fea: ipsec tunnels for vxlan and gre.

luscis · Jun 14, 2024 · a3ba978 · a3ba978
1 parent 5220f9b
commit a3ba978
Show file tree

Hide file tree

Showing 4 changed files with 40 additions and 63 deletions.
diff --git a/Makefile b/Makefile
@@ -64,13 +64,20 @@ builder:
 	docker run -d -it \
 		--env http_proxy="${http_proxy}" --env https_proxy="${https_proxy}" \
 		--volume $(SD)/:/opt/openlan --volume $(shell echo ~)/.ssh:/root/.ssh \
-		--name openlan_builder debian:buster bash
-	docker exec openlan_builder bash -c "apt update && apt install -y git lsb-release wget make gcc"
+		--name openlan_builder debian:bullseye bash
+	docker exec openlan_builder bash -c "apt update && apt install -y git lsb-release wget make gcc devscripts"
+	docker exec openlan_builder bash -c "apt install -y net-tools make build-essential libnss3-dev pkg-config libevent-dev libunbound-dev bison flex libsystemd-dev libcurl4-nss-dev libpam0g-dev libcap-ng-dev libldns-dev xmlto"
+	docker exec openlan_builder badh -c "apt install -y htmldoc libaudit-dev libkrb5-dev libldap2-dev libnss3-tools libselinux1-dev man2html"
 	docker exec openlan_builder bash -c "wget https://golang.google.cn/dl/go1.16.linux-amd64.tar.gz && tar -xf go1.16.linux-amd64.tar.gz -C /usr/local"
 	docker exec openlan_builder bash -c "cd /usr/local/bin && ln -s ../go/bin/go . && ln -s ../go/bin/gofmt ."
 	docker exec openlan_builder git config --global --add safe.directory /opt/openlan
 	docker exec openlan_builder git config --global --add safe.directory /opt/openlan/dist/cert
 
+## build libreswan
+# wget http://deb.debian.org/debian/pool/main/libr/libreswan/libreswan_4.10.orig.tar.gz
+# tar xvf libreswan_4.10.orig.tar.gz
+# cd libreswan-4.10 && make deb
+
 docker-bin:
 	docker exec openlan_builder bash -c "cd /opt/openlan && make linux-bin"
 

diff --git a/dist/rootfs/var/openlan/script/install.sh b/dist/rootfs/var/openlan/script/install.sh
@@ -15,7 +15,7 @@ OS="linux"
 if type yum 2> /dev/null; then
   OS="centos"
 elif type apt 2> /dev/null; then
-  OS="ubuntu"
+  OS="debian"
 fi
 
 function download() {
@@ -29,9 +29,11 @@ function requires() {
   if [ "$OS"x == "centos"x ]; then
     yum install -y openssl net-tools iptables iputils iperf3 tcpdump
     yum install -y openvpn dnsmasq bridge-utils ipset libreswan procps
-  elif [ "$OS"x == "ubuntu"x ]; then
-    apt-get install -y net-tools iptables iproute2 tcpdump ca-certificates iperf3
-    apt-get install -y openvpn dnsmasq bridge-utils ipset libreswan procps
+  elif [ "$OS"x == "debian"x ]; then
+    apt install -y net-tools iptables iproute2 tcpdump ca-certificates iperf3
+    apt install -y openvpn dnsmasq bridge-utils ipset procps wget
+    wget -O /tmp/libreswan_4.10-1_amd64.deb https://github.com/luscis/packages/raw/main/debian/bullseye/libreswan_4.10-1_amd64.deb
+    apt install -y /tmp/libreswan_4.10-1_amd64.deb
   else
     echo "We didn't find any packet tool: $OS"
   fi
@@ -64,7 +66,7 @@ function post() {
     ## Install CA.
     cp -rf /var/openlan/cert/ca.crt /etc/pki/ca-trust/source/anchors/OpenLAN_CA.crt
     update-ca-trust
-  elif [ "$OS"x == "ubuntu"x ]; then
+  elif [ "$OS"x == "debian"x ]; then
     ## Prepare openvpn.
     [ -e "/var/openlan/openvpn/dh.pem" ] || {
       openssl dhparam -out /var/openlan/openvpn/dh.pem 2048

diff --git a/pkg/config/ipsec.go b/pkg/config/ipsec.go
@@ -1,24 +1,33 @@
 package config
 
+import "fmt"
+
 type IPSecTunnel struct {
+	Name      string `json:"-"`
 	Left      string `json:"local"`
 	LeftId    string `json:"localid"`
 	LeftPort  string `json:"localport"`
 	Right     string `json:"remote"`
 	RightId   string `json:"remoteid"`
 	RightPort string `json:"remoteport"`
 	Transport string `json:"transport"`
+	Secret    string `json:"secret"`
 }
 
 func (s *IPSecTunnel) Correct() {
 	if s.Left == "" {
 		s.Left = "%defaultroute"
 	}
+	s.Name = s.Id()
+}
+
+func (s *IPSecTunnel) Id() string {
+	return fmt.Sprintf("%s-%s", s.Right, s.Transport)
 }
 
 type IPSecSpecifies struct {
-	Name    string        `json:"name"`
-	Tunnels []IPSecTunnel `json:"tunnels"`
+	Name    string         `json:"name"`
+	Tunnels []*IPSecTunnel `json:"tunnels"`
 }
 
 func (s *IPSecSpecifies) Correct() {

diff --git a/pkg/switch/ipsec.go b/pkg/switch/ipsec.go
@@ -23,52 +23,6 @@ func NewIPSecWorker(c *co.Network) *IPSecWorker {
 	return w
 }
 
-// conn vxlan11252
-//     keyexchange=ike
-//     ikev2=no
-//     type=transport
-//     left=%defaultroute
-//     right=45.135.117.235
-//     rightikeport=4501
-//     authby=secret
-
-// conn vxlan11252-c2
-//     auto=start
-//     also=vxlan11252
-//     leftid=@c2.vxlan11252.com
-//     leftprotoport=udp/8472
-//     rightprotoport=udp
-
-// conn vxlan11252-c1
-//     auto=start
-//     also=vxlan11252
-//     leftid=@c1.vxlan11252.com
-//     leftprotoport=udp
-//     rightprotoport=udp/8472
-
-// conn vxlan11252
-//     keyexchange=ike
-//     ikev2=no
-//     type=transport
-//     left=%defaultroute
-//     leftikeport=4501
-//     right=218.94.118.90
-//     authby=secret
-
-// conn vxlan11252-c1
-//     auto=start
-//     also=vxlan11252
-//     rightid=@c1.vxlan11252.com
-//     leftprotoport=udp/8472
-//     rightprotoport=udp
-
-// conn vxlan11252-c2
-//     auto=start
-//     also=vxlan11252
-//     rightid=@c2.vxlan11252.com
-//     leftprotoport=udp
-//     rightprotoport=udp/8472
-
 const (
 	vxlanTmpl = `
 conn {{ .Name }}
@@ -92,20 +46,20 @@ conn {{ .Name }}
     authby=secret
 
 conn {{ .Name }}-c1
-    auto=start
+    auto=add
     also={{ .Name }}
     leftprotoport=udp/8472
     rightprotoport=udp
 
 conn {{ .Name }}-c2
-    auto=start
-    also={{ .Remote }}-{{ .Protocol }}
+    auto=add
+    also={{ .Name }}
     leftprotoport=udp
     rightprotoport=udp/8472
 `
 	greTmpl = `
 conn {{ .Name }}-c1
-    auto=start
+    auto=add
     ikev2=insist
     type=transport
     left={{ .Left }}
@@ -115,7 +69,7 @@ conn {{ .Name }}-c1
     rightprotoport=gre
 `
 	secretTmpl = `
-%any {{ .Remote }} : PSK "{{ .Secret }}"
+%any {{ .Right }} : PSK "{{ .Secret }}"
 `
 )
 
@@ -156,7 +110,7 @@ func (w *IPSecWorker) AddTunnel(tunnel *co.IPSecTunnel) error {
 	connTmpl := ""
 	secTmpl := ""
 
-	name := fmt.Sprintf("%s-%s", tunnel.Right, tunnel.Transport)
+	name := tunnel.Name
 	if tunnel.Transport == "vxlan" {
 		connTmpl = vxlanTmpl
 		secTmpl = secretTmpl
@@ -191,11 +145,13 @@ func (w *IPSecWorker) AddTunnel(tunnel *co.IPSecTunnel) error {
 func (w *IPSecWorker) Start(v api.Switcher) {
 	w.uuid = v.UUID()
 	w.out.Info("IPSecWorker.Start")
+	for _, tunnel := range w.spec.Tunnels {
+		w.AddTunnel(tunnel)
+	}
 }
 
 func (w *IPSecWorker) RemoveTunnel(tunnel *co.IPSecTunnel) error {
-
-	name := fmt.Sprintf("%s-%s", tunnel.Right, tunnel.Transport)
+	name := tunnel.Name
 	if tunnel.Transport == "vxlan" {
 		libol.Exec("ipsec", "auto", "--delete", "--asynchronous", name+"-c1")
 		libol.Exec("ipsec", "auto", "--delete", "--asynchronous", name+"-c2")
@@ -221,6 +177,9 @@ func (w *IPSecWorker) RemoveTunnel(tunnel *co.IPSecTunnel) error {
 
 func (w *IPSecWorker) Stop() {
 	w.out.Info("IPSecWorker.Stop")
+	for _, tunnel := range w.spec.Tunnels {
+		w.RemoveTunnel(tunnel)
+	}
 }
 
 func (w *IPSecWorker) Reload(v api.Switcher) {