From e97a10342018f992634fa90d25c007eb60c25662 Mon Sep 17 00:00:00 2001
From: Justin Pettit
Date: Sun, 17 Oct 2010 22:43:14 -0700
Subject: [PATCH] ovs-monitor-ipsec: Add ability to traverse NATs

Stable versions of ipsec-tools have a bug that prevents our using transport mode through a NAT box. Even though the bug has been fixed for years, it is only available in the 0.8 alpha release of ipsec-tools. This commit modifies our configuration to allow NAT traversal with that version of ipsec-tools. NB: An official package for this version of ipsec-tools is not yet available on Debian, so we're requiring a custom version number.
---
 debian/control | 4 +++-
 debian/ovs-monitor-ipsec | 14 +++++++++-----
 2 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/debian/control b/debian/control
index 0efcf925..5f50cc8c 100644
--- a/debian/control
+++ b/debian/control
@@ -45,7 +45,9 @@ Description: Open vSwitch switch implementations
 Package: openvswitch-ipsec
 Architecture: any
 Depends:
- ${shlibs:Depends}, ${misc:Depends}, ${python:Depends}, ipsec-tools, racoon,
+ ${shlibs:Depends}, ${misc:Depends}, ${python:Depends},
+ ipsec-tools (>=0.8~alpha20090903),
+ racoon (>=0.8~alpha20090903),
 openvswitch-common (= ${binary:Version}),
 openvswitch-switch (= ${binary:Version}),
 python-openvswitch (= ${binary:Version})
diff --git a/debian/ovs-monitor-ipsec b/debian/ovs-monitor-ipsec
index 184b0046..1cea8009 100755
--- a/debian/ovs-monitor-ipsec
+++ b/debian/ovs-monitor-ipsec
@@ -66,6 +66,7 @@ path certificate "/etc/racoon/certs";
 remote anonymous {
 exchange_mode main;
+ nat_traversal on;
 proposal {
 encryption_algorithm aes;
 hash_algorithm sha1;
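Review bot: `nat_traversal on;` is added to the racoon template with no note of what it needs at the network layer: once a NAT is detected, IKE and the UDP-encapsulated ESP traffic move to UDP/4500, so a host firewall or NAT that only passes UDP/500 and protocol ESP will still fail, and nothing in the template tells an operator that. A comment above the directive would make this discoverable, e.g. `# NAT traversal (RFC 3947/3948): once a NAT is detected, IKE and encapsulated ESP use UDP/4500, so keep UDP/500 and UDP/4500 reachable in both directions.` The `on` value only negotiates NAT-T when a NAT is actually detected, which presumably is the intent here, while `force` would encapsulate unconditionally; stating that choice in the same comment avoids a later "why not force" question. The `remote anonymous {` block this line sits in starts and ends outside the hunk.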
@@ -307,13 +308,16 @@ def main(argv):
 new_interfaces = {}
 for rec in idl.data["Interface"].itervalues():
 name = rec.name.as_scalar()
- local_ip = rec.other_config.get("ipsec_local_ip")
- if rec.type.as_scalar() == "gre" and local_ip:
+ ipsec_cert = rec.other_config.get("ipsec_cert")
+ ipsec_psk = rec.other_config.get("ipsec_psk")
+ is_ipsec = ipsec_cert or ipsec_psk
+
+ if rec.type.as_scalar() == "gre" and is_ipsec:
 new_interfaces[name] = {
 "remote_ip": rec.options.get("remote_ip"),
- "local_ip": local_ip,
- "ipsec_cert": rec.other_config.get("ipsec_cert"),
- "ipsec_psk": rec.other_config.get("ipsec_psk") }
+ "local_ip": rec.options.get("local_ip", "0.0.0.0/0"),
+ "ipsec_cert": ipsec_cert,
+ "ipsec_psk": ipsec_psk }
 
 if interfaces != new_interfaces:
 for name, vals in interfaces.items():
-- 
2.30.2
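Review bot: The fallback in `"local_ip": rec.options.get("local_ip", "0.0.0.0/0")` silently widens which interfaces get an IPsec policy and how broad it is: before this change a GRE interface with no `ipsec_local_ip` was skipped entirely, whereas now any GRE interface carrying `ipsec_cert` or `ipsec_psk` is configured with a wildcard local address, and `other_config:ipsec_local_ip` is no longer read at all, so existing records that set it stop being honored with no warning. Neither consequence is mentioned in the commit message. If the wildcard is intended, give it a name and a comment so the policy scope is explicit, e.g. `ANY_LOCAL_IP = "0.0.0.0/0"  # wildcard local selector; presumably matches every local address in the resulting policy -- confirm against the setkey/racoon output` and use `rec.options.get("local_ip", ANY_LOCAL_IP)` here; a one-line log when a record still carries the obsolete `ipsec_local_ip` key would make the migration visible to operators. `main` starts and ends outside the hunk.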