From: Jonatan Schlag
Date: Fri, 4 Aug 2017 19:26:37 +0000 (+0200)
Subject: ipsec: reload connection when the security policy changes
X-Git-Tag: 009~52
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f0e91d26721271749088be8d30ea96282ddd9e03;p=network.git

ipsec: reload connection when the security policy changes

Signed-off-by: Jonatan Schlag
Signed-off-by: Michael Tremer
---
diff --git a/src/functions/functions.ipsec b/src/functions/functions.ipsec
index 5a464b5d..015b3b81 100644
--- a/src/functions/functions.ipsec
+++ b/src/functions/functions.ipsec
@@ -293,6 +293,13 @@ ipsec_connection_exists() {
 	[ -d "${path}" ] && return ${EXIT_TRUE} || return ${EXIT_FALSE}
 }
 
+ipsec_strongswan_load() {
+	if ! cmd swanctl --load-all; then
+		log ERROR "Could not reload strongswan config"
+		return ${EXIT_ERROR}
+	fi
+}
+
 # Reloads the connection after config changes
 ipsec_reload() {
 	local connection=${1}
@@ -302,10 +309,7 @@ ipsec_reload() {
 		return ${EXIT_ERROR}
 	fi
 
-	if ! cmd swanctl --load-all; then
-		log ERROR "Could not reload strongswan config"
-		return ${EXIT_ERROR}
-	fi
+	ipsec_strongswan_load
 }
 
 # Handle the cli after authentification
diff --git a/src/functions/functions.vpn-security-policies b/src/functions/functions.vpn-security-policies
index e61e4113..670c12de 100644
--- a/src/functions/functions.vpn-security-policies
+++ b/src/functions/functions.vpn-security-policies
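Review bot: The new ipsec_strongswan_load in the first hunk of functions.ipsec has no header comment, although neighbouring functions in this file carry one (`# Reloads the connection after config changes`); I would add `# (Re)loads the complete strongswan configuration via swanctl --load-all` above it. The function also ends without an explicit status, so on success it returns whatever the trailing `if` compound yields; for consistency with the explicit `return ${EXIT_TRUE}`/`${EXIT_FALSE}` style of ipsec_connection_exists just above, add `return ${EXIT_OK}` (the project's success constant) after the `fi`. It is worth stating in that comment that `--load-all` reloads every connection, credential and pool known to swanctl rather than only the connection being changed, so callers understand the scope of the reload they trigger.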
@@ -334,7 +334,30 @@ vpn_security_policies_write_config() {
 		return ${EXIT_ERROR}
 	fi
 
-	# TODO everytime we successfully write a config we should call some trigger to take the changes into effect
+	if ! vpn_security_policies_reload ${name}; then
+		log WARNING "Could not reload the IPsec connection using this security policy"
+		return ${EXIT_ERROR}
+	fi
+}
+
+# reload IPsec connections using a special policy
+vpn_security_policies_reload() {
+	local name=${1}
+
+	local connection
+	for connection in $(ipsec_list_connections); do
+		if ! ipsec_connection_read_config "${connection}" "SECURITY_POLICY"; then
+			continue
+		fi
+
+		if [[ "${SECURITY_POLICY}" = "${name}" ]]; then
+			if ! ipsec_connection_to_strongswan "${connection}"; then
+				log ERROR "Could not generate strongswan config for ${connnection}"
+			fi
+		fi
+	done
+
+	ipsec_strongswan_load
 }
 
 # This funtion writes the value for one key to a via ${name} specificated vpn security policy configuration file
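Review bot: The error log inside the loop of vpn_security_policies_reload references `${connnection}` (three n's), so the connection name is dropped from the message (or the script aborts there if `set -u` is in effect); it should read `log ERROR "Could not generate strongswan config for ${connection}"`. The match on `SECURITY_POLICY` relies on ipsec_connection_read_config setting that variable for every connection; if the helper leaves it untouched when the key is absent, the previous iteration's value would match the wrong connection, so I would declare `local SECURITY_POLICY` next to `local connection`, which also keeps the value out of the global scope. A failed ipsec_connection_to_strongswan is only logged while the function still calls ipsec_strongswan_load and returns its status, so the WARNING path in vpn_security_policies_write_config is never reached for a generation failure; consider recording the failure in a local flag and returning ${EXIT_ERROR} after the loop, before or after the load, depending on whether a partially regenerated set should still be applied. Finally, the call `vpn_security_policies_reload ${name}` at the top of the hunk should quote its argument, `"${name}"`, as the other calls in this hunk do.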