From 8be516b3bcc2b9f30f8d44f44450be57b68d0025 Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Mon, 4 Feb 2019 18:38:24 +0000
Subject: [PATCH] strongswan: Do not create any NAT rules when using VTI/GRE
Signed-off-by: Michael Tremer
---
 lfs/strongswan | 1 +
 .../strongswan-ipfire-interfaces.patch | 72 +++++++++++++++++++
 2 files changed, 73 insertions(+)
 create mode 100644 src/patches/strongswan-ipfire-interfaces.patch
diff --git a/lfs/strongswan b/lfs/strongswan
index 99261ce934..4174f78fe5 100644
--- a/lfs/strongswan
+++ b/lfs/strongswan
@@ -72,6 +72,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
 cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-disable-ipv6.patch
 cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-ipfire.patch
+ cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-ipfire-interfaces.patch
 cd $(DIR_APP) && ./configure \
 --prefix="/usr" \
diff --git a/src/patches/strongswan-ipfire-interfaces.patch b/src/patches/strongswan-ipfire-interfaces.patch
new file mode 100644
index 0000000000..5ec96a48a2
--- /dev/null
+++ b/src/patches/strongswan-ipfire-interfaces.patch
@@ -0,0 +1,72 @@
+--- strongswan-5.7.0/src/_updown/_updown.in.bak 2019-02-06 18:19:25.723893992 +0000
++++ strongswan-5.7.0/src/_updown/_updown.in 2019-02-06 18:28:21.520560665 +0000
+@@ -130,6 +130,13 @@
+ # address family.
+ #
++VARS=(
++ id status name lefthost type ctype psk local local_id leftsubnets
++ remote_id remote rightsubnets x3 x4 x5 x6 x7 x8 x9 x10 x11 x12
++ x13 x14 x15 x16 x17 x18 x19 proto x20 x21 x22
++ route x23 mode interface_mode interface_address interface_mtu rest
++)
++
+ function ip_encode() {
+ local IFS=.
+ 
+@@ -319,6 +326,13 @@
+ fi
+ ;;
+ up-client:iptables)
++ # Read IPsec configuration
++ while IFS="," read -r "${VARS[@]}"; do
++ if [ "${PLUTO_CONNECTION}" = "${name}" ]; then
++ break
++ fi
++ done < /var/ipfire/vpn/config
++
+ # connection to client subnet, with (left/right)firewall=yes, coming up
+ # This is used only by the default updown script, not by your custom
+ # ones, so do not mess with it; see CAUTION comment up at top.
+@@ -383,23 +397,25 @@
+ "tunnel+ $PLUTO_PEER -- $PLUTO_ME"
+ fi
+ 
+- # Add source nat so also the gateway can access the other nets
+- eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
+- for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
+- ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}"
+- if [ $? -eq 0 ]; then
+- src=${_src}
+- break
++ if [ -z "${interface_mode}" ]; then
++ # Add source nat so also the gateway can access the other nets
++ eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
++ for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
++ ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}"
++ if [ $? 
-eq 0 ]; then
++ src=${_src}
++ break
++ fi
++ done
++
++ if [ -n "${src}" ]; then
++ iptables --wait -t nat -A IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
++ logger -t $TAG -p $FAC_PRIO \
++ "snat+ $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src"
++ else
++ logger -t $TAG -p $FAC_PRIO \
++ "Cannot create NAT rule because no IP of the IPFire does match the subnet. $PLUTO_MY_CLIENT"
+ fi
+- done
+-
+- if [ -n "${src}" ]; then
+- iptables --wait -t nat -A IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
+- logger -t $TAG -p $FAC_PRIO \
+- "snat+ $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src"
+- else
+- logger -t $TAG -p $FAC_PRIO \
+- "Cannot create NAT rule because no IP of the IPFire does match the subnet. $PLUTO_MY_CLIENT"
+ fi
+ 
+ # Flush routing cache
-- 
2.39.2
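Review bot: When no record in /var/ipfire/vpn/config has a `name` equal to `${PLUTO_CONNECTION}`, the `while IFS="," read -r "${VARS[@]}"` loop in the `up-client:iptables` arm exits without `break` and `interface_mode` (and every other field) keeps the value of the last record read, so a connection missing from the file inherits another connection's interface mode and the later `if [ -z "${interface_mode}" ]` test may skip or add the SNAT rule for the wrong reason; adding `[ "${PLUTO_CONNECTION}" = "${name}" ] || interface_mode=""` directly after `done < /var/ipfire/vpn/config` closes that gap. If the config file is absent the redirection fails and, absent a `set -e` I cannot see from here, the arm continues with all fields unset, which happens to take the NAT path; a one-line comment stating that this is the intended fallback would make it deliberate. The `VARS` array pins these variables to column positions, so a comment above it such as `# Column order of /var/ipfire/vpn/config; x* are columns this script does not use` would protect the next person who reorders the file. If the matching `down-client:iptables` arm outside this hunk still deletes the IPSECNAT rule unconditionally, it presumably needs the same `interface_mode` guard; that arm is not visible here, and both enclosing case arms start and end outside the hunk.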