diff options
author | Jeff Leung <jleung@v10networks.ca> | 2015-02-09 07:30:14 +0000 |
---|---|---|
committer | Jeff Leung <jleung@v10networks.ca> | 2015-02-09 07:47:27 +0000 |
commit | a69985d6853537d296027be5d2d1c44d73fbeccc (patch) | |
tree | 654701154ec68221080697780a22e9ebb0d66500 | |
parent | 6b652b14199b748089f50bc417b7866300cd0a2f (diff) | |
download | vyatta-cfg-vpn-a69985d6853537d296027be5d2d1c44d73fbeccc.tar.gz vyatta-cfg-vpn-a69985d6853537d296027be5d2d1c44d73fbeccc.zip |
Removing generation of leftsourceip= parameter in ipsec.conf
As confirmed by Thermi in the strongSwan IRC channel inside freenode,
this parameter should not have been generated for a S2S VPN setup.
If leftsourceip= is specified on both ends in an IKEv1 S2S VPN tunnel,
both ends will have charon hanging on MODE_CONFIG. This is because both
ends are trying to ask an IP from the remote end which doesn't exist.
-rwxr-xr-x | scripts/vpn-config.pl | 60 |
1 files changed, 0 insertions, 60 deletions
diff --git a/scripts/vpn-config.pl b/scripts/vpn-config.pl index 41e2a35..ca685bd 100755 --- a/scripts/vpn-config.pl +++ b/scripts/vpn-config.pl @@ -37,7 +37,6 @@ use Vyatta::TypeChecker; use Vyatta::VPN::Util; use Getopt::Long; use Vyatta::Misc; -use NetAddr::IP; use Vyatta::VPN::vtiIntf; my $config_file; @@ -479,16 +478,6 @@ if ($vcVPN->exists('ipsec')) { $lip = get_dhcp_addr($dhcp_iface); } - # -> leftsourceip is the internal source IP to use in a tunnel - # -> we use leftsourceip to add a route to the rightsubnet - # only when rightsubnet is defined and is not 0.0.0.0/0. we do not - # want to add a vpn route for everything i.e. rightsubnet = 0.0.0.0/0 - # -> if leftsubnet is defined and is not 0.0.0.0/0; we try and find - # an interface on the system that has an IP address lying within - # the leftsubnet and use that as leftsourceip. if leftsubnet is not - # defined or is 0.0.0.0/0 then we use local-address as leftsourceip. - my $leftsourceip = undef; - # # Assign left and right to local and remote interfaces # @@ -499,11 +488,8 @@ if ($vcVPN->exists('ipsec')) { "for peer \"$peer\" $tunKeyword.\n"); } $genout .= "\tleft=%defaultroute\n"; - - # no need for leftsourceip as a defaultroute is must for this to work } else { $genout .= "\tleft=$lip\n"; - $leftsourceip = "\tleftsourceip=$lip\n"; } $genout .= "\tleftid=\"$authid\"\n" if defined $authid; } @@ -554,19 +540,6 @@ if ($vcVPN->exists('ipsec')) { if (defined($leftsubnet)) { $genout .= "\tleftsubnet=$leftsubnet\n"; - if (!($leftsubnet eq '0.0.0.0/0')) { - my $localsubnet_object = new NetAddr::IP($leftsubnet); - - # leftsourceip should now be an IP on system lying within the leftsubnet - my @system_ips = Vyatta::Misc::getIP(undef, '4'); - foreach my $system_ip (@system_ips) { - my $systemip_object = new NetAddr::IP($system_ip); - if (CheckIfAddressInsideNetwork($systemip_object, $localsubnet_object)){ - my $sourceip = $systemip_object->addr(); - $leftsourceip = "\tleftsourceip=$sourceip\n"; - } - } - } } my $remotesubnet = $vcVPN->returnValue("ipsec site-to-site peer $peer $tunKeyword remote prefix"); @@ -624,21 +597,8 @@ if ($vcVPN->exists('ipsec')) { } if (defined($rightsubnet)) { $genout .= "\trightsubnet=$rightsubnet\n"; - - # not adding vpn route if remote prefix is 0.0.0.0/0 - # user should add a route [default/static] manually - $leftsourceip = undef if $rightsubnet eq '0.0.0.0/0'; - if ($rightsubnet =~ /vhost:%priv/) { - - # can't add route when rightsubnet is not specific - $leftsourceip = undef; - } - } else { - $leftsourceip =undef; # no need for vpn route if rightsubnet not defined } - $genout .= $leftsourceip if defined $leftsourceip; - # # Protocol/port # @@ -1416,26 +1376,6 @@ sub hasLocalWildcard { return 0; } -sub CheckIfAddressInsideNetwork { - my ($address, $naipNetwork) = @_; - - if (!defined($address) || !defined($naipNetwork)) { - return 0; - } - - my $naipSM = new NetAddr::IP($address); - if (defined($naipSM)) { - my $subnetIA = $naipSM->network()->addr(); - my $naipIA = new NetAddr::IP($subnetIA, $naipSM->masklen()); - - if (defined($naipIA) && $naipNetwork->within($naipIA)) { - return 1; - } - } - - return 0; -} - sub get_x509 { my $peer = pop(@_); |