2 ###############################################################################
4 # IPFire.org - A linux based firewall #
5 # Copyright (C) 2017 IPFire Network Development Team #
7 # This program is free software: you can redistribute it and/or modify #
8 # it under the terms of the GNU General Public License as published by #
9 # the Free Software Foundation, either version 3 of the License, or #
10 # (at your option) any later version. #
12 # This program is distributed in the hope that it will be useful, #
13 # but WITHOUT ANY WARRANTY; without even the implied warranty of #
14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
15 # GNU General Public License for more details. #
17 # You should have received a copy of the GNU General Public License #
18 # along with this program. If not, see <http://www.gnu.org/licenses/>. #
20 ###############################################################################
22 LOG_DISABLE_STDOUT
="true"
24 .
/usr
/lib
/network
/functions
26 # Read network settings
29 # Make sure we are called by strongSwan
30 assert isset PLUTO_VERSION
32 if enabled DEBUG
; then
34 [[ ${line} =~ ^PLUTO_
]] ||
continue
36 done <<< "$(printenv | sort)"
39 CONNECTION
="${PLUTO_CONNECTION}"
41 if ! ipsec_connection_read_config
"${CONNECTION}"; then
42 log ERROR
"Could not read configuration for ${CONNECTION}"
46 # Interface name for this IPsec connection
49 INTERFACE
="ipsec-${CONNECTION}"
53 log DEBUG
"${0} called for ${CONNECTION}: ${PLUTO_VERB}"
55 case "${PLUTO_VERB}" in
56 up-client|up-client-v6|up-host|up-host-v6
)
59 if ! device_exists
"${INTERFACE}"; then
60 ip_tunnel_add
"${INTERFACE}" \
62 --local-address="${PLUTO_ME}" \
63 --remote-address="${PLUTO_PEER}"
65 device_set_up
"${INTERFACE}"
69 if device_exists
"${INTERFACE}"; then
70 ip_tunnel_change_keys
"${INTERFACE}" \
71 --ikey="${PLUTO_MARK_IN%/*}" \
72 --okey="${PLUTO_MARK_OUT%/*}"
75 if ! ip_tunnel_add
"${INTERFACE}" \
77 --local-address="${PLUTO_ME}" \
78 --remote-address="${PLUTO_PEER}" \
79 --ikey="${PLUTO_MARK_IN%/*}" \
80 --okey="${PLUTO_MARK_OUT%/*}"; then
81 log ERROR
"Could not create VTI device for ${CONNECTION}"
85 device_set_up
"${INTERFACE}"
89 # Get the source IP for routes
90 SRC_IP
=($
(ip_get_assigned_addresses_from_net \
91 "${PLUTO_MY_CLIENT}" "permanent"))
93 # Set routes if we have a source IP.
94 # If not, the machine does not have a leg on the net
95 # and we can go on without routes.
97 # We take the lowest source IP we found,
98 # which is ugly because the value is unpredictable.
101 if isset INTERFACE
; then
102 if ! cmd ip route add \
103 "${PLUTO_PEER_CLIENT}" \
105 src
"${SRC_IP}"; then
107 "Could not set routes for ${PLUTO_PEER_CLIENT}"
110 # Get the device which we use to peer with the other site.
111 ME_DEVICE
="$(device_get_by_assigned_ip_address "${PLUTO_ME}")"
113 # We can only go on if we found a device.
114 if isset ME_DEVICE
; then
115 if ! cmd ip route add \
116 "${PLUTO_PEER_CLIENT}" \
122 "Could not set routes for ${PLUTO_PEER_CLIENT}"
125 log ERROR
"Could not get device for ${PLUTO_ME}"
131 down-client|down-client-v6|down-host|down-host-v6
)
133 cmd ip route del
"${PLUTO_PEER_CLIENT}"
138 if device_exists
"${INTERFACE}"; then
139 device_set_down
"${INTERFACE}"
141 ip_tunnel_del
"${INTERFACE}"