fix for bugs 3044, 3047, and 3048: support ipsec road warriors.

3 files changed, 91 insertions, 12 deletions

diff --git a/scripts/vpn-config.pl b/scripts/vpn-config.pl
index b82ebfd..219c4fe 100755
--- a/scripts/vpn-config.pl
+++ b/scripts/vpn-config.pl
@@ -227,6 +227,12 @@ if ($vcVPN->exists('ipsec')) {
 	    $genout .= "ipsec$counter=$interface";
 	    ++$counter;
 	}
+	if (hasLocalWildcard($vcVPN, 0)) {
+	    if ($counter > 0) {
+		$genout .= ' ';
+	    }
+	    $genout .= '%defaultroute';
+	}
 	$genout .= "\"\n";
     }
     
@@ -329,6 +335,7 @@ if ($vcVPN->exists('ipsec')) {
     #
     # Connection configurations
     #
+    my $wildcard_psk = undef;
     my @peers = $vcVPN->listNodes('ipsec site-to-site peer');
     if (@peers == 0) {
 	#$error = 1;
@@ -346,10 +353,14 @@ if ($vcVPN->exists('ipsec')) {
 	}
 
 	my $lip = $vcVPN->returnValue("ipsec site-to-site peer $peer local-ip");
+	my $authid = $vcVPN->returnValue(
+			    "ipsec site-to-site peer $peer authentication id");
 	if (!defined($lip) || $lip eq "") {
 	    $error = 1;
 	    print STDERR "VPN configuration error.  No local IP specified for peer \"$peer\"\n";
-	} else {
+	} elsif ($lip ne '0.0.0.0') {
+	    # not '0.0.0.0' special case.
+	    # check interface addresses.
 	    use VyattaMisc;
 	    if (!VyattaMisc::isIPinInterfaces($vc, $lip, @interfaces)) {
 		
@@ -396,26 +407,46 @@ if ($vcVPN->exists('ipsec')) {
 		$error = 1;
 		print STDERR "VPN configuration error.  The ESP group \"$peer_tunnel_esp_group\" specified for peer \"$peer\" tunnel $tunnel has not been configured.\n";
 	    }
-	    
-	    $genout .= "\nconn peer-$peer-tunnel-$tunnel\n";
+	   
+            my $conn_head = "\nconn peer-$peer-tunnel-$tunnel\n";
+            $conn_head =~ s/ peer-@/ peer-/;
+	    $genout .= $conn_head;
 	    
 	    #
 	    # Assign left and right to local and remote interfaces
 	    #
 	    if (defined($lip)) {
-		my $left = $lip;
-		$genout .= "\tleft=$left\n";
+		if ($lip eq '0.0.0.0') {
+		    if (!defined($authid)) {
+			print STDERR 'VPN configuration error.  '
+			             . 'The "authentication id" must be '
+				     . 'configured if local IP is 0.0.0.0.'
+				     . "\n";
+			$error = 1;
+		    }
+		    $genout .= "\tleft=%defaultroute\n";
+		    $genout .= "\tleftid=$authid\n";
+		} else {
+		    $genout .= "\tleft=$lip\n";
+		}
 	    }
 	    
 	    my $any_peer = 0;
 	    my $right;
-	    if (($peer eq 'any') or ($peer eq '0.0.0.0')) {
+	    my $rightid = undef;
+            if ($peer =~ /^\@/) {
+                # peer is an "ID"
+                $rightid = $peer;
+            }
+	    if (($peer eq 'any') or ($peer eq '0.0.0.0')
+                or defined($rightid)) {
 		$right = '%any';
 		$any_peer = 1;
 	    } else {
 		$right = $peer;
 	    }
 	    $genout .= "\tright=$right\n";
+	    $genout .= "\trightid=$rightid\n" if (defined($rightid));
 	    if ($any_peer) {
 		$genout .= "\trekey=no\n";
 	    }
@@ -658,12 +689,24 @@ if ($vcVPN->exists('ipsec')) {
 		}
 
 		my $right;
-		if (($peer eq 'any') or ($peer eq '0.0.0.0')) {
+		if (($peer eq 'any') or ($peer eq '0.0.0.0')
+                    or ($peer =~ /^\@/)) {
 		    $right = '%any';
+                    if (defined($wildcard_psk)) {
+                      if ($wildcard_psk ne $psk) {
+                        $error = 1;
+                        print STDERR 'VPN configuration error.  '
+                                     . 'All dynamic peers must have the same '
+                                     . "'pre-shared-secret'.\n";
+                      }
+                    } else {
+                      $wildcard_psk = $psk;
+                    }
 		} else {
 		    $right = $peer;
 		}
-		$genout_secrets .= "$lip $right : PSK \"$psk\"\n";
+		my $index1 = ($lip eq '0.0.0.0') ? "$authid" : $lip;
+		$genout_secrets .= "$index1 $right : PSK \"$psk\"\n";
 		$genout .= "\tauthby=secret\n";
 	    } elsif (defined($auth_mode) && $auth_mode eq 'rsa') {
 		
@@ -873,6 +916,7 @@ sub partial_restart {
 	    my %tunnels = $vcVPN->listNodeStatus("ipsec site-to-site peer $peer tunnel");
 	    while (my ($tunnel, $tunnel_status) = each %tunnels) {
 		my $conn = "peer-$peer-tunnel-$tunnel";
+                $conn =~ s/peer-@/peer-/;
 		if ($tunnel_status eq 'added') {
 		    addConnection($peer, $tunnel, $conn_add, $conn_up);
 		} elsif ($tunnel_status eq 'changed') {
@@ -889,6 +933,7 @@ sub partial_restart {
 	    my @tunnels = $vcVPN->listOrigNodes("ipsec site-to-site peer $peer tunnel");
 	    foreach my $tunnel (@tunnels) {
 		my $conn = "peer-$peer-tunnel-$tunnel";
+                $conn =~ s/peer-@/peer-/;
 		deleteConnection($conn, $conn_down, $conn_delete);
 	    }
 	} elsif ($peer_status eq 'static') {
@@ -918,11 +963,13 @@ sub vpn_exec {
 
     if ($error == 0) {
 	my $cmd_out = qx($command);
+        my $rval = ($? >> 8);
 	print LOG "Output:\n$cmd_out\n---\n";
-	print LOG "Return code: $?\n";
-	if ($?) {
-            if ($? == 26624 && ($command =~ /^ipsec auto --asynchronous --up/g)) {
-                print LOG "Return code 26624 OK when bringing up VPN connection.\n";
+	print LOG "Return code: $rval\n";
+	if ($rval) {
+            if ($command =~ /^ipsec auto --asynchronous --up/
+                && ($rval == 104 || $rval == 29)) {
+                print LOG "OK when bringing up VPN connection\n";
 	    } else {
                 $error = 1;
                 print LOG "VPN commit error.  Unable to $desc, received error code $?\n";
@@ -954,6 +1001,7 @@ sub vpn_log {
 sub addConnection {
     my ($peer, $tunnel, $conn_add, $conn_up) = @_;
     my $conn = "peer-$peer-tunnel-$tunnel";
+    $conn =~ s/peer-@/peer-/;
     push(@$conn_add, $conn);
     if ($peer ne '0.0.0.0') {
 	push(@$conn_up,  $conn);
@@ -963,6 +1011,7 @@ sub addConnection {
 sub replaceConnection {
     my ($peer, $tunnel, $conn_down, $conn_replace, $conn_up) = @_;
     my $conn = "peer-$peer-tunnel-$tunnel";
+    $conn =~ s/peer-@/peer-/;
     push(@$conn_down, $conn);
     push(@$conn_replace, $conn);
     if ($peer ne '0.0.0.0') {
@@ -1018,6 +1067,9 @@ sub isFullRestartRequired {
 	# FIXME: in reality this global doesn't affect every tunnel
 	
 	$restartf = 1;
+    } elsif (hasLocalWildcard($vcVPN, 0) != hasLocalWildcard($vcVPN, 1)) {
+	# local wild card has changed. this affects ipsec-interfaces.
+	$restartf = 1;
     }
     
     return $restartf;
@@ -1071,4 +1123,24 @@ sub printTreeOrig {
     }
 }
 
+sub hasLocalWildcard {
+    my $vc = shift;
+    my $orig = shift;
+    my @peers = $vc->listNodes('ipsec site-to-site peer');
+    if ($orig) {
+	@peers = $vc->listOrigNodes('ipsec site-to-site peer');
+    }
+    return 0 if (@peers == 0);
+    foreach my $peer (@peers) {
+	my $lip
+	    = $vcVPN->returnValue("ipsec site-to-site peer $peer local-ip");
+	if ($orig) {
+	    $lip = $vcVPN->returnOrigValue(
+				    "ipsec site-to-site peer $peer local-ip");
+	}
+	return 1 if ($lip eq '0.0.0.0');
+    }
+    return 0;
+}
+
 # end of file
diff --git a/templates/vpn/ipsec/site-to-site/peer/node.def b/templates/vpn/ipsec/site-to-site/peer/node.def
index e4e349e..2118990 100644
--- a/templates/vpn/ipsec/site-to-site/peer/node.def
+++ b/templates/vpn/ipsec/site-to-site/peer/node.def
@@ -4,3 +4,4 @@ help: Set VPN peers
 comp_help: Allowed values:
   <x.x.x.x>        Set IP address of the peer
   <text>           Set the hostname of the peer
+  @<text>          Set the ID of the peer
diff --git a/templates/vpn/ipsec/site-to-site/peer/node.tag/authentication/id/node.def b/templates/vpn/ipsec/site-to-site/peer/node.tag/authentication/id/node.def
new file mode 100644
index 0000000..c5e66c1
--- /dev/null
+++ b/templates/vpn/ipsec/site-to-site/peer/node.tag/authentication/id/node.def
@@ -0,0 +1,6 @@
+help: Set ID for peer authentication
+type: txt
+syntax:expression: pattern $VAR(@) "^@[a-zA-Z_][a-zA-Z0-9_-]*$"
+                     ; "invalid ID \"$VAR(@)\""
+comp_help:Possible completions:
+  @<text>       ID used for peer authentication