author | John Southworth <john.southworth@vyatta.com> | 2011-02-16 19:16:25 -0600 |
---|---|---|
committer | John Southworth <john.southworth@vyatta.com> | 2011-02-16 19:16:25 -0600 |
commit | eca11479b369dc04894da775f394e306b452d5b4 (patch) | |
tree | 7c9e50c5c4cf420e6083faa5d18d6da11918b415 /scripts/vyatta-ipsec-dhcp.pl | |
parent | 241734ed6dc0c63411c78b82b8a85254fc311809 (diff) | |
download | vyatta-cfg-vpn-eca11479b369dc04894da775f394e306b452d5b4.tar.gz vyatta-cfg-vpn-eca11479b369dc04894da775f394e306b452d5b4.zip |
Initial support for configuring dhcp-interfaces for IPSEC, needs testing
Diffstat (limited to 'scripts/vyatta-ipsec-dhcp.pl')
-rwxr-xr-x | scripts/vyatta-ipsec-dhcp.pl | 92 |
1 files changed, 92 insertions, 0 deletions
diff --git a/scripts/vyatta-ipsec-dhcp.pl b/scripts/vyatta-ipsec-dhcp.pl
new file mode 100755
index 0000000..f20a65f
--- /dev/null
+++ b/scripts/vyatta-ipsec-dhcp.pl
@@ -0,0 +1,92 @@
+#!/usr/bin/perl
+use Getopt::Long;
+use strict;
+
+my $config_file = "/etc/ipsec.conf";
+my $secrets_file = "/etc/ipsec.secrets";
+my ($iface, $config_iface, $nip, $oip, $reason);
+GetOptions("interface=s" => \$iface,
+ "new_ip=s" => \$nip,
+ "old_ip=s" => \$oip,
+ "reason=s" => \$reason);
+
+# check if an update is needed
+exit(0) if (($oip eq $nip) && ($reason ne "BOUND"));
+
+# open ipsec config
+open (my $FD, '<', $config_file);
+my $header = '';
+my $footer = '';
+my $finheader = 0;
+my %connhash = ();
+my $curconn = '';
+foreach my $line (<$FD>){
+ next if (($line =~/^\s*$/) && $finheader);
+ if ($line =~ /\#conn.*/){
+ $curconn = '';
+ next;
+ }
+ if ($line =~ /(peer-.*-tunnel.*)/){
+ $finheader = 1;
+ my $connid = $1;
+ $curconn = $connid;
+ if (not exists $connhash{$connid}){
+ $connhash{$connid} = {
+ _dhcp_iface => undef,
+ _lip => undef,
+ _lines => []
+ };
+ }
+ } elsif (($line =~ /dhcp-interface=(.*)/) && ($curconn ne '') ){
+ $connhash{$curconn}->{_dhcp_iface}=$1;
+ } elsif (($line =~ /left=(.*)/) && ($curconn ne '') ){
+ $connhash{$curconn}->{_lip}=$1;
+ } elsif (!$finheader){
+ $header .= $line;
+ } elsif ($curconn ne ''){
+ push (@{$connhash{"$curconn"}->{_lines}}, $line);
+ } elsif ($curconn eq ''){
+ $footer .= $line;
+ }
+}
+close($FD);
+
+# output new ipsec.conf
+open my $output_config, '>', $config_file
+ or die "Can't open $config_file: $!";
+
+print ${output_config} "$header\n";
+foreach my $connid ( keys (%connhash)){
+ print ${output_config} "conn $connid\n";
+ if (defined($connhash{$connid}->{_dhcp_iface})){
+ if ($connhash{$connid}->{_dhcp_iface} eq $iface){
+ $connhash{$connid}->{_lip} = $nip;
+ }
+ print ${output_config} "\t\#dhcp-interface=$connhash{$connid}->{_dhcp_iface}\n";
+ }
+ print ${output_config} "\tleft=$connhash{$connid}->{_lip}\n";
+ foreach my $line (@{$connhash{$connid}->{_lines}}){
+ print ${output_config} $line;
+ }
+ print ${output_config} "\#conn $connid\n\n";
+}
+print ${output_config} "$footer\n";
+close $output_config;
+
+# change ipsec.secrets
+open (my $FD, '<', $secrets_file);
+my @lines = <$FD>;
+close FD;
+open my $output_secrets, '>', $secrets_file
+ or die "Can't open $secrets_file";
+foreach my $line (@lines){
+ if (($line =~ /\#dhcp-interface=(.*)\#/) && ($1 eq $iface)){
+ $line =~ s/^$oip /$nip /;
+ if (!($line =~ /^oip/)){
+ $line =~ s/^/$nip /;
+ }
+ }
+ print ${output_secrets} $line;
+}
+close $output_secrets;
+system ("/usr/sbin/ipsec update"); |