authorhagbard <vyosdev@derith.de>2018-12-06 11:06:25 -0800
committerhagbard <vyosdev@derith.de>2018-12-06 11:06:25 -0800
commita413b8acc402c52fcc112b27ed722709db84579b (patch)
treedab18ef3c3463226bc8ca7eac6157745022abfbb /scripts/vpn-config.pl
parentde1f3fbfaaa499e476ae15d53a023e286908c009 (diff)
Fix: T1048: [IPSec] Protocol all does not work in IPSec Tunnel
Diffstat (limited to 'scripts/vpn-config.pl')
-rwxr-xr-xscripts/vpn-config.pl90
1 files changed, 53 insertions, 37 deletions
diff --git a/scripts/vpn-config.pl b/scripts/vpn-config.pl
index 4ca4238..ace33e8 100755
--- a/scripts/vpn-config.pl
+++ b/scripts/vpn-config.pl
@@ -589,49 +589,65 @@ if ($vcVPN->exists('ipsec')) {
}
}
if (defined($rightsubnet)) {
- $genout .= "\trightsubnet=$rightsubnet\n";
- }
+ my $protocol = $vcVPN->returnValue("ipsec site-to-site peer $peer $tunKeyword protocol");
+ my $rport = $vcVPN->returnValue("ipsec site-to-site peer $peer $tunKeyword remote port");
- #
- # Protocol/port
- #
- my $protocol = $vcVPN->returnValue("ipsec site-to-site peer $peer $tunKeyword protocol");
- my $lprotoport = '';
- if (defined($protocol)){
- $lprotoport .= $protocol;
- }
- my $lport = $vcVPN->returnValue("ipsec site-to-site peer $peer $tunKeyword local port");
- if (defined($lport)){
- if (!defined($protocol)){
- $lprotoport .= "0/$lport";
- } elsif (is_tcp_udp($protocol)){
- $lprotoport .= "/$lport";
- } else {
- vpn_die(["vpn","ipsec","site-to-site","peer",$peer, "tunnel", $tunnel, "local", "port"],
- "$vpn_cfg_err local port can only be defined when protocol is tcp, udp, or undefined.\n");
+ if ($protocol eq 'all') {
+ $protocol = '%any';
+ }
+ if (defined($rport)){
+ if (is_tcp_udp($protocol)){
+ if ($rport eq 'all') {
+ $rport = '%any';
+ }
+ }
+ else {
+ vpn_die(["vpn","ipsec","site-to-site","peer",$peer, "tunnel", $tunnel, "remote", "port"],
+ "$vpn_cfg_err remote port can only be defined when protocol is tcp, udp, or undefined.\n");
+ }
+ }
+ else {
+ $rport = '%any';
+ }
+ if (defined($protocol)) {
+ $genout .= "\trightsubnet=$rightsubnet\[$protocol/$rport\]\n";
+ }
+ else {
+ $genout .= "\trightsubnet=$rightsubnet\n";
}
- }
- if (not($lprotoport eq '')){
- $genout .= "\tleftprotoport=$lprotoport\n";
}
- my $rprotoport = '';
- if (defined($protocol)){
- $rprotoport .= $protocol;
- }
- my $rport = $vcVPN->returnValue("ipsec site-to-site peer $peer $tunKeyword remote port");
- if (defined($rport)){
- if (!defined($protocol)){
- $rprotoport .= "0/$rport";
- } elsif (is_tcp_udp($protocol)){
- $rprotoport .= "/$rport";
- } else {
+ if (defined($leftsubnet)) {
+ my $protocol = $vcVPN->returnValue("ipsec site-to-site peer $peer $tunKeyword protocol");
+ my $lport = $vcVPN->returnValue("ipsec site-to-site peer $peer $tunKeyword local port");
+
+ if ($protocol eq 'all') {
+ $protocol = '%any';
+ }
+
+ if (defined($lport)){
+ if (is_tcp_udp($protocol)){
+ if ($lport eq 'all') {
+ $lport = '%any';
+ }
+
+ }
+ else {
vpn_die(["vpn","ipsec","site-to-site","peer",$peer, "tunnel", $tunnel, "remote", "port"],
- "$vpn_cfg_err remote port can only be defined when protocol is tcp, udp, or undefined.\n");
+ "$vpn_cfg_err remote port can only be defined when protocol is tcp, udp, or undefined.\n");
+ }
+
+ }
+ else {
+ $lport = '%any';
+ }
+
+ if (defined($protocol)) {
+ $genout .= "\tleftsubnet=$leftsubnet\[$protocol/$lport\]\n";
+ }
+ else {
+ $genout .= "\tleftsubnet=$leftsubnet\n";
}
- }
- if (not($rprotoport eq '')){
- $genout .= "\trightprotoport=$rprotoport\n";
}
#