1 #!/bin/bash
2 ###############################################################################
3 # #
4 # IPFire.org - A linux based firewall #
5 # Copyright (C) 2017 IPFire Network Development Team #
6 # #
7 # This program is free software: you can redistribute it and/or modify #
8 # it under the terms of the GNU General Public License as published by #
9 # the Free Software Foundation, either version 3 of the License, or #
10 # (at your option) any later version. #
11 # #
12 # This program is distributed in the hope that it will be useful, #
13 # but WITHOUT ANY WARRANTY; without even the implied warranty of #
14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
15 # GNU General Public License for more details. #
16 # #
17 # You should have received a copy of the GNU General Public License #
18 # along with this program. If not, see <http://www.gnu.org/licenses/>. #
19 # #
20 ###############################################################################
21
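# strongSwan "updown" hook for IPsec connections managed by the network
# scripts. strongSwan runs it once per CHILD_SA event with the event in
# PLUTO_VERB and the connection details in the other PLUTO_* variables.
#
# On up-*: optionally brings up the zone backing the tunnel, points the
# tunnel device at the negotiated endpoints (and VTI keys), then installs a
# route for the peer's network. On down-*: removes that route again.
#
# Logging goes to the system log only; strongSwan does not collect stdout.
LOG_DISABLE_STDOUT="true"

. /usr/lib/network/functions

# Read network settings
network_settings_read

# Make sure we are called by strongSwan: it always exports PLUTO_VERSION,
# and everything below relies on the PLUTO_* environment it provides.
assert isset PLUTO_VERSION

# With DEBUG enabled, dump every PLUTO_* variable strongSwan exported.
# This is the complete per-connection environment (peer/local addresses,
# identities, marks, ...), so DEBUG should stay off on production systems.
if enabled DEBUG; then
	# -r keeps backslashes in values literal
	while IFS= read -r line; do
		[[ ${line} =~ ^PLUTO_ ]] || continue
		log DEBUG " ${line}"
	done <<< "$(printenv | sort)"
fi

CONNECTION="${PLUTO_CONNECTION}"

# Loads the connection's settings (MODE, ZONE, ...) into the environment
if ! ipsec_connection_read_config "${CONNECTION}"; then
	log ERROR "Could not read configuration for ${CONNECTION}"
	exit "${EXIT_ERROR}"
fi

# Interface name for this IPsec connection.
# Only the route-based modes (GRE over IPsec, VTI) have a dedicated
# device; for every other mode INTERFACE stays unset and routes are
# installed on the physical device instead (see below).
case "${MODE}" in
	gre-*|vti)
		INTERFACE="ipsec-${CONNECTION}"
		;;
esac

log DEBUG "${0} called for ${CONNECTION}: ${PLUTO_VERB}"

case "${PLUTO_VERB}" in
	up-client|up-client-v6|up-host|up-host-v6)
		if isset ZONE && zone_exists "${ZONE}"; then
			# Bring up the zone if not done, yet
			if ! zone_is_up "${ZONE}"; then
				zone_up "${ZONE}"
			fi

			# Update peer and local address.
			# This must abort the whole hook: 'return' is not valid at
			# top level of an executed script (bash reports an error and
			# carries on), which previously let routes be installed for a
			# tunnel whose endpoints had not been updated.
			if ! ip_tunnel_change "${ZONE}" --remote="${PLUTO_PEER}" --local="${PLUTO_ME}"; then
				log ERROR "Could not update tunnel endpoints of ${ZONE} for ${CONNECTION}"
				exit "${EXIT_ERROR}"
			fi

			# Set keys for VTI devices.
			# strongSwan hands the marks as "value/mask"; the device only
			# takes the value part.
			if device_is_vti6 "${ZONE}" || device_is_vti "${ZONE}"; then
				ip_tunnel_change_keys "${ZONE}" \
					--ikey="${PLUTO_MARK_IN%/*}" \
					--okey="${PLUTO_MARK_OUT%/*}"
			fi
		fi

		# Get source IPs for routes: the permanent addresses this host
		# has inside the local traffic selector.
		# shellcheck disable=SC2207 -- splitting the output into an array is intended
		SRC_IP=($(ip_get_assigned_addresses_from_net \
			"${PLUTO_MY_CLIENT}" "permanent"))

		# Set routes if we have a source IP.
		# If not the machine does not have a leg on the net
		# and we can go on without routes.
		if isset SRC_IP; then
			# We take the lowest source IP we found,
			# which is ugly because the value is unpredictable.
			SRC_IP="${SRC_IP[0]}"

			if isset INTERFACE; then
				# Route-based mode: send the peer's network into the
				# tunnel device (main routing table).
				if ! cmd ip route add \
					"${PLUTO_PEER_CLIENT}" \
					dev "${INTERFACE}" \
					src "${SRC_IP}"; then
					log ERROR \
						"Could not set routes for ${PLUTO_PEER_CLIENT}"
				fi
			else
				# Policy-based mode: get the device which we use to peer
				# with the other site.
				ME_DEVICE="$(device_get_by_assigned_ip_address "${PLUTO_ME}")"

				# We can only go on if we found a device.
				if isset ME_DEVICE; then
					# Table 220 is the table strongSwan uses for its own
					# IPsec routes; the down path below must remove the
					# route from the same table.
					if ! cmd ip route add \
						"${PLUTO_PEER_CLIENT}" \
						dev "${ME_DEVICE}" \
						proto static \
						src "${SRC_IP}" \
						table 220; then
						log ERROR \
							"Could not set routes for ${PLUTO_PEER_CLIENT}"
					fi
				else
					log ERROR "Could not get device for ${PLUTO_ME}"
				fi
			fi
		fi
		;;

	down-client|down-client-v6|down-host|down-host-v6)
		# Remove exactly the route the up path installed, mirroring its
		# device/table selection. A bare 'ip route del PREFIX' only looks
		# in the main table, so the table 220 route of the policy-based
		# case was never cleaned up, and it could also remove an unrelated
		# route to the same prefix. A stale table 220 route keeps sending
		# the peer's network out of the physical device after the IPsec
		# policies are gone, i.e. unprotected.
		if isset INTERFACE; then
			cmd ip route del "${PLUTO_PEER_CLIENT}" dev "${INTERFACE}"
		else
			cmd ip route del "${PLUTO_PEER_CLIENT}" proto static table 220
		fi
		;;

	*)
		# Other verbs (e.g. the *-ipv6 variants strongSwan may emit for
		# some setups) need no action here.
		log DEBUG "Ignoring ${PLUTO_VERB} for ${CONNECTION}"
		;;
esac

exit "${EXIT_OK}"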