authorKim Hagen <khagen@multi-development.com>2015-02-02 14:57:19 +0100
committerKim Hagen <khagen@multi-development.com>2015-02-02 14:57:19 +0100
commit1be0e699d43e2ea72b791c502749d78d9acc9e84 (patch)
treef1938795c7e822963d67604b41d82ff1046cd084 /scripts
parent791097277d7ec62cc6c3f9b418d75b4a1a713759 (diff)
Bug #367 - DMVPN Testing, but I do not see ESP traffic.
Diffstat (limited to 'scripts')
-rwxr-xr-xscripts/dmvpn-config.pl100
1 files changed, 79 insertions, 21 deletions
diff --git a/scripts/dmvpn-config.pl b/scripts/dmvpn-config.pl
index 02df73c..8a8c1ff 100755
--- a/scripts/dmvpn-config.pl
+++ b/scripts/dmvpn-config.pl
@@ -43,6 +43,7 @@ my $clustering_ip = 0;
my $dhcp_if = 0;
my $genout;
my $genout_secrets;
+my $dh_disable;
# Set $using_klips to 1 if kernel IPsec support is provided by KLIPS.
# Set it to 0 if using NETKEY.
@@ -274,6 +275,10 @@ if ( $vcVPN->exists('ipsec') ) {
"ipsec ike-group $ike_group proposal $ike_proposal dh-group"
);
+ if ( defined($dh_group) ) {
+ $dh_disable = 1;
+ }
+
#
# Write separator if not first proposal
#
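Review bot: The name `$dh_disable` says the opposite of what the flag at `$dh_disable = 1;` records: it is set when an IKE proposal *does* specify a dh-group, and the PFS code later relies on it to allow `pfs=yes` without an explicit `pfsgroup`. Add a comment where it is set, `# Remember that some IKE proposal carries a dh-group; 'pfs enable' below depends on it.`, or rename it to something like `$ike_dh_group_set` so the later `defined($dh_disable)` check reads correctly. The flag also appears never to be cleared, so if this code sits inside a loop over several ike-groups (the enclosing loop starts outside the hunk) a dh-group on one ike-group would satisfy the check for every esp-group processed afterwards; worth confirming that is intended.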
@@ -290,23 +295,40 @@ if ( $vcVPN->exists('ipsec') ) {
if ( defined($encryption) && defined($hash) ) {
$genout .= "$encryption-$hash";
if ( defined($dh_group) ) {
- if ( $dh_group eq '2' ) {
+ if ($dh_group eq '2') {
$genout .= '-modp1024';
- }
- elsif ( $dh_group eq '5' ) {
+ } elsif ($dh_group eq '5') {
$genout .= '-modp1536';
+ } elsif ($dh_group eq '14') {
+ $genout .= '-modp2048';
+ } elsif ($dh_group eq '15') {
+ $genout .= '-modp3072';
+ } elsif ($dh_group eq '16') {
+ $genout .= '-modp4096';
+ } elsif ($dh_group eq '17') {
+ $genout .= '-modp6144';
+ } elsif ($dh_group eq '18') {
+ $genout .= '-modp8192';
+ } elsif ($dh_group eq '19') {
+ $genout .= '-ecp256';
+ } elsif ($dh_group eq '20') {
+ $genout .= '-ecp384';
+ } elsif ($dh_group eq '21') {
+ $genout .= '-ecp521';
+ } elsif ($dh_group eq '22') {
+ $genout .= '-modp1024s160';
+ } elsif ($dh_group eq '23') {
+ $genout .= '-modp2048s224';
+ } elsif ($dh_group eq '24') {
+ $genout .= '-modp2048s256';
+ } elsif ($dh_group eq '25') {
+ $genout .= '-ecp192';
+ } elsif ($dh_group eq '26') {
+ $genout .= '-ecp224';
}
elsif ( $dh_group ne '' ) {
- vpn_die(
- [
- "vpn", "ipsec",
- "profile", $profile,
- "bind", "tunnel",
- $tunnel
- ],
-"$vpn_cfg_err Invalid 'dh-group' $dh_group specified in "
- . "profile \"$profile\" for $tunKeyword. Only 2 or 5 accepted.\n"
- );
+ vpn_die(["vpn","ipsec","profile", $profile,"bind","tunnel", $tunnel],"$vpn_cfg_err Invalid 'dh-group' $dh_group specified in ".
+ "profile \"$profile\" for $tunKeyword. Only 2, 5, or 14 through 26 accepted.\n");
}
}
}
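Review bot: The fifteen-arm `elsif` chain from `if ($dh_group eq '2')` down to `'26'` is a table written out as code; a hash keyed by group number makes the accepted set visible in one place, and the same table would serve the matching `dh-groupN` branches in the PFS hunk below, which currently repeat every name a second time. The `vpn_die` message "Only 2, 5, or 14 through 26 accepted." would then be derived from the hash keys rather than maintained by hand. The enclosing proposal loop starts and ends outside the hunk.
```perl
# Group number -> DH group name understood by the IPsec daemon.
my %dh_name_of = (
    2  => 'modp1024',     5  => 'modp1536',
    14 => 'modp2048',     15 => 'modp3072',     16 => 'modp4096',
    17 => 'modp6144',     18 => 'modp8192',
    19 => 'ecp256',       20 => 'ecp384',       21 => 'ecp521',
    22 => 'modp1024s160', 23 => 'modp2048s224', 24 => 'modp2048s256',
    25 => 'ecp192',       26 => 'ecp224',
);
if ( defined($dh_group) ) {
    if ( exists $dh_name_of{$dh_group} ) {
        $genout .= "-$dh_name_of{$dh_group}";
    }
    elsif ( $dh_group ne '' ) {
        # … unchanged: vpn_die call …
    }
}
```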
@@ -419,19 +441,55 @@ if ( $vcVPN->exists('ipsec') ) {
# Perfect Forward Secrecy
#
my $pfs = $vcVPN->returnValue("ipsec esp-group $esp_group pfs");
- if ( defined($pfs) ) {
- if ( $pfs eq 'enable' ) {
+ if (defined($pfs)) {
+ if ( $pfs eq 'enable' && defined($dh_disable) ) {
$genout .= "\tpfs=yes\n";
- }
- elsif ( $pfs eq 'dh-group2' ) {
+ } elsif ($pfs eq 'dh-group2') {
$genout .= "\tpfs=yes\n";
$genout .= "\tpfsgroup=modp1024\n";
- }
- elsif ( $pfs eq 'dh-group5' ) {
+ } elsif ($pfs eq 'dh-group5') {
$genout .= "\tpfs=yes\n";
$genout .= "\tpfsgroup=modp1536\n";
- }
- else {
+ } elsif ($pfs eq 'dh-group14') {
+ $genout .= "\tpfs=yes\n";
+ $genout .= "\tpfsgroup=modp2048\n";
+ } elsif ($pfs eq 'dh-group15') {
+ $genout .= "\tpfs=yes\n";
+ $genout .= "\tpfsgroup=modp3072\n";
+ } elsif ($pfs eq 'dh-group16') {
+ $genout .= "\tpfs=yes\n";
+ $genout .= "\tpfsgroup=modp4096\n";
+ } elsif ($pfs eq 'dh-group17') {
+ $genout .= "\tpfs=yes\n";
+ $genout .= "\tpfsgroup=modp6144\n";
+ } elsif ($pfs eq 'dh-group18') {
+ $genout .= "\tpfs=yes\n";
+ $genout .= "\tpfsgroup=modp8192\n";
+ } elsif ($pfs eq 'dh-group19') {
+ $genout .= "\tpfs=yes\n";
+ $genout .= "\tpfsgroup=ecp256\n";
+ } elsif ($pfs eq 'dh-group20') {
+ $genout .= "\tpfs=yes\n";
+ $genout .= "\tpfsgroup=ecp384\n";
+ } elsif ($pfs eq 'dh-group21') {
+ $genout .= "\tpfs=yes\n";
+ $genout .= "\tpfsgroup=ecp521\n";
+ } elsif ($pfs eq 'dh-group22') {
+ $genout .= "\tpfs=yes\n";
+ $genout .= "\tpfsgroup=modp1024s160\n";
+ } elsif ($pfs eq 'dh-group23') {
+ $genout .= "\tpfs=yes\n";
+ $genout .= "\tpfsgroup=modp2048s224\n";
+ } elsif ($pfs eq 'dh-group24') {
+ $genout .= "\tpfs=yes\n";
+ $genout .= "\tpfsgroup=modp2048s256\n";
+ } elsif ($pfs eq 'dh-group25') {
+ $genout .= "\tpfs=yes\n";
+ $genout .= "\tpfsgroup=ecp192\n";
+ } elsif ($pfs eq 'dh-group26') {
+ $genout .= "\tpfs=yes\n";
+ $genout .= "\tpfsgroup=ecp224\n";
+ } else {
$genout .= "\tpfs=no\n";
}
}
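Review bot: With the new condition `if ( $pfs eq 'enable' && defined($dh_disable) )`, a configuration that asks for `pfs enable` but has no dh-group on the IKE proposal no longer matches any branch and falls through to `$genout .= "\tpfs=no\n";` — the operator requested perfect forward secrecy and silently gets none, which is the kind of downgrade this script should refuse rather than write out. Add an explicit arm before the `else`, `} elsif ($pfs eq 'enable') {` with a `vpn_die` (using this esp-group's config path) explaining that `pfs enable` requires a dh-group on the ike-group or an explicit `dh-groupN` value, so the mismatch surfaces at commit time instead of as missing ESP traffic. The repeated `pfs=yes`/`pfsgroup=` pairs in the `dh-group14` … `dh-group26` arms could likewise come from one group-name table shared with the IKE proposal code. The enclosing esp-group block continues outside the hunk.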