From: Ruoyu
Date: Thu, 4 Feb 2021 17:29:56 +0000 (-0500)
Subject: Fix VTI support in cnf
X-Git-Tag: 21-12-01~13
X-Git-Url: https://gerrit.akraino.org/r/gitweb?a=commitdiff_plain;h=39ffb31b48226675690201ed92d4aa5641eca577;p=icn%2Fsdwan.git
Fix VTI support in cnf
* Add base64 decoding for cert
* Repair public key authentication
Signed-off-by: Ruoyu Ying
Change-Id: I6c68143f067731118b6e175fb3523d823f26b708
Signed-off-by: Ruoyu Ying
---
diff --git a/platform/cnf/src/Dockerfile_1806_mwan3.tpl b/platform/cnf/src/Dockerfile_1806_mwan3.tpl
index 8e937d2..6c7b326 100644
--- a/platform/cnf/src/Dockerfile_1806_mwan3.tpl
+++ b/platform/cnf/src/Dockerfile_1806_mwan3.tpl
@@ -12,12 +12,14 @@ RUN mkdir /var/lock && \
 uci commit uhttpd && \
 opkg install shadow-useradd shadow-groupadd shadow-usermod sudo && \
 opkg install mwan3 jq bash && \
- opkg install strongswan-default && \
+ opkg install strongswan-default luasocket && \
 opkg install luci-app-mwan3; exit 0
 
 COPY system /etc/config/system
 COPY ipsec /etc/config/ipsec
 COPY ipsec_exec /etc/init.d/ipsec
+COPY updown /etc/updown
+COPY updown_oip /etc/updown_oip
 COPY sdewan.user /etc/sdewan.user
 COPY sdewan_svc.info /etc/sdewan_svc.info
 COPY app_cr.info /etc/app_cr.info
diff --git a/platform/cnf/src/Dockerfile_1806_mwan3_noproxy.tpl b/platform/cnf/src/Dockerfile_1806_mwan3_noproxy.tpl
index f180084..e576650 100644
--- a/platform/cnf/src/Dockerfile_1806_mwan3_noproxy.tpl
+++ b/platform/cnf/src/Dockerfile_1806_mwan3_noproxy.tpl
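Review bot: `luasocket` is appended to an opkg chain that ends in `opkg install luci-app-mwan3; exit 0`, so a failed install of the new package still yields a successful build and only surfaces at request time when ipsec_rest.lua executes `require "mime"`. Since the REST module now hard-depends on it, install it in a step whose status is not discarded, e.g. a separate `RUN opkg install luasocket` step, so the image build fails instead. The identical hunk in Dockerfile_1806_mwan3_noproxy.tpl has the same issue. The RUN instruction this hunk modifies begins before the hunk.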
@@ -9,12 +9,14 @@ RUN mkdir /var/lock && \
 uci commit uhttpd && \
 opkg install shadow-useradd shadow-groupadd shadow-usermod sudo && \
 opkg install mwan3 jq bash && \
- opkg install strongswan-default && \
+ opkg install strongswan-default luasocket && \
 opkg install luci-app-mwan3; exit 0
 
 COPY system /etc/config/system
 COPY ipsec /etc/config/ipsec
 COPY ipsec_exec /etc/init.d/ipsec
+COPY updown /etc/updown
+COPY updown_oip /etc/updown_oip
 COPY sdewan.user /etc/sdewan.user
 COPY sdewan_svc.info /etc/sdewan_svc.info
 COPY app_cr.info /etc/app_cr.info
diff --git a/platform/cnf/src/ipsec_exec b/platform/cnf/src/ipsec_exec
index 032d732..7897af3 100755
--- a/platform/cnf/src/ipsec_exec
+++ b/platform/cnf/src/ipsec_exec
@@ -189,6 +189,7 @@ config_conn() {
 if [ "$auth_method" = "psk" ]; then
 ipsec_xappend " leftauth=psk"
 ipsec_xappend " rightauth=psk"
+ secret_xappend " : PSK $pre_shared_key"
 
 [ "$remote_sourceip" != "" ] && ipsec_xappend " rightsourceip=$remote_sourceip"
 [ "$remote_subnet" != "" ] && ipsec_xappend " rightsubnet=$remote_subnet"
@@ -197,6 +198,10 @@ config_conn() {
 elif [ "$auth_method" = "pubkey" ]; then
 ipsec_xappend " leftauth=pubkey"
 ipsec_xappend " rightauth=pubkey"
+ ipsec_xappend " leftcert=$local_public_cert"
+ ipsec_xappend " leftsendcert=yes"
+ ipsec_xappend " rightsendcert=yes"
+ secret_xappend " : RSA $local_private_cert"
 
 [ "$remote_sourceip" != "" ] && ipsec_xappend " rightsourceip=$remote_sourceip"
 [ "$remote_subnet" != "" ] && ipsec_xappend " rightsubnet=$remote_subnet"
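Review bot: `secret_xappend " : PSK $pre_shared_key"` writes the key unquoted, whereas the line it replaces in config_remote (removed in the `@@ -264` hunk) wrote `: PSK \"$pre_shared_key\"`; a key containing whitespace or characters the secrets parser treats as comment or separator is now truncated or rejected, so keep the quotes: `secret_xappend " : PSK \"$pre_shared_key\""`. With the PSK line moved here, the identifier fragments config_remote emits with `secret_xappend -n` are only terminated when auth_method is psk or pubkey; in the unsupported-method branch the fragment stays open and the next write lands on the same line, so that branch should end the line too (`secret_xappend ""`), assuming config_conn runs once per remote. config_conn starts before and continues after this hunk.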
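Review bot: `leftcert=$local_public_cert` and ` : RSA $local_private_cert` are emitted without checking that either value is set; config_get in the `@@ -251` hunk supplies no default, so a remote with auth_method=pubkey but no cert options produces `leftcert=` and ` : RSA ` lines that charon rejects, and the problem only shows in the daemon log. A guard at the top of this branch, `[ -n "$local_public_cert" ] && [ -n "$local_private_cert" ] || warning "pubkey auth for $1 needs local_public_cert and local_private_cert"`, reports it at config time. Nothing beyond `rightid` (written only when remote_identifier is set, in the next hunk) constrains which certificate the peer may present, so any certificate chaining to an installed CA is accepted for that remote; if that is intended, a comment saying so would help. config_conn continues outside this hunk.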
@@ -206,13 +211,13 @@ config_conn() {
 warning "AuthenticationMethod $auth_method not supported"
 fi
 
- [ -n "$local_identifier" ] && ipsec_xappend " leftid=$local_identifier"
- [ -n "$remote_identifier" ] && ipsec_xappend " rightid=$remote_identifier"
+ [ -n "$local_identifier" ] && ipsec_xappend " leftid=\"$local_identifier\""
+ [ -n "$remote_identifier" ] && ipsec_xappend " rightid=\"$remote_identifier\""
 [ -n "$local_updown" ] && ipsec_xappend " leftupdown=$local_updown"
 [ -n "$remote_updown" ] && ipsec_xappend " rightupdown=$remote_updown"
 
 ipsec_xappend " keyexchange=$keyexchange"
- [ "$type" = "VTI-based" ] && ipsec_xappend " mark=$mark"
+ [ "$type" = "VTI-based" ] && [ -n "$mark" ] && ipsec_xappend " mark=$mark"
 
 set_crypto_proposal "$1"
 [ -n "${crypto_proposal}" ] && ipsec_xappend " esp=$crypto_proposal"
@@ -239,6 +244,8 @@ config_remote() {
 local pre_shared_key
 local auth_method
 local type
+ local local_public_cert
+ local local_private_cert
 
 config_name=$1
 
@@ -251,6 +258,8 @@ config_remote() {
 config_get local_identifier "$1" local_identifier ""
 config_get remote_identifier "$1" remote_identifier ""
 config_get type "$1" type "policy-based"
+ config_get local_public_cert "$1" local_public_cert
+ config_get local_private_cert "$1" local_private_cert
 
 [ "$gateway" = "any" ] && remote_gateway="%any" || remote_gateway="$gateway"
 
@@ -264,8 +273,6 @@ config_remote() {
 [ -n "$local_identifier" ] && secret_xappend -n "$local_identifier " || secret_xappend -n "$local_gateway "
 [ -n "$remote_identifier" ] && secret_xappend -n "$remote_identifier " || secret_xappend -n "$remote_gateway "
 
- secret_xappend ": PSK \"$pre_shared_key\""
-
 set_crypto_proposal "$1"
 ike_proposal="$crypto_proposal"
 
@@ -284,6 +291,7 @@ config_ipsec() {
 local routing_table_id
 local interface
 local device_list
+ local vip_enabled
 
 ipsec_reset
 secret_reset
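Review bot: `leftid=\"$local_identifier\"` now carries identifiers with spaces or commas (a DN) through ipsec.conf, but the same values are still written unquoted to ipsec.secrets by the `secret_xappend -n "$local_identifier "` context in the `@@ -264` hunk, so such an identifier selects the conn yet never matches its secret. Quoting it there as well, `secret_xappend -n "\"$local_identifier\" "` (and the rightid counterpart), keeps the two files in step. The `[ -n "$mark" ]` guard silences an empty `mark=` but says nothing to the reader about a VTI-based conn without a mark, which the new updown scripts presumably cannot serve since they read `PLUTO_MARK_IN` under `set -o nounset`; a `warning` in that case would be more useful than silence. config_conn begins and ends outside this hunk.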
@@ -296,8 +304,10 @@ config_ipsec() {
 secret_xappend "# generated by /etc/init.d/ipsec"
 
 config_get debug "$1" debug 0
- config_get_bool rtinstall_enabled "$1" rtinstall_enabled 1
+ config_get_bool rtinstall_enabled "$1" rtinstall_enabled 0
+ config_get_bool vip_enabled "$1" vip_enabled 0
 [ $rtinstall_enabled -eq 1 ] && install_routes=yes || install_routes=no
+ [ $vip_enabled -eq 1] && install_virtual_ip=yes || install_virtual_ip=no
 
 # prepare extra charon config option ignore_routing_tables
 for routing_table in $(config_get "$1" "ignore_routing_tables"); do
@@ -324,6 +334,7 @@ config_ipsec() {
 swan_xappend "# generated by /etc/init.d/ipsec"
 swan_xappend "charon {"
 swan_xappend " load_modular = yes"
+ swan_xappend " install_virtual_ip = $install_virtual_ip"
 swan_xappend " install_routes = $install_routes"
 [ -n "$routing_tables_ignored" ] && swan_xappend " ignore_routing_tables = $routing_tables_ignored"
 [ -n "$device_list" ] && swan_xappend " interfaces_use = $device_list"
diff --git a/platform/cnf/src/rest_v1/ipsec_rest.lua b/platform/cnf/src/rest_v1/ipsec_rest.lua
index 8500820..c996754 100644
--- a/platform/cnf/src/rest_v1/ipsec_rest.lua
+++ b/platform/cnf/src/rest_v1/ipsec_rest.lua
@@ -1,4 +1,4 @@
--- Copyright 2020 Intel Corporation, Inc
+-- Copyright 2020 Intel Corporation, Inc.
 -- Licensed to the public under the Apache License 2.0.
 
 module("luci.controller.rest_v1.ipsec_rest", package.seeall)
@@ -9,6 +9,7 @@ json = require "luci.jsonc"
 io = require "io"
 sys = require "luci.sys"
 utils = require "luci.controller.rest_v1.utils"
+mime = require "mime"
 
 uci_conf = "ipsec"
 
@@ -134,7 +135,9 @@ function save_cert(content, path)
 return false, "Can not generate cert at: " .. path
 end
 
- file:write(content)
+ mime.decode("base64")
+ local cert = mime.unb64(content)
+ file:write(cert)
 file:close()
 
 return true, path
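Review bot: `[ $vip_enabled -eq 1]` lacks the space before `]`, so `test` sees `1]` as its operand, reports an error and returns non-zero; the `&& … || …` chain then always sets `install_virtual_ip=no`, and the new vip_enabled option can never take effect. It should read `[ $vip_enabled -eq 1 ] && install_virtual_ip=yes || install_virtual_ip=no`. The default of `rtinstall_enabled` also flips from 1 to 0 here, which changes routing for existing configs that never set the option; a one-line comment giving the reason (presumably that the updown scripts now install routes themselves) would stop the next reader from reverting it. config_ipsec continues outside this hunk.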
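Review bot: `mime.decode("base64")` constructs a decoder filter and discards it, so the line does nothing; `mime.unb64(content)` performs the decode on its own, and the same dead call is repeated in load_cert at `@@ -150`. `mime.unb64` silently skips bytes outside the base64 alphabet, so a malformed or truncated upload is written to `path` as a damaged certificate and fails only later in charon; checking that `content` (whitespace stripped) matches `^[%w+/=]*$` and returning `false` before the write would report it at the API boundary instead. save_cert starts before this hunk.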
@@ -150,7 +153,8 @@ function load_cert(path)
 content = file:read "*a"
 file:close()
 end
- return content
+ mime.decode("base64")
+ return mime.unb64(content)
 end
 
 function delete_cert(path)
diff --git a/platform/cnf/src/updown b/platform/cnf/src/updown
new file mode 100755
index 0000000..2ca547e
--- /dev/null
+++ b/platform/cnf/src/updown
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+# set charon.install_virtual_ip = no to prevent the daemon from also installing the VIP
+
+set -o nounset
+set -o errexit
+
+MARK=`echo ${PLUTO_MARK_IN} | cut -d'/' -f1`
+VTI_IF="vti${MARK}"
+
+case "${PLUTO_VERB}" in
+ up-host)
+ ip tunnel add "${VTI_IF}" local "${PLUTO_ME}" remote "${PLUTO_PEER}" mode vti \
+ key "${PLUTO_MARK_OUT%%/*}"
+ ip link set "${VTI_IF}" up
+ ip route add "${PLUTO_PEER_SOURCEIP}" dev "${VTI_IF}" src "${PLUTO_ME}"
+ sysctl -w "net.ipv4.conf.${VTI_IF}.disable_policy=1"
+ ;;
+ down-host)
+ ip tunnel del "${VTI_IF}"
+ ;;
+esac
diff --git a/platform/cnf/src/updown_oip b/platform/cnf/src/updown_oip
new file mode 100755
index 0000000..82cb40f
--- /dev/null
+++ b/platform/cnf/src/updown_oip
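Review bot: `return mime.unb64(content)` raises if `content` is nil, which presumably is the case when the file could not be opened (the read is inside the block closed by the `end` visible above; the declaration is outside the hunk), whereas the old `return content` returned nil for callers to test. Keep that contract with `if not content then return nil end` before decoding. The result is also asymmetric with save_cert, which now writes decoded bytes: a file saved by it and read back here is decoded twice, so a short comment stating which encoding the stored files use, and why load_cert decodes, would settle whether that is intended. `mime.decode("base64")` here, as in save_cert, discards the filter it creates and can be dropped.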
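Review bot: The `MARK=` line uses backticks, an unquoted `${PLUTO_MARK_IN}` and two forks for what the script already does with `${PLUTO_MARK_OUT%%/*}` a few lines later; `MARK="${PLUTO_MARK_IN%%/*}"` is equivalent and satisfies ShellCheck, and the same line appears in updown_oip. Under `set -o errexit` a repeated `up-host` for the same SA (if charon re-establishes the CHILD_SA while the interface still exists) aborts at `ip tunnel add`, leaving the route and the `disable_policy` sysctl unapplied, and `down-host` fails if the tunnel is already gone. Guarding the add with `ip link show "${VTI_IF}" >/dev/null 2>&1 || ip tunnel add …` and writing the delete as `ip tunnel del "${VTI_IF}" || true` keeps both verbs idempotent.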
@@ -0,0 +1,28 @@
+#!/bin/bash
+
+# set charon.install_virtual_ip = no to prevent the daemon from also installing the VIP
+
+set -o nounset
+set -o errexit
+
+MARK=`echo ${PLUTO_MARK_IN} | cut -d'/' -f1`
+VTI_IF="vti${MARK}"
+
+case "${PLUTO_VERB}" in
+ up-client)
+ #ip tunnel add "${VTI_IF}" local "${PLUTO_ME}" remote "${PLUTO_PEER}" mode vti \
+ ip tunnel add "${VTI_IF}" local "${PLUTO_ME}" remote 0.0.0.0 mode vti \
+ key "${PLUTO_MARK_OUT%%/*}"
+ ip link set "${VTI_IF}" up
+ ip addr add "${PLUTO_MY_SOURCEIP}" dev "${VTI_IF}"
+ ip rule add to "${PLUTO_MY_SOURCEIP}" table 40
+ ip rule add from "${PLUTO_MY_SOURCEIP}" table 40
+ ip route add "${PLUTO_PEER}" dev "${VTI_IF}" src "${PLUTO_MY_SOURCEIP}" table 40
+ sysctl -w "net.ipv4.conf.${VTI_IF}.disable_policy=1"
+ ;;
+ down-client)
+ ip rule del from all to "${PLUTO_MY_SOURCEIP}"
+ ip rule del from "${PLUTO_MY_SOURCEIP}"
+ ip tunnel del "${VTI_IF}"
+ ;;
+esac
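Review bot: `remote 0.0.0.0` lets the VTI accept any peer address, and the commented-out `remote "${PLUTO_PEER}"` line above it is left without an explanation of why the wildcard is needed; the `key` mark still binds decrypted traffic to this SA, but the reader cannot tell whether the wildcard is deliberate, so replace the dead line with a comment such as `# remote 0.0.0.0: peer address may change (e.g. NAT); SA selection is by mark`. In `down-client`, `errexit` means a failed `ip rule del` (rule already removed) skips `ip tunnel del`, and both deletions omit the `table 40` the adds used, so a different rule with the same selector could be removed instead; `ip rule del to "${PLUTO_MY_SOURCEIP}" table 40 || true` and its `from` counterpart make teardown exact and idempotent. The table id `40` is a bare constant repeated on several lines; a `readonly` variable with a comment on what else uses that table would make collisions easier to spot.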