├── scripts
    ├── FILES.d
    │   ├── quagga
    │   │   ├── bgpd.conf
    │   │   ├── ospfd.conf
    │   │   ├── ospfd.conf.SAMPLE
    │   │   ├── zebra.conf
    │   │   ├── reset_vti.sh
    │   │   └── quagga-config.SAMPLE
    │   │   │   ├── zebra.conf
    │   │   │   ├── ospfd.conf
    │   │   │   └── bgpd.conf
    │   ├── strongswan
    │   │   ├── vti.d
    │   │   │   ├── .DISABLED
    │   │   │   │   └── .keep
    │   │   │   ├── vtiN.secrets.sample
    │   │   │   ├── vtiN.init.sample
    │   │   │   └── vtiN.conf.sample
    │   │   ├── ipsec.secrets
    │   │   ├── strongswan.d
    │   │   │   ├── charon
    │   │   │   │   └── farp.conf
    │   │   │   └── charon.conf
    │   │   ├── ipsec.conf
    │   │   ├── restart_vti.sh
    │   │   └── ipsec-vti.sh
    │   ├── sysctl.d
    │   │   ├── 83-nopanic.conf
    │   │   ├── 81-disable-ipv6.conf
    │   │   ├── 84-disable-rpp.conf
    │   │   └── 82-router-ok.conf
    │   ├── monit.d
    │   │   ├── snmpd
    │   │   ├── strongswan
    │   │   └── quuagga
    │   ├── crontab
    │   └── sysconfig
    │   │   └── iptables
    ├── SYNC_AVAIL.sh
    ├── add_restarts.sh
    ├── refresh_scripts.sh
    ├── update_kernel.sh
    ├── VTI_RM.sh
    ├── README.txt
    ├── VTI_ADDAWS.sh
    ├── VTI_ADD.sh
    ├── VTI_OPS.sh
    ├── INITIAL_SETUP.sh
    └── RPM.list
├── License-And-Disclimer.txt
├── DOCS
    ├── 01-VTI_ROUTER_Implementation.pdf
    ├── 02-IPSEC-AZURE-CONFIGURATION.pdf
    └── 00-VTI_ROUTER_APPLIANCE_Introduction.pdf
└── README.md


/scripts/FILES.d/quagga/bgpd.conf:
--------------------------------------------------------------------------------
1 | 


--------------------------------------------------------------------------------
/scripts/FILES.d/quagga/ospfd.conf:
--------------------------------------------------------------------------------
1 | 


--------------------------------------------------------------------------------
/scripts/FILES.d/strongswan/vti.d/.DISABLED/.keep:
--------------------------------------------------------------------------------
1 | 


--------------------------------------------------------------------------------
/scripts/FILES.d/sysctl.d/83-nopanic.conf:
--------------------------------------------------------------------------------
1 | kernel.panic=100
2 | 


--------------------------------------------------------------------------------
/scripts/FILES.d/sysctl.d/81-disable-ipv6.conf:
--------------------------------------------------------------------------------
1 | net.ipv6.conf.all.disable_ipv6=1
2 | 


--------------------------------------------------------------------------------
/scripts/FILES.d/strongswan/ipsec.secrets:
--------------------------------------------------------------------------------
1 | # VPC IPSEC
2 | include /etc/strongswan/vti.d/*.secrets
3 | 


--------------------------------------------------------------------------------
/scripts/FILES.d/strongswan/vti.d/vtiN.secrets.sample:
--------------------------------------------------------------------------------
1 | %VTI_OIP_LOCAL% %VTI_OIP_REMOTE% : PSK   %VTI_SECRET%
2 | 


--------------------------------------------------------------------------------
/License-And-Disclimer.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/eis-group-opensource/vti-router/HEAD/License-And-Disclimer.txt


--------------------------------------------------------------------------------
/scripts/SYNC_AVAIL.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | mkdir -p ~/scripts/WORK
3 | rsync -av WORK/`hostname -s`.d ~/scripts/WORK/.
4 | 


--------------------------------------------------------------------------------
/DOCS/01-VTI_ROUTER_Implementation.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/eis-group-opensource/vti-router/HEAD/DOCS/01-VTI_ROUTER_Implementation.pdf


--------------------------------------------------------------------------------
/DOCS/02-IPSEC-AZURE-CONFIGURATION.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/eis-group-opensource/vti-router/HEAD/DOCS/02-IPSEC-AZURE-CONFIGURATION.pdf


--------------------------------------------------------------------------------
/scripts/FILES.d/sysctl.d/84-disable-rpp.conf:
--------------------------------------------------------------------------------
1 | net.ipv4.conf.default.rp_filter=0
2 | net.ipv4.conf.all.rp_filter=0
3 | net.ipv4.conf.eth0.rp_filter=0
4 | 


--------------------------------------------------------------------------------
/DOCS/00-VTI_ROUTER_APPLIANCE_Introduction.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/eis-group-opensource/vti-router/HEAD/DOCS/00-VTI_ROUTER_APPLIANCE_Introduction.pdf


--------------------------------------------------------------------------------
/scripts/FILES.d/sysctl.d/82-router-ok.conf:
--------------------------------------------------------------------------------
1 | # Enable IPv4 forwarding
2 | net.ipv4.ip_forward=1
3 | net.ipv4.conf.eth0.disable_xfrm=1
4 | net.ipv4.conf.eth0.disable_policy=1
5 | 


--------------------------------------------------------------------------------
/scripts/FILES.d/strongswan/vti.d/vtiN.init.sample:
--------------------------------------------------------------------------------
1 | #
2 | VTI_INTERFACE=%VTI%
3 | VTI_LOCALADDR=%VTI_IIP_LOCAL%
4 | VTI_REMOTEADDR=%VTI_IIP_REMOTE%
5 | VTI_DESRITION=%VTI_NAME%
6 | VTI_MTU=%VTI_MTU%
7 | 
8 | 


--------------------------------------------------------------------------------
/scripts/FILES.d/strongswan/strongswan.d/charon/farp.conf:
--------------------------------------------------------------------------------
1 | farp {
2 | 
3 |     # Whether to load the plugin. Can also be an integer to increase the
4 |     # priority of this plugin.
5 |     load = no
6 | 
7 | }
8 | 
9 | 


--------------------------------------------------------------------------------
/scripts/FILES.d/strongswan/vti.d/vtiN.conf.sample:
--------------------------------------------------------------------------------
 1 | 
 2 | #BEGIN:%VTI%
 3 | conn %VTI%
 4 |         left=%VTI_OIP_LOCAL%
 5 |         right=%VTI_OIP_REMOTE%
 6 |         auto=start
 7 |         mark=%VTI_MARK%
 8 | 	forceencaps=yes
 9 | #END:%VTI%
10 | 


--------------------------------------------------------------------------------
/scripts/FILES.d/monit.d/snmpd:
--------------------------------------------------------------------------------
1 | check process snmpd with pidfile /var/run/net-snmp/snmpd.pid
2 | start program = "/bin/systemctl start snmpd.service" with timeout 10 seconds
3 | stop program = "/bin/systemctl stop snmpd.service"
4 | if failed port 161 type udp then restart
5 | 


--------------------------------------------------------------------------------
/scripts/FILES.d/quagga/ospfd.conf.SAMPLE:
--------------------------------------------------------------------------------
 1 | ! -*- ospf -*-
 2 | !
 3 | ! OSPFd sample configuration file
 4 | !
 5 | !
 6 | !hostname ospfd
 7 | !password zebra
 8 | !enable password please-set-at-here
 9 | !
10 | router ospf
11 |   network 10.25.23.0/24 area 0
12 |   network 10.25.223.0/24 area 0
13 | !
14 | log stdout
15 | 
16 | 


--------------------------------------------------------------------------------
/scripts/FILES.d/quagga/zebra.conf:
--------------------------------------------------------------------------------
 1 | !
 2 | ! Zebra configuration saved from vty
 3 | !   2016/06/20 18:52:50
 4 | !
 5 | hostname %HOSTNAME%
 6 | !
 7 | interface eth0
 8 |  ipv6 nd suppress-ra
 9 | !
10 | interface eth1
11 |  ipv6 nd suppress-ra
12 | !
13 | interface lo
14 | !
15 | ip forwarding
16 | !
17 | !
18 | line vty
19 | !
20 | 


--------------------------------------------------------------------------------
/scripts/FILES.d/monit.d/strongswan:
--------------------------------------------------------------------------------
 1 | check process starter with pidfile /var/run/starter.charon.pid
 2 | start program = "/bin/systemctl start strongswan.service" with timeout 10 seconds
 3 | stop program = "/bin/systemctl stop strongswan.service"
 4 | 
 5 | check process charon with pidfile /var/run/charon.pid
 6 | start program = "/bin/systemctl start strongswan.service" with timeout 10 seconds
 7 | stop program = "/bin/systemctl stop strongswan.service"
 8 | if failed port 500 type udp then restart
 9 | if failed port 4500 type udp then restart
10 | 


--------------------------------------------------------------------------------
/scripts/FILES.d/crontab:
--------------------------------------------------------------------------------
 1 | SHELL=/bin/bash
 2 | PATH=/sbin:/bin:/usr/sbin:/usr/bin
 3 | MAILTO=root
 4 | 
 5 | # For details see man 4 crontabs
 6 | 
 7 | # Example of job definition:
 8 | # .---------------- minute (0 - 59)
 9 | # |  .------------- hour (0 - 23)
10 | # |  |  .---------- day of month (1 - 31)
11 | # |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
12 | # |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
13 | # |  |  |  |  |
14 | # *  *  *  *  * user-name  command to be executed
15 | */10 * * * * root /etc/strongswan/restart_vti.sh > /tmp/restart_vti.log 2>& 1
16 | 


--------------------------------------------------------------------------------
/scripts/FILES.d/quagga/reset_vti.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | ###################################################
 3 | # (c) EIS Group LTD, 2016                         #
 4 | # (License) GPL                                   #
 5 | # Donated to OpenSource by EIS Group, 2016.       #
 6 | # Authors: Alexei Roudnev , Andrey Saveliev       #
 7 | #                                                 #
 8 | #       open-source@eisgroup.com                  #
 9 | #  or   aprudnev@gmail.com                        #
10 | #  URL; http://eisgroup.com                       #
11 | ###################################################
12 | 
13 | # Argument - interface name
14 | #
15 | vtysh -c "conf t" -c "interface $1" -c "ip ospf network point-to-point"
16 | 


--------------------------------------------------------------------------------
/scripts/FILES.d/monit.d/quuagga:
--------------------------------------------------------------------------------
 1 | check process zebra with pidfile /var/run/quagga/zebra.pid
 2 | start program = "/bin/systemctl start zebra.service" with timeout 10 seconds
 3 | stop program = "/bin/systemctl stop  zebra.service"
 4 | if failed port 2601 then restart
 5 | 
 6 | check process ospfd with pidfile /var/run/quagga/ospfd.pid
 7 | start program = "/bin/systemctl start ospfd.service" with timeout 10 seconds
 8 | stop program = "/bin/systemctl stop ospfd.service"
 9 | if failed port 2604 then restart
10 | 
11 | check process bgpd with pidfile /var/run/quagga/bgpd.pid
12 | start program = "/bin/systemctl start bgpd.service" with timeout 10 seconds
13 | stop program = "/bin/systemctl stop bgpd.service"
14 | if failed port 179 then restart
15 | 
16 | 


--------------------------------------------------------------------------------
/scripts/FILES.d/quagga/quagga-config.SAMPLE/zebra.conf:
--------------------------------------------------------------------------------
 1 | !
 2 | ! Zebra configuration saved from vty
 3 | !   2016/06/30 16:48:57
 4 | !
 5 | !
 6 | interface eth0
 7 |  ipv6 nd suppress-ra
 8 | !
 9 | interface eth1
10 |  ipv6 nd suppress-ra
11 | !
12 | interface ip_vti0
13 |  ipv6 nd suppress-ra
14 | !
15 | interface lo
16 | !
17 | interface vti1
18 |  ipv6 nd suppress-ra
19 | !
20 | interface vti2
21 |  ipv6 nd suppress-ra
22 | !
23 | interface vti3
24 |  ipv6 nd suppress-ra
25 | !
26 | ip route 50.112.38.111/32 209.44.73.1
27 | ip route 52.25.200.12/32 209.44.73.1
28 | ip route 65.49.55.38/32 209.44.73.1
29 | !
30 | access-list from_aws remark Newtork we want to accept from AWS
31 | access-list from_aws permit 10.20.0.0/16
32 | !
33 | route-map from_aws permit 10
34 |  match ip address from_aws
35 | !
36 | ip forwarding
37 | !
38 | !
39 | line vty
40 | !
41 | 


--------------------------------------------------------------------------------
/scripts/FILES.d/quagga/quagga-config.SAMPLE/ospfd.conf:
--------------------------------------------------------------------------------
 1 | !
 2 | ! Zebra configuration saved from vty
 3 | !   2016/06/30 16:48:57
 4 | !
 5 | !
 6 | !
 7 | !
 8 | interface eth0
 9 |  ip ospf authentication message-digest
10 |  ip ospf message-digest-key 1 md5 XXX/23
11 | !
12 | interface eth1
13 | !
14 | interface ip_vti0
15 | !
16 | interface lo
17 | !
18 | interface vti1
19 | !
20 | interface vti2
21 |  ip ospf network broadcast
22 | !
23 | interface vti3
24 | !
25 | router ospf
26 |  redistribute bgp route-map from_aws
27 |  network 10.23.23.0/24 area 0.0.0.0
28 |  network 10.25.223.0/24 area 0.0.0.0
29 |  area 0.0.0.0 authentication message-digest
30 | !
31 | access-list from_aws remark Network we want to accept from AWS
32 | access-list from_aws permit 10.20.0.0/16
33 | !
34 | route-map from_aws permit 10
35 |  match ip address from_aws
36 | !
37 | line vty
38 | !
39 | 


--------------------------------------------------------------------------------
/scripts/add_restarts.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | ###################################################
 3 | # (c) EIS Group LTD, 2016                         #
 4 | # (License) GPL                                   #
 5 | # Donated to OpenSource by EIS Group, 2016.       #
 6 | # Authors: Alexei Roudnev , Andrey Saveliev       #
 7 | #                                                 #
 8 | #       open-source@eisgroup.com                  #
 9 | #  or   aprudnev@gmail.com                        #
10 | #  URL; http://eisgroup.com                       #
11 | ###################################################
12 | 
13 | if ! grep -q restart_vti.sh /etc/crontab 
14 | then
15 | echo "*/10 * * * * root /etc/strongswan/restart_vti.sh > /tmp/restart_vti.log 2>& 1" >> /etc/crontab
16 |     echo "Restart check every 10 minutes added"
17 | else
18 |     echo "Restarts are already in place"
19 | fi
20 | 


--------------------------------------------------------------------------------
/scripts/FILES.d/strongswan/ipsec.conf:
--------------------------------------------------------------------------------
 1 | config setup
 2 | 
 3 | conn %default
 4 |         leftauth=psk
 5 |         rightauth=psk
 6 |         ike=aes256-sha256-modp2048s256,aes128-sha1-modp1024!
 7 |         ikelifetime=28800s
 8 |         aggressive=no
 9 |         esp=aes128-sha256-modp2048s256,aes128-sha1-modp1024!
10 |         lifetime=3600s
11 |         type=tunnel
12 |         dpddelay=10s
13 |         dpdtimeout=30s
14 |         keyexchange=ikev1
15 |         rekey=yes
16 |         reauth=no
17 |         dpdaction=restart
18 |         closeaction=restart
19 |         left=%defaultroute
20 |         leftsubnet=0.0.0.0/0,::/0
21 |         rightsubnet=0.0.0.0/0,::/0
22 |         leftupdown=/etc/strongswan/ipsec-vti.sh
23 |         installpolicy=yes
24 |         compress=no
25 |         mobike=no
26 |         keyingtries=%forever
27 | 
28 | include /etc/strongswan/vti.d/*.conf
29 | 
30 | 


--------------------------------------------------------------------------------
/scripts/FILES.d/quagga/quagga-config.SAMPLE/bgpd.conf:
--------------------------------------------------------------------------------
 1 | !
 2 | ! Zebra configuration saved from vty
 3 | !   2016/06/30 16:48:57
 4 | !
 5 | !
 6 | router bgp 65003
 7 |  network 10.0.0.0/8
 8 |  network 192.168.0.0/16
 9 |  neighbor 10.255.254.21 remote-as 64600
10 |  neighbor 10.255.254.21 ebgp-multihop 255
11 |  neighbor 10.255.254.21 update-source eth0
12 |  neighbor 10.255.254.22 remote-as 64600
13 |  neighbor 10.255.254.22 ebgp-multihop 255
14 |  neighbor 10.255.254.22 update-source eth0
15 |  neighbor 169.254.12.49 remote-as 7224
16 |  neighbor 169.254.12.49 route-map from_aws in
17 |  neighbor 169.254.12.213 remote-as 7224
18 |  neighbor 169.254.12.213 route-map from_aws in
19 | !
20 | access-list from_aws remark Newtork we want to accept from AWS
21 | access-list from_aws permit 10.20.0.0/16
22 | !
23 | route-map from_aws permit 10
24 |  match ip address from_aws
25 | !
26 | line vty
27 | !
28 | 


--------------------------------------------------------------------------------
/scripts/FILES.d/sysconfig/iptables:
--------------------------------------------------------------------------------
 1 | # Generated by iptables-save v1.4.21 on Mon Jun 20 20:07:34 2016
 2 | *filter
 3 | :INPUT ACCEPT [0:0]
 4 | :FORWARD ACCEPT [0:0]
 5 | :OUTPUT ACCEPT [1738:245262]
 6 | -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 7 | -A INPUT -p icmp -j ACCEPT
 8 | -A INPUT -i lo -j ACCEPT
 9 | -A INPUT -i eth0 -j ACCEPT
10 | -A INPUT -i tun+ -j ACCEPT
11 | -A INPUT -i vti+ -j ACCEPT
12 | -A INPUT -p ah -j ACCEPT
13 | -A INPUT -p esp -j ACCEPT
14 | -A INPUT -p udp -m state --state NEW -m udp --dport 500 -j ACCEPT
15 | -A INPUT -p udp -m state --state NEW -m udp --dport 4500 -j ACCEPT
16 | -A INPUT -j REJECT --reject-with icmp-host-prohibited
17 | -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
18 | -A FORWARD -p icmp -j ACCEPT
19 | -A FORWARD -i lo -j ACCEPT
20 | -A FORWARD -i eth0 -j ACCEPT
21 | -A FORWARD -i tun+ -j ACCEPT
22 | -A FORWARD -i vti+ -j ACCEPT
23 | -A FORWARD -j REJECT --reject-with icmp-host-prohibited
24 | COMMIT
25 | 


--------------------------------------------------------------------------------
/scripts/refresh_scripts.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | ###################################################
 3 | # (c) EIS Group LTD, 2016                         #
 4 | # (License) GPL                                   #
 5 | # Donated to OpenSource by EIS Group, 2016.       #
 6 | # Authors: Alexei Roudnev , Andrey Saveliev       #
 7 | #                                                 #
 8 | #       open-source@eisgroup.com                  #
 9 | #  or   aprudnev@gmail.com                        #
10 | #  URL; http://eisgroup.com                       #
11 | ###################################################
12 | 
13 | cp FILES.d/strongswan/*.sh /etc/strongswan/.
14 | cp FILES.d/quagga/*.sh /etc/quagga/.
15 | cp FILES.d/sysctl.d/* /etc/sysctl.d/. && sysctl -p
16 | if [ ! -d /usr/local/scripts ]
17 | then
18 | 	(cd ~ && mv scripts /usr/local/. && ln -s /usr/local/scripts .)
19 | fi
20 | cat > /usr/sbin/VTI <<EOF
21 | #!/bin/bash
22 | cd /usr/local/scripts && exec ./VTI_OPS.sh \$*
23 | EOF
24 | rsync -av [A-Z]*.sh FILES.d /usr/local/scripts/.
25 | ln -s /usr/sbin/strongswan /usr/sbin/ipsec
26 | 


--------------------------------------------------------------------------------
/scripts/update_kernel.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | ###################################################
 3 | # (c) EIS Group LTD, 2016                         #
 4 | # (License) GPL                                   #
 5 | # Donated to OpenSource by EIS Group, 2016.       #
 6 | # Authors: Alexei Roudnev , Andrey Saveliev       #
 7 | #                                                 #
 8 | #       open-source@eisgroup.com                  #
 9 | #  or   aprudnev@gmail.com                        #
10 | #  URL; http://eisgroup.com                       #
11 | ###################################################
12 | 
13 | # This is APPROXIMATELY what we did to update kernel
14 | # Need to adjust and debug it yet (for example I do not know what 'awk' did and what nano did)
15 | #
16 | #
17 | if [[ ! -f /etc/yum.repos.d/elrepo.repo ]]
18 | then
19 | 	rpm --import https://www.elrepo.org/RPM-GPG-KEY-elrepo.org
20 | 	yum install http://www.elrepo.org/elrepo-release-7.0-2.el7.elrepo.noarch.rpm
21 | 	#nano /etc/yum.repos.d/elrepo.repo
22 | 	sed -i /kernel/,/extra/s/enabled=0/enabled=1/ /etc/yum.repos.d/elrepo*
23 | 	yum --enablerepo=elrepo-kernel install kernel-ml kernel-ml-devel kernel-ml-headers
24 | 	awk -F\' '$1=="menuentry " {print $2}' /etc/grub2.cfg
25 | else
26 |        yum --enablerepo=elrepo-kernel update kernel-ml kernel-ml-devel kernel-ml-headers
27 | fi
28 | awk -F\' '$1=="menuentry " {print $2}' /etc/grub2.cfg
29 | echo "Run grub2-set-default N with proper number for the new kernel"
30 | grub2-set-default 0
31 | 
32 | 


--------------------------------------------------------------------------------
/scripts/VTI_RM.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | ###################################################
 3 | # (c) EIS Group LTD, 2016                         #
 4 | # (License) GPL                                   #
 5 | # Donated to OpenSource by EIS Group, 2016.       #
 6 | # Authors: Alexei Roudnev , Andrey Saveliev       #
 7 | #                                                 #
 8 | #       open-source@eisgroup.com                  #
 9 | #  or   aprudnev@gmail.com                        #
10 | #  URL; http://eisgroup.com                       #
11 | ###################################################
12 | 
13 | #
14 | # Call this from current directory 
15 | #
16 | # IT wil create property files in WORK/<HOST.d/vti<N>.properties
17 | # Options:
18 | # -d <work directory>
19 | # -r <work directory for reverse tunnel>
20 | #
21 | 
22 | # Remove property files# 
23 | LIST=
24 | ask() {
25 | 	var=$1
26 | 	LIST="$LIST $var"
27 | 	default=$2
28 | 	echo "Enter $3"
29 | 	echo -n "$1= [$2]_"
30 | 	eval read X
31 | 	if [ "$X" = "" ]
32 | 	then
33 | 		eval $var='"$default"'
34 | 	else
35 | 		eval $var='"$X"'
36 | 	fi
37 | }
38 | HOST=`hostname -s`
39 | opt=1
40 | DIR=WORK/$HOST.d
41 | while [[ "$opt" != "0" ]]
42 | do
43 | case $1 in
44 | -d) 
45 | 	shift
46 | 	DIR=$1
47 | 	shift
48 | 	;;
49 | -r)
50 | 	shift
51 | 	RDIR=$1
52 | 	shift
53 | 	;;
54 | *)	opt=0
55 | 	;;
56 | esac
57 | done
58 | echo "WORK DIRECTORY is$DIR"
59 | if [[ "$RDIR" != "" ]]
60 | then
61 | 	echo "REVERSE WORK DIRECTORY is $RDIR"
62 | fi
63 | 
64 | for v in $*
65 | do
66 |  if [[ -f $DIR/$v.properties ]]
67 |  then
68 |     rm -f $DIR/$v.properties
69 |     echo "Removed $DIR/$v.properties"
70 |  fi
71 |  if [[ "$RDIR" != "" && -f $RDIR/$v.properties ]]
72 |  then
73 |     rm -f $RDIR/$v.properties
74 |     echo "Removed $RDIR/$v.properties"
75 |  fi
76 | done
77 | 
78 | 
79 | 
80 | 
81 | 	
82 | 	
83 | 
84 | 
85 | 
86 | 
87 | 


--------------------------------------------------------------------------------
/scripts/FILES.d/strongswan/restart_vti.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | ###################################################
 3 | # (c) EIS Group LTD, 2016                         #
 4 | # (License) GPL                                   #
 5 | # Donated to OpenSource by EIS Group, 2016.       #
 6 | # Authors: Alexei Roudnev , Andrey Saveliev       #
 7 | #                                                 #
 8 | #       open-source@eisgroup.com                  #
 9 | #  or   aprudnev@gmail.com                        #
10 | #  URL; http://eisgroup.com                       #
11 | ###################################################
12 | # Options - -
13 | # 1. Protection against frozen script
14 | # 
15 | list=`ps aux | grep swanctl | grep -v grep | awk '{print $2}'`
16 | if [[ "$list" != "" ]]
17 | then
18 | 	echo "Some swanctl processes running, we wait 20 seci then kill them"
19 | 	sleep 20
20 | 	kill -9 $list  > /dev/null 2>& 1
21 | 	sleep 1
22 | fi
23 | 
24 | # This script check connections which gave up
25 | # and restarts them
26 | # Additionally it restarts dead vti interfaces (it MAY happen sometimes)
27 | #
28 | for i in /etc/strongswan/vti.d/vti*.conf
29 | do
30 |  # set -x
31 |  conn=`grep '^conn ' $i | awk '{print $2}'`
32 |  echo -n "$conn... "
33 |  if ! swanctl -list-sas | grep -q $conn 
34 |  then
35 |     swanctl -i -c $conn  >> /tmp/restarts.log &
36 |     echo "Restarting"
37 |  else
38 |     if swanctl -list-sas | grep -q $conn
39 |     then
40 |     	vti=`echo $conn | sed 's/\..*$//'`
41 | 	ip=`ifconfig $vti | sed -n "s/^.*destination //p"`
42 | 	#
43 | 	# In case of AZURE, remote IP can be not pingable
44 | 	# So we compare RX stats in 10 seconds (or while ping try to send pings)
45 | 	# If RX is different == there is inbound traffic in interface == it is healthy
46 | 	# Else, if no RX traffic and no pings, restart
47 | 	before=`ifconfig $vti | grep RX`
48 | 	n=0
49 | 	if [[ "$ip" != "" ]]
50 | 	then
51 | 		n=`ping -r -n -c 5 -q $ip | grep received | awk '{print $4;}'`
52 | 	        if [[ "$n" = "" ]]
53 | 		then
54 | 			sleep 10
55 | 		fi
56 | 	else
57 | 		sleep 10
58 | 	fi
59 | 	after=`ifconfig $vti | grep RX`
60 |     	if [[ "$before" != "$after" ||  $n != "0" && $n != "" ]]
61 |     	then
62 |     		echo OK
63 |     	else
64 | 	(
65 | 		echo " OK but no vti, resetting... see /tmp/${vti}_up.log"
66 |                 echo `date` resetting $conn > /tmp/${vti}_up.log
67 | 		strongswan down $conn >> /tmp/${vti}_up.log 2>& 1
68 | 		sleep 2
69 | 		strongswan up $conn   >> /tmp/${vti}_up.log 2>& 1
70 | 		echo DONE $conn
71 | 	) &
72 | 	fi
73 |     else
74 | 	echo IN PROGRESS
75 |     fi
76 |  fi
77 | done
78 | wait
79 | 
80 | 
81 | 


--------------------------------------------------------------------------------
/scripts/README.txt:
--------------------------------------------------------------------------------
 1 | #
 2 | # (c) EIS Group LTD, 2016
 3 | # (License) GPL
 4 | # Donated to OpenSource by EIS Group, 2016.
 5 | # Authors: Alexei Roudnev , Sergey Saveliev
 6 | # 	
 7 | #       open-source@eisgroup.com
 8 | #  or   aprudnev@gmail.com
 9 | #
10 | # This is quick description of VTI management scripts.
11 | #
12 | This is VTI VPN router, compatible with AWS.
13 | 
14 | Layouts:
15 | 
16 |    WORK - work directory
17 | 
18 |    WORK/<host>.d/vtiN.properties - properti files for Available VTI
19 |    /etc/strongswan - main IPSEC system
20 |    /etc/sysconfig/<host>.properties - host properties
21 | 
22 | SYSTEM USAGE:
23 | 
24 | 1) SET UP system after cloning or initial setting by running
25 | 
26 |    ./INITIAL_SETUP.sh
27 |       (You wil have an option to install packages and/or to reset configuration of IPSEC
28 |         and router).
29 | 
30 | You may want, then, to manually edit /etc/quagga files.
31 | 
32 | 2) Prepare VTI. You have 2 ways
33 |    2.1. Parse AWS file. To do it
34 |     - copy AWS file into WORK directory, better with some meaning name like aws-lab20-1.txt
35 |     - parse it by running ./VTI_ADDAWS.sh [-d work-dir] <aws-file> [vti1 vti2]
36 |      (By default it will make available vti1 and vti2 but if they are used, you can specify
37 |      different names)
38 |    2.2. Manually, by running
39 |        ./VTI_ADD.sh [-d <work directory> [-r <directory for reverse tunnel>]
40 | 
41 |    (Both commands have options allowing to change work directory
42 | 
43 | 3) Review files (they wil be created in work directory as vtiN.properties)
44 | 
45 | 4) Then you can use VTI_OPS.sh to add|delete disable|enable tunnels and to check status.
46 |    ./VTI_OPS.sh [-e </etc>] [-d <DIR>] [-reload] [-nobgp] {-add|-delete|-enable|-disable} vti1 ...
47 |    ./VTI_OPS.sh [-e </etc>] p-d <dir>] -status|-list
48 | 
49 |  -e allows to specify differnt /etc
50 |  -reload enable automatic strongswan reload
51 |  -nobgp blocks changes in bgpd.conf even if bgp specified in properties
52 |  
53 | 
54 | You can enter VTI instedas of '(cd /usr/local/src; ./VTI_OPS.sh).
55 | 
56 | Normal procedure is:
57 | 
58 | - copy aws file into /usr/local/scripts/WORK, for example, lab20-aws-1.txt
59 | - Prepare vti
60 |    cd /usr/local/scripts && ./VTI_ADDAWS.sh WORK/lab20-aws-1.txt
61 | - Check files
62 |    cat WORK/`hostname -s`.d/vti*.properties
63 | - Add vti-s
64 |    VTI -list
65 |    VTI -add vti1
66 |    VTI -add vti2
67 |    VTI -list
68 | 
69 | - Enable this tunnels
70 |    VTI -enable vti1 vti2
71 | 
72 | - check results
73 |   VTI -status
74 | 
75 | You can disable tunnel
76 |   VTI -disable vti1
77 | 
78 | and enable it later
79 |   VTI -enable vti1
80 | 
81 | Normally, you do not need to restart strongswan and quagga (system reload them smoothly).
82 | 
83 | VTI is just alias for
84 | 
85 |  (cd /usr/local/scripts && ./VTI_OPS.sh)
86 | 
87 | refresh_scripts.sh allows to refresh system scripts from this copy in different place.
88 | update_kernel.sh should update old standard kernel into the strongswan-compatible version.
89 | 
90 | if you make parsing on teh different place (not /usr/local/scripts), then SYNC_AVAIL.sh script required to make parsed properties to be available for the VTI command.
91 | 
92 | 
93 | 
94 | 
95 |       
96 | 
97 | 


--------------------------------------------------------------------------------
/scripts/FILES.d/strongswan/ipsec-vti.sh:
--------------------------------------------------------------------------------
  1 | # AWS VPC Hardware VPN Strongswan updown Script
  2 | ###################################################
  3 | # (c) EIS Group LTD, 2016                         #
  4 | # (License) GPL                                   #
  5 | # Donated to OpenSource by EIS Group, 2016.       #
  6 | # Authors: Alexei Roudnev , Andrey Saveliev       #
  7 | #                                                 #
  8 | #       open-source@eisgroup.com                  #
  9 | #  or   aprudnev@gmail.com                        #
 10 | #  URL; http://eisgroup.com                       #
 11 | ###################################################
 12 | 
 13 | LOG=/tmp/vti-`echo ${PLUTO_CONNECTION} | sed 's/\..*$//'`.log
 14 | (
 15 | echo "*** `date` $0 $*"
 16 | set -x
 17 | #
 18 | # We use only part before . in CONN name to find out init file
 19 | #
 20 | NAME=`echo ${PLUTO_CONNECTION} | sed 's/\..*$//'`
 21 | if [[ -f /etc/strongswan/vti.d/${NAME}.init ]]
 22 | then
 23 | 	exist=1
 24 | 	. /etc/strongswan/vti.d/${NAME}.init 
 25 | else
 26 | 	exist=0
 27 | 	VTI_INTERFACE=$NAME
 28 | fi
 29 | if [ "$VTI_INTERFACE" == "" ]
 30 | then
 31 | 	echo "No $VTI_INTERFACE defined"
 32 | 	exit 1
 33 | fi
 34 | #    VTI_INTERFACE
 35 | #    VTI_LOCALADDR
 36 | #    VTI_REMOTEADDR
 37 | #    VTI_MTU 
 38 | #    VTI_UP= 
 39 | #    VTI_DOWN=
 40 | #    AWS_ID= 
 41 | if [ "$VTI_MTU" = "" ]
 42 | then
 43 |     VTI_MTU=1420
 44 | fi
 45 | 
 46 | if [ "$VTI_UP" = "" ]
 47 | then
 48 | 	VTI_UP="/etc/quagga/reset_vti.sh $NAME"
 49 | fi
 50 | 
 51 | if [ "$VTI_DOWN" = "" ]
 52 | then
 53 | 	VTI_DOWN=""
 54 | fi
 55 | 
 56 | #
 57 | # Usage Instructions:
 58 | # Add "install_routes = no" to /etc/strongswan/strongswan.d/charon.conf or /etc/strongswan.d/charon.conf
 59 | # Add "install_virtual_ip = no" to /etc/strongswan/strongswan.d/charon.conf or /etc/strongswan.d/charon.conf
 60 | # For Ubuntu: Add "leftupdown=/etc/strongswan.d/ipsec-vti.sh" to /etc/ipsec.conf
 61 | # For RHEL/Centos: Add "leftupdown=/etc/strongswan/ipsec-vti.sh" to /etc/strongswan/ipsec.conf
 62 | # For RHEL/Centos 6 and below: git clone git://git.kernel.org/pub/scm/linux/kernel/git/shemminger/iproute2.git && cd iproute2 && make && cp ./ip/ip /usr/local/sbin/ip
 63 | IP=$(which ip)
 64 | IPTABLES=$(which iptables)
 65 | 
 66 | PLUTO_MARK_OUT_ARR=(${PLUTO_MARK_OUT//// })
 67 | PLUTO_MARK_IN_ARR=(${PLUTO_MARK_IN//// })
 68 | echo "`date` ${PLUTO_VERB} $VTI_INTERFACE" >> /tmp/vtitrace.log
 69 | 
 70 | case "${PLUTO_VERB}" in
 71 |     up-client)
 72 |        	$IP tunnel add ${VTI_INTERFACE} mode vti local ${PLUTO_ME} remote ${PLUTO_PEER} okey ${PLUTO_MARK_OUT_ARR[0]} ikey ${PLUTO_MARK_IN_ARR[0]}
 73 |         sysctl -w net.ipv4.conf.${VTI_INTERFACE}.disable_policy=1
 74 | 	# We have many cases when we need this check to be disabled. SO we set up 0 not 2.
 75 | 	#sysctl -w net.ipv4.conf.${VTI_INTERFACE}.rp_filter=2 || sysctl -w net.ipv4.conf.${VTI_INTERFACE}.rp_filter=0
 76 | 	sysctl -w net.ipv4.conf.${VTI_INTERFACE}.rp_filter=0
 77 |         $IP addr add ${VTI_LOCALADDR} remote ${VTI_REMOTEADDR} dev ${VTI_INTERFACE}
 78 |         $IP link set ${VTI_INTERFACE} up mtu $VTI_MTU
 79 |         $IPTABLES -t mangle -I FORWARD -o ${VTI_INTERFACE} -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
 80 |         $IPTABLES -t mangle -I INPUT -p esp -s ${PLUTO_PEER} -d ${PLUTO_ME} -j MARK --set-xmark ${PLUTO_MARK_IN}
 81 |         $IP route flush table 220
 82 |         #
 83 |         eval $VTI_UP
 84 |         ;;
 85 |     down-client)
 86 | 	if [[ $exist == 0 ]]
 87 | 	then
 88 |         	$IP tunnel del ${VTI_INTERFACE}
 89 | 	else
 90 | 		echo $IP link set ${VTI_INTERFACE} down mtu $VTI_MTU	
 91 | 	fi       
 92 |  	$IPTABLES -t mangle -D FORWARD -o ${VTI_INTERFACE} -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
 93 |         $IPTABLES -t mangle -D INPUT -p esp -s ${PLUTO_PEER} -d ${PLUTO_ME} -j MARK --set-xmark ${PLUTO_MARK_IN}
 94 | 	#$IP route flush table 220
 95 | 	eval $VTI_DOWN
 96 |         ;;
 97 | esac
 98 | 
 99 | # Enable IPv4 forwarding
100 | sysctl -w net.ipv4.ip_forward=1
101 | sysctl -w net.ipv4.conf.eth0.disable_xfrm=1
102 | sysctl -w net.ipv4.conf.eth0.disable_policy=1
103 | date
104 | ) > $LOG 2>& 1
105 | 


--------------------------------------------------------------------------------
/scripts/VTI_ADDAWS.sh:
--------------------------------------------------------------------------------
  1 | #!/bin/bash
  2 | ###################################################
  3 | # (c) EIS Group LTD, 2016                         #
  4 | # (License) GPL                                   #
  5 | # Donated to OpenSource by EIS Group, 2016.       #
  6 | # Authors: Alexei Roudnev , Andrey Saveliev       #
  7 | #                                                 #
  8 | #       open-source@eisgroup.com                  #
  9 | #  or   aprudnev@gmail.com                        #
 10 | #  URL; http://eisgroup.com                       #
 11 | ###################################################
 12 | 
 13 | #
 14 | # Call this from current directory 
 15 | #
 16 | # IT wil create property files in WORK/<HOST.d/vti<N>.properties or in $DIR/vti<N>.properties
 17 | #  Default is WORK/<hostname>.d (will be /etc/sysconfig later)
 18 | #
 19 | 
 20 | exec 2>&1
 21 | 
 22 | error() {
 23 |     echo "$@" >&2
 24 |     exit 1
 25 | }
 26 | 
 27 | HOST=`hostname -s`
 28 | opt=1
 29 | enforce=0
 30 | DIR=WORK/$HOST.d
 31 | while [[ "$opt" != "0" ]]
 32 | do
 33 | case $1 in
 34 | -d) 
 35 | 	shift
 36 | 	DIR=$1
 37 | 	shift
 38 | 	;;
 39 | -f)
 40 | 	enforce=1
 41 | 	shift
 42 | 	;;
 43 | *)	opt=0
 44 | 	;;
 45 | esac
 46 | done
 47 | 
 48 | echo "Using directory $DIR - you can change it by -d <dir> option"
 49 | [ -z "$1" ] && error "Usage: $0 [-d directory] [-f] <generic-config-file-from-amazon.txt> [vti1 [vti2]]"
 50 | [ -r "$1" ] || error "Could not read VPN config file $1."
 51 | 
 52 | #
 53 | # Options after and including ID are optional (but must exist in aws file).
 54 | #
 55 | VTI1_LIST="VTI1 VTI1_MTU VTI1_OIP_LOCAL VTI1_OIP_REMOTE LOCAL_GW VTI1_IIP_LOCAL VTI1_IIP_REMOTE VTI1_PSK VTI1_MARK ID AWS_ID VTI1_BGP_LOCAL_AS VTI1_BGP_REMOTE_AS VTI1_BGP_LOCAL_IP VTI1_BGP_REMOTE_IP"
 56 | 
 57 | VTI2_LIST="VTI2 VTI2_MTU VTI2_OIP_LOCAL VTI2_OIP_REMOTE LOCAL_GW VTI2_IIP_LOCAL VTI2_IIP_REMOTE VTI2_PSK VTI2_MARK ID AWS_ID VTI2_BGP_LOCAL_AS VTI2_BGP_REMOTE_AS VTI2_BGP_LOCAL_IP VTI2_BGP_REMOTE_IP"
 58 | VAR_LIST="$VTI1_LIST $VTI2_LIST"
 59 | 
 60 | 
 61 | # Local WAN interface
 62 | LAN_INT="eth0"
 63 | WAN_INT="eth1"
 64 | 
 65 | # 
 66 | ID=`basename $1 .txt`
 67 |  
 68 | VTI1="vti1"
 69 | VTI2="vti2"
 70 | 	
 71 | # VTI2 can be empty, it means that we do not generate it at all.
 72 | if [ "$2" != "" ]
 73 | then
 74 | VTI1=$2
 75 | VTI2=$3
 76 | fi
 77 | 
 78 | #
 79 | # PARSER of AWS config file
 80 | #
 81 | VTI1_OIP_LOCAL=$(cat $1 |grep -m 1 "\- Customer Gateway" | tail -1 | awk '{print $5}')
 82 | VTI1_OIP_REMOTE=$(cat $1 |grep -m 1 "\- Virtual Private Gateway" | tail -1 | awk '{print $6}')
 83 | VTI1_IIP_LOCAL=$(cat $1 |grep -m 2 "\- Customer Gateway" | tail -1 | awk '{print $5}')
 84 | VTI1_IIP_REMOTE=$(cat $1 |grep -m 2 "\- Virtual Private Gateway" | tail -1 | awk '{print $6}')
 85 | VTI2_OIP_LOCAL=$(cat $1 |grep -m 4 "\- Customer Gateway" | tail -1  | awk '{print $5}')
 86 | VTI2_OIP_REMOTE=$(cat $1 |grep -m 3 "\- Virtual Private Gateway" | tail -1 | awk '{print $6}')
 87 | VTI2_IIP_LOCAL=$(cat $1 |grep -m 5 "\- Customer Gateway" | tail -1 | awk '{print $5}')
 88 | VTI2_IIP_REMOTE=$(cat $1 |grep -m 4 "\- Virtual Private Gateway" | tail -1 | awk '{print $6}')
 89 | VTI1_PSK=$(cat $1 | grep  -m 1 "\- Pre-Shared Key" | tail -1 | awk '{print $5}')
 90 | VTI2_PSK=$(cat $1 | grep  -m 2 "\- Pre-Shared Key" | tail -1 | awk '{print $5}')
 91 | VTI1_BGP_LOCAL_AS=$(cat $1 | grep -m 1 'Customer Gateway ASN' | tail -1 |  awk '{print $6}')
 92 | VTI1_BGP_REMOTE_AS=$(cat $1 | grep -m 1 'Virtual Private  Gateway ASN' | tail -1 |  awk '{print $7}')
 93 | VTI2_BGP_LOCAL_AS=$(cat $1 | grep -m 2 'Customer Gateway ASN' | tail -1 |  awk '{print $6}')
 94 | VTI2_BGP_REMOTE_AS=$(cat $1 | grep -m 2 'Virtual Private  Gateway ASN' | tail -1 |  awk '{print $7}')
 95 | VTI1_BGP_REMOTE_IP=$(cat $1 | grep -m 1 "Neighbor IP Address" | tail -1 | awk '{print $6}')
 96 | VTI2_BGP_REMOTE_IP=$(cat $1 | grep -m 2 "Neighbor IP Address" | tail -1 | awk '{print $6}')
 97 | # For easier reverse BGP configuration just in case
 98 | VTI1_BGP_LOCAL_IP=$VTI1_IIP_LOCAL
 99 | VTI2_BGP_LOCAL_IP=$VTI2_IIP_LOCAL
100 | 
101 | AWS_ID=$(cat $1 | grep 'Your VPN Connection ID' | awk '{print $6}')
102 | LOCAL_GW=`echo $VTI1_OIP_LOCAL | sed 's/[^.]*$/1/'`
103 | VTI1_MTU=1420
104 | VTI2_MTU=1420
105 | #VTI1_MARK=`echo $VTI1 | sed 's/^vti//;s/$/00/'`
106 | #VTI2_MARK=`echo $VTI2 | sed 's/^vti//;s/$/00/'`
107 | VTI1_MARK_DEC=`echo $VTI1 | sed 's/^vti//;s/$/0/'`
108 | VTI2_MARK_DEC=`echo $VTI2 | sed 's/^vti//;s/$/0/'`
109 | VTI1_MARK=`bc <<< "obase=8; $VTI1_MARK_DEC"`
110 | VTI2_MARK=`bc <<< "obase=8; $VTI2_MARK_DEC"`
111 | 
112 | # Check weather we got all the values
113 | if [ "$VTI2" != "" ]
114 | then
115 | 	list="$VAR_LIST $VTI2_LIST"
116 | else
117 | 	list=$VTI1_LIST
118 | fi
119 | #
120 | for i in $list
121 | do
122 | eval "[ -z \"\$$i\" ]		&& error \"Could not extract $i from \$1.\""
123 | done
124 | 
125 | mkdir -p $DIR
126 | if [[ -f $DIR/$VTI1.properties && ! "$enforce" = "1" ]]
127 | then
128 |     echo "$VTI1 already exists in $DIR, 
129 |     rm $DIR/$VTI1.properties , use -f option,  or specify another vti"
130 |     echo "Aborted"
131 |     exit 1
132 | fi
133 | if grep '"'$VTI1_IIP_LOCAL'"' $DIR/*.properties
134 | then
135 | 	if [[ "$enforce" != "1" ]]
136 | 	then
137 | 		echo "Duplicated IP address $VTI1_IIP_LOCAL found, aborted. You can use -f to override it"
138 | 		exit 1
139 | 	else
140 | 		echo "Warning: $VTI1_IIP_LOCAL address duplicated.. we continue on your own risk..."
141 | 		sleep 2
142 | 	fi
143 | fi
144 | if grep '"'$VTI2_IIP_LOCAL'"' $DIR/*.properties
145 | then
146 | 	if [[ "$enforce" != "1" ]]
147 | 	then
148 | 		echo "Duplicated IP address $VTI2_IIP_LOCAL found, aborted. You can use -f to override it"
149 | 		exit 1
150 | 	else
151 | 		echo "Warning: $VTI2_IIP_LOCAL address duplicated.. we continue on your own risk..."
152 | 		sleep 2
153 | 	fi
154 | fi
155 | 
156 | 
157 | id=$ID
158 | #
159 | ID="${id}_GW1"
160 | echo "### Generated `date`" > $DIR/$VTI1.properties
161 | for i in $VTI1_LIST
162 | do
163 | if [ "$i" = "ID" ]
164 | then
165 |  echo "#### OPTIONAL " >> $DIR/$VTI1.properties
166 | fi
167 | j=`echo $i | sed 's/VTI[12]/VTI/'`
168 | eval 'echo '$j'=\"$'$i'\"' >> $DIR/$VTI1.properties
169 | done
170 | echo "Created $DIR/$VTI1.properties"
171 | 
172 | if [ "$VTI2" == "" ]
173 | then
174 | 	echo "no vti2 requested, skipping second VPN"
175 | 	exit 0
176 | fi
177 | if [[ -f $DIR/$VTI2.properties && ! "$enforce" = "1" ]]
178 | then
179 |   	echo "$VTI2 alredy exists in $DIR, 
180 |         rm $DIR/$VTI2.properties , add -f option, or specify another vti"
181 |    	echo "Aborted"
182 |  	exit 1
183 | fi
184 | 
185 | ID="${id}_GW2"
186 | echo "### Generated `date`" > $DIR/$VTI2.properties
187 | 
188 | for i in $VTI2_LIST
189 | do
190 | if [ "$i" = "ID" ]
191 | then
192 |  echo "#### OPTIONAL " >> $DIR/$VTI2.properties
193 | fi
194 | j=`echo $i | sed 's/^VTI[12]/VTI/'`
195 | eval 'echo '$j'=\"$'$i'\"' >> $DIR/$VTI2.properties
196 | done
197 | echo "Created $DIR/$VTI2.properties"
198 | 
199 | 
200 | 
201 | 


--------------------------------------------------------------------------------
/scripts/VTI_ADD.sh:
--------------------------------------------------------------------------------
  1 | #!/bin/bash
  2 | ###################################################
  3 | # (c) EIS Group LTD, 2016                         #
  4 | # (License) GPL                                   #
  5 | # Donated to OpenSource by EIS Group, 2016.       #
  6 | # Authors: Alexei Roudnev , Andrey Saveliev       #
  7 | #                                                 #
  8 | #       open-source@eisgroup.com                  #
  9 | #  or   aprudnev@gmail.com                        #
 10 | #  URL; http://eisgroup.com                       #
 11 | ###################################################
 12 | 
 13 | #
 14 | # Call this from current directory 
 15 | #
 16 | # IT wil create property files in WORK/<HOST.d/vti<N>.properties
 17 | # Options:
 18 | # -d <work directory>
 19 | # -r <work directory for reverse tunnel>
 20 | #
 21 | 
 22 | # Manually enter parameters
 23 | # 
 24 | LIST=
 25 | ask() {
 26 | 	var=$1
 27 | 	LIST="$LIST $var"
 28 | 	default=$2
 29 | 	echo "Enter $3"
 30 | 	echo -n "$1= [$2]_"
 31 | 	eval read X
 32 | 	if [ "$X" = "" ]
 33 | 	then
 34 | 		eval $var='"$default"'
 35 | 	else if [ "$X" = "#" ]
 36 | 	     then
 37 | 	     	eval $var='""'
 38 | 	     else
 39 | 		eval $var='"$X"'
 40 | 	     fi
 41 | 	fi
 42 | }
 43 | HOST=`hostname -s`
 44 | opt=1
 45 | DIR=WORK/$HOST.d
 46 | while [[ "$opt" != "0" ]]
 47 | do
 48 | case $1 in
 49 | -d) 
 50 | 	shift
 51 | 	DIR=$1
 52 | 	shift
 53 | 	;;
 54 | -r)
 55 | 	shift
 56 | 	RDIR=$1
 57 | 	shift
 58 | 	;;
 59 | "")	opt=0
 60 | 	;;
 61 | *)
 62 | 	echo "Usage: $0 [-d directory] [-r reverse-directory]"
 63 | 	exit 1
 64 | 	;;
 65 | esac
 66 | done
 67 | echo "Results will be in $DIR"
 68 | if [[ "$RDIR" != "" ]]
 69 | then
 70 | 	echo "Results for other end in $RDIR"
 71 | fi
 72 | 
 73 | 
 74 | # Let's find free vti
 75 | i=0
 76 | 
 77 | while (( ++i ))
 78 | do
 79 |    if [ ! -f $DIR/vti$i.properties ]
 80 |    then
 81 |        break
 82 |    fi
 83 | done
 84 | 
 85 | ask ID "" "Connection name, will be added to connection name in IPSEC
 86 | Recommended format: local-gw_remote-gw"
 87 | ask N $i "Interface number (1 - 99)"
 88 | VTI="vti$N"
 89 | # RESET var list as we do not need N here
 90 | LIST="ID VTI"
 91 | 
 92 | ask VTI_MTU 1420 "MTU of this VTI"
 93 | # Find local IPADDR
 94 | IP=`sed -n 's/^IPADDR=//p' /etc/sysconfig/network-scripts/ifcfg-eth1`
 95 | ask VTI_OIP_LOCAL "$IP" "OUTSIDE IP of tunnel, local"
 96 | 
 97 | #
 98 | ask VTI_OIP_REMOTE "" "OUTSIDE IP of tunnel, remote (no default)"
 99 | #
100 | GW=`echo $VTI_OIP_LOCAL | sed 's/[^.]*$/1/'`
101 | ask LOCAL_GW $GW "Default gateway for $VTI_OIP_REMOTE on local gateway"
102 | 
103 | if [[ "$RDIR" != "" ]]
104 | then
105 | GW=`echo $VTI_OIP_REMOTE | sed 's/[^.]*$/1/'`
106 | ask REMOTE_GW $GW "Default gateway for $VTI_OIP_LOCAL on remote gateway"
107 | fi
108 | 
109 | ask VTI_IIP_LOCAL "" "Inside IP of tunnel, local, without /"
110 | VTI_IIP_LOCAL="$VTI_IIP_LOCAL"
111 | 
112 | ask VTI_IIP_REMOTE "" "Inside IP of tunnel, remote, without /"
113 | VTI_IIP_REMOTE="$VTI_IIP_REMOTE"
114 | 
115 | ask VTI_IIP_PREFIX "/30" "Netmask prefix with / (/30 means 255.255.255.252, and so on)"
116 | #
117 | ask VTI_PSK "" "Shared Secret"
118 | #
119 | VTI_MARK=`echo $VTI | sed 's/^vti//;s/$/0/'`
120 | VTI_MARK=`bc <<< "obase=8; $VTI_MARK"`
121 | ask VTI_MARK "$VTI_MARK" "MARK for this VTI, must be different on different VTI"
122 | 
123 | #
124 | ask VTI_PROVIDER ""                     "Enter provider - AZURE, AWS - for pre-configured settings. Enter to use defaults"
125 | case "$VTI_PROVIDER" in 
126 | AZURE)	
127 | 	VTI_O1="ike=aes256-sha1-modp1024"
128 |         VTI_O2="esp=aes128-sha1,aes256-sha1!"
129 |         VTI_O3="keyexchange=ike"
130 |         VTI_O4="ikelifetime=10800s"
131 |         VTI_O5="keylife=3600s"
132 |  	VTI_O6="keyingtries=%forever"
133 | 
134 | 
135 | 	VTI_BGP1="route-map from_azure in"
136 | 	VTI_BGP2="ebgp-multihop"
137 | 	echo " Added
138 | 	VTI_O1=$VTI_O1
139 | 	VTI_O2=$VTI_O2
140 | 	VTI_O3=$VTI_O3
141 | 	VTI_O4=$VTI_O4
142 | 	VTI_O5=$VTI_O5
143 | 	VTI_O6=$VTI_O6
144 | 	VTI_BGP1=$VTI_BGP1
145 | 	VTI_BGP2=$VTI_BGP2
146 | 	
147 | 	You can change them later or ADD extra options."
148 | 	;;
149 | AWS)    VTI_BGP1="route-map from_aws in"
150 | 	VTI_O1="keyingtries=%forever"
151 | 		echo " Added
152 | 		VTI_O1=$VTI_O1
153 | 		VTI_BGP1=$VTI_BGP1
154 | 		
155 | 		You can change them later"
156 | 
157 | 	;;
158 | "")	VTI_O1="keyingtries=%forever"
159 | 	;;
160 | *)	echo "Unknown provider $VTI_PROVIDER, skipped"
161 | 	;;
162 | esac
163 | #
164 | echo "You can add up to 5 connection options in format key=value . No syntax check here."
165 | #
166 | ask VTI_O1 "$VTI_O1" 	 		 "Option 1. Enter # to skip"
167 | ask VTI_O2 "$VTI_O2"                     "Option 2. Enter # to skip"
168 | ask VTI_O3 "$VTI_O3"                     "Option 3. Enter # to skip"
169 | ask VTI_O4 "$VTI_O4"                     "Option 4. Enter # to skip"
170 | ask VTI_O5 "$VTI_O5"                     "Option 5. Enter # to skip"
171 | ask VTI_O6 "$VTI_O6"                     "Option 6. Enter # to skip"
172 | 
173 | 
174 | echo "Now enter BGP information if we use it"
175 | ask VTI_BGP_REMOTE_AS "" "Enter AS of remote neighbor (ENTER if no BGP)"
176 | if [ "$VTI_BGP_REMOTE_AS" != "" ]
177 | then
178 | 	ask VTI_BGP_LOCAL_AS  "" "Enter AS of our system"
179 | 	ask VTI_BGP_REMOTE_IP "$VTI_IIP_REMOTE" "Enter IP of neighbor"
180 | 	ask VTI_BGP_LOCAL_IP  "$VTI_IIP_LOCAL" "Enter local IP for BGP"
181 | 	#
182 | 	#
183 | 	#
184 | 	echo "You can add up to 5 bgp options  here (they added with neighbor $VTI_BGP_REMOTE_IP). No syntax check here."
185 | 	#
186 | 	ask VTI_BGP1 "$VTI_BGP1" 	 	     "neighbor $VTI_BGP_REMOTE_IP Option 1. Enter # to skip"
187 | 	ask VTI_BGP2 "$VTI_BGP2"                     "neighbor $VTI_BGP_REMOTE_IP Option 2. Enter # to skip"
188 | 	ask VTI_BGP3 "$VTI_BGP3"                     "neighbor $VTI_BGP_REMOTE_IP Option 3. Enter # to skip"
189 | 	ask VTI_BGP4 "$VTI_BGP4"                     "neighbor $VTI_BGP_REMOTE_IP Option 4. Enter # to skip"
190 | 	ask VTI_BGP5 "$VTI_BGP5"                     "neighbor $VTI_BGP_REMOTE_IP Option 5. Enter # to skip"
191 | fi
192 | 
193 | #
194 | # Now add netmasks
195 | #
196 | VTI_IIP_LOCAL="$VTI_IIP_LOCAL$VTI_IIP_PREFIX"
197 | VTI_IIP_REMOTE="$VTI_IIP_REMOTE$VTI_IIP_PREFIX"
198 | echo "We adjusted addresses as VTI_IIP_LOCAL=$VTI_IIP_LOCAL and VTI_IIP_REMOTE=$VTI_IIP_REMOTE"
199 | #
200 | #
201 | # Create REVERSE properties if requested, first, so we can abort if number is used
202 | #
203 | if [[ "$RDIR" != "" ]]
204 | then
205 | 	mkdir -p $RDIR
206 | 	if [[ -f $RDIR/$VTI.properties ]]
207 | 	then
208 | 		echo "File $RDIR/$VTI.properties already exists, can not rewrite it. Aborting"
209 | 		exit 1
210 | 	fi
211 | 	echo "### MANUALLY CREATED `date`" > $RDIR/$VTI.properties
212 | 	for i in $LIST
213 | 	do
214 | 		j=`echo $i | sed 's/LOCAL/LCL/;s/REMOTE/LOCAL/;s/LCL/REMOTE/'`
215 | 		eval 'echo '$j'=\"$'$i'\"' >> $RDIR/$VTI.properties
216 | 	done
217 | 	echo "Created REVERSE properties $RDIR/$VTI.properties"
218 | 	cat $RDIR/$VTI.properties
219 | fi
220 | 
221 | mkdir -p $DIR
222 | echo "### MANUALLY CREATED `date`" > $DIR/$VTI.properties
223 | for i in $LIST
224 | do
225 | eval 'echo '$i'=\"$'$i'\"' >> $DIR/$VTI.properties
226 | done
227 | echo "Created $DIR/$VTI.properties"
228 | cat $DIR/$VTI.properties
229 | 
230 | 	
231 | 	
232 | 
233 | 
234 | 
235 | 
236 | 


--------------------------------------------------------------------------------
/scripts/VTI_OPS.sh:
--------------------------------------------------------------------------------
  1 | #!/bin/bash
  2 | ###################################################
  3 | # (c) EIS Group LTD, 2016                         #
  4 | # (License) GPL                                   #
  5 | # Donated to OpenSource by EIS Group, 2016.       #
  6 | # Authors: Alexei Roudnev , Andrey Saveliev       #
  7 | #                                                 #
  8 | #       open-source@eisgroup.com                  #
  9 | #  or   aprudnev@gmail.com                        #
 10 | #  URL; http://eisgroup.com                       #
 11 | ###################################################
 12 | 
 13 | # 
 14 | # Add / delete / enable / disablei VTI
 15 | #
 16 | # usage - $0 [-e etc] [-d directory] [-reload] {-status|-list|-add|-delete|-enable|-disable} LIST 
 17 | #
 18 | # ENABLE | DISABLE - we move vtiN.conf from/to /etc/strongswan/vti.d/.DISABLED
 19 | # ADD|DELETE - we create or update config files.
 20 | # -e - where /etc is (default /etc)
 21 | # -d - where directory with properties is (default WORK/<hostname>.d
 22 | # -reload - reload strongswan after operation
 23 | # -nobgp - do not generate record in bgpd.conf
 24 | #
 25 | error() {
 26 | 	echo "$*"
 27 | 	echo "Usage: $0 [-e </etc>] [-d <DIR>] [-noreload] [-nobgp] {-add|-delete|-enable|-disable} vti1 ...
 28 |    $0 [-e </etc>] p-d <dir>] -status|-list [vtiN]"
 29 | 	exit 1
 30 | }
 31 | 
 32 | ETC=/etc
 33 | HOST=`hostname -s`
 34 | DIR=WORK/$HOST.d
 35 | OP=
 36 | QUIET=
 37 | #
 38 | nosrv=0
 39 | nobgp=0
 40 | 
 41 | while [[ "$OP" == "" ]]
 42 | do
 43 | case $1 in
 44 | -e) 
 45 | 	shift
 46 | 	ETC=$1
 47 | 	shift
 48 | 	;;
 49 | -d)
 50 | 	shift
 51 | 	DIR=$1
 52 | 	shift
 53 | 	;;
 54 | -noreload)	
 55 | 	nosrv=1
 56 | 	shift
 57 | 	;;
 58 | -nobgp)
 59 | 	nobgp=1
 60 | 	shift
 61 | 	;;
 62 | -add|-delete|-enable|-disable|-list|-status)
 63 | 	OP=$1
 64 | 	shift
 65 | 	;;
 66 | *)
 67 | 	error "Unknown option $1"
 68 | 	;;
 69 | esac
 70 | done
 71 | VDIR=$ETC/strongswan/vti.d
 72 | 
 73 | #
 74 | # Verify directories
 75 | #
 76 | test -d $ETC/quagga || error "Error: No $ETC/quagga directory"
 77 | test -d $ETC/strongswan/vti.d || error "No $ETC/strongswan/vti.d directory"
 78 | test -d $DIR || mkdir -p $DIR
 79 | #
 80 | if [[ -f $ETC/sysconfig/$HOST.properties ]]
 81 | then
 82 | 	. $ETC/sysconfig/$HOST.properties
 83 | else
 84 | 	echo "Warning: no $ETC/sysconfig/$HOST.properties file"
 85 | 	echo "It is created when you run INITIAL_SETUP.sh script"
 86 | 	echo "Not a problem but we can not verify some information"
 87 | fi
 88 | #
 89 | cnt=0
 90 | case $OP in
 91 | -list)
 92 | 	echo "Active: `cd $VDIR && echo *.conf | sed 's/.conf//g'`" 
 93 | 	echo "Disabled: `cd $VDIR/.DISABLED && echo *.conf | sed 's/.conf//g'`" 
 94 | 	echo "Available: `cd $DIR && echo *.properties | sed 's/.properties//g'`"
 95 | 	exit 0
 96 | 	;;
 97 | -status)
 98 | 	if [ "$1" != "" ]
 99 | 	then
100 | 		for v in $*
101 | 		do
102 | 		(
103 | 	        swanctl -list-sas;
104 |         	ifconfig | grep vti
105 |         	netstat -rn | grep vti
106 | 		) | grep $v
107 | 		done
108 | 	else
109 | 		swanctl -list-sas;
110 | 		ifconfig | grep vti
111 | 		netstat -rn | grep vti
112 | 	fi
113 | 	exit 0
114 | 	;;
115 | -disable)
116 | 	for i in $*
117 | 	do
118 | 		if [[ -f $VDIR/$i.conf ]]
119 | 		then
120 | 			conn=`grep '^conn' $VDIR/$i.conf | awk '{print $2}'`
121 | 			mkdir -p $VDIR/.DISABLED
122 | 			mv -f $VDIR/$i.conf $VDIR/.DISABLED
123 | 			strongswan update
124 | 			sleep 5
125 | 			strongswan down $conn
126 | 			ifconfig $i down
127 | 			echo $i disabled
128 | 			(( cnt++ ))
129 | 		else
130 | 			echo "$i not active so can not disable"
131 | 		fi
132 | 	done
133 | 	;;
134 | -enable)
135 | 	for i in $*
136 | 	do
137 | 		if [[ -f $VDIR/.DISABLED/$i.conf ]]
138 | 		then
139 | 			mv -f $VDIR/.DISABLED/$i.conf $VDIR/
140 | 			echo $i enabled
141 | 			strongswan update
142 | 			sleep 5
143 | 			conn=`grep '^conn' $VDIR/$i.conf | awk '{print $2}'`
144 | 			strongswan down $conn
145 | 			sleep 2	
146 | 			strongswan up $conn
147 | 			(( cnt++ ))
148 | 		else
149 | 			echo "$i not disabled so can not enable"
150 | 		fi	
151 | 	done
152 | 	;;
153 | -add)
154 | 	#
155 | 	# Check all interfaces. We do not want to run partial operations
156 | 	#
157 | 	for v in $*
158 | 	do
159 |    	    test -r $DIR/$v.properties || error "Error: no $DIR/$v.properties; use VTI_ADD.sh or VTI_ADDAWS.sh to create it"
160 | 	    test -f $VDIR/$v.conf && error "$VDIR/$v.conf exists, delete $v first"
161 | 	    test -f $VDIR/.DISABLED/$v.conf && error "$VDIR/.DISABLED/$v.conf exists, delete $v first"
162 | 	done
163 | 	for v in $*
164 | 	do
165 | 	(
166 | 	    . $DIR/$v.properties || error "Can not read properties $DIR/$v.properties"
167 | 	    rsync -a $DIR/$v.properties ~/scripts/WORK/`hostname -s`.d/.
168 | 	    if [[ "$LOCAL_GW" == "" && "$EXT_GW" != "" ]]
169 | 	    then
170 | 		LOCAL_GW=$EXT_GW
171 | 	        echo "Used $EXT_GW as LOCAL_GW"
172 | 	    fi
173 | 	    for i in VTI_OIP_LOCAL VTI_OIP_REMOTE VTI_PSK VTI_IIP_LOCAL VTI_IIP_REMOTE LOCAL_GW
174 | 	    do
175 | 		eval "[ -z \"\$$i\" ]		&& error \"Could not extract $i from \$DIR/$v.properties.\""
176 | 	    done
177 | 	    conn=$v
178 | 	    if [[ "$ID" != "" ]]
179 | 	    then
180 |                 conn=$v.$ID
181 |             fi
182 | 	    echo "1. Creating $VDIR/$v.init, $v.secret, $v.conf"
183 | 	    cat > $VDIR/$v.init <<EOF
184 | # Created `date`
185 | # $ID
186 | # $AWS_ID
187 | VTI_INTERFACE=$v
188 | VTI_LOCALADDR=$VTI_IIP_LOCAL
189 | VTI_REMOTEADDR=$VTI_IIP_REMOTE
190 | VTI_MTU=$VTI_MTU
191 | VTI_UP="/etc/quagga/reset_vti.sh $v"
192 | VTI_DOWN="/etc/quagga/reset_vti.sh $v"
193 | EOF
194 | 	echo "$VTI_OIP_LOCAL $VTI_OIP_REMOTE : PSK $VTI_PSK" > $VDIR/$v.secrets
195 | 	cat > $VDIR/.DISABLED/$v.conf <<EOF
196 | #BEGIN:$v
197 | conn $conn
198 |         left=$VTI_OIP_LOCAL
199 |         right=$VTI_OIP_REMOTE
200 |         auto=start
201 |         mark=$VTI_MARK
202 | 	forceencaps=yes
203 | 	$VTI_O1
204 |         $VTI_O2
205 | 	$VTI_O3
206 | 	$VTI_O4
207 | 	$VTI_O5
208 | 	$VTI_O6
209 | #END:$v
210 | EOF
211 | 	
212 | 	#
213 | 	# 2. Add external routing
214 |         #
215 | 	echo "quagga: Adding ip route $VTI_OIP_REMOTE/32 $LOCAL_GW"
216 |         vtysh <<EOF
217 | 	conf t
218 | 		ip route $VTI_OIP_REMOTE/32 $LOCAL_GW
219 | 		exit
220 | 	write mem
221 | EOF
222 | 	#
223 | 	# Adding record into bgpd.conf IF BGP is specified.
224 | 	#
225 | 	if [[ "$VTI_BGP_REMOTE_AS" != "" && "$nobgp" != "1" ]]
226 | 	then
227 | 		bgp=`grep -i 'router bgp' $ETC/quagga/bgpd.conf | head -1 | awk '{print $3}'`
228 | 		if [[ "$bgp" != "" && "$bgp" != "$VTI_BGP_LOCAL_AS" ]]
229 | 		then
230 | 			echo "Attention - different BGP as numbers, $bgp != $VTI_BGP_LOCAL_AS"
231 |                 fi
232 |                 bo=""
233 | 		echo "quagga: Adding neighbor $VTI_BGP_REMOTE_IP remote-as $VTI_BGP_REMOTE_AS route map from_aws"
234 | 		( cat <<EOF
235 | 		conf t
236 | 			router bgp $bgp
237 | 				neighbor $VTI_BGP_REMOTE_IP remote-as $VTI_BGP_REMOTE_AS
238 | 				neighbor $VTI_BGP_REMOTE_IP local-as $VTI_BGP_LOCAL_AS
239 | EOF
240 | 		for bo in "$VTI_BGP1" "$VTI_BGP2" "$VTI_BGP3" "$VTI_BGP4" "$VTI_BGP5"
241 | 		do
242 | 			if [[ "$bo" != "" ]]
243 | 			then
244 | 				echo "	neighbor $VTI_BGP_REMOTE_IP $bo"
245 | 			fi
246 | 		done
247 | 		cat <<EOF
248 | 				exit
249 | 			exit
250 | 		write mem
251 | EOF
252 | 		) | vtysh
253 | 	fi
254 | 	# end BGP
255 | 	strongswan rereadall
256 | 	echo "***INFO: $v created as DISABLED, run $0 -enable $v to activate"
257 | 	echo "***INFO: You may wish to edit $VDIR/$v.init and $VDIR/.DISABLED/$v.conf first"
258 |     )
259 |     done
260 |     ;;
261 | -delete)
262 | 	for v in $*
263 | 	do
264 | 	(
265 | 	    if [[ -f $VDIR/$v.conf ]]
266 |             then
267 | 	        echo "***ERROR: $v active. DISABLE IT FIRST."
268 | 		continue
269 | 	    fi
270 | 	    . $DIR/$v.properties
271 | 	    rm -f  $VDIR/$v.secrets $VDIR/$v.conf $VDIR/.DISABLED/$v.conf $VDIR/$v.conf
272 | 	    vtysh <<EOF
273 | 	    conf t
274 | 	    	no ip route $VTI_OIP_REMOTE/32 $LOCAL_GW
275 | 	    	exit
276 | 	    write mem
277 | EOF
278 | 	    if [[ "$VTI_BGP_REMOTE_AS" != "" && "$nobgp" != "1"  ]]
279 | 	    then
280 |          	bgp=`grep -i 'router bgp' $ETC/quagga/bgpd.conf | head -1 | awk '{print $3}'`
281 | 	        vtysh <<EOF
282 | 		conf t
283 | 			router bgp $bgp
284 | 				no neighbor $VTI_BGP_REMOTE_IP remote-as $VTI_BGP_REMOTE_AS
285 | 				no neighbor $VTI_BGP_REMOTE_IP local-as $VTI_BGP_LOCAL_AS
286 | 				exit
287 |                 	exit
288 | 		write mem
289 | EOF
290 | 	    ip tunnel del $v
291 | 	    fi
292 | 	)
293 |         done
294 |         cnt=1
295 | 	;;
296 | *)
297 | 	error "Unknown command $OP"
298 | 	;;
299 | esac
300 | if [[ $cnt != 0 ]]
301 | then
302 |     if [[ $nosrv != 1 ]]
303 |     then
304 | 	strongswan rereadsecrets
305 | 	sleep 4
306 |         strongswan update
307 | 	#systemctl force-reload strongswan
308 |     else
309 | 	echo "Check new config and run 
310 | 	strongswan rereadsecrets
311 | 	strongswan update
312 | 	# systemctl force-reload strongswan"
313 |     fi
314 | else
315 |     echo "No changes"
316 | fi
317 | 
318 | 
319 | 
320 | 
321 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | # Project Title
  2 | 
  3 | VTI IPSEC router with AWS and AZURE compatibility
  4 | 
  5 | ## Getting Started
  6 | This is linux router, compatible with Azure and AWS IPSEC VPN's. 
  7 | 
  8 | See DOCS directory, 'Introduction' document. In short, this is Virtual Appliance 
  9 | (but we post scripts separately so you can recreate it) which works as a router,
 10 | is compatible with IPSEC variant used in both, AWS (Amazon Web Services cloud) and Azure (Microsoft cloud service, for Route based VPN), and called VTI (Virtual Tunnel
 11 | Interface) in Cisco world. System can be imported from ovf template, or build manually from CentOS7. Once done, it can run as a router (with OSPF, BGP, static,
 12 | and if necessary extra quagga supported routing protocols) and keep IPSEC connections with AWS ior AZURE using BGP (or other) routing.
 13 | It is tested with AWS and AZURE in production environment and (with all these scripts and changes we did on standard CentOS7) is very stable (counted as production ready in our environments).
 14 | System allows automated parsing of AWS VPN descriptions, or manual VTI descriptioni, and knows AZURE specifics. 
 15 | 
 16 | Documentation sources are held on Google Drive to allow easy collaboration 
 17 | - https://drive.google.com/drive/u/0/folders/0B4R1SzsWIJVfWm5icWtVTjNJX2s
 18 | 
 19 | Ready to use application (CentOS7 with all installed software) is available for download here (root pwd GitHub.2016, change it ASAP once deployed):
 20 | - https://drive.google.com/drive/u/0/folders/0B4R1SzsWIJVfLW9ZNzY1clJfTnM
 21 | 
 22 | ### Prerequisites
 23 | 
 24 | See Introduction in DOCS section. In short, you need 2 networks, one DMZ (or INSIDE) and one OUTSIDE, and need private (Vmware) cloud with access to both, OR 
 25 | you need Hardware / Virtual Linux CentOS 7, connected to both DMZ (or INSIDE) and OUTSIDE networks. Router do not use OUTSIDE for default routing so it is relatively safe against scans and attacks 
 26 | (and do not create a hole into the network, and in addition we recommend using DMZ and not INSIDE network for internal connection).
 27 | 
 28 | You need static IP in both networks (maybe, can use DHCP inside). For serious usage, you may need OSPF or BGP (or any quagga compatible) routing protocol inside your DMZ network.
 29 | 
 30 | ### Ready to run appliance
 31 | 
 32 | This project contains 2 parts - scripts and files (here), and Virtual Appliance, ready to run. Appliance moved out of the project file structure to simplify
 33 | management.
 34 | 
 35 | 
 36 | 
 37 | Future versions can me moved to GigHub using Large Files support, but wil be held in different project (vti-router-images)
 38 | 
 39 | ### Installing
 40 | 
 41 | See installation example in DOCS section in 'Introduction', and see detailed description of the system components in DOCS section in 'Implementation'. 
 42 | 
 43 | There are 2 ways to install it:
 44 | 
 45 | (1) Import appliance from ovf file into Vmware (or compatible) cloud. Login as a root using password provided with appliance (GitHub.2016 for now). 
 46 | Change password. cd to ~/scripts; run initial setup as
 47 | 
 48 |   ./INITIAL_SETUP.sh
 49 |   
 50 | (2) Install Linux CentOS 7 64 bit, with normal set of packages (see RPM-LIST.txt to compare). Extract 'scripts' from this project into /usr/local/scripts 
 51 | (you can extract them into other place but, then, you must run INITIAL_SETUP.sh and refresh_scripts.sh from this directory, the very first time). Make sure that 
 52 | system has access to Internet, then run
 53 |    
 54 |    ./update_kernel.sh
 55 |    
 56 |    (Modify it as required, as something may change in time).
 57 |   
 58 |   Create symlink ln -s /usr/local/scripts ~/scripts .
 59 |   
 60 |   Restart, cd /usr/local/scripts; run ./INITIAL_SETUP.sh and select Reinstall option. 
 61 |   
 62 |   it will reinstall required packages.
 63 |   
 64 |   
 65 |   
 66 |  Then follow instructions (Introduction, first of all) - configure quagga according to your network, 
 67 |  parse AWS configuration or create tunnel manually, then VTI -add, then VTI -enable, VTI -status, etc...
 68 | 
 69 | ## Directories
 70 |   scripts - VTI system scripts; can be copied as is to /usr/local/scripts
 71 |   
 72 |   DOCS - local copy of documentation
 73 |     
 74 | 
 75 | See 'Implementation' document for extra details.
 76 | 
 77 | ## Contributing
 78 | 
 79 | Project includes both, Appliance and Scripts (which are used inside it). I expect that appliance will not change too often (when changed, v01 will be changed to v02 and so on),
 80 | but scripts can be keept 'updated' all the time. We can add apliances for different platforms, if they are posted.
 81 | 
 82 | Any fixes for the bugs, parsing for the new VPN providers (I added only parser for AWS VPN), compatibility fixes for other cloud providers will be welcome.
 83 | 
 84 | Ubuntu version can be interesting (through we do not support Ubuntu in our Linux zoo). Ansible playbook for system set up (up to the scripts deployment) can be useful.
 85 | 
 86 | 
 87 | ## Versioning
 88 | 
 89 | Major.Minor numbers will be used, with extra tags for specific (Ubuntu for example) versions.
 90 | We will keep major versions for appliance, and minor for scripts (so scripts 1.20 for example can be always applied on appliance 1.0).
 91 | 
 92 | 
 93 | ## Authors
 94 | 
 95 | * **Alexei Roudnev** - *Initial work* - aprudnev@gmail.com
 96 | * **EIS Group open source group** - open-source@eisgroup.com
 97 | 
 98 | 
 99 | ## License
100 | 
101 | This project is licensed under the GPL license, and is donated by EIS Group (http://eisgroup.com) to the open source community (as it is based on mostly open source products, 
102 | but contains our code and was carefully tested in different conditions). 
103 | 
104 | 
105 | ## Acknowledgments
106 | 
107 | I used this (https://gist.github.com/heri16/2f59d22d1d5980796bfb) document as initial startig point; it was a huge help for us (even if it has only basic changes required for the production support).
108 | 
109 | ## UPDATE - restart_vti.sh adapted for AZURE
110 | We can not ping remote VTI end in azure, so health script restarted good vti tunnels. To fix it,
111 | it now check inbound traffic on interface, and if it exists, do not restart,  even
112 | if it can not ping.
113 | 
114 | One more update - I find out, that it can freeze in ETSBLISHED (but not INSTALLED) state, so
115 | script now do not try to find out connection state - if it is active, then it test pings and
116 | inbound traffic, and if no any exists for 20 seconds, then reset tunnel.
117 | 
118 | Ideally it should remember previous state and if no RX apckets come for 10 minutes, ONLY then
119 | restart.
120 | 
121 | PINGS did not work, because you must explicitly add route to our end of VTI into Azure VNET.
122 | 
123 | ## UPDATE - AZURE connectivity.
124 | 
125 | 
126 | Updated VTI_ADD.sh has now AZURE mode (just answer AZURE when it ask about provider), which adds necessary options for VTI (and propose options for BGP). 
127 | It is tested and works with Azure pretty well, aside of azure gateway restart time, which can be up to 1 hour (so be patient when testing).
128 | 
129 | On positive side, azure BGP reconnection time is about few seconds (compared with 5 minutes in AWS); on negative, they support multihop EBGP only and
130 | routing must be planned carefully, plus their gateway has so long restarting time, that it looks as failure sometimes. 
131 | BGP with their multihop BGP need careful planning, of course.
132 | 
133 | For azure, use your own local IP with /32 mask, and set up remote IP (on interface) as IP of
134 | their BGP gateway, configure your local IP on AZURE as IP of the tunnel (one you set up here).
135 | 
136 | This way ping will work for far end of tunnel (as this end is BGP router and for them, your IP is tunnel IP).
137 | 
138 | AZURE specific options are now:
139 | (They are added as VTI_O1 - VTI_O5):
140 | 
141 |         ike=aes256-sha1-modp1024
142 | 
143 |         esp=aes128-sha1,aes256-sha1!
144 | 
145 |         keyexchange=ike
146 | 
147 |         ikelifetime=10800s
148 | 
149 |         keyingtries=%forever
150 | 
151 | We add bgp multihop and route-map from_azure in, into BGP, too.
152 | You can modify them manually (in propperties file) or when running VTI_ADD.sh
153 | )
154 | 
155 | restart_vti.sh script improved now - it first kills all frozen swanctl 
156 | as they have a tendency to freeze when something go wrong.
157 | 
158 | In addition, we added monitoring for /tmp/vtitrace.log 
159 | 
160 | VTI_OPS.sh (the same as VTI) fixed to use proper method of configuration updates.
161 | 
162 | ## IMAGES
163 | Image version 2 uploaded. You can find images here (in subfolder) - https://drive.google.com/drive/folders/0B4R1SzsWIJVfWm5icWtVTjNJX2s?usp=sharing
164 | 
165 | ## KNOWN BUGS.
166 | 
167 | 1. FIXED - we must use strongswan update instead of reload. Usig reload caused creating a few more CHILD_SA (IPSEC SA) and confuze AZURE
168 | 
169 | 2. FIXED. We now set up rp_filter option = 0 for all vti interfaces and for eth0, 
170 | It is 1 for eth1. So assymmetrical traffic allowed everywhere
171 | except eth1 (to protect against attacks).
172 | IT is done in both ipsec-vti.sh script and by sysctl.d configs (see FILES.d subdirectories)
173 | 
174 | NOTICE - CentOS7 sort sysctl files by file name, so names started with 01 - 049 run 
175 | before system defaults (which has number 50). So we renamed our configs into 8N .
176 | 
177 | As on 3-May-2017, we run 10 VTI routers with more then 40 tunnels, with AWS, AZURE and VTI/VTI, without a single glitch or failure.
178 | ## UPDATE
179 | We reach 1/2 year of crash-less run for our 10+ VTI routers. Both, AZURE, AWS and VTI/VTI connections, works very well.
180 | 
181 | 


--------------------------------------------------------------------------------
/scripts/INITIAL_SETUP.sh:
--------------------------------------------------------------------------------
  1 | #!/bin/bash
  2 | ###################################################
  3 | # (c) EIS Group LTD, 2016                         #
  4 | # (License) GPL                                   #
  5 | # Donated to OpenSource by EIS Group, 2016.       #
  6 | # Authors: Alexei Roudnev , Andrey Saveliev       #
  7 | #                                                 #
  8 | #       open-source@eisgroup.com                  #
  9 | #  or   aprudnev@gmail.com                        #
 10 | #  URL; http://eisgroup.com                       #
 11 | ###################################################
 12 | 
 13 | #
 14 | # Basic setup for EIS VPC/AWS gateway, configures:
 15 | # - /etc/sysconfig/network
 16 | # - /etc/sysconfig/network-scripts/ifcfg-eth0
 17 | # - /etc/sysconfig/network-scripts/ifcfg-eth1
 18 | # - /etc/resolv.conf
 19 | # - install strongswan and quagga
 20 | # - install scripts to parse aws files and add/remove VTI tunnels
 21 | # 
 22 | 
 23 | script_name="$(readlink -f $0)"
 24 | if [[ ! -d FILES.d ]]
 25 | then
 26 | 	echo "Run script from it's directory so it can see FILES.d. ABORTED"
 27 | 	exit 1
 28 | fi
 29 | 
 30 | # default values,
 31 | domain='net.exigengroup.com'
 32 | dnsservers='10.25.168.31 10.23.5.31 192.168.8.24 '
 33 | #
 34 | LIST="LIST"
 35 | # ASK VAR default COMMENT 
 36 | ask() {
 37 |         var=$1
 38 | 	LIST="$LIST $var"
 39 | 	default=$2
 40 | 	echo "$3"
 41 | 	echo -n "$1= [$2]_"
 42 | 	eval read X
 43 | 	if [ "$X" = "" ]
 44 | 	then
 45 | 		eval $var='"$default"'
 46 | 	else
 47 | 		eval $var='"$X"'
 48 | 	fi
 49 | }
 50 | ask host "`hostname -s`" "Enter short hostname"
 51 | if [[ -f /etc/sysconfig/$host.properties ]]
 52 | then
 53 |    echo "### SAVED PROPERTIES FOUND ***"
 54 |    cat /etc/sysconfig/$host.properties
 55 |    echo -n "Do you want to reuse them? (y|n) [n]_ "
 56 |    read x
 57 |    if [[ "$x" = "y" ]]
 58 |    then
 59 |    echo "Reusing..."
 60 |    . /etc/sysconfig/$host.properties
 61 |    reuse=1
 62 |    fi
 63 | fi
 64 | if [[ "$reuse" != "1" ]]
 65 | then
 66 | ask host "$host" "Enter short hostname"
 67 | ask domain "net.exigengroup.com" "Enter domain name"
 68 | ask IP "" "Enter my INSIDE IP address"
 69 | NETMASK=255.255.255.0
 70 | GATEWAY=`echo $IP | sed 's/\.[0-9]*$/.1/'`
 71 | ask NETMASK "$NETMASK" "Enter netmask for $IP"
 72 | ask GATEWAY "$GATEWAY" "Enter gateway for $IP"
 73 | ask dnsservers "$dnsservers" "Enter list of DNS servers (IP, space delimited)"
 74 | #
 75 | ask EXT_IP "" "Enter OUTSIDE IP address"
 76 | ask EXT_NETMASK "255.255.255.0" "Enter OUTSIDE IP netmask"
 77 | EXT_GW=`echo $EXT_IP | sed 's/[^.]*$/1/'`
 78 | ask EXT_GW "$EXT_GW" "Enter OUTSIDE IP Gateway"
 79 | ask LOCAL_AS "" "Enter LOCAL AS number, no BGP if empty"
 80 | ask OSPF_NETWORKS "" "Enter list of OSPF networks in N.N.N.N/prefix format delimited by spaces"
 81 | ask SNMP_COMM "" "SNMP v1/v2 communities (no SNMP if empty)"
 82 | fi
 83 | ask REINSTALL "n" "Reinstall or install software and system variables? 
 84 | (require INTERNET connection)"
 85 | ask RESET "y" "Reset IPSEC and quagga configuration files?"
 86 | #
 87 | if [[ "$RESET" = "y" && ! -d FILES.d/strongswan ]]
 88 | then
 89 |    echo "RESET not allowed as it required FILES.d/strongswan directory which is absent"
 90 |    RESET="n"
 91 | fi
 92 | 
 93 | #
 94 | echo "
 95 | *** VERIFY:
 96 | HOST $host.$domain
 97 | IP: $IP
 98 | NETMASK: $NETMASK
 99 | GATEWAY: $GATEWAY
100 | EXT_IP:  $EXT_IP
101 | EXT_NETMASK: $EXT_NETMASK
102 | EXT_GW:  $EXT_GW
103 | LOCAL_AS: $LOCAL_AS
104 | OSPF_NETWORKS: $OSPF_NETWORKS
105 | RESET: $RESET
106 | REINSTALL: $REINSTALL
107 | SNMP_COMM: $SNMP_COMM
108 | "
109 | echo -n "^C to abort, ENTER to proceed_"
110 | read x
111 | if [[ "$x" != "" && "$x" != "yes" ]]
112 | then
113 | 	echo "ABORTED , try again"
114 | 	exit 1
115 | fi
116 | echo -e "WILL PROCEED\n"
117 | 
118 | 
119 | #
120 | # update network configuration
121 | #
122 | 
123 | # centos7 configuration stores hostname in /etc/hostname
124 | echo "$host.$domain" > /etc/hostname
125 | grep NOZEROCONF -q /etc/sysconfig/network || echo NOZEROCONF=yes >> /etc/sysconfig/network
126 | 
127 | #
128 | cat > /etc/resolv.conf <<EOF
129 | # /etc/resolv.conf
130 | # configured by $script_name script
131 | search $domain net.exigengroup.com exigengroup.com
132 | EOF
133 | 
134 | for dns in $dnsservers ; do
135 | 	echo "nameserver $dns" >> /etc/resolv.conf
136 | done
137 | 
138 | cat > /etc/sysconfig/network-scripts/ifcfg-eth0 <<EOF
139 | #
140 | # Run $script_name to reconfigure 
141 | #
142 | 
143 | DEVICE="eth0"
144 | TYPE="Ethernet"
145 | ONBOOT="yes"
146 | 
147 | IPV6INIT="no"
148 | NM_CONTROLLED="no"
149 | USERCTL="no"
150 | 
151 | BOOTPROTO="none"
152 | PEERDNS="no"
153 | 
154 | IPADDR=$IP
155 | NETMASK=$NETMASK
156 | GATEWAY=$GATEWAY
157 | EOF
158 | 
159 | cat > /etc/sysconfig/network-scripts/ifcfg-eth1 <<EOF
160 | #
161 | # Run $script_name to reconfigure 
162 | #
163 | 
164 | DEVICE="eth1"
165 | TYPE="Ethernet"
166 | ONBOOT="yes"
167 | 
168 | IPV6INIT="no"
169 | NM_CONTROLLED="no"
170 | USERCTL="no"
171 | 
172 | BOOTPROTO="none"
173 | PEERDNS="no"
174 | 
175 | IPADDR=$EXT_IP
176 | NETMASK=$EXT_NETMASK
177 | EOF
178 | 
179 | 
180 | # apply updated network configuration
181 | echo -e '\n*** Applying network coniguration, please update VLAN connection for VM accordingly ***\n'
182 | service network restart
183 | 
184 | hostname $HOSTNAME
185 | #
186 | if [[ "$reuse" != "1" ]]
187 | then
188 |     echo "Saving /etc/sysconfig/$host.properties"
189 |     cat > /etc/sysconfig/$host.properties <<EOF
190 | # Created `date`
191 | EOF
192 |     for i in $LIST
193 |     do
194 |         eval 'echo '$i'=\"$'$i'\"' >> /etc/sysconfig/$host.properties
195 |     done
196 | fi
197 | 
198 | if [[ "$REINSTALL" != "n" ]]
199 | then
200 |     yum -y remove libreswan
201 |     yum -y remove firewalld
202 |     yum -y remove monit
203 |     yum -y install net-snmp
204 |     yum -y install --enablerepo=epel strongswan quagga system-config-firewall monit 
205 | 
206 |     rm -rf /etc/ipsec.d
207 |     rm -f /etc/ipsec.conf
208 |     rm -f /etc/ipsec.secrets
209 |     if [[ `pwd -P` != `cd ~/scripts && pwd -P` ]]
210 |     then
211 |     	rsync -a README* *.sh VTI* FILES.d ~/scripts/
212 |         mkdir -p ~/scripts/WORK
213 | 	rsync -a WORK/`hostname -s`.d ~/scripts/WORK/.
214 |         cat > /usr/sbin/VTI <<EOF
215 | #!/bin/bash
216 | cd ~/scripts && . ./VTI_OPS.sh \$*
217 | EOF
218 | 	chmod a+rx /usr/sbin/VTI
219 |         grep -q VTI /etc/motd || echo "To manage VTI use VTI command, scripts at ~/scripts" >> /etc/motd
220 |     fi
221 |     #
222 | fi
223 | 
224 | if [[ "$RESET" = "y" ]]
225 | then
226 |     #
227 | echo " "
228 | echo "Resetting configuration..."
229 |     #
230 |     echo "3.Removing /etc/strongswan/vti.d/*.{conf,init,secrets} /etc/quagga/*.conf"
231 |     rm -rf /etc/strongswan/vti.d /etc/quagga
232 |     echo "4. Copyying files from FILES.d to /etc"
233 |     service zebra stop  
234 |     (cd FILES.d && tar cf - * ) | (cd /etc && tar xf -) 
235 |     chown -R quagga:quagga /etc/quagga
236 |     for i in zebra ospfd bgpd
237 |     do
238 |       systemctl enable $i
239 |       systemctl start $i
240 |       systemctl status $i
241 |     done
242 |     chmod 600 /etc/strongswan/ipsec.secrets
243 |     chmod +x /etc/strongswan/ipsec-vti.sh 
244 | echo "5. Recreating /etc/sysconfig/network-scripts/route-eth1"
245 | cat > /etc/sysconfig/network-scripts/route-eth1 <<EOF
246 | # Created by $0 script `date`
247 | EOF
248 | 
249 | echo "6. Recreating /etc/sysconfig/iptables"
250 | cat > /etc/sysconfig/iptables <<EOF
251 | # Generated by iptables-save v1.4.21 on Mon Jun 20 20:07:34 2016
252 | *filter
253 | :INPUT ACCEPT [0:0]
254 | :FORWARD ACCEPT [0:0]
255 | :OUTPUT ACCEPT [1738:245262]
256 | -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
257 | -A INPUT -p icmp -j ACCEPT
258 | -A INPUT -i lo -j ACCEPT
259 | -A INPUT -i eth0 -j ACCEPT
260 | -A INPUT -i tun+ -j ACCEPT
261 | -A INPUT -i vti+ -j ACCEPT
262 | -A INPUT -p ah -j ACCEPT
263 | -A INPUT -p esp -j ACCEPT
264 | -A INPUT -p udp -m state --state NEW -m udp --dport 500 -j ACCEPT
265 | -A INPUT -j REJECT --reject-with icmp-host-prohibited
266 | -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
267 | -A FORWARD -p icmp -j ACCEPT
268 | -A FORWARD -i lo -j ACCEPT
269 | -A FORWARD -i eth0 -j ACCEPT
270 | -A FORWARD -i tun+ -j ACCEPT
271 | -A FORWARD -i vti+ -j ACCEPT
272 | -A FORWARD -j REJECT --reject-with icmp-host-prohibited
273 | COMMIT
274 | EOF
275 | echo "7. Enabling iptables, zebra, monit  and strongswan"
276 | systemctl enable iptables
277 | systemctl enable strongswan
278 | systemctl enable zebra
279 | #BLOCKED# systemctl enable monit
280 | 
281 | fi
282 | 
283 | if [[ "$OSPF_NETWORKS" != "" ]]
284 | then
285 | echo "8a. Creating /etc/quagga/ospfd.conf"
286 | cat > /tmp/conf.$$ <<EOF
287 | !
288 | conf t
289 | router ospf
290 | EOF
291 | for i in $OSPF_NETWORKS
292 | do
293 |   echo "network $i area 0" >> /tmp/conf.$$
294 | done
295 | cat >> /tmp/conf.$$ <<EOF
296 | exit
297 | exit
298 | wr mem
299 | EOF
300 | echo "Applying: `cat /tmp/conf.$$`"
301 | vtysh < /tmp/conf.$$
302 | rm -f /tmp/conf.$$
303 | echo "8b. Enabling ospfd"
304 | systemctl enable ospfd
305 | fi
306 | 
307 | if [[ $LOCAL_AS != "" && ! -f /etc/quagga/bgpd.conf ]]
308 | then 
309 | 	echo "9a. Creating /etc/quagga/bgpd.conf"
310 | cat > /tmp/conf.$$ <<EOF
311 | conf t
312 | router bgp $LOCAL_AS
313 |   bgp router-id $EXT_IP
314 | exit
315 | wr mem
316 | EOF
317 | echo "Applying: `cat /tmp/conf.$$`"
318 | vtysh < /tmp/conf.$$
319 | 
320 |          echo "9b. Enabling bgpd"
321 |          systemctl enable bgpd
322 | fi
323 | 
324 | echo "10. Setting monit"
325 | sed -i 's/set daemon  30/set daemon  5/g' /etc/monitrc
326 | if [[ "$SNMP_COMM" != "" ]]
327 | then
328 | echo 'OPTIONS="-LS0-6d -p /var/run/net-snmp/snmpd.pid"' >> /etc/sysconfig/snmpd
329 | cat > /etc/snmp/snmpd.conf <<EOF
330 | rocommunity $SNMP_COMM
331 | EOF
332 | systemctl enable snmpd
333 | else
334 | systemctl disable snmpd
335 | fi
336 | 
337 | echo "Now restart router to test that we did it correct way
338 | You MUST have few important adjustments in strongswan, verify them
339 | Must be no - `grep install_virtual_ip /etc/strongswan/strongswan.d/charon.conf | grep -v '#'`
340 | Must be no - `grep install_routes /etc/strongswan/strongswan.d/charon.conf | grep -v '#'`
341 | Must be no - `grep load /etc/strongswan/strongswan.d/charon/farp.conf | grep -v '#'`
342 | "
343 | 
344 | 
345 | 


--------------------------------------------------------------------------------
/scripts/FILES.d/strongswan/strongswan.d/charon.conf:
--------------------------------------------------------------------------------
  1 | # Options for the charon IKE daemon.
  2 | charon {
  3 | 
  4 |     # Accept unencrypted ID and HASH payloads in IKEv1 Main Mode.
  5 |     # accept_unencrypted_mainmode_messages = no
  6 | 
  7 |     # Maximum number of half-open IKE_SAs for a single peer IP.
  8 |     # block_threshold = 5
  9 | 
 10 |     # Whether relations in validated certificate chains should be cached in
 11 |     # memory.
 12 |     # cert_cache = yes
 13 | 
 14 |     # Send Cisco Unity vendor ID payload (IKEv1 only).
 15 |     # cisco_unity = no
 16 | 
 17 |     # Close the IKE_SA if setup of the CHILD_SA along with IKE_AUTH failed.
 18 |     # close_ike_on_child_failure = no
 19 | 
 20 |     # Number of half-open IKE_SAs that activate the cookie mechanism.
 21 |     # cookie_threshold = 10
 22 | 
 23 |     # Use ANSI X9.42 DH exponent size or optimum size matched to cryptographic
 24 |     # strength.
 25 |     # dh_exponent_ansi_x9_42 = yes
 26 | 
 27 |     # DNS server assigned to peer via configuration payload (CP).
 28 |     # dns1 =
 29 | 
 30 |     # DNS server assigned to peer via configuration payload (CP).
 31 |     # dns2 =
 32 | 
 33 |     # Enable Denial of Service protection using cookies and aggressiveness
 34 |     # checks.
 35 |     # dos_protection = yes
 36 | 
 37 |     # Compliance with the errata for RFC 4753.
 38 |     # ecp_x_coordinate_only = yes
 39 | 
 40 |     # Free objects during authentication (might conflict with plugins).
 41 |     # flush_auth_cfg = no
 42 | 
 43 |     # Maximum size (complete IP datagram size in bytes) of a sent IKE fragment
 44 |     # when using proprietary IKEv1 or standardized IKEv2 fragmentation (0 for
 45 |     # address family specific        default values). If specified this limit is
 46 |     # used for both IPv4 and IPv6.
 47 |     # fragment_size = 0
 48 | 
 49 |     # Name of the group the daemon changes to after startup.
 50 |     # group =
 51 | 
 52 |     # Timeout in seconds for connecting IKE_SAs (also see IKE_SA_INIT DROPPING).
 53 |     # half_open_timeout = 30
 54 | 
 55 |     # Enable hash and URL support.
 56 |     # hash_and_url = no
 57 | 
 58 |     # Allow IKEv1 Aggressive Mode with pre-shared keys as responder.
 59 |     # i_dont_care_about_security_and_use_aggressive_mode_psk = no
 60 | 
 61 |     # Whether to ignore the traffic selectors from the kernel's acquire events
 62 |     # for IKEv2 connections (they are not used for IKEv1).
 63 |     # ignore_acquire_ts = no
 64 | 
 65 |     # A space-separated list of routing tables to be excluded from route
 66 |     # lookups.
 67 |     # ignore_routing_tables =
 68 | 
 69 |     # Maximum number of IKE_SAs that can be established at the same time before
 70 |     # new connection attempts are blocked.
 71 |     # ikesa_limit = 0
 72 | 
 73 |     # Number of exclusively locked segments in the hash table.
 74 |     # ikesa_table_segments = 1
 75 | 
 76 |     # Size of the IKE_SA hash table.
 77 |     # ikesa_table_size = 1
 78 | 
 79 |     # Whether to close IKE_SA if the only CHILD_SA closed due to inactivity.
 80 |     # inactivity_close_ike = no
 81 | 
 82 |     # Limit new connections based on the current number of half open IKE_SAs,
 83 |     # see IKE_SA_INIT DROPPING in strongswan.conf(5).
 84 |     # init_limit_half_open = 0
 85 | 
 86 |     # Limit new connections based on the number of queued jobs.
 87 |     # init_limit_job_load = 0
 88 | 
 89 |     # Causes charon daemon to ignore IKE initiation requests.
 90 |     # initiator_only = no
 91 | 
 92 |     # Install routes into a separate routing table for established IPsec
 93 |     # tunnels.
 94 |     install_routes = no
 95 | 
 96 |     # Install virtual IP addresses.
 97 |     install_virtual_ip = no
 98 | 
 99 |     # The name of the interface on which virtual IP addresses should be
100 |     # installed.
101 |     # install_virtual_ip_on =
102 | 
103 |     # Check daemon, libstrongswan and plugin integrity at startup.
104 |     # integrity_test = no
105 | 
106 |     # A comma-separated list of network interfaces that should be ignored, if
107 |     # interfaces_use is specified this option has no effect.
108 |     # interfaces_ignore =
109 | 
110 |     # A comma-separated list of network interfaces that should be used by
111 |     # charon. All other interfaces are ignored.
112 |     # interfaces_use =
113 | 
114 |     # NAT keep alive interval.
115 |     # keep_alive = 20s
116 | 
117 |     # Plugins to load in the IKE daemon charon.
118 |     # load =
119 | 
120 |     # Determine plugins to load via each plugin's load option.
121 |     # load_modular = no
122 | 
123 |     # Initiate IKEv2 reauthentication with a make-before-break scheme.
124 |     # make_before_break = no
125 | 
126 |     # Maximum packet size accepted by charon.
127 |     # max_packet = 10000
128 | 
129 |     # Enable multiple authentication exchanges (RFC 4739).
130 |     # multiple_authentication = yes
131 | 
132 |     # WINS servers assigned to peer via configuration payload (CP).
133 |     # nbns1 =
134 | 
135 |     # WINS servers assigned to peer via configuration payload (CP).
136 |     # nbns2 =
137 | 
138 |     # UDP port used locally. If set to 0 a random port will be allocated.
139 |     # port = 500
140 | 
141 |     # UDP port used locally in case of NAT-T. If set to 0 a random port will be
142 |     # allocated.  Has to be different from charon.port, otherwise a random port
143 |     # will be allocated.
144 |     # port_nat_t = 4500
145 | 
146 |     # By default public IPv6 addresses are preferred over temporary ones (RFC
147 |     # 4941), to make connections more stable. Enable this option to reverse
148 |     # this.
149 |     # prefer_temporary_addrs = no
150 | 
151 |     # Process RTM_NEWROUTE and RTM_DELROUTE events.
152 |     # process_route = yes
153 | 
154 |     # Delay in ms for receiving packets, to simulate larger RTT.
155 |     # receive_delay = 0
156 | 
157 |     # Delay request messages.
158 |     # receive_delay_request = yes
159 | 
160 |     # Delay response messages.
161 |     # receive_delay_response = yes
162 | 
163 |     # Specific IKEv2 message type to delay, 0 for any.
164 |     # receive_delay_type = 0
165 | 
166 |     # Size of the AH/ESP replay window, in packets.
167 |     # replay_window = 32
168 | 
169 |     # Base to use for calculating exponential back off, see IKEv2 RETRANSMISSION
170 |     # in strongswan.conf(5).
171 |     # retransmit_base = 1.8
172 | 
173 |     # Timeout in seconds before sending first retransmit.
174 |     # retransmit_timeout = 4.0
175 | 
176 |     # Number of times to retransmit a packet before giving up.
177 |     # retransmit_tries = 5
178 | 
179 |     # Interval to use when retrying to initiate an IKE_SA (e.g. if DNS
180 |     # resolution failed), 0 to disable retries.
181 |     # retry_initiate_interval = 0
182 | 
183 |     # Initiate CHILD_SA within existing IKE_SAs.
184 |     # reuse_ikesa = yes
185 | 
186 |     # Numerical routing table to install routes to.
187 |     # routing_table =
188 | 
189 |     # Priority of the routing table.
190 |     # routing_table_prio =
191 | 
192 |     # Delay in ms for sending packets, to simulate larger RTT.
193 |     # send_delay = 0
194 | 
195 |     # Delay request messages.
196 |     # send_delay_request = yes
197 | 
198 |     # Delay response messages.
199 |     # send_delay_response = yes
200 | 
201 |     # Specific IKEv2 message type to delay, 0 for any.
202 |     # send_delay_type = 0
203 | 
204 |     # Send strongSwan vendor ID payload
205 |     # send_vendor_id = no
206 | 
207 |     # Whether to enable Signature Authentication as per RFC 7427.
208 |     # signature_authentication = yes
209 | 
210 |     # Whether to enable constraints against IKEv2 signature schemes.
211 |     # signature_authentication_constraints = yes
212 | 
213 |     # Number of worker threads in charon.
214 |     # threads = 16
215 | 
216 |     # Name of the user the daemon changes to after startup.
217 |     # user =
218 | 
219 |     crypto_test {
220 | 
221 |         # Benchmark crypto algorithms and order them by efficiency.
222 |         # bench = no
223 | 
224 |         # Buffer size used for crypto benchmark.
225 |         # bench_size = 1024
226 | 
227 |         # Number of iterations to test each algorithm.
228 |         # bench_time = 50
229 | 
230 |         # Test crypto algorithms during registration (requires test vectors
231 |         # provided by the test-vectors plugin).
232 |         # on_add = no
233 | 
234 |         # Test crypto algorithms on each crypto primitive instantiation.
235 |         # on_create = no
236 | 
237 |         # Strictly require at least one test vector to enable an algorithm.
238 |         # required = no
239 | 
240 |         # Whether to test RNG with TRUE quality; requires a lot of entropy.
241 |         # rng_true = no
242 | 
243 |     }
244 | 
245 |     host_resolver {
246 | 
247 |         # Maximum number of concurrent resolver threads (they are terminated if
248 |         # unused).
249 |         # max_threads = 3
250 | 
251 |         # Minimum number of resolver threads to keep around.
252 |         # min_threads = 0
253 | 
254 |     }
255 | 
256 |     leak_detective {
257 | 
258 |         # Includes source file names and line numbers in leak detective output.
259 |         # detailed = yes
260 | 
261 |         # Threshold in bytes for leaks to be reported (0 to report all).
262 |         # usage_threshold = 10240
263 | 
264 |         # Threshold in number of allocations for leaks to be reported (0 to
265 |         # report all).
266 |         # usage_threshold_count = 0
267 | 
268 |     }
269 | 
270 |     processor {
271 | 
272 |         # Section to configure the number of reserved threads per priority class
273 |         # see JOB PRIORITY MANAGEMENT in strongswan.conf(5).
274 |         priority_threads {
275 | 
276 |         }
277 | 
278 |     }
279 | 
280 |     # Section containing a list of scripts (name = path) that are executed when
281 |     # the daemon is started.
282 |     start-scripts {
283 | 
284 |     }
285 | 
286 |     # Section containing a list of scripts (name = path) that are executed when
287 |     # the daemon is terminated.
288 |     stop-scripts {
289 | 
290 |     }
291 | 
292 |     tls {
293 | 
294 |         # List of TLS encryption ciphers.
295 |         # cipher =
296 | 
297 |         # List of TLS key exchange methods.
298 |         # key_exchange =
299 | 
300 |         # List of TLS MAC algorithms.
301 |         # mac =
302 | 
303 |         # List of TLS cipher suites.
304 |         # suites =
305 | 
306 |     }
307 | 
308 |     x509 {
309 | 
310 |         # Discard certificates with unsupported or unknown critical extensions.
311 |         # enforce_critical = yes
312 | 
313 |     }
314 | 
315 | }
316 | 
317 | 


--------------------------------------------------------------------------------
/scripts/RPM.list:
--------------------------------------------------------------------------------
  1 | exiv2-libs-0.23-6.el7.x86_64
  2 | libtirpc-0.2.4-0.6.el7.x86_64
  3 | lldpad-1.0.1-2.git986eb2e.el7.x86_64
  4 | filesystem-3.2-20.el7.x86_64
  5 | checkpolicy-2.1.12-6.el7.x86_64
  6 | libverto-tevent-0.2.5-4.el7.x86_64
  7 | dnsmasq-2.66-14.el7_1.x86_64
  8 | gpm-libs-1.20.7-5.el7.x86_64
  9 | libsmi-0.4.8-13.el7.x86_64
 10 | appstream-data-7-6.el7.noarch
 11 | lm_sensors-libs-3.3.4-11.el7.x86_64
 12 | geocode-glib-3.14.0-2.el7.x86_64
 13 | python-2.7.5-34.el7.x86_64
 14 | ebtables-2.0.10-13.el7.x86_64
 15 | libselinux-2.2.2-6.el7.x86_64
 16 | libselinux-python-2.2.2-6.el7.x86_64
 17 | mercurial-2.6.2-6.el7_2.x86_64
 18 | libcom_err-1.42.9-7.el7.x86_64
 19 | python-decorator-3.4.0-3.el7.noarch
 20 | net-snmp-5.7.2-24.el7_2.1.x86_64
 21 | lockdev-1.0.4-0.13.20111007git.el7.x86_64
 22 | plymouth-graphics-libs-0.8.9-0.24.20140113.el7.centos.x86_64
 23 | selinux-policy-3.13.1-60.el7_2.7.noarch
 24 | fcoe-utils-1.0.30-3.git91c0c8c.el7.x86_64
 25 | sqlite-3.7.17-8.el7.x86_64
 26 | rsyslog-7.4.7-12.el7.x86_64
 27 | gettext-0.18.2.1-4.el7.x86_64
 28 | openssl-libs-1.0.1e-51.el7_2.5.x86_64
 29 | libattr-2.4.46-12.el7.x86_64
 30 | PackageKit-command-not-found-1.0.7-5.el7.centos.x86_64
 31 | libmount-2.23.2-26.el7_2.2.x86_64
 32 | shared-mime-info-1.1-9.el7.x86_64
 33 | net-tools-2.0-0.17.20131004git.el7.x86_64
 34 | btrfs-progs-3.19.1-1.el7.x86_64
 35 | iproute-3.10.0-54.el7_2.1.x86_64
 36 | p11-kit-0.20.7-3.el7.x86_64
 37 | python-ntplib-0.3.2-1.el7.noarch
 38 | nss-3.21.0-9.el7_2.x86_64
 39 | libnl3-3.2.21-10.el7.x86_64
 40 | yum-langpacks-0.4.2-4.el7.noarch
 41 | newt-python-0.52.15-4.el7.x86_64
 42 | device-mapper-event-1.02.107-5.el7_2.4.x86_64
 43 | libXau-1.0.8-2.1.el7.x86_64
 44 | mailx-12.5-12.el7_0.x86_64
 45 | iscsi-initiator-utils-6.2.0.873-33.el7_2.1.x86_64
 46 | libicu-50.1.2-15.el7.x86_64
 47 | hunspell-en-0.20121024-5.el7.noarch
 48 | libwbclient-4.2.10-6.2.el7_2.x86_64
 49 | libv4l-0.9.5-4.el7.x86_64
 50 | nano-2.3.1-10.el7.x86_64
 51 | rpm-libs-4.11.3-17.el7.x86_64
 52 | libxml2-python-2.9.1-6.el7_2.3.x86_64
 53 | libtasn1-3.8-2.el7.x86_64
 54 | bridge-utils-1.5-9.el7.x86_64
 55 | libreport-web-2.1.11-32.el7.centos.x86_64
 56 | sssd-client-1.13.0-40.el7_2.9.x86_64
 57 | libudisks2-2.1.2-6.el7.x86_64
 58 | iwl4965-firmware-228.61.2.24-43.el7.noarch
 59 | libreport-rhel-anaconda-bugzilla-2.1.11-32.el7.centos.x86_64
 60 | ntp-perl-4.2.6p5-22.el7.centos.2.noarch
 61 | libdvdread-4.2.0-6.el7.x86_64
 62 | iwl6000-firmware-9.221.4.1-43.el7.noarch
 63 | python-urlgrabber-3.10-7.el7.noarch
 64 | libcacard-1.5.3-105.el7_2.4.x86_64
 65 | libdaemon-0.14-7.el7.x86_64
 66 | iwl100-firmware-39.31.5.1-43.el7.noarch
 67 | rpm-build-libs-4.11.3-17.el7.x86_64
 68 | openssl-1.0.1e-51.el7_2.5.x86_64
 69 | libnl3-cli-3.2.21-10.el7.x86_64
 70 | avahi-libs-0.6.31-15.el7_2.1.x86_64
 71 | bzip2-1.0.6-13.el7.x86_64
 72 | kernel-ml-4.8.4-1.el7.elrepo.x86_64
 73 | libtar-1.2.11-29.el7.x86_64
 74 | libsemanage-2.1.10-18.el7.x86_64
 75 | libconfig-1.4.9-5.el7.x86_64
 76 | grub2-tools-2.02-0.34.el7.centos.x86_64
 77 | keyutils-libs-1.5.8-3.el7.x86_64
 78 | procps-ng-3.3.10-5.el7_2.x86_64
 79 | dmidecode-2.12-9.el7.x86_64
 80 | polkit-pkla-compat-0.1-4.el7.x86_64
 81 | perl-HTTP-Tiny-0.033-3.el7.noarch
 82 | avahi-0.6.31-15.el7_2.1.x86_64
 83 | libpciaccess-0.13.4-2.el7.x86_64
 84 | perl-libs-5.16.3-286.el7.x86_64
 85 | accountsservice-libs-0.6.35-9.el7.x86_64
 86 | perl-Scalar-List-Utils-1.27-248.el7.x86_64
 87 | libssh2-1.4.3-10.el7_2.1.x86_64
 88 | crontabs-1.11-6.20121102git.el7.noarch
 89 | perl-Getopt-Long-2.40-2.el7.noarch
 90 | kpatch-0.3.1-1.el7_2.noarch
 91 | autogen-libopts-5.18-5.el7.x86_64
 92 | usbmuxd-1.0.8-11.el7.x86_64
 93 | libdwarf-20130207-4.el7.x86_64
 94 | fontpackages-filesystem-1.44-8.el7.noarch
 95 | kbd-1.15.5-11.el7.x86_64
 96 | libnfsidmap-0.25-12.el7.x86_64
 97 | libss-1.42.9-7.el7.x86_64
 98 | libstoragemgmt-python-1.2.3-4.el7.noarch
 99 | poppler-data-0.4.6-3.el7.noarch
100 | dump-0.4-0.22.b44.el7.x86_64
101 | redhat-menus-12.0.2-7.el7.noarch
102 | oddjob-mkhomedir-0.31.5-4.el7.x86_64
103 | mesa-filesystem-10.6.5-3.20150824.el7.x86_64
104 | yum-cron-3.4.3-132.el7.centos.0.1.noarch
105 | soundtouch-1.4.0-9.el7.x86_64
106 | libimobiledevice-1.1.5-6.el7.x86_64
107 | kbd-misc-1.15.5-11.el7.noarch
108 | gupnp-0.20.13-1.el7.x86_64
109 | ncurses-libs-5.9-13.20130511.el7.x86_64
110 | system-config-firewall-tui-1.2.29-10.el7.noarch
111 | centos-logos-70.0.6-3.el7.centos.noarch
112 | usb_modeswitch-data-20130807-2.el7.noarch
113 | dbus-libs-1.6.12-13.el7.x86_64
114 | git-1.8.3.1-6.el7_2.1.x86_64
115 | policycoreutils-python-2.2.5-20.el7.x86_64
116 | bzip2-libs-1.0.6-13.el7.x86_64
117 | pcsc-lite-libs-1.8.8-6.el7.x86_64
118 | libgcrypt-1.5.3-12.el7_1.1.x86_64
119 | glibc-2.17-106.el7_2.6.x86_64
120 | compat-libpackagekit-glib2-16-0.8.9-1.el7.x86_64
121 | libvisual-0.4.0-16.el7.x86_64
122 | elfutils-libelf-0.163-3.el7.x86_64
123 | libuuid-2.23.2-26.el7_2.2.x86_64
124 | opus-1.0.2-6.el7.x86_64
125 | augeas-libs-1.4.0-2.el7.x86_64
126 | rng-tools-5-7.el7.x86_64
127 | systemd-sysv-219-19.el7_2.11.x86_64
128 | python-slip-0.4.0-2.el7.noarch
129 | vim-common-7.4.160-1.el7.x86_64
130 | json-glib-1.0.2-1.el7.x86_64
131 | dracut-033-360.el7_2.1.x86_64
132 | python-configobj-4.7.2-7.el7.noarch
133 | systemtap-runtime-2.8-10.el7.x86_64
134 | nss-tools-3.21.0-9.el7_2.x86_64
135 | python-backports-ssl_match_hostname-3.4.0.2-4.el7.noarch
136 | desktop-file-utils-0.22-1.el7.x86_64
137 | ntpdate-4.2.6p5-22.el7.centos.2.x86_64
138 | ldns-1.6.16-7.el7.x86_64
139 | which-2.20-7.el7.x86_64
140 | nmap-ncat-6.40-7.el7.x86_64
141 | systemd-python-219-19.el7_2.11.x86_64
142 | python-nss-0.16.0-3.el7.x86_64
143 | glibmm24-2.42.0-1.el7.x86_64
144 | bash-completion-2.1-6.el7.noarch
145 | libndp-1.2-6.el7_2.x86_64
146 | libplist-1.10-4.el7.x86_64
147 | rfkill-0.4-9.el7.x86_64
148 | libsss_idmap-1.13.0-40.el7_2.9.x86_64
149 | libreport-2.1.11-32.el7.centos.x86_64
150 | libpcap-1.5.3-8.el7.x86_64
151 | rootfiles-8.1-11.el7.noarch
152 | tuned-2.5.1-4.el7_2.3.noarch
153 | deltarpm-3.6-3.el7.x86_64
154 | iwl105-firmware-18.168.6.1-43.el7.noarch
155 | libreport-cli-2.1.11-32.el7.centos.x86_64
156 | libxshmfence-1.2-1.el7.x86_64
157 | dracut-config-rescue-033-360.el7_2.1.x86_64
158 | gnupg2-2.0.22-3.el7.x86_64
159 | yum-utils-1.1.31-34.el7.noarch
160 | celt051-0.5.1.3-8.el7.x86_64
161 | ca-certificates-2015.2.6-70.1.el7_2.noarch
162 | gpg-pubkey-baadae52-49beffa4
163 | genisoimage-1.1.11-23.el7.x86_64
164 | libgomp-4.8.5-4.el7.x86_64
165 | kernel-ml-devel-4.8.4-1.el7.elrepo.x86_64
166 | libpipeline-1.2.3-3.el7.x86_64
167 | libXfont-1.5.1-2.el7.x86_64
168 | createrepo-0.9.9-25.el7_2.noarch
169 | policycoreutils-2.2.5-20.el7.x86_64
170 | slang-2.2.4-11.el7.x86_64
171 | libsemanage-python-2.1.10-18.el7.x86_64
172 | libevdev-1.4.1-1.el7.x86_64
173 | libvpx-1.3.0-5.el7_0.x86_64
174 | libavc1394-0.5.3-14.el7.x86_64
175 | perl-Pod-Escapes-1.04-286.el7.noarch
176 | avahi-gobject-0.6.31-15.el7_2.1.x86_64
177 | PackageKit-yum-1.0.7-5.el7.centos.x86_64
178 | perl-Exporter-5.68-3.el7.noarch
179 | plymouth-0.8.9-0.24.20140113.el7.centos.x86_64
180 | perl-Carp-1.26-244.el7.noarch
181 | numactl-libs-2.0.9-6.el7_2.x86_64
182 | tcp_wrappers-7.6-77.el7.x86_64
183 | telnet-0.17-59.el7.x86_64
184 | bluez-5.23-4.el7.x86_64
185 | tar-1.26-29.el7.x86_64
186 | cups-client-1.6.3-22.el7.x86_64
187 | dyninst-8.2.0-2.el7.x86_64
188 | control-center-filesystem-3.14.5-8.el7.x86_64
189 | libbasicobjects-0.1.1-25.el7.x86_64
190 | dmraid-events-1.0.0.rc16-26.el7.x86_64
191 | unzip-6.0-15.el7.x86_64
192 | centos-release-7-2.1511.el7.centos.2.10.x86_64
193 | make-3.82-21.el7.x86_64
194 | liberation-fonts-common-1.07.2-15.el7.noarch
195 | libpath_utils-0.2.1-25.el7.x86_64
196 | libhbalinux-1.0.17-2.el7.x86_64
197 | lsof-4.87-4.el7.x86_64
198 | langtable-data-0.0.31-3.el7.noarch
199 | oddjob-0.31.5-4.el7.x86_64
200 | emacs-filesystem-24.3-18.el7.noarch
201 | dstat-0.7.2-12.el7.noarch
202 | rtkit-0.11-10.el7.x86_64
203 | libproxy-0.4.11-8.el7.x86_64
204 | adwaita-cursor-theme-3.14.1-1.el7.noarch
205 | libsrtp-1.4.4-10.20101004cvs.el7.x86_64
206 | vte-profile-0.38.3-2.el7.x86_64
207 | iftop-1.0-0.7.pre4.el7.x86_64
208 | libsoup-2.48.1-3.el7.x86_64
209 | ncurses-base-5.9-13.20130511.el7.noarch
210 | gpg-pubkey-79ea5ed4-508d25a6
211 | gssdp-0.14.3-3.el7.x86_64
212 | fontconfig-2.10.95-7.el7.x86_64
213 | libstdc++-4.8.5-4.el7.x86_64
214 | dleyna-connector-dbus-0.2.0-1.el7.x86_64
215 | libarchive-3.1.2-7.el7.x86_64
216 | libsepol-2.1.9-3.el7.x86_64
217 | system-config-firewall-base-1.2.29-10.el7.noarch
218 | usb_modeswitch-1.2.7-6.el7.x86_64
219 | alsa-lib-1.0.28-2.el7.x86_64
220 | perl-Error-0.17020-2.el7.noarch
221 | hicolor-icon-theme-0.12-7.el7.noarch
222 | perl-Git-1.8.3.1-6.el7_2.1.noarch
223 | libcgroup-0.41-8.el7.x86_64
224 | pygobject2-2.28.6-11.el7.x86_64
225 | libjpeg-turbo-1.2.90-5.el7.x86_64
226 | net-snmp-agent-libs-5.7.2-24.el7_2.1.x86_64
227 | alsa-firmware-1.0.28-2.el7.noarch
228 | cracklib-dicts-2.9.0-11.el7.x86_64
229 | libgpg-error-1.12-3.el7.x86_64
230 | tigervnc-license-1.3.1-4.el7_2.noarch
231 | libgusb-0.1.6-3.el7.x86_64
232 | sed-4.2.2-5.el7.x86_64
233 | nss-softokn-freebl-3.16.2.3-14.2.el7_2.x86_64
234 | cdparanoia-libs-10.2-17.el7.x86_64
235 | e2fsprogs-1.42.9-7.el7.x86_64
236 | nspr-4.11.0-1.el7_2.x86_64
237 | neon-0.30.0-3.el7.x86_64
238 | pyliblzma-0.5.3-11.el7.x86_64
239 | libdb-5.3.21-19.el7.x86_64
240 | chkconfig-1.3.61-5.el7_2.1.x86_64
241 | libthai-0.1.14-9.el7.x86_64
242 | audit-libs-python-2.4.1-5.el7.x86_64
243 | libacl-2.2.51-12.el7.x86_64
244 | poppler-0.26.5-5.el7.x86_64
245 | fipscheck-1.4.1-5.el7.x86_64
246 | pkgconfig-0.27.1-4.el7.x86_64
247 | vim-filesystem-7.4.160-1.el7.x86_64
248 | python-slip-dbus-0.4.0-2.el7.noarch
249 | dbus-glib-0.100-7.el7.x86_64
250 | python-kitchen-1.1.1-5.el7.noarch
251 | gstreamer1-1.4.5-1.el7.x86_64
252 | python-six-1.9.0-2.el7.noarch
253 | pyxattr-0.5.1-5.el7.x86_64
254 | libexif-0.6.21-6.el7.x86_64
255 | python-setuptools-0.9.8-4.el7.noarch
256 | telepathy-glib-0.24.0-1.el7.x86_64
257 | python-ethtool-0.8-5.el7.x86_64
258 | cpio-2.11-24.el7.x86_64
259 | libidn-1.28-4.el7.x86_64
260 | hunspell-en-US-0.20121024-5.el7.noarch
261 | tcp_wrappers-libs-7.6-77.el7.x86_64
262 | lua-5.1.4-14.el7.x86_64
263 | libcurl-7.29.0-25.el7.centos.x86_64
264 | diffutils-3.3-4.el7.x86_64
265 | libuser-0.60-7.el7_1.x86_64
266 | lzo-2.06-8.el7.x86_64
267 | libreport-plugin-reportuploader-2.1.11-32.el7.centos.x86_64
268 | nettle-2.7.1-4.el7.x86_64
269 | python-deltarpm-3.6-3.el7.x86_64
270 | libtheora-1.1.1-8.el7.x86_64
271 | libreport-anaconda-2.1.11-32.el7.centos.x86_64
272 | e2fsprogs-libs-1.42.9-7.el7.x86_64
273 | color-filesystem-1-13.el7.noarch
274 | pciutils-libs-3.2.1-4.el7.x86_64
275 | lsscsi-0.27-3.el7.x86_64
276 | libieee1284-0.2.11-15.el7.x86_64
277 | gpgme-1.3.2-5.el7.x86_64
278 | p11-kit-trust-0.20.7-3.el7.x86_64
279 | yum-plugin-fastestmirror-1.1.31-34.el7.noarch
280 | file-5.11-31.el7.x86_64
281 | ncompress-4.2.4.4-3.el7.x86_64
282 | libgtop2-2.28.4-7.el7.x86_64
283 | libusb-0.1.4-3.el7.x86_64
284 | monit-5.14-1.el7.x86_64
285 | libepoxy-1.2-2.el7.x86_64
286 | mozjs17-17.0.0-12.el7.x86_64
287 | kernel-ml-4.6.3-1.el7.elrepo.x86_64
288 | wavpack-4.60.1-9.el7.x86_64
289 | xml-common-0.6.3-39.el7.noarch
290 | kernel-ml-headers-4.8.4-1.el7.elrepo.x86_64
291 | libfontenc-1.1.2-3.el7.x86_64
292 | ncdu-1.12-1.el7.x86_64
293 | mesa-libglapi-10.6.5-3.20150824.el7.x86_64
294 | authconfig-6.2.8-10.el7.x86_64
295 | libnl-1.1.4-3.el7.x86_64
296 | python-meh-0.25.2-1.el7.noarch
297 | gsm-1.0.13-11.el7.x86_64
298 | sbc-1.0-5.el7.x86_64
299 | libnfnetlink-1.0.1-4.el7.x86_64
300 | libmnl-1.0.3-7.el7.x86_64
301 | hostname-3.13-3.el7.x86_64
302 | qrencode-libs-3.4.1-3.el7.x86_64
303 | harfbuzz-0.9.36-1.el7.x86_64
304 | cryptsetup-libs-1.6.7-1.el7.x86_64
305 | gettext-libs-0.18.2.1-4.el7.x86_64
306 | dbus-1.6.12-13.el7.x86_64
307 | libshout-2.2.2-11.el7.x86_64
308 | less-458-9.el7.x86_64
309 | dconf-0.22.0-2.el7.x86_64
310 | perl-Pod-Perldoc-3.20-4.el7.noarch
311 | mesa-libgbm-10.6.5-3.20150824.el7.x86_64
312 | perl-Pod-Usage-1.63-3.el7.noarch
313 | PackageKit-1.0.7-5.el7.centos.x86_64
314 | perl-Filter-1.49-3.el7.x86_64
315 | perl-Socket-2.010-3.el7.x86_64
316 | perl-Storable-2.45-3.el7.x86_64
317 | perl-PathTools-3.40-5.el7.x86_64
318 | lzop-1.03-10.el7.x86_64
319 | ftp-0.17-66.el7.x86_64
320 | fuse-2.9.2-6.el7.x86_64
321 | lftp-4.4.8-7.el7.x86_64
322 | os-prober-1.58-5.el7.x86_64
323 | compat-libcolord1-1.0.4-1.el7.x86_64
324 | attr-2.4.46-12.el7.x86_64
325 | spax-1.5.2-13.el7.x86_64
326 | vim-enhanced-7.4.160-1.el7.x86_64
327 | usbutils-007-5.el7.x86_64
328 | libgudev1-219-19.el7_2.11.x86_64
329 | postfix-2.10.1-6.el7.x86_64
330 | util-linux-2.23.2-26.el7_2.2.x86_64
331 | smartmontools-6.2-4.el7.x86_64
332 | device-mapper-1.02.107-5.el7_2.4.x86_64
333 | biosdevname-0.6.2-1.el7.x86_64
334 | kpartx-0.4.9-85.el7_2.5.x86_64
335 | polkit-0.112-7.el7_2.x86_64
336 | NetworkManager-libnm-1.0.6-30.el7_2.x86_64
337 | man-db-2.6.3-9.el7.x86_64
338 | quota-4.01-11.el7_2.1.x86_64
339 | libreport-plugin-mailx-2.1.11-32.el7.centos.x86_64
340 | device-mapper-multipath-libs-0.4.9-85.el7_2.5.x86_64
341 | pinfo-0.6.10-9.el7.x86_64
342 | blktrace-1.0.5-6.el7.x86_64
343 | cronie-1.4.11-14.el7_2.1.x86_64
344 | ledmon-0.79-4.el7.x86_64
345 | samba-common-tools-4.2.10-6.2.el7_2.x86_64
346 | samba-common-libs-4.2.10-6.2.el7_2.x86_64
347 | bc-1.06.95-13.el7.x86_64
348 | kernel-tools-libs-3.10.0-327.22.2.el7.x86_64
349 | strace-4.8-11.el7.x86_64
350 | setroubleshoot-server-3.2.24-4.el7_2.x86_64
351 | libsysfs-2.1.0-16.el7.x86_64
352 | teamd-1.17-6.el7_2.x86_64
353 | iwl6050-firmware-41.28.5.1-43.el7.noarch
354 | kernel-tools-3.10.0-327.22.2.el7.x86_64
355 | man-pages-overrides-7.2.4-1.el7.x86_64
356 | libsmbclient-4.2.10-6.2.el7_2.x86_64
357 | iwl6000g2a-firmware-17.168.5.3-43.el7.noarch
358 | lvm2-2.02.130-5.el7_2.4.x86_64
359 | iwl3945-firmware-15.32.2.9-43.el7.noarch
360 | openssh-clients-6.6.1p1-25.el7_2.x86_64
361 | iwl5150-firmware-8.24.2.2-43.el7.noarch
362 | NetworkManager-glib-1.0.6-30.el7_2.x86_64
363 | words-3.0-22.el7.noarch
364 | bind-license-9.9.4-29.el7_2.3.noarch
365 | pcre-8.32-15.el7_2.1.x86_64
366 | selinux-policy-targeted-3.13.1-60.el7_2.7.noarch
367 | gmp-6.0.0-12.el7_1.x86_64
368 | cyrus-sasl-lib-2.1.26-20.el7_2.x86_64
369 | bind-libs-9.9.4-29.el7_2.3.x86_64
370 | python-pyudev-0.15-7.el7_2.1.noarch
371 | rdma-7.2_4.1_rc6-2.el7.noarch
372 | sos-3.2-35.el7.centos.3.noarch
373 | avahi-autoipd-0.6.31-15.el7_2.1.x86_64
374 | libunwind-1.1-5.el7_2.2.x86_64
375 | libgcc-4.8.5-4.el7.x86_64
376 | redhat-lsb-core-4.1-27.el7.centos.1.x86_64
377 | setools-libs-3.3.7-46.el7.x86_64
378 | dmraid-1.0.0.rc16-26.el7.x86_64
379 | libcollection-0.6.2-25.el7.x86_64
380 | zip-3.0-10.el7.x86_64
381 | telepathy-filesystem-0.0.2-6.el7.noarch
382 | keyutils-1.5.8-3.el7.x86_64
383 | check-0.9.9-5.el7.x86_64
384 | mesa-libxatracker-10.6.5-3.20150824.el7.x86_64
385 | langtable-0.0.31-3.el7.noarch
386 | gssproxy-0.4.1-7.el7.x86_64
387 | liberation-sans-fonts-1.07.2-15.el7.noarch
388 | audit-2.4.1-5.el7.x86_64
389 | basesystem-10.0-7.el7.centos.noarch
390 | iptraf-ng-1.1.4-4.el7.x86_64
391 | ncurses-5.9-13.20130511.el7.x86_64
392 | cups-pk-helper-0.2.4-5.el7.x86_64
393 | linux-firmware-20150904-43.git6ebf5d5.el7.noarch
394 | wireshark-1.10.14-7.el7.x86_64
395 | snappy-1.1.0-3.el7.x86_64
396 | trousers-0.3.13-1.el7.x86_64
397 | libwacom-data-0.12-1.el7.noarch
398 | gpg-pubkey-352c64e5-52ae6884
399 | sg3_utils-libs-1.37-5.el7.x86_64
400 | glib-networking-2.42.0-1.el7.x86_64
401 | centos-indexhtml-7-9.el7.centos.noarch
402 | atop-2.1-1.el7.x86_64
403 | rest-0.7.92-3.el7.x86_64
404 | python-libs-2.7.5-34.el7.x86_64
405 | geoclue2-2.1.10-2.el7.x86_64
406 | xz-libs-5.1.2-12alpha.el7.x86_64
407 | iptables-services-1.4.21-16.el7.x86_64
408 | cups-libs-1.6.3-22.el7.x86_64
409 | zlib-1.2.7-15.el7.x86_64
410 | gzip-1.5-8.el7.x86_64
411 | unbound-libs-1.4.20-26.el7.x86_64
412 | info-5.1-4.el7.x86_64
413 | fxload-2002_04_11-16.el7.x86_64
414 | popt-1.13-16.el7.x86_64
415 | pam-1.1.8-12.el7_1.1.x86_64
416 | libmtp-1.1.6-3.el7.x86_64
417 | expat-2.1.0-8.el7.x86_64
418 | plymouth-core-libs-0.8.9-0.24.20140113.el7.centos.x86_64
419 | cryptsetup-python-1.6.7-1.el7.x86_64
420 | libICE-1.0.9-2.el7.x86_64
421 | tzdata-2016e-1.el7.noarch
422 | colord-libs-1.2.7-2.el7.x86_64
423 | python-blivet-0.61.15.37-1.el7.noarch
424 | libSM-1.2.2-2.el7.x86_64
425 | xfsprogs-3.2.2-2.el7.x86_64
426 | pakchois-0.4-10.el7.x86_64
427 | json-c-0.11-4.el7_0.x86_64
428 | python-IPy-0.75-6.el7.noarch
429 | libasyncns-0.8-7.el7.x86_64
430 | libcap-2.22-8.el7.x86_64
431 | xdg-utils-1.1.0-0.16.20120809git.el7.noarch
432 | libtiff-4.0.3-14.el7.x86_64
433 | libffi-3.0.13-16.el7.x86_64
434 | libatasmart-0.19-6.el7.x86_64
435 | atk-2.14.0-1.el7.x86_64
436 | grubby-8.28-17.el7.x86_64
437 | libX11-common-1.6.3-2.el7.noarch
438 | gobject-introspection-1.42.0-1.el7.x86_64
439 | fros-1.0-2.el7.noarch
440 | libcap-ng-0.7.5-4.el7.x86_64
441 | python-coverage-3.6-0.5.b3.el7.x86_64
442 | elfutils-libs-0.163-3.el7.x86_64
443 | ghostscript-fonts-5.50-32.el7.noarch
444 | libxcb-1.11-4.el7.x86_64
445 | file-libs-5.11-31.el7.x86_64
446 | librados2-0.80.7-3.el7.x86_64
447 | sound-theme-freedesktop-0.8-3.el7.noarch
448 | libcroco-0.6.8-5.el7.x86_64
449 | findutils-4.5.11-5.el7.x86_64
450 | curl-7.29.0-25.el7.centos.x86_64
451 | adwaita-icon-theme-3.14.1-1.el7.noarch
452 | satyr-0.13-12.el7.x86_64
453 | orc-0.4.22-5.el7.x86_64
454 | xmlrpc-c-client-1.32.5-1905.svn2451.el7.x86_64
455 | boost-thread-1.53.0-25.el7.x86_64
456 | libreport-plugin-bugzilla-2.1.11-32.el7.centos.x86_64
457 | flac-libs-1.3.0-5.el7_1.x86_64
458 | dhcp-common-4.2.5-42.el7.centos.x86_64
459 | exempi-2.2.0-8.el7.x86_64
460 | libuser-python-0.60-7.el7_1.x86_64
461 | libraw1394-2.1.0-2.el7.x86_64
462 | python-pycurl-7.19.0-17.el7.x86_64
463 | libXdmcp-1.1.1-6.1.el7.x86_64
464 | hardlink-1.0-19.el7.x86_64
465 | libaio-0.3.109-13.el7.x86_64
466 | pygpgme-0.3-9.el7.x86_64
467 | enchant-1.6.0-8.el7.x86_64
468 | yum-3.4.3-132.el7.centos.0.1.noarch
469 | ModemManager-glib-1.1.0-8.git20130913.el7.x86_64
470 | libiptcdata-1.0.4-11.el7.x86_64
471 | usbredir-0.6-7.el7.x86_64
472 | libdv-1.0.0-17.el7.x86_64
473 | mozjs24-24.2.0-6.el7.x86_64
474 | kernel-ml-devel-4.6.3-1.el7.elrepo.x86_64
475 | fuse-libs-2.9.2-6.el7.x86_64
476 | libunistring-0.9.3-9.el7.x86_64
477 | htop-2.0.2-1.el7.x86_64
478 | yajl-2.0.4-4.el7.x86_64
479 | taglib-1.8-7.20130218git.el7.x86_64
480 | python-perf-4.8.4-1.el7.elrepo.x86_64
481 | ustr-1.0.4-16.el7.x86_64
482 | kmod-libs-20-5.el7.x86_64
483 | libutempter-1.1.6-4.el7.x86_64
484 | mesa-private-llvm-3.6.2-2.el7.x86_64
485 | usermode-1.111-5.el7.x86_64
486 | dosfstools-3.0.20-9.el7.x86_64
487 | sysvinit-tools-2.88-14.dsf.el7.x86_64
488 | sgpio-1.2.0.10-13.el7.x86_64
489 | openjpeg-libs-1.5.1-10.el7.x86_64
490 | libnetfilter_conntrack-1.0.4-2.el7.x86_64
491 | iw-3.10-6.el7.x86_64
492 | device-mapper-persistent-data-0.5.5-1.el7.x86_64
493 | libdvdnav-4.2.0-8.el7.x86_64
494 | GConf2-3.2.6-8.el7.x86_64
495 | perl-podlators-2.5.1-3.el7.noarch
496 | hwdata-0.252-8.1.el7.x86_64
497 | perl-Encode-2.51-7.el7.x86_64
498 | parted-3.1-23.el7.x86_64
499 | perl-threads-1.87-4.el7.x86_64
500 | accountsservice-0.6.35-9.el7.x86_64
501 | perl-constant-1.27-2.el7.noarch
502 | dhclient-4.2.5-42.el7.centos.x86_64
503 | perl-Time-Local-1.2300-2.el7.noarch
504 | perl-File-Path-2.09-2.el7.noarch
505 | perl-5.16.3-286.el7.x86_64
506 | screen-4.1.0-0.23.20120314git3c2946.el7_2.x86_64
507 | hunspell-en-GB-0.20121024-5.el7.noarch
508 | wpa_supplicant-2.0-17.el7_1.x86_64
509 | mc-4.8.7-8.el7.x86_64
510 | gom-0.2.1-3.el7.x86_64
511 | mdadm-3.3.2-7.el7.x86_64
512 | patch-2.7.1-8.el7.x86_64
513 | vim-minimal-7.4.160-1.el7.x86_64
514 | cryptsetup-1.6.7-1.el7.x86_64
515 | pm-utils-1.4.1-27.el7.x86_64
516 | perl-TermReadKey-2.30-20.el7.x86_64
517 | net-snmp-libs-5.7.2-24.el7_2.1.x86_64
518 | quagga-0.99.22.4-4.el7.x86_64
519 | systemd-libs-219-19.el7_2.11.x86_64
520 | krb5-libs-1.13.2-12.el7_2.x86_64
521 | pciutils-3.2.1-4.el7.x86_64
522 | libblkid-2.23.2-26.el7_2.2.x86_64
523 | systemd-219-19.el7_2.11.x86_64
524 | irqbalance-1.0.7-5.el7.x86_64
525 | device-mapper-libs-1.02.107-5.el7_2.4.x86_64
526 | initscripts-9.49.30-1.el7_2.2.x86_64
527 | crda-1.1.3_2015.04.06-2.el7.x86_64
528 | rpcbind-0.2.0-33.el7_2.1.x86_64
529 | setuptool-1.19.11-8.el7.x86_64
530 | nss-sysinit-3.21.0-9.el7_2.x86_64
531 | openssh-6.6.1p1-25.el7_2.x86_64
532 | lvm2-libs-2.02.130-5.el7_2.4.x86_64
533 | xfsdump-3.1.4-1.el7.x86_64
534 | hplip-common-3.13.7-6.el7_2.1.x86_64
535 | tcsh-6.18.01-8.el7.x86_64
536 | cronie-anacron-1.4.11-14.el7_2.1.x86_64
537 | libproxy-mozjs-0.4.11-8.el7.x86_64
538 | samba-libs-4.2.10-6.2.el7_2.x86_64
539 | mtr-0.85-7.el7.x86_64
540 | samba-client-libs-4.2.10-6.2.el7_2.x86_64
541 | ed-1.9-4.el7.x86_64
542 | traceroute-2.0.19-5.el7.x86_64
543 | setroubleshoot-plugins-3.0.59-2.el7_2.noarch
544 | rdate-1.4-25.el7.x86_64
545 | libteam-1.17-6.el7_2.x86_64
546 | iwl3160-firmware-22.0.7.0-43.el7.noarch
547 | iwl5000-firmware-8.83.5.1_1-43.el7.noarch
548 | iwl6000g2b-firmware-17.168.5.2-43.el7.noarch
549 | device-mapper-multipath-0.4.9-85.el7_2.5.x86_64
550 | iwl2000-firmware-18.168.6.1-43.el7.noarch
551 | openssh-server-6.6.1p1-25.el7_2.x86_64
552 | man-pages-3.53-5.el7.noarch
553 | iwl7260-firmware-22.0.7.0-43.el7.noarch
554 | dracut-network-033-360.el7_2.1.x86_64
555 | mariadb-libs-5.5.47-1.el7_2.x86_64
556 | kexec-tools-2.0.7-38.el7_2.1.x86_64
557 | bind-utils-9.9.4-29.el7_2.3.x86_64
558 | cyrus-sasl-plain-2.1.26-20.el7_2.x86_64
559 | bind-libs-lite-9.9.4-29.el7_2.3.x86_64
560 | libtool-ltdl-2.4.2-21.el7_2.x86_64
561 | redhat-lsb-submod-security-4.1-27.el7.centos.1.x86_64
562 | xkeyboard-config-2.14-1.el7.noarch
563 | kbd-legacy-1.15.5-11.el7.noarch
564 | jasper-libs-1.900.1-29.el7.x86_64
565 | rmt-1.5.2-13.el7.x86_64
566 | libstoragemgmt-1.2.3-4.el7.x86_64
567 | libreport-filesystem-2.1.11-32.el7.centos.x86_64
568 | abattis-cantarell-fonts-0.0.16-3.el7.noarch
569 | iotop-0.6-2.el7.noarch
570 | realmd-0.16.1-5.el7.x86_64
571 | yelp-xsl-3.14.0-1.el7.noarch
572 | webrtc-audio-processing-0.1-5.el7.x86_64
573 | upower-0.99.2-1.el7.x86_64
574 | mobile-broadband-provider-info-1.20120614-4.el7.noarch
575 | dleyna-core-0.4.0-1.el7.x86_64
576 | bash-4.2.46-19.el7.x86_64
577 | dbus-python-1.1.1-9.el7.x86_64
578 | rsync-3.0.9-17.el7.x86_64
579 | freetype-2.4.11-11.el7.x86_64
580 | cracklib-2.9.0-11.el7.x86_64
581 | git-hg-1.8.3.1-6.el7_2.1.noarch
582 | audit-libs-2.4.1-5.el7.x86_64
583 | libpwquality-1.2.3-4.el7.x86_64
584 | grep-2.20-2.el7.x86_64
585 | glibc-common-2.17-106.el7_2.6.x86_64
586 | libestr-0.1.9-2.el7.x86_64
587 | libogg-1.3.0-7.el7.x86_64
588 | sysstat-10.1.5-7.el7.x86_64
589 | langtable-python-0.0.31-3.el7.noarch
590 | libtalloc-2.1.5-1.el7_2.x86_64
591 | jbigkit-libs-2.0-11.el7.x86_64
592 | libbluray-0.2.3-5.el7.x86_64
593 | at-3.1.13-20.el7.x86_64
594 | python-pwquality-1.2.3-4.el7.x86_64
595 | libtevent-0.9.26-1.el7_2.1.x86_64
596 | libsecret-0.18.2-2.el7.x86_64
597 | microcode_ctl-2.1-12.el7.x86_64
598 | python-di-0.3-2.el7.noarch
599 | libldb-1.1.25-1.el7_2.x86_64
600 | libvorbis-1.3.3-8.el7.x86_64
601 | tcpdump-4.5.1-3.el7.x86_64
602 | python-backports-1.0-8.el7.x86_64
603 | openldap-2.4.40-9.el7_2.x86_64
604 | gawk-4.0.2-4.el7.x86_64
605 | urw-fonts-2.4-16.el7.noarch
606 | ntp-4.2.6p5-22.el7.centos.2.x86_64
607 | xmlrpc-c-1.32.5-1905.svn2451.el7.x86_64
608 | wget-1.14-10.el7_0.1.x86_64
609 | librbd1-0.80.7-3.el7.x86_64
610 | pytalloc-2.1.5-1.el7_2.x86_64
611 | nautilus-sendto-3.8.0-5.el7.x86_64
612 | libevent-2.0.21-4.el7.x86_64
613 | xz-5.1.2-12alpha.el7.x86_64
614 | scl-utils-20130529-17.el7_1.x86_64
615 | libreport-python-2.1.11-32.el7.centos.x86_64
616 | libsss_nss_idmap-1.13.0-40.el7_2.9.x86_64
617 | gdbm-1.10-8.el7.x86_64
618 | iwl2030-firmware-18.168.6.1-43.el7.noarch
619 | dhcp-libs-4.2.5-42.el7.centos.x86_64
620 | groff-base-1.22.2-8.el7.x86_64
621 | ivtv-firmware-20080701-26.el7.noarch
622 | passwd-0.79-4.el7.x86_64
623 | nfs-utils-1.3.0-0.21.el7_2.1.x86_64
624 | libical-1.0.1-1.el7.x86_64
625 | iwl135-firmware-18.168.6.1-43.el7.noarch
626 | pth-2.0.7-23.el7.x86_64
627 | atkmm-2.22.7-3.el7.x86_64
628 | graphite2-1.3.6-1.el7_2.x86_64
629 | libassuan-2.1.0-3.el7.x86_64
630 | coreutils-8.22-15.el7_2.1.x86_64
631 | libusal-1.1.11-23.el7.x86_64
632 | elrepo-release-7.0-2.el7.elrepo.noarch
633 | libcdio-0.92-1.el7.x86_64
634 | avahi-glib-0.6.31-15.el7_2.1.x86_64
635 | strongswan-5.4.0-2.el7.x86_64
636 | newt-0.52.15-4.el7.x86_64
637 | virt-what-1.13-6.el7.x86_64
638 | ethtool-3.15-2.el7.x86_64
639 | iptables-1.4.21-16.el7.x86_64
640 | harfbuzz-icu-0.9.36-1.el7.x86_64
641 | kmod-20-5.el7.x86_64
642 | libiec61883-1.2.0-10.el7.x86_64
643 | PackageKit-glib-1.0.7-5.el7.centos.x86_64
644 | perl-Text-ParseWords-3.29-4.el7.noarch
645 | pyparted-3.9-13.el7.x86_64
646 | perl-Time-HiRes-1.9725-3.el7.x86_64
647 | logrotate-3.8.6-7.el7_2.x86_64
648 | plymouth-scripts-0.8.9-0.24.20140113.el7.centos.x86_64
649 | perl-File-Temp-0.23.01-3.el7.noarch
650 | libpng-1.5.13-7.el7_2.x86_64
651 | gdisk-0.8.6-5.el7.x86_64
652 | dos2unix-6.0.3-4.el7.x86_64
653 | colord-1.2.7-2.el7.x86_64
654 | acl-2.2.51-12.el7.x86_64
655 | m4-1.4.16-10.el7.x86_64
656 | udisks2-2.1.2-6.el7.x86_64
657 | libref_array-0.1.5-25.el7.x86_64
658 | isomd5sum-1.0.10-5.el7.x86_64
659 | python-pyblock-0.53-6.el7.x86_64
660 | setup-2.8.71-6.el7.noarch
661 | libini_config-1.2.0-25.el7.x86_64
662 | libselinux-utils-2.2.2-6.el7.x86_64
663 | libosinfo-0.2.12-3.el7.x86_64
664 | mozilla-filesystem-1.9-11.el7.x86_64
665 | c-ares-1.10.0-3.el7.x86_64
666 | libmodman-2.0.1-8.el7.x86_64
667 | ibus-libs-1.5.3-13.el7.x86_64
668 | libverto-0.2.5-4.el7.x86_64
669 | totem-pl-parser-3.10.5-1.el7.x86_64
670 | gupnp-av-0.12.2-3.el7.x86_64
671 | pygobject3-base-3.14.0-3.el7.x86_64
672 | ppp-2.4.5-33.el7.x86_64
673 | perl-Data-Dumper-2.145-3.el7.x86_64
674 | binutils-2.23.52.0.1-55.el7.x86_64
675 | alsa-tools-firmware-1.0.28-2.el7.x86_64
676 | libusbx-1.0.15-4.el7.x86_64
677 | quota-nls-4.01-11.el7_2.1.noarch
678 | libwacom-0.12-1.el7.x86_64
679 | readline-6.2-9.el7.x86_64
680 | nss-util-3.21.0-2.2.el7_2.x86_64
681 | yum-metadata-parser-1.1.4-10.el7.x86_64
682 | libmusicbrainz5-5.0.1-9.el7.x86_64
683 | lcms2-2.6-2.el7.x86_64
684 | psacct-6.6.1-9.el7.x86_64
685 | libtdb-1.3.8-1.el7_2.x86_64
686 | fipscheck-lib-1.4.1-5.el7.x86_64
687 | jansson-2.4-6.el7.x86_64
688 | glib2-2.42.2-5.el7.x86_64
689 | aic94xx-firmware-30-6.el7.noarch
690 | device-mapper-event-libs-1.02.107-5.el7_2.4.x86_64
691 | python-chardet-2.2.1-1.el7_1.noarch
692 | gsettings-desktop-schemas-3.14.2-1.el7.x86_64
693 | nss-softokn-3.16.2.3-14.2.el7_2.x86_64
694 | python-iniparse-0.4-9.el7.noarch
695 | pixman-0.32.6-3.el7.x86_64
696 | pytz-2012d-5.el7.noarch
697 | libsigc++20-2.3.1-4.el7.x86_64
698 | iscsi-initiator-utils-iscsiuio-6.2.0.873-33.el7_2.1.x86_64
699 | hunspell-1.3.2-13.el7.x86_64
700 | samba-common-4.2.10-6.2.el7_2.noarch
701 | libxslt-1.1.28-5.el7.x86_64
702 | time-1.7-45.el7.x86_64
703 | libxml2-2.9.1-6.el7_2.3.x86_64
704 | rpm-4.11.3-17.el7.x86_64
705 | boost-system-1.53.0-25.el7.x86_64
706 | setserial-2.17-33.el7.x86_64
707 | liboauth-0.9.7-4.el7.x86_64
708 | libgee-0.10.1-3.el7.x86_64
709 | iwl7265-firmware-22.0.7.0-43.el7.noarch
710 | libreport-plugin-rhtsupport-2.1.11-32.el7.centos.x86_64
711 | psmisc-22.20-9.el7.x86_64
712 | iwl1000-firmware-39.31.5.1-43.el7.noarch
713 | sudo-1.8.6p7-17.el7_2.x86_64
714 | pykickstart-1.99.66.6-1.el7.noarch
715 | speex-1.2-0.19.rc1.el7.x86_64
716 | gpg-pubkey-f4a80eb5-53a7ff4b
717 | ntsysv-1.3.61-5.el7_2.1.x86_64
718 | rpm-python-4.11.3-17.el7.x86_64
719 | xcb-util-0.4.0-2.el7.x86_64
720 | gperftools-libs-2.4-7.el7.x86_64
721 | pinentry-0.8.1-14.el7.x86_64
722 | mtdev-1.1.5-5.el7.x86_64
723 | iso-codes-3.46-2.el7.noarch
724 | epel-release-7-8.noarch
725 | shadow-utils-4.1.5.1-18.el7.x86_64
726 | libedit-3.0-12.20121213cvs.el7.x86_64
727 | libsndfile-1.0.25-10.el7.x86_64
728 | libwebp-0.3.0-3.el7.x86_64
729 | libhbaapi-2.2.9-6.el7.x86_64
730 | libcdio-paranoia-10.2+0.90-11.el7.x86_64
731 | grub2-2.02-0.34.el7.centos.x86_64
732 | perl-parent-0.225-244.el7.noarch
733 | libdrm-2.4.60-3.el7.x86_64
734 | perl-macros-5.16.3-286.el7.x86_64
735 | iputils-20121221-7.el7.x86_64
736 | perl-threads-shared-1.43-6.el7.x86_64
737 | gnutls-3.3.8-14.el7_2.x86_64
738 | perl-Pod-Simple-3.28-4.el7.noarch
739 | dialog-1.2-4.20130523.el7.x86_64
740 | mesa-dri-drivers-10.6.5-3.20150824.el7.x86_64
741 | telepathy-logger-0.8.0-5.el7.x86_64
742 | libdb-utils-5.3.21-19.el7.x86_64
743 | 


--------------------------------------------------------------------------------