Merge pull request #3585 from dedeckeh/strongswan_uci
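#!/bin/sh /etc/rc.common
# strongSwan init script: renders the UCI file /etc/config/ipsec into
# generated files under /var/ipsec and makes the static files under /etc
# include them before the ipsec wrapper is started/reloaded.

START=90
STOP=10

# quoted so an IPKG_INSTROOT containing whitespace cannot split the path
. "${IPKG_INSTROOT}/lib/functions.sh"

UCI_IPSEC_CONFIG=/etc/config/ipsec

# static files shipped with the package; each gets one "include" line
IPSEC_SECRETS_FILE=/etc/ipsec.secrets
IPSEC_CONN_FILE=/etc/ipsec.conf
STRONGSWAN_CONF_FILE=/etc/strongswan.conf

# generated counterparts, rewritten from UCI on every start/restart/reload
IPSEC_VAR_SECRETS_FILE=/var/ipsec/ipsec.secrets
IPSEC_VAR_CONN_FILE=/var/ipsec/ipsec.conf
STRONGSWAN_VAR_CONF_FILE=/var/ipsec/strongswan.conf

# number of "remote" sections with enabled=1, counted by config_remote()
ENABLED_REMOTE_PEERS=0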
19
file_reset() {
  # Truncate $1 to zero length, creating it if needed; no process is spawned.
  true > "$1"
}
23
xappend() {
  # Append the remaining arguments as one line to the file named by $1.
  # echo (not printf) on purpose: callers pass "-n" as the first word to
  # suppress the trailing newline and build a line out of fragments.
  local target=$1
  shift
  echo "$@" >> "$target"
}
30
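remove_include() {
  # Delete every line of $file that mentions the path $include.
  local file="$1"
  local include="$2"

  # nothing to clean up if the static file does not exist (sed -i would
  # otherwise fail with an error for a missing file)
  [ -f "${file}" ] || return 0

  # NOTE: the path is used as a sed regex with '_' as the delimiter, so the
  # match is unanchored; the paths passed here are fixed constants whose only
  # metacharacter is '.', which is harmless for this purpose.
  sed -i "\_${include}_d" "${file}"
}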
37
remove_includes() {
  # Strip the include lines from all three static files before regeneration.
  remove_include "$IPSEC_CONN_FILE"      "$IPSEC_VAR_CONN_FILE"
  remove_include "$IPSEC_SECRETS_FILE"   "$IPSEC_VAR_SECRETS_FILE"
  remove_include "$STRONGSWAN_CONF_FILE" "$STRONGSWAN_VAR_CONF_FILE"
}
43
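do_include() {
  # Make the static file $conf include the generated file $uciconf exactly
  # once, and start $uciconf from empty.
  local conf="$1"
  local uciconf="$2"
  local backup

  # an unchecked mktemp failure would turn the redirection below into "> ''"
  backup=$(mktemp -t -p /tmp/ ipsec-init-XXXXXX) || {
    warning "mktemp failed, not rewriting ${conf}"
    return 1
  }

  # anything that is not a regular file (dangling symlink, directory) is replaced
  [ ! -f "${conf}" ] && rm -rf "${conf}"
  touch "${conf}"

  # drop stale include lines; -F because the path is a literal, not a regex
  grep -vF -- "${uciconf}" "${conf}" > "${backup}"
  mv "${backup}" "${conf}"
  xappend "${conf}" "include ${uciconf}"
  file_reset "${uciconf}"
}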
57
ipsec_reset() {
  # Recreate the generated ipsec.conf and hook it into /etc/ipsec.conf.
  do_include "$IPSEC_CONN_FILE" "$IPSEC_VAR_CONN_FILE"
}
61
ipsec_xappend() {
  # Append a line (or a fragment, with a leading -n) to the generated ipsec.conf.
  xappend "$IPSEC_VAR_CONN_FILE" "$@"
}
65
swan_reset() {
  # Recreate the generated strongswan.conf and hook it into /etc/strongswan.conf.
  do_include "$STRONGSWAN_CONF_FILE" "$STRONGSWAN_VAR_CONF_FILE"
}
69
swan_xappend() {
  # Append a line (or a fragment, with a leading -n) to the generated strongswan.conf.
  xappend "$STRONGSWAN_VAR_CONF_FILE" "$@"
}
73
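secret_reset() {
  # Recreate the generated secrets file and hook it into /etc/ipsec.secrets.
  do_include "${IPSEC_SECRETS_FILE}" "${IPSEC_VAR_SECRETS_FILE}"
  # file_reset() creates the file under the default umask; it will hold the
  # pre-shared keys written by config_remote(), so restrict it to root before
  # anything is appended
  chmod 600 "${IPSEC_VAR_SECRETS_FILE}"
}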
77
secret_xappend() {
  # Append a line (or a fragment, with a leading -n) to the generated ipsec.secrets.
  xappend "$IPSEC_VAR_SECRETS_FILE" "$@"
}
81
warning() {
  # Print all arguments as one diagnostic line on stderr.
  printf 'WARNING: %s\n' "$*" >&2
}
85
add_crypto_proposal() {
  # Append one proposal (enc[-hash][-dh]) built from UCI section $1 to the
  # caller's global comma separated list "crypto".
  local enc hash dh entry

  config_get enc "$1" encryption_algorithm
  config_get hash "$1" hash_algorithm
  config_get dh "$1" dh_group

  # a section without an encryption algorithm contributes nothing
  # (status 1 mirrors the original short-circuit; callers ignore it)
  [ -n "$enc" ] || return 1

  entry="$enc"
  [ -n "$hash" ] && entry="$entry-$hash"
  [ -n "$dh" ] && entry="$entry-$dh"

  if [ -n "$crypto" ]; then
    crypto="$crypto,$entry"
  else
    crypto="$entry"
  fi
}
98
set_crypto_proposal() {
  # Build the proposal string for UCI section $1 from its crypto_proposal
  # list and hand it back through the global "crypto_proposal".
  local section="$1"
  local item force

  # accumulated by add_crypto_proposal(); deliberately global
  crypto=""

  config_get crypto_proposal "$section" crypto_proposal ""
  # word-split on purpose: crypto_proposal is a space separated list of section names
  for item in $crypto_proposal; do
    add_crypto_proposal "$item"
  done

  if [ -n "$crypto" ]; then
    config_get_bool force "$section" force_crypto_proposal
    # a trailing '!' is strongSwan's strict-proposal marker
    [ "$force" = "1" ] && crypto="${crypto}!"
  fi

  crypto_proposal="$crypto"
}
120
# Append " key=value" to the generated ipsec.conf, skipping empty values.
# Arguments: $1 - ipsec.conf keyword, $2 - value
_conn_opt() {
  [ -n "$2" ] && ipsec_xappend " $1=$2"
}

config_conn() {
  # Generic ipsec conn section shared by tunnel and transport.
  # Relies on globals set by config_remote(): config_name, remote_gateway,
  # auth_method, local_identifier, remote_identifier and ike_proposal.
  local section="$1"
  local mode local_subnet local_nat local_sourceip local_updown local_firewall
  local remote_subnet remote_sourceip remote_updown remote_firewall
  local ikelifetime lifetime margintime keyingtries dpdaction dpddelay
  local inactivity keyexchange

  config_get mode "$section" mode "route"
  config_get local_subnet "$section" local_subnet ""
  config_get local_nat "$section" local_nat ""
  config_get local_sourceip "$section" local_sourceip ""
  config_get local_updown "$section" local_updown ""
  config_get local_firewall "$section" local_firewall ""
  config_get remote_subnet "$section" remote_subnet ""
  config_get remote_sourceip "$section" remote_sourceip ""
  config_get remote_updown "$section" remote_updown ""
  config_get remote_firewall "$section" remote_firewall ""
  config_get ikelifetime "$section" ikelifetime "3h"
  config_get lifetime "$section" lifetime "1h"
  config_get margintime "$section" margintime "9m"
  config_get keyingtries "$section" keyingtries "3"
  config_get dpdaction "$section" dpdaction "none"
  config_get dpddelay "$section" dpddelay "30s"
  config_get inactivity "$section" inactivity
  config_get keyexchange "$section" keyexchange "ikev2"

  # a NAT'ed local subnet replaces the real one in leftsubnet
  [ -n "$local_nat" ] && local_subnet=$local_nat

  ipsec_xappend "conn $config_name-$section"
  ipsec_xappend " left=%any"
  ipsec_xappend " right=$remote_gateway"

  _conn_opt leftsourceip "$local_sourceip"
  _conn_opt leftsubnet "$local_subnet"
  _conn_opt leftfirewall "$local_firewall"
  _conn_opt rightfirewall "$remote_firewall"

  ipsec_xappend " ikelifetime=$ikelifetime"
  ipsec_xappend " lifetime=$lifetime"
  ipsec_xappend " margintime=$margintime"
  ipsec_xappend " keyingtries=$keyingtries"
  ipsec_xappend " dpdaction=$dpdaction"
  ipsec_xappend " dpddelay=$dpddelay"
  _conn_opt inactivity "$inactivity"

  case "$auth_method" in
    psk)
      ipsec_xappend " leftauth=psk"
      ipsec_xappend " rightauth=psk"
      _conn_opt rightsourceip "$remote_sourceip"
      _conn_opt rightsubnet "$remote_subnet"
      # auto= is only written for a supported authentication method
      ipsec_xappend " auto=$mode"
      ;;
    *)
      warning "AuthenticationMethod $auth_method not supported"
      ;;
  esac

  _conn_opt leftid "$local_identifier"
  _conn_opt rightid "$remote_identifier"
  _conn_opt leftupdown "$local_updown"
  _conn_opt rightupdown "$remote_updown"
  ipsec_xappend " keyexchange=$keyexchange"

  # esp= comes from this section's own crypto_proposal list, ike= from the
  # remote section's list (computed by config_remote)
  set_crypto_proposal "$section"
  _conn_opt esp "$crypto_proposal"
  _conn_opt ike "$ike_proposal"
}
204
config_tunnel() {
  # Tunnel-mode conn: the shared settings first, then the type line.
  config_conn "$1"
  ipsec_xappend " type=tunnel"
}
211
config_transport() {
  # Transport-mode conn: the shared settings first, then the type line.
  config_conn "$1"
  ipsec_xappend " type=transport"
}
218
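config_remote() {
  # One "remote" UCI section: count it, write its PSK line to the generated
  # ipsec.secrets and emit one conn per listed tunnel/transport section.
  # Sets the globals config_name, remote_gateway, local_gateway,
  # local_identifier, remote_identifier and ike_proposal read by config_conn().
  local enabled
  local gateway
  local pre_shared_key
  local auth_method   # read by config_conn() through dynamic scoping
  local ipdest

  config_name=$1

  config_get_bool enabled "$1" enabled 0
  [ "$enabled" = "0" ] && return

  ENABLED_REMOTE_PEERS=$((ENABLED_REMOTE_PEERS + 1))

  config_get gateway "$1" gateway
  config_get pre_shared_key "$1" pre_shared_key
  config_get auth_method "$1" authentication_method
  config_get local_identifier "$1" local_identifier ""
  config_get remote_identifier "$1" remote_identifier ""

  if [ "$gateway" = "any" ]; then
    remote_gateway="%any"
  else
    remote_gateway="$gateway"
  fi

  # Without an explicit local identifier the secrets line is keyed on the
  # source address the kernel would use towards the peer (towards a public
  # address when the peer is %any).
  if [ -z "$local_identifier" ]; then
    if [ "$remote_gateway" = "%any" ]; then
      ipdest="1.1.1.1"
    else
      ipdest="$remote_gateway"
    fi
    local_gateway=$(ip route get "$ipdest" | awk -F"src" '/src/{gsub(/ /,"");print $2}')
    # an empty left id would produce a secrets line strongSwan cannot match
    [ -n "$local_gateway" ] || \
      warning "no local address found for $config_name (route lookup of $ipdest failed)"
  fi

  # ipsec.secrets line: "<left id> <right id> : PSK \"<key>\""
  # NOTE(review): a key containing '"' would break this line; not validated here
  secret_xappend -n "${local_identifier:-$local_gateway} "
  secret_xappend -n "${remote_identifier:-$remote_gateway} "
  secret_xappend ": PSK \"$pre_shared_key\""

  # the remote section's crypto_proposal list becomes ike= for all its conns
  set_crypto_proposal "$1"
  ike_proposal="$crypto_proposal"

  config_list_foreach "$1" tunnel config_tunnel
  config_list_foreach "$1" transport config_transport

  ipsec_xappend ""
}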
261
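config_ipsec() {
  # The "ipsec" UCI section: resets the generated files, writes the
  # ipsec.conf/ipsec.secrets headers and renders strongswan.conf.
  local debug
  local rtinstall_enabled
  local install_routes
  local routing_tables_ignored
  local routing_table
  local routing_table_id

  ipsec_reset
  secret_reset
  swan_reset

  ipsec_xappend "# generated by /etc/init.d/ipsec"
  ipsec_xappend "version 2"
  ipsec_xappend ""

  secret_xappend "# generated by /etc/init.d/ipsec"

  config_get debug "$1" debug 0
  config_get_bool rtinstall_enabled "$1" rtinstall_enabled 1
  if [ "$rtinstall_enabled" = "1" ]; then
    install_routes=yes
  else
    install_routes=no
  fi

  # prepare extra charon config option ignore_routing_tables: entries are
  # either numeric table ids or table names from /etc/iproute2/rt_tables
  for routing_table in $(config_get "$1" "ignore_routing_tables"); do
    if [ "$routing_table" -ge 0 ] 2>/dev/null; then
      routing_table_id=$routing_table
    else
      # the name is passed via -v and compared literally, so it is never
      # interpolated into the program as pattern text; first match wins
      routing_table_id=$(awk -v name="$routing_table" \
        '$1 ~ /^[0-9]+$/ && $2 == name { print $1; exit }' /etc/iproute2/rt_tables)
    fi

    [ -n "$routing_table_id" ] && append routing_tables_ignored "$routing_table_id"
  done

  swan_xappend "# generated by /etc/init.d/ipsec"
  swan_xappend "charon {"
  swan_xappend " load_modular = yes"
  swan_xappend " install_routes = $install_routes"
  [ -n "$routing_tables_ignored" ] && swan_xappend " ignore_routing_tables = $routing_tables_ignored"
  swan_xappend " plugins {"
  swan_xappend " include /etc/strongswan.d/charon/*.conf"
  swan_xappend " }"
  swan_xappend " syslog {"
  swan_xappend " identifier = ipsec"
  swan_xappend " daemon {"
  swan_xappend " default = $debug"
  swan_xappend " }"
  swan_xappend " auth {"
  swan_xappend " default = $debug"
  swan_xappend " }"
  swan_xappend " }"
  swan_xappend "}"
}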
315
prepare_env() {
  # Regenerate every file under /var/ipsec from UCI. Must run before any
  # "ipsec" command so the daemon sees the current configuration.
  mkdir -p /var/ipsec
  remove_includes
  config_load ipsec
  # one global section, then every remote peer
  config_foreach config_ipsec ipsec
  config_foreach config_remote remote
}
323
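start() {
  # Start the daemon when at least one peer is enabled, or when there is no
  # UCI file at all (plain /etc/ipsec.conf setups).
  prepare_env
  if [ "$ENABLED_REMOTE_PEERS" != 0 ] || [ ! -f "$UCI_IPSEC_CONFIG" ]; then
    ipsec start
  fi
}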
328
stop() {
  # Nothing to regenerate on stop; hand over to the ipsec wrapper.
  ipsec stop
}
332
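restart() {
  # Same rule as start(); with no enabled peer and a UCI file present the
  # daemon is stopped instead. Written as if/else so a failing "ipsec restart"
  # does not fall through into "ipsec stop".
  prepare_env
  if [ "$ENABLED_REMOTE_PEERS" != 0 ] || [ ! -f "$UCI_IPSEC_CONFIG" ]; then
    ipsec restart
  else
    ipsec stop
  fi
}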
337
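reload() {
  # Re-render the configuration, then reload the running daemon (or start it
  # if it is not running). With no enabled peer and a UCI file present the
  # daemon is stopped instead.
  prepare_env
  if [ "$ENABLED_REMOTE_PEERS" != 0 ] || [ ! -f "$UCI_IPSEC_CONFIG" ]; then
    ipsec secrets
    # [ ] rather than [[ ]]: this script runs under #!/bin/sh
    if [ -n "$(ipsec status)" ]; then
      ipsec reload
    else
      ipsec start
    fi
  else
    ipsec stop
  fi
}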