def _pluto_start(self):
"""Start pluto."""
# cleanup has already been called when we come here, so extra PID files
# etc have been nuked already
try:
d = daemonstart.DaemonStart(_log)
d.start_daemon(command=constants.CMD_PLUTO,
pidfile=constants.PLUTO_PIDFILE,
args=[
'--secretsfile', testclientconst.PLUTO_PSK,
'--nat_traversal', '--nhelpers', '0',
'--debug-none'
])
except:
_log.exception('_pluto_start failed.')
raise
locks.whack_lock_acquire()
try:
[rv, ig1,
err] = run_command([constants.CMD_IPSEC, 'whack', '--listen'])
_log.debug('whack --listen return value: %d, stderr: %s' %
(rv, err))
except:
_log.exception('_pluto_start failed')
locks.whack_lock_release()
raise
locks.whack_lock_release()
def _pluto_start(self):
"""Start pluto."""
# cleanup has already been called when we come here, so extra PID files
# etc have been nuked already
try:
d = daemonstart.DaemonStart(_log)
d.start_daemon(command=constants.CMD_PLUTO,
pidfile=constants.PLUTO_PIDFILE,
args=['--secretsfile',
testclientconst.PLUTO_PSK,
'--nat_traversal',
'--nhelpers', '0',
'--debug-none'])
except:
_log.exception('_pluto_start failed.')
raise
locks.whack_lock_acquire()
try:
[rv, ig1, err] = run_command([constants.CMD_IPSEC, 'whack', '--listen'])
_log.debug('whack --listen return value: %d, stderr: %s' % (rv, err))
except:
_log.exception('_pluto_start failed')
locks.whack_lock_release()
raise
locks.whack_lock_release()
def _pluto_config(self, myip, router, gwip):
"""Configure and start pluto tunnel."""
_log.debug(
self._fmt('_pluto_config, whack params: ip=%s, router=%s' %
(myip, router)))
# Note: whack exit status is unreliable because it tries to
# deliver pluto progress status (if received) failing to convert
# some success progress statuses to 0. There is not much more to do
# than hope for the best..
#
# If pluto fails, ppp will eventually die and the TestConnection
# will exit. It would be nice to detect pluto failure, though.
locks.whack_lock_acquire()
# FIXME: for now use default port
our_port = 1701
try:
tunnel_name = 'tunnel-%s' % myip
ike_lifetime = 8 * 60 * 60
ipsec_lifetime = 8 * 60 * 60
keying_tries = 5 # FIXME: 0=persist, but we don't want that
# --forceencaps is not necessary: gateway will force anyway
[rv, ig, err] = run_command([
constants.CMD_IPSEC, 'whack', '--name', tunnel_name, '--host',
myip, '--nexthop', router, '--clientprotoport',
'17/%s' % str(our_port), '--updown', constants.CMD_TRUE,
'--to', '--host', gwip, '--clientprotoport', '17/1701',
'--updown', constants.CMD_TRUE, '--psk', '--encrypt',
'--ike=aes-128-sha1-160-modp1536', '--ikelifetime',
str(ike_lifetime), '--ipseclifetime',
str(ipsec_lifetime), '--keyingtries',
str(keying_tries)
])
_log.debug(
self._fmt('whack (tunnel) return value: %d, stderr: %s' %
(rv, err)))
# initiate sa in an asynchronous manner
(rv, ig, err) = run_command([
constants.CMD_IPSEC, 'whack', '--initiate', '--asynchronous',
'--name', tunnel_name
])
_log.debug(
self._fmt('whack (initiate) return value: %d, stderr: %s' %
(rv, err)))
except:
_log.exception(self._fmt('_pluto_config failed'))
locks.whack_lock_release()
def _pluto_config(self, myip, router, gwip):
"""Configure and start pluto tunnel."""
_log.debug(self._fmt('_pluto_config, whack params: ip=%s, router=%s' % (myip, router)))
# Note: whack exit status is unreliable because it tries to
# deliver pluto progress status (if received) failing to convert
# some success progress statuses to 0. There is not much more to do
# than hope for the best..
#
# If pluto fails, ppp will eventually die and the TestConnection
# will exit. It would be nice to detect pluto failure, though.
locks.whack_lock_acquire()
# FIXME: for now use default port
our_port = 1701
try:
tunnel_name = 'tunnel-%s' % myip
ike_lifetime = 8*60*60
ipsec_lifetime = 8*60*60
keying_tries = 5 # FIXME: 0=persist, but we don't want that
# --forceencaps is not necessary: gateway will force anyway
[rv, ig, err] = run_command([constants.CMD_IPSEC, 'whack',
'--name', tunnel_name,
'--host', myip,
'--nexthop', router,
'--clientprotoport', '17/%s' % str(our_port),
'--updown', constants.CMD_TRUE,
'--to', '--host', gwip,
'--clientprotoport', '17/1701',
'--updown', constants.CMD_TRUE,
'--psk',
'--encrypt',
'--ike=aes-128-sha1-160-modp1536',
'--ikelifetime', str(ike_lifetime),
'--ipseclifetime', str(ipsec_lifetime),
'--keyingtries', str(keying_tries)])
_log.debug(self._fmt('whack (tunnel) return value: %d, stderr: %s' % (rv, err)))
# initiate sa in an asynchronous manner
(rv, ig, err) = run_command([constants.CMD_IPSEC, 'whack', '--initiate',
'--asynchronous',
'--name', tunnel_name])
_log.debug(self._fmt('whack (initiate) return value: %d, stderr: %s' % (rv, err)))
except:
_log.exception(self._fmt('_pluto_config failed'))
locks.whack_lock_release()
def _pluto_cleanup(self, myip):
"""Remove pluto tunnel.
This also removes SAs and SPs (Pluto does that.
"""
_log.debug(self._fmt('_pluto_cleanup'))
locks.whack_lock_acquire()
try:
tunnel_name = 'tunnel-%s' % myip
[rv, ig, err] = run_command([constants.CMD_IPSEC, 'whack',
'--delete', '--name', tunnel_name])
_log.debug(self._fmt('delete (tunnel) return value: %d, stderr: %s' % (rv, err)))
except:
_log.exception(self._fmt('_pluto_cleanup failed'))
locks.whack_lock_release()
def _pluto_cleanup(self, myip):
"""Remove pluto tunnel.
This also removes SAs and SPs (Pluto does that.
"""
_log.debug(self._fmt('_pluto_cleanup'))
locks.whack_lock_acquire()
try:
tunnel_name = 'tunnel-%s' % myip
[rv, ig, err] = run_command([
constants.CMD_IPSEC, 'whack', '--delete', '--name', tunnel_name
])
_log.debug(
self._fmt('delete (tunnel) return value: %d, stderr: %s' %
(rv, err)))
except:
_log.exception(self._fmt('_pluto_cleanup failed'))
locks.whack_lock_release()
def _poll_pluto(self):
"""Update internal pluto info."""
# get stuff from pluto, remembering to get a global lock...
locks.whack_lock_acquire()
try:
# FIXME: can't have retval=FAIL because pluto is careless about retval
[rv, stdout, stderr] = run_command([constants.CMD_IPSEC, 'whack', '--status'])
except:
_log.exception('whack failed')
locks.whack_lock_release()
template_list = []
p1_list = []
p2_list = []
template = {}
connection = {}
def _create_pluto_template(t):
try:
return PlutoTemplateInfo(name=t['name'],
router=t['router'],
srcip=t['srcip'],
srcsel=t['srcsel'],
dstip=t['dstip'],
dstsel=t['dstsel'])
except:
_log.debug('incomplete template info: %s' % t)
return None
def _create_pluto_connection(t):
try:
return PlutoConnectionInfo(name=t['name'],
port=t['port'],
state=t['state'],
description=t['description'],
extrainfo=t['extrainfo'],
mode=t['mode'],
phase=t['phase'],
established=t['established'])
except:
_log.debug('incomplete template info: %s' % t)
return None
def _finish_element(template, connection):
if len(template.keys()) > 0:
t = _create_pluto_template(template)
template_list.append(t)
if len(connection.keys()) > 0:
t = _create_pluto_connection(connection)
if connection['phase'] == 1:
p1_list.append(t)
elif connection['phase'] == 2:
p2_list.append(t)
else:
_log.error('illegal phase: %s' % connection['phase'])
for l in stdout.split('\n'):
# start of a template?
m = _re_pluto_template_start.match(l)
if m is not None:
_finish_element(template, connection)
template = {}
connection = {}
template['name'] = m.group(1)
template['srcip'] = m.group(2)
template['srcsel'] = m.group(4)
template['router'] = m.group(5)
template['dstip'] = m.group(6)
template['dstsel'] = m.group(7)
continue
# start of a connection?
m = _re_pluto_connection_start.match(l)
if m is not None:
_finish_element(template, connection)
template = {}
connection = {}
desc = m.group(4)
state = m.group(3)
connection['name'] = m.group(1)
connection['port'] = m.group(2)
connection['state'] = state
connection['description'] = desc
connection['extrainfo'] = m.group(5)
mode, phase = None, None
if _re_pluto_connection_main_mode_state.match(state):
mode, phase = 'main', 1
if _re_pluto_connection_quick_mode_state.match(state):
mode, phase = 'quick', 2
connection['mode'] = mode
connection['phase'] = phase
if phase == 1:
if _re_pluto_connection_isakmp_sa_established.match(desc):
connection['established'] = True
else:
connection['established'] = False
elif phase == 2:
if _re_pluto_connection_ipsec_sa_established.match(desc):
connection['established'] = True
else:
connection['established'] = False
else:
_log.warning('cannot figure out phase from string: %s' % l)
continue
_finish_element(template, connection)
template = {}
connection = {}
self.pluto_template_list = template_list
self.pluto_p1_list = p1_list
self.pluto_p2_list = p2_list
