  1. #!/bin/sh /etc/rc.common
  2. START=90
  3. STOP=10
  4. USE_PROCD=1
  5. PROG=/usr/lib/ipsec/starter
  6. . $IPKG_INSTROOT/lib/functions.sh
  7. IPSEC_SECRETS_FILE=/etc/ipsec.secrets
  8. IPSEC_CONN_FILE=/etc/ipsec.conf
  9. STRONGSWAN_CONF_FILE=/etc/strongswan.conf
  10. IPSEC_VAR_SECRETS_FILE=/var/ipsec/ipsec.secrets
  11. IPSEC_VAR_CONN_FILE=/var/ipsec/ipsec.conf
  12. STRONGSWAN_VAR_CONF_FILE=/var/ipsec/strongswan.conf
# Truncate (creating if needed) the file given as $1 so later appends start
# from an empty file.
file_reset() {
  local target="$1"
  : > "${target}"
}
# Append to the file $1; every remaining argument is handed to echo unchanged,
# so a leading "-n" suppresses the newline (config_remote uses that to build
# one secrets line out of several calls).
xappend() {
  local target="$1"
  shift
  echo "$@" >> "${target}"
}
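# Delete every line of $1 that mentions the path $2 (used to strip the
# "include <generated fragment>" line). A missing $1 is left alone silently
# instead of letting "sed -i" print an error for it.
# $2 is used as a sed regex (so "." matches any character); the only callers
# pass the fixed /var/ipsec paths defined at the top of this file.
remove_include() {
  local file="$1"
  local include="$2"
  [ -f "${file}" ] || return 0
  sed -i "\_${include}_d" "${file}"
}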
# Strip the "include" lines that point at the generated /var/ipsec fragments
# from the three persistent config files (pairs: persistent file, fragment).
remove_includes() {
  set -- \
    "${IPSEC_CONN_FILE}" "${IPSEC_VAR_CONN_FILE}" \
    "${IPSEC_SECRETS_FILE}" "${IPSEC_VAR_SECRETS_FILE}" \
    "${STRONGSWAN_CONF_FILE}" "${STRONGSWAN_VAR_CONF_FILE}"
  while [ $# -ge 2 ]; do
    remove_include "$1" "$2"
    shift 2
  done
}
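# Rewrite the persistent file $1 so it keeps its own content plus exactly one
# "include $2" line, then empty the generated fragment $2 so the config_*
# callbacks can rebuild it with xappend.
# - Anything at $1 that is not a regular file (e.g. a directory) is removed.
# - The rewrite goes through a mktemp file (created 0600 by mktemp) that is
#   moved over $1, so $1 ends up mode 0600; ipsec.secrets is one of the
#   callers' targets, which is what you want for it.
# - $2 is (re)created by file_reset with the current umask.
#   NOTE(review): IPSEC_VAR_SECRETS_FILE is one of the $2 values and receives
#   PSKs; confirm the umask in effect (or chmod 600 it) so it is not readable
#   by other users.
# Returns 1 without touching anything if mktemp fails.
do_include() {
  local conf="$1"
  local uciconf="$2"
  local backup
  backup=$(mktemp -t -p /tmp/ ipsec-init-XXXXXX) || return 1
  [ ! -f "${conf}" ] && rm -rf "${conf}"
  touch "${conf}"
  # Drop any earlier include line; -F compares the path literally, -- guards
  # against a path that starts with a dash.
  grep -v -F -- "${uciconf}" "${conf}" > "${backup}"
  mv "${backup}" "${conf}"
  xappend "${conf}" "include ${uciconf}"
  file_reset "${uciconf}"
}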
# Point IPSEC_CONN_FILE at the generated conn fragment and empty the fragment.
ipsec_reset() {
  do_include "$IPSEC_CONN_FILE" "$IPSEC_VAR_CONN_FILE"
}
# Append a line (the arguments) to the generated ipsec.conf fragment.
ipsec_xappend() {
  xappend "$IPSEC_VAR_CONN_FILE" "$@"
}
# Point STRONGSWAN_CONF_FILE at the generated strongswan.conf fragment and
# empty the fragment.
swan_reset() {
  do_include "$STRONGSWAN_CONF_FILE" "$STRONGSWAN_VAR_CONF_FILE"
}
# Append a line (the arguments) to the generated strongswan.conf fragment.
swan_xappend() {
  xappend "$STRONGSWAN_VAR_CONF_FILE" "$@"
}
# Point IPSEC_SECRETS_FILE at the generated secrets fragment and empty the
# fragment (the fragment is where config_remote writes the PSKs).
secret_reset() {
  do_include "$IPSEC_SECRETS_FILE" "$IPSEC_VAR_SECRETS_FILE"
}
# Append to the generated secrets fragment; "-n" as first argument is passed
# through to echo so a line can be assembled from several calls.
secret_xappend() {
  xappend "$IPSEC_VAR_SECRETS_FILE" "$@"
}
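# Print "WARNING: <all arguments joined by spaces>" on stderr.
# printf with a fixed format (rather than echo) so a message that starts with
# "-n"/"-e" or contains backslashes is printed verbatim; "$*" joins the
# arguments explicitly instead of expanding "$@" inside a string.
warning() {
  printf 'WARNING: %s\n' "$*" >&2
}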
# Read the crypto_proposal UCI section $1 and append it to the caller's
# ${crypto} accumulator as "enc[-hash][-dh]", comma-separated from what is
# already there. Returns 1 and leaves ${crypto} untouched when the section
# has no encryption_algorithm.
add_crypto_proposal() {
  local encryption_algorithm
  local hash_algorithm
  local dh_group
  local entry
  config_get encryption_algorithm "$1" encryption_algorithm
  config_get hash_algorithm "$1" hash_algorithm
  config_get dh_group "$1" dh_group
  [ -n "${encryption_algorithm}" ] || return 1
  entry="${encryption_algorithm}"
  [ -n "${hash_algorithm}" ] && entry="${entry}-${hash_algorithm}"
  [ -n "${dh_group}" ] && entry="${entry}-${dh_group}"
  if [ -n "${crypto}" ]; then
    crypto="${crypto},${entry}"
  else
    crypto="${entry}"
  fi
}
# Build the proposal string for UCI section $1 from its space-separated
# crypto_proposal list of section names and leave it in the global
# ${crypto_proposal} (empty when nothing usable is configured). When
# force_crypto_proposal is true a "!" is appended, strongSwan's marker for
# a strict proposal list.
set_crypto_proposal() {
  local conf="$1"
  local proposal
  local force_crypto_proposal
  crypto=""
  config_get crypto_proposal "$conf" crypto_proposal ""
  # word-splitting is intended: the option is a list of section names
  for proposal in $crypto_proposal; do
    add_crypto_proposal "$proposal"
  done
  if [ -n "${crypto}" ]; then
    config_get_bool force_crypto_proposal "$conf" force_crypto_proposal
    case "${force_crypto_proposal}" in
      1) crypto="${crypto}!" ;;
    esac
  fi
  crypto_proposal="${crypto}"
}
# Emit one "conn ${config_name}-$1" block into the generated ipsec.conf
# fragment for the tunnel/transport UCI section $1. config_tunnel and
# config_transport call this and then add their own "type=" line.
# Reads the globals set by config_remote: config_name, remote_gateway,
# local_identifier, remote_identifier, ike_proposal, and auth_method (a
# "local" of config_remote that is visible here through the shell's dynamic
# scoping). set_crypto_proposal overwrites the global crypto_proposal.
# Only authentication_method "psk" is supported; anything else is reported
# with warning and the block is written without leftauth/rightauth,
# rightsourceip/rightsubnet and auto=.
# Values are written into the fragment as-is (no quoting or escaping);
# NOTE(review): they come from UCI, so a value containing a newline would
# split the generated line — confirm what the config frontend allows.
# Return status is that of the last test, i.e. 1 when ike_proposal is empty;
# callers ignore it.
config_conn() {
  # Generic ipsec conn section shared by tunnel and transport
  local mode
  local local_subnet
  local local_nat
  local local_sourceip
  local local_updown
  local local_firewall
  local remote_subnet
  local remote_sourceip
  local remote_updown
  local remote_firewall
  local ikelifetime
  local lifetime
  local margintime
  local keyingtries
  local dpdaction
  local dpddelay
  local inactivity
  local keyexchange
  # Defaults: auto=route, IKEv2, 3h/1h lifetimes, DPD off (dpdaction=none).
  config_get mode "$1" mode "route"
  config_get local_subnet "$1" local_subnet ""
  config_get local_nat "$1" local_nat ""
  config_get local_sourceip "$1" local_sourceip ""
  config_get local_updown "$1" local_updown ""
  config_get local_firewall "$1" local_firewall ""
  config_get remote_subnet "$1" remote_subnet ""
  config_get remote_sourceip "$1" remote_sourceip ""
  config_get remote_updown "$1" remote_updown ""
  config_get remote_firewall "$1" remote_firewall ""
  config_get ikelifetime "$1" ikelifetime "3h"
  config_get lifetime "$1" lifetime "1h"
  config_get margintime "$1" margintime "9m"
  config_get keyingtries "$1" keyingtries "3"
  config_get dpdaction "$1" dpdaction "none"
  config_get dpddelay "$1" dpddelay "30s"
  config_get inactivity "$1" inactivity
  config_get keyexchange "$1" keyexchange "ikev2"
  # A configured NAT subnet takes precedence over local_subnet as leftsubnet.
  [ -n "$local_nat" ] && local_subnet=$local_nat
  ipsec_xappend "conn $config_name-$1"
  ipsec_xappend " left=%any"
  ipsec_xappend " right=$remote_gateway"
  [ -n "$local_sourceip" ] && ipsec_xappend " leftsourceip=$local_sourceip"
  [ -n "$local_subnet" ] && ipsec_xappend " leftsubnet=$local_subnet"
  [ -n "$local_firewall" ] && ipsec_xappend " leftfirewall=$local_firewall"
  [ -n "$remote_firewall" ] && ipsec_xappend " rightfirewall=$remote_firewall"
  ipsec_xappend " ikelifetime=$ikelifetime"
  ipsec_xappend " lifetime=$lifetime"
  ipsec_xappend " margintime=$margintime"
  ipsec_xappend " keyingtries=$keyingtries"
  ipsec_xappend " dpdaction=$dpdaction"
  ipsec_xappend " dpddelay=$dpddelay"
  [ -n "$inactivity" ] && ipsec_xappend " inactivity=$inactivity"
  # PSK is the only supported method; the remote-side selectors and the
  # auto= line are emitted only in this branch.
  if [ "$auth_method" = "psk" ]; then
    ipsec_xappend " leftauth=psk"
    ipsec_xappend " rightauth=psk"
    [ "$remote_sourceip" != "" ] && ipsec_xappend " rightsourceip=$remote_sourceip"
    [ "$remote_subnet" != "" ] && ipsec_xappend " rightsubnet=$remote_subnet"
    ipsec_xappend " auto=$mode"
  else
    warning "AuthenticationMethod $auth_method not supported"
  fi
  [ -n "$local_identifier" ] && ipsec_xappend " leftid=$local_identifier"
  [ -n "$remote_identifier" ] && ipsec_xappend " rightid=$remote_identifier"
  [ -n "$local_updown" ] && ipsec_xappend " leftupdown=$local_updown"
  [ -n "$remote_updown" ] && ipsec_xappend " rightupdown=$remote_updown"
  ipsec_xappend " keyexchange=$keyexchange"
  # ESP proposal comes from this section's crypto_proposal list; the IKE
  # proposal was computed by config_remote from the remote section.
  set_crypto_proposal "$1"
  [ -n "${crypto_proposal}" ] && ipsec_xappend " esp=$crypto_proposal"
  [ -n "${ike_proposal}" ] && ipsec_xappend " ike=$ike_proposal"
}
# config_list_foreach callback for a remote's "tunnel" list: emit the shared
# conn block for section $1, then mark it as tunnel mode.
config_tunnel() {
  local section="$1"
  config_conn "${section}"
  ipsec_xappend " type=tunnel"
}
# config_list_foreach callback for a remote's "transport" list: emit the
# shared conn block for section $1, then mark it as transport mode.
config_transport() {
  local section="$1"
  config_conn "${section}"
  ipsec_xappend " type=transport"
}
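# config_foreach callback for each UCI "remote" section ($1): write its PSK
# line into the generated secrets fragment, then emit one conn block per
# entry of its tunnel and transport lists.
# Sets the globals config_name, remote_gateway, local_gateway,
# local_identifier, remote_identifier and ike_proposal that config_conn
# reads; auth_method is declared local here and reaches config_conn through
# the shell's dynamic scoping. A disabled section returns before writing
# anything.
config_remote() {
  local enabled
  local gateway
  local pre_shared_key
  local auth_method
  local ipdest
  config_name=$1
  config_get_bool enabled "$1" enabled 0
  [ "$enabled" -eq 0 ] && return
  config_get gateway "$1" gateway
  config_get pre_shared_key "$1" pre_shared_key
  config_get auth_method "$1" authentication_method
  config_get local_identifier "$1" local_identifier ""
  config_get remote_identifier "$1" remote_identifier ""
  if [ "$gateway" = "any" ]; then
    remote_gateway="%any"
  else
    remote_gateway="$gateway"
  fi
  if [ -z "$local_identifier" ]; then
    # No explicit left id: use the source address the kernel would pick for
    # the peer (a public address stands in for the peer when it is %any).
    if [ "$remote_gateway" = "%any" ]; then
      ipdest="1.1.1.1"
    else
      ipdest="$remote_gateway"
    fi
    local_gateway=$(ip route get "$ipdest" | awk -F"src" '/src/{gsub(/ /,"");print $2}')
  fi
  # Secrets line '<left id> <right id> : PSK "<key>"', assembled with -n.
  # NOTE(review): the key is written verbatim between double quotes, so a key
  # containing a double quote would break the line — confirm what the config
  # frontend accepts for pre_shared_key.
  if [ -n "$local_identifier" ]; then
    secret_xappend -n "$local_identifier "
  else
    secret_xappend -n "$local_gateway "
  fi
  if [ -n "$remote_identifier" ]; then
    secret_xappend -n "$remote_identifier "
  else
    secret_xappend -n "$remote_gateway "
  fi
  secret_xappend ": PSK \"$pre_shared_key\""
  # IKE proposal for this remote; every conn below picks up ${ike_proposal}.
  set_crypto_proposal "$1"
  ike_proposal="$crypto_proposal"
  config_list_foreach "$1" tunnel config_tunnel
  config_list_foreach "$1" transport config_transport
  ipsec_xappend ""
}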
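# config_foreach callback for the UCI "ipsec" section ($1): reset the three
# generated fragments and write the global parts — the ipsec.conf header,
# the secrets header and the strongswan.conf "charon" block (route
# installation, ignored routing tables, plugin includes, syslog levels taken
# from "debug").
# Entries of ignore_routing_tables may be a table number or a table name
# from /etc/iproute2/rt_tables. Names are resolved with awk -v so the value
# is compared literally instead of being spliced into a sed regex, and only
# real "<id> <name>" lines match (a commented-out entry no longer yields a
# bogus id).
config_ipsec() {
  local debug
  local rtinstall_enabled
  local routing_tables_ignored
  local routing_table
  local routing_table_id
  ipsec_reset
  secret_reset
  swan_reset
  ipsec_xappend "# generated by /etc/init.d/ipsec"
  ipsec_xappend "version 2"
  ipsec_xappend ""
  secret_xappend "# generated by /etc/init.d/ipsec"
  config_get debug "$1" debug 0
  config_get_bool rtinstall_enabled "$1" rtinstall_enabled 1
  if [ "$rtinstall_enabled" -eq 1 ]; then
    install_routes=yes
  else
    install_routes=no
  fi
  # prepare extra charon config option ignore_routing_tables
  # (word-splitting of the list is intended)
  for routing_table in $(config_get "$1" "ignore_routing_tables"); do
    # numeric entries are used as-is; the stderr redirect hides the
    # "integer expression expected" noise for names
    if [ "$routing_table" -ge 0 ] 2>/dev/null; then
      routing_table_id=$routing_table
    else
      routing_table_id=$(awk -v name="$routing_table" \
        'NF == 2 && $1 ~ /^[0-9]+$/ && $2 == name { print $1 }' /etc/iproute2/rt_tables)
    fi
    [ -n "$routing_table_id" ] && append routing_tables_ignored "$routing_table_id"
  done
  swan_xappend "# generated by /etc/init.d/ipsec"
  swan_xappend "charon {"
  swan_xappend " load_modular = yes"
  swan_xappend " install_routes = $install_routes"
  [ -n "$routing_tables_ignored" ] && swan_xappend " ignore_routing_tables = $routing_tables_ignored"
  swan_xappend " plugins {"
  swan_xappend " include /etc/strongswan.d/charon/*.conf"
  swan_xappend " }"
  swan_xappend " syslog {"
  swan_xappend " identifier = ipsec"
  swan_xappend " daemon {"
  swan_xappend " default = $debug"
  swan_xappend " }"
  swan_xappend " auth {"
  swan_xappend " default = $debug"
  swan_xappend " }"
  swan_xappend " }"
  swan_xappend "}"
}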
# Regenerate all fragments from UCI: create the work directory, drop stale
# include lines, load the "ipsec" config and run the section callbacks
# (the global ipsec section first, then every remote).
# The directory is created with the caller's umask and holds
# IPSEC_VAR_SECRETS_FILE (PSKs in clear) — NOTE(review): confirm the
# resulting mode is not world-readable.
prepare_env() {
  local state_dir="/var/ipsec"
  mkdir -p "${state_dir}"
  remove_includes
  config_load ipsec
  config_foreach config_ipsec ipsec
  config_foreach config_remote remote
}
# procd reload hook: rebuild the fragments, then either make a running
# daemon re-read secrets and config or start it if it is not running.
# Exits with the status of the final ipsec command.
reload_service() {
  prepare_env
  if ! ipsec status > /dev/null 2>&1; then
    ipsec start
    return
  fi
  ipsec rereadall
  ipsec reload
}
# Register a procd reload trigger on the "ipsec" UCI config so changes to
# it are picked up through reload_service.
service_triggers() {
  procd_add_reload_trigger ipsec
}
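# procd start hook: regenerate the fragments and run the strongSwan starter
# in the foreground as a respawned procd instance.
# The "file" parameters list the config files procd watches to decide
# whether a reload must restart the instance. The two /etc/strongswan.d
# globs are intentionally unquoted so they expand to the individual .conf
# files; the single-path variables are quoted.
start_service() {
  prepare_env
  procd_open_instance
  procd_set_param command "$PROG" --daemon charon --nofork
  procd_set_param file "$IPSEC_CONN_FILE"
  procd_append_param file "$IPSEC_SECRETS_FILE"
  procd_append_param file "$STRONGSWAN_CONF_FILE"
  procd_append_param file /etc/strongswan.d/*.conf
  procd_append_param file /etc/strongswan.d/charon/*.conf
  procd_set_param respawn
  procd_close_instance
}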