authorBob Gilligan <gilligan@vyatta.com>2009-04-06 16:38:48 -0700
committerBob Gilligan <gilligan@vyatta.com>2009-04-06 16:38:48 -0700
commitec8ba320d17653ac619a284dd6dd62e104531270 (patch)
treeeef7960a94624fd17d9fa8d345760430e1e4f150
parent0686919dca6c7555db90e99eb12ef509bd2422d5 (diff)
Bugfix 2387: Don't list interfaces in ipsec config file.
The "interfaces=..." entry in the /etc/ipsec.conf file needs to list the actual interfaces we are using only if the underlying kernel IPsec support is provided by KLIPS. In our case, we are using NETKEY, so we don't need to list our interfaces there. Not listing them makes ipsec startup a bit more robust.
-rwxr-xr-xscripts/vpn-config.pl45
1 files changed, 29 insertions, 16 deletions
diff --git a/scripts/vpn-config.pl b/scripts/vpn-config.pl
index bff9005..b6cecaa 100755
--- a/scripts/vpn-config.pl
+++ b/scripts/vpn-config.pl
@@ -54,6 +54,10 @@ my $error = 0;
my $genout;
my $genout_secrets;
+# Set $using_klips to 1 if kernel IPsec support is provided by KLIPS.
+# Set it to 0 us using NETKEY.
+my $using_klips = 0;
+
$genout .= "# generated by $0\n\n";
$genout_secrets .= "# generated by $0\n\n";
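Review bot: The comment above the new `$using_klips` declaration has a typo — `# Set it to 0 us using NETKEY.` should read `# Set it to 0 if using NETKEY.`. Because the value is hard-coded to 0 here, the KLIPS branch it guards in the second hunk (`if ($using_klips) {`) is unreachable as committed; if NETKEY is the only backend this package targets, stating that in the comment, or expressing the switch as `use constant USING_KLIPS => 0;`, would make the intent explicit, and if KLIPS is meant to remain selectable the value presumably needs to come from the running system rather than a literal. The run of top-level statements this hunk sits in starts before and continues past it.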
@@ -224,25 +228,34 @@ if ($vcVPN->exists('ipsec')) {
$error = 1;
print STDERR "VPN configuration error. No IPSEC interfaces specified.\n";
} else {
- $genout .= "\tinterfaces=\"";
- my $counter = 0;
- foreach my $interface (@interfaces) {
- if (!(-d "/sys/class/net/$interface")) {
- next;
- }
- if ($counter > 0) {
- $genout .= ' ';
+ # We need to generate an "interfaces=..." entry in the setup section
+ # only if the underlying IPsec kernel code we are using is KLIPS.
+ # If we are using NETKEY, the "interfaces=..." entry is essentially
+ # not used, though we do need to include the line and the keyword
+ # "%none" to keep the IPsec setup code from defaulting the entry.
+ if ($using_klips) {
+ $genout .= "\tinterfaces=\"";
+ my $counter = 0;
+ foreach my $interface (@interfaces) {
+ if (!(-d "/sys/class/net/$interface")) {
+ next;
+ }
+ if ($counter > 0) {
+ $genout .= ' ';
+ }
+ $genout .= "ipsec$counter=$interface";
+ ++$counter;
}
- $genout .= "ipsec$counter=$interface";
- ++$counter;
- }
- if (hasLocalWildcard($vcVPN, 0)) {
- if ($counter > 0) {
- $genout .= ' ';
+ if (hasLocalWildcard($vcVPN, 0)) {
+ if ($counter > 0) {
+ $genout .= ' ';
+ }
+ $genout .= '%defaultroute';
}
- $genout .= '%defaultroute';
+ $genout .= "\"\n";
+ } else {
+ $genout .= "\tinterfaces=\"%none\"\n";
}
- $genout .= "\"\n";
}
#