# Make sure we are called by strongSwan
assert isset PLUTO_VERSION
-CONNECTION="${PLUTO_CONNECTION}"
+if enabled DEBUG; then
+ while read line; do
+ [[ ${line} =~ ^PLUTO_ ]] || continue
+ log DEBUG " ${line}"
+ done <<< "$(printenv | sort)"
+fi
-# Interface name for this IPsec connection
-INTERFACE="ipsec-${CONNECTION}"
+CONNECTION="${PLUTO_CONNECTION}"
if ! ipsec_connection_read_config "${CONNECTION}"; then
log ERROR "Could not read configuration for ${CONNECTION}"
case "${PLUTO_VERB}" in
up-client|up-client-v6|up-host|up-host-v6)
- case "${MODE}" in
- gre-*)
- if ! device_exists "${INTERFACE}"; then
- ip_tunnel_add "${INTERFACE}" \
- --mode="gre" \
- --local-address="${PLUTO_ME}" \
- --remote-address="${PLUTO_PEER}"
+ if isset ZONE && zone_exists "${ZONE}"; then
+ # Bring up the zone if not done, yet
+ if ! zone_is_up "${ZONE}"; then
+ zone_up "${ZONE}"
+ fi
- device_set_up "${INTERFACE}"
- fi
- ;;
- vti)
- if device_exists "${INTERFACE}"; then
- ip_tunnel_change_keys "${INTERFACE}" \
- --ikey="${PLUTO_MARK_IN%/*}" \
- --okey="${PLUTO_MARK_OUT%/*}"
+ # Update peer and local address
+ if ! ip_tunnel_change "${ZONE}" \
+ --remote="${PLUTO_PEER}" --local="${PLUTO_ME}"; then
+ return ${EXIT_ERROR}
+ fi
+ fi
- else
- if ! ip_tunnel_add "${INTERFACE}" \
- --mode="vti" \
- --local-address="${PLUTO_ME}" \
- --remote-address="${PLUTO_PEER}" \
- --ikey="${PLUTO_MARK_IN%/*}" \
- --okey="${PLUTO_MARK_OUT%/*}"; then
- log ERROR "Could not create VTI device for ${CONNECTION}"
- fi
- fi
+ # Get source IP for routes
+ SRC_IP=($(ip_get_assigned_addresses_from_net \
+ "${PLUTO_MY_CLIENT}" "permanent"))
- device_set_up "${INTERFACE}"
- ;;
- esac
+ # We take the lowest source IP we found,
+ # which is ugly because the value is unpredictable.
+ SRC_IP=${SRC_IP[0]}
+
+ # Add routes to reach the remote subnet(s)
+ if isset ZONE; then
+ if ! cmd ip route add "${PLUTO_PEER_CLIENT}" proto static dev "${ZONE}" src "${SRC_IP}"; then
+ log ERROR "Could not create route for ${PLUTO_PEER_CLIENT}"
+ fi
+ else
+ if ! cmd ip route add "${PLUTO_PEER_CLIENT}" proto static via "${PLUTO_PEER}" src "${SRC_IP}"; then
+ log ERROR "Could not create route for ${PLUTO_PEER_CLIENT} via ${PLUTO_PEER}"
+ fi
+ fi
;;
down-client|down-client-v6|down-host|down-host-v6)
- case "${MODE}" in
- gre-*|vti)
- if device_exists "${INTERFACE}"; then
- device_set_down "${INTERFACE}"
-
- ip_tunnel_del "${INTERFACE}"
- fi
- ;;
- esac
+ # Remove routes
+ cmd ip route del "${PLUTO_PEER_CLIENT}"
;;
esac
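Review bot: The teardown arm deletes by destination prefix alone, `cmd ip route del "${PLUTO_PEER_CLIENT}"`, so it matches whichever route to that prefix the kernel finds first and can remove a static route or another connection's route to the same subnet instead of the one installed at L65/L69; the delete should repeat the selectors the add used (`proto static` plus `dev "${ZONE}"` or `via "${PLUTO_PEER}"`). Separately, `SRC_IP` at L54–61 is empty when no permanent address lies inside `PLUTO_MY_CLIENT` (e.g. a 0.0.0.0/0 selector), and `src ""` then makes the whole `ip route add` fail with only an ERROR log, leaving the SA up with no route, so `src` should be passed only when an address was found. `ip route add` also fails if an equal route is already present (a leftover from an unclean down or a repeated up event), which `ip route replace` tolerates. The `return ${EXIT_ERROR}` at L40 presumes this case statement runs inside a function; that enclosing scope starts outside the hunk and is not visible here.
```shell
			# … unchanged: zone bring-up, ip_tunnel_change, SRC_IP lookup …

			# Build the route once so add and del use identical selectors
			ROUTE=("${PLUTO_PEER_CLIENT}" proto static)
			if isset ZONE; then
				ROUTE+=(dev "${ZONE}")
			else
				ROUTE+=(via "${PLUTO_PEER}")
			fi
			# Only pass src when an address inside PLUTO_MY_CLIENT was found;
			# an empty src makes ip(8) reject the whole command
			if isset SRC_IP; then
				ROUTE+=(src "${SRC_IP}")
			fi

			# replace tolerates a route left behind by an unclean down
			if ! cmd ip route replace "${ROUTE[@]}"; then
				log ERROR "Could not create route for ${PLUTO_PEER_CLIENT}"
			fi
			;;
		down-client|down-client-v6|down-host|down-host-v6)
			# Remove exactly the route this connection installed, not any
			# route that happens to share the destination prefix
			ROUTE=("${PLUTO_PEER_CLIENT}" proto static)
			if isset ZONE; then
				ROUTE+=(dev "${ZONE}")
			else
				ROUTE+=(via "${PLUTO_PEER}")
			fi
			cmd ip route del "${ROUTE[@]}"
			;;
```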