
  1. #!/bin/sh /etc/rc.common
  2. START=90
  3. STOP=10
  4. . $IPKG_INSTROOT/lib/functions.sh
  5. UCI_IPSEC_CONFIG=/etc/config/ipsec
  6. IPSEC_SECRETS_FILE=/etc/ipsec.secrets
  7. IPSEC_CONN_FILE=/etc/ipsec.conf
  8. STRONGSWAN_CONF_FILE=/etc/strongswan.conf
  9. IPSEC_VAR_SECRETS_FILE=/var/ipsec/ipsec.secrets
  10. IPSEC_VAR_CONN_FILE=/var/ipsec/ipsec.conf
  11. STRONGSWAN_VAR_CONF_FILE=/var/ipsec/strongswan.conf
  12. ENABLED_REMOTE_PEERS=0
file_reset() {
  # Truncate (or create) the file named by $1 using only a shell builtin.
  true > "$1"
}
xappend() {
  # Append the remaining arguments as one line to the file named by $1.
  # Deliberately echo, not printf: callers such as secret_xappend pass "-n"
  # as the first remaining argument to suppress the trailing newline.
  local target=$1
  shift
  echo "$@" >> "$target"
}
remove_include() {
  # Delete every line of file $1 that matches the path $2.
  # "_" is used as the address delimiter so the slashes in the path need no
  # escaping; the path is still interpreted as a regular expression.
  sed -i "\_${2}_d" "$1"
}
remove_includes() {
  # Strip the include lines for all three generated fragments from their
  # counterparts in /etc. The (system file, generated file) pairs are walked
  # two positional arguments at a time.
  set -- \
    "${IPSEC_CONN_FILE}" "${IPSEC_VAR_CONN_FILE}" \
    "${IPSEC_SECRETS_FILE}" "${IPSEC_VAR_SECRETS_FILE}" \
    "${STRONGSWAN_CONF_FILE}" "${STRONGSWAN_VAR_CONF_FILE}"
  while [ $# -ge 2 ]; do
    remove_include "$1" "$2"
    shift 2
  done
}
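do_include() {
  # Make sure the system file $1 contains exactly one "include $2" line and
  # empty the generated file $2 so the callers can rebuild it.
  # Arguments: $1 - file read by strongSwan (under /etc)
  #            $2 - generated fragment it should include (under /var/ipsec)
  # Returns:   non-zero without touching $1 when no temporary file could be
  #            created; otherwise the status of the final file_reset.
  local conf="$1"
  local uciconf="$2"
  local backup
  backup=$(mktemp -t -p /tmp/ ipsec-init-XXXXXX) || {
    warning "cannot create temporary file while rewriting ${conf}"
    return 1
  }
  # Anything at ${conf} that is not a regular file (directory, dangling
  # symlink) is removed so that touch yields a plain file.
  [ ! -f "${conf}" ] && rm -rf "${conf}"
  touch "${conf}"
  # Drop any existing line mentioning the fragment as a fixed string (the path
  # contains dots, which would otherwise be regex wildcards) so that exactly
  # one include line remains after the append below. ${backup} keeps the
  # private mode mktemp gave it when it replaces ${conf}.
  grep -v -F "${uciconf}" "${conf}" > "${backup}"
  mv "${backup}" "${conf}"
  xappend "${conf}" "include ${uciconf}"
  file_reset "${uciconf}"
}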
ipsec_reset() {
  # Re-establish the include line in /etc/ipsec.conf and empty the
  # generated conn file.
  do_include "$IPSEC_CONN_FILE" "$IPSEC_VAR_CONN_FILE"
}
ipsec_xappend() {
  # Append one line (all arguments) to the generated ipsec.conf.
  xappend "$IPSEC_VAR_CONN_FILE" "$@"
}
swan_reset() {
  # Re-establish the include line in /etc/strongswan.conf and empty the
  # generated strongswan.conf fragment.
  do_include "$STRONGSWAN_CONF_FILE" "$STRONGSWAN_VAR_CONF_FILE"
}
swan_xappend() {
  # Append one line (all arguments) to the generated strongswan.conf.
  xappend "$STRONGSWAN_VAR_CONF_FILE" "$@"
}
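secret_reset() {
  # Re-establish the include line in /etc/ipsec.secrets and empty the
  # generated secrets file. That file later receives plaintext PSKs (see
  # config_remote), so it must not be created under the default umask:
  # tighten the mask while the files are (re)written and also fix the mode
  # of a file left over from an earlier run, which file_reset only truncates.
  local saved_umask
  saved_umask=$(umask)
  umask 077
  do_include "${IPSEC_SECRETS_FILE}" "${IPSEC_VAR_SECRETS_FILE}"
  umask "${saved_umask}"
  chmod 600 "${IPSEC_VAR_SECRETS_FILE}"
}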
secret_xappend() {
  # Append to the generated ipsec.secrets; a leading "-n" argument is passed
  # through to echo so callers can build one line from several calls.
  xappend "$IPSEC_VAR_SECRETS_FILE" "$@"
}
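warning() {
  # Print a diagnostic on stderr, so it can never land in a generated config
  # file when a caller's stdout is redirected. "$*" joins the arguments with
  # single spaces; the original "$@" inside a string triggered SC2145.
  printf 'WARNING: %s\n' "$*" >&2
}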
add_crypto_proposal() {
  # Append the proposal described by UCI section $1 to the global "crypto"
  # string (comma separated, reset by set_crypto_proposal). A section without
  # an encryption algorithm contributes nothing and the function returns 1.
  local cipher integ group
  config_get cipher "$1" encryption_algorithm
  config_get integ "$1" hash_algorithm
  config_get group "$1" dh_group
  [ -n "$cipher" ] || return 1
  crypto="${crypto:+${crypto},}${cipher}${integ:+-${integ}}${group:+-${group}}"
}
set_crypto_proposal() {
  # Build the strongSwan proposal list for UCI section $1 from the sections
  # named in its crypto_proposal option and leave it in the global
  # crypto_proposal (empty when nothing usable was configured). A "!" is
  # appended when force_crypto_proposal is set on the section.
  local section=$1
  local item
  local strict
  crypto=""
  config_get crypto_proposal "$section" crypto_proposal ""
  for item in $crypto_proposal; do
    add_crypto_proposal "$item"
  done
  if [ -n "$crypto" ]; then
    config_get_bool strict "$section" force_crypto_proposal
    if [ "$strict" = "1" ]; then
      crypto="${crypto}!"
    fi
  fi
  crypto_proposal=$crypto
}
config_conn() {
  # Generic ipsec conn section shared by tunnel and transport.
  # Writes one "conn <remote>-<section>" block to the generated ipsec.conf;
  # config_tunnel / config_transport append the type= line afterwards.
  # Reads globals that config_remote sets before walking the tunnel/transport
  # lists: config_name, remote_gateway, auth_method, local_identifier,
  # remote_identifier, ike_proposal.
  # Sets the global crypto_proposal through set_crypto_proposal.
  # Arguments: $1 - UCI section name of the tunnel/transport entry
  local mode
  local local_subnet
  local local_nat
  local local_sourceip
  local local_updown
  local local_firewall
  local remote_subnet
  local remote_sourceip
  local remote_updown
  local remote_firewall
  local ikelifetime
  local lifetime
  local margintime
  local keyingtries
  local dpdaction
  local dpddelay
  local inactivity
  local keyexchange
  config_get mode "$1" mode "route"
  config_get local_subnet "$1" local_subnet ""
  config_get local_nat "$1" local_nat ""
  config_get local_sourceip "$1" local_sourceip ""
  config_get local_updown "$1" local_updown ""
  config_get local_firewall "$1" local_firewall ""
  config_get remote_subnet "$1" remote_subnet ""
  config_get remote_sourceip "$1" remote_sourceip ""
  config_get remote_updown "$1" remote_updown ""
  config_get remote_firewall "$1" remote_firewall ""
  config_get ikelifetime "$1" ikelifetime "3h"
  config_get lifetime "$1" lifetime "1h"
  config_get margintime "$1" margintime "9m"
  config_get keyingtries "$1" keyingtries "3"
  config_get dpdaction "$1" dpdaction "none"
  config_get dpddelay "$1" dpddelay "30s"
  config_get inactivity "$1" inactivity
  config_get keyexchange "$1" keyexchange "ikev2"
  # A configured NAT address takes the place of the local subnet.
  [ -n "$local_nat" ] && local_subnet=$local_nat
  ipsec_xappend "conn $config_name-$1"
  ipsec_xappend " left=%any"
  ipsec_xappend " right=$remote_gateway"
  # Optional settings are only written when the option is non-empty.
  [ -n "$local_sourceip" ] && ipsec_xappend " leftsourceip=$local_sourceip"
  [ -n "$local_subnet" ] && ipsec_xappend " leftsubnet=$local_subnet"
  [ -n "$local_firewall" ] && ipsec_xappend " leftfirewall=$local_firewall"
  [ -n "$remote_firewall" ] && ipsec_xappend " rightfirewall=$remote_firewall"
  ipsec_xappend " ikelifetime=$ikelifetime"
  ipsec_xappend " lifetime=$lifetime"
  ipsec_xappend " margintime=$margintime"
  ipsec_xappend " keyingtries=$keyingtries"
  ipsec_xappend " dpdaction=$dpdaction"
  ipsec_xappend " dpddelay=$dpddelay"
  [ -n "$inactivity" ] && ipsec_xappend " inactivity=$inactivity"
  if [ "$auth_method" = "psk" ]; then
    ipsec_xappend " leftauth=psk"
    ipsec_xappend " rightauth=psk"
    [ "$remote_sourceip" != "" ] && ipsec_xappend " rightsourceip=$remote_sourceip"
    [ "$remote_subnet" != "" ] && ipsec_xappend " rightsubnet=$remote_subnet"
    ipsec_xappend " auto=$mode"
  else
    # Only PSK is implemented. The conn block started above is still emitted,
    # just without the auth/auto lines; the caller only gets a warning.
    warning "AuthenticationMethod $auth_method not supported"
  fi
  [ -n "$local_identifier" ] && ipsec_xappend " leftid=$local_identifier"
  [ -n "$remote_identifier" ] && ipsec_xappend " rightid=$remote_identifier"
  [ -n "$local_updown" ] && ipsec_xappend " leftupdown=$local_updown"
  [ -n "$remote_updown" ] && ipsec_xappend " rightupdown=$remote_updown"
  ipsec_xappend " keyexchange=$keyexchange"
  # The proposal configured on this section becomes esp=; the one computed for
  # the enclosing remote (ike_proposal, set in config_remote) becomes ike=.
  set_crypto_proposal "$1"
  [ -n "${crypto_proposal}" ] && ipsec_xappend " esp=$crypto_proposal"
  [ -n "${ike_proposal}" ] && ipsec_xappend " ike=$ike_proposal"
}
config_tunnel() {
  # Emit the shared conn body for tunnel section $1, then mark it as a tunnel.
  local section=$1
  config_conn "$section"
  ipsec_xappend " type=tunnel"
}
config_transport() {
  # Emit the shared conn body for transport section $1, then mark it as
  # transport mode.
  local section=$1
  config_conn "$section"
  ipsec_xappend " type=transport"
}
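config_remote() {
  # Emit the secrets line and the conn blocks for one enabled UCI "remote"
  # section. Sets the globals config_name, remote_gateway, local_gateway,
  # local_identifier, remote_identifier and ike_proposal that config_conn
  # reads while the tunnel/transport lists are walked; auth_method is local
  # here but reaches config_conn through the shell's dynamic scoping.
  # Arguments: $1 - UCI section name
  # Side effects: increments ENABLED_REMOTE_PEERS for every enabled section.
  local enabled
  local gateway
  local pre_shared_key
  local auth_method
  local ipdest
  config_name=$1
  config_get_bool enabled "$1" enabled 0
  [ "$enabled" = "0" ] && return
  ENABLED_REMOTE_PEERS=$((ENABLED_REMOTE_PEERS + 1))
  config_get gateway "$1" gateway
  config_get pre_shared_key "$1" pre_shared_key
  config_get auth_method "$1" authentication_method
  config_get local_identifier "$1" local_identifier ""
  config_get remote_identifier "$1" remote_identifier ""
  if [ "$gateway" = "any" ]; then
    remote_gateway="%any"
  else
    remote_gateway="$gateway"
  fi
  # Without an explicit local identifier the secrets line is keyed on the
  # source address the kernel would use towards the peer; for a %any peer a
  # fixed public address is used as the probe destination.
  if [ -z "$local_identifier" ]; then
    if [ "$remote_gateway" = "%any" ]; then
      ipdest="1.1.1.1"
    else
      ipdest="$remote_gateway"
    fi
    # Take exactly the token following "src": splitting on the literal "src"
    # would glue any trailing fields (uid, cache) onto the address.
    local_gateway=$(ip route get "$ipdest" \
      | awk '{ for (i = 1; i < NF; i++) if ($i == "src") { print $(i + 1); exit } }')
  fi
  # An empty PSK still produces a syntactically valid secrets line, so flag it.
  if [ "$auth_method" = "psk" ] && [ -z "$pre_shared_key" ]; then
    warning "remote $1 uses psk authentication but has no pre_shared_key"
  fi
  # Secrets line: "<local selector> <remote selector> : PSK "<key>"".
  if [ -n "$local_identifier" ]; then
    secret_xappend -n "$local_identifier "
  else
    secret_xappend -n "$local_gateway "
  fi
  if [ -n "$remote_identifier" ]; then
    secret_xappend -n "$remote_identifier "
  else
    secret_xappend -n "$remote_gateway "
  fi
  secret_xappend ": PSK \"$pre_shared_key\""
  # The remote's own proposal list is used as the IKE proposal of every conn.
  set_crypto_proposal "$1"
  ike_proposal="$crypto_proposal"
  config_list_foreach "$1" tunnel config_tunnel
  config_list_foreach "$1" transport config_transport
  ipsec_xappend ""
}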
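config_ipsec() {
  # Emit the global part of the generated files for the UCI "ipsec" section:
  # the headers of ipsec.conf / ipsec.secrets and the charon { } block of
  # strongswan.conf. Resets all three generated files first, so it must run
  # before the remote sections are processed.
  # Arguments: $1 - UCI section name
  # Sets the global install_routes (yes/no).
  local debug
  local rtinstall_enabled
  local routing_tables_ignored
  local routing_table
  local routing_table_id
  ipsec_reset
  secret_reset
  swan_reset
  ipsec_xappend "# generated by /etc/init.d/ipsec"
  ipsec_xappend "version 2"
  ipsec_xappend ""
  secret_xappend "# generated by /etc/init.d/ipsec"
  config_get debug "$1" debug 0
  config_get_bool rtinstall_enabled "$1" rtinstall_enabled 1
  if [ "$rtinstall_enabled" = "1" ]; then
    install_routes=yes
  else
    install_routes=no
  fi
  # Build charon's ignore_routing_tables from the UCI list: numeric entries
  # are used as they are, names are resolved through /etc/iproute2/rt_tables.
  for routing_table in $(config_get "$1" "ignore_routing_tables"); do
    if [ "$routing_table" -ge 0 ] 2>/dev/null; then
      routing_table_id=$routing_table
    else
      # The name is handed to awk via -v rather than spliced into the pattern,
      # so characters such as "/" or "." in it cannot alter the match. Only
      # "<id> <name>" lines qualify; comment lines have a different shape.
      routing_table_id=$(awk -v name="$routing_table" \
        'NF == 2 && $1 ~ /^[0-9]+$/ && $2 == name { print $1 }' \
        /etc/iproute2/rt_tables)
    fi
    [ -n "$routing_table_id" ] && append routing_tables_ignored "$routing_table_id"
  done
  swan_xappend "# generated by /etc/init.d/ipsec"
  swan_xappend "charon {"
  swan_xappend " load_modular = yes"
  swan_xappend " install_routes = $install_routes"
  [ -n "$routing_tables_ignored" ] && swan_xappend " ignore_routing_tables = $routing_tables_ignored"
  swan_xappend " plugins {"
  swan_xappend " include /etc/strongswan.d/charon/*.conf"
  swan_xappend " }"
  # The same debug level is applied to the daemon and auth log groups.
  swan_xappend " syslog {"
  swan_xappend " identifier = ipsec"
  swan_xappend " daemon {"
  swan_xappend " default = $debug"
  swan_xappend " }"
  swan_xappend " auth {"
  swan_xappend " default = $debug"
  swan_xappend " }"
  swan_xappend " }"
  swan_xappend "}"
}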
prepare_env() {
  # Regenerate everything under /var/ipsec from UCI. The directory must exist
  # before the include lines that point into it are rewritten, and the global
  # "ipsec" section must be processed before any "remote" section because it
  # resets the generated files.
  local var_dir=/var/ipsec
  mkdir -p "$var_dir"
  remove_includes
  config_load ipsec
  config_foreach config_ipsec ipsec
  config_foreach config_remote remote
}
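start() {
  # Regenerate the config, then start the daemon when at least one remote
  # peer is enabled or when there is no UCI config at all (presumably a
  # hand-maintained /etc/ipsec.conf). The deprecated "-o" test is replaced by
  # two quoted tests; the && form is kept so the action's exit status stays
  # non-zero when there is nothing to start, as before.
  prepare_env
  { [ "$ENABLED_REMOTE_PEERS" != 0 ] || [ ! -f "$UCI_IPSEC_CONFIG" ]; } && ipsec start
}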
stop() {
  # Stop the daemon; the generated files under /var/ipsec are left in place.
  ipsec stop
}
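restart() {
  # Regenerate the config, then restart the daemon when there is something to
  # run, otherwise stop it. Written as if/else: the former "a && b || c" ran
  # "ipsec stop" whenever "ipsec restart" itself failed.
  prepare_env
  if [ "$ENABLED_REMOTE_PEERS" != 0 ] || [ ! -f "$UCI_IPSEC_CONFIG" ]; then
    ipsec restart
  else
    ipsec stop
  fi
}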
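reload() {
  # Regenerate the config and apply it to a running daemon (re-reading the
  # secrets first); start the daemon if it is not running, stop it when there
  # is nothing left to run. The script runs under /bin/sh, so the bash-only
  # "[[ ]]" is replaced by "[ -n ]", and the "{ ... } || ipsec stop" chain is
  # replaced by if/else so a failing "ipsec reload" no longer stops the daemon.
  prepare_env
  if [ "$ENABLED_REMOTE_PEERS" != 0 ] || [ ! -f "$UCI_IPSEC_CONFIG" ]; then
    ipsec secrets
    # Empty output from "ipsec status" is taken to mean the daemon is down.
    if [ -n "$(ipsec status)" ]; then
      ipsec reload
    else
      ipsec start
    fi
  else
    ipsec stop
  fi
}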