IPSec tunnels: T2728: Fixed protocol selector for tunnels

The protocol selector used for tunnels in transport mode was ignored by the configuration script. This commit adding it as a part of left|rightsubnet, as required by strongSwan.
author: zsdc <taras@vyos.io> 2020-07-24 23:23:14 +0300
committer: zsdc <taras@vyos.io> 2020-07-30 19:09:44 +0300
commit: cec720d0fd241f656100b10674bf2c7c4f02b4ea (patch)
tree: 842a337724998fa7e99f8ab37fdfd85cd0b66d7e
parent: 66a3c73455d80adc920d4120fb31a9b0070b4158 (diff)
download: vyatta-cfg-vpn-cec720d0fd241f656100b10674bf2c7c4f02b4ea.tar.gz
vyatta-cfg-vpn-cec720d0fd241f656100b10674bf2c7c4f02b4ea.zip
1 files changed, 23 insertions, 0 deletions
diff --git a/scripts/vpn-config.pl b/scripts/vpn-config.pl
index 582e3a7..d1ae5a8 100755
--- a/scripts/vpn-config.pl
+++ b/scripts/vpn-config.pl
@@ -928,6 +928,29 @@ if ($vcVPN->exists('ipsec')) {
                     if ($isVti == 1) {
                         vpn_die(["vpn","ipsec","site-to-site","peer",$peer,"$tunKeyword"],"$vpn_cfg_err Can not use transport mode for \"$peer\" with vti\n");
                     }
+                    # Processing protocol selector for a tunnel
+                    my $protocol = $vcVPN->returnValue("ipsec site-to-site peer $peer $tunKeyword protocol");
+                    if (defined($protocol)) {
+                        # Replace 'all' with the proper variant for strongSwan
+                        if ($protocol eq 'all') {
+                            $protocol = '%any';
+                        }
+                        # Transport mode with protocol selector can be used only together with left|rightsubnet
+                        # Thus, we need to be sure that it is possible to generate their values from left/right
+                        my $left_ip = new NetAddr::IP $vcVPN->returnValue("ipsec site-to-site peer $peer local-address");
+                        if ($left_ip->addr eq '0.0.0.0') {
+                            vpn_die(["vpn","ipsec","site-to-site","peer",$peer,"$tunKeyword"],"$vpn_cfg_err It is not possible to use transport mode ESP ".
+                            "group and protocol selector without predefined static \"local-address\"\n");
+                        }
+                        my $right_ip = new NetAddr::IP $peer;
+                        if ($right_ip->addr eq '0.0.0.0') {
+                            vpn_die(["vpn","ipsec","site-to-site","peer",$peer,"$tunKeyword"],"$vpn_cfg_err It is not possible to use transport mode ESP ".
+                            "group and protocol selector together with a peer without predefined IP address\n");
+                        }
+                        # Generate a config for using with the protocol selector
+                        $genout .= "\tleftsubnet=$left_ip\[$protocol\]\n";
+                        $genout .= "\trightsubnet=$right_ip\[$protocol\]\n";
+                    }
                 }
                 $genout .= "\ttype=$espmode\n";
author	zsdc <taras@vyos.io>	2020-07-24 23:23:14 +0300
committer	zsdc <taras@vyos.io>	2020-07-30 19:09:44 +0300
commit	cec720d0fd241f656100b10674bf2c7c4f02b4ea (patch)
tree	842a337724998fa7e99f8ab37fdfd85cd0b66d7e
parent	66a3c73455d80adc920d4120fb31a9b0070b4158 (diff)
download	vyatta-cfg-vpn-cec720d0fd241f656100b10674bf2c7c4f02b4ea.tar.gz vyatta-cfg-vpn-cec720d0fd241f656100b10674bf2c7c4f02b4ea.zip