author | Mohit Mehta <mohit.mehta@vyatta.com> | 2009-12-22 12:29:25 -0800 |
---|---|---|
committer | Mohit Mehta <mohit.mehta@vyatta.com> | 2009-12-22 12:29:25 -0800 |
commit | eb6d27497bab9e82218d8999778f7b4959fd34ea (patch) | |
tree | e9dd08c3a7bbc58fd41237af1955963192fad2cd | |
parent | 7fab51307ecaf65a7da880f60a97a73bda87e5c7 (diff) | |
use leftsourceip to add route to remote subnetkenwood-strongswan
-rwxr-xr-x | scripts/vpn-config.pl | 55 |
1 files changed, 55 insertions, 0 deletions
diff --git a/scripts/vpn-config.pl b/scripts/vpn-config.pl
index 483dec2..7b783db 100755
--- a/scripts/vpn-config.pl
+++ b/scripts/vpn-config.pl
@@ -36,6 +36,7 @@ use constant VPN_MAX_PROPOSALS => 10;
 use Vyatta::VPN::Util;
 use Getopt::Long;
 use Vyatta::Misc;
+use NetAddr::IP;
 my $changes_dir;
 my $newconfig_dir;
@@ -504,6 +505,16 @@ if ( $vcVPN->exists('ipsec') ) {
 my $conn_head = "\nconn peer-$peer-tunnel-$tunnel\n";
 $conn_head =~ s/ peer-@/ peer-/;
 $genout .= $conn_head;
+
+ # -> leftsourceip is the internal source IP to use in a tunnel
+ # -> we use leftsourceip to add a route to the rightsubnet
+ only when rightsubnet is defined and is not 0.0.0.0/0. we do not
+ want to add a vpn route for everything i.e. rightsubnet = 0.0.0.0/0
+ # -> if leftsubnet is defined and is not 0.0.0.0/0; we try and find
+ an interface on the system that has an IP address lying within
+ the leftsubnet and use that as leftsourceip. if leftsubnet is not
+ defined or is 0.0.0.0/0 then we use local-ip as leftsourceip.
+ my $leftsourceip = undef;
 #
 # Assign left and right to local and remote interfaces
@@ -518,10 +529,12 @@ if ( $vcVPN->exists('ipsec') ) {
 } else {
 $genout .= "\tleft=%defaultroute\n";
 $genout .= "\tleftid=$authid\n";
+ $leftsourceip = "\tleftsourceip=%defaultroute\n";
 }
 } else {
 $genout .= "\tleft=$lip\n";
 $genout .= "\tleftid=$authid\n" if defined $authid;
+ $leftsourceip = "\tleftsourceip=$lip\n";
 }
 }
@@ -541,6 +554,7 @@ if ( $vcVPN->exists('ipsec') ) {
 or $any_peer == 1 )
 {
 $right = '%any';
+ $any_peer = 1;
 } else {
 $right = $peer;
 }
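Review bot: In the `@@ -518` hunk, `$leftsourceip = "\tleftsourceip=%defaultroute\n";` emits a value that strongSwan's ipsec.conf may not accept for this keyword: as far as I recall, `leftsourceip` takes an IP address or one of `%config`/`%cfg`/`%modeconfig`/`%modecfg` (request a virtual IP from the peer), while `%defaultroute` is documented for `left=`, so this branch could make the whole conn fail to load instead of installing the route — worth confirming against the strongSwan version this branch targets. If it is rejected, leaving `$leftsourceip` undef in the `%defaultroute` branch (so no line is written) is the safe fallback, since the interface search in the later `@@ -558` hunk still fills it in whenever a concrete leftsubnet is configured, and the `$lip` branch below already emits a real address. The surrounding if/else chain starts before and ends after this hunk.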
@@ -558,8 +572,22 @@ if ( $vcVPN->exists('ipsec') ) {
 if ( defined($leftsubnet) && $leftsubnet eq 'any' ) {
 $leftsubnet = '0.0.0.0/0';
 }
+
 if ( defined($leftsubnet) ) {
 $genout .= "\tleftsubnet=$leftsubnet\n";
+ if (!($leftsubnet eq '0.0.0.0/0')) {
+ my $localsubnet_object = new NetAddr::IP($leftsubnet);
+ # leftsourceip should now be an IP on system lying within the leftsubnet
+ my @system_ips = Vyatta::Misc::getIP(undef, '4');
+ foreach my $system_ip (@system_ips) {
+ my $systemip_object = new NetAddr::IP($system_ip);
+ if (CheckIfAddressInsideNetwork(
+ $systemip_object, $localsubnet_object)) {
+ my $sourceip = $systemip_object->addr();
+ $leftsourceip = "\tleftsourceip=$sourceip\n";
+ }
+ }
+ }
 }
 my $remotesubnet = $vcVPN->returnValue(
@@ -611,7 +639,14 @@ if ( $vcVPN->exists('ipsec') ) {
 }
 if ( defined($rightsubnet) ) {
 $genout .= "\trightsubnet=$rightsubnet\n";
+ # not adding vpn route if remote subnet is 0.0.0.0/0
+ # user should add a route [default/static] manually
+ $leftsourceip = undef if $rightsubnet eq '0.0.0.0/0';
+ } else {
+ $leftsourceip = undef; # no need for vpn route if rightsubnet not defined
 }
+
+ $genout .= $leftsourceip if defined $leftsourceip;
 #
 # Write IKE configuration from group
@@ -1356,4 +1391,24 @@ sub hasLocalWildcard {
 return 0;
 }
+sub CheckIfAddressInsideNetwork {
+ my ( $address, $naipNetwork ) = @_;
+
+ if ( !defined($address) || !defined($naipNetwork) ) {
+ return 0;
+ }
+
+ my $naipSM = new NetAddr::IP($address);
+ if ( defined($naipSM) ) {
+ my $subnetIA = $naipSM->network()->addr();
+ my $naipIA = new NetAddr::IP( $subnetIA, $naipSM->masklen() );
+
+ if ( defined($naipIA) && $naipNetwork->within($naipIA) ) {
+ return 1;
+ }
+ }
+
+ return 0;
+}
+
 # end of file |
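Review bot: The interface search in the `@@ -558` hunk keeps overwriting `$leftsourceip` and never leaves the `foreach`, so when more than one address returned by `getIP` lies within leftsubnet the last one in enumeration order wins, which makes the chosen source IP depend on interface ordering rather than on any stated preference; adding `last;` right after `$leftsourceip = "\tleftsourceip=$sourceip\n";` (first match wins) or a comment stating the intended tie-break would make it deterministic. The two `new NetAddr::IP(...)` calls use indirect-object syntax; `NetAddr::IP->new(...)` is the form perlcritic expects and avoids bareword-parsing surprises. `NetAddr::IP->new($leftsubnet)` also returns undef for a malformed prefix, which only works here because `CheckIfAddressInsideNetwork` rejects an undef network — a comment such as `# undef on a bad prefix; the helper treats that as no match` would make that reliance visible. The enclosing peer/tunnel block starts before and ends after this hunk.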
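Review bot: `CheckIfAddressInsideNetwork` in the `@@ -1356` hunk tests containment in the wrong direction: `$naipNetwork->within($naipIA)` is true when the candidate network lies inside the network derived from `$address`, not when the address lies inside `$naipNetwork`, which is what the name and the caller's comment ("an IP on system lying within the leftsubnet") intend. With a prefixed address (constructed example: interface 10.1.1.1/24 and leftsubnet 10.0.0.0/8) the function returns 0 although the interface IP is in leftsubnet, and with a bare address, which NetAddr::IP treats as /32, it returns 1 only when leftsubnet is exactly that /32. Building a /32 from `$naipSM->addr()` and asking whether that host is within `$naipNetwork` expresses the intent; the rewritten middle of the function is below. Re-wrapping `$address` in `new` when the caller already passes a NetAddr::IP object appears to rely on the object stringifying to its CIDR form — presumably fine, but worth a comment.

```perl
    my $naipSM = NetAddr::IP->new($address);
    if ( defined($naipSM) ) {
        # Test the host address itself as a /32: asking whether the whole
        # interface network fits inside $naipNetwork is the wrong question.
        my $host = NetAddr::IP->new( $naipSM->addr() );
        if ( defined($host) && $host->within($naipNetwork) ) {
            return 1;
        }
    }
    # … unchanged: final return 0 …
```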