diff --git a/patches/systemvm/debian/config/opt/cloud/bin/ipsectunnel.sh b/patches/systemvm/debian/config/opt/cloud/bin/ipsectunnel.sh index 232958c37b5..f3c5baf0108 100755 --- a/patches/systemvm/debian/config/opt/cloud/bin/ipsectunnel.sh +++ b/patches/systemvm/debian/config/opt/cloud/bin/ipsectunnel.sh @@ -12,147 +12,107 @@ #!/usr/bin/env bash source /root/func.sh -#lock="biglock" -#locked=$(getLockFile $lock) -#if [ "$locked" != "1" ] -#then -# exit 1 -#fi +lock="biglock" +locked=$(getLockFile $lock) +if [ "$locked" != "1" ] +then + exit 1 +fi vpnconfdir="/etc/ipsec.d" -vpninmark="10" -vpnoutmark="15" -inIf="eth0" -outIf="eth2" +vpnoutmark="0x525" usage() { - printf "Usage: %s: (-A|-D) -r -R -p -e -E -l -i -I -L -s \n" $(basename $0) >&2 + printf "Usage: %s: (-A|-D) -l -n -g -r -N -e -i -t -s \n" $(basename $0) >&2 } #set -x -get_dev_list() { - ip link show | grep -e eth[2-9] | awk -F ":" '{print $2}' - ip link show | grep -e eth1[0-9] | awk -F ":" '{print $2}' +enable_iptable() { + sudo iptables -A INPUT -i $outIf -p udp -m udp --dport 500 -j ACCEPT + for net in $rightnets + do + sudo iptables -A PREROUTING -t mangle -s $leftnet -d $net -j MARK --set-mark $vpnoutmark + done } -#ip_to_dev() { -# local ip=$1 -# -# for dev in $DEV_LIST; do -# ip addr show dev $dev | grep inet | grep $ip &>> /dev/null -# [ $? -eq 0 ] && echo $dev && return 0 -# done -# return 1 -#} - -get_left_info() { - leftpeer=`ip addr show dev $outIf | grep inet | grep brd | awk '{print $2}' | cut -d'/' -f1` - leftpriv=`ip addr show dev $inIf | grep inet | grep brd | awk '{print $2}' | cut -d'/' -f1` - leftnet=`ip route show | grep $inIf | head -1 | awk '{print $1}'` - leftgw=`ip route show | grep $outIf | grep default | head -1 | awk '{print $3}'` -} - -nonat_chain() { - get_left_info - outIp=$leftpeer - if iptables -L VPN_$outIp -t mangle > /dev/null 2>&1 ; then - VPNCHAIN="1" - else - # Create VPN_outIp chain and push all traffic through it to prevent NAT in the tunnel - sudo iptables -N VPN_$outIp -t mangle - sudo iptables -A FORWARD -t mangle -j VPN_$outIp - sudo iptables -A OUTPUT -t mangle -j VPN_$outIp - # Explicitly trust all ESP / VPN traffic - sudo iptables -A PREROUTING -t mangle -d $outIp -p esp -j MARK --set-mark $vpninmark - sudo iptables -A FORWARD -t filter -i $outIf -m mark --mark $vpninmark -j ACCEPT - sudo iptables -A FORWARD -t filter -i $outIf -m mark --mark $vpnoutmark -j ACCEPT - sudo /etc/init.d/ipsec start - fi +disable_iptable() { + sudo iptables -D INPUT -i $outIf -p udp -m udp --dport 500 -j ACCEPT + for net in $rightnets + do + sudo iptables -D PREROUTING -t mangle -s $leftnet -d $net -j MARK --set-mark $vpnoutmark + done } ipsec_tunnel_del() { - get_left_info + disable_iptable outIp=$leftpeer - local rightpeer=$1 - local rightnet=$2 - local op=$3 local vpnconffile=$vpnconfdir/ipsec.vpn-$rightpeer.conf local vpnsecretsfile=$vpnconfdir/ipsec.vpn-$rightpeer.secrets logger -t cloud "$(basename $0): removing configuration for ipsec tunnel to $rightpeer" sudo rm -f $vpnconffile sudo rm -f $vpnsecretsfile - sudo iptables $op VPN_$outIp -t mangle -o $outIf -d $rightnet -j MARK --set-mark $vpnoutmark } ipsec_tunnel_add() { - get_left_info outIp=$leftpeer - nonat_chain sudo mkdir -p $vpnconfdir - local rightpeer=$1 - local rightpriv=$2 - local rightnet=$3 - local espcrypt=$4 - local esphash=$5 - local salife=$6 - local ikecrypt=$7 - local ikehash=$8 - local ikelife=$9 - local secret=${10} local vpnconffile=$vpnconfdir/ipsec.vpn-$rightpeer.conf local vpnsecretsfile=$vpnconfdir/ipsec.vpn-$rightpeer.secrets logger -t cloud "$(basename $0): creating configuration for ipsec tunnel: left peer=$leftpeer \ - right peer=$rightpeer right network=$rightnet phase1 encryption=$espcrypt phase1 hash=$esphash \ - phase2 encryption=$ikecrypt phase2 hash=$ikehash secret=$secret" + left net=$leftnet left gateway=$leftgw right peer=$rightpeer right network=$rightnets phase1 policy=$ikepolicy \ + phase2 policy=$esppolicy lifetime=$time secret=$secret" - [ "$op" == "-A" ] && ipsec_tunnel_del $rightpeer $rightnet "-D" + [ "$op" == "-A" ] && ipsec_tunnel_del $rightpeer $rightnets "-D" sudo echo "conn vpn-$rightpeer" > $vpnconffile && sudo echo " left=$leftpeer" >> $vpnconffile && sudo echo " leftsubnet=$leftnet" >> $vpnconffile && sudo echo " leftnexthop=$leftgw" >> $vpnconffile && - sudo echo " leftsourceip=$leftpriv" >> $vpnconffile && sudo echo " right=$rightpeer" >> $vpnconffile && - sudo echo " rightsubnets={$rightnet}" >> $vpnconffile && - sudo echo " rightsourceip=$rightpriv" >> $vpnconffile && + sudo echo " rightsubnets={$rightnets}" >> $vpnconffile && sudo echo " type=tunnel" >> $vpnconffile && sudo echo " authby=secret" >> $vpnconffile && sudo echo " keyexchange=ike" >> $vpnconffile && sudo echo " pfs=no" >> $vpnconffile && - sudo echo " esp=$espcrypt;$esphash" >> $vpnconffile && - sudo echo " salifetime=${salife}s" >> $vpnconffile && - sudo echo " ike=$ikecrypt;$ikehash" >> $vpnconffile && - sudo echo " ikelifetime=${ikelife}s" >> $vpnconffile && + sudo echo " esp=$esppolicy" >> $vpnconffile && + sudo echo " salifetime=${time}s" >> $vpnconffile && + sudo echo " ike=$ikepolicy" >> $vpnconffile && + sudo echo " ikelifetime=${time}s" >> $vpnconffile && + sudo echo " keyingtries=3" >> $vpnconffile && + sudo echo " dpddelay=30" >> $vpnconffile && + sudo echo " dpdtimeout=120" >> $vpnconffile && + sudo echo " dpdaction=restart" >> $vpnconffile && sudo echo " auto=start" >> $vpnconffile && - sudo echo "$leftpeer $rightpeer: PSK $secret" > $vpnsecretsfile && - sudo chmod 0400 $vpnsecretsfile && - sudo iptables -A VPN_$outIp -t mangle -o $outIf -d $rightnet -j MARK --set-mark $vpnoutmark && - sudo /etc/init.d/ipsec reload + sudo echo "$leftpeer $rightpeer: PSK \"$secret\"" > $vpnsecretsfile && + + sudo chmod 0400 $vpnsecretsfile + + enable_iptable + + sudo service ipsec restart # Prevent NAT on "marked" VPN traffic sudo iptables -D POSTROUTING -t nat -o $outIf -j SNAT --to-source $outIp sudo iptables -D POSTROUTING -t nat -o $outIf -m mark ! --mark $vpnoutmark -j SNAT --to-source $outIp sudo iptables -A POSTROUTING -t nat -o $outIf -m mark ! --mark $vpnoutmark -j SNAT --to-source $outIp result=$? - logger -t cloud "$(basename $0): done ipsec tunnel entry for right peer=$rightpeer right network=$rightnet" + logger -t cloud "$(basename $0): done ipsec tunnel entry for right peer=$rightpeer right networks=$rightnets" return $result } rflag= -Rflag= pflag= eflag= Eflag= lflag= iflag= Iflag= -Lflag= sflag= op="" -while getopts 'ADr:R:p:e:E:l:i:I:L:s:' OPTION +while getopts 'ADl:n:g:r:N:e:i:t:s:' OPTION do case $OPTION in A) opflag=1 @@ -161,55 +121,63 @@ do D) opflag=2 op="-D" ;; + l) lflag=1 + leftpeer="$OPTARG" + ;; + n) nflag=1 + leftnet="$OPTARG" + ;; + g) gflag=1 + leftgw="$OPTARG" + ;; r) rflag=1 rightpeer="$OPTARG" ;; - R) Rflag=1 - rightpriv="$OPTARG" - ;; - p) pflag=1 - rightnet="$OPTARG" + N) Nflag=1 + rightnets="$OPTARG" ;; e) eflag=1 - espcrypt="$OPTARG" - ;; - E) Eflag=1 - esphash="$OPTARG" - ;; - l) lflag=1 - salife="$OPTARG" + esppolicy="$OPTARG" ;; i) iflag=1 - ikecrypt="$OPTARG" + ikepolicy="$OPTARG" ;; - I) Iflag=1 - ikehash="$OPTARG" - ;; - L) Lflag=1 - ikelife="$OPTARG" + t) tflag=1 + time="$OPTARG" ;; s) sflag=1 secret="$OPTARG" ;; ?) usage -# unlock_exit 2 $lock $locked + unlock_exit 2 $lock $locked ;; esac done -DEV_LIST=$(get_dev_list) -OUTFILE=$(mktemp) +# get interface for public ip +ip link|grep BROADCAST|grep -v eth0|cut -d ":" -f 2 > /tmp/iflist +while read i +do + ip addr show $i|grep "$leftpeer" + if [ $? -eq 0 ] + then + outIf=$i + break + fi +done < /tmp/iflist + +rightnets=${rightnets//,/ } #Firewall ports for one-to-one/static NAT if [ "$opflag" == "1" ] then - ipsec_tunnel_add $rightpeer $rightpriv $rightnet $espcrypt $esphash $salife $ikecrypt $ikehash $ikelife $secret + ipsec_tunnel_add elif [ "$opflag" == "2" ] then - ipsec_tunnel_del $rightpeer $rightnet $op + ipsec_tunnel_del else printf "Invalid action specified, must choose -A or -D to add/del tunnels\n" >&2 -# unlock_exit 5 $lock $locked + unlock_exit 5 $lock $locked fi -#unlock_exit 0 $lock $locked +unlock_exit 0 $lock $locked