               print_indent 4 "dpd_action = ${DPD_ACTION}"
+               print
+       fi
+
        # Rekeying
        if isset LIFETIME; then
                print_indent 4 "# Rekey Time"
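Review bot: `dpd_action = ${DPD_ACTION}` is printed whenever `dpd` is enabled, but `dpd` is derived from `DPD_DELAY` alone, so an unset or mistyped `DPD_ACTION` would put an empty or invalid value into the generated child section. The `DPD_TIMEOUT` line in the connection section is guarded with `isset`, and this one should get the same treatment, e.g. `if enabled dpd && isset DPD_ACTION; then`. strongSwan accepts `clear`, `trap` and `restart` for this key, and checking against that list before printing would stop a bad value before it reaches the daemon. The chosen action decides whether the child SA is dropped, re-trapped or re-negotiated after a dead peer, so a short comment on the expected default would help. The function continues outside the hunk.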