smeserver-libreswan/contribs9/smeserver-libreswan-add-certificates.patch

diff -ruN smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/ipsec.d/ipsec.conf/10Connection smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/ipsec.d/ipsec.conf/10Connection
--- smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/ipsec.d/ipsec.conf/10Connection  2017-01-25 16:19:45.651000000 +0100
+++ smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/ipsec.d/ipsec.conf/10Connection      2017-01-25 16:20:03.868000104 +0100
@@ -1,4 +1,3 @@
-#!/usr/bin/perl -w
 
 {
     use strict;
@@ -26,212 +25,220 @@
 
         my @connections = $ipsecDB->keys;
 
+        $OUT .= "# ipsec.conf\n\n";
+
         foreach my $ipsecprop (@connections) {
-            if ( $ipsecDB->get_prop( $ipsecprop, 'type' ) eq 'ipsec' ) {
 
-                # first we verify if IPSec is enabled for the connection
+            # first we verify if IPSec is enabled for the connection
 
-                my $ipsecstatus = $ipsecDB->get_prop( $ipsecprop, 'status' ) || 'disabled';
+            my $ipsecstatus = $ipsecDB->get_prop( $ipsecprop, 'status' ) || 'disabled';
 
-                if ( $ipsecstatus ne 'enabled' ) {
-                    $OUT .= "# $ipsecprop is disabled\n"
-                      unless $ipsecstatus eq "enabled";
-                }
-                else {
+            if ( $ipsecstatus eq 'enabled' ) {
 
-                    $OUT .= "conn $ipsecprop\n";
+                $OUT .= "conn $ipsecprop\n";
+                
+                # These should be from $configDB-> ipsec
 
-                    # These should be from $configDB-> ipsec
+                # Not templated this - maybe later with L2TPD
+                # We currently use a password file but this could be integrated with other authent later
 
-                    # Not templated this - maybe later with L2TPD
-                    # We currently use a password file but this could be integrated with other authent later
+                # Lazy - assume that it is security (password by default) - options are rsasig|certs
 
-                    # Lazy - assume that it is security (password by default) - option is rsasig
+                # Careful - property 'type' has a special meaning in configDB and returns 'service'
 
-                    # Careful - property 'type' has a special meaning in configDB and returns 'service'
-
-                    my $connectiontype = $configDB->get_prop( $dbKey, 'connectiontype' )
-                      || 'tunnel';
-                    $OUT .= "    type=$connectiontype\n";
-
-                    my $security = $ipsecDB->get_prop( "$ipsecprop", 'security' )
-                      || 'secret';
-                    my $certname = $ipsecDB->get_prop( "$ipsecprop", 'certname' ) || '';
-
-                    if ( $security eq "rsasig" ) {
-                        $OUT .= "    authby=rsasig\n";
-
-                        my $leftrsasig = $ipsecDB->get_prop( "$ipsecprop", 'leftrsasig' )
-                          || '';
-                        $OUT .= "    leftrsasigkey=$leftrsasig\n";
-
-                        my $rightrsasig = $ipsecDB->get_prop( "$ipsecprop", 'rightrsasig' )
-                          || '';
-                        $OUT .= "    rightrsasigkey=$rightrsasig\n";
-
-                    }
-
-                    # Prep for certs
-                    # Problem here is that certificate settings are basically the same as rsasig
-                    # I think we can use a key to identify the type of connection and adjust accordingly
-                    #                    elsif ( $security eq "certificate" ) {
-                    # $OUT .= "    authby=rsasig\n";
-                    # leftcert=$keyname.$ServerName.$DomainName
-                    # leftrsasigkey=%cert
-                    # leftid=leftid
-                    # leftsendcert=always - maybe not needed
-
-                    # rightca=%same
-                    # rightrsasigkey=%cert
-                    # rightid=%fromcert ?
-
-                    #                        $OUT .= "    leftid=\"CN=$certname\"\n";
-                    #                        $OUT .= "    leftcert=$certname\n";
-
-                    #                    }
-
-                    else {
-                        $OUT .= "    authby=$security\n";
-                    }
-
-                    # Use connection value if it exists, if not use generic db value
-                    my $auto =
-                         $ipsecDB->get_prop( $ipsecprop, 'auto' )
-                      || $configDB->get_prop( $dbKey, 'auto' )
-                      || 'start';
-
-                    # If we are a static host to a dynamic client we are always add
-                    my $iptype = $ipsecDB->get_prop( $ipsecprop, 'iptype' ) || '';
-
-                    if ( $iptype eq 'stattodyn' ) {
-                        $OUT .= "    auto=add\n";
-                    }
-                    else {
-                        $OUT .= "    auto=$auto\n";
-                    }
-
-                    # We should change ipsecversion to ikev2status
-                    my $ipsecversion =
-                         $ipsecDB->get_prop( $ipsecprop, 'ipsecversion' )
-                      || $configDB->get_prop( $dbKey, 'ipsecversion' )
-                      || 'permit';
-
-                    $OUT .= "    ikev2=$ipsecversion\n";
-
-                    # Set the Phase one and Phase two default strengths - these are set to aes
-                    my $ike =
-                         $ipsecDB->get_prop( $ipsecprop, 'ike' )
-                      || $configDB->get_prop( $dbKey, 'ike' )
-                      || 'aes-sha1';
-                    $OUT .= "    ike=$ike\n";
-
-                    my $phase2 =
-                         $ipsecDB->get_prop( $ipsecprop, 'phase2' )
-                      || $configDB->get_prop( $dbKey, 'phase2' )
-                      || 'aes-sha1';
-                    $OUT .= "    phase2alg=$phase2\n";
+                my $connectiontype = $configDB->get_prop( $dbKey, 'connectiontype' )
+                  || 'tunnel';
+                $OUT .= "    type=$connectiontype\n";
 
-                    # mtu can only be set per connection
-                    my $mtu = $ipsecDB->get_prop( $ipsecprop, 'mtu' )
-                      || '';
-                    unless ( $mtu eq '' ) {
-                        $OUT .= "    mtu=$mtu\n";
-                    }
-
-                    # These should be from $configDB-> ipsec unless they exist in ipsec_connections
-
-                    my $keyingtries =
-                         $ipsecDB->get_prop( $ipsecprop, 'keyingtries' )
-                      || $configDB->get_prop( $dbKey, 'keyingtries' )
-                      || '0';
-                    $OUT .= "    keyingtries=$keyingtries\n";
-
-                    # Following come from ipsecDB or configDB or hardcoded
-                    my $ikelifetime =
-                         $ipsecDB->get_prop( $ipsecprop, 'ikelifetime' )
-                      || $configDB->get_prop( $dbKey, 'ikelifetime' )
-                      || '3600s';
-                    $OUT .= "    ikelifetime=$ikelifetime\n";
-
-                    my $salifetime =
-                         $ipsecDB->get_prop( $ipsecprop, 'salifetime' )
-                      || $configDB->get_prop( $dbKey, 'salifetime' )
-                      || '28800s';
-                    $OUT .= "    salifetime=$salifetime\n";
-
-                    # Add is for incoming and is better that server dpd is ignored
-                    # Disabled for now
-
-                    #                    if ( $auto ne 'add' ) {
-                    my $dpdaction =
-                         $ipsecDB->get_prop( $ipsecprop, 'dpdaction' )
-                      || $configDB->get_prop( $dbKey, 'dpdaction' )
-                      || 'restart';
-                    $OUT .= "    dpdaction=$dpdaction\n";
-
-                    my $dpddelay =
-                         $ipsecDB->get_prop( $ipsecprop, 'dpddelay' )
-                      || $configDB->get_prop( $dbKey, 'dpddelay' )
-                      || '30';
-                    $OUT .= "    dpddelay=$dpddelay\n";
-
-                    my $dpdtimeout =
-                         $ipsecDB->get_prop( $ipsecprop, 'dpdtimeout' )
-                      || $configDB->get_prop( $dbKey, 'dpdtimeout' )
-                      || '10';
-                    $OUT .= "    dpdtimeout=$dpdtimeout\n";
-
-                    #                    }
-
-                    # default to yes unless overridden in the connection db
-                    my $pfs = $ipsecDB->get_prop( $ipsecprop, 'pfs' ) || 'yes';
-                    $OUT .= "    pfs=$pfs\n";
-
-                    # Following come from ipsecDB or configDB or hardcoded
-                    my $left =
-                         $ipsecDB->get_prop( $ipsecprop, 'left' )
-                      || $configDB->get_prop( $dbKey, 'left' )
-                      || '%defaultroute';
-                    $OUT .= "    left=$left\n";
-
-                    # These ONLY come from the ipsec_configurations db
-                    if ( ( my $leftid = $ipsecDB->get_prop( "$ipsecprop", 'leftid' ) || '' ) ne '' ) {
-                        $OUT .= "    leftid=\@$leftid\n";
-                    }
-                    my $leftsourceip = $ipsecDB->get_prop( $ipsecprop, 'leftsourceip' )
+                my $security = $ipsecDB->get_prop( $ipsecprop, 'security' )
+                  || 'secret';
+
+                # my $certname = $ipsecDB->get_prop( "$ipsecprop", 'certname' ) || ''; ???? Is this required ?
+
+                if ( $security eq 'rsasig' ) {
+                    $OUT .= "    authby=rsasig\n";
+
+                    my $leftrsasig = $ipsecDB->get_prop( $ipsecprop, 'leftrsasig' )
                       || '';
-                    $OUT .= "    leftsourceip=$leftsourceip\n";
+                    $OUT .= "    leftrsasigkey=$leftrsasig\n";
 
-                    my $leftsub = $ipsecDB->get_prop( $ipsecprop, 'leftsubnet' )
+                    my $rightrsasig = $ipsecDB->get_prop( $ipsecprop, 'rightrsasig' )
                       || '';
-                    $OUT .= "    leftsubnet=$leftsub\n";
+                    $OUT .= "    rightrsasigkey=$rightrsasig\n";
+
+                }
 
-                    # If we are a static host to a dynamic client we HAVE to set right %any
+                elsif ( $security eq 'certs' ) {
 
-                    my $right = $ipsecDB->get_prop( $ipsecprop, 'right' ) || '';
+                    $OUT .= "    authby=rsasig\n";
 
-                    if ( $iptype eq 'stattodyn' ) {
-                        $OUT .= "    right=%any\n";
-                    }
-                    else {
-                        $OUT .= "    right=$right\n";
-                    }
+                    my $leftrsasig = $ipsecDB->get_prop( $ipsecprop, 'leftrsasig' )
+                      || '%cert';
+                    $OUT .= "    leftrsasigkey=$leftrsasig\n";
 
-                    if ( ( my $rightid = $ipsecDB->get_prop( "$ipsecprop", 'rightid' ) || '' ) ne '' ) {
-                        $OUT .= "    rightid=\@$rightid\n";
-                    }
+                    my $rightrsasig = $ipsecDB->get_prop( $ipsecprop, 'rightrsasig' )
+                      || '%cert';
+                    $OUT .= "    rightrsasigkey=$rightrsasig\n";
 
-                    my $rightsubnet = $ipsecDB->get_prop( $ipsecprop, 'rightsubnet' ) || '';
-                    $OUT .= "    rightsubnet=$rightsubnet\n";
+                    my $leftcert = $ipsecDB->get_prop( $ipsecprop, 'leftcert' )
+                      || '"LeftCertName"';
+                    $OUT .= "    leftcert=\"$leftcert\"\n";
+
+                    my $rightcert = $ipsecDB->get_prop( $ipsecprop, 'rightcert' )
+                      || '"RightCertName"';
+                    $OUT .= "    rightcert=\"$rightcert\"\n";
 
                 }
-            }
 
-        }
+                else {
+                    $OUT .= "    authby=$security\n";
+                }
 
-        # End For
-    }
+                # Use connection value if it exists, if not use generic db value
+                my $auto =
+                     $ipsecDB->get_prop( $ipsecprop, 'auto' )
+                  || $configDB->get_prop( $dbKey, 'auto' )
+                  || 'start';
+
+                # If we are a static host to a dynamic client we are always add
+                my $iptype = $ipsecDB->get_prop( $ipsecprop, 'iptype' ) || '';
+
+                if ( $iptype eq 'stattodyn' ) {
+                    $OUT .= "    auto=add\n";
+                }
+                else {
+                    $OUT .= "    auto=$auto\n";
+                }
 
-    # End Else
+                # We should change ipsecversion to ikev2status
+                my $ipsecversion =
+                     $ipsecDB->get_prop( $ipsecprop, 'ipsecversion' )
+                  || $configDB->get_prop( $dbKey, 'ipsecversion' )
+                  || 'permit';
+
+                $OUT .= "    ikev2=$ipsecversion\n";
+
+                # Set the Phase one and Phase two default strengths - these are set to aes
+                my $ike =
+                     $ipsecDB->get_prop( $ipsecprop, 'ike' )
+                  || $configDB->get_prop( $dbKey, 'ike' )
+                  || 'aes-sha1';
+                $OUT .= "    ike=$ike\n";
+
+                my $phase2 =
+                     $ipsecDB->get_prop( $ipsecprop, 'phase2' )
+                  || $configDB->get_prop( $dbKey, 'phase2' )
+                  || 'aes-sha1';
+                $OUT .= "    phase2alg=$phase2\n";
+
+                # mtu can only be set per connection
+                my $mtu = $ipsecDB->get_prop( $ipsecprop, 'mtu' )
+                  || '';
+
+                unless ( $mtu eq '' ) {
+                    $OUT .= "    mtu=$mtu\n";
+                }
 
+                # These should be from $configDB-> ipsec unless they exist in ipsec_connections
+
+                my $keyingtries =
+                     $ipsecDB->get_prop( $ipsecprop, 'keyingtries' )
+                  || $configDB->get_prop( $dbKey, 'keyingtries' )
+                  || '0';
+                $OUT .= "    keyingtries=$keyingtries\n";
+
+                # Following come from ipsecDB or configDB or hardcoded
+                my $ikelifetime =
+                     $ipsecDB->get_prop( $ipsecprop, 'ikelifetime' )
+                  || $configDB->get_prop( $dbKey, 'ikelifetime' )
+                  || '3600s';
+                $OUT .= "    ikelifetime=$ikelifetime\n";
+
+                my $salifetime =
+                     $ipsecDB->get_prop( $ipsecprop, 'salifetime' )
+                  || $configDB->get_prop( $dbKey, 'salifetime' )
+                  || '28800s';
+                $OUT .= "    salifetime=$salifetime\n";
+
+                # Add is for incoming and is better that server dpd is ignored
+                # Disabled for now
+
+                #   if ( $auto ne 'add' ) {}
+                my $dpdaction =
+                     $ipsecDB->get_prop( $ipsecprop, 'dpdaction' )
+                  || $configDB->get_prop( $dbKey, 'dpdaction' )
+                  || 'restart';
+                $OUT .= "    dpdaction=$dpdaction\n";
+
+                my $dpddelay =
+                     $ipsecDB->get_prop( $ipsecprop, 'dpddelay' )
+                  || $configDB->get_prop( $dbKey, 'dpddelay' )
+                  || '30';
+                $OUT .= "    dpddelay=$dpddelay\n";
+
+                my $dpdtimeout =
+                     $ipsecDB->get_prop( $ipsecprop, 'dpdtimeout' )
+                  || $configDB->get_prop( $dbKey, 'dpdtimeout' )
+                  || '10';
+                $OUT .= "    dpdtimeout=$dpdtimeout\n";
+
+                # default to yes unless overridden in the connection db
+                my $pfs = $ipsecDB->get_prop( $ipsecprop, 'pfs' ) || 'yes';
+                $OUT .= "    pfs=$pfs\n";
+
+                # Following come from ipsecDB or configDB or hardcoded
+                my $left =
+                     $ipsecDB->get_prop( $ipsecprop, 'left' )
+                  || $configDB->get_prop( $dbKey, 'left' )
+                  || '%defaultroute';
+                $OUT .= "    left=$left\n";
+
+                if ( $security eq 'certs' ) {
+                    my $leftid = ( $ipsecDB->get_prop( $ipsecprop, 'leftid' ) || '%fromcert' );
+                    $OUT .= "    leftid=$leftid\n";
+                }
+
+                # These ONLY come from the ipsec_configurations db
+                elsif ( ( my $leftid = $ipsecDB->get_prop( $ipsecprop, 'leftid' ) || '' ) ne '' ) {
+                    $OUT .= "    leftid=\@$leftid\n";
+                }
+
+                my $leftsourceip = $ipsecDB->get_prop( $ipsecprop, 'leftsourceip' )
+                  || '';
+                $OUT .= "    leftsourceip=$leftsourceip\n";
+
+                my $leftsub = $ipsecDB->get_prop( $ipsecprop, 'leftsubnet' )
+                  || '';
+                $OUT .= "    leftsubnet=$leftsub\n";
+
+                # If we are a static host to a dynamic client we HAVE to set right %any
+
+                my $right = $ipsecDB->get_prop( $ipsecprop, 'right' ) || '';
+
+                if ( $iptype eq 'stattodyn' ) {
+                    $OUT .= "    right=%any\n";
+                }
+                else {
+                    $OUT .= "    right=$right\n";
+                }
+
+                if ( $security eq 'certs' ) {
+                    my $rightid = ( $ipsecDB->get_prop( $ipsecprop, 'rightid' ) || '%fromcert' );
+                    $OUT .= "    rightid=$rightid\n";
+                }
+
+                elsif ( ( my $rightid = $ipsecDB->get_prop( $ipsecprop, 'rightid' ) || '' ) ne '' ) {
+                    $OUT .= "    rightid=\@$rightid\n";
+                }
+
+                my $rightsubnet = $ipsecDB->get_prop( $ipsecprop, 'rightsubnet' ) || '';
+                $OUT .= "    rightsubnet=$rightsubnet\n";
+
+            }    # End If
+            else {
+                $OUT .= "# conn $ipsecprop disabled\n";
+            }
+        }    # End foreach
+    }    # End else
 }
+
diff -ruN smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/ipsec.d/ipsec.secrets/10Passwords smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/ipsec.d/ipsec.secrets/10Passwords
--- smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/ipsec.d/ipsec.secrets/10Passwords        2017-01-25 16:19:45.652000000 +0100
+++ smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/ipsec.d/ipsec.secrets/10Passwords    2017-01-25 16:20:03.867000123 +0100
@@ -1,4 +1,3 @@
-#!/usr/bin/perl -w
 
 {
     use strict;
@@ -22,31 +21,32 @@
         my $ipsecDB = esmith::ConfigDB->open_ro('ipsec_connections')
           or die("cant connect to ipsec database");
 
-        my $ExternalIP = $configDB->get_prop( "ExternalInterface", "IPAddress" );
-
         # This should get all the connections in an array
 
         my @connections = $ipsecDB->keys;
 
-        $OUT .= "# ipsec.secrets\n";
-
+        $OUT .= "# ipsec.secrets\n\n";
+        
+        my $ExternalIP = $configDB->get_prop( "ExternalInterface", "IPAddress" );
+        
         foreach my $ipsecprop (@connections) {
 
             # first we verify if IPSec is enabled for the connection
 
-            my $ipsecstatus = $ipsecDB->get_prop( "$ipsecprop", 'status' )
+            my $ipsecstatus = $ipsecDB->get_prop( $ipsecprop, 'status' )
               || "disabled";
 
             if ( $ipsecstatus eq "enabled" ) {
-                my $right = $ipsecDB->get_prop( "$ipsecprop", 'right' ) || '';
+
+                my $right = $ipsecDB->get_prop( $ipsecprop, 'right' ) || '';
 
                 # Hmm..... if left is not set it defaults to %defaultroute which we don't want here
 
-                my $left     = $ipsecDB->get_prop( "$ipsecprop", 'left' )     || $ExternalIP;
-                my $security = $ipsecDB->get_prop( "$ipsecprop", 'security' ) || 'secret';
-                my $iptype   = $ipsecDB->get_prop( "$ipsecprop", 'iptype' )   || '';
-                my $certname = $ipsecDB->get_prop( "$ipsecprop", 'certname' ) || '';
-                my $passwd   = $ipsecDB->get_prop( "$ipsecprop", 'passwd' )   || '';
+                my $left     = $ipsecDB->get_prop( $ipsecprop, 'left' )     || $ExternalIP;
+                my $security = $ipsecDB->get_prop( $ipsecprop, 'security' ) || 'secret';
+                my $iptype   = $ipsecDB->get_prop( $ipsecprop, 'iptype' )   || '';
+                my $certname = $ipsecDB->get_prop( $ipsecprop, 'certname' ) || '';
+                my $passwd   = $ipsecDB->get_prop( $ipsecprop, 'passwd' )   || '';
 
                 # Double quote is not allowed in configuration
                 if ( $passwd =~ /"/ ) {
@@ -55,15 +55,19 @@
 
                 $OUT .= "# $ipsecprop is enabled\n";
 
-                if ( $security eq "secret" ) {
+                if ( $security eq 'certs' ) {
+                    $OUT .= "# Certificates enabled for $ipsecprop - no settings required\n";
+                }
+
+                elsif ( $security eq 'secret' ) {
 
                     # If dynamic it must be %any here
                     # If not it can be ExternalIP if left not set
 
                     # IF we have IDs then use them in preference to %any
 
-                    my $leftid  = $ipsecDB->get_prop( "$ipsecprop", 'leftid' )  || '';
-                    my $rightid = $ipsecDB->get_prop( "$ipsecprop", 'rightid' ) || '';
+                    my $leftid  = $ipsecDB->get_prop( $ipsecprop, 'leftid' )  || '';
+                    my $rightid = $ipsecDB->get_prop( $ipsecprop, 'rightid' ) || '';
 
                     if ( $iptype eq 'stattodyn' ) {
                         if ( ( $leftid eq '' ) && ( $rightid eq '' ) ) {
@@ -101,7 +105,7 @@
                     $OUT .= "# $ipsecprop is disabled\n";
                     $OUT .= "\n";
                 }
-                $OUT .= "\n\n";
+                $OUT .= "\n";
             }
         }
     }
1	reetspetit	1.1	diff -ruN smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/ipsec.d/ipsec.conf/10Connection smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/ipsec.d/ipsec.conf/10Connection
2			--- smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/ipsec.d/ipsec.conf/10Connection 2017-01-25 16:19:45.651000000 +0100
3			+++ smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/ipsec.d/ipsec.conf/10Connection 2017-01-25 16:20:03.868000104 +0100
4			@@ -1,4 +1,3 @@
5			-#!/usr/bin/perl -w
6
7			{
8			use strict;
9			@@ -26,212 +25,220 @@
10
11			my @connections = $ipsecDB->keys;
12
13			+ $OUT .= "# ipsec.conf\n\n";
14			+
15			foreach my $ipsecprop (@connections) {
16			- if ( $ipsecDB->get_prop( $ipsecprop, 'type' ) eq 'ipsec' ) {
17
18			- # first we verify if IPSec is enabled for the connection
19			+ # first we verify if IPSec is enabled for the connection
20
21			- my $ipsecstatus = $ipsecDB->get_prop( $ipsecprop, 'status' ) \|\| 'disabled';
22			+ my $ipsecstatus = $ipsecDB->get_prop( $ipsecprop, 'status' ) \|\| 'disabled';
23
24			- if ( $ipsecstatus ne 'enabled' ) {
25			- $OUT .= "# $ipsecprop is disabled\n"
26			- unless $ipsecstatus eq "enabled";
27			- }
28			- else {
29			+ if ( $ipsecstatus eq 'enabled' ) {
30
31			- $OUT .= "conn $ipsecprop\n";
32			+ $OUT .= "conn $ipsecprop\n";
33			+
34			+ # These should be from $configDB-> ipsec
35
36			- # These should be from $configDB-> ipsec
37			+ # Not templated this - maybe later with L2TPD
38			+ # We currently use a password file but this could be integrated with other authent later
39
40			- # Not templated this - maybe later with L2TPD
41			- # We currently use a password file but this could be integrated with other authent later
42			+ # Lazy - assume that it is security (password by default) - options are rsasig\|certs
43
44			- # Lazy - assume that it is security (password by default) - option is rsasig
45			+ # Careful - property 'type' has a special meaning in configDB and returns 'service'
46
47			- # Careful - property 'type' has a special meaning in configDB and returns 'service'
48			-
49			- my $connectiontype = $configDB->get_prop( $dbKey, 'connectiontype' )
50			- \|\| 'tunnel';
51			- $OUT .= " type=$connectiontype\n";
52			-
53			- my $security = $ipsecDB->get_prop( "$ipsecprop", 'security' )
54			- \|\| 'secret';
55			- my $certname = $ipsecDB->get_prop( "$ipsecprop", 'certname' ) \|\| '';
56			-
57			- if ( $security eq "rsasig" ) {
58			- $OUT .= " authby=rsasig\n";
59			-
60			- my $leftrsasig = $ipsecDB->get_prop( "$ipsecprop", 'leftrsasig' )
61			- \|\| '';
62			- $OUT .= " leftrsasigkey=$leftrsasig\n";
63			-
64			- my $rightrsasig = $ipsecDB->get_prop( "$ipsecprop", 'rightrsasig' )
65			- \|\| '';
66			- $OUT .= " rightrsasigkey=$rightrsasig\n";
67			-
68			- }
69			-
70			- # Prep for certs
71			- # Problem here is that certificate settings are basically the same as rsasig
72			- # I think we can use a key to identify the type of connection and adjust accordingly
73			- # elsif ( $security eq "certificate" ) {
74			- # $OUT .= " authby=rsasig\n";
75			- # leftcert=$keyname.$ServerName.$DomainName
76			- # leftrsasigkey=%cert
77			- # leftid=leftid
78			- # leftsendcert=always - maybe not needed
79			-
80			- # rightca=%same
81			- # rightrsasigkey=%cert
82			- # rightid=%fromcert ?
83			-
84			- # $OUT .= " leftid=\"CN=$certname\"\n";
85			- # $OUT .= " leftcert=$certname\n";
86			-
87			- # }
88			-
89			- else {
90			- $OUT .= " authby=$security\n";
91			- }
92			-
93			- # Use connection value if it exists, if not use generic db value
94			- my $auto =
95			- $ipsecDB->get_prop( $ipsecprop, 'auto' )
96			- \|\| $configDB->get_prop( $dbKey, 'auto' )
97			- \|\| 'start';
98			-
99			- # If we are a static host to a dynamic client we are always add
100			- my $iptype = $ipsecDB->get_prop( $ipsecprop, 'iptype' ) \|\| '';
101			-
102			- if ( $iptype eq 'stattodyn' ) {
103			- $OUT .= " auto=add\n";
104			- }
105			- else {
106			- $OUT .= " auto=$auto\n";
107			- }
108			-
109			- # We should change ipsecversion to ikev2status
110			- my $ipsecversion =
111			- $ipsecDB->get_prop( $ipsecprop, 'ipsecversion' )
112			- \|\| $configDB->get_prop( $dbKey, 'ipsecversion' )
113			- \|\| 'permit';
114			-
115			- $OUT .= " ikev2=$ipsecversion\n";
116			-
117			- # Set the Phase one and Phase two default strengths - these are set to aes
118			- my $ike =
119			- $ipsecDB->get_prop( $ipsecprop, 'ike' )
120			- \|\| $configDB->get_prop( $dbKey, 'ike' )
121			- \|\| 'aes-sha1';
122			- $OUT .= " ike=$ike\n";
123			-
124			- my $phase2 =
125			- $ipsecDB->get_prop( $ipsecprop, 'phase2' )
126			- \|\| $configDB->get_prop( $dbKey, 'phase2' )
127			- \|\| 'aes-sha1';
128			- $OUT .= " phase2alg=$phase2\n";
129			+ my $connectiontype = $configDB->get_prop( $dbKey, 'connectiontype' )
130			+ \|\| 'tunnel';
131			+ $OUT .= " type=$connectiontype\n";
132
133			- # mtu can only be set per connection
134			- my $mtu = $ipsecDB->get_prop( $ipsecprop, 'mtu' )
135			- \|\| '';
136			- unless ( $mtu eq '' ) {
137			- $OUT .= " mtu=$mtu\n";
138			- }
139			-
140			- # These should be from $configDB-> ipsec unless they exist in ipsec_connections
141			-
142			- my $keyingtries =
143			- $ipsecDB->get_prop( $ipsecprop, 'keyingtries' )
144			- \|\| $configDB->get_prop( $dbKey, 'keyingtries' )
145			- \|\| '0';
146			- $OUT .= " keyingtries=$keyingtries\n";
147			-
148			- # Following come from ipsecDB or configDB or hardcoded
149			- my $ikelifetime =
150			- $ipsecDB->get_prop( $ipsecprop, 'ikelifetime' )
151			- \|\| $configDB->get_prop( $dbKey, 'ikelifetime' )
152			- \|\| '3600s';
153			- $OUT .= " ikelifetime=$ikelifetime\n";
154			-
155			- my $salifetime =
156			- $ipsecDB->get_prop( $ipsecprop, 'salifetime' )
157			- \|\| $configDB->get_prop( $dbKey, 'salifetime' )
158			- \|\| '28800s';
159			- $OUT .= " salifetime=$salifetime\n";
160			-
161			- # Add is for incoming and is better that server dpd is ignored
162			- # Disabled for now
163			-
164			- # if ( $auto ne 'add' ) {
165			- my $dpdaction =
166			- $ipsecDB->get_prop( $ipsecprop, 'dpdaction' )
167			- \|\| $configDB->get_prop( $dbKey, 'dpdaction' )
168			- \|\| 'restart';
169			- $OUT .= " dpdaction=$dpdaction\n";
170			-
171			- my $dpddelay =
172			- $ipsecDB->get_prop( $ipsecprop, 'dpddelay' )
173			- \|\| $configDB->get_prop( $dbKey, 'dpddelay' )
174			- \|\| '30';
175			- $OUT .= " dpddelay=$dpddelay\n";
176			-
177			- my $dpdtimeout =
178			- $ipsecDB->get_prop( $ipsecprop, 'dpdtimeout' )
179			- \|\| $configDB->get_prop( $dbKey, 'dpdtimeout' )
180			- \|\| '10';
181			- $OUT .= " dpdtimeout=$dpdtimeout\n";
182			-
183			- # }
184			-
185			- # default to yes unless overridden in the connection db
186			- my $pfs = $ipsecDB->get_prop( $ipsecprop, 'pfs' ) \|\| 'yes';
187			- $OUT .= " pfs=$pfs\n";
188			-
189			- # Following come from ipsecDB or configDB or hardcoded
190			- my $left =
191			- $ipsecDB->get_prop( $ipsecprop, 'left' )
192			- \|\| $configDB->get_prop( $dbKey, 'left' )
193			- \|\| '%defaultroute';
194			- $OUT .= " left=$left\n";
195			-
196			- # These ONLY come from the ipsec_configurations db
197			- if ( ( my $leftid = $ipsecDB->get_prop( "$ipsecprop", 'leftid' ) \|\| '' ) ne '' ) {
198			- $OUT .= " leftid=\@$leftid\n";
199			- }
200			- my $leftsourceip = $ipsecDB->get_prop( $ipsecprop, 'leftsourceip' )
201			+ my $security = $ipsecDB->get_prop( $ipsecprop, 'security' )
202			+ \|\| 'secret';
203			+
204			+ # my $certname = $ipsecDB->get_prop( "$ipsecprop", 'certname' ) \|\| ''; ???? Is this required ?
205			+
206			+ if ( $security eq 'rsasig' ) {
207			+ $OUT .= " authby=rsasig\n";
208			+
209			+ my $leftrsasig = $ipsecDB->get_prop( $ipsecprop, 'leftrsasig' )
210			\|\| '';
211			- $OUT .= " leftsourceip=$leftsourceip\n";
212			+ $OUT .= " leftrsasigkey=$leftrsasig\n";
213
214			- my $leftsub = $ipsecDB->get_prop( $ipsecprop, 'leftsubnet' )
215			+ my $rightrsasig = $ipsecDB->get_prop( $ipsecprop, 'rightrsasig' )
216			\|\| '';
217			- $OUT .= " leftsubnet=$leftsub\n";
218			+ $OUT .= " rightrsasigkey=$rightrsasig\n";
219			+
220			+ }
221
222			- # If we are a static host to a dynamic client we HAVE to set right %any
223			+ elsif ( $security eq 'certs' ) {
224
225			- my $right = $ipsecDB->get_prop( $ipsecprop, 'right' ) \|\| '';
226			+ $OUT .= " authby=rsasig\n";
227
228			- if ( $iptype eq 'stattodyn' ) {
229			- $OUT .= " right=%any\n";
230			- }
231			- else {
232			- $OUT .= " right=$right\n";
233			- }
234			+ my $leftrsasig = $ipsecDB->get_prop( $ipsecprop, 'leftrsasig' )
235			+ \|\| '%cert';
236			+ $OUT .= " leftrsasigkey=$leftrsasig\n";
237
238			- if ( ( my $rightid = $ipsecDB->get_prop( "$ipsecprop", 'rightid' ) \|\| '' ) ne '' ) {
239			- $OUT .= " rightid=\@$rightid\n";
240			- }
241			+ my $rightrsasig = $ipsecDB->get_prop( $ipsecprop, 'rightrsasig' )
242			+ \|\| '%cert';
243			+ $OUT .= " rightrsasigkey=$rightrsasig\n";
244
245			- my $rightsubnet = $ipsecDB->get_prop( $ipsecprop, 'rightsubnet' ) \|\| '';
246			- $OUT .= " rightsubnet=$rightsubnet\n";
247			+ my $leftcert = $ipsecDB->get_prop( $ipsecprop, 'leftcert' )
248			+ \|\| '"LeftCertName"';
249			+ $OUT .= " leftcert=\"$leftcert\"\n";
250			+
251			+ my $rightcert = $ipsecDB->get_prop( $ipsecprop, 'rightcert' )
252			+ \|\| '"RightCertName"';
253			+ $OUT .= " rightcert=\"$rightcert\"\n";
254
255			}
256			- }
257
258			- }
259			+ else {
260			+ $OUT .= " authby=$security\n";
261			+ }
262
263			- # End For
264			- }
265			+ # Use connection value if it exists, if not use generic db value
266			+ my $auto =
267			+ $ipsecDB->get_prop( $ipsecprop, 'auto' )
268			+ \|\| $configDB->get_prop( $dbKey, 'auto' )
269			+ \|\| 'start';
270			+
271			+ # If we are a static host to a dynamic client we are always add
272			+ my $iptype = $ipsecDB->get_prop( $ipsecprop, 'iptype' ) \|\| '';
273			+
274			+ if ( $iptype eq 'stattodyn' ) {
275			+ $OUT .= " auto=add\n";
276			+ }
277			+ else {
278			+ $OUT .= " auto=$auto\n";
279			+ }
280
281			- # End Else
282			+ # We should change ipsecversion to ikev2status
283			+ my $ipsecversion =
284			+ $ipsecDB->get_prop( $ipsecprop, 'ipsecversion' )
285			+ \|\| $configDB->get_prop( $dbKey, 'ipsecversion' )
286			+ \|\| 'permit';
287			+
288			+ $OUT .= " ikev2=$ipsecversion\n";
289			+
290			+ # Set the Phase one and Phase two default strengths - these are set to aes
291			+ my $ike =
292			+ $ipsecDB->get_prop( $ipsecprop, 'ike' )
293			+ \|\| $configDB->get_prop( $dbKey, 'ike' )
294			+ \|\| 'aes-sha1';
295			+ $OUT .= " ike=$ike\n";
296			+
297			+ my $phase2 =
298			+ $ipsecDB->get_prop( $ipsecprop, 'phase2' )
299			+ \|\| $configDB->get_prop( $dbKey, 'phase2' )
300			+ \|\| 'aes-sha1';
301			+ $OUT .= " phase2alg=$phase2\n";
302			+
303			+ # mtu can only be set per connection
304			+ my $mtu = $ipsecDB->get_prop( $ipsecprop, 'mtu' )
305			+ \|\| '';
306			+
307			+ unless ( $mtu eq '' ) {
308			+ $OUT .= " mtu=$mtu\n";
309			+ }
310
311			+ # These should be from $configDB-> ipsec unless they exist in ipsec_connections
312			+
313			+ my $keyingtries =
314			+ $ipsecDB->get_prop( $ipsecprop, 'keyingtries' )
315			+ \|\| $configDB->get_prop( $dbKey, 'keyingtries' )
316			+ \|\| '0';
317			+ $OUT .= " keyingtries=$keyingtries\n";
318			+
319			+ # Following come from ipsecDB or configDB or hardcoded
320			+ my $ikelifetime =
321			+ $ipsecDB->get_prop( $ipsecprop, 'ikelifetime' )
322			+ \|\| $configDB->get_prop( $dbKey, 'ikelifetime' )
323			+ \|\| '3600s';
324			+ $OUT .= " ikelifetime=$ikelifetime\n";
325			+
326			+ my $salifetime =
327			+ $ipsecDB->get_prop( $ipsecprop, 'salifetime' )
328			+ \|\| $configDB->get_prop( $dbKey, 'salifetime' )
329			+ \|\| '28800s';
330			+ $OUT .= " salifetime=$salifetime\n";
331			+
332			+ # Add is for incoming and is better that server dpd is ignored
333			+ # Disabled for now
334			+
335			+ # if ( $auto ne 'add' ) {}
336			+ my $dpdaction =
337			+ $ipsecDB->get_prop( $ipsecprop, 'dpdaction' )
338			+ \|\| $configDB->get_prop( $dbKey, 'dpdaction' )
339			+ \|\| 'restart';
340			+ $OUT .= " dpdaction=$dpdaction\n";
341			+
342			+ my $dpddelay =
343			+ $ipsecDB->get_prop( $ipsecprop, 'dpddelay' )
344			+ \|\| $configDB->get_prop( $dbKey, 'dpddelay' )
345			+ \|\| '30';
346			+ $OUT .= " dpddelay=$dpddelay\n";
347			+
348			+ my $dpdtimeout =
349			+ $ipsecDB->get_prop( $ipsecprop, 'dpdtimeout' )
350			+ \|\| $configDB->get_prop( $dbKey, 'dpdtimeout' )
351			+ \|\| '10';
352			+ $OUT .= " dpdtimeout=$dpdtimeout\n";
353			+
354			+ # default to yes unless overridden in the connection db
355			+ my $pfs = $ipsecDB->get_prop( $ipsecprop, 'pfs' ) \|\| 'yes';
356			+ $OUT .= " pfs=$pfs\n";
357			+
358			+ # Following come from ipsecDB or configDB or hardcoded
359			+ my $left =
360			+ $ipsecDB->get_prop( $ipsecprop, 'left' )
361			+ \|\| $configDB->get_prop( $dbKey, 'left' )
362			+ \|\| '%defaultroute';
363			+ $OUT .= " left=$left\n";
364			+
365			+ if ( $security eq 'certs' ) {
366			+ my $leftid = ( $ipsecDB->get_prop( $ipsecprop, 'leftid' ) \|\| '%fromcert' );
367			+ $OUT .= " leftid=$leftid\n";
368			+ }
369			+
370			+ # These ONLY come from the ipsec_configurations db
371			+ elsif ( ( my $leftid = $ipsecDB->get_prop( $ipsecprop, 'leftid' ) \|\| '' ) ne '' ) {
372			+ $OUT .= " leftid=\@$leftid\n";
373			+ }
374			+
375			+ my $leftsourceip = $ipsecDB->get_prop( $ipsecprop, 'leftsourceip' )
376			+ \|\| '';
377			+ $OUT .= " leftsourceip=$leftsourceip\n";
378			+
379			+ my $leftsub = $ipsecDB->get_prop( $ipsecprop, 'leftsubnet' )
380			+ \|\| '';
381			+ $OUT .= " leftsubnet=$leftsub\n";
382			+
383			+ # If we are a static host to a dynamic client we HAVE to set right %any
384			+
385			+ my $right = $ipsecDB->get_prop( $ipsecprop, 'right' ) \|\| '';
386			+
387			+ if ( $iptype eq 'stattodyn' ) {
388			+ $OUT .= " right=%any\n";
389			+ }
390			+ else {
391			+ $OUT .= " right=$right\n";
392			+ }
393			+
394			+ if ( $security eq 'certs' ) {
395			+ my $rightid = ( $ipsecDB->get_prop( $ipsecprop, 'rightid' ) \|\| '%fromcert' );
396			+ $OUT .= " rightid=$rightid\n";
397			+ }
398			+
399			+ elsif ( ( my $rightid = $ipsecDB->get_prop( $ipsecprop, 'rightid' ) \|\| '' ) ne '' ) {
400			+ $OUT .= " rightid=\@$rightid\n";
401			+ }
402			+
403			+ my $rightsubnet = $ipsecDB->get_prop( $ipsecprop, 'rightsubnet' ) \|\| '';
404			+ $OUT .= " rightsubnet=$rightsubnet\n";
405			+
406			+ } # End If
407			+ else {
408			+ $OUT .= "# conn $ipsecprop disabled\n";
409			+ }
410			+ } # End foreach
411			+ } # End else
412			}
413			+
414			diff -ruN smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/ipsec.d/ipsec.secrets/10Passwords smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/ipsec.d/ipsec.secrets/10Passwords
415			--- smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/ipsec.d/ipsec.secrets/10Passwords 2017-01-25 16:19:45.652000000 +0100
416			+++ smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/ipsec.d/ipsec.secrets/10Passwords 2017-01-25 16:20:03.867000123 +0100
417			@@ -1,4 +1,3 @@
418			-#!/usr/bin/perl -w
419
420			{
421			use strict;
422			@@ -22,31 +21,32 @@
423			my $ipsecDB = esmith::ConfigDB->open_ro('ipsec_connections')
424			or die("cant connect to ipsec database");
425
426			- my $ExternalIP = $configDB->get_prop( "ExternalInterface", "IPAddress" );
427			-
428			# This should get all the connections in an array
429
430			my @connections = $ipsecDB->keys;
431
432			- $OUT .= "# ipsec.secrets\n";
433			-
434			+ $OUT .= "# ipsec.secrets\n\n";
435			+
436			+ my $ExternalIP = $configDB->get_prop( "ExternalInterface", "IPAddress" );
437			+
438			foreach my $ipsecprop (@connections) {
439
440			# first we verify if IPSec is enabled for the connection
441
442			- my $ipsecstatus = $ipsecDB->get_prop( "$ipsecprop", 'status' )
443			+ my $ipsecstatus = $ipsecDB->get_prop( $ipsecprop, 'status' )
444			\|\| "disabled";
445
446			if ( $ipsecstatus eq "enabled" ) {
447			- my $right = $ipsecDB->get_prop( "$ipsecprop", 'right' ) \|\| '';
448			+
449			+ my $right = $ipsecDB->get_prop( $ipsecprop, 'right' ) \|\| '';
450
451			# Hmm..... if left is not set it defaults to %defaultroute which we don't want here
452
453			- my $left = $ipsecDB->get_prop( "$ipsecprop", 'left' ) \|\| $ExternalIP;
454			- my $security = $ipsecDB->get_prop( "$ipsecprop", 'security' ) \|\| 'secret';
455			- my $iptype = $ipsecDB->get_prop( "$ipsecprop", 'iptype' ) \|\| '';
456			- my $certname = $ipsecDB->get_prop( "$ipsecprop", 'certname' ) \|\| '';
457			- my $passwd = $ipsecDB->get_prop( "$ipsecprop", 'passwd' ) \|\| '';
458			+ my $left = $ipsecDB->get_prop( $ipsecprop, 'left' ) \|\| $ExternalIP;
459			+ my $security = $ipsecDB->get_prop( $ipsecprop, 'security' ) \|\| 'secret';
460			+ my $iptype = $ipsecDB->get_prop( $ipsecprop, 'iptype' ) \|\| '';
461			+ my $certname = $ipsecDB->get_prop( $ipsecprop, 'certname' ) \|\| '';
462			+ my $passwd = $ipsecDB->get_prop( $ipsecprop, 'passwd' ) \|\| '';
463
464			# Double quote is not allowed in configuration
465			if ( $passwd =~ /"/ ) {
466			@@ -55,15 +55,19 @@
467
468			$OUT .= "# $ipsecprop is enabled\n";
469
470			- if ( $security eq "secret" ) {
471			+ if ( $security eq 'certs' ) {
472			+ $OUT .= "# Certificates enabled for $ipsecprop - no settings required\n";
473			+ }
474			+
475			+ elsif ( $security eq 'secret' ) {
476
477			# If dynamic it must be %any here
478			# If not it can be ExternalIP if left not set
479
480			# IF we have IDs then use them in preference to %any
481
482			- my $leftid = $ipsecDB->get_prop( "$ipsecprop", 'leftid' ) \|\| '';
483			- my $rightid = $ipsecDB->get_prop( "$ipsecprop", 'rightid' ) \|\| '';
484			+ my $leftid = $ipsecDB->get_prop( $ipsecprop, 'leftid' ) \|\| '';
485			+ my $rightid = $ipsecDB->get_prop( $ipsecprop, 'rightid' ) \|\| '';
486
487			if ( $iptype eq 'stattodyn' ) {
488			if ( ( $leftid eq '' ) && ( $rightid eq '' ) ) {
489			@@ -101,7 +105,7 @@
490			$OUT .= "# $ipsecprop is disabled\n";
491			$OUT .= "\n";
492			}
493			- $OUT .= "\n\n";
494			+ $OUT .= "\n";
495			}
496			}
497			}