391 lines
10 KiB
Bash
391 lines
10 KiB
Bash
#!/bin/sh /etc/rc.common
|
|
|
|
START=90
|
|
STOP=10
|
|
|
|
USE_PROCD=1
|
|
PROG=/usr/lib/ipsec/starter
|
|
|
|
. $IPKG_INSTROOT/lib/functions.sh
|
|
. $IPKG_INSTROOT/lib/functions/network.sh
|
|
|
|
IPSEC_SECRETS_FILE=/etc/ipsec.secrets
|
|
IPSEC_CONN_FILE=/etc/ipsec.conf
|
|
STRONGSWAN_CONF_FILE=/etc/strongswan.conf
|
|
|
|
IPSEC_VAR_SECRETS_FILE=/var/ipsec/ipsec.secrets
|
|
IPSEC_VAR_CONN_FILE=/var/ipsec/ipsec.conf
|
|
STRONGSWAN_VAR_CONF_FILE=/var/ipsec/strongswan.conf
|
|
|
|
WAIT_FOR_INTF=0
|
|
|
|
file_reset() {
|
|
: > "$1"
|
|
}
|
|
|
|
xappend() {
|
|
local file="$1"
|
|
shift
|
|
|
|
echo "${@}" >> "${file}"
|
|
}
|
|
|
|
remove_include() {
|
|
local file="$1"
|
|
local include="$2"
|
|
|
|
sed -i "\_${include}_d" "${file}"
|
|
}
|
|
|
|
remove_includes() {
|
|
remove_include "${IPSEC_CONN_FILE}" "${IPSEC_VAR_CONN_FILE}"
|
|
remove_include "${IPSEC_SECRETS_FILE}" "${IPSEC_VAR_SECRETS_FILE}"
|
|
remove_include "${STRONGSWAN_CONF_FILE}" "${STRONGSWAN_VAR_CONF_FILE}"
|
|
}
|
|
|
|
do_include() {
|
|
local conf="$1"
|
|
local uciconf="$2"
|
|
local backup=`mktemp -t -p /tmp/ ipsec-init-XXXXXX`
|
|
|
|
[ ! -f "${conf}" ] && rm -rf "${conf}"
|
|
touch "${conf}"
|
|
|
|
cat "${conf}" | grep -v "${uciconf}" > "${backup}"
|
|
mv "${backup}" "${conf}"
|
|
xappend "${conf}" "include ${uciconf}"
|
|
file_reset "${uciconf}"
|
|
}
|
|
|
|
ipsec_reset() {
|
|
do_include "${IPSEC_CONN_FILE}" "${IPSEC_VAR_CONN_FILE}"
|
|
}
|
|
|
|
ipsec_xappend() {
|
|
xappend "${IPSEC_VAR_CONN_FILE}" "$@"
|
|
}
|
|
|
|
swan_reset() {
|
|
do_include "${STRONGSWAN_CONF_FILE}" "${STRONGSWAN_VAR_CONF_FILE}"
|
|
}
|
|
|
|
swan_xappend() {
|
|
xappend "${STRONGSWAN_VAR_CONF_FILE}" "$@"
|
|
}
|
|
|
|
secret_reset() {
|
|
do_include "${IPSEC_SECRETS_FILE}" "${IPSEC_VAR_SECRETS_FILE}"
|
|
}
|
|
|
|
secret_xappend() {
|
|
xappend "${IPSEC_VAR_SECRETS_FILE}" "$@"
|
|
}
|
|
|
|
warning() {
|
|
echo "WARNING: $@" >&2
|
|
}
|
|
|
|
add_crypto_proposal() {
|
|
local encryption_algorithm
|
|
local hash_algorithm
|
|
local dh_group
|
|
|
|
config_get encryption_algorithm "$1" encryption_algorithm
|
|
config_get hash_algorithm "$1" hash_algorithm
|
|
config_get dh_group "$1" dh_group
|
|
|
|
[ -n "${encryption_algorithm}" ] && \
|
|
crypto="${crypto:+${crypto},}${encryption_algorithm}${hash_algorithm:+-${hash_algorithm}}${dh_group:+-${dh_group}}"
|
|
}
|
|
|
|
set_crypto_proposal() {
|
|
local conf="$1"
|
|
local proposal
|
|
|
|
crypto=""
|
|
|
|
config_get crypto_proposal "$conf" crypto_proposal ""
|
|
for proposal in $crypto_proposal; do
|
|
add_crypto_proposal "$proposal"
|
|
done
|
|
|
|
[ -n "${crypto}" ] && {
|
|
local force_crypto_proposal
|
|
|
|
config_get_bool force_crypto_proposal "$conf" force_crypto_proposal
|
|
|
|
[ "${force_crypto_proposal}" = "1" ] && crypto="${crypto}!"
|
|
}
|
|
|
|
crypto_proposal="${crypto}"
|
|
}
|
|
|
|
config_conn() {
|
|
# Generic ipsec conn section shared by tunnel and transport
|
|
local mode
|
|
local local_subnet
|
|
local local_nat
|
|
local local_sourceip
|
|
local local_leftip
|
|
local local_updown
|
|
local local_firewall
|
|
local remote_subnet
|
|
local remote_sourceip
|
|
local remote_updown
|
|
local remote_firewall
|
|
local ikelifetime
|
|
local lifetime
|
|
local margintime
|
|
local keyingtries
|
|
local dpdaction
|
|
local dpddelay
|
|
local inactivity
|
|
local keyexchange
|
|
local reqid
|
|
local packet_marker
|
|
|
|
config_get mode "$1" mode "route"
|
|
config_get local_subnet "$1" local_subnet ""
|
|
config_get local_nat "$1" local_nat ""
|
|
config_get local_sourceip "$1" local_sourceip ""
|
|
config_get local_leftip "$1" local_leftip "%any"
|
|
config_get local_updown "$1" local_updown ""
|
|
config_get local_firewall "$1" local_firewall ""
|
|
config_get remote_subnet "$1" remote_subnet ""
|
|
config_get remote_sourceip "$1" remote_sourceip ""
|
|
config_get remote_updown "$1" remote_updown ""
|
|
config_get remote_firewall "$1" remote_firewall ""
|
|
config_get ikelifetime "$1" ikelifetime "3h"
|
|
config_get lifetime "$1" lifetime "1h"
|
|
config_get margintime "$1" margintime "9m"
|
|
config_get keyingtries "$1" keyingtries "3"
|
|
config_get dpdaction "$1" dpdaction "none"
|
|
config_get dpddelay "$1" dpddelay "30s"
|
|
config_get inactivity "$1" inactivity
|
|
config_get keyexchange "$1" keyexchange "ikev2"
|
|
config_get reqid "$1" reqid
|
|
config_get packet_marker "$1" packet_marker
|
|
|
|
[ -n "$local_nat" ] && local_subnet=$local_nat
|
|
|
|
ipsec_xappend "conn $config_name-$1"
|
|
ipsec_xappend " left=$local_leftip"
|
|
ipsec_xappend " right=$remote_gateway"
|
|
|
|
[ -n "$local_sourceip" ] && ipsec_xappend " leftsourceip=$local_sourceip"
|
|
[ -n "$local_subnet" ] && ipsec_xappend " leftsubnet=$local_subnet"
|
|
|
|
[ -n "$local_firewall" ] && ipsec_xappend " leftfirewall=$local_firewall"
|
|
[ -n "$remote_firewall" ] && ipsec_xappend " rightfirewall=$remote_firewall"
|
|
|
|
ipsec_xappend " ikelifetime=$ikelifetime"
|
|
ipsec_xappend " lifetime=$lifetime"
|
|
ipsec_xappend " margintime=$margintime"
|
|
ipsec_xappend " keyingtries=$keyingtries"
|
|
ipsec_xappend " dpdaction=$dpdaction"
|
|
ipsec_xappend " dpddelay=$dpddelay"
|
|
|
|
[ -n "$inactivity" ] && ipsec_xappend " inactivity=$inactivity"
|
|
[ -n "$reqid" ] && ipsec_xappend " reqid=$reqid"
|
|
|
|
if [ "$auth_method" = "psk" ]; then
|
|
ipsec_xappend " leftauth=psk"
|
|
ipsec_xappend " rightauth=psk"
|
|
|
|
[ "$remote_sourceip" != "" ] && ipsec_xappend " rightsourceip=$remote_sourceip"
|
|
[ "$remote_subnet" != "" ] && ipsec_xappend " rightsubnet=$remote_subnet"
|
|
|
|
ipsec_xappend " auto=$mode"
|
|
else
|
|
warning "AuthenticationMethod $auth_method not supported"
|
|
fi
|
|
|
|
[ -n "$local_identifier" ] && ipsec_xappend " leftid=$local_identifier"
|
|
[ -n "$remote_identifier" ] && ipsec_xappend " rightid=$remote_identifier"
|
|
[ -n "$local_updown" ] && ipsec_xappend " leftupdown=$local_updown"
|
|
[ -n "$remote_updown" ] && ipsec_xappend " rightupdown=$remote_updown"
|
|
[ -n "$packet_marker" ] && ipsec_xappend " mark=$packet_marker"
|
|
ipsec_xappend " keyexchange=$keyexchange"
|
|
|
|
set_crypto_proposal "$1"
|
|
[ -n "${crypto_proposal}" ] && ipsec_xappend " esp=$crypto_proposal"
|
|
[ -n "${ike_proposal}" ] && ipsec_xappend " ike=$ike_proposal"
|
|
}
|
|
|
|
config_tunnel() {
|
|
config_conn "$1"
|
|
|
|
# Specific for the tunnel part
|
|
ipsec_xappend " type=tunnel"
|
|
}
|
|
|
|
config_transport() {
|
|
config_conn "$1"
|
|
|
|
# Specific for the transport part
|
|
ipsec_xappend " type=transport"
|
|
}
|
|
|
|
config_remote() {
|
|
local enabled
|
|
local gateway
|
|
local pre_shared_key
|
|
local auth_method
|
|
|
|
config_name=$1
|
|
|
|
config_get_bool enabled "$1" enabled 0
|
|
[ $enabled -eq 0 ] && return
|
|
|
|
config_get gateway "$1" gateway
|
|
config_get pre_shared_key "$1" pre_shared_key
|
|
config_get auth_method "$1" authentication_method
|
|
config_get local_identifier "$1" local_identifier ""
|
|
config_get remote_identifier "$1" remote_identifier ""
|
|
|
|
[ "$gateway" = "any" ] && remote_gateway="%any" || remote_gateway="$gateway"
|
|
|
|
[ -z "$local_identifier" ] && {
|
|
local ipdest
|
|
|
|
[ "$remote_gateway" = "%any" ] && ipdest="1.1.1.1" || ipdest="$remote_gateway"
|
|
local_gateway=$(ip -o route get "$ipdest" | awk '/ src / { print gensub(/^.* src ([^ ]*) .*$/, "\\1", "g"); }')
|
|
}
|
|
|
|
[ -n "$local_identifier" ] && secret_xappend -n "$local_identifier " || secret_xappend -n "$local_gateway "
|
|
[ -n "$remote_identifier" ] && secret_xappend -n "$remote_identifier " || secret_xappend -n "$remote_gateway "
|
|
|
|
secret_xappend ": PSK \"$pre_shared_key\""
|
|
|
|
set_crypto_proposal "$1"
|
|
ike_proposal="$crypto_proposal"
|
|
|
|
config_list_foreach "$1" tunnel config_tunnel
|
|
|
|
config_list_foreach "$1" transport config_transport
|
|
|
|
ipsec_xappend ""
|
|
}
|
|
|
|
config_ipsec() {
|
|
local debug
|
|
local rtinstall_enabled
|
|
local routing_tables_ignored
|
|
local routing_table
|
|
local routing_table_id
|
|
local interface
|
|
local device_list
|
|
|
|
ipsec_reset
|
|
secret_reset
|
|
swan_reset
|
|
|
|
ipsec_xappend "# generated by /etc/init.d/ipsec"
|
|
ipsec_xappend "version 2"
|
|
ipsec_xappend ""
|
|
|
|
secret_xappend "# generated by /etc/init.d/ipsec"
|
|
|
|
config_get debug "$1" debug 0
|
|
config_get_bool rtinstall_enabled "$1" rtinstall_enabled 1
|
|
[ $rtinstall_enabled -eq 1 ] && install_routes=yes || install_routes=no
|
|
|
|
# prepare extra charon config option ignore_routing_tables
|
|
for routing_table in $(config_get "$1" "ignore_routing_tables"); do
|
|
if [ "$routing_table" -ge 0 ] 2>/dev/null; then
|
|
routing_table_id=$routing_table
|
|
else
|
|
routing_table_id=$(sed -n '/[ \t]*[0-9]\+[ \t]\+'$routing_table'[ \t]*$/s/[ \t]*\([0-9]\+\).*/\1/p' /etc/iproute2/rt_tables)
|
|
fi
|
|
|
|
[ -n "$routing_table_id" ] && append routing_tables_ignored "$routing_table_id"
|
|
done
|
|
|
|
local interface_list=$(config_get "$1" "interface")
|
|
if [ -z "$interface_list" ]; then
|
|
WAIT_FOR_INTF=0
|
|
else
|
|
for interface in $interface_list; do
|
|
network_get_device device $interface
|
|
[ -n "$device" ] && append device_list "$device" ","
|
|
done
|
|
[ -n "$device_list" ] && WAIT_FOR_INTF=0 || WAIT_FOR_INTF=1
|
|
fi
|
|
|
|
swan_xappend "# generated by /etc/init.d/ipsec"
|
|
swan_xappend "charon {"
|
|
swan_xappend " load_modular = yes"
|
|
swan_xappend " install_routes = $install_routes"
|
|
[ -n "$routing_tables_ignored" ] && swan_xappend " ignore_routing_tables = $routing_tables_ignored"
|
|
[ -n "$device_list" ] && swan_xappend " interfaces_use = $device_list"
|
|
swan_xappend " plugins {"
|
|
swan_xappend " include /etc/strongswan.d/charon/*.conf"
|
|
swan_xappend " }"
|
|
swan_xappend " syslog {"
|
|
swan_xappend " identifier = ipsec"
|
|
swan_xappend " daemon {"
|
|
swan_xappend " default = $debug"
|
|
swan_xappend " }"
|
|
swan_xappend " }"
|
|
swan_xappend "}"
|
|
}
|
|
|
|
prepare_env() {
|
|
mkdir -p /var/ipsec
|
|
remove_includes
|
|
config_load ipsec
|
|
config_foreach config_ipsec ipsec
|
|
config_foreach config_remote remote
|
|
}
|
|
|
|
service_running() {
|
|
ipsec status > /dev/null 2>&1
|
|
}
|
|
|
|
reload_service() {
|
|
running && {
|
|
prepare_env
|
|
[ $WAIT_FOR_INTF -eq 0 ] && {
|
|
ipsec rereadall
|
|
ipsec reload
|
|
return
|
|
}
|
|
}
|
|
|
|
start
|
|
}
|
|
|
|
check_ipsec_interface() {
|
|
local intf
|
|
|
|
for intf in $(config_get "$1" interface); do
|
|
procd_add_interface_trigger "interface.*" "$intf" /etc/init.d/ipsec reload
|
|
done
|
|
}
|
|
|
|
service_triggers() {
|
|
procd_add_reload_trigger "ipsec"
|
|
config load "ipsec"
|
|
config_foreach check_ipsec_interface ipsec
|
|
}
|
|
|
|
start_service() {
|
|
prepare_env
|
|
|
|
[ $WAIT_FOR_INTF -eq 1 ] && return
|
|
|
|
procd_open_instance
|
|
|
|
procd_set_param command $PROG --daemon charon --nofork
|
|
|
|
procd_set_param file $IPSEC_CONN_FILE
|
|
procd_append_param file $IPSEC_SECRETS_FILE
|
|
procd_append_param file $STRONGSWAN_CONF_FILE
|
|
procd_append_param file /etc/strongswan.d/*.conf
|
|
procd_append_param file /etc/strongswan.d/charon/*.conf
|
|
|
|
procd_set_param respawn
|
|
|
|
procd_close_instance
|
|
}
|