ipsec.security-association.sa[].share-session を enable にする。

seil3 では設定不可で、enable 相当の動作となるため。
ただし複数の security-policy から参照されている SA  のみ書く。

また、複数の SA から参照されている単一の IKE peer が、同一内容で複数回
書かれてしまっていたため、一回だけ書くように修正した。

seil2recipe.js

@@ -2938,6 +2938,13 @@ Converter.defer((conv) => {
 });
 
 function ike_peer(conv, prefix, peer, if_prefix) {
+    // write only once
+    if (peer['*DONE*']) {
+        return;
+    } else {
+        peer['*DONE*'] = true;
+    }
+
     const prefix_ike = if_prefix ? `${prefix}.ike` : prefix;
     const prefix_proposal = if_prefix ? `${prefix}.ike.proposal.phase1` : `${prefix}.proposal`;
 
@@ -3239,6 +3246,12 @@ Converter.rules['ipsec'] = {
             conv.badconfig(`ipsec security-association ${sa_name} is not properly configured`);
             return;
         }
+        if (sa['*SP*'] == null) {
+            sa['*SP*'] = "one";
+        } else if (sa['*SP*'] == "one") {
+            conv.add(`ipsec.security-association.${sa['idx']}.share-session`, 'enable');
+            sa['*SP*'] = "some";
+        }
 
         const sap_name = sa['ike'];
 

test/test.js

@@ -1474,6 +1474,43 @@ describe('ipsec', () => {
             interface.l2tp0.ipsec-preshared-key: foo
         `);
     });
+
+    it('multiple security policies can share a security-association', () => {
+        assertconv(`
+            ike preshared-key add "172.16.0.1" "hogehogehoge"
+            ike proposal add A encryption aes256 hash sha1 authentication preshared-key dh-group modp1536 lifetime-of-time 1d
+            ike peer add A address 172.16.0.1 exchange-mode main proposals A
+            ipsec security-association proposal add A authentication-algorithm hmac-sha256 encryption-algorithm aes256
+            ipsec security-association add A tunnel 172.16.0.2 172.16.0.1 ike A esp enable
+            ipsec security-policy add A security-association A src 1.1.1.1/32 dst any
+            ipsec security-policy add B security-association A src 1.1.1.2/32 dst any
+            ----
+            ike.peer.100.address: 172.16.0.1
+            ike.peer.100.check-level: strict
+            ike.peer.100.exchange-mode: main
+            ike.peer.100.nat-traversal: disable
+            ike.peer.100.preshared-key: hogehogehoge
+            ike.peer.100.proposal.dh-group: modp1536
+            ike.peer.100.proposal.encryption.100.algorithm: aes256
+            ike.peer.100.proposal.hash.100.algorithm: sha1
+            ike.peer.100.proposal.lifetime: 24h
+            ipsec.security-association.sa0.address-type: static
+            ipsec.security-association.sa0.local-address: 172.16.0.2
+            ipsec.security-association.sa0.remote-address: 172.16.0.1
+            ipsec.security-association.sa0.share-session: enable
+            ipsec.security-policy.100.destination.address: any
+            ipsec.security-policy.100.ike.proposal.authentication.100.algorithm: hmac-sha256
+            ipsec.security-policy.100.ike.proposal.encryption.100.algorithm: aes256
+            ipsec.security-policy.100.security-association: sa0
+            ipsec.security-policy.100.source.address: 1.1.1.1/32
+            ipsec.security-policy.200.destination.address: any
+            ipsec.security-policy.200.ike.proposal.authentication.100.algorithm: hmac-sha256
+            ipsec.security-policy.200.ike.proposal.encryption.100.algorithm: aes256
+            ipsec.security-policy.200.security-association: sa0
+            ipsec.security-policy.200.source.address: 1.1.1.2/32
+            `);
+    });
+
 });
 
 describe('macfilter', () => {