]>
Commit | Line | Data |
---|---|---|
917a1aa0 JS |
1 | #!/bin/bash |
2 | ############################################################################### | |
3 | # # | |
4 | # IPFire.org - A linux based firewall # | |
5 | # Copyright (C) 2017 IPFire Network Development Team # | |
6 | # # | |
7 | # This program is free software: you can redistribute it and/or modify # | |
8 | # it under the terms of the GNU General Public License as published by # | |
9 | # the Free Software Foundation, either version 3 of the License, or # | |
10 | # (at your option) any later version. # | |
11 | # # | |
12 | # This program is distributed in the hope that it will be useful, # | |
13 | # but WITHOUT ANY WARRANTY; without even the implied warranty of # | |
14 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # | |
15 | # GNU General Public License for more details. # | |
16 | # # | |
17 | # You should have received a copy of the GNU General Public License # | |
18 | # along with this program. If not, see <http://www.gnu.org/licenses/>. # | |
19 | # # | |
20 | ############################################################################### | |
21 | ||
33944dfb MT |
22 | IPSEC_CONNECTION_CONFIG_SETTINGS="\ |
23 | AUTH_MODE \ | |
24 | DPD_ACTION \ | |
25 | DPD_DELAY \ | |
26 | DPD_TIMEOUT \ | |
27 | INACTIVITY_TIMEOUT \ | |
28 | LOCAL_ADDRESS \ | |
29 | LOCAL_ID \ | |
30 | LOCAL_PREFIX \ | |
31 | MODE \ | |
32 | PEER \ | |
96fdb077 | 33 | POOLS \ |
33944dfb MT |
34 | PSK \ |
35 | REMOTE_ID \ | |
36 | REMOTE_PREFIX \ | |
5601f4f5 | 37 | SECURITY_POLICY \ |
eb6fa666 | 38 | START_ACTION \ |
89d71d08 | 39 | TYPE \ |
5601f4f5 | 40 | ENABLED" |
917a1aa0 | 41 | |
7c623df2 | 42 | IPSEC_POOL_CONFIG_SETTINGS="\ |
940bb51b JS |
43 | DNS_SERVER \ |
44 | NETWORK \ | |
45 | TYPE" | |
7c623df2 | 46 | |
917a1aa0 | 47 | # Default values |
ab589039 | 48 | IPSEC_DEFAULT_AUTH_MODE="PSK" |
bb9fccaf JS |
49 | IPSEC_DEFAULT_DPD_ACTION="restart" |
50 | IPSEC_DEFAULT_DPD_DELAY="30" | |
51 | IPSEC_DEFAULT_DPD_TIMEOUT="120" | |
5601f4f5 | 52 | IPSEC_DEFAULT_ENABLED="true" |
917a1aa0 | 53 | IPSEC_DEFAULT_INACTIVITY_TIMEOUT="0" |
bb9fccaf | 54 | IPSEC_DEFAULT_MODE="tunnel" |
917a1aa0 | 55 | IPSEC_DEFAULT_SECURITY_POLICY="system" |
bb9fccaf | 56 | IPSEC_DEFAULT_START_ACTION="on-demand" |
89d71d08 | 57 | IPSEC_DEFAULT_TYPE="net-to-net" |
917a1aa0 JS |
58 | |
59 | IPSEC_VALID_MODES="gre-transport tunnel vti" | |
ab589039 | 60 | IPSEC_VALID_AUTH_MODES="PSK" |
917a1aa0 | 61 | |
2da98f56 MT |
62 | cli_ipsec() { |
63 | local action=${1} | |
64 | shift 1 | |
65 | ||
66 | case "${action}" in | |
67 | connection) | |
2212045f | 68 | cli_ipsec_connection "$@" |
2da98f56 | 69 | ;; |
7c623df2 | 70 | pool) |
2212045f | 71 | cli_ipsec_pool "$@" |
7c623df2 | 72 | ;; |
2da98f56 MT |
73 | *) |
74 | error "Unrecognized argument: ${action}" | |
75 | exit ${EXIT_ERROR} | |
76 | ;; | |
77 | esac | |
78 | } | |
79 | ||
80 | cli_ipsec_connection() { | |
81 | if ipsec_connection_exists ${1}; then | |
82 | local connection=${1} | |
83 | local key=${2} | |
84 | key=${key//-/_} | |
85 | shift 2 | |
86 | ||
87 | case "${key}" in | |
96fdb077 | 88 | authentication|down|disable|dpd|enable|inactivity_timeout|local|mode|peer|pool|remote|security_policy|start_action|up) |
2212045f | 89 | ipsec_connection_${key} ${connection} "$@" |
2da98f56 | 90 | ;; |
c1e76e97 MT |
91 | show) |
92 | cli_ipsec_connection_show "${connection}" | |
93 | exit $? | |
94 | ;; | |
2da98f56 MT |
95 | *) |
96 | error "Unrecognized argument: ${key}" | |
97 | exit ${EXIT_ERROR} | |
98 | ;; | |
99 | esac | |
100 | else | |
101 | local action=${1} | |
102 | shift | |
103 | ||
104 | case "${action}" in | |
105 | new) | |
2212045f | 106 | ipsec_connection_new "$@" |
2da98f56 MT |
107 | ;; |
108 | destroy) | |
2212045f | 109 | cli_ipsec_connection_destroy "$@" |
2da98f56 MT |
110 | ;; |
111 | ""|*) | |
112 | if [ -n "${action}" ]; then | |
113 | error "Unrecognized argument: '${action}'" | |
114 | fi | |
115 | exit ${EXIT_ERROR} | |
116 | ;; | |
117 | esac | |
118 | fi | |
119 | } | |
120 | ||
7c623df2 JS |
121 | cli_ipsec_pool() { |
122 | if ipsec_pool_exists ${1}; then | |
123 | local pool=${1} | |
124 | local key=${2} | |
125 | key=${key//-/_} | |
126 | shift 2 | |
127 | ||
128 | case "${key}" in | |
129 | dns_server|network) | |
2212045f | 130 | ipsec_pool_${key} ${pool} "$@" |
7c623df2 JS |
131 | ;; |
132 | show) | |
133 | cli_ipsec_pool_show "${pool}" | |
134 | exit $? | |
135 | ;; | |
136 | *) | |
137 | error "Unrecognized argument: ${key}" | |
138 | exit ${EXIT_ERROR} | |
139 | ;; | |
140 | esac | |
141 | else | |
142 | local action=${1} | |
143 | shift | |
144 | ||
145 | case "${action}" in | |
146 | new) | |
2212045f | 147 | ipsec_pool_new "$@" |
7c623df2 JS |
148 | ;; |
149 | destroy) | |
2212045f | 150 | ipsec_pool_destroy "$@" |
7c623df2 JS |
151 | ;; |
152 | ""|*) | |
153 | if [ -n "${action}" ]; then | |
154 | error "Unrecognized argument: '${action}'" | |
155 | fi | |
156 | exit ${EXIT_ERROR} | |
157 | ;; | |
158 | esac | |
159 | fi | |
160 | } | |
161 | ||
fa33d830 MT |
162 | cli_ipsec_connection_destroy() { |
163 | local connection="${1}" | |
164 | ||
165 | if ! ipsec_connection_destroy "${connection}"; then | |
166 | return ${EXIT_ERROR} | |
167 | fi | |
168 | ||
169 | # Inform strongswan about the changes | |
170 | ipsec_strongswan_load | |
171 | ||
172 | # Configure strongswan autostart | |
173 | ipsec_strongswan_autostart | |
174 | } | |
175 | ||
c1e76e97 MT |
176 | cli_ipsec_connection_show() { |
177 | local connection="${1}" | |
178 | ||
179 | # Read the config settings | |
180 | local ${IPSEC_CONNECTION_CONFIG_SETTINGS} | |
181 | if ! ipsec_connection_read_config "${connection}"; then | |
182 | error "Could not read the connection configuration" | |
183 | return ${EXIT_ERROR} | |
184 | fi | |
185 | ||
186 | cli_headline 0 "IPsec VPN Connection: ${connection}" | |
187 | cli_space | |
188 | ||
189 | # Peer | |
190 | if isset PEER; then | |
191 | cli_print_fmt1 1 "Peer" "${PEER}" | |
192 | fi | |
193 | ||
194 | # Security Policy | |
195 | cli_print_fmt1 1 "Security Policy" "${SECURITY_POLICY-${IPSEC_DEFAULT_SECURITY_POLICY}}" | |
196 | cli_space | |
197 | ||
198 | cli_headline 2 "Authentication" | |
199 | case "${AUTH_MODE^^}" in | |
200 | PSK) | |
201 | cli_print_fmt1 2 "Mode" "Pre-Shared-Key" | |
202 | ||
203 | if isset PSK; then | |
204 | cli_print_fmt1 2 "Pre-Shared-Key" "****" | |
205 | else | |
206 | cli_print_fmt1 2 "Pre-Shared-Key" "- is not set -" | |
207 | fi | |
208 | ;; | |
209 | X509) | |
210 | : # TODO | |
211 | ;; | |
212 | esac | |
213 | cli_space | |
214 | ||
215 | local i | |
216 | for i in LOCAL REMOTE; do | |
217 | case "${i}" in | |
218 | LOCAL) | |
219 | cli_headline 2 "Local" | |
220 | ;; | |
221 | REMOTE) | |
222 | cli_headline 2 "Remote" | |
223 | ;; | |
224 | esac | |
225 | ||
226 | local id_var="${i}_ID" | |
227 | if [ -n "${!id_var}" ]; then | |
228 | cli_print_fmt1 2 "ID" "${!id_var}" | |
229 | fi | |
230 | ||
231 | local prefix_var="${i}_PREFIX" | |
232 | if isset ${prefix_var}; then | |
233 | cli_headline 3 "Prefix(es)" | |
234 | ||
235 | local prefix | |
236 | for prefix in ${!prefix_var}; do | |
237 | cli_print_fmt1 3 "${prefix}" | |
238 | done | |
239 | fi | |
240 | ||
241 | cli_space | |
242 | done | |
243 | ||
244 | cli_headline 2 "Misc." | |
245 | ||
246 | case "${MODE}" in | |
247 | gre-transport) | |
248 | cli_print_fmt1 2 "Transport Mode" "GRE Transport" | |
249 | ;; | |
250 | tunnel) | |
251 | cli_print_fmt1 2 "Transport Mode" "Tunnel" | |
252 | ;; | |
253 | vti) | |
254 | cli_print_fmt1 2 "Transport Mode" "Virtual Tunnel Interface" | |
255 | ;; | |
256 | *) | |
257 | cli_print_fmt1 2 "Transport Mode" "- Unknown -" | |
258 | ;; | |
259 | esac | |
260 | ||
261 | # Inactivity timeout | |
262 | if isset INACTIVITY_TIMEOUT && [ ${INACTIVITY_TIMEOUT} -gt 0 ]; then | |
263 | cli_print_fmt1 2 "Inactivity Timeout" "$(format_time ${INACTIVITY_TIMEOUT})" | |
264 | fi | |
265 | cli_space | |
266 | ||
267 | return ${EXIT_OK} | |
268 | } | |
269 | ||
5601f4f5 JS |
270 | ipsec_connection_disable() { |
271 | local connection=${1} | |
272 | ||
273 | if ! ipsec_connection_write_config_key "${connection}" "ENABLED" "false"; then | |
274 | log ERROR "Could not write configuration settings" | |
275 | return ${EXIT_ERROR} | |
276 | fi | |
277 | ||
c3f31173 MT |
278 | # Configure strongswan autostart |
279 | ipsec_strongswan_autostart | |
5601f4f5 JS |
280 | } |
281 | ||
282 | ipsec_connection_enable() { | |
283 | local connection=${1} | |
284 | ||
285 | if ! ipsec_connection_write_config_key "${connection}" "ENABLED" "true"; then | |
286 | log ERROR "Could not write configuration settings" | |
287 | return ${EXIT_ERROR} | |
288 | fi | |
289 | ||
c3f31173 MT |
290 | # Configure strongswan autostart |
291 | ipsec_strongswan_autostart | |
5601f4f5 JS |
292 | } |
293 | ||
917a1aa0 JS |
294 | # This function writes all values to a via ${connection} specificated VPN IPsec configuration file |
295 | ipsec_connection_write_config() { | |
296 | assert [ $# -ge 1 ] | |
297 | ||
298 | local connection="${1}" | |
299 | ||
300 | if ! ipsec_connection_exists "${connection}"; then | |
301 | log ERROR "No such VPN IPsec connection: ${connection}" | |
302 | return ${EXIT_ERROR} | |
303 | fi | |
304 | ||
cf8685a1 | 305 | local path="${NETWORK_IPSEC_CONNS_DIR}/${connection}/settings" |
917a1aa0 JS |
306 | |
307 | if ! settings_write "${path}" ${IPSEC_CONNECTION_CONFIG_SETTINGS}; then | |
308 | log ERROR "Could not write configuration settings for VPN IPsec connection ${connection}" | |
309 | return ${EXIT_ERROR} | |
310 | fi | |
311 | ||
312 | ipsec_reload ${connection} | |
313 | } | |
314 | ||
315 | # This funtion writes the value for one key to a via ${connection} specificated VPN IPsec connection configuration file | |
316 | ipsec_connection_write_config_key() { | |
317 | assert [ $# -ge 3 ] | |
318 | ||
319 | local connection=${1} | |
320 | local key=${2} | |
321 | shift 2 | |
322 | ||
323 | local value="$@" | |
324 | ||
325 | if ! ipsec_connection_exists "${connection}"; then | |
326 | log ERROR "No such VPN ipsec connection: ${connection}" | |
327 | return ${EXIT_ERROR} | |
328 | fi | |
329 | ||
330 | log DEBUG "Set '${key}' to new value '${value}' in VPN ipsec connection '${connection}'" | |
331 | ||
332 | local ${IPSEC_CONNECTION_CONFIG_SETTINGS} | |
333 | ||
334 | # Read the config settings | |
335 | if ! ipsec_connection_read_config "${connection}"; then | |
336 | return ${EXIT_ERROR} | |
337 | fi | |
338 | ||
339 | # Set the key to a new value | |
340 | assign "${key}" "${value}" | |
341 | ||
342 | if ! ipsec_connection_write_config "${connection}"; then | |
343 | return ${EXIT_ERROR} | |
344 | fi | |
345 | ||
346 | return ${EXIT_TRUE} | |
347 | } | |
348 | ||
349 | # Reads one or more keys out of a settings file or all if no key is provided. | |
350 | ipsec_connection_read_config() { | |
351 | assert [ $# -ge 1 ] | |
352 | ||
353 | local connection="${1}" | |
354 | shift 1 | |
355 | ||
356 | if ! ipsec_connection_exists "${connection}"; then | |
357 | log ERROR "No such VPN IPsec connection : ${connection}" | |
358 | return ${EXIT_ERROR} | |
359 | fi | |
360 | ||
361 | ||
362 | local args | |
363 | if [ $# -eq 0 ] && [ -n "${IPSEC_CONNECTION_CONFIG_SETTINGS}" ]; then | |
364 | list_append args ${IPSEC_CONNECTION_CONFIG_SETTINGS} | |
365 | else | |
2212045f | 366 | list_append args "$@" |
917a1aa0 JS |
367 | fi |
368 | ||
cf8685a1 | 369 | local path="${NETWORK_IPSEC_CONNS_DIR}/${connection}/settings" |
917a1aa0 JS |
370 | |
371 | if ! settings_read "${path}" ${args}; then | |
372 | log ERROR "Could not read settings for VPN IPsec connection ${connection}" | |
373 | return ${EXIT_ERROR} | |
374 | fi | |
375 | } | |
376 | ||
917a1aa0 JS |
377 | # This function checks if a vpn ipsec connection exists |
378 | # Returns True when yes and false when not | |
379 | ipsec_connection_exists() { | |
380 | assert [ $# -eq 1 ] | |
381 | ||
382 | local connection=${1} | |
383 | ||
cf8685a1 | 384 | local path="${NETWORK_IPSEC_CONNS_DIR}/${connection}" |
917a1aa0 JS |
385 | |
386 | [ -d "${path}" ] && return ${EXIT_TRUE} || return ${EXIT_FALSE} | |
387 | } | |
388 | ||
c3f31173 MT |
389 | # Determines if strongswan should be automatically started |
390 | # when the system boots up. | |
391 | ipsec_strongswan_autostart() { | |
392 | local autostart_needed="false" | |
393 | ||
394 | local connection | |
395 | for connection in $(ipsec_list_connections); do | |
396 | local ENABLED | |
397 | ||
398 | if ! ipsec_connection_read_config "${connection}" "ENABLED"; then | |
399 | log WARNING "Could not read configuation" | |
400 | continue | |
401 | fi | |
402 | ||
403 | if enabled ENABLED; then | |
404 | autostart_needed="true" | |
405 | break | |
406 | fi | |
407 | done | |
408 | ||
409 | # Start strongswan when we need it and when it is not yet enabled | |
b863fe52 MT |
410 | if ${autostart_needed}; then |
411 | if ! service_is_enabled "strongswan"; then | |
412 | service_enable "strongswan" | |
413 | fi | |
414 | ||
415 | if ! service_is_active "strongswan"; then | |
416 | service_start "strongswan" | |
417 | fi | |
c3f31173 MT |
418 | |
419 | # Disable strongswan when we do not need it but it is enabled | |
b863fe52 MT |
420 | elif ! ${autostart_needed}; then |
421 | if service_is_enabled "strongswan"; then | |
422 | service_disable "strongswan" | |
423 | fi | |
424 | ||
425 | if service_is_active "strongswan"; then | |
426 | service_stop "strongswan" | |
427 | fi | |
c3f31173 MT |
428 | fi |
429 | } | |
430 | ||
f0e91d26 | 431 | ipsec_strongswan_load() { |
7fc57ebc MT |
432 | # Do nothing if strongswan is not running |
433 | if ! service_is_active "strongswan"; then | |
434 | return ${EXIT_OK} | |
435 | fi | |
436 | ||
f0e91d26 JS |
437 | if ! cmd swanctl --load-all; then |
438 | log ERROR "Could not reload strongswan config" | |
439 | return ${EXIT_ERROR} | |
440 | fi | |
441 | } | |
442 | ||
917a1aa0 JS |
443 | # Reloads the connection after config changes |
444 | ipsec_reload() { | |
39d87f20 JS |
445 | local connection=${1} |
446 | ||
5601f4f5 JS |
447 | local ENABLED |
448 | ||
449 | if ! ipsec_connection_read_config "${connection}" "ENABLED"; then | |
450 | log ERROR "Could not read configuration for IPsec connection ${connection}" | |
39d87f20 JS |
451 | return ${EXIT_ERROR} |
452 | fi | |
453 | ||
471f16bc | 454 | if enabled ENABLED; then |
5601f4f5 JS |
455 | if ! ipsec_connection_to_strongswan ${connection}; then |
456 | log ERROR "Could not generate strongswan config for ${connnection}" | |
457 | return ${EXIT_ERROR} | |
458 | fi | |
459 | else | |
ad482897 | 460 | log DEBUG "Deleting strongswan config ${NETWORK_IPSEC_SWANCTL_CONNECTIONS_DIR}/${connection}.conf" |
5601f4f5 JS |
461 | unlink "${NETWORK_IPSEC_SWANCTL_CONNECTIONS_DIR}/${connection}.conf" |
462 | fi | |
463 | ||
f0e91d26 | 464 | ipsec_strongswan_load |
917a1aa0 JS |
465 | } |
466 | ||
467 | # Handle the cli after authentification | |
468 | ipsec_connection_authentication() { | |
469 | if [ ! $# -gt 1 ]; then | |
470 | log ERROR "Not enough arguments" | |
471 | return ${EXIT_ERROR} | |
472 | fi | |
473 | ||
474 | local connection=${1} | |
475 | local cmd=${2} | |
476 | shift 2 | |
477 | ||
478 | case ${cmd} in | |
479 | mode) | |
2212045f | 480 | ipsec_connection_authentication_mode "${connection}" "$@" |
917a1aa0 JS |
481 | ;; |
482 | pre-shared-key) | |
2212045f | 483 | ipsec_connection_authentication_psk "${connection}" "$@" |
917a1aa0 JS |
484 | ;; |
485 | *) | |
486 | log ERROR "Unrecognized argument: ${cmd}" | |
487 | return ${EXIT_ERROR} | |
488 | ;; | |
489 | esac | |
490 | } | |
491 | ||
492 | # Set the authentification mode | |
493 | ipsec_connection_authentication_mode() { | |
494 | if [ ! $# -eq 2 ]; then | |
495 | log ERROR "Not enough arguments" | |
496 | return ${EXIT_ERROR} | |
497 | fi | |
498 | local connection=${1} | |
499 | local mode=${2} | |
500 | ||
501 | if ! isoneof mode ${IPSEC_VALID_AUTH_MODES}; then | |
502 | log ERROR "Auth mode '${mode}' is invalid" | |
503 | return ${EXIT_ERROR} | |
504 | fi | |
505 | ||
ab589039 | 506 | if ! ipsec_connection_write_config_key "${connection}" "AUTH_MODE" ${mode^^}; then |
917a1aa0 JS |
507 | log ERROR "Could not write configuration settings" |
508 | return ${EXIT_ERROR} | |
509 | fi | |
510 | } | |
511 | ||
512 | # Set the psk | |
513 | ipsec_connection_authentication_psk() { | |
db491d1d | 514 | if [ ! $# -eq 2 ]; then |
917a1aa0 JS |
515 | log ERROR "Not enough arguments" |
516 | return ${EXIT_ERROR} | |
517 | fi | |
1bfc4f56 | 518 | |
917a1aa0 JS |
519 | local connection=${1} |
520 | local psk=${2} | |
521 | ||
1bfc4f56 MT |
522 | local length=${#psk} |
523 | ||
524 | if [ ${length} -lt 4 ]; then | |
525 | error "The PSK must be longer than four characters" | |
526 | return ${EXIT_ERROR} | |
527 | fi | |
528 | ||
529 | if [ ${length} -gt 128 ]; then | |
530 | error "The PSK cannot be longer than 128 characters" | |
531 | return ${EXIT_ERROR} | |
532 | fi | |
917a1aa0 | 533 | |
1bfc4f56 | 534 | if ! ipsec_connection_write_config_key "${connection}" "PSK" "${psk}"; then |
917a1aa0 JS |
535 | log ERROR "Could not write configuration settings" |
536 | return ${EXIT_ERROR} | |
537 | fi | |
538 | ||
539 | return ${EXIT_OK} | |
540 | } | |
541 | ||
3cde31b9 MT |
542 | ipsec_connection_up() { |
543 | local connection="${1}" | |
544 | ||
545 | if ! ipsec_connection_exists "${connection}"; then | |
546 | error "No such VPN IPsec connection: ${connection}" | |
547 | return ${EXIT_ERROR} | |
548 | fi | |
549 | ||
550 | cmd swanctl --initiate --child "${connection}" | |
551 | } | |
552 | ||
553 | ipsec_connection_down() { | |
554 | local connection="${1}" | |
555 | ||
556 | if ! ipsec_connection_exists "${connection}"; then | |
557 | error "No such VPN IPsec connection: ${connection}" | |
558 | return ${EXIT_ERROR} | |
559 | fi | |
560 | ||
561 | cmd swanctl --terminate --ike "${connection}" | |
562 | } | |
bb9fccaf JS |
563 | |
564 | # Handle the cli after authentification | |
565 | ipsec_connection_dpd() { | |
566 | if [ ! $# -gt 1 ]; then | |
567 | log ERROR "Not enough arguments" | |
568 | return ${EXIT_ERROR} | |
569 | fi | |
570 | ||
571 | local connection=${1} | |
572 | local cmd=${2} | |
573 | shift 2 | |
574 | ||
575 | case ${cmd} in | |
576 | action) | |
2212045f | 577 | ipsec_connection_dpd_action "${connection}" "$@" |
bb9fccaf JS |
578 | ;; |
579 | delay) | |
2212045f | 580 | ipsec_connection_dpd_delay "${connection}" "$@" |
bb9fccaf JS |
581 | ;; |
582 | timeout) | |
2212045f | 583 | ipsec_connection_dpd_timeout "${connection}" "$@" |
bb9fccaf JS |
584 | ;; |
585 | *) | |
586 | log ERROR "Unrecognized argument: ${cmd}" | |
587 | return ${EXIT_ERROR} | |
588 | ;; | |
589 | esac | |
590 | } | |
591 | ||
592 | # Set the default dpd action | |
593 | ipsec_connection_dpd_action() { | |
594 | if [ ! $# -eq 2 ]; then | |
595 | log ERROR "Not enough arguments" | |
596 | return ${EXIT_ERROR} | |
597 | fi | |
598 | local connection=${1} | |
599 | local action=${2} | |
600 | ||
601 | if ! isoneof action "restart" "clear"; then | |
602 | log ERROR "dpd action '${action}' is invalid" | |
603 | return ${EXIT_ERROR} | |
604 | fi | |
605 | ||
606 | if ! ipsec_connection_write_config_key "${connection}" "DPD_ACTION" ${action}; then | |
607 | log ERROR "Could not write configuration settings" | |
608 | return ${EXIT_ERROR} | |
609 | fi | |
610 | } | |
611 | ||
612 | # Set the dpd delay | |
613 | ipsec_connection_dpd_delay() { | |
614 | if [ ! $# -ge 2 ]; then | |
615 | log ERROR "Not enough arguments" | |
616 | return ${EXIT_ERROR} | |
617 | fi | |
618 | ||
619 | local connection=${1} | |
620 | shift 1 | |
621 | local value=$@ | |
622 | ||
623 | if ! isinteger value; then | |
2212045f | 624 | value=$(parse_time "$@") |
bb9fccaf JS |
625 | if [ ! $? -eq 0 ]; then |
626 | log ERROR "Parsing the passed time was not sucessful please check the passed values." | |
627 | return ${EXIT_ERROR} | |
628 | fi | |
629 | fi | |
630 | ||
631 | if [ ${value} -lt 0 ]; then | |
632 | log ERROR "The passed time value must be in the sum greater or equal zero seconds." | |
633 | return ${EXIT_ERROR} | |
634 | fi | |
635 | ||
636 | if ! ipsec_connection_write_config_key "${connection}" "DPD_DELAY" ${value}; then | |
637 | log ERROR "Could not write configuration settings" | |
638 | return ${EXIT_ERROR} | |
639 | fi | |
640 | ||
641 | return ${EXIT_OK} | |
642 | } | |
643 | ||
644 | # Set the dpd timeout | |
645 | ipsec_connection_dpd_timeout() { | |
646 | if [ ! $# -ge 2 ]; then | |
647 | log ERROR "Not enough arguments" | |
648 | return ${EXIT_ERROR} | |
649 | fi | |
650 | ||
651 | local connection=${1} | |
652 | shift 1 | |
653 | local value=$@ | |
654 | ||
655 | if ! isinteger value; then | |
2212045f | 656 | value=$(parse_time "$@") |
bb9fccaf JS |
657 | if [ ! $? -eq 0 ]; then |
658 | log ERROR "Parsing the passed time was not sucessful please check the passed values." | |
659 | return ${EXIT_ERROR} | |
660 | fi | |
661 | fi | |
662 | ||
663 | if [ ${value} -le 0 ]; then | |
664 | log ERROR "The passed time value must be in the sum greater or equal zero seconds." | |
665 | return ${EXIT_ERROR} | |
666 | fi | |
667 | ||
668 | if ! ipsec_connection_write_config_key "${connection}" "DPD_TIMEOUT" ${value}; then | |
669 | log ERROR "Could not write configuration settings" | |
670 | return ${EXIT_ERROR} | |
671 | fi | |
672 | ||
673 | return ${EXIT_OK} | |
674 | } | |
675 | ||
917a1aa0 JS |
676 | # Handle the cli after local |
677 | ipsec_connection_local() { | |
678 | if [ ! $# -ge 2 ]; then | |
679 | log ERROR "Not enough arguments" | |
680 | return ${EXIT_ERROR} | |
681 | fi | |
682 | ||
683 | local connection=${1} | |
684 | local cmd=${2} | |
685 | shift 2 | |
686 | ||
687 | case ${cmd} in | |
bb9fccaf | 688 | address) |
2212045f | 689 | ipsec_connection_local_address "${connection}" "$@" |
bb9fccaf | 690 | ;; |
917a1aa0 | 691 | id) |
2212045f | 692 | ipsec_connection_id "${connection}" "LOCAL" "$@" |
917a1aa0 JS |
693 | ;; |
694 | prefix) | |
2212045f | 695 | ipsec_connection_prefix "${connection}" "LOCAL" "$@" |
917a1aa0 JS |
696 | ;; |
697 | *) | |
698 | log ERROR "Unrecognized argument: ${cmd}" | |
699 | return ${EXIT_ERROR} | |
700 | ;; | |
701 | esac | |
702 | ||
703 | return ${EXIT_OK} | |
704 | } | |
705 | ||
706 | # Set the connection mode | |
707 | ipsec_connection_mode() { | |
5bdbc2ee | 708 | if [ ! $# -eq 2 ]; then |
917a1aa0 JS |
709 | log ERROR "Not enough arguments" |
710 | return ${EXIT_ERROR} | |
711 | fi | |
712 | local connection=${1} | |
713 | local mode=${2} | |
714 | ||
715 | if ! isoneof mode ${IPSEC_VALID_MODES}; then | |
716 | log ERROR "Mode '${mode}' is invalid" | |
717 | return ${EXIT_ERROR} | |
718 | fi | |
719 | ||
720 | if ! ipsec_connection_write_config_key "${connection}" "MODE" ${mode}; then | |
721 | log ERROR "Could not write configuration settings" | |
722 | return ${EXIT_ERROR} | |
723 | fi | |
724 | ||
725 | return ${EXIT_OK} | |
726 | } | |
727 | ||
bb9fccaf JS |
728 | # Set the local address |
729 | ipsec_connection_local_address() { | |
730 | if [ ! $# -eq 2 ]; then | |
731 | log ERROR "Not enough arguments" | |
732 | return ${EXIT_ERROR} | |
733 | fi | |
734 | local connection=${1} | |
735 | local local_address=${2} | |
736 | ||
737 | if ! ipsec_connection_check_peer ${local_address}; then | |
738 | log ERROR "Local address '${local_address}' is invalid" | |
739 | return ${EXIT_ERROR} | |
740 | fi | |
741 | ||
742 | if ! ipsec_connection_write_config_key "${connection}" "LOCAL_ADDRESS" ${local_address}; then | |
743 | log ERROR "Could not write configuration settings" | |
744 | return ${EXIT_ERROR} | |
745 | fi | |
746 | ||
747 | return ${EXIT_OK} | |
748 | } | |
749 | ||
917a1aa0 JS |
750 | # Set the peer to connect to |
751 | ipsec_connection_peer() { | |
0b962a64 | 752 | if [ ! $# -eq 2 ]; then |
917a1aa0 JS |
753 | log ERROR "Not enough arguments" |
754 | return ${EXIT_ERROR} | |
755 | fi | |
756 | local connection=${1} | |
757 | local peer=${2} | |
758 | ||
759 | if ! ipsec_connection_check_peer ${peer}; then | |
760 | log ERROR "Peer '${peer}' is invalid" | |
761 | return ${EXIT_ERROR} | |
762 | fi | |
763 | ||
764 | if ! ipsec_connection_write_config_key "${connection}" "PEER" ${peer}; then | |
765 | log ERROR "Could not write configuration settings" | |
766 | return ${EXIT_ERROR} | |
767 | fi | |
768 | ||
769 | return ${EXIT_OK} | |
770 | } | |
771 | ||
772 | #Set the local or remote id | |
773 | ipsec_connection_id() { | |
774 | if [ ! $# -eq 3 ]; then | |
775 | log ERROR "Not enough arguments" | |
776 | return ${EXIT_ERROR} | |
777 | fi | |
778 | local connection=${1} | |
779 | local type=${2} | |
780 | local id=${3} | |
781 | ||
782 | if ! ipsec_connection_check_id ${id}; then | |
783 | log ERROR "Id '${id}' is invalid" | |
784 | return ${EXIT_ERROR} | |
785 | fi | |
aaa72eef | 786 | |
917a1aa0 JS |
787 | if ! ipsec_connection_write_config_key "${connection}" "${type}_ID" ${id}; then |
788 | log ERROR "Could not write configuration settings" | |
789 | return ${EXIT_ERROR} | |
790 | fi | |
aaa72eef | 791 | |
917a1aa0 JS |
792 | return ${EXIT_OK} |
793 | } | |
794 | ||
aaa72eef | 795 | # Set the local or remote prefix |
917a1aa0 JS |
796 | ipsec_connection_prefix() { |
797 | if [ ! $# -ge 3 ]; then | |
798 | log ERROR "Not enough arguments" | |
799 | return ${EXIT_ERROR} | |
800 | fi | |
801 | local connection=${1} | |
802 | local type=${2} | |
803 | shift 2 | |
aaa72eef | 804 | |
917a1aa0 JS |
805 | local _prefix="${type}_PREFIX" |
806 | local "${_prefix}" | |
807 | if ! ipsec_connection_read_config "${connection}" "${_prefix}"; then | |
808 | return ${EXIT_ERROR} | |
809 | fi | |
810 | ||
811 | # Remove duplicated entries to proceed the list safely | |
812 | assign "${_prefix}" "$(list_unique ${!_prefix} )" | |
813 | ||
814 | local prefixes_added | |
815 | local prefixes_removed | |
816 | local prefixes_set | |
817 | ||
818 | while [ $# -gt 0 ]; do | |
819 | local arg="${1}" | |
820 | ||
821 | case "${arg}" in | |
822 | +*) | |
823 | list_append prefixes_added "${arg:1}" | |
824 | ;; | |
825 | -*) | |
826 | list_append prefixes_removed "${arg:1}" | |
827 | ;; | |
828 | [A-Fa-f0-9]*) | |
829 | list_append prefixes_set "${arg}" | |
830 | ;; | |
831 | *) | |
832 | error "Invalid argument: ${arg}" | |
833 | return ${EXIT_ERROR} | |
834 | ;; | |
835 | esac | |
836 | shift | |
837 | done | |
838 | ||
839 | # Check if the user is trying a mixed operation | |
840 | if ! list_is_empty prefixes_set && (! list_is_empty prefixes_added || ! list_is_empty prefixes_removed); then | |
841 | error "You cannot reset the prefix list and add or remove prefixes at the same time" | |
842 | return ${EXIT_ERROR} | |
843 | fi | |
844 | ||
845 | # Set new prefix list | |
846 | if ! list_is_empty prefixes_set; then | |
847 | # Check if all prefixes are valid | |
848 | local prefix | |
849 | for prefix in ${prefixes_set}; do | |
850 | if ! ip_net_is_valid ${prefix}; then | |
851 | error "Unsupported prefix: ${prefix}" | |
852 | return ${EXIT_ERROR} | |
853 | fi | |
854 | done | |
855 | ||
856 | assign "${_prefix}" "${prefixes_set}" | |
857 | ||
858 | # Perform incremental updates | |
859 | else | |
860 | local prefix | |
861 | ||
862 | # Perform all removals | |
863 | for prefix in ${prefixes_removed}; do | |
864 | if ! list_remove "${_prefix}" ${prefix}; then | |
865 | warning "${prefix} was not on the list and could not be removed" | |
866 | fi | |
867 | done | |
868 | ||
869 | ||
870 | for prefix in ${prefixes_added}; do | |
871 | if ip_net_is_valid ${prefix}; then | |
872 | if ! list_append_unique "${_prefix}" ${prefix}; then | |
873 | warning "${prefix} is already on the prefix list" | |
874 | fi | |
875 | else | |
f03f29b7 | 876 | warning "${prefix} is not a valid IP network and could not be added" |
917a1aa0 JS |
877 | fi |
878 | done | |
879 | fi | |
880 | ||
881 | # Check if the list contain at least one valid prefix | |
882 | if list_is_empty ${_prefix}; then | |
883 | error "Cannot save an empty prefix list" | |
884 | return ${EXIT_ERROR} | |
885 | fi | |
886 | ||
887 | # Save everything | |
888 | if ! ipsec_connection_write_config_key "${connection}" "${_prefix}" ${!_prefix}; then | |
889 | log ERROR "Could not write configuration settings" | |
890 | fi | |
891 | ||
892 | return ${EXIT_OK} | |
893 | } | |
894 | ||
96fdb077 JS |
895 | # Set the pools to use |
896 | ipsec_connection_pool() { | |
897 | if [ ! $# -ge 2 ]; then | |
898 | log ERROR "Not enough arguments" | |
899 | return ${EXIT_ERROR} | |
900 | fi | |
901 | local connection=${1} | |
902 | shift | |
903 | ||
904 | local POOLS | |
905 | if ! ipsec_connection_read_config "${connection}" "POOLS"; then | |
906 | return ${EXIT_ERROR} | |
907 | fi | |
908 | ||
909 | # Remove duplicated entries to proceed the list safely | |
910 | assign "POOLS" "$(list_unique ${POOLS})" | |
911 | ||
912 | local pools_added | |
913 | local pools_removed | |
914 | local pools_set | |
915 | ||
916 | while [ $# -gt 0 ]; do | |
917 | local arg="${1}" | |
918 | ||
919 | case "${arg}" in | |
920 | +*) | |
921 | list_append pools_added "${arg:1}" | |
922 | ;; | |
923 | -*) | |
924 | list_append pools_removed "${arg:1}" | |
925 | ;; | |
926 | [A-Za-z0-9]*) | |
927 | list_append pools_set "${arg}" | |
928 | ;; | |
929 | *) | |
930 | error "Invalid argument: ${arg}" | |
931 | return ${EXIT_ERROR} | |
932 | ;; | |
933 | esac | |
934 | shift | |
935 | done | |
936 | ||
937 | # Check if the user is trying a mixed operation | |
938 | if ! list_is_empty pools_set && (! list_is_empty pools_added || ! list_is_empty pools_removed); then | |
939 | error "You cannot reset the pools list and add or remove pools at the same time" | |
940 | return ${EXIT_ERROR} | |
941 | fi | |
942 | ||
943 | # Set new pools list | |
944 | if ! list_is_empty pools_set; then | |
945 | # Check if all pools are valid | |
946 | local pool | |
947 | for pool in ${pools_set}; do | |
948 | if ! ipsec_pool_exists ${pool} || ! ipsec_pool_check_config ${pool}; then | |
949 | error "Pool ${pool} is not valid" | |
950 | return ${EXIT_ERROR} | |
951 | fi | |
952 | done | |
953 | ||
954 | assign "POOLS" "${pools_set}" | |
955 | ||
956 | # Perform incremental updates | |
957 | else | |
958 | local pool | |
959 | ||
960 | # Perform all removals | |
961 | for pool in ${pools_removed}; do | |
962 | if ! list_remove "POOLS" ${pool}; then | |
963 | warning "${pool} was not on the list and could not be removed" | |
964 | fi | |
965 | done | |
966 | ||
967 | ||
968 | for pool in ${pools_added}; do | |
beb0ebbb | 969 | if ipsec_pool_exists ${pool} && ipsec_pool_check_config ${pool}; then |
96fdb077 JS |
970 | if ! list_append_unique "POOLS" ${pool}; then |
971 | warning "${pool} is already on the prefix list" | |
972 | fi | |
973 | else | |
974 | warning "${pool} is not a valid pool" | |
975 | fi | |
976 | done | |
977 | fi | |
978 | ||
979 | # Check if the list contain at least one valid pool | |
980 | if list_is_empty POOLS; then | |
981 | error "Cannot save an empty pool list" | |
982 | return ${EXIT_ERROR} | |
983 | fi | |
984 | ||
985 | # Save everything | |
986 | if ! ipsec_connection_write_config_key "${connection}" "POOLS" ${POOLS}; then | |
987 | log ERROR "Could not write configuration settings" | |
988 | fi | |
989 | ||
990 | return ${EXIT_OK} | |
991 | } | |
992 | ||
917a1aa0 JS |
993 | # Handle the cli after remote |
994 | ipsec_connection_remote() { | |
995 | if [ ! $# -ge 2 ]; then | |
996 | log ERROR "Not enough arguments" | |
997 | return ${EXIT_ERROR} | |
998 | fi | |
999 | ||
1000 | local connection=${1} | |
1001 | local cmd=${2} | |
1002 | shift 2 | |
1003 | ||
1004 | case ${cmd} in | |
1005 | id) | |
2212045f | 1006 | ipsec_connection_id "${connection}" "REMOTE" "$@" |
917a1aa0 JS |
1007 | ;; |
1008 | ||
1009 | prefix) | |
2212045f | 1010 | ipsec_connection_prefix "${connection}" "REMOTE" "$@" |
917a1aa0 JS |
1011 | ;; |
1012 | *) | |
1013 | log ERROR "Unrecognized argument: ${cmd}" | |
1014 | return ${EXIT_ERROR} | |
1015 | ;; | |
1016 | esac | |
1017 | ||
1018 | return ${EXIT_OK} | |
1019 | } | |
1020 | ||
1021 | # Set the inactivity timeout | |
1022 | ipsec_connection_inactivity_timeout() { | |
1023 | if [ ! $# -ge 2 ]; then | |
1024 | log ERROR "Not enough arguments" | |
1025 | return ${EXIT_ERROR} | |
1026 | fi | |
1027 | ||
1028 | local connection=${1} | |
1029 | shift 1 | |
1030 | local value=$@ | |
1031 | ||
1032 | if ! isinteger value; then | |
2212045f | 1033 | value=$(parse_time "$@") |
917a1aa0 JS |
1034 | if [ ! $? -eq 0 ]; then |
1035 | log ERROR "Parsing the passed time was not sucessful please check the passed values." | |
1036 | return ${EXIT_ERROR} | |
1037 | fi | |
1038 | fi | |
1039 | ||
1040 | if [ ${value} -le 0 ]; then | |
1041 | log ERROR "The passed time value must be in the sum greater zero seconds." | |
1042 | return ${EXIT_ERROR} | |
1043 | fi | |
1044 | ||
1045 | if ! ipsec_connection_write_config_key "${connection}" "INACTIVITY_TIMEOUT" ${value}; then | |
1046 | log ERROR "Could not write configuration settings" | |
1047 | return ${EXIT_ERROR} | |
1048 | fi | |
1049 | ||
1050 | return ${EXIT_OK} | |
1051 | } | |
1052 | ||
bb9fccaf JS |
1053 | # Set the default start action |
1054 | ipsec_connection_start_action() { | |
1055 | if [ ! $# -eq 2 ]; then | |
1056 | log ERROR "Not enough arguments" | |
1057 | return ${EXIT_ERROR} | |
1058 | fi | |
1059 | local connection=${1} | |
1060 | local action=${2} | |
1061 | ||
1062 | if ! isoneof action "on-demand" "always-on"; then | |
1063 | log ERROR "Start action '${action}' is invalid" | |
1064 | return ${EXIT_ERROR} | |
1065 | fi | |
1066 | ||
1067 | if ! ipsec_connection_write_config_key "${connection}" "START_ACTION" ${action}; then | |
1068 | log ERROR "Could not write configuration settings" | |
1069 | return ${EXIT_ERROR} | |
1070 | fi | |
1071 | } | |
917a1aa0 JS |
1072 | |
1073 | # Set the security policy to use | |
1074 | ipsec_connection_security_policy() { | |
1075 | if [ ! $# -eq 2 ]; then | |
1076 | log ERROR "Not enough arguments" | |
1077 | return ${EXIT_ERROR} | |
1078 | fi | |
1079 | local connection=${1} | |
1080 | local security_policy=${2} | |
1081 | ||
1082 | if ! vpn_security_policy_exists ${security_policy}; then | |
1083 | log ERROR "No such vpn security policy '${security_policy}'" | |
1084 | return ${EXIT_ERROR} | |
1085 | fi | |
1086 | ||
1087 | if ! ipsec_connection_write_config_key "${connection}" "SECURITY_POLICY" ${security_policy}; then | |
1088 | log ERROR "Could not write configuration settings" | |
1089 | return ${EXIT_ERROR} | |
1090 | fi | |
1091 | } | |
1092 | ||
1093 | # Check if a id is valid | |
1094 | ipsec_connection_check_id() { | |
1095 | assert [ $# -eq 1 ] | |
1096 | local id=${1} | |
1097 | ||
1098 | if [[ ${id} =~ ^@[[:alnum:]]+$ ]] || ip_is_valid ${id}; then | |
1099 | return ${EXIT_TRUE} | |
1100 | else | |
1101 | return ${EXIT_FALSE} | |
1102 | fi | |
1103 | } | |
1104 | ||
1105 | # Checks if a peer is valid | |
1106 | ipsec_connection_check_peer() { | |
1107 | assert [ $# -eq 1 ] | |
1108 | local peer=${1} | |
1109 | ||
1110 | # TODO Accept also FQDNs | |
1111 | if ip_is_valid ${peer}; then | |
1112 | return ${EXIT_TRUE} | |
1113 | else | |
1114 | return ${EXIT_FALSE} | |
1115 | fi | |
1116 | } | |
1117 | ||
1118 | # This function checks if a VPN IPsec connection name is valid | |
1119 | # Allowed are only A-Za-z0-9 | |
1120 | ipsec_connection_check_name() { | |
1121 | assert [ $# -eq 1 ] | |
1122 | ||
1123 | local connection=${1} | |
1124 | ||
1125 | [[ "${connection}" =~ [^[:alnum:]$] ]] | |
1126 | } | |
1127 | ||
1128 | # Function that creates one VPN IPsec connection | |
1129 | ipsec_connection_new() { | |
89d71d08 | 1130 | if [ $# -gt 2 ]; then |
917a1aa0 JS |
1131 | error "Too many arguments" |
1132 | return ${EXIT_ERROR} | |
1133 | fi | |
1134 | ||
1135 | local connection="${1}" | |
89d71d08 JS |
1136 | local type="${2}" |
1137 | ||
917a1aa0 JS |
1138 | if ! isset connection; then |
1139 | error "Please provide a connection name" | |
1140 | return ${EXIT_ERROR} | |
1141 | fi | |
1142 | ||
1143 | # Check for duplicates | |
1144 | if ipsec_connection_exists "${connection}"; then | |
1145 | error "The VPN IPsec connection ${connection} already exists" | |
1146 | return ${EXIT_ERROR} | |
1147 | fi | |
1148 | ||
1149 | # Check if the name of the connection is valid | |
1150 | if ipsec_connection_check_name "${connection}"; then | |
1151 | error "'${connection}' contains illegal characters" | |
1152 | return ${EXIT_ERROR} | |
1153 | fi | |
1154 | ||
89d71d08 JS |
1155 | # Set TYPE to default if not set by the user |
1156 | if ! isset type; then | |
1157 | type="${IPSEC_DEFAULT_TYPE}" | |
1158 | fi | |
1159 | ||
1160 | if ! isoneof "type" "net-to-net" "host-to-net"; then | |
1161 | error "Type is invalid" | |
1162 | return ${EXIT_ERROR} | |
1163 | fi | |
1164 | ||
917a1aa0 JS |
1165 | log DEBUG "Creating VPN IPsec connection ${connection}" |
1166 | ||
cf8685a1 | 1167 | if ! mkdir -p "${NETWORK_IPSEC_CONNS_DIR}/${connection}"; then |
917a1aa0 JS |
1168 | log ERROR "Could not create config directory for ${connection}" |
1169 | return ${EXIT_ERROR} | |
1170 | fi | |
1171 | ||
1172 | local ${IPSEC_CONNECTION_CONFIG_SETTINGS} | |
1173 | ||
917a1aa0 | 1174 | AUTH_MODE=${IPSEC_DEFAULT_AUTH_MODE} |
bb9fccaf JS |
1175 | DPD_ACTION=${IPSEC_DEFAULT_DPD_ACTION} |
1176 | DPD_DELAY=${IPSEC_DEFAULT_DPD_DELAY} | |
1177 | DPD_TIMEOUT=${IPSEC_DEFAULT_DPD_TIMEOUT} | |
5601f4f5 | 1178 | ENABLED=${IPSEC_DEFAULT_ENABLED} |
bb9fccaf JS |
1179 | MODE=${IPSEC_DEFAULT_MODE} |
1180 | START_ACTION=${IPSEC_DEFAULT_START_ACTION} | |
89d71d08 | 1181 | TYPE="${type}" |
bb9fccaf | 1182 | |
917a1aa0 JS |
1183 | INACTIVITY_TIMEOUT=${IPSEC_DEFAULT_INACTIVITY_TIMEOUT} |
1184 | SECURITY_POLICY=${IPSEC_DEFAULT_SECURITY_POLICY} | |
1185 | ||
1186 | if ! ipsec_connection_write_config "${connection}"; then | |
1187 | log ERROR "Could not write new config file" | |
1188 | return ${EXIT_ERROR} | |
1189 | fi | |
c3f31173 MT |
1190 | |
1191 | # Configure strongswan autostart | |
1192 | ipsec_strongswan_autostart | |
917a1aa0 JS |
1193 | } |
1194 | ||
1195 | # Function that deletes based on the passed parameters one ore more vpn security policies | |
1196 | ipsec_connection_destroy() { | |
1197 | local connection | |
2212045f | 1198 | for connection in "$@"; do |
917a1aa0 JS |
1199 | if ! ipsec_connection_exists "${connection}"; then |
1200 | log ERROR "The VPN IPsec connection ${connection} does not exist." | |
1201 | continue | |
1202 | fi | |
1203 | ||
1204 | log DEBUG "Deleting VPN IPsec connection ${connection}" | |
fa33d830 MT |
1205 | |
1206 | # Delete strongswan configuration file | |
1207 | file_delete "${NETWORK_IPSEC_SWANCTL_CONNECTIONS_DIR}/${connection}.conf" | |
1208 | ||
cf8685a1 | 1209 | if ! rm -rf "${NETWORK_IPSEC_CONNS_DIR}/${connection}"; then |
917a1aa0 JS |
1210 | log ERROR "Deleting the VPN IPsec connection ${connection} was not sucessful" |
1211 | return ${EXIT_ERROR} | |
1212 | fi | |
c3f31173 | 1213 | |
fa33d830 | 1214 | done |
917a1aa0 | 1215 | } |
d6c852b8 JS |
1216 | |
1217 | # List all ipsec connections | |
1218 | ipsec_list_connections() { | |
1219 | local connection | |
1220 | for connection in ${NETWORK_IPSEC_CONNS_DIR}/*; do | |
1221 | [ -d ${connection} ] || continue | |
1222 | basename ${connection} | |
1223 | done | |
1224 | } | |
67baa452 MT |
1225 | |
1226 | ipsec_connection_to_strongswan() { | |
1227 | local connection="${1}" | |
aaa72eef | 1228 | log DEBUG "Generating IPsec configuration for ${connection}" |
67baa452 MT |
1229 | |
1230 | # Read the config settings | |
1231 | local ${IPSEC_CONNECTION_CONFIG_SETTINGS} | |
1232 | if ! ipsec_connection_read_config "${connection}"; then | |
1233 | error "Could not read the connection ${connection}" | |
1234 | return ${EXIT_ERROR} | |
1235 | fi | |
1236 | ||
1237 | local path="${NETWORK_IPSEC_SWANCTL_CONNECTIONS_DIR}/${connection}.conf" | |
1238 | ||
1239 | ( | |
1240 | # Write the connection section | |
1241 | _ipsec_connection_to_strongswan_connection "${connection}" | |
1242 | ||
1243 | # Write the secrets section | |
1244 | _ipsec_connection_to_strongswan_secrets "${connection}" | |
1245 | ||
1246 | ) > ${path} | |
1247 | } | |
1248 | ||
1249 | _ipsec_connection_to_strongswan_connection() { | |
1250 | local connection="${1}" | |
1251 | ||
1252 | # Read the security policy | |
1253 | local ${VPN_SECURITY_POLICIES_CONFIG_SETTINGS} | |
1254 | if ! vpn_security_policies_read_config "${SECURITY_POLICY}"; then | |
1255 | return ${EXIT_ERROR} | |
1256 | fi | |
1257 | ||
4e271faa MT |
1258 | # Is DPD enabled? |
1259 | local dpd="false" | |
1260 | if isset DPD_DELAY && isinteger DPD_DELAY && [ ${DPD_DELAY} -gt 0 ]; then | |
1261 | dpd="true" | |
1262 | fi | |
1263 | ||
b21fb175 MT |
1264 | # Write configuration header |
1265 | config_header "strongSwan configuration for ${connection}" | |
1266 | ||
67baa452 MT |
1267 | print_indent 0 "connections {" |
1268 | print_indent 1 "${connection} {" | |
1269 | ||
1270 | # IKE Version | |
1271 | print_indent 2 "# IKE Version" | |
1272 | case "${KEY_EXCHANGE^^}" in | |
1273 | IKEV1) | |
1274 | print_indent 2 "version = 1" | |
1275 | ;; | |
1276 | ||
1277 | # Fall back to IKEv2 for any random values | |
1278 | IKEV2|*) | |
1279 | print_indent 2 "version = 2" | |
1280 | ;; | |
1281 | esac | |
1282 | print # empty line | |
1283 | ||
4609d6b4 MT |
1284 | # Always only keep one connection open at a time |
1285 | print_indent 2 "# Unique IDs" | |
1286 | print_indent 2 "unique = replace" | |
1287 | ||
1288 | ||
3e8ad776 MT |
1289 | # Local Address |
1290 | print_indent 2 "# Local Address" | |
1291 | if isset LOCAL_ADDRESS; then | |
1292 | print_indent 2 "local_addrs = ${LOCAL_ADDRESS}" | |
1293 | else | |
1294 | print_indent 2 "local_addrs = %any" | |
1295 | fi | |
1296 | ||
67baa452 MT |
1297 | |
1298 | # Remote Address | |
1299 | print_indent 2 "# Remote Address" | |
1300 | if isset PEER; then | |
1301 | print_indent 2 "remote_addrs = ${PEER}" | |
1302 | else | |
1303 | print_indent 2 "remote_addrs = %any" | |
1304 | fi | |
1305 | ||
1306 | ||
1307 | # IKE Proposals | |
1308 | print_indent 2 "# IKE Proposals" | |
e3ffacf7 | 1309 | print_indent 2 "proposals = $(vpn_security_policies_make_ike_proposal ${SECURITY_POLICY})" |
67baa452 MT |
1310 | |
1311 | ||
117278c3 | 1312 | # DPD Settings |
4e271faa | 1313 | if enabled dpd; then |
117278c3 | 1314 | print_indent 2 "# Dead Peer Detection" |
117278c3 MT |
1315 | print_indent 2 "dpd_delay = ${DPD_DELAY}" |
1316 | ||
1317 | if isset DPD_TIMEOUT; then | |
1318 | print_indent 2 "dpd_timeout = ${DPD_TIMEOUT}" | |
1319 | fi | |
1320 | ||
1321 | ||
1322 | fi | |
67baa452 MT |
1323 | |
1324 | # Fragmentation | |
1325 | print_indent 2 "# Fragmentation" | |
1326 | print_indent 2 "fragmentation = yes" | |
1327 | ||
1328 | ||
dd66c192 MT |
1329 | |
1330 | # Host-to-Net specific settings | |
1331 | case "${TYPE}" in | |
1332 | host-to-net) | |
1333 | # Pools | |
1334 | if isset POOLS; then | |
1335 | print_indent 2 "# Pools" | |
1336 | print_indent 2 "pools = $(list_join POOLS ", ")" | |
1337 | ||
1338 | fi | |
1339 | ;; | |
1340 | esac | |
96fdb077 | 1341 | |
67baa452 MT |
1342 | # Local |
1343 | print_indent 2 "local {" | |
1344 | ||
1345 | # Local ID | |
1346 | if isset LOCAL_ID; then | |
1347 | print_indent 3 "id = ${LOCAL_ID}" | |
1348 | fi | |
1349 | ||
1350 | # Authentication | |
1351 | case "${AUTH_MODE}" in | |
1352 | PSK) | |
1353 | print_indent 3 "auth = psk" | |
1354 | ;; | |
1355 | esac | |
1356 | ||
1357 | print_indent 2 "}" | |
1358 | ||
1359 | ||
1360 | # Remote | |
1361 | print_indent 2 "remote {" | |
1362 | ||
1363 | # Remote ID | |
1364 | if isset REMOTE_ID; then | |
1365 | print_indent 3 "id = ${REMOTE_ID}" | |
1366 | fi | |
1367 | ||
1368 | # Authentication | |
1369 | case "${AUTH_MODE}" in | |
1370 | PSK) | |
1371 | print_indent 3 "auth = psk" | |
1372 | ;; | |
1373 | esac | |
1374 | ||
1375 | print_indent 2 "}" | |
1376 | ||
1377 | ||
1378 | # Children | |
1379 | ||
1380 | print_indent 2 "children {" | |
1381 | print_indent 3 "${connection} {" | |
1382 | ||
1383 | print_indent 4 "# ESP Proposals" | |
e3d8f3f6 | 1384 | print_indent 4 "esp_proposals = $(vpn_security_policies_make_esp_proposal ${SECURITY_POLICY})" |
67baa452 MT |
1385 | |
1386 | ||
1387 | # Traffic Selectors | |
1388 | ||
95835d23 MT |
1389 | case "${MODE}" in |
1390 | gre-*) | |
1391 | print_indent 4 "local_ts = dynamic[gre]" | |
1392 | print_indent 4 "remote_ts = dynamic[gre]" | |
1393 | ;; | |
1394 | *) | |
1395 | # Local Prefixes | |
1396 | if isset LOCAL_PREFIX; then | |
1397 | print_indent 4 "local_ts = $(list_join LOCAL_PREFIX ,)" | |
1398 | else | |
1399 | print_indent 4 "local_ts = dynamic" | |
1400 | fi | |
67baa452 | 1401 | |
95835d23 MT |
1402 | # Remote Prefixes |
1403 | if isset REMOTE_PREFIX; then | |
1404 | print_indent 4 "remote_ts = $(list_join REMOTE_PREFIX ,)" | |
1405 | else | |
1406 | print_indent 4 "remote_ts = dynamic" | |
1407 | fi | |
1408 | ;; | |
1409 | esac | |
67baa452 MT |
1410 | |
1411 | ||
82fac748 | 1412 | # Netfilter Marks |
8af22236 MT |
1413 | case "${MODE}" in |
1414 | vti) | |
1415 | print_indent 4 "# Netfilter Marks" | |
1416 | print_indent 4 "mark_in = %unique" | |
1417 | print_indent 4 "mark_out = %unique" | |
1418 | ||
1419 | ;; | |
1420 | esac | |
82fac748 | 1421 | |
4e271faa MT |
1422 | # Dead Peer Detection |
1423 | if enabled dpd; then | |
1424 | print_indent 4 "# Dead Peer Detection" | |
1425 | print_indent 4 "dpd_action = ${DPD_ACTION}" | |
1426 | ||
1427 | fi | |
1428 | ||
67baa452 MT |
1429 | # Rekeying |
1430 | if isset LIFETIME; then | |
1431 | print_indent 4 "# Rekey Time" | |
1432 | print_indent 4 "rekey_time = ${LIFETIME}" | |
1433 | ||
1434 | fi | |
1435 | ||
1436 | # Updown Script | |
1437 | print_indent 4 "updown = ${NETWORK_HELPERS_DIR}/ipsec-updown" | |
1438 | ||
1439 | ||
1440 | # Mode | |
1441 | print_indent 4 "# Mode" | |
1442 | case "${MODE}" in | |
1443 | gre-transport) | |
1444 | print_indent 4 "mode = transport" | |
1445 | ;; | |
1446 | tunnel|vti|*) | |
1447 | print_indent 4 "mode = tunnel" | |
1448 | ;; | |
1449 | esac | |
1450 | ||
1451 | ||
1452 | # Compression | |
1453 | print_indent 4 "# Compression" | |
1454 | if enabled COMPRESSION; then | |
1455 | print_indent 4 "ipcomp = yes" | |
1456 | else | |
1457 | print_indent 4 "ipcomp = no" | |
1458 | fi | |
1459 | ||
1460 | ||
1461 | # Inactivity Timeout | |
1462 | if isset INACTIVITY_TIMEOUT; then | |
1463 | print_indent 4 "# Inactivity Timeout" | |
1464 | print_indent 4 "inactivity = ${INACTIVITY_TIMEOUT}" | |
1465 | ||
1466 | fi | |
1467 | ||
dd66c192 MT |
1468 | # Net-to-Net specific settings |
1469 | case "${TYPE}" in | |
1470 | net-to-net) | |
1471 | # Start Action | |
1472 | print_indent 4 "# Start Action" | |
1473 | case "${START_ACTION}" in | |
1474 | on-demand) | |
1475 | print_indent 4 "start_action = trap" | |
1476 | print_indent 4 "close_action = trap" | |
1477 | ;; | |
1478 | wait) | |
1479 | print_indent 4 "start_action = none" | |
1480 | print_indent 4 "close_action = none" | |
1481 | ;; | |
1482 | always-on|*) | |
1483 | print_indent 4 "start_action = start" | |
1484 | print_indent 4 "close_action = start" | |
1485 | ;; | |
1486 | esac | |
1487 | ||
37317b3e MT |
1488 | ;; |
1489 | esac | |
67baa452 MT |
1490 | |
1491 | print_indent 3 "}" | |
1492 | print_indent 2 "}" | |
1493 | ||
1494 | ||
1495 | print_indent 1 "}" | |
1496 | print_indent 0 "}" | |
1497 | ||
1498 | } | |
1499 | ||
1500 | _ipsec_connection_to_strongswan_secrets() { | |
1501 | local connection="${1}" | |
1502 | ||
1503 | print_indent 0 "secrets {" | |
1504 | ||
1505 | case "${AUTH_MODE}" in | |
1506 | PSK) | |
1507 | print_indent 1 "ike {" | |
1508 | ||
1509 | # Secret | |
1510 | print_indent 2 "secret = ${PSK}" | |
1511 | ||
1512 | # ID | |
1513 | if isset REMOTE_ID; then | |
1514 | print_indent 2 "id = ${REMOTE_ID}" | |
1515 | fi | |
1516 | ||
1517 | print_indent 1 "}" | |
1518 | ;; | |
1519 | esac | |
1520 | ||
1521 | print_indent 0 "}" | |
1522 | } | |
7c623df2 JS |
1523 | |
1524 | # This function writes all values to a via ${pool} specificated VPN IPsec pool configuration file | |
1525 | ipsec_pool_write_config() { | |
1526 | assert [ $# -ge 1 ] | |
1527 | ||
1528 | local pool="${1}" | |
1529 | ||
1530 | if ! ipsec_pool_exists "${pool}"; then | |
1531 | log ERROR "No such VPN IPsec pool: ${pool}" | |
1532 | return ${EXIT_ERROR} | |
1533 | fi | |
1534 | ||
1535 | local path="${NETWORK_IPSEC_POOLS_DIR}/${pool}/settings" | |
1536 | ||
1537 | if ! settings_write "${path}" ${IPSEC_POOL_CONFIG_SETTINGS}; then | |
1538 | log ERROR "Could not write configuration settings for VPN IPsec pool ${pool}" | |
1539 | return ${EXIT_ERROR} | |
1540 | fi | |
940bb51b JS |
1541 | |
1542 | if ! ipsec_pool_reload ${pool}; then | |
1543 | log WARNING "Could not reload IPsec pool ${pool}" | |
1544 | fi | |
1545 | ||
1546 | # When we get here the writing of the config file was successful | |
1547 | return ${EXIT_OK} | |
7c623df2 JS |
1548 | } |
1549 | ||
1550 | # This funtion writes the value for one key to a via ${connection} specificated | |
1551 | # VPN IPsec pool configuration file | |
1552 | ipsec_pool_write_config_key() { | |
1553 | assert [ $# -ge 3 ] | |
1554 | ||
1555 | local pool=${1} | |
1556 | local key=${2} | |
1557 | shift 2 | |
1558 | ||
1559 | local value="$@" | |
1560 | ||
1561 | if ! ipsec_pool_exists "${pool}"; then | |
1562 | log ERROR "No such VPN IPsec pool: ${pool}" | |
1563 | return ${EXIT_ERROR} | |
1564 | fi | |
1565 | ||
1566 | log DEBUG "Set '${key}' to new value '${value}' in VPN IPsec pool '${pool}'" | |
1567 | ||
1568 | local ${IPSEC_POOL_CONFIG_SETTINGS} | |
1569 | ||
1570 | # Read the config settings | |
1571 | if ! ipsec_pool_read_config "${pool}"; then | |
1572 | return ${EXIT_ERROR} | |
1573 | fi | |
1574 | ||
1575 | # Set the key to a new value | |
1576 | assign "${key}" "${value}" | |
1577 | ||
1578 | if ! ipsec_pool_write_config "${pool}"; then | |
1579 | return ${EXIT_ERROR} | |
1580 | fi | |
1581 | ||
1582 | return ${EXIT_TRUE} | |
1583 | } | |
1584 | ||
1585 | # Reads one or more keys out of a settings file or all if no key is provided. | |
1586 | ipsec_pool_read_config() { | |
1587 | assert [ $# -ge 1 ] | |
1588 | ||
1589 | local pool="${1}" | |
1590 | shift 1 | |
1591 | ||
1592 | if ! ipsec_pool_exists "${pool}"; then | |
1593 | log ERROR "No such VPN IPsec pool : ${pool}" | |
1594 | return ${EXIT_ERROR} | |
1595 | fi | |
1596 | ||
1597 | local args | |
1598 | if [ $# -eq 0 ] && [ -n "${IPSEC_POOL_CONFIG_SETTINGS}" ]; then | |
1599 | list_append args ${IPSEC_POOL_CONFIG_SETTINGS} | |
1600 | else | |
2212045f | 1601 | list_append args "$@" |
7c623df2 JS |
1602 | fi |
1603 | ||
1604 | local path="${NETWORK_IPSEC_POOLS_DIR}/${pool}/settings" | |
1605 | ||
1606 | if ! settings_read "${path}" ${args}; then | |
1607 | log ERROR "Could not read settings for VPN IPsec pool ${pool}" | |
1608 | return ${EXIT_ERROR} | |
1609 | fi | |
1610 | } | |
1611 | ||
1612 | # This function checks if a vpn IPsec pool exists | |
1613 | # Returns True when yes and false when not | |
1614 | ipsec_pool_exists() { | |
1615 | assert [ $# -eq 1 ] | |
1616 | ||
1617 | local pool=${1} | |
1618 | ||
1619 | local path="${NETWORK_IPSEC_POOLS_DIR}/${pool}" | |
1620 | ||
1621 | [ -d "${path}" ] && return ${EXIT_TRUE} || return ${EXIT_FALSE} | |
1622 | } | |
1623 | ||
1624 | # This function checks if a VPN IPsec pool name is valid | |
1625 | # Allowed are only A-Za-z0-9 | |
1626 | ipsec_pool_check_name() { | |
1627 | assert [ $# -eq 1 ] | |
1628 | ||
1629 | local pool=${1} | |
1630 | ||
1631 | # These are special words in strongswan | |
1632 | if isoneof pool dhcp radius; then | |
1633 | return ${EXIT_ERROR} | |
1634 | fi | |
1635 | ||
1636 | [[ "${pool}" =~ [^[:alnum:]$] ]] | |
1637 | } | |
1638 | ||
1639 | ipsec_pool_new() { | |
1640 | if [ $# -gt 1 ]; then | |
1641 | error "Too many arguments" | |
1642 | return ${EXIT_ERROR} | |
1643 | fi | |
1644 | ||
1645 | local pool="${1}" | |
1646 | if ! isset pool; then | |
1647 | error "Please provide a pool name" | |
1648 | return ${EXIT_ERROR} | |
1649 | fi | |
1650 | ||
1651 | # Check for duplicates | |
1652 | if ipsec_pool_exists "${pool}"; then | |
1653 | error "The VPN IPsec pool ${pool} already exists" | |
1654 | return ${EXIT_ERROR} | |
1655 | fi | |
1656 | ||
1657 | # Check if the name of the connection is valid | |
1658 | if ipsec_pool_check_name "${pool}"; then | |
1659 | error "'${pool}' contains illegal characters" | |
1660 | return ${EXIT_ERROR} | |
1661 | fi | |
1662 | ||
1663 | log DEBUG "Creating VPN IPsec pool ${pool}" | |
1664 | ||
1665 | if ! mkdir -p "${NETWORK_IPSEC_POOLS_DIR}/${pool}"; then | |
1666 | log ERROR "Could not create config directory for ${pool}" | |
1667 | return ${EXIT_ERROR} | |
1668 | fi | |
1669 | ||
1670 | local ${IPSEC_POOL_CONFIG_SETTINGS} | |
1671 | ||
1672 | if ! ipsec_pool_write_config "${pool}"; then | |
1673 | log ERROR "Could not write new config file" | |
1674 | return ${EXIT_ERROR} | |
1675 | fi | |
1676 | } | |
1677 | ||
1678 | # Function that deletes based on the passed parameters | |
1679 | # one ore more vpn ipsec pools | |
1680 | ipsec_pool_destroy() { | |
1681 | local pool | |
2212045f | 1682 | for pool in "$@"; do |
7c623df2 JS |
1683 | if ! ipsec_pool_exists "${pool}"; then |
1684 | log ERROR "The VPN IPsec pool ${pool} does not exist." | |
1685 | continue | |
1686 | fi | |
1687 | ||
1688 | log DEBUG "Deleting VPN IPsec pool ${pool}" | |
1689 | ||
1690 | if ! rm -rf "${NETWORK_IPSEC_POOLS_DIR}/${pool}"; then | |
1691 | log ERROR "Deleting the VPN IPsec pool ${pool} was not sucessful" | |
1692 | return ${EXIT_ERROR} | |
1693 | fi | |
1694 | done | |
1695 | } | |
1696 | ||
940bb51b JS |
1697 | ipsec_pool_set_type() { |
1698 | local pool=${1} | |
1699 | local ip=${2} | |
1700 | assert isset pool | |
1701 | assert isset ip | |
1702 | ||
1703 | local type=$(ip_detect_protocol ${ip}) | |
1704 | ||
1705 | if ! isset type; then | |
1706 | error "Cannot detect IP protocol of ${ip}" | |
1707 | return ${EXIT_ERROR} | |
1708 | else | |
1709 | log DEBUG "IP protocol of ${ip} is ${type}" | |
1710 | if ! ipsec_pool_write_config_key "${pool}" "TYPE" ${type}; then | |
1711 | log ERROR "Could not write configuration settings" | |
1712 | return ${EXIT_ERROR} | |
1713 | fi | |
1714 | fi | |
1715 | } | |
1716 | ||
7c623df2 | 1717 | ipsec_pool_network() { |
940bb51b | 1718 | if [ ! $# -eq 2 ]; then |
7c623df2 JS |
1719 | log ERROR "Not enough arguments" |
1720 | return ${EXIT_ERROR} | |
1721 | fi | |
1722 | local pool=${1} | |
940bb51b | 1723 | local network=${2} |
7c623df2 | 1724 | |
940bb51b JS |
1725 | local TYPE |
1726 | if ! ipsec_pool_read_config ${pool} "TYPE"; then | |
1727 | error "Failed to read configuration settings for pool '${pool}'" | |
7c623df2 JS |
1728 | return ${EXIT_ERROR} |
1729 | fi | |
1730 | ||
940bb51b JS |
1731 | if ! isset TYPE; then |
1732 | if ! ip_net_is_valid ${network}; then | |
1733 | log ERROR "Network '${network}' is invalid" | |
1734 | return ${EXIT_ERROR} | |
1735 | fi | |
7c623df2 | 1736 | |
940bb51b JS |
1737 | if ! ipsec_pool_set_type ${pool} ${network}; then |
1738 | log ERROR "Could not set type for IPsec pool ${pool}" | |
1739 | return ${EXIT_ERROR} | |
1740 | fi | |
1741 | else | |
1742 | if ! ${TYPE}_net_is_valid ${network}; then | |
1743 | log ERROR "Network '${network}' is invalid" | |
1744 | return ${EXIT_ERROR} | |
1745 | fi | |
1746 | fi | |
7c623df2 | 1747 | |
940bb51b JS |
1748 | if ! ipsec_pool_write_config_key "${pool}" "NETWORK" ${network}; then |
1749 | log ERROR "Could not write configuration settings" | |
1750 | return ${EXIT_ERROR} | |
1751 | fi | |
1752 | } | |
7c623df2 | 1753 | |
940bb51b JS |
1754 | ipsec_pool_dns_server() { |
1755 | if [ ! $# -eq 2 ]; then | |
1756 | log ERROR "Not enough arguments" | |
7c623df2 JS |
1757 | return ${EXIT_ERROR} |
1758 | fi | |
940bb51b JS |
1759 | local pool=${1} |
1760 | local dns_server=${2} | |
7c623df2 | 1761 | |
940bb51b JS |
1762 | local TYPE |
1763 | if ! ipsec_pool_read_config ${pool} "TYPE"; then | |
1764 | error "Failed to read configuration settings for pool '${pool}'" | |
1765 | return ${EXIT_ERROR} | |
1766 | fi | |
7c623df2 | 1767 | |
940bb51b JS |
1768 | if ! isset TYPE; then |
1769 | if ! ip_is_valid ${dns_server}; then | |
1770 | log ERROR "DNS server '${dns_server}' is invalid" | |
1771 | return ${EXIT_ERROR} | |
1772 | fi | |
7c623df2 | 1773 | |
940bb51b JS |
1774 | if ! ipsec_pool_set_type ${pool} ${dns_server}; then |
1775 | log ERROR "Could not set type for IPsec pool ${pool}" | |
1776 | return ${EXIT_ERROR} | |
1777 | fi | |
7c623df2 | 1778 | else |
940bb51b JS |
1779 | if ! ${TYPE}_is_valid ${dns_server}; then |
1780 | log ERROR "DNS server '${dns_server}' is invalid" | |
1781 | return ${EXIT_ERROR} | |
1782 | fi | |
7c623df2 JS |
1783 | fi |
1784 | ||
940bb51b | 1785 | if ! ipsec_pool_write_config_key "${pool}" "DNS_SERVER" ${dns_server}; then |
7c623df2 | 1786 | log ERROR "Could not write configuration settings" |
940bb51b | 1787 | return ${EXIT_ERROR} |
7c623df2 | 1788 | fi |
7c623df2 JS |
1789 | } |
1790 | ||
940bb51b JS |
1791 | ipsec_pool_check_config() { |
1792 | local pool=${1} | |
1793 | assert isset pool | |
1794 | ||
1795 | local ${IPSEC_POOL_CONFIG_SETTINGS} | |
1796 | if ! ipsec_pool_read_config "${pool}"; then | |
1797 | log ERROR "Could not read configuration settings" | |
7c623df2 JS |
1798 | return ${EXIT_ERROR} |
1799 | fi | |
7c623df2 | 1800 | |
940bb51b JS |
1801 | if ! isset NETWORK; then |
1802 | log ERROR "Network for IPSec pool ${pool} is not set" | |
7c623df2 JS |
1803 | return ${EXIT_ERROR} |
1804 | fi | |
1805 | ||
940bb51b JS |
1806 | if ! isset TYPE; then |
1807 | TYPE=$(ip_detect_protocol ${NETWORK}) | |
1808 | log DEBUG "IP protocol of ${NETWORK} is ${TYPE}" | |
1809 | if ! isset TYPE; then | |
1810 | error "Cannot detect IP protocol of ${NETWORK}" | |
1811 | return ${EXIT_ERROR} | |
1812 | else | |
1813 | if ! ipsec_pool_write_config_key "${pool}" "TYPE" ${TYPE}; then | |
1814 | log ERROR "Could not write configuration settings" | |
1815 | return ${EXIT_ERROR} | |
1816 | fi | |
1817 | fi | |
1818 | else | |
1819 | if ! ${TYPE}_net_is_valid ${NETWORK}; then | |
1820 | log ERROR "NETWORK '${NETWORK}' is invalid" | |
1821 | return ${EXIT_ERROR} | |
1822 | fi | |
7c623df2 | 1823 | |
940bb51b JS |
1824 | if isset DNS_SERVER && ! ${TYPE}_is_valid ${DNS_SERVER}; then |
1825 | log ERROR "DNS server '${DNS_SERVER}' is invalid" | |
1826 | return ${EXIT_ERROR} | |
1827 | fi | |
1828 | fi | |
7c623df2 | 1829 | |
940bb51b JS |
1830 | return ${EXIT_OK} |
1831 | } | |
7c623df2 | 1832 | |
940bb51b JS |
1833 | ipsec_pool_reload() { |
1834 | local pool=${1} | |
7c623df2 | 1835 | |
940bb51b JS |
1836 | if ! ipsec_pool_to_strongswan ${pool}; then |
1837 | log ERROR "Could not generate strongswan config for ${pool}" | |
7c623df2 JS |
1838 | return ${EXIT_ERROR} |
1839 | fi | |
1840 | ||
940bb51b JS |
1841 | ipsec_strongswan_load |
1842 | } | |
7c623df2 | 1843 | |
940bb51b JS |
1844 | ipsec_pool_to_strongswan() { |
1845 | local pool=${1} | |
7c623df2 | 1846 | |
940bb51b | 1847 | log DEBUG "Generating IPsec pool config for ${pool}" |
7c623df2 | 1848 | |
940bb51b JS |
1849 | local ${IPSEC_POOL_CONFIG_SETTINGS} |
1850 | if ! ipsec_pool_read_config "${pool}"; then | |
1851 | return ${EXIT_ERROR} | |
7c623df2 JS |
1852 | fi |
1853 | ||
940bb51b JS |
1854 | if isset NETWORK && ! ipsec_pool_check_config "${pool}"; then |
1855 | log ERROR "Configuration of ${pool} seems to be invalid" | |
7c623df2 JS |
1856 | return ${EXIT_ERROR} |
1857 | fi | |
1858 | ||
940bb51b | 1859 | local path="${NETWORK_IPSEC_SWANCTL_POOLS_DIR}/${pool}.conf" |
7c623df2 | 1860 | |
940bb51b JS |
1861 | ( |
1862 | config_header "strongSwan pool configuration" | |
1863 | ||
1864 | if isset NETWORK; then | |
1865 | print_indent 0 "pools {" | |
1866 | ||
1867 | print_indent 1 "${pool} {" | |
1868 | print_indent 2 "addrs = ${NETWORK}" | |
1869 | ||
1870 | if isset DNS_SERVER; then | |
1871 | print_indent 2 "dns = ${DNS_SERVER}" | |
1872 | fi | |
1873 | ||
1874 | print_indent 1 "}" | |
1875 | print_indent 0 "}" | |
1876 | fi | |
1877 | ) > ${path} | |
7c623df2 | 1878 | } |