From bf7cd8a9f0de150e5c320354cb35d9977d6e3117 Mon Sep 17 00:00:00 2001 From: Remi Bergsma Date: Mon, 8 Dec 2014 18:53:18 +0100 Subject: [PATCH 1/6] remove biglock usage from ipsectunnel.sh Biglock breaks creating VPN's when other scripts run at the same time that also use the same biglock. These other scripts do nothing that could harm our deployment and even multiple vpn's can safely be created simultaniously. (cherry picked from commit 8b412ce194eaf195dc77531379687de43e14a088) --- .../debian/config/opt/cloud/bin/ipsectunnel.sh | 13 +++---------- 1 file changed, 3 insertions(+), 10 deletions(-) diff --git a/systemvm/patches/debian/config/opt/cloud/bin/ipsectunnel.sh b/systemvm/patches/debian/config/opt/cloud/bin/ipsectunnel.sh index e20c10f9e6d..9aa3f898666 100755 --- a/systemvm/patches/debian/config/opt/cloud/bin/ipsectunnel.sh +++ b/systemvm/patches/debian/config/opt/cloud/bin/ipsectunnel.sh @@ -18,13 +18,6 @@ source /root/func.sh -lock="biglock" -locked=$(getLockFile $lock) -if [ "$locked" != "1" ] -then - exit 1 -fi - vpnconfdir="/etc/ipsec.d" vpnoutmark="0x525" vpninmark="0x524" @@ -262,7 +255,7 @@ do p) passive=1 ;; ?) usage - unlock_exit 2 $lock $locked + exit 2 ;; esac done @@ -301,7 +294,7 @@ then ret=$? else printf "Invalid action specified, must choose -A or -D to add/del tunnels\n" >&2 - unlock_exit 5 $lock $locked + exit 5 fi -unlock_exit $ret $lock $locked +exit $ret From 08ab9a37690e059768622de8b90967d9e0a0afdf Mon Sep 17 00:00:00 2001 From: Remi Bergsma Date: Mon, 8 Dec 2014 18:54:27 +0100 Subject: [PATCH 2/6] renamed $leftgw to $leftnexthop to make clear what it does (cherry picked from commit 8b2563a216b012ab1905e65f446c8b6b1435b983) --- .../patches/debian/config/opt/cloud/bin/ipsectunnel.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/systemvm/patches/debian/config/opt/cloud/bin/ipsectunnel.sh b/systemvm/patches/debian/config/opt/cloud/bin/ipsectunnel.sh index 9aa3f898666..cfee6d12d0f 100755 
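Review bot: Removing the biglock leaves the iptables bookkeeping in this script unserialized, and that code is a check-then-act: check_and_enable_iptables greps iptables-save for the port-500 rule and adds the rule set only when the grep fails, while check_and_disable_iptables removes the rules once no other tunnel is in use, so an -A racing a -D (or two -A runs) can leave the INPUT/POSTROUTING rules duplicated or missing. The commit message asserts that simultaneous runs are safe, but nothing in the hunk establishes that, and after this change the rest of the script runs with no lock at all. If biglock is too coarse, a script-private lock around the iptables section keeps the benefit of this change without the race, e.g. `exec 9>/var/lock/ipsectunnel.lock` followed by `flock 9 || exit 1` (released automatically when the script exits), assuming flock is present on the system VM image. The iptables helpers are outside this hunk; I am reading them from the later patches in this series.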
--- a/systemvm/patches/debian/config/opt/cloud/bin/ipsectunnel.sh +++ b/systemvm/patches/debian/config/opt/cloud/bin/ipsectunnel.sh @@ -23,7 +23,7 @@ vpnoutmark="0x525" vpninmark="0x524" usage() { - printf "Usage: %s: (-A|-D) -l -n -g -r -N -e -i -t -T -s -d [ -p ]\n" $(basename $0) >&2 + printf "Usage: %s: (-A|-D) -l -n -g -r -N -e -i -t -T -s -d [ -p ]\n" $(basename $0) >&2 } #set -x @@ -129,7 +129,7 @@ ipsec_tunnel_add() { local vpnsecretsfile=$vpnconfdir/ipsec.vpn-$rightpeer.secrets logger -t cloud "$(basename $0): creating configuration for ipsec tunnel: left peer=$leftpeer \ - left net=$leftnet left gateway=$leftgw right peer=$rightpeer right network=$rightnets phase1 policy=$ikepolicy \ + left net=$leftnet left gateway=$leftnexthop right peer=$rightpeer right network=$rightnets phase1 policy=$ikepolicy \ phase2 policy=$esppolicy secret=$secret" [ "$op" == "-A" ] && ipsec_tunnel_del @@ -139,7 +139,7 @@ ipsec_tunnel_add() { sudo echo "conn vpn-$rightpeer" > $vpnconffile && sudo echo " left=$leftpeer" >> $vpnconffile && sudo echo " leftsubnet=$leftnet" >> $vpnconffile && - sudo echo " leftnexthop=$leftgw" >> $vpnconffile && + sudo echo " leftnexthop=$leftnexthop" >> $vpnconffile && sudo echo " right=$rightpeer" >> $vpnconffile && sudo echo " rightsubnets={$rightnets}" >> $vpnconffile && sudo echo " type=tunnel" >> $vpnconffile && @@ -226,7 +226,7 @@ do leftnet="$OPTARG" ;; g) gflag=1 - leftgw="$OPTARG" + leftnexthop="$OPTARG" ;; r) rflag=1 rightpeer="$OPTARG" From e89f09aa516ec06dcd2cced38de70f1bde9f0aaa Mon Sep 17 00:00:00 2001 
From: Remi Bergsma Date: Mon, 8 Dec 2014 18:55:35 +0100 Subject: [PATCH 3/6] starting the tunnel will make it keep trying until it connects Changed 'auto=add' to 'auto=start' to make sure the tunnel starts. When both sides are there they will connect. This resolves the issue that there is only a small time frame in which the VPN would connect. (cherry picked from commit b95addd3efb45f61b129584ade49bad7bbaa16f8) --- systemvm/patches/debian/config/opt/cloud/bin/ipsectunnel.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/systemvm/patches/debian/config/opt/cloud/bin/ipsectunnel.sh b/systemvm/patches/debian/config/opt/cloud/bin/ipsectunnel.sh index cfee6d12d0f..d30a9cadbae 100755 --- a/systemvm/patches/debian/config/opt/cloud/bin/ipsectunnel.sh +++ b/systemvm/patches/debian/config/opt/cloud/bin/ipsectunnel.sh @@ -151,7 +151,7 @@ ipsec_tunnel_add() { sudo echo " salifetime=${esplifetime}s" >> $vpnconffile && sudo echo " pfs=$pfs" >> $vpnconffile && sudo echo " keyingtries=2" >> $vpnconffile && - sudo echo " auto=add" >> $vpnconffile && + sudo echo " auto=start" >> $vpnconffile && sudo echo "$leftpeer $rightpeer: PSK \"$secret\"" > $vpnsecretsfile && sudo chmod 0400 $vpnsecretsfile From cbc4fa2e9c88bada9faaf1574930b3875f6a5ca3 Mon Sep 17 00:00:00 2001 From: Remi Bergsma Date: Mon, 8 Dec 2014 18:59:16 +0100 Subject: [PATCH 4/6] add a flag -c whether or not to check the VPN on create Changed default to no, as the other side may not be up yet. If this check fails, the VPN enters Error state and will not work. It's safe to just let it connect on its own so it will connect when it can. (cherry picked from commit f8d718e3e31ad517969663d24647fcbd9b50cc3d) --- .../patches/debian/config/opt/cloud/bin/ipsectunnel.sh | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/systemvm/patches/debian/config/opt/cloud/bin/ipsectunnel.sh b/systemvm/patches/debian/config/opt/cloud/bin/ipsectunnel.sh index d30a9cadbae..809cb4dd5af 100755 
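Review bot: Switching to `auto=start` does not on its own make the tunnel keep retrying until the peer is reachable, because the context line two above still writes `keyingtries=2`; as far as I recall Openswan abandons the connection once keyingtries is exhausted, so the retry window goes from one attempt to two rather than becoming indefinite as the commit message claims. If unbounded retry is the intent, that line should become `sudo echo "  keyingtries=%forever" >> $vpnconffile &&` alongside this change, or the message should describe the bounded behaviour. Separately, the secrets line in the same hunk creates `$vpnsecretsfile` under the caller's umask and only afterwards runs `chmod 0400`, so the PSK is briefly readable by other local users; writing it under `umask 077` (or via `install -m 0400`) closes that window. ipsec_tunnel_add starts before this hunk and continues past it.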
--- a/systemvm/patches/debian/config/opt/cloud/bin/ipsectunnel.sh +++ b/systemvm/patches/debian/config/opt/cloud/bin/ipsectunnel.sh @@ -23,7 +23,7 @@ vpnoutmark="0x525" vpninmark="0x524" usage() { - printf "Usage: %s: (-A|-D) -l -n -g -r -N -e -i -t -T -s -d [ -p ]\n" $(basename $0) >&2 + printf "Usage: %s: (-A|-D) -l -n -g -r -N -e -i -t -T -s -d [ -p -c &2 } #set -x @@ -174,6 +174,9 @@ ipsec_tunnel_add() { if [ $passive -eq 0 ] then sudo ipsec auto --up vpn-$rightpeer + fi + if [ $checkup -eq 1 ] + then #5 seconds for checking if it's ready for i in {1..5} @@ -209,8 +212,9 @@ Iflag= sflag= passive=0 op="" +checkup=0 -while getopts 'ADpl:n:g:r:N:e:i:t:T:s:d:' OPTION +while getopts 'ADpcl:n:g:r:N:e:i:t:T:s:d:' OPTION do case $OPTION in A) opflag=1 @@ -254,6 +258,8 @@ do ;; p) passive=1 ;; + c) checkup=1 + ;; ?) usage exit 2 ;; From 85ba1f76a441e36e9998a0a5d40943889d5d8290 Mon Sep 17 00:00:00 2001 From: Remi Bergsma Date: Mon, 8 Dec 2014 19:00:59 +0100 Subject: [PATCH 5/6] prevent CloudStack from removing the VPN connection If connecting the VPN takes some time, for example because the other end is not (yet) up, CloudStack will delete the VPN because the ipsectunnel.sh does not return in time. The VPN connection then enters the Error state. This change makes sure ipsectunnel.sh returns in time, and lets ipsec connect in the background. If it all fails, the connection enters Disconnected. (cherry picked from commit 7f33f7c3969d3b217ad6977f01bb487ebeee665d) --- systemvm/patches/debian/config/opt/cloud/bin/ipsectunnel.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/systemvm/patches/debian/config/opt/cloud/bin/ipsectunnel.sh b/systemvm/patches/debian/config/opt/cloud/bin/ipsectunnel.sh index 809cb4dd5af..a95c65ea350 100755 --- a/systemvm/patches/debian/config/opt/cloud/bin/ipsectunnel.sh +++ b/systemvm/patches/debian/config/opt/cloud/bin/ipsectunnel.sh 
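Review bot: As rendered here, the new usage line `printf "Usage: %s: (-A|-D) -l -n -g -r -N -e -i -t -T -s -d [ -p -c &2` has lost the closing `]\n"` and the `$(basename $0) >&2` tail, which leaves an unterminated double-quoted string and would make bash refuse to parse the whole script at this commit. Patch 6 in this series rewrites the same line to `[ -p -c -S ]\n" $(basename $0) >&2`, which suggests the broken line was really committed rather than being a rendering artefact, but that is worth confirming against the repository; if it is real, this commit should carry the corrected line itself so the series stays bisectable. The other hunks of this patch (the `checkup` block, the getopts string and the `c)` arm) are consistent with each other; ipsec_tunnel_add, which the `checkup` block sits in, starts and ends outside the hunk.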
@@ -173,7 +173,7 @@ ipsec_tunnel_add() { if [ $passive -eq 0 ] then - sudo ipsec auto --up vpn-$rightpeer + sudo ipsec auto --up vpn-$rightpeer & fi if [ $checkup -eq 1 ] then From a592b010350296d06fef987b5bd6b21f7cfca8a8 Mon Sep 17 00:00:00 2001 From: Remi Bergsma Date: Mon, 8 Dec 2014 19:06:55 +0100 Subject: [PATCH 6/6] made iptables for the VPN connection more secure Added destination and source definition. Flag -S can be used to ignore this. It's the new default as it is more secure and does not impact the way things work (backwords compatible). (cherry picked from commit ef3b4bb4e3342f166489034fa7149540d2ef1383) --- .../config/opt/cloud/bin/ipsectunnel.sh | 26 +++++++++++++------ 1 file changed, 18 insertions(+), 8 deletions(-) diff --git a/systemvm/patches/debian/config/opt/cloud/bin/ipsectunnel.sh b/systemvm/patches/debian/config/opt/cloud/bin/ipsectunnel.sh index a95c65ea350..e0af6a2d20f 100755 --- a/systemvm/patches/debian/config/opt/cloud/bin/ipsectunnel.sh +++ b/systemvm/patches/debian/config/opt/cloud/bin/ipsectunnel.sh @@ -23,7 +23,7 @@ vpnoutmark="0x525" vpninmark="0x524" usage() { - printf "Usage: %s: (-A|-D) -l -n -g -r -N -e -i -t -T -s -d [ -p -c &2 + printf "Usage: %s: (-A|-D) -l -n -g -r -N -e -i -t -T -s -d [ -p -c -S ]\n" $(basename $0) >&2 } #set -x 
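Review bot: Backgrounding `sudo ipsec auto --up vpn-$rightpeer &` returns control to the script, but the child still inherits the script's stdout and stderr, so a caller that collects this script's output through a pipe or an SSH session will in practice keep waiting until `ipsec auto --up` itself finishes, which is the delay the commit is trying to avoid; the job's exit status is also discarded because nothing `wait`s on it. Redirecting the job's descriptors, `sudo ipsec auto --up vpn-$rightpeer >/dev/null 2>&1 &`, lets the script actually return independently, and since that output is then lost, a `logger -t cloud "$(basename $0): started ipsec auto --up vpn-$rightpeer in background"` line would help later diagnosis. ipsec_tunnel_add starts and ends outside this hunk.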
@@ -61,13 +61,16 @@ enable_iptables_subnets() { return 0 } +# +# Add the right side here to close the gap, so we're sure no one else comes in +# also double check the default behaviour of ipsec to drop if wrong.... check_and_enable_iptables() { sudo iptables-save | grep "A INPUT -i $outIf -p udp -m udp --dport 500 -j ACCEPT" if [ $? -ne 0 ] then - sudo iptables -A INPUT -i $outIf -p udp -m udp --dport 500 -j ACCEPT - sudo iptables -A INPUT -i $outIf -p udp -m udp --dport 4500 -j ACCEPT - sudo iptables -A INPUT -i $outIf -p 50 -j ACCEPT + sudo iptables -A INPUT -i $outIf -p udp -m udp --dport 500 $iptables_secure -j ACCEPT + sudo iptables -A INPUT -i $outIf -p udp -m udp --dport 4500 $iptables_secure -j ACCEPT + sudo iptables -A INPUT -i $outIf -p 50 $iptables_secure -j ACCEPT # Prevent NAT on "marked" VPN traffic, so need to be the first one on POSTROUTING chain sudo iptables -t nat -I POSTROUTING -t nat -o $outIf -m mark --mark $vpnoutmark -j ACCEPT fi @@ -90,9 +93,9 @@ check_and_disable_iptables() { if [ $? -ne 0 ] then #Nobody else use s2s vpn now, so delete the iptables rules - sudo iptables -D INPUT -i $outIf -p udp -m udp --dport 500 -j ACCEPT - sudo iptables -D INPUT -i $outIf -p udp -m udp --dport 4500 -j ACCEPT - sudo iptables -D INPUT -i $outIf -p 50 -j ACCEPT + sudo iptables -D INPUT -i $outIf -p udp -m udp --dport 500 $iptables_secure -j ACCEPT + sudo iptables -D INPUT -i $outIf -p udp -m udp --dport 4500 $iptables_secure -j ACCEPT + sudo iptables -D INPUT -i $outIf -p 50 $iptables_secure -j ACCEPT sudo iptables -t nat -D POSTROUTING -t nat -o $outIf -m mark --mark $vpnoutmark -j ACCEPT fi return 0 @@ -213,8 +216,9 @@ sflag= passive=0 op="" checkup=0 +secure=1 -while getopts 'ADpcl:n:g:r:N:e:i:t:T:s:d:' OPTION +while getopts 'ADSpcl:n:g:r:N:e:i:t:T:s:d:' OPTION do case $OPTION in A) opflag=1 @@ -260,6 +264,8 @@ do ;; c) checkup=1 ;; + S) secure=0 + ;; ?) usage exit 2 ;; 
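Review bot: The presence test at the top of check_and_enable_iptables still greps iptables-save for `A INPUT -i $outIf -p udp -m udp --dport 500 -j ACCEPT`, but the rules it adds now carry `-s $rightpeer -d $leftpeer`; as far as I recall iptables-save prints the source and destination before the interface, so that pattern no longer matches a rule this script created, and every `-A` run re-adds the three INPUT rules and inserts yet another POSTROUTING rule. Even with the pattern fixed, a single "is the port-500 rule present" gate is the wrong unit once rules are per-peer: a second tunnel to a different peer needs its own `-s` rule, and the disable path (per its own comment) only removes rules when no tunnel remains, so rules for other peers are left behind. Both sides should be keyed on the peer — grep for the exact new rule text (e.g. `grep -- "-s $rightpeer/32 -d $leftpeer/32 .* --dport 500 -j ACCEPT"`) before adding, and delete that peer's rules unconditionally on tunnel removal. The added comment also leaves an open question (`double check the default behaviour of ipsec to drop if wrong`) that should be resolved or turned into a TODO with an owner before merge; check_and_disable_iptables begins outside this hunk.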
@@ -267,6 +273,10 @@ do done logger -t cloud "$(basename $0): parameters $*" +if [ $secure -eq 1 ] +then + iptables_secure=" -s $rightpeer -d $leftpeer " +fi # get interface for public ip ip link|grep BROADCAST|grep -v eth0|cut -d ":" -f 2 > /tmp/iflist
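Review bot: `iptables_secure=" -s $rightpeer -d $leftpeer "` is built from option values with no check that either is a single IPv4 address, and the variable is later expanded unquoted into `iptables` invocations, so an empty or malformed value yields a failed or unintentionally wide rule rather than a clean error; a guard before this block, `[[ "$rightpeer" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ && "$leftpeer" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]] || { logger -t cloud "$(basename $0): invalid peer address"; exit 2; }`, keeps the intended source/destination restriction honest. The flag checks that run between getopts and this hunk are outside my view, so part of this may already be enforced there. Also visible in this hunk's context: `logger -t cloud "$(basename $0): parameters $*"` writes every argument, including the PSK passed with `-s`, to syslog; that line should mask the secret before logging.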