1 #!/bin/sh /etc/rc.common
# Load the OpenWrt shell helpers this script relies on (config_get,
# config_get_bool, config_foreach, config_list_foreach, append, ...).
# NOTE(review): IPKG_INSTROOT is expected to be empty or a plain path prefix
# at runtime; the expansion is left unquoted as in the original.
. $IPKG_INSTROOT/lib/functions.sh
# UCI configuration this init script renders into strongSwan files.
UCI_IPSEC_CONFIG="/etc/config/ipsec"

# Static strongSwan files under /etc. Each one is made to `include` its
# generated counterpart below (see the do_include calls).
IPSEC_CONN_FILE="/etc/ipsec.conf"
IPSEC_SECRETS_FILE="/etc/ipsec.secrets"
STRONGSWAN_CONF_FILE="/etc/strongswan.conf"

# Generated counterparts under /var/ipsec, rebuilt from UCI by the section
# handlers. The secrets file receives pre-shared keys in clear text via
# plain `>>` appends; nothing visible in this script tightens its mode,
# so the effective umask decides who can read it — worth confirming.
IPSEC_VAR_CONN_FILE="/var/ipsec/ipsec.conf"
IPSEC_VAR_SECRETS_FILE="/var/ipsec/ipsec.secrets"
STRONGSWAN_VAR_CONF_FILE="/var/ipsec/strongswan.conf"

# Running count of enabled 'remote' sections; start/stop/restart consult it
# to decide whether the daemon should run at all.
ENABLED_REMOTE_PEERS=0
28 echo "${@}" >> "${file}"
35 sed -i "\_${include}_d" "${file}"
39 remove_include
"${IPSEC_CONN_FILE}" "${IPSEC_VAR_CONN_FILE}"
40 remove_include
"${IPSEC_SECRETS_FILE}" "${IPSEC_VAR_SECRETS_FILE}"
41 remove_include
"${STRONGSWAN_CONF_FILE}" "${STRONGSWAN_VAR_CONF_FILE}"
47 local backup
=`mktemp -t -p /tmp/ ipsec-init-XXXXXX`
49 [ ! -f "${conf}" ] && rm -rf "${conf}"
52 cat "${conf}" | grep -v "${uciconf}" > "${backup}"
53 mv "${backup}" "${conf}"
54 xappend
"${conf}" "include ${uciconf}"
55 file_reset
"${uciconf}"
59 do_include
"${IPSEC_CONN_FILE}" "${IPSEC_VAR_CONN_FILE}"
63 xappend
"${IPSEC_VAR_CONN_FILE}" "$@"
67 do_include
"${STRONGSWAN_CONF_FILE}" "${STRONGSWAN_VAR_CONF_FILE}"
71 xappend
"${STRONGSWAN_VAR_CONF_FILE}" "$@"
75 do_include
"${IPSEC_SECRETS_FILE}" "${IPSEC_VAR_SECRETS_FILE}"
79 xappend
"${IPSEC_VAR_SECRETS_FILE}" "$@"
83 echo "WARNING: $@" >&2
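#######################################
# Append one UCI crypto_proposal section to the caller's ${crypto} string.
# Globals:   crypto (read/written) - comma-separated proposal list being built
# Arguments: $1 - UCI section name providing encryption_algorithm,
#                 hash_algorithm and dh_group
# Returns:   0 if an entry was appended, 1 if encryption_algorithm is empty
#######################################
add_crypto_proposal() {
	# All three are function-local so they never leak into, or out of, the
	# caller; the original only declared encryption_algorithm local.
	local encryption_algorithm
	local hash_algorithm
	local dh_group

	config_get encryption_algorithm "$1" encryption_algorithm
	config_get hash_algorithm       "$1" hash_algorithm
	config_get dh_group             "$1" dh_group

	# strongSwan proposal syntax is enc[-hash][-dh], entries joined by ','.
	# A section without an encryption_algorithm contributes nothing (and the
	# failed test is what yields the non-zero return status).
	[ -n "${encryption_algorithm}" ] && \
		crypto="${crypto:+${crypto},}${encryption_algorithm}${hash_algorithm:+-${hash_algorithm}}${dh_group:+-${dh_group}}"
}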
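#######################################
# Build the strongSwan proposal string for a UCI section and publish it.
# Reads the section's space-separated 'crypto_proposal' list, resolves each
# entry through add_crypto_proposal, and appends '!' when the section sets
# force_crypto_proposal=1 (strongSwan's "only these proposals" marker).
# Globals:   crypto (written)          - scratch accumulator
#            crypto_proposal (written) - resulting proposal string, "" if none
# Arguments: $1 - UCI section name
# Returns:   0
#######################################
set_crypto_proposal() {
	local conf="$1"
	local proposal
	local force_crypto_proposal

	# Reset the accumulator: this function is called more than once per
	# configuration (for the remote section and for each conn section), and
	# one section's proposals must not bleed into the next.
	crypto=""

	config_get crypto_proposal "${conf}" crypto_proposal ""
	for proposal in ${crypto_proposal}; do
		add_crypto_proposal "${proposal}"
	done

	if [ -n "${crypto}" ]; then
		config_get_bool force_crypto_proposal "${conf}" force_crypto_proposal
		# Trailing '!' tells strongSwan to accept nothing but the listed set.
		[ "${force_crypto_proposal}" = "1" ] && crypto="${crypto}!"
	fi

	crypto_proposal="${crypto}"
}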
122 # Generic ipsec conn section shared by tunnel and transport
130 local remote_sourceip
132 local remote_firewall
142 config_get mode
"$1" mode
"route"
143 config_get local_subnet
"$1" local_subnet
""
144 config_get local_nat
"$1" local_nat
""
145 config_get local_sourceip
"$1" local_sourceip
""
146 config_get local_updown
"$1" local_updown
""
147 config_get local_firewall
"$1" local_firewall
""
148 config_get remote_subnet
"$1" remote_subnet
""
149 config_get remote_sourceip
"$1" remote_sourceip
""
150 config_get remote_updown
"$1" remote_updown
""
151 config_get remote_firewall
"$1" remote_firewall
""
152 config_get ikelifetime
"$1" ikelifetime
"3h"
153 config_get lifetime
"$1" lifetime
"1h"
154 config_get margintime
"$1" margintime
"9m"
155 config_get keyingtries
"$1" keyingtries
"3"
156 config_get dpdaction
"$1" dpdaction
"none"
157 config_get dpddelay
"$1" dpddelay
"30s"
158 config_get inactivity
"$1" inactivity
159 config_get keyexchange
"$1" keyexchange
"ikev2"
161 [ -n "$local_nat" ] && local_subnet
=$local_nat
163 ipsec_xappend
"conn $config_name-$1"
164 ipsec_xappend
" left=%any"
165 ipsec_xappend
" right=$remote_gateway"
167 [ -n "$local_sourceip" ] && ipsec_xappend
" leftsourceip=$local_sourceip"
168 [ -n "$local_subnet" ] && ipsec_xappend
" leftsubnet=$local_subnet"
170 [ -n "$local_firewall" ] && ipsec_xappend
" leftfirewall=$local_firewall"
171 [ -n "$remote_firewall" ] && ipsec_xappend
" rightfirewall=$remote_firewall"
173 ipsec_xappend
" ikelifetime=$ikelifetime"
174 ipsec_xappend
" lifetime=$lifetime"
175 ipsec_xappend
" margintime=$margintime"
176 ipsec_xappend
" keyingtries=$keyingtries"
177 ipsec_xappend
" dpdaction=$dpdaction"
178 ipsec_xappend
" dpddelay=$dpddelay"
180 [ -n "$inactivity" ] && ipsec_xappend
" inactivity=$inactivity"
182 if [ "$auth_method" = "psk" ]; then
183 ipsec_xappend
" leftauth=psk"
184 ipsec_xappend
" rightauth=psk"
186 [ "$remote_sourceip" != "" ] && ipsec_xappend
" rightsourceip=$remote_sourceip"
187 [ "$remote_subnet" != "" ] && ipsec_xappend
" rightsubnet=$remote_subnet"
189 ipsec_xappend
" auto=$mode"
191 warning
"AuthenticationMethod $auth_method not supported"
194 [ -n "$local_identifier" ] && ipsec_xappend
" leftid=$local_identifier"
195 [ -n "$remote_identifier" ] && ipsec_xappend
" rightid=$remote_identifier"
196 [ -n "$local_updown" ] && ipsec_xappend
" leftupdown=$local_updown"
197 [ -n "$remote_updown" ] && ipsec_xappend
" rightupdown=$remote_updown"
198 ipsec_xappend
" keyexchange=$keyexchange"
200 set_crypto_proposal
"$1"
201 [ -n "${crypto_proposal}" ] && ipsec_xappend
" esp=$crypto_proposal"
202 [ -n "${ike_proposal}" ] && ipsec_xappend
" ike=$ike_proposal"
208 # Specific for the tunnel part
209 ipsec_xappend
" type=tunnel"
215 # Specific for the transport part
216 ipsec_xappend
" type=transport"
227 config_get_bool enabled
"$1" enabled
0
228 [ "$enabled" = "0" ] && return
230 ENABLED_REMOTE_PEERS
=$
((ENABLED_REMOTE_PEERS
+ 1))
232 config_get gateway
"$1" gateway
233 config_get pre_shared_key
"$1" pre_shared_key
234 config_get auth_method
"$1" authentication_method
235 config_get local_identifier
"$1" local_identifier
""
236 config_get remote_identifier
"$1" remote_identifier
""
238 [ "$gateway" = "any" ] && remote_gateway
="%any" || remote_gateway
="$gateway"
240 [ -z "$local_identifier" ] && {
243 [ "$remote_gateway" = "%any" ] && ipdest
="1.1.1.1" || ipdest
="$remote_gateway"
244 local_gateway
=`ip route get $ipdest | awk -F"src" '/src/{gsub(/ /,"");print $2}'`
247 [ -n "$local_identifier" ] && secret_xappend
-n "$local_identifier " || secret_xappend
-n "$local_gateway "
248 [ -n "$remote_identifier" ] && secret_xappend
-n "$remote_identifier " || secret_xappend
-n "$remote_gateway "
250 secret_xappend
": PSK \"$pre_shared_key\""
252 set_crypto_proposal
"$1"
253 ike_proposal
="$crypto_proposal"
255 config_list_foreach
"$1" tunnel config_tunnel
257 config_list_foreach
"$1" transport config_transport
264 local rtinstall_enabled
265 local routing_tables_ignored
267 local routing_table_id
275 ipsec_xappend
"# generated by /etc/init.d/ipsec"
276 ipsec_xappend
"version 2"
279 secret_xappend
"# generated by /etc/init.d/ipsec"
281 config_get debug
"$1" debug
0
282 config_get_bool rtinstall_enabled
"$1" rtinstall_enabled
1
283 [ $rtinstall_enabled = "1" ] && install_routes
=yes || install_routes
=no
285 # prepare extra charon config option ignore_routing_tables
286 for routing_table
in $
(config_get
"$1" "ignore_routing_tables"); do
287 if [ "$routing_table" -ge 0 ] 2>/dev
/null
; then
288 routing_table_id
=$routing_table
290 routing_table_id
=$
(sed -n '/[ \t]*[0-9]\+[ \t]\+'$routing_table'[ \t]*$/s/[ \t]*\([0-9]\+\).*/\1/p' /etc
/iproute
2/rt_tables
)
293 [ -n "$routing_table_id" ] && append routing_tables_ignored
"$routing_table_id"
296 swan_xappend
"# generated by /etc/init.d/ipsec"
297 swan_xappend
"charon {"
298 swan_xappend
" load_modular = yes"
299 swan_xappend
" install_routes = $install_routes"
300 [ -n "$routing_tables_ignored" ] && swan_xappend
" ignore_routing_tables = $routing_tables_ignored"
301 swan_xappend
" plugins {"
302 swan_xappend
" include /etc/strongswan.d/charon/*.conf"
304 swan_xappend
" syslog {"
305 swan_xappend
" identifier = ipsec"
306 swan_xappend
" daemon {"
307 swan_xappend
" default = $debug"
309 swan_xappend
" auth {"
310 swan_xappend
" default = $debug"
320 config_foreach config_ipsec ipsec
321 config_foreach config_remote remote
326 [ $ENABLED_REMOTE_PEERS != 0 -o ! -f $UCI_IPSEC_CONFIG ] && ipsec start
335 [ $ENABLED_REMOTE_PEERS != 0 -o ! -f $UCI_IPSEC_CONFIG ] && ipsec restart || ipsec stop
340 [ $ENABLED_REMOTE_PEERS != 0 -o ! -f $UCI_IPSEC_CONFIG ] && {
342 if [[ ! -z "$(ipsec status)" ]]; then