1 | #!/bin/bash |
2 | ############################################################################### | |
3 | # # | |
4 | # IPFire.org - A linux based firewall # | |
5 | # Copyright (C) 2017 IPFire Network Development Team # | |
6 | # # | |
7 | # This program is free software: you can redistribute it and/or modify # | |
8 | # it under the terms of the GNU General Public License as published by # | |
9 | # the Free Software Foundation, either version 3 of the License, or # | |
10 | # (at your option) any later version. # | |
11 | # # | |
12 | # This program is distributed in the hope that it will be useful, # | |
13 | # but WITHOUT ANY WARRANTY; without even the implied warranty of # | |
14 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # | |
15 | # GNU General Public License for more details. # | |
16 | # # | |
17 | # You should have received a copy of the GNU General Public License # | |
18 | # along with this program. If not, see <http://www.gnu.org/licenses/>. # | |
19 | # # | |
20 | ############################################################################### | |
21 | ||
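# Settings persisted for every IPsec connection.
#
# Every key that a setter in this file hands to ipsec_connection_write_config_key()
# MUST be listed here: settings_write() only stores the variables named in this
# list and settings_read() only loads them, so a key missing from the list is
# silently dropped on write. START_ACTION (set by ipsec_connection_start_action()
# and defaulted in ipsec_connection_new()) was missing and is now included.
IPSEC_CONNECTION_CONFIG_SETTINGS="\
	AUTH_MODE \
	DPD_ACTION \
	DPD_DELAY \
	DPD_TIMEOUT \
	ENABLED \
	INACTIVITY_TIMEOUT \
	LOCAL_ADDRESS \
	LOCAL_ID \
	LOCAL_PREFIX \
	MODE \
	PEER \
	PSK \
	REMOTE_ID \
	REMOTE_PREFIX \
	SECURITY_POLICY \
	START_ACTION"

# Default values, applied to a connection by ipsec_connection_new()
IPSEC_DEFAULT_AUTH_MODE="PSK"
IPSEC_DEFAULT_DPD_ACTION="restart"
IPSEC_DEFAULT_DPD_DELAY="30"
IPSEC_DEFAULT_DPD_TIMEOUT="120"
IPSEC_DEFAULT_ENABLED="true"
# 0 is shown as "no inactivity timeout" by cli_ipsec_connection_show()
IPSEC_DEFAULT_INACTIVITY_TIMEOUT="0"
IPSEC_DEFAULT_MODE="tunnel"
IPSEC_DEFAULT_SECURITY_POLICY="system"
IPSEC_DEFAULT_START_ACTION="on-demand"

# Accepted values for the "mode" and "authentication mode" setters
IPSEC_VALID_MODES="gre-transport tunnel vti"
IPSEC_VALID_AUTH_MODES="PSK"
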
# Entry point for "network ipsec ...": dispatches on the first argument.
cli_ipsec() {
	local action="${1}"
	shift 1

	if [ "${action}" = "connection" ]; then
		cli_ipsec_connection $@
		return
	fi

	# Anything else is not a known sub-command
	error "Unrecognized argument: ${action}"
	exit ${EXIT_ERROR}
}
67 | ||
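# Handles "network ipsec connection ...".
#
# If the first argument names an existing connection, the second argument
# selects a setter or action on it; otherwise the first argument must be
# "new" or "destroy".
#
# Remaining arguments are forwarded quoted ("$@") so that a value containing
# whitespace (e.g. a pre-shared key) reaches the setter as one argument
# instead of being word-split and failing its argument-count check.
cli_ipsec_connection() {
	# ipsec_connection_exists() asserts on a missing argument, so only call
	# it when a name was actually given
	if [ -n "${1}" ] && ipsec_connection_exists "${1}"; then
		local connection="${1}"
		local key="${2}"

		if [ -z "${key}" ]; then
			error "Missing argument after connection name '${connection}'"
			exit ${EXIT_ERROR}
		fi
		shift 2

		# The CLI uses dashes, the handler functions use underscores
		key="${key//-/_}"

		case "${key}" in
			authentication|down|disable|dpd|enable|inactivity_timeout|local|mode|peer|remote|security_policy|start_action|up)
				ipsec_connection_${key} "${connection}" "$@"
				;;
			show)
				cli_ipsec_connection_show "${connection}"
				exit $?
				;;
			*)
				error "Unrecognized argument: ${key}"
				exit ${EXIT_ERROR}
				;;
		esac
	else
		local action="${1}"
		shift

		case "${action}" in
			new)
				ipsec_connection_new "$@"
				;;
			destroy)
				ipsec_connection_destroy "$@"
				;;
			*)
				# An empty action is a usage error, but nothing to report
				if [ -n "${action}" ]; then
					error "Unrecognized argument: '${action}'"
				fi
				exit ${EXIT_ERROR}
				;;
		esac
	fi
}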
108 | ||
# Prints a human-readable summary of one connection's settings.
#
# Only values stored in the connection's settings file are shown. The
# pre-shared key itself is never printed, only whether one is set.
cli_ipsec_connection_show() {
	local connection="${1}"

	# Read the config settings
	local ${IPSEC_CONNECTION_CONFIG_SETTINGS}
	if ! ipsec_connection_read_config "${connection}"; then
		error "Could not read the connection configuration"
		return ${EXIT_ERROR}
	fi

	cli_headline 0 "IPsec VPN Connection: ${connection}"
	cli_space

	# Peer
	if isset PEER; then
		cli_print_fmt1 1 "Peer" "${PEER}"
	fi

	# Security Policy
	# "${VAR-default}" substitutes only when the variable is unset; an
	# empty-but-set value is printed as is.
	cli_print_fmt1 1 "Security Policy" "${SECURITY_POLICY-${IPSEC_DEFAULT_SECURITY_POLICY}}"
	cli_space

	cli_headline 2 "Authentication"
	case "${AUTH_MODE^^}" in
		PSK)
			cli_print_fmt1 2 "Mode" "Pre-Shared-Key"

			# Never echo the secret; only report its presence
			if isset PSK; then
				cli_print_fmt1 2 "Pre-Shared-Key" "****"
			else
				cli_print_fmt1 2 "Pre-Shared-Key" "- is not set -"
			fi
			;;
		X509)
			: # TODO - certificate authentication is not implemented yet
			;;
	esac
	cli_space

	# LOCAL_ID/LOCAL_PREFIX and REMOTE_ID/REMOTE_PREFIX are accessed by
	# indirect expansion (${!var}) so both sides share one loop body
	local i
	for i in LOCAL REMOTE; do
		case "${i}" in
			LOCAL)
				cli_headline 2 "Local"
				;;
			REMOTE)
				cli_headline 2 "Remote"
				;;
		esac

		local id_var="${i}_ID"
		if [ -n "${!id_var}" ]; then
			cli_print_fmt1 2 "ID" "${!id_var}"
		fi

		local prefix_var="${i}_PREFIX"
		if isset ${prefix_var}; then
			cli_headline 3 "Prefix(es)"

			# The prefix list is a whitespace-separated string
			local prefix
			for prefix in ${!prefix_var}; do
				cli_print_fmt1 3 "${prefix}"
			done
		fi

		cli_space
	done

	cli_headline 2 "Misc."

	case "${MODE}" in
		gre-transport)
			cli_print_fmt1 2 "Transport Mode" "GRE Transport"
			;;
		tunnel)
			cli_print_fmt1 2 "Transport Mode" "Tunnel"
			;;
		vti)
			cli_print_fmt1 2 "Transport Mode" "Virtual Tunnel Interface"
			;;
		*)
			cli_print_fmt1 2 "Transport Mode" "- Unknown -"
			;;
	esac

	# Inactivity timeout (a value of 0 is treated as "not set" and omitted)
	if isset INACTIVITY_TIMEOUT && [ ${INACTIVITY_TIMEOUT} -gt 0 ]; then
		cli_print_fmt1 2 "Inactivity Timeout" "$(format_time ${INACTIVITY_TIMEOUT})"
	fi
	cli_space

	return ${EXIT_OK}
}
202 | ||
# Marks a connection as disabled and applies the change to strongswan
# (ipsec_reload() removes the swanctl config of a disabled connection).
ipsec_connection_disable() {
	local connection="${1}"

	ipsec_connection_write_config_key "${connection}" "ENABLED" "false" || {
		log ERROR "Could not write configuration settings"
		return ${EXIT_ERROR}
	}

	ipsec_reload "${connection}"
}
213 | ||
# Marks a connection as enabled and applies the change to strongswan
# (ipsec_reload() regenerates the swanctl config of an enabled connection).
ipsec_connection_enable() {
	local connection="${1}"

	ipsec_connection_write_config_key "${connection}" "ENABLED" "true" || {
		log ERROR "Could not write configuration settings"
		return ${EXIT_ERROR}
	}

	ipsec_reload "${connection}"
}
224 | ||
# Writes the settings variables named in IPSEC_CONNECTION_CONFIG_SETTINGS
# (expected to be set in the caller's scope) to the connection's settings
# file and reloads the connection afterwards.
ipsec_connection_write_config() {
	assert [ $# -ge 1 ]

	local connection="${1}"

	ipsec_connection_exists "${connection}" || {
		log ERROR "No such VPN IPsec connection: ${connection}"
		return ${EXIT_ERROR}
	}

	local settings_file="${NETWORK_IPSEC_CONNS_DIR}/${connection}/settings"

	settings_write "${settings_file}" ${IPSEC_CONNECTION_CONFIG_SETTINGS} || {
		log ERROR "Could not write configuration settings for VPN IPsec connection ${connection}"
		return ${EXIT_ERROR}
	}

	# Make strongswan pick up the new settings
	ipsec_reload "${connection}"
}
245 | ||
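# Sets one key of a connection's settings file to a new value and rewrites
# the whole file (which also reloads the connection).
#
# Arguments: <connection> <key> <value...>; a multi-word value is joined
# with spaces, which is how prefix lists are passed.
#
# Only keys listed in IPSEC_CONNECTION_CONFIG_SETTINGS are persisted by
# settings_write(); any other key is assigned but silently dropped.
ipsec_connection_write_config_key() {
	assert [ $# -ge 3 ]

	local connection="${1}"
	local key="${2}"
	shift 2

	local value="$@"

	if ! ipsec_connection_exists "${connection}"; then
		log ERROR "No such VPN ipsec connection: ${connection}"
		return ${EXIT_ERROR}
	fi

	# Never write the pre-shared key into the log, not even at DEBUG level
	case "${key}" in
		PSK)
			log DEBUG "Set '${key}' to a new value in VPN ipsec connection '${connection}'"
			;;
		*)
			log DEBUG "Set '${key}' to new value '${value}' in VPN ipsec connection '${connection}'"
			;;
	esac

	local ${IPSEC_CONNECTION_CONFIG_SETTINGS}

	# Read the current settings ...
	if ! ipsec_connection_read_config "${connection}"; then
		return ${EXIT_ERROR}
	fi

	# ... override the requested key ...
	assign "${key}" "${value}"

	# ... and write everything back
	if ! ipsec_connection_write_config "${connection}"; then
		return ${EXIT_ERROR}
	fi

	return ${EXIT_TRUE}
}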
279 | ||
# Loads settings of a connection into variables in the caller's scope.
#
# Arguments: <connection> [<key>...]; without explicit keys every setting
# listed in IPSEC_CONNECTION_CONFIG_SETTINGS is read.
ipsec_connection_read_config() {
	assert [ $# -ge 1 ]

	local connection="${1}"
	shift 1

	if ! ipsec_connection_exists "${connection}"; then
		log ERROR "No such VPN IPsec connection : ${connection}"
		return ${EXIT_ERROR}
	fi

	# Explicit keys win; otherwise fall back to the full settings list
	local keys
	if [ $# -gt 0 ] || [ -z "${IPSEC_CONNECTION_CONFIG_SETTINGS}" ]; then
		list_append keys $@
	else
		list_append keys ${IPSEC_CONNECTION_CONFIG_SETTINGS}
	fi

	local settings_file="${NETWORK_IPSEC_CONNS_DIR}/${connection}/settings"

	settings_read "${settings_file}" ${keys} || {
		log ERROR "Could not read settings for VPN IPsec connection ${connection}"
		return ${EXIT_ERROR}
	}
}
307 | ||
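# Checks whether a VPN IPsec connection with the given name exists.
#
# The name is used verbatim in filesystem paths below NETWORK_IPSEC_CONNS_DIR
# (settings files, rm -rf in ipsec_connection_destroy(), swanctl config).
# Every read/write/delete path in this file is gated on this function, so a
# name that is empty or fails ipsec_connection_check_name() (e.g. "..",
# "a/b") is reported as non-existent instead of being probed on disk. This
# keeps the CLI from operating outside the connections directory.
#
# Returns EXIT_TRUE when the connection directory exists, EXIT_FALSE otherwise.
ipsec_connection_exists() {
	assert [ $# -eq 1 ]

	local connection="${1}"

	# An empty name would resolve to the connections directory itself
	if [ -z "${connection}" ]; then
		return ${EXIT_FALSE}
	fi

	# ipsec_connection_check_name() SUCCEEDS when the name is invalid
	if ipsec_connection_check_name "${connection}"; then
		return ${EXIT_FALSE}
	fi

	local path="${NETWORK_IPSEC_CONNS_DIR}/${connection}"

	if [ -d "${path}" ]; then
		return ${EXIT_TRUE}
	fi

	return ${EXIT_FALSE}
}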
319 | ||
# Asks strongswan to (re)load all swanctl connections from disk.
ipsec_strongswan_load() {
	cmd swanctl --load-all && return

	log ERROR "Could not reload strongswan config"
	return ${EXIT_ERROR}
}
326 | ||
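# Regenerates (enabled) or removes (disabled) the swanctl configuration of a
# connection after its settings changed, then reloads strongswan.
ipsec_reload() {
	local connection="${1}"

	local ENABLED

	if ! ipsec_connection_read_config "${connection}" "ENABLED"; then
		log ERROR "Could not read configuration for IPsec connection ${connection}"
		return ${EXIT_ERROR}
	fi

	local swanctl_conf="${NETWORK_IPSEC_SWANCTL_CONNECTIONS_DIR}/${connection}.conf"

	if enabled ${ENABLED}; then
		if ! ipsec_connection_to_strongswan "${connection}"; then
			log ERROR "Could not generate strongswan config for ${connection}"
			return ${EXIT_ERROR}
		fi
	else
		# A disabled connection must not be known to strongswan. unlink(1)
		# fails on a missing file, and a connection that was never enabled
		# has none, so only remove what is actually there.
		if [ -e "${swanctl_conf}" ] && ! unlink "${swanctl_conf}"; then
			log ERROR "Could not remove strongswan config ${swanctl_conf}"
			return ${EXIT_ERROR}
		fi
	fi

	ipsec_strongswan_load
}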
349 | ||
# Dispatches "... authentication mode|pre-shared-key ..." for a connection.
ipsec_connection_authentication() {
	if [ ! $# -gt 1 ]; then
		log ERROR "Not enough arguments"
		return ${EXIT_ERROR}
	fi

	local connection="${1}"
	local subcommand="${2}"
	shift 2

	if [ "${subcommand}" = "mode" ]; then
		ipsec_connection_authentication_mode "${connection}" $@
	elif [ "${subcommand}" = "pre-shared-key" ]; then
		ipsec_connection_authentication_psk "${connection}" $@
	else
		log ERROR "Unrecognized argument: ${subcommand}"
		return ${EXIT_ERROR}
	fi
}
374 | ||
# Sets the authentication mode of a connection; the value is stored
# upper-cased and must be one of IPSEC_VALID_AUTH_MODES.
ipsec_connection_authentication_mode() {
	[ $# -eq 2 ] || {
		log ERROR "Not enough arguments"
		return ${EXIT_ERROR}
	}
	local connection="${1}"
	local mode="${2}"

	# isoneof() takes the variable name, not its value
	isoneof mode ${IPSEC_VALID_AUTH_MODES} || {
		log ERROR "Auth mode '${mode}' is invalid"
		return ${EXIT_ERROR}
	}

	ipsec_connection_write_config_key "${connection}" "AUTH_MODE" ${mode^^} || {
		log ERROR "Could not write configuration settings"
		return ${EXIT_ERROR}
	}
}
394 | ||
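# Sets the pre-shared key of a connection.
#
# The length is bounded to 4..128 characters (inclusive). The lower bound is
# only a guard against typos, not a strength requirement: a short or
# guessable PSK is weak against offline dictionary attacks, so operators
# should use a long, randomly generated key.
ipsec_connection_authentication_psk() {
	if [ ! $# -eq 2 ]; then
		log ERROR "Not enough arguments"
		return ${EXIT_ERROR}
	fi

	local connection="${1}"
	local psk="${2}"

	local length=${#psk}

	# -lt 4 accepts a 4-character key; the message has to say so
	if [ ${length} -lt 4 ]; then
		error "The PSK must be at least four characters long"
		return ${EXIT_ERROR}
	fi

	if [ ${length} -gt 128 ]; then
		error "The PSK cannot be longer than 128 characters"
		return ${EXIT_ERROR}
	fi

	# The key is persisted via write_config_key, which does not log PSK values
	if ! ipsec_connection_write_config_key "${connection}" "PSK" "${psk}"; then
		log ERROR "Could not write configuration settings"
		return ${EXIT_ERROR}
	fi

	return ${EXIT_OK}
}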
424 | ||
# Brings a connection up by initiating its CHILD_SA through swanctl.
ipsec_connection_up() {
	local connection="${1}"

	ipsec_connection_exists "${connection}" || {
		error "No such VPN IPsec connection: ${connection}"
		return ${EXIT_ERROR}
	}

	cmd swanctl --initiate --child "${connection}"
}
435 | ||
# Takes a connection down by terminating its IKE_SA through swanctl.
ipsec_connection_down() {
	local connection="${1}"

	ipsec_connection_exists "${connection}" || {
		error "No such VPN IPsec connection: ${connection}"
		return ${EXIT_ERROR}
	}

	cmd swanctl --terminate --ike "${connection}"
}
446 | |
# Dispatches "... dpd action|delay|timeout ..." for a connection.
ipsec_connection_dpd() {
	if [ ! $# -gt 1 ]; then
		log ERROR "Not enough arguments"
		return ${EXIT_ERROR}
	fi

	local connection="${1}"
	local subcommand="${2}"
	shift 2

	case "${subcommand}" in
		action|delay|timeout)
			# Maps directly onto ipsec_connection_dpd_<subcommand>
			ipsec_connection_dpd_${subcommand} "${connection}" $@
			;;
		*)
			log ERROR "Unrecognized argument: ${subcommand}"
			return ${EXIT_ERROR}
			;;
	esac
}
474 | ||
# Sets the dead peer detection action; accepted values are "restart" and "clear".
ipsec_connection_dpd_action() {
	[ $# -eq 2 ] || {
		log ERROR "Not enough arguments"
		return ${EXIT_ERROR}
	}
	local connection="${1}"
	local action="${2}"

	# isoneof() takes the variable name, not its value
	isoneof action "restart" "clear" || {
		log ERROR "dpd action '${action}' is invalid"
		return ${EXIT_ERROR}
	}

	ipsec_connection_write_config_key "${connection}" "DPD_ACTION" ${action} || {
		log ERROR "Could not write configuration settings"
		return ${EXIT_ERROR}
	}
}
494 | ||
# Sets the dead peer detection delay.
#
# The value is either a plain integer or anything parse_time() accepts
# (all remaining arguments are handed to it). Negative values are rejected;
# 0 is allowed.
ipsec_connection_dpd_delay() {
	if [ ! $# -ge 2 ]; then
		log ERROR "Not enough arguments"
		return ${EXIT_ERROR}
	fi

	local connection="${1}"
	shift 1
	local value=$@

	# Anything that is not already an integer goes through parse_time()
	if ! isinteger value; then
		value=$(parse_time $@) || {
			log ERROR "Parsing the passed time was not sucessful please check the passed values."
			return ${EXIT_ERROR}
		}
	fi

	if [ ${value} -lt 0 ]; then
		log ERROR "The passed time value must be in the sum greater or equal zero seconds."
		return ${EXIT_ERROR}
	fi

	ipsec_connection_write_config_key "${connection}" "DPD_DELAY" ${value} || {
		log ERROR "Could not write configuration settings"
		return ${EXIT_ERROR}
	}

	return ${EXIT_OK}
}
526 | ||
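# Sets the dead peer detection timeout.
#
# The value is either a plain integer or anything parse_time() accepts
# (all remaining arguments are handed to it). The timeout has to be
# strictly positive (-le 0 is rejected); the error message now says so
# instead of claiming zero were allowed.
ipsec_connection_dpd_timeout() {
	if [ ! $# -ge 2 ]; then
		log ERROR "Not enough arguments"
		return ${EXIT_ERROR}
	fi

	local connection="${1}"
	shift 1
	local value=$@

	# Anything that is not already an integer goes through parse_time()
	if ! isinteger value; then
		value=$(parse_time $@)
		if [ ! $? -eq 0 ]; then
			log ERROR "Parsing the passed time was not sucessful please check the passed values."
			return ${EXIT_ERROR}
		fi
	fi

	if [ ${value} -le 0 ]; then
		log ERROR "The passed time value must be in the sum greater than zero seconds."
		return ${EXIT_ERROR}
	fi

	if ! ipsec_connection_write_config_key "${connection}" "DPD_TIMEOUT" ${value}; then
		log ERROR "Could not write configuration settings"
		return ${EXIT_ERROR}
	fi

	return ${EXIT_OK}
}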
558 | ||
# Dispatches "... local address|id|prefix ..." for a connection.
ipsec_connection_local() {
	if [ ! $# -ge 2 ]; then
		log ERROR "Not enough arguments"
		return ${EXIT_ERROR}
	fi

	local connection="${1}"
	local subcommand="${2}"
	shift 2

	if [ "${subcommand}" = "address" ]; then
		ipsec_connection_local_address "${connection}" $@
	elif [ "${subcommand}" = "id" ]; then
		ipsec_connection_id "${connection}" "LOCAL" $@
	elif [ "${subcommand}" = "prefix" ]; then
		ipsec_connection_prefix "${connection}" "LOCAL" $@
	else
		log ERROR "Unrecognized argument: ${subcommand}"
		return ${EXIT_ERROR}
	fi

	# The handlers' own failures are logged but not propagated here
	return ${EXIT_OK}
}
588 | ||
# Sets the connection mode; must be one of IPSEC_VALID_MODES.
ipsec_connection_mode() {
	[ $# -eq 2 ] || {
		log ERROR "Not enough arguments"
		return ${EXIT_ERROR}
	}
	local connection="${1}"
	local mode="${2}"

	# isoneof() takes the variable name, not its value
	isoneof mode ${IPSEC_VALID_MODES} || {
		log ERROR "Mode '${mode}' is invalid"
		return ${EXIT_ERROR}
	}

	ipsec_connection_write_config_key "${connection}" "MODE" ${mode} || {
		log ERROR "Could not write configuration settings"
		return ${EXIT_ERROR}
	}

	return ${EXIT_OK}
}
610 | ||
# Sets the local address; validated with the same check as the peer address.
ipsec_connection_local_address() {
	[ $# -eq 2 ] || {
		log ERROR "Not enough arguments"
		return ${EXIT_ERROR}
	}
	local connection="${1}"
	local address="${2}"

	ipsec_connection_check_peer ${address} || {
		log ERROR "Local address '${address}' is invalid"
		return ${EXIT_ERROR}
	}

	ipsec_connection_write_config_key "${connection}" "LOCAL_ADDRESS" ${address} || {
		log ERROR "Could not write configuration settings"
		return ${EXIT_ERROR}
	}

	return ${EXIT_OK}
}
632 | ||
# Sets the remote peer address of a connection.
ipsec_connection_peer() {
	[ $# -eq 2 ] || {
		log ERROR "Not enough arguments"
		return ${EXIT_ERROR}
	}
	local connection="${1}"
	local peer_address="${2}"

	ipsec_connection_check_peer ${peer_address} || {
		log ERROR "Peer '${peer_address}' is invalid"
		return ${EXIT_ERROR}
	}

	ipsec_connection_write_config_key "${connection}" "PEER" ${peer_address} || {
		log ERROR "Could not write configuration settings"
		return ${EXIT_ERROR}
	}

	return ${EXIT_OK}
}
654 | ||
# Sets the local or remote IKE identity.
#
# Arguments: <connection> LOCAL|REMOTE <id>; the key written is "<type>_ID".
ipsec_connection_id() {
	[ $# -eq 3 ] || {
		log ERROR "Not enough arguments"
		return ${EXIT_ERROR}
	}
	local connection="${1}"
	local side="${2}"
	local identity="${3}"

	ipsec_connection_check_id ${identity} || {
		log ERROR "Id '${identity}' is invalid"
		return ${EXIT_ERROR}
	}

	ipsec_connection_write_config_key "${connection}" "${side}_ID" ${identity} || {
		log ERROR "Could not write configuration settings"
		return ${EXIT_ERROR}
	}

	return ${EXIT_OK}
}
677 | ||
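# Sets the local or remote prefix list of a connection.
#
# Arguments: <connection> LOCAL|REMOTE <prefix>... where each prefix is
#   +<net>  add <net> to the list
#   -<net>  remove <net> from the list
#   <net>   replace the whole list (cannot be mixed with +/-)
# The resulting list must not be empty. Every prefix is validated with
# ip_net_is_valid() before it is stored.
#
# Returns EXIT_ERROR if the arguments are invalid or the list could not be
# written (previously a failed write was logged but reported as success).
ipsec_connection_prefix() {
	if [ ! $# -ge 3 ]; then
		log ERROR "Not enough arguments"
		return ${EXIT_ERROR}
	fi
	local connection="${1}"
	local type="${2}"
	shift 2

	local _prefix="${type}_PREFIX"
	local "${_prefix}"
	if ! ipsec_connection_read_config "${connection}" "${_prefix}"; then
		return ${EXIT_ERROR}
	fi

	# Remove duplicated entries to proceed the list safely
	assign "${_prefix}" "$(list_unique ${!_prefix} )"

	local prefixes_added
	local prefixes_removed
	local prefixes_set

	while [ $# -gt 0 ]; do
		local arg="${1}"

		case "${arg}" in
			+*)
				list_append prefixes_added "${arg:1}"
				;;
			-*)
				list_append prefixes_removed "${arg:1}"
				;;
			[A-Fa-f0-9:]*)
				# Hex digits cover IPv4 and IPv6; ":" additionally allows
				# IPv6 networks that start with "::" (e.g. ::/0). Actual
				# validity is checked by ip_net_is_valid() below.
				list_append prefixes_set "${arg}"
				;;
			*)
				error "Invalid argument: ${arg}"
				return ${EXIT_ERROR}
				;;
		esac
		shift
	done

	# Check if the user is trying a mixed operation
	if ! list_is_empty prefixes_set && (! list_is_empty prefixes_added || ! list_is_empty prefixes_removed); then
		error "You cannot reset the prefix list and add or remove prefixes at the same time"
		return ${EXIT_ERROR}
	fi

	# Set new prefix list
	if ! list_is_empty prefixes_set; then
		# Check if all prefixes are valid
		local prefix
		for prefix in ${prefixes_set}; do
			if ! ip_net_is_valid ${prefix}; then
				error "Unsupported prefix: ${prefix}"
				return ${EXIT_ERROR}
			fi
		done

		assign "${_prefix}" "${prefixes_set}"

	# Perform incremental updates
	else
		local prefix

		# Perform all removals
		for prefix in ${prefixes_removed}; do
			if ! list_remove "${_prefix}" ${prefix}; then
				warning "${prefix} was not on the list and could not be removed"
			fi
		done

		# Then all additions; invalid networks are skipped with a warning
		for prefix in ${prefixes_added}; do
			if ip_net_is_valid ${prefix}; then
				if ! list_append_unique "${_prefix}" ${prefix}; then
					warning "${prefix} is already on the prefix list"
				fi
			else
				warning "${prefix} is not a valid IP network and could not be added"
			fi
		done
	fi

	# Check if the list contain at least one valid prefix
	if list_is_empty ${_prefix}; then
		error "Cannot save an empty prefix list"
		return ${EXIT_ERROR}
	fi

	# Save everything
	if ! ipsec_connection_write_config_key "${connection}" "${_prefix}" ${!_prefix}; then
		log ERROR "Could not write configuration settings"
		return ${EXIT_ERROR}
	fi

	return ${EXIT_OK}
}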
777 | ||
# Dispatches "... remote id|prefix ..." for a connection.
ipsec_connection_remote() {
	if [ ! $# -ge 2 ]; then
		log ERROR "Not enough arguments"
		return ${EXIT_ERROR}
	fi

	local connection="${1}"
	local subcommand="${2}"
	shift 2

	if [ "${subcommand}" = "id" ]; then
		ipsec_connection_id "${connection}" "REMOTE" $@
	elif [ "${subcommand}" = "prefix" ]; then
		ipsec_connection_prefix "${connection}" "REMOTE" $@
	else
		log ERROR "Unrecognized argument: ${subcommand}"
		return ${EXIT_ERROR}
	fi

	# The handlers' own failures are logged but not propagated here
	return ${EXIT_OK}
}
805 | ||
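# Sets the inactivity timeout of a connection.
#
# The value is either a plain integer or anything parse_time() accepts
# (all remaining arguments are handed to it). 0 is accepted and means "no
# inactivity timeout": it is the default (IPSEC_DEFAULT_INACTIVITY_TIMEOUT)
# and cli_ipsec_connection_show() omits the setting when it is 0. Rejecting
# 0 here made it impossible to switch the timeout off again once set.
ipsec_connection_inactivity_timeout() {
	if [ ! $# -ge 2 ]; then
		log ERROR "Not enough arguments"
		return ${EXIT_ERROR}
	fi

	local connection="${1}"
	shift 1
	local value=$@

	# Anything that is not already an integer goes through parse_time()
	if ! isinteger value; then
		value=$(parse_time $@)
		if [ ! $? -eq 0 ]; then
			log ERROR "Parsing the passed time was not sucessful please check the passed values."
			return ${EXIT_ERROR}
		fi
	fi

	if [ ${value} -lt 0 ]; then
		log ERROR "The passed time value must be in the sum greater or equal zero seconds."
		return ${EXIT_ERROR}
	fi

	if ! ipsec_connection_write_config_key "${connection}" "INACTIVITY_TIMEOUT" ${value}; then
		log ERROR "Could not write configuration settings"
		return ${EXIT_ERROR}
	fi

	return ${EXIT_OK}
}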
837 | ||
# Sets the start action; accepted values are "on-demand" and "always-on".
ipsec_connection_start_action() {
	[ $# -eq 2 ] || {
		log ERROR "Not enough arguments"
		return ${EXIT_ERROR}
	}
	local connection="${1}"
	local action="${2}"

	# isoneof() takes the variable name, not its value
	isoneof action "on-demand" "always-on" || {
		log ERROR "Start action '${action}' is invalid"
		return ${EXIT_ERROR}
	}

	ipsec_connection_write_config_key "${connection}" "START_ACTION" ${action} || {
		log ERROR "Could not write configuration settings"
		return ${EXIT_ERROR}
	}
}
857 | |
# Sets the VPN security policy of a connection; the policy must already exist.
ipsec_connection_security_policy() {
	[ $# -eq 2 ] || {
		log ERROR "Not enough arguments"
		return ${EXIT_ERROR}
	}
	local connection="${1}"
	local policy="${2}"

	vpn_security_policy_exists ${policy} || {
		log ERROR "No such vpn security policy '${policy}'"
		return ${EXIT_ERROR}
	}

	ipsec_connection_write_config_key "${connection}" "SECURITY_POLICY" ${policy} || {
		log ERROR "Could not write configuration settings"
		return ${EXIT_ERROR}
	}
}
877 | ||
# Checks whether an IKE identity is acceptable: either "@" followed by one or
# more alphanumerics, or an IP address accepted by ip_is_valid().
ipsec_connection_check_id() {
	assert [ $# -eq 1 ]
	local id="${1}"

	# "@name" style identity
	[[ ${id} =~ ^@[[:alnum:]]+$ ]] && return ${EXIT_TRUE}

	# Otherwise it has to be a plain IP address
	ip_is_valid ${id} && return ${EXIT_TRUE}

	return ${EXIT_FALSE}
}
889 | ||
# Checks whether a peer (or local) address is acceptable; only IP addresses
# accepted by ip_is_valid() pass.
ipsec_connection_check_peer() {
	assert [ $# -eq 1 ]
	local address="${1}"

	# TODO Accept also FQDNs
	ip_is_valid ${address} && return ${EXIT_TRUE}

	return ${EXIT_FALSE}
}
902 | ||
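# Checks whether a connection name consists solely of A-Za-z0-9.
#
# NOTE the inverted result, which callers rely on: the function SUCCEEDS
# (status 0) when the name contains an illegal character and FAILS when the
# name is clean. An empty name contains nothing illegal and therefore
# "passes"; callers have to check for emptiness themselves.
#
# The name is used verbatim in filesystem paths and in the generated swanctl
# configuration, so nothing but alphanumerics may be allowed here. The
# bracket expression used to contain a stray "$", which made "$" a legal
# character.
ipsec_connection_check_name() {
	assert [ $# -eq 1 ]

	local connection="${1}"

	[[ "${connection}" =~ [^[:alnum:]] ]]
}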
912 | ||
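# Creates a new VPN IPsec connection with default settings.
#
# The name is validated before it is used to probe or touch the filesystem,
# so a name such as ".." is reported as illegal rather than as "already
# existing".
ipsec_connection_new() {
	if [ $# -gt 1 ]; then
		error "Too many arguments"
		return ${EXIT_ERROR}
	fi

	local connection="${1}"
	if ! isset connection; then
		error "Please provide a connection name"
		return ${EXIT_ERROR}
	fi

	# Check if the name of the connection is valid
	# (ipsec_connection_check_name() succeeds when the name is INVALID)
	if ipsec_connection_check_name "${connection}"; then
		error "'${connection}' contains illegal characters"
		return ${EXIT_ERROR}
	fi

	# Check for duplicates
	if ipsec_connection_exists "${connection}"; then
		error "The VPN IPsec connection ${connection} already exists"
		return ${EXIT_ERROR}
	fi

	log DEBUG "Creating VPN IPsec connection ${connection}"

	local path="${NETWORK_IPSEC_CONNS_DIR}/${connection}"
	if ! mkdir -p "${path}"; then
		log ERROR "Could not create config directory for ${connection}"
		return ${EXIT_ERROR}
	fi

	# Settings variables live in this scope for ipsec_connection_write_config().
	# START_ACTION is declared explicitly so it never leaks as a global should
	# it be missing from IPSEC_CONNECTION_CONFIG_SETTINGS.
	local ${IPSEC_CONNECTION_CONFIG_SETTINGS}
	local START_ACTION

	AUTH_MODE=${IPSEC_DEFAULT_AUTH_MODE}
	DPD_ACTION=${IPSEC_DEFAULT_DPD_ACTION}
	DPD_DELAY=${IPSEC_DEFAULT_DPD_DELAY}
	DPD_TIMEOUT=${IPSEC_DEFAULT_DPD_TIMEOUT}
	ENABLED=${IPSEC_DEFAULT_ENABLED}
	MODE=${IPSEC_DEFAULT_MODE}
	START_ACTION=${IPSEC_DEFAULT_START_ACTION}

	INACTIVITY_TIMEOUT=${IPSEC_DEFAULT_INACTIVITY_TIMEOUT}
	SECURITY_POLICY=${IPSEC_DEFAULT_SECURITY_POLICY}

	if ! ipsec_connection_write_config "${connection}"; then
		log ERROR "Could not write new config file"
		return ${EXIT_ERROR}
	fi
}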
963 | ||
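# Deletes one or more VPN IPsec connections.
#
# Besides the settings directory, the generated swanctl configuration is
# removed and strongswan is reloaded, so a destroyed connection does not
# remain configured in the daemon until some later, unrelated reload.
ipsec_connection_destroy() {
	local connection
	for connection in $@; do
		if ! ipsec_connection_exists "${connection}"; then
			log ERROR "The VPN IPsec connection ${connection} does not exist."
			continue
		fi

		log DEBUG "Deleting VPN IPsec connection ${connection}"
		if ! rm -rf "${NETWORK_IPSEC_CONNS_DIR}/${connection}"; then
			log ERROR "Deleting the VPN IPsec connection ${connection} was not sucessful"
			return ${EXIT_ERROR}
		fi

		# Remove the strongswan configuration as well, if it was ever generated
		local swanctl_conf="${NETWORK_IPSEC_SWANCTL_CONNECTIONS_DIR}/${connection}.conf"
		if [ -e "${swanctl_conf}" ] && ! unlink "${swanctl_conf}"; then
			log ERROR "Could not remove strongswan config ${swanctl_conf}"
			return ${EXIT_ERROR}
		fi
	done

	# Make strongswan forget the removed connection(s)
	ipsec_strongswan_load
}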
980 | |
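# Prints the names of all IPsec connections, one per line.
#
# Every directory directly below NETWORK_IPSEC_CONNS_DIR counts as a
# connection; plain files are skipped. Paths are quoted so that unexpected
# names are neither word-split nor glob-expanded a second time.
ipsec_list_connections() {
	local connection
	for connection in "${NETWORK_IPSEC_CONNS_DIR}"/*; do
		[ -d "${connection}" ] || continue
		basename "${connection}"
	done
}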
989 | |
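# Renders the swanctl configuration of a connection into
# NETWORK_IPSEC_SWANCTL_CONNECTIONS_DIR/<connection>.conf.
#
# The file includes the connection's secrets section, so it is created with
# owner-only permissions (umask 077). NOTE(review): this assumes the daemon
# reading it runs as the same user that writes it (root) - confirm for this
# platform. An already existing file keeps its previous mode.
#
# The secrets section is only emitted if the connection section was written
# successfully, and a partially written file is removed on failure so that
# swanctl never loads a truncated configuration.
ipsec_connection_to_strongswan() {
	local connection="${1}"

	# Read the config settings
	local ${IPSEC_CONNECTION_CONFIG_SETTINGS}
	if ! ipsec_connection_read_config "${connection}"; then
		error "Could not read the connection ${connection}"
		return ${EXIT_ERROR}
	fi

	local path="${NETWORK_IPSEC_SWANCTL_CONNECTIONS_DIR}/${connection}.conf"

	# The subshell scopes the umask change; the redirection has to be opened
	# inside it, after umask, for the restrictive mode to apply to the new file.
	if ! (
		umask 077
		{
			_ipsec_connection_to_strongswan_connection "${connection}" && \
				_ipsec_connection_to_strongswan_secrets "${connection}"
		} > "${path}"
	); then
		log ERROR "Could not write strongswan config for ${connection}"
		rm -f "${path}"
		return ${EXIT_ERROR}
	fi
}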
1011 | ||
# Print the swanctl "connections { ... }" section for one connection.
#
# Expects the connection settings (IPSEC_CONNECTION_CONFIG_SETTINGS) to
# already be in scope from the caller; it additionally reads the referenced
# security policy itself. Output goes to stdout via print_indent. Returns
# ${EXIT_ERROR} if the security policy cannot be read.
#
# NOTE(review): KEY_EXCHANGE, LIFETIME and COMPRESSION are not connection
# settings; presumably they come from the security policy read below —
# verify against VPN_SECURITY_POLICIES_CONFIG_SETTINGS. START_ACTION is
# used but not read anywhere in this function; if it is unset the case at
# the bottom falls through to always-on.
_ipsec_connection_to_strongswan_connection() {
	local connection="${1}"

	# Read the security policy
	local ${VPN_SECURITY_POLICIES_CONFIG_SETTINGS}
	if ! vpn_security_policies_read_config "${SECURITY_POLICY}"; then
		return ${EXIT_ERROR}
	fi

	# Is DPD enabled?
	# DPD is only on for a positive integer delay; isinteger guards the
	# unquoted expansion in the numeric test.
	local dpd="false"
	if isset DPD_DELAY && isinteger DPD_DELAY && [ ${DPD_DELAY} -gt 0 ]; then
		dpd="true"
	fi

	print_indent 0 "connections {"
	print_indent 1 "${connection} {"

	# IKE Version
	# Anything that is not IKEV1 (case-insensitively) ends up as IKEv2.
	print_indent 2 "# IKE Version"
	case "${KEY_EXCHANGE^^}" in
		IKEV1)
			print_indent 2 "version = 1"
			;;

		# Fall back to IKEv2 for any random values
		IKEV2|*)
			print_indent 2 "version = 2"
			;;
	esac
	print # empty line

	# Always only keep one connection open at a time
	# "replace" means a new IKE_SA from the same peer identity tears the
	# old one down rather than coexisting with it.
	print_indent 2 "# Unique IDs"
	print_indent 2 "unique = replace"


	# Local Address
	print_indent 2 "# Local Address"
	if isset LOCAL_ADDRESS; then
		print_indent 2 "local_addrs = ${LOCAL_ADDRESS}"
	else
		print_indent 2 "local_addrs = %any"
	fi


	# Remote Address
	# Without PEER any source address may initiate; with PSK auth and no
	# REMOTE_ID (see "remote" below) the shared secret is then the only
	# thing gating who the peer is.
	print_indent 2 "# Remote Address"
	if isset PEER; then
		print_indent 2 "remote_addrs = ${PEER}"
	else
		print_indent 2 "remote_addrs = %any"
	fi


	# IKE Proposals
	# The proposal string is produced entirely by the security policy.
	print_indent 2 "# IKE Proposals"
	print_indent 2 "proposals = $(vpn_security_policies_make_ike_proposal ${SECURITY_POLICY})"


	# DPD Settings
	if enabled dpd; then
		print_indent 2 "# Dead Peer Detection"
		print_indent 2 "dpd_delay = ${DPD_DELAY}"

		if isset DPD_TIMEOUT; then
			print_indent 2 "dpd_timeout = ${DPD_TIMEOUT}"
		fi


	fi

	# Fragmentation
	# Always on; large IKE messages (certificates, big proposals) would
	# otherwise be subject to IP fragmentation on the path.
	print_indent 2 "# Fragmentation"
	print_indent 2 "fragmentation = yes"


	# Local
	print_indent 2 "local {"

		# Local ID
		if isset LOCAL_ID; then
			print_indent 3 "id = ${LOCAL_ID}"
		fi

		# Authentication
		# Only PSK is rendered; any other AUTH_MODE yields no "auth" line
		# and is left to strongSwan's default.
		case "${AUTH_MODE}" in
			PSK)
				print_indent 3 "auth = psk"
				;;
		esac

	print_indent 2 "}"


	# Remote
	print_indent 2 "remote {"

		# Remote ID
		# When unset, no identity is enforced for the peer.
		if isset REMOTE_ID; then
			print_indent 3 "id = ${REMOTE_ID}"
		fi

		# Authentication
		case "${AUTH_MODE}" in
			PSK)
				print_indent 3 "auth = psk"
				;;
		esac

	print_indent 2 "}"


	# Children
	# A single CHILD_SA named after the connection.

	print_indent 2 "children {"
		print_indent 3 "${connection} {"

			print_indent 4 "# ESP Proposals"
			print_indent 4 "esp_proposals = $(vpn_security_policies_make_esp_proposal ${SECURITY_POLICY})"


			# Traffic Selectors
			# GRE modes only protect the GRE protocol between the endpoints;
			# everything else uses the configured prefixes, or "dynamic"
			# (the endpoint address itself) when none are set.

			case "${MODE}" in
				gre-*)
					print_indent 4 "local_ts = dynamic[gre]"
					print_indent 4 "remote_ts = dynamic[gre]"
					;;
				*)
					# Local Prefixes
					if isset LOCAL_PREFIX; then
						print_indent 4 "local_ts = $(list_join LOCAL_PREFIX ,)"
					else
						print_indent 4 "local_ts = dynamic"
					fi

					# Remote Prefixes
					if isset REMOTE_PREFIX; then
						print_indent 4 "remote_ts = $(list_join REMOTE_PREFIX ,)"
					else
						print_indent 4 "remote_ts = dynamic"
					fi
					;;
			esac


			# Netfilter Marks
			# %unique lets strongSwan pick a distinct mark per CHILD_SA;
			# presumably consumed by the updown script below — verify.
			print_indent 4 "# Netfilter Marks"
			print_indent 4 "mark_in = %unique"
			print_indent 4 "mark_out = %unique"


			# Dead Peer Detection
			# NOTE(review): DPD_ACTION is emitted unguarded; an empty value
			# produces "dpd_action = " — confirm the config writer always
			# sets it when DPD_DELAY is set.
			if enabled dpd; then
				print_indent 4 "# Dead Peer Detection"
				print_indent 4 "dpd_action = ${DPD_ACTION}"

			fi

			# Rekeying
			if isset LIFETIME; then
				print_indent 4 "# Rekey Time"
				print_indent 4 "rekey_time = ${LIFETIME}"

			fi

			# Updown Script
			print_indent 4 "updown = ${NETWORK_HELPERS_DIR}/ipsec-updown"


			# Mode
			# Only gre-transport selects transport mode; tunnel, vti and any
			# unknown value all become tunnel mode.
			print_indent 4 "# Mode"
			case "${MODE}" in
				gre-transport)
					print_indent 4 "mode = transport"
					;;
				tunnel|vti|*)
					print_indent 4 "mode = tunnel"
					;;
			esac


			# Compression
			# NOTE(review): IPComp compresses before encryption, so payload
			# sizes on the wire reveal how compressible the plaintext is;
			# this is left to the policy's COMPRESSION setting.
			print_indent 4 "# Compression"
			if enabled COMPRESSION; then
				print_indent 4 "ipcomp = yes"
			else
				print_indent 4 "ipcomp = no"
			fi


			# Inactivity Timeout
			if isset INACTIVITY_TIMEOUT; then
				print_indent 4 "# Inactivity Timeout"
				print_indent 4 "inactivity = ${INACTIVITY_TIMEOUT}"

			fi

			# Start Action
			# Unknown or unset values are treated as always-on.
			print_indent 4 "# Start Action"
			case "${START_ACTION}" in
				on-demand)
					print_indent 4 "start_action = trap"
					print_indent 4 "close_action = trap"
					;;
				wait)
					print_indent 4 "start_action = none"
					print_indent 4 "close_action = none"
					;;
				always-on|*)
					print_indent 4 "start_action = start"
					print_indent 4 "close_action = start"
					;;
			esac


		print_indent 3 "}"
	print_indent 2 "}"


	print_indent 1 "}"
	print_indent 0 "}"

}
1237 | ||
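# Print the swanctl "secrets { ... }" section for one connection.
#
# Expects AUTH_MODE, PSK and REMOTE_ID to be in scope from the caller.
# Only PSK authentication produces an "ike" secret; other modes yield an
# empty section. Output goes to stdout via print_indent. Returns
# ${EXIT_ERROR} if AUTH_MODE is PSK but no PSK is set, since the
# resulting connection could never authenticate.
_ipsec_connection_to_strongswan_secrets() {
	local connection="${1}"

	print_indent 0 "secrets {"

	case "${AUTH_MODE}" in
		PSK)
			if ! isset PSK; then
				log ERROR "No PSK configured for VPN IPsec connection ${connection}"
				return ${EXIT_ERROR}
			fi

			print_indent 1 "ike {"

			# Secret
			# The PSK is emitted Base64-encoded with strongSwan's "0s" prefix
			# rather than as a bare string. Interpolated raw, a PSK containing
			# '#', '"', '}', a newline or leading/trailing whitespace would be
			# truncated or break the generated file, and one that happens to
			# start with "0x"/"0s" would be mis-parsed as hex/Base64. The
			# decoded bytes equal the raw string, so the peer keeps using the
			# plain PSK unchanged.
			print_indent 2 "secret = 0s$(printf '%s' "${PSK}" | base64 | tr -d '\n')"

			# ID
			# Binds the secret to the peer identity when one is configured
			if isset REMOTE_ID; then
				print_indent 2 "id = ${REMOTE_ID}"
			fi

			print_indent 1 "}"
			;;
	esac

	print_indent 0 "}"
}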
1260 | } |