From 29666fa797d4cd62fbfc7fb9f8532f36196e78cc Mon Sep 17 00:00:00 2001
From: Jeff Leung
Date: Sat, 7 Feb 2015 06:32:31 +0000
Subject: Update references from pluto.ctl to charon.ctl
This needs to be updated or VPN configurations won't be properly handled on subsequent updates.
---
 lib/Vyatta/VPN/Util.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'lib/Vyatta/VPN')
diff --git a/lib/Vyatta/VPN/Util.pm b/lib/Vyatta/VPN/Util.pm
index f7dc320..a40cc90 100755
--- a/lib/Vyatta/VPN/Util.pm
+++ b/lib/Vyatta/VPN/Util.pm
@@ -37,7 +37,7 @@ use constant LOCAL_KEY_FILE_DEFAULT
 => '/opt/vyatta/etc/config/ipsec.d/rsa-keys/localhost.key';
 sub is_vpn_running {
- return ( -e '/var/run/pluto.ctl');
+ return ( -e '/var/run/charon.ctl');
 }
 sub get_protocols {
-- cgit v1.2.3
From 7c6c1e2073207612a2d819471bc680564c945cc7 Mon Sep 17 00:00:00 2001
From: Ryan Riske
Date: Sun, 1 Mar 2015 20:23:07 -0600
Subject: Add support for RSA keys with strongSwan 5.2.x
strongSwan 5.2.x no longer recognizes keys in RFC 3110 format inlined in ipsec.conf and ipsec.secrets. We need to convert the local private key and peer public keys to PEM format, without changing the config templates or user-visible key formats. This patch will require the Debian packages 'libcrypt-openssl-bignum-perl' and 'libcrypt-openssl-rsa-perl' to be added to the system.
---
 lib/Vyatta/VPN/Util.pm | 48 +++++++++++++++++++++++++++++++++++++++++++++++-
 scripts/vpn-config.pl | 25 ++++++++++++++++++++-----
 2 files changed, 67 insertions(+), 6 deletions(-)
(limited to 'lib/Vyatta/VPN')
diff --git a/lib/Vyatta/VPN/Util.pm b/lib/Vyatta/VPN/Util.pm
index a40cc90..65877b0 100755
--- a/lib/Vyatta/VPN/Util.pm
+++ b/lib/Vyatta/VPN/Util.pm
@@ -27,10 +27,14 @@ use strict;
 use warnings;
 our @EXPORT = qw(rsa_get_local_key_file LOCAL_KEY_FILE_DEFAULT rsa_get_local_pubkey
- is_vpn_running vpn_debug enableICMP is_tcp_udp get_protocols conv_protocol);
+ rsa_convert_pubkey_pem is_vpn_running vpn_debug enableICMP is_tcp_udp
+ get_protocols conv_protocol);
 use base qw(Exporter);
 use Vyatta::Config;
+use Crypt::OpenSSL::RSA;
+use MIME::Base64;
+use File::Copy;
 use POSIX qw(strftime);
 use constant LOCAL_KEY_FILE_DEFAULT
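Review bot: `Crypt::OpenSSL::Bignum` is called by class name (`->new_from_hex`, `->new_from_bin`) in the code this commit adds further down in Util.pm, yet only `use Crypt::OpenSSL::RSA;` is brought in here and nothing loads Bignum by name. I don't recall Crypt::OpenSSL::RSA guaranteeing to load Bignum on the caller's behalf, and the commit message already lists libcrypt-openssl-bignum-perl as a required package, so add `use Crypt::OpenSSL::Bignum;` next to the RSA line rather than relying on a transitive load. The module preamble continues past the end of this hunk.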
@@ -110,15 +114,57 @@ sub rsa_get_local_pubkey {
 my @raw_data=<$dat>;
 close($dat);
+ # PEM encoded private key
+ my $rsa = Crypt::OpenSSL::RSA->new_private_key(join("", @raw_data));
+ if (defined $rsa) {
+ my ($n, $e) = $rsa->get_key_parameters();
+ my $eb = $e->to_bin();
+ return "0s" . encode_base64(pack("C", length($eb)) . $eb . $n->to_bin(), '');
+ }
+
+ # legacy private key format
 foreach my $line (@raw_data) {
 my $file_pubkey;
 if (($file_pubkey) = ($line =~ m/\s+\#pubkey=(\S+)/)) {
+ # Found a legacy private key; convert to PEM for strongSwan 5.2.x
+ my $key = join("", @raw_data);
+ $key =~ /^\s+Modulus:\s+0x([0-9a-fA-F]+)$/m;
+ my $n = Crypt::OpenSSL::Bignum->new_from_hex($1);
+ $key =~ /^\s+PublicExponent:\s+0x([0-9a-fA-F]+)$/m;
+ my $e = Crypt::OpenSSL::Bignum->new_from_hex($1);
+ $key =~ /^\s+PrivateExponent:\s+0x([0-9a-fA-F]+)$/m;
+ my $d = Crypt::OpenSSL::Bignum->new_from_hex($1);
+ $key =~ /^\s+Prime1:\s+0x([0-9a-fA-F]+)$/m;
+ my $p = Crypt::OpenSSL::Bignum->new_from_hex($1);
+ $key =~ /^\s+Prime2:\s+0x([0-9a-fA-F]+)$/m;
+ my $q = Crypt::OpenSSL::Bignum->new_from_hex($1);
+
+ my $rsa = Crypt::OpenSSL::RSA->new_key_from_parameters($n, $e, $d, $p, $q);
+ if (defined $rsa) {
+ # write out PEM formatted key
+ move("$file", "$file.bak");
+ open(my $priv, '>', "$file")
+ or return 0;
+ chmod 0600, $file;
+ print {$priv} $rsa->get_private_key_string();
+ close($priv);
+ }
 return $file_pubkey;
 }
 }
 return 0;
 }
+sub rsa_convert_pubkey_pem {
+ my $key = shift;
+ my $decoded = decode_base64($key);
+ my $len = unpack("C", substr($decoded, 0, 1));
+ my $e = Crypt::OpenSSL::Bignum->new_from_bin(substr($decoded, 1, $len));
+ my $n = Crypt::OpenSSL::Bignum->new_from_bin(substr($decoded, 1 + $len));
+ my $rsa = Crypt::OpenSSL::RSA->new_key_from_parameters($n, $e);
+ return $rsa->get_public_key_x509_string();
+}
+
 sub vpn_debug {
 my $timestamp = strftime("%Y%m%d-%H:%M.%S", localtime);
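Review bot: The legacy branch builds the RSA key from `$1` after five unchecked matches, so a key file that lacks any of Modulus/PublicExponent/PrivateExponent/Prime1/Prime2 feeds a stale or undefined capture into `new_key_from_parameters`, and the result is then written over the original key file; each match has to be checked before its capture is used (rewrite below). As far as I recall `Crypt::OpenSSL::RSA->new_private_key` croaks on input it cannot parse rather than returning undef, in which case the `defined $rsa` fallback is never reached for a legacy file and the call needs to be `my $rsa = eval { Crypt::OpenSSL::RSA->new_private_key(join("", @raw_data)) };` — worth confirming against the installed module. `move` followed by `open '>'` with a bare `return 0` on failure leaves no key file at all when the open fails, and `chmod 0600` runs only after the file has been created under the process umask; writing to a temporary file created with mode 0600 and renaming it over `$file` avoids both. Having a function named rsa_get_local_pubkey rewrite the private key on disk deserves at least a comment at the top of the sub, which begins before this hunk.
```perl
            # … unchanged: PEM branch above; legacy branch begins inside the #pubkey= match …
            my $key = join("", @raw_data);
            my %param;
            for my $name (qw(Modulus PublicExponent PrivateExponent Prime1 Prime2)) {
                # Refuse to build a key from a missing field instead of reusing a stale $1.
                ($param{$name}) = ($key =~ /^\s+$name:\s+0x([0-9a-fA-F]+)$/m)
                    or return 0;
            }
            my ($n, $e, $d, $p, $q) =
                map { Crypt::OpenSSL::Bignum->new_from_hex($param{$_}) }
                    qw(Modulus PublicExponent PrivateExponent Prime1 Prime2);
            my $rsa = Crypt::OpenSSL::RSA->new_key_from_parameters($n, $e, $d, $p, $q);
            # … unchanged: write the PEM key to $file and return $file_pubkey …
```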
diff --git a/scripts/vpn-config.pl b/scripts/vpn-config.pl
index dd5da34..c7e227c 100755
--- a/scripts/vpn-config.pl
+++ b/scripts/vpn-config.pl
@@ -59,6 +59,7 @@ my $dhcp_if = 0;
 my $genout;
 my $genout_secrets;
 my %key_file_list;
+my %public_keys;
 # Set $using_klips to 1 if kernel IPsec support is provided by KLIPS.
 # Set it to 0 us using NETKEY.
@@ -1010,7 +1011,10 @@ if ($vcVPN->exists('ipsec')) {
 vpn_die(["vpn","ipsec","site-to-site","peer",$peer,"authentication"],"$vpn_cfg_err Unable to determine local public key from local key". " file \"$local_key_file\" for peer \"$peer\".\n");
 } else {
- $genout .= "\tleftrsasigkey=\"$local_key\"\n";
+ if (!defined($public_keys{localhost})) {
+ $public_keys{localhost} = $local_key;
+ $genout .= "\tleftsigkey=localhost.pub\n";
+ }
 }
 my $rsa_key_name = $vcVPN->returnValue("ipsec site-to-site peer $peer authentication rsa-key-name");
@@ -1023,7 +1027,10 @@ if ($vcVPN->exists('ipsec')) {
 vpn_die(["vpn","ipsec","site-to-site","peer",$peer,"authentication"],"$vpn_cfg_err No remote key configured for rsa key name ". "\"$rsa_key_name\" that is specified for peer \"$peer\".\n");
 } else {
- $genout .= "\trightrsasigkey=\"$remote_key\"\n";
+ if (!defined($public_keys{$rsa_key_name})) {
+ $public_keys{$rsa_key_name} = $remote_key;
+ $genout .= "\trightsigkey=$rsa_key_name.pub\n";
+ }
 }
 }
 # Prevent duplicate includes for rsa keys.
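Review bot: `leftsigkey=localhost.pub` is appended to `$genout` only while `$public_keys{localhost}` is still undefined, i.e. for the first RSA-authenticated peer; every later RSA peer's conn is generated without a leftsigkey line, and the same guard on `$public_keys{$rsa_key_name}` drops rightsigkey for a second peer that reuses an rsa-key-name, which looks like a regression from the removed unconditional `leftrsasigkey`/`rightrsasigkey` lines. Only the `.pub` file write needs de-duplication and a hash assignment is already idempotent, so drop the guards: `$public_keys{localhost} = $local_key;` followed by `$genout .= "\tleftsigkey=localhost.pub\n";`, and likewise `$public_keys{$rsa_key_name} = $remote_key;` with `$genout .= "\trightsigkey=$rsa_key_name.pub\n";`. I'm inferring that `$genout` accumulates one conn section per peer from the surrounding code, which starts and ends outside this hunk.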
@@ -1156,13 +1163,13 @@ if ( $vcVPN->isDeleted('.')
 if (!enableICMP('1')) {
 vpn_die(["vpn","ipsec"],"VPN commit error. Unable to re-enable ICMP redirects.\n");
 }
- write_config($genout, $config_file, $genout_secrets, $secrets_file, $dhcp_if);
+ write_config($genout, $config_file, $genout_secrets, $secrets_file, $dhcp_if, %public_keys);
 } else {
 if (!enableICMP('0')) {
 vpn_die(["vpn","ipsec"],"VPN commit error. Unable to disable ICMP redirects.\n");
 }
- write_config($genout, $config_file, $genout_secrets, $secrets_file, $dhcp_if);
+ write_config($genout, $config_file, $genout_secrets, $secrets_file, $dhcp_if, %public_keys);
 # Assumming that if there was a local IP missmatch and clustering is enabled,
 # then the clustering scripts will take care of starting the VPN daemon.
@@ -1251,7 +1258,7 @@ sub vpn_die {
 }
 sub write_config {
- my ($genout, $config_file, $genout_secrets, $secrets_file, $dhcp_if) = @_;
+ my ($genout, $config_file, $genout_secrets, $secrets_file, $dhcp_if, %public_keys) = @_;
 open my $output_config, '>', $config_file or die "Can't open $config_file: $!";
@@ -1272,6 +1279,14 @@ sub write_config {
 print ${output_secrets} $genout_secrets;
 close $output_secrets;
 dhcp_hook($dhcp_if);
+
+ for my $name (keys %public_keys) {
+ my $output_path = "/etc/ipsec.d/certs/$name.pub";
+ open my $output_file, '>', $output_path
+ or die "Can't open $output_path: $!";
+ print ${output_file} rsa_convert_pubkey_pem($public_keys{$name});
+ close $output_file;
+ }
 }
 sub vpn_exec {
-- cgit v1.2.3
From 57d284aded5003468dee946f906bf88f09a79d5a Mon Sep 17 00:00:00 2001
From: Ryan Riske
Date: Sun, 1 Mar 2015 21:28:00 -0600
Subject: Exclude '0s' from public key string input in rsa_convert_pubkey_pem
---
 lib/Vyatta/VPN/Util.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'lib/Vyatta/VPN')
diff --git a/lib/Vyatta/VPN/Util.pm b/lib/Vyatta/VPN/Util.pm
index 65877b0..606178a 100755
--- a/lib/Vyatta/VPN/Util.pm
+++ b/lib/Vyatta/VPN/Util.pm
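Review bot: `$name` becomes a path component of `/etc/ipsec.d/certs/$name.pub` without validation, and for remote keys it is the configured rsa-key-name, so a name containing `/` or `..` makes write_config (presumably running as root, given it writes ipsec.conf) create or overwrite a file outside ipsec.d/certs; reject unsafe names before the open, e.g. `die "Invalid rsa-key-name '$name'\n" unless $name =~ /\A[A-Za-z0-9_-][A-Za-z0-9_.-]*\z/;`. The write also ignores `close` failures, so a full disk leaves a truncated `.pub` that the conn section already references; use `close $output_file or die "Can't write $output_path: $!";`. Nothing in this loop removes `.pub` files for keys that are no longer configured, so stale public keys appear to accumulate in ipsec.d/certs, which matters if that directory is consulted for other trust decisions. write_config's opening lines are in the previous hunk and its callers are elsewhere in the file.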
@@ -157,7 +157,7 @@ sub rsa_get_local_pubkey {
 sub rsa_convert_pubkey_pem {
 my $key = shift;
- my $decoded = decode_base64($key);
+ my $decoded = decode_base64(substr($key, 2));
 my $len = unpack("C", substr($decoded, 0, 1));
 my $e = Crypt::OpenSSL::Bignum->new_from_bin(substr($decoded, 1, $len));
 my $n = Crypt::OpenSSL::Bignum->new_from_bin(substr($decoded, 1 + $len));
-- cgit v1.2.3
From e6bde39b75eca1f4b30b7d4fa3c6eb9dd0100775 Mon Sep 17 00:00:00 2001
From: Kim Hagen
Date: Tue, 23 Feb 2016 03:59:49 -0500
Subject: Update vpn check file from "charon.ctl" to "charon.pid".
---
 lib/Vyatta/VPN/Util.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'lib/Vyatta/VPN')
diff --git a/lib/Vyatta/VPN/Util.pm b/lib/Vyatta/VPN/Util.pm
index 606178a..315651e 100755
--- a/lib/Vyatta/VPN/Util.pm
+++ b/lib/Vyatta/VPN/Util.pm
@@ -41,7 +41,7 @@ use constant LOCAL_KEY_FILE_DEFAULT
 => '/opt/vyatta/etc/config/ipsec.d/rsa-keys/localhost.key';
 sub is_vpn_running {
- return ( -e '/var/run/charon.ctl');
+ return ( -e '/var/run/charon.pid');
 }
 sub get_protocols {
-- cgit v1.2.3
From 4e78db594120375843a981eae43d87edc873177a Mon Sep 17 00:00:00 2001
From: Sylvain Munaut
Date: Thu, 23 Mar 2017 22:16:18 +0100
Subject: Fix VTI interface configuration to set both ikey and okey
Without this, the outgoing traffic is marked and encrypted but incoming traffic isn't properly forwarded to the VTI and just gets dropped. Partially Fixes T137 Signed-off-by: Sylvain Munaut
---
 lib/Vyatta/VPN/vtiIntf.pm | 2 +-
 scripts/vyatta-vti-config.pl | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
(limited to 'lib/Vyatta/VPN')
diff --git a/lib/Vyatta/VPN/vtiIntf.pm b/lib/Vyatta/VPN/vtiIntf.pm
index daec058..4e52fff 100755
--- a/lib/Vyatta/VPN/vtiIntf.pm
+++ b/lib/Vyatta/VPN/vtiIntf.pm
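Review bot: `substr($key, 2)` strips the `0s` prefix by position, so a key string that arrives without it, or with leading whitespace, silently loses its first two base64 characters and decodes to a different modulus; strip the prefix by pattern and refuse anything else, `$key =~ s/\A\s*0s// or die "RSA public key must start with '0s'\n";`, before the decode. The single-byte `unpack("C", ...)` on the next line also assumes a one-octet exponent length; RFC 3110 encodes exponents longer than 255 bytes as a zero octet followed by a two-octet length, so such a key would be mis-parsed — rare in practice, but a `die` on a zero first byte would make the limitation explicit. The rest of rsa_convert_pubkey_pem lies past the end of this hunk.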
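Review bot: `-e '/var/run/charon.pid'` only tests that the pid file exists, so after a crash or an unclean stop a stale file keeps is_vpn_running returning true until something removes it, and any caller that skips a start on that basis will be wrong. Since the file now holds a pid, read it and probe the process: `open(my $fh, '<', '/var/run/charon.pid') or return 0;` then `my ($pid) = (<$fh> // '') =~ /(\d+)/; close($fh);` and `return defined $pid && kill(0, $pid);`. `kill 0` needs permission to signal charon, so an unprivileged caller would see EPERM as "not running"; that is presumably fine where this runs under sudo, but confirm against the callers, which are outside this hunk.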
@@ -70,7 +70,7 @@ sub parseVtiTun {
 if ($tunop =~ m/local ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)/) {
 $local = $1;
 }
- if ($tunop =~ m/okey ([0-9\.]+)/) {
+ if ($tunop =~ m/key ([0-9\.]+)/) {
 $mark = $1;
 }
 return($remote, $local, $tunName, $mark);
diff --git a/scripts/vyatta-vti-config.pl b/scripts/vyatta-vti-config.pl
index fbfad64..81abf97 100755
--- a/scripts/vyatta-vti-config.pl
+++ b/scripts/vyatta-vti-config.pl
@@ -25,7 +25,7 @@ #
 #
 # For each VTI tunnel (vpn ipsec site-to-site peer ip-address sti); find the vti tunnel, local address, mark.
 # Find the corresponding tunnel (interfaces vti vtiXXX), tunnel address, disable, mtu
-# if not configured: ip tunnel add vtiXXX mode esp local $local remote $remote i_key $mark
+# if not configured: ip tunnel add vtiXXX mode esp local $local remote $remote ikey $mark okey $mark
 # if (mtu): configure mtu
 # if (tunnel-addres): configur ip link vtiXXX address
 # if (!disable): enable the interface.
@@ -207,7 +207,7 @@ foreach my $peer (@peers) {
 # By default we delete the tunnel...
 my $genmark = $mark;
 $gencmds .= "sudo /sbin/ip link delete $tunName type vti &> /dev/null\n";
- $gencmds .= "sudo /sbin/ip link add $tunName type vti local $lip remote $peer okey $genmark\n";
+ $gencmds .= "sudo /sbin/ip link add $tunName type vti local $lip remote $peer okey $genmark ikey $genmark\n";
 foreach my $tunIP (@tunIPs) {
 $gencmds .= "sudo /sbin/ip addr add $tunIP dev $tunName\n";
 }
-- cgit v1.2.3
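Review bot: `m/key ([0-9\.]+)/` is unanchored, so it matches the `key` inside `ikey`, `okey` or any other token containing it and takes whichever appears first in the `ip` output; with both keys now being set that is correct only while they are equal, and a tunnel whose ikey and okey differ (for instance one created by an older version of the script) is reported by just one of them with no indication. Anchor the token at least, `if ($tunop =~ m/\b[io]?key ([0-9\.]+)/) {`, and consider capturing ikey and okey separately so that a mismatch is treated as a tunnel that needs recreating. I believe iproute2 prints a single `key N` when both are equal and `ikey`/`okey` when they differ, which is presumably why the pattern was loosened; how `$mark` is compared afterwards is outside this hunk, as is the rest of parseVtiTun.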