From 11b5636519b360074eb2877006f2d8d63d9f6610 Mon Sep 17 00:00:00 2001
From: sarthurdev <965089+sarthurdev@users.noreply.github.com>
Date: Mon, 14 Jun 2021 13:04:04 +0200
Subject: ipsec: T2816: T645: T3613: Migrated IPsec to swanctl, includes
multiple selectors, and selectors with VTI.
---
.../dhcp/dhclient-exit-hooks.d/ipsec-dhclient-hook | 30 +++++++++++++++-------
src/etc/ipsec.d/vti-up-down | 14 ++++++++++
2 files changed, 35 insertions(+), 9 deletions(-)
(limited to 'src/etc')
diff --git a/src/etc/dhcp/dhclient-exit-hooks.d/ipsec-dhclient-hook b/src/etc/dhcp/dhclient-exit-hooks.d/ipsec-dhclient-hook
index e00e5fe6e..a7a9a2ce6 100755
--- a/src/etc/dhcp/dhclient-exit-hooks.d/ipsec-dhclient-hook
+++ b/src/etc/dhcp/dhclient-exit-hooks.d/ipsec-dhclient-hook
@@ -1,4 +1,18 @@
#!/bin/bash
+#
+# Copyright (C) 2021 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
if [ "$reason" == "REBOOT" ] || [ "$reason" == "EXPIRE" ]; then
exit 0
@@ -24,8 +38,7 @@ import re
from vyos.util import call
from vyos.util import cmd
-IPSEC_CONF="/etc/ipsec.conf"
-IPSEC_SECRETS="/etc/ipsec.secrets"
+SWANCTL_CONF="/etc/swanctl/swanctl.conf"
def getlines(file):
with open(file, 'r') as f:
@@ -41,7 +54,7 @@ def ipsec_down(ip_address):
connection_name = None
for line in status.split("\n"):
if line.find(ip_address) > 0:
- regex_match = re.search(r'(peer-[^:\[]+)', line)
+ regex_match = re.search(r'(peer_[^:\[]+)', line)
if regex_match:
connection_name = regex_match[1]
break
@@ -53,8 +66,7 @@ if __name__ == '__main__':
new_ip = os.getenv('new_ip_address')
old_ip = os.getenv('old_ip_address')
- conf_lines = getlines(IPSEC_CONF)
- secrets_lines = getlines(IPSEC_SECRETS)
+ conf_lines = getlines(SWANCTL_CONF)
found = False
to_match = f'# dhcp:{interface}'
@@ -68,9 +80,9 @@ if __name__ == '__main__':
secrets_lines[i] = line.replace(old_ip, new_ip)
if found:
- writelines(IPSEC_CONF, conf_lines)
- writelines(IPSEC_SECRETS, secrets_lines)
+ writelines(SWANCTL_CONF, conf_lines)
ipsec_down(old_ip)
- call('sudo /usr/sbin/ipsec rereadall')
- call('sudo /usr/sbin/ipsec reload')
+ call('sudo ipsec rereadall')
+ call('sudo ipsec reload')
+ call('sudo swanctl -q')
PYEND
\ No newline at end of file
diff --git a/src/etc/ipsec.d/vti-up-down b/src/etc/ipsec.d/vti-up-down
index 0e1cd7753..2b66dd9e6 100755
--- a/src/etc/ipsec.d/vti-up-down
+++ b/src/etc/ipsec.d/vti-up-down
@@ -1,4 +1,18 @@
#!/usr/bin/env python3
+#
+# Copyright (C) 2021 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
## Script called up strongswan to bring the vti interface up/down based on the state of the IPSec tunnel.
## Called as vti_up_down vti_intf_name
--
cgit v1.2.3