59 files changed, 488 insertions, 130 deletions
@@ -1,4 +1,6 @@ *~ +m4/lt*.m4 +m4/libtool.m4 .*.swp *.[oa] *.l[oa] @@ -26,3 +28,25 @@ libtool /Makefile /command_proc_show_vpn +templates/generate/vpn/rsa-key/bits/node.tag/node.def +templates/generate/vpn/rsa-key/bits/node.tag/random/node.tag/node.def +templates/generate/vpn/rsa-key/node.def +templates/generate/vpn/x509/key-pair/node.tag/node.def +templates/reset/vpn/ipsec-peer/node.tag/node.def +templates/reset/vpn/ipsec-peer/node.tag/tunnel/node.tag/node.def +templates/reset/vpn/ipsec-peer/node.tag/vti/node.def +templates/reset/vpn/ipsec-profile/node.tag/node.def +templates/reset/vpn/ipsec-profile/node.tag/tunnel/node.tag/node.def +templates/restart/vpn/node.def +templates/show/vpn/debug/detail/node.def +templates/show/vpn/debug/node.def +templates/show/vpn/debug/peer/node.tag/node.def +templates/show/vpn/debug/peer/node.tag/tunnel/node.tag/node.def +templates/show/vpn/ike/rsa-keys/node.def +templates/show/vpn/ike/sa/nat-traversal/node.def +templates/show/vpn/ike/sa/node.def +templates/show/vpn/ike/sa/peer/node.tag/node.def +templates/show/vpn/ike/secrets/node.def +templates/show/vpn/ike/status/node.def +templates/show/vpn/ipsec/status/node.def +/scripts/vyatta-gen-x509-keypair diff --git a/Makefile.am b/Makefile.am index 1422d22..490b1f1 100644 --- a/Makefile.am +++ b/Makefile.am @@ -1,3 +1,5 @@ +ACLOCAL_AMFLAGS = -I m4 + opdir = $(datadir)/vyatta-op/templates bin_sudo_usersdir = $(bindir)/sudo-users 
@@ -19,11 +21,9 @@ cpiop = find . ! -regex '\(.*~\|.*\.bak\|.*\.swp\|.*\#.*\#\)' -print0 | \ cpio -0pd install-exec-hook: - mkdir -p $(DESTDIR)/opt/vyatta/etc/ - mkdir -p $(DESTDIR)/opt/vyatta/sbin/ - cp scripts/vyatta-gen-x509-keypair.sh $(DESTDIR)/opt/vyatta/sbin - cp scripts/key-pair.template $(DESTDIR)/opt/vyatta/etc - mkdir -p $(DESTDIR)$(opdir) + mkdir -p $(DESTDIR)${sysconfdir} $(DESTDIR)${sbindir} $(DESTDIR)$(opdir) + cp scripts/vyatta-gen-x509-keypair $(DESTDIR)${sbindir}/ + cp scripts/key-pair.template $(DESTDIR)${sysconfdir} cd templates; $(cpiop) $(DESTDIR)$(opdir) diff --git a/configure.ac b/configure.ac index 7901d66..530f4ae 100644 --- a/configure.ac +++ b/configure.ac @@ -1,6 +1,8 @@ # Process this file with autoconf to produce a configure script. AC_PREREQ(2.59) +m4_define([DEFAULT_PREFIX], [/opt/vyatta]) + m4_define([VERSION_ID], [m4_esyscmd([ if test -f .version ; then head -n 1 .version | tr -d \\n @@ -11,12 +13,19 @@ AC_INIT([vyatta-op-vpn], VERSION_ID, [maintainers@vyos.net]) test -n "$VYATTA_VERSION" || VYATTA_VERSION=$PACKAGE_VERSION +AC_CONFIG_MACRO_DIR([m4]) AC_CONFIG_AUX_DIR([config]) AM_INIT_AUTOMAKE([gnu no-dist-gzip dist-bzip2 subdir-objects]) -AC_PREFIX_DEFAULT([/opt/vyatta]) +AC_PREFIX_DEFAULT(DEFAULT_PREFIX) -XSLDIR=/opt/vyatta/share/xsl/ +if test "$prefix" = "NONE" ; then + XSLDIR="DEFAULT_PREFIX/share/xsl/" +else + XSLDIR="$prefix/share/xsl/" +fi +adl_RECURSIVE_EVAL([$bindir/sudo-users/],[SUDOUSRDIR]) +adl_RECURSIVE_EVAL([$sbindir/],[SBINDIR]) AC_PROG_CC AC_PROG_CXX 
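Review bot: The two `cp` lines in install-exec-hook copy the configure-generated script and the template with whatever mode the source files happen to have, so the installed mode of `vyatta-gen-x509-keypair` depends on what config.status produced rather than on the Makefile. Automake provides mode-explicit helpers for exactly this: `$(INSTALL_SCRIPT) scripts/vyatta-gen-x509-keypair $(DESTDIR)$(sbindir)/` and `$(INSTALL_DATA) scripts/key-pair.template $(DESTDIR)$(sysconfdir)/`, which also keeps one `$(...)` reference style on the line instead of mixing `${sbindir}` with `$(opdir)`. The retained `cd templates; $(cpiop) ...` line chains with `;`, so if `cd` fails the cpio runs from the top directory; that predates the commit but sits in the recipe being rewritten, and `cd templates && $(cpiop) ...` costs nothing.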
@@ -26,17 +35,46 @@ AC_PROG_LIBTOOL AC_PROG_LEX AC_PROG_YACC - AC_ARG_ENABLE([nostrip], AC_HELP_STRING([--enable-nostrip], [include -nostrip option during packaging]), [NOSTRIP=-nostrip], [NOSTRIP=]) -AC_CONFIG_FILES( - [Makefile]) - AC_SUBST(NOSTRIP) AC_SUBST(XSLDIR) +AC_SUBST(SUDOUSRDIR) +AC_SUBST(SBINDIR) + +AC_OUTPUT([ + Makefile + scripts/vyatta-gen-x509-keypair + templates/restart/vpn/node.def + templates/generate/vpn/x509/key-pair/node.tag/node.def + templates/generate/vpn/rsa-key/node.def + templates/generate/vpn/rsa-key/bits/node.tag/node.def + templates/show/vpn/ipsec/status/node.def + templates/show/vpn/debug/node.def + templates/show/vpn/debug/detail/node.def + templates/show/vpn/debug/peer/node.tag/node.def + templates/show/vpn/debug/peer/node.tag/tunnel/node.tag/node.def + templates/show/vpn/ike/secrets/node.def + templates/show/vpn/ike/status/node.def + templates/show/vpn/ike/sa/node.def + templates/show/vpn/ike/sa/nat-traversal/node.def + templates/show/vpn/ike/sa/peer/node.tag/node.def + templates/show/vpn/ike/rsa-keys/node.def + templates/reset/vpn/ipsec-profile/node.tag/node.def + templates/reset/vpn/ipsec-profile/node.tag/tunnel/node.tag/node.def + templates/reset/vpn/ipsec-peer/node.tag/node.def + templates/reset/vpn/ipsec-peer/node.tag/vti/node.def + templates/reset/vpn/ipsec-peer/node.tag/tunnel/node.tag/node.def +]) -AC_OUTPUT +echo "prefix: ${prefix}" +echo "sbindir: ${sbindir}" +echo "sysconfdir: ${sysconfdir}" +echo "datarootdir: ${datarootdir}" +echo "XSLDIR: ${XSLDIR}" +echo "SBINDIR: ${SBINDIR}" +echo "SUDOUSRDIR: ${SUDOUSRDIR}" diff --git a/debian/autogen.sh b/debian/autogen.sh index e8c94af..70ecdeb 100755 --- a/debian/autogen.sh +++ b/debian/autogen.sh @@ -4,6 +4,7 @@ rm -rf config rm -f aclocal.m4 config.guess config.statusconfig.sub configure INSTALL +mkdir -p autoreconf --force --install rm -f config.sub config.guess diff --git a/debian/changelog b/debian/changelog index d8a41b8..13bbddd 100644 --- a/debian/changelog 
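Review bot: `scripts/vyatta-gen-x509-keypair` is now produced by config.status from the `.in` template, but nothing in the AC_OUTPUT list marks the result executable, and Makefile.am then installs it with plain `cp`; whether the installed command runs therefore depends on the Autoconf release carrying the template's mode over. The portable idiom is `AC_CONFIG_FILES([scripts/vyatta-gen-x509-keypair], [chmod +x scripts/vyatta-gen-x509-keypair])`, with the remaining files in a plain `AC_CONFIG_FILES([...])` and a bare `AC_OUTPUT` at the end (the argument form of AC_OUTPUT is the obsolete spelling). The seven trailing `echo` lines write to configure's stdout unconditionally; `AC_MSG_NOTICE([sbindir: ${sbindir}])` and friends give the same diagnostics in the standard format and respect `--quiet`.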
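Review bot: The added `mkdir -p` line in debian/autogen.sh has no operand as rendered here, so the script would stop with "missing operand" before reaching `autoreconf`. Given `AC_CONFIG_MACRO_DIR([m4])` and `ACLOCAL_AMFLAGS = -I m4` added in the same commit, the intended line is presumably `mkdir -p m4`; if the operand was lost in rendering, ignore this.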
+++ b/debian/changelog @@ -1,3 +1,38 @@ +vyatta-op-vpn (0.15.0+vyos2+current2+nmu1) UNRELEASED; urgency=low + + * Non-maintainer upload. + * address lintian issues + - script-not-executable: removed #!/usr/bin/perl from .pm files + - debhelper-but-no-misc-depends: added ${misc:Depends} to Depends: field + - debian-rules-missing-recommended-target: added build-arch build-indep + - out-of-date-standards-version: updated standards version to 3.9.4 + - package-contains-linda-override: removed linda override + - file-in-unusual-dir: not triggering, removed from override + - script-with-language-extension: renamed vyatta-gen-x509-keypair.sh + vyatta-gen-x509-keypair + * address dpkg-gencontrol issue: + - unknown substitution variable ${shlibs:Depends} - removed + * address dpkg-source issue: + - debian/source/format set to "3.0 (native)" + * removed all references to /opt/vyatta but one from source + + -- C.J. Collier <cjcollier@linuxfoundation.org> Wed, 11 May 2016 02:33:38 +0000 + +vyatta-op-vpn (0.15.0+vyos2+current2) unstable; urgency=low + + * Remove vyatta-ipsec dependency for migration to upstream strongswan. + + -- Daniil Baturin <daniil@baturin.org> Mon, 25 Jan 2016 14:23:46 +0100 + +vyatta-op-vpn (0.15.0+vyos2+current1) unstable; urgency=medium + + [ Thomas Jepp ] + * Fix build depends. + + [ Kim Hagen ] + + -- Kim Hagen <kim.sidney@gmail.com> Sun, 24 Jan 2016 15:22:51 -0500 + vyatta-op-vpn (0.15.0+vyos2+lithium8) unstable; urgency=low * vyatta-op-vpn: update dh_gencontrol with new development build flag diff --git a/debian/conffiles b/debian/conffiles new file mode 100644 index 0000000..8b13789 --- /dev/null +++ b/debian/conffiles @@ -0,0 +1 @@ + diff --git a/debian/control b/debian/control index 57dcaeb..c3f2ec0 100644 --- a/debian/control +++ b/debian/control 
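Review bot: The new debian/conffiles consists of a single empty line and so registers nothing; dh_installdeb only auto-lists files under /etc, which means `key-pair.template`, now installed under `${sysconfdir}` by install-exec-hook, is not protected as a conffile by this file. Either list the installed path explicitly (with the default prefix that would be `/opt/vyatta/etc/key-pair.template`) or drop the file, since a whitespace-only entry is at best ignored and may be rejected by dpkg.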
@@ -2,20 +2,20 @@ Source: vyatta-op-vpn Section: contrib/net Priority: extra Maintainer: VyOS Package Maintainers <maintainers@vyos.net> -Build-Depends: debhelper (>= 5), autotools-dev -Standards-Version: 3.7.2 +Build-Depends: debhelper (>= 5), autotools-dev, automake, autoconf, cpio, libtool +Standards-Version: 3.9.4 Package: vyatta-op-vpn Architecture: all Depends: vyatta-op, vyatta-bash | bash (>= 3.1), vyatta-cfg-vpn, - vyatta-ipsec, - ${shlibs:Depends} + strongswan (>= 5.2), + ${misc:Depends} Suggests: util-linux (>= 2.13-5), net-tools, ethtool, ncurses-bin (>= 5.5-5), ntpdate -Description: VyOS operational commands for VPN - VyOS commands to operate openswan VPN. +Description: VyOS operational commands for IPsec VPN + VyOS commands for IPsec VPN operations. diff --git a/debian/linda b/debian/linda deleted file mode 100644 index 0381d9d..0000000 --- a/debian/linda +++ /dev/null @@ -1 +0,0 @@ -Tag: file-in-opt diff --git a/debian/lintian b/debian/lintian index a5d78e0..7a94f59 100644 --- a/debian/lintian +++ b/debian/lintian @@ -1,2 +1,2 @@ -vyatta-op-vpn: file-in-unusual-dir -vyatta-op-vpn: dir-or-file-in-opt +# It's a hassle to move it out of /opt. I'll get to it later +#vyatta-op-vpn binary: dir-or-file-in-opt diff --git a/debian/rules b/debian/rules index 4b68fde..9231584 100755 --- a/debian/rules +++ b/debian/rules @@ -22,7 +22,6 @@ CFLAGS = -Wall -g configure = ./configure configure += --host=$(DEB_HOST_GNU_TYPE) configure += --build=$(DEB_BUILD_GNU_TYPE) -configure += --prefix=/opt/vyatta configure += --mandir=\$${prefix}/share/man configure += --infodir=\$${prefix}/share/info configure += CFLAGS="$(CFLAGS)" @@ -43,9 +42,10 @@ config.status: configure rm -f config.cache $(configure) -build: build-stamp - -build-stamp: config.status +build: build-arch build-indep +build-arch: build-stamp +build-indep: build-stamp +build-stamp: config.status dh_testdir $(MAKE) touch $@ 
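Review bot: `build-arch` and `build-indep` are introduced as targets in debian/rules, but nothing in the hunk adds them to the file's `.PHONY` list (outside the hunk, if present); a stray file named `build-arch` or `build-indep` in the source tree would then make that half of `build` a silent no-op. Extend the existing declaration to match, e.g. `.PHONY: build build-arch build-indep clean binary-indep binary-arch binary install`, keeping whatever names the file already lists.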
@@ -68,13 +68,12 @@ clean-patched: install: build dh_testdir dh_testroot - dh_clean -k + dh_prep dh_installdirs $(MAKE) DESTDIR=$(PKGDIR) install install -D --mode=0644 debian/lintian $(PKGDIR)/usr/share/lintian/overrides/$(PACKAGE) - install -D --mode=0644 debian/linda $(PKGDIR)/usr/share/linda/overrides/$(PACKAGE) # Build architecture-independent files here. binary-indep: build install diff --git a/debian/source/format b/debian/source/format new file mode 100644 index 0000000..9f67427 --- /dev/null +++ b/debian/source/format @@ -0,0 +1 @@ +3.0 (native)
\ No newline at end of file diff --git a/lib/OPMode.pm b/lib/OPMode.pm index 5a17836..38bea1c 100644 --- a/lib/OPMode.pm +++ b/lib/OPMode.pm @@ -1,4 +1,3 @@ -#!/usr/bin/perl # # Module Vyatta::VPN::OpMode.pm # @@ -202,12 +201,10 @@ sub process_tunnels{ my @ipsecstatus = @{pop(@_)}; my %tunnel_hash = (); my %esp_hash = (); + my %lip_lookup = (); foreach my $line (@ipsecstatus) { - if (($line =~ /\"(peer-.*-tunnel-.*?)\"/)){ + if (($line =~ /(peer-.*-tunnel-.*?):/ && !($line =~ /[\[\{]/))){ my $connectid = $1; - if (($line =~ /\"(peer-.*-tunnel-.*?)\"(\[\d*\])/)){ - $connectid .= $2; - } $connectid =~ /peer-(.*)-tunnel-(.*)/; my $peer = $1; my $tunid = $2; @@ -235,6 +232,7 @@ sub process_tunnels{ _inspi => 'n/a', _outspi => 'n/a', _pfsgrp => 'n/a', + _ikever => 'n/a', _ikeencrypt => 'n/a', _ikehash => 'n/a', _natt => 'n/a', 
@@ -250,6 +248,35 @@ sub process_tunnels{ _lifetime => 'n/a', _expire => 'n/a' }; } + # Disgusting hack - rip not mentioned on any line on a second tunnel to a peer - so borrow it from the first one + if($tunid >1) + { + $tunnel_hash{$connectid}->{_lip} = conv_ip($lip_lookup{$peer}); + } + # A line like: 'peer-192.168.3.21-tunnel-1: %any...192.168.3.21 IKEv2' + if ($line =~ /\s+(.*?)\.\.\.(.*?) IKEv(.*?)/ ) + { + my $lip = $1; + my $rip = $2; + my $ikever = $3; + $tunnel_hash{$connectid}->{_lip} = conv_ip($lip); + $tunnel_hash{$connectid}->{_rip} = conv_ip($rip); + $tunnel_hash{$connectid}->{_ikever} = $ikever; + if($tunid == 1) + { + $lip_lookup{$peer} = conv_ip($lip); + } + } + # A line like: 'peer-192.168.3.21-tunnel-1: child: 192.168.1.0/24 === 192.168.0.0/24 TUNNEL' + elsif ($line =~ /child:\s+(.*?) === (.*?) TUNNEL/) + { + my $lsnet = $1; + my $rsnet = $2; + $tunnel_hash{$connectid}->{_lsnet} = $lsnet; + $tunnel_hash{$connectid}->{_rsnet} = $rsnet; + } + + # OLD CODE! $line =~ s/---.*\.\.\./.../g; # remove the next hop router for local-ip 0.0.0.0 case if ($line =~ /IKE.proposal:(.*?)\/(.*?)\/(.*)/){ $tunnel_hash{$connectid}->{_ikeencrypt} = $1; 
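Review bot: In the new status-line regex the final `IKEv(.*?)` is a lazy group followed by nothing, so it always matches the empty string and `_ikever` is set to '' instead of the version digits; `if ($line =~ /\s+(.*?)\.\.\.(.*?) IKEv(\d+)/)` captures what the comment above it describes. The `$tunid > 1` branch reads `$lip_lookup{$peer}` with no guard, so for a peer whose tunnels are not numbered from 1, or whose tunnel-1 line has not been seen yet, `conv_ip` is called on undef; `if ($tunid > 1 && exists $lip_lookup{$peer})` limits the borrowed value to cases where one exists. The `# OLD CODE!` marker placed above the retained proposal parsing reads as if that block were dead while it still runs on every line; either remove it or say what is old about it. process_tunnels continues outside the hunk.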
@@ -588,14 +615,21 @@ sub process_tunnels{ $tunnel_hash{$connectid}->{_ikelife} = $ikelife; $tunnel_hash{$connectid}->{_pfsgrp} = $pfs_group; - } elsif ($line =~ /\]:\s+IKE SPIs: .* (reauthentication|rekeying) (disabled|in .*)/) { - $tunnel_hash{$connectid}->{_ikeexpire} = conv_time($2); + } elsif ($line =~ /\]:\s+IKE.* SPIs:/) { + my $ikever; + ($ikever) = $line =~ /IKEv(.*?) SPI/; + $tunnel_hash{$connectid}->{_ikever} = $ikever; + my $expiry_time; + if($line =~ /(reauthentication|rekeying)/) + {(undef,$expiry_time) = $line =~ /(reauthentication|rekeying) (.*)/; + $tunnel_hash{$connectid}->{_ikeexpire} = conv_time($expiry_time); + - my ($atime, $ike_lifetime, $ike_expire) = (-1, $tunnel_hash{$connectid}->{_ikelife}, $tunnel_hash{$connectid}->{_ikeexpire}); - $atime = $ike_lifetime - $ike_expire if (($ike_lifetime ne 'n/a') && ($ike_expire ne 'n/a')); + my $atime = $tunnel_hash{$connectid}->{_ikelife} - $tunnel_hash{$connectid}->{_ikeexpire}; +# $atime = $ike_lifetime - $ike_expire if (($ike_lifetime ne 'n/a') && ($ike_expire ne 'n/a')); $tunnel_hash{$connectid}->{_ikestate} = "up" if ($atime >= 0); - + } } elsif ($line =~ /\]:\s+IKE.proposal:(.*?)\/(.*?)\/(.*?)\/(.*)/) { $tunnel_hash{$connectid}->{_ikeencrypt} = $1; $tunnel_hash{$connectid}->{_ikehash} = $2; @@ -695,6 +729,7 @@ sub get_conns while(<$IPSECCONF>){ push (@ipsecconf, $_); } + close($IPSECCONF); my %th = (); for my $line (@ipsecconf){ next if ($line =~/^\#/); @@ -837,8 +872,8 @@ sub get_connection_status (my $peerid, my $tun) = @_; my %th = get_tunnel_info_peer($peerid); for my $peer ( keys %th ) { - if (%{$th{$peer}}->{_tunnelnum} eq $tun){ - return %{$th{$peer}}->{_state}; + if (${$th{$peer}}{_tunnelnum} eq $tun){ + return ${$th{$peer}}{_state}; } } } 
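Review bot: The rewritten `$atime` computation drops the `ne 'n/a'` guard and leaves the old guarded statement behind as a commented-out line; the guard the old code carried indicates `_ikelife` can still hold the 'n/a' placeholder when no lifetime line has been parsed, in which case the subtraction numifies it to 0 (warning under `use warnings`) and the `"up"` decision is made on a meaningless value. Keep the guard and delete the dead line: `if ($tunnel_hash{$connectid}->{_ikelife} ne 'n/a') { my $atime = $tunnel_hash{$connectid}->{_ikelife} - $tunnel_hash{$connectid}->{_ikeexpire}; $tunnel_hash{$connectid}->{_ikestate} = "up" if ($atime >= 0); }`. The block opener fused onto `{(undef,$expiry_time) = ...` hides the structure of the new `if`; put that statement on its own line under the brace.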
@@ -847,10 +882,10 @@ sub get_peer_ike_status my ($peerid) = @_; my %th = get_tunnel_info_peer($peerid); for my $peer ( keys %th ) { - if (%{$th{$peer}}->{_ikestate} eq 'up'){ + if (${$th{$peer}}{_ikestate} eq 'up'){ return 'up'; } - if (%{$th{$peer}}->{_ikestate} eq 'init'){ + if (${$th{$peer}}{_ikestate} eq 'init'){ return 'init'; } } @@ -862,14 +897,19 @@ sub show_ipsec_sa_natt my %tunnel_hash = get_tunnel_info(); my %tmphash = (); for my $peer ( keys %tunnel_hash ) { - if (%{$tunnel_hash{$peer}}->{_natt} == 1 ){ + if (${$tunnel_hash{$peer}}{_natt} == 1 ){ $tmphash{$peer} = \%{$tunnel_hash{$peer}}; } } display_ipsec_sa_brief(\%tmphash); } sub show_ike_status{ - my $process_id = `sudo cat /var/run/charon.pid`; + my $pidfile = '/var/run/charon.pid'; + if (! -e $pidfile) { + print "IKE process is not running\n"; + exit(1); + } + my $process_id = `sudo cat $pidfile`; chomp $process_id; print <<EOS; @@ -905,7 +945,7 @@ sub show_ike_sa_natt my %tunnel_hash = get_tunnel_info(); my %tmphash = (); for my $peer ( keys %tunnel_hash ) { - if (%{$tunnel_hash{$peer}}->{_natt} == 1 ){ + if (${$tunnel_hash{$peer}}{_natt} == 1 ){ $tmphash{$peer} = \%{$tunnel_hash{$peer}}; } } @@ -970,7 +1010,7 @@ sub display_ipsec_sa_brief my $vpncfg = new Vyatta::Config(); $vpncfg->setLevel('vpn ipsec site-to-site'); for my $connectid (keys %th){ - $peerid = conv_ip($th{$connectid}->{_rip}); + $peerid = conv_ip($th{$connectid}->{_peerid}); my $lip = conv_ip($th{$connectid}->{_lip}); my $tunnel = "$peerid-$lip"; my $peer_configured = conv_id_rev($th{$connectid}->{_peerid}); @@ -1027,6 +1067,7 @@ EOH my $atime = $life - $expire; $atime = 0 if ($atime == $life); printf " %-7s %-6s %-14s %-8s %-7s %-6s %-7s %-7s %-2s\n", + $tunnum, $state, $bytesp, $enc, $hash, $natt, $atime, $life, $proto; } 
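Review bot: `show_ike_status` lives in a library module, and the new pid-file check terminates the whole process with `exit(1)`, which takes control away from any caller that imported Vyatta::VPN::OPMode and wanted to print more or clean up; `print STDERR "IKE process is not running\n"; return;` (or a `die` the caller can trap) keeps the module composable and puts the message where an operator's tooling expects it. The value read back through `sudo cat $pidfile` is used after `chomp` with no check, and presumably lands in the heredoc that follows outside the hunk; `($process_id) = $process_id =~ /^(\d+)$/;` guards against echoing a truncated or corrupted file.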
@@ -1221,15 +1262,17 @@ sub display_ike_sa_brief { my $lip = $th{$connectid}->{_lip}; $peerid = $th{$connectid}->{_rip}; my $tunnel = "$peerid-$lip"; - next if ($th{$connectid}->{_ikestate} eq 'down'); + #next if ($th{$connectid}->{_ikestate} eq 'down'); if (not exists $tunhash{$tunnel}) { $tunhash{$tunnel}={ _configpeer => conv_id_rev($th{$connectid}->{_peerid}), + _configpeer => conv_id_rev($th{$connectid}->{_peerid}), _tunnels => [] }; } my @tmp = ( $th{$connectid}->{_tunnelnum}, $th{$connectid}->{_ikestate}, + $th{$connectid}->{_ikever}, $th{$connectid}->{_newestike}, $th{$connectid}->{_ikeencrypt}, $th{$connectid}->{_ikehash}, @@ -1251,20 +1294,22 @@ EOH print "\n Description: $desc\n" if (defined($desc)); print <<EOH; - State Encrypt Hash D-H Grp NAT-T A-Time L-Time - ----- ------- ---- ------- ----- ------ ------ + State IKEVer Encrypt Hash D-H Group NAT-T A-Time L-Time + ----- ------ ------- ---- --------- ----- ------ ------ EOH for my $tunnel (tunSort(@{$tunhash{$connid}->{_tunnels}})){ - (my $tunnum, my $state, my $isakmpnum, my $enc, + (my $tunnum, my $state, my $ver, my $isakmpnum, my $enc, my $hash, my $dhgrp, my $natt, my $life, my $expire) = @{$tunnel}; $enc = conv_enc($enc); $hash = conv_hash($hash); $natt = conv_natt($natt); - $dhgrp = conv_dh_group($dhgrp); + $dhgrp = conv_dh_group($dhgrp)."(".$dhgrp.")"; my $atime = $life - $expire; $atime = 0 if ($atime == $life); - printf " %-6s %-8s %-7s %-8s %-6s %-7s %-7s\n", - $state, $enc, $hash, $dhgrp, $natt, $atime, $life; + my $ike_out = "N/A"; + $ike_out = "IKEv".$ver if( $ver > 0 ); + printf " %-6s %-6s %-8s %-7s %-14s %-6s %-7s %-7s\n", + $state, $ike_out, $enc, $hash, $dhgrp, $natt, $atime, $life; } print "\n \n"; } diff --git a/lib/vpnprof/OPMode.pm b/lib/vpnprof/OPMode.pm index 99c6268..05e1f00 100644 --- a/lib/vpnprof/OPMode.pm +++ b/lib/vpnprof/OPMode.pm @@ -1,4 +1,3 @@ -#!/usr/bin/perl # # Module Vyatta::vpnprof::OpMode.pm # 
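Review bot: The hash literal in display_ike_sa_brief now contains `_configpeer => conv_id_rev(...)` twice, once as a context line and once added; the second silently overwrites the first and looks like a merge artefact, so the added duplicate should go. In the same sub, `$ike_out = "IKEv".$ver if( $ver > 0 );` compares numerically, but `_ikever` is initialised to 'n/a' and on the status-line path can arrive as the empty string, both of which warn under `use warnings`; `$ike_out = "IKEv$ver" if (defined $ver && $ver =~ /^\d+$/);` states the intent without numeric coercion. The commented-out `#next if (... eq 'down')` should either be removed or replaced by a one-line comment saying that down tunnels are now listed on purpose.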
diff --git a/m4/relpaths.m4 b/m4/relpaths.m4
new file mode 100644
index 0000000..15f24b3
--- /dev/null
+++ b/m4/relpaths.m4
@@ -0,0 +1,155 @@
+dnl @synopsis adl_COMPUTE_RELATIVE_PATHS(PATH_LIST)
+dnl
+dnl PATH_LIST is a space-separated list of colon-separated triplets of
+dnl the form 'FROM:TO:RESULT'. This function iterates over these
+dnl triplets and set $RESULT to the relative path from $FROM to $TO.
+dnl Note that $FROM and $TO needs to be absolute filenames for this
+dnl macro to success.
+dnl
+dnl For instance,
+dnl
+dnl first=/usr/local/bin
+dnl second=/usr/local/share
+dnl adl_COMPUTE_RELATIVE_PATHS([first:second:fs second:first:sf])
+dnl # $fs is set to ../share
+dnl # $sf is set to ../bin
+dnl
+dnl $FROM and $TO are both eval'ed recursively and normalized, this
+dnl means that you can call this macro with autoconf's dirnames like
+dnl `prefix' or `datadir'. For example:
+dnl
+dnl adl_COMPUTE_RELATIVE_PATHS([bindir:datadir:bin_to_data])
+dnl
+dnl adl_COMPUTE_RELATIVE_PATHS should also works with DOS filenames.
+dnl
+dnl You may want to use this macro in order to make your package
+dnl relocatable. Instead of hardcoding $datadir into your programs just
+dnl encode $bin_to_data and try to determine $bindir at run-time.
+dnl
+dnl This macro requires adl_NORMALIZE_PATH.
+dnl +dnl @category Misc +dnl @author Alexandre Duret-Lutz <duret_g@epita.fr> +dnl @version 2001-05-25 +dnl @license GPLWithACException + +AC_DEFUN([adl_COMPUTE_RELATIVE_PATHS], +[for _lcl_i in $1; do + _lcl_from=\[$]`echo "[$]_lcl_i" | sed 's,:.*$,,'` + _lcl_to=\[$]`echo "[$]_lcl_i" | sed 's,^[[^:]]*:,,' | sed 's,:[[^:]]*$,,'` + _lcl_result_var=`echo "[$]_lcl_i" | sed 's,^.*:,,'` + adl_RECURSIVE_EVAL([[$]_lcl_from], [_lcl_from]) + adl_RECURSIVE_EVAL([[$]_lcl_to], [_lcl_to]) + _lcl_notation="$_lcl_from$_lcl_to" + adl_NORMALIZE_PATH([_lcl_from],['/']) + adl_NORMALIZE_PATH([_lcl_to],['/']) + adl_COMPUTE_RELATIVE_PATH([_lcl_from], [_lcl_to], [_lcl_result_tmp]) + adl_NORMALIZE_PATH([_lcl_result_tmp],["[$]_lcl_notation"]) + eval $_lcl_result_var='[$]_lcl_result_tmp' +done]) + +## Note: +## ***** +## The following helper macros are too fragile to be used out +## of adl_COMPUTE_RELATIVE_PATHS (mainly because they assume that +## paths are normalized), that's why I'm keeping them in the same file. +## Still, some of them maybe worth to reuse. + +dnl adl_COMPUTE_RELATIVE_PATH(FROM, TO, RESULT) +dnl =========================================== +dnl Compute the relative path to go from $FROM to $TO and set the value +dnl of $RESULT to that value. This function work on raw filenames +dnl (for instead it will considerate /usr//local and /usr/local as +dnl two distinct paths), you should really use adl_COMPUTE_REALTIVE_PATHS +dnl instead to have the paths sanitized automatically. +dnl +dnl For instance: +dnl first_dir=/somewhere/on/my/disk/bin +dnl second_dir=/somewhere/on/another/disk/share +dnl adl_COMPUTE_RELATIVE_PATH(first_dir, second_dir, first_to_second) +dnl will set $first_to_second to '../../../another/disk/share'. 
+AC_DEFUN([adl_COMPUTE_RELATIVE_PATH], +[adl_COMPUTE_COMMON_PATH([$1], [$2], [_lcl_common_prefix]) +adl_COMPUTE_BACK_PATH([$1], [_lcl_common_prefix], [_lcl_first_rel]) +adl_COMPUTE_SUFFIX_PATH([$2], [_lcl_common_prefix], [_lcl_second_suffix]) +$3="[$]_lcl_first_rel[$]_lcl_second_suffix"]) + +dnl adl_COMPUTE_COMMON_PATH(LEFT, RIGHT, RESULT) +dnl ============================================ +dnl Compute the common path to $LEFT and $RIGHT and set the result to $RESULT. +dnl +dnl For instance: +dnl first_path=/somewhere/on/my/disk/bin +dnl second_path=/somewhere/on/another/disk/share +dnl adl_COMPUTE_COMMON_PATH(first_path, second_path, common_path) +dnl will set $common_path to '/somewhere/on'. +AC_DEFUN([adl_COMPUTE_COMMON_PATH], +[$3='' +_lcl_second_prefix_match='' +while test "[$]_lcl_second_prefix_match" != 0; do + _lcl_first_prefix=`expr "x[$]$1" : "x\([$]$3/*[[^/]]*\)"` + _lcl_second_prefix_match=`expr "x[$]$2" : "x[$]_lcl_first_prefix"` + if test "[$]_lcl_second_prefix_match" != 0; then + if test "[$]_lcl_first_prefix" != "[$]$3"; then + $3="[$]_lcl_first_prefix" + else + _lcl_second_prefix_match=0 + fi + fi +done]) + +dnl adl_COMPUTE_SUFFIX_PATH(PATH, SUBPATH, RESULT) +dnl ============================================== +dnl Substrack $SUBPATH from $PATH, and set the resulting suffix +dnl (or the empty string if $SUBPATH is not a subpath of $PATH) +dnl to $RESULT. +dnl +dnl For instace: +dnl first_path=/somewhere/on/my/disk/bin +dnl second_path=/somewhere/on +dnl adl_COMPUTE_SUFFIX_PATH(first_path, second_path, common_path) +dnl will set $common_path to '/my/disk/bin'. 
+AC_DEFUN([adl_COMPUTE_SUFFIX_PATH], +[$3=`expr "x[$]$1" : "x[$]$2/*\(.*\)"`]) + +dnl adl_COMPUTE_BACK_PATH(PATH, SUBPATH, RESULT) +dnl ============================================ +dnl Compute the relative path to go from $PATH to $SUBPATH, knowing that +dnl $SUBPATH is a subpath of $PATH (any other words, only repeated '../' +dnl should be needed to move from $PATH to $SUBPATH) and set the value +dnl of $RESULT to that value. If $SUBPATH is not a subpath of PATH, +dnl set $RESULT to the empty string. +dnl +dnl For instance: +dnl first_path=/somewhere/on/my/disk/bin +dnl second_path=/somewhere/on +dnl adl_COMPUTE_BACK_PATH(first_path, second_path, back_path) +dnl will set $back_path to '../../../'. +AC_DEFUN([adl_COMPUTE_BACK_PATH], +[adl_COMPUTE_SUFFIX_PATH([$1], [$2], [_lcl_first_suffix]) +$3='' +_lcl_tmp='xxx' +while test "[$]_lcl_tmp" != ''; do + _lcl_tmp=`expr "x[$]_lcl_first_suffix" : "x[[^/]]*/*\(.*\)"` + if test "[$]_lcl_first_suffix" != ''; then + _lcl_first_suffix="[$]_lcl_tmp" + $3="../[$]$3" + fi +done]) + + +dnl adl_RECURSIVE_EVAL(VALUE, RESULT) +dnl ================================= +dnl Interpolate the VALUE in loop until it doesn't change, +dnl and set the result to $RESULT. +dnl WARNING: It's easy to get an infinite loop with some unsane input. +AC_DEFUN([adl_RECURSIVE_EVAL], +[_lcl_receval="$1" +$2=`(test "x$prefix" = xNONE && prefix="$ac_default_prefix" + test "x$exec_prefix" = xNONE && exec_prefix="${prefix}" + _lcl_receval_old='' + while test "[$]_lcl_receval_old" != "[$]_lcl_receval"; do + _lcl_receval_old="[$]_lcl_receval" + eval _lcl_receval="\"[$]_lcl_receval\"" + done + echo "[$]_lcl_receval")`]) diff --git a/scripts/gen_local_rsa_key.pl b/scripts/gen_local_rsa_key.pl index ce3f69b..e874316 100755 --- a/scripts/gen_local_rsa_key.pl +++ b/scripts/gen_local_rsa_key.pl 
@@ -31,20 +31,12 @@ use Vyatta::Misc qw(get_short_config_path); # Defaults my $bits = 2192; -my $device = "/dev/random"; if ($#ARGV > 1) { die "Usage: gen_local_rsa_key.pl <bits> <device>\n"; } $bits = $ARGV[0] if $#ARGV >= 0; -# -# The ipsec newhostkey command seems to support up to -# 20000 bits for key generation, but xorp currently -# can't handle a line that long when entered in the -# config. Xorp seems to be able to handle keys generated -# with up to 5840 bits. -# my ($bits_min, $bits_max) = (16, 4096); if ($bits > $bits_max) { @@ -56,10 +48,6 @@ if ($bits < $bits_min) { if ($bits % 16 != 0) { die "bits=$bits is not a multiple of 16\n"; } -$device = $ARGV[1] if $#ARGV >= 1; -unless (-r $device) { - die "invalid random number device $device\n"; -} my $local_key_file = rsa_get_local_key_file(); @@ -100,13 +88,7 @@ if (-e $temp_key_file) { } } -$cmd = "/usr/lib/ipsec/newhostkey --output $local_key_file --bits $bits"; -# -# The default random number generator is /dev/random, but it will block -# if there isn't enough system activity to provide enough "good" random -# bits. Try /dev/urandom if it's taking too long. -# -$cmd .= " --random $device"; +$cmd = "/usr/bin/openssl genrsa -out $local_key_file $bits"; # when presenting to users, show shortened /config path my $shortened_cfg_path_file = get_short_config_path($local_key_file); diff --git a/scripts/key-pair.template b/scripts/key-pair.template index 5b5b2a6..bbf5eb9 100644 --- a/scripts/key-pair.template +++ b/scripts/key-pair.template @@ -1,10 +1,15 @@ [ req ] - default_bits = 1024 + default_bits = 2048 default_keyfile = privkey.pem distinguished_name = req_distinguished_name + string_mask = utf8only attributes = req_attributes + dirstring_type = nobmp +# SHA-1 is deprecated, so use SHA-2 instead. + default_md = sha256 +# Extension to add when the -x509 option is used. x509_extensions = v3_ca - dirstring_type = nobmp + [ req_distinguished_name ] countryName = Country Name (2 letter code) countryName_min = 2 
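Review bot: The new `$cmd = "/usr/bin/openssl genrsa -out $local_key_file $bits";` still interpolates `$bits` into a shell command string, and the checks above it are numeric comparisons that accept any string with a leading number; since this script is installed under sudo-users and receives the op-mode user's argument, validate it as a plain integer where it is taken from `@ARGV`, e.g. `die "bits must be an integer\n" unless $bits =~ /^\d+$/;`, or run openssl through the list form of `system` so no shell parses it. `openssl genrsa -out` restricts the key file to 0600 only on OpenSSL releases that open private-key outputs with a private mode; elsewhere the file gets the process umask, so a `umask 077 &&` prefix in the command or a `chmod 0600, $local_key_file` after success makes the result independent of the toolchain. `$bits_min` remains 16 in the context lines; current openssl refuses such sizes and no IKE peer accepts them, so raising the floor would turn an opaque openssl failure into a clear validation error. How `$cmd` is executed is outside the hunk.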
@@ -24,4 +29,39 @@ [ v3_ca ] subjectKeyIdentifier=hash authorityKeyIdentifier=keyid:always,issuer:always - basicConstraints = CA:true + basicConstraints = critical, CA:true + keyUsage = critical, digitalSignature, cRLSign, keyCertSign +[ v3_intermediate_ca ] +# Extensions for a typical intermediate CA (`man x509v3_config`). + subjectKeyIdentifier = hash + authorityKeyIdentifier = keyid:always,issuer + basicConstraints = critical, CA:true, pathlen:0 + keyUsage = critical, digitalSignature, cRLSign, keyCertSign +[ usr_cert ] +# Extensions for client certificates (`man x509v3_config`). + basicConstraints = CA:FALSE + nsCertType = client, email + nsComment = "OpenSSL Generated Client Certificate" + subjectKeyIdentifier = hash + authorityKeyIdentifier = keyid,issuer + keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment + extendedKeyUsage = clientAuth, emailProtection +[ server_cert ] +# Extensions for server certificates (`man x509v3_config`). + basicConstraints = CA:FALSE + nsCertType = server + nsComment = "OpenSSL Generated Server Certificate" + subjectKeyIdentifier = hash + authorityKeyIdentifier = keyid,issuer:always + keyUsage = critical, digitalSignature, keyEncipherment + extendedKeyUsage = serverAuth +[ crl_ext ] +# Extension for CRLs (`man x509v3_config`). + authorityKeyIdentifier=keyid:always +[ ocsp ] +# Extension for OCSP signing certificates (`man ocsp`). + basicConstraints = CA:FALSE + subjectKeyIdentifier = hash + authorityKeyIdentifier = keyid,issuer + keyUsage = critical, digitalSignature + extendedKeyUsage = critical, OCSPSigning
\ No newline at end of file diff --git a/scripts/vyatta-gen-x509-keypair.sh b/scripts/vyatta-gen-x509-keypair.in index 5a66d0a..194ac4f 100755 --- a/scripts/vyatta-gen-x509-keypair.sh +++ b/scripts/vyatta-gen-x509-keypair.in @@ -1,7 +1,7 @@ #!/bin/bash CN=$1 genkeypair (){ - openssl req -new -nodes -keyout /config/auth/$CN.key -out /config/auth/$CN.csr -config /opt/vyatta/etc/key-pair.template + openssl req -new -nodes -keyout /config/auth/$CN.key -out /config/auth/$CN.csr -config @sysconfdir@/key-pair.template } if [ -f /config/auth/$CN.csr ]; then read -p "A certificate request named $CN.csr already exists. Overwrite (y/n)?" diff --git a/scripts/vyatta-op-vpn.pl b/scripts/vyatta-op-vpn.pl index d6648ae..50cbcbd 100755 --- a/scripts/vyatta-op-vpn.pl +++ b/scripts/vyatta-op-vpn.pl @@ -73,10 +73,10 @@ if (defined $show_ipsec_sa_peer) { if (defined $show_ipsec_sa_peer_detail) { Vyatta::VPN::OPMode::show_ipsec_sa_peer_detail($show_ipsec_sa_peer_detail); } -if (defined @show_ipsec_sa_conn_detail) { +if (@show_ipsec_sa_conn_detail) { Vyatta::VPN::OPMode::show_ipsec_sa_conn_detail(@show_ipsec_sa_conn_detail); } -if (defined @show_ipsec_sa_conn) { +if (@show_ipsec_sa_conn) { Vyatta::VPN::OPMode::show_ipsec_sa_conn(@show_ipsec_sa_conn); } if (defined $show_ipsec_sa_natt) { @@ -88,7 +88,7 @@ if (defined $show_ipsec_sa_stats) { if (defined $show_ipsec_sa_stats_peer) { Vyatta::VPN::OPMode::show_ipsec_sa_stats_peer($show_ipsec_sa_stats_peer); } -if (defined @show_ipsec_sa_stats_conn) { +if (@show_ipsec_sa_stats_conn) { Vyatta::VPN::OPMode::show_ipsec_sa_stats_conn(@show_ipsec_sa_stats_conn); } if (defined $show_ike_sa) { diff --git a/scripts/vyatta-op-vpnprof.pl b/scripts/vyatta-op-vpnprof.pl index 72124fa..4da46c4 100644 --- a/scripts/vyatta-op-vpnprof.pl +++ b/scripts/vyatta-op-vpnprof.pl 
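Review bot: `[ server_cert ]` defines no `subjectAltName`, so a certificate issued with `-extensions server_cert` identifies the host by CN only, which current TLS clients and strongSwan identity matching do not accept on their own; add `subjectAltName = @alt_names` with an `[ alt_names ]` section (or `subjectAltName = DNS:...`), and the same applies to `[ usr_cert ]` for e-mail identities. `nsCertType` and `nsComment` are legacy Netscape extensions that no current verifier consults and can be dropped. `vyatta-gen-x509-keypair` only runs `openssl req -new`, which uses none of the new sections, so they are reachable only when someone signs against this file with `openssl ca` or `x509 -extfile`; a header comment saying that would document the intent. The file also ends without a trailing newline.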
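Review bot: On the rewritten `openssl req` line `$CN` is still expanded unquoted into two paths under /config/auth; `CN=$1` comes straight from the op-mode argument and the script runs under sudo, so a value with whitespace or `/` changes which files are written. Quote the expansions (`"/config/auth/$CN.key"`, `"/config/auth/$CN.csr"`) and reject anything outside a safe character set before the first use, e.g. `case $CN in ''|*[!A-Za-z0-9._-]*) echo "invalid common name" >&2; exit 1;; esac`. `-nodes` writes the private key unencrypted, which is the existing behaviour and fine for an unattended IPsec daemon, but the key file's mode then depends on the openssl release and umask; a `umask 077` before the call makes it explicit.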
@@ -52,11 +52,11 @@ if ( defined $show_ipsec_sa_profile_detail ) { Vyatta::vpnprof::OPMode::show_ipsec_sa_profile_detail( $show_ipsec_sa_profile_detail); } -if ( defined @show_ipsec_sa_conn_detail ) { +if ( @show_ipsec_sa_conn_detail ) { Vyatta::vpnprof::OPMode::show_ipsec_sa_conn_detail( @show_ipsec_sa_conn_detail); } -if ( defined @show_ipsec_sa_conn ) { +if ( @show_ipsec_sa_conn ) { Vyatta::vpnprof::OPMode::show_ipsec_sa_conn(@show_ipsec_sa_conn); } if ( defined $show_ipsec_sa_stats ) { @@ -66,7 +66,7 @@ if ( defined $show_ipsec_sa_stats_profile ) { Vyatta::vpnprof::OPMode::show_ipsec_sa_stats_profile( $show_ipsec_sa_stats_profile); } -if ( defined @show_ipsec_sa_stats_conn ) { +if ( @show_ipsec_sa_stats_conn ) { Vyatta::vpnprof::OPMode::show_ipsec_sa_stats_conn( @show_ipsec_sa_stats_conn); } diff --git a/scripts/vyatta-show-ipsec-status.pl b/scripts/vyatta-show-ipsec-status.pl index a96d1dd..bff36c8 100644 --- a/scripts/vyatta-show-ipsec-status.pl +++ b/scripts/vyatta-show-ipsec-status.pl @@ -98,7 +98,10 @@ sub relate_intfs_with_localips { # my $process_id = `sudo cat /var/run/charon.pid`; -my $active_tunnels = `sudo ipsec status 2>/dev/null | grep 'newest IPsec SA: #' | grep -v 'newest IPsec SA: #0' | wc -l`; +# Update to deal with new strongswan syntax for ipsec status command. +my $sa_summary = `sudo ipsec status 2>/dev/null | grep "Security Associations" `; +my $active_tunnels; +($active_tunnels) = $sa_summary =~ /\((.*?) up/; chomp $process_id; chomp $active_tunnels; my @vpn_interfaces = get_vpn_intfs(); diff --git a/templates/generate/vpn/rsa-key/bits/node.tag/node.def b/templates/generate/vpn/rsa-key/bits/node.tag/node.def.in index fa2fed2..198ec58 100644 --- a/templates/generate/vpn/rsa-key/bits/node.tag/node.def +++ b/templates/generate/vpn/rsa-key/bits/node.tag/node.def.in 
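Review bot: `($active_tunnels) = $sa_summary =~ /\((.*?) up/;` leaves `$active_tunnels` undefined whenever `ipsec status` prints no "Security Associations" line (daemon down, or another wording change of the kind this commit reacts to), so the `chomp` that follows warns and whatever later prints the count shows an empty value. Anchor the capture to digits and default it: `my ($active_tunnels) = $sa_summary =~ /\((\d+) up/; $active_tunnels = 0 unless defined $active_tunnels;`. The added comment `Update to deal with new strongswan syntax` describes the commit rather than the code; a comment quoting the line shape being parsed (e.g. `Security Associations (2 up, 0 connecting):`) would document what the regex depends on.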
@@ -1,3 +1,3 @@
 help: Generate local RSA key with specified number of bits
-run: sudo /opt/vyatta/bin/sudo-users/gen_local_rsa_key.pl "$5" /dev/random
+run: sudo @SUDOUSRDIR@/gen_local_rsa_key.pl "$5"
 allowed: echo -n '<16-4096>'
diff --git a/templates/generate/vpn/rsa-key/bits/node.tag/random/node.def b/templates/generate/vpn/rsa-key/bits/node.tag/random/node.def
deleted file mode 100644
index 42118b5..0000000
--- a/templates/generate/vpn/rsa-key/bits/node.tag/random/node.def
+++ /dev/null
@@ -1 +0,0 @@
-help: Generate local RSA key with specified number of bits and random device
diff --git a/templates/generate/vpn/rsa-key/bits/node.tag/random/node.tag/node.def b/templates/generate/vpn/rsa-key/bits/node.tag/random/node.tag/node.def
deleted file mode 100644
index eb11433..0000000
--- a/templates/generate/vpn/rsa-key/bits/node.tag/random/node.tag/node.def
+++ /dev/null
@@ -1,3 +0,0 @@
-help: Generate local RSA key with specified number of bits and random device
-run: sudo /opt/vyatta/bin/sudo-users/gen_local_rsa_key.pl "$5" "$7"
-allowed: echo -n '/dev/random /dev/urandom'
diff --git a/templates/generate/vpn/rsa-key/node.def b/templates/generate/vpn/rsa-key/node.def
deleted file mode 100644
index 60296f2..0000000
--- a/templates/generate/vpn/rsa-key/node.def
+++ /dev/null
@@ -1,2 +0,0 @@
-help: Generate local RSA key (default: bits=2192 device=/dev/random)
-run: sudo /opt/vyatta/bin/sudo-users/gen_local_rsa_key.pl 2192 /dev/random
diff --git a/templates/generate/vpn/rsa-key/node.def.in b/templates/generate/vpn/rsa-key/node.def.in
new file mode 100644
index 0000000..eab5a4f
--- /dev/null
+++ b/templates/generate/vpn/rsa-key/node.def.in
@@ -0,0 +1,2 @@
+help: Generate local RSA key (default: bits=2192)
+run: sudo @SUDOUSRDIR@/gen_local_rsa_key.pl 2192
diff --git a/templates/generate/vpn/x509/key-pair/node.tag/node.def b/templates/generate/vpn/x509/key-pair/node.tag/node.def.in
index 9882df8..2c87956 100644
--- a/templates/generate/vpn/x509/key-pair/node.tag/node.def
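Review bot: `run: sudo @SUDOUSRDIR@/gen_local_rsa_key.pl "$5"` drops the random-device argument that the removed line and the deleted random/node.tag template passed as the second parameter, yet nothing in this diff touches gen_local_rsa_key.pl itself; if that script still reads a second argument it now receives an empty one, so please confirm its argument handling was changed in the same series (the default call in templates/generate/vpn/rsa-key/node.def.in has the same dependency). Separately, the unchanged `allowed: echo -n '<16-4096>'` still advertises 16-bit keys as acceptable; if the script does not enforce a floor, `allowed: echo -n '<2048-4096>'` would at least stop the CLI suggesting unusably small sizes.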
+++ b/templates/generate/vpn/x509/key-pair/node.tag/node.def.in
@@ -1,4 +1,4 @@
 help: Generate x509 key-pair
 run:
- sudo /opt/vyatta/sbin/vyatta-gen-x509-keypair.sh $5
+ sudo @SBINDIR@/vyatta-gen-x509-keypair $5
 allowed: echo -n '<common-name>'
diff --git a/templates/reset/vpn/ipsec-peer/node.tag/node.def b/templates/reset/vpn/ipsec-peer/node.tag/node.def
deleted file mode 100644
index fa55d52..0000000
--- a/templates/reset/vpn/ipsec-peer/node.tag/node.def
+++ /dev/null
@@ -1,6 +0,0 @@
-help: Reset all tunnels for given peer
-
-allowed: /opt/vyatta/bin/sudo-users/vyatta-vpn-op.pl --op=get-all-peers
-
-run: /opt/vyatta/bin/sudo-users/vyatta-vpn-op.pl \
- --op=clear-tunnels-for-peer --peer="$4"
diff --git a/templates/reset/vpn/ipsec-peer/node.tag/node.def.in b/templates/reset/vpn/ipsec-peer/node.tag/node.def.in
new file mode 100644
index 0000000..621c40a
--- /dev/null
+++ b/templates/reset/vpn/ipsec-peer/node.tag/node.def.in
@@ -0,0 +1,6 @@
+help: Reset all tunnels for given peer
+
+allowed: @SUDOUSRDIR@/vyatta-vpn-op.pl --op=get-all-peers
+
+run: @SUDOUSRDIR@/vyatta-vpn-op.pl \
+ --op=clear-tunnels-for-peer --peer="$4"
diff --git a/templates/reset/vpn/ipsec-peer/node.tag/tunnel/node.tag/node.def b/templates/reset/vpn/ipsec-peer/node.tag/tunnel/node.tag/node.def.in
index eecb740..4407515 100644
--- a/templates/reset/vpn/ipsec-peer/node.tag/tunnel/node.tag/node.def
+++ b/templates/reset/vpn/ipsec-peer/node.tag/tunnel/node.tag/node.def.in
@@ -1,10 +1,10 @@
 help: Reset a specific tunnel for given peer
-allowed: /opt/vyatta/bin/sudo-users/vyatta-vpn-op.pl \
+allowed: @SUDOUSRDIR@/vyatta-vpn-op.pl \
 --op=get-tunnels-for-peer \
 --peer="${COMP_WORDS[COMP_CWORD-2]}"
-run: /opt/vyatta/bin/sudo-users/vyatta-vpn-op.pl \
+run: @SUDOUSRDIR@/vyatta-vpn-op.pl \
 --op=clear-specific-tunnel-for-peer \
 --peer="$4" \
 --tunnel="$6"
diff --git a/templates/reset/vpn/ipsec-peer/node.tag/vti/node.def b/templates/reset/vpn/ipsec-peer/node.tag/vti/node.def.in
index f0f39a8..2e8e9be 100644
--- a/templates/reset/vpn/ipsec-peer/node.tag/vti/node.def
+++ b/templates/reset/vpn/ipsec-peer/node.tag/vti/node.def.in
@@ -1,5 +1,5 @@
 help: Reset a vti tunnel for given peer
-run: /opt/vyatta/bin/sudo-users/vyatta-vpn-op.pl \
+run: @SUDOUSRDIR@/vyatta-vpn-op.pl \
 --op=clear-vtis-for-peer \
 --peer="$4"
diff --git a/templates/reset/vpn/ipsec-profile/node.tag/node.def b/templates/reset/vpn/ipsec-profile/node.tag/node.def
deleted file mode 100644
index 639fac3..0000000
--- a/templates/reset/vpn/ipsec-profile/node.tag/node.def
+++ /dev/null
@@ -1,6 +0,0 @@
-help: Reset all tunnels for given profile
-
-allowed: /opt/vyatta/bin/sudo-users/vyatta-dmvpn-op.pl --op=get-all-profiles
-
-run: /opt/vyatta/bin/sudo-users/vyatta-dmvpn-op.pl \
- --op=clear-tunnels-for-profile --profile="$4"
diff --git a/templates/reset/vpn/ipsec-profile/node.tag/node.def.in b/templates/reset/vpn/ipsec-profile/node.tag/node.def.in
new file mode 100644
index 0000000..ea90853
--- /dev/null
+++ b/templates/reset/vpn/ipsec-profile/node.tag/node.def.in
@@ -0,0 +1,6 @@
+help: Reset all tunnels for given profile
+
+allowed: @SUDOUSRDIR@/vyatta-dmvpn-op.pl --op=get-all-profiles
+
+run: @SUDOUSRDIR@/vyatta-dmvpn-op.pl \
+ --op=clear-tunnels-for-profile --profile="$4"
diff --git a/templates/reset/vpn/ipsec-profile/node.tag/tunnel/node.tag/node.def b/templates/reset/vpn/ipsec-profile/node.tag/tunnel/node.tag/node.def.in
index 08e299f..f5eda6c 100644
--- a/templates/reset/vpn/ipsec-profile/node.tag/tunnel/node.tag/node.def
+++ b/templates/reset/vpn/ipsec-profile/node.tag/tunnel/node.tag/node.def.in
@@ -1,10 +1,10 @@
 help: Reset a specific tunnel for given profile
-allowed: /opt/vyatta/bin/sudo-users/vyatta-dmvpn-op.pl \
+allowed: @SUDOUSRDIR@/vyatta-dmvpn-op.pl \
 --op=get-tunnels-for-profile \
 --profile="${COMP_WORDS[COMP_CWORD-2]}"
-run: /opt/vyatta/bin/sudo-users/vyatta-dmvpn-op.pl \
+run: @SUDOUSRDIR@/vyatta-dmvpn-op.pl \
 --op=clear-specific-tunnel-for-profile \
 --profile="$4" \
 --tunnel="$6"
diff --git a/templates/restart/vpn/node.def b/templates/restart/vpn/node.def.in
index 6d0f50c..4366d19 100644
--- a/templates/restart/vpn/node.def
+++ b/templates/restart/vpn/node.def.in
@@ -3,7 +3,7 @@ run: if [ -n "$(cli-shell-api returnActiveValues \
 vpn ipsec ipsec-interfaces interface)" ]; then
 if pgrep charon > /dev/null
 then
- /opt/vyatta/bin/sudo-users/vyatta-vpn-op.pl --op=clear-vpn-ipsec-process
+ @SUDOUSRDIR@/vyatta-vpn-op.pl --op=clear-vpn-ipsec-process
 else
 echo IPsec process not running
 fi
diff --git a/templates/show/vpn/debug/detail/node.def b/templates/show/vpn/debug/detail/node.def.in
index 0f88f1e..8eb4e70 100644
--- a/templates/show/vpn/debug/detail/node.def
+++ b/templates/show/vpn/debug/detail/node.def.in
@@ -3,7 +3,7 @@ run: if [ -n "$(cli-shell-api returnActiveValues \
 vpn ipsec ipsec-interfaces interface)" ]; then
 if pgrep charon > /dev/null
 then
- /opt/vyatta/bin/sudo-users/vyatta-vpn-op.pl --op=show-vpn-debug-detail
+ @SUDOUSRDIR@/vyatta-vpn-op.pl --op=show-vpn-debug-detail
 else
 echo IPsec process not running
 fi
diff --git a/templates/show/vpn/debug/node.def b/templates/show/vpn/debug/node.def.in
index 281228a..6fb98de 100644
--- a/templates/show/vpn/debug/node.def
+++ b/templates/show/vpn/debug/node.def.in
@@ -3,7 +3,7 @@ run: if [ -n "$(cli-shell-api returnActiveValues \
 vpn ipsec ipsec-interfaces interface)" ]; then
 if pgrep charon > /dev/null
 then
- /opt/vyatta/bin/sudo-users/vyatta-vpn-op.pl --op=show-vpn-debug
+ @SUDOUSRDIR@/vyatta-vpn-op.pl --op=show-vpn-debug
 else
 echo IPsec process not running
 fi
diff --git a/templates/show/vpn/debug/peer/node.tag/node.def b/templates/show/vpn/debug/peer/node.tag/node.def.in
index a3a9573..bd60ed5 100644
--- a/templates/show/vpn/debug/peer/node.tag/node.def
+++ b/templates/show/vpn/debug/peer/node.tag/node.def.in
@@ -1,10 +1,10 @@
 help: Show debugging information for a peer
-allowed: /opt/vyatta/bin/sudo-users/vyatta-op-vpn.pl --get-peers-for-cli
+allowed: @SUDOUSRDIR@/vyatta-op-vpn.pl --get-peers-for-cli
 run: if [ -n "$(cli-shell-api returnActiveValues \
 vpn ipsec ipsec-interfaces interface)" ]; then
 if pgrep charon > /dev/null
 then
- /opt/vyatta/bin/sudo-users/vyatta-vpn-op.pl --op=show-vpn-debug | grep peer-$5
+ @SUDOUSRDIR@/vyatta-vpn-op.pl --op=show-vpn-debug | grep peer-$5
 else
 echo IPsec process not running
 fi
diff --git a/templates/show/vpn/debug/peer/node.tag/tunnel/node.tag/node.def b/templates/show/vpn/debug/peer/node.tag/tunnel/node.tag/node.def.in
index 3c96973..ca422e3 100644
--- a/templates/show/vpn/debug/peer/node.tag/tunnel/node.tag/node.def
+++ b/templates/show/vpn/debug/peer/node.tag/tunnel/node.tag/node.def.in
@@ -1,10 +1,10 @@
 help: Show debugging information for a peer's tunnel
-allowed: /opt/vyatta/bin/sudo-users/vyatta-op-vpn.pl --get-conn-for-cli=${COMP_WORDS[4]}
+allowed: @SUDOUSRDIR@/vyatta-op-vpn.pl --get-conn-for-cli=${COMP_WORDS[4]}
 run: if [ -n "$(cli-shell-api returnActiveValues \
 vpn ipsec ipsec-interfaces interface)" ]; then
 if pgrep charon > /dev/null
 then
- /opt/vyatta/bin/sudo-users/vyatta-vpn-op.pl --op=show-vpn-debug | grep "peer-$5-tunnel-$7"
+ @SUDOUSRDIR@/vyatta-vpn-op.pl --op=show-vpn-debug | grep "peer-$5-tunnel-$7"
 else
 echo IPsec process not running
 fi
diff --git a/templates/show/vpn/ike/rsa-keys/node.def b/templates/show/vpn/ike/rsa-keys/node.def
deleted file mode 100644
index 6d3baa5..0000000
--- a/templates/show/vpn/ike/rsa-keys/node.def
+++ /dev/null
@@ -1,2 +0,0 @@
-help: Show VPN RSA keys
-run: sudo /opt/vyatta/bin/sudo-users/vyatta-show-vpn.pl rsa-keys
diff --git a/templates/show/vpn/ike/rsa-keys/node.def.in b/templates/show/vpn/ike/rsa-keys/node.def.in
new file mode 100644
index 0000000..255ca18
--- /dev/null
+++ b/templates/show/vpn/ike/rsa-keys/node.def.in
@@ -0,0 +1,2 @@
+help: Show VPN RSA keys
+run: sudo @SUDOUSRDIR@/vyatta-show-vpn.pl rsa-keys
diff --git a/templates/show/vpn/ike/sa/nat-traversal/node.def b/templates/show/vpn/ike/sa/nat-traversal/node.def.in
index 3855c49..6c62b12 100644
--- a/templates/show/vpn/ike/sa/nat-traversal/node.def
+++ b/templates/show/vpn/ike/sa/nat-traversal/node.def.in
@@ -1,2 +1,2 @@
 help: Show all currently active IKE Security Associations (SA) that are using NAT Traversal
-run: sudo /opt/vyatta/bin/sudo-users/vyatta-op-vpn.pl --show-ike-sa-natt
+run: sudo @SUDOUSRDIR@/vyatta-op-vpn.pl --show-ike-sa-natt
diff --git a/templates/show/vpn/ike/sa/node.def b/templates/show/vpn/ike/sa/node.def
deleted file mode 100644
index 051d657..0000000
--- a/templates/show/vpn/ike/sa/node.def
+++ /dev/null
@@ -1,2 +0,0 @@
-help: Show all currently active IKE Security Associations (SA)
-run: sudo /opt/vyatta/bin/sudo-users/vyatta-op-vpn.pl --show-ike-sa
diff --git a/templates/show/vpn/ike/sa/node.def.in b/templates/show/vpn/ike/sa/node.def.in
new file mode 100644
index 0000000..e372ff7
--- /dev/null
+++ b/templates/show/vpn/ike/sa/node.def.in
@@ -0,0 +1,2 @@
+help: Show all currently active IKE Security Associations (SA)
+run: sudo @SUDOUSRDIR@/vyatta-op-vpn.pl --show-ike-sa
diff --git a/templates/show/vpn/ike/sa/peer/node.tag/node.def b/templates/show/vpn/ike/sa/peer/node.tag/node.def
deleted file mode 100644
index c76b71b..0000000
--- a/templates/show/vpn/ike/sa/peer/node.tag/node.def
+++ /dev/null
@@ -1,3 +0,0 @@
-help: Show all currently active IKE Security Associations (SA) for a peer
-allowed: /opt/vyatta/bin/sudo-users/vyatta-op-vpn.pl --get-peers-for-cli
-run: sudo /opt/vyatta/bin/sudo-users/vyatta-op-vpn.pl --show-ike-sa-peer="$6"
diff --git a/templates/show/vpn/ike/sa/peer/node.tag/node.def.in b/templates/show/vpn/ike/sa/peer/node.tag/node.def.in
new file mode 100644
index 0000000..a9782ad
--- /dev/null
+++ b/templates/show/vpn/ike/sa/peer/node.tag/node.def.in
@@ -0,0 +1,3 @@
+help: Show all currently active IKE Security Associations (SA) for a peer
+allowed: @SUDOUSRDIR@/vyatta-op-vpn.pl --get-peers-for-cli
+run: sudo @SUDOUSRDIR@/vyatta-op-vpn.pl --show-ike-sa-peer="$6"
diff --git a/templates/show/vpn/ike/secrets/node.def b/templates/show/vpn/ike/secrets/node.def
deleted file mode 100644
index ec4073c..0000000
--- a/templates/show/vpn/ike/secrets/node.def
+++ /dev/null
@@ -1,2 +0,0 @@
-help: Show all the pre-shared key secrets
-run: sudo /opt/vyatta/bin/sudo-users/vyatta-op-vpn.pl --show-ike-secrets
diff --git a/templates/show/vpn/ike/secrets/node.def.in b/templates/show/vpn/ike/secrets/node.def.in
new file mode 100644
index 0000000..3d1a32d
--- /dev/null
+++ b/templates/show/vpn/ike/secrets/node.def.in
@@ -0,0 +1,2 @@
+help: Show all the pre-shared key secrets
+run: sudo @SUDOUSRDIR@/vyatta-op-vpn.pl --show-ike-secrets
diff --git a/templates/show/vpn/ike/status/node.def b/templates/show/vpn/ike/status/node.def
deleted file mode 100644
index e74a741..0000000
--- a/templates/show/vpn/ike/status/node.def
+++ /dev/null
@@ -1,2 +0,0 @@
-help: Show summary of IKE process information
-run: sudo /opt/vyatta/bin/sudo-users/vyatta-op-vpn.pl --show-ike-status
diff --git a/templates/show/vpn/ike/status/node.def.in b/templates/show/vpn/ike/status/node.def.in
new file mode 100644
index 0000000..7cc9b10
--- /dev/null
+++ b/templates/show/vpn/ike/status/node.def.in
@@ -0,0 +1,2 @@
+help: Show summary of IKE process information
+run: sudo @SUDOUSRDIR@/vyatta-op-vpn.pl --show-ike-status
diff --git a/templates/show/vpn/ipsec/sa/detail/node.def.in b/templates/show/vpn/ipsec/sa/detail/node.def.in
new file mode 100644
index 0000000..3362e9b
--- /dev/null
+++ b/templates/show/vpn/ipsec/sa/detail/node.def.in
@@ -0,0 +1,6 @@
+help: Show Detail on all active IPsec Security Associations (SA)
+run: if pgrep charon >&/dev/null; then
+ @SUDOUSRDIR@/vyatta-op-vpn.pl --show-ipsec-sa
+ else
+ echo -e "IPSec Process NOT Running\n"
+ fi
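Review bot: The new detail template runs `@SUDOUSRDIR@/vyatta-op-vpn.pl --show-ipsec-sa`, which is the same operation the sibling templates/show/vpn/ipsec/sa/node.def runs in this diff, while the verbose template added later runs `--show-ipsec-sa-detail`; this looks like a copy-and-paste slip, and `--show-ipsec-sa-detail` is presumably what "Show Detail" was meant to call. The invocation also lacks the `sudo` prefix the sibling template uses, so if the script needs privileges to read SA state this branch will print nothing while the `pgrep charon` guard still reports the daemon as running. Please confirm the intended option and match the sibling's `sudo @SUDOUSRDIR@/vyatta-op-vpn.pl ...` form.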
diff --git a/templates/show/vpn/ipsec/sa/node.def b/templates/show/vpn/ipsec/sa/node.def
index be8f108..7f569bd 100644
--- a/templates/show/vpn/ipsec/sa/node.def
+++ b/templates/show/vpn/ipsec/sa/node.def
@@ -1,8 +1,6 @@
 help: Show all active IPsec Security Associations (SA)
-
 run: if pgrep charon >&/dev/null; then
- sudo /usr/sbin/swanctl --list-sas
+ sudo /opt/vyatta/bin/sudo-users/vyatta-op-vpn.pl --show-ipsec-sa
 else
 echo -e "IPSec Process NOT Running\n"
 fi
-
diff --git a/templates/show/vpn/ipsec/sa/peer/node.tag/detail/node.def.in b/templates/show/vpn/ipsec/sa/peer/node.tag/detail/node.def.in
new file mode 100644
index 0000000..e05a3c4
--- /dev/null
+++ b/templates/show/vpn/ipsec/sa/peer/node.tag/detail/node.def.in
@@ -0,0 +1,3 @@
+help: Show detail on all currently active IPSec Security Associations (SA) for a peer
+allowed: @SUDOUSRDIR@/vyatta-op-vpn.pl --get-peers-for-cli
+run: sudo @SUDOUSRDIR@/vyatta-op-vpn.pl --show-ipsec-sa-peer-detail="$6"
diff --git a/templates/show/vpn/ipsec/sa/peer/node.tag/node.def.in b/templates/show/vpn/ipsec/sa/peer/node.tag/node.def.in
new file mode 100644
index 0000000..4b23f44
--- /dev/null
+++ b/templates/show/vpn/ipsec/sa/peer/node.tag/node.def.in
@@ -0,0 +1,3 @@
+help: Show all currently active IPSec Security Associations (SA) for a peer
+allowed: @SUDOUSRDIR@/vyatta-op-vpn.pl --get-peers-for-cli
+run: sudo @SUDOUSRDIR@/vyatta-op-vpn.pl --show-ipsec-sa-peer="$6"
diff --git a/templates/show/vpn/ipsec/sa/stats/node.def.in b/templates/show/vpn/ipsec/sa/stats/node.def.in
new file mode 100644
index 0000000..d1d6ad0
--- /dev/null
+++ b/templates/show/vpn/ipsec/sa/stats/node.def.in
@@ -0,0 +1,3 @@
+help: Show statistics for alll currently active IPSec Security Associations (SA)
+run: @SUDOUSRDIR@/vyatta-op-vpn.pl --show-ipsec-sa-stats
+
diff --git a/templates/show/vpn/ipsec/sa/stats/node.tag/node.def.in b/templates/show/vpn/ipsec/sa/stats/node.tag/node.def.in
new file mode 100644
index 0000000..9426469
--- /dev/null
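Review bot: `sudo /opt/vyatta/bin/sudo-users/vyatta-op-vpn.pl --show-ipsec-sa` hard-codes the install prefix in a file this commit leaves as a plain node.def, while every other template touched here is renamed to node.def.in and uses `@SUDOUSRDIR@`; with the prefix-derived directories this series introduces, this one command will keep pointing at /opt/vyatta whatever prefix is configured. The same applies to the new templates/show/vpn/ipsec/sa/verbose/node.def later in the diff. Rename both to node.def.in and use `@SUDOUSRDIR@/vyatta-op-vpn.pl` so configure substitutes them like their siblings.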
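Review bot: `help: Show statistics for alll currently active IPSec Security Associations (SA)` has a typo ("alll"), and the file ends with a stray blank line. The run line `@SUDOUSRDIR@/vyatta-op-vpn.pl --show-ipsec-sa-stats` is invoked without `sudo`, unlike the per-peer templates added just above it; if the statistics are read from the IKE daemon the unprivileged call will likely return nothing, so either add `sudo` for consistency or say why it is not needed here.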
+++ b/templates/show/vpn/ipsec/sa/stats/node.tag/node.def.in
@@ -0,0 +1,3 @@
+help: Show Statistics for SAs associated with a specific peer
+allowed: @SUDOUSRDIR@/vyatta-op-vpn.pl --get-peers-for-cli
+#run: sudo @SUDOUSRDIR@/vyatta-op-vpn.pl --show-ipsec-sa-peer="$6"
diff --git a/templates/show/vpn/ipsec/sa/stats/node.tag/tunnel/node.def b/templates/show/vpn/ipsec/sa/stats/node.tag/tunnel/node.def
new file mode 100644
index 0000000..0429324
--- /dev/null
+++ b/templates/show/vpn/ipsec/sa/stats/node.tag/tunnel/node.def
@@ -0,0 +1 @@
+help: Get Stats for a specific tunnel
diff --git a/templates/show/vpn/ipsec/sa/stats/node.tag/tunnel/node.tag/node.def.in b/templates/show/vpn/ipsec/sa/stats/node.tag/tunnel/node.tag/node.def.in
new file mode 100644
index 0000000..92a8572
--- /dev/null
+++ b/templates/show/vpn/ipsec/sa/stats/node.tag/tunnel/node.tag/node.def.in
@@ -0,0 +1,10 @@
+help: Reset a specific tunnel for given peer
+
+allowed: @SUDOUSRDIR@/vyatta-vpn-op.pl \
+ --op=get-tunnels-for-peer \
+ --peer="${COMP_WORDS[COMP_CWORD-2]}"
+
+run: @SUDOUSRDIR@/vyatta-op-vpn.pl \
+ --op=show-ipsec-sa-stats-conn \
+ --peer="$6" \
+ --tunnel="$8"
diff --git a/templates/show/vpn/ipsec/sa/verbose/node.def b/templates/show/vpn/ipsec/sa/verbose/node.def
new file mode 100644
index 0000000..fac77a3
--- /dev/null
+++ b/templates/show/vpn/ipsec/sa/verbose/node.def
@@ -0,0 +1,7 @@
+help: Show Verbose Detail on all active IPsec Security Associations (SA)
+run: if pgrep charon >&/dev/null; then
+ /opt/vyatta/bin/sudo-users/vyatta-op-vpn.pl --show-ipsec-sa-detail
+ else
+ echo -e "IPSec Process NOT Running\n"
+ fi
+
diff --git a/templates/show/vpn/ipsec/status/node.def.in b/templates/show/vpn/ipsec/status/node.def.in
new file mode 100644
index 0000000..838a133
--- /dev/null
+++ b/templates/show/vpn/ipsec/status/node.def.in
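Review bot: `#run: sudo @SUDOUSRDIR@/vyatta-op-vpn.pl --show-ipsec-sa-peer="$6"` is a commented-out placeholder, so if the template parser treats `#` as a comment (as it appears meant to) this node offers an `allowed:` completion list but no action, and `show vpn ipsec sa stats <peer>` completes a peer name and then does nothing. The commented line also names `--show-ipsec-sa-peer`, the non-stats operation that templates/show/vpn/ipsec/sa/peer/node.tag/node.def.in already runs, so it would not be the right thing to uncomment either. Either provide the intended per-peer stats run line or leave this node and its tunnel subtree out until that operation exists, rather than shipping dead template text.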
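Review bot: `help: Reset a specific tunnel for given peer` is the text of the reset template this file was copied from; for a show-stats node it should read something like `help: Show statistics for a specific tunnel of a given peer`. The run line invokes `@SUDOUSRDIR@/vyatta-op-vpn.pl` with `--op=show-ipsec-sa-stats-conn`, but the vyatta-op-vpn.pl hunk earlier in this diff dispatches on `@show_ipsec_sa_stats_conn`, which suggests that script takes a `--show-ipsec-sa-stats-conn` style option, whereas `--op=` is the vyatta-vpn-op.pl convention used on this file's own `allowed:` line; please verify the option spelling against the script, since an unrecognised option would make this command fail for every tunnel.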
@@ -0,0 +1,6 @@
+help: Show status of IPsec process
+run: if pgrep charon >&/dev/null; then
+ @SUDOUSRDIR@/vyatta-show-ipsec-status.pl
+ else
+ echo -e "IPSec Process NOT Running\n"
+ fi |