|
|
- #!/bin/sh /etc/rc.common
-
- START=90
- STOP=10
-
- . $IPKG_INSTROOT/lib/functions.sh
-
- UCI_IPSEC_CONFIG=/etc/config/ipsec
-
- IPSEC_SECRETS_FILE=/etc/ipsec.secrets
- IPSEC_CONN_FILE=/etc/ipsec.conf
- STRONGSWAN_CONF_FILE=/etc/strongswan.conf
-
- IPSEC_VAR_SECRETS_FILE=/var/ipsec/ipsec.secrets
- IPSEC_VAR_CONN_FILE=/var/ipsec/ipsec.conf
- STRONGSWAN_VAR_CONF_FILE=/var/ipsec/strongswan.conf
-
- ENABLED_REMOTE_PEERS=0
-
- file_reset() {
- : > "$1"
- }
-
- xappend() {
- local file="$1"
- shift
-
- echo "${@}" >> "${file}"
- }
-
- remove_include() {
- local file="$1"
- local include="$2"
-
- sed -i "\_${include}_d" "${file}"
- }
-
- remove_includes() {
- remove_include "${IPSEC_CONN_FILE}" "${IPSEC_VAR_CONN_FILE}"
- remove_include "${IPSEC_SECRETS_FILE}" "${IPSEC_VAR_SECRETS_FILE}"
- remove_include "${STRONGSWAN_CONF_FILE}" "${STRONGSWAN_VAR_CONF_FILE}"
- }
-
- do_include() {
- local conf="$1"
- local uciconf="$2"
- local backup=`mktemp -t -p /tmp/ ipsec-init-XXXXXX`
-
- [ ! -f "${conf}" ] && rm -rf "${conf}"
- touch "${conf}"
-
- cat "${conf}" | grep -v "${uciconf}" > "${backup}"
- mv "${backup}" "${conf}"
- xappend "${conf}" "include ${uciconf}"
- file_reset "${uciconf}"
- }
-
- ipsec_reset() {
- do_include "${IPSEC_CONN_FILE}" "${IPSEC_VAR_CONN_FILE}"
- }
-
- ipsec_xappend() {
- xappend "${IPSEC_VAR_CONN_FILE}" "$@"
- }
-
- swan_reset() {
- do_include "${STRONGSWAN_CONF_FILE}" "${STRONGSWAN_VAR_CONF_FILE}"
- }
-
- swan_xappend() {
- xappend "${STRONGSWAN_VAR_CONF_FILE}" "$@"
- }
-
- secret_reset() {
- do_include "${IPSEC_SECRETS_FILE}" "${IPSEC_VAR_SECRETS_FILE}"
- }
-
- secret_xappend() {
- xappend "${IPSEC_VAR_SECRETS_FILE}" "$@"
- }
-
- warning() {
- echo "WARNING: $@" >&2
- }
-
- add_crypto_proposal() {
- local encryption_algorithm
- local hash_algorithm
- local dh_group
-
- config_get encryption_algorithm "$1" encryption_algorithm
- config_get hash_algorithm "$1" hash_algorithm
- config_get dh_group "$1" dh_group
-
- [ -n "${encryption_algorithm}" ] && \
- crypto="${crypto:+${crypto},}${encryption_algorithm}${hash_algorithm:+-${hash_algorithm}}${dh_group:+-${dh_group}}"
- }
-
- set_crypto_proposal() {
- local conf="$1"
- local proposal
-
- crypto=""
-
- config_get crypto_proposal "$conf" crypto_proposal ""
- for proposal in $crypto_proposal; do
- add_crypto_proposal "$proposal"
- done
-
- [ -n "${crypto}" ] && {
- local force_crypto_proposal
-
- config_get_bool force_crypto_proposal "$conf" force_crypto_proposal
-
- [ "${force_crypto_proposal}" = "1" ] && crypto="${crypto}!"
- }
-
- crypto_proposal="${crypto}"
- }
-
- config_conn() {
- # Generic ipsec conn section shared by tunnel and transport
- local mode
- local local_subnet
- local local_nat
- local local_sourceip
- local local_updown
- local local_firewall
- local remote_subnet
- local remote_sourceip
- local remote_updown
- local remote_firewall
- local ikelifetime
- local lifetime
- local margintime
- local keyingtries
- local dpdaction
- local dpddelay
- local inactivity
- local keyexchange
-
- config_get mode "$1" mode "route"
- config_get local_subnet "$1" local_subnet ""
- config_get local_nat "$1" local_nat ""
- config_get local_sourceip "$1" local_sourceip ""
- config_get local_updown "$1" local_updown ""
- config_get local_firewall "$1" local_firewall ""
- config_get remote_subnet "$1" remote_subnet ""
- config_get remote_sourceip "$1" remote_sourceip ""
- config_get remote_updown "$1" remote_updown ""
- config_get remote_firewall "$1" remote_firewall ""
- config_get ikelifetime "$1" ikelifetime "3h"
- config_get lifetime "$1" lifetime "1h"
- config_get margintime "$1" margintime "9m"
- config_get keyingtries "$1" keyingtries "3"
- config_get dpdaction "$1" dpdaction "none"
- config_get dpddelay "$1" dpddelay "30s"
- config_get inactivity "$1" inactivity
- config_get keyexchange "$1" keyexchange "ikev2"
-
- [ -n "$local_nat" ] && local_subnet=$local_nat
-
- ipsec_xappend "conn $config_name-$1"
- ipsec_xappend " left=%any"
- ipsec_xappend " right=$remote_gateway"
-
- [ -n "$local_sourceip" ] && ipsec_xappend " leftsourceip=$local_sourceip"
- [ -n "$local_subnet" ] && ipsec_xappend " leftsubnet=$local_subnet"
-
- [ -n "$local_firewall" ] && ipsec_xappend " leftfirewall=$local_firewall"
- [ -n "$remote_firewall" ] && ipsec_xappend " rightfirewall=$remote_firewall"
-
- ipsec_xappend " ikelifetime=$ikelifetime"
- ipsec_xappend " lifetime=$lifetime"
- ipsec_xappend " margintime=$margintime"
- ipsec_xappend " keyingtries=$keyingtries"
- ipsec_xappend " dpdaction=$dpdaction"
- ipsec_xappend " dpddelay=$dpddelay"
-
- [ -n "$inactivity" ] && ipsec_xappend " inactivity=$inactivity"
-
- if [ "$auth_method" = "psk" ]; then
- ipsec_xappend " leftauth=psk"
- ipsec_xappend " rightauth=psk"
-
- [ "$remote_sourceip" != "" ] && ipsec_xappend " rightsourceip=$remote_sourceip"
- [ "$remote_subnet" != "" ] && ipsec_xappend " rightsubnet=$remote_subnet"
-
- ipsec_xappend " auto=$mode"
- else
- warning "AuthenticationMethod $auth_method not supported"
- fi
-
- [ -n "$local_identifier" ] && ipsec_xappend " leftid=$local_identifier"
- [ -n "$remote_identifier" ] && ipsec_xappend " rightid=$remote_identifier"
- [ -n "$local_updown" ] && ipsec_xappend " leftupdown=$local_updown"
- [ -n "$remote_updown" ] && ipsec_xappend " rightupdown=$remote_updown"
- ipsec_xappend " keyexchange=$keyexchange"
-
- set_crypto_proposal "$1"
- [ -n "${crypto_proposal}" ] && ipsec_xappend " esp=$crypto_proposal"
- [ -n "${ike_proposal}" ] && ipsec_xappend " ike=$ike_proposal"
- }
-
- config_tunnel() {
- config_conn "$1"
-
- # Specific for the tunnel part
- ipsec_xappend " type=tunnel"
- }
-
- config_transport() {
- config_conn "$1"
-
- # Specific for the transport part
- ipsec_xappend " type=transport"
- }
-
- config_remote() {
- local enabled
- local gateway
- local pre_shared_key
- local auth_method
-
- config_name=$1
-
- config_get_bool enabled "$1" enabled 0
- [ "$enabled" = "0" ] && return
-
- ENABLED_REMOTE_PEERS=$((ENABLED_REMOTE_PEERS + 1))
-
- config_get gateway "$1" gateway
- config_get pre_shared_key "$1" pre_shared_key
- config_get auth_method "$1" authentication_method
- config_get local_identifier "$1" local_identifier ""
- config_get remote_identifier "$1" remote_identifier ""
-
- [ "$gateway" = "any" ] && remote_gateway="%any" || remote_gateway="$gateway"
-
- [ -z "$local_identifier" ] && {
- local ipdest
-
- [ "$remote_gateway" = "%any" ] && ipdest="1.1.1.1" || ipdest="$remote_gateway"
- local_gateway=`ip route get $ipdest | awk -F"src" '/src/{gsub(/ /,"");print $2}'`
- }
-
- [ -n "$local_identifier" ] && secret_xappend -n "$local_identifier " || secret_xappend -n "$local_gateway "
- [ -n "$remote_identifier" ] && secret_xappend -n "$remote_identifier " || secret_xappend -n "$remote_gateway "
-
- secret_xappend ": PSK \"$pre_shared_key\""
-
- set_crypto_proposal "$1"
- ike_proposal="$crypto_proposal"
-
- config_list_foreach "$1" tunnel config_tunnel
-
- config_list_foreach "$1" transport config_transport
-
- ipsec_xappend ""
- }
-
- config_ipsec() {
- local debug
- local rtinstall_enabled
- local routing_tables_ignored
- local routing_table
- local routing_table_id
- local interface
- local device_list
-
- ipsec_reset
- secret_reset
- swan_reset
-
- ipsec_xappend "# generated by /etc/init.d/ipsec"
- ipsec_xappend "version 2"
- ipsec_xappend ""
-
- secret_xappend "# generated by /etc/init.d/ipsec"
-
- config_get debug "$1" debug 0
- config_get_bool rtinstall_enabled "$1" rtinstall_enabled 1
- [ $rtinstall_enabled = "1" ] && install_routes=yes || install_routes=no
-
- # prepare extra charon config option ignore_routing_tables
- for routing_table in $(config_get "$1" "ignore_routing_tables"); do
- if [ "$routing_table" -ge 0 ] 2>/dev/null; then
- routing_table_id=$routing_table
- else
- routing_table_id=$(sed -n '/[ \t]*[0-9]\+[ \t]\+'$routing_table'[ \t]*$/s/[ \t]*\([0-9]\+\).*/\1/p' /etc/iproute2/rt_tables)
- fi
-
- [ -n "$routing_table_id" ] && append routing_tables_ignored "$routing_table_id"
- done
-
- swan_xappend "# generated by /etc/init.d/ipsec"
- swan_xappend "charon {"
- swan_xappend " load_modular = yes"
- swan_xappend " install_routes = $install_routes"
- [ -n "$routing_tables_ignored" ] && swan_xappend " ignore_routing_tables = $routing_tables_ignored"
- swan_xappend " plugins {"
- swan_xappend " include /etc/strongswan.d/charon/*.conf"
- swan_xappend " }"
- swan_xappend " syslog {"
- swan_xappend " identifier = ipsec"
- swan_xappend " daemon {"
- swan_xappend " default = $debug"
- swan_xappend " }"
- swan_xappend " auth {"
- swan_xappend " default = $debug"
- swan_xappend " }"
- swan_xappend " }"
- swan_xappend "}"
- }
-
- prepare_env() {
- mkdir -p /var/ipsec
- remove_includes
- config_load ipsec
- config_foreach config_ipsec ipsec
- config_foreach config_remote remote
- }
-
- start() {
- prepare_env
- [ $ENABLED_REMOTE_PEERS != 0 -o ! -f $UCI_IPSEC_CONFIG ] && ipsec start
- }
-
- stop() {
- ipsec stop
- }
-
- restart() {
- prepare_env
- [ $ENABLED_REMOTE_PEERS != 0 -o ! -f $UCI_IPSEC_CONFIG ] && ipsec restart || ipsec stop
- }
-
- reload() {
- prepare_env
- [ $ENABLED_REMOTE_PEERS != 0 -o ! -f $UCI_IPSEC_CONFIG ] && {
- ipsec secrets
- if [[ ! -z "$(ipsec status)" ]]; then
- ipsec reload
- else
- ipsec start
- fi
- } || ipsec stop
- }
|