diff options
-rw-r--r-- | lib/OPMode.pm | 75 | ||||
-rw-r--r-- | templates/show/vpn/ipsec/sa/detail/node.def.in | 6 | ||||
-rw-r--r-- | templates/show/vpn/ipsec/sa/peer/node.def | 1 | ||||
-rw-r--r-- | templates/show/vpn/ipsec/sa/peer/node.tag/detail/node.def.in | 3 | ||||
-rw-r--r-- | templates/show/vpn/ipsec/sa/peer/node.tag/node.def.in | 3 | ||||
-rw-r--r-- | templates/show/vpn/ipsec/sa/stats/node.def.in | 3 | ||||
-rw-r--r-- | templates/show/vpn/ipsec/sa/stats/node.tag/node.def.in | 3 | ||||
-rw-r--r-- | templates/show/vpn/ipsec/sa/stats/node.tag/tunnel/node.def | 1 | ||||
-rw-r--r-- | templates/show/vpn/ipsec/sa/stats/node.tag/tunnel/node.tag/node.def.in | 10 | ||||
-rw-r--r-- | templates/show/vpn/ipsec/sa/verbose/node.def | 7 |
10 files changed, 95 insertions, 17 deletions
diff --git a/lib/OPMode.pm b/lib/OPMode.pm index e304b2f..0068e96 100644 --- a/lib/OPMode.pm +++ b/lib/OPMode.pm @@ -201,12 +201,10 @@ sub process_tunnels{ my @ipsecstatus = @{pop(@_)}; my %tunnel_hash = (); my %esp_hash = (); + my %lip_lookup = (); foreach my $line (@ipsecstatus) { - if (($line =~ /(peer-.*-tunnel-.*?):/)){ + if (($line =~ /(peer-.*-tunnel-.*?):/ && !($line =~ /[\[\{]/))){ my $connectid = $1; - if (($line =~ /(peer-.*-tunnel-.*?):(\[\d*\])/)){ - $connectid .= $2; - } $connectid =~ /peer-(.*)-tunnel-(.*)/; my $peer = $1; my $tunid = $2; @@ -234,6 +232,7 @@ sub process_tunnels{ _inspi => 'n/a', _outspi => 'n/a', _pfsgrp => 'n/a', + _ikever => 'n/a', _ikeencrypt => 'n/a', _ikehash => 'n/a', _natt => 'n/a', @@ -249,6 +248,35 @@ sub process_tunnels{ _lifetime => 'n/a', _expire => 'n/a' }; } + # Disgusting hack - rip not mentioned on any line on a second tunnel to a peer - so borrow it from the first one + if($tunid >1) + { + $tunnel_hash{$connectid}->{_lip} = conv_ip($lip_lookup{$peer}); + } + # A line like: 'peer-192.168.3.21-tunnel-1: %any...192.168.3.21 IKEv2' + if ($line =~ /\s+(.*?)\.\.\.(.*?) IKEv(.*?)/ ) + { + my $lip = $1; + my $rip = $2; + my $ikever = $3; + $tunnel_hash{$connectid}->{_lip} = conv_ip($lip); + $tunnel_hash{$connectid}->{_rip} = conv_ip($rip); + $tunnel_hash{$connectid}->{_ikever} = $ikever; + if($tunid == 1) + { + $lip_lookup{$peer} = conv_ip($lip); + } + } + # A line like: 'peer-192.168.3.21-tunnel-1: child: 192.168.1.0/24 === 192.168.0.0/24 TUNNEL' + elsif ($line =~ /child:\s+(.*?) === (.*?) TUNNEL/) + { + my $lsnet = $1; + my $rsnet = $2; + $tunnel_hash{$connectid}->{_lsnet} = $lsnet; + $tunnel_hash{$connectid}->{_rsnet} = $rsnet; + } + + # OLD CODE! $line =~ s/---.*\.\.\./.../g; # remove the next hop router for local-ip 0.0.0.0 case if ($line =~ /IKE.proposal:(.*?)\/(.*?)\/(.*)/){ $tunnel_hash{$connectid}->{_ikeencrypt} = $1; @@ -587,11 +615,16 @@ sub process_tunnels{ $tunnel_hash{$connectid}->{_ikelife} = $ikelife; $tunnel_hash{$connectid}->{_pfsgrp} = $pfs_group; - } elsif ($line =~ /\]:\s+IKE SPIs: .* (reauthentication|rekeying) (disabled|in .*)/) { - $tunnel_hash{$connectid}->{_ikeexpire} = conv_time($2); + } elsif ($line =~ /\]:\s+IKE.* SPIs: .* (reauthentication|rekeying) (disabled|in .*)/) { + my $ikever; + ($ikever) = $line =~ /IKEv(.*?) SPI/; + $tunnel_hash{$connectid}->{_ikever} = $ikever; + my $expiry_time; + (undef,$expiry_time) = $line =~ /(reauthentication|rekeying) (.*)/; + $tunnel_hash{$connectid}->{_ikeexpire} = conv_time($expiry_time); - my ($atime, $ike_lifetime, $ike_expire) = (-1, $tunnel_hash{$connectid}->{_ikelife}, $tunnel_hash{$connectid}->{_ikeexpire}); - $atime = $ike_lifetime - $ike_expire if (($ike_lifetime ne 'n/a') && ($ike_expire ne 'n/a')); + my $atime = $tunnel_hash{$connectid}->{_ikelife} - $tunnel_hash{$connectid}->{_ikeexpire}; +# $atime = $ike_lifetime - $ike_expire if (($ike_lifetime ne 'n/a') && ($ike_expire ne 'n/a')); $tunnel_hash{$connectid}->{_ikestate} = "up" if ($atime >= 0); @@ -862,14 +895,19 @@ sub show_ipsec_sa_natt my %tunnel_hash = get_tunnel_info(); my %tmphash = (); for my $peer ( keys %tunnel_hash ) { - if (${$tunnel_hash{$peer}>{_natt} == 1 ){ + if (${$tunnel_hash{$peer}}{_natt} == 1 ){ $tmphash{$peer} = \%{$tunnel_hash{$peer}}; } } display_ipsec_sa_brief(\%tmphash); } sub show_ike_status{ - my $process_id = `sudo cat /var/run/charon.pid`; + my $pidfile = '/var/run/charon.pid'; + if (! -e $pidfile) { + print "IKE process is not running\n"; + exit(1); + } + my $process_id = `sudo cat $pidfile`; chomp $process_id; print <<EOS; @@ -970,7 +1008,7 @@ sub display_ipsec_sa_brief my $vpncfg = new Vyatta::Config(); $vpncfg->setLevel('vpn ipsec site-to-site'); for my $connectid (keys %th){ - $peerid = conv_ip($th{$connectid}->{_rip}); + $peerid = conv_ip($th{$connectid}->{_peerid}); my $lip = conv_ip($th{$connectid}->{_lip}); my $tunnel = "$peerid-$lip"; my $peer_configured = conv_id_rev($th{$connectid}->{_peerid}); @@ -1027,6 +1065,7 @@ EOH my $atime = $life - $expire; $atime = 0 if ($atime == $life); printf " %-7s %-6s %-14s %-8s %-7s %-6s %-7s %-7s %-2s\n", + $tunnum, $state, $bytesp, $enc, $hash, $natt, $atime, $life, $proto; } @@ -1225,11 +1264,13 @@ sub display_ike_sa_brief { if (not exists $tunhash{$tunnel}) { $tunhash{$tunnel}={ _configpeer => conv_id_rev($th{$connectid}->{_peerid}), + _configpeer => conv_id_rev($th{$connectid}->{_peerid}), _tunnels => [] }; } my @tmp = ( $th{$connectid}->{_tunnelnum}, $th{$connectid}->{_ikestate}, + $th{$connectid}->{_ikever}, $th{$connectid}->{_newestike}, $th{$connectid}->{_ikeencrypt}, $th{$connectid}->{_ikehash}, @@ -1251,20 +1292,20 @@ EOH print "\n Description: $desc\n" if (defined($desc)); print <<EOH; - State Encrypt Hash D-H Grp NAT-T A-Time L-Time - ----- ------- ---- ------- ----- ------ ------ + State IKEVer Encrypt Hash D-H Group NAT-T A-Time L-Time + ----- ------ ------- ---- --------- ----- ------ ------ EOH for my $tunnel (tunSort(@{$tunhash{$connid}->{_tunnels}})){ - (my $tunnum, my $state, my $isakmpnum, my $enc, + (my $tunnum, my $state, my $ver, my $isakmpnum, my $enc, my $hash, my $dhgrp, my $natt, my $life, my $expire) = @{$tunnel}; $enc = conv_enc($enc); $hash = conv_hash($hash); $natt = conv_natt($natt); - $dhgrp = conv_dh_group($dhgrp); + $dhgrp = conv_dh_group($dhgrp)."(".$dhgrp.")"; my $atime = $life - $expire; $atime = 0 if ($atime == $life); - printf " %-6s %-8s %-7s %-8s %-6s %-7s %-7s\n", - $state, $enc, $hash, $dhgrp, $natt, $atime, $life; + printf " %-6s %-6s %-8s %-7s %-14s %-6s %-7s %-7s\n", + $state, "IKEv".$ver, $enc, $hash, $dhgrp, $natt, $atime, $life; } print "\n \n"; } diff --git a/templates/show/vpn/ipsec/sa/detail/node.def.in b/templates/show/vpn/ipsec/sa/detail/node.def.in new file mode 100644 index 0000000..3362e9b --- /dev/null +++ b/templates/show/vpn/ipsec/sa/detail/node.def.in @@ -0,0 +1,6 @@ +help: Show Detail on all active IPsec Security Associations (SA) +run: if pgrep charon >&/dev/null; then + @SUDOUSRDIR@/vyatta-op-vpn.pl --show-ipsec-sa + else + echo -e "IPSec Process NOT Running\n" + fi diff --git a/templates/show/vpn/ipsec/sa/peer/node.def b/templates/show/vpn/ipsec/sa/peer/node.def new file mode 100644 index 0000000..f77f46e --- /dev/null +++ b/templates/show/vpn/ipsec/sa/peer/node.def @@ -0,0 +1 @@ +help: Show all currently active IPSec Security Associations (SA) for a peer diff --git a/templates/show/vpn/ipsec/sa/peer/node.tag/detail/node.def.in b/templates/show/vpn/ipsec/sa/peer/node.tag/detail/node.def.in new file mode 100644 index 0000000..e05a3c4 --- /dev/null +++ b/templates/show/vpn/ipsec/sa/peer/node.tag/detail/node.def.in @@ -0,0 +1,3 @@ +help: Show detail on all currently active IPSec Security Associations (SA) for a peer +allowed: @SUDOUSRDIR@/vyatta-op-vpn.pl --get-peers-for-cli +run: sudo @SUDOUSRDIR@/vyatta-op-vpn.pl --show-ipsec-sa-peer-detail="$6" diff --git a/templates/show/vpn/ipsec/sa/peer/node.tag/node.def.in b/templates/show/vpn/ipsec/sa/peer/node.tag/node.def.in new file mode 100644 index 0000000..4b23f44 --- /dev/null +++ b/templates/show/vpn/ipsec/sa/peer/node.tag/node.def.in @@ -0,0 +1,3 @@ +help: Show all currently active IPSec Security Associations (SA) for a peer +allowed: @SUDOUSRDIR@/vyatta-op-vpn.pl --get-peers-for-cli +run: sudo @SUDOUSRDIR@/vyatta-op-vpn.pl --show-ipsec-sa-peer="$6" diff --git a/templates/show/vpn/ipsec/sa/stats/node.def.in b/templates/show/vpn/ipsec/sa/stats/node.def.in new file mode 100644 index 0000000..d1d6ad0 --- /dev/null +++ b/templates/show/vpn/ipsec/sa/stats/node.def.in @@ -0,0 +1,3 @@ +help: Show statistics for alll currently active IPSec Security Associations (SA) +run: @SUDOUSRDIR@/vyatta-op-vpn.pl --show-ipsec-sa-stats + diff --git a/templates/show/vpn/ipsec/sa/stats/node.tag/node.def.in b/templates/show/vpn/ipsec/sa/stats/node.tag/node.def.in new file mode 100644 index 0000000..9426469 --- /dev/null +++ b/templates/show/vpn/ipsec/sa/stats/node.tag/node.def.in @@ -0,0 +1,3 @@ +help: Show Statistics for SAs associated with a specific peer +allowed: @SUDOUSRDIR@/vyatta-op-vpn.pl --get-peers-for-cli +#run: sudo @SUDOUSRDIR@/vyatta-op-vpn.pl --show-ipsec-sa-peer="$6" diff --git a/templates/show/vpn/ipsec/sa/stats/node.tag/tunnel/node.def b/templates/show/vpn/ipsec/sa/stats/node.tag/tunnel/node.def new file mode 100644 index 0000000..0429324 --- /dev/null +++ b/templates/show/vpn/ipsec/sa/stats/node.tag/tunnel/node.def @@ -0,0 +1 @@ +help: Get Stats for a specific tunnel diff --git a/templates/show/vpn/ipsec/sa/stats/node.tag/tunnel/node.tag/node.def.in b/templates/show/vpn/ipsec/sa/stats/node.tag/tunnel/node.tag/node.def.in new file mode 100644 index 0000000..92a8572 --- /dev/null +++ b/templates/show/vpn/ipsec/sa/stats/node.tag/tunnel/node.tag/node.def.in @@ -0,0 +1,10 @@ +help: Reset a specific tunnel for given peer + +allowed: @SUDOUSRDIR@/vyatta-vpn-op.pl \ + --op=get-tunnels-for-peer \ + --peer="${COMP_WORDS[COMP_CWORD-2]}" + +run: @SUDOUSRDIR@/vyatta-op-vpn.pl \ + --op=show-ipsec-sa-stats-conn \ + --peer="$6" \ + --tunnel="$8" diff --git a/templates/show/vpn/ipsec/sa/verbose/node.def b/templates/show/vpn/ipsec/sa/verbose/node.def new file mode 100644 index 0000000..fac77a3 --- /dev/null +++ b/templates/show/vpn/ipsec/sa/verbose/node.def @@ -0,0 +1,7 @@ +help: Show Verbose Detail on all active IPsec Security Associations (SA) +run: if pgrep charon >&/dev/null; then + /opt/vyatta/bin/sudo-users/vyatta-op-vpn.pl --show-ipsec-sa-detail + else + echo -e "IPSec Process NOT Running\n" + fi + |