def _pluto_start(self): """Start pluto.""" # cleanup has already been called when we come here, so extra PID files # etc have been nuked already try: d = daemonstart.DaemonStart(_log) d.start_daemon(command=constants.CMD_PLUTO, pidfile=constants.PLUTO_PIDFILE, args=[ '--secretsfile', testclientconst.PLUTO_PSK, '--nat_traversal', '--nhelpers', '0', '--debug-none' ]) except: _log.exception('_pluto_start failed.') raise locks.whack_lock_acquire() try: [rv, ig1, err] = run_command([constants.CMD_IPSEC, 'whack', '--listen']) _log.debug('whack --listen return value: %d, stderr: %s' % (rv, err)) except: _log.exception('_pluto_start failed') locks.whack_lock_release() raise locks.whack_lock_release()
def _pluto_start(self): """Start pluto.""" # cleanup has already been called when we come here, so extra PID files # etc have been nuked already try: d = daemonstart.DaemonStart(_log) d.start_daemon(command=constants.CMD_PLUTO, pidfile=constants.PLUTO_PIDFILE, args=['--secretsfile', testclientconst.PLUTO_PSK, '--nat_traversal', '--nhelpers', '0', '--debug-none']) except: _log.exception('_pluto_start failed.') raise locks.whack_lock_acquire() try: [rv, ig1, err] = run_command([constants.CMD_IPSEC, 'whack', '--listen']) _log.debug('whack --listen return value: %d, stderr: %s' % (rv, err)) except: _log.exception('_pluto_start failed') locks.whack_lock_release() raise locks.whack_lock_release()
def _pluto_config(self, myip, router, gwip): """Configure and start pluto tunnel.""" _log.debug( self._fmt('_pluto_config, whack params: ip=%s, router=%s' % (myip, router))) # Note: whack exit status is unreliable because it tries to # deliver pluto progress status (if received) failing to convert # some success progress statuses to 0. There is not much more to do # than hope for the best.. # # If pluto fails, ppp will eventually die and the TestConnection # will exit. It would be nice to detect pluto failure, though. locks.whack_lock_acquire() # FIXME: for now use default port our_port = 1701 try: tunnel_name = 'tunnel-%s' % myip ike_lifetime = 8 * 60 * 60 ipsec_lifetime = 8 * 60 * 60 keying_tries = 5 # FIXME: 0=persist, but we don't want that # --forceencaps is not necessary: gateway will force anyway [rv, ig, err] = run_command([ constants.CMD_IPSEC, 'whack', '--name', tunnel_name, '--host', myip, '--nexthop', router, '--clientprotoport', '17/%s' % str(our_port), '--updown', constants.CMD_TRUE, '--to', '--host', gwip, '--clientprotoport', '17/1701', '--updown', constants.CMD_TRUE, '--psk', '--encrypt', '--ike=aes-128-sha1-160-modp1536', '--ikelifetime', str(ike_lifetime), '--ipseclifetime', str(ipsec_lifetime), '--keyingtries', str(keying_tries) ]) _log.debug( self._fmt('whack (tunnel) return value: %d, stderr: %s' % (rv, err))) # initiate sa in an asynchronous manner (rv, ig, err) = run_command([ constants.CMD_IPSEC, 'whack', '--initiate', '--asynchronous', '--name', tunnel_name ]) _log.debug( self._fmt('whack (initiate) return value: %d, stderr: %s' % (rv, err))) except: _log.exception(self._fmt('_pluto_config failed')) locks.whack_lock_release()
def _pluto_config(self, myip, router, gwip): """Configure and start pluto tunnel.""" _log.debug(self._fmt('_pluto_config, whack params: ip=%s, router=%s' % (myip, router))) # Note: whack exit status is unreliable because it tries to # deliver pluto progress status (if received) failing to convert # some success progress statuses to 0. There is not much more to do # than hope for the best.. # # If pluto fails, ppp will eventually die and the TestConnection # will exit. It would be nice to detect pluto failure, though. locks.whack_lock_acquire() # FIXME: for now use default port our_port = 1701 try: tunnel_name = 'tunnel-%s' % myip ike_lifetime = 8*60*60 ipsec_lifetime = 8*60*60 keying_tries = 5 # FIXME: 0=persist, but we don't want that # --forceencaps is not necessary: gateway will force anyway [rv, ig, err] = run_command([constants.CMD_IPSEC, 'whack', '--name', tunnel_name, '--host', myip, '--nexthop', router, '--clientprotoport', '17/%s' % str(our_port), '--updown', constants.CMD_TRUE, '--to', '--host', gwip, '--clientprotoport', '17/1701', '--updown', constants.CMD_TRUE, '--psk', '--encrypt', '--ike=aes-128-sha1-160-modp1536', '--ikelifetime', str(ike_lifetime), '--ipseclifetime', str(ipsec_lifetime), '--keyingtries', str(keying_tries)]) _log.debug(self._fmt('whack (tunnel) return value: %d, stderr: %s' % (rv, err))) # initiate sa in an asynchronous manner (rv, ig, err) = run_command([constants.CMD_IPSEC, 'whack', '--initiate', '--asynchronous', '--name', tunnel_name]) _log.debug(self._fmt('whack (initiate) return value: %d, stderr: %s' % (rv, err))) except: _log.exception(self._fmt('_pluto_config failed')) locks.whack_lock_release()
def _pluto_cleanup(self, myip): """Remove pluto tunnel. This also removes SAs and SPs (Pluto does that. """ _log.debug(self._fmt('_pluto_cleanup')) locks.whack_lock_acquire() try: tunnel_name = 'tunnel-%s' % myip [rv, ig, err] = run_command([constants.CMD_IPSEC, 'whack', '--delete', '--name', tunnel_name]) _log.debug(self._fmt('delete (tunnel) return value: %d, stderr: %s' % (rv, err))) except: _log.exception(self._fmt('_pluto_cleanup failed')) locks.whack_lock_release()
def _pluto_cleanup(self, myip): """Remove pluto tunnel. This also removes SAs and SPs (Pluto does that. """ _log.debug(self._fmt('_pluto_cleanup')) locks.whack_lock_acquire() try: tunnel_name = 'tunnel-%s' % myip [rv, ig, err] = run_command([ constants.CMD_IPSEC, 'whack', '--delete', '--name', tunnel_name ]) _log.debug( self._fmt('delete (tunnel) return value: %d, stderr: %s' % (rv, err))) except: _log.exception(self._fmt('_pluto_cleanup failed')) locks.whack_lock_release()
def _poll_pluto(self): """Update internal pluto info.""" # get stuff from pluto, remembering to get a global lock... locks.whack_lock_acquire() try: # FIXME: can't have retval=FAIL because pluto is careless about retval [rv, stdout, stderr] = run_command([constants.CMD_IPSEC, 'whack', '--status']) except: _log.exception('whack failed') locks.whack_lock_release() template_list = [] p1_list = [] p2_list = [] template = {} connection = {} def _create_pluto_template(t): try: return PlutoTemplateInfo(name=t['name'], router=t['router'], srcip=t['srcip'], srcsel=t['srcsel'], dstip=t['dstip'], dstsel=t['dstsel']) except: _log.debug('incomplete template info: %s' % t) return None def _create_pluto_connection(t): try: return PlutoConnectionInfo(name=t['name'], port=t['port'], state=t['state'], description=t['description'], extrainfo=t['extrainfo'], mode=t['mode'], phase=t['phase'], established=t['established']) except: _log.debug('incomplete template info: %s' % t) return None def _finish_element(template, connection): if len(template.keys()) > 0: t = _create_pluto_template(template) template_list.append(t) if len(connection.keys()) > 0: t = _create_pluto_connection(connection) if connection['phase'] == 1: p1_list.append(t) elif connection['phase'] == 2: p2_list.append(t) else: _log.error('illegal phase: %s' % connection['phase']) for l in stdout.split('\n'): # start of a template? m = _re_pluto_template_start.match(l) if m is not None: _finish_element(template, connection) template = {} connection = {} template['name'] = m.group(1) template['srcip'] = m.group(2) template['srcsel'] = m.group(4) template['router'] = m.group(5) template['dstip'] = m.group(6) template['dstsel'] = m.group(7) continue # start of a connection? m = _re_pluto_connection_start.match(l) if m is not None: _finish_element(template, connection) template = {} connection = {} desc = m.group(4) state = m.group(3) connection['name'] = m.group(1) connection['port'] = m.group(2) connection['state'] = state connection['description'] = desc connection['extrainfo'] = m.group(5) mode, phase = None, None if _re_pluto_connection_main_mode_state.match(state): mode, phase = 'main', 1 if _re_pluto_connection_quick_mode_state.match(state): mode, phase = 'quick', 2 connection['mode'] = mode connection['phase'] = phase if phase == 1: if _re_pluto_connection_isakmp_sa_established.match(desc): connection['established'] = True else: connection['established'] = False elif phase == 2: if _re_pluto_connection_ipsec_sa_established.match(desc): connection['established'] = True else: connection['established'] = False else: _log.warning('cannot figure out phase from string: %s' % l) continue _finish_element(template, connection) template = {} connection = {} self.pluto_template_list = template_list self.pluto_p1_list = p1_list self.pluto_p2_list = p2_list