18 changes: 9 additions & 9 deletions server/src/com/cloud/network/vpn/Site2SiteVpnManagerImpl.java
Expand Up @@ -190,10 +190,10 @@ public Site2SiteCustomerGateway createCustomerGateway(CreateVpnCustomerGatewayCm
String ipsecPsk = cmd.getIpsecPsk();
String ikePolicy = cmd.getIkePolicy();
String espPolicy = cmd.getEspPolicy();
if (!NetUtils.isValidS2SVpnPolicy(ikePolicy)) {
throw new InvalidParameterValueException("The customer gateway IKE policy " + ikePolicy + " is invalid!");
if (!NetUtils.isValidS2SVpnPolicy("ike", ikePolicy)) {
throw new InvalidParameterValueException("The customer gateway IKE policy " + ikePolicy + " is invalid! Verify the required Diffie Hellman (DH) group is specified.");
}
if (!NetUtils.isValidS2SVpnPolicy(espPolicy)) {
if (!NetUtils.isValidS2SVpnPolicy("esp", espPolicy)) {
throw new InvalidParameterValueException("The customer gateway ESP policy " + espPolicy + " is invalid!");
}
Long ikeLifetime = cmd.getIkeLifetime();
Expand Down Expand Up @@ -444,10 +444,10 @@ public Site2SiteCustomerGateway updateCustomerGateway(UpdateVpnCustomerGatewayCm
String ipsecPsk = cmd.getIpsecPsk();
String ikePolicy = cmd.getIkePolicy();
String espPolicy = cmd.getEspPolicy();
if (!NetUtils.isValidS2SVpnPolicy(ikePolicy)) {
throw new InvalidParameterValueException("The customer gateway IKE policy" + ikePolicy + " is invalid!");
if (!NetUtils.isValidS2SVpnPolicy("ike", ikePolicy)) {
throw new InvalidParameterValueException("The customer gateway IKE policy" + ikePolicy + " is invalid! Verify the required Diffie Hellman (DH) group is specified.");
}
if (!NetUtils.isValidS2SVpnPolicy(espPolicy)) {
if (!NetUtils.isValidS2SVpnPolicy("esp", espPolicy)) {
throw new InvalidParameterValueException("The customer gateway ESP policy" + espPolicy + " is invalid!");
}
Long ikeLifetime = cmd.getIkeLifetime();
Expand Down Expand Up @@ -517,7 +517,7 @@ public boolean deleteVpnConnection(DeleteVpnConnectionCmd cmd) throws ResourceUn

_accountMgr.checkAccess(caller, null, false, conn);

if (conn.getState() == State.Connected) {
if (conn.getState() != State.Pending) {
stopVpnConnection(id);
}
_vpnConnectionDao.remove(id);
Expand All @@ -531,8 +531,8 @@ private void stopVpnConnection(Long id) throws ResourceUnavailableException {
throw new CloudRuntimeException("Unable to acquire lock on " + conn);
}
try {
if (conn.getState() != State.Connected && conn.getState() != State.Error) {
throw new InvalidParameterValueException("Site to site VPN connection with specified id is not in correct state(connected) to process disconnect!");
if (conn.getState() == State.Pending) {
throw new InvalidParameterValueException("Site to site VPN connection with specified id is currently Pending, unable to Disconnect!");
}

conn.setState(State.Disconnected);
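Review bot: The messages in the updateCustomerGateway hunk still lack the space between `policy` and the interpolated value (`"The customer gateway IKE policy" + ikePolicy`, and the same for ESP), so the API answers with text like `policy3des-md5;modp1536 is invalid!`, while the createCustomerGateway hunk gets it right. Since both call sites now run the identical `NetUtils.isValidS2SVpnPolicy("ike", ...)` / `("esp", ...)` checks with the same messages, I would hoist them into one private helper, e.g. `private void validateS2SPolicies(String ikePolicy, String espPolicy)`, so the two copies cannot drift again. The ESP message could also tell the caller what a valid policy looks like, as the IKE one now does for the DH group. createCustomerGateway, updateCustomerGateway, deleteVpnConnection and stopVpnConnection all begin and end outside their hunks.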
5 changes: 3 additions & 2 deletions systemvm/patches/debian/config/etc/logrotate.conf
@@ -1,13 +1,14 @@
# rotate log files daily
daily
# keep 5 days worth
rotate 5
# keep 3 days worth
rotate 3
# create new (empty) log files after rotating old ones
create
# use date as a suffix of the rotated file
#dateext
# max size 50M
size 50M
compress
# RPM packages drop log rotation information into this directory
include /etc/logrotate.d
# no packages own wtmp and btmp -- we'll rotate them here
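Review bot: `size 50M` and `daily` are mutually exclusive in logrotate — once `size` is present the time interval is ignored and rotation happens only when the file crosses the threshold, so the `# keep 3 days worth` comment does not describe what the resulting file does; if the intent is daily rotation with a size cap, the directive is `maxsize 50M`. Cutting retention from 5 to 3 rotations also shortens the forensic window on the system VM, and with `compress` in the same file the disk-space argument for 3 is weaker, so either keep 5 or record in the comment why 3 is sufficient. I cannot tell from the rendered page which of these lines are new and which are context, so read the `size` point as applying to the file as it ends up.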
13 changes: 2 additions & 11 deletions systemvm/patches/debian/config/opt/cloud/bin/checks2svpn.sh
Expand Up @@ -22,18 +22,9 @@ then
exit 1
fi

ipsec auto --status | grep vpn-$1 > /tmp/vpn-$1.status
ipsec status vpn-$1 > /tmp/vpn-$1.status

cat /tmp/vpn-$1.status | grep "ISAKMP SA established" > /dev/null
isakmpok=$?
if [ $isakmpok -ne 0 ]
then
echo -n "ISAKMP SA NOT found but checking IPsec;"
else
echo -n "ISAKMP SA found;"
fi

cat /tmp/vpn-$1.status | grep "IPsec SA established" > /dev/null
cat /tmp/vpn-$1.status | grep "ESTABLISHED" > /dev/null
ipsecok=$?
if [ $ipsecok -ne 0 ]
then
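Review bot: `grep "ESTABLISHED"` on the `ipsec status vpn-$1` output tests the IKE_SA, not the IPsec SA: in strongSwan's status output the IKE_SA is shown as `ESTABLISHED` while the CHILD_SA that actually carries traffic is shown as `INSTALLED`, so the `ipsecok` branch below the hunk will report the tunnel as up as soon as phase 1 completes even when the child SA failed (e.g. on an ESP proposal mismatch). Use `grep -q "INSTALLED" /tmp/vpn-$1.status` for the IPsec check and, if the phase-1 hint that this hunk removes is still wanted, keep a separate `grep -q "ESTABLISHED"` for it. Quoting `"$1"` and capturing the status in a variable instead of the predictable, world-readable `/tmp/vpn-$1.status` file would also be cleaner; the argument validation is above the hunk.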
61 changes: 34 additions & 27 deletions systemvm/patches/debian/config/opt/cloud/bin/configure.py
Expand Up @@ -471,13 +471,13 @@ def process(self):

def deletevpn(self, ip):
logging.info("Removing VPN configuration for %s", ip)
CsHelper.execute("ipsec auto --down vpn-%s" % ip)
CsHelper.execute("ipsec auto --delete vpn-%s" % ip)
CsHelper.execute("ipsec down vpn-%s" % ip)
CsHelper.execute("ipsec down vpn-%s" % ip)
vpnconffile = "%s/ipsec.vpn-%s.conf" % (self.VPNCONFDIR, ip)
vpnsecretsfile = "%s/ipsec.vpn-%s.secrets" % (self.VPNCONFDIR, ip)
os.remove(vpnconffile)
os.remove(vpnsecretsfile)
CsHelper.execute("ipsec auto --rereadall")
CsHelper.execute("ipsec reload")

def configure_iptables(self, dev, obj):
self.fw.append(["", "front", "-A INPUT -i %s -p udp -m udp --dport 500 -s %s -d %s -j ACCEPT" % (dev, obj['peer_gateway_ip'], obj['local_public_ip'])])
Expand All @@ -497,49 +497,56 @@ def configure_iptables(self, dev, obj):
def configure_ipsec(self, obj):
leftpeer = obj['local_public_ip']
rightpeer = obj['peer_gateway_ip']
peerlist = obj['peer_guest_cidr_list'].lstrip().rstrip().replace(',', ' ')
peerlist = obj['peer_guest_cidr_list'].replace(' ', '')
vpnconffile = "%s/ipsec.vpn-%s.conf" % (self.VPNCONFDIR, rightpeer)
vpnsecretsfile = "%s/ipsec.vpn-%s.secrets" % (self.VPNCONFDIR, rightpeer)
ikepolicy=obj['ike_policy'].replace(';','-')
esppolicy=obj['esp_policy'].replace(';','-')

pfs='no'
if 'modp' in esppolicy:
pfs='yes'

if rightpeer in self.confips:
self.confips.remove(rightpeer)
file = CsFile(vpnconffile)
file.add("#conn for vpn-%s" % rightpeer, 0)
file.search("conn ", "conn vpn-%s" % rightpeer)
file.addeq(" left=%s" % leftpeer)
file.addeq(" leftsubnet=%s" % obj['local_guest_cidr'])
file.addeq(" leftnexthop=%s" % obj['local_public_gateway'])
file.addeq(" right=%s" % rightpeer)
file.addeq(" rightsubnets={%s}" % peerlist)
file.addeq(" rightsubnet=%s" % peerlist)
file.addeq(" type=tunnel")
file.addeq(" authby=secret")
file.addeq(" keyexchange=ike")
file.addeq(" ike=%s" % obj['ike_policy'])
file.addeq(" ike=%s" % ikepolicy)
file.addeq(" ikelifetime=%s" % self.convert_sec_to_h(obj['ike_lifetime']))
file.addeq(" esp=%s" % obj['esp_policy'])
file.addeq(" salifetime=%s" % self.convert_sec_to_h(obj['esp_lifetime']))
if "modp" in obj['esp_policy']:
file.addeq(" pfs=yes")
else:
file.addeq(" pfs=no")
file.addeq(" esp=%s" % esppolicy)
file.addeq(" lifetime=%s" % self.convert_sec_to_h(obj['esp_lifetime']))
file.addeq(" pfs=%s" % pfs)
file.addeq(" keyingtries=2")
file.addeq(" auto=start")
if 'encap' not in obj:
obj['encap']=False
file.addeq(" forceencaps=%s" % CsHelper.bool_to_yn(obj['encap']))
if obj['dpd']:
file.addeq(" dpddelay=30")
file.addeq(" dpdtimeout=120")
file.addeq(" dpdaction=restart")
file.addeq(" dpddelay=30")
file.addeq(" dpdtimeout=120")
file.addeq(" dpdaction=restart")
secret = CsFile(vpnsecretsfile)
secret.search("%s " % leftpeer, "%s %s: PSK \"%s\"" % (leftpeer, rightpeer, obj['ipsec_psk']))
secret.search("%s " % leftpeer, "%s %s : PSK \"%s\"" % (leftpeer, rightpeer, obj['ipsec_psk']))
if secret.is_changed() or file.is_changed():
secret.commit()
file.commit()
logging.info("Configured vpn %s %s", leftpeer, rightpeer)
CsHelper.execute("ipsec auto --rereadall")
CsHelper.execute("ipsec auto --add vpn-%s" % rightpeer)
if not obj['passive']:
CsHelper.execute("ipsec auto --up vpn-%s" % rightpeer)
os.chmod(vpnsecretsfile, 0o400)
CsHelper.execute("ipsec rereadsecrets")

CsHelper.execute("ipsec reload")
if not obj['passive']:
CsHelper.execute("sudo nohup ipsec down vpn-%s" % rightpeer)
CsHelper.execute("sudo nohup ipsec up vpn-%s &" % rightpeer)
os.chmod(vpnsecretsfile, 0400)

def convert_sec_to_h(self, val):
hrs = int(val) / 3600
Expand Down Expand Up @@ -628,25 +635,25 @@ def process(self):
logging.debug("Remote accessvpn data bag %s", self.dbag)
self.remoteaccessvpn_iptables(public_ip, self.dbag[public_ip])

CsHelper.execute("ipsec auto --rereadall")
CsHelper.execute("ipsec down L2TP-PSK")
CsHelper.execute("ipsec update")
CsHelper.execute("service xl2tpd stop")
CsHelper.execute("service xl2tpd start")
CsHelper.execute("ipsec auto --rereadsecrets")
CsHelper.execute("ipsec auto --replace L2TP-PSK")
CsHelper.execute("ipsec rereadsecrets")
else:
logging.debug("Disabling remote access vpn .....")
#disable remote access vpn
CsHelper.execute("ipsec auto --down L2TP-PSK")
CsHelper.execute("ipsec down L2TP-PSK")
CsHelper.execute("service xl2tpd stop")


def configure_l2tpIpsec(self, left, obj):
vpnconffile="%s/l2tp.conf" % (self.VPNCONFDIR)
l2tpconffile="%s/l2tp.conf" % (self.VPNCONFDIR)
vpnsecretfilte="%s/ipsec.any.secrets" % (self.VPNCONFDIR)
xl2tpdconffile="/etc/xl2tpd/xl2tpd.conf"
xl2tpoptionsfile='/etc/ppp/options.xl2tpd'

file = CsFile(vpnconffile)
file = CsFile(l2tpconffile)
localip=obj['local_ip']
localcidr=obj['local_cidr']
publicIface=obj['public_interface']
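Review bot: In configure_ipsec the PSK is written by `secret.commit()`, but `os.chmod(vpnsecretsfile, 0400)` only runs at the very end of the method, after `ipsec rereadsecrets`, `ipsec reload` and the `ipsec up` call, so a newly created secrets file carries umask-default permissions for that whole window; from the rendered layout the chmod also appears to sit outside the `if secret.is_changed() or file.is_changed():` block, which makes it run on every pass but still too late. Set the mode before the content lands — create the file with `os.open(path, os.O_WRONLY | os.O_CREAT, 0o600)` in CsFile, or at minimum call `os.chmod` immediately after `secret.commit()`. Separately, the `dpddelay`/`dpdtimeout`/`dpdaction=restart` lines now appear to be emitted unconditionally and `obj['dpd']` is no longer consulted, so a customer gateway created with DPD disabled still gets dead-peer detection; if that is intended the flag should be retired at the API rather than silently ignored. Finally, `"sudo nohup ipsec up vpn-%s &" % rightpeer` is only safe if CsHelper.execute goes through a shell (the trailing `&` suggests it does) and rightpeer is guaranteed to be a validated IP address; if the script already runs as root, the `sudo` is redundant.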
16 changes: 9 additions & 7 deletions systemvm/patches/debian/config/opt/cloud/bin/cs_ip.py
Expand Up @@ -15,21 +15,20 @@
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
from pprint import pprint
from netaddr import *

from netaddr import *

def merge(dbag, ip):
added = False
nic_dev_id = None
index = -1 # a non-valid array index
for dev in dbag:
if dev == "id":
continue
for address in dbag[dev]:
for i, address in enumerate(dbag[dev]):
if address['public_ip'] == ip['public_ip']:
if 'nic_dev_id' in address:
nic_dev_id = address['nic_dev_id']
dbag[dev].remove(address)
index = i

ipo = IPNetwork(ip['public_ip'] + '/' + ip['netmask'])
if 'nic_dev_id' in ip:
Expand All @@ -44,8 +43,11 @@ def merge(dbag, ip):
else:
ip['nw_type'] = ip['nw_type'].lower()
if ip['nw_type'] == 'control':
dbag['eth' + str(nic_dev_id)] = [ip]
dbag[ip['device']] = [ip]
else:
dbag.setdefault('eth' + str(nic_dev_id), []).append(ip)
if index != -1:
dbag[ip['device']][index] = ip
else:
dbag.setdefault(ip['device'], []).append(ip)

return dbag
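Review bot: `index` is captured while scanning `dbag[dev]` for every device, but the replacement writes to `dbag[ip['device']][index]`; if the same public IP was previously recorded under a different device, this overwrites an unrelated entry in the new device's list (or raises IndexError when that list is shorter) and leaves the stale entry on the old device, where the previous `remove(address)` at least dropped it. Record the device with the index (`found_dev = dev`) and, when `found_dev != ip['device']`, `del dbag[found_dev][index]` before appending to the new device's list. `from netaddr import *` also pulls an unknown set of names into the module; `from netaddr import IPNetwork` would make the single dependency visible. Part of merge's body lies between the two hunks and is not shown here.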
8 changes: 2 additions & 6 deletions systemvm/patches/debian/vpn/etc/ipsec.conf
@@ -1,9 +1,5 @@
# Manual: ipsec.conf.5
version 2.0
# ipsec.conf - strongSwan IPsec configuration file

config setup
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
protostack=auto


include /etc/ipsec.d/*.conf
9 changes: 8 additions & 1 deletion systemvm/patches/debian/vpn/etc/ipsec.d/l2tp.conf
@@ -1,8 +1,14 @@
#ipsec remote access vpn configuration
conn L2TP-PSK
authby=secret
authby=psk
pfs=no
rekey=no
keyingtries=3
keyexchange=ikev1
forceencaps=yes
leftfirewall=yes
leftnexthop=%defaultroute
type=transport
#
# ----------------------------------------------------------
# The VPN server.
Expand Down Expand Up @@ -30,4 +36,5 @@ conn L2TP-PSK
# ----------------------------------------------------------
# Change 'ignore' to 'add' to enable this configuration.
#
rightsubnetwithin=0.0.0.0/0
auto=add
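Review bot: `leftnexthop=%defaultroute` and `rightsubnetwithin=0.0.0.0/0` are openswan-era keywords that, as far as I can tell, strongSwan 5.x's ipsec.conf(5) no longer accepts — the starter may log them as unknown and ignore them — so verify them against the installed version and either drop them or express the selector with strongSwan's `rightsubnet=`. The conn also sets no `ike=`/`esp=` proposals, so the algorithms negotiated with road-warrior L2TP clients are whatever this strongSwan build's IKEv1 defaults happen to be; pinning an explicit proposal list in the config, with a comment naming which legacy client ciphers are deliberately permitted, keeps that decision visible and reviewable. `pfs=no` and `rekey=no` are compatibility choices for L2TP clients and deserve a one-line comment saying so.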
2 changes: 1 addition & 1 deletion systemvm/patches/debian/vpn/etc/ipsec.secrets
@@ -1,2 +1,2 @@
include /var/lib/openswan/ipsec.secrets.inc
include /var/lib/strongswan/ipsec.conf.inc
include /etc/ipsec.d/ipsec.*.secrets
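Review bot: The new include points at `/var/lib/strongswan/ipsec.conf.inc`, which in Debian's strongswan packaging is the connection-config include pulled in from ipsec.conf, not a secrets file; the secrets counterpart the package provides is `/var/lib/strongswan/ipsec.secrets.inc`, so this looks like a typo mirroring the old `ipsec.secrets.inc` line. Including a conf-syntax file from ipsec.secrets is at best a no-op while the file is absent and at worst a parse error once the package populates it. Change it to `include /var/lib/strongswan/ipsec.secrets.inc` and confirm the path exists on the built image.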
2 changes: 1 addition & 1 deletion test/integration/component/maint/test_vpc.py
Expand Up @@ -177,7 +177,7 @@ def __init__(self):
},
"vpn_customer_gw": {
"ipsecpsk": "s2svpn",
"ikepolicy": "3des-md5",
"ikepolicy": "3des-md5;modp1536",
"ikelifetime": "86400",
"esppolicy": "3des-md5",
"esplifetime": "3600",
2 changes: 1 addition & 1 deletion test/integration/component/test_vpc.py
Expand Up @@ -186,7 +186,7 @@ def __init__(self):
},
"vpn_customer_gw": {
"ipsecpsk": "s2svpn",
"ikepolicy": "3des-md5",
"ikepolicy": "3des-md5;modp1536",
"ikelifetime": "86400",
"esppolicy": "3des-md5",
"esplifetime": "3600",
Expand Up @@ -54,6 +54,11 @@ function do_signature() {
echo "Cloudstack Release $CLOUDSTACK_RELEASE $(date)" > /etc/cloudstack-release
}

function configure_strongswan() {
# change the charon stroke timeout from 3 minutes to 30 seconds
sed -i "s/# timeout = 0/timeout = 30000/" /etc/strongswan.d/charon/stroke.conf
}

function configure_services() {
mkdir -p /var/www/html
mkdir -p /opt/cloud/bin
Expand Down Expand Up @@ -81,6 +86,7 @@ function configure_services() {
chkconfig radvd off

configure_apache2
configure_strongswan
}

return 2>/dev/null || configure_services
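Review bot: The `sed -i "s/# timeout = 0/timeout = 30000/"` in configure_strongswan succeeds silently even when it changes nothing — if the packaged stroke.conf uses different spacing, already has the key uncommented, or ships a different default, the 3-minute timeout stays in place and nothing in the image build notices. Add a post-condition so the build fails loudly instead: `grep -q '^[[:space:]]*timeout = 30000' /etc/strongswan.d/charon/stroke.conf || { echo 'stroke timeout not applied' >&2; exit 1; }`. A short comment on why 30 s was chosen (presumably so the `ipsec` calls made from configure.py cannot block the router for minutes) would help whoever tunes it next.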
Expand Up @@ -64,7 +64,6 @@ function install_packages() {
nfs-common \
samba-common cifs-utils \
xl2tpd bcrelay ppp ipsec-tools tdb-tools \
openswan=1:2.6.37-3+deb7u1 \
xenstore-utils libxenstore3.0 \
conntrackd ipvsadm libnetfilter-conntrack3 libnl-3-200 libnl-genl-3-200 \
ipcalc \
Expand All @@ -76,9 +75,8 @@ function install_packages() {
sharutils

${apt_get} -t wheezy-backports install keepalived irqbalance open-vm-tools qemu-guest-agent
${apt_get} -t wheezy-backports install strongswan libcharon-extra-plugins libstrongswan-extra-plugins

# hold on installed openswan version, upgrade rest of the packages (if any)
apt-mark hold openswan
apt-get update
apt-get -y --force-yes upgrade

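Review bot: strongswan (with libcharon-extra-plugins and libstrongswan-extra-plugins) is now installed from wheezy-backports with no version pin, whereas the line it replaces pinned `openswan=1:2.6.37-3+deb7u1` and the removed `apt-mark hold openswan` kept it from drifting; backports move without a stable-release cadence, so two image builds from the same source can ship different IKE daemons. Pin the backports version the change was tested against (`strongswan=<version>` on the install line plus `apt-mark hold strongswan`), or at least write `dpkg -s strongswan` into the build log so the shipped version is recorded. `ipsec-tools` (racoon/setkey) remains in the package list above the removed openswan line and is unrelated to strongSwan; if nothing on the router uses setkey, drop it to shrink the image's attack surface.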