REMOTE_PREFIX \
SECURITY_POLICY \
START_ACTION \
+ TYPE \
ENABLED"
IPSEC_POOL_CONFIG_SETTINGS="\
IPSEC_DEFAULT_MODE="tunnel"
IPSEC_DEFAULT_SECURITY_POLICY="system"
IPSEC_DEFAULT_START_ACTION="on-demand"
+IPSEC_DEFAULT_TYPE="net-to-net"
IPSEC_VALID_MODES="gre-transport tunnel vti"
IPSEC_VALID_AUTH_MODES="PSK"
case "${action}" in
connection)
- cli_ipsec_connection $@
+ cli_ipsec_connection "$@"
;;
pool)
- cli_ipsec_pool $@
+ cli_ipsec_pool "$@"
;;
*)
error "Unrecognized argument: ${action}"
case "${key}" in
authentication|down|disable|dpd|enable|inactivity_timeout|local|mode|peer|pool|remote|security_policy|start_action|up)
- ipsec_connection_${key} ${connection} $@
+ ipsec_connection_${key} ${connection} "$@"
;;
show)
cli_ipsec_connection_show "${connection}"
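Review bot: The quoting fix on `ipsec_connection_${key} ${connection} "$@"` is only half done: `${connection}` is still unquoted, so a connection name containing whitespace or glob characters is split or expanded before it reaches the setter, and the same applies to `${pool}` in `ipsec_pool_${key} ${pool} "$@"` in the pool dispatcher further down. The `${key}` part is safe because the case pattern restricts it to a fixed list before it becomes part of the command name, so the remaining operand is the only gap. Suggested line: `ipsec_connection_${key} "${connection}" "$@"` (and `ipsec_pool_${key} "${pool}" "$@"`). The enclosing functions start and end outside these hunks.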
case "${action}" in
new)
- ipsec_connection_new $@
+ ipsec_connection_new "$@"
;;
destroy)
- cli_ipsec_connection_destroy $@
+ cli_ipsec_connection_destroy "$@"
;;
""|*)
if [ -n "${action}" ]; then
case "${key}" in
dns_server|network)
- ipsec_pool_${key} ${pool} $@
+ ipsec_pool_${key} ${pool} "$@"
;;
show)
cli_ipsec_pool_show "${pool}"
case "${action}" in
new)
- ipsec_pool_new $@
+ ipsec_pool_new "$@"
;;
destroy)
- ipsec_pool_destroy $@
+ ipsec_pool_destroy "$@"
;;
""|*)
if [ -n "${action}" ]; then
if [ $# -eq 0 ] && [ -n "${IPSEC_CONNECTION_CONFIG_SETTINGS}" ]; then
list_append args ${IPSEC_CONNECTION_CONFIG_SETTINGS}
else
- list_append args $@
+ list_append args "$@"
fi
local path="${NETWORK_IPSEC_CONNS_DIR}/${connection}/settings"
case ${cmd} in
mode)
- ipsec_connection_authentication_mode "${connection}" $@
+ ipsec_connection_authentication_mode "${connection}" "$@"
;;
pre-shared-key)
- ipsec_connection_authentication_psk "${connection}" $@
+ ipsec_connection_authentication_psk "${connection}" "$@"
;;
*)
log ERROR "Unrecognized argument: ${cmd}"
case ${cmd} in
action)
- ipsec_connection_dpd_action "${connection}" $@
+ ipsec_connection_dpd_action "${connection}" "$@"
;;
delay)
- ipsec_connection_dpd_delay "${connection}" $@
+ ipsec_connection_dpd_delay "${connection}" "$@"
;;
timeout)
- ipsec_connection_dpd_timeout "${connection}" $@
+ ipsec_connection_dpd_timeout "${connection}" "$@"
;;
*)
log ERROR "Unrecognized argument: ${cmd}"
local value=$@
if ! isinteger value; then
- value=$(parse_time $@)
+ value=$(parse_time "$@")
if [ ! $? -eq 0 ]; then
log ERROR "Parsing the passed time was not sucessful please check the passed values."
return ${EXIT_ERROR}
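Review bot: `local value=$@` two lines above the changed line keeps an unquoted `$@` that this commit otherwise removes; it works only because bash does not word-split assignment words in declaration builtins, which is easy to misread, and `local value="$*"` states the intent (join all arguments) explicitly. The status check `if [ ! $? -eq 0 ]` after `value=$(parse_time "$@")` is the indirect form; `if ! value=$(parse_time "$@"); then` tests the same exit status without relying on `$?` surviving to the next line. The two later copies of this block in the diff (the other `parse_time "$@"` hunks) have the same shape, and the log message on the next line spells "successful" as "sucessful", worth fixing if the line is touched anyway. The enclosing function starts and ends outside the hunk.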
local value=$@
if ! isinteger value; then
- value=$(parse_time $@)
+ value=$(parse_time "$@")
if [ ! $? -eq 0 ]; then
log ERROR "Parsing the passed time was not sucessful please check the passed values."
return ${EXIT_ERROR}
case ${cmd} in
address)
- ipsec_connection_local_address "${connection}" $@
+ ipsec_connection_local_address "${connection}" "$@"
;;
id)
- ipsec_connection_id "${connection}" "LOCAL" $@
+ ipsec_connection_id "${connection}" "LOCAL" "$@"
;;
prefix)
- ipsec_connection_prefix "${connection}" "LOCAL" $@
+ ipsec_connection_prefix "${connection}" "LOCAL" "$@"
;;
*)
log ERROR "Unrecognized argument: ${cmd}"
for pool in ${pools_added}; do
- if ! ipsec_pool_exists ${pool} && ! ipsec_pool_check_config ${pool}; then
+ if ipsec_pool_exists ${pool} && ipsec_pool_check_config ${pool}; then
if ! list_append_unique "POOLS" ${pool}; then
warning "${pool} is already on the prefix list"
fi
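Review bot: The corrected condition `if ipsec_pool_exists ${pool} && ipsec_pool_check_config ${pool}; then` now silently drops any pool that does not exist or fails its config check, unless the `else` branch (outside the hunk) reports it; without a diagnostic there, a typo in a pool name is only visible as a missing `pools =` entry in the generated config. Both `${pool}` expansions on that line and on `list_append_unique "POOLS" ${pool}` are also unquoted, which is inconsistent with the `"$@"` quoting this commit applies elsewhere. Suggested line: `if ipsec_pool_exists "${pool}" && ipsec_pool_check_config "${pool}"; then`, plus an `error "Pool ${pool} does not exist or has an invalid configuration"` in the else branch if it is not already there. The enclosing loop and function continue outside the hunk.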
case ${cmd} in
id)
- ipsec_connection_id "${connection}" "REMOTE" $@
+ ipsec_connection_id "${connection}" "REMOTE" "$@"
;;
prefix)
- ipsec_connection_prefix "${connection}" "REMOTE" $@
+ ipsec_connection_prefix "${connection}" "REMOTE" "$@"
;;
*)
log ERROR "Unrecognized argument: ${cmd}"
local value=$@
if ! isinteger value; then
- value=$(parse_time $@)
+ value=$(parse_time "$@")
if [ ! $? -eq 0 ]; then
log ERROR "Parsing the passed time was not sucessful please check the passed values."
return ${EXIT_ERROR}
# Function that creates one VPN IPsec connection
ipsec_connection_new() {
- if [ $# -gt 1 ]; then
+ if [ $# -gt 2 ]; then
error "Too many arguments"
return ${EXIT_ERROR}
fi
local connection="${1}"
+ local type="${2}"
+
if ! isset connection; then
error "Please provide a connection name"
return ${EXIT_ERROR}
return ${EXIT_ERROR}
fi
+ # Set TYPE to default if not set by the user
+ if ! isset type; then
+ type="${IPSEC_DEFAULT_TYPE}"
+ fi
+
+ if ! isoneof "type" "net-to-net" "host-to-net"; then
+ error "Type is invalid"
+ return ${EXIT_ERROR}
+ fi
+
log DEBUG "Creating VPN IPsec connection ${connection}"
if ! mkdir -p "${NETWORK_IPSEC_CONNS_DIR}/${connection}"; then
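Review bot: The new type validation hard-codes the accepted values in `isoneof "type" "net-to-net" "host-to-net"` while the file already keeps such lists in constants (`IPSEC_VALID_MODES`, `IPSEC_VALID_AUTH_MODES` above); an `IPSEC_VALID_TYPES="net-to-net host-to-net"` next to them and `isoneof type ${IPSEC_VALID_TYPES}` here keeps the list in one place for any later setter. The rejection message `error "Type is invalid"` omits the offending value; `error "Invalid connection type: ${type}"` tells the caller what was rejected. The header comment should also document the new optional argument, e.g. `# Arguments: $1 - connection name, $2 - type (net-to-net|host-to-net; defaults to IPSEC_DEFAULT_TYPE)`, and since no `type` key is added to the connection setter dispatcher earlier in this diff, TYPE appears to be fixed at creation time, which is worth stating in that comment if intended. The body of ipsec_connection_new continues outside the hunk.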
ENABLED=${IPSEC_DEFAULT_ENABLED}
MODE=${IPSEC_DEFAULT_MODE}
START_ACTION=${IPSEC_DEFAULT_START_ACTION}
+ TYPE="${type}"
INACTIVITY_TIMEOUT=${IPSEC_DEFAULT_INACTIVITY_TIMEOUT}
SECURITY_POLICY=${IPSEC_DEFAULT_SECURITY_POLICY}
# Function that deletes based on the passed parameters one ore more vpn security policies
ipsec_connection_destroy() {
local connection
- for connection in $@; do
+ for connection in "$@"; do
if ! ipsec_connection_exists "${connection}"; then
log ERROR "The VPN IPsec connection ${connection} does not exist."
continue
print_indent 2 "fragmentation = yes"
print
- # Pools
- if isset POOLS; then
- print_indent 2 "# Pools"
- print_indent 2 "pools = $(list_join POOLS ", ")"
- print
- fi
+
+ # Host-to-Net specific settings
+ case "${TYPE}" in
+ host-to-net)
+ # Pools
+ if isset POOLS; then
+ print_indent 2 "# Pools"
+ print_indent 2 "pools = $(list_join POOLS ", ")"
+ print
+ fi
+ ;;
+ esac
# Local
print_indent 2 "local {"
print
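Review bot: `case "${TYPE}" in host-to-net) … esac` has no `*)` arm, so a connection whose settings file carries an empty or unexpected TYPE gets no pools here and, in the same way, no start_action from the `net-to-net` case further down; connections created before this change have no TYPE line in their settings at all, so unless the settings loader (not visible here) fills in `IPSEC_DEFAULT_TYPE`, existing connections silently lose their start_action/close_action. TYPE is only validated in ipsec_connection_new, not when it is read back, so this path also covers hand-edited settings. Suggested arm in both case statements: `*) log ERROR "Unknown connection type: ${TYPE}" ;;`, or defaulting an empty TYPE to `${IPSEC_DEFAULT_TYPE}` before the first case. The enclosing config-writer function starts and ends outside the hunk.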
fi
- # Start Action
- print_indent 4 "# Start Action"
- case "${START_ACTION}" in
- on-demand)
- print_indent 4 "start_action = trap"
- print_indent 4 "close_action = trap"
- ;;
- wait)
- print_indent 4 "start_action = none"
- print_indent 4 "close_action = none"
- ;;
- always-on|*)
- print_indent 4 "start_action = start"
- print_indent 4 "close_action = start"
+ # Net-to-Net specific settings
+ case "${TYPE}" in
+ net-to-net)
+ # Start Action
+ print_indent 4 "# Start Action"
+ case "${START_ACTION}" in
+ on-demand)
+ print_indent 4 "start_action = trap"
+ print_indent 4 "close_action = trap"
+ ;;
+ wait)
+ print_indent 4 "start_action = none"
+ print_indent 4 "close_action = none"
+ ;;
+ always-on|*)
+ print_indent 4 "start_action = start"
+ print_indent 4 "close_action = start"
+ ;;
+ esac
+ print
;;
esac
- print
print_indent 3 "}"
print_indent 2 "}"
if [ $# -eq 0 ] && [ -n "${IPSEC_POOL_CONFIG_SETTINGS}" ]; then
list_append args ${IPSEC_POOL_CONFIG_SETTINGS}
else
- list_append args $@
+ list_append args "$@"
fi
local path="${NETWORK_IPSEC_POOLS_DIR}/${pool}/settings"
# one ore more vpn ipsec pools
ipsec_pool_destroy() {
local pool
- for pool in $@; do
+ for pool in "$@"; do
if ! ipsec_pool_exists "${pool}"; then
log ERROR "The VPN IPsec pool ${pool} does not exist."
continue