From 0b10ce8e4575347b8c09482740e79eda6bcb2708 Mon Sep 17 00:00:00 2001 From: Juan Antonio Osorio Robles Date: Wed, 17 Jan 2018 08:16:06 +0000 Subject: [PATCH] Dont insist on IKEv2 For some reason, using IKEv2 causes issues with tunnels that are on the same network going to different hosts. This commit leaves then the usage of IKEv2 only for opportunistic IPSEC configurations. Closes-Bug: #1743693 Change-Id: Ic1b1dfa86fd9fb328a197211b114cd39ee12da3f
---
 templates/ipsec-node-to-node-private-or-clear.conf.j2 | 1 - templates/ipsec-node-to-node-private.conf.j2 | 1 - templates/ipsec-vip-tunnels.conf.j2 | 2 -- 3 files changed, 4 deletions(-)
diff --git a/templates/ipsec-node-to-node-private-or-clear.conf.j2 b/templates/ipsec-node-to-node-private-or-clear.conf.j2
index 49c7a47..a4bed5d 100644
--- a/templates/ipsec-node-to-node-private-or-clear.conf.j2
+++ b/templates/ipsec-node-to-node-private-or-clear.conf.j2
@@ -14,7 +14,6 @@ conn overcloud-private-node-to-node-{{ network }}-ip-{{ loop.index0 }}
 rightid={{ other_ip }}
 right={{ other_ip }}
 failureshunt=passthrough
- ikev2=insist
 auto=start
 retransmit-timeout=2s
 phase2alg={{ ipsec_algorithm }}
diff --git a/templates/ipsec-node-to-node-private.conf.j2 b/templates/ipsec-node-to-node-private.conf.j2
index 92569ca..6572b79 100644
--- a/templates/ipsec-node-to-node-private.conf.j2
+++ b/templates/ipsec-node-to-node-private.conf.j2
@@ -12,7 +12,6 @@ conn overcloud-private-node-to-node-{{ network }}-ip-{{ loop.index0 }}
 rightid={{ other_ip }}
 right={{ other_ip }}
 failureshunt=drop
- ikev2=insist
 auto=start
 retransmit-timeout=2s
 phase2alg={{ ipsec_algorithm }}
diff --git a/templates/ipsec-vip-tunnels.conf.j2 b/templates/ipsec-vip-tunnels.conf.j2
index efe74d8..bb908e6 100644
--- a/templates/ipsec-vip-tunnels.conf.j2
+++ b/templates/ipsec-vip-tunnels.conf.j2
@@ -13,7 +13,6 @@ conn overcloud-{{ current_vip.name }}-vip-tunnel
 dpdtimeout=15
 phase2alg={{ ipsec_algorithm }}
 failureshunt=drop
- ikev2=insist
 {% endif %}
@@ -29,4 +28,3 @@ conn overcloud-{{ current_vip.name }}-node-to-vip-tunnel
 dpdtimeout=15
 phase2alg={{ ipsec_algorithm }}
 failureshunt=drop
- ikev2=insist