From df449695e73cb44b971b02e93fe59d5a99bd7586 Mon Sep 17 00:00:00 2001 From: Jayapalu Date: Mon, 19 Sep 2016 16:17:18 +0530 Subject: [PATCH 1/2] Added the strongswan 5.2 implementation --- .../config/opt/cloud/bin/checks2svpn.sh | 13 +---- .../debian/config/opt/cloud/bin/configure.py | 50 +++++++++++-------- systemvm/patches/debian/vpn/etc/ipsec.conf | 11 ++-- .../patches/debian/vpn/etc/ipsec.d/l2tp.conf | 8 ++- systemvm/patches/debian/vpn/etc/ipsec.secrets | 2 +- .../install_systemvm_packages.sh | 4 +- 6 files changed, 44 insertions(+), 44 deletions(-) diff --git a/systemvm/patches/debian/config/opt/cloud/bin/checks2svpn.sh b/systemvm/patches/debian/config/opt/cloud/bin/checks2svpn.sh index 59ab4260f880..a78ec8835a86 100755 --- a/systemvm/patches/debian/config/opt/cloud/bin/checks2svpn.sh +++ b/systemvm/patches/debian/config/opt/cloud/bin/checks2svpn.sh @@ -22,18 +22,9 @@ then exit 1 fi -ipsec auto --status | grep vpn-$1 > /tmp/vpn-$1.status +ipsec status vpn-$1 > /tmp/vpn-$1.status -cat /tmp/vpn-$1.status | grep "ISAKMP SA established" > /dev/null -isakmpok=$? -if [ $isakmpok -ne 0 ] -then - echo -n "ISAKMP SA NOT found but checking IPsec;" -else - echo -n "ISAKMP SA found;" -fi - -cat /tmp/vpn-$1.status | grep "IPsec SA established" > /dev/null +cat /tmp/vpn-$1.status | grep "ESTABLISHED" > /dev/null ipsecok=$? if [ $ipsecok -ne 0 ] then diff --git a/systemvm/patches/debian/config/opt/cloud/bin/configure.py b/systemvm/patches/debian/config/opt/cloud/bin/configure.py index dd164a2aae67..7676691ef750 100755 --- a/systemvm/patches/debian/config/opt/cloud/bin/configure.py +++ b/systemvm/patches/debian/config/opt/cloud/bin/configure.py 
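Review bot: The rewritten `cat /tmp/vpn-$1.status | grep "ESTABLISHED"` in checks2svpn.sh only matches the IKE_SA line of `ipsec status` output; strongSwan reports the actual IPsec tunnel (the CHILD_SA) on a separate line marked `INSTALLED`, so the script now reports the IPsec SA as found while only phase 1 is up, which is exactly the distinction the removed ISAKMP check used to make. Keep a separate match for the IKE state and use `grep "INSTALLED" > /dev/null` for the `ipsecok` result, whose consumers are below the hunk. The new `ipsec status vpn-$1 > /tmp/vpn-$1.status` line still expands `$1` unquoted into the command and into a predictable path under /tmp, as the old line did; quoting it as `"vpn-$1"` is cheap.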
@@ -472,13 +472,13 @@ def process(self): def deletevpn(self, ip): logging.info("Removing VPN configuration for %s", ip) - CsHelper.execute("ipsec auto --down vpn-%s" % ip) - CsHelper.execute("ipsec auto --delete vpn-%s" % ip) + CsHelper.execute("ipsec down vpn-%s" % ip) + CsHelper.execute("ipsec down vpn-%s" % ip) vpnconffile = "%s/ipsec.vpn-%s.conf" % (self.VPNCONFDIR, ip) vpnsecretsfile = "%s/ipsec.vpn-%s.secrets" % (self.VPNCONFDIR, ip) os.remove(vpnconffile) os.remove(vpnsecretsfile) - CsHelper.execute("ipsec auto --rereadall") + CsHelper.execute("ipsec reload") def configure_iptables(self, dev, obj): self.fw.append(["", "front", "-A INPUT -i %s -p udp -m udp --dport 500 -s %s -d %s -j ACCEPT" % (dev, obj['peer_gateway_ip'], obj['local_public_ip'])]) 
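Review bot: In deletevpn the second `CsHelper.execute("ipsec down vpn-%s" % ip)` is a verbatim duplicate of the line above it, apparently a placeholder for the openswan `--delete` it replaces; the strongSwan `ipsec` wrapper has no delete verb, and as far as I can tell the `ipsec reload` at the end of the method, which re-reads ipsec.conf, is what actually drops a connection whose conf file has just been removed. Drop the duplicate and record the reason: `# no explicit delete: 'ipsec reload' removes conns whose .conf is gone`. The two os.remove calls still raise OSError when a file is already missing, which this commit does not change.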
@@ -501,26 +501,33 @@ def configure_ipsec(self, obj): peerlist = obj['peer_guest_cidr_list'].lstrip().rstrip().replace(',', ' ') vpnconffile = "%s/ipsec.vpn-%s.conf" % (self.VPNCONFDIR, rightpeer) vpnsecretsfile = "%s/ipsec.vpn-%s.secrets" % (self.VPNCONFDIR, rightpeer) + ikepolicy=obj['ike_policy'] + ikepolicy=ikepolicy.replace(';','-') + esppolicy=obj['esp_policy'] + esppolicy=esppolicy.replace(';','-') + + pfs='yes' + if (esppolicy.rfind('modp') == -1): + pfs='no' + if rightpeer in self.confips: self.confips.remove(rightpeer) file = CsFile(vpnconffile) + file.add("#conn for vpn-%s" % rightpeer, 0) file.search("conn ", "conn vpn-%s" % rightpeer) file.addeq(" left=%s" % leftpeer) file.addeq(" leftsubnet=%s" % obj['local_guest_cidr']) file.addeq(" leftnexthop=%s" % obj['local_public_gateway']) file.addeq(" right=%s" % rightpeer) - file.addeq(" rightsubnets={%s}" % peerlist) + file.addeq(" rightsubnet=%s" % peerlist) file.addeq(" type=tunnel") file.addeq(" authby=secret") file.addeq(" keyexchange=ike") - file.addeq(" ike=%s" % obj['ike_policy']) + file.addeq(" ike=%s" % ikepolicy) file.addeq(" ikelifetime=%s" % self.convert_sec_to_h(obj['ike_lifetime'])) - file.addeq(" esp=%s" % obj['esp_policy']) - file.addeq(" salifetime=%s" % self.convert_sec_to_h(obj['esp_lifetime'])) - if "modp" in obj['esp_policy']: - file.addeq(" pfs=yes") - else: - file.addeq(" pfs=no") + file.addeq(" esp=%s" % esppolicy) + file.addeq(" lifetime=%s" % self.convert_sec_to_h(obj['esp_lifetime'])) + file.addeq(" pfs=%s" % pfs) file.addeq(" keyingtries=2") file.addeq(" auto=start") if 'encap' not in obj: 
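Review bot: `file.addeq(" rightsubnet=%s" % peerlist)` is fed the comma-to-space rewritten list from the `peerlist = ... .replace(',', ' ')` line at the top of the hunk, which matched the old openswan `rightsubnets={a b}` syntax; per ipsec.conf(5) strongSwan takes `rightsubnet` as a comma-separated list, so a peer with more than one guest CIDR will produce a value that fails to parse or collapses to a single subnet. Use the original comma form, e.g. `file.addeq(" rightsubnet=%s" % obj['peer_guest_cidr_list'].strip())`, after which `peerlist` looks unused in this function. The `pfs` derivation from `esppolicy.rfind('modp')` preserves the old behaviour but deserves a one-liner, `# PFS on when the ESP policy names a DH group (modpNNNN)`; the rest of configure_ipsec continues outside the hunk.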
@@ -531,16 +538,15 @@ def configure_ipsec(self, obj): file.addeq(" dpdtimeout=120") file.addeq(" dpdaction=restart") secret = CsFile(vpnsecretsfile) - secret.search("%s " % leftpeer, "%s %s: PSK \"%s\"" % (leftpeer, rightpeer, obj['ipsec_psk'])) + secret.search("%s " % leftpeer, "%s %s : PSK \"%s\"" % (leftpeer, rightpeer, obj['ipsec_psk'])) if secret.is_changed() or file.is_changed(): secret.commit() file.commit() logging.info("Configured vpn %s %s", leftpeer, rightpeer) - CsHelper.execute("ipsec auto --rereadall") - CsHelper.execute("ipsec auto --add vpn-%s" % rightpeer) + CsHelper.execute("ipsec reload") if not obj['passive']: - CsHelper.execute("ipsec auto --up vpn-%s" % rightpeer) - os.chmod(vpnsecretsfile, 0o400) + CsHelper.execute("sudo nohup ipsec up vpn-%s &" % rightpeer) + os.chmod(vpnsecretsfile, 0400) def convert_sec_to_h(self, val): hrs = int(val) / 3600 
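Review bot: `os.chmod(vpnsecretsfile, 0400)` swaps the `0o400` literal for the Python-2-only octal spelling; `0o400` is accepted from Python 2.6 onwards and is the only form Python 3 accepts, so the change is a portability regression with no functional gain and the line should stay `os.chmod(vpnsecretsfile, 0o400)`. The PSK is written by `secret.commit()` several lines before the chmod narrows the file, and whether CsFile creates the file with a restrictive mode is not visible here — worth confirming, since the secrets file holds `obj['ipsec_psk']` in clear. The `"%s %s : PSK \"%s\""` spacing fix matches the ipsec.secrets format strongSwan expects.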
@@ -629,25 +635,25 @@ def process(self): logging.debug("Remote accessvpn data bag %s", self.dbag) self.remoteaccessvpn_iptables(public_ip, self.dbag[public_ip]) - CsHelper.execute("ipsec auto --rereadall") + CsHelper.execute("ipsec down L2TP-PSK") + CsHelper.execute("ipsec update") CsHelper.execute("service xl2tpd stop") CsHelper.execute("service xl2tpd start") - CsHelper.execute("ipsec auto --rereadsecrets") - CsHelper.execute("ipsec auto --replace L2TP-PSK") + CsHelper.execute("ipsec rereadsecrets") else: logging.debug("Disabling remote access vpn .....") #disable remote access vpn - CsHelper.execute("ipsec auto --down L2TP-PSK") + CsHelper.execute("ipsec down L2TP-PSK") CsHelper.execute("service xl2tpd stop") def configure_l2tpIpsec(self, left, obj): - vpnconffile="%s/l2tp.conf" % (self.VPNCONFDIR) + l2tpconffile="%s/l2tp.conf" % (self.VPNCONFDIR) vpnsecretfilte="%s/ipsec.any.secrets" % (self.VPNCONFDIR) xl2tpdconffile="/etc/xl2tpd/xl2tpd.conf" xl2tpoptionsfile='/etc/ppp/options.xl2tpd' - file = CsFile(vpnconffile) + file = CsFile(l2tpconffile) localip=obj['local_ip'] localcidr=obj['local_cidr'] publicIface=obj['public_interface'] diff --git a/systemvm/patches/debian/vpn/etc/ipsec.conf b/systemvm/patches/debian/vpn/etc/ipsec.conf index dc363b3a65f8..affe64b74eef 100644 --- a/systemvm/patches/debian/vpn/etc/ipsec.conf +++ b/systemvm/patches/debian/vpn/etc/ipsec.conf @@ -1,9 +1,8 @@ -# Manual: ipsec.conf.5 -version 2.0 +# ipsec.conf - strongSwan IPsec configuration file config setup - nat_traversal=yes - virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12 - protostack=auto - + nat_traversal=yes + charonstart=yes + plutostart=yes + include /etc/ipsec.d/*.conf diff --git a/systemvm/patches/debian/vpn/etc/ipsec.d/l2tp.conf b/systemvm/patches/debian/vpn/etc/ipsec.d/l2tp.conf index 7459e259a4e7..fddd6f346630 100644 --- a/systemvm/patches/debian/vpn/etc/ipsec.d/l2tp.conf +++ b/systemvm/patches/debian/vpn/etc/ipsec.d/l2tp.conf 
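Review bot: `l2tpconffile` replaces `vpnconffile` at the top of configure_l2tpIpsec, but the hunk only shows the assignment and the `CsFile(l2tpconffile)` call; if any later line of that method, outside the hunk, still reads `vpnconffile`, it now raises NameError, so the rest of the method needs checking. In process() the remote-access path now runs `ipsec down L2TP-PSK`, `ipsec update`, restarts xl2tpd and only then `ipsec rereadsecrets`; as far as I know `update` re-reads ipsec.conf but not ipsec.secrets, so a changed PSK is only picked up by the last call, which is fine for a responder-only conn but should be stated: `# update reloads conns only; the PSK needs rereadsecrets`.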
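Review bot: The new `config setup` block in ipsec.conf sets `nat_traversal=yes`, `charonstart=yes` and `plutostart=yes`, but strongSwan 5.x (the commit title targets 5.2) ships only charon — pluto was removed in 5.0 — and, if I read ipsec.conf(5) correctly, all three keywords are obsolete and ignored, NAT traversal being always enabled. They are harmless noise but suggest to the next reader that pluto is involved; replace them with a comment such as `# strongSwan 5.x: charon only, NAT-T always enabled`. The kept `include /etc/ipsec.d/*.conf` line is what loads the per-tunnel files configure.py writes, which is worth a comment of its own.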
@@ -1,8 +1,13 @@ +#ipsec remote access vpn configuration conn L2TP-PSK - authby=secret + authby=psk pfs=no rekey=no keyingtries=3 + keyexchange=ikev1 + forceencaps=yes + leftfirewall=yes + leftnexthop=%defaultroute # # ---------------------------------------------------------- # The VPN server. @@ -30,4 +35,5 @@ conn L2TP-PSK # ---------------------------------------------------------- # Change 'ignore' to 'add' to enable this configuration. # + rightsubnetwithin=0.0.0.0/0 auto=add diff --git a/systemvm/patches/debian/vpn/etc/ipsec.secrets b/systemvm/patches/debian/vpn/etc/ipsec.secrets index d9a9a43c747c..0e4715c3579f 100644 --- a/systemvm/patches/debian/vpn/etc/ipsec.secrets +++ b/systemvm/patches/debian/vpn/etc/ipsec.secrets @@ -1,2 +1,2 @@ -include /var/lib/openswan/ipsec.secrets.inc +include /var/lib/strongswan/ipsec.conf.inc include /etc/ipsec.d/ipsec.*.secrets diff --git a/tools/appliance/definitions/systemvmtemplate/install_systemvm_packages.sh b/tools/appliance/definitions/systemvmtemplate/install_systemvm_packages.sh index f5f871b38dc4..414e5ad186a2 100644 --- a/tools/appliance/definitions/systemvmtemplate/install_systemvm_packages.sh +++ b/tools/appliance/definitions/systemvmtemplate/install_systemvm_packages.sh @@ -63,7 +63,6 @@ function install_packages() { nfs-common \ samba-common cifs-utils \ xl2tpd bcrelay ppp ipsec-tools tdb-tools \ - openswan=1:2.6.37-3+deb7u1 \ xenstore-utils libxenstore3.0 \ conntrackd ipvsadm libnetfilter-conntrack3 libnl-3-200 libnl-genl-3-200 \ ipcalc \ @@ -76,9 +75,8 @@ function install_packages() { sharutils ${apt_get} -t wheezy-backports install keepalived irqbalance open-vm-tools + ${apt_get} -t wheezy-backports install strongswan libcharon-extra-plugins - # hold on installed openswan version, upgrade rest of the packages (if any) - apt-mark hold openswan apt-get update apt-get -y --force-yes upgrade From 2471cd7088d30a3697f8ec908bc8b5ca83bed6aa Mon Sep 17 00:00:00 2001 
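Review bot: `leftnexthop=%defaultroute` in this hunk and `rightsubnetwithin=0.0.0.0/0` in the second l2tp.conf hunk are openswan/pluto-era keywords; in strongSwan 5.x ipsec.conf(5) lists `leftnexthop` as ignored and `rightsubnetwithin` as obsolete, so neither has the effect the author presumably intends, and what the responder accepts from L2TP clients has to be expressed through `rightsubnet` instead — verify against the strongSwan L2TP examples before relying on it. `authby=psk` is a valid synonym for `secret`, and `keyexchange=ikev1` with `forceencaps=yes` matches what L2TP/IPsec clients negotiate, but the forced encapsulation deserves a why-comment: `# L2TP clients: force UDP encapsulation even when no NAT is detected`.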
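Review bot: `include /var/lib/strongswan/ipsec.conf.inc` in ipsec.secrets points the secrets file at the package's configuration include; Debian's strongswan package ships a separate `/var/lib/strongswan/ipsec.secrets.inc` for exactly this line, with the `.conf.inc` file meant for /etc/ipsec.conf, so this looks like a copy typo and should read `include /var/lib/strongswan/ipsec.secrets.inc`. If the named file is missing strongSwan may only warn rather than fail to start, so the mistake would surface as silently missing secrets — worth checking on the built template.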
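Review bot: `${apt_get} -t wheezy-backports install strongswan libcharon-extra-plugins` installs an unpinned version from backports and the `apt-mark hold` that protected the old openswan pin is dropped, so the `apt-get upgrade` a few lines below moves the template to whatever backports carries at build time; the `ipsec` CLI verbs and config keywords configure.py now depends on can change between strongSwan releases. Pin the version the patch was tested with and hold it as before, e.g. `strongswan=<tested-version>` followed by `apt-mark hold strongswan`. `ipsec-tools` is still in the package list above the hunk; whether it is needed alongside strongSwan is not visible here.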
From: Jayapalu Date: Wed, 19 Oct 2016 14:08:05 +0530 Subject: [PATCH 2/2] CLOUDSTACK-8682: updated the ipsec commands --- .../patches/debian/config/opt/cloud/bin/configure.py | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/systemvm/patches/debian/config/opt/cloud/bin/configure.py b/systemvm/patches/debian/config/opt/cloud/bin/configure.py index 7676691ef750..f7491b3a2d5d 100755 --- a/systemvm/patches/debian/config/opt/cloud/bin/configure.py +++ b/systemvm/patches/debian/config/opt/cloud/bin/configure.py @@ -543,9 +543,12 @@ def configure_ipsec(self, obj): secret.commit() file.commit() logging.info("Configured vpn %s %s", leftpeer, rightpeer) - CsHelper.execute("ipsec reload") - if not obj['passive']: - CsHelper.execute("sudo nohup ipsec up vpn-%s &" % rightpeer) + CsHelper.execute("ipsec rereadsecrets") + + CsHelper.execute("ipsec reload") + if not obj['passive']: + CsHelper.execute("sudo nohup ipsec down vpn-%s " % rightpeer) + CsHelper.execute("sudo nohup ipsec up vpn-%s &" % rightpeer) os.chmod(vpnsecretsfile, 0400) def convert_sec_to_h(self, val):
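Review bot: `CsHelper.execute("sudo nohup ipsec up vpn-%s &" % rightpeer)` backgrounds the negotiation through the shell, so its exit status and output are discarded and a failed IKE/ESP negotiation (wrong PSK, proposal mismatch after the new policy rewriting) leaves no trace in this code path; the preceding `sudo nohup ipsec down vpn-%s ` (trailing space, no `&`) runs in the foreground, and the other ipsec calls in the same block run without sudo, so the three lines are inconsistent about privilege and synchrony. Either run `ipsec up` in the foreground with a timeout and log its result, or state where tunnel state is actually observed: `# 'up' is backgrounded: tunnel state is checked later by checks2svpn.sh, not here`. Moving `ipsec rereadsecrets` before `ipsec reload` closes the gap patch 1 left; the enclosing if-block and the rest of configure_ipsec continue outside the hunk.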