author | Justin Pettit <jpettit@nicira.com> | 2010-10-17 22:43:14 -0700 |
committer | Justin Pettit <jpettit@nicira.com> | 2010-10-17 22:43:14 -0700 |
commit | e97a10342018f992634fa90d25c007eb60c25662 (patch) | |
tree | 1dffcc5ee2146997f5331c038a817e6110126325 /debian/ovs-monitor-ipsec | |
parent | 5f906046c22bd9a55bd1185b2c03d27894b7a425 (diff) | |
download | openvswitch-e97a10342018f992634fa90d25c007eb60c25662.tar.gz |
ovs-monitor-ipsec: Add ability to traverse NATs
Stable versions of ipsec-tools have a bug that prevents our using
transport mode through a NAT box. Even though the bug has been fixed
for years, it is only available in the 0.8 alpha release of ipsec-tools.
This commit modifies our configuration to allow NAT traversal with that
version of ipsec-tools.
NB: An official package for this version of ipsec-tools is not yet
available on Debian, so we're requiring a custom version number.
Diffstat (limited to 'debian/ovs-monitor-ipsec')
-rwxr-xr-x | debian/ovs-monitor-ipsec | 14 |
1 files changed, 9 insertions, 5 deletions
diff --git a/debian/ovs-monitor-ipsec b/debian/ovs-monitor-ipsec
index 184b00469..1cea8009b 100755
--- a/debian/ovs-monitor-ipsec
+++ b/debian/ovs-monitor-ipsec
@@ -66,6 +66,7 @@ path certificate "/etc/racoon/certs";
 remote anonymous {
 exchange_mode main;
+ nat_traversal on;
 proposal {
 encryption_algorithm aes;
 hash_algorithm sha1;
@@ -307,13 +308,16 @@ def main(argv):
 new_interfaces = {}
 for rec in idl.data["Interface"].itervalues():
 name = rec.name.as_scalar()
- local_ip = rec.other_config.get("ipsec_local_ip")
- if rec.type.as_scalar() == "gre" and local_ip:
+ ipsec_cert = rec.other_config.get("ipsec_cert")
+ ipsec_psk = rec.other_config.get("ipsec_psk")
+ is_ipsec = ipsec_cert or ipsec_psk
+
+ if rec.type.as_scalar() == "gre" and is_ipsec:
 new_interfaces[name] = {
 "remote_ip": rec.options.get("remote_ip"),
- "local_ip": local_ip,
- "ipsec_cert": rec.other_config.get("ipsec_cert"),
- "ipsec_psk": rec.other_config.get("ipsec_psk") }
+ "local_ip": rec.options.get("local_ip", "0.0.0.0/0"),
+ "ipsec_cert": ipsec_cert,
+ "ipsec_psk": ipsec_psk }
 if interfaces != new_interfaces:
 for name, vals in interfaces.items():
|
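Review bot: The `nat_traversal on;` line added inside the `remote anonymous` block carries a version constraint that the template itself never states — the commit message says the NAT-T fix exists only in the 0.8 alpha of ipsec-tools and that a custom package version is being required — so the next person editing this racoon template has no way to know the line is the reason. A comment on the line would keep that knowledge with the code, e.g. `# nat_traversal needs ipsec-tools 0.8+ (transport-mode NAT-T fix); see debian/control`. Because the enclosing block is `remote anonymous`, the option presumably applies to every peer racoon accepts; the `proposal` block that governs how those peers are authenticated continues outside the hunk, so that cannot be checked here.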
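Review bot: The new `"local_ip"` lookup in `main()` changes the configuration key without a migration path — the removed side read `other_config:ipsec_local_ip`, the new side reads `options:local_ip` and, when it is absent, substitutes the wildcard `"0.0.0.0/0"` — so a database that still carries the old key will get an any-address local selector with no log line saying so. If, as the commit message suggests, the wildcard is the intended default for hosts behind a NAT, a comment above the dict literal would spare the next reader the archaeology, e.g. `# No options:local_ip -> any local address; needed when we sit behind a NAT (NAT-T).`; if an explicit address is still expected in the common case, logging once when neither key is present would make the misconfiguration visible. A small style point: `is_ipsec` holds whichever string happened to be truthy rather than a boolean, so `is_ipsec = bool(ipsec_cert or ipsec_psk)` says what the name promises; when both keys are set, both values are passed through and whichever precedence applies is decided elsewhere. `main()` begins and ends outside this hunk, so how the wildcard local address is expanded into the racoon/SPD entries cannot be reviewed here.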