summaryrefslogtreecommitdiff
path: root/scripts/vyatta-op-vpn.pl
diff options
context:
space:
mode:
authorJohn Southworth <john.southworth@vyatta.com>2011-01-27 20:02:46 -0600
committerJohn Southworth <john.southworth@vyatta.com>2011-01-27 20:02:46 -0600
commit7c6c1a411173b0c05a8d1d25f19664c3ceda8326 (patch)
tree9e78157d015b13a0627b24d22593356dcf95fe91 /scripts/vyatta-op-vpn.pl
parent554f066d1208b75a907c8f481dc077473ae72c3c (diff)
downloadvyatta-op-vpn-7c6c1a411173b0c05a8d1d25f19664c3ceda8326.tar.gz
vyatta-op-vpn-7c6c1a411173b0c05a8d1d25f19664c3ceda8326.zip
Work on new IPsec operational mode script. setkey is deprecated so switched NAT-T detection to 'ip xfrm'
Diffstat (limited to 'scripts/vyatta-op-vpn.pl')
-rwxr-xr-xscripts/vyatta-op-vpn.pl43
1 files changed, 16 insertions, 27 deletions
diff --git a/scripts/vyatta-op-vpn.pl b/scripts/vyatta-op-vpn.pl
index d851ff6..10e2300 100755
--- a/scripts/vyatta-op-vpn.pl
+++ b/scripts/vyatta-op-vpn.pl
@@ -36,12 +36,6 @@ sub get_tunnel_info {
while(<IPSECSTATUS>){
push (@ipsecstatus, $_);
}
- my $cmd = "sudo setkey -D |";
- open(SETKEY, $cmd);
- my @setkey = [];
- while(<SETKEY>){
- push (@setkey, $_);
- }
my %tunnel_hash = ();
foreach my $line (@ipsecstatus) {
if (($line =~ /\"(peer-.*-tunnel-.*?)\"/)){
@@ -150,27 +144,22 @@ sub get_tunnel_info {
$peerip = "0.0.0.0";
}
- # Detect if we are using NAT-T, and get the port numbers if we are
- my $natsrc = undef;
- my $natdst = undef;
- foreach my $line (@setkey){
- if ($line =~ /$tunnel_hash{$connectid}->{_leftip}\[(.*?)\].*?$peerip\[(.*?)\]/){
- $natsrc = $1;
- $natdst = $2;
- next;
- }
- if ($line =~ /spi=.*?\((.*?)\)/){
- if (hex($tunnel_hash{$connectid}->{_outspi}) eq hex($1)){
- if (defined($natsrc)){
- $tunnel_hash{$connectid}->{_natt} = 1;
- $tunnel_hash{$connectid}->{_natsrc} = $natsrc;
- $tunnel_hash{$connectid}->{_natdst} = $natdst;
- last;
- }
- } else {
- $natsrc = undef;
- $natdst = undef;
- }
+ # Detect NAT
+ my $cmd = "sudo ip xfrm state get "
+ ."src $tunnel_hash{$connectid}->{_leftip} "
+ ."dst $peerip "
+ ."proto esp "
+ ."spi 0x$tunnel_hash{$connectid}->{_outspi} |";
+ open(XFRM, $cmd);
+ my @xfrm = [];
+ while(<XFRM>){
+ push (@xfrm, $_);
+ }
+ for my $line (@xfrm){
+ if ($line =~ /type espinudp sport (.*?) dport (.*?) addr/){
+ $tunnel_hash{$connectid}->{_natt} = 1;
+ $tunnel_hash{$connectid}->{_natsrc} = $1;
+ $tunnel_hash{$connectid}->{_natdst} = $2;
}
}
}