[[ ${device} =~ ^dummy[0-9]+$ ]]
}
+device_is_ipsec() {
+ local device="${1}"
+
+ [[ ${device} =~ ^ipsec\- ]]
+}
+
# Check if the device is a wireless device
device_is_wireless() {
local device=${1}
ip tunnel del ${device}
assert [ $? -eq 0 ]
}
+
+ip_tunnel_change_keys() {
+ local device="${1}"
+ shift
+
+ if ! isset device; then
+ error "No device given"
+ return ${EXIT_ERROR}
+ fi
+
+ local ikey
+ local okey
+
+ while [ $# -gt 0 ]; do
+ case "${1}" in
+ --ikey=*)
+ ikey="$(cli_get_val ${1})"
+ ;;
+ --okey=*)
+ okey="$(cli_get_val ${1})"
+ ;;
+ *)
+ error "Invalid argument: ${1}"
+ return ${EXIT_ERROR}
+ ;;
+ esac
+ shift
+ done
+
+ if ! isset ikey || ! isset okey; then
+ error "You need to set --ikey= and --okey="
+ return ${EXIT_ERROR}
+ fi
+
+ if ! device_exists "${device}"; then
+ error "No such device: ${device}"
+ return ${EXIT_ERROR}
+ fi
+
+ if ! cmd ip link change dev "${device}" \
+ type vti ikey "${ikey}" okey "${okey}"; then
+ log ERROR "Could not change keys of device ${device}"
+ return ${EXIT_ERROR}
+ fi
+
+ return ${EXIT_OK}
+}
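Review bot: The key values are taken with an unquoted `cli_get_val ${1}` on the `--ikey=` and `--okey=` arms and are never validated before being handed to `ip link change … type vti ikey "${ikey}" okey "${okey}"`, so an empty or non-numeric mark (the callers pass `${PLUTO_MARK_IN%/*}`, which is whatever the IKE daemon exported) only surfaces as a generic "Could not change keys" failure. Quoting the expansion, `ikey="$(cli_get_val "${1}")"`, and rejecting anything that is not a plain integer right after the argument loop, `[[ ${ikey} =~ ^[0-9]+$ && ${okey} =~ ^[0-9]+$ ]] || { error "Invalid key: ${ikey}/${okey}"; return ${EXIT_ERROR}; }`, gives the caller a precise error and keeps the tunnel from being reconfigured with a bogus mark. The three context lines above the function appear to belong to `ip_tunnel_del`, whose start is outside the hunk.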
fi
print
+ # Netfilter Marks
+ print_indent 4 "# Netfilter Marks"
+ print_indent 4 "mark_in = %unique"
+ print_indent 4 "mark_out = %unique"
+ print
+
# Rekeying
if isset LIFETIME; then
print_indent 4 "# Rekey Time"
CONNECTION="${PLUTO_CONNECTION}"
+# Interface name for this IPsec connection
+INTERFACE="ipsec-${CONNECTION}"
+
if ! ipsec_connection_read_config "${CONNECTION}"; then
log ERROR "Could not read configuration for ${CONNECTION}"
exit ${EXIT_ERROR}
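Review bot: `INTERFACE="ipsec-${CONNECTION}"` is later used as a kernel device name, and Linux limits interface names to 15 characters, so with the six-character prefix any connection name longer than nine characters makes the `ip_tunnel_add` call in the up-client handler fail with an unrelated-looking error. A length check next to the assignment, `if [ ${#INTERFACE} -gt 15 ]; then log ERROR "Interface name too long: ${INTERFACE}"; exit ${EXIT_ERROR}; fi`, reports the real cause before any tunnel operation is attempted. A one-line comment stating the 15-character limit on the `INTERFACE=` line would also help, since nothing in the hook hints at it.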
case "${PLUTO_VERB}" in
up-client)
+ case "${MODE}" in
+ vti)
+ if device_exists "${INTERFACE}"; then
+ ip_tunnel_change_keys "${INTERFACE}" \
+ --ikey="${PLUTO_MARK_IN%/*}" \
+ --okey="${PLUTO_MARK_OUT%/*}"
+
+ else
+ if ! ip_tunnel_add "${INTERFACE}" \
+ --mode="vti" \
+ --local-address="${PLUTO_ME}" \
+ --remote-address="${PLUTO_PEER}" \
+ --ikey="${PLUTO_MARK_IN%/*}" \
+ --okey="${PLUTO_MARK_OUT%/*}"; then
+ log ERROR "Could not create VTI device for ${CONNECTION}"
+ fi
+ fi
+
+ device_set_up "${INTERFACE}"
+ ;;
+ esac
;;
down-client)
+ case "${MODE}" in
+ vti)
+ if device_exists "${INTERFACE}"; then
+ device_set_down "${INTERFACE}"
+
+ ip_tunnel_del "${INTERFACE}"
+ fi
+ ;;
+ esac
;;
esac
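Review bot: In the `up-client` vti branch the return value of `ip_tunnel_change_keys` is ignored, and when `ip_tunnel_add` fails the handler only logs the error and still runs `device_set_up "${INTERFACE}"` on a device that does not exist, so the hook exits successfully while the tunnel is not usable. Both paths should abort, e.g. change the `log ERROR "Could not create VTI device for ${CONNECTION}"` line to be followed by `exit ${EXIT_ERROR}` and wrap the change-keys call the same way, `ip_tunnel_change_keys … || exit ${EXIT_ERROR}`, so the IKE daemon sees the failure instead of a silently marked-up connection. The `case "${MODE}"` has no default arm; if non-vti modes are meant to be a no-op here, a short `*) ;; # nothing to do for non-VTI modes` arm would make that explicit.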
elif device_is_loopback ${INTERFACE}; then
exit ${EXIT_OK}
+ # Stop processing rules for IPsec devices
+ elif device_is_ipsec ${INTERFACE}; then
+ exit ${EXIT_OK}
+
# Stop processing rules for wireless monitoring devices
elif device_is_wireless_monitor ${INTERFACE}; then
exit ${EXIT_OK}