diff -ruN smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/ipsec.d/ipsec.conf/10Connection smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/ipsec.d/ipsec.conf/10Connection |
2 |
|
|
--- smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/ipsec.d/ipsec.conf/10Connection 2017-01-25 16:19:45.651000000 +0100 |
3 |
|
|
+++ smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/ipsec.d/ipsec.conf/10Connection 2017-01-25 16:20:03.868000104 +0100 |
4 |
|
|
@@ -1,4 +1,3 @@ |
5 |
|
|
-#!/usr/bin/perl -w |
6 |
|
|
|
7 |
|
|
{ |
8 |
|
|
use strict; |
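Review bot: Dropping `#!/usr/bin/perl -w` removes the only warnings switch this fragment declared, and the surviving `use strict;` on the context line has no `use warnings;` partner, so an undefined property interpolated into the generated ipsec.conf now passes silently. The shebang was presumably inert anyway, since e-smith template fragments are expanded rather than executed, so the practical fix is one line: `use warnings;` directly after `use strict;`. The template block these lines open continues past the hunk.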
9 |
|
|
@@ -26,212 +25,220 @@ |
10 |
|
|
|
11 |
|
|
my @connections = $ipsecDB->keys; |
12 |
|
|
|
13 |
|
|
+ $OUT .= "# ipsec.conf\n\n"; |
14 |
|
|
+ |
15 |
|
|
foreach my $ipsecprop (@connections) { |
16 |
|
|
- if ( $ipsecDB->get_prop( $ipsecprop, 'type' ) eq 'ipsec' ) { |
17 |
|
|
|
18 |
|
|
- # first we verify if IPSec is enabled for the connection |
19 |
|
|
+ # first we verify if IPSec is enabled for the connection |
20 |
|
|
|
21 |
|
|
- my $ipsecstatus = $ipsecDB->get_prop( $ipsecprop, 'status' ) || 'disabled'; |
22 |
|
|
+ my $ipsecstatus = $ipsecDB->get_prop( $ipsecprop, 'status' ) || 'disabled'; |
23 |
|
|
|
24 |
|
|
- if ( $ipsecstatus ne 'enabled' ) { |
25 |
|
|
- $OUT .= "# $ipsecprop is disabled\n" |
26 |
|
|
- unless $ipsecstatus eq "enabled"; |
27 |
|
|
- } |
28 |
|
|
- else { |
29 |
|
|
+ if ( $ipsecstatus eq 'enabled' ) { |
30 |
|
|
|
31 |
|
|
- $OUT .= "conn $ipsecprop\n"; |
32 |
|
|
+ $OUT .= "conn $ipsecprop\n"; |
33 |
|
|
+ |
34 |
|
|
+ # These should be from $configDB-> ipsec |
35 |
|
|
|
36 |
|
|
- # These should be from $configDB-> ipsec |
37 |
|
|
+ # Not templated this - maybe later with L2TPD |
38 |
|
|
+ # We currently use a password file but this could be integrated with other authent later |
39 |
|
|
|
40 |
|
|
- # Not templated this - maybe later with L2TPD |
41 |
|
|
- # We currently use a password file but this could be integrated with other authent later |
42 |
|
|
+ # Lazy - assume that it is security (password by default) - options are rsasig|certs |
43 |
|
|
|
44 |
|
|
- # Lazy - assume that it is security (password by default) - option is rsasig |
45 |
|
|
+ # Careful - property 'type' has a special meaning in configDB and returns 'service' |
46 |
|
|
|
47 |
|
|
- # Careful - property 'type' has a special meaning in configDB and returns 'service' |
48 |
|
|
- |
49 |
|
|
- my $connectiontype = $configDB->get_prop( $dbKey, 'connectiontype' ) |
50 |
|
|
- || 'tunnel'; |
51 |
|
|
- $OUT .= " type=$connectiontype\n"; |
52 |
|
|
- |
53 |
|
|
- my $security = $ipsecDB->get_prop( "$ipsecprop", 'security' ) |
54 |
|
|
- || 'secret'; |
55 |
|
|
- my $certname = $ipsecDB->get_prop( "$ipsecprop", 'certname' ) || ''; |
56 |
|
|
- |
57 |
|
|
- if ( $security eq "rsasig" ) { |
58 |
|
|
- $OUT .= " authby=rsasig\n"; |
59 |
|
|
- |
60 |
|
|
- my $leftrsasig = $ipsecDB->get_prop( "$ipsecprop", 'leftrsasig' ) |
61 |
|
|
- || ''; |
62 |
|
|
- $OUT .= " leftrsasigkey=$leftrsasig\n"; |
63 |
|
|
- |
64 |
|
|
- my $rightrsasig = $ipsecDB->get_prop( "$ipsecprop", 'rightrsasig' ) |
65 |
|
|
- || ''; |
66 |
|
|
- $OUT .= " rightrsasigkey=$rightrsasig\n"; |
67 |
|
|
- |
68 |
|
|
- } |
69 |
|
|
- |
70 |
|
|
- # Prep for certs |
71 |
|
|
- # Problem here is that certificate settings are basically the same as rsasig |
72 |
|
|
- # I think we can use a key to identify the type of connection and adjust accordingly |
73 |
|
|
- # elsif ( $security eq "certificate" ) { |
74 |
|
|
- # $OUT .= " authby=rsasig\n"; |
75 |
|
|
- # leftcert=$keyname.$ServerName.$DomainName |
76 |
|
|
- # leftrsasigkey=%cert |
77 |
|
|
- # leftid=leftid |
78 |
|
|
- # leftsendcert=always - maybe not needed |
79 |
|
|
- |
80 |
|
|
- # rightca=%same |
81 |
|
|
- # rightrsasigkey=%cert |
82 |
|
|
- # rightid=%fromcert ? |
83 |
|
|
- |
84 |
|
|
- # $OUT .= " leftid=\"CN=$certname\"\n"; |
85 |
|
|
- # $OUT .= " leftcert=$certname\n"; |
86 |
|
|
- |
87 |
|
|
- # } |
88 |
|
|
- |
89 |
|
|
- else { |
90 |
|
|
- $OUT .= " authby=$security\n"; |
91 |
|
|
- } |
92 |
|
|
- |
93 |
|
|
- # Use connection value if it exists, if not use generic db value |
94 |
|
|
- my $auto = |
95 |
|
|
- $ipsecDB->get_prop( $ipsecprop, 'auto' ) |
96 |
|
|
- || $configDB->get_prop( $dbKey, 'auto' ) |
97 |
|
|
- || 'start'; |
98 |
|
|
- |
99 |
|
|
- # If we are a static host to a dynamic client we are always add |
100 |
|
|
- my $iptype = $ipsecDB->get_prop( $ipsecprop, 'iptype' ) || ''; |
101 |
|
|
- |
102 |
|
|
- if ( $iptype eq 'stattodyn' ) { |
103 |
|
|
- $OUT .= " auto=add\n"; |
104 |
|
|
- } |
105 |
|
|
- else { |
106 |
|
|
- $OUT .= " auto=$auto\n"; |
107 |
|
|
- } |
108 |
|
|
- |
109 |
|
|
- # We should change ipsecversion to ikev2status |
110 |
|
|
- my $ipsecversion = |
111 |
|
|
- $ipsecDB->get_prop( $ipsecprop, 'ipsecversion' ) |
112 |
|
|
- || $configDB->get_prop( $dbKey, 'ipsecversion' ) |
113 |
|
|
- || 'permit'; |
114 |
|
|
- |
115 |
|
|
- $OUT .= " ikev2=$ipsecversion\n"; |
116 |
|
|
- |
117 |
|
|
- # Set the Phase one and Phase two default strengths - these are set to aes |
118 |
|
|
- my $ike = |
119 |
|
|
- $ipsecDB->get_prop( $ipsecprop, 'ike' ) |
120 |
|
|
- || $configDB->get_prop( $dbKey, 'ike' ) |
121 |
|
|
- || 'aes-sha1'; |
122 |
|
|
- $OUT .= " ike=$ike\n"; |
123 |
|
|
- |
124 |
|
|
- my $phase2 = |
125 |
|
|
- $ipsecDB->get_prop( $ipsecprop, 'phase2' ) |
126 |
|
|
- || $configDB->get_prop( $dbKey, 'phase2' ) |
127 |
|
|
- || 'aes-sha1'; |
128 |
|
|
- $OUT .= " phase2alg=$phase2\n"; |
129 |
|
|
+ my $connectiontype = $configDB->get_prop( $dbKey, 'connectiontype' ) |
130 |
|
|
+ || 'tunnel'; |
131 |
|
|
+ $OUT .= " type=$connectiontype\n"; |
132 |
|
|
|
133 |
|
|
- # mtu can only be set per connection |
134 |
|
|
- my $mtu = $ipsecDB->get_prop( $ipsecprop, 'mtu' ) |
135 |
|
|
- || ''; |
136 |
|
|
- unless ( $mtu eq '' ) { |
137 |
|
|
- $OUT .= " mtu=$mtu\n"; |
138 |
|
|
- } |
139 |
|
|
- |
140 |
|
|
- # These should be from $configDB-> ipsec unless they exist in ipsec_connections |
141 |
|
|
- |
142 |
|
|
- my $keyingtries = |
143 |
|
|
- $ipsecDB->get_prop( $ipsecprop, 'keyingtries' ) |
144 |
|
|
- || $configDB->get_prop( $dbKey, 'keyingtries' ) |
145 |
|
|
- || '0'; |
146 |
|
|
- $OUT .= " keyingtries=$keyingtries\n"; |
147 |
|
|
- |
148 |
|
|
- # Following come from ipsecDB or configDB or hardcoded |
149 |
|
|
- my $ikelifetime = |
150 |
|
|
- $ipsecDB->get_prop( $ipsecprop, 'ikelifetime' ) |
151 |
|
|
- || $configDB->get_prop( $dbKey, 'ikelifetime' ) |
152 |
|
|
- || '3600s'; |
153 |
|
|
- $OUT .= " ikelifetime=$ikelifetime\n"; |
154 |
|
|
- |
155 |
|
|
- my $salifetime = |
156 |
|
|
- $ipsecDB->get_prop( $ipsecprop, 'salifetime' ) |
157 |
|
|
- || $configDB->get_prop( $dbKey, 'salifetime' ) |
158 |
|
|
- || '28800s'; |
159 |
|
|
- $OUT .= " salifetime=$salifetime\n"; |
160 |
|
|
- |
161 |
|
|
- # Add is for incoming and is better that server dpd is ignored |
162 |
|
|
- # Disabled for now |
163 |
|
|
- |
164 |
|
|
- # if ( $auto ne 'add' ) { |
165 |
|
|
- my $dpdaction = |
166 |
|
|
- $ipsecDB->get_prop( $ipsecprop, 'dpdaction' ) |
167 |
|
|
- || $configDB->get_prop( $dbKey, 'dpdaction' ) |
168 |
|
|
- || 'restart'; |
169 |
|
|
- $OUT .= " dpdaction=$dpdaction\n"; |
170 |
|
|
- |
171 |
|
|
- my $dpddelay = |
172 |
|
|
- $ipsecDB->get_prop( $ipsecprop, 'dpddelay' ) |
173 |
|
|
- || $configDB->get_prop( $dbKey, 'dpddelay' ) |
174 |
|
|
- || '30'; |
175 |
|
|
- $OUT .= " dpddelay=$dpddelay\n"; |
176 |
|
|
- |
177 |
|
|
- my $dpdtimeout = |
178 |
|
|
- $ipsecDB->get_prop( $ipsecprop, 'dpdtimeout' ) |
179 |
|
|
- || $configDB->get_prop( $dbKey, 'dpdtimeout' ) |
180 |
|
|
- || '10'; |
181 |
|
|
- $OUT .= " dpdtimeout=$dpdtimeout\n"; |
182 |
|
|
- |
183 |
|
|
- # } |
184 |
|
|
- |
185 |
|
|
- # default to yes unless overridden in the connection db |
186 |
|
|
- my $pfs = $ipsecDB->get_prop( $ipsecprop, 'pfs' ) || 'yes'; |
187 |
|
|
- $OUT .= " pfs=$pfs\n"; |
188 |
|
|
- |
189 |
|
|
- # Following come from ipsecDB or configDB or hardcoded |
190 |
|
|
- my $left = |
191 |
|
|
- $ipsecDB->get_prop( $ipsecprop, 'left' ) |
192 |
|
|
- || $configDB->get_prop( $dbKey, 'left' ) |
193 |
|
|
- || '%defaultroute'; |
194 |
|
|
- $OUT .= " left=$left\n"; |
195 |
|
|
- |
196 |
|
|
- # These ONLY come from the ipsec_configurations db |
197 |
|
|
- if ( ( my $leftid = $ipsecDB->get_prop( "$ipsecprop", 'leftid' ) || '' ) ne '' ) { |
198 |
|
|
- $OUT .= " leftid=\@$leftid\n"; |
199 |
|
|
- } |
200 |
|
|
- my $leftsourceip = $ipsecDB->get_prop( $ipsecprop, 'leftsourceip' ) |
201 |
|
|
+ my $security = $ipsecDB->get_prop( $ipsecprop, 'security' ) |
202 |
|
|
+ || 'secret'; |
203 |
|
|
+ |
204 |
|
|
+ # my $certname = $ipsecDB->get_prop( "$ipsecprop", 'certname' ) || ''; ???? Is this required ? |
205 |
|
|
+ |
206 |
|
|
+ if ( $security eq 'rsasig' ) { |
207 |
|
|
+ $OUT .= " authby=rsasig\n"; |
208 |
|
|
+ |
209 |
|
|
+ my $leftrsasig = $ipsecDB->get_prop( $ipsecprop, 'leftrsasig' ) |
210 |
|
|
|| ''; |
211 |
|
|
- $OUT .= " leftsourceip=$leftsourceip\n"; |
212 |
|
|
+ $OUT .= " leftrsasigkey=$leftrsasig\n"; |
213 |
|
|
|
214 |
|
|
- my $leftsub = $ipsecDB->get_prop( $ipsecprop, 'leftsubnet' ) |
215 |
|
|
+ my $rightrsasig = $ipsecDB->get_prop( $ipsecprop, 'rightrsasig' ) |
216 |
|
|
|| ''; |
217 |
|
|
- $OUT .= " leftsubnet=$leftsub\n"; |
218 |
|
|
+ $OUT .= " rightrsasigkey=$rightrsasig\n"; |
219 |
|
|
+ |
220 |
|
|
+ } |
221 |
|
|
|
222 |
|
|
- # If we are a static host to a dynamic client we HAVE to set right %any |
223 |
|
|
+ elsif ( $security eq 'certs' ) { |
224 |
|
|
|
225 |
|
|
- my $right = $ipsecDB->get_prop( $ipsecprop, 'right' ) || ''; |
226 |
|
|
+ $OUT .= " authby=rsasig\n"; |
227 |
|
|
|
228 |
|
|
- if ( $iptype eq 'stattodyn' ) { |
229 |
|
|
- $OUT .= " right=%any\n"; |
230 |
|
|
- } |
231 |
|
|
- else { |
232 |
|
|
- $OUT .= " right=$right\n"; |
233 |
|
|
- } |
234 |
|
|
+ my $leftrsasig = $ipsecDB->get_prop( $ipsecprop, 'leftrsasig' ) |
235 |
|
|
+ || '%cert'; |
236 |
|
|
+ $OUT .= " leftrsasigkey=$leftrsasig\n"; |
237 |
|
|
|
238 |
|
|
- if ( ( my $rightid = $ipsecDB->get_prop( "$ipsecprop", 'rightid' ) || '' ) ne '' ) { |
239 |
|
|
- $OUT .= " rightid=\@$rightid\n"; |
240 |
|
|
- } |
241 |
|
|
+ my $rightrsasig = $ipsecDB->get_prop( $ipsecprop, 'rightrsasig' ) |
242 |
|
|
+ || '%cert'; |
243 |
|
|
+ $OUT .= " rightrsasigkey=$rightrsasig\n"; |
244 |
|
|
|
245 |
|
|
- my $rightsubnet = $ipsecDB->get_prop( $ipsecprop, 'rightsubnet' ) || ''; |
246 |
|
|
- $OUT .= " rightsubnet=$rightsubnet\n"; |
247 |
|
|
+ my $leftcert = $ipsecDB->get_prop( $ipsecprop, 'leftcert' ) |
248 |
|
|
+ || '"LeftCertName"'; |
249 |
|
|
+ $OUT .= " leftcert=\"$leftcert\"\n"; |
250 |
|
|
+ |
251 |
|
|
+ my $rightcert = $ipsecDB->get_prop( $ipsecprop, 'rightcert' ) |
252 |
|
|
+ || '"RightCertName"'; |
253 |
|
|
+ $OUT .= " rightcert=\"$rightcert\"\n"; |
254 |
|
|
|
255 |
|
|
} |
256 |
|
|
- } |
257 |
|
|
|
258 |
|
|
- } |
259 |
|
|
+ else { |
260 |
|
|
+ $OUT .= " authby=$security\n"; |
261 |
|
|
+ } |
262 |
|
|
|
263 |
|
|
- # End For |
264 |
|
|
- } |
265 |
|
|
+ # Use connection value if it exists, if not use generic db value |
266 |
|
|
+ my $auto = |
267 |
|
|
+ $ipsecDB->get_prop( $ipsecprop, 'auto' ) |
268 |
|
|
+ || $configDB->get_prop( $dbKey, 'auto' ) |
269 |
|
|
+ || 'start'; |
270 |
|
|
+ |
271 |
|
|
+ # If we are a static host to a dynamic client we are always add |
272 |
|
|
+ my $iptype = $ipsecDB->get_prop( $ipsecprop, 'iptype' ) || ''; |
273 |
|
|
+ |
274 |
|
|
+ if ( $iptype eq 'stattodyn' ) { |
275 |
|
|
+ $OUT .= " auto=add\n"; |
276 |
|
|
+ } |
277 |
|
|
+ else { |
278 |
|
|
+ $OUT .= " auto=$auto\n"; |
279 |
|
|
+ } |
280 |
|
|
|
281 |
|
|
- # End Else |
282 |
|
|
+ # We should change ipsecversion to ikev2status |
283 |
|
|
+ my $ipsecversion = |
284 |
|
|
+ $ipsecDB->get_prop( $ipsecprop, 'ipsecversion' ) |
285 |
|
|
+ || $configDB->get_prop( $dbKey, 'ipsecversion' ) |
286 |
|
|
+ || 'permit'; |
287 |
|
|
+ |
288 |
|
|
+ $OUT .= " ikev2=$ipsecversion\n"; |
289 |
|
|
+ |
290 |
|
|
+ # Set the Phase one and Phase two default strengths - these are set to aes |
291 |
|
|
+ my $ike = |
292 |
|
|
+ $ipsecDB->get_prop( $ipsecprop, 'ike' ) |
293 |
|
|
+ || $configDB->get_prop( $dbKey, 'ike' ) |
294 |
|
|
+ || 'aes-sha1'; |
295 |
|
|
+ $OUT .= " ike=$ike\n"; |
296 |
|
|
+ |
297 |
|
|
+ my $phase2 = |
298 |
|
|
+ $ipsecDB->get_prop( $ipsecprop, 'phase2' ) |
299 |
|
|
+ || $configDB->get_prop( $dbKey, 'phase2' ) |
300 |
|
|
+ || 'aes-sha1'; |
301 |
|
|
+ $OUT .= " phase2alg=$phase2\n"; |
302 |
|
|
+ |
303 |
|
|
+ # mtu can only be set per connection |
304 |
|
|
+ my $mtu = $ipsecDB->get_prop( $ipsecprop, 'mtu' ) |
305 |
|
|
+ || ''; |
306 |
|
|
+ |
307 |
|
|
+ unless ( $mtu eq '' ) { |
308 |
|
|
+ $OUT .= " mtu=$mtu\n"; |
309 |
|
|
+ } |
310 |
|
|
|
311 |
|
|
+ # These should be from $configDB-> ipsec unless they exist in ipsec_connections |
312 |
|
|
+ |
313 |
|
|
+ my $keyingtries = |
314 |
|
|
+ $ipsecDB->get_prop( $ipsecprop, 'keyingtries' ) |
315 |
|
|
+ || $configDB->get_prop( $dbKey, 'keyingtries' ) |
316 |
|
|
+ || '0'; |
317 |
|
|
+ $OUT .= " keyingtries=$keyingtries\n"; |
318 |
|
|
+ |
319 |
|
|
+ # Following come from ipsecDB or configDB or hardcoded |
320 |
|
|
+ my $ikelifetime = |
321 |
|
|
+ $ipsecDB->get_prop( $ipsecprop, 'ikelifetime' ) |
322 |
|
|
+ || $configDB->get_prop( $dbKey, 'ikelifetime' ) |
323 |
|
|
+ || '3600s'; |
324 |
|
|
+ $OUT .= " ikelifetime=$ikelifetime\n"; |
325 |
|
|
+ |
326 |
|
|
+ my $salifetime = |
327 |
|
|
+ $ipsecDB->get_prop( $ipsecprop, 'salifetime' ) |
328 |
|
|
+ || $configDB->get_prop( $dbKey, 'salifetime' ) |
329 |
|
|
+ || '28800s'; |
330 |
|
|
+ $OUT .= " salifetime=$salifetime\n"; |
331 |
|
|
+ |
332 |
|
|
+ # Add is for incoming and is better that server dpd is ignored |
333 |
|
|
+ # Disabled for now |
334 |
|
|
+ |
335 |
|
|
+ # if ( $auto ne 'add' ) {} |
336 |
|
|
+ my $dpdaction = |
337 |
|
|
+ $ipsecDB->get_prop( $ipsecprop, 'dpdaction' ) |
338 |
|
|
+ || $configDB->get_prop( $dbKey, 'dpdaction' ) |
339 |
|
|
+ || 'restart'; |
340 |
|
|
+ $OUT .= " dpdaction=$dpdaction\n"; |
341 |
|
|
+ |
342 |
|
|
+ my $dpddelay = |
343 |
|
|
+ $ipsecDB->get_prop( $ipsecprop, 'dpddelay' ) |
344 |
|
|
+ || $configDB->get_prop( $dbKey, 'dpddelay' ) |
345 |
|
|
+ || '30'; |
346 |
|
|
+ $OUT .= " dpddelay=$dpddelay\n"; |
347 |
|
|
+ |
348 |
|
|
+ my $dpdtimeout = |
349 |
|
|
+ $ipsecDB->get_prop( $ipsecprop, 'dpdtimeout' ) |
350 |
|
|
+ || $configDB->get_prop( $dbKey, 'dpdtimeout' ) |
351 |
|
|
+ || '10'; |
352 |
|
|
+ $OUT .= " dpdtimeout=$dpdtimeout\n"; |
353 |
|
|
+ |
354 |
|
|
+ # default to yes unless overridden in the connection db |
355 |
|
|
+ my $pfs = $ipsecDB->get_prop( $ipsecprop, 'pfs' ) || 'yes'; |
356 |
|
|
+ $OUT .= " pfs=$pfs\n"; |
357 |
|
|
+ |
358 |
|
|
+ # Following come from ipsecDB or configDB or hardcoded |
359 |
|
|
+ my $left = |
360 |
|
|
+ $ipsecDB->get_prop( $ipsecprop, 'left' ) |
361 |
|
|
+ || $configDB->get_prop( $dbKey, 'left' ) |
362 |
|
|
+ || '%defaultroute'; |
363 |
|
|
+ $OUT .= " left=$left\n"; |
364 |
|
|
+ |
365 |
|
|
+ if ( $security eq 'certs' ) { |
366 |
|
|
+ my $leftid = ( $ipsecDB->get_prop( $ipsecprop, 'leftid' ) || '%fromcert' ); |
367 |
|
|
+ $OUT .= " leftid=$leftid\n"; |
368 |
|
|
+ } |
369 |
|
|
+ |
370 |
|
|
+ # These ONLY come from the ipsec_configurations db |
371 |
|
|
+ elsif ( ( my $leftid = $ipsecDB->get_prop( $ipsecprop, 'leftid' ) || '' ) ne '' ) { |
372 |
|
|
+ $OUT .= " leftid=\@$leftid\n"; |
373 |
|
|
+ } |
374 |
|
|
+ |
375 |
|
|
+ my $leftsourceip = $ipsecDB->get_prop( $ipsecprop, 'leftsourceip' ) |
376 |
|
|
+ || ''; |
377 |
|
|
+ $OUT .= " leftsourceip=$leftsourceip\n"; |
378 |
|
|
+ |
379 |
|
|
+ my $leftsub = $ipsecDB->get_prop( $ipsecprop, 'leftsubnet' ) |
380 |
|
|
+ || ''; |
381 |
|
|
+ $OUT .= " leftsubnet=$leftsub\n"; |
382 |
|
|
+ |
383 |
|
|
+ # If we are a static host to a dynamic client we HAVE to set right %any |
384 |
|
|
+ |
385 |
|
|
+ my $right = $ipsecDB->get_prop( $ipsecprop, 'right' ) || ''; |
386 |
|
|
+ |
387 |
|
|
+ if ( $iptype eq 'stattodyn' ) { |
388 |
|
|
+ $OUT .= " right=%any\n"; |
389 |
|
|
+ } |
390 |
|
|
+ else { |
391 |
|
|
+ $OUT .= " right=$right\n"; |
392 |
|
|
+ } |
393 |
|
|
+ |
394 |
|
|
+ if ( $security eq 'certs' ) { |
395 |
|
|
+ my $rightid = ( $ipsecDB->get_prop( $ipsecprop, 'rightid' ) || '%fromcert' ); |
396 |
|
|
+ $OUT .= " rightid=$rightid\n"; |
397 |
|
|
+ } |
398 |
|
|
+ |
399 |
|
|
+ elsif ( ( my $rightid = $ipsecDB->get_prop( $ipsecprop, 'rightid' ) || '' ) ne '' ) { |
400 |
|
|
+ $OUT .= " rightid=\@$rightid\n"; |
401 |
|
|
+ } |
402 |
|
|
+ |
403 |
|
|
+ my $rightsubnet = $ipsecDB->get_prop( $ipsecprop, 'rightsubnet' ) || ''; |
404 |
|
|
+ $OUT .= " rightsubnet=$rightsubnet\n"; |
405 |
|
|
+ |
406 |
|
|
+ } # End If |
407 |
|
|
+ else { |
408 |
|
|
+ $OUT .= "# conn $ipsecprop disabled\n"; |
409 |
|
|
+ } |
410 |
|
|
+ } # End foreach |
411 |
|
|
+ } # End else |
412 |
|
|
} |
413 |
|
|
+ |
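Review bot: In the new `certs` branch the fallbacks `'"LeftCertName"'` and `'"RightCertName"'` already contain quotes and are then wrapped again by `leftcert=\"$leftcert\"`, so an enabled connection with no `leftcert` property emits `leftcert=""LeftCertName""` — a malformed line naming a placeholder certificate — instead of failing visibly. Defaulting to `''`, writing a comment when the local cert is unset and omitting `rightcert` when it is unset (the peer's certificate arrives in IKE via `rightrsasigkey=%cert`) keeps the file loadable; consider also emitting a `rightca` so that a peer presenting any certificate trusted in the NSS database is not accepted, though I have not confirmed libreswan's default when it is absent. Separately, the `ike`/`phase2alg` defaults of `aes-sha1` reproduced here keep integrity on SHA-1 and leave the DH group to the daemon default; `aes256-sha2_256;modp2048` would be a safer baseline if all peers support it. The `foreach`/`if` structure rewritten here is closed at the end of the hunk, but the enclosing template block begins before it.
```perl
            # … unchanged: authby=rsasig and left/rightrsasigkey=%cert lines …
            my $leftcert  = $ipsecDB->get_prop( $ipsecprop, 'leftcert' )  || '';
            my $rightcert = $ipsecDB->get_prop( $ipsecprop, 'rightcert' ) || '';
            if ( $leftcert eq '' ) {
                $OUT .= "# ERROR: $ipsecprop has security=certs but no leftcert - connection will not load\n";
            }
            else {
                $OUT .= " leftcert=\"$leftcert\"\n";
            }
            # rightcert is optional: the peer's certificate is received during IKE
            $OUT .= " rightcert=\"$rightcert\"\n" unless $rightcert eq '';
```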
414 |
|
|
diff -ruN smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/ipsec.d/ipsec.secrets/10Passwords smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/ipsec.d/ipsec.secrets/10Passwords |
415 |
|
|
--- smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/ipsec.d/ipsec.secrets/10Passwords 2017-01-25 16:19:45.652000000 +0100 |
416 |
|
|
+++ smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/ipsec.d/ipsec.secrets/10Passwords 2017-01-25 16:20:03.867000123 +0100 |
417 |
|
|
@@ -1,4 +1,3 @@ |
418 |
|
|
-#!/usr/bin/perl -w |
419 |
|
|
|
420 |
|
|
{ |
421 |
|
|
use strict; |
422 |
|
|
@@ -22,31 +21,32 @@ |
423 |
|
|
my $ipsecDB = esmith::ConfigDB->open_ro('ipsec_connections') |
424 |
|
|
or die("cant connect to ipsec database"); |
425 |
|
|
|
426 |
|
|
- my $ExternalIP = $configDB->get_prop( "ExternalInterface", "IPAddress" ); |
427 |
|
|
- |
428 |
|
|
# This should get all the connections in an array |
429 |
|
|
|
430 |
|
|
my @connections = $ipsecDB->keys; |
431 |
|
|
|
432 |
|
|
- $OUT .= "# ipsec.secrets\n"; |
433 |
|
|
- |
434 |
|
|
+ $OUT .= "# ipsec.secrets\n\n"; |
435 |
|
|
+ |
436 |
|
|
+ my $ExternalIP = $configDB->get_prop( "ExternalInterface", "IPAddress" ); |
437 |
|
|
+ |
438 |
|
|
foreach my $ipsecprop (@connections) { |
439 |
|
|
|
440 |
|
|
# first we verify if IPSec is enabled for the connection |
441 |
|
|
|
442 |
|
|
- my $ipsecstatus = $ipsecDB->get_prop( "$ipsecprop", 'status' ) |
443 |
|
|
+ my $ipsecstatus = $ipsecDB->get_prop( $ipsecprop, 'status' ) |
444 |
|
|
|| "disabled"; |
445 |
|
|
|
446 |
|
|
if ( $ipsecstatus eq "enabled" ) { |
447 |
|
|
- my $right = $ipsecDB->get_prop( "$ipsecprop", 'right' ) || ''; |
448 |
|
|
+ |
449 |
|
|
+ my $right = $ipsecDB->get_prop( $ipsecprop, 'right' ) || ''; |
450 |
|
|
|
451 |
|
|
# Hmm..... if left is not set it defaults to %defaultroute which we don't want here |
452 |
|
|
|
453 |
|
|
- my $left = $ipsecDB->get_prop( "$ipsecprop", 'left' ) || $ExternalIP; |
454 |
|
|
- my $security = $ipsecDB->get_prop( "$ipsecprop", 'security' ) || 'secret'; |
455 |
|
|
- my $iptype = $ipsecDB->get_prop( "$ipsecprop", 'iptype' ) || ''; |
456 |
|
|
- my $certname = $ipsecDB->get_prop( "$ipsecprop", 'certname' ) || ''; |
457 |
|
|
- my $passwd = $ipsecDB->get_prop( "$ipsecprop", 'passwd' ) || ''; |
458 |
|
|
+ my $left = $ipsecDB->get_prop( $ipsecprop, 'left' ) || $ExternalIP; |
459 |
|
|
+ my $security = $ipsecDB->get_prop( $ipsecprop, 'security' ) || 'secret'; |
460 |
|
|
+ my $iptype = $ipsecDB->get_prop( $ipsecprop, 'iptype' ) || ''; |
461 |
|
|
+ my $certname = $ipsecDB->get_prop( $ipsecprop, 'certname' ) || ''; |
462 |
|
|
+ my $passwd = $ipsecDB->get_prop( $ipsecprop, 'passwd' ) || ''; |
463 |
|
|
|
464 |
|
|
# Double quote is not allowed in configuration |
465 |
|
|
if ( $passwd =~ /"/ ) { |
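Review bot: The sanity check on the last line of the hunk rejects only a `"` in the PSK, yet the secret is interpolated into a line-oriented secrets file, so a newline or carriage return in the `passwd` property would end the entry early and let the remainder be parsed as a further secrets line; widen it to `if ( $passwd =~ /["\r\n]/ ) {`. The body of that `if` and the branch that writes the PSK are outside the hunk, as is the enclosing template block, so I have not verified what happens on a match. Also `$certname` is still read here but nothing in the new `certs` branch uses it — drop it or comment why it is kept.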
466 |
|
|
@@ -55,15 +55,19 @@ |
467 |
|
|
|
468 |
|
|
$OUT .= "# $ipsecprop is enabled\n"; |
469 |
|
|
|
470 |
|
|
- if ( $security eq "secret" ) { |
471 |
|
|
+ if ( $security eq 'certs' ) { |
472 |
|
|
+ $OUT .= "# Certificates enabled for $ipsecprop - no settings required\n"; |
473 |
|
|
+ } |
474 |
|
|
+ |
475 |
|
|
+ elsif ( $security eq 'secret' ) { |
476 |
|
|
|
477 |
|
|
# If dynamic it must be %any here |
478 |
|
|
# If not it can be ExternalIP if left not set |
479 |
|
|
|
480 |
|
|
# IF we have IDs then use them in preference to %any |
481 |
|
|
|
482 |
|
|
- my $leftid = $ipsecDB->get_prop( "$ipsecprop", 'leftid' ) || ''; |
483 |
|
|
- my $rightid = $ipsecDB->get_prop( "$ipsecprop", 'rightid' ) || ''; |
484 |
|
|
+ my $leftid = $ipsecDB->get_prop( $ipsecprop, 'leftid' ) || ''; |
485 |
|
|
+ my $rightid = $ipsecDB->get_prop( $ipsecprop, 'rightid' ) || ''; |
486 |
|
|
|
487 |
|
|
if ( $iptype eq 'stattodyn' ) { |
488 |
|
|
if ( ( $leftid eq '' ) && ( $rightid eq '' ) ) { |
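Review bot: The new `certs` branch writes a comment asserting that no secrets are required, but whether libreswan locates the private key for `leftcert` without a `: RSA "nickname"` entry in ipsec.secrets depends on the release in use and on the key residing in the NSS database; confirm against the target version and, if needed, emit `: RSA "$certname"` here, since `$certname` is already read in the previous hunk. Either way the comment should state the assumption rather than "no settings required": `# Certificates enabled for $ipsecprop - private key is expected in the NSS database, no PSK written`. The `if ( $iptype eq 'stattodyn' )` block at the end of the hunk continues outside it.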
489 |
|
|
@@ -101,7 +105,7 @@ |
490 |
|
|
$OUT .= "# $ipsecprop is disabled\n"; |
491 |
|
|
$OUT .= "\n"; |
492 |
|
|
} |
493 |
|
|
- $OUT .= "\n\n"; |
494 |
|
|
+ $OUT .= "\n"; |
495 |
|
|
} |
496 |
|
|
} |
497 |
|
|
} |