author | Mohit Mehta <mohit.mehta@vyatta.com> | 2010-03-31 15:31:29 -0700 |
---|---|---|
committer | Mohit Mehta <mohit.mehta@vyatta.com> | 2010-03-31 15:31:29 -0700 |
commit | ee1dd6e55c21d0c8bbbad311b7e53c777aa86f3d (patch) | |
tree | 61b139095a2f4c0103501a0540c75d65576380ec /scripts | |
parent | b98163cd302d5b864724db780148f8e11c645f28 (diff) | |
Fix Bug 5500 Unable to establish a VPN connection from a remote peer with a
dynamic peer when using FQDN identifier for remote end
* allow remote peer with dynamic IP to connect using Main Mode/PSK
Diffstat (limited to 'scripts')
-rwxr-xr-x | scripts/vpn-config.pl | 33 |
1 files changed, 21 insertions, 12 deletions
diff --git a/scripts/vpn-config.pl b/scripts/vpn-config.pl
index 58b4c1d..6c7dee8 100755
--- a/scripts/vpn-config.pl
+++ b/scripts/vpn-config.pl
@@ -515,21 +515,13 @@ if ( $vcVPN->exists('ipsec') ) {
  #
  if ( defined($lip) ) {
  if ( $lip eq '0.0.0.0' ) {
- if ( !defined($authid) ) {
- print STDERR "$vpn_cfg_err "
- . 'The "authentication id" must be '
- . 'configured if local IP is 0.0.0.0.' . "\n";
- $error = 1;
- } else {
- $genout .= "\tleft=%defaultroute\n";
- $genout .= "\tleftid=$authid\n";
- $leftsourceip = "\tleftsourceip=%defaultroute\n";
- }
+ $genout .= "\tleft=%defaultroute\n";
+ # no need for leftsourceip as a defaultroute is must for this to work
  } else {
  $genout .= "\tleft=$lip\n";
- $genout .= "\tleftid=$authid\n" if defined $authid;
  $leftsourceip = "\tleftsourceip=$lip\n";
  }
+ $genout .= "\tleftid=$authid\n" if defined $authid;
  }
  my $any_peer = 0;
@@ -876,7 +868,24 @@ if ( $vcVPN->exists('ipsec') ) {
  }
  my $index1 = ( defined($authid) ) ? "$authid" : $lip;
  my $index2 = ( defined($authremoteid) ) ? "$authremoteid" : $right;
- $genout_secrets .= "$index1 $index2 : PSK \"$psk\"\n";
+ if ($lip eq '0.0.0.0') {
+ if ($index1 =~ m/^@/) {
+ # In main mode PSK, the responder needs to look up the secret
+ # before the Peer's ID payload has been decoded, so the ID used
+ # will be the IP address. Note that this'll work with aggressive
+ # mode PSK but starting VC6, we use strongswan which doesn't
+ # support aggressive mode. More info on reported bug :
+ # http://bugzilla.vyatta.com/show_bug.cgi?id=5500
+ $error = 1;
+ print STDERR
+ "$vpn_cfg_err cannot use authentication id with pre-shared-secret"
+ . " when local-ip is 0.0.0.0\n";
+ }
+ # when local-ip is dynamic then only the following generic form works
+ $genout_secrets .= ": PSK \"$psk\"\n";
+ } else {
+ $genout_secrets .= "$index1 $index2 : PSK \"$psk\"\n";
+ }
  $genout .= "\tauthby=secret\n";
  } elsif ( defined($auth_mode) && $auth_mode eq 'rsa' ) { |
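Review bot: In the second hunk the pre-shared secret is interpolated unescaped into the new `: PSK "$psk"` line (and the retained `$index1 $index2 : PSK "$psk"` line), so a secret containing a double quote or a newline produces a malformed or truncated ipsec.secrets entry; unless `$psk` is validated before this point (not visible here), guard it once above the branch with `if ( $psk =~ m/["\n]/ ) { $error = 1; print STDERR "$vpn_cfg_err pre-shared-secret must not contain quotes or newlines\n"; }`. The `$index1 =~ m/^@/` test only rejects `@`-prefixed ids, yet `$index1` is `$authid` whenever it is defined, so any other authentication-id form is silently dropped in favour of the generic entry; either test `defined($authid)` or add a comment explaining why only `@` ids are refused. The comment above the generic line should also state its effect, e.g. `# ': PSK' has no selectors, so strongswan matches it for any peer: all dynamic-local-IP connections share this secret`, since that is the security trade-off the change introduces. The enclosing `if ( $vcVPN->exists('ipsec') )` block and the auth-mode chain begin and end outside the hunk.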