[people/ms/network.git] / src / functions / functions.ipsec

#!/bin/bash
###############################################################################
#                                                                             #
# IPFire.org - A linux based firewall                                         #
# Copyright (C) 2017  IPFire Network Development Team                         #
#                                                                             #
# This program is free software: you can redistribute it and/or modify        #
# it under the terms of the GNU General Public License as published by        #
# the Free Software Foundation, either version 3 of the License, or           #
# (at your option) any later version.                                         #
#                                                                             #
# This program is distributed in the hope that it will be useful,             #
# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
# GNU General Public License for more details.                                #
#                                                                             #
# You should have received a copy of the GNU General Public License           #
# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
#                                                                             #
###############################################################################

IPSEC_CONNECTION_CONFIG_SETTINGS="AUTH_MODE INACTIVITY_TIMEOUT LOCAL_ID LOCAL_PREFIX"
IPSEC_CONNECTION_CONFIG_SETTINGS="${IPSEC_CONNECTION_CONFIG_SETTINGS} MODE PEER PSK"
IPSEC_CONNECTION_CONFIG_SETTINGS="${IPSEC_CONNECTION_CONFIG_SETTINGS} REMOTE_ID REMOTE_PREFIX"
IPSEC_CONNECTION_CONFIG_SETTINGS="${IPSEC_CONNECTION_CONFIG_SETTINGS} SECURITY_POLICY"

# Default values
IPSEC_DEFAULT_MODE="tunnel"
IPSEC_DEFAULT_AUTH_MODE="psk"
IPSEC_DEFAULT_INACTIVITY_TIMEOUT="0"
IPSEC_DEFAULT_SECURITY_POLICY="system"

IPSEC_VALID_MODES="gre-transport tunnel vti"
IPSEC_VALID_AUTH_MODES="PSK psk"

cli_ipsec() {
	local action=${1}
	shift 1

	case "${action}" in
		connection)
			cli_ipsec_connection $@
			;;
		*)
			error "Unrecognized argument: ${action}"
			exit ${EXIT_ERROR}
			;;
	esac
}

cli_ipsec_connection() {
	if ipsec_connection_exists ${1}; then
		local connection=${1}
		local key=${2}
		key=${key//-/_}
		shift 2

		case "${key}" in
			authentication|inactivity-timout|local|mode|peer|remote|security-policy)
				ipsec_connection_${key} ${connection} $@
				;;
			*)
				error "Unrecognized argument: ${key}"
				exit ${EXIT_ERROR}
				;;
		esac
	else
		local action=${1}
		shift

		case "${action}" in
			new)
				ipsec_connection_new $@
				;;
			destroy)
				ipsec_connection_destroy $@
				;;
			""|*)
				if [ -n "${action}" ]; then
					error "Unrecognized argument: '${action}'"
				fi
				exit ${EXIT_ERROR}
				;;
		esac
	fi
}

# This function writes all values to a via ${connection} specificated VPN IPsec configuration file
ipsec_connection_write_config() {
	assert [ $# -ge 1 ]

	local connection="${1}"

	if ! ipsec_connection_exists "${connection}"; then
		log ERROR "No such VPN IPsec connection: ${connection}"
		return ${EXIT_ERROR}
	fi

	local path="${NETWORK_IPSEC_CONNS_DIR}/${connection}/settings"

	if ! settings_write "${path}" ${IPSEC_CONNECTION_CONFIG_SETTINGS}; then
		log ERROR "Could not write configuration settings for VPN IPsec connection ${connection}"
		return ${EXIT_ERROR}
	fi

	ipsec_reload ${connection}
}

# This funtion writes the value for one key to a via ${connection} specificated VPN IPsec connection configuration file
ipsec_connection_write_config_key() {
	assert [ $# -ge 3 ]

	local connection=${1}
	local key=${2}
	shift 2

	local value="$@"

	if ! ipsec_connection_exists "${connection}"; then
		log ERROR "No such VPN ipsec connection: ${connection}"
		return ${EXIT_ERROR}
	fi

	log DEBUG "Set '${key}' to new value '${value}' in VPN ipsec connection '${connection}'"

	local ${IPSEC_CONNECTION_CONFIG_SETTINGS}

	# Read the config settings
	if ! ipsec_connection_read_config "${connection}"; then
		return ${EXIT_ERROR}
	fi

	# Set the key to a new value
	assign "${key}" "${value}"

	if ! ipsec_connection_write_config "${connection}"; then
		return ${EXIT_ERROR}
	fi

	return ${EXIT_TRUE}
}

# Reads one or more keys out of a settings file or all if no key is provided.
ipsec_connection_read_config() {
	assert [ $# -ge 1 ]

	local connection="${1}"
	shift 1

	if ! ipsec_connection_exists "${connection}"; then
		log ERROR "No such VPN IPsec connection : ${connection}"
		return ${EXIT_ERROR}
	fi


	local args
	if [ $# -eq 0 ] && [ -n "${IPSEC_CONNECTION_CONFIG_SETTINGS}" ]; then
		list_append args ${IPSEC_CONNECTION_CONFIG_SETTINGS}
	else
		list_append args $@
	fi

	local path="${NETWORK_IPSEC_CONNS_DIR}/${connection}/settings"

	if ! settings_read "${path}" ${args}; then
		log ERROR "Could not read settings for VPN IPsec connection ${connection}"
		return ${EXIT_ERROR}
	fi
}

# This function checks if a vpn ipsec connection exists
# Returns True when yes and false when not
ipsec_connection_exists() {
	assert [ $# -eq 1 ]

	local connection=${1}

	local path="${NETWORK_IPSEC_CONNS_DIR}/${connection}"

	[ -d "${path}" ] && return ${EXIT_TRUE} || return ${EXIT_FALSE}
}

# Reloads the connection after config changes
ipsec_reload() {
	return ${EXIT_TRUE}
}

# Handle the cli after authentification
ipsec_connection_authentication() {
	if [ ! $# -gt 1 ]; then
		log ERROR "Not enough arguments"
		return ${EXIT_ERROR}
	fi

	local connection=${1}
	local cmd=${2}
	shift 2

	case ${cmd} in
		mode)
			ipsec_connection_authentication_mode "${connection}" $@
			;;
		pre-shared-key)
			ipsec_connection_authentication_psk "${connection}" $@
			;;
		*)
			log ERROR "Unrecognized argument: ${cmd}"
			return ${EXIT_ERROR}
			;;
	esac
}

# Set the authentification mode
ipsec_connection_authentication_mode() {
	if [ ! $# -eq 2 ]; then
		log ERROR "Not enough arguments"
		return ${EXIT_ERROR}
	fi
	local connection=${1}
	local mode=${2}

	if ! isoneof mode ${IPSEC_VALID_AUTH_MODES}; then
		log ERROR "Auth mode '${mode}' is invalid"
		return ${EXIT_ERROR}
	fi

	if ! ipsec_connection_write_config_key "${connection}" "AUTH_MODE" ${mode,,}; then
		log ERROR "Could not write configuration settings"
		return ${EXIT_ERROR}
	fi
}

# Set the psk
ipsec_connection_authentication_psk() {
	if [ ! $# -eq 2]; then
		log ERROR "Not enough arguments"
		return ${EXIT_ERROR}
	fi
	local connection=${1}
	local psk=${2}

	# TODO Check if psk is valid 

	if ! ipsec_connection_write_config_key "${connection}" "PSK" ${psk}; then
		log ERROR "Could not write configuration settings"
		return ${EXIT_ERROR}
	fi

	return ${EXIT_OK}
}

# Handle the cli after local
ipsec_connection_local() {
	if [ ! $# -ge 2 ]; then
		log ERROR "Not enough arguments"
		return ${EXIT_ERROR}
	fi

	local connection=${1}
	local cmd=${2}
	shift 2

	case ${cmd} in
		id)
			ipsec_connection_id "${connection}" "LOCAL" $@
			;;
		prefix)
			ipsec_connection_prefix "${connection}" "LOCAL" $@
			;;
		*)
			log ERROR "Unrecognized argument: ${cmd}"
			return ${EXIT_ERROR}
			;;
	esac

	return ${EXIT_OK}
}

# Set the connection mode
ipsec_connection_mode() {
	if [ ! $# -eq 2 ]; then
		log ERROR "Not enough arguments"
		return ${EXIT_ERROR}
	fi
	local connection=${1}
	local mode=${2}

	if ! isoneof mode ${IPSEC_VALID_MODES}; then
		log ERROR "Mode '${mode}' is invalid"
		return ${EXIT_ERROR}
	fi

	if ! ipsec_connection_write_config_key "${connection}" "MODE" ${mode}; then
		log ERROR "Could not write configuration settings"
		return ${EXIT_ERROR}
	fi

	return ${EXIT_OK}
}

# Set the peer to connect to
ipsec_connection_peer() {
	if [ ! $# -eq 2 ]; then
		log ERROR "Not enough arguments"
		return ${EXIT_ERROR}
	fi
	local connection=${1}
	local peer=${2}

	if ! ipsec_connection_check_peer ${peer}; then
		log ERROR "Peer '${peer}' is invalid"
		return ${EXIT_ERROR}
	fi

	if ! ipsec_connection_write_config_key "${connection}" "PEER" ${peer}; then
		log ERROR "Could not write configuration settings"
		return ${EXIT_ERROR}
	fi

	return ${EXIT_OK}
}

#Set the local or remote id
ipsec_connection_id() {
	if [ ! $# -eq 3 ]; then
		log ERROR "Not enough arguments"
		return ${EXIT_ERROR}
	fi
	local connection=${1}
	local type=${2}
	local id=${3}

	if ! ipsec_connection_check_id ${id}; then
		log ERROR "Id '${id}' is invalid"
		return ${EXIT_ERROR}
	fi
	
	if ! ipsec_connection_write_config_key "${connection}" "${type}_ID" ${id}; then
		log ERROR "Could not write configuration settings"
		return ${EXIT_ERROR}
	fi
	
	return ${EXIT_OK}
}

# Set the local or remote prefix 
ipsec_connection_prefix() {
	if [ ! $# -ge 3 ]; then
		log ERROR "Not enough arguments"
		return ${EXIT_ERROR}
	fi
	local connection=${1}
	local type=${2}
	shift 2
	
	local _prefix="${type}_PREFIX"
	local "${_prefix}"
	if ! ipsec_connection_read_config "${connection}" "${_prefix}"; then
		return ${EXIT_ERROR}
	fi

	# Remove duplicated entries to proceed the list safely
	assign "${_prefix}" "$(list_unique ${!_prefix} )"

	local prefixes_added
	local prefixes_removed
	local prefixes_set

	while [ $# -gt 0 ]; do
		local arg="${1}"

		case "${arg}" in
			+*)
				list_append prefixes_added "${arg:1}"
				;;
			-*)
				list_append prefixes_removed "${arg:1}"
				;;
			[A-Fa-f0-9]*)
				list_append prefixes_set "${arg}"
				;;
			*)
				error "Invalid argument: ${arg}"
				return ${EXIT_ERROR}
				;;
		esac
		shift
	done

	# Check if the user is trying a mixed operation
	if ! list_is_empty prefixes_set && (! list_is_empty prefixes_added || ! list_is_empty prefixes_removed); then
		error "You cannot reset the prefix list and add or remove prefixes at the same time"
		return ${EXIT_ERROR}
	fi

	# Set new prefix list
	if ! list_is_empty prefixes_set; then
		# Check if all prefixes are valid
		local prefix
		for prefix in ${prefixes_set}; do
			if ! ip_net_is_valid ${prefix}; then
				error "Unsupported prefix: ${prefix}"
				return ${EXIT_ERROR}
			fi
		done

		assign "${_prefix}" "${prefixes_set}"

	# Perform incremental updates
	else
		local prefix

		# Perform all removals
		for prefix in ${prefixes_removed}; do
			if ! list_remove "${_prefix}" ${prefix}; then
				warning "${prefix} was not on the list and could not be removed"
			fi
		done


		for prefix in ${prefixes_added}; do
			if ip_net_is_valid ${prefix}; then
				if ! list_append_unique "${_prefix}" ${prefix}; then
					warning "${prefix} is already on the prefix list"
				fi
			else
				warning "${prefix} is not a valiv IP net and could not be added"
			fi
		done
	fi

	# Check if the list contain at least one valid prefix
	if list_is_empty ${_prefix}; then
		error "Cannot save an empty prefix list"
		return ${EXIT_ERROR}
	fi

	# Save everything
	if ! ipsec_connection_write_config_key "${connection}" "${_prefix}" ${!_prefix}; then
		log ERROR "Could not write configuration settings"
	fi

	return ${EXIT_OK}
}

# Handle the cli after remote
ipsec_connection_remote() {
	if [ ! $# -ge 2 ]; then
		log ERROR "Not enough arguments"
		return ${EXIT_ERROR}
	fi

	local connection=${1}
	local cmd=${2}
	shift 2

	case ${cmd} in
		id)
			ipsec_connection_id "${connection}" "REMOTE" $@
			;;

		prefix)
			ipsec_connection_prefix "${connection}" "REMOTE" $@
			;;
		*)
			log ERROR "Unrecognized argument: ${cmd}"
			return ${EXIT_ERROR}
			;;
	esac

	return ${EXIT_OK}
}

# Set the inactivity timeout
ipsec_connection_inactivity_timeout() {
	if [ ! $# -ge 2 ]; then
		log ERROR "Not enough arguments"
		return ${EXIT_ERROR}
	fi

	local connection=${1}
	shift 1
	local value=$@

	if ! isinteger value; then
		value=$(parse_time $@)
		if [ ! $? -eq 0 ]; then
			log ERROR "Parsing the passed time was not sucessful please check the passed values."
			return ${EXIT_ERROR}
		fi
	fi

	if [ ${value} -le 0 ]; then
		log ERROR "The passed time value must be in the sum greater zero seconds."
		return ${EXIT_ERROR}
	fi

	if ! ipsec_connection_write_config_key "${connection}" "INACTIVITY_TIMEOUT" ${value}; then
		log ERROR "Could not write configuration settings"
		return ${EXIT_ERROR}
	fi

	return ${EXIT_OK}
}


# Set the security policy to use
ipsec_connection_security_policy() {
	if [ ! $# -eq 2 ]; then
		log ERROR "Not enough arguments"
		return ${EXIT_ERROR}
	fi
	local connection=${1}
	local security_policy=${2}

	if ! vpn_security_policy_exists ${security_policy}; then
		log ERROR "No such vpn security policy '${security_policy}'"
		return ${EXIT_ERROR}
	fi

	if ! ipsec_connection_write_config_key "${connection}" "SECURITY_POLICY" ${security_policy}; then
		log ERROR "Could not write configuration settings"
		return ${EXIT_ERROR}
	fi
}

# Check if a id is valid
ipsec_connection_check_id() {
	assert [ $# -eq 1 ]
	local id=${1}

	if [[ ${id} =~ ^@[[:alnum:]]+$ ]] || ip_is_valid ${id}; then
		return ${EXIT_TRUE}
	else
		return ${EXIT_FALSE}
	fi
}

# Checks if a peer is valid
ipsec_connection_check_peer() {
	assert [ $# -eq 1 ]
	local peer=${1}

	# TODO Accept also FQDNs
	if ip_is_valid ${peer}; then
		return ${EXIT_TRUE}
	else
		return ${EXIT_FALSE}
	fi
}

# This function checks if a VPN IPsec connection name is valid
# Allowed are only A-Za-z0-9
ipsec_connection_check_name() {
	assert [ $# -eq 1 ]

	local connection=${1}

	[[ "${connection}" =~ [^[:alnum:]$] ]]
}

# Function that creates one VPN IPsec connection
ipsec_connection_new() {
	if [ $# -gt 1 ]; then
		error "Too many arguments"
		return ${EXIT_ERROR}
	fi

	local connection="${1}"
	if ! isset connection; then
		error "Please provide a connection name"
		return ${EXIT_ERROR}
	fi

	# Check for duplicates
	if ipsec_connection_exists "${connection}"; then
		error "The VPN IPsec connection ${connection} already exists"
		return ${EXIT_ERROR}
	fi

	# Check if the name of the connection is valid
	if  ipsec_connection_check_name "${connection}"; then
		error "'${connection}' contains illegal characters"
		return ${EXIT_ERROR}
	fi

	log DEBUG "Creating VPN IPsec connection ${connection}"

	if ! mkdir -p "${NETWORK_IPSEC_CONNS_DIR}/${connection}"; then
		log ERROR "Could not create config directory for ${connection}"
		return ${EXIT_ERROR}
	fi

	local ${IPSEC_CONNECTION_CONFIG_SETTINGS}

	MODE=${IPSEC_DEFAULT_MODE}
	AUTH_MODE=${IPSEC_DEFAULT_AUTH_MODE}
	INACTIVITY_TIMEOUT=${IPSEC_DEFAULT_INACTIVITY_TIMEOUT}
	SECURITY_POLICY=${IPSEC_DEFAULT_SECURITY_POLICY}

	if ! ipsec_connection_write_config "${connection}"; then
		log ERROR "Could not write new config file"
		return ${EXIT_ERROR}
	fi
}

# Function that deletes based on the passed parameters one ore more vpn security policies
ipsec_connection_destroy() {
	local connection
	for connection in $@; do
		if ! ipsec_connection_exists "${connection}"; then
			log ERROR "The VPN IPsec connection ${connection} does not exist."
			continue
		fi

		log DEBUG "Deleting VPN IPsec connection ${connection}"
		if ! rm -rf "${NETWORK_IPSEC_CONNS_DIR}/${connection}"; then
			log ERROR "Deleting the VPN IPsec connection ${connection} was not sucessful"
			return ${EXIT_ERROR}
		fi
	done
}
Commit	Line	Data
917a1aa0 JS	1	#!/bin/bash
	2	###############################################################################
	3	# #
	4	# IPFire.org - A linux based firewall #
	5	# Copyright (C) 2017 IPFire Network Development Team #
	6	# #
	7	# This program is free software: you can redistribute it and/or modify #
	8	# it under the terms of the GNU General Public License as published by #
	9	# the Free Software Foundation, either version 3 of the License, or #
	10	# (at your option) any later version. #
	11	# #
	12	# This program is distributed in the hope that it will be useful, #
	13	# but WITHOUT ANY WARRANTY; without even the implied warranty of #
	14	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
	15	# GNU General Public License for more details. #
	16	# #
	17	# You should have received a copy of the GNU General Public License #
	18	# along with this program. If not, see <http://www.gnu.org/licenses/>. #
	19	# #
	20	###############################################################################
	21
	22	IPSEC_CONNECTION_CONFIG_SETTINGS="AUTH_MODE INACTIVITY_TIMEOUT LOCAL_ID LOCAL_PREFIX"
	23	IPSEC_CONNECTION_CONFIG_SETTINGS="${IPSEC_CONNECTION_CONFIG_SETTINGS} MODE PEER PSK"
	24	IPSEC_CONNECTION_CONFIG_SETTINGS="${IPSEC_CONNECTION_CONFIG_SETTINGS} REMOTE_ID REMOTE_PREFIX"
	25	IPSEC_CONNECTION_CONFIG_SETTINGS="${IPSEC_CONNECTION_CONFIG_SETTINGS} SECURITY_POLICY"
	26
	27	# Default values
	28	IPSEC_DEFAULT_MODE="tunnel"
	29	IPSEC_DEFAULT_AUTH_MODE="psk"
	30	IPSEC_DEFAULT_INACTIVITY_TIMEOUT="0"
	31	IPSEC_DEFAULT_SECURITY_POLICY="system"
	32
	33	IPSEC_VALID_MODES="gre-transport tunnel vti"
	34	IPSEC_VALID_AUTH_MODES="PSK psk"
	35
2da98f56 MT	36	cli_ipsec() {
	37	local action=${1}
	38	shift 1
	39
	40	case "${action}" in
	41	connection)
	42	cli_ipsec_connection $@
	43	;;
	44	*)
	45	error "Unrecognized argument: ${action}"
	46	exit ${EXIT_ERROR}
	47	;;
	48	esac
	49	}
	50
	51	cli_ipsec_connection() {
	52	if ipsec_connection_exists ${1}; then
	53	local connection=${1}
	54	local key=${2}
	55	key=${key//-/_}
	56	shift 2
	57
	58	case "${key}" in
	59	authentication\|inactivity-timout\|local\|mode\|peer\|remote\|security-policy)
	60	ipsec_connection_${key} ${connection} $@
	61	;;
	62	*)
	63	error "Unrecognized argument: ${key}"
	64	exit ${EXIT_ERROR}
	65	;;
	66	esac
	67	else
	68	local action=${1}
	69	shift
	70
	71	case "${action}" in
	72	new)
	73	ipsec_connection_new $@
	74	;;
	75	destroy)
	76	ipsec_connection_destroy $@
	77	;;
	78	""\|*)
	79	if [ -n "${action}" ]; then
	80	error "Unrecognized argument: '${action}'"
	81	fi
	82	exit ${EXIT_ERROR}
	83	;;
	84	esac
	85	fi
	86	}
	87
917a1aa0 JS	88	# This function writes all values to a via ${connection} specificated VPN IPsec configuration file
	89	ipsec_connection_write_config() {
	90	assert [ $# -ge 1 ]
	91
	92	local connection="${1}"
	93
	94	if ! ipsec_connection_exists "${connection}"; then
	95	log ERROR "No such VPN IPsec connection: ${connection}"
	96	return ${EXIT_ERROR}
	97	fi
	98
cf8685a1	99	local path="${NETWORK_IPSEC_CONNS_DIR}/${connection}/settings"
917a1aa0 JS	100
	101	if ! settings_write "${path}" ${IPSEC_CONNECTION_CONFIG_SETTINGS}; then
	102	log ERROR "Could not write configuration settings for VPN IPsec connection ${connection}"
	103	return ${EXIT_ERROR}
	104	fi
	105
	106	ipsec_reload ${connection}
	107	}
	108
	109	# This funtion writes the value for one key to a via ${connection} specificated VPN IPsec connection configuration file
	110	ipsec_connection_write_config_key() {
	111	assert [ $# -ge 3 ]
	112
	113	local connection=${1}
	114	local key=${2}
	115	shift 2
	116
	117	local value="$@"
	118
	119	if ! ipsec_connection_exists "${connection}"; then
	120	log ERROR "No such VPN ipsec connection: ${connection}"
	121	return ${EXIT_ERROR}
	122	fi
	123
	124	log DEBUG "Set '${key}' to new value '${value}' in VPN ipsec connection '${connection}'"
	125
	126	local ${IPSEC_CONNECTION_CONFIG_SETTINGS}
	127
	128	# Read the config settings
	129	if ! ipsec_connection_read_config "${connection}"; then
	130	return ${EXIT_ERROR}
	131	fi
	132
	133	# Set the key to a new value
	134	assign "${key}" "${value}"
	135
	136	if ! ipsec_connection_write_config "${connection}"; then
	137	return ${EXIT_ERROR}
	138	fi
	139
	140	return ${EXIT_TRUE}
	141	}
	142
	143	# Reads one or more keys out of a settings file or all if no key is provided.
	144	ipsec_connection_read_config() {
	145	assert [ $# -ge 1 ]
	146
	147	local connection="${1}"
	148	shift 1
	149
	150	if ! ipsec_connection_exists "${connection}"; then
	151	log ERROR "No such VPN IPsec connection : ${connection}"
	152	return ${EXIT_ERROR}
	153	fi
	154
	155
	156	local args
	157	if [ $# -eq 0 ] && [ -n "${IPSEC_CONNECTION_CONFIG_SETTINGS}" ]; then
	158	list_append args ${IPSEC_CONNECTION_CONFIG_SETTINGS}
	159	else
	160	list_append args $@
	161	fi
	162
cf8685a1	163	local path="${NETWORK_IPSEC_CONNS_DIR}/${connection}/settings"
917a1aa0 JS	164
	165	if ! settings_read "${path}" ${args}; then
	166	log ERROR "Could not read settings for VPN IPsec connection ${connection}"
	167	return ${EXIT_ERROR}
	168	fi
	169	}
	170
917a1aa0 JS	171	# This function checks if a vpn ipsec connection exists
	172	# Returns True when yes and false when not
	173	ipsec_connection_exists() {
	174	assert [ $# -eq 1 ]
	175
	176	local connection=${1}
	177
cf8685a1	178	local path="${NETWORK_IPSEC_CONNS_DIR}/${connection}"
917a1aa0 JS	179
	180	[ -d "${path}" ] && return ${EXIT_TRUE} \|\| return ${EXIT_FALSE}
	181	}
	182
	183	# Reloads the connection after config changes
	184	ipsec_reload() {
	185	return ${EXIT_TRUE}
	186	}
	187
	188	# Handle the cli after authentification
	189	ipsec_connection_authentication() {
	190	if [ ! $# -gt 1 ]; then
	191	log ERROR "Not enough arguments"
	192	return ${EXIT_ERROR}
	193	fi
	194
	195	local connection=${1}
	196	local cmd=${2}
	197	shift 2
	198
	199	case ${cmd} in
	200	mode)
	201	ipsec_connection_authentication_mode "${connection}" $@
	202	;;
	203	pre-shared-key)
	204	ipsec_connection_authentication_psk "${connection}" $@
	205	;;
	206	*)
	207	log ERROR "Unrecognized argument: ${cmd}"
	208	return ${EXIT_ERROR}
	209	;;
	210	esac
	211	}
	212
	213	# Set the authentification mode
	214	ipsec_connection_authentication_mode() {
	215	if [ ! $# -eq 2 ]; then
	216	log ERROR "Not enough arguments"
	217	return ${EXIT_ERROR}
	218	fi
	219	local connection=${1}
	220	local mode=${2}
	221
	222	if ! isoneof mode ${IPSEC_VALID_AUTH_MODES}; then
	223	log ERROR "Auth mode '${mode}' is invalid"
	224	return ${EXIT_ERROR}
	225	fi
	226
	227	if ! ipsec_connection_write_config_key "${connection}" "AUTH_MODE" ${mode,,}; then
	228	log ERROR "Could not write configuration settings"
	229	return ${EXIT_ERROR}
	230	fi
	231	}
	232
	233	# Set the psk
	234	ipsec_connection_authentication_psk() {
	235	if [ ! $# -eq 2]; then
	236	log ERROR "Not enough arguments"
	237	return ${EXIT_ERROR}
	238	fi
	239	local connection=${1}
	240	local psk=${2}
	241
	242	# TODO Check if psk is valid
243
244	if ! ipsec_connection_write_config_key "${connection}" "PSK" ${psk}; then
245	log ERROR "Could not write configuration settings"
246	return ${EXIT_ERROR}
247	fi
248
249	return ${EXIT_OK}
250	}
251
252	# Handle the cli after local
253	ipsec_connection_local() {
254	if [ ! $# -ge 2 ]; then
255	log ERROR "Not enough arguments"
256	return ${EXIT_ERROR}
257	fi
258
259	local connection=${1}
260	local cmd=${2}
261	shift 2
262
263	case ${cmd} in
264	id)
265	ipsec_connection_id "${connection}" "LOCAL" $@
266	;;
267	prefix)
268	ipsec_connection_prefix "${connection}" "LOCAL" $@
269	;;
270	*)
271	log ERROR "Unrecognized argument: ${cmd}"
272	return ${EXIT_ERROR}
273	;;
274	esac
275
276	return ${EXIT_OK}
277	}
278
279	# Set the connection mode
280	ipsec_connection_mode() {
5bdbc2ee	281	if [ ! $# -eq 2 ]; then
917a1aa0 JS	282	log ERROR "Not enough arguments"
	283	return ${EXIT_ERROR}
	284	fi
	285	local connection=${1}
	286	local mode=${2}
	287
	288	if ! isoneof mode ${IPSEC_VALID_MODES}; then
	289	log ERROR "Mode '${mode}' is invalid"
	290	return ${EXIT_ERROR}
	291	fi
	292
	293	if ! ipsec_connection_write_config_key "${connection}" "MODE" ${mode}; then
	294	log ERROR "Could not write configuration settings"
	295	return ${EXIT_ERROR}
	296	fi
	297
	298	return ${EXIT_OK}
	299	}
	300
	301	# Set the peer to connect to
	302	ipsec_connection_peer() {
0b962a64	303	if [ ! $# -eq 2 ]; then
917a1aa0 JS	304	log ERROR "Not enough arguments"
	305	return ${EXIT_ERROR}
	306	fi
	307	local connection=${1}
	308	local peer=${2}
	309
	310	if ! ipsec_connection_check_peer ${peer}; then
	311	log ERROR "Peer '${peer}' is invalid"
	312	return ${EXIT_ERROR}
	313	fi
	314
	315	if ! ipsec_connection_write_config_key "${connection}" "PEER" ${peer}; then
	316	log ERROR "Could not write configuration settings"
	317	return ${EXIT_ERROR}
	318	fi
	319
	320	return ${EXIT_OK}
	321	}
	322
	323	#Set the local or remote id
	324	ipsec_connection_id() {
	325	if [ ! $# -eq 3 ]; then
	326	log ERROR "Not enough arguments"
	327	return ${EXIT_ERROR}
	328	fi
	329	local connection=${1}
	330	local type=${2}
	331	local id=${3}
	332
	333	if ! ipsec_connection_check_id ${id}; then
	334	log ERROR "Id '${id}' is invalid"
	335	return ${EXIT_ERROR}
	336	fi
	337
	338	if ! ipsec_connection_write_config_key "${connection}" "${type}_ID" ${id}; then
	339	log ERROR "Could not write configuration settings"
	340	return ${EXIT_ERROR}
	341	fi
	342
	343	return ${EXIT_OK}
	344	}
	345
	346	# Set the local or remote prefix
	347	ipsec_connection_prefix() {
	348	if [ ! $# -ge 3 ]; then
	349	log ERROR "Not enough arguments"
	350	return ${EXIT_ERROR}
	351	fi
	352	local connection=${1}
	353	local type=${2}
	354	shift 2
	355
	356	local _prefix="${type}_PREFIX"
	357	local "${_prefix}"
	358	if ! ipsec_connection_read_config "${connection}" "${_prefix}"; then
	359	return ${EXIT_ERROR}
	360	fi
	361
	362	# Remove duplicated entries to proceed the list safely
	363	assign "${_prefix}" "$(list_unique ${!_prefix} )"
	364
	365	local prefixes_added
	366	local prefixes_removed
	367	local prefixes_set
368
369	while [ $# -gt 0 ]; do
370	local arg="${1}"
371
372	case "${arg}" in
373	+*)
374	list_append prefixes_added "${arg:1}"
375	;;
376	-*)
377	list_append prefixes_removed "${arg:1}"
378	;;
379	[A-Fa-f0-9]*)
380	list_append prefixes_set "${arg}"
381	;;
382	*)
383	error "Invalid argument: ${arg}"
384	return ${EXIT_ERROR}
385	;;
386	esac
387	shift
388	done
389
390	# Check if the user is trying a mixed operation
391	if ! list_is_empty prefixes_set && (! list_is_empty prefixes_added \|\| ! list_is_empty prefixes_removed); then
392	error "You cannot reset the prefix list and add or remove prefixes at the same time"
393	return ${EXIT_ERROR}
394	fi
395
396	# Set new prefix list
397	if ! list_is_empty prefixes_set; then
398	# Check if all prefixes are valid
399	local prefix
400	for prefix in ${prefixes_set}; do
401	if ! ip_net_is_valid ${prefix}; then
402	error "Unsupported prefix: ${prefix}"
403	return ${EXIT_ERROR}
404	fi
405	done
406
407	assign "${_prefix}" "${prefixes_set}"
408
409	# Perform incremental updates
410	else
411	local prefix
412
413	# Perform all removals
414	for prefix in ${prefixes_removed}; do
415	if ! list_remove "${_prefix}" ${prefix}; then
416	warning "${prefix} was not on the list and could not be removed"
417	fi
418	done
419
420
421	for prefix in ${prefixes_added}; do
422	if ip_net_is_valid ${prefix}; then
423	if ! list_append_unique "${_prefix}" ${prefix}; then
424	warning "${prefix} is already on the prefix list"
425	fi
426	else
427	warning "${prefix} is not a valiv IP net and could not be added"
428	fi
429	done
430	fi
431
432	# Check if the list contain at least one valid prefix
433	if list_is_empty ${_prefix}; then
434	error "Cannot save an empty prefix list"
435	return ${EXIT_ERROR}
436	fi
437
438	# Save everything
439	if ! ipsec_connection_write_config_key "${connection}" "${_prefix}" ${!_prefix}; then
440	log ERROR "Could not write configuration settings"
441	fi
442
443	return ${EXIT_OK}
444	}
445
446	# Handle the cli after remote
447	ipsec_connection_remote() {
448	if [ ! $# -ge 2 ]; then
449	log ERROR "Not enough arguments"
450	return ${EXIT_ERROR}
451	fi
452
453	local connection=${1}
454	local cmd=${2}
455	shift 2
456
457	case ${cmd} in
458	id)
459	ipsec_connection_id "${connection}" "REMOTE" $@
460	;;
461
462	prefix)
463	ipsec_connection_prefix "${connection}" "REMOTE" $@
464	;;
465	*)
466	log ERROR "Unrecognized argument: ${cmd}"
467	return ${EXIT_ERROR}
468	;;
469	esac
470
471	return ${EXIT_OK}
472	}
473
474	# Set the inactivity timeout
475	ipsec_connection_inactivity_timeout() {
476	if [ ! $# -ge 2 ]; then
477	log ERROR "Not enough arguments"
478	return ${EXIT_ERROR}
479	fi
480
481	local connection=${1}
482	shift 1
483	local value=$@
484
485	if ! isinteger value; then
486	value=$(parse_time $@)
487	if [ ! $? -eq 0 ]; then
488	log ERROR "Parsing the passed time was not sucessful please check the passed values."
489	return ${EXIT_ERROR}
490	fi
491	fi
492
493	if [ ${value} -le 0 ]; then
494	log ERROR "The passed time value must be in the sum greater zero seconds."
495	return ${EXIT_ERROR}
496	fi
497
498	if ! ipsec_connection_write_config_key "${connection}" "INACTIVITY_TIMEOUT" ${value}; then
499	log ERROR "Could not write configuration settings"
500	return ${EXIT_ERROR}
501	fi
502
503	return ${EXIT_OK}
504	}
505
506
507	# Set the security policy to use
508	ipsec_connection_security_policy() {
509	if [ ! $# -eq 2 ]; then
510	log ERROR "Not enough arguments"
511	return ${EXIT_ERROR}
512	fi
513	local connection=${1}
514	local security_policy=${2}
515
516	if ! vpn_security_policy_exists ${security_policy}; then
517	log ERROR "No such vpn security policy '${security_policy}'"
518	return ${EXIT_ERROR}
519	fi
520
521	if ! ipsec_connection_write_config_key "${connection}" "SECURITY_POLICY" ${security_policy}; then
522	log ERROR "Could not write configuration settings"
523	return ${EXIT_ERROR}
524	fi
525	}
526
527	# Check if a id is valid
528	ipsec_connection_check_id() {
529	assert [ $# -eq 1 ]
530	local id=${1}
531
532	if [[ ${id} =~ ^@[[:alnum:]]+$ ]] \|\| ip_is_valid ${id}; then
533	return ${EXIT_TRUE}
534	else
535	return ${EXIT_FALSE}
536	fi
537	}
538
539	# Checks if a peer is valid
540	ipsec_connection_check_peer() {
541	assert [ $# -eq 1 ]
542	local peer=${1}
543
544	# TODO Accept also FQDNs
545	if ip_is_valid ${peer}; then
546	return ${EXIT_TRUE}
547	else
548	return ${EXIT_FALSE}
549	fi
550	}
551
552	# This function checks if a VPN IPsec connection name is valid
553	# Allowed are only A-Za-z0-9
554	ipsec_connection_check_name() {
555	assert [ $# -eq 1 ]
556
557	local connection=${1}
558
559	[[ "${connection}" =~ [^[:alnum:]$] ]]
560	}
561
562	# Function that creates one VPN IPsec connection
563	ipsec_connection_new() {
564	if [ $# -gt 1 ]; then
565	error "Too many arguments"
566	return ${EXIT_ERROR}
567	fi
568
569	local connection="${1}"
570	if ! isset connection; then
571	error "Please provide a connection name"
572	return ${EXIT_ERROR}
573	fi
574
575	# Check for duplicates
576	if ipsec_connection_exists "${connection}"; then
577	error "The VPN IPsec connection ${connection} already exists"
578	return ${EXIT_ERROR}
579	fi
580
581	# Check if the name of the connection is valid
582	if ipsec_connection_check_name "${connection}"; then
583	error "'${connection}' contains illegal characters"
584	return ${EXIT_ERROR}
585	fi
586
587	log DEBUG "Creating VPN IPsec connection ${connection}"
588
cf8685a1	589	if ! mkdir -p "${NETWORK_IPSEC_CONNS_DIR}/${connection}"; then
917a1aa0 JS	590	log ERROR "Could not create config directory for ${connection}"
	591	return ${EXIT_ERROR}
	592	fi
	593
	594	local ${IPSEC_CONNECTION_CONFIG_SETTINGS}
	595
	596	MODE=${IPSEC_DEFAULT_MODE}
	597	AUTH_MODE=${IPSEC_DEFAULT_AUTH_MODE}
	598	INACTIVITY_TIMEOUT=${IPSEC_DEFAULT_INACTIVITY_TIMEOUT}
	599	SECURITY_POLICY=${IPSEC_DEFAULT_SECURITY_POLICY}
	600
	601	if ! ipsec_connection_write_config "${connection}"; then
	602	log ERROR "Could not write new config file"
	603	return ${EXIT_ERROR}
	604	fi
	605	}
	606
	607	# Function that deletes based on the passed parameters one ore more vpn security policies
	608	ipsec_connection_destroy() {
	609	local connection
	610	for connection in $@; do
	611	if ! ipsec_connection_exists "${connection}"; then
	612	log ERROR "The VPN IPsec connection ${connection} does not exist."
	613	continue
	614	fi
	615
	616	log DEBUG "Deleting VPN IPsec connection ${connection}"
cf8685a1	617	if ! rm -rf "${NETWORK_IPSEC_CONNS_DIR}/${connection}"; then
917a1aa0 JS	618	log ERROR "Deleting the VPN IPsec connection ${connection} was not sucessful"
	619	return ${EXIT_ERROR}
	620	fi
	621	done
	622	}