#!/bin/sh /etc/rc.common

# strongSwan (ipsec) procd init script. The UCI "ipsec" config is rendered
# into generated files under /var/ipsec, which the static /etc files include.
START=90
STOP=10

USE_PROCD=1
PROG=/usr/lib/ipsec/starter

# OpenWrt helpers: config_load/config_get/append and network_get_device
. "${IPKG_INSTROOT}/lib/functions.sh"
. "${IPKG_INSTROOT}/lib/functions/network.sh"

# static configuration files that receive an "include" line
IPSEC_SECRETS_FILE=/etc/ipsec.secrets
IPSEC_CONN_FILE=/etc/ipsec.conf
STRONGSWAN_CONF_FILE=/etc/strongswan.conf

# generated counterparts, rewritten on every start/reload
IPSEC_VAR_SECRETS_FILE=/var/ipsec/ipsec.secrets
IPSEC_VAR_CONN_FILE=/var/ipsec/ipsec.conf
STRONGSWAN_VAR_CONF_FILE=/var/ipsec/strongswan.conf

# set to 1 by config_ipsec when interfaces are configured but none of them
# has a device yet; start_service then defers until an interface trigger fires
WAIT_FOR_INTF=0

# Truncate (or create) the file given as $1, leaving it empty.
file_reset() {
	local target="$1"

	true > "${target}"
}

# Append one line to a file.
# Arguments: $1 - file to append to; remaining arguments are handed to echo
#            as the line. A leading -n is passed through to echo, which
#            callers (secret_xappend) use to build one line from several pieces.
xappend() {
	local target="$1"
	shift

	echo "$@" >> "${target}"
}

# Delete every line of file $1 that matches $2 (a path).
# $2 is spliced into the sed address unescaped, with "_" as the delimiter so
# the "/" in paths needs no escaping; callers only pass the fixed paths from
# the top of this file, it is not meant for arbitrary input.
remove_include() {
	local target="$1"
	local pattern="$2"

	sed -i "\_${pattern}_d" "${target}"
}

# Strip the "include /var/ipsec/..." lines from the three static files so the
# *_reset functions can write a single fresh one. The three calls are
# independent; order does not matter.
remove_includes() {
	remove_include "${STRONGSWAN_CONF_FILE}" "${STRONGSWAN_VAR_CONF_FILE}"
	remove_include "${IPSEC_SECRETS_FILE}" "${IPSEC_VAR_SECRETS_FILE}"
	remove_include "${IPSEC_CONN_FILE}" "${IPSEC_VAR_CONN_FILE}"
}

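# Make the static config file $1 include the generated file $2.
#
# Rewrites $1 without any existing line mentioning $2, appends a fresh
# "include $2" line and truncates $2 so the *_xappend helpers start clean.
# If the scratch file cannot be created, stale include lines are left in
# place (a warning is printed) rather than skipping the include entirely.
do_include() {
	local conf="$1"
	local uciconf="$2"
	local backup

	# anything that is not a regular file (e.g. a stray directory) is replaced
	[ ! -f "${conf}" ] && rm -rf "${conf}"
	touch "${conf}"

	backup=$(mktemp -t -p /tmp/ ipsec-init-XXXXXX)
	if [ -n "${backup}" ]; then
		# -F: the path contains "." which would otherwise match any character;
		# grep exits 1 when no line is left, which is fine here
		grep -Fv "${uciconf}" "${conf}" > "${backup}"
		# the config takes over mktemp's 0600 mode, which is what the secrets
		# file needs; if the move fails, do not leak the scratch file
		mv "${backup}" "${conf}" || rm -f "${backup}"
	else
		warning "cannot create a scratch file, stale includes kept in ${conf}"
	fi

	xappend "${conf}" "include ${uciconf}"
	file_reset "${uciconf}"
}
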
# Point /etc/ipsec.conf at the generated ipsec.conf and empty the latter.
ipsec_reset() {
	local static="${IPSEC_CONN_FILE}"
	local generated="${IPSEC_VAR_CONN_FILE}"

	do_include "${static}" "${generated}"
}

# Append a line (all arguments, see xappend) to the generated ipsec.conf.
ipsec_xappend() {
	local target="${IPSEC_VAR_CONN_FILE}"

	xappend "${target}" "$@"
}

# Point /etc/strongswan.conf at the generated strongswan.conf and empty the latter.
swan_reset() {
	local static="${STRONGSWAN_CONF_FILE}"
	local generated="${STRONGSWAN_VAR_CONF_FILE}"

	do_include "${static}" "${generated}"
}

# Append a line (all arguments, see xappend) to the generated strongswan.conf.
swan_xappend() {
	local target="${STRONGSWAN_VAR_CONF_FILE}"

	xappend "${target}" "$@"
}

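# Point /etc/ipsec.secrets at the generated secrets file and empty the latter.
#
# The generated file receives every pre_shared_key from config_remote, but
# file_reset creates it under the process umask (typically 022), which would
# leave the keys readable by any local user; tighten it to 0600 as soon as
# it exists. /etc/ipsec.secrets itself already ends up 0600 via do_include.
secret_reset() {
	do_include "${IPSEC_SECRETS_FILE}" "${IPSEC_VAR_SECRETS_FILE}"
	chmod 600 "${IPSEC_VAR_SECRETS_FILE}"
}
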
# Append a line (all arguments, see xappend) to the generated ipsec.secrets.
# Callers pass -n to write one secrets line in several pieces.
secret_xappend() {
	local target="${IPSEC_VAR_SECRETS_FILE}"

	xappend "${target}" "$@"
}

# Print a diagnostic on stderr, prefixed with "WARNING: ".
warning() {
	local msg="WARNING: $*"

	echo "${msg}" >&2
}

# Append the proposal of UCI section $1, formatted as
# encryption_algorithm[-hash_algorithm][-dh_group], to the global
# comma-separated "crypto" list. Sections without an encryption_algorithm
# are skipped (and return 1, like the original test-and-assign).
add_crypto_proposal() {
	local section="$1"
	local enc_alg hash_alg dh proposal

	config_get enc_alg "${section}" encryption_algorithm
	config_get hash_alg "${section}" hash_algorithm
	config_get dh "${section}" dh_group

	[ -z "${enc_alg}" ] && return 1

	proposal="${enc_alg}${hash_alg:+-${hash_alg}}${dh:+-${dh}}"
	if [ -n "${crypto}" ]; then
		crypto="${crypto},${proposal}"
	else
		crypto="${proposal}"
	fi
}

# Build the proposal string for UCI section $1 from the sections listed in
# its crypto_proposal option and leave it in the global crypto_proposal
# ("" when nothing is configured). When force_crypto_proposal is set a
# trailing "!" is appended. Uses the global "crypto" as scratch space.
set_crypto_proposal() {
	local section="$1"
	local entry force

	crypto=""
	config_get crypto_proposal "${section}" crypto_proposal ""
	for entry in ${crypto_proposal}; do
		add_crypto_proposal "${entry}"
	done

	if [ -n "${crypto}" ]; then
		config_get_bool force "${section}" force_crypto_proposal
		[ "${force}" = "1" ] && crypto="${crypto}!"
	fi

	crypto_proposal="${crypto}"
}

# Emit one " key=value" conn line for key $1 when value $2 is non-empty.
_conn_opt() {
	[ -n "$2" ] && ipsec_xappend " $1=$2"
}

# Write the ipsec.conf "conn" body shared by tunnel and transport entries
# for UCI section $1. Reads the globals config_name, remote_gateway,
# auth_method, local_identifier, remote_identifier and ike_proposal, which
# config_remote sets before reaching this function.
config_conn() {
	local section="$1"
	local mode local_subnet local_nat local_sourceip local_leftip
	local local_updown local_firewall
	local remote_subnet remote_sourceip remote_updown remote_firewall
	local ikelifetime lifetime margintime keyingtries
	local dpdaction dpddelay inactivity keyexchange reqid packet_marker

	config_get mode "${section}" mode "route"
	config_get local_subnet "${section}" local_subnet ""
	config_get local_nat "${section}" local_nat ""
	config_get local_sourceip "${section}" local_sourceip ""
	config_get local_leftip "${section}" local_leftip "%any"
	config_get local_updown "${section}" local_updown ""
	config_get local_firewall "${section}" local_firewall ""
	config_get remote_subnet "${section}" remote_subnet ""
	config_get remote_sourceip "${section}" remote_sourceip ""
	config_get remote_updown "${section}" remote_updown ""
	config_get remote_firewall "${section}" remote_firewall ""
	config_get ikelifetime "${section}" ikelifetime "3h"
	config_get lifetime "${section}" lifetime "1h"
	config_get margintime "${section}" margintime "9m"
	config_get keyingtries "${section}" keyingtries "3"
	config_get dpdaction "${section}" dpdaction "none"
	config_get dpddelay "${section}" dpddelay "30s"
	config_get inactivity "${section}" inactivity
	config_get keyexchange "${section}" keyexchange "ikev2"
	config_get reqid "${section}" reqid
	config_get packet_marker "${section}" packet_marker

	# a configured local_nat takes the place of local_subnet in leftsubnet
	[ -n "${local_nat}" ] && local_subnet="${local_nat}"

	ipsec_xappend "conn ${config_name}-${section}"
	ipsec_xappend " left=${local_leftip}"
	ipsec_xappend " right=${remote_gateway}"

	_conn_opt leftsourceip "${local_sourceip}"
	_conn_opt leftsubnet "${local_subnet}"
	_conn_opt leftfirewall "${local_firewall}"
	_conn_opt rightfirewall "${remote_firewall}"

	ipsec_xappend " ikelifetime=${ikelifetime}"
	ipsec_xappend " lifetime=${lifetime}"
	ipsec_xappend " margintime=${margintime}"
	ipsec_xappend " keyingtries=${keyingtries}"
	ipsec_xappend " dpdaction=${dpdaction}"
	ipsec_xappend " dpddelay=${dpddelay}"

	_conn_opt inactivity "${inactivity}"
	_conn_opt reqid "${reqid}"

	# psk is the only authentication method rendered; anything else gets a
	# warning and a conn without auth/auto lines
	case "${auth_method}" in
	psk)
		ipsec_xappend " leftauth=psk"
		ipsec_xappend " rightauth=psk"
		_conn_opt rightsourceip "${remote_sourceip}"
		_conn_opt rightsubnet "${remote_subnet}"
		ipsec_xappend " auto=${mode}"
		;;
	*)
		warning "AuthenticationMethod ${auth_method} not supported"
		;;
	esac

	_conn_opt leftid "${local_identifier}"
	_conn_opt rightid "${remote_identifier}"
	_conn_opt leftupdown "${local_updown}"
	_conn_opt rightupdown "${remote_updown}"
	_conn_opt mark "${packet_marker}"
	ipsec_xappend " keyexchange=${keyexchange}"

	# esp comes from this section's own proposal, ike from the remote's
	set_crypto_proposal "${section}"
	_conn_opt esp "${crypto_proposal}"
	_conn_opt ike "${ike_proposal}"
}

# Emit a tunnel-mode conn for UCI section $1: the shared body plus type=tunnel.
config_tunnel() {
	local section="$1"

	config_conn "${section}"
	ipsec_xappend " type=tunnel"
}

# Emit a transport-mode conn for UCI section $1: the shared body plus type=transport.
config_transport() {
	local section="$1"

	config_conn "${section}"
	ipsec_xappend " type=transport"
}

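# Render one UCI "remote" section ($1): the PSK line in the generated
# secrets file, the shared IKE proposal, then one conn per tunnel/transport
# list entry. Disabled sections are skipped.
# Sets the globals config_name, remote_gateway, local_gateway,
# local_identifier, remote_identifier and ike_proposal that config_conn
# reads; auth_method is local here but visible to config_conn through the
# shell's dynamic scoping.
config_remote() {
	local enabled
	local gateway
	local pre_shared_key
	local auth_method
	local ipdest

	config_name="$1"

	config_get_bool enabled "$1" enabled 0
	[ "${enabled}" -eq 0 ] && return

	config_get gateway "$1" gateway
	config_get pre_shared_key "$1" pre_shared_key
	config_get auth_method "$1" authentication_method
	config_get local_identifier "$1" local_identifier ""
	config_get remote_identifier "$1" remote_identifier ""

	if [ "${gateway}" = "any" ]; then
		remote_gateway="%any"
	else
		remote_gateway="${gateway}"
	fi

	# Without an explicit local identifier the secrets line is keyed on the
	# address traffic to the peer would be sourced from; for a %any peer an
	# arbitrary public address stands in to select the default route.
	if [ -z "${local_identifier}" ]; then
		if [ "${remote_gateway}" = "%any" ]; then
			ipdest="1.1.1.1"
		else
			ipdest="${remote_gateway}"
		fi
		# print the token following "src" instead of "everything after src
		# with spaces removed": newer iproute2 appends "uid N" after the
		# source address, which the old awk glued onto it
		local_gateway=$(ip route get "${ipdest}" | \
			awk '{ for (i = 1; i < NF; i++) if ($i == "src") { print $(i + 1); exit } }')
	fi

	if [ -n "${local_identifier}" ]; then
		secret_xappend -n "${local_identifier} "
	else
		secret_xappend -n "${local_gateway} "
	fi
	if [ -n "${remote_identifier}" ]; then
		secret_xappend -n "${remote_identifier} "
	else
		secret_xappend -n "${remote_gateway} "
	fi

	# the key is written verbatim as a quoted ipsec.secrets string; a value
	# containing a double quote will not parse, and an empty one yields a
	# connection that authenticates with an empty PSK
	[ "${auth_method}" = "psk" ] && [ -z "${pre_shared_key}" ] && \
		warning "remote $1: pre_shared_key is empty"
	secret_xappend ": PSK \"${pre_shared_key}\""

	set_crypto_proposal "$1"
	ike_proposal="${crypto_proposal}"

	config_list_foreach "$1" tunnel config_tunnel
	config_list_foreach "$1" transport config_transport

	ipsec_xappend ""
}
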
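# Render the UCI "ipsec" section ($1): reset the three generated files,
# write the ipsec.conf / ipsec.secrets headers and generate the charon
# section of strongswan.conf. Sets WAIT_FOR_INTF=1 when interfaces are
# configured but none of them resolves to a device yet, so start_service and
# reload_service can defer until an interface trigger fires.
config_ipsec() {
	local debug
	local rtinstall_enabled
	local install_routes
	local routing_tables_ignored
	local routing_table
	local routing_table_id
	local interface
	local interface_list
	local device
	local device_list

	ipsec_reset
	secret_reset
	swan_reset

	ipsec_xappend "# generated by /etc/init.d/ipsec"
	ipsec_xappend "version 2"
	ipsec_xappend ""

	secret_xappend "# generated by /etc/init.d/ipsec"

	config_get debug "$1" debug 0
	config_get_bool rtinstall_enabled "$1" rtinstall_enabled 1
	if [ "${rtinstall_enabled}" -eq 1 ]; then
		install_routes=yes
	else
		install_routes=no
	fi

	# prepare extra charon config option ignore_routing_tables; entries are
	# either numeric table ids or names resolved via /etc/iproute2/rt_tables
	for routing_table in $(config_get "$1" "ignore_routing_tables"); do
		if [ "${routing_table}" -ge 0 ] 2>/dev/null; then
			routing_table_id="${routing_table}"
		else
			# hand the name to awk with -v rather than splicing it into the
			# program text: a name containing "/" or regex metacharacters
			# would otherwise break or widen the sed pattern. Only "<id> <name>"
			# lines count, and the first match wins.
			routing_table_id=$(awk -v name="${routing_table}" \
				'NF == 2 && $1 ~ /^[0-9]+$/ && $2 == name { print $1; exit }' \
				/etc/iproute2/rt_tables)
		fi

		[ -n "${routing_table_id}" ] && append routing_tables_ignored "${routing_table_id}"
	done

	interface_list=$(config_get "$1" "interface")
	if [ -z "${interface_list}" ]; then
		WAIT_FOR_INTF=0
	else
		for interface in ${interface_list}; do
			# clear before each lookup so an interface that yields no device
			# cannot inherit the previous iteration's value (whether
			# network_get_device resets it on failure is not visible here)
			device=""
			network_get_device device "${interface}"
			[ -n "${device}" ] && append device_list "${device}" ","
		done
		if [ -n "${device_list}" ]; then
			WAIT_FOR_INTF=0
		else
			WAIT_FOR_INTF=1
		fi
	fi

	swan_xappend "# generated by /etc/init.d/ipsec"
	swan_xappend "charon {"
	swan_xappend " load_modular = yes"
	swan_xappend " install_routes = ${install_routes}"
	[ -n "${routing_tables_ignored}" ] && swan_xappend " ignore_routing_tables = ${routing_tables_ignored}"
	# restrict charon to the resolved devices when interfaces were configured
	[ -n "${device_list}" ] && swan_xappend " interfaces_use = ${device_list}"
	swan_xappend " plugins {"
	swan_xappend " include /etc/strongswan.d/charon/*.conf"
	swan_xappend " }"
	swan_xappend " syslog {"
	swan_xappend " identifier = ipsec"
	swan_xappend " daemon {"
	swan_xappend " default = ${debug}"
	swan_xappend " }"
	swan_xappend " auth {"
	swan_xappend " default = ${debug}"
	swan_xappend " }"
	swan_xappend " }"
	swan_xappend "}"
}
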
# Build every generated file from UCI: create the scratch directory, drop
# stale include lines from the static files, then walk the "ipsec" and
# "remote" sections.
prepare_env() {
	local workdir=/var/ipsec

	mkdir -p "${workdir}"
	remove_includes
	config_load ipsec
	config_foreach config_ipsec ipsec
	config_foreach config_remote remote
}

# Report whether the daemon answers "ipsec status"; all output is discarded
# and only the exit status is returned.
service_running() {
	if ipsec status >/dev/null 2>&1; then
		return 0
	fi
	return 1
}

# procd reload hook: when the service is running, regenerate the config and
# ask the daemon to re-read it in place. If it is not running, or an
# interface is still missing after regeneration, fall back to a full start.
reload_service() {
	if running; then
		prepare_env
		if [ "${WAIT_FOR_INTF}" -eq 0 ]; then
			ipsec rereadall
			ipsec reload
			return
		fi
	fi

	start
}

# Register a procd interface trigger for every interface listed in UCI
# section $1, so the service reloads on events for those interfaces.
check_ipsec_interface() {
	local section="$1"
	local ifname

	for ifname in $(config_get "${section}" interface); do
		procd_add_interface_trigger "interface.*" "${ifname}" /etc/init.d/ipsec reload
	done
}

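# procd trigger setup: reload on UCI "ipsec" changes and on events for the
# interfaces the ipsec section lists.
service_triggers() {
	procd_add_reload_trigger "ipsec"
	# config_load, as prepare_env uses: "config load ipsec" is the UCI section
	# declaration helper and declared a section named "ipsec" of type "load"
	# instead of loading the file, so config_foreach below never found an
	# "ipsec" section and no interface trigger was registered
	config_load "ipsec"
	config_foreach check_ipsec_interface ipsec
}
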
# procd start hook: render the config, then launch the starter unless a
# configured interface has no device yet (the interface trigger reloads us
# once it appears).
start_service() {
	prepare_env

	[ "${WAIT_FOR_INTF}" -eq 1 ] && return

	procd_open_instance
	procd_set_param command "${PROG}" --daemon charon --nofork

	# files procd tracks to decide whether a reload must restart the instance
	procd_set_param file "${IPSEC_CONN_FILE}"
	procd_append_param file "${IPSEC_SECRETS_FILE}"
	procd_append_param file "${STRONGSWAN_CONF_FILE}"
	procd_append_param file /etc/strongswan.d/*.conf
	procd_append_param file /etc/strongswan.d/charon/*.conf

	procd_set_param respawn
	procd_close_instance
}