diff -ruN smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/ipsec.d/ipsec.conf/10Connection smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/ipsec.d/ipsec.conf/10Connection --- smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/ipsec.d/ipsec.conf/10Connection 2017-01-25 16:19:45.651000000 +0100 +++ smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/ipsec.d/ipsec.conf/10Connection 2017-01-25 16:20:03.868000104 +0100 @@ -1,4 +1,3 @@ -#!/usr/bin/perl -w { use strict; @@ -26,212 +25,220 @@ my @connections = $ipsecDB->keys; + $OUT .= "# ipsec.conf\n\n"; + foreach my $ipsecprop (@connections) { - if ( $ipsecDB->get_prop( $ipsecprop, 'type' ) eq 'ipsec' ) { - # first we verify if IPSec is enabled for the connection + # first we verify if IPSec is enabled for the connection - my $ipsecstatus = $ipsecDB->get_prop( $ipsecprop, 'status' ) || 'disabled'; + my $ipsecstatus = $ipsecDB->get_prop( $ipsecprop, 'status' ) || 'disabled'; - if ( $ipsecstatus ne 'enabled' ) { - $OUT .= "# $ipsecprop is disabled\n" - unless $ipsecstatus eq "enabled"; - } - else { + if ( $ipsecstatus eq 'enabled' ) { - $OUT .= "conn $ipsecprop\n"; + $OUT .= "conn $ipsecprop\n"; + + # These should be from $configDB-> ipsec - # These should be from $configDB-> ipsec + # Not templated this - maybe later with L2TPD + # We currently use a password file but this could be integrated with other authent later - # Not templated this - maybe later with L2TPD - # We currently use a password file but this could be integrated with other authent later + # Lazy - assume that it is security (password by default) - options are rsasig|certs - # Lazy - assume that it is security (password by default) - option is rsasig + # Careful - property 'type' has a special meaning in configDB and returns 'service' - # Careful - property 'type' has a special meaning in configDB and returns 'service' - - my $connectiontype = $configDB->get_prop( $dbKey, 'connectiontype' ) - || 'tunnel'; - $OUT .= " type=$connectiontype\n"; - - my $security = $ipsecDB->get_prop( "$ipsecprop", 'security' ) - || 'secret'; - my $certname = $ipsecDB->get_prop( "$ipsecprop", 'certname' ) || ''; - - if ( $security eq "rsasig" ) { - $OUT .= " authby=rsasig\n"; - - my $leftrsasig = $ipsecDB->get_prop( "$ipsecprop", 'leftrsasig' ) - || ''; - $OUT .= " leftrsasigkey=$leftrsasig\n"; - - my $rightrsasig = $ipsecDB->get_prop( "$ipsecprop", 'rightrsasig' ) - || ''; - $OUT .= " rightrsasigkey=$rightrsasig\n"; - - } - - # Prep for certs - # Problem here is that certificate settings are basically the same as rsasig - # I think we can use a key to identify the type of connection and adjust accordingly - # elsif ( $security eq "certificate" ) { - # $OUT .= " authby=rsasig\n"; - # leftcert=$keyname.$ServerName.$DomainName - # leftrsasigkey=%cert - # leftid=leftid - # leftsendcert=always - maybe not needed - - # rightca=%same - # rightrsasigkey=%cert - # rightid=%fromcert ? - - # $OUT .= " leftid=\"CN=$certname\"\n"; - # $OUT .= " leftcert=$certname\n"; - - # } - - else { - $OUT .= " authby=$security\n"; - } - - # Use connection value if it exists, if not use generic db value - my $auto = - $ipsecDB->get_prop( $ipsecprop, 'auto' ) - || $configDB->get_prop( $dbKey, 'auto' ) - || 'start'; - - # If we are a static host to a dynamic client we are always add - my $iptype = $ipsecDB->get_prop( $ipsecprop, 'iptype' ) || ''; - - if ( $iptype eq 'stattodyn' ) { - $OUT .= " auto=add\n"; - } - else { - $OUT .= " auto=$auto\n"; - } - - # We should change ipsecversion to ikev2status - my $ipsecversion = - $ipsecDB->get_prop( $ipsecprop, 'ipsecversion' ) - || $configDB->get_prop( $dbKey, 'ipsecversion' ) - || 'permit'; - - $OUT .= " ikev2=$ipsecversion\n"; - - # Set the Phase one and Phase two default strengths - these are set to aes - my $ike = - $ipsecDB->get_prop( $ipsecprop, 'ike' ) - || $configDB->get_prop( $dbKey, 'ike' ) - || 'aes-sha1'; - $OUT .= " ike=$ike\n"; - - my $phase2 = - $ipsecDB->get_prop( $ipsecprop, 'phase2' ) - || $configDB->get_prop( $dbKey, 'phase2' ) - || 'aes-sha1'; - $OUT .= " phase2alg=$phase2\n"; + my $connectiontype = $configDB->get_prop( $dbKey, 'connectiontype' ) + || 'tunnel'; + $OUT .= " type=$connectiontype\n"; - # mtu can only be set per connection - my $mtu = $ipsecDB->get_prop( $ipsecprop, 'mtu' ) - || ''; - unless ( $mtu eq '' ) { - $OUT .= " mtu=$mtu\n"; - } - - # These should be from $configDB-> ipsec unless they exist in ipsec_connections - - my $keyingtries = - $ipsecDB->get_prop( $ipsecprop, 'keyingtries' ) - || $configDB->get_prop( $dbKey, 'keyingtries' ) - || '0'; - $OUT .= " keyingtries=$keyingtries\n"; - - # Following come from ipsecDB or configDB or hardcoded - my $ikelifetime = - $ipsecDB->get_prop( $ipsecprop, 'ikelifetime' ) - || $configDB->get_prop( $dbKey, 'ikelifetime' ) - || '3600s'; - $OUT .= " ikelifetime=$ikelifetime\n"; - - my $salifetime = - $ipsecDB->get_prop( $ipsecprop, 'salifetime' ) - || $configDB->get_prop( $dbKey, 'salifetime' ) - || '28800s'; - $OUT .= " salifetime=$salifetime\n"; - - # Add is for incoming and is better that server dpd is ignored - # Disabled for now - - # if ( $auto ne 'add' ) { - my $dpdaction = - $ipsecDB->get_prop( $ipsecprop, 'dpdaction' ) - || $configDB->get_prop( $dbKey, 'dpdaction' ) - || 'restart'; - $OUT .= " dpdaction=$dpdaction\n"; - - my $dpddelay = - $ipsecDB->get_prop( $ipsecprop, 'dpddelay' ) - || $configDB->get_prop( $dbKey, 'dpddelay' ) - || '30'; - $OUT .= " dpddelay=$dpddelay\n"; - - my $dpdtimeout = - $ipsecDB->get_prop( $ipsecprop, 'dpdtimeout' ) - || $configDB->get_prop( $dbKey, 'dpdtimeout' ) - || '10'; - $OUT .= " dpdtimeout=$dpdtimeout\n"; - - # } - - # default to yes unless overridden in the connection db - my $pfs = $ipsecDB->get_prop( $ipsecprop, 'pfs' ) || 'yes'; - $OUT .= " pfs=$pfs\n"; - - # Following come from ipsecDB or configDB or hardcoded - my $left = - $ipsecDB->get_prop( $ipsecprop, 'left' ) - || $configDB->get_prop( $dbKey, 'left' ) - || '%defaultroute'; - $OUT .= " left=$left\n"; - - # These ONLY come from the ipsec_configurations db - if ( ( my $leftid = $ipsecDB->get_prop( "$ipsecprop", 'leftid' ) || '' ) ne '' ) { - $OUT .= " leftid=\@$leftid\n"; - } - my $leftsourceip = $ipsecDB->get_prop( $ipsecprop, 'leftsourceip' ) + my $security = $ipsecDB->get_prop( $ipsecprop, 'security' ) + || 'secret'; + + # my $certname = $ipsecDB->get_prop( "$ipsecprop", 'certname' ) || ''; ???? Is this required ? + + if ( $security eq 'rsasig' ) { + $OUT .= " authby=rsasig\n"; + + my $leftrsasig = $ipsecDB->get_prop( $ipsecprop, 'leftrsasig' ) || ''; - $OUT .= " leftsourceip=$leftsourceip\n"; + $OUT .= " leftrsasigkey=$leftrsasig\n"; - my $leftsub = $ipsecDB->get_prop( $ipsecprop, 'leftsubnet' ) + my $rightrsasig = $ipsecDB->get_prop( $ipsecprop, 'rightrsasig' ) || ''; - $OUT .= " leftsubnet=$leftsub\n"; + $OUT .= " rightrsasigkey=$rightrsasig\n"; + + } - # If we are a static host to a dynamic client we HAVE to set right %any + elsif ( $security eq 'certs' ) { - my $right = $ipsecDB->get_prop( $ipsecprop, 'right' ) || ''; + $OUT .= " authby=rsasig\n"; - if ( $iptype eq 'stattodyn' ) { - $OUT .= " right=%any\n"; - } - else { - $OUT .= " right=$right\n"; - } + my $leftrsasig = $ipsecDB->get_prop( $ipsecprop, 'leftrsasig' ) + || '%cert'; + $OUT .= " leftrsasigkey=$leftrsasig\n"; - if ( ( my $rightid = $ipsecDB->get_prop( "$ipsecprop", 'rightid' ) || '' ) ne '' ) { - $OUT .= " rightid=\@$rightid\n"; - } + my $rightrsasig = $ipsecDB->get_prop( $ipsecprop, 'rightrsasig' ) + || '%cert'; + $OUT .= " rightrsasigkey=$rightrsasig\n"; - my $rightsubnet = $ipsecDB->get_prop( $ipsecprop, 'rightsubnet' ) || ''; - $OUT .= " rightsubnet=$rightsubnet\n"; + my $leftcert = $ipsecDB->get_prop( $ipsecprop, 'leftcert' ) + || '"LeftCertName"'; + $OUT .= " leftcert=\"$leftcert\"\n"; + + my $rightcert = $ipsecDB->get_prop( $ipsecprop, 'rightcert' ) + || '"RightCertName"'; + $OUT .= " rightcert=\"$rightcert\"\n"; } - } - } + else { + $OUT .= " authby=$security\n"; + } - # End For - } + # Use connection value if it exists, if not use generic db value + my $auto = + $ipsecDB->get_prop( $ipsecprop, 'auto' ) + || $configDB->get_prop( $dbKey, 'auto' ) + || 'start'; + + # If we are a static host to a dynamic client we are always add + my $iptype = $ipsecDB->get_prop( $ipsecprop, 'iptype' ) || ''; + + if ( $iptype eq 'stattodyn' ) { + $OUT .= " auto=add\n"; + } + else { + $OUT .= " auto=$auto\n"; + } - # End Else + # We should change ipsecversion to ikev2status + my $ipsecversion = + $ipsecDB->get_prop( $ipsecprop, 'ipsecversion' ) + || $configDB->get_prop( $dbKey, 'ipsecversion' ) + || 'permit'; + + $OUT .= " ikev2=$ipsecversion\n"; + + # Set the Phase one and Phase two default strengths - these are set to aes + my $ike = + $ipsecDB->get_prop( $ipsecprop, 'ike' ) + || $configDB->get_prop( $dbKey, 'ike' ) + || 'aes-sha1'; + $OUT .= " ike=$ike\n"; + + my $phase2 = + $ipsecDB->get_prop( $ipsecprop, 'phase2' ) + || $configDB->get_prop( $dbKey, 'phase2' ) + || 'aes-sha1'; + $OUT .= " phase2alg=$phase2\n"; + + # mtu can only be set per connection + my $mtu = $ipsecDB->get_prop( $ipsecprop, 'mtu' ) + || ''; + + unless ( $mtu eq '' ) { + $OUT .= " mtu=$mtu\n"; + } + # These should be from $configDB-> ipsec unless they exist in ipsec_connections + + my $keyingtries = + $ipsecDB->get_prop( $ipsecprop, 'keyingtries' ) + || $configDB->get_prop( $dbKey, 'keyingtries' ) + || '0'; + $OUT .= " keyingtries=$keyingtries\n"; + + # Following come from ipsecDB or configDB or hardcoded + my $ikelifetime = + $ipsecDB->get_prop( $ipsecprop, 'ikelifetime' ) + || $configDB->get_prop( $dbKey, 'ikelifetime' ) + || '3600s'; + $OUT .= " ikelifetime=$ikelifetime\n"; + + my $salifetime = + $ipsecDB->get_prop( $ipsecprop, 'salifetime' ) + || $configDB->get_prop( $dbKey, 'salifetime' ) + || '28800s'; + $OUT .= " salifetime=$salifetime\n"; + + # Add is for incoming and is better that server dpd is ignored + # Disabled for now + + # if ( $auto ne 'add' ) {} + my $dpdaction = + $ipsecDB->get_prop( $ipsecprop, 'dpdaction' ) + || $configDB->get_prop( $dbKey, 'dpdaction' ) + || 'restart'; + $OUT .= " dpdaction=$dpdaction\n"; + + my $dpddelay = + $ipsecDB->get_prop( $ipsecprop, 'dpddelay' ) + || $configDB->get_prop( $dbKey, 'dpddelay' ) + || '30'; + $OUT .= " dpddelay=$dpddelay\n"; + + my $dpdtimeout = + $ipsecDB->get_prop( $ipsecprop, 'dpdtimeout' ) + || $configDB->get_prop( $dbKey, 'dpdtimeout' ) + || '10'; + $OUT .= " dpdtimeout=$dpdtimeout\n"; + + # default to yes unless overridden in the connection db + my $pfs = $ipsecDB->get_prop( $ipsecprop, 'pfs' ) || 'yes'; + $OUT .= " pfs=$pfs\n"; + + # Following come from ipsecDB or configDB or hardcoded + my $left = + $ipsecDB->get_prop( $ipsecprop, 'left' ) + || $configDB->get_prop( $dbKey, 'left' ) + || '%defaultroute'; + $OUT .= " left=$left\n"; + + if ( $security eq 'certs' ) { + my $leftid = ( $ipsecDB->get_prop( $ipsecprop, 'leftid' ) || '%fromcert' ); + $OUT .= " leftid=$leftid\n"; + } + + # These ONLY come from the ipsec_configurations db + elsif ( ( my $leftid = $ipsecDB->get_prop( $ipsecprop, 'leftid' ) || '' ) ne '' ) { + $OUT .= " leftid=\@$leftid\n"; + } + + my $leftsourceip = $ipsecDB->get_prop( $ipsecprop, 'leftsourceip' ) + || ''; + $OUT .= " leftsourceip=$leftsourceip\n"; + + my $leftsub = $ipsecDB->get_prop( $ipsecprop, 'leftsubnet' ) + || ''; + $OUT .= " leftsubnet=$leftsub\n"; + + # If we are a static host to a dynamic client we HAVE to set right %any + + my $right = $ipsecDB->get_prop( $ipsecprop, 'right' ) || ''; + + if ( $iptype eq 'stattodyn' ) { + $OUT .= " right=%any\n"; + } + else { + $OUT .= " right=$right\n"; + } + + if ( $security eq 'certs' ) { + my $rightid = ( $ipsecDB->get_prop( $ipsecprop, 'rightid' ) || '%fromcert' ); + $OUT .= " rightid=$rightid\n"; + } + + elsif ( ( my $rightid = $ipsecDB->get_prop( $ipsecprop, 'rightid' ) || '' ) ne '' ) { + $OUT .= " rightid=\@$rightid\n"; + } + + my $rightsubnet = $ipsecDB->get_prop( $ipsecprop, 'rightsubnet' ) || ''; + $OUT .= " rightsubnet=$rightsubnet\n"; + + } # End If + else { + $OUT .= "# conn $ipsecprop disabled\n"; + } + } # End foreach + } # End else } + diff -ruN smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/ipsec.d/ipsec.secrets/10Passwords smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/ipsec.d/ipsec.secrets/10Passwords --- smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/ipsec.d/ipsec.secrets/10Passwords 2017-01-25 16:19:45.652000000 +0100 +++ smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/ipsec.d/ipsec.secrets/10Passwords 2017-01-25 16:20:03.867000123 +0100 @@ -1,4 +1,3 @@ -#!/usr/bin/perl -w { use strict; @@ -22,31 +21,32 @@ my $ipsecDB = esmith::ConfigDB->open_ro('ipsec_connections') or die("cant connect to ipsec database"); - my $ExternalIP = $configDB->get_prop( "ExternalInterface", "IPAddress" ); - # This should get all the connections in an array my @connections = $ipsecDB->keys; - $OUT .= "# ipsec.secrets\n"; - + $OUT .= "# ipsec.secrets\n\n"; + + my $ExternalIP = $configDB->get_prop( "ExternalInterface", "IPAddress" ); + foreach my $ipsecprop (@connections) { # first we verify if IPSec is enabled for the connection - my $ipsecstatus = $ipsecDB->get_prop( "$ipsecprop", 'status' ) + my $ipsecstatus = $ipsecDB->get_prop( $ipsecprop, 'status' ) || "disabled"; if ( $ipsecstatus eq "enabled" ) { - my $right = $ipsecDB->get_prop( "$ipsecprop", 'right' ) || ''; + + my $right = $ipsecDB->get_prop( $ipsecprop, 'right' ) || ''; # Hmm..... if left is not set it defaults to %defaultroute which we don't want here - my $left = $ipsecDB->get_prop( "$ipsecprop", 'left' ) || $ExternalIP; - my $security = $ipsecDB->get_prop( "$ipsecprop", 'security' ) || 'secret'; - my $iptype = $ipsecDB->get_prop( "$ipsecprop", 'iptype' ) || ''; - my $certname = $ipsecDB->get_prop( "$ipsecprop", 'certname' ) || ''; - my $passwd = $ipsecDB->get_prop( "$ipsecprop", 'passwd' ) || ''; + my $left = $ipsecDB->get_prop( $ipsecprop, 'left' ) || $ExternalIP; + my $security = $ipsecDB->get_prop( $ipsecprop, 'security' ) || 'secret'; + my $iptype = $ipsecDB->get_prop( $ipsecprop, 'iptype' ) || ''; + my $certname = $ipsecDB->get_prop( $ipsecprop, 'certname' ) || ''; + my $passwd = $ipsecDB->get_prop( $ipsecprop, 'passwd' ) || ''; # Double quote is not allowed in configuration if ( $passwd =~ /"/ ) { @@ -55,15 +55,19 @@ $OUT .= "# $ipsecprop is enabled\n"; - if ( $security eq "secret" ) { + if ( $security eq 'certs' ) { + $OUT .= "# Certificates enabled for $ipsecprop - no settings required\n"; + } + + elsif ( $security eq 'secret' ) { # If dynamic it must be %any here # If not it can be ExternalIP if left not set # IF we have IDs then use them in preference to %any - my $leftid = $ipsecDB->get_prop( "$ipsecprop", 'leftid' ) || ''; - my $rightid = $ipsecDB->get_prop( "$ipsecprop", 'rightid' ) || ''; + my $leftid = $ipsecDB->get_prop( $ipsecprop, 'leftid' ) || ''; + my $rightid = $ipsecDB->get_prop( $ipsecprop, 'rightid' ) || ''; if ( $iptype eq 'stattodyn' ) { if ( ( $leftid eq '' ) && ( $rightid eq '' ) ) { @@ -101,7 +105,7 @@ $OUT .= "# $ipsecprop is disabled\n"; $OUT .= "\n"; } - $OUT .= "\n\n"; + $OUT .= "\n"; } } }