Gitiles
Code Review Sign In
gerrit.opencord.org / ansible / role / strongswan / 25979e26f4b2e47417145605896798f57f407616 / . / files / ipsec-vti.sh
blob: f6bb054b56ecd216a5f54676fc4579ecab385a9e [file] [log] [blame]
Hyunsun Moona5c3f642020-11-11 02:53:03 -0800[diff] [blame]1#!/bin/bash
2#
3# strongswan files/ipsec-vti.sh - Ansible managed: Do NOT edit this file manually!
4#
5# SPDX-FileCopyrightText: © 2020 Open Networking Foundation <support@opennetworking.org>
6# SPDX-License-Identifier: Apache-2.0
7
8set -o nounset
9set -o errexit
10
Hyunsun Moon6a19e042021-01-19 21:30:56 -0800[diff] [blame]11IP=$(which ip)
Hyunsun Moona5c3f642020-11-11 02:53:03 -0800[diff] [blame]12
Hyunsun Moon6a19e042021-01-19 21:30:56 -0800[diff] [blame]13PLUTO_MARK_OUT_ARR=(${PLUTO_MARK_OUT//// })
14PLUTO_MARK_IN_ARR=(${PLUTO_MARK_IN//// })
Hyunsun Moona5c3f642020-11-11 02:53:03 -0800[diff] [blame]15
Hyunsun Moon6a19e042021-01-19 21:30:56 -0800[diff] [blame]16VTI_TUNNEL_ID=${1}
17VTI_REMOTE=${2}
18VTI_LOCAL=${3}
Hyunsun Moona5c3f642020-11-11 02:53:03 -0800[diff] [blame]19
Hyunsun Moon6a19e042021-01-19 21:30:56 -0800[diff] [blame]20LOCAL_IF="${PLUTO_INTERFACE}"
21VTI_IF="${VTI_TUNNEL_ID}"
22# GCP's MTU is 1460, so it's hardcoded
23GCP_MTU="1460"
24# ipsec overhead is 73 bytes, we need to compute new mtu.
25VTI_MTU=$((GCP_MTU-73))
Hyunsun Moona5c3f642020-11-11 02:53:03 -0800[diff] [blame]26
27case "${PLUTO_VERB}" in
Hyunsun Moon6a19e042021-01-19 21:30:56 -0800[diff] [blame]28 up-client)
29 ${IP} link add ${VTI_IF} type vti local ${PLUTO_ME} remote ${PLUTO_PEER} okey ${PLUTO_MARK_OUT_ARR[0]} ikey ${PLUTO_MARK_IN_ARR[0]}
30 ${IP} addr add ${VTI_LOCAL} remote ${VTI_REMOTE} dev "${VTI_IF}"
31 ${IP} link set ${VTI_IF} up mtu ${VTI_MTU}
32
33 # Disable IPSEC Policy
34 sysctl -w net.ipv4.conf.${VTI_IF}.disable_policy=1
35
36 # Enable loosy source validation, if possible. Otherwise disable validation.
37 sysctl -w net.ipv4.conf.${VTI_IF}.rp_filter=2 || sysctl -w net.ipv4.conf.${VTI_IF}.rp_filter=0
38
39 # If you would like to use VTI for policy-based you shoud take care of routing by yourselv, e.x.
40 #if [[ "${PLUTO_PEER_CLIENT}" != "0.0.0.0/0" ]]; then
41 # ${IP} r add "${PLUTO_PEER_CLIENT}" dev "${VTI_IF}"
42 #fi
43 ;;
44 down-client)
45 ${IP} tunnel del "${VTI_IF}"
46 ;;
Hyunsun Moona5c3f642020-11-11 02:53:03 -0800[diff] [blame]47esac
Hyunsun Moon6a19e042021-01-19 21:30:56 -0800[diff] [blame]48
49# Enable IPv4 forwarding
50sysctl -w net.ipv4.ip_forward=1
51
52# Disable IPSEC Encryption on local net
53sysctl -w net.ipv4.conf.${LOCAL_IF}.disable_xfrm=1
54sysctl -w net.ipv4.conf.${LOCAL_IF}.disable_policy=1