summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMohit Mehta <mohit.mehta@vyatta.com>2010-05-26 20:09:23 -0700
committerMohit Mehta <mohit.mehta@vyatta.com>2010-05-26 20:09:23 -0700
commit7489c521ca6e4134d02ef4b406ba931de3625613 (patch)
tree6dd445a691da54d5c52cf9cdd1bd6116d543b168
parent19ecf607495d82626490c4c942d233c564f88ad8 (diff)
downloadvyatta-cfg-vpn-7489c521ca6e4134d02ef4b406ba931de3625613.tar.gz
vyatta-cfg-vpn-7489c521ca6e4134d02ef4b406ba931de3625613.zip
add passthrough connection if remote-subnet contains local-subnet
-rwxr-xr-xscripts/vpn-config.pl49
1 files changed, 49 insertions, 0 deletions
diff --git a/scripts/vpn-config.pl b/scripts/vpn-config.pl
index e40e3ba..3577e60 100755
--- a/scripts/vpn-config.pl
+++ b/scripts/vpn-config.pl
@@ -33,6 +33,7 @@ use constant REKEYFUZZ_DEFAULT => 100;
use constant INVALID_LOCAL_IP => 254;
use constant VPN_MAX_PROPOSALS => 10;
+use Vyatta::TypeChecker;
use Vyatta::VPN::Util;
use Getopt::Long;
use Vyatta::Misc;
@@ -475,6 +476,8 @@ if ( $vcVPN->exists('ipsec') ) {
}
foreach my $tunnel (@tunnels) {
+ my $needs_passthrough = 'false';
+
#
# Add support for tunnel disable.
#
@@ -647,6 +650,29 @@ if ( $vcVPN->exists('ipsec') ) {
$genout .= $leftsourceip if defined $leftsourceip;
#
+ # check if passthrough connection is needed
+ # needed when remote-subnet encompasses local-subnet
+ #
+ if (defined $leftsubnet && defined $rightsubnet) {
+ # validate that these values are ipv4net
+ my $valid_leftsubnet = 'false';
+ my $valid_rightsubnet = 'false';
+
+ $valid_leftsubnet = 'true' if validateType( 'ipv4net', $leftsubnet, 'quiet' );
+ $valid_rightsubnet = 'true' if validateType( 'ipv4net', $rightsubnet, 'quiet' );
+
+ if ($valid_leftsubnet eq 'true' && $valid_rightsubnet eq 'true') {
+
+ my $localsubnet_object = new NetAddr::IP($leftsubnet);
+ my $remotesubnet_object = new NetAddr::IP($rightsubnet);
+
+ if ($remotesubnet_object->contains($localsubnet_object)) {
+ $needs_passthrough = 'true';
+ }
+ }
+ }
+
+ #
# Write IKE configuration from group
#
my $ikelifetime = IKELIFETIME_DEFAULT;
@@ -951,6 +977,29 @@ if ( $vcVPN->exists('ipsec') ) {
$conn_head =~ s/\n//;
$genout .= "#$conn_head"; # to identify end of connection definition
# used by clear vpn op-mode command
+
+ if ( $needs_passthrough eq 'true' ) {
+
+ # CREATE A PASSTHROUGH CONNECTION
+ my $passthrough_conn_head = "\nconn passthrough-peer-$peer-tunnel-$tunnel\n";
+ $passthrough_conn_head =~ s/ peer-@/ peer-/;
+ $genout .= $passthrough_conn_head;
+ if ( $lip eq '0.0.0.0' ) {
+ $genout .= "\tleft=%defaultroute\n";
+ } else {
+ $genout .= "\tleft=$lip\n";
+ }
+ $genout .= "\tright=$right\n";
+ $genout .= "\tleftsubnet=$leftsubnet\n";
+ $genout .= "\trightsubnet=$leftsubnet\n";
+ $genout .= "\ttype=passthrough\n";
+ $genout .= "\tauthby=never\n";
+ $genout .= "\tauto=route\n";
+ $passthrough_conn_head =~ s/\n//;
+ $genout .= "#$passthrough_conn_head";
+
+ }
+
}
}
} else {