1 | #!/bin/bash |
2 | ############################################################################### | |
3 | # # | |
4 | # IPFire.org - A linux based firewall # | |
5 | # Copyright (C) 2017 IPFire Network Development Team # | |
6 | # # | |
7 | # This program is free software: you can redistribute it and/or modify # | |
8 | # it under the terms of the GNU General Public License as published by # | |
9 | # the Free Software Foundation, either version 3 of the License, or # | |
10 | # (at your option) any later version. # | |
11 | # # | |
12 | # This program is distributed in the hope that it will be useful, # | |
13 | # but WITHOUT ANY WARRANTY; without even the implied warranty of # | |
14 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # | |
15 | # GNU General Public License for more details. # | |
16 | # # | |
17 | # You should have received a copy of the GNU General Public License # | |
18 | # along with this program. If not, see <http://www.gnu.org/licenses/>. # | |
19 | # # | |
20 | ############################################################################### | |
21 | ||
# Names of all keys that make up the settings file of one IPsec connection.
# The list is used unquoted (word-split) wherever it is consumed, e.g. by
# "local ${IPSEC_CONNECTION_CONFIG_SETTINGS}" and by settings_read/settings_write.
IPSEC_CONNECTION_CONFIG_SETTINGS="AUTH_MODE DPD_ACTION DPD_DELAY DPD_TIMEOUT \
	INACTIVITY_TIMEOUT LOCAL_ADDRESS LOCAL_ID LOCAL_PREFIX MODE PEER POOLS \
	PSK REMOTE_ID REMOTE_PREFIX SECURITY_POLICY START_ACTION TYPE ENABLED ZONE"
42 | |
# Default values for connection settings (cli_ipsec_connection_show, for
# example, falls back to IPSEC_DEFAULT_SECURITY_POLICY when the key is unset)
IPSEC_DEFAULT_AUTH_MODE="PSK"
IPSEC_DEFAULT_DPD_ACTION="restart"
IPSEC_DEFAULT_DPD_DELAY=30
IPSEC_DEFAULT_DPD_TIMEOUT=120
IPSEC_DEFAULT_ENABLED="true"
IPSEC_DEFAULT_INACTIVITY_TIMEOUT=0
IPSEC_DEFAULT_MODE="tunnel"
IPSEC_DEFAULT_SECURITY_POLICY="system"
IPSEC_DEFAULT_START_ACTION="on-demand"
IPSEC_DEFAULT_TYPE="net-to-net"

# Values accepted by ipsec_connection_mode and
# ipsec_connection_authentication_mode respectively
IPSEC_VALID_MODES="transport tunnel"
IPSEC_VALID_AUTH_MODES="PSK"
917a1aa0 | 57 | |
# Entry point of the "ipsec" CLI command.  The first argument selects the
# "connection" or "pool" handler; anything else terminates with an error.
cli_ipsec() {
	local action="${1}"
	shift 1

	local handler=""
	case "${action}" in
		connection|pool)
			handler="cli_ipsec_${action}"
			;;
		*)
			error "Unrecognized argument: ${action}"
			exit ${EXIT_ERROR}
			;;
	esac

	# Remaining arguments are passed through untouched
	"${handler}" "$@"
}
75 | ||
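# Handles "ipsec connection ...".  When the first argument names an existing
# connection, the second one selects a per-connection action (dashes in the
# action name map to underscores in the handler function).  Otherwise the
# first argument is a management action (new/destroy).
cli_ipsec_connection() {
	if ipsec_connection_exists "${1}"; then
		local connection="${1}"
		local key="${2}"
		# CLI actions use dashes, the handler functions use underscores
		key="${key//-/_}"
		shift 2

		case "${key}" in
			authentication|down|disable|dpd|enable|inactivity_timeout|local|mode|peer|pool|remote|security_policy|start_action|up|zone)
				ipsec_connection_${key} "${connection}" "$@"
				;;
			color)
				color_cli "ipsec-connection" "${connection}" "$@"
				;;
			description)
				# Quoted like the color branch so that a description
				# containing whitespace is not split into separate words
				description_cli "ipsec-connection" "${connection}" "$@"
				;;
			show)
				cli_ipsec_connection_show "${connection}"
				exit $?
				;;
			*)
				error "Unrecognized argument: ${key}"
				exit ${EXIT_ERROR}
				;;
		esac
	else
		local action="${1}"
		shift

		case "${action}" in
			new)
				ipsec_connection_new "$@"
				;;
			destroy)
				cli_ipsec_connection_destroy "$@"
				;;
			*)
				# No argument at all is an error, but not worth a message
				if [ -n "${action}" ]; then
					error "Unrecognized argument: '${action}'"
				fi
				exit ${EXIT_ERROR}
				;;
		esac
	fi
}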
122 | ||
# CLI wrapper around ipsec_connection_destroy that also pushes the
# new state to strongswan.  Returns EXIT_ERROR when the connection
# could not be destroyed.
cli_ipsec_connection_destroy() {
	local connection="${1}"

	ipsec_connection_destroy "${connection}" || return ${EXIT_ERROR}

	# strongswan has to forget the removed connection
	ipsec_strongswan_load

	# Autostart may no longer be wanted when this was the last
	# enabled connection
	ipsec_strongswan_autostart
}
136 | ||
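# Prints the color assigned to an IPsec connection (not a zone, as the
# previous comment said) by looking it up via color_read.
ipsec_connection_get_color() {
	assert [ $# -eq 1 ]

	local name="${1}"
	color_read "ipsec-connection" "${name}"
}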
144 | ||
# Prints the title of the description stored for an IPsec connection
ipsec_connection_get_description_title() {
	assert [ $# -eq 1 ]

	local name="${1}"

	# The description lives in a file whose name is derived from the
	# object type and the connection name
	local filename
	filename="$(description_format_filename "ipsec-connection" "${name}")"
	description_title_read ${filename}
}
151 | ||
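# Prints the settings of one IPsec connection in a human-readable form.
# Returns EXIT_OK, or EXIT_ERROR when the settings could not be read.
cli_ipsec_connection_show() {
	local connection="${1}"

	# Read the config settings into local variables named after the keys
	local ${IPSEC_CONNECTION_CONFIG_SETTINGS}
	if ! ipsec_connection_read_config "${connection}"; then
		error "Could not read the connection configuration"
		return ${EXIT_ERROR}
	fi

	cli_headline 0 "IPsec VPN Connection: ${connection}"
	cli_space

	cli_print_fmt1 1 "Color" "$(cli_color_bar $(ipsec_connection_get_color "${connection}"))"
	cli_print_fmt1 1 "Description" "$(ipsec_connection_get_description_title "${connection}")"
	cli_space

	# Peer
	if isset PEER; then
		cli_print_fmt1 1 "Peer" "${PEER}"
	fi

	# Zone
	if isset ZONE; then
		cli_print_fmt1 1 "Zone" "${ZONE}"
	fi

	# Security Policy (falls back to the default when the key is unset)
	cli_print_fmt1 1 "Security Policy" "${SECURITY_POLICY-${IPSEC_DEFAULT_SECURITY_POLICY}}"
	cli_space

	cli_headline 2 "Authentication"
	case "${AUTH_MODE^^}" in
		PSK)
			cli_print_fmt1 2 "Mode" "Pre-Shared-Key"

			# The secret itself is never printed, only whether it is set
			if isset PSK; then
				cli_print_fmt1 2 "Pre-Shared-Key" "****"
			else
				cli_print_fmt1 2 "Pre-Shared-Key" "- is not set -"
			fi
			;;
		X509)
			: # TODO
			;;
	esac
	cli_space

	# Both sides share the same layout; ${i} selects the variable
	# prefix (LOCAL_ID/REMOTE_ID and LOCAL_PREFIX/REMOTE_PREFIX)
	local i
	for i in LOCAL REMOTE; do
		case "${i}" in
			LOCAL)
				cli_headline 2 "Local"
				;;
			REMOTE)
				cli_headline 2 "Remote"
				;;
		esac

		local id_var="${i}_ID"
		if [ -n "${!id_var}" ]; then
			cli_print_fmt1 2 "ID" "${!id_var}"
		fi

		local prefix_var="${i}_PREFIX"
		if isset ${prefix_var}; then
			cli_headline 3 "Prefix(es)"

			local prefix
			for prefix in ${!prefix_var}; do
				cli_print_fmt1 3 "${prefix}"
			done
		fi

		cli_space
	done

	cli_headline 2 "Misc."

	# NOTE(review): unlike SECURITY_POLICY above, MODE does not fall back
	# to IPSEC_DEFAULT_MODE here, so an unset key shows up as unknown
	case "${MODE}" in
		transport)
			cli_print_fmt1 2 "Transport Mode" "Transport"
			;;
		tunnel)
			cli_print_fmt1 2 "Transport Mode" "Tunnel"
			;;
		*)
			cli_print_fmt1 2 "Transport Mode" "- Unknown -"
			;;
	esac

	# Inactivity timeout (zero is not shown)
	if isset INACTIVITY_TIMEOUT && [ ${INACTIVITY_TIMEOUT} -gt 0 ]; then
		cli_print_fmt1 2 "Inactivity Timeout" "$(format_time ${INACTIVITY_TIMEOUT})"
	fi
	cli_space

	return ${EXIT_OK}
}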
251 | ||
# Marks a connection as disabled (ENABLED=false) and re-evaluates
# whether strongswan still needs to run at boot.
ipsec_connection_disable() {
	local connection="${1}"

	ipsec_connection_write_config_key "${connection}" "ENABLED" "false" || {
		log ERROR "Could not write configuration settings"
		return ${EXIT_ERROR}
	}

	# Configure strongswan autostart
	ipsec_strongswan_autostart
}
263 | ||
# Marks a connection as enabled (ENABLED=true) and re-evaluates
# whether strongswan needs to run at boot.
ipsec_connection_enable() {
	local connection="${1}"

	ipsec_connection_write_config_key "${connection}" "ENABLED" "true" || {
		log ERROR "Could not write configuration settings"
		return ${EXIT_ERROR}
	}

	# Configure strongswan autostart
	ipsec_strongswan_autostart
}
275 | ||
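# Writes all settings variables listed in IPSEC_CONNECTION_CONFIG_SETTINGS
# to the settings file of the IPsec connection ${connection} and reloads
# the connection afterwards.  The variables are expected to be in scope,
# e.g. declared with "local ${IPSEC_CONNECTION_CONFIG_SETTINGS}" and filled
# by ipsec_connection_read_config (see ipsec_connection_write_config_key).
# Returns EXIT_ERROR when the connection does not exist or the file could
# not be written; otherwise the result of ipsec_reload.
ipsec_connection_write_config() {
	assert [ $# -ge 1 ]

	local connection="${1}"

	if ! ipsec_connection_exists "${connection}"; then
		log ERROR "No such VPN IPsec connection: ${connection}"
		return ${EXIT_ERROR}
	fi

	local path="${NETWORK_IPSEC_CONNS_DIR}/${connection}/settings"

	# NOTE(review): the file also stores the PSK, so settings_write (not
	# visible here) is responsible for restrictive file permissions
	if ! settings_write "${path}" ${IPSEC_CONNECTION_CONFIG_SETTINGS}; then
		log ERROR "Could not write configuration settings for VPN IPsec connection ${connection}"
		return ${EXIT_ERROR}
	fi

	# Push the new settings to strongswan; its result is our result
	ipsec_reload "${connection}"
}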
296 | ||
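# Writes the value for one key to the settings file of the VPN IPsec
# connection ${connection}.  All arguments after the key are joined into
# the value, so list-valued settings (e.g. LOCAL_PREFIX) can be passed as
# separate words.  Returns EXIT_TRUE on success and EXIT_ERROR when the
# connection does not exist or the settings could not be read or written.
ipsec_connection_write_config_key() {
	assert [ $# -ge 3 ]

	local connection="${1}"
	local key="${2}"
	shift 2

	local value="$*"

	if ! ipsec_connection_exists "${connection}"; then
		log ERROR "No such VPN ipsec connection: ${connection}"
		return ${EXIT_ERROR}
	fi

	# Never write the secret to the log; mask it the same way
	# cli_ipsec_connection_show does
	local logged_value="${value}"
	case "${key}" in
		PSK)
			logged_value="****"
			;;
	esac
	log DEBUG "Set '${key}' to new value '${logged_value}' in VPN ipsec connection '${connection}'"

	# Load the current settings so that all other keys are
	# written back unchanged
	local ${IPSEC_CONNECTION_CONFIG_SETTINGS}

	if ! ipsec_connection_read_config "${connection}"; then
		return ${EXIT_ERROR}
	fi

	# Set the key to a new value
	assign "${key}" "${value}"

	if ! ipsec_connection_write_config "${connection}"; then
		return ${EXIT_ERROR}
	fi

	return ${EXIT_TRUE}
}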
330 | ||
# Reads the given keys from the settings file of an IPsec connection via
# settings_read.  Without explicit keys, every key listed in
# IPSEC_CONNECTION_CONFIG_SETTINGS is read.
ipsec_connection_read_config() {
	assert [ $# -ge 1 ]

	local connection="${1}"
	shift 1

	if ! ipsec_connection_exists "${connection}"; then
		log ERROR "No such VPN IPsec connection : ${connection}"
		return ${EXIT_ERROR}
	fi

	# Explicit keys win; otherwise fall back to the full list of
	# known settings (when there is one)
	local args
	if [ $# -gt 0 ] || [ -z "${IPSEC_CONNECTION_CONFIG_SETTINGS}" ]; then
		list_append args "$@"
	else
		list_append args ${IPSEC_CONNECTION_CONFIG_SETTINGS}
	fi

	local path="${NETWORK_IPSEC_CONNS_DIR}/${connection}/settings"

	if ! settings_read "${path}" ${args}; then
		log ERROR "Could not read settings for VPN IPsec connection ${connection}"
		return ${EXIT_ERROR}
	fi

	return ${EXIT_OK}
}
358 | ||
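# Checks whether a VPN IPsec connection with the given name exists.
# Returns EXIT_TRUE when its directory below NETWORK_IPSEC_CONNS_DIR is
# present, EXIT_FALSE otherwise.  The name is used as a single path
# component, so an empty name, "." / ".." or a name containing a slash
# never matches -- previously "" resolved to the connections directory
# itself and was reported as an existing connection.
ipsec_connection_exists() {
	assert [ $# -eq 1 ]

	local connection="${1}"

	case "${connection}" in
		""|.|..|*/*)
			return ${EXIT_FALSE}
			;;
	esac

	local path="${NETWORK_IPSEC_CONNS_DIR}/${connection}"

	if [ -d "${path}" ]; then
		return ${EXIT_TRUE}
	fi

	return ${EXIT_FALSE}
}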
370 | ||
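# Determines if strongswan should be automatically started when the
# system boots up: it is needed as soon as at least one connection is
# enabled, and is disabled and stopped otherwise.
ipsec_strongswan_autostart() {
	local autostart_needed="false"

	local connection
	for connection in $(ipsec_list_connections); do
		# NOTE(review): re-declaring ENABLED does not clear a value left
		# by a previous iteration; settings_read is expected to set it
		local ENABLED

		if ! ipsec_connection_read_config "${connection}" "ENABLED"; then
			log WARNING "Could not read configuration"
			continue
		fi

		# One enabled connection is enough
		if enabled ENABLED; then
			autostart_needed="true"
			break
		fi
	done

	# Start strongswan when we need it and when it is not yet enabled
	if ${autostart_needed}; then
		if ! service_is_enabled "strongswan"; then
			service_enable "strongswan"
		fi

		if ! service_is_active "strongswan"; then
			service_start "strongswan"
		fi

	# Disable strongswan when we do not need it but it is enabled
	# (autostart_needed is only ever "true" or "false", so a plain
	# else is exact)
	else
		if service_is_enabled "strongswan"; then
			service_disable "strongswan"
		fi

		if service_is_active "strongswan"; then
			service_stop "strongswan"
		fi
	fi
}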
412 | ||
# Asks a running strongswan to reload all connection configurations.
# Succeeds without doing anything when the service is not active.
ipsec_strongswan_load() {
	# Nothing to reload while strongswan is down
	service_is_active "strongswan" || return ${EXIT_OK}

	cmd swanctl --load-all && return ${EXIT_OK}

	log ERROR "Could not reload strongswan config"
	return ${EXIT_ERROR}
}
424 | ||
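# Regenerates (enabled) or removes (disabled) the strongswan configuration
# of a connection after its settings changed, then reloads strongswan.
ipsec_reload() {
	local connection="${1}"

	local ENABLED

	if ! ipsec_connection_read_config "${connection}" "ENABLED"; then
		log ERROR "Could not read configuration for IPsec connection ${connection}"
		return ${EXIT_ERROR}
	fi

	if enabled ENABLED; then
		if ! ipsec_connection_to_strongswan "${connection}"; then
			# The previous message expanded a misspelled variable name
			# and therefore printed no connection name at all
			log ERROR "Could not generate strongswan config for ${connection}"
			return ${EXIT_ERROR}
		fi
	else
		# A disabled connection must not be known to strongswan
		log DEBUG "Deleting strongswan config ${NETWORK_IPSEC_SWANCTL_CONNECTIONS_DIR}/${connection}.conf"
		unlink "${NETWORK_IPSEC_SWANCTL_CONNECTIONS_DIR}/${connection}.conf"
	fi

	ipsec_strongswan_load
}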
448 | ||
# Dispatches "authentication <mode|pre-shared-key> ..." for a connection
ipsec_connection_authentication() {
	[ $# -ge 2 ] || {
		log ERROR "Not enough arguments"
		return ${EXIT_ERROR}
	}

	local connection="${1}"
	local cmd="${2}"
	shift 2

	case "${cmd}" in
		mode)
			ipsec_connection_authentication_mode "${connection}" "$@"
			;;
		pre-shared-key)
			ipsec_connection_authentication_psk "${connection}" "$@"
			;;
		*)
			log ERROR "Unrecognized argument: ${cmd}"
			return ${EXIT_ERROR}
			;;
	esac
}
473 | ||
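# Sets the authentication mode of a connection.  The mode is upper-cased
# before it is compared against IPSEC_VALID_AUTH_MODES, so "psk" is accepted
# as well as "PSK" (previously only the upper-case form passed the check
# although the value was upper-cased when stored).
ipsec_connection_authentication_mode() {
	if [ $# -ne 2 ]; then
		log ERROR "Not enough arguments"
		return ${EXIT_ERROR}
	fi
	local connection="${1}"
	local mode="${2^^}"

	if ! isoneof mode ${IPSEC_VALID_AUTH_MODES}; then
		log ERROR "Auth mode '${mode}' is invalid"
		return ${EXIT_ERROR}
	fi

	if ! ipsec_connection_write_config_key "${connection}" "AUTH_MODE" "${mode}"; then
		log ERROR "Could not write configuration settings"
		return ${EXIT_ERROR}
	fi

	return ${EXIT_OK}
}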
493 | ||
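# Sets the pre-shared key of a connection.  The key must be between 4 and
# 128 characters long; the error text now matches the check (4 is accepted).
ipsec_connection_authentication_psk() {
	if [ $# -ne 2 ]; then
		log ERROR "Not enough arguments"
		return ${EXIT_ERROR}
	fi

	local connection="${1}"
	local psk="${2}"

	# ${#psk} counts characters, not bytes
	local length="${#psk}"

	# NOTE(review): four characters is a very low minimum for a PSK; the
	# bound is kept as is, raising it is a policy decision
	if [ ${length} -lt 4 ]; then
		error "The PSK must be at least four characters long"
		return ${EXIT_ERROR}
	fi

	if [ ${length} -gt 128 ]; then
		error "The PSK cannot be longer than 128 characters"
		return ${EXIT_ERROR}
	fi

	if ! ipsec_connection_write_config_key "${connection}" "PSK" "${psk}"; then
		log ERROR "Could not write configuration settings"
		return ${EXIT_ERROR}
	fi

	return ${EXIT_OK}
}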
523 | ||
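# Brings up an IPsec connection: generates the swanctl configuration if it
# is missing, brings up the attached zone (if any) and asks strongswan to
# initiate the child SA.  Returns the result of swanctl, or EXIT_ERROR when
# the connection is unknown, its settings are unreadable or the
# configuration could not be generated.
ipsec_connection_up() {
	local connection="${1}"

	if ! ipsec_connection_exists "${connection}"; then
		error "No such VPN IPsec connection: ${connection}"
		return ${EXIT_ERROR}
	fi

	# Read configuration options
	local ZONE
	if ! ipsec_connection_read_config "${connection}" "ZONE"; then
		log ERROR "Could not read configuration for IPsec connection ${connection}"
		return ${EXIT_ERROR}
	fi

	# Generate the swanctl configuration on demand so that strongswan
	# knows the connection before it is initiated; a failed generation
	# used to be ignored here
	if ! [ -f "${NETWORK_IPSEC_SWANCTL_CONNECTIONS_DIR}/${connection}.conf" ]; then
		log DEBUG "Could not find a swanctl config, generating swanctl config"
		if ! ipsec_connection_to_strongswan "${connection}"; then
			log ERROR "Could not generate strongswan config for ${connection}"
			return ${EXIT_ERROR}
		fi
		ipsec_strongswan_load
	fi

	# Bring up the zone
	if isset ZONE; then
		zone_up "${ZONE}"
	fi

	cmd swanctl --initiate --child "${connection}"
}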
552 | ||
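# Brings down an IPsec connection: terminates the IKE SA in strongswan
# and then brings down the attached zone, if any.
ipsec_connection_down() {
	local connection="${1}"

	if ! ipsec_connection_exists "${connection}"; then
		error "No such VPN IPsec connection: ${connection}"
		return ${EXIT_ERROR}
	fi

	# Read configuration options
	local ZONE
	if ! ipsec_connection_read_config "${connection}" "ZONE"; then
		log ERROR "Could not read configuration for IPsec connection ${connection}"
		return ${EXIT_ERROR}
	fi

	# Tell strongswan to bring down any tunnels
	cmd swanctl --terminate --ike "${connection}"

	# Bring down the zone (the previous comment said "up")
	if isset ZONE; then
		zone_down "${ZONE}"
	fi
}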
576 | |
# Dispatches "dpd <action|delay|timeout> ..." for a connection
ipsec_connection_dpd() {
	[ $# -ge 2 ] || {
		log ERROR "Not enough arguments"
		return ${EXIT_ERROR}
	}

	local connection="${1}"
	local cmd="${2}"
	shift 2

	case "${cmd}" in
		action)
			ipsec_connection_dpd_action "${connection}" "$@"
			;;
		delay)
			ipsec_connection_dpd_delay "${connection}" "$@"
			;;
		timeout)
			ipsec_connection_dpd_timeout "${connection}" "$@"
			;;
		*)
			log ERROR "Unrecognized argument: ${cmd}"
			return ${EXIT_ERROR}
			;;
	esac
}
604 | ||
# Sets the DPD action of a connection; only "restart" and "clear" are accepted
ipsec_connection_dpd_action() {
	[ $# -eq 2 ] || {
		log ERROR "Not enough arguments"
		return ${EXIT_ERROR}
	}
	local connection="${1}"
	local action="${2}"

	isoneof action "restart" "clear" || {
		log ERROR "dpd action '${action}' is invalid"
		return ${EXIT_ERROR}
	}

	ipsec_connection_write_config_key "${connection}" "DPD_ACTION" ${action} || {
		log ERROR "Could not write configuration settings"
		return ${EXIT_ERROR}
	}
}
624 | ||
# Sets the DPD delay of a connection.  The value is either a plain number
# of seconds or a time specification that parse_time understands, and
# must not be negative.
ipsec_connection_dpd_delay() {
	[ $# -ge 2 ] || {
		log ERROR "Not enough arguments"
		return ${EXIT_ERROR}
	}

	local connection="${1}"
	shift 1
	local value="$*"

	# Anything that is not an integer is handed to parse_time
	if ! isinteger value; then
		value="$(parse_time "$@")" || {
			log ERROR "Parsing the passed time was not sucessful please check the passed values."
			return ${EXIT_ERROR}
		}
	fi

	if [ ${value} -lt 0 ]; then
		log ERROR "The passed time value must be in the sum greater or equal zero seconds."
		return ${EXIT_ERROR}
	fi

	ipsec_connection_write_config_key "${connection}" "DPD_DELAY" ${value} || {
		log ERROR "Could not write configuration settings"
		return ${EXIT_ERROR}
	}

	return ${EXIT_OK}
}
656 | ||
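# Sets the DPD timeout of a connection.  The value is either a plain number
# of seconds or a time specification that parse_time understands, and must
# be greater than zero (the old error text claimed zero was allowed while
# the check rejected it).
ipsec_connection_dpd_timeout() {
	if [ $# -lt 2 ]; then
		log ERROR "Not enough arguments"
		return ${EXIT_ERROR}
	fi

	local connection="${1}"
	shift 1
	local value="$*"

	# Anything that is not an integer is handed to parse_time
	if ! isinteger value; then
		if ! value="$(parse_time "$@")"; then
			log ERROR "Parsing the passed time was not sucessful please check the passed values."
			return ${EXIT_ERROR}
		fi
	fi

	# Zero is not a usable timeout
	if [ ${value} -le 0 ]; then
		log ERROR "The passed time value must be greater than zero seconds."
		return ${EXIT_ERROR}
	fi

	if ! ipsec_connection_write_config_key "${connection}" "DPD_TIMEOUT" "${value}"; then
		log ERROR "Could not write configuration settings"
		return ${EXIT_ERROR}
	fi

	return ${EXIT_OK}
}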
688 | ||
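# Dispatches "local <address|id|prefix> ..." for a connection and returns
# the handler's exit status.  Previously the function always returned
# EXIT_OK, so a failed handler (e.g. an invalid address) looked like a
# success to the caller.
ipsec_connection_local() {
	if [ $# -lt 2 ]; then
		log ERROR "Not enough arguments"
		return ${EXIT_ERROR}
	fi

	local connection="${1}"
	local cmd="${2}"
	shift 2

	case "${cmd}" in
		address)
			ipsec_connection_local_address "${connection}" "$@"
			;;
		id)
			ipsec_connection_id "${connection}" "LOCAL" "$@"
			;;
		prefix)
			ipsec_connection_prefix "${connection}" "LOCAL" "$@"
			;;
		*)
			log ERROR "Unrecognized argument: ${cmd}"
			return ${EXIT_ERROR}
			;;
	esac
}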
718 | ||
# Sets the connection mode; the value must be one of IPSEC_VALID_MODES
ipsec_connection_mode() {
	[ $# -eq 2 ] || {
		log ERROR "Not enough arguments"
		return ${EXIT_ERROR}
	}
	local connection="${1}"
	local mode="${2}"

	isoneof mode ${IPSEC_VALID_MODES} || {
		log ERROR "Mode '${mode}' is invalid"
		return ${EXIT_ERROR}
	}

	ipsec_connection_write_config_key "${connection}" "MODE" ${mode} || {
		log ERROR "Could not write configuration settings"
		return ${EXIT_ERROR}
	}

	return ${EXIT_OK}
}
740 | ||
# Attaches a zone to an IPsec connection, or detaches the current zone
# when "-" is given as the zone name.  Only zones whose hook is
# "ip-tunnel" are accepted.
ipsec_connection_zone() {
	local connection="${1}"
	local zone="${2}"
	shift 2

	# Check if we got an argument
	if ! isset zone; then
		error "Zone is not set"
		return ${EXIT_ERROR}
	fi

	local ZONE
	if [ "${zone}" = "-" ]; then
		if ! ipsec_connection_read_config "${connection}" "ZONE"; then
			log ERROR "Could not read configuration for IPsec connection ${connection}"
			return ${EXIT_ERROR}
		fi

		# An empty value removes the zone setting
		zone=""

		if isset ZONE; then
			log INFO "Removing zone ${ZONE} from IPsec connection '${connection}'"
		fi
	else
		# Check if the zone exists
		if ! zone_exists "${zone}"; then
			error "Zone ${zone} does not exist"
			return ${EXIT_ERROR}
		fi

		# Zone must be of type tunnel
		local hook="$(zone_get_hook "${zone}")"
		if [ "${hook}" != "ip-tunnel" ]; then
			error "Zones of type ${hook} are not supported"
			return ${EXIT_ERROR}
		fi

		# XXX Check if this zone is already attached to another IPsec connection

		log INFO "Adding zone ${zone} to IPsec connection '${connection}'"
	fi

	# Save settings
	if ! ipsec_connection_write_config_key "${connection}" "ZONE" "${zone}"; then
		error "Could not write configuration settings"
		return ${EXIT_ERROR}
	fi

	return ${EXIT_OK}
}
804 | ||
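# Sets the local address of a connection after validating it with
# ipsec_connection_check_peer.
ipsec_connection_local_address() {
	if [ $# -ne 2 ]; then
		log ERROR "Not enough arguments"
		return ${EXIT_ERROR}
	fi
	local connection="${1}"
	local local_address="${2}"

	# Quoted so that an empty value reaches the check as an argument
	# instead of disappearing through word splitting
	if ! ipsec_connection_check_peer "${local_address}"; then
		log ERROR "Local address '${local_address}' is invalid"
		return ${EXIT_ERROR}
	fi

	if ! ipsec_connection_write_config_key "${connection}" "LOCAL_ADDRESS" "${local_address}"; then
		log ERROR "Could not write configuration settings"
		return ${EXIT_ERROR}
	fi

	return ${EXIT_OK}
}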
826 | ||
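# Sets the peer to connect to after validating it with
# ipsec_connection_check_peer.
ipsec_connection_peer() {
	if [ $# -ne 2 ]; then
		log ERROR "Not enough arguments"
		return ${EXIT_ERROR}
	fi
	local connection="${1}"
	local peer="${2}"

	# Quoted so that an empty value reaches the check as an argument
	# instead of disappearing through word splitting
	if ! ipsec_connection_check_peer "${peer}"; then
		log ERROR "Peer '${peer}' is invalid"
		return ${EXIT_ERROR}
	fi

	if ! ipsec_connection_write_config_key "${connection}" "PEER" "${peer}"; then
		log ERROR "Could not write configuration settings"
		return ${EXIT_ERROR}
	fi

	return ${EXIT_OK}
}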
848 | ||
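# Sets the local or remote ID of a connection.  ${type} must be LOCAL or
# REMOTE because it becomes part of the settings key (LOCAL_ID / REMOTE_ID)
# that is handed to ipsec_connection_write_config_key.
ipsec_connection_id() {
	if [ $# -ne 3 ]; then
		log ERROR "Not enough arguments"
		return ${EXIT_ERROR}
	fi
	local connection="${1}"
	local type="${2}"
	local id="${3}"

	# Reject anything that would turn into an unknown settings key
	case "${type}" in
		LOCAL|REMOTE)
			;;
		*)
			log ERROR "Invalid ID type: ${type}"
			return ${EXIT_ERROR}
			;;
	esac

	if ! ipsec_connection_check_id "${id}"; then
		log ERROR "Id '${id}' is invalid"
		return ${EXIT_ERROR}
	fi

	if ! ipsec_connection_write_config_key "${connection}" "${type}_ID" "${id}"; then
		log ERROR "Could not write configuration settings"
		return ${EXIT_ERROR}
	fi

	return ${EXIT_OK}
}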
871 | ||
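# Sets or incrementally changes the local or remote prefix list of a
# connection.  The arguments are either a complete new list of prefixes,
# or any number of "+prefix" / "-prefix" words that add or remove single
# entries; both forms cannot be mixed in one call.  ${type} must be LOCAL
# or REMOTE since it becomes part of the settings key.  A failed write is
# now reported as EXIT_ERROR instead of being logged and ignored.
ipsec_connection_prefix() {
	if [ $# -lt 3 ]; then
		log ERROR "Not enough arguments"
		return ${EXIT_ERROR}
	fi
	local connection="${1}"
	local type="${2}"
	shift 2

	# Reject anything that would turn into an unknown settings key
	case "${type}" in
		LOCAL|REMOTE)
			;;
		*)
			error "Invalid prefix type: ${type}"
			return ${EXIT_ERROR}
			;;
	esac

	local _prefix="${type}_PREFIX"
	local "${_prefix}"
	if ! ipsec_connection_read_config "${connection}" "${_prefix}"; then
		return ${EXIT_ERROR}
	fi

	# Remove duplicated entries to process the list safely
	assign "${_prefix}" "$(list_unique ${!_prefix} )"

	local prefixes_added
	local prefixes_removed
	local prefixes_set

	while [ $# -gt 0 ]; do
		local arg="${1}"

		case "${arg}" in
			+*)
				list_append prefixes_added "${arg:1}"
				;;
			-*)
				list_append prefixes_removed "${arg:1}"
				;;
			[A-Fa-f0-9]*)
				# Looks like the start of a network; validated below
				list_append prefixes_set "${arg}"
				;;
			*)
				error "Invalid argument: ${arg}"
				return ${EXIT_ERROR}
				;;
		esac
		shift
	done

	# Check if the user is trying a mixed operation
	if ! list_is_empty prefixes_set && (! list_is_empty prefixes_added || ! list_is_empty prefixes_removed); then
		error "You cannot reset the prefix list and add or remove prefixes at the same time"
		return ${EXIT_ERROR}
	fi

	# Set new prefix list
	if ! list_is_empty prefixes_set; then
		# Check if all prefixes are valid
		local prefix
		for prefix in ${prefixes_set}; do
			if ! ip_net_is_valid ${prefix}; then
				error "Unsupported prefix: ${prefix}"
				return ${EXIT_ERROR}
			fi
		done

		assign "${_prefix}" "${prefixes_set}"

	# Perform incremental updates
	else
		local prefix

		# Perform all removals
		for prefix in ${prefixes_removed}; do
			if ! list_remove "${_prefix}" ${prefix}; then
				warning "${prefix} was not on the list and could not be removed"
			fi
		done

		# Perform all additions; invalid prefixes are skipped with a warning
		for prefix in ${prefixes_added}; do
			if ip_net_is_valid ${prefix}; then
				if ! list_append_unique "${_prefix}" ${prefix}; then
					warning "${prefix} is already on the prefix list"
				fi
			else
				warning "${prefix} is not a valid IP network and could not be added"
			fi
		done
	fi

	# Check if the list contains at least one valid prefix
	if list_is_empty ${_prefix}; then
		error "Cannot save an empty prefix list"
		return ${EXIT_ERROR}
	fi

	# Save everything
	if ! ipsec_connection_write_config_key "${connection}" "${_prefix}" ${!_prefix}; then
		log ERROR "Could not write configuration settings"
		return ${EXIT_ERROR}
	fi

	return ${EXIT_OK}
}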
971 | ||
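# Set the pools to use
#
# Usage: ipsec_connection_pool <connection> <pool>... | +<pool>... | -<pool>...
#
# Bare pool names replace the whole list; names prefixed with "+" are added
# to and names prefixed with "-" are removed from the stored list. Mixing a
# full reset with incremental changes in one call is rejected. Every pool
# that is set or added must exist and pass ipsec_pool_check_config, and the
# resulting list must not be empty.
#
# Returns EXIT_OK on success and EXIT_ERROR on invalid arguments, an
# unreadable configuration, an empty resulting list or a failed write.
ipsec_connection_pool() {
	if [ $# -lt 2 ]; then
		log ERROR "Not enough arguments"
		return ${EXIT_ERROR}
	fi
	local connection=${1}
	shift

	# POOLS is filled in by ipsec_connection_read_config
	local POOLS
	if ! ipsec_connection_read_config "${connection}" "POOLS"; then
		return ${EXIT_ERROR}
	fi

	# Remove duplicated entries to proceed the list safely
	assign "POOLS" "$(list_unique ${POOLS})"

	local pools_added
	local pools_removed
	local pools_set

	# Sort the arguments into the three operations by their prefix
	while [ $# -gt 0 ]; do
		local arg="${1}"

		case "${arg}" in
			+*)
				list_append pools_added "${arg:1}"
				;;
			-*)
				list_append pools_removed "${arg:1}"
				;;
			[A-Za-z0-9]*)
				list_append pools_set "${arg}"
				;;
			*)
				error "Invalid argument: ${arg}"
				return ${EXIT_ERROR}
				;;
		esac
		shift
	done

	# Check if the user is trying a mixed operation
	if ! list_is_empty pools_set && (! list_is_empty pools_added || ! list_is_empty pools_removed); then
		error "You cannot reset the pools list and add or remove pools at the same time"
		return ${EXIT_ERROR}
	fi

	# Set new pools list
	if ! list_is_empty pools_set; then
		# Check if all pools are valid
		local pool
		for pool in ${pools_set}; do
			if ! ipsec_pool_exists ${pool} || ! ipsec_pool_check_config ${pool}; then
				error "Pool ${pool} is not valid"
				return ${EXIT_ERROR}
			fi
		done

		assign "POOLS" "${pools_set}"

	# Perform incremental updates
	else
		local pool

		# Perform all removals
		for pool in ${pools_removed}; do
			if ! list_remove "POOLS" ${pool}; then
				warning "${pool} was not on the list and could not be removed"
			fi
		done

		# Perform all additions; unknown or broken pools are skipped with a warning
		for pool in ${pools_added}; do
			if ipsec_pool_exists ${pool} && ipsec_pool_check_config ${pool}; then
				if ! list_append_unique "POOLS" ${pool}; then
					# This message used to say "prefix list" (copied from the prefix setter)
					warning "${pool} is already on the pool list"
				fi
			else
				warning "${pool} is not a valid pool"
			fi
		done
	fi

	# Check if the list contain at least one valid pool
	if list_is_empty POOLS; then
		error "Cannot save an empty pool list"
		return ${EXIT_ERROR}
	fi

	# Save everything. A failed write is an error for the caller, like in the
	# other setters, instead of being logged and reported as success.
	if ! ipsec_connection_write_config_key "${connection}" "POOLS" ${POOLS}; then
		log ERROR "Could not write configuration settings"
		return ${EXIT_ERROR}
	fi

	return ${EXIT_OK}
}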
1069 | ||
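# Handle the cli after remote
#
# Usage: ipsec_connection_remote <connection> id|prefix [args...]
# Dispatches to ipsec_connection_id or ipsec_connection_prefix with the
# side fixed to "REMOTE". The sub-command's exit status is returned so a
# rejected id or prefix is not reported as success; anything else is an
# error.
ipsec_connection_remote() {
	if [ $# -lt 2 ]; then
		log ERROR "Not enough arguments"
		return ${EXIT_ERROR}
	fi

	local connection="${1}"
	local cmd="${2}"
	shift 2

	case "${cmd}" in
		id)
			ipsec_connection_id "${connection}" "REMOTE" "$@"
			;;
		prefix)
			ipsec_connection_prefix "${connection}" "REMOTE" "$@"
			;;
		*)
			log ERROR "Unrecognized argument: ${cmd}"
			return ${EXIT_ERROR}
			;;
	esac

	# Propagate the result of the sub-command (previously always EXIT_OK)
	return ${?}
}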
1097 | ||
# Set the inactivity timeout
#
# Usage: ipsec_connection_inactivity_timeout <connection> <seconds>|<time spec...>
# A plain integer is taken as seconds; any other value is handed to
# parse_time. The result has to be greater than zero.
# NOTE(review): the default IPSEC_DEFAULT_INACTIVITY_TIMEOUT appears to be 0,
# which this setter refuses, so the timeout cannot be reset to the default
# through this command — confirm whether 0 should be accepted.
ipsec_connection_inactivity_timeout() {
	if [ $# -lt 2 ]; then
		log ERROR "Not enough arguments"
		return ${EXIT_ERROR}
	fi

	local connection=${1}
	shift 1
	local value=$@

	# Anything that is not a plain integer is parsed as a time specification
	if ! isinteger value; then
		if ! value=$(parse_time "$@"); then
			log ERROR "Parsing the passed time was not sucessful please check the passed values."
			return ${EXIT_ERROR}
		fi
	fi

	if [ ${value} -le 0 ]; then
		log ERROR "The passed time value must be in the sum greater zero seconds."
		return ${EXIT_ERROR}
	fi

	if ! ipsec_connection_write_config_key "${connection}" "INACTIVITY_TIMEOUT" ${value}; then
		log ERROR "Could not write configuration settings"
		return ${EXIT_ERROR}
	fi

	return ${EXIT_OK}
}
1129 | ||
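# Set the default start action
#
# Usage: ipsec_connection_start_action <connection> on-demand|always-on
# NOTE(review): the strongSwan generator in this file also handles a "wait"
# start action, which this setter does not accept — confirm whether that is
# deliberate.
ipsec_connection_start_action() {
	if [ $# -ne 2 ]; then
		log ERROR "Not enough arguments"
		return ${EXIT_ERROR}
	fi
	local connection="${1}"
	local action="${2}"

	# isoneof takes the variable name, not its value
	if ! isoneof action "on-demand" "always-on"; then
		log ERROR "Start action '${action}' is invalid"
		return ${EXIT_ERROR}
	fi

	if ! ipsec_connection_write_config_key "${connection}" "START_ACTION" ${action}; then
		log ERROR "Could not write configuration settings"
		return ${EXIT_ERROR}
	fi

	# Explicit success, like the other setters, instead of relying on the
	# status of the last if statement
	return ${EXIT_OK}
}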
1149 | |
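# Set the security policy to use
#
# Usage: ipsec_connection_security_policy <connection> <policy>
# The policy must exist (vpn_security_policy_exists); it is only referenced
# by name here and read when the strongSwan configuration is generated.
ipsec_connection_security_policy() {
	if [ $# -ne 2 ]; then
		log ERROR "Not enough arguments"
		return ${EXIT_ERROR}
	fi
	local connection="${1}"
	local security_policy="${2}"

	if ! vpn_security_policy_exists ${security_policy}; then
		log ERROR "No such vpn security policy '${security_policy}'"
		return ${EXIT_ERROR}
	fi

	if ! ipsec_connection_write_config_key "${connection}" "SECURITY_POLICY" ${security_policy}; then
		log ERROR "Could not write configuration settings"
		return ${EXIT_ERROR}
	fi

	# Explicit success, like the other setters, instead of relying on the
	# status of the last if statement
	return ${EXIT_OK}
}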
1169 | ||
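# Check if a id is valid
#
# Accepts either an identity of the form "@name", where name consists of
# alphanumeric characters only, or a valid IP address (ip_is_valid).
# Returns EXIT_TRUE or EXIT_FALSE.
# NOTE(review): the "@" form allows neither dots nor dashes, so a
# hostname-style identity is rejected — confirm this is intended.
ipsec_connection_check_id() {
	assert [ $# -eq 1 ]
	local id="${1}"

	# Quoted on purpose: an unquoted expansion would be word-split and
	# glob-expanded before the validator sees it
	if [[ "${id}" =~ ^@[[:alnum:]]+$ ]] || ip_is_valid "${id}"; then
		return ${EXIT_TRUE}
	fi

	return ${EXIT_FALSE}
}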
1181 | ||
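# Checks if a peer is valid
#
# A peer may be given as an IP address or as a fully qualified domain name;
# anything else is rejected. Returns EXIT_TRUE or EXIT_FALSE.
ipsec_connection_check_peer() {
	assert [ $# -eq 1 ]
	local peer="${1}"

	# IP addresses are accepted. Quoted like the FQDN check below so the
	# value is not word-split or glob-expanded before validation.
	if ip_is_valid "${peer}"; then
		return ${EXIT_TRUE}
	fi

	# FQDNs are okay, too
	if fqdn_is_valid "${peer}"; then
		return ${EXIT_TRUE}
	fi

	# We cannot use anything else
	return ${EXIT_FALSE}
}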
1200 | ||
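# This function checks if a VPN IPsec connection name is valid
# Allowed are only A-Za-z0-9
#
# Note the inverted result: the function succeeds (returns 0) when the name
# contains an ILLEGAL character, which is how ipsec_connection_new uses it.
# The name ends up in file system paths and as a section name in the
# generated swanctl configuration, so the character set is kept tight.
ipsec_connection_check_name() {
	assert [ $# -eq 1 ]

	local connection="${1}"

	# Inside a bracket expression "$" is a literal character, so the earlier
	# pattern [^[:alnum:]$] silently allowed "$" in connection names
	[[ "${connection}" =~ [^[:alnum:]] ]]
}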
1210 | ||
# Function that creates one VPN IPsec connection
#
# Usage: ipsec_connection_new <connection> [<type>]
# The name must be given, unused and alphanumeric. The type defaults to
# IPSEC_DEFAULT_TYPE and must be "net-to-net" or "host-to-net". A
# configuration directory is created and filled with the defaults, then the
# strongSwan autostart is configured; its status becomes the return value.
# NOTE(review): if writing the configuration fails, the directory created
# just before is left behind — confirm whether that is acceptable.
ipsec_connection_new() {
	if [ $# -gt 2 ]; then
		error "Too many arguments"
		return ${EXIT_ERROR}
	fi

	local connection="${1}"
	local type="${2}"

	if ! isset connection; then
		error "Please provide a connection name"
		return ${EXIT_ERROR}
	fi

	# Check for duplicates
	if ipsec_connection_exists "${connection}"; then
		error "The VPN IPsec connection ${connection} already exists"
		return ${EXIT_ERROR}
	fi

	# Check if the name of the connection is valid (the check succeeds on
	# an illegal character)
	if ipsec_connection_check_name "${connection}"; then
		error "'${connection}' contains illegal characters"
		return ${EXIT_ERROR}
	fi

	# Set TYPE to default if not set by the user
	isset type || type="${IPSEC_DEFAULT_TYPE}"

	if ! isoneof "type" "net-to-net" "host-to-net"; then
		error "Type is invalid"
		return ${EXIT_ERROR}
	fi

	log DEBUG "Creating VPN IPsec connection ${connection}"

	if ! mkdir -p "${NETWORK_IPSEC_CONNS_DIR}/${connection}"; then
		log ERROR "Could not create config directory for ${connection}"
		return ${EXIT_ERROR}
	fi

	# Declare every config setting locally; those not assigned below stay empty
	local ${IPSEC_CONNECTION_CONFIG_SETTINGS}

	# Defaults, in the order of IPSEC_CONNECTION_CONFIG_SETTINGS
	AUTH_MODE="${IPSEC_DEFAULT_AUTH_MODE}"
	DPD_ACTION="${IPSEC_DEFAULT_DPD_ACTION}"
	DPD_DELAY="${IPSEC_DEFAULT_DPD_DELAY}"
	DPD_TIMEOUT="${IPSEC_DEFAULT_DPD_TIMEOUT}"
	INACTIVITY_TIMEOUT="${IPSEC_DEFAULT_INACTIVITY_TIMEOUT}"
	MODE="${IPSEC_DEFAULT_MODE}"
	SECURITY_POLICY="${IPSEC_DEFAULT_SECURITY_POLICY}"
	START_ACTION="${IPSEC_DEFAULT_START_ACTION}"
	TYPE="${type}"
	ENABLED="${IPSEC_DEFAULT_ENABLED}"

	if ! ipsec_connection_write_config "${connection}"; then
		log ERROR "Could not write new config file"
		return ${EXIT_ERROR}
	fi

	# Configure strongswan autostart
	ipsec_strongswan_autostart
}
1277 | ||
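# Function that deletes one or more VPN IPsec connections passed as arguments
# (the header previously spoke of security policies, copied from elsewhere)
#
# Unknown connections are logged and skipped. For each existing one the
# generated strongSwan file and the configuration directory are removed;
# the first failing rm aborts with EXIT_ERROR.
# NOTE(review): ipsec_connection_new calls ipsec_strongswan_autostart, but
# nothing equivalent happens after a removal here — confirm whether the
# running strongSwan has to be informed.
ipsec_connection_destroy() {
	local connection
	for connection in "$@"; do
		if ! ipsec_connection_exists "${connection}"; then
			log ERROR "The VPN IPsec connection ${connection} does not exist."
			continue
		fi

		log DEBUG "Deleting VPN IPsec connection ${connection}"

		# Delete strongswan configuration file
		file_delete "${NETWORK_IPSEC_SWANCTL_CONNECTIONS_DIR}/${connection}.conf"

		if ! rm -rf "${NETWORK_IPSEC_CONNS_DIR}/${connection}"; then
			log ERROR "Deleting the VPN IPsec connection ${connection} was not sucessful"
			return ${EXIT_ERROR}
		fi
	done

	return ${EXIT_OK}
}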
1299 | |
# List all ipsec connections
#
# Every connection owns a directory below NETWORK_IPSEC_CONNS_DIR (created
# by ipsec_connection_new), so listing that directory yields the names.
ipsec_list_connections() {
	local dir="${NETWORK_IPSEC_CONNS_DIR}"

	list_directory "${dir}"
}
1304 | |
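# Generate the swanctl configuration file for one connection
#
# Usage: ipsec_connection_to_strongswan <connection>
# Reads the connection settings and writes the connections and secrets
# sections to NETWORK_IPSEC_SWANCTL_CONNECTIONS_DIR/<connection>.conf.
# Returns EXIT_ERROR when the settings cannot be read or the connection
# section cannot be generated; the secrets section is not written in that
# case (previously it was written anyway and the failure was masked).
# NOTE(review): the file contains the PSK in clear text and is created with
# the caller's umask — confirm the directory/file permissions restrict it.
ipsec_connection_to_strongswan() {
	local connection="${1}"
	log DEBUG "Generating IPsec configuration for ${connection}"

	# Read the config settings
	local ${IPSEC_CONNECTION_CONFIG_SETTINGS}
	if ! ipsec_connection_read_config "${connection}"; then
		error "Could not read the connection ${connection}"
		return ${EXIT_ERROR}
	fi

	local path="${NETWORK_IPSEC_SWANCTL_CONNECTIONS_DIR}/${connection}.conf"

	# The connection generator returns before printing anything when it
	# fails, so on error the file is left empty rather than half-written.
	if ! (
		# Write the connection section
		_ipsec_connection_to_strongswan_connection "${connection}" || exit ${EXIT_ERROR}

		# Write the secrets section
		_ipsec_connection_to_strongswan_secrets "${connection}"

	) > "${path}"; then
		log ERROR "Could not generate strongSwan configuration for ${connection}"
		return ${EXIT_ERROR}
	fi

	return ${EXIT_OK}
}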
1327 | ||
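# Write the "connections" section of the swanctl configuration to stdout
#
# Expects the connection settings (IPSEC_CONNECTION_CONFIG_SETTINGS) to be
# in scope from the caller. Reads the referenced security policy into the
# VPN_SECURITY_POLICIES_CONFIG_SETTINGS variables and, when ZONE is set, the
# zone's MARK and MODE. Returns EXIT_ERROR before writing anything when one
# of those reads fails.
# NOTE(review): KEY_EXCHANGE, LIFETIME and COMPRESSION are not connection
# settings; presumably they come from the security policy — verify.
_ipsec_connection_to_strongswan_connection() {
	local connection="${1}"

	# Read the security policy
	local ${VPN_SECURITY_POLICIES_CONFIG_SETTINGS}
	if ! vpn_security_policies_read_config "${SECURITY_POLICY}"; then
		return ${EXIT_ERROR}
	fi

	# Is DPD enabled?
	local dpd="false"
	if isset DPD_DELAY && isinteger DPD_DELAY && [ ${DPD_DELAY} -gt 0 ]; then
		dpd="true"
	fi

	local zone_mode

	# Are we connected to a zone?
	if isset ZONE; then
		# Store MODE, because zone_settings_read overwrites it with the zone's MODE
		local mode="${MODE}"

		if ! zone_settings_read "${ZONE}" MARK MODE; then
			# Previously logged ${zone}, an unset variable, so no zone name appeared
			log ERROR "Could not read zone settings from ${ZONE}"
			return ${EXIT_ERROR}
		fi

		zone_mode="${MODE}"
		MODE="${mode}"
	fi

	# Write configuration header
	config_header "strongSwan configuration for ${connection}"

	print_indent 0 "connections {"
	print_indent 1 "${connection} {"

	# IKE Version
	print_indent 2 "# IKE Version"
	case "${KEY_EXCHANGE^^}" in
		IKEV1)
			print_indent 2 "version = 1"
			;;

		# Fall back to IKEv2 for any random values
		IKEV2|*)
			print_indent 2 "version = 2"
			;;
	esac
	print # empty line

	# Always only keep one connection open at a time
	print_indent 2 "# Unique IDs"
	print_indent 2 "unique = replace"


	# Local Address
	print_indent 2 "# Local Address"
	if isset LOCAL_ADDRESS; then
		print_indent 2 "local_addrs = ${LOCAL_ADDRESS}"
	else
		print_indent 2 "local_addrs = %any"
	fi


	# Remote Address
	print_indent 2 "# Remote Address"
	if isset PEER; then
		print_indent 2 "remote_addrs = ${PEER}"
	else
		print_indent 2 "remote_addrs = %any"
	fi


	# IKE Proposals
	print_indent 2 "# IKE Proposals"
	print_indent 2 "proposals = $(vpn_security_policies_make_ike_proposal ${SECURITY_POLICY})"


	# DPD Settings
	if enabled dpd; then
		print_indent 2 "# Dead Peer Detection"
		print_indent 2 "dpd_delay = ${DPD_DELAY}"

		if isset DPD_TIMEOUT; then
			print_indent 2 "dpd_timeout = ${DPD_TIMEOUT}"
		fi

	fi

	# Fragmentation
	print_indent 2 "# Fragmentation"
	print_indent 2 "fragmentation = yes"


	# Host-to-Net specific settings
	case "${TYPE}" in
		host-to-net)
			# Pools
			if isset POOLS; then
				print_indent 2 "# Pools"
				print_indent 2 "pools = $(list_join POOLS ", ")"

			fi
			;;
	esac

	# Local
	print_indent 2 "local {"

	# Local ID
	if isset LOCAL_ID; then
		print_indent 3 "id = ${LOCAL_ID}"
	fi

	# Authentication
	case "${AUTH_MODE}" in
		PSK)
			print_indent 3 "auth = psk"
			;;
	esac

	print_indent 2 "}"


	# Remote
	print_indent 2 "remote {"

	# Remote ID
	if isset REMOTE_ID; then
		print_indent 3 "id = ${REMOTE_ID}"
	fi

	# Authentication
	case "${AUTH_MODE}" in
		PSK)
			print_indent 3 "auth = psk"
			;;
	esac

	print_indent 2 "}"


	# Children

	print_indent 2 "children {"
	print_indent 3 "${connection} {"

	print_indent 4 "# ESP Proposals"
	print_indent 4 "esp_proposals = $(vpn_security_policies_make_esp_proposal ${SECURITY_POLICY})"


	# Traffic Selectors (zone_mode is empty without a zone, so "*,gre"
	# can only match for a zone in GRE mode)
	case "${MODE},${zone_mode}" in
		*,gre)
			print_indent 4 "local_ts = dynamic[gre]"
			print_indent 4 "remote_ts = dynamic[gre]"
			;;
		*)
			# Local Prefixes
			if isset LOCAL_PREFIX; then
				print_indent 4 "local_ts = $(list_join LOCAL_PREFIX ,)"
			elif isset ZONE; then
				print_indent 4 "local_ts = ::/0, 0.0.0.0/0"
			else
				print_indent 4 "local_ts = dynamic"
			fi

			# Remote Prefixes
			if isset REMOTE_PREFIX; then
				print_indent 4 "remote_ts = $(list_join REMOTE_PREFIX ,)"
			elif isset ZONE; then
				print_indent 4 "remote_ts = ::/0, 0.0.0.0/0"
			else
				print_indent 4 "remote_ts = dynamic"
			fi
			;;
	esac


	# Netfilter Marks
	case "${zone_mode}" in
		vti)
			assert isset MARK

			print_indent 4 "# Netfilter Marks"
			print_indent 4 "mark_in = ${MARK}"
			print_indent 4 "mark_out = ${MARK}"

			;;
	esac

	# Dead Peer Detection
	if enabled dpd; then
		print_indent 4 "# Dead Peer Detection"
		print_indent 4 "dpd_action = ${DPD_ACTION}"

	fi

	# Rekeying
	if isset LIFETIME; then
		print_indent 4 "# Rekey Time"
		print_indent 4 "rekey_time = ${LIFETIME}"

	fi

	# Updown Script
	print_indent 4 "updown = ${NETWORK_HELPERS_DIR}/ipsec-updown"


	# Mode
	print_indent 4 "# Mode"
	case "${MODE}" in
		transport)
			print_indent 4 "mode = transport"
			;;
		tunnel)
			print_indent 4 "mode = tunnel"
			;;
		*)
			# Previously logged ${mode}, which is only set in the zone branch above
			log WARNING "Unsupported IPsec mode: ${MODE}"
			;;
	esac


	# Compression
	print_indent 4 "# Compression"
	if enabled COMPRESSION; then
		print_indent 4 "ipcomp = yes"
	else
		print_indent 4 "ipcomp = no"
	fi


	# Inactivity Timeout
	if isset INACTIVITY_TIMEOUT; then
		print_indent 4 "# Inactivity Timeout"
		print_indent 4 "inactivity = ${INACTIVITY_TIMEOUT}"

	fi

	# Net-to-Net specific settings
	case "${TYPE}" in
		net-to-net)
			# Start Action
			print_indent 4 "# Start Action"
			case "${START_ACTION}" in
				on-demand)
					print_indent 4 "start_action = trap"
					print_indent 4 "close_action = trap"
					;;
				wait)
					print_indent 4 "start_action = none"
					print_indent 4 "close_action = none"
					;;
				always-on|*)
					print_indent 4 "start_action = start"
					print_indent 4 "close_action = start"
					;;
			esac

			;;
	esac

	print_indent 3 "}"
	print_indent 2 "}"


	print_indent 1 "}"
	print_indent 0 "}"

}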
1602 | ||
# Write the "secrets" section of the swanctl configuration to stdout
#
# Relies on AUTH_MODE, PSK and REMOTE_ID being in scope from the caller.
# Only PSK authentication produces an ike entry; other modes emit an empty
# section. The connection name is accepted for symmetry with the
# connections generator but not used.
# NOTE(review): PSK is written verbatim. Confirm the setter rejects
# characters that are special in swanctl.conf syntax, otherwise a secret
# could break the generated file.
_ipsec_connection_to_strongswan_secrets() {
	local connection="${1}"

	print_indent 0 "secrets {"

	if [ "${AUTH_MODE}" = "PSK" ]; then
		print_indent 1 "ike {"

		# Secret
		print_indent 2 "secret = ${PSK}"

		# ID
		if isset REMOTE_ID; then
			print_indent 2 "id = ${REMOTE_ID}"
		fi

		print_indent 1 "}"
	fi

	print_indent 0 "}"
}