authorJohn Southworth <john.southworth@vyatta.com>2011-01-31 10:59:10 -0600
committerJohn Southworth <john.southworth@vyatta.com>2011-01-31 10:59:10 -0600
commitb875926eb1a66152c5a72865e3b2804cffda40ad (patch)
tree57597a1f21cf77277c57494e54f301bf7fa63f9e
parent4cb66ca670d767a8e0fc53ddb77dc2c246b064ad (diff)
Work on the new IPsec operational-mode script: new output format for the show commands, in preparation for the pending addition of IPv6.
-rwxr-xr-xscripts/vyatta-op-vpn.pl279
1 files changed, 137 insertions, 142 deletions
diff --git a/scripts/vyatta-op-vpn.pl b/scripts/vyatta-op-vpn.pl
index dce4743..67a9c5b 100755
--- a/scripts/vyatta-op-vpn.pl
+++ b/scripts/vyatta-op-vpn.pl
@@ -23,6 +23,7 @@
# **** End License ****
#
use Getopt::Long;
+use Data::Dumper;
use strict;
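Review bot: `use Data::Dumper;` is added only to back the commented-out `#print Dumper \%tunnel_hash;` that this same patch adds to get_tunnel_info, so the operational script now loads a debug-only module at every invocation for no runtime use. Either drop the import together with that dead line, or load it lazily where the dump is wanted and only behind a debug flag, e.g. `require Data::Dumper;` immediately before the print. If `use warnings;` is not enabled elsewhere in the file (only `use strict;` is visible here), this preamble is also the place to add it.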
@@ -30,7 +31,7 @@ sub process_shell_api {
my $path = pop(@_);
my $output = `cli-shell-api returnActiveValue $path`;
return undef
- if $output == "";
+ if $output eq "";
return $output;
}
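Review bot: The corrected `eq` test on the new line only tells whether the backtick command produced any output; the string it inspects is built on the line above by interpolating `$path` into a shell command, so if `$path` can carry shell metacharacters from the CLI arguments (its origin is outside this hunk) the call should bypass the shell: `open my $fh, '-|', 'cli-shell-api', 'returnActiveValue', $path or return;` followed by `my $output = do { local $/; <$fh> };`. Note also that a non-empty result keeps its trailing newline, since the comparison is against the empty string rather than a chomped value, so callers comparing the returned value must allow for that. `return undef` is conventionally written as bare `return;` so list-context callers receive an empty list rather than a one-element list. process_shell_api starts before this hunk (its `sub` line is the hunk's context header) and ends here.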
sub get_tunnel_info {
@@ -178,6 +179,7 @@ sub get_tunnel_info {
}
}
}
+ #print Dumper \%tunnel_hash;
return %tunnel_hash;
}
@@ -331,12 +333,12 @@ sub display_ipsec_sa_brief
my $peerid = undef;
for my $connectid (keys %th){
if ($th{$connectid}->{_rightid} ne "n/a"){
- $peerid = $th{$connectid}->{_rightid};
+ $peerid = "$th{$connectid}->{_rightid}";
} else {
$peerid = $th{$connectid}->{_peerid};
}
if ($th{$connectid}->{_leftid} ne "n/a"){
- $myid = $th{$connectid}->{_leftid};
+ $myid = "$th{$connectid}->{_leftid}";
} else {
$myid = $th{$connectid}->{_leftip};
}
@@ -360,7 +362,7 @@ sub display_ipsec_sa_brief
}
for my $connid (keys %tunhash){
print <<EOH;
-Peer ID Local ID
+Peer ID / IP Local ID / IP
--------------------------------------- ----------------------------------------
EOH
(my $peerid, my $myid) = $connid =~ /(.*?)-(.*)/;
@@ -372,7 +374,7 @@ EOH
EOH
for my $tunnel (@{$tunhash{$connid}}){
(my $tunnum, my $state, my $inspi, my $outspi,
- my $enc, my $hash, my $natt, my $life, my $expire) = @{$tunnel};
+ my $enc, my $hash, my $natt, my $life, my $expire) = @{$tunnel};
my $encp = "n/a";
my $hashp = "n/a";
my $nattp = "";
@@ -390,8 +392,8 @@ EOH
}
my $atime = $life - $expire;
$atime = 0 if ($atime == $life);
- printf " %-7s %-6s %-9s %-9s %-8s %-5s %-6s %-7s %-7s\n",
- $tunnum, $state, $inspi, $outspi, $encp, $hashp, $nattp, $atime, $life;
+ printf " %-7s %-6s %-9s %-9s %-8s %-5s %-6s %-7s %-7s\n",
+ $tunnum, $state, $inspi, $outspi, $encp, $hashp, $nattp, $atime, $life;
}
print <<EOH;
--------------------------------------------------------------------------------
@@ -399,50 +401,6 @@ EOH
EOH
}
}
-sub display_ipsec_sa_brief_old
-{
- my %tunnel_hash = %{pop(@_)};
- print <<EOH;
-Peer Tunnel# Dir SPI Encrypt Hash NAT-T A-Time L-Time
-------- ------- --- -------- ------- ---- ----- ------ ------
-EOH
- for my $peer ( keys %tunnel_hash){
- my $peerid = "";
- if ($tunnel_hash{$peer}->{_rightid} ne "n/a"){
- $peerid = $tunnel_hash{$peer}->{_rightid};
- } else {
- $peerid = $tunnel_hash{$peer}->{_peerid};
- }
- my $tunnum = $tunnel_hash{$peer}->{_tunnelnum};
- my $io = "in";
- my $inspi = $tunnel_hash{$peer}->{_inspi};
- my $outspi = $tunnel_hash{$peer}->{_outspi};
- my $enc = "n/a";
- my $hash = "n/a";
- my $natt = "";
- if ($tunnel_hash{$peer}->{_encryption} =~ /(.*?)_.*?_(.*)/){
- $enc = lc($1).$2;
- $enc =~ s/^ //g;
- }
- if ($tunnel_hash{$peer}->{_hash} =~ /.*_(.*)/){
- $hash = lc($1);
- }
- if ($tunnel_hash{$peer}->{_natt} == 0){
- $natt = "no";
- } else {
- $natt = "yes";
- }
- my $lifetime = $tunnel_hash{$peer}->{_lifetime};
- my $expire = $tunnel_hash{$peer}->{_expire};
- my $atime = $lifetime - $expire;
- $atime = 0 if ($atime == $lifetime);
- printf "%-15s %-7s %-3s %-9s %-9s %-9s %-5s %-6s %-6s\n",
- substr($peerid,0,14), $tunnum, $io, $inspi, $enc, $hash, $natt, $atime, $lifetime;
- $io = "out";
- printf "%-15s %-7s %-3s %-9s %-9s %-9s %-5s %-6s %-6s\n",
- substr($peerid,0,14), $tunnum, $io, $outspi, $enc, $hash, $natt, $atime, $lifetime;
- }
-}
sub display_ipsec_sa_detail
{
@@ -515,38 +473,23 @@ sub display_ipsec_sa_detail
print "Conn Name:\t\t$peer\n";
print "State:\t\t\t$tunnel_hash{$peer}->{_state}\n";
- print "Peer:\t\t\t$peerid\n";
- print "Direction:\t\tin\n";
- print "Source Net:\t\t$tunnel_hash{$peer}->{_dstnet}\n";
- print "Dest Net:\t\t$tunnel_hash{$peer}->{_srcnet}\n";
- print "SPI:\t\t\t$tunnel_hash{$peer}->{_inspi}\n";
- print "Encryption:\t\t$enc\n";
- print "Hash:\t\t\t$hash\n";
- print "PFS Group:\t\t$pfs_group\n";
- print "DH Group:\t\t$dh_group\n";
- print "NAT Traversal:\t\t$natt\n";
- print "NAT Source Port:\t$tunnel_hash{$peer}->{_natsrc}\n";
- print "Nat Dest Port:\t\t$tunnel_hash{$peer}->{_natdst}\n";
- print "Bytes:\t\t\t$tunnel_hash{$peer}->{_inbytes}\n";
- print "Active Time (s):\t$atime\n";
- print "Lifetime (s):\t\t$tunnel_hash{$peer}->{_lifetime}\n";
- print "\n";
-
- print "Conn Name:\t\t$peer\n";
- print "State:\t\t\t$tunnel_hash{$peer}->{_state}\n";
- print "Peer:\t\t\t$peerid\n";
- print "Direction:\t\tout\n";
- print "Source Net:\t\t$tunnel_hash{$peer}->{_srcnet}\n";
- print "Dest Net:\t\t$tunnel_hash{$peer}->{_dstnet}\n";
- print "SPI:\t\t\t$tunnel_hash{$peer}->{_outspi}\n";
+ print "Peer IP:\t\t$tunnel_hash{$peer}->{_rightip}\n";
+ print "Peer ID:\t\t$tunnel_hash{$peer}->{_rightid}\n";
+ print "Local IP:\t\t$tunnel_hash{$peer}->{_leftip}\n";
+ print "Local ID:\t\t$tunnel_hash{$peer}->{_leftid}\n";
+ print "Local Net:\t\t$tunnel_hash{$peer}->{_srcnet}\n";
+ print "Remote Net:\t\t$tunnel_hash{$peer}->{_dstnet}\n";
+ print "Inbound SPI:\t\t$tunnel_hash{$peer}->{_inspi}\n";
+ print "Outbound SPI:\t\t$tunnel_hash{$peer}->{_outspi}\n";
print "Encryption:\t\t$enc\n";
print "Hash:\t\t\t$hash\n";
print "PFS Group:\t\t$pfs_group\n";
print "DH Group:\t\t$dh_group\n";
print "NAT Traversal:\t\t$natt\n";
print "NAT Source Port:\t$tunnel_hash{$peer}->{_natsrc}\n";
- print "Nat Dest Port:\t\t$tunnel_hash{$peer}->{_natdst}\n";
- print "Bytes:\t\t\t$tunnel_hash{$peer}->{_outbytes}\n";
+ print "NAT Dest Port:\t\t$tunnel_hash{$peer}->{_natdst}\n";
+ print "Inbound Bytes:\t\t$tunnel_hash{$peer}->{_inbytes}\n";
+ print "Outbound Bytes:\t\t$tunnel_hash{$peer}->{_outbytes}\n";
print "Active Time (s):\t$atime\n";
print "Lifetime (s):\t\t$tunnel_hash{$peer}->{_lifetime}\n";
print "\n";
@@ -555,85 +498,137 @@ sub display_ipsec_sa_detail
sub display_ipsec_sa_stats
{
+ my %th = %{pop(@_)};
+ my $listref = [];
+ my %tunhash = ();
+ my $myid = undef;
+ my $peerid = undef;
+ for my $connectid (keys %th){
+ if ($th{$connectid}->{_rightid} ne "n/a"){
+ $peerid = "$th{$connectid}->{_rightid}";
+ } else {
+ $peerid = $th{$connectid}->{_peerid};
+ }
+ if ($th{$connectid}->{_leftid} ne "n/a"){
+ $myid = "$th{$connectid}->{_leftid}";
+ } else {
+ $myid = $th{$connectid}->{_leftip};
+ }
+
+ my $tunnel = "$peerid-$myid";
+
+ if (not exists $tunhash{$tunnel}) {
+ $tunhash{$tunnel}=[];
+ }
+ my @tmp = ( $th{$connectid}->{_tunnelnum},
+ $th{$connectid}->{_srcnet},
+ $th{$connectid}->{_dstnet},
+ $th{$connectid}->{_inbytes},
+ $th{$connectid}->{_outbytes} );
+ push (@{$tunhash{$tunnel}}, [ @tmp ]);
+
+ }
+ for my $connid (keys %tunhash){
print <<EOH;
-Peer Dir SRC Network DST Network Bytes
-------- --- ----------- ----------- -----
+Peer ID / IP Local ID / IP
+--------------------------------------- ----------------------------------------
EOH
- my %tunnel_hash = %{pop(@_)};
- for my $peer ( keys %tunnel_hash){
- my $peerid = "";
- my $srcnet = "";
- my $dstnet = "";
- my $inbytes = "";
- my $outbytes = "";
- my $io = "in";
- if ($tunnel_hash{$peer}->{_rightid} ne "n/a"){
- $peerid = $tunnel_hash{$peer}->{_rightid};
- } else {
- $peerid = $tunnel_hash{$peer}->{_peerid};
+ (my $peerid, my $myid) = $connid =~ /(.*?)-(.*)/;
+ printf "%-39s %-39s\n", $peerid, $myid;
+ print <<EOH;
+--------------------------------------- ----------------------------------------
+ Tunnel Dir Source Network Destination Network Bytes
+ ------ --- ---------------------------- ---------------------------- ---------
+EOH
+ for my $tunnel (@{$tunhash{$connid}}){
+ (my $tunnum, my $srcnet, my $dstnet,
+ my $inbytes, my $outbytes) = @{$tunnel};
+ printf " %-6s %-3s %-28s %-28s %-8s\n",
+ $tunnum, 'in', $dstnet, $srcnet, $inbytes;
+ printf " %-6s %-3s %-28s %-28s %-8s\n",
+ $tunnum, 'out', $srcnet, $dstnet, $outbytes;
}
- $srcnet = $tunnel_hash{$peer}->{_srcnet};
- $dstnet = $tunnel_hash{$peer}->{_dstnet};
- $inbytes = $tunnel_hash{$peer}->{_inbytes};
- $outbytes = $tunnel_hash{$peer}->{_outbytes};
+ print <<EOH;
+--------------------------------------------------------------------------------
- printf "%-15s %-3s %-18s %-18s %-5s\n",
- substr($peerid,0,14), $io, $dstnet, $srcnet, $inbytes;
- $io = "out";
- printf "%-15s %-3s %-18s %-18s %-5s\n",
- substr($peerid,0,14), $io, $srcnet, $dstnet, $outbytes;
- }
+EOH
+ }
}
-sub display_ike_sa_brief
-{
- my %tunnel_hash = %{pop(@_)};
- print <<EOH;
-Local Peer State Encrypt Hash NAT-T A-Time L-Time
--------- ------- ----- ------- ---- ----- ------ ------
-EOH
- for my $peer ( keys %tunnel_hash){
- my $peerid = "";
- my $myid = "";
- if ($tunnel_hash{$peer}->{_rightid} ne "n/a"){
- $peerid = $tunnel_hash{$peer}->{_rightid};
+sub display_ike_sa_brief {
+ my %th = %{pop(@_)};
+ my $listref = [];
+ my %tunhash = ();
+ my $myid = undef;
+ my $peerid = undef;
+ for my $connectid (keys %th){
+ if ($th{$connectid}->{_rightid} ne "n/a"){
+ $peerid = "$th{$connectid}->{_rightid}";
} else {
- $peerid = $tunnel_hash{$peer}->{_peerid};
+ $peerid = $th{$connectid}->{_peerid};
}
- if ($tunnel_hash{$peer}->{_leftid} ne "n/a"){
- $myid = $tunnel_hash{$peer}->{_leftid};
+ if ($th{$connectid}->{_leftid} ne "n/a"){
+ $myid = "$th{$connectid}->{_leftid}";
} else {
- $myid = $tunnel_hash{$peer}->{_leftip};
- }
- my $io = "in";
- my $inspi = $tunnel_hash{$peer}->{_inspi};
- my $outspi = $tunnel_hash{$peer}->{_outspi};
- my $state = $tunnel_hash{$peer}->{_ikestate};
- my $enc = "n/a";
- my $hash = "n/a";
- my $natt = "";
- if ($tunnel_hash{$peer}->{_ikeencrypt} =~ /(.*?)_.*?_(.*)/){
- $enc = lc($1).$2;
- $enc =~ s/^ //g;
+ $myid = $th{$connectid}->{_leftip};
}
- if ($tunnel_hash{$peer}->{_ikehash} =~ /.*_(.*)/){
- $hash = lc($1);
+
+ my $tunnel = "$peerid-$myid";
+
+ if (not exists $tunhash{$tunnel}) {
+ $tunhash{$tunnel}=[];
}
- if ($tunnel_hash{$peer}->{_natt} == 0){
- $natt = "no";
- } else {
- $natt = "yes";
+ my @tmp = ( $th{$connectid}->{_tunnelnum},
+ $th{$connectid}->{_ikestate},
+ $th{$connectid}->{_newestike},
+ $th{$connectid}->{_ikeencrypt},
+ $th{$connectid}->{_ikehash},
+ $th{$connectid}->{_natt},
+ $th{$connectid}->{_lifetime},
+ $th{$connectid}->{_expire} );
+ push (@{$tunhash{$tunnel}}, [ @tmp ]);
+
+ }
+ for my $connid (keys %tunhash){
+ print <<EOH;
+Peer ID / IP Local ID / IP
+--------------------------------------- ----------------------------------------
+EOH
+ (my $peerid, my $myid) = $connid =~ /(.*?)-(.*)/;
+ printf "%-39s %-39s\n", $peerid, $myid;
+ print <<EOH;
+--------------------------------------- ----------------------------------------
+ Tunnel State ISAKMP# Encrypt Hash NAT-T A-Time L-Time
+ ------ ----- ------- ------- ---- ----- ------ ------
+EOH
+ for my $tunnel (@{$tunhash{$connid}}){
+ (my $tunnum, my $state, my $isakmpnum, my $enc,
+ my $hash, my $natt, my $life, my $expire) = @{$tunnel};
+ my $encp = "n/a";
+ my $hashp = "n/a";
+ my $nattp = "";
+ if ($enc =~ /(.*?)_.*?_(.*)/){
+ $encp = lc($1).$2;
+ $encp =~ s/^ //g;
+ }
+ if ($hash =~ /.*_(.*)/){
+ $hashp = lc($1);
+ }
+ if ($natt == 0){
+ $nattp = "no";
+ } else {
+ $nattp = "yes";
+ }
+ my $atime = $life - $expire;
+ $atime = 0 if ($atime == $life);
+ printf " %-7s %-6s %-8s %-8s %-5s %-6s %-7s %-7s\n",
+ $tunnum, $state, $isakmpnum, $encp, $hashp, $nattp, $atime, $life;
}
- my $lifetime = $tunnel_hash{$peer}->{_ikelife};
- my $expire = $tunnel_hash{$peer}->{_ikeexpire};
- my $atime = $lifetime - $expire;
- $atime = 0 if ($atime == $lifetime);
-
- printf "%-15s %-15s %-9s %-9s %-8s %-5s %-6s %-6s\n",
- substr($myid,0,14), substr($peerid,0,14), $state, $enc, $hash, $natt, $atime, $lifetime;
+ print <<EOH;
+--------------------------------------------------------------------------------
+EOH
}
-
}
## CLI options get processed here
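Review bot: The grouping key `my $tunnel = "$peerid-$myid";` is later split back with `(my $peerid, my $myid) = $connid =~ /(.*?)-(.*)/;`, and the non-greedy capture stops at the first hyphen, so an FQDN or user-FQDN ID that contains a hyphen (e.g. `vpn-gw.example.com`) is truncated and its remainder printed under "Local ID / IP" — in both display_ipsec_sa_stats and display_ike_sa_brief. Use a separator that cannot occur in an ID or address and split on it once, `my $tunnel = join "\t", $peerid, $myid;` with `my ($peerid, $myid) = split /\t/, $connid, 2;`, or store the pair alongside the tunnel list in the hash and avoid re-parsing the key at all. `my $listref = [];` is declared in both new subs and never used. Both subs also repeat the `ne "n/a"` fallback block that display_ipsec_sa_brief carries; factoring it into one helper would keep the three views consistent.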