scottk/wlan-lanforge-scripts
1
0
Fork 0
mirror of https://github.com/Telecominfraproject/wlan-lanforge-scripts.git synced 2025-11-05 21:28:03 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'master' of github.com:greearb/lanforge-scripts

Browse Source
This commit is contained in:
Ben Greear
2019-10-09 07:52:12 -07:00
parent f001c1df41 c92154abdd
commit 2823d7bbdd
6 changed files with 770 additions and 32 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
every_vrf.sh Executable file
View File

@@ -0,0 +1,27 @@
#!/bin/bash
[[ $# < 2 ]] && {
echo "Usage: $0 'a command' eth1 eth2 sta2 st3"
echo "Runs 'a command' in a vrf environment for all following stations"
exit 1
}
[[ -f lib_vrf.bash ]] || {
echo "missing lib_vrf.bash, cannot continue"
exit 1
}
. lib_vrf.bash
execthis="$1"
shift
for eth in "$@"; do
[[ $execthis = $eth ]] && continue
vrf=${IFNAMES[$eth]}
if [[ x$vrf = x ]] || [[ $vrf = unknown ]]; then
echo "Skipping interface $eth"
continue
fi
echo "[$execthis] $vrf"
ip vrf exec $vrf $execthis &
done

130
hires_cxreport.pl Executable file
View File

@@ -0,0 +1,130 @@
#!/usr/bin/perl
package main;
if (defined $ENV{DEBUG}) {
use strict;
use warnings;
use diagnostics;
use Carp;
use Data::Dumper;
}
use Time::HiRes qw(usleep ualarm gettimeofday stat lstat utime);
#use Time::Format qw/%time/;
if ( -f "./LANforge/Utils.pm" ) {
use lib '.';
}
elsif ( -f "/home/lanforge/scripts/LANforge/Utils.pm" ) {
use lib "/home/lanforge/scripts/LANforge";
}
use LANforge::Utils;
use Net::Telnet ();
use Getopt::Long;
our $quiet = 1;
my $report_filename = "/tmp/hires_report.txt";
my $duration_sec = 60;
my $cx = "rdtest";
our $lfmgr_host = 'localhost';
our $lfmgr_port = 4001;
$| = 1;
my $t = new Net::Telnet(Prompt => '/default\@btbits\>\>/',
Timeout => 60);
$t->open(Host => $::lfmgr_host,
Port => $::lfmgr_port,
Timeout => 10);
$t->max_buffer_length(16 * 1024 * 1000); # 16 MB buffer
$t->waitfor("/btbits\>\>/");
# Configure our utils.
our $utils = new LANforge::Utils();
$::utils->telnet($t); # Set our telnet object.
if ($::utils->isQuiet()) {
if (defined $ENV{'LOG_CLI'} && $ENV{'LOG_CLI'} ne "") {
$::utils->cli_send_silent(0);
}
else {
$::utils->cli_send_silent(1); # Do not show input to telnet
}
$::utils->cli_rcv_silent(1); # Repress output from telnet
}
else {
$::utils->cli_send_silent(0); # Show input to telnet
$::utils->cli_rcv_silent(0); # Show output from telnet
}
#$::utils->log_cli("# $0 ".`date "+%Y-%m-%d %H:%M:%S"`);
$SIG{'INT'} = sub {
$::utils->doCmd("set_cx_state all $cx STOPPED");
exit 0;
};
# start rdtest
my %times = ();
$times{gettimeofday().'_before_set_cx_state'} = gettimeofday() ." before_start_cx 0 0";
$::utils->doCmd("set_cx_report_timer all $cx 250");
$::utils->doCmd("set_cx_state all $cx RUNNING");
$times{gettimeofday().'_after_set_cx_state'} = gettimeofday() ." after_start_cx 0 0";
my $timelimit = $duration_sec + time();
my $show_cx_str = '';
my $lastline = '';
my $lasttime = 0;
my @hunks = ();
my $delta = 0;
my $tod = gettimeofday();
my $last_a = 0;
my $last_b = 0;
my $step_a = 0;
my $step_b = 0;
while ($tod < $timelimit) {
# the command below does not indicate last reported timestamp, skip it
# $show_cx_str = $::utils->doAsyncCmd("show_cxe all $cx");
# $times{gettimeofday()."_show_cxe"} = $show_cx_str;
$tod = gettimeofday();
$lastline=`tail -1 /home/lanforge/lf_reports/${cx}-A*`;
@hunks = split(',', $lastline);
$hunks[0] = $hunks[0]/1000 if ($hunks[0] > 0);
$last_a = $hunks[0] if ($last_a == 0);
if ($hunks[0] gt $last_a){
print "\nnew report A entry!\n";
$step_a = $hunks[0] - $last_a;
$last_a = $hunks[0];
$delta = $tod - $hunks[0];
$times{"${tod}_tail_csv-A"} = "$hunks[0] $hunks[1] $step_a $delta";
}
$lastline=`tail -1 /home/lanforge/lf_reports/${cx}-B*`;
@hunks = split(',', $lastline);
$hunks[0] = $hunks[0]/1000 if ($hunks[0] > 0);
$last_b = $hunks[0] if ($last_b == 0);
if ($hunks[0] gt $last_b) {
print "\nnew report B entry!\n";
$step_b = $hunks[0] - $last_b;
$last_b = $hunks[0];
$delta = $tod - $hunks[0];
$times{"${tod}_tail_csv-B"} = "$hunks[0] $hunks[1] $step_b $delta";
}
usleep(125);
if (time() gt $lasttime) {
print "\r".($timelimit - time())." sec remaining ";
$lasttime = time();
}
} #~while
$::utils->doCmd("set_cx_state all $cx STOPPED");
print "...collected.\n";
die unless open(my $fh, ">", $report_filename);
#print $fh "TimeKeyInput csv_record_tstampsecs endpoint sec_since_last_report seconds_lag_since_last_report\n";
print $fh "clock csv_tstamp_secs endpoint sec_btwn_reports tstamp_lag_sec\n";
foreach $key (sort {$a cmp $b} (keys %times)) {
my ($clock) = $key =~ m/^([^_]+)/;
@hunks = split(' ', $times{$key});
print$fh sprintf "%14.3f %15.3f %18s %20.3f %15.3f\n", 0.0+$clock, $hunks[0], $hunks[1], $hunks[2], $hunks[3];
}
close $fh;
print "View the report at $report_filename\n";
#eof

95
lf_curl.sh
View File

@@ -1,7 +1,14 @@
#!/bin/bash #!/bin/bash
[ -f /home/lanforge/lanforge.profile ] && . /home/lanforge/lanforge.profile if [ -f /home/lanforge/lanforge.profile ]; then
CURL=`which curl`; . /home/lanforge/lanforge.profile
else
echo "/home/lanforge/lanforge.profile not found, bye."
exit 1
fi
CURL=`which curl`
IP=`which ip`
#echo $CURL; #echo $CURL;
[ -f lib_vrf.bash ] && . ./lib_vrf.bash
SOURCE_IP="" SOURCE_IP=""
SOURCE_PORT="" SOURCE_PORT=""
@@ -11,21 +18,22 @@ NUM_LOOPS=1
help="$0 options: help="$0 options:
-d {destination_url} -d {destination_url}
-h this help -h # this help
-i {source ip} -i {source ip}
-n {number of times, 0 = infinite} -n {number of times, 0 = infinite}
-o {output file prefix, /dev/null is default} -o {output file prefix, /dev/null is default}
-p {source port} -p {source port}
-v # verbose curl option -#
E.G.: E.G.:
$0 -i 10.0.0.1 -p eth1 -o /tmp/output -d http://example.com/ $0 -i 10.0.0.1 -p eth1 -o /tmp/output -d http://example.com/
becomes becomes
curl -sqLk --interface 10.0.0.1 -o /tmp/output_eth1 http://example.com/ curl -sq. ~Lk --interface 10.0.0.1 -o /tmp/output_eth1 http://example.com/
Best if used from lf_generic_ping.pl to construct commands referencing this script: Best if used from lf_generic_ping.pl to construct commands referencing this script:
./lf_generic_ping.pl --mgr cholla-f19 -r 2 -n curl_ex_ --match 'eth2#' --cmd 'lf_curl.sh -o /tmp/curl_%p.out -i %i -d %d -p %p' --dest http://localhost/ ./lf_generic_ping.pl --mgr cholla-f19 -r 2 -n curl_ex_ --match 'eth2#' --cmd 'lf_curl.sh -o /tmp/curl_%p.out -i %i -d %d -p %p' --dest http://localhost/
" "
LFCURL=''
while getopts ":d:hi:n:o:p:" OPT ; do while getopts ":d:vhi:n:o:p:" OPT ; do
#echo "OPT[$OPT] OPTARG[$OPTARG]" #echo "OPT[$OPT] OPTARG[$OPTARG]"
case $OPT in case $OPT in
h) h)
@@ -36,10 +44,9 @@ while getopts ":d:hi:n:o:p:" OPT ; do
DEST_HOST="$OPTARG" DEST_HOST="$OPTARG"
;; ;;
i) i)
if [[ $CURL = ~/local/bin/curl ]]; then PORT_IP="$OPTARG"
SOURCE_IP="--dns-ipv4-addr $OPTARG --interface $OPTARG" if [[ $CURL = ~/local/bin/curl ]] || [[ $CURL = /home/lanforge/local/bin/curl ]]; then
else LFCURL=1
SOURCE_IP="--interface $OPTARG"
fi fi
;; ;;
n) n)
@@ -49,8 +56,12 @@ while getopts ":d:hi:n:o:p:" OPT ; do
OUT_FILE="$OPTARG" OUT_FILE="$OPTARG"
;; ;;
p) p)
PORT="$OPTARG"
SOURCE_PORT="--interface $OPTARG" SOURCE_PORT="--interface $OPTARG"
;; ;;
v)
PROGRESS='-#'
;;
*) *)
echo "Unknown option [$OPT] [$OPTARG]" echo "Unknown option [$OPT] [$OPTARG]"
;; ;;
@@ -64,27 +75,67 @@ fi
if [[ x$OUT_FILE != x/dev/null ]] && [[ x$SOURCE_PORT != x ]] ; then if [[ x$OUT_FILE != x/dev/null ]] && [[ x$SOURCE_PORT != x ]] ; then
OUT_FILE="-o ${OUT_FILE}_${SOURCE_PORT}" OUT_FILE="-o ${OUT_FILE}_${SOURCE_PORT}"
elif [[ $OUT_FILE = /dev/null ]]; then
OUT_FILE="-o ${OUT_FILE}"
fi fi
VRF=''
NUM_GOOD=0 NUM_GOOD=0
LB='#'
L_SOURCE_PORT="$PORT"
if [[ $PORT = *$LB* ]] && [[ $PORT != *@* ]]; then
L_SOURCE_PORT="${PORT}@${PORT//#*/}"
fi
if [[ ${#IFNAMES[@]} -lt 1 ]]; then
[[ x$PROGRESS != x ]] && echo "NO VRF PORTS: ${#IFNAMES[@]}"
else
[[ x$PROGRESS != x ]] && echo "SOME VRF PORTS: ${#IFNAMES[@]}"
if [[ x${IFNAMES[$L_SOURCE_PORT]} = x ]]; then
[[ x$PROGRESS != x ]] && echo "No vrf port detected for $L_SOURCE_PORT"
else
[[ x$PROGRESS != x ]] && echo "VRF port: ${IFNAMES[$L_SOURCE_PORT]}"
VRF=1
fi
fi
if [[ $VRF = 1 ]]; then
SOURCE_IP=''
elif [[ $LFCURL = 1 ]]; then
SOURCE_IP="--dns-ipv4-addr $OPTARG --interface $OPTARG"
else
SOURCE_IP="--interface $OPTARG"
fi
STD_O="/tmp/lf_curl_so.$$"
if [[ x$PROGRESS = x ]]; then
VERB="-s"
STD_E="/tmp/lf_curl_se.$$"
else
VERB=""
STD_E=""
fi
CCMD="$CURL $VERB -Lk --connect-timeout 2 --max-time 10 $PROGRESS \
-D /tmp/lf_curl_h.$$ $OUT_FILE $SOURCE_IP $DEST_HOST"
if [[ x$VRF != x ]]; then
CCMD="$IP vrf exec ${IFNAMES[$L_SOURCE_PORT]} $CCMD"
fi
for N in `seq 1 $NUM_LOOPS`; do for N in `seq 1 $NUM_LOOPS`; do
$CURL -sqLk --connect-timeout 1 \ if [[ x$PROGRESS = x ]]; then
--max-time 10 \ $CCMD > $STD_O &> $STD_E
-D /tmp/lf_curl_h.$$ \ else
$OUT_FILE \ echo "Running $CCMD"
$SOURCE_IP \ $CCMD
$DEST_HOST \ fi
> /tmp/lf_curl_so.$$ \
2> /tmp/lf_curl_se.$$
if [[ $? > 0 ]]; then if [[ $? > 0 ]]; then
echo "Failed $DEST_HOST" echo "Failed $DEST_HOST"
head -1 /tmp/lf_curl_se.$$ [ -f /tmp/lf_curl_se.$$ ] && head -1 /tmp/lf_curl_se.$$
else else
NUM_GOOD=$(( $NUM_GOOD +1)) NUM_GOOD=$(( $NUM_GOOD +1))
head -1 /tmp/lf_curl_so.$$ [ -f /tmp/lf_curl_so.$$ ] && head -1 /tmp/lf_curl_so.$$
head -1 /tmp/lf_curl_h.$$ [ -f /tmp/lf_curl_h.$$ ] && head -1 /tmp/lf_curl_h.$$
fi fi
sleep 1 sleep 1
done done

51
lib_vrf.bash Executable file
View File

@@ -0,0 +1,51 @@
#!/bin/bash
# create an associative array of vrf interfaces and their ports
IFLINES=()
declare -A IFNAMES
export IFNAMES
declare -A VRFNAMES
export VRFNAMES
while read line; do
IFLINES+=("$line")
done < <(ip -o link show)
RE_MASTER=' master ([^ ]+) state '
for item in "${IFLINES[@]}"; do
#echo -e "\t$item"
[[ x$item = x ]] && continue
IFS=': ' hunks=($item)
[[ "${hunks[1]}" = "" ]] && continue
ifname="${hunks[1]}"
[[ "$ifname" = *NOARP,MASTER* ]] && continue
IFNAMES["$ifname"]="unknown"
if [[ $item = *master* ]] && [[ $item = *vrf* ]]; then
#echo "Looking for vrf in $ifname"
if [[ $item =~ $RE_MASTER ]]; then
[[ x${BASH_REMATCH[1]} = x ]] && continue;
vrfname=${BASH_REMATCH[1]};
#echo "[[[$ifname]]] [[[$vrfname]]]"
IFNAMES["$ifname"]="$vrfname"
VRFNAMES["$vrfname"]="$ifname"
fi
fi
done
if [[ x$VRF_DEBUG = x1 ]]; then
echo "Interfaces: "
for ifname in "${!IFNAMES[@]}"; do
echo "IFN $ifname => ${IFNAMES[$ifname]}"
done
echo "virtual routers: "
for vrfname in "${!VRFNAMES[@]}"; do
echo "VRF $vrfname => ${VRFNAMES[$vrfname]}"
done
fi
#

29
setup-concentrator.sh
View File

@@ -162,7 +162,8 @@ EOF
function create_station_peer() { function create_station_peer() {
if [ -f "$SWANC/peers-available/${1}.conf-remote" ]; then if [ -f "$SWANC/peers-available/${1}.conf-remote" ]; then
echo "Peer $1 remote config already exists." echo "Peer $1 remote config already exists."
return; echo "Remove $SWANC/peers-available/${1}.conf-remote to continue."
exit 1;
fi fi
cat > "$SWANC/peers-available/${1}.conf-remote" <<EOF cat > "$SWANC/peers-available/${1}.conf-remote" <<EOF
@@ -236,10 +237,9 @@ function create_station_key() {
lines+=($line) lines+=($line)
done done
for line in "${lines}"; do for line in "${lines}"; do
echo "L1NE $line"
echo "$line" echo "$line"
done > $SWANC/remote-${1}-secrets.conf done > $SWANC/${1}-secrets.conf-remote
echo "created $SWANC/remote-${1}-secrets.conf" echo "created $SWANC/${1}-secrets.conf-remote"
} }
function get_vrf_for_if() { function get_vrf_for_if() {
@@ -284,12 +284,18 @@ function activate_all() {
done done
} }
function copy_config() {
local vrf=`get_vrf_for_if $WAN_IF`
ip vrf exec $vrf scp $WAN_IP:$SWANC/${1}-secrets.conf-remote $SWANC/${1}-secrets.conf
ip vrf exec $vrf scp $WAN_IP:$SWANC/peers-available/${1}.conf-remote $SWANC/peers-available/${1}.conf
}
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# M A I N # M A I N
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
while getopts "a:c:d:p:v:behi" arg; do while getopts "a:c:d:f:p:v:behi" arg; do
case $arg in case $arg in
a) a)
check_arg $OPTARG check_arg $OPTARG
@@ -297,7 +303,7 @@ while getopts "a:c:d:p:v:behi" arg; do
activate_peer $OPTARG activate_peer $OPTARG
;; ;;
b) b)
enable_ipsec_if $WLAN_IF enable_ipsec_if $WAN_IF
;; ;;
c) c)
check_arg $OPTARG check_arg $OPTARG
@@ -315,16 +321,22 @@ while getopts "a:c:d:p:v:behi" arg; do
e) e)
activate_all activate_all
;; ;;
f)
check_arg $OPTARG
copy_config $OPTARG
;;
h) h)
cat <<EOF cat <<EOF
$0 -i : initialize /etc/strongswan directories $0 -i : initialize /etc/strongswan directories
-b : enable ipsec transform interface on [$WLAN_IF] -b : enable ipsec transform interface on [$WAN_IF]
-c peer : create_station_peer then create_station_key -c peer : create_station_peer then create_station_key
-a peer : activate peer -a peer : activate peer
-d peer : deactivate peer -d peer : deactivate peer
-e : activate all peers -e : activate all peers
-f peer : copy config files from $WAN_IF:/etc/strongswan/swanctl/\$peer.conf-remote
-p : print peers -p : print peers
-v intf : get vrf for interface
-h : help
EOF EOF
;; ;;
i) i)
@@ -340,6 +352,7 @@ EOF
check_arg $OPTARG check_arg $OPTARG
get_vrf_for_if $OPTARG get_vrf_for_if $OPTARG
;; ;;
*) echo "Unknown option: $arg" *) echo "Unknown option: $arg"
esac esac
done done

466
setup-concentrator2.sh Executable file
View File

@@ -0,0 +1,466 @@
#!/bin/bash
set -x
set -e
[ -f /root/strongswan-config ] && . /root/strongswan-config ||:
ETC=${ETC:=/etc/strongswan}
SWAND="$ETC/strongswan.d"
IPSECD="$ETC/ipsec.d"
SWANC="$ETC/swanctl"
NOWSEC=`date +%s`
SWAN_LIBX=${SWAN_LIBX:=/usr/libexec/strongswan}
[ -d $SWAN_LIBX ] || {
echo "SWAN_LIBX $SWAN_LIBX not found. Plese set SWAN_LIBX in /root/strongswan-config"
exit 1
}
export LD_LIBRARY_PATH="$SWAN_LIBX:$LD_LIBRARY_PATH"
WAN_IF=${WAN_IF:=eth1}
WAN_IP=${WAN_IP:=10.1.99.1}
WAN_CONCENTRATOR_IP=${WAN_CONCENTRATOR_IP:=10.1.99.1}
# most for the concentrator
XIF_IP=${XIF_IP:=10.9.99.1} # for concentrator
XIF_CLIENT_IP=${XIF_IP:=10.9.99.2} # for station
CLIENT_OUTTER_IP=${CLIENT_OUTTER_IP:=10.4.99.1}
CLIENT_NETNS_IP=${CLIENT_NETNS_IP:=10.4.99.2}
function initialize_vrf() {
local WANDEV=$WAN_IF
local vrfid=$1
[[ $vrfid = _* ]] && vrfid=${vrfid#_}
[[ $vrfid = vrf* ]] && vrfid=${vrfid#vrf}
local vrf_if="vrf${vrfid}"
local xfrm_if="xfrm${vrfid}"
# do you need this?
#sysctl -w net.ipv4.ip_forward=1
#sysctl -w net.ipv4.conf.all.rp_filter=0
# setup vrf
ip link add $vrf_if type vrf table $vrfid ||:
ip link set dev $vrf_if up ||:
ip route add unreachable default metric 4278198272 vrf $vrf_if ||:
# create tunnel device
ip li del $xfrm_if >/dev/null 2>&1 ||:
$SWAN_LIBX/xfrmi -n $xfrm_if -i $vrfid -d $WANDEV ||:
ip li set dev $xfrm_if up
ip li set dev $xfrm_if master $vrf_if ||:
ip a add 169.254.24.201/32 dev $xfrm_if scope link ||:
ip ro add default dev $xfrm_if vrf $vrf_if ||:
#ip -6 ro add default dev $xfrm_if vrf $vrf_if
}
function initialize_client_if() {
local intf=$1
local vrfid=`get_vrf_for_if $1`
[[ $vrfid = _* ]] && vrfid=${vrfid#_}
[[ $vrfid = vrf* ]] && vrfid=${vrfid#vrf}
local vrf_if="vrf${vrfid}"
local xfrm_if="xfrm${vrfid}"
# do you need this?
#sysctl -w net.ipv4.ip_forward=1
#sysctl -w net.ipv4.conf.all.rp_filter=0
# setup vrf
ip link add $vrf_if type vrf table $vrfid ||:
ip link set dev $vrf_if up ||:
ip route add unreachable default metric 4278198272 vrf $vrf_if ||:
# create tunnel device
ip li del $xfrm_if >/dev/null 2>&1 ||:
$SWAN_LIBX/xfrmi -n $xfrm_if -i $vrfid -d $intf ||:
ip li set dev $xfrm_if up
ip li set dev $xfrm_if master $vrf_if ||:
ip a add 169.254.24.201/32 dev $xfrm_if scope link ||:
ip ro add default dev $xfrm_if vrf $vrf_if ||:
#ip -6 ro add default dev $xfrm_if vrf $vrf_if
}
function initialize_fake_client_netns() {
local vrfid=$1
local wan_if=$1
[[ x$vrfid = x ]] && echo "cannot use blank argument" && exit 1
if [[ $1 != *vrf* ]]; then
vrfid=`get_vrf_for_if $1`
fi
[[ $vrfid = _* ]] && vrfid=${vrfid#_}
[[ $vrfid = vrf* ]] && vrfid=${vrfid#vrf}
echo "VRFID $vrfid"
sleep 5
sysctl net.ipv4.conf.all.rp_filter=0
sysctl net.ipv4.conf.default.rp_filter=0
ip netns add ts-vrf-${vrfid} ||:
ip netns exec ts-vrf-${vrfid} ip li set dev lo up ||:
ip li del ts-vrf-${vrfid}a ||:
ip link add ts-vrf-${vrfid}a type veth peer name ts-vrf-${vrfid}b netns ts-vrf-${vrfid} ||:
ip netns exec ts-vrf-${vrfid} ip link set dev ts-vrf-${vrfid}b up ||:
ip netns exec ts-vrf-${vrfid} ip a add dev ts-vrf-${vrfid}b $CLIENT_NETNS_IP/24 ||:
ip netns exec ts-vrf-${vrfid} ip ro add default via $CLIENT_OUTTER_IP ||:
ip li set dev ts-vrf-${vrfid}a up
ip li set dev ts-vrf-${vrfid}a master vrf${vrfid} ||:
ip a add $CLIENT_OUTTER_IP/24 dev ts-vrf-${vrfid}a ||:
}
function initialize() {
[ -d "$SWANC/peers-available" ] || mkdir "$SWANC/peers-available"
[ -d "$SWANC/peers-enabled" ] || mkdir "$SWANC/peers-enabled"
[ -f "$SWANC/secrets.conf" ] || touch "$SWANC/secrets.conf"
systemctl enable strongswan
systemctl daemon-reload
systemct start strongswan || {
journalctl -xe
}
}
function vrf_ping() {
local vrfid=$1
ip netns exec ts-vrf-$vrfid ping 10.0.201.2
}
function backup_keys() {
if [ -f $SWANC/secrets.conf ]; then
cp $SWANC/secrets.conf $SWANC/.secrets.conf.$NOWSEC
fi
}
function deactivate_peer() {
[ -e "$SWANC/peers-enabled/${1}.conf" ] || {
if [ -e "$SWANC/peers-available/${1}.conf" ]; then
echo "Peer $1 deactivated."
else
echo "No peer config at $SWANC/peers-available/${1}.conf"
fi
exit 0
}
echo -n "Deactivating $1..."
rm "$SWANC/peers-enabled/${1}.conf"
swanctl --load-all
echo "done"
}
function activate_peer() {
[ -f "$SWANC/peers-available/${1}.conf" ] || {
echo "No peer config at $SWANC/peers-available/${1}.conf"
exit 1
}
if [ -e "$SWANC/peers-enabled/${1}.conf" ]; then
echo "Peer $1 actiated."
else
echo -n "Activating $1..."
ln -s" $SWANC/peers-available/${1}.conf" "$SWANC/peers-enabled/"
swanctl --load-all
echo "done"
fi
}
function create_concentrator_peer() {
if [ -f "$SWANC/peers-available/${1}.conf" ]; then
echo "Peer $1 config already exists."
return;
fi
cat > "$SWANC/peers-available/${1}.conf" <<EOF
$1 {
local_addrs = %any
remote_addrs = %any
unique = replace
local {
auth = psk
id = @${1}-slave.loc # identifier, use VRF ID
}
remote {
auth = psk
id = @${1}-master.loc # remote id, use VRF ID
}
children {
${1}_sa {
local_ts = 0.0.0.0/0, ::/0
remote_ts = 0.0.0.0/0, ::/0
if_id_out = 1 # xfrm interface id, use VRF ID
if_id_in = 1 # xfrm interface id, use VRF ID
start_action = trap
life_time = 1h
rekey_time = 55m
esp_proposals = aes256gcm128-modp3072 # good for Intel HW
dpd_action = trap
}
}
keyingtries = 0
dpd_delay = 30
version = 2
mobike = yes
rekey_time = 23h
over_time = 1h
proposals = aes256-sha256-modp3072
}
EOF
}
function create_station_peer() {
if [ -f "$SWANC/peers-available/${1}.conf-remote" ]; then
echo "Peer $1 remote config already exists."
echo "Remove $SWANC/peers-available/${1}.conf-remote to continue."
exit 1;
fi
cat > "$SWANC/peers-available/${1}.conf-remote" <<EOF
$1 {
local_addrs = %any # use any local ip to connect to remote
remote_addrs = $WAN_CONCENTRATOR_IP
unique = replace
local {
auth = psk
id = @${1}-master.loc # identifier, use VRF ID
}
remote {
auth = psk
id = @${1}-slave.loc # remote id, use VRF ID
}
children {
${1}_sa {
local_ts = 0.0.0.0/0, ::/0
remote_ts = 0.0.0.0/0, ::/0
if_id_out = 1 # xfrm interface id, use VRF ID
if_id_in = 1 # xfrm interface id, use VRF ID
start_action = trap
life_time = 1h
rekey_time = 55m
esp_proposals = aes256gcm128-modp3072 # good for Intel HW
dpd_action = trap
}
}
keyingtries = 0
dpd_delay = 30
version = 2
mobike = yes
rekey_time = 23h
over_time = 1h
proposals = aes256-sha256-modp3072
}
EOF
}
function create_concentrator_key() {
[ -f "$SWANC/secrets.conf" ] || {
echo "$SWANC/secrets.conf not found!"
exit 1
}
backup_keys
k=`dd if=/dev/urandom bs=20 count=1 | base64`
cat >> "$SWANC/secrets.conf" <<EOF
ike-${1}-master {
id = ${1}-master.loc # use remote id specified in tunnel config
secret = "$k"
}
EOF
echo "created $1 key"
}
function create_station_key() {
[ -f "$SWANC/secrets.conf" ] || {
echo "$SWANC/secrets.conf not found!"
exit 1
}
backup_keys
local conc_keys=(`egrep -B4 "^ike-${1}-master \{" $SWANC/secrets.conf`)
local lines=()
local foundit=0
local line
for line in "${conc_keys[@]}"; do
echo "LINE $line"
[[ $line = *-master.loc ]] && {
line=${line/master.loc/slave.loc}
} ||:
lines+=($line)
done
for line in "${lines}"; do
echo "$line"
done > $SWANC/${1}-secrets.conf-remote
echo "created $SWANC/${1}-secrets.conf-remote"
}
function get_vrf_for_if() {
local ifmaster=`ip -o li show $1 | egrep -o '(master \S+)'`
[[ x${ifmaster} = x ]] && echo "\nNo master found for $1" && exit 1
echo ${ifmaster#master }
}
function enable_concentrator_ipsec_if() {
local vrf_if=$1
if [[ $vrf_if != vrf* ]]; then
vrf_if=$(get_vrf_for_if $1)
fi
local vrfnum=${vrf_if#vrf}
local xif="xfrm${vrfnum}"
sleep 1
$SWAN_LIBX/xfrmi -n $xif -i ${vrfnum} -d $WAN_IF ||:
sleep 1
ip link set dev $xif up ||:
ip link set dev $xif master $vrf_if ||:
ip address add $XIF_IP/32 dev $xif scope link ||:
#ip route add default dev $xif vrf $vrfnum ||: # doesn't work quite this way
#ip route add 10.0.0.0/8 dev $xif vrf $vrfnum ||: # not quite
ip route add default dev $xif vrf $vrf_if ||:
sleep 1
}
function enable_station_ipsec_if() {
local vrf_if=$1
local wan_if=$1
if [[ $wan_if = *vrf* ]]; then
echo "enable_station_ipsec_if wants L2 interface, not vrf"
exit 1
fi
if [[ $vrf_if != vrf* ]]; then
vrf_if=$(get_vrf_for_if $1)
fi
[[ $vrf_if = _* ]] && vrf_if=${vrf_if#_}
local vrfnum=${vrf_if#vrf}
local xif="xfrm${vrfnum}"
sleep 1
$SWAN_LIBX/xfrmi -n $xif -i ${vrfnum} -d $wan_if ||:
sleep 1
ip link set dev $xif up ||:
ip link set dev $xif master $vrf_if ||:
ip address add $XIF_CLIENT_IP/32 dev $xif scope link ||:
#ip route add default dev $xif vrf $vrfnum ||: # doesn't work quite this way
#ip route add 10.0.0.0/8 dev $xif vrf $vrfnum ||: # not quite
sleep 1
ip route add 10.4.99.1/32 dev $xif vrf $vrf_if ||:
ip route add 10.9.99.1/32 dev $xif vrf $vrf_if ||:
ip route add 10.1.99.0/24 dev $xif vrf $vrf_if ||:
sleep 1
}
function check_arg() {
if [ ! -f "$SWANC/secrets.conf" ] ; then
echo "$SWANC/secrets.conf not found. Suggest running $0 -i, bye."
exit 1
fi
[[ z$1 != z ]] || {
echo "Please give me a peer name, bye."
exit 1
}
}
function activate_all() {
local f
for f in $SWANC/*.conf; do
echo "CONF $f"
f=`basename $f`
[[ $f = secrets.conf ]] && continue ||:
[[ $f = swanctl.conf ]] && continue ||:
[[ $f = *.conf ]] && f=${f%.conf}
echo "f now $f"
activate_peer $f
done
}
function copy_config() {
local vrf=`get_vrf_for_if $WAN_IF`
ip vrf exec $vrf scp $WAN_IP:$SWANC/${1}-secrets.conf-remote $SWANC/${1}-secrets.conf
ip vrf exec $vrf scp $WAN_IP:$SWANC/peers-available/${1}.conf-remote $SWANC/peers-available/${1}.conf
}
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# M A I N
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
while getopts "a:c:d:f:g:p:v:b:ehi" arg; do
case $arg in
a)
check_arg $OPTARG
echo "Activating $OPTARG"
activate_peer $OPTARG
;;
b)
check_arg $OPTARG
initialize_vrf $OPTARG
enable_concentrator_ipsec_if $OPTARG
initialize_fake_client_netns $OPTARG
swanctl --load-all
sleep 1
swanctl --list-conns
;;
c)
check_arg $OPTARG
echo "Creating $OPTARG"
create_concentrator_peer $OPTARG
create_station_peer $OPTARG
create_concentrator_key $OPTARG
create_station_key $OPTARG
;;
d)
check_arg $OPTARG
echo "Deactivating $OPTARG"
deactivate_peer $OPTARG
;;
e)
activate_all
swanctl --load-all
sleep 1
swanctl --list-conns
;;
f)
check_arg $OPTARG
copy_config $OPTARG
;;
g)
check_arg $OPTARG
initialize_client_if $OPTARG
enable_station_ipsec_if $OPTARG
initialize_fake_client_netns $OPTARG
swanctl --load-all
sleep 1
swanctl --list-conns
;;
h)
cat <<EOF
$0 -i : initialize /etc/strongswan directories
-b vrfX : enable ipsec transform intf on concentrator vrfX
-c vrfX : create_station_peer then create_station_key
-a vrfX : activate peer
-d vrfX : deactivate peer
-e : activate all peers
-f vrfX : copy config files from $WAN_IF:/etc/strongswan/swanctl/\$peer.conf-remote
-g ethX : enable ipsec transform intf on station ethX
-p : print peers
-v intf : get vrf for interface
-h : help
EOF
;;
i)
initialize
echo "Initialized."
exit 0;
;;
p)
#echo " print peers"
strongswan list
;;
v)
check_arg $OPTARG
get_vrf_for_if $OPTARG
;;
*) echo "Unknown option: $arg"
esac
done