2 ###############################################################################
4 # IPFire.org - A linux based firewall #
5 # Copyright (C) 2017 IPFire Network Development Team #
7 # This program is free software: you can redistribute it and/or modify #
8 # it under the terms of the GNU General Public License as published by #
9 # the Free Software Foundation, either version 3 of the License, or #
10 # (at your option) any later version. #
12 # This program is distributed in the hope that it will be useful, #
13 # but WITHOUT ANY WARRANTY; without even the implied warranty of #
14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
15 # GNU General Public License for more details. #
17 # You should have received a copy of the GNU General Public License #
18 # along with this program. If not, see <http://www.gnu.org/licenses/>. #
20 ###############################################################################
22 LOG_DISABLE_STDOUT
="true"
24 .
/usr
/lib
/network
/functions
26 # Read network settings
29 # Make sure we are called by strongSwan
30 assert isset PLUTO_VERSION
32 if enabled DEBUG
; then
34 [[ ${line} =~ ^PLUTO_
]] ||
continue
36 done <<< "$(printenv | sort)"
39 CONNECTION
="${PLUTO_CONNECTION}"
41 if ! ipsec_connection_read_config
"${CONNECTION}"; then
42 log ERROR
"Could not read configuration for ${CONNECTION}"
46 # Interface name for this IPsec connection
49 INTERFACE
="ipsec-${CONNECTION}"
53 log DEBUG
"${0} called for ${CONNECTION}: ${PLUTO_VERB}"
55 case "${PLUTO_VERB}" in
56 up-client|up-client-v6|up-host|up-host-v6
)
57 if isset ZONE
&& zone_exists
"${ZONE}"; then
58 # Bring up the zone if not done, yet
59 if ! zone_is_up
"${ZONE}"; then
63 # Update peer and local address
64 if ! ip_tunnel_change
"${ZONE}" --remote="${PLUTO_PEER}" --local="${PLUTO_ME}"; then
68 # Set keys for VTI devices
69 if device_is_vti6
"${ZONE}" || device_is_vti
"${ZONE}"; then
70 ip_tunnel_change_keys
"${ZONE}" \
71 --ikey="${PLUTO_MARK_IN%/*}" \
72 --okey="${PLUTO_MARK_OUT%/*}"
76 #Get sources IP for routes
77 SRC_IP
=($
(ip_get_assigned_addresses_from_net \
78 "${PLUTO_MY_CLIENT}" "permanent"))
80 # Set routes if we have a source IP.
81 # If not the machine does not has a leg on the net
82 # and we can go on without routes.
84 # We take the lowest source IP we found,
85 # which is ugly because the value is unpredictable.
88 if isset INTERFACE
; then
89 if ! cmd ip route add \
90 "${PLUTO_PEER_CLIENT}" \
94 "Could not set routes for ${PLUTO_PEER_CLIENT}"
97 # Get the device which we use to peer with the other site.
98 ME_DEVICE
="$(device_get_by_assigned_ip_address "${PLUTO_ME}")"
100 # We can only go on if we found a device.
101 if isset ME_DEVICE
; then
102 if ! cmd ip route add \
103 "${PLUTO_PEER_CLIENT}" \
109 "Could not set routes for ${PLUTO_PEER_CLIENT}"
112 log ERROR
"Could not get device for ${PLUTO_ME}"
118 down-client|down-client-v6|down-host|down-host-v6
)
120 cmd ip route del
"${PLUTO_PEER_CLIENT}"