mir/ovs
2
0
Fork 0
mirror of https://github.com/openvswitch/ovs synced 2025-09-04 16:25:17 +00:00
Code Issues Releases Wiki Activity

ovs-monitor-ipsec: Add ability to traverse NATs

Browse Source 
Stable versions of ipsec-tools have a bug that prevents our using
transport mode through a NAT box.  Even though the bug has been fixed
for years, it is only available in the 0.8 alpha release of ipsec-tools.
This commit modifies our configuration to allow NAT traversal with that
version of ipsec-tools.

NB: An official package for this version of ipsec-tools is not yet
available on Debian, so we're requiring a custom version number.
This commit is contained in:
Justin Pettit
2010-10-17 22:43:14 -07:00
parent 5f906046c2
commit e97a103420
2 changed files with 12 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
debian/control vendored
View File

@@ -45,7 +45,9 @@ Description: Open vSwitch switch implementations
Package: openvswitch-ipsec Package: openvswitch-ipsec
Architecture: any Architecture: any
Depends: Depends:
${shlibs:Depends}, ${misc:Depends}, ${python:Depends}, ipsec-tools, racoon, ${shlibs:Depends}, ${misc:Depends}, ${python:Depends},
ipsec-tools (>=0.8~alpha20090903),
racoon (>=0.8~alpha20090903),
openvswitch-common (= ${binary:Version}), openvswitch-common (= ${binary:Version}),
openvswitch-switch (= ${binary:Version}), openvswitch-switch (= ${binary:Version}),
python-openvswitch (= ${binary:Version}) python-openvswitch (= ${binary:Version})

14
debian/ovs-monitor-ipsec vendored
View File

@@ -66,6 +66,7 @@ path certificate "/etc/racoon/certs";
remote anonymous { remote anonymous {
exchange_mode main; exchange_mode main;
nat_traversal on;
proposal { proposal {
encryption_algorithm aes; encryption_algorithm aes;
hash_algorithm sha1; hash_algorithm sha1;
@@ -307,13 +308,16 @@ def main(argv):
new_interfaces = {} new_interfaces = {}
for rec in idl.data["Interface"].itervalues(): for rec in idl.data["Interface"].itervalues():
name = rec.name.as_scalar() name = rec.name.as_scalar()
local_ip = rec.other_config.get("ipsec_local_ip") ipsec_cert = rec.other_config.get("ipsec_cert")
if rec.type.as_scalar() == "gre" and local_ip: ipsec_psk = rec.other_config.get("ipsec_psk")
is_ipsec = ipsec_cert or ipsec_psk
if rec.type.as_scalar() == "gre" and is_ipsec:
new_interfaces[name] = { new_interfaces[name] = {
"remote_ip": rec.options.get("remote_ip"), "remote_ip": rec.options.get("remote_ip"),
"local_ip": local_ip, "local_ip": rec.options.get("local_ip", "0.0.0.0/0"),
"ipsec_cert": rec.other_config.get("ipsec_cert"), "ipsec_cert": ipsec_cert,
"ipsec_psk": rec.other_config.get("ipsec_psk") } "ipsec_psk": ipsec_psk }
if interfaces != new_interfaces: if interfaces != new_interfaces:
for name, vals in interfaces.items(): for name, vals in interfaces.items():