mirror of
https://github.com/apache/cloudstack.git
synced 2025-11-02 20:02:29 +01:00
CS-6840: Update ipsectunnel.sh
This commit is contained in:
Sheng Yang
parent
df062f1fe8
commit
cd9854336a
@ -12,147 +12,107 @@
|
||||
#!/usr/bin/env bash
|
||||
source /root/func.sh
|
||||
|
||||
#lock="biglock"
|
||||
#locked=$(getLockFile $lock)
|
||||
#if [ "$locked" != "1" ]
|
||||
#then
|
||||
# exit 1
|
||||
#fi
|
||||
lock="biglock"
|
||||
locked=$(getLockFile $lock)
|
||||
if [ "$locked" != "1" ]
|
||||
then
|
||||
exit 1
|
||||
fi
|
||||
|
||||
vpnconfdir="/etc/ipsec.d"
|
||||
vpninmark="10"
|
||||
vpnoutmark="15"
|
||||
inIf="eth0"
|
||||
outIf="eth2"
|
||||
vpnoutmark="0x525"
|
||||
|
||||
usage() {
|
||||
printf "Usage: %s: (-A|-D) -r <right-side vpn peer> -R <right-side private ip> -p <right-side private subnet> -e <esp encryption> -E <esp hash> -l <sa lifetime> -i <ike encryption> -I <ike hash> -L <ike lifetime> -s <pre-shared secret> \n" $(basename $0) >&2
|
||||
printf "Usage: %s: (-A|-D) -l <left-side vpn peer> -n <left-side guest cidr> -g <left-side gateway> -r <right-side vpn peer> -N <right-side private subnets> -e <esp policy> -i <ike policy> -t <lifetime> -s <pre-shared secret> \n" $(basename $0) >&2
|
||||
}
|
||||
|
||||
#set -x
|
||||
|
||||
get_dev_list() {
|
||||
ip link show | grep -e eth[2-9] | awk -F ":" '{print $2}'
|
||||
ip link show | grep -e eth1[0-9] | awk -F ":" '{print $2}'
|
||||
enable_iptable() {
|
||||
sudo iptables -A INPUT -i $outIf -p udp -m udp --dport 500 -j ACCEPT
|
||||
for net in $rightnets
|
||||
do
|
||||
sudo iptables -A PREROUTING -t mangle -s $leftnet -d $net -j MARK --set-mark $vpnoutmark
|
||||
done
|
||||
}
|
||||
|
||||
#ip_to_dev() {
|
||||
# local ip=$1
|
||||
#
|
||||
# for dev in $DEV_LIST; do
|
||||
# ip addr show dev $dev | grep inet | grep $ip &>> /dev/null
|
||||
# [ $? -eq 0 ] && echo $dev && return 0
|
||||
# done
|
||||
# return 1
|
||||
#}
|
||||
|
||||
get_left_info() {
|
||||
leftpeer=`ip addr show dev $outIf | grep inet | grep brd | awk '{print $2}' | cut -d'/' -f1`
|
||||
leftpriv=`ip addr show dev $inIf | grep inet | grep brd | awk '{print $2}' | cut -d'/' -f1`
|
||||
leftnet=`ip route show | grep $inIf | head -1 | awk '{print $1}'`
|
||||
leftgw=`ip route show | grep $outIf | grep default | head -1 | awk '{print $3}'`
|
||||
}
|
||||
|
||||
nonat_chain() {
|
||||
get_left_info
|
||||
outIp=$leftpeer
|
||||
if iptables -L VPN_$outIp -t mangle > /dev/null 2>&1 ; then
|
||||
VPNCHAIN="1"
|
||||
else
|
||||
# Create VPN_outIp chain and push all traffic through it to prevent NAT in the tunnel
|
||||
sudo iptables -N VPN_$outIp -t mangle
|
||||
sudo iptables -A FORWARD -t mangle -j VPN_$outIp
|
||||
sudo iptables -A OUTPUT -t mangle -j VPN_$outIp
|
||||
# Explicitly trust all ESP / VPN traffic
|
||||
sudo iptables -A PREROUTING -t mangle -d $outIp -p esp -j MARK --set-mark $vpninmark
|
||||
sudo iptables -A FORWARD -t filter -i $outIf -m mark --mark $vpninmark -j ACCEPT
|
||||
sudo iptables -A FORWARD -t filter -i $outIf -m mark --mark $vpnoutmark -j ACCEPT
|
||||
sudo /etc/init.d/ipsec start
|
||||
fi
|
||||
disable_iptable() {
|
||||
sudo iptables -D INPUT -i $outIf -p udp -m udp --dport 500 -j ACCEPT
|
||||
for net in $rightnets
|
||||
do
|
||||
sudo iptables -D PREROUTING -t mangle -s $leftnet -d $net -j MARK --set-mark $vpnoutmark
|
||||
done
|
||||
}
|
||||
|
||||
ipsec_tunnel_del() {
|
||||
get_left_info
|
||||
disable_iptable
|
||||
outIp=$leftpeer
|
||||
local rightpeer=$1
|
||||
local rightnet=$2
|
||||
local op=$3
|
||||
local vpnconffile=$vpnconfdir/ipsec.vpn-$rightpeer.conf
|
||||
local vpnsecretsfile=$vpnconfdir/ipsec.vpn-$rightpeer.secrets
|
||||
logger -t cloud "$(basename $0): removing configuration for ipsec tunnel to $rightpeer"
|
||||
sudo rm -f $vpnconffile
|
||||
sudo rm -f $vpnsecretsfile
|
||||
sudo iptables $op VPN_$outIp -t mangle -o $outIf -d $rightnet -j MARK --set-mark $vpnoutmark
|
||||
}
|
||||
|
||||
ipsec_tunnel_add() {
|
||||
get_left_info
|
||||
outIp=$leftpeer
|
||||
nonat_chain
|
||||
|
||||
sudo mkdir -p $vpnconfdir
|
||||
local rightpeer=$1
|
||||
local rightpriv=$2
|
||||
local rightnet=$3
|
||||
local espcrypt=$4
|
||||
local esphash=$5
|
||||
local salife=$6
|
||||
local ikecrypt=$7
|
||||
local ikehash=$8
|
||||
local ikelife=$9
|
||||
local secret=${10}
|
||||
local vpnconffile=$vpnconfdir/ipsec.vpn-$rightpeer.conf
|
||||
local vpnsecretsfile=$vpnconfdir/ipsec.vpn-$rightpeer.secrets
|
||||
|
||||
logger -t cloud "$(basename $0): creating configuration for ipsec tunnel: left peer=$leftpeer \
|
||||
right peer=$rightpeer right network=$rightnet phase1 encryption=$espcrypt phase1 hash=$esphash \
|
||||
phase2 encryption=$ikecrypt phase2 hash=$ikehash secret=$secret"
|
||||
left net=$leftnet left gateway=$leftgw right peer=$rightpeer right network=$rightnets phase1 policy=$ikepolicy \
|
||||
phase2 policy=$esppolicy lifetime=$time secret=$secret"
|
||||
|
||||
[ "$op" == "-A" ] && ipsec_tunnel_del $rightpeer $rightnet "-D"
|
||||
[ "$op" == "-A" ] && ipsec_tunnel_del $rightpeer $rightnets "-D"
|
||||
sudo echo "conn vpn-$rightpeer" > $vpnconffile &&
|
||||
sudo echo " left=$leftpeer" >> $vpnconffile &&
|
||||
sudo echo " leftsubnet=$leftnet" >> $vpnconffile &&
|
||||
sudo echo " leftnexthop=$leftgw" >> $vpnconffile &&
|
||||
sudo echo " leftsourceip=$leftpriv" >> $vpnconffile &&
|
||||
sudo echo " right=$rightpeer" >> $vpnconffile &&
|
||||
sudo echo " rightsubnets={$rightnet}" >> $vpnconffile &&
|
||||
sudo echo " rightsourceip=$rightpriv" >> $vpnconffile &&
|
||||
sudo echo " rightsubnets={$rightnets}" >> $vpnconffile &&
|
||||
sudo echo " type=tunnel" >> $vpnconffile &&
|
||||
sudo echo " authby=secret" >> $vpnconffile &&
|
||||
sudo echo " keyexchange=ike" >> $vpnconffile &&
|
||||
sudo echo " pfs=no" >> $vpnconffile &&
|
||||
sudo echo " esp=$espcrypt;$esphash" >> $vpnconffile &&
|
||||
sudo echo " salifetime=${salife}s" >> $vpnconffile &&
|
||||
sudo echo " ike=$ikecrypt;$ikehash" >> $vpnconffile &&
|
||||
sudo echo " ikelifetime=${ikelife}s" >> $vpnconffile &&
|
||||
sudo echo " esp=$esppolicy" >> $vpnconffile &&
|
||||
sudo echo " salifetime=${time}s" >> $vpnconffile &&
|
||||
sudo echo " ike=$ikepolicy" >> $vpnconffile &&
|
||||
sudo echo " ikelifetime=${time}s" >> $vpnconffile &&
|
||||
sudo echo " keyingtries=3" >> $vpnconffile &&
|
||||
sudo echo " dpddelay=30" >> $vpnconffile &&
|
||||
sudo echo " dpdtimeout=120" >> $vpnconffile &&
|
||||
sudo echo " dpdaction=restart" >> $vpnconffile &&
|
||||
sudo echo " auto=start" >> $vpnconffile &&
|
||||
sudo echo "$leftpeer $rightpeer: PSK $secret" > $vpnsecretsfile &&
|
||||
sudo chmod 0400 $vpnsecretsfile &&
|
||||
sudo iptables -A VPN_$outIp -t mangle -o $outIf -d $rightnet -j MARK --set-mark $vpnoutmark &&
|
||||
sudo /etc/init.d/ipsec reload
|
||||
sudo echo "$leftpeer $rightpeer: PSK \"$secret\"" > $vpnsecretsfile &&
|
||||
|
||||
sudo chmod 0400 $vpnsecretsfile
|
||||
|
||||
enable_iptable
|
||||
|
||||
sudo service ipsec restart
|
||||
# Prevent NAT on "marked" VPN traffic
|
||||
sudo iptables -D POSTROUTING -t nat -o $outIf -j SNAT --to-source $outIp
|
||||
sudo iptables -D POSTROUTING -t nat -o $outIf -m mark ! --mark $vpnoutmark -j SNAT --to-source $outIp
|
||||
sudo iptables -A POSTROUTING -t nat -o $outIf -m mark ! --mark $vpnoutmark -j SNAT --to-source $outIp
|
||||
|
||||
result=$?
|
||||
logger -t cloud "$(basename $0): done ipsec tunnel entry for right peer=$rightpeer right network=$rightnet"
|
||||
logger -t cloud "$(basename $0): done ipsec tunnel entry for right peer=$rightpeer right networks=$rightnets"
|
||||
return $result
|
||||
}
|
||||
|
||||
rflag=
|
||||
Rflag=
|
||||
pflag=
|
||||
eflag=
|
||||
Eflag=
|
||||
lflag=
|
||||
iflag=
|
||||
Iflag=
|
||||
Lflag=
|
||||
sflag=
|
||||
op=""
|
||||
|
||||
while getopts 'ADr:R:p:e:E:l:i:I:L:s:' OPTION
|
||||
while getopts 'ADl:n:g:r:N:e:i:t:s:' OPTION
|
||||
do
|
||||
case $OPTION in
|
||||
A) opflag=1
|
||||
@ -161,55 +121,63 @@ do
|
||||
D) opflag=2
|
||||
op="-D"
|
||||
;;
|
||||
l) lflag=1
|
||||
leftpeer="$OPTARG"
|
||||
;;
|
||||
n) nflag=1
|
||||
leftnet="$OPTARG"
|
||||
;;
|
||||
g) gflag=1
|
||||
leftgw="$OPTARG"
|
||||
;;
|
||||
r) rflag=1
|
||||
rightpeer="$OPTARG"
|
||||
;;
|
||||
R) Rflag=1
|
||||
rightpriv="$OPTARG"
|
||||
;;
|
||||
p) pflag=1
|
||||
rightnet="$OPTARG"
|
||||
N) Nflag=1
|
||||
rightnets="$OPTARG"
|
||||
;;
|
||||
e) eflag=1
|
||||
espcrypt="$OPTARG"
|
||||
;;
|
||||
E) Eflag=1
|
||||
esphash="$OPTARG"
|
||||
;;
|
||||
l) lflag=1
|
||||
salife="$OPTARG"
|
||||
esppolicy="$OPTARG"
|
||||
;;
|
||||
i) iflag=1
|
||||
ikecrypt="$OPTARG"
|
||||
ikepolicy="$OPTARG"
|
||||
;;
|
||||
I) Iflag=1
|
||||
ikehash="$OPTARG"
|
||||
;;
|
||||
L) Lflag=1
|
||||
ikelife="$OPTARG"
|
||||
t) tflag=1
|
||||
time="$OPTARG"
|
||||
;;
|
||||
s) sflag=1
|
||||
secret="$OPTARG"
|
||||
;;
|
||||
?) usage
|
||||
# unlock_exit 2 $lock $locked
|
||||
unlock_exit 2 $lock $locked
|
||||
;;
|
||||
esac
|
||||
done
|
||||
|
||||
DEV_LIST=$(get_dev_list)
|
||||
OUTFILE=$(mktemp)
|
||||
# get interface for public ip
|
||||
ip link|grep BROADCAST|grep -v eth0|cut -d ":" -f 2 > /tmp/iflist
|
||||
while read i
|
||||
do
|
||||
ip addr show $i|grep "$leftpeer"
|
||||
if [ $? -eq 0 ]
|
||||
then
|
||||
outIf=$i
|
||||
break
|
||||
fi
|
||||
done < /tmp/iflist
|
||||
|
||||
rightnets=${rightnets//,/ }
|
||||
|
||||
#Firewall ports for one-to-one/static NAT
|
||||
if [ "$opflag" == "1" ]
|
||||
then
|
||||
ipsec_tunnel_add $rightpeer $rightpriv $rightnet $espcrypt $esphash $salife $ikecrypt $ikehash $ikelife $secret
|
||||
ipsec_tunnel_add
|
||||
elif [ "$opflag" == "2" ]
|
||||
then
|
||||
ipsec_tunnel_del $rightpeer $rightnet $op
|
||||
ipsec_tunnel_del
|
||||
else
|
||||
printf "Invalid action specified, must choose -A or -D to add/del tunnels\n" >&2
|
||||
# unlock_exit 5 $lock $locked
|
||||
unlock_exit 5 $lock $locked
|
||||
fi
|
||||
|
||||
#unlock_exit 0 $lock $locked
|
||||
unlock_exit 0 $lock $locked
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user