From 1b5103c5017b7c71d75c817e7900db27a6f97937 Mon Sep 17 00:00:00 2001
From: Sheng Yang
Date: Mon, 6 Aug 2012 15:19:26 -0700
Subject: [PATCH] S2S VPN: CS-15472: Separate IKE lifetime and ESP lifetime

---
 .../api/routing/Site2SiteVpnCfgCommand.java | 36 ++++++++++---
 api/src/com/cloud/api/ApiConstants.java | 4 +-
 .../commands/CreateVpnCustomerGatewayCmd.java | 22 ++++++--
 .../commands/UpdateVpnCustomerGatewayCmd.java | 22 ++++++--
 .../Site2SiteCustomerGatewayResponse.java | 22 ++++++--
 .../Site2SiteVpnConnectionResponse.java | 24 +++++++--
 .../network/Site2SiteCustomerGateway.java | 4 +-
 .../VirtualRoutingResource.java | 10 +++-
 .../config/opt/cloud/bin/ipsectunnel.sh | 33 +++++++-----
 .../xen/resource/CitrixResourceBase.java | 10 +++-
 .../src/com/cloud/api/ApiResponseHelper.java | 11 ++--
 .../network/Site2SiteCustomerGatewayVO.java | 43 ++++++++++++---
 .../VirtualNetworkApplianceManagerImpl.java | 6 ++-
 ...VpcVirtualNetworkApplianceManagerImpl.java | 6 ++-
 .../network/vpn/Site2SiteVpnManagerImpl.java | 53 ++++++++++++++----
 15 files changed, 238 insertions(+), 68 deletions(-)

diff --git a/api/src/com/cloud/agent/api/routing/Site2SiteVpnCfgCommand.java b/api/src/com/cloud/agent/api/routing/Site2SiteVpnCfgCommand.java
index 6e438f27fda..f9ec641ff15 100644
--- a/api/src/com/cloud/agent/api/routing/Site2SiteVpnCfgCommand.java
+++ b/api/src/com/cloud/agent/api/routing/Site2SiteVpnCfgCommand.java
@@ -11,7 +11,9 @@ public class Site2SiteVpnCfgCommand extends NetworkElementCommand {
 private String ipsecPsk;
 private String ikePolicy;
 private String espPolicy;
- private long lifetime;
+ private long ikeLifetime;
+ private long espLifetime;
+ private boolean dpd;
 
 @Override
 public boolean executeInSequence() {
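Review bot: The three new fields carry no comment on their unit or meaning; that the two lifetimes are seconds can only be recovered from the API parameter descriptions and from ipsectunnel.sh appending `s` elsewhere in this patch. I would add `// IKE (phase 1) SA lifetime, in seconds`, `// ESP (phase 2) SA lifetime, in seconds` and `// whether dead peer detection is enabled for the tunnel` above the fields, since this command is what the hypervisor resources turn into script arguments. The class continues past the hunk.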
@@ -22,8 +24,8 @@ public class Site2SiteVpnCfgCommand extends NetworkElementCommand {
 this.create = false;
 }
 
- public Site2SiteVpnCfgCommand (boolean create, String localPublicIp, String localPublicGateway, String localGuestCidr,
- String peerGatewayIp, String peerGuestCidrList, String ikePolicy, String espPolicy, long lifetime, String ipsecPsk) {
+ public Site2SiteVpnCfgCommand (boolean create, String localPublicIp, String localPublicGateway, String localGuestCidr, String peerGatewayIp,
+ String peerGuestCidrList, String ikePolicy, String espPolicy, String ipsecPsk, Long ikeLifetime, Long espLifetime, Boolean dpd) {
 this.create = create;
 this.setLocalPublicIp(localPublicIp);
 this.setLocalPublicGateway(localPublicGateway);
@@ -33,7 +35,9 @@ public class Site2SiteVpnCfgCommand extends NetworkElementCommand {
 this.ipsecPsk = ipsecPsk;
 this.ikePolicy = ikePolicy;
 this.espPolicy = espPolicy;
- this.lifetime = lifetime;
+ this.ikeLifetime = ikeLifetime;
+ this.espLifetime = espLifetime;
+ this.dpd = dpd;
 }
 
 public boolean isCreate() {
@@ -68,12 +72,28 @@ public class Site2SiteVpnCfgCommand extends NetworkElementCommand {
 this.espPolicy = espPolicy;
 }
 
- public long getLifetime() {
- return lifetime;
+ public long getIkeLifetime() {
+ return ikeLifetime;
 }
 
- public void setLifetime(long lifetime) {
- this.lifetime = lifetime;
+ public void setikeLifetime(long ikeLifetime) {
+ this.ikeLifetime = ikeLifetime;
+ }
+
+ public long getEspLifetime() {
+ return espLifetime;
+ }
+
+ public void setEspLifetime(long espLifetime) {
+ this.espLifetime = espLifetime;
+ }
+
+ public Boolean getDpd() {
+ return dpd;
+ }
+
+ public void setDpd(Boolean dpd) {
+ this.dpd = dpd;
 }
 
 public String getLocalPublicIp() {
diff --git a/api/src/com/cloud/api/ApiConstants.java b/api/src/com/cloud/api/ApiConstants.java
index 923385dd78a..825e276b4be 100755
--- a/api/src/com/cloud/api/ApiConstants.java
+++ b/api/src/com/cloud/api/ApiConstants.java
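Review bot: The new constructor takes `Long ikeLifetime, Long espLifetime, Boolean dpd` but assigns them to the primitive fields `ikeLifetime`, `espLifetime` and `dpd`, so a null argument fails with an auto-unboxing NullPointerException inside the constructor rather than a clear message; either declare the parameters primitive (`long ikeLifetime, long espLifetime, boolean dpd`, as the VO constructor in this patch does) or validate them with `Objects.requireNonNull` first. Separately, `setikeLifetime` is lower-cased against `getIkeLifetime` and `setEspLifetime` and will not be picked up by bean-style reflection: `public void setIkeLifetime(long ikeLifetime) {`. `getDpd()`/`setDpd(Boolean)` also use the boxed type for a primitive field while the lifetime accessors use `long`; one convention would be easier to read.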
@@ -373,7 +373,9 @@ public class ApiConstants {
 public static final String REMOVED = "removed";
 public static final String IKE_POLICY = "ikepolicy";
 public static final String ESP_POLICY = "esppolicy";
- public static final String LIFETIME = "lifetime";
+ public static final String IKE_LIFETIME = "ikelifetime";
+ public static final String ESP_LIFETIME = "esplifetime";
+ public static final String DPD = "dpd";
 public static final String FOR_VPC = "forvpc";
 public static final String NICIRA_NVP_DEVICE_ID = "nvpdeviceid";
 public static final String NICIRA_NVP_TRANSPORT_ZONE_UUID = "transportzoneuuid";
diff --git a/api/src/com/cloud/api/commands/CreateVpnCustomerGatewayCmd.java b/api/src/com/cloud/api/commands/CreateVpnCustomerGatewayCmd.java
index ae0e99c33a4..9754f1c0f2c 100644
--- a/api/src/com/cloud/api/commands/CreateVpnCustomerGatewayCmd.java
+++ b/api/src/com/cloud/api/commands/CreateVpnCustomerGatewayCmd.java
@@ -58,8 +58,14 @@ public class CreateVpnCustomerGatewayCmd extends BaseAsyncCmd {
 @Parameter(name=ApiConstants.ESP_POLICY, type=CommandType.STRING, required=true, description="ESP policy of the customer gateway")
 private String espPolicy;
 
- @Parameter(name=ApiConstants.LIFETIME, type=CommandType.LONG, required=false, description="Lifetime of vpn connection to the customer gateway, in seconds")
- private Long lifetime;
+ @Parameter(name=ApiConstants.IKE_LIFETIME, type=CommandType.LONG, required=false, description="Lifetime of phase 1 VPN connection to the customer gateway, in seconds")
+ private Long ikeLifetime;
+
+ @Parameter(name=ApiConstants.ESP_LIFETIME, type=CommandType.LONG, required=false, description="Lifetime of phase 2 VPN connection to the customer gateway, in seconds")
+ private Long espLifetime;
+
+ @Parameter(name=ApiConstants.DPD, type=CommandType.BOOLEAN, required=false, description="If DPD is enabled for VPN connection")
+ private Boolean dpd;
 
 @Parameter(name=ApiConstants.ACCOUNT, type=CommandType.STRING, description="the account associated with the gateway. Must be used with the domainId parameter.")
 private String accountName;
@@ -101,8 +107,16 @@ public class CreateVpnCustomerGatewayCmd extends BaseAsyncCmd {
 return espPolicy;
 }
 
- public Long getLifetime() {
- return lifetime;
+ public Long getIkeLifetime() {
+ return ikeLifetime;
+ }
+
+ public Long getEspLifetime() {
+ return espLifetime;
+ }
+
+ public Boolean getDpd() {
+ return dpd;
 }
 
 public String getAccountName() {
diff --git a/api/src/com/cloud/api/commands/UpdateVpnCustomerGatewayCmd.java b/api/src/com/cloud/api/commands/UpdateVpnCustomerGatewayCmd.java
index 4af4c0d8b62..09b45eb1845 100644
--- a/api/src/com/cloud/api/commands/UpdateVpnCustomerGatewayCmd.java
+++ b/api/src/com/cloud/api/commands/UpdateVpnCustomerGatewayCmd.java
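Review bot: The `lifetime` parameter is removed outright rather than kept as a deprecated alias, so an existing client that still sends `lifetime=` gets no error and silently ends up with the server defaults for both new values (86400 and 3600 in Site2SiteVpnManagerImpl later in this patch); whether the command framework rejects unknown parameters is not visible from here. Unless that break is intended, keep a `@Parameter(name="lifetime", type=CommandType.LONG, required=false, ...)` field for one release that seeds both `ikeLifetime` and `espLifetime` when the new parameters are absent, or at least state the API break in the commit message. The same applies to UpdateVpnCustomerGatewayCmd in the next file.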
@@ -59,8 +59,14 @@ public class UpdateVpnCustomerGatewayCmd extends BaseAsyncCmd {
 @Parameter(name=ApiConstants.ESP_POLICY, type=CommandType.STRING, required=true, description="ESP policy of the customer gateway")
 private String espPolicy;
 
- @Parameter(name=ApiConstants.LIFETIME, type=CommandType.LONG, required=false, description="Lifetime of vpn connection to the customer gateway, in seconds")
- private Long lifetime;
+ @Parameter(name=ApiConstants.IKE_LIFETIME, type=CommandType.LONG, required=false, description="Lifetime of phase 1 VPN connection to the customer gateway, in seconds")
+ private Long ikeLifetime;
+
+ @Parameter(name=ApiConstants.ESP_LIFETIME, type=CommandType.LONG, required=false, description="Lifetime of phase 2 VPN connection to the customer gateway, in seconds")
+ private Long espLifetime;
+
+ @Parameter(name=ApiConstants.DPD, type=CommandType.BOOLEAN, required=false, description="If DPD is enabled for VPN connection")
+ private Boolean dpd;
 
 @Parameter(name=ApiConstants.ACCOUNT, type=CommandType.STRING, description="the account associated with the gateway. Must be used with the domainId parameter.")
 private String accountName;
@@ -102,8 +108,16 @@ public class UpdateVpnCustomerGatewayCmd extends BaseAsyncCmd {
 return espPolicy;
 }
 
- public Long getLifetime() {
- return lifetime;
+ public Long getIkeLifetime() {
+ return ikeLifetime;
+ }
+
+ public Long getEspLifetime() {
+ return espLifetime;
+ }
+
+ public Boolean getDpd() {
+ return dpd;
 }
 
 /////////////////////////////////////////////////////
diff --git a/api/src/com/cloud/api/response/Site2SiteCustomerGatewayResponse.java b/api/src/com/cloud/api/response/Site2SiteCustomerGatewayResponse.java
index 0e2c3539815..7c706f3452a 100644
--- a/api/src/com/cloud/api/response/Site2SiteCustomerGatewayResponse.java
+++ b/api/src/com/cloud/api/response/Site2SiteCustomerGatewayResponse.java
@@ -49,8 +49,14 @@ public class Site2SiteCustomerGatewayResponse extends BaseResponse implements Co
 @SerializedName(ApiConstants.ESP_POLICY) @Param(description="IPsec policy of customer gateway")
 private String espPolicy;
 
- @SerializedName(ApiConstants.LIFETIME) @Param(description="Lifetime of IKE and IPsec policy of customer gateway")
- private Long lifetime;
+ @SerializedName(ApiConstants.IKE_LIFETIME) @Param(description="Lifetime of IKE SA of customer gateway")
+ private Long ikeLifetime;
+
+ @SerializedName(ApiConstants.ESP_LIFETIME) @Param(description="Lifetime of ESP SA of customer gateway")
+ private Long espLifetime;
+
+ @SerializedName(ApiConstants.DPD) @Param(description="if DPD is enabled for customer gateway")
+ private Boolean dpd;
 
 @SerializedName(ApiConstants.ACCOUNT) @Param(description="the owner")
 private String accountName;
@@ -102,8 +108,16 @@ public class Site2SiteCustomerGatewayResponse extends BaseResponse implements Co
 this.espPolicy = espPolicy;
 }
 
- public void setLifetime(Long lifetime) {
- this.lifetime = lifetime;
+ public void setIkeLifetime(Long ikeLifetime) {
+ this.ikeLifetime = ikeLifetime;
+ }
+
+ public void setEspLifetime(Long espLifetime) {
+ this.espLifetime = espLifetime;
+ }
+
+ public void setDpd(Boolean dpd) {
+ this.dpd= dpd;
 }
 
 public void setRemoved(Date removed) {
diff --git a/api/src/com/cloud/api/response/Site2SiteVpnConnectionResponse.java b/api/src/com/cloud/api/response/Site2SiteVpnConnectionResponse.java
index 44f7c202669..1af50178172 100644
--- a/api/src/com/cloud/api/response/Site2SiteVpnConnectionResponse.java
+++ b/api/src/com/cloud/api/response/Site2SiteVpnConnectionResponse.java
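Review bot: `this.dpd= dpd;` in the new `setDpd` drops the space before `=` that every other setter in this hunk uses; `this.dpd = dpd;`. The identical line appears in `setDpd` of Site2SiteVpnConnectionResponse in the next file. The `@Param` descriptions of the two lifetimes no longer say "in seconds" as the removed `lifetime` description did and as the command parameters still do; restoring the unit keeps the generated API docs consistent.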
@@ -52,8 +52,14 @@ public class Site2SiteVpnConnectionResponse extends BaseResponse implements Cont
 @SerializedName(ApiConstants.ESP_POLICY) @Param(description="ESP policy of the customer gateway") //from CustomerGateway
 private String espPolicy;
 
- @SerializedName(ApiConstants.LIFETIME) @Param(description="Lifetime of vpn connection to the customer gateway, in seconds") //from CustomerGateway
- private Long lifetime;
+ @SerializedName(ApiConstants.IKE_LIFETIME) @Param(description="Lifetime of IKE SA of customer gateway") //from CustomerGateway
+ private Long ikeLifetime;
+
+ @SerializedName(ApiConstants.ESP_LIFETIME) @Param(description="Lifetime of ESP SA of customer gateway") //from CustomerGateway
+ private Long espLifetime;
+
+ @SerializedName(ApiConstants.DPD) @Param(description="if DPD is enabled for customer gateway") //from CustomerGateway
+ private Boolean dpd;
 
 @SerializedName(ApiConstants.STATE) @Param(description="State of vpn connection")
 private String state;
@@ -115,9 +121,17 @@ public class Site2SiteVpnConnectionResponse extends BaseResponse implements Cont
 this.espPolicy = espPolicy;
 }
 
- public void setLifetime(Long lifetime) {
- this.lifetime = lifetime;
- }
+ public void setIkeLifetime(Long ikeLifetime) {
+ this.ikeLifetime = ikeLifetime;
+ }
+
+ public void setEspLifetime(Long espLifetime) {
+ this.espLifetime = espLifetime;
+ }
+
+ public void setDpd(Boolean dpd) {
+ this.dpd= dpd;
+ }
 
 public void setState(String state) {
 this.state = state;
diff --git a/api/src/com/cloud/network/Site2SiteCustomerGateway.java b/api/src/com/cloud/network/Site2SiteCustomerGateway.java
index 29f580f18ba..623721b0f82 100644
--- a/api/src/com/cloud/network/Site2SiteCustomerGateway.java
+++ b/api/src/com/cloud/network/Site2SiteCustomerGateway.java
@@ -11,7 +11,9 @@ public interface Site2SiteCustomerGateway extends ControlledEntity {
 public String getIpsecPsk();
 public String getIkePolicy();
 public String getEspPolicy();
- public Long getLifetime();
+ public Long getIkeLifetime();
+ public Long getEspLifetime();
+ public Boolean getDpd();
 public Date getRemoved();
 String getName();
 }
diff --git a/core/src/com/cloud/agent/resource/virtualnetwork/VirtualRoutingResource.java b/core/src/com/cloud/agent/resource/virtualnetwork/VirtualRoutingResource.java
index efd44ba23a0..522ceb89175 100755
--- a/core/src/com/cloud/agent/resource/virtualnetwork/VirtualRoutingResource.java
+++ b/core/src/com/cloud/agent/resource/virtualnetwork/VirtualRoutingResource.java
@@ -596,9 +596,17 @@ public class VirtualRoutingResource implements Manager {
 args += " -i ";
 args += "\"" + cmd.getIkePolicy() + "\"";
 args += " -t ";
- args += Long.toString(cmd.getLifetime());
+ args += Long.toString(cmd.getIkeLifetime());
+ args += " -T ";
+ args += Long.toString(cmd.getEspLifetime());
 args += " -s ";
 args += "\"" + cmd.getIpsecPsk() + "\"";
+ args += " -d ";
+ if (cmd.getDpd()) {
+ args += "1";
+ } else {
+ args += "0";
+ }
 } else {
 args = "-D";
 args += " -r ";
diff --git a/patches/systemvm/debian/config/opt/cloud/bin/ipsectunnel.sh b/patches/systemvm/debian/config/opt/cloud/bin/ipsectunnel.sh
index 15eb4c2f7ad..74d31191804 100755
--- a/patches/systemvm/debian/config/opt/cloud/bin/ipsectunnel.sh
+++ b/patches/systemvm/debian/config/opt/cloud/bin/ipsectunnel.sh
@@ -23,7 +23,7 @@ vpnconfdir="/etc/ipsec.d"
 vpnoutmark="0x525"
 
 usage() {
- printf "Usage: %s: (-A|-D) -l -n -g -r -N -e -i -t -s \n" $(basename $0) >&2
+ printf "Usage: %s: (-A|-D) -l -n -g -r -N -e -i -t -T -s -d \n" $(basename $0) >&2
 }
 
 #set -x
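Review bot: The `-t`/`-T`/`-d` argument-building lines added to VirtualRoutingResource are repeated verbatim in CitrixResourceBase (the @@ -7420 hunk later in this patch), which is presumably why both files had to change in lock-step; a single method that turns a Site2SiteVpnCfgCommand into the ipsectunnel.sh argument string, called from both resources, would keep the two hypervisor paths from drifting the next time a flag is added. The five-line `if (cmd.getDpd())` branch also reduces to `args += cmd.getDpd() ? "1" : "0";`. The enclosing method starts and ends outside the hunk.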
@@ -122,7 +122,7 @@ ipsec_tunnel_add() {
 
 logger -t cloud "$(basename $0): creating configuration for ipsec tunnel: left peer=$leftpeer \
 left net=$leftnet left gateway=$leftgw right peer=$rightpeer right network=$rightnets phase1 policy=$ikepolicy \
- phase2 policy=$esppolicy lifetime=$time secret=$secret"
+ phase2 policy=$esppolicy secret=$secret"
 
 [ "$op" == "-A" ] && ipsec_tunnel_del
 
@@ -137,20 +137,23 @@ ipsec_tunnel_add() {
 sudo echo " type=tunnel" >> $vpnconffile &&
 sudo echo " authby=secret" >> $vpnconffile &&
 sudo echo " keyexchange=ike" >> $vpnconffile &&
- sudo echo " pfs=no" >> $vpnconffile &&
- sudo echo " esp=$esppolicy" >> $vpnconffile &&
- sudo echo " salifetime=${time}s" >> $vpnconffile &&
 sudo echo " ike=$ikepolicy" >> $vpnconffile &&
- sudo echo " ikelifetime=${time}s" >> $vpnconffile &&
+ sudo echo " ikelifetime=${ikelifetime}s" >> $vpnconffile &&
+ sudo echo " esp=$esppolicy" >> $vpnconffile &&
+ sudo echo " salifetime=${esplifetime}s" >> $vpnconffile &&
+ sudo echo " pfs=no" >> $vpnconffile &&
 sudo echo " keyingtries=3" >> $vpnconffile &&
- sudo echo " dpddelay=30" >> $vpnconffile &&
- sudo echo " dpdtimeout=120" >> $vpnconffile &&
- sudo echo " dpdaction=restart" >> $vpnconffile &&
 sudo echo " auto=add" >> $vpnconffile &&
 sudo echo "$leftpeer $rightpeer: PSK \"$secret\"" > $vpnsecretsfile &&
- sudo chmod 0400 $vpnsecretsfile
+ if [ $dpd -ne 0 ]
+ then
+ sudo echo " dpddelay=30" >> $vpnconffile &&
+ sudo echo " dpdtimeout=120" >> $vpnconffile &&
+ sudo echo " dpdaction=restart" >> $vpnconffile
+ fi
+
 
 enable_iptables_subnets
 
 sudo ipsec auto --rereadall
 
@@ -192,7 +195,7 @@ Iflag=
 sflag=
 op=""
 
-while getopts 'ADl:n:g:r:N:e:i:t:s:' OPTION
+while getopts 'ADl:n:g:r:N:e:i:t:T:s:d:' OPTION
 do
 case $OPTION in
 A) opflag=1
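Review bot: The `sudo chmod 0400 $vpnsecretsfile` line is removed together with the old dpd lines and is not added back anywhere in the new `if … fi` block, so after this change the file that receives `PSK "$secret"` keeps whatever mode the `>` redirection gave it (umask-dependent if the file was just created; whether ipsec_tunnel_del removes it first is not visible here) instead of being owner-read-only. Restore it, either directly after the `> $vpnsecretsfile &&` write or as the last statement after `fi`: `sudo chmod 0400 $vpnsecretsfile`. Two smaller points in the same block: `[ $dpd -ne 0 ]` is unquoted, so a run without `-d` (an older management server, or a manual invocation) makes the test itself error rather than defaulting, `[ "${dpd:-0}" -ne 0 ]` is safer; and `${ikelifetime}s` / `${esplifetime}s` likewise yield `ikelifetime=s` when `-t`/`-T` are absent, with no check in the hunk.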
@@ -223,11 +226,17 @@ do ikepolicy="$OPTARG" ;; t) tflag=1 - time="$OPTARG" + ikelifetime="$OPTARG" + ;; + T) Tflag=1 + esplifetime="$OPTARG" ;; s) sflag=1 secret="$OPTARG" ;; + d) dflag=1 + dpd="$OPTARG" + ;; ?) usage unlock_exit 2 $lock $locked ;; diff --git a/plugins/hypervisors/xen/src/com/cloud/hypervisor/xen/resource/CitrixResourceBase.java b/plugins/hypervisors/xen/src/com/cloud/hypervisor/xen/resource/CitrixResourceBase.java index 7c42e7667cc..fd09c8a4af5 100644 --- a/plugins/hypervisors/xen/src/com/cloud/hypervisor/xen/resource/CitrixResourceBase.java +++ b/plugins/hypervisors/xen/src/com/cloud/hypervisor/xen/resource/CitrixResourceBase.java @@ -7420,9 +7420,17 @@ public abstract class CitrixResourceBase implements ServerResource, HypervisorRe args += " -i "; args += "\"" + cmd.getIkePolicy() + "\""; args += " -t "; - args += Long.toString(cmd.getLifetime()); + args += Long.toString(cmd.getIkeLifetime()); + args += " -T "; + args += Long.toString(cmd.getEspLifetime()); args += " -s "; args += "\"" + cmd.getIpsecPsk() + "\""; + args += " -d "; + if (cmd.getDpd()) { + args += "1"; + } else { + args += "0"; + } } else { args += " -D"; args += " -r "; diff --git a/server/src/com/cloud/api/ApiResponseHelper.java b/server/src/com/cloud/api/ApiResponseHelper.java index a9e991087a7..0340a941b83 100755 --- a/server/src/com/cloud/api/ApiResponseHelper.java +++ b/server/src/com/cloud/api/ApiResponseHelper.java @@ -3841,7 +3841,10 @@ public class ApiResponseHelper implements ResponseGenerator { response.setIpsecPsk(result.getIpsecPsk()); response.setIkePolicy(result.getIkePolicy()); response.setEspPolicy(result.getEspPolicy()); - response.setLifetime(result.getLifetime()); + response.setIkeLifetime(result.getIkeLifetime()); + response.setEspLifetime(result.getEspLifetime()); + response.setDpd(result.getDpd()); + response.setRemoved(result.getRemoved()); response.setObjectName("vpncustomergateway"); 
@@ -3875,7 +3878,9 @@ public class ApiResponseHelper implements ResponseGenerator {
 response.setIpsecPsk(customerGateway.getIpsecPsk());
 response.setIkePolicy(customerGateway.getIkePolicy());
 response.setEspPolicy(customerGateway.getEspPolicy());
- response.setLifetime(customerGateway.getLifetime());
+ response.setIkeLifetime(customerGateway.getIkeLifetime());
+ response.setEspLifetime(customerGateway.getEspLifetime());
+ response.setDpd(customerGateway.getDpd());
 }
 
 populateAccount(response, result.getAccountId());
@@ -3887,4 +3892,4 @@ public class ApiResponseHelper implements ResponseGenerator {
 response.setObjectName("vpnconnection");
 return response;
 }
-}
\ No newline at end of file
+}
diff --git a/server/src/com/cloud/network/Site2SiteCustomerGatewayVO.java b/server/src/com/cloud/network/Site2SiteCustomerGatewayVO.java
index 573d5f1445b..1a46f4c7695 100644
--- a/server/src/com/cloud/network/Site2SiteCustomerGatewayVO.java
+++ b/server/src/com/cloud/network/Site2SiteCustomerGatewayVO.java
@@ -41,8 +41,14 @@ public class Site2SiteCustomerGatewayVO implements Site2SiteCustomerGateway {
 @Column(name="esp_policy")
 private String espPolicy;
 
- @Column(name="lifetime")
- private long lifetime;
+ @Column(name="ike_lifetime")
+ private long ikeLifetime;
+
+ @Column(name="esp_lifetime")
+ private long espLifetime;
+
+ @Column(name="dpd")
+ private boolean dpd;
 
 @Column(name="domain_id")
 private Long domainId;
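Review bot: The VO now maps three new columns (`ike_lifetime`, `esp_lifetime`, `dpd`) and drops `lifetime`, but none of the 15 files in the diffstat is a schema or upgrade script, so as far as this patch shows the entity no longer matches the table it is persisted to until a matching DDL change lands. If that change is in a separate commit it should be referenced from this one, and the upgrade should say how the old `lifetime` value is carried over (copied into `ike_lifetime`, with `esp_lifetime` defaulting to the 3600 used in Site2SiteVpnManagerImpl, presumably). I cannot see the table definition from here.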
@@ -55,14 +61,17 @@ public class Site2SiteCustomerGatewayVO implements Site2SiteCustomerGateway {
 public Site2SiteCustomerGatewayVO() {
 }
 
- public Site2SiteCustomerGatewayVO(String name, long accountId, long domainId, String gatewayIp, String guestCidrList, String ipsecPsk, String ikePolicy, String espPolicy, long lifetime) {
+ public Site2SiteCustomerGatewayVO(String name, long accountId, long domainId, String gatewayIp, String guestCidrList, String ipsecPsk, String ikePolicy, String espPolicy,
+ long ikeLifetime, long espLifetime, boolean dpd) {
 this.name = name;
 this.gatewayIp = gatewayIp;
 this.guestCidrList = guestCidrList;
 this.ipsecPsk = ipsecPsk;
 this.ikePolicy = ikePolicy;
 this.espPolicy = espPolicy;
- this.lifetime = lifetime;
+ this.ikeLifetime = ikeLifetime;
+ this.espLifetime = espLifetime;
+ this.dpd = dpd;
 this.uuid = UUID.randomUUID().toString();
 this.accountId = accountId;
 this.domainId = domainId;
@@ -119,12 +128,21 @@ public class Site2SiteCustomerGatewayVO implements Site2SiteCustomerGateway {
 }
 
 @Override
- public Long getLifetime() {
- return lifetime;
+ public Long getIkeLifetime() {
+ return ikeLifetime;
 }
 
- public void setLifetime(long lifetime) {
- this.lifetime = lifetime;
+ public void setIkeLifetime(long ikeLifetime) {
+ this.ikeLifetime = ikeLifetime;
+ }
+
+ @Override
+ public Long getEspLifetime() {
+ return espLifetime;
+ }
+
+ public void setEspLifetime(long espLifetime) {
+ this.espLifetime = espLifetime;
 }
 
 @Override
@@ -145,6 +163,15 @@ public class Site2SiteCustomerGatewayVO implements Site2SiteCustomerGateway {
 this.espPolicy = espPolicy;
 }
 
+ @Override
+ public Boolean getDpd() {
+ return dpd;
+ }
+
+ public void setDpd(boolean dpd) {
+ this.dpd = dpd;
+ }
+
 public String getUuid() {
 return uuid;
 }
diff --git a/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java b/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java
index cb55578318b..5ec8108a8d4 100755
--- a/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java
+++ b/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java
@@ -917,8 +917,10 @@ public class VirtualNetworkApplianceManagerImpl implements VirtualNetworkApplian
 }
 if (router.getState() != State.Running) {
 for (Site2SiteVpnConnectionVO conn : conns) {
- conn.setState(Site2SiteVpnConnection.State.Disconnected);
- _s2sVpnConnectionDao.persist(conn);
+ if (conn.getState() != Site2SiteVpnConnection.State.Error) {
+ conn.setState(Site2SiteVpnConnection.State.Disconnected);
+ _s2sVpnConnectionDao.persist(conn);
+ }
 }
 continue;
 }
diff --git a/server/src/com/cloud/network/router/VpcVirtualNetworkApplianceManagerImpl.java b/server/src/com/cloud/network/router/VpcVirtualNetworkApplianceManagerImpl.java
index c5ad65d2d56..31aade4d4e3 100644
--- a/server/src/com/cloud/network/router/VpcVirtualNetworkApplianceManagerImpl.java
+++ b/server/src/com/cloud/network/router/VpcVirtualNetworkApplianceManagerImpl.java
@@ -1095,10 +1095,12 @@ public class VpcVirtualNetworkApplianceManagerImpl extends VirtualNetworkApplian
 String ipsecPsk = gw.getIpsecPsk();
 String ikePolicy = gw.getIkePolicy();
 String espPolicy = gw.getEspPolicy();
- Long lifetime = gw.getLifetime();
+ Long ikeLifetime = gw.getIkeLifetime();
+ Long espLifetime = gw.getEspLifetime();
+ Boolean dpd = gw.getDpd();
 
 Site2SiteVpnCfgCommand cmd = new Site2SiteVpnCfgCommand(isCreate, localPublicIp, localPublicGateway, localGuestCidr,
- peerGatewayIp, peerGuestCidrList, ikePolicy, espPolicy, lifetime, ipsecPsk);
+ peerGatewayIp, peerGuestCidrList, ikePolicy, espPolicy, ipsecPsk, ikeLifetime, espLifetime, dpd);
 cmd.setAccessDetail(NetworkElementCommand.ROUTER_IP, getRouterControlIp(router.getId()));
 cmd.setAccessDetail(NetworkElementCommand.ROUTER_IP, getRouterControlIp(router.getId()));
 cmd.setAccessDetail(NetworkElementCommand.ROUTER_NAME, router.getInstanceName());
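Review bot: The VirtualNetworkApplianceManagerImpl hunk changes connection-state handling (a connection already in `Error` is no longer moved to `Disconnected` when its router is not running), which has nothing to do with separating the IKE and ESP lifetimes and is not mentioned in the commit message; it should be a separate commit, or at least be described, so the behaviour change can be reviewed and bisected on its own. A one-line comment above the new `if` recording the reason would also help, e.g. `// leave Error in place so a router outage does not hide the original failure` — that is my reading of the intent, so confirm it. The enclosing loop starts outside the hunk.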
diff --git a/server/src/com/cloud/network/vpn/Site2SiteVpnManagerImpl.java b/server/src/com/cloud/network/vpn/Site2SiteVpnManagerImpl.java
index 9fe212baea5..4658c1eb10b 100644
--- a/server/src/com/cloud/network/vpn/Site2SiteVpnManagerImpl.java
+++ b/server/src/com/cloud/network/vpn/Site2SiteVpnManagerImpl.java
@@ -158,14 +158,28 @@ public class Site2SiteVpnManagerImpl implements Site2SiteVpnManager, Manager {
 if (!NetUtils.isValidS2SVpnPolicy(espPolicy)) {
 throw new InvalidParameterValueException("The customer gateway ESP policy " + espPolicy + " is invalid!");
 }
- Long lifetime = cmd.getLifetime();
- if (lifetime == null) {
+ Long ikeLifetime = cmd.getIkeLifetime();
+ if (ikeLifetime == null) {
 // Default value of lifetime is 1 day
- lifetime = (long) 86400;
+ ikeLifetime = (long) 86400;
 }
- if (lifetime > 86400) {
- throw new InvalidParameterValueException("The lifetime " + lifetime + " of vpn connection is invalid!");
+ if (ikeLifetime > 86400) {
+ throw new InvalidParameterValueException("The IKE lifetime " + ikeLifetime + " of vpn connection is invalid!");
 }
+ Long espLifetime = cmd.getEspLifetime();
+ if (espLifetime == null) {
+ // Default value of lifetime is 1 day
+ espLifetime = (long) 3600;
+ }
+ if (espLifetime > 86400) {
+ throw new InvalidParameterValueException("The ESP lifetime " + espLifetime + " of vpn connection is invalid!");
+ }
+
+ Boolean dpd = cmd.getDpd();
+ if (dpd == null) {
+ dpd = false;
+ }
+
 if (_customerGatewayDao.findByGatewayIp(gatewayIp) != null) {
 throw new InvalidParameterValueException("The customer gateway with ip " + gatewayIp + " already existed!");
 }
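Review bot: The comment above `espLifetime = (long) 3600;` still reads "Default value of lifetime is 1 day", copied from the IKE branch, but 3600 seconds is one hour; the same wrong copy appears in the update path (the @@ -347 hunk of this file). More substantively, both checks only reject values above 86400, so `ikelifetime=0` or a negative value is accepted, stored, and reaches ipsectunnel.sh as `ikelifetime=0s`; and the validation now exists four times across create and update, which is how the comment drifted. One helper that applies the default and bounds the value to 1..86400 removes both problems; the call sites become `long ikeLifetime = checkLifetime(cmd.getIkeLifetime(), 86400, "IKE");` and `long espLifetime = checkLifetime(cmd.getEspLifetime(), 3600, "ESP");`. Both enclosing methods start outside their hunks.
```java
    // Applies the default when the API parameter is absent and rejects lifetimes outside 1..86400 seconds.
    private static long checkLifetime(Long value, long defaultSeconds, String label) {
        long lifetime = (value == null) ? defaultSeconds : value;
        if (lifetime <= 0 || lifetime > 86400) {
            throw new InvalidParameterValueException("The " + label + " lifetime " + lifetime + " of vpn connection is invalid!");
        }
        return lifetime;
    }
```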
@@ -173,7 +187,7 @@ public class Site2SiteVpnManagerImpl implements Site2SiteVpnManager, Manager {
 throw new InvalidParameterValueException("The customer gateway with name " + name + " already existed!");
 }
 Site2SiteCustomerGatewayVO gw = new Site2SiteCustomerGatewayVO(name, owner.getAccountId(), owner.getDomainId(), gatewayIp, guestCidrList, ipsecPsk,
- ikePolicy, espPolicy, lifetime);
+ ikePolicy, espPolicy, ikeLifetime, espLifetime, dpd);
 _customerGatewayDao.persist(gw);
 return gw;
 }
@@ -347,20 +361,35 @@ public class Site2SiteVpnManagerImpl implements Site2SiteVpnManager, Manager {
 if (!NetUtils.isValidS2SVpnPolicy(espPolicy)) {
 throw new InvalidParameterValueException("The customer gateway ESP policy" + espPolicy + " is invalid!");
 }
- Long lifetime = cmd.getLifetime();
- if (lifetime == null) {
+ Long ikeLifetime = cmd.getIkeLifetime();
+ if (ikeLifetime == null) {
 // Default value of lifetime is 1 day
- lifetime = (long) 86400;
+ ikeLifetime = (long) 86400;
 }
- if (lifetime > 86400) {
- throw new InvalidParameterValueException("The lifetime " + lifetime + " of vpn connection is invalid!");
+ if (ikeLifetime > 86400) {
+ throw new InvalidParameterValueException("The IKE lifetime " + ikeLifetime + " of vpn connection is invalid!");
+ }
+ Long espLifetime = cmd.getEspLifetime();
+ if (espLifetime == null) {
+ // Default value of lifetime is 1 day
+ espLifetime = (long) 3600;
+ }
+ if (espLifetime > 86400) {
+ throw new InvalidParameterValueException("The ESP lifetime " + espLifetime + " of vpn connection is invalid!");
+ }
+
+ Boolean dpd = cmd.getDpd();
+ if (dpd == null) {
+ dpd = false;
 }
 gw.setGatewayIp(gatewayIp);
 gw.setGuestCidrList(guestCidrList);
 gw.setIkePolicy(ikePolicy);
 gw.setEspPolicy(espPolicy);
 gw.setIpsecPsk(ipsecPsk);
- gw.setLifetime(lifetime);
+ gw.setIkeLifetime(ikeLifetime);
+ gw.setEspLifetime(espLifetime);
+ gw.setDpd(dpd);
 _customerGatewayDao.persist(gw);
 return gw;
 }