ovs-monitor-ipsec: Add ability to traverse NATs

Stable versions of ipsec-tools have a bug that prevents our using transport mode through a NAT box. Even though the bug has been fixed for years, it is only available in the 0.8 alpha release of ipsec-tools. This commit modifies our configuration to allow NAT traversal with that version of ipsec-tools. NB: An official package for this version of ipsec-tools is not yet available on Debian, so we're requiring a custom version number.
2025-08-31 22:35:15 +00:00 · 2010-10-17 22:43:14 -07:00
parent 5f906046c2
commit e97a103420
2 changed files with 12 additions and 6 deletions
--- a/debian/control
+++ b/debian/control
@@ -45,7 +45,9 @@ Description: Open vSwitch switch implementations
 Package: openvswitch-ipsec
 Architecture: any
 Depends:
- ${shlibs:Depends}, ${misc:Depends}, ${python:Depends}, ipsec-tools, racoon,
+ ${shlibs:Depends}, ${misc:Depends}, ${python:Depends}, 
+ ipsec-tools (>=0.8~alpha20090903), 
+ racoon (>=0.8~alpha20090903),
 openvswitch-common (= ${binary:Version}),
 openvswitch-switch (= ${binary:Version}),
 python-openvswitch (= ${binary:Version})
--- a/debian/ovs-monitor-ipsec
+++ b/debian/ovs-monitor-ipsec
@@ -66,6 +66,7 @@ path certificate "/etc/racoon/certs";

 remote anonymous {
        exchange_mode main;
+        nat_traversal on;
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
@@ -307,13 +308,16 @@ def main(argv):
        new_interfaces = {}
        for rec in idl.data["Interface"].itervalues():
            name = rec.name.as_scalar()
-            local_ip = rec.other_config.get("ipsec_local_ip")
-            if rec.type.as_scalar() == "gre" and local_ip:
+            ipsec_cert = rec.other_config.get("ipsec_cert")
+            ipsec_psk = rec.other_config.get("ipsec_psk")
+            is_ipsec = ipsec_cert or ipsec_psk
+
+            if rec.type.as_scalar() == "gre" and is_ipsec:
                new_interfaces[name] = {
                        "remote_ip": rec.options.get("remote_ip"),
-                        "local_ip": local_ip,
-                        "ipsec_cert": rec.other_config.get("ipsec_cert"),
-                        "ipsec_psk": rec.other_config.get("ipsec_psk") }
+                        "local_ip": rec.options.get("local_ip", "0.0.0.0/0"),
+                        "ipsec_cert": ipsec_cert,
+                        "ipsec_psk": ipsec_psk }
 
        if interfaces != new_interfaces:
            for name, vals in interfaces.items():