etc/host.conf
etc/inittab
etc/inputrc
-#etc/ipsec.user.conf
-#etc/ipsec.user.secrets
+etc/ipsec.user.conf
+etc/ipsec.user.secrets
etc/issue
etc/ld.so.conf
etc/localtime
usr/local/bin/settime
usr/local/bin/timecheck
#usr/local/bin/uname
-usr/local/bin/vpn-watch
#usr/local/include
#usr/local/lib
#usr/local/sbin
#usr/lib/ipsec
#usr/lib/ipsec/libcharon.a
#usr/lib/ipsec/libcharon.la
-usr/lib/ipsec/libcharon.so
+#usr/lib/ipsec/libcharon.so
usr/lib/ipsec/libcharon.so.0
usr/lib/ipsec/libcharon.so.0.0.0
#usr/lib/ipsec/libhydra.a
#usr/lib/ipsec/libhydra.la
-usr/lib/ipsec/libhydra.so
+#usr/lib/ipsec/libhydra.so
usr/lib/ipsec/libhydra.so.0
usr/lib/ipsec/libhydra.so.0.0.0
#usr/lib/ipsec/libstrongswan.a
#usr/lib/ipsec/libstrongswan.la
-usr/lib/ipsec/libstrongswan.so
+#usr/lib/ipsec/libstrongswan.so
usr/lib/ipsec/libstrongswan.so.0
usr/lib/ipsec/libstrongswan.so.0.0.0
#usr/lib/ipsec/plugins
-#usr/lib/ipsec/plugins/libstrongswan-aes.a
-#usr/lib/ipsec/plugins/libstrongswan-aes.la
usr/lib/ipsec/plugins/libstrongswan-aes.so
-#usr/lib/ipsec/plugins/libstrongswan-attr.a
-#usr/lib/ipsec/plugins/libstrongswan-attr.la
usr/lib/ipsec/plugins/libstrongswan-attr.so
-#usr/lib/ipsec/plugins/libstrongswan-cmac.a
-#usr/lib/ipsec/plugins/libstrongswan-cmac.la
usr/lib/ipsec/plugins/libstrongswan-cmac.so
-#usr/lib/ipsec/plugins/libstrongswan-constraints.a
-#usr/lib/ipsec/plugins/libstrongswan-constraints.la
usr/lib/ipsec/plugins/libstrongswan-constraints.so
-#usr/lib/ipsec/plugins/libstrongswan-curl.a
-#usr/lib/ipsec/plugins/libstrongswan-curl.la
usr/lib/ipsec/plugins/libstrongswan-curl.so
-#usr/lib/ipsec/plugins/libstrongswan-des.a
-#usr/lib/ipsec/plugins/libstrongswan-des.la
usr/lib/ipsec/plugins/libstrongswan-des.so
-#usr/lib/ipsec/plugins/libstrongswan-dnskey.a
-#usr/lib/ipsec/plugins/libstrongswan-dnskey.la
usr/lib/ipsec/plugins/libstrongswan-dnskey.so
-#usr/lib/ipsec/plugins/libstrongswan-fips-prf.a
-#usr/lib/ipsec/plugins/libstrongswan-fips-prf.la
usr/lib/ipsec/plugins/libstrongswan-fips-prf.so
-#usr/lib/ipsec/plugins/libstrongswan-gmp.a
-#usr/lib/ipsec/plugins/libstrongswan-gmp.la
usr/lib/ipsec/plugins/libstrongswan-gmp.so
-#usr/lib/ipsec/plugins/libstrongswan-hmac.a
-#usr/lib/ipsec/plugins/libstrongswan-hmac.la
usr/lib/ipsec/plugins/libstrongswan-hmac.so
-#usr/lib/ipsec/plugins/libstrongswan-kernel-netlink.a
-#usr/lib/ipsec/plugins/libstrongswan-kernel-netlink.la
usr/lib/ipsec/plugins/libstrongswan-kernel-netlink.so
-#usr/lib/ipsec/plugins/libstrongswan-md5.a
-#usr/lib/ipsec/plugins/libstrongswan-md5.la
usr/lib/ipsec/plugins/libstrongswan-md5.so
-#usr/lib/ipsec/plugins/libstrongswan-pem.a
-#usr/lib/ipsec/plugins/libstrongswan-pem.la
+usr/lib/ipsec/plugins/libstrongswan-nonce.so
+usr/lib/ipsec/plugins/libstrongswan-openssl.so
+usr/lib/ipsec/plugins/libstrongswan-padlock.so
usr/lib/ipsec/plugins/libstrongswan-pem.so
-#usr/lib/ipsec/plugins/libstrongswan-pgp.a
-#usr/lib/ipsec/plugins/libstrongswan-pgp.la
usr/lib/ipsec/plugins/libstrongswan-pgp.so
-#usr/lib/ipsec/plugins/libstrongswan-pkcs1.a
-#usr/lib/ipsec/plugins/libstrongswan-pkcs1.la
usr/lib/ipsec/plugins/libstrongswan-pkcs1.so
-#usr/lib/ipsec/plugins/libstrongswan-pkcs8.a
-#usr/lib/ipsec/plugins/libstrongswan-pkcs8.la
usr/lib/ipsec/plugins/libstrongswan-pkcs8.so
-#usr/lib/ipsec/plugins/libstrongswan-pubkey.a
-#usr/lib/ipsec/plugins/libstrongswan-pubkey.la
usr/lib/ipsec/plugins/libstrongswan-pubkey.so
-#usr/lib/ipsec/plugins/libstrongswan-random.a
-#usr/lib/ipsec/plugins/libstrongswan-random.la
usr/lib/ipsec/plugins/libstrongswan-random.so
-#usr/lib/ipsec/plugins/libstrongswan-resolve.a
-#usr/lib/ipsec/plugins/libstrongswan-resolve.la
usr/lib/ipsec/plugins/libstrongswan-resolve.so
-#usr/lib/ipsec/plugins/libstrongswan-revocation.a
-#usr/lib/ipsec/plugins/libstrongswan-revocation.la
usr/lib/ipsec/plugins/libstrongswan-revocation.so
-#usr/lib/ipsec/plugins/libstrongswan-sha1.a
-#usr/lib/ipsec/plugins/libstrongswan-sha1.la
usr/lib/ipsec/plugins/libstrongswan-sha1.so
-#usr/lib/ipsec/plugins/libstrongswan-sha2.a
-#usr/lib/ipsec/plugins/libstrongswan-sha2.la
usr/lib/ipsec/plugins/libstrongswan-sha2.so
-#usr/lib/ipsec/plugins/libstrongswan-socket-raw.a
-#usr/lib/ipsec/plugins/libstrongswan-socket-raw.la
-usr/lib/ipsec/plugins/libstrongswan-socket-raw.so
-#usr/lib/ipsec/plugins/libstrongswan-stroke.a
-#usr/lib/ipsec/plugins/libstrongswan-stroke.la
+usr/lib/ipsec/plugins/libstrongswan-socket-default.so
usr/lib/ipsec/plugins/libstrongswan-stroke.so
-#usr/lib/ipsec/plugins/libstrongswan-updown.a
-#usr/lib/ipsec/plugins/libstrongswan-updown.la
usr/lib/ipsec/plugins/libstrongswan-updown.so
-#usr/lib/ipsec/plugins/libstrongswan-x509.a
-#usr/lib/ipsec/plugins/libstrongswan-x509.la
usr/lib/ipsec/plugins/libstrongswan-x509.so
-#usr/lib/ipsec/plugins/libstrongswan-xauth.a
-#usr/lib/ipsec/plugins/libstrongswan-xauth.la
-usr/lib/ipsec/plugins/libstrongswan-xauth.so
-#usr/lib/ipsec/plugins/libstrongswan-xcbc.a
-#usr/lib/ipsec/plugins/libstrongswan-xcbc.la
+usr/lib/ipsec/plugins/libstrongswan-xauth-generic.so
usr/lib/ipsec/plugins/libstrongswan-xcbc.so
#usr/libexec/ipsec
usr/libexec/ipsec/_copyright
-usr/libexec/ipsec/_pluto_adns
usr/libexec/ipsec/_updown
usr/libexec/ipsec/_updown_espmark
usr/libexec/ipsec/charon
usr/libexec/ipsec/openac
usr/libexec/ipsec/pki
-usr/libexec/ipsec/pluto
usr/libexec/ipsec/scepclient
usr/libexec/ipsec/starter
usr/libexec/ipsec/stroke
-usr/libexec/ipsec/whack
usr/sbin/ipsec
-#usr/share/man/man3/anyaddr.3
-#usr/share/man/man3/atoaddr.3
-#usr/share/man/man3/atoasr.3
-#usr/share/man/man3/atoul.3
-#usr/share/man/man3/goodmask.3
-#usr/share/man/man3/initaddr.3
-#usr/share/man/man3/initsubnet.3
-#usr/share/man/man3/portof.3
-#usr/share/man/man3/rangetosubnet.3
-#usr/share/man/man3/sameaddr.3
-#usr/share/man/man3/subnetof.3
-#usr/share/man/man3/ttoaddr.3
-#usr/share/man/man3/ttodata.3
-#usr/share/man/man3/ttosa.3
-#usr/share/man/man3/ttoul.3
#usr/share/man/man5/ipsec.conf.5
#usr/share/man/man5/ipsec.secrets.5
#usr/share/man/man5/strongswan.conf.5
#usr/share/man/man8/_updown_espmark.8
#usr/share/man/man8/ipsec.8
#usr/share/man/man8/openac.8
-#usr/share/man/man8/pluto.8
#usr/share/man/man8/scepclient.8
-etc/ipsec.user.conf
-etc/ipsec.user.secrets
--- /dev/null
+srv/web/ipfire/html/proxy.pac
+etc/udev/rules.d/30-persistent-network.rules
+etc/ipsec.conf
+etc/ipsec.secrets
+etc/ipsec.user.conf
+etc/ipsec.user.secrets
+var/updatecache
+etc/localtime
+var/ipfire/ovpn
+etc/ssh/ssh_config
+etc/ssh/sshd_config
+etc/ssl/openssl.cnf
--- /dev/null
+etc/system-release
+etc/issue
+etc/rc.d/init.d/tmpfs
+srv/web/ipfire/cgi-bin/services.cgi
+srv/web/ipfire/cgi-bin/vpnmain.cgi
+usr/local/bin/ipsecctrl
--- /dev/null
+../../../common/strongswan
\ No newline at end of file
--- /dev/null
+#!/bin/bash
+############################################################################
+# #
+# This file is part of the IPFire Firewall. #
+# #
+# IPFire is free software; you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation; either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# IPFire is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with IPFire; if not, write to the Free Software #
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA #
+# #
+# Copyright (C) 2012 IPFire-Team <info@ipfire.org>. #
+# #
+############################################################################
+#
+. /opt/pakfire/lib/functions.sh
+/usr/local/bin/backupctrl exclude >/dev/null 2>&1
+
+#
+# Remove old core updates from pakfire cache to save space...
+core=61
+for (( i=1; i<=$core; i++ ))
+do
+ rm -f /var/cache/pakfire/core-upgrade-*-$i.ipfire
+done
+
+#
+#Stop services
+ipsecctrl D
+
+#
+#Extract files
+extract_files
+
+# Remove old pluto binaries.
+rm -f /usr/libexec/ipsec/{pluto,_pluto_adns,whack}
+rm -f /usr/local/bin/vpn-watch
+
+#
+#Start services
+
+# Call the CGI script to regenerate the configuration files.
+/srv/web/ipfire/cgi-bin/vpnmain.cgi
+ipsecctrl S
+
+#
+#Update Language cache
+perl -e "require '/var/ipfire/lang.pl'; &Lang::BuildCacheLang"
+
+#Rebuild module dep's
+#arch=`uname -m`
+#if [ ${arch::3} == "arm" ]; then
+# depmod -a 2.6.32.45-ipfire-versatile >/dev/null 2>&1
+# depmod -a 2.6.32.45-ipfire-kirkwood >/dev/null 2>&1
+#else
+# depmod -a 2.6.32.45-ipfire >/dev/null 2>&1
+# depmod -a 2.6.32.45-ipfire-pae >/dev/null 2>&1
+# depmod -a 2.6.32.45-ipfire-xen >/dev/null 2>&1
+#fi
+
+
+#Rebuild initrd's because some compat-wireless modules are inside
+#/sbin/dracut --force --verbose /boot/ipfirerd-2.6.32.45.img 2.6.32.45-ipfire
+#if [ -e /boot/ipfirerd-2.6.32.45-pae.img ]; then
+#/sbin/dracut --force --verbose /boot/ipfirerd-2.6.32.45-pae.img 2.6.32.45-ipfire-pae
+#fi
+#if [ -e /boot/ipfirerd-2.6.32.45-xen.img ]; then
+#/sbin/dracut --force --verbose /boot/ipfirerd-2.6.32.45-xen.img 2.6.32.45-ipfire-xen
+#fi
+
+sync
+
+# This update need a reboot...
+#touch /var/run/need_reboot
+
+#
+#Finish
+/etc/init.d/fireinfo start
+sendprofile
+#Don't report the exitcode last command
+exit 0
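Review bot: The call to `/srv/web/ipfire/cgi-bin/vpnmain.cgi` under "Start services" only regenerates the IPsec files when the CGI sees an empty REMOTE_ADDR; if this update is launched from the web interface, that variable may be inherited from the web server's environment, in which case the CGI would render a page instead of rewriting the configuration and `ipsecctrl S` would start charon on a stale ipsec.conf. Clearing the variable explicitly makes the hook independent of how pakfire was started: `env -u REMOTE_ADDR /srv/web/ipfire/cgi-bin/vpnmain.cgi >/dev/null`. Checking the CGI's exit status before `ipsecctrl S` would also surface a failed regeneration rather than silently starting the daemon.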
$Lang::tr{'kernel logging server'} => 'klogd',
$Lang::tr{'ntp server'} => 'ntpd',
$Lang::tr{'secure shell server'} => 'sshd',
- $Lang::tr{'vpn'} => 'pluto',
+ $Lang::tr{'vpn'} => 'charon',
$Lang::tr{'web proxy'} => 'squid',
'OpenVPN' => 'openvpn'
);
$cgiparams{'EDIT_ADVANCED'} = 'off';
$cgiparams{'ACTION'} = '';
$cgiparams{'CA_NAME'} = '';
-$cgiparams{'DBG_CRYPT'} = '';
-$cgiparams{'DBG_PARSING'} = '';
-$cgiparams{'DBG_EMITTING'} = '';
-$cgiparams{'DBG_CONTROL'} = '';
-$cgiparams{'DBG_KLIPS'} = '';
-$cgiparams{'DBG_DNS'} = '';
-$cgiparams{'DBG_NAT_T'} = '';
$cgiparams{'KEY'} = '';
$cgiparams{'TYPE'} = '';
$cgiparams{'ADVANCED'} = '';
-$cgiparams{'INTERFACE'} = '';
$cgiparams{'NAME'} = '';
$cgiparams{'LOCAL_SUBNET'} = '';
$cgiparams{'REMOTE_SUBNET'} = '';
flock CONF, 2;
flock SECRETS, 2;
print CONF "version 2\n\n";
- print CONF "config setup\n";
- #create an ipsec Interface for each 'enabled' ones
- #loop trought configuration and add physical interfaces to the list
- my $interfaces = "\tinterfaces=\"";
- foreach my $key (keys %lconfighash) {
- next if ($lconfighash{$key}[0] ne 'on');
- $interfaces .= "%defaultroute " if ($interfaces !~ /defaultroute/ && $lconfighash{$key}[26] eq 'RED');
- $interfaces .= "$netsettings{'GREEN_DEV'} " if ($interfaces !~ /ipsec1/ && $lconfighash{$key}[26] eq 'GREEN');
- $interfaces .= "$netsettings{'BLUE_DEV'} " if ($interfaces !~ /ipsec2/ && $lconfighash{$key}[26] eq 'BLUE');
- $interfaces .= "$netsettings{'ORANGE_DEV'} " if ($interfaces !~ /ipsec3/ && $lconfighash{$key}[26] eq 'ORANGE');
- }
- print CONF $interfaces . "\"\n";
-
- my $plutodebug = ''; # build debug list
- map ($plutodebug .= $lvpnsettings{$_} eq 'on' ? lc (substr($_,4)).' ' : '',
- ('DBG_CRYPT','DBG_PARSING','DBG_EMITTING','DBG_CONTROL',
- 'DBG_DNS'));
- $plutodebug = 'none' if $plutodebug eq ''; # if nothing selected, use 'none'.
- #print CONF "\tklipsdebug=\"none\"\n";
- print CONF "\tplutodebug=\"$plutodebug\"\n";
- # deprecated in ipsec.conf version 2
- #print CONF "\tplutoload=%search\n";
- #print CONF "\tplutostart=%search\n";
- print CONF "\tuniqueids=yes\n";
- print CONF "\tnat_traversal=yes\n";
- print CONF "\toverridemtu=$lvpnsettings{'VPN_OVERRIDE_MTU'}\n" if ($lvpnsettings{'VPN_OVERRIDE_MTU'} ne '');
- print CONF "\tvirtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16";
- print CONF ",%v4:!$green_cidr";
- if (length($netsettings{'ORANGE_DEV'}) > 2) {
- print CONF ",%v4:!$orange_cidr";
- }
- if (length($netsettings{'BLUE_DEV'}) > 2) {
- print CONF ",%v4:!$blue_cidr";
- }
- foreach my $key (keys %lconfighash) {
- if ($lconfighash{$key}[3] eq 'net') {
- print CONF ",%v4:!$lconfighash{$key}[11]";
- }
- }
- print CONF "\n\n";
print CONF "conn %default\n";
- print CONF "\tkeyingtries=0\n";
- #strongswan doesn't know this
- #print CONF "\tdisablearrivalcheck=no\n";
+ print CONF "\tkeyingtries=%forever\n";
print CONF "\n";
# Add user includes to config file
print CONF "conn $lconfighash{$key}[1]\n";
print CONF "\tleft=$localside\n";
- print CONF "\tleftnexthop=%defaultroute\n" if ($lconfighash{$key}[26] eq 'RED' && $lvpnsettings{'VPN_IP'} ne '%defaultroute');
my $cidr_net=&General::ipcidr($lconfighash{$key}[8]);
print CONF "\tleftsubnet=$cidr_net\n";
print CONF "\tleftfirewall=yes\n";
if ($lconfighash{$key}[3] eq 'net') {
my $cidr_net=&General::ipcidr($lconfighash{$key}[11]);
print CONF "\trightsubnet=$cidr_net\n";
- print CONF "\trightnexthop=%defaultroute\n";
} elsif ($lconfighash{$key}[10] eq '%any' && $lconfighash{$key}[14] eq 'on') { #vhost allowed for roadwarriors?
print CONF "\trightsubnet=vhost:%no,%priv\n";
}
print CONF "\tleftid=\"$lconfighash{$key}[7]\"\n" if ($lconfighash{$key}[7]);
print CONF "\trightid=\"$lconfighash{$key}[9]\"\n" if ($lconfighash{$key}[9]);
+ # Is PFS enabled?
+ my $pfs = $lconfighash{$key}[28] eq 'on' ? 'on' : 'off';
+
# Algorithms
if ($lconfighash{$key}[18] && $lconfighash{$key}[19] && $lconfighash{$key}[20]) {
print CONF "\tike=";
print CONF "\tesp=";
my @encs = split('\|', $lconfighash{$key}[21]);
my @ints = split('\|', $lconfighash{$key}[22]);
+ my @groups = split('\|', $lconfighash{$key}[20]);
my $comma = 0;
foreach my $i (@encs) {
foreach my $j (@ints) {
- if ($comma != 0) { print CONF ","; } else { $comma = 1; }
- print CONF "$i-$j";
+ my $modp = "";
+ if ($pfs eq "on") {
+ foreach my $k (@groups) {
+ if ($comma != 0) { print CONF ","; } else { $comma = 1; }
+ if ($pfs eq "on") {
+ $modp = "-modp$k";
+ } else {
+ $modp = "";
+ }
+ print CONF "$i-$j$modp";
+ }
+ } else {
+ if ($comma != 0) { print CONF ","; } else { $comma = 1; }
+ print CONF "$i-$j";
+ }
}
}
if ($lconfighash{$key}[24] eq 'on') { #only proposed algorythms?
print CONF "\n";
}
}
- if ($lconfighash{$key}[23]) {
- print CONF "\tpfsgroup=$lconfighash{$key}[23]\n";
- }
# IKE V1 or V2
if (! $lconfighash{$key}[29]) {
print CONF "\tdpdtimeout=120\n";
print CONF "\tdpdaction=$lconfighash{$key}[27]\n";
- # Disable pfs ?
- print CONF "\tpfs=". ($lconfighash{$key}[28] eq 'on' ? "yes\n" : "no\n");
-
# Build Authentication details: LEFTid RIGHTid : PSK psk
my $psk_line;
if ($lconfighash{$key}[4] eq 'psk') {
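Review bot: In the new `esp=` proposal loop the inner `if ($pfs eq "on") { $modp = "-modp$k"; } else { $modp = ""; }` is dead code: it sits inside the `if ($pfs eq "on")` branch, so the else arm can never run and the five lines collapse to `$modp = "-modp$k";`. The PFS groups are now read from `$lconfighash{$key}[20]` (the IKE DH group list) while `[23]`, the former `pfsgroup`, is no longer consulted although the settings code still stores it as ESP_GROUPTYPE; if that is intended, a comment such as `# PFS reuses the IKE DH groups; ESP_GROUPTYPE ([23]) is no longer emitted` would stop the next reader from reintroducing it. The enclosing `if` over fields `[18]`/`[19]`/`[20]` opens before this hunk.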
close(SECRETS);
}
+# Hook to regenerate the configuration files.
+if ($ENV{"REMOTE_ADDR"} eq "") {
+ writeipsecfiles;
+ exit(0);
+}
+
###
### Save main settings
###
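Review bot: `if ($ENV{"REMOTE_ADDR"} eq "")` in the new regenerate hook compares an undefined value when the script is run from the command line, which is exactly the case it is meant to detect, and will emit an "uninitialized value" warning on every update run if the script runs under `use warnings`; `if (!defined $ENV{'REMOTE_ADDR'} || $ENV{'REMOTE_ADDR'} eq '')` handles both shapes. Since this branch rewrites ipsec.conf and ipsec.secrets and exits before any form handling below, a one-line comment stating that it is only reachable for non-HTTP invocations (the CGI interface always sets REMOTE_ADDR for web requests) would make the intent clear to the next reader.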
goto SAVE_ERROR;
}
- unless ($cgiparams{'VPN_OVERRIDE_MTU'} =~ /^(|[0-9]{1,5})$/ ) { #allow 0-99999
- $errormessage = $Lang::tr{'vpn mtu invalid'};
- goto SAVE_ERROR;
- }
-
- unless ($cgiparams{'VPN_WATCH'} =~ /^(|off|on)$/ ) {
- $errormessage = $Lang::tr{'invalid input'};
- goto SAVE_ERROR;
- }
-
if ( $cgiparams{'RW_NET'} ne '' and !&General::validipandmask($cgiparams{'RW_NET'}) ) {
$errormessage = $Lang::tr{'urlfilter invalid ip or mask error'};
goto SAVE_ERROR;
}
- map ($vpnsettings{$_} = $cgiparams{$_},
- ('ENABLED','DBG_CRYPT','DBG_PARSING','DBG_EMITTING','DBG_CONTROL',
- 'DBG_DNS'));
-
$vpnsettings{'VPN_IP'} = $cgiparams{'VPN_IP'};
$vpnsettings{'VPN_DELAYED_START'} = $cgiparams{'VPN_DELAYED_START'};
- $vpnsettings{'VPN_OVERRIDE_MTU'} = $cgiparams{'VPN_OVERRIDE_MTU'};
- $vpnsettings{'VPN_WATCH'} = $cgiparams{'VPN_WATCH'};
$vpnsettings{'RW_NET'} = $cgiparams{'RW_NET'};
&General::writehash("${General::swroot}/vpn/settings", \%vpnsettings);
&writeipsecfiles();
$cgiparams{'REMOTE'} = $confighash{$cgiparams{'KEY'}}[10];
$cgiparams{'REMOTE_SUBNET'} = $confighash{$cgiparams{'KEY'}}[11];
$cgiparams{'REMARK'} = $confighash{$cgiparams{'KEY'}}[25];
- $cgiparams{'INTERFACE'} = $confighash{$cgiparams{'KEY'}}[26];
$cgiparams{'DPD_ACTION'} = $confighash{$cgiparams{'KEY'}}[27];
$cgiparams{'IKE_VERSION'} = $confighash{$cgiparams{'KEY'}}[29];
$cgiparams{'IKE_ENCRYPTION'} = $confighash{$cgiparams{'KEY'}}[18];
$confighash{$key}[9] = $cgiparams{'REMOTE_ID'};
$confighash{$key}[10] = $cgiparams{'REMOTE'};
$confighash{$key}[25] = $cgiparams{'REMARK'};
- $confighash{$key}[26] = $cgiparams{'INTERFACE'};
+ $confighash{$key}[26] = ""; # Formerly INTERFACE
$confighash{$key}[27] = $cgiparams{'DPD_ACTION'};
$confighash{$key}[29] = $cgiparams{'IKE_VERSION'};
$cgiparams{'DPD_ACTION'} = 'restart';
}
- # Default IKE Version to V1
- if (! $cgiparams{'IKE_VERSION'}) {
- $cgiparams{'IKE_VERSION'} = 'ikev1';
+ # Default IKE Version to v2
+ if (!$cgiparams{'IKE_VERSION'}) {
+ $cgiparams{'IKE_VERSION'} = 'ikev2';
}
- # Default is yes for 'pfs'
- $cgiparams{'PFS'} = 'on';
-
# ID are empty
$cgiparams{'LOCAL_ID'} = '';
$cgiparams{'REMOTE_ID'} = '';
#use default advanced value
- $cgiparams{'IKE_ENCRYPTION'} = 'aes128|3des'; #[18];
+ $cgiparams{'IKE_ENCRYPTION'} = 'aes256|aes128|3des'; #[18];
$cgiparams{'IKE_INTEGRITY'} = 'sha|md5'; #[19];
- $cgiparams{'IKE_GROUPTYPE'} = '1536|1024'; #[20];
+ $cgiparams{'IKE_GROUPTYPE'} = '2048'; #[20];
$cgiparams{'IKE_LIFETIME'} = '1'; #[16];
- $cgiparams{'ESP_ENCRYPTION'} = 'aes128|3des'; #[21];
+ $cgiparams{'ESP_ENCRYPTION'} = 'aes256|aes128|3des'; #[21];
$cgiparams{'ESP_INTEGRITY'} = 'sha1|md5'; #[22];
$cgiparams{'ESP_GROUPTYPE'} = ''; #[23];
$cgiparams{'ESP_KEYLIFE'} = '8'; #[17];
- $cgiparams{'COMPRESSION'} = 'off'; #[13];
+ $cgiparams{'COMPRESSION'} = 'on'; #[13];
$cgiparams{'ONLY_PROPOSED'} = 'off'; #[24];
$cgiparams{'PFS'} = 'on'; #[28];
$cgiparams{'VHOST'} = 'on'; #[14];
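Review bot: The revised defaults `IKE_ENCRYPTION = 'aes256|aes128|3des'` and `ESP_ENCRYPTION = 'aes256|aes128|3des'`, together with the unchanged `'sha|md5'` / `'sha1|md5'` integrity lists, still propose 3DES and MD5 for every newly created connection; since this commit already strengthens the defaults (AES-256 first, modp2048), it is the moment to drop the legacy algorithms from them, e.g. `$cgiparams{'IKE_ENCRYPTION'} = 'aes256|aes128'; #[18];` and `$cgiparams{'ESP_ENCRYPTION'} = 'aes256|aes128'; #[21];`, leaving 3DES/MD5 as explicit opt-ins in the advanced form. Switching `COMPRESSION` to `'on'` is a behaviour change for new connections that deserves a short comment on the line, and `ESP_GROUPTYPE` is still initialised here although the config writer no longer emits `pfsgroup`.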
$checked{'AUTH'}{'auth-dn'} = '';
$checked{'AUTH'}{$cgiparams{'AUTH'}} = "checked='checked'";
- $selected{'INTERFACE'}{'RED'} = '';
- $selected{'INTERFACE'}{'ORANGE'} = '';
- $selected{'INTERFACE'}{'GREEN'} = '';
- $selected{'INTERFACE'}{'BLUE'} = '';
- $selected{'INTERFACE'}{$cgiparams{'INTERFACE'}} = "selected='selected'";
-
$selected{'DPD_ACTION'}{'clear'} = '';
$selected{'DPD_ACTION'}{'hold'} = '';
$selected{'DPD_ACTION'}{'restart'} = '';
$blob = "<img src='/blob.gif' alt='*' />";
};
- print "<tr><td>$Lang::tr{'host ip'}:</td>";
- print "<td><select name='INTERFACE'>";
- print "<option value='RED' $selected{'INTERFACE'}{'RED'}>RED ($vpnsettings{'VPN_IP'})</option>";
- print "<option value='GREEN' $selected{'INTERFACE'}{'GREEN'}>GREEN ($netsettings{'GREEN_ADDRESS'})</option>";
- print "<option value='BLUE' $selected{'INTERFACE'}{'BLUE'}>BLUE ($netsettings{'BLUE_ADDRESS'})</option>" if ($netsettings{'BLUE_DEV'} ne '');
- print "<option value='ORANGE' $selected{'INTERFACE'}{'ORANGE'}>ORANGE ($netsettings{'ORANGE_ADDRESS'})</option>" if ($netsettings{'ORANGE_DEV'} ne '');
- print "</select></td>";
print <<END
+ <tr>
<td class='boldbase'>$Lang::tr{'remote host/ip'}: $blob</td>
- <td><input type='text' name='REMOTE' value='$cgiparams{'REMOTE'}' size='30' /></td>
- </tr><tr>
- <td class='boldbase' nowrap='nowrap'>$Lang::tr{'local subnet'}</td>
- <td><input type='text' name='LOCAL_SUBNET' value='$cgiparams{'LOCAL_SUBNET'}' size='30' /></td>
+ <td>
+ <input type='text' name='REMOTE' value='$cgiparams{'REMOTE'}' size='30' />
+ </td>
<td class='boldbase' nowrap='nowrap'>$Lang::tr{'remote subnet'}</td>
- <td><input $disabled type='text' name='REMOTE_SUBNET' value='$cgiparams{'REMOTE_SUBNET'}' size='30' /></td>
- </tr><tr>
+ <td>
+ <input $disabled type='text' name='REMOTE_SUBNET' value='$cgiparams{'REMOTE_SUBNET'}' size='30' />
+ </td>
+ </tr>
+ <tr>
+ <td class='boldbase' nowrap='nowrap'>$Lang::tr{'local subnet'}</td>
+ <td colspan='3'>
+ <input type='text' name='LOCAL_SUBNET' value='$cgiparams{'LOCAL_SUBNET'}' size='30' />
+ </td>
+ </tr>
+ <tr>
<td class='boldbase'>$Lang::tr{'vpn local id'}:<br />($Lang::tr{'eg'} <tt>@xy.example.com</tt>)</td>
<td><input type='text' name='LOCAL_ID' value='$cgiparams{'LOCAL_ID'}' /></td>
<td class='boldbase'>$Lang::tr{'vpn remote id'}:</td>
</tr><td><br /></td><tr>
<td>$Lang::tr{'vpn keyexchange'}:</td>
<td><select name='IKE_VERSION'>
- <option value='ikev1' $selected{'IKE_VERSION'}{'ikev1'}>IKEv1</option>
<option value='ikev2' $selected{'IKE_VERSION'}{'ikev2'}>IKEv2</option>
- </select></a>
+ <option value='ikev1' $selected{'IKE_VERSION'}{'ikev1'}>IKEv1</option>
+ </select>
</td>
<td>$Lang::tr{'dpd action'}:</td>
<td><select name='DPD_ACTION'>
<option value='clear' $selected{'DPD_ACTION'}{'clear'}>clear</option>
<option value='hold' $selected{'DPD_ACTION'}{'hold'}>hold</option>
<option value='restart' $selected{'DPD_ACTION'}{'restart'}>restart</option>
- </select> <a href='http://www.openswan.com/docs/local/README.DPD'>?</a>
+ </select>
</td>
</tr><tr>
-<!--http://www.openswan.com/docs/local/README.DPD
- http://bugs.xelerance.com/view.php?id=156
- restart = clear + reinitiate connection
--->
<td class='boldbase'>$Lang::tr{'remark title'} <img src='/blob.gif' alt='*' /></td>
<td colspan='3'><input type='text' name='REMARK' value='$cgiparams{'REMARK'}' size='55' maxlength='50' /></td>
</tr>
$cgiparams{'VPN_IP'} ='%defaultroute' if ($cgiparams{'VPN_IP'} eq '');
$cgiparams{'VPN_DELAYED_START'} = 0 if (! defined ($cgiparams{'VPN_DELAYED_START'}));
- $checked{'VPN_WATCH'} = $cgiparams{'VPN_WATCH'} eq 'on' ? "checked='checked'" : '' ;
- map ($checked{$_} = $cgiparams{$_} eq 'on' ? "checked='checked'" : '',
- ('ENABLED','DBG_CRYPT','DBG_PARSING','DBG_EMITTING','DBG_CONTROL',
- 'DBG_DNS'));
-
+ $checked{'ENABLED'} = $cgiparams{'ENABLED'} eq 'on' ? "checked='checked'" : '';
&Header::showhttpheaders();
&Header::openpage($Lang::tr{'vpn configuration main'}, 1, '');
<td width='20%'><input type='text' name='VPN_IP' value='$cgiparams{'VPN_IP'}' /></td>
<td width='20%' class='base'>$Lang::tr{'enabled'}<input type='checkbox' name='ENABLED' $checked{'ENABLED'} /></td>
</tr>
-END
- ;
- print <<END
- <tr>
- <td class='base' nowrap='nowrap'>$Lang::tr{'override mtu'}: <img src='/blob.gif' alt='*' /></td>
- <td ><input type='text' name='VPN_OVERRIDE_MTU' value='$cgiparams{'VPN_OVERRIDE_MTU'}' /></td>
- </tr>
END
;
print <<END
<td ><input type='text' name='RW_NET' value='$cgiparams{'RW_NET'}' /></td>
</tr>
</table>
-<p>$Lang::tr{'vpn watch'}:<input type='checkbox' name='VPN_WATCH' $checked{'VPN_WATCH'} /></p>
-<p>PLUTO DEBUG =
-crypt:<input type='checkbox' name='DBG_CRYPT' $checked{'DBG_CRYPT'} />,
-parsing:<input type='checkbox' name='DBG_PARSING' $checked{'DBG_PARSING'} />,
-emitting:<input type='checkbox' name='DBG_EMITTING' $checked{'DBG_EMITTING'} />,
-control:<input type='checkbox' name='DBG_CONTROL' $checked{'DBG_CONTROL'} />,
-dns:<input type='checkbox' name='DBG_DNS' $checked{'DBG_DNS'} />
<hr />
<table width='100%'>
<tr>
include Config
-VER = 4.6.4
+VER = 5.0.0
THISAPP = strongswan-$(VER)
DL_FILE = $(THISAPP).tar.bz2
DIR_APP = $(DIR_SRC)/$(THISAPP)
TARGET = $(DIR_INFO)/$(THISAPP)
+ifeq "$(MACHINE)" "i586"
+ PADLOCK = --enable-padlock
+else
+ PADLOCK = --disable-padlock
+endif
+
###############################################################################
# Top-level Rules
###############################################################################
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 4c0999c42faa0860ae0afc4f8efd9d04
+$(DL_FILE)_MD5 = c8b861305def7c0abae04f7bbefec212
install : $(TARGET)
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-4.5.3_ipfire.patch
- # Customize the welcome banner.
- sed -i $(DIR_APP)/src/pluto/modecfg.c \
- -e 's/^#define.*DEFAULT_UNITY_BANNER.*/#define DEFAULT_UNITY_BANNER "Welcome to IPFire - An Open Source Firewall Solution.\\n"/'
-
- cd $(DIR_APP) && ./configure --prefix="/usr" --sysconfdir="/etc" \
- --enable-cisco-quirks \
- --enable-curl \
- --enable-nat-transport
+ cd $(DIR_APP) && ./configure \
+ --prefix="/usr" \
+ --sysconfdir="/etc" \
+ --enable-curl \
+ --enable-openssl \
+ $(PADLOCK)
cd $(DIR_APP) && make $(MAKETUNING)
cd $(DIR_APP) && make install
+ # Remove all library files we don't want or need.
+ rm -vf /usr/lib/ipsec/plugins/*.{,l}a
+
-rm -rfv /etc/rc*.d/*ipsec
cd $(DIR_SRC) && cp src/initscripts/init.d/ipsec /etc/rc.d/init.d/ipsec
rm -f /etc/ipsec.conf /etc/ipsec.secrets
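Review bot: `rm -vf /usr/lib/ipsec/plugins/*.{,l}a` relies on brace expansion, which only works if the recipe shell is bash; under a POSIX /bin/sh the pattern stays literal, `-f` hides the non-match, and the `.a`/`.la` plugin files that the rootfile no longer lists would remain installed. Spelling the globs out removes the dependency on the shell: `rm -vf /usr/lib/ipsec/plugins/*.a /usr/lib/ipsec/plugins/*.la`. Whether Config sets SHELL to bash is not visible from this hunk.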
mkdir -p /var/run/mysql
chown mysql:mysql /var/run/mysql
fi
- if [ ! -e /var/run/pluto ]; then
- mkdir -p /var/run/pluto
- chmod 700 /var/run/pluto
- fi
if [ ! -e /var/run/saslauthd ]; then
mkdir -p /var/run/saslauthd
fi
safe_system("/sbin/iptables -F IPSECINPUT");
safe_system("/sbin/iptables -F IPSECFORWARD");
safe_system("/sbin/iptables -F IPSECOUTPUT");
-
}
/*
int decode_line (char *s,
char **key,
char **name,
- char **type,
- char **interface
+ char **type
) {
int count = 0;
*key = NULL;
*name = result;
if (count == 4)
*type = result;
- if (count == 27)
- *interface = result;
count++;
result = strsep(&s, ",");
}
return 0;
}
- if (! (strcmp(*interface, "RED") == 0 || strcmp(*interface, "GREEN") == 0 ||
- strcmp(*interface, "ORANGE") == 0 || strcmp(*interface, "BLUE") == 0)) {
- fprintf(stderr, "Bad interface name: %s\n", *interface);
- return 0;
- }
//it's a valid & active line
return 1;
}
/*
issue ipsec commmands to turn on connection 'name'
*/
-void turn_connection_on (char *name, char *type) {
-/*
- Rename the connection and run ipsec update and rename it back to readd
- a deleted connection. Because ipsec update ignores connection that have
- not changed since last load.
-*/
+void turn_connection_on(char *name, char *type) {
+ /*
+ * To bring up a connection, we need to reload the configuration
+ * and issue ipsec up afterwards. To make sure the connection
+ * is not established from the start, we bring it down in advance.
+ */
char command[STRING_SIZE];
- memset(command, 0, STRING_SIZE);
- snprintf(command, STRING_SIZE - 1,
- "sed -i -e 's|^conn %s$|conn %s-renamed|g' /var/ipfire/vpn/ipsec.conf >/dev/null", name, name);
- safe_system(command);
- // Down and delete IKEv2 Tunnel before ipsec update
+ // Bring down the connection (if established).
snprintf(command, STRING_SIZE - 1,
- "/usr/sbin/ipsec stroke down %s >/dev/null", name);
+ "/usr/sbin/ipsec down %s >/dev/null", name);
safe_system(command);
- snprintf(command, STRING_SIZE - 1,
- "/usr/sbin/ipsec stroke delete %s >/dev/null", name);
- safe_system(command);
-
- safe_system("/etc/rc.d/init.d/ipsec update >/dev/null");
- sleep(1);
+ // Reload the configuration into the daemon.
+ safe_system("/usr/sbin/ipsec reload >/dev/null 2>&1");
- // Back to original name
- snprintf(command, STRING_SIZE - 1,
- "sed -i -e 's|^conn %s-renamed$|conn %s|g' /var/ipfire/vpn/ipsec.conf >/dev/null", name, name);
- safe_system(command);
-
- // Down and delete IKEv2 Tunnel before ipsec update
- snprintf(command, STRING_SIZE - 1,
- "/usr/sbin/ipsec stroke down %s-renamed >/dev/null", name);
- safe_system(command);
- snprintf(command, STRING_SIZE - 1,
- "/usr/sbin/ipsec stroke delete %s-renamed >/dev/null", name);
- safe_system(command);
-
- safe_system("/etc/rc.d/init.d/ipsec update >/dev/null");
+ // Bring the connection up again.
+ snprintf(command, STRING_SIZE - 1,
+ "/usr/sbin/ipsec up %s >/dev/null", name);
+ safe_system(command);
}
+
/*
issue ipsec commmands to turn off connection 'name'
*/
void turn_connection_off (char *name) {
+ /*
+ * To turn off a connection, all SAs must be turned down.
+ * After that, the configuration must be reloaded.
+ */
char command[STRING_SIZE];
- memset(command, 0, STRING_SIZE);
- snprintf(command, STRING_SIZE - 1,
- "/usr/sbin/ipsec whack --delete --name %s >/dev/null", name);
- safe_system(command);
- snprintf(command, STRING_SIZE - 1,
- "/usr/sbin/ipsec stroke down %s >/dev/null", name);
- safe_system(command);
+
+ // Bring down the connection.
snprintf(command, STRING_SIZE - 1,
- "/usr/sbin/ipsec stroke delete %s >/dev/null", name);
+ "/usr/sbin/ipsec down %s >/dev/null", name);
safe_system(command);
- safe_system("/usr/sbin/ipsec whack --rereadall >/dev/null");
- safe_system("/usr/sbin/ipsec stroke rereadall >/dev/null");
-
+ // Reload, so the connection is dropped.
+ safe_system("/usr/sbin/ipsec reload >/dev/null 2>&1");
}
-
int main(int argc, char *argv[]) {
-
char configtype[STRING_SIZE];
char redtype[STRING_SIZE] = "";
struct keyvalue *kv = NULL;
if (strcmp(argv[1], "I") == 0) {
- safe_system("/usr/sbin/ipsec whack --status");
- safe_system("/usr/sbin/ipsec stroke status");
+ safe_system("/usr/sbin/ipsec status");
exit(0);
}
if (strcmp(argv[1], "R") == 0) {
- safe_system("/usr/sbin/ipsec whack --rereadall >/dev/null");
- safe_system("/usr/sbin/ipsec stroke rereadall >/dev/null");
+ safe_system("/usr/sbin/ipsec reload >/dev/null 2>&1");
exit(0);
}
- /* Get vpnwatch pid */
-
-
- if ((argc == 2) && (file = fopen("/var/run/vpn-watch.pid", "r"))) {
- safe_system("kill -9 $(cat /var/run/vpn-watch.pid)");
- safe_system("unlink /var/run/vpn-watch.pid");
- close(file);
- }
-
/* FIXME: workaround for pclose() issue - still no real idea why
* this is happening */
signal(SIGCHLD, SIG_DFL);
/* handle operations that doesn't need start the ipsec system */
if (argc == 2) {
if (strcmp(argv[1], "D") == 0) {
- /* Only shutdown pluto if it really is running */
- /* Get pluto pid */
- if (file = fopen("/var/run/pluto.pid", "r")) {
- safe_system("/etc/rc.d/init.d/ipsec stop 2> /dev/null >/dev/null");
- close(file);
- }
+ safe_system("/usr/sbin/ipsec stop >/dev/null 2>&1");
ipsec_norules();
exit(0);
}
-
}
/* read vpn config */
char if_blue[STRING_SIZE] = "";
char s[STRING_SIZE];
- if (!(file = fopen(CONFIG_ROOT "/vpn/config", "r"))) {
- fprintf(stderr, "Couldn't open vpn settings file");
- exit(1);
- }
- while (fgets(s, STRING_SIZE, file) != NULL) {
- char *key;
- char *name;
- char *type;
- char *interface;
- if (!decode_line(s,&key,&name,&type,&interface))
- continue;
- /* search interface */
- if (!enable_red && strcmp (interface, "RED") == 0) {
- // when RED is up, find interface name in special file
- FILE *ifacefile = NULL;
- if ((ifacefile = fopen(CONFIG_ROOT "/red/iface", "r"))) {
- if (fgets(if_red, STRING_SIZE, ifacefile)) {
- if (if_red[strlen(if_red) - 1] == '\n')
- if_red[strlen(if_red) - 1] = '\0';
- }
- fclose (ifacefile);
-
- if (VALID_DEVICE(if_red))
- enable_red+=2; // present and running
- }
- }
-
- if (!enable_green && strcmp (interface, "GREEN") == 0) {
- enable_green = 1;
- findkey(kv, "GREEN_DEV", if_green);
- if (VALID_DEVICE(if_green))
- enable_green++;
- else
- fprintf(stderr, "IPSec enabled on green but green interface is invalid or not found\n");
+ // when RED is up, find interface name in special file
+ FILE *ifacefile = NULL;
+ if ((ifacefile = fopen(CONFIG_ROOT "/red/iface", "r"))) {
+ if (fgets(if_red, STRING_SIZE, ifacefile)) {
+ if (if_red[strlen(if_red) - 1] == '\n')
+ if_red[strlen(if_red) - 1] = '\0';
}
+ fclose (ifacefile);
- if (!enable_orange && strcmp (interface, "ORANGE") == 0) {
- enable_orange = 1;
- findkey(kv, "ORANGE_DEV", if_orange);
- if (VALID_DEVICE(if_orange))
- enable_orange++;
- else
- fprintf(stderr, "IPSec enabled on orange but orange interface is invalid or not found\n");
- }
+ if (VALID_DEVICE(if_red))
+ enable_red++;
+ }
- if (!enable_blue && strcmp (interface, "BLUE") == 0) {
- enable_blue++;
- findkey(kv, "BLUE_DEV", if_blue);
- if (VALID_DEVICE(if_blue))
- enable_blue++;
- else
- fprintf(stderr, "IPSec enabled on blue but blue interface is invalid or not found\n");
+ // Check if GREEN is enabled.
+ findkey(kv, "GREEN_DEV", if_green);
+ if (VALID_DEVICE(if_green))
+ enable_green++;
+ else
+ fprintf(stderr, "IPSec enabled on green but green interface is invalid or not found\n");
+
+ // Check if ORANGE is enabled.
+ findkey(kv, "ORANGE_DEV", if_orange);
+ if (VALID_DEVICE(if_orange))
+ enable_orange++;
+ else
+ fprintf(stderr, "IPSec enabled on orange but orange interface is invalid or not found\n");
+
+ // Check if BLUE is enabled.
+ findkey(kv, "BLUE_DEV", if_blue);
+ if (VALID_DEVICE(if_blue))
+ enable_blue++;
+ else
+ fprintf(stderr, "IPSec enabled on blue but blue interface is invalid or not found\n");
- }
- }
- fclose(file);
freekeyvalues(kv);
- // do nothing if something is in error condition
- if ((enable_red==1) || (enable_green==1) || (enable_orange==1) || (enable_blue==1) )
- exit(1);
-
// exit if nothing to do
- if ( (enable_red+enable_green+enable_orange+enable_blue) == 0 )
+ if ((enable_red+enable_green+enable_orange+enable_blue) == 0)
exit(0);
// open needed ports
- // todo: read a nat_t indicator to allow or not openning UDP/4500
- if (enable_red==2)
+ if (enable_red > 0)
open_physical(if_red, 4500);
- if (enable_green==2)
+ if (enable_green > 0)
open_physical(if_green, 4500);
- if (enable_orange==2)
+ if (enable_orange > 0)
open_physical(if_orange, 4500);
- if (enable_blue==2)
+ if (enable_blue > 0)
open_physical(if_blue, 4500);
// start the system
if ((argc == 2) && strcmp(argv[1], "S") == 0) {
- safe_system("/etc/rc.d/init.d/ipsec restart >/dev/null");
- safe_system("/usr/local/bin/vpn-watch &");
+ safe_system("/usr/sbin/ipsec restart >/dev/null");
exit(0);
}
// it is a selective start or stop
// second param is only a number 'key'
if ((argc == 2) || strspn(argv[2], NUMBERS) != strlen(argv[2])) {
- fprintf(stderr, "Bad arg\n");
+ fprintf(stderr, "Bad arg: %s\n", argv[2]);
usage();
exit(1);
}
char *key;
char *name;
char *type;
- char *interface;
- if (!decode_line(s,&key,&name,&type,&interface))
+ if (!decode_line(s,&key,&name,&type))
continue;
- // start/stop a vpn if belonging to specified interface
- if (strcmp(argv[1], interface) == 0 ) {
- if (strcmp(argv[2], "0")==0)
- turn_connection_off (name);
- else
- turn_connection_on (name, type);
- continue;
- }
// is it the 'key' requested ?
if (strcmp(argv[2], key) != 0)
continue;
+
// Start or Delete this Connection
if (strcmp(argv[1], "S") == 0)
turn_connection_on (name, type);
- else
- if (strcmp(argv[1], "D") == 0)
+ else if (strcmp(argv[1], "D") == 0)
turn_connection_off (name);
else {
fprintf(stderr, "Bad command\n");
}
}
fclose(file);
+
return 0;
}
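Review bot: An unrecognised first argument is still only diagnosed from inside the per-connection loop (`else { fprintf(stderr, "Bad command\n"); }`), so it is printed once per config line whose key matches argv[2], stays silent when no key matches, and the process still finishes with `return 0`. Now that the interface-name branch (`strcmp(argv[1], interface)`) has been removed, argv[1] can only legitimately be `S` or `D`, so the check belongs before the loop, next to the `Bad arg` test on argv[2]: `if (strcmp(argv[1], "S") != 0 && strcmp(argv[1], "D") != 0) { fprintf(stderr, "Bad command: %s\n", argv[1]); usage(); exit(1); }`. The `while (fgets(...))` loop these lines run in begins before the hunk, so the exact insertion point is just outside the visible lines. Any caller still using the old `<INTERFACE> 0` form would then fail loudly instead of being silently ignored, which is presumably the intent but worth confirming against the init scripts.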
+++ /dev/null
-#!/usr/bin/perl
-##################################################
-##### VPN-Watch.pl Version 0.7 #####
-##################################################
-# #
-# VPN-Watch is part of the IPFire Firewall #
-# #
-##################################################
-
-use strict;
-
-require '/var/ipfire/general-functions.pl';
-my @vpnsettings;
-my $i = 0;
-my $file = "/var/run/vpn-watch.pid";
-my $debug = 0;
-
-if ( -e $file ){
- logger("There my be another vpn-watch runnning because $file exists, vpn-watch will try kill the process.");
- open(FILE, "<$file");
- my $PID = <FILE>;
- close(FILE);
- system("kill -9 $PID");
- }
-
-system("echo $$ > $file");
-my $round=0;
-while ( $i == 0){
- if ($debug){logger("We will wait 60 seconds before next action.");}
- sleep(60);
-
- $round++;
-
- # Reset roundcounter after 10 min. To do established check.
- if ($round > 9) { $round=0; }
-
- if (open(FILE, "<${General::swroot}/vpn/config")) { @vpnsettings = <FILE>;
- close(FILE);
- unless(@vpnsettings) {exit 1;}
- }
-
-my $status = `ipsec status`;
-foreach (@vpnsettings){
- my @settings = split(/,/,$_);
-
- chomp($settings[30]);
- if ($settings[27] ne 'RED'){next;}
- if ($settings[4] ne 'net'){next;}
- if ($settings[1] ne 'on'){next;}chomp($settings[29]);
- if ($settings[29] ne 'on'){next;}
-
- my $remotehostname = $settings[11];
-
- if ($debug){logger("Checking connection to $remotehostname.");}
-
- my $remoteip = `/usr/bin/ping -c 1 $remotehostname 2>/dev/null | head -n1 | awk '{print \$3}' | tr -d '()' | tr -d ':'`;chomp($remoteip);
- if ($remoteip eq ""){next;if ($debug){logger("Unable to resolve $remotehostname.");}}
- my $ipmatch= `echo "$status" | grep '$remoteip' | grep '$settings[2]'`;
- my $established= `echo "$status" | grep '$settings[2]' | grep -e 'erouted;' -e 'INSTALLED'`;
- my $known= `echo "$status" | grep '$settings[2]'`;
-
- if ( $ipmatch eq '' && $known ne '' ){
- logger("Remote IP for host $remotehostname($remoteip) has changed, restarting ipsec.");
- system("/usr/local/bin/ipsecctrl S $settings[0]");
- $round=0;
- }
-
- if ($debug){logger("Round=".$round." and established=".$established);}
-
- if ( ($round == 0) && ($established eq '')) {
- logger("Connection to $remotehostname($remoteip) not erouted, restarting ipsec.");
- system("/usr/local/bin/ipsecctrl S $settings[0]");
- $round=0;
-
- }
- }
- if ($debug){logger("All connections may be fine nothing was done.");}
-}
-
-sub logger {
- my $log = shift;
- system("logger -t vpnwatch \"$log\"");
-}