S2S VPN: CS-15511: Add PFS support for VPN connection

This commit is contained in:
Sheng Yang 2012-08-02 18:24:59 -07:00
parent 2cca73daef
commit c2250fecf7
3 changed files with 14 additions and 11 deletions


@ -141,7 +141,7 @@ ipsec_tunnel_add() {
sudo echo " ikelifetime=${ikelifetime}s" >> $vpnconffile &&
sudo echo " esp=$esppolicy" >> $vpnconffile &&
sudo echo " salifetime=${esplifetime}s" >> $vpnconffile &&
sudo echo " pfs=no" >> $vpnconffile &&
sudo echo " pfs=$pfs" >> $vpnconffile &&
sudo echo " keyingtries=3" >> $vpnconffile &&
sudo echo " auto=add" >> $vpnconffile &&
sudo echo "$leftpeer $rightpeer: PSK \"$secret\"" > $vpnsecretsfile &&
@ -258,6 +258,12 @@ do
done < /tmp/iflist
rightnets=${rightnets//,/ }
pfs="no"
echo "$esppolicy" | grep "modp" > /dev/null
if [ $? -eq 0 ]
then
pfs="yes"
fi
ret=0
#Firewall ports for one-to-one/static NAT
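Review bot: The PFS detection at `echo "$esppolicy" | grep "modp" > /dev/null` followed by `if [ $? -eq 0 ]` turns PFS on whenever the substring `modp` appears anywhere in the policy string, and the `$?` test is the long form of `grep -q`. The Java validator in this same commit only accepts a group after a `;` separator, so anchoring the match to that separator keeps the two sides consistent: `if echo "$esppolicy" | grep -q ';modp'; then pfs="yes"; fi`. The `pfs` variable is consumed by `ipsec_tunnel_add` in the earlier hunk (`pfs=$pfs`), and that function starts outside the hunk, so the ordering of this assignment relative to the call is not visible here; a one-line comment above `pfs="no"` such as `# read by ipsec_tunnel_add; must be set before it is called` would document the dependency.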


@ -1109,8 +1109,7 @@ public class NetUtils {
if (policy.isEmpty()) {
return false;
}
//String cipherHash = policy.split(";")[0];
String cipherHash = policy;
String cipherHash = policy.split(";")[0];
if (cipherHash.isEmpty()) {
return false;
}
@ -1126,15 +1125,13 @@ public class NetUtils {
if (!hash.matches("md5|sha1")) {
return false;
}
/* Disable pfsGroup support, see CS-15511
String pfsGroup = null;
if (!policy.equals(cipherHash)) {
pfsGroup = policy.split(";")[1];
}
if (pfsGroup != null && !pfsGroup.matches("modp1024|modp1536")) {
if (pfsGroup != null && !pfsGroup.matches("modp1024|modp1536|")) {
return false;
}
*/
}
return true;
}
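Review bot: The trailing `|` added to the regex in `pfsGroup.matches("modp1024|modp1536|")` makes the empty string a valid PFS group, so a policy such as `aes-sha1;;modp1024` passes validation with an empty group; the `pfsGroup != null` guard on the same line already covers the no-group case, so the extra alternative adds nothing but that hole. The restored `policy.split(";")[1]` is also unchecked: `String.split` drops trailing empty strings, so an input like `aes-sha1;` differs from `cipherHash` yet yields only one element, and the index throws `ArrayIndexOutOfBoundsException` instead of returning false. Splitting with a limit of -1 and checking the element count closes both cases, as below. The enclosing loop (closed at the `}` before `return true;`) and the method signature start outside the hunk, and `policy` appears to be one comma-separated element of the full string — confirm against the loop header.
```java
            // … unchanged: cipher and hash checks above …
            String[] parts = policy.split(";", -1); // -1 keeps a trailing empty group so "aes-sha1;" is rejected
            if (parts.length > 2) {
                return false;
            }
            String pfsGroup = parts.length == 2 ? parts[1] : null;
            if (pfsGroup != null && !pfsGroup.matches("modp1024|modp1536")) {
                return false;
            }
```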


@ -50,12 +50,12 @@ public class NetUtilsTest extends TestCase {
}
public void testVpnPolicy() {
assertTrue(NetUtils.isValidS2SVpnPolicy("aes-sha1"));
assertTrue(NetUtils.isValidS2SVpnPolicy("aes128-sha1"));
assertTrue(NetUtils.isValidS2SVpnPolicy("3des-sha1"));
assertTrue(NetUtils.isValidS2SVpnPolicy("3des-sha1,aes-sha1"));
assertFalse(NetUtils.isValidS2SVpnPolicy("des-md5;modp1024"));
assertFalse(NetUtils.isValidS2SVpnPolicy("des-md5;modp1024,aes-sha1;modp1536"));
assertFalse(NetUtils.isValidS2SVpnPolicy("3des-sha1,aes-sha1;modp1536"));
assertTrue(NetUtils.isValidS2SVpnPolicy("3des-sha1,aes256-sha1"));
assertTrue(NetUtils.isValidS2SVpnPolicy("3des-md5;modp1024"));
assertTrue(NetUtils.isValidS2SVpnPolicy("3des-sha1,aes128-sha1;modp1536"));
assertFalse(NetUtils.isValidS2SVpnPolicy("des-md5;modp1024,aes128-sha1;modp1536"));
assertFalse(NetUtils.isValidS2SVpnPolicy("des-sha1"));
assertFalse(NetUtils.isValidS2SVpnPolicy("abc-123,ase-sha1"));
assertFalse(NetUtils.isValidS2SVpnPolicy("de-sh,aes-sha1"));