authorjules-vyos <vyos@ourhouse.org.uk>2017-07-27 13:33:50 +0100
committerjules-vyos <vyos@ourhouse.org.uk>2017-07-27 13:33:50 +0100
commit4aba0c7e26b5336122e88ab2bba01c1c6066600e (patch)
tree55459247678147f90c9a887c78571194c445a44f
parent367f00fe224ba76a43fb5ddebfcb0e0052a09075 (diff)
Fix various bits for newer StrongSwan support
Largely revamped process_tunnels. Makes IKE tunnel information work again. Added initial support for IKEv2 status.
-rw-r--r--lib/OPMode.pm71
1 files changed, 56 insertions, 15 deletions
diff --git a/lib/OPMode.pm b/lib/OPMode.pm
index 9e7bd60..438b628 100644
--- a/lib/OPMode.pm
+++ b/lib/OPMode.pm
@@ -201,12 +201,10 @@ sub process_tunnels{
my @ipsecstatus = @{pop(@_)};
my %tunnel_hash = ();
my %esp_hash = ();
+ my %lip_lookup = ();
foreach my $line (@ipsecstatus) {
- if (($line =~ /(peer-.*-tunnel-.*?):/)){
+ if (($line =~ /(peer-.*-tunnel-.*?):/ && !($line =~ /[\[\{]/))){
my $connectid = $1;
- if (($line =~ /(peer-.*-tunnel-.*?):(\[\d*\])/)){
- $connectid .= $2;
- }
$connectid =~ /peer-(.*)-tunnel-(.*)/;
my $peer = $1;
my $tunid = $2;
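Review bot: The new `!($line =~ /[\[\{]/)` guard on the `if` at the top of this hunk skips every status line that contains `[`, which includes the `peer-…-tunnel-N[M]: IKEv2 SPIs:` lines; the later `elsif ($line =~ /\]:\s+IKE.* SPIs: …/)` branch of this sub uses the block-scoped `$connectid`, so it appears to sit inside this same block and could then never match, leaving the IKE expiry and `_ikestate` unset. If the intent is only to keep CHILD-SA (`{…}`) lines out of the connect-id handling, narrow the guard to `&& $line !~ /\{/` or move the IKE-SA parsing out from under it. Dropping the `[N]` suffix also means every IKE SA instance for a tunnel now lands in one hash entry, so a rekeyed SA silently overwrites the previous one; worth a one-line comment if that is intended. process_tunnels starts and ends outside this hunk.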
@@ -234,6 +232,7 @@ sub process_tunnels{
_inspi => 'n/a',
_outspi => 'n/a',
_pfsgrp => 'n/a',
+ _ikever => 'n/a',
_ikeencrypt => 'n/a',
_ikehash => 'n/a',
_natt => 'n/a',
@@ -249,6 +248,35 @@ sub process_tunnels{
_lifetime => 'n/a',
_expire => 'n/a' };
}
+ # Disgusting hack - rip not mentioned on any line on a second tunnel to a peer - so borrow it from the first one
+ if($tunid >1)
+ {
+ $tunnel_hash{$connectid}->{_lip} = conv_ip($lip_lookup{$peer});
+ }
+ # A line like: 'peer-192.168.3.21-tunnel-1: %any...192.168.3.21 IKEv2'
+ if ($line =~ /\s+(.*?)\.\.\.(.*?) IKEv(.*?)/ )
+ {
+ my $lip = $1;
+ my $rip = $2;
+ my $ikever = $3;
+ $tunnel_hash{$connectid}->{_lip} = conv_ip($lip);
+ $tunnel_hash{$connectid}->{_rip} = conv_ip($rip);
+ $tunnel_hash{$connectid}->{_ikever} = $ikever;
+ if($tunid == 1)
+ {
+ $lip_lookup{$peer} = conv_ip($lip);
+ }
+ }
+ # A line like: 'peer-192.168.3.21-tunnel-1: child: 192.168.1.0/24 === 192.168.0.0/24 TUNNEL'
+ elsif ($line =~ /child:\s+(.*?) === (.*?) TUNNEL/)
+ {
+ my $lsnet = $1;
+ my $rsnet = $2;
+ $tunnel_hash{$connectid}->{_lsnet} = $lsnet;
+ $tunnel_hash{$connectid}->{_rsnet} = $rsnet;
+ }
+
+ # OLD CODE!
$line =~ s/---.*\.\.\./.../g; # remove the next hop router for local-ip 0.0.0.0 case
if ($line =~ /IKE.proposal:(.*?)\/(.*?)\/(.*)/){
$tunnel_hash{$connectid}->{_ikeencrypt} = $1;
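Review bot: The regex on the `'%any...192.168.3.21 IKEv2'` branch ends in `IKEv(.*?)` with nothing after the capture, so the lazy quantifier matches zero characters and `_ikever` is always set to the empty string; anchor the capture, e.g. `if ($line =~ /\s+(.*?)\.\.\.(\S+)\s+IKEv(\d+)/)`. The tunnel-two "hack" above it also dereferences `$lip_lookup{$peer}` before any line for tunnel 1 may have populated it (the lookup is only filled in the `$tunid == 1` branch further down), so `conv_ip` receives undef when tunnels are listed out of order; guard it with `if ($tunid > 1 && exists $lip_lookup{$peer})`. The comment says "rip" but the value borrowed is the local IP (`_lip`), and `$tunid` comes from an unanchored `(.*)` capture, so the numeric `>`/`==` comparisons would warn on any non-numeric suffix. process_tunnels starts and ends outside this hunk.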
@@ -587,11 +615,16 @@ sub process_tunnels{
$tunnel_hash{$connectid}->{_ikelife} = $ikelife;
$tunnel_hash{$connectid}->{_pfsgrp} = $pfs_group;
- } elsif ($line =~ /\]:\s+IKE SPIs: .* (reauthentication|rekeying) (disabled|in .*)/) {
- $tunnel_hash{$connectid}->{_ikeexpire} = conv_time($2);
+ } elsif ($line =~ /\]:\s+IKE.* SPIs: .* (reauthentication|rekeying) (disabled|in .*)/) {
+ my $ikever;
+ ($ikever) = $line =~ /IKEv(.*?) SPI/;
+ $tunnel_hash{$connectid}->{_ikever} = $ikever;
+ my $expiry_time;
+ (undef,$expiry_time) = $line =~ /(reauthentication|rekeying) (.*)/;
+ $tunnel_hash{$connectid}->{_ikeexpire} = conv_time($expiry_time);
- my ($atime, $ike_lifetime, $ike_expire) = (-1, $tunnel_hash{$connectid}->{_ikelife}, $tunnel_hash{$connectid}->{_ikeexpire});
- $atime = $ike_lifetime - $ike_expire if (($ike_lifetime ne 'n/a') && ($ike_expire ne 'n/a'));
+ my $atime = $tunnel_hash{$connectid}->{_ikelife} - $tunnel_hash{$connectid}->{_ikeexpire};
+# $atime = $ike_lifetime - $ike_expire if (($ike_lifetime ne 'n/a') && ($ike_expire ne 'n/a'));
$tunnel_hash{$connectid}->{_ikestate} = "up" if ($atime >= 0);
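Review bot: The rewritten `$atime` line drops the `ne 'n/a'` guard that the removed code (and the commented-out line below it) applied, so when `_ikelife` is still at its `'n/a'` default because no `IKE.proposal` line preceded this one, the subtraction warns "isn't numeric" and yields a bogus negative age rather than leaving the state untouched. Restore it in the new shape, e.g. `my ($ikelife, $ikeexpire) = @{$tunnel_hash{$connectid}}{qw(_ikelife _ikeexpire)};` followed by `my $atime = ($ikelife ne 'n/a' && $ikeexpire ne 'n/a') ? $ikelife - $ikeexpire : -1;`. The `($ikever) = $line =~ /IKEv(.*?) SPI/;` assignment is likewise unchecked and will replace the `'n/a'` default with undef if the format differs. The enclosing sub continues outside this hunk.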
@@ -869,7 +902,12 @@ sub show_ipsec_sa_natt
display_ipsec_sa_brief(\%tmphash);
}
sub show_ike_status{
- my $process_id = `sudo cat /var/run/charon.pid`;
+ my $pidfile = '/var/run/charon.pid';
+ if (! -e $pidfile) {
+ print "IKE process is not running\n";
+ exit(1);
+ }
+ my $process_id = `sudo cat $pidfile`;
chomp $process_id;
print <<EOS;
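Review bot: `-e $pidfile` only proves a file exists, not that charon is running, so a stale pidfile still produces a "running" report built from whatever the file contains; the value is then printed and, presumably, used further down the heredoc that continues past this hunk. Validate the pid after the `chomp` and check the process is actually present, e.g. `if ($process_id !~ /^\d+$/ || ! -d "/proc/$process_id") { print "IKE process is not running\n"; exit(1); }`, which also ensures only a plain integer is ever interpolated into later output or commands. Calling `exit(1)` from a sub in a module ends the whole caller; if other show_* subs here return on error instead, follow that convention. show_ike_status ends outside this hunk.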
@@ -970,7 +1008,7 @@ sub display_ipsec_sa_brief
my $vpncfg = new Vyatta::Config();
$vpncfg->setLevel('vpn ipsec site-to-site');
for my $connectid (keys %th){
- $peerid = conv_ip($th{$connectid}->{_rip});
+ $peerid = conv_ip($th{$connectid}->{_peerid});
my $lip = conv_ip($th{$connectid}->{_lip});
my $tunnel = "$peerid-$lip";
my $peer_configured = conv_id_rev($th{$connectid}->{_peerid});
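Review bot: `$peerid` is now derived by passing `_peerid` rather than `_rip` through `conv_ip`; the very next line runs the same value through `conv_id_rev`, which suggests `_peerid` can hold a non-address identity, and nothing here shows what `conv_ip` does with such input. If it returns the string unchanged that is fine, otherwise the `$tunnel` key and the printed peer column will be corrupted for id-based peers; a short comment stating which form `_peerid` takes here would settle it, e.g. `# _peerid is the remote identity string, not necessarily an address`. display_ipsec_sa_brief starts and ends outside this hunk.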
@@ -1027,6 +1065,7 @@ EOH
my $atime = $life - $expire;
$atime = 0 if ($atime == $life);
printf " %-7s %-6s %-14s %-8s %-7s %-6s %-7s %-7s %-2s\n",
+
$tunnum, $state, $bytesp, $enc, $hash, $natt,
$atime, $life, $proto;
}
@@ -1225,11 +1264,13 @@ sub display_ike_sa_brief {
if (not exists $tunhash{$tunnel}) {
$tunhash{$tunnel}={
_configpeer => conv_id_rev($th{$connectid}->{_peerid}),
+ _configpeer => conv_id_rev($th{$connectid}->{_peerid}),
_tunnels => []
};
}
my @tmp = ( $th{$connectid}->{_tunnelnum},
$th{$connectid}->{_ikestate},
+ $th{$connectid}->{_ikever},
$th{$connectid}->{_newestike},
$th{$connectid}->{_ikeencrypt},
$th{$connectid}->{_ikehash},
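Review bot: The added `_configpeer => conv_id_rev(...)` line duplicates the key on the line directly above it; Perl keeps the last value of a repeated key in an anonymous hash without warning, so it is harmless today but will silently mask a future edit to either line. Delete the added duplicate. The `_ikever` element inserted into `@tmp` is consumed by the matching destructuring change later in this commit, so the positional change is consistent. display_ike_sa_brief continues outside this hunk.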
@@ -1251,11 +1292,11 @@ EOH
print "\n Description: $desc\n" if (defined($desc));
print <<EOH;
- State Encrypt Hash D-H Grp NAT-T A-Time L-Time
- ----- ------- ---- ------- ----- ------ ------
+ State Ver Encrypt Hash D-H Grp NAT-T A-Time L-Time
+ ----- --- ------- ---- ------- ----- ------ ------
EOH
for my $tunnel (tunSort(@{$tunhash{$connid}->{_tunnels}})){
- (my $tunnum, my $state, my $isakmpnum, my $enc,
+ (my $tunnum, my $state, my $ver, my $isakmpnum, my $enc,
my $hash, my $dhgrp, my $natt, my $life, my $expire) = @{$tunnel};
$enc = conv_enc($enc);
$hash = conv_hash($hash);
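Review bot: The new `$ver` column is printed without any fallback, and elsewhere in this commit `_ikever` is assigned from unchecked regex captures, so an undefined or empty value reaches `printf` and emits an "uninitialized value" warning in the middle of the table. Normalise it next to the other column conversions, e.g. `$ver = 'n/a' unless defined $ver && length $ver;`. The header now labels the column `Ver` with a 3-dash underline while the format below uses `%-4s`, which matches the one-space gap used by the other columns. The enclosing loop and heredoc continue outside this hunk.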
@@ -1263,8 +1304,8 @@ EOH
$dhgrp = conv_dh_group($dhgrp);
my $atime = $life - $expire;
$atime = 0 if ($atime == $life);
- printf " %-6s %-8s %-7s %-8s %-6s %-7s %-7s\n",
- $state, $enc, $hash, $dhgrp, $natt, $atime, $life;
+ printf " %-6s %-4s %-8s %-7s %-8s %-6s %-7s %-7s\n",
+ $state, $ver, $enc, $hash, $dhgrp, $natt, $atime, $life;
}
print "\n \n";
}