From 8612b9da11ef7fd0237a7734582d3353efc1b136 Mon Sep 17 00:00:00 2001 From: Mohit Mehta Date: Tue, 22 Dec 2009 12:29:25 -0800 Subject: use leftsourceip to add route to remote subnet (cherry picked from commit eb6d27497bab9e82218d8999778f7b4959fd34ea) --- scripts/vpn-config.pl | 55 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 55 insertions(+) (limited to 'scripts') diff --git a/scripts/vpn-config.pl b/scripts/vpn-config.pl index 483dec2..7b783db 100755 --- a/scripts/vpn-config.pl +++ b/scripts/vpn-config.pl @@ -36,6 +36,7 @@ use constant VPN_MAX_PROPOSALS => 10; use Vyatta::VPN::Util; use Getopt::Long; use Vyatta::Misc; +use NetAddr::IP; my $changes_dir; my $newconfig_dir; @@ -504,6 +505,16 @@ if ( $vcVPN->exists('ipsec') ) { my $conn_head = "\nconn peer-$peer-tunnel-$tunnel\n"; $conn_head =~ s/ peer-@/ peer-/; $genout .= $conn_head; + + # -> leftsourceip is the internal source IP to use in a tunnel + # -> we use leftsourceip to add a route to the rightsubnet + # only when rightsubnet is defined and is not 0.0.0.0/0. we do not + # want to add a vpn route for everything i.e. rightsubnet = 0.0.0.0/0 + # -> if leftsubnet is defined and is not 0.0.0.0/0; we try and find + # an interface on the system that has an IP address lying within + # the leftsubnet and use that as leftsourceip. if leftsubnet is not + # defined or is 0.0.0.0/0 then we use local-ip as leftsourceip. + my $leftsourceip = undef; # # Assign left and right to local and remote interfaces @@ -518,10 +529,12 @@ if ( $vcVPN->exists('ipsec') ) { } else { $genout .= "\tleft=%defaultroute\n"; $genout .= "\tleftid=$authid\n"; + $leftsourceip = "\tleftsourceip=%defaultroute\n"; } } else { $genout .= "\tleft=$lip\n"; $genout .= "\tleftid=$authid\n" if defined $authid; + $leftsourceip = "\tleftsourceip=$lip\n"; } } @@ -541,6 +554,7 @@ if ( $vcVPN->exists('ipsec') ) { or $any_peer == 1 ) { $right = '%any'; + $any_peer = 1; } else { $right = $peer; } @@ -558,8 +572,22 @@ if ( $vcVPN->exists('ipsec') ) { if ( defined($leftsubnet) && $leftsubnet eq 'any' ) { $leftsubnet = '0.0.0.0/0'; } + if ( defined($leftsubnet) ) { $genout .= "\tleftsubnet=$leftsubnet\n"; + if (!($leftsubnet eq '0.0.0.0/0')) { + my $localsubnet_object = new NetAddr::IP($leftsubnet); + # leftsourceip should now be an IP on system lying within the leftsubnet + my @system_ips = Vyatta::Misc::getIP(undef, '4'); + foreach my $system_ip (@system_ips) { + my $systemip_object = new NetAddr::IP($system_ip); + if (CheckIfAddressInsideNetwork( + $systemip_object, $localsubnet_object)) { + my $sourceip = $systemip_object->addr(); + $leftsourceip = "\tleftsourceip=$sourceip\n"; + } + } + } } my $remotesubnet = $vcVPN->returnValue( @@ -611,7 +639,14 @@ if ( $vcVPN->exists('ipsec') ) { } if ( defined($rightsubnet) ) { $genout .= "\trightsubnet=$rightsubnet\n"; + # not adding vpn route if remote subnet is 0.0.0.0/0 + # user should add a route [default/static] manually + $leftsourceip = undef if $rightsubnet eq '0.0.0.0/0'; + } else { + $leftsourceip = undef; # no need for vpn route if rightsubnet not defined } + + $genout .= $leftsourceip if defined $leftsourceip; # # Write IKE configuration from group @@ -1356,4 +1391,24 @@ sub hasLocalWildcard { return 0; } +sub CheckIfAddressInsideNetwork { + my ( $address, $naipNetwork ) = @_; + + if ( !defined($address) || !defined($naipNetwork) ) { + return 0; + } + + my $naipSM = new NetAddr::IP($address); + if ( defined($naipSM) ) { + my $subnetIA = $naipSM->network()->addr(); + my $naipIA = new NetAddr::IP( $subnetIA, $naipSM->masklen() ); + + if ( defined($naipIA) && $naipNetwork->within($naipIA) ) { + return 1; + } + } + + return 0; +} + # end of file -- cgit v1.2.3