author | Daniil Baturin <daniil@baturin.org> | 2017-10-31 21:13:10 +0700 |
---|---|---|
committer | GitHub <noreply@github.com> | 2017-10-31 21:13:10 +0700 |
commit | 489211d40ccd6d594817993a94d12278da7c5579 (patch) | |
tree | a21c1d8ed47b1eab6a1266a806c0026b6e914c25 | |
parent | ff15bdcdeda459bb7cf5de450d02ea2cee53041c (diff) | |
parent | b53019e4bf1b51b40cefc263479ee0531341cb78 (diff) | |
download | vyatta-cfg-vpn-489211d40ccd6d594817993a94d12278da7c5579.tar.gz vyatta-cfg-vpn-489211d40ccd6d594817993a94d12278da7c5579.zip |
Merge pull request #17 from Taniadz/current
T126: charon listening on ALL interfaces
-rwxr-xr-x | scripts/vpn-config.pl | 81 |
1 files changed, 62 insertions, 19 deletions
diff --git a/scripts/vpn-config.pl b/scripts/vpn-config.pl
index 75d0e91..071b3b8 100755
--- a/scripts/vpn-config.pl
+++ b/scripts/vpn-config.pl
@@ -52,12 +52,14 @@ my $CRL_PATH = '/etc/ipsec.d/crls';
 my $SERVER_CERT_PATH = '/etc/ipsec.d/certs';
 my $SERVER_KEY_PATH = '/etc/ipsec.d/private';
 my $LOGFILE = '/var/log/vyatta/ipsec.log';
+my $STRONGSWAN_INTF_CONFIG = '/etc/strongswan.d/interfaces_use.conf';
 my $vpn_cfg_err = "VPN configuration error:";
 my $clustering_ip = 0;
 my $dhcp_if = 0;
 my $genout;
 my $genout_secrets;
+my $interfaces_use;
 my %key_file_list;
 my %public_keys;
@@ -67,6 +69,7 @@ my $using_klips = 0;
 $genout .= "# generated by $0\n\n";
 $genout_secrets .= "# generated by $0\n\n";
+$interfaces_use .= "# generated by $0\n\n";
 #
 # Prepare Vyatta::Config object
@@ -216,14 +219,22 @@ if ($vcVPN->exists('ipsec')) {
 #
 $genout .= "config setup\n";
+
 #
 # Interfaces
 #
 my @interfaces = $vcVPN->returnValues('ipsec ipsec-interfaces interface');
- if (@interfaces == 0) {
- #*THIS CHECK'S ALSO USED BY OP-MODE CMNDS TO CHECK IF IPSEC IS CONFIGURED*#
- vpn_die(["vpn", "ipsec","ipsec-interfaces"],"$vpn_cfg_err No IPSEC interfaces specified.\n");
- } else {
+ if (scalar(@interfaces) > 0) {
+
+ $interfaces_use .= "charon {\n\tinterfaces_use = ";
+ foreach my $interface (@interfaces) {
+ if (!(-d "/sys/class/net/$interface")) {
+ print "Warning: unable to configure non-existent interface\n";
+ }
+ $interfaces_use .= "$interface, ";
+ }
+ $interfaces_use .= "\n}";
+
 # We need to generate an "interfaces=..." entry in the setup section
 # only if the underlying IPsec kernel code we are using is KLIPS.
 # If we are using NETKEY, the "interfaces=..." entry is essentially
@@ -249,7 +260,8 @@ if ($vcVPN->exists('ipsec')) {
 $genout .= '%defaultroute';
 }
 $genout .= "\"\n";
- } else {
+ }
+ else {
 my $counter = 0;
 $genout .= "\t";
 if (hasLocalWildcard($vcVPN, 0)) {
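Review bot: In the `if (scalar(@interfaces) > 0)` branch the value written to `interfaces_use` is built by appending `"$interface, "` per element, so the generated line always ends in `, ` before the newline; strongSwan's list parser may tolerate the trailing separator, but `$interfaces_use .= join(', ', @interfaces);` yields a clean value and does not rely on it. The non-existent-interface warning does not say which interface is missing, so `print "Warning: unable to configure non-existent interface $interface\n";` would make the commit output actionable. The comment on the removed check said op-mode commands also relied on that `vpn_die` to detect whether IPsec is configured at all, and the commit does not say what replaces it, so it is worth confirming those commands still behave sensibly when the interface list is empty. The enclosing `if ($vcVPN->exists('ipsec'))` block starts and ends outside the hunk.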
@@ -261,13 +273,18 @@ if ($vcVPN->exists('ipsec')) {
 ++$counter;
 }
 $genout .= '%defaultroute"';
- } else {
+ }
+ else {
 $genout .= 'interfaces="%none"';
 }
 $genout .= "\n";
+ }
- }
+ } else {
+ $interfaces_use .= "";
+
+ }
 #
 # NAT traversal
 #
@@ -785,7 +802,7 @@ if ($vcVPN->exists('ipsec')) {
 if (defined($aggressive_mode)) {
 if (defined($key_exchange) && $key_exchange eq 'ikev2') {
 vpn_die(["vpn","ipsec","ike-group", $ike_group, "mode"], "$vpn_cfg_err Selection of Main/Aggressive modes is only valid for IKEv1 configurations");
- }
+ }
 if ($aggressive_mode eq 'aggressive') {
 $genout .= "\taggressive=yes\n";
 } else {
@@ -812,7 +829,7 @@ if ($vcVPN->exists('ipsec')) {
 $genout .= "\tdpdtimeout=$dpd_timeout" . "s\n";
 $genout .= "\tdpdaction=$dpd_action\n";
 }
-
+
 #
 # Allow the user for force UDP encapsulation for the ESP
 # payload.
@@ -1134,7 +1151,7 @@ if ($vcVPN->exists('ipsec')) {
 }
 }
 }
-
+
 #
 # Include a custom configuration file
 #
@@ -1147,7 +1164,7 @@ if ($vcVPN->exists('ipsec')) {
 $genout .= "\ninclude $custom_include\n";
 }
 if (defined($custom_secrets)) {
- if ( ! -e $custom_secrets) {
+ if ( ! -e $custom_secrets) {
 vpn_die(["vpn","ipsec","include-ipsec-secrets"],"$vpn_cfg_err The specified file for inclusion inside ipsec.secrets does not exist.");
 }
 $genout_secrets .= "\ninclude $custom_secrets\n";
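Review bot: The new `} else { $interfaces_use .= ""; }` branch appends an empty string, which is a no-op, so a reader has to infer that an empty ipsec-interfaces list is now deliberately accepted and leaves `interfaces_use` unset, which makes charon bind to every interface (the behaviour the commit title announces). Replacing the assignment with a comment such as `# No ipsec-interfaces configured: interfaces_use stays unset, so charon listens on all interfaces (see T126)` records both the intent and the wider listening surface next to the code. The `} else {` to `}` / `else {` rewrite in this hunk and in the one at -249 also departs from the cuddled-else style the rest of the file uses (`} else {` at -785, `}else {` at -1236), so one style should be chosen. The enclosing block begins before this hunk.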
@@ -1185,13 +1202,13 @@ if ( $vcVPN->isDeleted('.')
 if (!enableICMP('1')) {
 vpn_die(["vpn","ipsec"],"VPN commit error. Unable to re-enable ICMP redirects.\n");
 }
- write_config($genout, $config_file, $genout_secrets, $secrets_file, $dhcp_if, %public_keys);
+ write_config($genout, $interfaces_use, $STRONGSWAN_INTF_CONFIG, $config_file, $genout_secrets, $secrets_file, $dhcp_if, %public_keys);
 } else {
 if (!enableICMP('0')) {
 vpn_die(["vpn","ipsec"],"VPN commit error. Unable to disable ICMP redirects.\n");
 }
- write_config($genout, $config_file, $genout_secrets, $secrets_file, $dhcp_if, %public_keys);
+ write_config($genout, $interfaces_use, $STRONGSWAN_INTF_CONFIG, $config_file, $genout_secrets, $secrets_file, $dhcp_if, %public_keys);
 # Assumming that if there was a local IP missmatch and clustering is enabled,
 # then the clustering scripts will take care of starting the VPN daemon.
@@ -1226,7 +1243,7 @@ if ( $vcVPN->isDeleted('.')
 foreach my $tunnel (@tunnel_cfg_old) {
 push (@old_tunnels, $tunnel) unless exists $seen{$tunnel};
 }
-
+
 # Issue an ipsec down on the old tunnel since charon doesn't clean up
 # connections removed from ipsec.conf
 foreach my $old_peer (@old_tunnels) {
@@ -1236,9 +1253,29 @@ if ( $vcVPN->isDeleted('.')
 vpn_exec("ipsec down peer-$old_peer-tunnel-$tunnel", "Cleaning up site-to-site peer $old_peer at tunnel $tunnel");
 }
 }
-
- vpn_exec('ipsec rereadall >&/dev/null', 're-read secrets and certs');
- vpn_exec('ipsec reload >&/dev/null', 'reload changes to ipsec.conf');
+ # Check if returnValues equals returnOrigValues for ipsec-interfaces and restart if they are not equal
+ my $equals = 1;
+ my @working_interfaces = $vcVPN->returnValues("ipsec ipsec-interfaces interface");
+ my @active_interfaces = $vcVPN->returnOrigValues("ipsec ipsec-interfaces interface");
+ if (scalar(@working_interfaces) != scalar(@active_interfaces)){
+ $equals = 0;
+ }
+ else {
+ my @sorted_working = sort @working_interfaces;
+ my @sorted_active = sort @active_interfaces;
+ foreach (my $i = 0; $i < @sorted_working; $i++) {
+ if ($sorted_working[$i] ne $sorted_active[$i]) {
+ $equals = 0;
+ last;
+ }
+ }
+ }
+ if ($equals == 0) {
+ vpn_exec('ipsec restart >&/dev/null', 're-starting ipsec');
+ }else {
+ vpn_exec('ipsec rereadall >&/dev/null', 're-read secrets and certs');
+ vpn_exec('ipsec reload >&/dev/null', 'reload changes to ipsec.conf');
+ }
 }
 } else {
 if (!defined($update_interval)) {
@@ -1247,7 +1284,7 @@ if ( $vcVPN->isDeleted('.')
 vpn_exec('ipsec start --auto-update '.$update_interval.' >&/dev/null','start ipsec with auto-update $update_interval');
 }
 }
-
+
 # Activate any debugging options by
 # calling ipsec stroke loglevel <source> <level>
 my @logmodes = $vcVPN->returnValues('ipsec logging log-modes');
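Review bot: The interface comparison in the new block is a hand-rolled sorted walk (`my @sorted_working`, `my @sorted_active`, the C-style `foreach (my $i = 0; ...)`) where one string comparison does the same job: `my $equals = join(',', sort @working_interfaces) eq join(',', sort @active_interfaces) ? 1 : 0;`. The comment above it says what is compared but not why a full restart is chosen; a note such as `# interfaces_use is read by charon only at start-up, so a changed list needs 'ipsec restart' (which tears down established tunnels) rather than a reload` would make the trade-off visible to the next maintainer. Whether `ipsec reload` picks up a freshly written interfaces_use.conf when the configured list itself did not change (for instance the first commit after this script is installed) is not addressed here and may deserve a check. The enclosing `if`/`else` around `write_config` starts before this hunk.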
@@ -1280,13 +1317,19 @@ sub vpn_die {
 }
 sub write_config {
- my ($genout, $config_file, $genout_secrets, $secrets_file, $dhcp_if, %public_keys) = @_;
+ my ($genout, $interfaces_use, $STRONGSWAN_INTF_CONFIG, $config_file, $genout_secrets, $secrets_file, $dhcp_if, %public_keys) = @_;
 open my $output_config, '>', $config_file or die "Can't open $config_file: $!";
 print ${output_config} $genout;
 close $output_config;
+
+ open my $strong_config, '>', $STRONGSWAN_INTF_CONFIG
+ or die "Can't open $STRONGSWAN_INTF_CONFIG: $!";
+ print ${strong_config} $interfaces_use;
+ close $strong_config;
+
 my @lines = split("\n", $genout_secrets);
 my @any = grep(/%any/, @lines);
 if (scalar(@any) > 0) {
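Review bot: The new `close $strong_config;` in `write_config` is unchecked, like the existing `close $output_config;` above it; buffered write errors only surface at close, and an empty or truncated interfaces_use.conf would likely leave charon without an `interfaces_use` setting, i.e. listening on every interface, so `close $strong_config or die "Can't write $STRONGSWAN_INTF_CONFIG: $!";` is worth adding (and the same treatment for the ipsec.conf and secrets handles). The new `$STRONGSWAN_INTF_CONFIG` parameter re-declares inside the sub a file-level lexical of the same ALL_CAPS name that is already in scope; passing the path is harmless, but the parameter should get a lower_snake_case name such as `$intf_config_file` so it does not read as a constant. With the two new positional scalars the signature now carries seven positional values ahead of `%public_keys`, which is easy to misorder at the two call sites in -1185; a trailing named-argument hash would be safer if this function is touched again. The rest of `write_config` continues past the hunk.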