author | Saurabh Mohan <saurabh.mohan@vyatta.com> | 2012-06-04 16:40:24 -0700 |
---|---|---|
committer | Saurabh Mohan <saurabh.mohan@vyatta.com> | 2012-06-04 16:40:24 -0700 |
commit | d814767a9daa54cf10176aa923453d5246898b3f (patch) | |
tree | aa9647761ccc0c13e9b403729283c3c142886769 | |
parent | 1df15ff287d70b9e9689b987e335f4a8f35fd989 (diff) | |
VTI: bring the tunnel up or down based on ipsec-sa state.
-rw-r--r-- | Makefile.am | 2 | ||||
-rwxr-xr-x | scripts/vpn-config.pl | 8 | ||||
-rwxr-xr-x | scripts/vti-up-down.sh | 17 | ||||
-rwxr-xr-x | scripts/vyatta-vti-config.pl | 61 |
4 files changed, 72 insertions, 16 deletions
diff --git a/Makefile.am b/Makefile.am
index f3c732d..b657a9c 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -29,6 +29,8 @@ install-exec-hook:
 mkdir -p $(DESTDIR)/etc/ppp/ip-up.d
 mkdir -p $(DESTDIR)/etc/ppp/ip-down.d
 mkdir -p $(DESTDIR)/etc/dhcp3/dhclient-exit-hooks.d/
+ mkdir -p $(DESTDIR)/usr/lib/ipsec/
 cp scripts/vpn-ppp-up $(DESTDIR)/etc/ppp/ip-up.d/
 cp scripts/vpn-ppp-down $(DESTDIR)/etc/ppp/ip-down.d/
 cp scripts/ipsecd-dhclient-hook $(DESTDIR)/etc/dhcp3/dhclient-exit-hooks.d/ipsecd
+ cp scripts/vti-up-down.sh $(DESTDIR)/usr/lib/ipsec/
diff --git a/scripts/vpn-config.pl b/scripts/vpn-config.pl
index c708724..2d5b78f 100755
--- a/scripts/vpn-config.pl
+++ b/scripts/vpn-config.pl
@@ -1137,6 +1137,7 @@ if ( $vcVPN->exists('ipsec') ) {
 #
 # Mark setting for vti.
+ # and up/down script hook.
 #
 if ($isVti) {
 my $mark = $vcVPN->returnValue("ipsec site-to-site peer $peer vti mark");
@@ -1152,6 +1153,13 @@ if ( $vcVPN->exists('ipsec') ) {
 $genout .= "\tmark=$mark\n";
 }
 }
+ # up/down script hook.
+ my $tunName = $vcVPN->returnValue("ipsec site-to-site peer $peer vti bind");
+ if (!defined($tunName)) {
+ vpn_die(["vpn","ipsec","site-to-site","peer",$peer,"vti","bind"],
+ "$vpn_cfg_err No interface bind specified for peer \"$peer\" vti\n");
+ }
+ $genout .= "\tleftupdown=\"/usr/lib/ipsec/vti-up-down.sh $tunName\"\n";
 }
 #
diff --git a/scripts/vti-up-down.sh b/scripts/vti-up-down.sh
new file mode 100755
index 0000000..efa4118
--- /dev/null
+++ b/scripts/vti-up-down.sh
@@ -0,0 +1,17 @@
+#!/bin/sh
+## Script called up strongswan to bring the vti interface up/down based on the state of the IPSec tunnel.
+## Called as vti_up_down vti_intf_name
+
+source /etc/default/vyatta
+source /etc/default/locale
+case "$PLUTO_VERB" in
+route-client)
+/opt/vyatta/sbin/vyatta-vti-config.pl --updown --intf=$1 --action=up
+ ;;
+down-client)
+/opt/vyatta/sbin/vyatta-vti-config.pl --updown --intf=$1 --action=down
+ ;;
+*)
+ ;;
+esac
+
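Review bot: The new `leftupdown=` line splices `$tunName` into a quoted shell command that strongswan later hands to a shell, and the only check before that is `defined`; the `vti bind` value is presumably constrained by the config template, but nothing in this hunk enforces its shape. A second guard next to the existing one keeps the failure at commit time, e.g. `if ($tunName !~ /\A[\w.-]+\z/) { vpn_die(["vpn","ipsec","site-to-site","peer",$peer,"vti","bind"], "$vpn_cfg_err Invalid interface name \"$tunName\" for peer \"$peer\" vti\n"); }`. The surrounding `if ($isVti)` block closes at the end of the hunk, but the enclosing `if ( $vcVPN->exists('ipsec') )` body starts and ends outside it.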
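Review bot: `source /etc/default/vyatta` and `source /etc/default/locale` are a bash builtin under a `#!/bin/sh` shebang; if `/bin/sh` is dash (the Debian default, which this platform appears to build on) both lines fail with "source: not found" before the `case` is reached, so the hook never calls the Perl script. The portable form is `. /etc/default/vyatta` and `. /etc/default/locale`. The positional parameter is also passed unquoted in both branches; `--intf="$1"` keeps an empty or whitespace-containing argument as one word instead of silently changing the argument count. The header comment reads "called up strongswan" where "called by strongswan" is meant.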
diff --git a/scripts/vyatta-vti-config.pl b/scripts/vyatta-vti-config.pl
index 40b9ec6..aa1efee 100755
--- a/scripts/vyatta-vti-config.pl
+++ b/scripts/vyatta-vti-config.pl
@@ -1,6 +1,6 @@
 #!/usr/bin/perl -w
 #
-# Module: vpn-config.pl
+# Module: vyatta-vti-config.pl
 #
 # **** License ****
 # This program is free software; you can redistribute it and/or modify
@@ -16,7 +16,7 @@
 # Portions created by Vyatta are Copyright (C) 2006, 2007, 2008, 2009 Vyatta, Inc.
 # All Rights Reserved.
 #
-# Authors: Justin Fletcher, Marat Nepomnyashy
+# Authors: Saurabh Mohan
 # Date: 2012
 # Description: setup the vti tunnel
 #
@@ -34,16 +34,38 @@
 use strict;
 use lib "/opt/vyatta/share/perl5";
-use Vyatta::TypeChecker;
-use Vyatta::VPN::Util;
 use Getopt::Long;
-use Vyatta::Misc;
-use NetAddr::IP;
 my $vti_cfg_err = "VPN VTI configuration error:";
 my $gencmds = "";
 my $result = 0;
+my $updown="";
+my $intfName="";
+my $action="";
+
+GetOptions(
+ "updown" => \$updown,
+ "intf=s" => \$intfName,
+ "action=s" => \$action,
+);
+
+ #
+ # --updown intfName --action=[up|down]
+ #
+if ($updown ne '') {
+ if (!(defined $intfName) || $intfName eq '' ) {
+ # invalid
+ exit -1;
+ }
+ if (!(defined $action) || $action eq '' ) {
+ # invalid
+ exit -1;
+ }
+ vti_handle_updown($intfName, $action);
+ exit 0;
+}
 #
 # Prepare Vyatta::Config object
@@ -110,8 +132,6 @@ if (@peers == 0) {
 if (!defined($mtu) || $mtu eq "") {
 $mtu = 1500;
 }
- # disabled or not.
- my $disabled = $vcIntf->exists("vti $tunName disabled");
 #my $exists = `ls -l /sys/class/net/$tunName &> /dev/null`;
 # description.
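Review bot: Both validation failures in the new `--updown` branch do `exit -1;` with no message, which the calling shell sees as status 255 and which leaves nothing in the log when strongswan's hook invokes the script with a missing interface or action. Report the reason with the prefix the file already defines and use a conventional status: `print STDERR "$vti_cfg_err --updown requires --intf and --action\n"; exit 1;` in place of each `# invalid` / `exit -1;` pair. The return value of `GetOptions` is also ignored, so an unrecognised option falls through into the normal configuration path; `GetOptions(...) or exit 1;` would make that explicit. This hunk is a top-level statement run, so no enclosing block is cut.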
@@ -121,18 +141,13 @@ if (@peers == 0) {
 # Set the configuration into the output string.
 #
 # By default we delete the tunnel...
- $gencmds .= "sudo /sbin/ip tunnel del $tunName &> /dev/null\n";
- $gencmds .= "sudo /sbin/ip tunnel add $tunName mode esp remote $peer local $lip ikey $mark\n";
+ $gencmds .= "sudo /sbin/ip link delete $tunName type vti &> /dev/null\n";
+ $gencmds .= "sudo /sbin/ip link add $tunName type vti key $mark remote $peer local $lip\n";
 foreach my $tunIP (@tunIPs) {
 $gencmds .= "sudo /sbin/ip addr add $tunIP dev $tunName\n";
 }
 $gencmds .= "sudo /sbin/ip link set $tunName mtu $mtu\n";
- if (! $disabled) {
- # @SM TODO: Don not bring the tunnel link-state up till strongswan does it.
- $gencmds .= "sudo /sbin/ip link set $tunName up\n";
- # @SM TODO: Add the static routes over this tunnel...
- }
 if (defined($description)) {
 $gencmds .= "if [ -d /sys/class/net/$tunName ] ; then\n\tsudo echo \"$description\" > /sys/class/net/$tunName/ifalias\nfi\n";
 }
@@ -141,7 +156,6 @@ if (@peers == 0) {
 if ($gencmds ne "") {
 open my $output_config, '>', '/tmp/vti_config' or die "Can't open /tmp/vti_config $!";
 print ${output_config} "#!/bin/sh\n";
- print ${output_config} "sudo modprobe ip_vti\n";
 print ${output_config} $gencmds;
 close $output_config;
 `chmod 755 /tmp/vti_config`;
@@ -150,3 +164,18 @@ if ($gencmds ne "") {
 #@SM TODO: remove /tmp/vti_config;
 }
 exit $result;
+
+
+#
+# Handle VTI tunnel state based on input from strongswan and configuration.
+#
+sub vti_handle_updown {
+ my ($intfName, $action) = @_;
+ use Vyatta::Config;
+ my $vcIntf = new Vyatta::Config();
+ $vcIntf->setLevel('interfaces');
+ my $disabled = $vcIntf->exists("vti $intfName disabled");
+ if (!defined($disabled) || ! $disabled) {
+ system("sudo /sbin/ip link set $intfName $action\n");
+ }
+}
|
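Review bot: The new `ip link delete ... &> /dev/null` line uses a bash-only redirection, but the generated file is written with a `#!/bin/sh` shebang (visible in the next hunk); a POSIX sh such as dash parses `cmd &> file` as `cmd &` followed by `> file`, so the delete is backgrounded and races the `ip link add` on the next line, and the error it was meant to hide is still printed. The removed `ip tunnel del` line had the same form, so this is carried over rather than introduced, but it is worth fixing while the line is being rewritten: `$gencmds .= "sudo /sbin/ip link delete $tunName type vti > /dev/null 2>&1\n";`. The `foreach` over peers that encloses these lines starts and ends outside the hunk.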
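Review bot: `vti_handle_updown` passes `$intfName` and `$action` straight from the command line into `system("sudo /sbin/ip link set $intfName $action\n")`, a string form that goes through a shell, and nothing restricts `$action` to the two verbs the hook script sends; the interface name reaches the shell unquoted as well, and a non-zero status from `ip` is dropped. Restrict the action to `up`/`down`, use the list form of `system` so no shell is involved, and report a failure. The `use Vyatta::Config;` inside the sub runs at compile time regardless of where it sits and is clearer next to `use Getopt::Long;` at the top of the file; `new Vyatta::Config()` is indirect object syntax and reads better as `Vyatta::Config->new()`. `$vti_cfg_err` is the file lexical declared earlier, so it is visible in the sub.
```perl
sub vti_handle_updown {
    my ($intfName, $action) = @_;
    # Only the two verbs the up/down hook passes are meaningful; anything else
    # is refused before it reaches the privileged ip(8) call.
    if ($action ne 'up' && $action ne 'down') {
        print STDERR "$vti_cfg_err Unknown action \"$action\" for vti $intfName\n";
        return;
    }
    my $vcIntf = Vyatta::Config->new();
    $vcIntf->setLevel('interfaces');
    my $disabled = $vcIntf->exists("vti $intfName disabled");
    if (!defined($disabled) || ! $disabled) {
        # List form: no shell, so the interface name is a single argument and
        # a failing status is reported instead of silently dropped.
        if (system('sudo', '/sbin/ip', 'link', 'set', $intfName, $action) != 0) {
            print STDERR "$vti_cfg_err ip link set $intfName $action failed: $?\n";
        }
    }
}
```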