src/helpers/ipsec-updown

   1 #!/bin/bash
   2 ###############################################################################
   3 #                                                                             #
   4 # IPFire.org - A linux based firewall                                         #
   5 # Copyright (C) 2017  IPFire Network Development Team                         #
   6 #                                                                             #
   7 # This program is free software: you can redistribute it and/or modify        #
   8 # it under the terms of the GNU General Public License as published by        #
   9 # the Free Software Foundation, either version 3 of the License, or           #
  10 # (at your option) any later version.                                         #
  11 #                                                                             #
  12 # This program is distributed in the hope that it will be useful,             #
  13 # but WITHOUT ANY WARRANTY; without even the implied warranty of              #
  14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
  15 # GNU General Public License for more details.                                #
  16 #                                                                             #
  17 # You should have received a copy of the GNU General Public License           #
  18 # along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
  19 #                                                                             #
  20 ###############################################################################
  21
  22 LOG_DISABLE_STDOUT="true"
  23
  24 . /usr/lib/network/functions
  25
  26 # Read network settings
  27 network_settings_read
  28
  29 # Make sure we are called by strongSwan
  30 assert isset PLUTO_VERSION
  31
  32 if enabled DEBUG; then
  33         while read line; do
  34                 [[ ${line} =~ ^PLUTO_ ]] || continue
  35                 log DEBUG "  ${line}"
  36         done <<< "$(printenv | sort)"
  37 fi
  38
  39 CONNECTION="${PLUTO_CONNECTION}"
  40
  41 if ! ipsec_connection_read_config "${CONNECTION}"; then
  42         log ERROR "Could not read configuration for ${CONNECTION}"
  43         exit ${EXIT_ERROR}
  44 fi
  45
  46 # Interface name for this IPsec connection
  47 case "${MODE}" in
  48         gre-*|vti)
  49                 INTERFACE="ipsec-${CONNECTION}"
  50                 ;;
  51 esac
  52
  53 log DEBUG "${0} called for ${CONNECTION}: ${PLUTO_VERB}"
  54
  55 case "${PLUTO_VERB}" in
  56         up-client|up-client-v6|up-host|up-host-v6)
  57                 case "${MODE}" in
  58                         gre-*)
  59                                 if ! device_exists "${INTERFACE}"; then
  60                                         ip_tunnel_add "${INTERFACE}" \
  61                                                 --mode="gre" \
  62                                                 --local-address="${PLUTO_ME}" \
  63                                                 --remote-address="${PLUTO_PEER}"
  64
  65                                         device_set_up "${INTERFACE}"
  66                                 fi
  67                                 ;;
  68                         vti)
  69                                 if device_exists "${INTERFACE}"; then
  70                                         ip_tunnel_change_keys "${INTERFACE}" \
  71                                                 --ikey="${PLUTO_MARK_IN%/*}" \
  72                                                 --okey="${PLUTO_MARK_OUT%/*}"
  73
  74                                 else
  75                                         if ! ip_tunnel_add "${INTERFACE}" \
  76                                                 --mode="vti" \
  77                                                 --local-address="${PLUTO_ME}" \
  78                                                 --remote-address="${PLUTO_PEER}" \
  79                                                 --ikey="${PLUTO_MARK_IN%/*}" \
  80                                                 --okey="${PLUTO_MARK_OUT%/*}"; then
  81                                                 log ERROR "Could not create VTI device for ${CONNECTION}"
  82                                         fi
  83                                 fi
  84
  85                                 device_set_up "${INTERFACE}"
  86                                 ;;
  87                 esac
  88
  89                 #Get sources IP for routes
  90                 SRC_IP=($(ip_get_assigned_addresses_from_net \
  91                         "${PLUTO_MY_CLIENT}" "permanent"))
  92
  93                 # Set routes if we have a source IP.
  94                 # If not the machine does not has a leg on the net
  95                 # and we can go on without routes.
  96                 if isset SRC_IP; then
  97                         # We take the lowest source IP we found,
  98                         # which is ugly because the value is unpredictable.
  99                         SRC_IP=${SRC_IP[0]}
 100
 101                         if isset INTERFACE; then
 102                                 if ! cmd ip route add \
 103                                         "${PLUTO_PEER_CLIENT}" \
 104                                         dev "${INTERFACE}" \
 105                                         src "${SRC_IP}"; then
 106                                                 log ERROR \
 107                                                         "Could not set routes for ${PLUTO_PEER_CLIENT}"
 108                                 fi
 109                         else
 110                                 # Get the device which we use to peer with the other site.
 111                                 ME_DEVICE="$(device_get_by_assigned_ip_address "${PLUTO_ME}")"
 112
 113                                 # We can only go on if we found a device.
 114                                 if isset ME_DEVICE; then
 115                                         if ! cmd ip route add \
 116                                                 "${PLUTO_PEER_CLIENT}" \
 117                                                 dev "${ME_DEVICE}" \
 118                                                 proto static \
 119                                                 src "${SRC_IP}" \
 120                                                 table 220; then
 121                                                         log ERROR \
 122                                                                 "Could not set routes for ${PLUTO_PEER_CLIENT}"
 123                                         fi
 124                                 else
 125                                         log ERROR "Could not get device for ${PLUTO_ME}"
 126                                 fi
 127                         fi
 128                 fi
 129                 ;;
 130
 131         down-client|down-client-v6|down-host|down-host-v6)
 132                 # Remove routes
 133                 cmd ip route del "${PLUTO_PEER_CLIENT}"
 134
 135                 # Remove interfaces
 136                 case "${MODE}" in
 137                         gre-*|vti)
 138                                 if device_exists "${INTERFACE}"; then
 139                                         device_set_down "${INTERFACE}"
 140
 141                                         ip_tunnel_del "${INTERFACE}"
 142                                 fi
 143                                 ;;
 144                 esac
 145                 ;;
 146 esac
 147
 148 exit ${EXIT_OK}