Browse Source

ipsec-tools: racoon uci integration

Signed-Off-By: Vitaly Protsko <villy@sft.ru>
---
 b/net/ipsec-tools/Makefile            |   16 -
 b/net/ipsec-tools/files/functions.sh  |  137 +++++++++
 b/net/ipsec-tools/files/p1client-down |   41 ++
 b/net/ipsec-tools/files/p1client-up   |   41 ++
 b/net/ipsec-tools/files/racoon        |  109 +++++++
 b/net/ipsec-tools/files/racoon.init   |  478 +++++++++++++++++++++++++++++++++-
 b/net/ipsec-tools/files/vpnctl        |   19 +
 net/ipsec-tools/files/racoon.conf     |   36 --
 8 files changed, 824 insertions(+), 53 deletions(-)
lilik-openwrt-22.03
aTanW 10 years ago
parent
commit
2564e407d2
8 changed files with 824 additions and 53 deletions
  1. +9
    -7
      net/ipsec-tools/Makefile
  2. +137
    -0
      net/ipsec-tools/files/functions.sh
  3. +41
    -0
      net/ipsec-tools/files/p1client-down
  4. +41
    -0
      net/ipsec-tools/files/p1client-up
  5. +109
    -0
      net/ipsec-tools/files/racoon
  6. +0
    -36
      net/ipsec-tools/files/racoon.conf
  7. +468
    -10
      net/ipsec-tools/files/racoon.init
  8. +19
    -0
      net/ipsec-tools/files/vpnctl

+ 9
- 7
net/ipsec-tools/Makefile View File

@ -1,6 +1,6 @@
# #
# Copyright (C) 2006-2011 OpenWrt.org # Copyright (C) 2006-2011 OpenWrt.org
# 2014 Noah Meyerhans <frodo@morgul.net>
# 2014-2015 Noah Meyerhans <frodo@morgul.net>
# #
# This is free software, licensed under the GNU General Public License v2. # This is free software, licensed under the GNU General Public License v2.
# See /LICENSE for more information. # See /LICENSE for more information.
@ -11,7 +11,7 @@ include $(INCLUDE_DIR)/kernel.mk
PKG_NAME:=ipsec-tools PKG_NAME:=ipsec-tools
PKG_VERSION:=0.8.2 PKG_VERSION:=0.8.2
PKG_RELEASE:=2
PKG_RELEASE:=3
PKG_MAINTAINER := "Noah Meyerhans <frodo@morgul.net>" PKG_MAINTAINER := "Noah Meyerhans <frodo@morgul.net>"
PKG_LICENSE := BSD-3-Clause PKG_LICENSE := BSD-3-Clause
@ -76,12 +76,15 @@ endif
endef endef
define Package/ipsec-tools/install define Package/ipsec-tools/install
$(INSTALL_DIR) $(1)/etc
$(INSTALL_CONF) ./files/racoon.conf $(1)/etc/racoon.conf
$(INSTALL_DIR) $(1)/etc/racoon $(INSTALL_DIR) $(1)/etc/racoon
$(INSTALL_CONF) $(PKG_BUILD_DIR)/src/racoon/samples/psk.txt $(1)/etc/racoon/
$(INSTALL_CONF) ./files/functions.sh $(1)/etc/racoon/
$(INSTALL_BIN) ./files/p1client-up $(1)/etc/racoon/
$(INSTALL_BIN) ./files/p1client-down $(1)/etc/racoon/
$(INSTALL_BIN) ./files/vpnctl $(1)/etc/racoon/
$(INSTALL_DIR) $(1)/etc/init.d $(INSTALL_DIR) $(1)/etc/init.d
$(INSTALL_BIN) ./files/racoon.init $(1)/etc/init.d/racoon $(INSTALL_BIN) ./files/racoon.init $(1)/etc/init.d/racoon
$(INSTALL_DIR) $(1)/etc/config
$(INSTALL_CONF) ./files/racoon $(1)/etc/config/
$(INSTALL_DIR) $(1)/usr/lib $(INSTALL_DIR) $(1)/usr/lib
$(CP) $(PKG_INSTALL_DIR)/usr/lib/libipsec.so.* $(1)/usr/lib/ $(CP) $(PKG_INSTALL_DIR)/usr/lib/libipsec.so.* $(1)/usr/lib/
$(CP) $(PKG_INSTALL_DIR)/usr/lib/libracoon.so.* $(1)/usr/lib/ $(CP) $(PKG_INSTALL_DIR)/usr/lib/libracoon.so.* $(1)/usr/lib/
@ -93,8 +96,7 @@ define Package/ipsec-tools/install
endef endef
define Package/ipsec-tools/conffiles define Package/ipsec-tools/conffiles
/etc/racoon.conf
/etc/racoon/psk.txt
/etc/config/racoon
endef endef
$(eval $(call BuildPackage,ipsec-tools)) $(eval $(call BuildPackage,ipsec-tools))

+ 137
- 0
net/ipsec-tools/files/functions.sh View File

@ -0,0 +1,137 @@
#!/bin/sh
#
# Copyright (C) 2015 Vitaly Protsko <villy@sft.ru>
errno=0
get_fieldval() {
local __data="$3"
local __rest
test -z "$1" && return
while true ; do
__rest=${__data#* }
test "$__rest" = "$__data" && break
if [ "${__data/ *}" = "$2" ]; then
eval "$1=${__rest/ *}"
break
fi
__data="$__rest"
done
}
manage_fw() {
local cmd=/usr/sbin/iptables
local mode
local item
if [ -z "$4" ]; then
$log "Bad usage of manage_fw"
errno=3; return 3
fi
case "$1" in
add|up|1) mode=A ;;
del|down|0) mode=D ;;
*) return 3 ;;
esac
for item in $4 ; do
$cmd -$mode forwarding_$2_rule -s $item -j ACCEPT
$cmd -$mode output_$3_rule -d $item -j ACCEPT
$cmd -$mode forwarding_$3_rule -d $item -j ACCEPT
$cmd -t nat -$mode postrouting_$3_rule -d $item -j ACCEPT
done
}
manage_sa() {
local spdcmd
local rtcmd
local gate
local litem
local ritem
if [ -z "$4" ]; then
$log "Bad usage of manage_sa"
errno=3; return 3
fi
case "$1" in
add|up|1) spdcmd=add; rtcmd=add ;;
del|down|0) spdcmd=delete; rtcmd=del ;;
*) errno=3; return 3 ;;
esac
get_fieldval gate src "$(/usr/sbin/ip route get $4)"
if [ -z "$gate" ]; then
$log "Can not find outbound IP for $4"
errno=3; return 3
fi
for litem in $2 ; do
for ritem in $3 ; do
echo "
spd$spdcmd $litem $ritem any -P out ipsec esp/tunnel/$gate-$4/require;
spd$spdcmd $ritem $litem any -P in ipsec esp/tunnel/$4-$gate/require;
" | /usr/sbin/setkey -c 1>&2
done
done
test -n "$5" && gate=$5
for ritem in $3 ; do
(sleep 3; /usr/sbin/ip route $rtcmd $ritem via $gate) &
done
}
. /lib/functions/network.sh
get_zoneiflist() {
local item
local data
local addr
item=0
data=$(uci get firewall.@zone[0].name)
while [ -n "$data" ]; do
test "$data" = "$1" && break
let "item=$item+1"
data=$(uci get firewall.@zone[$item].name)
done
if [ -z "$data" ]; then
errno=1
return $errno
fi
data=$(uci get firewall.@zone[$item].network)
echo "$data"
}
get_zoneiplist() {
local item
local addr
local data
local result
data=$(get_zoneiflist $1)
test $? -gt 0 -o $errno -gt 0 -o -z "$data" && return $errno
for item in $data ; do
if network_is_up $item ; then
network_get_ipaddrs addr $item
test $? -eq 0 && result="$result $addr"
fi
done
result=$(echo $result)
echo "$result"
}
# EOF /etc/racoon/functions.sh

+ 41
- 0
net/ipsec-tools/files/p1client-down View File

@ -0,0 +1,41 @@
#!/bin/sh
#
log="logger -t p1client-down[$$]"
. /lib/functions.sh
. /etc/racoon/functions.sh
if [ -z "$SPLIT_INCLUDE_CIDR" ]; then
$log "Connection without server-pushed routing is not supported"
exit 1
fi
$log "Shutting down tunnel to server $REMOTE_ADDR"
$log "Closing tunnel(-s) to $SPLIT_INCLUDE_CIDR through $INTERNAL_ADDR4"
config_load racoon
config_get confIntZone racoon int_zone lan
config_get confExtZone racoon ext_zone wan
manage_fw del $confIntZone $confExtZone "$INTERNAL_ADDR4 $SPLIT_INCLUDE_CIDR"
data=$(get_zoneiflist $confIntZone)
if [ -n "$data" ]; then
for item in $data ; do
network_get_subnet locnet $item
if [ -n "$locnet" ]; then
manage_sa del "$locnet" "$SPLIT_INCLUDE_CIDR" $REMOTE_ADDR $INTERNAL_ADDR4
else
$log "Can not find subnet on interface $item"
fi
done
else
$log "Can not find subnets in zone $confIntZone"
fi
get_fieldval data dev "$(/usr/sbin/ip route get $REMOTE_ADDR)"
ip address del $INTERNAL_ADDR4/32 dev $data
# EOF /etc/racoon/p1client-down

+ 41
- 0
net/ipsec-tools/files/p1client-up View File

@ -0,0 +1,41 @@
#!/bin/sh
#
log="logger -t p1client-up[$$]"
. /lib/functions.sh
. /etc/racoon/functions.sh
if [ -z "$SPLIT_INCLUDE_CIDR" ]; then
$log "Connection without server-pushed routing is not supported"
exit 1
fi
$log "Setting up tunnel to server $REMOTE_ADDR"
$log "Making tunnel(-s) to $SPLIT_INCLUDE_CIDR through $INTERNAL_ADDR4"
get_fieldval data dev "$(/usr/sbin/ip route get $REMOTE_ADDR)"
ip address add $INTERNAL_ADDR4/32 dev $data
config_load racoon
config_get confIntZone racoon int_zone lan
config_get confExtZone racoon ext_zone wan
data=$(get_zoneiflist $confIntZone)
if [ -n "$data" ]; then
for item in $data ; do
network_get_subnet locnet $item
if [ -n "$locnet" ]; then
manage_sa add "$locnet" "$SPLIT_INCLUDE_CIDR" $REMOTE_ADDR $INTERNAL_ADDR4
else
$log "Can not find subnet on interface $item"
fi
done
else
$log "Can not find interfaces in zone $confIntZone"
fi
manage_fw add $confIntZone $confExtZone "$INTERNAL_ADDR4 $SPLIT_INCLUDE_CIDR"
# EOF /etc/racoon/p1client-up

+ 109
- 0
net/ipsec-tools/files/racoon View File

@ -0,0 +1,109 @@
#/etc/config/racoon
#
# Copyright 2015 Vitaly Protsko <villy@sft.ru>
# * WARNING: this is "not working" example
# * Defaults are commented out
# * Resuting config will appear in /var/racoon/
config racoon
# option debug 0
# option ext_zone 'wan'
# option int_zone 'lan'
# option port 500
# option natt_port 4500
# following 4 or 6, no default
# option ipversion 4
config p1_proposal 'example_prop1'
# option lifetime 28800
option enc_alg 'aes'
option hash_alg 'sha1'
option auth_method 'rsasig'
option dh_group 2
config p1_proposal 'example_anon'
# option lifetime 28800
option enc_alg 'aes'
option hash_alg 'sha1'
option auth_method 'xauth_rsa_server'
option dh_group 2
config p1_proposal 'example_xauth'
# option lifetime 28800
option enc_alg 'aes'
option hash_alg 'sha1'
option auth_method 'xauth_rsa_client'
option dh_group 2
config p2_proposal 'example_prop2'
option pfs_group 2
option enc_alg 'aes'
option auth_alg 'hmac_sha1'
config p2_proposal 'example_in2'
option pfs_group 2
# option lifetime 14400
option enc_alg 'aes'
option auth_alg 'hmac_sha1'
config sainfo 'office'
option p2_proposal 'example_prop2'
option local_net '192.168.8.0/24'
option remote_net '192.168.1.0/24'
config sainfo 'welcome'
option p2_proposal 'example_in2'
option local_net '192.168.8.0/24'
option remote_net '192.168.10.0/24'
option dns4 '192.168.8.1'
option defdomain 'myhome.local'
config sainfo 'client'
p2_proposal 'std_p2'
config tunnel 'Office'
option enabled 1
# initial_contact
# option init 1
option remote 'vpn.example.tld'
option exchange_mode 'main'
option certificate 'example_cert'
# option peer_id_type 'asn1dn'
# option prop_check 'obey'
# option verify_id 1
# option weak_p1check 1
# option dpd_delay ''
list p1_proposal 'example_prop1'
list sainfo 'office'
# WARNING: Only ONE tunnel with remote anonymous
# can be configured and it can have only
# ONE sainfo. Otherwise resulting racoon
# configuration will be unusable
config tunnel 'Incoming'
option enabled 1
option remote 'anonymous'
option pre_shared_key 'testitnow'
option exchange_mode 'aggressive,main'
option my_id_type 'fqdn'
option my_id 'myserver.homeip.net'
list p1_proposal 'example_anon'
list sainfo 'welcome'
config tunnel 'Client'
option enabled 1
option remote 'vpn.example.tld'
option username 'testuser'
option password 'testW0rD'
# option mode_cfg 1
list p1_proposal 'example_xauth'
list sainfo 'client'
# Insert corresponding data in PEM format as one line
config 'certificate' 'example_cert'
option 'key' '-----BEGIN PRIVATE KEY----- ~ -----END PRIVATE KEY-----'
option 'crt' '-----BEGIN CERTIFICATE----- ~ -----END CERTIFICATE-----'
config 'certificate' 'example_ca_cert'
option 'crt' '-----BEGIN CERTIFICATE----- ~ -----END CERTIFICATE-----'

+ 0
- 36
net/ipsec-tools/files/racoon.conf View File

@ -1,36 +0,0 @@
# Simple racoon.conf
#
# Refer to http://wiki.openwrt.org/doc/howto/vpn.ipsec.basics.racoon for
# details about configuring racoon in OpenWRT.
#
# Also read the Linux IPSEC Howto up at
# http://www.ipsec-howto.org/t1.html
#
# Manual pages for ipsec-tools are not included with OpenWRT. Refer to
# the following locations to view them online:
# http://linux.die.net/man/8/racoon
# http://linux.die.net/man/5/racoon.conf
# http://linux.die.net/man/8/setkey
#
log notify;
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
#remote 172.31.1.1 {
# exchange_mode main,aggressive;
# proposal {
# encryption_algorithm 3des;
# hash_algorithm sha1;
# authentication_method pre_shared_key;
# dh_group modp1024;
# }
# generate_policy off;
#}
#
#sainfo address 192.168.203.10[any] any address 192.168.22.0/24[any] any {
# pfs_group modp768;
# encryption_algorithm 3des;
# authentication_algorithm hmac_md5;
# compression_algorithm deflate;
#}

+ 468
- 10
net/ipsec-tools/files/racoon.init View File

@ -1,17 +1,475 @@
#!/bin/sh /etc/rc.common #!/bin/sh /etc/rc.common
# Copyright (C) 2009-2011 OpenWrt.org
# Copyright (C) 2011 Artem Makhutov
# Copyright (C) 2014 Noah Meyerhans <frodo@morgul.net>
#
# Copyright (C) 2015 Vitaly Protsko <villy@sft.ru>
#set -vx
USE_PROCD=1 USE_PROCD=1
START=49
START=60
STOP=40
let connWait=2/2
confDir=/var/racoon
confExtZone=
confIntZone=
confPort=
confNATPort=
confIPMode=
confPh1ID=0
log="logger -t init.d/racoon[$$] "
. /etc/racoon/functions.sh
setup_load() {
config_get confExtZone "$1" ext_zone wan
config_get confIntZone "$1" int_zone lan
config_get confPort "$1" port 500
config_get confNATPort "$1" natt_port 4500
config_get confIPMode "$1" ipversion ""
case X$confIPMode in
X4|X6) ;;
*) unset confIPMode ;;
esac
}
write_header() {
echo "
# autogenerated, don't edit, look at /etc/config/racoon
#
path certificate \"$confDir/cert\";
path script \"/etc/racoon\";
path pre_shared_key \"$confDir/psk.txt\";
path pidfile \"$confDir/racoon.pid\";
padding { maximum_length 20; randomize off; strict_check off; exclusive_tail off; }
timer { counter 5; interval 20 sec; persend 1; phase1 30 sec; phase2 15 sec; }
"
}
setup_conf() {
local conf=$confDir/racoon.conf
local peerconf=$confDir/peers.txt
local pskconf=$confDir/psk.txt
local item
local data
data="$(get_zoneiplist $confExtZone)"
if [ "X$data" = X ]; then
$log "No IP addresses found for zone $confExtZone, exitng"
errno=2; return 2
fi
write_header > $conf
echo -n > $peerconf
echo -n > $pskconf
chmod 0600 $conf $peerconf $pskconf
echo "listen {" >> $conf
for item in $data ; do
echo " isakmp $item [$confPort]; isakmp_natt $item [$confNATPort];" >> $conf
done
echo "}" >> $conf
config_get_bool item "$1" debug 0
data=warning
test $item -ne 0 && data=debug
echo "log $data;" >> $conf
setup_fw add
}
setup_p1() {
local conf=$confDir/racoon.conf
local data
echo " proposal {" >> $conf
config_get data "$1" lifetime 28800
echo " lifetime time $data sec;" >> $conf
config_get data "$1" enc_alg
test -n "$data" && echo " encryption_algorithm $data;" >> $conf
config_get data "$1" hash_alg
test -n "$data" && echo " hash_algorithm $data;" >> $conf
config_get data "$1" auth_method
test -n "$data" && echo " authentication_method $data;" >> $conf
config_get data "$1" dh_group 2
echo -e " dh_group $data;\n }" >> $conf
}
setup_fw() {
local cmd=/usr/sbin/iptables
local mode
case "$1" in
add|up|1) mode=A ;;
del|down|0) mode=D ;;
*) return 3 ;;
esac
$cmd -$mode input_${confExtZone}_rule -p AH -j ACCEPT
$cmd -$mode input_${confExtZone}_rule -p ESP -j ACCEPT
$cmd -$mode input_${confExtZone}_rule -p UDP --dport $confPort -j ACCEPT
$cmd -$mode input_${confExtZone}_rule -p UDP --dport $confNATPort -j ACCEPT
}
setup_sa() {
local conf=$confDir/racoon.conf
local remote="${2/ *}"
local client="${2#* }"
local locnet
local remnet
local p2
local data
test "$2" = "$client" && unset client
if [ -z "$client" ]; then
config_get locnet "$1" local_net
config_get remnet "$1" remote_net
if [ -z "$locnet" ] || [ -z "$remnet" ]; then
$log "Remote and local networks for $1 must be configured ($2)"
errno=4; return 4
fi
if [ "$remote" = "anonymous" ]; then
echo "sainfo anonymous {" >> $conf
else
echo "sainfo address $locnet any address $remnet any {" >> $conf
fi
else
echo "sainfo anonymous {" >> $conf
fi
config_get p2 "$1" p2_proposal
if [ -z "$p2" ]; then
$log "Phase2 proposal must be configured in $1 sainfo"
errno=5; return 5
fi
echo " remoteid $confPh1ID;" >> $conf
config_get data "$p2" pfs_group
test -n "$data" && echo " pfs_group $data;" >> $conf
config_get data "$p2" lifetime 14400
test -n "$data" && echo " lifetime time $data sec;" >> $conf
config_get data "$p2" enc_alg
test -n "$data" && echo " encryption_algorithm $data;" >> $conf
config_get data "$p2" auth_alg
test -n "$data" && echo " authentication_algorithm $data;" >> $conf
echo -e " compression_algorithm deflate;\n}" >> $conf
if [ "$remote" = "anonymous" ]; then
echo -e "mode_cfg {\n auth_source system;\n conf_source local;" >> $conf
config_get data "$1" dns4
test -n "$data" && echo " dns4 $data;" >> $conf
config_get data "$1" defdomain
test -n "$data" && echo " default_domain \"$data\";" >> $conf
data=${remnet%/*}
let "data=${data##*.}+1"
echo " network4 ${remnet%.*}.$data;" >> $conf
let "data=255<<(24-${remnet#*/}+8)&255"
echo " netmask4 255.255.255.$data;" >> $conf
echo -e " split_network include $locnet;\n}" >> $conf
elif [ -z "$client" ]; then
manage_sa add $locnet $remnet $remote
test $? -gt 0 -o $errno -gt 0 && return $errno
manage_fw add $confIntZone $confExtZone $remnet
fi
}
setup_tunnel() {
local conf=$confDir/racoon.conf
local peerconf=$confDir/peers.txt
local data
local remote
local xauth
config_get_bool data "$1" enabled 0
test "$data" = "0" && return 0
config_get remote "$1" remote
if [ "$remote" = "anonymous" ]; then
echo -e "remote anonymous {\n generate_policy on;" >> $conf
else
data=$(nslookup "$remote" | awk 'NR == 5 {print $3}')
test -n "$data" && remote="$data"
echo -e "remote \"$1\" {\n remote_address $remote;" >> $conf
echo "$data" >> $peerconf
fi
config_get data "$1" pre_shared_key ""
if [ -n "$data" ]; then
if [ "$remote" != "anonymous" ]; then
echo "$remote $data" >> $confDir/psk.txt
else
echo "* $data" >> $confDir/psk.txt
fi
fi
let confPh1ID=$confPh1ID+1
echo " ph1id $confPh1ID;" >> $conf
config_get xauth "$1" username ""
config_get data "$1" certificate ""
if [ -n "$data" ]; then
echo -en " verify_cert on;\n my_identifier asn1dn;\n certificate_type x509 " >> $conf
echo -en "\"$data.crt\" \"$data.key\";\n send_cr off;\n peers_identifier " >> $conf
else
config_get data "$1" my_id_type ""
if [ -n "$data" ]; then
echo -n " my_identifier $data" >> $conf
config_get data "$1" my_id ""
if [ -n "$data" ]; then
echo " \"$data\";" >> $conf
elif [ -n "$xauth" ]; then
echo " \"$xauth\";" >> $conf
else
echo ";" >> $conf
fi
elif [ -n "$xauth" ]; then
echo " my_identifier user_fqdn \"$xauth\";" >> $conf
fi
echo -n " peers_identifier " >> $conf
fi
if [ "$remote" = "anonymous" ]; then
echo "user_fqdn;" >> $conf
else
config_get data "$1" peer_id_type "asn1dn"
echo -n "$data" >> $conf
config_get data "$1" peer_id ""
test -n "$data" && echo -n " \"$data\"" >> $conf
echo ";" >> $conf
fi
if [ -n "$xauth" ]; then
config_get data "$1" password
if [ -z "$data" ]; then
$log "Password must be given in $1 tunnel"
errno=7; return 7
fi
echo "$xauth $data" >> $confDir/psk.txt
echo " xauth_login \"$xauth\";" >> $conf
echo -e " script \"p1client-up\" phase1_up;\n script \"p1client-down\" phase1_down;" >> $conf
fi
config_get data "$1" exchange_mode
if [ -z "$data" ]; then
data=main
test -n "$xauth" && data="${data},aggressive"
fi
echo -e " exchange_mode $data;\n nat_traversal on;\n support_proxy on;" >> $conf
config_get data "$1" prop_check "obey"
test -n "$data" && echo " proposal_check $data;" >> $conf
config_get_bool data "$1" weak_p1check 1
if [ $data -eq 0 ]; then data=off; else data=on; fi
echo " weak_phase1_check $data;" >> $conf
config_get_bool data "$1" verify_id 1
if [ $data -eq 0 ]; then data=off; else data=on; fi
echo " verify_identifier $data;" >> $conf
config_get data "$1" dpd_delay ""
test -n "$data" && echo " dpd_delay $data;" >> $conf
unset data
test -n "$xauth" && data="on"
config_get data "$1" mode_cfg "$data"
test -n "$data" && echo " mode_cfg $data;" >> $conf
config_get_bool data "$1" init 0
if [ $data -eq 0 ]; then data=off; else data=on; fi
echo " initial_contact $data;" >> $conf
config_list_foreach "$1" p1_proposal setup_p1
echo "}" >> $conf
config_list_foreach "$1" sainfo setup_sa "$remote $xauth"
}
setup_cert() {
local item
local data
for item in key crt ; do
config_get data "$1" $item ""
test -z "$data" && continue
echo "$data" |\
sed 's/-\+[A-Z ]\+-\+/\n&\n/g' | sed 's/.\{50,50\}/&\n/g' | sed '/^$/d'\
> $confDir/cert/$1.$item
chmod 600 $confDir/cert/$1.$item
done
if [ -s $confDir/cert/$1.crt ]; then
data=$(openssl x509 -noout -hash -in $confDir/cert/$1.crt)
ln -sf $confDir/cert/$1.crt $confDir/cert/$data.0
fi
}
destroy_sa() {
local locnet
local remnet
config_get locnet "$1" local_net
config_get remnet "$1" remote_net
if [ -z "$locnet" ] || [ -z "$remnet" ]; then
$log "Remote and local networks for $1 must be configured"
errno=4; return 4
fi
manage_sa del $locnet $remnet $2
manage_fw del $confIntZone $confExtZone $remnet
}
destroy_tunnel() {
local data
config_get_bool data "$1" enabled 0
test "$data" = "0" && return 0
config_get remote "$1" remote
data=$(nslookup "$remote" | awk 'NR == 5 {print $3}')
test -n "$data" && remote="$data"
config_get data "$1" username ""
if [ -z "$data" ]; then
config_list_foreach "$1" sainfo destroy_sa $remote
fi
}
destroy_conf() {
setup_fw del
}
check_software() {
local item
for item in /usr/sbin/setkey /usr/bin/openssl /usr/sbin/ip ; do
if [ ! -x $item ]; then
$log "Needed program $item not found, exiting"
errno=9; return 9
fi
done
}
cleanup_conf() {
config_load racoon
config_foreach setup_load racoon
config_foreach destroy_conf racoon
config_foreach destroy_tunnel tunnel
/usr/sbin/setkey -P -F
/usr/sbin/setkey -F
}
check_dir() {
local item
for item in $confDir $confDir/cert ; do
if [ ! -d $item ]; then
mkdir -m 0700 -p $item
fi
done
}
wait4wanzone() {
local item=$connWait
local data
data="$(get_zoneiplist $confExtZone)"
while [ $item -gt 0 ]; do
test -n "$data" && break
sleep 2
let "item=$item-1"
data="$(get_zoneiplist $confExtZone)"
done
test -z "$data" && return 10
}
start_service() { start_service() {
mkdir -m 0700 -p /var/racoon
[ -f /etc/ipsec.conf ] && /usr/sbin/setkey -f /etc/ipsec.conf
procd_open_instance
procd_set_param command /usr/sbin/racoon -F -f /etc/racoon.conf
procd_set_param respawn
procd_close_instance
check_software
test $? -gt 0 -o $errno -gt 0 && exit $errno
check_dir
config_load racoon
config_foreach setup_load racoon
config_foreach wait4wanzone racoon
if [ $? -gt 0 ] || [ $errno -gt 0 ]; then
$log "No active interfaces in $confExtZone zone found, exiting"
exit $errno
fi
config_foreach setup_conf racoon
test $? -gt 0 -o $errno -gt 0 && exit $errno
config_foreach setup_tunnel tunnel
test $? -gt 0 -o $errno -gt 0 && exit $errno
config_foreach setup_cert certificate
procd_open_instance
procd_set_param command /usr/sbin/racoon
test -n "$confIPMode" && procd_append_param command -$confIPMode
procd_append_param command -F -f $confDir/racoon.conf
procd_set_param file $confDir/racoon.conf
procd_close_instance
if [ -x /etc/racoon/vpnctl ]; then
let connWait=$connWait*2+2
( sleep $connWait; /etc/racoon/vpnctl up ) &
fi
}
service_triggers() {
local item
local data
procd_add_reload_trigger "racoon" "network"
config_load racoon
config_foreach setup_load racoon
data=$(get_zoneiflist $confExtZone)
if [ $? -gt 0 ] || [ $errno -gt 0 ] || [ -z "$data" ]; then
$log "Can not find interfaces for $confExtZone zone"
else
for item in $data ; do
procd_add_reload_interface_trigger $item
done
fi
}
stop_service() {
cleanup_conf
procd_kill racoon
} }
trap "cleanup_conf" 1 2 3 4 5 6 7 8 9 10
# EOF /etc/init.d/racoon

+ 19
- 0
net/ipsec-tools/files/vpnctl View File

@ -0,0 +1,19 @@
#!/bin/sh
#
case X$1 in
Xup|X1|Xstart) connMode=vpn-connect ;;
Xdown|X0|Xstop) connMode=vpn-disconnect ;;
*)
echo "Usage: $0: up|1|start || down|0|stop"
exit 1 ;;
esac
if [ -s /var/racoon/peers.txt ]; then
(while read ipa ; do
racoonctl $connMode $ipa
done) < /var/racoon/peers.txt
fi
# EOF /usr/bin/vpnctl

Loading…
Cancel
Save