author | Mohit Mehta <mohit.mehta@vyatta.com> | 2010-05-26 20:09:23 -0700 |
committer | Mohit Mehta <mohit.mehta@vyatta.com> | 2010-05-26 20:09:23 -0700 |
commit | 7489c521ca6e4134d02ef4b406ba931de3625613 (patch) | |
tree | 6dd445a691da54d5c52cf9cdd1bd6116d543b168 /scripts | |
parent | 19ecf607495d82626490c4c942d233c564f88ad8 (diff) | |
add passthrough connection if remote-subnet contains local-subnet
Diffstat (limited to 'scripts')
-rwxr-xr-x | scripts/vpn-config.pl | 49 |
1 files changed, 49 insertions, 0 deletions
diff --git a/scripts/vpn-config.pl b/scripts/vpn-config.pl index e40e3ba..3577e60 100755 --- a/scripts/vpn-config.pl +++ b/scripts/vpn-config.pl @@ -33,6 +33,7 @@ use constant REKEYFUZZ_DEFAULT => 100; use constant INVALID_LOCAL_IP => 254; use constant VPN_MAX_PROPOSALS => 10; +use Vyatta::TypeChecker; use Vyatta::VPN::Util; use Getopt::Long; use Vyatta::Misc; @@ -475,6 +476,8 @@ if ( $vcVPN->exists('ipsec') ) { } foreach my $tunnel (@tunnels) { + my $needs_passthrough = 'false'; + # # Add support for tunnel disable. # @@ -647,6 +650,29 @@ if ( $vcVPN->exists('ipsec') ) { $genout .= $leftsourceip if defined $leftsourceip; # + # check if passthrough connection is needed + # needed when remote-subnet encompasses local-subnet + # + if (defined $leftsubnet && defined $rightsubnet) { + # validate that these values are ipv4net + my $valid_leftsubnet = 'false'; + my $valid_rightsubnet = 'false'; + + $valid_leftsubnet = 'true' if validateType( 'ipv4net', $leftsubnet, 'quiet' ); + $valid_rightsubnet = 'true' if validateType( 'ipv4net', $rightsubnet, 'quiet' ); + + if ($valid_leftsubnet eq 'true' && $valid_rightsubnet eq 'true') { + + my $localsubnet_object = new NetAddr::IP($leftsubnet); + my $remotesubnet_object = new NetAddr::IP($rightsubnet); + + if ($remotesubnet_object->contains($localsubnet_object)) { + $needs_passthrough = 'true'; + } + } + } + + # # Write IKE configuration from group # my $ikelifetime = IKELIFETIME_DEFAULT; 
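Review bot: The two `new NetAddr::IP(...)` calls in the passthrough check use indirect object syntax; under `use strict` that is parsed as a method call on the bareword class, and if `NetAddr::IP` is not already loaded earlier in the file (this hunk only adds `use Vyatta::TypeChecker`; no `use NetAddr::IP` is visible in the diff) it fails at run time with "Can't locate object method new". Write them as `my $localsubnet_object = NetAddr::IP->new($leftsubnet);` and `my $remotesubnet_object = NetAddr::IP->new($rightsubnet);`, which is unambiguous and what perlcritic expects. The `'true'`/`'false'` string flags are also unnecessary here: `validateType` already returns a boolean, so `if ( validateType('ipv4net', $leftsubnet, 'quiet') && validateType('ipv4net', $rightsubnet, 'quiet') )` replaces the two `$valid_*` temporaries, and `$needs_passthrough` could be a plain `0`/`1` tested with `if ($needs_passthrough)` in the consumer hunk at line 951 (keep the strings only if that is this file's convention). The `foreach my $tunnel` body this sits in starts and ends outside the hunk.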
@@ -951,6 +977,29 @@ if ( $vcVPN->exists('ipsec') ) { $conn_head =~ s/\n//; $genout .= "#$conn_head"; # to identify end of connection definition # used by clear vpn op-mode command + + if ( $needs_passthrough eq 'true' ) { + + # CREATE A PASSTHROUGH CONNECTION + my $passthrough_conn_head = "\nconn passthrough-peer-$peer-tunnel-$tunnel\n"; + $passthrough_conn_head =~ s/ peer-@/ peer-/; + $genout .= $passthrough_conn_head; + if ( $lip eq '0.0.0.0' ) { + $genout .= "\tleft=%defaultroute\n"; + } else { + $genout .= "\tleft=$lip\n"; + } + $genout .= "\tright=$right\n"; + $genout .= "\tleftsubnet=$leftsubnet\n"; + $genout .= "\trightsubnet=$leftsubnet\n"; + $genout .= "\ttype=passthrough\n"; + $genout .= "\tauthby=never\n"; + $genout .= "\tauto=route\n"; + $passthrough_conn_head =~ s/\n//; + $genout .= "#$passthrough_conn_head"; + + } + } } } else { |
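Review bot: The `left=` selection in the new passthrough conn (`%defaultroute` when `$lip` is `0.0.0.0`, otherwise `$lip`) presumably duplicates the same branch the main tunnel conn emits earlier in this loop body (outside the hunk); if so, compute it once into a scalar such as `my $left_value = $lip eq '0.0.0.0' ? '%defaultroute' : $lip;` and reuse it in both conn definitions so they cannot drift apart. The `# CREATE A PASSTHROUGH CONNECTION` comment should state the why rather than the what, e.g. `# rightsubnet covers leftsubnet, so exempt local-to-local traffic from the tunnel policy (type=passthrough, no IKE, auto=route)`; without it the deliberate `leftsubnet=$leftsubnet` / `rightsubnet=$leftsubnet` pair reads like a copy-paste mistake. `s/\n//` strips only the leading newline of `$passthrough_conn_head`, matching the existing `$conn_head` handling, so the `#conn passthrough-...` end marker keeps its trailing newline — consistent with what the `clear vpn` op-mode parser is said to rely on, but worth a one-line comment next to it. The enclosing `foreach` begins before this hunk.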