
Merge pull request #4433 from aTanW/master

ipsec: add ability to configure "none" SA
lilik-openwrt-22.03
Hannu Nyman 8 years ago
committed by GitHub
parent
commit
6950c73a7c
4 changed files with 50 additions and 6 deletions
  1. +3
    -2
      net/ipsec-tools/Makefile
  2. +35
    -0
      net/ipsec-tools/files/functions.sh
  3. +4
    -0
      net/ipsec-tools/files/racoon
  4. +8
    -4
      net/ipsec-tools/files/racoon.init

+ 3
- 2
net/ipsec-tools/Makefile

@ -11,8 +11,9 @@ include $(INCLUDE_DIR)/kernel.mk
PKG_NAME:=ipsec-tools
PKG_VERSION:=0.8.2
PKG_RELEASE:=5
PKG_MAINTAINER:=Noah Meyerhans <frodo@morgul.net>
PKG_RELEASE:=6
PKG_MAINTAINER:=Noah Meyerhans <frodo@morgul.net>, \
Vitaly Protsko <villy@sft.ru>
PKG_LICENSE := BSD-3-Clause
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2


+ 35
- 0
net/ipsec-tools/files/functions.sh

@ -88,6 +88,41 @@ spd$spdcmd $ritem $litem any -P in ipsec esp/tunnel/$4-$gate/require;
done
}
manage_nonesa() {
local spdcmd
local item
local cout cin
if [ -z "$4" ]; then
$log "Bad usage of manage_nonesa"
errno=3; return 3
fi
case "$1" in
add|up|1) spdcmd=add ;;
del|down|0) spdcmd=delete ;;
*) errno=3; return 3 ;;
esac
case "$2" in
local|remote) ;;
*) errno=3; return 3 ;;
esac
for item in $3 ; do
if [ "$2" = "local" ]; then
cout="$4 $item"
cin="$item $4"
else
cout="$item $4"
cin="$4 $item"
fi
echo "
spd$spdcmd $cout any -P out none;
spd$spdcmd $cin any -P in none;
" | /usr/sbin/setkey -c 1>&2
done
}
. /lib/functions/network.sh
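Review bot: manage_nonesa does not propagate a failing setkey: the status of the `echo … | /usr/sbin/setkey -c 1>&2` pipeline is discarded on every loop iteration but the last, and `errno` is only set by the argument checks, so a caller cannot tell whether the cleartext exclusions were actually installed or removed. Appending `|| { errno=3; return 3; }` to that pipeline (or returning non-zero after the loop when any item failed) would make the `errno` checks the init script already performs meaningful here too. The function also has no header comment; I would add `# manage_nonesa add|del local|remote "<addr list>" <other-side net>` and `# installs/removes SPD entries with policy "none": traffic between the listed addresses and the net is sent and accepted in cleartext, both directions`. The none entries carry no explicit priority, so whether they win over the overlapping esp/tunnel entries added by manage_sa appears to depend on insertion order alone — worth stating in a comment if that is what is relied on.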


+ 4
- 0
net/ipsec-tools/files/racoon

@ -51,6 +51,10 @@ config sainfo 'office'
option p2_proposal 'example_prop2'
option local_net '192.168.8.0/24'
option remote_net '192.168.1.0/24'
# you can exclude some local or remote
# addresses from SA rules
list local_exclude '192.168.8.0/30'
list remote_exclude '192.168.1.128/29'
config sainfo 'welcome'
option p2_proposal 'example_in2'
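Review bot: The new comment on local_exclude/remote_exclude understates what the lists do: manage_nonesa turns each entry into SPD entries with policy `none` for both the `in` and the `out` direction, so traffic to and from those addresses leaves and is accepted in cleartext rather than merely being "excluded from SA rules". I would reword it to `# addresses listed here bypass IPsec entirely: traffic to/from them is sent and accepted in cleartext (SPD policy "none") in both directions, so keep these lists as narrow as possible`. Since an overly wide range silently punches a hole in the tunnel's coverage, an explicit warning in the example config is cheap insurance.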


+ 8
- 4
net/ipsec-tools/files/racoon.init

@ -183,10 +183,12 @@ setup_sa() {
echo -e " split_network include $locnet;\n}" >> $conf
elif [ -z "$client" ]; then
manage_sa add $locnet $remnet $remote
config_list_foreach "$1" remote_exclude manage_nonesa add remote "$locnet"
config_list_foreach "$1" local_exclude manage_nonesa add local "$remnet"
manage_sa add "$locnet" "$remnet" $remote
test $? -gt 0 -o $errno -gt 0 && return $errno
manage_fw add $confIntZone $confExtZone $remnet
manage_fw add $confIntZone $confExtZone "$remnet"
fi
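Review bot: The outcome of the two `config_list_foreach … manage_nonesa add …` calls is never examined — the `test $? -gt 0 -o $errno -gt 0` on the following line only sees manage_sa's status, so a malformed exclude entry (manage_nonesa sets errno=3 for that) or a failed setkey is ignored and the SA is brought up as if the exclusion were in place. I would check `errno` directly after the two foreach lines, e.g. `test $errno -gt 0 && return $errno`, before manage_sa runs, assuming manage_sa does not reset errno itself. The exclusions are installed before the esp/require entries (and removed in the same order in destroy_sa); as the none entries carry no explicit priority this ordering is presumably what makes them take precedence, which deserves a comment such as `# "none" exclusions first so they precede the overlapping esp/require entries`. setup_sa begins outside the hunk.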
}
@ -339,8 +341,10 @@ destroy_sa() {
errno=4; return 4
fi
manage_sa del $locnet $remnet $2
manage_fw del $confIntZone $confExtZone $remnet
config_list_foreach "$1" remote_exclude manage_nonesa del remote "$locnet"
config_list_foreach "$1" local_exclude manage_nonesa del local "$remnet"
manage_sa del "$locnet" "$remnet" $2
manage_fw del $confIntZone $confExtZone "$remnet"
}
destroy_tunnel() {

