author | jules-vyos <vyos@ourhouse.org.uk> | 2017-09-03 21:25:50 +0100 |
---|---|---|
committer | jules-vyos <vyos@ourhouse.org.uk> | 2017-09-03 21:25:50 +0100 |
commit | f6f567b8b168dbe0d4bdb1b08c0f84faa0d362cb (patch) | |
tree | 1ce5e1911f588045a92e385cde8dd7630ffb47d7 | |
parent | c322d07f1d1568ff1ea9a7a85efd825e42cba9d1 (diff) | |
Fixes for show vpn ike sa and show vpn ipsec sa
Fixed 'show vpn ike sa' to actually show output when the tunnel isn't up.
Fixed 'show vpn ipsec sa' to actually use the pretty-printing code, rather than swanctl --list-sas, which is pretty unpleasant.
-rw-r--r-- | lib/OPMode.pm | 16 | ||||
-rw-r--r-- | templates/show/vpn/ipsec/sa/node.def | 2 |
2 files changed, 11 insertions, 7 deletions
diff --git a/lib/OPMode.pm b/lib/OPMode.pm index 0068e96..38bea1c 100644 --- a/lib/OPMode.pm +++ b/lib/OPMode.pm @@ -615,19 +615,21 @@ sub process_tunnels{ $tunnel_hash{$connectid}->{_ikelife} = $ikelife; $tunnel_hash{$connectid}->{_pfsgrp} = $pfs_group; - } elsif ($line =~ /\]:\s+IKE.* SPIs: .* (reauthentication|rekeying) (disabled|in .*)/) { + } elsif ($line =~ /\]:\s+IKE.* SPIs:/) { my $ikever; ($ikever) = $line =~ /IKEv(.*?) SPI/; $tunnel_hash{$connectid}->{_ikever} = $ikever; my $expiry_time; - (undef,$expiry_time) = $line =~ /(reauthentication|rekeying) (.*)/; - $tunnel_hash{$connectid}->{_ikeexpire} = conv_time($expiry_time); + if($line =~ /(reauthentication|rekeying)/) + {(undef,$expiry_time) = $line =~ /(reauthentication|rekeying) (.*)/; + $tunnel_hash{$connectid}->{_ikeexpire} = conv_time($expiry_time); + my $atime = $tunnel_hash{$connectid}->{_ikelife} - $tunnel_hash{$connectid}->{_ikeexpire}; # $atime = $ike_lifetime - $ike_expire if (($ike_lifetime ne 'n/a') && ($ike_expire ne 'n/a')); $tunnel_hash{$connectid}->{_ikestate} = "up" if ($atime >= 0); - + } } elsif ($line =~ /\]:\s+IKE.proposal:(.*?)\/(.*?)\/(.*?)\/(.*)/) { $tunnel_hash{$connectid}->{_ikeencrypt} = $1; $tunnel_hash{$connectid}->{_ikehash} = $2; @@ -1260,7 +1262,7 @@ sub display_ike_sa_brief { my $lip = $th{$connectid}->{_lip}; $peerid = $th{$connectid}->{_rip}; my $tunnel = "$peerid-$lip"; - next if ($th{$connectid}->{_ikestate} eq 'down'); + #next if ($th{$connectid}->{_ikestate} eq 'down'); if (not exists $tunhash{$tunnel}) { $tunhash{$tunnel}={ _configpeer => conv_id_rev($th{$connectid}->{_peerid}), 
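Review bot: The guard added inside the `IKE ... SPIs:` branch of process_tunnels runs the same pattern twice and then does arithmetic on values that are never checked to be numeric. One match is enough, `if (($expiry_time) = $line =~ /(?:reauthentication|rekeying) (.*)/) {`. For a line ending in `rekeying disabled`, which the removed pattern accepted explicitly, the capture handed to conv_time is the word `disabled`; what conv_time returns for that is not visible in this hunk, so the `_ikelife - _ikeexpire` subtraction deserves a numeric check before `_ikestate` is set to `up`. When the rekey text is absent, `_ikeexpire` and `_ikestate` now keep whatever they held before, which the display code has to tolerate. process_tunnels starts and ends outside the hunk.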
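Review bot: Commenting out `next if ($th{$connectid}->{_ikestate} eq 'down');` in display_ike_sa_brief leaves dead code behind and lets through entries whose `_ikestate` may never have been assigned. Delete the line and replace it with a short comment giving the reason, for example `# tunnels that are down are listed too, so a peer that failed to negotiate stays visible`. Since process_tunnels in this same commit sets `_ikestate` only when the rekey text is present, a default such as `$th{$connectid}->{_ikestate} //= 'down';` before `%tunhash` is filled would keep the State column from printing empty. Such an initialisation may already exist outside the hunk, as the body of display_ike_sa_brief continues beyond it.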
@@ -1304,8 +1306,10 @@ EOH $dhgrp = conv_dh_group($dhgrp)."(".$dhgrp.")"; my $atime = $life - $expire; $atime = 0 if ($atime == $life); + my $ike_out = "N/A"; + $ike_out = "IKEv".$ver if( $ver > 0 ); printf " %-6s %-6s %-8s %-7s %-14s %-6s %-7s %-7s\n", - $state, "IKEv".$ver, $enc, $hash, $dhgrp, $natt, $atime, $life; + $state, $ike_out, $enc, $hash, $dhgrp, $natt, $atime, $life; } print "\n \n"; } diff --git a/templates/show/vpn/ipsec/sa/node.def b/templates/show/vpn/ipsec/sa/node.def index 99a5cc1..7f569bd 100644 --- a/templates/show/vpn/ipsec/sa/node.def +++ b/templates/show/vpn/ipsec/sa/node.def @@ -1,6 +1,6 @@ help: Show all active IPsec Security Associations (SA) run: if pgrep charon >&/dev/null; then - sudo /usr/sbin/swanctl --list-sas + sudo /opt/vyatta/bin/sudo-users/vyatta-op-vpn.pl --show-ipsec-sa else echo -e "IPSec Process NOT Running\n" fi |
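Review bot: The added test `$ver > 0` is a numeric comparison on a value that, judging by the first hunk, comes from a regex capture and can be undefined for a tunnel that never produced an IKE line. If warnings are enabled in this module, every down tunnel will then emit an uninitialized-value warning into the operator's output. A defined-and-digits check avoids that, `my $ike_out = (defined $ver && $ver =~ /\A\d+\z/) ? "IKEv$ver" : "N/A";`. The unchanged `$life - $expire` just above and the `$enc`/`$hash` arguments to printf probably see the same undefined values now that down tunnels reach this loop, so they would benefit from the same `N/A` fallback. The enclosing sub begins outside the hunk.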