2 ###############################################################################
4 # IPFire.org - A linux based firewall #
5 # Copyright (C) 2017 IPFire Network Development Team #
7 # This program is free software: you can redistribute it and/or modify #
8 # it under the terms of the GNU General Public License as published by #
9 # the Free Software Foundation, either version 3 of the License, or #
10 # (at your option) any later version. #
12 # This program is distributed in the hope that it will be useful, #
13 # but WITHOUT ANY WARRANTY; without even the implied warranty of #
14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
15 # GNU General Public License for more details. #
17 # You should have received a copy of the GNU General Public License #
18 # along with this program. If not, see <http://www.gnu.org/licenses/>. #
20 ###############################################################################
22 IPSEC_CONNECTION_CONFIG_SETTINGS
="\
44 IPSEC_DEFAULT_AUTH_MODE
="PSK"
45 IPSEC_DEFAULT_DPD_ACTION
="restart"
46 IPSEC_DEFAULT_DPD_DELAY
="30"
47 IPSEC_DEFAULT_DPD_TIMEOUT
="120"
48 IPSEC_DEFAULT_ENABLED
="true"
49 IPSEC_DEFAULT_INACTIVITY_TIMEOUT
="0"
50 IPSEC_DEFAULT_MODE
="tunnel"
51 IPSEC_DEFAULT_SECURITY_POLICY
="system"
52 IPSEC_DEFAULT_START_ACTION
="on-demand"
53 IPSEC_DEFAULT_TYPE
="net-to-net"
55 IPSEC_VALID_MODES
="transport tunnel"
56 IPSEC_VALID_AUTH_MODES
="PSK"
64 cli_ipsec_connection
"$@"
70 error
"Unrecognized argument: ${action}"
76 cli_ipsec_connection
() {
77 if ipsec_connection_exists
${1}; then
84 authentication|down|disable|dpd|
enable|inactivity_timeout|
local|mode|peer|pool|remote|security_policy|start_action|up|zone
)
85 ipsec_connection_
${key} ${connection} "$@"
88 color_cli
"ipsec-connection" "${connection}" "$@"
91 description_cli
"ipsec-connection" ${connection} $@
94 cli_ipsec_connection_show
"${connection}"
98 error
"Unrecognized argument: ${key}"
108 ipsec_connection_new
"$@"
111 cli_ipsec_connection_destroy
"$@"
114 if [ -n "${action}" ]; then
115 error
"Unrecognized argument: '${action}'"
123 cli_ipsec_connection_destroy
() {
124 local connection
="${1}"
126 if ! ipsec_connection_destroy
"${connection}"; then
130 # Inform strongswan about the changes
131 ipsec_strongswan_load
133 # Configure strongswan autostart
134 ipsec_strongswan_autostart
137 ipsec_connection_get_color
() {
138 # This function return the color of a zone
142 color_read
"ipsec-connection" ${name}
145 ipsec_connection_get_description_title
() {
149 description_title_read $
(description_format_filename
"ipsec-connection" "${name}")
152 cli_ipsec_connection_show
() {
153 local connection
="${1}"
155 # Read the config settings
156 local ${IPSEC_CONNECTION_CONFIG_SETTINGS}
157 if ! ipsec_connection_read_config
"${connection}"; then
158 error
"Could not read the connection configuration"
162 cli_headline
0 "IPsec VPN Connection: ${connection}"
165 cli_print_fmt1
1 "Color" "$(cli_color_bar $(ipsec_connection_get_color ${connection}))"
166 cli_print_fmt1
1 "Description" "$(ipsec_connection_get_description_title ${connection})"
171 cli_print_fmt1
1 "Peer" "${PEER}"
176 cli_print_fmt1
1 "Zone" "${ZONE}"
180 cli_print_fmt1
1 "Security Policy" "${SECURITY_POLICY-${IPSEC_DEFAULT_SECURITY_POLICY}}"
183 cli_headline
2 "Authentication"
184 case "${AUTH_MODE^^}" in
186 cli_print_fmt1
2 "Mode" "Pre-Shared-Key"
189 cli_print_fmt1
2 "Pre-Shared-Key" "****"
191 cli_print_fmt1
2 "Pre-Shared-Key" "- is not set -"
201 for i
in LOCAL REMOTE
; do
204 cli_headline
2 "Local"
207 cli_headline
2 "Remote"
211 local id_var
="${i}_ID"
212 if [ -n "${!id_var}" ]; then
213 cli_print_fmt1
2 "ID" "${!id_var}"
216 local prefix_var
="${i}_PREFIX"
217 if isset
${prefix_var}; then
218 cli_headline
3 "Prefix(es)"
221 for prefix
in ${!prefix_var}; do
222 cli_print_fmt1
3 "${prefix}"
229 cli_headline
2 "Misc."
233 cli_print_fmt1
2 "Transport Mode" "Transport"
236 cli_print_fmt1
2 "Transport Mode" "Tunnel"
239 cli_print_fmt1
2 "Transport Mode" "- Unknown -"
244 if isset INACTIVITY_TIMEOUT
&& [ ${INACTIVITY_TIMEOUT} -gt 0 ]; then
245 cli_print_fmt1
2 "Inactivity Timeout" "$(format_time ${INACTIVITY_TIMEOUT})"
252 ipsec_connection_disable
() {
253 local connection
=${1}
255 if ! ipsec_connection_write_config_key
"${connection}" "ENABLED" "false"; then
256 log ERROR
"Could not write configuration settings"
260 # Configure strongswan autostart
261 ipsec_strongswan_autostart
264 ipsec_connection_enable
() {
265 local connection
=${1}
267 if ! ipsec_connection_write_config_key
"${connection}" "ENABLED" "true"; then
268 log ERROR
"Could not write configuration settings"
272 # Configure strongswan autostart
273 ipsec_strongswan_autostart
276 # This function writes all values to a via ${connection} specificated VPN IPsec configuration file
277 ipsec_connection_write_config
() {
280 local connection
="${1}"
282 if ! ipsec_connection_exists
"${connection}"; then
283 log ERROR
"No such VPN IPsec connection: ${connection}"
287 local path
="${NETWORK_IPSEC_CONNS_DIR}/${connection}/settings"
289 if ! settings_write
"${path}" ${IPSEC_CONNECTION_CONFIG_SETTINGS}; then
290 log ERROR
"Could not write configuration settings for VPN IPsec connection ${connection}"
294 ipsec_reload
${connection}
297 # This funtion writes the value for one key to a via ${connection} specificated VPN IPsec connection configuration file
298 ipsec_connection_write_config_key
() {
301 local connection
=${1}
307 if ! ipsec_connection_exists
"${connection}"; then
308 log ERROR
"No such VPN ipsec connection: ${connection}"
312 log DEBUG
"Set '${key}' to new value '${value}' in VPN ipsec connection '${connection}'"
314 local ${IPSEC_CONNECTION_CONFIG_SETTINGS}
316 # Read the config settings
317 if ! ipsec_connection_read_config
"${connection}"; then
321 # Set the key to a new value
322 assign
"${key}" "${value}"
324 if ! ipsec_connection_write_config
"${connection}"; then
331 # Reads one or more keys out of a settings file or all if no key is provided.
332 ipsec_connection_read_config
() {
335 local connection
="${1}"
338 if ! ipsec_connection_exists
"${connection}"; then
339 log ERROR
"No such VPN IPsec connection : ${connection}"
345 if [ $# -eq 0 ] && [ -n "${IPSEC_CONNECTION_CONFIG_SETTINGS}" ]; then
346 list_append args
${IPSEC_CONNECTION_CONFIG_SETTINGS}
348 list_append args
"$@"
351 local path
="${NETWORK_IPSEC_CONNS_DIR}/${connection}/settings"
353 if ! settings_read
"${path}" ${args}; then
354 log ERROR
"Could not read settings for VPN IPsec connection ${connection}"
359 # This function checks if a vpn ipsec connection exists
360 # Returns True when yes and false when not
361 ipsec_connection_exists
() {
364 local connection
=${1}
366 local path
="${NETWORK_IPSEC_CONNS_DIR}/${connection}"
368 [ -d "${path}" ] && return ${EXIT_TRUE} || return ${EXIT_FALSE}
371 # Determines if strongswan should be automatically started
372 # when the system boots up.
373 ipsec_strongswan_autostart() {
374 local autostart_needed="false
"
377 for connection in $(ipsec_list_connections); do
380 if ! ipsec_connection_read_config "${connection}" "ENABLED
"; then
381 log WARNING "Could not
read configuation
"
385 if enabled ENABLED; then
386 autostart_needed="true
"
391 # Start strongswan when we need it and when it is not yet enabled
392 if ${autostart_needed}; then
393 if ! service_is_enabled "strongswan
"; then
394 service_enable "strongswan
"
397 if ! service_is_active "strongswan
"; then
398 service_start "strongswan
"
401 # Disable strongswan when we do not need it but it is enabled
402 elif ! ${autostart_needed}; then
403 if service_is_enabled "strongswan
"; then
404 service_disable "strongswan
"
407 if service_is_active "strongswan
"; then
408 service_stop "strongswan
"
413 ipsec_strongswan_load() {
414 # Do nothing if strongswan is not running
415 if ! service_is_active "strongswan
"; then
419 if ! cmd swanctl --load-all; then
420 log ERROR "Could not reload strongswan config
"
425 # Reloads the connection after config changes
427 local connection=${1}
431 if ! ipsec_connection_read_config "${connection}" "ENABLED
"; then
432 log ERROR "Could not
read configuration
for IPsec connection
${connection}"
436 if enabled ENABLED; then
437 if ! ipsec_connection_to_strongswan ${connection}; then
438 log ERROR "Could not generate strongswan config
for ${connnection}"
442 log DEBUG "Deleting strongswan config
${NETWORK_IPSEC_SWANCTL_CONNECTIONS_DIR}/${connection}.conf
"
443 unlink "${NETWORK_IPSEC_SWANCTL_CONNECTIONS_DIR}/${connection}.conf
"
446 ipsec_strongswan_load
449 # Handle the cli after authentification
450 ipsec_connection_authentication() {
451 if [ ! $# -gt 1 ]; then
452 log ERROR "Not enough arguments
"
456 local connection=${1}
462 ipsec_connection_authentication_mode "${connection}" "$@
"
465 ipsec_connection_authentication_psk "${connection}" "$@
"
468 log ERROR "Unrecognized argument
: ${cmd}"
474 # Set the authentification mode
475 ipsec_connection_authentication_mode() {
476 if [ ! $# -eq 2 ]; then
477 log ERROR "Not enough arguments
"
480 local connection=${1}
483 if ! isoneof mode ${IPSEC_VALID_AUTH_MODES}; then
484 log ERROR "Auth mode
'${mode}' is invalid
"
488 if ! ipsec_connection_write_config_key "${connection}" "AUTH_MODE
" ${mode^^}; then
489 log ERROR "Could not
write configuration settings
"
495 ipsec_connection_authentication_psk() {
496 if [ ! $# -eq 2 ]; then
497 log ERROR "Not enough arguments
"
501 local connection=${1}
506 if [ ${length} -lt 4 ]; then
507 error "The PSK must be longer than four characters
"
511 if [ ${length} -gt 128 ]; then
512 error "The PSK cannot be longer than
128 characters
"
516 if ! ipsec_connection_write_config_key "${connection}" "PSK
" "${psk}"; then
517 log ERROR "Could not
write configuration settings
"
524 ipsec_connection_up() {
525 local connection="${1}"
527 if ! ipsec_connection_exists "${connection}"; then
528 error "No such VPN IPsec connection
: ${connection}"
532 # Read configuration options
534 if ! ipsec_connection_read_config "${connection}" "ZONE
"; then
535 log ERROR "Could not
read configuration
for IPsec connection
${connection}"
539 if ! [ -f "${NETWORK_IPSEC_SWANCTL_CONNECTIONS_DIR}/${connection}.conf
" ]; then
540 log DEBUG "Could not
find a swanctl config
, generating swanctl config
"
541 ipsec_connection_to_strongswan "${connection}"
542 ipsec_strongswan_load
550 cmd swanctl --initiate --child "${connection}"
553 ipsec_connection_down() {
554 local connection="${1}"
556 if ! ipsec_connection_exists "${connection}"; then
557 error "No such VPN IPsec connection
: ${connection}"
561 # Read configuration options
563 if ! ipsec_connection_read_config "${connection}" "ZONE
"; then
564 log ERROR "Could not
read configuration
for IPsec connection
${connection}"
568 # Tell strongswan to bring down any tunnels
569 cmd swanctl --terminate --ike "${connection}"
577 # Handle the cli after authentification
578 ipsec_connection_dpd() {
579 if [ ! $# -gt 1 ]; then
580 log ERROR "Not enough arguments
"
584 local connection=${1}
590 ipsec_connection_dpd_action "${connection}" "$@
"
593 ipsec_connection_dpd_delay "${connection}" "$@
"
596 ipsec_connection_dpd_timeout "${connection}" "$@
"
599 log ERROR "Unrecognized argument
: ${cmd}"
605 # Set the default dpd action
606 ipsec_connection_dpd_action() {
607 if [ ! $# -eq 2 ]; then
608 log ERROR "Not enough arguments
"
611 local connection=${1}
614 if ! isoneof action "restart
" "clear"; then
615 log ERROR "dpd action
'${action}' is invalid
"
619 if ! ipsec_connection_write_config_key "${connection}" "DPD_ACTION
" ${action}; then
620 log ERROR "Could not
write configuration settings
"
626 ipsec_connection_dpd_delay() {
627 if [ ! $# -ge 2 ]; then
628 log ERROR "Not enough arguments
"
632 local connection=${1}
636 if ! isinteger value; then
637 value=$(parse_time "$@
")
638 if [ ! $? -eq 0 ]; then
639 log ERROR "Parsing the passed
time was not sucessful please check the passed values.
"
644 if [ ${value} -lt 0 ]; then
645 log ERROR "The passed
time value must be
in the
sum greater or equal zero seconds.
"
649 if ! ipsec_connection_write_config_key "${connection}" "DPD_DELAY
" ${value}; then
650 log ERROR "Could not
write configuration settings
"
657 # Set the dpd timeout
658 ipsec_connection_dpd_timeout() {
659 if [ ! $# -ge 2 ]; then
660 log ERROR "Not enough arguments
"
664 local connection=${1}
668 if ! isinteger value; then
669 value=$(parse_time "$@
")
670 if [ ! $? -eq 0 ]; then
671 log ERROR "Parsing the passed
time was not sucessful please check the passed values.
"
676 if [ ${value} -le 0 ]; then
677 log ERROR "The passed
time value must be
in the
sum greater or equal zero seconds.
"
681 if ! ipsec_connection_write_config_key "${connection}" "DPD_TIMEOUT
" ${value}; then
682 log ERROR "Could not
write configuration settings
"
689 # Handle the cli after local
690 ipsec_connection_local() {
691 if [ ! $# -ge 2 ]; then
692 log ERROR "Not enough arguments
"
696 local connection=${1}
702 ipsec_connection_local_address "${connection}" "$@
"
705 ipsec_connection_id "${connection}" "LOCAL
" "$@
"
708 ipsec_connection_prefix "${connection}" "LOCAL
" "$@
"
711 log ERROR "Unrecognized argument
: ${cmd}"
719 # Set the connection mode
720 ipsec_connection_mode() {
721 if [ ! $# -eq 2 ]; then
722 log ERROR "Not enough arguments
"
725 local connection=${1}
728 if ! isoneof mode ${IPSEC_VALID_MODES}; then
729 log ERROR "Mode
'${mode}' is invalid
"
733 if ! ipsec_connection_write_config_key "${connection}" "MODE
" ${mode}; then
734 log ERROR "Could not
write configuration settings
"
741 ipsec_connection_zone() {
742 local connection="${1}"
746 # Check if we got an argument
747 if ! isset zone; then
748 error "Zone is not
set"
755 if ! ipsec_connection_read_config "${connection}" "ZONE
"; then
756 log ERROR "Could not
read configuration
for IPsec connection
${connection}"
760 # Removes zone setting
764 log INFO "Removing zone
${ZONE} from IPsec connection
'${connection}'"
769 # Check if the zone exists
770 if ! zone_exists "${zone}"; then
771 error "Zone
${zone} does not exist
"
775 # Zone must be of type tunnel
776 local hook="$
(zone_get_hook
"${zone}")"
780 # We support ip-tunnels
784 error "Zones of
type ${hook} are not supported
"
789 # Check if this zone is alreadz attached to another IPsec connection
792 log INFO "Adding zone
${zone} to IPsec connection
'${connection}'"
797 if ! ipsec_connection_write_config_key "${connection}" "ZONE
" "${zone}"; then
798 error "Could not
write configuration settings
"
805 # Set the local address
806 ipsec_connection_local_address() {
807 if [ ! $# -eq 2 ]; then
808 log ERROR "Not enough arguments
"
811 local connection=${1}
812 local local_address=${2}
814 if ! ipsec_connection_check_peer ${local_address}; then
815 log ERROR "Local address
'${local_address}' is invalid
"
819 if ! ipsec_connection_write_config_key "${connection}" "LOCAL_ADDRESS
" ${local_address}; then
820 log ERROR "Could not
write configuration settings
"
827 # Set the peer to connect to
828 ipsec_connection_peer() {
829 if [ ! $# -eq 2 ]; then
830 log ERROR "Not enough arguments
"
833 local connection=${1}
836 if ! ipsec_connection_check_peer ${peer}; then
837 log ERROR "Peer
'${peer}' is invalid
"
841 if ! ipsec_connection_write_config_key "${connection}" "PEER
" ${peer}; then
842 log ERROR "Could not
write configuration settings
"
849 #Set the local or remote id
850 ipsec_connection_id() {
851 if [ ! $# -eq 3 ]; then
852 log ERROR "Not enough arguments
"
855 local connection=${1}
859 if ! ipsec_connection_check_id ${id}; then
860 log ERROR "Id
'${id}' is invalid
"
864 if ! ipsec_connection_write_config_key "${connection}" "${type}_ID" ${id}; then
865 log ERROR
"Could not write configuration settings"
872 # Set the local or remote prefix
873 ipsec_connection_prefix
() {
874 if [ ! $# -ge 3 ]; then
875 log ERROR
"Not enough arguments"
878 local connection
=${1}
882 local _prefix
="${type}_PREFIX"
884 if ! ipsec_connection_read_config
"${connection}" "${_prefix}"; then
888 # Remove duplicated entries to proceed the list safely
889 assign
"${_prefix}" "$(list_unique ${!_prefix} )"
892 local prefixes_removed
895 while [ $# -gt 0 ]; do
900 list_append prefixes_added
"${arg:1}"
903 list_append prefixes_removed
"${arg:1}"
906 list_append prefixes_set
"${arg}"
909 error
"Invalid argument: ${arg}"
916 # Check if the user is trying a mixed operation
917 if ! list_is_empty prefixes_set
&& (! list_is_empty prefixes_added ||
! list_is_empty prefixes_removed
); then
918 error
"You cannot reset the prefix list and add or remove prefixes at the same time"
922 # Set new prefix list
923 if ! list_is_empty prefixes_set
; then
924 # Check if all prefixes are valid
926 for prefix
in ${prefixes_set}; do
927 if ! ip_net_is_valid
${prefix}; then
928 error
"Unsupported prefix: ${prefix}"
933 assign
"${_prefix}" "${prefixes_set}"
935 # Perform incremental updates
939 # Perform all removals
940 for prefix
in ${prefixes_removed}; do
941 if ! list_remove
"${_prefix}" ${prefix}; then
942 warning
"${prefix} was not on the list and could not be removed"
947 for prefix
in ${prefixes_added}; do
948 if ip_net_is_valid
${prefix}; then
949 if ! list_append_unique
"${_prefix}" ${prefix}; then
950 warning
"${prefix} is already on the prefix list"
953 warning
"${prefix} is not a valid IP network and could not be added"
958 # Check if the list contain at least one valid prefix
959 if list_is_empty
${_prefix}; then
960 error
"Cannot save an empty prefix list"
965 if ! ipsec_connection_write_config_key
"${connection}" "${_prefix}" ${!_prefix}; then
966 log ERROR "Could not
write configuration settings
"
972 # Set the pools to use
973 ipsec_connection_pool() {
974 if [ ! $# -ge 2 ]; then
975 log ERROR "Not enough arguments
"
978 local connection=${1}
982 if ! ipsec_connection_read_config "${connection}" "POOLS
"; then
986 # Remove duplicated entries to proceed the list safely
987 assign "POOLS
" "$
(list_unique
${POOLS})"
993 while [ $# -gt 0 ]; do
998 list_append pools_added "${arg:1}"
1001 list_append pools_removed "${arg:1}"
1004 list_append pools_set "${arg}"
1007 error "Invalid argument
: ${arg}"
1008 return ${EXIT_ERROR}
1014 # Check if the user is trying a mixed operation
1015 if ! list_is_empty pools_set && (! list_is_empty pools_added || ! list_is_empty pools_removed); then
1016 error "You cannot
reset the pools list and add or remove pools
at the same
time"
1017 return ${EXIT_ERROR}
1020 # Set new pools list
1021 if ! list_is_empty pools_set; then
1022 # Check if all pools are valid
1024 for pool in ${pools_set}; do
1025 if ! ipsec_pool_exists ${pool} || ! ipsec_pool_check_config ${pool}; then
1026 error "Pool
${pool} is not valid
"
1027 return ${EXIT_ERROR}
1031 assign "POOLS
" "${pools_set}"
1033 # Perform incremental updates
1037 # Perform all removals
1038 for pool in ${pools_removed}; do
1039 if ! list_remove "POOLS
" ${pool}; then
1040 warning "${pool} was not on the list and could not be removed
"
1045 for pool in ${pools_added}; do
1046 if ipsec_pool_exists ${pool} && ipsec_pool_check_config ${pool}; then
1047 if ! list_append_unique "POOLS
" ${pool}; then
1048 warning "${pool} is already on the prefix list
"
1051 warning "${pool} is not a valid pool
"
1056 # Check if the list contain at least one valid pool
1057 if list_is_empty POOLS; then
1058 error "Cannot save an empty pool list
"
1059 return ${EXIT_ERROR}
1063 if ! ipsec_connection_write_config_key "${connection}" "POOLS
" ${POOLS}; then
1064 log ERROR "Could not
write configuration settings
"
1070 # Handle the cli after remote
1071 ipsec_connection_remote() {
1072 if [ ! $# -ge 2 ]; then
1073 log ERROR "Not enough arguments
"
1074 return ${EXIT_ERROR}
1077 local connection=${1}
1083 ipsec_connection_id "${connection}" "REMOTE
" "$@
"
1087 ipsec_connection_prefix "${connection}" "REMOTE
" "$@
"
1090 log ERROR "Unrecognized argument
: ${cmd}"
1091 return ${EXIT_ERROR}
1098 # Set the inactivity timeout
1099 ipsec_connection_inactivity_timeout() {
1100 if [ ! $# -ge 2 ]; then
1101 log ERROR "Not enough arguments
"
1102 return ${EXIT_ERROR}
1105 local connection=${1}
1109 if ! isinteger value; then
1110 value=$(parse_time "$@
")
1111 if [ ! $? -eq 0 ]; then
1112 log ERROR "Parsing the passed
time was not sucessful please check the passed values.
"
1113 return ${EXIT_ERROR}
1117 if [ ${value} -le 0 ]; then
1118 log ERROR "The passed
time value must be
in the
sum greater zero seconds.
"
1119 return ${EXIT_ERROR}
1122 if ! ipsec_connection_write_config_key "${connection}" "INACTIVITY_TIMEOUT
" ${value}; then
1123 log ERROR "Could not
write configuration settings
"
1124 return ${EXIT_ERROR}
1130 # Set the default start action
1131 ipsec_connection_start_action() {
1132 if [ ! $# -eq 2 ]; then
1133 log ERROR "Not enough arguments
"
1134 return ${EXIT_ERROR}
1136 local connection=${1}
1139 if ! isoneof action "on-demand
" "always-on
"; then
1140 log ERROR "Start action
'${action}' is invalid
"
1141 return ${EXIT_ERROR}
1144 if ! ipsec_connection_write_config_key "${connection}" "START_ACTION
" ${action}; then
1145 log ERROR "Could not
write configuration settings
"
1146 return ${EXIT_ERROR}
1150 # Set the security policy to use
1151 ipsec_connection_security_policy() {
1152 if [ ! $# -eq 2 ]; then
1153 log ERROR "Not enough arguments
"
1154 return ${EXIT_ERROR}
1156 local connection=${1}
1157 local security_policy=${2}
1159 if ! vpn_security_policy_exists ${security_policy}; then
1160 log ERROR "No such vpn security policy
'${security_policy}'"
1161 return ${EXIT_ERROR}
1164 if ! ipsec_connection_write_config_key "${connection}" "SECURITY_POLICY
" ${security_policy}; then
1165 log ERROR "Could not
write configuration settings
"
1166 return ${EXIT_ERROR}
1170 # Check if a id is valid
1171 ipsec_connection_check_id() {
1175 if [[ ${id} =~ ^@[[:alnum:]]+$ ]] || ip_is_valid ${id}; then
1178 return ${EXIT_FALSE}
1182 # Checks if a peer is valid
1183 ipsec_connection_check_peer() {
1187 # IP addresses are accepted
1188 if ip_is_valid ${peer}; then
1192 # FQDNs are okay, too
1193 if fqdn_is_valid "${peer}"; then
1197 # We cannot use anything else
1198 return ${EXIT_FALSE}
1201 # This function checks if a VPN IPsec connection name is valid
1202 # Allowed are only A-Za-z0-9
1203 ipsec_connection_check_name() {
1206 local connection=${1}
1208 [[ "${connection}" =~ [^[:alnum:]$] ]]
1211 # Function that creates one VPN IPsec connection
1212 ipsec_connection_new() {
1213 if [ $# -gt 2 ]; then
1214 error "Too many arguments
"
1215 return ${EXIT_ERROR}
1218 local connection="${1}"
1221 if ! isset connection; then
1222 error "Please provide a connection name
"
1223 return ${EXIT_ERROR}
1226 # Check for duplicates
1227 if ipsec_connection_exists "${connection}"; then
1228 error "The VPN IPsec connection
${connection} already exists
"
1229 return ${EXIT_ERROR}
1232 # Check if the name of the connection is valid
1233 if ipsec_connection_check_name "${connection}"; then
1234 error "'${connection}' contains illegal characters
"
1235 return ${EXIT_ERROR}
1238 # Set TYPE to default if not set by the user
1239 if ! isset type; then
1240 type="${IPSEC_DEFAULT_TYPE}"
1243 if ! isoneof "type" "net-to-net
" "host-to-net
"; then
1244 error "Type is invalid
"
1245 return ${EXIT_ERROR}
1248 log DEBUG "Creating VPN IPsec connection
${connection}"
1250 if ! mkdir -p "${NETWORK_IPSEC_CONNS_DIR}/${connection}"; then
1251 log ERROR "Could not create config directory
for ${connection}"
1252 return ${EXIT_ERROR}
1255 local ${IPSEC_CONNECTION_CONFIG_SETTINGS}
1257 AUTH_MODE=${IPSEC_DEFAULT_AUTH_MODE}
1258 DPD_ACTION=${IPSEC_DEFAULT_DPD_ACTION}
1259 DPD_DELAY=${IPSEC_DEFAULT_DPD_DELAY}
1260 DPD_TIMEOUT=${IPSEC_DEFAULT_DPD_TIMEOUT}
1261 ENABLED=${IPSEC_DEFAULT_ENABLED}
1262 MODE=${IPSEC_DEFAULT_MODE}
1263 START_ACTION=${IPSEC_DEFAULT_START_ACTION}
1266 INACTIVITY_TIMEOUT=${IPSEC_DEFAULT_INACTIVITY_TIMEOUT}
1267 SECURITY_POLICY=${IPSEC_DEFAULT_SECURITY_POLICY}
1269 if ! ipsec_connection_write_config "${connection}"; then
1270 log ERROR "Could not
write new config
file"
1271 return ${EXIT_ERROR}
1274 # Configure strongswan autostart
1275 ipsec_strongswan_autostart
1278 # Function that deletes based on the passed parameters one ore more vpn security policies
1279 ipsec_connection_destroy() {
1281 for connection in "$@
"; do
1282 if ! ipsec_connection_exists "${connection}"; then
1283 log ERROR "The VPN IPsec connection
${connection} does not exist.
"
1287 log DEBUG "Deleting VPN IPsec connection
${connection}"
1289 # Delete strongswan configuration file
1290 file_delete "${NETWORK_IPSEC_SWANCTL_CONNECTIONS_DIR}/${connection}.conf
"
1292 if ! rm -rf "${NETWORK_IPSEC_CONNS_DIR}/${connection}"; then
1293 log ERROR "Deleting the VPN IPsec connection
${connection} was not sucessful
"
1294 return ${EXIT_ERROR}
1300 # List all ipsec connections
1301 ipsec_list_connections() {
1302 list_directory "${NETWORK_IPSEC_CONNS_DIR}"
1305 ipsec_connection_to_strongswan() {
1306 local connection="${1}"
1307 log DEBUG "Generating IPsec configuration
for ${connection}"
1309 # Read the config settings
1310 local ${IPSEC_CONNECTION_CONFIG_SETTINGS}
1311 if ! ipsec_connection_read_config "${connection}"; then
1312 error "Could not
read the connection
${connection}"
1313 return ${EXIT_ERROR}
1316 local path="${NETWORK_IPSEC_SWANCTL_CONNECTIONS_DIR}/${connection}.conf
"
1319 # Write the connection section
1320 _ipsec_connection_to_strongswan_connection "${connection}"
1322 # Write the secrets section
1323 _ipsec_connection_to_strongswan_secrets "${connection}"
1328 _ipsec_connection_to_strongswan_connection() {
1329 local connection="${1}"
1331 # Read the security policy
1332 local ${VPN_SECURITY_POLICIES_CONFIG_SETTINGS}
1333 if ! vpn_security_policies_read_config "${SECURITY_POLICY}"; then
1334 return ${EXIT_ERROR}
1339 if isset DPD_DELAY && isinteger DPD_DELAY && [ ${DPD_DELAY} -gt 0 ]; then
1345 # Are we connected to a zone?
1348 local mode="${MODE}"
1350 if ! zone_settings_read "${ZONE}" MARK MODE; then
1351 log ERROR "Could not
read zone settings from
${zone}"
1352 return ${EXIT_ERROR}
1355 local zone_mode="${MODE}"
1359 # Write configuration header
1360 config_header "strongSwan configuration
for ${connection}"
1362 print_indent 0 "connections
{"
1363 print_indent 1 "${connection} {"
1366 print_indent 2 "# IKE Version"
1367 case "${KEY_EXCHANGE^^}" in
1369 print_indent
2 "version = 1"
1372 # Fall back to IKEv2 for any random values
1374 print_indent
2 "version = 2"
1379 # Always only keep one connection open at a time
1380 print_indent
2 "# Unique IDs"
1381 print_indent
2 "unique = replace"
1385 print_indent
2 "# Local Address"
1386 if isset LOCAL_ADDRESS
; then
1387 print_indent
2 "local_addrs = ${LOCAL_ADDRESS}"
1389 print_indent
2 "local_addrs = %any"
1394 print_indent
2 "# Remote Address"
1396 print_indent
2 "remote_addrs = ${PEER}"
1398 print_indent
2 "remote_addrs = %any"
1403 print_indent
2 "# IKE Proposals"
1404 print_indent
2 "proposals = $(vpn_security_policies_make_ike_proposal ${SECURITY_POLICY})"
1408 if enabled dpd
; then
1409 print_indent
2 "# Dead Peer Detection"
1410 print_indent
2 "dpd_delay = ${DPD_DELAY}"
1412 if isset DPD_TIMEOUT
; then
1413 print_indent
2 "dpd_timeout = ${DPD_TIMEOUT}"
1420 print_indent
2 "# Fragmentation"
1421 print_indent
2 "fragmentation = yes"
1425 # Host-to-Net specific settings
1429 if isset POOLS
; then
1430 print_indent
2 "# Pools"
1431 print_indent
2 "pools = $(list_join POOLS ", ")"
1438 print_indent
2 "local {"
1441 if isset LOCAL_ID
; then
1442 print_indent
3 "id = ${LOCAL_ID}"
1446 case "${AUTH_MODE}" in
1448 print_indent
3 "auth = psk"
1456 print_indent
2 "remote {"
1459 if isset REMOTE_ID
; then
1460 print_indent
3 "id = ${REMOTE_ID}"
1464 case "${AUTH_MODE}" in
1466 print_indent
3 "auth = psk"
1475 print_indent
2 "children {"
1476 print_indent
3 "${connection} {"
1478 print_indent
4 "# ESP Proposals"
1479 print_indent
4 "esp_proposals = $(vpn_security_policies_make_esp_proposal ${SECURITY_POLICY})"
1483 case "${MODE},${zone_mode}" in
1485 print_indent
4 "local_ts = dynamic[gre]"
1486 print_indent
4 "remote_ts = dynamic[gre]"
1490 if isset LOCAL_PREFIX
; then
1491 print_indent
4 "local_ts = $(list_join LOCAL_PREFIX ,)"
1492 elif isset ZONE
; then
1493 print_indent
4 "local_ts = ::/0, 0.0.0.0/0"
1495 print_indent
4 "local_ts = dynamic"
1499 if isset REMOTE_PREFIX
; then
1500 print_indent
4 "remote_ts = $(list_join REMOTE_PREFIX ,)"
1501 elif isset ZONE
; then
1502 print_indent
4 "remote_ts = ::/0, 0.0.0.0/0"
1504 print_indent
4 "remote_ts = dynamic"
1511 case "${zone_mode}" in
1515 print_indent
4 "# Netfilter Marks"
1516 print_indent
4 "mark_in = ${MARK}"
1517 print_indent
4 "mark_out = ${MARK}"
1522 # Dead Peer Detection
1523 if enabled dpd
; then
1524 print_indent
4 "# Dead Peer Detection"
1525 print_indent
4 "dpd_action = ${DPD_ACTION}"
1530 if isset LIFETIME
; then
1531 print_indent
4 "# Rekey Time"
1532 print_indent
4 "rekey_time = ${LIFETIME}"
1537 print_indent
4 "updown = ${NETWORK_HELPERS_DIR}/ipsec-updown"
1541 print_indent
4 "# Mode"
1544 print_indent
4 "mode = transport"
1547 print_indent
4 "mode = tunnel"
1550 log WARNING
"Unsupported IPsec mode: ${mode}"
1556 print_indent
4 "# Compression"
1557 if enabled COMPRESSION
; then
1558 print_indent
4 "ipcomp = yes"
1560 print_indent
4 "ipcomp = no"
1564 # Inactivity Timeout
1565 if isset INACTIVITY_TIMEOUT
; then
1566 print_indent
4 "# Inactivity Timeout"
1567 print_indent
4 "inactivity = ${INACTIVITY_TIMEOUT}"
1571 # Net-to-Net specific settings
1575 print_indent
4 "# Start Action"
1576 case "${START_ACTION}" in
1578 print_indent
4 "start_action = trap"
1579 print_indent
4 "close_action = trap"
1582 print_indent
4 "start_action = none"
1583 print_indent
4 "close_action = none"
1586 print_indent
4 "start_action = start"
1587 print_indent
4 "close_action = start"
1603 _ipsec_connection_to_strongswan_secrets
() {
1604 local connection
="${1}"
1606 print_indent
0 "secrets {"
1608 case "${AUTH_MODE}" in
1610 print_indent
1 "ike {"
1613 print_indent
2 "secret = ${PSK}"
1616 if isset REMOTE_ID
; then
1617 print_indent
2 "id = ${REMOTE_ID}"