S2S VPN: CS-15511: Add PFS support for VPN connection

Project: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/repo
Commit: 
http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/commit/84a1a311
Tree: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/tree/84a1a311
Diff: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/diff/84a1a311

Branch: refs/heads/vpc
Commit: 84a1a311f991ba7816e9e8d50e84b2142c6111d6
Parents: a8cbba9
Author: Sheng Yang <[email protected]>
Authored: Mon Aug 6 15:27:13 2012 -0700
Committer: Sheng Yang <[email protected]>
Committed: Mon Aug 6 15:27:13 2012 -0700

----------------------------------------------------------------------
 .../debian/config/opt/cloud/bin/ipsectunnel.sh     |    8 +++++++-
 utils/src/com/cloud/utils/net/NetUtils.java        |    5 +----
 utils/test/com/cloud/utils/net/NetUtilsTest.java   |   10 +++++-----
 3 files changed, 13 insertions(+), 10 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/84a1a311/patches/systemvm/debian/config/opt/cloud/bin/ipsectunnel.sh
----------------------------------------------------------------------
diff --git a/patches/systemvm/debian/config/opt/cloud/bin/ipsectunnel.sh 
b/patches/systemvm/debian/config/opt/cloud/bin/ipsectunnel.sh
index 74d3119..1bc2002 100755
--- a/patches/systemvm/debian/config/opt/cloud/bin/ipsectunnel.sh
+++ b/patches/systemvm/debian/config/opt/cloud/bin/ipsectunnel.sh
@@ -141,7 +141,7 @@ ipsec_tunnel_add() {
     sudo echo "  ikelifetime=${ikelifetime}s" >> $vpnconffile &&
     sudo echo "  esp=$esppolicy" >> $vpnconffile &&
     sudo echo "  salifetime=${esplifetime}s" >> $vpnconffile &&
-    sudo echo "  pfs=no" >> $vpnconffile &&
+    sudo echo "  pfs=$pfs" >> $vpnconffile &&
     sudo echo "  keyingtries=3" >> $vpnconffile &&
     sudo echo "  auto=add" >> $vpnconffile &&
     sudo echo "$leftpeer $rightpeer: PSK \"$secret\"" > $vpnsecretsfile &&
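Review bot: The new `pfs=$pfs` line reads a script-level variable that ipsec_tunnel_add does not receive as an argument and that is only assigned in the later hunk (around line 258 of the new file); if the function were ever invoked before that assignment, the config would get a bare `pfs=` line with whatever the IPsec daemon's fallback happens to be. A default in the expansion makes the function self-contained: `sudo echo "  pfs=${pfs:-no}" >> $vpnconffile &&`. ipsec_tunnel_add starts and ends outside this hunk.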
@@ -258,6 +258,12 @@ do
 done < /tmp/iflist
 
 rightnets=${rightnets//,/ }
+pfs="no"
+echo "$esppolicy" | grep "modp" > /dev/null
+if [ $? -eq 0 ]
+then
+    pfs="yes"
+fi
 
 ret=0
 #Firewall ports for one-to-one/static NAT
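Review bot: The PFS decision is a plain substring match — any `$esppolicy` containing `modp` anywhere enables PFS — and the `grep ... > /dev/null` followed by `[ $? -eq 0 ]` is the long form of `grep -q`; `if echo "$esppolicy" | grep -q "modp"; then pfs="yes"; fi` says the same thing in one idiomatic test. This is presumably safe only because NetUtils.isValidS2SVpnPolicy (changed in the same commit) restricts the group to `modp1024|modp1536` before the value reaches the router; a comment here, `# PFS is enabled when the ESP policy names a DH group (modpNNNN); the group itself is validated by NetUtils.isValidS2SVpnPolicy`, would record that dependency for the next reader.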

http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/84a1a311/utils/src/com/cloud/utils/net/NetUtils.java
----------------------------------------------------------------------
diff --git a/utils/src/com/cloud/utils/net/NetUtils.java 
b/utils/src/com/cloud/utils/net/NetUtils.java
index 0ebe7fb..65168ff 100755
--- a/utils/src/com/cloud/utils/net/NetUtils.java
+++ b/utils/src/com/cloud/utils/net/NetUtils.java
@@ -1069,8 +1069,7 @@ public class NetUtils {
             if (policy.isEmpty()) {
                 return false;
             }
-            //String cipherHash = policy.split(";")[0];
-            String cipherHash = policy;
+            String cipherHash = policy.split(";")[0];
             if (cipherHash.isEmpty()) {
                 return false;
             }
@@ -1086,7 +1085,6 @@ public class NetUtils {
             if (!hash.matches("md5|sha1")) {
                 return false;
             }
-            /*  Disable pfsGroup support, see CS-15511
             String pfsGroup = null;
             if (!policy.equals(cipherHash)) {
                 pfsGroup = policy.split(";")[1];
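Review bot: Re-enabling `pfsGroup = policy.split(";")[1]` reintroduces an unchecked index: `String.split` drops trailing empty strings, so a policy such as `"aes128-sha1;"` yields a one-element array while `!policy.equals(cipherHash)` is still true, and the validator throws ArrayIndexOutOfBoundsException instead of returning false. A policy with a third `;`-separated field (`"aes128-sha1;modp1024;extra"`) is also accepted because only index 1 is inspected, and the whole string is what ends up in the tunnel config. Splitting with a negative limit and requiring exactly two fields closes both gaps; the same reasoning applies to the `split(";")[0]` in the first hunk, which is safe today only because the empty-policy check precedes it. isValidS2SVpnPolicy starts and ends outside this hunk.
```java
            String pfsGroup = null;
            if (!policy.equals(cipherHash)) {
                // limit -1 keeps a trailing empty field, so "cipher-hash;" is
                // rejected by the modp check below rather than throwing here;
                // anything other than exactly "cipher-hash;group" is invalid
                String[] parts = policy.split(";", -1);
                if (parts.length != 2) {
                    return false;
                }
                pfsGroup = parts[1];
            }
            // … unchanged: pfsGroup modp1024|modp1536 check …
```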
@@ -1094,7 +1092,6 @@ public class NetUtils {
             if (pfsGroup != null && !pfsGroup.matches("modp1024|modp1536")) {
                 return false;
             }
-            */
         }
         return true;
     }

http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/84a1a311/utils/test/com/cloud/utils/net/NetUtilsTest.java
----------------------------------------------------------------------
diff --git a/utils/test/com/cloud/utils/net/NetUtilsTest.java 
b/utils/test/com/cloud/utils/net/NetUtilsTest.java
index 67465d7..bab1406 100644
--- a/utils/test/com/cloud/utils/net/NetUtilsTest.java
+++ b/utils/test/com/cloud/utils/net/NetUtilsTest.java
@@ -54,12 +54,12 @@ public class NetUtilsTest extends TestCase {
     }
 
     public void testVpnPolicy() {
-        assertTrue(NetUtils.isValidS2SVpnPolicy("aes-sha1"));
+        assertTrue(NetUtils.isValidS2SVpnPolicy("aes128-sha1"));
         assertTrue(NetUtils.isValidS2SVpnPolicy("3des-sha1"));
-        assertTrue(NetUtils.isValidS2SVpnPolicy("3des-sha1,aes-sha1"));
-        assertFalse(NetUtils.isValidS2SVpnPolicy("des-md5;modp1024"));
-        
assertFalse(NetUtils.isValidS2SVpnPolicy("des-md5;modp1024,aes-sha1;modp1536"));
-        
assertFalse(NetUtils.isValidS2SVpnPolicy("3des-sha1,aes-sha1;modp1536"));
+        assertTrue(NetUtils.isValidS2SVpnPolicy("3des-sha1,aes256-sha1"));
+        assertTrue(NetUtils.isValidS2SVpnPolicy("3des-md5;modp1024"));
+        
assertTrue(NetUtils.isValidS2SVpnPolicy("3des-sha1,aes128-sha1;modp1536"));
+        
assertFalse(NetUtils.isValidS2SVpnPolicy("des-md5;modp1024,aes128-sha1;modp1536"));
         assertFalse(NetUtils.isValidS2SVpnPolicy("des-sha1"));
         assertFalse(NetUtils.isValidS2SVpnPolicy("abc-123,ase-sha1"));
         assertFalse(NetUtils.isValidS2SVpnPolicy("de-sh,aes-sha1"));
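Review bot: The new assertions only exercise accepted PFS groups and a rejected cipher; nothing pins the group whitelist that this commit re-enables, nor the malformed-separator cases. Adding `assertFalse(NetUtils.isValidS2SVpnPolicy("aes128-sha1;modp2048"));` and `assertFalse(NetUtils.isValidS2SVpnPolicy("aes128-sha1;"));` would cover both; the second one is worth having because with the current `split(";")[1]` in NetUtils it fails with an ArrayIndexOutOfBoundsException rather than a false result. testVpnPolicy continues past the end of this hunk.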
