Merge pull request #1741 from swill/strongswanvpn

karuturi · karuturi · commit 13bfdd71e6ff · 2017-02-14T17:59:17.000+05:30
Updated StrongSwan VPN ImplementationThis PR is a merge of @jayapalu changes in #872 and the changes I had to make to get the functionality working. I have done pretty extensive testing of this code so far and we are looking to be in pretty good shape. One thing to note is that a `Diffie-Hellman` group **is required** in order for this feature to work correctly. It is not highlighted in the tests below, but I have shown that the `PFS` is not required for this feature to work. In #872 I have shown a more exhaustive set of tests of this code, but I have limited this set of tests to a recommended `IKE` and `ESP` configuration in order to reduce the noise and test the other areas of functionality. **Test Results** I am testing this functionality by creating two VPCs with VMs in each and creating a S2S VPN connection between the two VPCs. Then I SSH into a VM in one VPC and I ping the private IP of a VM in the other VPC. Then I tear it down and try a different configuration. _Setup_ ``` VPC 1 VPC 2 ===== ===== VPN Gateway VPN Gateway VPN Customer Gateway VPN Customer Gateway VPN Connection <---> VPN Connection - Passive = True - Passive = False ``` _Legend_ `SKIP` => At least one of the VPN Connections did not come up, so no test was run. `OK` => The ping test was successful over the S2S VPN connection. `FAIL` => The ping test failed over the S2S VPN connection. `Passive` => Specifies if either the `<vpc_1> : <vpc_2>` sides of the VPN Connection is set to passive. `Conn State` => Specifies the connection status of the `<vpc_1> : <vpc_2>` VPN Connection in the UI. `Requires Reset` => If the ping test does not result in an `OK`, then a VPN Connection Reset is performed on either `<vpc_1> : <vpc_2>` sides of the VPN Connection based on which side is not showing `Connected`. The results in the `Status` column is the final result after the reset is performed. _Results_ ``` +--------+----------------------+-------+-------+----------+----------+---------------+-----------------------------+----------------+ | Status | IKE & ESP | DPD | Encap | IKE Life | ESP Life | Passive | Conn State | Requires Reset | +========+======================+=======+=======+==========+==========+===============+=============================+================+ | OK | aes128-sha1;modp1536 | True | False | 86400 | 3600 | True : False | Disconnected : Connected | False : False | +--------+----------------------+-------+-------+----------+----------+---------------+-----------------------------+----------------+ | OK | aes128-sha1;modp1536 | True | True | 86400 | 3600 | True : False | Disconnected : Connected | False : False | +--------+----------------------+-------+-------+----------+----------+---------------+-----------------------------+----------------+ | OK | aes128-sha1;modp1536 | True | False | | 3600 | True : False | Disconnected : Connected | False : False | +--------+----------------------+-------+-------+----------+----------+---------------+-----------------------------+----------------+ | OK | aes128-sha1;modp1536 | True | False | 86400 | | True : False | Disconnected : Connected | False : False | +--------+----------------------+-------+-------+----------+----------+---------------+-----------------------------+----------------+ | OK | aes128-sha1;modp1536 | True | False | | | True : False | Disconnected : Connected | False : False | +--------+----------------------+-------+-------+----------+----------+---------------+-----------------------------+----------------+ | OK | aes128-sha1;modp1536 | True | False | 86400 | 3600 | False : False | Connected : Connected | False : False | +--------+----------------------+-------+-------+----------+----------+---------------+-----------------------------+----------------+ | OK | aes128-sha1;modp1536 | True | False | 86400 | 3600 | True : True | Disconnected : Disconnected | False : False | +--------+----------------------+-------+-------+----------+----------+---------------+-----------------------------+----------------+ | OK | aes128-sha1;modp1536 | True | False | 86400 | 3600 | False : True | Connected : Disconnected | False : False | +--------+----------------------+-------+-------+----------+----------+---------------+-----------------------------+----------------+ | OK | aes128-sha1;modp1536 | False | False | 86400 | 3600 | False : False | Connected : Connected | False : False | +--------+----------------------+-------+-------+----------+----------+---------------+-----------------------------+----------------+ | OK | aes128-sha1;modp1536 | False | False | 86400 | 3600 | True : False | Disconnected : Connected | False : False | +--------+----------------------+-------+-------+----------+----------+---------------+-----------------------------+----------------+ | OK | aes128-sha1;modp1536 | False | False | 86400 | 3600 | True : True | Disconnected : Disconnected | False : False | +--------+----------------------+-------+-------+----------+----------+---------------+-----------------------------+----------------+ | OK | aes128-sha1;modp1536 | False | False | 86400 | 3600 | False : True | Connected : Disconnected | False : False | +--------+----------------------+-------+-------+----------+----------+---------------+-----------------------------+----------------+ | SKIP | aes128-sha1 | True | False | 86400 | 3600 | True : False | Disconnected : Error | True : False | +--------+----------------------+-------+-------+----------+----------+---------------+-----------------------------+----------------+ | SKIP | aes128-sha1 | False | False | 86400 | 3600 | True : False | Disconnected : Error | True : False | +--------+----------------------+-------+-------+----------+----------+---------------+-----------------------------+----------------+ | FAIL | aes128-sha1 | True | False | 86400 | 3600 | True : True | Disconnected : Disconnected | True : True | +--------+----------------------+-------+-------+----------+----------+---------------+-----------------------------+----------------+ | SKIP | aes128-sha1 | True | False | 86400 | 3600 | False : False | Connected : Error | False : False | +--------+----------------------+-------+-------+----------+----------+---------------+-----------------------------+----------------+ ``` * pr/1741: complete implementation of the StrongSwan VPN feature Signed-off-by: Rajani Karuturi <rajani.karuturi@accelerite.com>
diff --git a/server/src/com/cloud/network/vpn/Site2SiteVpnManagerImpl.java b/server/src/com/cloud/network/vpn/Site2SiteVpnManagerImpl.java
@@ -190,10 +190,10 @@ public Site2SiteCustomerGateway createCustomerGateway(CreateVpnCustomerGatewayCm
         String ipsecPsk = cmd.getIpsecPsk();
         String ikePolicy = cmd.getIkePolicy();
         String espPolicy = cmd.getEspPolicy();
-        if (!NetUtils.isValidS2SVpnPolicy(ikePolicy)) {
-            throw new InvalidParameterValueException("The customer gateway IKE policy " + ikePolicy + " is invalid!");
+        if (!NetUtils.isValidS2SVpnPolicy("ike", ikePolicy)) {
+            throw new InvalidParameterValueException("The customer gateway IKE policy " + ikePolicy + " is invalid!  Verify the required Diffie Hellman (DH) group is specified.");
         }
-        if (!NetUtils.isValidS2SVpnPolicy(espPolicy)) {
+        if (!NetUtils.isValidS2SVpnPolicy("esp", espPolicy)) {
             throw new InvalidParameterValueException("The customer gateway ESP policy " + espPolicy + " is invalid!");
         }
         Long ikeLifetime = cmd.getIkeLifetime();
@@ -444,10 +444,10 @@ public Site2SiteCustomerGateway updateCustomerGateway(UpdateVpnCustomerGatewayCm
         String ipsecPsk = cmd.getIpsecPsk();
         String ikePolicy = cmd.getIkePolicy();
         String espPolicy = cmd.getEspPolicy();
-        if (!NetUtils.isValidS2SVpnPolicy(ikePolicy)) {
-            throw new InvalidParameterValueException("The customer gateway IKE policy" + ikePolicy + " is invalid!");
+        if (!NetUtils.isValidS2SVpnPolicy("ike", ikePolicy)) {
+            throw new InvalidParameterValueException("The customer gateway IKE policy" + ikePolicy + " is invalid!  Verify the required Diffie Hellman (DH) group is specified.");
         }
-        if (!NetUtils.isValidS2SVpnPolicy(espPolicy)) {
+        if (!NetUtils.isValidS2SVpnPolicy("esp", espPolicy)) {
             throw new InvalidParameterValueException("The customer gateway ESP policy" + espPolicy + " is invalid!");
         }
         Long ikeLifetime = cmd.getIkeLifetime();
@@ -517,7 +517,7 @@ public boolean deleteVpnConnection(DeleteVpnConnectionCmd cmd) throws ResourceUn
 
         _accountMgr.checkAccess(caller, null, false, conn);
 
-        if (conn.getState() == State.Connected) {
+        if (conn.getState() != State.Pending) {
             stopVpnConnection(id);
         }
         _vpnConnectionDao.remove(id);
@@ -531,8 +531,8 @@ private void stopVpnConnection(Long id) throws ResourceUnavailableException {
             throw new CloudRuntimeException("Unable to acquire lock on " + conn);
         }
         try {
-            if (conn.getState() != State.Connected && conn.getState() != State.Error) {
-                throw new InvalidParameterValueException("Site to site VPN connection with specified id is not in correct state(connected) to process disconnect!");
+            if (conn.getState() == State.Pending) {
+                throw new InvalidParameterValueException("Site to site VPN connection with specified id is currently Pending, unable to Disconnect!");
             }
 
             conn.setState(State.Disconnected);
diff --git a/systemvm/patches/debian/config/etc/logrotate.conf b/systemvm/patches/debian/config/etc/logrotate.conf
@@ -1,13 +1,14 @@
 # rotate log files daily
 daily
-# keep 5 days worth
-rotate 5
+# keep 3 days worth
+rotate 3
 # create new (empty) log files after rotating old ones
 create
 # use date as a suffix of the rotated file
 #dateext
 # max size 50M
 size 50M
+compress
 # RPM packages drop log rotation information into this directory
 include /etc/logrotate.d
 # no packages own wtmp and btmp -- we'll rotate them here
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/checks2svpn.sh b/systemvm/patches/debian/config/opt/cloud/bin/checks2svpn.sh
@@ -22,18 +22,9 @@ then
     exit 1
 fi
 
-ipsec auto --status | grep vpn-$1 > /tmp/vpn-$1.status
+ipsec status  vpn-$1 > /tmp/vpn-$1.status
 
-cat /tmp/vpn-$1.status | grep "ISAKMP SA established" > /dev/null
-isakmpok=$?
-if [ $isakmpok -ne 0 ]
-then
-    echo -n "ISAKMP SA NOT found but checking IPsec;"
-else
-    echo -n "ISAKMP SA found;"
-fi
-
-cat /tmp/vpn-$1.status | grep "IPsec SA established" > /dev/null
+cat /tmp/vpn-$1.status | grep "ESTABLISHED" > /dev/null
 ipsecok=$?
 if [ $ipsecok -ne 0 ]
 then
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/configure.py b/systemvm/patches/debian/config/opt/cloud/bin/configure.py
@@ -471,13 +471,13 @@ def process(self):
 
     def deletevpn(self, ip):
         logging.info("Removing VPN configuration for %s", ip)
-        CsHelper.execute("ipsec auto --down vpn-%s" % ip)
-        CsHelper.execute("ipsec auto --delete vpn-%s" % ip)
+        CsHelper.execute("ipsec down vpn-%s" % ip)
+        CsHelper.execute("ipsec down vpn-%s" % ip)
         vpnconffile = "%s/ipsec.vpn-%s.conf" % (self.VPNCONFDIR, ip)
         vpnsecretsfile = "%s/ipsec.vpn-%s.secrets" % (self.VPNCONFDIR, ip)
         os.remove(vpnconffile)
         os.remove(vpnsecretsfile)
-        CsHelper.execute("ipsec auto --rereadall")
+        CsHelper.execute("ipsec reload")
 
     def configure_iptables(self, dev, obj):
         self.fw.append(["", "front", "-A INPUT -i %s -p udp -m udp --dport 500 -s %s -d %s -j ACCEPT" % (dev, obj['peer_gateway_ip'], obj['local_public_ip'])])
@@ -497,49 +497,56 @@ def configure_iptables(self, dev, obj):
     def configure_ipsec(self, obj):
         leftpeer = obj['local_public_ip']
         rightpeer = obj['peer_gateway_ip']
-        peerlist = obj['peer_guest_cidr_list'].lstrip().rstrip().replace(',', ' ')
+        peerlist = obj['peer_guest_cidr_list'].replace(' ', '')
         vpnconffile = "%s/ipsec.vpn-%s.conf" % (self.VPNCONFDIR, rightpeer)
         vpnsecretsfile = "%s/ipsec.vpn-%s.secrets" % (self.VPNCONFDIR, rightpeer)
+        ikepolicy=obj['ike_policy'].replace(';','-')
+        esppolicy=obj['esp_policy'].replace(';','-')
+
+        pfs='no'
+        if 'modp' in esppolicy:
+            pfs='yes'
+
         if rightpeer in self.confips:
             self.confips.remove(rightpeer)
         file = CsFile(vpnconffile)
+        file.add("#conn for vpn-%s" % rightpeer, 0)
         file.search("conn ", "conn vpn-%s" % rightpeer)
         file.addeq(" left=%s" % leftpeer)
         file.addeq(" leftsubnet=%s" % obj['local_guest_cidr'])
         file.addeq(" leftnexthop=%s" % obj['local_public_gateway'])
         file.addeq(" right=%s" % rightpeer)
-        file.addeq(" rightsubnets={%s}" % peerlist)
+        file.addeq(" rightsubnet=%s" % peerlist)
         file.addeq(" type=tunnel")
         file.addeq(" authby=secret")
         file.addeq(" keyexchange=ike")
-        file.addeq(" ike=%s" % obj['ike_policy'])
+        file.addeq(" ike=%s" % ikepolicy)
         file.addeq(" ikelifetime=%s" % self.convert_sec_to_h(obj['ike_lifetime']))
-        file.addeq(" esp=%s" % obj['esp_policy'])
-        file.addeq(" salifetime=%s" % self.convert_sec_to_h(obj['esp_lifetime']))
-        if "modp" in obj['esp_policy']:
-            file.addeq(" pfs=yes")
-        else:
-            file.addeq(" pfs=no")
+        file.addeq(" esp=%s" % esppolicy)
+        file.addeq(" lifetime=%s" % self.convert_sec_to_h(obj['esp_lifetime']))
+        file.addeq(" pfs=%s" % pfs)
         file.addeq(" keyingtries=2")
         file.addeq(" auto=start")
         if 'encap' not in obj:
             obj['encap']=False
         file.addeq(" forceencaps=%s" % CsHelper.bool_to_yn(obj['encap']))
         if obj['dpd']:
-            file.addeq("  dpddelay=30")
-            file.addeq("  dpdtimeout=120")
-            file.addeq("  dpdaction=restart")
+            file.addeq(" dpddelay=30")
+            file.addeq(" dpdtimeout=120")
+            file.addeq(" dpdaction=restart")
         secret = CsFile(vpnsecretsfile)
-        secret.search("%s " % leftpeer, "%s %s: PSK \"%s\"" % (leftpeer, rightpeer, obj['ipsec_psk']))
+        secret.search("%s " % leftpeer, "%s %s : PSK \"%s\"" % (leftpeer, rightpeer, obj['ipsec_psk']))
         if secret.is_changed() or file.is_changed():
             secret.commit()
             file.commit()
             logging.info("Configured vpn %s %s", leftpeer, rightpeer)
-            CsHelper.execute("ipsec auto --rereadall")
-            CsHelper.execute("ipsec auto --add vpn-%s" % rightpeer)
-            if not obj['passive']:
-                CsHelper.execute("ipsec auto --up vpn-%s" % rightpeer)
-        os.chmod(vpnsecretsfile, 0o400)
+            CsHelper.execute("ipsec rereadsecrets")
+
+        CsHelper.execute("ipsec reload")
+        if not obj['passive']:
+            CsHelper.execute("sudo nohup ipsec down vpn-%s" % rightpeer)
+            CsHelper.execute("sudo nohup ipsec up vpn-%s &" % rightpeer)
+        os.chmod(vpnsecretsfile, 0400)
 
     def convert_sec_to_h(self, val):
         hrs = int(val) / 3600
@@ -628,25 +635,25 @@ def process(self):
                 logging.debug("Remote accessvpn  data bag %s",  self.dbag)
                 self.remoteaccessvpn_iptables(public_ip, self.dbag[public_ip])
 
-                CsHelper.execute("ipsec auto --rereadall")
+                CsHelper.execute("ipsec down L2TP-PSK")
+                CsHelper.execute("ipsec update")
                 CsHelper.execute("service xl2tpd stop")
                 CsHelper.execute("service xl2tpd start")
-                CsHelper.execute("ipsec auto --rereadsecrets")
-                CsHelper.execute("ipsec auto --replace L2TP-PSK")
+                CsHelper.execute("ipsec rereadsecrets")
             else:
                 logging.debug("Disabling remote access vpn .....")
                 #disable remote access vpn
-                CsHelper.execute("ipsec auto --down L2TP-PSK")
+                CsHelper.execute("ipsec down L2TP-PSK")
                 CsHelper.execute("service xl2tpd stop")
 
 
     def configure_l2tpIpsec(self, left,  obj):
-        vpnconffile="%s/l2tp.conf" % (self.VPNCONFDIR)
+        l2tpconffile="%s/l2tp.conf" % (self.VPNCONFDIR)
         vpnsecretfilte="%s/ipsec.any.secrets" % (self.VPNCONFDIR)
         xl2tpdconffile="/etc/xl2tpd/xl2tpd.conf"
         xl2tpoptionsfile='/etc/ppp/options.xl2tpd'
 
-        file = CsFile(vpnconffile)
+        file = CsFile(l2tpconffile)
         localip=obj['local_ip']
         localcidr=obj['local_cidr']
         publicIface=obj['public_interface']
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/cs_ip.py b/systemvm/patches/debian/config/opt/cloud/bin/cs_ip.py
@@ -15,21 +15,20 @@
 # KIND, either express or implied.  See the License for the
 # specific language governing permissions and limitations
 # under the License.
-from pprint import pprint
-from netaddr import *
 
+from netaddr import *
 
 def merge(dbag, ip):
-    added = False
     nic_dev_id = None
+    index = -1 # a non-valid array index
     for dev in dbag:
         if dev == "id":
             continue
-        for address in dbag[dev]:
+        for i, address in enumerate(dbag[dev]):
             if address['public_ip'] == ip['public_ip']:
                 if 'nic_dev_id' in address:
                     nic_dev_id = address['nic_dev_id']
-                dbag[dev].remove(address)
+                index = i
 
     ipo = IPNetwork(ip['public_ip'] + '/' + ip['netmask'])
     if 'nic_dev_id' in ip:
@@ -44,8 +43,11 @@ def merge(dbag, ip):
     else:
         ip['nw_type'] = ip['nw_type'].lower()
     if ip['nw_type'] == 'control':
-        dbag['eth' + str(nic_dev_id)] = [ip]
+        dbag[ip['device']] = [ip]
     else:
-        dbag.setdefault('eth' + str(nic_dev_id), []).append(ip)
+        if index != -1:
+            dbag[ip['device']][index] = ip
+        else:
+            dbag.setdefault(ip['device'], []).append(ip)
 
     return dbag
diff --git a/systemvm/patches/debian/vpn/etc/ipsec.conf b/systemvm/patches/debian/vpn/etc/ipsec.conf
@@ -1,9 +1,5 @@
-# Manual:     ipsec.conf.5
-version	2.0	
+# ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	nat_traversal=yes
-	virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
-	protostack=auto
-	
+
 include /etc/ipsec.d/*.conf
diff --git a/systemvm/patches/debian/vpn/etc/ipsec.d/l2tp.conf b/systemvm/patches/debian/vpn/etc/ipsec.d/l2tp.conf
@@ -1,8 +1,14 @@
+#ipsec remote access vpn configuration
 conn L2TP-PSK
-        authby=secret
+        authby=psk
         pfs=no
         rekey=no
         keyingtries=3
+        keyexchange=ikev1
+        forceencaps=yes
+        leftfirewall=yes
+        leftnexthop=%defaultroute
+        type=transport
         #
         # ----------------------------------------------------------
         # The VPN server.
@@ -30,4 +36,5 @@ conn L2TP-PSK
         # ----------------------------------------------------------
         # Change 'ignore' to 'add' to enable this configuration.
         #
+        rightsubnetwithin=0.0.0.0/0
         auto=add
diff --git a/systemvm/patches/debian/vpn/etc/ipsec.secrets b/systemvm/patches/debian/vpn/etc/ipsec.secrets
@@ -1,2 +1,2 @@
-include /var/lib/openswan/ipsec.secrets.inc
+include /var/lib/strongswan/ipsec.conf.inc
 include /etc/ipsec.d/ipsec.*.secrets
diff --git a/test/integration/component/maint/test_vpc.py b/test/integration/component/maint/test_vpc.py
@@ -177,7 +177,7 @@ def __init__(self):
             },
             "vpn_customer_gw": {
                 "ipsecpsk": "s2svpn",
-                "ikepolicy": "3des-md5",
+                "ikepolicy": "3des-md5;modp1536",
                 "ikelifetime": "86400",
                 "esppolicy": "3des-md5",
                 "esplifetime": "3600",
diff --git a/test/integration/component/test_vpc.py b/test/integration/component/test_vpc.py
@@ -186,7 +186,7 @@ def __init__(self):
             },
             "vpn_customer_gw": {
                 "ipsecpsk": "s2svpn",
-                "ikepolicy": "3des-md5",
+                "ikepolicy": "3des-md5;modp1536",
                 "ikelifetime": "86400",
                 "esppolicy": "3des-md5",
                 "esplifetime": "3600",
diff --git a/tools/appliance/definitions/systemvmtemplate/configure_systemvm_services.sh b/tools/appliance/definitions/systemvmtemplate/configure_systemvm_services.sh
@@ -54,6 +54,11 @@ function do_signature() {
   echo "Cloudstack Release $CLOUDSTACK_RELEASE $(date)" > /etc/cloudstack-release
 }
 
+function configure_strongswan() {
+  # change the charon stroke timeout from 3 minutes to 30 seconds
+  sed -i "s/# timeout = 0/timeout = 30000/" /etc/strongswan.d/charon/stroke.conf
+}
+
 function configure_services() {
   mkdir -p /var/www/html
   mkdir -p /opt/cloud/bin
@@ -81,6 +86,7 @@ function configure_services() {
   chkconfig radvd off
 
   configure_apache2
+  configure_strongswan
 }
 
 return 2>/dev/null || configure_services
diff --git a/tools/appliance/definitions/systemvmtemplate/install_systemvm_packages.sh b/tools/appliance/definitions/systemvmtemplate/install_systemvm_packages.sh
@@ -64,7 +64,6 @@ function install_packages() {
     nfs-common \
     samba-common cifs-utils \
     xl2tpd bcrelay ppp ipsec-tools tdb-tools \
-    openswan=1:2.6.37-3+deb7u1 \
     xenstore-utils libxenstore3.0 \
     conntrackd ipvsadm libnetfilter-conntrack3 libnl-3-200 libnl-genl-3-200 \
     ipcalc \
@@ -76,9 +75,8 @@ function install_packages() {
     sharutils
 
   ${apt_get} -t wheezy-backports install keepalived irqbalance open-vm-tools qemu-guest-agent
+  ${apt_get} -t wheezy-backports install strongswan libcharon-extra-plugins libstrongswan-extra-plugins
 
-  # hold on installed openswan version, upgrade rest of the packages (if any)
-  apt-mark hold openswan
   apt-get update
   apt-get -y --force-yes upgrade
 
diff --git a/ui/scripts/network.js b/ui/scripts/network.js
diff --git a/utils/src/main/java/com/cloud/utils/net/NetUtils.java b/utils/src/main/java/com/cloud/utils/net/NetUtils.java
diff --git a/utils/src/test/java/com/cloud/utils/net/NetUtilsTest.java b/utils/src/test/java/com/cloud/utils/net/NetUtilsTest.java

Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,2 @@`
`1`		`-include /var/lib/openswan/ipsec.secrets.inc`
	`1`	`+include /var/lib/strongswan/ipsec.conf.inc`
`2`	`2`	`include /etc/ipsec.d/ipsec.*.secrets`