author | John Southworth <john.southworth@vyatta.com> | 2011-01-27 20:02:46 -0600 |
---|---|---|
committer | John Southworth <john.southworth@vyatta.com> | 2011-01-27 20:02:46 -0600 |
commit | 7c6c1a411173b0c05a8d1d25f19664c3ceda8326 (patch) | |
tree | 9e78157d015b13a0627b24d22593356dcf95fe91 /scripts/vyatta-op-vpn.pl | |
parent | 554f066d1208b75a907c8f481dc077473ae72c3c (diff) | |
Work on new IPsec operational mode script. setkey is deprecated, so NAT-T detection was switched to 'ip xfrm'.
Diffstat (limited to 'scripts/vyatta-op-vpn.pl')
-rwxr-xr-x | scripts/vyatta-op-vpn.pl | 43 |
1 files changed, 16 insertions, 27 deletions
diff --git a/scripts/vyatta-op-vpn.pl b/scripts/vyatta-op-vpn.pl
index d851ff6..10e2300 100755
--- a/scripts/vyatta-op-vpn.pl
+++ b/scripts/vyatta-op-vpn.pl
@@ -36,12 +36,6 @@ sub get_tunnel_info {
     while(<IPSECSTATUS>){
         push (@ipsecstatus, $_);
     }
-    my $cmd = "sudo setkey -D |";
-    open(SETKEY, $cmd);
-    my @setkey = [];
-    while(<SETKEY>){
-        push (@setkey, $_);
-    }
     my %tunnel_hash = ();
     foreach my $line (@ipsecstatus) {
         if (($line =~ /\"(peer-.*-tunnel-.*?)\"/)){
@@ -150,27 +144,22 @@ sub get_tunnel_info {
             $peerip = "0.0.0.0";
           }
-          # Detect if we are using NAT-T, and get the port numbers if we are
-          my $natsrc = undef;
-          my $natdst = undef;
-          foreach my $line (@setkey){
-            if ($line =~ /$tunnel_hash{$connectid}->{_leftip}\[(.*?)\].*?$peerip\[(.*?)\]/){
-              $natsrc = $1;
-              $natdst = $2;
-              next;
-            }
-            if ($line =~ /spi=.*?\((.*?)\)/){
-              if (hex($tunnel_hash{$connectid}->{_outspi}) eq hex($1)){
-                if (defined($natsrc)){
-                  $tunnel_hash{$connectid}->{_natt} = 1;
-                  $tunnel_hash{$connectid}->{_natsrc} = $natsrc;
-                  $tunnel_hash{$connectid}->{_natdst} = $natdst;
-                  last;
-                }
-              } else {
-                $natsrc = undef;
-                $natdst = undef;
-              }
+          # Detect NAT
+          my $cmd = "sudo ip xfrm state get "
+                   ."src $tunnel_hash{$connectid}->{_leftip} "
+                   ."dst $peerip "
+                   ."proto esp "
+                   ."spi 0x$tunnel_hash{$connectid}->{_outspi} |";
+          open(XFRM, $cmd);
+          my @xfrm = [];
+          while(<XFRM>){
+            push (@xfrm, $_);
+          }
+          for my $line (@xfrm){
+            if ($line =~ /type espinudp sport (.*?) dport (.*?) addr/){
+              $tunnel_hash{$connectid}->{_natt} = 1;
+              $tunnel_hash{$connectid}->{_natsrc} = $1;
+              $tunnel_hash{$connectid}->{_natdst} = $2;
             }
           }
         }
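Review bot: The new `open(XFRM, $cmd)` in the second hunk builds a `sudo ip xfrm state get ...` pipe command by string interpolation and runs it through the shell via 2-arg open, so `_leftip`, `$peerip` and `_outspi` (which appear to be parsed from the `ipsec status` text collected earlier in get_tunnel_info) are handed to `sh` unquoted and the open is never checked or closed; the old `setkey -D` code had a fixed command string, so this is a new exposure the commit introduces. Prefer list-form `open(my $fh, '-|', @cmd)` so no shell is involved and the arguments are passed verbatim, and check the result. Separately, `my @xfrm = [];` seeds the array with an empty array reference rather than leaving it empty (`my @xfrm;`), which makes the first iteration of the `for` loop match against the stringified reference; harmless today but it is a latent bug, and the same pattern (`my @setkey = [];`) is what the first hunk removes. The enclosing sub get_tunnel_info starts before the first hunk and its body continues past the closing braces at the end of the second hunk.
```perl
          # Detect NAT
          # List-form open: the address/SPI strings parsed from 'ipsec status'
          # are passed as argv entries, never reinterpreted by a shell.
          my @xfrm_cmd = ('sudo', 'ip', 'xfrm', 'state', 'get',
                          'src',   $tunnel_hash{$connectid}->{_leftip},
                          'dst',   $peerip,
                          'proto', 'esp',
                          'spi',   "0x$tunnel_hash{$connectid}->{_outspi}");
          open(my $xfrm_fh, '-|', @xfrm_cmd)
              or die "Cannot run '@xfrm_cmd': $!";
          my @xfrm = <$xfrm_fh>;
          close($xfrm_fh);
          # … unchanged: espinudp sport/dport match loop …
```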