2 ###############################################################################
4 # IPFire.org - A linux based firewall #
5 # Copyright (C) 2017 IPFire Network Development Team #
7 # This program is free software: you can redistribute it and/or modify #
8 # it under the terms of the GNU General Public License as published by #
9 # the Free Software Foundation, either version 3 of the License, or #
10 # (at your option) any later version. #
12 # This program is distributed in the hope that it will be useful, #
13 # but WITHOUT ANY WARRANTY; without even the implied warranty of #
14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
15 # GNU General Public License for more details. #
17 # You should have received a copy of the GNU General Public License #
18 # along with this program. If not, see <http://www.gnu.org/licenses/>. #
20 ###############################################################################
22 IPSEC_CONNECTION_CONFIG_SETTINGS
="\
40 IPSEC_DEFAULT_AUTH_MODE
="PSK"
41 IPSEC_DEFAULT_DPD_ACTION
="restart"
42 IPSEC_DEFAULT_DPD_DELAY
="30"
43 IPSEC_DEFAULT_DPD_TIMEOUT
="120"
44 IPSEC_DEFAULT_ENABLED
="true"
45 IPSEC_DEFAULT_INACTIVITY_TIMEOUT
="0"
46 IPSEC_DEFAULT_MODE
="tunnel"
47 IPSEC_DEFAULT_SECURITY_POLICY
="system"
48 IPSEC_DEFAULT_START_ACTION
="on-demand"
50 IPSEC_VALID_MODES
="gre-transport tunnel vti"
51 IPSEC_VALID_AUTH_MODES
="PSK"
59 cli_ipsec_connection $@
62 error
"Unrecognized argument: ${action}"
68 cli_ipsec_connection
() {
69 if ipsec_connection_exists
${1}; then
76 authentication|down|disable|dpd|
enable|inactivity_timeout|
local|mode|peer|remote|security_policy|start_action|up
)
77 ipsec_connection_
${key} ${connection} $@
80 cli_ipsec_connection_show
"${connection}"
84 error
"Unrecognized argument: ${key}"
94 ipsec_connection_new $@
97 cli_ipsec_connection_destroy $@
100 if [ -n "${action}" ]; then
101 error
"Unrecognized argument: '${action}'"
109 cli_ipsec_connection_destroy
() {
110 local connection
="${1}"
112 if ! ipsec_connection_destroy
"${connection}"; then
116 # Inform strongswan about the changes
117 ipsec_strongswan_load
119 # Configure strongswan autostart
120 ipsec_strongswan_autostart
123 cli_ipsec_connection_show
() {
124 local connection
="${1}"
126 # Read the config settings
127 local ${IPSEC_CONNECTION_CONFIG_SETTINGS}
128 if ! ipsec_connection_read_config
"${connection}"; then
129 error
"Could not read the connection configuration"
133 cli_headline
0 "IPsec VPN Connection: ${connection}"
138 cli_print_fmt1
1 "Peer" "${PEER}"
142 cli_print_fmt1
1 "Security Policy" "${SECURITY_POLICY-${IPSEC_DEFAULT_SECURITY_POLICY}}"
145 cli_headline
2 "Authentication"
146 case "${AUTH_MODE^^}" in
148 cli_print_fmt1
2 "Mode" "Pre-Shared-Key"
151 cli_print_fmt1
2 "Pre-Shared-Key" "****"
153 cli_print_fmt1
2 "Pre-Shared-Key" "- is not set -"
163 for i
in LOCAL REMOTE
; do
166 cli_headline
2 "Local"
169 cli_headline
2 "Remote"
173 local id_var
="${i}_ID"
174 if [ -n "${!id_var}" ]; then
175 cli_print_fmt1
2 "ID" "${!id_var}"
178 local prefix_var
="${i}_PREFIX"
179 if isset
${prefix_var}; then
180 cli_headline
3 "Prefix(es)"
183 for prefix
in ${!prefix_var}; do
184 cli_print_fmt1
3 "${prefix}"
191 cli_headline
2 "Misc."
195 cli_print_fmt1
2 "Transport Mode" "GRE Transport"
198 cli_print_fmt1
2 "Transport Mode" "Tunnel"
201 cli_print_fmt1
2 "Transport Mode" "Virtual Tunnel Interface"
204 cli_print_fmt1
2 "Transport Mode" "- Unknown -"
209 if isset INACTIVITY_TIMEOUT
&& [ ${INACTIVITY_TIMEOUT} -gt 0 ]; then
210 cli_print_fmt1
2 "Inactivity Timeout" "$(format_time ${INACTIVITY_TIMEOUT})"
217 ipsec_connection_disable
() {
218 local connection
=${1}
220 if ! ipsec_connection_write_config_key
"${connection}" "ENABLED" "false"; then
221 log ERROR
"Could not write configuration settings"
225 # Configure strongswan autostart
226 ipsec_strongswan_autostart
229 ipsec_connection_enable
() {
230 local connection
=${1}
232 if ! ipsec_connection_write_config_key
"${connection}" "ENABLED" "true"; then
233 log ERROR
"Could not write configuration settings"
237 # Configure strongswan autostart
238 ipsec_strongswan_autostart
241 # This function writes all values to a via ${connection} specificated VPN IPsec configuration file
242 ipsec_connection_write_config
() {
245 local connection
="${1}"
247 if ! ipsec_connection_exists
"${connection}"; then
248 log ERROR
"No such VPN IPsec connection: ${connection}"
252 local path
="${NETWORK_IPSEC_CONNS_DIR}/${connection}/settings"
254 if ! settings_write
"${path}" ${IPSEC_CONNECTION_CONFIG_SETTINGS}; then
255 log ERROR
"Could not write configuration settings for VPN IPsec connection ${connection}"
259 ipsec_reload
${connection}
262 # This funtion writes the value for one key to a via ${connection} specificated VPN IPsec connection configuration file
263 ipsec_connection_write_config_key
() {
266 local connection
=${1}
272 if ! ipsec_connection_exists
"${connection}"; then
273 log ERROR
"No such VPN ipsec connection: ${connection}"
277 log DEBUG
"Set '${key}' to new value '${value}' in VPN ipsec connection '${connection}'"
279 local ${IPSEC_CONNECTION_CONFIG_SETTINGS}
281 # Read the config settings
282 if ! ipsec_connection_read_config
"${connection}"; then
286 # Set the key to a new value
287 assign
"${key}" "${value}"
289 if ! ipsec_connection_write_config
"${connection}"; then
296 # Reads one or more keys out of a settings file or all if no key is provided.
297 ipsec_connection_read_config
() {
300 local connection
="${1}"
303 if ! ipsec_connection_exists
"${connection}"; then
304 log ERROR
"No such VPN IPsec connection : ${connection}"
310 if [ $# -eq 0 ] && [ -n "${IPSEC_CONNECTION_CONFIG_SETTINGS}" ]; then
311 list_append args
${IPSEC_CONNECTION_CONFIG_SETTINGS}
316 local path
="${NETWORK_IPSEC_CONNS_DIR}/${connection}/settings"
318 if ! settings_read
"${path}" ${args}; then
319 log ERROR
"Could not read settings for VPN IPsec connection ${connection}"
324 # This function checks if a vpn ipsec connection exists
325 # Returns True when yes and false when not
326 ipsec_connection_exists
() {
329 local connection
=${1}
331 local path
="${NETWORK_IPSEC_CONNS_DIR}/${connection}"
333 [ -d "${path}" ] && return ${EXIT_TRUE} || return ${EXIT_FALSE}
336 # Determines if strongswan should be automatically started
337 # when the system boots up.
338 ipsec_strongswan_autostart() {
339 local autostart_needed="false
"
342 for connection in $(ipsec_list_connections); do
345 if ! ipsec_connection_read_config "${connection}" "ENABLED
"; then
346 log WARNING "Could not
read configuation
"
350 if enabled ENABLED; then
351 autostart_needed="true
"
356 # Start strongswan when we need it and when it is not yet enabled
357 if ${autostart_needed}; then
358 if ! service_is_enabled "strongswan
"; then
359 service_enable "strongswan
"
362 if ! service_is_active "strongswan
"; then
363 service_start "strongswan
"
366 # Disable strongswan when we do not need it but it is enabled
367 elif ! ${autostart_needed}; then
368 if service_is_enabled "strongswan
"; then
369 service_disable "strongswan
"
372 if service_is_active "strongswan
"; then
373 service_stop "strongswan
"
378 ipsec_strongswan_load() {
379 # Do nothing if strongswan is not running
380 if ! service_is_active "strongswan
"; then
384 if ! cmd swanctl --load-all; then
385 log ERROR "Could not reload strongswan config
"
390 # Reloads the connection after config changes
392 local connection=${1}
396 if ! ipsec_connection_read_config "${connection}" "ENABLED
"; then
397 log ERROR "Could not
read configuration
for IPsec connection
${connection}"
401 if enabled ENABLED; then
402 if ! ipsec_connection_to_strongswan ${connection}; then
403 log ERROR "Could not generate strongswan config
for ${connnection}"
407 unlink "${NETWORK_IPSEC_SWANCTL_CONNECTIONS_DIR}/${connection}.conf
"
410 ipsec_strongswan_load
413 # Handle the cli after authentification
414 ipsec_connection_authentication() {
415 if [ ! $# -gt 1 ]; then
416 log ERROR "Not enough arguments
"
420 local connection=${1}
426 ipsec_connection_authentication_mode "${connection}" $@
429 ipsec_connection_authentication_psk "${connection}" $@
432 log ERROR "Unrecognized argument
: ${cmd}"
438 # Set the authentification mode
439 ipsec_connection_authentication_mode() {
440 if [ ! $# -eq 2 ]; then
441 log ERROR "Not enough arguments
"
444 local connection=${1}
447 if ! isoneof mode ${IPSEC_VALID_AUTH_MODES}; then
448 log ERROR "Auth mode
'${mode}' is invalid
"
452 if ! ipsec_connection_write_config_key "${connection}" "AUTH_MODE
" ${mode^^}; then
453 log ERROR "Could not
write configuration settings
"
459 ipsec_connection_authentication_psk() {
460 if [ ! $# -eq 2 ]; then
461 log ERROR "Not enough arguments
"
465 local connection=${1}
470 if [ ${length} -lt 4 ]; then
471 error "The PSK must be longer than four characters
"
475 if [ ${length} -gt 128 ]; then
476 error "The PSK cannot be longer than
128 characters
"
480 if ! ipsec_connection_write_config_key "${connection}" "PSK
" "${psk}"; then
481 log ERROR "Could not
write configuration settings
"
488 ipsec_connection_up() {
489 local connection="${1}"
491 if ! ipsec_connection_exists "${connection}"; then
492 error "No such VPN IPsec connection
: ${connection}"
496 cmd swanctl --initiate --child "${connection}"
499 ipsec_connection_down() {
500 local connection="${1}"
502 if ! ipsec_connection_exists "${connection}"; then
503 error "No such VPN IPsec connection
: ${connection}"
507 cmd swanctl --terminate --ike "${connection}"
510 # Handle the cli after authentification
511 ipsec_connection_dpd() {
512 if [ ! $# -gt 1 ]; then
513 log ERROR "Not enough arguments
"
517 local connection=${1}
523 ipsec_connection_dpd_action "${connection}" $@
526 ipsec_connection_dpd_delay "${connection}" $@
529 ipsec_connection_dpd_timeout "${connection}" $@
532 log ERROR "Unrecognized argument
: ${cmd}"
538 # Set the default dpd action
539 ipsec_connection_dpd_action() {
540 if [ ! $# -eq 2 ]; then
541 log ERROR "Not enough arguments
"
544 local connection=${1}
547 if ! isoneof action "restart
" "clear"; then
548 log ERROR "dpd action
'${action}' is invalid
"
552 if ! ipsec_connection_write_config_key "${connection}" "DPD_ACTION
" ${action}; then
553 log ERROR "Could not
write configuration settings
"
559 ipsec_connection_dpd_delay() {
560 if [ ! $# -ge 2 ]; then
561 log ERROR "Not enough arguments
"
565 local connection=${1}
569 if ! isinteger value; then
570 value=$(parse_time $@)
571 if [ ! $? -eq 0 ]; then
572 log ERROR "Parsing the passed
time was not sucessful please check the passed values.
"
577 if [ ${value} -lt 0 ]; then
578 log ERROR "The passed
time value must be
in the
sum greater or equal zero seconds.
"
582 if ! ipsec_connection_write_config_key "${connection}" "DPD_DELAY
" ${value}; then
583 log ERROR "Could not
write configuration settings
"
590 # Set the dpd timeout
591 ipsec_connection_dpd_timeout() {
592 if [ ! $# -ge 2 ]; then
593 log ERROR "Not enough arguments
"
597 local connection=${1}
601 if ! isinteger value; then
602 value=$(parse_time $@)
603 if [ ! $? -eq 0 ]; then
604 log ERROR "Parsing the passed
time was not sucessful please check the passed values.
"
609 if [ ${value} -le 0 ]; then
610 log ERROR "The passed
time value must be
in the
sum greater or equal zero seconds.
"
614 if ! ipsec_connection_write_config_key "${connection}" "DPD_TIMEOUT
" ${value}; then
615 log ERROR "Could not
write configuration settings
"
622 # Handle the cli after local
623 ipsec_connection_local() {
624 if [ ! $# -ge 2 ]; then
625 log ERROR "Not enough arguments
"
629 local connection=${1}
635 ipsec_connection_local_address "${connection}" $@
638 ipsec_connection_id "${connection}" "LOCAL
" $@
641 ipsec_connection_prefix "${connection}" "LOCAL
" $@
644 log ERROR "Unrecognized argument
: ${cmd}"
652 # Set the connection mode
653 ipsec_connection_mode() {
654 if [ ! $# -eq 2 ]; then
655 log ERROR "Not enough arguments
"
658 local connection=${1}
661 if ! isoneof mode ${IPSEC_VALID_MODES}; then
662 log ERROR "Mode
'${mode}' is invalid
"
666 if ! ipsec_connection_write_config_key "${connection}" "MODE
" ${mode}; then
667 log ERROR "Could not
write configuration settings
"
674 # Set the local address
675 ipsec_connection_local_address() {
676 if [ ! $# -eq 2 ]; then
677 log ERROR "Not enough arguments
"
680 local connection=${1}
681 local local_address=${2}
683 if ! ipsec_connection_check_peer ${local_address}; then
684 log ERROR "Local address
'${local_address}' is invalid
"
688 if ! ipsec_connection_write_config_key "${connection}" "LOCAL_ADDRESS
" ${local_address}; then
689 log ERROR "Could not
write configuration settings
"
696 # Set the peer to connect to
697 ipsec_connection_peer() {
698 if [ ! $# -eq 2 ]; then
699 log ERROR "Not enough arguments
"
702 local connection=${1}
705 if ! ipsec_connection_check_peer ${peer}; then
706 log ERROR "Peer
'${peer}' is invalid
"
710 if ! ipsec_connection_write_config_key "${connection}" "PEER
" ${peer}; then
711 log ERROR "Could not
write configuration settings
"
718 #Set the local or remote id
719 ipsec_connection_id() {
720 if [ ! $# -eq 3 ]; then
721 log ERROR "Not enough arguments
"
724 local connection=${1}
728 if ! ipsec_connection_check_id ${id}; then
729 log ERROR "Id
'${id}' is invalid
"
733 if ! ipsec_connection_write_config_key "${connection}" "${type}_ID" ${id}; then
734 log ERROR
"Could not write configuration settings"
741 # Set the local or remote prefix
742 ipsec_connection_prefix
() {
743 if [ ! $# -ge 3 ]; then
744 log ERROR
"Not enough arguments"
747 local connection
=${1}
751 local _prefix
="${type}_PREFIX"
753 if ! ipsec_connection_read_config
"${connection}" "${_prefix}"; then
757 # Remove duplicated entries to proceed the list safely
758 assign
"${_prefix}" "$(list_unique ${!_prefix} )"
761 local prefixes_removed
764 while [ $# -gt 0 ]; do
769 list_append prefixes_added
"${arg:1}"
772 list_append prefixes_removed
"${arg:1}"
775 list_append prefixes_set
"${arg}"
778 error
"Invalid argument: ${arg}"
785 # Check if the user is trying a mixed operation
786 if ! list_is_empty prefixes_set
&& (! list_is_empty prefixes_added ||
! list_is_empty prefixes_removed
); then
787 error
"You cannot reset the prefix list and add or remove prefixes at the same time"
791 # Set new prefix list
792 if ! list_is_empty prefixes_set
; then
793 # Check if all prefixes are valid
795 for prefix
in ${prefixes_set}; do
796 if ! ip_net_is_valid
${prefix}; then
797 error
"Unsupported prefix: ${prefix}"
802 assign
"${_prefix}" "${prefixes_set}"
804 # Perform incremental updates
808 # Perform all removals
809 for prefix
in ${prefixes_removed}; do
810 if ! list_remove
"${_prefix}" ${prefix}; then
811 warning
"${prefix} was not on the list and could not be removed"
816 for prefix
in ${prefixes_added}; do
817 if ip_net_is_valid
${prefix}; then
818 if ! list_append_unique
"${_prefix}" ${prefix}; then
819 warning
"${prefix} is already on the prefix list"
822 warning
"${prefix} is not a valid IP network and could not be added"
827 # Check if the list contain at least one valid prefix
828 if list_is_empty
${_prefix}; then
829 error
"Cannot save an empty prefix list"
834 if ! ipsec_connection_write_config_key
"${connection}" "${_prefix}" ${!_prefix}; then
835 log ERROR "Could not
write configuration settings
"
841 # Handle the cli after remote
842 ipsec_connection_remote() {
843 if [ ! $# -ge 2 ]; then
844 log ERROR "Not enough arguments
"
848 local connection=${1}
854 ipsec_connection_id "${connection}" "REMOTE
" $@
858 ipsec_connection_prefix "${connection}" "REMOTE
" $@
861 log ERROR "Unrecognized argument
: ${cmd}"
869 # Set the inactivity timeout
870 ipsec_connection_inactivity_timeout() {
871 if [ ! $# -ge 2 ]; then
872 log ERROR "Not enough arguments
"
876 local connection=${1}
880 if ! isinteger value; then
881 value=$(parse_time $@)
882 if [ ! $? -eq 0 ]; then
883 log ERROR "Parsing the passed
time was not sucessful please check the passed values.
"
888 if [ ${value} -le 0 ]; then
889 log ERROR "The passed
time value must be
in the
sum greater zero seconds.
"
893 if ! ipsec_connection_write_config_key "${connection}" "INACTIVITY_TIMEOUT
" ${value}; then
894 log ERROR "Could not
write configuration settings
"
901 # Set the default start action
902 ipsec_connection_start_action() {
903 if [ ! $# -eq 2 ]; then
904 log ERROR "Not enough arguments
"
907 local connection=${1}
910 if ! isoneof action "on-demand
" "always-on
"; then
911 log ERROR "Start action
'${action}' is invalid
"
915 if ! ipsec_connection_write_config_key "${connection}" "START_ACTION
" ${action}; then
916 log ERROR "Could not
write configuration settings
"
921 # Set the security policy to use
922 ipsec_connection_security_policy() {
923 if [ ! $# -eq 2 ]; then
924 log ERROR "Not enough arguments
"
927 local connection=${1}
928 local security_policy=${2}
930 if ! vpn_security_policy_exists ${security_policy}; then
931 log ERROR "No such vpn security policy
'${security_policy}'"
935 if ! ipsec_connection_write_config_key "${connection}" "SECURITY_POLICY
" ${security_policy}; then
936 log ERROR "Could not
write configuration settings
"
941 # Check if a id is valid
942 ipsec_connection_check_id() {
946 if [[ ${id} =~ ^@[[:alnum:]]+$ ]] || ip_is_valid ${id}; then
953 # Checks if a peer is valid
954 ipsec_connection_check_peer() {
958 # TODO Accept also FQDNs
959 if ip_is_valid ${peer}; then
966 # This function checks if a VPN IPsec connection name is valid
967 # Allowed are only A-Za-z0-9
968 ipsec_connection_check_name() {
971 local connection=${1}
973 [[ "${connection}" =~ [^[:alnum:]$] ]]
976 # Function that creates one VPN IPsec connection
977 ipsec_connection_new() {
978 if [ $# -gt 1 ]; then
979 error "Too many arguments
"
983 local connection="${1}"
984 if ! isset connection; then
985 error "Please provide a connection name
"
989 # Check for duplicates
990 if ipsec_connection_exists "${connection}"; then
991 error "The VPN IPsec connection
${connection} already exists
"
995 # Check if the name of the connection is valid
996 if ipsec_connection_check_name "${connection}"; then
997 error "'${connection}' contains illegal characters
"
1001 log DEBUG "Creating VPN IPsec connection
${connection}"
1003 if ! mkdir -p "${NETWORK_IPSEC_CONNS_DIR}/${connection}"; then
1004 log ERROR "Could not create config directory
for ${connection}"
1005 return ${EXIT_ERROR}
1008 local ${IPSEC_CONNECTION_CONFIG_SETTINGS}
1010 AUTH_MODE=${IPSEC_DEFAULT_AUTH_MODE}
1011 DPD_ACTION=${IPSEC_DEFAULT_DPD_ACTION}
1012 DPD_DELAY=${IPSEC_DEFAULT_DPD_DELAY}
1013 DPD_TIMEOUT=${IPSEC_DEFAULT_DPD_TIMEOUT}
1014 ENABLED=${IPSEC_DEFAULT_ENABLED}
1015 MODE=${IPSEC_DEFAULT_MODE}
1016 START_ACTION=${IPSEC_DEFAULT_START_ACTION}
1018 INACTIVITY_TIMEOUT=${IPSEC_DEFAULT_INACTIVITY_TIMEOUT}
1019 SECURITY_POLICY=${IPSEC_DEFAULT_SECURITY_POLICY}
1021 if ! ipsec_connection_write_config "${connection}"; then
1022 log ERROR "Could not
write new config
file"
1023 return ${EXIT_ERROR}
1026 # Configure strongswan autostart
1027 ipsec_strongswan_autostart
1030 # Function that deletes based on the passed parameters one ore more vpn security policies
1031 ipsec_connection_destroy() {
1033 for connection in $@; do
1034 if ! ipsec_connection_exists "${connection}"; then
1035 log ERROR "The VPN IPsec connection
${connection} does not exist.
"
1039 log DEBUG "Deleting VPN IPsec connection
${connection}"
1041 # Delete strongswan configuration file
1042 file_delete "${NETWORK_IPSEC_SWANCTL_CONNECTIONS_DIR}/${connection}.conf
"
1044 if ! rm -rf "${NETWORK_IPSEC_CONNS_DIR}/${connection}"; then
1045 log ERROR "Deleting the VPN IPsec connection
${connection} was not sucessful
"
1046 return ${EXIT_ERROR}
1052 # List all ipsec connections
1053 ipsec_list_connections() {
1055 for connection in ${NETWORK_IPSEC_CONNS_DIR}/*; do
1056 [ -d ${connection} ] || continue
1057 basename ${connection}
1061 ipsec_connection_to_strongswan() {
1062 local connection="${1}"
1064 # Read the config settings
1065 local ${IPSEC_CONNECTION_CONFIG_SETTINGS}
1066 if ! ipsec_connection_read_config "${connection}"; then
1067 error "Could not
read the connection
${connection}"
1068 return ${EXIT_ERROR}
1071 local path="${NETWORK_IPSEC_SWANCTL_CONNECTIONS_DIR}/${connection}.conf
"
1074 # Write the connection section
1075 _ipsec_connection_to_strongswan_connection "${connection}"
1077 # Write the secrets section
1078 _ipsec_connection_to_strongswan_secrets "${connection}"
1083 _ipsec_connection_to_strongswan_connection() {
1084 local connection="${1}"
1086 # Read the security policy
1087 local ${VPN_SECURITY_POLICIES_CONFIG_SETTINGS}
1088 if ! vpn_security_policies_read_config "${SECURITY_POLICY}"; then
1089 return ${EXIT_ERROR}
1094 if isset DPD_DELAY && isinteger DPD_DELAY && [ ${DPD_DELAY} -gt 0 ]; then
1098 # Write configuration header
1099 config_header "strongSwan configuration
for ${connection}"
1101 print_indent 0 "connections
{"
1102 print_indent 1 "${connection} {"
1105 print_indent 2 "# IKE Version"
1106 case "${KEY_EXCHANGE^^}" in
1108 print_indent
2 "version = 1"
1111 # Fall back to IKEv2 for any random values
1113 print_indent
2 "version = 2"
1118 # Always only keep one connection open at a time
1119 print_indent
2 "# Unique IDs"
1120 print_indent
2 "unique = replace"
1124 print_indent
2 "# Local Address"
1125 if isset LOCAL_ADDRESS
; then
1126 print_indent
2 "local_addrs = ${LOCAL_ADDRESS}"
1128 print_indent
2 "local_addrs = %any"
1133 print_indent
2 "# Remote Address"
1135 print_indent
2 "remote_addrs = ${PEER}"
1137 print_indent
2 "remote_addrs = %any"
1142 print_indent
2 "# IKE Proposals"
1143 print_indent
2 "proposals = $(vpn_security_policies_make_ike_proposal ${SECURITY_POLICY})"
1147 if enabled dpd
; then
1148 print_indent
2 "# Dead Peer Detection"
1149 print_indent
2 "dpd_delay = ${DPD_DELAY}"
1151 if isset DPD_TIMEOUT
; then
1152 print_indent
2 "dpd_timeout = ${DPD_TIMEOUT}"
1159 print_indent
2 "# Fragmentation"
1160 print_indent
2 "fragmentation = yes"
1164 print_indent
2 "local {"
1167 if isset LOCAL_ID
; then
1168 print_indent
3 "id = ${LOCAL_ID}"
1172 case "${AUTH_MODE}" in
1174 print_indent
3 "auth = psk"
1182 print_indent
2 "remote {"
1185 if isset REMOTE_ID
; then
1186 print_indent
3 "id = ${REMOTE_ID}"
1190 case "${AUTH_MODE}" in
1192 print_indent
3 "auth = psk"
1201 print_indent
2 "children {"
1202 print_indent
3 "${connection} {"
1204 print_indent
4 "# ESP Proposals"
1205 print_indent
4 "esp_proposals = $(vpn_security_policies_make_esp_proposal ${SECURITY_POLICY})"
1212 print_indent
4 "local_ts = dynamic[gre]"
1213 print_indent
4 "remote_ts = dynamic[gre]"
1217 if isset LOCAL_PREFIX
; then
1218 print_indent
4 "local_ts = $(list_join LOCAL_PREFIX ,)"
1220 print_indent
4 "local_ts = dynamic"
1224 if isset REMOTE_PREFIX
; then
1225 print_indent
4 "remote_ts = $(list_join REMOTE_PREFIX ,)"
1227 print_indent
4 "remote_ts = dynamic"
1236 print_indent
4 "# Netfilter Marks"
1237 print_indent
4 "mark_in = %unique"
1238 print_indent
4 "mark_out = %unique"
1243 # Dead Peer Detection
1244 if enabled dpd
; then
1245 print_indent
4 "# Dead Peer Detection"
1246 print_indent
4 "dpd_action = ${DPD_ACTION}"
1251 if isset LIFETIME
; then
1252 print_indent
4 "# Rekey Time"
1253 print_indent
4 "rekey_time = ${LIFETIME}"
1258 print_indent
4 "updown = ${NETWORK_HELPERS_DIR}/ipsec-updown"
1262 print_indent
4 "# Mode"
1265 print_indent
4 "mode = transport"
1268 print_indent
4 "mode = tunnel"
1274 print_indent
4 "# Compression"
1275 if enabled COMPRESSION
; then
1276 print_indent
4 "ipcomp = yes"
1278 print_indent
4 "ipcomp = no"
1282 # Inactivity Timeout
1283 if isset INACTIVITY_TIMEOUT
; then
1284 print_indent
4 "# Inactivity Timeout"
1285 print_indent
4 "inactivity = ${INACTIVITY_TIMEOUT}"
1290 print_indent
4 "# Start Action"
1291 case "${START_ACTION}" in
1293 print_indent
4 "start_action = trap"
1294 print_indent
4 "close_action = trap"
1297 print_indent
4 "start_action = none"
1298 print_indent
4 "close_action = none"
1301 print_indent
4 "start_action = start"
1302 print_indent
4 "close_action = start"
1316 _ipsec_connection_to_strongswan_secrets
() {
1317 local connection
="${1}"
1319 print_indent
0 "secrets {"
1321 case "${AUTH_MODE}" in
1323 print_indent
1 "ike {"
1326 print_indent
2 "secret = ${PSK}"
1329 if isset REMOTE_ID
; then
1330 print_indent
2 "id = ${REMOTE_ID}"