brianr |
1.1 |
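diff -ruN smeserver-libreswan-0.5.old/createlinks smeserver-libreswan-0.5/createlinks
--- smeserver-libreswan-0.5.old/createlinks 2016-02-17 14:19:42.000000000 +0100
+++ smeserver-libreswan-0.5/createlinks 2016-03-22 18:26:42.624000613 +0100
@@ -12,6 +12,7 @@
 /etc/ipsec.secrets
 /etc/ipsec.d/ipsec.conf
 /etc/ipsec.d/ipsec.secrets
+ /etc/rc.d/init.d/masq
 ))
 {
 templates2events("$_", qw(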
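diff -ruN smeserver-libreswan-0.5.old/root/etc/e-smith/events/actions/ipsec-update smeserver-libreswan-0.5/root/etc/e-smith/events/actions/ipsec-update
--- smeserver-libreswan-0.5.old/root/etc/e-smith/events/actions/ipsec-update 2016-02-17 14:19:42.000000000 +0100
+++ smeserver-libreswan-0.5/root/etc/e-smith/events/actions/ipsec-update 2016-03-22 18:26:42.623000615 +0100
@@ -43,7 +43,7 @@
 if ( $configDB->get_prop( $dbKey, 'status' ) eq 'disabled' ) {
 
 # Do we check if it is already stopped ?
- # For now we stop it regradless
+ # For now we stop it regardless
 
 print "Ipsec Information - ipsec disabled - Stopping ipsec \n";
 
@@ -264,16 +264,11 @@
 or die("Ipsec Error - A problem occurred with sysctl: $?");
 system("/sbin/sysctl -w net.ipv4.conf.default.send_redirects=0") == 0
 or die("Ipsec Error - A problem occurred with sysctl: $?");
-
- # I don;t beleive these are required
- # system("/sbin/sysctl -w net.ipv4.conf.default.accept_redirects=0") == 0
- # or die("Ipsec Error - A problem occurred with sysctl: $?");
- # system("/sbin/sysctl -w net.ipv4.conf.all.accept_redirects=0") == 0
- # or die("Ipsec Error - A problem occurred with sysctl: $?");
- # system("/sbin/sysctl -w net.ipv4.conf.eth0.accept_redirects=0") == 0
- # or die("Ipsec Error - A problem occurred with sysctl: $?");
- # system("/sbin/sysctl -w net.ipv4.conf.eth1.accept_redirects=0") == 0
- # or die("Ipsec Error - A problem occurred with sysctl: $?");
+
+ system("/sbin/sysctl -w net.ipv4.conf.all.accept_redirects=0") == 0
+ or die("Ipsec Error - A problem occurred with sysctl: $?");
+ system("/sbin/sysctl -w net.ipv4.conf.default.accept_redirects=0") == 0
+ or die("Ipsec Error - A problem occurred with sysctl: $?");
 
 system("/sbin/sysctl -w net.ipv4.conf.default.rp_filter=0") == 0
 or die("Ipsec Error - A problem occurred with sysctl: $?");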
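Review bot: The two new `die` calls in the second hunk report `$?` raw, which is the 16-bit wait status rather than sysctl's exit code, so the message shows values like 256 instead of 1; `or die("Ipsec Error - A problem occurred with sysctl: " . ($? >> 8));` reports what an operator can compare with sysctl's own exit. The surrounding context lines use the same raw `$?`, so this is a pre-existing pattern the hunk extends rather than a regression. The accept_redirects keys are now set on `all` and `default` only, and as I read the kernel's ip-sysctl documentation that covers every interface while forwarding is on (the `all` flag is AND-ed with the per-interface flag) but not when forwarding is off (they are OR-ed); a one-line comment such as `# all+default cover every interface while ip_forward=1; per-interface keys not needed` would record why the eth0/eth1 lines were dropped. The enclosing block of both hunks starts and ends outside the hunk.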
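diff -ruN smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/ipsec.conf/10Setup smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/ipsec.conf/10Setup
--- smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/ipsec.conf/10Setup 2016-02-17 14:19:42.000000000 +0100
+++ smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/ipsec.conf/10Setup 2016-03-22 18:26:42.624000613 +0100
@@ -30,7 +30,7 @@
 $OUT .= " protostack=netkey\n";
 $OUT .= " #plutodebug=none\n";
 $OUT .= " #klipsdebug=none\n";
- $OUT .= " plutostderrlog=/var/log/pluto.log\n";
+ $OUT .= " plutostderrlog=/var/log/pluto/pluto.log\n";
 $OUT .= " dumpdir=/var/run/pluto/\n";
 $OUT .= " nat_traversal=yes\n";
 
@@ -66,7 +66,7 @@
 chop($virtual_private);
 $OUT .= "$virtual_private\n";
 $OUT .= "\n";
- $OUT .= "include /etc/ipsec.d/*.conf\n";
+ $OUT .= "include /etc/ipsec.d/ipsec.conf\n";
 
 # End else
 }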
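Review bot: `plutostderrlog` now points into `/var/log/pluto/`, but nothing in this diff creates that directory; if the package or an action does not create it, pluto cannot open its stderr log at start — presumably the spec file handles it, worth confirming. The second hunk narrows `include` from `/etc/ipsec.d/*.conf` to the single templated `/etc/ipsec.d/ipsec.conf` (the file createlinks expands), which is the safer choice because stray files in ipsec.d are no longer loaded, but it also silently ignores any other conf an admin drops there. A one-line template comment such as `# Only the templated ipsec.d/ipsec.conf is included; other files in /etc/ipsec.d are ignored` would make that intent explicit. Both hunks sit inside an `else` block that starts outside the hunk.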
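diff -ruN smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/logrotate.d/pluto/00pluto smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/logrotate.d/pluto/00pluto
--- smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/logrotate.d/pluto/00pluto 2016-02-17 14:19:42.000000000 +0100
+++ smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/logrotate.d/pluto/00pluto 2016-03-22 18:26:42.623000615 +0100
@@ -1,4 +1,4 @@
-/var/log/pluto.log \{
+/var/log/pluto/pluto.log \{
 missingok
 notifempty
 compress
</@@>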
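Review bot: The rotated path now matches the template's `plutostderrlog`, but the part of the stanza visible here (`missingok`, `notifempty`, `compress`) has neither `copytruncate` nor a postrotate step that makes pluto reopen the file; pluto holds its stderr descriptor open, so after a rename-style rotation it would keep writing to the renamed file unless the rest of the stanza, which continues outside the hunk, already handles that. If it does not, `copytruncate` is the minimal addition.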
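diff -ruN smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/rc.d/init.d/masq/40AllowIPsec smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/rc.d/init.d/masq/40AllowIPsec
--- smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/rc.d/init.d/masq/40AllowIPsec 2016-03-22 18:26:25.223000613 +0100
+++ smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/rc.d/init.d/masq/40AllowIPsec 2016-03-22 18:26:42.624000613 +0100
@@ -1,9 +1,16 @@
+# Required PostRouting for VPN
+
 {
- my $ipsec_access = $ipsec{access} || '';
+ my $ipsec_status = $ipsec{status} || '';
+
+# print "Ipsec Information - 40AllowIpsec - $ipsec_status\n";
 
- if ( $ipsec_access eq 'public' ) {
+ if ( $ipsec_status eq 'enabled' ) {
 $OUT .= " # Do not NAT VPN traffic\n";
- $OUT .=
-" /sbin/iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT\n";
+ $OUT .= " /sbin/iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT\n";
+ }
+
+ else {
+ $OUT .= " # 40AllowIPsec VPN POSTROUTING disabled\n";
 }
 }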
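Review bot: The commented-out `# print "Ipsec Information - 40AllowIpsec - $ipsec_status\n";` added after the `my $ipsec_status` line is debugging residue inside the template's Perl block, and the same line is added in 56AllowESP and 90adjustESP; either drop it in all three or gate one real diagnostic on a db property so it is not re-enabled by hand-editing a template. All three fragments now key solely on `status` and no longer read `$ipsec{access}`, so if the `access` property is still settable in the configuration db its former meaning (only `public` opened ESP on INPUT and added the NAT bypass) is silently gone; either keep honouring it or record the change in the fragment header, e.g. `# The ipsec 'access' property is no longer consulted; 'status' alone controls these rules`. The `else` branch only emits a shell comment, which is fine, but the stray blank line between `}` and `else {` reads as two statements and is worth joining.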
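diff -ruN smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/rc.d/init.d/masq/56AllowESP smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/rc.d/init.d/masq/56AllowESP
--- smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/rc.d/init.d/masq/56AllowESP 2016-03-22 18:26:25.223000613 +0100
+++ smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/rc.d/init.d/masq/56AllowESP 2016-03-22 18:26:42.623000615 +0100
@@ -1,14 +1,18 @@
 # based on /etc/e-smith/templates/etc/rc.d/init.d/masq/55AllowGRE
 
 {
-my $ipsec_access = $ipsec{access} || '';
+ my $ipsec_status = $ipsec{status} || '';
 
-if ($ipsec_access eq 'public') {
+# print "Ipsec Information - 56AllowESP - $ipsec_status\n";
 
- $OUT .= " /sbin/iptables --new-chain esp-in\n";
- $OUT .= " /sbin/iptables --append INPUT -p ESP -j esp-in\n";
- $OUT .= " /sbin/iptables --append INPUT -p ESP -j denylog\n";
- $OUT .= " /sbin/iptables --append esp-in \! -d \$OUTERNET -j denylog\n";
- $OUT .= " /sbin/iptables --append esp-in -j denylog\n";
- }
+ if ( $ipsec_status eq 'enabled' ) {
+ $OUT .= " /sbin/iptables --new-chain esp-in\n";
+ $OUT .= " /sbin/iptables --append INPUT -p ESP -j esp-in\n";
+ $OUT .= " /sbin/iptables --append INPUT -p ESP -j denylog\n";
+ $OUT .= " /sbin/iptables --append esp-in \! -d \$OUTERNET -j denylog\n";
+ $OUT .= " /sbin/iptables --append esp-in -j denylog\n";
+ }
+ else {
+ $OUT .= " # 56AllowESP disabled\n";
+ }
 }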
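diff -ruN smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustESP smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustESP
--- smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustESP 2016-03-22 18:26:25.241000615 +0100
+++ smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustESP 2016-03-22 18:26:42.623000615 +0100
@@ -1,12 +1,16 @@
 # based on /etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustGRE
+
 {
- my $ipsec_access = $ipsec{access} || '';
- my $ipsec_status = $ipsec{status};
- if ( $ipsec_access eq 'public' ) {
-
- my $target = ( $ipsec_status eq 'enabled' ) ? "ACCEPT" : "denylog";
+ my $ipsec_status = $ipsec{status} || '';
+
+# print "Ipsec Information - 90AdjustESP - $ipsec_status\n";
 
+ if ( $ipsec_status eq 'enabled' ) {
+ my $target = ( $ipsec_status eq 'enabled' ) ? "ACCEPT" : "denylog";
 $OUT .= " /sbin/iptables --replace esp-in 1 ! -d \$OUTERNET -j denylog\n";
 $OUT .= " /sbin/iptables --replace esp-in 2 -j $target\n";
 }
+ else {
+ $OUT .= " # 90adjustESP disabled\n";
+ }
 }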
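Review bot: `my $target = ( $ipsec_status eq 'enabled' ) ? "ACCEPT" : "denylog";` now sits inside `if ( $ipsec_status eq 'enabled' )`, so the ternary can only yield `ACCEPT` and the `denylog` arm is dead; replace it with `my $target = "ACCEPT";` or drop the variable and write `-j ACCEPT` directly in the `--replace esp-in 2` line. The old code reached this line whenever `access eq 'public'` and used the ternary to flip rule 2 between ACCEPT and denylog by status, which is exactly what the new guard now does at the block level, so the ternary is a leftover of that design. A short comment on the `if` noting that 56AllowESP only creates the `esp-in` chain when enabled, so the `--replace` calls must likewise run only then, would explain why the `else` branch merely emits a shell comment.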
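diff -ruN smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/sysctl.conf/z-ipsec-modifications smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/sysctl.conf/z-ipsec-modifications
--- smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/sysctl.conf/z-ipsec-modifications 1970-01-01 01:00:00.000000000 +0100
+++ smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/sysctl.conf/z-ipsec-modifications 2016-03-22 18:26:42.624000613 +0100
@@ -0,0 +1,29 @@
+{
+# Set up sysctl.conf for ipsec
+# need a check on release version as v8 needs
+# net.core.xfrm_larval_drop = 1
+# $configDB->get_prop( 'sysconfig', 'ReleaseVersion' ) eq 'v8/v9'
+
+use strict;
+use warnings;
+use esmith::ConfigDB;
+
+my $configDB = esmith::ConfigDB->open or die("can't open Config DB");
+
+ if ( $configDB->get_prop( 'ipsec', 'status' ) eq 'enabled' ) {
+
+ $OUT .= <<CONFIG_END
+# Ipsec overrides
+net.ipv4.conf.all.rp_filter = 0
+net.ipv4.conf.all.send_redirects = 0
+net.ipv4.conf.default.accept_redirects = 0
+net.ipv4.conf.default.rp_filter = 0
+net.ipv4.conf.default.send_redirects = 0
+net.ipv4.conf.dummy0.rp_filter = 0
+net.ipv4.conf.eth0.rp_filter = 0
+net.ipv4.conf.eth1.rp_filter = 0
+net.ipv4.conf.lo.rp_filter = 0
+
+CONFIG_END
+ }
+}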