authorJeff Leung <jleung@v10networks.ca>2015-02-09 07:30:14 +0000
committerJeff Leung <jleung@v10networks.ca>2015-02-09 07:47:27 +0000
commita69985d6853537d296027be5d2d1c44d73fbeccc (patch)
tree654701154ec68221080697780a22e9ebb0d66500
parent6b652b14199b748089f50bc417b7866300cd0a2f (diff)
downloadvyatta-cfg-vpn-a69985d6853537d296027be5d2d1c44d73fbeccc.tar.gz
vyatta-cfg-vpn-a69985d6853537d296027be5d2d1c44d73fbeccc.zip
Removing generation of leftsourceip= parameter in ipsec.conf
As confirmed by Thermi in the strongSwan IRC channel on freenode, this parameter should not have been generated for a S2S VPN setup. If leftsourceip= is specified on both ends of an IKEv1 S2S VPN tunnel, charon on both ends will hang in MODE_CONFIG, because each end is asking the remote end for an IP which doesn't exist.
-rwxr-xr-xscripts/vpn-config.pl60
1 files changed, 0 insertions, 60 deletions
diff --git a/scripts/vpn-config.pl b/scripts/vpn-config.pl
index 41e2a35..ca685bd 100755
--- a/scripts/vpn-config.pl
+++ b/scripts/vpn-config.pl
@@ -37,7 +37,6 @@ use Vyatta::TypeChecker;
use Vyatta::VPN::Util;
use Getopt::Long;
use Vyatta::Misc;
-use NetAddr::IP;
use Vyatta::VPN::vtiIntf;
my $config_file;
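Review bot: Dropping `use NetAddr::IP;` is only safe if no other code in scripts/vpn-config.pl still constructs a `NetAddr::IP` object; the hunk shows just the import, and the only constructor calls visible on this page are in the removed `CheckIfAddressInsideNetwork` path. If another `new NetAddr::IP(...)` survives elsewhere in the script it will now fail at runtime with a "Can't locate object method" error rather than at compile time, because the indirect-object call is resolved lazily. A grep for `NetAddr::IP` over the rest of the file before merging would settle it. The use block is cut at both edges of the hunk.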
@@ -479,16 +478,6 @@ if ($vcVPN->exists('ipsec')) {
$lip = get_dhcp_addr($dhcp_iface);
}
- # -> leftsourceip is the internal source IP to use in a tunnel
- # -> we use leftsourceip to add a route to the rightsubnet
- # only when rightsubnet is defined and is not 0.0.0.0/0. we do not
- # want to add a vpn route for everything i.e. rightsubnet = 0.0.0.0/0
- # -> if leftsubnet is defined and is not 0.0.0.0/0; we try and find
- # an interface on the system that has an IP address lying within
- # the leftsubnet and use that as leftsourceip. if leftsubnet is not
- # defined or is 0.0.0.0/0 then we use local-address as leftsourceip.
- my $leftsourceip = undef;
-
#
# Assign left and right to local and remote interfaces
#
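Review bot: The removed comment block was the only place in the script recording why `leftsourceip=` was emitted and that, per that comment, it also drove the route to the remote prefix; nothing on the new side explains why the parameter is now deliberately absent, so a later maintainer may reintroduce it. A short comment next to `$genout .= "\tleft=$lip\n";` in the following hunk, e.g. `# leftsourceip= is intentionally not generated for site-to-site peers: set on both ends of an IKEv1 tunnel it leaves charon hanging in MODE_CONFIG (see a69985d)`, would keep the rationale with the code rather than only in the commit message. If the old comment's claim about route installation held, the commit message should also state that operators now need to add the route to the remote prefix themselves. The same removal continues in the hunks at `left=$lip` and `rightsubnet=$rightsubnet`; all of them sit inside the `if ($vcVPN->exists('ipsec'))` block, which starts and ends outside the hunk.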
@@ -499,11 +488,8 @@ if ($vcVPN->exists('ipsec')) {
"for peer \"$peer\" $tunKeyword.\n");
}
$genout .= "\tleft=%defaultroute\n";
-
- # no need for leftsourceip as a defaultroute is must for this to work
} else {
$genout .= "\tleft=$lip\n";
- $leftsourceip = "\tleftsourceip=$lip\n";
}
$genout .= "\tleftid=\"$authid\"\n" if defined $authid;
}
@@ -554,19 +540,6 @@ if ($vcVPN->exists('ipsec')) {
if (defined($leftsubnet)) {
$genout .= "\tleftsubnet=$leftsubnet\n";
- if (!($leftsubnet eq '0.0.0.0/0')) {
- my $localsubnet_object = new NetAddr::IP($leftsubnet);
-
- # leftsourceip should now be an IP on system lying within the leftsubnet
- my @system_ips = Vyatta::Misc::getIP(undef, '4');
- foreach my $system_ip (@system_ips) {
- my $systemip_object = new NetAddr::IP($system_ip);
- if (CheckIfAddressInsideNetwork($systemip_object, $localsubnet_object)){
- my $sourceip = $systemip_object->addr();
- $leftsourceip = "\tleftsourceip=$sourceip\n";
- }
- }
- }
}
my $remotesubnet = $vcVPN->returnValue("ipsec site-to-site peer $peer $tunKeyword remote prefix");
@@ -624,21 +597,8 @@ if ($vcVPN->exists('ipsec')) {
}
if (defined($rightsubnet)) {
$genout .= "\trightsubnet=$rightsubnet\n";
-
- # not adding vpn route if remote prefix is 0.0.0.0/0
- # user should add a route [default/static] manually
- $leftsourceip = undef if $rightsubnet eq '0.0.0.0/0';
- if ($rightsubnet =~ /vhost:%priv/) {
-
- # can't add route when rightsubnet is not specific
- $leftsourceip = undef;
- }
- } else {
- $leftsourceip =undef; # no need for vpn route if rightsubnet not defined
}
- $genout .= $leftsourceip if defined $leftsourceip;
-
#
# Protocol/port
#
@@ -1416,26 +1376,6 @@ sub hasLocalWildcard {
return 0;
}
-sub CheckIfAddressInsideNetwork {
- my ($address, $naipNetwork) = @_;
-
- if (!defined($address) || !defined($naipNetwork)) {
- return 0;
- }
-
- my $naipSM = new NetAddr::IP($address);
- if (defined($naipSM)) {
- my $subnetIA = $naipSM->network()->addr();
- my $naipIA = new NetAddr::IP($subnetIA, $naipSM->masklen());
-
- if (defined($naipIA) && $naipNetwork->within($naipIA)) {
- return 1;
- }
- }
-
- return 0;
-}
-
sub get_x509 {
my $peer = pop(@_);