author | Mohit Mehta <mohit.mehta@vyatta.com> | 2009-11-28 01:01:04 -0800 |
---|---|---|
committer | Mohit Mehta <mohit.mehta@vyatta.com> | 2010-01-12 16:43:37 -0800 |
commit | 8fcedd464beb0f3124d3df5970aa5b74adb28645 (patch) | |
tree | 3353c876c5413e1143755edb65e9e81cce051aa5 | |
parent | edcead8c91a8248460ccfcee8f46a89613550c32 (diff) | |
download | vyatta-op-vpn-8fcedd464beb0f3124d3df5970aa5b74adb28645.tar.gz vyatta-op-vpn-8fcedd464beb0f3124d3df5970aa5b74adb28645.zip |
fix op-mode commands for migration to strongswan
* use `ipsec update` instead of openswan's `ipsec auto`
commands to make 'clear vpn ipsec-peer <> tunnel <>' work
* no `ipsec barf` in strongswan. instead use the detailed version
of the status command, i.e. `ipsec statusall`, for 'show vpn debug detail'
* use strongswan's syntax for `ipsec rereadall` and `ipsec status`
(cherry picked from commit 2c5e47cc7871bc7da84f3a14398b15cf3b1da352)
-rwxr-xr-x | scripts/vyatta-vpn-op.pl | 47 |
1 files changed, 29 insertions, 18 deletions
diff --git a/scripts/vyatta-vpn-op.pl b/scripts/vyatta-vpn-op.pl
index ca44011..db44959 100755
--- a/scripts/vyatta-vpn-op.pl
+++ b/scripts/vyatta-vpn-op.pl
@@ -14,6 +14,8 @@ GetOptions(
"op=s" => \$op,
"peer=s" => \$peer,
"tunnel=s" => \$tunnel);
+sub numerically { $a <=> $b; }
+
sub get_tunnels {
my $s2s_peer = undef;
$s2s_peer = shift;
@@ -30,20 +32,29 @@ sub clear_tunnel {
my $error = undef;
my $cmd = undef;
- # replace connection i.e. sequentially run down, delete, load connection
- $cmd = "sudo ipsec auto --replace peer-$peer-tunnel-$tunnel &> /dev/null";
- $error = system "$cmd";
-
- if ($error eq '0') {
- if (!($peer =~ /^\@/ || $peer eq 'any' || $peer eq '0.0.0.0')) {
- # initiate the connection to peer if peer is a specific IP
- $cmd = "sudo ipsec auto --asynchronous --up " .
- "peer-$peer-tunnel-$tunnel &> /dev/null";
- system "$cmd";
- }
- } else {
- die "Error clearing tunnel $tunnel for peer $peer\n";
- }
+ print "Clearing tunnel $tunnel with peer $peer...\n";
+
+ # back-up ipsec.conf
+ `sudo cp /etc/ipsec.conf /etc/ipsec.conf.bak.\$PPID`;
+
+ # remove specific connection from ipsec.conf
+ `sudo sed -i -e '/conn peer-$peer-tunnel-$tunnel/,/#conn peer-$peer-tunnel-$tunnel/d' /etc/ipsec.conf`;
+
+ # update ipsec connections
+ `sudo /usr/sbin/ipsec update >&/dev/null`;
+
+ # sleep for 1/4th of a second for connection to go down
+ `sudo sleep 0.25`;
+
+ # move original ipsec.conf back
+ `sudo mv /etc/ipsec.conf.bak.\$PPID /etc/ipsec.conf`;
+
+ # update ipsec connections
+ `sudo /usr/sbin/ipsec update >&/dev/null`;
+
+ # sleep for 3/4th of a second for connection to come up
+ # this gives us sometime before bringing clearing another tunnel
+ `sudo sleep 0.75`;
}
if ($op eq '') {
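Review bot: `sub numerically { $a <=> $b; }` is a package-level comparator with a single call site; the inline form `sort { $a <=> $b } @peer_tunnels` in the last hunk says the same thing without adding a global name, and perlcritic will otherwise ask for an explicit `return $a <=> $b;`. If get_tunnels can ever return a non-numeric id, `<=>` will also emit an "isn't numeric" warning under `use warnings` — hedged, since the body of get_tunnels is outside this hunk.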
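Review bot: The new `sed -i` line interpolates `$peer` and `$tunnel`, which come straight from the `--peer`/`--tunnel` options with no validation, into a single-quoted command executed through the shell under sudo, so a value containing a quote or `/` breaks out of the sed expression and a `.` in an address is a regex wildcard rather than a literal. The backticks are also all in void context with their exit status ignored — the removed code at least died when `ipsec auto --replace` failed — so if `cp` fails the `sed -i` still deletes the connection from `/etc/ipsec.conf` with no backup to restore, and a failed `sed` or `ipsec update` changes nothing downstream. The unanchored range `/conn peer-X-tunnel-1/,/#conn peer-X-tunnel-1/d` additionally matches `tunnel-10` if such a block precedes it (assuming the config really carries `#conn` end markers, which the hunk does not show). Smaller points: `$error` and `$cmd` from the context lines are now unused, `sudo sleep` needs no sudo, and `>&/dev/null` is a bash-only redirection that a POSIX `/bin/sh` rejects, where `>/dev/null 2>&1` is portable. The sub header and argument unpacking are outside the hunk; the rewrite below validates both values, runs each command in list form with its status checked, and always restores the backup.
```perl
    # … unchanged: sub header and argument unpacking, outside this hunk …
    # Both values arrive from the command line; accept only the shapes the
    # script already expects (an address/hostname or an @id, and a numeric
    # tunnel id) before they reach sed or ipsec under sudo.
    die "Invalid peer '$peer'\n"     if $peer   !~ m{ \A \@? [\w.:-]+ \z }xms;
    die "Invalid tunnel '$tunnel'\n" if $tunnel !~ m{ \A \d+ \z }xms;
    my $conn = "peer-$peer-tunnel-$tunnel";
    (my $conn_re = $conn) =~ s{[.]}{\\.}g;   # '.' in an address is a BRE metachar
    my $backup = "/etc/ipsec.conf.bak.$$";  # same pid the shell's $PPID expanded to

    print "Clearing tunnel $tunnel with peer $peer...\n";
    system('sudo', 'cp', '/etc/ipsec.conf', $backup) == 0
        or die "Error backing up /etc/ipsec.conf for tunnel $tunnel, peer $peer\n";

    # Anchored so tunnel-1 cannot match tunnel-10; list form, so no shell parses $conn.
    my $sed_expr = '/^conn ' . $conn_re . '$/,/^#conn ' . $conn_re . '$/d';
    my $rc = system('sudo', 'sed', '-i', '-e', $sed_expr, '/etc/ipsec.conf');
    system('sudo /usr/sbin/ipsec update >/dev/null 2>&1') if $rc == 0;
    select(undef, undef, undef, 0.25);      # sub-second sleep, no sudo or child needed

    # Always put the original back, even when the edit or the update failed.
    system('sudo', 'mv', $backup, '/etc/ipsec.conf') == 0
        or die "Error restoring /etc/ipsec.conf from $backup\n";
    system('sudo /usr/sbin/ipsec update >/dev/null 2>&1');
    select(undef, undef, undef, 0.75);
```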
@@ -51,13 +62,13 @@ if ($op eq '') {
}
if ($op eq 'clear-vpn-ipsec-process') {
- system 'sudo /usr/sbin/ipsec setup restart';
+ system 'sudo /usr/sbin/ipsec restart';
} elsif ($op eq 'show-vpn-debug') {
- system 'sudo /usr/sbin/ipsec auto --status';
+ system 'sudo /usr/sbin/ipsec status';
} elsif ($op eq 'show-vpn-debug-detail') {
- system 'sudo /usr/sbin/ipsec barf';
+ system 'sudo /usr/sbin/ipsec statusall';
} elsif ($op eq 'get-all-peers') {
# get all site-to-site peers
@@ -77,7 +88,7 @@ if ($op eq 'clear-vpn-ipsec-process') {
die 'Undefined peer to clear tunnels for' if ! defined $peer;
my @peer_tunnels = get_tunnels("$peer");
if (scalar(@peer_tunnels)>0) {
- foreach my $tun (@peer_tunnels) {
+ foreach my $tun (sort numerically @peer_tunnels) {
clear_tunnel($peer, $tun);
}
} else { |
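Review bot: All three `system` calls in this hunk discard their return value, so `clear-vpn-ipsec-process` exits 0 and prints nothing of its own even when `ipsec restart` fails, and likewise for `status`/`statusall`. For the restart branch at least, `system('sudo', '/usr/sbin/ipsec', 'restart') == 0 or die "Error restarting ipsec: $?\n";` surfaces the failure to the operator; the command strings are fixed, so the single-string form is not an injection risk here, but the list form avoids the shell entirely. The enclosing if/elsif chain continues outside the hunk.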