diff --git a/net/libreswan/Makefile b/net/libreswan/Makefile new file mode 100644 index 000000000..556e20fda --- /dev/null +++ b/net/libreswan/Makefile @@ -0,0 +1,125 @@ +# +# Copyright (C) 2019 Lucian Cristian +# +# This is free software, licensed under the GNU General Public License v2. +# See /LICENSE for more information. + +include $(TOPDIR)/rules.mk + +PKG_NAME:=libreswan +PKG_VERSION:=3.27 +PKG_RELEASE:=1 + +PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz +PKG_SOURCE_URL:=https://download.libreswan.org/ +PKG_HASH:=ead07dd701116094b483dc57e54e2a5ee9a06d3982bb142260bcbf3d1faf7b82 + +PKG_LICENSE:=GPL-2.0 +PKG_MAINTAINER:=Lucian Cristian + +PKG_BUILD_PARALLEL:=1 +PKG_INSTALL:=1 + +include $(INCLUDE_DIR)/package.mk +include $(INCLUDE_DIR)/kernel.mk + +define Package/libreswan/Default + TITLE:=Libreswan + URL:=https://libreswan.org/ +endef + +define Package/libreswan/Default/description + Libreswan is a free software implementation of the most widely supported and + standardized VPN protocol based on ("IPsec") and the Internet Key Exchange + ("IKE"). These standards are produced and maintained by the Internet + Engineering Task Force ("IETF"). +endef + +define Package/libreswan +$(call Package/libreswan/Default) + SUBMENU:=VPN + SECTION:=net + CATEGORY:=Network + DEPENDS:= +kmod-libreswan +libnss +librt +libevent2 +libevent2-pthreads \ + +ip-full + PROVIDES:=openswan + CONFLICTS:=strongswan + TITLE+= IPsec Server +endef + +define Package/libreswan/description +$(call Package/libreswan/Default/description) + Libreswan is a free software implementation of the most widely supported and + standardized VPN protocol based on ("IPsec") and the Internet Key Exchange + ("IKE"). These standards are produced and maintained by the Internet + Engineering Task Force ("IETF"). +endef + +define KernelPackage/libreswan +$(call Package/libreswan/Default) + SUBMENU:=Network Support + TITLE+= (kernel module) + FILES:=$(PKG_BUILD_DIR)/modobj*/ipsec.$(LINUX_KMOD_SUFFIX) + DEPENDS:= +kmod-crypto-authenc +kmod-crypto-hash +kmod-ipt-ipsec +iptables-mod-ipsec \ + +kmod-ipsec +kmod-ipsec4 +kmod-crypto-rng +IPV6:kmod-ipsec6 +endef + +define KernelPackage/libreswan/description +$(call Package/libreswan/Default/description) + This package contains the Libreswan kernel module. +endef + +define Package/libreswan/conffiles +/etc/ipsec.d +/etc/ipsec.conf +/etc/ipsec.secrets +endef + +TARGET_CFLAGS+= -Wno-error=format-nonliteral +MAKE_FLAGS+= \ + WERROR_CFLAGS=" " \ + USE_DNSSEC=false \ + USE_LINUX_AUDIT=false \ + USE_LABELED_IPSEC=false \ + USE_NM=false \ + USE_LIBCURL=false \ + USE_GLIBC_KERN_FLIP_HEADERS=true \ + USE_XAUTHPAM=false \ + USE_FIPSCHECK=false \ + USE_LIBCAP_NG=false \ + USE_SYSTEMD_WATCHDOG=false \ + INC_USRLOCAL="/usr" \ + FINALRUNDIR="/var/run/pluto" \ + KERNELSRC="$(LINUX_DIR)" + +define Build/Prepare + $(call Build/Prepare/Default) + $(SED) 's,include $$$$(top_srcdir)/mk/manpages.mk,,g' \ + $(PKG_BUILD_DIR)/mk/program.mk +endef + +define Build/Compile + $(call Build/Compile/Default,base) + $(call Build/Compile/Default,module) +endef + +define Package/libreswan/install + $(INSTALL_DIR) \ + $(1)/etc/init.d \ + $(1)/etc/ipsec.d/policies \ + $(1)/usr/libexec/ipsec \ + $(1)/usr/sbin + + $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/ipsec \ + $(1)/usr/sbin/ipsec + $(INSTALL_BIN) ./files/ipsec.init $(1)/etc/init.d/ipsec + $(INSTALL_DATA) ./files/ipsec.conf $(1)/etc/ipsec.conf + $(INSTALL_DATA) ./files/ipsec.secrets $(1)/etc/ipsec.secrets + $(INSTALL_DATA) $(PKG_INSTALL_DIR)/etc/ipsec.d/policies/* \ + $(1)/etc/ipsec.d/policies/ + $(CP) $(PKG_INSTALL_DIR)/usr/libexec/ipsec/* \ + $(1)/usr/libexec/ipsec/ +endef + +$(eval $(call BuildPackage,libreswan)) +$(eval $(call KernelPackage,libreswan)) diff --git a/net/libreswan/files/ipsec.conf b/net/libreswan/files/ipsec.conf new file mode 100644 index 000000000..affa5b0a6 --- /dev/null +++ b/net/libreswan/files/ipsec.conf @@ -0,0 +1,46 @@ +# /etc/ipsec.conf - Libreswan IPsec configuration file +# +# see 'man ipsec.conf' and 'man pluto' for more information +# +# For example configurations and documentation, see https://libreswan.org/wiki/ + +config setup + # Normally, pluto logs via syslog. + #logfile=/var/log/pluto.log + # + # Do not enable debug options to debug configuration issues! + # + # plutodebug="control parsing" + # plutodebug="all crypt" + plutodebug=none + # + # NAT-TRAVERSAL support + # exclude networks used on server side by adding %v4:!a.b.c.0/24 + # It seems that T-Mobile in the US and Rogers/Fido in Canada are + # using 25/8 as "private" address space on their wireless networks. + # This range has never been announced via BGP (at least up to 2015) + virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10 + +# if it exists, include system wide crypto-policy defaults +# include /etc/crypto-policies/back-ends/libreswan.config + +# It is best to add your IPsec connections as separate files in /etc/ipsec.d/ + +conn L2TP-PSK-NAT + rightsubnet=vhost:%priv + also=L2TP-PSK-noNAT + +conn L2TP-PSK-noNAT + authby=secret + pfs=no + auto=add + keyingtries=8 + ikelifetime=8h + keylife=1h + type=transport + left=A.B.C.D + leftprotoport=17/1701 + right=%any + rightprotoport=17/%any + +include /etc/ipsec.d/*.conf \ No newline at end of file diff --git a/net/libreswan/files/ipsec.init b/net/libreswan/files/ipsec.init new file mode 100755 index 000000000..6e3026308 --- /dev/null +++ b/net/libreswan/files/ipsec.init @@ -0,0 +1,207 @@ +#!/bin/sh /etc/rc.common + +START=90 +STOP=10 + +#USE_PROCD=1 + +. $IPKG_INSTROOT/lib/functions.sh + +EXTRA_COMMANDS=status +EXTRA_HELP=" status Show the status of the service" + +# Check that networking is up. +[ "${NETWORKING}" = "no" ] && exit 6 + +if [ $(id -u) -ne 0 ]; then + echo "permission denied (must be superuser)" | \ + logger -s -p daemon.error -t ipsec_setup 2>&1 + exit 4 +fi + +# where the private directory and the config files are +IPSEC_EXECDIR="${IPSEC_EXECDIR-/usr/libexec/ipsec}" +IPSEC_SBINDIR="${IPSEC_SBINDIR-/usr/sbin}" +IPSEC_CONF="${IPSEC_CONF-/etc/ipsec.conf}" +unset PLUTO_OPTIONS + +rundir=/var/run/pluto +plutopid=${rundir}/pluto.pid +plutoctl=${rundir}/pluto.ctl +lockdir=/var/lock +lockfile=${lockdir}/ipsec +ipsecversion=/proc/net/ipsec_version +kamepfkey=/proc/net/pfkey + +# /etc/resolv.conf related paths +LIBRESWAN_RESOLV_CONF=${rundir}/libreswan-resolv-conf-backup +ORIG_RESOLV_CONF=/etc/resolv.conf + +# misc setup +umask 022 + +# standardize PATH, and export it for everything else's benefit +PATH="${IPSEC_SBINDIR}":/sbin:/usr/sbin:/usr/local/bin:/bin:/usr/bin +export PATH + +mkdir -p ${rundir} +chmod 700 ${rundir} + +verify_config() { + [ -f ${IPSEC_CONF} ] || exit 6 + config_error=$(ipsec addconn --config ${IPSEC_CONF} --checkconfig 2>&1) + RETVAL=$? + if [ ${RETVAL} -gt 0 ]; then + echo "Configuration error - the following error occurred:" + echo ${config_error} + echo "IKE daemon status was not modified" + exit ${RETVAL} + fi +} + +start() { + echo -n "Starting pluto IKE daemon for IPsec: " + ipsec _stackmanager start + # pluto searches the current directory, so this is required for making it selinux compliant + cd / + # Create nss db or convert from old format to new sql format + ipsec --checknss + # Enable nflog if configured + ipsec --checknflog > /dev/null + # This script will enter an endless loop to ensure pluto restarts on crash + ipsec _plutorun --config ${IPSEC_CONF} --nofork ${PLUTO_OPTIONS} & [ -d ${lockdir} ] || mkdir -p ${lockdir} + touch ${lockfile} + # Because _plutorun starts pluto at background we need to make sure pluto is started + # before we know if start was successful or not + for waitsec in 1 2 3 4 5; do + if status >/dev/null; then + RETVAL=0 + break + else + echo -n "." + sleep 1 + RETVAL=1 + fi + done + if [ ${RETVAL} -ge 1 ]; then + rm -f ${lockfile} + fi + echo + return ${RETVAL} +} + +stop() { + if [ -e ${plutoctl} ]; then + echo "Shutting down pluto IKE daemon" + ipsec whack --shutdown 2>/dev/null + # don't use seq, might not exist on embedded + for waitsec in 1 2 3 4 5 6 7 8 9 10; do + if [ -s ${plutopid} ]; then + echo -n "." + sleep 1 + else + break + fi + done + echo + rm -f ${plutoctl} # we won't be using this anymore + fi + if [ -s ${plutopid} ]; then + # pluto did not die peacefully + pid=$(cat ${plutopid}) + if [ -d /proc/${pid} ]; then + kill -TERM ${pid} + RETVAL=$? + sleep 5; + if [ -d /proc/${pid} ]; then + kill -KILL ${pid} + RETVAL=$? + fi + if [ ${RETVAL} -ne 0 ]; then + echo "Kill failed - removing orphaned ${plutopid}" + fi + else + echo "Removing orphaned ${plutopid}" + fi + rm -f ${plutopid} + fi + + ipsec _stackmanager stop + ipsec --stopnflog > /dev/null + + # cleaning up backup resolv.conf + if [ -e ${LIBRESWAN_RESOLV_CONF} ]; then + if grep 'Libreswan' ${ORIG_RESOLV_CONF} > /dev/null 2>&1; then + cp ${LIBRESWAN_RESOLV_CONF} ${ORIG_RESOLV_CONF} + fi + rm -f ${LIBRESWAN_RESOLV_CONF} + fi + + rm -f ${lockfile} + return ${RETVAL} +} + +restart() { + verify_config + stop + start + return $? +} + +status() { + local RC + if [ -f ${plutopid} ]; then + if [ -r ${plutopid} ]; then + pid=$(cat ${plutopid}) + if [ -n "$pid" -a -d /proc/${pid} ]; then + RC=0 # running + else + RC=1 # not running but pid exists + fi + else + RC=4 # insufficient privileges + fi + fi + if [ -z "${RC}" ]; then + if [ -f ${lockfile} ]; then + RC=2 + else + RC=3 + fi + fi + case "${RC}" in + 0) + echo "ipsec: pluto (pid ${pid}) is running..." + return 0 + ;; + 1) + echo "ipsec: pluto dead but pid file exits" + return 1 + ;; + 2) + echo "ipsec: pluto dead but subsys locked" + return 2 + ;; + 4) + echo "ipsec: pluto status unknown due to insufficient privileges." + return 4 + ;; + esac + echo "ipsec: pluto is stopped" + return 3 +} + +condrestart() { + verify_config + RETVAL=$? + if [ -f ${lockfile} ]; then + restart + RETVAL=$? + fi + return ${RETVAL} +} + +version() { + ipsec version + return $? +} diff --git a/net/libreswan/files/ipsec.secrets b/net/libreswan/files/ipsec.secrets new file mode 100644 index 000000000..a43754ca9 --- /dev/null +++ b/net/libreswan/files/ipsec.secrets @@ -0,0 +1,17 @@ +# This file holds shared secrets (PSK) and XAUTH user passwords used for +# authentication. See pluto(8) manpage or the libreswan website. + +# Unlike older openswan, this file does NOT contain any X.509 related +# information such as private key :RSA statements as these now reside +# in the NSS database. See: +# +# https://libreswan.org/wiki/Using_NSS_with_libreswan +# https://libreswan.org/wiki/Migrating_from_Openswan +# +# The preferred method for adding secrets is to create a new file in +# the /etc/ipsec.d/ directory, so it will be included via the include +# line below + +#A.B.C.D %any : PSK "SsEeCcRrEeTt" + +include /etc/ipsec.d/*.secrets