1 | #!/bin/bash |
2 | ############################################################################### | |
3 | # # | |
4 | # IPFire.org - A linux based firewall # | |
5 | # Copyright (C) 2017 IPFire Network Development Team # | |
6 | # # | |
7 | # This program is free software: you can redistribute it and/or modify # | |
8 | # it under the terms of the GNU General Public License as published by # | |
9 | # the Free Software Foundation, either version 3 of the License, or # | |
10 | # (at your option) any later version. # | |
11 | # # | |
12 | # This program is distributed in the hope that it will be useful, # | |
13 | # but WITHOUT ANY WARRANTY; without even the implied warranty of # | |
14 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # | |
15 | # GNU General Public License for more details. # | |
16 | # # | |
17 | # You should have received a copy of the GNU General Public License # | |
18 | # along with this program. If not, see <http://www.gnu.org/licenses/>. # | |
19 | # # | |
20 | ############################################################################### | |
21 | ||
# Settings that make up a VPN IPsec connection configuration file. The list is
# handed to settings_read/settings_write and to "local ${...}" in the functions
# below, so every entry must be a valid shell variable name.
IPSEC_CONNECTION_CONFIG_SETTINGS="\
AUTH_MODE INACTIVITY_TIMEOUT LOCAL_ID LOCAL_PREFIX \
MODE PEER PSK \
REMOTE_ID REMOTE_PREFIX \
SECURITY_POLICY"

# Default values used by ipsec_connection_new
IPSEC_DEFAULT_MODE="tunnel"
IPSEC_DEFAULT_AUTH_MODE="PSK"
IPSEC_DEFAULT_INACTIVITY_TIMEOUT="0"
IPSEC_DEFAULT_SECURITY_POLICY="system"

# Values accepted by ipsec_connection_mode and
# ipsec_connection_authentication_mode
IPSEC_VALID_MODES="gre-transport tunnel vti"
IPSEC_VALID_AUTH_MODES="PSK"

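# Entry point for "network ipsec ...": dispatches to the sub-command handler.
#   $1  sub-command (currently only "connection")
#   $@  remaining arguments, passed through unchanged
# Exits with EXIT_ERROR on an unknown sub-command.
cli_ipsec() {
	local action="${1}"
	shift 1

	case "${action}" in
		connection)
			# "$@" keeps the word boundaries of the remaining arguments
			cli_ipsec_connection "$@"
			;;
		*)
			error "Unrecognized argument: ${action}"
			exit ${EXIT_ERROR}
			;;
	esac
}
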
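# Handles "network ipsec connection ...". When the first argument names an
# existing connection, the second argument selects a per-connection command
# (authentication, local, mode, ...); otherwise the first argument is a
# management action (new, destroy).
#   $1  connection name or action
#   $@  arguments for the selected handler
# Exits with EXIT_ERROR on unknown arguments.
cli_ipsec_connection() {
	# An empty first argument must never be looked up as a connection name:
	# "${NETWORK_IPSEC_CONNS_DIR}/" is a directory and would count as existing
	if [ -n "${1}" ] && ipsec_connection_exists "${1}"; then
		local connection="${1}"
		local key="${2}"
		# CLI words use dashes, handler functions use underscores
		key="${key//-/_}"
		shift 2

		case "${key}" in
			authentication|inactivity_timeout|local|mode|peer|remote|security_policy)
				ipsec_connection_${key} "${connection}" "$@"
				;;
			show)
				cli_ipsec_connection_show "${connection}"
				exit $?
				;;
			*)
				error "Unrecognized argument: ${key}"
				exit ${EXIT_ERROR}
				;;
		esac
	else
		local action="${1}"
		shift

		case "${action}" in
			new)
				ipsec_connection_new "$@"
				;;
			destroy)
				ipsec_connection_destroy "$@"
				;;
			*)
				# No action at all is not worth an error message,
				# only a non-zero exit status
				if [ -n "${action}" ]; then
					error "Unrecognized argument: '${action}'"
				fi
				exit ${EXIT_ERROR}
				;;
		esac
	fi
}
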
# Prints a human readable summary of one VPN IPsec connection.
#   $1  connection name
# The pre-shared key itself is never printed, only whether one is set.
# Returns EXIT_ERROR when the configuration cannot be read, EXIT_OK otherwise.
cli_ipsec_connection_show() {
	local connection="${1}"

	# Load the settings into local variables of the same name
	local ${IPSEC_CONNECTION_CONFIG_SETTINGS}
	if ! ipsec_connection_read_config "${connection}"; then
		error "Could not read the connection configuration"
		return ${EXIT_ERROR}
	fi

	cli_headline 0 "IPsec VPN Connection: ${connection}"
	cli_space

	isset PEER && cli_print_fmt1 1 "Peer" "${PEER}"

	# Fall back to the default policy when none is configured
	cli_print_fmt1 1 "Security Policy" "${SECURITY_POLICY-${IPSEC_DEFAULT_SECURITY_POLICY}}"
	cli_space

	cli_headline 2 "Authentication"
	case "${AUTH_MODE^^}" in
		PSK)
			cli_print_fmt1 2 "Mode" "Pre-Shared-Key"

			# Only reveal whether a key exists, never the key itself
			local psk_status="- is not set -"
			isset PSK && psk_status="****"
			cli_print_fmt1 2 "Pre-Shared-Key" "${psk_status}"
			;;
		X509)
			: # TODO
			;;
	esac
	cli_space

	local side
	for side in LOCAL REMOTE; do
		# "LOCAL" -> "Local", "REMOTE" -> "Remote"
		local title="${side,,}"
		cli_headline 2 "${title^}"

		local id_var="${side}_ID"
		if [ -n "${!id_var}" ]; then
			cli_print_fmt1 2 "ID" "${!id_var}"
		fi

		local prefix_var="${side}_PREFIX"
		if isset ${prefix_var}; then
			cli_headline 3 "Prefix(es)"

			local prefix
			for prefix in ${!prefix_var}; do
				cli_print_fmt1 3 "${prefix}"
			done
		fi

		cli_space
	done

	cli_headline 2 "Misc."

	local mode_name
	case "${MODE}" in
		gre-transport)
			mode_name="GRE Transport"
			;;
		tunnel)
			mode_name="Tunnel"
			;;
		vti)
			mode_name="Virtual Tunnel Interface"
			;;
		*)
			mode_name="- Unknown -"
			;;
	esac
	cli_print_fmt1 2 "Transport Mode" "${mode_name}"

	# A timeout of zero is not shown (the default value is "0")
	if isset INACTIVITY_TIMEOUT && [ ${INACTIVITY_TIMEOUT} -gt 0 ]; then
		cli_print_fmt1 2 "Inactivity Timeout" "$(format_time ${INACTIVITY_TIMEOUT})"
	fi
	cli_space

	return ${EXIT_OK}
}

# Writes the connection settings currently held in the caller-declared
# IPSEC_CONNECTION_CONFIG_SETTINGS variables to the settings file of the
# given connection and triggers a reload.
#   $1  connection name
# Returns EXIT_ERROR when the connection does not exist or the file cannot
# be written; otherwise the status of ipsec_reload.
ipsec_connection_write_config() {
	assert [ $# -ge 1 ]

	local connection="${1}"

	ipsec_connection_exists "${connection}" || {
		log ERROR "No such VPN IPsec connection: ${connection}"
		return ${EXIT_ERROR}
	}

	local path="${NETWORK_IPSEC_CONNS_DIR}/${connection}/settings"

	settings_write "${path}" ${IPSEC_CONNECTION_CONFIG_SETTINGS} || {
		log ERROR "Could not write configuration settings for VPN IPsec connection ${connection}"
		return ${EXIT_ERROR}
	}

	ipsec_reload ${connection}
}

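# Sets one setting of a VPN IPsec connection to a new value and writes the
# configuration back to disk.
#   $1  connection name
#   $2  setting name; must be one of IPSEC_CONNECTION_CONFIG_SETTINGS
#   $@  new value; several words are joined with single spaces (used for
#       the prefix lists)
# Returns EXIT_ERROR when the connection does not exist, the setting is
# unknown, or reading/writing the configuration fails; EXIT_TRUE otherwise.
ipsec_connection_write_config_key() {
	assert [ $# -ge 3 ]

	local connection="${1}"
	local key="${2}"
	shift 2

	local value="$@"

	if ! ipsec_connection_exists "${connection}"; then
		log ERROR "No such VPN ipsec connection: ${connection}"
		return ${EXIT_ERROR}
	fi

	# Only known settings may be written: anything else would end up in a
	# global variable and be silently dropped by settings_write
	if ! isoneof key ${IPSEC_CONNECTION_CONFIG_SETTINGS}; then
		log ERROR "Unknown setting '${key}' for VPN ipsec connection '${connection}'"
		return ${EXIT_ERROR}
	fi

	# Never write the pre-shared key to the log, not even at DEBUG level
	local logged_value="${value}"
	if [ "${key}" = "PSK" ]; then
		logged_value="****"
	fi
	log DEBUG "Set '${key}' to new value '${logged_value}' in VPN ipsec connection '${connection}'"

	local ${IPSEC_CONNECTION_CONFIG_SETTINGS}

	# Read the current settings so that all other keys are preserved
	if ! ipsec_connection_read_config "${connection}"; then
		return ${EXIT_ERROR}
	fi

	# Set the key to a new value
	assign "${key}" "${value}"

	if ! ipsec_connection_write_config "${connection}"; then
		return ${EXIT_ERROR}
	fi

	return ${EXIT_TRUE}
}
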
# Reads settings of a VPN IPsec connection into variables of the same name
# in the caller's scope (the caller declares them with "local").
#   $1  connection name
#   $@  setting names to read; all of IPSEC_CONNECTION_CONFIG_SETTINGS
#       when none are given
# Returns EXIT_ERROR when the connection does not exist or the settings
# file cannot be read.
ipsec_connection_read_config() {
	assert [ $# -ge 1 ]

	local connection="${1}"
	shift 1

	ipsec_connection_exists "${connection}" || {
		log ERROR "No such VPN IPsec connection : ${connection}"
		return ${EXIT_ERROR}
	}

	# Without explicit keys, read everything we know about
	local args
	if [ $# -eq 0 ] && [ -n "${IPSEC_CONNECTION_CONFIG_SETTINGS}" ]; then
		list_append args ${IPSEC_CONNECTION_CONFIG_SETTINGS}
	else
		list_append args $@
	fi

	local path="${NETWORK_IPSEC_CONNS_DIR}/${connection}/settings"

	settings_read "${path}" ${args} || {
		log ERROR "Could not read settings for VPN IPsec connection ${connection}"
		return ${EXIT_ERROR}
	}
}

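# Checks whether a VPN IPsec connection with the given name exists.
#   $1  connection name
# Returns EXIT_TRUE when the connection directory exists, EXIT_FALSE
# otherwise. Empty names and names rejected by ipsec_connection_check_name
# are reported as non-existent, so that a value such as ".." or "a/b" can
# never resolve to a directory outside NETWORK_IPSEC_CONNS_DIR and then be
# treated as a connection by the callers (destroy, write, read).
ipsec_connection_exists() {
	assert [ $# -eq 1 ]

	local connection="${1}"

	# Only plain alphanumeric directory names are connections
	if [ -z "${connection}" ] || ipsec_connection_check_name "${connection}"; then
		return ${EXIT_FALSE}
	fi

	local path="${NETWORK_IPSEC_CONNS_DIR}/${connection}"

	if [ -d "${path}" ]; then
		return ${EXIT_TRUE}
	fi

	return ${EXIT_FALSE}
}
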
# Reloads a connection after its configuration changed.
#   $1  connection name
# Currently a no-op: it always returns EXIT_TRUE.
ipsec_reload() {
	local connection="${1}"

	# Nothing to do yet
	return ${EXIT_TRUE}
}

# Dispatches "... authentication <mode|pre-shared-key> ..." for a connection.
#   $1  connection name
#   $2  sub-command
#   $@  arguments for the sub-command
# Returns EXIT_ERROR on missing or unknown arguments; otherwise the status
# of the sub-command handler.
ipsec_connection_authentication() {
	if [ $# -lt 2 ]; then
		log ERROR "Not enough arguments"
		return ${EXIT_ERROR}
	fi

	local connection="${1}"
	local cmd="${2}"
	shift 2

	local handler
	case "${cmd}" in
		mode)
			handler="ipsec_connection_authentication_mode"
			;;
		pre-shared-key)
			handler="ipsec_connection_authentication_psk"
			;;
		*)
			log ERROR "Unrecognized argument: ${cmd}"
			return ${EXIT_ERROR}
			;;
	esac

	"${handler}" "${connection}" $@
}

# Sets the authentication mode of a connection.
#   $1  connection name
#   $2  mode; must be listed in IPSEC_VALID_AUTH_MODES (compared as given)
#       and is stored upper-cased
# Returns EXIT_ERROR on a wrong argument count, an unknown mode or a write
# failure; zero otherwise.
ipsec_connection_authentication_mode() {
	if [ $# -ne 2 ]; then
		log ERROR "Not enough arguments"
		return ${EXIT_ERROR}
	fi
	local connection="${1}"
	local mode="${2}"

	isoneof mode ${IPSEC_VALID_AUTH_MODES} || {
		log ERROR "Auth mode '${mode}' is invalid"
		return ${EXIT_ERROR}
	}

	ipsec_connection_write_config_key "${connection}" "AUTH_MODE" ${mode^^} || {
		log ERROR "Could not write configuration settings"
		return ${EXIT_ERROR}
	}
}

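# Sets the pre-shared key of a connection.
#   $1  connection name
#   $2  the key; 4 to 128 characters (both bounds inclusive)
# The key arrives on the command line, so it is visible to anything that can
# read the process list or the shell history while the command runs.
# Returns EXIT_ERROR on a wrong argument count, a key of invalid length or a
# write failure; EXIT_OK otherwise.
ipsec_connection_authentication_psk() {
	if [ $# -ne 2 ]; then
		log ERROR "Not enough arguments"
		return ${EXIT_ERROR}
	fi

	local connection="${1}"
	local psk="${2}"

	# ${#psk} counts characters, not bytes
	local length=${#psk}

	# Four characters are accepted; the message has to agree with the check
	if [ ${length} -lt 4 ]; then
		error "The PSK must be at least four characters long"
		return ${EXIT_ERROR}
	fi

	if [ ${length} -gt 128 ]; then
		error "The PSK cannot be longer than 128 characters"
		return ${EXIT_ERROR}
	fi

	if ! ipsec_connection_write_config_key "${connection}" "PSK" "${psk}"; then
		log ERROR "Could not write configuration settings"
		return ${EXIT_ERROR}
	fi

	return ${EXIT_OK}
}
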
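# Dispatches "... local <id|prefix> ..." for a connection.
#   $1  connection name
#   $2  sub-command
#   $@  arguments for the sub-command
# Returns EXIT_ERROR on missing or unknown arguments; otherwise the status of
# the sub-command handler, so that a failed update is not reported as
# success (the handlers log their own errors).
ipsec_connection_local() {
	if [ $# -lt 2 ]; then
		log ERROR "Not enough arguments"
		return ${EXIT_ERROR}
	fi

	local connection="${1}"
	local cmd="${2}"
	shift 2

	case "${cmd}" in
		id)
			ipsec_connection_id "${connection}" "LOCAL" "$@"
			;;
		prefix)
			ipsec_connection_prefix "${connection}" "LOCAL" "$@"
			;;
		*)
			log ERROR "Unrecognized argument: ${cmd}"
			return ${EXIT_ERROR}
			;;
	esac
}
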
# Sets the transport mode of a connection.
#   $1  connection name
#   $2  mode; one of IPSEC_VALID_MODES
# Returns EXIT_ERROR on a wrong argument count, an invalid mode or a write
# failure; EXIT_OK otherwise.
ipsec_connection_mode() {
	[ $# -eq 2 ] || {
		log ERROR "Not enough arguments"
		return ${EXIT_ERROR}
	}
	local connection="${1}"
	local mode="${2}"

	isoneof mode ${IPSEC_VALID_MODES} || {
		log ERROR "Mode '${mode}' is invalid"
		return ${EXIT_ERROR}
	}

	ipsec_connection_write_config_key "${connection}" "MODE" ${mode} || {
		log ERROR "Could not write configuration settings"
		return ${EXIT_ERROR}
	}

	return ${EXIT_OK}
}

# Sets the peer (remote address) of a connection.
#   $1  connection name
#   $2  peer; must pass ipsec_connection_check_peer
# Returns EXIT_ERROR on a wrong argument count, an invalid peer or a write
# failure; EXIT_OK otherwise.
ipsec_connection_peer() {
	[ $# -eq 2 ] || {
		log ERROR "Not enough arguments"
		return ${EXIT_ERROR}
	}
	local connection="${1}"
	local peer="${2}"

	ipsec_connection_check_peer ${peer} || {
		log ERROR "Peer '${peer}' is invalid"
		return ${EXIT_ERROR}
	}

	ipsec_connection_write_config_key "${connection}" "PEER" ${peer} || {
		log ERROR "Could not write configuration settings"
		return ${EXIT_ERROR}
	}

	return ${EXIT_OK}
}

# Sets the local or remote IKE identity of a connection.
#   $1  connection name
#   $2  "LOCAL" or "REMOTE"; selects the setting (LOCAL_ID / REMOTE_ID)
#   $3  the id; must pass ipsec_connection_check_id
# Returns EXIT_ERROR on a wrong argument count, an invalid id or a write
# failure; EXIT_OK otherwise.
ipsec_connection_id() {
	[ $# -eq 3 ] || {
		log ERROR "Not enough arguments"
		return ${EXIT_ERROR}
	}
	local connection="${1}"
	local type="${2}"
	local id="${3}"

	ipsec_connection_check_id ${id} || {
		log ERROR "Id '${id}' is invalid"
		return ${EXIT_ERROR}
	}

	ipsec_connection_write_config_key "${connection}" "${type}_ID" ${id} || {
		log ERROR "Could not write configuration settings"
		return ${EXIT_ERROR}
	}

	return ${EXIT_OK}
}

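# Sets, extends or shrinks the local or remote prefix list of a connection.
#   $1  connection name
#   $2  "LOCAL" or "REMOTE"; selects the setting (LOCAL_PREFIX / REMOTE_PREFIX)
#   $@  prefixes: "+<net>" adds one, "-<net>" removes one, a bare network
#       replaces the whole list; replacing and adding/removing cannot be
#       mixed in one call
# Returns EXIT_ERROR on invalid arguments, an empty resulting list or a
# failed write; EXIT_OK otherwise.
ipsec_connection_prefix() {
	if [ ! $# -ge 3 ]; then
		log ERROR "Not enough arguments"
		return ${EXIT_ERROR}
	fi
	local connection="${1}"
	local type="${2}"
	shift 2

	# Name of the setting we operate on
	local _prefix="${type}_PREFIX"
	local "${_prefix}"
	if ! ipsec_connection_read_config "${connection}" "${_prefix}"; then
		return ${EXIT_ERROR}
	fi

	# Remove duplicated entries to proceed the list safely
	assign "${_prefix}" "$(list_unique ${!_prefix} )"

	local prefixes_added
	local prefixes_removed
	local prefixes_set

	while [ $# -gt 0 ]; do
		local arg="${1}"

		case "${arg}" in
			+*)
				list_append prefixes_added "${arg:1}"
				;;
			-*)
				list_append prefixes_removed "${arg:1}"
				;;
			# Anything starting with a hex digit is taken as a network that
			# replaces the current list; it is validated further down
			[A-Fa-f0-9]*)
				list_append prefixes_set "${arg}"
				;;
			*)
				error "Invalid argument: ${arg}"
				return ${EXIT_ERROR}
				;;
		esac
		shift
	done

	# Check if the user is trying a mixed operation
	if ! list_is_empty prefixes_set && (! list_is_empty prefixes_added || ! list_is_empty prefixes_removed); then
		error "You cannot reset the prefix list and add or remove prefixes at the same time"
		return ${EXIT_ERROR}
	fi

	# Set new prefix list
	if ! list_is_empty prefixes_set; then
		# Check if all prefixes are valid
		local prefix
		for prefix in ${prefixes_set}; do
			if ! ip_net_is_valid ${prefix}; then
				error "Unsupported prefix: ${prefix}"
				return ${EXIT_ERROR}
			fi
		done

		assign "${_prefix}" "${prefixes_set}"

	# Perform incremental updates
	else
		local prefix

		# Perform all removals
		for prefix in ${prefixes_removed}; do
			if ! list_remove "${_prefix}" ${prefix}; then
				warning "${prefix} was not on the list and could not be removed"
			fi
		done

		# Then all additions; invalid networks only produce a warning
		for prefix in ${prefixes_added}; do
			if ip_net_is_valid ${prefix}; then
				if ! list_append_unique "${_prefix}" ${prefix}; then
					warning "${prefix} is already on the prefix list"
				fi
			else
				warning "${prefix} is not a valid IP network and could not be added"
			fi
		done
	fi

	# Check if the list contains at least one valid prefix
	if list_is_empty ${_prefix}; then
		error "Cannot save an empty prefix list"
		return ${EXIT_ERROR}
	fi

	# Save everything; a failed write must not be reported as success
	if ! ipsec_connection_write_config_key "${connection}" "${_prefix}" ${!_prefix}; then
		log ERROR "Could not write configuration settings"
		return ${EXIT_ERROR}
	fi

	return ${EXIT_OK}
}
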
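# Dispatches "... remote <id|prefix> ..." for a connection.
#   $1  connection name
#   $2  sub-command
#   $@  arguments for the sub-command
# Returns EXIT_ERROR on missing or unknown arguments; otherwise the status of
# the sub-command handler, so that a failed update is not reported as
# success (the handlers log their own errors).
ipsec_connection_remote() {
	if [ $# -lt 2 ]; then
		log ERROR "Not enough arguments"
		return ${EXIT_ERROR}
	fi

	local connection="${1}"
	local cmd="${2}"
	shift 2

	case "${cmd}" in
		id)
			ipsec_connection_id "${connection}" "REMOTE" "$@"
			;;
		prefix)
			ipsec_connection_prefix "${connection}" "REMOTE" "$@"
			;;
		*)
			log ERROR "Unrecognized argument: ${cmd}"
			return ${EXIT_ERROR}
			;;
	esac
}
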
# Sets the inactivity timeout of a connection.
#   $1  connection name
#   $@  timeout, either a bare integer (seconds) or in whatever form
#       parse_time accepts; the value must be greater than zero
# NOTE(review): the default INACTIVITY_TIMEOUT is "0" and
# cli_ipsec_connection_show hides a zero value, but this setter rejects zero,
# so a timeout cannot be switched off again from here — confirm intent.
# Returns EXIT_ERROR on missing arguments, an unparsable or non-positive
# value, or a write failure; EXIT_OK otherwise.
ipsec_connection_inactivity_timeout() {
	if [ $# -lt 2 ]; then
		log ERROR "Not enough arguments"
		return ${EXIT_ERROR}
	fi

	local connection="${1}"
	shift 1
	local value=$@

	# Anything that is not a bare integer goes through parse_time
	if ! isinteger value; then
		value=$(parse_time $@) || {
			log ERROR "Parsing the passed time was not sucessful please check the passed values."
			return ${EXIT_ERROR}
		}
	fi

	if [ ${value} -le 0 ]; then
		log ERROR "The passed time value must be in the sum greater zero seconds."
		return ${EXIT_ERROR}
	fi

	ipsec_connection_write_config_key "${connection}" "INACTIVITY_TIMEOUT" ${value} || {
		log ERROR "Could not write configuration settings"
		return ${EXIT_ERROR}
	}

	return ${EXIT_OK}
}

# Sets the VPN security policy a connection uses.
#   $1  connection name
#   $2  policy name; must exist according to vpn_security_policy_exists
# Returns EXIT_ERROR on a wrong argument count, an unknown policy or a write
# failure; zero otherwise.
ipsec_connection_security_policy() {
	[ $# -eq 2 ] || {
		log ERROR "Not enough arguments"
		return ${EXIT_ERROR}
	}
	local connection="${1}"
	local security_policy="${2}"

	vpn_security_policy_exists ${security_policy} || {
		log ERROR "No such vpn security policy '${security_policy}'"
		return ${EXIT_ERROR}
	}

	ipsec_connection_write_config_key "${connection}" "SECURITY_POLICY" ${security_policy} || {
		log ERROR "Could not write configuration settings"
		return ${EXIT_ERROR}
	}
}

# Checks whether an IKE identity is acceptable: either "@" followed by one or
# more alphanumerics, or an address accepted by ip_is_valid.
#   $1  the id
# Returns EXIT_TRUE when valid, EXIT_FALSE otherwise.
ipsec_connection_check_id() {
	assert [ $# -eq 1 ]
	local id="${1}"

	[[ ${id} =~ ^@[[:alnum:]]+$ ]] && return ${EXIT_TRUE}
	ip_is_valid ${id} && return ${EXIT_TRUE}

	return ${EXIT_FALSE}
}

# Checks whether a peer is acceptable; currently only addresses accepted by
# ip_is_valid are.
#   $1  the peer
# Returns EXIT_TRUE when valid, EXIT_FALSE otherwise.
ipsec_connection_check_peer() {
	assert [ $# -eq 1 ]
	local peer="${1}"

	# TODO Accept also FQDNs
	ip_is_valid ${peer} && return ${EXIT_TRUE}

	return ${EXIT_FALSE}
}

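# Checks a VPN IPsec connection name for illegal characters.
# Allowed are only A-Za-z0-9: the name becomes a directory name below
# NETWORK_IPSEC_CONNS_DIR, so ".", "/" and the like must never get through.
#   $1  connection name
# Note the inverted sense the callers rely on: the function SUCCEEDS
# (returns 0) when the name contains an illegal character and fails when the
# name is clean. An empty name contains no illegal character and therefore
# also fails here; callers check for it separately.
ipsec_connection_check_name() {
	assert [ $# -eq 1 ]

	local connection="${1}"

	# The previous pattern [^[:alnum:]$] had the "$" inside the bracket
	# expression, which accepted "$" as a name character instead of
	# anchoring the match.
	[[ "${connection}" =~ [^[:alnum:]] ]]
}
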
# Creates a new VPN IPsec connection with default settings.
#   $1  connection name; alphanumeric and not yet in use
# Returns EXIT_ERROR on bad arguments, a duplicate or invalid name, or when
# the config directory or file cannot be created; zero otherwise.
ipsec_connection_new() {
	if [ $# -gt 1 ]; then
		error "Too many arguments"
		return ${EXIT_ERROR}
	fi

	local connection="${1}"
	isset connection || {
		error "Please provide a connection name"
		return ${EXIT_ERROR}
	}

	# Check for duplicates
	if ipsec_connection_exists "${connection}"; then
		error "The VPN IPsec connection ${connection} already exists"
		return ${EXIT_ERROR}
	fi

	# ipsec_connection_check_name succeeds when it finds an illegal character
	if ipsec_connection_check_name "${connection}"; then
		error "'${connection}' contains illegal characters"
		return ${EXIT_ERROR}
	fi

	log DEBUG "Creating VPN IPsec connection ${connection}"

	local path="${NETWORK_IPSEC_CONNS_DIR}/${connection}"
	mkdir -p "${path}" || {
		log ERROR "Could not create config directory for ${connection}"
		return ${EXIT_ERROR}
	}

	# Start from the defaults; all other settings stay unset
	local ${IPSEC_CONNECTION_CONFIG_SETTINGS}
	MODE="${IPSEC_DEFAULT_MODE}"
	AUTH_MODE="${IPSEC_DEFAULT_AUTH_MODE}"
	INACTIVITY_TIMEOUT="${IPSEC_DEFAULT_INACTIVITY_TIMEOUT}"
	SECURITY_POLICY="${IPSEC_DEFAULT_SECURITY_POLICY}"

	ipsec_connection_write_config "${connection}" || {
		log ERROR "Could not write new config file"
		return ${EXIT_ERROR}
	}
}

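# Deletes one or more VPN IPsec connections, given by name.
#   $@  connection names
# Connections that do not exist are reported and skipped. Returns EXIT_ERROR
# as soon as a deletion fails, EXIT_OK otherwise.
ipsec_connection_destroy() {
	local connection
	for connection in "$@"; do
		if ! ipsec_connection_exists "${connection}"; then
			log ERROR "The VPN IPsec connection ${connection} does not exist."
			continue
		fi

		# The name becomes part of an "rm -rf" path: never let anything
		# like ".." or "a/b" through, whatever the directory check said
		if ipsec_connection_check_name "${connection}"; then
			log ERROR "Refusing to delete '${connection}': not a valid connection name"
			continue
		fi

		log DEBUG "Deleting VPN IPsec connection ${connection}"
		if ! rm -rf "${NETWORK_IPSEC_CONNS_DIR}/${connection}"; then
			log ERROR "Deleting the VPN IPsec connection ${connection} was not sucessful"
			return ${EXIT_ERROR}
		fi
	done

	return ${EXIT_OK}
}
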
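# Lists the names of all configured VPN IPsec connections, one per line.
# Every directory below NETWORK_IPSEC_CONNS_DIR counts as a connection; plain
# files are skipped. Prints nothing when there are none.
ipsec_list_connections() {
	local path
	for path in "${NETWORK_IPSEC_CONNS_DIR}"/*; do
		# Skips files, and the unexpanded glob when the directory is empty
		[ -d "${path}" ] || continue

		basename "${path}"
	done
}
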
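# Writes the strongSwan (swanctl) configuration file for one connection.
#   $1  connection name
# The file is assembled from the connection settings and the referenced
# security policy; it contains the pre-shared key in clear text.
# NOTE(review): the file's mode comes from the caller's umask and the
# directory from NETWORK_IPSEC_SWANCTL_CONNECTIONS_DIR — confirm neither is
# world-readable.
# Returns EXIT_ERROR when the settings cannot be read or a section cannot be
# generated (no half-written file is left behind); EXIT_OK otherwise.
ipsec_connection_to_strongswan() {
	local connection="${1}"

	# Read the config settings
	local ${IPSEC_CONNECTION_CONFIG_SETTINGS}
	if ! ipsec_connection_read_config "${connection}"; then
		error "Could not read the connection ${connection}"
		return ${EXIT_ERROR}
	fi

	local path="${NETWORK_IPSEC_SWANCTL_CONNECTIONS_DIR}/${connection}.conf"

	# Both sections run in a subshell; the "exit" makes a failed connection
	# section visible here instead of being masked by the secrets section
	if ! (
		# Write the connection section
		_ipsec_connection_to_strongswan_connection "${connection}" || exit ${EXIT_ERROR}

		# Write the secrets section
		_ipsec_connection_to_strongswan_secrets "${connection}"
	) > "${path}"; then
		error "Could not write strongSwan configuration for ${connection}"

		# Do not leave a partial configuration for strongSwan to load
		rm -f "${path}"
		return ${EXIT_ERROR}
	fi

	return ${EXIT_OK}
}
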
# Prints the "connections" section of the swanctl configuration for one
# connection to stdout.
#   $1  connection name
# Expects the connection settings (IPSEC_CONNECTION_CONFIG_SETTINGS) as
# variables in the caller's scope; the security policy settings are read
# into local variables here. KEY_EXCHANGE, DPD_*, LIFETIME, COMPRESSION and
# START_ACTION are not connection settings and presumably come from the
# security policy — verify against vpn_security_policies_read_config.
# Returns EXIT_ERROR when the security policy cannot be read; otherwise the
# status of the last print.
_ipsec_connection_to_strongswan_connection() {
	local connection="${1}"

	# Read the security policy
	local ${VPN_SECURITY_POLICIES_CONFIG_SETTINGS}
	if ! vpn_security_policies_read_config "${SECURITY_POLICY}"; then
		return ${EXIT_ERROR}
	fi

	print_indent 0 "connections {"
	print_indent 1 "${connection} {"

	# IKE Version
	print_indent 2 "# IKE Version"
	case "${KEY_EXCHANGE^^}" in
		IKEV1)
			print_indent 2 "version = 1"
			;;

		# Fall back to IKEv2 for any random values
		IKEV2|*)
			print_indent 2 "version = 2"
			;;
	esac
	print # empty line

	# Local Address; LOCAL_ADDRESS is not among the connection settings,
	# so it is presumably set by the caller's environment — confirm
	print_indent 2 "# Local Address"
	if isset LOCAL_ADDRESS; then
		print_indent 2 "local_addrs = ${LOCAL_ADDRESS}"
	else
		print_indent 2 "local_addrs = %any"
	fi

	# Remote Address; without a configured peer any address may connect
	print_indent 2 "# Remote Address"
	if isset PEER; then
		print_indent 2 "remote_addrs = ${PEER}"
	else
		print_indent 2 "remote_addrs = %any"
	fi

	# IKE Proposals
	print_indent 2 "# IKE Proposals"
	print_indent 2 "proposals = $(vpn_security_policies_make_ah_proposal ${SECURITY_POLICY})"

	# DPD Settings; only emitted for a positive integer delay.
	# NOTE(review): dpd_action is printed unconditionally inside this block,
	# even when DPD_ACTION is unset — confirm the policy always provides it.
	if isset DPD_DELAY && isinteger DPD_DELAY && [ ${DPD_DELAY} -gt 0 ]; then
		print_indent 2 "# Dead Peer Detection"

		print_indent 2 "dpd_action = ${DPD_ACTION}"
		print_indent 2 "dpd_delay = ${DPD_DELAY}"

		if isset DPD_TIMEOUT; then
			print_indent 2 "dpd_timeout = ${DPD_TIMEOUT}"
		fi
	fi

	# Fragmentation
	print_indent 2 "# Fragmentation"
	print_indent 2 "fragmentation = yes"

	# Local
	print_indent 2 "local {"

	# Local ID
	if isset LOCAL_ID; then
		print_indent 3 "id = ${LOCAL_ID}"
	fi

	# Authentication; no "auth" line is written for any other mode
	case "${AUTH_MODE}" in
		PSK)
			print_indent 3 "auth = psk"
			;;
	esac

	print_indent 2 "}"

	# Remote
	print_indent 2 "remote {"

	# Remote ID
	if isset REMOTE_ID; then
		print_indent 3 "id = ${REMOTE_ID}"
	fi

	# Authentication; no "auth" line is written for any other mode
	case "${AUTH_MODE}" in
		PSK)
			print_indent 3 "auth = psk"
			;;
	esac

	print_indent 2 "}"

	# Children: a single child SA named like the connection
	print_indent 2 "children {"
	print_indent 3 "${connection} {"

	print_indent 4 "# ESP Proposals"
	print_indent 4 "esp_proposals = $(vpn_security_policies_make_esp_proposal ${SECURITY_POLICY})"

	# Traffic Selectors

	# Local Prefixes, comma separated; "dynamic" when none are configured
	if isset LOCAL_PREFIX; then
		print_indent 4 "local_ts = $(list_join LOCAL_PREFIX ,)"
	else
		print_indent 4 "local_ts = dynamic"
	fi

	# Remote Prefixes, comma separated; "dynamic" when none are configured
	if isset REMOTE_PREFIX; then
		print_indent 4 "remote_ts = $(list_join REMOTE_PREFIX ,)"
	else
		print_indent 4 "remote_ts = dynamic"
	fi

	# Rekeying
	if isset LIFETIME; then
		print_indent 4 "# Rekey Time"
		print_indent 4 "rekey_time = ${LIFETIME}"
	fi

	# Updown Script
	print_indent 4 "updown = ${NETWORK_HELPERS_DIR}/ipsec-updown"

	# Mode: only gre-transport maps to transport mode, everything else
	# (tunnel, vti, unknown values) to tunnel mode
	print_indent 4 "# Mode"
	case "${MODE}" in
		gre-transport)
			print_indent 4 "mode = transport"
			;;
		tunnel|vti|*)
			print_indent 4 "mode = tunnel"
			;;
	esac

	# Compression
	print_indent 4 "# Compression"
	if enabled COMPRESSION; then
		print_indent 4 "ipcomp = yes"
	else
		print_indent 4 "ipcomp = no"
	fi

	# Inactivity Timeout; isset only checks for a non-empty value, so the
	# default "0" is written as "inactivity = 0" — TODO confirm strongSwan
	# treats that as disabled, as cli_ipsec_connection_show does
	if isset INACTIVITY_TIMEOUT; then
		print_indent 4 "# Inactivity Timeout"
		print_indent 4 "inactivity = ${INACTIVITY_TIMEOUT}"
	fi

	# Start Action; anything but on-demand/wait behaves like always-on
	print_indent 4 "# Start Action"
	case "${START_ACTION}" in
		on-demand)
			print_indent 4 "start_action = trap"
			print_indent 4 "close_action = trap"
			;;
		wait)
			print_indent 4 "start_action = none"
			print_indent 4 "close_action = none"
			;;
		always-on|*)
			print_indent 4 "start_action = start"
			print_indent 4 "close_action = start"
			;;
	esac

	print_indent 3 "}"
	print_indent 2 "}"

	print_indent 1 "}"
	print_indent 0 "}"

}

# Prints the "secrets" section of the swanctl configuration for one
# connection to stdout. Expects the connection settings (AUTH_MODE, PSK,
# REMOTE_ID) as variables in the caller's scope.
#   $1  connection name (not used inside the section itself)
# Only PSK authentication produces an entry; the key is emitted in clear
# text, so the output must only ever go to a protected file.
_ipsec_connection_to_strongswan_secrets() {
	local connection="${1}"

	print_indent 0 "secrets {"

	if [ "${AUTH_MODE}" = "PSK" ]; then
		print_indent 1 "ike {"

		# Secret
		print_indent 2 "secret = ${PSK}"

		# Bind the secret to the remote identity when one is configured
		isset REMOTE_ID && print_indent 2 "id = ${REMOTE_ID}"

		print_indent 1 "}"
	fi

	print_indent 0 "}"
}