]> git.ipfire.org Git - people/stevee/network.git/blame - src/functions/functions.ipsec
projects / people / stevee / network.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
ipsec: move pool function in a seperated file
[people/stevee/network.git] / src / functions / functions.ipsec
CommitLineData
917a1aa0
JS		 1#!/bin/bash
2###############################################################################
3# #
4# IPFire.org - A linux based firewall #
5# Copyright (C) 2017 IPFire Network Development Team #
6# #
7# This program is free software: you can redistribute it and/or modify #
8# it under the terms of the GNU General Public License as published by #
9# the Free Software Foundation, either version 3 of the License, or #
10# (at your option) any later version. #
11# #
12# This program is distributed in the hope that it will be useful, #
13# but WITHOUT ANY WARRANTY; without even the implied warranty of #
14# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
15# GNU General Public License for more details. #
16# #
17# You should have received a copy of the GNU General Public License #
18# along with this program. If not, see <http://www.gnu.org/licenses/>. #
19# #
20###############################################################################
21
33944dfb
MT		 22IPSEC_CONNECTION_CONFIG_SETTINGS="\
23 AUTH_MODE \
24 DPD_ACTION \
25 DPD_DELAY \
26 DPD_TIMEOUT \
27 INACTIVITY_TIMEOUT \
28 LOCAL_ADDRESS \
29 LOCAL_ID \
30 LOCAL_PREFIX \
31 MODE \
32 PEER \
96fdb077 33 POOLS \
33944dfb
MT		 34 PSK \
35 REMOTE_ID \
36 REMOTE_PREFIX \
5601f4f5 37 SECURITY_POLICY \
eb6fa666 38 START_ACTION \
89d71d08 39 TYPE \
5601f4f5 40 ENABLED"
917a1aa0
JS		 41
42# Default values
ab589039 43IPSEC_DEFAULT_AUTH_MODE="PSK"
bb9fccaf
JS		 44IPSEC_DEFAULT_DPD_ACTION="restart"
45IPSEC_DEFAULT_DPD_DELAY="30"
46IPSEC_DEFAULT_DPD_TIMEOUT="120"
5601f4f5 47IPSEC_DEFAULT_ENABLED="true"
917a1aa0 48IPSEC_DEFAULT_INACTIVITY_TIMEOUT="0"
bb9fccaf 49IPSEC_DEFAULT_MODE="tunnel"
917a1aa0 50IPSEC_DEFAULT_SECURITY_POLICY="system"
bb9fccaf 51IPSEC_DEFAULT_START_ACTION="on-demand"
89d71d08 52IPSEC_DEFAULT_TYPE="net-to-net"
917a1aa0
JS		 53
54IPSEC_VALID_MODES="gre-transport tunnel vti"
ab589039 55IPSEC_VALID_AUTH_MODES="PSK"
917a1aa0 56
2da98f56
MT		 57cli_ipsec() {
58 local action=${1}
59 shift 1
60
61 case "${action}" in
62 connection)
2212045f 63 cli_ipsec_connection "$@"
2da98f56 64 ;;
7c623df2 65 pool)
2212045f 66 cli_ipsec_pool "$@"
7c623df2 67 ;;
2da98f56
MT		 68 *)
69 error "Unrecognized argument: ${action}"
70 exit ${EXIT_ERROR}
71 ;;
72 esac
73}
74
75cli_ipsec_connection() {
76 if ipsec_connection_exists ${1}; then
77 local connection=${1}
78 local key=${2}
79 key=${key//-/_}
80 shift 2
81
82 case "${key}" in
96fdb077 83 authentication|down|disable|dpd|enable|inactivity_timeout|local|mode|peer|pool|remote|security_policy|start_action|up)
2212045f 84 ipsec_connection_${key} ${connection} "$@"
2da98f56 85 ;;
c1e76e97
MT		 86 show)
87 cli_ipsec_connection_show "${connection}"
88 exit $?
89 ;;
2da98f56
MT		 90 *)
91 error "Unrecognized argument: ${key}"
92 exit ${EXIT_ERROR}
93 ;;
94 esac
95 else
96 local action=${1}
97 shift
98
99 case "${action}" in
100 new)
2212045f 101 ipsec_connection_new "$@"
2da98f56
MT		 102 ;;
103 destroy)
2212045f 104 cli_ipsec_connection_destroy "$@"
2da98f56
MT		 105 ;;
106 ""|*)
107 if [ -n "${action}" ]; then
108 error "Unrecognized argument: '${action}'"
109 fi
110 exit ${EXIT_ERROR}
111 ;;
112 esac
113 fi
114}
115
fa33d830
MT		 116cli_ipsec_connection_destroy() {
117 local connection="${1}"
118
119 if ! ipsec_connection_destroy "${connection}"; then
120 return ${EXIT_ERROR}
121 fi
122
123 # Inform strongswan about the changes
124 ipsec_strongswan_load
125
126 # Configure strongswan autostart
127 ipsec_strongswan_autostart
128}
129
c1e76e97
MT		 130cli_ipsec_connection_show() {
131 local connection="${1}"
132
133 # Read the config settings
134 local ${IPSEC_CONNECTION_CONFIG_SETTINGS}
135 if ! ipsec_connection_read_config "${connection}"; then
136 error "Could not read the connection configuration"
137 return ${EXIT_ERROR}
138 fi
139
140 cli_headline 0 "IPsec VPN Connection: ${connection}"
141 cli_space
142
143 # Peer
144 if isset PEER; then
145 cli_print_fmt1 1 "Peer" "${PEER}"
146 fi
147
148 # Security Policy
149 cli_print_fmt1 1 "Security Policy" "${SECURITY_POLICY-${IPSEC_DEFAULT_SECURITY_POLICY}}"
150 cli_space
151
152 cli_headline 2 "Authentication"
153 case "${AUTH_MODE^^}" in
154 PSK)
155 cli_print_fmt1 2 "Mode" "Pre-Shared-Key"
156
157 if isset PSK; then
158 cli_print_fmt1 2 "Pre-Shared-Key" "****"
159 else
160 cli_print_fmt1 2 "Pre-Shared-Key" "- is not set -"
161 fi
162 ;;
163 X509)
164 : # TODO
165 ;;
166 esac
167 cli_space
168
169 local i
170 for i in LOCAL REMOTE; do
171 case "${i}" in
172 LOCAL)
173 cli_headline 2 "Local"
174 ;;
175 REMOTE)
176 cli_headline 2 "Remote"
177 ;;
178 esac
179
180 local id_var="${i}_ID"
181 if [ -n "${!id_var}" ]; then
182 cli_print_fmt1 2 "ID" "${!id_var}"
183 fi
184
185 local prefix_var="${i}_PREFIX"
186 if isset ${prefix_var}; then
187 cli_headline 3 "Prefix(es)"
188
189 local prefix
190 for prefix in ${!prefix_var}; do
191 cli_print_fmt1 3 "${prefix}"
192 done
193 fi
194
195 cli_space
196 done
197
198 cli_headline 2 "Misc."
199
200 case "${MODE}" in
201 gre-transport)
202 cli_print_fmt1 2 "Transport Mode" "GRE Transport"
203 ;;
204 tunnel)
205 cli_print_fmt1 2 "Transport Mode" "Tunnel"
206 ;;
207 vti)
208 cli_print_fmt1 2 "Transport Mode" "Virtual Tunnel Interface"
209 ;;
210 *)
211 cli_print_fmt1 2 "Transport Mode" "- Unknown -"
212 ;;
213 esac
214
215 # Inactivity timeout
216 if isset INACTIVITY_TIMEOUT && [ ${INACTIVITY_TIMEOUT} -gt 0 ]; then
217 cli_print_fmt1 2 "Inactivity Timeout" "$(format_time ${INACTIVITY_TIMEOUT})"
218 fi
219 cli_space
220
221 return ${EXIT_OK}
222}
223
5601f4f5
JS		 224ipsec_connection_disable() {
225 local connection=${1}
226
227 if ! ipsec_connection_write_config_key "${connection}" "ENABLED" "false"; then
228 log ERROR "Could not write configuration settings"
229 return ${EXIT_ERROR}
230 fi
231
c3f31173
MT		 232 # Configure strongswan autostart
233 ipsec_strongswan_autostart
5601f4f5
JS		 234}
235
236ipsec_connection_enable() {
237 local connection=${1}
238
239 if ! ipsec_connection_write_config_key "${connection}" "ENABLED" "true"; then
240 log ERROR "Could not write configuration settings"
241 return ${EXIT_ERROR}
242 fi
243
c3f31173
MT		 244 # Configure strongswan autostart
245 ipsec_strongswan_autostart
5601f4f5
JS		 246}
247
917a1aa0
JS		 248# This function writes all values to a via ${connection} specificated VPN IPsec configuration file
249ipsec_connection_write_config() {
250 assert [ $# -ge 1 ]
251
252 local connection="${1}"
253
254 if ! ipsec_connection_exists "${connection}"; then
255 log ERROR "No such VPN IPsec connection: ${connection}"
256 return ${EXIT_ERROR}
257 fi
258
cf8685a1 259 local path="${NETWORK_IPSEC_CONNS_DIR}/${connection}/settings"
917a1aa0
JS		 260
261 if ! settings_write "${path}" ${IPSEC_CONNECTION_CONFIG_SETTINGS}; then
262 log ERROR "Could not write configuration settings for VPN IPsec connection ${connection}"
263 return ${EXIT_ERROR}
264 fi
265
266 ipsec_reload ${connection}
267}
268
269# This funtion writes the value for one key to a via ${connection} specificated VPN IPsec connection configuration file
270ipsec_connection_write_config_key() {
271 assert [ $# -ge 3 ]
272
273 local connection=${1}
274 local key=${2}
275 shift 2
276
277 local value="$@"
278
279 if ! ipsec_connection_exists "${connection}"; then
280 log ERROR "No such VPN ipsec connection: ${connection}"
281 return ${EXIT_ERROR}
282 fi
283
284 log DEBUG "Set '${key}' to new value '${value}' in VPN ipsec connection '${connection}'"
285
286 local ${IPSEC_CONNECTION_CONFIG_SETTINGS}
287
288 # Read the config settings
289 if ! ipsec_connection_read_config "${connection}"; then
290 return ${EXIT_ERROR}
291 fi
292
293 # Set the key to a new value
294 assign "${key}" "${value}"
295
296 if ! ipsec_connection_write_config "${connection}"; then
297 return ${EXIT_ERROR}
298 fi
299
300 return ${EXIT_TRUE}
301}
302
303# Reads one or more keys out of a settings file or all if no key is provided.
304ipsec_connection_read_config() {
305 assert [ $# -ge 1 ]
306
307 local connection="${1}"
308 shift 1
309
310 if ! ipsec_connection_exists "${connection}"; then
311 log ERROR "No such VPN IPsec connection : ${connection}"
312 return ${EXIT_ERROR}
313 fi
314
315
316 local args
317 if [ $# -eq 0 ] && [ -n "${IPSEC_CONNECTION_CONFIG_SETTINGS}" ]; then
318 list_append args ${IPSEC_CONNECTION_CONFIG_SETTINGS}
319 else
2212045f 320 list_append args "$@"
917a1aa0
JS		 321 fi
322
cf8685a1 323 local path="${NETWORK_IPSEC_CONNS_DIR}/${connection}/settings"
917a1aa0
JS		 324
325 if ! settings_read "${path}" ${args}; then
326 log ERROR "Could not read settings for VPN IPsec connection ${connection}"
327 return ${EXIT_ERROR}
328 fi
329}
330
917a1aa0
JS		 331# This function checks if a vpn ipsec connection exists
332# Returns True when yes and false when not
333ipsec_connection_exists() {
334 assert [ $# -eq 1 ]
335
336 local connection=${1}
337
cf8685a1 338 local path="${NETWORK_IPSEC_CONNS_DIR}/${connection}"
917a1aa0
JS		 339
340 [ -d "${path}" ] && return ${EXIT_TRUE} || return ${EXIT_FALSE}
341}
342
c3f31173
MT		 343# Determines if strongswan should be automatically started
344# when the system boots up.
345ipsec_strongswan_autostart() {
346 local autostart_needed="false"
347
348 local connection
349 for connection in $(ipsec_list_connections); do
350 local ENABLED
351
352 if ! ipsec_connection_read_config "${connection}" "ENABLED"; then
353 log WARNING "Could not read configuation"
354 continue
355 fi
356
357 if enabled ENABLED; then
358 autostart_needed="true"
359 break
360 fi
361 done
362
363 # Start strongswan when we need it and when it is not yet enabled
b863fe52
MT		 364 if ${autostart_needed}; then
365 if ! service_is_enabled "strongswan"; then
366 service_enable "strongswan"
367 fi
368
369 if ! service_is_active "strongswan"; then
370 service_start "strongswan"
371 fi
c3f31173
MT		 372
373 # Disable strongswan when we do not need it but it is enabled
b863fe52
MT		 374 elif ! ${autostart_needed}; then
375 if service_is_enabled "strongswan"; then
376 service_disable "strongswan"
377 fi
378
379 if service_is_active "strongswan"; then
380 service_stop "strongswan"
381 fi
c3f31173
MT		 382 fi
383}
384
f0e91d26 385ipsec_strongswan_load() {
7fc57ebc
MT		 386 # Do nothing if strongswan is not running
387 if ! service_is_active "strongswan"; then
388 return ${EXIT_OK}
389 fi
390
f0e91d26
JS		 391 if ! cmd swanctl --load-all; then
392 log ERROR "Could not reload strongswan config"
393 return ${EXIT_ERROR}
394 fi
395}
396
917a1aa0
JS		 397# Reloads the connection after config changes
398ipsec_reload() {
39d87f20
JS		 399 local connection=${1}
400
5601f4f5
JS		 401 local ENABLED
402
403 if ! ipsec_connection_read_config "${connection}" "ENABLED"; then
404 log ERROR "Could not read configuration for IPsec connection ${connection}"
39d87f20
JS		 405 return ${EXIT_ERROR}
406 fi
407
471f16bc 408 if enabled ENABLED; then
5601f4f5
JS		 409 if ! ipsec_connection_to_strongswan ${connection}; then
410 log ERROR "Could not generate strongswan config for ${connnection}"
411 return ${EXIT_ERROR}
412 fi
413 else
ad482897 414 log DEBUG "Deleting strongswan config ${NETWORK_IPSEC_SWANCTL_CONNECTIONS_DIR}/${connection}.conf"
5601f4f5
JS		 415 unlink "${NETWORK_IPSEC_SWANCTL_CONNECTIONS_DIR}/${connection}.conf"
416 fi
417
f0e91d26 418 ipsec_strongswan_load
917a1aa0
JS		 419}
420
421# Handle the cli after authentification
422ipsec_connection_authentication() {
423 if [ ! $# -gt 1 ]; then
424 log ERROR "Not enough arguments"
425 return ${EXIT_ERROR}
426 fi
427
428 local connection=${1}
429 local cmd=${2}
430 shift 2
431
432 case ${cmd} in
433 mode)
2212045f 434 ipsec_connection_authentication_mode "${connection}" "$@"
917a1aa0
JS		 435 ;;
436 pre-shared-key)
2212045f 437 ipsec_connection_authentication_psk "${connection}" "$@"
917a1aa0
JS		 438 ;;
439 *)
440 log ERROR "Unrecognized argument: ${cmd}"
441 return ${EXIT_ERROR}
442 ;;
443 esac
444}
445
446# Set the authentification mode
447ipsec_connection_authentication_mode() {
448 if [ ! $# -eq 2 ]; then
449 log ERROR "Not enough arguments"
450 return ${EXIT_ERROR}
451 fi
452 local connection=${1}
453 local mode=${2}
454
455 if ! isoneof mode ${IPSEC_VALID_AUTH_MODES}; then
456 log ERROR "Auth mode '${mode}' is invalid"
457 return ${EXIT_ERROR}
458 fi
459
ab589039 460 if ! ipsec_connection_write_config_key "${connection}" "AUTH_MODE" ${mode^^}; then
917a1aa0
JS		 461 log ERROR "Could not write configuration settings"
462 return ${EXIT_ERROR}
463 fi
464}
465
466# Set the psk
467ipsec_connection_authentication_psk() {
db491d1d 468 if [ ! $# -eq 2 ]; then
917a1aa0
JS		 469 log ERROR "Not enough arguments"
470 return ${EXIT_ERROR}
471 fi
1bfc4f56 472
917a1aa0
JS		 473 local connection=${1}
474 local psk=${2}
475
1bfc4f56
MT		 476 local length=${#psk}
477
478 if [ ${length} -lt 4 ]; then
479 error "The PSK must be longer than four characters"
480 return ${EXIT_ERROR}
481 fi
482
483 if [ ${length} -gt 128 ]; then
484 error "The PSK cannot be longer than 128 characters"
485 return ${EXIT_ERROR}
486 fi
917a1aa0 487
1bfc4f56 488 if ! ipsec_connection_write_config_key "${connection}" "PSK" "${psk}"; then
917a1aa0
JS		 489 log ERROR "Could not write configuration settings"
490 return ${EXIT_ERROR}
491 fi
492
493 return ${EXIT_OK}
494}
495
3cde31b9
MT		 496ipsec_connection_up() {
497 local connection="${1}"
498
499 if ! ipsec_connection_exists "${connection}"; then
500 error "No such VPN IPsec connection: ${connection}"
501 return ${EXIT_ERROR}
502 fi
503
504 cmd swanctl --initiate --child "${connection}"
505}
506
507ipsec_connection_down() {
508 local connection="${1}"
509
510 if ! ipsec_connection_exists "${connection}"; then
511 error "No such VPN IPsec connection: ${connection}"
512 return ${EXIT_ERROR}
513 fi
514
515 cmd swanctl --terminate --ike "${connection}"
516}
bb9fccaf
JS		 517
518# Handle the cli after authentification
519ipsec_connection_dpd() {
520 if [ ! $# -gt 1 ]; then
521 log ERROR "Not enough arguments"
522 return ${EXIT_ERROR}
523 fi
524
525 local connection=${1}
526 local cmd=${2}
527 shift 2
528
529 case ${cmd} in
530 action)
2212045f 531 ipsec_connection_dpd_action "${connection}" "$@"
bb9fccaf
JS		 532 ;;
533 delay)
2212045f 534 ipsec_connection_dpd_delay "${connection}" "$@"
bb9fccaf
JS		 535 ;;
536 timeout)
2212045f 537 ipsec_connection_dpd_timeout "${connection}" "$@"
bb9fccaf
JS		 538 ;;
539 *)
540 log ERROR "Unrecognized argument: ${cmd}"
541 return ${EXIT_ERROR}
542 ;;
543 esac
544}
545
546# Set the default dpd action
547ipsec_connection_dpd_action() {
548 if [ ! $# -eq 2 ]; then
549 log ERROR "Not enough arguments"
550 return ${EXIT_ERROR}
551 fi
552 local connection=${1}
553 local action=${2}
554
555 if ! isoneof action "restart" "clear"; then
556 log ERROR "dpd action '${action}' is invalid"
557 return ${EXIT_ERROR}
558 fi
559
560 if ! ipsec_connection_write_config_key "${connection}" "DPD_ACTION" ${action}; then
561 log ERROR "Could not write configuration settings"
562 return ${EXIT_ERROR}
563 fi
564}
565
566# Set the dpd delay
567ipsec_connection_dpd_delay() {
568 if [ ! $# -ge 2 ]; then
569 log ERROR "Not enough arguments"
570 return ${EXIT_ERROR}
571 fi
572
573 local connection=${1}
574 shift 1
575 local value=$@
576
577 if ! isinteger value; then
2212045f 578 value=$(parse_time "$@")
bb9fccaf
JS		 579 if [ ! $? -eq 0 ]; then
580 log ERROR "Parsing the passed time was not sucessful please check the passed values."
581 return ${EXIT_ERROR}
582 fi
583 fi
584
585 if [ ${value} -lt 0 ]; then
586 log ERROR "The passed time value must be in the sum greater or equal zero seconds."
587 return ${EXIT_ERROR}
588 fi
589
590 if ! ipsec_connection_write_config_key "${connection}" "DPD_DELAY" ${value}; then
591 log ERROR "Could not write configuration settings"
592 return ${EXIT_ERROR}
593 fi
594
595 return ${EXIT_OK}
596}
597
598# Set the dpd timeout
599ipsec_connection_dpd_timeout() {
600 if [ ! $# -ge 2 ]; then
601 log ERROR "Not enough arguments"
602 return ${EXIT_ERROR}
603 fi
604
605 local connection=${1}
606 shift 1
607 local value=$@
608
609 if ! isinteger value; then
2212045f 610 value=$(parse_time "$@")
bb9fccaf
JS		 611 if [ ! $? -eq 0 ]; then
612 log ERROR "Parsing the passed time was not sucessful please check the passed values."
613 return ${EXIT_ERROR}
614 fi
615 fi
616
617 if [ ${value} -le 0 ]; then
618 log ERROR "The passed time value must be in the sum greater or equal zero seconds."
619 return ${EXIT_ERROR}
620 fi
621
622 if ! ipsec_connection_write_config_key "${connection}" "DPD_TIMEOUT" ${value}; then
623 log ERROR "Could not write configuration settings"
624 return ${EXIT_ERROR}
625 fi
626
627 return ${EXIT_OK}
628}
629
917a1aa0
JS		 630# Handle the cli after local
631ipsec_connection_local() {
632 if [ ! $# -ge 2 ]; then
633 log ERROR "Not enough arguments"
634 return ${EXIT_ERROR}
635 fi
636
637 local connection=${1}
638 local cmd=${2}
639 shift 2
640
641 case ${cmd} in
bb9fccaf 642 address)
2212045f 643 ipsec_connection_local_address "${connection}" "$@"
bb9fccaf 644 ;;
917a1aa0 645 id)
2212045f 646 ipsec_connection_id "${connection}" "LOCAL" "$@"
917a1aa0
JS		 647 ;;
648 prefix)
2212045f 649 ipsec_connection_prefix "${connection}" "LOCAL" "$@"
917a1aa0
JS		 650 ;;
651 *)
652 log ERROR "Unrecognized argument: ${cmd}"
653 return ${EXIT_ERROR}
654 ;;
655 esac
656
657 return ${EXIT_OK}
658}
659
660# Set the connection mode
661ipsec_connection_mode() {
5bdbc2ee 662 if [ ! $# -eq 2 ]; then
917a1aa0
JS		 663 log ERROR "Not enough arguments"
664 return ${EXIT_ERROR}
665 fi
666 local connection=${1}
667 local mode=${2}
668
669 if ! isoneof mode ${IPSEC_VALID_MODES}; then
670 log ERROR "Mode '${mode}' is invalid"
671 return ${EXIT_ERROR}
672 fi
673
674 if ! ipsec_connection_write_config_key "${connection}" "MODE" ${mode}; then
675 log ERROR "Could not write configuration settings"
676 return ${EXIT_ERROR}
677 fi
678
679 return ${EXIT_OK}
680}
681
bb9fccaf
JS		 682# Set the local address
683ipsec_connection_local_address() {
684 if [ ! $# -eq 2 ]; then
685 log ERROR "Not enough arguments"
686 return ${EXIT_ERROR}
687 fi
688 local connection=${1}
689 local local_address=${2}
690
691 if ! ipsec_connection_check_peer ${local_address}; then
692 log ERROR "Local address '${local_address}' is invalid"
693 return ${EXIT_ERROR}
694 fi
695
696 if ! ipsec_connection_write_config_key "${connection}" "LOCAL_ADDRESS" ${local_address}; then
697 log ERROR "Could not write configuration settings"
698 return ${EXIT_ERROR}
699 fi
700
701 return ${EXIT_OK}
702}
703
917a1aa0
JS		 704# Set the peer to connect to
705ipsec_connection_peer() {
0b962a64 706 if [ ! $# -eq 2 ]; then
917a1aa0
JS		 707 log ERROR "Not enough arguments"
708 return ${EXIT_ERROR}
709 fi
710 local connection=${1}
711 local peer=${2}
712
713 if ! ipsec_connection_check_peer ${peer}; then
714 log ERROR "Peer '${peer}' is invalid"
715 return ${EXIT_ERROR}
716 fi
717
718 if ! ipsec_connection_write_config_key "${connection}" "PEER" ${peer}; then
719 log ERROR "Could not write configuration settings"
720 return ${EXIT_ERROR}
721 fi
722
723 return ${EXIT_OK}
724}
725
726#Set the local or remote id
727ipsec_connection_id() {
728 if [ ! $# -eq 3 ]; then
729 log ERROR "Not enough arguments"
730 return ${EXIT_ERROR}
731 fi
732 local connection=${1}
733 local type=${2}
734 local id=${3}
735
736 if ! ipsec_connection_check_id ${id}; then
737 log ERROR "Id '${id}' is invalid"
738 return ${EXIT_ERROR}
739 fi
aaa72eef 740
917a1aa0
JS		 741 if ! ipsec_connection_write_config_key "${connection}" "${type}_ID" ${id}; then
742 log ERROR "Could not write configuration settings"
743 return ${EXIT_ERROR}
744 fi
aaa72eef 745
917a1aa0
JS		 746 return ${EXIT_OK}
747}
748
aaa72eef 749# Set the local or remote prefix
917a1aa0
JS		 750ipsec_connection_prefix() {
751 if [ ! $# -ge 3 ]; then
752 log ERROR "Not enough arguments"
753 return ${EXIT_ERROR}
754 fi
755 local connection=${1}
756 local type=${2}
757 shift 2
aaa72eef 758
917a1aa0
JS		 759 local _prefix="${type}_PREFIX"
760 local "${_prefix}"
761 if ! ipsec_connection_read_config "${connection}" "${_prefix}"; then
762 return ${EXIT_ERROR}
763 fi
764
765 # Remove duplicated entries to proceed the list safely
766 assign "${_prefix}" "$(list_unique ${!_prefix} )"
767
768 local prefixes_added
769 local prefixes_removed
770 local prefixes_set
771
772 while [ $# -gt 0 ]; do
773 local arg="${1}"
774
775 case "${arg}" in
776 +*)
777 list_append prefixes_added "${arg:1}"
778 ;;
779 -*)
780 list_append prefixes_removed "${arg:1}"
781 ;;
782 [A-Fa-f0-9]*)
783 list_append prefixes_set "${arg}"
784 ;;
785 *)
786 error "Invalid argument: ${arg}"
787 return ${EXIT_ERROR}
788 ;;
789 esac
790 shift
791 done
792
793 # Check if the user is trying a mixed operation
794 if ! list_is_empty prefixes_set && (! list_is_empty prefixes_added || ! list_is_empty prefixes_removed); then
795 error "You cannot reset the prefix list and add or remove prefixes at the same time"
796 return ${EXIT_ERROR}
797 fi
798
799 # Set new prefix list
800 if ! list_is_empty prefixes_set; then
801 # Check if all prefixes are valid
802 local prefix
803 for prefix in ${prefixes_set}; do
804 if ! ip_net_is_valid ${prefix}; then
805 error "Unsupported prefix: ${prefix}"
806 return ${EXIT_ERROR}
807 fi
808 done
809
810 assign "${_prefix}" "${prefixes_set}"
811
812 # Perform incremental updates
813 else
814 local prefix
815
816 # Perform all removals
817 for prefix in ${prefixes_removed}; do
818 if ! list_remove "${_prefix}" ${prefix}; then
819 warning "${prefix} was not on the list and could not be removed"
820 fi
821 done
822
823
824 for prefix in ${prefixes_added}; do
825 if ip_net_is_valid ${prefix}; then
826 if ! list_append_unique "${_prefix}" ${prefix}; then
827 warning "${prefix} is already on the prefix list"
828 fi
829 else
f03f29b7 830 warning "${prefix} is not a valid IP network and could not be added"
917a1aa0
JS		 831 fi
832 done
833 fi
834
835 # Check if the list contain at least one valid prefix
836 if list_is_empty ${_prefix}; then
837 error "Cannot save an empty prefix list"
838 return ${EXIT_ERROR}
839 fi
840
841 # Save everything
842 if ! ipsec_connection_write_config_key "${connection}" "${_prefix}" ${!_prefix}; then
843 log ERROR "Could not write configuration settings"
844 fi
845
846 return ${EXIT_OK}
847}
848
96fdb077
JS		 849# Set the pools to use
850ipsec_connection_pool() {
851 if [ ! $# -ge 2 ]; then
852 log ERROR "Not enough arguments"
853 return ${EXIT_ERROR}
854 fi
855 local connection=${1}
856 shift
857
858 local POOLS
859 if ! ipsec_connection_read_config "${connection}" "POOLS"; then
860 return ${EXIT_ERROR}
861 fi
862
863 # Remove duplicated entries to proceed the list safely
864 assign "POOLS" "$(list_unique ${POOLS})"
865
866 local pools_added
867 local pools_removed
868 local pools_set
869
870 while [ $# -gt 0 ]; do
871 local arg="${1}"
872
873 case "${arg}" in
874 +*)
875 list_append pools_added "${arg:1}"
876 ;;
877 -*)
878 list_append pools_removed "${arg:1}"
879 ;;
880 [A-Za-z0-9]*)
881 list_append pools_set "${arg}"
882 ;;
883 *)
884 error "Invalid argument: ${arg}"
885 return ${EXIT_ERROR}
886 ;;
887 esac
888 shift
889 done
890
891 # Check if the user is trying a mixed operation
892 if ! list_is_empty pools_set && (! list_is_empty pools_added || ! list_is_empty pools_removed); then
893 error "You cannot reset the pools list and add or remove pools at the same time"
894 return ${EXIT_ERROR}
895 fi
896
897 # Set new pools list
898 if ! list_is_empty pools_set; then
899 # Check if all pools are valid
900 local pool
901 for pool in ${pools_set}; do
902 if ! ipsec_pool_exists ${pool} || ! ipsec_pool_check_config ${pool}; then
903 error "Pool ${pool} is not valid"
904 return ${EXIT_ERROR}
905 fi
906 done
907
908 assign "POOLS" "${pools_set}"
909
910 # Perform incremental updates
911 else
912 local pool
913
914 # Perform all removals
915 for pool in ${pools_removed}; do
916 if ! list_remove "POOLS" ${pool}; then
917 warning "${pool} was not on the list and could not be removed"
918 fi
919 done
920
921
922 for pool in ${pools_added}; do
beb0ebbb 923 if ipsec_pool_exists ${pool} && ipsec_pool_check_config ${pool}; then
96fdb077
JS		 924 if ! list_append_unique "POOLS" ${pool}; then
925 warning "${pool} is already on the prefix list"
926 fi
927 else
928 warning "${pool} is not a valid pool"
929 fi
930 done
931 fi
932
933 # Check if the list contain at least one valid pool
934 if list_is_empty POOLS; then
935 error "Cannot save an empty pool list"
936 return ${EXIT_ERROR}
937 fi
938
939 # Save everything
940 if ! ipsec_connection_write_config_key "${connection}" "POOLS" ${POOLS}; then
941 log ERROR "Could not write configuration settings"
942 fi
943
944 return ${EXIT_OK}
945}
946
917a1aa0
JS		 947# Handle the cli after remote
948ipsec_connection_remote() {
949 if [ ! $# -ge 2 ]; then
950 log ERROR "Not enough arguments"
951 return ${EXIT_ERROR}
952 fi
953
954 local connection=${1}
955 local cmd=${2}
956 shift 2
957
958 case ${cmd} in
959 id)
2212045f 960 ipsec_connection_id "${connection}" "REMOTE" "$@"
917a1aa0
JS		 961 ;;
962
963 prefix)
2212045f 964 ipsec_connection_prefix "${connection}" "REMOTE" "$@"
917a1aa0
JS		 965 ;;
966 *)
967 log ERROR "Unrecognized argument: ${cmd}"
968 return ${EXIT_ERROR}
969 ;;
970 esac
971
972 return ${EXIT_OK}
973}
974
975# Set the inactivity timeout
976ipsec_connection_inactivity_timeout() {
977 if [ ! $# -ge 2 ]; then
978 log ERROR "Not enough arguments"
979 return ${EXIT_ERROR}
980 fi
981
982 local connection=${1}
983 shift 1
984 local value=$@
985
986 if ! isinteger value; then
2212045f 987 value=$(parse_time "$@")
917a1aa0
JS		 988 if [ ! $? -eq 0 ]; then
989 log ERROR "Parsing the passed time was not sucessful please check the passed values."
990 return ${EXIT_ERROR}
991 fi
992 fi
993
994 if [ ${value} -le 0 ]; then
995 log ERROR "The passed time value must be in the sum greater zero seconds."
996 return ${EXIT_ERROR}
997 fi
998
999 if ! ipsec_connection_write_config_key "${connection}" "INACTIVITY_TIMEOUT" ${value}; then
1000 log ERROR "Could not write configuration settings"
1001 return ${EXIT_ERROR}
1002 fi
1003
1004 return ${EXIT_OK}
1005}
1006
bb9fccaf
JS		 1007# Set the default start action
1008ipsec_connection_start_action() {
1009 if [ ! $# -eq 2 ]; then
1010 log ERROR "Not enough arguments"
1011 return ${EXIT_ERROR}
1012 fi
1013 local connection=${1}
1014 local action=${2}
1015
1016 if ! isoneof action "on-demand" "always-on"; then
1017 log ERROR "Start action '${action}' is invalid"
1018 return ${EXIT_ERROR}
1019 fi
1020
1021 if ! ipsec_connection_write_config_key "${connection}" "START_ACTION" ${action}; then
1022 log ERROR "Could not write configuration settings"
1023 return ${EXIT_ERROR}
1024 fi
1025}
917a1aa0
JS		 1026
1027# Set the security policy to use
1028ipsec_connection_security_policy() {
1029 if [ ! $# -eq 2 ]; then
1030 log ERROR "Not enough arguments"
1031 return ${EXIT_ERROR}
1032 fi
1033 local connection=${1}
1034 local security_policy=${2}
1035
1036 if ! vpn_security_policy_exists ${security_policy}; then
1037 log ERROR "No such vpn security policy '${security_policy}'"
1038 return ${EXIT_ERROR}
1039 fi
1040
1041 if ! ipsec_connection_write_config_key "${connection}" "SECURITY_POLICY" ${security_policy}; then
1042 log ERROR "Could not write configuration settings"
1043 return ${EXIT_ERROR}
1044 fi
1045}
1046
1047# Check if a id is valid
1048ipsec_connection_check_id() {
1049 assert [ $# -eq 1 ]
1050 local id=${1}
1051
1052 if [[ ${id} =~ ^@[[:alnum:]]+$ ]] || ip_is_valid ${id}; then
1053 return ${EXIT_TRUE}
1054 else
1055 return ${EXIT_FALSE}
1056 fi
1057}
1058
1059# Checks if a peer is valid
1060ipsec_connection_check_peer() {
1061 assert [ $# -eq 1 ]
1062 local peer=${1}
1063
1064 # TODO Accept also FQDNs
1065 if ip_is_valid ${peer}; then
1066 return ${EXIT_TRUE}
1067 else
1068 return ${EXIT_FALSE}
1069 fi
1070}
1071
1072# This function checks if a VPN IPsec connection name is valid
1073# Allowed are only A-Za-z0-9
1074ipsec_connection_check_name() {
1075 assert [ $# -eq 1 ]
1076
1077 local connection=${1}
1078
1079 [[ "${connection}" =~ [^[:alnum:]$] ]]
1080}
1081
1082# Function that creates one VPN IPsec connection
1083ipsec_connection_new() {
89d71d08 1084 if [ $# -gt 2 ]; then
917a1aa0
JS		 1085 error "Too many arguments"
1086 return ${EXIT_ERROR}
1087 fi
1088
1089 local connection="${1}"
89d71d08
JS		 1090 local type="${2}"
1091
917a1aa0
JS		 1092 if ! isset connection; then
1093 error "Please provide a connection name"
1094 return ${EXIT_ERROR}
1095 fi
1096
1097 # Check for duplicates
1098 if ipsec_connection_exists "${connection}"; then
1099 error "The VPN IPsec connection ${connection} already exists"
1100 return ${EXIT_ERROR}
1101 fi
1102
1103 # Check if the name of the connection is valid
1104 if ipsec_connection_check_name "${connection}"; then
1105 error "'${connection}' contains illegal characters"
1106 return ${EXIT_ERROR}
1107 fi
1108
89d71d08
JS		 1109 # Set TYPE to default if not set by the user
1110 if ! isset type; then
1111 type="${IPSEC_DEFAULT_TYPE}"
1112 fi
1113
1114 if ! isoneof "type" "net-to-net" "host-to-net"; then
1115 error "Type is invalid"
1116 return ${EXIT_ERROR}
1117 fi
1118
917a1aa0
JS		 1119 log DEBUG "Creating VPN IPsec connection ${connection}"
1120
cf8685a1 1121 if ! mkdir -p "${NETWORK_IPSEC_CONNS_DIR}/${connection}"; then
917a1aa0
JS		 1122 log ERROR "Could not create config directory for ${connection}"
1123 return ${EXIT_ERROR}
1124 fi
1125
1126 local ${IPSEC_CONNECTION_CONFIG_SETTINGS}
1127
917a1aa0 1128 AUTH_MODE=${IPSEC_DEFAULT_AUTH_MODE}
bb9fccaf
JS		 1129 DPD_ACTION=${IPSEC_DEFAULT_DPD_ACTION}
1130 DPD_DELAY=${IPSEC_DEFAULT_DPD_DELAY}
1131 DPD_TIMEOUT=${IPSEC_DEFAULT_DPD_TIMEOUT}
5601f4f5 1132 ENABLED=${IPSEC_DEFAULT_ENABLED}
bb9fccaf
JS		 1133 MODE=${IPSEC_DEFAULT_MODE}
1134 START_ACTION=${IPSEC_DEFAULT_START_ACTION}
89d71d08 1135 TYPE="${type}"
bb9fccaf 1136
917a1aa0
JS		 1137 INACTIVITY_TIMEOUT=${IPSEC_DEFAULT_INACTIVITY_TIMEOUT}
1138 SECURITY_POLICY=${IPSEC_DEFAULT_SECURITY_POLICY}
1139
1140 if ! ipsec_connection_write_config "${connection}"; then
1141 log ERROR "Could not write new config file"
1142 return ${EXIT_ERROR}
1143 fi
c3f31173
MT		 1144
1145 # Configure strongswan autostart
1146 ipsec_strongswan_autostart
917a1aa0
JS		 1147}
1148
1149# Function that deletes based on the passed parameters one ore more vpn security policies
1150ipsec_connection_destroy() {
1151 local connection
2212045f 1152 for connection in "$@"; do
917a1aa0
JS		 1153 if ! ipsec_connection_exists "${connection}"; then
1154 log ERROR "The VPN IPsec connection ${connection} does not exist."
1155 continue
1156 fi
1157
1158 log DEBUG "Deleting VPN IPsec connection ${connection}"
fa33d830
MT		 1159
1160 # Delete strongswan configuration file
1161 file_delete "${NETWORK_IPSEC_SWANCTL_CONNECTIONS_DIR}/${connection}.conf"
1162
cf8685a1 1163 if ! rm -rf "${NETWORK_IPSEC_CONNS_DIR}/${connection}"; then
917a1aa0
JS		 1164 log ERROR "Deleting the VPN IPsec connection ${connection} was not sucessful"
1165 return ${EXIT_ERROR}
1166 fi
c3f31173 1167
fa33d830 1168 done
917a1aa0 1169}
d6c852b8
JS		 1170
1171# List all ipsec connections
1172ipsec_list_connections() {
1173 local connection
1174 for connection in ${NETWORK_IPSEC_CONNS_DIR}/*; do
1175 [ -d ${connection} ] || continue
1176 basename ${connection}
1177 done
1178}
67baa452
MT		 1179
1180ipsec_connection_to_strongswan() {
1181 local connection="${1}"
aaa72eef 1182 log DEBUG "Generating IPsec configuration for ${connection}"
67baa452
MT		 1183
1184 # Read the config settings
1185 local ${IPSEC_CONNECTION_CONFIG_SETTINGS}
1186 if ! ipsec_connection_read_config "${connection}"; then
1187 error "Could not read the connection ${connection}"
1188 return ${EXIT_ERROR}
1189 fi
1190
1191 local path="${NETWORK_IPSEC_SWANCTL_CONNECTIONS_DIR}/${connection}.conf"
1192
1193 (
1194 # Write the connection section
1195 _ipsec_connection_to_strongswan_connection "${connection}"
1196
1197 # Write the secrets section
1198 _ipsec_connection_to_strongswan_secrets "${connection}"
1199
1200 ) > ${path}
1201}
1202
1203_ipsec_connection_to_strongswan_connection() {
1204 local connection="${1}"
1205
1206 # Read the security policy
1207 local ${VPN_SECURITY_POLICIES_CONFIG_SETTINGS}
1208 if ! vpn_security_policies_read_config "${SECURITY_POLICY}"; then
1209 return ${EXIT_ERROR}
1210 fi
1211
4e271faa
MT		 1212 # Is DPD enabled?
1213 local dpd="false"
1214 if isset DPD_DELAY && isinteger DPD_DELAY && [ ${DPD_DELAY} -gt 0 ]; then
1215 dpd="true"
1216 fi
1217
b21fb175
MT		 1218 # Write configuration header
1219 config_header "strongSwan configuration for ${connection}"
1220
67baa452
MT		 1221 print_indent 0 "connections {"
1222 print_indent 1 "${connection} {"
1223
1224 # IKE Version
1225 print_indent 2 "# IKE Version"
1226 case "${KEY_EXCHANGE^^}" in
1227 IKEV1)
1228 print_indent 2 "version = 1"
1229 ;;
1230
1231 # Fall back to IKEv2 for any random values
1232 IKEV2|*)
1233 print_indent 2 "version = 2"
1234 ;;
1235 esac
1236 print # empty line
1237
4609d6b4
MT		 1238 # Always only keep one connection open at a time
1239 print_indent 2 "# Unique IDs"
1240 print_indent 2 "unique = replace"
1241 print
1242
3e8ad776
MT		 1243 # Local Address
1244 print_indent 2 "# Local Address"
1245 if isset LOCAL_ADDRESS; then
1246 print_indent 2 "local_addrs = ${LOCAL_ADDRESS}"
1247 else
1248 print_indent 2 "local_addrs = %any"
1249 fi
1250 print
67baa452
MT		 1251
1252 # Remote Address
1253 print_indent 2 "# Remote Address"
1254 if isset PEER; then
1255 print_indent 2 "remote_addrs = ${PEER}"
1256 else
1257 print_indent 2 "remote_addrs = %any"
1258 fi
1259 print
1260
1261 # IKE Proposals
1262 print_indent 2 "# IKE Proposals"
e3ffacf7 1263 print_indent 2 "proposals = $(vpn_security_policies_make_ike_proposal ${SECURITY_POLICY})"
67baa452
MT		 1264 print
1265
117278c3 1266 # DPD Settings
4e271faa 1267 if enabled dpd; then
117278c3 1268 print_indent 2 "# Dead Peer Detection"
117278c3
MT		 1269 print_indent 2 "dpd_delay = ${DPD_DELAY}"
1270
1271 if isset DPD_TIMEOUT; then
1272 print_indent 2 "dpd_timeout = ${DPD_TIMEOUT}"
1273 fi
1274
1275 print
1276 fi
67baa452
MT		 1277
1278 # Fragmentation
1279 print_indent 2 "# Fragmentation"
1280 print_indent 2 "fragmentation = yes"
1281 print
1282
dd66c192
MT		 1283
1284 # Host-to-Net specific settings
1285 case "${TYPE}" in
1286 host-to-net)
1287 # Pools
1288 if isset POOLS; then
1289 print_indent 2 "# Pools"
1290 print_indent 2 "pools = $(list_join POOLS ", ")"
1291 print
1292 fi
1293 ;;
1294 esac
96fdb077 1295
67baa452
MT		 1296 # Local
1297 print_indent 2 "local {"
1298
1299 # Local ID
1300 if isset LOCAL_ID; then
1301 print_indent 3 "id = ${LOCAL_ID}"
1302 fi
1303
1304 # Authentication
1305 case "${AUTH_MODE}" in
1306 PSK)
1307 print_indent 3 "auth = psk"
1308 ;;
1309 esac
1310
1311 print_indent 2 "}"
1312 print
1313
1314 # Remote
1315 print_indent 2 "remote {"
1316
1317 # Remote ID
1318 if isset REMOTE_ID; then
1319 print_indent 3 "id = ${REMOTE_ID}"
1320 fi
1321
1322 # Authentication
1323 case "${AUTH_MODE}" in
1324 PSK)
1325 print_indent 3 "auth = psk"
1326 ;;
1327 esac
1328
1329 print_indent 2 "}"
1330 print
1331
1332 # Children
1333
1334 print_indent 2 "children {"
1335 print_indent 3 "${connection} {"
1336
1337 print_indent 4 "# ESP Proposals"
e3d8f3f6 1338 print_indent 4 "esp_proposals = $(vpn_security_policies_make_esp_proposal ${SECURITY_POLICY})"
67baa452
MT		 1339 print
1340
1341 # Traffic Selectors
1342
95835d23
MT		 1343 case "${MODE}" in
1344 gre-*)
1345 print_indent 4 "local_ts = dynamic[gre]"
1346 print_indent 4 "remote_ts = dynamic[gre]"
1347 ;;
1348 *)
1349 # Local Prefixes
1350 if isset LOCAL_PREFIX; then
1351 print_indent 4 "local_ts = $(list_join LOCAL_PREFIX ,)"
1352 else
1353 print_indent 4 "local_ts = dynamic"
1354 fi
67baa452 1355
95835d23
MT		 1356 # Remote Prefixes
1357 if isset REMOTE_PREFIX; then
1358 print_indent 4 "remote_ts = $(list_join REMOTE_PREFIX ,)"
1359 else
1360 print_indent 4 "remote_ts = dynamic"
1361 fi
1362 ;;
1363 esac
67baa452
MT		 1364 print
1365
82fac748 1366 # Netfilter Marks
8af22236
MT		 1367 case "${MODE}" in
1368 vti)
1369 print_indent 4 "# Netfilter Marks"
1370 print_indent 4 "mark_in = %unique"
1371 print_indent 4 "mark_out = %unique"
1372 print
1373 ;;
1374 esac
82fac748 1375
4e271faa
MT		 1376 # Dead Peer Detection
1377 if enabled dpd; then
1378 print_indent 4 "# Dead Peer Detection"
1379 print_indent 4 "dpd_action = ${DPD_ACTION}"
1380 print
1381 fi
1382
67baa452
MT		 1383 # Rekeying
1384 if isset LIFETIME; then
1385 print_indent 4 "# Rekey Time"
1386 print_indent 4 "rekey_time = ${LIFETIME}"
1387 print
1388 fi
1389
1390 # Updown Script
1391 print_indent 4 "updown = ${NETWORK_HELPERS_DIR}/ipsec-updown"
1392 print
1393
1394 # Mode
1395 print_indent 4 "# Mode"
1396 case "${MODE}" in
1397 gre-transport)
1398 print_indent 4 "mode = transport"
1399 ;;
1400 tunnel|vti|*)
1401 print_indent 4 "mode = tunnel"
1402 ;;
1403 esac
1404 print
1405
1406 # Compression
1407 print_indent 4 "# Compression"
1408 if enabled COMPRESSION; then
1409 print_indent 4 "ipcomp = yes"
1410 else
1411 print_indent 4 "ipcomp = no"
1412 fi
1413 print
1414
1415 # Inactivity Timeout
1416 if isset INACTIVITY_TIMEOUT; then
1417 print_indent 4 "# Inactivity Timeout"
1418 print_indent 4 "inactivity = ${INACTIVITY_TIMEOUT}"
1419 print
1420 fi
1421
dd66c192
MT		 1422 # Net-to-Net specific settings
1423 case "${TYPE}" in
1424 net-to-net)
1425 # Start Action
1426 print_indent 4 "# Start Action"
1427 case "${START_ACTION}" in
1428 on-demand)
1429 print_indent 4 "start_action = trap"
1430 print_indent 4 "close_action = trap"
1431 ;;
1432 wait)
1433 print_indent 4 "start_action = none"
1434 print_indent 4 "close_action = none"
1435 ;;
1436 always-on|*)
1437 print_indent 4 "start_action = start"
1438 print_indent 4 "close_action = start"
1439 ;;
1440 esac
1441 print
37317b3e
MT		 1442 ;;
1443 esac
67baa452
MT		 1444
1445 print_indent 3 "}"
1446 print_indent 2 "}"
1447 print
1448
1449 print_indent 1 "}"
1450 print_indent 0 "}"
1451 print
1452}
1453
1454_ipsec_connection_to_strongswan_secrets() {
1455 local connection="${1}"
1456
1457 print_indent 0 "secrets {"
1458
1459 case "${AUTH_MODE}" in
1460 PSK)
1461 print_indent 1 "ike {"
1462
1463 # Secret
1464 print_indent 2 "secret = ${PSK}"
1465
1466 # ID
1467 if isset REMOTE_ID; then
1468 print_indent 2 "id = ${REMOTE_ID}"
1469 fi
1470
1471 print_indent 1 "}"
1472 ;;
1473 esac
1474
1475 print_indent 0 "}"
1476}
Stevee's network tree.