[people/ms/network.git] / src / helpers / ipsec-updown

#!/bin/bash
###############################################################################
#                                                                             #
# IPFire.org - A linux based firewall                                         #
# Copyright (C) 2017  IPFire Network Development Team                         #
#                                                                             #
# This program is free software: you can redistribute it and/or modify        #
# it under the terms of the GNU General Public License as published by        #
# the Free Software Foundation, either version 3 of the License, or           #
# (at your option) any later version.                                         #
#                                                                             #
# This program is distributed in the hope that it will be useful,             #
# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
# GNU General Public License for more details.                                #
#                                                                             #
# You should have received a copy of the GNU General Public License           #
# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
#                                                                             #
###############################################################################

LOG_DISABLE_STDOUT="true"

. /usr/lib/network/functions

# Read network settings
network_settings_read

# Make sure we are called by strongSwan
assert isset PLUTO_VERSION

if enabled DEBUG; then
	while read line; do
		[[ ${line} =~ ^PLUTO_ ]] || continue
		log DEBUG "  ${line}"
	done <<< "$(printenv | sort)"
fi

CONNECTION="${PLUTO_CONNECTION}"

if ! ipsec_connection_read_config "${CONNECTION}"; then
	log ERROR "Could not read configuration for ${CONNECTION}"
	exit ${EXIT_ERROR}
fi

# Interface name for this IPsec connection
case "${MODE}" in
	gre-*|vti)
		INTERFACE="ipsec-${CONNECTION}"
		;;
esac

log DEBUG "${0} called for ${CONNECTION}: ${PLUTO_VERB}"

case "${PLUTO_VERB}" in
	up-client|up-client-v6|up-host|up-host-v6)
		case "${MODE}" in
			gre-*)
				if ! device_exists "${INTERFACE}"; then
					ip_tunnel_add "${INTERFACE}" \
						--mode="gre" \
						--local-address="${PLUTO_ME}" \
						--remote-address="${PLUTO_PEER}"

					device_set_up "${INTERFACE}"
				fi
				;;
			vti)
				if device_exists "${INTERFACE}"; then
					ip_tunnel_change_keys "${INTERFACE}" \
						--ikey="${PLUTO_MARK_IN%/*}" \
						--okey="${PLUTO_MARK_OUT%/*}"

				else
					if ! ip_tunnel_add "${INTERFACE}" \
						--mode="vti" \
						--local-address="${PLUTO_ME}" \
						--remote-address="${PLUTO_PEER}" \
						--ikey="${PLUTO_MARK_IN%/*}" \
						--okey="${PLUTO_MARK_OUT%/*}"; then
						log ERROR "Could not create VTI device for ${CONNECTION}"
					fi
				fi

				device_set_up "${INTERFACE}"
				;;
		esac

		# Set routes
		if isset INTERFACE; then
			cmd ip route add "${PLUTO_PEER_CLIENT}" \
				dev "${INTERFACE}"
		else
			cmd ip route add "${PLUTO_PEER_CLIENT}" \
				via "${PLUTO_PEER}"
		fi
		;;

	down-client|down-client-v6|down-host|down-host-v6)
		# Remove routes
		cmd ip route del "${PLUTO_PEER_CLIENT}"

		# Remove interfaces
		case "${MODE}" in
			gre-*|vti)
				if device_exists "${INTERFACE}"; then
					device_set_down "${INTERFACE}"

					ip_tunnel_del "${INTERFACE}"
				fi
				;;
		esac
		;;
esac

exit ${EXIT_OK}
Commit	Line	Data
67baa452 MT	1	#!/bin/bash
	2	###############################################################################
	3	# #
	4	# IPFire.org - A linux based firewall #
	5	# Copyright (C) 2017 IPFire Network Development Team #
	6	# #
	7	# This program is free software: you can redistribute it and/or modify #
	8	# it under the terms of the GNU General Public License as published by #
	9	# the Free Software Foundation, either version 3 of the License, or #
	10	# (at your option) any later version. #
	11	# #
	12	# This program is distributed in the hope that it will be useful, #
	13	# but WITHOUT ANY WARRANTY; without even the implied warranty of #
	14	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
	15	# GNU General Public License for more details. #
	16	# #
	17	# You should have received a copy of the GNU General Public License #
	18	# along with this program. If not, see <http://www.gnu.org/licenses/>. #
	19	# #
	20	###############################################################################
	21
	22	LOG_DISABLE_STDOUT="true"
	23
	24	. /usr/lib/network/functions
	25
	26	# Read network settings
	27	network_settings_read
	28
	29	# Make sure we are called by strongSwan
	30	assert isset PLUTO_VERSION
	31
93a9eeb0 JS	32	if enabled DEBUG; then
	33	while read line; do
	34	[[ ${line} =~ ^PLUTO_ ]] \|\| continue
	35	log DEBUG " ${line}"
	36	done <<< "$(printenv \| sort)"
	37	fi
	38
67baa452 MT	39	CONNECTION="${PLUTO_CONNECTION}"
	40
	41	if ! ipsec_connection_read_config "${CONNECTION}"; then
	42	log ERROR "Could not read configuration for ${CONNECTION}"
	43	exit ${EXIT_ERROR}
	44	fi
	45
202aa309 MT	46	# Interface name for this IPsec connection
	47	case "${MODE}" in
	48	gre-*\|vti)
	49	INTERFACE="ipsec-${CONNECTION}"
	50	;;
	51	esac
	52
67baa452 MT	53	log DEBUG "${0} called for ${CONNECTION}: ${PLUTO_VERB}"
	54
	55	case "${PLUTO_VERB}" in
7bb41ec4	56	up-client\|up-client-v6\|up-host\|up-host-v6)
82fac748	57	case "${MODE}" in
95835d23 MT	58	gre-*)
	59	if ! device_exists "${INTERFACE}"; then
	60	ip_tunnel_add "${INTERFACE}" \
	61	--mode="gre" \
b1b6f6c8 MT	62	--local-address="${PLUTO_ME}" \
b1b6f6c8 MT	63	--remote-address="${PLUTO_PEER}"
95835d23 MT	64
	65	device_set_up "${INTERFACE}"
	66	fi
	67	;;
82fac748 MT	68	vti)
	69	if device_exists "${INTERFACE}"; then
	70	ip_tunnel_change_keys "${INTERFACE}" \
	71	--ikey="${PLUTO_MARK_IN%/*}" \
	72	--okey="${PLUTO_MARK_OUT%/*}"
	73
	74	else
	75	if ! ip_tunnel_add "${INTERFACE}" \
	76	--mode="vti" \
	77	--local-address="${PLUTO_ME}" \
	78	--remote-address="${PLUTO_PEER}" \
	79	--ikey="${PLUTO_MARK_IN%/*}" \
	80	--okey="${PLUTO_MARK_OUT%/*}"; then
	81	log ERROR "Could not create VTI device for ${CONNECTION}"
	82	fi
	83	fi
	84
	85	device_set_up "${INTERFACE}"
	86	;;
	87	esac
202aa309 MT	88
	89	# Set routes
	90	if isset INTERFACE; then
	91	cmd ip route add "${PLUTO_PEER_CLIENT}" \
	92	dev "${INTERFACE}"
	93	else
	94	cmd ip route add "${PLUTO_PEER_CLIENT}" \
	95	via "${PLUTO_PEER}"
	96	fi
67baa452 MT	97	;;
67baa452 MT	98
7bb41ec4	99	down-client\|down-client-v6\|down-host\|down-host-v6)
202aa309 MT	100	# Remove routes
	101	cmd ip route del "${PLUTO_PEER_CLIENT}"
	102
	103	# Remove interfaces
82fac748	104	case "${MODE}" in
b1b6f6c8	105	gre-*\|vti)
82fac748 MT	106	if device_exists "${INTERFACE}"; then
	107	device_set_down "${INTERFACE}"
	108
	109	ip_tunnel_del "${INTERFACE}"
	110	fi
	111	;;
	112	esac
67baa452 MT	113	;;
	114	esac
	115
	116	exit ${EXIT_OK}