authorChristian Poessinger <christian@poessinger.com>2020-04-18 13:36:31 +0200
committerGitHub <noreply@github.com>2020-04-18 13:36:31 +0200
commite2a5057b1358b5d8fa7afcd4398d0b264236172c (patch)
tree7fa6754bdc814a27581b797f1d5da6f3ac1bb15a /src/conf_mode
parent4830651c2b624a163d83da72f4c4414791d4619e (diff)
parent1abe2e41c98c5d36747be3373362f5b5dbc0b8a4 (diff)
Merge pull request #354 from DmitriyEshenko/fix-ipsec-sts-l2tp
ipsec: T2317: Fix adding params to ipsec configuration files
Diffstat (limited to 'src/conf_mode')
-rwxr-xr-xsrc/conf_mode/ipsec-settings.py46
1 files changed, 34 insertions, 12 deletions
diff --git a/src/conf_mode/ipsec-settings.py b/src/conf_mode/ipsec-settings.py
index 4fffa11ee..e76916dbd 100755
--- a/src/conf_mode/ipsec-settings.py
+++ b/src/conf_mode/ipsec-settings.py
@@ -28,10 +28,10 @@ from vyos.template import render
ra_conn_name = "remote-access"
charon_conf_file = "/etc/strongswan.d/charon.conf"
-ipsec_secrets_flie = "/etc/ipsec.secrets"
+ipsec_secrets_file = "/etc/ipsec.secrets"
ipsec_ra_conn_dir = "/etc/ipsec.d/tunnels/"
ipsec_ra_conn_file = ipsec_ra_conn_dir + ra_conn_name
-ipsec_conf_flie = "/etc/ipsec.conf"
+ipsec_conf_file = "/etc/ipsec.conf"
ca_cert_path = "/etc/ipsec.d/cacerts"
server_cert_path = "/etc/ipsec.d/certs"
server_key_path = "/etc/ipsec.d/private"
@@ -96,6 +96,24 @@ def get_config():
return data
+def write_ipsec_secrets(c):
+ if c.get("ipsec_l2tp_auth_mode") == "pre-shared-secret":
+ secret_txt = "{0}\n{1} %any : PSK \"{2}\"\n{3}\n".format(delim_ipsec_l2tp_begin, c['outside_addr'], c['ipsec_l2tp_secret'], delim_ipsec_l2tp_end)
+ elif data.get("ipsec_l2tp_auth_mode") == "x509":
+ secret_txt = "{0}\n: RSA {1}\n{2}\n".format(delim_ipsec_l2tp_begin, c['server_key_file_copied'], delim_ipsec_l2tp_begin)
+
+ old_umask = os.umask(0o077)
+ with open(ipsec_secrets_file, 'a+') as f:
+ f.write(secret_txt)
+ os.umask(old_umask)
+
+def write_ipsec_conf(c):
+ ipsec_confg_txt = "{0}\ninclude {1}\n{2}\n".format(delim_ipsec_l2tp_begin, ipsec_ra_conn_file, delim_ipsec_l2tp_begin)
+
+ old_umask = os.umask(0o077)
+ with open(ipsec_conf_file, 'a+') as f:
+ f.write(ipsec_confg_txt)
+ os.umask(old_umask)
### Remove config from file by delimiter
def remove_confs(delim_begin, delim_end, conf_file):
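Review bot: The x509 branch of write_ipsec_secrets tests `data.get("ipsec_l2tp_auth_mode")` while the rest of the function uses its parameter `c`; unless a module-level `data` happens to exist (get_config() returns its `data` locally), that branch raises NameError, and a config matching neither branch leaves `secret_txt` unbound at the write. Both new writers also close their block with `delim_ipsec_l2tp_begin` as the last format argument (the x509 line here and the format call in write_ipsec_conf), so `remove_confs(delim_ipsec_l2tp_begin, delim_ipsec_l2tp_end, …)` will never find the end marker and the appended blocks accumulate on every commit; write_ipsec_conf's call should end with `delim_ipsec_l2tp_end`. The PSK is interpolated unescaped into a double-quoted field, so a secret containing `"` or a newline corrupts /etc/ipsec.secrets — rejecting such values in the config verification step is the cheap guard. Note too that the umask only governs the mode when the file is created; an existing secrets file keeps whatever permissions it already has, which deserves a one-line comment if intended.
```python
def write_ipsec_secrets(c):
    auth_mode = c.get("ipsec_l2tp_auth_mode")
    if auth_mode == "pre-shared-secret":
        secret_txt = "{0}\n{1} %any : PSK \"{2}\"\n{3}\n".format(delim_ipsec_l2tp_begin, c['outside_addr'], c['ipsec_l2tp_secret'], delim_ipsec_l2tp_end)
    elif auth_mode == "x509":
        secret_txt = "{0}\n: RSA {1}\n{2}\n".format(delim_ipsec_l2tp_begin, c['server_key_file_copied'], delim_ipsec_l2tp_end)
    else:
        raise ValueError("unsupported ipsec_l2tp_auth_mode: {0}".format(auth_mode))
    # … unchanged: umask 0o077, append secret_txt to ipsec_secrets_file, restore umask …
```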
@@ -150,11 +168,12 @@ def generate(data):
render(charon_conf_file, 'ipsec/charon.tmpl', data, trim_blocks=True)
if data["ipsec_l2tp"]:
- remove_confs(delim_ipsec_l2tp_begin, delim_ipsec_l2tp_end, ipsec_conf_flie)
-
- old_umask = os.umask(0o077)
- render(ipsec_secrets_flie, 'ipsec/ipsec.secrets.tmpl', c, trim_blocks=True)
- os.umask(old_umask)
+ remove_confs(delim_ipsec_l2tp_begin, delim_ipsec_l2tp_end, ipsec_secrets_file)
+ # old_umask = os.umask(0o077)
+ # render(ipsec_secrets_file, 'ipsec/ipsec.secrets.tmpl', c, trim_blocks=True)
+ # os.umask(old_umask)
+ ## Use this method while IPSec CLI handler won't be overwritten to python
+ write_ipsec_secrets(data)
old_umask = os.umask(0o077)
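Review bot: The replaced render call is left behind as three commented-out lines above `write_ipsec_secrets(data)`, and the next hunk repeats the same pattern above `write_ipsec_conf(data)`; delete the dead code in both places — the template path is recoverable from history. The `## Use this method while IPSec CLI handler won't be overwritten to python` comment should instead state why appending a delimited block is preferred over rendering the whole file, e.g. `# Append a delimited block: the file is shared with the non-Python IPsec handler, so it must not be overwritten` — if that is in fact the reason, which the current wording does not make clear. generate() starts and ends outside this hunk.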
@@ -165,15 +184,18 @@ def generate(data):
render(ipsec_ra_conn_file, 'ipsec/remote-access.tmpl', c, trim_blocks=True)
os.umask(old_umask)
- old_umask = os.umask(0o077)
- render(ipsec_conf_flie, 'ipsec/ipsec.conf.tmpl', c, trim_blocks=True)
- os.umask(old_umask)
+ remove_confs(delim_ipsec_l2tp_begin, delim_ipsec_l2tp_end, ipsec_conf_file)
+ # old_umask = os.umask(0o077)
+ # render(ipsec_conf_file, 'ipsec/ipsec.conf.tmpl', c, trim_blocks=True)
+ # os.umask(old_umask)
+ ## Use this method while IPSec CLI handler won't be overwritten to python
+ write_ipsec_conf(data)
else:
if os.path.exists(ipsec_ra_conn_file):
remove_confs(delim_ipsec_l2tp_begin, delim_ipsec_l2tp_end, ipsec_ra_conn_file)
- remove_confs(delim_ipsec_l2tp_begin, delim_ipsec_l2tp_end, ipsec_secrets_flie)
- remove_confs(delim_ipsec_l2tp_begin, delim_ipsec_l2tp_end, ipsec_conf_flie)
+ remove_confs(delim_ipsec_l2tp_begin, delim_ipsec_l2tp_end, ipsec_secrets_file)
+ remove_confs(delim_ipsec_l2tp_begin, delim_ipsec_l2tp_end, ipsec_conf_file)
def restart_ipsec():
call('ipsec restart >&/dev/null')