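#!/bin/sh /etc/rc.common
#
# OpenWrt init script for strongSwan (ipsec).  The static files under /etc
# stay the administrator's own configuration; each one is made to `include`
# its /var/ipsec counterpart, and the conn / secret / charon settings
# generated from UCI are appended to the /var/ipsec files.

# strongSwan starter binary that procd launches ("$PROG --daemon charon").
PROG=/usr/lib/ipsec/starter

# OpenWrt shell helpers (config_get, config_foreach, append, ...).
# Quoted so an IPKG_INSTROOT containing whitespace cannot split the path.
. "$IPKG_INSTROOT/lib/functions.sh"

# Static configuration files (hand-maintained; only an include line is added).
IPSEC_SECRETS_FILE=/etc/ipsec.secrets
IPSEC_CONN_FILE=/etc/ipsec.conf
STRONGSWAN_CONF_FILE=/etc/strongswan.conf

# Files regenerated from UCI on every start/reload.
# NOTE(review): the generated secrets file receives pre-shared keys in
# clear text (": PSK ..." lines), so the mode it is created with — not
# visible in this part of the script — is worth confirming.
IPSEC_VAR_SECRETS_FILE=/var/ipsec/ipsec.secrets
IPSEC_VAR_CONN_FILE=/var/ipsec/ipsec.conf
STRONGSWAN_VAR_CONF_FILE=/var/ipsec/strongswan.conf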
27 echo "${@}" >> "${file}"
34 sed -i "\_${include}_d" "${file}"
38 remove_include
"${IPSEC_CONN_FILE}" "${IPSEC_VAR_CONN_FILE}"
39 remove_include
"${IPSEC_SECRETS_FILE}" "${IPSEC_VAR_SECRETS_FILE}"
40 remove_include
"${STRONGSWAN_CONF_FILE}" "${STRONGSWAN_VAR_CONF_FILE}"
46 local backup
=`mktemp -t -p /tmp/ ipsec-init-XXXXXX`
48 [ ! -f "${conf}" ] && rm -rf "${conf}"
51 cat "${conf}" | grep -v "${uciconf}" > "${backup}"
52 mv "${backup}" "${conf}"
53 xappend
"${conf}" "include ${uciconf}"
54 file_reset
"${uciconf}"
58 do_include
"${IPSEC_CONN_FILE}" "${IPSEC_VAR_CONN_FILE}"
62 xappend
"${IPSEC_VAR_CONN_FILE}" "$@"
66 do_include
"${STRONGSWAN_CONF_FILE}" "${STRONGSWAN_VAR_CONF_FILE}"
70 xappend
"${STRONGSWAN_VAR_CONF_FILE}" "$@"
74 do_include
"${IPSEC_SECRETS_FILE}" "${IPSEC_VAR_SECRETS_FILE}"
78 xappend
"${IPSEC_VAR_SECRETS_FILE}" "$@"
82 echo "WARNING: $@" >&2
85 add_crypto_proposal
() {
86 local encryption_algorithm
90 config_get encryption_algorithm
"$1" encryption_algorithm
91 config_get hash_algorithm
"$1" hash_algorithm
92 config_get dh_group
"$1" dh_group
94 [ -n "${encryption_algorithm}" ] && \
95 crypto
="${crypto:+${crypto},}${encryption_algorithm}${hash_algorithm:+-${hash_algorithm}}${dh_group:+-${dh_group}}"
98 set_crypto_proposal
() {
104 config_get crypto_proposal
"$conf" crypto_proposal
""
105 for proposal
in $crypto_proposal; do
106 add_crypto_proposal
"$proposal"
109 [ -n "${crypto}" ] && {
110 local force_crypto_proposal
112 config_get_bool force_crypto_proposal
"$conf" force_crypto_proposal
114 [ "${force_crypto_proposal}" = "1" ] && crypto
="${crypto}!"
117 crypto_proposal
="${crypto}"
121 # Generic ipsec conn section shared by tunnel and transport
129 local remote_sourceip
131 local remote_firewall
141 config_get mode
"$1" mode
"route"
142 config_get local_subnet
"$1" local_subnet
""
143 config_get local_nat
"$1" local_nat
""
144 config_get local_sourceip
"$1" local_sourceip
""
145 config_get local_updown
"$1" local_updown
""
146 config_get local_firewall
"$1" local_firewall
""
147 config_get remote_subnet
"$1" remote_subnet
""
148 config_get remote_sourceip
"$1" remote_sourceip
""
149 config_get remote_updown
"$1" remote_updown
""
150 config_get remote_firewall
"$1" remote_firewall
""
151 config_get ikelifetime
"$1" ikelifetime
"3h"
152 config_get lifetime
"$1" lifetime
"1h"
153 config_get margintime
"$1" margintime
"9m"
154 config_get keyingtries
"$1" keyingtries
"3"
155 config_get dpdaction
"$1" dpdaction
"none"
156 config_get dpddelay
"$1" dpddelay
"30s"
157 config_get inactivity
"$1" inactivity
158 config_get keyexchange
"$1" keyexchange
"ikev2"
160 [ -n "$local_nat" ] && local_subnet
=$local_nat
162 ipsec_xappend
"conn $config_name-$1"
163 ipsec_xappend
" left=%any"
164 ipsec_xappend
" right=$remote_gateway"
166 [ -n "$local_sourceip" ] && ipsec_xappend
" leftsourceip=$local_sourceip"
167 [ -n "$local_subnet" ] && ipsec_xappend
" leftsubnet=$local_subnet"
169 [ -n "$local_firewall" ] && ipsec_xappend
" leftfirewall=$local_firewall"
170 [ -n "$remote_firewall" ] && ipsec_xappend
" rightfirewall=$remote_firewall"
172 ipsec_xappend
" ikelifetime=$ikelifetime"
173 ipsec_xappend
" lifetime=$lifetime"
174 ipsec_xappend
" margintime=$margintime"
175 ipsec_xappend
" keyingtries=$keyingtries"
176 ipsec_xappend
" dpdaction=$dpdaction"
177 ipsec_xappend
" dpddelay=$dpddelay"
179 [ -n "$inactivity" ] && ipsec_xappend
" inactivity=$inactivity"
181 if [ "$auth_method" = "psk" ]; then
182 ipsec_xappend
" leftauth=psk"
183 ipsec_xappend
" rightauth=psk"
185 [ "$remote_sourceip" != "" ] && ipsec_xappend
" rightsourceip=$remote_sourceip"
186 [ "$remote_subnet" != "" ] && ipsec_xappend
" rightsubnet=$remote_subnet"
188 ipsec_xappend
" auto=$mode"
190 warning
"AuthenticationMethod $auth_method not supported"
193 [ -n "$local_identifier" ] && ipsec_xappend
" leftid=$local_identifier"
194 [ -n "$remote_identifier" ] && ipsec_xappend
" rightid=$remote_identifier"
195 [ -n "$local_updown" ] && ipsec_xappend
" leftupdown=$local_updown"
196 [ -n "$remote_updown" ] && ipsec_xappend
" rightupdown=$remote_updown"
197 ipsec_xappend
" keyexchange=$keyexchange"
199 set_crypto_proposal
"$1"
200 [ -n "${crypto_proposal}" ] && ipsec_xappend
" esp=$crypto_proposal"
201 [ -n "${ike_proposal}" ] && ipsec_xappend
" ike=$ike_proposal"
207 # Specific for the tunnel part
208 ipsec_xappend
" type=tunnel"
214 # Specific for the transport part
215 ipsec_xappend
" type=transport"
226 config_get_bool enabled
"$1" enabled
0
227 [ $enabled -eq 0 ] && return
229 config_get gateway
"$1" gateway
230 config_get pre_shared_key
"$1" pre_shared_key
231 config_get auth_method
"$1" authentication_method
232 config_get local_identifier
"$1" local_identifier
""
233 config_get remote_identifier
"$1" remote_identifier
""
235 [ "$gateway" = "any" ] && remote_gateway
="%any" || remote_gateway
="$gateway"
237 [ -z "$local_identifier" ] && {
240 [ "$remote_gateway" = "%any" ] && ipdest
="1.1.1.1" || ipdest
="$remote_gateway"
241 local_gateway
=`ip route get $ipdest | awk -F"src" '/src/{gsub(/ /,"");print $2}'`
244 [ -n "$local_identifier" ] && secret_xappend
-n "$local_identifier " || secret_xappend
-n "$local_gateway "
245 [ -n "$remote_identifier" ] && secret_xappend
-n "$remote_identifier " || secret_xappend
-n "$remote_gateway "
247 secret_xappend
": PSK \"$pre_shared_key\""
249 set_crypto_proposal
"$1"
250 ike_proposal
="$crypto_proposal"
252 config_list_foreach
"$1" tunnel config_tunnel
254 config_list_foreach
"$1" transport config_transport
261 local rtinstall_enabled
262 local routing_tables_ignored
264 local routing_table_id
272 ipsec_xappend
"# generated by /etc/init.d/ipsec"
273 ipsec_xappend
"version 2"
276 secret_xappend
"# generated by /etc/init.d/ipsec"
278 config_get debug
"$1" debug
0
279 config_get_bool rtinstall_enabled
"$1" rtinstall_enabled
1
280 [ $rtinstall_enabled -eq 1 ] && install_routes
=yes || install_routes
=no
282 # prepare extra charon config option ignore_routing_tables
283 for routing_table
in $
(config_get
"$1" "ignore_routing_tables"); do
284 if [ "$routing_table" -ge 0 ] 2>/dev
/null
; then
285 routing_table_id
=$routing_table
287 routing_table_id
=$
(sed -n '/[ \t]*[0-9]\+[ \t]\+'$routing_table'[ \t]*$/s/[ \t]*\([0-9]\+\).*/\1/p' /etc
/iproute
2/rt_tables
)
290 [ -n "$routing_table_id" ] && append routing_tables_ignored
"$routing_table_id"
293 swan_xappend
"# generated by /etc/init.d/ipsec"
294 swan_xappend
"charon {"
295 swan_xappend
" load_modular = yes"
296 swan_xappend
" install_routes = $install_routes"
297 [ -n "$routing_tables_ignored" ] && swan_xappend
" ignore_routing_tables = $routing_tables_ignored"
298 swan_xappend
" plugins {"
299 swan_xappend
" include /etc/strongswan.d/charon/*.conf"
301 swan_xappend
" syslog {"
302 swan_xappend
" identifier = ipsec"
303 swan_xappend
" daemon {"
304 swan_xappend
" default = $debug"
306 swan_xappend
" auth {"
307 swan_xappend
" default = $debug"
317 config_foreach config_ipsec ipsec
318 config_foreach config_remote remote
323 if ipsec status
> /dev
/null
2>&1; then
332 procd_add_reload_trigger
"ipsec"
340 procd_set_param
command $PROG --daemon charon
--nofork
342 procd_set_param
file $IPSEC_CONN_FILE
343 procd_append_param
file $IPSEC_SECRETS_FILE
344 procd_append_param
file $STRONGSWAN_CONF_FILE
345 procd_append_param
file /etc
/strongswan.d
/*.conf
346 procd_append_param
file /etc
/strongswan.d
/charon
/*.conf
348 procd_set_param respawn