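--- a/createlinks
+++ b/createlinks
@@ -38,3 +38,20 @@
 service_link_enhanced("ipsec", "K21", "1");
 
 safe_symlink("adjust", "root/etc/e-smith/events/$event/services2adjust/masq");
+
+# Set up generic logfile timestamp renaming/symlinking
+
+foreach (qw(
+ /var/log/pluto/pluto.log
+ ))
+{
+ safe_touch "root/etc/e-smith/events/logrotate/logfiles2timestamp/$_";
+}
+
+#--------------------------------------------------
+# actions for logrotate event
+#--------------------------------------------------
+
+$event = "logrotate";
+
+safe_symlink("restart", "root/etc/e-smith/events/$event/services2adjust/ipsec");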
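Review bot: The `restart` action registered for the logrotate event on the last added line restarts the whole ipsec service every time pluto.log is rotated, which presumably tears down every established tunnel once a day; if a lighter adjust action that only reopens the log is available it should be preferred, otherwise record the trade-off next to the symlink, e.g. `# pluto keeps plutostderrlog open; a full restart (tunnels drop) is needed to reopen it after rotation`. The removed logrotate.d/pluto template enforced `create 0600 root root` on the rotated log, whereas the generic logfiles2timestamp mechanism leaves the mode of the recreated pluto.log to whatever pluto does, so it is worth verifying the log, which records connection and peer details, does not end up world-readable. The `foreach (qw(...))` loop relies on `$_` and calls `safe_touch` without parentheses; `foreach my $log (qw(/var/log/pluto/pluto.log)) { safe_touch("root/etc/e-smith/events/logrotate/logfiles2timestamp/$log"); }` reads more clearly and avoids the bareword-call ambiguity.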
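--- a/root/etc/e-smith/db/configuration/defaults/ipsec/ipsecversion
+++ b/root/etc/e-smith/db/configuration/defaults/ipsec/ipsecversion
@@ -0,0 +1 @@
+yes
\ No newline at end of file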
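--- a/root/etc/e-smith/db/configuration/defaults/ipsec/UDPPort
+++ b/root/etc/e-smith/db/configuration/defaults/ipsec/UDPPort
@@ -1 +0,0 @@
-500
\ No newline at end of file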
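--- a/root/etc/e-smith/db/configuration/defaults/ipsec/UDPPorts
+++ b/root/etc/e-smith/db/configuration/defaults/ipsec/UDPPorts
@@ -0,0 +1 @@
+500,4500
\ No newline at end of file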
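--- a/root/etc/e-smith/templates/etc/ipsec.conf/10Setup
+++ b/root/etc/e-smith/templates/etc/ipsec.conf/10Setup
@@ -1,77 +1,79 @@
 #!/usr/bin/perl -w
 
 {
- use strict;
- use warnings;
- use esmith::ConfigDB;
+ use strict;
+ use warnings;
+ use esmith::ConfigDB;
 
- my $configDB = esmith::ConfigDB->open_ro or die("can't open Config DB");
+ my $configDB = esmith::ConfigDB->open_ro or die("can't open Config DB");
+ my $dbKey = 'ipsec';
+ my $systemMode = $configDB->get("SystemMode")->value;
+ my $ipsecStatus = $configDB->get_prop( $dbKey, 'status' ) || 'disabled';
 
- my $systemMode = $configDB->get("SystemMode")->value;
+ if ( $systemMode ne 'servergateway' ) {
+ $OUT .= "# System not in Server Gateway mode\n";
+ }
 
- if ( $systemMode ne 'servergateway' )
- {
- $OUT .= "# System not in Server Gateway mode\n";
- }
+ elsif ( $ipsecStatus ne 'enabled' ) {
+ $OUT .= "# Ipsec not enabled\n";
+ }
 
- else
- {
+ else {
+ my $ipsecDB = esmith::ConfigDB->open_ro('ipsec_connections')
+ or die("cant connect to ipsec database");
 
- my $ipsecDB = esmith::ConfigDB->open_ro('ipsec_connections')
- or die("cant connect to ipsec database");
+ my $dbKey = 'ipsec';
 
- my $dbKey = 'ipsec';
+ # Generic setup file
+ my $debugstatus = $configDB->get_prop( $dbKey, 'debug' ) || 'none';
 
- # Generic setup file
- my $debugstatus = $configDB->get_prop( $dbKey, 'debug' ) || 'none';
-
-# A standard config is included in the RPM but we need to generate a new one so we can modify settings
+ # A standard config is included in the RPM but we need to generate a new one so we can modify settings
 
- $OUT .= "config setup\n";
- $OUT .= " protostack=netkey\n";
- $OUT .= " plutodebug=$debugstatus\n";
- $OUT .= " #klipsdebug=none\n";
- $OUT .= " plutostderrlog=/var/log/pluto/pluto.log\n";
- $OUT .= " dumpdir=/var/run/pluto/\n";
- $OUT .= " nat_traversal=yes\n";
+ $OUT .= "config setup\n";
+ $OUT .= " protostack=netkey\n";
+ $OUT .= " plutodebug=$debugstatus\n";
+ $OUT .= " #klipsdebug=none\n";
+ $OUT .= " plutostderrlog=/var/log/pluto/pluto.log\n";
+ $OUT .= " dumpdir=/var/run/pluto/\n";
+ $OUT .= " nat_traversal=yes\n";
 
- # This should get all the connections in an array
+ # This should get all the connections in an array
 
- my @connections = $ipsecDB->keys;
+ my @connections = $ipsecDB->keys;
 
- $OUT .= " virtual_private=";
+ $OUT .= " virtual_private=";
 
- my $virtual_private = '';
+ my $virtual_private = '';
 
- foreach my $ipsecprop (@connections) {
+ foreach my $ipsecprop (@connections) {
 
- my $type = $ipsecDB->get_prop("$ipsecprop",'type');
- print "Connection: $ipsecprop Type: $type\n";
+ my $type = $ipsecDB->get_prop( "$ipsecprop", 'type' );
+ print "Connection: $ipsecprop Type: $type\n";
 
- if ( $type eq "ipsec") {
- print "Connection: $ipsecprop\n";
- my $ipsecstatus = $ipsecDB->get_prop( "$ipsecprop", 'status' ) || "disabled";
+ if ( $type eq "ipsec" ) {
+ print "Connection: $ipsecprop\n";
+ my $ipsecstatus = $ipsecDB->get_prop( "$ipsecprop", 'status' ) || "disabled";
 
- if ( $ipsecstatus eq "enabled" ) {
- my $subnet = $ipsecDB->get_prop( "$ipsecprop", 'rightsubnet' );
- $virtual_private .= "%v4:$subnet,";
- }
+ if ( $ipsecstatus eq "enabled" ) {
+ my $subnet = $ipsecDB->get_prop( "$ipsecprop", 'rightsubnet' );
+ $virtual_private .= "%v4:$subnet,";
+ }
 
- # End if
- }
+ # End if
+ }
 
- # End foreach
- }
+ # End foreach
+ }
 
- # Remove last character ','
- chop($virtual_private);
- $OUT .= "$virtual_private\n";
- $OUT .= "\n";
- $OUT .= "include /etc/ipsec.d/ipsec.conf\n";
+ # Remove last character ','
+ chop($virtual_private);
+ $OUT .= "$virtual_private\n";
+ $OUT .= "\n";
+ $OUT .= "include /etc/ipsec.d/ipsec.conf\n";
 
- # End else
- }
+ # End else
+ }
 
-# End
+ # End
 }
 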
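Review bot: `my $dbKey = 'ipsec';` is declared a second time inside the `else` block (new line 84) even though this same commit hoists it to the top of the template (new line 59) to compute `$ipsecStatus`; the inner declaration is now redundant and shadows the outer one, and the sibling templates 10Connection and 10Passwords drop the inner copy in this commit, so it should be dropped here as well. The two `print "Connection: ..."` statements inside the `foreach` go to the template expander's stdout rather than into `$OUT`, and `$type` is undef for a record without a `type` property, which under `-w` raises an uninitialized-value warning on the `print` and the `eq` comparison; either remove the leftover debug output or default it with `my $type = $ipsecDB->get_prop( "$ipsecprop", 'type' ) || '';`. Most of the remaining hunk is whitespace-only reindentation; a note in the commit message that the file was run through perltidy would make that obvious to readers.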
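--- a/root/etc/e-smith/templates/etc/ipsec.d/ipsec.conf/10Connection
+++ b/root/etc/e-smith/templates/etc/ipsec.d/ipsec.conf/10Connection
@@ -5,21 +5,23 @@
 use warnings;
 use esmith::ConfigDB;
 
- my $configDB = esmith::ConfigDB->open_ro or die("can't open Config DB");
-
- my $systemMode = $configDB->get("SystemMode")->value;
+ my $configDB = esmith::ConfigDB->open_ro or die("can't open Config DB");
+ my $dbKey = 'ipsec';
+ my $systemMode = $configDB->get("SystemMode")->value;
+ my $ipsecStatus = $configDB->get_prop( $dbKey, 'status' ) || 'disabled';
 
 if ( $systemMode ne 'servergateway' ) {
 $OUT .= "# System not in Server Gateway mode\n";
 }
 
- else {
+ elsif ( $ipsecStatus ne 'enabled' ) {
+ $OUT .= "# Ipsec not enabled\n";
+ }
+
+ else {
 my $ipsecDB = esmith::ConfigDB->open_ro('ipsec_connections')
 or die("cant connect to ipsec database");
 
- my $dbKey = 'ipsec';
-
 # This should get all the connections in an array
 
 my @connections = $ipsecDB->keys;
@@ -108,10 +110,13 @@
 $OUT .= " auto=$auto\n";
 }
 
- my $ipsecversion = $ipsecDB->get_prop( $ipsecprop, 'ipsecversion' ) || '';
- if ( $ipsecversion eq 'v2' ) {
- $OUT .= " ikev2=insist\n";
- }
+ # We should change ipsecversion to ikev2status
+ my $ipsecversion =
+ $ipsecDB->get_prop( $ipsecprop, 'ipsecversion' )
+ || $configDB->get_prop( $dbKey, 'ipsecversion' )
+ || 'permit';
+
+ $OUT .= " ikev2=$ipsecversion\n";
 
 # Set the Phase one and Phase two default strengths - these are set to aes
 my $ike =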
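Review bot: The rewritten `ikev2=` handling in the second hunk (`@@ -108,10 +110,13 @@`) interpolates whatever `ipsecversion` holds straight into ipsec.conf and silently breaks records written under the old scheme: a per-connection value of `v2`, which the removed lines translated to `ikev2=insist`, is now emitted verbatim as `ikev2=v2`, which is not a value libreswan's `ikev2=` option accepts, so such connections stop loading after this upgrade. The value should be restricted to the keywords libreswan understands (`insist`, `permit`, `propose`, `yes`, `never`, `no`) with the legacy `v2` mapped to `insist` and anything else falling back to the default. Note also that the new db default file sets `ipsecversion` to `yes` while the code fallback is `permit`, so the effective default depends on whether the db entry was initialised; picking one and documenting it next to the `# We should change ipsecversion to ikev2status` comment would avoid surprises. The enclosing `foreach` over `@connections` starts and ends outside this hunk.
```perl
# … unchanged: auto= handling …
# Only emit values libreswan's ikev2= accepts; 'v2' is the legacy
# per-connection setting that used to be rendered as ikev2=insist.
my %ikev2_for = map { $_ => $_ } qw(insist permit propose yes never no);
$ikev2_for{v2} = 'insist';
my $wanted =
     $ipsecDB->get_prop( $ipsecprop, 'ipsecversion' )
  || $configDB->get_prop( $dbKey, 'ipsecversion' )
  || 'permit';
my $ipsecversion = $ikev2_for{$wanted} || 'permit';
$OUT .= "# ignored unknown ipsecversion '$wanted'\n" unless $ikev2_for{$wanted};

$OUT .= " ikev2=$ipsecversion\n";
# … unchanged: Phase one/two strength settings …
```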
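--- a/root/etc/e-smith/templates/etc/ipsec.d/ipsec.secrets/10Passwords
+++ b/root/etc/e-smith/templates/etc/ipsec.d/ipsec.secrets/10Passwords
@@ -5,20 +5,23 @@
 use warnings;
 use esmith::ConfigDB;
 
- my $configDB = esmith::ConfigDB->open_ro or die("can't open Config DB");
-
- my $systemMode = $configDB->get("SystemMode")->value;
+ my $configDB = esmith::ConfigDB->open_ro or die("can't open Config DB");
+ my $dbKey = 'ipsec';
+ my $systemMode = $configDB->get("SystemMode")->value;
+ my $ipsecStatus = $configDB->get_prop( $dbKey, 'status' ) || 'disabled';
 
 if ( $systemMode ne 'servergateway' ) {
 $OUT .= "# System not in Server Gateway mode\n";
 }
 
+ elsif ( $ipsecStatus ne 'enabled' ) {
+ $OUT .= "# Ipsec not enabled\n";
+ }
+
 else {
 my $ipsecDB = esmith::ConfigDB->open_ro('ipsec_connections')
 or die("cant connect to ipsec database");
 
- my $dbKey = 'ipsec';
-
 my $ExternalIP = $configDB->get_prop( "ExternalInterface", "IPAddress" );
 
 # This should get all the connections in an array
@@ -79,8 +82,8 @@
 $OUT .= "\@$rightid \@$leftid \: PSK \"$passwd\"";
 }
 }
-
- elsif (( $leftid ne '' ) && ( $rightid ne '' )) {
+
+ elsif ( ( $leftid ne '' ) && ( $rightid ne '' ) ) {
 $OUT .= "\@$rightid \@$leftid \: PSK \"$passwd\"";
 }
 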
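--- a/root/etc/e-smith/templates/etc/logrotate.d/pluto/00pluto
+++ b/root/etc/e-smith/templates/etc/logrotate.d/pluto/00pluto
@@ -1,8 +0,0 @@
-/var/log/pluto/pluto.log \{
- missingok
- notifempty
- compress
- daily
- rotate 10
- create 0600 root root
-\}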