From a7558eb3569bcd0605895c4a62eadcb38fac588c Mon Sep 17 00:00:00 2001 From: Lucian Cristian Date: Sat, 6 Apr 2019 15:26:16 +0300 Subject: [PATCH] libreswan: add package Libreswan is a free software implementation of the most widely supported and standardized VPN protocol based on ("IPsec") and the Internet Key Exchange ("IKE"). These standards are produced and maintained by the Internet Engineering Task Force ("IETF"). Signed-off-by: Lucian Cristian --- net/libreswan/Makefile | 125 ++++++++++++++++++ net/libreswan/files/ipsec.conf | 46 +++++++ net/libreswan/files/ipsec.init | 207 ++++++++++++++++++++++++++++++ net/libreswan/files/ipsec.secrets | 17 +++ 4 files changed, 395 insertions(+) create mode 100644 net/libreswan/Makefile create mode 100644 net/libreswan/files/ipsec.conf create mode 100755 net/libreswan/files/ipsec.init create mode 100644 net/libreswan/files/ipsec.secrets diff --git a/net/libreswan/Makefile b/net/libreswan/Makefile new file mode 100644 index 000000000..556e20fda --- /dev/null +++ b/net/libreswan/Makefile @@ -0,0 +1,125 @@ +# +# Copyright (C) 2019 Lucian Cristian +# +# This is free software, licensed under the GNU General Public License v2. +# See /LICENSE for more information. + +include $(TOPDIR)/rules.mk + +PKG_NAME:=libreswan +PKG_VERSION:=3.27 +PKG_RELEASE:=1 + +PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz +PKG_SOURCE_URL:=https://download.libreswan.org/ +PKG_HASH:=ead07dd701116094b483dc57e54e2a5ee9a06d3982bb142260bcbf3d1faf7b82 + +PKG_LICENSE:=GPL-2.0 +PKG_MAINTAINER:=Lucian Cristian + +PKG_BUILD_PARALLEL:=1 +PKG_INSTALL:=1 + +include $(INCLUDE_DIR)/package.mk +include $(INCLUDE_DIR)/kernel.mk + +define Package/libreswan/Default + TITLE:=Libreswan + URL:=https://libreswan.org/ +endef + +define Package/libreswan/Default/description + Libreswan is a free software implementation of the most widely supported and + standardized VPN protocol based on ("IPsec") and the Internet Key Exchange + ("IKE"). These standards are produced and maintained by the Internet + Engineering Task Force ("IETF"). +endef + +define Package/libreswan +$(call Package/libreswan/Default) + SUBMENU:=VPN + SECTION:=net + CATEGORY:=Network + DEPENDS:= +kmod-libreswan +libnss +librt +libevent2 +libevent2-pthreads \ + +ip-full + PROVIDES:=openswan + CONFLICTS:=strongswan + TITLE+= IPsec Server +endef + +define Package/libreswan/description +$(call Package/libreswan/Default/description) + Libreswan is a free software implementation of the most widely supported and + standardized VPN protocol based on ("IPsec") and the Internet Key Exchange + ("IKE"). These standards are produced and maintained by the Internet + Engineering Task Force ("IETF"). +endef + +define KernelPackage/libreswan +$(call Package/libreswan/Default) + SUBMENU:=Network Support + TITLE+= (kernel module) + FILES:=$(PKG_BUILD_DIR)/modobj*/ipsec.$(LINUX_KMOD_SUFFIX) + DEPENDS:= +kmod-crypto-authenc +kmod-crypto-hash +kmod-ipt-ipsec +iptables-mod-ipsec \ + +kmod-ipsec +kmod-ipsec4 +kmod-crypto-rng +IPV6:kmod-ipsec6 +endef + +define KernelPackage/libreswan/description +$(call Package/libreswan/Default/description) + This package contains the Libreswan kernel module. +endef + +define Package/libreswan/conffiles +/etc/ipsec.d +/etc/ipsec.conf +/etc/ipsec.secrets +endef + +TARGET_CFLAGS+= -Wno-error=format-nonliteral +MAKE_FLAGS+= \ + WERROR_CFLAGS=" " \ + USE_DNSSEC=false \ + USE_LINUX_AUDIT=false \ + USE_LABELED_IPSEC=false \ + USE_NM=false \ + USE_LIBCURL=false \ + USE_GLIBC_KERN_FLIP_HEADERS=true \ + USE_XAUTHPAM=false \ + USE_FIPSCHECK=false \ + USE_LIBCAP_NG=false \ + USE_SYSTEMD_WATCHDOG=false \ + INC_USRLOCAL="/usr" \ + FINALRUNDIR="/var/run/pluto" \ + KERNELSRC="$(LINUX_DIR)" + +define Build/Prepare + $(call Build/Prepare/Default) + $(SED) 's,include $$$$(top_srcdir)/mk/manpages.mk,,g' \ + $(PKG_BUILD_DIR)/mk/program.mk +endef + +define Build/Compile + $(call Build/Compile/Default,base) + $(call Build/Compile/Default,module) +endef + +define Package/libreswan/install + $(INSTALL_DIR) \ + $(1)/etc/init.d \ + $(1)/etc/ipsec.d/policies \ + $(1)/usr/libexec/ipsec \ + $(1)/usr/sbin + + $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/ipsec \ + $(1)/usr/sbin/ipsec + $(INSTALL_BIN) ./files/ipsec.init $(1)/etc/init.d/ipsec + $(INSTALL_DATA) ./files/ipsec.conf $(1)/etc/ipsec.conf + $(INSTALL_DATA) ./files/ipsec.secrets $(1)/etc/ipsec.secrets + $(INSTALL_DATA) $(PKG_INSTALL_DIR)/etc/ipsec.d/policies/* \ + $(1)/etc/ipsec.d/policies/ + $(CP) $(PKG_INSTALL_DIR)/usr/libexec/ipsec/* \ + $(1)/usr/libexec/ipsec/ +endef + +$(eval $(call BuildPackage,libreswan)) +$(eval $(call KernelPackage,libreswan)) diff --git a/net/libreswan/files/ipsec.conf b/net/libreswan/files/ipsec.conf new file mode 100644 index 000000000..affa5b0a6 --- /dev/null +++ b/net/libreswan/files/ipsec.conf @@ -0,0 +1,46 @@ +# /etc/ipsec.conf - Libreswan IPsec configuration file +# +# see 'man ipsec.conf' and 'man pluto' for more information +# +# For example configurations and documentation, see https://libreswan.org/wiki/ + +config setup + # Normally, pluto logs via syslog. + #logfile=/var/log/pluto.log + # + # Do not enable debug options to debug configuration issues! + # + # plutodebug="control parsing" + # plutodebug="all crypt" + plutodebug=none + # + # NAT-TRAVERSAL support + # exclude networks used on server side by adding %v4:!a.b.c.0/24 + # It seems that T-Mobile in the US and Rogers/Fido in Canada are + # using 25/8 as "private" address space on their wireless networks. + # This range has never been announced via BGP (at least up to 2015) + virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10 + +# if it exists, include system wide crypto-policy defaults +# include /etc/crypto-policies/back-ends/libreswan.config + +# It is best to add your IPsec connections as separate files in /etc/ipsec.d/ + +conn L2TP-PSK-NAT + rightsubnet=vhost:%priv + also=L2TP-PSK-noNAT + +conn L2TP-PSK-noNAT + authby=secret + pfs=no + auto=add + keyingtries=8 + ikelifetime=8h + keylife=1h + type=transport + left=A.B.C.D + leftprotoport=17/1701 + right=%any + rightprotoport=17/%any + +include /etc/ipsec.d/*.conf \ No newline at end of file diff --git a/net/libreswan/files/ipsec.init b/net/libreswan/files/ipsec.init new file mode 100755 index 000000000..6e3026308 --- /dev/null +++ b/net/libreswan/files/ipsec.init @@ -0,0 +1,207 @@ +#!/bin/sh /etc/rc.common + +START=90 +STOP=10 + +#USE_PROCD=1 + +. $IPKG_INSTROOT/lib/functions.sh + +EXTRA_COMMANDS=status +EXTRA_HELP=" status Show the status of the service" + +# Check that networking is up. +[ "${NETWORKING}" = "no" ] && exit 6 + +if [ $(id -u) -ne 0 ]; then + echo "permission denied (must be superuser)" | \ + logger -s -p daemon.error -t ipsec_setup 2>&1 + exit 4 +fi + +# where the private directory and the config files are +IPSEC_EXECDIR="${IPSEC_EXECDIR-/usr/libexec/ipsec}" +IPSEC_SBINDIR="${IPSEC_SBINDIR-/usr/sbin}" +IPSEC_CONF="${IPSEC_CONF-/etc/ipsec.conf}" +unset PLUTO_OPTIONS + +rundir=/var/run/pluto +plutopid=${rundir}/pluto.pid +plutoctl=${rundir}/pluto.ctl +lockdir=/var/lock +lockfile=${lockdir}/ipsec +ipsecversion=/proc/net/ipsec_version +kamepfkey=/proc/net/pfkey + +# /etc/resolv.conf related paths +LIBRESWAN_RESOLV_CONF=${rundir}/libreswan-resolv-conf-backup +ORIG_RESOLV_CONF=/etc/resolv.conf + +# misc setup +umask 022 + +# standardize PATH, and export it for everything else's benefit +PATH="${IPSEC_SBINDIR}":/sbin:/usr/sbin:/usr/local/bin:/bin:/usr/bin +export PATH + +mkdir -p ${rundir} +chmod 700 ${rundir} + +verify_config() { + [ -f ${IPSEC_CONF} ] || exit 6 + config_error=$(ipsec addconn --config ${IPSEC_CONF} --checkconfig 2>&1) + RETVAL=$? + if [ ${RETVAL} -gt 0 ]; then + echo "Configuration error - the following error occurred:" + echo ${config_error} + echo "IKE daemon status was not modified" + exit ${RETVAL} + fi +} + +start() { + echo -n "Starting pluto IKE daemon for IPsec: " + ipsec _stackmanager start + # pluto searches the current directory, so this is required for making it selinux compliant + cd / + # Create nss db or convert from old format to new sql format + ipsec --checknss + # Enable nflog if configured + ipsec --checknflog > /dev/null + # This script will enter an endless loop to ensure pluto restarts on crash + ipsec _plutorun --config ${IPSEC_CONF} --nofork ${PLUTO_OPTIONS} & [ -d ${lockdir} ] || mkdir -p ${lockdir} + touch ${lockfile} + # Because _plutorun starts pluto at background we need to make sure pluto is started + # before we know if start was successful or not + for waitsec in 1 2 3 4 5; do + if status >/dev/null; then + RETVAL=0 + break + else + echo -n "." + sleep 1 + RETVAL=1 + fi + done + if [ ${RETVAL} -ge 1 ]; then + rm -f ${lockfile} + fi + echo + return ${RETVAL} +} + +stop() { + if [ -e ${plutoctl} ]; then + echo "Shutting down pluto IKE daemon" + ipsec whack --shutdown 2>/dev/null + # don't use seq, might not exist on embedded + for waitsec in 1 2 3 4 5 6 7 8 9 10; do + if [ -s ${plutopid} ]; then + echo -n "." + sleep 1 + else + break + fi + done + echo + rm -f ${plutoctl} # we won't be using this anymore + fi + if [ -s ${plutopid} ]; then + # pluto did not die peacefully + pid=$(cat ${plutopid}) + if [ -d /proc/${pid} ]; then + kill -TERM ${pid} + RETVAL=$? + sleep 5; + if [ -d /proc/${pid} ]; then + kill -KILL ${pid} + RETVAL=$? + fi + if [ ${RETVAL} -ne 0 ]; then + echo "Kill failed - removing orphaned ${plutopid}" + fi + else + echo "Removing orphaned ${plutopid}" + fi + rm -f ${plutopid} + fi + + ipsec _stackmanager stop + ipsec --stopnflog > /dev/null + + # cleaning up backup resolv.conf + if [ -e ${LIBRESWAN_RESOLV_CONF} ]; then + if grep 'Libreswan' ${ORIG_RESOLV_CONF} > /dev/null 2>&1; then + cp ${LIBRESWAN_RESOLV_CONF} ${ORIG_RESOLV_CONF} + fi + rm -f ${LIBRESWAN_RESOLV_CONF} + fi + + rm -f ${lockfile} + return ${RETVAL} +} + +restart() { + verify_config + stop + start + return $? +} + +status() { + local RC + if [ -f ${plutopid} ]; then + if [ -r ${plutopid} ]; then + pid=$(cat ${plutopid}) + if [ -n "$pid" -a -d /proc/${pid} ]; then + RC=0 # running + else + RC=1 # not running but pid exists + fi + else + RC=4 # insufficient privileges + fi + fi + if [ -z "${RC}" ]; then + if [ -f ${lockfile} ]; then + RC=2 + else + RC=3 + fi + fi + case "${RC}" in + 0) + echo "ipsec: pluto (pid ${pid}) is running..." + return 0 + ;; + 1) + echo "ipsec: pluto dead but pid file exits" + return 1 + ;; + 2) + echo "ipsec: pluto dead but subsys locked" + return 2 + ;; + 4) + echo "ipsec: pluto status unknown due to insufficient privileges." + return 4 + ;; + esac + echo "ipsec: pluto is stopped" + return 3 +} + +condrestart() { + verify_config + RETVAL=$? + if [ -f ${lockfile} ]; then + restart + RETVAL=$? + fi + return ${RETVAL} +} + +version() { + ipsec version + return $? +} diff --git a/net/libreswan/files/ipsec.secrets b/net/libreswan/files/ipsec.secrets new file mode 100644 index 000000000..a43754ca9 --- /dev/null +++ b/net/libreswan/files/ipsec.secrets @@ -0,0 +1,17 @@ +# This file holds shared secrets (PSK) and XAUTH user passwords used for +# authentication. See pluto(8) manpage or the libreswan website. + +# Unlike older openswan, this file does NOT contain any X.509 related +# information such as private key :RSA statements as these now reside +# in the NSS database. See: +# +# https://libreswan.org/wiki/Using_NSS_with_libreswan +# https://libreswan.org/wiki/Migrating_from_Openswan +# +# The preferred method for adding secrets is to create a new file in +# the /etc/ipsec.d/ directory, so it will be included via the include +# line below + +#A.B.C.D %any : PSK "SsEeCcRrEeTt" + +include /etc/ipsec.d/*.secrets