summaryrefslogtreecommitdiff
path: root/scripts
diff options
context:
space:
mode:
authorTaniadz <tdziubenko@ukr.net>2017-10-24 11:48:36 +0300
committerTaniadz <tdziubenko@ukr.net>2017-10-24 11:48:36 +0300
commit60960c1c891d99d2fe10aa0daa5367e31833cb25 (patch)
tree86b39448c986ff28a11bded7e0baa13cc9644739 /scripts
parentff15bdcdeda459bb7cf5de450d02ea2cee53041c (diff)
downloadvyatta-cfg-vpn-60960c1c891d99d2fe10aa0daa5367e31833cb25.tar.gz
vyatta-cfg-vpn-60960c1c891d99d2fe10aa0daa5367e31833cb25.zip
T126: charon listening on ALL interfaces
Diffstat (limited to 'scripts')
-rwxr-xr-xscripts/vpn-config.pl51
1 files changed, 36 insertions, 15 deletions
diff --git a/scripts/vpn-config.pl b/scripts/vpn-config.pl
index 75d0e91..c1348ed 100755
--- a/scripts/vpn-config.pl
+++ b/scripts/vpn-config.pl
@@ -52,12 +52,14 @@ my $CRL_PATH = '/etc/ipsec.d/crls';
my $SERVER_CERT_PATH = '/etc/ipsec.d/certs';
my $SERVER_KEY_PATH = '/etc/ipsec.d/private';
my $LOGFILE = '/var/log/vyatta/ipsec.log';
+my $STRONGSWAN = '/etc/strongswan.d/interfaces_use.conf';
my $vpn_cfg_err = "VPN configuration error:";
my $clustering_ip = 0;
my $dhcp_if = 0;
my $genout;
my $genout_secrets;
+my $interfaces_use;
my %key_file_list;
my %public_keys;
@@ -67,6 +69,7 @@ my $using_klips = 0;
$genout .= "# generated by $0\n\n";
$genout_secrets .= "# generated by $0\n\n";
+$interfaces_use .= "# generated by $0\n\n";
#
# Prepare Vyatta::Config object
@@ -215,15 +218,23 @@ if ($vcVPN->exists('ipsec')) {
# Configuration of system wide options
#
$genout .= "config setup\n";
+ $interfaces_use .= "charon {\n\t";
#
# Interfaces
#
my @interfaces = $vcVPN->returnValues('ipsec ipsec-interfaces interface');
- if (@interfaces == 0) {
- #*THIS CHECK'S ALSO USED BY OP-MODE CMNDS TO CHECK IF IPSEC IS CONFIGURED*#
- vpn_die(["vpn", "ipsec","ipsec-interfaces"],"$vpn_cfg_err No IPSEC interfaces specified.\n");
- } else {
+ if (scalar(@interfaces) > 0) {
+
+ $interfaces_use .= "interfaces_use = ";
+ foreach my $interface (@interfaces) {
+ if (!(-d "/sys/class/net/$interface")) {
+ next;
+ }
+ $interfaces_use .= "$interface, ";
+ }
+ $interfaces_use .= "\n}";
+
# We need to generate an "interfaces=..." entry in the setup section
# only if the underlying IPsec kernel code we are using is KLIPS.
# If we are using NETKEY, the "interfaces=..." entry is essentially
@@ -249,7 +260,8 @@ if ($vcVPN->exists('ipsec')) {
$genout .= '%defaultroute';
}
$genout .= "\"\n";
- } else {
+ }
+ else {
my $counter = 0;
$genout .= "\t";
if (hasLocalWildcard($vcVPN, 0)) {
@@ -261,11 +273,14 @@ if ($vcVPN->exists('ipsec')) {
++$counter;
}
$genout .= '%defaultroute"';
- } else {
+ }
+ else {
$genout .= 'interfaces="%none"';
}
$genout .= "\n";
+
}
+
}
#
@@ -785,7 +800,7 @@ if ($vcVPN->exists('ipsec')) {
if (defined($aggressive_mode)) {
if (defined($key_exchange) && $key_exchange eq 'ikev2') {
vpn_die(["vpn","ipsec","ike-group", $ike_group, "mode"], "$vpn_cfg_err Selection of Main/Aggressive modes is only valid for IKEv1 configurations");
- }
+ }
if ($aggressive_mode eq 'aggressive') {
$genout .= "\taggressive=yes\n";
} else {
@@ -812,7 +827,7 @@ if ($vcVPN->exists('ipsec')) {
$genout .= "\tdpdtimeout=$dpd_timeout" . "s\n";
$genout .= "\tdpdaction=$dpd_action\n";
}
-
+
#
# Allow the user for force UDP encapsulation for the ESP
# payload.
@@ -1134,7 +1149,7 @@ if ($vcVPN->exists('ipsec')) {
}
}
}
-
+
#
# Include a custom configuration file
#
@@ -1147,7 +1162,7 @@ if ($vcVPN->exists('ipsec')) {
$genout .= "\ninclude $custom_include\n";
}
if (defined($custom_secrets)) {
- if ( ! -e $custom_secrets) {
+ if ( ! -e $custom_secrets) {
vpn_die(["vpn","ipsec","include-ipsec-secrets"],"$vpn_cfg_err The specified file for inclusion inside ipsec.secrets does not exist.");
}
$genout_secrets .= "\ninclude $custom_secrets\n";
@@ -1185,13 +1200,13 @@ if ( $vcVPN->isDeleted('.')
if (!enableICMP('1')) {
vpn_die(["vpn","ipsec"],"VPN commit error. Unable to re-enable ICMP redirects.\n");
}
- write_config($genout, $config_file, $genout_secrets, $secrets_file, $dhcp_if, %public_keys);
+ write_config($genout, $interfaces_use, $STRONGSWAN, $config_file, $genout_secrets, $secrets_file, $dhcp_if, %public_keys);
} else {
if (!enableICMP('0')) {
vpn_die(["vpn","ipsec"],"VPN commit error. Unable to disable ICMP redirects.\n");
}
- write_config($genout, $config_file, $genout_secrets, $secrets_file, $dhcp_if, %public_keys);
+ write_config($genout, $interfaces_use, $STRONGSWAN, $config_file, $genout_secrets, $secrets_file, $dhcp_if, %public_keys);
# Assumming that if there was a local IP missmatch and clustering is enabled,
# then the clustering scripts will take care of starting the VPN daemon.
@@ -1226,7 +1241,7 @@ if ( $vcVPN->isDeleted('.')
foreach my $tunnel (@tunnel_cfg_old) {
push (@old_tunnels, $tunnel) unless exists $seen{$tunnel};
}
-
+
# Issue an ipsec down on the old tunnel since charon doesn't clean up
# connections removed from ipsec.conf
foreach my $old_peer (@old_tunnels) {
@@ -1247,7 +1262,7 @@ if ( $vcVPN->isDeleted('.')
vpn_exec('ipsec start --auto-update '.$update_interval.' >&/dev/null','start ipsec with auto-update $update_interval');
}
}
-
+
# Activate any debugging options by
# calling ipsec stroke loglevel <source> <level>
my @logmodes = $vcVPN->returnValues('ipsec logging log-modes');
@@ -1280,13 +1295,19 @@ sub vpn_die {
}
sub write_config {
- my ($genout, $config_file, $genout_secrets, $secrets_file, $dhcp_if, %public_keys) = @_;
+ my ($genout, $interfaces_use, $STRONGSWAN, $config_file, $genout_secrets, $secrets_file, $dhcp_if, %public_keys) = @_;
open my $output_config, '>', $config_file
or die "Can't open $config_file: $!";
print ${output_config} $genout;
close $output_config;
+
+ open my $strong_config, '>', $STRONGSWAN
+ or die "Can't open $STRONGSWAN: $!";
+ print ${strong_config} $interfaces_use;
+ close $strong_config;
+
my @lines = split("\n", $genout_secrets);
my @any = grep(/%any/, @lines);
if (scalar(@any) > 0) {