]>
git.ipfire.org Git - thirdparty/strongswan.git/blob - programs/auto/auto.in
2 # user interface to automatic keying and Pluto in general
3 # Copyright (C) 1998, 1999, 2000 Henry Spencer.
5 # This program is free software; you can redistribute it and/or modify it
6 # under the terms of the GNU General Public License as published by the
7 # Free Software Foundation; either version 2 of the License, or (at your
8 # option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 # This program is distributed in the hope that it will be useful, but
11 # WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 # or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 # RCSID $Id: auto.in,v 1.17 2006/04/20 04:42:12 as Exp $
19 $me [--showonly] [--asynchronous] --up connectionname
20 $me [--showonly] [-- type conn|ca] --{add|delete|replace|down} name
21 $me [--showonly] --{route|unroute} connectionname
22 $me [--showonly] --ready
23 $me [--showonly] --{status|statusall} [connectionname]
24 $me [--showonly] --{rereadsecrets|rereadgroups}
25 $me [--showonly] --{rereadcacerts|rereadaacerts|rereadocspcerts}
26 $me [--showonly] --{rereadacerts|rereadcrls|rereadall}
27 $me [--showonly] [--utc] --{listalgs|listpubkeys|listcerts}
28 $me [--showonly] [--utc] --{listcacerts|listaacerts|listocspcerts}
29 $me [--showonly] [--utc] --{listacerts|listgroups|listcainfos}
30 $me [--showonly] [--utc] --{listcrls|listocsp|listcards|listall}
31 $me [--showonly] --purgeocsp
33 other options: [--config ipsecconfigfile] [--verbose] [--show]"
37 info
=/var
/run
/ipsec.info
41 logfilter
='$1 != "002"'
51 --help) echo "$usage" ; exit 0 ;;
52 --version) echo "$me $IPSEC_VERSION" ; exit 0 ;;
54 --showonly) showonly
=yes ;;
56 --config) config
="--config $2" ; shift ;;
57 --noinclude) noinclude
=--noinclude ;;
58 --asynchronous) async
="--asynchronous" ;;
59 --verbose) logfilter
='1' ;;
60 --type) type="$2" ; shift ;;
61 --up|
--down|
--add|
--delete|
--replace|
--route|
--unroute)
69 if test "$type" = "ca"
73 --add|
--delete|
--replace) ;;
74 --*) echo "$op option not supported for --type ca";
92 --ready|
--rereadsecrets|
--rereadgroups|\
93 --rereadcacerts|
--rereadaacerts|
--rereadocspcerts|\
94 --rereadacerts|
--rereadcrls|
--rereadall|\
95 --listalgs|
--listpubkeys|
--listcerts|\
96 --listcacerts|
--listaacerts|
--listocspcerts|\
97 --listacerts|
--listgroups|
--listcainfos|\
98 --listcrls|
--listocsp|
--listcards|
--listall|\
100 if test " $op" != " "
109 -*) echo "$me: unknown option \`$1'" >&2 ; exit 2 ;;
117 --*) if test " $argc" -ne $#
124 *) echo "$usage" >&2 ; exit 2 ;;
139 awk "/^= / { exit \$2 } $logfilter { print }"
144 --ready) echo "ipsec whack --listen" | runit
; exit ;;
145 --rereadsecrets) echo "ipsec whack --rereadsecrets" | runit
; exit ;;
146 --rereadgroups) echo "ipsec whack --listen" | runit
; exit ;;
147 --rereadcacerts) echo "ipsec whack --rereadcacerts" | runit
; exit ;;
148 --rereadaacerts) echo "ipsec whack --rereadaacerts" | runit
; exit ;;
149 --rereadocspcerts) echo "ipsec whack --rereadocspcerts" | runit
; exit ;;
150 --rereadacerts) echo "ipsec whack --rereadacerts" | runit
; exit ;;
151 --rereadcrls) echo "ipsec whack --rereadcrls" | runit
; exit ;;
152 --rereadall) echo "ipsec whack --rereadall" | runit
; exit ;;
153 --listalgs) echo "ipsec whack --listalgs" | runit
; exit ;;
154 --listpubkeys) echo "ipsec whack $utc --listpubkeys" | runit
; exit ;;
155 --listcerts) echo "ipsec whack $utc --listcerts" | runit
; exit ;;
156 --listcacerts) echo "ipsec whack $utc --listcacerts" | runit
; exit ;;
157 --listaacerts) echo "ipsec whack $utc --listaacerts" | runit
; exit ;;
158 --listocspcerts) echo "ipsec whack $utc --listocspcerts" | runit
; exit ;;
159 --listacerts) echo "ipsec whack $utc --listacerts" | runit
; exit ;;
160 --listgroups) echo "ipsec whack $utc --listgroups" | runit
; exit ;;
161 --listcainfos) echo "ipsec whack $utc --listcainfos" | runit
; exit ;;
162 --listcrls) echo "ipsec whack $utc --listcrls" | runit
; exit ;;
163 --listocsp) echo "ipsec whack $utc --listocsp" | runit
; exit ;;
164 --listcards) echo "ipsec whack $utc --listcards" | runit
; exit ;;
165 --listall) echo "ipsec whack $utc --listall" | runit
; exit ;;
166 --purgeocsp) echo "ipsec whack $utc --purgeocsp" | runit
; exit ;;
167 --up) echo "ipsec whack $async --name $names --initiate" | runit
; exit ;;
168 --down) echo "ipsec whack --name $names --terminate" | runit
; exit ;;
169 --delete) echo "ipsec whack $name $names --delete" | runit
; exit ;;
170 --route) echo "ipsec whack --name $names --route" | runit
; exit ;;
171 --unroute) echo "ipsec whack --name $names --unroute" | runit
; exit ;;
172 --status) echo "ipsec whack $name $names --status" | runit
; exit ;;
173 --statusall) echo "ipsec whack $name $names --statusall" | runit
; exit ;;
181 ipsec _confread
$config $noinclude --type $type $names |
182 awk -v section
="$type" ' BEGIN {
186 draddr = "'"$defaultrouteaddr"'"
187 drnexthop = "'"$defaultroutenexthop"'"
191 print "PATH=\"'"$PATH"'\""
193 flip["left"] = "right"
194 flip["right"] = "left"
226 fail("internal error, unknown type code " v($1))
229 print "ipsec_auto: fatal error in " v(name) ": " m |err
234 if ((k in s) && s[k] != "yes" && s[k] != "no")
235 fail("parameter " v(k) " must be \"yes\" or \"no\"")
237 function setdefault(k, val) {
241 function was(new, old) {
242 if (!(new in s) && (old in s))
247 fail("connection has no " v(k) " parameter specified")
249 fail("parameter " v(k) " value must be non-empty")
251 function integer(k) {
254 if (s[k] !~ /^[0-9]+$/)
255 fail("parameter " v(k) " value must be integer")
257 function duration(k, n, t) {
261 n = substr(t, 1, length(t)-1)
264 else if (t ~ /^[0-9]+s$/)
266 else if (t ~ /^[0-9]+(\.[0-9]+)?m$/)
268 else if (t ~ /^[0-9]+(\.[0-9]+)?h$/)
270 else if (t ~ /^[0-9]+(\.[0-9]+)?d$/)
271 s[k] = int(n*3600*24)
273 fail("parameter " v(k) " not valid time, must be nnn[smhd]")
275 function nexthopset(dir, val, k) {
278 fail("non-default value of " k " is being overridden")
284 function id(dir, k) {
290 function whackkey(dir, which, flag, rk, n) {
291 if (id(dir) == "%opportunistic")
294 if (rk == "%dnsondemand")
296 kod="--dnskeyondemand"
299 if (rk == "" || rk == "%none" || rk == "%cert" || rk == "0x00")
301 n = "\"\\\"" name "\\\" " dir which"\""
302 if (rk == "%dns" || rk == "%dnsonload")
304 if (id(flip[dir]) == "%opportunistic" || s[flip[dir]] == "%any")
306 print "ipsec whack --label", n, flag,
307 "--keyid", q(id(dir)), "\\"
311 print "ipsec whack --label", n, flag,
312 "--keyid", q(id(dir)),
313 "--pubkeyrsa", q(rk), "\\"
317 function q(str) { # quoting for shell
320 function qs(k) { # utility abbreviation for q(s[k])
323 function v(str) { # quoting for human viewing
328 fail("internal error, output called inappropriately")
330 setdefault("type", "tunnel")
334 # do NOT default subnets to side/32, despite what
336 type_flags = "--tunnel"
337 } else if (t == "transport") {
338 if ("leftsubnet" in s)
339 fail("type=transport incompatible with leftsubnet")
340 if ("rightsubnet" in s)
341 fail("type=transport incompatible with rightsubnet")
343 } else if (t == "passthrough") {
344 type_flags = "--pass"
345 } else if (t == "drop") {
346 type_flags = "--drop"
347 } else if (t == "reject") {
348 type_flags = "--reject"
350 fail("unknown type " v(t))
352 setdefault("failureshunt", "none")
353 t = s["failureshunt"]
354 if (t == "passthrough")
355 type_flags = type_flags " --failpass";
356 else if (t == "drop")
357 type_flags = type_flags " --faildrop";
358 else if (t == "reject")
359 type_flags = type_flags " --failreject";
360 else if (t != "none")
361 fail("unknown failureshunt value " v(t))
365 if (s["left"] == "%defaultroute") {
366 if (s["right"] == "%defaultroute")
367 fail("left and right cannot both be %defaultroute")
369 fail("%defaultroute requested but not known")
371 nexthopset("left", drnexthop)
372 } else if (s["right"] == "%defaultroute") {
374 fail("%defaultroute requested but not known")
376 nexthopset("right", drnexthop)
379 setdefault("keyexchange", "ike")
380 if (s["keyexchange"] != "ike")
381 fail("only know how to do keyexchange=ike")
382 setdefault("auth", "esp")
383 if (("auth" in s) && s["auth"] != "esp" && s["auth"] != "ah")
384 fail("only know how to do auth=esp or auth=ah")
387 setdefault("pfs", "yes")
389 duration("dpdtimeout")
390 if ("dpdaction" in s)
392 setdefault("dpddelay",30)
393 setdefault("dpdtimeout",120)
396 setdefault("compress", "no")
397 setdefault("keylife", "1h")
400 setdefault("rekey", "yes")
401 setdefault("rekeymargin", "9m")
402 duration("rekeymargin")
403 setdefault("keyingtries", "%forever")
404 if (s["keyingtries"] == "%forever")
406 integer("keyingtries")
407 if ("rekeyfuzz" in s) {
408 if (s["rekeyfuzz"] !~ /%$/)
409 fail("rekeyfuzz must be nnn%")
411 s["rekeyfuzz"] = substr(r, 1, length(r)-1)
414 duration("ikelifetime")
415 setdefault("disablearrivalcheck", "no")
417 setdefault("leftsendcert", "always")
418 setdefault("rightsendcert", "always")
420 setdefault("leftnexthop", "%direct")
421 setdefault("rightnexthop", "%direct")
422 if (s["leftnexthop"] == s["left"])
423 fail("left and leftnexthop must not be the same")
424 if (s["rightnexthop"] == s["right"])
425 fail("right and rightnexthop must not be the same")
426 if (s["leftnexthop"] == "%defaultroute") {
428 fail("%defaultroute requested but not known")
429 s["leftnexthop"] = drnexthop
431 if (s["rightnexthop"] == "%defaultroute") {
433 fail("%defaultroute requested but not known")
434 s["rightnexthop"] = drnexthop
437 if ("leftfirewall" in s && "leftupdown" in s)
438 fail("cannot have both leftfirewall and leftupdown")
439 if ("rightfirewall" in s && "rightupdown" in s)
440 fail("cannot have both rightfirewall and rightupdown")
441 setdefault("leftupdown", "ipsec _updown")
442 setdefault("rightupdown", "ipsec _updown")
443 setdefault("lefthostaccess", "no")
444 setdefault("righthostaccess", "no")
445 yesno("lefthostaccess")
446 yesno("righthostaccess")
448 if (s["lefthostaccess"] == "yes")
451 if (s["righthostaccess"] == "yes")
453 setdefault("leftfirewall", "no")
454 setdefault("rightfirewall", "no")
455 yesno("leftfirewall")
456 yesno("rightfirewall")
457 if (s["leftfirewall"] == "yes")
458 s["leftupdown"] = s["leftupdown"] " iptables"
459 if (s["rightfirewall"] == "yes")
460 s["rightupdown"] = s["rightupdown"] " iptables"
462 setdefault("authby", "rsasig")
464 if (t == "rsasig" || t == "secret|rsasig" || t == "rsasig|secret") {
465 authtype = "--rsasig"
466 type_flags = "--encrypt " type_flags
467 if (!("leftcert" in s)) {
468 setdefault("leftrsasigkey", "%cert")
469 if (id("left") == "%any" &&
470 !(s["leftrsasigkey"] == "%cert" ||
471 s["leftrsasigkey"] == "0x00") )
472 fail("ID " v(id("left")) " cannot have RSA key")
474 if (!("rightcert" in s)) {
475 setdefault("rightrsasigkey", "%cert")
476 if (id("right") == "%any" &&
477 !(s["rightrsasigkey"] == "%cert" ||
478 s["rightrsasigkey"] == "0x00") )
479 fail("ID " v(id("right")) " cannot have RSA key")
482 authtype = authtype " --psk"
483 } else if (t == "secret") {
485 type_flags = "--encrypt " type_flags
486 } else if (t == "never") {
489 fail("unknown authby value " v(t))
492 settings = type_flags
493 setdefault("ike", "3des-sha,3des-md5")
495 settings = settings " --ike " qs("ike")
496 setdefault("esp", "3des")
498 settings = settings " --esp " qs("esp")
499 if (s["auth"] == "ah")
500 settings = settings " --authenticate"
501 if (s["pfs"] == "yes") {
502 settings = settings " --pfs"
503 if (s["pfsgroup"] != "")
504 settings = settings " --pfsgroup " qs("pfsgroup")
508 settings = settings " --dpdaction " qs("dpdaction")
510 settings = settings " --dpddelay " qs("dpddelay")
512 settings = settings " --dpdtimeout " qs("dpdtimeout")
514 if (s["compress"] == "yes")
515 settings = settings " --compress"
516 if (op == "--replace")
517 settings = settings " --delete"
518 if ("ikelifetime" in s)
519 settings = settings " --ikelifetime " qs("ikelifetime")
520 if (s["disablearrivalcheck"] == "yes")
521 settings = settings " --disablearrivalcheck"
522 settings = settings " " authtype
526 if ("leftsubnet" in s)
527 lc = "--client " qs("leftsubnet")
528 if ("rightsubnet" in s)
529 rc = "--client " qs("rightsubnet")
530 if ("leftsubnetwithin" in s)
531 lc = lc " --clientwithin " qs("leftsubnetwithin")
532 if ("rightsubnetwithin" in s)
533 rc = rc " --clientwithin " qs("rightsubnetwithin")
536 if ("leftprotoport" in s)
537 lp = "--clientprotoport " qs("leftprotoport")
538 if ("rightprotoport" in s)
539 rp = "--clientprotoport " qs("rightprotoport")
540 lud = "--updown " qs("leftupdown")
541 rud = "--updown " qs("rightupdown")
545 lid = "--id " qs("leftid")
548 rid = "--id " qs("rightid")
550 if ("leftsourceip" in s)
551 lsip = "--srcip " qs("leftsourceip")
553 if ("rightsourceip" in s)
554 rsip = "--srcip " qs("rightsourceip")
556 if ("leftsendcert" in s)
557 lscert = "--sendcert " qs("leftsendcert")
559 if ("rightsendcert" in s)
560 rscert = "--sendcert " qs("rightsendcert")
563 lcert = "--cert " qs("leftcert")
565 if ("rightcert" in s)
566 rcert = "--cert " qs("rightcert")
569 lca = "--ca " qs("leftca")
572 rca = "--ca " qs("rightca")
574 if ("leftgroups" in s)
575 lgr = "--groups " qs("leftgroups")
577 if ("rightgroups" in s)
578 rgr = "--groups " qs("rightgroups")
580 if ("rekeyfuzz" in s)
581 fuzz = "--rekeyfuzz " qs("rekeyfuzz")
583 if (s["rekey"] == "no")
586 if ("_plutodevel" in s)
587 pd = "--plutodevel " s["_plutodevel"] # not qs()
591 if (authtype != "--psk") {
593 whackkey("left", "rsasigkey", "")
594 whackkey("left", "rsasigkey2", "--addkey")
597 whackkey("right", "rsasigkey", "")
598 whackkey("right", "rsasigkey2", "--addkey")
601 print "ipsec whack --name", name, settings, "\\"
602 print "\t--host", qs("left"), lc, lp, "--nexthop",
603 qs("leftnexthop"), lud, lha, lid, lkod, lscert, lcert, lca, lsip, lgr, "\\"
604 print "\t--to", "--host", qs("right"), rc, rp, "--nexthop",
605 qs("rightnexthop"), rud, rha, rid, rkod, rscert, rcert, rca, rsip, rgr, "\\"
606 print "\t--ipseclifetime", qs("keylife"),
607 "--rekeymargin", qs("rekeymargin"), "\\"
608 print "\t--keyingtries", qs("keyingtries"), fuzz, rk, pd, "\\"
611 function output_ca() {
613 fail("internal error, output called inappropriately")
615 if (op == "--replace")
616 settings = "--delete"
619 cacert = "--cacert " qs("cacert")
622 ldaphost = "--ldaphost " qs("ldaphost")
625 ldapbase = "--ldapbase " qs("ldapbase")
628 crluri = "--crluri " qs("crluri")
631 crluri2 = "--crluri2 " qs("crluri2")
634 ocspuri = "--ocspuri " qs("ocspuri")
635 yesno("strictcrlpolicy")
636 setdefault("strictcrlpolicy", "no")
637 if (s["strictcrlpolicy"] == "yes")
638 settings = settings " --strictcrlpolicy"
640 setdefault("cachecrls", "no")
641 if (s["cachecrls"] == "yes")
642 settings = settings " --cachecrls"
644 print "ipsec whack --caname", name, settings, cacert, ldaphost, ldapbase,
645 crluri, crluri2, ocspuri, "\\"
650 print "# fatal error discovered, force failure using \"false\" command"
652 exit 1 # just on general principles