From b6697d98a5e0bd41907fb0049323845ea3780b8a Mon Sep 17 00:00:00 2001 From: Thomas Jepp Date: Wed, 16 Dec 2015 22:16:25 +0000 Subject: Fix build depends. --- debian/control | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/control b/debian/control index 57dcaeb..a53855f 100644 --- a/debian/control +++ b/debian/control @@ -2,7 +2,7 @@ Source: vyatta-op-vpn Section: contrib/net Priority: extra Maintainer: VyOS Package Maintainers -Build-Depends: debhelper (>= 5), autotools-dev +Build-Depends: debhelper (>= 5), autotools-dev, automake, autoconf, cpio, libtool Standards-Version: 3.7.2 Package: vyatta-op-vpn -- cgit v1.2.3 From 02c5540c29a347348a5a4d89ce432417f561d326 Mon Sep 17 00:00:00 2001 From: Kim Hagen Date: Sun, 24 Jan 2016 15:23:02 -0500 Subject: 0.15.0+vyos2+current1 --- debian/changelog | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/debian/changelog b/debian/changelog index d8a41b8..ae77d01 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,12 @@ +vyatta-op-vpn (0.15.0+vyos2+current1) unstable; urgency=medium + + [ Thomas Jepp ] + * Fix build depends. + + [ Kim Hagen ] + + -- Kim Hagen Sun, 24 Jan 2016 15:22:51 -0500 + vyatta-op-vpn (0.15.0+vyos2+lithium8) unstable; urgency=low * vyatta-op-vpn: update dh_gencontrol with new development build flag -- cgit v1.2.3 From beed3a41969a522571708cde21631db22d5c54a2 Mon Sep 17 00:00:00 2001 From: Daniil Baturin Date: Mon, 25 Jan 2016 14:22:52 +0100 Subject: Remove vyatta-ipsec dependency for migration to upstream strongswan. Update descriptions and standard version. --- debian/control | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/debian/control b/debian/control index a53855f..aeb9c65 100644 --- a/debian/control +++ b/debian/control 
@@ -3,19 +3,19 @@ Section: contrib/net Priority: extra Maintainer: VyOS Package Maintainers Build-Depends: debhelper (>= 5), autotools-dev, automake, autoconf, cpio, libtool -Standards-Version: 3.7.2 +Standards-Version: 3.9.1 Package: vyatta-op-vpn Architecture: all Depends: vyatta-op, vyatta-bash | bash (>= 3.1), vyatta-cfg-vpn, - vyatta-ipsec, + strongswan (>= 5.2), ${shlibs:Depends} Suggests: util-linux (>= 2.13-5), net-tools, ethtool, ncurses-bin (>= 5.5-5), ntpdate -Description: VyOS operational commands for VPN - VyOS commands to operate openswan VPN. +Description: VyOS operational commands for IPsec VPN + VyOS commands fpr IPsec VPN operations. -- cgit v1.2.3 From 100b1a52ebbc37ee69d9ed9f8d730c2cbaf99e81 Mon Sep 17 00:00:00 2001 From: Daniil Baturin Date: Mon, 25 Jan 2016 14:23:46 +0100 Subject: 0.15.0+vyos2+current2 --- debian/changelog | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/debian/changelog b/debian/changelog index ae77d01..fb88360 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +vyatta-op-vpn (0.15.0+vyos2+current2) unstable; urgency=low + + * Remove vyatta-ipsec dependency for migration to upstream strongswan. + + -- Daniil Baturin Mon, 25 Jan 2016 14:23:46 +0100 + vyatta-op-vpn (0.15.0+vyos2+current1) unstable; urgency=medium [ Thomas Jepp ] -- cgit v1.2.3 From a9a663c0b42db6563db8ac838d3451ca2e59a59e Mon Sep 17 00:00:00 2001 From: wzur Date: Thu, 31 Mar 2016 14:25:39 +0100 Subject: Explicitly close the IPSECCONF pipe This should avoid problems when `cat` commands finishes, but `sudo` doesn't. --- lib/OPMode.pm | 1 + 1 file changed, 1 insertion(+) diff --git a/lib/OPMode.pm b/lib/OPMode.pm index f871533..cea7236 100644 --- a/lib/OPMode.pm +++ b/lib/OPMode.pm @@ -695,6 +695,7 @@ sub get_conns while(<$IPSECCONF>){ push (@ipsecconf, $_); } + close($IPSECCONF); my %th = (); for my $line (@ipsecconf){ next if ($line =~/^\#/); -- cgit v1.2.3 From 397864e7371df953b0c5093493f49a5a2cd935c2 Mon Sep 17 00:00:00 2001 
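Review bot: The return value of the new `close($IPSECCONF);` is discarded; if the handle is a pipe from a command (the commit message mentions `cat` running under `sudo`), close() is where Perl reaps the child and where a non-zero exit status surfaces through `$?`, so a failed or truncated read of the config would pass silently into the parsing loop that follows. Something like `close($IPSECCONF) or warn "close of ipsec config pipe failed: $! (exit status $?)";` keeps the fix and makes that failure visible (use die if callers rely on the connection list being complete). The open that creates $IPSECCONF and the rest of get_conns are outside this hunk, so the handle type cannot be confirmed from the diff alone.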
From: UnicronNL Date: Tue, 19 Apr 2016 13:48:37 +0200 Subject: defined(@array) is deprecated, omit the defined() --- scripts/vyatta-op-vpn.pl | 6 +++--- scripts/vyatta-op-vpnprof.pl | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/scripts/vyatta-op-vpn.pl b/scripts/vyatta-op-vpn.pl index d6648ae..50cbcbd 100755 --- a/scripts/vyatta-op-vpn.pl +++ b/scripts/vyatta-op-vpn.pl @@ -73,10 +73,10 @@ if (defined $show_ipsec_sa_peer) { if (defined $show_ipsec_sa_peer_detail) { Vyatta::VPN::OPMode::show_ipsec_sa_peer_detail($show_ipsec_sa_peer_detail); } -if (defined @show_ipsec_sa_conn_detail) { +if (@show_ipsec_sa_conn_detail) { Vyatta::VPN::OPMode::show_ipsec_sa_conn_detail(@show_ipsec_sa_conn_detail); } -if (defined @show_ipsec_sa_conn) { +if (@show_ipsec_sa_conn) { Vyatta::VPN::OPMode::show_ipsec_sa_conn(@show_ipsec_sa_conn); } if (defined $show_ipsec_sa_natt) { @@ -88,7 +88,7 @@ if (defined $show_ipsec_sa_stats) { if (defined $show_ipsec_sa_stats_peer) { Vyatta::VPN::OPMode::show_ipsec_sa_stats_peer($show_ipsec_sa_stats_peer); } -if (defined @show_ipsec_sa_stats_conn) { +if (@show_ipsec_sa_stats_conn) { Vyatta::VPN::OPMode::show_ipsec_sa_stats_conn(@show_ipsec_sa_stats_conn); } if (defined $show_ike_sa) { diff --git a/scripts/vyatta-op-vpnprof.pl b/scripts/vyatta-op-vpnprof.pl index 72124fa..4da46c4 100644 --- a/scripts/vyatta-op-vpnprof.pl +++ b/scripts/vyatta-op-vpnprof.pl @@ -52,11 +52,11 @@ if ( defined $show_ipsec_sa_profile_detail ) { Vyatta::vpnprof::OPMode::show_ipsec_sa_profile_detail( $show_ipsec_sa_profile_detail); } -if ( defined @show_ipsec_sa_conn_detail ) { +if ( @show_ipsec_sa_conn_detail ) { Vyatta::vpnprof::OPMode::show_ipsec_sa_conn_detail( @show_ipsec_sa_conn_detail); } -if ( defined @show_ipsec_sa_conn ) { +if ( @show_ipsec_sa_conn ) { Vyatta::vpnprof::OPMode::show_ipsec_sa_conn(@show_ipsec_sa_conn); } if ( defined $show_ipsec_sa_stats ) { 
@@ -66,7 +66,7 @@ if ( defined $show_ipsec_sa_stats_profile ) { Vyatta::vpnprof::OPMode::show_ipsec_sa_stats_profile( $show_ipsec_sa_stats_profile); } -if ( defined @show_ipsec_sa_stats_conn ) { +if ( @show_ipsec_sa_stats_conn ) { Vyatta::vpnprof::OPMode::show_ipsec_sa_stats_conn( @show_ipsec_sa_stats_conn); } -- cgit v1.2.3 From 1f7528e003d6c1d3c061065fa44773caf74874a9 Mon Sep 17 00:00:00 2001 From: UnicronNL Date: Tue, 10 May 2016 11:18:11 +0200 Subject: Show some tunnel information. --- lib/OPMode.pm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/OPMode.pm b/lib/OPMode.pm index cea7236..49bc966 100644 --- a/lib/OPMode.pm +++ b/lib/OPMode.pm @@ -203,9 +203,9 @@ sub process_tunnels{ my %tunnel_hash = (); my %esp_hash = (); foreach my $line (@ipsecstatus) { - if (($line =~ /\"(peer-.*-tunnel-.*?)\"/)){ + if (($line =~ /(peer-.*-tunnel-.*?):/)){ my $connectid = $1; - if (($line =~ /\"(peer-.*-tunnel-.*?)\"(\[\d*\])/)){ + if (($line =~ /(peer-.*-tunnel-.*?):(\[\d*\])/)){ $connectid .= $2; } $connectid =~ /peer-(.*)-tunnel-(.*)/; -- cgit v1.2.3 From ad86c37585a7a6f866f8d8e5cc123a60ab602355 Mon Sep 17 00:00:00 2001 From: "C.J. Collier" Date: Tue, 10 May 2016 16:39:06 -0700 Subject: Address autoreconf warnings * add /m4 to .gitignore * set ACLOCAL_AMFLAGS in Makefile.am * set AC_CONFIG_MACRO_DIRS in configure.ac Signed-off-by: C.J. Collier --- .gitignore | 1 + Makefile.am | 2 ++ configure.ac | 1 + 3 files changed, 4 insertions(+) diff --git a/.gitignore b/.gitignore index 9ebd510..4fb5a01 100644 --- a/.gitignore +++ b/.gitignore @@ -1,4 +1,5 @@ *~ +/m4 .*.swp *.[oa] *.l[oa] diff --git a/Makefile.am b/Makefile.am index 1422d22..c4a71ec 100644 --- a/Makefile.am +++ b/Makefile.am @@ -1,3 +1,5 @@ +ACLOCAL_AMFLAGS = -I m4 + opdir = $(datadir)/vyatta-op/templates bin_sudo_usersdir = $(bindir)/sudo-users diff --git a/configure.ac b/configure.ac index 7901d66..74be6b9 100644 --- a/configure.ac +++ b/configure.ac 
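Review bot: The second pattern, `(peer-.*-tunnel-.*?):(\[\d*\])`, only matches when the bracketed instance index comes after the colon; if the status output prints it before the colon (`name[N]: ...`), that branch is dead, and the lazy `.*?` in the first pattern already extends the capture up to the colon, so `[N]` lands inside $connectid via the first match instead — confirm against real `ipsec statusall` output before relying on the `.= $2` append. The leading `peer-.*-tunnel-` is greedy and unanchored, so a line carrying two connection names would capture from the first `peer-` to the last `-tunnel-`; a negated class such as `peer-([^\s:\[]+)-tunnel-([^\s:\[]+)`, or anchoring on the name's position in the line, states the intent explicitly and avoids that. process_tunnels starts before and continues after this hunk.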
@@ -11,6 +11,7 @@ AC_INIT([vyatta-op-vpn], VERSION_ID, [maintainers@vyos.net]) test -n "$VYATTA_VERSION" || VYATTA_VERSION=$PACKAGE_VERSION +AC_CONFIG_MACRO_DIRS([m4]) AC_CONFIG_AUX_DIR([config]) AM_INIT_AUTOMAKE([gnu no-dist-gzip dist-bzip2 subdir-objects]) AC_PREFIX_DEFAULT([/opt/vyatta]) -- cgit v1.2.3 From 23579c359c5d1975c82e7e40c804fe453bea8f0b Mon Sep 17 00:00:00 2001 From: "C.J. Collier" Date: Tue, 10 May 2016 16:39:06 -0700 Subject: Address autoreconf warnings * add /m4 to .gitignore * set ACLOCAL_AMFLAGS in Makefile.am * set AC_CONFIG_MACRO_DIR in configure.ac Signed-off-by: C.J. Collier --- .gitignore | 1 + Makefile.am | 2 ++ configure.ac | 1 + 3 files changed, 4 insertions(+) diff --git a/.gitignore b/.gitignore index 9ebd510..4fb5a01 100644 --- a/.gitignore +++ b/.gitignore @@ -1,4 +1,5 @@ *~ +/m4 .*.swp *.[oa] *.l[oa] diff --git a/Makefile.am b/Makefile.am index 1422d22..c4a71ec 100644 --- a/Makefile.am +++ b/Makefile.am @@ -1,3 +1,5 @@ +ACLOCAL_AMFLAGS = -I m4 + opdir = $(datadir)/vyatta-op/templates bin_sudo_usersdir = $(bindir)/sudo-users diff --git a/configure.ac b/configure.ac index 7901d66..2d5ef35 100644 --- a/configure.ac +++ b/configure.ac @@ -11,6 +11,7 @@ AC_INIT([vyatta-op-vpn], VERSION_ID, [maintainers@vyos.net]) test -n "$VYATTA_VERSION" || VYATTA_VERSION=$PACKAGE_VERSION +AC_CONFIG_MACRO_DIR([m4]) AC_CONFIG_AUX_DIR([config]) AM_INIT_AUTOMAKE([gnu no-dist-gzip dist-bzip2 subdir-objects]) AC_PREFIX_DEFAULT([/opt/vyatta]) -- cgit v1.2.3 From d1beba186b096550075bbc5d1c8b5d745ac90641 Mon Sep 17 00:00:00 2001 From: "C.J. Collier" Date: Tue, 10 May 2016 16:39:06 -0700 Subject: Address autoreconf warnings * add /m4 to .gitignore * set ACLOCAL_AMFLAGS in Makefile.am * set AC_CONFIG_MACRO_DIR in configure.ac * remove and re-create m4 directory before running autoreconf Signed-off-by: C.J. Collier --- .gitignore | 1 + Makefile.am | 2 ++ configure.ac | 1 + debian/autogen.sh | 3 ++- 4 files changed, 6 insertions(+), 1 deletion(-) 
diff --git a/.gitignore b/.gitignore index 9ebd510..4fb5a01 100644 --- a/.gitignore +++ b/.gitignore @@ -1,4 +1,5 @@ *~ +/m4 .*.swp *.[oa] *.l[oa] diff --git a/Makefile.am b/Makefile.am index 1422d22..c4a71ec 100644 --- a/Makefile.am +++ b/Makefile.am @@ -1,3 +1,5 @@ +ACLOCAL_AMFLAGS = -I m4 + opdir = $(datadir)/vyatta-op/templates bin_sudo_usersdir = $(bindir)/sudo-users diff --git a/configure.ac b/configure.ac index 7901d66..2d5ef35 100644 --- a/configure.ac +++ b/configure.ac @@ -11,6 +11,7 @@ AC_INIT([vyatta-op-vpn], VERSION_ID, [maintainers@vyos.net]) test -n "$VYATTA_VERSION" || VYATTA_VERSION=$PACKAGE_VERSION +AC_CONFIG_MACRO_DIR([m4]) AC_CONFIG_AUX_DIR([config]) AM_INIT_AUTOMAKE([gnu no-dist-gzip dist-bzip2 subdir-objects]) AC_PREFIX_DEFAULT([/opt/vyatta]) diff --git a/debian/autogen.sh b/debian/autogen.sh index e8c94af..92719c8 100755 --- a/debian/autogen.sh +++ b/debian/autogen.sh @@ -1,9 +1,10 @@ #!/bin/sh -rm -rf config +rm -rf config m4 rm -f aclocal.m4 config.guess config.statusconfig.sub configure INSTALL +mkdir -p m4 autoreconf --force --install rm -f config.sub config.guess -- cgit v1.2.3 From 286e4186e7185a49bd1be6bc0f7afe77dfcfcdad Mon Sep 17 00:00:00 2001 
From: "C.J. Collier" Date: Wed, 11 May 2016 05:28:30 +0000 Subject: vyatta-op-vpn (0.15.0+vyos2+current2+nmu1) UNRELEASED; urgency=low * Non-maintainer upload. * address lintian issues - script-not-executable: removed #!/usr/bin/perl from .pm files - debhelper-but-no-misc-depends: added ${misc:Depends} to Depends: field - debian-rules-missing-recommended-target: added build-arch build-indep - out-of-date-standards-version: updated standards version to 3.9.4 - package-contains-linda-override: removed linda override - file-in-unusual-dir: not triggering, removed from override - script-with-language-extension: renamed vyatta-gen-x509-keypair.sh vyatta-gen-x509-keypair * address dpkg-gencontrol issue: - unknown substitution variable ${shlibs:Depends} - removed * address dpkg-source issue: - debian/source/format set to "3.0 (native)" Signed-off-by: C.J. Collier --- .gitignore | 1 + Makefile.am | 8 ++-- configure.ac | 25 ++++++++---- debian/changelog | 20 ++++++++++ debian/conffiles | 1 + debian/control | 6 +-- debian/linda | 1 - debian/lintian | 4 +- debian/rules | 13 +++--- debian/source/format | 1 + lib/OPMode.pm | 1 - lib/vpnprof/OPMode.pm | 1 - scripts/key-pair.template | 46 ++++++++++++++++++++-- scripts/vyatta-gen-x509-keypair.sh | 11 ------ scripts/vyatta-gen-x509-keypair.sh.in | 11 ++++++ .../generate/vpn/x509/key-pair/node.tag/node.def | 2 +- 16 files changed, 111 insertions(+), 41 deletions(-) create mode 100644 debian/conffiles delete mode 100644 debian/linda create mode 100644 debian/source/format delete mode 100755 scripts/vyatta-gen-x509-keypair.sh create mode 100755 scripts/vyatta-gen-x509-keypair.sh.in diff --git a/.gitignore b/.gitignore index 4fb5a01..67bea90 100644 --- a/.gitignore +++ b/.gitignore @@ -27,3 +27,4 @@ libtool /Makefile /command_proc_show_vpn +/scripts/vyatta-gen-x509-keypair.sh \ No newline at end of file diff --git a/Makefile.am b/Makefile.am index c4a71ec..f15d7c0 100644 --- a/Makefile.am +++ b/Makefile.am 
@@ -21,10 +21,10 @@ cpiop = find . ! -regex '\(.*~\|.*\.bak\|.*\.swp\|.*\#.*\#\)' -print0 | \ cpio -0pd install-exec-hook: - mkdir -p $(DESTDIR)/opt/vyatta/etc/ - mkdir -p $(DESTDIR)/opt/vyatta/sbin/ - cp scripts/vyatta-gen-x509-keypair.sh $(DESTDIR)/opt/vyatta/sbin - cp scripts/key-pair.template $(DESTDIR)/opt/vyatta/etc + mkdir -p $(DESTDIR)${sysconfdir} + mkdir -p $(DESTDIR)${sbindir} + cp scripts/vyatta-gen-x509-keypair.sh $(DESTDIR)${sbindir}/vyatta-gen-x509-keypair + cp scripts/key-pair.template $(DESTDIR)${sysconfdir} mkdir -p $(DESTDIR)$(opdir) cd templates; $(cpiop) $(DESTDIR)$(opdir) diff --git a/configure.ac b/configure.ac index 2d5ef35..3d9a504 100644 --- a/configure.ac +++ b/configure.ac @@ -1,6 +1,8 @@ # Process this file with autoconf to produce a configure script. AC_PREREQ(2.59) +m4_define([DEFAULT_PREFIX], "/opt/vyatta") + m4_define([VERSION_ID], [m4_esyscmd([ if test -f .version ; then head -n 1 .version | tr -d \\n @@ -14,10 +16,13 @@ test -n "$VYATTA_VERSION" || VYATTA_VERSION=$PACKAGE_VERSION AC_CONFIG_MACRO_DIR([m4]) AC_CONFIG_AUX_DIR([config]) AM_INIT_AUTOMAKE([gnu no-dist-gzip dist-bzip2 subdir-objects]) -AC_PREFIX_DEFAULT([/opt/vyatta]) - -XSLDIR=/opt/vyatta/share/xsl/ +AC_PREFIX_DEFAULT(DEFAULT_PREFIX) +if test "$prefix" = "NONE" ; then + XSLDIR="DEFAULT_PREFIX/share/xsl/" +else + XSLDIR="$prefix/share/xsl/" +fi AC_PROG_CC AC_PROG_CXX @@ -27,17 +32,21 @@ AC_PROG_LIBTOOL AC_PROG_LEX AC_PROG_YACC - AC_ARG_ENABLE([nostrip], AC_HELP_STRING([--enable-nostrip], [include -nostrip option during packaging]), [NOSTRIP=-nostrip], [NOSTRIP=]) -AC_CONFIG_FILES( - [Makefile]) - AC_SUBST(NOSTRIP) AC_SUBST(XSLDIR) -AC_OUTPUT +AC_OUTPUT([ + Makefile + scripts/vyatta-gen-x509-keypair.sh +]) + +echo "prefix: ${prefix}" +echo "sysconfdir: ${sysconfdir}" +echo "datarootdir: ${datarootdir}" +echo "XSLDIR: ${XSLDIR}" diff --git a/debian/changelog b/debian/changelog index fb88360..c7cd4d1 100644 --- a/debian/changelog +++ b/debian/changelog 
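Review bot: `m4_define([DEFAULT_PREFIX], "/opt/vyatta")` uses double quotes, which are not quote characters in m4, so the macro expands to `"/opt/vyatta"` including the quotes; `XSLDIR="DEFAULT_PREFIX/share/xsl/"` therefore becomes `XSLDIR=""/opt/vyatta"/share/xsl/"`, which only works because the shell re-concatenates the pieces. Define it as `m4_define([DEFAULT_PREFIX], [/opt/vyatta])` so that `AC_PREFIX_DEFAULT(DEFAULT_PREFIX)` and the XSLDIR assignment receive the bare path. In the third hunk, passing the file list to `AC_OUTPUT([...])` is the obsolete form; the `AC_CONFIG_FILES([Makefile])` the hunk removes was the right place, so keep `AC_CONFIG_FILES([Makefile scripts/vyatta-gen-x509-keypair.sh])` followed by a bare `AC_OUTPUT`, and prefer `AC_MSG_NOTICE` over raw `echo` for the four summary lines.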
@@ -1,3 +1,23 @@ +vyatta-op-vpn (0.15.0+vyos2+current2+nmu1) UNRELEASED; urgency=low + + * Non-maintainer upload. + * address lintian issues + - script-not-executable: removed #!/usr/bin/perl from .pm files + - debhelper-but-no-misc-depends: added ${misc:Depends} to Depends: field + - debian-rules-missing-recommended-target: added build-arch build-indep + - out-of-date-standards-version: updated standards version to 3.9.4 + - package-contains-linda-override: removed linda override + - file-in-unusual-dir: not triggering, removed from override + - script-with-language-extension: renamed vyatta-gen-x509-keypair.sh + vyatta-gen-x509-keypair + * address dpkg-gencontrol issue: + - unknown substitution variable ${shlibs:Depends} - removed + * address dpkg-source issue: + - debian/source/format set to "3.0 (native)" + + + -- C.J. Collier Wed, 11 May 2016 02:33:38 +0000 + vyatta-op-vpn (0.15.0+vyos2+current2) unstable; urgency=low * Remove vyatta-ipsec dependency for migration to upstream strongswan. diff --git a/debian/conffiles b/debian/conffiles new file mode 100644 index 0000000..8b13789 --- /dev/null +++ b/debian/conffiles @@ -0,0 +1 @@ + diff --git a/debian/control b/debian/control index aeb9c65..c3f2ec0 100644 --- a/debian/control +++ b/debian/control @@ -3,7 +3,7 @@ Section: contrib/net Priority: extra Maintainer: VyOS Package Maintainers Build-Depends: debhelper (>= 5), autotools-dev, automake, autoconf, cpio, libtool -Standards-Version: 3.9.1 +Standards-Version: 3.9.4 Package: vyatta-op-vpn Architecture: all @@ -11,11 +11,11 @@ Depends: vyatta-op, vyatta-bash | bash (>= 3.1), vyatta-cfg-vpn, strongswan (>= 5.2), - ${shlibs:Depends} + ${misc:Depends} Suggests: util-linux (>= 2.13-5), net-tools, ethtool, ncurses-bin (>= 5.5-5), ntpdate Description: VyOS operational commands for IPsec VPN - VyOS commands fpr IPsec VPN operations. + VyOS commands for IPsec VPN operations. diff --git a/debian/linda b/debian/linda deleted file mode 100644 index 0381d9d..0000000 
--- a/debian/linda +++ /dev/null @@ -1 +0,0 @@ -Tag: file-in-opt diff --git a/debian/lintian b/debian/lintian index a5d78e0..7a94f59 100644 --- a/debian/lintian +++ b/debian/lintian @@ -1,2 +1,2 @@ -vyatta-op-vpn: file-in-unusual-dir -vyatta-op-vpn: dir-or-file-in-opt +# It's a hassle to move it out of /opt. I'll get to it later +#vyatta-op-vpn binary: dir-or-file-in-opt diff --git a/debian/rules b/debian/rules index 4b68fde..67f4ee5 100755 --- a/debian/rules +++ b/debian/rules @@ -22,7 +22,8 @@ CFLAGS = -Wall -g configure = ./configure configure += --host=$(DEB_HOST_GNU_TYPE) configure += --build=$(DEB_BUILD_GNU_TYPE) -configure += --prefix=/opt/vyatta +configure += --prefix=/usr +configure += --sysconfdir=/etc configure += --mandir=\$${prefix}/share/man configure += --infodir=\$${prefix}/share/info configure += CFLAGS="$(CFLAGS)" @@ -43,9 +44,10 @@ config.status: configure rm -f config.cache $(configure) -build: build-stamp - -build-stamp: config.status +build: build-arch build-indep +build-arch: build-stamp +build-indep: build-stamp +build-stamp: config.status dh_testdir $(MAKE) touch $@ @@ -68,13 +70,12 @@ clean-patched: install: build dh_testdir dh_testroot - dh_clean -k + dh_prep dh_installdirs $(MAKE) DESTDIR=$(PKGDIR) install install -D --mode=0644 debian/lintian $(PKGDIR)/usr/share/lintian/overrides/$(PACKAGE) - install -D --mode=0644 debian/linda $(PKGDIR)/usr/share/linda/overrides/$(PACKAGE) # Build architecture-independent files here. binary-indep: build install diff --git a/debian/source/format b/debian/source/format new file mode 100644 index 0000000..9f67427 --- /dev/null +++ b/debian/source/format @@ -0,0 +1 @@ +3.0 (native) \ No newline at end of file diff --git a/lib/OPMode.pm b/lib/OPMode.pm index 49bc966..fa51c66 100644 --- a/lib/OPMode.pm +++ b/lib/OPMode.pm @@ -1,4 +1,3 @@ -#!/usr/bin/perl # # Module Vyatta::VPN::OpMode.pm # diff --git a/lib/vpnprof/OPMode.pm b/lib/vpnprof/OPMode.pm index 99c6268..05e1f00 100644 --- a/lib/vpnprof/OPMode.pm 
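Review bot: Switching to `--prefix=/usr` and `--sysconfdir=/etc` relocates everything Makefile.am installs — `opdir = $(datadir)/vyatta-op/templates`, `bin_sudo_usersdir = $(bindir)/sudo-users`, and the new `${sbindir}`/`${sysconfdir}` targets in this commit's install-exec-hook — out of /opt/vyatta, but the operational templates still hard-code the old tree: the node.def changed in this same commit runs `sudo /opt/vyatta/sbin/vyatta-gen-x509-keypair $5`, and the other templates on this page call `/opt/vyatta/bin/sudo-users/vyatta-op-vpn.pl`. After this change those paths will not exist in the built package, and the template directory itself moves to /usr/share/vyatta-op/templates, which the vyatta-op framework may not scan. Either keep the prefix at /opt/vyatta for now (the new debian/lintian comment says moving out of /opt is deferred anyway) or substitute `@sbindir@`/`@bindir@` into the templates the way `@sysconfdir@` is substituted into vyatta-gen-x509-keypair.sh.in. The same mismatch applies to the Makefile.am hunk earlier in this commit and the node.def hunk at its end.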
+++ b/lib/vpnprof/OPMode.pm @@ -1,4 +1,3 @@ -#!/usr/bin/perl # # Module Vyatta::vpnprof::OpMode.pm # diff --git a/scripts/key-pair.template b/scripts/key-pair.template index 5b5b2a6..bbf5eb9 100644 --- a/scripts/key-pair.template +++ b/scripts/key-pair.template @@ -1,10 +1,15 @@ [ req ] - default_bits = 1024 + default_bits = 2048 default_keyfile = privkey.pem distinguished_name = req_distinguished_name + string_mask = utf8only attributes = req_attributes + dirstring_type = nobmp +# SHA-1 is deprecated, so use SHA-2 instead. + default_md = sha256 +# Extension to add when the -x509 option is used. x509_extensions = v3_ca - dirstring_type = nobmp + [ req_distinguished_name ] countryName = Country Name (2 letter code) countryName_min = 2 
@@ -24,4 +29,39 @@ [ v3_ca ] subjectKeyIdentifier=hash authorityKeyIdentifier=keyid:always,issuer:always - basicConstraints = CA:true + basicConstraints = critical, CA:true + keyUsage = critical, digitalSignature, cRLSign, keyCertSign +[ v3_intermediate_ca ] +# Extensions for a typical intermediate CA (`man x509v3_config`). + subjectKeyIdentifier = hash + authorityKeyIdentifier = keyid:always,issuer + basicConstraints = critical, CA:true, pathlen:0 + keyUsage = critical, digitalSignature, cRLSign, keyCertSign +[ usr_cert ] +# Extensions for client certificates (`man x509v3_config`). + basicConstraints = CA:FALSE + nsCertType = client, email + nsComment = "OpenSSL Generated Client Certificate" + subjectKeyIdentifier = hash + authorityKeyIdentifier = keyid,issuer + keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment + extendedKeyUsage = clientAuth, emailProtection +[ server_cert ] +# Extensions for server certificates (`man x509v3_config`). + basicConstraints = CA:FALSE + nsCertType = server + nsComment = "OpenSSL Generated Server Certificate" + subjectKeyIdentifier = hash + authorityKeyIdentifier = keyid,issuer:always + keyUsage = critical, digitalSignature, keyEncipherment + extendedKeyUsage = serverAuth +[ crl_ext ] +# Extension for CRLs (`man x509v3_config`). + authorityKeyIdentifier=keyid:always +[ ocsp ] +# Extension for OCSP signing certificates (`man ocsp`). + basicConstraints = CA:FALSE + subjectKeyIdentifier = hash + authorityKeyIdentifier = keyid,issuer + keyUsage = critical, digitalSignature + extendedKeyUsage = critical, OCSPSigning \ No newline at end of file diff --git a/scripts/vyatta-gen-x509-keypair.sh b/scripts/vyatta-gen-x509-keypair.sh deleted file mode 100755 index 5a66d0a..0000000 --- a/scripts/vyatta-gen-x509-keypair.sh +++ /dev/null 
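Review bot: The new `[ v3_intermediate_ca ]`, `[ usr_cert ]`, `[ server_cert ]`, `[ crl_ext ]` and `[ ocsp ]` sections are not referenced from `[ req ]` — it names only `x509_extensions = v3_ca`, which the file's own new comment says applies with `-x509`, and sets no `req_extensions` — so for the CSR that vyatta-gen-x509-keypair.sh.in produces with `openssl req -new` none of them is consulted; they are dead configuration unless something outside this repository runs `openssl ca` against this file. Either drop them or wire the intended profile in via `req_extensions` and add a comment that the signing CA decides the final extensions. The tightening of `[ v3_ca ]` (`basicConstraints = critical, CA:true` plus `keyUsage = critical, digitalSignature, cRLSign, keyCertSign`) is sound where it does apply, and `[ server_cert ]` using `keyid,issuer:always` while `[ usr_cert ]` uses `keyid,issuer` looks like an unintended inconsistency. The file also ends without a trailing newline.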
@@ -1,11 +0,0 @@ -#!/bin/bash -CN=$1 -genkeypair (){ - openssl req -new -nodes -keyout /config/auth/$CN.key -out /config/auth/$CN.csr -config /opt/vyatta/etc/key-pair.template -} -if [ -f /config/auth/$CN.csr ]; then - read -p "A certificate request named $CN.csr already exists. Overwrite (y/n)?" - [[ $REPLY != y && $REPLY != Y ]] || genkeypair -else - genkeypair -fi diff --git a/scripts/vyatta-gen-x509-keypair.sh.in b/scripts/vyatta-gen-x509-keypair.sh.in new file mode 100755 index 0000000..194ac4f --- /dev/null +++ b/scripts/vyatta-gen-x509-keypair.sh.in @@ -0,0 +1,11 @@ +#!/bin/bash +CN=$1 +genkeypair (){ + openssl req -new -nodes -keyout /config/auth/$CN.key -out /config/auth/$CN.csr -config @sysconfdir@/key-pair.template +} +if [ -f /config/auth/$CN.csr ]; then + read -p "A certificate request named $CN.csr already exists. Overwrite (y/n)?" + [[ $REPLY != y && $REPLY != Y ]] || genkeypair +else + genkeypair +fi diff --git a/templates/generate/vpn/x509/key-pair/node.tag/node.def b/templates/generate/vpn/x509/key-pair/node.tag/node.def index 9882df8..dc21935 100644 --- a/templates/generate/vpn/x509/key-pair/node.tag/node.def +++ b/templates/generate/vpn/x509/key-pair/node.tag/node.def @@ -1,4 +1,4 @@ help: Generate x509 key-pair run: - sudo /opt/vyatta/sbin/vyatta-gen-x509-keypair.sh $5 + sudo /opt/vyatta/sbin/vyatta-gen-x509-keypair $5 allowed: echo -n '' -- cgit v1.2.3 From 578688a25ba784d839512fefafab4cabdaf32fc5 Mon Sep 17 00:00:00 2001 
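Review bot: `$CN` is taken straight from the CLI argument (`$5` in the node.def hunk) and expanded unquoted into `/config/auth/$CN.key`, `/config/auth/$CN.csr`, the `-f` test and the prompt while the script runs under sudo; a name containing whitespace, glob characters or `../` changes which files are created, so validate it against a conservative character set and quote every expansion. The `[[ $REPLY != y && $REPLY != Y ]] || genkeypair` idiom is correct but inverted; `[[ $REPLY == [yY] ]] && genkeypair` says the same thing directly. These issues are carried over from the deleted `.sh`, since this `.sh.in` differs only in the `@sysconfdir@` substitution, but the rename is a natural point to fix them.
```shell
CN=$1
case $CN in
    ''|*[!A-Za-z0-9._-]*) echo "invalid key-pair name: $CN" >&2; exit 1 ;;
esac
genkeypair (){
    openssl req -new -nodes -keyout "/config/auth/$CN.key" -out "/config/auth/$CN.csr" -config @sysconfdir@/key-pair.template
}
if [ -f "/config/auth/$CN.csr" ]; then
    # … unchanged: read -p overwrite prompt …
    [[ $REPLY == [yY] ]] && genkeypair
# … unchanged: else branch and fi …
```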
From: Jeff Leung Date: Sun, 6 Dec 2015 03:16:38 -0500 Subject: Simpilfy the operational commands Instead of trying to parse the outout of ipsec or swanctl, just dump whatever swanctl outputs. --- templates/show/vpn/ipsec/sa/detail/node.def | 3 --- templates/show/vpn/ipsec/sa/detail/peer/node.def | 1 - templates/show/vpn/ipsec/sa/detail/peer/node.tag/node.def | 3 --- templates/show/vpn/ipsec/sa/detail/peer/node.tag/tunnel/node.def | 1 - .../vpn/ipsec/sa/detail/peer/node.tag/tunnel/node.tag/node.def | 3 --- templates/show/vpn/ipsec/sa/detail/profile/node.def | 1 - templates/show/vpn/ipsec/sa/detail/profile/node.tag/node.def | 3 --- .../show/vpn/ipsec/sa/detail/profile/node.tag/tunnel/node.def | 1 - .../ipsec/sa/detail/profile/node.tag/tunnel/node.tag/node.def | 3 --- templates/show/vpn/ipsec/sa/nat-traversal/node.def | 2 -- templates/show/vpn/ipsec/sa/node.def | 9 +++++++-- templates/show/vpn/ipsec/sa/peer/node.def | 1 - templates/show/vpn/ipsec/sa/peer/node.tag/node.def | 3 --- templates/show/vpn/ipsec/sa/peer/node.tag/tunnel/node.def | 1 - .../show/vpn/ipsec/sa/peer/node.tag/tunnel/node.tag/node.def | 3 --- templates/show/vpn/ipsec/sa/profile/node.def | 1 - templates/show/vpn/ipsec/sa/profile/node.tag/node.def | 3 --- templates/show/vpn/ipsec/sa/profile/node.tag/tunnel/node.def | 1 - .../show/vpn/ipsec/sa/profile/node.tag/tunnel/node.tag/node.def | 3 --- templates/show/vpn/ipsec/sa/statistics/node.def | 3 --- templates/show/vpn/ipsec/sa/statistics/peer/node.def | 1 - templates/show/vpn/ipsec/sa/statistics/peer/node.tag/node.def | 3 --- .../show/vpn/ipsec/sa/statistics/peer/node.tag/tunnel/node.def | 1 - .../ipsec/sa/statistics/peer/node.tag/tunnel/node.tag/node.def | 3 --- templates/show/vpn/ipsec/sa/statistics/profile/node.def | 1 - templates/show/vpn/ipsec/sa/statistics/profile/node.tag/node.def | 3 --- .../vpn/ipsec/sa/statistics/profile/node.tag/tunnel/node.def | 1 - .../sa/statistics/profile/node.tag/tunnel/node.tag/node.def | 3 --- 28 files changed, 7 
insertions(+), 58 deletions(-) delete mode 100644 templates/show/vpn/ipsec/sa/detail/node.def delete mode 100644 templates/show/vpn/ipsec/sa/detail/peer/node.def delete mode 100644 templates/show/vpn/ipsec/sa/detail/peer/node.tag/node.def delete mode 100644 templates/show/vpn/ipsec/sa/detail/peer/node.tag/tunnel/node.def delete mode 100644 templates/show/vpn/ipsec/sa/detail/peer/node.tag/tunnel/node.tag/node.def delete mode 100644 templates/show/vpn/ipsec/sa/detail/profile/node.def delete mode 100644 templates/show/vpn/ipsec/sa/detail/profile/node.tag/node.def delete mode 100644 templates/show/vpn/ipsec/sa/detail/profile/node.tag/tunnel/node.def delete mode 100644 templates/show/vpn/ipsec/sa/detail/profile/node.tag/tunnel/node.tag/node.def delete mode 100644 templates/show/vpn/ipsec/sa/nat-traversal/node.def delete mode 100644 templates/show/vpn/ipsec/sa/peer/node.def delete mode 100644 templates/show/vpn/ipsec/sa/peer/node.tag/node.def delete mode 100644 templates/show/vpn/ipsec/sa/peer/node.tag/tunnel/node.def delete mode 100644 templates/show/vpn/ipsec/sa/peer/node.tag/tunnel/node.tag/node.def delete mode 100644 templates/show/vpn/ipsec/sa/profile/node.def delete mode 100644 templates/show/vpn/ipsec/sa/profile/node.tag/node.def delete mode 100644 templates/show/vpn/ipsec/sa/profile/node.tag/tunnel/node.def delete mode 100644 templates/show/vpn/ipsec/sa/profile/node.tag/tunnel/node.tag/node.def delete mode 100644 templates/show/vpn/ipsec/sa/statistics/node.def delete mode 100644 templates/show/vpn/ipsec/sa/statistics/peer/node.def delete mode 100644 templates/show/vpn/ipsec/sa/statistics/peer/node.tag/node.def delete mode 100644 templates/show/vpn/ipsec/sa/statistics/peer/node.tag/tunnel/node.def delete mode 100644 templates/show/vpn/ipsec/sa/statistics/peer/node.tag/tunnel/node.tag/node.def delete mode 100644 templates/show/vpn/ipsec/sa/statistics/profile/node.def delete mode 100644 templates/show/vpn/ipsec/sa/statistics/profile/node.tag/node.def delete mode 
100644 templates/show/vpn/ipsec/sa/statistics/profile/node.tag/tunnel/node.def delete mode 100644 templates/show/vpn/ipsec/sa/statistics/profile/node.tag/tunnel/node.tag/node.def diff --git a/templates/show/vpn/ipsec/sa/detail/node.def b/templates/show/vpn/ipsec/sa/detail/node.def deleted file mode 100644 index 1397817..0000000 --- a/templates/show/vpn/ipsec/sa/detail/node.def +++ /dev/null @@ -1,3 +0,0 @@ -help: Show details for all active IPsec Security Associations (SA) -run: sudo /opt/vyatta/bin/sudo-users/vyatta-op-vpn.pl --show-ipsec-sa-detail - sudo /opt/vyatta/bin/sudo-users/vyatta-op-vpnprof.pl --show-ipsec-sa-detail diff --git a/templates/show/vpn/ipsec/sa/detail/peer/node.def b/templates/show/vpn/ipsec/sa/detail/peer/node.def deleted file mode 100644 index bbb34b8..0000000 --- a/templates/show/vpn/ipsec/sa/detail/peer/node.def +++ /dev/null @@ -1 +0,0 @@ -help: Show details for all active IPsec Security Associations (SA) for a peer diff --git a/templates/show/vpn/ipsec/sa/detail/peer/node.tag/node.def b/templates/show/vpn/ipsec/sa/detail/peer/node.tag/node.def deleted file mode 100644 index cad43ba..0000000 --- a/templates/show/vpn/ipsec/sa/detail/peer/node.tag/node.def +++ /dev/null @@ -1,3 +0,0 @@ -help: Show details for all active IPsec Security Associations (SA) for a peer -allowed: /opt/vyatta/bin/sudo-users/vyatta-op-vpn.pl --get-peers-for-cli -run: sudo /opt/vyatta/bin/sudo-users/vyatta-op-vpn.pl --show-ipsec-sa-peer-detail="$7" diff --git a/templates/show/vpn/ipsec/sa/detail/peer/node.tag/tunnel/node.def b/templates/show/vpn/ipsec/sa/detail/peer/node.tag/tunnel/node.def deleted file mode 100644 index 1bc4f2f..0000000 --- a/templates/show/vpn/ipsec/sa/detail/peer/node.tag/tunnel/node.def +++ /dev/null @@ -1 +0,0 @@ -help: Show details for the active IPsec Security Association (SA) for a peer's tunnel 
diff --git a/templates/show/vpn/ipsec/sa/detail/peer/node.tag/tunnel/node.tag/node.def b/templates/show/vpn/ipsec/sa/detail/peer/node.tag/tunnel/node.tag/node.def deleted file mode 100644 index 470578e..0000000 --- a/templates/show/vpn/ipsec/sa/detail/peer/node.tag/tunnel/node.tag/node.def +++ /dev/null @@ -1,3 +0,0 @@ -help: Show details for the active IPsec Security Associations (SA) for a peer's tunnel -allowed: /opt/vyatta/bin/sudo-users/vyatta-op-vpn.pl --get-conn-for-cli=${COMP_WORDS[6]} -run: sudo /opt/vyatta/bin/sudo-users/vyatta-op-vpn.pl --show-ipsec-sa-conn-detail $7 $9 diff --git a/templates/show/vpn/ipsec/sa/detail/profile/node.def b/templates/show/vpn/ipsec/sa/detail/profile/node.def deleted file mode 100644 index 00a4e7c..0000000 --- a/templates/show/vpn/ipsec/sa/detail/profile/node.def +++ /dev/null @@ -1 +0,0 @@ -help: Show details for all active IPsec Security Associations (SA) for a profile diff --git a/templates/show/vpn/ipsec/sa/detail/profile/node.tag/node.def b/templates/show/vpn/ipsec/sa/detail/profile/node.tag/node.def deleted file mode 100644 index fbb6218..0000000 --- a/templates/show/vpn/ipsec/sa/detail/profile/node.tag/node.def +++ /dev/null @@ -1,3 +0,0 @@ -help: Show details for all active IPsec Security Associations (SA) for a profile -allowed: /opt/vyatta/bin/sudo-users/vyatta-op-vpnprof.pl --get-profiles-for-cli -run: sudo /opt/vyatta/bin/sudo-users/vyatta-op-vpnprof.pl --show-ipsec-sa-profile-detail="$7" diff --git a/templates/show/vpn/ipsec/sa/detail/profile/node.tag/tunnel/node.def b/templates/show/vpn/ipsec/sa/detail/profile/node.tag/tunnel/node.def deleted file mode 100644 index 58100d8..0000000 --- a/templates/show/vpn/ipsec/sa/detail/profile/node.tag/tunnel/node.def +++ /dev/null @@ -1 +0,0 @@ -help: Show details for the active IPsec Security Association (SA) for a tunnel bound to profile 
diff --git a/templates/show/vpn/ipsec/sa/detail/profile/node.tag/tunnel/node.tag/node.def b/templates/show/vpn/ipsec/sa/detail/profile/node.tag/tunnel/node.tag/node.def deleted file mode 100644 index ac5fd14..0000000 --- a/templates/show/vpn/ipsec/sa/detail/profile/node.tag/tunnel/node.tag/node.def +++ /dev/null @@ -1,3 +0,0 @@ -help: Show details for the active IPsec Security Associations (SA) for a tunnel bound to profile -allowed: /opt/vyatta/bin/sudo-users/vyatta-op-vpnprof.pl --get-conn-for-cli=${COMP_WORDS[6]} -run: sudo /opt/vyatta/bin/sudo-users/vyatta-op-vpnprof.pl --show-ipsec-sa-conn-detail $7 $9 diff --git a/templates/show/vpn/ipsec/sa/nat-traversal/node.def b/templates/show/vpn/ipsec/sa/nat-traversal/node.def deleted file mode 100644 index 7ea610b..0000000 --- a/templates/show/vpn/ipsec/sa/nat-traversal/node.def +++ /dev/null @@ -1,2 +0,0 @@ -help: Show all active IPsec Security Associations (SA) that are using NAT Traversal -run: sudo /opt/vyatta/bin/sudo-users/vyatta-op-vpn.pl --show-ipsec-sa-natt diff --git a/templates/show/vpn/ipsec/sa/node.def b/templates/show/vpn/ipsec/sa/node.def index 287d489..be8f108 100644 --- a/templates/show/vpn/ipsec/sa/node.def +++ b/templates/show/vpn/ipsec/sa/node.def @@ -1,3 +1,8 @@ help: Show all active IPsec Security Associations (SA) -run: sudo /opt/vyatta/bin/sudo-users/vyatta-op-vpn.pl --show-ipsec-sa - sudo /opt/vyatta/bin/sudo-users/vyatta-op-vpnprof.pl --show-ipsec-sa + +run: if pgrep charon >&/dev/null; then + sudo /usr/sbin/swanctl --list-sas + else + echo -e "IPSec Process NOT Running\n" + fi + diff --git a/templates/show/vpn/ipsec/sa/peer/node.def b/templates/show/vpn/ipsec/sa/peer/node.def deleted file mode 100644 index 7e5e913..0000000 --- a/templates/show/vpn/ipsec/sa/peer/node.def +++ /dev/null @@ -1 +0,0 @@ -help: Show all active IPsec Security Associations (SA) for a peer 
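Review bot: `pgrep charon` is a regex match against process names without `-x`, so any process whose name contains `charon` satisfies the gate, and the daemon can exit between the check and the `swanctl` call, so the check is a hint rather than a guarantee; `swanctl --list-sas` should already report when it cannot reach the vici socket, so the wrapper mostly changes the message. `pgrep -x charon` narrows the match, and `echo "IPSec Process NOT Running"` avoids the extra blank line that `-e "...\n"` prints. The deleted peer/profile/detail/statistics templates leave no filtered view; if a per-peer form is still wanted, `swanctl --list-sas --ike <name>` can back a `show vpn ipsec sa peer` node without returning to output parsing.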
diff --git a/templates/show/vpn/ipsec/sa/peer/node.tag/node.def b/templates/show/vpn/ipsec/sa/peer/node.tag/node.def deleted file mode 100644 index 559bed5..0000000 --- a/templates/show/vpn/ipsec/sa/peer/node.tag/node.def +++ /dev/null @@ -1,3 +0,0 @@ -help: Show all active IPsec Security Associations (SA) for a peer -allowed: /opt/vyatta/bin/sudo-users/vyatta-op-vpn.pl --get-peers-for-cli -run: sudo /opt/vyatta/bin/sudo-users/vyatta-op-vpn.pl --show-ipsec-sa-peer="$6" diff --git a/templates/show/vpn/ipsec/sa/peer/node.tag/tunnel/node.def b/templates/show/vpn/ipsec/sa/peer/node.tag/tunnel/node.def deleted file mode 100644 index 0772ef3..0000000 --- a/templates/show/vpn/ipsec/sa/peer/node.tag/tunnel/node.def +++ /dev/null @@ -1 +0,0 @@ -help: Show the active IPsec Security Association (SA) for a peer's tunnel diff --git a/templates/show/vpn/ipsec/sa/peer/node.tag/tunnel/node.tag/node.def b/templates/show/vpn/ipsec/sa/peer/node.tag/tunnel/node.tag/node.def deleted file mode 100644 index 195f37a..0000000 --- a/templates/show/vpn/ipsec/sa/peer/node.tag/tunnel/node.tag/node.def +++ /dev/null @@ -1,3 +0,0 @@ -help: Show the active IPsec Security Association (SA) for a peer's tunnel -allowed: /opt/vyatta/bin/sudo-users/vyatta-op-vpn.pl --get-conn-for-cli=${COMP_WORDS[5]} -run: sudo /opt/vyatta/bin/sudo-users/vyatta-op-vpn.pl --show-ipsec-sa-conn $6 $8 diff --git a/templates/show/vpn/ipsec/sa/profile/node.def b/templates/show/vpn/ipsec/sa/profile/node.def deleted file mode 100644 index a0d7b44..0000000 --- a/templates/show/vpn/ipsec/sa/profile/node.def +++ /dev/null @@ -1 +0,0 @@ -help: Show all active IPsec Security Associations (SA) for a profile diff --git a/templates/show/vpn/ipsec/sa/profile/node.tag/node.def b/templates/show/vpn/ipsec/sa/profile/node.tag/node.def deleted file mode 100644 index 76e66a5..0000000 --- a/templates/show/vpn/ipsec/sa/profile/node.tag/node.def +++ /dev/null 
@@ -1,3 +0,0 @@ -help: Show all active IPsec Security Associations (SA) for a profile -allowed: /opt/vyatta/bin/sudo-users/vyatta-op-vpnprof.pl --get-profiles-for-cli -run: sudo /opt/vyatta/bin/sudo-users/vyatta-op-vpnprof.pl --show-ipsec-sa-profile="$6" diff --git a/templates/show/vpn/ipsec/sa/profile/node.tag/tunnel/node.def b/templates/show/vpn/ipsec/sa/profile/node.tag/tunnel/node.def deleted file mode 100644 index ca0ec72..0000000 --- a/templates/show/vpn/ipsec/sa/profile/node.tag/tunnel/node.def +++ /dev/null @@ -1 +0,0 @@ -help: Show the active IPsec Security Association (SA) for a profiles's tunnel diff --git a/templates/show/vpn/ipsec/sa/profile/node.tag/tunnel/node.tag/node.def b/templates/show/vpn/ipsec/sa/profile/node.tag/tunnel/node.tag/node.def deleted file mode 100644 index 3f0af98..0000000 --- a/templates/show/vpn/ipsec/sa/profile/node.tag/tunnel/node.tag/node.def +++ /dev/null @@ -1,3 +0,0 @@ -help: Show the active IPsec Security Association (SA) for a profile's tunnel -allowed: /opt/vyatta/bin/sudo-users/vyatta-op-vpnprof.pl --get-conn-for-cli=${COMP_WORDS[5]} -run: sudo /opt/vyatta/bin/sudo-users/vyatta-op-vpnprof.pl --show-ipsec-sa-conn $6 $8 diff --git a/templates/show/vpn/ipsec/sa/statistics/node.def b/templates/show/vpn/ipsec/sa/statistics/node.def deleted file mode 100644 index 84fa4b7..0000000 --- a/templates/show/vpn/ipsec/sa/statistics/node.def +++ /dev/null @@ -1,3 +0,0 @@ -help: Show statistics of all active tunnels that have IPsec Security Associations (SA) -run: sudo /opt/vyatta/bin/sudo-users/vyatta-op-vpn.pl --show-ipsec-sa-stats - sudo /opt/vyatta/bin/sudo-users/vyatta-op-vpnprof.pl --show-ipsec-sa-stats diff --git a/templates/show/vpn/ipsec/sa/statistics/peer/node.def b/templates/show/vpn/ipsec/sa/statistics/peer/node.def deleted file mode 100644 index b104a83..0000000 --- a/templates/show/vpn/ipsec/sa/statistics/peer/node.def +++ /dev/null @@ -1 +0,0 @@ -help: Show stats for all active IPsec Security Associations (SA) for a peer 
diff --git a/templates/show/vpn/ipsec/sa/statistics/peer/node.tag/node.def b/templates/show/vpn/ipsec/sa/statistics/peer/node.tag/node.def deleted file mode 100644 index 758333e..0000000 --- a/templates/show/vpn/ipsec/sa/statistics/peer/node.tag/node.def +++ /dev/null @@ -1,3 +0,0 @@ -help: Show stats for all active IPsec Security Associations (SA) for a peer -allowed: /opt/vyatta/bin/sudo-users/vyatta-op-vpn.pl --get-peers-for-cli -run: sudo /opt/vyatta/bin/sudo-users/vyatta-op-vpn.pl --show-ipsec-sa-stats-peer="$7" diff --git a/templates/show/vpn/ipsec/sa/statistics/peer/node.tag/tunnel/node.def b/templates/show/vpn/ipsec/sa/statistics/peer/node.tag/tunnel/node.def deleted file mode 100644 index 561cd42..0000000 --- a/templates/show/vpn/ipsec/sa/statistics/peer/node.tag/tunnel/node.def +++ /dev/null @@ -1 +0,0 @@ -help: Show stats for the active IPsec Security Association (SA) for a peer's tunnel diff --git a/templates/show/vpn/ipsec/sa/statistics/peer/node.tag/tunnel/node.tag/node.def b/templates/show/vpn/ipsec/sa/statistics/peer/node.tag/tunnel/node.tag/node.def deleted file mode 100644 index 1902c22..0000000 --- a/templates/show/vpn/ipsec/sa/statistics/peer/node.tag/tunnel/node.tag/node.def +++ /dev/null @@ -1,3 +0,0 @@ -help: Show stats for the active IPsec Security Association (SA) for a peer's tunnel -allowed: /opt/vyatta/bin/sudo-users/vyatta-op-vpn.pl --get-conn-for-cli=${COMP_WORDS[6]} -run: sudo /opt/vyatta/bin/sudo-users/vyatta-op-vpn.pl --show-ipsec-sa-stats-conn $7 $9 diff --git a/templates/show/vpn/ipsec/sa/statistics/profile/node.def b/templates/show/vpn/ipsec/sa/statistics/profile/node.def deleted file mode 100644 index 7b5e040..0000000 --- a/templates/show/vpn/ipsec/sa/statistics/profile/node.def +++ /dev/null @@ -1 +0,0 @@ -help: Show stats for all active IPsec Security Associations (SA) for a profile 
diff --git a/templates/show/vpn/ipsec/sa/statistics/profile/node.tag/node.def b/templates/show/vpn/ipsec/sa/statistics/profile/node.tag/node.def deleted file mode 100644 index 9d49f44..0000000 --- a/templates/show/vpn/ipsec/sa/statistics/profile/node.tag/node.def +++ /dev/null @@ -1,3 +0,0 @@ -help: Show stats for all active IPsec Security Associations (SA) for a profile -allowed: /opt/vyatta/bin/sudo-users/vyatta-op-vpnprof.pl --get-profiles-for-cli -run: sudo /opt/vyatta/bin/sudo-users/vyatta-op-vpnprof.pl --show-ipsec-sa-stats-profile="$7" diff --git a/templates/show/vpn/ipsec/sa/statistics/profile/node.tag/tunnel/node.def b/templates/show/vpn/ipsec/sa/statistics/profile/node.tag/tunnel/node.def deleted file mode 100644 index 4b131c5..0000000 --- a/templates/show/vpn/ipsec/sa/statistics/profile/node.tag/tunnel/node.def +++ /dev/null @@ -1 +0,0 @@ -help: Show stats for the active IPsec Security Association (SA) for a tunnel bound to profile diff --git a/templates/show/vpn/ipsec/sa/statistics/profile/node.tag/tunnel/node.tag/node.def b/templates/show/vpn/ipsec/sa/statistics/profile/node.tag/tunnel/node.tag/node.def deleted file mode 100644 index b8aa7dc..0000000 --- a/templates/show/vpn/ipsec/sa/statistics/profile/node.tag/tunnel/node.tag/node.def +++ /dev/null @@ -1,3 +0,0 @@ -help: Show stats for the active IPsec Security Association (SA) for a tunnel bound to profile -allowed: /opt/vyatta/bin/sudo-users/vyatta-op-vpnprof.pl --get-conn-for-cli=${COMP_WORDS[6]} -run: sudo /opt/vyatta/bin/sudo-users/vyatta-op-vpnprof.pl --show-ipsec-sa-stats-conn $7 $9 -- cgit v1.2.3 From 6ed20a24270b1b33b9a5e4595938590a8d2a76fb Mon Sep 17 00:00:00 2001 
From: Jeff Leung Date: Sat, 31 Jan 2015 05:17:48 +0000 Subject: Bring the VPN tunnel down and up as opposed to commenting it out in the ipsec.conf file Commenting out the tunnel and restoring it does not reset the tunnel. Use the ipsec commands to actually bring it down and back up to properly reset the tunnel. --- scripts/vyatta-vpn-op.pl | 27 +++++---------------------- 1 file changed, 5 insertions(+), 22 deletions(-) diff --git a/scripts/vyatta-vpn-op.pl b/scripts/vyatta-vpn-op.pl index f862ef7..55ea1d5 100755 --- a/scripts/vyatta-vpn-op.pl +++ b/scripts/vyatta-vpn-op.pl @@ -44,28 +44,11 @@ sub clear_tunnel { my $cmd = undef; print "Resetting tunnel $tunnel with peer $peer...\n"; - - # back-up ipsec.conf - `sudo cp /etc/ipsec.conf /etc/ipsec.conf.bak.\$PPID`; - - # remove specific connection from ipsec.conf - `sudo sed -i -e '/conn peer-$peer-tunnel-$tunnel/,/#conn peer-$peer-tunnel-$tunnel/d' /etc/ipsec.conf`; - - # update ipsec connections - `sudo /usr/sbin/ipsec update >&/dev/null`; - - # sleep for 1/4th of a second for connection to go down - `sudo sleep 0.25`; - - # move original ipsec.conf back - `sudo mv /etc/ipsec.conf.bak.\$PPID /etc/ipsec.conf`; - - # update ipsec connections - `sudo /usr/sbin/ipsec update >&/dev/null`; - - # sleep for 3/4th of a second for connection to come up - # this gives us sometime before bringing clearing another tunnel - `sudo sleep 0.75`; + + # bring down the tunnel + `sudo /usr/sbin/ipsec down peer-$peer-tunnel-$tunnel`; + # bring up the tunnel + `sudo /usr/sbin/ipsec up peer-$peer-tunnel-$tunnel`; } if ($op eq '') { -- cgit v1.2.3 From 12b2b88d03ce3527a46abc3c1e5cf9e8b8cd5238 Mon Sep 17 00:00:00 2001 
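Review bot: The two new backtick commands interpolate `$peer` and `$tunnel` straight into a shell command line, so any shell metacharacter in a peer or tunnel value becomes part of the command; the sub's parameter unpacking is outside the hunk, so whether these values are validated before reaching clear_tunnel cannot be seen here. Use list-form `system()` so no shell is involved, and check the exit status, which the backticks discard (the replaced body discarded it as well). `my $cmd = undef;` at the top of the hunk is not used by the new body and can be removed. The 0.25s/0.75s settling sleeps went away together with the config rewrite; if `ipsec up` issued immediately after `ipsec down` turns out to race the daemon, that is the first place to look.
```perl
    my $conn = "peer-$peer-tunnel-$tunnel";
    # list-form system() passes the arguments without a shell, so the peer
    # and tunnel values cannot alter the command; report failures instead
    # of discarding the exit status
    for my $action (qw(down up)) {
        system('sudo', '/usr/sbin/ipsec', $action, $conn) == 0
            or warn "ipsec $action $conn failed: $?\n";
    }
```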
From: Jeff Leung Date: Wed, 28 Jan 2015 08:26:51 +0000 Subject: Update pluto.pid references to charon.pid Since pluto doesn't exist anymore in strongSwan 5.0 and later series, we are updating references from pluto* to charon*. --- lib/OPMode.pm | 2 +- scripts/vyatta-show-ipsec-status.pl | 2 +- templates/restart/vpn/node.def | 2 +- templates/show/vpn/debug/detail/node.def | 2 +- templates/show/vpn/debug/node.def | 2 +- templates/show/vpn/debug/peer/node.tag/node.def | 2 +- templates/show/vpn/debug/peer/node.tag/tunnel/node.tag/node.def | 2 +- templates/show/vpn/ipsec/status/node.def | 2 +- 8 files changed, 8 insertions(+), 8 deletions(-) diff --git a/lib/OPMode.pm b/lib/OPMode.pm index 49bc966..7502788 100644 --- a/lib/OPMode.pm +++ b/lib/OPMode.pm @@ -870,7 +870,7 @@ sub show_ipsec_sa_natt display_ipsec_sa_brief(\%tmphash); } sub show_ike_status{ - my $process_id = `sudo cat /var/run/pluto.pid`; + my $process_id = `sudo cat /var/run/charon.pid`; chomp $process_id; print </dev/null | grep 'newest IPsec SA: #' | grep -v 'newest IPsec SA: #0' | wc -l`; chomp $process_id; chomp $active_tunnels; diff --git a/templates/restart/vpn/node.def b/templates/restart/vpn/node.def index 7cb9387..6d0f50c 100644 --- a/templates/restart/vpn/node.def +++ b/templates/restart/vpn/node.def @@ -1,7 +1,7 @@ help: Restart IPsec VPN run: if [ -n "$(cli-shell-api returnActiveValues \ vpn ipsec ipsec-interfaces interface)" ]; then - if pgrep pluto > /dev/null + if pgrep charon > /dev/null then /opt/vyatta/bin/sudo-users/vyatta-vpn-op.pl --op=clear-vpn-ipsec-process else diff --git a/templates/show/vpn/debug/detail/node.def b/templates/show/vpn/debug/detail/node.def index ee3604d..0f88f1e 100644 --- a/templates/show/vpn/debug/detail/node.def +++ b/templates/show/vpn/debug/detail/node.def 
@@ -1,7 +1,7 @@ help: Show detailed VPN debugging information run: if [ -n "$(cli-shell-api returnActiveValues \ vpn ipsec ipsec-interfaces interface)" ]; then - if pgrep pluto > /dev/null + if pgrep charon > /dev/null then /opt/vyatta/bin/sudo-users/vyatta-vpn-op.pl --op=show-vpn-debug-detail else diff --git a/templates/show/vpn/debug/node.def b/templates/show/vpn/debug/node.def index 7a33888..281228a 100644 --- a/templates/show/vpn/debug/node.def +++ b/templates/show/vpn/debug/node.def @@ -1,7 +1,7 @@ help: Show VPN debugging information run: if [ -n "$(cli-shell-api returnActiveValues \ vpn ipsec ipsec-interfaces interface)" ]; then - if pgrep pluto > /dev/null + if pgrep charon > /dev/null then /opt/vyatta/bin/sudo-users/vyatta-vpn-op.pl --op=show-vpn-debug else diff --git a/templates/show/vpn/debug/peer/node.tag/node.def b/templates/show/vpn/debug/peer/node.tag/node.def index a27063a..a3a9573 100644 --- a/templates/show/vpn/debug/peer/node.tag/node.def +++ b/templates/show/vpn/debug/peer/node.tag/node.def @@ -2,7 +2,7 @@ help: Show debugging information for a peer allowed: /opt/vyatta/bin/sudo-users/vyatta-op-vpn.pl --get-peers-for-cli run: if [ -n "$(cli-shell-api returnActiveValues \ vpn ipsec ipsec-interfaces interface)" ]; then - if pgrep pluto > /dev/null + if pgrep charon > /dev/null then /opt/vyatta/bin/sudo-users/vyatta-vpn-op.pl --op=show-vpn-debug | grep peer-$5 else diff --git a/templates/show/vpn/debug/peer/node.tag/tunnel/node.tag/node.def b/templates/show/vpn/debug/peer/node.tag/tunnel/node.tag/node.def index c141ac0..3c96973 100644 --- a/templates/show/vpn/debug/peer/node.tag/tunnel/node.tag/node.def +++ b/templates/show/vpn/debug/peer/node.tag/tunnel/node.tag/node.def 
@@ -2,7 +2,7 @@ help: Show debugging information for a peer's tunnel allowed: /opt/vyatta/bin/sudo-users/vyatta-op-vpn.pl --get-conn-for-cli=${COMP_WORDS[4]} run: if [ -n "$(cli-shell-api returnActiveValues \ vpn ipsec ipsec-interfaces interface)" ]; then - if pgrep pluto > /dev/null + if pgrep charon > /dev/null then /opt/vyatta/bin/sudo-users/vyatta-vpn-op.pl --op=show-vpn-debug | grep "peer-$5-tunnel-$7" else diff --git a/templates/show/vpn/ipsec/status/node.def b/templates/show/vpn/ipsec/status/node.def index bf4ebf7..3c48c60 100644 --- a/templates/show/vpn/ipsec/status/node.def +++ b/templates/show/vpn/ipsec/status/node.def @@ -1,5 +1,5 @@ help: Show status of IPsec process -run: if pgrep pluto >&/dev/null; then +run: if pgrep charon >&/dev/null; then /opt/vyatta/bin/sudo-users/vyatta-show-ipsec-status.pl else echo -e "IPSec Process NOT Running\n" -- cgit v1.2.3 From 020165ce5b9643ff3b9c96bd4a30c981a5d5d78d Mon Sep 17 00:00:00 2001 From: "C.J. Collier" Date: Wed, 11 May 2016 06:42:43 +0000 Subject: vyatta-op-vpn (0.15.0+vyos2+current2+nmu1) UNRELEASED; urgency=low * Non-maintainer upload. * address lintian issues - script-not-executable: removed #!/usr/bin/perl from .pm files - debhelper-but-no-misc-depends: added ${misc:Depends} to Depends: field - debian-rules-missing-recommended-target: added build-arch build-indep - out-of-date-standards-version: updated standards version to 3.9.4 - package-contains-linda-override: removed linda override - file-in-unusual-dir: not triggering, removed from override - script-with-language-extension: renamed vyatta-gen-x509-keypair.sh vyatta-gen-x509-keypair * address dpkg-gencontrol issue: - unknown substitution variable ${shlibs:Depends} - removed * address dpkg-source issue: - debian/source/format set to "3.0 (native)" * removed all references to /opt/vyatta but one from source 
Signed-off-by: C.J. Collier --- .gitignore | 42 +++++- Makefile.am | 6 +- configure.ac | 55 +++++++- debian/autogen.sh | 4 +- m4/relpaths.m4 | 155 +++++++++++++++++++++ scripts/vyatta-gen-x509-keypair.in | 11 ++ scripts/vyatta-gen-x509-keypair.sh.in | 11 -- .../generate/vpn/rsa-key/bits/node.tag/node.def | 3 - .../generate/vpn/rsa-key/bits/node.tag/node.def.in | 3 + .../rsa-key/bits/node.tag/random/node.tag/node.def | 3 - .../bits/node.tag/random/node.tag/node.def.in | 3 + templates/generate/vpn/rsa-key/node.def | 2 - templates/generate/vpn/rsa-key/node.def.in | 2 + .../generate/vpn/x509/key-pair/node.tag/node.def | 4 - .../vpn/x509/key-pair/node.tag/node.def.in | 4 + templates/reset/vpn/ipsec-peer/node.tag/node.def | 6 - .../reset/vpn/ipsec-peer/node.tag/node.def.in | 6 + .../ipsec-peer/node.tag/tunnel/node.tag/node.def | 10 -- .../node.tag/tunnel/node.tag/node.def.in | 10 ++ .../reset/vpn/ipsec-peer/node.tag/vti/node.def | 5 - .../reset/vpn/ipsec-peer/node.tag/vti/node.def.in | 5 + .../reset/vpn/ipsec-profile/node.tag/node.def | 6 - .../reset/vpn/ipsec-profile/node.tag/node.def.in | 6 + .../node.tag/tunnel/node.tag/node.def | 10 -- .../node.tag/tunnel/node.tag/node.def.in | 10 ++ templates/restart/vpn/node.def | 12 -- templates/restart/vpn/node.def.in | 12 ++ templates/show/vpn/debug/detail/node.def | 12 -- templates/show/vpn/debug/detail/node.def.in | 12 ++ templates/show/vpn/debug/node.def | 12 -- templates/show/vpn/debug/node.def.in | 12 ++ templates/show/vpn/debug/peer/node.tag/node.def | 14 -- templates/show/vpn/debug/peer/node.tag/node.def.in | 14 ++ .../debug/peer/node.tag/tunnel/node.tag/node.def | 14 -- .../peer/node.tag/tunnel/node.tag/node.def.in | 14 ++ templates/show/vpn/ike/rsa-keys/node.def | 2 - templates/show/vpn/ike/rsa-keys/node.def.in | 2 + templates/show/vpn/ike/sa/nat-traversal/node.def | 2 - .../show/vpn/ike/sa/nat-traversal/node.def.in | 2 + templates/show/vpn/ike/sa/node.def | 2 - templates/show/vpn/ike/sa/node.def.in | 2 + 
templates/show/vpn/ike/sa/peer/node.tag/node.def | 3 - .../show/vpn/ike/sa/peer/node.tag/node.def.in | 3 + templates/show/vpn/ike/secrets/node.def | 2 - templates/show/vpn/ike/secrets/node.def.in | 2 + templates/show/vpn/ike/status/node.def | 2 - templates/show/vpn/ike/status/node.def.in | 2 + templates/show/vpn/ipsec/sa/detail/node.def | 3 - templates/show/vpn/ipsec/sa/detail/node.def.in | 3 + .../vpn/ipsec/sa/detail/peer/node.tag/node.def | 3 - .../vpn/ipsec/sa/detail/peer/node.tag/node.def.in | 3 + .../detail/peer/node.tag/tunnel/node.tag/node.def | 3 - .../peer/node.tag/tunnel/node.tag/node.def.in | 3 + .../vpn/ipsec/sa/detail/profile/node.tag/node.def | 3 - .../ipsec/sa/detail/profile/node.tag/node.def.in | 3 + .../profile/node.tag/tunnel/node.tag/node.def | 3 - .../profile/node.tag/tunnel/node.tag/node.def.in | 3 + templates/show/vpn/ipsec/sa/nat-traversal/node.def | 2 - .../show/vpn/ipsec/sa/nat-traversal/node.def.in | 2 + templates/show/vpn/ipsec/sa/node.def | 3 - templates/show/vpn/ipsec/sa/node.def.in | 3 + templates/show/vpn/ipsec/sa/peer/node.tag/node.def | 3 - .../show/vpn/ipsec/sa/peer/node.tag/node.def.in | 3 + .../sa/peer/node.tag/tunnel/node.tag/node.def | 3 - .../sa/peer/node.tag/tunnel/node.tag/node.def.in | 3 + .../show/vpn/ipsec/sa/profile/node.tag/node.def | 3 - .../show/vpn/ipsec/sa/profile/node.tag/node.def.in | 3 + .../sa/profile/node.tag/tunnel/node.tag/node.def | 3 - .../profile/node.tag/tunnel/node.tag/node.def.in | 3 + templates/show/vpn/ipsec/sa/statistics/node.def | 3 - templates/show/vpn/ipsec/sa/statistics/node.def.in | 3 + .../vpn/ipsec/sa/statistics/peer/node.tag/node.def | 3 - .../ipsec/sa/statistics/peer/node.tag/node.def.in | 3 + .../peer/node.tag/tunnel/node.tag/node.def | 3 - .../peer/node.tag/tunnel/node.tag/node.def.in | 3 + .../ipsec/sa/statistics/profile/node.tag/node.def | 3 - .../sa/statistics/profile/node.tag/node.def.in | 3 + .../profile/node.tag/tunnel/node.tag/node.def | 3 - 
.../profile/node.tag/tunnel/node.tag/node.def.in | 3 + templates/show/vpn/ipsec/status/node.def | 6 - templates/show/vpn/ipsec/status/node.def.in | 6 + 81 files changed, 439 insertions(+), 203 deletions(-) create mode 100644 m4/relpaths.m4 create mode 100755 scripts/vyatta-gen-x509-keypair.in delete mode 100755 scripts/vyatta-gen-x509-keypair.sh.in delete mode 100644 templates/generate/vpn/rsa-key/bits/node.tag/node.def create mode 100644 templates/generate/vpn/rsa-key/bits/node.tag/node.def.in delete mode 100644 templates/generate/vpn/rsa-key/bits/node.tag/random/node.tag/node.def create mode 100644 templates/generate/vpn/rsa-key/bits/node.tag/random/node.tag/node.def.in delete mode 100644 templates/generate/vpn/rsa-key/node.def create mode 100644 templates/generate/vpn/rsa-key/node.def.in delete mode 100644 templates/generate/vpn/x509/key-pair/node.tag/node.def create mode 100644 templates/generate/vpn/x509/key-pair/node.tag/node.def.in delete mode 100644 templates/reset/vpn/ipsec-peer/node.tag/node.def create mode 100644 templates/reset/vpn/ipsec-peer/node.tag/node.def.in delete mode 100644 templates/reset/vpn/ipsec-peer/node.tag/tunnel/node.tag/node.def create mode 100644 templates/reset/vpn/ipsec-peer/node.tag/tunnel/node.tag/node.def.in delete mode 100644 templates/reset/vpn/ipsec-peer/node.tag/vti/node.def create mode 100644 templates/reset/vpn/ipsec-peer/node.tag/vti/node.def.in delete mode 100644 templates/reset/vpn/ipsec-profile/node.tag/node.def create mode 100644 templates/reset/vpn/ipsec-profile/node.tag/node.def.in delete mode 100644 templates/reset/vpn/ipsec-profile/node.tag/tunnel/node.tag/node.def create mode 100644 templates/reset/vpn/ipsec-profile/node.tag/tunnel/node.tag/node.def.in delete mode 100644 templates/restart/vpn/node.def create mode 100644 templates/restart/vpn/node.def.in delete mode 100644 templates/show/vpn/debug/detail/node.def create mode 100644 templates/show/vpn/debug/detail/node.def.in delete mode 100644 
templates/show/vpn/debug/node.def create mode 100644 templates/show/vpn/debug/node.def.in delete mode 100644 templates/show/vpn/debug/peer/node.tag/node.def create mode 100644 templates/show/vpn/debug/peer/node.tag/node.def.in delete mode 100644 templates/show/vpn/debug/peer/node.tag/tunnel/node.tag/node.def create mode 100644 templates/show/vpn/debug/peer/node.tag/tunnel/node.tag/node.def.in delete mode 100644 templates/show/vpn/ike/rsa-keys/node.def create mode 100644 templates/show/vpn/ike/rsa-keys/node.def.in delete mode 100644 templates/show/vpn/ike/sa/nat-traversal/node.def create mode 100644 templates/show/vpn/ike/sa/nat-traversal/node.def.in delete mode 100644 templates/show/vpn/ike/sa/node.def create mode 100644 templates/show/vpn/ike/sa/node.def.in delete mode 100644 templates/show/vpn/ike/sa/peer/node.tag/node.def create mode 100644 templates/show/vpn/ike/sa/peer/node.tag/node.def.in delete mode 100644 templates/show/vpn/ike/secrets/node.def create mode 100644 templates/show/vpn/ike/secrets/node.def.in delete mode 100644 templates/show/vpn/ike/status/node.def create mode 100644 templates/show/vpn/ike/status/node.def.in delete mode 100644 templates/show/vpn/ipsec/sa/detail/node.def create mode 100644 templates/show/vpn/ipsec/sa/detail/node.def.in delete mode 100644 templates/show/vpn/ipsec/sa/detail/peer/node.tag/node.def create mode 100644 templates/show/vpn/ipsec/sa/detail/peer/node.tag/node.def.in delete mode 100644 templates/show/vpn/ipsec/sa/detail/peer/node.tag/tunnel/node.tag/node.def create mode 100644 templates/show/vpn/ipsec/sa/detail/peer/node.tag/tunnel/node.tag/node.def.in delete mode 100644 templates/show/vpn/ipsec/sa/detail/profile/node.tag/node.def create mode 100644 templates/show/vpn/ipsec/sa/detail/profile/node.tag/node.def.in delete mode 100644 templates/show/vpn/ipsec/sa/detail/profile/node.tag/tunnel/node.tag/node.def create mode 100644 templates/show/vpn/ipsec/sa/detail/profile/node.tag/tunnel/node.tag/node.def.in delete mode 100644 
templates/show/vpn/ipsec/sa/nat-traversal/node.def create mode 100644 templates/show/vpn/ipsec/sa/nat-traversal/node.def.in delete mode 100644 templates/show/vpn/ipsec/sa/node.def create mode 100644 templates/show/vpn/ipsec/sa/node.def.in delete mode 100644 templates/show/vpn/ipsec/sa/peer/node.tag/node.def create mode 100644 templates/show/vpn/ipsec/sa/peer/node.tag/node.def.in delete mode 100644 templates/show/vpn/ipsec/sa/peer/node.tag/tunnel/node.tag/node.def create mode 100644 templates/show/vpn/ipsec/sa/peer/node.tag/tunnel/node.tag/node.def.in delete mode 100644 templates/show/vpn/ipsec/sa/profile/node.tag/node.def create mode 100644 templates/show/vpn/ipsec/sa/profile/node.tag/node.def.in delete mode 100644 templates/show/vpn/ipsec/sa/profile/node.tag/tunnel/node.tag/node.def create mode 100644 templates/show/vpn/ipsec/sa/profile/node.tag/tunnel/node.tag/node.def.in delete mode 100644 templates/show/vpn/ipsec/sa/statistics/node.def create mode 100644 templates/show/vpn/ipsec/sa/statistics/node.def.in delete mode 100644 templates/show/vpn/ipsec/sa/statistics/peer/node.tag/node.def create mode 100644 templates/show/vpn/ipsec/sa/statistics/peer/node.tag/node.def.in delete mode 100644 templates/show/vpn/ipsec/sa/statistics/peer/node.tag/tunnel/node.tag/node.def create mode 100644 templates/show/vpn/ipsec/sa/statistics/peer/node.tag/tunnel/node.tag/node.def.in delete mode 100644 templates/show/vpn/ipsec/sa/statistics/profile/node.tag/node.def create mode 100644 templates/show/vpn/ipsec/sa/statistics/profile/node.tag/node.def.in delete mode 100644 templates/show/vpn/ipsec/sa/statistics/profile/node.tag/tunnel/node.tag/node.def create mode 100644 templates/show/vpn/ipsec/sa/statistics/profile/node.tag/tunnel/node.tag/node.def.in delete mode 100644 templates/show/vpn/ipsec/status/node.def create mode 100644 templates/show/vpn/ipsec/status/node.def.in diff --git a/.gitignore b/.gitignore index 67bea90..470b73c 100644 --- a/.gitignore +++ b/.gitignore 
@@ -1,5 +1,6 @@ *~ -/m4 +m4/lt*.m4 +m4/libtool.m4 .*.swp *.[oa] *.l[oa] 
@@ -27,4 +28,41 @@ libtool /Makefile /command_proc_show_vpn -/scripts/vyatta-gen-x509-keypair.sh \ No newline at end of file +templates/generate/vpn/rsa-key/bits/node.tag/node.def +templates/generate/vpn/rsa-key/bits/node.tag/random/node.tag/node.def +templates/generate/vpn/rsa-key/node.def +templates/generate/vpn/x509/key-pair/node.tag/node.def +templates/reset/vpn/ipsec-peer/node.tag/node.def +templates/reset/vpn/ipsec-peer/node.tag/tunnel/node.tag/node.def +templates/reset/vpn/ipsec-peer/node.tag/vti/node.def +templates/reset/vpn/ipsec-profile/node.tag/node.def +templates/reset/vpn/ipsec-profile/node.tag/tunnel/node.tag/node.def +templates/restart/vpn/node.def +templates/show/vpn/debug/detail/node.def +templates/show/vpn/debug/node.def +templates/show/vpn/debug/peer/node.tag/node.def +templates/show/vpn/debug/peer/node.tag/tunnel/node.tag/node.def +templates/show/vpn/ike/rsa-keys/node.def +templates/show/vpn/ike/sa/nat-traversal/node.def +templates/show/vpn/ike/sa/node.def +templates/show/vpn/ike/sa/peer/node.tag/node.def +templates/show/vpn/ike/secrets/node.def +templates/show/vpn/ike/status/node.def +templates/show/vpn/ipsec/sa/detail/node.def +templates/show/vpn/ipsec/sa/detail/peer/node.tag/node.def +templates/show/vpn/ipsec/sa/detail/peer/node.tag/tunnel/node.tag/node.def +templates/show/vpn/ipsec/sa/detail/profile/node.tag/node.def +templates/show/vpn/ipsec/sa/detail/profile/node.tag/tunnel/node.tag/node.def +templates/show/vpn/ipsec/sa/nat-traversal/node.def +templates/show/vpn/ipsec/sa/node.def +templates/show/vpn/ipsec/sa/peer/node.tag/node.def +templates/show/vpn/ipsec/sa/peer/node.tag/tunnel/node.tag/node.def +templates/show/vpn/ipsec/sa/profile/node.tag/node.def +templates/show/vpn/ipsec/sa/profile/node.tag/tunnel/node.tag/node.def +templates/show/vpn/ipsec/sa/statistics/node.def +templates/show/vpn/ipsec/sa/statistics/peer/node.tag/node.def +templates/show/vpn/ipsec/sa/statistics/peer/node.tag/tunnel/node.tag/node.def 
+templates/show/vpn/ipsec/sa/statistics/profile/node.tag/node.def +templates/show/vpn/ipsec/sa/statistics/profile/node.tag/tunnel/node.tag/node.def +templates/show/vpn/ipsec/status/node.def +/scripts/vyatta-gen-x509-keypair \ No newline at end of file diff --git a/Makefile.am b/Makefile.am index f15d7c0..490b1f1 100644 --- a/Makefile.am +++ b/Makefile.am @@ -21,11 +21,9 @@ cpiop = find . ! -regex '\(.*~\|.*\.bak\|.*\.swp\|.*\#.*\#\)' -print0 | \ cpio -0pd install-exec-hook: - mkdir -p $(DESTDIR)${sysconfdir} - mkdir -p $(DESTDIR)${sbindir} - cp scripts/vyatta-gen-x509-keypair.sh $(DESTDIR)${sbindir}/vyatta-gen-x509-keypair + mkdir -p $(DESTDIR)${sysconfdir} $(DESTDIR)${sbindir} $(DESTDIR)$(opdir) + cp scripts/vyatta-gen-x509-keypair $(DESTDIR)${sbindir}/ cp scripts/key-pair.template $(DESTDIR)${sysconfdir} - mkdir -p $(DESTDIR)$(opdir) cd templates; $(cpiop) $(DESTDIR)$(opdir) diff --git a/configure.ac b/configure.ac index 3d9a504..6002c2d 100644 --- a/configure.ac +++ b/configure.ac @@ -1,7 +1,7 @@ # Process this file with autoconf to produce a configure script. AC_PREREQ(2.59) -m4_define([DEFAULT_PREFIX], "/opt/vyatta") +m4_define([DEFAULT_PREFIX], [/opt/vyatta]) m4_define([VERSION_ID], [m4_esyscmd([ if test -f .version ; then @@ -24,6 +24,9 @@ else XSLDIR="$prefix/share/xsl/" fi +adl_RECURSIVE_EVAL([$bindir/sudo-users/],[SUDOUSRDIR]) +adl_RECURSIVE_EVAL([$sbindir/],[SBINDIR]) + AC_PROG_CC AC_PROG_CXX AM_PROG_AS 
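Review bot: Both new `adl_RECURSIVE_EVAL` arguments in configure.ac carry a trailing slash (`$bindir/sudo-users/`, `$sbindir/`), while the templates in this same commit use them as `@SUDOUSRDIR@/gen_local_rsa_key.pl`, so the expanded `run:` line contains `//`. The filesystem does not mind, but that literal string is what ends up in the operator command and what sudo's command matching may compare against a sudoers path, so keep the substituted value a plain directory: `adl_RECURSIVE_EVAL([$bindir/sudo-users],[SUDOUSRDIR])` and `adl_RECURSIVE_EVAL([$sbindir],[SBINDIR])`. The same `//` shows up in every `node.def.in` hunk that uses `@SUDOUSRDIR@/`, so fixing it here fixes them all.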
@@ -39,14 +42,56 @@ AC_ARG_ENABLE([nostrip], AC_SUBST(NOSTRIP) AC_SUBST(XSLDIR) +AC_SUBST(SUDOUSRDIR) +AC_SUBST(SBINDIR) AC_OUTPUT([ Makefile - scripts/vyatta-gen-x509-keypair.sh + scripts/vyatta-gen-x509-keypair + templates/restart/vpn/node.def + templates/generate/vpn/x509/key-pair/node.tag/node.def + templates/generate/vpn/rsa-key/node.def + templates/generate/vpn/rsa-key/bits/node.tag/node.def + templates/generate/vpn/rsa-key/bits/node.tag/random/node.tag/node.def + templates/show/vpn/ipsec/status/node.def + templates/show/vpn/ipsec/sa/node.def + templates/show/vpn/ipsec/sa/nat-traversal/node.def + templates/show/vpn/ipsec/sa/statistics/node.def + templates/show/vpn/ipsec/sa/statistics/profile/node.tag/node.def + templates/show/vpn/ipsec/sa/statistics/profile/node.tag/tunnel/node.tag/node.def + templates/show/vpn/ipsec/sa/statistics/peer/node.tag/node.def + templates/show/vpn/ipsec/sa/statistics/peer/node.tag/tunnel/node.tag/node.def + templates/show/vpn/ipsec/sa/detail/node.def + templates/show/vpn/ipsec/sa/detail/profile/node.tag/node.def + templates/show/vpn/ipsec/sa/detail/profile/node.tag/tunnel/node.tag/node.def + templates/show/vpn/ipsec/sa/detail/peer/node.tag/node.def + templates/show/vpn/ipsec/sa/detail/peer/node.tag/tunnel/node.tag/node.def + templates/show/vpn/ipsec/sa/profile/node.tag/node.def + templates/show/vpn/ipsec/sa/profile/node.tag/tunnel/node.tag/node.def + templates/show/vpn/ipsec/sa/peer/node.tag/node.def + templates/show/vpn/ipsec/sa/peer/node.tag/tunnel/node.tag/node.def + templates/show/vpn/debug/node.def + templates/show/vpn/debug/detail/node.def + templates/show/vpn/debug/peer/node.tag/node.def + templates/show/vpn/debug/peer/node.tag/tunnel/node.tag/node.def + templates/show/vpn/ike/secrets/node.def + templates/show/vpn/ike/status/node.def + templates/show/vpn/ike/sa/node.def + templates/show/vpn/ike/sa/nat-traversal/node.def + templates/show/vpn/ike/sa/peer/node.tag/node.def + templates/show/vpn/ike/rsa-keys/node.def + 
templates/reset/vpn/ipsec-profile/node.tag/node.def + templates/reset/vpn/ipsec-profile/node.tag/tunnel/node.tag/node.def + templates/reset/vpn/ipsec-peer/node.tag/node.def + templates/reset/vpn/ipsec-peer/node.tag/vti/node.def + templates/reset/vpn/ipsec-peer/node.tag/tunnel/node.tag/node.def ]) -echo "prefix: ${prefix}" -echo "sysconfdir: ${sysconfdir}" +echo "prefix: ${prefix}" +echo "sbindir: ${sbindir}" +echo "sysconfdir: ${sysconfdir}" echo "datarootdir: ${datarootdir}" -echo "XSLDIR: ${XSLDIR}" +echo "XSLDIR: ${XSLDIR}" +echo "SBINDIR: ${SBINDIR}" +echo "SUDOUSRDIR: ${SUDOUSRDIR}" diff --git a/debian/autogen.sh b/debian/autogen.sh index 92719c8..70ecdeb 100755 --- a/debian/autogen.sh +++ b/debian/autogen.sh @@ -1,10 +1,10 @@ #!/bin/sh -rm -rf config m4 +rm -rf config rm -f aclocal.m4 config.guess config.statusconfig.sub configure INSTALL -mkdir -p m4 +mkdir -p autoreconf --force --install rm -f config.sub config.guess diff --git a/m4/relpaths.m4 b/m4/relpaths.m4 new file mode 100644 index 0000000..15f24b3 --- /dev/null +++ b/m4/relpaths.m4 
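Review bot: The enlarged `AC_OUTPUT([...])` in configure.ac uses the obsolete argument form; current autoconf expects the file list in `AC_CONFIG_FILES([...])` followed by a bare `AC_OUTPUT`, which also lets the list be split across several calls (scripts, templates) instead of one forty-line block. The generated `node.def` files are correctly added to `.gitignore` in the same commit, so the only change needed here is the macro split.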
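Review bot: `+mkdir -p` in debian/autogen.sh is left with no operand once `m4` was dropped from the line; `mkdir` exits non-zero with a missing-operand error on every run, and because no `set -e` is visible in the script this is silent dead code rather than a hard failure, but it should be deleted rather than kept. Either remove the line or, if a directory is still required, name it explicitly. The unchanged context line `rm -f config.guess config.statusconfig.sub` also appears to be missing a space between `config.status` and `config.sub`, which is worth fixing while in this file.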
@@ -0,0 +1,155 @@ +dnl @synopsis adl_COMPUTE_RELATIVE_PATHS(PATH_LIST) +dnl +dnl PATH_LIST is a space-separated list of colon-separated triplets of +dnl the form 'FROM:TO:RESULT'. This function iterates over these +dnl triplets and set $RESULT to the relative path from $FROM to $TO. +dnl Note that $FROM and $TO needs to be absolute filenames for this +dnl macro to success. +dnl +dnl For instance, +dnl +dnl first=/usr/local/bin +dnl second=/usr/local/share +dnl adl_COMPUTE_RELATIVE_PATHS([first:second:fs second:first:sf]) +dnl # $fs is set to ../share +dnl # $sf is set to ../bin +dnl +dnl $FROM and $TO are both eval'ed recursively and normalized, this +dnl means that you can call this macro with autoconf's dirnames like +dnl `prefix' or `datadir'. For example: +dnl +dnl adl_COMPUTE_RELATIVE_PATHS([bindir:datadir:bin_to_data]) +dnl +dnl adl_COMPUTE_RELATIVE_PATHS should also works with DOS filenames. +dnl +dnl You may want to use this macro in order to make your package +dnl relocatable. Instead of hardcoding $datadir into your programs just +dnl encode $bin_to_data and try to determine $bindir at run-time. +dnl +dnl This macro requires adl_NORMALIZE_PATH. 
+dnl +dnl @category Misc +dnl @author Alexandre Duret-Lutz +dnl @version 2001-05-25 +dnl @license GPLWithACException + +AC_DEFUN([adl_COMPUTE_RELATIVE_PATHS], +[for _lcl_i in $1; do + _lcl_from=\[$]`echo "[$]_lcl_i" | sed 's,:.*$,,'` + _lcl_to=\[$]`echo "[$]_lcl_i" | sed 's,^[[^:]]*:,,' | sed 's,:[[^:]]*$,,'` + _lcl_result_var=`echo "[$]_lcl_i" | sed 's,^.*:,,'` + adl_RECURSIVE_EVAL([[$]_lcl_from], [_lcl_from]) + adl_RECURSIVE_EVAL([[$]_lcl_to], [_lcl_to]) + _lcl_notation="$_lcl_from$_lcl_to" + adl_NORMALIZE_PATH([_lcl_from],['/']) + adl_NORMALIZE_PATH([_lcl_to],['/']) + adl_COMPUTE_RELATIVE_PATH([_lcl_from], [_lcl_to], [_lcl_result_tmp]) + adl_NORMALIZE_PATH([_lcl_result_tmp],["[$]_lcl_notation"]) + eval $_lcl_result_var='[$]_lcl_result_tmp' +done]) + +## Note: +## ***** +## The following helper macros are too fragile to be used out +## of adl_COMPUTE_RELATIVE_PATHS (mainly because they assume that +## paths are normalized), that's why I'm keeping them in the same file. +## Still, some of them maybe worth to reuse. + +dnl adl_COMPUTE_RELATIVE_PATH(FROM, TO, RESULT) +dnl =========================================== +dnl Compute the relative path to go from $FROM to $TO and set the value +dnl of $RESULT to that value. This function work on raw filenames +dnl (for instead it will considerate /usr//local and /usr/local as +dnl two distinct paths), you should really use adl_COMPUTE_REALTIVE_PATHS +dnl instead to have the paths sanitized automatically. +dnl +dnl For instance: +dnl first_dir=/somewhere/on/my/disk/bin +dnl second_dir=/somewhere/on/another/disk/share +dnl adl_COMPUTE_RELATIVE_PATH(first_dir, second_dir, first_to_second) +dnl will set $first_to_second to '../../../another/disk/share'. 
+AC_DEFUN([adl_COMPUTE_RELATIVE_PATH], +[adl_COMPUTE_COMMON_PATH([$1], [$2], [_lcl_common_prefix]) +adl_COMPUTE_BACK_PATH([$1], [_lcl_common_prefix], [_lcl_first_rel]) +adl_COMPUTE_SUFFIX_PATH([$2], [_lcl_common_prefix], [_lcl_second_suffix]) +$3="[$]_lcl_first_rel[$]_lcl_second_suffix"]) + +dnl adl_COMPUTE_COMMON_PATH(LEFT, RIGHT, RESULT) +dnl ============================================ +dnl Compute the common path to $LEFT and $RIGHT and set the result to $RESULT. +dnl +dnl For instance: +dnl first_path=/somewhere/on/my/disk/bin +dnl second_path=/somewhere/on/another/disk/share +dnl adl_COMPUTE_COMMON_PATH(first_path, second_path, common_path) +dnl will set $common_path to '/somewhere/on'. +AC_DEFUN([adl_COMPUTE_COMMON_PATH], +[$3='' +_lcl_second_prefix_match='' +while test "[$]_lcl_second_prefix_match" != 0; do + _lcl_first_prefix=`expr "x[$]$1" : "x\([$]$3/*[[^/]]*\)"` + _lcl_second_prefix_match=`expr "x[$]$2" : "x[$]_lcl_first_prefix"` + if test "[$]_lcl_second_prefix_match" != 0; then + if test "[$]_lcl_first_prefix" != "[$]$3"; then + $3="[$]_lcl_first_prefix" + else + _lcl_second_prefix_match=0 + fi + fi +done]) + +dnl adl_COMPUTE_SUFFIX_PATH(PATH, SUBPATH, RESULT) +dnl ============================================== +dnl Substrack $SUBPATH from $PATH, and set the resulting suffix +dnl (or the empty string if $SUBPATH is not a subpath of $PATH) +dnl to $RESULT. +dnl +dnl For instace: +dnl first_path=/somewhere/on/my/disk/bin +dnl second_path=/somewhere/on +dnl adl_COMPUTE_SUFFIX_PATH(first_path, second_path, common_path) +dnl will set $common_path to '/my/disk/bin'. 
+AC_DEFUN([adl_COMPUTE_SUFFIX_PATH], +[$3=`expr "x[$]$1" : "x[$]$2/*\(.*\)"`]) + +dnl adl_COMPUTE_BACK_PATH(PATH, SUBPATH, RESULT) +dnl ============================================ +dnl Compute the relative path to go from $PATH to $SUBPATH, knowing that +dnl $SUBPATH is a subpath of $PATH (any other words, only repeated '../' +dnl should be needed to move from $PATH to $SUBPATH) and set the value +dnl of $RESULT to that value. If $SUBPATH is not a subpath of PATH, +dnl set $RESULT to the empty string. +dnl +dnl For instance: +dnl first_path=/somewhere/on/my/disk/bin +dnl second_path=/somewhere/on +dnl adl_COMPUTE_BACK_PATH(first_path, second_path, back_path) +dnl will set $back_path to '../../../'. +AC_DEFUN([adl_COMPUTE_BACK_PATH], +[adl_COMPUTE_SUFFIX_PATH([$1], [$2], [_lcl_first_suffix]) +$3='' +_lcl_tmp='xxx' +while test "[$]_lcl_tmp" != ''; do + _lcl_tmp=`expr "x[$]_lcl_first_suffix" : "x[[^/]]*/*\(.*\)"` + if test "[$]_lcl_first_suffix" != ''; then + _lcl_first_suffix="[$]_lcl_tmp" + $3="../[$]$3" + fi +done]) + + +dnl adl_RECURSIVE_EVAL(VALUE, RESULT) +dnl ================================= +dnl Interpolate the VALUE in loop until it doesn't change, +dnl and set the result to $RESULT. +dnl WARNING: It's easy to get an infinite loop with some unsane input. +AC_DEFUN([adl_RECURSIVE_EVAL], +[_lcl_receval="$1" +$2=`(test "x$prefix" = xNONE && prefix="$ac_default_prefix" + test "x$exec_prefix" = xNONE && exec_prefix="${prefix}" + _lcl_receval_old='' + while test "[$]_lcl_receval_old" != "[$]_lcl_receval"; do + _lcl_receval_old="[$]_lcl_receval" + eval _lcl_receval="\"[$]_lcl_receval\"" + done + echo "[$]_lcl_receval")`]) diff --git a/scripts/vyatta-gen-x509-keypair.in b/scripts/vyatta-gen-x509-keypair.in new file mode 100755 index 0000000..194ac4f --- /dev/null +++ b/scripts/vyatta-gen-x509-keypair.in 
@@ -0,0 +1,11 @@
+#!/bin/bash
+CN=$1
+genkeypair (){
+ openssl req -new -nodes -keyout /config/auth/$CN.key -out /config/auth/$CN.csr -config @sysconfdir@/key-pair.template
+}
+if [ -f /config/auth/$CN.csr ]; then
+ read -p "A certificate request named $CN.csr already exists. Overwrite (y/n)?"
+ [[ $REPLY != y && $REPLY != Y ]] || genkeypair
+else
+ genkeypair
+fi
diff --git a/scripts/vyatta-gen-x509-keypair.sh.in b/scripts/vyatta-gen-x509-keypair.sh.in
deleted file mode 100755
index 194ac4f..0000000
--- a/scripts/vyatta-gen-x509-keypair.sh.in
+++ /dev/null
@@ -1,11 +0,0 @@
-#!/bin/bash
-CN=$1
-genkeypair (){
- openssl req -new -nodes -keyout /config/auth/$CN.key -out /config/auth/$CN.csr -config @sysconfdir@/key-pair.template
-}
-if [ -f /config/auth/$CN.csr ]; then
- read -p "A certificate request named $CN.csr already exists. Overwrite (y/n)?"
- [[ $REPLY != y && $REPLY != Y ]] || genkeypair
-else
- genkeypair
-fi
diff --git a/templates/generate/vpn/rsa-key/bits/node.tag/node.def b/templates/generate/vpn/rsa-key/bits/node.tag/node.def
deleted file mode 100644
index fa2fed2..0000000
--- a/templates/generate/vpn/rsa-key/bits/node.tag/node.def
+++ /dev/null
@@ -1,3 +0,0 @@
-help: Generate local RSA key with specified number of bits
-run: sudo /opt/vyatta/bin/sudo-users/gen_local_rsa_key.pl "$5" /dev/random
-allowed: echo -n '<16-4096>'
diff --git a/templates/generate/vpn/rsa-key/bits/node.tag/node.def.in b/templates/generate/vpn/rsa-key/bits/node.tag/node.def.in
new file mode 100644
index 0000000..2eae9cc
--- /dev/null
+++ b/templates/generate/vpn/rsa-key/bits/node.tag/node.def.in
@@ -0,0 +1,3 @@
+help: Generate local RSA key with specified number of bits
+run: sudo @SUDOUSRDIR@/gen_local_rsa_key.pl "$5" /dev/random
+allowed: echo -n '<16-4096>'
diff --git a/templates/generate/vpn/rsa-key/bits/node.tag/random/node.tag/node.def b/templates/generate/vpn/rsa-key/bits/node.tag/random/node.tag/node.def
deleted file mode 100644
index eb11433..0000000
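Review bot: `CN=$1` is used unquoted and unvalidated in the `-keyout`/`-out` paths on the openssl line, so an argument containing `/`, whitespace or shell-special characters changes where the key and CSR are written, and the key-pair node.def.in later in this commit runs the script under sudo. A minimal guard before the function definition would be `case "$CN" in ''|*[!A-Za-z0-9._-]*) echo "invalid name: $CN" >&2; exit 1;; esac`, with `"$CN"` quoted in the paths. The overwrite check `[[ $REPLY != y && $REPLY != Y ]] || genkeypair` is a double negative that reads more plainly as `[[ $REPLY == [yY] ]] && genkeypair`. The content is byte-identical to the deleted `.sh.in` (same blob id), so these are carried over rather than introduced here.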
--- a/templates/generate/vpn/rsa-key/bits/node.tag/random/node.tag/node.def
+++ /dev/null
@@ -1,3 +0,0 @@
-help: Generate local RSA key with specified number of bits and random device
-run: sudo /opt/vyatta/bin/sudo-users/gen_local_rsa_key.pl "$5" "$7"
-allowed: echo -n '/dev/random /dev/urandom'
diff --git a/templates/generate/vpn/rsa-key/bits/node.tag/random/node.tag/node.def.in b/templates/generate/vpn/rsa-key/bits/node.tag/random/node.tag/node.def.in
new file mode 100644
index 0000000..81a9633
--- /dev/null
+++ b/templates/generate/vpn/rsa-key/bits/node.tag/random/node.tag/node.def.in
@@ -0,0 +1,3 @@
+help: Generate local RSA key with specified number of bits and random device
+run: sudo @SUDOUSRDIR@/gen_local_rsa_key.pl "$5" "$7"
+allowed: echo -n '/dev/random /dev/urandom'
diff --git a/templates/generate/vpn/rsa-key/node.def b/templates/generate/vpn/rsa-key/node.def
deleted file mode 100644
index 60296f2..0000000
--- a/templates/generate/vpn/rsa-key/node.def
+++ /dev/null
@@ -1,2 +0,0 @@
-help: Generate local RSA key (default: bits=2192 device=/dev/random)
-run: sudo /opt/vyatta/bin/sudo-users/gen_local_rsa_key.pl 2192 /dev/random
diff --git a/templates/generate/vpn/rsa-key/node.def.in b/templates/generate/vpn/rsa-key/node.def.in
new file mode 100644
index 0000000..482f32c
--- /dev/null
+++ b/templates/generate/vpn/rsa-key/node.def.in
@@ -0,0 +1,2 @@
+help: Generate local RSA key (default: bits=2192 device=/dev/random)
+run: sudo @SUDOUSRDIR@/gen_local_rsa_key.pl 2192 /dev/random
diff --git a/templates/generate/vpn/x509/key-pair/node.tag/node.def b/templates/generate/vpn/x509/key-pair/node.tag/node.def
deleted file mode 100644
index dc21935..0000000
--- a/templates/generate/vpn/x509/key-pair/node.tag/node.def
+++ /dev/null
@@ -1,4 +0,0 @@
-help: Generate x509 key-pair
-run:
- sudo /opt/vyatta/sbin/vyatta-gen-x509-keypair $5
-allowed: echo -n ''
diff --git a/templates/generate/vpn/x509/key-pair/node.tag/node.def.in b/templates/generate/vpn/x509/key-pair/node.tag/node.def.in
new file mode 100644
index 0000000..2c87956
--- /dev/null
+++ b/templates/generate/vpn/x509/key-pair/node.tag/node.def.in
@@ -0,0 +1,4 @@
+help: Generate x509 key-pair
+run:
+ sudo @SBINDIR@/vyatta-gen-x509-keypair $5
+allowed: echo -n ''
diff --git a/templates/reset/vpn/ipsec-peer/node.tag/node.def b/templates/reset/vpn/ipsec-peer/node.tag/node.def
deleted file mode 100644
index fa55d52..0000000
--- a/templates/reset/vpn/ipsec-peer/node.tag/node.def
+++ /dev/null
@@ -1,6 +0,0 @@
-help: Reset all tunnels for given peer
-
-allowed: /opt/vyatta/bin/sudo-users/vyatta-vpn-op.pl --op=get-all-peers
-
-run: /opt/vyatta/bin/sudo-users/vyatta-vpn-op.pl \
- --op=clear-tunnels-for-peer --peer="$4"
diff --git a/templates/reset/vpn/ipsec-peer/node.tag/node.def.in b/templates/reset/vpn/ipsec-peer/node.tag/node.def.in
new file mode 100644
index 0000000..621c40a
--- /dev/null
+++ b/templates/reset/vpn/ipsec-peer/node.tag/node.def.in
@@ -0,0 +1,6 @@
+help: Reset all tunnels for given peer
+
+allowed: @SUDOUSRDIR@/vyatta-vpn-op.pl --op=get-all-peers
+
+run: @SUDOUSRDIR@/vyatta-vpn-op.pl \
+ --op=clear-tunnels-for-peer --peer="$4"
diff --git a/templates/reset/vpn/ipsec-peer/node.tag/tunnel/node.tag/node.def b/templates/reset/vpn/ipsec-peer/node.tag/tunnel/node.tag/node.def
deleted file mode 100644
index eecb740..0000000
--- a/templates/reset/vpn/ipsec-peer/node.tag/tunnel/node.tag/node.def
+++ /dev/null
@@ -1,10 +0,0 @@
-help: Reset a specific tunnel for given peer
-
-allowed: /opt/vyatta/bin/sudo-users/vyatta-vpn-op.pl \
- --op=get-tunnels-for-peer \
- --peer="${COMP_WORDS[COMP_CWORD-2]}"
-
-run: /opt/vyatta/bin/sudo-users/vyatta-vpn-op.pl \
- --op=clear-specific-tunnel-for-peer \
- --peer="$4" \
- --tunnel="$6"
diff --git a/templates/reset/vpn/ipsec-peer/node.tag/tunnel/node.tag/node.def.in b/templates/reset/vpn/ipsec-peer/node.tag/tunnel/node.tag/node.def.in
new file mode 100644
index 0000000..4407515
--- /dev/null
+++ b/templates/reset/vpn/ipsec-peer/node.tag/tunnel/node.tag/node.def.in
@@ -0,0 +1,10 @@
+help: Reset a specific tunnel for given peer
+
+allowed: @SUDOUSRDIR@/vyatta-vpn-op.pl \
+ --op=get-tunnels-for-peer \
+ --peer="${COMP_WORDS[COMP_CWORD-2]}"
+
+run: @SUDOUSRDIR@/vyatta-vpn-op.pl \
+ --op=clear-specific-tunnel-for-peer \
+ --peer="$4" \
+ --tunnel="$6"
diff --git a/templates/reset/vpn/ipsec-peer/node.tag/vti/node.def b/templates/reset/vpn/ipsec-peer/node.tag/vti/node.def
deleted file mode 100644
index f0f39a8..0000000
--- a/templates/reset/vpn/ipsec-peer/node.tag/vti/node.def
+++ /dev/null
@@ -1,5 +0,0 @@
-help: Reset a vti tunnel for given peer
-
-run: /opt/vyatta/bin/sudo-users/vyatta-vpn-op.pl \
- --op=clear-vtis-for-peer \
- --peer="$4"
diff --git a/templates/reset/vpn/ipsec-peer/node.tag/vti/node.def.in b/templates/reset/vpn/ipsec-peer/node.tag/vti/node.def.in
new file mode 100644
index 0000000..2e8e9be
--- /dev/null
+++ b/templates/reset/vpn/ipsec-peer/node.tag/vti/node.def.in
@@ -0,0 +1,5 @@
+help: Reset a vti tunnel for given peer
+
+run: @SUDOUSRDIR@/vyatta-vpn-op.pl \
+ --op=clear-vtis-for-peer \
+ --peer="$4"
diff --git a/templates/reset/vpn/ipsec-profile/node.tag/node.def b/templates/reset/vpn/ipsec-profile/node.tag/node.def
deleted file mode 100644
index 639fac3..0000000
--- a/templates/reset/vpn/ipsec-profile/node.tag/node.def
+++ /dev/null
@@ -1,6 +0,0 @@
-help: Reset all tunnels for given profile
-
-allowed: /opt/vyatta/bin/sudo-users/vyatta-dmvpn-op.pl --op=get-all-profiles
-
-run: /opt/vyatta/bin/sudo-users/vyatta-dmvpn-op.pl \
- --op=clear-tunnels-for-profile --profile="$4"
diff --git a/templates/reset/vpn/ipsec-profile/node.tag/node.def.in b/templates/reset/vpn/ipsec-profile/node.tag/node.def.in
new file mode 100644
index 0000000..ea90853
--- /dev/null
+++ b/templates/reset/vpn/ipsec-profile/node.tag/node.def.in
@@ -0,0 +1,6 @@
+help: Reset all tunnels for given profile
+
+allowed: @SUDOUSRDIR@/vyatta-dmvpn-op.pl --op=get-all-profiles
+
+run: @SUDOUSRDIR@/vyatta-dmvpn-op.pl \
+ --op=clear-tunnels-for-profile --profile="$4"
diff --git a/templates/reset/vpn/ipsec-profile/node.tag/tunnel/node.tag/node.def b/templates/reset/vpn/ipsec-profile/node.tag/tunnel/node.tag/node.def
deleted file mode 100644
index 08e299f..0000000
--- a/templates/reset/vpn/ipsec-profile/node.tag/tunnel/node.tag/node.def
+++ /dev/null
@@ -1,10 +0,0 @@
-help: Reset a specific tunnel for given profile
-
-allowed: /opt/vyatta/bin/sudo-users/vyatta-dmvpn-op.pl \
- --op=get-tunnels-for-profile \
- --profile="${COMP_WORDS[COMP_CWORD-2]}"
-
-run: /opt/vyatta/bin/sudo-users/vyatta-dmvpn-op.pl \
- --op=clear-specific-tunnel-for-profile \
- --profile="$4" \
- --tunnel="$6"
diff --git a/templates/reset/vpn/ipsec-profile/node.tag/tunnel/node.tag/node.def.in b/templates/reset/vpn/ipsec-profile/node.tag/tunnel/node.tag/node.def.in
new file mode 100644
index 0000000..f5eda6c
--- /dev/null
+++ b/templates/reset/vpn/ipsec-profile/node.tag/tunnel/node.tag/node.def.in
@@ -0,0 +1,10 @@
+help: Reset a specific tunnel for given profile
+
+allowed: @SUDOUSRDIR@/vyatta-dmvpn-op.pl \
+ --op=get-tunnels-for-profile \
+ --profile="${COMP_WORDS[COMP_CWORD-2]}"
+
+run: @SUDOUSRDIR@/vyatta-dmvpn-op.pl \
+ --op=clear-specific-tunnel-for-profile \
+ --profile="$4" \
+ --tunnel="$6"
diff --git a/templates/restart/vpn/node.def b/templates/restart/vpn/node.def
deleted file mode 100644
index 7cb9387..0000000
--- a/templates/restart/vpn/node.def
+++ /dev/null
@@ -1,12 +0,0 @@
-help: Restart IPsec VPN
-run: if [ -n "$(cli-shell-api returnActiveValues \
- vpn ipsec ipsec-interfaces interface)" ]; then
- if pgrep pluto > /dev/null
- then
- /opt/vyatta/bin/sudo-users/vyatta-vpn-op.pl --op=clear-vpn-ipsec-process
- else
- echo IPsec process not running
- fi
- else
- echo IPsec VPN not configured
- fi
diff --git a/templates/restart/vpn/node.def.in b/templates/restart/vpn/node.def.in
new file mode 100644
index 0000000..3e3566a
--- /dev/null
+++ b/templates/restart/vpn/node.def.in
@@ -0,0 +1,12 @@
+help: Restart IPsec VPN
+run: if [ -n "$(cli-shell-api returnActiveValues \
+ vpn ipsec ipsec-interfaces interface)" ]; then
+ if pgrep pluto > /dev/null
+ then
+ @SUDOUSRDIR@/vyatta-vpn-op.pl --op=clear-vpn-ipsec-process
+ else
+ echo IPsec process not running
+ fi
+ else
+ echo IPsec VPN not configured
+ fi
diff --git a/templates/show/vpn/debug/detail/node.def b/templates/show/vpn/debug/detail/node.def
deleted file mode 100644
index ee3604d..0000000
--- a/templates/show/vpn/debug/detail/node.def
+++ /dev/null
@@ -1,12 +0,0 @@
-help: Show detailed VPN debugging information
-run: if [ -n "$(cli-shell-api returnActiveValues \
- vpn ipsec ipsec-interfaces interface)" ]; then
- if pgrep pluto > /dev/null
- then
- /opt/vyatta/bin/sudo-users/vyatta-vpn-op.pl --op=show-vpn-debug-detail
- else
- echo IPsec process not running
- fi
- else
- echo VPN ipsec not configured
- fi
diff --git a/templates/show/vpn/debug/detail/node.def.in b/templates/show/vpn/debug/detail/node.def.in
new file mode 100644
index 0000000..9271328
--- /dev/null
+++ b/templates/show/vpn/debug/detail/node.def.in
@@ -0,0 +1,12 @@
+help: Show detailed VPN debugging information
+run: if [ -n "$(cli-shell-api returnActiveValues \
+ vpn ipsec ipsec-interfaces interface)" ]; then
+ if pgrep pluto > /dev/null
+ then
+ @SUDOUSRDIR@/vyatta-vpn-op.pl --op=show-vpn-debug-detail
+ else
+ echo IPsec process not running
+ fi
+ else
+ echo VPN ipsec not configured
+ fi
diff --git a/templates/show/vpn/debug/node.def b/templates/show/vpn/debug/node.def
deleted file mode 100644
index 7a33888..0000000
--- a/templates/show/vpn/debug/node.def
+++ /dev/null
@@ -1,12 +0,0 @@
-help: Show VPN debugging information
-run: if [ -n "$(cli-shell-api returnActiveValues \
- vpn ipsec ipsec-interfaces interface)" ]; then
- if pgrep pluto > /dev/null
- then
- /opt/vyatta/bin/sudo-users/vyatta-vpn-op.pl --op=show-vpn-debug
- else
- echo IPsec process not running
- fi
- else
- echo VPN ipsec not configured
- fi
diff --git a/templates/show/vpn/debug/node.def.in b/templates/show/vpn/debug/node.def.in
new file mode 100644
index 0000000..1f6c829
--- /dev/null
+++ b/templates/show/vpn/debug/node.def.in
@@ -0,0 +1,12 @@
+help: Show VPN debugging information
+run: if [ -n "$(cli-shell-api returnActiveValues \
+ vpn ipsec ipsec-interfaces interface)" ]; then
+ if pgrep pluto > /dev/null
+ then
+ @SUDOUSRDIR@/vyatta-vpn-op.pl --op=show-vpn-debug
+ else
+ echo IPsec process not running
+ fi
+ else
+ echo VPN ipsec not configured
+ fi
diff --git a/templates/show/vpn/debug/peer/node.tag/node.def b/templates/show/vpn/debug/peer/node.tag/node.def
deleted file mode 100644
index a27063a..0000000
--- a/templates/show/vpn/debug/peer/node.tag/node.def
+++ /dev/null
@@ -1,14 +0,0 @@
-help: Show debugging information for a peer
-allowed: /opt/vyatta/bin/sudo-users/vyatta-op-vpn.pl --get-peers-for-cli
-run: if [ -n "$(cli-shell-api returnActiveValues \
- vpn ipsec ipsec-interfaces interface)" ]; then
- if pgrep pluto > /dev/null
- then
- /opt/vyatta/bin/sudo-users/vyatta-vpn-op.pl --op=show-vpn-debug | grep peer-$5
- else
- echo IPsec process not running
- fi
- else
- echo VPN ipsec not configured
- fi
-
diff --git a/templates/show/vpn/debug/peer/node.tag/node.def.in b/templates/show/vpn/debug/peer/node.tag/node.def.in
new file mode 100644
index 0000000..d201746
--- /dev/null
+++ b/templates/show/vpn/debug/peer/node.tag/node.def.in
@@ -0,0 +1,14 @@
+help: Show debugging information for a peer
+allowed: @SUDOUSRDIR@/vyatta-op-vpn.pl --get-peers-for-cli
+run: if [ -n "$(cli-shell-api returnActiveValues \
+ vpn ipsec ipsec-interfaces interface)" ]; then
+ if pgrep pluto > /dev/null
+ then
+ @SUDOUSRDIR@/vyatta-vpn-op.pl --op=show-vpn-debug | grep peer-$5
+ else
+ echo IPsec process not running
+ fi
+ else
+ echo VPN ipsec not configured
+ fi
+
diff --git a/templates/show/vpn/debug/peer/node.tag/tunnel/node.tag/node.def b/templates/show/vpn/debug/peer/node.tag/tunnel/node.tag/node.def
deleted file mode 100644
index c141ac0..0000000
--- a/templates/show/vpn/debug/peer/node.tag/tunnel/node.tag/node.def
+++ /dev/null
@@ -1,14 +0,0 @@
-help: Show debugging information for a peer's tunnel
-allowed: /opt/vyatta/bin/sudo-users/vyatta-op-vpn.pl --get-conn-for-cli=${COMP_WORDS[4]}
-run: if [ -n "$(cli-shell-api returnActiveValues \
- vpn ipsec ipsec-interfaces interface)" ]; then
- if pgrep pluto > /dev/null
- then
- /opt/vyatta/bin/sudo-users/vyatta-vpn-op.pl --op=show-vpn-debug | grep "peer-$5-tunnel-$7"
- else
- echo IPsec process not running
- fi
- else
- echo VPN ipsec not configured
- fi
-
diff --git a/templates/show/vpn/debug/peer/node.tag/tunnel/node.tag/node.def.in b/templates/show/vpn/debug/peer/node.tag/tunnel/node.tag/node.def.in
new file mode 100644
index 0000000..5906929
--- /dev/null
+++ b/templates/show/vpn/debug/peer/node.tag/tunnel/node.tag/node.def.in
@@ -0,0 +1,14 @@
+help: Show debugging information for a peer's tunnel
+allowed: @SUDOUSRDIR@/vyatta-op-vpn.pl --get-conn-for-cli=${COMP_WORDS[4]}
+run: if [ -n "$(cli-shell-api returnActiveValues \
+ vpn ipsec ipsec-interfaces interface)" ]; then
+ if pgrep pluto > /dev/null
+ then
+ @SUDOUSRDIR@/vyatta-vpn-op.pl --op=show-vpn-debug | grep "peer-$5-tunnel-$7"
+ else
+ echo IPsec process not running
+ fi
+ else
+ echo VPN ipsec not configured
+ fi
+
diff --git a/templates/show/vpn/ike/rsa-keys/node.def b/templates/show/vpn/ike/rsa-keys/node.def
deleted file mode 100644
index 6d3baa5..0000000
--- a/templates/show/vpn/ike/rsa-keys/node.def
+++ /dev/null
@@ -1,2 +0,0 @@
-help: Show VPN RSA keys
-run: sudo /opt/vyatta/bin/sudo-users/vyatta-show-vpn.pl rsa-keys
diff --git a/templates/show/vpn/ike/rsa-keys/node.def.in b/templates/show/vpn/ike/rsa-keys/node.def.in
new file mode 100644
index 0000000..255ca18
--- /dev/null
+++ b/templates/show/vpn/ike/rsa-keys/node.def.in
@@ -0,0 +1,2 @@
+help: Show VPN RSA keys
+run: sudo @SUDOUSRDIR@/vyatta-show-vpn.pl rsa-keys
diff --git a/templates/show/vpn/ike/sa/nat-traversal/node.def b/templates/show/vpn/ike/sa/nat-traversal/node.def
deleted file mode 100644
index 3855c49..0000000
--- a/templates/show/vpn/ike/sa/nat-traversal/node.def
+++ /dev/null
@@ -1,2 +0,0 @@
-help: Show all currently active IKE Security Associations (SA) that are using NAT Traversal
-run: sudo /opt/vyatta/bin/sudo-users/vyatta-op-vpn.pl --show-ike-sa-natt
diff --git a/templates/show/vpn/ike/sa/nat-traversal/node.def.in b/templates/show/vpn/ike/sa/nat-traversal/node.def.in
new file mode 100644
index 0000000..6c62b12
--- /dev/null
+++ b/templates/show/vpn/ike/sa/nat-traversal/node.def.in
@@ -0,0 +1,2 @@
+help: Show all currently active IKE Security Associations (SA) that are using NAT Traversal
+run: sudo @SUDOUSRDIR@/vyatta-op-vpn.pl --show-ike-sa-natt
diff --git a/templates/show/vpn/ike/sa/node.def b/templates/show/vpn/ike/sa/node.def
deleted file mode 100644
index 051d657..0000000
--- a/templates/show/vpn/ike/sa/node.def
+++ /dev/null
@@ -1,2 +0,0 @@
-help: Show all currently active IKE Security Associations (SA)
-run: sudo /opt/vyatta/bin/sudo-users/vyatta-op-vpn.pl --show-ike-sa
diff --git a/templates/show/vpn/ike/sa/node.def.in b/templates/show/vpn/ike/sa/node.def.in
new file mode 100644
index 0000000..e372ff7
--- /dev/null
+++ b/templates/show/vpn/ike/sa/node.def.in
@@ -0,0 +1,2 @@
+help: Show all currently active IKE Security Associations (SA)
+run: sudo @SUDOUSRDIR@/vyatta-op-vpn.pl --show-ike-sa
diff --git a/templates/show/vpn/ike/sa/peer/node.tag/node.def b/templates/show/vpn/ike/sa/peer/node.tag/node.def
deleted file mode 100644
index c76b71b..0000000
--- a/templates/show/vpn/ike/sa/peer/node.tag/node.def
+++ /dev/null
@@ -1,3 +0,0 @@
-help: Show all currently active IKE Security Associations (SA) for a peer
-allowed: /opt/vyatta/bin/sudo-users/vyatta-op-vpn.pl --get-peers-for-cli
-run: sudo /opt/vyatta/bin/sudo-users/vyatta-op-vpn.pl --show-ike-sa-peer="$6"
diff --git a/templates/show/vpn/ike/sa/peer/node.tag/node.def.in b/templates/show/vpn/ike/sa/peer/node.tag/node.def.in
new file mode 100644
index 0000000..a9782ad
--- /dev/null
+++ b/templates/show/vpn/ike/sa/peer/node.tag/node.def.in
@@ -0,0 +1,3 @@
+help: Show all currently active IKE Security Associations (SA) for a peer
+allowed: @SUDOUSRDIR@/vyatta-op-vpn.pl --get-peers-for-cli
+run: sudo @SUDOUSRDIR@/vyatta-op-vpn.pl --show-ike-sa-peer="$6"
diff --git a/templates/show/vpn/ike/secrets/node.def b/templates/show/vpn/ike/secrets/node.def
deleted file mode 100644
index ec4073c..0000000
--- a/templates/show/vpn/ike/secrets/node.def
+++ /dev/null
@@ -1,2 +0,0 @@
-help: Show all the pre-shared key secrets
-run: sudo /opt/vyatta/bin/sudo-users/vyatta-op-vpn.pl --show-ike-secrets
diff --git a/templates/show/vpn/ike/secrets/node.def.in b/templates/show/vpn/ike/secrets/node.def.in
new file mode 100644
index 0000000..3d1a32d
--- /dev/null
+++ b/templates/show/vpn/ike/secrets/node.def.in
@@ -0,0 +1,2 @@
+help: Show all the pre-shared key secrets
+run: sudo @SUDOUSRDIR@/vyatta-op-vpn.pl --show-ike-secrets
diff --git a/templates/show/vpn/ike/status/node.def b/templates/show/vpn/ike/status/node.def
deleted file mode 100644
index e74a741..0000000
--- a/templates/show/vpn/ike/status/node.def
+++ /dev/null
@@ -1,2 +0,0 @@
-help: Show summary of IKE process information
-run: sudo /opt/vyatta/bin/sudo-users/vyatta-op-vpn.pl --show-ike-status
diff --git a/templates/show/vpn/ike/status/node.def.in b/templates/show/vpn/ike/status/node.def.in
new file mode 100644
index 0000000..7cc9b10
--- /dev/null
+++ b/templates/show/vpn/ike/status/node.def.in
@@ -0,0 +1,2 @@
+help: Show summary of IKE process information
+run: sudo @SUDOUSRDIR@/vyatta-op-vpn.pl --show-ike-status
diff --git a/templates/show/vpn/ipsec/sa/detail/node.def b/templates/show/vpn/ipsec/sa/detail/node.def
deleted file mode 100644
index 1397817..0000000
--- a/templates/show/vpn/ipsec/sa/detail/node.def
+++ /dev/null
@@ -1,3 +0,0 @@
-help: Show details for all active IPsec Security Associations (SA)
-run: sudo /opt/vyatta/bin/sudo-users/vyatta-op-vpn.pl --show-ipsec-sa-detail
- sudo /opt/vyatta/bin/sudo-users/vyatta-op-vpnprof.pl --show-ipsec-sa-detail
diff --git a/templates/show/vpn/ipsec/sa/detail/node.def.in b/templates/show/vpn/ipsec/sa/detail/node.def.in
new file mode 100644
index 0000000..781d61b
--- /dev/null
+++ b/templates/show/vpn/ipsec/sa/detail/node.def.in
@@ -0,0 +1,3 @@
+help: Show details for all active IPsec Security Associations (SA)
+run: sudo @SUDOUSRDIR@/vyatta-op-vpn.pl --show-ipsec-sa-detail
+ sudo @SUDOUSRDIR@/vyatta-op-vpnprof.pl --show-ipsec-sa-detail
diff --git a/templates/show/vpn/ipsec/sa/detail/peer/node.tag/node.def b/templates/show/vpn/ipsec/sa/detail/peer/node.tag/node.def
deleted file mode 100644
index cad43ba..0000000
--- a/templates/show/vpn/ipsec/sa/detail/peer/node.tag/node.def
+++ /dev/null
@@ -1,3 +0,0 @@
-help: Show details for all active IPsec Security Associations (SA) for a peer
-allowed: /opt/vyatta/bin/sudo-users/vyatta-op-vpn.pl --get-peers-for-cli
-run: sudo /opt/vyatta/bin/sudo-users/vyatta-op-vpn.pl --show-ipsec-sa-peer-detail="$7"
diff --git a/templates/show/vpn/ipsec/sa/detail/peer/node.tag/node.def.in b/templates/show/vpn/ipsec/sa/detail/peer/node.tag/node.def.in
new file mode 100644
index 0000000..659acfa
--- /dev/null
+++ b/templates/show/vpn/ipsec/sa/detail/peer/node.tag/node.def.in
@@ -0,0 +1,3 @@
+help: Show details for all active IPsec Security Associations (SA) for a peer
+allowed: @SUDOUSRDIR@/vyatta-op-vpn.pl --get-peers-for-cli
+run: sudo @SUDOUSRDIR@/vyatta-op-vpn.pl --show-ipsec-sa-peer-detail="$7"
diff --git a/templates/show/vpn/ipsec/sa/detail/peer/node.tag/tunnel/node.tag/node.def b/templates/show/vpn/ipsec/sa/detail/peer/node.tag/tunnel/node.tag/node.def
deleted file mode 100644
index 470578e..0000000
--- a/templates/show/vpn/ipsec/sa/detail/peer/node.tag/tunnel/node.tag/node.def
+++ /dev/null
@@ -1,3 +0,0 @@
-help: Show details for the active IPsec Security Associations (SA) for a peer's tunnel
-allowed: /opt/vyatta/bin/sudo-users/vyatta-op-vpn.pl --get-conn-for-cli=${COMP_WORDS[6]}
-run: sudo /opt/vyatta/bin/sudo-users/vyatta-op-vpn.pl --show-ipsec-sa-conn-detail $7 $9
diff --git a/templates/show/vpn/ipsec/sa/detail/peer/node.tag/tunnel/node.tag/node.def.in b/templates/show/vpn/ipsec/sa/detail/peer/node.tag/tunnel/node.tag/node.def.in
new file mode 100644
index 0000000..5c121c3
--- /dev/null
+++ b/templates/show/vpn/ipsec/sa/detail/peer/node.tag/tunnel/node.tag/node.def.in
@@ -0,0 +1,3 @@
+help: Show details for the active IPsec Security Associations (SA) for a peer's tunnel
+allowed: @SUDOUSRDIR@/vyatta-op-vpn.pl --get-conn-for-cli=${COMP_WORDS[6]}
+run: sudo @SUDOUSRDIR@/vyatta-op-vpn.pl --show-ipsec-sa-conn-detail $7 $9
diff --git a/templates/show/vpn/ipsec/sa/detail/profile/node.tag/node.def b/templates/show/vpn/ipsec/sa/detail/profile/node.tag/node.def
deleted file mode 100644
index fbb6218..0000000
--- a/templates/show/vpn/ipsec/sa/detail/profile/node.tag/node.def
+++ /dev/null
@@ -1,3 +0,0 @@
-help: Show details for all active IPsec Security Associations (SA) for a profile
-allowed: /opt/vyatta/bin/sudo-users/vyatta-op-vpnprof.pl --get-profiles-for-cli
-run: sudo /opt/vyatta/bin/sudo-users/vyatta-op-vpnprof.pl --show-ipsec-sa-profile-detail="$7"
diff --git a/templates/show/vpn/ipsec/sa/detail/profile/node.tag/node.def.in b/templates/show/vpn/ipsec/sa/detail/profile/node.tag/node.def.in
new file mode 100644
index 0000000..bcbc520
--- /dev/null
+++ b/templates/show/vpn/ipsec/sa/detail/profile/node.tag/node.def.in
@@ -0,0 +1,3 @@
+help: Show details for all active IPsec Security Associations (SA) for a profile
+allowed: @SUDOUSRDIR@/vyatta-op-vpnprof.pl --get-profiles-for-cli
+run: sudo @SUDOUSRDIR@/vyatta-op-vpnprof.pl --show-ipsec-sa-profile-detail="$7"
diff --git a/templates/show/vpn/ipsec/sa/detail/profile/node.tag/tunnel/node.tag/node.def b/templates/show/vpn/ipsec/sa/detail/profile/node.tag/tunnel/node.tag/node.def
deleted file mode 100644
index ac5fd14..0000000
--- a/templates/show/vpn/ipsec/sa/detail/profile/node.tag/tunnel/node.tag/node.def
+++ /dev/null
@@ -1,3 +0,0 @@
-help: Show details for the active IPsec Security Associations (SA) for a tunnel bound to profile
-allowed: /opt/vyatta/bin/sudo-users/vyatta-op-vpnprof.pl --get-conn-for-cli=${COMP_WORDS[6]}
-run: sudo /opt/vyatta/bin/sudo-users/vyatta-op-vpnprof.pl --show-ipsec-sa-conn-detail $7 $9
diff --git a/templates/show/vpn/ipsec/sa/detail/profile/node.tag/tunnel/node.tag/node.def.in b/templates/show/vpn/ipsec/sa/detail/profile/node.tag/tunnel/node.tag/node.def.in
new file mode 100644
index 0000000..e31b008
--- /dev/null
+++ b/templates/show/vpn/ipsec/sa/detail/profile/node.tag/tunnel/node.tag/node.def.in
@@ -0,0 +1,3 @@
+help: Show details for the active IPsec Security Associations (SA) for a tunnel bound to profile
+allowed: @SUDOUSRDIR@/vyatta-op-vpnprof.pl --get-conn-for-cli=${COMP_WORDS[6]}
+run: sudo @SUDOUSRDIR@/vyatta-op-vpnprof.pl --show-ipsec-sa-conn-detail $7 $9
diff --git a/templates/show/vpn/ipsec/sa/nat-traversal/node.def b/templates/show/vpn/ipsec/sa/nat-traversal/node.def
deleted file mode 100644
index 7ea610b..0000000
--- a/templates/show/vpn/ipsec/sa/nat-traversal/node.def
+++ /dev/null
@@ -1,2 +0,0 @@
-help: Show all active IPsec Security Associations (SA) that are using NAT Traversal
-run: sudo /opt/vyatta/bin/sudo-users/vyatta-op-vpn.pl --show-ipsec-sa-natt
diff --git a/templates/show/vpn/ipsec/sa/nat-traversal/node.def.in b/templates/show/vpn/ipsec/sa/nat-traversal/node.def.in
new file mode 100644
index 0000000..f3bbe87
--- /dev/null
+++ b/templates/show/vpn/ipsec/sa/nat-traversal/node.def.in
@@ -0,0 +1,2 @@
+help: Show all active IPsec Security Associations (SA) that are using NAT Traversal
+run: sudo @SUDOUSRDIR@/vyatta-op-vpn.pl --show-ipsec-sa-natt
diff --git a/templates/show/vpn/ipsec/sa/node.def b/templates/show/vpn/ipsec/sa/node.def
deleted file mode 100644
index 287d489..0000000
--- a/templates/show/vpn/ipsec/sa/node.def
+++ /dev/null
@@ -1,3 +0,0 @@
-help: Show all active IPsec Security Associations (SA)
-run: sudo /opt/vyatta/bin/sudo-users/vyatta-op-vpn.pl --show-ipsec-sa
- sudo /opt/vyatta/bin/sudo-users/vyatta-op-vpnprof.pl --show-ipsec-sa
diff --git a/templates/show/vpn/ipsec/sa/node.def.in b/templates/show/vpn/ipsec/sa/node.def.in
new file mode 100644
index 0000000..036a1d7
--- /dev/null
+++ b/templates/show/vpn/ipsec/sa/node.def.in
@@ -0,0 +1,3 @@
+help: Show all active IPsec Security Associations (SA)
+run: sudo @SUDOUSRDIR@/vyatta-op-vpn.pl --show-ipsec-sa
+ sudo @SUDOUSRDIR@/vyatta-op-vpnprof.pl --show-ipsec-sa
diff --git a/templates/show/vpn/ipsec/sa/peer/node.tag/node.def b/templates/show/vpn/ipsec/sa/peer/node.tag/node.def
deleted file mode 100644
index 559bed5..0000000
--- a/templates/show/vpn/ipsec/sa/peer/node.tag/node.def
+++ /dev/null
@@ -1,3 +0,0 @@ -help: Show all active IPsec Security Associations (SA) for a peer -allowed: /opt/vyatta/bin/sudo-users/vyatta-op-vpn.pl --get-peers-for-cli -run: sudo /opt/vyatta/bin/sudo-users/vyatta-op-vpn.pl --show-ipsec-sa-peer="$6" diff --git a/templates/show/vpn/ipsec/sa/peer/node.tag/node.def.in b/templates/show/vpn/ipsec/sa/peer/node.tag/node.def.in new file mode 100644 index 0000000..1cae596 --- /dev/null +++ b/templates/show/vpn/ipsec/sa/peer/node.tag/node.def.in @@ -0,0 +1,3 @@ +help: Show all active IPsec Security Associations (SA) for a peer +allowed: @SUDOUSRDIR@/vyatta-op-vpn.pl --get-peers-for-cli +run: sudo @SUDOUSRDIR@/vyatta-op-vpn.pl --show-ipsec-sa-peer="$6" diff --git a/templates/show/vpn/ipsec/sa/peer/node.tag/tunnel/node.tag/node.def b/templates/show/vpn/ipsec/sa/peer/node.tag/tunnel/node.tag/node.def deleted file mode 100644 index 195f37a..0000000 --- a/templates/show/vpn/ipsec/sa/peer/node.tag/tunnel/node.tag/node.def +++ /dev/null @@ -1,3 +0,0 @@ -help: Show the active IPsec Security Association (SA) for a peer's tunnel -allowed: /opt/vyatta/bin/sudo-users/vyatta-op-vpn.pl --get-conn-for-cli=${COMP_WORDS[5]} -run: sudo /opt/vyatta/bin/sudo-users/vyatta-op-vpn.pl --show-ipsec-sa-conn $6 $8 diff --git a/templates/show/vpn/ipsec/sa/peer/node.tag/tunnel/node.tag/node.def.in b/templates/show/vpn/ipsec/sa/peer/node.tag/tunnel/node.tag/node.def.in new file mode 100644 index 0000000..8cc8a9c --- /dev/null +++ b/templates/show/vpn/ipsec/sa/peer/node.tag/tunnel/node.tag/node.def.in @@ -0,0 +1,3 @@ +help: Show the active IPsec Security Association (SA) for a peer's tunnel +allowed: @SUDOUSRDIR@/vyatta-op-vpn.pl --get-conn-for-cli=${COMP_WORDS[5]} +run: sudo @SUDOUSRDIR@/vyatta-op-vpn.pl --show-ipsec-sa-conn $6 $8 diff --git a/templates/show/vpn/ipsec/sa/profile/node.tag/node.def b/templates/show/vpn/ipsec/sa/profile/node.tag/node.def deleted file mode 100644 index 76e66a5..0000000 
--- a/templates/show/vpn/ipsec/sa/profile/node.tag/node.def +++ /dev/null @@ -1,3 +0,0 @@ -help: Show all active IPsec Security Associations (SA) for a profile -allowed: /opt/vyatta/bin/sudo-users/vyatta-op-vpnprof.pl --get-profiles-for-cli -run: sudo /opt/vyatta/bin/sudo-users/vyatta-op-vpnprof.pl --show-ipsec-sa-profile="$6" diff --git a/templates/show/vpn/ipsec/sa/profile/node.tag/node.def.in b/templates/show/vpn/ipsec/sa/profile/node.tag/node.def.in new file mode 100644 index 0000000..30ed853 --- /dev/null +++ b/templates/show/vpn/ipsec/sa/profile/node.tag/node.def.in @@ -0,0 +1,3 @@ +help: Show all active IPsec Security Associations (SA) for a profile +allowed: @SUDOUSRDIR@/vyatta-op-vpnprof.pl --get-profiles-for-cli +run: sudo @SUDOUSRDIR@/vyatta-op-vpnprof.pl --show-ipsec-sa-profile="$6" diff --git a/templates/show/vpn/ipsec/sa/profile/node.tag/tunnel/node.tag/node.def b/templates/show/vpn/ipsec/sa/profile/node.tag/tunnel/node.tag/node.def deleted file mode 100644 index 3f0af98..0000000 --- a/templates/show/vpn/ipsec/sa/profile/node.tag/tunnel/node.tag/node.def +++ /dev/null @@ -1,3 +0,0 @@ -help: Show the active IPsec Security Association (SA) for a profile's tunnel -allowed: /opt/vyatta/bin/sudo-users/vyatta-op-vpnprof.pl --get-conn-for-cli=${COMP_WORDS[5]} -run: sudo /opt/vyatta/bin/sudo-users/vyatta-op-vpnprof.pl --show-ipsec-sa-conn $6 $8 diff --git a/templates/show/vpn/ipsec/sa/profile/node.tag/tunnel/node.tag/node.def.in b/templates/show/vpn/ipsec/sa/profile/node.tag/tunnel/node.tag/node.def.in new file mode 100644 index 0000000..3d643bc --- /dev/null +++ b/templates/show/vpn/ipsec/sa/profile/node.tag/tunnel/node.tag/node.def.in @@ -0,0 +1,3 @@ +help: Show the active IPsec Security Association (SA) for a profile's tunnel +allowed: @SUDOUSRDIR@/vyatta-op-vpnprof.pl --get-conn-for-cli=${COMP_WORDS[5]} +run: sudo @SUDOUSRDIR@/vyatta-op-vpnprof.pl --show-ipsec-sa-conn $6 $8 
diff --git a/templates/show/vpn/ipsec/sa/statistics/node.def b/templates/show/vpn/ipsec/sa/statistics/node.def deleted file mode 100644 index 84fa4b7..0000000 --- a/templates/show/vpn/ipsec/sa/statistics/node.def +++ /dev/null @@ -1,3 +0,0 @@ -help: Show statistics of all active tunnels that have IPsec Security Associations (SA) -run: sudo /opt/vyatta/bin/sudo-users/vyatta-op-vpn.pl --show-ipsec-sa-stats - sudo /opt/vyatta/bin/sudo-users/vyatta-op-vpnprof.pl --show-ipsec-sa-stats diff --git a/templates/show/vpn/ipsec/sa/statistics/node.def.in b/templates/show/vpn/ipsec/sa/statistics/node.def.in new file mode 100644 index 0000000..5832f1a --- /dev/null +++ b/templates/show/vpn/ipsec/sa/statistics/node.def.in @@ -0,0 +1,3 @@ +help: Show statistics of all active tunnels that have IPsec Security Associations (SA) +run: sudo @SUDOUSRDIR@/vyatta-op-vpn.pl --show-ipsec-sa-stats + sudo @SUDOUSRDIR@/vyatta-op-vpnprof.pl --show-ipsec-sa-stats diff --git a/templates/show/vpn/ipsec/sa/statistics/peer/node.tag/node.def b/templates/show/vpn/ipsec/sa/statistics/peer/node.tag/node.def deleted file mode 100644 index 758333e..0000000 --- a/templates/show/vpn/ipsec/sa/statistics/peer/node.tag/node.def +++ /dev/null @@ -1,3 +0,0 @@ -help: Show stats for all active IPsec Security Associations (SA) for a peer -allowed: /opt/vyatta/bin/sudo-users/vyatta-op-vpn.pl --get-peers-for-cli -run: sudo /opt/vyatta/bin/sudo-users/vyatta-op-vpn.pl --show-ipsec-sa-stats-peer="$7" diff --git a/templates/show/vpn/ipsec/sa/statistics/peer/node.tag/node.def.in b/templates/show/vpn/ipsec/sa/statistics/peer/node.tag/node.def.in new file mode 100644 index 0000000..8b72451 --- /dev/null +++ b/templates/show/vpn/ipsec/sa/statistics/peer/node.tag/node.def.in @@ -0,0 +1,3 @@ +help: Show stats for all active IPsec Security Associations (SA) for a peer +allowed: @SUDOUSRDIR@/vyatta-op-vpn.pl --get-peers-for-cli +run: sudo @SUDOUSRDIR@/vyatta-op-vpn.pl --show-ipsec-sa-stats-peer="$7" 
diff --git a/templates/show/vpn/ipsec/sa/statistics/peer/node.tag/tunnel/node.tag/node.def b/templates/show/vpn/ipsec/sa/statistics/peer/node.tag/tunnel/node.tag/node.def deleted file mode 100644 index 1902c22..0000000 --- a/templates/show/vpn/ipsec/sa/statistics/peer/node.tag/tunnel/node.tag/node.def +++ /dev/null @@ -1,3 +0,0 @@ -help: Show stats for the active IPsec Security Association (SA) for a peer's tunnel -allowed: /opt/vyatta/bin/sudo-users/vyatta-op-vpn.pl --get-conn-for-cli=${COMP_WORDS[6]} -run: sudo /opt/vyatta/bin/sudo-users/vyatta-op-vpn.pl --show-ipsec-sa-stats-conn $7 $9 diff --git a/templates/show/vpn/ipsec/sa/statistics/peer/node.tag/tunnel/node.tag/node.def.in b/templates/show/vpn/ipsec/sa/statistics/peer/node.tag/tunnel/node.tag/node.def.in new file mode 100644 index 0000000..6566a44 --- /dev/null +++ b/templates/show/vpn/ipsec/sa/statistics/peer/node.tag/tunnel/node.tag/node.def.in @@ -0,0 +1,3 @@ +help: Show stats for the active IPsec Security Association (SA) for a peer's tunnel +allowed: @SUDOUSRDIR@/vyatta-op-vpn.pl --get-conn-for-cli=${COMP_WORDS[6]} +run: sudo @SUDOUSRDIR@/vyatta-op-vpn.pl --show-ipsec-sa-stats-conn $7 $9 diff --git a/templates/show/vpn/ipsec/sa/statistics/profile/node.tag/node.def b/templates/show/vpn/ipsec/sa/statistics/profile/node.tag/node.def deleted file mode 100644 index 9d49f44..0000000 --- a/templates/show/vpn/ipsec/sa/statistics/profile/node.tag/node.def +++ /dev/null @@ -1,3 +0,0 @@ -help: Show stats for all active IPsec Security Associations (SA) for a profile -allowed: /opt/vyatta/bin/sudo-users/vyatta-op-vpnprof.pl --get-profiles-for-cli -run: sudo /opt/vyatta/bin/sudo-users/vyatta-op-vpnprof.pl --show-ipsec-sa-stats-profile="$7" diff --git a/templates/show/vpn/ipsec/sa/statistics/profile/node.tag/node.def.in b/templates/show/vpn/ipsec/sa/statistics/profile/node.tag/node.def.in new file mode 100644 index 0000000..1bc76d6 --- /dev/null 
+++ b/templates/show/vpn/ipsec/sa/statistics/profile/node.tag/node.def.in @@ -0,0 +1,3 @@ +help: Show stats for all active IPsec Security Associations (SA) for a profile +allowed: @SUDOUSRDIR@/vyatta-op-vpnprof.pl --get-profiles-for-cli +run: sudo @SUDOUSRDIR@/vyatta-op-vpnprof.pl --show-ipsec-sa-stats-profile="$7" diff --git a/templates/show/vpn/ipsec/sa/statistics/profile/node.tag/tunnel/node.tag/node.def b/templates/show/vpn/ipsec/sa/statistics/profile/node.tag/tunnel/node.tag/node.def deleted file mode 100644 index b8aa7dc..0000000 --- a/templates/show/vpn/ipsec/sa/statistics/profile/node.tag/tunnel/node.tag/node.def +++ /dev/null @@ -1,3 +0,0 @@ -help: Show stats for the active IPsec Security Association (SA) for a tunnel bound to profile -allowed: /opt/vyatta/bin/sudo-users/vyatta-op-vpnprof.pl --get-conn-for-cli=${COMP_WORDS[6]} -run: sudo /opt/vyatta/bin/sudo-users/vyatta-op-vpnprof.pl --show-ipsec-sa-stats-conn $7 $9 diff --git a/templates/show/vpn/ipsec/sa/statistics/profile/node.tag/tunnel/node.tag/node.def.in b/templates/show/vpn/ipsec/sa/statistics/profile/node.tag/tunnel/node.tag/node.def.in new file mode 100644 index 0000000..9ae35c8 --- /dev/null +++ b/templates/show/vpn/ipsec/sa/statistics/profile/node.tag/tunnel/node.tag/node.def.in @@ -0,0 +1,3 @@ +help: Show stats for the active IPsec Security Association (SA) for a tunnel bound to profile +allowed: @SUDOUSRDIR@/vyatta-op-vpnprof.pl --get-conn-for-cli=${COMP_WORDS[6]} +run: sudo @SUDOUSRDIR@/vyatta-op-vpnprof.pl --show-ipsec-sa-stats-conn $7 $9 diff --git a/templates/show/vpn/ipsec/status/node.def b/templates/show/vpn/ipsec/status/node.def deleted file mode 100644 index bf4ebf7..0000000 --- a/templates/show/vpn/ipsec/status/node.def +++ /dev/null @@ -1,6 +0,0 @@ -help: Show status of IPsec process -run: if pgrep pluto >&/dev/null; then - /opt/vyatta/bin/sudo-users/vyatta-show-ipsec-status.pl - else - echo -e "IPSec Process NOT Running\n" - fi 
diff --git a/templates/show/vpn/ipsec/status/node.def.in b/templates/show/vpn/ipsec/status/node.def.in new file mode 100644 index 0000000..25f849b --- /dev/null +++ b/templates/show/vpn/ipsec/status/node.def.in @@ -0,0 +1,6 @@ +help: Show status of IPsec process +run: if pgrep pluto >&/dev/null; then + @SUDOUSRDIR@/vyatta-show-ipsec-status.pl + else + echo -e "IPSec Process NOT Running\n" + fi -- cgit v1.2.3 From 23548e6931a763be01c43463aada7b0ba4d818c9 Mon Sep 17 00:00:00 2001 From: "C.J. Collier" Date: Wed, 11 May 2016 06:44:37 +0000 Subject: oops missed a file --- debian/changelog | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/changelog b/debian/changelog index c7cd4d1..13bbddd 100644 --- a/debian/changelog +++ b/debian/changelog @@ -14,7 +14,7 @@ vyatta-op-vpn (0.15.0+vyos2+current2+nmu1) UNRELEASED; urgency=low - unknown substitution variable ${shlibs:Depends} - removed * address dpkg-source issue: - debian/source/format set to "3.0 (native)" - + * removed all references to /opt/vyatta but one from source -- C.J. Collier Wed, 11 May 2016 02:33:38 +0000 -- cgit v1.2.3 From 8a80669f305983de512466e3e2bad0924d7f37a0 Mon Sep 17 00:00:00 2001 From: Kim Hagen Date: Thu, 15 Sep 2016 08:49:42 +0200 Subject: prefix is set in "configure.ac" file, so is removed from "debian/rules" --- debian/rules | 2 -- 1 file changed, 2 deletions(-) diff --git a/debian/rules b/debian/rules index 67f4ee5..9231584 100755 --- a/debian/rules +++ b/debian/rules @@ -22,8 +22,6 @@ CFLAGS = -Wall -g configure = ./configure configure += --host=$(DEB_HOST_GNU_TYPE) configure += --build=$(DEB_BUILD_GNU_TYPE) -configure += --prefix=/usr -configure += --sysconfdir=/etc configure += --mandir=\$${prefix}/share/man configure += --infodir=\$${prefix}/share/info configure += CFLAGS="$(CFLAGS)" -- cgit v1.2.3 From 33e24e989996ec809e1be696866258ce987cc527 Mon Sep 17 00:00:00 2001 
From: Kim Hagen Date: Thu, 15 Sep 2016 11:40:03 +0200 Subject: Reimplementation of TriJetScud's commit:578688a25ba784d839512fefafab4cabdaf32fc5. Simpilfy the operational commands Instead of trying to parse the outout of ipsec or swanctl, just dump whatever swanctl outputs. --- .gitignore | 18 +----------------- configure.ac | 16 ---------------- templates/show/vpn/ipsec/sa/detail/node.def.in | 3 --- .../show/vpn/ipsec/sa/detail/peer/node.tag/node.def.in | 3 --- .../detail/peer/node.tag/tunnel/node.tag/node.def.in | 3 --- .../vpn/ipsec/sa/detail/profile/node.tag/node.def.in | 3 --- .../profile/node.tag/tunnel/node.tag/node.def.in | 3 --- templates/show/vpn/ipsec/sa/nat-traversal/node.def.in | 2 -- templates/show/vpn/ipsec/sa/node.def | 6 ++++++ templates/show/vpn/ipsec/sa/node.def.in | 3 --- templates/show/vpn/ipsec/sa/peer/node.tag/node.def.in | 3 --- .../ipsec/sa/peer/node.tag/tunnel/node.tag/node.def.in | 3 --- .../show/vpn/ipsec/sa/profile/node.tag/node.def.in | 3 --- .../sa/profile/node.tag/tunnel/node.tag/node.def.in | 3 --- templates/show/vpn/ipsec/sa/statistics/node.def.in | 3 --- .../vpn/ipsec/sa/statistics/peer/node.tag/node.def.in | 3 --- .../peer/node.tag/tunnel/node.tag/node.def.in | 3 --- .../ipsec/sa/statistics/profile/node.tag/node.def.in | 3 --- .../profile/node.tag/tunnel/node.tag/node.def.in | 3 --- 19 files changed, 7 insertions(+), 80 deletions(-) delete mode 100644 templates/show/vpn/ipsec/sa/detail/node.def.in delete mode 100644 templates/show/vpn/ipsec/sa/detail/peer/node.tag/node.def.in delete mode 100644 templates/show/vpn/ipsec/sa/detail/peer/node.tag/tunnel/node.tag/node.def.in delete mode 100644 templates/show/vpn/ipsec/sa/detail/profile/node.tag/node.def.in delete mode 100644 templates/show/vpn/ipsec/sa/detail/profile/node.tag/tunnel/node.tag/node.def.in delete mode 100644 templates/show/vpn/ipsec/sa/nat-traversal/node.def.in create mode 100644 templates/show/vpn/ipsec/sa/node.def delete mode 100644 
templates/show/vpn/ipsec/sa/node.def.in delete mode 100644 templates/show/vpn/ipsec/sa/peer/node.tag/node.def.in delete mode 100644 templates/show/vpn/ipsec/sa/peer/node.tag/tunnel/node.tag/node.def.in delete mode 100644 templates/show/vpn/ipsec/sa/profile/node.tag/node.def.in delete mode 100644 templates/show/vpn/ipsec/sa/profile/node.tag/tunnel/node.tag/node.def.in delete mode 100644 templates/show/vpn/ipsec/sa/statistics/node.def.in delete mode 100644 templates/show/vpn/ipsec/sa/statistics/peer/node.tag/node.def.in delete mode 100644 templates/show/vpn/ipsec/sa/statistics/peer/node.tag/tunnel/node.tag/node.def.in delete mode 100644 templates/show/vpn/ipsec/sa/statistics/profile/node.tag/node.def.in delete mode 100644 templates/show/vpn/ipsec/sa/statistics/profile/node.tag/tunnel/node.tag/node.def.in diff --git a/.gitignore b/.gitignore index 470b73c..cce2a86 100644 --- a/.gitignore +++ b/.gitignore 
@@ -48,21 +48,5 @@ templates/show/vpn/ike/sa/node.def templates/show/vpn/ike/sa/peer/node.tag/node.def templates/show/vpn/ike/secrets/node.def templates/show/vpn/ike/status/node.def -templates/show/vpn/ipsec/sa/detail/node.def -templates/show/vpn/ipsec/sa/detail/peer/node.tag/node.def -templates/show/vpn/ipsec/sa/detail/peer/node.tag/tunnel/node.tag/node.def -templates/show/vpn/ipsec/sa/detail/profile/node.tag/node.def -templates/show/vpn/ipsec/sa/detail/profile/node.tag/tunnel/node.tag/node.def -templates/show/vpn/ipsec/sa/nat-traversal/node.def -templates/show/vpn/ipsec/sa/node.def -templates/show/vpn/ipsec/sa/peer/node.tag/node.def -templates/show/vpn/ipsec/sa/peer/node.tag/tunnel/node.tag/node.def -templates/show/vpn/ipsec/sa/profile/node.tag/node.def -templates/show/vpn/ipsec/sa/profile/node.tag/tunnel/node.tag/node.def -templates/show/vpn/ipsec/sa/statistics/node.def -templates/show/vpn/ipsec/sa/statistics/peer/node.tag/node.def -templates/show/vpn/ipsec/sa/statistics/peer/node.tag/tunnel/node.tag/node.def -templates/show/vpn/ipsec/sa/statistics/profile/node.tag/node.def -templates/show/vpn/ipsec/sa/statistics/profile/node.tag/tunnel/node.tag/node.def templates/show/vpn/ipsec/status/node.def -/scripts/vyatta-gen-x509-keypair \ No newline at end of file +/scripts/vyatta-gen-x509-keypair diff --git a/configure.ac b/configure.ac index 6002c2d..19a356f 100644 --- a/configure.ac +++ b/configure.ac 
@@ -54,22 +54,6 @@ AC_OUTPUT([ templates/generate/vpn/rsa-key/bits/node.tag/node.def templates/generate/vpn/rsa-key/bits/node.tag/random/node.tag/node.def templates/show/vpn/ipsec/status/node.def - templates/show/vpn/ipsec/sa/node.def - templates/show/vpn/ipsec/sa/nat-traversal/node.def - templates/show/vpn/ipsec/sa/statistics/node.def - templates/show/vpn/ipsec/sa/statistics/profile/node.tag/node.def - templates/show/vpn/ipsec/sa/statistics/profile/node.tag/tunnel/node.tag/node.def - templates/show/vpn/ipsec/sa/statistics/peer/node.tag/node.def - templates/show/vpn/ipsec/sa/statistics/peer/node.tag/tunnel/node.tag/node.def - templates/show/vpn/ipsec/sa/detail/node.def - templates/show/vpn/ipsec/sa/detail/profile/node.tag/node.def - templates/show/vpn/ipsec/sa/detail/profile/node.tag/tunnel/node.tag/node.def - templates/show/vpn/ipsec/sa/detail/peer/node.tag/node.def - templates/show/vpn/ipsec/sa/detail/peer/node.tag/tunnel/node.tag/node.def - templates/show/vpn/ipsec/sa/profile/node.tag/node.def - templates/show/vpn/ipsec/sa/profile/node.tag/tunnel/node.tag/node.def - templates/show/vpn/ipsec/sa/peer/node.tag/node.def - templates/show/vpn/ipsec/sa/peer/node.tag/tunnel/node.tag/node.def templates/show/vpn/debug/node.def templates/show/vpn/debug/detail/node.def templates/show/vpn/debug/peer/node.tag/node.def diff --git a/templates/show/vpn/ipsec/sa/detail/node.def.in b/templates/show/vpn/ipsec/sa/detail/node.def.in deleted file mode 100644 index 781d61b..0000000 --- a/templates/show/vpn/ipsec/sa/detail/node.def.in +++ /dev/null @@ -1,3 +0,0 @@ -help: Show details for all active IPsec Security Associations (SA) -run: sudo @SUDOUSRDIR@/vyatta-op-vpn.pl --show-ipsec-sa-detail - sudo @SUDOUSRDIR@/vyatta-op-vpnprof.pl --show-ipsec-sa-detail diff --git a/templates/show/vpn/ipsec/sa/detail/peer/node.tag/node.def.in b/templates/show/vpn/ipsec/sa/detail/peer/node.tag/node.def.in deleted file mode 100644 index 659acfa..0000000 
--- a/templates/show/vpn/ipsec/sa/detail/peer/node.tag/node.def.in +++ /dev/null @@ -1,3 +0,0 @@ -help: Show details for all active IPsec Security Associations (SA) for a peer -allowed: @SUDOUSRDIR@/vyatta-op-vpn.pl --get-peers-for-cli -run: sudo @SUDOUSRDIR@/vyatta-op-vpn.pl --show-ipsec-sa-peer-detail="$7" diff --git a/templates/show/vpn/ipsec/sa/detail/peer/node.tag/tunnel/node.tag/node.def.in b/templates/show/vpn/ipsec/sa/detail/peer/node.tag/tunnel/node.tag/node.def.in deleted file mode 100644 index 5c121c3..0000000 --- a/templates/show/vpn/ipsec/sa/detail/peer/node.tag/tunnel/node.tag/node.def.in +++ /dev/null @@ -1,3 +0,0 @@ -help: Show details for the active IPsec Security Associations (SA) for a peer's tunnel -allowed: @SUDOUSRDIR@/vyatta-op-vpn.pl --get-conn-for-cli=${COMP_WORDS[6]} -run: sudo @SUDOUSRDIR@/vyatta-op-vpn.pl --show-ipsec-sa-conn-detail $7 $9 diff --git a/templates/show/vpn/ipsec/sa/detail/profile/node.tag/node.def.in b/templates/show/vpn/ipsec/sa/detail/profile/node.tag/node.def.in deleted file mode 100644 index bcbc520..0000000 --- a/templates/show/vpn/ipsec/sa/detail/profile/node.tag/node.def.in +++ /dev/null @@ -1,3 +0,0 @@ -help: Show details for all active IPsec Security Associations (SA) for a profile -allowed: @SUDOUSRDIR@/vyatta-op-vpnprof.pl --get-profiles-for-cli -run: sudo @SUDOUSRDIR@/vyatta-op-vpnprof.pl --show-ipsec-sa-profile-detail="$7" diff --git a/templates/show/vpn/ipsec/sa/detail/profile/node.tag/tunnel/node.tag/node.def.in b/templates/show/vpn/ipsec/sa/detail/profile/node.tag/tunnel/node.tag/node.def.in deleted file mode 100644 index e31b008..0000000 --- a/templates/show/vpn/ipsec/sa/detail/profile/node.tag/tunnel/node.tag/node.def.in +++ /dev/null @@ -1,3 +0,0 @@ -help: Show details for the active IPsec Security Associations (SA) for a tunnel bound to profile -allowed: @SUDOUSRDIR@/vyatta-op-vpnprof.pl --get-conn-for-cli=${COMP_WORDS[6]} -run: sudo @SUDOUSRDIR@/vyatta-op-vpnprof.pl --show-ipsec-sa-conn-detail $7 $9 
diff --git a/templates/show/vpn/ipsec/sa/nat-traversal/node.def.in b/templates/show/vpn/ipsec/sa/nat-traversal/node.def.in deleted file mode 100644 index f3bbe87..0000000 --- a/templates/show/vpn/ipsec/sa/nat-traversal/node.def.in +++ /dev/null @@ -1,2 +0,0 @@ -help: Show all active IPsec Security Associations (SA) that are using NAT Traversal -run: sudo @SUDOUSRDIR@/vyatta-op-vpn.pl --show-ipsec-sa-natt diff --git a/templates/show/vpn/ipsec/sa/node.def b/templates/show/vpn/ipsec/sa/node.def new file mode 100644 index 0000000..99a5cc1 --- /dev/null +++ b/templates/show/vpn/ipsec/sa/node.def @@ -0,0 +1,6 @@ +help: Show all active IPsec Security Associations (SA) +run: if pgrep charon >&/dev/null; then + sudo /usr/sbin/swanctl --list-sas + else + echo -e "IPSec Process NOT Running\n" + fi diff --git a/templates/show/vpn/ipsec/sa/node.def.in b/templates/show/vpn/ipsec/sa/node.def.in deleted file mode 100644 index 036a1d7..0000000 --- a/templates/show/vpn/ipsec/sa/node.def.in +++ /dev/null @@ -1,3 +0,0 @@ -help: Show all active IPsec Security Associations (SA) -run: sudo @SUDOUSRDIR@/vyatta-op-vpn.pl --show-ipsec-sa - sudo @SUDOUSRDIR@/vyatta-op-vpnprof.pl --show-ipsec-sa diff --git a/templates/show/vpn/ipsec/sa/peer/node.tag/node.def.in b/templates/show/vpn/ipsec/sa/peer/node.tag/node.def.in deleted file mode 100644 index 1cae596..0000000 --- a/templates/show/vpn/ipsec/sa/peer/node.tag/node.def.in +++ /dev/null @@ -1,3 +0,0 @@ -help: Show all active IPsec Security Associations (SA) for a peer -allowed: @SUDOUSRDIR@/vyatta-op-vpn.pl --get-peers-for-cli -run: sudo @SUDOUSRDIR@/vyatta-op-vpn.pl --show-ipsec-sa-peer="$6" diff --git a/templates/show/vpn/ipsec/sa/peer/node.tag/tunnel/node.tag/node.def.in b/templates/show/vpn/ipsec/sa/peer/node.tag/tunnel/node.tag/node.def.in deleted file mode 100644 index 8cc8a9c..0000000 --- a/templates/show/vpn/ipsec/sa/peer/node.tag/tunnel/node.tag/node.def.in +++ /dev/null 
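Review bot: The new `show vpn ipsec sa` node gates on `pgrep charon`, but the `status/node.def.in` this tree keeps (still listed as `templates/show/vpn/ipsec/status/node.def` in the configure.ac and .gitignore hunks above, and shown in the earlier commit) still checks `pgrep pluto`, the openswan/libreswan daemon name; on a strongswan host `show vpn ipsec status` will therefore report the process as not running while `show vpn ipsec sa` works. Both should test for the same daemon, i.e. `run: if pgrep charon >&/dev/null; then` in status/node.def.in as well. This file is also committed as a plain `node.def` with a hard-coded `/usr/sbin/swanctl`, unlike its siblings which are `.in` templates substituted at configure time; if that is deliberate because swanctl lives outside `@SUDOUSRDIR@`, the commit message should say so.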
@@ -1,3 +0,0 @@ -help: Show the active IPsec Security Association (SA) for a peer's tunnel -allowed: @SUDOUSRDIR@/vyatta-op-vpn.pl --get-conn-for-cli=${COMP_WORDS[5]} -run: sudo @SUDOUSRDIR@/vyatta-op-vpn.pl --show-ipsec-sa-conn $6 $8 diff --git a/templates/show/vpn/ipsec/sa/profile/node.tag/node.def.in b/templates/show/vpn/ipsec/sa/profile/node.tag/node.def.in deleted file mode 100644 index 30ed853..0000000 --- a/templates/show/vpn/ipsec/sa/profile/node.tag/node.def.in +++ /dev/null @@ -1,3 +0,0 @@ -help: Show all active IPsec Security Associations (SA) for a profile -allowed: @SUDOUSRDIR@/vyatta-op-vpnprof.pl --get-profiles-for-cli -run: sudo @SUDOUSRDIR@/vyatta-op-vpnprof.pl --show-ipsec-sa-profile="$6" diff --git a/templates/show/vpn/ipsec/sa/profile/node.tag/tunnel/node.tag/node.def.in b/templates/show/vpn/ipsec/sa/profile/node.tag/tunnel/node.tag/node.def.in deleted file mode 100644 index 3d643bc..0000000 --- a/templates/show/vpn/ipsec/sa/profile/node.tag/tunnel/node.tag/node.def.in +++ /dev/null @@ -1,3 +0,0 @@ -help: Show the active IPsec Security Association (SA) for a profile's tunnel -allowed: @SUDOUSRDIR@/vyatta-op-vpnprof.pl --get-conn-for-cli=${COMP_WORDS[5]} -run: sudo @SUDOUSRDIR@/vyatta-op-vpnprof.pl --show-ipsec-sa-conn $6 $8 diff --git a/templates/show/vpn/ipsec/sa/statistics/node.def.in b/templates/show/vpn/ipsec/sa/statistics/node.def.in deleted file mode 100644 index 5832f1a..0000000 --- a/templates/show/vpn/ipsec/sa/statistics/node.def.in +++ /dev/null @@ -1,3 +0,0 @@ -help: Show statistics of all active tunnels that have IPsec Security Associations (SA) -run: sudo @SUDOUSRDIR@/vyatta-op-vpn.pl --show-ipsec-sa-stats - sudo @SUDOUSRDIR@/vyatta-op-vpnprof.pl --show-ipsec-sa-stats diff --git a/templates/show/vpn/ipsec/sa/statistics/peer/node.tag/node.def.in b/templates/show/vpn/ipsec/sa/statistics/peer/node.tag/node.def.in deleted file mode 100644 index 8b72451..0000000 
--- a/templates/show/vpn/ipsec/sa/statistics/peer/node.tag/node.def.in +++ /dev/null @@ -1,3 +0,0 @@ -help: Show stats for all active IPsec Security Associations (SA) for a peer -allowed: @SUDOUSRDIR@/vyatta-op-vpn.pl --get-peers-for-cli -run: sudo @SUDOUSRDIR@/vyatta-op-vpn.pl --show-ipsec-sa-stats-peer="$7" diff --git a/templates/show/vpn/ipsec/sa/statistics/peer/node.tag/tunnel/node.tag/node.def.in b/templates/show/vpn/ipsec/sa/statistics/peer/node.tag/tunnel/node.tag/node.def.in deleted file mode 100644 index 6566a44..0000000 --- a/templates/show/vpn/ipsec/sa/statistics/peer/node.tag/tunnel/node.tag/node.def.in +++ /dev/null @@ -1,3 +0,0 @@ -help: Show stats for the active IPsec Security Association (SA) for a peer's tunnel -allowed: @SUDOUSRDIR@/vyatta-op-vpn.pl --get-conn-for-cli=${COMP_WORDS[6]} -run: sudo @SUDOUSRDIR@/vyatta-op-vpn.pl --show-ipsec-sa-stats-conn $7 $9 diff --git a/templates/show/vpn/ipsec/sa/statistics/profile/node.tag/node.def.in b/templates/show/vpn/ipsec/sa/statistics/profile/node.tag/node.def.in deleted file mode 100644 index 1bc76d6..0000000 --- a/templates/show/vpn/ipsec/sa/statistics/profile/node.tag/node.def.in +++ /dev/null @@ -1,3 +0,0 @@ -help: Show stats for all active IPsec Security Associations (SA) for a profile -allowed: @SUDOUSRDIR@/vyatta-op-vpnprof.pl --get-profiles-for-cli -run: sudo @SUDOUSRDIR@/vyatta-op-vpnprof.pl --show-ipsec-sa-stats-profile="$7" diff --git a/templates/show/vpn/ipsec/sa/statistics/profile/node.tag/tunnel/node.tag/node.def.in b/templates/show/vpn/ipsec/sa/statistics/profile/node.tag/tunnel/node.tag/node.def.in deleted file mode 100644 index 9ae35c8..0000000 --- a/templates/show/vpn/ipsec/sa/statistics/profile/node.tag/tunnel/node.tag/node.def.in +++ /dev/null 
@@ -1,3 +0,0 @@ -help: Show stats for the active IPsec Security Association (SA) for a tunnel bound to profile -allowed: @SUDOUSRDIR@/vyatta-op-vpnprof.pl --get-conn-for-cli=${COMP_WORDS[6]} -run: sudo @SUDOUSRDIR@/vyatta-op-vpnprof.pl --show-ipsec-sa-stats-conn $7 $9 -- cgit v1.2.3 From 9608b691012160836fd0fdcc1c8f9357d89c4de1 Mon Sep 17 00:00:00 2001 From: Kim Hagen Date: Wed, 8 Feb 2017 19:51:42 +0100 Subject: change ipsec newhostkey command with openssl command --- scripts/gen_local_rsa_key.pl | 20 +------------------- .../generate/vpn/rsa-key/bits/node.tag/node.def.in | 2 +- .../vpn/rsa-key/bits/node.tag/random/node.def | 1 - .../bits/node.tag/random/node.tag/node.def.in | 3 --- templates/generate/vpn/rsa-key/node.def.in | 4 ++-- 5 files changed, 4 insertions(+), 26 deletions(-) delete mode 100644 templates/generate/vpn/rsa-key/bits/node.tag/random/node.def delete mode 100644 templates/generate/vpn/rsa-key/bits/node.tag/random/node.tag/node.def.in diff --git a/scripts/gen_local_rsa_key.pl b/scripts/gen_local_rsa_key.pl index ce3f69b..e874316 100755 --- a/scripts/gen_local_rsa_key.pl +++ b/scripts/gen_local_rsa_key.pl @@ -31,20 +31,12 @@ use Vyatta::Misc qw(get_short_config_path); # Defaults my $bits = 2192; -my $device = "/dev/random"; if ($#ARGV > 1) { die "Usage: gen_local_rsa_key.pl \n"; } $bits = $ARGV[0] if $#ARGV >= 0; -# -# The ipsec newhostkey command seems to support up to -# 20000 bits for key generation, but xorp currently -# can't handle a line that long when entered in the -# config. Xorp seems to be able to handle keys generated -# with up to 5840 bits. -# my ($bits_min, $bits_max) = (16, 4096); if ($bits > $bits_max) { @@ -56,10 +48,6 @@ if ($bits < $bits_min) { if ($bits % 16 != 0) { die "bits=$bits is not a multiple of 16\n"; } -$device = $ARGV[1] if $#ARGV >= 1; -unless (-r $device) { - die "invalid random number device $device\n"; -} my $local_key_file = rsa_get_local_key_file(); 
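Review bot: With the `$device = $ARGV[1]` handling removed in the second hunk, the guard `if ($#ARGV > 1)` in the first hunk still accepts a second positional argument and now silently ignores it; `if ($#ARGV > 0) {` would make a caller that still passes the old random-device argument hit the usage error instead. `$bits` is only ever checked with numeric operators (`>`, `<`, `% 16`), which coerce any string to a number, yet in the following hunk it is interpolated into the `openssl` command string, so a `die "bits must be a positive integer\n" unless $bits =~ m{\A\d+\z};` before the range checks would pin it to what the template's `allowed: echo -n '<16-4096>'` promises. The deleted comment block was the only nearby rationale for `$bits_min`/`$bits_max`; a one-line replacement saying why 16–4096 is kept for `openssl genrsa` (and whether a 16-bit floor is still acceptable for a host key) would save the next reader from guessing. Both hunks sit in top-level script code that continues outside them.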
@@ -100,13 +88,7 @@ if (-e $temp_key_file) { } } -$cmd = "/usr/lib/ipsec/newhostkey --output $local_key_file --bits $bits"; -# -# The default random number generator is /dev/random, but it will block -# if there isn't enough system activity to provide enough "good" random -# bits. Try /dev/urandom if it's taking too long. -# -$cmd .= " --random $device"; +$cmd = "/usr/bin/openssl genrsa -out $local_key_file $bits"; # when presenting to users, show shortened /config path my $shortened_cfg_path_file = get_short_config_path($local_key_file); diff --git a/templates/generate/vpn/rsa-key/bits/node.tag/node.def.in b/templates/generate/vpn/rsa-key/bits/node.tag/node.def.in index 2eae9cc..198ec58 100644 --- a/templates/generate/vpn/rsa-key/bits/node.tag/node.def.in +++ b/templates/generate/vpn/rsa-key/bits/node.tag/node.def.in @@ -1,3 +1,3 @@ help: Generate local RSA key with specified number of bits -run: sudo @SUDOUSRDIR@/gen_local_rsa_key.pl "$5" /dev/random +run: sudo @SUDOUSRDIR@/gen_local_rsa_key.pl "$5" allowed: echo -n '<16-4096>' diff --git a/templates/generate/vpn/rsa-key/bits/node.tag/random/node.def b/templates/generate/vpn/rsa-key/bits/node.tag/random/node.def deleted file mode 100644 index 42118b5..0000000 --- a/templates/generate/vpn/rsa-key/bits/node.tag/random/node.def +++ /dev/null @@ -1 +0,0 @@ -help: Generate local RSA key with specified number of bits and random device diff --git a/templates/generate/vpn/rsa-key/bits/node.tag/random/node.tag/node.def.in b/templates/generate/vpn/rsa-key/bits/node.tag/random/node.tag/node.def.in deleted file mode 100644 index 81a9633..0000000 --- a/templates/generate/vpn/rsa-key/bits/node.tag/random/node.tag/node.def.in +++ /dev/null @@ -1,3 +0,0 @@ -help: Generate local RSA key with specified number of bits and random device -run: sudo @SUDOUSRDIR@/gen_local_rsa_key.pl "$5" "$7" -allowed: echo -n '/dev/random /dev/urandom' 
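Review bot: `$cmd = "/usr/bin/openssl genrsa -out $local_key_file $bits";` builds the command as one shell string; how `$cmd` is executed lies outside this hunk, but if it reaches `system` or backticks the list form `system('/usr/bin/openssl', 'genrsa', '-out', $local_key_file, $bits)` would bypass the shell and make the interpolation of `$local_key_file` and `$bits` a non-issue. The command writes the host's private key straight to `$local_key_file`, so it is worth confirming that the mode `openssl genrsa -out` leaves on the file (presumably the default file-creation mode minus the process umask) is as restrictive as what `newhostkey` produced; if not, a `chmod 0600` or an `umask 077` belongs right next to this line. The removed paragraph explained the blocking-`/dev/random` trade-off; a one-line comment such as `# openssl genrsa uses the library's own RNG, so the random-device option is gone` would record why `--random` disappeared.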
diff --git a/templates/generate/vpn/rsa-key/node.def.in b/templates/generate/vpn/rsa-key/node.def.in index 482f32c..eab5a4f 100644 --- a/templates/generate/vpn/rsa-key/node.def.in +++ b/templates/generate/vpn/rsa-key/node.def.in @@ -1,2 +1,2 @@ -help: Generate local RSA key (default: bits=2192 device=/dev/random) -run: sudo @SUDOUSRDIR@/gen_local_rsa_key.pl 2192 /dev/random +help: Generate local RSA key (default: bits=2192) +run: sudo @SUDOUSRDIR@/gen_local_rsa_key.pl 2192 -- cgit v1.2.3 From b1159f96a27fa39b8b3b71940efff602b468cf65 Mon Sep 17 00:00:00 2001 From: UnicronNL Date: Wed, 8 Feb 2017 19:59:26 +0100 Subject: remove reference to deleted files --- configure.ac | 1 - 1 file changed, 1 deletion(-) diff --git a/configure.ac b/configure.ac index 19a356f..530f4ae 100644 --- a/configure.ac +++ b/configure.ac @@ -52,7 +52,6 @@ AC_OUTPUT([ templates/generate/vpn/x509/key-pair/node.tag/node.def templates/generate/vpn/rsa-key/node.def templates/generate/vpn/rsa-key/bits/node.tag/node.def - templates/generate/vpn/rsa-key/bits/node.tag/random/node.tag/node.def templates/show/vpn/ipsec/status/node.def templates/show/vpn/debug/node.def templates/show/vpn/debug/detail/node.def -- cgit v1.2.3 From ce1c285359947d4af3c2713482ba4927c29b93cd Mon Sep 17 00:00:00 2001 From: jules-vyos Date: Mon, 3 Jul 2017 14:24:44 +0100 Subject: Fix for T319 - show vpn ipsec status returns incorrect information Strongswan 'ipsec status' command changed output format. --- scripts/vyatta-show-ipsec-status.pl | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/scripts/vyatta-show-ipsec-status.pl b/scripts/vyatta-show-ipsec-status.pl index a96d1dd..bff36c8 100644 --- a/scripts/vyatta-show-ipsec-status.pl +++ b/scripts/vyatta-show-ipsec-status.pl 
@@ -98,7 +98,10 @@ sub relate_intfs_with_localips { # my $process_id = `sudo cat /var/run/charon.pid`; -my $active_tunnels = `sudo ipsec status 2>/dev/null | grep 'newest IPsec SA: #' | grep -v 'newest IPsec SA: #0' | wc -l`; +# Update to deal with new strongswan syntax for ipsec status command. +my $sa_summary = `sudo ipsec status 2>/dev/null | grep "Security Associations" `; +my $active_tunnels; +($active_tunnels) = $sa_summary =~ /\((.*?) up/; chomp $process_id; chomp $active_tunnels; my @vpn_interfaces = get_vpn_intfs(); -- cgit v1.2.3 From 46c10df71f00f215d6aaa15a3b00e946679a0328 Mon Sep 17 00:00:00 2001 From: jules-vyos Date: Mon, 3 Jul 2017 15:01:31 +0100 Subject: Fix for T303 - 'show vpn ike status per warning: Using a hash as a reference is deprecated' Newer version of perl doesn't like %hash->{item} syntax. Prefers $hash{item} instead. --- lib/OPMode.pm | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/lib/OPMode.pm b/lib/OPMode.pm index ed57ea2..e304b2f 100644 --- a/lib/OPMode.pm +++ b/lib/OPMode.pm @@ -837,8 +837,8 @@ sub get_connection_status (my $peerid, my $tun) = @_; my %th = get_tunnel_info_peer($peerid); for my $peer ( keys %th ) { - if (%{$th{$peer}}->{_tunnelnum} eq $tun){ - return %{$th{$peer}}->{_state}; + if (${$th{$peer}}{_tunnelnum} eq $tun){ + return ${$th{$peer}}{_state}; } } } @@ -847,10 +847,10 @@ sub get_peer_ike_status my ($peerid) = @_; my %th = get_tunnel_info_peer($peerid); for my $peer ( keys %th ) { - if (%{$th{$peer}}->{_ikestate} eq 'up'){ + if (${$th{$peer}}{_ikestate} eq 'up'){ return 'up'; } - if (%{$th{$peer}}->{_ikestate} eq 'init'){ + if (${$th{$peer}}{_ikestate} eq 'init'){ return 'init'; } } @@ -862,7 +862,7 @@ sub show_ipsec_sa_natt my %tunnel_hash = get_tunnel_info(); my %tmphash = (); for my $peer ( keys %tunnel_hash ) { - if (%{$tunnel_hash{$peer}}->{_natt} == 1 ){ + if (${$tunnel_hash{$peer}>{_natt} == 1 ){ $tmphash{$peer} = \%{$tunnel_hash{$peer}}; } } 
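Review bot: `($active_tunnels) = $sa_summary =~ /\((.*?) up/;` leaves `$active_tunnels` undefined whenever the `grep` returns no `Security Associations` line (charon not running, or another output-format change), so the following `chomp $active_tunnels` warns and whatever prints the count later sees `undef`, where the old `wc -l` always produced a number. Suggest `my ($active_tunnels) = $sa_summary =~ /\((\d+) up/;` followed by `$active_tunnels //= 0;`, which also pins the capture to digits. The comment `# Update to deal with new strongswan syntax for ipsec status command.` records history rather than the contract; stating the expected line shape instead (presumably `Security Associations (N up, M connecting):`, judging by the regex) would help whoever has to adjust it next. The surrounding top-level code of this script continues outside the hunk.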
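Review bot: In the `show_ipsec_sa_natt` hunk the rewritten condition reads `${$tunnel_hash{$peer}>{_natt}` — the closing brace of the inner deref block is missing, so this revision does not compile; the `show_ike_sa_natt` hunk (starting on the next line) has the intended form `${$tunnel_hash{$peer}}{_natt} == 1`. As a point of style, all of these lookups read more naturally in the arrow form already used elsewhere in OPMode.pm, e.g. `$th{$peer}->{_tunnelnum} eq $tun` and `return $th{$peer}->{_state};`, which is also what the deprecation warning is steering towards. The enclosing subs `get_connection_status`, `get_peer_ike_status` and `show_ipsec_sa_natt` begin above their hunks.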
@@ -905,7 +905,7 @@ sub show_ike_sa_natt my %tunnel_hash = get_tunnel_info(); my %tmphash = (); for my $peer ( keys %tunnel_hash ) { - if (%{$tunnel_hash{$peer}}->{_natt} == 1 ){ + if (${$tunnel_hash{$peer}}{_natt} == 1 ){ $tmphash{$peer} = \%{$tunnel_hash{$peer}}; } } -- cgit v1.2.3 From 367f00fe224ba76a43fb5ddebfcb0e0052a09075 Mon Sep 17 00:00:00 2001 From: jules-vyos Date: Wed, 5 Jul 2017 09:31:45 +0100 Subject: T303 - Re-fix - broke that the first time Typo, sadly. Resolved this time. --- lib/OPMode.pm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/OPMode.pm b/lib/OPMode.pm index e304b2f..9e7bd60 100644 --- a/lib/OPMode.pm +++ b/lib/OPMode.pm @@ -862,7 +862,7 @@ sub show_ipsec_sa_natt my %tunnel_hash = get_tunnel_info(); my %tmphash = (); for my $peer ( keys %tunnel_hash ) { - if (${$tunnel_hash{$peer}>{_natt} == 1 ){ + if (${$tunnel_hash{$peer}}{_natt} == 1 ){ $tmphash{$peer} = \%{$tunnel_hash{$peer}}; } } -- cgit v1.2.3 From 4aba0c7e26b5336122e88ab2bba01c1c6066600e Mon Sep 17 00:00:00 2001 From: jules-vyos Date: Thu, 27 Jul 2017 13:33:50 +0100 Subject: Fix various bits for newer StrongSwan support Largely revamped process_tunnels Make IKE tunnels information work again. Added initial support for IKEv2 status. --- lib/OPMode.pm | 71 ++++++++++++++++++++++++++++++++++++++++++++++------------- 1 file changed, 56 insertions(+), 15 deletions(-) diff --git a/lib/OPMode.pm b/lib/OPMode.pm index 9e7bd60..438b628 100644 --- a/lib/OPMode.pm +++ b/lib/OPMode.pm @@ -201,12 +201,10 @@ sub process_tunnels{ my @ipsecstatus = @{pop(@_)}; my %tunnel_hash = (); my %esp_hash = (); + my %lip_lookup = (); foreach my $line (@ipsecstatus) { - if (($line =~ /(peer-.*-tunnel-.*?):/)){ + if (($line =~ /(peer-.*-tunnel-.*?):/ && !($line =~ /[\[\{]/))){ my $connectid = $1; - if (($line =~ /(peer-.*-tunnel-.*?):(\[\d*\])/)){ - $connectid .= $2; - } $connectid =~ /peer-(.*)-tunnel-(.*)/; my $peer = $1; my $tunid = $2; 
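Review bot: The rewritten test `if (($line =~ /(peer-.*-tunnel-.*?):/ && !($line =~ /[\[\{]/))){` in process_tunnels reads more naturally as `if ($line =~ /(peer-.*-tunnel-.*?):/ && $line !~ /[\[{]/) {`, dropping the doubled parentheses and the negated-match workaround. Two lines later `$connectid =~ /peer-(.*)-tunnel-(.*)/;` is evaluated only for its side effect on `$1`/`$2`; it cannot fail given the outer match, but `my ($peer, $tunid) = $connectid =~ /peer-(.*)-tunnel-(.*)/;` states that intent directly. process_tunnels continues past the hunk.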
@@ -234,6 +232,7 @@ sub process_tunnels{ _inspi => 'n/a', _outspi => 'n/a', _pfsgrp => 'n/a', + _ikever => 'n/a', _ikeencrypt => 'n/a', _ikehash => 'n/a', _natt => 'n/a', @@ -249,6 +248,35 @@ sub process_tunnels{ _lifetime => 'n/a', _expire => 'n/a' }; } + # Disgusting hack - rip not mentioned on any line on a second tunnel to a peer - so borrow it from the first one + if($tunid >1) + { + $tunnel_hash{$connectid}->{_lip} = conv_ip($lip_lookup{$peer}); + } + # A line like: 'peer-192.168.3.21-tunnel-1: %any...192.168.3.21 IKEv2' + if ($line =~ /\s+(.*?)\.\.\.(.*?) IKEv(.*?)/ ) + { + my $lip = $1; + my $rip = $2; + my $ikever = $3; + $tunnel_hash{$connectid}->{_lip} = conv_ip($lip); + $tunnel_hash{$connectid}->{_rip} = conv_ip($rip); + $tunnel_hash{$connectid}->{_ikever} = $ikever; + if($tunid == 1) + { + $lip_lookup{$peer} = conv_ip($lip); + } + } + # A line like: 'peer-192.168.3.21-tunnel-1: child: 192.168.1.0/24 === 192.168.0.0/24 TUNNEL' + elsif ($line =~ /child:\s+(.*?) === (.*?) TUNNEL/) + { + my $lsnet = $1; + my $rsnet = $2; + $tunnel_hash{$connectid}->{_lsnet} = $lsnet; + $tunnel_hash{$connectid}->{_rsnet} = $rsnet; + } + + # OLD CODE! $line =~ s/---.*\.\.\./.../g; # remove the next hop router for local-ip 0.0.0.0 case if ($line =~ /IKE.proposal:(.*?)\/(.*?)\/(.*)/){ $tunnel_hash{$connectid}->{_ikeencrypt} = $1; 
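Review bot: In `if ($line =~ /\s+(.*?)\.\.\.(.*?) IKEv(.*?)/ )` the final `(.*?)` is non-greedy with nothing after it, so it always matches the empty string and `_ikever` is set to `''` rather than the version digit; use `IKEv(\d+)`. The "Disgusting hack" branch reads `$lip_lookup{$peer}`, which is only populated once tunnel 1 of that peer has been seen in @ipsecstatus, so a higher-numbered tunnel listed first gets `conv_ip(undef)`; and because the stored value was already passed through `conv_ip`, the lookup path applies `conv_ip` twice — whether that is idempotent is not visible here. Storing the raw `$lip` in `%lip_lookup` and guarding with `if ($tunid > 1 && exists $lip_lookup{$peer})` avoids both. process_tunnels continues outside the hunk.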
@@ -587,11 +615,16 @@ sub process_tunnels{ $tunnel_hash{$connectid}->{_ikelife} = $ikelife; $tunnel_hash{$connectid}->{_pfsgrp} = $pfs_group; - } elsif ($line =~ /\]:\s+IKE SPIs: .* (reauthentication|rekeying) (disabled|in .*)/) { - $tunnel_hash{$connectid}->{_ikeexpire} = conv_time($2); + } elsif ($line =~ /\]:\s+IKE.* SPIs: .* (reauthentication|rekeying) (disabled|in .*)/) { + my $ikever; + ($ikever) = $line =~ /IKEv(.*?) SPI/; + $tunnel_hash{$connectid}->{_ikever} = $ikever; + my $expiry_time; + (undef,$expiry_time) = $line =~ /(reauthentication|rekeying) (.*)/; + $tunnel_hash{$connectid}->{_ikeexpire} = conv_time($expiry_time); - my ($atime, $ike_lifetime, $ike_expire) = (-1, $tunnel_hash{$connectid}->{_ikelife}, $tunnel_hash{$connectid}->{_ikeexpire}); - $atime = $ike_lifetime - $ike_expire if (($ike_lifetime ne 'n/a') && ($ike_expire ne 'n/a')); + my $atime = $tunnel_hash{$connectid}->{_ikelife} - $tunnel_hash{$connectid}->{_ikeexpire}; +# $atime = $ike_lifetime - $ike_expire if (($ike_lifetime ne 'n/a') && ($ike_expire ne 'n/a')); $tunnel_hash{$connectid}->{_ikestate} = "up" if ($atime >= 0); @@ -869,7 +902,12 @@ sub show_ipsec_sa_natt display_ipsec_sa_brief(\%tmphash); } sub show_ike_status{ - my $process_id = `sudo cat /var/run/charon.pid`; + my $pidfile = '/var/run/charon.pid'; + if (! -e $pidfile) { + print "IKE process is not running\n"; + exit(1); + } + my $process_id = `sudo cat $pidfile`; chomp $process_id; print <setLevel('vpn ipsec site-to-site'); for my $connectid (keys %th){ - $peerid = conv_ip($th{$connectid}->{_rip}); + $peerid = conv_ip($th{$connectid}->{_peerid}); my $lip = conv_ip($th{$connectid}->{_lip}); my $tunnel = "$peerid-$lip"; my $peer_configured = conv_id_rev($th{$connectid}->{_peerid}); @@ -1027,6 +1065,7 @@ EOH my $atime = $life - $expire; $atime = 0 if ($atime == $life); printf " %-7s %-6s %-14s %-8s %-7s %-6s %-7s %-7s %-2s\n", + $tunnum, $state, $bytesp, $enc, $hash, $natt, $atime, $life, $proto; } 
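Review bot: `my $atime = $tunnel_hash{$connectid}->{_ikelife} - $tunnel_hash{$connectid}->{_ikeexpire};` drops the `ne 'n/a'` guard the removed lines had (it survives only as a commented-out line), yet the record is initialised with `'n/a'` placeholders (see the `_ikever => 'n/a'` addition in the `@@ -234` hunk) and the old code explicitly tested both fields for that value; subtracting the string `'n/a'` yields 0, so `$atime >= 0` marks the IKE SA `up` even when no lifetime was ever parsed. Restore the guard: `my ($ike_lifetime, $ike_expire) = ($tunnel_hash{$connectid}->{_ikelife}, $tunnel_hash{$connectid}->{_ikeexpire});` then `my $atime = ($ike_lifetime ne 'n/a' && $ike_expire ne 'n/a') ? $ike_lifetime - $ike_expire : -1;`. The `(reauthentication|rekeying) (.*)` capture also hands the literal `disabled` to `conv_time` when that alternative matched; what `conv_time` returns for it is not visible here. The same unguarded subtraction is carried forward into the later `@@ -615,19 +615,21` hunk of this file. process_tunnels continues outside the hunk.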
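Review bot: `exit(1)` inside show_ike_status ends the whole calling process from a library sub in OPMode.pm; `return` (or `die`, which a caller can trap) is the usual choice so the CLI wrapper decides how to fail. The preceding `if (! -e $pidfile)` only proves the file exists and runs as the invoking user, so a stale `/var/run/charon.pid` left by an unclean shutdown still passes and `sudo cat $pidfile` yields the pid of a process that is gone; the templates in this series gate on `pgrep charon`, which is the liveness check this sub should mirror before printing the pid. The heredoc after `print` is not legible in this rendering and the sub continues outside the hunk.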
@@ -1224,12 +1263,14 @@ sub display_ike_sa_brief { next if ($th{$connectid}->{_ikestate} eq 'down'); if (not exists $tunhash{$tunnel}) { $tunhash{$tunnel}={ + _configpeer => conv_id_rev($th{$connectid}->{_peerid}), _configpeer => conv_id_rev($th{$connectid}->{_peerid}), _tunnels => [] }; } my @tmp = ( $th{$connectid}->{_tunnelnum}, $th{$connectid}->{_ikestate}, + $th{$connectid}->{_ikever}, $th{$connectid}->{_newestike}, $th{$connectid}->{_ikeencrypt}, $th{$connectid}->{_ikehash}, @@ -1251,11 +1292,11 @@ EOH print "\n Description: $desc\n" if (defined($desc)); print <{_tunnels}})){ - (my $tunnum, my $state, my $isakmpnum, my $enc, + (my $tunnum, my $state, my $ver, my $isakmpnum, my $enc, my $hash, my $dhgrp, my $natt, my $life, my $expire) = @{$tunnel}; $enc = conv_enc($enc); $hash = conv_hash($hash); @@ -1263,8 +1304,8 @@ EOH $dhgrp = conv_dh_group($dhgrp); my $atime = $life - $expire; $atime = 0 if ($atime == $life); - printf " %-6s %-8s %-7s %-8s %-6s %-7s %-7s\n", - $state, $enc, $hash, $dhgrp, $natt, $atime, $life; + printf " %-6s %-4s %-8s %-7s %-8s %-6s %-7s %-7s\n", + $state, $ver, $enc, $hash, $dhgrp, $natt, $atime, $life; } print "\n \n"; } -- cgit v1.2.3 From 24c7ff03646d73767df9a0b5e20c483fcf9708a6 Mon Sep 17 00:00:00 2001 
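Review bot: The added `_configpeer => conv_id_rev($th{$connectid}->{_peerid}),` duplicates the identical key already present on the next line of the `$tunhash{$tunnel}` constructor; Perl keeps the last value so it is harmless, but it calls `conv_id_rev` twice and reads like a merge slip — drop the added line. display_ike_sa_brief continues outside the hunk.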
From: jules-vyos Date: Thu, 27 Jul 2017 15:38:31 +0100 Subject: Add templates for extended commands --- templates/show/vpn/ipsec/peer/node.def | 1 + templates/show/vpn/ipsec/peer/node.tag/detail/node.def.in | 3 +++ templates/show/vpn/ipsec/peer/node.tag/node.def.in | 3 +++ templates/show/vpn/ipsec/sa/detail/node.def.in | 6 ++++++ templates/show/vpn/ipsec/stats/node.def.in | 3 +++ templates/show/vpn/ipsec/stats/node.tag/node.def.in | 3 +++ templates/show/vpn/ipsec/stats/node.tag/tunnel/node.def | 1 + .../show/vpn/ipsec/stats/node.tag/tunnel/node.tag/node.def.in | 10 ++++++++++ templates/show/vpn/ipsec/verbose/node.def | 7 +++++++ 9 files changed, 37 insertions(+) create mode 100644 templates/show/vpn/ipsec/peer/node.def create mode 100644 templates/show/vpn/ipsec/peer/node.tag/detail/node.def.in create mode 100644 templates/show/vpn/ipsec/peer/node.tag/node.def.in create mode 100644 templates/show/vpn/ipsec/sa/detail/node.def.in create mode 100644 templates/show/vpn/ipsec/stats/node.def.in create mode 100644 templates/show/vpn/ipsec/stats/node.tag/node.def.in create mode 100644 templates/show/vpn/ipsec/stats/node.tag/tunnel/node.def create mode 100644 templates/show/vpn/ipsec/stats/node.tag/tunnel/node.tag/node.def.in create mode 100644 templates/show/vpn/ipsec/verbose/node.def diff --git a/templates/show/vpn/ipsec/peer/node.def b/templates/show/vpn/ipsec/peer/node.def new file mode 100644 index 0000000..f77f46e --- /dev/null +++ b/templates/show/vpn/ipsec/peer/node.def @@ -0,0 +1 @@ +help: Show all currently active IPSec Security Associations (SA) for a peer diff --git a/templates/show/vpn/ipsec/peer/node.tag/detail/node.def.in b/templates/show/vpn/ipsec/peer/node.tag/detail/node.def.in new file mode 100644 index 0000000..e05a3c4 --- /dev/null +++ b/templates/show/vpn/ipsec/peer/node.tag/detail/node.def.in 
@@ -0,0 +1,3 @@ +help: Show detail on all currently active IPSec Security Associations (SA) for a peer +allowed: @SUDOUSRDIR@/vyatta-op-vpn.pl --get-peers-for-cli +run: sudo @SUDOUSRDIR@/vyatta-op-vpn.pl --show-ipsec-sa-peer-detail="$6" diff --git a/templates/show/vpn/ipsec/peer/node.tag/node.def.in b/templates/show/vpn/ipsec/peer/node.tag/node.def.in new file mode 100644 index 0000000..4b23f44 --- /dev/null +++ b/templates/show/vpn/ipsec/peer/node.tag/node.def.in @@ -0,0 +1,3 @@ +help: Show all currently active IPSec Security Associations (SA) for a peer +allowed: @SUDOUSRDIR@/vyatta-op-vpn.pl --get-peers-for-cli +run: sudo @SUDOUSRDIR@/vyatta-op-vpn.pl --show-ipsec-sa-peer="$6" diff --git a/templates/show/vpn/ipsec/sa/detail/node.def.in b/templates/show/vpn/ipsec/sa/detail/node.def.in new file mode 100644 index 0000000..3362e9b --- /dev/null +++ b/templates/show/vpn/ipsec/sa/detail/node.def.in @@ -0,0 +1,6 @@ +help: Show Detail on all active IPsec Security Associations (SA) +run: if pgrep charon >&/dev/null; then + @SUDOUSRDIR@/vyatta-op-vpn.pl --show-ipsec-sa + else + echo -e "IPSec Process NOT Running\n" + fi diff --git a/templates/show/vpn/ipsec/stats/node.def.in b/templates/show/vpn/ipsec/stats/node.def.in new file mode 100644 index 0000000..d1d6ad0 --- /dev/null +++ b/templates/show/vpn/ipsec/stats/node.def.in @@ -0,0 +1,3 @@ +help: Show statistics for alll currently active IPSec Security Associations (SA) +run: @SUDOUSRDIR@/vyatta-op-vpn.pl --show-ipsec-sa-stats + diff --git a/templates/show/vpn/ipsec/stats/node.tag/node.def.in b/templates/show/vpn/ipsec/stats/node.tag/node.def.in new file mode 100644 index 0000000..9426469 --- /dev/null +++ b/templates/show/vpn/ipsec/stats/node.tag/node.def.in @@ -0,0 +1,3 @@ +help: Show Statistics for SAs associated with a specific peer +allowed: @SUDOUSRDIR@/vyatta-op-vpn.pl --get-peers-for-cli +#run: sudo @SUDOUSRDIR@/vyatta-op-vpn.pl --show-ipsec-sa-peer="$6" 
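Review bot: `run: sudo @SUDOUSRDIR@/vyatta-op-vpn.pl --show-ipsec-sa-peer-detail="$6"` passes the word the operator typed straight to a privileged script; `allowed:` only feeds tab completion and does not restrict what can be entered, so the `--show-ipsec-sa-peer-detail` handler must treat its argument as untrusted and accept only a configured peer name before using it. The same applies to `--show-ipsec-sa-peer="$6"` in the following `peer/node.tag/node.def.in` hunk and to the copies moved under `sa/peer/` later in this series. If that validation already lives in vyatta-op-vpn.pl, a line such as `# $6 is operator input; vyatta-op-vpn.pl validates it against configured peers` in the template makes the contract visible to the next editor.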
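Review bot: The `help:` of `sa/detail/node.def.in` promises detail output, but its `run:` invokes `--show-ipsec-sa`, the same option the non-detail `sa/node.def` switches to at the end of this series, while `verbose/node.def` uses `--show-ipsec-sa-detail`; one of these is presumably wrong, and if detail is intended the line should be `@SUDOUSRDIR@/vyatta-op-vpn.pl --show-ipsec-sa-detail`. It also runs without `sudo`, unlike the peer templates, so either the script needs no privilege for this path (and the others should drop `sudo`) or this one will fail to read the daemon's state.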
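Review bot: Typo in the help text of `stats/node.def.in`: `alll` → `all`, giving `help: Show statistics for all currently active IPSec Security Associations (SA)`. The templates in this commit also alternate between `IPSec` and `IPsec`; the existing `sa/node.def` uses `IPsec`, so that spelling would keep the help strings consistent.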
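Review bot: In `stats/node.tag/node.def.in` the `run:` line is commented out (`#run: sudo @SUDOUSRDIR@/vyatta-op-vpn.pl --show-ipsec-sa-peer="$6"`), so after a peer is completed the command has nothing to execute, and the surviving `allowed:` advertises a sub-command that does nothing. Either restore a `run:` that calls a per-peer stats handler or leave the template out until that handler exists. The commented command also still names `--show-ipsec-sa-peer`, the non-stats option used by `peer/node.tag/node.def.in`, so it is not a drop-in candidate even once uncommented.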
diff --git a/templates/show/vpn/ipsec/stats/node.tag/tunnel/node.def b/templates/show/vpn/ipsec/stats/node.tag/tunnel/node.def new file mode 100644 index 0000000..0429324 --- /dev/null +++ b/templates/show/vpn/ipsec/stats/node.tag/tunnel/node.def @@ -0,0 +1 @@ +help: Get Stats for a specific tunnel diff --git a/templates/show/vpn/ipsec/stats/node.tag/tunnel/node.tag/node.def.in b/templates/show/vpn/ipsec/stats/node.tag/tunnel/node.tag/node.def.in new file mode 100644 index 0000000..92a8572 --- /dev/null +++ b/templates/show/vpn/ipsec/stats/node.tag/tunnel/node.tag/node.def.in @@ -0,0 +1,10 @@ +help: Reset a specific tunnel for given peer + +allowed: @SUDOUSRDIR@/vyatta-vpn-op.pl \ + --op=get-tunnels-for-peer \ + --peer="${COMP_WORDS[COMP_CWORD-2]}" + +run: @SUDOUSRDIR@/vyatta-op-vpn.pl \ + --op=show-ipsec-sa-stats-conn \ + --peer="$6" \ + --tunnel="$8" diff --git a/templates/show/vpn/ipsec/verbose/node.def b/templates/show/vpn/ipsec/verbose/node.def new file mode 100644 index 0000000..fac77a3 --- /dev/null +++ b/templates/show/vpn/ipsec/verbose/node.def @@ -0,0 +1,7 @@ +help: Show Verbose Detail on all active IPsec Security Associations (SA) +run: if pgrep charon >&/dev/null; then + /opt/vyatta/bin/sudo-users/vyatta-op-vpn.pl --show-ipsec-sa-detail + else + echo -e "IPSec Process NOT Running\n" + fi + -- cgit v1.2.3 From 739d1c222a3c69d89bf299365c070f5bf7981232 Mon Sep 17 00:00:00 2001 
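Review bot: `help: Reset a specific tunnel for given peer` describes a reset, but this is a `show … stats` node whose `run:` calls `--op=show-ipsec-sa-stats-conn`; the help should read `help: Show statistics for a specific tunnel of a given peer`. The `allowed:` line calls `@SUDOUSRDIR@/vyatta-vpn-op.pl` while every other template in this commit calls `vyatta-op-vpn.pl`, which looks like a transposed name, and the `--op=… --peer=… --tunnel=…` style differs from the `--show-ipsec-sa-…` flags used elsewhere, so confirm vyatta-op-vpn.pl actually accepts `--op`. `$6` and `$8` are operator input reaching a script under `@SUDOUSRDIR@` and need the same validation as the peer templates.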
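Review bot: `/opt/vyatta/bin/sudo-users/vyatta-op-vpn.pl --show-ipsec-sa-detail` in `verbose/node.def` hard-codes the install prefix, and because the file is `node.def` rather than `node.def.in` it bypasses the `@SUDOUSRDIR@` substitution every sibling template in this commit relies on; rename it to `node.def.in` and write `@SUDOUSRDIR@/vyatta-op-vpn.pl --show-ipsec-sa-detail`. The same hard-coded path appears in the `sa/node.def` change at the end of this series. It also overlaps `sa/detail/node.def.in` (same `pgrep charon` guard, same script, different option), so it is worth stating in the help which of the two is the detail view and which the verbose one.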
From: jules-vyos Date: Thu, 27 Jul 2017 15:40:14 +0100 Subject: Move into the CORRECT tree location. --- templates/show/vpn/ipsec/peer/node.def | 1 - templates/show/vpn/ipsec/peer/node.tag/detail/node.def.in | 3 --- templates/show/vpn/ipsec/peer/node.tag/node.def.in | 3 --- templates/show/vpn/ipsec/sa/peer/node.def | 1 + templates/show/vpn/ipsec/sa/peer/node.tag/detail/node.def.in | 3 +++ templates/show/vpn/ipsec/sa/peer/node.tag/node.def.in | 3 +++ templates/show/vpn/ipsec/sa/stats/node.def.in | 3 +++ templates/show/vpn/ipsec/sa/stats/node.tag/node.def.in | 3 +++ templates/show/vpn/ipsec/sa/stats/node.tag/tunnel/node.def | 1 + .../vpn/ipsec/sa/stats/node.tag/tunnel/node.tag/node.def.in | 10 ++++++++++ templates/show/vpn/ipsec/sa/verbose/node.def | 7 +++++++ templates/show/vpn/ipsec/stats/node.def.in | 3 --- templates/show/vpn/ipsec/stats/node.tag/node.def.in | 3 --- templates/show/vpn/ipsec/stats/node.tag/tunnel/node.def | 1 - .../show/vpn/ipsec/stats/node.tag/tunnel/node.tag/node.def.in | 10 ---------- templates/show/vpn/ipsec/verbose/node.def | 7 ------- 16 files changed, 31 insertions(+), 31 deletions(-) delete mode 100644 templates/show/vpn/ipsec/peer/node.def delete mode 100644 templates/show/vpn/ipsec/peer/node.tag/detail/node.def.in delete mode 100644 templates/show/vpn/ipsec/peer/node.tag/node.def.in create mode 100644 templates/show/vpn/ipsec/sa/peer/node.def create mode 100644 templates/show/vpn/ipsec/sa/peer/node.tag/detail/node.def.in create mode 100644 templates/show/vpn/ipsec/sa/peer/node.tag/node.def.in create mode 100644 templates/show/vpn/ipsec/sa/stats/node.def.in create mode 100644 templates/show/vpn/ipsec/sa/stats/node.tag/node.def.in create mode 100644 templates/show/vpn/ipsec/sa/stats/node.tag/tunnel/node.def create mode 100644 templates/show/vpn/ipsec/sa/stats/node.tag/tunnel/node.tag/node.def.in create mode 100644 templates/show/vpn/ipsec/sa/verbose/node.def delete mode 100644 templates/show/vpn/ipsec/stats/node.def.in delete mode 100644 
templates/show/vpn/ipsec/stats/node.tag/node.def.in delete mode 100644 templates/show/vpn/ipsec/stats/node.tag/tunnel/node.def delete mode 100644 templates/show/vpn/ipsec/stats/node.tag/tunnel/node.tag/node.def.in delete mode 100644 templates/show/vpn/ipsec/verbose/node.def diff --git a/templates/show/vpn/ipsec/peer/node.def b/templates/show/vpn/ipsec/peer/node.def deleted file mode 100644 index f77f46e..0000000 --- a/templates/show/vpn/ipsec/peer/node.def +++ /dev/null @@ -1 +0,0 @@ -help: Show all currently active IPSec Security Associations (SA) for a peer diff --git a/templates/show/vpn/ipsec/peer/node.tag/detail/node.def.in b/templates/show/vpn/ipsec/peer/node.tag/detail/node.def.in deleted file mode 100644 index e05a3c4..0000000 --- a/templates/show/vpn/ipsec/peer/node.tag/detail/node.def.in +++ /dev/null @@ -1,3 +0,0 @@ -help: Show detail on all currently active IPSec Security Associations (SA) for a peer -allowed: @SUDOUSRDIR@/vyatta-op-vpn.pl --get-peers-for-cli -run: sudo @SUDOUSRDIR@/vyatta-op-vpn.pl --show-ipsec-sa-peer-detail="$6" diff --git a/templates/show/vpn/ipsec/peer/node.tag/node.def.in b/templates/show/vpn/ipsec/peer/node.tag/node.def.in deleted file mode 100644 index 4b23f44..0000000 --- a/templates/show/vpn/ipsec/peer/node.tag/node.def.in +++ /dev/null @@ -1,3 +0,0 @@ -help: Show all currently active IPSec Security Associations (SA) for a peer -allowed: @SUDOUSRDIR@/vyatta-op-vpn.pl --get-peers-for-cli -run: sudo @SUDOUSRDIR@/vyatta-op-vpn.pl --show-ipsec-sa-peer="$6" diff --git a/templates/show/vpn/ipsec/sa/peer/node.def b/templates/show/vpn/ipsec/sa/peer/node.def new file mode 100644 index 0000000..f77f46e --- /dev/null +++ b/templates/show/vpn/ipsec/sa/peer/node.def @@ -0,0 +1 @@ +help: Show all currently active IPSec Security Associations (SA) for a peer diff --git a/templates/show/vpn/ipsec/sa/peer/node.tag/detail/node.def.in b/templates/show/vpn/ipsec/sa/peer/node.tag/detail/node.def.in new file mode 100644 index 0000000..e05a3c4 
--- /dev/null +++ b/templates/show/vpn/ipsec/sa/peer/node.tag/detail/node.def.in @@ -0,0 +1,3 @@ +help: Show detail on all currently active IPSec Security Associations (SA) for a peer +allowed: @SUDOUSRDIR@/vyatta-op-vpn.pl --get-peers-for-cli +run: sudo @SUDOUSRDIR@/vyatta-op-vpn.pl --show-ipsec-sa-peer-detail="$6" diff --git a/templates/show/vpn/ipsec/sa/peer/node.tag/node.def.in b/templates/show/vpn/ipsec/sa/peer/node.tag/node.def.in new file mode 100644 index 0000000..4b23f44 --- /dev/null +++ b/templates/show/vpn/ipsec/sa/peer/node.tag/node.def.in @@ -0,0 +1,3 @@ +help: Show all currently active IPSec Security Associations (SA) for a peer +allowed: @SUDOUSRDIR@/vyatta-op-vpn.pl --get-peers-for-cli +run: sudo @SUDOUSRDIR@/vyatta-op-vpn.pl --show-ipsec-sa-peer="$6" diff --git a/templates/show/vpn/ipsec/sa/stats/node.def.in b/templates/show/vpn/ipsec/sa/stats/node.def.in new file mode 100644 index 0000000..d1d6ad0 --- /dev/null +++ b/templates/show/vpn/ipsec/sa/stats/node.def.in @@ -0,0 +1,3 @@ +help: Show statistics for alll currently active IPSec Security Associations (SA) +run: @SUDOUSRDIR@/vyatta-op-vpn.pl --show-ipsec-sa-stats + diff --git a/templates/show/vpn/ipsec/sa/stats/node.tag/node.def.in b/templates/show/vpn/ipsec/sa/stats/node.tag/node.def.in new file mode 100644 index 0000000..9426469 --- /dev/null +++ b/templates/show/vpn/ipsec/sa/stats/node.tag/node.def.in @@ -0,0 +1,3 @@ +help: Show Statistics for SAs associated with a specific peer +allowed: @SUDOUSRDIR@/vyatta-op-vpn.pl --get-peers-for-cli +#run: sudo @SUDOUSRDIR@/vyatta-op-vpn.pl --show-ipsec-sa-peer="$6" diff --git a/templates/show/vpn/ipsec/sa/stats/node.tag/tunnel/node.def b/templates/show/vpn/ipsec/sa/stats/node.tag/tunnel/node.def new file mode 100644 index 0000000..0429324 --- /dev/null +++ b/templates/show/vpn/ipsec/sa/stats/node.tag/tunnel/node.def @@ -0,0 +1 @@ +help: Get Stats for a specific tunnel 
diff --git a/templates/show/vpn/ipsec/sa/stats/node.tag/tunnel/node.tag/node.def.in b/templates/show/vpn/ipsec/sa/stats/node.tag/tunnel/node.tag/node.def.in new file mode 100644 index 0000000..92a8572 --- /dev/null +++ b/templates/show/vpn/ipsec/sa/stats/node.tag/tunnel/node.tag/node.def.in @@ -0,0 +1,10 @@ +help: Reset a specific tunnel for given peer + +allowed: @SUDOUSRDIR@/vyatta-vpn-op.pl \ + --op=get-tunnels-for-peer \ + --peer="${COMP_WORDS[COMP_CWORD-2]}" + +run: @SUDOUSRDIR@/vyatta-op-vpn.pl \ + --op=show-ipsec-sa-stats-conn \ + --peer="$6" \ + --tunnel="$8" diff --git a/templates/show/vpn/ipsec/sa/verbose/node.def b/templates/show/vpn/ipsec/sa/verbose/node.def new file mode 100644 index 0000000..fac77a3 --- /dev/null +++ b/templates/show/vpn/ipsec/sa/verbose/node.def @@ -0,0 +1,7 @@ +help: Show Verbose Detail on all active IPsec Security Associations (SA) +run: if pgrep charon >&/dev/null; then + /opt/vyatta/bin/sudo-users/vyatta-op-vpn.pl --show-ipsec-sa-detail + else + echo -e "IPSec Process NOT Running\n" + fi + diff --git a/templates/show/vpn/ipsec/stats/node.def.in b/templates/show/vpn/ipsec/stats/node.def.in deleted file mode 100644 index d1d6ad0..0000000 --- a/templates/show/vpn/ipsec/stats/node.def.in +++ /dev/null @@ -1,3 +0,0 @@ -help: Show statistics for alll currently active IPSec Security Associations (SA) -run: @SUDOUSRDIR@/vyatta-op-vpn.pl --show-ipsec-sa-stats - diff --git a/templates/show/vpn/ipsec/stats/node.tag/node.def.in b/templates/show/vpn/ipsec/stats/node.tag/node.def.in deleted file mode 100644 index 9426469..0000000 --- a/templates/show/vpn/ipsec/stats/node.tag/node.def.in +++ /dev/null @@ -1,3 +0,0 @@ -help: Show Statistics for SAs associated with a specific peer -allowed: @SUDOUSRDIR@/vyatta-op-vpn.pl --get-peers-for-cli -#run: sudo @SUDOUSRDIR@/vyatta-op-vpn.pl --show-ipsec-sa-peer="$6" 
diff --git a/templates/show/vpn/ipsec/stats/node.tag/tunnel/node.def b/templates/show/vpn/ipsec/stats/node.tag/tunnel/node.def deleted file mode 100644 index 0429324..0000000 --- a/templates/show/vpn/ipsec/stats/node.tag/tunnel/node.def +++ /dev/null @@ -1 +0,0 @@ -help: Get Stats for a specific tunnel diff --git a/templates/show/vpn/ipsec/stats/node.tag/tunnel/node.tag/node.def.in b/templates/show/vpn/ipsec/stats/node.tag/tunnel/node.tag/node.def.in deleted file mode 100644 index 92a8572..0000000 --- a/templates/show/vpn/ipsec/stats/node.tag/tunnel/node.tag/node.def.in +++ /dev/null @@ -1,10 +0,0 @@ -help: Reset a specific tunnel for given peer - -allowed: @SUDOUSRDIR@/vyatta-vpn-op.pl \ - --op=get-tunnels-for-peer \ - --peer="${COMP_WORDS[COMP_CWORD-2]}" - -run: @SUDOUSRDIR@/vyatta-op-vpn.pl \ - --op=show-ipsec-sa-stats-conn \ - --peer="$6" \ - --tunnel="$8" diff --git a/templates/show/vpn/ipsec/verbose/node.def b/templates/show/vpn/ipsec/verbose/node.def deleted file mode 100644 index fac77a3..0000000 --- a/templates/show/vpn/ipsec/verbose/node.def +++ /dev/null @@ -1,7 +0,0 @@ -help: Show Verbose Detail on all active IPsec Security Associations (SA) -run: if pgrep charon >&/dev/null; then - /opt/vyatta/bin/sudo-users/vyatta-op-vpn.pl --show-ipsec-sa-detail - else - echo -e "IPSec Process NOT Running\n" - fi - -- cgit v1.2.3 From c322d07f1d1568ff1ea9a7a85efd825e42cba9d1 Mon Sep 17 00:00:00 2001 From: jules-vyos Date: Thu, 27 Jul 2017 18:33:08 +0100 Subject: Formatting of show vpn ike sa modified ... by suggestions from TomJepp --- lib/OPMode.pm | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/lib/OPMode.pm b/lib/OPMode.pm index 438b628..0068e96 100644 --- a/lib/OPMode.pm +++ b/lib/OPMode.pm @@ -1292,8 +1292,8 @@ EOH print "\n Description: $desc\n" if (defined($desc)); print <{_tunnels}})){ (my $tunnum, my $state, my $ver, my $isakmpnum, my $enc, 
@@ -1301,11 +1301,11 @@ EOH $enc = conv_enc($enc); $hash = conv_hash($hash); $natt = conv_natt($natt); - $dhgrp = conv_dh_group($dhgrp); + $dhgrp = conv_dh_group($dhgrp)."(".$dhgrp.")"; my $atime = $life - $expire; $atime = 0 if ($atime == $life); - printf " %-6s %-4s %-8s %-7s %-8s %-6s %-7s %-7s\n", - $state, $ver, $enc, $hash, $dhgrp, $natt, $atime, $life; + printf " %-6s %-6s %-8s %-7s %-14s %-6s %-7s %-7s\n", + $state, "IKEv".$ver, $enc, $hash, $dhgrp, $natt, $atime, $life; } print "\n \n"; } -- cgit v1.2.3 From f6f567b8b168dbe0d4bdb1b08c0f84faa0d362cb Mon Sep 17 00:00:00 2001 From: jules-vyos Date: Sun, 3 Sep 2017 21:25:50 +0100 Subject: Fixes for show vpn ike sa and show vpn ipsec sa Fixed 'show vpn ike sa' to actually show output when the tunnel isn't up. Foxed 'show vpn ipsec sa' to actually use the pretty-printing code, rather than swanctl --list-sas, which is pretty unpleasant. --- lib/OPMode.pm | 16 ++++++++++------ templates/show/vpn/ipsec/sa/node.def | 2 +- 2 files changed, 11 insertions(+), 7 deletions(-) diff --git a/lib/OPMode.pm b/lib/OPMode.pm index 0068e96..38bea1c 100644 --- a/lib/OPMode.pm +++ b/lib/OPMode.pm 
@@ -615,19 +615,21 @@ sub process_tunnels{ $tunnel_hash{$connectid}->{_ikelife} = $ikelife; $tunnel_hash{$connectid}->{_pfsgrp} = $pfs_group; - } elsif ($line =~ /\]:\s+IKE.* SPIs: .* (reauthentication|rekeying) (disabled|in .*)/) { + } elsif ($line =~ /\]:\s+IKE.* SPIs:/) { my $ikever; ($ikever) = $line =~ /IKEv(.*?) SPI/; $tunnel_hash{$connectid}->{_ikever} = $ikever; my $expiry_time; - (undef,$expiry_time) = $line =~ /(reauthentication|rekeying) (.*)/; - $tunnel_hash{$connectid}->{_ikeexpire} = conv_time($expiry_time); + if($line =~ /(reauthentication|rekeying)/) + {(undef,$expiry_time) = $line =~ /(reauthentication|rekeying) (.*)/; + $tunnel_hash{$connectid}->{_ikeexpire} = conv_time($expiry_time); + my $atime = $tunnel_hash{$connectid}->{_ikelife} - $tunnel_hash{$connectid}->{_ikeexpire}; # $atime = $ike_lifetime - $ike_expire if (($ike_lifetime ne 'n/a') && ($ike_expire ne 'n/a')); $tunnel_hash{$connectid}->{_ikestate} = "up" if ($atime >= 0); - + } } elsif ($line =~ /\]:\s+IKE.proposal:(.*?)\/(.*?)\/(.*?)\/(.*)/) { $tunnel_hash{$connectid}->{_ikeencrypt} = $1; $tunnel_hash{$connectid}->{_ikehash} = $2; @@ -1260,7 +1262,7 @@ sub display_ike_sa_brief { my $lip = $th{$connectid}->{_lip}; $peerid = $th{$connectid}->{_rip}; my $tunnel = "$peerid-$lip"; - next if ($th{$connectid}->{_ikestate} eq 'down'); + #next if ($th{$connectid}->{_ikestate} eq 'down'); if (not exists $tunhash{$tunnel}) { $tunhash{$tunnel}={ _configpeer => conv_id_rev($th{$connectid}->{_peerid}), @@ -1304,8 +1306,10 @@ EOH $dhgrp = conv_dh_group($dhgrp)."(".$dhgrp.")"; my $atime = $life - $expire; $atime = 0 if ($atime == $life); + my $ike_out = "N/A"; + $ike_out = "IKEv".$ver if( $ver > 0 ); printf " %-6s %-6s %-8s %-7s %-14s %-6s %-7s %-7s\n", - $state, "IKEv".$ver, $enc, $hash, $dhgrp, $natt, $atime, $life; + $state, $ike_out, $enc, $hash, $dhgrp, $natt, $atime, $life; } print "\n \n"; } 
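Review bot: The new conditional opens its block as `{(undef,$expiry_time) = $line =~ /(reauthentication|rekeying) (.*)/;` — brace on its own line with the first statement glued to it — and matches the same alternation twice, once as the test and once to capture. Fold them into `if (my ($expiry_time) = $line =~ /(?:reauthentication|rekeying) (.*)/) {` and drop the separate `my $expiry_time;`. Note that `(.*)` captures everything to the end of the line, so `conv_time` receives whatever follows the keyword, including the literal `disabled` when rekeying is off. process_tunnels continues outside the hunk.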
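Review bot: `#next if ($th{$connectid}->{_ikestate} eq 'down');` leaves dead code in display_ike_sa_brief; if down IKE SAs are now meant to be listed, delete the line (history keeps the old behaviour) or replace it with the intent, e.g. `# down IKE SAs are listed too so the operator can see which peers are not up`. display_ike_sa_brief continues outside the hunk.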
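Review bot: `$ike_out = "IKEv".$ver if( $ver > 0 );` compares numerically, but `$ver` comes from `_ikever`, which process_tunnels initialises to the string `'n/a'` and may also leave as `''` via its `IKEv(.*?)` capture; both produce an "isn't numeric" warning when warnings are enabled (not visible whether this module enables them) before evaluating false. Test the shape instead: `$ike_out = "IKEv$ver" if $ver =~ /\A\d+\z/ && $ver > 0;`.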
diff --git a/templates/show/vpn/ipsec/sa/node.def b/templates/show/vpn/ipsec/sa/node.def
index 99a5cc1..7f569bd 100644
--- a/templates/show/vpn/ipsec/sa/node.def
+++ b/templates/show/vpn/ipsec/sa/node.def
@@ -1,6 +1,6 @@
 help: Show all active IPsec Security Associations (SA)
 run: if pgrep charon >&/dev/null; then
- sudo /usr/sbin/swanctl --list-sas
+ sudo /opt/vyatta/bin/sudo-users/vyatta-op-vpn.pl --show-ipsec-sa
 else
 echo -e "IPSec Process NOT Running\n"
 fi
-- cgit v1.2.3
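Review bot: `sudo /opt/vyatta/bin/sudo-users/vyatta-op-vpn.pl --show-ipsec-sa` hard-codes the install prefix in a `node.def`, whereas the sibling templates added earlier in this series are `node.def.in` files that use `@SUDOUSRDIR@`; renaming this file to `node.def.in` and writing `sudo @SUDOUSRDIR@/vyatta-op-vpn.pl --show-ipsec-sa` keeps a single source of truth for the sudo-users path. `sa/detail/node.def.in` calls the same `--show-ipsec-sa` option without `sudo`, so after this change the two templates differ only in privilege; confirm which is intended and align them.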