TYPE \
ENABLED"
-IPSEC_POOL_CONFIG_SETTINGS="\
- DNS_SERVER \
- NETWORK \
- TYPE"
-
# Default values
IPSEC_DEFAULT_AUTH_MODE="PSK"
IPSEC_DEFAULT_DPD_ACTION="restart"
case "${action}" in
connection)
- cli_ipsec_connection $@
+ cli_ipsec_connection "$@"
;;
pool)
- cli_ipsec_pool $@
+ cli_ipsec_pool "$@"
;;
*)
error "Unrecognized argument: ${action}"
case "${key}" in
authentication|down|disable|dpd|enable|inactivity_timeout|local|mode|peer|pool|remote|security_policy|start_action|up)
- ipsec_connection_${key} ${connection} $@
- ;;
- show)
- cli_ipsec_connection_show "${connection}"
- exit $?
- ;;
- *)
- error "Unrecognized argument: ${key}"
- exit ${EXIT_ERROR}
+ ipsec_connection_${key} ${connection} "$@"
;;
- esac
- else
- local action=${1}
- shift
-
- case "${action}" in
- new)
- ipsec_connection_new $@
+ color)
+ color_cli "ipsec-connection" "${connection}" "$@"
;;
- destroy)
- cli_ipsec_connection_destroy $@
- ;;
- ""|*)
- if [ -n "${action}" ]; then
- error "Unrecognized argument: '${action}'"
- fi
- exit ${EXIT_ERROR}
- ;;
- esac
- fi
-}
-
-cli_ipsec_pool() {
- if ipsec_pool_exists ${1}; then
- local pool=${1}
- local key=${2}
- key=${key//-/_}
- shift 2
-
- case "${key}" in
- dns_server|network)
- ipsec_pool_${key} ${pool} $@
+ description)
+ description_cli "ipsec-connection" ${connection} $@
;;
show)
- cli_ipsec_pool_show "${pool}"
+ cli_ipsec_connection_show "${connection}"
exit $?
;;
*)
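Review bot: The new `description` arm passes `${connection}` and `$@` unquoted while the neighbouring new arms (`ipsec_connection_${key}` and `color_cli`) were given `"$@"` in this same commit, so a description containing spaces is still word-split on that path. Suggest `description_cli "ipsec-connection" "${connection}" "$@"`; the `${connection}` argument of the `ipsec_connection_${key}` dispatch line could be quoted the same way. The allowlist of keys in the `case` is what keeps the `ipsec_connection_${key}` indirection safe, so any future arm should be added there rather than falling through. cli_ipsec_connection's header and its remaining arms lie outside this hunk.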
case "${action}" in
new)
- ipsec_pool_new $@
+ ipsec_connection_new "$@"
;;
destroy)
- ipsec_pool_destroy $@
+ cli_ipsec_connection_destroy "$@"
;;
""|*)
if [ -n "${action}" ]; then
ipsec_strongswan_autostart
}
+ipsec_connection_get_color() {
+ # This function return the color of a zone
+ assert [ $# -eq 1 ]
+
+ local name=${1}
+ color_read "ipsec-connection" ${name}
+}
+
+ipsec_connection_get_description_title() {
+ assert [ $# -eq 1 ]
+
+ local name=${1}
+ description_title_read $(description_format_filename "ipsec-connection" "${name}")
+}
+
cli_ipsec_connection_show() {
local connection="${1}"
cli_headline 0 "IPsec VPN Connection: ${connection}"
cli_space
+ cli_print_fmt1 1 "Color" "$(cli_color_bar $(ipsec_connection_get_color ${connection}))"
+ cli_print_fmt1 1 "Description" "$(ipsec_connection_get_description_title ${connection})"
+ cli_space
+
# Peer
if isset PEER; then
cli_print_fmt1 1 "Peer" "${PEER}"
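Review bot: The comment in ipsec_connection_get_color says the function returns the color of a zone, but it reads the color of an IPsec connection (`color_read "ipsec-connection" ${name}`); suggest `# Returns the color configured for the given IPsec connection`. The `${name}` argument to color_read and the command substitution handed to description_title_read are unquoted, unlike the rest of the code this commit touches: `color_read "ipsec-connection" "${name}"` and `description_title_read "$(description_format_filename "ipsec-connection" "${name}")"` keep a name with unusual characters intact. The two `${connection}` expansions added to cli_ipsec_connection_show have the same issue; that function continues outside this hunk.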
if [ $# -eq 0 ] && [ -n "${IPSEC_CONNECTION_CONFIG_SETTINGS}" ]; then
list_append args ${IPSEC_CONNECTION_CONFIG_SETTINGS}
else
- list_append args $@
+ list_append args "$@"
fi
local path="${NETWORK_IPSEC_CONNS_DIR}/${connection}/settings"
case ${cmd} in
mode)
- ipsec_connection_authentication_mode "${connection}" $@
+ ipsec_connection_authentication_mode "${connection}" "$@"
;;
pre-shared-key)
- ipsec_connection_authentication_psk "${connection}" $@
+ ipsec_connection_authentication_psk "${connection}" "$@"
;;
*)
log ERROR "Unrecognized argument: ${cmd}"
return ${EXIT_ERROR}
fi
+ if ! [ -f "${NETWORK_IPSEC_SWANCTL_CONNECTIONS_DIR}/${connection}.conf" ]; then
+ log DEBUG "Could not find a swanctl config, generating swanctl config"
+ ipsec_connection_to_strongswan "${connection}"
+ ipsec_strongswan_load
+ fi
+
cmd swanctl --initiate --child "${connection}"
}
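Review bot: The return status of `ipsec_connection_to_strongswan` and `ipsec_strongswan_load` in the new block is not checked, so when the swanctl config cannot be generated or loaded the function still runs `cmd swanctl --initiate` for a connection strongSwan does not know, and the real cause is hidden behind the initiate error. Suggest guarding both calls in the file's usual style, `if ! ipsec_connection_to_strongswan "${connection}" || ! ipsec_strongswan_load; then` followed by `log ERROR "Could not generate or load the swanctl config for ${connection}"` and `return ${EXIT_ERROR}`. The enclosing function starts outside this hunk.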
case ${cmd} in
action)
- ipsec_connection_dpd_action "${connection}" $@
+ ipsec_connection_dpd_action "${connection}" "$@"
;;
delay)
- ipsec_connection_dpd_delay "${connection}" $@
+ ipsec_connection_dpd_delay "${connection}" "$@"
;;
timeout)
- ipsec_connection_dpd_timeout "${connection}" $@
+ ipsec_connection_dpd_timeout "${connection}" "$@"
;;
*)
log ERROR "Unrecognized argument: ${cmd}"
local value=$@
if ! isinteger value; then
- value=$(parse_time $@)
+ value=$(parse_time "$@")
if [ ! $? -eq 0 ]; then
log ERROR "Parsing the passed time was not sucessful please check the passed values."
return ${EXIT_ERROR}
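Review bot: `value=$(parse_time "$@")` followed by `if [ ! $? -eq 0 ]` tests the substitution's status indirectly; the same check reads more clearly as `if ! value=$(parse_time "$@"); then`, which does not depend on `$?` surviving to the next statement. The same construct appears in the two later hunks that make the identical parse_time quoting change. The enclosing function starts and ends outside this hunk.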
local value=$@
if ! isinteger value; then
- value=$(parse_time $@)
+ value=$(parse_time "$@")
if [ ! $? -eq 0 ]; then
log ERROR "Parsing the passed time was not sucessful please check the passed values."
return ${EXIT_ERROR}
case ${cmd} in
address)
- ipsec_connection_local_address "${connection}" $@
+ ipsec_connection_local_address "${connection}" "$@"
;;
id)
- ipsec_connection_id "${connection}" "LOCAL" $@
+ ipsec_connection_id "${connection}" "LOCAL" "$@"
;;
prefix)
- ipsec_connection_prefix "${connection}" "LOCAL" $@
+ ipsec_connection_prefix "${connection}" "LOCAL" "$@"
;;
*)
log ERROR "Unrecognized argument: ${cmd}"
case ${cmd} in
id)
- ipsec_connection_id "${connection}" "REMOTE" $@
+ ipsec_connection_id "${connection}" "REMOTE" "$@"
;;
prefix)
- ipsec_connection_prefix "${connection}" "REMOTE" $@
+ ipsec_connection_prefix "${connection}" "REMOTE" "$@"
;;
*)
log ERROR "Unrecognized argument: ${cmd}"
local value=$@
if ! isinteger value; then
- value=$(parse_time $@)
+ value=$(parse_time "$@")
if [ ! $? -eq 0 ]; then
log ERROR "Parsing the passed time was not sucessful please check the passed values."
return ${EXIT_ERROR}
assert [ $# -eq 1 ]
local peer=${1}
- # TODO Accept also FQDNs
+ # IP addresses are accepted
if ip_is_valid ${peer}; then
return ${EXIT_TRUE}
- else
- return ${EXIT_FALSE}
fi
+
+ # FQDNs are okay, too
+ if fqdn_is_valid "${peer}"; then
+ return ${EXIT_TRUE}
+ fi
+
+ # We cannot use anything else
+ return ${EXIT_FALSE}
}
# This function checks if a VPN IPsec connection name is valid
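Review bot: In the rewritten ipsec_connection_check_peer, `ip_is_valid ${peer}` is still unquoted while the newly added `fqdn_is_valid "${peer}"` quotes its argument; for consistency with the rest of this commit, `if ip_is_valid "${peer}"; then`. The function's header comment and signature lie outside this hunk.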
# Function that deletes based on the passed parameters one ore more vpn security policies
ipsec_connection_destroy() {
local connection
- for connection in $@; do
+ for connection in "$@"; do
if ! ipsec_connection_exists "${connection}"; then
log ERROR "The VPN IPsec connection ${connection} does not exist."
continue
# List all ipsec connections
ipsec_list_connections() {
- local connection
- for connection in ${NETWORK_IPSEC_CONNS_DIR}/*; do
- [ -d ${connection} ] || continue
- basename ${connection}
- done
+ list_directory "${NETWORK_IPSEC_CONNS_DIR}"
}
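Review bot: The loop that `list_directory` replaces returned only entries that are directories (`[ -d ${connection} ] || continue`); if list_directory echoes every entry under `${NETWORK_IPSEC_CONNS_DIR}`, a stray file in that directory would now be reported as a connection. Whether list_directory filters by type is not visible here; if it does not, either keep the `-d` check or record the assumption in the function comment, e.g. `# Assumes only connection directories live in ${NETWORK_IPSEC_CONNS_DIR}`.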
ipsec_connection_to_strongswan() {
print_indent 2 "fragmentation = yes"
print
- # Pools
- if isset POOLS; then
- print_indent 2 "# Pools"
- print_indent 2 "pools = $(list_join POOLS ", ")"
- print
- fi
+
+ # Host-to-Net specific settings
+ case "${TYPE}" in
+ host-to-net)
+ # Pools
+ if isset POOLS; then
+ print_indent 2 "# Pools"
+ print_indent 2 "pools = $(list_join POOLS ", ")"
+ print
+ fi
+ ;;
+ esac
# Local
print_indent 2 "local {"
print
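Review bot: The `case "${TYPE}"` that now gates the pools block has no `*)` arm, so a connection whose settings still carry POOLS but whose TYPE is net-to-net (or unset) silently loses the `pools =` line the previous code always wrote, and nothing tells the operator why the pool is no longer offered. A `*)` arm that logs it, `*) isset POOLS && log WARNING "Ignoring pools for connection type '${TYPE}'" ;;`, or a one-line comment stating that pools are only meaningful for host-to-net connections, would make the intent visible. ipsec_connection_to_strongswan continues outside this hunk in both directions.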
fi
- # Start Action
- print_indent 4 "# Start Action"
- case "${START_ACTION}" in
- on-demand)
- print_indent 4 "start_action = trap"
- print_indent 4 "close_action = trap"
- ;;
- wait)
- print_indent 4 "start_action = none"
- print_indent 4 "close_action = none"
- ;;
- always-on|*)
- print_indent 4 "start_action = start"
- print_indent 4 "close_action = start"
+ # Net-to-Net specific settings
+ case "${TYPE}" in
+ net-to-net)
+ # Start Action
+ print_indent 4 "# Start Action"
+ case "${START_ACTION}" in
+ on-demand)
+ print_indent 4 "start_action = trap"
+ print_indent 4 "close_action = trap"
+ ;;
+ wait)
+ print_indent 4 "start_action = none"
+ print_indent 4 "close_action = none"
+ ;;
+ always-on|*)
+ print_indent 4 "start_action = start"
+ print_indent 4 "close_action = start"
+ ;;
+ esac
+ print
;;
esac
- print
print_indent 3 "}"
print_indent 2 "}"
print_indent 0 "}"
}
-
-# This function writes all values to a via ${pool} specificated VPN IPsec pool configuration file
-ipsec_pool_write_config() {
- assert [ $# -ge 1 ]
-
- local pool="${1}"
-
- if ! ipsec_pool_exists "${pool}"; then
- log ERROR "No such VPN IPsec pool: ${pool}"
- return ${EXIT_ERROR}
- fi
-
- local path="${NETWORK_IPSEC_POOLS_DIR}/${pool}/settings"
-
- if ! settings_write "${path}" ${IPSEC_POOL_CONFIG_SETTINGS}; then
- log ERROR "Could not write configuration settings for VPN IPsec pool ${pool}"
- return ${EXIT_ERROR}
- fi
-
- if ! ipsec_pool_reload ${pool}; then
- log WARNING "Could not reload IPsec pool ${pool}"
- fi
-
- # When we get here the writing of the config file was successful
- return ${EXIT_OK}
-}
-
-# This funtion writes the value for one key to a via ${connection} specificated
-# VPN IPsec pool configuration file
-ipsec_pool_write_config_key() {
- assert [ $# -ge 3 ]
-
- local pool=${1}
- local key=${2}
- shift 2
-
- local value="$@"
-
- if ! ipsec_pool_exists "${pool}"; then
- log ERROR "No such VPN IPsec pool: ${pool}"
- return ${EXIT_ERROR}
- fi
-
- log DEBUG "Set '${key}' to new value '${value}' in VPN IPsec pool '${pool}'"
-
- local ${IPSEC_POOL_CONFIG_SETTINGS}
-
- # Read the config settings
- if ! ipsec_pool_read_config "${pool}"; then
- return ${EXIT_ERROR}
- fi
-
- # Set the key to a new value
- assign "${key}" "${value}"
-
- if ! ipsec_pool_write_config "${pool}"; then
- return ${EXIT_ERROR}
- fi
-
- return ${EXIT_TRUE}
-}
-
-# Reads one or more keys out of a settings file or all if no key is provided.
-ipsec_pool_read_config() {
- assert [ $# -ge 1 ]
-
- local pool="${1}"
- shift 1
-
- if ! ipsec_pool_exists "${pool}"; then
- log ERROR "No such VPN IPsec pool : ${pool}"
- return ${EXIT_ERROR}
- fi
-
- local args
- if [ $# -eq 0 ] && [ -n "${IPSEC_POOL_CONFIG_SETTINGS}" ]; then
- list_append args ${IPSEC_POOL_CONFIG_SETTINGS}
- else
- list_append args $@
- fi
-
- local path="${NETWORK_IPSEC_POOLS_DIR}/${pool}/settings"
-
- if ! settings_read "${path}" ${args}; then
- log ERROR "Could not read settings for VPN IPsec pool ${pool}"
- return ${EXIT_ERROR}
- fi
-}
-
-# This function checks if a vpn IPsec pool exists
-# Returns True when yes and false when not
-ipsec_pool_exists() {
- assert [ $# -eq 1 ]
-
- local pool=${1}
-
- local path="${NETWORK_IPSEC_POOLS_DIR}/${pool}"
-
- [ -d "${path}" ] && return ${EXIT_TRUE} || return ${EXIT_FALSE}
-}
-
-# This function checks if a VPN IPsec pool name is valid
-# Allowed are only A-Za-z0-9
-ipsec_pool_check_name() {
- assert [ $# -eq 1 ]
-
- local pool=${1}
-
- # These are special words in strongswan
- if isoneof pool dhcp radius; then
- return ${EXIT_ERROR}
- fi
-
- [[ "${pool}" =~ [^[:alnum:]$] ]]
-}
-
-ipsec_pool_new() {
- if [ $# -gt 1 ]; then
- error "Too many arguments"
- return ${EXIT_ERROR}
- fi
-
- local pool="${1}"
- if ! isset pool; then
- error "Please provide a pool name"
- return ${EXIT_ERROR}
- fi
-
- # Check for duplicates
- if ipsec_pool_exists "${pool}"; then
- error "The VPN IPsec pool ${pool} already exists"
- return ${EXIT_ERROR}
- fi
-
- # Check if the name of the connection is valid
- if ipsec_pool_check_name "${pool}"; then
- error "'${pool}' contains illegal characters"
- return ${EXIT_ERROR}
- fi
-
- log DEBUG "Creating VPN IPsec pool ${pool}"
-
- if ! mkdir -p "${NETWORK_IPSEC_POOLS_DIR}/${pool}"; then
- log ERROR "Could not create config directory for ${pool}"
- return ${EXIT_ERROR}
- fi
-
- local ${IPSEC_POOL_CONFIG_SETTINGS}
-
- if ! ipsec_pool_write_config "${pool}"; then
- log ERROR "Could not write new config file"
- return ${EXIT_ERROR}
- fi
-}
-
-# Function that deletes based on the passed parameters
-# one ore more vpn ipsec pools
-ipsec_pool_destroy() {
- local pool
- for pool in $@; do
- if ! ipsec_pool_exists "${pool}"; then
- log ERROR "The VPN IPsec pool ${pool} does not exist."
- continue
- fi
-
- log DEBUG "Deleting VPN IPsec pool ${pool}"
-
- if ! rm -rf "${NETWORK_IPSEC_POOLS_DIR}/${pool}"; then
- log ERROR "Deleting the VPN IPsec pool ${pool} was not sucessful"
- return ${EXIT_ERROR}
- fi
- done
-}
-
-ipsec_pool_set_type() {
- local pool=${1}
- local ip=${2}
- assert isset pool
- assert isset ip
-
- local type=$(ip_detect_protocol ${ip})
-
- if ! isset type; then
- error "Cannot detect IP protocol of ${ip}"
- return ${EXIT_ERROR}
- else
- log DEBUG "IP protocol of ${ip} is ${type}"
- if ! ipsec_pool_write_config_key "${pool}" "TYPE" ${type}; then
- log ERROR "Could not write configuration settings"
- return ${EXIT_ERROR}
- fi
- fi
-}
-
-ipsec_pool_network() {
- if [ ! $# -eq 2 ]; then
- log ERROR "Not enough arguments"
- return ${EXIT_ERROR}
- fi
- local pool=${1}
- local network=${2}
-
- local TYPE
- if ! ipsec_pool_read_config ${pool} "TYPE"; then
- error "Failed to read configuration settings for pool '${pool}'"
- return ${EXIT_ERROR}
- fi
-
- if ! isset TYPE; then
- if ! ip_net_is_valid ${network}; then
- log ERROR "Network '${network}' is invalid"
- return ${EXIT_ERROR}
- fi
-
- if ! ipsec_pool_set_type ${pool} ${network}; then
- log ERROR "Could not set type for IPsec pool ${pool}"
- return ${EXIT_ERROR}
- fi
- else
- if ! ${TYPE}_net_is_valid ${network}; then
- log ERROR "Network '${network}' is invalid"
- return ${EXIT_ERROR}
- fi
- fi
-
- if ! ipsec_pool_write_config_key "${pool}" "NETWORK" ${network}; then
- log ERROR "Could not write configuration settings"
- return ${EXIT_ERROR}
- fi
-}
-
-ipsec_pool_dns_server() {
- if [ ! $# -eq 2 ]; then
- log ERROR "Not enough arguments"
- return ${EXIT_ERROR}
- fi
- local pool=${1}
- local dns_server=${2}
-
- local TYPE
- if ! ipsec_pool_read_config ${pool} "TYPE"; then
- error "Failed to read configuration settings for pool '${pool}'"
- return ${EXIT_ERROR}
- fi
-
- if ! isset TYPE; then
- if ! ip_is_valid ${dns_server}; then
- log ERROR "DNS server '${dns_server}' is invalid"
- return ${EXIT_ERROR}
- fi
-
- if ! ipsec_pool_set_type ${pool} ${dns_server}; then
- log ERROR "Could not set type for IPsec pool ${pool}"
- return ${EXIT_ERROR}
- fi
- else
- if ! ${TYPE}_is_valid ${dns_server}; then
- log ERROR "DNS server '${dns_server}' is invalid"
- return ${EXIT_ERROR}
- fi
- fi
-
- if ! ipsec_pool_write_config_key "${pool}" "DNS_SERVER" ${dns_server}; then
- log ERROR "Could not write configuration settings"
- return ${EXIT_ERROR}
- fi
-}
-
-ipsec_pool_check_config() {
- local pool=${1}
- assert isset pool
-
- local ${IPSEC_POOL_CONFIG_SETTINGS}
- if ! ipsec_pool_read_config "${pool}"; then
- log ERROR "Could not read configuration settings"
- return ${EXIT_ERROR}
- fi
-
- if ! isset NETWORK; then
- log ERROR "Network for IPSec pool ${pool} is not set"
- return ${EXIT_ERROR}
- fi
-
- if ! isset TYPE; then
- TYPE=$(ip_detect_protocol ${NETWORK})
- log DEBUG "IP protocol of ${NETWORK} is ${TYPE}"
- if ! isset TYPE; then
- error "Cannot detect IP protocol of ${NETWORK}"
- return ${EXIT_ERROR}
- else
- if ! ipsec_pool_write_config_key "${pool}" "TYPE" ${TYPE}; then
- log ERROR "Could not write configuration settings"
- return ${EXIT_ERROR}
- fi
- fi
- else
- if ! ${TYPE}_net_is_valid ${NETWORK}; then
- log ERROR "NETWORK '${NETWORK}' is invalid"
- return ${EXIT_ERROR}
- fi
-
- if isset DNS_SERVER && ! ${TYPE}_is_valid ${DNS_SERVER}; then
- log ERROR "DNS server '${DNS_SERVER}' is invalid"
- return ${EXIT_ERROR}
- fi
- fi
-
- return ${EXIT_OK}
-}
-
-ipsec_pool_reload() {
- local pool=${1}
-
- if ! ipsec_pool_to_strongswan ${pool}; then
- log ERROR "Could not generate strongswan config for ${pool}"
- return ${EXIT_ERROR}
- fi
-
- ipsec_strongswan_load
-}
-
-ipsec_pool_to_strongswan() {
- local pool=${1}
-
- log DEBUG "Generating IPsec pool config for ${pool}"
-
- local ${IPSEC_POOL_CONFIG_SETTINGS}
- if ! ipsec_pool_read_config "${pool}"; then
- return ${EXIT_ERROR}
- fi
-
- if isset NETWORK && ! ipsec_pool_check_config "${pool}"; then
- log ERROR "Configuration of ${pool} seems to be invalid"
- return ${EXIT_ERROR}
- fi
-
- local path="${NETWORK_IPSEC_SWANCTL_POOLS_DIR}/${pool}.conf"
-
- (
- config_header "strongSwan pool configuration"
-
- if isset NETWORK; then
- print_indent 0 "pools {"
-
- print_indent 1 "${pool} {"
- print_indent 2 "addrs = ${NETWORK}"
-
- if isset DNS_SERVER; then
- print_indent 2 "dns = ${DNS_SERVER}"
- fi
-
- print_indent 1 "}"
- print_indent 0 "}"
- fi
- ) > ${path}
-}