authorMarat Nepomnyashy <marat@vyatta.com>2008-01-03 20:29:59 -0800
committerMarat Nepomnyashy <marat@vyatta.com>2008-01-03 20:29:59 -0800
commit7605a8f6472ded387ffb311d1400b084011dfb74 (patch)
tree42628396689902032685dd95ec7a8811799d04df
parentcb8ce9cc1b8fb594a29e5ee7a49949c9d1c9ae1f (diff)
Initial VPN op template migration.
-rw-r--r--Makefile.am1
-rwxr-xr-xscripts/gen_local_rsa_key.pl116
-rwxr-xr-xscripts/show_vpn.pl94
-rw-r--r--templates/clear/vpn/ipsec-process/node.def2
-rw-r--r--templates/clear/vpn/node.def1
-rw-r--r--templates/show/vpn/debug/detail/node.def2
-rw-r--r--templates/show/vpn/debug/node.def2
-rw-r--r--templates/show/vpn/ike/node.def1
-rw-r--r--templates/show/vpn/ike/rsa-keys/node.def2
-rw-r--r--templates/show/vpn/ike/sa/nat-traversal/node.def2
-rw-r--r--templates/show/vpn/ike/sa/node.def2
-rw-r--r--templates/show/vpn/ike/sa/peer/node.def1
-rw-r--r--templates/show/vpn/ike/sa/peer/node.tag/node.def2
-rw-r--r--templates/show/vpn/ike/secrets/node.def2
-rw-r--r--templates/show/vpn/ike/status/node.def2
-rw-r--r--templates/show/vpn/ipsec/node.def1
-rw-r--r--templates/show/vpn/ipsec/sa/detail/connection/node.def1
-rw-r--r--templates/show/vpn/ipsec/sa/detail/connection/node.tag/node.def2
-rw-r--r--templates/show/vpn/ipsec/sa/detail/node.def2
-rw-r--r--templates/show/vpn/ipsec/sa/detail/peer/node.def1
-rw-r--r--templates/show/vpn/ipsec/sa/detail/peer/node.tag/node.def2
-rw-r--r--templates/show/vpn/ipsec/sa/nat-traversal/node.def2
-rw-r--r--templates/show/vpn/ipsec/sa/node.def2
-rw-r--r--templates/show/vpn/ipsec/sa/peer/node.def1
-rw-r--r--templates/show/vpn/ipsec/sa/peer/node.tag/node.def2
-rw-r--r--templates/show/vpn/ipsec/sa/statistics/node.def2
-rw-r--r--templates/show/vpn/ipsec/status/node.def2
-rw-r--r--templates/vpn/node.def1
-rw-r--r--templates/vpn/rsa-key/generate/bits/node.def1
-rw-r--r--templates/vpn/rsa-key/generate/bits/node.tag/node.def2
-rw-r--r--templates/vpn/rsa-key/generate/bits/node.tag/random/node.def1
-rw-r--r--templates/vpn/rsa-key/generate/bits/node.tag/random/node.tag/node.def2
-rw-r--r--templates/vpn/rsa-key/generate/node.def2
-rw-r--r--templates/vpn/rsa-key/node.def1
34 files changed, 262 insertions, 0 deletions
diff --git a/Makefile.am b/Makefile.am
index 316dfe1..659c659 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -17,6 +17,7 @@ xsl_DATA += src/xsl/show_vpn_ipsec_status.xsl
sbin_PROGRAMS = command_proc_show_vpn
+sbin_SCRIPTS = scripts/gen_local_rsa_key.pl scripts/show_vpn.pl
command_proc_show_vpn_SOURCES = src/command_proc_base.hh
command_proc_show_vpn_SOURCES += src/command_proc_show_vpn.cc
diff --git a/scripts/gen_local_rsa_key.pl b/scripts/gen_local_rsa_key.pl
new file mode 100755
index 0000000..b65b421
--- /dev/null
+++ b/scripts/gen_local_rsa_key.pl
@@ -0,0 +1,116 @@
+#!/usr/bin/perl -w
+#
+# Module: gen_local_rsa_key.pl
+#
+# **** License ****
+# Version: VPL 1.0
+#
+# The contents of this file are subject to the Vyatta Public License
+# Version 1.0 ("License"); you may not use this file except in
+# compliance with the License. You may obtain a copy of the License at
+# http://www.vyatta.com/vpl
+#
+# Software distributed under the License is distributed on an "AS IS"
+# basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
+# the License for the specific language governing rights and limitations
+# under the License.
+#
+# This code was originally developed by Vyatta, Inc.
+# Portions created by Vyatta are Copyright (C) 2006, 2007 Vyatta, Inc.
+# All Rights Reserved.
+#
+# Author: Stig Thormodsrud
+# Date: 2007
+# Description: Utility to generate a local RSA key.
+#
+# **** End License ****
+#
+
+use strict;
+#use warnings;
+use lib "/opt/vyatta/share/perl5/";
+
+use VyattaVPNUtil;
+
+
+# Defaults
+my $bits = 2192;
+my $device = "/dev/random";
+
+if ($#ARGV > 1) {
+ die "Usage: gen_local_rsa_key.pl <bits> <device>\n";
+}
+$bits = $ARGV[0] if $#ARGV >= 0;
+
+#
+# The ipsec newhostkey command seems to support up to
+# 20000 bits for key generation, but xorp currently
+# can't handle a line that long when entered in the
+# config. Xorp seems to be able to handle keys generated
+# with up to 5840 bits.
+#
+my ($bits_min, $bits_max) = (16, 4096);
+
+if ($bits > $bits_max) {
+ die "bits must be <= $bits_max\n";
+}
+if ($bits < $bits_min) {
+ die "bits must be >= $bits_min\n";
+}
+if ($bits % 16 != 0) {
+ die "bits=$bits is not a multiple of 16\n";
+}
+$device = $ARGV[1] if $#ARGV >= 1;
+unless (-r $device) {
+ die "invalid random number device $device\n";
+}
+
+my $local_key_file = VyattaVPNUtil::rsa_get_local_key_file();
+
+my ($cmd, $rc);
+
+if (-r $local_key_file) {
+ $| =1; # force a flush
+ print "A local RSA key file already exists and will be overwritten\n";
+ print "<CTRL>C to exit: ";
+ my $loop = 9;
+ while ($loop) {
+ print "\b$loop";
+ sleep 1;
+ $loop--;
+ }
+ print "\n";
+} else {
+ my ($dirpath) = ($local_key_file =~ m#^(.*/)?.*#s);
+ $cmd = "mkdir -p $dirpath";
+ $rc = system($cmd);
+ if ($rc != 0 ) {
+ die "Cannot mkdir $dirpath $!\n";
+ }
+}
+
+$cmd = "/usr/sbin/ipsec newhostkey --output $local_key_file --bits $bits";
+#
+# The default random number generator is /dev/random, but it will block
+# if there isn't enough system activity to provide enough "good" random
+# bits. Try /dev/urandom if it's taking too long.
+#
+$cmd .= " --random $device";
+
+print "Generating rsa-key to $local_key_file\n";
+VyattaVPNUtil::vpn_debug $cmd;
+$rc = system($cmd);
+if ($rc != 0) {
+ die "Can not generate RSA key: $!\n";
+}
+
+my $file_pubkey = VyattaVPNUtil::rsa_get_local_pubkey($local_key_file);
+if ($file_pubkey ne 0) {
+ print "\nYour new local RSA key has been generated\n";
+ print "The public portion of the key is:\n\n$file_pubkey\n\n";
+ $cmd = "ipsec auto --rereadall 2> /dev/null";
+ VyattaVPNUtil::vpn_debug $cmd;
+ system $cmd;
+ exit 0;
+}
+die "Can not find pubkey\n";
diff --git a/scripts/show_vpn.pl b/scripts/show_vpn.pl
new file mode 100755
index 0000000..2869525
--- /dev/null
+++ b/scripts/show_vpn.pl
@@ -0,0 +1,94 @@
+#!/usr/bin/perl -w
+#
+# Module: show_vpn.pl
+#
+# **** License ****
+# Version: VPL 1.0
+#
+# The contents of this file are subject to the Vyatta Public License
+# Version 1.0 ("License"); you may not use this file except in
+# compliance with the License. You may obtain a copy of the License at
+# http://www.vyatta.com/vpl
+#
+# Software distributed under the License is distributed on an "AS IS"
+# basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
+# the License for the specific language governing rights and limitations
+# under the License.
+#
+# This code was originally developed by Vyatta, Inc.
+# Portions created by Vyatta are Copyright (C) 2006, 2007 Vyatta, Inc.
+# All Rights Reserved.
+#
+# Author: Stig Thormodsrud
+# Date: 2007
+# Description: Utility to show various vpn values
+#
+# **** End License ****
+#
+
+use strict;
+use warnings;
+
+use lib "/opt/vyatta/share/perl5/";
+
+my $arg0 = $ARGV[0];
+if (!defined($arg0)) {
+ die "Please specify either 'secrets' or 'rsa-keys'.\n";
+}
+
+if ($arg0 eq 'secrets') {
+ my $secret_file = '/etc/ipsec.secrets';
+ unless ( -r $secret_file) {
+ die "No secrets file $secret_file\n";
+ }
+ open(DAT, $secret_file);
+ my @raw_data=<DAT>;
+ close(DAT);
+ print "Local IP Peer IP Secret\n";
+ print "-------- ------- ------\n";
+ foreach my $line (@raw_data) {
+ if ($line =~ /PSK/) {
+ my ($lip, $pip, $secret) = $line =~ /^(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+\:\s+PSK\s+(\"\w+\")/;
+ printf "%-15s %-15s %s\n", $lip, $pip, $secret;
+ }
+ }
+ exit 0;
+}
+
+
+
+if ($arg0 eq 'rsa-keys') {
+ use VyattaVPNUtil;
+ my $key_file = VyattaVPNUtil::rsa_get_local_key_file();
+ unless ( -r $key_file) {
+ die "No key file $key_file found.\n";
+ }
+ my $pubkey = VyattaVPNUtil::rsa_get_local_pubkey($key_file);
+ if ($pubkey eq 0) {
+ die "No local pubkey found.\n";
+ }
+ print "\nLocal public key ($key_file):\n\n$pubkey\n\n";
+
+ use VyattaConfig;
+ my $vc = new VyattaConfig();
+ $vc->setLevel('vpn');
+
+ my @peers = $vc->listNodes('ipsec site-to-site peer');
+ foreach my $peer (@peers) {
+ my $mode = $vc->returnValue("ipsec site-to-site peer $peer authentication mode");
+ if ($mode eq 'rsa') {
+ my $rsa_key_name = $vc->returnValue("ipsec site-to-site peer $peer authentication rsa-key-name");
+ my $remote_key = $vc->returnValue("rsa-keys rsa-key-name $rsa_key_name rsa-key");
+ print "=" x 80, "\n";
+ print "Peer IP: $peer";
+ if (defined($rsa_key_name)) {
+ print " ($rsa_key_name)";
+ }
+ print "\n\n";
+ if (defined($remote_key)) {
+ print "$remote_key\n";
+ }
+ }
+ }
+}
+
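Review bot: The secrets branch reads `/etc/ipsec.secrets` through a two-argument, bareword, unchecked `open(DAT, $secret_file)` at line 229, so a failed open leaves `@raw_data` empty and the command prints only the column header and exits 0; a lexical three-argument `open ... or die` reports the failure instead. The capture at line 236 accepts only a secret made of `\w` characters inside the quotes, so a PSK containing punctuation or spaces leaves all three captures undef and `printf` emits blanks (with warnings under `use warnings`); `("[^"]*")` takes the quoted value as written, and a `next unless defined $secret` skips lines in another layout. An argument other than `secrets` or `rsa-keys` falls off the end at line 278 with no output and exit 0 — the usage `die` at line 221 belongs at the end as the fallthrough as well. `new VyattaConfig()` at line 258 is indirect object syntax; prefer `VyattaConfig->new()`, and the two `use` statements at lines 246 and 257 run at compile time regardless of the `if`, so they read more honestly at the top of the file.
```perl
    open my $fh, '<', $secret_file or die "Cannot open $secret_file: $!\n";
    my @raw_data = <$fh>;
    close $fh;
    # … unchanged: column header …
    foreach my $line (@raw_data) {
        next unless $line =~ /PSK/;
        my ($lip, $pip, $secret) = $line =~ m{^(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+:\s+PSK\s+("[^"]*")};
        next unless defined $secret;    # line is not in the "lip pip : PSK "..."" layout
        printf "%-15s %-15s %s\n", $lip, $pip, $secret;
    }
    exit 0;
}
# … unchanged: rsa-keys branch …
die "Please specify either 'secrets' or 'rsa-keys'.\n";
```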
diff --git a/templates/clear/vpn/ipsec-process/node.def b/templates/clear/vpn/ipsec-process/node.def
new file mode 100644
index 0000000..c4e3637
--- /dev/null
+++ b/templates/clear/vpn/ipsec-process/node.def
@@ -0,0 +1,2 @@
+help: Restart VPN
+run: sudo ipsec setup restart
diff --git a/templates/clear/vpn/node.def b/templates/clear/vpn/node.def
new file mode 100644
index 0000000..4829ea2
--- /dev/null
+++ b/templates/clear/vpn/node.def
@@ -0,0 +1 @@
+help: Clear VPN
diff --git a/templates/show/vpn/debug/detail/node.def b/templates/show/vpn/debug/detail/node.def
new file mode 100644
index 0000000..feca088
--- /dev/null
+++ b/templates/show/vpn/debug/detail/node.def
@@ -0,0 +1,2 @@
+help: Show detailed VPN debugging information
+run: sudo ipsec barf
diff --git a/templates/show/vpn/debug/node.def b/templates/show/vpn/debug/node.def
new file mode 100644
index 0000000..acda656
--- /dev/null
+++ b/templates/show/vpn/debug/node.def
@@ -0,0 +1,2 @@
+help: Show VPN debugging information
+run: sudo ipsec auto --status
diff --git a/templates/show/vpn/ike/node.def b/templates/show/vpn/ike/node.def
new file mode 100644
index 0000000..fd87ea3
--- /dev/null
+++ b/templates/show/vpn/ike/node.def
@@ -0,0 +1 @@
+help: Show Internet Key Exchange information
diff --git a/templates/show/vpn/ike/rsa-keys/node.def b/templates/show/vpn/ike/rsa-keys/node.def
new file mode 100644
index 0000000..c174c96
--- /dev/null
+++ b/templates/show/vpn/ike/rsa-keys/node.def
@@ -0,0 +1,2 @@
+help: Show VPN RSA keys
+run: sudo /opt/vyatta/sbin/show_vpn.pl rsa-keys
diff --git a/templates/show/vpn/ike/sa/nat-traversal/node.def b/templates/show/vpn/ike/sa/nat-traversal/node.def
new file mode 100644
index 0000000..69771e5
--- /dev/null
+++ b/templates/show/vpn/ike/sa/nat-traversal/node.def
@@ -0,0 +1,2 @@
+help: Show all currently active IKE Security Associations (SA) that are using NAT Traversal.
+run: sudo /opt/vyatta/sbin/command_proc_show_vpn show_vpn_ike_sa.xsl --pname nat --pval enabled
diff --git a/templates/show/vpn/ike/sa/node.def b/templates/show/vpn/ike/sa/node.def
new file mode 100644
index 0000000..c225651
--- /dev/null
+++ b/templates/show/vpn/ike/sa/node.def
@@ -0,0 +1,2 @@
+help: Show all currently active IKE Security Associations (SA).
+run: sudo /opt/vyatta/sbin/command_proc_show_vpn show_vpn_ike_sa.xsl
diff --git a/templates/show/vpn/ike/sa/peer/node.def b/templates/show/vpn/ike/sa/peer/node.def
new file mode 100644
index 0000000..5cf7da4
--- /dev/null
+++ b/templates/show/vpn/ike/sa/peer/node.def
@@ -0,0 +1 @@
+help: Show all currently active IKE Security Associations (SA) for a specific peer.
diff --git a/templates/show/vpn/ike/sa/peer/node.tag/node.def b/templates/show/vpn/ike/sa/peer/node.tag/node.def
new file mode 100644
index 0000000..86903bb
--- /dev/null
+++ b/templates/show/vpn/ike/sa/peer/node.tag/node.def
@@ -0,0 +1,2 @@
+help: Show all currently active IKE Security Associations (SA) for a specific peer.
+run: /opt/vyatta/sbin/command_proc_show_vpn show_vpn_ike_sa.xsl --pname peer --pval "$*"
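Review bot: This run line invokes command_proc_show_vpn without `sudo`, while the sibling `show vpn ike sa` templates at lines 333 and 341 run the same binary under `sudo`; if the binary needs privileges to query the IKE daemon, the per-peer form will fail or show nothing for an unprivileged operator. The same inconsistency appears in the ipsec templates at lines 394, 402, 417, 425, 433, 448, 456 and 464, none of which carry `sudo`. Which form is right depends on what command_proc_show_vpn needs, which is outside this commit, but the set should be made consistent one way or the other. `--pval "$*"` forwards whatever the operator typed at this tag position; the binary's handling of that value is not in this diff, so it should be confirmed to treat it strictly as data.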
diff --git a/templates/show/vpn/ike/secrets/node.def b/templates/show/vpn/ike/secrets/node.def
new file mode 100644
index 0000000..69a8001
--- /dev/null
+++ b/templates/show/vpn/ike/secrets/node.def
@@ -0,0 +1,2 @@
+help: Show all the pre-shared key secrets.
+run: sudo /opt/vyatta/sbin/show_vpn.pl secrets
diff --git a/templates/show/vpn/ike/status/node.def b/templates/show/vpn/ike/status/node.def
new file mode 100644
index 0000000..e557107
--- /dev/null
+++ b/templates/show/vpn/ike/status/node.def
@@ -0,0 +1,2 @@
+help: Show summary information about the IKE process.
+run: sudo /opt/vyatta/sbin/command_proc_show_vpn show_vpn_ike_status.xsl
diff --git a/templates/show/vpn/ipsec/node.def b/templates/show/vpn/ipsec/node.def
new file mode 100644
index 0000000..ec81428
--- /dev/null
+++ b/templates/show/vpn/ipsec/node.def
@@ -0,0 +1 @@
+help: Show Internet Protocol Security information
diff --git a/templates/show/vpn/ipsec/sa/detail/connection/node.def b/templates/show/vpn/ipsec/sa/detail/connection/node.def
new file mode 100644
index 0000000..e836df9
--- /dev/null
+++ b/templates/show/vpn/ipsec/sa/detail/connection/node.def
@@ -0,0 +1 @@
+help: Show details of all active IPsec Security Associations (SA) for a specific connection.
diff --git a/templates/show/vpn/ipsec/sa/detail/connection/node.tag/node.def b/templates/show/vpn/ipsec/sa/detail/connection/node.tag/node.def
new file mode 100644
index 0000000..27e972f
--- /dev/null
+++ b/templates/show/vpn/ipsec/sa/detail/connection/node.tag/node.def
@@ -0,0 +1,2 @@
+help: Show details of all active IPsec Security Associations (SA) for a specific connection.
+run: /opt/vyatta/sbin/command_proc_show_vpn show_vpn_ipsec_sa.xsl --pname detail --pval y --pname conn --pval "$*"
diff --git a/templates/show/vpn/ipsec/sa/detail/node.def b/templates/show/vpn/ipsec/sa/detail/node.def
new file mode 100644
index 0000000..348bf85
--- /dev/null
+++ b/templates/show/vpn/ipsec/sa/detail/node.def
@@ -0,0 +1,2 @@
+help: Show details of all active IPsec Security Associations (SA).
+run: /opt/vyatta/sbin/command_proc_show_vpn show_vpn_ipsec_sa.xsl --pname detail --pval y
diff --git a/templates/show/vpn/ipsec/sa/detail/peer/node.def b/templates/show/vpn/ipsec/sa/detail/peer/node.def
new file mode 100644
index 0000000..a52be6f
--- /dev/null
+++ b/templates/show/vpn/ipsec/sa/detail/peer/node.def
@@ -0,0 +1 @@
+help: Show details of all active IPsec Security Associations (SA) for a specific peer.
diff --git a/templates/show/vpn/ipsec/sa/detail/peer/node.tag/node.def b/templates/show/vpn/ipsec/sa/detail/peer/node.tag/node.def
new file mode 100644
index 0000000..f00644c
--- /dev/null
+++ b/templates/show/vpn/ipsec/sa/detail/peer/node.tag/node.def
@@ -0,0 +1,2 @@
+help: Show details of all active IPsec Security Associations (SA) for a specific peer.
+run: /opt/vyatta/sbin/command_proc_show_vpn show_vpn_ipsec_sa.xsl --pname detail --pval y --pname peer --pval "$*"
diff --git a/templates/show/vpn/ipsec/sa/nat-traversal/node.def b/templates/show/vpn/ipsec/sa/nat-traversal/node.def
new file mode 100644
index 0000000..d0f225a
--- /dev/null
+++ b/templates/show/vpn/ipsec/sa/nat-traversal/node.def
@@ -0,0 +1,2 @@
+help: Show all active IPsec Security Associations (SA) that are using NAT Traversal.
+run: /opt/vyatta/sbin/command_proc_show_vpn show_vpn_ipsec_sa.xsl --pname nat --pval enabled
diff --git a/templates/show/vpn/ipsec/sa/node.def b/templates/show/vpn/ipsec/sa/node.def
new file mode 100644
index 0000000..97174c3
--- /dev/null
+++ b/templates/show/vpn/ipsec/sa/node.def
@@ -0,0 +1,2 @@
+help: Show all active IPsec Security Associations (SA).
+run: /opt/vyatta/sbin/command_proc_show_vpn show_vpn_ipsec_sa.xsl
diff --git a/templates/show/vpn/ipsec/sa/peer/node.def b/templates/show/vpn/ipsec/sa/peer/node.def
new file mode 100644
index 0000000..0fdf249
--- /dev/null
+++ b/templates/show/vpn/ipsec/sa/peer/node.def
@@ -0,0 +1 @@
+help: Show all active IPsec Security Associations (SA) for a specific peer.
diff --git a/templates/show/vpn/ipsec/sa/peer/node.tag/node.def b/templates/show/vpn/ipsec/sa/peer/node.tag/node.def
new file mode 100644
index 0000000..c7cfd9a
--- /dev/null
+++ b/templates/show/vpn/ipsec/sa/peer/node.tag/node.def
@@ -0,0 +1,2 @@
+help: Show all active IPsec Security Associations (SA) for a specific peer.
+run: /opt/vyatta/sbin/command_proc_show_vpn show_vpn_ipsec_sa.xsl --pname peer --pval "$*"
diff --git a/templates/show/vpn/ipsec/sa/statistics/node.def b/templates/show/vpn/ipsec/sa/statistics/node.def
new file mode 100644
index 0000000..9fcfacf
--- /dev/null
+++ b/templates/show/vpn/ipsec/sa/statistics/node.def
@@ -0,0 +1,2 @@
+help: Show statistics on all active tunnels that have IPsec Security Associations (SA).
+run: /opt/vyatta/sbin/command_proc_show_vpn show_vpn_ipsec_sa_statistics.xsl
diff --git a/templates/show/vpn/ipsec/status/node.def b/templates/show/vpn/ipsec/status/node.def
new file mode 100644
index 0000000..b31537c
--- /dev/null
+++ b/templates/show/vpn/ipsec/status/node.def
@@ -0,0 +1,2 @@
+help: Show the status of the IPsec process.
+run: /opt/vyatta/sbin/command_proc_show_vpn show_vpn_ipsec_status.xsl
diff --git a/templates/vpn/node.def b/templates/vpn/node.def
new file mode 100644
index 0000000..2f206d8
--- /dev/null
+++ b/templates/vpn/node.def
@@ -0,0 +1 @@
+help: VPN utilities
diff --git a/templates/vpn/rsa-key/generate/bits/node.def b/templates/vpn/rsa-key/generate/bits/node.def
new file mode 100644
index 0000000..3e5e58a
--- /dev/null
+++ b/templates/vpn/rsa-key/generate/bits/node.def
@@ -0,0 +1 @@
+help: Generate local RSA key with number of bits [16-4096]
diff --git a/templates/vpn/rsa-key/generate/bits/node.tag/node.def b/templates/vpn/rsa-key/generate/bits/node.tag/node.def
new file mode 100644
index 0000000..cc0b054
--- /dev/null
+++ b/templates/vpn/rsa-key/generate/bits/node.tag/node.def
@@ -0,0 +1,2 @@
+help: Generate local RSA key with number of bits [16-4096]
+run: /opt/vyatta/sbin/gen_local_rsa_key.pl "$*" /dev/random
diff --git a/templates/vpn/rsa-key/generate/bits/node.tag/random/node.def b/templates/vpn/rsa-key/generate/bits/node.tag/random/node.def
new file mode 100644
index 0000000..d2a0a48
--- /dev/null
+++ b/templates/vpn/rsa-key/generate/bits/node.tag/random/node.def
@@ -0,0 +1 @@
+help: Generate local RSA key with number of bits and random device
diff --git a/templates/vpn/rsa-key/generate/bits/node.tag/random/node.tag/node.def b/templates/vpn/rsa-key/generate/bits/node.tag/random/node.tag/node.def
new file mode 100644
index 0000000..46406aa
--- /dev/null
+++ b/templates/vpn/rsa-key/generate/bits/node.tag/random/node.tag/node.def
@@ -0,0 +1,2 @@
+help: Generate local RSA key with number of bits and random device
+run: /opt/vyatta/sbin/gen_local_rsa_key.pl "$*" "$*"
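Review bot: Both positional arguments to gen_local_rsa_key.pl are `"$*"` here, so the script receives the same expansion for the bits count and for the random device; unless the template engine rewrites `$*` per tag level (not visible in this commit), the device slot can never hold a value different from the bits slot, and line 486 has the same shape with `/dev/random` fixed. If the engine offers a way to reference the two tag words separately, this line should name them individually rather than expanding the whole argument list twice. The script itself only checks the device with `-r` and validates bits with numeric comparisons before placing both in a shell command string, so whatever this slot delivers needs to be validated there as well.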
diff --git a/templates/vpn/rsa-key/generate/node.def b/templates/vpn/rsa-key/generate/node.def
new file mode 100644
index 0000000..329a0c2
--- /dev/null
+++ b/templates/vpn/rsa-key/generate/node.def
@@ -0,0 +1,2 @@
+help: Generate local RSA key with default bits=2192 device=/dev/random
+run: /opt/vyatta/sbin/gen_local_rsa_key.pl 2192 /dev/random
diff --git a/templates/vpn/rsa-key/node.def b/templates/vpn/rsa-key/node.def
new file mode 100644
index 0000000..45a50b7
--- /dev/null
+++ b/templates/vpn/rsa-key/node.def
@@ -0,0 +1 @@
+help: VPN RSA key utility