libreswan: add libreswan 3.27lilik-openwrt-22.03
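--- a/Makefile
+++ b/Makefile
@@ -0,0 +1,125 @@
+#
+# Copyright (C) 2019 Lucian Cristian <lucian.cristian@gmail.com>
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+include $(TOPDIR)/rules.mk
+PKG_NAME:=libreswan
+PKG_VERSION:=3.27
+PKG_RELEASE:=1
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
+PKG_SOURCE_URL:=https://download.libreswan.org/
+PKG_HASH:=ead07dd701116094b483dc57e54e2a5ee9a06d3982bb142260bcbf3d1faf7b82
+PKG_LICENSE:=GPL-2.0
+PKG_MAINTAINER:=Lucian Cristian <lucian.cristian@gmail.com>
+PKG_BUILD_PARALLEL:=1
+PKG_INSTALL:=1
+include $(INCLUDE_DIR)/package.mk
+include $(INCLUDE_DIR)/kernel.mk
+define Package/libreswan/Default
+TITLE:=Libreswan
+URL:=https://libreswan.org/
+endef
+define Package/libreswan/Default/description
+Libreswan is a free software implementation of the most widely supported and
+standardized VPN protocol based on ("IPsec") and the Internet Key Exchange
+("IKE"). These standards are produced and maintained by the Internet
+Engineering Task Force ("IETF").
+endef
+define Package/libreswan
+$(call Package/libreswan/Default)
+SUBMENU:=VPN
+SECTION:=net
+CATEGORY:=Network
+DEPENDS:= +kmod-libreswan +libnss +librt +libevent2 +libevent2-pthreads \
+ +ip-full
+PROVIDES:=openswan
+CONFLICTS:=strongswan
+TITLE+= IPsec Server
+endef
+define Package/libreswan/description
+$(call Package/libreswan/Default/description)
+Libreswan is a free software implementation of the most widely supported and
+standardized VPN protocol based on ("IPsec") and the Internet Key Exchange
+("IKE"). These standards are produced and maintained by the Internet
+Engineering Task Force ("IETF").
+endef
+define KernelPackage/libreswan
+$(call Package/libreswan/Default)
+SUBMENU:=Network Support
+TITLE+= (kernel module)
+FILES:=$(PKG_BUILD_DIR)/modobj*/ipsec.$(LINUX_KMOD_SUFFIX)
+DEPENDS:= +kmod-crypto-authenc +kmod-crypto-hash +kmod-ipt-ipsec +iptables-mod-ipsec \
+ +kmod-ipsec +kmod-ipsec4 +kmod-crypto-rng +IPV6:kmod-ipsec6
+endef
+define KernelPackage/libreswan/description
+$(call Package/libreswan/Default/description)
+This package contains the Libreswan kernel module.
+endef
+define Package/libreswan/conffiles
+/etc/ipsec.d
+/etc/ipsec.conf
+/etc/ipsec.secrets
+endef
+TARGET_CFLAGS+= -Wno-error=format-nonliteral
+MAKE_FLAGS+= \
+ WERROR_CFLAGS=" " \
+ USE_DNSSEC=false \
+ USE_LINUX_AUDIT=false \
+ USE_LABELED_IPSEC=false \
+ USE_NM=false \
+ USE_LIBCURL=false \
+ USE_GLIBC_KERN_FLIP_HEADERS=true \
+ USE_XAUTHPAM=false \
+ USE_FIPSCHECK=false \
+ USE_LIBCAP_NG=false \
+ USE_SYSTEMD_WATCHDOG=false \
+ INC_USRLOCAL="/usr" \
+ FINALRUNDIR="/var/run/pluto" \
+ KERNELSRC="$(LINUX_DIR)"
+define Build/Prepare
+$(call Build/Prepare/Default)
+$(SED) 's,include $$$$(top_srcdir)/mk/manpages.mk,,g' \
+ $(PKG_BUILD_DIR)/mk/program.mk
+endef
+define Build/Compile
+$(call Build/Compile/Default,base)
+$(call Build/Compile/Default,module)
+endef
+define Package/libreswan/install
+$(INSTALL_DIR) \
+ $(1)/etc/init.d \
+ $(1)/etc/ipsec.d/policies \
+ $(1)/usr/libexec/ipsec \
+ $(1)/usr/sbin
+$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/ipsec \
+ $(1)/usr/sbin/ipsec
+$(INSTALL_BIN) ./files/ipsec.init $(1)/etc/init.d/ipsec
+$(INSTALL_DATA) ./files/ipsec.conf $(1)/etc/ipsec.conf
+$(INSTALL_DATA) ./files/ipsec.secrets $(1)/etc/ipsec.secrets
+$(INSTALL_DATA) $(PKG_INSTALL_DIR)/etc/ipsec.d/policies/* \
+ $(1)/etc/ipsec.d/policies/
+$(CP) $(PKG_INSTALL_DIR)/usr/libexec/ipsec/* \
+ $(1)/usr/libexec/ipsec/
+endef
+$(eval $(call BuildPackage,libreswan))
+$(eval $(call KernelPackage,libreswan))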
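Review bot: `$(INSTALL_DATA) ./files/ipsec.secrets $(1)/etc/ipsec.secrets` in Package/libreswan/install ships the secrets file world-readable (INSTALL_DATA installs with mode 0644), while that file's own header says it holds shared secrets and XAUTH passwords; install it with `$(INSTALL_CONF) ./files/ipsec.secrets $(1)/etc/ipsec.secrets` so it lands as 0600. The same point applies to the ipsec.secrets section of this commit, which only adds the file's comments and include line. Separately, Package/libreswan/description calls Package/libreswan/Default/description and then repeats the same four lines verbatim, so the text is emitted twice; drop the copy and keep only the `$(call ...)`.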
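--- a/files/ipsec.conf
+++ b/files/ipsec.conf
@@ -0,0 +1,46 @@
+# /etc/ipsec.conf - Libreswan IPsec configuration file
+#
+# see 'man ipsec.conf' and 'man pluto' for more information
+#
+# For example configurations and documentation, see https://libreswan.org/wiki/
+config setup
+# Normally, pluto logs via syslog.
+#logfile=/var/log/pluto.log
+#
+# Do not enable debug options to debug configuration issues!
+#
+# plutodebug="control parsing"
+# plutodebug="all crypt"
+plutodebug=none
+#
+# NAT-TRAVERSAL support
+# exclude networks used on server side by adding %v4:!a.b.c.0/24
+# It seems that T-Mobile in the US and Rogers/Fido in Canada are
+# using 25/8 as "private" address space on their wireless networks.
+# This range has never been announced via BGP (at least up to 2015)
+virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10
+# if it exists, include system wide crypto-policy defaults
+# include /etc/crypto-policies/back-ends/libreswan.config
+# It is best to add your IPsec connections as separate files in /etc/ipsec.d/
+conn L2TP-PSK-NAT
+rightsubnet=vhost:%priv
+also=L2TP-PSK-noNAT
+conn L2TP-PSK-noNAT
+authby=secret
+pfs=no
+auto=add
+keyingtries=8
+ikelifetime=8h
+keylife=1h
+type=transport
+left=A.B.C.D
+leftprotoport=17/1701
+right=%any
+rightprotoport=17/%any
+include /etc/ipsec.d/*.conf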
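Review bot: `conn L2TP-PSK-noNAT` (and `L2TP-PSK-NAT` through `also=`) is shipped with `auto=add` and the placeholder `left=A.B.C.D`, so the stock config asks pluto to load a connection whose local endpoint is not a real address; whether `ipsec addconn --checkconfig`, which the init script runs before a restart, rejects that or just skips the conn with a warning I cannot tell from here. Either way a default install should not load sample conns: either comment out both `conn` stanzas, keeping the `config setup` block and the `include` line, or put a comment above them such as `# Sample only: replace left=A.B.C.D with this host's public address before enabling`. The comment above `conn L2TP-PSK-NAT` already points admins at /etc/ipsec.d/, which is the right place for real connections.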
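--- a/files/ipsec.init
+++ b/files/ipsec.init
@@ -0,0 +1,207 @@
+#!/bin/sh /etc/rc.common
+START=90
+STOP=10
+#USE_PROCD=1
+. $IPKG_INSTROOT/lib/functions.sh
+EXTRA_COMMANDS=status
+EXTRA_HELP=" status Show the status of the service"
+# Check that networking is up.
+[ "${NETWORKING}" = "no" ] && exit 6
+if [ $(id -u) -ne 0 ]; then
+echo "permission denied (must be superuser)" | \
+logger -s -p daemon.error -t ipsec_setup 2>&1
+exit 4
+fi
+# where the private directory and the config files are
+IPSEC_EXECDIR="${IPSEC_EXECDIR-/usr/libexec/ipsec}"
+IPSEC_SBINDIR="${IPSEC_SBINDIR-/usr/sbin}"
+IPSEC_CONF="${IPSEC_CONF-/etc/ipsec.conf}"
+unset PLUTO_OPTIONS
+rundir=/var/run/pluto
+plutopid=${rundir}/pluto.pid
+plutoctl=${rundir}/pluto.ctl
+lockdir=/var/lock
+lockfile=${lockdir}/ipsec
+ipsecversion=/proc/net/ipsec_version
+kamepfkey=/proc/net/pfkey
+# /etc/resolv.conf related paths
+LIBRESWAN_RESOLV_CONF=${rundir}/libreswan-resolv-conf-backup
+ORIG_RESOLV_CONF=/etc/resolv.conf
+# misc setup
+umask 022
+# standardize PATH, and export it for everything else's benefit
+PATH="${IPSEC_SBINDIR}":/sbin:/usr/sbin:/usr/local/bin:/bin:/usr/bin
+export PATH
+mkdir -p ${rundir}
+chmod 700 ${rundir}
+verify_config() {
+[ -f ${IPSEC_CONF} ] || exit 6
+config_error=$(ipsec addconn --config ${IPSEC_CONF} --checkconfig 2>&1)
+RETVAL=$?
+if [ ${RETVAL} -gt 0 ]; then
+echo "Configuration error - the following error occurred:"
+echo ${config_error}
+echo "IKE daemon status was not modified"
+exit ${RETVAL}
+fi
+}
+start() {
+echo -n "Starting pluto IKE daemon for IPsec: "
+ipsec _stackmanager start
+# pluto searches the current directory, so this is required for making it selinux compliant
+cd /
+# Create nss db or convert from old format to new sql format
+ipsec --checknss
+# Enable nflog if configured
+ipsec --checknflog > /dev/null
+# This script will enter an endless loop to ensure pluto restarts on crash
+ipsec _plutorun --config ${IPSEC_CONF} --nofork ${PLUTO_OPTIONS} & [ -d ${lockdir} ] || mkdir -p ${lockdir}
+touch ${lockfile}
+# Because _plutorun starts pluto at background we need to make sure pluto is started
+# before we know if start was successful or not
+for waitsec in 1 2 3 4 5; do
+if status >/dev/null; then
+RETVAL=0
+break
+else
+echo -n "."
+sleep 1
+RETVAL=1
+fi
+done
+if [ ${RETVAL} -ge 1 ]; then
+rm -f ${lockfile}
+fi
+echo
+return ${RETVAL}
+}
+stop() {
+if [ -e ${plutoctl} ]; then
+echo "Shutting down pluto IKE daemon"
+ipsec whack --shutdown 2>/dev/null
+# don't use seq, might not exist on embedded
+for waitsec in 1 2 3 4 5 6 7 8 9 10; do
+if [ -s ${plutopid} ]; then
+echo -n "."
+sleep 1
+else
+break
+fi
+done
+echo
+rm -f ${plutoctl} # we won't be using this anymore
+fi
+if [ -s ${plutopid} ]; then
+# pluto did not die peacefully
+pid=$(cat ${plutopid})
+if [ -d /proc/${pid} ]; then
+kill -TERM ${pid}
+RETVAL=$?
+sleep 5;
+if [ -d /proc/${pid} ]; then
+kill -KILL ${pid}
+RETVAL=$?
+fi
+if [ ${RETVAL} -ne 0 ]; then
+echo "Kill failed - removing orphaned ${plutopid}"
+fi
+else
+echo "Removing orphaned ${plutopid}"
+fi
+rm -f ${plutopid}
+fi
+ipsec _stackmanager stop
+ipsec --stopnflog > /dev/null
+# cleaning up backup resolv.conf
+if [ -e ${LIBRESWAN_RESOLV_CONF} ]; then
+if grep 'Libreswan' ${ORIG_RESOLV_CONF} > /dev/null 2>&1; then
+cp ${LIBRESWAN_RESOLV_CONF} ${ORIG_RESOLV_CONF}
+fi
+rm -f ${LIBRESWAN_RESOLV_CONF}
+fi
+rm -f ${lockfile}
+return ${RETVAL}
+}
+restart() {
+verify_config
+stop
+start
+return $?
+}
+status() {
+local RC
+if [ -f ${plutopid} ]; then
+if [ -r ${plutopid} ]; then
+pid=$(cat ${plutopid})
+if [ -n "$pid" -a -d /proc/${pid} ]; then
+RC=0 # running
+else
+RC=1 # not running but pid exists
+fi
+else
+RC=4 # insufficient privileges
+fi
+fi
+if [ -z "${RC}" ]; then
+if [ -f ${lockfile} ]; then
+RC=2
+else
+RC=3
+fi
+fi
+case "${RC}" in
+0)
+echo "ipsec: pluto (pid ${pid}) is running..."
+return 0
+;;
+1)
+echo "ipsec: pluto dead but pid file exits"
+return 1
+;;
+2)
+echo "ipsec: pluto dead but subsys locked"
+return 2
+;;
+4)
+echo "ipsec: pluto status unknown due to insufficient privileges."
+return 4
+;;
+esac
+echo "ipsec: pluto is stopped"
+return 3
+}
+condrestart() {
+verify_config
+RETVAL=$?
+if [ -f ${lockfile} ]; then
+restart
+RETVAL=$?
+fi
+return ${RETVAL}
+}
+version() {
+ipsec version
+return $?
+}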
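Review bot: `stop()` ends with `return ${RETVAL}`, but RETVAL is only assigned inside the `kill` branch; after a clean `ipsec whack --shutdown` the variable is unset, the line expands to a bare `return`, and the function's status becomes whatever `rm -f ${lockfile}` returned rather than a deliberate value. Initialise it at the top of the function, `RETVAL=0`, so the outcome is explicit. `start()` also skips `verify_config`, unlike `restart()` and `condrestart()`, so `ipsec start` with a broken config goes straight into `_plutorun`'s restart loop (presumably looping on a daemon that keeps failing; I cannot see `_plutorun` here); adding `verify_config` as the first line of `start()` keeps the three entry points consistent. Minor: the `1)` message in `status()` says "pid file exits" where "exists" is meant, and the loop variable `waitsec` is never read in either wait loop.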
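--- a/files/ipsec.secrets
+++ b/files/ipsec.secrets
@@ -0,0 +1,17 @@
+# This file holds shared secrets (PSK) and XAUTH user passwords used for
+# authentication. See pluto(8) manpage or the libreswan website.
+# Unlike older openswan, this file does NOT contain any X.509 related
+# information such as private key :RSA statements as these now reside
+# in the NSS database. See:
+#
+# https://libreswan.org/wiki/Using_NSS_with_libreswan
+# https://libreswan.org/wiki/Migrating_from_Openswan
+#
+# The preferred method for adding secrets is to create a new file in
+# the /etc/ipsec.d/ directory, so it will be included via the include
+# line below
+#A.B.C.D %any : PSK "SsEeCcRrEeTt"
+include /etc/ipsec.d/*.secrets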