summaryrefslogtreecommitdiff
path: root/scripts
diff options
context:
space:
mode:
authorDaniil Baturin <daniil@baturin.org>2018-06-24 13:06:04 +0200
committerDaniil Baturin <daniil@baturin.org>2018-06-24 13:06:04 +0200
commit1e57b56f271d55bee4e1118f4f4f9aad27b813ce (patch)
tree52644fe91c46af6dbad1edf2664e2f359ed6c992 /scripts
parenta2574ad42f708aa662bc9fc7bbbf0badf8349bd1 (diff)
parent90daa5e2cf02ffd3fd5936b4f372f1e85ab62ef6 (diff)
downloadvyatta-cfg-vpn-lithium.tar.gz
vyatta-cfg-vpn-lithium.zip
Merge branch 'current' into lithiumlithium
Conflicts: scripts/vpn-config.pl
Diffstat (limited to 'scripts')
-rwxr-xr-xscripts/dmvpn-config.pl1164
-rwxr-xr-xscripts/vpn-config.pl451
-rwxr-xr-xscripts/vyatta-vti-config.pl4
3 files changed, 783 insertions, 836 deletions
diff --git a/scripts/dmvpn-config.pl b/scripts/dmvpn-config.pl
index 8a8c1ff..6fa180d 100755
--- a/scripts/dmvpn-config.pl
+++ b/scripts/dmvpn-config.pl
@@ -21,36 +21,24 @@ use NetAddr::IP;
use Vyatta::VPN::vtiIntf;
my $config_file;
-my $secrets_file;
my $init_script;
my $tunnel_context;
my $tun_id;
GetOptions(
"config_file=s" => \$config_file,
- "secrets_file=s" => \$secrets_file,
"init_script=s" => \$init_script,
"tunnel_context" => \$tunnel_context,
"tun_id=s" => \$tun_id
);
-my $CA_CERT_PATH = '/etc/ipsec.d/cacerts';
-my $CRL_PATH = '/etc/ipsec.d/crls';
-my $SERVER_CERT_PATH = '/etc/ipsec.d/certs';
-my $SERVER_KEY_PATH = '/etc/ipsec.d/private';
+
my $LOGFILE = '/var/log/vyatta/ipsec.log';
my $vpn_cfg_err = "VPN configuration error:";
-my $clustering_ip = 0;
-my $dhcp_if = 0;
my $genout;
-my $genout_secrets;
my $dh_disable;
-# Set $using_klips to 1 if kernel IPsec support is provided by KLIPS.
-# Set it to 0 if using NETKEY.
-my $using_klips = 0;
-
-$genout .= "# generated by $0\n\n";
-$genout_secrets .= "# generated by $0\n\n";
+$genout .= "# generated by $0\n\n";
+$genout .= "connections {\n";
#
# Prepare Vyatta::Config object
@@ -64,528 +52,475 @@ $vcVPN->setLevel('vpn');
# if it has not then exit
my $ipsecstatus = $vcVPN->isChanged('ipsec');
if ( $ipsecstatus && $tunnel_context ) {
-
- # no sence to do same update twice, will be done via vpn context
- exit 0;
+ # no sence to do same update twice, will be done via vpn context
+ exit 0;
}
if ( !$ipsecstatus ) {
- my $tun_ip_changed = 0;
- my @tuns = $vc->listNodes('interfaces tunnel');
- my @profs = $vcVPN->listNodes('ipsec profile');
- foreach my $prof (@profs) {
- my @tuns = $vcVPN->listNodes("ipsec profile $prof bind tunnel");
- foreach my $tun (@tuns) {
- my $lip_old =
- $vc->returnOrigValue("interfaces tunnel $tun local-ip");
- my $lip_new = $vc->returnValue("interfaces tunnel $tun local-ip");
- if ( !( "$lip_old" eq "$lip_new" ) ) {
- if ($tun_ip_changed) {
-
- # tunnel $tun_id is not the last tunnel with updated local-ip, so skip
+ my $tun_ip_changed = 0;
+ my @tuns = $vc->listNodes('interfaces tunnel');
+ my @profs = $vcVPN->listNodes('ipsec profile');
+ foreach my $prof (@profs) {
+ my @tuns = $vcVPN->listNodes("ipsec profile $prof bind tunnel");
+ foreach my $tun (@tuns) {
+ my $lip_old = $vc->returnOrigValue("interfaces tunnel $tun local-ip");
+ my $lip_new = $vc->returnValue("interfaces tunnel $tun local-ip");
+ if ( !( "$lip_old" eq "$lip_new" ) ) {
+ if ($tun_ip_changed) {
+ # tunnel $tun_id is not the last tunnel with updated local-ip, so skip
exit 0;
- }
- if ( "$tun" eq "$tun_id" ) {
- $tun_ip_changed = 1;
- }
- }
- }
- }
- if ( !$tun_ip_changed ) {
- exit 0;
- }
+ }
+ if ( "$tun" eq "$tun_id" ) {
+ $tun_ip_changed = 1;
+ }
+ }
+ }
+ }
+ if ( !$tun_ip_changed ) {
+ exit 0;
+ }
}
if ( $vcVPN->exists('ipsec') ) {
-
- #
- # Connection configurations
- #
- my @profiles = $vcVPN->listNodes('ipsec profile');
- my $prev_profile = "";
- foreach my $profile (@profiles) {
- my $profile_ike_group =
- $vcVPN->returnValue("ipsec profile $profile ike-group");
- if ( !defined($profile_ike_group) || $profile_ike_group eq '' ) {
- vpn_die(
- [ "vpn", "ipsec", "profile", $profile, "ike-group" ],
-"$vpn_cfg_err No IKE group specified for profile \"$profile\".\n"
- );
- }
- elsif ( !$vcVPN->exists("ipsec ike-group $profile_ike_group") ) {
- vpn_die(
- [ "vpn", "ipsec", "profile", $profile, "ike-group" ],
-"$vpn_cfg_err The IKE group \"$profile_ike_group\" specified for profile "
- . "\"$profile\" has not been configured.\n"
- );
- }
-
- my $authid =
- $vcVPN->returnValue("ipsec profile $profile authentication id");
-
- #
- # ESP group
- #
- my $profile_esp_group =
- $vcVPN->returnValue("ipsec profile $profile esp-group");
- if ( !defined($profile_esp_group) || $profile_esp_group eq '' ) {
- vpn_die(
- [ "vpn", "ipsec", "profile", $profile, "esp-group" ],
-"$vpn_cfg_err No ESP group specified for profile \"$profile\".\n"
- );
- }
- elsif ( !$vcVPN->exists("ipsec esp-group $profile_esp_group") ) {
- vpn_die(
- [ "vpn", "ipsec", "profile", $profile, "esp-group" ],
- "$vpn_cfg_err The ESP group \"$profile_esp_group\" specified "
- . "for profile \"$profile\" has not been configured.\n"
- );
- }
-
- #
- # Authentication mode
- #
- #
- # Write shared secrets to ipsec.secrets
- #
- my $auth_mode =
- $vcVPN->returnValue("ipsec profile $profile authentication mode");
- my $psk = '';
- if ( !defined($auth_mode) || $auth_mode eq '' ) {
- vpn_die(
- [ "vpn", "ipsec", "profile", $profile, "authentication" ],
-"$vpn_cfg_err No authentication mode for profile \"$profile\" specified.\n"
- );
- }
- elsif ( defined($auth_mode) && ( $auth_mode eq 'pre-shared-secret' ) ) {
- $psk = $vcVPN->returnValue(
- "ipsec profile $profile authentication pre-shared-secret");
- my $orig_psk = $vcVPN->returnOrigValue(
- "ipsec profile $profile authentication pre-shared-secret");
- $orig_psk = "" if ( !defined($orig_psk) );
- if ( $psk ne $orig_psk && $orig_psk ne "" ) {
- print
-"WARNING: The pre-shared-secret will not be updated until the next re-keying interval\n";
- print "To force the key change use: 'reset vpn ipsec-peer'\n";
- }
- if ( !defined($psk) || $psk eq '' ) {
- vpn_die(
- [ "vpn", "ipsec", "profile", $profile, "authentication" ],
-"$vpn_cfg_err No 'pre-shared-secret' specified for profile \"$profile\""
- . " while 'pre-shared-secret' authentication mode is specified.\n"
- );
- }
- }
- else {
- vpn_die(
- [ "vpn", "ipsec", "profile", $profile, "authentication" ],
-"$vpn_cfg_err Unknown/unsupported authentication mode \"$auth_mode\" for profile "
- . "\"$profile\" specified.\n"
- );
- }
-
- my @tunnels = $vcVPN->listNodes("ipsec profile $profile bind tunnel");
-
- foreach my $tunnel (@tunnels) {
-
- #
- # Check whether this tunnel is already in some profile
- #
- foreach my $prof (@profiles) {
- if ( $prof != $profile ) {
- if (
- $vcVPN->exists(
- "ipsec profile $prof bind tunnel $tunnel")
- )
+ #
+ # Connection configurations
+ #
+ my @profiles = $vcVPN->listNodes('ipsec profile');
+ my $prev_profile = "";
+ foreach my $profile (@profiles) {
+ my $profile_ike_group = $vcVPN->returnValue("ipsec profile $profile ike-group");
+ if ( !defined($profile_ike_group) || $profile_ike_group eq '' ) {
+ vpn_die([ "vpn", "ipsec", "profile", $profile, "ike-group" ],
+ "$vpn_cfg_err No IKE group specified for profile \"$profile\".\n");
+ }
+ elsif ( !$vcVPN->exists("ipsec ike-group $profile_ike_group") ) {
+ vpn_die([ "vpn", "ipsec", "profile", $profile, "ike-group" ],
+ "$vpn_cfg_err The IKE group \"$profile_ike_group\" specified for profile "
+ . "\"$profile\" has not been configured.\n");
+ }
+
+ #
+ # ESP group
+ #
+ my $profile_esp_group = $vcVPN->returnValue("ipsec profile $profile esp-group");
+ if ( !defined($profile_esp_group) || $profile_esp_group eq '' ) {
+ vpn_die([ "vpn", "ipsec", "profile", $profile, "esp-group" ],
+ "$vpn_cfg_err No ESP group specified for profile \"$profile\".\n");
+ }
+ elsif ( !$vcVPN->exists("ipsec esp-group $profile_esp_group") ) {
+ vpn_die([ "vpn", "ipsec", "profile", $profile, "esp-group" ],
+ "$vpn_cfg_err The ESP group \"$profile_esp_group\" specified "
+ . "for profile \"$profile\" has not been configured.\n");
+ }
+
+ #
+ # Authentication mode
+ #
+ #
+ # Write shared secrets to ipsec.secrets
+ #
+ my $auth_mode = $vcVPN->returnValue("ipsec profile $profile authentication mode");
+ my $psk = '';
+ if ( !defined($auth_mode) || $auth_mode eq '' ) {
+ vpn_die(
+ [ "vpn", "ipsec", "profile", $profile, "authentication" ],
+ "$vpn_cfg_err No authentication mode for profile \"$profile\" specified.\n"
+ );
+ }
+ elsif ( defined($auth_mode) && ( $auth_mode eq 'pre-shared-secret' ) ) {
+ $psk = $vcVPN->returnValue("ipsec profile $profile authentication pre-shared-secret");
+ my $orig_psk = $vcVPN->returnOrigValue("ipsec profile $profile authentication pre-shared-secret");
+ $orig_psk = "" if ( !defined($orig_psk) );
+ if ( $psk ne $orig_psk && $orig_psk ne "" ) {
+ print "WARNING: The pre-shared-secret will not be updated until the next re-keying interval\n";
+ print "To force the key change use: 'reset vpn ipsec-peer'\n";
+ }
+ if ( !defined($psk) || $psk eq '' ) {
+ vpn_die(
+ [ "vpn", "ipsec", "profile", $profile, "authentication" ],
+ "$vpn_cfg_err No 'pre-shared-secret' specified for profile \"$profile\""
+ . " while 'pre-shared-secret' authentication mode is specified.\n"
+ );
+ }
+ }
+ else {
+ vpn_die(
+ [ "vpn", "ipsec", "profile", $profile, "authentication" ],
+ "$vpn_cfg_err Unknown/unsupported authentication mode \"$auth_mode\" for profile "
+ . "\"$profile\" specified.\n"
+ );
+ }
+
+ my @tunnels = $vcVPN->listNodes("ipsec profile $profile bind tunnel");
+ foreach my $tunnel (@tunnels) {
+ #
+ # Check whether this tunnel is already in some profile
+ #
+ foreach my $prof (@profiles) {
+ if ( $prof != $profile ) {
+ if ( $vcVPN->exists("ipsec profile $prof bind tunnel $tunnel") )
{
- vpn_die(
- [
- "vpn", "ipsec", "profile", $profile,
- "bind", "tunnel", $tunnel
- ],
-"$vpn_cfg_err Tunnel \"$tunnel\" is already configured in profile \"$prof\"."
- );
- }
- }
- }
-
- my $needs_passthrough = 'false';
- my $tunKeyword = 'tunnel ' . "$tunnel";
-
- my $conn_head = "conn vpnprof-tunnel-$tunnel\n";
- $genout .= $conn_head;
-
- my $lip = $vc->returnValue("interfaces tunnel $tunnel local-ip");
- my $leftsourceip = undef;
-
- $genout .= "\tleft=$lip\n";
- $leftsourceip = "\tleftsourceip=$lip\n";
- $genout .= "\tleftid=$authid\n" if defined $authid;
-
- my $right = '%any';
- my $any_peer = 1;
-
- $genout .= "\tright=$right\n";
- if ($any_peer) {
- $genout .= "\trekey=no\n";
- }
-
- #
- # Protocol/port
- #
- my $protocol = "gre";
- my $lprotoport = '';
- if ( defined($protocol) ) {
- $lprotoport .= $protocol;
- }
- if ( not( $lprotoport eq '' ) ) {
- $genout .= "\tleftprotoport=$lprotoport\n";
- }
-
- my $rprotoport = '';
- if ( defined($protocol) ) {
- $rprotoport .= $protocol;
- }
- if ( not( $rprotoport eq '' ) ) {
- $genout .= "\trightprotoport=$rprotoport\n";
- }
-
- #
- # Write IKE configuration from group
- #
- my $ikelifetime = IKELIFETIME_DEFAULT;
- $genout .= "\tike=";
- my $ike_group =
- $vcVPN->returnValue("ipsec profile $profile ike-group");
- if ( defined($ike_group) && $ike_group ne '' ) {
- my @ike_proposals =
- $vcVPN->listNodes("ipsec ike-group $ike_group proposal");
-
- my $first_ike_proposal = 1;
- foreach my $ike_proposal (@ike_proposals) {
-
- #
- # Get encryption, hash & Diffie-Hellman key size
- #
- my $encryption = $vcVPN->returnValue(
-"ipsec ike-group $ike_group proposal $ike_proposal encryption"
- );
- my $hash = $vcVPN->returnValue(
- "ipsec ike-group $ike_group proposal $ike_proposal hash"
- );
- my $dh_group = $vcVPN->returnValue(
-"ipsec ike-group $ike_group proposal $ike_proposal dh-group"
- );
-
- if ( defined($dh_group) ) {
- $dh_disable = 1;
- }
-
- #
- # Write separator if not first proposal
- #
- if ($first_ike_proposal) {
- $first_ike_proposal = 0;
- }
- else {
- $genout .= ",";
- }
-
- #
- # Write values
- #
- if ( defined($encryption) && defined($hash) ) {
- $genout .= "$encryption-$hash";
- if ( defined($dh_group) ) {
- if ($dh_group eq '2') {
- $genout .= '-modp1024';
- } elsif ($dh_group eq '5') {
- $genout .= '-modp1536';
- } elsif ($dh_group eq '14') {
- $genout .= '-modp2048';
- } elsif ($dh_group eq '15') {
- $genout .= '-modp3072';
- } elsif ($dh_group eq '16') {
- $genout .= '-modp4096';
- } elsif ($dh_group eq '17') {
- $genout .= '-modp6144';
- } elsif ($dh_group eq '18') {
- $genout .= '-modp8192';
- } elsif ($dh_group eq '19') {
- $genout .= '-ecp256';
- } elsif ($dh_group eq '20') {
- $genout .= '-ecp384';
- } elsif ($dh_group eq '21') {
- $genout .= '-ecp521';
- } elsif ($dh_group eq '22') {
- $genout .= '-modp1024s160';
- } elsif ($dh_group eq '23') {
- $genout .= '-modp2048s224';
- } elsif ($dh_group eq '24') {
- $genout .= '-modp2048s256';
- } elsif ($dh_group eq '25') {
- $genout .= '-ecp192';
- } elsif ($dh_group eq '26') {
- $genout .= '-ecp224';
- }
- elsif ( $dh_group ne '' ) {
- vpn_die(["vpn","ipsec","profile", $profile,"bind","tunnel", $tunnel],"$vpn_cfg_err Invalid 'dh-group' $dh_group specified in ".
- "profile \"$profile\" for $tunKeyword. Only 2, 5, or 14 through 26 accepted.\n");
- }
- }
- }
- }
-
- #why we always set strict mode?
- $genout .= "!\n";
-
- my $t_ikelifetime =
- $vcVPN->returnValue("ipsec ike-group $ike_group lifetime");
- if ( defined($t_ikelifetime) && $t_ikelifetime ne '' ) {
- $ikelifetime = $t_ikelifetime;
- }
- $genout .= "\tikelifetime=$ikelifetime" . "s\n";
-
- #
- # Check for Dead Peer Detection DPD
- #
- my $dpd_interval = $vcVPN->returnValue(
- "ipsec ike-group $ike_group dead-peer-detection interval");
- my $dpd_timeout = $vcVPN->returnValue(
- "ipsec ike-group $ike_group dead-peer-detection timeout");
- my $dpd_action = $vcVPN->returnValue(
- "ipsec ike-group $ike_group dead-peer-detection action");
- if ( defined($dpd_interval)
- && defined($dpd_timeout)
- && defined($dpd_action) )
- {
- $genout .= "\tdpddelay=$dpd_interval" . "s\n";
- $genout .= "\tdpdtimeout=$dpd_timeout" . "s\n";
- $genout .= "\tdpdaction=$dpd_action\n";
- }
- }
-
- #
- # Write ESP configuration from group
- #
- my $esplifetime = ESPLIFETIME_DEFAULT;
- $genout .= "\tesp=";
- my $esp_group =
- $vcVPN->returnValue("ipsec profile $profile esp-group");
- if ( defined($esp_group) && $esp_group ne '' ) {
- my @esp_proposals =
- $vcVPN->listNodes("ipsec esp-group $esp_group proposal");
- my $first_esp_proposal = 1;
- foreach my $esp_proposal (@esp_proposals) {
-
- #
- # Get encryption, hash
- #
- my $encryption = $vcVPN->returnValue(
-"ipsec esp-group $esp_group proposal $esp_proposal encryption"
- );
- my $hash = $vcVPN->returnValue(
- "ipsec esp-group $esp_group proposal $esp_proposal hash"
- );
-
- #
- # Write separator if not first proposal
- #
- if ($first_esp_proposal) {
- $first_esp_proposal = 0;
- }
- else {
- $genout .= ",";
- }
-
- #
- # Write values
- #
- if ( defined($encryption) && defined($hash) ) {
- $genout .= "$encryption-$hash";
- }
- }
- $genout .= "!\n";
-
- my $t_esplifetime =
- $vcVPN->returnValue("ipsec esp-group $esp_group lifetime");
- if ( defined($t_esplifetime) && $t_esplifetime ne '' ) {
- $esplifetime = $t_esplifetime;
- }
- $genout .= "\tkeylife=$esplifetime" . "s\n";
-
- my $lower_lifetime = $ikelifetime;
- if ( $esplifetime < $ikelifetime ) {
- $lower_lifetime = $esplifetime;
- }
-
- #
- # The lifetime values need to be greater than:
- # rekeymargin*(100+rekeyfuzz)/100
- #
- my $rekeymargin = REKEYMARGIN_DEFAULT;
- if ( $lower_lifetime <= ( 2 * $rekeymargin ) ) {
- $rekeymargin = int( $lower_lifetime / 2 ) - 1;
- }
- $genout .= "\trekeymargin=$rekeymargin" . "s\n";
-
- #
- # Mode (tunnel or transport)
- #
- my $espmode =
- $vcVPN->returnValue("ipsec esp-group $esp_group mode");
- if ( !defined($espmode) || $espmode eq '' ) {
- $espmode = "tunnel";
- }
- $genout .= "\ttype=$espmode\n";
-
- #
- # Perfect Forward Secrecy
- #
- my $pfs = $vcVPN->returnValue("ipsec esp-group $esp_group pfs");
- if (defined($pfs)) {
- if ( $pfs eq 'enable' && defined($dh_disable) ) {
- $genout .= "\tpfs=yes\n";
- } elsif ($pfs eq 'dh-group2') {
- $genout .= "\tpfs=yes\n";
- $genout .= "\tpfsgroup=modp1024\n";
- } elsif ($pfs eq 'dh-group5') {
- $genout .= "\tpfs=yes\n";
- $genout .= "\tpfsgroup=modp1536\n";
- } elsif ($pfs eq 'dh-group14') {
- $genout .= "\tpfs=yes\n";
- $genout .= "\tpfsgroup=modp2048\n";
- } elsif ($pfs eq 'dh-group15') {
- $genout .= "\tpfs=yes\n";
- $genout .= "\tpfsgroup=modp3072\n";
- } elsif ($pfs eq 'dh-group16') {
- $genout .= "\tpfs=yes\n";
- $genout .= "\tpfsgroup=modp4096\n";
- } elsif ($pfs eq 'dh-group17') {
- $genout .= "\tpfs=yes\n";
- $genout .= "\tpfsgroup=modp6144\n";
- } elsif ($pfs eq 'dh-group18') {
- $genout .= "\tpfs=yes\n";
- $genout .= "\tpfsgroup=modp8192\n";
- } elsif ($pfs eq 'dh-group19') {
- $genout .= "\tpfs=yes\n";
- $genout .= "\tpfsgroup=ecp256\n";
- } elsif ($pfs eq 'dh-group20') {
- $genout .= "\tpfs=yes\n";
- $genout .= "\tpfsgroup=ecp384\n";
- } elsif ($pfs eq 'dh-group21') {
- $genout .= "\tpfs=yes\n";
- $genout .= "\tpfsgroup=ecp521\n";
- } elsif ($pfs eq 'dh-group22') {
- $genout .= "\tpfs=yes\n";
- $genout .= "\tpfsgroup=modp1024s160\n";
- } elsif ($pfs eq 'dh-group23') {
- $genout .= "\tpfs=yes\n";
- $genout .= "\tpfsgroup=modp2048s224\n";
- } elsif ($pfs eq 'dh-group24') {
- $genout .= "\tpfs=yes\n";
- $genout .= "\tpfsgroup=modp2048s256\n";
- } elsif ($pfs eq 'dh-group25') {
- $genout .= "\tpfs=yes\n";
- $genout .= "\tpfsgroup=ecp192\n";
- } elsif ($pfs eq 'dh-group26') {
- $genout .= "\tpfs=yes\n";
- $genout .= "\tpfsgroup=ecp224\n";
- } else {
- $genout .= "\tpfs=no\n";
- }
- }
-
- #
- # Compression
- #
- my $compression =
- $vcVPN->returnValue("ipsec esp-group $esp_group compression");
- if ( defined($compression) ) {
- if ( $compression eq 'enable' ) {
- $genout .= "\tcompress=yes\n";
- }
- else {
- $genout .= "\tcompress=no\n";
- }
- }
- }
-
- #
- # Authentication
- #
- $right = '%any';
- if ( not( $prev_profile eq $profile ) ) {
- $genout_secrets .= "\n$lip $right ";
- if ( defined($authid) ) {
- $genout_secrets .= "$authid ";
- }
- $genout_secrets .= ": PSK \"$psk\" ";
- }
- $prev_profile = $profile;
- if ( defined($auth_mode) && ( $auth_mode eq 'pre-shared-secret' ) )
- {
- $genout .= "\tauthby=secret\n";
- }
-
- #
- # Start automatically
- #
- if ($any_peer) {
- $genout .= "\tauto=add\n";
- $genout .= "\tkeyingtries=%forever\n";
- }
- else {
- $genout .= "\tauto=start\n";
- }
- $genout .= "#$conn_head"; # to identify end of connection definition
- # used by clear vpn op-mode command
- }
- }
-
+ vpn_die(["vpn", "ipsec", "profile", $profile,"bind", "tunnel", $tunnel],
+ "$vpn_cfg_err Tunnel \"$tunnel\" is already configured in profile \"$prof\".");
+ }
+ }
+ }
+
+ my $needs_passthrough = 'false';
+ my $tunKeyword = 'tunnel ' . "$tunnel";
+
+ my $conn_head = "\tvpnprof-dmvpn-$tunnel {\n";
+ $genout .= $conn_head;
+
+ my $lip = $vc->returnValue("interfaces tunnel $tunnel local-ip");
+ my $leftsourceip = undef;
+
+ #
+ # Write IKE configuration from group
+ #
+ my $ikelifetime = IKELIFETIME_DEFAULT;
+ $genout .= "\t\tproposals = ";
+ my $ike_group = $vcVPN->returnValue("ipsec profile $profile ike-group");
+ if ( defined($ike_group) && $ike_group ne '' ) {
+ my @ike_proposals = $vcVPN->listNodes("ipsec ike-group $ike_group proposal");
+ my $first_ike_proposal = 1;
+ foreach my $ike_proposal (@ike_proposals) {
+ #
+ # Get encryption, hash & Diffie-Hellman key size
+ #
+ my $encryption = $vcVPN->returnValue("ipsec ike-group $ike_group proposal $ike_proposal encryption");
+ my $hash = $vcVPN->returnValue("ipsec ike-group $ike_group proposal $ike_proposal hash");
+ my $dh_group = $vcVPN->returnValue("ipsec ike-group $ike_group proposal $ike_proposal dh-group");
+
+ if ( defined($dh_group) ) {
+ $dh_disable = 1;
+ }
+
+ #
+ # Write separator if not first proposal
+ #
+ if ($first_ike_proposal) {
+ if ( !defined($dh_group) ) {
+ vpn_die(["vpn","ipsec","profile", $profile,"bind","tunnel", $tunnel],"$vpn_cfg_err 'dh-group' must be specified in ".
+ "ike-group \"$ike_group\" proposal \"$ike_proposal\" dh-group. \n");
+ }
+ $first_ike_proposal = 0;
+ }
+ else {
+ $genout .= ",";
+ }
+
+ #
+ # Write values
+ #
+ if ( defined($encryption) && defined($hash) ) {
+ $genout .= "$encryption-$hash";
+ if ( defined($dh_group) ) {
+ my $cipher_out = get_dh_cipher_result($dh_group);
+ if ($cipher_out eq 'unknown') {
+ vpn_die(["vpn","ipsec","profile", $profile,"bind","tunnel", $tunnel],"$vpn_cfg_err Invalid 'dh-group' $dh_group specified in ".
+ "profile \"$profile\" for $tunKeyword. Only 2, 5, or 14 through 26 accepted.\n");
+ } else {
+ $genout .= "-$cipher_out";
+ }
+ }
+ }
+ }
+ $genout .= "\n";
+
+ #
+ # Get IKE version setting
+ #
+ my $key_exchange = $vcVPN->returnValue("ipsec ike-group $ike_group key-exchange");
+ if ( defined($key_exchange) ) {
+ if ( $key_exchange eq 'ikev1' ) {
+ $genout .= "\t\tversion = 1\n";
+ }
+ if ( $key_exchange eq 'ikev2' ) {
+ $genout .= "\t\tversion = 2\n";
+ }
+ }else {
+ $genout .= "\t\tversion = 0\n";
+ }
+
+ #
+ # Get ikev2-reauth configuration
+ # Check IKE Lifetime
+ #
+ my $ikev2_group_reauth = $vcVPN->returnValue("ipsec ike-group $ike_group ikev2-reauth");
+ my $t_ikelifetime = $vcVPN->returnValue("ipsec ike-group $ike_group lifetime");
+ if ( defined($t_ikelifetime) && $t_ikelifetime ne '' ) {
+ $ikelifetime = $t_ikelifetime;
+ }
+ if ( defined($ikev2_group_reauth) ) {
+ if ( $ikev2_group_reauth eq 'yes' && defined($ikelifetime) ) {
+ $genout .= "\t\treauth_time = $ikelifetime" . "s\n";
+ }else {
+ $genout .= "\t\trekey_time = $ikelifetime" . "s\n";
+ }
+ } else {
+ $genout .= "\t\trekey_time = $ikelifetime" . "s\n";
+ }
+
+ #
+ # Allow the user to disable MOBIKE for IKEv2 connections
+ #
+ my $mob_ike = $vcVPN->returnValue("ipsec ike-group $ike_group mobike");
+
+ if (defined($mob_ike)) {
+ if (defined($key_exchange) && $key_exchange eq 'ikev2') {
+ if ($mob_ike eq 'enable') {
+ $genout .= "\t\tmobike = yes";
+ }
+ if ($mob_ike eq 'disable') {
+ $genout .= "\t\tmobike = no";
+ }
+ }else {
+ $genout .= "\t\tmobike = no";
+ }
+ }
+
+ #
+ # Check for Dead Peer Detection DPD
+ #
+ my $dpd_interval = $vcVPN->returnValue("ipsec ike-group $ike_group dead-peer-detection interval");
+ my $dpd_timeout = $vcVPN->returnValue("ipsec ike-group $ike_group dead-peer-detection timeout");
+ my $dpd_action = $vcVPN->returnValue("ipsec ike-group $ike_group dead-peer-detection action");
+ if ( defined($dpd_interval) && defined($dpd_timeout) && defined($dpd_action) ) {
+ $genout .= "\t\tdpd_delay = $dpd_interval" . "s\n";
+ $genout .= "\t\tdpd_timeou = $dpd_timeout" . "s\n";
+ }
+ }
+
+ $genout .= "\t\tkeyingtries = 0\n";
+
+ #
+ # Authentication
+ #
+ $genout .="\t\tlocal {\n";
+ if ( defined($auth_mode) && ( $auth_mode eq 'pre-shared-secret' ) ) {
+ $genout .= "\t\t\tauth = psk\n";
+ }
+ $genout .="\t\t}\n";
+ $genout .="\t\tremote {\n";
+ if ( defined($auth_mode) && ( $auth_mode eq 'pre-shared-secret' ) ) {
+ $genout .= "\t\t\tauth = psk\n";
+ }
+ $genout .="\t\t}\n";
+
+ #
+ # Write ESP configuration from group
+ #
+ $genout .="\t\tchildren {\n";
+ $genout .="\t\t\tdmvpn {\n";
+ my $esplifetime = ESPLIFETIME_DEFAULT;
+ $genout .= "\t\t\t\tesp_proposals = ";
+ my $esp_group = $vcVPN->returnValue("ipsec profile $profile esp-group");
+ if ( defined($esp_group) && $esp_group ne '' ) {
+ my @esp_proposals = $vcVPN->listNodes("ipsec esp-group $esp_group proposal");
+ my $first_esp_proposal = 1;
+ foreach my $esp_proposal (@esp_proposals) {
+ #
+ # Get encryption, hash
+ #
+ my $encryption = $vcVPN->returnValue("ipsec esp-group $esp_group proposal $esp_proposal encryption");
+ my $hash = $vcVPN->returnValue("ipsec esp-group $esp_group proposal $esp_proposal hash");
+ my $pfs = $vcVPN->returnValue("ipsec esp-group $esp_group pfs");
+
+ #
+ # Write separator if not first proposal
+ #
+ if ($first_esp_proposal) {
+ $first_esp_proposal = 0;
+ }
+ else {
+ $genout .= ",";
+ }
+ if (defined($pfs)) {
+ if ($pfs eq 'enable') {
+ # Get the first IKE group's dh-group and use that as our PFS setting
+ my $default_pfs = $vcVPN->returnValue("ipsec ike-group $ike_group proposal 1 dh-group");
+ $pfs = get_dh_cipher_result($default_pfs);
+ if ( !defined($default_pfs) && $pfs eq 'unknown' ) {
+ vpn_die(["vpn","ipsec","profile", $profile,"bind","tunnel", $tunnel],"$vpn_cfg_err 'pfs enabled' needs 'dh-group' specified in ".
+ "ike-group \"$ike_group\" proposal 1 dh-group. \n");
+ }
+ } elsif ($pfs eq 'disable') {
+ undef $pfs;
+ } else {
+ $pfs = get_dh_cipher_result($pfs);
+ }
+ }
+
+ #
+ # Write values
+ #
+ if ( defined($encryption) && defined($hash) ) {
+ $genout .= "$encryption-$hash";
+ if (defined($pfs)) {
+ $genout .= "-$pfs";
+ }
+ }
+ }
+ $genout .= "\n";
+
+ my $t_esplifetime = $vcVPN->returnValue("ipsec esp-group $esp_group lifetime");
+ if ( defined($t_esplifetime) && $t_esplifetime ne '' ) {
+ $esplifetime = $t_esplifetime;
+ }
+ $genout .= "\t\t\t\trekey_time = $esplifetime" . "s\n";
+
+ my $lower_lifetime = $ikelifetime;
+ if ( $esplifetime < $ikelifetime ) {
+ $lower_lifetime = $esplifetime;
+ }
+
+ #
+ # The lifetime values need to be greater than:
+ # rekeymargin*(100+rekeyfuzz)/100
+ #
+ my $rekeymargin = REKEYMARGIN_DEFAULT;
+ if ($lower_lifetime <= (2 * $rekeymargin)) {
+ $rekeymargin = int($lower_lifetime / 2) - 1;
+ }
+ $genout .= "\t\t\t\trand_time = $rekeymargin" . "s\n";
+
+ #
+ # Protocol/port
+ #
+ my $protocol = "gre";
+ my $lprotoport = '';
+ if ( defined($protocol) ) {
+ $lprotoport .= $protocol;
+ }
+ if ( not( $lprotoport eq '' ) ) {
+ $genout .= "\t\t\t\tlocal_ts = dynamic[$lprotoport]\n";
+ }
+
+ my $rprotoport = '';
+ if ( defined($protocol) ) {
+ $rprotoport .= $protocol;
+ }
+ if ( not( $rprotoport eq '' ) ) {
+ $genout .= "\t\t\t\tremote_ts = dynamic[$rprotoport]\n";
+ }
+
+ #
+ # Mode (tunnel or transport)
+ #
+ my $espmode = $vcVPN->returnValue("ipsec esp-group $esp_group mode");
+ if ( !defined($espmode) || $espmode eq '' ) {
+ $espmode = "transport";
+ }
+ $genout .= "\t\t\t\tmode = $espmode\n";
+
+ #
+ # Check for Dead Peer Detection DPD
+ #
+ my $dpd_interval = $vcVPN->returnValue("ipsec ike-group $ike_group dead-peer-detection interval");
+ my $dpd_timeout = $vcVPN->returnValue("ipsec ike-group $ike_group dead-peer-detection timeout");
+ my $dpd_action = $vcVPN->returnValue("ipsec ike-group $ike_group dead-peer-detection action");
+ if ( defined($dpd_interval) && defined($dpd_timeout) && defined($dpd_action) ) {
+
+ $genout .= "\t\t\t\tdpd_action = $dpd_action\n";
+ }
+
+
+ #
+ # Compression
+ #
+ my $compression = $vcVPN->returnValue("ipsec esp-group $esp_group compression");
+ if ( defined($compression) ) {
+ if ( $compression eq 'enable' ) {
+ $genout .= "\t\t\t\tipcomp=yes\n";
+ }
+ }
+ }
+
+ $genout .= "\t\t\t}\n";
+ $genout .= "\t\t}\n";
+ $genout .= "\t}\n"; # to identify end of connection definition
+ # used by clear vpn op-mode command
+ }
+ $genout .= "}\n";
+ $genout .= "secrets {\n";
+ my @tunnels = $vcVPN->listNodes("ipsec profile $profile bind tunnel");
+ foreach my $tunnel (@tunnels) {
+ #
+ # Check whether this tunnel is already in some profile
+ #
+ foreach my $prof (@profiles) {
+ if ( $prof != $profile ) {
+ if ($vcVPN->exists("ipsec profile $prof bind tunnel $tunnel")){
+ vpn_die(["vpn", "ipsec", "profile", $profile,"bind", "tunnel", $tunnel],
+ "$vpn_cfg_err Tunnel \"$tunnel\" is already configured in profile \"$prof\".");
+ }
+ }
+ }
+ my $ike_id = "\tike-dmvpn-$tunnel {\n";
+ $genout .= $ike_id;
+ $genout .= "\t\tsecret = $psk\n";
+ $genout .= "\t}\n";
+ }
+ $genout .= "}\n";
+ }
}
else {
-
- #
- # remove any previous config lines, so that when "clear vpn ipsec-process"
- # is called it won't find the vyatta keyword and therefore will not try
- # to start the ipsec process.
- #
- $genout = '';
- $genout .= "# No VPN configuration exists.\n";
- $genout_secrets .= "# No VPN configuration exists.\n";
+ #
+ # remove any previous config lines, so that when "clear vpn ipsec-process"
+ # is called it won't find the vyatta keyword and therefore will not try
+ # to start the ipsec process.
+ #
+ $genout = '';
+ $genout .= "# No VPN configuration exists.\n";
}
-if (
- !(
- defined($config_file)
- && ( $config_file ne '' )
- && defined($secrets_file)
- && ( $secrets_file ne '' )
- )
- )
-{
- print "Regular config file output would be:\n\n$genout\n\n";
- print "Secrets config file output would be:\n\n$genout_secrets\n\n";
- exit(0);
+if (!(defined($config_file) && ( $config_file ne '' ))) {
+ print "Regular config file output would be:\n\n$genout\n\n";
+ exit(0);
}
-write_config( $genout, $config_file, $genout_secrets, $secrets_file );
+write_config( $genout, $config_file);
my $update_interval = $vcVPN->returnValue("ipsec auto-update");
my $update_interval_orig = $vcVPN->returnOrigValue("ipsec auto-update");
$update_interval_orig = 0 if !defined($update_interval_orig);
if ( is_vpn_running() ) {
- vpn_exec( 'ipsec rereadall >&/dev/null', 're-read secrets and certs' );
- vpn_exec( 'ipsec update >&/dev/null', 'update changes to ipsec.conf' );
+ vpn_exec( 'ipsec rereadall >&/dev/null', 're-read secrets and certs' );
+ vpn_exec( 'ipsec reload >&/dev/null', 'reload changes to ipsec.conf' );
+ vpn_exec( 'swanctl -q >&/dev/null', 'reload changes to swanctl.conf' );
}
else {
- if ( !defined($update_interval) ) {
- vpn_exec( 'ipsec start >&/dev/null', 'start ipsec' );
- }
- else {
- vpn_exec(
- 'ipsec start --auto-update ' . $update_interval . ' >&/dev/null',
- 'start ipsec with auto-update $update_interval' );
- }
+ if ( !defined($update_interval) ) {
+ vpn_exec( 'ipsec start >&/dev/null', 'start ipsec' );
+ my $counter = 10;
+ while($counter > 0){
+ if (-e "/var/run/charon.pid") {
+ vpn_exec( 'swanctl -q >&/dev/null', 'reload changes to swanctl.conf' );
+ last;
+ }
+ $counter--;
+ sleep(1);
+ if($counter == 0){
+ vpn_die("$vpn_cfg_err Ipsec is not running.");
+ }
+ }
+ }
+ else {
+ vpn_exec(
+ 'ipsec start --auto-update ' . $update_interval . ' >&/dev/null',
+ 'start ipsec with auto-update $update_interval' );
+ my $counter = 10;
+ while($counter > 0){
+ if (-e "/var/run/charon.pid") {
+ vpn_exec( 'swanctl -q >&/dev/null', 'reload changes to swanctl.conf' );
+ last;
+ }
+ $counter--;
+ sleep(1);
+ if($counter == 0){
+ vpn_die("$vpn_cfg_err Ipsec is not running.");
+ }
+ }
+ }
}
#
@@ -594,101 +529,130 @@ else {
exit 0;
sub vpn_die {
- my ( @path, $msg ) = @_;
- Vyatta::Config::outputError( @path, $msg );
- exit 1;
+ my ( @path, $msg ) = @_;
+ Vyatta::Config::outputError( @path, $msg );
+ exit 1;
}
sub write_config {
- my ( $genout, $config_file, $genout_secrets, $secrets_file ) = @_;
+ my ( $genout, $config_file) = @_;
- open my $output_config, '>', $config_file
- or die "Can't open $config_file: $!";
- print ${output_config} $genout;
- close $output_config;
-
- open my $output_secrets, '>', $secrets_file
- or die "Can't open $secrets_file: $!";
- print ${output_secrets} $genout_secrets;
- close $output_secrets;
+ open my $output_config, '>', $config_file
+ or die "Can't open $config_file: $!";
+ print ${output_config} $genout;
+ close $output_config;
}
sub vpn_exec {
- my ( $command, $desc ) = @_;
-
- open my $logf, '>>', $LOGFILE
- or die "Can't open $LOGFILE: $!";
-
- use POSIX;
- my $timestamp = strftime( "%Y-%m-%d %H:%M.%S", localtime );
-
- print ${logf} "$timestamp\nExecuting: $command\nDescription: $desc\n";
-
- my $cmd_out = qx($command);
- my $rval = ( $? >> 8 );
- print ${logf} "Output:\n$cmd_out\n---\n";
- print ${logf} "Return code: $rval\n";
- if ($rval) {
- if ( $command =~ /^ipsec.*--asynchronous$/
- && ( $rval == 104 || $rval == 29 ) )
- {
- print ${logf} "OK when bringing up VPN connection\n";
- }
- else {
-
- #
- # We use to consider the commit failed if we got a error
- # from the call to ipsec, but this causes the configuration
- # to not get included in the running config. Now that
- # we support dynamic interface/address (e.g. dhcp, pppoe)
- # we want a valid config to get committed even if the
- # interface doesn't exist yet. That way we can use
- # "clear vpn ipsec-process" to bring up the tunnel once
- # the interface is instantiated. For pppoe we will add
- # a script to /etc/ppp/ip-up.d to bring up the vpn
- # tunnel.
- #
- print ${logf}
- "VPN commit error. Unable to $desc, received error code $?\n";
-
- #
- # code 768 is for a syntax error in the secrets file
- # this happens when a dhcp interface is configured
- # but no address is assigned yet.
- # only the line that has the syntax error is not loaded
- # So we can safely ignore this error since our code generates
- # secrets file.
- #
- if ( $? ne '768' ) {
- print "Warning: unable to [$desc], received error code $?\n";
- print "$cmd_out\n";
- }
- }
- }
- print ${logf} "---\n\n";
- close $logf;
+ my ( $command, $desc ) = @_;
+
+ open my $logf, '>>', $LOGFILE
+ or die "Can't open $LOGFILE: $!";
+
+ use POSIX;
+ my $timestamp = strftime( "%Y-%m-%d %H:%M.%S", localtime );
+
+ print ${logf} "$timestamp\nExecuting: $command\nDescription: $desc\n";
+
+ my $cmd_out = qx($command);
+ my $rval = ( $? >> 8 );
+ print ${logf} "Output:\n$cmd_out\n---\n";
+ print ${logf} "Return code: $rval\n";
+ if ($rval) {
+ if ( $command =~ /^ipsec.*--asynchronous$/ && ( $rval == 104 || $rval == 29 ) ) {
+ print ${logf} "OK when bringing up VPN connection\n";
+ }
+ else {
+ #
+ # We use to consider the commit failed if we got a error
+ # from the call to ipsec, but this causes the configuration
+ # to not get included in the running config. Now that
+ # we support dynamic interface/address (e.g. dhcp, pppoe)
+ # we want a valid config to get committed even if the
+ # interface doesn't exist yet. That way we can use
+ # "clear vpn ipsec-process" to bring up the tunnel once
+ # the interface is instantiated. For pppoe we will add
+ # a script to /etc/ppp/ip-up.d to bring up the vpn
+ # tunnel.
+ #
+ print ${logf} "VPN commit error. Unable to $desc, received error code $?\n";
+
+ #
+ # code 768 is for a syntax error in the secrets file
+ # this happens when a dhcp interface is configured
+ # but no address is assigned yet.
+ # only the line that has the syntax error is not loaded
+ # So we can safely ignore this error since our code generates
+ # secrets file.
+ #
+ if ( $? ne '768' ) {
+ print "Warning: unable to [$desc], received error code $?\n";
+ print "$cmd_out\n";
+ }
+ }
+ }
+ print ${logf} "---\n\n";
+ close $logf;
}
sub printTree {
- my ( $vc, $path, $depth ) = @_;
-
- my @children = $vc->listNodes($path);
- foreach my $child (@children) {
- print ' ' x $depth;
- print $child . "\n";
- printTree( $vc, "$path $child", $depth + 1 );
- }
+ my ( $vc, $path, $depth ) = @_;
+
+ my @children = $vc->listNodes($path);
+ foreach my $child (@children) {
+ print ' ' x $depth;
+ print $child . "\n";
+ printTree( $vc, "$path $child", $depth + 1 );
+ }
}
sub printTreeOrig {
- my ( $vc, $path, $depth ) = @_;
-
- my @children = $vc->listOrigNodes($path);
- foreach my $child (@children) {
- print ' ' x $depth;
- print $child . "\n";
- printTreeOrig( $vc, "$path $child", $depth + 1 );
- }
+ my ( $vc, $path, $depth ) = @_;
+
+ my @children = $vc->listOrigNodes($path);
+ foreach my $child (@children) {
+ print ' ' x $depth;
+ print $child . "\n";
+ printTreeOrig( $vc, "$path $child", $depth + 1 );
+ }
}
+sub get_dh_cipher_result {
+ my ($cipher) = @_;
+ my $ciph_out;
+ if ($cipher eq '2' || $cipher eq 'dh-group2') {
+ $ciph_out = 'modp1024';
+ } elsif ($cipher eq '5' || $cipher eq 'dh-group5') {
+ $ciph_out = 'modp1536';
+ } elsif ($cipher eq '14' || $cipher eq 'dh-group14') {
+ $ciph_out = 'modp2048';
+ } elsif ($cipher eq '15' || $cipher eq 'dh-group15') {
+ $ciph_out = 'modp3072';
+ } elsif ($cipher eq '16' || $cipher eq 'dh-group16') {
+ $ciph_out = 'modp4096';
+ } elsif ($cipher eq '17' || $cipher eq 'dh-group17') {
+ $ciph_out = 'modp6144';
+ } elsif ($cipher eq '18' || $cipher eq 'dh-group18') {
+ $ciph_out = 'modp8192';
+ } elsif ($cipher eq '19' || $cipher eq 'dh-group19') {
+ $ciph_out = 'ecp256';
+ } elsif ($cipher eq '20' || $cipher eq 'dh-group20') {
+ $ciph_out = 'ecp384';
+ } elsif ($cipher eq '21' || $cipher eq 'dh-group21') {
+ $ciph_out = 'ecp521';
+ } elsif ($cipher eq '22' || $cipher eq 'dh-group22') {
+ $ciph_out = 'modp1024s160';
+ } elsif ($cipher eq '23' || $cipher eq 'dh-group23') {
+ $ciph_out = 'modp2048s224';
+ } elsif ($cipher eq '24' || $cipher eq 'dh-group24') {
+ $ciph_out = 'modp2048s256';
+ } elsif ($cipher eq '25' || $cipher eq 'dh-group25') {
+ $ciph_out = 'ecp192';
+ } elsif ($cipher eq '26' || $cipher eq 'dh-group26') {
+ $ciph_out = 'ecp224';
+ } else {
+ $ciph_out = 'unknown';
+ }
+ return $ciph_out;
+}
# end of file
diff --git a/scripts/vpn-config.pl b/scripts/vpn-config.pl
index 184d1f2..071b3b8 100755
--- a/scripts/vpn-config.pl
+++ b/scripts/vpn-config.pl
@@ -37,7 +37,6 @@ use Vyatta::TypeChecker;
use Vyatta::VPN::Util;
use Getopt::Long;
use Vyatta::Misc;
-use NetAddr::IP;
use Vyatta::VPN::vtiIntf;
my $config_file;
@@ -53,13 +52,16 @@ my $CRL_PATH = '/etc/ipsec.d/crls';
my $SERVER_CERT_PATH = '/etc/ipsec.d/certs';
my $SERVER_KEY_PATH = '/etc/ipsec.d/private';
my $LOGFILE = '/var/log/vyatta/ipsec.log';
+my $STRONGSWAN_INTF_CONFIG = '/etc/strongswan.d/interfaces_use.conf';
my $vpn_cfg_err = "VPN configuration error:";
my $clustering_ip = 0;
my $dhcp_if = 0;
my $genout;
my $genout_secrets;
+my $interfaces_use;
my %key_file_list;
+my %public_keys;
# Set $using_klips to 1 if kernel IPsec support is provided by KLIPS.
# Set it to 0 us using NETKEY.
@@ -67,6 +69,7 @@ my $using_klips = 0;
$genout .= "# generated by $0\n\n";
$genout_secrets .= "# generated by $0\n\n";
+$interfaces_use .= "# generated by $0\n\n";
#
# Prepare Vyatta::Config object
@@ -212,21 +215,26 @@ if ($vcVPN->exists('ipsec')) {
}
#
- # Version 2
+ # Configuration of system wide options
#
- $genout .= "version 2.0\n";
- $genout .= "\n";
$genout .= "config setup\n";
- $genout .= "\tcharonstart=yes\n";
+
#
# Interfaces
#
my @interfaces = $vcVPN->returnValues('ipsec ipsec-interfaces interface');
- if (@interfaces == 0) {
- #*THIS CHECK'S ALSO USED BY OP-MODE CMNDS TO CHECK IF IPSEC IS CONFIGURED*#
- vpn_die(["vpn", "ipsec","ipsec-interfaces"],"$vpn_cfg_err No IPSEC interfaces specified.\n");
- } else {
+ if (scalar(@interfaces) > 0) {
+
+ $interfaces_use .= "charon {\n\tinterfaces_use = ";
+ foreach my $interface (@interfaces) {
+ if (!(-d "/sys/class/net/$interface")) {
+ print "Warning: unable to configure non-existent interface\n";
+ }
+ $interfaces_use .= "$interface, ";
+ }
+ $interfaces_use .= "\n}";
+
# We need to generate an "interfaces=..." entry in the setup section
# only if the underlying IPsec kernel code we are using is KLIPS.
# If we are using NETKEY, the "interfaces=..." entry is essentially
@@ -252,7 +260,8 @@ if ($vcVPN->exists('ipsec')) {
$genout .= '%defaultroute';
}
$genout .= "\"\n";
- } else {
+ }
+ else {
my $counter = 0;
$genout .= "\t";
if (hasLocalWildcard($vcVPN, 0)) {
@@ -264,13 +273,18 @@ if ($vcVPN->exists('ipsec')) {
++$counter;
}
$genout .= '%defaultroute"';
- } else {
+ }
+ else {
$genout .= 'interfaces="%none"';
}
$genout .= "\n";
+
}
- }
+ } else {
+ $interfaces_use .= "";
+
+ }
#
# NAT traversal
#
@@ -308,26 +322,6 @@ if ($vcVPN->exists('ipsec')) {
$genout .= "\"\n";
}
- #
- # log-mode
- #
- my @logmodes = $vcVPN->returnValues('ipsec logging log-modes');
- if (@logmodes > 0) {
- my $debugmode = '';
- foreach my $mode (@logmodes) {
- if ($mode eq "all") {
- $debugmode = "all";
- last;
- }
- if ($debugmode eq '') {
- $debugmode = "$mode";
- } else {
- $debugmode .= " $mode";
- }
- }
- $genout .= "\tplutodebug=\"$debugmode\"\n";
- }
-
# Set plutoopts:
# Disable uniqreqids?
#
@@ -336,15 +330,6 @@ if ($vcVPN->exists('ipsec')) {
}
#
- # Disable implicit connections
- #
- foreach my $conn (qw/clear clear-or-private private-or-clear private block packetdefault/){
- $genout .= "\n";
- $genout .= "conn $conn\n";
- $genout .= "\tauto=ignore\n";
- }
-
- #
# Default keyengine is ikev1
#
$genout .= "\n";
@@ -517,16 +502,6 @@ if ($vcVPN->exists('ipsec')) {
$lip = get_dhcp_addr($dhcp_iface);
}
- # -> leftsourceip is the internal source IP to use in a tunnel
- # -> we use leftsourceip to add a route to the rightsubnet
- # only when rightsubnet is defined and is not 0.0.0.0/0. we do not
- # want to add a vpn route for everything i.e. rightsubnet = 0.0.0.0/0
- # -> if leftsubnet is defined and is not 0.0.0.0/0; we try and find
- # an interface on the system that has an IP address lying within
- # the leftsubnet and use that as leftsourceip. if leftsubnet is not
- # defined or is 0.0.0.0/0 then we use local-address as leftsourceip.
- my $leftsourceip = undef;
-
#
# Assign left and right to local and remote interfaces
#
@@ -537,11 +512,8 @@ if ($vcVPN->exists('ipsec')) {
"for peer \"$peer\" $tunKeyword.\n");
}
$genout .= "\tleft=%defaultroute\n";
-
- # no need for leftsourceip as a defaultroute is must for this to work
} else {
$genout .= "\tleft=$lip\n";
- $leftsourceip = "\tleftsourceip=$lip\n";
}
if (defined($authidfromcert)) {
$genout .= "\tleftid=%fromcert\n";
@@ -597,19 +569,6 @@ if ($vcVPN->exists('ipsec')) {
if (defined($leftsubnet)) {
$genout .= "\tleftsubnet=$leftsubnet\n";
- if (!($leftsubnet eq '0.0.0.0/0')) {
- my $localsubnet_object = new NetAddr::IP($leftsubnet);
-
- # leftsourceip should now be an IP on system lying within the leftsubnet
- my @system_ips = Vyatta::Misc::getIP(undef, '4');
- foreach my $system_ip (@system_ips) {
- my $systemip_object = new NetAddr::IP($system_ip);
- if (CheckIfAddressInsideNetwork($systemip_object, $localsubnet_object)){
- my $sourceip = $systemip_object->addr();
- $leftsourceip = "\tleftsourceip=$sourceip\n";
- }
- }
- }
}
my $remotesubnet = $vcVPN->returnValue("ipsec site-to-site peer $peer $tunKeyword remote prefix");
@@ -667,21 +626,8 @@ if ($vcVPN->exists('ipsec')) {
}
if (defined($rightsubnet)) {
$genout .= "\trightsubnet=$rightsubnet\n";
-
- # not adding vpn route if remote prefix is 0.0.0.0/0
- # user should add a route [default/static] manually
- $leftsourceip = undef if $rightsubnet eq '0.0.0.0/0';
- if ($rightsubnet =~ /vhost:%priv/) {
-
- # can't add route when rightsubnet is not specific
- $leftsourceip = undef;
- }
- } else {
- $leftsourceip =undef; # no need for vpn route if rightsubnet not defined
}
- $genout .= $leftsourceip if defined $leftsourceip;
-
#
# Protocol/port
#
@@ -784,39 +730,12 @@ if ($vcVPN->exists('ipsec')) {
if (defined($encryption) && defined($hash)) {
$genout .= "$encryption-$hash";
if (defined($dh_group)) {
- if ($dh_group eq '2') {
- $genout .= '-modp1024';
- } elsif ($dh_group eq '5') {
- $genout .= '-modp1536';
- } elsif ($dh_group eq '14') {
- $genout .= '-modp2048';
- } elsif ($dh_group eq '15') {
- $genout .= '-modp3072';
- } elsif ($dh_group eq '16') {
- $genout .= '-modp4096';
- } elsif ($dh_group eq '17') {
- $genout .= '-modp6144';
- } elsif ($dh_group eq '18') {
- $genout .= '-modp8192';
- } elsif ($dh_group eq '19') {
- $genout .= '-ecp256';
- } elsif ($dh_group eq '20') {
- $genout .= '-ecp384';
- } elsif ($dh_group eq '21') {
- $genout .= '-ecp521';
- } elsif ($dh_group eq '22') {
- $genout .= '-modp1024s160';
- } elsif ($dh_group eq '23') {
- $genout .= '-modp2048s224';
- } elsif ($dh_group eq '24') {
- $genout .= '-modp2048s256';
- } elsif ($dh_group eq '25') {
- $genout .= '-ecp192';
- } elsif ($dh_group eq '26') {
- $genout .= '-ecp224';
- } elsif ($dh_group ne '') {
+ my $cipher_out = get_dh_cipher_result($dh_group);
+ if ($cipher_out eq 'unknown') {
vpn_die(["vpn","ipsec","site-to-site","peer",$peer,"tunnel", $tunnel],"$vpn_cfg_err Invalid 'dh-group' $dh_group specified for ".
"peer \"$peer\" $tunKeyword. Only 2, 5, or 14 through 26 accepted.\n");
+ } else {
+ $genout .= "-$cipher_out";
}
}
}
@@ -875,6 +794,21 @@ if ($vcVPN->exists('ipsec')) {
}
}
+ #
+ # Allow the user to specify aggressive mode for IKEv1 connections
+ #
+ my $aggressive_mode = $vcVPN->returnValue("ipsec ike-group $ike_group mode");
+
+ if (defined($aggressive_mode)) {
+ if (defined($key_exchange) && $key_exchange eq 'ikev2') {
+ vpn_die(["vpn","ipsec","ike-group", $ike_group, "mode"], "$vpn_cfg_err Selection of Main/Aggressive modes is only valid for IKEv1 configurations");
+ }
+ if ($aggressive_mode eq 'aggressive') {
+ $genout .= "\taggressive=yes\n";
+ } else {
+ $genout .= "\taggressive=no\n";
+ }
+ }
my $t_ikelifetime =$vcVPN->returnValue("ipsec ike-group $ike_group lifetime");
if (defined($t_ikelifetime) && $t_ikelifetime ne '') {
$ikelifetime = $t_ikelifetime;
@@ -895,6 +829,19 @@ if ($vcVPN->exists('ipsec')) {
$genout .= "\tdpdtimeout=$dpd_timeout" . "s\n";
$genout .= "\tdpdaction=$dpd_action\n";
}
+
+ #
+ # Allow the user for force UDP encapsulation for the ESP
+ # payload.
+ #
+ my $forceencaps = $vcVPN->returnValue("ipsec site-to-site peer $peer force-encapsulation");
+ if (defined($forceencaps)) {
+ if ($forceencaps eq 'enable') {
+ $genout .= "\tforceencaps=yes\n";
+ } else {
+ $genout .= "\tforceencaps=no\n";
+ }
+ }
}
#
@@ -912,10 +859,11 @@ if ($vcVPN->exists('ipsec')) {
foreach my $esp_proposal (@esp_proposals) {
#
- # Get encryption, hash
+ # Get encryption, hash and PFS group settings
#
my $encryption = $vcVPN->returnValue("ipsec esp-group $esp_group proposal $esp_proposal encryption");
my $hash = $vcVPN->returnValue("ipsec esp-group $esp_group proposal $esp_proposal hash");
+ my $pfs = $vcVPN->returnValue("ipsec esp-group $esp_group pfs");
#
# Write separator if not first proposal
@@ -925,45 +873,25 @@ if ($vcVPN->exists('ipsec')) {
} else {
$genout .= ",";
}
+ if (defined($pfs)) {
+ if ($pfs eq 'enable') {
+ # Get the first IKE group's dh-group and use that as our PFS setting
+ my $default_pfs = $vcVPN->returnValue("ipsec ike-group $ike_group proposal 1 dh-group");
+ $pfs = get_dh_cipher_result($default_pfs);
+ } elsif ($pfs eq 'disable') {
+ undef $pfs;
+ } else {
+ $pfs = get_dh_cipher_result($pfs);
+ }
+ }
#
# Write values
#
if (defined($encryption) && defined($hash)) {
$genout .= "$encryption-$hash";
- my $pfs = $vcVPN->returnValue("ipsec esp-group $esp_group pfs");
if (defined($pfs)) {
- if ($pfs eq 'dh-group2') {
- $genout .= "\-modp1024";
- } elsif ($pfs eq 'dh-group5') {
- $genout .= "\-modp1536";
- } elsif ($pfs eq 'dh-group14') {
- $genout .= "\-modp2048";
- } elsif ($pfs eq 'dh-group15') {
- $genout .= "\-modp3072";
- } elsif ($pfs eq 'dh-group16') {
- $genout .= "\-modp4096";
- } elsif ($pfs eq 'dh-group17') {
- $genout .= "\-modp6144";
- } elsif ($pfs eq 'dh-group18') {
- $genout .= "\-modp8192";
- } elsif ($pfs eq 'dh-group19') {
- $genout .= "\-ecp256";
- } elsif ($pfs eq 'dh-group20') {
- $genout .= "\-ecp384";
- } elsif ($pfs eq 'dh-group21') {
- $genout .= "\-ecp521";
- } elsif ($pfs eq 'dh-group22') {
- $genout .= "\-modp1024s160";
- } elsif ($pfs eq 'dh-group23') {
- $genout .= "\-modp2048s224";
- } elsif ($pfs eq 'dh-group24') {
- $genout .= "\-modp2048s256";
- } elsif ($pfs eq 'dh-group25') {
- $genout .= "\-ecp192";
- } elsif ($pfs eq 'dh-group26') {
- $genout .= "\-ecp224";
- }
+ $genout .= "-$pfs";
}
}
}
@@ -1009,63 +937,6 @@ if ($vcVPN->exists('ipsec')) {
$genout .= "\ttype=$espmode\n";
#
- # Perfect Forward Secrecy
- #
- my $pfs = $vcVPN->returnValue("ipsec esp-group $esp_group pfs");
- if (defined($pfs)) {
- if ($pfs eq 'enable') {
- $genout .= "\tpfs=yes\n";
- } elsif ($pfs eq 'dh-group2') {
- $genout .= "\tpfs=yes\n";
- $genout .= "\tpfsgroup=modp1024\n";
- } elsif ($pfs eq 'dh-group5') {
- $genout .= "\tpfs=yes\n";
- $genout .= "\tpfsgroup=modp1536\n";
- } elsif ($pfs eq 'dh-group14') {
- $genout .= "\tpfs=yes\n";
- $genout .= "\tpfsgroup=modp2048\n";
- } elsif ($pfs eq 'dh-group15') {
- $genout .= "\tpfs=yes\n";
- $genout .= "\tpfsgroup=modp3072\n";
- } elsif ($pfs eq 'dh-group16') {
- $genout .= "\tpfs=yes\n";
- $genout .= "\tpfsgroup=modp4096\n";
- } elsif ($pfs eq 'dh-group17') {
- $genout .= "\tpfs=yes\n";
- $genout .= "\tpfsgroup=modp6144\n";
- } elsif ($pfs eq 'dh-group18') {
- $genout .= "\tpfs=yes\n";
- $genout .= "\tpfsgroup=modp8192\n";
- } elsif ($pfs eq 'dh-group19') {
- $genout .= "\tpfs=yes\n";
- $genout .= "\tpfsgroup=ecp256\n";
- } elsif ($pfs eq 'dh-group20') {
- $genout .= "\tpfs=yes\n";
- $genout .= "\tpfsgroup=ecp384\n";
- } elsif ($pfs eq 'dh-group21') {
- $genout .= "\tpfs=yes\n";
- $genout .= "\tpfsgroup=ecp521\n";
- } elsif ($pfs eq 'dh-group22') {
- $genout .= "\tpfs=yes\n";
- $genout .= "\tpfsgroup=modp1024s160\n";
- } elsif ($pfs eq 'dh-group23') {
- $genout .= "\tpfs=yes\n";
- $genout .= "\tpfsgroup=modp2048s224\n";
- } elsif ($pfs eq 'dh-group24') {
- $genout .= "\tpfs=yes\n";
- $genout .= "\tpfsgroup=modp2048s256\n";
- } elsif ($pfs eq 'dh-group25') {
- $genout .= "\tpfs=yes\n";
- $genout .= "\tpfsgroup=ecp192\n";
- } elsif ($pfs eq 'dh-group26') {
- $genout .= "\tpfs=yes\n";
- $genout .= "\tpfsgroup=ecp224\n";
- } else {
- $genout .= "\tpfs=no\n";
- }
- }
-
- #
# Compression
#
my $compression =$vcVPN->returnValue("ipsec esp-group $esp_group compression");
@@ -1177,7 +1048,10 @@ if ($vcVPN->exists('ipsec')) {
vpn_die(["vpn","ipsec","site-to-site","peer",$peer,"authentication"],"$vpn_cfg_err Unable to determine local public key from local key".
" file \"$local_key_file\" for peer \"$peer\".\n");
} else {
- $genout .= "\tleftrsasigkey=\"$local_key\"\n";
+ if (!defined($public_keys{localhost})) {
+ $public_keys{localhost} = $local_key;
+ $genout .= "\tleftsigkey=localhost.pub\n";
+ }
}
my $rsa_key_name = $vcVPN->returnValue("ipsec site-to-site peer $peer authentication rsa-key-name");
@@ -1190,13 +1064,16 @@ if ($vcVPN->exists('ipsec')) {
vpn_die(["vpn","ipsec","site-to-site","peer",$peer,"authentication"],"$vpn_cfg_err No remote key configured for rsa key name ".
"\"$rsa_key_name\" that is specified for peer \"$peer\".\n");
} else {
- $genout .= "\trightrsasigkey=\"$remote_key\"\n";
+ if (!defined($public_keys{$rsa_key_name})) {
+ $public_keys{$rsa_key_name} = $remote_key;
+ $genout .= "\trightsigkey=$rsa_key_name.pub\n";
+ }
}
}
# Prevent duplicate includes for rsa keys.
if (!defined($key_file_list{$local_key_file})) {
$key_file_list{$local_key_file} = 1;
- $genout_secrets .= "include $local_key_file\n";
+ $genout_secrets .= ": RSA $local_key_file\n";
}
} else {
vpn_die(["vpn","ipsec","site-to-site","peer",$peer,"authentication"],"$vpn_cfg_err Unknown authentication mode \"$auth_mode\" for peer ".
@@ -1274,11 +1151,23 @@ if ($vcVPN->exists('ipsec')) {
}
}
}
- if (-e '/etc/dmvpn.conf') {
- $genout .= "\ninclude /etc/dmvpn.conf\n";
+
+ #
+ # Include a custom configuration file
+ #
+ my $custom_include = $vcVPN->returnValue("ipsec include-ipsec-conf");
+ my $custom_secrets = $vcVPN->returnValue("ipsec include-ipsec-secrets");
+ if (defined($custom_include)) {
+ if ( ! -e $custom_include ) {
+ vpn_die(["vpn","ipsec","include-ipsec-conf"],"$vpn_cfg_err The specified file for inclusion inside ipsec.conf does not exist.");
+ }
+ $genout .= "\ninclude $custom_include\n";
}
- if (-e '/etc/dmvpn.secrets') {
- $genout_secrets .= "\ninclude /etc/dmvpn.secrets\n";
+ if (defined($custom_secrets)) {
+ if ( ! -e $custom_secrets) {
+ vpn_die(["vpn","ipsec","include-ipsec-secrets"],"$vpn_cfg_err The specified file for inclusion inside ipsec.secrets does not exist.");
+ }
+ $genout_secrets .= "\ninclude $custom_secrets\n";
}
} else {
@@ -1313,13 +1202,13 @@ if ( $vcVPN->isDeleted('.')
if (!enableICMP('1')) {
vpn_die(["vpn","ipsec"],"VPN commit error. Unable to re-enable ICMP redirects.\n");
}
- write_config($genout, $config_file, $genout_secrets, $secrets_file, $dhcp_if);
+ write_config($genout, $interfaces_use, $STRONGSWAN_INTF_CONFIG, $config_file, $genout_secrets, $secrets_file, $dhcp_if, %public_keys);
} else {
if (!enableICMP('0')) {
vpn_die(["vpn","ipsec"],"VPN commit error. Unable to disable ICMP redirects.\n");
}
- write_config($genout, $config_file, $genout_secrets, $secrets_file, $dhcp_if);
+ write_config($genout, $interfaces_use, $STRONGSWAN_INTF_CONFIG, $config_file, $genout_secrets, $secrets_file, $dhcp_if, %public_keys);
# Assumming that if there was a local IP missmatch and clustering is enabled,
# then the clustering scripts will take care of starting the VPN daemon.
@@ -1342,8 +1231,51 @@ if ( $vcVPN->isDeleted('.')
print "Re-starting IPsec daemon to deactivate auto-update...\n";
vpn_exec('ipsec restart >&/dev/null', 're-starting ipsec');
}else {
- vpn_exec('ipsec rereadall >&/dev/null', 're-read secrets and certs');
- vpn_exec('ipsec update >&/dev/null', 'update changes to ipsec.conf');
+
+ # Grab the list of old peers and tunnels
+ my @tunnel_cfg_new = $vcVPN->listNodes('ipsec site-to-site peer');
+ my @tunnel_cfg_old = $vcVPN->listOrigNodes('ipsec site-to-site peer');
+ my @old_tunnels;
+ my %seen;
+ @seen{@tunnel_cfg_new} = ();
+
+ # Find the old tunnels in previous configuration
+ foreach my $tunnel (@tunnel_cfg_old) {
+ push (@old_tunnels, $tunnel) unless exists $seen{$tunnel};
+ }
+
+ # Issue an ipsec down on the old tunnel since charon doesn't clean up
+ # connections removed from ipsec.conf
+ foreach my $old_peer (@old_tunnels) {
+ my @tunnels = $vcVPN->listOrigNodes("ipsec site-to-site peer $old_peer tunnel");
+ foreach my $tunnel (@tunnels)
+ {
+ vpn_exec("ipsec down peer-$old_peer-tunnel-$tunnel", "Cleaning up site-to-site peer $old_peer at tunnel $tunnel");
+ }
+ }
+ # Check if returnValues equals returnOrigValues for ipsec-interfaces and restart if they are not equal
+ my $equals = 1;
+ my @working_interfaces = $vcVPN->returnValues("ipsec ipsec-interfaces interface");
+ my @active_interfaces = $vcVPN->returnOrigValues("ipsec ipsec-interfaces interface");
+ if (scalar(@working_interfaces) != scalar(@active_interfaces)){
+ $equals = 0;
+ }
+ else {
+ my @sorted_working = sort @working_interfaces;
+ my @sorted_active = sort @active_interfaces;
+ foreach (my $i = 0; $i < @sorted_working; $i++) {
+ if ($sorted_working[$i] ne $sorted_active[$i]) {
+ $equals = 0;
+ last;
+ }
+ }
+ }
+ if ($equals == 0) {
+ vpn_exec('ipsec restart >&/dev/null', 're-starting ipsec');
+ }else {
+ vpn_exec('ipsec rereadall >&/dev/null', 're-read secrets and certs');
+ vpn_exec('ipsec reload >&/dev/null', 'reload changes to ipsec.conf');
+ }
}
} else {
if (!defined($update_interval)) {
@@ -1352,6 +1284,24 @@ if ( $vcVPN->isDeleted('.')
vpn_exec('ipsec start --auto-update '.$update_interval.' >&/dev/null','start ipsec with auto-update $update_interval');
}
}
+
+ # Activate any debugging options by
+ # calling ipsec stroke loglevel <source> <level>
+ my @logmodes = $vcVPN->returnValues('ipsec logging log-modes');
+ my @oldmodes = $vcVPN->returnOrigValues('ipsec logging log-modes');
+ my $charonloglevel = $vcVPN->returnValue('ipsec logging log-level');
+ # Clean up any logging modes if present
+ if (@oldmodes > 0) {
+ foreach my $mode (@oldmodes) {
+ vpn_exec("ipsec stroke loglevel $mode 0", "Deactivating log source $mode");
+ }
+ }
+ # Finally activate our new logger configuration
+ if (@logmodes > 0) {
+ foreach my $mode (@logmodes) {
+ vpn_exec("ipsec stroke loglevel $mode $charonloglevel", "Stroking log source $mode to loglevel $charonloglevel");
+ }
+ }
}
}
@@ -1367,13 +1317,19 @@ sub vpn_die {
}
sub write_config {
- my ($genout, $config_file, $genout_secrets, $secrets_file, $dhcp_if) = @_;
+ my ($genout, $interfaces_use, $STRONGSWAN_INTF_CONFIG, $config_file, $genout_secrets, $secrets_file, $dhcp_if, %public_keys) = @_;
open my $output_config, '>', $config_file
or die "Can't open $config_file: $!";
print ${output_config} $genout;
close $output_config;
+
+ open my $strong_config, '>', $STRONGSWAN_INTF_CONFIG
+ or die "Can't open $STRONGSWAN_INTF_CONFIG: $!";
+ print ${strong_config} $interfaces_use;
+ close $strong_config;
+
my @lines = split("\n", $genout_secrets);
my @any = grep(/%any/, @lines);
if (scalar(@any) > 0) {
@@ -1388,6 +1344,14 @@ sub write_config {
print ${output_secrets} $genout_secrets;
close $output_secrets;
dhcp_hook($dhcp_if);
+
+ for my $name (keys %public_keys) {
+ my $output_path = "/etc/ipsec.d/certs/$name.pub";
+ open my $output_file, '>', $output_path
+ or die "Can't open $output_path: $!";
+ print ${output_file} rsa_convert_pubkey_pem($public_keys{$name});
+ close $output_file;
+ }
}
sub vpn_exec {
@@ -1496,26 +1460,6 @@ sub hasLocalWildcard {
return 0;
}
-sub CheckIfAddressInsideNetwork {
- my ($address, $naipNetwork) = @_;
-
- if (!defined($address) || !defined($naipNetwork)) {
- return 0;
- }
-
- my $naipSM = new NetAddr::IP($address);
- if (defined($naipSM)) {
- my $subnetIA = $naipSM->network()->addr();
- my $naipIA = new NetAddr::IP($subnetIA, $naipSM->masklen());
-
- if (defined($naipIA) && $naipNetwork->within($naipIA)) {
- return 1;
- }
- }
-
- return 0;
-}
-
sub get_x509 {
my $peer = pop(@_);
@@ -1601,11 +1545,50 @@ sub dhcp_hook {
/opt/vyatta/bin/sudo-users/vyatta-ipsec-dhcp.pl --interface=\"\$interface\" --new_ip=\"\$new_ip_address\" --reason=\"\$reason\" --old_ip=\"\$old_ip_address\"
EOS
}
- my $hook = "/etc/dhcp3/dhclient-exit-hooks.d/ipsecd";
+ my $hook = "/etc/dhcp/dhclient-exit-hooks.d/ipsecd";
open my $dhcp_hook, '>', $hook
or die "cannot open $hook";
print ${dhcp_hook} $str;
close $dhcp_hook;
}
+sub get_dh_cipher_result {
+ my ($cipher) = @_;
+ my $ciph_out;
+ if ($cipher eq '2' || $cipher eq 'dh-group2') {
+ $ciph_out = 'modp1024';
+ } elsif ($cipher eq '5' || $cipher eq 'dh-group5') {
+ $ciph_out = 'modp1536';
+ } elsif ($cipher eq '14' || $cipher eq 'dh-group14') {
+ $ciph_out = 'modp2048';
+ } elsif ($cipher eq '15' || $cipher eq 'dh-group15') {
+ $ciph_out = 'modp3072';
+ } elsif ($cipher eq '16' || $cipher eq 'dh-group16') {
+ $ciph_out = 'modp4096';
+ } elsif ($cipher eq '17' || $cipher eq 'dh-group17') {
+ $ciph_out = 'modp6144';
+ } elsif ($cipher eq '18' || $cipher eq 'dh-group18') {
+ $ciph_out = 'modp8192';
+ } elsif ($cipher eq '19' || $cipher eq 'dh-group19') {
+ $ciph_out = 'ecp256';
+ } elsif ($cipher eq '20' || $cipher eq 'dh-group20') {
+ $ciph_out = 'ecp384';
+ } elsif ($cipher eq '21' || $cipher eq 'dh-group21') {
+ $ciph_out = 'ecp521';
+ } elsif ($cipher eq '22' || $cipher eq 'dh-group22') {
+ $ciph_out = 'modp1024s160';
+ } elsif ($cipher eq '23' || $cipher eq 'dh-group23') {
+ $ciph_out = 'modp2048s224';
+ } elsif ($cipher eq '24' || $cipher eq 'dh-group24') {
+ $ciph_out = 'modp2048s256';
+ } elsif ($cipher eq '25' || $cipher eq 'dh-group25') {
+ $ciph_out = 'ecp192';
+ } elsif ($cipher eq '26' || $cipher eq 'dh-group26') {
+ $ciph_out = 'ecp224';
+ } else {
+ $ciph_out = 'unknown';
+ }
+ return $ciph_out;
+}
+
# end of file
diff --git a/scripts/vyatta-vti-config.pl b/scripts/vyatta-vti-config.pl
index fbfad64..81abf97 100755
--- a/scripts/vyatta-vti-config.pl
+++ b/scripts/vyatta-vti-config.pl
@@ -25,7 +25,7 @@
#
# For each VTI tunnel (vpn ipsec site-to-site peer ip-address sti); find the vti tunnel, local address, mark.
# Find the corresponding tunnel (interfaces vti vtiXXX), tunnel address, disable, mtu
-# if not configured: ip tunnel add vtiXXX mode esp local $local remote $remote i_key $mark
+# if not configured: ip tunnel add vtiXXX mode esp local $local remote $remote ikey $mark okey $mark
# if (mtu): configure mtu
# if (tunnel-addres): configur ip link vtiXXX address
# if (!disable): enable the interface.
@@ -207,7 +207,7 @@ foreach my $peer (@peers) {
# By default we delete the tunnel...
my $genmark = $mark;
$gencmds .= "sudo /sbin/ip link delete $tunName type vti &> /dev/null\n";
- $gencmds .= "sudo /sbin/ip link add $tunName type vti local $lip remote $peer okey $genmark\n";
+ $gencmds .= "sudo /sbin/ip link add $tunName type vti local $lip remote $peer okey $genmark ikey $genmark\n";
foreach my $tunIP (@tunIPs) {
$gencmds .= "sudo /sbin/ip addr add $tunIP dev $tunName\n";
}
generated by cgit v1.2.3 (git 2.39.1) at 2025-08-15 07:45:20 +0000