[people/stevee/network.git] / src / helpers / ipsec-updown

#!/bin/bash
###############################################################################
#                                                                             #
# IPFire.org - A linux based firewall                                         #
# Copyright (C) 2017  IPFire Network Development Team                         #
#                                                                             #
# This program is free software: you can redistribute it and/or modify        #
# it under the terms of the GNU General Public License as published by        #
# the Free Software Foundation, either version 3 of the License, or           #
# (at your option) any later version.                                         #
#                                                                             #
# This program is distributed in the hope that it will be useful,             #
# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
# GNU General Public License for more details.                                #
#                                                                             #
# You should have received a copy of the GNU General Public License           #
# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
#                                                                             #
###############################################################################

LOG_DISABLE_STDOUT="true"

. /usr/lib/network/functions

# Read network settings
network_settings_read

# Make sure we are called by strongSwan
assert isset PLUTO_VERSION

CONNECTION="${PLUTO_CONNECTION}"

# Interface name for this IPsec connection
INTERFACE="ipsec-${CONNECTION}"

if ! ipsec_connection_read_config "${CONNECTION}"; then
	log ERROR "Could not read configuration for ${CONNECTION}"
	exit ${EXIT_ERROR}
fi

log DEBUG "${0} called for ${CONNECTION}: ${PLUTO_VERB}"

case "${PLUTO_VERB}" in
	up-client|up-client-v6|up-host|up-host-v6)
		case "${MODE}" in
			gre-*)
				if ! device_exists "${INTERFACE}"; then
					ip_tunnel_add "${INTERFACE}" \
						--mode="gre" \
						--local-address="${TUNNEL_ADDRESS}" \
						--remote-address="${TUNNEL_PEER}"

					device_set_up "${INTERFACE}"
				fi
				;;
			vti)
				if device_exists "${INTERFACE}"; then
					ip_tunnel_change_keys "${INTERFACE}" \
						--ikey="${PLUTO_MARK_IN%/*}" \
						--okey="${PLUTO_MARK_OUT%/*}"

				else
					if ! ip_tunnel_add "${INTERFACE}" \
						--mode="vti" \
						--local-address="${PLUTO_ME}" \
						--remote-address="${PLUTO_PEER}" \
						--ikey="${PLUTO_MARK_IN%/*}" \
						--okey="${PLUTO_MARK_OUT%/*}"; then
						log ERROR "Could not create VTI device for ${CONNECTION}"
					fi
				fi

				device_set_up "${INTERFACE}"
				;;
		esac
		;;

	down-client|down-client-v6|down-host|down-host-v6)
		case "${MODE}" in
			vti)
				if device_exists "${INTERFACE}"; then
					device_set_down "${INTERFACE}"

					ip_tunnel_del "${INTERFACE}"
				fi
				;;
		esac
		;;
esac

exit ${EXIT_OK}
Commit	Line	Data
67baa452 MT	1	#!/bin/bash
	2	###############################################################################
	3	# #
	4	# IPFire.org - A linux based firewall #
	5	# Copyright (C) 2017 IPFire Network Development Team #
	6	# #
	7	# This program is free software: you can redistribute it and/or modify #
	8	# it under the terms of the GNU General Public License as published by #
	9	# the Free Software Foundation, either version 3 of the License, or #
	10	# (at your option) any later version. #
	11	# #
	12	# This program is distributed in the hope that it will be useful, #
	13	# but WITHOUT ANY WARRANTY; without even the implied warranty of #
	14	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
	15	# GNU General Public License for more details. #
	16	# #
	17	# You should have received a copy of the GNU General Public License #
	18	# along with this program. If not, see <http://www.gnu.org/licenses/>. #
	19	# #
	20	###############################################################################
	21
	22	LOG_DISABLE_STDOUT="true"
	23
	24	. /usr/lib/network/functions
	25
	26	# Read network settings
	27	network_settings_read
	28
	29	# Make sure we are called by strongSwan
	30	assert isset PLUTO_VERSION
	31
	32	CONNECTION="${PLUTO_CONNECTION}"
	33
82fac748 MT	34	# Interface name for this IPsec connection
	35	INTERFACE="ipsec-${CONNECTION}"
	36
67baa452 MT	37	if ! ipsec_connection_read_config "${CONNECTION}"; then
	38	log ERROR "Could not read configuration for ${CONNECTION}"
	39	exit ${EXIT_ERROR}
	40	fi
	41
	42	log DEBUG "${0} called for ${CONNECTION}: ${PLUTO_VERB}"
	43
	44	case "${PLUTO_VERB}" in
7bb41ec4	45	up-client\|up-client-v6\|up-host\|up-host-v6)
82fac748	46	case "${MODE}" in
95835d23 MT	47	gre-*)
	48	if ! device_exists "${INTERFACE}"; then
	49	ip_tunnel_add "${INTERFACE}" \
	50	--mode="gre" \
	51	--local-address="${TUNNEL_ADDRESS}" \
	52	--remote-address="${TUNNEL_PEER}"
	53
	54	device_set_up "${INTERFACE}"
	55	fi
	56	;;
82fac748 MT	57	vti)
	58	if device_exists "${INTERFACE}"; then
	59	ip_tunnel_change_keys "${INTERFACE}" \
	60	--ikey="${PLUTO_MARK_IN%/*}" \
	61	--okey="${PLUTO_MARK_OUT%/*}"
	62
	63	else
	64	if ! ip_tunnel_add "${INTERFACE}" \
	65	--mode="vti" \
	66	--local-address="${PLUTO_ME}" \
	67	--remote-address="${PLUTO_PEER}" \
	68	--ikey="${PLUTO_MARK_IN%/*}" \
	69	--okey="${PLUTO_MARK_OUT%/*}"; then
	70	log ERROR "Could not create VTI device for ${CONNECTION}"
	71	fi
	72	fi
	73
	74	device_set_up "${INTERFACE}"
	75	;;
	76	esac
67baa452 MT	77	;;
67baa452 MT	78
7bb41ec4	79	down-client\|down-client-v6\|down-host\|down-host-v6)
82fac748 MT	80	case "${MODE}" in
	81	vti)
	82	if device_exists "${INTERFACE}"; then
	83	device_set_down "${INTERFACE}"
	84
	85	ip_tunnel_del "${INTERFACE}"
	86	fi
	87	;;
	88	esac
67baa452 MT	89	;;
	90	esac
	91
	92	exit ${EXIT_OK}