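--- a/strongswan-5.7.0/src/_updown/_updown.in
+++ b/strongswan-5.7.0/src/_updown/_updown.in
@@ -130,6 +130,13 @@
 # address family.
 #
 
+VARS=(
+ id status name lefthost type ctype psk local local_id leftsubnets
+ remote_id remote rightsubnets x3 x4 x5 x6 x7 x8 x9 x10 x11 x12
+ x13 x14 x15 x16 x17 x18 x19 proto x20 x21 x22
+ route x23 mode interface_mode interface_address interface_mtu rest
+)
+
 function ip_encode() {
 local IFS=.
 
@@ -319,6 +326,13 @@
 fi
 ;;
 up-client:iptables)
+ # Read IPsec configuration
+ while IFS="," read -r "${VARS[@]}"; do
+ if [ "${PLUTO_CONNECTION}" = "${name}" ]; then
+ break
+ fi
+ done < /var/ipfire/vpn/config
+
 # connection to client subnet, with (left/right)firewall=yes, coming up
 # This is used only by the default updown script, not by your custom
 # ones, so do not mess with it; see CAUTION comment up at top.
@@ -383,23 +397,25 @@
 "tunnel+ $PLUTO_PEER -- $PLUTO_ME"
 fi
 
- # Add source nat so also the gateway can access the other nets
- eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
- for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
- ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}"
- if [ $? -eq 0 ]; then
- src=${_src}
- break
+ if [ -z "${interface_mode}" ]; then
+ # Add source nat so also the gateway can access the other nets
+ eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
+ for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
+ ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}"
+ if [ $? -eq 0 ]; then
+ src=${_src}
+ break
+ fi
+ done
+
+ if [ -n "${src}" ]; then
+ iptables --wait -t nat -A IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
+ logger -t $TAG -p $FAC_PRIO \
+ "snat+ $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src"
+ else
+ logger -t $TAG -p $FAC_PRIO \
+ "Cannot create NAT rule because no IP of the IPFire does match the subnet. $PLUTO_MY_CLIENT"
 fi
- done
-
- if [ -n "${src}" ]; then
- iptables --wait -t nat -A IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
- logger -t $TAG -p $FAC_PRIO \
- "snat+ $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src"
- else
- logger -t $TAG -p $FAC_PRIO \
- "Cannot create NAT rule because no IP of the IPFire does match the subnet. $PLUTO_MY_CLIENT"
 fi
 
 # Flush routing cache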
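Review bot: In the `up-client:iptables` lookup (second hunk), a connection that is absent from /var/ipfire/vpn/config leaves `interface_mode` holding whatever `read` last assigned — bash empties the variables on a clean EOF, but a final record without a trailing newline is still assigned before the loop ends — so the `if [ -z "${interface_mode}" ]` test in the third hunk can be decided by an unrelated connection's record. Copy the value only on a match: `conn_interface_mode=""` before the loop, `conn_interface_mode="${interface_mode}"` next to the `break`, and `if [ -z "${conn_interface_mode}" ]; then` in the third hunk. The `VARS` list in the first hunk is a positional mirror of the config's column layout and nothing says so; a line such as `# Column names of /var/ipfire/vpn/config, in file order (must match the writer)` would stop the next added column from silently shifting `interface_mode`. Whether the third hunk sits in the same `up-client:iptables` case as the loop is not visible here; if it does not, the variables are simply unset on that path and the NAT branch always runs.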