From 60960c1c891d99d2fe10aa0daa5367e31833cb25 Mon Sep 17 00:00:00 2001
From: Taniadz
Date: Tue, 24 Oct 2017 11:48:36 +0300
Subject: T126: charon listening on ALL interfaces
---
 scripts/vpn-config.pl | 51 ++++++++++++++++++++++++++++++++++++---------------
 1 file changed, 36 insertions(+), 15 deletions(-)
(limited to 'scripts/vpn-config.pl')
diff --git a/scripts/vpn-config.pl b/scripts/vpn-config.pl
index 75d0e91..c1348ed 100755
--- a/scripts/vpn-config.pl
+++ b/scripts/vpn-config.pl
@@ -52,12 +52,14 @@ my $CRL_PATH = '/etc/ipsec.d/crls';
 my $SERVER_CERT_PATH = '/etc/ipsec.d/certs';
 my $SERVER_KEY_PATH = '/etc/ipsec.d/private';
 my $LOGFILE = '/var/log/vyatta/ipsec.log';
+my $STRONGSWAN = '/etc/strongswan.d/interfaces_use.conf';
 my $vpn_cfg_err = "VPN configuration error:";
 my $clustering_ip = 0;
 my $dhcp_if = 0;
 my $genout;
 my $genout_secrets;
+my $interfaces_use;
 my %key_file_list;
 my %public_keys;
@@ -67,6 +69,7 @@ my $using_klips = 0;
 $genout .= "# generated by $0\n\n";
 $genout_secrets .= "# generated by $0\n\n";
+$interfaces_use .= "# generated by $0\n\n";
 #
 # Prepare Vyatta::Config object
@@ -215,15 +218,23 @@ if ($vcVPN->exists('ipsec')) {
 # Configuration of system wide options
 #
 $genout .= "config setup\n";
+ $interfaces_use .= "charon {\n\t";
 #
 # Interfaces
 #
 my @interfaces = $vcVPN->returnValues('ipsec ipsec-interfaces interface');
- if (@interfaces == 0) {
- #*THIS CHECK'S ALSO USED BY OP-MODE CMNDS TO CHECK IF IPSEC IS CONFIGURED*#
- vpn_die(["vpn", "ipsec","ipsec-interfaces"],"$vpn_cfg_err No IPSEC interfaces specified.\n");
- } else {
+ if (scalar(@interfaces) > 0) {
+
+ $interfaces_use .= "interfaces_use = ";
+ foreach my $interface (@interfaces) {
+ if (!(-d "/sys/class/net/$interface")) {
+ next;
+ }
+ $interfaces_use .= "$interface, ";
+ }
+ $interfaces_use .= "\n}";
+
 # We need to generate an "interfaces=..." entry in the setup section
 # only if the underlying IPsec kernel code we are using is KLIPS.
 # If we are using NETKEY, the "interfaces=..." entry is essentially
@@ -249,7 +260,8 @@ if ($vcVPN->exists('ipsec')) {
 $genout .= '%defaultroute';
 }
 $genout .= "\"\n";
- } else {
+ }
+ else {
 my $counter = 0;
 $genout .= "\t";
 if (hasLocalWildcard($vcVPN, 0)) {
@@ -261,11 +273,14 @@ if ($vcVPN->exists('ipsec')) {
 ++$counter;
 }
 $genout .= '%defaultroute"';
- } else {
+ }
+ else {
 $genout .= 'interfaces="%none"';
 }
 $genout .= "\n";
+ }
+
 }
 #
@@ -785,7 +800,7 @@ if ($vcVPN->exists('ipsec')) {
 if (defined($aggressive_mode)) {
 if (defined($key_exchange) && $key_exchange eq 'ikev2') {
 vpn_die(["vpn","ipsec","ike-group", $ike_group, "mode"], "$vpn_cfg_err Selection of Main/Aggressive modes is only valid for IKEv1 configurations");
- }
+ }
 if ($aggressive_mode eq 'aggressive') {
 $genout .= "\taggressive=yes\n";
 } else {
@@ -812,7 +827,7 @@ if ($vcVPN->exists('ipsec')) {
 $genout .= "\tdpdtimeout=$dpd_timeout" . "s\n";
 $genout .= "\tdpdaction=$dpd_action\n";
 }
-
+
 #
 # Allow the user for force UDP encapsulation for the ESP
 # payload.
@@ -1134,7 +1149,7 @@ if ($vcVPN->exists('ipsec')) {
 }
 }
 }
-
+
 #
 # Include a custom configuration file
 #
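Review bot: When no `ipsec ipsec-interfaces interface` value is configured, the `$interfaces_use .= "charon {\n\t";` appended just after `config setup` is never closed, because the matching `"\n}"` is only appended inside `if (scalar(@interfaces) > 0)`, so write_config later writes a fragment with an unterminated `charon {` block to the strongswan.d file. Inside the loop every surviving interface is appended as `"$interface, "`, which leaves a stray `, ` before the newline, and if none of the listed names exists under /sys/class/net the line degenerates to an empty `interfaces_use = `. Collecting the present interfaces with `grep`/`join` and closing the block unconditionally (dropping the early `.= "charon {\n\t"` line) fixes all three; the rewrite below emits no `interfaces_use` key at all when the list is empty, which per the subject line is the "listen on all interfaces" case and should be called out in a comment. The removed `vpn_die` carried a note that op-mode commands rely on it to detect whether IPsec is configured; that dependency is worth confirming before this lands. The enclosing `if ($vcVPN->exists('ipsec'))` block starts and ends outside the hunk.
```perl
    my @interfaces = $vcVPN->returnValues('ipsec ipsec-interfaces interface');
    # Only interfaces that exist on this box are handed to charon. With an
    # empty list no interfaces_use key is written, so charon falls back to its
    # default of listening on every interface (the intent of T126).
    my @present = grep { -d "/sys/class/net/$_" } @interfaces;
    $interfaces_use .= "charon {\n";
    if (@present) {
        $interfaces_use .= "\tinterfaces_use = " . join(', ', @present) . "\n";
    }
    $interfaces_use .= "}\n";
    if (scalar(@interfaces) > 0) {
        # … unchanged: "interfaces=..." setup-section generation …
```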
@@ -1147,7 +1162,7 @@ if ($vcVPN->exists('ipsec')) {
 $genout .= "\ninclude $custom_include\n";
 }
 if (defined($custom_secrets)) {
- if ( ! -e $custom_secrets) {
+ if ( ! -e $custom_secrets) {
 vpn_die(["vpn","ipsec","include-ipsec-secrets"],"$vpn_cfg_err The specified file for inclusion inside ipsec.secrets does not exist.");
 }
 $genout_secrets .= "\ninclude $custom_secrets\n";
@@ -1185,13 +1200,13 @@ if ( $vcVPN->isDeleted('.')
 if (!enableICMP('1')) {
 vpn_die(["vpn","ipsec"],"VPN commit error. Unable to re-enable ICMP redirects.\n");
 }
- write_config($genout, $config_file, $genout_secrets, $secrets_file, $dhcp_if, %public_keys);
+ write_config($genout, $interfaces_use, $STRONGSWAN, $config_file, $genout_secrets, $secrets_file, $dhcp_if, %public_keys);
 } else {
 if (!enableICMP('0')) {
 vpn_die(["vpn","ipsec"],"VPN commit error. Unable to disable ICMP redirects.\n");
 }
- write_config($genout, $config_file, $genout_secrets, $secrets_file, $dhcp_if, %public_keys);
+ write_config($genout, $interfaces_use, $STRONGSWAN, $config_file, $genout_secrets, $secrets_file, $dhcp_if, %public_keys);
 # Assumming that if there was a local IP missmatch and clustering is enabled,
 # then the clustering scripts will take care of starting the VPN daemon.
@@ -1226,7 +1241,7 @@ if ( $vcVPN->isDeleted('.')
 foreach my $tunnel (@tunnel_cfg_old) {
 push (@old_tunnels, $tunnel) unless exists $seen{$tunnel};
 }
-
+
 # Issue an ipsec down on the old tunnel since charon doesn't clean up
 # connections removed from ipsec.conf
 foreach my $old_peer (@old_tunnels) {
@@ -1247,7 +1262,7 @@ if ( $vcVPN->isDeleted('.')
 vpn_exec('ipsec start --auto-update '.$update_interval.' >&/dev/null','start ipsec with auto-update $update_interval');
 }
 }
-
+
 # Activate any debugging options by
 # calling ipsec stroke loglevel
 my @logmodes = $vcVPN->returnValues('ipsec logging log-modes');
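Review bot: In the `@@ -1185` hunk the two new arguments are spliced into the middle of write_config's positional list, so the change is only safe if these two calls are the sole callers; any caller not updated here would silently pass `$config_file` as `$interfaces_use` and `$genout_secrets` as `$STRONGSWAN`, and Perl would not complain. Both `$STRONGSWAN` and `$interfaces_use` are file-scoped lexicals declared above `sub write_config`, so the sub can read them directly and the original six-argument call could stay unchanged; failing that, appending the new parameters at the end of the list keeps existing positions intact. The same call (seven scalars plus `%public_keys`) is also duplicated verbatim in both branches of the `if`; it could be hoisted below the `if`/`else` if nothing between depends on it, though the `else` branch continues outside the hunk so that is not verifiable here. The enclosing `if ( $vcVPN->isDeleted('.')` block starts and ends outside the hunk.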
@@ -1280,13 +1295,19 @@ sub vpn_die {
 }
 sub write_config {
- my ($genout, $config_file, $genout_secrets, $secrets_file, $dhcp_if, %public_keys) = @_;
+ my ($genout, $interfaces_use, $STRONGSWAN, $config_file, $genout_secrets, $secrets_file, $dhcp_if, %public_keys) = @_;
 open my $output_config, '>', $config_file or die "Can't open $config_file: $!";
 print ${output_config} $genout;
 close $output_config;
+
+ open my $strong_config, '>', $STRONGSWAN
+ or die "Can't open $STRONGSWAN: $!";
+ print ${strong_config} $interfaces_use;
+ close $strong_config;
+
 my @lines = split("\n", $genout_secrets);
 my @any = grep(/%any/, @lines);
 if (scalar(@any) > 0) {
--
cgit v1.2.3
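Review bot: `close $strong_config;` discards its return value, so a short write to the strongswan.d file (full disk, read-only mount) goes unnoticed even though ipsec.conf has already been replaced a few lines above; buffered write errors surface at close, so it should be `close $strong_config or die "Can't close $STRONGSWAN: $!";` (the existing `close $output_config;` has the same gap). The parameter `$STRONGSWAN` shadows the file-scoped `my $STRONGSWAN` declared at the top of the script, which is confusing given that every visible caller passes exactly that global; either drop the parameter and read the global, or give the parameter a lower-case name to mark it as a per-call value. Writing each file to a temporary path and renaming it into place would also keep a failure between the two writes from leaving a fresh ipsec.conf next to a stale interfaces file, but write_config's body continues beyond the hunk, so what else it writes is not visible here.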