1 #! /bin/sh
2 # user interface to automatic keying and Pluto in general
3 # Copyright (C) 1998, 1999, 2000 Henry Spencer.
4 #
5 # This program is free software; you can redistribute it and/or modify it
6 # under the terms of the GNU General Public License as published by the
7 # Free Software Foundation; either version 2 of the License, or (at your
8 # option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 #
10 # This program is distributed in the hope that it will be useful, but
11 # WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 # or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 # for more details.
14 #
15 # RCSID $Id: auto.in,v 1.17 2006/04/20 04:42:12 as Exp $
16
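me='ipsec auto'
usage="Usage:
$me [--showonly] [--asynchronous] --up connectionname
$me [--showonly] [--type conn|ca] --{add|delete|replace|down} name
$me [--showonly] --{route|unroute} connectionname
$me [--showonly] --ready
$me [--showonly] --{status|statusall} [connectionname]
$me [--showonly] --{rereadsecrets|rereadgroups}
$me [--showonly] --{rereadcacerts|rereadaacerts|rereadocspcerts}
$me [--showonly] --{rereadacerts|rereadcrls|rereadall}
$me [--showonly] [--utc] --{listalgs|listpubkeys|listcerts}
$me [--showonly] [--utc] --{listcacerts|listaacerts|listocspcerts}
$me [--showonly] [--utc] --{listacerts|listgroups|listcainfos}
$me [--showonly] [--utc] --{listcrls|listocsp|listcards|listall}
$me [--showonly] --purgeocsp

other options: [--config ipsecconfigfile] [--verbose] [--show]"

# Option state, filled in by the argument loop that follows.
showonly=			# non-empty: print the generated whack script instead of running it
config=				# "--config file", passed on unquoted to _confread
info=/var/run/ipsec.info	# sourced for defaultrouteaddr/defaultroutenexthop
shopts=				# "-x" with --show: trace the generated script
noinclude=			# "--noinclude", passed on to _confread
async=				# "--asynchronous", passed to whack for --up
# awk pattern selecting which lines of whack output to show; the default
# drops the "002" lines, --verbose sets it to 1 (show everything)
logfilter='$1 != "002"'
op=				# the single operation requested
argc=				# number of name arguments the operation expects
utc=				# "--utc", passed to the list/purge commands
type="conn"			# section type handed to _confread: conn or ca
name="--name"			# whack option carrying the name (--caname for ca)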
47
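# Print the usage text on stderr and fail with the usual status for it.
bad_usage() {
	echo "$usage" >&2
	exit 2
}

# Option parsing.  Exactly one operation (--up, --add, --status, ...) is
# accepted; argc records how many positional name arguments it expects and
# name the whack option used to pass them (--caname when --type ca was
# given BEFORE the operation, since the check happens when the operation
# is seen).  Parsing stops at "--" or at the first non-option word.
for dummy
do
	case "$1" in
	--help)		echo "$usage" ; exit 0 ;;
	--version)	echo "$me $IPSEC_VERSION" ; exit 0 ;;
	--show)		shopts=-x ;;
	--showonly)	showonly=yes ;;
	--utc)		utc="$1" ;;
	--config)
		# needs a value: without one the shift below would fail and an
		# empty --config would be handed to _confread
		test $# -ge 2 || bad_usage
		# kept as one string because it is expanded unquoted later, so a
		# config path containing blanks does not survive
		config="--config $2" ; shift ;;
	--noinclude)	noinclude=--noinclude ;;
	--asynchronous)	async="--asynchronous" ;;
	--verbose)	logfilter='1' ;;	# show the 002 lines as well
	--type)
		test $# -ge 2 || bad_usage
		type="$2" ; shift ;;
	--up|--down|--add|--delete|--replace|--route|--unroute)
		test -z "$op" || bad_usage	# only one operation allowed
		op="$1"
		argc=1
		if test "$type" = "ca"
		then
			name="--caname"
			case "$op" in
			--add|--delete|--replace)	;;
			--*)	echo "$op option not supported for --type ca" >&2
				exit 3 ;;
			esac
		fi
		;;
	--status|--statusall)
		test -z "$op" || bad_usage
		op="$1"
		argc=1
		# no connection name: status of everything
		if test $# -eq 1
		then
			argc=0; name=
		fi
		;;
	--ready|--rereadsecrets|--rereadgroups|\
	--rereadcacerts|--rereadaacerts|--rereadocspcerts|\
	--rereadacerts|--rereadcrls|--rereadall|\
	--listalgs|--listpubkeys|--listcerts|\
	--listcacerts|--listaacerts|--listocspcerts|\
	--listacerts|--listgroups|--listcainfos|\
	--listcrls|--listocsp|--listcards|--listall|\
	--purgeocsp)
		test -z "$op" || bad_usage
		op="$1"
		argc=0
		;;
	--)	shift ; break ;;
	-*)	echo "$me: unknown option \`$1'" >&2 ; exit 2 ;;
	*)	break ;;
	esac
	shift
done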
114
# An operation is mandatory, and it must get exactly the number of name
# arguments it declared in argc; what is left on the command line becomes
# the space-joined list of names.
names=
if test -z "$op"
then
	echo "$usage" >&2 ; exit 2
fi
if test "$argc" -ne "$#"
then
	echo "$usage" >&2
	exit 2
fi
names="$*"
126
127
#######################################
# Run (or merely display) the shell script read from stdin.
# Globals:   showonly (read), shopts (read), logfilter (read)
# Outputs:   with showonly set, the script text verbatim; otherwise the
#            script output, with lines selected by the awk pattern in
#            logfilter (by default everything but the 002 lines)
# Returns:   the exit status of the executed script (status of cat when
#            only showing it)
# The script text is executed by sh as-is: names and config values that
# the callers splice into it are interpreted by the shell unescaped.
#######################################
runit() {
	if test -n "$showonly"
	then
		cat
		return
	fi
	# The script is wrapped in a subshell and followed by a line "= <status>",
	# so an "exit" inside it cannot skip the status report; awk turns that
	# last line into its own exit status and passes the rest through the
	# filter.
	# shellcheck disable=SC2086
	{
		echo '('
		cat
		echo ')'
		echo 'echo = $?'
	} | sh $shopts |
		awk "/^= / { exit \$2 } $logfilter { print }"
}
142
# Run "ipsec whack" with the given argument string through runit and
# leave with its exit status.
whack_and_exit() {
	echo "ipsec whack $1" | runit
	exit
}

# Operations that are a single whack invocation are finished here; only
# --add and --replace fall through to the config-file path below.
case "$op" in
--ready|--rereadgroups)
	whack_and_exit "--listen" ;;
--rereadsecrets|--rereadcacerts|--rereadaacerts|--rereadocspcerts|\
--rereadacerts|--rereadcrls|--rereadall|--listalgs)
	# the whack flag is spelled exactly like the option
	whack_and_exit "$op" ;;
--listpubkeys|--listcerts|--listcacerts|--listaacerts|--listocspcerts|\
--listacerts|--listgroups|--listcainfos|--listcrls|--listocsp|\
--listcards|--listall|--purgeocsp)
	whack_and_exit "$utc $op" ;;
--up)		whack_and_exit "$async --name $names --initiate" ;;
--down)		whack_and_exit "--name $names --terminate" ;;
--delete)	whack_and_exit "$name $names --delete" ;;
--route)	whack_and_exit "--name $names --route" ;;
--unroute)	whack_and_exit "--name $names --unroute" ;;
--status)	whack_and_exit "$name $names --status" ;;
--statusall)	whack_and_exit "$name $names --statusall" ;;
esac
175
# $info is sourced as shell code when present; the awk program below reads
# defaultrouteaddr and defaultroutenexthop from the variables it defines.
test -s "$info" && . "$info"
180
# Only --add and --replace get this far (every other operation exited above).
# _confread flattens the requested ipsec.conf section(s) into a tab-separated
# record stream, the awk program turns that into a shell script of "ipsec
# whack" commands, and runit executes (or, with --showonly, displays) it.
#
# Record types read by the awk program (first field):
#   ":"  key  value   one parameter of the section
#   "!"  message      an error reported by _confread
#   "="  name         the section name
#   "."               end of the section
#
# $config and $noinclude are deliberately unquoted: each is empty or an
# option that has to split into separate words.  $op, $defaultrouteaddr,
# $defaultroutenexthop and $PATH are spliced into the awk source text and
# into the generated script verbatim (see BEGIN); a double quote in any of
# them breaks the awk program, so they have to come from trusted sources.
ipsec _confread $config $noinclude --type $type $names |
awk -v section="$type" ' BEGIN {
	FS = "\t"
	op = "'"$op"'"
	err = "cat >&2"			# destination of fatal error messages
	draddr = "'"$defaultrouteaddr"'"
	drnexthop = "'"$defaultroutenexthop"'"
	failed = 0
	s[""] = ""			# make s an array so init() can iterate over it
	init()
	# the generated script runs with the same PATH as this one
	print "PATH=\"'"$PATH"'\""
	print "export PATH"
	flip["left"] = "right"
	flip["right"] = "left"
}
# Reset the per-section state: the parameter table s[], the section name
# and the seensome flag.  n is a local.
function init(n) {
	for (n in s)
		delete s[n]
	name = ""
	seensome = 0
}
# ":" key value -- one parameter of the current section
$1 == ":" {
	s[$2] = $3
	seensome = 1
	next
}
# "!" message -- an error found by _confread
$1 == "!" {
	if ($2 != "")
		fail($2)
	next
}
# "=" name -- the section name; the first one seen wins
$1 == "=" {
	if (name == "")
		name = $2
	next
}
# "." -- end of section: emit its whack command and start afresh
$1 == "." {
	if (section == "ca")
		output_ca()
	else
		output()
	init()
	next
}
{
	fail("internal error, unknown type code " v($1))
}
# Report a fatal error on stderr and stop: exit runs the END block, which
# turns the failure into a script that cannot succeed.  Does not return.
function fail(m) {
	print "ipsec_auto: fatal error in " v(name) ": " m |err
	failed = 1
	exit
}
# s[k], if present, must be exactly "yes" or "no"
function yesno(k) {
	if ((k in s) && s[k] != "yes" && s[k] != "no")
		fail("parameter " v(k) " must be \"yes\" or \"no\"")
}
# s[k] = val unless the config already set it
function setdefault(k, val) {
	if (!(k in s))
		s[k] = val
}
# take the value of an old parameter name for a new one (unused here)
function was(new, old) {
	if (!(new in s) && (old in s))
		s[new] = s[old]
}
# s[k] must be present and non-empty
function need(k) {
	if (!(k in s))
		fail("connection has no " v(k) " parameter specified")
	if (s[k] == "")
		fail("parameter " v(k) " value must be non-empty")
}
# s[k], if present, must be an unsigned decimal integer
function integer(k) {
	if (!(k in s))
		return
	if (s[k] !~ /^[0-9]+$/)
		fail("parameter " v(k) " value must be integer")
}
# Convert s[k], if present, from nnn[smhd] to a number of seconds (a bare
# number is taken as seconds already).  n and t are locals.
function duration(k, n, t) {
	if (!(k in s))
		return
	t = s[k]
	n = substr(t, 1, length(t)-1)
	if (t ~ /^[0-9]+$/)
		s[k] = t
	else if (t ~ /^[0-9]+s$/)
		s[k] = n
	else if (t ~ /^[0-9]+(\.[0-9]+)?m$/)
		s[k] = int(n*60)
	else if (t ~ /^[0-9]+(\.[0-9]+)?h$/)
		s[k] = int(n*3600)
	else if (t ~ /^[0-9]+(\.[0-9]+)?d$/)
		s[k] = int(n*3600*24)
	else
		fail("parameter " v(k) " not valid time, must be nnn[smhd]")
}
# Install the default-route nexthop val for side dir.  A dirnexthop already
# given in the config is a fatal error; as fail() does not return, the
# final delete branch can never be reached.  k is a local.
function nexthopset(dir, val, k) {
	k = dir "nexthop"
	if (k in s)
		fail("non-default value of " k " is being overridden")
	if (val != "")
		s[k] = val
	else if (k in s)
		delete s[k]
}
# Identity of side dir: s[dirid] when given, else the address in s[dir].
# k is a local.
function id(dir, k) {
	k = dir "id"
	if (!(k in s))
		k = dir
	return s[k]
}
# Emit an "ipsec whack --label ... --keyid ..." line for the RSA key held in
# s[dir which] (which is "rsasigkey" or "rsasigkey2"); flag is inserted after
# the label (the callers pass "" or "--addkey").  %dns and %dnsonload keys
# are given by --keyid only, other values also get --pubkeyrsa.  Nothing is
# emitted for an opportunistic identity, for an empty/%none/%cert/0x00 key,
# or for a %dns key whose other side is opportunistic or %any; %dnsondemand
# emits nothing and instead sets the global kod to --dnskeyondemand for the
# caller to use.  rk and n are locals.
function whackkey(dir, which, flag, rk, n) {
	if (id(dir) == "%opportunistic")
		return
	rk = s[dir which]
	if (rk == "%dnsondemand")
	{
		kod="--dnskeyondemand"
		return
	}
	if (rk == "" || rk == "%none" || rk == "%cert" || rk == "0x00")
		return
	n = "\"\\\"" name "\\\" " dir which"\""
	if (rk == "%dns" || rk == "%dnsonload")
	{
		if (id(flip[dir]) == "%opportunistic" || s[flip[dir]] == "%any")
			return
		print "ipsec whack --label", n, flag,
			"--keyid", q(id(dir)), "\\"
	}
	else
	{
		print "ipsec whack --label", n, flag,
			"--keyid", q(id(dir)),
			"--pubkeyrsa", q(rk), "\\"
	}
	print "\t|| exit $?"
}
# Only wraps the value in double quotes, nothing is escaped: a config value
# containing a double quote, a dollar sign, a backquote or a backslash is
# interpreted by the shell that runs the generated script.
function q(str) { # quoting for shell
	return "\"" str "\""
}
function qs(k) { # utility abbreviation for q(s[k])
	return q(s[k])
}
function v(str) { # quoting for human viewing
	return "\"" str "\""
}
# Emit the "ipsec whack --name ..." command for one conn section after
# applying defaults and validating the parameters.  Every variable used
# here is an awk global (none is declared as a parameter).  The section
# name itself is printed unquoted.
function output() {
	if (!seensome)
		fail("internal error, output called inappropriately")

	# type and failureshunt select the policy flags in type_flags
	setdefault("type", "tunnel")
	type_flags = ""
	t = s["type"]
	if (t == "tunnel") {
		# do NOT default subnets to side/32, despite what
		# the docs say...
		type_flags = "--tunnel"
	} else if (t == "transport") {
		if ("leftsubnet" in s)
			fail("type=transport incompatible with leftsubnet")
		if ("rightsubnet" in s)
			fail("type=transport incompatible with rightsubnet")
		type_flags = ""
	} else if (t == "passthrough") {
		type_flags = "--pass"
	} else if (t == "drop") {
		type_flags = "--drop"
	} else if (t == "reject") {
		type_flags = "--reject"
	} else
		fail("unknown type " v(t))

	setdefault("failureshunt", "none")
	t = s["failureshunt"]
	if (t == "passthrough")
		type_flags = type_flags " --failpass";
	else if (t == "drop")
		type_flags = type_flags " --faildrop";
	else if (t == "reject")
		type_flags = type_flags " --failreject";
	else if (t != "none")
		fail("unknown failureshunt value " v(t))

	# %defaultroute on one side is replaced by the address and nexthop
	# taken from the info file (draddr/drnexthop)
	need("left")
	need("right")
	if (s["left"] == "%defaultroute") {
		if (s["right"] == "%defaultroute")
			fail("left and right cannot both be %defaultroute")
		if (draddr == "")
			fail("%defaultroute requested but not known")
		s["left"] = draddr
		nexthopset("left", drnexthop)
	} else if (s["right"] == "%defaultroute") {
		if (draddr == "")
			fail("%defaultroute requested but not known")
		s["right"] = draddr
		nexthopset("right", drnexthop)
	}

	# defaults and validation of the keying parameters; note that the
	# yesno() checks run before the corresponding setdefault()
	setdefault("keyexchange", "ike")
	if (s["keyexchange"] != "ike")
		fail("only know how to do keyexchange=ike")
	setdefault("auth", "esp")
	if (("auth" in s) && s["auth"] != "esp" && s["auth"] != "ah")
		fail("only know how to do auth=esp or auth=ah")
	yesno("pfs")

	setdefault("pfs", "yes")
	duration("dpddelay")
	duration("dpdtimeout")
	if ("dpdaction" in s)
	{
		setdefault("dpddelay",30)
		setdefault("dpdtimeout",120)
	}
	yesno("compress")
	setdefault("compress", "no")
	setdefault("keylife", "1h")
	duration("keylife")
	yesno("rekey")
	setdefault("rekey", "yes")
	setdefault("rekeymargin", "9m")
	duration("rekeymargin")
	setdefault("keyingtries", "%forever")
	if (s["keyingtries"] == "%forever")
		s["keyingtries"] = 0
	integer("keyingtries")
	if ("rekeyfuzz" in s) {
		# written as nnn% in the config; whack gets the bare number
		if (s["rekeyfuzz"] !~ /%$/)
			fail("rekeyfuzz must be nnn%")
		r = s["rekeyfuzz"]
		s["rekeyfuzz"] = substr(r, 1, length(r)-1)
		integer("rekeyfuzz")
	}
	duration("ikelifetime")
	setdefault("disablearrivalcheck", "no")

	setdefault("leftsendcert", "always")
	setdefault("rightsendcert", "always")

	setdefault("leftnexthop", "%direct")
	setdefault("rightnexthop", "%direct")
	if (s["leftnexthop"] == s["left"])
		fail("left and leftnexthop must not be the same")
	if (s["rightnexthop"] == s["right"])
		fail("right and rightnexthop must not be the same")
	if (s["leftnexthop"] == "%defaultroute") {
		if (drnexthop == "")
			fail("%defaultroute requested but not known")
		s["leftnexthop"] = drnexthop
	}
	if (s["rightnexthop"] == "%defaultroute") {
		if (drnexthop == "")
			fail("%defaultroute requested but not known")
		s["rightnexthop"] = drnexthop
	}

	# updown script: leftfirewall=yes appends " iptables" to the default
	# "ipsec _updown" and excludes an explicit leftupdown (same for right)
	if ("leftfirewall" in s && "leftupdown" in s)
		fail("cannot have both leftfirewall and leftupdown")
	if ("rightfirewall" in s && "rightupdown" in s)
		fail("cannot have both rightfirewall and rightupdown")
	setdefault("leftupdown", "ipsec _updown")
	setdefault("rightupdown", "ipsec _updown")
	setdefault("lefthostaccess", "no")
	setdefault("righthostaccess", "no")
	yesno("lefthostaccess")
	yesno("righthostaccess")
	lha = ""
	if (s["lefthostaccess"] == "yes")
		lha = "--hostaccess"
	rha = ""
	if (s["righthostaccess"] == "yes")
		rha = "--hostaccess"
	setdefault("leftfirewall", "no")
	setdefault("rightfirewall", "no")
	yesno("leftfirewall")
	yesno("rightfirewall")
	if (s["leftfirewall"] == "yes")
		s["leftupdown"] = s["leftupdown"] " iptables"
	if (s["rightfirewall"] == "yes")
		s["rightupdown"] = s["rightupdown"] " iptables"

	# authby selects authtype (--rsasig, --psk, both, or nothing for
	# "never") and, except for "never", prefixes --encrypt to type_flags;
	# with RSA and no certificate the raw key defaults to %cert and a
	# %any identity may not carry a real key
	setdefault("authby", "rsasig")
	t = s["authby"]
	if (t == "rsasig" || t == "secret|rsasig" || t == "rsasig|secret") {
		authtype = "--rsasig"
		type_flags = "--encrypt " type_flags
		if (!("leftcert" in s)) {
			setdefault("leftrsasigkey", "%cert")
			if (id("left") == "%any" &&
			    !(s["leftrsasigkey"] == "%cert" ||
			      s["leftrsasigkey"] == "0x00") )
				fail("ID " v(id("left")) " cannot have RSA key")
		}
		if (!("rightcert" in s)) {
			setdefault("rightrsasigkey", "%cert")
			if (id("right") == "%any" &&
			    !(s["rightrsasigkey"] == "%cert" ||
			      s["rightrsasigkey"] == "0x00") )
				fail("ID " v(id("right")) " cannot have RSA key")
		}
		if (t != "rsasig")
			authtype = authtype " --psk"
	} else if (t == "secret") {
		authtype = "--psk"
		type_flags = "--encrypt " type_flags
	} else if (t == "never") {
		authtype = ""
	} else {
		fail("unknown authby value " v(t))
	}

	# connection-wide whack options
	settings = type_flags
	setdefault("ike", "3des-sha,3des-md5")
	if (s["ike"] != "")
		settings = settings " --ike " qs("ike")
	setdefault("esp", "3des")
	if (s["esp"] != "")
		settings = settings " --esp " qs("esp")
	if (s["auth"] == "ah")
		settings = settings " --authenticate"
	if (s["pfs"] == "yes") {
		settings = settings " --pfs"
		if (s["pfsgroup"] != "")
			settings = settings " --pfsgroup " qs("pfsgroup")
	}

	if (s["dpdaction"])
		settings = settings " --dpdaction " qs("dpdaction")
	if (s["dpddelay"])
		settings = settings " --dpddelay " qs("dpddelay")
	if (s["dpdtimeout"])
		settings = settings " --dpdtimeout " qs("dpdtimeout")

	if (s["compress"] == "yes")
		settings = settings " --compress"
	if (op == "--replace")
		settings = settings " --delete"
	if ("ikelifetime" in s)
		settings = settings " --ikelifetime " qs("ikelifetime")
	if (s["disablearrivalcheck"] == "yes")
		settings = settings " --disablearrivalcheck"
	settings = settings " " authtype

	# per-side option strings (l* for left, r* for right), each empty
	# when the parameter is absent
	lc = ""
	rc = ""
	if ("leftsubnet" in s)
		lc = "--client " qs("leftsubnet")
	if ("rightsubnet" in s)
		rc = "--client " qs("rightsubnet")
	if ("leftsubnetwithin" in s)
		lc = lc " --clientwithin " qs("leftsubnetwithin")
	if ("rightsubnetwithin" in s)
		rc = rc " --clientwithin " qs("rightsubnetwithin")
	lp = ""
	rp = ""
	if ("leftprotoport" in s)
		lp = "--clientprotoport " qs("leftprotoport")
	if ("rightprotoport" in s)
		rp = "--clientprotoport " qs("rightprotoport")
	lud = "--updown " qs("leftupdown")
	rud = "--updown " qs("rightupdown")

	lid = ""
	if ("leftid" in s)
		lid = "--id " qs("leftid")
	rid = ""
	if ("rightid" in s)
		rid = "--id " qs("rightid")
	lsip = ""
	if ("leftsourceip" in s)
		lsip = "--srcip " qs("leftsourceip")
	rsip = ""
	if ("rightsourceip" in s)
		rsip = "--srcip " qs("rightsourceip")
	lscert = ""
	if ("leftsendcert" in s)
		lscert = "--sendcert " qs("leftsendcert")
	rscert = ""
	if ("rightsendcert" in s)
		rscert = "--sendcert " qs("rightsendcert")
	lcert = ""
	if ("leftcert" in s)
		lcert = "--cert " qs("leftcert")
	rcert = ""
	if ("rightcert" in s)
		rcert = "--cert " qs("rightcert")
	lca = ""
	if ("leftca" in s)
		lca = "--ca " qs("leftca")
	rca = ""
	if ("rightca" in s)
		rca = "--ca " qs("rightca")
	lgr = ""
	if ("leftgroups" in s)
		lgr = "--groups " qs("leftgroups")
	rgr = ""
	if ("rightgroups" in s)
		rgr = "--groups " qs("rightgroups")
	fuzz = ""
	if ("rekeyfuzz" in s)
		fuzz = "--rekeyfuzz " qs("rekeyfuzz")
	rk = ""
	if (s["rekey"] == "no")
		rk = "--dontrekey"
	pd = ""
	if ("_plutodevel" in s)
		pd = "--plutodevel " s["_plutodevel"] # not qs()

	# raw RSA keys are loaded by separate whack commands printed before
	# the connection itself; kod collects --dnskeyondemand per side
	lkod = ""
	rkod = ""
	if (authtype != "--psk") {
		kod = ""
		whackkey("left", "rsasigkey", "")
		whackkey("left", "rsasigkey2", "--addkey")
		lkod = kod
		kod = ""
		whackkey("right", "rsasigkey", "")
		whackkey("right", "rsasigkey2", "--addkey")
		rkod = kod
	}
	print "ipsec whack --name", name, settings, "\\"
	print "\t--host", qs("left"), lc, lp, "--nexthop",
		qs("leftnexthop"), lud, lha, lid, lkod, lscert, lcert, lca, lsip, lgr, "\\"
	print "\t--to", "--host", qs("right"), rc, rp, "--nexthop",
		qs("rightnexthop"), rud, rha, rid, rkod, rscert, rcert, rca, rsip, rgr, "\\"
	print "\t--ipseclifetime", qs("keylife"),
		"--rekeymargin", qs("rekeymargin"), "\\"
	print "\t--keyingtries", qs("keyingtries"), fuzz, rk, pd, "\\"
	print "\t|| exit $?"
}
# Emit the "ipsec whack --caname ..." command for one ca section; --replace
# passes --delete along with the new definition.  All variables are globals.
function output_ca() {
	if (!seensome)
		fail("internal error, output called inappropriately")
	settings = ""
	if (op == "--replace")
		settings = "--delete"
	cacert = ""
	if ("cacert" in s)
		cacert = "--cacert " qs("cacert")
	ldaphost = ""
	if ("ldaphost" in s)
		ldaphost = "--ldaphost " qs("ldaphost")
	ldapbase = ""
	if ("ldapbase" in s)
		ldapbase = "--ldapbase " qs("ldapbase")
	crluri = ""
	if ("crluri" in s)
		crluri = "--crluri " qs("crluri")
	crluri2 = ""
	if ("crluri2" in s)
		crluri2 = "--crluri2 " qs("crluri2")
	ocspuri = ""
	if ("ocspuri" in s)
		ocspuri = "--ocspuri " qs("ocspuri")
	yesno("strictcrlpolicy")
	setdefault("strictcrlpolicy", "no")
	if (s["strictcrlpolicy"] == "yes")
		settings = settings " --strictcrlpolicy"
	yesno("cachecrls")
	setdefault("cachecrls", "no")
	if (s["cachecrls"] == "yes")
		settings = settings " --cachecrls"

	print "ipsec whack --caname", name, settings, cacert, ldaphost, ldapbase,
		crluri, crluri2, ocspuri, "\\"
	print "\t|| exit $?"
}
# Reached at end of input and from every fail() call.
END {
	if (failed) {
		print "# fatal error discovered, force failure using \"false\" command"
		print "false"
		exit 1 # just on general principles
	}
	# a last section not terminated by a "." record is output here
	if (seensome) {
		if (section == "ca")
			output_ca()
		else
			output()
	}
}' | runit