]> git.ipfire.org Git - people/stevee/network.git/blob - src/functions/functions.ipsec
ipsec: Add commands to bring connections up and down
[people/stevee/network.git] / src / functions / functions.ipsec
1 #!/bin/bash
2 ###############################################################################
3 # #
4 # IPFire.org - A linux based firewall #
5 # Copyright (C) 2017 IPFire Network Development Team #
6 # #
7 # This program is free software: you can redistribute it and/or modify #
8 # it under the terms of the GNU General Public License as published by #
9 # the Free Software Foundation, either version 3 of the License, or #
10 # (at your option) any later version. #
11 # #
12 # This program is distributed in the hope that it will be useful, #
13 # but WITHOUT ANY WARRANTY; without even the implied warranty of #
14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
15 # GNU General Public License for more details. #
16 # #
17 # You should have received a copy of the GNU General Public License #
18 # along with this program. If not, see <http://www.gnu.org/licenses/>. #
19 # #
20 ###############################################################################
21
22 IPSEC_CONNECTION_CONFIG_SETTINGS="AUTH_MODE DPD_ACTION DPD_DELAY DPD_TIMEOUT"
23 IPSEC_CONNECTION_CONFIG_SETTINGS="INACTIVITY_TIMEOUT LOCAL_ADDRESS LOCAL_ID LOCAL_PREFIX"
24 IPSEC_CONNECTION_CONFIG_SETTINGS="${IPSEC_CONNECTION_CONFIG_SETTINGS} MODE PEER PSK"
25 IPSEC_CONNECTION_CONFIG_SETTINGS="${IPSEC_CONNECTION_CONFIG_SETTINGS} REMOTE_ID REMOTE_PREFIX"
26 IPSEC_CONNECTION_CONFIG_SETTINGS="${IPSEC_CONNECTION_CONFIG_SETTINGS} SECURITY_POLICY"
27
28 # Default values
29 IPSEC_DEFAULT_AUTH_MODE="PSK"
30 IPSEC_DEFAULT_DPD_ACTION="restart"
31 IPSEC_DEFAULT_DPD_DELAY="30"
32 IPSEC_DEFAULT_DPD_TIMEOUT="120"
33 IPSEC_DEFAULT_INACTIVITY_TIMEOUT="0"
34 IPSEC_DEFAULT_MODE="tunnel"
35 IPSEC_DEFAULT_SECURITY_POLICY="system"
36 IPSEC_DEFAULT_START_ACTION="on-demand"
37
38 IPSEC_VALID_MODES="gre-transport tunnel vti"
39 IPSEC_VALID_AUTH_MODES="PSK"
40
41 cli_ipsec() {
42 local action=${1}
43 shift 1
44
45 case "${action}" in
46 connection)
47 cli_ipsec_connection $@
48 ;;
49 *)
50 error "Unrecognized argument: ${action}"
51 exit ${EXIT_ERROR}
52 ;;
53 esac
54 }
55
56 cli_ipsec_connection() {
57 if ipsec_connection_exists ${1}; then
58 local connection=${1}
59 local key=${2}
60 key=${key//-/_}
61 shift 2
62
63 case "${key}" in
64 authentication|down|dpd|inactivity_timeout|local|mode|peer|remote|security_policy|start_action|up)
65 ipsec_connection_${key} ${connection} $@
66 ;;
67 show)
68 cli_ipsec_connection_show "${connection}"
69 exit $?
70 ;;
71 *)
72 error "Unrecognized argument: ${key}"
73 exit ${EXIT_ERROR}
74 ;;
75 esac
76 else
77 local action=${1}
78 shift
79
80 case "${action}" in
81 new)
82 ipsec_connection_new $@
83 ;;
84 destroy)
85 ipsec_connection_destroy $@
86 ;;
87 ""|*)
88 if [ -n "${action}" ]; then
89 error "Unrecognized argument: '${action}'"
90 fi
91 exit ${EXIT_ERROR}
92 ;;
93 esac
94 fi
95 }
96
97 cli_ipsec_connection_show() {
98 local connection="${1}"
99
100 # Read the config settings
101 local ${IPSEC_CONNECTION_CONFIG_SETTINGS}
102 if ! ipsec_connection_read_config "${connection}"; then
103 error "Could not read the connection configuration"
104 return ${EXIT_ERROR}
105 fi
106
107 cli_headline 0 "IPsec VPN Connection: ${connection}"
108 cli_space
109
110 # Peer
111 if isset PEER; then
112 cli_print_fmt1 1 "Peer" "${PEER}"
113 fi
114
115 # Security Policy
116 cli_print_fmt1 1 "Security Policy" "${SECURITY_POLICY-${IPSEC_DEFAULT_SECURITY_POLICY}}"
117 cli_space
118
119 cli_headline 2 "Authentication"
120 case "${AUTH_MODE^^}" in
121 PSK)
122 cli_print_fmt1 2 "Mode" "Pre-Shared-Key"
123
124 if isset PSK; then
125 cli_print_fmt1 2 "Pre-Shared-Key" "****"
126 else
127 cli_print_fmt1 2 "Pre-Shared-Key" "- is not set -"
128 fi
129 ;;
130 X509)
131 : # TODO
132 ;;
133 esac
134 cli_space
135
136 local i
137 for i in LOCAL REMOTE; do
138 case "${i}" in
139 LOCAL)
140 cli_headline 2 "Local"
141 ;;
142 REMOTE)
143 cli_headline 2 "Remote"
144 ;;
145 esac
146
147 local id_var="${i}_ID"
148 if [ -n "${!id_var}" ]; then
149 cli_print_fmt1 2 "ID" "${!id_var}"
150 fi
151
152 local prefix_var="${i}_PREFIX"
153 if isset ${prefix_var}; then
154 cli_headline 3 "Prefix(es)"
155
156 local prefix
157 for prefix in ${!prefix_var}; do
158 cli_print_fmt1 3 "${prefix}"
159 done
160 fi
161
162 cli_space
163 done
164
165 cli_headline 2 "Misc."
166
167 case "${MODE}" in
168 gre-transport)
169 cli_print_fmt1 2 "Transport Mode" "GRE Transport"
170 ;;
171 tunnel)
172 cli_print_fmt1 2 "Transport Mode" "Tunnel"
173 ;;
174 vti)
175 cli_print_fmt1 2 "Transport Mode" "Virtual Tunnel Interface"
176 ;;
177 *)
178 cli_print_fmt1 2 "Transport Mode" "- Unknown -"
179 ;;
180 esac
181
182 # Inactivity timeout
183 if isset INACTIVITY_TIMEOUT && [ ${INACTIVITY_TIMEOUT} -gt 0 ]; then
184 cli_print_fmt1 2 "Inactivity Timeout" "$(format_time ${INACTIVITY_TIMEOUT})"
185 fi
186 cli_space
187
188 return ${EXIT_OK}
189 }
190
191 # This function writes all values to a via ${connection} specificated VPN IPsec configuration file
192 ipsec_connection_write_config() {
193 assert [ $# -ge 1 ]
194
195 local connection="${1}"
196
197 if ! ipsec_connection_exists "${connection}"; then
198 log ERROR "No such VPN IPsec connection: ${connection}"
199 return ${EXIT_ERROR}
200 fi
201
202 local path="${NETWORK_IPSEC_CONNS_DIR}/${connection}/settings"
203
204 if ! settings_write "${path}" ${IPSEC_CONNECTION_CONFIG_SETTINGS}; then
205 log ERROR "Could not write configuration settings for VPN IPsec connection ${connection}"
206 return ${EXIT_ERROR}
207 fi
208
209 ipsec_reload ${connection}
210 }
211
212 # This funtion writes the value for one key to a via ${connection} specificated VPN IPsec connection configuration file
213 ipsec_connection_write_config_key() {
214 assert [ $# -ge 3 ]
215
216 local connection=${1}
217 local key=${2}
218 shift 2
219
220 local value="$@"
221
222 if ! ipsec_connection_exists "${connection}"; then
223 log ERROR "No such VPN ipsec connection: ${connection}"
224 return ${EXIT_ERROR}
225 fi
226
227 log DEBUG "Set '${key}' to new value '${value}' in VPN ipsec connection '${connection}'"
228
229 local ${IPSEC_CONNECTION_CONFIG_SETTINGS}
230
231 # Read the config settings
232 if ! ipsec_connection_read_config "${connection}"; then
233 return ${EXIT_ERROR}
234 fi
235
236 # Set the key to a new value
237 assign "${key}" "${value}"
238
239 if ! ipsec_connection_write_config "${connection}"; then
240 return ${EXIT_ERROR}
241 fi
242
243 return ${EXIT_TRUE}
244 }
245
246 # Reads one or more keys out of a settings file or all if no key is provided.
247 ipsec_connection_read_config() {
248 assert [ $# -ge 1 ]
249
250 local connection="${1}"
251 shift 1
252
253 if ! ipsec_connection_exists "${connection}"; then
254 log ERROR "No such VPN IPsec connection : ${connection}"
255 return ${EXIT_ERROR}
256 fi
257
258
259 local args
260 if [ $# -eq 0 ] && [ -n "${IPSEC_CONNECTION_CONFIG_SETTINGS}" ]; then
261 list_append args ${IPSEC_CONNECTION_CONFIG_SETTINGS}
262 else
263 list_append args $@
264 fi
265
266 local path="${NETWORK_IPSEC_CONNS_DIR}/${connection}/settings"
267
268 if ! settings_read "${path}" ${args}; then
269 log ERROR "Could not read settings for VPN IPsec connection ${connection}"
270 return ${EXIT_ERROR}
271 fi
272 }
273
274 # This function checks if a vpn ipsec connection exists
275 # Returns True when yes and false when not
276 ipsec_connection_exists() {
277 assert [ $# -eq 1 ]
278
279 local connection=${1}
280
281 local path="${NETWORK_IPSEC_CONNS_DIR}/${connection}"
282
283 [ -d "${path}" ] && return ${EXIT_TRUE} || return ${EXIT_FALSE}
284 }
285
286 # Reloads the connection after config changes
287 ipsec_reload() {
288 return ${EXIT_TRUE}
289 }
290
291 # Handle the cli after authentification
292 ipsec_connection_authentication() {
293 if [ ! $# -gt 1 ]; then
294 log ERROR "Not enough arguments"
295 return ${EXIT_ERROR}
296 fi
297
298 local connection=${1}
299 local cmd=${2}
300 shift 2
301
302 case ${cmd} in
303 mode)
304 ipsec_connection_authentication_mode "${connection}" $@
305 ;;
306 pre-shared-key)
307 ipsec_connection_authentication_psk "${connection}" $@
308 ;;
309 *)
310 log ERROR "Unrecognized argument: ${cmd}"
311 return ${EXIT_ERROR}
312 ;;
313 esac
314 }
315
316 # Set the authentification mode
317 ipsec_connection_authentication_mode() {
318 if [ ! $# -eq 2 ]; then
319 log ERROR "Not enough arguments"
320 return ${EXIT_ERROR}
321 fi
322 local connection=${1}
323 local mode=${2}
324
325 if ! isoneof mode ${IPSEC_VALID_AUTH_MODES}; then
326 log ERROR "Auth mode '${mode}' is invalid"
327 return ${EXIT_ERROR}
328 fi
329
330 if ! ipsec_connection_write_config_key "${connection}" "AUTH_MODE" ${mode^^}; then
331 log ERROR "Could not write configuration settings"
332 return ${EXIT_ERROR}
333 fi
334 }
335
336 # Set the psk
337 ipsec_connection_authentication_psk() {
338 if [ ! $# -eq 2 ]; then
339 log ERROR "Not enough arguments"
340 return ${EXIT_ERROR}
341 fi
342
343 local connection=${1}
344 local psk=${2}
345
346 local length=${#psk}
347
348 if [ ${length} -lt 4 ]; then
349 error "The PSK must be longer than four characters"
350 return ${EXIT_ERROR}
351 fi
352
353 if [ ${length} -gt 128 ]; then
354 error "The PSK cannot be longer than 128 characters"
355 return ${EXIT_ERROR}
356 fi
357
358 if ! ipsec_connection_write_config_key "${connection}" "PSK" "${psk}"; then
359 log ERROR "Could not write configuration settings"
360 return ${EXIT_ERROR}
361 fi
362
363 return ${EXIT_OK}
364 }
365
366 ipsec_connection_up() {
367 local connection="${1}"
368
369 if ! ipsec_connection_exists "${connection}"; then
370 error "No such VPN IPsec connection: ${connection}"
371 return ${EXIT_ERROR}
372 fi
373
374 cmd swanctl --initiate --child "${connection}"
375 }
376
377 ipsec_connection_down() {
378 local connection="${1}"
379
380 if ! ipsec_connection_exists "${connection}"; then
381 error "No such VPN IPsec connection: ${connection}"
382 return ${EXIT_ERROR}
383 fi
384
385 cmd swanctl --terminate --ike "${connection}"
386 }
387
388 # Handle the cli after authentification
389 ipsec_connection_dpd() {
390 if [ ! $# -gt 1 ]; then
391 log ERROR "Not enough arguments"
392 return ${EXIT_ERROR}
393 fi
394
395 local connection=${1}
396 local cmd=${2}
397 shift 2
398
399 case ${cmd} in
400 action)
401 ipsec_connection_dpd_action "${connection}" $@
402 ;;
403 delay)
404 ipsec_connection_dpd_delay "${connection}" $@
405 ;;
406 timeout)
407 ipsec_connection_dpd_timeout "${connection}" $@
408 ;;
409 *)
410 log ERROR "Unrecognized argument: ${cmd}"
411 return ${EXIT_ERROR}
412 ;;
413 esac
414 }
415
416 # Set the default dpd action
417 ipsec_connection_dpd_action() {
418 if [ ! $# -eq 2 ]; then
419 log ERROR "Not enough arguments"
420 return ${EXIT_ERROR}
421 fi
422 local connection=${1}
423 local action=${2}
424
425 if ! isoneof action "restart" "clear"; then
426 log ERROR "dpd action '${action}' is invalid"
427 return ${EXIT_ERROR}
428 fi
429
430 if ! ipsec_connection_write_config_key "${connection}" "DPD_ACTION" ${action}; then
431 log ERROR "Could not write configuration settings"
432 return ${EXIT_ERROR}
433 fi
434 }
435
436 # Set the dpd delay
437 ipsec_connection_dpd_delay() {
438 if [ ! $# -ge 2 ]; then
439 log ERROR "Not enough arguments"
440 return ${EXIT_ERROR}
441 fi
442
443 local connection=${1}
444 shift 1
445 local value=$@
446
447 if ! isinteger value; then
448 value=$(parse_time $@)
449 if [ ! $? -eq 0 ]; then
450 log ERROR "Parsing the passed time was not sucessful please check the passed values."
451 return ${EXIT_ERROR}
452 fi
453 fi
454
455 if [ ${value} -lt 0 ]; then
456 log ERROR "The passed time value must be in the sum greater or equal zero seconds."
457 return ${EXIT_ERROR}
458 fi
459
460 if ! ipsec_connection_write_config_key "${connection}" "DPD_DELAY" ${value}; then
461 log ERROR "Could not write configuration settings"
462 return ${EXIT_ERROR}
463 fi
464
465 return ${EXIT_OK}
466 }
467
468 # Set the dpd timeout
469 ipsec_connection_dpd_timeout() {
470 if [ ! $# -ge 2 ]; then
471 log ERROR "Not enough arguments"
472 return ${EXIT_ERROR}
473 fi
474
475 local connection=${1}
476 shift 1
477 local value=$@
478
479 if ! isinteger value; then
480 value=$(parse_time $@)
481 if [ ! $? -eq 0 ]; then
482 log ERROR "Parsing the passed time was not sucessful please check the passed values."
483 return ${EXIT_ERROR}
484 fi
485 fi
486
487 if [ ${value} -le 0 ]; then
488 log ERROR "The passed time value must be in the sum greater or equal zero seconds."
489 return ${EXIT_ERROR}
490 fi
491
492 if ! ipsec_connection_write_config_key "${connection}" "DPD_TIMEOUT" ${value}; then
493 log ERROR "Could not write configuration settings"
494 return ${EXIT_ERROR}
495 fi
496
497 return ${EXIT_OK}
498 }
499
500 # Handle the cli after local
501 ipsec_connection_local() {
502 if [ ! $# -ge 2 ]; then
503 log ERROR "Not enough arguments"
504 return ${EXIT_ERROR}
505 fi
506
507 local connection=${1}
508 local cmd=${2}
509 shift 2
510
511 case ${cmd} in
512 address)
513 ipsec_connection_local_address "${connection}" $@
514 ;;
515 id)
516 ipsec_connection_id "${connection}" "LOCAL" $@
517 ;;
518 prefix)
519 ipsec_connection_prefix "${connection}" "LOCAL" $@
520 ;;
521 *)
522 log ERROR "Unrecognized argument: ${cmd}"
523 return ${EXIT_ERROR}
524 ;;
525 esac
526
527 return ${EXIT_OK}
528 }
529
530 # Set the connection mode
531 ipsec_connection_mode() {
532 if [ ! $# -eq 2 ]; then
533 log ERROR "Not enough arguments"
534 return ${EXIT_ERROR}
535 fi
536 local connection=${1}
537 local mode=${2}
538
539 if ! isoneof mode ${IPSEC_VALID_MODES}; then
540 log ERROR "Mode '${mode}' is invalid"
541 return ${EXIT_ERROR}
542 fi
543
544 if ! ipsec_connection_write_config_key "${connection}" "MODE" ${mode}; then
545 log ERROR "Could not write configuration settings"
546 return ${EXIT_ERROR}
547 fi
548
549 return ${EXIT_OK}
550 }
551
552 # Set the local address
553 ipsec_connection_local_address() {
554 if [ ! $# -eq 2 ]; then
555 log ERROR "Not enough arguments"
556 return ${EXIT_ERROR}
557 fi
558 local connection=${1}
559 local local_address=${2}
560
561 if ! ipsec_connection_check_peer ${local_address}; then
562 log ERROR "Local address '${local_address}' is invalid"
563 return ${EXIT_ERROR}
564 fi
565
566 if ! ipsec_connection_write_config_key "${connection}" "LOCAL_ADDRESS" ${local_address}; then
567 log ERROR "Could not write configuration settings"
568 return ${EXIT_ERROR}
569 fi
570
571 return ${EXIT_OK}
572 }
573
574 # Set the peer to connect to
575 ipsec_connection_peer() {
576 if [ ! $# -eq 2 ]; then
577 log ERROR "Not enough arguments"
578 return ${EXIT_ERROR}
579 fi
580 local connection=${1}
581 local peer=${2}
582
583 if ! ipsec_connection_check_peer ${peer}; then
584 log ERROR "Peer '${peer}' is invalid"
585 return ${EXIT_ERROR}
586 fi
587
588 if ! ipsec_connection_write_config_key "${connection}" "PEER" ${peer}; then
589 log ERROR "Could not write configuration settings"
590 return ${EXIT_ERROR}
591 fi
592
593 return ${EXIT_OK}
594 }
595
596 #Set the local or remote id
597 ipsec_connection_id() {
598 if [ ! $# -eq 3 ]; then
599 log ERROR "Not enough arguments"
600 return ${EXIT_ERROR}
601 fi
602 local connection=${1}
603 local type=${2}
604 local id=${3}
605
606 if ! ipsec_connection_check_id ${id}; then
607 log ERROR "Id '${id}' is invalid"
608 return ${EXIT_ERROR}
609 fi
610
611 if ! ipsec_connection_write_config_key "${connection}" "${type}_ID" ${id}; then
612 log ERROR "Could not write configuration settings"
613 return ${EXIT_ERROR}
614 fi
615
616 return ${EXIT_OK}
617 }
618
619 # Set the local or remote prefix
620 ipsec_connection_prefix() {
621 if [ ! $# -ge 3 ]; then
622 log ERROR "Not enough arguments"
623 return ${EXIT_ERROR}
624 fi
625 local connection=${1}
626 local type=${2}
627 shift 2
628
629 local _prefix="${type}_PREFIX"
630 local "${_prefix}"
631 if ! ipsec_connection_read_config "${connection}" "${_prefix}"; then
632 return ${EXIT_ERROR}
633 fi
634
635 # Remove duplicated entries to proceed the list safely
636 assign "${_prefix}" "$(list_unique ${!_prefix} )"
637
638 local prefixes_added
639 local prefixes_removed
640 local prefixes_set
641
642 while [ $# -gt 0 ]; do
643 local arg="${1}"
644
645 case "${arg}" in
646 +*)
647 list_append prefixes_added "${arg:1}"
648 ;;
649 -*)
650 list_append prefixes_removed "${arg:1}"
651 ;;
652 [A-Fa-f0-9]*)
653 list_append prefixes_set "${arg}"
654 ;;
655 *)
656 error "Invalid argument: ${arg}"
657 return ${EXIT_ERROR}
658 ;;
659 esac
660 shift
661 done
662
663 # Check if the user is trying a mixed operation
664 if ! list_is_empty prefixes_set && (! list_is_empty prefixes_added || ! list_is_empty prefixes_removed); then
665 error "You cannot reset the prefix list and add or remove prefixes at the same time"
666 return ${EXIT_ERROR}
667 fi
668
669 # Set new prefix list
670 if ! list_is_empty prefixes_set; then
671 # Check if all prefixes are valid
672 local prefix
673 for prefix in ${prefixes_set}; do
674 if ! ip_net_is_valid ${prefix}; then
675 error "Unsupported prefix: ${prefix}"
676 return ${EXIT_ERROR}
677 fi
678 done
679
680 assign "${_prefix}" "${prefixes_set}"
681
682 # Perform incremental updates
683 else
684 local prefix
685
686 # Perform all removals
687 for prefix in ${prefixes_removed}; do
688 if ! list_remove "${_prefix}" ${prefix}; then
689 warning "${prefix} was not on the list and could not be removed"
690 fi
691 done
692
693
694 for prefix in ${prefixes_added}; do
695 if ip_net_is_valid ${prefix}; then
696 if ! list_append_unique "${_prefix}" ${prefix}; then
697 warning "${prefix} is already on the prefix list"
698 fi
699 else
700 warning "${prefix} is not a valid IP network and could not be added"
701 fi
702 done
703 fi
704
705 # Check if the list contain at least one valid prefix
706 if list_is_empty ${_prefix}; then
707 error "Cannot save an empty prefix list"
708 return ${EXIT_ERROR}
709 fi
710
711 # Save everything
712 if ! ipsec_connection_write_config_key "${connection}" "${_prefix}" ${!_prefix}; then
713 log ERROR "Could not write configuration settings"
714 fi
715
716 return ${EXIT_OK}
717 }
718
719 # Handle the cli after remote
720 ipsec_connection_remote() {
721 if [ ! $# -ge 2 ]; then
722 log ERROR "Not enough arguments"
723 return ${EXIT_ERROR}
724 fi
725
726 local connection=${1}
727 local cmd=${2}
728 shift 2
729
730 case ${cmd} in
731 id)
732 ipsec_connection_id "${connection}" "REMOTE" $@
733 ;;
734
735 prefix)
736 ipsec_connection_prefix "${connection}" "REMOTE" $@
737 ;;
738 *)
739 log ERROR "Unrecognized argument: ${cmd}"
740 return ${EXIT_ERROR}
741 ;;
742 esac
743
744 return ${EXIT_OK}
745 }
746
747 # Set the inactivity timeout
748 ipsec_connection_inactivity_timeout() {
749 if [ ! $# -ge 2 ]; then
750 log ERROR "Not enough arguments"
751 return ${EXIT_ERROR}
752 fi
753
754 local connection=${1}
755 shift 1
756 local value=$@
757
758 if ! isinteger value; then
759 value=$(parse_time $@)
760 if [ ! $? -eq 0 ]; then
761 log ERROR "Parsing the passed time was not sucessful please check the passed values."
762 return ${EXIT_ERROR}
763 fi
764 fi
765
766 if [ ${value} -le 0 ]; then
767 log ERROR "The passed time value must be in the sum greater zero seconds."
768 return ${EXIT_ERROR}
769 fi
770
771 if ! ipsec_connection_write_config_key "${connection}" "INACTIVITY_TIMEOUT" ${value}; then
772 log ERROR "Could not write configuration settings"
773 return ${EXIT_ERROR}
774 fi
775
776 return ${EXIT_OK}
777 }
778
779 # Set the default start action
780 ipsec_connection_start_action() {
781 if [ ! $# -eq 2 ]; then
782 log ERROR "Not enough arguments"
783 return ${EXIT_ERROR}
784 fi
785 local connection=${1}
786 local action=${2}
787
788 if ! isoneof action "on-demand" "always-on"; then
789 log ERROR "Start action '${action}' is invalid"
790 return ${EXIT_ERROR}
791 fi
792
793 if ! ipsec_connection_write_config_key "${connection}" "START_ACTION" ${action}; then
794 log ERROR "Could not write configuration settings"
795 return ${EXIT_ERROR}
796 fi
797 }
798
799 # Set the security policy to use
800 ipsec_connection_security_policy() {
801 if [ ! $# -eq 2 ]; then
802 log ERROR "Not enough arguments"
803 return ${EXIT_ERROR}
804 fi
805 local connection=${1}
806 local security_policy=${2}
807
808 if ! vpn_security_policy_exists ${security_policy}; then
809 log ERROR "No such vpn security policy '${security_policy}'"
810 return ${EXIT_ERROR}
811 fi
812
813 if ! ipsec_connection_write_config_key "${connection}" "SECURITY_POLICY" ${security_policy}; then
814 log ERROR "Could not write configuration settings"
815 return ${EXIT_ERROR}
816 fi
817 }
818
819 # Check if a id is valid
820 ipsec_connection_check_id() {
821 assert [ $# -eq 1 ]
822 local id=${1}
823
824 if [[ ${id} =~ ^@[[:alnum:]]+$ ]] || ip_is_valid ${id}; then
825 return ${EXIT_TRUE}
826 else
827 return ${EXIT_FALSE}
828 fi
829 }
830
831 # Checks if a peer is valid
832 ipsec_connection_check_peer() {
833 assert [ $# -eq 1 ]
834 local peer=${1}
835
836 # TODO Accept also FQDNs
837 if ip_is_valid ${peer}; then
838 return ${EXIT_TRUE}
839 else
840 return ${EXIT_FALSE}
841 fi
842 }
843
844 # This function checks if a VPN IPsec connection name is valid
845 # Allowed are only A-Za-z0-9
846 ipsec_connection_check_name() {
847 assert [ $# -eq 1 ]
848
849 local connection=${1}
850
851 [[ "${connection}" =~ [^[:alnum:]$] ]]
852 }
853
854 # Function that creates one VPN IPsec connection
855 ipsec_connection_new() {
856 if [ $# -gt 1 ]; then
857 error "Too many arguments"
858 return ${EXIT_ERROR}
859 fi
860
861 local connection="${1}"
862 if ! isset connection; then
863 error "Please provide a connection name"
864 return ${EXIT_ERROR}
865 fi
866
867 # Check for duplicates
868 if ipsec_connection_exists "${connection}"; then
869 error "The VPN IPsec connection ${connection} already exists"
870 return ${EXIT_ERROR}
871 fi
872
873 # Check if the name of the connection is valid
874 if ipsec_connection_check_name "${connection}"; then
875 error "'${connection}' contains illegal characters"
876 return ${EXIT_ERROR}
877 fi
878
879 log DEBUG "Creating VPN IPsec connection ${connection}"
880
881 if ! mkdir -p "${NETWORK_IPSEC_CONNS_DIR}/${connection}"; then
882 log ERROR "Could not create config directory for ${connection}"
883 return ${EXIT_ERROR}
884 fi
885
886 local ${IPSEC_CONNECTION_CONFIG_SETTINGS}
887
888 AUTH_MODE=${IPSEC_DEFAULT_AUTH_MODE}
889 DPD_ACTION=${IPSEC_DEFAULT_DPD_ACTION}
890 DPD_DELAY=${IPSEC_DEFAULT_DPD_DELAY}
891 DPD_TIMEOUT=${IPSEC_DEFAULT_DPD_TIMEOUT}
892 MODE=${IPSEC_DEFAULT_MODE}
893 START_ACTION=${IPSEC_DEFAULT_START_ACTION}
894
895 INACTIVITY_TIMEOUT=${IPSEC_DEFAULT_INACTIVITY_TIMEOUT}
896 SECURITY_POLICY=${IPSEC_DEFAULT_SECURITY_POLICY}
897
898 if ! ipsec_connection_write_config "${connection}"; then
899 log ERROR "Could not write new config file"
900 return ${EXIT_ERROR}
901 fi
902 }
903
904 # Function that deletes based on the passed parameters one ore more vpn security policies
905 ipsec_connection_destroy() {
906 local connection
907 for connection in $@; do
908 if ! ipsec_connection_exists "${connection}"; then
909 log ERROR "The VPN IPsec connection ${connection} does not exist."
910 continue
911 fi
912
913 log DEBUG "Deleting VPN IPsec connection ${connection}"
914 if ! rm -rf "${NETWORK_IPSEC_CONNS_DIR}/${connection}"; then
915 log ERROR "Deleting the VPN IPsec connection ${connection} was not sucessful"
916 return ${EXIT_ERROR}
917 fi
918 done
919 }
920
921 # List all ipsec connections
922 ipsec_list_connections() {
923 local connection
924 for connection in ${NETWORK_IPSEC_CONNS_DIR}/*; do
925 [ -d ${connection} ] || continue
926 basename ${connection}
927 done
928 }
929
930 ipsec_connection_to_strongswan() {
931 local connection="${1}"
932
933 # Read the config settings
934 local ${IPSEC_CONNECTION_CONFIG_SETTINGS}
935 if ! ipsec_connection_read_config "${connection}"; then
936 error "Could not read the connection ${connection}"
937 return ${EXIT_ERROR}
938 fi
939
940 local path="${NETWORK_IPSEC_SWANCTL_CONNECTIONS_DIR}/${connection}.conf"
941
942 (
943 # Write the connection section
944 _ipsec_connection_to_strongswan_connection "${connection}"
945
946 # Write the secrets section
947 _ipsec_connection_to_strongswan_secrets "${connection}"
948
949 ) > ${path}
950 }
951
952 _ipsec_connection_to_strongswan_connection() {
953 local connection="${1}"
954
955 # Read the security policy
956 local ${VPN_SECURITY_POLICIES_CONFIG_SETTINGS}
957 if ! vpn_security_policies_read_config "${SECURITY_POLICY}"; then
958 return ${EXIT_ERROR}
959 fi
960
961 print_indent 0 "connections {"
962 print_indent 1 "${connection} {"
963
964 # IKE Version
965 print_indent 2 "# IKE Version"
966 case "${KEY_EXCHANGE^^}" in
967 IKEV1)
968 print_indent 2 "version = 1"
969 ;;
970
971 # Fall back to IKEv2 for any random values
972 IKEV2|*)
973 print_indent 2 "version = 2"
974 ;;
975 esac
976 print # empty line
977
978 # Local Address
979 print_indent 2 "# Local Address"
980 if isset LOCAL_ADDRESS; then
981 print_indent 2 "local_addrs = ${LOCAL_ADDRESS}"
982 else
983 print_indent 2 "local_addrs = %any"
984 fi
985 print
986
987 # Remote Address
988 print_indent 2 "# Remote Address"
989 if isset PEER; then
990 print_indent 2 "remote_addrs = ${PEER}"
991 else
992 print_indent 2 "remote_addrs = %any"
993 fi
994 print
995
996 # IKE Proposals
997 print_indent 2 "# IKE Proposals"
998 print_indent 2 "proposals = $(vpn_security_policies_make_ah_proposal ${SECURITY_POLICY})"
999 print
1000
1001 # DPD Settings
1002 if isset DPD_DELAY && isinteger DPD_DELAY && [ ${DPD_DELAY} -gt 0 ]; then
1003 print_indent 2 "# Dead Peer Detection"
1004
1005 print_indent 2 "dpd_action = ${DPD_ACTION}"
1006 print_indent 2 "dpd_delay = ${DPD_DELAY}"
1007
1008 if isset DPD_TIMEOUT; then
1009 print_indent 2 "dpd_timeout = ${DPD_TIMEOUT}"
1010 fi
1011
1012 print
1013 fi
1014
1015 # Fragmentation
1016 print_indent 2 "# Fragmentation"
1017 print_indent 2 "fragmentation = yes"
1018 print
1019
1020 # Local
1021 print_indent 2 "local {"
1022
1023 # Local ID
1024 if isset LOCAL_ID; then
1025 print_indent 3 "id = ${LOCAL_ID}"
1026 fi
1027
1028 # Authentication
1029 case "${AUTH_MODE}" in
1030 PSK)
1031 print_indent 3 "auth = psk"
1032 ;;
1033 esac
1034
1035 print_indent 2 "}"
1036 print
1037
1038 # Remote
1039 print_indent 2 "remote {"
1040
1041 # Remote ID
1042 if isset REMOTE_ID; then
1043 print_indent 3 "id = ${REMOTE_ID}"
1044 fi
1045
1046 # Authentication
1047 case "${AUTH_MODE}" in
1048 PSK)
1049 print_indent 3 "auth = psk"
1050 ;;
1051 esac
1052
1053 print_indent 2 "}"
1054 print
1055
1056 # Children
1057
1058 print_indent 2 "children {"
1059 print_indent 3 "${connection} {"
1060
1061 print_indent 4 "# ESP Proposals"
1062 print_indent 4 "esp_proposals = $(vpn_security_policies_make_esp_proposal ${SECURITY_POLICY})"
1063 print
1064
1065 # Traffic Selectors
1066
1067 # Local Prefixes
1068 if isset LOCAL_PREFIX; then
1069 print_indent 4 "local_ts = $(list_join LOCAL_PREFIX ,)"
1070 else
1071 print_indent 4 "local_ts = dynamic"
1072 fi
1073
1074 # Remote Prefixes
1075 if isset REMOTE_PREFIX; then
1076 print_indent 4 "remote_ts = $(list_join REMOTE_PREFIX ,)"
1077 else
1078 print_indent 4 "remote_ts = dynamic"
1079 fi
1080 print
1081
1082 # Rekeying
1083 if isset LIFETIME; then
1084 print_indent 4 "# Rekey Time"
1085 print_indent 4 "rekey_time = ${LIFETIME}"
1086 print
1087 fi
1088
1089 # Updown Script
1090 print_indent 4 "updown = ${NETWORK_HELPERS_DIR}/ipsec-updown"
1091 print
1092
1093 # Mode
1094 print_indent 4 "# Mode"
1095 case "${MODE}" in
1096 gre-transport)
1097 print_indent 4 "mode = transport"
1098 ;;
1099 tunnel|vti|*)
1100 print_indent 4 "mode = tunnel"
1101 ;;
1102 esac
1103 print
1104
1105 # Compression
1106 print_indent 4 "# Compression"
1107 if enabled COMPRESSION; then
1108 print_indent 4 "ipcomp = yes"
1109 else
1110 print_indent 4 "ipcomp = no"
1111 fi
1112 print
1113
1114 # Inactivity Timeout
1115 if isset INACTIVITY_TIMEOUT; then
1116 print_indent 4 "# Inactivity Timeout"
1117 print_indent 4 "inactivity = ${INACTIVITY_TIMEOUT}"
1118 print
1119 fi
1120
1121 # Start Action
1122 print_indent 4 "# Start Action"
1123 case "${START_ACTION}" in
1124 on-demand)
1125 print_indent 4 "start_action = trap"
1126 print_indent 4 "close_action = trap"
1127 ;;
1128 wait)
1129 print_indent 4 "start_action = none"
1130 print_indent 4 "close_action = none"
1131 ;;
1132 always-on|*)
1133 print_indent 4 "start_action = start"
1134 print_indent 4 "close_action = start"
1135 ;;
1136 esac
1137 print
1138
1139 print_indent 3 "}"
1140 print_indent 2 "}"
1141 print
1142
1143 print_indent 1 "}"
1144 print_indent 0 "}"
1145 print
1146 }
1147
1148 _ipsec_connection_to_strongswan_secrets() {
1149 local connection="${1}"
1150
1151 print_indent 0 "secrets {"
1152
1153 case "${AUTH_MODE}" in
1154 PSK)
1155 print_indent 1 "ike {"
1156
1157 # Secret
1158 print_indent 2 "secret = ${PSK}"
1159
1160 # ID
1161 if isset REMOTE_ID; then
1162 print_indent 2 "id = ${REMOTE_ID}"
1163 fi
1164
1165 print_indent 1 "}"
1166 ;;
1167 esac
1168
1169 print_indent 0 "}"
1170 }