]> git.ipfire.org Git - people/stevee/network.git/blob - src/functions/functions.ipsec
ipsec: Save START_ACTION parameter
[people/stevee/network.git] / src / functions / functions.ipsec
1 #!/bin/bash
2 ###############################################################################
3 # #
4 # IPFire.org - A linux based firewall #
5 # Copyright (C) 2017 IPFire Network Development Team #
6 # #
7 # This program is free software: you can redistribute it and/or modify #
8 # it under the terms of the GNU General Public License as published by #
9 # the Free Software Foundation, either version 3 of the License, or #
10 # (at your option) any later version. #
11 # #
12 # This program is distributed in the hope that it will be useful, #
13 # but WITHOUT ANY WARRANTY; without even the implied warranty of #
14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
15 # GNU General Public License for more details. #
16 # #
17 # You should have received a copy of the GNU General Public License #
18 # along with this program. If not, see <http://www.gnu.org/licenses/>. #
19 # #
20 ###############################################################################
21
22 IPSEC_CONNECTION_CONFIG_SETTINGS="\
23 AUTH_MODE \
24 DPD_ACTION \
25 DPD_DELAY \
26 DPD_TIMEOUT \
27 INACTIVITY_TIMEOUT \
28 LOCAL_ADDRESS \
29 LOCAL_ID \
30 LOCAL_PREFIX \
31 MODE \
32 PEER \
33 PSK \
34 REMOTE_ID \
35 REMOTE_PREFIX \
36 SECURITY_POLICY \
37 START_ACTION \
38 ENABLED"
39
40 # Default values
41 IPSEC_DEFAULT_AUTH_MODE="PSK"
42 IPSEC_DEFAULT_DPD_ACTION="restart"
43 IPSEC_DEFAULT_DPD_DELAY="30"
44 IPSEC_DEFAULT_DPD_TIMEOUT="120"
45 IPSEC_DEFAULT_ENABLED="true"
46 IPSEC_DEFAULT_INACTIVITY_TIMEOUT="0"
47 IPSEC_DEFAULT_MODE="tunnel"
48 IPSEC_DEFAULT_SECURITY_POLICY="system"
49 IPSEC_DEFAULT_START_ACTION="on-demand"
50
51 IPSEC_VALID_MODES="gre-transport tunnel vti"
52 IPSEC_VALID_AUTH_MODES="PSK"
53
54 cli_ipsec() {
55 local action=${1}
56 shift 1
57
58 case "${action}" in
59 connection)
60 cli_ipsec_connection $@
61 ;;
62 *)
63 error "Unrecognized argument: ${action}"
64 exit ${EXIT_ERROR}
65 ;;
66 esac
67 }
68
69 cli_ipsec_connection() {
70 if ipsec_connection_exists ${1}; then
71 local connection=${1}
72 local key=${2}
73 key=${key//-/_}
74 shift 2
75
76 case "${key}" in
77 authentication|down|disable|dpd|enable|inactivity_timeout|local|mode|peer|remote|security_policy|start_action|up)
78 ipsec_connection_${key} ${connection} $@
79 ;;
80 show)
81 cli_ipsec_connection_show "${connection}"
82 exit $?
83 ;;
84 *)
85 error "Unrecognized argument: ${key}"
86 exit ${EXIT_ERROR}
87 ;;
88 esac
89 else
90 local action=${1}
91 shift
92
93 case "${action}" in
94 new)
95 ipsec_connection_new $@
96 ;;
97 destroy)
98 cli_ipsec_connection_destroy $@
99 ;;
100 ""|*)
101 if [ -n "${action}" ]; then
102 error "Unrecognized argument: '${action}'"
103 fi
104 exit ${EXIT_ERROR}
105 ;;
106 esac
107 fi
108 }
109
110 cli_ipsec_connection_destroy() {
111 local connection="${1}"
112
113 if ! ipsec_connection_destroy "${connection}"; then
114 return ${EXIT_ERROR}
115 fi
116
117 # Inform strongswan about the changes
118 ipsec_strongswan_load
119
120 # Configure strongswan autostart
121 ipsec_strongswan_autostart
122 }
123
124 cli_ipsec_connection_show() {
125 local connection="${1}"
126
127 # Read the config settings
128 local ${IPSEC_CONNECTION_CONFIG_SETTINGS}
129 if ! ipsec_connection_read_config "${connection}"; then
130 error "Could not read the connection configuration"
131 return ${EXIT_ERROR}
132 fi
133
134 cli_headline 0 "IPsec VPN Connection: ${connection}"
135 cli_space
136
137 # Peer
138 if isset PEER; then
139 cli_print_fmt1 1 "Peer" "${PEER}"
140 fi
141
142 # Security Policy
143 cli_print_fmt1 1 "Security Policy" "${SECURITY_POLICY-${IPSEC_DEFAULT_SECURITY_POLICY}}"
144 cli_space
145
146 cli_headline 2 "Authentication"
147 case "${AUTH_MODE^^}" in
148 PSK)
149 cli_print_fmt1 2 "Mode" "Pre-Shared-Key"
150
151 if isset PSK; then
152 cli_print_fmt1 2 "Pre-Shared-Key" "****"
153 else
154 cli_print_fmt1 2 "Pre-Shared-Key" "- is not set -"
155 fi
156 ;;
157 X509)
158 : # TODO
159 ;;
160 esac
161 cli_space
162
163 local i
164 for i in LOCAL REMOTE; do
165 case "${i}" in
166 LOCAL)
167 cli_headline 2 "Local"
168 ;;
169 REMOTE)
170 cli_headline 2 "Remote"
171 ;;
172 esac
173
174 local id_var="${i}_ID"
175 if [ -n "${!id_var}" ]; then
176 cli_print_fmt1 2 "ID" "${!id_var}"
177 fi
178
179 local prefix_var="${i}_PREFIX"
180 if isset ${prefix_var}; then
181 cli_headline 3 "Prefix(es)"
182
183 local prefix
184 for prefix in ${!prefix_var}; do
185 cli_print_fmt1 3 "${prefix}"
186 done
187 fi
188
189 cli_space
190 done
191
192 cli_headline 2 "Misc."
193
194 case "${MODE}" in
195 gre-transport)
196 cli_print_fmt1 2 "Transport Mode" "GRE Transport"
197 ;;
198 tunnel)
199 cli_print_fmt1 2 "Transport Mode" "Tunnel"
200 ;;
201 vti)
202 cli_print_fmt1 2 "Transport Mode" "Virtual Tunnel Interface"
203 ;;
204 *)
205 cli_print_fmt1 2 "Transport Mode" "- Unknown -"
206 ;;
207 esac
208
209 # Inactivity timeout
210 if isset INACTIVITY_TIMEOUT && [ ${INACTIVITY_TIMEOUT} -gt 0 ]; then
211 cli_print_fmt1 2 "Inactivity Timeout" "$(format_time ${INACTIVITY_TIMEOUT})"
212 fi
213 cli_space
214
215 return ${EXIT_OK}
216 }
217
218 ipsec_connection_disable() {
219 local connection=${1}
220
221 if ! ipsec_connection_write_config_key "${connection}" "ENABLED" "false"; then
222 log ERROR "Could not write configuration settings"
223 return ${EXIT_ERROR}
224 fi
225
226 # Configure strongswan autostart
227 ipsec_strongswan_autostart
228 }
229
230 ipsec_connection_enable() {
231 local connection=${1}
232
233 if ! ipsec_connection_write_config_key "${connection}" "ENABLED" "true"; then
234 log ERROR "Could not write configuration settings"
235 return ${EXIT_ERROR}
236 fi
237
238 # Configure strongswan autostart
239 ipsec_strongswan_autostart
240 }
241
242 # This function writes all values to a via ${connection} specificated VPN IPsec configuration file
243 ipsec_connection_write_config() {
244 assert [ $# -ge 1 ]
245
246 local connection="${1}"
247
248 if ! ipsec_connection_exists "${connection}"; then
249 log ERROR "No such VPN IPsec connection: ${connection}"
250 return ${EXIT_ERROR}
251 fi
252
253 local path="${NETWORK_IPSEC_CONNS_DIR}/${connection}/settings"
254
255 if ! settings_write "${path}" ${IPSEC_CONNECTION_CONFIG_SETTINGS}; then
256 log ERROR "Could not write configuration settings for VPN IPsec connection ${connection}"
257 return ${EXIT_ERROR}
258 fi
259
260 ipsec_reload ${connection}
261 }
262
263 # This funtion writes the value for one key to a via ${connection} specificated VPN IPsec connection configuration file
264 ipsec_connection_write_config_key() {
265 assert [ $# -ge 3 ]
266
267 local connection=${1}
268 local key=${2}
269 shift 2
270
271 local value="$@"
272
273 if ! ipsec_connection_exists "${connection}"; then
274 log ERROR "No such VPN ipsec connection: ${connection}"
275 return ${EXIT_ERROR}
276 fi
277
278 log DEBUG "Set '${key}' to new value '${value}' in VPN ipsec connection '${connection}'"
279
280 local ${IPSEC_CONNECTION_CONFIG_SETTINGS}
281
282 # Read the config settings
283 if ! ipsec_connection_read_config "${connection}"; then
284 return ${EXIT_ERROR}
285 fi
286
287 # Set the key to a new value
288 assign "${key}" "${value}"
289
290 if ! ipsec_connection_write_config "${connection}"; then
291 return ${EXIT_ERROR}
292 fi
293
294 return ${EXIT_TRUE}
295 }
296
297 # Reads one or more keys out of a settings file or all if no key is provided.
298 ipsec_connection_read_config() {
299 assert [ $# -ge 1 ]
300
301 local connection="${1}"
302 shift 1
303
304 if ! ipsec_connection_exists "${connection}"; then
305 log ERROR "No such VPN IPsec connection : ${connection}"
306 return ${EXIT_ERROR}
307 fi
308
309
310 local args
311 if [ $# -eq 0 ] && [ -n "${IPSEC_CONNECTION_CONFIG_SETTINGS}" ]; then
312 list_append args ${IPSEC_CONNECTION_CONFIG_SETTINGS}
313 else
314 list_append args $@
315 fi
316
317 local path="${NETWORK_IPSEC_CONNS_DIR}/${connection}/settings"
318
319 if ! settings_read "${path}" ${args}; then
320 log ERROR "Could not read settings for VPN IPsec connection ${connection}"
321 return ${EXIT_ERROR}
322 fi
323 }
324
325 # This function checks if a vpn ipsec connection exists
326 # Returns True when yes and false when not
327 ipsec_connection_exists() {
328 assert [ $# -eq 1 ]
329
330 local connection=${1}
331
332 local path="${NETWORK_IPSEC_CONNS_DIR}/${connection}"
333
334 [ -d "${path}" ] && return ${EXIT_TRUE} || return ${EXIT_FALSE}
335 }
336
337 # Determines if strongswan should be automatically started
338 # when the system boots up.
339 ipsec_strongswan_autostart() {
340 local autostart_needed="false"
341
342 local connection
343 for connection in $(ipsec_list_connections); do
344 local ENABLED
345
346 if ! ipsec_connection_read_config "${connection}" "ENABLED"; then
347 log WARNING "Could not read configuation"
348 continue
349 fi
350
351 if enabled ENABLED; then
352 autostart_needed="true"
353 break
354 fi
355 done
356
357 # Start strongswan when we need it and when it is not yet enabled
358 if ${autostart_needed}; then
359 if ! service_is_enabled "strongswan"; then
360 service_enable "strongswan"
361 fi
362
363 if ! service_is_active "strongswan"; then
364 service_start "strongswan"
365 fi
366
367 # Disable strongswan when we do not need it but it is enabled
368 elif ! ${autostart_needed}; then
369 if service_is_enabled "strongswan"; then
370 service_disable "strongswan"
371 fi
372
373 if service_is_active "strongswan"; then
374 service_stop "strongswan"
375 fi
376 fi
377 }
378
379 ipsec_strongswan_load() {
380 # Do nothing if strongswan is not running
381 if ! service_is_active "strongswan"; then
382 return ${EXIT_OK}
383 fi
384
385 if ! cmd swanctl --load-all; then
386 log ERROR "Could not reload strongswan config"
387 return ${EXIT_ERROR}
388 fi
389 }
390
391 # Reloads the connection after config changes
392 ipsec_reload() {
393 local connection=${1}
394
395 local ENABLED
396
397 if ! ipsec_connection_read_config "${connection}" "ENABLED"; then
398 log ERROR "Could not read configuration for IPsec connection ${connection}"
399 return ${EXIT_ERROR}
400 fi
401
402 if enabled ENABLED; then
403 if ! ipsec_connection_to_strongswan ${connection}; then
404 log ERROR "Could not generate strongswan config for ${connnection}"
405 return ${EXIT_ERROR}
406 fi
407 else
408 log DEBUG "Deleting strongswan config ${NETWORK_IPSEC_SWANCTL_CONNECTIONS_DIR}/${connection}.conf"
409 unlink "${NETWORK_IPSEC_SWANCTL_CONNECTIONS_DIR}/${connection}.conf"
410 fi
411
412 ipsec_strongswan_load
413 }
414
415 # Handle the cli after authentification
416 ipsec_connection_authentication() {
417 if [ ! $# -gt 1 ]; then
418 log ERROR "Not enough arguments"
419 return ${EXIT_ERROR}
420 fi
421
422 local connection=${1}
423 local cmd=${2}
424 shift 2
425
426 case ${cmd} in
427 mode)
428 ipsec_connection_authentication_mode "${connection}" $@
429 ;;
430 pre-shared-key)
431 ipsec_connection_authentication_psk "${connection}" $@
432 ;;
433 *)
434 log ERROR "Unrecognized argument: ${cmd}"
435 return ${EXIT_ERROR}
436 ;;
437 esac
438 }
439
440 # Set the authentification mode
441 ipsec_connection_authentication_mode() {
442 if [ ! $# -eq 2 ]; then
443 log ERROR "Not enough arguments"
444 return ${EXIT_ERROR}
445 fi
446 local connection=${1}
447 local mode=${2}
448
449 if ! isoneof mode ${IPSEC_VALID_AUTH_MODES}; then
450 log ERROR "Auth mode '${mode}' is invalid"
451 return ${EXIT_ERROR}
452 fi
453
454 if ! ipsec_connection_write_config_key "${connection}" "AUTH_MODE" ${mode^^}; then
455 log ERROR "Could not write configuration settings"
456 return ${EXIT_ERROR}
457 fi
458 }
459
460 # Set the psk
461 ipsec_connection_authentication_psk() {
462 if [ ! $# -eq 2 ]; then
463 log ERROR "Not enough arguments"
464 return ${EXIT_ERROR}
465 fi
466
467 local connection=${1}
468 local psk=${2}
469
470 local length=${#psk}
471
472 if [ ${length} -lt 4 ]; then
473 error "The PSK must be longer than four characters"
474 return ${EXIT_ERROR}
475 fi
476
477 if [ ${length} -gt 128 ]; then
478 error "The PSK cannot be longer than 128 characters"
479 return ${EXIT_ERROR}
480 fi
481
482 if ! ipsec_connection_write_config_key "${connection}" "PSK" "${psk}"; then
483 log ERROR "Could not write configuration settings"
484 return ${EXIT_ERROR}
485 fi
486
487 return ${EXIT_OK}
488 }
489
490 ipsec_connection_up() {
491 local connection="${1}"
492
493 if ! ipsec_connection_exists "${connection}"; then
494 error "No such VPN IPsec connection: ${connection}"
495 return ${EXIT_ERROR}
496 fi
497
498 cmd swanctl --initiate --child "${connection}"
499 }
500
501 ipsec_connection_down() {
502 local connection="${1}"
503
504 if ! ipsec_connection_exists "${connection}"; then
505 error "No such VPN IPsec connection: ${connection}"
506 return ${EXIT_ERROR}
507 fi
508
509 cmd swanctl --terminate --ike "${connection}"
510 }
511
512 # Handle the cli after authentification
513 ipsec_connection_dpd() {
514 if [ ! $# -gt 1 ]; then
515 log ERROR "Not enough arguments"
516 return ${EXIT_ERROR}
517 fi
518
519 local connection=${1}
520 local cmd=${2}
521 shift 2
522
523 case ${cmd} in
524 action)
525 ipsec_connection_dpd_action "${connection}" $@
526 ;;
527 delay)
528 ipsec_connection_dpd_delay "${connection}" $@
529 ;;
530 timeout)
531 ipsec_connection_dpd_timeout "${connection}" $@
532 ;;
533 *)
534 log ERROR "Unrecognized argument: ${cmd}"
535 return ${EXIT_ERROR}
536 ;;
537 esac
538 }
539
540 # Set the default dpd action
541 ipsec_connection_dpd_action() {
542 if [ ! $# -eq 2 ]; then
543 log ERROR "Not enough arguments"
544 return ${EXIT_ERROR}
545 fi
546 local connection=${1}
547 local action=${2}
548
549 if ! isoneof action "restart" "clear"; then
550 log ERROR "dpd action '${action}' is invalid"
551 return ${EXIT_ERROR}
552 fi
553
554 if ! ipsec_connection_write_config_key "${connection}" "DPD_ACTION" ${action}; then
555 log ERROR "Could not write configuration settings"
556 return ${EXIT_ERROR}
557 fi
558 }
559
560 # Set the dpd delay
561 ipsec_connection_dpd_delay() {
562 if [ ! $# -ge 2 ]; then
563 log ERROR "Not enough arguments"
564 return ${EXIT_ERROR}
565 fi
566
567 local connection=${1}
568 shift 1
569 local value=$@
570
571 if ! isinteger value; then
572 value=$(parse_time $@)
573 if [ ! $? -eq 0 ]; then
574 log ERROR "Parsing the passed time was not sucessful please check the passed values."
575 return ${EXIT_ERROR}
576 fi
577 fi
578
579 if [ ${value} -lt 0 ]; then
580 log ERROR "The passed time value must be in the sum greater or equal zero seconds."
581 return ${EXIT_ERROR}
582 fi
583
584 if ! ipsec_connection_write_config_key "${connection}" "DPD_DELAY" ${value}; then
585 log ERROR "Could not write configuration settings"
586 return ${EXIT_ERROR}
587 fi
588
589 return ${EXIT_OK}
590 }
591
592 # Set the dpd timeout
593 ipsec_connection_dpd_timeout() {
594 if [ ! $# -ge 2 ]; then
595 log ERROR "Not enough arguments"
596 return ${EXIT_ERROR}
597 fi
598
599 local connection=${1}
600 shift 1
601 local value=$@
602
603 if ! isinteger value; then
604 value=$(parse_time $@)
605 if [ ! $? -eq 0 ]; then
606 log ERROR "Parsing the passed time was not sucessful please check the passed values."
607 return ${EXIT_ERROR}
608 fi
609 fi
610
611 if [ ${value} -le 0 ]; then
612 log ERROR "The passed time value must be in the sum greater or equal zero seconds."
613 return ${EXIT_ERROR}
614 fi
615
616 if ! ipsec_connection_write_config_key "${connection}" "DPD_TIMEOUT" ${value}; then
617 log ERROR "Could not write configuration settings"
618 return ${EXIT_ERROR}
619 fi
620
621 return ${EXIT_OK}
622 }
623
624 # Handle the cli after local
625 ipsec_connection_local() {
626 if [ ! $# -ge 2 ]; then
627 log ERROR "Not enough arguments"
628 return ${EXIT_ERROR}
629 fi
630
631 local connection=${1}
632 local cmd=${2}
633 shift 2
634
635 case ${cmd} in
636 address)
637 ipsec_connection_local_address "${connection}" $@
638 ;;
639 id)
640 ipsec_connection_id "${connection}" "LOCAL" $@
641 ;;
642 prefix)
643 ipsec_connection_prefix "${connection}" "LOCAL" $@
644 ;;
645 *)
646 log ERROR "Unrecognized argument: ${cmd}"
647 return ${EXIT_ERROR}
648 ;;
649 esac
650
651 return ${EXIT_OK}
652 }
653
654 # Set the connection mode
655 ipsec_connection_mode() {
656 if [ ! $# -eq 2 ]; then
657 log ERROR "Not enough arguments"
658 return ${EXIT_ERROR}
659 fi
660 local connection=${1}
661 local mode=${2}
662
663 if ! isoneof mode ${IPSEC_VALID_MODES}; then
664 log ERROR "Mode '${mode}' is invalid"
665 return ${EXIT_ERROR}
666 fi
667
668 if ! ipsec_connection_write_config_key "${connection}" "MODE" ${mode}; then
669 log ERROR "Could not write configuration settings"
670 return ${EXIT_ERROR}
671 fi
672
673 return ${EXIT_OK}
674 }
675
676 # Set the local address
677 ipsec_connection_local_address() {
678 if [ ! $# -eq 2 ]; then
679 log ERROR "Not enough arguments"
680 return ${EXIT_ERROR}
681 fi
682 local connection=${1}
683 local local_address=${2}
684
685 if ! ipsec_connection_check_peer ${local_address}; then
686 log ERROR "Local address '${local_address}' is invalid"
687 return ${EXIT_ERROR}
688 fi
689
690 if ! ipsec_connection_write_config_key "${connection}" "LOCAL_ADDRESS" ${local_address}; then
691 log ERROR "Could not write configuration settings"
692 return ${EXIT_ERROR}
693 fi
694
695 return ${EXIT_OK}
696 }
697
698 # Set the peer to connect to
699 ipsec_connection_peer() {
700 if [ ! $# -eq 2 ]; then
701 log ERROR "Not enough arguments"
702 return ${EXIT_ERROR}
703 fi
704 local connection=${1}
705 local peer=${2}
706
707 if ! ipsec_connection_check_peer ${peer}; then
708 log ERROR "Peer '${peer}' is invalid"
709 return ${EXIT_ERROR}
710 fi
711
712 if ! ipsec_connection_write_config_key "${connection}" "PEER" ${peer}; then
713 log ERROR "Could not write configuration settings"
714 return ${EXIT_ERROR}
715 fi
716
717 return ${EXIT_OK}
718 }
719
720 #Set the local or remote id
721 ipsec_connection_id() {
722 if [ ! $# -eq 3 ]; then
723 log ERROR "Not enough arguments"
724 return ${EXIT_ERROR}
725 fi
726 local connection=${1}
727 local type=${2}
728 local id=${3}
729
730 if ! ipsec_connection_check_id ${id}; then
731 log ERROR "Id '${id}' is invalid"
732 return ${EXIT_ERROR}
733 fi
734
735 if ! ipsec_connection_write_config_key "${connection}" "${type}_ID" ${id}; then
736 log ERROR "Could not write configuration settings"
737 return ${EXIT_ERROR}
738 fi
739
740 return ${EXIT_OK}
741 }
742
743 # Set the local or remote prefix
744 ipsec_connection_prefix() {
745 if [ ! $# -ge 3 ]; then
746 log ERROR "Not enough arguments"
747 return ${EXIT_ERROR}
748 fi
749 local connection=${1}
750 local type=${2}
751 shift 2
752
753 local _prefix="${type}_PREFIX"
754 local "${_prefix}"
755 if ! ipsec_connection_read_config "${connection}" "${_prefix}"; then
756 return ${EXIT_ERROR}
757 fi
758
759 # Remove duplicated entries to proceed the list safely
760 assign "${_prefix}" "$(list_unique ${!_prefix} )"
761
762 local prefixes_added
763 local prefixes_removed
764 local prefixes_set
765
766 while [ $# -gt 0 ]; do
767 local arg="${1}"
768
769 case "${arg}" in
770 +*)
771 list_append prefixes_added "${arg:1}"
772 ;;
773 -*)
774 list_append prefixes_removed "${arg:1}"
775 ;;
776 [A-Fa-f0-9]*)
777 list_append prefixes_set "${arg}"
778 ;;
779 *)
780 error "Invalid argument: ${arg}"
781 return ${EXIT_ERROR}
782 ;;
783 esac
784 shift
785 done
786
787 # Check if the user is trying a mixed operation
788 if ! list_is_empty prefixes_set && (! list_is_empty prefixes_added || ! list_is_empty prefixes_removed); then
789 error "You cannot reset the prefix list and add or remove prefixes at the same time"
790 return ${EXIT_ERROR}
791 fi
792
793 # Set new prefix list
794 if ! list_is_empty prefixes_set; then
795 # Check if all prefixes are valid
796 local prefix
797 for prefix in ${prefixes_set}; do
798 if ! ip_net_is_valid ${prefix}; then
799 error "Unsupported prefix: ${prefix}"
800 return ${EXIT_ERROR}
801 fi
802 done
803
804 assign "${_prefix}" "${prefixes_set}"
805
806 # Perform incremental updates
807 else
808 local prefix
809
810 # Perform all removals
811 for prefix in ${prefixes_removed}; do
812 if ! list_remove "${_prefix}" ${prefix}; then
813 warning "${prefix} was not on the list and could not be removed"
814 fi
815 done
816
817
818 for prefix in ${prefixes_added}; do
819 if ip_net_is_valid ${prefix}; then
820 if ! list_append_unique "${_prefix}" ${prefix}; then
821 warning "${prefix} is already on the prefix list"
822 fi
823 else
824 warning "${prefix} is not a valid IP network and could not be added"
825 fi
826 done
827 fi
828
829 # Check if the list contain at least one valid prefix
830 if list_is_empty ${_prefix}; then
831 error "Cannot save an empty prefix list"
832 return ${EXIT_ERROR}
833 fi
834
835 # Save everything
836 if ! ipsec_connection_write_config_key "${connection}" "${_prefix}" ${!_prefix}; then
837 log ERROR "Could not write configuration settings"
838 fi
839
840 return ${EXIT_OK}
841 }
842
843 # Handle the cli after remote
844 ipsec_connection_remote() {
845 if [ ! $# -ge 2 ]; then
846 log ERROR "Not enough arguments"
847 return ${EXIT_ERROR}
848 fi
849
850 local connection=${1}
851 local cmd=${2}
852 shift 2
853
854 case ${cmd} in
855 id)
856 ipsec_connection_id "${connection}" "REMOTE" $@
857 ;;
858
859 prefix)
860 ipsec_connection_prefix "${connection}" "REMOTE" $@
861 ;;
862 *)
863 log ERROR "Unrecognized argument: ${cmd}"
864 return ${EXIT_ERROR}
865 ;;
866 esac
867
868 return ${EXIT_OK}
869 }
870
871 # Set the inactivity timeout
872 ipsec_connection_inactivity_timeout() {
873 if [ ! $# -ge 2 ]; then
874 log ERROR "Not enough arguments"
875 return ${EXIT_ERROR}
876 fi
877
878 local connection=${1}
879 shift 1
880 local value=$@
881
882 if ! isinteger value; then
883 value=$(parse_time $@)
884 if [ ! $? -eq 0 ]; then
885 log ERROR "Parsing the passed time was not sucessful please check the passed values."
886 return ${EXIT_ERROR}
887 fi
888 fi
889
890 if [ ${value} -le 0 ]; then
891 log ERROR "The passed time value must be in the sum greater zero seconds."
892 return ${EXIT_ERROR}
893 fi
894
895 if ! ipsec_connection_write_config_key "${connection}" "INACTIVITY_TIMEOUT" ${value}; then
896 log ERROR "Could not write configuration settings"
897 return ${EXIT_ERROR}
898 fi
899
900 return ${EXIT_OK}
901 }
902
903 # Set the default start action
904 ipsec_connection_start_action() {
905 if [ ! $# -eq 2 ]; then
906 log ERROR "Not enough arguments"
907 return ${EXIT_ERROR}
908 fi
909 local connection=${1}
910 local action=${2}
911
912 if ! isoneof action "on-demand" "always-on"; then
913 log ERROR "Start action '${action}' is invalid"
914 return ${EXIT_ERROR}
915 fi
916
917 if ! ipsec_connection_write_config_key "${connection}" "START_ACTION" ${action}; then
918 log ERROR "Could not write configuration settings"
919 return ${EXIT_ERROR}
920 fi
921 }
922
923 # Set the security policy to use
924 ipsec_connection_security_policy() {
925 if [ ! $# -eq 2 ]; then
926 log ERROR "Not enough arguments"
927 return ${EXIT_ERROR}
928 fi
929 local connection=${1}
930 local security_policy=${2}
931
932 if ! vpn_security_policy_exists ${security_policy}; then
933 log ERROR "No such vpn security policy '${security_policy}'"
934 return ${EXIT_ERROR}
935 fi
936
937 if ! ipsec_connection_write_config_key "${connection}" "SECURITY_POLICY" ${security_policy}; then
938 log ERROR "Could not write configuration settings"
939 return ${EXIT_ERROR}
940 fi
941 }
942
943 # Check if a id is valid
944 ipsec_connection_check_id() {
945 assert [ $# -eq 1 ]
946 local id=${1}
947
948 if [[ ${id} =~ ^@[[:alnum:]]+$ ]] || ip_is_valid ${id}; then
949 return ${EXIT_TRUE}
950 else
951 return ${EXIT_FALSE}
952 fi
953 }
954
955 # Checks if a peer is valid
956 ipsec_connection_check_peer() {
957 assert [ $# -eq 1 ]
958 local peer=${1}
959
960 # TODO Accept also FQDNs
961 if ip_is_valid ${peer}; then
962 return ${EXIT_TRUE}
963 else
964 return ${EXIT_FALSE}
965 fi
966 }
967
968 # This function checks if a VPN IPsec connection name is valid
969 # Allowed are only A-Za-z0-9
970 ipsec_connection_check_name() {
971 assert [ $# -eq 1 ]
972
973 local connection=${1}
974
975 [[ "${connection}" =~ [^[:alnum:]$] ]]
976 }
977
978 # Function that creates one VPN IPsec connection
979 ipsec_connection_new() {
980 if [ $# -gt 1 ]; then
981 error "Too many arguments"
982 return ${EXIT_ERROR}
983 fi
984
985 local connection="${1}"
986 if ! isset connection; then
987 error "Please provide a connection name"
988 return ${EXIT_ERROR}
989 fi
990
991 # Check for duplicates
992 if ipsec_connection_exists "${connection}"; then
993 error "The VPN IPsec connection ${connection} already exists"
994 return ${EXIT_ERROR}
995 fi
996
997 # Check if the name of the connection is valid
998 if ipsec_connection_check_name "${connection}"; then
999 error "'${connection}' contains illegal characters"
1000 return ${EXIT_ERROR}
1001 fi
1002
1003 log DEBUG "Creating VPN IPsec connection ${connection}"
1004
1005 if ! mkdir -p "${NETWORK_IPSEC_CONNS_DIR}/${connection}"; then
1006 log ERROR "Could not create config directory for ${connection}"
1007 return ${EXIT_ERROR}
1008 fi
1009
1010 local ${IPSEC_CONNECTION_CONFIG_SETTINGS}
1011
1012 AUTH_MODE=${IPSEC_DEFAULT_AUTH_MODE}
1013 DPD_ACTION=${IPSEC_DEFAULT_DPD_ACTION}
1014 DPD_DELAY=${IPSEC_DEFAULT_DPD_DELAY}
1015 DPD_TIMEOUT=${IPSEC_DEFAULT_DPD_TIMEOUT}
1016 ENABLED=${IPSEC_DEFAULT_ENABLED}
1017 MODE=${IPSEC_DEFAULT_MODE}
1018 START_ACTION=${IPSEC_DEFAULT_START_ACTION}
1019
1020 INACTIVITY_TIMEOUT=${IPSEC_DEFAULT_INACTIVITY_TIMEOUT}
1021 SECURITY_POLICY=${IPSEC_DEFAULT_SECURITY_POLICY}
1022
1023 if ! ipsec_connection_write_config "${connection}"; then
1024 log ERROR "Could not write new config file"
1025 return ${EXIT_ERROR}
1026 fi
1027
1028 # Configure strongswan autostart
1029 ipsec_strongswan_autostart
1030 }
1031
1032 # Function that deletes based on the passed parameters one ore more vpn security policies
1033 ipsec_connection_destroy() {
1034 local connection
1035 for connection in $@; do
1036 if ! ipsec_connection_exists "${connection}"; then
1037 log ERROR "The VPN IPsec connection ${connection} does not exist."
1038 continue
1039 fi
1040
1041 log DEBUG "Deleting VPN IPsec connection ${connection}"
1042
1043 # Delete strongswan configuration file
1044 file_delete "${NETWORK_IPSEC_SWANCTL_CONNECTIONS_DIR}/${connection}.conf"
1045
1046 if ! rm -rf "${NETWORK_IPSEC_CONNS_DIR}/${connection}"; then
1047 log ERROR "Deleting the VPN IPsec connection ${connection} was not sucessful"
1048 return ${EXIT_ERROR}
1049 fi
1050
1051 done
1052 }
1053
1054 # List all ipsec connections
1055 ipsec_list_connections() {
1056 local connection
1057 for connection in ${NETWORK_IPSEC_CONNS_DIR}/*; do
1058 [ -d ${connection} ] || continue
1059 basename ${connection}
1060 done
1061 }
1062
1063 ipsec_connection_to_strongswan() {
1064 local connection="${1}"
1065
1066 # Read the config settings
1067 local ${IPSEC_CONNECTION_CONFIG_SETTINGS}
1068 if ! ipsec_connection_read_config "${connection}"; then
1069 error "Could not read the connection ${connection}"
1070 return ${EXIT_ERROR}
1071 fi
1072
1073 local path="${NETWORK_IPSEC_SWANCTL_CONNECTIONS_DIR}/${connection}.conf"
1074
1075 (
1076 # Write the connection section
1077 _ipsec_connection_to_strongswan_connection "${connection}"
1078
1079 # Write the secrets section
1080 _ipsec_connection_to_strongswan_secrets "${connection}"
1081
1082 ) > ${path}
1083 }
1084
1085 _ipsec_connection_to_strongswan_connection() {
1086 local connection="${1}"
1087
1088 # Read the security policy
1089 local ${VPN_SECURITY_POLICIES_CONFIG_SETTINGS}
1090 if ! vpn_security_policies_read_config "${SECURITY_POLICY}"; then
1091 return ${EXIT_ERROR}
1092 fi
1093
1094 # Is DPD enabled?
1095 local dpd="false"
1096 if isset DPD_DELAY && isinteger DPD_DELAY && [ ${DPD_DELAY} -gt 0 ]; then
1097 dpd="true"
1098 fi
1099
1100 # Write configuration header
1101 config_header "strongSwan configuration for ${connection}"
1102
1103 print_indent 0 "connections {"
1104 print_indent 1 "${connection} {"
1105
1106 # IKE Version
1107 print_indent 2 "# IKE Version"
1108 case "${KEY_EXCHANGE^^}" in
1109 IKEV1)
1110 print_indent 2 "version = 1"
1111 ;;
1112
1113 # Fall back to IKEv2 for any random values
1114 IKEV2|*)
1115 print_indent 2 "version = 2"
1116 ;;
1117 esac
1118 print # empty line
1119
1120 # Always only keep one connection open at a time
1121 print_indent 2 "# Unique IDs"
1122 print_indent 2 "unique = replace"
1123 print
1124
1125 # Local Address
1126 print_indent 2 "# Local Address"
1127 if isset LOCAL_ADDRESS; then
1128 print_indent 2 "local_addrs = ${LOCAL_ADDRESS}"
1129 else
1130 print_indent 2 "local_addrs = %any"
1131 fi
1132 print
1133
1134 # Remote Address
1135 print_indent 2 "# Remote Address"
1136 if isset PEER; then
1137 print_indent 2 "remote_addrs = ${PEER}"
1138 else
1139 print_indent 2 "remote_addrs = %any"
1140 fi
1141 print
1142
1143 # IKE Proposals
1144 print_indent 2 "# IKE Proposals"
1145 print_indent 2 "proposals = $(vpn_security_policies_make_ike_proposal ${SECURITY_POLICY})"
1146 print
1147
1148 # DPD Settings
1149 if enabled dpd; then
1150 print_indent 2 "# Dead Peer Detection"
1151 print_indent 2 "dpd_delay = ${DPD_DELAY}"
1152
1153 if isset DPD_TIMEOUT; then
1154 print_indent 2 "dpd_timeout = ${DPD_TIMEOUT}"
1155 fi
1156
1157 print
1158 fi
1159
1160 # Fragmentation
1161 print_indent 2 "# Fragmentation"
1162 print_indent 2 "fragmentation = yes"
1163 print
1164
1165 # Local
1166 print_indent 2 "local {"
1167
1168 # Local ID
1169 if isset LOCAL_ID; then
1170 print_indent 3 "id = ${LOCAL_ID}"
1171 fi
1172
1173 # Authentication
1174 case "${AUTH_MODE}" in
1175 PSK)
1176 print_indent 3 "auth = psk"
1177 ;;
1178 esac
1179
1180 print_indent 2 "}"
1181 print
1182
1183 # Remote
1184 print_indent 2 "remote {"
1185
1186 # Remote ID
1187 if isset REMOTE_ID; then
1188 print_indent 3 "id = ${REMOTE_ID}"
1189 fi
1190
1191 # Authentication
1192 case "${AUTH_MODE}" in
1193 PSK)
1194 print_indent 3 "auth = psk"
1195 ;;
1196 esac
1197
1198 print_indent 2 "}"
1199 print
1200
1201 # Children
1202
1203 print_indent 2 "children {"
1204 print_indent 3 "${connection} {"
1205
1206 print_indent 4 "# ESP Proposals"
1207 print_indent 4 "esp_proposals = $(vpn_security_policies_make_esp_proposal ${SECURITY_POLICY})"
1208 print
1209
1210 # Traffic Selectors
1211
1212 case "${MODE}" in
1213 gre-*)
1214 print_indent 4 "local_ts = dynamic[gre]"
1215 print_indent 4 "remote_ts = dynamic[gre]"
1216 ;;
1217 *)
1218 # Local Prefixes
1219 if isset LOCAL_PREFIX; then
1220 print_indent 4 "local_ts = $(list_join LOCAL_PREFIX ,)"
1221 else
1222 print_indent 4 "local_ts = dynamic"
1223 fi
1224
1225 # Remote Prefixes
1226 if isset REMOTE_PREFIX; then
1227 print_indent 4 "remote_ts = $(list_join REMOTE_PREFIX ,)"
1228 else
1229 print_indent 4 "remote_ts = dynamic"
1230 fi
1231 ;;
1232 esac
1233 print
1234
1235 # Netfilter Marks
1236 case "${MODE}" in
1237 vti)
1238 print_indent 4 "# Netfilter Marks"
1239 print_indent 4 "mark_in = %unique"
1240 print_indent 4 "mark_out = %unique"
1241 print
1242 ;;
1243 esac
1244
1245 # Dead Peer Detection
1246 if enabled dpd; then
1247 print_indent 4 "# Dead Peer Detection"
1248 print_indent 4 "dpd_action = ${DPD_ACTION}"
1249 print
1250 fi
1251
1252 # Rekeying
1253 if isset LIFETIME; then
1254 print_indent 4 "# Rekey Time"
1255 print_indent 4 "rekey_time = ${LIFETIME}"
1256 print
1257 fi
1258
1259 # Updown Script
1260 print_indent 4 "updown = ${NETWORK_HELPERS_DIR}/ipsec-updown"
1261 print
1262
1263 # Mode
1264 print_indent 4 "# Mode"
1265 case "${MODE}" in
1266 gre-transport)
1267 print_indent 4 "mode = transport"
1268 ;;
1269 tunnel|vti|*)
1270 print_indent 4 "mode = tunnel"
1271 ;;
1272 esac
1273 print
1274
1275 # Compression
1276 print_indent 4 "# Compression"
1277 if enabled COMPRESSION; then
1278 print_indent 4 "ipcomp = yes"
1279 else
1280 print_indent 4 "ipcomp = no"
1281 fi
1282 print
1283
1284 # Inactivity Timeout
1285 if isset INACTIVITY_TIMEOUT; then
1286 print_indent 4 "# Inactivity Timeout"
1287 print_indent 4 "inactivity = ${INACTIVITY_TIMEOUT}"
1288 print
1289 fi
1290
1291 # Start Action
1292 print_indent 4 "# Start Action"
1293 case "${START_ACTION}" in
1294 on-demand)
1295 print_indent 4 "start_action = trap"
1296 print_indent 4 "close_action = trap"
1297 ;;
1298 wait)
1299 print_indent 4 "start_action = none"
1300 print_indent 4 "close_action = none"
1301 ;;
1302 always-on|*)
1303 print_indent 4 "start_action = start"
1304 print_indent 4 "close_action = start"
1305 ;;
1306 esac
1307 print
1308
1309 print_indent 3 "}"
1310 print_indent 2 "}"
1311 print
1312
1313 print_indent 1 "}"
1314 print_indent 0 "}"
1315 print
1316 }
1317
1318 _ipsec_connection_to_strongswan_secrets() {
1319 local connection="${1}"
1320
1321 print_indent 0 "secrets {"
1322
1323 case "${AUTH_MODE}" in
1324 PSK)
1325 print_indent 1 "ike {"
1326
1327 # Secret
1328 print_indent 2 "secret = ${PSK}"
1329
1330 # ID
1331 if isset REMOTE_ID; then
1332 print_indent 2 "id = ${REMOTE_ID}"
1333 fi
1334
1335 print_indent 1 "}"
1336 ;;
1337 esac
1338
1339 print_indent 0 "}"
1340 }