2 ###############################################################################
4 # IPFire.org - A linux based firewall #
5 # Copyright (C) 2017 IPFire Network Development Team #
7 # This program is free software: you can redistribute it and/or modify #
8 # it under the terms of the GNU General Public License as published by #
9 # the Free Software Foundation, either version 3 of the License, or #
10 # (at your option) any later version. #
12 # This program is distributed in the hope that it will be useful, #
13 # but WITHOUT ANY WARRANTY; without even the implied warranty of #
14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
15 # GNU General Public License for more details. #
17 # You should have received a copy of the GNU General Public License #
18 # along with this program. If not, see <http://www.gnu.org/licenses/>. #
20 ###############################################################################
22 IPSEC_CONNECTION_CONFIG_SETTINGS
="\
# Defaults that ipsec_connection_new writes into every fresh connection.
IPSEC_DEFAULT_AUTH_MODE="PSK"

# Dead Peer Detection: what to do when the peer stops answering, how often
# to probe and how long to wait for an answer (both in seconds).
IPSEC_DEFAULT_DPD_ACTION="restart"
IPSEC_DEFAULT_DPD_DELAY=30
IPSEC_DEFAULT_DPD_TIMEOUT=120

IPSEC_DEFAULT_ENABLED="true"

# The CLI only displays the inactivity timeout when it is greater than zero,
# and ipsec_connection_inactivity_timeout refuses to set 0, so 0 can only
# come from this default.
IPSEC_DEFAULT_INACTIVITY_TIMEOUT=0

IPSEC_DEFAULT_MODE="tunnel"
IPSEC_DEFAULT_SECURITY_POLICY="system"
IPSEC_DEFAULT_START_ACTION="on-demand"

# Values accepted by ipsec_connection_mode
IPSEC_VALID_MODES="gre-transport tunnel vti"

# Values accepted by ipsec_connection_authentication_mode; only pre-shared
# keys are implemented in this file.
IPSEC_VALID_AUTH_MODES="PSK"
60 cli_ipsec_connection $@
63 error
"Unrecognized argument: ${action}"
69 cli_ipsec_connection
() {
70 if ipsec_connection_exists
${1}; then
77 authentication|down|disable|dpd|
enable|inactivity_timeout|
local|mode|peer|remote|security_policy|start_action|up
)
78 ipsec_connection_
${key} ${connection} $@
81 cli_ipsec_connection_show
"${connection}"
85 error
"Unrecognized argument: ${key}"
95 ipsec_connection_new $@
98 cli_ipsec_connection_destroy $@
101 if [ -n "${action}" ]; then
102 error
"Unrecognized argument: '${action}'"
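# CLI handler for "connection destroy": removes one or more connections and
# then tells strongSwan about it.
# Arguments: $@ - connection names (the caller hands over everything after
#                 the "destroy" keyword)
# Returns: EXIT_ERROR when a connection could not be destroyed
cli_ipsec_connection_destroy() {
	# ipsec_connection_destroy loops over all of its arguments; forwarding
	# only "${1}" silently ignored every name after the first one.
	if ! ipsec_connection_destroy "$@"; then
		return ${EXIT_ERROR}
	fi

	# Inform strongswan about the changes
	ipsec_strongswan_load

	# Configure strongswan autostart
	ipsec_strongswan_autostart
}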
124 cli_ipsec_connection_show
() {
125 local connection
="${1}"
127 # Read the config settings
128 local ${IPSEC_CONNECTION_CONFIG_SETTINGS}
129 if ! ipsec_connection_read_config
"${connection}"; then
130 error
"Could not read the connection configuration"
134 cli_headline
0 "IPsec VPN Connection: ${connection}"
139 cli_print_fmt1
1 "Peer" "${PEER}"
143 cli_print_fmt1
1 "Security Policy" "${SECURITY_POLICY-${IPSEC_DEFAULT_SECURITY_POLICY}}"
146 cli_headline
2 "Authentication"
147 case "${AUTH_MODE^^}" in
149 cli_print_fmt1
2 "Mode" "Pre-Shared-Key"
152 cli_print_fmt1
2 "Pre-Shared-Key" "****"
154 cli_print_fmt1
2 "Pre-Shared-Key" "- is not set -"
164 for i
in LOCAL REMOTE
; do
167 cli_headline
2 "Local"
170 cli_headline
2 "Remote"
174 local id_var
="${i}_ID"
175 if [ -n "${!id_var}" ]; then
176 cli_print_fmt1
2 "ID" "${!id_var}"
179 local prefix_var
="${i}_PREFIX"
180 if isset
${prefix_var}; then
181 cli_headline
3 "Prefix(es)"
184 for prefix
in ${!prefix_var}; do
185 cli_print_fmt1
3 "${prefix}"
192 cli_headline
2 "Misc."
196 cli_print_fmt1
2 "Transport Mode" "GRE Transport"
199 cli_print_fmt1
2 "Transport Mode" "Tunnel"
202 cli_print_fmt1
2 "Transport Mode" "Virtual Tunnel Interface"
205 cli_print_fmt1
2 "Transport Mode" "- Unknown -"
210 if isset INACTIVITY_TIMEOUT
&& [ ${INACTIVITY_TIMEOUT} -gt 0 ]; then
211 cli_print_fmt1
2 "Inactivity Timeout" "$(format_time ${INACTIVITY_TIMEOUT})"
# Marks a connection as disabled (ENABLED=false) and re-evaluates whether
# strongSwan still has to run.
# Arguments: $1 - connection name
# Returns: EXIT_ERROR when the setting could not be written
ipsec_connection_disable() {
	local connection="${1}"

	ipsec_connection_write_config_key "${connection}" "ENABLED" "false" || {
		log ERROR "Could not write configuration settings"
		return ${EXIT_ERROR}
	}

	# Configure strongswan autostart
	ipsec_strongswan_autostart
}
# Marks a connection as enabled (ENABLED=true) and re-evaluates whether
# strongSwan has to be started.
# Arguments: $1 - connection name
# Returns: EXIT_ERROR when the setting could not be written
ipsec_connection_enable() {
	local connection="${1}"

	ipsec_connection_write_config_key "${connection}" "ENABLED" "true" || {
		log ERROR "Could not write configuration settings"
		return ${EXIT_ERROR}
	}

	# Configure strongswan autostart
	ipsec_strongswan_autostart
}
# Writes all variables listed in IPSEC_CONNECTION_CONFIG_SETTINGS (taken from
# the caller's scope) into the settings file of the given connection and
# reloads the connection afterwards.
# Arguments: $1 - connection name
# Returns: EXIT_ERROR when the connection is unknown or the file cannot be written
ipsec_connection_write_config() {
	local connection="${1}"

	ipsec_connection_exists "${connection}" || {
		log ERROR "No such VPN IPsec connection: ${connection}"
		return ${EXIT_ERROR}
	}

	local path="${NETWORK_IPSEC_CONNS_DIR}/${connection}/settings"

	# NOTE(review): this file also carries the PSK in clear text; confirm that
	# settings_write creates it with restrictive permissions.
	# IPSEC_CONNECTION_CONFIG_SETTINGS is deliberately unquoted: it is a
	# whitespace separated list of variable names.
	settings_write "${path}" ${IPSEC_CONNECTION_CONFIG_SETTINGS} || {
		log ERROR "Could not write configuration settings for VPN IPsec connection ${connection}"
		return ${EXIT_ERROR}
	}

	ipsec_reload "${connection}"
}
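# Sets one key of a VPN IPsec connection to a new value and writes the
# complete settings file back (which also reloads the connection).
# Arguments: $1 - connection name
#            $2 - key (one of IPSEC_CONNECTION_CONFIG_SETTINGS)
#            $3 - new value
# Returns: EXIT_ERROR when the connection is unknown or the settings
#          could not be read or written
ipsec_connection_write_config_key() {
	local connection="${1}"
	local key="${2}"
	local value="${3}"

	if ! ipsec_connection_exists "${connection}"; then
		log ERROR "No such VPN ipsec connection: ${connection}"
		return ${EXIT_ERROR}
	fi

	# The pre-shared key is set through this function as well; never copy
	# the secret itself into the log.
	local logged_value="${value}"
	if [ "${key}" = "PSK" ]; then
		logged_value="****"
	fi
	log DEBUG "Set '${key}' to new value '${logged_value}' in VPN ipsec connection '${connection}'"

	local ${IPSEC_CONNECTION_CONFIG_SETTINGS}

	# Read the config settings
	if ! ipsec_connection_read_config "${connection}"; then
		return ${EXIT_ERROR}
	fi

	# Set the key to a new value
	assign "${key}" "${value}"

	if ! ipsec_connection_write_config "${connection}"; then
		return ${EXIT_ERROR}
	fi
}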
297 # Reads one or more keys out of a settings file or all if no key is provided.
298 ipsec_connection_read_config
() {
301 local connection
="${1}"
304 if ! ipsec_connection_exists
"${connection}"; then
305 log ERROR
"No such VPN IPsec connection : ${connection}"
311 if [ $# -eq 0 ] && [ -n "${IPSEC_CONNECTION_CONFIG_SETTINGS}" ]; then
312 list_append args
${IPSEC_CONNECTION_CONFIG_SETTINGS}
317 local path
="${NETWORK_IPSEC_CONNS_DIR}/${connection}/settings"
319 if ! settings_read
"${path}" ${args}; then
320 log ERROR
"Could not read settings for VPN IPsec connection ${connection}"
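# This function checks if a vpn ipsec connection exists
# Returns True when yes and false when not
# Arguments: $1 - connection name
# A connection "exists" when a directory of that name is present below
# NETWORK_IPSEC_CONNS_DIR. The name is used as a single path component by
# every caller, so only such names can be reported as existing.
ipsec_connection_exists() {
	local connection="${1}"

	# An empty name would resolve to the connections directory itself and a
	# name with a slash (or "." / "..") could point anywhere in the filesystem;
	# "-d" would happily say "yes" to both, so refuse them first.
	if [ -z "${connection}" ]; then
		return ${EXIT_FALSE}
	fi
	case "${connection}" in
		.|..|*/*)
			return ${EXIT_FALSE}
			;;
	esac

	local path="${NETWORK_IPSEC_CONNS_DIR}/${connection}"

	[ -d "${path}" ] && return ${EXIT_TRUE} || return ${EXIT_FALSE}
}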
# Determines if strongswan should be automatically started
# when the system boots up.
# strongSwan is enabled and started as soon as at least one connection has
# ENABLED set; when no connection is enabled it is disabled and stopped.
ipsec_strongswan_autostart() {
	local autostart_needed="false"

	local connection
	for connection in $(ipsec_list_connections); do
		local ENABLED

		# Only the ENABLED key is needed here
		if ! ipsec_connection_read_config "${connection}" "ENABLED"; then
			log WARNING "Could not read configuation"
			continue
		fi

		if enabled ENABLED; then
			autostart_needed="true"
		fi
	done

	if [ "${autostart_needed}" = "true" ]; then
		# Start strongswan when we need it and when it is not yet enabled
		if ! service_is_enabled "strongswan"; then
			service_enable "strongswan"
		fi

		if ! service_is_active "strongswan"; then
			service_start "strongswan"
		fi
	else
		# Disable strongswan when we do not need it but it is enabled
		if service_is_enabled "strongswan"; then
			service_disable "strongswan"
		fi

		if service_is_active "strongswan"; then
			service_stop "strongswan"
		fi
	fi
}
# Asks a running strongSwan to re-read all swanctl configuration files.
# Does nothing when the service is not active.
# Returns: EXIT_ERROR when swanctl failed to load the configuration
ipsec_strongswan_load() {
	# Do nothing if strongswan is not running
	service_is_active "strongswan" || return ${EXIT_OK}

	cmd swanctl --load-all || {
		log ERROR "Could not reload strongswan config"
		return ${EXIT_ERROR}
	}
}
391 # Reloads the connection after config changes
393 local connection=${1}
397 if ! ipsec_connection_read_config "${connection}" "ENABLED
"; then
398 log ERROR "Could not
read configuration
for IPsec connection
${connection}"
402 if enabled ENABLED; then
403 if ! ipsec_connection_to_strongswan ${connection}; then
404 log ERROR "Could not generate strongswan config
for ${connnection}"
408 log DEBUG "Deleting strongswan config
${NETWORK_IPSEC_SWANCTL_CONNECTIONS_DIR}/${connection}.conf
"
409 unlink "${NETWORK_IPSEC_SWANCTL_CONNECTIONS_DIR}/${connection}.conf
"
412 ipsec_strongswan_load
415 # Handle the cli after authentification
416 ipsec_connection_authentication() {
417 if [ ! $# -gt 1 ]; then
418 log ERROR "Not enough arguments
"
422 local connection=${1}
428 ipsec_connection_authentication_mode "${connection}" $@
431 ipsec_connection_authentication_psk "${connection}" $@
434 log ERROR "Unrecognized argument
: ${cmd}"
# Set the authentication mode
# Arguments: $1 - connection name
#            $2 - mode, must be listed in IPSEC_VALID_AUTH_MODES
# The mode is stored upper-cased as AUTH_MODE.
ipsec_connection_authentication_mode() {
	if [ ! $# -eq 2 ]; then
		log ERROR "Not enough arguments"
		return ${EXIT_ERROR}
	fi

	local connection="${1}"
	local mode="${2}"

	# isoneof takes the variable name, not its value
	isoneof mode ${IPSEC_VALID_AUTH_MODES} || {
		log ERROR "Auth mode '${mode}' is invalid"
		return ${EXIT_ERROR}
	}

	ipsec_connection_write_config_key "${connection}" "AUTH_MODE" ${mode^^} || {
		log ERROR "Could not write configuration settings"
		return ${EXIT_ERROR}
	}
}
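# Sets the pre-shared key of a connection.
# Arguments: $1 - connection name
#            $2 - the key, 4 to 128 characters
# Returns: EXIT_ERROR on bad arguments or when the key could not be stored
#
# NOTE(review): the key is passed on the command line, so it ends up in the
# caller's shell history and is briefly visible in the process list. A very
# short key is also easy to guess for anyone who can observe or take part in
# the IKE exchange; a higher minimum than four characters is advisable.
ipsec_connection_authentication_psk() {
	if [ ! $# -eq 2 ]; then
		log ERROR "Not enough arguments"
		return ${EXIT_ERROR}
	fi

	local connection="${1}"
	local psk="${2}"
	local length="${#psk}"

	# Four characters are accepted; the old message wrongly claimed the key
	# had to be "longer than four".
	if [ ${length} -lt 4 ]; then
		error "The PSK must be at least four characters long"
		return ${EXIT_ERROR}
	fi

	if [ ${length} -gt 128 ]; then
		error "The PSK cannot be longer than 128 characters"
		return ${EXIT_ERROR}
	fi

	if ! ipsec_connection_write_config_key "${connection}" "PSK" "${psk}"; then
		log ERROR "Could not write configuration settings"
		return ${EXIT_ERROR}
	fi
}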
# Brings a connection up by asking strongSwan to initiate the child SA that
# carries the connection's name.
# Arguments: $1 - connection name
# Returns: EXIT_ERROR for an unknown connection, otherwise swanctl's status
ipsec_connection_up() {
	local connection="${1}"

	ipsec_connection_exists "${connection}" || {
		error "No such VPN IPsec connection: ${connection}"
		return ${EXIT_ERROR}
	}

	cmd swanctl --initiate --child "${connection}"
}
# Takes a connection down by terminating the IKE SA that carries the
# connection's name.
# Arguments: $1 - connection name
# Returns: EXIT_ERROR for an unknown connection, otherwise swanctl's status
ipsec_connection_down() {
	local connection="${1}"

	ipsec_connection_exists "${connection}" || {
		error "No such VPN IPsec connection: ${connection}"
		return ${EXIT_ERROR}
	}

	cmd swanctl --terminate --ike "${connection}"
}
512 # Handle the cli after authentification
513 ipsec_connection_dpd() {
514 if [ ! $# -gt 1 ]; then
515 log ERROR "Not enough arguments
"
519 local connection=${1}
525 ipsec_connection_dpd_action "${connection}" $@
528 ipsec_connection_dpd_delay "${connection}" $@
531 ipsec_connection_dpd_timeout "${connection}" $@
534 log ERROR "Unrecognized argument
: ${cmd}"
# Set the dead peer detection action
# Arguments: $1 - connection name
#            $2 - action, "restart" or "clear"
ipsec_connection_dpd_action() {
	if [ ! $# -eq 2 ]; then
		log ERROR "Not enough arguments"
		return ${EXIT_ERROR}
	fi

	local connection="${1}"
	local action="${2}"

	# isoneof takes the variable name, not its value
	isoneof action "restart" "clear" || {
		log ERROR "dpd action '${action}' is invalid"
		return ${EXIT_ERROR}
	}

	ipsec_connection_write_config_key "${connection}" "DPD_ACTION" ${action} || {
		log ERROR "Could not write configuration settings"
		return ${EXIT_ERROR}
	}
}
561 ipsec_connection_dpd_delay() {
562 if [ ! $# -ge 2 ]; then
563 log ERROR "Not enough arguments
"
567 local connection=${1}
571 if ! isinteger value; then
572 value=$(parse_time $@)
573 if [ ! $? -eq 0 ]; then
574 log ERROR "Parsing the passed
time was not sucessful please check the passed values.
"
579 if [ ${value} -lt 0 ]; then
580 log ERROR "The passed
time value must be
in the
sum greater or equal zero seconds.
"
584 if ! ipsec_connection_write_config_key "${connection}" "DPD_DELAY
" ${value}; then
585 log ERROR "Could not
write configuration settings
"
592 # Set the dpd timeout
593 ipsec_connection_dpd_timeout() {
594 if [ ! $# -ge 2 ]; then
595 log ERROR "Not enough arguments
"
599 local connection=${1}
603 if ! isinteger value; then
604 value=$(parse_time $@)
605 if [ ! $? -eq 0 ]; then
606 log ERROR "Parsing the passed
time was not sucessful please check the passed values.
"
611 if [ ${value} -le 0 ]; then
612 log ERROR "The passed
time value must be
in the
sum greater or equal zero seconds.
"
616 if ! ipsec_connection_write_config_key "${connection}" "DPD_TIMEOUT
" ${value}; then
617 log ERROR "Could not
write configuration settings
"
624 # Handle the cli after local
625 ipsec_connection_local() {
626 if [ ! $# -ge 2 ]; then
627 log ERROR "Not enough arguments
"
631 local connection=${1}
637 ipsec_connection_local_address "${connection}" $@
640 ipsec_connection_id "${connection}" "LOCAL
" $@
643 ipsec_connection_prefix "${connection}" "LOCAL
" $@
646 log ERROR "Unrecognized argument
: ${cmd}"
# Set the connection mode
# Arguments: $1 - connection name
#            $2 - mode, must be listed in IPSEC_VALID_MODES
ipsec_connection_mode() {
	if [ ! $# -eq 2 ]; then
		log ERROR "Not enough arguments"
		return ${EXIT_ERROR}
	fi

	local connection="${1}"
	local mode="${2}"

	# isoneof takes the variable name, not its value
	isoneof mode ${IPSEC_VALID_MODES} || {
		log ERROR "Mode '${mode}' is invalid"
		return ${EXIT_ERROR}
	}

	ipsec_connection_write_config_key "${connection}" "MODE" ${mode} || {
		log ERROR "Could not write configuration settings"
		return ${EXIT_ERROR}
	}
}
# Set the local address
# Arguments: $1 - connection name
#            $2 - local IP address (validated like a peer address)
ipsec_connection_local_address() {
	if [ ! $# -eq 2 ]; then
		log ERROR "Not enough arguments"
		return ${EXIT_ERROR}
	fi

	local connection="${1}"
	local local_address="${2}"

	ipsec_connection_check_peer "${local_address}" || {
		log ERROR "Local address '${local_address}' is invalid"
		return ${EXIT_ERROR}
	}

	ipsec_connection_write_config_key "${connection}" "LOCAL_ADDRESS" ${local_address} || {
		log ERROR "Could not write configuration settings"
		return ${EXIT_ERROR}
	}
}
# Set the peer to connect to
# Arguments: $1 - connection name
#            $2 - peer IP address
ipsec_connection_peer() {
	if [ ! $# -eq 2 ]; then
		log ERROR "Not enough arguments"
		return ${EXIT_ERROR}
	fi

	local connection="${1}"
	local peer="${2}"

	ipsec_connection_check_peer "${peer}" || {
		log ERROR "Peer '${peer}' is invalid"
		return ${EXIT_ERROR}
	}

	ipsec_connection_write_config_key "${connection}" "PEER" ${peer} || {
		log ERROR "Could not write configuration settings"
		return ${EXIT_ERROR}
	}
}
# Set the local or remote id
# Arguments: $1 - connection name
#            $2 - "LOCAL" or "REMOTE"; selects the LOCAL_ID / REMOTE_ID key
#            $3 - the identifier, validated by ipsec_connection_check_id
# $2 is not validated here; the callers in this file pass a fixed value.
ipsec_connection_id() {
	if [ ! $# -eq 3 ]; then
		log ERROR "Not enough arguments"
		return ${EXIT_ERROR}
	fi

	local connection="${1}"
	local type="${2}"
	local id="${3}"

	ipsec_connection_check_id "${id}" || {
		log ERROR "Id '${id}' is invalid"
		return ${EXIT_ERROR}
	}

	ipsec_connection_write_config_key "${connection}" "${type}_ID" ${id} || {
		log ERROR "Could not write configuration settings"
		return ${EXIT_ERROR}
	}
}
743 # Set the local or remote prefix
744 ipsec_connection_prefix
() {
745 if [ ! $# -ge 3 ]; then
746 log ERROR
"Not enough arguments"
749 local connection
=${1}
753 local _prefix
="${type}_PREFIX"
755 if ! ipsec_connection_read_config
"${connection}" "${_prefix}"; then
759 # Remove duplicated entries to proceed the list safely
760 assign
"${_prefix}" "$(list_unique ${!_prefix} )"
763 local prefixes_removed
766 while [ $# -gt 0 ]; do
771 list_append prefixes_added
"${arg:1}"
774 list_append prefixes_removed
"${arg:1}"
777 list_append prefixes_set
"${arg}"
780 error
"Invalid argument: ${arg}"
787 # Check if the user is trying a mixed operation
788 if ! list_is_empty prefixes_set
&& (! list_is_empty prefixes_added ||
! list_is_empty prefixes_removed
); then
789 error
"You cannot reset the prefix list and add or remove prefixes at the same time"
793 # Set new prefix list
794 if ! list_is_empty prefixes_set
; then
795 # Check if all prefixes are valid
797 for prefix
in ${prefixes_set}; do
798 if ! ip_net_is_valid
${prefix}; then
799 error
"Unsupported prefix: ${prefix}"
804 assign
"${_prefix}" "${prefixes_set}"
806 # Perform incremental updates
810 # Perform all removals
811 for prefix
in ${prefixes_removed}; do
812 if ! list_remove
"${_prefix}" ${prefix}; then
813 warning
"${prefix} was not on the list and could not be removed"
818 for prefix
in ${prefixes_added}; do
819 if ip_net_is_valid
${prefix}; then
820 if ! list_append_unique
"${_prefix}" ${prefix}; then
821 warning
"${prefix} is already on the prefix list"
824 warning
"${prefix} is not a valid IP network and could not be added"
829 # Check if the list contain at least one valid prefix
830 if list_is_empty
${_prefix}; then
831 error
"Cannot save an empty prefix list"
836 if ! ipsec_connection_write_config_key
"${connection}" "${_prefix}" ${!_prefix}; then
837 log ERROR "Could not
write configuration settings
"
843 # Handle the cli after remote
844 ipsec_connection_remote() {
845 if [ ! $# -ge 2 ]; then
846 log ERROR "Not enough arguments
"
850 local connection=${1}
856 ipsec_connection_id "${connection}" "REMOTE
" $@
860 ipsec_connection_prefix "${connection}" "REMOTE
" $@
863 log ERROR "Unrecognized argument
: ${cmd}"
871 # Set the inactivity timeout
872 ipsec_connection_inactivity_timeout() {
873 if [ ! $# -ge 2 ]; then
874 log ERROR "Not enough arguments
"
878 local connection=${1}
882 if ! isinteger value; then
883 value=$(parse_time $@)
884 if [ ! $? -eq 0 ]; then
885 log ERROR "Parsing the passed
time was not sucessful please check the passed values.
"
890 if [ ${value} -le 0 ]; then
891 log ERROR "The passed
time value must be
in the
sum greater zero seconds.
"
895 if ! ipsec_connection_write_config_key "${connection}" "INACTIVITY_TIMEOUT
" ${value}; then
896 log ERROR "Could not
write configuration settings
"
# Set the start action
# Arguments: $1 - connection name
#            $2 - "on-demand" or "always-on"
ipsec_connection_start_action() {
	if [ ! $# -eq 2 ]; then
		log ERROR "Not enough arguments"
		return ${EXIT_ERROR}
	fi

	local connection="${1}"
	local action="${2}"

	# isoneof takes the variable name, not its value
	isoneof action "on-demand" "always-on" || {
		log ERROR "Start action '${action}' is invalid"
		return ${EXIT_ERROR}
	}

	ipsec_connection_write_config_key "${connection}" "START_ACTION" ${action} || {
		log ERROR "Could not write configuration settings"
		return ${EXIT_ERROR}
	}
}
# Set the security policy to use
# Arguments: $1 - connection name
#            $2 - name of an existing VPN security policy
ipsec_connection_security_policy() {
	if [ ! $# -eq 2 ]; then
		log ERROR "Not enough arguments"
		return ${EXIT_ERROR}
	fi

	local connection="${1}"
	local security_policy="${2}"

	vpn_security_policy_exists "${security_policy}" || {
		log ERROR "No such vpn security policy '${security_policy}'"
		return ${EXIT_ERROR}
	}

	ipsec_connection_write_config_key "${connection}" "SECURITY_POLICY" ${security_policy} || {
		log ERROR "Could not write configuration settings"
		return ${EXIT_ERROR}
	}
}
# Check if an id is valid
# Arguments: $1 - the identifier
# Returns EXIT_TRUE for "@name" (letters and digits only, so dotted names
# like "@vpn.example.org" are rejected) or for a valid IP address,
# EXIT_FALSE otherwise.
ipsec_connection_check_id() {
	local id="${1}"

	if [[ "${id}" =~ ^@[[:alnum:]]+$ ]]; then
		return ${EXIT_TRUE}
	fi

	if ip_is_valid "${id}"; then
		return ${EXIT_TRUE}
	fi

	return ${EXIT_FALSE}
}
# Checks if a peer is valid
# Arguments: $1 - peer address
# Returns EXIT_TRUE for a valid IP address, EXIT_FALSE otherwise.
ipsec_connection_check_peer() {
	local peer="${1}"

	# TODO Accept also FQDNs
	if ip_is_valid "${peer}"; then
		return ${EXIT_TRUE}
	fi

	return ${EXIT_FALSE}
}
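# This function checks if a VPN IPsec connection name is valid
# Allowed are only A-Za-z0-9
# Arguments: $1 - connection name
# Returns success (true) when the name contains an ILLEGAL character and
# failure otherwise; callers treat success as "reject this name".
# The name becomes a directory name below NETWORK_IPSEC_CONNS_DIR and a
# swanctl section name, which is why the rule is this strict.
ipsec_connection_check_name() {
	local connection="${1}"

	# The previous pattern "[^[:alnum:]$]" put "$" inside the bracket
	# expression, where it is a literal character, so a name containing "$"
	# passed as legal. Letters and digits only (per the current locale's
	# notion of alnum).
	[[ "${connection}" =~ [^[:alnum:]] ]]
}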
# Function that creates one VPN IPsec connection
# Arguments: $1 - connection name (letters and digits only)
# Creates the connection directory, stores the IPSEC_DEFAULT_* settings in it
# and re-evaluates the strongSwan autostart.
# Returns: EXIT_ERROR on bad arguments, a duplicate or illegal name, or when
#          the directory or settings could not be written
ipsec_connection_new() {
	if [ $# -gt 1 ]; then
		error "Too many arguments"
		return ${EXIT_ERROR}
	fi

	local connection="${1}"
	isset connection || {
		error "Please provide a connection name"
		return ${EXIT_ERROR}
	}

	# Check for duplicates
	if ipsec_connection_exists "${connection}"; then
		error "The VPN IPsec connection ${connection} already exists"
		return ${EXIT_ERROR}
	fi

	# Check if the name of the connection is valid
	# (ipsec_connection_check_name succeeds when it finds an illegal character)
	if ipsec_connection_check_name "${connection}"; then
		error "'${connection}' contains illegal characters"
		return ${EXIT_ERROR}
	fi

	log DEBUG "Creating VPN IPsec connection ${connection}"

	# NOTE(review): the settings file written into this directory will hold
	# the pre-shared key; consider creating it with mode 0700.
	mkdir -p "${NETWORK_IPSEC_CONNS_DIR}/${connection}" || {
		log ERROR "Could not create config directory for ${connection}"
		return ${EXIT_ERROR}
	}

	# Populate the settings from the defaults and write them out
	local ${IPSEC_CONNECTION_CONFIG_SETTINGS}
	AUTH_MODE="${IPSEC_DEFAULT_AUTH_MODE}"
	DPD_ACTION="${IPSEC_DEFAULT_DPD_ACTION}"
	DPD_DELAY="${IPSEC_DEFAULT_DPD_DELAY}"
	DPD_TIMEOUT="${IPSEC_DEFAULT_DPD_TIMEOUT}"
	ENABLED="${IPSEC_DEFAULT_ENABLED}"
	MODE="${IPSEC_DEFAULT_MODE}"
	START_ACTION="${IPSEC_DEFAULT_START_ACTION}"
	INACTIVITY_TIMEOUT="${IPSEC_DEFAULT_INACTIVITY_TIMEOUT}"
	SECURITY_POLICY="${IPSEC_DEFAULT_SECURITY_POLICY}"

	ipsec_connection_write_config "${connection}" || {
		log ERROR "Could not write new config file"
		return ${EXIT_ERROR}
	}

	# Configure strongswan autostart
	ipsec_strongswan_autostart
}
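# Function that deletes one or more VPN IPsec connections
# Arguments: $@ - connection names
# Removes the generated strongSwan configuration file and the connection's
# settings directory. Stops at the first connection that does not exist or
# cannot be removed.
# Returns: EXIT_ERROR in that case
ipsec_connection_destroy() {
	# Without the base directory the path below would degrade to
	# "/<name>", so refuse to delete anything in that state.
	if [ -z "${NETWORK_IPSEC_CONNS_DIR}" ]; then
		log ERROR "NETWORK_IPSEC_CONNS_DIR is not set"
		return ${EXIT_ERROR}
	fi

	local connection
	for connection in "$@"; do
		if ! ipsec_connection_exists "${connection}"; then
			log ERROR "The VPN IPsec connection ${connection} does not exist."
			return ${EXIT_ERROR}
		fi

		# Only a plain directory name is ever removed below; a name that
		# could walk out of the connections directory is refused here no
		# matter what the existence check above accepted.
		case "${connection}" in
			""|.|..|*/*)
				log ERROR "Invalid VPN IPsec connection name: ${connection}"
				return ${EXIT_ERROR}
				;;
		esac

		log DEBUG "Deleting VPN IPsec connection ${connection}"

		# Delete strongswan configuration file
		file_delete "${NETWORK_IPSEC_SWANCTL_CONNECTIONS_DIR}/${connection}.conf"

		if ! rm -rf -- "${NETWORK_IPSEC_CONNS_DIR}/${connection}"; then
			log ERROR "Deleting the VPN IPsec connection ${connection} was not sucessful"
			return ${EXIT_ERROR}
		fi
	done
}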
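# List all ipsec connections
# Prints one connection name per line: every directory directly below
# NETWORK_IPSEC_CONNS_DIR. Prints nothing when there are none.
ipsec_list_connections() {
	local connection
	# Quoted so a base directory containing whitespace still works
	for connection in "${NETWORK_IPSEC_CONNS_DIR}"/*; do
		# Skips plain files and the literal "*" left when nothing matches
		[ -d "${connection}" ] || continue
		# Last path component; the glob never yields a trailing slash
		printf '%s\n' "${connection##*/}"
	done
}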
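# Generates the swanctl configuration file for one connection.
# Arguments: $1 - connection name
# Returns: EXIT_ERROR when the settings cannot be read or the file cannot
#          be generated; an existing file is left untouched in that case
#
# The secrets section carries the pre-shared key in clear text, so the file
# is created with mktemp (mode 0600) and moved into place only once both
# sections have been written successfully.
ipsec_connection_to_strongswan() {
	local connection="${1}"

	# Read the config settings
	local ${IPSEC_CONNECTION_CONFIG_SETTINGS}
	if ! ipsec_connection_read_config "${connection}"; then
		error "Could not read the connection ${connection}"
		return ${EXIT_ERROR}
	fi

	local path="${NETWORK_IPSEC_SWANCTL_CONNECTIONS_DIR}/${connection}.conf"

	local tmp
	tmp="$(mktemp "${path}.XXXXXX")" || return ${EXIT_ERROR}

	# Both helpers print to stdout and read the settings loaded above;
	# the subshell inherits them.
	if ! (
		# Write the connection section
		_ipsec_connection_to_strongswan_connection "${connection}" &&
		# Write the secrets section
		_ipsec_connection_to_strongswan_secrets "${connection}"
	) > "${tmp}"; then
		rm -f -- "${tmp}"
		return ${EXIT_ERROR}
	fi

	mv -f -- "${tmp}" "${path}"
}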
1085 _ipsec_connection_to_strongswan_connection() {
1086 local connection="${1}"
1088 # Read the security policy
1089 local ${VPN_SECURITY_POLICIES_CONFIG_SETTINGS}
1090 if ! vpn_security_policies_read_config "${SECURITY_POLICY}"; then
1091 return ${EXIT_ERROR}
1096 if isset DPD_DELAY && isinteger DPD_DELAY && [ ${DPD_DELAY} -gt 0 ]; then
1100 # Write configuration header
1101 config_header "strongSwan configuration
for ${connection}"
1103 print_indent 0 "connections
{"
1104 print_indent 1 "${connection} {"
1107 print_indent 2 "# IKE Version"
1108 case "${KEY_EXCHANGE^^}" in
1110 print_indent
2 "version = 1"
1113 # Fall back to IKEv2 for any random values
1115 print_indent
2 "version = 2"
1120 # Always only keep one connection open at a time
1121 print_indent
2 "# Unique IDs"
1122 print_indent
2 "unique = replace"
1126 print_indent
2 "# Local Address"
1127 if isset LOCAL_ADDRESS
; then
1128 print_indent
2 "local_addrs = ${LOCAL_ADDRESS}"
1130 print_indent
2 "local_addrs = %any"
1135 print_indent
2 "# Remote Address"
1137 print_indent
2 "remote_addrs = ${PEER}"
1139 print_indent
2 "remote_addrs = %any"
1144 print_indent
2 "# IKE Proposals"
1145 print_indent
2 "proposals = $(vpn_security_policies_make_ike_proposal ${SECURITY_POLICY})"
1149 if enabled dpd
; then
1150 print_indent
2 "# Dead Peer Detection"
1151 print_indent
2 "dpd_delay = ${DPD_DELAY}"
1153 if isset DPD_TIMEOUT
; then
1154 print_indent
2 "dpd_timeout = ${DPD_TIMEOUT}"
1161 print_indent
2 "# Fragmentation"
1162 print_indent
2 "fragmentation = yes"
1166 print_indent
2 "local {"
1169 if isset LOCAL_ID
; then
1170 print_indent
3 "id = ${LOCAL_ID}"
1174 case "${AUTH_MODE}" in
1176 print_indent
3 "auth = psk"
1184 print_indent
2 "remote {"
1187 if isset REMOTE_ID
; then
1188 print_indent
3 "id = ${REMOTE_ID}"
1192 case "${AUTH_MODE}" in
1194 print_indent
3 "auth = psk"
1203 print_indent
2 "children {"
1204 print_indent
3 "${connection} {"
1206 print_indent
4 "# ESP Proposals"
1207 print_indent
4 "esp_proposals = $(vpn_security_policies_make_esp_proposal ${SECURITY_POLICY})"
1214 print_indent
4 "local_ts = dynamic[gre]"
1215 print_indent
4 "remote_ts = dynamic[gre]"
1219 if isset LOCAL_PREFIX
; then
1220 print_indent
4 "local_ts = $(list_join LOCAL_PREFIX ,)"
1222 print_indent
4 "local_ts = dynamic"
1226 if isset REMOTE_PREFIX
; then
1227 print_indent
4 "remote_ts = $(list_join REMOTE_PREFIX ,)"
1229 print_indent
4 "remote_ts = dynamic"
1238 print_indent
4 "# Netfilter Marks"
1239 print_indent
4 "mark_in = %unique"
1240 print_indent
4 "mark_out = %unique"
1245 # Dead Peer Detection
1246 if enabled dpd
; then
1247 print_indent
4 "# Dead Peer Detection"
1248 print_indent
4 "dpd_action = ${DPD_ACTION}"
1253 if isset LIFETIME
; then
1254 print_indent
4 "# Rekey Time"
1255 print_indent
4 "rekey_time = ${LIFETIME}"
1260 print_indent
4 "updown = ${NETWORK_HELPERS_DIR}/ipsec-updown"
1264 print_indent
4 "# Mode"
1267 print_indent
4 "mode = transport"
1270 print_indent
4 "mode = tunnel"
1276 print_indent
4 "# Compression"
1277 if enabled COMPRESSION
; then
1278 print_indent
4 "ipcomp = yes"
1280 print_indent
4 "ipcomp = no"
1284 # Inactivity Timeout
1285 if isset INACTIVITY_TIMEOUT
; then
1286 print_indent
4 "# Inactivity Timeout"
1287 print_indent
4 "inactivity = ${INACTIVITY_TIMEOUT}"
1292 print_indent
4 "# Start Action"
1293 case "${START_ACTION}" in
1295 print_indent
4 "start_action = trap"
1296 print_indent
4 "close_action = trap"
1299 print_indent
4 "start_action = none"
1300 print_indent
4 "close_action = none"
1303 print_indent
4 "start_action = start"
1304 print_indent
4 "close_action = start"
1318 _ipsec_connection_to_strongswan_secrets
() {
1319 local connection
="${1}"
1321 print_indent
0 "secrets {"
1323 case "${AUTH_MODE}" in
1325 print_indent
1 "ike {"
1328 print_indent
2 "secret = ${PSK}"
1331 if isset REMOTE_ID
; then
1332 print_indent
2 "id = ${REMOTE_ID}"