*/
-#define phystable "IPSECPHYSICAL"
-#define virtualtable "IPSECVIRTUAL"
-
void usage() {
fprintf (stderr, "Usage:\n");
fprintf (stderr, "\tipsecctrl S [connectionkey]\n");
fprintf (stderr, "\tipsecctrl D [connectionkey]\n");
fprintf (stderr, "\tipsecctrl R\n");
+ fprintf (stderr, "\tipsecctrl I\n");
fprintf (stderr, "\t\tS : Start/Restart Connection\n");
fprintf (stderr, "\t\tD : Stop Connection\n");
fprintf (stderr, "\t\tR : Reload Certificates and Secrets\n");
-}
-
-void load_modules() {
- safe_system("/sbin/modprobe ipsec");
+ fprintf (stderr, "\t\tI : Print Statusinfo\n");
}
/*
char str[STRING_SIZE];
// GRE ???
- sprintf(str, "/sbin/iptables -A " phystable " -p 47 -i %s -j ACCEPT", interface);
- safe_system(str);
+// sprintf(str, "/sbin/iptables -A " phystable " -p 47 -i %s -j ACCEPT", interface);
+// safe_system(str);
// ESP
- sprintf(str, "/sbin/iptables -A " phystable " -p 50 -i %s -j ACCEPT", interface);
- safe_system(str);
+// sprintf(str, "/sbin/iptables -A " phystable " -p 50 -i %s -j ACCEPT", interface);
+// safe_system(str);
// AH
- sprintf(str, "/sbin/iptables -A " phystable " -p 51 -i %s -j ACCEPT", interface);
- safe_system(str);
+// sprintf(str, "/sbin/iptables -A " phystable " -p 51 -i %s -j ACCEPT", interface);
+// safe_system(str);
// IKE
- sprintf(str, "/sbin/iptables -A " phystable " -p udp -i %s --sport 500 --dport 500 -j ACCEPT", interface);
+
+ sprintf(str, "/sbin/iptables -D IPSECINPUT -p udp -i %s --sport 500 --dport 500 -j ACCEPT >/dev/null 2>&1", interface);
+ safe_system(str);
+ sprintf(str, "/sbin/iptables -A IPSECINPUT -p udp -i %s --sport 500 --dport 500 -j ACCEPT", interface);
safe_system(str);
if (! nat_traversal_port)
return;
- sprintf(str, "/sbin/iptables -A " phystable " -p udp -i %s --dport %i -j ACCEPT", interface, nat_traversal_port);
+ sprintf(str, "/sbin/iptables -D IPSECINPUT -p udp -i %s --dport %i -j ACCEPT >/dev/null 2>&1", interface, nat_traversal_port);
+ safe_system(str);
+ sprintf(str, "/sbin/iptables -A IPSECINPUT -p udp -i %s --dport %i -j ACCEPT", interface, nat_traversal_port);
safe_system(str);
-}
-
-/*
- Basic control for what can flow from/to ipsecX interfaces.
-
- rc.firewall call this chain just before ACCEPTing everything
- from green (-i DEV_GREEN -j ACCEPT).
-*/
-void open_virtual (void) {
- // allow anything from any ipsec to go on all interface, including other ipsec
- safe_system("/sbin/iptables -A " virtualtable " -i ipsec+ -j ACCEPT");
- //todo: BOT extension?; allowing ipsec0<<==port-list-filter==>>GREEN ?
}
void ipsec_norules() {
/* clear input rules */
- safe_system("/sbin/iptables -F " phystable);
- safe_system("/sbin/iptables -F " virtualtable);
-
- // unmap red alias ????
-}
-
-
-void add_alias_interfaces(char *configtype,
- char *redtype,
- char *redif,
- int offset) //reserve room for ipsec0=red, ipsec1=green, ipsec2=orange,ipsec3=blue
-{
- FILE *file = NULL;
- char s[STRING_SIZE];
- int alias=0;
-
- /* Check for CONFIG_TYPE=2 or 3 i.e. RED ethernet present. If not,
- * exit gracefully. This is not an error... */
- if (!((strcmp(configtype, "1")==0) || (strcmp(configtype, "2")==0) || (strcmp(configtype, "3")==0) || (strcmp(configtype, "4")==0)))
- return;
-
- /* Now check the RED_TYPE - aliases only work with STATIC. */
- if (!(strcmp(redtype, "STATIC")==0))
- return;
-
- /* Now set up the new aliases from the config file */
- if (!(file = fopen(CONFIG_ROOT "/ethernet/aliases", "r")))
- {
- fprintf(stderr, "Unable to open aliases configuration file\n");
- return;
- }
- while (fgets(s, STRING_SIZE, file) != NULL && (offset+alias) < 16 )
- {
- if (s[strlen(s) - 1] == '\n')
- s[strlen(s) - 1] = '\0';
- int count = 0;
- char *aliasip=NULL;
- char *enabled=NULL;
- char *comment=NULL;
- char *sptr = strtok(s, ",");
- while (sptr)
- {
- if (count == 0)
- aliasip = sptr;
- if (count == 1)
- enabled = sptr;
- else
- comment = sptr;
- count++;
- sptr = strtok(NULL, ",");
- }
-
- if (!(aliasip && enabled))
- continue;
-
- if (!VALID_IP(aliasip))
- {
- fprintf(stderr, "Bad alias : %s\n", aliasip);
- return;
- }
+ safe_system("/sbin/iptables -F IPSECINPUT");
+ safe_system("/sbin/iptables -F IPSECFORWARD");
+ safe_system("/sbin/iptables -F IPSECOUTPUT");
- if (strcmp(enabled, "on") == 0)
- {
- memset(s, 0, STRING_SIZE);
- snprintf(s, STRING_SIZE-1, "/usr/sbin/ipsec tncfg --attach --virtual ipsec%d --physical %s:%d >/dev/null", offset+alias, redif, alias);
- safe_system(s);
- alias++;
- }
- }
}
/*
issue ipsec commmands to turn on connection 'name'
*/
void turn_connection_on (char *name, char *type) {
- char command[STRING_SIZE];
-
- safe_system("/usr/sbin/ipsec auto --rereadsecrets >/dev/null");
- memset(command, 0, STRING_SIZE);
- snprintf(command, STRING_SIZE - 1,
- "/usr/sbin/ipsec auto --replace %s >/dev/null", name);
- safe_system(command);
- if (strcmp(type, "net") == 0) {
- memset(command, 0, STRING_SIZE);
- snprintf(command, STRING_SIZE - 1,
- "/usr/sbin/ipsec auto --asynchronous --up %s >/dev/null", name);
- safe_system(command);
- }
+/*
+ if you find a way to start a single connection without changing all add it
+ here. Change also vpn-watch.
+*/
+ safe_system("/etc/rc.d/init.d/ipsec restart >/dev/null");
}
/*
issue ipsec commmands to turn off connection 'name'
*/
void turn_connection_off (char *name) {
char command[STRING_SIZE];
-
- memset(command, 0, STRING_SIZE);
- snprintf(command, STRING_SIZE - 1,
- "/usr/sbin/ipsec auto --down %s >/dev/null", name);
- safe_system(command);
memset(command, 0, STRING_SIZE);
snprintf(command, STRING_SIZE - 1,
- "/usr/sbin/ipsec auto --delete %s >/dev/null", name);
+ "/usr/sbin/ipsec whack --delete --name %s >/dev/null", name);
safe_system(command);
- safe_system("/usr/sbin/ipsec auto --rereadsecrets >/dev/null");
+ safe_system("/usr/sbin/ipsec whack --rereadall >/dev/null");
}
FILE *file = NULL;
+
+ if (strcmp(argv[1], "I") == 0) {
+ safe_system("/usr/sbin/ipsec whack --status");
+ exit(0);
+ }
+
+ if (strcmp(argv[1], "R") == 0) {
+ safe_system("/usr/sbin/ipsec whack --rereadall >/dev/null");
+ exit(0);
+ }
+
/* Get vpnwatch pid */
- if ( (argc == 2) && (file = fopen("/var/run/vpn-watch.pid", "r"))) {
- safe_system("kill -9 $(cat /var/run/vpn-watch.pid)");
- safe_system("unlink /var/run/vpn-watch.pid");
- close(file);
- }
+
+ if ((argc == 2) && (file = fopen("/var/run/vpn-watch.pid", "r"))) {
+ safe_system("kill -9 $(cat /var/run/vpn-watch.pid)");
+ safe_system("unlink /var/run/vpn-watch.pid");
+ close(file);
+ }
/* FIXME: workaround for pclose() issue - still no real idea why
* this is happening */
/* handle operations that doesn't need start the ipsec system */
if (argc == 2) {
if (strcmp(argv[1], "D") == 0) {
- ipsec_norules();
/* Only shutdown pluto if it really is running */
/* Get pluto pid */
if (file = fopen("/var/run/pluto.pid", "r")) {
safe_system("/etc/rc.d/init.d/ipsec stop 2> /dev/null >/dev/null");
close(file);
}
+ ipsec_norules();
exit(0);
}
- if (strcmp(argv[1], "R") == 0) {
- safe_system("/usr/sbin/ipsec auto --rereadall");
- exit(0);
- }
}
- /* clear iptables vpn rules */
- ipsec_norules();
-
/* read vpn config */
kv=initkeyvalues();
if (!readkeyvalues(kv, CONFIG_ROOT "/vpn/settings"))
if (enable_blue==2)
open_physical(if_blue, 4500);
- // then open the ipsecX
- open_virtual();
-
// start the system
if ((argc == 2) && strcmp(argv[1], "S") == 0) {
- load_modules();
- safe_system("/usr/sbin/ipsec tncfg --clear >/dev/null");
- safe_system("/etc/rc.d/init.d/ipsec restart >/dev/null");
- add_alias_interfaces(configtype, redtype, if_red, (enable_red+enable_green+enable_orange+enable_blue) >>1 );
- safe_system("/usr/local/bin/vpn-watch &");
+ safe_system("/etc/rc.d/init.d/ipsec restart >/dev/null");
+ safe_system("/usr/local/bin/vpn-watch &");
exit(0);
}
// it is a selective start or stop
// second param is only a number 'key'
if ((argc == 2) || strspn(argv[2], NUMBERS) != strlen(argv[2])) {
- ipsec_norules();
fprintf(stderr, "Bad arg\n");
usage();
exit(1);
// search the vpn pointed by 'key'
if (!(file = fopen(CONFIG_ROOT "/vpn/config", "r"))) {
- ipsec_norules();
fprintf(stderr, "Couldn't open vpn settings file");
exit(1);
}
if (strcmp(argv[1], "D") == 0)
turn_connection_off (name);
else {
- ipsec_norules();
fprintf(stderr, "Bad command\n");
exit(1);
}