/[smecontribs]/rpms/smeserver-libreswan/contribs10/smeserver-libreswan-forceencaps-l2tpd.patch
ViewVC logotype

Contents of /rpms/smeserver-libreswan/contribs10/smeserver-libreswan-forceencaps-l2tpd.patch

Parent Directory Parent Directory | Revision Log Revision Log | View Revision Graph Revision Graph


Revision 1.1 - (show annotations) (download)
Mon Feb 22 16:03:33 2021 UTC (3 years, 8 months ago) by brianr
Branch: MAIN
CVS Tags: smeserver-libreswan-0_5-36_el7_sme, smeserver-libreswan-0_5-35_el7_sme, HEAD
Initial import

1 diff -ruN smeserver-libreswan-0.5.old/root/etc/e-smith/events/actions/ipsec-update smeserver-libreswan-0.5/root/etc/e-smith/events/actions/ipsec-update
2 --- smeserver-libreswan-0.5.old/root/etc/e-smith/events/actions/ipsec-update 2017-06-15 00:33:57.103000044 +0200
3 +++ smeserver-libreswan-0.5/root/etc/e-smith/events/actions/ipsec-update 2017-06-15 00:34:07.806999374 +0200
4 @@ -21,70 +21,84 @@
5 # Note that we do not need to use the init ipsec script - we can start and
6 # stop directly using /usr/sbin/ipsec which will call the init script
7
8 +# Probably ought to check somewhere that the status of services is public
9 +# But if it is private then you have to re-expand masq someplace
10 +
11 use strict;
12 use warnings;
13 use esmith::ConfigDB;
14
15 my $configDB = esmith::ConfigDB->open or die("can't open Config DB");
16 my $ipsecDB = esmith::ConfigDB->open('ipsec_connections')
17 - or die("Ipsec Error - cant connect to ipsec database");
18 + or die("Ipsec Error - cant connect to ipsec database");
19
20 -my $dbKey = 'ipsec';
21 +my $ipsecDBkey = 'ipsec';
22 +my $xl2tpdDBkey = 'xl2tpd';
23 +my $xl2tpdipsecprop = "L2TPD-PSK";
24
25 # Check on access status - we'll use this later
26 # If status goes to disabled we should set this private
27
28 -my $ipsec_access = $configDB->get_prop( $dbKey, 'access' ) || 'private';
29 +my $ipsec_access = $configDB->get_prop( $ipsecDBkey, 'access' ) || 'private';
30 print "Ipsec Information - IpsecAccessState: $ipsec_access\n";
31
32 # If the service is set disabled then make sure it is stopped
33 # Note that ipsec is not a service so we cannot use the normal service commands
34
35 -if ( $configDB->get_prop( $dbKey, 'status' ) eq 'disabled' ) {
36 +if ( $configDB->get_prop( $ipsecDBkey, 'status' ) eq 'disabled' ) {
37 +
38 + # Always reset redirects on stop
39 + print "Ipsec Information - reset redirects";
40 + resetRedirects();
41 +
42 + # Sort out xl2tpd - if ipsec is disabled it has to be stopped
43 +
44 + print "Xl2tpd Information - ipsec is disabled - Stopping xl2tpd \n";
45 + my $myStopXl2tpd = qx(/etc/rc.d/init.d/xl2tpd stop) || die("xl2tpd Error - Unable to launch xl2tpd stop : $!\n");
46 +
47 + if ( not defined $myStopXl2tpd ) {
48 + die("Ipsec Error - Unable to stop xl2tpd( error code $?)\n") if $?;
49 + }
50
51 # Do we check if it is already stopped ?
52 # For now we stop it regardless
53
54 print "Ipsec Information - ipsec disabled - Stopping ipsec \n";
55 + my $myStopConnection = qx(/etc/rc.d/init.d/ipsec stop) || die("Ipsec Error - Unable to launch ipsec stop : $!\n");
56
57 - # First set ipsec access to private which disables firewall rule
58 - # Is this the correct syntax - what about die ?
59 - # This is problematic as masq templates are already expanded and may be wrong
60 -
61 - # Make sure access = private
62 - # No point in this unless we expand the masq template again
63 -
64 - #unless ( $ipsec_access eq 'private' ) {
65 - # $configDB->set_prop( $dbKey, 'access', 'private' );
66 - #}
67 + if ( not defined $myStopConnection ) {
68 + die("Ipsec Error - Unable to stop ipsec( error code $?)\n") if $?;
69 + }
70
71 - my $myStopConnection = qx(/etc/rc.d/init.d/ipsec stop);
72 - die("Ipsec Error - Unable to launch ipsec stop : $!\n")
73 + exit 0;
74 +}
75
76 - if not defined $myStopConnection;
77 - die("Ipsec Error - Unable to stop ipsec( error code $?)\n") if $?;
78 +# If the ipsec service is set to enabled AND running (then check the connections)
79
80 - print "Ipsec Information - reset redirects";
81 - resetRedirects();
82 +if ( $configDB->get_prop( $ipsecDBkey, 'status' ) eq 'enabled' ) {
83
84 - exit 0;
85 -}
86 + # Sort out xl2tpd - if ipsec is enabled, AND xl2tpd then see if it is started
87 + if ( $configDB->get_prop( $xl2tpdDBkey, 'status' ) eq 'enabled' ) {
88 + my $xl2tpdstatus = (`ps ax | grep -v grep | grep xl2tpd`);
89
90 -# If the service is set to enabled AND running (then check the connections)
91 + #If the service is not running then start it
92 + unless ( $xl2tpdstatus =~ m/_xl2tpd/ ) {
93
94 -if ( $configDB->get_prop( $dbKey, 'status' ) eq 'enabled' ) {
95 + print "Xl2tpd Information - xl2tpd enabled but stopped - starting xl2tpd \n";
96 + my $myStartXl2tpd = qx(/etc/rc.d/init.d/xl2tpd start)
97 + || die("xl2tpd Error - Unable to launch xl2tpd start : $!\n");
98
99 - # Make sure access = public
100 - # No point in this unless we expand the masq template again
101 -
102 - #unless ( $ipsec_access eq 'public' ) {
103 - # $configDB->set_prop( $dbKey, 'access', 'public' );
104 - #}
105 + if ( not defined $myStartXl2tpd ) {
106 + die("Ipsec Error - Unable to stop xl2tpd( error code $?)\n") if $?;
107 + }
108 +
109 + }
110 + }
111
112 my $status = (`ps ax | grep -v grep | grep pluto`);
113
114 - #If the service is running
115 - if ( $status =~ m/_plutorun/ ) {
116 + # If the ipsec service is running
117 + if ( $status =~ m/_plutorun/ ) {
118
119 # Lets do some stuff
120 print "Ipsec Information - ipsec is running !\n";
121 @@ -99,7 +113,7 @@
122
123 #Check the individual connection status
124 my $ipsecstatus = $ipsecDB->get_prop( "$ipsecprop", 'status' )
125 - || "disabled";
126 + || "disabled";
127
128 # What type of connection are we ?
129 my $connection = $ipsecDB->get_prop( "$ipsecprop", 'auto' ) || '';
130 @@ -120,13 +134,13 @@
131 my $reread = qx(/usr/sbin/ipsec auto --rereadsecrets);
132
133 die("Ipsec Error - Unable launch ipsec reread secrets : $!\n")
134 - if not defined $reread;
135 + if not defined $reread;
136 die("Ipsec Error - Unable to reread ipsec secrets ( error code $?)\n")
137 - if $?;
138 + if $?;
139
140 # If we are enabled
141 - if ( ( $previpsecstatus eq "enabled" )
142 - && ( $ipsecstatus eq "enabled" ) ) {
143 + if ( ( $previpsecstatus eq "enabled" )
144 + && ( $ipsecstatus eq "enabled" ) ) {
145
146 # Restart
147 print "Ipsec Information - Restarting connection - $ipsecprop\n";
148 @@ -152,20 +166,20 @@
149 }
150
151 # If status is disabled then stop it
152 - elsif ( ( $previpsecstatus eq "disabled" )
153 - && ( $ipsecstatus eq "disabled" ) ) {
154 + elsif (( $previpsecstatus eq "disabled" )
155 + && ( $ipsecstatus eq "disabled" ) ) {
156
157 # Stop
158 print "Ipsec Information - Stop connection - $ipsecprop\n";
159 stopConnection($ipsecprop);
160
161 # Set Previous status
162 - changeState( $dbKey, $ipsecstatus );
163 + changeState( $ipsecDBkey, $ipsecstatus );
164 }
165
166 # If status was disabled and now enabled then start it
167 - elsif ( ( $previpsecstatus eq "disabled" )
168 - && ( $ipsecstatus eq "enabled" ) ) {
169 + elsif (( $previpsecstatus eq "disabled" )
170 + && ( $ipsecstatus eq "enabled" ) ) {
171
172 # Start
173 print "Enabling connection $ipsecprop\n";
174 @@ -192,8 +206,8 @@
175 }
176
177 # If status was enabled and now disabled then stop it
178 - elsif ( ( $previpsecstatus eq "enabled" )
179 - && ( $ipsecstatus eq "disabled" ) ) {
180 + elsif (( $previpsecstatus eq "enabled" )
181 + && ( $ipsecstatus eq "disabled" ) ) {
182
183 # Stop and remove - do we need to ?
184 print "Ipsec Information - Stopping connection $ipsecprop\n ";
185 @@ -220,13 +234,13 @@
186
187 # Make sure access = public
188 unless ( $ipsec_access eq 'public' ) {
189 - $configDB->set_prop( $dbKey, 'access', 'public' );
190 + $configDB->set_prop( $ipsecDBkey, 'access', 'public' );
191 }
192
193 print "Ipsec Information - ipsec enabled - Starting ipsec\n ";
194 my $myStartConnection = qx(/etc/rc.d/init.d/ipsec start);
195 die("Ipsec Error - Unable to launch ipsec start : $!\n ")
196 - if not defined $myStartConnection;
197 + if not defined $myStartConnection;
198 die("Ipsec Error - Unable to launch ipsec start ( error code $?)\n ") if $?;
199
200 exit 0;
201 @@ -240,7 +254,7 @@
202
203 sub changeState {
204
205 - #@_ contains $dbKey and $ipsecstatus
206 + #@_ contains $ipsecDBkey and $ipsecstatus
207 $ipsecDB->set_prop( $_[0], 'PreviousState', $_[1] );
208 }
209
210 @@ -262,23 +276,23 @@
211 # Make sure you read and understand what happens !
212 # If I knew which specific interfaces to change we could reduce the lines here
213 system("/sbin/sysctl -w net.ipv4.conf.all.send_redirects=0") == 0
214 - or die("Ipsec Error - A problem occurred with sysctl: $?");
215 + or die("Ipsec Error - A problem occurred with sysctl: $?");
216 system("/sbin/sysctl -w net.ipv4.conf.default.send_redirects=0") == 0
217 - or die("Ipsec Error - A problem occurred with sysctl: $?");
218 + or die("Ipsec Error - A problem occurred with sysctl: $?");
219
220 system("/sbin/sysctl -w net.ipv4.conf.all.accept_redirects=0") == 0
221 - or die("Ipsec Error - A problem occurred with sysctl: $?");
222 + or die("Ipsec Error - A problem occurred with sysctl: $?");
223 system("/sbin/sysctl -w net.ipv4.conf.default.accept_redirects=0") == 0
224 - or die("Ipsec Error - A problem occurred with sysctl: $?");
225 + or die("Ipsec Error - A problem occurred with sysctl: $?");
226
227 system("/sbin/sysctl -w net.ipv4.conf.default.rp_filter=0") == 0
228 - or die("Ipsec Error - A problem occurred with sysctl: $?");
229 + or die("Ipsec Error - A problem occurred with sysctl: $?");
230 system("/sbin/sysctl -w net.ipv4.conf.all.rp_filter=0") == 0
231 - or die("Ipsec Error - A problem occurred with sysctl: $?");
232 + or die("Ipsec Error - A problem occurred with sysctl: $?");
233 system("/sbin/sysctl -w net.ipv4.conf.eth0.rp_filter=0") == 0
234 - or die("Ipsec Error - A problem occurred with sysctl: $?");
235 + or die("Ipsec Error - A problem occurred with sysctl: $?");
236 system("/sbin/sysctl -w net.ipv4.conf.eth1.rp_filter=0") == 0
237 - or die("Ipsec Error - A problem occurred with sysctl: $?");
238 + or die("Ipsec Error - A problem occurred with sysctl: $?");
239
240 # On v8 this is set to 0 so we would need
241 # system ("/sbin/sysctl -w net.core.xfrm_larval_drop=1") == 0 or die ("A problem occurred with sysctl: $?");
242 @@ -291,6 +305,6 @@
243 # This should reload the file - if ipsec is disabled it should reset to defaults
244 # If ipsec is enabled it should disable rp_filtering
245 system("/sbin/sysctl -p") == 0
246 - or die("Ipsec Error - A problem occurred with sysctl: $?");
247 + or die("Ipsec Error - A problem occurred with sysctl: $?");
248 }
249
250 diff -ruN smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/ipsec.conf/10Setup smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/ipsec.conf/10Setup
251 --- smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/ipsec.conf/10Setup 2017-06-15 00:33:57.108000046 +0200
252 +++ smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/ipsec.conf/10Setup 2017-06-15 00:34:07.806999374 +0200
253 @@ -1,5 +1,3 @@
254 -#!/usr/bin/perl -w
255 -
256 {
257 use strict;
258 use warnings;
259 @@ -25,7 +23,8 @@
260 my $dbKey = 'ipsec';
261
262 # Generic setup file
263 - my $debugstatus = $configDB->get_prop( $dbKey, 'debug' ) || 'none';
264 + my $debugstatus = $configDB->get_prop( $dbKey, 'debug' ) || 'none';
265 + my $keepalive = $configDB->get_prop( $dbKey, 'keepalive' ) || '';
266
267 # A standard config is included in the RPM but we need to generate a new one so we can modify settings
268
269 @@ -37,6 +36,10 @@
270 $OUT .= " dumpdir=/var/run/pluto/\n";
271 $OUT .= " nat_traversal=yes\n";
272
273 + if ( $keepalive ne '' ) {
274 + $OUT .= " keep-alive=$keepalive\n";
275 + }
276 +
277 # This should get all the connections in an array
278
279 my @connections = $ipsecDB->keys;
280 @@ -44,25 +47,29 @@
281 $OUT .= " virtual_private=";
282
283 my $virtual_private = '';
284 -
285 + my @subnetArr = ();
286 +
287 foreach my $ipsecprop (@connections) {
288
289 - my $type = $ipsecDB->get_prop( "$ipsecprop", 'type' );
290 - print "Connection: $ipsecprop Type: $type\n";
291 + # Note that L2TPD needs the localsubnet in here
292
293 - if ( $type eq "ipsec" ) {
294 - print "Connection: $ipsecprop\n";
295 - my $ipsecstatus = $ipsecDB->get_prop( "$ipsecprop", 'status' ) || "disabled";
296 -
297 - if ( $ipsecstatus eq "enabled" ) {
298 - my $subnet = $ipsecDB->get_prop( "$ipsecprop", 'rightsubnet' );
299 - $virtual_private .= "%v4:$subnet,";
300 - }
301 + my $ipsecstatus = $ipsecDB->get_prop( "$ipsecprop", 'status' ) || "disabled";
302 +
303 + if ( $ipsecstatus eq 'enabled' ) {
304 + my $rightsubnet = $ipsecDB->get_prop( "$ipsecprop", 'rightsubnet' );
305
306 - # End if
307 + # Check if the network is a unique value
308 + if ( !( $rightsubnet ~~ @subnetArr ) ) {
309 + print "$rightsubnet\n";
310 +
311 + push( @subnetArr, $rightsubnet );
312 + }
313 }
314
315 - # End foreach
316 + } # End foreach
317 +
318 + foreach my $subnet (@subnetArr) {
319 + $virtual_private .= "%v4:$subnet,";
320 }
321
322 # Remove last character ','
323 diff -ruN smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/ipsec.d/ipsec.conf/10Connection smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/ipsec.d/ipsec.conf/10Connection
324 --- smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/ipsec.d/ipsec.conf/10Connection 2017-06-15 00:33:57.113000043 +0200
325 +++ smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/ipsec.d/ipsec.conf/10Connection 2017-06-15 00:34:07.806999374 +0200
326 @@ -19,7 +19,7 @@
327
328 else {
329 my $ipsecDB = esmith::ConfigDB->open_ro('ipsec_connections')
330 - or die("cant connect to ipsec database");
331 + or die("cant connect to ipsec database");
332
333 # This should get all the connections in an array
334
335 @@ -29,215 +29,226 @@
336
337 foreach my $ipsecprop (@connections) {
338
339 - # first we verify if IPSec is enabled for the connection
340 + if ( $ipsecprop ne 'L2TPD-PSK' ) {
341
342 - my $ipsecstatus = $ipsecDB->get_prop( $ipsecprop, 'status' ) || 'disabled';
343 + # first we verify if IPSec is enabled for the connection
344
345 - if ( $ipsecstatus eq 'enabled' ) {
346 + my $ipsecstatus = $ipsecDB->get_prop( $ipsecprop, 'status' ) || 'disabled';
347
348 - $OUT .= "conn $ipsecprop\n";
349 -
350 - # These should be from $configDB-> ipsec
351 + if ( $ipsecstatus eq 'enabled' ) {
352
353 - # Not templated this - maybe later with L2TPD
354 - # We currently use a password file but this could be integrated with other authent later
355 + $OUT .= "conn $ipsecprop\n";
356
357 - # Lazy - assume that it is security (password by default) - options are rsasig|certs
358 + # These should be from $configDB-> ipsec
359
360 - # Careful - property 'type' has a special meaning in configDB and returns 'service'
361 + # Not templated this - maybe later with L2TPD
362 + # We currently use a password file but this could be integrated with other authent later
363
364 - my $connectiontype = $configDB->get_prop( $dbKey, 'connectiontype' )
365 - || 'tunnel';
366 - $OUT .= " type=$connectiontype\n";
367 + # Lazy - assume that it is security (password by default) - options are rsasig|certs
368
369 - my $security = $ipsecDB->get_prop( $ipsecprop, 'security' )
370 - || 'secret';
371 + # Careful - property 'type' has a special meaning in configDB and returns 'service'
372
373 - # my $certname = $ipsecDB->get_prop( "$ipsecprop", 'certname' ) || ''; ???? Is this required ?
374 + my $connectiontype = $configDB->get_prop( $dbKey, 'connectiontype' )
375 + || 'tunnel';
376 + $OUT .= " type=$connectiontype\n";
377
378 - if ( $security eq 'rsasig' ) {
379 - $OUT .= " authby=rsasig\n";
380 + my $security = $ipsecDB->get_prop( $ipsecprop, 'security' )
381 + || 'secret';
382
383 - my $leftrsasig = $ipsecDB->get_prop( $ipsecprop, 'leftrsasig' )
384 - || '';
385 - $OUT .= " leftrsasigkey=$leftrsasig\n";
386 + # my $certname = $ipsecDB->get_prop( "$ipsecprop", 'certname' ) || ''; ???? Is this required ?
387
388 - my $rightrsasig = $ipsecDB->get_prop( $ipsecprop, 'rightrsasig' )
389 - || '';
390 - $OUT .= " rightrsasigkey=$rightrsasig\n";
391 + if ( $security eq 'rsasig' ) {
392 + $OUT .= " authby=rsasig\n";
393
394 - }
395 + my $leftrsasig = $ipsecDB->get_prop( $ipsecprop, 'leftrsasig' )
396 + || '';
397 + $OUT .= " leftrsasigkey=$leftrsasig\n";
398
399 - elsif ( $security eq 'certs' ) {
400 + my $rightrsasig = $ipsecDB->get_prop( $ipsecprop, 'rightrsasig' )
401 + || '';
402 + $OUT .= " rightrsasigkey=$rightrsasig\n";
403
404 - $OUT .= " authby=rsasig\n";
405 + }
406
407 - my $leftrsasig = $ipsecDB->get_prop( $ipsecprop, 'leftrsasig' )
408 - || '%cert';
409 - $OUT .= " leftrsasigkey=$leftrsasig\n";
410 + elsif ( $security eq 'certs' ) {
411
412 - my $rightrsasig = $ipsecDB->get_prop( $ipsecprop, 'rightrsasig' )
413 - || '%cert';
414 - $OUT .= " rightrsasigkey=$rightrsasig\n";
415 + $OUT .= " authby=rsasig\n";
416
417 - my $leftcert = $ipsecDB->get_prop( $ipsecprop, 'leftcert' )
418 - || '"LeftCertName"';
419 - $OUT .= " leftcert=\"$leftcert\"\n";
420 + my $leftrsasig = $ipsecDB->get_prop( $ipsecprop, 'leftrsasig' )
421 + || '%cert';
422 + $OUT .= " leftrsasigkey=$leftrsasig\n";
423
424 - my $rightcert = $ipsecDB->get_prop( $ipsecprop, 'rightcert' )
425 - || '"RightCertName"';
426 - $OUT .= " rightcert=\"$rightcert\"\n";
427 + my $rightrsasig = $ipsecDB->get_prop( $ipsecprop, 'rightrsasig' )
428 + || '%cert';
429 + $OUT .= " rightrsasigkey=$rightrsasig\n";
430
431 - }
432 + my $leftcert = $ipsecDB->get_prop( $ipsecprop, 'leftcert' )
433 + || '"LeftCertName"';
434 + $OUT .= " leftcert=\"$leftcert\"\n";
435
436 - else {
437 - $OUT .= " authby=$security\n";
438 - }
439 + my $rightcert = $ipsecDB->get_prop( $ipsecprop, 'rightcert' )
440 + || '"RightCertName"';
441 + $OUT .= " rightcert=\"$rightcert\"\n";
442
443 - # Use connection value if it exists, if not use generic db value
444 - my $auto =
445 - $ipsecDB->get_prop( $ipsecprop, 'auto' )
446 - || $configDB->get_prop( $dbKey, 'auto' )
447 - || 'start';
448 + }
449
450 - # If we are a static host to a dynamic client we are always add
451 - my $iptype = $ipsecDB->get_prop( $ipsecprop, 'iptype' ) || '';
452 + else {
453 + $OUT .= " authby=$security\n";
454 + }
455
456 - if ( $iptype eq 'stattodyn' ) {
457 - $OUT .= " auto=add\n";
458 - }
459 - else {
460 - $OUT .= " auto=$auto\n";
461 - }
462 + # Use connection value if it exists, if not use generic db value
463 + my $auto =
464 + $ipsecDB->get_prop( $ipsecprop, 'auto' )
465 + || $configDB->get_prop( $dbKey, 'auto' )
466 + || 'start';
467
468 - # We should change ipsecversion to ikev2status
469 - my $ipsecversion =
470 - $ipsecDB->get_prop( $ipsecprop, 'ipsecversion' )
471 - || $configDB->get_prop( $dbKey, 'ipsecversion' )
472 - || 'permit';
473 -
474 - $OUT .= " ikev2=$ipsecversion\n";
475 -
476 - # Set the Phase one and Phase two default strengths - these are set to aes
477 - my $ike =
478 - $ipsecDB->get_prop( $ipsecprop, 'ike' )
479 - || $configDB->get_prop( $dbKey, 'ike' )
480 - || 'aes-sha1';
481 - $OUT .= " ike=$ike\n";
482 -
483 - my $phase2 =
484 - $ipsecDB->get_prop( $ipsecprop, 'phase2' )
485 - || $configDB->get_prop( $dbKey, 'phase2' )
486 - || 'aes-sha1';
487 - $OUT .= " phase2alg=$phase2\n";
488 -
489 - # mtu can only be set per connection
490 - my $mtu = $ipsecDB->get_prop( $ipsecprop, 'mtu' )
491 - || '';
492 + # If we are a static host to a dynamic client we are always add
493 + my $iptype = $ipsecDB->get_prop( $ipsecprop, 'iptype' ) || '';
494
495 - unless ( $mtu eq '' ) {
496 - $OUT .= " mtu=$mtu\n";
497 - }
498 + if ( $iptype eq 'stattodyn' ) {
499 + $OUT .= " auto=add\n";
500 + }
501 + else {
502 + $OUT .= " auto=$auto\n";
503 + }
504
505 - # These should be from $configDB-> ipsec unless they exist in ipsec_connections
506 + # We should change ipsecversion to 'ikev2'
507 + my $ipsecversion =
508 + $ipsecDB->get_prop( $ipsecprop, 'ipsecversion' )
509 + || $configDB->get_prop( $dbKey, 'ipsecversion' )
510 + || 'permit';
511
512 - my $keyingtries =
513 - $ipsecDB->get_prop( $ipsecprop, 'keyingtries' )
514 - || $configDB->get_prop( $dbKey, 'keyingtries' )
515 - || '0';
516 - $OUT .= " keyingtries=$keyingtries\n";
517 -
518 - # Following come from ipsecDB or configDB or hardcoded
519 - my $ikelifetime =
520 - $ipsecDB->get_prop( $ipsecprop, 'ikelifetime' )
521 - || $configDB->get_prop( $dbKey, 'ikelifetime' )
522 - || '3600s';
523 - $OUT .= " ikelifetime=$ikelifetime\n";
524 -
525 - my $salifetime =
526 - $ipsecDB->get_prop( $ipsecprop, 'salifetime' )
527 - || $configDB->get_prop( $dbKey, 'salifetime' )
528 - || '28800s';
529 - $OUT .= " salifetime=$salifetime\n";
530 -
531 - # Add is for incoming and is better that server dpd is ignored
532 - # Disabled for now
533 -
534 - # if ( $auto ne 'add' ) {}
535 - my $dpdaction =
536 - $ipsecDB->get_prop( $ipsecprop, 'dpdaction' )
537 - || $configDB->get_prop( $dbKey, 'dpdaction' )
538 - || 'restart';
539 - $OUT .= " dpdaction=$dpdaction\n";
540 -
541 - my $dpddelay =
542 - $ipsecDB->get_prop( $ipsecprop, 'dpddelay' )
543 - || $configDB->get_prop( $dbKey, 'dpddelay' )
544 - || '30';
545 - $OUT .= " dpddelay=$dpddelay\n";
546 -
547 - my $dpdtimeout =
548 - $ipsecDB->get_prop( $ipsecprop, 'dpdtimeout' )
549 - || $configDB->get_prop( $dbKey, 'dpdtimeout' )
550 - || '10';
551 - $OUT .= " dpdtimeout=$dpdtimeout\n";
552 -
553 - # default to yes unless overridden in the connection db
554 - my $pfs = $ipsecDB->get_prop( $ipsecprop, 'pfs' ) || 'yes';
555 - $OUT .= " pfs=$pfs\n";
556 -
557 - # Following come from ipsecDB or configDB or hardcoded
558 - my $left =
559 - $ipsecDB->get_prop( $ipsecprop, 'left' )
560 - || $configDB->get_prop( $dbKey, 'left' )
561 - || '%defaultroute';
562 - $OUT .= " left=$left\n";
563 -
564 - if ( $security eq 'certs' ) {
565 - my $leftid = ( $ipsecDB->get_prop( $ipsecprop, 'leftid' ) || '%fromcert' );
566 - $OUT .= " leftid=$leftid\n";
567 - }
568 + $OUT .= " ikev2=$ipsecversion\n";
569
570 - # These ONLY come from the ipsec_configurations db
571 - elsif ( ( my $leftid = $ipsecDB->get_prop( $ipsecprop, 'leftid' ) || '' ) ne '' ) {
572 - $OUT .= " leftid=$leftid\n";
573 - }
574 + # Set the Phase one and Phase two default strengths - these are set to aes
575 + my $ike =
576 + $ipsecDB->get_prop( $ipsecprop, 'ike' )
577 + || $configDB->get_prop( $dbKey, 'ike' )
578 + || 'aes-sha1';
579 + $OUT .= " ike=$ike\n";
580
581 - my $leftsourceip = $ipsecDB->get_prop( $ipsecprop, 'leftsourceip' )
582 - || '';
583 - $OUT .= " leftsourceip=$leftsourceip\n";
584 + # We should change phase2 to phase2alg
585 + my $phase2 =
586 + $ipsecDB->get_prop( $ipsecprop, 'phase2' )
587 + || $configDB->get_prop( $dbKey, 'phase2' )
588 + || 'aes-sha1';
589 + $OUT .= " phase2alg=$phase2\n";
590
591 - my $leftsub = $ipsecDB->get_prop( $ipsecprop, 'leftsubnet' )
592 - || '';
593 - $OUT .= " leftsubnet=$leftsub\n";
594 + # mtu can only be set per connection
595 + my $mtu = $ipsecDB->get_prop( $ipsecprop, 'mtu' )
596 + || '';
597
598 - # If we are a static host to a dynamic client we HAVE to set right %any
599 + unless ( $mtu eq '' ) {
600 + $OUT .= " mtu=$mtu\n";
601 + }
602
603 - my $right = $ipsecDB->get_prop( $ipsecprop, 'right' ) || '';
604 + # These should be from $configDB-> ipsec unless they exist in ipsec_connections
605
606 - if ( $iptype eq 'stattodyn' ) {
607 - $OUT .= " right=%any\n";
608 - }
609 - else {
610 - $OUT .= " right=$right\n";
611 - }
612 + my $forceencaps =
613 + $ipsecDB->get_prop( $ipsecprop, 'forceencaps' )
614 + || $configDB->get_prop( $dbKey, 'forceencaps' )
615 + || 'no';
616 + $OUT .= " forceencaps=$forceencaps\n";
617
618 - if ( $security eq 'certs' ) {
619 - my $rightid = ( $ipsecDB->get_prop( $ipsecprop, 'rightid' ) || '%fromcert' );
620 - $OUT .= " rightid=$rightid\n";
621 - }
622 + my $keyingtries =
623 + $ipsecDB->get_prop( $ipsecprop, 'keyingtries' )
624 + || $configDB->get_prop( $dbKey, 'keyingtries' )
625 + || '0';
626 + $OUT .= " keyingtries=$keyingtries\n";
627
628 - elsif ( ( my $rightid = $ipsecDB->get_prop( $ipsecprop, 'rightid' ) || '' ) ne '' ) {
629 - $OUT .= " rightid=$rightid\n";
630 - }
631 + # Following come from ipsecDB or configDB or hardcoded
632 + my $ikelifetime =
633 + $ipsecDB->get_prop( $ipsecprop, 'ikelifetime' )
634 + || $configDB->get_prop( $dbKey, 'ikelifetime' )
635 + || '3600s';
636 + $OUT .= " ikelifetime=$ikelifetime\n";
637 +
638 + my $salifetime =
639 + $ipsecDB->get_prop( $ipsecprop, 'salifetime' )
640 + || $configDB->get_prop( $dbKey, 'salifetime' )
641 + || '28800s';
642 + $OUT .= " salifetime=$salifetime\n";
643 +
644 + # Add is for incoming and is better that server dpd is ignored
645 + # Disabled for now
646
647 - my $rightsubnet = $ipsecDB->get_prop( $ipsecprop, 'rightsubnet' ) || '';
648 - $OUT .= " rightsubnet=$rightsubnet\n";
649 + # if ( $auto ne 'add' ) {}
650 + my $dpdaction =
651 + $ipsecDB->get_prop( $ipsecprop, 'dpdaction' )
652 + || $configDB->get_prop( $dbKey, 'dpdaction' )
653 + || 'restart';
654 + $OUT .= " dpdaction=$dpdaction\n";
655 +
656 + my $dpddelay =
657 + $ipsecDB->get_prop( $ipsecprop, 'dpddelay' )
658 + || $configDB->get_prop( $dbKey, 'dpddelay' )
659 + || '30';
660 + $OUT .= " dpddelay=$dpddelay\n";
661 +
662 + my $dpdtimeout =
663 + $ipsecDB->get_prop( $ipsecprop, 'dpdtimeout' )
664 + || $configDB->get_prop( $dbKey, 'dpdtimeout' )
665 + || '10';
666 + $OUT .= " dpdtimeout=$dpdtimeout\n";
667 +
668 + # default to yes unless overridden in the connection db
669 + my $pfs = $ipsecDB->get_prop( $ipsecprop, 'pfs' ) || 'yes';
670 + $OUT .= " pfs=$pfs\n";
671 +
672 + # Following come from ipsecDB or configDB or hardcoded
673 + my $left =
674 + $ipsecDB->get_prop( $ipsecprop, 'left' )
675 + || $configDB->get_prop( $dbKey, 'left' )
676 + || '%defaultroute';
677 + $OUT .= " left=$left\n";
678 +
679 + if ( $security eq 'certs' ) {
680 + my $leftid = ( $ipsecDB->get_prop( $ipsecprop, 'leftid' ) || '%fromcert' );
681 + $OUT .= " leftid=$leftid\n";
682 + }
683 +
684 + # These ONLY come from the ipsec_configurations db
685 + elsif ( ( my $leftid = $ipsecDB->get_prop( $ipsecprop, 'leftid' ) || '' ) ne '' ) {
686 + $OUT .= " leftid=$leftid\n";
687 + }
688 +
689 + my $leftsourceip = $ipsecDB->get_prop( $ipsecprop, 'leftsourceip' )
690 + || '';
691 + $OUT .= " leftsourceip=$leftsourceip\n";
692 +
693 + my $leftsub = $ipsecDB->get_prop( $ipsecprop, 'leftsubnet' )
694 + || '';
695 + $OUT .= " leftsubnet=$leftsub\n";
696 +
697 + # If we are a static host to a dynamic client we HAVE to set right %any
698 +
699 + my $right = $ipsecDB->get_prop( $ipsecprop, 'right' ) || '';
700 +
701 + if ( $iptype eq 'stattodyn' ) {
702 + $OUT .= " right=%any\n";
703 + }
704 + else {
705 + $OUT .= " right=$right\n";
706 + }
707 +
708 + if ( $security eq 'certs' ) {
709 + my $rightid = ( $ipsecDB->get_prop( $ipsecprop, 'rightid' ) || '%fromcert' );
710 + $OUT .= " rightid=$rightid\n";
711 + }
712 +
713 + elsif ( ( my $rightid = $ipsecDB->get_prop( $ipsecprop, 'rightid' ) || '' ) ne '' ) {
714 + $OUT .= " rightid=$rightid\n";
715 + }
716 +
717 + my $rightsubnet = $ipsecDB->get_prop( $ipsecprop, 'rightsubnet' ) || '';
718 + $OUT .= " rightsubnet=$rightsubnet\n";
719 +
720 + } # End If
721 + else {
722 + $OUT .= "# conn $ipsecprop disabled\n";
723 + }
724
725 - } # End If
726 - else {
727 - $OUT .= "# conn $ipsecprop disabled\n";
728 - }
729 + } # End unless
730 } # End foreach
731 } # End else
732 }
733 diff -ruN smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/ipsec.d/ipsec.secrets/10Passwords smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/ipsec.d/ipsec.secrets/10Passwords
734 --- smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/ipsec.d/ipsec.secrets/10Passwords 2017-06-15 00:33:57.112000044 +0200
735 +++ smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/ipsec.d/ipsec.secrets/10Passwords 2017-06-15 00:34:07.806999374 +0200
736 @@ -19,94 +19,98 @@
737
738 else {
739 my $ipsecDB = esmith::ConfigDB->open_ro('ipsec_connections')
740 - or die("cant connect to ipsec database");
741 + or die("cant connect to ipsec database");
742
743 # This should get all the connections in an array
744
745 my @connections = $ipsecDB->keys;
746
747 $OUT .= "# ipsec.secrets\n\n";
748 -
749 +
750 my $ExternalIP = $configDB->get_prop( "ExternalInterface", "IPAddress" );
751 -
752 +
753 foreach my $ipsecprop (@connections) {
754
755 - # first we verify if IPSec is enabled for the connection
756 + if ( $ipsecprop ne 'L2TPD-PSK' ) {
757
758 - my $ipsecstatus = $ipsecDB->get_prop( $ipsecprop, 'status' )
759 - || "disabled";
760 + # first we verify if IPSec is enabled for the connection
761
762 - if ( $ipsecstatus eq "enabled" ) {
763 + my $ipsecstatus = $ipsecDB->get_prop( $ipsecprop, 'status' )
764 + || "disabled";
765
766 - my $right = $ipsecDB->get_prop( $ipsecprop, 'right' ) || '';
767 + if ( $ipsecstatus eq "enabled" ) {
768
769 - # Hmm..... if left is not set it defaults to %defaultroute which we don't want here
770 + my $right = $ipsecDB->get_prop( $ipsecprop, 'right' ) || '';
771
772 - my $left = $ipsecDB->get_prop( $ipsecprop, 'left' ) || $ExternalIP;
773 - my $security = $ipsecDB->get_prop( $ipsecprop, 'security' ) || 'secret';
774 - my $iptype = $ipsecDB->get_prop( $ipsecprop, 'iptype' ) || '';
775 - my $certname = $ipsecDB->get_prop( $ipsecprop, 'certname' ) || '';
776 - my $passwd = $ipsecDB->get_prop( $ipsecprop, 'passwd' ) || '';
777 + # Hmm..... if left is not set it defaults to %defaultroute which we don't want here
778
779 - # Double quote is not allowed in configuration
780 - if ( $passwd =~ /"/ ) {
781 - die("Ipsec Error - PSK value cannot contain double quotes (\")");
782 - }
783 + my $left = $ipsecDB->get_prop( $ipsecprop, 'left' ) || $ExternalIP;
784 + my $security = $ipsecDB->get_prop( $ipsecprop, 'security' ) || 'secret';
785 + my $iptype = $ipsecDB->get_prop( $ipsecprop, 'iptype' ) || '';
786 + my $certname = $ipsecDB->get_prop( $ipsecprop, 'certname' ) || '';
787 + my $passwd = $ipsecDB->get_prop( $ipsecprop, 'passwd' ) || '';
788
789 - $OUT .= "# $ipsecprop is enabled\n";
790 + # Double quote is not allowed in configuration
791 + if ( $passwd =~ /"/ ) {
792 + die("Ipsec Error - PSK value cannot contain double quotes (\")");
793 + }
794
795 - if ( $security eq 'certs' ) {
796 - $OUT .= "# Certificates enabled for $ipsecprop - no settings required\n";
797 - }
798 + $OUT .= "# $ipsecprop is enabled\n";
799
800 - elsif ( $security eq 'secret' ) {
801 + if ( $security eq 'certs' ) {
802 + $OUT .= "# Certificates enabled for $ipsecprop - no settings required\n";
803 + }
804
805 - # If dynamic it must be %any here
806 - # If not it can be ExternalIP if left not set
807 + elsif ( $security eq 'secret' ) {
808
809 - # IF we have IDs then use them in preference to %any
810 + # If dynamic it must be %any here
811 + # If not it can be ExternalIP if left not set
812
813 - my $leftid = $ipsecDB->get_prop( $ipsecprop, 'leftid' ) || '';
814 - my $rightid = $ipsecDB->get_prop( $ipsecprop, 'rightid' ) || '';
815 + # IF we have IDs then use them in preference to %any
816
817 - if ( $iptype eq 'stattodyn' ) {
818 - if ( ( $leftid eq '' ) && ( $rightid eq '' ) ) {
819 - $OUT .= "$left %any \: PSK \"$passwd\"";
820 + my $leftid = $ipsecDB->get_prop( $ipsecprop, 'leftid' ) || '';
821 + my $rightid = $ipsecDB->get_prop( $ipsecprop, 'rightid' ) || '';
822 +
823 + if ( $iptype eq 'stattodyn' ) {
824 + if ( ( $leftid eq '' ) && ( $rightid eq '' ) ) {
825 + $OUT .= "$left %any \: PSK \"$passwd\"";
826 + }
827 + else {
828 + $OUT .= "$leftid $rightid \: PSK \"$passwd\"";
829 + }
830 }
831 - else {
832 - $OUT .= "$leftid $rightid \: PSK \"$passwd\"";
833 +
834 + elsif ( $iptype eq 'dyntostat' ) {
835 + if ( ( $leftid eq '' ) && ( $rightid eq '' ) ) {
836 + $OUT .= "%any $right\: PSK \"$passwd\"";
837 + }
838 + else {
839 + $OUT .= "$leftid $rightid \: PSK \"$passwd\"";
840 + }
841 }
842 - }
843
844 - elsif ( $iptype eq 'dyntostat' ) {
845 - if ( ( $leftid eq '' ) && ( $rightid eq '' ) ) {
846 - $OUT .= "%any $right\: PSK \"$passwd\"";
847 + elsif ( ( $leftid ne '' ) && ( $rightid ne '' ) ) {
848 + $OUT .= "$leftid $rightid \: PSK \"$passwd\"";
849 }
850 +
851 else {
852 - $OUT .= "$leftid $rightid \: PSK \"$passwd\"";
853 + $OUT .= "$left $right \: PSK \"$passwd\"";
854 }
855 }
856
857 - elsif ( ( $leftid ne '' ) && ( $rightid ne '' ) ) {
858 - $OUT .= "$leftid $rightid \: PSK \"$passwd\"";
859 + elsif ( $security eq "rsasig" ) {
860 + $OUT .= "# Connection to $ipsecprop is RSA\n";
861 + $OUT .= "# Our RSA key is in separate file\n";
862 }
863
864 else {
865 - $OUT .= "$left $right \: PSK \"$passwd\"";
866 + $OUT .= "# $ipsecprop is disabled\n";
867 + $OUT .= "\n";
868 }
869 - }
870 -
871 - elsif ( $security eq "rsasig" ) {
872 - $OUT .= "# Connection to $ipsecprop is RSA\n";
873 - $OUT .= "# Our RSA key is in separate file\n";
874 - }
875 -
876 - else {
877 - $OUT .= "# $ipsecprop is disabled\n";
878 $OUT .= "\n";
879 - }
880 - $OUT .= "\n";
881 - }
882 - }
883 - }
884 + } # if
885 + } #unless
886 + } #foreach
887 + } #else
888 }
889 +

admin@koozali.org
ViewVC Help
Powered by ViewVC 1.2.1 RSS 2.0 feed