]>
Commit | Line | Data |
---|---|---|
917a1aa0 JS |
1 | #!/bin/bash |
2 | ############################################################################### | |
3 | # # | |
4 | # IPFire.org - A linux based firewall # | |
5 | # Copyright (C) 2017 IPFire Network Development Team # | |
6 | # # | |
7 | # This program is free software: you can redistribute it and/or modify # | |
8 | # it under the terms of the GNU General Public License as published by # | |
9 | # the Free Software Foundation, either version 3 of the License, or # | |
10 | # (at your option) any later version. # | |
11 | # # | |
12 | # This program is distributed in the hope that it will be useful, # | |
13 | # but WITHOUT ANY WARRANTY; without even the implied warranty of # | |
14 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # | |
15 | # GNU General Public License for more details. # | |
16 | # # | |
17 | # You should have received a copy of the GNU General Public License # | |
18 | # along with this program. If not, see <http://www.gnu.org/licenses/>. # | |
19 | # # | |
20 | ############################################################################### | |
21 | ||
33944dfb MT |
22 | IPSEC_CONNECTION_CONFIG_SETTINGS="\ |
23 | AUTH_MODE \ | |
24 | DPD_ACTION \ | |
25 | DPD_DELAY \ | |
26 | DPD_TIMEOUT \ | |
27 | INACTIVITY_TIMEOUT \ | |
28 | LOCAL_ADDRESS \ | |
29 | LOCAL_ID \ | |
30 | LOCAL_PREFIX \ | |
31 | MODE \ | |
32 | PEER \ | |
96fdb077 | 33 | POOLS \ |
33944dfb MT |
34 | PSK \ |
35 | REMOTE_ID \ | |
36 | REMOTE_PREFIX \ | |
5601f4f5 | 37 | SECURITY_POLICY \ |
eb6fa666 | 38 | START_ACTION \ |
89d71d08 | 39 | TYPE \ |
5601f4f5 | 40 | ENABLED" |
917a1aa0 JS |
41 | |
42 | # Default values | |
ab589039 | 43 | IPSEC_DEFAULT_AUTH_MODE="PSK" |
bb9fccaf JS |
44 | IPSEC_DEFAULT_DPD_ACTION="restart" |
45 | IPSEC_DEFAULT_DPD_DELAY="30" | |
46 | IPSEC_DEFAULT_DPD_TIMEOUT="120" | |
5601f4f5 | 47 | IPSEC_DEFAULT_ENABLED="true" |
917a1aa0 | 48 | IPSEC_DEFAULT_INACTIVITY_TIMEOUT="0" |
bb9fccaf | 49 | IPSEC_DEFAULT_MODE="tunnel" |
917a1aa0 | 50 | IPSEC_DEFAULT_SECURITY_POLICY="system" |
bb9fccaf | 51 | IPSEC_DEFAULT_START_ACTION="on-demand" |
89d71d08 | 52 | IPSEC_DEFAULT_TYPE="net-to-net" |
917a1aa0 JS |
53 | |
54 | IPSEC_VALID_MODES="gre-transport tunnel vti" | |
ab589039 | 55 | IPSEC_VALID_AUTH_MODES="PSK" |
917a1aa0 | 56 | |
2da98f56 MT |
57 | cli_ipsec() { |
58 | local action=${1} | |
59 | shift 1 | |
60 | ||
61 | case "${action}" in | |
62 | connection) | |
2212045f | 63 | cli_ipsec_connection "$@" |
2da98f56 | 64 | ;; |
7c623df2 | 65 | pool) |
2212045f | 66 | cli_ipsec_pool "$@" |
7c623df2 | 67 | ;; |
2da98f56 MT |
68 | *) |
69 | error "Unrecognized argument: ${action}" | |
70 | exit ${EXIT_ERROR} | |
71 | ;; | |
72 | esac | |
73 | } | |
74 | ||
75 | cli_ipsec_connection() { | |
76 | if ipsec_connection_exists ${1}; then | |
77 | local connection=${1} | |
78 | local key=${2} | |
79 | key=${key//-/_} | |
80 | shift 2 | |
81 | ||
82 | case "${key}" in | |
96fdb077 | 83 | authentication|down|disable|dpd|enable|inactivity_timeout|local|mode|peer|pool|remote|security_policy|start_action|up) |
2212045f | 84 | ipsec_connection_${key} ${connection} "$@" |
2da98f56 | 85 | ;; |
c1e76e97 MT |
86 | show) |
87 | cli_ipsec_connection_show "${connection}" | |
88 | exit $? | |
89 | ;; | |
2da98f56 MT |
90 | *) |
91 | error "Unrecognized argument: ${key}" | |
92 | exit ${EXIT_ERROR} | |
93 | ;; | |
94 | esac | |
95 | else | |
96 | local action=${1} | |
97 | shift | |
98 | ||
99 | case "${action}" in | |
100 | new) | |
2212045f | 101 | ipsec_connection_new "$@" |
2da98f56 MT |
102 | ;; |
103 | destroy) | |
2212045f | 104 | cli_ipsec_connection_destroy "$@" |
2da98f56 MT |
105 | ;; |
106 | ""|*) | |
107 | if [ -n "${action}" ]; then | |
108 | error "Unrecognized argument: '${action}'" | |
109 | fi | |
110 | exit ${EXIT_ERROR} | |
111 | ;; | |
112 | esac | |
113 | fi | |
114 | } | |
115 | ||
fa33d830 MT |
116 | cli_ipsec_connection_destroy() { |
117 | local connection="${1}" | |
118 | ||
119 | if ! ipsec_connection_destroy "${connection}"; then | |
120 | return ${EXIT_ERROR} | |
121 | fi | |
122 | ||
123 | # Inform strongswan about the changes | |
124 | ipsec_strongswan_load | |
125 | ||
126 | # Configure strongswan autostart | |
127 | ipsec_strongswan_autostart | |
128 | } | |
129 | ||
c1e76e97 MT |
130 | cli_ipsec_connection_show() { |
131 | local connection="${1}" | |
132 | ||
133 | # Read the config settings | |
134 | local ${IPSEC_CONNECTION_CONFIG_SETTINGS} | |
135 | if ! ipsec_connection_read_config "${connection}"; then | |
136 | error "Could not read the connection configuration" | |
137 | return ${EXIT_ERROR} | |
138 | fi | |
139 | ||
140 | cli_headline 0 "IPsec VPN Connection: ${connection}" | |
141 | cli_space | |
142 | ||
143 | # Peer | |
144 | if isset PEER; then | |
145 | cli_print_fmt1 1 "Peer" "${PEER}" | |
146 | fi | |
147 | ||
148 | # Security Policy | |
149 | cli_print_fmt1 1 "Security Policy" "${SECURITY_POLICY-${IPSEC_DEFAULT_SECURITY_POLICY}}" | |
150 | cli_space | |
151 | ||
152 | cli_headline 2 "Authentication" | |
153 | case "${AUTH_MODE^^}" in | |
154 | PSK) | |
155 | cli_print_fmt1 2 "Mode" "Pre-Shared-Key" | |
156 | ||
157 | if isset PSK; then | |
158 | cli_print_fmt1 2 "Pre-Shared-Key" "****" | |
159 | else | |
160 | cli_print_fmt1 2 "Pre-Shared-Key" "- is not set -" | |
161 | fi | |
162 | ;; | |
163 | X509) | |
164 | : # TODO | |
165 | ;; | |
166 | esac | |
167 | cli_space | |
168 | ||
169 | local i | |
170 | for i in LOCAL REMOTE; do | |
171 | case "${i}" in | |
172 | LOCAL) | |
173 | cli_headline 2 "Local" | |
174 | ;; | |
175 | REMOTE) | |
176 | cli_headline 2 "Remote" | |
177 | ;; | |
178 | esac | |
179 | ||
180 | local id_var="${i}_ID" | |
181 | if [ -n "${!id_var}" ]; then | |
182 | cli_print_fmt1 2 "ID" "${!id_var}" | |
183 | fi | |
184 | ||
185 | local prefix_var="${i}_PREFIX" | |
186 | if isset ${prefix_var}; then | |
187 | cli_headline 3 "Prefix(es)" | |
188 | ||
189 | local prefix | |
190 | for prefix in ${!prefix_var}; do | |
191 | cli_print_fmt1 3 "${prefix}" | |
192 | done | |
193 | fi | |
194 | ||
195 | cli_space | |
196 | done | |
197 | ||
198 | cli_headline 2 "Misc." | |
199 | ||
200 | case "${MODE}" in | |
201 | gre-transport) | |
202 | cli_print_fmt1 2 "Transport Mode" "GRE Transport" | |
203 | ;; | |
204 | tunnel) | |
205 | cli_print_fmt1 2 "Transport Mode" "Tunnel" | |
206 | ;; | |
207 | vti) | |
208 | cli_print_fmt1 2 "Transport Mode" "Virtual Tunnel Interface" | |
209 | ;; | |
210 | *) | |
211 | cli_print_fmt1 2 "Transport Mode" "- Unknown -" | |
212 | ;; | |
213 | esac | |
214 | ||
215 | # Inactivity timeout | |
216 | if isset INACTIVITY_TIMEOUT && [ ${INACTIVITY_TIMEOUT} -gt 0 ]; then | |
217 | cli_print_fmt1 2 "Inactivity Timeout" "$(format_time ${INACTIVITY_TIMEOUT})" | |
218 | fi | |
219 | cli_space | |
220 | ||
221 | return ${EXIT_OK} | |
222 | } | |
223 | ||
5601f4f5 JS |
224 | ipsec_connection_disable() { |
225 | local connection=${1} | |
226 | ||
227 | if ! ipsec_connection_write_config_key "${connection}" "ENABLED" "false"; then | |
228 | log ERROR "Could not write configuration settings" | |
229 | return ${EXIT_ERROR} | |
230 | fi | |
231 | ||
c3f31173 MT |
232 | # Configure strongswan autostart |
233 | ipsec_strongswan_autostart | |
5601f4f5 JS |
234 | } |
235 | ||
236 | ipsec_connection_enable() { | |
237 | local connection=${1} | |
238 | ||
239 | if ! ipsec_connection_write_config_key "${connection}" "ENABLED" "true"; then | |
240 | log ERROR "Could not write configuration settings" | |
241 | return ${EXIT_ERROR} | |
242 | fi | |
243 | ||
c3f31173 MT |
244 | # Configure strongswan autostart |
245 | ipsec_strongswan_autostart | |
5601f4f5 JS |
246 | } |
247 | ||
917a1aa0 JS |
248 | # This function writes all values to a via ${connection} specificated VPN IPsec configuration file |
249 | ipsec_connection_write_config() { | |
250 | assert [ $# -ge 1 ] | |
251 | ||
252 | local connection="${1}" | |
253 | ||
254 | if ! ipsec_connection_exists "${connection}"; then | |
255 | log ERROR "No such VPN IPsec connection: ${connection}" | |
256 | return ${EXIT_ERROR} | |
257 | fi | |
258 | ||
cf8685a1 | 259 | local path="${NETWORK_IPSEC_CONNS_DIR}/${connection}/settings" |
917a1aa0 JS |
260 | |
261 | if ! settings_write "${path}" ${IPSEC_CONNECTION_CONFIG_SETTINGS}; then | |
262 | log ERROR "Could not write configuration settings for VPN IPsec connection ${connection}" | |
263 | return ${EXIT_ERROR} | |
264 | fi | |
265 | ||
266 | ipsec_reload ${connection} | |
267 | } | |
268 | ||
269 | # This funtion writes the value for one key to a via ${connection} specificated VPN IPsec connection configuration file | |
270 | ipsec_connection_write_config_key() { | |
271 | assert [ $# -ge 3 ] | |
272 | ||
273 | local connection=${1} | |
274 | local key=${2} | |
275 | shift 2 | |
276 | ||
277 | local value="$@" | |
278 | ||
279 | if ! ipsec_connection_exists "${connection}"; then | |
280 | log ERROR "No such VPN ipsec connection: ${connection}" | |
281 | return ${EXIT_ERROR} | |
282 | fi | |
283 | ||
284 | log DEBUG "Set '${key}' to new value '${value}' in VPN ipsec connection '${connection}'" | |
285 | ||
286 | local ${IPSEC_CONNECTION_CONFIG_SETTINGS} | |
287 | ||
288 | # Read the config settings | |
289 | if ! ipsec_connection_read_config "${connection}"; then | |
290 | return ${EXIT_ERROR} | |
291 | fi | |
292 | ||
293 | # Set the key to a new value | |
294 | assign "${key}" "${value}" | |
295 | ||
296 | if ! ipsec_connection_write_config "${connection}"; then | |
297 | return ${EXIT_ERROR} | |
298 | fi | |
299 | ||
300 | return ${EXIT_TRUE} | |
301 | } | |
302 | ||
303 | # Reads one or more keys out of a settings file or all if no key is provided. | |
304 | ipsec_connection_read_config() { | |
305 | assert [ $# -ge 1 ] | |
306 | ||
307 | local connection="${1}" | |
308 | shift 1 | |
309 | ||
310 | if ! ipsec_connection_exists "${connection}"; then | |
311 | log ERROR "No such VPN IPsec connection : ${connection}" | |
312 | return ${EXIT_ERROR} | |
313 | fi | |
314 | ||
315 | ||
316 | local args | |
317 | if [ $# -eq 0 ] && [ -n "${IPSEC_CONNECTION_CONFIG_SETTINGS}" ]; then | |
318 | list_append args ${IPSEC_CONNECTION_CONFIG_SETTINGS} | |
319 | else | |
2212045f | 320 | list_append args "$@" |
917a1aa0 JS |
321 | fi |
322 | ||
cf8685a1 | 323 | local path="${NETWORK_IPSEC_CONNS_DIR}/${connection}/settings" |
917a1aa0 JS |
324 | |
325 | if ! settings_read "${path}" ${args}; then | |
326 | log ERROR "Could not read settings for VPN IPsec connection ${connection}" | |
327 | return ${EXIT_ERROR} | |
328 | fi | |
329 | } | |
330 | ||
917a1aa0 JS |
331 | # This function checks if a vpn ipsec connection exists |
332 | # Returns True when yes and false when not | |
333 | ipsec_connection_exists() { | |
334 | assert [ $# -eq 1 ] | |
335 | ||
336 | local connection=${1} | |
337 | ||
cf8685a1 | 338 | local path="${NETWORK_IPSEC_CONNS_DIR}/${connection}" |
917a1aa0 JS |
339 | |
340 | [ -d "${path}" ] && return ${EXIT_TRUE} || return ${EXIT_FALSE} | |
341 | } | |
342 | ||
c3f31173 MT |
343 | # Determines if strongswan should be automatically started |
344 | # when the system boots up. | |
345 | ipsec_strongswan_autostart() { | |
346 | local autostart_needed="false" | |
347 | ||
348 | local connection | |
349 | for connection in $(ipsec_list_connections); do | |
350 | local ENABLED | |
351 | ||
352 | if ! ipsec_connection_read_config "${connection}" "ENABLED"; then | |
353 | log WARNING "Could not read configuation" | |
354 | continue | |
355 | fi | |
356 | ||
357 | if enabled ENABLED; then | |
358 | autostart_needed="true" | |
359 | break | |
360 | fi | |
361 | done | |
362 | ||
363 | # Start strongswan when we need it and when it is not yet enabled | |
b863fe52 MT |
364 | if ${autostart_needed}; then |
365 | if ! service_is_enabled "strongswan"; then | |
366 | service_enable "strongswan" | |
367 | fi | |
368 | ||
369 | if ! service_is_active "strongswan"; then | |
370 | service_start "strongswan" | |
371 | fi | |
c3f31173 MT |
372 | |
373 | # Disable strongswan when we do not need it but it is enabled | |
b863fe52 MT |
374 | elif ! ${autostart_needed}; then |
375 | if service_is_enabled "strongswan"; then | |
376 | service_disable "strongswan" | |
377 | fi | |
378 | ||
379 | if service_is_active "strongswan"; then | |
380 | service_stop "strongswan" | |
381 | fi | |
c3f31173 MT |
382 | fi |
383 | } | |
384 | ||
f0e91d26 | 385 | ipsec_strongswan_load() { |
7fc57ebc MT |
386 | # Do nothing if strongswan is not running |
387 | if ! service_is_active "strongswan"; then | |
388 | return ${EXIT_OK} | |
389 | fi | |
390 | ||
f0e91d26 JS |
391 | if ! cmd swanctl --load-all; then |
392 | log ERROR "Could not reload strongswan config" | |
393 | return ${EXIT_ERROR} | |
394 | fi | |
395 | } | |
396 | ||
917a1aa0 JS |
397 | # Reloads the connection after config changes |
398 | ipsec_reload() { | |
39d87f20 JS |
399 | local connection=${1} |
400 | ||
5601f4f5 JS |
401 | local ENABLED |
402 | ||
403 | if ! ipsec_connection_read_config "${connection}" "ENABLED"; then | |
404 | log ERROR "Could not read configuration for IPsec connection ${connection}" | |
39d87f20 JS |
405 | return ${EXIT_ERROR} |
406 | fi | |
407 | ||
471f16bc | 408 | if enabled ENABLED; then |
5601f4f5 JS |
409 | if ! ipsec_connection_to_strongswan ${connection}; then |
410 | log ERROR "Could not generate strongswan config for ${connnection}" | |
411 | return ${EXIT_ERROR} | |
412 | fi | |
413 | else | |
ad482897 | 414 | log DEBUG "Deleting strongswan config ${NETWORK_IPSEC_SWANCTL_CONNECTIONS_DIR}/${connection}.conf" |
5601f4f5 JS |
415 | unlink "${NETWORK_IPSEC_SWANCTL_CONNECTIONS_DIR}/${connection}.conf" |
416 | fi | |
417 | ||
f0e91d26 | 418 | ipsec_strongswan_load |
917a1aa0 JS |
419 | } |
420 | ||
421 | # Handle the cli after authentification | |
422 | ipsec_connection_authentication() { | |
423 | if [ ! $# -gt 1 ]; then | |
424 | log ERROR "Not enough arguments" | |
425 | return ${EXIT_ERROR} | |
426 | fi | |
427 | ||
428 | local connection=${1} | |
429 | local cmd=${2} | |
430 | shift 2 | |
431 | ||
432 | case ${cmd} in | |
433 | mode) | |
2212045f | 434 | ipsec_connection_authentication_mode "${connection}" "$@" |
917a1aa0 JS |
435 | ;; |
436 | pre-shared-key) | |
2212045f | 437 | ipsec_connection_authentication_psk "${connection}" "$@" |
917a1aa0 JS |
438 | ;; |
439 | *) | |
440 | log ERROR "Unrecognized argument: ${cmd}" | |
441 | return ${EXIT_ERROR} | |
442 | ;; | |
443 | esac | |
444 | } | |
445 | ||
446 | # Set the authentification mode | |
447 | ipsec_connection_authentication_mode() { | |
448 | if [ ! $# -eq 2 ]; then | |
449 | log ERROR "Not enough arguments" | |
450 | return ${EXIT_ERROR} | |
451 | fi | |
452 | local connection=${1} | |
453 | local mode=${2} | |
454 | ||
455 | if ! isoneof mode ${IPSEC_VALID_AUTH_MODES}; then | |
456 | log ERROR "Auth mode '${mode}' is invalid" | |
457 | return ${EXIT_ERROR} | |
458 | fi | |
459 | ||
ab589039 | 460 | if ! ipsec_connection_write_config_key "${connection}" "AUTH_MODE" ${mode^^}; then |
917a1aa0 JS |
461 | log ERROR "Could not write configuration settings" |
462 | return ${EXIT_ERROR} | |
463 | fi | |
464 | } | |
465 | ||
466 | # Set the psk | |
467 | ipsec_connection_authentication_psk() { | |
db491d1d | 468 | if [ ! $# -eq 2 ]; then |
917a1aa0 JS |
469 | log ERROR "Not enough arguments" |
470 | return ${EXIT_ERROR} | |
471 | fi | |
1bfc4f56 | 472 | |
917a1aa0 JS |
473 | local connection=${1} |
474 | local psk=${2} | |
475 | ||
1bfc4f56 MT |
476 | local length=${#psk} |
477 | ||
478 | if [ ${length} -lt 4 ]; then | |
479 | error "The PSK must be longer than four characters" | |
480 | return ${EXIT_ERROR} | |
481 | fi | |
482 | ||
483 | if [ ${length} -gt 128 ]; then | |
484 | error "The PSK cannot be longer than 128 characters" | |
485 | return ${EXIT_ERROR} | |
486 | fi | |
917a1aa0 | 487 | |
1bfc4f56 | 488 | if ! ipsec_connection_write_config_key "${connection}" "PSK" "${psk}"; then |
917a1aa0 JS |
489 | log ERROR "Could not write configuration settings" |
490 | return ${EXIT_ERROR} | |
491 | fi | |
492 | ||
493 | return ${EXIT_OK} | |
494 | } | |
495 | ||
3cde31b9 MT |
496 | ipsec_connection_up() { |
497 | local connection="${1}" | |
498 | ||
499 | if ! ipsec_connection_exists "${connection}"; then | |
500 | error "No such VPN IPsec connection: ${connection}" | |
501 | return ${EXIT_ERROR} | |
502 | fi | |
503 | ||
504 | cmd swanctl --initiate --child "${connection}" | |
505 | } | |
506 | ||
507 | ipsec_connection_down() { | |
508 | local connection="${1}" | |
509 | ||
510 | if ! ipsec_connection_exists "${connection}"; then | |
511 | error "No such VPN IPsec connection: ${connection}" | |
512 | return ${EXIT_ERROR} | |
513 | fi | |
514 | ||
515 | cmd swanctl --terminate --ike "${connection}" | |
516 | } | |
bb9fccaf JS |
517 | |
518 | # Handle the cli after authentification | |
519 | ipsec_connection_dpd() { | |
520 | if [ ! $# -gt 1 ]; then | |
521 | log ERROR "Not enough arguments" | |
522 | return ${EXIT_ERROR} | |
523 | fi | |
524 | ||
525 | local connection=${1} | |
526 | local cmd=${2} | |
527 | shift 2 | |
528 | ||
529 | case ${cmd} in | |
530 | action) | |
2212045f | 531 | ipsec_connection_dpd_action "${connection}" "$@" |
bb9fccaf JS |
532 | ;; |
533 | delay) | |
2212045f | 534 | ipsec_connection_dpd_delay "${connection}" "$@" |
bb9fccaf JS |
535 | ;; |
536 | timeout) | |
2212045f | 537 | ipsec_connection_dpd_timeout "${connection}" "$@" |
bb9fccaf JS |
538 | ;; |
539 | *) | |
540 | log ERROR "Unrecognized argument: ${cmd}" | |
541 | return ${EXIT_ERROR} | |
542 | ;; | |
543 | esac | |
544 | } | |
545 | ||
546 | # Set the default dpd action | |
547 | ipsec_connection_dpd_action() { | |
548 | if [ ! $# -eq 2 ]; then | |
549 | log ERROR "Not enough arguments" | |
550 | return ${EXIT_ERROR} | |
551 | fi | |
552 | local connection=${1} | |
553 | local action=${2} | |
554 | ||
555 | if ! isoneof action "restart" "clear"; then | |
556 | log ERROR "dpd action '${action}' is invalid" | |
557 | return ${EXIT_ERROR} | |
558 | fi | |
559 | ||
560 | if ! ipsec_connection_write_config_key "${connection}" "DPD_ACTION" ${action}; then | |
561 | log ERROR "Could not write configuration settings" | |
562 | return ${EXIT_ERROR} | |
563 | fi | |
564 | } | |
565 | ||
566 | # Set the dpd delay | |
567 | ipsec_connection_dpd_delay() { | |
568 | if [ ! $# -ge 2 ]; then | |
569 | log ERROR "Not enough arguments" | |
570 | return ${EXIT_ERROR} | |
571 | fi | |
572 | ||
573 | local connection=${1} | |
574 | shift 1 | |
575 | local value=$@ | |
576 | ||
577 | if ! isinteger value; then | |
2212045f | 578 | value=$(parse_time "$@") |
bb9fccaf JS |
579 | if [ ! $? -eq 0 ]; then |
580 | log ERROR "Parsing the passed time was not sucessful please check the passed values." | |
581 | return ${EXIT_ERROR} | |
582 | fi | |
583 | fi | |
584 | ||
585 | if [ ${value} -lt 0 ]; then | |
586 | log ERROR "The passed time value must be in the sum greater or equal zero seconds." | |
587 | return ${EXIT_ERROR} | |
588 | fi | |
589 | ||
590 | if ! ipsec_connection_write_config_key "${connection}" "DPD_DELAY" ${value}; then | |
591 | log ERROR "Could not write configuration settings" | |
592 | return ${EXIT_ERROR} | |
593 | fi | |
594 | ||
595 | return ${EXIT_OK} | |
596 | } | |
597 | ||
598 | # Set the dpd timeout | |
599 | ipsec_connection_dpd_timeout() { | |
600 | if [ ! $# -ge 2 ]; then | |
601 | log ERROR "Not enough arguments" | |
602 | return ${EXIT_ERROR} | |
603 | fi | |
604 | ||
605 | local connection=${1} | |
606 | shift 1 | |
607 | local value=$@ | |
608 | ||
609 | if ! isinteger value; then | |
2212045f | 610 | value=$(parse_time "$@") |
bb9fccaf JS |
611 | if [ ! $? -eq 0 ]; then |
612 | log ERROR "Parsing the passed time was not sucessful please check the passed values." | |
613 | return ${EXIT_ERROR} | |
614 | fi | |
615 | fi | |
616 | ||
617 | if [ ${value} -le 0 ]; then | |
618 | log ERROR "The passed time value must be in the sum greater or equal zero seconds." | |
619 | return ${EXIT_ERROR} | |
620 | fi | |
621 | ||
622 | if ! ipsec_connection_write_config_key "${connection}" "DPD_TIMEOUT" ${value}; then | |
623 | log ERROR "Could not write configuration settings" | |
624 | return ${EXIT_ERROR} | |
625 | fi | |
626 | ||
627 | return ${EXIT_OK} | |
628 | } | |
629 | ||
917a1aa0 JS |
630 | # Handle the cli after local |
631 | ipsec_connection_local() { | |
632 | if [ ! $# -ge 2 ]; then | |
633 | log ERROR "Not enough arguments" | |
634 | return ${EXIT_ERROR} | |
635 | fi | |
636 | ||
637 | local connection=${1} | |
638 | local cmd=${2} | |
639 | shift 2 | |
640 | ||
641 | case ${cmd} in | |
bb9fccaf | 642 | address) |
2212045f | 643 | ipsec_connection_local_address "${connection}" "$@" |
bb9fccaf | 644 | ;; |
917a1aa0 | 645 | id) |
2212045f | 646 | ipsec_connection_id "${connection}" "LOCAL" "$@" |
917a1aa0 JS |
647 | ;; |
648 | prefix) | |
2212045f | 649 | ipsec_connection_prefix "${connection}" "LOCAL" "$@" |
917a1aa0 JS |
650 | ;; |
651 | *) | |
652 | log ERROR "Unrecognized argument: ${cmd}" | |
653 | return ${EXIT_ERROR} | |
654 | ;; | |
655 | esac | |
656 | ||
657 | return ${EXIT_OK} | |
658 | } | |
659 | ||
660 | # Set the connection mode | |
661 | ipsec_connection_mode() { | |
5bdbc2ee | 662 | if [ ! $# -eq 2 ]; then |
917a1aa0 JS |
663 | log ERROR "Not enough arguments" |
664 | return ${EXIT_ERROR} | |
665 | fi | |
666 | local connection=${1} | |
667 | local mode=${2} | |
668 | ||
669 | if ! isoneof mode ${IPSEC_VALID_MODES}; then | |
670 | log ERROR "Mode '${mode}' is invalid" | |
671 | return ${EXIT_ERROR} | |
672 | fi | |
673 | ||
674 | if ! ipsec_connection_write_config_key "${connection}" "MODE" ${mode}; then | |
675 | log ERROR "Could not write configuration settings" | |
676 | return ${EXIT_ERROR} | |
677 | fi | |
678 | ||
679 | return ${EXIT_OK} | |
680 | } | |
681 | ||
bb9fccaf JS |
682 | # Set the local address |
683 | ipsec_connection_local_address() { | |
684 | if [ ! $# -eq 2 ]; then | |
685 | log ERROR "Not enough arguments" | |
686 | return ${EXIT_ERROR} | |
687 | fi | |
688 | local connection=${1} | |
689 | local local_address=${2} | |
690 | ||
691 | if ! ipsec_connection_check_peer ${local_address}; then | |
692 | log ERROR "Local address '${local_address}' is invalid" | |
693 | return ${EXIT_ERROR} | |
694 | fi | |
695 | ||
696 | if ! ipsec_connection_write_config_key "${connection}" "LOCAL_ADDRESS" ${local_address}; then | |
697 | log ERROR "Could not write configuration settings" | |
698 | return ${EXIT_ERROR} | |
699 | fi | |
700 | ||
701 | return ${EXIT_OK} | |
702 | } | |
703 | ||
917a1aa0 JS |
704 | # Set the peer to connect to |
705 | ipsec_connection_peer() { | |
0b962a64 | 706 | if [ ! $# -eq 2 ]; then |
917a1aa0 JS |
707 | log ERROR "Not enough arguments" |
708 | return ${EXIT_ERROR} | |
709 | fi | |
710 | local connection=${1} | |
711 | local peer=${2} | |
712 | ||
713 | if ! ipsec_connection_check_peer ${peer}; then | |
714 | log ERROR "Peer '${peer}' is invalid" | |
715 | return ${EXIT_ERROR} | |
716 | fi | |
717 | ||
718 | if ! ipsec_connection_write_config_key "${connection}" "PEER" ${peer}; then | |
719 | log ERROR "Could not write configuration settings" | |
720 | return ${EXIT_ERROR} | |
721 | fi | |
722 | ||
723 | return ${EXIT_OK} | |
724 | } | |
725 | ||
726 | #Set the local or remote id | |
727 | ipsec_connection_id() { | |
728 | if [ ! $# -eq 3 ]; then | |
729 | log ERROR "Not enough arguments" | |
730 | return ${EXIT_ERROR} | |
731 | fi | |
732 | local connection=${1} | |
733 | local type=${2} | |
734 | local id=${3} | |
735 | ||
736 | if ! ipsec_connection_check_id ${id}; then | |
737 | log ERROR "Id '${id}' is invalid" | |
738 | return ${EXIT_ERROR} | |
739 | fi | |
aaa72eef | 740 | |
917a1aa0 JS |
741 | if ! ipsec_connection_write_config_key "${connection}" "${type}_ID" ${id}; then |
742 | log ERROR "Could not write configuration settings" | |
743 | return ${EXIT_ERROR} | |
744 | fi | |
aaa72eef | 745 | |
917a1aa0 JS |
746 | return ${EXIT_OK} |
747 | } | |
748 | ||
aaa72eef | 749 | # Set the local or remote prefix |
917a1aa0 JS |
750 | ipsec_connection_prefix() { |
751 | if [ ! $# -ge 3 ]; then | |
752 | log ERROR "Not enough arguments" | |
753 | return ${EXIT_ERROR} | |
754 | fi | |
755 | local connection=${1} | |
756 | local type=${2} | |
757 | shift 2 | |
aaa72eef | 758 | |
917a1aa0 JS |
759 | local _prefix="${type}_PREFIX" |
760 | local "${_prefix}" | |
761 | if ! ipsec_connection_read_config "${connection}" "${_prefix}"; then | |
762 | return ${EXIT_ERROR} | |
763 | fi | |
764 | ||
765 | # Remove duplicated entries to proceed the list safely | |
766 | assign "${_prefix}" "$(list_unique ${!_prefix} )" | |
767 | ||
768 | local prefixes_added | |
769 | local prefixes_removed | |
770 | local prefixes_set | |
771 | ||
772 | while [ $# -gt 0 ]; do | |
773 | local arg="${1}" | |
774 | ||
775 | case "${arg}" in | |
776 | +*) | |
777 | list_append prefixes_added "${arg:1}" | |
778 | ;; | |
779 | -*) | |
780 | list_append prefixes_removed "${arg:1}" | |
781 | ;; | |
782 | [A-Fa-f0-9]*) | |
783 | list_append prefixes_set "${arg}" | |
784 | ;; | |
785 | *) | |
786 | error "Invalid argument: ${arg}" | |
787 | return ${EXIT_ERROR} | |
788 | ;; | |
789 | esac | |
790 | shift | |
791 | done | |
792 | ||
793 | # Check if the user is trying a mixed operation | |
794 | if ! list_is_empty prefixes_set && (! list_is_empty prefixes_added || ! list_is_empty prefixes_removed); then | |
795 | error "You cannot reset the prefix list and add or remove prefixes at the same time" | |
796 | return ${EXIT_ERROR} | |
797 | fi | |
798 | ||
799 | # Set new prefix list | |
800 | if ! list_is_empty prefixes_set; then | |
801 | # Check if all prefixes are valid | |
802 | local prefix | |
803 | for prefix in ${prefixes_set}; do | |
804 | if ! ip_net_is_valid ${prefix}; then | |
805 | error "Unsupported prefix: ${prefix}" | |
806 | return ${EXIT_ERROR} | |
807 | fi | |
808 | done | |
809 | ||
810 | assign "${_prefix}" "${prefixes_set}" | |
811 | ||
812 | # Perform incremental updates | |
813 | else | |
814 | local prefix | |
815 | ||
816 | # Perform all removals | |
817 | for prefix in ${prefixes_removed}; do | |
818 | if ! list_remove "${_prefix}" ${prefix}; then | |
819 | warning "${prefix} was not on the list and could not be removed" | |
820 | fi | |
821 | done | |
822 | ||
823 | ||
824 | for prefix in ${prefixes_added}; do | |
825 | if ip_net_is_valid ${prefix}; then | |
826 | if ! list_append_unique "${_prefix}" ${prefix}; then | |
827 | warning "${prefix} is already on the prefix list" | |
828 | fi | |
829 | else | |
f03f29b7 | 830 | warning "${prefix} is not a valid IP network and could not be added" |
917a1aa0 JS |
831 | fi |
832 | done | |
833 | fi | |
834 | ||
835 | # Check if the list contain at least one valid prefix | |
836 | if list_is_empty ${_prefix}; then | |
837 | error "Cannot save an empty prefix list" | |
838 | return ${EXIT_ERROR} | |
839 | fi | |
840 | ||
841 | # Save everything | |
842 | if ! ipsec_connection_write_config_key "${connection}" "${_prefix}" ${!_prefix}; then | |
843 | log ERROR "Could not write configuration settings" | |
844 | fi | |
845 | ||
846 | return ${EXIT_OK} | |
847 | } | |
848 | ||
96fdb077 JS |
849 | # Set the pools to use |
850 | ipsec_connection_pool() { | |
851 | if [ ! $# -ge 2 ]; then | |
852 | log ERROR "Not enough arguments" | |
853 | return ${EXIT_ERROR} | |
854 | fi | |
855 | local connection=${1} | |
856 | shift | |
857 | ||
858 | local POOLS | |
859 | if ! ipsec_connection_read_config "${connection}" "POOLS"; then | |
860 | return ${EXIT_ERROR} | |
861 | fi | |
862 | ||
863 | # Remove duplicated entries to proceed the list safely | |
864 | assign "POOLS" "$(list_unique ${POOLS})" | |
865 | ||
866 | local pools_added | |
867 | local pools_removed | |
868 | local pools_set | |
869 | ||
870 | while [ $# -gt 0 ]; do | |
871 | local arg="${1}" | |
872 | ||
873 | case "${arg}" in | |
874 | +*) | |
875 | list_append pools_added "${arg:1}" | |
876 | ;; | |
877 | -*) | |
878 | list_append pools_removed "${arg:1}" | |
879 | ;; | |
880 | [A-Za-z0-9]*) | |
881 | list_append pools_set "${arg}" | |
882 | ;; | |
883 | *) | |
884 | error "Invalid argument: ${arg}" | |
885 | return ${EXIT_ERROR} | |
886 | ;; | |
887 | esac | |
888 | shift | |
889 | done | |
890 | ||
891 | # Check if the user is trying a mixed operation | |
892 | if ! list_is_empty pools_set && (! list_is_empty pools_added || ! list_is_empty pools_removed); then | |
893 | error "You cannot reset the pools list and add or remove pools at the same time" | |
894 | return ${EXIT_ERROR} | |
895 | fi | |
896 | ||
897 | # Set new pools list | |
898 | if ! list_is_empty pools_set; then | |
899 | # Check if all pools are valid | |
900 | local pool | |
901 | for pool in ${pools_set}; do | |
902 | if ! ipsec_pool_exists ${pool} || ! ipsec_pool_check_config ${pool}; then | |
903 | error "Pool ${pool} is not valid" | |
904 | return ${EXIT_ERROR} | |
905 | fi | |
906 | done | |
907 | ||
908 | assign "POOLS" "${pools_set}" | |
909 | ||
910 | # Perform incremental updates | |
911 | else | |
912 | local pool | |
913 | ||
914 | # Perform all removals | |
915 | for pool in ${pools_removed}; do | |
916 | if ! list_remove "POOLS" ${pool}; then | |
917 | warning "${pool} was not on the list and could not be removed" | |
918 | fi | |
919 | done | |
920 | ||
921 | ||
922 | for pool in ${pools_added}; do | |
beb0ebbb | 923 | if ipsec_pool_exists ${pool} && ipsec_pool_check_config ${pool}; then |
96fdb077 JS |
924 | if ! list_append_unique "POOLS" ${pool}; then |
925 | warning "${pool} is already on the prefix list" | |
926 | fi | |
927 | else | |
928 | warning "${pool} is not a valid pool" | |
929 | fi | |
930 | done | |
931 | fi | |
932 | ||
933 | # Check if the list contain at least one valid pool | |
934 | if list_is_empty POOLS; then | |
935 | error "Cannot save an empty pool list" | |
936 | return ${EXIT_ERROR} | |
937 | fi | |
938 | ||
939 | # Save everything | |
940 | if ! ipsec_connection_write_config_key "${connection}" "POOLS" ${POOLS}; then | |
941 | log ERROR "Could not write configuration settings" | |
942 | fi | |
943 | ||
944 | return ${EXIT_OK} | |
945 | } | |
946 | ||
917a1aa0 JS |
947 | # Handle the cli after remote |
948 | ipsec_connection_remote() { | |
949 | if [ ! $# -ge 2 ]; then | |
950 | log ERROR "Not enough arguments" | |
951 | return ${EXIT_ERROR} | |
952 | fi | |
953 | ||
954 | local connection=${1} | |
955 | local cmd=${2} | |
956 | shift 2 | |
957 | ||
958 | case ${cmd} in | |
959 | id) | |
2212045f | 960 | ipsec_connection_id "${connection}" "REMOTE" "$@" |
917a1aa0 JS |
961 | ;; |
962 | ||
963 | prefix) | |
2212045f | 964 | ipsec_connection_prefix "${connection}" "REMOTE" "$@" |
917a1aa0 JS |
965 | ;; |
966 | *) | |
967 | log ERROR "Unrecognized argument: ${cmd}" | |
968 | return ${EXIT_ERROR} | |
969 | ;; | |
970 | esac | |
971 | ||
972 | return ${EXIT_OK} | |
973 | } | |
974 | ||
975 | # Set the inactivity timeout | |
976 | ipsec_connection_inactivity_timeout() { | |
977 | if [ ! $# -ge 2 ]; then | |
978 | log ERROR "Not enough arguments" | |
979 | return ${EXIT_ERROR} | |
980 | fi | |
981 | ||
982 | local connection=${1} | |
983 | shift 1 | |
984 | local value=$@ | |
985 | ||
986 | if ! isinteger value; then | |
2212045f | 987 | value=$(parse_time "$@") |
917a1aa0 JS |
988 | if [ ! $? -eq 0 ]; then |
989 | log ERROR "Parsing the passed time was not sucessful please check the passed values." | |
990 | return ${EXIT_ERROR} | |
991 | fi | |
992 | fi | |
993 | ||
994 | if [ ${value} -le 0 ]; then | |
995 | log ERROR "The passed time value must be in the sum greater zero seconds." | |
996 | return ${EXIT_ERROR} | |
997 | fi | |
998 | ||
999 | if ! ipsec_connection_write_config_key "${connection}" "INACTIVITY_TIMEOUT" ${value}; then | |
1000 | log ERROR "Could not write configuration settings" | |
1001 | return ${EXIT_ERROR} | |
1002 | fi | |
1003 | ||
1004 | return ${EXIT_OK} | |
1005 | } | |
1006 | ||
bb9fccaf JS |
1007 | # Set the default start action |
1008 | ipsec_connection_start_action() { | |
1009 | if [ ! $# -eq 2 ]; then | |
1010 | log ERROR "Not enough arguments" | |
1011 | return ${EXIT_ERROR} | |
1012 | fi | |
1013 | local connection=${1} | |
1014 | local action=${2} | |
1015 | ||
1016 | if ! isoneof action "on-demand" "always-on"; then | |
1017 | log ERROR "Start action '${action}' is invalid" | |
1018 | return ${EXIT_ERROR} | |
1019 | fi | |
1020 | ||
1021 | if ! ipsec_connection_write_config_key "${connection}" "START_ACTION" ${action}; then | |
1022 | log ERROR "Could not write configuration settings" | |
1023 | return ${EXIT_ERROR} | |
1024 | fi | |
1025 | } | |
917a1aa0 JS |
1026 | |
1027 | # Set the security policy to use | |
1028 | ipsec_connection_security_policy() { | |
1029 | if [ ! $# -eq 2 ]; then | |
1030 | log ERROR "Not enough arguments" | |
1031 | return ${EXIT_ERROR} | |
1032 | fi | |
1033 | local connection=${1} | |
1034 | local security_policy=${2} | |
1035 | ||
1036 | if ! vpn_security_policy_exists ${security_policy}; then | |
1037 | log ERROR "No such vpn security policy '${security_policy}'" | |
1038 | return ${EXIT_ERROR} | |
1039 | fi | |
1040 | ||
1041 | if ! ipsec_connection_write_config_key "${connection}" "SECURITY_POLICY" ${security_policy}; then | |
1042 | log ERROR "Could not write configuration settings" | |
1043 | return ${EXIT_ERROR} | |
1044 | fi | |
1045 | } | |
1046 | ||
1047 | # Check if a id is valid | |
1048 | ipsec_connection_check_id() { | |
1049 | assert [ $# -eq 1 ] | |
1050 | local id=${1} | |
1051 | ||
1052 | if [[ ${id} =~ ^@[[:alnum:]]+$ ]] || ip_is_valid ${id}; then | |
1053 | return ${EXIT_TRUE} | |
1054 | else | |
1055 | return ${EXIT_FALSE} | |
1056 | fi | |
1057 | } | |
1058 | ||
1059 | # Checks if a peer is valid | |
1060 | ipsec_connection_check_peer() { | |
1061 | assert [ $# -eq 1 ] | |
1062 | local peer=${1} | |
1063 | ||
1064 | # TODO Accept also FQDNs | |
1065 | if ip_is_valid ${peer}; then | |
1066 | return ${EXIT_TRUE} | |
1067 | else | |
1068 | return ${EXIT_FALSE} | |
1069 | fi | |
1070 | } | |
1071 | ||
1072 | # This function checks if a VPN IPsec connection name is valid | |
1073 | # Allowed are only A-Za-z0-9 | |
1074 | ipsec_connection_check_name() { | |
1075 | assert [ $# -eq 1 ] | |
1076 | ||
1077 | local connection=${1} | |
1078 | ||
1079 | [[ "${connection}" =~ [^[:alnum:]$] ]] | |
1080 | } | |
1081 | ||
1082 | # Function that creates one VPN IPsec connection | |
1083 | ipsec_connection_new() { | |
89d71d08 | 1084 | if [ $# -gt 2 ]; then |
917a1aa0 JS |
1085 | error "Too many arguments" |
1086 | return ${EXIT_ERROR} | |
1087 | fi | |
1088 | ||
1089 | local connection="${1}" | |
89d71d08 JS |
1090 | local type="${2}" |
1091 | ||
917a1aa0 JS |
1092 | if ! isset connection; then |
1093 | error "Please provide a connection name" | |
1094 | return ${EXIT_ERROR} | |
1095 | fi | |
1096 | ||
1097 | # Check for duplicates | |
1098 | if ipsec_connection_exists "${connection}"; then | |
1099 | error "The VPN IPsec connection ${connection} already exists" | |
1100 | return ${EXIT_ERROR} | |
1101 | fi | |
1102 | ||
1103 | # Check if the name of the connection is valid | |
1104 | if ipsec_connection_check_name "${connection}"; then | |
1105 | error "'${connection}' contains illegal characters" | |
1106 | return ${EXIT_ERROR} | |
1107 | fi | |
1108 | ||
89d71d08 JS |
1109 | # Set TYPE to default if not set by the user |
1110 | if ! isset type; then | |
1111 | type="${IPSEC_DEFAULT_TYPE}" | |
1112 | fi | |
1113 | ||
1114 | if ! isoneof "type" "net-to-net" "host-to-net"; then | |
1115 | error "Type is invalid" | |
1116 | return ${EXIT_ERROR} | |
1117 | fi | |
1118 | ||
917a1aa0 JS |
1119 | log DEBUG "Creating VPN IPsec connection ${connection}" |
1120 | ||
cf8685a1 | 1121 | if ! mkdir -p "${NETWORK_IPSEC_CONNS_DIR}/${connection}"; then |
917a1aa0 JS |
1122 | log ERROR "Could not create config directory for ${connection}" |
1123 | return ${EXIT_ERROR} | |
1124 | fi | |
1125 | ||
1126 | local ${IPSEC_CONNECTION_CONFIG_SETTINGS} | |
1127 | ||
917a1aa0 | 1128 | AUTH_MODE=${IPSEC_DEFAULT_AUTH_MODE} |
bb9fccaf JS |
1129 | DPD_ACTION=${IPSEC_DEFAULT_DPD_ACTION} |
1130 | DPD_DELAY=${IPSEC_DEFAULT_DPD_DELAY} | |
1131 | DPD_TIMEOUT=${IPSEC_DEFAULT_DPD_TIMEOUT} | |
5601f4f5 | 1132 | ENABLED=${IPSEC_DEFAULT_ENABLED} |
bb9fccaf JS |
1133 | MODE=${IPSEC_DEFAULT_MODE} |
1134 | START_ACTION=${IPSEC_DEFAULT_START_ACTION} | |
89d71d08 | 1135 | TYPE="${type}" |
bb9fccaf | 1136 | |
917a1aa0 JS |
1137 | INACTIVITY_TIMEOUT=${IPSEC_DEFAULT_INACTIVITY_TIMEOUT} |
1138 | SECURITY_POLICY=${IPSEC_DEFAULT_SECURITY_POLICY} | |
1139 | ||
1140 | if ! ipsec_connection_write_config "${connection}"; then | |
1141 | log ERROR "Could not write new config file" | |
1142 | return ${EXIT_ERROR} | |
1143 | fi | |
c3f31173 MT |
1144 | |
1145 | # Configure strongswan autostart | |
1146 | ipsec_strongswan_autostart | |
917a1aa0 JS |
1147 | } |
1148 | ||
1149 | # Function that deletes based on the passed parameters one ore more vpn security policies | |
1150 | ipsec_connection_destroy() { | |
1151 | local connection | |
2212045f | 1152 | for connection in "$@"; do |
917a1aa0 JS |
1153 | if ! ipsec_connection_exists "${connection}"; then |
1154 | log ERROR "The VPN IPsec connection ${connection} does not exist." | |
1155 | continue | |
1156 | fi | |
1157 | ||
1158 | log DEBUG "Deleting VPN IPsec connection ${connection}" | |
fa33d830 MT |
1159 | |
1160 | # Delete strongswan configuration file | |
1161 | file_delete "${NETWORK_IPSEC_SWANCTL_CONNECTIONS_DIR}/${connection}.conf" | |
1162 | ||
cf8685a1 | 1163 | if ! rm -rf "${NETWORK_IPSEC_CONNS_DIR}/${connection}"; then |
917a1aa0 JS |
1164 | log ERROR "Deleting the VPN IPsec connection ${connection} was not sucessful" |
1165 | return ${EXIT_ERROR} | |
1166 | fi | |
c3f31173 | 1167 | |
fa33d830 | 1168 | done |
917a1aa0 | 1169 | } |
d6c852b8 JS |
1170 | |
1171 | # List all ipsec connections | |
1172 | ipsec_list_connections() { | |
1173 | local connection | |
1174 | for connection in ${NETWORK_IPSEC_CONNS_DIR}/*; do | |
1175 | [ -d ${connection} ] || continue | |
1176 | basename ${connection} | |
1177 | done | |
1178 | } | |
67baa452 MT |
1179 | |
1180 | ipsec_connection_to_strongswan() { | |
1181 | local connection="${1}" | |
aaa72eef | 1182 | log DEBUG "Generating IPsec configuration for ${connection}" |
67baa452 MT |
1183 | |
1184 | # Read the config settings | |
1185 | local ${IPSEC_CONNECTION_CONFIG_SETTINGS} | |
1186 | if ! ipsec_connection_read_config "${connection}"; then | |
1187 | error "Could not read the connection ${connection}" | |
1188 | return ${EXIT_ERROR} | |
1189 | fi | |
1190 | ||
1191 | local path="${NETWORK_IPSEC_SWANCTL_CONNECTIONS_DIR}/${connection}.conf" | |
1192 | ||
1193 | ( | |
1194 | # Write the connection section | |
1195 | _ipsec_connection_to_strongswan_connection "${connection}" | |
1196 | ||
1197 | # Write the secrets section | |
1198 | _ipsec_connection_to_strongswan_secrets "${connection}" | |
1199 | ||
1200 | ) > ${path} | |
1201 | } | |
1202 | ||
1203 | _ipsec_connection_to_strongswan_connection() { | |
1204 | local connection="${1}" | |
1205 | ||
1206 | # Read the security policy | |
1207 | local ${VPN_SECURITY_POLICIES_CONFIG_SETTINGS} | |
1208 | if ! vpn_security_policies_read_config "${SECURITY_POLICY}"; then | |
1209 | return ${EXIT_ERROR} | |
1210 | fi | |
1211 | ||
4e271faa MT |
1212 | # Is DPD enabled? |
1213 | local dpd="false" | |
1214 | if isset DPD_DELAY && isinteger DPD_DELAY && [ ${DPD_DELAY} -gt 0 ]; then | |
1215 | dpd="true" | |
1216 | fi | |
1217 | ||
b21fb175 MT |
1218 | # Write configuration header |
1219 | config_header "strongSwan configuration for ${connection}" | |
1220 | ||
67baa452 MT |
1221 | print_indent 0 "connections {" |
1222 | print_indent 1 "${connection} {" | |
1223 | ||
1224 | # IKE Version | |
1225 | print_indent 2 "# IKE Version" | |
1226 | case "${KEY_EXCHANGE^^}" in | |
1227 | IKEV1) | |
1228 | print_indent 2 "version = 1" | |
1229 | ;; | |
1230 | ||
1231 | # Fall back to IKEv2 for any random values | |
1232 | IKEV2|*) | |
1233 | print_indent 2 "version = 2" | |
1234 | ;; | |
1235 | esac | |
1236 | print # empty line | |
1237 | ||
4609d6b4 MT |
1238 | # Always only keep one connection open at a time |
1239 | print_indent 2 "# Unique IDs" | |
1240 | print_indent 2 "unique = replace" | |
1241 | ||
1242 | ||
3e8ad776 MT |
1243 | # Local Address |
1244 | print_indent 2 "# Local Address" | |
1245 | if isset LOCAL_ADDRESS; then | |
1246 | print_indent 2 "local_addrs = ${LOCAL_ADDRESS}" | |
1247 | else | |
1248 | print_indent 2 "local_addrs = %any" | |
1249 | fi | |
1250 | ||
67baa452 MT |
1251 | |
1252 | # Remote Address | |
1253 | print_indent 2 "# Remote Address" | |
1254 | if isset PEER; then | |
1255 | print_indent 2 "remote_addrs = ${PEER}" | |
1256 | else | |
1257 | print_indent 2 "remote_addrs = %any" | |
1258 | fi | |
1259 | ||
1260 | ||
1261 | # IKE Proposals | |
1262 | print_indent 2 "# IKE Proposals" | |
e3ffacf7 | 1263 | print_indent 2 "proposals = $(vpn_security_policies_make_ike_proposal ${SECURITY_POLICY})" |
67baa452 MT |
1264 | |
1265 | ||
117278c3 | 1266 | # DPD Settings |
4e271faa | 1267 | if enabled dpd; then |
117278c3 | 1268 | print_indent 2 "# Dead Peer Detection" |
117278c3 MT |
1269 | print_indent 2 "dpd_delay = ${DPD_DELAY}" |
1270 | ||
1271 | if isset DPD_TIMEOUT; then | |
1272 | print_indent 2 "dpd_timeout = ${DPD_TIMEOUT}" | |
1273 | fi | |
1274 | ||
1275 | ||
1276 | fi | |
67baa452 MT |
1277 | |
1278 | # Fragmentation | |
1279 | print_indent 2 "# Fragmentation" | |
1280 | print_indent 2 "fragmentation = yes" | |
1281 | ||
1282 | ||
dd66c192 MT |
1283 | |
1284 | # Host-to-Net specific settings | |
1285 | case "${TYPE}" in | |
1286 | host-to-net) | |
1287 | # Pools | |
1288 | if isset POOLS; then | |
1289 | print_indent 2 "# Pools" | |
1290 | print_indent 2 "pools = $(list_join POOLS ", ")" | |
1291 | ||
1292 | fi | |
1293 | ;; | |
1294 | esac | |
96fdb077 | 1295 | |
67baa452 MT |
1296 | # Local |
1297 | print_indent 2 "local {" | |
1298 | ||
1299 | # Local ID | |
1300 | if isset LOCAL_ID; then | |
1301 | print_indent 3 "id = ${LOCAL_ID}" | |
1302 | fi | |
1303 | ||
1304 | # Authentication | |
1305 | case "${AUTH_MODE}" in | |
1306 | PSK) | |
1307 | print_indent 3 "auth = psk" | |
1308 | ;; | |
1309 | esac | |
1310 | ||
1311 | print_indent 2 "}" | |
1312 | ||
1313 | ||
1314 | # Remote | |
1315 | print_indent 2 "remote {" | |
1316 | ||
1317 | # Remote ID | |
1318 | if isset REMOTE_ID; then | |
1319 | print_indent 3 "id = ${REMOTE_ID}" | |
1320 | fi | |
1321 | ||
1322 | # Authentication | |
1323 | case "${AUTH_MODE}" in | |
1324 | PSK) | |
1325 | print_indent 3 "auth = psk" | |
1326 | ;; | |
1327 | esac | |
1328 | ||
1329 | print_indent 2 "}" | |
1330 | ||
1331 | ||
1332 | # Children | |
1333 | ||
1334 | print_indent 2 "children {" | |
1335 | print_indent 3 "${connection} {" | |
1336 | ||
1337 | print_indent 4 "# ESP Proposals" | |
e3d8f3f6 | 1338 | print_indent 4 "esp_proposals = $(vpn_security_policies_make_esp_proposal ${SECURITY_POLICY})" |
67baa452 MT |
1339 | |
1340 | ||
1341 | # Traffic Selectors | |
1342 | ||
95835d23 MT |
1343 | case "${MODE}" in |
1344 | gre-*) | |
1345 | print_indent 4 "local_ts = dynamic[gre]" | |
1346 | print_indent 4 "remote_ts = dynamic[gre]" | |
1347 | ;; | |
1348 | *) | |
1349 | # Local Prefixes | |
1350 | if isset LOCAL_PREFIX; then | |
1351 | print_indent 4 "local_ts = $(list_join LOCAL_PREFIX ,)" | |
1352 | else | |
1353 | print_indent 4 "local_ts = dynamic" | |
1354 | fi | |
67baa452 | 1355 | |
95835d23 MT |
1356 | # Remote Prefixes |
1357 | if isset REMOTE_PREFIX; then | |
1358 | print_indent 4 "remote_ts = $(list_join REMOTE_PREFIX ,)" | |
1359 | else | |
1360 | print_indent 4 "remote_ts = dynamic" | |
1361 | fi | |
1362 | ;; | |
1363 | esac | |
67baa452 MT |
1364 | |
1365 | ||
82fac748 | 1366 | # Netfilter Marks |
8af22236 MT |
1367 | case "${MODE}" in |
1368 | vti) | |
1369 | print_indent 4 "# Netfilter Marks" | |
1370 | print_indent 4 "mark_in = %unique" | |
1371 | print_indent 4 "mark_out = %unique" | |
1372 | ||
1373 | ;; | |
1374 | esac | |
82fac748 | 1375 | |
4e271faa MT |
1376 | # Dead Peer Detection |
1377 | if enabled dpd; then | |
1378 | print_indent 4 "# Dead Peer Detection" | |
1379 | print_indent 4 "dpd_action = ${DPD_ACTION}" | |
1380 | ||
1381 | fi | |
1382 | ||
67baa452 MT |
1383 | # Rekeying |
1384 | if isset LIFETIME; then | |
1385 | print_indent 4 "# Rekey Time" | |
1386 | print_indent 4 "rekey_time = ${LIFETIME}" | |
1387 | ||
1388 | fi | |
1389 | ||
1390 | # Updown Script | |
1391 | print_indent 4 "updown = ${NETWORK_HELPERS_DIR}/ipsec-updown" | |
1392 | ||
1393 | ||
1394 | # Mode | |
1395 | print_indent 4 "# Mode" | |
1396 | case "${MODE}" in | |
1397 | gre-transport) | |
1398 | print_indent 4 "mode = transport" | |
1399 | ;; | |
1400 | tunnel|vti|*) | |
1401 | print_indent 4 "mode = tunnel" | |
1402 | ;; | |
1403 | esac | |
1404 | ||
1405 | ||
1406 | # Compression | |
1407 | print_indent 4 "# Compression" | |
1408 | if enabled COMPRESSION; then | |
1409 | print_indent 4 "ipcomp = yes" | |
1410 | else | |
1411 | print_indent 4 "ipcomp = no" | |
1412 | fi | |
1413 | ||
1414 | ||
1415 | # Inactivity Timeout | |
1416 | if isset INACTIVITY_TIMEOUT; then | |
1417 | print_indent 4 "# Inactivity Timeout" | |
1418 | print_indent 4 "inactivity = ${INACTIVITY_TIMEOUT}" | |
1419 | ||
1420 | fi | |
1421 | ||
dd66c192 MT |
1422 | # Net-to-Net specific settings |
1423 | case "${TYPE}" in | |
1424 | net-to-net) | |
1425 | # Start Action | |
1426 | print_indent 4 "# Start Action" | |
1427 | case "${START_ACTION}" in | |
1428 | on-demand) | |
1429 | print_indent 4 "start_action = trap" | |
1430 | print_indent 4 "close_action = trap" | |
1431 | ;; | |
1432 | wait) | |
1433 | print_indent 4 "start_action = none" | |
1434 | print_indent 4 "close_action = none" | |
1435 | ;; | |
1436 | always-on|*) | |
1437 | print_indent 4 "start_action = start" | |
1438 | print_indent 4 "close_action = start" | |
1439 | ;; | |
1440 | esac | |
1441 | ||
37317b3e MT |
1442 | ;; |
1443 | esac | |
67baa452 MT |
1444 | |
1445 | print_indent 3 "}" | |
1446 | print_indent 2 "}" | |
1447 | ||
1448 | ||
1449 | print_indent 1 "}" | |
1450 | print_indent 0 "}" | |
1451 | ||
1452 | } | |
1453 | ||
1454 | _ipsec_connection_to_strongswan_secrets() { | |
1455 | local connection="${1}" | |
1456 | ||
1457 | print_indent 0 "secrets {" | |
1458 | ||
1459 | case "${AUTH_MODE}" in | |
1460 | PSK) | |
1461 | print_indent 1 "ike {" | |
1462 | ||
1463 | # Secret | |
1464 | print_indent 2 "secret = ${PSK}" | |
1465 | ||
1466 | # ID | |
1467 | if isset REMOTE_ID; then | |
1468 | print_indent 2 "id = ${REMOTE_ID}" | |
1469 | fi | |
1470 | ||
1471 | print_indent 1 "}" | |
1472 | ;; | |
1473 | esac | |
1474 | ||
1475 | print_indent 0 "}" | |
1476 | } |