author | Mohit Mehta <mohit.mehta@vyatta.com> | 2009-11-24 21:33:31 -0800 |
---|---|---|
committer | Mohit Mehta <mohit.mehta@vyatta.com> | 2010-01-12 16:53:33 -0800 |
commit | 229dd4af29f29d8a2a4983a811b0c4bef7111892 (patch) | |
tree | 54ce127ca00f8ee37c6e75e245ec439f27ea1d05 | |
parent | 275789c02381ebe359d2f0a970aabcf7587e0f58 (diff) | |
First pass code changes to vyatta-cfg-vpn for migration to strongswan :
Remove CLI support and back-end code for unsupported parameters
* No aggressive mode support in strongswan
* remove syslog facility.level CLI. strongswan uses
authpriv facility by default, no syslog parameter support
* remove Robert's disable-uniqreqids option for now. need to get
strongswan to do the same thing first
Remove Openswan-specific parameters added to work around bugs
* remove plutowait, this was added to work around Openswan Bug 412
* remove nhelpers, this was added to work around Openswan Bug 198
Other Changes
* add '!' at the end of ike and esp proposal list to signify end of list
* replace `ipsec start` commands with built-in commands for
`ipsec starter` control utility
* replace `ipsec auto` with `ipsec whack` commands. Still need to figure
out if `ipsec auto --add|--up $connection` could be replaced by simply
using `ipsec update` in strongswan
* change pluto.ctl path
-rwxr-xr-x | lib/Vyatta/VPN/Util.pm | 2 | ||||
-rwxr-xr-x | scripts/vpn-config.pl | 90 | ||||
-rwxr-xr-x | scripts/vyatta-vpn-ppp-updown.pl | 4 | ||||
-rw-r--r-- | templates/vpn/ipsec/disable-uniqreqids/node.def | 1 | ||||
-rw-r--r-- | templates/vpn/ipsec/ike-group/node.tag/aggressive-mode/node.def | 7 | ||||
-rw-r--r-- | templates/vpn/ipsec/logging/facility/node.def | 13 | ||||
-rw-r--r-- | templates/vpn/ipsec/logging/level/node.def | 12 |
7 files changed, 27 insertions, 102 deletions
diff --git a/lib/Vyatta/VPN/Util.pm b/lib/Vyatta/VPN/Util.pm index 1f0af2d..0c16049 100755 --- a/lib/Vyatta/VPN/Util.pm +++ b/lib/Vyatta/VPN/Util.pm @@ -36,7 +36,7 @@ use constant LOCAL_KEY_FILE_DEFAULT => '/opt/vyatta/etc/config/ipsec.d/rsa-keys/localhost.key'; sub is_vpn_running { - return ( -e '/var/run/pluto/pluto.ctl'); + return ( -e '/var/run/pluto.ctl'); } sub rsa_get_local_key_file { diff --git a/scripts/vpn-config.pl b/scripts/vpn-config.pl index 16d1e15..c0326c8 100755 --- a/scripts/vpn-config.pl +++ b/scripts/vpn-config.pl @@ -381,34 +381,6 @@ if ( $vcVPN->exists('ipsec') ) { $genout .= "\thidetos=yes\n"; } - # - # Logging - # - my $facility = $vcVPN->returnValue('ipsec logging facility'); - my $level = $vcVPN->returnValue('ipsec logging level'); - if ( ( defined($facility) && $facility ne '' ) - && ( !defined($level) || $level eq '' ) ) - { - $error = 1; - print STDERR - "$vpn_cfg_err VPN logging facility has been specified without the VPN" . - " logging level. One may not be specified without the other.\n"; - } elsif ( ( !defined($facility) || $facility eq '' ) - && ( defined($level) && $level ne '' ) ) - { - $error = 1; - print STDERR - "$vpn_cfg_err VPN logging level has been specified without the VPN " . - "logging facility. One may not be specified without the other.\n"; - } - - if ( defined($level) and ( $level eq "err" ) ) { - $level = "error"; # This allows the cli to be consistent with syslog. - } - if ( defined($facility) and defined($level) ) { - $genout .= "\tsyslog=$facility.$level\n"; - } - my @logmodes = $vcVPN->returnValues('ipsec logging log-modes'); if ( @logmodes > 0 ) { my $debugmode = ''; 
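Review bot: `is_vpn_running` now treats the mere existence of `/var/run/pluto.ctl` as proof that the daemon is up, and `-e` is satisfied by any file type, including a stale control file left behind after an unclean exit or a plain file dropped at that path. The `-998` hunk in vpn-config.pl uses this answer to decide whether to run `ipsec stop`, so a false positive is acted on. At minimum require a socket, `return ( -S '/var/run/pluto.ctl');`, and if strongSwan can leave the file behind on a crash (I cannot confirm that from this diff) fall back to the exit status of `ipsec status` instead of a path test.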
@@ -426,16 +398,6 @@ if ( $vcVPN->exists('ipsec') ) { $genout .= "\tplutodebug=\"$debugmode\"\n"; } - $genout .= "\tnhelpers=5\n"; - $genout .= "\tplutowait=yes\n"; - - # Set plutoopts: - # Disable uniqreqids? - # - if ( $vcVPN->exists('ipsec disable-uniqreqids') ) { - $genout .= "\tplutoopts=--disable-uniqreqids\n"; - } - # # Disable implicit connections # @@ -453,8 +415,9 @@ if ( $vcVPN->exists('ipsec') ) { my $wildcard_psk = undef; my @peers = $vcVPN->listNodes('ipsec site-to-site peer'); if ( @peers == 0 && !($vcVPN->exists('l2tp')) ) { - print "VPN Warning: IPSec configured but no site-to-site peers or l2tp" . - " remote-users configured\n"; + print + "VPN Warning: IPSec configured but no site-to-site peers or l2tp" . + " remote-users configured\n"; } foreach my $peer (@peers) { my $peer_ike_group = @@ -701,7 +664,7 @@ if ( $vcVPN->exists('ipsec') ) { } } } - $genout .= "\n"; + $genout .= "!\n"; my $t_ikelifetime = $vcVPN->returnValue("ipsec ike-group $ike_group lifetime"); @@ -711,19 +674,6 @@ if ( $vcVPN->exists('ipsec') ) { $genout .= "\tikelifetime=$ikelifetime" . "s\n"; # - # Check for agressive-mode - # - my $aggressive_mode = - $vcVPN->returnValue("ipsec ike-group $ike_group aggressive-mode"); - if ( defined($aggressive_mode) ) { - if ( $aggressive_mode eq 'enable' ) { - $genout .= "\taggrmode=yes\n"; - } else { - $genout .= "\taggrmode=no\n"; - } - } - - # # Check for Dead Peer Detection DPD # my $dpd_interval = $vcVPN->returnValue( @@ -779,7 +729,7 @@ if ( $vcVPN->exists('ipsec') ) { $genout .= "$encryption-$hash"; } } - $genout .= "\n"; + $genout .= "!\n"; my $t_esplifetime = $vcVPN->returnValue("ipsec esp-group $esp_group lifetime"); @@ -998,7 +948,7 @@ if ( $error == 0 ) { } if ( $error == 0 ) { if ( is_vpn_running() ) { - vpn_exec( 'ipsec setup --stop', 'stop ipsec' ); + vpn_exec( 'ipsec stop', 'stop ipsec' ); } if ( !enableICMP('1') ) { $error = 1; 
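Review bot: The trailing `!` now appended to the ike proposal line deserves a comment, because in strongSwan's ipsec.conf syntax it does not mean "end of list" as the commit message says but "strict": only the listed proposals are offered or accepted and the daemon does not append its built-in defaults. That is the behaviour a VPN appliance wants, but without a note the next maintainer will read the character as cosmetic and may drop it. Suggest `# Trailing '!' makes the proposal list strict: strongSwan will not fall back to its default IKE proposals.` directly above the `$genout .= "!\n";`. The enclosing `if ( $vcVPN->exists('ipsec') )` block and the proposal loop begin outside the hunk.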
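Review bot: The `!` is appended unconditionally after the esp proposal loop, so if that loop emits nothing the generated `esp=` line ends as a bare `!`, which strongSwan will either reject at load time or treat as an empty strict list; either way no tunnel comes up and the failure surfaces only in the daemon log. I cannot see from this hunk whether an esp-group with no proposals is already rejected earlier in the script. If it is not, guard the terminator on the list the loop iterates, e.g. `$genout .= "!\n" if @esp_proposals;` (using whatever that array is actually called), or set `$error = 1` with a message before reaching this point. The enclosing `if ( $vcVPN->exists('ipsec') )` block and the loop start outside the hunk.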
@@ -1033,7 +983,7 @@ if ( $error == 0 ) { # Full restart required # write_config( $genout, $config_file, $genout_secrets, $secrets_file ); - vpn_exec( 'ipsec setup --restart', 'restart ipsec' ); + vpn_exec( 'ipsec restart', 'restart ipsec' ); } else { my @conn_down; my @conn_delete; @@ -1044,29 +994,37 @@ if ( $error == 0 ) { \@conn_add, \@conn_up ); foreach my $conn (@conn_down) { - vpn_exec( "ipsec auto --down $conn", + vpn_exec( "ipsec down $conn", "bring down ipsec connection $conn" ); } foreach my $conn (@conn_delete) { - vpn_exec( "ipsec auto --delete $conn", + vpn_exec( "ipsec whack --delete --name $conn", "delete ipsec connection $conn" ); } write_config( $genout, $config_file, $genout_secrets, $secrets_file ); - vpn_exec( 'ipsec auto --rereadall', 're-read ipsec configuration' ); + vpn_exec( 'ipsec rereadall', 're-read ipsec configuration' ); foreach my $conn (@conn_replace) { vpn_exec( - "ipsec auto --replace $conn", - "replace ipsec connection $conn" + "ipsec down $conn", + "down ipsec connection $conn" + ); + vpn_exec( + "ipsec whack --delete --name $conn", + "delete ipsec connection $conn" + ); + vpn_exec( + "ipsec route $conn", + "add ipsec policy for connection $conn" ); } foreach my $conn (@conn_add) { - vpn_exec( "ipsec auto --add $conn", "add ipsec connection $conn" ); + vpn_exec( "ipsec route $conn", "add ipsec policy for connection $conn" ); } foreach my $conn (@conn_up) { vpn_exec( - "ipsec auto --asynchronous --up $conn", + "ipsec whack --initiate --name $conn --asynchronous", "bring up replaced ipsec connection $conn" ); } @@ -1074,7 +1032,7 @@ if ( $error == 0 ) { } } else { write_config( $genout, $config_file, $genout_secrets, $secrets_file ); - vpn_exec( 'ipsec setup --start', 'start ipsec' ); + vpn_exec( 'ipsec start', 'start ipsec' ); } } } 
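Review bot: The incremental path now relies on `ipsec rereadall` followed by `ipsec route $conn` to pick up the connections `write_config` just wrote, but in strongSwan `rereadall` only re-reads secrets and certificates; connection definitions in ipsec.conf are loaded by starter, which needs `ipsec update` (or `reload`), and `ipsec route` / `whack --initiate` fail for a conn pluto has never been given. The commit message itself lists this as unresolved, so the @conn_add and @conn_replace loops are likely errors or no-ops against a running daemon until it is. Suggest `vpn_exec( 'ipsec update', 'load changed ipsec connection definitions' );` immediately after `write_config(...)` in this branch; since starter then performs the add/replace/delete diff itself, the explicit `whack --delete` and `route` calls for @conn_replace and @conn_add can probably be dropped. Separately, every `$conn` is still interpolated into a shell command string; the names are presumably derived from the configuration tree rather than from the peer, but if `vpn_exec` runs the string through a shell (it captures output, so backticks look likely) a peer name containing shell metacharacters breaks the command, so `quotemeta($conn)` or a list-form exec in `vpn_exec` would be safer. The enclosing `if ( $error == 0 )` block starts outside the hunk.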
@@ -1262,7 +1220,7 @@ sub vpn_exec { print ${logf} "Output:\n$cmd_out\n---\n"; print ${logf} "Return code: $rval\n"; if ($rval) { - if ( $command =~ /^ipsec auto --asynchronous --up/ + if ( $command =~ /^ipsec.*--asynchronous$/ && ( $rval == 104 || $rval == 29 ) ) { print ${logf} "OK when bringing up VPN connection\n"; diff --git a/scripts/vyatta-vpn-ppp-updown.pl b/scripts/vyatta-vpn-ppp-updown.pl index 1b5cfe6..00df619 100755 --- a/scripts/vyatta-vpn-ppp-updown.pl +++ b/scripts/vyatta-vpn-ppp-updown.pl @@ -161,10 +161,10 @@ my ($cmd, $rc); $cmd = "mv $tmp_conf $conf_file"; $rc =system($cmd); logit("$cmd = $rc"); -$cmd = "/usr/sbin/ipsec setup --start 2> /dev/null"; +$cmd = "/usr/sbin/ipsec start 2> /dev/null"; $rc =system($cmd); logit("$cmd = $rc"); -$cmd = "/usr/sbin/ipsec auto --rereadall 2> /dev/null"; +$cmd = "/usr/sbin/ipsec rereadall 2> /dev/null"; $rc = system($cmd); logit("$cmd = $rc"); diff --git a/templates/vpn/ipsec/disable-uniqreqids/node.def b/templates/vpn/ipsec/disable-uniqreqids/node.def deleted file mode 100644 index 18fb099..0000000 --- a/templates/vpn/ipsec/disable-uniqreqids/node.def +++ /dev/null @@ -1 +0,0 @@ -help: Disable requirement for unique IDs in the Security Database diff --git a/templates/vpn/ipsec/ike-group/node.tag/aggressive-mode/node.def b/templates/vpn/ipsec/ike-group/node.tag/aggressive-mode/node.def deleted file mode 100644 index d8c88a9..0000000 --- a/templates/vpn/ipsec/ike-group/node.tag/aggressive-mode/node.def +++ /dev/null @@ -1,7 +0,0 @@ -help: Set IKE aggressive-mode -type: txt -default: "disable" -syntax:expression: $VAR(@) in "enable", "disable"; "enable or disable" -comp_help: possible completions - enable Set aggressive-mode enable - disable Set aggressive-mode disable (default) diff --git a/templates/vpn/ipsec/logging/facility/node.def b/templates/vpn/ipsec/logging/facility/node.def deleted file mode 100644 index 0359553..0000000 --- a/templates/vpn/ipsec/logging/facility/node.def +++ /dev/null 
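Review bot: The success exemption in `vpn_exec` now keys on any command matching `/^ipsec.*--asynchronous$/` with return code 104 or 29, but those two codes were chosen for Openswan's `ipsec auto --up`; I cannot confirm from this diff that strongSwan's `ipsec whack --initiate` exits with the same values, and if it does not, a genuinely failed initiate may be logged as "OK" or a benign in-progress return reported as an error. Please verify against strongSwan's whack return codes and record the provenance, e.g. `# 104/29: whack return codes for an asynchronous initiate still in progress (verified against strongSwan <version>)`. The looser `.*` also lets any future `--asynchronous` command inherit the exemption; anchoring on `^ipsec whack --initiate ` keeps it tied to the one case it was written for. `vpn_exec`'s body starts outside the hunk.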
@@ -1,13 +0,0 @@ -type: txt -help: Set logging facility -syntax:expression: $VAR(@)in "daemon", "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7" ; "Value \"$VAR(@)\" not in the list: daemon, local0, local1, local2, local3, local4, local5, local6, local7" -comp_help: Available logging facilities: - daemon System daemons - local0 Local facility 0 - local1 Local facility 1 - local2 Local facility 2 - local3 Local facility 3 - local4 Local facility 4 - local5 Local facility 5 - local6 Local facility 6 - local7 Local facility 7 diff --git a/templates/vpn/ipsec/logging/level/node.def b/templates/vpn/ipsec/logging/level/node.def deleted file mode 100644 index 9b63ebb..0000000 --- a/templates/vpn/ipsec/logging/level/node.def +++ /dev/null @@ -1,12 +0,0 @@ -help: Set logging level -type: txt -syntax:expression: $VAR(@) in "alert", "crit", "debug", "emerg", "err", "info", "notice", "warning" ; "must be one of the following: crit, debug, emerg, err, info, notice, warning" -comp_help: Logging levels in descending order of severity: - emerg Emergency messages - alert Urgent messages - crit Critical messages - err Error messages - warning Warning messages - notice Messages for further investigation - info Informational messages - debug Debug messages |