author | John Southworth <john.southworth@vyatta.com> | 2011-02-08 19:05:31 -0600 |
---|---|---|
committer | John Southworth <john.southworth@vyatta.com> | 2011-02-08 19:05:31 -0600 |
commit | 0d8c8590ee13c19609c350a86c3fb1f63245b86f (patch) | |
tree | d3e098ebe016ca46ee6ddc0a8ae216540dc43ad2 | |
parent | 0ba241641e5543593b7d77d9a349f6f41fdd9d95 (diff) | |
download | vyatta-cfg-vpn-0d8c8590ee13c19609c350a86c3fb1f63245b86f.tar.gz vyatta-cfg-vpn-0d8c8590ee13c19609c350a86c3fb1f63245b86f.zip |
Initial x509 for site-to-site ipsec vpn
9 files changed, 87 insertions, 2 deletions
diff --git a/scripts/vpn-config.pl b/scripts/vpn-config.pl index 3aba73f..f265f55 100755 --- a/scripts/vpn-config.pl +++ b/scripts/vpn-config.pl @@ -47,6 +47,10 @@ GetOptions( "secrets_file=s" => \$secrets_file, "init_script=s" => \$init_script ); +my $CA_CERT_PATH = '/etc/ipsec.d/cacerts'; +my $CRL_PATH = '/etc/ipsec.d/crls'; +my $SERVER_CERT_PATH = '/etc/ipsec.d/certs'; +my $SERVER_KEY_PATH = '/etc/ipsec.d/private'; my $vpn_cfg_err = "VPN configuration error:"; my $clustering_ip = 0; @@ -520,7 +524,7 @@ if ( $vcVPN->exists('ipsec') ) { $right = $peer; } $genout .= "\tright=$right\n"; - $genout .= "\trightid=$rightid\n" if ( defined($rightid) ); + $genout .= "\trightid=\"$rightid\"\n" if ( defined($rightid) ); if ($any_peer) { $genout .= "\trekey=no\n"; } @@ -951,6 +955,9 @@ if ( $vcVPN->exists('ipsec') ) { $prev_peer = $peer; } $genout .= "\tauthby=secret\n"; + } elsif ( defined($auth_mode) && $auth_mode eq 'x509') { + $genout .= get_x509($peer); + $genout_secrets .= get_x509_secret($peer); } elsif ( defined($auth_mode) && $auth_mode eq 'rsa' ) { unless ( -r $local_key_file ) { 
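Review bot: The new `$auth_mode eq 'x509'` branch authenticates the peer only through the `rightca=%same` / `rightrsasigkey=%cert` lines that get_x509 emits plus whatever `$rightid` the earlier hunk wrote, and nothing requires a remote identity to be configured; when none is set the IKE daemon's fallback identity matching decides which certificates from that CA are accepted, and for the `$any_peer` case that visibly means any certificate the CA ever issued can bring up the tunnel. Consider refusing x509 without an explicit remote identity, `vpn_die([split(' ', "vpn ipsec site-to-site peer $peer authentication")], "$vpn_cfg_err x509 authentication for peer \"$peer\" requires an explicit remote identity") unless defined($rightid);`, or at least documenting in the help text that the CA, not the peer identity, is the trust anchor. Whether `$rightid` is in scope at this point is inferred from the hunk at line 524, not shown here, and the enclosing `if ( $vcVPN->exists('ipsec') )` block begins and ends outside this hunk.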
@@ -1277,4 +1284,69 @@ sub CheckIfAddressInsideNetwork { return 0; } +sub get_x509 { + my $peer = pop(@_); + # Setup x509, based on the L2TP x509 code + # + ## check that proper nodes are defined. + my $path = "vpn ipsec site-to-site peer $peer authentication x509 "; + my $cacrt = $vcVPN->returnValue("ipsec site-to-site peer $peer authentication x509 ca-cert-file"); + vpn_die([split(' ', ($path."ca-cert-file"))], + "$vpn_cfg_err No CA certificate for peer \"$peer\" specified.\n") if !defined($cacrt); + my $crl = $vcVPN->returnValue("ipsec site-to-site peer $peer authentication x509 crl-file"); + my $crt = $vcVPN->returnValue("ipsec site-to-site peer $peer authentication x509 cert-file"); + vpn_die([split(' ', ($path."cert-file"))], + "$vpn_cfg_err No Certificate for peer \"$peer\" specified.\n") if !defined($crt); + my $key = $vcVPN->returnValue("ipsec site-to-site peer $peer authentication x509 key file"); + vpn_die([split(' ', ($path."key-file"))], + "$vpn_cfg_err No Key for peer \"$peer\" specified.\n") if !defined($key); + + # Verify the files exist + vpn_die([split(' ', ($path."ca-cert-file"))] , "Invalid ca-cert-file \"$cacrt\"") + if (! -f $cacrt); + vpn_die([split(' ', ($path."cert-file"))] , "Invalid server-cert-file \"$crt\"") + if (! -f $crt); + vpn_die([split(' ', ($path."key-file"))] , "Invalid server-key-file \"$key\"" ) + if (! -f $key); + + + # Copy files to the ipsec directory + system("cp -f $cacrt $CA_CERT_PATH/"); + vpn_die([split(' ', ($path."ca-cert-file"))] , "Cannot copy ca-cert-file \"$cacrt\"") + if ($? >> 8); + system("cp -f $crt $SERVER_CERT_PATH/"); + vpn_die([split(' ', ($path."cert-file"))] , "Cannot copy cert-file \"$crt\"") + if ($? >> 8); + system("cp -f $key $SERVER_KEY_PATH/"); + vpn_die([split(' ', ($path."key-file"))] , "Cannot copy key-file \"$key\"" ) + if ($? >> 8); + + # Handle CRL file if it is defined + if (defined($crl)) { + vpn_die([split(' ', ($path."crl-file"))], "Invalid crl-file \"$crl\"") + if (! 
-f $crl); + system("cp -f $crl $CRL_PATH/"); + vpn_die([split(' ', ($path."crl-file"))], "Cannot copy crl-file \"$crl\"") + if ($? >> 8); + } + $crt =~ s/^.*(\/[^\/]+)$/${SERVER_CERT_PATH}$1/; + my $auth_str = "\tauthby=rsasig\n"; + $auth_str .= "\tleftrsasigkey=%cert\n"; + $auth_str .= "\trightrsasigkey=%cert\n"; + $auth_str .= "\trightca=%same\n"; + $auth_str .= "\tleftcert=$crt\n"; + return $auth_str; +} + +sub get_x509_secret { + my $peer = pop(@_); + my $key_file = $vcVPN->returnValue("ipsec site-to-site peer $peer authentication x509 key file"); + my $key_pass = $vcVPN->returnValue("ipsec site-to-site peer $peer authentication x509 key password"); + my $pstr = (defined($key_pass) ? " \"$key_pass\"" : ''); + $key_file =~ s/^.*(\/[^\/]+)$/${SERVER_KEY_PATH}$1/; + my $str = ": RSA ${key_file}$pstr \n"; + return $str; +} + + # end of file diff --git a/templates/vpn/ipsec/site-to-site/peer/node.tag/authentication/mode/node.def b/templates/vpn/ipsec/site-to-site/peer/node.tag/authentication/mode/node.def index 25f5f66..d717730 100644 --- a/templates/vpn/ipsec/site-to-site/peer/node.tag/authentication/mode/node.def +++ b/templates/vpn/ipsec/site-to-site/peer/node.tag/authentication/mode/node.def @@ -1,6 +1,7 @@ help: Authentication mode type: txt default: "pre-shared-secret" -syntax:expression: $VAR(@) in "pre-shared-secret", "rsa"; "must be pre-shared-secret or rsa" +syntax:expression: $VAR(@) in "pre-shared-secret", "x509", "rsa"; "must be pre-shared-secret, x509, or rsa" val_help: pre-shared-secret; Use pre-shared secret key val_help: rsa; Use RSA key +val_help: x509; Use X.509 certificate diff --git a/templates/vpn/ipsec/site-to-site/peer/node.tag/authentication/x509/ca-cert-file/node.def b/templates/vpn/ipsec/site-to-site/peer/node.tag/authentication/x509/ca-cert-file/node.def new file mode 100644 index 0000000..819e990 --- /dev/null +++ b/templates/vpn/ipsec/site-to-site/peer/node.tag/authentication/x509/ca-cert-file/node.def 
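Review bot: The four `system("cp -f $cacrt $CA_CERT_PATH/")`-style calls in get_x509 pass configuration-supplied paths through a shell unquoted, so a path containing whitespace or shell metacharacters is word-split or interpreted instead of copied; the preceding `-f` checks do not prevent this, since they only test existence and not the characters in the path. The list form `system('cp', '-f', $cacrt, "$CA_CERT_PATH/")` runs cp without a shell. Separately, the `s/^.*(\/[^\/]+)$/.../` rewrites of `$crt` here and of `$key_file` in get_x509_secret only match when the path contains a `/`, so a bare filename is copied into the ipsec directory but then emitted as a relative `leftcert=` / `: RSA` path; taking the basename unconditionally fixes both. `cp -f` also carries the source file's permission bits across, so the copy placed in `$SERVER_KEY_PATH` is no tighter than the uploaded key — presumably a `chmod 0600` on the copied key is wanted, to be confirmed against how that directory is provisioned.
```perl
    # … unchanged: config-node and existence checks …

    # Copy files to the ipsec directory. List-form system() runs cp without
    # a shell, so a configured path containing spaces or metacharacters is
    # passed through as one argument instead of being interpreted.
    system('cp', '-f', $cacrt, "$CA_CERT_PATH/");
    vpn_die([split(' ', ($path."ca-cert-file"))] , "Cannot copy ca-cert-file \"$cacrt\"")
        if ($? >> 8);
    system('cp', '-f', $crt, "$SERVER_CERT_PATH/");
    vpn_die([split(' ', ($path."cert-file"))] , "Cannot copy cert-file \"$crt\"")
        if ($? >> 8);
    system('cp', '-f', $key, "$SERVER_KEY_PATH/");
    vpn_die([split(' ', ($path."key-file"))] , "Cannot copy key-file \"$key\"" )
        if ($? >> 8);

    # Handle CRL file if it is defined
    if (defined($crl)) {
        vpn_die([split(' ', ($path."crl-file"))], "Invalid crl-file \"$crl\"")
            if (! -f $crl);
        system('cp', '-f', $crl, "$CRL_PATH/");
        vpn_die([split(' ', ($path."crl-file"))], "Cannot copy crl-file \"$crl\"")
            if ($? >> 8);
    }

    # Point leftcert at the copy by basename, so a path with no directory
    # component still resolves inside $SERVER_CERT_PATH rather than being
    # written out as a relative path.
    my ($crt_base) = $crt =~ m{([^/]+)\z};
    $crt = "$SERVER_CERT_PATH/$crt_base";
    # … unchanged: $auth_str assembly and return …
```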
@@ -0,0 +1,2 @@ +type: txt +help: File containing the X.509 certificate for the Certificate Authority (CA) diff --git a/templates/vpn/ipsec/site-to-site/peer/node.tag/authentication/x509/cert-file/node.def b/templates/vpn/ipsec/site-to-site/peer/node.tag/authentication/x509/cert-file/node.def new file mode 100644 index 0000000..1c75264 --- /dev/null +++ b/templates/vpn/ipsec/site-to-site/peer/node.tag/authentication/x509/cert-file/node.def @@ -0,0 +1,2 @@ +type: txt +help: File containing the X.509 certificate for the remote access VPN server (this host) diff --git a/templates/vpn/ipsec/site-to-site/peer/node.tag/authentication/x509/crl-file/node.def b/templates/vpn/ipsec/site-to-site/peer/node.tag/authentication/x509/crl-file/node.def new file mode 100644 index 0000000..ce49e36 --- /dev/null +++ b/templates/vpn/ipsec/site-to-site/peer/node.tag/authentication/x509/crl-file/node.def @@ -0,0 +1,2 @@ +type: txt +help: File containing the X.509 Certificate Revocation List (CRL) diff --git a/templates/vpn/ipsec/site-to-site/peer/node.tag/authentication/x509/key/file/node.def b/templates/vpn/ipsec/site-to-site/peer/node.tag/authentication/x509/key/file/node.def new file mode 100644 index 0000000..0396c3e --- /dev/null +++ b/templates/vpn/ipsec/site-to-site/peer/node.tag/authentication/x509/key/file/node.def @@ -0,0 +1,2 @@ +type: txt +help: File containing the private key for the X.509 certificate for the remote access VPN server (this host) diff --git a/templates/vpn/ipsec/site-to-site/peer/node.tag/authentication/x509/key/node.def b/templates/vpn/ipsec/site-to-site/peer/node.tag/authentication/x509/key/node.def new file mode 100644 index 0000000..d891c7b --- /dev/null +++ b/templates/vpn/ipsec/site-to-site/peer/node.tag/authentication/x509/key/node.def @@ -0,0 +1 @@ +help: Key file and password to open it 
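Review bot: The help text for `cert-file` (and likewise `key/file`) describes "the remote access VPN server (this host)", which reads as copied from the L2TP templates; under `site-to-site peer` it should name the local end of the tunnel, e.g. `help: File containing the X.509 certificate for this host (local end of the site-to-site tunnel)`. These path nodes are also plain `type: txt` with no `syntax:expression:` line, so whatever the operator types reaches the `cp` command in vpn-config.pl unchecked; a template-level check rejecting relative paths and whitespace, in whatever form the template language supports, would back up the script's own validation. Each of these hunks is a complete new file.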
diff --git a/templates/vpn/ipsec/site-to-site/peer/node.tag/authentication/x509/key/password/node.def b/templates/vpn/ipsec/site-to-site/peer/node.tag/authentication/x509/key/password/node.def new file mode 100644 index 0000000..0667ea6 --- /dev/null +++ b/templates/vpn/ipsec/site-to-site/peer/node.tag/authentication/x509/key/password/node.def @@ -0,0 +1,2 @@ +type: txt +help: Password that protects the private key diff --git a/templates/vpn/ipsec/site-to-site/peer/node.tag/authentication/x509/node.def b/templates/vpn/ipsec/site-to-site/peer/node.tag/authentication/x509/node.def new file mode 100644 index 0000000..81ed780 --- /dev/null +++ b/templates/vpn/ipsec/site-to-site/peer/node.tag/authentication/x509/node.def @@ -0,0 +1 @@ +help: X.509 certificate |
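Review bot: `key password` is a `type: txt` node, so the private-key passphrase is held in cleartext in the configuration and, per get_x509_secret in this commit, written verbatim into the IPsec secrets file; the help text should say so, and this diff does not show the permissions the secrets file is written with. Consider `help: Password that protects the private key (stored in cleartext in the configuration and in the IPsec secrets file)`. A password containing a double quote also produces a malformed `: RSA file "pass"` line, since get_x509_secret interpolates it without escaping.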