merging jayapalu and swill's strongswan vpn changes into a single commit

Author: swill

server/src/com/cloud/network/vpn/Site2SiteVpnManagerImpl.java

@@ -517,7 +517,7 @@ public boolean deleteVpnConnection(DeleteVpnConnectionCmd cmd) throws ResourceUn
 
         _accountMgr.checkAccess(caller, null, false, conn);
 
-        if (conn.getState() == State.Connected) {
+        if (conn.getState() != State.Pending) {
             stopVpnConnection(id);
         }
         _vpnConnectionDao.remove(id);
@@ -531,8 +531,8 @@ private void stopVpnConnection(Long id) throws ResourceUnavailableException {
             throw new CloudRuntimeException("Unable to acquire lock on " + conn);
         }
         try {
-            if (conn.getState() != State.Connected && conn.getState() != State.Error) {
-                throw new InvalidParameterValueException("Site to site VPN connection with specified id is not in correct state(connected) to process disconnect!");
+            if (conn.getState() == State.Pending) {
+                throw new InvalidParameterValueException("Site to site VPN connection with specified id is currently Pending, unable to Disconnect!");
             }
 
             conn.setState(State.Disconnected);

systemvm/patches/debian/config/opt/cloud/bin/checks2svpn.sh

@@ -22,18 +22,9 @@ then
     exit 1
 fi
 
-ipsec auto --status | grep vpn-$1 > /tmp/vpn-$1.status
+ipsec status  vpn-$1 > /tmp/vpn-$1.status
 
-cat /tmp/vpn-$1.status | grep "ISAKMP SA established" > /dev/null
-isakmpok=$?
-if [ $isakmpok -ne 0 ]
-then
-    echo -n "ISAKMP SA NOT found but checking IPsec;"
-else
-    echo -n "ISAKMP SA found;"
-fi
-
-cat /tmp/vpn-$1.status | grep "IPsec SA established" > /dev/null
+cat /tmp/vpn-$1.status | grep "ESTABLISHED" > /dev/null
 ipsecok=$?
 if [ $ipsecok -ne 0 ]
 then

systemvm/patches/debian/config/opt/cloud/bin/configure.py

@@ -471,13 +471,13 @@ def process(self):
 
     def deletevpn(self, ip):
         logging.info("Removing VPN configuration for %s", ip)
-        CsHelper.execute("ipsec auto --down vpn-%s" % ip)
-        CsHelper.execute("ipsec auto --delete vpn-%s" % ip)
+        CsHelper.execute("ipsec down vpn-%s" % ip)
+        CsHelper.execute("ipsec down vpn-%s" % ip)
         vpnconffile = "%s/ipsec.vpn-%s.conf" % (self.VPNCONFDIR, ip)
         vpnsecretsfile = "%s/ipsec.vpn-%s.secrets" % (self.VPNCONFDIR, ip)
         os.remove(vpnconffile)
         os.remove(vpnsecretsfile)
-        CsHelper.execute("ipsec auto --rereadall")
+        CsHelper.execute("ipsec reload")
 
     def configure_iptables(self, dev, obj):
         self.fw.append(["", "front", "-A INPUT -i %s -p udp -m udp --dport 500 -s %s -d %s -j ACCEPT" % (dev, obj['peer_gateway_ip'], obj['local_public_ip'])])
@@ -500,46 +500,53 @@ def configure_ipsec(self, obj):
         peerlist = obj['peer_guest_cidr_list'].lstrip().rstrip().replace(',', ' ')
         vpnconffile = "%s/ipsec.vpn-%s.conf" % (self.VPNCONFDIR, rightpeer)
         vpnsecretsfile = "%s/ipsec.vpn-%s.secrets" % (self.VPNCONFDIR, rightpeer)
+        ikepolicy=obj['ike_policy'].replace(';','-')
+        esppolicy=obj['esp_policy'].replace(';','-')
+
+        pfs='no'
+        if 'modp' in esppolicy:
+            pfs='yes'
+
         if rightpeer in self.confips:
             self.confips.remove(rightpeer)
         file = CsFile(vpnconffile)
+        file.add("#conn for vpn-%s" % rightpeer, 0)
         file.search("conn ", "conn vpn-%s" % rightpeer)
         file.addeq(" left=%s" % leftpeer)
         file.addeq(" leftsubnet=%s" % obj['local_guest_cidr'])
         file.addeq(" leftnexthop=%s" % obj['local_public_gateway'])
         file.addeq(" right=%s" % rightpeer)
-        file.addeq(" rightsubnets={%s}" % peerlist)
+        file.addeq(" rightsubnet=%s" % peerlist)
         file.addeq(" type=tunnel")
         file.addeq(" authby=secret")
         file.addeq(" keyexchange=ike")
-        file.addeq(" ike=%s" % obj['ike_policy'])
+        file.addeq(" ike=%s" % ikepolicy)
         file.addeq(" ikelifetime=%s" % self.convert_sec_to_h(obj['ike_lifetime']))
-        file.addeq(" esp=%s" % obj['esp_policy'])
-        file.addeq(" salifetime=%s" % self.convert_sec_to_h(obj['esp_lifetime']))
-        if "modp" in obj['esp_policy']:
-            file.addeq(" pfs=yes")
-        else:
-            file.addeq(" pfs=no")
+        file.addeq(" esp=%s" % esppolicy)
+        file.addeq(" lifetime=%s" % self.convert_sec_to_h(obj['esp_lifetime']))
+        file.addeq(" pfs=%s" % pfs)
         file.addeq(" keyingtries=2")
         file.addeq(" auto=start")
         if 'encap' not in obj:
             obj['encap']=False
         file.addeq(" forceencaps=%s" % CsHelper.bool_to_yn(obj['encap']))
         if obj['dpd']:
-            file.addeq("  dpddelay=30")
-            file.addeq("  dpdtimeout=120")
-            file.addeq("  dpdaction=restart")
+            file.addeq(" dpddelay=30")
+            file.addeq(" dpdtimeout=120")
+            file.addeq(" dpdaction=restart")
         secret = CsFile(vpnsecretsfile)
-        secret.search("%s " % leftpeer, "%s %s: PSK \"%s\"" % (leftpeer, rightpeer, obj['ipsec_psk']))
+        secret.search("%s " % leftpeer, "%s %s : PSK \"%s\"" % (leftpeer, rightpeer, obj['ipsec_psk']))
         if secret.is_changed() or file.is_changed():
             secret.commit()
             file.commit()
             logging.info("Configured vpn %s %s", leftpeer, rightpeer)
-            CsHelper.execute("ipsec auto --rereadall")
-            CsHelper.execute("ipsec auto --add vpn-%s" % rightpeer)
-            if not obj['passive']:
-                CsHelper.execute("ipsec auto --up vpn-%s" % rightpeer)
-        os.chmod(vpnsecretsfile, 0o400)
+            CsHelper.execute("ipsec rereadsecrets")
+
+        CsHelper.execute("ipsec reload")
+        if not obj['passive']:
+            CsHelper.execute("sudo nohup ipsec down vpn-%s" % rightpeer)
+            CsHelper.execute("sudo nohup ipsec up vpn-%s &" % rightpeer)
+        os.chmod(vpnsecretsfile, 0400)
 
     def convert_sec_to_h(self, val):
         hrs = int(val) / 3600
@@ -628,25 +635,25 @@ def process(self):
                 logging.debug("Remote accessvpn  data bag %s",  self.dbag)
                 self.remoteaccessvpn_iptables(public_ip, self.dbag[public_ip])
 
-                CsHelper.execute("ipsec auto --rereadall")
+                CsHelper.execute("ipsec down L2TP-PSK")
+                CsHelper.execute("ipsec update")
                 CsHelper.execute("service xl2tpd stop")
                 CsHelper.execute("service xl2tpd start")
-                CsHelper.execute("ipsec auto --rereadsecrets")
-                CsHelper.execute("ipsec auto --replace L2TP-PSK")
+                CsHelper.execute("ipsec rereadsecrets")
             else:
                 logging.debug("Disabling remote access vpn .....")
                 #disable remote access vpn
-                CsHelper.execute("ipsec auto --down L2TP-PSK")
+                CsHelper.execute("ipsec down L2TP-PSK")
                 CsHelper.execute("service xl2tpd stop")
 
 
     def configure_l2tpIpsec(self, left,  obj):
-        vpnconffile="%s/l2tp.conf" % (self.VPNCONFDIR)
+        l2tpconffile="%s/l2tp.conf" % (self.VPNCONFDIR)
         vpnsecretfilte="%s/ipsec.any.secrets" % (self.VPNCONFDIR)
         xl2tpdconffile="/etc/xl2tpd/xl2tpd.conf"
         xl2tpoptionsfile='/etc/ppp/options.xl2tpd'
 
-        file = CsFile(vpnconffile)
+        file = CsFile(l2tpconffile)
         localip=obj['local_ip']
         localcidr=obj['local_cidr']
         publicIface=obj['public_interface']

systemvm/patches/debian/vpn/etc/ipsec.conf

@@ -1,9 +1,8 @@
-# Manual:     ipsec.conf.5
-version	2.0	
+# ipsec.conf - strongSwan IPsec configuration file
 
 config setup
 	nat_traversal=yes
-	virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
-	protostack=auto
-	
+	charonstart=yes
+	plutostart=yes
+
 include /etc/ipsec.d/*.conf

systemvm/patches/debian/vpn/etc/ipsec.d/l2tp.conf

@@ -1,8 +1,14 @@
+#ipsec remote access vpn configuration
 conn L2TP-PSK
-        authby=secret
+        authby=psk
         pfs=no
         rekey=no
         keyingtries=3
+        keyexchange=ikev1
+        forceencaps=yes
+        leftfirewall=yes
+        leftnexthop=%defaultroute
+        type=transport
         #
         # ----------------------------------------------------------
         # The VPN server.
@@ -30,4 +36,5 @@ conn L2TP-PSK
         # ----------------------------------------------------------
         # Change 'ignore' to 'add' to enable this configuration.
         #
+        rightsubnetwithin=0.0.0.0/0
         auto=add

systemvm/patches/debian/vpn/etc/ipsec.secrets

@@ -1,2 +1,2 @@
-include /var/lib/openswan/ipsec.secrets.inc
+include /var/lib/strongswan/ipsec.conf.inc
 include /etc/ipsec.d/ipsec.*.secrets

tools/appliance/definitions/systemvmtemplate/install_systemvm_packages.sh

@@ -63,7 +63,6 @@ function install_packages() {
     nfs-common \
     samba-common cifs-utils \
     xl2tpd bcrelay ppp ipsec-tools tdb-tools \
-    openswan=1:2.6.37-3+deb7u1 \
     xenstore-utils libxenstore3.0 \
     conntrackd ipvsadm libnetfilter-conntrack3 libnl-3-200 libnl-genl-3-200 \
     ipcalc \
@@ -76,9 +75,8 @@ function install_packages() {
     sharutils
 
   ${apt_get} -t wheezy-backports install keepalived irqbalance open-vm-tools qemu-guest-agent
+  ${apt_get} -t wheezy-backports install strongswan libcharon-extra-plugins libstrongswan-extra-plugins
 
-  # hold on installed openswan version, upgrade rest of the packages (if any)
-  apt-mark hold openswan
   apt-get update
   apt-get -y --force-yes upgrade