2 ###############################################################################
4 # IPFire.org - A linux based firewall #
5 # Copyright (C) 2017 IPFire Network Development Team #
7 # This program is free software: you can redistribute it and/or modify #
8 # it under the terms of the GNU General Public License as published by #
9 # the Free Software Foundation, either version 3 of the License, or #
10 # (at your option) any later version. #
12 # This program is distributed in the hope that it will be useful, #
13 # but WITHOUT ANY WARRANTY; without even the implied warranty of #
14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
15 # GNU General Public License for more details. #
17 # You should have received a copy of the GNU General Public License #
18 # along with this program. If not, see <http://www.gnu.org/licenses/>. #
20 ###############################################################################
22 IPSEC_CONNECTION_CONFIG_SETTINGS
="\
40 IPSEC_DEFAULT_AUTH_MODE
="PSK"
41 IPSEC_DEFAULT_DPD_ACTION
="restart"
42 IPSEC_DEFAULT_DPD_DELAY
="30"
43 IPSEC_DEFAULT_DPD_TIMEOUT
="120"
44 IPSEC_DEFAULT_ENABLED
="true"
45 IPSEC_DEFAULT_INACTIVITY_TIMEOUT
="0"
46 IPSEC_DEFAULT_MODE
="tunnel"
47 IPSEC_DEFAULT_SECURITY_POLICY
="system"
48 IPSEC_DEFAULT_START_ACTION
="on-demand"
50 IPSEC_VALID_MODES
="gre-transport tunnel vti"
51 IPSEC_VALID_AUTH_MODES
="PSK"
59 cli_ipsec_connection $@
62 error
"Unrecognized argument: ${action}"
68 cli_ipsec_connection
() {
69 if ipsec_connection_exists
${1}; then
76 authentication|down|disable|dpd|
enable|inactivity_timeout|
local|mode|peer|remote|security_policy|start_action|up
)
77 ipsec_connection_
${key} ${connection} $@
80 cli_ipsec_connection_show
"${connection}"
84 error
"Unrecognized argument: ${key}"
94 ipsec_connection_new $@
97 cli_ipsec_connection_destroy $@
100 if [ -n "${action}" ]; then
101 error
"Unrecognized argument: '${action}'"
109 cli_ipsec_connection_destroy
() {
110 local connection
="${1}"
112 if ! ipsec_connection_destroy
"${connection}"; then
116 # Inform strongswan about the changes
117 ipsec_strongswan_load
119 # Configure strongswan autostart
120 ipsec_strongswan_autostart
123 cli_ipsec_connection_show
() {
124 local connection
="${1}"
126 # Read the config settings
127 local ${IPSEC_CONNECTION_CONFIG_SETTINGS}
128 if ! ipsec_connection_read_config
"${connection}"; then
129 error
"Could not read the connection configuration"
133 cli_headline
0 "IPsec VPN Connection: ${connection}"
138 cli_print_fmt1
1 "Peer" "${PEER}"
142 cli_print_fmt1
1 "Security Policy" "${SECURITY_POLICY-${IPSEC_DEFAULT_SECURITY_POLICY}}"
145 cli_headline
2 "Authentication"
146 case "${AUTH_MODE^^}" in
148 cli_print_fmt1
2 "Mode" "Pre-Shared-Key"
151 cli_print_fmt1
2 "Pre-Shared-Key" "****"
153 cli_print_fmt1
2 "Pre-Shared-Key" "- is not set -"
163 for i
in LOCAL REMOTE
; do
166 cli_headline
2 "Local"
169 cli_headline
2 "Remote"
173 local id_var
="${i}_ID"
174 if [ -n "${!id_var}" ]; then
175 cli_print_fmt1
2 "ID" "${!id_var}"
178 local prefix_var
="${i}_PREFIX"
179 if isset
${prefix_var}; then
180 cli_headline
3 "Prefix(es)"
183 for prefix
in ${!prefix_var}; do
184 cli_print_fmt1
3 "${prefix}"
191 cli_headline
2 "Misc."
195 cli_print_fmt1
2 "Transport Mode" "GRE Transport"
198 cli_print_fmt1
2 "Transport Mode" "Tunnel"
201 cli_print_fmt1
2 "Transport Mode" "Virtual Tunnel Interface"
204 cli_print_fmt1
2 "Transport Mode" "- Unknown -"
209 if isset INACTIVITY_TIMEOUT
&& [ ${INACTIVITY_TIMEOUT} -gt 0 ]; then
210 cli_print_fmt1
2 "Inactivity Timeout" "$(format_time ${INACTIVITY_TIMEOUT})"
217 ipsec_connection_disable
() {
218 local connection
=${1}
220 if ! ipsec_connection_write_config_key
"${connection}" "ENABLED" "false"; then
221 log ERROR
"Could not write configuration settings"
225 # Configure strongswan autostart
226 ipsec_strongswan_autostart
229 ipsec_connection_enable
() {
230 local connection
=${1}
232 if ! ipsec_connection_write_config_key
"${connection}" "ENABLED" "true"; then
233 log ERROR
"Could not write configuration settings"
237 # Configure strongswan autostart
238 ipsec_strongswan_autostart
241 # This function writes all values to a via ${connection} specificated VPN IPsec configuration file
242 ipsec_connection_write_config
() {
245 local connection
="${1}"
247 if ! ipsec_connection_exists
"${connection}"; then
248 log ERROR
"No such VPN IPsec connection: ${connection}"
252 local path
="${NETWORK_IPSEC_CONNS_DIR}/${connection}/settings"
254 if ! settings_write
"${path}" ${IPSEC_CONNECTION_CONFIG_SETTINGS}; then
255 log ERROR
"Could not write configuration settings for VPN IPsec connection ${connection}"
259 ipsec_reload
${connection}
262 # This funtion writes the value for one key to a via ${connection} specificated VPN IPsec connection configuration file
263 ipsec_connection_write_config_key
() {
266 local connection
=${1}
272 if ! ipsec_connection_exists
"${connection}"; then
273 log ERROR
"No such VPN ipsec connection: ${connection}"
277 log DEBUG
"Set '${key}' to new value '${value}' in VPN ipsec connection '${connection}'"
279 local ${IPSEC_CONNECTION_CONFIG_SETTINGS}
281 # Read the config settings
282 if ! ipsec_connection_read_config
"${connection}"; then
286 # Set the key to a new value
287 assign
"${key}" "${value}"
289 if ! ipsec_connection_write_config
"${connection}"; then
296 # Reads one or more keys out of a settings file or all if no key is provided.
297 ipsec_connection_read_config
() {
300 local connection
="${1}"
303 if ! ipsec_connection_exists
"${connection}"; then
304 log ERROR
"No such VPN IPsec connection : ${connection}"
310 if [ $# -eq 0 ] && [ -n "${IPSEC_CONNECTION_CONFIG_SETTINGS}" ]; then
311 list_append args
${IPSEC_CONNECTION_CONFIG_SETTINGS}
316 local path
="${NETWORK_IPSEC_CONNS_DIR}/${connection}/settings"
318 if ! settings_read
"${path}" ${args}; then
319 log ERROR
"Could not read settings for VPN IPsec connection ${connection}"
324 # This function checks if a vpn ipsec connection exists
325 # Returns True when yes and false when not
326 ipsec_connection_exists
() {
329 local connection
=${1}
331 local path
="${NETWORK_IPSEC_CONNS_DIR}/${connection}"
333 [ -d "${path}" ] && return ${EXIT_TRUE} || return ${EXIT_FALSE}
336 # Determines if strongswan should be automatically started
337 # when the system boots up.
338 ipsec_strongswan_autostart() {
339 local autostart_needed="false
"
342 for connection in $(ipsec_list_connections); do
345 if ! ipsec_connection_read_config "${connection}" "ENABLED
"; then
346 log WARNING "Could not
read configuation
"
350 if enabled ENABLED; then
351 autostart_needed="true
"
356 # Start strongswan when we need it and when it is not yet enabled
357 if ${autostart_needed}; then
358 if ! service_is_enabled "strongswan
"; then
359 service_enable "strongswan
"
362 if ! service_is_active "strongswan
"; then
363 service_start "strongswan
"
366 # Disable strongswan when we do not need it but it is enabled
367 elif ! ${autostart_needed}; then
368 if service_is_enabled "strongswan
"; then
369 service_disable "strongswan
"
372 if service_is_active "strongswan
"; then
373 service_stop "strongswan
"
378 ipsec_strongswan_load() {
379 # Do nothing if strongswan is not running
380 if ! service_is_active "strongswan
"; then
384 if ! cmd swanctl --load-all; then
385 log ERROR "Could not reload strongswan config
"
390 # Reloads the connection after config changes
392 local connection=${1}
396 if ! ipsec_connection_read_config "${connection}" "ENABLED
"; then
397 log ERROR "Could not
read configuration
for IPsec connection
${connection}"
401 if enabled ENABLED; then
402 if ! ipsec_connection_to_strongswan ${connection}; then
403 log ERROR "Could not generate strongswan config
for ${connnection}"
407 log DEBUG "Deleting strongswan config
${NETWORK_IPSEC_SWANCTL_CONNECTIONS_DIR}/${connection}.conf
"
408 unlink "${NETWORK_IPSEC_SWANCTL_CONNECTIONS_DIR}/${connection}.conf
"
411 ipsec_strongswan_load
414 # Handle the cli after authentification
415 ipsec_connection_authentication() {
416 if [ ! $# -gt 1 ]; then
417 log ERROR "Not enough arguments
"
421 local connection=${1}
427 ipsec_connection_authentication_mode "${connection}" $@
430 ipsec_connection_authentication_psk "${connection}" $@
433 log ERROR "Unrecognized argument
: ${cmd}"
439 # Set the authentification mode
440 ipsec_connection_authentication_mode() {
441 if [ ! $# -eq 2 ]; then
442 log ERROR "Not enough arguments
"
445 local connection=${1}
448 if ! isoneof mode ${IPSEC_VALID_AUTH_MODES}; then
449 log ERROR "Auth mode
'${mode}' is invalid
"
453 if ! ipsec_connection_write_config_key "${connection}" "AUTH_MODE
" ${mode^^}; then
454 log ERROR "Could not
write configuration settings
"
460 ipsec_connection_authentication_psk() {
461 if [ ! $# -eq 2 ]; then
462 log ERROR "Not enough arguments
"
466 local connection=${1}
471 if [ ${length} -lt 4 ]; then
472 error "The PSK must be longer than four characters
"
476 if [ ${length} -gt 128 ]; then
477 error "The PSK cannot be longer than
128 characters
"
481 if ! ipsec_connection_write_config_key "${connection}" "PSK
" "${psk}"; then
482 log ERROR "Could not
write configuration settings
"
489 ipsec_connection_up() {
490 local connection="${1}"
492 if ! ipsec_connection_exists "${connection}"; then
493 error "No such VPN IPsec connection
: ${connection}"
497 cmd swanctl --initiate --child "${connection}"
500 ipsec_connection_down() {
501 local connection="${1}"
503 if ! ipsec_connection_exists "${connection}"; then
504 error "No such VPN IPsec connection
: ${connection}"
508 cmd swanctl --terminate --ike "${connection}"
511 # Handle the cli after authentification
512 ipsec_connection_dpd() {
513 if [ ! $# -gt 1 ]; then
514 log ERROR "Not enough arguments
"
518 local connection=${1}
524 ipsec_connection_dpd_action "${connection}" $@
527 ipsec_connection_dpd_delay "${connection}" $@
530 ipsec_connection_dpd_timeout "${connection}" $@
533 log ERROR "Unrecognized argument
: ${cmd}"
539 # Set the default dpd action
540 ipsec_connection_dpd_action() {
541 if [ ! $# -eq 2 ]; then
542 log ERROR "Not enough arguments
"
545 local connection=${1}
548 if ! isoneof action "restart
" "clear"; then
549 log ERROR "dpd action
'${action}' is invalid
"
553 if ! ipsec_connection_write_config_key "${connection}" "DPD_ACTION
" ${action}; then
554 log ERROR "Could not
write configuration settings
"
560 ipsec_connection_dpd_delay() {
561 if [ ! $# -ge 2 ]; then
562 log ERROR "Not enough arguments
"
566 local connection=${1}
570 if ! isinteger value; then
571 value=$(parse_time $@)
572 if [ ! $? -eq 0 ]; then
573 log ERROR "Parsing the passed
time was not sucessful please check the passed values.
"
578 if [ ${value} -lt 0 ]; then
579 log ERROR "The passed
time value must be
in the
sum greater or equal zero seconds.
"
583 if ! ipsec_connection_write_config_key "${connection}" "DPD_DELAY
" ${value}; then
584 log ERROR "Could not
write configuration settings
"
591 # Set the dpd timeout
592 ipsec_connection_dpd_timeout() {
593 if [ ! $# -ge 2 ]; then
594 log ERROR "Not enough arguments
"
598 local connection=${1}
602 if ! isinteger value; then
603 value=$(parse_time $@)
604 if [ ! $? -eq 0 ]; then
605 log ERROR "Parsing the passed
time was not sucessful please check the passed values.
"
610 if [ ${value} -le 0 ]; then
611 log ERROR "The passed
time value must be
in the
sum greater or equal zero seconds.
"
615 if ! ipsec_connection_write_config_key "${connection}" "DPD_TIMEOUT
" ${value}; then
616 log ERROR "Could not
write configuration settings
"
623 # Handle the cli after local
624 ipsec_connection_local() {
625 if [ ! $# -ge 2 ]; then
626 log ERROR "Not enough arguments
"
630 local connection=${1}
636 ipsec_connection_local_address "${connection}" $@
639 ipsec_connection_id "${connection}" "LOCAL
" $@
642 ipsec_connection_prefix "${connection}" "LOCAL
" $@
645 log ERROR "Unrecognized argument
: ${cmd}"
653 # Set the connection mode
654 ipsec_connection_mode() {
655 if [ ! $# -eq 2 ]; then
656 log ERROR "Not enough arguments
"
659 local connection=${1}
662 if ! isoneof mode ${IPSEC_VALID_MODES}; then
663 log ERROR "Mode
'${mode}' is invalid
"
667 if ! ipsec_connection_write_config_key "${connection}" "MODE
" ${mode}; then
668 log ERROR "Could not
write configuration settings
"
675 # Set the local address
676 ipsec_connection_local_address() {
677 if [ ! $# -eq 2 ]; then
678 log ERROR "Not enough arguments
"
681 local connection=${1}
682 local local_address=${2}
684 if ! ipsec_connection_check_peer ${local_address}; then
685 log ERROR "Local address
'${local_address}' is invalid
"
689 if ! ipsec_connection_write_config_key "${connection}" "LOCAL_ADDRESS
" ${local_address}; then
690 log ERROR "Could not
write configuration settings
"
697 # Set the peer to connect to
698 ipsec_connection_peer() {
699 if [ ! $# -eq 2 ]; then
700 log ERROR "Not enough arguments
"
703 local connection=${1}
706 if ! ipsec_connection_check_peer ${peer}; then
707 log ERROR "Peer
'${peer}' is invalid
"
711 if ! ipsec_connection_write_config_key "${connection}" "PEER
" ${peer}; then
712 log ERROR "Could not
write configuration settings
"
719 #Set the local or remote id
720 ipsec_connection_id() {
721 if [ ! $# -eq 3 ]; then
722 log ERROR "Not enough arguments
"
725 local connection=${1}
729 if ! ipsec_connection_check_id ${id}; then
730 log ERROR "Id
'${id}' is invalid
"
734 if ! ipsec_connection_write_config_key "${connection}" "${type}_ID" ${id}; then
735 log ERROR
"Could not write configuration settings"
742 # Set the local or remote prefix
743 ipsec_connection_prefix
() {
744 if [ ! $# -ge 3 ]; then
745 log ERROR
"Not enough arguments"
748 local connection
=${1}
752 local _prefix
="${type}_PREFIX"
754 if ! ipsec_connection_read_config
"${connection}" "${_prefix}"; then
758 # Remove duplicated entries to proceed the list safely
759 assign
"${_prefix}" "$(list_unique ${!_prefix} )"
762 local prefixes_removed
765 while [ $# -gt 0 ]; do
770 list_append prefixes_added
"${arg:1}"
773 list_append prefixes_removed
"${arg:1}"
776 list_append prefixes_set
"${arg}"
779 error
"Invalid argument: ${arg}"
786 # Check if the user is trying a mixed operation
787 if ! list_is_empty prefixes_set
&& (! list_is_empty prefixes_added ||
! list_is_empty prefixes_removed
); then
788 error
"You cannot reset the prefix list and add or remove prefixes at the same time"
792 # Set new prefix list
793 if ! list_is_empty prefixes_set
; then
794 # Check if all prefixes are valid
796 for prefix
in ${prefixes_set}; do
797 if ! ip_net_is_valid
${prefix}; then
798 error
"Unsupported prefix: ${prefix}"
803 assign
"${_prefix}" "${prefixes_set}"
805 # Perform incremental updates
809 # Perform all removals
810 for prefix
in ${prefixes_removed}; do
811 if ! list_remove
"${_prefix}" ${prefix}; then
812 warning
"${prefix} was not on the list and could not be removed"
817 for prefix
in ${prefixes_added}; do
818 if ip_net_is_valid
${prefix}; then
819 if ! list_append_unique
"${_prefix}" ${prefix}; then
820 warning
"${prefix} is already on the prefix list"
823 warning
"${prefix} is not a valid IP network and could not be added"
828 # Check if the list contain at least one valid prefix
829 if list_is_empty
${_prefix}; then
830 error
"Cannot save an empty prefix list"
835 if ! ipsec_connection_write_config_key
"${connection}" "${_prefix}" ${!_prefix}; then
836 log ERROR "Could not
write configuration settings
"
842 # Handle the cli after remote
843 ipsec_connection_remote() {
844 if [ ! $# -ge 2 ]; then
845 log ERROR "Not enough arguments
"
849 local connection=${1}
855 ipsec_connection_id "${connection}" "REMOTE
" $@
859 ipsec_connection_prefix "${connection}" "REMOTE
" $@
862 log ERROR "Unrecognized argument
: ${cmd}"
870 # Set the inactivity timeout
871 ipsec_connection_inactivity_timeout() {
872 if [ ! $# -ge 2 ]; then
873 log ERROR "Not enough arguments
"
877 local connection=${1}
881 if ! isinteger value; then
882 value=$(parse_time $@)
883 if [ ! $? -eq 0 ]; then
884 log ERROR "Parsing the passed
time was not sucessful please check the passed values.
"
889 if [ ${value} -le 0 ]; then
890 log ERROR "The passed
time value must be
in the
sum greater zero seconds.
"
894 if ! ipsec_connection_write_config_key "${connection}" "INACTIVITY_TIMEOUT
" ${value}; then
895 log ERROR "Could not
write configuration settings
"
902 # Set the default start action
903 ipsec_connection_start_action() {
904 if [ ! $# -eq 2 ]; then
905 log ERROR "Not enough arguments
"
908 local connection=${1}
911 if ! isoneof action "on-demand
" "always-on
"; then
912 log ERROR "Start action
'${action}' is invalid
"
916 if ! ipsec_connection_write_config_key "${connection}" "START_ACTION
" ${action}; then
917 log ERROR "Could not
write configuration settings
"
922 # Set the security policy to use
923 ipsec_connection_security_policy() {
924 if [ ! $# -eq 2 ]; then
925 log ERROR "Not enough arguments
"
928 local connection=${1}
929 local security_policy=${2}
931 if ! vpn_security_policy_exists ${security_policy}; then
932 log ERROR "No such vpn security policy
'${security_policy}'"
936 if ! ipsec_connection_write_config_key "${connection}" "SECURITY_POLICY
" ${security_policy}; then
937 log ERROR "Could not
write configuration settings
"
942 # Check if a id is valid
943 ipsec_connection_check_id() {
947 if [[ ${id} =~ ^@[[:alnum:]]+$ ]] || ip_is_valid ${id}; then
954 # Checks if a peer is valid
955 ipsec_connection_check_peer() {
959 # TODO Accept also FQDNs
960 if ip_is_valid ${peer}; then
967 # This function checks if a VPN IPsec connection name is valid
968 # Allowed are only A-Za-z0-9
969 ipsec_connection_check_name() {
972 local connection=${1}
974 [[ "${connection}" =~ [^[:alnum:]$] ]]
977 # Function that creates one VPN IPsec connection
978 ipsec_connection_new() {
979 if [ $# -gt 1 ]; then
980 error "Too many arguments
"
984 local connection="${1}"
985 if ! isset connection; then
986 error "Please provide a connection name
"
990 # Check for duplicates
991 if ipsec_connection_exists "${connection}"; then
992 error "The VPN IPsec connection
${connection} already exists
"
996 # Check if the name of the connection is valid
997 if ipsec_connection_check_name "${connection}"; then
998 error "'${connection}' contains illegal characters
"
1002 log DEBUG "Creating VPN IPsec connection
${connection}"
1004 if ! mkdir -p "${NETWORK_IPSEC_CONNS_DIR}/${connection}"; then
1005 log ERROR "Could not create config directory
for ${connection}"
1006 return ${EXIT_ERROR}
1009 local ${IPSEC_CONNECTION_CONFIG_SETTINGS}
1011 AUTH_MODE=${IPSEC_DEFAULT_AUTH_MODE}
1012 DPD_ACTION=${IPSEC_DEFAULT_DPD_ACTION}
1013 DPD_DELAY=${IPSEC_DEFAULT_DPD_DELAY}
1014 DPD_TIMEOUT=${IPSEC_DEFAULT_DPD_TIMEOUT}
1015 ENABLED=${IPSEC_DEFAULT_ENABLED}
1016 MODE=${IPSEC_DEFAULT_MODE}
1017 START_ACTION=${IPSEC_DEFAULT_START_ACTION}
1019 INACTIVITY_TIMEOUT=${IPSEC_DEFAULT_INACTIVITY_TIMEOUT}
1020 SECURITY_POLICY=${IPSEC_DEFAULT_SECURITY_POLICY}
1022 if ! ipsec_connection_write_config "${connection}"; then
1023 log ERROR "Could not
write new config
file"
1024 return ${EXIT_ERROR}
1027 # Configure strongswan autostart
1028 ipsec_strongswan_autostart
1031 # Function that deletes based on the passed parameters one ore more vpn security policies
1032 ipsec_connection_destroy() {
1034 for connection in $@; do
1035 if ! ipsec_connection_exists "${connection}"; then
1036 log ERROR "The VPN IPsec connection
${connection} does not exist.
"
1040 log DEBUG "Deleting VPN IPsec connection
${connection}"
1042 # Delete strongswan configuration file
1043 file_delete "${NETWORK_IPSEC_SWANCTL_CONNECTIONS_DIR}/${connection}.conf
"
1045 if ! rm -rf "${NETWORK_IPSEC_CONNS_DIR}/${connection}"; then
1046 log ERROR "Deleting the VPN IPsec connection
${connection} was not sucessful
"
1047 return ${EXIT_ERROR}
1053 # List all ipsec connections
1054 ipsec_list_connections() {
1056 for connection in ${NETWORK_IPSEC_CONNS_DIR}/*; do
1057 [ -d ${connection} ] || continue
1058 basename ${connection}
1062 ipsec_connection_to_strongswan() {
1063 local connection="${1}"
1065 # Read the config settings
1066 local ${IPSEC_CONNECTION_CONFIG_SETTINGS}
1067 if ! ipsec_connection_read_config "${connection}"; then
1068 error "Could not
read the connection
${connection}"
1069 return ${EXIT_ERROR}
1072 local path="${NETWORK_IPSEC_SWANCTL_CONNECTIONS_DIR}/${connection}.conf
"
1075 # Write the connection section
1076 _ipsec_connection_to_strongswan_connection "${connection}"
1078 # Write the secrets section
1079 _ipsec_connection_to_strongswan_secrets "${connection}"
1084 _ipsec_connection_to_strongswan_connection() {
1085 local connection="${1}"
1087 # Read the security policy
1088 local ${VPN_SECURITY_POLICIES_CONFIG_SETTINGS}
1089 if ! vpn_security_policies_read_config "${SECURITY_POLICY}"; then
1090 return ${EXIT_ERROR}
1095 if isset DPD_DELAY && isinteger DPD_DELAY && [ ${DPD_DELAY} -gt 0 ]; then
1099 # Write configuration header
1100 config_header "strongSwan configuration
for ${connection}"
1102 print_indent 0 "connections
{"
1103 print_indent 1 "${connection} {"
1106 print_indent 2 "# IKE Version"
1107 case "${KEY_EXCHANGE^^}" in
1109 print_indent
2 "version = 1"
1112 # Fall back to IKEv2 for any random values
1114 print_indent
2 "version = 2"
1119 # Always only keep one connection open at a time
1120 print_indent
2 "# Unique IDs"
1121 print_indent
2 "unique = replace"
1125 print_indent
2 "# Local Address"
1126 if isset LOCAL_ADDRESS
; then
1127 print_indent
2 "local_addrs = ${LOCAL_ADDRESS}"
1129 print_indent
2 "local_addrs = %any"
1134 print_indent
2 "# Remote Address"
1136 print_indent
2 "remote_addrs = ${PEER}"
1138 print_indent
2 "remote_addrs = %any"
1143 print_indent
2 "# IKE Proposals"
1144 print_indent
2 "proposals = $(vpn_security_policies_make_ike_proposal ${SECURITY_POLICY})"
1148 if enabled dpd
; then
1149 print_indent
2 "# Dead Peer Detection"
1150 print_indent
2 "dpd_delay = ${DPD_DELAY}"
1152 if isset DPD_TIMEOUT
; then
1153 print_indent
2 "dpd_timeout = ${DPD_TIMEOUT}"
1160 print_indent
2 "# Fragmentation"
1161 print_indent
2 "fragmentation = yes"
1165 print_indent
2 "local {"
1168 if isset LOCAL_ID
; then
1169 print_indent
3 "id = ${LOCAL_ID}"
1173 case "${AUTH_MODE}" in
1175 print_indent
3 "auth = psk"
1183 print_indent
2 "remote {"
1186 if isset REMOTE_ID
; then
1187 print_indent
3 "id = ${REMOTE_ID}"
1191 case "${AUTH_MODE}" in
1193 print_indent
3 "auth = psk"
1202 print_indent
2 "children {"
1203 print_indent
3 "${connection} {"
1205 print_indent
4 "# ESP Proposals"
1206 print_indent
4 "esp_proposals = $(vpn_security_policies_make_esp_proposal ${SECURITY_POLICY})"
1213 print_indent
4 "local_ts = dynamic[gre]"
1214 print_indent
4 "remote_ts = dynamic[gre]"
1218 if isset LOCAL_PREFIX
; then
1219 print_indent
4 "local_ts = $(list_join LOCAL_PREFIX ,)"
1221 print_indent
4 "local_ts = dynamic"
1225 if isset REMOTE_PREFIX
; then
1226 print_indent
4 "remote_ts = $(list_join REMOTE_PREFIX ,)"
1228 print_indent
4 "remote_ts = dynamic"
1237 print_indent
4 "# Netfilter Marks"
1238 print_indent
4 "mark_in = %unique"
1239 print_indent
4 "mark_out = %unique"
1244 # Dead Peer Detection
1245 if enabled dpd
; then
1246 print_indent
4 "# Dead Peer Detection"
1247 print_indent
4 "dpd_action = ${DPD_ACTION}"
1252 if isset LIFETIME
; then
1253 print_indent
4 "# Rekey Time"
1254 print_indent
4 "rekey_time = ${LIFETIME}"
1259 print_indent
4 "updown = ${NETWORK_HELPERS_DIR}/ipsec-updown"
1263 print_indent
4 "# Mode"
1266 print_indent
4 "mode = transport"
1269 print_indent
4 "mode = tunnel"
1275 print_indent
4 "# Compression"
1276 if enabled COMPRESSION
; then
1277 print_indent
4 "ipcomp = yes"
1279 print_indent
4 "ipcomp = no"
1283 # Inactivity Timeout
1284 if isset INACTIVITY_TIMEOUT
; then
1285 print_indent
4 "# Inactivity Timeout"
1286 print_indent
4 "inactivity = ${INACTIVITY_TIMEOUT}"
1291 print_indent
4 "# Start Action"
1292 case "${START_ACTION}" in
1294 print_indent
4 "start_action = trap"
1295 print_indent
4 "close_action = trap"
1298 print_indent
4 "start_action = none"
1299 print_indent
4 "close_action = none"
1302 print_indent
4 "start_action = start"
1303 print_indent
4 "close_action = start"
1317 _ipsec_connection_to_strongswan_secrets
() {
1318 local connection
="${1}"
1320 print_indent
0 "secrets {"
1322 case "${AUTH_MODE}" in
1324 print_indent
1 "ike {"
1327 print_indent
2 "secret = ${PSK}"
1330 if isset REMOTE_ID
; then
1331 print_indent
2 "id = ${REMOTE_ID}"