2 ###############################################################################
4 # IPFire.org - A linux based firewall #
5 # Copyright (C) 2017 IPFire Network Development Team #
7 # This program is free software: you can redistribute it and/or modify #
8 # it under the terms of the GNU General Public License as published by #
9 # the Free Software Foundation, either version 3 of the License, or #
10 # (at your option) any later version. #
12 # This program is distributed in the hope that it will be useful, #
13 # but WITHOUT ANY WARRANTY; without even the implied warranty of #
14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
15 # GNU General Public License for more details. #
17 # You should have received a copy of the GNU General Public License #
18 # along with this program. If not, see <http://www.gnu.org/licenses/>. #
20 ###############################################################################
22 IPSEC_POOL_CONFIG_SETTINGS
="\
28 if ipsec_pool_exists
${1}; then
36 ipsec_pool_
${key} ${pool} "$@"
39 cli_ipsec_pool_show
"${pool}"
43 error
"Unrecognized argument: ${key}"
56 ipsec_pool_destroy
"$@"
59 if [ -n "${action}" ]; then
60 error
"Unrecognized argument: '${action}'"
68 # This function writes all values to the configuration file of the VPN IPsec pool specified by ${pool}
69 ipsec_pool_write_config
() {
74 if ! ipsec_pool_exists
"${pool}"; then
75 log ERROR
"No such VPN IPsec pool: ${pool}"
79 local path
="${NETWORK_IPSEC_POOLS_DIR}/${pool}/settings"
81 if ! settings_write
"${path}" ${IPSEC_POOL_CONFIG_SETTINGS}; then
82 log ERROR
"Could not write configuration settings for VPN IPsec pool ${pool}"
86 if ! ipsec_pool_reload
${pool}; then
87 log WARNING
"Could not reload IPsec pool ${pool}"
90 # When we get here the writing of the config file was successful
94 # This function writes the value of one key to the configuration file of the
95 # VPN IPsec pool specified by ${pool}
96 ipsec_pool_write_config_key
() {
105 if ! ipsec_pool_exists
"${pool}"; then
106 log ERROR
"No such VPN IPsec pool: ${pool}"
110 log DEBUG
"Set '${key}' to new value '${value}' in VPN IPsec pool '${pool}'"
112 local ${IPSEC_POOL_CONFIG_SETTINGS}
114 # Read the config settings
115 if ! ipsec_pool_read_config
"${pool}"; then
119 # Set the key to a new value
120 assign
"${key}" "${value}"
122 if ! ipsec_pool_write_config
"${pool}"; then
129 # Reads one or more keys out of a settings file or all if no key is provided.
130 ipsec_pool_read_config
() {
136 if ! ipsec_pool_exists
"${pool}"; then
137 log ERROR
"No such VPN IPsec pool : ${pool}"
142 if [ $# -eq 0 ] && [ -n "${IPSEC_POOL_CONFIG_SETTINGS}" ]; then
143 list_append args
${IPSEC_POOL_CONFIG_SETTINGS}
148 local path
="${NETWORK_IPSEC_POOLS_DIR}/${pool}/settings"
150 if ! settings_read
"${path}" ${args}; then
151 log ERROR
"Could not read settings for VPN IPsec pool ${pool}"
156 # This function checks whether a VPN IPsec pool exists.
157 # Returns true when it does and false when it does not.
158 ipsec_pool_exists
() {
163 local path
="${NETWORK_IPSEC_POOLS_DIR}/${pool}"
165 [ -d "${path}" ] && return ${EXIT_TRUE} || return ${EXIT_FALSE}
168 # This function checks whether a VPN IPsec pool name is valid.
169 # Only the characters A-Za-z0-9 are allowed.
170 ipsec_pool_check_name() {
175 # These names are reserved words in strongSwan
176 if isoneof pool dhcp radius; then
180 [[ "${pool}" =~ [^[:alnum:]$] ]]
184 if [ $# -gt 1 ]; then
185 error "Too many arguments
"
190 if ! isset pool; then
191 error "Please provide a pool name
"
195 # Check for duplicates
196 if ipsec_pool_exists "${pool}"; then
197 error "The VPN IPsec pool
${pool} already exists
"
201 # Check whether the pool name is valid
202 if ipsec_pool_check_name "${pool}"; then
203 error "'${pool}' contains illegal characters
"
207 log DEBUG "Creating VPN IPsec pool
${pool}"
209 if ! mkdir -p "${NETWORK_IPSEC_POOLS_DIR}/${pool}"; then
210 log ERROR "Could not create config directory
for ${pool}"
214 local ${IPSEC_POOL_CONFIG_SETTINGS}
216 if ! ipsec_pool_write_config "${pool}"; then
217 log ERROR "Could not
write new config
file"
222 # Function that deletes one or more VPN IPsec pools,
223 # based on the passed parameters
224 ipsec_pool_destroy() {
227 if ! ipsec_pool_exists "${pool}"; then
228 log ERROR "The VPN IPsec pool
${pool} does not exist.
"
232 if [ -f "${NETWORK_IPSEC_SWANCTL_POOLS_DIR}/${pool}.conf
" ]; then
233 if ! file_delete "${NETWORK_IPSEC_SWANCTL_POOLS_DIR}/${pool}.conf
"; then
234 # We carry on here so that at least the configuration directory gets deleted
235 log ERROR "Could not delete
${NETWORK_IPSEC_SWANCTL_POOLS_DIR}/${pool}.conf
"
239 log DEBUG "Deleting VPN IPsec pool
${pool}"
241 if ! rm -rf "${NETWORK_IPSEC_POOLS_DIR}/${pool}"; then
242 log ERROR "Deleting the VPN IPsec pool
${pool} was not sucessful
"
247 ipsec_strongswan_load_pools
250 ipsec_pool_set_type() {
256 local type=$(ip_detect_protocol ${ip})
258 if ! isset type; then
259 error "Cannot detect IP protocol of
${ip}"
262 log DEBUG "IP protocol of
${ip} is
${type}"
263 if ! ipsec_pool_write_config_key "${pool}" "TYPE
" ${type}; then
264 log ERROR "Could not
write configuration settings
"
270 ipsec_pool_network() {
271 if [ ! $# -eq 2 ]; then
272 log ERROR "Not enough arguments
"
279 if ! ipsec_pool_read_config ${pool} "TYPE
"; then
280 error "Failed to
read configuration settings
for pool
'${pool}'"
284 if ! isset TYPE; then
285 if ! ip_net_is_valid ${network}; then
286 log ERROR "Network
'${network}' is invalid
"
290 if ! ipsec_pool_set_type ${pool} ${network}; then
291 log ERROR "Could not
set type for IPsec pool
${pool}"
295 if ! ${TYPE}_net_is_valid ${network}; then
296 log ERROR "Network
'${network}' is invalid
"
301 if ! ipsec_pool_write_config_key "${pool}" "NETWORK
" ${network}; then
302 log ERROR "Could not
write configuration settings
"
307 ipsec_pool_dns_server() {
308 if [ ! $# -eq 2 ]; then
309 log ERROR "Not enough arguments
"
313 local dns_server=${2}
316 if ! ipsec_pool_read_config ${pool} "TYPE
"; then
317 error "Failed to
read configuration settings
for pool
'${pool}'"
321 if ! isset TYPE; then
322 if ! ip_is_valid ${dns_server}; then
323 log ERROR "DNS server
'${dns_server}' is invalid
"
327 if ! ipsec_pool_set_type ${pool} ${dns_server}; then
328 log ERROR "Could not
set type for IPsec pool
${pool}"
332 if ! ${TYPE}_is_valid ${dns_server}; then
333 log ERROR "DNS server
'${dns_server}' is invalid
"
338 if ! ipsec_pool_write_config_key "${pool}" "DNS_SERVER
" ${dns_server}; then
339 log ERROR "Could not
write configuration settings
"
344 ipsec_pool_check_config() {
348 local ${IPSEC_POOL_CONFIG_SETTINGS}
349 if ! ipsec_pool_read_config "${pool}"; then
350 log ERROR "Could not
read configuration settings
"
354 if ! isset NETWORK; then
355 log ERROR "Network
for IPSec pool
${pool} is not
set"
359 if ! isset TYPE; then
360 TYPE=$(ip_detect_protocol ${NETWORK})
361 log DEBUG "IP protocol of
${NETWORK} is
${TYPE}"
362 if ! isset TYPE; then
363 error "Cannot detect IP protocol of
${NETWORK}"
366 if ! ipsec_pool_write_config_key "${pool}" "TYPE
" ${TYPE}; then
367 log ERROR "Could not
write configuration settings
"
372 if ! ${TYPE}_net_is_valid ${NETWORK}; then
373 log ERROR "NETWORK
'${NETWORK}' is invalid
"
377 if isset DNS_SERVER && ! ${TYPE}_is_valid ${DNS_SERVER}; then
378 log ERROR "DNS server
'${DNS_SERVER}' is invalid
"
386 ipsec_pool_reload() {
389 if ! ipsec_pool_to_strongswan ${pool}; then
390 log ERROR "Could not generate strongswan config
for ${pool}"
394 ipsec_strongswan_load
397 ipsec_pool_to_strongswan() {
400 log DEBUG "Generating IPsec pool config
for ${pool}"
402 local ${IPSEC_POOL_CONFIG_SETTINGS}
403 if ! ipsec_pool_read_config "${pool}"; then
407 if isset NETWORK && ! ipsec_pool_check_config "${pool}"; then
408 log ERROR "Configuration of
${pool} seems to be invalid
"
412 local path="${NETWORK_IPSEC_SWANCTL_POOLS_DIR}/${pool}.conf
"
415 config_header "strongSwan pool configuration
"
417 if isset NETWORK; then
418 print_indent 0 "pools
{"
420 print_indent 1 "${pool} {"
421 print_indent 2 "addrs
= ${NETWORK}"
423 if isset DNS_SERVER; then
424 print_indent 2 "dns
= ${DNS_SERVER}"
433 # List all IPsec pools
436 for pool in ${NETWORK_IPSEC_POOLS_DIR}/*; do
437 [ -d "${pool}" ] || continue
442 # Reload all strongswan pools
443 ipsec_strongswan_load_pools() {
444 # Do nothing if strongswan is not running
445 if ! service_is_active "strongswan
"; then
449 if ! cmd swanctl --load-pools; then
450 log ERROR "Could not reload strongswan pools
"