ipsec: Set traffic selectors to all when using GRE/VTI devices
1#!/bin/bash
2###############################################################################
3# #
4# IPFire.org - A linux based firewall #
5# Copyright (C) 2017 IPFire Network Development Team #
6# #
7# This program is free software: you can redistribute it and/or modify #
8# it under the terms of the GNU General Public License as published by #
9# the Free Software Foundation, either version 3 of the License, or #
10# (at your option) any later version. #
11# #
12# This program is distributed in the hope that it will be useful, #
13# but WITHOUT ANY WARRANTY; without even the implied warranty of #
14# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
15# GNU General Public License for more details. #
16# #
17# You should have received a copy of the GNU General Public License #
18# along with this program. If not, see <http://www.gnu.org/licenses/>. #
19# #
20###############################################################################
# Keys that make up a connection's settings file. The read/write helpers in
# this file expand this list, so adding a key here is enough to have it
# persisted and loaded with the rest.
# NOTE(review): PSK is part of this list, i.e. the pre-shared key is written
# to the same settings file as the other keys (presumably in the clear —
# confirm against settings_write).
IPSEC_CONNECTION_CONFIG_SETTINGS="\
	AUTH_MODE \
	DPD_ACTION \
	DPD_DELAY \
	DPD_TIMEOUT \
	INACTIVITY_TIMEOUT \
	LOCAL_ADDRESS \
	LOCAL_ID \
	LOCAL_PREFIX \
	MODE \
	PEER \
	POOLS \
	PSK \
	REMOTE_ID \
	REMOTE_PREFIX \
	SECURITY_POLICY \
	START_ACTION \
	TYPE \
	ENABLED \
	ZONE"
# Default values, applied by ipsec_connection_new when a connection is created
IPSEC_DEFAULT_AUTH_MODE="PSK"
IPSEC_DEFAULT_DPD_ACTION="restart"
# DPD delay/timeout and the inactivity timeout are presumably in seconds
# (the setters accept plain integers or parse_time output) — confirm
IPSEC_DEFAULT_DPD_DELAY="30"
IPSEC_DEFAULT_DPD_TIMEOUT="120"
IPSEC_DEFAULT_ENABLED="true"
# 0 is treated as "no inactivity timeout" by cli_ipsec_connection_show
IPSEC_DEFAULT_INACTIVITY_TIMEOUT="0"
IPSEC_DEFAULT_MODE="tunnel"
IPSEC_DEFAULT_SECURITY_POLICY="system"
IPSEC_DEFAULT_START_ACTION="on-demand"
IPSEC_DEFAULT_TYPE="net-to-net"

# Accepted values for the MODE and AUTH_MODE setters (checked with isoneof)
IPSEC_VALID_MODES="transport tunnel"
IPSEC_VALID_AUTH_MODES="PSK"
# Entry point of the "ipsec" CLI: hands the remaining arguments to the
# sub-CLI named by the first word.
cli_ipsec() {
	local subcommand="${1}"
	shift

	case "${subcommand}" in
		connection|pool)
			"cli_ipsec_${subcommand}" "$@"
			;;
		*)
			# Anything else is a usage error that ends the CLI run
			error "Unrecognized argument: ${subcommand}"
			exit ${EXIT_ERROR}
			;;
	esac
}
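# CLI for "ipsec connection": with an existing connection name the second
# word selects the property to edit (or "show"); otherwise the first word is
# a management action ("new", "destroy").
cli_ipsec_connection() {
	# An empty first argument is never a connection; let it fall through to
	# the usage error below instead of probing the connections directory
	if [ -n "${1}" ] && ipsec_connection_exists "${1}"; then
		local connection="${1}"
		local key="${2}"
		shift 2

		# Properties are spelled with dashes on the CLI but the handler
		# functions use underscores
		key="${key//-/_}"

		case "${key}" in
			authentication|down|disable|dpd|enable|inactivity_timeout|local|mode|peer|pool|remote|security_policy|start_action|up|zone)
				"ipsec_connection_${key}" "${connection}" "$@"
				;;
			color)
				color_cli "ipsec-connection" "${connection}" "$@"
				;;
			description)
				# Quoted like the other handlers so multi-word descriptions
				# are passed through unchanged
				description_cli "ipsec-connection" "${connection}" "$@"
				;;
			show)
				cli_ipsec_connection_show "${connection}"
				exit $?
				;;
			*)
				error "Unrecognized argument: ${key}"
				exit ${EXIT_ERROR}
				;;
		esac
	else
		local action="${1}"
		shift

		case "${action}" in
			new)
				ipsec_connection_new "$@"
				;;
			destroy)
				cli_ipsec_connection_destroy "$@"
				;;
			*)
				# No argument at all is a silent usage error
				if [ -n "${action}" ]; then
					error "Unrecognized argument: '${action}'"
				fi
				exit ${EXIT_ERROR}
				;;
		esac
	fi
}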
# Destroys a connection and brings strongswan in line with the new state.
cli_ipsec_connection_destroy() {
	local connection="${1}"

	ipsec_connection_destroy "${connection}" || return ${EXIT_ERROR}

	# Tell strongswan that the connection is gone, then re-evaluate whether
	# the daemon still has to run at all
	ipsec_strongswan_load
	ipsec_strongswan_autostart
}
# Prints the colour configured for an IPsec connection (the generic colour
# helpers are keyed by the "ipsec-connection" namespace).
ipsec_connection_get_color() {
	assert [ $# -eq 1 ]

	color_read "ipsec-connection" ${1}
}
# Prints the title line of the description stored for an IPsec connection.
ipsec_connection_get_description_title() {
	assert [ $# -eq 1 ]

	local filename
	filename="$(description_format_filename "ipsec-connection" "${1}")"

	description_title_read ${filename}
}
# Prints a human-readable summary of one IPsec connection.
# Arguments: $1 - connection name
# Returns:   EXIT_OK, or EXIT_ERROR when the settings cannot be read
cli_ipsec_connection_show() {
	local connection="${1}"

	# Declare every setting locally so that ipsec_connection_read_config
	# populates this scope rather than the global one
	local ${IPSEC_CONNECTION_CONFIG_SETTINGS}
	if ! ipsec_connection_read_config "${connection}"; then
		error "Could not read the connection configuration"
		return ${EXIT_ERROR}
	fi

	cli_headline 0 "IPsec VPN Connection: ${connection}"
	cli_space

	cli_print_fmt1 1 "Color" "$(cli_color_bar $(ipsec_connection_get_color ${connection}))"
	cli_print_fmt1 1 "Description" "$(ipsec_connection_get_description_title ${connection})"
	cli_space

	# Peer
	if isset PEER; then
		cli_print_fmt1 1 "Peer" "${PEER}"
	fi

	# Zone
	if isset ZONE; then
		cli_print_fmt1 1 "Zone" "${ZONE}"
	fi

	# Security Policy
	# NOTE(review): "-" (not ":-") only substitutes the default when the
	# variable is unset, not when it is set to an empty string — confirm
	# that settings_read leaves absent keys unset
	cli_print_fmt1 1 "Security Policy" "${SECURITY_POLICY-${IPSEC_DEFAULT_SECURITY_POLICY}}"
	cli_space

	cli_headline 2 "Authentication"
	case "${AUTH_MODE^^}" in
		PSK)
			cli_print_fmt1 2 "Mode" "Pre-Shared-Key"

			# The key itself is never printed, only whether one is set
			if isset PSK; then
				cli_print_fmt1 2 "Pre-Shared-Key" "****"
			else
				cli_print_fmt1 2 "Pre-Shared-Key" "- is not set -"
			fi
			;;
		X509)
			: # TODO
			;;
	esac
	cli_space

	# Local and remote side share the same layout; the per-side settings
	# are reached through indirect expansion of "<SIDE>_ID"/"<SIDE>_PREFIX"
	local i
	for i in LOCAL REMOTE; do
		case "${i}" in
			LOCAL)
				cli_headline 2 "Local"
				;;
			REMOTE)
				cli_headline 2 "Remote"
				;;
		esac

		local id_var="${i}_ID"
		if [ -n "${!id_var}" ]; then
			cli_print_fmt1 2 "ID" "${!id_var}"
		fi

		local prefix_var="${i}_PREFIX"
		if isset ${prefix_var}; then
			cli_headline 3 "Prefix(es)"

			local prefix
			for prefix in ${!prefix_var}; do
				cli_print_fmt1 3 "${prefix}"
			done
		fi

		cli_space
	done

	cli_headline 2 "Misc."

	case "${MODE}" in
		transport)
			cli_print_fmt1 2 "Transport Mode" "Transport"
			;;
		tunnel)
			cli_print_fmt1 2 "Transport Mode" "Tunnel"
			;;
		*)
			cli_print_fmt1 2 "Transport Mode" "- Unknown -"
			;;
	esac

	# Inactivity timeout (0 means none and is not shown)
	if isset INACTIVITY_TIMEOUT && [ ${INACTIVITY_TIMEOUT} -gt 0 ]; then
		cli_print_fmt1 2 "Inactivity Timeout" "$(format_time ${INACTIVITY_TIMEOUT})"
	fi
	cli_space

	return ${EXIT_OK}
}
# Marks a connection as disabled and re-evaluates whether strongswan still
# has to start at boot.
ipsec_connection_disable() {
	local connection="${1}"

	ipsec_connection_write_config_key "${connection}" "ENABLED" "false" || {
		log ERROR "Could not write configuration settings"
		return ${EXIT_ERROR}
	}

	ipsec_strongswan_autostart
}
# Marks a connection as enabled and makes sure strongswan is set up to run.
ipsec_connection_enable() {
	local connection="${1}"

	ipsec_connection_write_config_key "${connection}" "ENABLED" "true" || {
		log ERROR "Could not write configuration settings"
		return ${EXIT_ERROR}
	}

	ipsec_strongswan_autostart
}
# Writes all connection settings (taken from the caller's scope, see
# IPSEC_CONNECTION_CONFIG_SETTINGS) to the settings file of the given
# connection and reloads it afterwards.
ipsec_connection_write_config() {
	assert [ $# -ge 1 ]

	local connection="${1}"

	ipsec_connection_exists "${connection}" || {
		log ERROR "No such VPN IPsec connection: ${connection}"
		return ${EXIT_ERROR}
	}

	local path="${NETWORK_IPSEC_CONNS_DIR}/${connection}/settings"

	# settings_write presumably picks the values up from the calling scope
	settings_write "${path}" ${IPSEC_CONNECTION_CONFIG_SETTINGS} || {
		log ERROR "Could not write configuration settings for VPN IPsec connection ${connection}"
		return ${EXIT_ERROR}
	}

	ipsec_reload ${connection}
}
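# Sets a single key of a connection's settings file to a new value (all
# arguments after the key are joined into the value) and writes the file.
# Arguments: $1 - connection name, $2 - settings key, $3.. - new value
# Returns:   EXIT_TRUE on success, EXIT_ERROR otherwise
ipsec_connection_write_config_key() {
	assert [ $# -ge 3 ]

	local connection="${1}"
	local key="${2}"
	shift 2

	local value="$@"

	if ! ipsec_connection_exists "${connection}"; then
		log ERROR "No such VPN ipsec connection: ${connection}"
		return ${EXIT_ERROR}
	fi

	# Only keys of the settings file can be written; anything else would be
	# assigned here but never persisted by ipsec_connection_write_config,
	# which handles IPSEC_CONNECTION_CONFIG_SETTINGS only
	if ! isoneof key ${IPSEC_CONNECTION_CONFIG_SETTINGS}; then
		log ERROR "Unknown setting '${key}' for VPN ipsec connection '${connection}'"
		return ${EXIT_ERROR}
	fi

	# The pre-shared key is a secret and must not end up in the log
	case "${key}" in
		PSK)
			log DEBUG "Set '${key}' to a new value in VPN ipsec connection '${connection}'"
			;;
		*)
			log DEBUG "Set '${key}' to new value '${value}' in VPN ipsec connection '${connection}'"
			;;
	esac

	# Load the complete settings file into this scope, change the one key
	# and write everything back
	local ${IPSEC_CONNECTION_CONFIG_SETTINGS}

	if ! ipsec_connection_read_config "${connection}"; then
		return ${EXIT_ERROR}
	fi

	assign "${key}" "${value}"

	if ! ipsec_connection_write_config "${connection}"; then
		return ${EXIT_ERROR}
	fi

	return ${EXIT_TRUE}
}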
# Reads the given settings keys of a connection (all keys when none are
# named) into variables of the caller's scope.
# Arguments: $1 - connection name, $2.. - keys to read (optional)
ipsec_connection_read_config() {
	assert [ $# -ge 1 ]

	local connection="${1}"
	shift

	ipsec_connection_exists "${connection}" || {
		log ERROR "No such VPN IPsec connection : ${connection}"
		return ${EXIT_ERROR}
	}

	# Without explicit keys, fall back to the complete settings list
	local args
	if [ $# -eq 0 ] && [ -n "${IPSEC_CONNECTION_CONFIG_SETTINGS}" ]; then
		list_append args ${IPSEC_CONNECTION_CONFIG_SETTINGS}
	else
		list_append args "$@"
	fi

	local path="${NETWORK_IPSEC_CONNS_DIR}/${connection}/settings"

	settings_read "${path}" ${args} || {
		log ERROR "Could not read settings for VPN IPsec connection ${connection}"
		return ${EXIT_ERROR}
	}
}
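# Checks whether a VPN IPsec connection with the given name exists.
# Returns EXIT_TRUE when its configuration directory is present and
# EXIT_FALSE otherwise.
ipsec_connection_exists() {
	assert [ $# -eq 1 ]

	local connection="${1}"

	# An empty name would resolve to the connections directory itself, and a
	# name with characters outside A-Za-z0-9 can never have been created by
	# ipsec_connection_new (and could point outside the directory), so
	# neither denotes an existing connection
	if [ -z "${connection}" ] || ipsec_connection_check_name "${connection}"; then
		return ${EXIT_FALSE}
	fi

	local path="${NETWORK_IPSEC_CONNS_DIR}/${connection}"

	if [ -d "${path}" ]; then
		return ${EXIT_TRUE}
	fi

	return ${EXIT_FALSE}
}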
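# Decides whether strongswan has to run and start at boot: it is needed as
# soon as at least one connection is enabled, and is disabled and stopped
# when no connection is.
ipsec_strongswan_autostart() {
	local autostart_needed="false"

	local connection
	for connection in $(ipsec_list_connections); do
		local ENABLED

		if ! ipsec_connection_read_config "${connection}" "ENABLED"; then
			log WARNING "Could not read configuation"
			continue
		fi

		# One enabled connection is enough; no need to look at the rest
		if enabled ENABLED; then
			autostart_needed="true"
			break
		fi
	done

	if [ "${autostart_needed}" = "true" ]; then
		# Start strongswan when we need it and when it is not yet enabled
		if ! service_is_enabled "strongswan"; then
			service_enable "strongswan"
		fi

		if ! service_is_active "strongswan"; then
			service_start "strongswan"
		fi
	else
		# Disable strongswan when we do not need it but it is enabled
		if service_is_enabled "strongswan"; then
			service_disable "strongswan"
		fi

		if service_is_active "strongswan"; then
			service_stop "strongswan"
		fi
	fi
}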
# Asks a running strongswan to reload all swanctl configuration.
ipsec_strongswan_load() {
	# Nothing to reload while the daemon is not running
	service_is_active "strongswan" || return ${EXIT_OK}

	if ! cmd swanctl --load-all; then
		log ERROR "Could not reload strongswan config"
		return ${EXIT_ERROR}
	fi
}
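# Regenerates (or removes) the swanctl configuration of a connection after
# its settings changed and asks strongswan to reload.
# Arguments: $1 - connection name
ipsec_reload() {
	local connection="${1}"

	local ENABLED

	if ! ipsec_connection_read_config "${connection}" "ENABLED"; then
		log ERROR "Could not read configuration for IPsec connection ${connection}"
		return ${EXIT_ERROR}
	fi

	if enabled ENABLED; then
		if ! ipsec_connection_to_strongswan "${connection}"; then
			# ${connection} (not the earlier misspelling) so the message
			# actually names the connection
			log ERROR "Could not generate strongswan config for ${connection}"
			return ${EXIT_ERROR}
		fi
	else
		# A disabled connection must not be known to strongswan at all
		log DEBUG "Deleting strongswan config ${NETWORK_IPSEC_SWANCTL_CONNECTIONS_DIR}/${connection}.conf"
		unlink "${NETWORK_IPSEC_SWANCTL_CONNECTIONS_DIR}/${connection}.conf"
	fi

	ipsec_strongswan_load
}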
# Dispatches the "authentication" sub-commands of a connection.
# Arguments: $1 - connection name, $2 - sub-command, $3.. - its arguments
ipsec_connection_authentication() {
	[ $# -gt 1 ] || {
		log ERROR "Not enough arguments"
		return ${EXIT_ERROR}
	}

	local connection="${1}"
	local subcommand="${2}"
	shift 2

	case "${subcommand}" in
		mode)
			ipsec_connection_authentication_mode "${connection}" "$@"
			;;
		pre-shared-key)
			ipsec_connection_authentication_psk "${connection}" "$@"
			;;
		*)
			log ERROR "Unrecognized argument: ${subcommand}"
			return ${EXIT_ERROR}
			;;
	esac
}
# Sets the authentication mode of a connection; the value is stored
# upper-cased and must be one of IPSEC_VALID_AUTH_MODES.
ipsec_connection_authentication_mode() {
	[ $# -eq 2 ] || {
		log ERROR "Not enough arguments"
		return ${EXIT_ERROR}
	}

	local connection="${1}"
	local mode="${2}"

	# isoneof takes the variable name, hence no "$"
	isoneof mode ${IPSEC_VALID_AUTH_MODES} || {
		log ERROR "Auth mode '${mode}' is invalid"
		return ${EXIT_ERROR}
	}

	ipsec_connection_write_config_key "${connection}" "AUTH_MODE" ${mode^^} || {
		log ERROR "Could not write configuration settings"
		return ${EXIT_ERROR}
	}
}
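# Sets the pre-shared key of a connection after a basic length check
# (4 to 128 characters inclusive).
# Arguments: $1 - connection name, $2 - pre-shared key
ipsec_connection_authentication_psk() {
	if [ $# -ne 2 ]; then
		log ERROR "Not enough arguments"
		return ${EXIT_ERROR}
	fi

	local connection="${1}"
	local psk="${2}"

	# NOTE(review): the key arrives as a command-line argument and is
	# therefore visible in the process list while this runs — confirm that
	# is acceptable for this CLI
	local length=${#psk}

	# A four character key is accepted, so the message says "at least"
	if [ ${length} -lt 4 ]; then
		error "The PSK must be at least four characters long"
		return ${EXIT_ERROR}
	fi

	if [ ${length} -gt 128 ]; then
		error "The PSK cannot be longer than 128 characters"
		return ${EXIT_ERROR}
	fi

	if ! ipsec_connection_write_config_key "${connection}" "PSK" "${psk}"; then
		log ERROR "Could not write configuration settings"
		return ${EXIT_ERROR}
	fi

	return ${EXIT_OK}
}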
# Brings a connection up: makes sure strongswan has its configuration,
# raises the attached zone (if any) and initiates the CHILD_SA.
ipsec_connection_up() {
	local connection="${1}"

	ipsec_connection_exists "${connection}" || {
		error "No such VPN IPsec connection: ${connection}"
		return ${EXIT_ERROR}
	}

	# Read configuration options
	local ZONE
	ipsec_connection_read_config "${connection}" "ZONE" || {
		log ERROR "Could not read configuration for IPsec connection ${connection}"
		return ${EXIT_ERROR}
	}

	# strongswan has to know the connection before we can initiate it
	local swanctl_conf="${NETWORK_IPSEC_SWANCTL_CONNECTIONS_DIR}/${connection}.conf"
	if [ ! -f "${swanctl_conf}" ]; then
		log DEBUG "Could not find a swanctl config, generating swanctl config"
		ipsec_connection_to_strongswan "${connection}"
		ipsec_strongswan_load
	fi

	# Bring up the zone
	if isset ZONE; then
		zone_up "${ZONE}"
	fi

	cmd swanctl --initiate --child "${connection}"
}
# Brings a connection down: terminates the IKE_SA and lowers the attached
# zone (if any).
ipsec_connection_down() {
	local connection="${1}"

	ipsec_connection_exists "${connection}" || {
		error "No such VPN IPsec connection: ${connection}"
		return ${EXIT_ERROR}
	}

	# Read configuration options
	local ZONE
	ipsec_connection_read_config "${connection}" "ZONE" || {
		log ERROR "Could not read configuration for IPsec connection ${connection}"
		return ${EXIT_ERROR}
	}

	# Tell strongswan to bring down any tunnels
	cmd swanctl --terminate --ike "${connection}"

	# Bring down the zone
	if isset ZONE; then
		zone_down "${ZONE}"
	fi
}
# Dispatches the "dpd" (dead peer detection) sub-commands of a connection.
# Arguments: $1 - connection name, $2 - sub-command, $3.. - its arguments
ipsec_connection_dpd() {
	[ $# -gt 1 ] || {
		log ERROR "Not enough arguments"
		return ${EXIT_ERROR}
	}

	local connection="${1}"
	local subcommand="${2}"
	shift 2

	case "${subcommand}" in
		action|delay|timeout)
			"ipsec_connection_dpd_${subcommand}" "${connection}" "$@"
			;;
		*)
			log ERROR "Unrecognized argument: ${subcommand}"
			return ${EXIT_ERROR}
			;;
	esac
}
# Sets the DPD action of a connection ("restart" or "clear").
ipsec_connection_dpd_action() {
	[ $# -eq 2 ] || {
		log ERROR "Not enough arguments"
		return ${EXIT_ERROR}
	}

	local connection="${1}"
	local action="${2}"

	# isoneof takes the variable name, hence no "$"
	isoneof action "restart" "clear" || {
		log ERROR "dpd action '${action}' is invalid"
		return ${EXIT_ERROR}
	}

	ipsec_connection_write_config_key "${connection}" "DPD_ACTION" ${action} || {
		log ERROR "Could not write configuration settings"
		return ${EXIT_ERROR}
	}
}
# Sets the DPD delay of a connection. Accepts a plain integer or any time
# expression parse_time understands; the result must not be negative.
ipsec_connection_dpd_delay() {
	[ $# -ge 2 ] || {
		log ERROR "Not enough arguments"
		return ${EXIT_ERROR}
	}

	local connection="${1}"
	shift

	local value="$@"

	# Non-integer input is handed to parse_time as separate words
	if ! isinteger value; then
		if ! value="$(parse_time "$@")"; then
			log ERROR "Parsing the passed time was not sucessful please check the passed values."
			return ${EXIT_ERROR}
		fi
	fi

	if [ ${value} -lt 0 ]; then
		log ERROR "The passed time value must be in the sum greater or equal zero seconds."
		return ${EXIT_ERROR}
	fi

	ipsec_connection_write_config_key "${connection}" "DPD_DELAY" ${value} || {
		log ERROR "Could not write configuration settings"
		return ${EXIT_ERROR}
	}

	return ${EXIT_OK}
}
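# Sets the DPD timeout of a connection. Accepts a plain integer or any time
# expression parse_time understands; the result must be greater than zero.
ipsec_connection_dpd_timeout() {
	if [ $# -lt 2 ]; then
		log ERROR "Not enough arguments"
		return ${EXIT_ERROR}
	fi

	local connection="${1}"
	shift

	local value="$@"

	# Non-integer input is handed to parse_time as separate words
	if ! isinteger value; then
		if ! value="$(parse_time "$@")"; then
			log ERROR "Parsing the passed time was not sucessful please check the passed values."
			return ${EXIT_ERROR}
		fi
	fi

	# Zero is rejected here, so the message must not claim it is allowed
	if [ ${value} -le 0 ]; then
		log ERROR "The passed time value must be in the sum greater than zero seconds."
		return ${EXIT_ERROR}
	fi

	if ! ipsec_connection_write_config_key "${connection}" "DPD_TIMEOUT" ${value}; then
		log ERROR "Could not write configuration settings"
		return ${EXIT_ERROR}
	fi

	return ${EXIT_OK}
}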
# Dispatches the "local" sub-commands of a connection (address, id, prefix).
ipsec_connection_local() {
	[ $# -ge 2 ] || {
		log ERROR "Not enough arguments"
		return ${EXIT_ERROR}
	}

	local connection="${1}"
	local subcommand="${2}"
	shift 2

	case "${subcommand}" in
		address)
			ipsec_connection_local_address "${connection}" "$@"
			;;
		id)
			ipsec_connection_id "${connection}" "LOCAL" "$@"
			;;
		prefix)
			ipsec_connection_prefix "${connection}" "LOCAL" "$@"
			;;
		*)
			log ERROR "Unrecognized argument: ${subcommand}"
			return ${EXIT_ERROR}
			;;
	esac

	return ${EXIT_OK}
}
# Sets the IPsec mode of a connection; must be one of IPSEC_VALID_MODES.
ipsec_connection_mode() {
	[ $# -eq 2 ] || {
		log ERROR "Not enough arguments"
		return ${EXIT_ERROR}
	}

	local connection="${1}"
	local mode="${2}"

	# isoneof takes the variable name, hence no "$"
	isoneof mode ${IPSEC_VALID_MODES} || {
		log ERROR "Mode '${mode}' is invalid"
		return ${EXIT_ERROR}
	}

	ipsec_connection_write_config_key "${connection}" "MODE" ${mode} || {
		log ERROR "Could not write configuration settings"
		return ${EXIT_ERROR}
	}

	return ${EXIT_OK}
}
# Attaches a zone to a connection, or detaches the current one when "-" is
# given. Only zones of the ip-tunnel hook are accepted.
# Arguments: $1 - connection name, $2 - zone name or "-"
ipsec_connection_zone() {
	local connection="${1}"
	local zone="${2}"
	shift 2

	# Check if we got an argument
	isset zone || {
		error "Zone is not set"
		return ${EXIT_ERROR}
	}

	local ZONE
	if [ "${zone}" = "-" ]; then
		ipsec_connection_read_config "${connection}" "ZONE" || {
			log ERROR "Could not read configuration for IPsec connection ${connection}"
			return ${EXIT_ERROR}
		}

		# An empty value removes the zone setting
		zone=""

		if isset ZONE; then
			log INFO "Removing zone ${ZONE} from IPsec connection '${connection}'"
		fi
	else
		# Check if the zone exists
		zone_exists "${zone}" || {
			error "Zone ${zone} does not exist"
			return ${EXIT_ERROR}
		}

		# Only ip-tunnel zones can carry an IPsec connection
		local hook
		hook="$(zone_get_hook "${zone}")"

		if [ "${hook}" != "ip-tunnel" ]; then
			error "Zones of type ${hook} are not supported"
			return ${EXIT_ERROR}
		fi

		# Check if this zone is already attached to another IPsec connection
		# XXX

		log INFO "Adding zone ${zone} to IPsec connection '${connection}'"
	fi

	# Save settings
	ipsec_connection_write_config_key "${connection}" "ZONE" "${zone}" || {
		error "Could not write configuration settings"
		return ${EXIT_ERROR}
	}

	return ${EXIT_OK}
}
# Sets the local address of a connection; validated like a peer address.
ipsec_connection_local_address() {
	[ $# -eq 2 ] || {
		log ERROR "Not enough arguments"
		return ${EXIT_ERROR}
	}

	local connection="${1}"
	local local_address="${2}"

	ipsec_connection_check_peer ${local_address} || {
		log ERROR "Local address '${local_address}' is invalid"
		return ${EXIT_ERROR}
	}

	ipsec_connection_write_config_key "${connection}" "LOCAL_ADDRESS" ${local_address} || {
		log ERROR "Could not write configuration settings"
		return ${EXIT_ERROR}
	}

	return ${EXIT_OK}
}
# Sets the peer (IP address or FQDN) a connection connects to.
ipsec_connection_peer() {
	[ $# -eq 2 ] || {
		log ERROR "Not enough arguments"
		return ${EXIT_ERROR}
	}

	local connection="${1}"
	local peer="${2}"

	ipsec_connection_check_peer ${peer} || {
		log ERROR "Peer '${peer}' is invalid"
		return ${EXIT_ERROR}
	}

	ipsec_connection_write_config_key "${connection}" "PEER" ${peer} || {
		log ERROR "Could not write configuration settings"
		return ${EXIT_ERROR}
	}

	return ${EXIT_OK}
}
# Sets the local or remote IKE identity of a connection.
# Arguments: $1 - connection name, $2 - "LOCAL" or "REMOTE", $3 - identity
ipsec_connection_id() {
	[ $# -eq 3 ] || {
		log ERROR "Not enough arguments"
		return ${EXIT_ERROR}
	}

	local connection="${1}"
	local side="${2}"
	local id="${3}"

	ipsec_connection_check_id ${id} || {
		log ERROR "Id '${id}' is invalid"
		return ${EXIT_ERROR}
	}

	# Stored as LOCAL_ID or REMOTE_ID
	ipsec_connection_write_config_key "${connection}" "${side}_ID" ${id} || {
		log ERROR "Could not write configuration settings"
		return ${EXIT_ERROR}
	}

	return ${EXIT_OK}
}
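# Sets the local or remote prefix list of a connection. The arguments are
# either a complete new list of prefixes, or incremental "+prefix" /
# "-prefix" operations; the two forms cannot be mixed.
# Arguments: $1 - connection name, $2 - "LOCAL" or "REMOTE", $3.. - prefixes
ipsec_connection_prefix() {
	if [ $# -lt 3 ]; then
		log ERROR "Not enough arguments"
		return ${EXIT_ERROR}
	fi
	local connection="${1}"
	local type="${2}"
	shift 2

	# Name of the settings variable being edited (LOCAL_PREFIX/REMOTE_PREFIX);
	# it is accessed through indirect expansion below
	local _prefix="${type}_PREFIX"
	local "${_prefix}"
	if ! ipsec_connection_read_config "${connection}" "${_prefix}"; then
		return ${EXIT_ERROR}
	fi

	# Remove duplicated entries to proceed the list safely
	assign "${_prefix}" "$(list_unique ${!_prefix} )"

	local prefixes_added
	local prefixes_removed
	local prefixes_set

	while [ $# -gt 0 ]; do
		local arg="${1}"

		case "${arg}" in
			+*)
				list_append prefixes_added "${arg:1}"
				;;
			-*)
				list_append prefixes_removed "${arg:1}"
				;;
			[A-Fa-f0-9]*)
				list_append prefixes_set "${arg}"
				;;
			*)
				error "Invalid argument: ${arg}"
				return ${EXIT_ERROR}
				;;
		esac
		shift
	done

	# Check if the user is trying a mixed operation
	if ! list_is_empty prefixes_set && (! list_is_empty prefixes_added || ! list_is_empty prefixes_removed); then
		error "You cannot reset the prefix list and add or remove prefixes at the same time"
		return ${EXIT_ERROR}
	fi

	if ! list_is_empty prefixes_set; then
		# Replacing the whole list: every prefix has to be valid
		local prefix
		for prefix in ${prefixes_set}; do
			if ! ip_net_is_valid ${prefix}; then
				error "Unsupported prefix: ${prefix}"
				return ${EXIT_ERROR}
			fi
		done

		assign "${_prefix}" "${prefixes_set}"
	else
		# Incremental update: removals first, then additions
		local prefix
		for prefix in ${prefixes_removed}; do
			if ! list_remove "${_prefix}" ${prefix}; then
				warning "${prefix} was not on the list and could not be removed"
			fi
		done

		for prefix in ${prefixes_added}; do
			if ip_net_is_valid ${prefix}; then
				if ! list_append_unique "${_prefix}" ${prefix}; then
					warning "${prefix} is already on the prefix list"
				fi
			else
				warning "${prefix} is not a valid IP network and could not be added"
			fi
		done
	fi

	# Check if the list contain at least one valid prefix
	if list_is_empty ${_prefix}; then
		error "Cannot save an empty prefix list"
		return ${EXIT_ERROR}
	fi

	# Save everything; a failed write must not be reported as success
	if ! ipsec_connection_write_config_key "${connection}" "${_prefix}" ${!_prefix}; then
		log ERROR "Could not write configuration settings"
		return ${EXIT_ERROR}
	fi

	return ${EXIT_OK}
}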
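# Sets the address pools of a connection. The arguments are either a
# complete new list of pools, or incremental "+pool" / "-pool" operations;
# the two forms cannot be mixed. Every pool must exist and pass
# ipsec_pool_check_config.
# Arguments: $1 - connection name, $2.. - pools
ipsec_connection_pool() {
	if [ $# -lt 2 ]; then
		log ERROR "Not enough arguments"
		return ${EXIT_ERROR}
	fi
	local connection="${1}"
	shift

	local POOLS
	if ! ipsec_connection_read_config "${connection}" "POOLS"; then
		return ${EXIT_ERROR}
	fi

	# Remove duplicated entries to proceed the list safely
	assign "POOLS" "$(list_unique ${POOLS})"

	local pools_added
	local pools_removed
	local pools_set

	while [ $# -gt 0 ]; do
		local arg="${1}"

		case "${arg}" in
			+*)
				list_append pools_added "${arg:1}"
				;;
			-*)
				list_append pools_removed "${arg:1}"
				;;
			[A-Za-z0-9]*)
				list_append pools_set "${arg}"
				;;
			*)
				error "Invalid argument: ${arg}"
				return ${EXIT_ERROR}
				;;
		esac
		shift
	done

	# Check if the user is trying a mixed operation
	if ! list_is_empty pools_set && (! list_is_empty pools_added || ! list_is_empty pools_removed); then
		error "You cannot reset the pools list and add or remove pools at the same time"
		return ${EXIT_ERROR}
	fi

	if ! list_is_empty pools_set; then
		# Replacing the whole list: every pool has to be valid
		local pool
		for pool in ${pools_set}; do
			if ! ipsec_pool_exists ${pool} || ! ipsec_pool_check_config ${pool}; then
				error "Pool ${pool} is not valid"
				return ${EXIT_ERROR}
			fi
		done

		assign "POOLS" "${pools_set}"
	else
		# Incremental update: removals first, then additions
		local pool
		for pool in ${pools_removed}; do
			if ! list_remove "POOLS" ${pool}; then
				warning "${pool} was not on the list and could not be removed"
			fi
		done

		for pool in ${pools_added}; do
			if ipsec_pool_exists ${pool} && ipsec_pool_check_config ${pool}; then
				if ! list_append_unique "POOLS" ${pool}; then
					# This is the pool list, not the prefix list
					warning "${pool} is already on the pool list"
				fi
			else
				warning "${pool} is not a valid pool"
			fi
		done
	fi

	# Check if the list contain at least one valid pool
	if list_is_empty POOLS; then
		error "Cannot save an empty pool list"
		return ${EXIT_ERROR}
	fi

	# Save everything; a failed write must not be reported as success
	if ! ipsec_connection_write_config_key "${connection}" "POOLS" ${POOLS}; then
		log ERROR "Could not write configuration settings"
		return ${EXIT_ERROR}
	fi

	return ${EXIT_OK}
}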
# Dispatches the "remote" sub-commands of a connection (id, prefix).
ipsec_connection_remote() {
	[ $# -ge 2 ] || {
		log ERROR "Not enough arguments"
		return ${EXIT_ERROR}
	}

	local connection="${1}"
	local subcommand="${2}"
	shift 2

	case "${subcommand}" in
		id)
			ipsec_connection_id "${connection}" "REMOTE" "$@"
			;;
		prefix)
			ipsec_connection_prefix "${connection}" "REMOTE" "$@"
			;;
		*)
			log ERROR "Unrecognized argument: ${subcommand}"
			return ${EXIT_ERROR}
			;;
	esac

	return ${EXIT_OK}
}
# Sets the inactivity timeout of a connection. Accepts a plain integer or
# any time expression parse_time understands; the result must be greater
# than zero.
ipsec_connection_inactivity_timeout() {
	[ $# -ge 2 ] || {
		log ERROR "Not enough arguments"
		return ${EXIT_ERROR}
	}

	local connection="${1}"
	shift

	local value="$@"

	# Non-integer input is handed to parse_time as separate words
	if ! isinteger value; then
		if ! value="$(parse_time "$@")"; then
			log ERROR "Parsing the passed time was not sucessful please check the passed values."
			return ${EXIT_ERROR}
		fi
	fi

	if [ ${value} -le 0 ]; then
		log ERROR "The passed time value must be in the sum greater zero seconds."
		return ${EXIT_ERROR}
	fi

	ipsec_connection_write_config_key "${connection}" "INACTIVITY_TIMEOUT" ${value} || {
		log ERROR "Could not write configuration settings"
		return ${EXIT_ERROR}
	}

	return ${EXIT_OK}
}
# Sets the start action of a connection ("on-demand" or "always-on").
ipsec_connection_start_action() {
	[ $# -eq 2 ] || {
		log ERROR "Not enough arguments"
		return ${EXIT_ERROR}
	}

	local connection="${1}"
	local action="${2}"

	# isoneof takes the variable name, hence no "$"
	isoneof action "on-demand" "always-on" || {
		log ERROR "Start action '${action}' is invalid"
		return ${EXIT_ERROR}
	}

	ipsec_connection_write_config_key "${connection}" "START_ACTION" ${action} || {
		log ERROR "Could not write configuration settings"
		return ${EXIT_ERROR}
	}
}
# Sets the VPN security policy of a connection; the policy must exist.
ipsec_connection_security_policy() {
	[ $# -eq 2 ] || {
		log ERROR "Not enough arguments"
		return ${EXIT_ERROR}
	}

	local connection="${1}"
	local security_policy="${2}"

	vpn_security_policy_exists ${security_policy} || {
		log ERROR "No such vpn security policy '${security_policy}'"
		return ${EXIT_ERROR}
	}

	ipsec_connection_write_config_key "${connection}" "SECURITY_POLICY" ${security_policy} || {
		log ERROR "Could not write configuration settings"
		return ${EXIT_ERROR}
	}
}
# Checks whether an IKE identity is acceptable: either "@" followed by an
# alphanumeric name, or a valid IP address.
# Returns: EXIT_TRUE when acceptable, EXIT_FALSE otherwise
ipsec_connection_check_id() {
	assert [ $# -eq 1 ]
	local id="${1}"

	if [[ ${id} =~ ^@[[:alnum:]]+$ ]]; then
		return ${EXIT_TRUE}
	fi

	if ip_is_valid ${id}; then
		return ${EXIT_TRUE}
	fi

	return ${EXIT_FALSE}
}
# Checks whether a peer is acceptable: an IP address or a valid FQDN.
# Returns: EXIT_TRUE when acceptable, EXIT_FALSE otherwise
ipsec_connection_check_peer() {
	assert [ $# -eq 1 ]
	local peer="${1}"

	# IP addresses and FQDNs are accepted, nothing else
	if ip_is_valid ${peer} || fqdn_is_valid "${peer}"; then
		return ${EXIT_TRUE}
	fi

	return ${EXIT_FALSE}
}
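# Checks whether a VPN IPsec connection name contains characters outside
# A-Za-z0-9. Note the inverted sense: returns true (0) when the name is
# INVALID, which is how ipsec_connection_new uses it.
ipsec_connection_check_name() {
	assert [ $# -eq 1 ]

	local connection="${1}"

	# The name is used in file system paths (settings directory, swanctl
	# config file name), so only alphanumerics may pass. The bracket
	# expression must contain nothing but the class: a literal "$" inside
	# it would make that character acceptable.
	[[ "${connection}" =~ [^[:alnum:]] ]]
}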
1211# Function that creates one VPN IPsec connection
1212ipsec_connection_new() {
89d71d08 1213 if [ $# -gt 2 ]; then
1214 error "Too many arguments"
1215 return ${EXIT_ERROR}
1216 fi
1217
1218 local connection="${1}"
89d71d08
JS
1219 local type="${2}"
1220
917a1aa0
JS
1221 if ! isset connection; then
1222 error "Please provide a connection name"
1223 return ${EXIT_ERROR}
1224 fi
1225
1226 # Check for duplicates
1227 if ipsec_connection_exists "${connection}"; then
1228 error "The VPN IPsec connection ${connection} already exists"
1229 return ${EXIT_ERROR}
1230 fi
1231
1232 # Check if the name of the connection is valid
1233 if ipsec_connection_check_name "${connection}"; then
1234 error "'${connection}' contains illegal characters"
1235 return ${EXIT_ERROR}
1236 fi
1237
89d71d08
JS
1238 # Set TYPE to default if not set by the user
1239 if ! isset type; then
1240 type="${IPSEC_DEFAULT_TYPE}"
1241 fi
1242
1243 if ! isoneof "type" "net-to-net" "host-to-net"; then
1244 error "Type is invalid"
1245 return ${EXIT_ERROR}
1246 fi
1247
917a1aa0
JS
1248 log DEBUG "Creating VPN IPsec connection ${connection}"
1249
cf8685a1 1250 if ! mkdir -p "${NETWORK_IPSEC_CONNS_DIR}/${connection}"; then
917a1aa0
JS
1251 log ERROR "Could not create config directory for ${connection}"
1252 return ${EXIT_ERROR}
1253 fi
1254
1255 local ${IPSEC_CONNECTION_CONFIG_SETTINGS}
1256
917a1aa0 1257 AUTH_MODE=${IPSEC_DEFAULT_AUTH_MODE}
bb9fccaf
JS
1258 DPD_ACTION=${IPSEC_DEFAULT_DPD_ACTION}
1259 DPD_DELAY=${IPSEC_DEFAULT_DPD_DELAY}
1260 DPD_TIMEOUT=${IPSEC_DEFAULT_DPD_TIMEOUT}
5601f4f5 1261 ENABLED=${IPSEC_DEFAULT_ENABLED}
bb9fccaf
JS
1262 MODE=${IPSEC_DEFAULT_MODE}
1263 START_ACTION=${IPSEC_DEFAULT_START_ACTION}
89d71d08 1264 TYPE="${type}"
bb9fccaf 1265
917a1aa0
JS
1266 INACTIVITY_TIMEOUT=${IPSEC_DEFAULT_INACTIVITY_TIMEOUT}
1267 SECURITY_POLICY=${IPSEC_DEFAULT_SECURITY_POLICY}
1268
1269 if ! ipsec_connection_write_config "${connection}"; then
1270 log ERROR "Could not write new config file"
1271 return ${EXIT_ERROR}
1272 fi
c3f31173
MT
1273
1274 # Configure strongswan autostart
1275 ipsec_strongswan_autostart
917a1aa0
JS
1276}
1277
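# Function that deletes one or more VPN IPsec connections
#
# Arguments: one or more connection names
# Globals:   NETWORK_IPSEC_SWANCTL_CONNECTIONS_DIR, NETWORK_IPSEC_CONNS_DIR
# Returns:   EXIT_ERROR as soon as one connection directory could not be
#            removed; unknown names are logged and skipped
#
# NOTE(review): nothing here reloads swanctl or terminates a running IKE SA
# for the deleted connection - confirm a caller takes care of that.
ipsec_connection_destroy() {
	local connection
	for connection in "$@"; do
		if ! ipsec_connection_exists "${connection}"; then
			log ERROR "The VPN IPsec connection ${connection} does not exist."
			continue
		fi

		log DEBUG "Deleting VPN IPsec connection ${connection}"

		# Delete strongswan configuration file
		file_delete "${NETWORK_IPSEC_SWANCTL_CONNECTIONS_DIR}/${connection}.conf"

		# ":?" makes an unset base directory or an empty name abort the
		# expansion instead of turning this into "rm -rf /<name>" or
		# "rm -rf <dir>/"; "--" keeps a leading "-" from being read as an option
		if ! rm -rf -- "${NETWORK_IPSEC_CONNS_DIR:?}/${connection:?}"; then
			log ERROR "Deleting the VPN IPsec connection ${connection} was not sucessful"
			return ${EXIT_ERROR}
		fi
	done
}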
1299
# List all ipsec connections
#
# Outputs: whatever list_directory prints for NETWORK_IPSEC_CONNS_DIR
#          (the per-connection directory names)
ipsec_list_connections() {
	local conns_dir="${NETWORK_IPSEC_CONNS_DIR}"

	list_directory "${conns_dir}"
}
1304
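# Generate the swanctl configuration file for one connection
#
# Arguments: $1 - name of the connection
# Globals:   NETWORK_IPSEC_SWANCTL_CONNECTIONS_DIR (output directory),
#            IPSEC_CONNECTION_CONFIG_SETTINGS
# Outputs:   writes <NETWORK_IPSEC_SWANCTL_CONNECTIONS_DIR>/<connection>.conf
# Returns:   EXIT_ERROR when the connection config could not be read or the
#            configuration could not be generated completely
ipsec_connection_to_strongswan() {
	local connection="${1}"
	log DEBUG "Generating IPsec configuration for ${connection}"

	# Read the config settings
	local ${IPSEC_CONNECTION_CONFIG_SETTINGS}
	if ! ipsec_connection_read_config "${connection}"; then
		error "Could not read the connection ${connection}"
		return ${EXIT_ERROR}
	fi

	local path="${NETWORK_IPSEC_SWANCTL_CONNECTIONS_DIR}/${connection}.conf"

	# Generate into a temporary file first. Redirecting the subshell straight
	# into ${path} truncated any previous file immediately, and a failure in
	# the connection section (e.g. an unreadable security policy) left a
	# partial file behind and went unreported, because only the exit status
	# of the last command in the subshell survived.
	local tmp
	tmp="$(mktemp "${path}.XXXXXX")" || {
		log ERROR "Could not create temporary file for ${connection}"
		return ${EXIT_ERROR}
	}

	if ! (
		# Write the connection section; abort the subshell on failure so the
		# error propagates to the check below
		_ipsec_connection_to_strongswan_connection "${connection}" || exit ${EXIT_ERROR}

		# Write the secrets section
		_ipsec_connection_to_strongswan_secrets "${connection}"
	) > "${tmp}"; then
		log ERROR "Could not generate strongSwan configuration for ${connection}"
		rm -f -- "${tmp}"
		return ${EXIT_ERROR}
	fi

	# NOTE(review): the file carries the PSK in clear text. mktemp creates it
	# mode 0600 for the invoking user, which is tighter than the umask-based
	# mode the plain redirect produced; confirm charon runs with sufficient
	# privilege to read it (it is expected to run as root).
	if ! mv -f -- "${tmp}" "${path}"; then
		log ERROR "Could not install strongSwan configuration for ${connection}"
		rm -f -- "${tmp}"
		return ${EXIT_ERROR}
	fi
}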
1327
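# Write the "connections" section of the swanctl configuration to stdout
#
# Expects the connection settings (IPSEC_CONNECTION_CONFIG_SETTINGS) to be
# present as variables in the caller's scope. Reads the referenced security
# policy itself and, when ZONE is set, the zone's MARK and MODE settings.
#
# Arguments: $1 - name of the connection
# Outputs:   the swanctl "connections { ... }" block on stdout
# Returns:   EXIT_ERROR when the security policy or the zone settings
#            cannot be read
_ipsec_connection_to_strongswan_connection() {
	local connection="${1}"

	# Read the security policy
	# (KEY_EXCHANGE, LIFETIME and COMPRESSION used below presumably come from
	# VPN_SECURITY_POLICIES_CONFIG_SETTINGS - confirm)
	local ${VPN_SECURITY_POLICIES_CONFIG_SETTINGS}
	if ! vpn_security_policies_read_config "${SECURITY_POLICY}"; then
		return ${EXIT_ERROR}
	fi

	# Is DPD enabled? Only a positive integer delay switches it on.
	local dpd="false"
	if isset DPD_DELAY && isinteger DPD_DELAY && [ ${DPD_DELAY} -gt 0 ]; then
		dpd="true"
	fi

	local zone_mode

	# Are we connected to a zone?
	if isset ZONE; then
		# Store MODE: zone_settings_read is expected to overwrite it with
		# the zone's own MODE
		local mode="${MODE}"

		if ! zone_settings_read "${ZONE}" MARK MODE; then
			# Previously logged "${zone}", which is never set in this
			# function and produced an empty name
			log ERROR "Could not read zone settings from ${ZONE}"
			return ${EXIT_ERROR}
		fi

		# Keep the zone's mode apart from the connection's IPsec mode
		zone_mode="${MODE}"
		MODE="${mode}"
	fi

	# Write configuration header
	config_header "strongSwan configuration for ${connection}"

	print_indent 0 "connections {"
	print_indent 1 "${connection} {"

	# IKE Version
	print_indent 2 "# IKE Version"
	case "${KEY_EXCHANGE^^}" in
		IKEV1)
			print_indent 2 "version = 1"
			;;

		# Fall back to IKEv2 for any random values
		IKEV2|*)
			print_indent 2 "version = 2"
			;;
	esac
	print # empty line

	# Always only keep one connection open at a time
	print_indent 2 "# Unique IDs"
	print_indent 2 "unique = replace"
	print

	# Local Address
	print_indent 2 "# Local Address"
	if isset LOCAL_ADDRESS; then
		print_indent 2 "local_addrs = ${LOCAL_ADDRESS}"
	else
		print_indent 2 "local_addrs = %any"
	fi
	print

	# Remote Address
	print_indent 2 "# Remote Address"
	if isset PEER; then
		print_indent 2 "remote_addrs = ${PEER}"
	else
		print_indent 2 "remote_addrs = %any"
	fi
	print

	# IKE Proposals
	print_indent 2 "# IKE Proposals"
	print_indent 2 "proposals = $(vpn_security_policies_make_ike_proposal ${SECURITY_POLICY})"
	print

	# DPD Settings
	if enabled dpd; then
		print_indent 2 "# Dead Peer Detection"
		print_indent 2 "dpd_delay = ${DPD_DELAY}"

		if isset DPD_TIMEOUT; then
			print_indent 2 "dpd_timeout = ${DPD_TIMEOUT}"
		fi

		print
	fi

	# Fragmentation
	print_indent 2 "# Fragmentation"
	print_indent 2 "fragmentation = yes"
	print


	# Host-to-Net specific settings
	case "${TYPE}" in
		host-to-net)
			# Pools
			if isset POOLS; then
				print_indent 2 "# Pools"
				print_indent 2 "pools = $(list_join POOLS ", ")"
				print
			fi
			;;
	esac

	# Local
	print_indent 2 "local {"

	# Local ID
	if isset LOCAL_ID; then
		print_indent 3 "id = ${LOCAL_ID}"
	fi

	# Authentication
	case "${AUTH_MODE}" in
		PSK)
			print_indent 3 "auth = psk"
			;;
	esac

	print_indent 2 "}"
	print

	# Remote
	print_indent 2 "remote {"

	# Remote ID
	if isset REMOTE_ID; then
		print_indent 3 "id = ${REMOTE_ID}"
	fi

	# Authentication
	case "${AUTH_MODE}" in
		PSK)
			print_indent 3 "auth = psk"
			;;
	esac

	print_indent 2 "}"
	print

	# Children

	print_indent 2 "children {"
	print_indent 3 "${connection} {"

	print_indent 4 "# ESP Proposals"
	print_indent 4 "esp_proposals = $(vpn_security_policies_make_esp_proposal ${SECURITY_POLICY})"
	print

	# Traffic Selectors
	case "${MODE},${zone_mode}" in
		# GRE zone: only the GRE traffic between the two endpoints is selected
		*,gre)
			print_indent 4 "local_ts = dynamic[gre]"
			print_indent 4 "remote_ts = dynamic[gre]"
			;;
		*)
			# Local Prefixes
			if isset LOCAL_PREFIX; then
				print_indent 4 "local_ts = $(list_join LOCAL_PREFIX ,)"
			elif isset ZONE; then
				# Zone without explicit prefixes: select all traffic
				print_indent 4 "local_ts = ::/0, 0.0.0.0/0"
			else
				print_indent 4 "local_ts = dynamic"
			fi

			# Remote Prefixes
			if isset REMOTE_PREFIX; then
				print_indent 4 "remote_ts = $(list_join REMOTE_PREFIX ,)"
			elif isset ZONE; then
				print_indent 4 "remote_ts = ::/0, 0.0.0.0/0"
			else
				print_indent 4 "remote_ts = dynamic"
			fi
			;;
	esac
	print

	# Netfilter Marks
	case "${zone_mode}" in
		vti)
			# MARK is supplied by zone_settings_read above
			assert isset MARK

			print_indent 4 "# Netfilter Marks"
			print_indent 4 "mark_in = ${MARK}"
			print_indent 4 "mark_out = ${MARK}"
			print
			;;
	esac

	# Dead Peer Detection
	if enabled dpd; then
		print_indent 4 "# Dead Peer Detection"
		print_indent 4 "dpd_action = ${DPD_ACTION}"
		print
	fi

	# Rekeying
	if isset LIFETIME; then
		print_indent 4 "# Rekey Time"
		print_indent 4 "rekey_time = ${LIFETIME}"
		print
	fi

	# Updown Script
	print_indent 4 "updown = ${NETWORK_HELPERS_DIR}/ipsec-updown"
	print

	# Mode
	print_indent 4 "# Mode"
	case "${MODE}" in
		transport)
			print_indent 4 "mode = transport"
			;;
		tunnel)
			print_indent 4 "mode = tunnel"
			;;
		*)
			# Previously logged "${mode}", which is only set on the ZONE
			# path; MODE is the connection's configured mode in all cases
			log WARNING "Unsupported IPsec mode: ${MODE}"
			;;
	esac
	print

	# Compression
	print_indent 4 "# Compression"
	if enabled COMPRESSION; then
		print_indent 4 "ipcomp = yes"
	else
		print_indent 4 "ipcomp = no"
	fi
	print

	# Inactivity Timeout
	if isset INACTIVITY_TIMEOUT; then
		print_indent 4 "# Inactivity Timeout"
		print_indent 4 "inactivity = ${INACTIVITY_TIMEOUT}"
		print
	fi

	# Net-to-Net specific settings
	case "${TYPE}" in
		net-to-net)
			# Start Action
			print_indent 4 "# Start Action"
			case "${START_ACTION}" in
				on-demand)
					print_indent 4 "start_action = trap"
					print_indent 4 "close_action = trap"
					;;
				wait)
					print_indent 4 "start_action = none"
					print_indent 4 "close_action = none"
					;;
				# Unknown values fall back to always-on
				always-on|*)
					print_indent 4 "start_action = start"
					print_indent 4 "close_action = start"
					;;
			esac
			print
			;;
	esac

	print_indent 3 "}"
	print_indent 2 "}"
	print

	print_indent 1 "}"
	print_indent 0 "}"
	print
}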
1602
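# Write the "secrets" section of the swanctl configuration to stdout
#
# Expects AUTH_MODE, PSK and REMOTE_ID from the caller's scope.
#
# Arguments: $1 - name of the connection (used in diagnostics only)
# Outputs:   the swanctl "secrets { ... }" block on stdout; the PSK is
#            written in clear text, so the destination must not be
#            readable by other users
# Returns:   EXIT_ERROR when AUTH_MODE is PSK but no PSK is configured
_ipsec_connection_to_strongswan_secrets() {
	local connection="${1}"

	# Previously an unset PSK silently produced "secret = " with an empty
	# value; refuse to emit a secrets block without an actual secret
	case "${AUTH_MODE}" in
		PSK)
			if ! isset PSK; then
				log ERROR "No PSK configured for ${connection}"
				return ${EXIT_ERROR}
			fi
			;;
	esac

	print_indent 0 "secrets {"

	case "${AUTH_MODE}" in
		PSK)
			print_indent 1 "ike {"

			# Secret
			print_indent 2 "secret = ${PSK}"

			# ID - only the remote ID is attached to the secret, so the
			# entry is selected by the peer's identity
			if isset REMOTE_ID; then
				print_indent 2 "id = ${REMOTE_ID}"
			fi

			print_indent 1 "}"
			;;
	esac

	print_indent 0 "}"
}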