Browse Source

libreswan: add package

Libreswan is a free software implementation of the most widely
supported and standardized VPN protocol based on ("IPsec") and
the Internet Key Exchange ("IKE"). These standards are produced
and maintained by the Internet Engineering Task Force ("IETF").

Signed-off-by: Lucian Cristian <lucian.cristian@gmail.com>
lilik-openwrt-22.03
Lucian Cristian 6 years ago
parent
commit
a7558eb356
4 changed files with 395 additions and 0 deletions
  1. +125
    -0
      net/libreswan/Makefile
  2. +46
    -0
      net/libreswan/files/ipsec.conf
  3. +207
    -0
      net/libreswan/files/ipsec.init
  4. +17
    -0
      net/libreswan/files/ipsec.secrets

+ 125
- 0
net/libreswan/Makefile View File

@ -0,0 +1,125 @@
#
# Copyright (C) 2019 Lucian Cristian <lucian.cristian@gmail.com>
#
# This is free software, licensed under the GNU General Public License v2.
# See /LICENSE for more information.
include $(TOPDIR)/rules.mk
PKG_NAME:=libreswan
PKG_VERSION:=3.27
PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://download.libreswan.org/
PKG_HASH:=ead07dd701116094b483dc57e54e2a5ee9a06d3982bb142260bcbf3d1faf7b82
PKG_LICENSE:=GPL-2.0
PKG_MAINTAINER:=Lucian Cristian <lucian.cristian@gmail.com>
PKG_BUILD_PARALLEL:=1
PKG_INSTALL:=1
include $(INCLUDE_DIR)/package.mk
include $(INCLUDE_DIR)/kernel.mk
define Package/libreswan/Default
TITLE:=Libreswan
URL:=https://libreswan.org/
endef
define Package/libreswan/Default/description
Libreswan is a free software implementation of the most widely supported and
standardized VPN protocol based on ("IPsec") and the Internet Key Exchange
("IKE"). These standards are produced and maintained by the Internet
Engineering Task Force ("IETF").
endef
define Package/libreswan
$(call Package/libreswan/Default)
SUBMENU:=VPN
SECTION:=net
CATEGORY:=Network
DEPENDS:= +kmod-libreswan +libnss +librt +libevent2 +libevent2-pthreads \
+ip-full
PROVIDES:=openswan
CONFLICTS:=strongswan
TITLE+= IPsec Server
endef
define Package/libreswan/description
$(call Package/libreswan/Default/description)
Libreswan is a free software implementation of the most widely supported and
standardized VPN protocol based on ("IPsec") and the Internet Key Exchange
("IKE"). These standards are produced and maintained by the Internet
Engineering Task Force ("IETF").
endef
define KernelPackage/libreswan
$(call Package/libreswan/Default)
SUBMENU:=Network Support
TITLE+= (kernel module)
FILES:=$(PKG_BUILD_DIR)/modobj*/ipsec.$(LINUX_KMOD_SUFFIX)
DEPENDS:= +kmod-crypto-authenc +kmod-crypto-hash +kmod-ipt-ipsec +iptables-mod-ipsec \
+kmod-ipsec +kmod-ipsec4 +kmod-crypto-rng +IPV6:kmod-ipsec6
endef
define KernelPackage/libreswan/description
$(call Package/libreswan/Default/description)
This package contains the Libreswan kernel module.
endef
define Package/libreswan/conffiles
/etc/ipsec.d
/etc/ipsec.conf
/etc/ipsec.secrets
endef
TARGET_CFLAGS+= -Wno-error=format-nonliteral
MAKE_FLAGS+= \
WERROR_CFLAGS=" " \
USE_DNSSEC=false \
USE_LINUX_AUDIT=false \
USE_LABELED_IPSEC=false \
USE_NM=false \
USE_LIBCURL=false \
USE_GLIBC_KERN_FLIP_HEADERS=true \
USE_XAUTHPAM=false \
USE_FIPSCHECK=false \
USE_LIBCAP_NG=false \
USE_SYSTEMD_WATCHDOG=false \
INC_USRLOCAL="/usr" \
FINALRUNDIR="/var/run/pluto" \
KERNELSRC="$(LINUX_DIR)"
define Build/Prepare
$(call Build/Prepare/Default)
$(SED) 's,include $$$$(top_srcdir)/mk/manpages.mk,,g' \
$(PKG_BUILD_DIR)/mk/program.mk
endef
define Build/Compile
$(call Build/Compile/Default,base)
$(call Build/Compile/Default,module)
endef
define Package/libreswan/install
$(INSTALL_DIR) \
$(1)/etc/init.d \
$(1)/etc/ipsec.d/policies \
$(1)/usr/libexec/ipsec \
$(1)/usr/sbin
$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/ipsec \
$(1)/usr/sbin/ipsec
$(INSTALL_BIN) ./files/ipsec.init $(1)/etc/init.d/ipsec
$(INSTALL_DATA) ./files/ipsec.conf $(1)/etc/ipsec.conf
$(INSTALL_DATA) ./files/ipsec.secrets $(1)/etc/ipsec.secrets
$(INSTALL_DATA) $(PKG_INSTALL_DIR)/etc/ipsec.d/policies/* \
$(1)/etc/ipsec.d/policies/
$(CP) $(PKG_INSTALL_DIR)/usr/libexec/ipsec/* \
$(1)/usr/libexec/ipsec/
endef
$(eval $(call BuildPackage,libreswan))
$(eval $(call KernelPackage,libreswan))

+ 46
- 0
net/libreswan/files/ipsec.conf View File

@ -0,0 +1,46 @@
# /etc/ipsec.conf - Libreswan IPsec configuration file
#
# see 'man ipsec.conf' and 'man pluto' for more information
#
# For example configurations and documentation, see https://libreswan.org/wiki/
config setup
# Normally, pluto logs via syslog.
#logfile=/var/log/pluto.log
#
# Do not enable debug options to debug configuration issues!
#
# plutodebug="control parsing"
# plutodebug="all crypt"
plutodebug=none
#
# NAT-TRAVERSAL support
# exclude networks used on server side by adding %v4:!a.b.c.0/24
# It seems that T-Mobile in the US and Rogers/Fido in Canada are
# using 25/8 as "private" address space on their wireless networks.
# This range has never been announced via BGP (at least up to 2015)
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10
# if it exists, include system wide crypto-policy defaults
# include /etc/crypto-policies/back-ends/libreswan.config
# It is best to add your IPsec connections as separate files in /etc/ipsec.d/
conn L2TP-PSK-NAT
rightsubnet=vhost:%priv
also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
authby=secret
pfs=no
auto=add
keyingtries=8
ikelifetime=8h
keylife=1h
type=transport
left=A.B.C.D
leftprotoport=17/1701
right=%any
rightprotoport=17/%any
include /etc/ipsec.d/*.conf

+ 207
- 0
net/libreswan/files/ipsec.init View File

@ -0,0 +1,207 @@
#!/bin/sh /etc/rc.common
START=90
STOP=10
#USE_PROCD=1
. $IPKG_INSTROOT/lib/functions.sh
EXTRA_COMMANDS=status
EXTRA_HELP=" status Show the status of the service"
# Check that networking is up.
[ "${NETWORKING}" = "no" ] && exit 6
if [ $(id -u) -ne 0 ]; then
echo "permission denied (must be superuser)" | \
logger -s -p daemon.error -t ipsec_setup 2>&1
exit 4
fi
# where the private directory and the config files are
IPSEC_EXECDIR="${IPSEC_EXECDIR-/usr/libexec/ipsec}"
IPSEC_SBINDIR="${IPSEC_SBINDIR-/usr/sbin}"
IPSEC_CONF="${IPSEC_CONF-/etc/ipsec.conf}"
unset PLUTO_OPTIONS
rundir=/var/run/pluto
plutopid=${rundir}/pluto.pid
plutoctl=${rundir}/pluto.ctl
lockdir=/var/lock
lockfile=${lockdir}/ipsec
ipsecversion=/proc/net/ipsec_version
kamepfkey=/proc/net/pfkey
# /etc/resolv.conf related paths
LIBRESWAN_RESOLV_CONF=${rundir}/libreswan-resolv-conf-backup
ORIG_RESOLV_CONF=/etc/resolv.conf
# misc setup
umask 022
# standardize PATH, and export it for everything else's benefit
PATH="${IPSEC_SBINDIR}":/sbin:/usr/sbin:/usr/local/bin:/bin:/usr/bin
export PATH
mkdir -p ${rundir}
chmod 700 ${rundir}
verify_config() {
[ -f ${IPSEC_CONF} ] || exit 6
config_error=$(ipsec addconn --config ${IPSEC_CONF} --checkconfig 2>&1)
RETVAL=$?
if [ ${RETVAL} -gt 0 ]; then
echo "Configuration error - the following error occurred:"
echo ${config_error}
echo "IKE daemon status was not modified"
exit ${RETVAL}
fi
}
start() {
echo -n "Starting pluto IKE daemon for IPsec: "
ipsec _stackmanager start
# pluto searches the current directory, so this is required for making it selinux compliant
cd /
# Create nss db or convert from old format to new sql format
ipsec --checknss
# Enable nflog if configured
ipsec --checknflog > /dev/null
# This script will enter an endless loop to ensure pluto restarts on crash
ipsec _plutorun --config ${IPSEC_CONF} --nofork ${PLUTO_OPTIONS} & [ -d ${lockdir} ] || mkdir -p ${lockdir}
touch ${lockfile}
# Because _plutorun starts pluto at background we need to make sure pluto is started
# before we know if start was successful or not
for waitsec in 1 2 3 4 5; do
if status >/dev/null; then
RETVAL=0
break
else
echo -n "."
sleep 1
RETVAL=1
fi
done
if [ ${RETVAL} -ge 1 ]; then
rm -f ${lockfile}
fi
echo
return ${RETVAL}
}
stop() {
if [ -e ${plutoctl} ]; then
echo "Shutting down pluto IKE daemon"
ipsec whack --shutdown 2>/dev/null
# don't use seq, might not exist on embedded
for waitsec in 1 2 3 4 5 6 7 8 9 10; do
if [ -s ${plutopid} ]; then
echo -n "."
sleep 1
else
break
fi
done
echo
rm -f ${plutoctl} # we won't be using this anymore
fi
if [ -s ${plutopid} ]; then
# pluto did not die peacefully
pid=$(cat ${plutopid})
if [ -d /proc/${pid} ]; then
kill -TERM ${pid}
RETVAL=$?
sleep 5;
if [ -d /proc/${pid} ]; then
kill -KILL ${pid}
RETVAL=$?
fi
if [ ${RETVAL} -ne 0 ]; then
echo "Kill failed - removing orphaned ${plutopid}"
fi
else
echo "Removing orphaned ${plutopid}"
fi
rm -f ${plutopid}
fi
ipsec _stackmanager stop
ipsec --stopnflog > /dev/null
# cleaning up backup resolv.conf
if [ -e ${LIBRESWAN_RESOLV_CONF} ]; then
if grep 'Libreswan' ${ORIG_RESOLV_CONF} > /dev/null 2>&1; then
cp ${LIBRESWAN_RESOLV_CONF} ${ORIG_RESOLV_CONF}
fi
rm -f ${LIBRESWAN_RESOLV_CONF}
fi
rm -f ${lockfile}
return ${RETVAL}
}
restart() {
verify_config
stop
start
return $?
}
status() {
local RC
if [ -f ${plutopid} ]; then
if [ -r ${plutopid} ]; then
pid=$(cat ${plutopid})
if [ -n "$pid" -a -d /proc/${pid} ]; then
RC=0 # running
else
RC=1 # not running but pid exists
fi
else
RC=4 # insufficient privileges
fi
fi
if [ -z "${RC}" ]; then
if [ -f ${lockfile} ]; then
RC=2
else
RC=3
fi
fi
case "${RC}" in
0)
echo "ipsec: pluto (pid ${pid}) is running..."
return 0
;;
1)
echo "ipsec: pluto dead but pid file exits"
return 1
;;
2)
echo "ipsec: pluto dead but subsys locked"
return 2
;;
4)
echo "ipsec: pluto status unknown due to insufficient privileges."
return 4
;;
esac
echo "ipsec: pluto is stopped"
return 3
}
condrestart() {
verify_config
RETVAL=$?
if [ -f ${lockfile} ]; then
restart
RETVAL=$?
fi
return ${RETVAL}
}
version() {
ipsec version
return $?
}

+ 17
- 0
net/libreswan/files/ipsec.secrets View File

@ -0,0 +1,17 @@
# This file holds shared secrets (PSK) and XAUTH user passwords used for
# authentication. See pluto(8) manpage or the libreswan website.
# Unlike older openswan, this file does NOT contain any X.509 related
# information such as private key :RSA statements as these now reside
# in the NSS database. See:
#
# https://libreswan.org/wiki/Using_NSS_with_libreswan
# https://libreswan.org/wiki/Migrating_from_Openswan
#
# The preferred method for adding secrets is to create a new file in
# the /etc/ipsec.d/ directory, so it will be included via the include
# line below
#A.B.C.D %any : PSK "SsEeCcRrEeTt"
include /etc/ipsec.d/*.secrets

Loading…
Cancel
Save