authorJohn Southworth <john.southworth@vyatta.com>2011-01-31 13:01:59 -0600
committerJohn Southworth <john.southworth@vyatta.com>2011-01-31 13:01:59 -0600
commit8edd26b88c65e99b53f1f6f1d97be12c39666632 (patch)
treef3262985eb18920378ec6df9f72102165a064457
parent944558ea25a183108d8bdcd772bb0dcc42eee395 (diff)
downloadvyatta-op-vpn-8edd26b88c65e99b53f1f6f1d97be12c39666632.tar.gz
vyatta-op-vpn-8edd26b88c65e99b53f1f6f1d97be12c39666632.zip
Work on new IPsec operational mode script. Fix some syntax; make show based on peer better; Add show ike secrets
-rwxr-xr-xscripts/vyatta-op-vpn.pl112
-rw-r--r--templates/show/vpn/ike/sa/peer/node.tag/node.def2
-rw-r--r--templates/show/vpn/ike/secrets/node.def2
-rw-r--r--templates/show/vpn/ipsec/sa/peer/node.tag/node.def2
4 files changed, 71 insertions, 47 deletions
diff --git a/scripts/vyatta-op-vpn.pl b/scripts/vyatta-op-vpn.pl
index 7a1f19f..9b505db 100755
--- a/scripts/vyatta-op-vpn.pl
+++ b/scripts/vyatta-op-vpn.pl
@@ -216,12 +216,8 @@ sub show_ipsec_sa_peer
my %tmphash = ();
my $peerid = pop(@_);
for my $peer ( keys %tunnel_hash ) {
- for my $key ( keys %{$tunnel_hash{$peer}} ) {
- if ($key eq "_rightid"){
- if (%{$tunnel_hash{$peer}}->{$key} eq $peerid){
- $tmphash{$peer} = \%{$tunnel_hash{$peer}};
- }
- }
+ if (%{$tunnel_hash{$peer}}->{_rightid} eq $peerid){
+ $tmphash{$peer} = \%{$tunnel_hash{$peer}};
}
}
display_ipsec_sa_brief(\%tmphash);
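Review bot: The new condition `%{$tunnel_hash{$peer}}->{_rightid}` uses a hash as a reference, which Perl warns about as deprecated and later releases reject; the plain nested subscript `$tunnel_hash{$peer}{_rightid}` is what is meant. Dropping the inner `keys` loop also removes the implicit "key exists" guard, so a peer entry without `_rightid` now feeds undef to `eq` and, if warnings are enabled in this script, emits an uninitialized-value warning per peer; `if (defined $tunnel_hash{$peer}{_rightid} && $tunnel_hash{$peer}{_rightid} eq $peerid) {` keeps the old behaviour. The same construct appears in the show_ipsec_sa_stats_peer, show_ipsec_sa_peer_detail, show_ipsec_sa_natt, show_ike_sa_peer and show_ike_sa_natt hunks (the `_natt` ones compare with `== 1`, so an absent key there also warns). show_ipsec_sa_peer's opening lines are outside the hunk.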
@@ -234,12 +230,8 @@ sub show_ipsec_sa_stats_peer
my %tmphash = ();
my $peerid = pop(@_);
for my $peer ( keys %tunnel_hash ) {
- for my $key ( keys %{$tunnel_hash{$peer}} ) {
- if ($key eq "_rightid"){
- if (%{$tunnel_hash{$peer}}->{$key} eq $peerid){
- $tmphash{$peer} = \%{$tunnel_hash{$peer}};
- }
- }
+ if (%{$tunnel_hash{$peer}}->{_rightid} eq $peerid){
+ $tmphash{$peer} = \%{$tunnel_hash{$peer}};
}
}
display_ipsec_sa_stats(\%tmphash);
@@ -252,9 +244,9 @@ sub show_ipsec_sa_stats_conn
my %tmphash = ();
my $peerid = pop(@_);
for my $peer ( keys %tunnel_hash ) {
- if ($peer eq $peerid){
- $tmphash{$peer} = \%{$tunnel_hash{$peer}};
- }
+ if ($peer eq $peerid){
+ $tmphash{$peer} = \%{$tunnel_hash{$peer}};
+ }
}
display_ipsec_sa_stats(\%tmphash);
}
@@ -265,12 +257,8 @@ sub show_ipsec_sa_peer_detail
my %tmphash = ();
my $peerid = pop(@_);
for my $peer ( keys %tunnel_hash ) {
- for my $key ( keys %{$tunnel_hash{$peer}} ) {
- if ($key eq "_rightid"){
- if (%{$tunnel_hash{$peer}}->{$key} eq $peerid){
- $tmphash{$peer} = \%{$tunnel_hash{$peer}};
- }
- }
+ if (%{$tunnel_hash{$peer}}->{_rightid} eq $peerid){
+ $tmphash{$peer} = \%{$tunnel_hash{$peer}};
}
}
display_ipsec_sa_detail(\%tmphash);
@@ -283,9 +271,9 @@ sub show_ipsec_sa_conn_detail
my %tmphash = ();
my $peerid = pop(@_);
for my $peer ( keys %tunnel_hash ) {
- if ($peer eq $peerid){
- $tmphash{$peer} = \%{$tunnel_hash{$peer}};
- }
+ if ($peer eq $peerid){
+ $tmphash{$peer} = \%{$tunnel_hash{$peer}};
+ }
}
display_ipsec_sa_detail(\%tmphash);
@@ -296,13 +284,9 @@ sub show_ipsec_sa_natt
my %tunnel_hash = get_tunnel_info();
my %tmphash = ();
for my $peer ( keys %tunnel_hash ) {
- for my $key ( keys %{$tunnel_hash{$peer}} ) {
- if ($key eq "_natt"){
- if (%{$tunnel_hash{$peer}}->{$key} == 1 ){
- $tmphash{$peer} = \%{$tunnel_hash{$peer}};
- }
- }
- }
+ if (%{$tunnel_hash{$peer}}->{_natt} == 1 ){
+ $tmphash{$peer} = \%{$tunnel_hash{$peer}};
+ }
}
display_ipsec_sa_brief(\%tmphash);
@@ -326,12 +310,8 @@ sub show_ike_sa_peer
my %tmphash = ();
my $peerid = pop(@_);
for my $peer ( keys %tunnel_hash ) {
- for my $key ( keys %{$tunnel_hash{$peer}} ) {
- if ($key eq "_rightid"){
- if (%{$tunnel_hash{$peer}}->{$key} eq $peerid ){
- $tmphash{$peer} = \%{$tunnel_hash{$peer}};
- }
- }
+ if (%{$tunnel_hash{$peer}}->{_rightid} eq $peerid ){
+ $tmphash{$peer} = \%{$tunnel_hash{$peer}};
}
}
display_ike_sa_brief(\%tmphash);
@@ -343,12 +323,8 @@ sub show_ike_sa_natt
my %tunnel_hash = get_tunnel_info();
my %tmphash = ();
for my $peer ( keys %tunnel_hash ) {
- for my $key ( keys %{$tunnel_hash{$peer}} ) {
- if ($key eq "_natt"){
- if (%{$tunnel_hash{$peer}}->{$key} == 1 ){
- $tmphash{$peer} = \%{$tunnel_hash{$peer}};
- }
- }
+ if (%{$tunnel_hash{$peer}}->{_natt} == 1 ){
+ $tmphash{$peer} = \%{$tunnel_hash{$peer}};
}
}
display_ike_sa_brief(\%tmphash);
@@ -357,7 +333,55 @@ sub show_ike_sa_natt
sub show_ike_secrets
{
- print "show ike secrets\n";
+ my $secret_file = '/etc/ipsec.secrets';
+ unless ( -r $secret_file) {
+ die "No secrets file $secret_file\n";
+ }
+ open(DAT, $secret_file);
+ my @raw_data=<DAT>;
+ close(DAT);
+ foreach my $line (@raw_data) {
+ if ($line =~ /PSK/) {
+ my ($lip, $pip, $lid, $pid, $secret) = ('', '', 'N/A', 'N/A', '');
+ ($secret) = $line =~ /.*:\s+PSK\s+(\"\S+\")/;
+ ($lip, $pip) = $line =~ /^(\S+)\s+(\S+)\s+\:\s+PSK\s+\"\S+\"/;
+ # This processing with depend heavily on the way we write ipsec.secrets
+ # lines with 3 entries are tagged by the config module so that we can tell
+ # if the 3rd entry is a localid or peerid (left or right)
+ if (! defined($lip)){
+ if ($line =~ /^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+\:\s+PSK\s+\"\S+\"/){
+ $lip = $1;
+ $pip = $2;
+ $lid = $3;
+ $pid = $4;
+ } elsif ($line =~ /^(\S+)\s+(\S+)\s+(\S+)\s+\:\s+PSK\s+\"\S+\".*\#(.*)\#/){
+ $lip = $1;
+ $pip = $2;
+ if ($4 eq 'RIGHT'){
+ $pid = $3
+ } else {$lid = $3}
+ }
+ }
+ $lip = '0.0.0.0' if ! defined $lip;
+ $pip = '0.0.0.0' if ! defined $pip;
+ print <<EOH;
+Local IP/ID Peer IP/ID
+--------------------------------------- ---------------------------------------
+EOH
+ printf "%-39s %-39s\n", $lip, $pip;
+ printf "%-39s %-39s\n", substr($lid,0,39), substr($pid,0,39);
+ print <<EOS;
+--------------------------------------- ---------------------------------------
+EOS
+ print " Secret: $secret\n";
+print <<EOS;
+-------------------------------------------------------------------------------
+
+EOS
+ }
+ }
+ exit 0;
+
}
sub display_ipsec_sa_brief
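Review bot: `open(DAT, $secret_file);` is a two-argument open on a bareword handle with no result check, so the preceding `-r` test is the only error handling and a failed open (file replaced or permissions changed between the test and the open, or a read error) makes the command print nothing rather than fail; prefer `open my $fh, '<', $secret_file or die "Cannot open $secret_file: $!\n"; my @raw_data = <$fh>; close $fh;`. The `(\"\S+\")` capture also leaves `$secret` undef for any quoted PSK containing whitespace, and `Secret: $secret` then prints an empty value, so either allow spaces in the capture or skip the line with a notice when it does not match. `exit 0;` at the end of the sub terminates the whole script from inside a show routine; if that is the convention for the other show_* subs it is fine, otherwise `return;` is the safer choice.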
diff --git a/templates/show/vpn/ike/sa/peer/node.tag/node.def b/templates/show/vpn/ike/sa/peer/node.tag/node.def
index a84cc0e..c76b71b 100644
--- a/templates/show/vpn/ike/sa/peer/node.tag/node.def
+++ b/templates/show/vpn/ike/sa/peer/node.tag/node.def
@@ -1,3 +1,3 @@
-help: Show all currently active IKE Security Associations (SA) for a specific peer
+help: Show all currently active IKE Security Associations (SA) for a peer
allowed: /opt/vyatta/bin/sudo-users/vyatta-op-vpn.pl --get-peers-for-cli
run: sudo /opt/vyatta/bin/sudo-users/vyatta-op-vpn.pl --show-ike-sa-peer="$6"
diff --git a/templates/show/vpn/ike/secrets/node.def b/templates/show/vpn/ike/secrets/node.def
index d8306d2..ec4073c 100644
--- a/templates/show/vpn/ike/secrets/node.def
+++ b/templates/show/vpn/ike/secrets/node.def
@@ -1,2 +1,2 @@
help: Show all the pre-shared key secrets
-run: sudo /opt/vyatta/bin/sudo-users/vyatta-show-vpn.pl secrets
+run: sudo /opt/vyatta/bin/sudo-users/vyatta-op-vpn.pl --show-ike-secrets
diff --git a/templates/show/vpn/ipsec/sa/peer/node.tag/node.def b/templates/show/vpn/ipsec/sa/peer/node.tag/node.def
index ad3e8f8..559bed5 100644
--- a/templates/show/vpn/ipsec/sa/peer/node.tag/node.def
+++ b/templates/show/vpn/ipsec/sa/peer/node.tag/node.def
@@ -1,3 +1,3 @@
-help: Show all active IPsec Security Associations (SA) for a specific peer
+help: Show all active IPsec Security Associations (SA) for a peer
allowed: /opt/vyatta/bin/sudo-users/vyatta-op-vpn.pl --get-peers-for-cli
run: sudo /opt/vyatta/bin/sudo-users/vyatta-op-vpn.pl --show-ipsec-sa-peer="$6"