authorMohit Mehta <mohit.mehta@vyatta.com>2009-11-24 21:33:31 -0800
committerMohit Mehta <mohit.mehta@vyatta.com>2010-01-12 16:53:33 -0800
commit229dd4af29f29d8a2a4983a811b0c4bef7111892 (patch)
tree54ce127ca00f8ee37c6e75e245ec439f27ea1d05
parent275789c02381ebe359d2f0a970aabcf7587e0f58 (diff)
First pass code changes to vyatta-cfg-vpn for migration to strongswan :
Remove CLI support and back-end code for unsupported parameters * No aggressive mode support in strongswan * remove syslog facility.level CLI. strongswan uses authpriv facility by default, no syslog parameter support * remove Robert's disable-uniqreqids option for now. need to get strongswan to do the same thing first Remove Openswan specific parameters added to work around bugs * remove plutowait, this was added to work around Openswan Bug 412 * remove nhelpers, this was added to work around Openswan Bug 198 Other Changes * add '!' at the end of ike and esp proposal list to signify end of list * replace `ipsec start` commands with built-in commands for `ipsec starter` control utility * replace `ipsec auto` with `ipsec whack` commands. Still need to figure out if `ipsec auto --add|--up $connection` could be replaced by simply using `ipsec update` in strongswan * change pluto.ctl path
-rwxr-xr-xlib/Vyatta/VPN/Util.pm2
-rwxr-xr-xscripts/vpn-config.pl90
-rwxr-xr-xscripts/vyatta-vpn-ppp-updown.pl4
-rw-r--r--templates/vpn/ipsec/disable-uniqreqids/node.def1
-rw-r--r--templates/vpn/ipsec/ike-group/node.tag/aggressive-mode/node.def7
-rw-r--r--templates/vpn/ipsec/logging/facility/node.def13
-rw-r--r--templates/vpn/ipsec/logging/level/node.def12
7 files changed, 27 insertions, 102 deletions
diff --git a/lib/Vyatta/VPN/Util.pm b/lib/Vyatta/VPN/Util.pm
index 1f0af2d..0c16049 100755
--- a/lib/Vyatta/VPN/Util.pm
+++ b/lib/Vyatta/VPN/Util.pm
@@ -36,7 +36,7 @@ use constant LOCAL_KEY_FILE_DEFAULT
=> '/opt/vyatta/etc/config/ipsec.d/rsa-keys/localhost.key';
sub is_vpn_running {
- return ( -e '/var/run/pluto/pluto.ctl');
+ return ( -e '/var/run/pluto.ctl');
}
sub rsa_get_local_key_file {
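Review bot: `-e '/var/run/pluto.ctl'` reports the daemon as running whenever the file exists, so a control socket left behind by an unclean pluto exit would make is_vpn_running true and the caller in vpn-config.pl would then issue `ipsec stop` against a daemon that is not there. If that path is a socket, `-S` is the more precise test, and the changed path deserves a why-comment, e.g. `# strongswan's pluto keeps its control socket directly under /var/run`. Lifting the path into a constant beside LOCAL_KEY_FILE_DEFAULT would also keep it adjustable in one place.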
diff --git a/scripts/vpn-config.pl b/scripts/vpn-config.pl
index 16d1e15..c0326c8 100755
--- a/scripts/vpn-config.pl
+++ b/scripts/vpn-config.pl
@@ -381,34 +381,6 @@ if ( $vcVPN->exists('ipsec') ) {
$genout .= "\thidetos=yes\n";
}
- #
- # Logging
- #
- my $facility = $vcVPN->returnValue('ipsec logging facility');
- my $level = $vcVPN->returnValue('ipsec logging level');
- if ( ( defined($facility) && $facility ne '' )
- && ( !defined($level) || $level eq '' ) )
- {
- $error = 1;
- print STDERR
- "$vpn_cfg_err VPN logging facility has been specified without the VPN" .
- " logging level. One may not be specified without the other.\n";
- } elsif ( ( !defined($facility) || $facility eq '' )
- && ( defined($level) && $level ne '' ) )
- {
- $error = 1;
- print STDERR
- "$vpn_cfg_err VPN logging level has been specified without the VPN " .
- "logging facility. One may not be specified without the other.\n";
- }
-
- if ( defined($level) and ( $level eq "err" ) ) {
- $level = "error"; # This allows the cli to be consistent with syslog.
- }
- if ( defined($facility) and defined($level) ) {
- $genout .= "\tsyslog=$facility.$level\n";
- }
-
my @logmodes = $vcVPN->returnValues('ipsec logging log-modes');
if ( @logmodes > 0 ) {
my $debugmode = '';
@@ -426,16 +398,6 @@ if ( $vcVPN->exists('ipsec') ) {
$genout .= "\tplutodebug=\"$debugmode\"\n";
}
- $genout .= "\tnhelpers=5\n";
- $genout .= "\tplutowait=yes\n";
-
- # Set plutoopts:
- # Disable uniqreqids?
- #
- if ( $vcVPN->exists('ipsec disable-uniqreqids') ) {
- $genout .= "\tplutoopts=--disable-uniqreqids\n";
- }
-
#
# Disable implicit connections
#
@@ -453,8 +415,9 @@ if ( $vcVPN->exists('ipsec') ) {
my $wildcard_psk = undef;
my @peers = $vcVPN->listNodes('ipsec site-to-site peer');
if ( @peers == 0 && !($vcVPN->exists('l2tp')) ) {
- print "VPN Warning: IPSec configured but no site-to-site peers or l2tp" .
- " remote-users configured\n";
+ print
+ "VPN Warning: IPSec configured but no site-to-site peers or l2tp" .
+ " remote-users configured\n";
}
foreach my $peer (@peers) {
my $peer_ike_group =
@@ -701,7 +664,7 @@ if ( $vcVPN->exists('ipsec') ) {
}
}
}
- $genout .= "\n";
+ $genout .= "!\n";
my $t_ikelifetime =
$vcVPN->returnValue("ipsec ike-group $ike_group lifetime");
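Review bot: The trailing `!` changes negotiation semantics rather than just terminating the list: in strongswan's ipsec.conf a `!` after the ike or esp proposal list selects strict mode, so only the listed algorithms are offered or accepted instead of being padded with the built-in defaults, and nothing here records that. A comment such as `# trailing '!' = strict mode: strongswan offers/accepts only the listed proposals` would stop a later reader from treating it as a harmless end-of-list marker, which is how the commit message describes it. The same applies to the esp proposal in the `@@ -779,7 +729,7 @@` hunk. If the proposal loop above can leave the list empty, the generated line would be a bare `!`; the loop begins outside this hunk, so I cannot confirm whether that case is guarded.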
@@ -711,19 +674,6 @@ if ( $vcVPN->exists('ipsec') ) {
$genout .= "\tikelifetime=$ikelifetime" . "s\n";
#
- # Check for agressive-mode
- #
- my $aggressive_mode =
- $vcVPN->returnValue("ipsec ike-group $ike_group aggressive-mode");
- if ( defined($aggressive_mode) ) {
- if ( $aggressive_mode eq 'enable' ) {
- $genout .= "\taggrmode=yes\n";
- } else {
- $genout .= "\taggrmode=no\n";
- }
- }
-
- #
# Check for Dead Peer Detection DPD
#
my $dpd_interval = $vcVPN->returnValue(
@@ -779,7 +729,7 @@ if ( $vcVPN->exists('ipsec') ) {
$genout .= "$encryption-$hash";
}
}
- $genout .= "\n";
+ $genout .= "!\n";
my $t_esplifetime =
$vcVPN->returnValue("ipsec esp-group $esp_group lifetime");
@@ -998,7 +948,7 @@ if ( $error == 0 ) {
}
if ( $error == 0 ) {
if ( is_vpn_running() ) {
- vpn_exec( 'ipsec setup --stop', 'stop ipsec' );
+ vpn_exec( 'ipsec stop', 'stop ipsec' );
}
if ( !enableICMP('1') ) {
$error = 1;
@@ -1033,7 +983,7 @@ if ( $error == 0 ) {
# Full restart required
#
write_config( $genout, $config_file, $genout_secrets, $secrets_file );
- vpn_exec( 'ipsec setup --restart', 'restart ipsec' );
+ vpn_exec( 'ipsec restart', 'restart ipsec' );
} else {
my @conn_down;
my @conn_delete;
@@ -1044,29 +994,37 @@ if ( $error == 0 ) {
\@conn_add, \@conn_up );
foreach my $conn (@conn_down) {
- vpn_exec( "ipsec auto --down $conn",
+ vpn_exec( "ipsec down $conn",
"bring down ipsec connection $conn" );
}
foreach my $conn (@conn_delete) {
- vpn_exec( "ipsec auto --delete $conn",
+ vpn_exec( "ipsec whack --delete --name $conn",
"delete ipsec connection $conn" );
}
write_config( $genout, $config_file, $genout_secrets, $secrets_file );
- vpn_exec( 'ipsec auto --rereadall', 're-read ipsec configuration' );
+ vpn_exec( 'ipsec rereadall', 're-read ipsec configuration' );
foreach my $conn (@conn_replace) {
vpn_exec(
- "ipsec auto --replace $conn",
- "replace ipsec connection $conn"
+ "ipsec down $conn",
+ "down ipsec connection $conn"
+ );
+ vpn_exec(
+ "ipsec whack --delete --name $conn",
+ "delete ipsec connection $conn"
+ );
+ vpn_exec(
+ "ipsec route $conn",
+ "add ipsec policy for connection $conn"
);
}
foreach my $conn (@conn_add) {
- vpn_exec( "ipsec auto --add $conn", "add ipsec connection $conn" );
+ vpn_exec( "ipsec route $conn", "add ipsec policy for connection $conn" );
}
foreach my $conn (@conn_up) {
vpn_exec(
- "ipsec auto --asynchronous --up $conn",
+ "ipsec whack --initiate --name $conn --asynchronous",
"bring up replaced ipsec connection $conn"
);
}
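Review bot: Each of these commands interpolates the connection name straight into a command string (`"ipsec whack --delete --name $conn"`, `"ipsec route $conn"`, `"ipsec whack --initiate --name $conn --asynchronous"`), and vpn_exec, whose body lies outside this hunk, appears to capture the command's output, which suggests the string goes through a shell. The names come from the device configuration rather than from the peer, so the exposure is limited to a crafted or mistyped config, but a cheap guard ahead of the loops, `die "$vpn_cfg_err invalid connection name '$conn'\n" unless $conn =~ /\A[\w.:-]+\z/;`, or a list-form exec inside vpn_exec, would close it. The down/delete/route triple in the `@conn_replace` loop duplicates the `@conn_down`, `@conn_delete` and `@conn_add` loops; a small `_replace_conn($conn)` helper would keep the four sequences in step. Whether `ipsec route $conn` sees the rewritten connection after `ipsec rereadall` is left open by the commit message itself and cannot be settled from this hunk.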
@@ -1074,7 +1032,7 @@ if ( $error == 0 ) {
}
} else {
write_config( $genout, $config_file, $genout_secrets, $secrets_file );
- vpn_exec( 'ipsec setup --start', 'start ipsec' );
+ vpn_exec( 'ipsec start', 'start ipsec' );
}
}
}
@@ -1262,7 +1220,7 @@ sub vpn_exec {
print ${logf} "Output:\n$cmd_out\n---\n";
print ${logf} "Return code: $rval\n";
if ($rval) {
- if ( $command =~ /^ipsec auto --asynchronous --up/
+ if ( $command =~ /^ipsec.*--asynchronous$/
&& ( $rval == 104 || $rval == 29 ) )
{
print ${logf} "OK when bringing up VPN connection\n";
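Review bot: The new pattern `/^ipsec.*--asynchronous$/` extends the 104/29 return-code exemption to any ipsec command line ending in `--asynchronous`, whereas the old pattern pinned it to the bring-up command; only `ipsec whack --initiate` carries that flag today, but the looser match would silently mask failures of any later command given the flag. Pinning it back, `if ( $command =~ /^ipsec whack --initiate --name \S+ --asynchronous$/`, keeps the exemption tied to the command those codes were observed for, and a comment saying what 104 and 29 mean for whack would help, since the values are not explained here. vpn_exec begins outside this hunk.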
diff --git a/scripts/vyatta-vpn-ppp-updown.pl b/scripts/vyatta-vpn-ppp-updown.pl
index 1b5cfe6..00df619 100755
--- a/scripts/vyatta-vpn-ppp-updown.pl
+++ b/scripts/vyatta-vpn-ppp-updown.pl
@@ -161,10 +161,10 @@ my ($cmd, $rc);
$cmd = "mv $tmp_conf $conf_file";
$rc =system($cmd);
logit("$cmd = $rc");
-$cmd = "/usr/sbin/ipsec setup --start 2> /dev/null";
+$cmd = "/usr/sbin/ipsec start 2> /dev/null";
$rc =system($cmd);
logit("$cmd = $rc");
-$cmd = "/usr/sbin/ipsec auto --rereadall 2> /dev/null";
+$cmd = "/usr/sbin/ipsec rereadall 2> /dev/null";
$rc = system($cmd);
logit("$cmd = $rc");
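Review bot: `$rc` from `ipsec start` is logged but never examined before `ipsec rereadall` is issued, so a failed start is followed by a rereadall against a daemon that is not up and the only trace is the log line. A guard between the two, `if ($rc != 0) { logit("ipsec start failed: $rc"); return; }` adjusted to whatever the ppp up/down hook is expected to return, would make the failure visible. Note also that `system` returns the raw wait status, so the logged value is the exit code shifted left by 8; logging `$rc >> 8` alongside it would make the log easier to read.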
diff --git a/templates/vpn/ipsec/disable-uniqreqids/node.def b/templates/vpn/ipsec/disable-uniqreqids/node.def
deleted file mode 100644
index 18fb099..0000000
--- a/templates/vpn/ipsec/disable-uniqreqids/node.def
+++ /dev/null
@@ -1 +0,0 @@
-help: Disable requirement for unique IDs in the Security Database
diff --git a/templates/vpn/ipsec/ike-group/node.tag/aggressive-mode/node.def b/templates/vpn/ipsec/ike-group/node.tag/aggressive-mode/node.def
deleted file mode 100644
index d8c88a9..0000000
--- a/templates/vpn/ipsec/ike-group/node.tag/aggressive-mode/node.def
+++ /dev/null
@@ -1,7 +0,0 @@
-help: Set IKE aggressive-mode
-type: txt
-default: "disable"
-syntax:expression: $VAR(@) in "enable", "disable"; "enable or disable"
-comp_help: possible completions
- enable Set aggressive-mode enable
- disable Set aggressive-mode disable (default)
diff --git a/templates/vpn/ipsec/logging/facility/node.def b/templates/vpn/ipsec/logging/facility/node.def
deleted file mode 100644
index 0359553..0000000
--- a/templates/vpn/ipsec/logging/facility/node.def
+++ /dev/null
@@ -1,13 +0,0 @@
-type: txt
-help: Set logging facility
-syntax:expression: $VAR(@)in "daemon", "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7" ; "Value \"$VAR(@)\" not in the list: daemon, local0, local1, local2, local3, local4, local5, local6, local7"
-comp_help: Available logging facilities:
- daemon System daemons
- local0 Local facility 0
- local1 Local facility 1
- local2 Local facility 2
- local3 Local facility 3
- local4 Local facility 4
- local5 Local facility 5
- local6 Local facility 6
- local7 Local facility 7
diff --git a/templates/vpn/ipsec/logging/level/node.def b/templates/vpn/ipsec/logging/level/node.def
deleted file mode 100644
index 9b63ebb..0000000
--- a/templates/vpn/ipsec/logging/level/node.def
+++ /dev/null
@@ -1,12 +0,0 @@
-help: Set logging level
-type: txt
-syntax:expression: $VAR(@) in "alert", "crit", "debug", "emerg", "err", "info", "notice", "warning" ; "must be one of the following: crit, debug, emerg, err, info, notice, warning"
-comp_help: Logging levels in descending order of severity:
- emerg Emergency messages
- alert Urgent messages
- crit Critical messages
- err Error messages
- warning Warning messages
- notice Messages for further investigation
- info Informational messages
- debug Debug messages