From 0d22919004c27083252c1d70839d86f699e71428 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marcin=20Matla=CC=A8g?=
Date: Wed, 10 Jan 2018 17:04:10 +0100
Subject: [PATCH 1/8] initial attempt to fix strongswan support for cs4.10+
---
 .../debian/config/opt/cloud/bin/configure.py | 57 +++++++++++--------
 1 file changed, 33 insertions(+), 24 deletions(-)
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/configure.py b/systemvm/patches/debian/config/opt/cloud/bin/configure.py
index a39e10baa29e..4fa41c60ec63 100755
--- a/systemvm/patches/debian/config/opt/cloud/bin/configure.py
+++ b/systemvm/patches/debian/config/opt/cloud/bin/configure.py
@@ -550,30 +550,39 @@ def configure_ipsec(self, obj):
 if rightpeer in self.confips:
 self.confips.remove(rightpeer)
 file = CsFile(vpnconffile)
- file.add("#conn for vpn-%s" % rightpeer, 0)
- file.search("conn ", "conn vpn-%s" % rightpeer)
- file.addeq(" left=%s" % leftpeer)
- file.addeq(" leftsubnet=%s" % obj['local_guest_cidr'])
- file.addeq(" leftnexthop=%s" % obj['local_public_gateway'])
- file.addeq(" right=%s" % rightpeer)
- file.addeq(" rightsubnet=%s" % peerlist)
- file.addeq(" type=tunnel")
- file.addeq(" authby=secret")
- file.addeq(" keyexchange=ike")
- file.addeq(" ike=%s" % ikepolicy)
- file.addeq(" ikelifetime=%s" % self.convert_sec_to_h(obj['ike_lifetime']))
- file.addeq(" esp=%s" % esppolicy)
- file.addeq(" lifetime=%s" % self.convert_sec_to_h(obj['esp_lifetime']))
- file.addeq(" pfs=%s" % pfs)
- file.addeq(" keyingtries=2")
- file.addeq(" auto=start")
- if 'encap' not in obj:
- obj['encap']=False
- file.addeq(" forceencaps=%s" % CsHelper.bool_to_yn(obj['encap']))
- if obj['dpd']:
- file.addeq(" dpddelay=30")
- file.addeq(" dpdtimeout=120")
- file.addeq(" dpdaction=restart")
+ file.repopulate()
+
+ for idx,subnet in peerlist.split(','):
+ if idx==0:
+ file.append("#conn for vpn-%s" % rightpeer, 0)
+ file.append(" left=%s" % leftpeer)
+ file.append(" leftsubnet=%s" % obj['local_guest_cidr'])
+ file.append(" leftnexthop=%s" % obj['local_public_gateway'])
+ file.append(" right=%s" % rightpeer)
+ file.append(" rightsubnet=%s" % peerlist)
+ file.append(" type=tunnel")
+ file.append(" authby=secret")
+ file.append(" keyexchange=ikev1")
+ file.append(" ike=%s" % ikepolicy)
+ file.append(" ikelifetime=%s" % self.convert_sec_to_h(obj['ike_lifetime']))
+ file.append(" esp=%s" % esppolicy)
+ file.append(" lifetime=%s" % self.convert_sec_to_h(obj['esp_lifetime']))
+ file.append(" pfs=%s" % pfs)
+ file.append(" keyingtries=2")
+ file.append(" auto=start")
+ if 'encap' not in obj:
+ obj['encap']=False
+ file.append(" forceencaps=%s" %
CsHelper.bool_to_yn(obj['encap']))
+ if obj['dpd']:
+ file.append(" dpddelay=30")
+ file.append(" dpdtimeout=120")
+ file.append(" dpdaction=restart")
+ else:
+ file.append("conn ", "conn vpn-%s-%d" % (rightpeer,idx))
+ file.append(" also=conn vpn-%s" % rightpeer)
+ file.append(" rightsubnet=%s" % subnet)
+
+
 secret = CsFile(vpnsecretsfile)
 secret.search("%s " % leftpeer, "%s %s : PSK \"%s\"" % (leftpeer, rightpeer, obj['ipsec_psk']))
 if secret.is_changed() or file.is_changed():
From 19ceea385c139b7703dbd456678e771960902702 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marcin=20Matla=CC=A8g?=
Date: Wed, 10 Jan 2018 23:07:41 +0100
Subject: [PATCH 2/8] changed rightsubnet=%s" % peerlist to rightsubnet=%s" % subnet
---
 systemvm/patches/debian/config/opt/cloud/bin/configure.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/configure.py b/systemvm/patches/debian/config/opt/cloud/bin/configure.py
index 4fa41c60ec63..9b6d091e73d2 100755
--- a/systemvm/patches/debian/config/opt/cloud/bin/configure.py
+++ b/systemvm/patches/debian/config/opt/cloud/bin/configure.py
@@ -559,7 +559,7 @@ def configure_ipsec(self, obj):
 file.append(" leftsubnet=%s" % obj['local_guest_cidr'])
 file.append(" leftnexthop=%s" % obj['local_public_gateway'])
 file.append(" right=%s" % rightpeer)
- file.append(" rightsubnet=%s" % peerlist)
+ file.append(" rightsubnet=%s" % subnet)
 file.append(" type=tunnel")
 file.append(" authby=secret")
 file.append(" keyexchange=ikev1")
From 32b60295f5fc52c6c195e71ad2f0f34936608a58 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marcin=20Matla=CC=A8g?=
Date: Thu, 11 Jan 2018 08:55:30 +0100
Subject: [PATCH 3/8] fixed split
---
 systemvm/patches/debian/config/opt/cloud/bin/configure.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/configure.py b/systemvm/patches/debian/config/opt/cloud/bin/configure.py
index 9b6d091e73d2..441aee94ba27 100755
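Review bot: The new per-subnet loop trusts `peerlist` exactly as received: `''.split(',')` yields `['']` and a stray trailing comma yields an empty last entry, so an empty `rightsubnet=` line (or, for later entries, a secondary conn with no subnet) is written into the ipsec conf, which strongSwan will presumably refuse to load. Unless `peerlist` is already normalised where it is built (outside this hunk), iterate over a cleaned list, e.g. `subnets = [s.strip() for s in peerlist.split(',') if s.strip()]`, and skip writing the conn when nothing remains rather than emitting a broken section. `configure_ipsec` starts above this hunk, so where `peerlist` comes from and what `file.repopulate()` does to any existing content are not visible here.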
--- a/systemvm/patches/debian/config/opt/cloud/bin/configure.py
+++ b/systemvm/patches/debian/config/opt/cloud/bin/configure.py
@@ -19,6 +19,7 @@
 import sys
 import os
 import base64
+import string
 from merge import DataBag
 from pprint import pprint
@@ -552,7 +553,7 @@ def configure_ipsec(self, obj):
 file = CsFile(vpnconffile)
 file.repopulate()
- for idx,subnet in peerlist.split(','):
+ for idx,subnet in string.split (peerlist, ','):
 if idx==0:
 file.append("#conn for vpn-%s" % rightpeer, 0)
 file.append(" left=%s" % leftpeer)
From 5a081f43932e938161882b46d923e6cd9cbe981d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marcin=20Matla=CC=A8g?=
Date: Thu, 11 Jan 2018 10:15:43 +0100
Subject: [PATCH 4/8] Revert "fixed split"
This reverts commit 32b60295f5fc52c6c195e71ad2f0f34936608a58.
---
 systemvm/patches/debian/config/opt/cloud/bin/configure.py | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/configure.py b/systemvm/patches/debian/config/opt/cloud/bin/configure.py
index 441aee94ba27..9b6d091e73d2 100755
--- a/systemvm/patches/debian/config/opt/cloud/bin/configure.py
+++ b/systemvm/patches/debian/config/opt/cloud/bin/configure.py
@@ -19,7 +19,6 @@
 import sys
 import os
 import base64
-import string
 from merge import DataBag
 from pprint import pprint
@@ -553,7 +552,7 @@ def configure_ipsec(self, obj):
 file = CsFile(vpnconffile)
 file.repopulate()
- for idx,subnet in string.split (peerlist, ','):
+ for idx,subnet in peerlist.split(','):
 if idx==0:
 file.append("#conn for vpn-%s" % rightpeer, 0)
 file.append(" left=%s" % leftpeer)
From c061ece630687ef67dd523d99faa7aaa7130a1c9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marcin=20Matla=CC=A8g?=
Date: Thu, 11 Jan 2018 10:16:21 +0100
Subject: [PATCH 5/8] fixed cidr split enumeration
---
 systemvm/patches/debian/config/opt/cloud/bin/configure.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/configure.py b/systemvm/patches/debian/config/opt/cloud/bin/configure.py
index 9b6d091e73d2..cd21f85580d5 100755
--- a/systemvm/patches/debian/config/opt/cloud/bin/configure.py
+++ b/systemvm/patches/debian/config/opt/cloud/bin/configure.py
@@ -552,7 +552,7 @@ def configure_ipsec(self, obj):
 file = CsFile(vpnconffile)
 file.repopulate()
- for idx,subnet in peerlist.split(','):
+ for idx,subnet in enumerate(peerlist.split(',')):
 if idx==0:
 file.append("#conn for vpn-%s" % rightpeer, 0)
 file.append(" left=%s" % leftpeer)
From 0eb504d0b076dd45db3b51f7441302a7e2770366 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marcin=20Matla=CC=A8g?=
Date: Thu, 11 Jan 2018 10:21:04 +0100
Subject: [PATCH 6/8] fixed mixing conn line
---
 systemvm/patches/debian/config/opt/cloud/bin/configure.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/configure.py b/systemvm/patches/debian/config/opt/cloud/bin/configure.py
index cd21f85580d5..e50580621902 100755
--- a/systemvm/patches/debian/config/opt/cloud/bin/configure.py
+++ b/systemvm/patches/debian/config/opt/cloud/bin/configure.py
@@ -554,7 +554,8 @@ def configure_ipsec(self, obj):
 for idx,subnet in enumerate(peerlist.split(',')):
 if idx==0:
- file.append("#conn for vpn-%s" % rightpeer, 0)
+ file.append("#conn for vpn-%s" % rightpeer)
+ file.append("conn vpn-%s" % rightpeer)
 file.append(" left=%s" % leftpeer)
 file.append(" leftsubnet=%s" % obj['local_guest_cidr'])
 file.append(" leftnexthop=%s" % obj['local_public_gateway'])
@@ -578,7 +579,8 @@ def configure_ipsec(self, obj):
 file.append(" dpdtimeout=120")
 file.append(" dpdaction=restart")
 else:
- file.append("conn ", "conn vpn-%s-%d" % (rightpeer,idx))
+ file.append("")
+ file.append("conn vpn-%s-%d" % (rightpeer,idx))
 file.append(" also=conn vpn-%s" % rightpeer)
 file.append(" rightsubnet=%s" % subnet)
From f2d251d8edd5be5a8c23a1a55fd3602c1d51fd9a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marcin=20Matla=CC=A8g?=
Date: Thu, 11 Jan 2018 10:34:36 +0100
Subject: [PATCH 7/8] fixed broken also line
---
 systemvm/patches/debian/config/opt/cloud/bin/configure.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/configure.py b/systemvm/patches/debian/config/opt/cloud/bin/configure.py
index e50580621902..08257f36736c 100755
--- a/systemvm/patches/debian/config/opt/cloud/bin/configure.py
+++ b/systemvm/patches/debian/config/opt/cloud/bin/configure.py
@@ -581,7 +581,7 @@ def configure_ipsec(self, obj):
 else:
 file.append("")
 file.append("conn vpn-%s-%d" % (rightpeer,idx))
- file.append(" also=conn vpn-%s" % rightpeer)
+ file.append(" also=vpn-%s" % rightpeer)
 file.append(" rightsubnet=%s" % subnet)
From a599d8057a616149490b0590d7dfbb5746883b58 Mon Sep 17 00:00:00 2001
From: w4rri0r3k
Date: Mon, 26 Mar 2018 20:03:33 +0200
Subject: [PATCH 8/8] Update configure.py
---
 systemvm/patches/debian/config/opt/cloud/bin/configure.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/configure.py b/systemvm/patches/debian/config/opt/cloud/bin/configure.py
index 08257f36736c..ade4cc8ab376 100755
--- a/systemvm/patches/debian/config/opt/cloud/bin/configure.py
+++ b/systemvm/patches/debian/config/opt/cloud/bin/configure.py
@@ -563,14 +563,14 @@ def configure_ipsec(self, obj):
 file.append(" rightsubnet=%s" % subnet)
 file.append(" type=tunnel")
 file.append(" authby=secret")
- file.append(" keyexchange=ikev1")
+ file.append(" keyexchange=ike")
 file.append(" ike=%s" % ikepolicy)
 file.append(" ikelifetime=%s" % self.convert_sec_to_h(obj['ike_lifetime']))
 file.append(" esp=%s" % esppolicy)
 file.append(" lifetime=%s" % self.convert_sec_to_h(obj['esp_lifetime']))
 file.append(" pfs=%s" % pfs)
 file.append(" keyingtries=2")
- file.append(" auto=start")
+ file.append(" auto=route")
 if 'encap' not in obj:
 obj['encap']=False
 file.append(" forceencaps=%s" % CsHelper.bool_to_yn(obj['encap']))
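Review bot: Switching `keyexchange=ikev1` back to `keyexchange=ike` and `auto=start` to `auto=route` changes both negotiation and tunnel lifecycle, and neither the commit message ("Update configure.py") nor a code comment says why. If I read the strongSwan 5.x ipsec.conf semantics right, `ike` initiates with IKEv2 and only accepts IKEv1 as responder, so an IKEv1-only peer that the earlier `ikev1` setting (and the one-rightsubnet-per-conn `also=` split it motivated) was written for may no longer come up from this side. `auto=route` additionally installs a trap policy and brings the tunnel up on first matching traffic instead of at start, which any status check expecting an established SA right after reload would see as down. Please either keep `ikev1` where IKEv1 peers must be supported or document the intent next to these two lines, e.g. `# keyexchange=ike: initiate IKEv2, accept IKEv1 as responder; auto=route: trap policy, tunnel comes up on first traffic`. `configure_ipsec` starts and ends outside this hunk.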