brianr |
1.1 |
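diff -ruN smeserver-libreswan-0.5.old/root/etc/e-smith/events/actions/ipsec-update smeserver-libreswan-0.5/root/etc/e-smith/events/actions/ipsec-update
--- smeserver-libreswan-0.5.old/root/etc/e-smith/events/actions/ipsec-update 2017-06-15 00:33:57.103000044 +0200
+++ smeserver-libreswan-0.5/root/etc/e-smith/events/actions/ipsec-update 2017-06-15 00:34:07.806999374 +0200
@@ -21,70 +21,84 @@
 # Note that we do not need to use the init ipsec script - we can start and
 # stop directly using /usr/sbin/ipsec which will call the init script
 
+# Probably ought to check somewhere that the status of services is public
+# But if it is private then you have to re-expand masq someplace
+
 use strict;
 use warnings;
 use esmith::ConfigDB;
 
 my $configDB = esmith::ConfigDB->open or die("can't open Config DB");
 my $ipsecDB = esmith::ConfigDB->open('ipsec_connections')
- or die("Ipsec Error - cant connect to ipsec database");
+ or die("Ipsec Error - cant connect to ipsec database");
 
-my $dbKey = 'ipsec';
+my $ipsecDBkey = 'ipsec';
+my $xl2tpdDBkey = 'xl2tpd';
+my $xl2tpdipsecprop = "L2TPD-PSK";
 
 # Check on access status - we'll use this later
 # If status goes to disabled we should set this private
 
-my $ipsec_access = $configDB->get_prop( $dbKey, 'access' ) || 'private';
+my $ipsec_access = $configDB->get_prop( $ipsecDBkey, 'access' ) || 'private';
 print "Ipsec Information - IpsecAccessState: $ipsec_access\n";
 
 # If the service is set disabled then make sure it is stopped
 # Note that ipsec is not a service so we cannot use the normal service commands
 
-if ( $configDB->get_prop( $dbKey, 'status' ) eq 'disabled' ) {
+if ( $configDB->get_prop( $ipsecDBkey, 'status' ) eq 'disabled' ) {
+
+ # Always reset redirects on stop
+ print "Ipsec Information - reset redirects";
+ resetRedirects();
+
+ # Sort out xl2tpd - if ipsec is disabled it has to be stopped
+
+ print "Xl2tpd Information - ipsec is disabled - Stopping xl2tpd \n";
+ my $myStopXl2tpd = qx(/etc/rc.d/init.d/xl2tpd stop) || die("xl2tpd Error - Unable to launch xl2tpd stop : $!\n");
+
+ if ( not defined $myStopXl2tpd ) {
+ die("Ipsec Error - Unable to stop xl2tpd( error code $?)\n") if $?;
+ }
 
 # Do we check if it is already stopped ?
 # For now we stop it regardless
 
 print "Ipsec Information - ipsec disabled - Stopping ipsec \n";
+ my $myStopConnection = qx(/etc/rc.d/init.d/ipsec stop) || die("Ipsec Error - Unable to launch ipsec stop : $!\n");
 
- # First set ipsec access to private which disables firewall rule
- # Is this the correct syntax - what about die ?
- # This is problematic as masq templates are already expanded and may be wrong
-
- # Make sure access = private
- # No point in this unless we expand the masq template again
-
- #unless ( $ipsec_access eq 'private' ) {
- # $configDB->set_prop( $dbKey, 'access', 'private' );
- #}
+ if ( not defined $myStopConnection ) {
+ die("Ipsec Error - Unable to stop ipsec( error code $?)\n") if $?;
+ }
 
- my $myStopConnection = qx(/etc/rc.d/init.d/ipsec stop);
- die("Ipsec Error - Unable to launch ipsec stop : $!\n")
+ exit 0;
+}
 
- if not defined $myStopConnection;
- die("Ipsec Error - Unable to stop ipsec( error code $?)\n") if $?;
+# If the ipsec service is set to enabled AND running (then check the connections)
 
- print "Ipsec Information - reset redirects";
- resetRedirects();
+if ( $configDB->get_prop( $ipsecDBkey, 'status' ) eq 'enabled' ) {
 
- exit 0;
-}
+ # Sort out xl2tpd - if ipsec is enabled, AND xl2tpd then see if it is started
+ if ( $configDB->get_prop( $xl2tpdDBkey, 'status' ) eq 'enabled' ) {
+ my $xl2tpdstatus = (`ps ax | grep -v grep | grep xl2tpd`);
 
-# If the service is set to enabled AND running (then check the connections)
+ #If the service is not running then start it
+ unless ( $xl2tpdstatus =~ m/_xl2tpd/ ) {
 
-if ( $configDB->get_prop( $dbKey, 'status' ) eq 'enabled' ) {
+ print "Xl2tpd Information - xl2tpd enabled but stopped - starting xl2tpd \n";
+ my $myStartXl2tpd = qx(/etc/rc.d/init.d/xl2tpd start)
+ || die("xl2tpd Error - Unable to launch xl2tpd start : $!\n");
 
- # Make sure access = public
- # No point in this unless we expand the masq template again
-
- #unless ( $ipsec_access eq 'public' ) {
- # $configDB->set_prop( $dbKey, 'access', 'public' );
- #}
+ if ( not defined $myStartXl2tpd ) {
+ die("Ipsec Error - Unable to stop xl2tpd( error code $?)\n") if $?;
+ }
+
+ }
+ }
 
 my $status = (`ps ax | grep -v grep | grep pluto`);
 
- #If the service is running
- if ( $status =~ m/_plutorun/ ) {
+ # If the ipsec service is running
+ if ( $status =~ m/_plutorun/ ) {
 
 # Lets do some stuff
 print "Ipsec Information - ipsec is running !\n";
@@ -99,7 +113,7 @@
 
 #Check the individual connection status
 my $ipsecstatus = $ipsecDB->get_prop( "$ipsecprop", 'status' )
- || "disabled";
+ || "disabled";
 
 # What type of connection are we ?
 my $connection = $ipsecDB->get_prop( "$ipsecprop", 'auto' ) || '';
@@ -120,13 +134,13 @@
 my $reread = qx(/usr/sbin/ipsec auto --rereadsecrets);
 
 die("Ipsec Error - Unable launch ipsec reread secrets : $!\n")
- if not defined $reread;
+ if not defined $reread;
 die("Ipsec Error - Unable to reread ipsec secrets ( error code $?)\n")
- if $?;
+ if $?;
 
 # If we are enabled
- if ( ( $previpsecstatus eq "enabled" )
- && ( $ipsecstatus eq "enabled" ) ) {
+ if ( ( $previpsecstatus eq "enabled" )
+ && ( $ipsecstatus eq "enabled" ) ) {
 
 # Restart
 print "Ipsec Information - Restarting connection - $ipsecprop\n";
@@ -152,20 +166,20 @@
 }
 
 # If status is disabled then stop it
- elsif ( ( $previpsecstatus eq "disabled" )
- && ( $ipsecstatus eq "disabled" ) ) {
+ elsif (( $previpsecstatus eq "disabled" )
+ && ( $ipsecstatus eq "disabled" ) ) {
 
 # Stop
 print "Ipsec Information - Stop connection - $ipsecprop\n";
 stopConnection($ipsecprop);
 
 # Set Previous status
- changeState( $dbKey, $ipsecstatus );
+ changeState( $ipsecDBkey, $ipsecstatus );
 }
 
 # If status was disabled and now enabled then start it
- elsif ( ( $previpsecstatus eq "disabled" )
- && ( $ipsecstatus eq "enabled" ) ) {
+ elsif (( $previpsecstatus eq "disabled" )
+ && ( $ipsecstatus eq "enabled" ) ) {
 
 # Start
 print "Enabling connection $ipsecprop\n";
@@ -192,8 +206,8 @@
 }
 
 # If status was enabled and now disabled then stop it
- elsif ( ( $previpsecstatus eq "enabled" )
- && ( $ipsecstatus eq "disabled" ) ) {
+ elsif (( $previpsecstatus eq "enabled" )
+ && ( $ipsecstatus eq "disabled" ) ) {
 
 # Stop and remove - do we need to ?
 print "Ipsec Information - Stopping connection $ipsecprop\n ";
@@ -220,13 +234,13 @@
 
 # Make sure access = public
 unless ( $ipsec_access eq 'public' ) {
- $configDB->set_prop( $dbKey, 'access', 'public' );
+ $configDB->set_prop( $ipsecDBkey, 'access', 'public' );
 }
 
 print "Ipsec Information - ipsec enabled - Starting ipsec\n ";
 my $myStartConnection = qx(/etc/rc.d/init.d/ipsec start);
 die("Ipsec Error - Unable to launch ipsec start : $!\n ")
- if not defined $myStartConnection;
+ if not defined $myStartConnection;
 die("Ipsec Error - Unable to launch ipsec start ( error code $?)\n ") if $?;
 
 exit 0;
@@ -240,7 +254,7 @@
 
 sub changeState {
 
- #@_ contains $dbKey and $ipsecstatus
+ #@_ contains $ipsecDBkey and $ipsecstatus
 $ipsecDB->set_prop( $_[0], 'PreviousState', $_[1] );
 }
 
@@ -262,23 +276,23 @@
 # Make sure you read and understand what happens !
 # If I knew which specific interfaces to change we could reduce the lines here
 system("/sbin/sysctl -w net.ipv4.conf.all.send_redirects=0") == 0
- or die("Ipsec Error - A problem occurred with sysctl: $?");
+ or die("Ipsec Error - A problem occurred with sysctl: $?");
 system("/sbin/sysctl -w net.ipv4.conf.default.send_redirects=0") == 0
- or die("Ipsec Error - A problem occurred with sysctl: $?");
+ or die("Ipsec Error - A problem occurred with sysctl: $?");
 
 system("/sbin/sysctl -w net.ipv4.conf.all.accept_redirects=0") == 0
- or die("Ipsec Error - A problem occurred with sysctl: $?");
+ or die("Ipsec Error - A problem occurred with sysctl: $?");
 system("/sbin/sysctl -w net.ipv4.conf.default.accept_redirects=0") == 0
- or die("Ipsec Error - A problem occurred with sysctl: $?");
+ or die("Ipsec Error - A problem occurred with sysctl: $?");
 
 system("/sbin/sysctl -w net.ipv4.conf.default.rp_filter=0") == 0
- or die("Ipsec Error - A problem occurred with sysctl: $?");
+ or die("Ipsec Error - A problem occurred with sysctl: $?");
 system("/sbin/sysctl -w net.ipv4.conf.all.rp_filter=0") == 0
- or die("Ipsec Error - A problem occurred with sysctl: $?");
+ or die("Ipsec Error - A problem occurred with sysctl: $?");
 system("/sbin/sysctl -w net.ipv4.conf.eth0.rp_filter=0") == 0
- or die("Ipsec Error - A problem occurred with sysctl: $?");
+ or die("Ipsec Error - A problem occurred with sysctl: $?");
 system("/sbin/sysctl -w net.ipv4.conf.eth1.rp_filter=0") == 0
- or die("Ipsec Error - A problem occurred with sysctl: $?");
+ or die("Ipsec Error - A problem occurred with sysctl: $?");
 
 # On v8 this is set to 0 so we would need
 # system ("/sbin/sysctl -w net.core.xfrm_larval_drop=1") == 0 or die ("A problem occurred with sysctl: $?");
@@ -291,6 +305,6 @@
 # This should reload the file - if ipsec is disabled it should reset to defaults
 # If ipsec is enabled it should disable rp_filtering
 system("/sbin/sysctl -p") == 0
- or die("Ipsec Error - A problem occurred with sysctl: $?");
+ or die("Ipsec Error - A problem occurred with sysctl: $?");
 }
 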
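Review bot: The exit status of the xl2tpd stop is never checked: at the new line `my $myStopXl2tpd = qx(/etc/rc.d/init.d/xl2tpd stop) || die(...)`, once `|| die` has not fired the variable cannot be undef, so the following `if ( not defined $myStopXl2tpd )` block that holds the `$?` test is dead, and a stop that prints nothing to stdout dies with the misleading "Unable to launch" message instead. The same shape is used for the ipsec stop and the xl2tpd start further down this hunk, whereas the pre-change ipsec stop kept the two checks as separate statements, which is what the new lines should do: `my $myStopXl2tpd = qx(/etc/rc.d/init.d/xl2tpd stop);` / `die("xl2tpd Error - Unable to launch xl2tpd stop : $!\n") if not defined $myStopXl2tpd;` / `die("xl2tpd Error - Unable to stop xl2tpd( error code $?)\n") if $?;`. The start branch's error text also says "Unable to stop xl2tpd" where a start was launched. The `m/_xl2tpd/` match will only succeed if a process with an underscore-prefixed name exists; the `xl2tpd` daemon itself would not match, so the start may be re-run on every event — worth confirming on a running system. Separately, the disabled path now stops both daemons but leaves the `access` property untouched, so per the removed "disables firewall rule" comment a previously public service keeps its firewall exposure after being disabled; the header comment added at the top of the hunk acknowledges this, and it deserves a tracked follow-up rather than a note.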
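diff -ruN smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/ipsec.conf/10Setup smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/ipsec.conf/10Setup
--- smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/ipsec.conf/10Setup 2017-06-15 00:33:57.108000046 +0200
+++ smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/ipsec.conf/10Setup 2017-06-15 00:34:07.806999374 +0200
@@ -1,5 +1,3 @@
-#!/usr/bin/perl -w
-
 {
 use strict;
 use warnings;
@@ -25,7 +23,8 @@
 my $dbKey = 'ipsec';
 
 # Generic setup file
- my $debugstatus = $configDB->get_prop( $dbKey, 'debug' ) || 'none';
+ my $debugstatus = $configDB->get_prop( $dbKey, 'debug' ) || 'none';
+ my $keepalive = $configDB->get_prop( $dbKey, 'keepalive' ) || '';
 
 # A standard config is included in the RPM but we need to generate a new one so we can modify settings
 
@@ -37,6 +36,10 @@
 $OUT .= " dumpdir=/var/run/pluto/\n";
 $OUT .= " nat_traversal=yes\n";
 
+ if ( $keepalive ne '' ) {
+ $OUT .= " keep-alive=$keepalive\n";
+ }
+
 # This should get all the connections in an array
 
 my @connections = $ipsecDB->keys;
@@ -44,25 +47,29 @@
 $OUT .= " virtual_private=";
 
 my $virtual_private = '';
-
+ my @subnetArr = ();
+
 foreach my $ipsecprop (@connections) {
 
- my $type = $ipsecDB->get_prop( "$ipsecprop", 'type' );
- print "Connection: $ipsecprop Type: $type\n";
+ # Note that L2TPD needs the localsubnet in here
 
- if ( $type eq "ipsec" ) {
- print "Connection: $ipsecprop\n";
- my $ipsecstatus = $ipsecDB->get_prop( "$ipsecprop", 'status' ) || "disabled";
-
- if ( $ipsecstatus eq "enabled" ) {
- my $subnet = $ipsecDB->get_prop( "$ipsecprop", 'rightsubnet' );
- $virtual_private .= "%v4:$subnet,";
- }
+ my $ipsecstatus = $ipsecDB->get_prop( "$ipsecprop", 'status' ) || "disabled";
+
+ if ( $ipsecstatus eq 'enabled' ) {
+ my $rightsubnet = $ipsecDB->get_prop( "$ipsecprop", 'rightsubnet' );
 
- # End if
+ # Check if the network is a unique value
+ if ( !( $rightsubnet ~~ @subnetArr ) ) {
+ print "$rightsubnet\n";
+
+ push( @subnetArr, $rightsubnet );
+ }
 }
 
- # End foreach
+ } # End foreach
+
+ foreach my $subnet (@subnetArr) {
+ $virtual_private .= "%v4:$subnet,";
 }
 
 # Remove last character ','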
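Review bot: The uniqueness test `if ( !( $rightsubnet ~~ @subnetArr ) )` in the last hunk relies on smartmatch, which is experimental under `use warnings` (it warns on every template expansion) and deprecated since Perl 5.38, so the fragment should not depend on it; `unless ( grep { $_ eq $rightsubnet } @subnetArr )` does the same comparison with plain string equality. `$rightsubnet` is also read without a fallback, so a connection record with no `rightsubnet` property pushes undef and the later `"%v4:$subnet,"` writes an empty `%v4:` entry into `virtual_private`; reading it as `my $rightsubnet = $ipsecDB->get_prop( "$ipsecprop", 'rightsubnet' ) || '';` and skipping the empty string avoids that. The `print "$rightsubnet\n";` inside the loop looks like a leftover debug line, as the removed `print "Connection: ..."` lines were. The enclosing template block starts before this hunk.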
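diff -ruN smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/ipsec.d/ipsec.conf/10Connection smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/ipsec.d/ipsec.conf/10Connection
--- smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/ipsec.d/ipsec.conf/10Connection 2017-06-15 00:33:57.113000043 +0200
+++ smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/ipsec.d/ipsec.conf/10Connection 2017-06-15 00:34:07.806999374 +0200
@@ -19,7 +19,7 @@
 
 else {
 my $ipsecDB = esmith::ConfigDB->open_ro('ipsec_connections')
- or die("cant connect to ipsec database");
+ or die("cant connect to ipsec database");
 
 # This should get all the connections in an array
 
@@ -29,215 +29,226 @@
 
 foreach my $ipsecprop (@connections) {
 
- # first we verify if IPSec is enabled for the connection
+ if ( $ipsecprop ne 'L2TPD-PSK' ) {
 
- my $ipsecstatus = $ipsecDB->get_prop( $ipsecprop, 'status' ) || 'disabled';
+ # first we verify if IPSec is enabled for the connection
 
- if ( $ipsecstatus eq 'enabled' ) {
+ my $ipsecstatus = $ipsecDB->get_prop( $ipsecprop, 'status' ) || 'disabled';
 
- $OUT .= "conn $ipsecprop\n";
-
- # These should be from $configDB-> ipsec
+ if ( $ipsecstatus eq 'enabled' ) {
 
- # Not templated this - maybe later with L2TPD
- # We currently use a password file but this could be integrated with other authent later
+ $OUT .= "conn $ipsecprop\n";
 
- # Lazy - assume that it is security (password by default) - options are rsasig|certs
+ # These should be from $configDB-> ipsec
 
- # Careful - property 'type' has a special meaning in configDB and returns 'service'
+ # Not templated this - maybe later with L2TPD
+ # We currently use a password file but this could be integrated with other authent later
 
- my $connectiontype = $configDB->get_prop( $dbKey, 'connectiontype' )
- || 'tunnel';
- $OUT .= " type=$connectiontype\n";
+ # Lazy - assume that it is security (password by default) - options are rsasig|certs
 
- my $security = $ipsecDB->get_prop( $ipsecprop, 'security' )
- || 'secret';
+ # Careful - property 'type' has a special meaning in configDB and returns 'service'
 
- # my $certname = $ipsecDB->get_prop( "$ipsecprop", 'certname' ) || ''; ???? Is this required ?
+ my $connectiontype = $configDB->get_prop( $dbKey, 'connectiontype' )
+ || 'tunnel';
+ $OUT .= " type=$connectiontype\n";
 
- if ( $security eq 'rsasig' ) {
- $OUT .= " authby=rsasig\n";
+ my $security = $ipsecDB->get_prop( $ipsecprop, 'security' )
+ || 'secret';
 
- my $leftrsasig = $ipsecDB->get_prop( $ipsecprop, 'leftrsasig' )
- || '';
- $OUT .= " leftrsasigkey=$leftrsasig\n";
+ # my $certname = $ipsecDB->get_prop( "$ipsecprop", 'certname' ) || ''; ???? Is this required ?
 
- my $rightrsasig = $ipsecDB->get_prop( $ipsecprop, 'rightrsasig' )
- || '';
- $OUT .= " rightrsasigkey=$rightrsasig\n";
+ if ( $security eq 'rsasig' ) {
+ $OUT .= " authby=rsasig\n";
 
- }
+ my $leftrsasig = $ipsecDB->get_prop( $ipsecprop, 'leftrsasig' )
+ || '';
+ $OUT .= " leftrsasigkey=$leftrsasig\n";
 
- elsif ( $security eq 'certs' ) {
+ my $rightrsasig = $ipsecDB->get_prop( $ipsecprop, 'rightrsasig' )
+ || '';
+ $OUT .= " rightrsasigkey=$rightrsasig\n";
 
- $OUT .= " authby=rsasig\n";
+ }
 
- my $leftrsasig = $ipsecDB->get_prop( $ipsecprop, 'leftrsasig' )
- || '%cert';
- $OUT .= " leftrsasigkey=$leftrsasig\n";
+ elsif ( $security eq 'certs' ) {
 
- my $rightrsasig = $ipsecDB->get_prop( $ipsecprop, 'rightrsasig' )
- || '%cert';
- $OUT .= " rightrsasigkey=$rightrsasig\n";
+ $OUT .= " authby=rsasig\n";
 
- my $leftcert = $ipsecDB->get_prop( $ipsecprop, 'leftcert' )
- || '"LeftCertName"';
- $OUT .= " leftcert=\"$leftcert\"\n";
+ my $leftrsasig = $ipsecDB->get_prop( $ipsecprop, 'leftrsasig' )
+ || '%cert';
+ $OUT .= " leftrsasigkey=$leftrsasig\n";
 
- my $rightcert = $ipsecDB->get_prop( $ipsecprop, 'rightcert' )
- || '"RightCertName"';
- $OUT .= " rightcert=\"$rightcert\"\n";
+ my $rightrsasig = $ipsecDB->get_prop( $ipsecprop, 'rightrsasig' )
+ || '%cert';
+ $OUT .= " rightrsasigkey=$rightrsasig\n";
 
- }
+ my $leftcert = $ipsecDB->get_prop( $ipsecprop, 'leftcert' )
+ || '"LeftCertName"';
+ $OUT .= " leftcert=\"$leftcert\"\n";
 
- else {
- $OUT .= " authby=$security\n";
- }
+ my $rightcert = $ipsecDB->get_prop( $ipsecprop, 'rightcert' )
+ || '"RightCertName"';
+ $OUT .= " rightcert=\"$rightcert\"\n";
 
- # Use connection value if it exists, if not use generic db value
- my $auto =
- $ipsecDB->get_prop( $ipsecprop, 'auto' )
- || $configDB->get_prop( $dbKey, 'auto' )
- || 'start';
+ }
 
- # If we are a static host to a dynamic client we are always add
- my $iptype = $ipsecDB->get_prop( $ipsecprop, 'iptype' ) || '';
+ else {
+ $OUT .= " authby=$security\n";
+ }
 
- if ( $iptype eq 'stattodyn' ) {
- $OUT .= " auto=add\n";
- }
- else {
- $OUT .= " auto=$auto\n";
- }
+ # Use connection value if it exists, if not use generic db value
+ my $auto =
+ $ipsecDB->get_prop( $ipsecprop, 'auto' )
+ || $configDB->get_prop( $dbKey, 'auto' )
+ || 'start';
 
- # We should change ipsecversion to ikev2status
- my $ipsecversion =
- $ipsecDB->get_prop( $ipsecprop, 'ipsecversion' )
- || $configDB->get_prop( $dbKey, 'ipsecversion' )
- || 'permit';
-
- $OUT .= " ikev2=$ipsecversion\n";
-
- # Set the Phase one and Phase two default strengths - these are set to aes
- my $ike =
- $ipsecDB->get_prop( $ipsecprop, 'ike' )
- || $configDB->get_prop( $dbKey, 'ike' )
- || 'aes-sha1';
- $OUT .= " ike=$ike\n";
-
- my $phase2 =
- $ipsecDB->get_prop( $ipsecprop, 'phase2' )
- || $configDB->get_prop( $dbKey, 'phase2' )
- || 'aes-sha1';
- $OUT .= " phase2alg=$phase2\n";
-
- # mtu can only be set per connection
- my $mtu = $ipsecDB->get_prop( $ipsecprop, 'mtu' )
- || '';
+ # If we are a static host to a dynamic client we are always add
+ my $iptype = $ipsecDB->get_prop( $ipsecprop, 'iptype' ) || '';
 
- unless ( $mtu eq '' ) {
- $OUT .= " mtu=$mtu\n";
- }
+ if ( $iptype eq 'stattodyn' ) {
+ $OUT .= " auto=add\n";
+ }
+ else {
+ $OUT .= " auto=$auto\n";
+ }
 
- # These should be from $configDB-> ipsec unless they exist in ipsec_connections
+ # We should change ipsecversion to 'ikev2'
+ my $ipsecversion =
+ $ipsecDB->get_prop( $ipsecprop, 'ipsecversion' )
+ || $configDB->get_prop( $dbKey, 'ipsecversion' )
+ || 'permit';
 
- my $keyingtries =
- $ipsecDB->get_prop( $ipsecprop, 'keyingtries' )
- || $configDB->get_prop( $dbKey, 'keyingtries' )
- || '0';
- $OUT .= " keyingtries=$keyingtries\n";
-
- # Following come from ipsecDB or configDB or hardcoded
- my $ikelifetime =
- $ipsecDB->get_prop( $ipsecprop, 'ikelifetime' )
- || $configDB->get_prop( $dbKey, 'ikelifetime' )
- || '3600s';
- $OUT .= " ikelifetime=$ikelifetime\n";
-
- my $salifetime =
- $ipsecDB->get_prop( $ipsecprop, 'salifetime' )
- || $configDB->get_prop( $dbKey, 'salifetime' )
- || '28800s';
- $OUT .= " salifetime=$salifetime\n";
-
- # Add is for incoming and is better that server dpd is ignored
- # Disabled for now
-
- # if ( $auto ne 'add' ) {}
- my $dpdaction =
- $ipsecDB->get_prop( $ipsecprop, 'dpdaction' )
- || $configDB->get_prop( $dbKey, 'dpdaction' )
- || 'restart';
- $OUT .= " dpdaction=$dpdaction\n";
-
- my $dpddelay =
- $ipsecDB->get_prop( $ipsecprop, 'dpddelay' )
- || $configDB->get_prop( $dbKey, 'dpddelay' )
- || '30';
- $OUT .= " dpddelay=$dpddelay\n";
-
- my $dpdtimeout =
- $ipsecDB->get_prop( $ipsecprop, 'dpdtimeout' )
- || $configDB->get_prop( $dbKey, 'dpdtimeout' )
- || '10';
- $OUT .= " dpdtimeout=$dpdtimeout\n";
-
- # default to yes unless overridden in the connection db
- my $pfs = $ipsecDB->get_prop( $ipsecprop, 'pfs' ) || 'yes';
- $OUT .= " pfs=$pfs\n";
-
- # Following come from ipsecDB or configDB or hardcoded
- my $left =
- $ipsecDB->get_prop( $ipsecprop, 'left' )
- || $configDB->get_prop( $dbKey, 'left' )
- || '%defaultroute';
- $OUT .= " left=$left\n";
-
- if ( $security eq 'certs' ) {
- my $leftid = ( $ipsecDB->get_prop( $ipsecprop, 'leftid' ) || '%fromcert' );
- $OUT .= " leftid=$leftid\n";
- }
+ $OUT .= " ikev2=$ipsecversion\n";
 
- # These ONLY come from the ipsec_configurations db
- elsif ( ( my $leftid = $ipsecDB->get_prop( $ipsecprop, 'leftid' ) || '' ) ne '' ) {
- $OUT .= " leftid=$leftid\n";
- }
+ # Set the Phase one and Phase two default strengths - these are set to aes
+ my $ike =
+ $ipsecDB->get_prop( $ipsecprop, 'ike' )
+ || $configDB->get_prop( $dbKey, 'ike' )
+ || 'aes-sha1';
+ $OUT .= " ike=$ike\n";
 
- my $leftsourceip = $ipsecDB->get_prop( $ipsecprop, 'leftsourceip' )
- || '';
- $OUT .= " leftsourceip=$leftsourceip\n";
+ # We should change phase2 to phase2alg
+ my $phase2 =
+ $ipsecDB->get_prop( $ipsecprop, 'phase2' )
+ || $configDB->get_prop( $dbKey, 'phase2' )
+ || 'aes-sha1';
+ $OUT .= " phase2alg=$phase2\n";
 
- my $leftsub = $ipsecDB->get_prop( $ipsecprop, 'leftsubnet' )
- || '';
- $OUT .= " leftsubnet=$leftsub\n";
+ # mtu can only be set per connection
+ my $mtu = $ipsecDB->get_prop( $ipsecprop, 'mtu' )
+ || '';
 
- # If we are a static host to a dynamic client we HAVE to set right %any
+ unless ( $mtu eq '' ) {
+ $OUT .= " mtu=$mtu\n";
+ }
 
- my $right = $ipsecDB->get_prop( $ipsecprop, 'right' ) || '';
+ # These should be from $configDB-> ipsec unless they exist in ipsec_connections
 
- if ( $iptype eq 'stattodyn' ) {
- $OUT .= " right=%any\n";
- }
- else {
- $OUT .= " right=$right\n";
- }
+ my $forceencaps =
+ $ipsecDB->get_prop( $ipsecprop, 'forceencaps' )
+ || $configDB->get_prop( $dbKey, 'forceencaps' )
+ || 'no';
+ $OUT .= " forceencaps=$forceencaps\n";
 
- if ( $security eq 'certs' ) {
- my $rightid = ( $ipsecDB->get_prop( $ipsecprop, 'rightid' ) || '%fromcert' );
- $OUT .= " rightid=$rightid\n";
- }
+ my $keyingtries =
+ $ipsecDB->get_prop( $ipsecprop, 'keyingtries' )
+ || $configDB->get_prop( $dbKey, 'keyingtries' )
+ || '0';
+ $OUT .= " keyingtries=$keyingtries\n";
 
- elsif ( ( my $rightid = $ipsecDB->get_prop( $ipsecprop, 'rightid' ) || '' ) ne '' ) {
- $OUT .= " rightid=$rightid\n";
- }
+ # Following come from ipsecDB or configDB or hardcoded
+ my $ikelifetime =
+ $ipsecDB->get_prop( $ipsecprop, 'ikelifetime' )
+ || $configDB->get_prop( $dbKey, 'ikelifetime' )
+ || '3600s';
+ $OUT .= " ikelifetime=$ikelifetime\n";
+
+ my $salifetime =
+ $ipsecDB->get_prop( $ipsecprop, 'salifetime' )
+ || $configDB->get_prop( $dbKey, 'salifetime' )
+ || '28800s';
+ $OUT .= " salifetime=$salifetime\n";
+
+ # Add is for incoming and is better that server dpd is ignored
+ # Disabled for now
 
- my $rightsubnet = $ipsecDB->get_prop( $ipsecprop, 'rightsubnet' ) || '';
- $OUT .= " rightsubnet=$rightsubnet\n";
+ # if ( $auto ne 'add' ) {}
+ my $dpdaction =
+ $ipsecDB->get_prop( $ipsecprop, 'dpdaction' )
+ || $configDB->get_prop( $dbKey, 'dpdaction' )
+ || 'restart';
+ $OUT .= " dpdaction=$dpdaction\n";
+
+ my $dpddelay =
+ $ipsecDB->get_prop( $ipsecprop, 'dpddelay' )
+ || $configDB->get_prop( $dbKey, 'dpddelay' )
+ || '30';
+ $OUT .= " dpddelay=$dpddelay\n";
+
+ my $dpdtimeout =
+ $ipsecDB->get_prop( $ipsecprop, 'dpdtimeout' )
+ || $configDB->get_prop( $dbKey, 'dpdtimeout' )
+ || '10';
+ $OUT .= " dpdtimeout=$dpdtimeout\n";
+
+ # default to yes unless overridden in the connection db
+ my $pfs = $ipsecDB->get_prop( $ipsecprop, 'pfs' ) || 'yes';
+ $OUT .= " pfs=$pfs\n";
+
+ # Following come from ipsecDB or configDB or hardcoded
+ my $left =
+ $ipsecDB->get_prop( $ipsecprop, 'left' )
+ || $configDB->get_prop( $dbKey, 'left' )
+ || '%defaultroute';
+ $OUT .= " left=$left\n";
+
+ if ( $security eq 'certs' ) {
+ my $leftid = ( $ipsecDB->get_prop( $ipsecprop, 'leftid' ) || '%fromcert' );
+ $OUT .= " leftid=$leftid\n";
+ }
+
+ # These ONLY come from the ipsec_configurations db
+ elsif ( ( my $leftid = $ipsecDB->get_prop( $ipsecprop, 'leftid' ) || '' ) ne '' ) {
+ $OUT .= " leftid=$leftid\n";
+ }
+
+ my $leftsourceip = $ipsecDB->get_prop( $ipsecprop, 'leftsourceip' )
+ || '';
+ $OUT .= " leftsourceip=$leftsourceip\n";
+
+ my $leftsub = $ipsecDB->get_prop( $ipsecprop, 'leftsubnet' )
+ || '';
+ $OUT .= " leftsubnet=$leftsub\n";
+
+ # If we are a static host to a dynamic client we HAVE to set right %any
+
+ my $right = $ipsecDB->get_prop( $ipsecprop, 'right' ) || '';
+
+ if ( $iptype eq 'stattodyn' ) {
+ $OUT .= " right=%any\n";
+ }
+ else {
+ $OUT .= " right=$right\n";
+ }
+
+ if ( $security eq 'certs' ) {
+ my $rightid = ( $ipsecDB->get_prop( $ipsecprop, 'rightid' ) || '%fromcert' );
+ $OUT .= " rightid=$rightid\n";
+ }
+
+ elsif ( ( my $rightid = $ipsecDB->get_prop( $ipsecprop, 'rightid' ) || '' ) ne '' ) {
+ $OUT .= " rightid=$rightid\n";
+ }
+
+ my $rightsubnet = $ipsecDB->get_prop( $ipsecprop, 'rightsubnet' ) || '';
+ $OUT .= " rightsubnet=$rightsubnet\n";
+
+ } # End If
+ else {
+ $OUT .= "# conn $ipsecprop disabled\n";
+ }
 
- } # End If
- else {
- $OUT .= "# conn $ipsecprop disabled\n";
- }
+ } # End unless
 } # End foreach
 } # End else
 }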
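Review bot: The new guard `if ( $ipsecprop ne 'L2TPD-PSK' )` at the top of the second hunk compares the connection name against a bare literal, and the same literal appears again in 10Passwords (`if ( $ipsecprop ne 'L2TPD-PSK' )`) while ipsec-update defines it as `my $xl2tpdipsecprop = "L2TPD-PSK";`; if any one copy drifts, this template silently emits a full `conn` block for the L2TP record (or drops a real connection), so the name should come from one place — a db property or a shared constant — rather than be hand-compared in three files. The closing comment `} # End unless` near the end of the hunk labels an `if`; `} # End if ( $ipsecprop ne 'L2TPD-PSK' )` would name the block it actually closes. The newly added `forceencaps` value is interpolated straight into `$OUT` like the other properties, so a mistyped db value reaches libreswan as an invalid config line rather than failing clearly at template time; checking it against the two values libreswan accepts (`yes`/`no`) where it is read is cheap.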
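diff -ruN smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/ipsec.d/ipsec.secrets/10Passwords smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/ipsec.d/ipsec.secrets/10Passwords
--- smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/ipsec.d/ipsec.secrets/10Passwords 2017-06-15 00:33:57.112000044 +0200
+++ smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/ipsec.d/ipsec.secrets/10Passwords 2017-06-15 00:34:07.806999374 +0200
@@ -19,94 +19,98 @@
 
 else {
 my $ipsecDB = esmith::ConfigDB->open_ro('ipsec_connections')
- or die("cant connect to ipsec database");
+ or die("cant connect to ipsec database");
 
 # This should get all the connections in an array
 
 my @connections = $ipsecDB->keys;
 
 $OUT .= "# ipsec.secrets\n\n";
-
+
 my $ExternalIP = $configDB->get_prop( "ExternalInterface", "IPAddress" );
-
+
 foreach my $ipsecprop (@connections) {
 
- # first we verify if IPSec is enabled for the connection
+ if ( $ipsecprop ne 'L2TPD-PSK' ) {
 
- my $ipsecstatus = $ipsecDB->get_prop( $ipsecprop, 'status' )
- || "disabled";
+ # first we verify if IPSec is enabled for the connection
 
- if ( $ipsecstatus eq "enabled" ) {
+ my $ipsecstatus = $ipsecDB->get_prop( $ipsecprop, 'status' )
+ || "disabled";
 
- my $right = $ipsecDB->get_prop( $ipsecprop, 'right' ) || '';
+ if ( $ipsecstatus eq "enabled" ) {
 
- # Hmm..... if left is not set it defaults to %defaultroute which we don't want here
+ my $right = $ipsecDB->get_prop( $ipsecprop, 'right' ) || '';
 
- my $left = $ipsecDB->get_prop( $ipsecprop, 'left' ) || $ExternalIP;
- my $security = $ipsecDB->get_prop( $ipsecprop, 'security' ) || 'secret';
- my $iptype = $ipsecDB->get_prop( $ipsecprop, 'iptype' ) || '';
- my $certname = $ipsecDB->get_prop( $ipsecprop, 'certname' ) || '';
- my $passwd = $ipsecDB->get_prop( $ipsecprop, 'passwd' ) || '';
+ # Hmm..... if left is not set it defaults to %defaultroute which we don't want here
 
- # Double quote is not allowed in configuration
- if ( $passwd =~ /"/ ) {
- die("Ipsec Error - PSK value cannot contain double quotes (\")");
- }
+ my $left = $ipsecDB->get_prop( $ipsecprop, 'left' ) || $ExternalIP;
+ my $security = $ipsecDB->get_prop( $ipsecprop, 'security' ) || 'secret';
+ my $iptype = $ipsecDB->get_prop( $ipsecprop, 'iptype' ) || '';
+ my $certname = $ipsecDB->get_prop( $ipsecprop, 'certname' ) || '';
+ my $passwd = $ipsecDB->get_prop( $ipsecprop, 'passwd' ) || '';
 
- $OUT .= "# $ipsecprop is enabled\n";
+ # Double quote is not allowed in configuration
+ if ( $passwd =~ /"/ ) {
+ die("Ipsec Error - PSK value cannot contain double quotes (\")");
+ }
 
- if ( $security eq 'certs' ) {
- $OUT .= "# Certificates enabled for $ipsecprop - no settings required\n";
- }
+ $OUT .= "# $ipsecprop is enabled\n";
 
- elsif ( $security eq 'secret' ) {
+ if ( $security eq 'certs' ) {
+ $OUT .= "# Certificates enabled for $ipsecprop - no settings required\n";
+ }
 
- # If dynamic it must be %any here
- # If not it can be ExternalIP if left not set
+ elsif ( $security eq 'secret' ) {
 
- # IF we have IDs then use them in preference to %any
+ # If dynamic it must be %any here
+ # If not it can be ExternalIP if left not set
 
- my $leftid = $ipsecDB->get_prop( $ipsecprop, 'leftid' ) || '';
- my $rightid = $ipsecDB->get_prop( $ipsecprop, 'rightid' ) || '';
+ # IF we have IDs then use them in preference to %any
 
- if ( $iptype eq 'stattodyn' ) {
- if ( ( $leftid eq '' ) && ( $rightid eq '' ) ) {
- $OUT .= "$left %any \: PSK \"$passwd\"";
+ my $leftid = $ipsecDB->get_prop( $ipsecprop, 'leftid' ) || '';
+ my $rightid = $ipsecDB->get_prop( $ipsecprop, 'rightid' ) || '';
+
+ if ( $iptype eq 'stattodyn' ) {
+ if ( ( $leftid eq '' ) && ( $rightid eq '' ) ) {
+ $OUT .= "$left %any \: PSK \"$passwd\"";
+ }
+ else {
+ $OUT .= "$leftid $rightid \: PSK \"$passwd\"";
+ }
 }
- else {
- $OUT .= "$leftid $rightid \: PSK \"$passwd\"";
+
+ elsif ( $iptype eq 'dyntostat' ) {
+ if ( ( $leftid eq '' ) && ( $rightid eq '' ) ) {
+ $OUT .= "%any $right\: PSK \"$passwd\"";
+ }
+ else {
+ $OUT .= "$leftid $rightid \: PSK \"$passwd\"";
+ }
 }
- }
 
- elsif ( $iptype eq 'dyntostat' ) {
- if ( ( $leftid eq '' ) && ( $rightid eq '' ) ) {
- $OUT .= "%any $right\: PSK \"$passwd\"";
+ elsif ( ( $leftid ne '' ) && ( $rightid ne '' ) ) {
+ $OUT .= "$leftid $rightid \: PSK \"$passwd\"";
 }
+
 else {
- $OUT .= "$leftid $rightid \: PSK \"$passwd\"";
+ $OUT .= "$left $right \: PSK \"$passwd\"";
 }
 }
 
- elsif ( ( $leftid ne '' ) && ( $rightid ne '' ) ) {
- $OUT .= "$leftid $rightid \: PSK \"$passwd\"";
+ elsif ( $security eq "rsasig" ) {
+ $OUT .= "# Connection to $ipsecprop is RSA\n";
+ $OUT .= "# Our RSA key is in separate file\n";
 }
 
 else {
- $OUT .= "$left $right \: PSK \"$passwd\"";
+ $OUT .= "# $ipsecprop is disabled\n";
+ $OUT .= "\n";
 }
- }
-
- elsif ( $security eq "rsasig" ) {
- $OUT .= "# Connection to $ipsecprop is RSA\n";
- $OUT .= "# Our RSA key is in separate file\n";
- }
-
- else {
- $OUT .= "# $ipsecprop is disabled\n";
 $OUT .= "\n";
- }
- $OUT .= "\n";
- }
- }
- }
+ } # if
+ } #unless
+ } #foreach
+ } #else
 }
+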
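Review bot: The closing comment `} #unless` near the end of the hunk does not describe the block it closes, which is opened as `if ( $ipsecprop ne 'L2TPD-PSK' )`; with `} # if` on the line directly above it, a reader cannot tell which brace belongs to the status check and which to the L2TPD exclusion, so either change the comment to `} # if not L2TPD-PSK` or rewrite the guard as `unless ( $ipsecprop eq 'L2TPD-PSK' )` so code and comment agree. The connection name is compared as a bare literal; a named variable near the top of the template (e.g. `my $l2tp_conn = 'L2TPD-PSK';`) would make the exclusion self-documenting and give the string one place to live. In the `stattodyn` and `dyntostat` branches the inner `else` emits `"$leftid $rightid \: PSK ..."` as soon as either ID is set, so a connection with only one ID produces a secrets line with an empty index field, whereas the generic branch only uses the IDs when both are non-empty and otherwise falls back to `$left $right`; if that asymmetry is not intended, the two inner tests should also require both IDs. The double-quote check protects the quoting of the PSK line, but whether the secrets parser treats other characters inside the quotes specially is not visible here and is worth confirming before relying on that check alone.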