Posted to commits@cloudstack.apache.org by ra...@apache.org on 2017/02/14 12:29:44 UTC
[1/2] git commit: updated refs/heads/master to 13bfdd7
Repository: cloudstack
Updated Branches:
refs/heads/master 2aeca0d34 -> 13bfdd71e
complete implementation of the StrongSwan VPN feature
Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/f045d65b
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/f045d65b
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/f045d65b
Branch: refs/heads/master
Commit: f045d65b90b9b241968d8e7d574bf4e404397a4a
Parents: 17787a1
Author: Will Stevens <wi...@gmail.com>
Authored: Mon Jan 16 13:34:11 2017 -0500
Committer: Will Stevens <wi...@gmail.com>
Committed: Thu Feb 2 16:18:06 2017 -0500
----------------------------------------------------------------------
.../network/vpn/Site2SiteVpnManagerImpl.java | 18 +--
.../patches/debian/config/etc/logrotate.conf | 5 +-
.../debian/config/opt/cloud/bin/checks2svpn.sh | 13 +-
.../debian/config/opt/cloud/bin/configure.py | 61 +++++-----
.../debian/config/opt/cloud/bin/cs_ip.py | 16 +--
systemvm/patches/debian/vpn/etc/ipsec.conf | 8 +-
.../patches/debian/vpn/etc/ipsec.d/l2tp.conf | 9 +-
systemvm/patches/debian/vpn/etc/ipsec.secrets | 2 +-
test/integration/component/maint/test_vpc.py | 2 +-
test/integration/component/test_vpc.py | 2 +-
.../configure_systemvm_services.sh | 6 +
.../install_systemvm_packages.sh | 4 +-
ui/scripts/network.js | 121 ++++++++++++++-----
.../main/java/com/cloud/utils/net/NetUtils.java | 16 ++-
.../java/com/cloud/utils/net/NetUtilsTest.java | 31 +++--
15 files changed, 200 insertions(+), 114 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/f045d65b/server/src/com/cloud/network/vpn/Site2SiteVpnManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/vpn/Site2SiteVpnManagerImpl.java b/server/src/com/cloud/network/vpn/Site2SiteVpnManagerImpl.java
index 3746526..4ca0328 100644
--- a/server/src/com/cloud/network/vpn/Site2SiteVpnManagerImpl.java
+++ b/server/src/com/cloud/network/vpn/Site2SiteVpnManagerImpl.java
@@ -190,10 +190,10 @@ public class Site2SiteVpnManagerImpl extends ManagerBase implements Site2SiteVpn
String ipsecPsk = cmd.getIpsecPsk();
String ikePolicy = cmd.getIkePolicy();
String espPolicy = cmd.getEspPolicy();
- if (!NetUtils.isValidS2SVpnPolicy(ikePolicy)) {
- throw new InvalidParameterValueException("The customer gateway IKE policy " + ikePolicy + " is invalid!");
+ if (!NetUtils.isValidS2SVpnPolicy("ike", ikePolicy)) {
+ throw new InvalidParameterValueException("The customer gateway IKE policy " + ikePolicy + " is invalid! Verify the required Diffie Hellman (DH) group is specified.");
}
- if (!NetUtils.isValidS2SVpnPolicy(espPolicy)) {
+ if (!NetUtils.isValidS2SVpnPolicy("esp", espPolicy)) {
throw new InvalidParameterValueException("The customer gateway ESP policy " + espPolicy + " is invalid!");
}
Long ikeLifetime = cmd.getIkeLifetime();
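Review bot: The policy type is passed as the bare literals `"ike"` and `"esp"` here and again in the hunk at line 444, and NetUtils distinguishes them by string comparison only; a misspelt literal in a future caller would be validated under the looser ESP rules rather than rejected. Consider `public static final String` constants (or an enum) on NetUtils and referencing them from both call sites. The enclosing method begins before and continues after this hunk.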
@@ -444,10 +444,10 @@ public class Site2SiteVpnManagerImpl extends ManagerBase implements Site2SiteVpn
String ipsecPsk = cmd.getIpsecPsk();
String ikePolicy = cmd.getIkePolicy();
String espPolicy = cmd.getEspPolicy();
- if (!NetUtils.isValidS2SVpnPolicy(ikePolicy)) {
- throw new InvalidParameterValueException("The customer gateway IKE policy" + ikePolicy + " is invalid!");
+ if (!NetUtils.isValidS2SVpnPolicy("ike", ikePolicy)) {
+ throw new InvalidParameterValueException("The customer gateway IKE policy" + ikePolicy + " is invalid! Verify the required Diffie Hellman (DH) group is specified.");
}
- if (!NetUtils.isValidS2SVpnPolicy(espPolicy)) {
+ if (!NetUtils.isValidS2SVpnPolicy("esp", espPolicy)) {
throw new InvalidParameterValueException("The customer gateway ESP policy" + espPolicy + " is invalid!");
}
Long ikeLifetime = cmd.getIkeLifetime();
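Review bot: The rewritten IKE message on line 64 still lacks a space between `policy` and the value, so the exception reads `...IKE policy3des-md5 is invalid!`, while the parallel message in the hunk at line 190 has the space. Change it to `"The customer gateway IKE policy " + ikePolicy + " is invalid! Verify the required Diffie Hellman (DH) group is specified."`. The ESP message on the context line below has the same defect but is not touched by this commit. The enclosing method starts and ends outside the hunk.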
@@ -517,7 +517,7 @@ public class Site2SiteVpnManagerImpl extends ManagerBase implements Site2SiteVpn
_accountMgr.checkAccess(caller, null, false, conn);
- if (conn.getState() == State.Connected) {
+ if (conn.getState() != State.Pending) {
stopVpnConnection(id);
}
_vpnConnectionDao.remove(id);
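Review bot: `stopVpnConnection(id)` is now invoked for every state except Pending, including Disconnected and Error, where no tunnel is up; whether stopVpnConnection tolerates that is not visible here, so either confirm it is idempotent or narrow the guard to `conn.getState() == State.Connected || conn.getState() == State.Error`. The disconnect hunk below (line 531) relaxes its precondition the same way and deserves the same check. The enclosing method starts and ends outside this hunk.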
@@ -531,8 +531,8 @@ public class Site2SiteVpnManagerImpl extends ManagerBase implements Site2SiteVpn
throw new CloudRuntimeException("Unable to acquire lock on " + conn);
}
try {
- if (conn.getState() != State.Connected && conn.getState() != State.Error) {
- throw new InvalidParameterValueException("Site to site VPN connection with specified id is not in correct state(connected) to process disconnect!");
+ if (conn.getState() == State.Pending) {
+ throw new InvalidParameterValueException("Site to site VPN connection with specified id is currently Pending, unable to Disconnect!");
}
conn.setState(State.Disconnected);
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/f045d65b/systemvm/patches/debian/config/etc/logrotate.conf
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/etc/logrotate.conf b/systemvm/patches/debian/config/etc/logrotate.conf
index 6b5fcc6..a44abf9 100644
--- a/systemvm/patches/debian/config/etc/logrotate.conf
+++ b/systemvm/patches/debian/config/etc/logrotate.conf
@@ -1,13 +1,14 @@
# rotate log files daily
daily
-# keep 5 days worth
-rotate 5
+# keep 3 days worth
+rotate 3
# create new (empty) log files after rotating old ones
create
# use date as a suffix of the rotated file
#dateext
# max size 50M
size 50M
+compress
# RPM packages drop log rotation information into this directory
include /etc/logrotate.d
# no packages own wtmp and btmp -- we'll rotate them here
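Review bot: Retention drops from 5 to 3 days on `rotate 3`, which shortens the window available for investigating a VPN or router incident from the system VM's own logs; the new `compress` line suggests disk pressure was the motive, but the comment only restates the number. Record the reason next to the change, e.g. `# keep 3 days worth (reduced from 5; rotated files are now compressed)`, so the trade-off is visible to whoever tunes this next.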
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/f045d65b/systemvm/patches/debian/config/opt/cloud/bin/checks2svpn.sh
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/checks2svpn.sh b/systemvm/patches/debian/config/opt/cloud/bin/checks2svpn.sh
index 59ab426..a78ec88 100755
--- a/systemvm/patches/debian/config/opt/cloud/bin/checks2svpn.sh
+++ b/systemvm/patches/debian/config/opt/cloud/bin/checks2svpn.sh
@@ -22,18 +22,9 @@ then
exit 1
fi
-ipsec auto --status | grep vpn-$1 > /tmp/vpn-$1.status
+ipsec status vpn-$1 > /tmp/vpn-$1.status
-cat /tmp/vpn-$1.status | grep "ISAKMP SA established" > /dev/null
-isakmpok=$?
-if [ $isakmpok -ne 0 ]
-then
- echo -n "ISAKMP SA NOT found but checking IPsec;"
-else
- echo -n "ISAKMP SA found;"
-fi
-
-cat /tmp/vpn-$1.status | grep "IPsec SA established" > /dev/null
+cat /tmp/vpn-$1.status | grep "ESTABLISHED" > /dev/null
ipsecok=$?
if [ $ipsecok -ne 0 ]
then
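Review bot: The new `grep "ESTABLISHED"` on the status output only confirms the IKE SA; strongSwan's `ipsec status` reports an installed CHILD_SA with a different keyword (`INSTALLED`), so the script no longer distinguishes IKE from IPsec SA state the way the removed ISAKMP/IPsec checks did — confirm that is intended before the message after this hunk reports IPsec SA status. Separately, the rewritten redirect still writes to the fixed path `/tmp/vpn-$1.status` with `$1` unquoted; piping directly, `ipsec status "vpn-$1" | grep -q ESTABLISHED`, avoids both the predictable world-writable temp file and the useless `cat`. The script continues past the end of the hunk.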
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/f045d65b/systemvm/patches/debian/config/opt/cloud/bin/configure.py
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/configure.py b/systemvm/patches/debian/config/opt/cloud/bin/configure.py
index 5a2a9ed..b8f38e9 100755
--- a/systemvm/patches/debian/config/opt/cloud/bin/configure.py
+++ b/systemvm/patches/debian/config/opt/cloud/bin/configure.py
@@ -471,13 +471,13 @@ class CsSite2SiteVpn(CsDataBag):
def deletevpn(self, ip):
logging.info("Removing VPN configuration for %s", ip)
- CsHelper.execute("ipsec auto --down vpn-%s" % ip)
- CsHelper.execute("ipsec auto --delete vpn-%s" % ip)
+ CsHelper.execute("ipsec down vpn-%s" % ip)
+ CsHelper.execute("ipsec down vpn-%s" % ip)
vpnconffile = "%s/ipsec.vpn-%s.conf" % (self.VPNCONFDIR, ip)
vpnsecretsfile = "%s/ipsec.vpn-%s.secrets" % (self.VPNCONFDIR, ip)
os.remove(vpnconffile)
os.remove(vpnsecretsfile)
- CsHelper.execute("ipsec auto --rereadall")
+ CsHelper.execute("ipsec reload")
def configure_iptables(self, dev, obj):
self.fw.append(["", "front", "-A INPUT -i %s -p udp -m udp --dport 500 -s %s -d %s -j ACCEPT" % (dev, obj['peer_gateway_ip'], obj['local_public_ip'])])
@@ -497,49 +497,56 @@ class CsSite2SiteVpn(CsDataBag):
def configure_ipsec(self, obj):
leftpeer = obj['local_public_ip']
rightpeer = obj['peer_gateway_ip']
- peerlist = obj['peer_guest_cidr_list'].lstrip().rstrip().replace(',', ' ')
+ peerlist = obj['peer_guest_cidr_list'].replace(' ', '')
vpnconffile = "%s/ipsec.vpn-%s.conf" % (self.VPNCONFDIR, rightpeer)
vpnsecretsfile = "%s/ipsec.vpn-%s.secrets" % (self.VPNCONFDIR, rightpeer)
+ ikepolicy=obj['ike_policy'].replace(';','-')
+ esppolicy=obj['esp_policy'].replace(';','-')
+
+ pfs='no'
+ if 'modp' in esppolicy:
+ pfs='yes'
+
if rightpeer in self.confips:
self.confips.remove(rightpeer)
file = CsFile(vpnconffile)
+ file.add("#conn for vpn-%s" % rightpeer, 0)
file.search("conn ", "conn vpn-%s" % rightpeer)
file.addeq(" left=%s" % leftpeer)
file.addeq(" leftsubnet=%s" % obj['local_guest_cidr'])
file.addeq(" leftnexthop=%s" % obj['local_public_gateway'])
file.addeq(" right=%s" % rightpeer)
- file.addeq(" rightsubnets={%s}" % peerlist)
+ file.addeq(" rightsubnet=%s" % peerlist)
file.addeq(" type=tunnel")
file.addeq(" authby=secret")
file.addeq(" keyexchange=ike")
- file.addeq(" ike=%s" % obj['ike_policy'])
+ file.addeq(" ike=%s" % ikepolicy)
file.addeq(" ikelifetime=%s" % self.convert_sec_to_h(obj['ike_lifetime']))
- file.addeq(" esp=%s" % obj['esp_policy'])
- file.addeq(" salifetime=%s" % self.convert_sec_to_h(obj['esp_lifetime']))
- if "modp" in obj['esp_policy']:
- file.addeq(" pfs=yes")
- else:
- file.addeq(" pfs=no")
+ file.addeq(" esp=%s" % esppolicy)
+ file.addeq(" lifetime=%s" % self.convert_sec_to_h(obj['esp_lifetime']))
+ file.addeq(" pfs=%s" % pfs)
file.addeq(" keyingtries=2")
file.addeq(" auto=start")
if 'encap' not in obj:
obj['encap']=False
file.addeq(" forceencaps=%s" % CsHelper.bool_to_yn(obj['encap']))
if obj['dpd']:
- file.addeq(" dpddelay=30")
- file.addeq(" dpdtimeout=120")
- file.addeq(" dpdaction=restart")
+ file.addeq(" dpddelay=30")
+ file.addeq(" dpdtimeout=120")
+ file.addeq(" dpdaction=restart")
secret = CsFile(vpnsecretsfile)
- secret.search("%s " % leftpeer, "%s %s: PSK \"%s\"" % (leftpeer, rightpeer, obj['ipsec_psk']))
+ secret.search("%s " % leftpeer, "%s %s : PSK \"%s\"" % (leftpeer, rightpeer, obj['ipsec_psk']))
if secret.is_changed() or file.is_changed():
secret.commit()
file.commit()
logging.info("Configured vpn %s %s", leftpeer, rightpeer)
- CsHelper.execute("ipsec auto --rereadall")
- CsHelper.execute("ipsec auto --add vpn-%s" % rightpeer)
- if not obj['passive']:
- CsHelper.execute("ipsec auto --up vpn-%s" % rightpeer)
- os.chmod(vpnsecretsfile, 0o400)
+ CsHelper.execute("ipsec rereadsecrets")
+
+ CsHelper.execute("ipsec reload")
+ if not obj['passive']:
+ CsHelper.execute("sudo nohup ipsec down vpn-%s" % rightpeer)
+ CsHelper.execute("sudo nohup ipsec up vpn-%s &" % rightpeer)
+ os.chmod(vpnsecretsfile, 0400)
def convert_sec_to_h(self, val):
hrs = int(val) / 3600
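Review bot: `os.chmod(vpnsecretsfile, 0400)` replaces the original `0o400`; the `0400` form is Python 2-only syntax (a SyntaxError under Python 3), so the change is a portability regression with no functional gain — restore `0o400`. As far as the flattened indentation shows, the mode is tightened only after the secrets file has been committed and `ipsec rereadsecrets`/`reload` have run, so the PSK sits on disk with umask-default permissions for that window; if `CsFile.commit()` (not visible here) does not set a restrictive mode itself, move the chmod directly after `secret.commit()`. The `sudo nohup ipsec up vpn-%s &` line fires and forgets, so a failed initiation is never logged by this function. `convert_sec_to_h` starts inside the hunk but continues past it.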
@@ -628,25 +635,25 @@ class CsRemoteAccessVpn(CsDataBag):
logging.debug("Remote accessvpn data bag %s", self.dbag)
self.remoteaccessvpn_iptables(public_ip, self.dbag[public_ip])
- CsHelper.execute("ipsec auto --rereadall")
+ CsHelper.execute("ipsec down L2TP-PSK")
+ CsHelper.execute("ipsec update")
CsHelper.execute("service xl2tpd stop")
CsHelper.execute("service xl2tpd start")
- CsHelper.execute("ipsec auto --rereadsecrets")
- CsHelper.execute("ipsec auto --replace L2TP-PSK")
+ CsHelper.execute("ipsec rereadsecrets")
else:
logging.debug("Disabling remote access vpn .....")
#disable remote access vpn
- CsHelper.execute("ipsec auto --down L2TP-PSK")
+ CsHelper.execute("ipsec down L2TP-PSK")
CsHelper.execute("service xl2tpd stop")
def configure_l2tpIpsec(self, left, obj):
- vpnconffile="%s/l2tp.conf" % (self.VPNCONFDIR)
+ l2tpconffile="%s/l2tp.conf" % (self.VPNCONFDIR)
vpnsecretfilte="%s/ipsec.any.secrets" % (self.VPNCONFDIR)
xl2tpdconffile="/etc/xl2tpd/xl2tpd.conf"
xl2tpoptionsfile='/etc/ppp/options.xl2tpd'
- file = CsFile(vpnconffile)
+ file = CsFile(l2tpconffile)
localip=obj['local_ip']
localcidr=obj['local_cidr']
publicIface=obj['public_interface']
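Review bot: The rename to `l2tpconffile` on lines 250 and 255 leaves the adjacent misspelt `vpnsecretfilte` untouched, so the hunk fixes one local name and walks past another; rename it `vpnsecretsfile` in the same pass for consistency with `CsSite2SiteVpn`. The enable path now does `ipsec down L2TP-PSK` followed by `ipsec update`, which relies on the conn's `auto=add` in l2tp.conf to be reloaded; a one-line comment would make that explicit, since the removed `--replace` said so itself. The enclosing methods start and end outside the hunk.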
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/f045d65b/systemvm/patches/debian/config/opt/cloud/bin/cs_ip.py
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/cs_ip.py b/systemvm/patches/debian/config/opt/cloud/bin/cs_ip.py
index 1ce78f9..5b980ef 100755
--- a/systemvm/patches/debian/config/opt/cloud/bin/cs_ip.py
+++ b/systemvm/patches/debian/config/opt/cloud/bin/cs_ip.py
@@ -15,21 +15,20 @@
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
-from pprint import pprint
-from netaddr import *
+from netaddr import *
def merge(dbag, ip):
- added = False
nic_dev_id = None
+ index = -1 # a non-valid array index
for dev in dbag:
if dev == "id":
continue
- for address in dbag[dev]:
+ for i, address in enumerate(dbag[dev]):
if address['public_ip'] == ip['public_ip']:
if 'nic_dev_id' in address:
nic_dev_id = address['nic_dev_id']
- dbag[dev].remove(address)
+ index = i
ipo = IPNetwork(ip['public_ip'] + '/' + ip['netmask'])
if 'nic_dev_id' in ip:
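Review bot: `index = i` records the position of the matching address but not which device list it came from, while the second hunk writes it back with `dbag[ip['device']][index] = ip`; when the existing entry lives under a different device key than `ip['device']`, or that list is shorter than `index`, this overwrites an unrelated address or raises IndexError, which the removed `dbag[dev].remove(address)` could not do. Capture the device too, e.g. `found_dev = dev` next to `index = i`, and in the second hunk update `dbag[found_dev][index]` (or delete from `found_dev` and append under `ip['device']`) when the two differ. `merge` continues past the end of this hunk.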
@@ -44,8 +43,11 @@ def merge(dbag, ip):
else:
ip['nw_type'] = ip['nw_type'].lower()
if ip['nw_type'] == 'control':
- dbag['eth' + str(nic_dev_id)] = [ip]
+ dbag[ip['device']] = [ip]
else:
- dbag.setdefault('eth' + str(nic_dev_id), []).append(ip)
+ if index != -1:
+ dbag[ip['device']][index] = ip
+ else:
+ dbag.setdefault(ip['device'], []).append(ip)
return dbag
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/f045d65b/systemvm/patches/debian/vpn/etc/ipsec.conf
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/vpn/etc/ipsec.conf b/systemvm/patches/debian/vpn/etc/ipsec.conf
index dc363b3..344d0c3 100644
--- a/systemvm/patches/debian/vpn/etc/ipsec.conf
+++ b/systemvm/patches/debian/vpn/etc/ipsec.conf
@@ -1,9 +1,5 @@
-# Manual: ipsec.conf.5
-version 2.0
+# ipsec.conf - strongSwan IPsec configuration file
config setup
- nat_traversal=yes
- virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
- protostack=auto
-
+
include /etc/ipsec.d/*.conf
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/f045d65b/systemvm/patches/debian/vpn/etc/ipsec.d/l2tp.conf
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/vpn/etc/ipsec.d/l2tp.conf b/systemvm/patches/debian/vpn/etc/ipsec.d/l2tp.conf
index 7459e25..1cbfe78 100644
--- a/systemvm/patches/debian/vpn/etc/ipsec.d/l2tp.conf
+++ b/systemvm/patches/debian/vpn/etc/ipsec.d/l2tp.conf
@@ -1,8 +1,14 @@
+#ipsec remote access vpn configuration
conn L2TP-PSK
- authby=secret
+ authby=psk
pfs=no
rekey=no
keyingtries=3
+ keyexchange=ikev1
+ forceencaps=yes
+ leftfirewall=yes
+ leftnexthop=%defaultroute
+ type=transport
#
# ----------------------------------------------------------
# The VPN server.
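Review bot: `leftfirewall=yes` makes strongSwan's updown script insert its own iptables rules for the L2TP-PSK conn, on a router whose firewall is otherwise generated from configure.py (`self.fw.append(...)` in the configure.py hunks); the two rule sets can interact when the router rewrites its rules, so confirm that is intended or document it, e.g. `# updown script manages pass rules for this conn; the rest come from configure.py`. The remaining additions (`authby=psk`, `keyexchange=ikev1`, `forceencaps=yes`, `type=transport`) are the usual L2TP/IPsec settings.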
@@ -30,4 +36,5 @@ conn L2TP-PSK
# ----------------------------------------------------------
# Change 'ignore' to 'add' to enable this configuration.
#
+ rightsubnetwithin=0.0.0.0/0
auto=add
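Review bot: `rightsubnetwithin` is an openswan-era option; strongSwan 5.x documents it as deprecated in favour of `rightsubnet`, so check that the installed version still honours it rather than ignoring it, and prefer `rightsubnet=0.0.0.0/0` with a comment stating why it is needed for transport-mode L2TP clients. If the option is silently ignored the conn still loads, which makes the regression easy to miss in testing.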
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/f045d65b/systemvm/patches/debian/vpn/etc/ipsec.secrets
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/vpn/etc/ipsec.secrets b/systemvm/patches/debian/vpn/etc/ipsec.secrets
index d9a9a43..0e4715c 100644
--- a/systemvm/patches/debian/vpn/etc/ipsec.secrets
+++ b/systemvm/patches/debian/vpn/etc/ipsec.secrets
@@ -1,2 +1,2 @@
-include /var/lib/openswan/ipsec.secrets.inc
+include /var/lib/strongswan/ipsec.conf.inc
include /etc/ipsec.d/ipsec.*.secrets
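Review bot: The new include pulls `/var/lib/strongswan/ipsec.conf.inc` into the secrets file; on Debian the strongswan package maintains a separate `/var/lib/strongswan/ipsec.secrets.inc` for secrets, and `ipsec.conf.inc` is the configuration include that belongs in ipsec.conf. Unless the appliance provisions a file by this exact name, the line is either a typo for `include /var/lib/strongswan/ipsec.secrets.inc` or a no-op; confirm which and fix or document it.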
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/f045d65b/test/integration/component/maint/test_vpc.py
----------------------------------------------------------------------
diff --git a/test/integration/component/maint/test_vpc.py b/test/integration/component/maint/test_vpc.py
index 5973f85..8a4447f 100644
--- a/test/integration/component/maint/test_vpc.py
+++ b/test/integration/component/maint/test_vpc.py
@@ -177,7 +177,7 @@ class Services:
},
"vpn_customer_gw": {
"ipsecpsk": "s2svpn",
- "ikepolicy": "3des-md5",
+ "ikepolicy": "3des-md5;modp1536",
"ikelifetime": "86400",
"esppolicy": "3des-md5",
"esplifetime": "3600",
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/f045d65b/test/integration/component/test_vpc.py
----------------------------------------------------------------------
diff --git a/test/integration/component/test_vpc.py b/test/integration/component/test_vpc.py
index 5f7ea98..335a4c9 100644
--- a/test/integration/component/test_vpc.py
+++ b/test/integration/component/test_vpc.py
@@ -186,7 +186,7 @@ class Services:
},
"vpn_customer_gw": {
"ipsecpsk": "s2svpn",
- "ikepolicy": "3des-md5",
+ "ikepolicy": "3des-md5;modp1536",
"ikelifetime": "86400",
"esppolicy": "3des-md5",
"esplifetime": "3600",
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/f045d65b/tools/appliance/definitions/systemvmtemplate/configure_systemvm_services.sh
----------------------------------------------------------------------
diff --git a/tools/appliance/definitions/systemvmtemplate/configure_systemvm_services.sh b/tools/appliance/definitions/systemvmtemplate/configure_systemvm_services.sh
index 57fa2a7..60082e3 100644
--- a/tools/appliance/definitions/systemvmtemplate/configure_systemvm_services.sh
+++ b/tools/appliance/definitions/systemvmtemplate/configure_systemvm_services.sh
@@ -54,6 +54,11 @@ function do_signature() {
echo "Cloudstack Release $CLOUDSTACK_RELEASE $(date)" > /etc/cloudstack-release
}
+function configure_strongswan() {
+ # change the charon stroke timeout from 3 minutes to 30 seconds
+ sed -i "s/# timeout = 0/timeout = 30000/" /etc/strongswan.d/charon/stroke.conf
+}
+
function configure_services() {
mkdir -p /var/www/html
mkdir -p /opt/cloud/bin
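Review bot: The `sed -i` in `configure_strongswan` silently does nothing if the pattern `# timeout = 0` is absent (a different packaged default, an already-uncommented value, or a missing file), leaving the stroke timeout at its default with no build-time signal. Verify the result so the template build fails loudly, e.g. `grep -q '^ *timeout = 30000' /etc/strongswan.d/charon/stroke.conf || { echo 'stroke timeout not set' >&2; exit 1; }`. `configure_services` continues past the end of this hunk.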
@@ -81,6 +86,7 @@ function configure_services() {
chkconfig radvd off
configure_apache2
+ configure_strongswan
}
return 2>/dev/null || configure_services
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/f045d65b/tools/appliance/definitions/systemvmtemplate/install_systemvm_packages.sh
----------------------------------------------------------------------
diff --git a/tools/appliance/definitions/systemvmtemplate/install_systemvm_packages.sh b/tools/appliance/definitions/systemvmtemplate/install_systemvm_packages.sh
index f390821..4a74b8b 100644
--- a/tools/appliance/definitions/systemvmtemplate/install_systemvm_packages.sh
+++ b/tools/appliance/definitions/systemvmtemplate/install_systemvm_packages.sh
@@ -64,7 +64,6 @@ function install_packages() {
nfs-common \
samba-common cifs-utils \
xl2tpd bcrelay ppp ipsec-tools tdb-tools \
- openswan=1:2.6.37-3+deb7u1 \
xenstore-utils libxenstore3.0 \
conntrackd ipvsadm libnetfilter-conntrack3 libnl-3-200 libnl-genl-3-200 \
ipcalc \
@@ -76,9 +75,8 @@ function install_packages() {
sharutils
${apt_get} -t wheezy-backports install keepalived irqbalance open-vm-tools qemu-guest-agent
+ ${apt_get} -t wheezy-backports install strongswan libcharon-extra-plugins libstrongswan-extra-plugins
- # hold on installed openswan version, upgrade rest of the packages (if any)
- apt-mark hold openswan
apt-get update
apt-get -y --force-yes upgrade
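Review bot: The openswan package was installed at a pinned version and placed on `apt-mark hold`; strongswan and its plugin packages are installed from wheezy-backports with neither, and the `apt-get -y --force-yes upgrade` two lines later can then move them to whatever the backports repository serves at build time, so the appliance template is no longer reproducible and an IPsec stack change can land without review. Consider pinning (`strongswan=<version>`, placeholder for the validated release) and holding the packages as was done for openswan, or at minimum recording the installed version in the build log with `dpkg -s strongswan | grep Version`. `install_packages` starts and ends outside the hunk.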
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/f045d65b/ui/scripts/network.js
----------------------------------------------------------------------
diff --git a/ui/scripts/network.js b/ui/scripts/network.js
index 7299a7b..78c90e1 100755
--- a/ui/scripts/network.js
+++ b/ui/scripts/network.js
@@ -5993,10 +5993,6 @@
select: function(args) {
var items = [];
items.push({
- id: '3des',
- description: '3des'
- });
- items.push({
id: 'aes128',
description: 'aes128'
});
@@ -6008,6 +6004,10 @@
id: 'aes256',
description: 'aes256'
});
+ items.push({
+ id: '3des',
+ description: '3des'
+ });
args.response.success({
data: items
});
@@ -6019,13 +6019,25 @@
select: function(args) {
var items = [];
items.push({
- id: 'md5',
- description: 'md5'
- });
- items.push({
id: 'sha1',
description: 'sha1'
});
+ items.push({
+ id: 'sha256',
+ description: 'sha256'
+ });
+ items.push({
+ id: 'sha384',
+ description: 'sha384'
+ });
+ items.push({
+ id: 'sha512',
+ description: 'sha512'
+ });
+ items.push({
+ id: 'md5',
+ description: 'md5'
+ });
args.response.success({
data: items
});
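Review bot: The hash list added here is duplicated verbatim in the ESP hash hunk (line 6087), and the same holds for the encryption lists (lines 5993 and 6061) and the DH-group lists; every change to the supported set now has to be made in two or three places, which is exactly how the IKE and ESP lists can drift from NetUtils. Hoist each list into a single array, e.g. `var s2sHashAlgorithms = ['sha1', 'sha256', 'sha384', 'sha512', 'md5'];`, and build `items` from it in both `select` handlers. The enclosing field definitions start and end outside the hunks.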
@@ -6036,17 +6048,38 @@
docID: 'helpVPNGatewayIKEDH',
select: function(args) {
var items = [];
+ // StrongSwan now requires a DH group to be specified...
+ //items.push({
+ // id: '',
+ // description: _l('label.none')
+ //});
items.push({
- id: '',
- description: _l('label.none')
+ id: 'modp1536',
+ description: 'Group 5(modp1536)'
});
items.push({
- id: 'modp1024',
- description: 'Group 2(modp1024)'
+ id: 'modp2048',
+ description: 'Group 14(modp2048)'
});
items.push({
- id: 'modp1536',
- description: 'Group 5(modp1536)'
+ id: 'modp3072',
+ description: 'Group 15(modp3072)'
+ });
+ items.push({
+ id: 'modp4096',
+ description: 'Group 16(modp4096)'
+ });
+ items.push({
+ id: 'modp6144',
+ description: 'Group 17(modp6144)'
+ });
+ items.push({
+ id: 'modp8192',
+ description: 'Group 18(modp8192)'
+ });
+ items.push({
+ id: 'modp1024',
+ description: 'Group 2(modp1024)'
});
args.response.success({
data: items
@@ -6061,10 +6094,6 @@
select: function(args) {
var items = [];
items.push({
- id: '3des',
- description: '3des'
- });
- items.push({
id: 'aes128',
description: 'aes128'
});
@@ -6076,6 +6105,10 @@
id: 'aes256',
description: 'aes256'
});
+ items.push({
+ id: '3des',
+ description: '3des'
+ });
args.response.success({
data: items
});
@@ -6087,13 +6120,25 @@
select: function(args) {
var items = [];
items.push({
- id: 'md5',
- description: 'md5'
- });
- items.push({
id: 'sha1',
description: 'sha1'
});
+ items.push({
+ id: 'sha256',
+ description: 'sha256'
+ });
+ items.push({
+ id: 'sha384',
+ description: 'sha384'
+ });
+ items.push({
+ id: 'sha512',
+ description: 'sha512'
+ });
+ items.push({
+ id: 'md5',
+ description: 'md5'
+ });
args.response.success({
data: items
});
@@ -6109,13 +6154,33 @@
description: _l('label.none')
});
items.push({
- id: 'modp1024',
- description: 'Group 2(modp1024)'
- });
- items.push({
id: 'modp1536',
description: 'Group 5(modp1536)'
});
+ items.push({
+ id: 'modp2048',
+ description: 'Group 14(modp2048)'
+ });
+ items.push({
+ id: 'modp3072',
+ description: 'Group 15(modp3072)'
+ });
+ items.push({
+ id: 'modp4096',
+ description: 'Group 16(modp4096)'
+ });
+ items.push({
+ id: 'modp6144',
+ description: 'Group 17(modp6144)'
+ });
+ items.push({
+ id: 'modp8192',
+ description: 'Group 18(modp8192)'
+ });
+ items.push({
+ id: 'modp1024',
+ description: 'Group 2(modp1024)'
+ });
args.response.success({
data: items
});
@@ -6522,8 +6587,8 @@
success: function(json) {
var item = json.listvpncustomergatewaysresponse.vpncustomergateway[0];
- //IKE POlicy
- var a1 = item.ikepolicy.split('-'); //e.g. item.ikepolicy == '3des-md5' or '3des-md5;modp1024'
+ //IKE Policy
+ var a1 = item.ikepolicy.split('-'); //e.g. item.ikepolicy == '3des-md5;modp1024'
item.ikeEncryption = a1[0];
if (a1[1].indexOf(';') == -1) {
item.ikeHash = a1[1];
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/f045d65b/utils/src/main/java/com/cloud/utils/net/NetUtils.java
----------------------------------------------------------------------
diff --git a/utils/src/main/java/com/cloud/utils/net/NetUtils.java b/utils/src/main/java/com/cloud/utils/net/NetUtils.java
index a014bf7..6baaf38 100644
--- a/utils/src/main/java/com/cloud/utils/net/NetUtils.java
+++ b/utils/src/main/java/com/cloud/utils/net/NetUtils.java
@@ -1187,7 +1187,10 @@ public class NetUtils {
return false;
}
- public static boolean isValidS2SVpnPolicy(final String policys) {
+ public static boolean isValidS2SVpnPolicy(final String policyType, final String policys) {
+ if (policyType == null || policyType.isEmpty()) {
+ return false;
+ }
if (policys == null || policys.isEmpty()) {
return false;
}
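Review bot: The new null/empty guard on `policyType` accepts any other string: the second hunk only checks for `ike`, so a caller passing `"IKE "`, `"esp "` or a typo is validated under the looser ESP rules instead of being rejected. Whitelist the two known types here, `if (!"ike".equalsIgnoreCase(policyType) && !"esp".equalsIgnoreCase(policyType)) { return false; }`, which also subsumes the null check. `isValidS2SVpnPolicy` continues past this hunk.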
@@ -1208,14 +1211,17 @@ public class NetUtils {
if (!cipher.matches("3des|aes128|aes192|aes256")) {
return false;
}
- if (!hash.matches("md5|sha1")) {
+ if (!hash.matches("md5|sha1|sha256|sha384|sha512")) {
return false;
}
- String pfsGroup = null;
+ String group = null;
if (!policy.equals(cipherHash)) {
- pfsGroup = policy.split(";")[1];
+ group = policy.split(";")[1];
+ }
+ if (group == null && policyType.toLowerCase().matches("ike")) {
+ return false; // StrongSwan requires a DH group for the IKE policy
}
- if (pfsGroup != null && !pfsGroup.matches("modp1024|modp1536")) {
+ if (group != null && !group.matches("modp1024|modp1536|modp2048|modp3072|modp4096|modp6144|modp8192")) {
return false;
}
}
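Review bot: `policyType.toLowerCase().matches("ike")` compiles a regex to test string equality and lower-cases with the default locale; `"ike".equalsIgnoreCase(policyType)` is the idiomatic form and is locale-independent. The cipher, hash and group whitelists are also re-compiled through `String.matches` on every policy in the loop; `static final Pattern` constants would avoid that and give the allowed sets a single named home. The whitelists still admit `3des`, `md5` and `modp1024`; if they stay for compatibility, a comment naming them as legacy choices helps the next reader. The method's loop and return lie partly outside the hunk.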
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/f045d65b/utils/src/test/java/com/cloud/utils/net/NetUtilsTest.java
----------------------------------------------------------------------
diff --git a/utils/src/test/java/com/cloud/utils/net/NetUtilsTest.java b/utils/src/test/java/com/cloud/utils/net/NetUtilsTest.java
index 6d939d5..c2e8829 100644
--- a/utils/src/test/java/com/cloud/utils/net/NetUtilsTest.java
+++ b/utils/src/test/java/com/cloud/utils/net/NetUtilsTest.java
@@ -105,18 +105,25 @@ public class NetUtilsTest {
@Test
public void testIsValidS2SVpnPolicy() {
- assertTrue(NetUtils.isValidS2SVpnPolicy("aes128-sha1"));
- assertTrue(NetUtils.isValidS2SVpnPolicy("3des-sha1"));
- assertTrue(NetUtils.isValidS2SVpnPolicy("3des-sha1,aes256-sha1"));
- assertTrue(NetUtils.isValidS2SVpnPolicy("3des-md5;modp1024"));
- assertTrue(NetUtils.isValidS2SVpnPolicy("3des-sha1,aes128-sha1;modp1536"));
- assertFalse(NetUtils.isValidS2SVpnPolicy("des-md5;modp1024,aes128-sha1;modp1536"));
- assertFalse(NetUtils.isValidS2SVpnPolicy("des-sha1"));
- assertFalse(NetUtils.isValidS2SVpnPolicy("abc-123,ase-sha1"));
- assertFalse(NetUtils.isValidS2SVpnPolicy("de-sh,aes-sha1"));
- assertFalse(NetUtils.isValidS2SVpnPolicy(""));
- assertFalse(NetUtils.isValidS2SVpnPolicy(";modp1536"));
- assertFalse(NetUtils.isValidS2SVpnPolicy(",aes;modp1536,,,"));
+ assertTrue(NetUtils.isValidS2SVpnPolicy("esp", "aes128-sha1"));
+ assertTrue(NetUtils.isValidS2SVpnPolicy("esp", "3des-sha1"));
+ assertTrue(NetUtils.isValidS2SVpnPolicy("esp", "3des-sha1,aes256-sha1"));
+ assertTrue(NetUtils.isValidS2SVpnPolicy("esp", "3des-md5;modp1024"));
+ assertTrue(NetUtils.isValidS2SVpnPolicy("esp", "3des-sha256,aes128-sha512;modp1536"));
+ assertTrue(NetUtils.isValidS2SVpnPolicy("ike", "3des-sha1;modp3072,aes128-sha1;modp1536"));
+ assertTrue(NetUtils.isValidS2SVpnPolicy("ike", "3des-md5;modp1024"));
+ assertTrue(NetUtils.isValidS2SVpnPolicy("ike", "3des-sha1;modp3072,aes128-sha1;modp1536"));
+ assertTrue(NetUtils.isValidS2SVpnPolicy("ike", "3des-sha256;modp3072,aes128-sha512;modp1536"));
+ assertFalse(NetUtils.isValidS2SVpnPolicy("ike", "aes128-sha1"));
+ assertFalse(NetUtils.isValidS2SVpnPolicy("ike", "3des-sha1"));
+ assertFalse(NetUtils.isValidS2SVpnPolicy("ike", "3des-sha1,aes256-sha1"));
+ assertFalse(NetUtils.isValidS2SVpnPolicy("esp", "des-md5;modp1024,aes128-sha1;modp1536"));
+ assertFalse(NetUtils.isValidS2SVpnPolicy("esp", "des-sha1"));
+ assertFalse(NetUtils.isValidS2SVpnPolicy("esp", "abc-123,ase-sha1"));
+ assertFalse(NetUtils.isValidS2SVpnPolicy("esp", "de-sh,aes-sha1"));
+ assertFalse(NetUtils.isValidS2SVpnPolicy("esp", ""));
+ assertFalse(NetUtils.isValidS2SVpnPolicy("esp", ";modp1536"));
+ assertFalse(NetUtils.isValidS2SVpnPolicy("esp", ",aes;modp1536,,,"));
}
@Test
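Review bot: Lines 699 and 701 are byte-identical assertions, so one is redundant, and no case exercises the new `policyType` argument itself: add `assertFalse(NetUtils.isValidS2SVpnPolicy(null, "aes128-sha1"));`, `assertFalse(NetUtils.isValidS2SVpnPolicy("", "aes128-sha1"));` and a mixed-case `"IKE"` positive case to pin the behaviour introduced in the NetUtils hunk. An IKE policy with an unsupported group, such as the constructed sample `"aes128-sha1;modp768"`, would also cover the negative path of the extended group whitelist.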
[2/2] git commit: updated refs/heads/master to 13bfdd7
Posted by ra...@apache.org.
Merge pull request #1741 from swill/strongswanvpn
Updated StrongSwan VPN Implementation. This PR is a merge of @jayapalu's changes in #872 and the changes I had to make to get the functionality working.
I have done pretty extensive testing of this code so far and we are looking to be in pretty good shape. One thing to note is that a `Diffie-Hellman` group **is required** in order for this feature to work correctly. It is not highlighted in the tests below, but I have shown that the `PFS` is not required for this feature to work. In #872 I have shown a more exhaustive set of tests of this code, but I have limited this set of tests to a recommended `IKE` and `ESP` configuration in order to reduce the noise and test the other areas of functionality.
**Test Results**
I am testing this functionality by creating two VPCs with VMs in each and creating a S2S VPN connection between the two VPCs. Then I SSH into a VM in one VPC and I ping the private IP of a VM in the other VPC. Then I tear it down and try a different configuration.
_Setup_
```
VPC 1 VPC 2
===== =====
VPN Gateway VPN Gateway
VPN Customer Gateway VPN Customer Gateway
VPN Connection <---> VPN Connection
- Passive = True - Passive = False
```
_Legend_
`SKIP` => At least one of the VPN Connections did not come up, so no test was run.
`OK` => The ping test was successful over the S2S VPN connection.
`FAIL` => The ping test failed over the S2S VPN connection.
`Passive` => Specifies if either the `<vpc_1> : <vpc_2>` sides of the VPN Connection is set to passive.
`Conn State` => Specifies the connection status of the `<vpc_1> : <vpc_2>` VPN Connection in the UI.
`Requires Reset` => If the ping test does not result in an `OK`, then a VPN Connection Reset is performed on either `<vpc_1> : <vpc_2>` sides of the VPN Connection based on which side is not showing `Connected`. The results in the `Status` column is the final result after the reset is performed.
_Results_
```
+--------+----------------------+-------+-------+----------+----------+---------------+-----------------------------+----------------+
| Status | IKE & ESP | DPD | Encap | IKE Life | ESP Life | Passive | Conn State | Requires Reset |
+========+======================+=======+=======+==========+==========+===============+=============================+================+
| OK | aes128-sha1;modp1536 | True | False | 86400 | 3600 | True : False | Disconnected : Connected | False : False |
+--------+----------------------+-------+-------+----------+----------+---------------+-----------------------------+----------------+
| OK | aes128-sha1;modp1536 | True | True | 86400 | 3600 | True : False | Disconnected : Connected | False : False |
+--------+----------------------+-------+-------+----------+----------+---------------+-----------------------------+----------------+
| OK | aes128-sha1;modp1536 | True | False | | 3600 | True : False | Disconnected : Connected | False : False |
+--------+----------------------+-------+-------+----------+----------+---------------+-----------------------------+----------------+
| OK | aes128-sha1;modp1536 | True | False | 86400 | | True : False | Disconnected : Connected | False : False |
+--------+----------------------+-------+-------+----------+----------+---------------+-----------------------------+----------------+
| OK | aes128-sha1;modp1536 | True | False | | | True : False | Disconnected : Connected | False : False |
+--------+----------------------+-------+-------+----------+----------+---------------+-----------------------------+----------------+
| OK | aes128-sha1;modp1536 | True | False | 86400 | 3600 | False : False | Connected : Connected | False : False |
+--------+----------------------+-------+-------+----------+----------+---------------+-----------------------------+----------------+
| OK | aes128-sha1;modp1536 | True | False | 86400 | 3600 | True : True | Disconnected : Disconnected | False : False |
+--------+----------------------+-------+-------+----------+----------+---------------+-----------------------------+----------------+
| OK | aes128-sha1;modp1536 | True | False | 86400 | 3600 | False : True | Connected : Disconnected | False : False |
+--------+----------------------+-------+-------+----------+----------+---------------+-----------------------------+----------------+
| OK | aes128-sha1;modp1536 | False | False | 86400 | 3600 | False : False | Connected : Connected | False : False |
+--------+----------------------+-------+-------+----------+----------+---------------+-----------------------------+----------------+
| OK | aes128-sha1;modp1536 | False | False | 86400 | 3600 | True : False | Disconnected : Connected | False : False |
+--------+----------------------+-------+-------+----------+----------+---------------+-----------------------------+----------------+
| OK | aes128-sha1;modp1536 | False | False | 86400 | 3600 | True : True | Disconnected : Disconnected | False : False |
+--------+----------------------+-------+-------+----------+----------+---------------+-----------------------------+----------------+
| OK | aes128-sha1;modp1536 | False | False | 86400 | 3600 | False : True | Connected : Disconnected | False : False |
+--------+----------------------+-------+-------+----------+----------+---------------+-----------------------------+----------------+
| SKIP | aes128-sha1 | True | False | 86400 | 3600 | True : False | Disconnected : Error | True : False |
+--------+----------------------+-------+-------+----------+----------+---------------+-----------------------------+----------------+
| SKIP | aes128-sha1 | False | False | 86400 | 3600 | True : False | Disconnected : Error | True : False |
+--------+----------------------+-------+-------+----------+----------+---------------+-----------------------------+----------------+
| FAIL | aes128-sha1 | True | False | 86400 | 3600 | True : True | Disconnected : Disconnected | True : True |
+--------+----------------------+-------+-------+----------+----------+---------------+-----------------------------+----------------+
| SKIP | aes128-sha1 | True | False | 86400 | 3600 | False : False | Connected : Error | False : False |
+--------+----------------------+-------+-------+----------+----------+---------------+-----------------------------+----------------+
```
* pr/1741:
complete implementation of the StrongSwan VPN feature
Signed-off-by: Rajani Karuturi <ra...@accelerite.com>
Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/13bfdd71
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/13bfdd71
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/13bfdd71
Branch: refs/heads/master
Commit: 13bfdd71e6fffff52d2f613a802b3d16c9b40af7
Parents: 2aeca0d f045d65
Author: Rajani Karuturi <ra...@accelerite.com>
Authored: Tue Feb 14 17:59:17 2017 +0530
Committer: Rajani Karuturi <ra...@accelerite.com>
Committed: Tue Feb 14 17:59:17 2017 +0530
----------------------------------------------------------------------
.../network/vpn/Site2SiteVpnManagerImpl.java | 18 +--
.../patches/debian/config/etc/logrotate.conf | 5 +-
.../debian/config/opt/cloud/bin/checks2svpn.sh | 13 +-
.../debian/config/opt/cloud/bin/configure.py | 61 +++++-----
.../debian/config/opt/cloud/bin/cs_ip.py | 16 +--
systemvm/patches/debian/vpn/etc/ipsec.conf | 8 +-
.../patches/debian/vpn/etc/ipsec.d/l2tp.conf | 9 +-
systemvm/patches/debian/vpn/etc/ipsec.secrets | 2 +-
test/integration/component/maint/test_vpc.py | 2 +-
test/integration/component/test_vpc.py | 2 +-
.../configure_systemvm_services.sh | 6 +
.../install_systemvm_packages.sh | 4 +-
ui/scripts/network.js | 121 ++++++++++++++-----
.../main/java/com/cloud/utils/net/NetUtils.java | 16 ++-
.../java/com/cloud/utils/net/NetUtilsTest.java | 31 +++--
15 files changed, 200 insertions(+), 114 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/13bfdd71/systemvm/patches/debian/config/opt/cloud/bin/configure.py
----------------------------------------------------------------------