contrail

# Add a new strongSwan entry, and inform strongSwan that there
# is a new entry.
#
# Usage:
#    safeconfig add-strongswan-entry.conf <connection-id>
#         <source-address> <target-address>
#         <source-host-address> <target-host-address>
#
# Where <connection-id> is the identifier of
# this particular connection, and the remaining parameters are
# host or vin addresses.

parameters CONNID SOURCE TARGET SOURCE_HOST TARGET_HOST

# Do sanity checks on the parameters.

# Require that an identifier only consists of alphanumeric characters, or 
#  '-'. (Note that the '-' must be at the end, otherwise it introduces a range.)
assertmatch [[:alnum:]-]+ $(CONNID)

# Require that the addresses only consists of hex digits or ':' or '.' characters.
# This matches ipv4 and ipv6 addresses
assertmatch [[:xdigit:]:.]+ $(SOURCE)
assertmatch [[:xdigit:]:.]+ $(TARGET)
assertmatch [[:xdigit:]:.]+ $(SOURCE_HOST)
assertmatch [[:xdigit:]:.]+ $(TARGET_HOST)

# Place of the ipsec executable and the STRONGSWANDIR we use
set IPSEC /usr/sbin/ipsec
set STRONGSWANDIR /var/lib/contrail/vin/strongSwan

debugprint "FLAGS=$(FLAGS) CONNID=$(CONNID) SOURCE=$(SOURCE) TARGET=$(TARGET) SOURCE_HOST=$(SOURCE_HOST) TARGET_HOST=$(TARGET_HOST)"
debugrun /usr/bin/id

# Now construct the name of the file where the config should be stored.
CONFIGFILE=$STRONGSWANDIR/"$CONNID".conf

cat > $CONFIGFILE <<EOF

# Entry for  CONNID=$CONNID
conn $CONNID
    left=$SOURCE_HOST
    leftsourceip=$SOURCE
    leftsubnet=$SOURCE/32
    right=$TARGET_HOST
    rightsourceip=$TARGET
    rightsubnet=$TARGET/32
    keyexchange=ikev2
    auto=start
EOF
run $(IPSEC) update

debugrun $(IPSEC) statusall