diff options
9 files changed, 87 insertions, 2 deletions
diff --git a/scripts/vpn-config.pl b/scripts/vpn-config.pl index 3aba73f..f265f55 100755 --- a/scripts/vpn-config.pl +++ b/scripts/vpn-config.pl @@ -47,6 +47,10 @@ GetOptions( "secrets_file=s" => \$secrets_file, "init_script=s" => \$init_script ); +my $CA_CERT_PATH = '/etc/ipsec.d/cacerts'; +my $CRL_PATH = '/etc/ipsec.d/crls'; +my $SERVER_CERT_PATH = '/etc/ipsec.d/certs'; +my $SERVER_KEY_PATH = '/etc/ipsec.d/private'; my $vpn_cfg_err = "VPN configuration error:"; my $clustering_ip = 0; @@ -520,7 +524,7 @@ if ( $vcVPN->exists('ipsec') ) { $right = $peer; } $genout .= "\tright=$right\n"; - $genout .= "\trightid=$rightid\n" if ( defined($rightid) ); + $genout .= "\trightid=\"$rightid\"\n" if ( defined($rightid) ); if ($any_peer) { $genout .= "\trekey=no\n"; } @@ -951,6 +955,9 @@ if ( $vcVPN->exists('ipsec') ) { $prev_peer = $peer; } $genout .= "\tauthby=secret\n"; + } elsif ( defined($auth_mode) && $auth_mode eq 'x509') { + $genout .= get_x509($peer); + $genout_secrets .= get_x509_secret($peer); } elsif ( defined($auth_mode) && $auth_mode eq 'rsa' ) { unless ( -r $local_key_file ) { @@ -1277,4 +1284,69 @@ sub CheckIfAddressInsideNetwork { return 0; } +sub get_x509 { + my $peer = pop(@_); + # Setup x509, based on the L2TP x509 code + # + ## check that proper nodes are defined. + my $path = "vpn ipsec site-to-site peer $peer authentication x509 "; + my $cacrt = $vcVPN->returnValue("ipsec site-to-site peer $peer authentication x509 ca-cert-file"); + vpn_die([split(' ', ($path."ca-cert-file"))], + "$vpn_cfg_err No CA certificate for peer \"$peer\" specified.\n") if !defined($cacrt); + my $crl = $vcVPN->returnValue("ipsec site-to-site peer $peer authentication x509 crl-file"); + my $crt = $vcVPN->returnValue("ipsec site-to-site peer $peer authentication x509 cert-file"); + vpn_die([split(' ', ($path."cert-file"))], + "$vpn_cfg_err No Certificate for peer \"$peer\" specified.\n") if !defined($crt); + my $key = $vcVPN->returnValue("ipsec site-to-site peer $peer authentication x509 key file"); + vpn_die([split(' ', ($path."key-file"))], + "$vpn_cfg_err No Key for peer \"$peer\" specified.\n") if !defined($key); + + # Verify the files exist + vpn_die([split(' ', ($path."ca-cert-file"))] , "Invalid ca-cert-file \"$cacrt\"") + if (! -f $cacrt); + vpn_die([split(' ', ($path."cert-file"))] , "Invalid server-cert-file \"$crt\"") + if (! -f $crt); + vpn_die([split(' ', ($path."key-file"))] , "Invalid server-key-file \"$key\"" ) + if (! -f $key); + + + # Copy files to the ipsec directory + system("cp -f $cacrt $CA_CERT_PATH/"); + vpn_die([split(' ', ($path."ca-cert-file"))] , "Cannot copy ca-cert-file \"$cacrt\"") + if ($? >> 8); + system("cp -f $crt $SERVER_CERT_PATH/"); + vpn_die([split(' ', ($path."cert-file"))] , "Cannot copy cert-file \"$crt\"") + if ($? >> 8); + system("cp -f $key $SERVER_KEY_PATH/"); + vpn_die([split(' ', ($path."key-file"))] , "Cannot copy key-file \"$key\"" ) + if ($? >> 8); + + # Handle CRL file if it is defined + if (defined($crl)) { + vpn_die([split(' ', ($path."crl-file"))], "Invalid crl-file \"$crl\"") + if (! -f $crl); + system("cp -f $crl $CRL_PATH/"); + vpn_die([split(' ', ($path."crl-file"))], "Cannot copy crl-file \"$crl\"") + if ($? >> 8); + } + $crt =~ s/^.*(\/[^\/]+)$/${SERVER_CERT_PATH}$1/; + my $auth_str = "\tauthby=rsasig\n"; + $auth_str .= "\tleftrsasigkey=%cert\n"; + $auth_str .= "\trightrsasigkey=%cert\n"; + $auth_str .= "\trightca=%same\n"; + $auth_str .= "\tleftcert=$crt\n"; + return $auth_str; +} + +sub get_x509_secret { + my $peer = pop(@_); + my $key_file = $vcVPN->returnValue("ipsec site-to-site peer $peer authentication x509 key file"); + my $key_pass = $vcVPN->returnValue("ipsec site-to-site peer $peer authentication x509 key password"); + my $pstr = (defined($key_pass) ? " \"$key_pass\"" : ''); + $key_file =~ s/^.*(\/[^\/]+)$/${SERVER_KEY_PATH}$1/; + my $str = ": RSA ${key_file}$pstr \n"; + return $str; +} + + # end of file diff --git a/templates/vpn/ipsec/site-to-site/peer/node.tag/authentication/mode/node.def b/templates/vpn/ipsec/site-to-site/peer/node.tag/authentication/mode/node.def index 25f5f66..d717730 100644 --- a/templates/vpn/ipsec/site-to-site/peer/node.tag/authentication/mode/node.def +++ b/templates/vpn/ipsec/site-to-site/peer/node.tag/authentication/mode/node.def @@ -1,6 +1,7 @@ help: Authentication mode type: txt default: "pre-shared-secret" -syntax:expression: $VAR(@) in "pre-shared-secret", "rsa"; "must be pre-shared-secret or rsa" +syntax:expression: $VAR(@) in "pre-shared-secret", "x509", "rsa"; "must be pre-shared-secret, x509, or rsa" val_help: pre-shared-secret; Use pre-shared secret key val_help: rsa; Use RSA key +val_help: x509; Use X.509 certificate diff --git a/templates/vpn/ipsec/site-to-site/peer/node.tag/authentication/x509/ca-cert-file/node.def b/templates/vpn/ipsec/site-to-site/peer/node.tag/authentication/x509/ca-cert-file/node.def new file mode 100644 index 0000000..819e990 --- /dev/null +++ b/templates/vpn/ipsec/site-to-site/peer/node.tag/authentication/x509/ca-cert-file/node.def @@ -0,0 +1,2 @@ +type: txt +help: File containing the X.509 certificate for the Certificate Authority (CA) diff --git a/templates/vpn/ipsec/site-to-site/peer/node.tag/authentication/x509/cert-file/node.def b/templates/vpn/ipsec/site-to-site/peer/node.tag/authentication/x509/cert-file/node.def new file mode 100644 index 0000000..1c75264 --- /dev/null +++ b/templates/vpn/ipsec/site-to-site/peer/node.tag/authentication/x509/cert-file/node.def @@ -0,0 +1,2 @@ +type: txt +help: File containing the X.509 certificate for the remote access VPN server (this host) diff --git a/templates/vpn/ipsec/site-to-site/peer/node.tag/authentication/x509/crl-file/node.def b/templates/vpn/ipsec/site-to-site/peer/node.tag/authentication/x509/crl-file/node.def new file mode 100644 index 0000000..ce49e36 --- /dev/null +++ b/templates/vpn/ipsec/site-to-site/peer/node.tag/authentication/x509/crl-file/node.def @@ -0,0 +1,2 @@ +type: txt +help: File containing the X.509 Certificate Revocation List (CRL) diff --git a/templates/vpn/ipsec/site-to-site/peer/node.tag/authentication/x509/key/file/node.def b/templates/vpn/ipsec/site-to-site/peer/node.tag/authentication/x509/key/file/node.def new file mode 100644 index 0000000..0396c3e --- /dev/null +++ b/templates/vpn/ipsec/site-to-site/peer/node.tag/authentication/x509/key/file/node.def @@ -0,0 +1,2 @@ +type: txt +help: File containing the private key for the X.509 certificate for the remote access VPN server (this host) diff --git a/templates/vpn/ipsec/site-to-site/peer/node.tag/authentication/x509/key/node.def b/templates/vpn/ipsec/site-to-site/peer/node.tag/authentication/x509/key/node.def new file mode 100644 index 0000000..d891c7b --- /dev/null +++ b/templates/vpn/ipsec/site-to-site/peer/node.tag/authentication/x509/key/node.def @@ -0,0 +1 @@ +help: Key file and password to open it diff --git a/templates/vpn/ipsec/site-to-site/peer/node.tag/authentication/x509/key/password/node.def b/templates/vpn/ipsec/site-to-site/peer/node.tag/authentication/x509/key/password/node.def new file mode 100644 index 0000000..0667ea6 --- /dev/null +++ b/templates/vpn/ipsec/site-to-site/peer/node.tag/authentication/x509/key/password/node.def @@ -0,0 +1,2 @@ +type: txt +help: Password that protects the private key diff --git a/templates/vpn/ipsec/site-to-site/peer/node.tag/authentication/x509/node.def b/templates/vpn/ipsec/site-to-site/peer/node.tag/authentication/x509/node.def new file mode 100644 index 0000000..81ed780 --- /dev/null +++ b/templates/vpn/ipsec/site-to-site/peer/node.tag/authentication/x509/node.def @@ -0,0 +1 @@ +help: X.509 certificate |