author | zsdc <taras@vyos.io> | 2020-07-24 23:23:14 +0300 |
---|---|---|
committer | zsdc <taras@vyos.io> | 2020-07-30 19:09:44 +0300 |
commit | cec720d0fd241f656100b10674bf2c7c4f02b4ea (patch) | |
tree | 842a337724998fa7e99f8ab37fdfd85cd0b66d7e | |
parent | 66a3c73455d80adc920d4120fb31a9b0070b4158 (diff) | |
IPSec tunnels: T2728: Fixed protocol selector for tunnels
The protocol selector used for tunnels in transport mode was ignored by the configuration script.
This commit adds it as part of left|rightsubnet, as required by strongSwan.
-rwxr-xr-x | scripts/vpn-config.pl | 23 |
1 files changed, 23 insertions, 0 deletions
diff --git a/scripts/vpn-config.pl b/scripts/vpn-config.pl
index 582e3a7..d1ae5a8 100755
--- a/scripts/vpn-config.pl
+++ b/scripts/vpn-config.pl
@@ -928,6 +928,29 @@ if ($vcVPN->exists('ipsec')) {
 if ($isVti == 1) {
 vpn_die(["vpn","ipsec","site-to-site","peer",$peer,"$tunKeyword"],"$vpn_cfg_err Can not use transport mode for \"$peer\" with vti\n");
 }
+ # Processing protocol selector for a tunnel
+ my $protocol = $vcVPN->returnValue("ipsec site-to-site peer $peer $tunKeyword protocol");
+ if (defined($protocol)) {
+ # Replace 'all' with the proper variant for strongSwan
+ if ($protocol eq 'all') {
+ $protocol = '%any';
+ }
+ # Transport mode with protocol selector can be used only together with left|rightsubnet
+ # Thus, we need to be sure that it is possible to generate their values from left/right
+ my $left_ip = new NetAddr::IP $vcVPN->returnValue("ipsec site-to-site peer $peer local-address");
+ if ($left_ip->addr eq '0.0.0.0') {
+ vpn_die(["vpn","ipsec","site-to-site","peer",$peer,"$tunKeyword"],"$vpn_cfg_err It is not possible to use transport mode ESP ".
+ "group and protocol selector without predefined static \"local-address\"\n");
+ }
+ my $right_ip = new NetAddr::IP $peer;
+ if ($right_ip->addr eq '0.0.0.0') {
+ vpn_die(["vpn","ipsec","site-to-site","peer",$peer,"$tunKeyword"],"$vpn_cfg_err It is not possible to use transport mode ESP ".
+ "group and protocol selector together with a peer without predefined IP address\n");
+ }
+ # Generate a config for using with the protocol selector
+ $genout .= "\tleftsubnet=$left_ip\[$protocol\]\n";
+ $genout .= "\trightsubnet=$right_ip\[$protocol\]\n";
+ }
 }
 $genout .= "\ttype=$espmode\n"; |
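Review bot: The two `new NetAddr::IP` calls on the new side assume construction succeeded, but NetAddr::IP hands back undef for input it cannot parse — presumably an unset `local-address`, or a peer written as an `@id` or an unresolvable name — and `$left_ip->addr` / `$right_ip->addr` then die with a bare Perl runtime error instead of the `vpn_die` configuration error the neighbouring checks raise. Test `defined` before `->addr`, e.g. `if (!defined($left_ip) || $left_ip->addr eq '0.0.0.0') {`, and prefer `NetAddr::IP->new(...)` over the indirect-object form. `$protocol` is also written verbatim into `leftsubnet=…[$protocol]`; unless the CLI template already restricts it, reject anything that is not a protocol name or number (or the substituted `%any`) before it reaches ipsec.conf, since a stray `]`, whitespace or a newline would corrupt the generated conn section. The `0.0.0.0` comparison only recognises an IPv4 wildcard; if `local-address` may be IPv6, the `::` case slips through — confirm against the CLI definition. The enclosing `if ($vcVPN->exists('ipsec'))` block and the per-peer loop start and end outside this hunk.

```perl
# … unchanged: 'all' -> '%any' replacement …
# Only a bare protocol name or number (or %any) may be written into ipsec.conf
if ($protocol ne '%any' && $protocol !~ /\A[A-Za-z0-9]+\z/) {
    vpn_die(["vpn","ipsec","site-to-site","peer",$peer,"$tunKeyword"],"$vpn_cfg_err Invalid protocol selector \"$protocol\"\n");
}
# NetAddr::IP returns undef for unparsable input; catch that before calling ->addr
my $left_ip = NetAddr::IP->new($vcVPN->returnValue("ipsec site-to-site peer $peer local-address"));
if (!defined($left_ip) || $left_ip->addr eq '0.0.0.0') {
    vpn_die(["vpn","ipsec","site-to-site","peer",$peer,"$tunKeyword"],"$vpn_cfg_err It is not possible to use transport mode ESP ".
        "group and protocol selector without predefined static \"local-address\"\n");
}
my $right_ip = NetAddr::IP->new($peer);
if (!defined($right_ip) || $right_ip->addr eq '0.0.0.0') {
    vpn_die(["vpn","ipsec","site-to-site","peer",$peer,"$tunKeyword"],"$vpn_cfg_err It is not possible to use transport mode ESP ".
        "group and protocol selector together with a peer without predefined IP address\n");
}
# … unchanged: leftsubnet/rightsubnet generation …
```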