[network.git] / src / functions / functions.ipsec

#!/bin/bash
###############################################################################
#                                                                             #
# IPFire.org - A linux based firewall                                         #
# Copyright (C) 2017  IPFire Network Development Team                         #
#                                                                             #
# This program is free software: you can redistribute it and/or modify        #
# it under the terms of the GNU General Public License as published by        #
# the Free Software Foundation, either version 3 of the License, or           #
# (at your option) any later version.                                         #
#                                                                             #
# This program is distributed in the hope that it will be useful,             #
# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
# GNU General Public License for more details.                                #
#                                                                             #
# You should have received a copy of the GNU General Public License           #
# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
#                                                                             #
###############################################################################

IPSEC_CONNECTION_CONFIG_SETTINGS="AUTH_MODE INACTIVITY_TIMEOUT LOCAL_ID LOCAL_PREFIX"
IPSEC_CONNECTION_CONFIG_SETTINGS="${IPSEC_CONNECTION_CONFIG_SETTINGS} MODE PEER PSK"
IPSEC_CONNECTION_CONFIG_SETTINGS="${IPSEC_CONNECTION_CONFIG_SETTINGS} REMOTE_ID REMOTE_PREFIX"
IPSEC_CONNECTION_CONFIG_SETTINGS="${IPSEC_CONNECTION_CONFIG_SETTINGS} SECURITY_POLICY"

# Default values
IPSEC_DEFAULT_MODE="tunnel"
IPSEC_DEFAULT_AUTH_MODE="psk"
IPSEC_DEFAULT_INACTIVITY_TIMEOUT="0"
IPSEC_DEFAULT_SECURITY_POLICY="system"

IPSEC_VALID_MODES="gre-transport tunnel vti"
IPSEC_VALID_AUTH_MODES="PSK psk"

# This function writes all values to a via ${connection} specificated VPN IPsec configuration file
ipsec_connection_write_config() {
	assert [ $# -ge 1 ]

	local connection="${1}"

	if ! ipsec_connection_exists "${connection}"; then
		log ERROR "No such VPN IPsec connection: ${connection}"
		return ${EXIT_ERROR}
	fi

	local path="$(ipsec_connection_path "${connection}")/settings"

	if ! settings_write "${path}" ${IPSEC_CONNECTION_CONFIG_SETTINGS}; then
		log ERROR "Could not write configuration settings for VPN IPsec connection ${connection}"
		return ${EXIT_ERROR}
	fi

	ipsec_reload ${connection}
}

# This funtion writes the value for one key to a via ${connection} specificated VPN IPsec connection configuration file
ipsec_connection_write_config_key() {
	assert [ $# -ge 3 ]

	local connection=${1}
	local key=${2}
	shift 2

	local value="$@"

	if ! ipsec_connection_exists "${connection}"; then
		log ERROR "No such VPN ipsec connection: ${connection}"
		return ${EXIT_ERROR}
	fi

	log DEBUG "Set '${key}' to new value '${value}' in VPN ipsec connection '${connection}'"

	local ${IPSEC_CONNECTION_CONFIG_SETTINGS}

	# Read the config settings
	if ! ipsec_connection_read_config "${connection}"; then
		return ${EXIT_ERROR}
	fi

	# Set the key to a new value
	assign "${key}" "${value}"

	if ! ipsec_connection_write_config "${connection}"; then
		return ${EXIT_ERROR}
	fi

	return ${EXIT_TRUE}
}

# Reads one or more keys out of a settings file or all if no key is provided.
ipsec_connection_read_config() {
	assert [ $# -ge 1 ]

	local connection="${1}"
	shift 1

	if ! ipsec_connection_exists "${connection}"; then
		log ERROR "No such VPN IPsec connection : ${connection}"
		return ${EXIT_ERROR}
	fi


	local args
	if [ $# -eq 0 ] && [ -n "${IPSEC_CONNECTION_CONFIG_SETTINGS}" ]; then
		list_append args ${IPSEC_CONNECTION_CONFIG_SETTINGS}
	else
		list_append args $@
	fi

	local path="$(ipsec_connection_path "${connection}")/settings"

	if ! settings_read "${path}" ${args}; then
		log ERROR "Could not read settings for VPN IPsec connection ${connection}"
		return ${EXIT_ERROR}
	fi
}

# Returns the path to a the directory for given connection
ipsec_connection_path() {
	assert [ $# -eq 1 ]

	local connection=${1}

	echo "${NETWORK_CONFIG_DIR}/vpn/ipsec/connection/${connection}"
}

# This function checks if a vpn ipsec connection exists
# Returns True when yes and false when not
ipsec_connection_exists() {
	assert [ $# -eq 1 ]

	local connection=${1}

	local path=$(ipsec_connection_path "${connection}")

	[ -d "${path}" ] && return ${EXIT_TRUE} || return ${EXIT_FALSE}
}

# Reloads the connection after config changes
ipsec_reload() {
	return ${EXIT_TRUE}
}

# Handle the cli after authentification
ipsec_connection_authentication() {
	if [ ! $# -gt 1 ]; then
		log ERROR "Not enough arguments"
		return ${EXIT_ERROR}
	fi

	local connection=${1}
	local cmd=${2}
	shift 2

	case ${cmd} in
		mode)
			ipsec_connection_authentication_mode "${connection}" $@
			;;
		pre-shared-key)
			ipsec_connection_authentication_psk "${connection}" $@
			;;
		*)
			log ERROR "Unrecognized argument: ${cmd}"
			return ${EXIT_ERROR}
			;;
	esac
}

# Set the authentification mode
ipsec_connection_authentication_mode() {
	if [ ! $# -eq 2 ]; then
		log ERROR "Not enough arguments"
		return ${EXIT_ERROR}
	fi
	local connection=${1}
	local mode=${2}

	if ! isoneof mode ${IPSEC_VALID_AUTH_MODES}; then
		log ERROR "Auth mode '${mode}' is invalid"
		return ${EXIT_ERROR}
	fi

	if ! ipsec_connection_write_config_key "${connection}" "AUTH_MODE" ${mode,,}; then
		log ERROR "Could not write configuration settings"
		return ${EXIT_ERROR}
	fi
}

# Set the psk
ipsec_connection_authentication_psk() {
	if [ ! $# -eq 2]; then
		log ERROR "Not enough arguments"
		return ${EXIT_ERROR}
	fi
	local connection=${1}
	local psk=${2}

	# TODO Check if psk is valid 

	if ! ipsec_connection_write_config_key "${connection}" "PSK" ${psk}; then
		log ERROR "Could not write configuration settings"
		return ${EXIT_ERROR}
	fi

	return ${EXIT_OK}
}

# Handle the cli after local
ipsec_connection_local() {
	if [ ! $# -ge 2 ]; then
		log ERROR "Not enough arguments"
		return ${EXIT_ERROR}
	fi

	local connection=${1}
	local cmd=${2}
	shift 2

	case ${cmd} in
		id)
			ipsec_connection_id "${connection}" "LOCAL" $@
			;;
		prefix)
			ipsec_connection_prefix "${connection}" "LOCAL" $@
			;;
		*)
			log ERROR "Unrecognized argument: ${cmd}"
			return ${EXIT_ERROR}
			;;
	esac

	return ${EXIT_OK}
}

# Set the connection mode
ipsec_connection_mode() {
	if [ ! $# -eq 2]; then
		log ERROR "Not enough arguments"
		return ${EXIT_ERROR}
	fi
	local connection=${1}
	local mode=${2}

	if ! isoneof mode ${IPSEC_VALID_MODES}; then
		log ERROR "Mode '${mode}' is invalid"
		return ${EXIT_ERROR}
	fi

	if ! ipsec_connection_write_config_key "${connection}" "MODE" ${mode}; then
		log ERROR "Could not write configuration settings"
		return ${EXIT_ERROR}
	fi

	return ${EXIT_OK}
}

# Set the peer to connect to
ipsec_connection_peer() {
	if [ ! $# -eq 2]; then
		log ERROR "Not enough arguments"
		return ${EXIT_ERROR}
	fi
	local connection=${1}
	local peer=${2}

	if ! ipsec_connection_check_peer ${peer}; then
		log ERROR "Peer '${peer}' is invalid"
		return ${EXIT_ERROR}
	fi

	if ! ipsec_connection_write_config_key "${connection}" "PEER" ${peer}; then
		log ERROR "Could not write configuration settings"
		return ${EXIT_ERROR}
	fi

	return ${EXIT_OK}
}

#Set the local or remote id
ipsec_connection_id() {
	if [ ! $# -eq 3 ]; then
		log ERROR "Not enough arguments"
		return ${EXIT_ERROR}
	fi
	local connection=${1}
	local type=${2}
	local id=${3}

	if ! ipsec_connection_check_id ${id}; then
		log ERROR "Id '${id}' is invalid"
		return ${EXIT_ERROR}
	fi
	
	if ! ipsec_connection_write_config_key "${connection}" "${type}_ID" ${id}; then
		log ERROR "Could not write configuration settings"
		return ${EXIT_ERROR}
	fi
	
	return ${EXIT_OK}
}

# Set the local or remote prefix 
ipsec_connection_prefix() {
	if [ ! $# -ge 3 ]; then
		log ERROR "Not enough arguments"
		return ${EXIT_ERROR}
	fi
	local connection=${1}
	local type=${2}
	shift 2
	
	local _prefix="${type}_PREFIX"
	local "${_prefix}"
	if ! ipsec_connection_read_config "${connection}" "${_prefix}"; then
		return ${EXIT_ERROR}
	fi

	# Remove duplicated entries to proceed the list safely
	assign "${_prefix}" "$(list_unique ${!_prefix} )"

	local prefixes_added
	local prefixes_removed
	local prefixes_set

	while [ $# -gt 0 ]; do
		local arg="${1}"

		case "${arg}" in
			+*)
				list_append prefixes_added "${arg:1}"
				;;
			-*)
				list_append prefixes_removed "${arg:1}"
				;;
			[A-Fa-f0-9]*)
				list_append prefixes_set "${arg}"
				;;
			*)
				error "Invalid argument: ${arg}"
				return ${EXIT_ERROR}
				;;
		esac
		shift
	done

	# Check if the user is trying a mixed operation
	if ! list_is_empty prefixes_set && (! list_is_empty prefixes_added || ! list_is_empty prefixes_removed); then
		error "You cannot reset the prefix list and add or remove prefixes at the same time"
		return ${EXIT_ERROR}
	fi

	# Set new prefix list
	if ! list_is_empty prefixes_set; then
		# Check if all prefixes are valid
		local prefix
		for prefix in ${prefixes_set}; do
			if ! ip_net_is_valid ${prefix}; then
				error "Unsupported prefix: ${prefix}"
				return ${EXIT_ERROR}
			fi
		done

		assign "${_prefix}" "${prefixes_set}"

	# Perform incremental updates
	else
		local prefix

		# Perform all removals
		for prefix in ${prefixes_removed}; do
			if ! list_remove "${_prefix}" ${prefix}; then
				warning "${prefix} was not on the list and could not be removed"
			fi
		done


		for prefix in ${prefixes_added}; do
			if ip_net_is_valid ${prefix}; then
				if ! list_append_unique "${_prefix}" ${prefix}; then
					warning "${prefix} is already on the prefix list"
				fi
			else
				warning "${prefix} is not a valiv IP net and could not be added"
			fi
		done
	fi

	# Check if the list contain at least one valid prefix
	if list_is_empty ${_prefix}; then
		error "Cannot save an empty prefix list"
		return ${EXIT_ERROR}
	fi

	# Save everything
	if ! ipsec_connection_write_config_key "${connection}" "${_prefix}" ${!_prefix}; then
		log ERROR "Could not write configuration settings"
	fi

	return ${EXIT_OK}
}

# Handle the cli after remote
ipsec_connection_remote() {
	if [ ! $# -ge 2 ]; then
		log ERROR "Not enough arguments"
		return ${EXIT_ERROR}
	fi

	local connection=${1}
	local cmd=${2}
	shift 2

	case ${cmd} in
		id)
			ipsec_connection_id "${connection}" "REMOTE" $@
			;;

		prefix)
			ipsec_connection_prefix "${connection}" "REMOTE" $@
			;;
		*)
			log ERROR "Unrecognized argument: ${cmd}"
			return ${EXIT_ERROR}
			;;
	esac

	return ${EXIT_OK}
}

# Set the inactivity timeout
ipsec_connection_inactivity_timeout() {
	if [ ! $# -ge 2 ]; then
		log ERROR "Not enough arguments"
		return ${EXIT_ERROR}
	fi

	local connection=${1}
	shift 1
	local value=$@

	if ! isinteger value; then
		value=$(parse_time $@)
		if [ ! $? -eq 0 ]; then
			log ERROR "Parsing the passed time was not sucessful please check the passed values."
			return ${EXIT_ERROR}
		fi
	fi

	if [ ${value} -le 0 ]; then
		log ERROR "The passed time value must be in the sum greater zero seconds."
		return ${EXIT_ERROR}
	fi

	if ! ipsec_connection_write_config_key "${connection}" "INACTIVITY_TIMEOUT" ${value}; then
		log ERROR "Could not write configuration settings"
		return ${EXIT_ERROR}
	fi

	return ${EXIT_OK}
}


# Set the security policy to use
ipsec_connection_security_policy() {
	if [ ! $# -eq 2 ]; then
		log ERROR "Not enough arguments"
		return ${EXIT_ERROR}
	fi
	local connection=${1}
	local security_policy=${2}

	if ! vpn_security_policy_exists ${security_policy}; then
		log ERROR "No such vpn security policy '${security_policy}'"
		return ${EXIT_ERROR}
	fi

	if ! ipsec_connection_write_config_key "${connection}" "SECURITY_POLICY" ${security_policy}; then
		log ERROR "Could not write configuration settings"
		return ${EXIT_ERROR}
	fi
}

# Check if a id is valid
ipsec_connection_check_id() {
	assert [ $# -eq 1 ]
	local id=${1}

	if [[ ${id} =~ ^@[[:alnum:]]+$ ]] || ip_is_valid ${id}; then
		return ${EXIT_TRUE}
	else
		return ${EXIT_FALSE}
	fi
}

# Checks if a peer is valid
ipsec_connection_check_peer() {
	assert [ $# -eq 1 ]
	local peer=${1}

	# TODO Accept also FQDNs
	if ip_is_valid ${peer}; then
		return ${EXIT_TRUE}
	else
		return ${EXIT_FALSE}
	fi
}

# This function checks if a VPN IPsec connection name is valid
# Allowed are only A-Za-z0-9
ipsec_connection_check_name() {
	assert [ $# -eq 1 ]

	local connection=${1}

	[[ "${connection}" =~ [^[:alnum:]$] ]]
}

# Function that creates one VPN IPsec connection
ipsec_connection_new() {
	if [ $# -gt 1 ]; then
		error "Too many arguments"
		return ${EXIT_ERROR}
	fi

	local connection="${1}"
	if ! isset connection; then
		error "Please provide a connection name"
		return ${EXIT_ERROR}
	fi

	# Check for duplicates
	if ipsec_connection_exists "${connection}"; then
		error "The VPN IPsec connection ${connection} already exists"
		return ${EXIT_ERROR}
	fi

	# Check if the name of the connection is valid
	if  ipsec_connection_check_name "${connection}"; then
		error "'${connection}' contains illegal characters"
		return ${EXIT_ERROR}
	fi

	log DEBUG "Creating VPN IPsec connection ${connection}"

	if ! mkdir -p $(ipsec_connection_path "${connection}"); then
		log ERROR "Could not create config directory for ${connection}"
		return ${EXIT_ERROR}
	fi

	local ${IPSEC_CONNECTION_CONFIG_SETTINGS}

	MODE=${IPSEC_DEFAULT_MODE}
	AUTH_MODE=${IPSEC_DEFAULT_AUTH_MODE}
	INACTIVITY_TIMEOUT=${IPSEC_DEFAULT_INACTIVITY_TIMEOUT}
	SECURITY_POLICY=${IPSEC_DEFAULT_SECURITY_POLICY}

	if ! ipsec_connection_write_config "${connection}"; then
		log ERROR "Could not write new config file"
		return ${EXIT_ERROR}
	fi
}

# Function that deletes based on the passed parameters one ore more vpn security policies
ipsec_connection_destroy() {
	local connection
	for connection in $@; do
		if ! ipsec_connection_exists "${connection}"; then
			log ERROR "The VPN IPsec connection ${connection} does not exist."
			continue
		fi

		log DEBUG "Deleting VPN IPsec connection ${connection}"
		if ! rm -rf $(ipsec_connection_path "${connection}"); then
			log ERROR "Deleting the VPN IPsec connection ${connection} was not sucessful"
			return ${EXIT_ERROR}
		fi
	done
}
Commit	Line	Data
917a1aa0 JS	1	#!/bin/bash
	2	###############################################################################
	3	# #
	4	# IPFire.org - A linux based firewall #
	5	# Copyright (C) 2017 IPFire Network Development Team #
	6	# #
	7	# This program is free software: you can redistribute it and/or modify #
	8	# it under the terms of the GNU General Public License as published by #
	9	# the Free Software Foundation, either version 3 of the License, or #
	10	# (at your option) any later version. #
	11	# #
	12	# This program is distributed in the hope that it will be useful, #
	13	# but WITHOUT ANY WARRANTY; without even the implied warranty of #
	14	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
	15	# GNU General Public License for more details. #
	16	# #
	17	# You should have received a copy of the GNU General Public License #
	18	# along with this program. If not, see <http://www.gnu.org/licenses/>. #
	19	# #
	20	###############################################################################
	21
	22	IPSEC_CONNECTION_CONFIG_SETTINGS="AUTH_MODE INACTIVITY_TIMEOUT LOCAL_ID LOCAL_PREFIX"
	23	IPSEC_CONNECTION_CONFIG_SETTINGS="${IPSEC_CONNECTION_CONFIG_SETTINGS} MODE PEER PSK"
	24	IPSEC_CONNECTION_CONFIG_SETTINGS="${IPSEC_CONNECTION_CONFIG_SETTINGS} REMOTE_ID REMOTE_PREFIX"
	25	IPSEC_CONNECTION_CONFIG_SETTINGS="${IPSEC_CONNECTION_CONFIG_SETTINGS} SECURITY_POLICY"
	26
	27	# Default values
	28	IPSEC_DEFAULT_MODE="tunnel"
	29	IPSEC_DEFAULT_AUTH_MODE="psk"
	30	IPSEC_DEFAULT_INACTIVITY_TIMEOUT="0"
	31	IPSEC_DEFAULT_SECURITY_POLICY="system"
	32
	33	IPSEC_VALID_MODES="gre-transport tunnel vti"
	34	IPSEC_VALID_AUTH_MODES="PSK psk"
	35
	36	# This function writes all values to a via ${connection} specificated VPN IPsec configuration file
	37	ipsec_connection_write_config() {
	38	assert [ $# -ge 1 ]
	39
	40	local connection="${1}"
	41
	42	if ! ipsec_connection_exists "${connection}"; then
	43	log ERROR "No such VPN IPsec connection: ${connection}"
	44	return ${EXIT_ERROR}
	45	fi
	46
	47	local path="$(ipsec_connection_path "${connection}")/settings"
	48
	49	if ! settings_write "${path}" ${IPSEC_CONNECTION_CONFIG_SETTINGS}; then
	50	log ERROR "Could not write configuration settings for VPN IPsec connection ${connection}"
	51	return ${EXIT_ERROR}
	52	fi
	53
	54	ipsec_reload ${connection}
	55	}
	56
	57	# This funtion writes the value for one key to a via ${connection} specificated VPN IPsec connection configuration file
	58	ipsec_connection_write_config_key() {
	59	assert [ $# -ge 3 ]
	60
	61	local connection=${1}
	62	local key=${2}
	63	shift 2
	64
65	local value="$@"
66
67	if ! ipsec_connection_exists "${connection}"; then
68	log ERROR "No such VPN ipsec connection: ${connection}"
69	return ${EXIT_ERROR}
70	fi
71
72	log DEBUG "Set '${key}' to new value '${value}' in VPN ipsec connection '${connection}'"
73
74	local ${IPSEC_CONNECTION_CONFIG_SETTINGS}
75
76	# Read the config settings
77	if ! ipsec_connection_read_config "${connection}"; then
78	return ${EXIT_ERROR}
79	fi
80
81	# Set the key to a new value
82	assign "${key}" "${value}"
83
84	if ! ipsec_connection_write_config "${connection}"; then
85	return ${EXIT_ERROR}
86	fi
87
88	return ${EXIT_TRUE}
89	}
90
91	# Reads one or more keys out of a settings file or all if no key is provided.
92	ipsec_connection_read_config() {
93	assert [ $# -ge 1 ]
94
95	local connection="${1}"
96	shift 1
97
98	if ! ipsec_connection_exists "${connection}"; then
99	log ERROR "No such VPN IPsec connection : ${connection}"
100	return ${EXIT_ERROR}
101	fi
102
103
104	local args
105	if [ $# -eq 0 ] && [ -n "${IPSEC_CONNECTION_CONFIG_SETTINGS}" ]; then
106	list_append args ${IPSEC_CONNECTION_CONFIG_SETTINGS}
107	else
108	list_append args $@
109	fi
110
111	local path="$(ipsec_connection_path "${connection}")/settings"
112
113	if ! settings_read "${path}" ${args}; then
114	log ERROR "Could not read settings for VPN IPsec connection ${connection}"
115	return ${EXIT_ERROR}
116	fi
117	}
118
119	# Returns the path to a the directory for given connection
120	ipsec_connection_path() {
121	assert [ $# -eq 1 ]
122
123	local connection=${1}
124
125	echo "${NETWORK_CONFIG_DIR}/vpn/ipsec/connection/${connection}"
126	}
127
128	# This function checks if a vpn ipsec connection exists
129	# Returns True when yes and false when not
130	ipsec_connection_exists() {
131	assert [ $# -eq 1 ]
132
133	local connection=${1}
134
135	local path=$(ipsec_connection_path "${connection}")
136
137	[ -d "${path}" ] && return ${EXIT_TRUE} \|\| return ${EXIT_FALSE}
138	}
139
140	# Reloads the connection after config changes
141	ipsec_reload() {
142	return ${EXIT_TRUE}
143	}
144
145	# Handle the cli after authentification
146	ipsec_connection_authentication() {
147	if [ ! $# -gt 1 ]; then
148	log ERROR "Not enough arguments"
149	return ${EXIT_ERROR}
150	fi
151
152	local connection=${1}
153	local cmd=${2}
154	shift 2
155
156	case ${cmd} in
157	mode)
158	ipsec_connection_authentication_mode "${connection}" $@
159	;;
160	pre-shared-key)
161	ipsec_connection_authentication_psk "${connection}" $@
162	;;
163	*)
164	log ERROR "Unrecognized argument: ${cmd}"
165	return ${EXIT_ERROR}
166	;;
167	esac
168	}
169
170	# Set the authentification mode
171	ipsec_connection_authentication_mode() {
172	if [ ! $# -eq 2 ]; then
173	log ERROR "Not enough arguments"
174	return ${EXIT_ERROR}
175	fi
176	local connection=${1}
177	local mode=${2}
178
179	if ! isoneof mode ${IPSEC_VALID_AUTH_MODES}; then
180	log ERROR "Auth mode '${mode}' is invalid"
181	return ${EXIT_ERROR}
182	fi
183
184	if ! ipsec_connection_write_config_key "${connection}" "AUTH_MODE" ${mode,,}; then
185	log ERROR "Could not write configuration settings"
186	return ${EXIT_ERROR}
187	fi
188	}
189
190	# Set the psk
191	ipsec_connection_authentication_psk() {
192	if [ ! $# -eq 2]; then
193	log ERROR "Not enough arguments"
194	return ${EXIT_ERROR}
195	fi
196	local connection=${1}
197	local psk=${2}
198
199	# TODO Check if psk is valid
200
201	if ! ipsec_connection_write_config_key "${connection}" "PSK" ${psk}; then
202	log ERROR "Could not write configuration settings"
203	return ${EXIT_ERROR}
204	fi
205
206	return ${EXIT_OK}
207	}
208
209	# Handle the cli after local
210	ipsec_connection_local() {
211	if [ ! $# -ge 2 ]; then
212	log ERROR "Not enough arguments"
213	return ${EXIT_ERROR}
214	fi
215
216	local connection=${1}
217	local cmd=${2}
218	shift 2
219
220	case ${cmd} in
221	id)
222	ipsec_connection_id "${connection}" "LOCAL" $@
223	;;
224	prefix)
225	ipsec_connection_prefix "${connection}" "LOCAL" $@
226	;;
227	*)
228	log ERROR "Unrecognized argument: ${cmd}"
229	return ${EXIT_ERROR}
230	;;
231	esac
232
233	return ${EXIT_OK}
234	}
235
236	# Set the connection mode
237	ipsec_connection_mode() {
238	if [ ! $# -eq 2]; then
239	log ERROR "Not enough arguments"
240	return ${EXIT_ERROR}
241	fi
242	local connection=${1}
243	local mode=${2}
244
245	if ! isoneof mode ${IPSEC_VALID_MODES}; then
246	log ERROR "Mode '${mode}' is invalid"
247	return ${EXIT_ERROR}
248	fi
249
250	if ! ipsec_connection_write_config_key "${connection}" "MODE" ${mode}; then
251	log ERROR "Could not write configuration settings"
252	return ${EXIT_ERROR}
253	fi
254
255	return ${EXIT_OK}
256	}
257
258	# Set the peer to connect to
259	ipsec_connection_peer() {
260	if [ ! $# -eq 2]; then
261	log ERROR "Not enough arguments"
262	return ${EXIT_ERROR}
263	fi
264	local connection=${1}
265	local peer=${2}
266
267	if ! ipsec_connection_check_peer ${peer}; then
268	log ERROR "Peer '${peer}' is invalid"
269	return ${EXIT_ERROR}
270	fi
271
272	if ! ipsec_connection_write_config_key "${connection}" "PEER" ${peer}; then
273	log ERROR "Could not write configuration settings"
274	return ${EXIT_ERROR}
275	fi
276
277	return ${EXIT_OK}
278	}
279
280	#Set the local or remote id
281	ipsec_connection_id() {
282	if [ ! $# -eq 3 ]; then
283	log ERROR "Not enough arguments"
284	return ${EXIT_ERROR}
285	fi
286	local connection=${1}
287	local type=${2}
288	local id=${3}
289
290	if ! ipsec_connection_check_id ${id}; then
291	log ERROR "Id '${id}' is invalid"
292	return ${EXIT_ERROR}
293	fi
294
295	if ! ipsec_connection_write_config_key "${connection}" "${type}_ID" ${id}; then
296	log ERROR "Could not write configuration settings"
297	return ${EXIT_ERROR}
298	fi
299
300	return ${EXIT_OK}
301	}
302
303	# Set the local or remote prefix
304	ipsec_connection_prefix() {
305	if [ ! $# -ge 3 ]; then
306	log ERROR "Not enough arguments"
307	return ${EXIT_ERROR}
308	fi
309	local connection=${1}
310	local type=${2}
311	shift 2
312
313	local _prefix="${type}_PREFIX"
314	local "${_prefix}"
315	if ! ipsec_connection_read_config "${connection}" "${_prefix}"; then
316	return ${EXIT_ERROR}
317	fi
318
319	# Remove duplicated entries to proceed the list safely
320	assign "${_prefix}" "$(list_unique ${!_prefix} )"
321
322	local prefixes_added
323	local prefixes_removed
324	local prefixes_set
325
326	while [ $# -gt 0 ]; do
327	local arg="${1}"
328
329	case "${arg}" in
330	+*)
331	list_append prefixes_added "${arg:1}"
332	;;
333	-*)
334	list_append prefixes_removed "${arg:1}"
335	;;
336	[A-Fa-f0-9]*)
337	list_append prefixes_set "${arg}"
338	;;
339	*)
340	error "Invalid argument: ${arg}"
341	return ${EXIT_ERROR}
342	;;
343	esac
344	shift
345	done
346
347	# Check if the user is trying a mixed operation
348	if ! list_is_empty prefixes_set && (! list_is_empty prefixes_added \|\| ! list_is_empty prefixes_removed); then
349	error "You cannot reset the prefix list and add or remove prefixes at the same time"
350	return ${EXIT_ERROR}
351	fi
352
353	# Set new prefix list
354	if ! list_is_empty prefixes_set; then
355	# Check if all prefixes are valid
356	local prefix
357	for prefix in ${prefixes_set}; do
358	if ! ip_net_is_valid ${prefix}; then
359	error "Unsupported prefix: ${prefix}"
360	return ${EXIT_ERROR}
361	fi
362	done
363
364	assign "${_prefix}" "${prefixes_set}"
365
366	# Perform incremental updates
367	else
368	local prefix
369
370	# Perform all removals
371	for prefix in ${prefixes_removed}; do
372	if ! list_remove "${_prefix}" ${prefix}; then
373	warning "${prefix} was not on the list and could not be removed"
374	fi
375	done
376
377
378	for prefix in ${prefixes_added}; do
379	if ip_net_is_valid ${prefix}; then
380	if ! list_append_unique "${_prefix}" ${prefix}; then
381	warning "${prefix} is already on the prefix list"
382	fi
383	else
384	warning "${prefix} is not a valiv IP net and could not be added"
385	fi
386	done
387	fi
388
389	# Check if the list contain at least one valid prefix
390	if list_is_empty ${_prefix}; then
391	error "Cannot save an empty prefix list"
392	return ${EXIT_ERROR}
393	fi
394
395	# Save everything
396	if ! ipsec_connection_write_config_key "${connection}" "${_prefix}" ${!_prefix}; then
397	log ERROR "Could not write configuration settings"
398	fi
399
400	return ${EXIT_OK}
401	}
402
403	# Handle the cli after remote
404	ipsec_connection_remote() {
405	if [ ! $# -ge 2 ]; then
406	log ERROR "Not enough arguments"
407	return ${EXIT_ERROR}
408	fi
409
410	local connection=${1}
411	local cmd=${2}
412	shift 2
413
414	case ${cmd} in
415	id)
416	ipsec_connection_id "${connection}" "REMOTE" $@
417	;;
418
419	prefix)
420	ipsec_connection_prefix "${connection}" "REMOTE" $@
421	;;
422	*)
423	log ERROR "Unrecognized argument: ${cmd}"
424	return ${EXIT_ERROR}
425	;;
426	esac
427
428	return ${EXIT_OK}
429	}
430
431	# Set the inactivity timeout
432	ipsec_connection_inactivity_timeout() {
433	if [ ! $# -ge 2 ]; then
434	log ERROR "Not enough arguments"
435	return ${EXIT_ERROR}
436	fi
437
438	local connection=${1}
439	shift 1
440	local value=$@
441
442	if ! isinteger value; then
443	value=$(parse_time $@)
444	if [ ! $? -eq 0 ]; then
445	log ERROR "Parsing the passed time was not sucessful please check the passed values."
446	return ${EXIT_ERROR}
447	fi
448	fi
449
450	if [ ${value} -le 0 ]; then
451	log ERROR "The passed time value must be in the sum greater zero seconds."
452	return ${EXIT_ERROR}
453	fi
454
455	if ! ipsec_connection_write_config_key "${connection}" "INACTIVITY_TIMEOUT" ${value}; then
456	log ERROR "Could not write configuration settings"
457	return ${EXIT_ERROR}
458	fi
459
460	return ${EXIT_OK}
461	}
462
463
464	# Set the security policy to use
465	ipsec_connection_security_policy() {
466	if [ ! $# -eq 2 ]; then
467	log ERROR "Not enough arguments"
468	return ${EXIT_ERROR}
469	fi
470	local connection=${1}
471	local security_policy=${2}
472
473	if ! vpn_security_policy_exists ${security_policy}; then
474	log ERROR "No such vpn security policy '${security_policy}'"
475	return ${EXIT_ERROR}
476	fi
477
478	if ! ipsec_connection_write_config_key "${connection}" "SECURITY_POLICY" ${security_policy}; then
479	log ERROR "Could not write configuration settings"
480	return ${EXIT_ERROR}
481	fi
482	}
483
484	# Check if a id is valid
485	ipsec_connection_check_id() {
486	assert [ $# -eq 1 ]
487	local id=${1}
488
489	if [[ ${id} =~ ^@[[:alnum:]]+$ ]] \|\| ip_is_valid ${id}; then
490	return ${EXIT_TRUE}
491	else
492	return ${EXIT_FALSE}
493	fi
494	}
495
496	# Checks if a peer is valid
497	ipsec_connection_check_peer() {
498	assert [ $# -eq 1 ]
499	local peer=${1}
500
501	# TODO Accept also FQDNs
502	if ip_is_valid ${peer}; then
503	return ${EXIT_TRUE}
504	else
505	return ${EXIT_FALSE}
506	fi
507	}
508
509	# This function checks if a VPN IPsec connection name is valid
510	# Allowed are only A-Za-z0-9
511	ipsec_connection_check_name() {
512	assert [ $# -eq 1 ]
513
514	local connection=${1}
515
516	[[ "${connection}" =~ [^[:alnum:]$] ]]
517	}
518
519	# Function that creates one VPN IPsec connection
520	ipsec_connection_new() {
521	if [ $# -gt 1 ]; then
522	error "Too many arguments"
523	return ${EXIT_ERROR}
524	fi
525
526	local connection="${1}"
527	if ! isset connection; then
528	error "Please provide a connection name"
529	return ${EXIT_ERROR}
530	fi
531
532	# Check for duplicates
533	if ipsec_connection_exists "${connection}"; then
534	error "The VPN IPsec connection ${connection} already exists"
535	return ${EXIT_ERROR}
536	fi
537
538	# Check if the name of the connection is valid
539	if ipsec_connection_check_name "${connection}"; then
540	error "'${connection}' contains illegal characters"
541	return ${EXIT_ERROR}
542	fi
543
544	log DEBUG "Creating VPN IPsec connection ${connection}"
545
546	if ! mkdir -p $(ipsec_connection_path "${connection}"); then
547	log ERROR "Could not create config directory for ${connection}"
548	return ${EXIT_ERROR}
549	fi
550
551	local ${IPSEC_CONNECTION_CONFIG_SETTINGS}
552
553	MODE=${IPSEC_DEFAULT_MODE}
554	AUTH_MODE=${IPSEC_DEFAULT_AUTH_MODE}
555	INACTIVITY_TIMEOUT=${IPSEC_DEFAULT_INACTIVITY_TIMEOUT}
556	SECURITY_POLICY=${IPSEC_DEFAULT_SECURITY_POLICY}
557
558	if ! ipsec_connection_write_config "${connection}"; then
559	log ERROR "Could not write new config file"
560	return ${EXIT_ERROR}
561	fi
562	}
563
564	# Function that deletes based on the passed parameters one ore more vpn security policies
565	ipsec_connection_destroy() {
566	local connection
567	for connection in $@; do
568	if ! ipsec_connection_exists "${connection}"; then
569	log ERROR "The VPN IPsec connection ${connection} does not exist."
570	continue
571	fi
572
573	log DEBUG "Deleting VPN IPsec connection ${connection}"
574	if ! rm -rf $(ipsec_connection_path "${connection}"); then
575	log ERROR "Deleting the VPN IPsec connection ${connection} was not sucessful"
576	return ${EXIT_ERROR}
577	fi
578	done
579	}