
ike-group: T4288 : close-action is missing in swanctl.conf #1251

Merged
merged 1 commit into from
Mar 24, 2022

Conversation

srividya0208
Contributor

Change Summary

The close-action parameter is missing in the swanctl.conf file, so I added the parameter as per the strongSwan guide.
Also changed the dead-peer-detection action from start to restart as per the following guide:

https://docs.strongswan.org/strongswan-docs/5.9/swanctl/swanctlConf.html

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Code style update (formatting, renaming)
  • Refactoring (no functional changes)
  • Migration from an old Vyatta component to vyos-1x, please link to related PR inside obsoleted component
  • Other (please describe):

Related Task(s)

Component(s) name

vpn ipsec ike-group

Proposed changes

Existing template:

        children {
            peer_172-21-0-2_tunnel_0 {
                esp_proposals = aes128-sha1
                life_time = 120s
                local_ts = 192.168.0.0/22
                remote_ts = 192.168.254.0/24
                ipcomp = no
                mode = tunnel
                start_action = start
                dpd_action = start
            }
        }
    }

New template:

        children {
            peer_172-21-0-2_tunnel_0 {
                esp_proposals = aes128-sha1
                life_time = 120s
                local_ts = 192.168.0.0/22
                remote_ts = 192.168.254.0/24
                ipcomp = no
                mode = tunnel
                start_action = start
                dpd_action = restart
                close_action = trap
            }
        }
    }

How to test

vyos@vyos# set vpn ipsec ike-group ike1 close-action
Possible completions:
   none         Do nothing
   hold         Attempt to re-negotiate when matching traffic is seen
   restart      Attempt to re-negotiate the connection immediately

vyos@vyos# set vpn ipsec ike-group ike1 dead-peer-detection action
Possible completions:
   hold         Attempt to re-negotiate the connection when matching traffic is seen
   clear        Remove the connection immediately
   restart      Attempt to re-negotiate the connection immediately

Checklist:

  • I have read the CONTRIBUTING document
  • I have linked this PR to one or more Phabricator Task(s)
  • I have run the components SMOKETESTS if applicable
  • My commit headlines contain a valid Task id
  • My change requires a change to the documentation
  • I have updated the documentation accordingly

@@ -241,16 +241,12 @@
<format>hold</format>
<description>Attempt to re-negotiate when matching traffic is seen</description>
</valueHelp>
<valueHelp>
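Review bot: the hunk header (16 lines before, 12 after) shows four lines leaving the close-action valueHelp block, which means a completion value that earlier releases accepted (the review thread identifies it as `clear`) is no longer valid; a config.boot that still carries that value would fail validation after upgrade, so this hunk should land together with the migration script that rewrites it (src/migration-scripts/ipsec/5-to-6, as discussed below), and the removed option should be named in the commit message.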
Member

This will require a migration as is a valid option going back to 1.3 etc

Member

You have a migrator?

Contributor Author

@c-po

I wrote these lines into the existing migration script src/migration-scripts/ipsec/5-to-6, but I don't know how to validate it.
Can you please guide me on how to validate it?

# Change the close-action options
if config.exists(base + ['ike-group']):
    for ike_group in config.list_nodes(base + ['ike-group']):
        # 'clear' is no longer a valid close-action value; drop it from every ike-group
        base_closeaction = base + ['ike-group', ike_group, 'close-action', 'clear']
        if config.exists(base_closeaction):
            config.delete(base_closeaction)

Member

@c-po c-po Mar 20, 2022

You can test individual migration scripts by just executing this after changing the config version string.

https://docs.vyos.io/en/equuleus/debugging.html#config-migration-scripts

$ cp /config/config.boot /tmp
$ /usr/libexec/vyos/run-config-migration.py --virtual --set-vintage vyos /tmp/config.boot
$ src/migration-scripts/ipsec/5-to-6 /tmp/config.boot

Now inspect /tmp/config.boot if it was altered correctly.

PRO-TIP

Something I do is that right before

try:
    with open(file_name, 'w') as f:
        f.write(config.to_string())
except OSError as e:
    print(f'Failed to save the modified config: {e}')
    exit(1)

I add the following two lines during development of the migrator:

print(config.to_string())
exit(1)

With this the altered config is not saved and you can re-run and debug your migrator until it's ready. Then remove those two lines again.
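The migrator test loop above (run the script against a copy of config.boot, inspect the result, print instead of saving while developing) and the close-action rewrite from the earlier comment, as an added example that is not VyOS project code: a self-contained Python stand-in with a small parser and serializer for the brace-structured config.boot format, a walk / list_nodes / delete path API modelled on the shape of the calls in the posted snippet, and the migration itself. Assumptions: the real scripts use `vyos.configtree.ConfigTree`, which is not used here; the sample config and its `vyos-config-version` trailer are constructed; the migration drops `close-action clear` and leaves the ike-group without an explicit close-action, exactly as the posted snippet does.

```python
# Added example (not VyOS project code): a stand-in for the migrator workflow discussed above,
# with a minimal config.boot parser/serializer, a ConfigTree-like path API (list_nodes / delete)
# and the PR's close-action migration. Real migrators use vyos.configtree.ConfigTree instead.
import shlex

class Node:
    def __init__(self, kind):
        self.kind = kind     # 'node' ("name {"), 'tag' ("name tag {"), 'leaf', 'value'
        self.children = {}   # child name -> Node, kept in file order

def parse(text):
    """Parse config.boot text into a Node tree; '//' trailer lines are kept aside."""
    root, stack, trailer = Node('node'), [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('/*'):
            continue                                   # blank lines and /* */ comments
        if line.startswith('//'):
            trailer.append(line)                       # e.g. the vyos-config-version line
            continue
        tokens = shlex.split(line)                     # honours "quoted values"
        cur = stack[-1] if stack else root
        if tokens == ['}']:
            stack.pop()
        elif tokens[-1] == '{':                        # "name {" or "name tag {"
            if len(tokens) == 3:
                cur = cur.children.setdefault(tokens[0], Node('tag'))
            cur.children[tokens[-2]] = Node('node')
            stack.append(cur.children[tokens[-2]])
        else:                                          # "name [value ...]"
            leaf = cur.children.setdefault(tokens[0], Node('leaf'))
            for value in tokens[1:]:
                leaf.children[value] = Node('value')
    return root, trailer

def serialize(node, trailer=(), indent=0):
    """Render the tree back as config.boot text (4-space indent, as VyOS writes it)."""
    pad, out = ' ' * indent, []
    for name, child in node.children.items():
        if child.kind == 'node':
            out += [f'{pad}{name} {{', serialize(child, indent=indent + 4), f'{pad}}}']
        elif child.kind == 'tag':
            for tag, sub in child.children.items():
                out += [f'{pad}{name} {tag} {{', serialize(sub, indent=indent + 4), f'{pad}}}']
        else:  # leaf: one line per value (quoted if it has spaces), bare name if valueless
            out += [f'{pad}{name} ' + (f'"{v}"' if ' ' in v else v) for v in child.children] or [f'{pad}{name}']
    out += list(trailer)
    return '\n'.join(s for s in out if s)

def walk(root, path):
    for element in path:
        root = root.children.get(element) if root else None
    return root

def list_nodes(root, path):
    node = walk(root, path)
    return list(node.children) if node else []

def delete(root, path):
    parent = walk(root, path[:-1]) if path else None
    if parent is None or path[-1] not in parent.children:
        return False
    del parent.children[path[-1]]
    if parent.kind == 'leaf' and not parent.children:   # a leaf with no values left
        delete(root, path[:-1])                          # disappears with its value
    return True

def migrate_close_action(root):
    """The PR's migrator: 'clear' is no longer a valid close-action, so drop it per ike-group."""
    base, touched = ['vpn', 'ipsec'], []
    for ike_group in list_nodes(root, base + ['ike-group']):
        if delete(root, base + ['ike-group', ike_group, 'close-action', 'clear']):
            touched.append(ike_group)
    return touched

def migrate_text(text):
    """Parse, migrate and print (rather than save) the result, as in the PRO-TIP loop."""
    root, trailer = parse(text)
    touched = migrate_close_action(root)
    result = serialize(root, trailer) + '\n'
    print(result)
    return touched, result

SAMPLE = """\
vpn {
    ipsec {
        ike-group ike1 {
            close-action clear
        }
        ike-group ike2 {
            close-action hold
        }
    }
}
// vyos-config-version: "ipsec@5"
"""  # constructed sample: ike1 carries the retired value, ike2 a value that stays valid

if __name__ == '__main__':
    migrate_text(SAMPLE)
```

Running it prints the migrated text instead of writing it, mirroring the print/exit trick; `migrate_text` also returns the touched ike-groups and the text, so the result can be checked by code rather than by reading /tmp/config.boot. Running the migration a second time touches nothing, which is the idempotence a migrator needs when the runner is re-executed against an already migrated file.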

Contributor Author

added the migrator

close-action parameter is missing in the swanctl.conf file