From a9a663c0b42db6563db8ac838d3451ca2e59a59e Mon Sep 17 00:00:00 2001 From: wzur Date: Thu, 31 Mar 2016 14:25:39 +0100 Subject: Explicitly close the IPSECCONF pipe This should avoid problems when `cat` commands finishes, but `sudo` doesn't. --- lib/OPMode.pm | 1 + 1 file changed, 1 insertion(+) (limited to 'lib/OPMode.pm') diff --git a/lib/OPMode.pm b/lib/OPMode.pm index f871533..cea7236 100644 --- a/lib/OPMode.pm +++ b/lib/OPMode.pm @@ -695,6 +695,7 @@ sub get_conns while(<$IPSECCONF>){ push (@ipsecconf, $_); } + close($IPSECCONF); my %th = (); for my $line (@ipsecconf){ next if ($line =~/^\#/); -- cgit v1.2.3 From 1f7528e003d6c1d3c061065fa44773caf74874a9 Mon Sep 17 00:00:00 2001 From: UnicronNL Date: Tue, 10 May 2016 11:18:11 +0200 Subject: Show some tunnel information. --- lib/OPMode.pm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'lib/OPMode.pm') diff --git a/lib/OPMode.pm b/lib/OPMode.pm index cea7236..49bc966 100644 --- a/lib/OPMode.pm +++ b/lib/OPMode.pm @@ -203,9 +203,9 @@ sub process_tunnels{ my %tunnel_hash = (); my %esp_hash = (); foreach my $line (@ipsecstatus) { - if (($line =~ /\"(peer-.*-tunnel-.*?)\"/)){ + if (($line =~ /(peer-.*-tunnel-.*?):/)){ my $connectid = $1; - if (($line =~ /\"(peer-.*-tunnel-.*?)\"(\[\d*\])/)){ + if (($line =~ /(peer-.*-tunnel-.*?):(\[\d*\])/)){ $connectid .= $2; } $connectid =~ /peer-(.*)-tunnel-(.*)/; -- cgit v1.2.3 From 286e4186e7185a49bd1be6bc0f7afe77dfcfcdad Mon Sep 17 00:00:00 2001 
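Review bot: The return value of the added `close($IPSECCONF)` is discarded, so a child that exits non-zero is treated exactly like an empty ipsec.conf and parsing proceeds on whatever partial output was read. Closing a pipe handle is what reaps the child and populates `$?`, which is the point of this change, so the status is available right here; `close($IPSECCONF) or warn "ipsec.conf read failed: ", ($! ? $! : "exit status $?");` would surface it instead of hiding it. The open of `$IPSECCONF` and the rest of get_conns are outside the hunk, so whether the handle is a `sudo cat` pipe as the commit message suggests is inferred, not visible.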
From: "C.J. Collier" Date: Wed, 11 May 2016 05:28:30 +0000 Subject: vyatta-op-vpn (0.15.0+vyos2+current2+nmu1) UNRELEASED; urgency=low * Non-maintainer upload. * address lintian issues - script-not-executable: removed #!/usr/bin/perl from .pm files - debhelper-but-no-misc-depends: added ${misc:Depends} to Depends: field - debian-rules-missing-recommended-target: added build-arch build-indep - out-of-date-standards-version: updated standards version to 3.9.4 - package-contains-linda-override: removed linda override - file-in-unusual-dir: not triggering, removed from override - script-with-language-extension: renamed vyatta-gen-x509-keypair.sh vyatta-gen-x509-keypair * address dpkg-gencontrol issue: - unknown substitution variable ${shlibs:Depends} - removed * address dpkg-source issue: - debian/source/format set to "3.0 (native)" Signed-off-by: C.J. Collier --- .gitignore | 1 + Makefile.am | 8 ++-- configure.ac | 25 ++++++++---- debian/changelog | 20 ++++++++++ debian/conffiles | 1 + debian/control | 6 +-- debian/linda | 1 - debian/lintian | 4 +- debian/rules | 13 +++--- debian/source/format | 1 + lib/OPMode.pm | 1 - lib/vpnprof/OPMode.pm | 1 - scripts/key-pair.template | 46 ++++++++++++++++++++-- scripts/vyatta-gen-x509-keypair.sh | 11 ------ scripts/vyatta-gen-x509-keypair.sh.in | 11 ++++++ .../generate/vpn/x509/key-pair/node.tag/node.def | 2 +- 16 files changed, 111 insertions(+), 41 deletions(-) create mode 100644 debian/conffiles delete mode 100644 debian/linda create mode 100644 debian/source/format delete mode 100755 scripts/vyatta-gen-x509-keypair.sh create mode 100755 scripts/vyatta-gen-x509-keypair.sh.in (limited to 'lib/OPMode.pm') diff --git a/.gitignore b/.gitignore index 4fb5a01..67bea90 100644 --- a/.gitignore +++ b/.gitignore @@ -27,3 +27,4 @@ libtool /Makefile /command_proc_show_vpn +/scripts/vyatta-gen-x509-keypair.sh \ No newline at end of file diff --git a/Makefile.am b/Makefile.am index c4a71ec..f15d7c0 100644 --- a/Makefile.am +++ b/Makefile.am 
@@ -21,10 +21,10 @@ cpiop = find . ! -regex '\(.*~\|.*\.bak\|.*\.swp\|.*\#.*\#\)' -print0 | \ cpio -0pd install-exec-hook: - mkdir -p $(DESTDIR)/opt/vyatta/etc/ - mkdir -p $(DESTDIR)/opt/vyatta/sbin/ - cp scripts/vyatta-gen-x509-keypair.sh $(DESTDIR)/opt/vyatta/sbin - cp scripts/key-pair.template $(DESTDIR)/opt/vyatta/etc + mkdir -p $(DESTDIR)${sysconfdir} + mkdir -p $(DESTDIR)${sbindir} + cp scripts/vyatta-gen-x509-keypair.sh $(DESTDIR)${sbindir}/vyatta-gen-x509-keypair + cp scripts/key-pair.template $(DESTDIR)${sysconfdir} mkdir -p $(DESTDIR)$(opdir) cd templates; $(cpiop) $(DESTDIR)$(opdir) diff --git a/configure.ac b/configure.ac index 2d5ef35..3d9a504 100644 --- a/configure.ac +++ b/configure.ac @@ -1,6 +1,8 @@ # Process this file with autoconf to produce a configure script. AC_PREREQ(2.59) +m4_define([DEFAULT_PREFIX], "/opt/vyatta") + m4_define([VERSION_ID], [m4_esyscmd([ if test -f .version ; then head -n 1 .version | tr -d \\n @@ -14,10 +16,13 @@ test -n "$VYATTA_VERSION" || VYATTA_VERSION=$PACKAGE_VERSION AC_CONFIG_MACRO_DIR([m4]) AC_CONFIG_AUX_DIR([config]) AM_INIT_AUTOMAKE([gnu no-dist-gzip dist-bzip2 subdir-objects]) -AC_PREFIX_DEFAULT([/opt/vyatta]) - -XSLDIR=/opt/vyatta/share/xsl/ +AC_PREFIX_DEFAULT(DEFAULT_PREFIX) +if test "$prefix" = "NONE" ; then + XSLDIR="DEFAULT_PREFIX/share/xsl/" +else + XSLDIR="$prefix/share/xsl/" +fi AC_PROG_CC AC_PROG_CXX @@ -27,17 +32,21 @@ AC_PROG_LIBTOOL AC_PROG_LEX AC_PROG_YACC - AC_ARG_ENABLE([nostrip], AC_HELP_STRING([--enable-nostrip], [include -nostrip option during packaging]), [NOSTRIP=-nostrip], [NOSTRIP=]) -AC_CONFIG_FILES( - [Makefile]) - AC_SUBST(NOSTRIP) AC_SUBST(XSLDIR) -AC_OUTPUT +AC_OUTPUT([ + Makefile + scripts/vyatta-gen-x509-keypair.sh +]) + +echo "prefix: ${prefix}" +echo "sysconfdir: ${sysconfdir}" +echo "datarootdir: ${datarootdir}" +echo "XSLDIR: ${XSLDIR}" diff --git a/debian/changelog b/debian/changelog index fb88360..c7cd4d1 100644 --- a/debian/changelog +++ b/debian/changelog 
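Review bot: `m4_define([DEFAULT_PREFIX], "/opt/vyatta")` in the first configure.ac hunk makes the double quotes part of the macro's value, so `AC_PREFIX_DEFAULT(DEFAULT_PREFIX)` and `XSLDIR="DEFAULT_PREFIX/share/xsl/"` expand to shell text with embedded quotes and only work because the shell happens to strip them. m4 quoting uses brackets, `m4_define([DEFAULT_PREFIX], [/opt/vyatta])`, which is also what the neighbouring VERSION_ID definition does. In the third hunk, dropping `AC_CONFIG_FILES` in favour of the argument form of `AC_OUTPUT` goes the wrong way (keep `AC_CONFIG_FILES([Makefile scripts/vyatta-gen-x509-keypair.sh])` and a bare `AC_OUTPUT`), and the four trailing `echo` lines read like leftover debugging output that every configure run will now print.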
@@ -1,3 +1,23 @@ +vyatta-op-vpn (0.15.0+vyos2+current2+nmu1) UNRELEASED; urgency=low + + * Non-maintainer upload. + * address lintian issues + - script-not-executable: removed #!/usr/bin/perl from .pm files + - debhelper-but-no-misc-depends: added ${misc:Depends} to Depends: field + - debian-rules-missing-recommended-target: added build-arch build-indep + - out-of-date-standards-version: updated standards version to 3.9.4 + - package-contains-linda-override: removed linda override + - file-in-unusual-dir: not triggering, removed from override + - script-with-language-extension: renamed vyatta-gen-x509-keypair.sh + vyatta-gen-x509-keypair + * address dpkg-gencontrol issue: + - unknown substitution variable ${shlibs:Depends} - removed + * address dpkg-source issue: + - debian/source/format set to "3.0 (native)" + + + -- C.J. Collier Wed, 11 May 2016 02:33:38 +0000 + vyatta-op-vpn (0.15.0+vyos2+current2) unstable; urgency=low * Remove vyatta-ipsec dependency for migration to upstream strongswan. diff --git a/debian/conffiles b/debian/conffiles new file mode 100644 index 0000000..8b13789 --- /dev/null +++ b/debian/conffiles @@ -0,0 +1 @@ + diff --git a/debian/control b/debian/control index aeb9c65..c3f2ec0 100644 --- a/debian/control +++ b/debian/control @@ -3,7 +3,7 @@ Section: contrib/net Priority: extra Maintainer: VyOS Package Maintainers Build-Depends: debhelper (>= 5), autotools-dev, automake, autoconf, cpio, libtool -Standards-Version: 3.9.1 +Standards-Version: 3.9.4 Package: vyatta-op-vpn Architecture: all @@ -11,11 +11,11 @@ Depends: vyatta-op, vyatta-bash | bash (>= 3.1), vyatta-cfg-vpn, strongswan (>= 5.2), - ${shlibs:Depends} + ${misc:Depends} Suggests: util-linux (>= 2.13-5), net-tools, ethtool, ncurses-bin (>= 5.5-5), ntpdate Description: VyOS operational commands for IPsec VPN - VyOS commands fpr IPsec VPN operations. + VyOS commands for IPsec VPN operations. diff --git a/debian/linda b/debian/linda deleted file mode 100644 index 0381d9d..0000000 
--- a/debian/linda +++ /dev/null @@ -1 +0,0 @@ -Tag: file-in-opt diff --git a/debian/lintian b/debian/lintian index a5d78e0..7a94f59 100644 --- a/debian/lintian +++ b/debian/lintian @@ -1,2 +1,2 @@ -vyatta-op-vpn: file-in-unusual-dir -vyatta-op-vpn: dir-or-file-in-opt +# It's a hassle to move it out of /opt. I'll get to it later +#vyatta-op-vpn binary: dir-or-file-in-opt diff --git a/debian/rules b/debian/rules index 4b68fde..67f4ee5 100755 --- a/debian/rules +++ b/debian/rules @@ -22,7 +22,8 @@ CFLAGS = -Wall -g configure = ./configure configure += --host=$(DEB_HOST_GNU_TYPE) configure += --build=$(DEB_BUILD_GNU_TYPE) -configure += --prefix=/opt/vyatta +configure += --prefix=/usr +configure += --sysconfdir=/etc configure += --mandir=\$${prefix}/share/man configure += --infodir=\$${prefix}/share/info configure += CFLAGS="$(CFLAGS)" @@ -43,9 +44,10 @@ config.status: configure rm -f config.cache $(configure) -build: build-stamp - -build-stamp: config.status +build: build-arch build-indep +build-arch: build-stamp +build-indep: build-stamp +build-stamp: config.status dh_testdir $(MAKE) touch $@ @@ -68,13 +70,12 @@ clean-patched: install: build dh_testdir dh_testroot - dh_clean -k + dh_prep dh_installdirs $(MAKE) DESTDIR=$(PKGDIR) install install -D --mode=0644 debian/lintian $(PKGDIR)/usr/share/lintian/overrides/$(PACKAGE) - install -D --mode=0644 debian/linda $(PKGDIR)/usr/share/linda/overrides/$(PACKAGE) # Build architecture-independent files here. binary-indep: build install diff --git a/debian/source/format b/debian/source/format new file mode 100644 index 0000000..9f67427 --- /dev/null +++ b/debian/source/format @@ -0,0 +1 @@ +3.0 (native) \ No newline at end of file diff --git a/lib/OPMode.pm b/lib/OPMode.pm index 49bc966..fa51c66 100644 --- a/lib/OPMode.pm +++ b/lib/OPMode.pm @@ -1,4 +1,3 @@ -#!/usr/bin/perl # # Module Vyatta::VPN::OpMode.pm # diff --git a/lib/vpnprof/OPMode.pm b/lib/vpnprof/OPMode.pm index 99c6268..05e1f00 100644 --- a/lib/vpnprof/OPMode.pm 
+++ b/lib/vpnprof/OPMode.pm @@ -1,4 +1,3 @@ -#!/usr/bin/perl # # Module Vyatta::vpnprof::OpMode.pm # diff --git a/scripts/key-pair.template b/scripts/key-pair.template index 5b5b2a6..bbf5eb9 100644 --- a/scripts/key-pair.template +++ b/scripts/key-pair.template @@ -1,10 +1,15 @@ [ req ] - default_bits = 1024 + default_bits = 2048 default_keyfile = privkey.pem distinguished_name = req_distinguished_name + string_mask = utf8only attributes = req_attributes + dirstring_type = nobmp +# SHA-1 is deprecated, so use SHA-2 instead. + default_md = sha256 +# Extension to add when the -x509 option is used. x509_extensions = v3_ca - dirstring_type = nobmp + [ req_distinguished_name ] countryName = Country Name (2 letter code) countryName_min = 2 
@@ -24,4 +29,39 @@ [ v3_ca ] subjectKeyIdentifier=hash authorityKeyIdentifier=keyid:always,issuer:always - basicConstraints = CA:true + basicConstraints = critical, CA:true + keyUsage = critical, digitalSignature, cRLSign, keyCertSign +[ v3_intermediate_ca ] +# Extensions for a typical intermediate CA (`man x509v3_config`). + subjectKeyIdentifier = hash + authorityKeyIdentifier = keyid:always,issuer + basicConstraints = critical, CA:true, pathlen:0 + keyUsage = critical, digitalSignature, cRLSign, keyCertSign +[ usr_cert ] +# Extensions for client certificates (`man x509v3_config`). + basicConstraints = CA:FALSE + nsCertType = client, email + nsComment = "OpenSSL Generated Client Certificate" + subjectKeyIdentifier = hash + authorityKeyIdentifier = keyid,issuer + keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment + extendedKeyUsage = clientAuth, emailProtection +[ server_cert ] +# Extensions for server certificates (`man x509v3_config`). + basicConstraints = CA:FALSE + nsCertType = server + nsComment = "OpenSSL Generated Server Certificate" + subjectKeyIdentifier = hash + authorityKeyIdentifier = keyid,issuer:always + keyUsage = critical, digitalSignature, keyEncipherment + extendedKeyUsage = serverAuth +[ crl_ext ] +# Extension for CRLs (`man x509v3_config`). + authorityKeyIdentifier=keyid:always +[ ocsp ] +# Extension for OCSP signing certificates (`man ocsp`). + basicConstraints = CA:FALSE + subjectKeyIdentifier = hash + authorityKeyIdentifier = keyid,issuer + keyUsage = critical, digitalSignature + extendedKeyUsage = critical, OCSPSigning \ No newline at end of file diff --git a/scripts/vyatta-gen-x509-keypair.sh b/scripts/vyatta-gen-x509-keypair.sh deleted file mode 100755 index 5a66d0a..0000000 --- a/scripts/vyatta-gen-x509-keypair.sh +++ /dev/null 
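Review bot: The five sections added here (`v3_intermediate_ca`, `usr_cert`, `server_cert`, `crl_ext`, `ocsp`) are not referenced from `[ req ]`, which still names only `x509_extensions = v3_ca`, and the only consumer visible in this commit runs `openssl req -new` without `-x509` or `-extensions`, so none of these extensions, including the tightened `basicConstraints`/`keyUsage` on `v3_ca`, reach the generated CSR. If the CSR is meant to carry extensions, `[ req ]` needs a `req_extensions = <section>` line; otherwise a comment at the top of the new block stating that these sections are only consumed by `openssl x509 -extensions <name>` / `openssl ca` and not by the key-pair script would stop the next reader from assuming they apply. The file also now ends without a trailing newline.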
@@ -1,11 +0,0 @@ -#!/bin/bash -CN=$1 -genkeypair (){ - openssl req -new -nodes -keyout /config/auth/$CN.key -out /config/auth/$CN.csr -config /opt/vyatta/etc/key-pair.template -} -if [ -f /config/auth/$CN.csr ]; then - read -p "A certificate request named $CN.csr already exists. Overwrite (y/n)?" - [[ $REPLY != y && $REPLY != Y ]] || genkeypair -else - genkeypair -fi diff --git a/scripts/vyatta-gen-x509-keypair.sh.in b/scripts/vyatta-gen-x509-keypair.sh.in new file mode 100755 index 0000000..194ac4f --- /dev/null +++ b/scripts/vyatta-gen-x509-keypair.sh.in @@ -0,0 +1,11 @@ +#!/bin/bash +CN=$1 +genkeypair (){ + openssl req -new -nodes -keyout /config/auth/$CN.key -out /config/auth/$CN.csr -config @sysconfdir@/key-pair.template +} +if [ -f /config/auth/$CN.csr ]; then + read -p "A certificate request named $CN.csr already exists. Overwrite (y/n)?" + [[ $REPLY != y && $REPLY != Y ]] || genkeypair +else + genkeypair +fi diff --git a/templates/generate/vpn/x509/key-pair/node.tag/node.def b/templates/generate/vpn/x509/key-pair/node.tag/node.def index 9882df8..dc21935 100644 --- a/templates/generate/vpn/x509/key-pair/node.tag/node.def +++ b/templates/generate/vpn/x509/key-pair/node.tag/node.def @@ -1,4 +1,4 @@ help: Generate x509 key-pair run: - sudo /opt/vyatta/sbin/vyatta-gen-x509-keypair.sh $5 + sudo /opt/vyatta/sbin/vyatta-gen-x509-keypair $5 allowed: echo -n '' -- cgit v1.2.3 From 12b2b88d03ce3527a46abc3c1e5cf9e8b8cd5238 Mon Sep 17 00:00:00 2001 
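Review bot: `CN=$1` is used unquoted and unvalidated to build `/config/auth/$CN.key` and `/config/auth/$CN.csr`, so a name containing whitespace, `/` or `..` is split into several arguments or resolves outside `/config/auth`; since this script is run via `sudo` from the `generate vpn x509 key-pair` node, the check belongs here rather than in the caller. A guard after the assignment such as `[[ $CN =~ ^[A-Za-z0-9._-]+$ ]] || { echo "invalid key-pair name: $CN" >&2; exit 1; }` plus double quotes around every `$CN` expansion is sufficient. Separately, configure substitutes `@sysconfdir@` as the unexpanded string `${prefix}/etc` unless `--sysconfdir` is passed explicitly; debian/rules does pass `--sysconfdir=/etc`, but a plain `./configure` would leave bash expanding `${prefix}` at run time, so either a fully evaluated path should be substituted or that requirement documented next to the `@sysconfdir@` use.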
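Review bot: The template still invokes `sudo /opt/vyatta/sbin/vyatta-gen-x509-keypair $5`, but this same commit switches debian/rules to `--prefix=/usr` while Makefile.am now installs the script to `$(DESTDIR)${sbindir}/vyatta-gen-x509-keypair`, which under that prefix is `/usr/sbin`, so the command would not be found on the packaged system unless `sbindir` is overridden somewhere not shown here. Either pass `--sbindir=/opt/vyatta/sbin` in debian/rules or have this path follow the install location, e.g. by generating node.def from a `.in` file with `@sbindir@` the way the script itself is. `$5` is also unquoted; `"$5"` keeps a name with spaces as a single argument.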
From: Jeff Leung Date: Wed, 28 Jan 2015 08:26:51 +0000 Subject: Update pluto.pid references to charon.pid Since pluto doesn't exist anymore in strongSwan 5.0 and later series, we are updating references from pluto* to charon*. --- lib/OPMode.pm | 2 +- scripts/vyatta-show-ipsec-status.pl | 2 +- templates/restart/vpn/node.def | 2 +- templates/show/vpn/debug/detail/node.def | 2 +- templates/show/vpn/debug/node.def | 2 +- templates/show/vpn/debug/peer/node.tag/node.def | 2 +- templates/show/vpn/debug/peer/node.tag/tunnel/node.tag/node.def | 2 +- templates/show/vpn/ipsec/status/node.def | 2 +- 8 files changed, 8 insertions(+), 8 deletions(-) (limited to 'lib/OPMode.pm') diff --git a/lib/OPMode.pm b/lib/OPMode.pm index 49bc966..7502788 100644 --- a/lib/OPMode.pm +++ b/lib/OPMode.pm @@ -870,7 +870,7 @@ sub show_ipsec_sa_natt display_ipsec_sa_brief(\%tmphash); } sub show_ike_status{ - my $process_id = `sudo cat /var/run/pluto.pid`; + my $process_id = `sudo cat /var/run/charon.pid`; chomp $process_id; print </dev/null | grep 'newest IPsec SA: #' | grep -v 'newest IPsec SA: #0' | wc -l`; chomp $process_id; chomp $active_tunnels; diff --git a/templates/restart/vpn/node.def b/templates/restart/vpn/node.def index 7cb9387..6d0f50c 100644 --- a/templates/restart/vpn/node.def +++ b/templates/restart/vpn/node.def @@ -1,7 +1,7 @@ help: Restart IPsec VPN run: if [ -n "$(cli-shell-api returnActiveValues \ vpn ipsec ipsec-interfaces interface)" ]; then - if pgrep pluto > /dev/null + if pgrep charon > /dev/null then /opt/vyatta/bin/sudo-users/vyatta-vpn-op.pl --op=clear-vpn-ipsec-process else diff --git a/templates/show/vpn/debug/detail/node.def b/templates/show/vpn/debug/detail/node.def index ee3604d..0f88f1e 100644 --- a/templates/show/vpn/debug/detail/node.def +++ b/templates/show/vpn/debug/detail/node.def 
@@ -1,7 +1,7 @@ help: Show detailed VPN debugging information run: if [ -n "$(cli-shell-api returnActiveValues \ vpn ipsec ipsec-interfaces interface)" ]; then - if pgrep pluto > /dev/null + if pgrep charon > /dev/null then /opt/vyatta/bin/sudo-users/vyatta-vpn-op.pl --op=show-vpn-debug-detail else diff --git a/templates/show/vpn/debug/node.def b/templates/show/vpn/debug/node.def index 7a33888..281228a 100644 --- a/templates/show/vpn/debug/node.def +++ b/templates/show/vpn/debug/node.def @@ -1,7 +1,7 @@ help: Show VPN debugging information run: if [ -n "$(cli-shell-api returnActiveValues \ vpn ipsec ipsec-interfaces interface)" ]; then - if pgrep pluto > /dev/null + if pgrep charon > /dev/null then /opt/vyatta/bin/sudo-users/vyatta-vpn-op.pl --op=show-vpn-debug else diff --git a/templates/show/vpn/debug/peer/node.tag/node.def b/templates/show/vpn/debug/peer/node.tag/node.def index a27063a..a3a9573 100644 --- a/templates/show/vpn/debug/peer/node.tag/node.def +++ b/templates/show/vpn/debug/peer/node.tag/node.def @@ -2,7 +2,7 @@ help: Show debugging information for a peer allowed: /opt/vyatta/bin/sudo-users/vyatta-op-vpn.pl --get-peers-for-cli run: if [ -n "$(cli-shell-api returnActiveValues \ vpn ipsec ipsec-interfaces interface)" ]; then - if pgrep pluto > /dev/null + if pgrep charon > /dev/null then /opt/vyatta/bin/sudo-users/vyatta-vpn-op.pl --op=show-vpn-debug | grep peer-$5 else diff --git a/templates/show/vpn/debug/peer/node.tag/tunnel/node.tag/node.def b/templates/show/vpn/debug/peer/node.tag/tunnel/node.tag/node.def index c141ac0..3c96973 100644 --- a/templates/show/vpn/debug/peer/node.tag/tunnel/node.tag/node.def +++ b/templates/show/vpn/debug/peer/node.tag/tunnel/node.tag/node.def 
@@ -2,7 +2,7 @@ help: Show debugging information for a peer's tunnel allowed: /opt/vyatta/bin/sudo-users/vyatta-op-vpn.pl --get-conn-for-cli=${COMP_WORDS[4]} run: if [ -n "$(cli-shell-api returnActiveValues \ vpn ipsec ipsec-interfaces interface)" ]; then - if pgrep pluto > /dev/null + if pgrep charon > /dev/null then /opt/vyatta/bin/sudo-users/vyatta-vpn-op.pl --op=show-vpn-debug | grep "peer-$5-tunnel-$7" else diff --git a/templates/show/vpn/ipsec/status/node.def b/templates/show/vpn/ipsec/status/node.def index bf4ebf7..3c48c60 100644 --- a/templates/show/vpn/ipsec/status/node.def +++ b/templates/show/vpn/ipsec/status/node.def @@ -1,5 +1,5 @@ help: Show status of IPsec process -run: if pgrep pluto >&/dev/null; then +run: if pgrep charon >&/dev/null; then /opt/vyatta/bin/sudo-users/vyatta-show-ipsec-status.pl else echo -e "IPSec Process NOT Running\n" -- cgit v1.2.3 From 46c10df71f00f215d6aaa15a3b00e946679a0328 Mon Sep 17 00:00:00 2001 From: jules-vyos Date: Mon, 3 Jul 2017 15:01:31 +0100 Subject: Fix for T303 - 'show vpn ike status per warning: Using a hash as a reference is deprecated' Newer version of perl doesn't like %hash->{item} syntax. Prefers $hash{item} instead. --- lib/OPMode.pm | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) (limited to 'lib/OPMode.pm') diff --git a/lib/OPMode.pm b/lib/OPMode.pm index ed57ea2..e304b2f 100644 --- a/lib/OPMode.pm +++ b/lib/OPMode.pm @@ -837,8 +837,8 @@ sub get_connection_status (my $peerid, my $tun) = @_; my %th = get_tunnel_info_peer($peerid); for my $peer ( keys %th ) { - if (%{$th{$peer}}->{_tunnelnum} eq $tun){ - return %{$th{$peer}}->{_state}; + if (${$th{$peer}}{_tunnelnum} eq $tun){ + return ${$th{$peer}}{_state}; } } } 
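Review bot: get_connection_status still falls off the end of the `for` loop when no entry in `%th` has `_tunnelnum` equal to `$tun`, so callers receive whatever the loop statement evaluates to rather than a deliberate value; add `return;` after the loop. The rewritten dereferences are correct, but `$th{$peer}{_tunnelnum}` and `$th{$peer}{_state}` are the plainer spelling of `${$th{$peer}}{...}` and match the `$tunnel_hash{$connectid}->{...}` form used elsewhere in this file. The sub's signature is outside the hunk.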
@@ -847,10 +847,10 @@ sub get_peer_ike_status my ($peerid) = @_; my %th = get_tunnel_info_peer($peerid); for my $peer ( keys %th ) { - if (%{$th{$peer}}->{_ikestate} eq 'up'){ + if (${$th{$peer}}{_ikestate} eq 'up'){ return 'up'; } - if (%{$th{$peer}}->{_ikestate} eq 'init'){ + if (${$th{$peer}}{_ikestate} eq 'init'){ return 'init'; } } @@ -862,7 +862,7 @@ sub show_ipsec_sa_natt my %tunnel_hash = get_tunnel_info(); my %tmphash = (); for my $peer ( keys %tunnel_hash ) { - if (%{$tunnel_hash{$peer}}->{_natt} == 1 ){ + if (${$tunnel_hash{$peer}>{_natt} == 1 ){ $tmphash{$peer} = \%{$tunnel_hash{$peer}}; } } @@ -905,7 +905,7 @@ sub show_ike_sa_natt my %tunnel_hash = get_tunnel_info(); my %tmphash = (); for my $peer ( keys %tunnel_hash ) { - if (%{$tunnel_hash{$peer}}->{_natt} == 1 ){ + if (${$tunnel_hash{$peer}}{_natt} == 1 ){ $tmphash{$peer} = \%{$tunnel_hash{$peer}}; } } -- cgit v1.2.3 From 367f00fe224ba76a43fb5ddebfcb0e0052a09075 Mon Sep 17 00:00:00 2001 From: jules-vyos Date: Wed, 5 Jul 2017 09:31:45 +0100 Subject: T303 - Re-fix - broke that the first time Typo, sadly. Resolved this time. --- lib/OPMode.pm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lib/OPMode.pm') diff --git a/lib/OPMode.pm b/lib/OPMode.pm index e304b2f..9e7bd60 100644 --- a/lib/OPMode.pm +++ b/lib/OPMode.pm @@ -862,7 +862,7 @@ sub show_ipsec_sa_natt my %tunnel_hash = get_tunnel_info(); my %tmphash = (); for my $peer ( keys %tunnel_hash ) { - if (${$tunnel_hash{$peer}>{_natt} == 1 ){ + if (${$tunnel_hash{$peer}}{_natt} == 1 ){ $tmphash{$peer} = \%{$tunnel_hash{$peer}}; } } -- cgit v1.2.3 From 4aba0c7e26b5336122e88ab2bba01c1c6066600e Mon Sep 17 00:00:00 2001 
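Review bot: `${$tunnel_hash{$peer}}{_natt} == 1` in show_ipsec_sa_natt compares numerically against a field that process_tunnels initialises to the string `'n/a'` (visible as the `_natt => 'n/a',` context line in a later commit), so every tunnel whose NAT-T state was never parsed emits an "isn't numeric" warning if the module enables warnings; show_ike_sa_natt below has the same comparison. Testing the placeholder first, `next if $tunnel_hash{$peer}{_natt} eq 'n/a';` before the `== 1`, keeps the selection identical and silences the warning; what value the parser actually stores for a NAT-T tunnel is outside the hunk, so `eq '1'` may or may not be an exact substitute.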
From: jules-vyos Date: Thu, 27 Jul 2017 13:33:50 +0100 Subject: Fix various bits for newer StrongSwan support Largely revamped process_tunnels Make IKE tunnels information work again. Added initial support for IKEv2 status. --- lib/OPMode.pm | 71 ++++++++++++++++++++++++++++++++++++++++++++++------------- 1 file changed, 56 insertions(+), 15 deletions(-) (limited to 'lib/OPMode.pm') diff --git a/lib/OPMode.pm b/lib/OPMode.pm index 9e7bd60..438b628 100644 --- a/lib/OPMode.pm +++ b/lib/OPMode.pm @@ -201,12 +201,10 @@ sub process_tunnels{ my @ipsecstatus = @{pop(@_)}; my %tunnel_hash = (); my %esp_hash = (); + my %lip_lookup = (); foreach my $line (@ipsecstatus) { - if (($line =~ /(peer-.*-tunnel-.*?):/)){ + if (($line =~ /(peer-.*-tunnel-.*?):/ && !($line =~ /[\[\{]/))){ my $connectid = $1; - if (($line =~ /(peer-.*-tunnel-.*?):(\[\d*\])/)){ - $connectid .= $2; - } $connectid =~ /peer-(.*)-tunnel-(.*)/; my $peer = $1; my $tunid = $2; @@ -234,6 +232,7 @@ sub process_tunnels{ _inspi => 'n/a', _outspi => 'n/a', _pfsgrp => 'n/a', + _ikever => 'n/a', _ikeencrypt => 'n/a', _ikehash => 'n/a', _natt => 'n/a', 
@@ -249,6 +248,35 @@ sub process_tunnels{ _lifetime => 'n/a', _expire => 'n/a' }; } + # Disgusting hack - rip not mentioned on any line on a second tunnel to a peer - so borrow it from the first one + if($tunid >1) + { + $tunnel_hash{$connectid}->{_lip} = conv_ip($lip_lookup{$peer}); + } + # A line like: 'peer-192.168.3.21-tunnel-1: %any...192.168.3.21 IKEv2' + if ($line =~ /\s+(.*?)\.\.\.(.*?) IKEv(.*?)/ ) + { + my $lip = $1; + my $rip = $2; + my $ikever = $3; + $tunnel_hash{$connectid}->{_lip} = conv_ip($lip); + $tunnel_hash{$connectid}->{_rip} = conv_ip($rip); + $tunnel_hash{$connectid}->{_ikever} = $ikever; + if($tunid == 1) + { + $lip_lookup{$peer} = conv_ip($lip); + } + } + # A line like: 'peer-192.168.3.21-tunnel-1: child: 192.168.1.0/24 === 192.168.0.0/24 TUNNEL' + elsif ($line =~ /child:\s+(.*?) === (.*?) TUNNEL/) + { + my $lsnet = $1; + my $rsnet = $2; + $tunnel_hash{$connectid}->{_lsnet} = $lsnet; + $tunnel_hash{$connectid}->{_rsnet} = $rsnet; + } + + # OLD CODE! $line =~ s/---.*\.\.\./.../g; # remove the next hop router for local-ip 0.0.0.0 case if ($line =~ /IKE.proposal:(.*?)\/(.*?)\/(.*)/){ $tunnel_hash{$connectid}->{_ikeencrypt} = $1; 
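Review bot: `my $ikever = $3;` in the `\.\.\.(.*?) IKEv(.*?)` branch is always the empty string, because a non-greedy `(.*?)` at the very end of a pattern matches zero characters, so `_ikever` is overwritten with `''` for every tunnel that hits this line (the `IKE SPIs` branch later repairs it only for tunnels with an established IKE SA). Use `IKEv(\d+)`, or at least `IKEv(\S+)`, for the third capture. The `$tunid >1` branch also reads `$lip_lookup{$peer}` without checking it was populated, so if tunnel 1 of a peer does not precede tunnel 2 in the status output `conv_ip` is called with undef; `if ($tunid > 1 && exists $lip_lookup{$peer})` would make the assumption in the comment explicit. process_tunnels starts and ends outside the hunk.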
@@ -587,11 +615,16 @@ sub process_tunnels{ $tunnel_hash{$connectid}->{_ikelife} = $ikelife; $tunnel_hash{$connectid}->{_pfsgrp} = $pfs_group; - } elsif ($line =~ /\]:\s+IKE SPIs: .* (reauthentication|rekeying) (disabled|in .*)/) { - $tunnel_hash{$connectid}->{_ikeexpire} = conv_time($2); + } elsif ($line =~ /\]:\s+IKE.* SPIs: .* (reauthentication|rekeying) (disabled|in .*)/) { + my $ikever; + ($ikever) = $line =~ /IKEv(.*?) SPI/; + $tunnel_hash{$connectid}->{_ikever} = $ikever; + my $expiry_time; + (undef,$expiry_time) = $line =~ /(reauthentication|rekeying) (.*)/; + $tunnel_hash{$connectid}->{_ikeexpire} = conv_time($expiry_time); - my ($atime, $ike_lifetime, $ike_expire) = (-1, $tunnel_hash{$connectid}->{_ikelife}, $tunnel_hash{$connectid}->{_ikeexpire}); - $atime = $ike_lifetime - $ike_expire if (($ike_lifetime ne 'n/a') && ($ike_expire ne 'n/a')); + my $atime = $tunnel_hash{$connectid}->{_ikelife} - $tunnel_hash{$connectid}->{_ikeexpire}; +# $atime = $ike_lifetime - $ike_expire if (($ike_lifetime ne 'n/a') && ($ike_expire ne 'n/a')); $tunnel_hash{$connectid}->{_ikestate} = "up" if ($atime >= 0); @@ -869,7 +902,12 @@ sub show_ipsec_sa_natt display_ipsec_sa_brief(\%tmphash); } sub show_ike_status{ - my $process_id = `sudo cat /var/run/charon.pid`; + my $pidfile = '/var/run/charon.pid'; + if (! -e $pidfile) { + print "IKE process is not running\n"; + exit(1); + } + my $process_id = `sudo cat $pidfile`; chomp $process_id; print <setLevel('vpn ipsec site-to-site'); for my $connectid (keys %th){ - $peerid = conv_ip($th{$connectid}->{_rip}); + $peerid = conv_ip($th{$connectid}->{_peerid}); my $lip = conv_ip($th{$connectid}->{_lip}); my $tunnel = "$peerid-$lip"; my $peer_configured = conv_id_rev($th{$connectid}->{_peerid}); @@ -1027,6 +1065,7 @@ EOH my $atime = $life - $expire; $atime = 0 if ($atime == $life); printf " %-7s %-6s %-14s %-8s %-7s %-6s %-7s %-7s %-2s\n", + $tunnum, $state, $bytesp, $enc, $hash, $natt, $atime, $life, $proto; } 
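Review bot: Replacing the guarded `$atime` computation with a bare `$tunnel_hash{$connectid}->{_ikelife} - $tunnel_hash{$connectid}->{_ikeexpire}` drops the `ne 'n/a'` checks that the removed line performed, and the hash is initialised with `'n/a'` placeholders; when either field is still unset the subtraction yields 0 (with a warning if warnings are enabled), `$atime >= 0` holds, and the tunnel is reported `up` on the strength of an unparsed lifetime. Keep the guard instead of commenting it out: `my ($ikelife, $ikeexpire) = @{$tunnel_hash{$connectid}}{qw(_ikelife _ikeexpire)};` `my $atime = -1;` `$atime = $ikelife - $ikeexpire if $ikelife ne 'n/a' && $ikeexpire ne 'n/a';`. The same unguarded line survives into the later hunk that rewrites this `elsif` (the one starting `\]:\s+IKE.* SPIs:`). process_tunnels starts and ends outside the hunk.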
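Review bot: The new `-e $pidfile` test in show_ike_status only proves that `/var/run/charon.pid` exists, not that charon is running, so a stale pid file left behind by a crash still prints a PID as if the daemon were up; the templates in this series already decide with `pgrep charon`, and `-d "/proc/$process_id"` after the `chomp` would be a cheap, consistent check here. Calling `exit(1)` from a sub inside a library module also terminates whatever op-mode script called it; returning a status or using `die` and letting the caller decide is the usual division. The rest of the sub, including the heredoc, is outside the hunk.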
@@ -1224,12 +1263,14 @@ sub display_ike_sa_brief { next if ($th{$connectid}->{_ikestate} eq 'down'); if (not exists $tunhash{$tunnel}) { $tunhash{$tunnel}={ + _configpeer => conv_id_rev($th{$connectid}->{_peerid}), _configpeer => conv_id_rev($th{$connectid}->{_peerid}), _tunnels => [] }; } my @tmp = ( $th{$connectid}->{_tunnelnum}, $th{$connectid}->{_ikestate}, + $th{$connectid}->{_ikever}, $th{$connectid}->{_newestike}, $th{$connectid}->{_ikeencrypt}, $th{$connectid}->{_ikehash}, @@ -1251,11 +1292,11 @@ EOH print "\n Description: $desc\n" if (defined($desc)); print <{_tunnels}})){ - (my $tunnum, my $state, my $isakmpnum, my $enc, + (my $tunnum, my $state, my $ver, my $isakmpnum, my $enc, my $hash, my $dhgrp, my $natt, my $life, my $expire) = @{$tunnel}; $enc = conv_enc($enc); $hash = conv_hash($hash); @@ -1263,8 +1304,8 @@ EOH $dhgrp = conv_dh_group($dhgrp); my $atime = $life - $expire; $atime = 0 if ($atime == $life); - printf " %-6s %-8s %-7s %-8s %-6s %-7s %-7s\n", - $state, $enc, $hash, $dhgrp, $natt, $atime, $life; + printf " %-6s %-4s %-8s %-7s %-8s %-6s %-7s %-7s\n", + $state, $ver, $enc, $hash, $dhgrp, $natt, $atime, $life; } print "\n \n"; } -- cgit v1.2.3 From c322d07f1d1568ff1ea9a7a85efd825e42cba9d1 Mon Sep 17 00:00:00 2001 From: jules-vyos Date: Thu, 27 Jul 2017 18:33:08 +0100 Subject: Formatting of show vpn ike sa modified ... by suggestions from TomJepp --- lib/OPMode.pm | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'lib/OPMode.pm') diff --git a/lib/OPMode.pm b/lib/OPMode.pm index 438b628..0068e96 100644 --- a/lib/OPMode.pm +++ b/lib/OPMode.pm @@ -1292,8 +1292,8 @@ EOH print "\n Description: $desc\n" if (defined($desc)); print <{_tunnels}})){ (my $tunnum, my $state, my $ver, my $isakmpnum, my $enc, 
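Review bot: The added `_configpeer => conv_id_rev($th{$connectid}->{_peerid}),` duplicates the identical context line immediately below it, so the hash constructor for `$tunhash{$tunnel}` lists the same key twice and calls conv_id_rev twice per tunnel; one of the two lines should go. The `_ikever` element appended to `@tmp` is consumed positionally by the `(my $tunnum, my $state, my $ver, ...)` unpack in the following hunk (presumably the same sub), so the two lists must stay in the same order; a comment above `@tmp` such as `# positional: must match the list unpack in the print loop below` would record that coupling. display_ike_sa_brief starts and ends outside the hunk.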
@@ -1301,11 +1301,11 @@ EOH $enc = conv_enc($enc); $hash = conv_hash($hash); $natt = conv_natt($natt); - $dhgrp = conv_dh_group($dhgrp); + $dhgrp = conv_dh_group($dhgrp)."(".$dhgrp.")"; my $atime = $life - $expire; $atime = 0 if ($atime == $life); - printf " %-6s %-4s %-8s %-7s %-8s %-6s %-7s %-7s\n", - $state, $ver, $enc, $hash, $dhgrp, $natt, $atime, $life; + printf " %-6s %-6s %-8s %-7s %-14s %-6s %-7s %-7s\n", + $state, "IKEv".$ver, $enc, $hash, $dhgrp, $natt, $atime, $life; } print "\n \n"; } -- cgit v1.2.3 From f6f567b8b168dbe0d4bdb1b08c0f84faa0d362cb Mon Sep 17 00:00:00 2001 From: jules-vyos Date: Sun, 3 Sep 2017 21:25:50 +0100 Subject: Fixes for show vpn ike sa and show vpn ipsec sa Fixed 'show vpn ike sa' to actually show output when the tunnel isn't up. Foxed 'show vpn ipsec sa' to actually use the pretty-printing code, rather than swanctl --list-sas, which is pretty unpleasant. --- lib/OPMode.pm | 16 ++++++++++------ templates/show/vpn/ipsec/sa/node.def | 2 +- 2 files changed, 11 insertions(+), 7 deletions(-) (limited to 'lib/OPMode.pm') diff --git a/lib/OPMode.pm b/lib/OPMode.pm index 0068e96..38bea1c 100644 --- a/lib/OPMode.pm +++ b/lib/OPMode.pm 
@@ -615,19 +615,21 @@ sub process_tunnels{ $tunnel_hash{$connectid}->{_ikelife} = $ikelife; $tunnel_hash{$connectid}->{_pfsgrp} = $pfs_group; - } elsif ($line =~ /\]:\s+IKE.* SPIs: .* (reauthentication|rekeying) (disabled|in .*)/) { + } elsif ($line =~ /\]:\s+IKE.* SPIs:/) { my $ikever; ($ikever) = $line =~ /IKEv(.*?) SPI/; $tunnel_hash{$connectid}->{_ikever} = $ikever; my $expiry_time; - (undef,$expiry_time) = $line =~ /(reauthentication|rekeying) (.*)/; - $tunnel_hash{$connectid}->{_ikeexpire} = conv_time($expiry_time); + if($line =~ /(reauthentication|rekeying)/) + {(undef,$expiry_time) = $line =~ /(reauthentication|rekeying) (.*)/; + $tunnel_hash{$connectid}->{_ikeexpire} = conv_time($expiry_time); + my $atime = $tunnel_hash{$connectid}->{_ikelife} - $tunnel_hash{$connectid}->{_ikeexpire}; # $atime = $ike_lifetime - $ike_expire if (($ike_lifetime ne 'n/a') && ($ike_expire ne 'n/a')); $tunnel_hash{$connectid}->{_ikestate} = "up" if ($atime >= 0); - + } } elsif ($line =~ /\]:\s+IKE.proposal:(.*?)\/(.*?)\/(.*?)\/(.*)/) { $tunnel_hash{$connectid}->{_ikeencrypt} = $1; $tunnel_hash{$connectid}->{_ikehash} = $2; @@ -1260,7 +1262,7 @@ sub display_ike_sa_brief { my $lip = $th{$connectid}->{_lip}; $peerid = $th{$connectid}->{_rip}; my $tunnel = "$peerid-$lip"; - next if ($th{$connectid}->{_ikestate} eq 'down'); + #next if ($th{$connectid}->{_ikestate} eq 'down'); if (not exists $tunhash{$tunnel}) { $tunhash{$tunnel}={ _configpeer => conv_id_rev($th{$connectid}->{_peerid}), @@ -1304,8 +1306,10 @@ EOH $dhgrp = conv_dh_group($dhgrp)."(".$dhgrp.")"; my $atime = $life - $expire; $atime = 0 if ($atime == $life); + my $ike_out = "N/A"; + $ike_out = "IKEv".$ver if( $ver > 0 ); printf " %-6s %-6s %-8s %-7s %-14s %-6s %-7s %-7s\n", - $state, "IKEv".$ver, $enc, $hash, $dhgrp, $natt, $atime, $life; + $state, $ike_out, $enc, $hash, $dhgrp, $natt, $atime, $life; } print "\n \n"; } 
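Review bot: `$ike_out = "IKEv".$ver if( $ver > 0 );` in the `@@ -1304` hunk compares numerically against a field that process_tunnels initialises to `'n/a'`, so every tunnel without a parsed IKE version emits an "isn't numeric" warning when warnings are enabled; `$ike_out = "IKEv$ver" if $ver ne 'n/a';` matches how the placeholder is defined. In the `@@ -615` hunk the `{(undef,$expiry_time) = ...` line puts the opening brace and the first statement of the inner `if` on one line, unlike the rest of the file, and in the `@@ -1260` hunk the `#next if (... eq 'down')` line should be deleted rather than left as commented-out code, since the commit message already records why it went.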
diff --git a/templates/show/vpn/ipsec/sa/node.def b/templates/show/vpn/ipsec/sa/node.def
index 99a5cc1..7f569bd 100644
--- a/templates/show/vpn/ipsec/sa/node.def
+++ b/templates/show/vpn/ipsec/sa/node.def
@@ -1,6 +1,6 @@
 help: Show all active IPsec Security Associations (SA)
 run: if pgrep charon >&/dev/null; then
- sudo /usr/sbin/swanctl --list-sas
+ sudo /opt/vyatta/bin/sudo-users/vyatta-op-vpn.pl --show-ipsec-sa
 else
 echo -e "IPSec Process NOT Running\n"
 fi
-- cgit v1.2.3