|
|
- #!/bin/sh /etc/rc.common
-
- START=90
- STOP=10
-
- USE_PROCD=1
- PROG=/usr/lib/ipsec/charon
-
- . $IPKG_INSTROOT/lib/functions.sh
- . $IPKG_INSTROOT/lib/functions/network.sh
-
- STRONGSWAN_CONF_FILE=/etc/strongswan.conf
- STRONGSWAN_VAR_CONF_FILE=/var/ipsec/strongswan.conf
-
- SWANCTL_CONF_FILE=/etc/swanctl/swanctl.conf
- SWANCTL_VAR_CONF_FILE=/var/swanctl/swanctl.conf
-
- WAIT_FOR_INTF=0
-
- CONFIG_FAIL=0
-
- time2seconds()
- {
- local timestring="$1"
- local multiplier number suffix
-
- suffix="${timestring//[0-9 ]}"
- number="${timestring%%$suffix}"
- [ "$number$suffix" != "$timestring" ] && return 1
- case "$suffix" in
- ""|s)
- multiplier=1 ;;
- m)
- multiplier=60 ;;
- h)
- multiplier=3600 ;;
- d)
- multiplier=86400 ;;
- *)
- return 1 ;;
- esac
- echo $(( number * multiplier ))
- }
-
- seconds2time()
- {
- local seconds="$1"
-
- if [ $seconds -eq 0 ]; then
- echo "0s"
- elif [ $((seconds % 86400)) -eq 0 ]; then
- echo "$((seconds / 86400))d"
- elif [ $((seconds % 3600)) -eq 0 ]; then
- echo "$((seconds / 3600))h"
- elif [ $((seconds % 60)) -eq 0 ]; then
- echo "$((seconds / 60))m"
- else
- echo "${seconds}s"
- fi
- }
-
- file_reset() {
- : > "$1"
- }
-
- xappend() {
- local file="$1"
- shift
-
- echo "$@" >> "$file"
- }
-
- swan_reset() {
- file_reset "$STRONGSWAN_VAR_CONF_FILE"
- }
-
- swan_xappend() {
- xappend "$STRONGSWAN_VAR_CONF_FILE" "$@"
- }
-
- swan_xappend0() {
- swan_xappend "$@"
- }
-
- swan_xappend1() {
- swan_xappend " ""$@"
- }
-
- swan_xappend2() {
- swan_xappend " ""$@"
- }
-
- swan_xappend3() {
- swan_xappend " ""$@"
- }
-
- swan_xappend4() {
- swan_xappend " ""$@"
- }
-
- swanctl_reset() {
- file_reset "$SWANCTL_VAR_CONF_FILE"
- }
-
- swanctl_xappend() {
- xappend "$SWANCTL_VAR_CONF_FILE" "$@"
- }
-
- swanctl_xappend0() {
- swanctl_xappend "$@"
- }
-
- swanctl_xappend1() {
- swanctl_xappend " ""$@"
- }
-
- swanctl_xappend2() {
- swanctl_xappend " ""$@"
- }
-
- swanctl_xappend3() {
- swanctl_xappend " ""$@"
- }
-
- swanctl_xappend4() {
- swanctl_xappend " ""$@"
- }
-
- warning() {
- echo "WARNING: $@" >&2
- }
-
- fatal() {
- echo "ERROR: $@" >&2
- CONFIG_FAIL=1
- }
-
- is_aead() {
- local cipher="$1"
-
- case "$cipher" in
- aes*gcm*|aes*ccm*|aes*gmac*)
- return 0 ;;
- chacha20poly1305)
- return 0 ;;
- esac
-
- return 1
- }
-
- add_esp_proposal() {
- local encryption_algorithm
- local hash_algorithm
- local dh_group
-
- config_get encryption_algorithm "$1" encryption_algorithm
- config_get hash_algorithm "$1" hash_algorithm
- config_get dh_group "$1" dh_group
-
- # check for AEAD and clobber hash_algorithm if set
- if is_aead "$encryption_algorithm" && [ -n "$hash_algorithm" ]; then
- fatal "Can't have $hash_algorithm with $encryption_algorithm"
- hash_algorithm=
- fi
-
- [ -n "$encryption_algorithm" ] && \
- crypto="${crypto:+${crypto},}${encryption_algorithm}${hash_algorithm:+-${hash_algorithm}}${dh_group:+-${dh_group}}"
- }
-
- parse_esp_proposal() {
- local conf="$1"
- local var="$2"
-
- local crypto=""
-
- config_list_foreach "$conf" crypto_proposal add_esp_proposal
-
- export -n "$var=$crypto"
- }
-
- add_ike_proposal() {
- local encryption_algorithm
- local hash_algorithm
- local dh_group
- local prf_algorithm
-
- config_get encryption_algorithm "$1" encryption_algorithm
- config_get hash_algorithm "$1" hash_algorithm
- config_get dh_group "$1" dh_group
- config_get prf_algorithm "$1" prf_algorithm
-
- # check for AEAD and clobber hash_algorithm if set
- if is_aead "$encryption_algorithm" && [ -n "$hash_algorithm" ]; then
- fatal "Can't have $hash_algorithm with $encryption_algorithm"
- hash_algorithm=
- fi
-
- [ -n "$encryption_algorithm" ] && \
- crypto="${crypto:+${crypto},}${encryption_algorithm}${hash_algorithm:+-${hash_algorithm}}${prf_algorithm:+-${prf_algorithm}}${dh_group:+-${dh_group}}"
- }
-
- parse_ike_proposal() {
- local conf="$1"
- local var="$2"
-
- local crypto=""
-
- config_list_foreach "$conf" crypto_proposal add_ike_proposal
-
- export -n "$var=$crypto"
- }
-
- config_conn() {
- # Generic ipsec conn section shared by tunnel and transport
- local config_name="$1"
- local mode="$2"
-
- local local_subnet
- local local_nat
- local updown
- local firewall
- local remote_subnet
- local remote_sourceip
- local lifetime
- local dpdaction
- local closeaction
- local startaction
- local if_id
- local rekeytime
-
- config_get startaction "$1" startaction "route"
- config_get local_subnet "$1" local_subnet ""
- config_get local_nat "$1" local_nat ""
- config_get updown "$1" updown ""
- config_get firewall "$1" firewall ""
- config_get remote_subnet "$1" remote_subnet ""
- config_get remote_sourceip "$1" remote_sourceip ""
- config_get lifetime "$1" lifetime ""
- config_get dpdaction "$1" dpdaction "none"
- config_get closeaction "$1" closeaction "none"
- config_get if_id "$1" if_id ""
- config_get rekeytime "$1" rekeytime ""
-
- local esp_proposal
- parse_esp_proposal "$1" esp_proposal
-
- # translate from ipsec to swanctl
- case "$startaction" in
- add)
- startaction="none" ;;
- route)
- startaction="trap" ;;
- start|none|trap)
- # already using new syntax
- ;;
- *)
- fatal "Startaction $startaction unknown"
- startaction=
- ;;
- esac
-
- case "$closeaction" in
- none|clear)
- closeaction="none" ;;
- hold)
- closeaction="trap" ;;
- restart)
- closeaction="start" ;;
- trap|start)
- # already using new syntax
- ;;
- *)
- fatal "Closeaction $closeaction unknown"
- closeaction=
- ;;
- esac
-
- [ -n "$closeaction" -a "$closeaction" != "none" ] && warning "Closeaction $closeaction can cause instability"
-
- case "$dpdaction" in
- none)
- dpddelay="0s"
- dpdaction=
- ;;
- clear)
- ;;
- hold)
- dpdaction="trap" ;;
- restart)
- dpdaction="start" ;;
- trap|start)
- # already using new syntax
- ;;
- *)
- fatal "Dpdaction $dpdaction unknown"
- dpdaction=
- ;;
- esac
-
- [ -n "$local_nat" ] && local_subnet="$local_nat"
-
- swanctl_xappend3 "$config_name {"
-
- [ -n "$local_subnet" ] && swanctl_xappend4 "local_ts = $local_subnet"
- [ -n "$remote_subnet" ] && swanctl_xappend4 "remote_ts = $remote_subnet"
- [ -n "$if_id" ] && { swanctl_xappend4 "if_id_in = $if_id" ; swanctl_xappend4 "if_id_out = $if_id" ; }
- [ -n "$startaction" -a "$startaction" != "none" ] && swanctl_xappend4 "start_action = $startaction"
- [ -n "$closeaction" -a "$closeaction" != "none" ] && swanctl_xappend4 "close_action = $closeaction"
- swanctl_xappend4 "esp_proposals = $esp_proposal"
- swanctl_xappend4 "mode = $mode"
-
- if [ -n "$lifetime" ]; then
- swanctl_xappend4 "life_time = $lifetime"
- elif [ -n "$rekeytime" ]; then
- swanctl_xappend4 "life_time = $(seconds2time $(((110 * $(time2seconds $rekeytime)) / 100)))"
- fi
- [ -n "$rekeytime" ] && swanctl_xappend4 "rekey_time = $rekeytime"
-
- [ -n "$updown" ] && swanctl_xappend4 "updown = $updown"
- [ -n "$dpdaction" ] && swanctl_xappend4 "dpd_action = $dpdaction"
-
- swanctl_xappend3 "}"
- }
-
- config_tunnel() {
- config_conn "$1" "tunnel"
- }
-
- config_transport() {
- config_conn "$1" "transport"
- }
-
- config_remote() {
- local config_name="$1"
-
- local enabled
- local gateway
- local local_gateway
- local local_sourceip
- local local_leftip
- local remote_gateway
- local pre_shared_key
- local auth_method
- local keyingtries
- local dpddelay
- local inactivity
- local keyexchange
- local reqid
- local packet_marker
- local fragmentation
- local mobike
- local local_cert
- local local_key
- local ca_cert
- local rekeytime
-
- config_get_bool enabled "$1" enabled 0
- [ $enabled -eq 0 ] && return
-
- config_get gateway "$1" gateway
- config_get pre_shared_key "$1" pre_shared_key
- config_get auth_method "$1" authentication_method
- config_get local_identifier "$1" local_identifier ""
- config_get remote_identifier "$1" remote_identifier ""
- config_get local_sourceip "$1" local_sourceip ""
- config_get local_leftip "$1" local_leftip "%any"
- config_get keyingtries "$1" keyingtries "3"
- config_get dpddelay "$1" dpddelay "30s"
- config_get inactivity "$1" inactivity
- config_get keyexchange "$1" keyexchange "ikev2"
- config_get reqid "$1" reqid
- config_get packet_marker "$1" packet_marker
- config_get fragmentation "$1" fragmentation "yes"
- config_get_bool mobike "$1" mobike 1
- config_get local_cert "$1" local_cert ""
- config_get local_key "$1" local_key ""
- config_get ca_cert "$1" ca_cert ""
- config_get rekeytime "$1" rekeytime
- config_get overtime "$1" overtime
-
- case "$fragmentation" in
- 0)
- fragmentation="no" ;;
- 1)
- fragmentation="yes" ;;
- yes|accept|force|no)
- # already using new syntax
- ;;
- *)
- fatal "Fragmentation $fragmentation not supported"
- fragmentation=
- ;;
- esac
-
- [ "$gateway" = "any" ] && remote_gateway="%any" || remote_gateway="$gateway"
-
- [ -z "$local_gateway" ] && {
- local ipdest
-
- [ "$remote_gateway" = "%any" ] && ipdest="1.1.1.1" || ipdest="$remote_gateway"
- local_gateway=`ip -o route get $ipdest | awk '/ src / { gsub(/^.* src /,""); gsub(/ .*$/, ""); print $0}'`
- }
-
- local ike_proposal
- parse_ike_proposal "$1" ike_proposal
-
- [ -n "$firewall" ] && fatal "Firewall not supported"
-
- swanctl_xappend0 "# config for $config_name"
- swanctl_xappend0 "connections {"
- swanctl_xappend1 "$config_name {"
- swanctl_xappend2 "local_addrs = $local_leftip"
- swanctl_xappend2 "remote_addrs = $remote_gateway"
-
- [ -n "$local_sourceip" ] && swanctl_xappend2 "vips = $local_sourceip"
- [ -n "$fragmentation" ] && swanctl_xappend2 "fragmentation = $fragmentation"
-
- swanctl_xappend2 "local {"
- swanctl_xappend3 "auth = $auth_method"
-
- [ -n "$local_identifier" ] && swanctl_xappend3 "id = \"$local_identifier\""
- [ "$auth_method" = pubkey ] && swanctl_xappend3 "certs = $local_cert"
- swanctl_xappend2 "}"
-
- swanctl_xappend2 "remote {"
- swanctl_xappend3 "auth = $auth_method"
- [ -n "$remote_identifier" ] && swanctl_xappend3 "id = \"$remote_identifier\""
- swanctl_xappend2 "}"
-
- swanctl_xappend2 "children {"
-
- config_list_foreach "$1" tunnel config_tunnel
-
- config_list_foreach "$1" transport config_transport
-
- swanctl_xappend2 "}"
-
- case "$keyexchange" in
- ike)
- ;;
- ikev1)
- swanctl_xappend2 "version = 1" ;;
- ikev2)
- swanctl_xappend2 "version = 2" ;;
- *)
- fatal "Keyexchange $keyexchange not supported"
- keyexchange=
- ;;
- esac
-
- [ $mobike -eq 1 ] && swanctl_xappend2 "mobike = yes" || swanctl_xappend2 "mobike = no"
-
- if [ -n "$rekeytime" ]; then
- swanctl_xappend2 "rekey_time = $rekeytime"
-
- if [ -z "$overtime" ]; then
- overtime=$(seconds2time $(($(time2seconds $rekeytime) / 10)))
- fi
- fi
- [ -n "$overtime" ] && swanctl_xappend2 "over_time = $overtime"
-
- swanctl_xappend2 "proposals = $ike_proposal"
- [ -n "$dpddelay" ] && swanctl_xappend2 "dpd_delay = $dpddelay"
- [ "$keyingtries" = "%forever" ] && swanctl_xappend2 "keyingtries = 0" || swanctl_xappend2 "keyingtries = $keyingtries"
-
- swanctl_xappend1 "}"
- swanctl_xappend0 "}"
-
- if [ "$auth_method" = pubkey ]; then
- swanctl_xappend0 ""
-
- swanctl_xappend0 "secrets {"
- swanctl_xappend1 "rsa {"
- swanctl_xappend2 "filename = $local_key"
- swanctl_xappend1 "}"
- swanctl_xappend0 "}"
-
- swanctl_xappend0 ""
-
- if [ -n "$ca_cert" ]; then
- swanctl_xappend0 "authorities {"
- swanctl_xappend1 "$config_name {"
- swanctl_xappend2 "cacert = $ca_cert"
- swanctl_xappend1 "}"
- swanctl_xappend0 "}"
- fi
-
- elif [ "$auth_method" = psk ]; then
- swanctl_xappend0 ""
-
- swanctl_xappend0 "secrets {"
- swanctl_xappend1 "ike {"
- swanctl_xappend2 "secret = $pre_shared_key"
- if [ -z "$local_id" ]; then
- swanctl_xappend2 "id1 = $local_id"
- if [ -z "$remote_id" ]; then
- swanctl_xappend2 "id2 = $remote_id"
- fi
- fi
- else
- fatal "AuthenticationMode $auth_mode not supported"
- fi
-
- swanctl_xappend0 ""
- }
-
- do_preamble() {
- swanctl_xappend0 "# generated by /etc/init.d/swanctl"
- }
-
- config_ipsec() {
- local debug
- local rtinstall_enabled
- local routing_tables_ignored
- local routing_table
- local routing_table_id
- local interface
- local device_list
-
- config_get debug "$1" debug 0
- config_get_bool rtinstall_enabled "$1" rtinstall_enabled 1
- [ $rtinstall_enabled -eq 1 ] && install_routes=yes || install_routes=no
-
- # prepare extra charon config option ignore_routing_tables
- for routing_table in $(config_get "$1" "ignore_routing_tables"); do
- if [ "$routing_table" -ge 0 ] 2>/dev/null; then
- routing_table_id=$routing_table
- else
- routing_table_id=$(sed -n '/[ \t]*[0-9]\+[ \t]\+'$routing_table'[ \t]*$/s/[ \t]*\([0-9]\+\).*/\1/p' /etc/iproute2/rt_tables)
- fi
-
- [ -n "$routing_table_id" ] && append routing_tables_ignored "$routing_table_id"
- done
-
- local interface_list=$(config_get "$1" "interface")
- if [ -z "$interface_list" ]; then
- WAIT_FOR_INTF=0
- else
- for interface in $interface_list; do
- network_get_device device $interface
- [ -n "$device" ] && append device_list "$device" ","
- done
- [ -n "$device_list" ] && WAIT_FOR_INTF=0 || WAIT_FOR_INTF=1
- fi
- }
-
- do_postamble() {
- swan_xappend0 "# generated by /etc/init.d/swanctl"
- swan_xappend0 "charon {"
- swan_xappend1 "install_routes = $install_routes"
- [ -n "$routing_tables_ignored" ] && swan_xappend1 "ignore_routing_tables = $routing_tables_ignored"
- [ -n "$device_list" ] && swan_xappend1 "interfaces_use = $device_list"
- swan_xappend1 "start-scripts {"
- swan_xappend2 "load-all = /usr/sbin/swanctl --load-all --noprompt"
- swan_xappend1 "}"
- swan_xappend1 "syslog {"
- swan_xappend2 "identifier = ipsec"
- swan_xappend2 "daemon {"
- swan_xappend3 "default = $debug"
- swan_xappend2 "}"
- swan_xappend1 "}"
- swan_xappend0 "}"
- }
-
- prepare_env() {
- mkdir -p /var/ipsec /var/swanctl
-
- swan_reset
- swanctl_reset
- do_preamble
-
- config_load ipsec
- config_foreach config_ipsec ipsec
- config_foreach config_remote remote
-
- do_postamble
- }
-
- service_running() {
- swanctl --stats > /dev/null 2>&1
- }
-
- reload_service() {
- running && {
- prepare_env
- [ $WAIT_FOR_INTF -eq 0 ] && {
- swanctl --load-all --noprompt
- return
- }
- }
-
- start
- }
-
- stop_service() {
- swan_reset
- swanctl_reset
- }
-
- service_triggers() {
- procd_add_reload_trigger "ipsec"
- config load "ipsec"
- }
-
- start_service() {
- prepare_env
-
- [ $WAIT_FOR_INTF -eq 1 ] && return
-
- if [ $CONFIG_FAIL -ne 0 ]; then
- procd_set_param error "Invalid configuration"
- return
- fi
-
- procd_open_instance
-
- procd_set_param command $PROG
-
- procd_set_param file $SWANCTL_CONF_FILE
- procd_append_param file /etc/swanctl/conf.d/*.conf
- procd_append_param file $STRONGSWAN_CONF_FILE
-
- procd_set_param respawn
-
- procd_close_instance
- }
|