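#!/bin/bash
###############################################################################
#                                                                             #
# IPFire.org - A linux based firewall                                         #
# Copyright (C) 2017 IPFire Network Development Team                          #
#                                                                             #
# This program is free software: you can redistribute it and/or modify        #
# it under the terms of the GNU General Public License as published by        #
# the Free Software Foundation, either version 3 of the License, or           #
# (at your option) any later version.                                         #
#                                                                             #
# This program is distributed in the hope that it will be useful,             #
# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the                #
# GNU General Public License for more details.                                #
#                                                                             #
# You should have received a copy of the GNU General Public License           #
# along with this program. If not, see <http://www.gnu.org/licenses/>.        #
#                                                                             #
###############################################################################
#
# strongSwan "updown" hook for IPsec connections managed by the network
# functions library. strongSwan passes the connection state in PLUTO_*
# environment variables (PLUTO_VERB, PLUTO_CONNECTION, PLUTO_ME, PLUTO_PEER,
# PLUTO_MY_CLIENT, PLUTO_PEER_CLIENT, PLUTO_MARK_IN/PLUTO_MARK_OUT, ...).
#
# On an "up-*" verb the script creates the GRE/VTI tunnel device when the
# connection's MODE needs one and installs the route towards the peer's
# network; on a "down-*" verb it removes the route and the tunnel device.

LOG_DISABLE_STDOUT="true"
. /usr/lib/network/functions

# Read network settings
network_settings_read

# Make sure we are called by strongSwan
assert isset PLUTO_VERSION

if enabled DEBUG; then
	# Dump the PLUTO_* environment strongSwan handed us.
	# -r keeps backslashes in the values intact.
	while read -r line; do
		[[ ${line} =~ ^PLUTO_ ]] || continue
		log DEBUG " ${line}"
	done <<< "$(printenv | sort)"
fi

CONNECTION="${PLUTO_CONNECTION}"

if ! ipsec_connection_read_config "${CONNECTION}"; then
	log ERROR "Could not read configuration for ${CONNECTION}"
	exit ${EXIT_ERROR}
fi

# Interface name for this IPsec connection.
# Only the tunnel modes (GRE, VTI) get a dedicated device.
case "${MODE}" in
	gre-*|vti)
		INTERFACE="ipsec-${CONNECTION}"
		;;
esac

log DEBUG "${0} called for ${CONNECTION}: ${PLUTO_VERB}"

case "${PLUTO_VERB}" in
	up-client|up-client-v6|up-host|up-host-v6)
		case "${MODE}" in
			gre-*)
				if ! device_exists "${INTERFACE}"; then
					ip_tunnel_add "${INTERFACE}" \
						--mode="gre" \
						--local-address="${PLUTO_ME}" \
						--remote-address="${PLUTO_PEER}"

					device_set_up "${INTERFACE}"
				fi
				;;
			vti)
				if device_exists "${INTERFACE}"; then
					# Re-key the existing device. The marks may carry a
					# "/mask" suffix, which is stripped for the key.
					ip_tunnel_change_keys "${INTERFACE}" \
						--ikey="${PLUTO_MARK_IN%/*}" \
						--okey="${PLUTO_MARK_OUT%/*}"
				else
					if ! ip_tunnel_add "${INTERFACE}" \
							--mode="vti" \
							--local-address="${PLUTO_ME}" \
							--remote-address="${PLUTO_PEER}" \
							--ikey="${PLUTO_MARK_IN%/*}" \
							--okey="${PLUTO_MARK_OUT%/*}"; then
						log ERROR "Could not create VTI device for ${CONNECTION}"
					fi
				fi

				device_set_up "${INTERFACE}"
				;;
		esac

		# Get source IPs for routes.
		# Word-splitting the helper's output into an array is intended.
		SRC_IP=($(ip_get_assigned_addresses_from_net \
			"${PLUTO_MY_CLIENT}" "permanent"))

		# Set routes if we have a source IP.
		# If not, the machine does not have a leg on the net
		# and we can go on without routes.
		if isset SRC_IP; then
			# We take the lowest source IP we found,
			# which is ugly because the value is unpredictable.
			SRC_IP=${SRC_IP[0]}

			if isset INTERFACE; then
				if ! cmd ip route add \
						"${PLUTO_PEER_CLIENT}" \
						dev "${INTERFACE}" \
						src "${SRC_IP}"; then
					log ERROR \
						"Could not set routes for ${PLUTO_PEER_CLIENT}"
				fi
			else
				# Get the device which we use to peer with the other site.
				ME_DEVICE="$(device_get_by_ip_address "${PLUTO_ME}")"

				# We can only go on if we found a device.
				if isset ME_DEVICE; then
					if ! cmd ip route add \
							"${PLUTO_PEER_CLIENT}" \
							dev "${ME_DEVICE}" \
							proto static \
							src "${SRC_IP}" \
							table 220; then
						log ERROR \
							"Could not set routes for ${PLUTO_PEER_CLIENT}"
					fi
				else
					log ERROR "Could not get device for ${PLUTO_ME}"
				fi
			fi
		fi
		;;

	down-client|down-client-v6|down-host|down-host-v6)
		# Remove routes
		# NOTE(review): the non-tunnel "up" path above installs its route
		# in table 220, while this deletes from the default table only —
		# confirm whether a "table 220" deletion is needed here as well.
		cmd ip route del "${PLUTO_PEER_CLIENT}"

		# Remove interfaces
		case "${MODE}" in
			gre-*|vti)
				if device_exists "${INTERFACE}"; then
					device_set_down "${INTERFACE}"
					ip_tunnel_del "${INTERFACE}"
				fi
				;;
		esac
		;;
esac

exit ${EXIT_OK}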