authorsarthurdev <965089+sarthurdev@users.noreply.github.com>2021-06-14 13:04:04 +0200
committersarthurdev <965089+sarthurdev@users.noreply.github.com>2021-06-15 00:16:42 +0200
commit11b5636519b360074eb2877006f2d8d63d9f6610 (patch)
tree1ff04e1e0aba2167b746f2f1373544e3d38b055d /src/etc
parent78099bccc510c90ad7cfa5f56475ba024d5d53a7 (diff)
downloadvyos-1x-11b5636519b360074eb2877006f2d8d63d9f6610.tar.gz
vyos-1x-11b5636519b360074eb2877006f2d8d63d9f6610.zip
ipsec: T2816: T645: T3613: Migrated IPsec to swanctl, includes multiple selectors, and selectors with VTI.
Diffstat (limited to 'src/etc')
-rwxr-xr-xsrc/etc/dhcp/dhclient-exit-hooks.d/ipsec-dhclient-hook30
-rwxr-xr-xsrc/etc/ipsec.d/vti-up-down14
2 files changed, 35 insertions, 9 deletions
diff --git a/src/etc/dhcp/dhclient-exit-hooks.d/ipsec-dhclient-hook b/src/etc/dhcp/dhclient-exit-hooks.d/ipsec-dhclient-hook
index e00e5fe6e..a7a9a2ce6 100755
--- a/src/etc/dhcp/dhclient-exit-hooks.d/ipsec-dhclient-hook
+++ b/src/etc/dhcp/dhclient-exit-hooks.d/ipsec-dhclient-hook
@@ -1,4 +1,18 @@
#!/bin/bash
+#
+# Copyright (C) 2021 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
if [ "$reason" == "REBOOT" ] || [ "$reason" == "EXPIRE" ]; then
exit 0
@@ -24,8 +38,7 @@ import re
from vyos.util import call
from vyos.util import cmd
-IPSEC_CONF="/etc/ipsec.conf"
-IPSEC_SECRETS="/etc/ipsec.secrets"
+SWANCTL_CONF="/etc/swanctl/swanctl.conf"
def getlines(file):
with open(file, 'r') as f:
@@ -41,7 +54,7 @@ def ipsec_down(ip_address):
connection_name = None
for line in status.split("\n"):
if line.find(ip_address) > 0:
- regex_match = re.search(r'(peer-[^:\[]+)', line)
+ regex_match = re.search(r'(peer_[^:\[]+)', line)
if regex_match:
connection_name = regex_match[1]
break
@@ -53,8 +66,7 @@ if __name__ == '__main__':
new_ip = os.getenv('new_ip_address')
old_ip = os.getenv('old_ip_address')
- conf_lines = getlines(IPSEC_CONF)
- secrets_lines = getlines(IPSEC_SECRETS)
+ conf_lines = getlines(SWANCTL_CONF)
found = False
to_match = f'# dhcp:{interface}'
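Review bot: Removing `secrets_lines = getlines(IPSEC_SECRETS)` here leaves the unchanged line `secrets_lines[i] = line.replace(old_ip, new_ip)` in the next hunk (the `-68,9 +80,9` one) referring to a name that no longer exists on the new side, so that branch will raise NameError at runtime if it is reached. The loop that drives that assignment starts outside both hunks, so I cannot tell from here whether it still iterates a secrets list or was folded into the `conf_lines` loop; either the assignment should be dropped along with its loop, or it should become `conf_lines[i] = line.replace(old_ip, new_ip)` if the swanctl file now carries the secret entries. Worth a quick run of the hook with a matching `# dhcp:<interface>` marker to confirm the rewrite path is exercised end to end.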
@@ -68,9 +80,9 @@ if __name__ == '__main__':
secrets_lines[i] = line.replace(old_ip, new_ip)
if found:
- writelines(IPSEC_CONF, conf_lines)
- writelines(IPSEC_SECRETS, secrets_lines)
+ writelines(SWANCTL_CONF, conf_lines)
ipsec_down(old_ip)
- call('sudo /usr/sbin/ipsec rereadall')
- call('sudo /usr/sbin/ipsec reload')
+ call('sudo ipsec rereadall')
+ call('sudo ipsec reload')
+ call('sudo swanctl -q')
PYEND \ No newline at end of file
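Review bot: The new `call('sudo ipsec rereadall')` / `call('sudo ipsec reload')` lines drop the absolute `/usr/sbin/ipsec` path the old lines used; in a dhclient exit hook the environment is whatever dhclient passes down, and because the command runs through sudo, resolution now depends on sudo's configured secure_path rather than on this script, so keeping the absolute path (or `swanctl` likewise as an absolute path) makes the hook independent of that configuration. Separately, `ipsec rereadall` and `ipsec reload` re-read the legacy stroke configuration, whereas the file this hook now rewrites is `SWANCTL_CONF`, which `swanctl -q` loads; if the stroke files are no longer generated after this migration, the two legacy calls appear redundant, but that is inferred from the rename rather than visible here. The results of the `call()` invocations are also discarded, so a failed reload after the old SA is torn down by `ipsec_down(old_ip)` would go unlogged; consider checking the return value of at least `swanctl -q`, e.g. `if call('sudo swanctl -q') != 0: print('swanctl reload failed', file=sys.stderr)` (assuming `sys` is imported above the hunk). The `__main__` block starts outside this hunk.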
diff --git a/src/etc/ipsec.d/vti-up-down b/src/etc/ipsec.d/vti-up-down
index 0e1cd7753..2b66dd9e6 100755
--- a/src/etc/ipsec.d/vti-up-down
+++ b/src/etc/ipsec.d/vti-up-down
@@ -1,4 +1,18 @@
#!/usr/bin/env python3
+#
+# Copyright (C) 2021 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
## Script called up strongswan to bring the vti interface up/down based on the state of the IPSec tunnel.
## Called as vti_up_down vti_intf_name