2 ###############################################################################
4 # IPFire.org - A linux based firewall #
5 # Copyright (C) 2017 IPFire Network Development Team #
7 # This program is free software: you can redistribute it and/or modify #
8 # it under the terms of the GNU General Public License as published by #
9 # the Free Software Foundation, either version 3 of the License, or #
10 # (at your option) any later version. #
12 # This program is distributed in the hope that it will be useful, #
13 # but WITHOUT ANY WARRANTY; without even the implied warranty of #
14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
15 # GNU General Public License for more details. #
17 # You should have received a copy of the GNU General Public License #
18 # along with this program. If not, see <http://www.gnu.org/licenses/>. #
20 ###############################################################################
22 IPSEC_CONNECTION_CONFIG_SETTINGS
="\
40 IPSEC_POOL_CONFIG_SETTINGS
="\
46 IPSEC_DEFAULT_AUTH_MODE
="PSK"
47 IPSEC_DEFAULT_DPD_ACTION
="restart"
48 IPSEC_DEFAULT_DPD_DELAY
="30"
49 IPSEC_DEFAULT_DPD_TIMEOUT
="120"
50 IPSEC_DEFAULT_ENABLED
="true"
51 IPSEC_DEFAULT_INACTIVITY_TIMEOUT
="0"
52 IPSEC_DEFAULT_MODE
="tunnel"
53 IPSEC_DEFAULT_SECURITY_POLICY
="system"
54 IPSEC_DEFAULT_START_ACTION
="on-demand"
56 IPSEC_VALID_MODES
="gre-transport tunnel vti"
57 IPSEC_VALID_AUTH_MODES
="PSK"
65 cli_ipsec_connection $@
71 error
"Unrecognized argument: ${action}"
77 cli_ipsec_connection
() {
78 if ipsec_connection_exists
${1}; then
85 authentication|down|disable|dpd|
enable|inactivity_timeout|
local|mode|peer|remote|security_policy|start_action|up
)
86 ipsec_connection_
${key} ${connection} $@
89 cli_ipsec_connection_show
"${connection}"
93 error
"Unrecognized argument: ${key}"
103 ipsec_connection_new $@
106 cli_ipsec_connection_destroy $@
109 if [ -n "${action}" ]; then
110 error
"Unrecognized argument: '${action}'"
119 if ipsec_pool_exists
${1}; then
127 ipsec_pool_
${key} ${pool} $@
130 cli_ipsec_pool_show
"${pool}"
134 error
"Unrecognized argument: ${key}"
147 ipsec_pool_destroy $@
150 if [ -n "${action}" ]; then
151 error
"Unrecognized argument: '${action}'"
159 cli_ipsec_connection_destroy
() {
160 local connection
="${1}"
162 if ! ipsec_connection_destroy
"${connection}"; then
166 # Inform strongswan about the changes
167 ipsec_strongswan_load
169 # Configure strongswan autostart
170 ipsec_strongswan_autostart
173 cli_ipsec_connection_show
() {
174 local connection
="${1}"
176 # Read the config settings
177 local ${IPSEC_CONNECTION_CONFIG_SETTINGS}
178 if ! ipsec_connection_read_config
"${connection}"; then
179 error
"Could not read the connection configuration"
183 cli_headline
0 "IPsec VPN Connection: ${connection}"
188 cli_print_fmt1
1 "Peer" "${PEER}"
192 cli_print_fmt1
1 "Security Policy" "${SECURITY_POLICY-${IPSEC_DEFAULT_SECURITY_POLICY}}"
195 cli_headline
2 "Authentication"
196 case "${AUTH_MODE^^}" in
198 cli_print_fmt1
2 "Mode" "Pre-Shared-Key"
201 cli_print_fmt1
2 "Pre-Shared-Key" "****"
203 cli_print_fmt1
2 "Pre-Shared-Key" "- is not set -"
213 for i
in LOCAL REMOTE
; do
216 cli_headline
2 "Local"
219 cli_headline
2 "Remote"
223 local id_var
="${i}_ID"
224 if [ -n "${!id_var}" ]; then
225 cli_print_fmt1
2 "ID" "${!id_var}"
228 local prefix_var
="${i}_PREFIX"
229 if isset
${prefix_var}; then
230 cli_headline
3 "Prefix(es)"
233 for prefix
in ${!prefix_var}; do
234 cli_print_fmt1
3 "${prefix}"
241 cli_headline
2 "Misc."
245 cli_print_fmt1
2 "Transport Mode" "GRE Transport"
248 cli_print_fmt1
2 "Transport Mode" "Tunnel"
251 cli_print_fmt1
2 "Transport Mode" "Virtual Tunnel Interface"
254 cli_print_fmt1
2 "Transport Mode" "- Unknown -"
259 if isset INACTIVITY_TIMEOUT
&& [ ${INACTIVITY_TIMEOUT} -gt 0 ]; then
260 cli_print_fmt1
2 "Inactivity Timeout" "$(format_time ${INACTIVITY_TIMEOUT})"
267 ipsec_connection_disable
() {
268 local connection
=${1}
270 if ! ipsec_connection_write_config_key
"${connection}" "ENABLED" "false"; then
271 log ERROR
"Could not write configuration settings"
275 # Configure strongswan autostart
276 ipsec_strongswan_autostart
279 ipsec_connection_enable
() {
280 local connection
=${1}
282 if ! ipsec_connection_write_config_key
"${connection}" "ENABLED" "true"; then
283 log ERROR
"Could not write configuration settings"
287 # Configure strongswan autostart
288 ipsec_strongswan_autostart
291 # This function writes all values to a via ${connection} specificated VPN IPsec configuration file
292 ipsec_connection_write_config
() {
295 local connection
="${1}"
297 if ! ipsec_connection_exists
"${connection}"; then
298 log ERROR
"No such VPN IPsec connection: ${connection}"
302 local path
="${NETWORK_IPSEC_CONNS_DIR}/${connection}/settings"
304 if ! settings_write
"${path}" ${IPSEC_CONNECTION_CONFIG_SETTINGS}; then
305 log ERROR
"Could not write configuration settings for VPN IPsec connection ${connection}"
309 ipsec_reload
${connection}
312 # This funtion writes the value for one key to a via ${connection} specificated VPN IPsec connection configuration file
313 ipsec_connection_write_config_key
() {
316 local connection
=${1}
322 if ! ipsec_connection_exists
"${connection}"; then
323 log ERROR
"No such VPN ipsec connection: ${connection}"
327 log DEBUG
"Set '${key}' to new value '${value}' in VPN ipsec connection '${connection}'"
329 local ${IPSEC_CONNECTION_CONFIG_SETTINGS}
331 # Read the config settings
332 if ! ipsec_connection_read_config
"${connection}"; then
336 # Set the key to a new value
337 assign
"${key}" "${value}"
339 if ! ipsec_connection_write_config
"${connection}"; then
346 # Reads one or more keys out of a settings file or all if no key is provided.
347 ipsec_connection_read_config
() {
350 local connection
="${1}"
353 if ! ipsec_connection_exists
"${connection}"; then
354 log ERROR
"No such VPN IPsec connection : ${connection}"
360 if [ $# -eq 0 ] && [ -n "${IPSEC_CONNECTION_CONFIG_SETTINGS}" ]; then
361 list_append args
${IPSEC_CONNECTION_CONFIG_SETTINGS}
366 local path
="${NETWORK_IPSEC_CONNS_DIR}/${connection}/settings"
368 if ! settings_read
"${path}" ${args}; then
369 log ERROR
"Could not read settings for VPN IPsec connection ${connection}"
374 # This function checks if a vpn ipsec connection exists
375 # Returns True when yes and false when not
376 ipsec_connection_exists
() {
379 local connection
=${1}
381 local path
="${NETWORK_IPSEC_CONNS_DIR}/${connection}"
383 [ -d "${path}" ] && return ${EXIT_TRUE} || return ${EXIT_FALSE}
386 # Determines if strongswan should be automatically started
387 # when the system boots up.
388 ipsec_strongswan_autostart() {
389 local autostart_needed="false
"
392 for connection in $(ipsec_list_connections); do
395 if ! ipsec_connection_read_config "${connection}" "ENABLED
"; then
396 log WARNING "Could not
read configuation
"
400 if enabled ENABLED; then
401 autostart_needed="true
"
406 # Start strongswan when we need it and when it is not yet enabled
407 if ${autostart_needed}; then
408 if ! service_is_enabled "strongswan
"; then
409 service_enable "strongswan
"
412 if ! service_is_active "strongswan
"; then
413 service_start "strongswan
"
416 # Disable strongswan when we do not need it but it is enabled
417 elif ! ${autostart_needed}; then
418 if service_is_enabled "strongswan
"; then
419 service_disable "strongswan
"
422 if service_is_active "strongswan
"; then
423 service_stop "strongswan
"
428 ipsec_strongswan_load() {
429 # Do nothing if strongswan is not running
430 if ! service_is_active "strongswan
"; then
434 if ! cmd swanctl --load-all; then
435 log ERROR "Could not reload strongswan config
"
440 # Reloads the connection after config changes
442 local connection=${1}
446 if ! ipsec_connection_read_config "${connection}" "ENABLED
"; then
447 log ERROR "Could not
read configuration
for IPsec connection
${connection}"
451 if enabled ENABLED; then
452 if ! ipsec_connection_to_strongswan ${connection}; then
453 log ERROR "Could not generate strongswan config
for ${connnection}"
457 log DEBUG "Deleting strongswan config
${NETWORK_IPSEC_SWANCTL_CONNECTIONS_DIR}/${connection}.conf
"
458 unlink "${NETWORK_IPSEC_SWANCTL_CONNECTIONS_DIR}/${connection}.conf
"
461 ipsec_strongswan_load
464 # Handle the cli after authentification
465 ipsec_connection_authentication() {
466 if [ ! $# -gt 1 ]; then
467 log ERROR "Not enough arguments
"
471 local connection=${1}
477 ipsec_connection_authentication_mode "${connection}" $@
480 ipsec_connection_authentication_psk "${connection}" $@
483 log ERROR "Unrecognized argument
: ${cmd}"
489 # Set the authentification mode
490 ipsec_connection_authentication_mode() {
491 if [ ! $# -eq 2 ]; then
492 log ERROR "Not enough arguments
"
495 local connection=${1}
498 if ! isoneof mode ${IPSEC_VALID_AUTH_MODES}; then
499 log ERROR "Auth mode
'${mode}' is invalid
"
503 if ! ipsec_connection_write_config_key "${connection}" "AUTH_MODE
" ${mode^^}; then
504 log ERROR "Could not
write configuration settings
"
510 ipsec_connection_authentication_psk() {
511 if [ ! $# -eq 2 ]; then
512 log ERROR "Not enough arguments
"
516 local connection=${1}
521 if [ ${length} -lt 4 ]; then
522 error "The PSK must be longer than four characters
"
526 if [ ${length} -gt 128 ]; then
527 error "The PSK cannot be longer than
128 characters
"
531 if ! ipsec_connection_write_config_key "${connection}" "PSK
" "${psk}"; then
532 log ERROR "Could not
write configuration settings
"
539 ipsec_connection_up() {
540 local connection="${1}"
542 if ! ipsec_connection_exists "${connection}"; then
543 error "No such VPN IPsec connection
: ${connection}"
547 cmd swanctl --initiate --child "${connection}"
550 ipsec_connection_down() {
551 local connection="${1}"
553 if ! ipsec_connection_exists "${connection}"; then
554 error "No such VPN IPsec connection
: ${connection}"
558 cmd swanctl --terminate --ike "${connection}"
561 # Handle the cli after authentification
562 ipsec_connection_dpd() {
563 if [ ! $# -gt 1 ]; then
564 log ERROR "Not enough arguments
"
568 local connection=${1}
574 ipsec_connection_dpd_action "${connection}" $@
577 ipsec_connection_dpd_delay "${connection}" $@
580 ipsec_connection_dpd_timeout "${connection}" $@
583 log ERROR "Unrecognized argument
: ${cmd}"
589 # Set the default dpd action
590 ipsec_connection_dpd_action() {
591 if [ ! $# -eq 2 ]; then
592 log ERROR "Not enough arguments
"
595 local connection=${1}
598 if ! isoneof action "restart
" "clear"; then
599 log ERROR "dpd action
'${action}' is invalid
"
603 if ! ipsec_connection_write_config_key "${connection}" "DPD_ACTION
" ${action}; then
604 log ERROR "Could not
write configuration settings
"
610 ipsec_connection_dpd_delay() {
611 if [ ! $# -ge 2 ]; then
612 log ERROR "Not enough arguments
"
616 local connection=${1}
620 if ! isinteger value; then
621 value=$(parse_time $@)
622 if [ ! $? -eq 0 ]; then
623 log ERROR "Parsing the passed
time was not sucessful please check the passed values.
"
628 if [ ${value} -lt 0 ]; then
629 log ERROR "The passed
time value must be
in the
sum greater or equal zero seconds.
"
633 if ! ipsec_connection_write_config_key "${connection}" "DPD_DELAY
" ${value}; then
634 log ERROR "Could not
write configuration settings
"
641 # Set the dpd timeout
642 ipsec_connection_dpd_timeout() {
643 if [ ! $# -ge 2 ]; then
644 log ERROR "Not enough arguments
"
648 local connection=${1}
652 if ! isinteger value; then
653 value=$(parse_time $@)
654 if [ ! $? -eq 0 ]; then
655 log ERROR "Parsing the passed
time was not sucessful please check the passed values.
"
660 if [ ${value} -le 0 ]; then
661 log ERROR "The passed
time value must be
in the
sum greater or equal zero seconds.
"
665 if ! ipsec_connection_write_config_key "${connection}" "DPD_TIMEOUT
" ${value}; then
666 log ERROR "Could not
write configuration settings
"
673 # Handle the cli after local
674 ipsec_connection_local() {
675 if [ ! $# -ge 2 ]; then
676 log ERROR "Not enough arguments
"
680 local connection=${1}
686 ipsec_connection_local_address "${connection}" $@
689 ipsec_connection_id "${connection}" "LOCAL
" $@
692 ipsec_connection_prefix "${connection}" "LOCAL
" $@
695 log ERROR "Unrecognized argument
: ${cmd}"
703 # Set the connection mode
704 ipsec_connection_mode() {
705 if [ ! $# -eq 2 ]; then
706 log ERROR "Not enough arguments
"
709 local connection=${1}
712 if ! isoneof mode ${IPSEC_VALID_MODES}; then
713 log ERROR "Mode
'${mode}' is invalid
"
717 if ! ipsec_connection_write_config_key "${connection}" "MODE
" ${mode}; then
718 log ERROR "Could not
write configuration settings
"
725 # Set the local address
726 ipsec_connection_local_address() {
727 if [ ! $# -eq 2 ]; then
728 log ERROR "Not enough arguments
"
731 local connection=${1}
732 local local_address=${2}
734 if ! ipsec_connection_check_peer ${local_address}; then
735 log ERROR "Local address
'${local_address}' is invalid
"
739 if ! ipsec_connection_write_config_key "${connection}" "LOCAL_ADDRESS
" ${local_address}; then
740 log ERROR "Could not
write configuration settings
"
747 # Set the peer to connect to
748 ipsec_connection_peer() {
749 if [ ! $# -eq 2 ]; then
750 log ERROR "Not enough arguments
"
753 local connection=${1}
756 if ! ipsec_connection_check_peer ${peer}; then
757 log ERROR "Peer
'${peer}' is invalid
"
761 if ! ipsec_connection_write_config_key "${connection}" "PEER
" ${peer}; then
762 log ERROR "Could not
write configuration settings
"
769 #Set the local or remote id
770 ipsec_connection_id() {
771 if [ ! $# -eq 3 ]; then
772 log ERROR "Not enough arguments
"
775 local connection=${1}
779 if ! ipsec_connection_check_id ${id}; then
780 log ERROR "Id
'${id}' is invalid
"
784 if ! ipsec_connection_write_config_key "${connection}" "${type}_ID" ${id}; then
785 log ERROR
"Could not write configuration settings"
792 # Set the local or remote prefix
793 ipsec_connection_prefix
() {
794 if [ ! $# -ge 3 ]; then
795 log ERROR
"Not enough arguments"
798 local connection
=${1}
802 local _prefix
="${type}_PREFIX"
804 if ! ipsec_connection_read_config
"${connection}" "${_prefix}"; then
808 # Remove duplicated entries to proceed the list safely
809 assign
"${_prefix}" "$(list_unique ${!_prefix} )"
812 local prefixes_removed
815 while [ $# -gt 0 ]; do
820 list_append prefixes_added
"${arg:1}"
823 list_append prefixes_removed
"${arg:1}"
826 list_append prefixes_set
"${arg}"
829 error
"Invalid argument: ${arg}"
836 # Check if the user is trying a mixed operation
837 if ! list_is_empty prefixes_set
&& (! list_is_empty prefixes_added ||
! list_is_empty prefixes_removed
); then
838 error
"You cannot reset the prefix list and add or remove prefixes at the same time"
842 # Set new prefix list
843 if ! list_is_empty prefixes_set
; then
844 # Check if all prefixes are valid
846 for prefix
in ${prefixes_set}; do
847 if ! ip_net_is_valid
${prefix}; then
848 error
"Unsupported prefix: ${prefix}"
853 assign
"${_prefix}" "${prefixes_set}"
855 # Perform incremental updates
859 # Perform all removals
860 for prefix
in ${prefixes_removed}; do
861 if ! list_remove
"${_prefix}" ${prefix}; then
862 warning
"${prefix} was not on the list and could not be removed"
867 for prefix
in ${prefixes_added}; do
868 if ip_net_is_valid
${prefix}; then
869 if ! list_append_unique
"${_prefix}" ${prefix}; then
870 warning
"${prefix} is already on the prefix list"
873 warning
"${prefix} is not a valid IP network and could not be added"
878 # Check if the list contain at least one valid prefix
879 if list_is_empty
${_prefix}; then
880 error
"Cannot save an empty prefix list"
885 if ! ipsec_connection_write_config_key
"${connection}" "${_prefix}" ${!_prefix}; then
886 log ERROR "Could not
write configuration settings
"
892 # Handle the cli after remote
893 ipsec_connection_remote() {
894 if [ ! $# -ge 2 ]; then
895 log ERROR "Not enough arguments
"
899 local connection=${1}
905 ipsec_connection_id "${connection}" "REMOTE
" $@
909 ipsec_connection_prefix "${connection}" "REMOTE
" $@
912 log ERROR "Unrecognized argument
: ${cmd}"
920 # Set the inactivity timeout
921 ipsec_connection_inactivity_timeout() {
922 if [ ! $# -ge 2 ]; then
923 log ERROR "Not enough arguments
"
927 local connection=${1}
931 if ! isinteger value; then
932 value=$(parse_time $@)
933 if [ ! $? -eq 0 ]; then
934 log ERROR "Parsing the passed
time was not sucessful please check the passed values.
"
939 if [ ${value} -le 0 ]; then
940 log ERROR "The passed
time value must be
in the
sum greater zero seconds.
"
944 if ! ipsec_connection_write_config_key "${connection}" "INACTIVITY_TIMEOUT
" ${value}; then
945 log ERROR "Could not
write configuration settings
"
952 # Set the default start action
953 ipsec_connection_start_action() {
954 if [ ! $# -eq 2 ]; then
955 log ERROR "Not enough arguments
"
958 local connection=${1}
961 if ! isoneof action "on-demand
" "always-on
"; then
962 log ERROR "Start action
'${action}' is invalid
"
966 if ! ipsec_connection_write_config_key "${connection}" "START_ACTION
" ${action}; then
967 log ERROR "Could not
write configuration settings
"
972 # Set the security policy to use
973 ipsec_connection_security_policy() {
974 if [ ! $# -eq 2 ]; then
975 log ERROR "Not enough arguments
"
978 local connection=${1}
979 local security_policy=${2}
981 if ! vpn_security_policy_exists ${security_policy}; then
982 log ERROR "No such vpn security policy
'${security_policy}'"
986 if ! ipsec_connection_write_config_key "${connection}" "SECURITY_POLICY
" ${security_policy}; then
987 log ERROR "Could not
write configuration settings
"
992 # Check if a id is valid
993 ipsec_connection_check_id() {
997 if [[ ${id} =~ ^@[[:alnum:]]+$ ]] || ip_is_valid ${id}; then
1000 return ${EXIT_FALSE}
1004 # Checks if a peer is valid
1005 ipsec_connection_check_peer() {
1009 # TODO Accept also FQDNs
1010 if ip_is_valid ${peer}; then
1013 return ${EXIT_FALSE}
1017 # This function checks if a VPN IPsec connection name is valid
1018 # Allowed are only A-Za-z0-9
1019 ipsec_connection_check_name() {
1022 local connection=${1}
1024 [[ "${connection}" =~ [^[:alnum:]$] ]]
1027 # Function that creates one VPN IPsec connection
1028 ipsec_connection_new() {
1029 if [ $# -gt 1 ]; then
1030 error "Too many arguments
"
1031 return ${EXIT_ERROR}
1034 local connection="${1}"
1035 if ! isset connection; then
1036 error "Please provide a connection name
"
1037 return ${EXIT_ERROR}
1040 # Check for duplicates
1041 if ipsec_connection_exists "${connection}"; then
1042 error "The VPN IPsec connection
${connection} already exists
"
1043 return ${EXIT_ERROR}
1046 # Check if the name of the connection is valid
1047 if ipsec_connection_check_name "${connection}"; then
1048 error "'${connection}' contains illegal characters
"
1049 return ${EXIT_ERROR}
1052 log DEBUG "Creating VPN IPsec connection
${connection}"
1054 if ! mkdir -p "${NETWORK_IPSEC_CONNS_DIR}/${connection}"; then
1055 log ERROR "Could not create config directory
for ${connection}"
1056 return ${EXIT_ERROR}
1059 local ${IPSEC_CONNECTION_CONFIG_SETTINGS}
1061 AUTH_MODE=${IPSEC_DEFAULT_AUTH_MODE}
1062 DPD_ACTION=${IPSEC_DEFAULT_DPD_ACTION}
1063 DPD_DELAY=${IPSEC_DEFAULT_DPD_DELAY}
1064 DPD_TIMEOUT=${IPSEC_DEFAULT_DPD_TIMEOUT}
1065 ENABLED=${IPSEC_DEFAULT_ENABLED}
1066 MODE=${IPSEC_DEFAULT_MODE}
1067 START_ACTION=${IPSEC_DEFAULT_START_ACTION}
1069 INACTIVITY_TIMEOUT=${IPSEC_DEFAULT_INACTIVITY_TIMEOUT}
1070 SECURITY_POLICY=${IPSEC_DEFAULT_SECURITY_POLICY}
1072 if ! ipsec_connection_write_config "${connection}"; then
1073 log ERROR "Could not
write new config
file"
1074 return ${EXIT_ERROR}
1077 # Configure strongswan autostart
1078 ipsec_strongswan_autostart
1081 # Function that deletes based on the passed parameters one ore more vpn security policies
1082 ipsec_connection_destroy() {
1084 for connection in $@; do
1085 if ! ipsec_connection_exists "${connection}"; then
1086 log ERROR "The VPN IPsec connection
${connection} does not exist.
"
1090 log DEBUG "Deleting VPN IPsec connection
${connection}"
1092 # Delete strongswan configuration file
1093 file_delete "${NETWORK_IPSEC_SWANCTL_CONNECTIONS_DIR}/${connection}.conf
"
1095 if ! rm -rf "${NETWORK_IPSEC_CONNS_DIR}/${connection}"; then
1096 log ERROR "Deleting the VPN IPsec connection
${connection} was not sucessful
"
1097 return ${EXIT_ERROR}
1103 # List all ipsec connections
1104 ipsec_list_connections() {
1106 for connection in ${NETWORK_IPSEC_CONNS_DIR}/*; do
1107 [ -d ${connection} ] || continue
1108 basename ${connection}
1112 ipsec_connection_to_strongswan() {
1113 local connection="${1}"
1115 # Read the config settings
1116 local ${IPSEC_CONNECTION_CONFIG_SETTINGS}
1117 if ! ipsec_connection_read_config "${connection}"; then
1118 error "Could not
read the connection
${connection}"
1119 return ${EXIT_ERROR}
1122 local path="${NETWORK_IPSEC_SWANCTL_CONNECTIONS_DIR}/${connection}.conf
"
1125 # Write the connection section
1126 _ipsec_connection_to_strongswan_connection "${connection}"
1128 # Write the secrets section
1129 _ipsec_connection_to_strongswan_secrets "${connection}"
1134 _ipsec_connection_to_strongswan_connection() {
1135 local connection="${1}"
1137 # Read the security policy
1138 local ${VPN_SECURITY_POLICIES_CONFIG_SETTINGS}
1139 if ! vpn_security_policies_read_config "${SECURITY_POLICY}"; then
1140 return ${EXIT_ERROR}
1145 if isset DPD_DELAY && isinteger DPD_DELAY && [ ${DPD_DELAY} -gt 0 ]; then
1149 # Write configuration header
1150 config_header "strongSwan configuration
for ${connection}"
1152 print_indent 0 "connections
{"
1153 print_indent 1 "${connection} {"
1156 print_indent 2 "# IKE Version"
1157 case "${KEY_EXCHANGE^^}" in
1159 print_indent
2 "version = 1"
1162 # Fall back to IKEv2 for any random values
1164 print_indent
2 "version = 2"
1169 # Always only keep one connection open at a time
1170 print_indent
2 "# Unique IDs"
1171 print_indent
2 "unique = replace"
1175 print_indent
2 "# Local Address"
1176 if isset LOCAL_ADDRESS
; then
1177 print_indent
2 "local_addrs = ${LOCAL_ADDRESS}"
1179 print_indent
2 "local_addrs = %any"
1184 print_indent
2 "# Remote Address"
1186 print_indent
2 "remote_addrs = ${PEER}"
1188 print_indent
2 "remote_addrs = %any"
1193 print_indent
2 "# IKE Proposals"
1194 print_indent
2 "proposals = $(vpn_security_policies_make_ike_proposal ${SECURITY_POLICY})"
1198 if enabled dpd
; then
1199 print_indent
2 "# Dead Peer Detection"
1200 print_indent
2 "dpd_delay = ${DPD_DELAY}"
1202 if isset DPD_TIMEOUT
; then
1203 print_indent
2 "dpd_timeout = ${DPD_TIMEOUT}"
1210 print_indent
2 "# Fragmentation"
1211 print_indent
2 "fragmentation = yes"
1215 print_indent
2 "local {"
1218 if isset LOCAL_ID
; then
1219 print_indent
3 "id = ${LOCAL_ID}"
1223 case "${AUTH_MODE}" in
1225 print_indent
3 "auth = psk"
1233 print_indent
2 "remote {"
1236 if isset REMOTE_ID
; then
1237 print_indent
3 "id = ${REMOTE_ID}"
1241 case "${AUTH_MODE}" in
1243 print_indent
3 "auth = psk"
1252 print_indent
2 "children {"
1253 print_indent
3 "${connection} {"
1255 print_indent
4 "# ESP Proposals"
1256 print_indent
4 "esp_proposals = $(vpn_security_policies_make_esp_proposal ${SECURITY_POLICY})"
1263 print_indent
4 "local_ts = dynamic[gre]"
1264 print_indent
4 "remote_ts = dynamic[gre]"
1268 if isset LOCAL_PREFIX
; then
1269 print_indent
4 "local_ts = $(list_join LOCAL_PREFIX ,)"
1271 print_indent
4 "local_ts = dynamic"
1275 if isset REMOTE_PREFIX
; then
1276 print_indent
4 "remote_ts = $(list_join REMOTE_PREFIX ,)"
1278 print_indent
4 "remote_ts = dynamic"
1287 print_indent
4 "# Netfilter Marks"
1288 print_indent
4 "mark_in = %unique"
1289 print_indent
4 "mark_out = %unique"
1294 # Dead Peer Detection
1295 if enabled dpd
; then
1296 print_indent
4 "# Dead Peer Detection"
1297 print_indent
4 "dpd_action = ${DPD_ACTION}"
1302 if isset LIFETIME
; then
1303 print_indent
4 "# Rekey Time"
1304 print_indent
4 "rekey_time = ${LIFETIME}"
1309 print_indent
4 "updown = ${NETWORK_HELPERS_DIR}/ipsec-updown"
1313 print_indent
4 "# Mode"
1316 print_indent
4 "mode = transport"
1319 print_indent
4 "mode = tunnel"
1325 print_indent
4 "# Compression"
1326 if enabled COMPRESSION
; then
1327 print_indent
4 "ipcomp = yes"
1329 print_indent
4 "ipcomp = no"
1333 # Inactivity Timeout
1334 if isset INACTIVITY_TIMEOUT
; then
1335 print_indent
4 "# Inactivity Timeout"
1336 print_indent
4 "inactivity = ${INACTIVITY_TIMEOUT}"
1341 print_indent
4 "# Start Action"
1342 case "${START_ACTION}" in
1344 print_indent
4 "start_action = trap"
1345 print_indent
4 "close_action = trap"
1348 print_indent
4 "start_action = none"
1349 print_indent
4 "close_action = none"
1352 print_indent
4 "start_action = start"
1353 print_indent
4 "close_action = start"
1367 _ipsec_connection_to_strongswan_secrets
() {
1368 local connection
="${1}"
1370 print_indent
0 "secrets {"
1372 case "${AUTH_MODE}" in
1374 print_indent
1 "ike {"
1377 print_indent
2 "secret = ${PSK}"
1380 if isset REMOTE_ID
; then
1381 print_indent
2 "id = ${REMOTE_ID}"
1391 # This function writes all values to a via ${pool} specificated VPN IPsec pool configuration file
1392 ipsec_pool_write_config
() {
1397 if ! ipsec_pool_exists
"${pool}"; then
1398 log ERROR
"No such VPN IPsec pool: ${pool}"
1399 return ${EXIT_ERROR}
1402 local path
="${NETWORK_IPSEC_POOLS_DIR}/${pool}/settings"
1404 if ! settings_write
"${path}" ${IPSEC_POOL_CONFIG_SETTINGS}; then
1405 log ERROR
"Could not write configuration settings for VPN IPsec pool ${pool}"
1406 return ${EXIT_ERROR}
1409 if ! ipsec_pool_reload
${pool}; then
1410 log WARNING
"Could not reload IPsec pool ${pool}"
1413 # When we get here the writing of the config file was successful
1417 # This funtion writes the value for one key to a via ${connection} specificated
1418 # VPN IPsec pool configuration file
1419 ipsec_pool_write_config_key
() {
1428 if ! ipsec_pool_exists
"${pool}"; then
1429 log ERROR
"No such VPN IPsec pool: ${pool}"
1430 return ${EXIT_ERROR}
1433 log DEBUG
"Set '${key}' to new value '${value}' in VPN IPsec pool '${pool}'"
1435 local ${IPSEC_POOL_CONFIG_SETTINGS}
1437 # Read the config settings
1438 if ! ipsec_pool_read_config
"${pool}"; then
1439 return ${EXIT_ERROR}
1442 # Set the key to a new value
1443 assign
"${key}" "${value}"
1445 if ! ipsec_pool_write_config
"${pool}"; then
1446 return ${EXIT_ERROR}
1452 # Reads one or more keys out of a settings file or all if no key is provided.
1453 ipsec_pool_read_config
() {
1459 if ! ipsec_pool_exists
"${pool}"; then
1460 log ERROR
"No such VPN IPsec pool : ${pool}"
1461 return ${EXIT_ERROR}
1465 if [ $# -eq 0 ] && [ -n "${IPSEC_POOL_CONFIG_SETTINGS}" ]; then
1466 list_append args
${IPSEC_POOL_CONFIG_SETTINGS}
1471 local path
="${NETWORK_IPSEC_POOLS_DIR}/${pool}/settings"
1473 if ! settings_read
"${path}" ${args}; then
1474 log ERROR
"Could not read settings for VPN IPsec pool ${pool}"
1475 return ${EXIT_ERROR}
1479 # This function checks if a vpn IPsec pool exists
1480 # Returns True when yes and false when not
1481 ipsec_pool_exists
() {
1486 local path
="${NETWORK_IPSEC_POOLS_DIR}/${pool}"
1488 [ -d "${path}" ] && return ${EXIT_TRUE} || return ${EXIT_FALSE}
1491 # This function checks if a VPN IPsec pool name is valid
1492 # Allowed are only A-Za-z0-9
1493 ipsec_pool_check_name() {
1498 # These are special words in strongswan
1499 if isoneof pool dhcp radius; then
1500 return ${EXIT_ERROR}
1503 [[ "${pool}" =~ [^[:alnum:]$] ]]
1507 if [ $# -gt 1 ]; then
1508 error "Too many arguments
"
1509 return ${EXIT_ERROR}
1513 if ! isset pool; then
1514 error "Please provide a pool name
"
1515 return ${EXIT_ERROR}
1518 # Check for duplicates
1519 if ipsec_pool_exists "${pool}"; then
1520 error "The VPN IPsec pool
${pool} already exists
"
1521 return ${EXIT_ERROR}
1524 # Check if the name of the connection is valid
1525 if ipsec_pool_check_name "${pool}"; then
1526 error "'${pool}' contains illegal characters
"
1527 return ${EXIT_ERROR}
1530 log DEBUG "Creating VPN IPsec pool
${pool}"
1532 if ! mkdir -p "${NETWORK_IPSEC_POOLS_DIR}/${pool}"; then
1533 log ERROR "Could not create config directory
for ${pool}"
1534 return ${EXIT_ERROR}
1537 local ${IPSEC_POOL_CONFIG_SETTINGS}
1539 if ! ipsec_pool_write_config "${pool}"; then
1540 log ERROR "Could not
write new config
file"
1541 return ${EXIT_ERROR}
1545 # Function that deletes based on the passed parameters
1546 # one ore more vpn ipsec pools
1547 ipsec_pool_destroy() {
1550 if ! ipsec_pool_exists "${pool}"; then
1551 log ERROR "The VPN IPsec pool
${pool} does not exist.
"
1555 log DEBUG "Deleting VPN IPsec pool
${pool}"
1557 if ! rm -rf "${NETWORK_IPSEC_POOLS_DIR}/${pool}"; then
1558 log ERROR "Deleting the VPN IPsec pool
${pool} was not sucessful
"
1559 return ${EXIT_ERROR}
1564 ipsec_pool_set_type() {
1570 local type=$(ip_detect_protocol ${ip})
1572 if ! isset type; then
1573 error "Cannot detect IP protocol of
${ip}"
1574 return ${EXIT_ERROR}
1576 log DEBUG "IP protocol of
${ip} is
${type}"
1577 if ! ipsec_pool_write_config_key "${pool}" "TYPE
" ${type}; then
1578 log ERROR "Could not
write configuration settings
"
1579 return ${EXIT_ERROR}
1584 ipsec_pool_network() {
1585 if [ ! $# -eq 2 ]; then
1586 log ERROR "Not enough arguments
"
1587 return ${EXIT_ERROR}
1593 if ! ipsec_pool_read_config ${pool} "TYPE
"; then
1594 error "Failed to
read configuration settings
for pool
'${pool}'"
1595 return ${EXIT_ERROR}
1598 if ! isset TYPE; then
1599 if ! ip_net_is_valid ${network}; then
1600 log ERROR "Network
'${network}' is invalid
"
1601 return ${EXIT_ERROR}
1604 if ! ipsec_pool_set_type ${pool} ${network}; then
1605 log ERROR "Could not
set type for IPsec pool
${pool}"
1606 return ${EXIT_ERROR}
1609 if ! ${TYPE}_net_is_valid ${network}; then
1610 log ERROR "Network
'${network}' is invalid
"
1611 return ${EXIT_ERROR}
1615 if ! ipsec_pool_write_config_key "${pool}" "NETWORK
" ${network}; then
1616 log ERROR "Could not
write configuration settings
"
1617 return ${EXIT_ERROR}
1621 ipsec_pool_dns_server() {
1622 if [ ! $# -eq 2 ]; then
1623 log ERROR "Not enough arguments
"
1624 return ${EXIT_ERROR}
1627 local dns_server=${2}
1630 if ! ipsec_pool_read_config ${pool} "TYPE
"; then
1631 error "Failed to
read configuration settings
for pool
'${pool}'"
1632 return ${EXIT_ERROR}
1635 if ! isset TYPE; then
1636 if ! ip_is_valid ${dns_server}; then
1637 log ERROR "DNS server
'${dns_server}' is invalid
"
1638 return ${EXIT_ERROR}
1641 if ! ipsec_pool_set_type ${pool} ${dns_server}; then
1642 log ERROR "Could not
set type for IPsec pool
${pool}"
1643 return ${EXIT_ERROR}
1646 if ! ${TYPE}_is_valid ${dns_server}; then
1647 log ERROR "DNS server
'${dns_server}' is invalid
"
1648 return ${EXIT_ERROR}
1652 if ! ipsec_pool_write_config_key "${pool}" "DNS_SERVER
" ${dns_server}; then
1653 log ERROR "Could not
write configuration settings
"
1654 return ${EXIT_ERROR}
1658 ipsec_pool_check_config() {
1662 local ${IPSEC_POOL_CONFIG_SETTINGS}
1663 if ! ipsec_pool_read_config "${pool}"; then
1664 log ERROR "Could not
read configuration settings
"
1665 return ${EXIT_ERROR}
1668 if ! isset NETWORK; then
1669 log ERROR "Network
for IPSec pool
${pool} is not
set"
1670 return ${EXIT_ERROR}
1673 if ! isset TYPE; then
1674 TYPE=$(ip_detect_protocol ${NETWORK})
1675 log DEBUG "IP protocol of
${NETWORK} is
${TYPE}"
1676 if ! isset TYPE; then
1677 error "Cannot detect IP protocol of
${NETWORK}"
1678 return ${EXIT_ERROR}
1680 if ! ipsec_pool_write_config_key "${pool}" "TYPE
" ${TYPE}; then
1681 log ERROR "Could not
write configuration settings
"
1682 return ${EXIT_ERROR}
1686 if ! ${TYPE}_net_is_valid ${NETWORK}; then
1687 log ERROR "NETWORK
'${NETWORK}' is invalid
"
1688 return ${EXIT_ERROR}
1691 if isset DNS_SERVER && ! ${TYPE}_is_valid ${DNS_SERVER}; then
1692 log ERROR "DNS server
'${DNS_SERVER}' is invalid
"
1693 return ${EXIT_ERROR}
1700 ipsec_pool_reload() {
1703 if ! ipsec_pool_to_strongswan ${pool}; then
1704 log ERROR "Could not generate strongswan config
for ${pool}"
1705 return ${EXIT_ERROR}
1708 ipsec_strongswan_load
1711 ipsec_pool_to_strongswan() {
1714 log DEBUG "Generating IPsec pool config
for ${pool}"
1716 local ${IPSEC_POOL_CONFIG_SETTINGS}
1717 if ! ipsec_pool_read_config "${pool}"; then
1718 return ${EXIT_ERROR}
1721 if isset NETWORK && ! ipsec_pool_check_config "${pool}"; then
1722 log ERROR "Configuration of
${pool} seems to be invalid
"
1723 return ${EXIT_ERROR}
1726 local path="${NETWORK_IPSEC_SWANCTL_POOLS_DIR}/${pool}.conf
"
1729 config_header "strongSwan pool configuration
"
1731 if isset NETWORK; then
1732 print_indent 0 "pools
{"
1734 print_indent 1 "${pool} {"
1735 print_indent 2 "addrs
= ${NETWORK}"
1737 if isset DNS_SERVER; then
1738 print_indent 2 "dns
= ${DNS_SERVER}"