]>
Commit | Line | Data |
---|---|---|
917a1aa0 JS |
1 | #!/bin/bash |
2 | ############################################################################### | |
3 | # # | |
4 | # IPFire.org - A linux based firewall # | |
5 | # Copyright (C) 2017 IPFire Network Development Team # | |
6 | # # | |
7 | # This program is free software: you can redistribute it and/or modify # | |
8 | # it under the terms of the GNU General Public License as published by # | |
9 | # the Free Software Foundation, either version 3 of the License, or # | |
10 | # (at your option) any later version. # | |
11 | # # | |
12 | # This program is distributed in the hope that it will be useful, # | |
13 | # but WITHOUT ANY WARRANTY; without even the implied warranty of # | |
14 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # | |
15 | # GNU General Public License for more details. # | |
16 | # # | |
17 | # You should have received a copy of the GNU General Public License # | |
18 | # along with this program. If not, see <http://www.gnu.org/licenses/>. # | |
19 | # # | |
20 | ############################################################################### | |
21 | ||
33944dfb MT |
22 | IPSEC_CONNECTION_CONFIG_SETTINGS="\ |
23 | AUTH_MODE \ | |
24 | DPD_ACTION \ | |
25 | DPD_DELAY \ | |
26 | DPD_TIMEOUT \ | |
27 | INACTIVITY_TIMEOUT \ | |
28 | LOCAL_ADDRESS \ | |
29 | LOCAL_ID \ | |
30 | LOCAL_PREFIX \ | |
31 | MODE \ | |
32 | PEER \ | |
33 | PSK \ | |
34 | REMOTE_ID \ | |
35 | REMOTE_PREFIX \ | |
5601f4f5 JS |
36 | SECURITY_POLICY \ |
37 | ENABLED" | |
917a1aa0 JS |
38 | |
39 | # Default values | |
ab589039 | 40 | IPSEC_DEFAULT_AUTH_MODE="PSK" |
bb9fccaf JS |
41 | IPSEC_DEFAULT_DPD_ACTION="restart" |
42 | IPSEC_DEFAULT_DPD_DELAY="30" | |
43 | IPSEC_DEFAULT_DPD_TIMEOUT="120" | |
5601f4f5 | 44 | IPSEC_DEFAULT_ENABLED="true" |
917a1aa0 | 45 | IPSEC_DEFAULT_INACTIVITY_TIMEOUT="0" |
bb9fccaf | 46 | IPSEC_DEFAULT_MODE="tunnel" |
917a1aa0 | 47 | IPSEC_DEFAULT_SECURITY_POLICY="system" |
bb9fccaf | 48 | IPSEC_DEFAULT_START_ACTION="on-demand" |
917a1aa0 JS |
49 | |
50 | IPSEC_VALID_MODES="gre-transport tunnel vti" | |
ab589039 | 51 | IPSEC_VALID_AUTH_MODES="PSK" |
917a1aa0 | 52 | |
2da98f56 MT |
53 | cli_ipsec() { |
54 | local action=${1} | |
55 | shift 1 | |
56 | ||
57 | case "${action}" in | |
58 | connection) | |
59 | cli_ipsec_connection $@ | |
60 | ;; | |
61 | *) | |
62 | error "Unrecognized argument: ${action}" | |
63 | exit ${EXIT_ERROR} | |
64 | ;; | |
65 | esac | |
66 | } | |
67 | ||
68 | cli_ipsec_connection() { | |
69 | if ipsec_connection_exists ${1}; then | |
70 | local connection=${1} | |
71 | local key=${2} | |
72 | key=${key//-/_} | |
73 | shift 2 | |
74 | ||
75 | case "${key}" in | |
5601f4f5 | 76 | authentication|down|disable|dpd|enable|inactivity_timeout|local|mode|peer|remote|security_policy|start_action|up) |
2da98f56 MT |
77 | ipsec_connection_${key} ${connection} $@ |
78 | ;; | |
c1e76e97 MT |
79 | show) |
80 | cli_ipsec_connection_show "${connection}" | |
81 | exit $? | |
82 | ;; | |
2da98f56 MT |
83 | *) |
84 | error "Unrecognized argument: ${key}" | |
85 | exit ${EXIT_ERROR} | |
86 | ;; | |
87 | esac | |
88 | else | |
89 | local action=${1} | |
90 | shift | |
91 | ||
92 | case "${action}" in | |
93 | new) | |
94 | ipsec_connection_new $@ | |
95 | ;; | |
96 | destroy) | |
fa33d830 | 97 | cli_ipsec_connection_destroy $@ |
2da98f56 MT |
98 | ;; |
99 | ""|*) | |
100 | if [ -n "${action}" ]; then | |
101 | error "Unrecognized argument: '${action}'" | |
102 | fi | |
103 | exit ${EXIT_ERROR} | |
104 | ;; | |
105 | esac | |
106 | fi | |
107 | } | |
108 | ||
fa33d830 MT |
109 | cli_ipsec_connection_destroy() { |
110 | local connection="${1}" | |
111 | ||
112 | if ! ipsec_connection_destroy "${connection}"; then | |
113 | return ${EXIT_ERROR} | |
114 | fi | |
115 | ||
116 | # Inform strongswan about the changes | |
117 | ipsec_strongswan_load | |
118 | ||
119 | # Configure strongswan autostart | |
120 | ipsec_strongswan_autostart | |
121 | } | |
122 | ||
c1e76e97 MT |
123 | cli_ipsec_connection_show() { |
124 | local connection="${1}" | |
125 | ||
126 | # Read the config settings | |
127 | local ${IPSEC_CONNECTION_CONFIG_SETTINGS} | |
128 | if ! ipsec_connection_read_config "${connection}"; then | |
129 | error "Could not read the connection configuration" | |
130 | return ${EXIT_ERROR} | |
131 | fi | |
132 | ||
133 | cli_headline 0 "IPsec VPN Connection: ${connection}" | |
134 | cli_space | |
135 | ||
136 | # Peer | |
137 | if isset PEER; then | |
138 | cli_print_fmt1 1 "Peer" "${PEER}" | |
139 | fi | |
140 | ||
141 | # Security Policy | |
142 | cli_print_fmt1 1 "Security Policy" "${SECURITY_POLICY-${IPSEC_DEFAULT_SECURITY_POLICY}}" | |
143 | cli_space | |
144 | ||
145 | cli_headline 2 "Authentication" | |
146 | case "${AUTH_MODE^^}" in | |
147 | PSK) | |
148 | cli_print_fmt1 2 "Mode" "Pre-Shared-Key" | |
149 | ||
150 | if isset PSK; then | |
151 | cli_print_fmt1 2 "Pre-Shared-Key" "****" | |
152 | else | |
153 | cli_print_fmt1 2 "Pre-Shared-Key" "- is not set -" | |
154 | fi | |
155 | ;; | |
156 | X509) | |
157 | : # TODO | |
158 | ;; | |
159 | esac | |
160 | cli_space | |
161 | ||
162 | local i | |
163 | for i in LOCAL REMOTE; do | |
164 | case "${i}" in | |
165 | LOCAL) | |
166 | cli_headline 2 "Local" | |
167 | ;; | |
168 | REMOTE) | |
169 | cli_headline 2 "Remote" | |
170 | ;; | |
171 | esac | |
172 | ||
173 | local id_var="${i}_ID" | |
174 | if [ -n "${!id_var}" ]; then | |
175 | cli_print_fmt1 2 "ID" "${!id_var}" | |
176 | fi | |
177 | ||
178 | local prefix_var="${i}_PREFIX" | |
179 | if isset ${prefix_var}; then | |
180 | cli_headline 3 "Prefix(es)" | |
181 | ||
182 | local prefix | |
183 | for prefix in ${!prefix_var}; do | |
184 | cli_print_fmt1 3 "${prefix}" | |
185 | done | |
186 | fi | |
187 | ||
188 | cli_space | |
189 | done | |
190 | ||
191 | cli_headline 2 "Misc." | |
192 | ||
193 | case "${MODE}" in | |
194 | gre-transport) | |
195 | cli_print_fmt1 2 "Transport Mode" "GRE Transport" | |
196 | ;; | |
197 | tunnel) | |
198 | cli_print_fmt1 2 "Transport Mode" "Tunnel" | |
199 | ;; | |
200 | vti) | |
201 | cli_print_fmt1 2 "Transport Mode" "Virtual Tunnel Interface" | |
202 | ;; | |
203 | *) | |
204 | cli_print_fmt1 2 "Transport Mode" "- Unknown -" | |
205 | ;; | |
206 | esac | |
207 | ||
208 | # Inactivity timeout | |
209 | if isset INACTIVITY_TIMEOUT && [ ${INACTIVITY_TIMEOUT} -gt 0 ]; then | |
210 | cli_print_fmt1 2 "Inactivity Timeout" "$(format_time ${INACTIVITY_TIMEOUT})" | |
211 | fi | |
212 | cli_space | |
213 | ||
214 | return ${EXIT_OK} | |
215 | } | |
216 | ||
5601f4f5 JS |
217 | ipsec_connection_disable() { |
218 | local connection=${1} | |
219 | ||
220 | if ! ipsec_connection_write_config_key "${connection}" "ENABLED" "false"; then | |
221 | log ERROR "Could not write configuration settings" | |
222 | return ${EXIT_ERROR} | |
223 | fi | |
224 | ||
225 | ipsec_reload ${connection} | |
c3f31173 MT |
226 | |
227 | # Configure strongswan autostart | |
228 | ipsec_strongswan_autostart | |
5601f4f5 JS |
229 | } |
230 | ||
231 | ipsec_connection_enable() { | |
232 | local connection=${1} | |
233 | ||
234 | if ! ipsec_connection_write_config_key "${connection}" "ENABLED" "true"; then | |
235 | log ERROR "Could not write configuration settings" | |
236 | return ${EXIT_ERROR} | |
237 | fi | |
238 | ||
239 | ipsec_reload "${connection}" | |
c3f31173 MT |
240 | |
241 | # Configure strongswan autostart | |
242 | ipsec_strongswan_autostart | |
5601f4f5 JS |
243 | } |
244 | ||
917a1aa0 JS |
245 | # This function writes all values to a via ${connection} specificated VPN IPsec configuration file |
246 | ipsec_connection_write_config() { | |
247 | assert [ $# -ge 1 ] | |
248 | ||
249 | local connection="${1}" | |
250 | ||
251 | if ! ipsec_connection_exists "${connection}"; then | |
252 | log ERROR "No such VPN IPsec connection: ${connection}" | |
253 | return ${EXIT_ERROR} | |
254 | fi | |
255 | ||
cf8685a1 | 256 | local path="${NETWORK_IPSEC_CONNS_DIR}/${connection}/settings" |
917a1aa0 JS |
257 | |
258 | if ! settings_write "${path}" ${IPSEC_CONNECTION_CONFIG_SETTINGS}; then | |
259 | log ERROR "Could not write configuration settings for VPN IPsec connection ${connection}" | |
260 | return ${EXIT_ERROR} | |
261 | fi | |
262 | ||
263 | ipsec_reload ${connection} | |
264 | } | |
265 | ||
266 | # This funtion writes the value for one key to a via ${connection} specificated VPN IPsec connection configuration file | |
267 | ipsec_connection_write_config_key() { | |
268 | assert [ $# -ge 3 ] | |
269 | ||
270 | local connection=${1} | |
271 | local key=${2} | |
272 | shift 2 | |
273 | ||
274 | local value="$@" | |
275 | ||
276 | if ! ipsec_connection_exists "${connection}"; then | |
277 | log ERROR "No such VPN ipsec connection: ${connection}" | |
278 | return ${EXIT_ERROR} | |
279 | fi | |
280 | ||
281 | log DEBUG "Set '${key}' to new value '${value}' in VPN ipsec connection '${connection}'" | |
282 | ||
283 | local ${IPSEC_CONNECTION_CONFIG_SETTINGS} | |
284 | ||
285 | # Read the config settings | |
286 | if ! ipsec_connection_read_config "${connection}"; then | |
287 | return ${EXIT_ERROR} | |
288 | fi | |
289 | ||
290 | # Set the key to a new value | |
291 | assign "${key}" "${value}" | |
292 | ||
293 | if ! ipsec_connection_write_config "${connection}"; then | |
294 | return ${EXIT_ERROR} | |
295 | fi | |
296 | ||
297 | return ${EXIT_TRUE} | |
298 | } | |
299 | ||
300 | # Reads one or more keys out of a settings file or all if no key is provided. | |
301 | ipsec_connection_read_config() { | |
302 | assert [ $# -ge 1 ] | |
303 | ||
304 | local connection="${1}" | |
305 | shift 1 | |
306 | ||
307 | if ! ipsec_connection_exists "${connection}"; then | |
308 | log ERROR "No such VPN IPsec connection : ${connection}" | |
309 | return ${EXIT_ERROR} | |
310 | fi | |
311 | ||
312 | ||
313 | local args | |
314 | if [ $# -eq 0 ] && [ -n "${IPSEC_CONNECTION_CONFIG_SETTINGS}" ]; then | |
315 | list_append args ${IPSEC_CONNECTION_CONFIG_SETTINGS} | |
316 | else | |
317 | list_append args $@ | |
318 | fi | |
319 | ||
cf8685a1 | 320 | local path="${NETWORK_IPSEC_CONNS_DIR}/${connection}/settings" |
917a1aa0 JS |
321 | |
322 | if ! settings_read "${path}" ${args}; then | |
323 | log ERROR "Could not read settings for VPN IPsec connection ${connection}" | |
324 | return ${EXIT_ERROR} | |
325 | fi | |
326 | } | |
327 | ||
917a1aa0 JS |
328 | # This function checks if a vpn ipsec connection exists |
329 | # Returns True when yes and false when not | |
330 | ipsec_connection_exists() { | |
331 | assert [ $# -eq 1 ] | |
332 | ||
333 | local connection=${1} | |
334 | ||
cf8685a1 | 335 | local path="${NETWORK_IPSEC_CONNS_DIR}/${connection}" |
917a1aa0 JS |
336 | |
337 | [ -d "${path}" ] && return ${EXIT_TRUE} || return ${EXIT_FALSE} | |
338 | } | |
339 | ||
c3f31173 MT |
340 | # Determines if strongswan should be automatically started |
341 | # when the system boots up. | |
342 | ipsec_strongswan_autostart() { | |
343 | local autostart_needed="false" | |
344 | ||
345 | local connection | |
346 | for connection in $(ipsec_list_connections); do | |
347 | local ENABLED | |
348 | ||
349 | if ! ipsec_connection_read_config "${connection}" "ENABLED"; then | |
350 | log WARNING "Could not read configuation" | |
351 | continue | |
352 | fi | |
353 | ||
354 | if enabled ENABLED; then | |
355 | autostart_needed="true" | |
356 | break | |
357 | fi | |
358 | done | |
359 | ||
360 | # Start strongswan when we need it and when it is not yet enabled | |
b863fe52 MT |
361 | if ${autostart_needed}; then |
362 | if ! service_is_enabled "strongswan"; then | |
363 | service_enable "strongswan" | |
364 | fi | |
365 | ||
366 | if ! service_is_active "strongswan"; then | |
367 | service_start "strongswan" | |
368 | fi | |
c3f31173 MT |
369 | |
370 | # Disable strongswan when we do not need it but it is enabled | |
b863fe52 MT |
371 | elif ! ${autostart_needed}; then |
372 | if service_is_enabled "strongswan"; then | |
373 | service_disable "strongswan" | |
374 | fi | |
375 | ||
376 | if service_is_active "strongswan"; then | |
377 | service_stop "strongswan" | |
378 | fi | |
c3f31173 MT |
379 | fi |
380 | } | |
381 | ||
f0e91d26 JS |
382 | ipsec_strongswan_load() { |
383 | if ! cmd swanctl --load-all; then | |
384 | log ERROR "Could not reload strongswan config" | |
385 | return ${EXIT_ERROR} | |
386 | fi | |
387 | } | |
388 | ||
917a1aa0 JS |
389 | # Reloads the connection after config changes |
390 | ipsec_reload() { | |
39d87f20 JS |
391 | local connection=${1} |
392 | ||
5601f4f5 JS |
393 | local ENABLED |
394 | ||
395 | if ! ipsec_connection_read_config "${connection}" "ENABLED"; then | |
396 | log ERROR "Could not read configuration for IPsec connection ${connection}" | |
39d87f20 JS |
397 | return ${EXIT_ERROR} |
398 | fi | |
399 | ||
471f16bc | 400 | if enabled ENABLED; then |
5601f4f5 JS |
401 | if ! ipsec_connection_to_strongswan ${connection}; then |
402 | log ERROR "Could not generate strongswan config for ${connnection}" | |
403 | return ${EXIT_ERROR} | |
404 | fi | |
405 | else | |
406 | unlink "${NETWORK_IPSEC_SWANCTL_CONNECTIONS_DIR}/${connection}.conf" | |
407 | fi | |
408 | ||
f0e91d26 | 409 | ipsec_strongswan_load |
917a1aa0 JS |
410 | } |
411 | ||
412 | # Handle the cli after authentification | |
413 | ipsec_connection_authentication() { | |
414 | if [ ! $# -gt 1 ]; then | |
415 | log ERROR "Not enough arguments" | |
416 | return ${EXIT_ERROR} | |
417 | fi | |
418 | ||
419 | local connection=${1} | |
420 | local cmd=${2} | |
421 | shift 2 | |
422 | ||
423 | case ${cmd} in | |
424 | mode) | |
425 | ipsec_connection_authentication_mode "${connection}" $@ | |
426 | ;; | |
427 | pre-shared-key) | |
428 | ipsec_connection_authentication_psk "${connection}" $@ | |
429 | ;; | |
430 | *) | |
431 | log ERROR "Unrecognized argument: ${cmd}" | |
432 | return ${EXIT_ERROR} | |
433 | ;; | |
434 | esac | |
435 | } | |
436 | ||
437 | # Set the authentification mode | |
438 | ipsec_connection_authentication_mode() { | |
439 | if [ ! $# -eq 2 ]; then | |
440 | log ERROR "Not enough arguments" | |
441 | return ${EXIT_ERROR} | |
442 | fi | |
443 | local connection=${1} | |
444 | local mode=${2} | |
445 | ||
446 | if ! isoneof mode ${IPSEC_VALID_AUTH_MODES}; then | |
447 | log ERROR "Auth mode '${mode}' is invalid" | |
448 | return ${EXIT_ERROR} | |
449 | fi | |
450 | ||
ab589039 | 451 | if ! ipsec_connection_write_config_key "${connection}" "AUTH_MODE" ${mode^^}; then |
917a1aa0 JS |
452 | log ERROR "Could not write configuration settings" |
453 | return ${EXIT_ERROR} | |
454 | fi | |
455 | } | |
456 | ||
457 | # Set the psk | |
458 | ipsec_connection_authentication_psk() { | |
db491d1d | 459 | if [ ! $# -eq 2 ]; then |
917a1aa0 JS |
460 | log ERROR "Not enough arguments" |
461 | return ${EXIT_ERROR} | |
462 | fi | |
1bfc4f56 | 463 | |
917a1aa0 JS |
464 | local connection=${1} |
465 | local psk=${2} | |
466 | ||
1bfc4f56 MT |
467 | local length=${#psk} |
468 | ||
469 | if [ ${length} -lt 4 ]; then | |
470 | error "The PSK must be longer than four characters" | |
471 | return ${EXIT_ERROR} | |
472 | fi | |
473 | ||
474 | if [ ${length} -gt 128 ]; then | |
475 | error "The PSK cannot be longer than 128 characters" | |
476 | return ${EXIT_ERROR} | |
477 | fi | |
917a1aa0 | 478 | |
1bfc4f56 | 479 | if ! ipsec_connection_write_config_key "${connection}" "PSK" "${psk}"; then |
917a1aa0 JS |
480 | log ERROR "Could not write configuration settings" |
481 | return ${EXIT_ERROR} | |
482 | fi | |
483 | ||
484 | return ${EXIT_OK} | |
485 | } | |
486 | ||
3cde31b9 MT |
487 | ipsec_connection_up() { |
488 | local connection="${1}" | |
489 | ||
490 | if ! ipsec_connection_exists "${connection}"; then | |
491 | error "No such VPN IPsec connection: ${connection}" | |
492 | return ${EXIT_ERROR} | |
493 | fi | |
494 | ||
495 | cmd swanctl --initiate --child "${connection}" | |
496 | } | |
497 | ||
498 | ipsec_connection_down() { | |
499 | local connection="${1}" | |
500 | ||
501 | if ! ipsec_connection_exists "${connection}"; then | |
502 | error "No such VPN IPsec connection: ${connection}" | |
503 | return ${EXIT_ERROR} | |
504 | fi | |
505 | ||
506 | cmd swanctl --terminate --ike "${connection}" | |
507 | } | |
bb9fccaf JS |
508 | |
509 | # Handle the cli after authentification | |
510 | ipsec_connection_dpd() { | |
511 | if [ ! $# -gt 1 ]; then | |
512 | log ERROR "Not enough arguments" | |
513 | return ${EXIT_ERROR} | |
514 | fi | |
515 | ||
516 | local connection=${1} | |
517 | local cmd=${2} | |
518 | shift 2 | |
519 | ||
520 | case ${cmd} in | |
521 | action) | |
522 | ipsec_connection_dpd_action "${connection}" $@ | |
523 | ;; | |
524 | delay) | |
525 | ipsec_connection_dpd_delay "${connection}" $@ | |
526 | ;; | |
527 | timeout) | |
528 | ipsec_connection_dpd_timeout "${connection}" $@ | |
529 | ;; | |
530 | *) | |
531 | log ERROR "Unrecognized argument: ${cmd}" | |
532 | return ${EXIT_ERROR} | |
533 | ;; | |
534 | esac | |
535 | } | |
536 | ||
537 | # Set the default dpd action | |
538 | ipsec_connection_dpd_action() { | |
539 | if [ ! $# -eq 2 ]; then | |
540 | log ERROR "Not enough arguments" | |
541 | return ${EXIT_ERROR} | |
542 | fi | |
543 | local connection=${1} | |
544 | local action=${2} | |
545 | ||
546 | if ! isoneof action "restart" "clear"; then | |
547 | log ERROR "dpd action '${action}' is invalid" | |
548 | return ${EXIT_ERROR} | |
549 | fi | |
550 | ||
551 | if ! ipsec_connection_write_config_key "${connection}" "DPD_ACTION" ${action}; then | |
552 | log ERROR "Could not write configuration settings" | |
553 | return ${EXIT_ERROR} | |
554 | fi | |
555 | } | |
556 | ||
557 | # Set the dpd delay | |
558 | ipsec_connection_dpd_delay() { | |
559 | if [ ! $# -ge 2 ]; then | |
560 | log ERROR "Not enough arguments" | |
561 | return ${EXIT_ERROR} | |
562 | fi | |
563 | ||
564 | local connection=${1} | |
565 | shift 1 | |
566 | local value=$@ | |
567 | ||
568 | if ! isinteger value; then | |
569 | value=$(parse_time $@) | |
570 | if [ ! $? -eq 0 ]; then | |
571 | log ERROR "Parsing the passed time was not sucessful please check the passed values." | |
572 | return ${EXIT_ERROR} | |
573 | fi | |
574 | fi | |
575 | ||
576 | if [ ${value} -lt 0 ]; then | |
577 | log ERROR "The passed time value must be in the sum greater or equal zero seconds." | |
578 | return ${EXIT_ERROR} | |
579 | fi | |
580 | ||
581 | if ! ipsec_connection_write_config_key "${connection}" "DPD_DELAY" ${value}; then | |
582 | log ERROR "Could not write configuration settings" | |
583 | return ${EXIT_ERROR} | |
584 | fi | |
585 | ||
586 | return ${EXIT_OK} | |
587 | } | |
588 | ||
589 | # Set the dpd timeout | |
590 | ipsec_connection_dpd_timeout() { | |
591 | if [ ! $# -ge 2 ]; then | |
592 | log ERROR "Not enough arguments" | |
593 | return ${EXIT_ERROR} | |
594 | fi | |
595 | ||
596 | local connection=${1} | |
597 | shift 1 | |
598 | local value=$@ | |
599 | ||
600 | if ! isinteger value; then | |
601 | value=$(parse_time $@) | |
602 | if [ ! $? -eq 0 ]; then | |
603 | log ERROR "Parsing the passed time was not sucessful please check the passed values." | |
604 | return ${EXIT_ERROR} | |
605 | fi | |
606 | fi | |
607 | ||
608 | if [ ${value} -le 0 ]; then | |
609 | log ERROR "The passed time value must be in the sum greater or equal zero seconds." | |
610 | return ${EXIT_ERROR} | |
611 | fi | |
612 | ||
613 | if ! ipsec_connection_write_config_key "${connection}" "DPD_TIMEOUT" ${value}; then | |
614 | log ERROR "Could not write configuration settings" | |
615 | return ${EXIT_ERROR} | |
616 | fi | |
617 | ||
618 | return ${EXIT_OK} | |
619 | } | |
620 | ||
917a1aa0 JS |
621 | # Handle the cli after local |
622 | ipsec_connection_local() { | |
623 | if [ ! $# -ge 2 ]; then | |
624 | log ERROR "Not enough arguments" | |
625 | return ${EXIT_ERROR} | |
626 | fi | |
627 | ||
628 | local connection=${1} | |
629 | local cmd=${2} | |
630 | shift 2 | |
631 | ||
632 | case ${cmd} in | |
bb9fccaf JS |
633 | address) |
634 | ipsec_connection_local_address "${connection}" $@ | |
635 | ;; | |
917a1aa0 JS |
636 | id) |
637 | ipsec_connection_id "${connection}" "LOCAL" $@ | |
638 | ;; | |
639 | prefix) | |
640 | ipsec_connection_prefix "${connection}" "LOCAL" $@ | |
641 | ;; | |
642 | *) | |
643 | log ERROR "Unrecognized argument: ${cmd}" | |
644 | return ${EXIT_ERROR} | |
645 | ;; | |
646 | esac | |
647 | ||
648 | return ${EXIT_OK} | |
649 | } | |
650 | ||
651 | # Set the connection mode | |
652 | ipsec_connection_mode() { | |
5bdbc2ee | 653 | if [ ! $# -eq 2 ]; then |
917a1aa0 JS |
654 | log ERROR "Not enough arguments" |
655 | return ${EXIT_ERROR} | |
656 | fi | |
657 | local connection=${1} | |
658 | local mode=${2} | |
659 | ||
660 | if ! isoneof mode ${IPSEC_VALID_MODES}; then | |
661 | log ERROR "Mode '${mode}' is invalid" | |
662 | return ${EXIT_ERROR} | |
663 | fi | |
664 | ||
665 | if ! ipsec_connection_write_config_key "${connection}" "MODE" ${mode}; then | |
666 | log ERROR "Could not write configuration settings" | |
667 | return ${EXIT_ERROR} | |
668 | fi | |
669 | ||
670 | return ${EXIT_OK} | |
671 | } | |
672 | ||
bb9fccaf JS |
673 | # Set the local address |
674 | ipsec_connection_local_address() { | |
675 | if [ ! $# -eq 2 ]; then | |
676 | log ERROR "Not enough arguments" | |
677 | return ${EXIT_ERROR} | |
678 | fi | |
679 | local connection=${1} | |
680 | local local_address=${2} | |
681 | ||
682 | if ! ipsec_connection_check_peer ${local_address}; then | |
683 | log ERROR "Local address '${local_address}' is invalid" | |
684 | return ${EXIT_ERROR} | |
685 | fi | |
686 | ||
687 | if ! ipsec_connection_write_config_key "${connection}" "LOCAL_ADDRESS" ${local_address}; then | |
688 | log ERROR "Could not write configuration settings" | |
689 | return ${EXIT_ERROR} | |
690 | fi | |
691 | ||
692 | return ${EXIT_OK} | |
693 | } | |
694 | ||
917a1aa0 JS |
695 | # Set the peer to connect to |
696 | ipsec_connection_peer() { | |
0b962a64 | 697 | if [ ! $# -eq 2 ]; then |
917a1aa0 JS |
698 | log ERROR "Not enough arguments" |
699 | return ${EXIT_ERROR} | |
700 | fi | |
701 | local connection=${1} | |
702 | local peer=${2} | |
703 | ||
704 | if ! ipsec_connection_check_peer ${peer}; then | |
705 | log ERROR "Peer '${peer}' is invalid" | |
706 | return ${EXIT_ERROR} | |
707 | fi | |
708 | ||
709 | if ! ipsec_connection_write_config_key "${connection}" "PEER" ${peer}; then | |
710 | log ERROR "Could not write configuration settings" | |
711 | return ${EXIT_ERROR} | |
712 | fi | |
713 | ||
714 | return ${EXIT_OK} | |
715 | } | |
716 | ||
717 | #Set the local or remote id | |
718 | ipsec_connection_id() { | |
719 | if [ ! $# -eq 3 ]; then | |
720 | log ERROR "Not enough arguments" | |
721 | return ${EXIT_ERROR} | |
722 | fi | |
723 | local connection=${1} | |
724 | local type=${2} | |
725 | local id=${3} | |
726 | ||
727 | if ! ipsec_connection_check_id ${id}; then | |
728 | log ERROR "Id '${id}' is invalid" | |
729 | return ${EXIT_ERROR} | |
730 | fi | |
731 | ||
732 | if ! ipsec_connection_write_config_key "${connection}" "${type}_ID" ${id}; then | |
733 | log ERROR "Could not write configuration settings" | |
734 | return ${EXIT_ERROR} | |
735 | fi | |
736 | ||
737 | return ${EXIT_OK} | |
738 | } | |
739 | ||
740 | # Set the local or remote prefix | |
741 | ipsec_connection_prefix() { | |
742 | if [ ! $# -ge 3 ]; then | |
743 | log ERROR "Not enough arguments" | |
744 | return ${EXIT_ERROR} | |
745 | fi | |
746 | local connection=${1} | |
747 | local type=${2} | |
748 | shift 2 | |
749 | ||
750 | local _prefix="${type}_PREFIX" | |
751 | local "${_prefix}" | |
752 | if ! ipsec_connection_read_config "${connection}" "${_prefix}"; then | |
753 | return ${EXIT_ERROR} | |
754 | fi | |
755 | ||
756 | # Remove duplicated entries to proceed the list safely | |
757 | assign "${_prefix}" "$(list_unique ${!_prefix} )" | |
758 | ||
759 | local prefixes_added | |
760 | local prefixes_removed | |
761 | local prefixes_set | |
762 | ||
763 | while [ $# -gt 0 ]; do | |
764 | local arg="${1}" | |
765 | ||
766 | case "${arg}" in | |
767 | +*) | |
768 | list_append prefixes_added "${arg:1}" | |
769 | ;; | |
770 | -*) | |
771 | list_append prefixes_removed "${arg:1}" | |
772 | ;; | |
773 | [A-Fa-f0-9]*) | |
774 | list_append prefixes_set "${arg}" | |
775 | ;; | |
776 | *) | |
777 | error "Invalid argument: ${arg}" | |
778 | return ${EXIT_ERROR} | |
779 | ;; | |
780 | esac | |
781 | shift | |
782 | done | |
783 | ||
784 | # Check if the user is trying a mixed operation | |
785 | if ! list_is_empty prefixes_set && (! list_is_empty prefixes_added || ! list_is_empty prefixes_removed); then | |
786 | error "You cannot reset the prefix list and add or remove prefixes at the same time" | |
787 | return ${EXIT_ERROR} | |
788 | fi | |
789 | ||
790 | # Set new prefix list | |
791 | if ! list_is_empty prefixes_set; then | |
792 | # Check if all prefixes are valid | |
793 | local prefix | |
794 | for prefix in ${prefixes_set}; do | |
795 | if ! ip_net_is_valid ${prefix}; then | |
796 | error "Unsupported prefix: ${prefix}" | |
797 | return ${EXIT_ERROR} | |
798 | fi | |
799 | done | |
800 | ||
801 | assign "${_prefix}" "${prefixes_set}" | |
802 | ||
803 | # Perform incremental updates | |
804 | else | |
805 | local prefix | |
806 | ||
807 | # Perform all removals | |
808 | for prefix in ${prefixes_removed}; do | |
809 | if ! list_remove "${_prefix}" ${prefix}; then | |
810 | warning "${prefix} was not on the list and could not be removed" | |
811 | fi | |
812 | done | |
813 | ||
814 | ||
815 | for prefix in ${prefixes_added}; do | |
816 | if ip_net_is_valid ${prefix}; then | |
817 | if ! list_append_unique "${_prefix}" ${prefix}; then | |
818 | warning "${prefix} is already on the prefix list" | |
819 | fi | |
820 | else | |
f03f29b7 | 821 | warning "${prefix} is not a valid IP network and could not be added" |
917a1aa0 JS |
822 | fi |
823 | done | |
824 | fi | |
825 | ||
826 | # Check if the list contain at least one valid prefix | |
827 | if list_is_empty ${_prefix}; then | |
828 | error "Cannot save an empty prefix list" | |
829 | return ${EXIT_ERROR} | |
830 | fi | |
831 | ||
832 | # Save everything | |
833 | if ! ipsec_connection_write_config_key "${connection}" "${_prefix}" ${!_prefix}; then | |
834 | log ERROR "Could not write configuration settings" | |
835 | fi | |
836 | ||
837 | return ${EXIT_OK} | |
838 | } | |
839 | ||
840 | # Handle the cli after remote | |
841 | ipsec_connection_remote() { | |
842 | if [ ! $# -ge 2 ]; then | |
843 | log ERROR "Not enough arguments" | |
844 | return ${EXIT_ERROR} | |
845 | fi | |
846 | ||
847 | local connection=${1} | |
848 | local cmd=${2} | |
849 | shift 2 | |
850 | ||
851 | case ${cmd} in | |
852 | id) | |
853 | ipsec_connection_id "${connection}" "REMOTE" $@ | |
854 | ;; | |
855 | ||
856 | prefix) | |
857 | ipsec_connection_prefix "${connection}" "REMOTE" $@ | |
858 | ;; | |
859 | *) | |
860 | log ERROR "Unrecognized argument: ${cmd}" | |
861 | return ${EXIT_ERROR} | |
862 | ;; | |
863 | esac | |
864 | ||
865 | return ${EXIT_OK} | |
866 | } | |
867 | ||
868 | # Set the inactivity timeout | |
869 | ipsec_connection_inactivity_timeout() { | |
870 | if [ ! $# -ge 2 ]; then | |
871 | log ERROR "Not enough arguments" | |
872 | return ${EXIT_ERROR} | |
873 | fi | |
874 | ||
875 | local connection=${1} | |
876 | shift 1 | |
877 | local value=$@ | |
878 | ||
879 | if ! isinteger value; then | |
880 | value=$(parse_time $@) | |
881 | if [ ! $? -eq 0 ]; then | |
882 | log ERROR "Parsing the passed time was not sucessful please check the passed values." | |
883 | return ${EXIT_ERROR} | |
884 | fi | |
885 | fi | |
886 | ||
887 | if [ ${value} -le 0 ]; then | |
888 | log ERROR "The passed time value must be in the sum greater zero seconds." | |
889 | return ${EXIT_ERROR} | |
890 | fi | |
891 | ||
892 | if ! ipsec_connection_write_config_key "${connection}" "INACTIVITY_TIMEOUT" ${value}; then | |
893 | log ERROR "Could not write configuration settings" | |
894 | return ${EXIT_ERROR} | |
895 | fi | |
896 | ||
897 | return ${EXIT_OK} | |
898 | } | |
899 | ||
bb9fccaf JS |
900 | # Set the default start action |
901 | ipsec_connection_start_action() { | |
902 | if [ ! $# -eq 2 ]; then | |
903 | log ERROR "Not enough arguments" | |
904 | return ${EXIT_ERROR} | |
905 | fi | |
906 | local connection=${1} | |
907 | local action=${2} | |
908 | ||
909 | if ! isoneof action "on-demand" "always-on"; then | |
910 | log ERROR "Start action '${action}' is invalid" | |
911 | return ${EXIT_ERROR} | |
912 | fi | |
913 | ||
914 | if ! ipsec_connection_write_config_key "${connection}" "START_ACTION" ${action}; then | |
915 | log ERROR "Could not write configuration settings" | |
916 | return ${EXIT_ERROR} | |
917 | fi | |
918 | } | |
917a1aa0 JS |
919 | |
920 | # Set the security policy to use | |
921 | ipsec_connection_security_policy() { | |
922 | if [ ! $# -eq 2 ]; then | |
923 | log ERROR "Not enough arguments" | |
924 | return ${EXIT_ERROR} | |
925 | fi | |
926 | local connection=${1} | |
927 | local security_policy=${2} | |
928 | ||
929 | if ! vpn_security_policy_exists ${security_policy}; then | |
930 | log ERROR "No such vpn security policy '${security_policy}'" | |
931 | return ${EXIT_ERROR} | |
932 | fi | |
933 | ||
934 | if ! ipsec_connection_write_config_key "${connection}" "SECURITY_POLICY" ${security_policy}; then | |
935 | log ERROR "Could not write configuration settings" | |
936 | return ${EXIT_ERROR} | |
937 | fi | |
938 | } | |
939 | ||
940 | # Check if a id is valid | |
941 | ipsec_connection_check_id() { | |
942 | assert [ $# -eq 1 ] | |
943 | local id=${1} | |
944 | ||
945 | if [[ ${id} =~ ^@[[:alnum:]]+$ ]] || ip_is_valid ${id}; then | |
946 | return ${EXIT_TRUE} | |
947 | else | |
948 | return ${EXIT_FALSE} | |
949 | fi | |
950 | } | |
951 | ||
952 | # Checks if a peer is valid | |
953 | ipsec_connection_check_peer() { | |
954 | assert [ $# -eq 1 ] | |
955 | local peer=${1} | |
956 | ||
957 | # TODO Accept also FQDNs | |
958 | if ip_is_valid ${peer}; then | |
959 | return ${EXIT_TRUE} | |
960 | else | |
961 | return ${EXIT_FALSE} | |
962 | fi | |
963 | } | |
964 | ||
965 | # This function checks if a VPN IPsec connection name is valid | |
966 | # Allowed are only A-Za-z0-9 | |
967 | ipsec_connection_check_name() { | |
968 | assert [ $# -eq 1 ] | |
969 | ||
970 | local connection=${1} | |
971 | ||
972 | [[ "${connection}" =~ [^[:alnum:]$] ]] | |
973 | } | |
974 | ||
975 | # Function that creates one VPN IPsec connection | |
976 | ipsec_connection_new() { | |
977 | if [ $# -gt 1 ]; then | |
978 | error "Too many arguments" | |
979 | return ${EXIT_ERROR} | |
980 | fi | |
981 | ||
982 | local connection="${1}" | |
983 | if ! isset connection; then | |
984 | error "Please provide a connection name" | |
985 | return ${EXIT_ERROR} | |
986 | fi | |
987 | ||
988 | # Check for duplicates | |
989 | if ipsec_connection_exists "${connection}"; then | |
990 | error "The VPN IPsec connection ${connection} already exists" | |
991 | return ${EXIT_ERROR} | |
992 | fi | |
993 | ||
994 | # Check if the name of the connection is valid | |
995 | if ipsec_connection_check_name "${connection}"; then | |
996 | error "'${connection}' contains illegal characters" | |
997 | return ${EXIT_ERROR} | |
998 | fi | |
999 | ||
1000 | log DEBUG "Creating VPN IPsec connection ${connection}" | |
1001 | ||
cf8685a1 | 1002 | if ! mkdir -p "${NETWORK_IPSEC_CONNS_DIR}/${connection}"; then |
917a1aa0 JS |
1003 | log ERROR "Could not create config directory for ${connection}" |
1004 | return ${EXIT_ERROR} | |
1005 | fi | |
1006 | ||
1007 | local ${IPSEC_CONNECTION_CONFIG_SETTINGS} | |
1008 | ||
917a1aa0 | 1009 | AUTH_MODE=${IPSEC_DEFAULT_AUTH_MODE} |
bb9fccaf JS |
1010 | DPD_ACTION=${IPSEC_DEFAULT_DPD_ACTION} |
1011 | DPD_DELAY=${IPSEC_DEFAULT_DPD_DELAY} | |
1012 | DPD_TIMEOUT=${IPSEC_DEFAULT_DPD_TIMEOUT} | |
5601f4f5 | 1013 | ENABLED=${IPSEC_DEFAULT_ENABLED} |
bb9fccaf JS |
1014 | MODE=${IPSEC_DEFAULT_MODE} |
1015 | START_ACTION=${IPSEC_DEFAULT_START_ACTION} | |
1016 | ||
917a1aa0 JS |
1017 | INACTIVITY_TIMEOUT=${IPSEC_DEFAULT_INACTIVITY_TIMEOUT} |
1018 | SECURITY_POLICY=${IPSEC_DEFAULT_SECURITY_POLICY} | |
1019 | ||
1020 | if ! ipsec_connection_write_config "${connection}"; then | |
1021 | log ERROR "Could not write new config file" | |
1022 | return ${EXIT_ERROR} | |
1023 | fi | |
c3f31173 MT |
1024 | |
1025 | # Configure strongswan autostart | |
1026 | ipsec_strongswan_autostart | |
917a1aa0 JS |
1027 | } |
1028 | ||
1029 | # Function that deletes based on the passed parameters one ore more vpn security policies | |
1030 | ipsec_connection_destroy() { | |
1031 | local connection | |
1032 | for connection in $@; do | |
1033 | if ! ipsec_connection_exists "${connection}"; then | |
1034 | log ERROR "The VPN IPsec connection ${connection} does not exist." | |
1035 | continue | |
1036 | fi | |
1037 | ||
1038 | log DEBUG "Deleting VPN IPsec connection ${connection}" | |
fa33d830 MT |
1039 | |
1040 | # Delete strongswan configuration file | |
1041 | file_delete "${NETWORK_IPSEC_SWANCTL_CONNECTIONS_DIR}/${connection}.conf" | |
1042 | ||
cf8685a1 | 1043 | if ! rm -rf "${NETWORK_IPSEC_CONNS_DIR}/${connection}"; then |
917a1aa0 JS |
1044 | log ERROR "Deleting the VPN IPsec connection ${connection} was not sucessful" |
1045 | return ${EXIT_ERROR} | |
1046 | fi | |
c3f31173 | 1047 | |
fa33d830 | 1048 | done |
917a1aa0 | 1049 | } |
d6c852b8 JS |
1050 | |
1051 | # List all ipsec connections | |
1052 | ipsec_list_connections() { | |
1053 | local connection | |
1054 | for connection in ${NETWORK_IPSEC_CONNS_DIR}/*; do | |
1055 | [ -d ${connection} ] || continue | |
1056 | basename ${connection} | |
1057 | done | |
1058 | } | |
67baa452 MT |
1059 | |
1060 | ipsec_connection_to_strongswan() { | |
1061 | local connection="${1}" | |
1062 | ||
1063 | # Read the config settings | |
1064 | local ${IPSEC_CONNECTION_CONFIG_SETTINGS} | |
1065 | if ! ipsec_connection_read_config "${connection}"; then | |
1066 | error "Could not read the connection ${connection}" | |
1067 | return ${EXIT_ERROR} | |
1068 | fi | |
1069 | ||
1070 | local path="${NETWORK_IPSEC_SWANCTL_CONNECTIONS_DIR}/${connection}.conf" | |
1071 | ||
1072 | ( | |
1073 | # Write the connection section | |
1074 | _ipsec_connection_to_strongswan_connection "${connection}" | |
1075 | ||
1076 | # Write the secrets section | |
1077 | _ipsec_connection_to_strongswan_secrets "${connection}" | |
1078 | ||
1079 | ) > ${path} | |
1080 | } | |
1081 | ||
1082 | _ipsec_connection_to_strongswan_connection() { | |
1083 | local connection="${1}" | |
1084 | ||
1085 | # Read the security policy | |
1086 | local ${VPN_SECURITY_POLICIES_CONFIG_SETTINGS} | |
1087 | if ! vpn_security_policies_read_config "${SECURITY_POLICY}"; then | |
1088 | return ${EXIT_ERROR} | |
1089 | fi | |
1090 | ||
4e271faa MT |
1091 | # Is DPD enabled? |
1092 | local dpd="false" | |
1093 | if isset DPD_DELAY && isinteger DPD_DELAY && [ ${DPD_DELAY} -gt 0 ]; then | |
1094 | dpd="true" | |
1095 | fi | |
1096 | ||
b21fb175 MT |
1097 | # Write configuration header |
1098 | config_header "strongSwan configuration for ${connection}" | |
1099 | ||
67baa452 MT |
1100 | print_indent 0 "connections {" |
1101 | print_indent 1 "${connection} {" | |
1102 | ||
1103 | # IKE Version | |
1104 | print_indent 2 "# IKE Version" | |
1105 | case "${KEY_EXCHANGE^^}" in | |
1106 | IKEV1) | |
1107 | print_indent 2 "version = 1" | |
1108 | ;; | |
1109 | ||
1110 | # Fall back to IKEv2 for any random values | |
1111 | IKEV2|*) | |
1112 | print_indent 2 "version = 2" | |
1113 | ;; | |
1114 | esac | |
1115 | print # empty line | |
1116 | ||
4609d6b4 MT |
1117 | # Always only keep one connection open at a time |
1118 | print_indent 2 "# Unique IDs" | |
1119 | print_indent 2 "unique = replace" | |
1120 | ||
1121 | ||
3e8ad776 MT |
1122 | # Local Address |
1123 | print_indent 2 "# Local Address" | |
1124 | if isset LOCAL_ADDRESS; then | |
1125 | print_indent 2 "local_addrs = ${LOCAL_ADDRESS}" | |
1126 | else | |
1127 | print_indent 2 "local_addrs = %any" | |
1128 | fi | |
1129 | ||
67baa452 MT |
1130 | |
1131 | # Remote Address | |
1132 | print_indent 2 "# Remote Address" | |
1133 | if isset PEER; then | |
1134 | print_indent 2 "remote_addrs = ${PEER}" | |
1135 | else | |
1136 | print_indent 2 "remote_addrs = %any" | |
1137 | fi | |
1138 | ||
1139 | ||
1140 | # IKE Proposals | |
1141 | print_indent 2 "# IKE Proposals" | |
e3ffacf7 | 1142 | print_indent 2 "proposals = $(vpn_security_policies_make_ike_proposal ${SECURITY_POLICY})" |
67baa452 MT |
1143 | |
1144 | ||
117278c3 | 1145 | # DPD Settings |
4e271faa | 1146 | if enabled dpd; then |
117278c3 | 1147 | print_indent 2 "# Dead Peer Detection" |
117278c3 MT |
1148 | print_indent 2 "dpd_delay = ${DPD_DELAY}" |
1149 | ||
1150 | if isset DPD_TIMEOUT; then | |
1151 | print_indent 2 "dpd_timeout = ${DPD_TIMEOUT}" | |
1152 | fi | |
1153 | ||
1154 | ||
1155 | fi | |
67baa452 MT |
1156 | |
1157 | # Fragmentation | |
1158 | print_indent 2 "# Fragmentation" | |
1159 | print_indent 2 "fragmentation = yes" | |
1160 | ||
1161 | ||
1162 | # Local | |
1163 | print_indent 2 "local {" | |
1164 | ||
1165 | # Local ID | |
1166 | if isset LOCAL_ID; then | |
1167 | print_indent 3 "id = ${LOCAL_ID}" | |
1168 | fi | |
1169 | ||
1170 | # Authentication | |
1171 | case "${AUTH_MODE}" in | |
1172 | PSK) | |
1173 | print_indent 3 "auth = psk" | |
1174 | ;; | |
1175 | esac | |
1176 | ||
1177 | print_indent 2 "}" | |
1178 | ||
1179 | ||
1180 | # Remote | |
1181 | print_indent 2 "remote {" | |
1182 | ||
1183 | # Remote ID | |
1184 | if isset REMOTE_ID; then | |
1185 | print_indent 3 "id = ${REMOTE_ID}" | |
1186 | fi | |
1187 | ||
1188 | # Authentication | |
1189 | case "${AUTH_MODE}" in | |
1190 | PSK) | |
1191 | print_indent 3 "auth = psk" | |
1192 | ;; | |
1193 | esac | |
1194 | ||
1195 | print_indent 2 "}" | |
1196 | ||
1197 | ||
1198 | # Children | |
1199 | ||
1200 | print_indent 2 "children {" | |
1201 | print_indent 3 "${connection} {" | |
1202 | ||
1203 | print_indent 4 "# ESP Proposals" | |
e3d8f3f6 | 1204 | print_indent 4 "esp_proposals = $(vpn_security_policies_make_esp_proposal ${SECURITY_POLICY})" |
67baa452 MT |
1205 | |
1206 | ||
1207 | # Traffic Selectors | |
1208 | ||
95835d23 MT |
1209 | case "${MODE}" in |
1210 | gre-*) | |
1211 | print_indent 4 "local_ts = dynamic[gre]" | |
1212 | print_indent 4 "remote_ts = dynamic[gre]" | |
1213 | ;; | |
1214 | *) | |
1215 | # Local Prefixes | |
1216 | if isset LOCAL_PREFIX; then | |
1217 | print_indent 4 "local_ts = $(list_join LOCAL_PREFIX ,)" | |
1218 | else | |
1219 | print_indent 4 "local_ts = dynamic" | |
1220 | fi | |
67baa452 | 1221 | |
95835d23 MT |
1222 | # Remote Prefixes |
1223 | if isset REMOTE_PREFIX; then | |
1224 | print_indent 4 "remote_ts = $(list_join REMOTE_PREFIX ,)" | |
1225 | else | |
1226 | print_indent 4 "remote_ts = dynamic" | |
1227 | fi | |
1228 | ;; | |
1229 | esac | |
67baa452 MT |
1230 | |
1231 | ||
82fac748 MT |
1232 | # Netfilter Marks |
1233 | print_indent 4 "# Netfilter Marks" | |
1234 | print_indent 4 "mark_in = %unique" | |
1235 | print_indent 4 "mark_out = %unique" | |
1236 | ||
1237 | ||
4e271faa MT |
1238 | # Dead Peer Detection |
1239 | if enabled dpd; then | |
1240 | print_indent 4 "# Dead Peer Detection" | |
1241 | print_indent 4 "dpd_action = ${DPD_ACTION}" | |
1242 | ||
1243 | fi | |
1244 | ||
67baa452 MT |
1245 | # Rekeying |
1246 | if isset LIFETIME; then | |
1247 | print_indent 4 "# Rekey Time" | |
1248 | print_indent 4 "rekey_time = ${LIFETIME}" | |
1249 | ||
1250 | fi | |
1251 | ||
1252 | # Updown Script | |
1253 | print_indent 4 "updown = ${NETWORK_HELPERS_DIR}/ipsec-updown" | |
1254 | ||
1255 | ||
1256 | # Mode | |
1257 | print_indent 4 "# Mode" | |
1258 | case "${MODE}" in | |
1259 | gre-transport) | |
1260 | print_indent 4 "mode = transport" | |
1261 | ;; | |
1262 | tunnel|vti|*) | |
1263 | print_indent 4 "mode = tunnel" | |
1264 | ;; | |
1265 | esac | |
1266 | ||
1267 | ||
1268 | # Compression | |
1269 | print_indent 4 "# Compression" | |
1270 | if enabled COMPRESSION; then | |
1271 | print_indent 4 "ipcomp = yes" | |
1272 | else | |
1273 | print_indent 4 "ipcomp = no" | |
1274 | fi | |
1275 | ||
1276 | ||
1277 | # Inactivity Timeout | |
1278 | if isset INACTIVITY_TIMEOUT; then | |
1279 | print_indent 4 "# Inactivity Timeout" | |
1280 | print_indent 4 "inactivity = ${INACTIVITY_TIMEOUT}" | |
1281 | ||
1282 | fi | |
1283 | ||
37317b3e MT |
1284 | # Start Action |
1285 | print_indent 4 "# Start Action" | |
1286 | case "${START_ACTION}" in | |
1287 | on-demand) | |
1288 | print_indent 4 "start_action = trap" | |
1289 | print_indent 4 "close_action = trap" | |
1290 | ;; | |
1291 | wait) | |
1292 | print_indent 4 "start_action = none" | |
1293 | print_indent 4 "close_action = none" | |
1294 | ;; | |
1295 | always-on|*) | |
1296 | print_indent 4 "start_action = start" | |
1297 | print_indent 4 "close_action = start" | |
1298 | ;; | |
1299 | esac | |
1300 | ||
67baa452 MT |
1301 | |
1302 | print_indent 3 "}" | |
1303 | print_indent 2 "}" | |
1304 | ||
1305 | ||
1306 | print_indent 1 "}" | |
1307 | print_indent 0 "}" | |
1308 | ||
1309 | } | |
1310 | ||
1311 | _ipsec_connection_to_strongswan_secrets() { | |
1312 | local connection="${1}" | |
1313 | ||
1314 | print_indent 0 "secrets {" | |
1315 | ||
1316 | case "${AUTH_MODE}" in | |
1317 | PSK) | |
1318 | print_indent 1 "ike {" | |
1319 | ||
1320 | # Secret | |
1321 | print_indent 2 "secret = ${PSK}" | |
1322 | ||
1323 | # ID | |
1324 | if isset REMOTE_ID; then | |
1325 | print_indent 2 "id = ${REMOTE_ID}" | |
1326 | fi | |
1327 | ||
1328 | print_indent 1 "}" | |
1329 | ;; | |
1330 | esac | |
1331 | ||
1332 | print_indent 0 "}" | |
1333 | } |