authorChristian Poessinger <christian@poessinger.com>2018-08-08 18:34:58 +0200
committerChristian Poessinger <christian@poessinger.com>2018-08-08 18:38:04 +0200
commite6648cebe1a19f3becf1553b45ec2b9337332e65 (patch)
tree7593e5da4fb48288b46e4ec389a6c1aedf3b3926 /scripts
parentac3e95a9fce6ce8fc9592072a66fcf140f123e36 (diff)
T767: cleanup vpn-config.pl - removal of KLIPS
Two IPsec kernel stacks are currently available: KLIPS and NETKEY. The Linux kernel NETKEY code is a rewrite from scratch of the KAME IPsec code. The KAME Project was a group effort of six companies in Japan to provide a free IPv6 and IPsec (for both IPv4 and IPv6) protocol stack implementation for variants of the BSD UNIX computer operating system. KLIPS is not a part of the Linux kernel. When using KLIPS, you must apply a patch to the kernel to support NAT-T. When using NETKEY, NAT-T support is already inside the kernel, and there is no need to patch the kernel. [1] The KLIPS part has been removed because the Perl script always used the NETKEY path. [1]: https://www.linuxjournal.com/article/9916
Diffstat (limited to 'scripts')
-rwxr-xr-xscripts/vpn-config.pl51
1 files changed, 9 insertions, 42 deletions
diff --git a/scripts/vpn-config.pl b/scripts/vpn-config.pl
index 3e3835d..4ca4238 100755
--- a/scripts/vpn-config.pl
+++ b/scripts/vpn-config.pl
@@ -63,10 +63,6 @@ my $interfaces_use;
my %key_file_list;
my %public_keys;
-# Set $using_klips to 1 if kernel IPsec support is provided by KLIPS.
-# Set it to 0 us using NETKEY.
-my $using_klips = 0;
-
$genout .= "# generated by $0\n\n";
$genout_secrets .= "# generated by $0\n\n";
$interfaces_use .= "# generated by $0\n\n";
@@ -235,48 +231,19 @@ if ($vcVPN->exists('ipsec')) {
}
$interfaces_use .= "\n}";
- # We need to generate an "interfaces=..." entry in the setup section
- # only if the underlying IPsec kernel code we are using is KLIPS.
- # If we are using NETKEY, the "interfaces=..." entry is essentially
- # not used, though we do need to include the line and the keyword
- # "%none" to keep the IPsec setup code from defaulting the entry.
- if ($using_klips) {
- $genout .= "\tinterfaces=\"";
- my $counter = 0;
+ my $counter = 0;
+ $genout .= "\t";
+ if (hasLocalWildcard($vcVPN, 0)) {
+ $genout .= 'interfaces="';
foreach my $interface (@interfaces) {
- if (!(-d "/sys/class/net/$interface")) {
- next;
- }
- if ($counter > 0) {
- $genout .= ' ';
- }
- $genout .= "ipsec$counter=$interface";
+ next if !-d "/sys/class/net/$interface";
+ next if scalar(getIP($interface)) < 1;
+ $genout .= "ipsec$counter=$interface ";
++$counter;
}
- if (hasLocalWildcard($vcVPN, 0)) {
- if ($counter > 0) {
- $genout .= ' ';
- }
- $genout .= '%defaultroute';
- }
- $genout .= "\"\n";
- }
- else {
- my $counter = 0;
- $genout .= "\t";
- if (hasLocalWildcard($vcVPN, 0)) {
- $genout .= 'interfaces="';
- foreach my $interface (@interfaces) {
- next if !-d "/sys/class/net/$interface";
- next if scalar(getIP($interface)) < 1;
- $genout .= "ipsec$counter=$interface ";
- ++$counter;
- }
- $genout .= '%defaultroute"';
- }
- $genout .= "\n";
-
+ $genout .= '%defaultroute"';
}
+ $genout .= "\n";
} else {
$interfaces_use .= "";