authorMohit Mehta <mohit.mehta@vyatta.com>2009-12-10 17:19:18 -0800
committerMohit Mehta <mohit.mehta@vyatta.com>2010-01-12 16:43:37 -0800
commit04cb338f62c4e6a8ebd062a524cd2c1c6a3489f4 (patch)
treee8b7a417a86f2a52ceed757bf6620a1fb03067ce
parent03f361bac3eb20554b7487d4b4b6a56cbeae62a2 (diff)
downloadvyatta-op-vpn-04cb338f62c4e6a8ebd062a524cd2c1c6a3489f4.tar.gz
vyatta-op-vpn-04cb338f62c4e6a8ebd062a524cd2c1c6a3489f4.zip
fix show vpn commands to work with strongswan
(cherry picked from commit 32927e013922e1a79b0f214773e2500a1260871a)
-rwxr-xr-xscripts/gen_local_rsa_key.pl2
-rwxr-xr-xscripts/vyatta-vpn-op.pl7
-rw-r--r--src/command_proc_show_vpn.cc77
-rw-r--r--src/xsl/show_vpn_ipsec_status.xsl4
-rw-r--r--templates/show/vpn/ike/sa/peer/node.tag/node.def1
-rw-r--r--templates/show/vpn/ipsec/sa/detail/connection/node.tag/node.def2
-rw-r--r--templates/show/vpn/ipsec/sa/detail/peer/node.tag/node.def1
-rw-r--r--templates/show/vpn/ipsec/sa/peer/node.tag/node.def1
-rw-r--r--templates/show/vpn/ipsec/status/node.def7
9 files changed, 36 insertions, 66 deletions
diff --git a/scripts/gen_local_rsa_key.pl b/scripts/gen_local_rsa_key.pl
index 2be6b2a..9bf914c 100755
--- a/scripts/gen_local_rsa_key.pl
+++ b/scripts/gen_local_rsa_key.pl
@@ -104,7 +104,7 @@ my $file_pubkey = rsa_get_local_pubkey($local_key_file);
if ($file_pubkey ne 0) {
print "\nYour new local RSA key has been generated\n";
print "The public portion of the key is:\n\n$file_pubkey\n\n";
- $cmd = "ipsec auto --rereadall 2> /dev/null";
+ $cmd = "ipsec rereadall 2> /dev/null";
vpn_debug $cmd;
system $cmd;
exit 0;
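Review bot: The result of `system $cmd` on the line after `vpn_debug $cmd` is never examined and the command's stderr is sent to /dev/null, so a failed `ipsec rereadall` leaves the daemon running with the previous key while the script still prints the success banner and exits 0. Check the status so the operator learns the new key is not loaded yet, e.g. `system($cmd) == 0 or warn "ipsec rereadall failed (status $?); the new key is not loaded\n";`. The enclosing `if ($file_pubkey ne 0)` block closes outside the hunk.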
diff --git a/scripts/vyatta-vpn-op.pl b/scripts/vyatta-vpn-op.pl
index db44959..adcbf84 100755
--- a/scripts/vyatta-vpn-op.pl
+++ b/scripts/vyatta-vpn-op.pl
@@ -62,13 +62,14 @@ if ($op eq '') {
}
if ($op eq 'clear-vpn-ipsec-process') {
- system 'sudo /usr/sbin/ipsec restart';
+ print "Clearing IPsec process...\n";
+ system 'sudo /usr/sbin/ipsec restart >&/dev/null';
} elsif ($op eq 'show-vpn-debug') {
- system 'sudo /usr/sbin/ipsec status';
+ system 'sudo /usr/sbin/ipsec statusall';
} elsif ($op eq 'show-vpn-debug-detail') {
- system 'sudo /usr/sbin/ipsec statusall';
+ system 'sudo /usr/lib/ipsec/barf';
} elsif ($op eq 'get-all-peers') {
# get all site-to-site peers
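Review bot: `system 'sudo /usr/sbin/ipsec restart >&/dev/null'` prints "Clearing IPsec process..." and then discards both output and exit status, so a restart that fails (sudo denied, daemon missing) is indistinguishable from a successful one. Keep the redirection if the daemon output is unwanted, but test the result, e.g. `system('sudo /usr/sbin/ipsec restart >&/dev/null') == 0 or print "Failed to restart IPsec process\n";`. For `show-vpn-debug-detail`, `/usr/lib/ipsec/barf` produces a large privileged dump of configuration and logs; I believe this includes the IPsec configuration files, so a comment noting what it exposes (and confirming whether this version censors key material) would help whoever reads the output. The dispatch chain continues outside the hunk.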
diff --git a/src/command_proc_show_vpn.cc b/src/command_proc_show_vpn.cc
index 9ee7a35..f82a968 100644
--- a/src/command_proc_show_vpn.cc
+++ b/src/command_proc_show_vpn.cc
@@ -158,7 +158,7 @@ CommandProcShowVPN::process(const string &cmd, bool debug, string &reason)
// ipsec spigrp
// ipsec spi status
// ipsec setup --status
-// ipsec auto --status
+// ipsec statusall
ipsec_cmd = "cat /etc/ipsec.secrets";
f = popen(ipsec_cmd.c_str(), "r");
@@ -172,7 +172,7 @@ CommandProcShowVPN::process(const string &cmd, bool debug, string &reason)
}
}
- ipsec_cmd = "cat /var/run/pluto/pluto.pid 2>/dev/null";
+ ipsec_cmd = "cat /var/run/pluto.pid 2>/dev/null";
f = popen(ipsec_cmd.c_str(), "r");
if (f) {
while(fgets(buf, 2047, f) != NULL) {
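Review bot: The pid file path `/var/run/pluto.pid` is embedded in a shell command string and run through `popen` just to read a single small file from a binary that is itself executed under sudo; spawning `sh` and `cat` is unnecessary here and the same literal also appears in a doc comment in a later hunk (the `cat /var/run/pluto.pid` example). Reading it directly, `std::ifstream pidf("/var/run/pluto.pid"); std::string line; std::getline(pidf, line);`, avoids the extra processes and lets the path live in one named constant, e.g. `static const char kPlutoPidFile[] = "/var/run/pluto.pid";`. What the loop does with `buf` and whether `pclose` is checked is outside the hunk, so the replacement would need to preserve that.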
@@ -187,7 +187,7 @@ CommandProcShowVPN::process(const string &cmd, bool debug, string &reason)
process_conf(debug);
- ipsec_cmd = "ipsec auto --status";
+ ipsec_cmd = "ipsec statusall";
f = popen(ipsec_cmd.c_str(), "r");
if (f) {
while(fgets(buf, 2047, f) != NULL) {
@@ -201,18 +201,6 @@ CommandProcShowVPN::process(const string &cmd, bool debug, string &reason)
convert_to_xml_setkey_d(debug);
- ipsec_cmd = "ipsec setup --status";
- f = popen(ipsec_cmd.c_str(), "r");
- if (f) {
- while(fgets(buf, 2047, f) != NULL) {
- string line(buf);
- convert_to_xml_setup_status(line, debug);
- }
- if (pclose(f) != 0) {
- return string("");
- }
- }
-
std::list<Peer*>::const_iterator i = _peers.begin();
const std::list<Peer*>::const_iterator iEnd = _peers.end();
while (i != iEnd) {
@@ -320,7 +308,7 @@ CommandProcShowVPN::convert_to_xml_secrets(const string &line, bool debug)
/**
*
-mercury:~# cat /var/run/pluto/pluto.pid
+mercury:~# cat /var/run/pluto.pid
3688
**/
void
@@ -616,33 +604,6 @@ CommandProcShowVPN::process_conf(bool debug)
/**
*
- >ipsec eroute
-[root@localhost etc]# ipsec setup --status
-IPsec running - pluto pid: 31272
-pluto pid 31272
-No tunnels up
-
- **/
-void
-CommandProcShowVPN::convert_to_xml_setup_status(const string &line, bool debug)
-{
- if (debug) {
- cout << "processing: convert_to_xml_setup_status" << endl;
- }
- StrProc proc_str(line, " ");
- if (line.find("- pluto pid") != string::npos) {
- _xml_out << "<setup_status_pid>" << proc_str.get(5) << "</setup_status_pid>";
- }
- else if (line.find("tunnels") != string::npos) {
- _xml_out << "<setup_status_tunnels>" << proc_str.get(0) << "</setup_status_tunnels>";
- }
- return;
-}
-
-
-
-/**
- *
*
**/
void
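Review bot: `convert_to_xml_setup_status` is removed here, but the diffstat lists no header file, so its declaration in the class (in the header that is not part of this diff) is presumably left behind as a declared-but-never-defined member; it compiles, but the interface no longer matches the implementation and the next person may try to call it. Remove the declaration in the same commit, and if the header carries a comment listing the status commands parsed (`ipsec setup --status`), update that too. The trailing lines of the hunk belong to the doc comment of the next function, whose body is outside the hunk.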
@@ -695,7 +656,7 @@ CommandProcShowVPN::convert_to_xml_auto_status(const string &line, bool debug)
if (p_tunnel == NULL) return;
//now retrieve ike and esp encryption and hash
- if (line.find(" algorithm newest:") != string::npos) { //look up encryption/hash
+ if (line.find(" proposal: ") != string::npos) { //look up encryption/hash
//strip out the tunnel
// 000 "peer-10.6.0.57-tunnel-1": IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
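Review bot: The sample line in the comment at the end of this hunk (`// 000 "peer-10.6.0.57-tunnel-1": IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536`) still shows the pluto `algorithm newest:` layout that this hunk stops matching, and the same holds for the sample and the `//allowed e values` / `//allowed h values` comments in the next hunk (L148–L156), where `get(4)` and the `/` separator now encode the `proposal:` layout. Replace the stale sample with an actual `ipsec statusall` proposal line captured from the target strongSwan version, so the token index and separator can be checked against it by the next reader. The function continues outside the hunk.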
@@ -704,9 +665,9 @@ CommandProcShowVPN::convert_to_xml_auto_status(const string &line, bool debug)
// need to parse lifetime from setup output
// 000 "peer-10.6.0.57-tunnel-50": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 00
- string eh = proc_str.get(5);
+ string eh = proc_str.get(4);
- StrProc tmp(eh, "-");
+ StrProc tmp(eh, "/");
//allowed e values: aes128, aes256, 3des
//allowed h values: md5, sha1, sha2_256, sha2_384, sha2_512
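Review bot: `string eh = proc_str.get(4);` followed by `StrProc tmp(eh, "/");` assumes every `proposal:` line has at least five space-separated tokens and a `/`-joined proposal; what `StrProc::get` returns for an out-of-range index is not visible here, so if it yields an empty string the derived `e`/`h`/`m` values (assigned below this hunk) silently end up empty or wrong for a differently formatted line. A guard right after the assignment, `if (eh.empty()) return;` — or at least a `cout` of the unexpected line when `debug` is set — would make the failure visible rather than producing blank XML fields. The function continues outside the hunk.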
@@ -733,26 +694,26 @@ CommandProcShowVPN::convert_to_xml_auto_status(const string &line, bool debug)
} else if (h.find("_512") != string::npos) {
h = "sha2_512";
}
+
+ if (m.find("1024") != string::npos) {
+ m = "2";
+ } else if (m.find("1536") != string::npos) {
+ m = "5";
+ } else if (m.find("Phase1") != string::npos) {
+ m = "Phase1";
+ }
//assign encryption and hash
if (proc_str.get(2) == "IKE") {
p_tunnel->getPeer()._ike_encrypt = e;
p_tunnel->getPeer()._ike_hash = h;
+ p_tunnel->getPeer()._ike_dh = m;
} else { //ESP
p_tunnel->_esp_encrypt = e;
p_tunnel->_esp_hash = h;
+ p_tunnel->_pfs_group = m;
}
-
- if (m == "MOD1024") {
- p_tunnel->getPeer()._ike_dh = "2";
- } else if (m == "MODP1536") {
- p_tunnel->getPeer()._ike_dh = "5";
- }
-
- string pfsgroup_token = proc_str.get(6);
- if (pfsgroup_token.length() > 11) {
- p_tunnel->_pfs_group = pfsgroup_token.substr(10, pfsgroup_token.length() - 11);
- }
+
} else if (line.find("ike_life:") != string::npos) {
p_tunnel->getPeer()._ike_seconds_lifetime = atoi(proc_str.get(3).substr(0,proc_str.get(3).length()-1).c_str());
p_tunnel->_keylife = atoi(proc_str.get(5).c_str());
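Review bot: When `m` matches none of `1024`, `1536` or `Phase1`, it is stored unchanged into `_ike_dh` / `_pfs_group`, so for any other DH group (a 2048-bit MODP group, for example, which the removed `MOD1024`/`MODP1536` branches also did not cover) the XML now carries the raw proposal token instead of a group number and anything comparing against "2"/"5" will not match. Either extend the table, `} else if (m.find("2048") != string::npos) { m = "14"; }` (group 14 in the IKE DH registry), or add a final `else` that clears `m` so unknown groups show up explicitly empty rather than as raw text. The substring test `m.find("1024")` is also loose; anchoring it on the group token (the `MODP` prefix, if that is what the proposal contains) would avoid accidental matches on other fields. The function continues outside the hunk.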
@@ -803,7 +764,7 @@ CommandProcShowVPN::convert_to_xml_auto_status(const string &line, bool debug)
// 000 #2: "peer-10.6.0.57-tunnel-1" esp.d54ce9b0@10.6.0.57 esp.225ad1e@10.6.0.55 tun.0@10.6.0.57 tun.0@10.6.0.55
if (debug) {
- cout << "ipsec auto --status: found esp: " << line << ", " << strTunnelName << endl;
+ cout << "ipsec statusall: found esp: " << line << ", " << strTunnelName << endl;
}
StrProc ps(line, "@");
diff --git a/src/xsl/show_vpn_ipsec_status.xsl b/src/xsl/show_vpn_ipsec_status.xsl
index d56ef1e..63ca9e7 100644
--- a/src/xsl/show_vpn_ipsec_status.xsl
+++ b/src/xsl/show_vpn_ipsec_status.xsl
@@ -40,8 +40,8 @@
<xsl:variable name="pluto_pid" select="opcommand/format/pluto_pid" />
<xsl:choose>
<xsl:when test="string($pluto_pid)">
-IPSec Process Running PID: <xsl:value-of select="$pluto_pid" /><xsl:text>&newln;</xsl:text><xsl:text>&newln;</xsl:text>
-<xsl:value-of select="//opcommand/format/setup_status_tunnels" /> Active IPsec Tunnels<xsl:text>&newln;</xsl:text>
+IPSec Process Running <xsl:text>&newln;</xsl:text><xsl:text>&newln;</xsl:text>
+PID: <xsl:value-of select="$pluto_pid" /><xsl:text>&newln;</xsl:text><xsl:text>&newln;</xsl:text>
IPsec Interfaces:
<xsl:for-each select="opcommand/format/auto_status_interface">
<xsl:value-of select="$pad2"/>
diff --git a/templates/show/vpn/ike/sa/peer/node.tag/node.def b/templates/show/vpn/ike/sa/peer/node.tag/node.def
index dae4fae..358d898 100644
--- a/templates/show/vpn/ike/sa/peer/node.tag/node.def
+++ b/templates/show/vpn/ike/sa/peer/node.tag/node.def
@@ -1,2 +1,3 @@
help: Show all currently active IKE Security Associations (SA) for a specific peer
+allowed: /opt/vyatta/bin/sudo-users/vyatta-vpn-op.pl --op=get-all-peers
run: sudo /opt/vyatta/bin/sudo-users/command_proc_show_vpn show_vpn_ike_sa.xsl --pname peer --pval "$6"
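Review bot: The new `allowed:` line runs `vyatta-vpn-op.pl --op=get-all-peers` without `sudo`, whereas the `run:` line below it and the existing completion pipeline in the connection template (hunk at L228–L231) both go through `sudo`; if the get-all-peers branch needs privileges to read its source of peers, tab completion will silently offer nothing to an unprivileged operator. Confirm it works as the operator user, or make it `allowed: sudo /opt/vyatta/bin/sudo-users/vyatta-vpn-op.pl --op=get-all-peers` to match the other lines. The identical line is added in the two other peer templates at L236–L239 and L244–L247, so the same applies there.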
diff --git a/templates/show/vpn/ipsec/sa/detail/connection/node.tag/node.def b/templates/show/vpn/ipsec/sa/detail/connection/node.tag/node.def
index 2f7c8f3..c38a84c 100644
--- a/templates/show/vpn/ipsec/sa/detail/connection/node.tag/node.def
+++ b/templates/show/vpn/ipsec/sa/detail/connection/node.tag/node.def
@@ -2,4 +2,4 @@ help: Show detailed all active IPsec Security Associations (SA) for a specific c
run: sudo /opt/vyatta/bin/sudo-users/command_proc_show_vpn show_vpn_ipsec_sa.xsl --pname detail --pval y --pname conn --pval "$7"
-allowed: sudo /usr/sbin/ipsec auto --status | grep '000 "peer-' | perl -p -e 's/^000 "([^"]*)":\s.*/\1/' | sort -u
+allowed: sudo /usr/sbin/ipsec status | grep '000 "peer-' | perl -p -e 's/^000 "([^"]*)":\s.*/\1/' | sort -u
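Review bot: This completion still shells out to `sudo /usr/sbin/ipsec status` piped through `grep` and `perl` inline, while the three peer templates in this commit delegate to `vyatta-vpn-op.pl --op=get-all-peers`; beyond the inconsistency, the pattern `000 "peer-` assumes the pluto-style status line prefix, and if this build's `ipsec status` prints connection names in a different layout the completion list is empty with no error. Consider moving this into the op script as well (a `get-all-connections` style op, name to be chosen) so the parsing lives in one place, or at least verify the pattern against the output of the strongSwan version the rest of this commit targets.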
diff --git a/templates/show/vpn/ipsec/sa/detail/peer/node.tag/node.def b/templates/show/vpn/ipsec/sa/detail/peer/node.tag/node.def
index 6bc7dbb..6e43c91 100644
--- a/templates/show/vpn/ipsec/sa/detail/peer/node.tag/node.def
+++ b/templates/show/vpn/ipsec/sa/detail/peer/node.tag/node.def
@@ -1,2 +1,3 @@
help: Show detailed all active IPsec Security Associations (SA) for a specific peer
+allowed: /opt/vyatta/bin/sudo-users/vyatta-vpn-op.pl --op=get-all-peers
run: sudo /opt/vyatta/bin/sudo-users/command_proc_show_vpn show_vpn_ipsec_sa.xsl --pname detail --pval y --pname peer --pval "$7"
diff --git a/templates/show/vpn/ipsec/sa/peer/node.tag/node.def b/templates/show/vpn/ipsec/sa/peer/node.tag/node.def
index bee0b0d..210c40a 100644
--- a/templates/show/vpn/ipsec/sa/peer/node.tag/node.def
+++ b/templates/show/vpn/ipsec/sa/peer/node.tag/node.def
@@ -1,2 +1,3 @@
help: Show all active IPsec Security Associations (SA) for a specific peer
+allowed: /opt/vyatta/bin/sudo-users/vyatta-vpn-op.pl --op=get-all-peers
run: sudo /opt/vyatta/bin/sudo-users/command_proc_show_vpn show_vpn_ipsec_sa.xsl --pname peer --pval "$6"
diff --git a/templates/show/vpn/ipsec/status/node.def b/templates/show/vpn/ipsec/status/node.def
index ac82328..4611fdd 100644
--- a/templates/show/vpn/ipsec/status/node.def
+++ b/templates/show/vpn/ipsec/status/node.def
@@ -1,2 +1,7 @@
help: Show status of IPsec process
-run: sudo /opt/vyatta/bin/sudo-users/command_proc_show_vpn show_vpn_ipsec_status.xsl
+run: sudo /opt/vyatta/bin/sudo-users/command_proc_show_vpn show_vpn_ipsec_status.xsl
+ if pgrep pluto >&/dev/null; then
+ active_tunnels=`ipsec status 2> /dev/null | grep -i "ipsec sa established" | wc -l | sed s/\ //g`
+ echo "$active_tunnels Active IPsec Tunnels"
+ echo
+ fi
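Review bot: `ipsec status 2> /dev/null` inside the backticks runs without `sudo` and without an absolute path, unlike the `run:` command on the line above and the `sudo /usr/sbin/ipsec status` used in the connection template's `allowed:` line; if status requires root or `ipsec` is not on the operator's PATH, the count is silently 0 because stderr is discarded. The pipeline can be reduced to `active_tunnels=$(sudo /usr/sbin/ipsec status 2>/dev/null | grep -ci "ipsec sa established")`, which drops the `wc`/`sed` stages and the whitespace they were stripping. `pgrep pluto` also matches any process whose name merely contains "pluto"; `pgrep -x pluto` is the exact-match form.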