You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cloudstack.apache.org by ya...@apache.org on 2012/07/03 01:40:17 UTC
[8/13] git commit: CS-6840: Add ipsectunnel script
CS-6840: Add ipsectunnel script
Project: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/commit/df062f1f
Tree: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/tree/df062f1f
Diff: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/diff/df062f1f
Branch: refs/heads/vpc
Commit: df062f1fe861a51e79bfa7b5054aa838dfebb2c5
Parents: 0ce1e78
Author: Clayton Weise <cw...@iswest.net>
Authored: Wed Jun 27 19:00:55 2012 -0700
Committer: Sheng Yang <sh...@citrix.com>
Committed: Mon Jul 2 16:27:35 2012 -0700
----------------------------------------------------------------------
.../debian/config/opt/cloud/bin/ipsectunnel.sh | 215 +++++++++++++++
1 files changed, 215 insertions(+), 0 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/df062f1f/patches/systemvm/debian/config/opt/cloud/bin/ipsectunnel.sh
----------------------------------------------------------------------
diff --git a/patches/systemvm/debian/config/opt/cloud/bin/ipsectunnel.sh b/patches/systemvm/debian/config/opt/cloud/bin/ipsectunnel.sh
new file mode 100755
index 0000000..232958c
--- /dev/null
+++ b/patches/systemvm/debian/config/opt/cloud/bin/ipsectunnel.sh
@@ -0,0 +1,215 @@
+# Copyright 2012 Citrix Systems, Inc. Licensed under the
+# Apache License, Version 2.0 (the "License"); you may not use this
+# file except in compliance with the License. Citrix Systems, Inc.
+# reserves all rights not expressly granted by the License.
+# You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#!/usr/bin/env bash
+source /root/func.sh
+
+#lock="biglock"
+#locked=$(getLockFile $lock)
+#if [ "$locked" != "1" ]
+#then
+# exit 1
+#fi
+
+vpnconfdir="/etc/ipsec.d"
+vpninmark="10"
+vpnoutmark="15"
+inIf="eth0"
+outIf="eth2"
+
+usage() {
+ printf "Usage: %s: (-A|-D) -r <right-side vpn peer> -R <right-side private ip> -p <right-side private subnet> -e <esp encryption> -E <esp hash> -l <sa lifetime> -i <ike encryption> -I <ike hash> -L <ike lifetime> -s <pre-shared secret> \n" $(basename $0) >&2
+}
+
+#set -x
+
+get_dev_list() {
+ ip link show | grep -e eth[2-9] | awk -F ":" '{print $2}'
+ ip link show | grep -e eth1[0-9] | awk -F ":" '{print $2}'
+}
+
+#ip_to_dev() {
+# local ip=$1
+#
+# for dev in $DEV_LIST; do
+# ip addr show dev $dev | grep inet | grep $ip &>> /dev/null
+# [ $? -eq 0 ] && echo $dev && return 0
+# done
+# return 1
+#}
+
+get_left_info() {
+ leftpeer=`ip addr show dev $outIf | grep inet | grep brd | awk '{print $2}' | cut -d'/' -f1`
+ leftpriv=`ip addr show dev $inIf | grep inet | grep brd | awk '{print $2}' | cut -d'/' -f1`
+ leftnet=`ip route show | grep $inIf | head -1 | awk '{print $1}'`
+ leftgw=`ip route show | grep $outIf | grep default | head -1 | awk '{print $3}'`
+}
+
+nonat_chain() {
+ get_left_info
+ outIp=$leftpeer
+ if iptables -L VPN_$outIp -t mangle > /dev/null 2>&1 ; then
+ VPNCHAIN="1"
+ else
+ # Create VPN_outIp chain and push all traffic through it to prevent NAT in the tunnel
+ sudo iptables -N VPN_$outIp -t mangle
+ sudo iptables -A FORWARD -t mangle -j VPN_$outIp
+ sudo iptables -A OUTPUT -t mangle -j VPN_$outIp
+ # Explicitly trust all ESP / VPN traffic
+ sudo iptables -A PREROUTING -t mangle -d $outIp -p esp -j MARK --set-mark $vpninmark
+ sudo iptables -A FORWARD -t filter -i $outIf -m mark --mark $vpninmark -j ACCEPT
+ sudo iptables -A FORWARD -t filter -i $outIf -m mark --mark $vpnoutmark -j ACCEPT
+ sudo /etc/init.d/ipsec start
+ fi
+}
+
+ipsec_tunnel_del() {
+ get_left_info
+ outIp=$leftpeer
+ local rightpeer=$1
+ local rightnet=$2
+ local op=$3
+ local vpnconffile=$vpnconfdir/ipsec.vpn-$rightpeer.conf
+ local vpnsecretsfile=$vpnconfdir/ipsec.vpn-$rightpeer.secrets
+ logger -t cloud "$(basename $0): removing configuration for ipsec tunnel to $rightpeer"
+ sudo rm -f $vpnconffile
+ sudo rm -f $vpnsecretsfile
+ sudo iptables $op VPN_$outIp -t mangle -o $outIf -d $rightnet -j MARK --set-mark $vpnoutmark
+}
+
+ipsec_tunnel_add() {
+ get_left_info
+ outIp=$leftpeer
+ nonat_chain
+
+ sudo mkdir -p $vpnconfdir
+ local rightpeer=$1
+ local rightpriv=$2
+ local rightnet=$3
+ local espcrypt=$4
+ local esphash=$5
+ local salife=$6
+ local ikecrypt=$7
+ local ikehash=$8
+ local ikelife=$9
+ local secret=${10}
+ local vpnconffile=$vpnconfdir/ipsec.vpn-$rightpeer.conf
+ local vpnsecretsfile=$vpnconfdir/ipsec.vpn-$rightpeer.secrets
+
+ logger -t cloud "$(basename $0): creating configuration for ipsec tunnel: left peer=$leftpeer \
+ right peer=$rightpeer right network=$rightnet phase1 encryption=$espcrypt phase1 hash=$esphash \
+ phase2 encryption=$ikecrypt phase2 hash=$ikehash secret=$secret"
+
+ [ "$op" == "-A" ] && ipsec_tunnel_del $rightpeer $rightnet "-D"
+ sudo echo "conn vpn-$rightpeer" > $vpnconffile &&
+ sudo echo " left=$leftpeer" >> $vpnconffile &&
+ sudo echo " leftsubnet=$leftnet" >> $vpnconffile &&
+ sudo echo " leftnexthop=$leftgw" >> $vpnconffile &&
+ sudo echo " leftsourceip=$leftpriv" >> $vpnconffile &&
+ sudo echo " right=$rightpeer" >> $vpnconffile &&
+ sudo echo " rightsubnets={$rightnet}" >> $vpnconffile &&
+ sudo echo " rightsourceip=$rightpriv" >> $vpnconffile &&
+ sudo echo " type=tunnel" >> $vpnconffile &&
+ sudo echo " authby=secret" >> $vpnconffile &&
+ sudo echo " keyexchange=ike" >> $vpnconffile &&
+ sudo echo " pfs=no" >> $vpnconffile &&
+ sudo echo " esp=$espcrypt;$esphash" >> $vpnconffile &&
+ sudo echo " salifetime=${salife}s" >> $vpnconffile &&
+ sudo echo " ike=$ikecrypt;$ikehash" >> $vpnconffile &&
+ sudo echo " ikelifetime=${ikelife}s" >> $vpnconffile &&
+ sudo echo " auto=start" >> $vpnconffile &&
+ sudo echo "$leftpeer $rightpeer: PSK $secret" > $vpnsecretsfile &&
+ sudo chmod 0400 $vpnsecretsfile &&
+ sudo iptables -A VPN_$outIp -t mangle -o $outIf -d $rightnet -j MARK --set-mark $vpnoutmark &&
+ sudo /etc/init.d/ipsec reload
+ # Prevent NAT on "marked" VPN traffic
+ sudo iptables -D POSTROUTING -t nat -o $outIf -j SNAT --to-source $outIp
+ sudo iptables -D POSTROUTING -t nat -o $outIf -m mark ! --mark $vpnoutmark -j SNAT --to-source $outIp
+ sudo iptables -A POSTROUTING -t nat -o $outIf -m mark ! --mark $vpnoutmark -j SNAT --to-source $outIp
+
+ result=$?
+ logger -t cloud "$(basename $0): done ipsec tunnel entry for right peer=$rightpeer right network=$rightnet"
+ return $result
+}
+
+rflag=
+Rflag=
+pflag=
+eflag=
+Eflag=
+lflag=
+iflag=
+Iflag=
+Lflag=
+sflag=
+op=""
+
+while getopts 'ADr:R:p:e:E:l:i:I:L:s:' OPTION
+do
+ case $OPTION in
+ A) opflag=1
+ op="-A"
+ ;;
+ D) opflag=2
+ op="-D"
+ ;;
+ r) rflag=1
+ rightpeer="$OPTARG"
+ ;;
+ R) Rflag=1
+ rightpriv="$OPTARG"
+ ;;
+ p) pflag=1
+ rightnet="$OPTARG"
+ ;;
+ e) eflag=1
+ espcrypt="$OPTARG"
+ ;;
+ E) Eflag=1
+ esphash="$OPTARG"
+ ;;
+ l) lflag=1
+ salife="$OPTARG"
+ ;;
+ i) iflag=1
+ ikecrypt="$OPTARG"
+ ;;
+ I) Iflag=1
+ ikehash="$OPTARG"
+ ;;
+ L) Lflag=1
+ ikelife="$OPTARG"
+ ;;
+ s) sflag=1
+ secret="$OPTARG"
+ ;;
+ ?) usage
+# unlock_exit 2 $lock $locked
+ ;;
+ esac
+done
+
+DEV_LIST=$(get_dev_list)
+OUTFILE=$(mktemp)
+
+#Firewall ports for one-to-one/static NAT
+if [ "$opflag" == "1" ]
+then
+ ipsec_tunnel_add $rightpeer $rightpriv $rightnet $espcrypt $esphash $salife $ikecrypt $ikehash $ikelife $secret
+elif [ "$opflag" == "2" ]
+then
+ ipsec_tunnel_del $rightpeer $rightnet $op
+else
+ printf "Invalid action specified, must choose -A or -D to add/del tunnels\n" >&2
+# unlock_exit 5 $lock $locked
+fi
+
+#unlock_exit 0 $lock $locked