1 #!/bin/sh /etc/rc.common
# strongSwan "starter" binary; procd launches it in the foreground further
# down in this file (procd_set_param command $PROG --daemon charon --nofork).
PROG=/usr/lib/ipsec/starter

. $IPKG_INSTROOT/lib/functions.sh
. $IPKG_INSTROOT/lib/functions/network.sh

# Operator-maintained strongSwan files in /etc.  This script does not write
# configuration into them; the include helper (do_include) only strips and
# re-adds a single `include <generated file>` line in each, so hand-edited
# content survives a restart.
IPSEC_SECRETS_FILE=/etc/ipsec.secrets
IPSEC_CONN_FILE=/etc/ipsec.conf
STRONGSWAN_CONF_FILE=/etc/strongswan.conf

# Generated counterparts, rebuilt from UCI by the config_* handlers whenever
# the service is (re)started or reloaded.  The generated ipsec.secrets
# carries the pre-shared keys from UCI in plaintext, so the mode of
# /var/ipsec and of that file matters as much as that of /etc/ipsec.secrets.
IPSEC_VAR_SECRETS_FILE=/var/ipsec/ipsec.secrets
IPSEC_VAR_CONN_FILE=/var/ipsec/ipsec.conf
STRONGSWAN_VAR_CONF_FILE=/var/ipsec/strongswan.conf
# Append the remaining arguments, joined by spaces, as one line of ${file}
# (${file} is assigned on a line not shown in this excerpt).  The arguments
# go to the shell's built-in echo, which the callers both rely on and must
# be careful with: secret_xappend passes a literal `-n` as the first
# argument so that the secrets selector and the PSK end up on one line,
# and therefore a value that itself starts with `-` (an identifier taken
# from UCI, a PSK) must never arrive as the first argument, or echo treats
# it as an option.  Backslash sequences may also be interpreted depending
# on the echo implementation.  printf '%s' would be the safe replacement
# once the `-n` callers are adjusted.
echo "${@}" >> "${file}"
# Delete every line of ${file} that contains ${include}.  `_` is the sed
# address delimiter so the `/`s in the path need no escaping, but the path
# is still matched as a regular expression (`.` matches any character) and
# every line containing it is removed, not only the `include` line.  That
# is acceptable only because ${include} is always one of the fixed
# /var/ipsec paths defined at the top of this file, never operator input.
sed -i "\_${include}_d" "${file}"
# Strip the previously added `include` lines from the three static /etc
# files before do_include re-adds them.  Only the fixed path constants are
# passed, so the regex-based deletion in remove_include never sees
# untrusted text.
remove_include "${IPSEC_CONN_FILE}" "${IPSEC_VAR_CONN_FILE}"
remove_include "${IPSEC_SECRETS_FILE}" "${IPSEC_VAR_SECRETS_FILE}"
remove_include "${STRONGSWAN_CONF_FILE}" "${STRONGSWAN_VAR_CONF_FILE}"
# Scratch file for rewriting ${conf}; mktemp picks an unpredictable name and
# creates the file with a private mode.  Its exit status is not checked.
local backup=`mktemp -t -p /tmp/ ipsec-init-XXXXXX`

# If ${conf} exists but is not a regular file (directory, dangling symlink),
# get rid of it so the rewrite below produces a plain file.
[ ! -f "${conf}" ] && rm -rf "${conf}"

# Copy ${conf} minus every line mentioning ${uciconf}, move the copy over
# the original, then append exactly one include line.  Caveats:
#  - ${uciconf} is used as an unescaped grep pattern; harmless here because
#    it is always one of this file's fixed /var/ipsec paths.
#  - mv keeps the temp file's identity, so ${conf} ends up with mktemp's
#    owner and private mode rather than whatever it had before.  For
#    ipsec.secrets that is the desired outcome; for ipsec.conf and
#    strongswan.conf it means a deliberately relaxed mode does not survive.
#  - neither grep's nor mv's status is checked and the script does not run
#    under `set -e`; if mv fails, ${conf} is left as it was and the include
#    line below is appended anyway (possibly duplicating an existing one).
cat "${conf}" | grep -v "${uciconf}" > "${backup}"
mv "${backup}" "${conf}"
xappend "${conf}" "include ${uciconf}"
# Truncate the generated file so the config_* handlers start from scratch.
# NOTE(review): file_reset is defined outside this excerpt; whether it
# creates ${uciconf} with a restrictive mode is not visible here and is
# worth confirming for the secrets file, which receives plaintext PSKs.
file_reset "${uciconf}"
# The lines below are the one-line bodies of small wrapper functions; their
# `name() {` / `}` lines are not part of this excerpt.

# Register /var/ipsec/ipsec.conf as an include of /etc/ipsec.conf and
# truncate it (see do_include).
do_include "${IPSEC_CONN_FILE}" "${IPSEC_VAR_CONN_FILE}"
# Append one line to the generated ipsec.conf; arguments go straight to
# echo via xappend.
xappend "${IPSEC_VAR_CONN_FILE}" "$@"
# Same pair for the generated strongswan.conf.
do_include "${STRONGSWAN_CONF_FILE}" "${STRONGSWAN_VAR_CONF_FILE}"
xappend "${STRONGSWAN_VAR_CONF_FILE}" "$@"
# Same pair for the generated ipsec.secrets, which will hold the UCI PSKs.
do_include "${IPSEC_SECRETS_FILE}" "${IPSEC_VAR_SECRETS_FILE}"
xappend "${IPSEC_VAR_SECRETS_FILE}" "$@"
# Diagnostics go to stderr so they are never mixed into a generated file.
echo "WARNING: $@" >&2
# Append the proposal described by UCI section $1 to the accumulated global
# `crypto` string shared with set_crypto_proposal.  encryption_algorithm is
# mandatory; hash_algorithm and dh_group are joined with `-` only when set,
# giving the `enc[-hash][-dh]` form ipsec.conf expects.  A section without
# encryption_algorithm is skipped silently, and no value is validated here
# (strongSwan rejects unknown names when it loads the file).
# (Lines declaring hash_algorithm/dh_group and the closing `}` are not in
# this excerpt.)
add_crypto_proposal() {
	local encryption_algorithm
	config_get encryption_algorithm "$1" encryption_algorithm
	config_get hash_algorithm "$1" hash_algorithm
	config_get dh_group "$1" dh_group

	# Comma-join onto whatever earlier sections already contributed.
	[ -n "${encryption_algorithm}" ] && \
	crypto="${crypto:+${crypto},}${encryption_algorithm}${hash_algorithm:+-${hash_algorithm}}${dh_group:+-${dh_group}}"
# Build the ike=/esp= proposal string for the UCI section named in $conf and
# leave it in the global `crypto_proposal` (empty when the section lists no
# proposals).  The section's space-separated crypto_proposal option names
# proposal sections that add_crypto_proposal turns into enc[-hash][-dh]
# entries; note the same variable name is reused for that list and then
# overwritten with the result.  ($conf, the reset of $crypto and the loop's
# `done` are on lines not shown in this excerpt.)
set_crypto_proposal() {
	config_get crypto_proposal "$conf" crypto_proposal ""
	for proposal in $crypto_proposal; do
		add_crypto_proposal "$proposal"

	# Security note: per ipsec.conf(5) the daemon appends its own default
	# proposal list to a configured ike=/esp= value unless the value ends in
	# `!`.  So unless the section sets force_crypto_proposal=1, the suites
	# configured here are NOT the only ones offered or accepted.
	[ -n "${crypto}" ] && {
		local force_crypto_proposal

		config_get_bool force_crypto_proposal "$conf" force_crypto_proposal

		[ "${force_crypto_proposal}" = "1" ] && crypto="${crypto}!"

	crypto_proposal="${crypto}"
# Generic ipsec conn section shared by tunnel and transport.
# Emits one `conn $config_name-$1` block into the generated ipsec.conf from
# the UCI tunnel/transport section $1.  Uses globals presumably set by the
# enclosing remote section's handler (not visible here): remote_gateway,
# auth_method, local_identifier, remote_identifier, ike_proposal and
# config_name.
local remote_sourceip
local remote_firewall

# Defaults worth knowing: auto=route (per ipsec.conf(5) a trap policy that
# brings the SA up on the first matching packet), IKEv2, 3h IKE and 1h
# CHILD_SA lifetimes, and dpdaction=none, i.e. dead-peer detection stays
# off unless the section sets dpdaction explicitly.
config_get mode "$1" mode "route"
config_get local_subnet "$1" local_subnet ""
config_get local_nat "$1" local_nat ""
config_get local_sourceip "$1" local_sourceip ""
config_get local_leftip "$1" local_leftip "%any"
config_get local_updown "$1" local_updown ""
config_get local_firewall "$1" local_firewall ""
config_get remote_subnet "$1" remote_subnet ""
config_get remote_sourceip "$1" remote_sourceip ""
config_get remote_updown "$1" remote_updown ""
config_get remote_firewall "$1" remote_firewall ""
config_get ikelifetime "$1" ikelifetime "3h"
config_get lifetime "$1" lifetime "1h"
config_get margintime "$1" margintime "9m"
config_get keyingtries "$1" keyingtries "3"
config_get dpdaction "$1" dpdaction "none"
config_get dpddelay "$1" dpddelay "30s"
config_get inactivity "$1" inactivity
config_get keyexchange "$1" keyexchange "ikev2"
config_get reqid "$1" reqid
config_get packet_marker "$1" packet_marker

# local_nat, when set, takes the place of local_subnet in leftsubnet=.
[ -n "$local_nat" ] && local_subnet=$local_nat

# All values are written into ipsec.conf verbatim and unquoted; a UCI value
# containing whitespace or `#` would not survive as intended.
ipsec_xappend "conn $config_name-$1"
ipsec_xappend " left=$local_leftip"
ipsec_xappend " right=$remote_gateway"

[ -n "$local_sourceip" ] && ipsec_xappend " leftsourceip=$local_sourceip"
[ -n "$local_subnet" ] && ipsec_xappend " leftsubnet=$local_subnet"

[ -n "$local_firewall" ] && ipsec_xappend " leftfirewall=$local_firewall"
[ -n "$remote_firewall" ] && ipsec_xappend " rightfirewall=$remote_firewall"

ipsec_xappend " ikelifetime=$ikelifetime"
ipsec_xappend " lifetime=$lifetime"
ipsec_xappend " margintime=$margintime"
ipsec_xappend " keyingtries=$keyingtries"
ipsec_xappend " dpdaction=$dpdaction"
ipsec_xappend " dpddelay=$dpddelay"

[ -n "$inactivity" ] && ipsec_xappend " inactivity=$inactivity"
[ -n "$reqid" ] && ipsec_xappend " reqid=$reqid"

# Only pre-shared-key authentication is implemented: leftauth/rightauth,
# the remote selectors and auto= are emitted for it alone.
if [ "$auth_method" = "psk" ]; then
ipsec_xappend " leftauth=psk"
ipsec_xappend " rightauth=psk"

[ "$remote_sourceip" != "" ] && ipsec_xappend " rightsourceip=$remote_sourceip"
[ "$remote_subnet" != "" ] && ipsec_xappend " rightsubnet=$remote_subnet"

ipsec_xappend " auto=$mode"
# Any other authentication_method only warns (the `else`/`fi` around this
# line are not in this excerpt).  As far as visible here the lines that
# follow are emitted regardless, so an unsupported method still leaves a
# partial conn block -- without leftauth/rightauth and without auto= -- in
# the generated ipsec.conf rather than being rejected outright.
warning "AuthenticationMethod $auth_method not supported"

# Identities, updown hooks and packet mark.  leftupdown/rightupdown name
# scripts that charon executes on SA up/down with its own privileges, so
# write access to these UCI options is equivalent to code execution as the
# daemon's user.
[ -n "$local_identifier" ] && ipsec_xappend " leftid=$local_identifier"
[ -n "$remote_identifier" ] && ipsec_xappend " rightid=$remote_identifier"
[ -n "$local_updown" ] && ipsec_xappend " leftupdown=$local_updown"
[ -n "$remote_updown" ] && ipsec_xappend " rightupdown=$remote_updown"
[ -n "$packet_marker" ] && ipsec_xappend " mark=$packet_marker"
ipsec_xappend " keyexchange=$keyexchange"

# esp= comes from this tunnel/transport section's own proposals; ike= is
# the proposal the remote section computed.  Neither pins the negotiated
# suite unless force_crypto_proposal appended `!` (see set_crypto_proposal).
set_crypto_proposal "$1"
[ -n "${crypto_proposal}" ] && ipsec_xappend " esp=$crypto_proposal"
[ -n "${ike_proposal}" ] && ipsec_xappend " ike=$ike_proposal"
# Tunnel-mode conn: the shared section is presumably emitted first by a
# call on a line not shown here; this fixes the SA type to tunnel.
# Specific for the tunnel part
ipsec_xappend " type=tunnel"

# Transport-mode conn: same, with type=transport.  Transport mode protects
# traffic between the two endpoints themselves rather than between subnets.
# Specific for the transport part
ipsec_xappend " type=transport"
# Handler for one UCI `remote` section ($1): writes the PSK selector line
# into the generated ipsec.secrets, computes the IKE proposal and then emits
# every tunnel/transport listed in the section.
config_get_bool enabled "$1" enabled 0
# Sections are opt-in: an absent or 0 `enabled` generates nothing.
[ $enabled -eq 0 ] && return

config_get gateway "$1" gateway
config_get pre_shared_key "$1" pre_shared_key
config_get auth_method "$1" authentication_method
config_get local_identifier "$1" local_identifier ""
config_get remote_identifier "$1" remote_identifier ""

# gateway=any becomes strongSwan's %any (peer may connect from anywhere).
[ "$gateway" = "any" ] && remote_gateway="%any" || remote_gateway="$gateway"

# Without an explicit local identifier the secrets selector falls back to
# the local source address the kernel would use towards the peer (towards
# 1.1.1.1 when the peer is %any).  `ip route get` is a routing-table
# lookup; no packet is sent.  Caveats: $ipdest is unquoted (a gateway value
# with whitespace becomes extra arguments -- quote it), the result is fixed
# at generation time so a later address change needs a reload, and the
# closing `}` of this group is on a line not shown here.
[ -z "$local_identifier" ] && {
[ "$remote_gateway" = "%any" ] && ipdest="1.1.1.1" || ipdest="$remote_gateway"
local_gateway=`ip route get $ipdest | awk -F"src" '/src/{gsub(/ /,"");print $2}'`

# Secrets line: `<local id|addr> <remote id|addr> : PSK "<key>"`; the two
# selector parts are written with `-n` so everything lands on one line.
[ -n "$local_identifier" ] && secret_xappend -n "$local_identifier " || secret_xappend -n "$local_gateway "
[ -n "$remote_identifier" ] && secret_xappend -n "$remote_identifier " || secret_xappend -n "$remote_gateway "
# The key is interpolated verbatim between double quotes with no escaping:
# a PSK containing `"` cannot be represented and yields a malformed line,
# an empty pre_shared_key silently produces `: PSK ""`, and the line is
# written whatever authentication_method says.  The generated secrets file
# thus holds the key in plaintext for every enabled section.
secret_xappend ": PSK \"$pre_shared_key\""

# The remote section's proposals become ike= for all of its conns; each
# tunnel/transport section supplies its own esp= later.
set_crypto_proposal "$1"
ike_proposal="$crypto_proposal"

config_list_foreach "$1" tunnel config_tunnel

config_list_foreach "$1" transport config_transport
# Handler for the single UCI `ipsec` section ($1): writes the headers of
# the generated files, then the charon block of strongswan.conf.
local rtinstall_enabled
local routing_tables_ignored
local routing_table_id

ipsec_xappend "# generated by /etc/init.d/ipsec"
# ipsec.conf format marker.
ipsec_xappend "version 2"

secret_xappend "# generated by /etc/init.d/ipsec"

# `debug` becomes charon's log level for the daemon and auth subsystems.
# Keep it at 0 on production units: strongSwan's levels grow progressively
# more verbose and the highest one logs sensitive material, keys included.
config_get debug "$1" debug 0
# Whether charon installs its own routes for the SAs (charon.install_routes).
config_get_bool rtinstall_enabled "$1" rtinstall_enabled 1
[ $rtinstall_enabled -eq 1 ] && install_routes=yes || install_routes=no

# prepare extra charon config option ignore_routing_tables
# Each entry is either a numeric table id or a name that is resolved via
# /etc/iproute2/rt_tables on the lines that follow.  (The `else`, `fi` and
# `done` of this loop are on lines not shown here.)
for routing_table in $(config_get "$1" "ignore_routing_tables"); do
# test(1) errors out on a non-number; silencing stderr turns that into
# "false", i.e. the name-lookup branch.
if [ "$routing_table" -ge 0 ] 2>/dev/null; then
routing_table_id=$routing_table
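# Resolve a routing-table name to its numeric id via /etc/iproute2/rt_tables
# (lines are `<id> <name>`, `#` starts a comment).  The name is handed to
# awk as a variable instead of being spliced into the pattern, so a name
# containing regex metacharacters, `/` or whitespace can neither break the
# lookup nor alter the expression; the match is exact, as the anchored
# regex it replaces intended.  Requiring a purely numeric first field also
# stops commented-out entries (`#1 inr.ruhep`) from resolving to `#1`.
routing_table_id=$(awk -v name="$routing_table" 'NF == 2 && $1 ~ /^[0-9]+$/ && $2 == name { print $1 }' /etc/iproute2/rt_tables)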
# Unknown names resolve to nothing and are dropped silently.
[ -n "$routing_table_id" ] && append routing_tables_ignored "$routing_table_id"

# Resolve the UCI `interface` list to kernel devices.  If at least one is
# listed but none resolves (network not up yet), WAIT_FOR_INTF=1 makes the
# start path (`[ $WAIT_FOR_INTF -eq 1 ] && return` below) bail out until an
# interface trigger reloads the service.  (The then-branch, `else`, `done`
# and `fi` of this block are on lines not shown here.)
local interface_list=$(config_get "$1" "interface")
if [ -z "$interface_list" ]; then

for interface in $interface_list; do
network_get_device device $interface
[ -n "$device" ] && append device_list "$device" ","

[ -n "$device_list" ] && WAIT_FOR_INTF=0 || WAIT_FOR_INTF=1

# charon section of the generated strongswan.conf.  interfaces_use limits
# the daemon to the resolved devices; the per-plugin files under
# /etc/strongswan.d/charon are included as-is, so their modes matter too.
# (Closing braces of the nested blocks are on lines not shown here.)
swan_xappend "# generated by /etc/init.d/ipsec"
swan_xappend "charon {"
swan_xappend " load_modular = yes"
swan_xappend " install_routes = $install_routes"
[ -n "$routing_tables_ignored" ] && swan_xappend " ignore_routing_tables = $routing_tables_ignored"
[ -n "$device_list" ] && swan_xappend " interfaces_use = $device_list"
swan_xappend " plugins {"
swan_xappend " include /etc/strongswan.d/charon/*.conf"

# Syslog logging for the daemon and auth subsystems at the UCI `debug`
# level (0 = basic).
swan_xappend " syslog {"
swan_xappend " identifier = ipsec"
swan_xappend " daemon {"
swan_xappend " default = $debug"

swan_xappend " auth {"
swan_xappend " default = $debug"
# Generate the three /var/ipsec files from UCI: the single `ipsec` section
# first (headers and the charon block), then every enabled `remote`.
config_foreach config_ipsec ipsec
config_foreach config_remote remote

# Probe whether charon is already running; output is discarded and only
# the exit status is of interest (the lines acting on it are not in this
# excerpt).
ipsec status > /dev/null 2>&1

# Only continue when config_ipsec resolved a usable interface device
# (the body of this group is on lines not shown here).
[ $WAIT_FOR_INTF -eq 0 ] && {
# Register one procd interface trigger per network interface listed in the
# UCI `ipsec` section $1: any `interface.*` event on it (up, down, address
# change) runs `/etc/init.d/ipsec reload`.  That is what retries a start
# that bailed out with WAIT_FOR_INTF=1 once the device exists, and --
# presumably via the same reload path -- regenerates the /var/ipsec files,
# secrets included, on every such event.  (The loop's `done` and the
# function's `}` are on lines not shown here.)
check_ipsec_interface() {
	for intf in $(config_get "$1" interface); do
		procd_add_interface_trigger "interface.*" "$intf" /etc/init.d/ipsec reload

# Reload on any change to the `ipsec` UCI package as well; the enclosing
# trigger function's own lines are not part of this excerpt.
procd_add_reload_trigger "ipsec"
config_foreach check_ipsec_interface ipsec
# Start path: give up while no configured interface has a device yet; the
# interface trigger registered by check_ipsec_interface reloads us later.
[ $WAIT_FOR_INTF -eq 1 ] && return

# Run starter in the foreground so procd supervises charon directly.  No
# `procd_set_param user`/`group` appears in this excerpt, so as far as is
# visible here the daemon keeps root -- needed for XFRM/route setup, but
# it also means the updown scripts taken from UCI run as root.
procd_set_param command $PROG --daemon charon --nofork

# Files whose change makes procd restart the instance on reload.  The
# generated /var/ipsec files are deliberately not among them; reload of
# those relies on the UCI trigger instead.  The two globs are expanded by
# the shell here, at registration time, so files added later are not
# watched until the next start.
procd_set_param file $IPSEC_CONN_FILE
procd_append_param file $IPSEC_SECRETS_FILE
procd_append_param file $STRONGSWAN_CONF_FILE
procd_append_param file /etc/strongswan.d/*.conf
procd_append_param file /etc/strongswan.d/charon/*.conf

# Restart charon if it dies, with procd's default respawn thresholds.
procd_set_param respawn