From f480346bb8e934b1ce2e0fc3be23f7168273bba1 Mon Sep 17 00:00:00 2001
From: sarthurdev <965089+sarthurdev@users.noreply.github.com>
Date: Fri, 2 Jul 2021 10:57:32 +0200
Subject: ipsec: T3656: T3659: Fix pass-through with ipv6. Fix op-mode ipsec
 commands. Remove python3-crypto dependency.

---
 src/conf_mode/vpn_ipsec.py   | 6 ++++--
 src/op_mode/show_ipsec_sa.py | 2 +-
 src/op_mode/vpn_ipsec.py     | 2 +-
 3 files changed, 6 insertions(+), 4 deletions(-)

(limited to 'src')

diff --git a/src/conf_mode/vpn_ipsec.py b/src/conf_mode/vpn_ipsec.py
index bf4aa332a..ce72ee094 100755
--- a/src/conf_mode/vpn_ipsec.py
+++ b/src/conf_mode/vpn_ipsec.py
@@ -14,6 +14,7 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
+import ipaddress
 import os
 
 from sys import exit
@@ -34,7 +35,6 @@ from vyos.util import call
 from vyos.util import dict_search
 from vyos.util import process_named_running
 from vyos.util import run
-from vyos.util import cidr_fit
 from vyos import ConfigError
 from vyos import airbag
 airbag.enable()
@@ -407,7 +407,9 @@ def generate(ipsec):
 
                         for local_prefix in local_prefixes:
                             for remote_prefix in remote_prefixes:
-                                if cidr_fit(local_prefix, remote_prefix):
+                                local_net = ipaddress.ip_network(local_prefix)
+                                remote_net = ipaddress.ip_network(remote_prefix)
+                                if local_net.overlaps(remote_net):
                                     passthrough.append(local_prefix)
 
                         data['site_to_site']['peer'][peer]['tunnel'][tunnel]['passthrough'] = passthrough
diff --git a/src/op_mode/show_ipsec_sa.py b/src/op_mode/show_ipsec_sa.py
index a94c7efc6..e491267fd 100755
--- a/src/op_mode/show_ipsec_sa.py
+++ b/src/op_mode/show_ipsec_sa.py
@@ -26,7 +26,7 @@ import vyos.util
 def format_output(conns, sas):
     sa_data = []
 
-    for peer, parent_conn in conn.items():
+    for peer, parent_conn in conns.items():
         if peer not in sas:
             continue
 
diff --git a/src/op_mode/vpn_ipsec.py b/src/op_mode/vpn_ipsec.py
index dd5a85ed3..ad7efbf2d 100755
--- a/src/op_mode/vpn_ipsec.py
+++ b/src/op_mode/vpn_ipsec.py
@@ -23,7 +23,7 @@ import argparse
 from subprocess import TimeoutExpired
 
 from vyos.util import ask_yes_no, call, cmd, process_named_running
-from Crypto.PublicKey.RSA import importKey
+from Cryptodome.PublicKey.RSA import importKey
 
 RSA_LOCAL_KEY_PATH = '/config/ipsec.d/rsa-keys/localhost.key'
 RSA_LOCAL_PUB_PATH = '/etc/ipsec.d/certs/localhost.pub'
-- 
cgit v1.2.3