2 ###############################################################################
4 # IPFire.org - A linux based firewall #
5 # Copyright (C) 2017 IPFire Network Development Team #
7 # This program is free software: you can redistribute it and/or modify #
8 # it under the terms of the GNU General Public License as published by #
9 # the Free Software Foundation, either version 3 of the License, or #
10 # (at your option) any later version. #
12 # This program is distributed in the hope that it will be useful, #
13 # but WITHOUT ANY WARRANTY; without even the implied warranty of #
14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
15 # GNU General Public License for more details. #
17 # You should have received a copy of the GNU General Public License #
18 # along with this program. If not, see <http://www.gnu.org/licenses/>. #
20 ###############################################################################
22 IPSEC_CONNECTION_CONFIG_SETTINGS
="\
43 IPSEC_DEFAULT_AUTH_MODE
="PSK"
44 IPSEC_DEFAULT_DPD_ACTION
="restart"
45 IPSEC_DEFAULT_DPD_DELAY
="30"
46 IPSEC_DEFAULT_DPD_TIMEOUT
="120"
47 IPSEC_DEFAULT_ENABLED
="true"
48 IPSEC_DEFAULT_INACTIVITY_TIMEOUT
="0"
49 IPSEC_DEFAULT_MODE
="tunnel"
50 IPSEC_DEFAULT_SECURITY_POLICY
="system"
51 IPSEC_DEFAULT_START_ACTION
="on-demand"
52 IPSEC_DEFAULT_TYPE
="net-to-net"
54 IPSEC_VALID_MODES
="gre-transport tunnel vti"
55 IPSEC_VALID_AUTH_MODES
="PSK"
63 cli_ipsec_connection
"$@"
69 error
"Unrecognized argument: ${action}"
75 cli_ipsec_connection
() {
76 if ipsec_connection_exists
${1}; then
83 authentication|down|disable|dpd|
enable|inactivity_timeout|
local|mode|peer|pool|remote|security_policy|start_action|up
)
84 ipsec_connection_
${key} ${connection} "$@"
87 color_cli
"ipsec-connection" "${connection}" "$@"
90 description_cli
"ipsec-connection" ${connection} $@
93 cli_ipsec_connection_show
"${connection}"
97 error
"Unrecognized argument: ${key}"
107 ipsec_connection_new
"$@"
110 cli_ipsec_connection_destroy
"$@"
113 if [ -n "${action}" ]; then
114 error
"Unrecognized argument: '${action}'"
122 cli_ipsec_connection_destroy
() {
123 local connection
="${1}"
125 if ! ipsec_connection_destroy
"${connection}"; then
129 # Inform strongswan about the changes
130 ipsec_strongswan_load
132 # Configure strongswan autostart
133 ipsec_strongswan_autostart
136 ipsec_connection_get_color
() {
137 # This function return the color of a zone
141 color_read
"ipsec-connection" ${name}
144 ipsec_connection_get_description_title
() {
148 description_title_read $
(description_format_filename
"ipsec-connection" "${name}")
151 cli_ipsec_connection_show
() {
152 local connection
="${1}"
154 # Read the config settings
155 local ${IPSEC_CONNECTION_CONFIG_SETTINGS}
156 if ! ipsec_connection_read_config
"${connection}"; then
157 error
"Could not read the connection configuration"
161 cli_headline
0 "IPsec VPN Connection: ${connection}"
164 cli_print_fmt1
1 "Color" "$(cli_color_bar $(ipsec_connection_get_color ${connection}))"
165 cli_print_fmt1
1 "Description" "$(ipsec_connection_get_description_title ${connection})"
170 cli_print_fmt1
1 "Peer" "${PEER}"
174 cli_print_fmt1
1 "Security Policy" "${SECURITY_POLICY-${IPSEC_DEFAULT_SECURITY_POLICY}}"
177 cli_headline
2 "Authentication"
178 case "${AUTH_MODE^^}" in
180 cli_print_fmt1
2 "Mode" "Pre-Shared-Key"
183 cli_print_fmt1
2 "Pre-Shared-Key" "****"
185 cli_print_fmt1
2 "Pre-Shared-Key" "- is not set -"
195 for i
in LOCAL REMOTE
; do
198 cli_headline
2 "Local"
201 cli_headline
2 "Remote"
205 local id_var
="${i}_ID"
206 if [ -n "${!id_var}" ]; then
207 cli_print_fmt1
2 "ID" "${!id_var}"
210 local prefix_var
="${i}_PREFIX"
211 if isset
${prefix_var}; then
212 cli_headline
3 "Prefix(es)"
215 for prefix
in ${!prefix_var}; do
216 cli_print_fmt1
3 "${prefix}"
223 cli_headline
2 "Misc."
227 cli_print_fmt1
2 "Transport Mode" "GRE Transport"
230 cli_print_fmt1
2 "Transport Mode" "Tunnel"
233 cli_print_fmt1
2 "Transport Mode" "Virtual Tunnel Interface"
236 cli_print_fmt1
2 "Transport Mode" "- Unknown -"
241 if isset INACTIVITY_TIMEOUT
&& [ ${INACTIVITY_TIMEOUT} -gt 0 ]; then
242 cli_print_fmt1
2 "Inactivity Timeout" "$(format_time ${INACTIVITY_TIMEOUT})"
249 ipsec_connection_disable
() {
250 local connection
=${1}
252 if ! ipsec_connection_write_config_key
"${connection}" "ENABLED" "false"; then
253 log ERROR
"Could not write configuration settings"
257 # Configure strongswan autostart
258 ipsec_strongswan_autostart
261 ipsec_connection_enable
() {
262 local connection
=${1}
264 if ! ipsec_connection_write_config_key
"${connection}" "ENABLED" "true"; then
265 log ERROR
"Could not write configuration settings"
269 # Configure strongswan autostart
270 ipsec_strongswan_autostart
273 # This function writes all values to a via ${connection} specificated VPN IPsec configuration file
274 ipsec_connection_write_config
() {
277 local connection
="${1}"
279 if ! ipsec_connection_exists
"${connection}"; then
280 log ERROR
"No such VPN IPsec connection: ${connection}"
284 local path
="${NETWORK_IPSEC_CONNS_DIR}/${connection}/settings"
286 if ! settings_write
"${path}" ${IPSEC_CONNECTION_CONFIG_SETTINGS}; then
287 log ERROR
"Could not write configuration settings for VPN IPsec connection ${connection}"
291 ipsec_reload
${connection}
294 # This funtion writes the value for one key to a via ${connection} specificated VPN IPsec connection configuration file
295 ipsec_connection_write_config_key
() {
298 local connection
=${1}
304 if ! ipsec_connection_exists
"${connection}"; then
305 log ERROR
"No such VPN ipsec connection: ${connection}"
309 log DEBUG
"Set '${key}' to new value '${value}' in VPN ipsec connection '${connection}'"
311 local ${IPSEC_CONNECTION_CONFIG_SETTINGS}
313 # Read the config settings
314 if ! ipsec_connection_read_config
"${connection}"; then
318 # Set the key to a new value
319 assign
"${key}" "${value}"
321 if ! ipsec_connection_write_config
"${connection}"; then
328 # Reads one or more keys out of a settings file or all if no key is provided.
329 ipsec_connection_read_config
() {
332 local connection
="${1}"
335 if ! ipsec_connection_exists
"${connection}"; then
336 log ERROR
"No such VPN IPsec connection : ${connection}"
342 if [ $# -eq 0 ] && [ -n "${IPSEC_CONNECTION_CONFIG_SETTINGS}" ]; then
343 list_append args
${IPSEC_CONNECTION_CONFIG_SETTINGS}
345 list_append args
"$@"
348 local path
="${NETWORK_IPSEC_CONNS_DIR}/${connection}/settings"
350 if ! settings_read
"${path}" ${args}; then
351 log ERROR
"Could not read settings for VPN IPsec connection ${connection}"
356 # This function checks if a vpn ipsec connection exists
357 # Returns True when yes and false when not
358 ipsec_connection_exists
() {
361 local connection
=${1}
363 local path
="${NETWORK_IPSEC_CONNS_DIR}/${connection}"
365 [ -d "${path}" ] && return ${EXIT_TRUE} || return ${EXIT_FALSE}
368 # Determines if strongswan should be automatically started
369 # when the system boots up.
370 ipsec_strongswan_autostart() {
371 local autostart_needed="false
"
374 for connection in $(ipsec_list_connections); do
377 if ! ipsec_connection_read_config "${connection}" "ENABLED
"; then
378 log WARNING "Could not
read configuation
"
382 if enabled ENABLED; then
383 autostart_needed="true
"
388 # Start strongswan when we need it and when it is not yet enabled
389 if ${autostart_needed}; then
390 if ! service_is_enabled "strongswan
"; then
391 service_enable "strongswan
"
394 if ! service_is_active "strongswan
"; then
395 service_start "strongswan
"
398 # Disable strongswan when we do not need it but it is enabled
399 elif ! ${autostart_needed}; then
400 if service_is_enabled "strongswan
"; then
401 service_disable "strongswan
"
404 if service_is_active "strongswan
"; then
405 service_stop "strongswan
"
410 ipsec_strongswan_load() {
411 # Do nothing if strongswan is not running
412 if ! service_is_active "strongswan
"; then
416 if ! cmd swanctl --load-all; then
417 log ERROR "Could not reload strongswan config
"
422 # Reloads the connection after config changes
424 local connection=${1}
428 if ! ipsec_connection_read_config "${connection}" "ENABLED
"; then
429 log ERROR "Could not
read configuration
for IPsec connection
${connection}"
433 if enabled ENABLED; then
434 if ! ipsec_connection_to_strongswan ${connection}; then
435 log ERROR "Could not generate strongswan config
for ${connnection}"
439 log DEBUG "Deleting strongswan config
${NETWORK_IPSEC_SWANCTL_CONNECTIONS_DIR}/${connection}.conf
"
440 unlink "${NETWORK_IPSEC_SWANCTL_CONNECTIONS_DIR}/${connection}.conf
"
443 ipsec_strongswan_load
446 # Handle the cli after authentification
447 ipsec_connection_authentication() {
448 if [ ! $# -gt 1 ]; then
449 log ERROR "Not enough arguments
"
453 local connection=${1}
459 ipsec_connection_authentication_mode "${connection}" "$@
"
462 ipsec_connection_authentication_psk "${connection}" "$@
"
465 log ERROR "Unrecognized argument
: ${cmd}"
471 # Set the authentification mode
472 ipsec_connection_authentication_mode() {
473 if [ ! $# -eq 2 ]; then
474 log ERROR "Not enough arguments
"
477 local connection=${1}
480 if ! isoneof mode ${IPSEC_VALID_AUTH_MODES}; then
481 log ERROR "Auth mode
'${mode}' is invalid
"
485 if ! ipsec_connection_write_config_key "${connection}" "AUTH_MODE
" ${mode^^}; then
486 log ERROR "Could not
write configuration settings
"
492 ipsec_connection_authentication_psk() {
493 if [ ! $# -eq 2 ]; then
494 log ERROR "Not enough arguments
"
498 local connection=${1}
503 if [ ${length} -lt 4 ]; then
504 error "The PSK must be longer than four characters
"
508 if [ ${length} -gt 128 ]; then
509 error "The PSK cannot be longer than
128 characters
"
513 if ! ipsec_connection_write_config_key "${connection}" "PSK
" "${psk}"; then
514 log ERROR "Could not
write configuration settings
"
521 ipsec_connection_up() {
522 local connection="${1}"
524 if ! ipsec_connection_exists "${connection}"; then
525 error "No such VPN IPsec connection
: ${connection}"
529 cmd swanctl --initiate --child "${connection}"
532 ipsec_connection_down() {
533 local connection="${1}"
535 if ! ipsec_connection_exists "${connection}"; then
536 error "No such VPN IPsec connection
: ${connection}"
540 cmd swanctl --terminate --ike "${connection}"
543 # Handle the cli after authentification
544 ipsec_connection_dpd() {
545 if [ ! $# -gt 1 ]; then
546 log ERROR "Not enough arguments
"
550 local connection=${1}
556 ipsec_connection_dpd_action "${connection}" "$@
"
559 ipsec_connection_dpd_delay "${connection}" "$@
"
562 ipsec_connection_dpd_timeout "${connection}" "$@
"
565 log ERROR "Unrecognized argument
: ${cmd}"
571 # Set the default dpd action
572 ipsec_connection_dpd_action() {
573 if [ ! $# -eq 2 ]; then
574 log ERROR "Not enough arguments
"
577 local connection=${1}
580 if ! isoneof action "restart
" "clear"; then
581 log ERROR "dpd action
'${action}' is invalid
"
585 if ! ipsec_connection_write_config_key "${connection}" "DPD_ACTION
" ${action}; then
586 log ERROR "Could not
write configuration settings
"
592 ipsec_connection_dpd_delay() {
593 if [ ! $# -ge 2 ]; then
594 log ERROR "Not enough arguments
"
598 local connection=${1}
602 if ! isinteger value; then
603 value=$(parse_time "$@
")
604 if [ ! $? -eq 0 ]; then
605 log ERROR "Parsing the passed
time was not sucessful please check the passed values.
"
610 if [ ${value} -lt 0 ]; then
611 log ERROR "The passed
time value must be
in the
sum greater or equal zero seconds.
"
615 if ! ipsec_connection_write_config_key "${connection}" "DPD_DELAY
" ${value}; then
616 log ERROR "Could not
write configuration settings
"
623 # Set the dpd timeout
624 ipsec_connection_dpd_timeout() {
625 if [ ! $# -ge 2 ]; then
626 log ERROR "Not enough arguments
"
630 local connection=${1}
634 if ! isinteger value; then
635 value=$(parse_time "$@
")
636 if [ ! $? -eq 0 ]; then
637 log ERROR "Parsing the passed
time was not sucessful please check the passed values.
"
642 if [ ${value} -le 0 ]; then
643 log ERROR "The passed
time value must be
in the
sum greater or equal zero seconds.
"
647 if ! ipsec_connection_write_config_key "${connection}" "DPD_TIMEOUT
" ${value}; then
648 log ERROR "Could not
write configuration settings
"
655 # Handle the cli after local
656 ipsec_connection_local() {
657 if [ ! $# -ge 2 ]; then
658 log ERROR "Not enough arguments
"
662 local connection=${1}
668 ipsec_connection_local_address "${connection}" "$@
"
671 ipsec_connection_id "${connection}" "LOCAL
" "$@
"
674 ipsec_connection_prefix "${connection}" "LOCAL
" "$@
"
677 log ERROR "Unrecognized argument
: ${cmd}"
685 # Set the connection mode
686 ipsec_connection_mode() {
687 if [ ! $# -eq 2 ]; then
688 log ERROR "Not enough arguments
"
691 local connection=${1}
694 if ! isoneof mode ${IPSEC_VALID_MODES}; then
695 log ERROR "Mode
'${mode}' is invalid
"
699 if ! ipsec_connection_write_config_key "${connection}" "MODE
" ${mode}; then
700 log ERROR "Could not
write configuration settings
"
707 # Set the local address
708 ipsec_connection_local_address() {
709 if [ ! $# -eq 2 ]; then
710 log ERROR "Not enough arguments
"
713 local connection=${1}
714 local local_address=${2}
716 if ! ipsec_connection_check_peer ${local_address}; then
717 log ERROR "Local address
'${local_address}' is invalid
"
721 if ! ipsec_connection_write_config_key "${connection}" "LOCAL_ADDRESS
" ${local_address}; then
722 log ERROR "Could not
write configuration settings
"
729 # Set the peer to connect to
730 ipsec_connection_peer() {
731 if [ ! $# -eq 2 ]; then
732 log ERROR "Not enough arguments
"
735 local connection=${1}
738 if ! ipsec_connection_check_peer ${peer}; then
739 log ERROR "Peer
'${peer}' is invalid
"
743 if ! ipsec_connection_write_config_key "${connection}" "PEER
" ${peer}; then
744 log ERROR "Could not
write configuration settings
"
751 #Set the local or remote id
752 ipsec_connection_id() {
753 if [ ! $# -eq 3 ]; then
754 log ERROR "Not enough arguments
"
757 local connection=${1}
761 if ! ipsec_connection_check_id ${id}; then
762 log ERROR "Id
'${id}' is invalid
"
766 if ! ipsec_connection_write_config_key "${connection}" "${type}_ID" ${id}; then
767 log ERROR
"Could not write configuration settings"
774 # Set the local or remote prefix
775 ipsec_connection_prefix
() {
776 if [ ! $# -ge 3 ]; then
777 log ERROR
"Not enough arguments"
780 local connection
=${1}
784 local _prefix
="${type}_PREFIX"
786 if ! ipsec_connection_read_config
"${connection}" "${_prefix}"; then
790 # Remove duplicated entries to proceed the list safely
791 assign
"${_prefix}" "$(list_unique ${!_prefix} )"
794 local prefixes_removed
797 while [ $# -gt 0 ]; do
802 list_append prefixes_added
"${arg:1}"
805 list_append prefixes_removed
"${arg:1}"
808 list_append prefixes_set
"${arg}"
811 error
"Invalid argument: ${arg}"
818 # Check if the user is trying a mixed operation
819 if ! list_is_empty prefixes_set
&& (! list_is_empty prefixes_added ||
! list_is_empty prefixes_removed
); then
820 error
"You cannot reset the prefix list and add or remove prefixes at the same time"
824 # Set new prefix list
825 if ! list_is_empty prefixes_set
; then
826 # Check if all prefixes are valid
828 for prefix
in ${prefixes_set}; do
829 if ! ip_net_is_valid
${prefix}; then
830 error
"Unsupported prefix: ${prefix}"
835 assign
"${_prefix}" "${prefixes_set}"
837 # Perform incremental updates
841 # Perform all removals
842 for prefix
in ${prefixes_removed}; do
843 if ! list_remove
"${_prefix}" ${prefix}; then
844 warning
"${prefix} was not on the list and could not be removed"
849 for prefix
in ${prefixes_added}; do
850 if ip_net_is_valid
${prefix}; then
851 if ! list_append_unique
"${_prefix}" ${prefix}; then
852 warning
"${prefix} is already on the prefix list"
855 warning
"${prefix} is not a valid IP network and could not be added"
860 # Check if the list contain at least one valid prefix
861 if list_is_empty
${_prefix}; then
862 error
"Cannot save an empty prefix list"
867 if ! ipsec_connection_write_config_key
"${connection}" "${_prefix}" ${!_prefix}; then
868 log ERROR "Could not
write configuration settings
"
874 # Set the pools to use
875 ipsec_connection_pool() {
876 if [ ! $# -ge 2 ]; then
877 log ERROR "Not enough arguments
"
880 local connection=${1}
884 if ! ipsec_connection_read_config "${connection}" "POOLS
"; then
888 # Remove duplicated entries to proceed the list safely
889 assign "POOLS
" "$
(list_unique
${POOLS})"
895 while [ $# -gt 0 ]; do
900 list_append pools_added "${arg:1}"
903 list_append pools_removed "${arg:1}"
906 list_append pools_set "${arg}"
909 error "Invalid argument
: ${arg}"
916 # Check if the user is trying a mixed operation
917 if ! list_is_empty pools_set && (! list_is_empty pools_added || ! list_is_empty pools_removed); then
918 error "You cannot
reset the pools list and add or remove pools
at the same
time"
923 if ! list_is_empty pools_set; then
924 # Check if all pools are valid
926 for pool in ${pools_set}; do
927 if ! ipsec_pool_exists ${pool} || ! ipsec_pool_check_config ${pool}; then
928 error "Pool
${pool} is not valid
"
933 assign "POOLS
" "${pools_set}"
935 # Perform incremental updates
939 # Perform all removals
940 for pool in ${pools_removed}; do
941 if ! list_remove "POOLS
" ${pool}; then
942 warning "${pool} was not on the list and could not be removed
"
947 for pool in ${pools_added}; do
948 if ipsec_pool_exists ${pool} && ipsec_pool_check_config ${pool}; then
949 if ! list_append_unique "POOLS
" ${pool}; then
950 warning "${pool} is already on the prefix list
"
953 warning "${pool} is not a valid pool
"
958 # Check if the list contain at least one valid pool
959 if list_is_empty POOLS; then
960 error "Cannot save an empty pool list
"
965 if ! ipsec_connection_write_config_key "${connection}" "POOLS
" ${POOLS}; then
966 log ERROR "Could not
write configuration settings
"
972 # Handle the cli after remote
973 ipsec_connection_remote() {
974 if [ ! $# -ge 2 ]; then
975 log ERROR "Not enough arguments
"
979 local connection=${1}
985 ipsec_connection_id "${connection}" "REMOTE
" "$@
"
989 ipsec_connection_prefix "${connection}" "REMOTE
" "$@
"
992 log ERROR "Unrecognized argument
: ${cmd}"
1000 # Set the inactivity timeout
1001 ipsec_connection_inactivity_timeout() {
1002 if [ ! $# -ge 2 ]; then
1003 log ERROR "Not enough arguments
"
1004 return ${EXIT_ERROR}
1007 local connection=${1}
1011 if ! isinteger value; then
1012 value=$(parse_time "$@
")
1013 if [ ! $? -eq 0 ]; then
1014 log ERROR "Parsing the passed
time was not sucessful please check the passed values.
"
1015 return ${EXIT_ERROR}
1019 if [ ${value} -le 0 ]; then
1020 log ERROR "The passed
time value must be
in the
sum greater zero seconds.
"
1021 return ${EXIT_ERROR}
1024 if ! ipsec_connection_write_config_key "${connection}" "INACTIVITY_TIMEOUT
" ${value}; then
1025 log ERROR "Could not
write configuration settings
"
1026 return ${EXIT_ERROR}
1032 # Set the default start action
1033 ipsec_connection_start_action() {
1034 if [ ! $# -eq 2 ]; then
1035 log ERROR "Not enough arguments
"
1036 return ${EXIT_ERROR}
1038 local connection=${1}
1041 if ! isoneof action "on-demand
" "always-on
"; then
1042 log ERROR "Start action
'${action}' is invalid
"
1043 return ${EXIT_ERROR}
1046 if ! ipsec_connection_write_config_key "${connection}" "START_ACTION
" ${action}; then
1047 log ERROR "Could not
write configuration settings
"
1048 return ${EXIT_ERROR}
1052 # Set the security policy to use
1053 ipsec_connection_security_policy() {
1054 if [ ! $# -eq 2 ]; then
1055 log ERROR "Not enough arguments
"
1056 return ${EXIT_ERROR}
1058 local connection=${1}
1059 local security_policy=${2}
1061 if ! vpn_security_policy_exists ${security_policy}; then
1062 log ERROR "No such vpn security policy
'${security_policy}'"
1063 return ${EXIT_ERROR}
1066 if ! ipsec_connection_write_config_key "${connection}" "SECURITY_POLICY
" ${security_policy}; then
1067 log ERROR "Could not
write configuration settings
"
1068 return ${EXIT_ERROR}
1072 # Check if a id is valid
1073 ipsec_connection_check_id() {
1077 if [[ ${id} =~ ^@[[:alnum:]]+$ ]] || ip_is_valid ${id}; then
1080 return ${EXIT_FALSE}
1084 # Checks if a peer is valid
1085 ipsec_connection_check_peer() {
1089 # TODO Accept also FQDNs
1090 if ip_is_valid ${peer}; then
1093 return ${EXIT_FALSE}
1097 # This function checks if a VPN IPsec connection name is valid
1098 # Allowed are only A-Za-z0-9
1099 ipsec_connection_check_name() {
1102 local connection=${1}
1104 [[ "${connection}" =~ [^[:alnum:]$] ]]
1107 # Function that creates one VPN IPsec connection
1108 ipsec_connection_new() {
1109 if [ $# -gt 2 ]; then
1110 error "Too many arguments
"
1111 return ${EXIT_ERROR}
1114 local connection="${1}"
1117 if ! isset connection; then
1118 error "Please provide a connection name
"
1119 return ${EXIT_ERROR}
1122 # Check for duplicates
1123 if ipsec_connection_exists "${connection}"; then
1124 error "The VPN IPsec connection
${connection} already exists
"
1125 return ${EXIT_ERROR}
1128 # Check if the name of the connection is valid
1129 if ipsec_connection_check_name "${connection}"; then
1130 error "'${connection}' contains illegal characters
"
1131 return ${EXIT_ERROR}
1134 # Set TYPE to default if not set by the user
1135 if ! isset type; then
1136 type="${IPSEC_DEFAULT_TYPE}"
1139 if ! isoneof "type" "net-to-net
" "host-to-net
"; then
1140 error "Type is invalid
"
1141 return ${EXIT_ERROR}
1144 log DEBUG "Creating VPN IPsec connection
${connection}"
1146 if ! mkdir -p "${NETWORK_IPSEC_CONNS_DIR}/${connection}"; then
1147 log ERROR "Could not create config directory
for ${connection}"
1148 return ${EXIT_ERROR}
1151 local ${IPSEC_CONNECTION_CONFIG_SETTINGS}
1153 AUTH_MODE=${IPSEC_DEFAULT_AUTH_MODE}
1154 DPD_ACTION=${IPSEC_DEFAULT_DPD_ACTION}
1155 DPD_DELAY=${IPSEC_DEFAULT_DPD_DELAY}
1156 DPD_TIMEOUT=${IPSEC_DEFAULT_DPD_TIMEOUT}
1157 ENABLED=${IPSEC_DEFAULT_ENABLED}
1158 MODE=${IPSEC_DEFAULT_MODE}
1159 START_ACTION=${IPSEC_DEFAULT_START_ACTION}
1162 INACTIVITY_TIMEOUT=${IPSEC_DEFAULT_INACTIVITY_TIMEOUT}
1163 SECURITY_POLICY=${IPSEC_DEFAULT_SECURITY_POLICY}
1165 if ! ipsec_connection_write_config "${connection}"; then
1166 log ERROR "Could not
write new config
file"
1167 return ${EXIT_ERROR}
1170 # Configure strongswan autostart
1171 ipsec_strongswan_autostart
1174 # Function that deletes based on the passed parameters one ore more vpn security policies
1175 ipsec_connection_destroy() {
1177 for connection in "$@
"; do
1178 if ! ipsec_connection_exists "${connection}"; then
1179 log ERROR "The VPN IPsec connection
${connection} does not exist.
"
1183 log DEBUG "Deleting VPN IPsec connection
${connection}"
1185 # Delete strongswan configuration file
1186 file_delete "${NETWORK_IPSEC_SWANCTL_CONNECTIONS_DIR}/${connection}.conf
"
1188 if ! rm -rf "${NETWORK_IPSEC_CONNS_DIR}/${connection}"; then
1189 log ERROR "Deleting the VPN IPsec connection
${connection} was not sucessful
"
1190 return ${EXIT_ERROR}
1196 # List all ipsec connections
1197 ipsec_list_connections() {
1199 for connection in ${NETWORK_IPSEC_CONNS_DIR}/*; do
1200 [ -d ${connection} ] || continue
1201 basename ${connection}
1205 ipsec_connection_to_strongswan() {
1206 local connection="${1}"
1207 log DEBUG "Generating IPsec configuration
for ${connection}"
1209 # Read the config settings
1210 local ${IPSEC_CONNECTION_CONFIG_SETTINGS}
1211 if ! ipsec_connection_read_config "${connection}"; then
1212 error "Could not
read the connection
${connection}"
1213 return ${EXIT_ERROR}
1216 local path="${NETWORK_IPSEC_SWANCTL_CONNECTIONS_DIR}/${connection}.conf
"
1219 # Write the connection section
1220 _ipsec_connection_to_strongswan_connection "${connection}"
1222 # Write the secrets section
1223 _ipsec_connection_to_strongswan_secrets "${connection}"
1228 _ipsec_connection_to_strongswan_connection() {
1229 local connection="${1}"
1231 # Read the security policy
1232 local ${VPN_SECURITY_POLICIES_CONFIG_SETTINGS}
1233 if ! vpn_security_policies_read_config "${SECURITY_POLICY}"; then
1234 return ${EXIT_ERROR}
1239 if isset DPD_DELAY && isinteger DPD_DELAY && [ ${DPD_DELAY} -gt 0 ]; then
1243 # Write configuration header
1244 config_header "strongSwan configuration
for ${connection}"
1246 print_indent 0 "connections
{"
1247 print_indent 1 "${connection} {"
1250 print_indent 2 "# IKE Version"
1251 case "${KEY_EXCHANGE^^}" in
1253 print_indent
2 "version = 1"
1256 # Fall back to IKEv2 for any random values
1258 print_indent
2 "version = 2"
1263 # Always only keep one connection open at a time
1264 print_indent
2 "# Unique IDs"
1265 print_indent
2 "unique = replace"
1269 print_indent
2 "# Local Address"
1270 if isset LOCAL_ADDRESS
; then
1271 print_indent
2 "local_addrs = ${LOCAL_ADDRESS}"
1273 print_indent
2 "local_addrs = %any"
1278 print_indent
2 "# Remote Address"
1280 print_indent
2 "remote_addrs = ${PEER}"
1282 print_indent
2 "remote_addrs = %any"
1287 print_indent
2 "# IKE Proposals"
1288 print_indent
2 "proposals = $(vpn_security_policies_make_ike_proposal ${SECURITY_POLICY})"
1292 if enabled dpd
; then
1293 print_indent
2 "# Dead Peer Detection"
1294 print_indent
2 "dpd_delay = ${DPD_DELAY}"
1296 if isset DPD_TIMEOUT
; then
1297 print_indent
2 "dpd_timeout = ${DPD_TIMEOUT}"
1304 print_indent
2 "# Fragmentation"
1305 print_indent
2 "fragmentation = yes"
1309 # Host-to-Net specific settings
1313 if isset POOLS
; then
1314 print_indent
2 "# Pools"
1315 print_indent
2 "pools = $(list_join POOLS ", ")"
1322 print_indent
2 "local {"
1325 if isset LOCAL_ID
; then
1326 print_indent
3 "id = ${LOCAL_ID}"
1330 case "${AUTH_MODE}" in
1332 print_indent
3 "auth = psk"
1340 print_indent
2 "remote {"
1343 if isset REMOTE_ID
; then
1344 print_indent
3 "id = ${REMOTE_ID}"
1348 case "${AUTH_MODE}" in
1350 print_indent
3 "auth = psk"
1359 print_indent
2 "children {"
1360 print_indent
3 "${connection} {"
1362 print_indent
4 "# ESP Proposals"
1363 print_indent
4 "esp_proposals = $(vpn_security_policies_make_esp_proposal ${SECURITY_POLICY})"
1370 print_indent
4 "local_ts = dynamic[gre]"
1371 print_indent
4 "remote_ts = dynamic[gre]"
1375 if isset LOCAL_PREFIX
; then
1376 print_indent
4 "local_ts = $(list_join LOCAL_PREFIX ,)"
1378 print_indent
4 "local_ts = dynamic"
1382 if isset REMOTE_PREFIX
; then
1383 print_indent
4 "remote_ts = $(list_join REMOTE_PREFIX ,)"
1385 print_indent
4 "remote_ts = dynamic"
1394 print_indent
4 "# Netfilter Marks"
1395 print_indent
4 "mark_in = %unique"
1396 print_indent
4 "mark_out = %unique"
1401 # Dead Peer Detection
1402 if enabled dpd
; then
1403 print_indent
4 "# Dead Peer Detection"
1404 print_indent
4 "dpd_action = ${DPD_ACTION}"
1409 if isset LIFETIME
; then
1410 print_indent
4 "# Rekey Time"
1411 print_indent
4 "rekey_time = ${LIFETIME}"
1416 print_indent
4 "updown = ${NETWORK_HELPERS_DIR}/ipsec-updown"
1420 print_indent
4 "# Mode"
1423 print_indent
4 "mode = transport"
1426 print_indent
4 "mode = tunnel"
1432 print_indent
4 "# Compression"
1433 if enabled COMPRESSION
; then
1434 print_indent
4 "ipcomp = yes"
1436 print_indent
4 "ipcomp = no"
1440 # Inactivity Timeout
1441 if isset INACTIVITY_TIMEOUT
; then
1442 print_indent
4 "# Inactivity Timeout"
1443 print_indent
4 "inactivity = ${INACTIVITY_TIMEOUT}"
1447 # Net-to-Net specific settings
1451 print_indent
4 "# Start Action"
1452 case "${START_ACTION}" in
1454 print_indent
4 "start_action = trap"
1455 print_indent
4 "close_action = trap"
1458 print_indent
4 "start_action = none"
1459 print_indent
4 "close_action = none"
1462 print_indent
4 "start_action = start"
1463 print_indent
4 "close_action = start"
1479 _ipsec_connection_to_strongswan_secrets
() {
1480 local connection
="${1}"
1482 print_indent
0 "secrets {"
1484 case "${AUTH_MODE}" in
1486 print_indent
1 "ike {"
1489 print_indent
2 "secret = ${PSK}"
1492 if isset REMOTE_ID
; then
1493 print_indent
2 "id = ${REMOTE_ID}"