exit ${EXIT_ERROR}
fi
-# Interface name for this IPsec connection
-case "${MODE}" in
- gre-*|vti)
- INTERFACE="ipsec-${CONNECTION}"
- ;;
-esac
-
log DEBUG "${0} called for ${CONNECTION}: ${PLUTO_VERB}"
case "${PLUTO_VERB}" in
up-client|up-client-v6|up-host|up-host-v6)
- case "${MODE}" in
- gre-*)
- if ! device_exists "${INTERFACE}"; then
- ip_tunnel_add "${INTERFACE}" \
- --mode="gre" \
- --local-address="${PLUTO_ME}" \
- --remote-address="${PLUTO_PEER}"
-
- device_set_up "${INTERFACE}"
- fi
- ;;
- vti)
- if device_exists "${INTERFACE}"; then
- ip_tunnel_change_keys "${INTERFACE}" \
- --ikey="${PLUTO_MARK_IN%/*}" \
- --okey="${PLUTO_MARK_OUT%/*}"
+ if isset ZONE && zone_exists "${ZONE}"; then
+ # Bring up the zone if not done, yet
+ if ! zone_is_up "${ZONE}"; then
+ zone_up "${ZONE}"
+ fi
+
+ # Update peer and local address
+ if ! ip_tunnel_change "${ZONE}" \
+ --remote="${PLUTO_PEER}" --local="${PLUTO_ME}"; then
+ return ${EXIT_ERROR}
+ fi
+ fi
- else
- if ! ip_tunnel_add "${INTERFACE}" \
- --mode="vti" \
- --local-address="${PLUTO_ME}" \
- --remote-address="${PLUTO_PEER}" \
- --ikey="${PLUTO_MARK_IN%/*}" \
- --okey="${PLUTO_MARK_OUT%/*}"; then
- log ERROR "Could not create VTI device for ${CONNECTION}"
- fi
- fi
+ # Get source IP for routes
+ SRC_IP=($(ip_get_assigned_addresses_from_net \
+ "${PLUTO_MY_CLIENT}" "permanent"))
- device_set_up "${INTERFACE}"
- ;;
- esac
+ # We take the lowest source IP we found,
+ # which is ugly because the value is unpredictable.
+ SRC_IP=${SRC_IP[0]}
- # Set routes
- if isset INTERFACE; then
- cmd ip route add "${PLUTO_PEER_CLIENT}" \
- dev "${INTERFACE}"
+ # Add routes to reach the remote subnet(s)
+ if isset ZONE; then
+ if ! cmd ip route add "${PLUTO_PEER_CLIENT}" proto static dev "${ZONE}" src "${SRC_IP}"; then
+ log ERROR "Could not create route for ${PLUTO_PEER_CLIENT}"
+ fi
else
- cmd ip route add "${PLUTO_PEER_CLIENT}" \
- via "${PLUTO_PEER}"
+ if ! cmd ip route add "${PLUTO_PEER_CLIENT}" proto static via "${PLUTO_PEER}" src "${SRC_IP}"; then
+ log ERROR "Could not create route for ${PLUTO_PEER_CLIENT} via ${PLUTO_PEER}"
+ fi
fi
;;
down-client|down-client-v6|down-host|down-host-v6)
# Remove routes
cmd ip route del "${PLUTO_PEER_CLIENT}"
-
- # Remove interfaces
- case "${MODE}" in
- gre-*|vti)
- if device_exists "${INTERFACE}"; then
- device_set_down "${INTERFACE}"
-
- ip_tunnel_del "${INTERFACE}"
- fi
- ;;
- esac
;;
esac
projects / people / ms / network.git / blobdiff