VPN_CONFIG="/var/ipfire/vpn/config"
+eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
eval $(/usr/local/bin/readhash /var/ipfire/vpn/settings)
VARS=(
- id status name lefthost type ctype x1 x2 x3 leftsubnets
- remote righthost rightsubnets x5 x6 x7 x8 x9 x10 x11 x12
- x13 x14 x15 x16 x17 x18 x19 x20 x21 proto x22 x23 x24
- route x26 mode interface_mode interface_address interface_mtu rest
+ id status name lefthost type ctype psk local local_id leftsubnets
+ remote_id remote rightsubnets x3 x4 x5 x6 x7 x8 x9 x10 x11 x12
+ x13 x14 x15 x16 x17 x18 x19 proto x20 x21 x22
+ route x23 mode interface_mode interface_address interface_mtu rest
)
log() {
logger -t ipsec "$@"
}
+resolve_hostname() {
+ local hostname="${1}"
+
+ dig +short A "${hostname}" | tail -n1
+}
+
main() {
# Register local variables
local "${VARS[@]}"
local interfaces=()
- while IFS="," read -r "${VARS[@]}"; do
- # Check if the connection is enabled
- [ "${status}" = "on" ] || continue
-
- # Check if this a net-to-net connection
- [ "${type}" = "net" ] || continue
-
- # Determine the interface name
- case "${interface_mode}" in
- gre|vti)
- local intf="${interface_mode}${id}"
- ;;
- *)
- continue
- ;;
- esac
-
- # Add the interface to the list of all interfaces
- interfaces+=( "${intf}" )
+ # We are done when IPsec is not enabled
+ if [ "${ENABLED}" = "on" ]; then
+ while IFS="," read -r "${VARS[@]}"; do
+ # Check if the connection is enabled
+ [ "${status}" = "on" ] || continue
+
+ # Check if this a net-to-net connection
+ [ "${type}" = "net" ] || continue
+
+ # Determine the interface name
+ case "${interface_mode}" in
+ gre|vti)
+ local intf="${interface_mode}${id}"
+ ;;
+ *)
+ continue
+ ;;
+ esac
+
+ # Add the interface to the list of all interfaces
+ interfaces+=( "${intf}" )
+
+ # Compat for older connections
+ if [ "${local}" = "off" ]; then
+ if [ "${VPN_IP}" = "%defaultroute" ]; then
+ local=""
+ else
+ local="${VPN_IP}"
+ fi
+ fi
- local args=(
- "local" "${VPN_IP}"
- "remote" "${righthost}"
- "ttl" "255"
- )
+ # Handle %defaultroute
+ if [ -z "${local}" ]; then
+ if [ -r "/var/ipfire/red/local-ipaddress" ]; then
+ local="$(</var/ipfire/red/local-ipaddress)"
- # Add key for VTI
- if [ "${interface_mode}" = "vti" ]; then
- args+=( key "${id}" )
- fi
+ elif [ "${RED_TYPE}" = "STATIC" -a -n "${RED_ADDRESS}" ]; then
+ local="${RED_ADDRESS}"
+ fi
+ fi
- # Update the settings when the interface already exists
- if [ -d "/sys/class/net/${intf}" ]; then
- ip link change dev "${intf}" \
- type "${interface_mode}" "${args[@]}" &>/dev/null
+ # Resolve any hostnames
+ if [[ ! ${remote} =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+ remote="$(resolve_hostname "${remote}")"
+ fi
- # Create a new interface and bring it up
- else
- log "Creating interface ${intf}"
- ip link add name "${intf}" type "${interface_mode}" "${args[@]}"
- fi
+ local args=(
+ "local" "${local}"
+ "remote" "${remote}"
+ )
+
+ case "${interface_mode}" in
+ gre)
+ # Add TTL
+ args+=( "ttl" "255" )
+ ;;
+
+ vti)
+ # Add key for VTI
+ args+=( "key" "${id}" )
+ ;;
+ esac
+
+ # Update the settings when the interface already exists
+ if [ -d "/sys/class/net/${intf}" ]; then
+ ip link change dev "${intf}" \
+ type "${interface_mode}" "${args[@]}" &>/dev/null
+
+ # Create a new interface and bring it up
+ else
+ log "Creating interface ${intf}"
+ if ! ip link add name "${intf}" type "${interface_mode}" "${args[@]}"; then
+ log "Could not create interface ${intf}"
+ continue
+ fi
+ fi
- # Add an IP address
- ip addr flush dev "${intf}"
- ip addr add "${interface_address}" dev "${intf}"
+ # Add an IP address
+ ip addr flush dev "${intf}"
+ ip addr add "${interface_address}" dev "${intf}"
- # Set MTU
- ip link set dev "${intf}" mtu "${interface_mtu}"
+ # Set MTU
+ ip link set dev "${intf}" mtu "${interface_mtu}"
- # Bring up the interface
- ip link set dev "${intf}" up
- done < "${VPN_CONFIG}"
+ # Bring up the interface
+ ip link set dev "${intf}" up
+ done < "${VPN_CONFIG}"
+ fi
# Delete all other interfaces
local intf
- for intf in /sys/class/net/gre* /sys/class/net/vti*; do
+ for intf in /sys/class/net/gre[0-9]* /sys/class/net/vti[0-9]*; do
intf="$(basename "${intf}")"
# Ignore a couple of interfaces that cannot be deleted
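Review bot: The value returned by `resolve_hostname` is used as the tunnel `remote` without any validation (L98-L100): `dig +short` prints CNAME targets before the A record and, on a lookup failure, writes text such as `;; connection timed out; no servers could be reached` to stdout, so `remote` can end up as a non-address or empty string. Because the arguments are passed as an array there is no shell injection, but for an existing interface the bad value reaches `ip link change ... &>/dev/null` and is swallowed silently, and for a new interface the log line only says the interface could not be created, not that name resolution is the cause. Since `dig` answers are unauthenticated it also seems worth a comment that the endpoint is only as trustworthy as the resolver, and that for GRE the IPsec policy presumably still gates what is sent to it — confirm against the strongSwan setup. I would check the resolved value against the same IPv4 pattern the code already uses and skip the connection with a log message when it does not match; `main` continues past the end of this hunk.
```shell
# Resolve any hostnames; dig output is only trusted when it looks like an IPv4 address
if [[ ! ${remote} =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
	local resolved
	resolved="$(resolve_hostname "${remote}")"
	if [[ ! ${resolved} =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
		log "Could not resolve ${remote} for ${intf}, skipping"
		continue
	fi
	remote="${resolved}"
fi
# … unchanged: args array, interface create/change, address, MTU, up …
```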