]> git.ipfire.org Git - people/stevee/network.git/blame - src/functions/functions.ipsec
projects / people / stevee / network.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
ipsec: Always make sure that n2n connections are unique
[people/stevee/network.git] / src / functions / functions.ipsec
CommitLineData
917a1aa0
JS		 1#!/bin/bash
2###############################################################################
3# #
4# IPFire.org - A linux based firewall #
5# Copyright (C) 2017 IPFire Network Development Team #
6# #
7# This program is free software: you can redistribute it and/or modify #
8# it under the terms of the GNU General Public License as published by #
9# the Free Software Foundation, either version 3 of the License, or #
10# (at your option) any later version. #
11# #
12# This program is distributed in the hope that it will be useful, #
13# but WITHOUT ANY WARRANTY; without even the implied warranty of #
14# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
15# GNU General Public License for more details. #
16# #
17# You should have received a copy of the GNU General Public License #
18# along with this program. If not, see <http://www.gnu.org/licenses/>. #
19# #
20###############################################################################
21
33944dfb
MT		 22IPSEC_CONNECTION_CONFIG_SETTINGS="\
23 AUTH_MODE \
24 DPD_ACTION \
25 DPD_DELAY \
26 DPD_TIMEOUT \
27 INACTIVITY_TIMEOUT \
28 LOCAL_ADDRESS \
29 LOCAL_ID \
30 LOCAL_PREFIX \
31 MODE \
32 PEER \
33 PSK \
34 REMOTE_ID \
35 REMOTE_PREFIX \
5601f4f5
JS		 36 SECURITY_POLICY \
37 ENABLED"
917a1aa0
JS		 38
39# Default values
ab589039 40IPSEC_DEFAULT_AUTH_MODE="PSK"
bb9fccaf
JS		 41IPSEC_DEFAULT_DPD_ACTION="restart"
42IPSEC_DEFAULT_DPD_DELAY="30"
43IPSEC_DEFAULT_DPD_TIMEOUT="120"
5601f4f5 44IPSEC_DEFAULT_ENABLED="true"
917a1aa0 45IPSEC_DEFAULT_INACTIVITY_TIMEOUT="0"
bb9fccaf 46IPSEC_DEFAULT_MODE="tunnel"
917a1aa0 47IPSEC_DEFAULT_SECURITY_POLICY="system"
bb9fccaf 48IPSEC_DEFAULT_START_ACTION="on-demand"
917a1aa0
JS		 49
50IPSEC_VALID_MODES="gre-transport tunnel vti"
ab589039 51IPSEC_VALID_AUTH_MODES="PSK"
917a1aa0 52
2da98f56
MT		 53cli_ipsec() {
54 local action=${1}
55 shift 1
56
57 case "${action}" in
58 connection)
59 cli_ipsec_connection $@
60 ;;
61 *)
62 error "Unrecognized argument: ${action}"
63 exit ${EXIT_ERROR}
64 ;;
65 esac
66}
67
68cli_ipsec_connection() {
69 if ipsec_connection_exists ${1}; then
70 local connection=${1}
71 local key=${2}
72 key=${key//-/_}
73 shift 2
74
75 case "${key}" in
5601f4f5 76 authentication|down|disable|dpd|enable|inactivity_timeout|local|mode|peer|remote|security_policy|start_action|up)
2da98f56
MT		 77 ipsec_connection_${key} ${connection} $@
78 ;;
c1e76e97
MT		 79 show)
80 cli_ipsec_connection_show "${connection}"
81 exit $?
82 ;;
2da98f56
MT		 83 *)
84 error "Unrecognized argument: ${key}"
85 exit ${EXIT_ERROR}
86 ;;
87 esac
88 else
89 local action=${1}
90 shift
91
92 case "${action}" in
93 new)
94 ipsec_connection_new $@
95 ;;
96 destroy)
97 ipsec_connection_destroy $@
98 ;;
99 ""|*)
100 if [ -n "${action}" ]; then
101 error "Unrecognized argument: '${action}'"
102 fi
103 exit ${EXIT_ERROR}
104 ;;
105 esac
106 fi
107}
108
c1e76e97
MT		 109cli_ipsec_connection_show() {
110 local connection="${1}"
111
112 # Read the config settings
113 local ${IPSEC_CONNECTION_CONFIG_SETTINGS}
114 if ! ipsec_connection_read_config "${connection}"; then
115 error "Could not read the connection configuration"
116 return ${EXIT_ERROR}
117 fi
118
119 cli_headline 0 "IPsec VPN Connection: ${connection}"
120 cli_space
121
122 # Peer
123 if isset PEER; then
124 cli_print_fmt1 1 "Peer" "${PEER}"
125 fi
126
127 # Security Policy
128 cli_print_fmt1 1 "Security Policy" "${SECURITY_POLICY-${IPSEC_DEFAULT_SECURITY_POLICY}}"
129 cli_space
130
131 cli_headline 2 "Authentication"
132 case "${AUTH_MODE^^}" in
133 PSK)
134 cli_print_fmt1 2 "Mode" "Pre-Shared-Key"
135
136 if isset PSK; then
137 cli_print_fmt1 2 "Pre-Shared-Key" "****"
138 else
139 cli_print_fmt1 2 "Pre-Shared-Key" "- is not set -"
140 fi
141 ;;
142 X509)
143 : # TODO
144 ;;
145 esac
146 cli_space
147
148 local i
149 for i in LOCAL REMOTE; do
150 case "${i}" in
151 LOCAL)
152 cli_headline 2 "Local"
153 ;;
154 REMOTE)
155 cli_headline 2 "Remote"
156 ;;
157 esac
158
159 local id_var="${i}_ID"
160 if [ -n "${!id_var}" ]; then
161 cli_print_fmt1 2 "ID" "${!id_var}"
162 fi
163
164 local prefix_var="${i}_PREFIX"
165 if isset ${prefix_var}; then
166 cli_headline 3 "Prefix(es)"
167
168 local prefix
169 for prefix in ${!prefix_var}; do
170 cli_print_fmt1 3 "${prefix}"
171 done
172 fi
173
174 cli_space
175 done
176
177 cli_headline 2 "Misc."
178
179 case "${MODE}" in
180 gre-transport)
181 cli_print_fmt1 2 "Transport Mode" "GRE Transport"
182 ;;
183 tunnel)
184 cli_print_fmt1 2 "Transport Mode" "Tunnel"
185 ;;
186 vti)
187 cli_print_fmt1 2 "Transport Mode" "Virtual Tunnel Interface"
188 ;;
189 *)
190 cli_print_fmt1 2 "Transport Mode" "- Unknown -"
191 ;;
192 esac
193
194 # Inactivity timeout
195 if isset INACTIVITY_TIMEOUT && [ ${INACTIVITY_TIMEOUT} -gt 0 ]; then
196 cli_print_fmt1 2 "Inactivity Timeout" "$(format_time ${INACTIVITY_TIMEOUT})"
197 fi
198 cli_space
199
200 return ${EXIT_OK}
201}
202
5601f4f5
JS		 203ipsec_connection_disable() {
204 local connection=${1}
205
206 if ! ipsec_connection_write_config_key "${connection}" "ENABLED" "false"; then
207 log ERROR "Could not write configuration settings"
208 return ${EXIT_ERROR}
209 fi
210
211 ipsec_reload ${connection}
212}
213
214ipsec_connection_enable() {
215 local connection=${1}
216
217 if ! ipsec_connection_write_config_key "${connection}" "ENABLED" "true"; then
218 log ERROR "Could not write configuration settings"
219 return ${EXIT_ERROR}
220 fi
221
222 ipsec_reload "${connection}"
223}
224
917a1aa0
JS		 225# This function writes all values to a via ${connection} specificated VPN IPsec configuration file
226ipsec_connection_write_config() {
227 assert [ $# -ge 1 ]
228
229 local connection="${1}"
230
231 if ! ipsec_connection_exists "${connection}"; then
232 log ERROR "No such VPN IPsec connection: ${connection}"
233 return ${EXIT_ERROR}
234 fi
235
cf8685a1 236 local path="${NETWORK_IPSEC_CONNS_DIR}/${connection}/settings"
917a1aa0
JS		 237
238 if ! settings_write "${path}" ${IPSEC_CONNECTION_CONFIG_SETTINGS}; then
239 log ERROR "Could not write configuration settings for VPN IPsec connection ${connection}"
240 return ${EXIT_ERROR}
241 fi
242
243 ipsec_reload ${connection}
244}
245
246# This funtion writes the value for one key to a via ${connection} specificated VPN IPsec connection configuration file
247ipsec_connection_write_config_key() {
248 assert [ $# -ge 3 ]
249
250 local connection=${1}
251 local key=${2}
252 shift 2
253
254 local value="$@"
255
256 if ! ipsec_connection_exists "${connection}"; then
257 log ERROR "No such VPN ipsec connection: ${connection}"
258 return ${EXIT_ERROR}
259 fi
260
261 log DEBUG "Set '${key}' to new value '${value}' in VPN ipsec connection '${connection}'"
262
263 local ${IPSEC_CONNECTION_CONFIG_SETTINGS}
264
265 # Read the config settings
266 if ! ipsec_connection_read_config "${connection}"; then
267 return ${EXIT_ERROR}
268 fi
269
270 # Set the key to a new value
271 assign "${key}" "${value}"
272
273 if ! ipsec_connection_write_config "${connection}"; then
274 return ${EXIT_ERROR}
275 fi
276
277 return ${EXIT_TRUE}
278}
279
280# Reads one or more keys out of a settings file or all if no key is provided.
281ipsec_connection_read_config() {
282 assert [ $# -ge 1 ]
283
284 local connection="${1}"
285 shift 1
286
287 if ! ipsec_connection_exists "${connection}"; then
288 log ERROR "No such VPN IPsec connection : ${connection}"
289 return ${EXIT_ERROR}
290 fi
291
292
293 local args
294 if [ $# -eq 0 ] && [ -n "${IPSEC_CONNECTION_CONFIG_SETTINGS}" ]; then
295 list_append args ${IPSEC_CONNECTION_CONFIG_SETTINGS}
296 else
297 list_append args $@
298 fi
299
cf8685a1 300 local path="${NETWORK_IPSEC_CONNS_DIR}/${connection}/settings"
917a1aa0
JS		 301
302 if ! settings_read "${path}" ${args}; then
303 log ERROR "Could not read settings for VPN IPsec connection ${connection}"
304 return ${EXIT_ERROR}
305 fi
306}
307
917a1aa0
JS		 308# This function checks if a vpn ipsec connection exists
309# Returns True when yes and false when not
310ipsec_connection_exists() {
311 assert [ $# -eq 1 ]
312
313 local connection=${1}
314
cf8685a1 315 local path="${NETWORK_IPSEC_CONNS_DIR}/${connection}"
917a1aa0
JS		 316
317 [ -d "${path}" ] && return ${EXIT_TRUE} || return ${EXIT_FALSE}
318}
319
f0e91d26
JS		 320ipsec_strongswan_load() {
321 if ! cmd swanctl --load-all; then
322 log ERROR "Could not reload strongswan config"
323 return ${EXIT_ERROR}
324 fi
325}
326
917a1aa0
JS		 327# Reloads the connection after config changes
328ipsec_reload() {
39d87f20
JS		 329 local connection=${1}
330
5601f4f5
JS		 331 local ENABLED
332
333 if ! ipsec_connection_read_config "${connection}" "ENABLED"; then
334 log ERROR "Could not read configuration for IPsec connection ${connection}"
39d87f20
JS		 335 return ${EXIT_ERROR}
336 fi
337
5601f4f5
JS		 338 if enabled ${ENABLED}; then
339 if ! ipsec_connection_to_strongswan ${connection}; then
340 log ERROR "Could not generate strongswan config for ${connnection}"
341 return ${EXIT_ERROR}
342 fi
343 else
344 unlink "${NETWORK_IPSEC_SWANCTL_CONNECTIONS_DIR}/${connection}.conf"
345 fi
346
f0e91d26 347 ipsec_strongswan_load
917a1aa0
JS		 348}
349
350# Handle the cli after authentification
351ipsec_connection_authentication() {
352 if [ ! $# -gt 1 ]; then
353 log ERROR "Not enough arguments"
354 return ${EXIT_ERROR}
355 fi
356
357 local connection=${1}
358 local cmd=${2}
359 shift 2
360
361 case ${cmd} in
362 mode)
363 ipsec_connection_authentication_mode "${connection}" $@
364 ;;
365 pre-shared-key)
366 ipsec_connection_authentication_psk "${connection}" $@
367 ;;
368 *)
369 log ERROR "Unrecognized argument: ${cmd}"
370 return ${EXIT_ERROR}
371 ;;
372 esac
373}
374
375# Set the authentification mode
376ipsec_connection_authentication_mode() {
377 if [ ! $# -eq 2 ]; then
378 log ERROR "Not enough arguments"
379 return ${EXIT_ERROR}
380 fi
381 local connection=${1}
382 local mode=${2}
383
384 if ! isoneof mode ${IPSEC_VALID_AUTH_MODES}; then
385 log ERROR "Auth mode '${mode}' is invalid"
386 return ${EXIT_ERROR}
387 fi
388
ab589039 389 if ! ipsec_connection_write_config_key "${connection}" "AUTH_MODE" ${mode^^}; then
917a1aa0
JS		 390 log ERROR "Could not write configuration settings"
391 return ${EXIT_ERROR}
392 fi
393}
394
395# Set the psk
396ipsec_connection_authentication_psk() {
db491d1d 397 if [ ! $# -eq 2 ]; then
917a1aa0
JS		 398 log ERROR "Not enough arguments"
399 return ${EXIT_ERROR}
400 fi
1bfc4f56 401
917a1aa0
JS		 402 local connection=${1}
403 local psk=${2}
404
1bfc4f56
MT		 405 local length=${#psk}
406
407 if [ ${length} -lt 4 ]; then
408 error "The PSK must be longer than four characters"
409 return ${EXIT_ERROR}
410 fi
411
412 if [ ${length} -gt 128 ]; then
413 error "The PSK cannot be longer than 128 characters"
414 return ${EXIT_ERROR}
415 fi
917a1aa0 416
1bfc4f56 417 if ! ipsec_connection_write_config_key "${connection}" "PSK" "${psk}"; then
917a1aa0
JS		 418 log ERROR "Could not write configuration settings"
419 return ${EXIT_ERROR}
420 fi
421
422 return ${EXIT_OK}
423}
424
3cde31b9
MT		 425ipsec_connection_up() {
426 local connection="${1}"
427
428 if ! ipsec_connection_exists "${connection}"; then
429 error "No such VPN IPsec connection: ${connection}"
430 return ${EXIT_ERROR}
431 fi
432
433 cmd swanctl --initiate --child "${connection}"
434}
435
436ipsec_connection_down() {
437 local connection="${1}"
438
439 if ! ipsec_connection_exists "${connection}"; then
440 error "No such VPN IPsec connection: ${connection}"
441 return ${EXIT_ERROR}
442 fi
443
444 cmd swanctl --terminate --ike "${connection}"
445}
bb9fccaf
JS		 446
447# Handle the cli after authentification
448ipsec_connection_dpd() {
449 if [ ! $# -gt 1 ]; then
450 log ERROR "Not enough arguments"
451 return ${EXIT_ERROR}
452 fi
453
454 local connection=${1}
455 local cmd=${2}
456 shift 2
457
458 case ${cmd} in
459 action)
460 ipsec_connection_dpd_action "${connection}" $@
461 ;;
462 delay)
463 ipsec_connection_dpd_delay "${connection}" $@
464 ;;
465 timeout)
466 ipsec_connection_dpd_timeout "${connection}" $@
467 ;;
468 *)
469 log ERROR "Unrecognized argument: ${cmd}"
470 return ${EXIT_ERROR}
471 ;;
472 esac
473}
474
475# Set the default dpd action
476ipsec_connection_dpd_action() {
477 if [ ! $# -eq 2 ]; then
478 log ERROR "Not enough arguments"
479 return ${EXIT_ERROR}
480 fi
481 local connection=${1}
482 local action=${2}
483
484 if ! isoneof action "restart" "clear"; then
485 log ERROR "dpd action '${action}' is invalid"
486 return ${EXIT_ERROR}
487 fi
488
489 if ! ipsec_connection_write_config_key "${connection}" "DPD_ACTION" ${action}; then
490 log ERROR "Could not write configuration settings"
491 return ${EXIT_ERROR}
492 fi
493}
494
495# Set the dpd delay
496ipsec_connection_dpd_delay() {
497 if [ ! $# -ge 2 ]; then
498 log ERROR "Not enough arguments"
499 return ${EXIT_ERROR}
500 fi
501
502 local connection=${1}
503 shift 1
504 local value=$@
505
506 if ! isinteger value; then
507 value=$(parse_time $@)
508 if [ ! $? -eq 0 ]; then
509 log ERROR "Parsing the passed time was not sucessful please check the passed values."
510 return ${EXIT_ERROR}
511 fi
512 fi
513
514 if [ ${value} -lt 0 ]; then
515 log ERROR "The passed time value must be in the sum greater or equal zero seconds."
516 return ${EXIT_ERROR}
517 fi
518
519 if ! ipsec_connection_write_config_key "${connection}" "DPD_DELAY" ${value}; then
520 log ERROR "Could not write configuration settings"
521 return ${EXIT_ERROR}
522 fi
523
524 return ${EXIT_OK}
525}
526
527# Set the dpd timeout
528ipsec_connection_dpd_timeout() {
529 if [ ! $# -ge 2 ]; then
530 log ERROR "Not enough arguments"
531 return ${EXIT_ERROR}
532 fi
533
534 local connection=${1}
535 shift 1
536 local value=$@
537
538 if ! isinteger value; then
539 value=$(parse_time $@)
540 if [ ! $? -eq 0 ]; then
541 log ERROR "Parsing the passed time was not sucessful please check the passed values."
542 return ${EXIT_ERROR}
543 fi
544 fi
545
546 if [ ${value} -le 0 ]; then
547 log ERROR "The passed time value must be in the sum greater or equal zero seconds."
548 return ${EXIT_ERROR}
549 fi
550
551 if ! ipsec_connection_write_config_key "${connection}" "DPD_TIMEOUT" ${value}; then
552 log ERROR "Could not write configuration settings"
553 return ${EXIT_ERROR}
554 fi
555
556 return ${EXIT_OK}
557}
558
917a1aa0
JS		 559# Handle the cli after local
560ipsec_connection_local() {
561 if [ ! $# -ge 2 ]; then
562 log ERROR "Not enough arguments"
563 return ${EXIT_ERROR}
564 fi
565
566 local connection=${1}
567 local cmd=${2}
568 shift 2
569
570 case ${cmd} in
bb9fccaf
JS		 571 address)
572 ipsec_connection_local_address "${connection}" $@
573 ;;
917a1aa0
JS		 574 id)
575 ipsec_connection_id "${connection}" "LOCAL" $@
576 ;;
577 prefix)
578 ipsec_connection_prefix "${connection}" "LOCAL" $@
579 ;;
580 *)
581 log ERROR "Unrecognized argument: ${cmd}"
582 return ${EXIT_ERROR}
583 ;;
584 esac
585
586 return ${EXIT_OK}
587}
588
589# Set the connection mode
590ipsec_connection_mode() {
5bdbc2ee 591 if [ ! $# -eq 2 ]; then
917a1aa0
JS		 592 log ERROR "Not enough arguments"
593 return ${EXIT_ERROR}
594 fi
595 local connection=${1}
596 local mode=${2}
597
598 if ! isoneof mode ${IPSEC_VALID_MODES}; then
599 log ERROR "Mode '${mode}' is invalid"
600 return ${EXIT_ERROR}
601 fi
602
603 if ! ipsec_connection_write_config_key "${connection}" "MODE" ${mode}; then
604 log ERROR "Could not write configuration settings"
605 return ${EXIT_ERROR}
606 fi
607
608 return ${EXIT_OK}
609}
610
bb9fccaf
JS		 611# Set the local address
612ipsec_connection_local_address() {
613 if [ ! $# -eq 2 ]; then
614 log ERROR "Not enough arguments"
615 return ${EXIT_ERROR}
616 fi
617 local connection=${1}
618 local local_address=${2}
619
620 if ! ipsec_connection_check_peer ${local_address}; then
621 log ERROR "Local address '${local_address}' is invalid"
622 return ${EXIT_ERROR}
623 fi
624
625 if ! ipsec_connection_write_config_key "${connection}" "LOCAL_ADDRESS" ${local_address}; then
626 log ERROR "Could not write configuration settings"
627 return ${EXIT_ERROR}
628 fi
629
630 return ${EXIT_OK}
631}
632
917a1aa0
JS		 633# Set the peer to connect to
634ipsec_connection_peer() {
0b962a64 635 if [ ! $# -eq 2 ]; then
917a1aa0
JS		 636 log ERROR "Not enough arguments"
637 return ${EXIT_ERROR}
638 fi
639 local connection=${1}
640 local peer=${2}
641
642 if ! ipsec_connection_check_peer ${peer}; then
643 log ERROR "Peer '${peer}' is invalid"
644 return ${EXIT_ERROR}
645 fi
646
647 if ! ipsec_connection_write_config_key "${connection}" "PEER" ${peer}; then
648 log ERROR "Could not write configuration settings"
649 return ${EXIT_ERROR}
650 fi
651
652 return ${EXIT_OK}
653}
654
655#Set the local or remote id
656ipsec_connection_id() {
657 if [ ! $# -eq 3 ]; then
658 log ERROR "Not enough arguments"
659 return ${EXIT_ERROR}
660 fi
661 local connection=${1}
662 local type=${2}
663 local id=${3}
664
665 if ! ipsec_connection_check_id ${id}; then
666 log ERROR "Id '${id}' is invalid"
667 return ${EXIT_ERROR}
668 fi
669
670 if ! ipsec_connection_write_config_key "${connection}" "${type}_ID" ${id}; then
671 log ERROR "Could not write configuration settings"
672 return ${EXIT_ERROR}
673 fi
674
675 return ${EXIT_OK}
676}
677
678# Set the local or remote prefix
679ipsec_connection_prefix() {
680 if [ ! $# -ge 3 ]; then
681 log ERROR "Not enough arguments"
682 return ${EXIT_ERROR}
683 fi
684 local connection=${1}
685 local type=${2}
686 shift 2
687
688 local _prefix="${type}_PREFIX"
689 local "${_prefix}"
690 if ! ipsec_connection_read_config "${connection}" "${_prefix}"; then
691 return ${EXIT_ERROR}
692 fi
693
694 # Remove duplicated entries to proceed the list safely
695 assign "${_prefix}" "$(list_unique ${!_prefix} )"
696
697 local prefixes_added
698 local prefixes_removed
699 local prefixes_set
700
701 while [ $# -gt 0 ]; do
702 local arg="${1}"
703
704 case "${arg}" in
705 +*)
706 list_append prefixes_added "${arg:1}"
707 ;;
708 -*)
709 list_append prefixes_removed "${arg:1}"
710 ;;
711 [A-Fa-f0-9]*)
712 list_append prefixes_set "${arg}"
713 ;;
714 *)
715 error "Invalid argument: ${arg}"
716 return ${EXIT_ERROR}
717 ;;
718 esac
719 shift
720 done
721
722 # Check if the user is trying a mixed operation
723 if ! list_is_empty prefixes_set && (! list_is_empty prefixes_added || ! list_is_empty prefixes_removed); then
724 error "You cannot reset the prefix list and add or remove prefixes at the same time"
725 return ${EXIT_ERROR}
726 fi
727
728 # Set new prefix list
729 if ! list_is_empty prefixes_set; then
730 # Check if all prefixes are valid
731 local prefix
732 for prefix in ${prefixes_set}; do
733 if ! ip_net_is_valid ${prefix}; then
734 error "Unsupported prefix: ${prefix}"
735 return ${EXIT_ERROR}
736 fi
737 done
738
739 assign "${_prefix}" "${prefixes_set}"
740
741 # Perform incremental updates
742 else
743 local prefix
744
745 # Perform all removals
746 for prefix in ${prefixes_removed}; do
747 if ! list_remove "${_prefix}" ${prefix}; then
748 warning "${prefix} was not on the list and could not be removed"
749 fi
750 done
751
752
753 for prefix in ${prefixes_added}; do
754 if ip_net_is_valid ${prefix}; then
755 if ! list_append_unique "${_prefix}" ${prefix}; then
756 warning "${prefix} is already on the prefix list"
757 fi
758 else
f03f29b7 759 warning "${prefix} is not a valid IP network and could not be added"
917a1aa0
JS		 760 fi
761 done
762 fi
763
764 # Check if the list contain at least one valid prefix
765 if list_is_empty ${_prefix}; then
766 error "Cannot save an empty prefix list"
767 return ${EXIT_ERROR}
768 fi
769
770 # Save everything
771 if ! ipsec_connection_write_config_key "${connection}" "${_prefix}" ${!_prefix}; then
772 log ERROR "Could not write configuration settings"
773 fi
774
775 return ${EXIT_OK}
776}
777
778# Handle the cli after remote
779ipsec_connection_remote() {
780 if [ ! $# -ge 2 ]; then
781 log ERROR "Not enough arguments"
782 return ${EXIT_ERROR}
783 fi
784
785 local connection=${1}
786 local cmd=${2}
787 shift 2
788
789 case ${cmd} in
790 id)
791 ipsec_connection_id "${connection}" "REMOTE" $@
792 ;;
793
794 prefix)
795 ipsec_connection_prefix "${connection}" "REMOTE" $@
796 ;;
797 *)
798 log ERROR "Unrecognized argument: ${cmd}"
799 return ${EXIT_ERROR}
800 ;;
801 esac
802
803 return ${EXIT_OK}
804}
805
806# Set the inactivity timeout
807ipsec_connection_inactivity_timeout() {
808 if [ ! $# -ge 2 ]; then
809 log ERROR "Not enough arguments"
810 return ${EXIT_ERROR}
811 fi
812
813 local connection=${1}
814 shift 1
815 local value=$@
816
817 if ! isinteger value; then
818 value=$(parse_time $@)
819 if [ ! $? -eq 0 ]; then
820 log ERROR "Parsing the passed time was not sucessful please check the passed values."
821 return ${EXIT_ERROR}
822 fi
823 fi
824
825 if [ ${value} -le 0 ]; then
826 log ERROR "The passed time value must be in the sum greater zero seconds."
827 return ${EXIT_ERROR}
828 fi
829
830 if ! ipsec_connection_write_config_key "${connection}" "INACTIVITY_TIMEOUT" ${value}; then
831 log ERROR "Could not write configuration settings"
832 return ${EXIT_ERROR}
833 fi
834
835 return ${EXIT_OK}
836}
837
bb9fccaf
JS		 838# Set the default start action
839ipsec_connection_start_action() {
840 if [ ! $# -eq 2 ]; then
841 log ERROR "Not enough arguments"
842 return ${EXIT_ERROR}
843 fi
844 local connection=${1}
845 local action=${2}
846
847 if ! isoneof action "on-demand" "always-on"; then
848 log ERROR "Start action '${action}' is invalid"
849 return ${EXIT_ERROR}
850 fi
851
852 if ! ipsec_connection_write_config_key "${connection}" "START_ACTION" ${action}; then
853 log ERROR "Could not write configuration settings"
854 return ${EXIT_ERROR}
855 fi
856}
917a1aa0
JS		 857
858# Set the security policy to use
859ipsec_connection_security_policy() {
860 if [ ! $# -eq 2 ]; then
861 log ERROR "Not enough arguments"
862 return ${EXIT_ERROR}
863 fi
864 local connection=${1}
865 local security_policy=${2}
866
867 if ! vpn_security_policy_exists ${security_policy}; then
868 log ERROR "No such vpn security policy '${security_policy}'"
869 return ${EXIT_ERROR}
870 fi
871
872 if ! ipsec_connection_write_config_key "${connection}" "SECURITY_POLICY" ${security_policy}; then
873 log ERROR "Could not write configuration settings"
874 return ${EXIT_ERROR}
875 fi
876}
877
878# Check if a id is valid
879ipsec_connection_check_id() {
880 assert [ $# -eq 1 ]
881 local id=${1}
882
883 if [[ ${id} =~ ^@[[:alnum:]]+$ ]] || ip_is_valid ${id}; then
884 return ${EXIT_TRUE}
885 else
886 return ${EXIT_FALSE}
887 fi
888}
889
890# Checks if a peer is valid
891ipsec_connection_check_peer() {
892 assert [ $# -eq 1 ]
893 local peer=${1}
894
895 # TODO Accept also FQDNs
896 if ip_is_valid ${peer}; then
897 return ${EXIT_TRUE}
898 else
899 return ${EXIT_FALSE}
900 fi
901}
902
903# This function checks if a VPN IPsec connection name is valid
904# Allowed are only A-Za-z0-9
905ipsec_connection_check_name() {
906 assert [ $# -eq 1 ]
907
908 local connection=${1}
909
910 [[ "${connection}" =~ [^[:alnum:]$] ]]
911}
912
913# Function that creates one VPN IPsec connection
914ipsec_connection_new() {
915 if [ $# -gt 1 ]; then
916 error "Too many arguments"
917 return ${EXIT_ERROR}
918 fi
919
920 local connection="${1}"
921 if ! isset connection; then
922 error "Please provide a connection name"
923 return ${EXIT_ERROR}
924 fi
925
926 # Check for duplicates
927 if ipsec_connection_exists "${connection}"; then
928 error "The VPN IPsec connection ${connection} already exists"
929 return ${EXIT_ERROR}
930 fi
931
932 # Check if the name of the connection is valid
933 if ipsec_connection_check_name "${connection}"; then
934 error "'${connection}' contains illegal characters"
935 return ${EXIT_ERROR}
936 fi
937
938 log DEBUG "Creating VPN IPsec connection ${connection}"
939
cf8685a1 940 if ! mkdir -p "${NETWORK_IPSEC_CONNS_DIR}/${connection}"; then
917a1aa0
JS		 941 log ERROR "Could not create config directory for ${connection}"
942 return ${EXIT_ERROR}
943 fi
944
945 local ${IPSEC_CONNECTION_CONFIG_SETTINGS}
946
917a1aa0 947 AUTH_MODE=${IPSEC_DEFAULT_AUTH_MODE}
bb9fccaf
JS		 948 DPD_ACTION=${IPSEC_DEFAULT_DPD_ACTION}
949 DPD_DELAY=${IPSEC_DEFAULT_DPD_DELAY}
950 DPD_TIMEOUT=${IPSEC_DEFAULT_DPD_TIMEOUT}
5601f4f5 951 ENABLED=${IPSEC_DEFAULT_ENABLED}
bb9fccaf
JS		 952 MODE=${IPSEC_DEFAULT_MODE}
953 START_ACTION=${IPSEC_DEFAULT_START_ACTION}
954
917a1aa0
JS		 955 INACTIVITY_TIMEOUT=${IPSEC_DEFAULT_INACTIVITY_TIMEOUT}
956 SECURITY_POLICY=${IPSEC_DEFAULT_SECURITY_POLICY}
957
958 if ! ipsec_connection_write_config "${connection}"; then
959 log ERROR "Could not write new config file"
960 return ${EXIT_ERROR}
961 fi
962}
963
964# Function that deletes based on the passed parameters one ore more vpn security policies
965ipsec_connection_destroy() {
966 local connection
967 for connection in $@; do
968 if ! ipsec_connection_exists "${connection}"; then
969 log ERROR "The VPN IPsec connection ${connection} does not exist."
970 continue
971 fi
972
973 log DEBUG "Deleting VPN IPsec connection ${connection}"
cf8685a1 974 if ! rm -rf "${NETWORK_IPSEC_CONNS_DIR}/${connection}"; then
917a1aa0
JS		 975 log ERROR "Deleting the VPN IPsec connection ${connection} was not sucessful"
976 return ${EXIT_ERROR}
977 fi
978 done
979}
d6c852b8
JS		 980
981# List all ipsec connections
982ipsec_list_connections() {
983 local connection
984 for connection in ${NETWORK_IPSEC_CONNS_DIR}/*; do
985 [ -d ${connection} ] || continue
986 basename ${connection}
987 done
988}
67baa452
MT		 989
990ipsec_connection_to_strongswan() {
991 local connection="${1}"
992
993 # Read the config settings
994 local ${IPSEC_CONNECTION_CONFIG_SETTINGS}
995 if ! ipsec_connection_read_config "${connection}"; then
996 error "Could not read the connection ${connection}"
997 return ${EXIT_ERROR}
998 fi
999
1000 local path="${NETWORK_IPSEC_SWANCTL_CONNECTIONS_DIR}/${connection}.conf"
1001
1002 (
1003 # Write the connection section
1004 _ipsec_connection_to_strongswan_connection "${connection}"
1005
1006 # Write the secrets section
1007 _ipsec_connection_to_strongswan_secrets "${connection}"
1008
1009 ) > ${path}
1010}
1011
1012_ipsec_connection_to_strongswan_connection() {
1013 local connection="${1}"
1014
1015 # Read the security policy
1016 local ${VPN_SECURITY_POLICIES_CONFIG_SETTINGS}
1017 if ! vpn_security_policies_read_config "${SECURITY_POLICY}"; then
1018 return ${EXIT_ERROR}
1019 fi
1020
4e271faa
MT		 1021 # Is DPD enabled?
1022 local dpd="false"
1023 if isset DPD_DELAY && isinteger DPD_DELAY && [ ${DPD_DELAY} -gt 0 ]; then
1024 dpd="true"
1025 fi
1026
67baa452
MT		 1027 print_indent 0 "connections {"
1028 print_indent 1 "${connection} {"
1029
1030 # IKE Version
1031 print_indent 2 "# IKE Version"
1032 case "${KEY_EXCHANGE^^}" in
1033 IKEV1)
1034 print_indent 2 "version = 1"
1035 ;;
1036
1037 # Fall back to IKEv2 for any random values
1038 IKEV2|*)
1039 print_indent 2 "version = 2"
1040 ;;
1041 esac
1042 print # empty line
1043
4609d6b4
MT		 1044 # Always only keep one connection open at a time
1045 print_indent 2 "# Unique IDs"
1046 print_indent 2 "unique = replace"
1047 print
1048
3e8ad776
MT		 1049 # Local Address
1050 print_indent 2 "# Local Address"
1051 if isset LOCAL_ADDRESS; then
1052 print_indent 2 "local_addrs = ${LOCAL_ADDRESS}"
1053 else
1054 print_indent 2 "local_addrs = %any"
1055 fi
1056 print
67baa452
MT		 1057
1058 # Remote Address
1059 print_indent 2 "# Remote Address"
1060 if isset PEER; then
1061 print_indent 2 "remote_addrs = ${PEER}"
1062 else
1063 print_indent 2 "remote_addrs = %any"
1064 fi
1065 print
1066
1067 # IKE Proposals
1068 print_indent 2 "# IKE Proposals"
e3ffacf7 1069 print_indent 2 "proposals = $(vpn_security_policies_make_ike_proposal ${SECURITY_POLICY})"
67baa452
MT		 1070 print
1071
117278c3 1072 # DPD Settings
4e271faa 1073 if enabled dpd; then
117278c3 1074 print_indent 2 "# Dead Peer Detection"
117278c3
MT		 1075 print_indent 2 "dpd_delay = ${DPD_DELAY}"
1076
1077 if isset DPD_TIMEOUT; then
1078 print_indent 2 "dpd_timeout = ${DPD_TIMEOUT}"
1079 fi
1080
1081 print
1082 fi
67baa452
MT		 1083
1084 # Fragmentation
1085 print_indent 2 "# Fragmentation"
1086 print_indent 2 "fragmentation = yes"
1087 print
1088
1089 # Local
1090 print_indent 2 "local {"
1091
1092 # Local ID
1093 if isset LOCAL_ID; then
1094 print_indent 3 "id = ${LOCAL_ID}"
1095 fi
1096
1097 # Authentication
1098 case "${AUTH_MODE}" in
1099 PSK)
1100 print_indent 3 "auth = psk"
1101 ;;
1102 esac
1103
1104 print_indent 2 "}"
1105 print
1106
1107 # Remote
1108 print_indent 2 "remote {"
1109
1110 # Remote ID
1111 if isset REMOTE_ID; then
1112 print_indent 3 "id = ${REMOTE_ID}"
1113 fi
1114
1115 # Authentication
1116 case "${AUTH_MODE}" in
1117 PSK)
1118 print_indent 3 "auth = psk"
1119 ;;
1120 esac
1121
1122 print_indent 2 "}"
1123 print
1124
1125 # Children
1126
1127 print_indent 2 "children {"
1128 print_indent 3 "${connection} {"
1129
1130 print_indent 4 "# ESP Proposals"
e3d8f3f6 1131 print_indent 4 "esp_proposals = $(vpn_security_policies_make_esp_proposal ${SECURITY_POLICY})"
67baa452
MT		 1132 print
1133
1134 # Traffic Selectors
1135
95835d23
MT		 1136 case "${MODE}" in
1137 gre-*)
1138 print_indent 4 "local_ts = dynamic[gre]"
1139 print_indent 4 "remote_ts = dynamic[gre]"
1140 ;;
1141 *)
1142 # Local Prefixes
1143 if isset LOCAL_PREFIX; then
1144 print_indent 4 "local_ts = $(list_join LOCAL_PREFIX ,)"
1145 else
1146 print_indent 4 "local_ts = dynamic"
1147 fi
67baa452 1148
95835d23
MT		 1149 # Remote Prefixes
1150 if isset REMOTE_PREFIX; then
1151 print_indent 4 "remote_ts = $(list_join REMOTE_PREFIX ,)"
1152 else
1153 print_indent 4 "remote_ts = dynamic"
1154 fi
1155 ;;
1156 esac
67baa452
MT		 1157 print
1158
82fac748
MT		 1159 # Netfilter Marks
1160 print_indent 4 "# Netfilter Marks"
1161 print_indent 4 "mark_in = %unique"
1162 print_indent 4 "mark_out = %unique"
1163 print
1164
4e271faa
MT		 1165 # Dead Peer Detection
1166 if enabled dpd; then
1167 print_indent 4 "# Dead Peer Detection"
1168 print_indent 4 "dpd_action = ${DPD_ACTION}"
1169 print
1170 fi
1171
67baa452
MT		 1172 # Rekeying
1173 if isset LIFETIME; then
1174 print_indent 4 "# Rekey Time"
1175 print_indent 4 "rekey_time = ${LIFETIME}"
1176 print
1177 fi
1178
1179 # Updown Script
1180 print_indent 4 "updown = ${NETWORK_HELPERS_DIR}/ipsec-updown"
1181 print
1182
1183 # Mode
1184 print_indent 4 "# Mode"
1185 case "${MODE}" in
1186 gre-transport)
1187 print_indent 4 "mode = transport"
1188 ;;
1189 tunnel|vti|*)
1190 print_indent 4 "mode = tunnel"
1191 ;;
1192 esac
1193 print
1194
1195 # Compression
1196 print_indent 4 "# Compression"
1197 if enabled COMPRESSION; then
1198 print_indent 4 "ipcomp = yes"
1199 else
1200 print_indent 4 "ipcomp = no"
1201 fi
1202 print
1203
1204 # Inactivity Timeout
1205 if isset INACTIVITY_TIMEOUT; then
1206 print_indent 4 "# Inactivity Timeout"
1207 print_indent 4 "inactivity = ${INACTIVITY_TIMEOUT}"
1208 print
1209 fi
1210
37317b3e
MT		 1211 # Start Action
1212 print_indent 4 "# Start Action"
1213 case "${START_ACTION}" in
1214 on-demand)
1215 print_indent 4 "start_action = trap"
1216 print_indent 4 "close_action = trap"
1217 ;;
1218 wait)
1219 print_indent 4 "start_action = none"
1220 print_indent 4 "close_action = none"
1221 ;;
1222 always-on|*)
1223 print_indent 4 "start_action = start"
1224 print_indent 4 "close_action = start"
1225 ;;
1226 esac
1227 print
67baa452
MT		 1228
1229 print_indent 3 "}"
1230 print_indent 2 "}"
1231 print
1232
1233 print_indent 1 "}"
1234 print_indent 0 "}"
1235 print
1236}
1237
1238_ipsec_connection_to_strongswan_secrets() {
1239 local connection="${1}"
1240
1241 print_indent 0 "secrets {"
1242
1243 case "${AUTH_MODE}" in
1244 PSK)
1245 print_indent 1 "ike {"
1246
1247 # Secret
1248 print_indent 2 "secret = ${PSK}"
1249
1250 # ID
1251 if isset REMOTE_ID; then
1252 print_indent 2 "id = ${REMOTE_ID}"
1253 fi
1254
1255 print_indent 1 "}"
1256 ;;
1257 esac
1258
1259 print_indent 0 "}"
1260}
Stevee's network tree.