diff -ruN smeserver-libreswan-0.5.old/createlinks smeserver-libreswan-0.5/createlinks --- smeserver-libreswan-0.5.old/createlinks 2016-03-24 17:00:47.283000614 +0100 +++ smeserver-libreswan-0.5/createlinks 2016-03-24 17:01:12.827000640 +0100 @@ -13,6 +13,7 @@ /etc/ipsec.d/ipsec.conf /etc/ipsec.d/ipsec.secrets /etc/rc.d/init.d/masq + /etc/syctl.conf )) { templates2events("$_", qw( diff -ruN smeserver-libreswan-0.5.old/root/etc/e-smith/db/configuration/defaults/ipsec/debug smeserver-libreswan-0.5/root/etc/e-smith/db/configuration/defaults/ipsec/debug --- smeserver-libreswan-0.5.old/root/etc/e-smith/db/configuration/defaults/ipsec/debug 1970-01-01 01:00:00.000000000 +0100 +++ smeserver-libreswan-0.5/root/etc/e-smith/db/configuration/defaults/ipsec/debug 2016-03-24 17:01:12.826000654 +0100 @@ -0,0 +1 @@ +none diff -ruN smeserver-libreswan-0.5.old/root/etc/e-smith/events/actions/ipsec-update smeserver-libreswan-0.5/root/etc/e-smith/events/actions/ipsec-update --- smeserver-libreswan-0.5.old/root/etc/e-smith/events/actions/ipsec-update 2016-03-24 17:00:47.283000614 +0100 +++ smeserver-libreswan-0.5/root/etc/e-smith/events/actions/ipsec-update 2016-03-24 17:01:12.826000654 +0100 @@ -49,7 +49,14 @@ # First set ipsec access to private which disables firewall rule # Is this the correct syntax - what about die ? - $configDB->set_prop( $dbKey, 'access', 'private' ); + # This is problematic as masq templates are already expanded and may be wrong + + # Make sure access = private + # No point in this unless we expand the masq template again + + #unless ( $ipsec_access eq 'private' ) { + # $configDB->set_prop( $dbKey, 'access', 'private' ); + #} my $myStopConnection = qx(/etc/rc.d/init.d/ipsec stop); die("Ipsec Error - Unable to launch ipsec stop : $!\n") 
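Review bot: The path added to the templates2events list in createlinks is `/etc/syctl.conf`, which looks like a typo for `/etc/sysctl.conf`; resetRedirects in the same series runs `/sbin/sysctl -p`, which reads /etc/sysctl.conf, so a template registered under the misspelled name would be expanded (if it exists at all) into a file sysctl never loads and the reset the change relies on would not happen. The same spelling is repeated in the comment added at @@ -286 in resetRedirects. I would change the new line to `/etc/sysctl.conf` and correct the comment to match. The templates2events call itself continues past the end of the hunk.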
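Review bot: With `$configDB->set_prop( $dbKey, 'access', 'private' )` commented out in the stop path at @@ -49, nothing in this action sets access back to private, while the start path at @@ -212 still sets it to public; if the masq template keys on that property, as the surviving comment "which disables firewall rule" suggests, the ipsec firewall rule stays open on every later masq expansion after ipsec has been disabled. The same removal is made at @@ -68. Rather than dropping the assignment because the masq template is expanded before this action runs, either restore the line, `$configDB->set_prop( $dbKey, 'access', 'private' );`, and re-expand, or move both the public and private assignments into an action that runs before the masq expansion so the property and the firewall rule stay in step. The enclosing branch starts before the hunk and its stop/die sequence continues into the next hunk.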
@@ -57,7 +64,7 @@ if not defined $myStopConnection; die("Ipsec Error - Unable to stop ipsec( error code $?)\n") if $?; - print "Ipsec Information - Enable Reverse Path Filtering"; + print "Ipsec Information - reset redirects"; resetRedirects(); exit 0; @@ -68,9 +75,11 @@ if ( $configDB->get_prop( $dbKey, 'status' ) eq 'enabled' ) { # Make sure access = public - unless ( $ipsec_access eq 'public' ) { - $configDB->set_prop( $dbKey, 'access', 'public' ); - } + # No point in this unless we expand the masq template again + + #unless ( $ipsec_access eq 'public' ) { + # $configDB->set_prop( $dbKey, 'access', 'public' ); + #} my $status = (`ps ax | grep -v grep | grep pluto`); @@ -96,7 +105,6 @@ my $connection = $ipsecDB->get_prop( "$ipsecprop", 'auto' ) || ''; # Lets check the last state and if it doesn't exist set it disabled - if ( not defined( $ipsecDB->get_prop( $ipsecprop, 'PreviousState' ) ) ) { my $previpsecstatus = "disabled"; $ipsecDB->set_prop( $ipsecprop, "PreviousState", $previpsecstatus ); @@ -108,7 +116,6 @@ print "Ipsec Information - PrevState: $previpsecstatus CurrState: $ipsecstatus\n"; # Lets reread secrets anyway - print "Ipsec Information - Restart - ReReading Secrets\n"; my $reread = qx(/usr/sbin/ipsec auto --rereadsecrets); 
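Review bot: The replaced message at @@ -57, `print "Ipsec Information - reset redirects";`, has no trailing newline, so it runs into whatever the subsequent `sysctl -p` call in resetRedirects prints; every other status line in this action ends with `\n` (for example the PrevState/CurrState print at @@ -108). Change it to `print "Ipsec Information - reset redirects\n";`. The branch this print sits in begins in the previous hunk.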
@@ -122,19 +129,19 @@ && ( $ipsecstatus eq "enabled" ) ) { # Restart - print "Ipsec Information - Restarting connection - $ipsecprop\n"; # Have to use system here as replace usually returns 1280 + # Replace just rereads the config and does --delete --add system("/usr/sbin/ipsec auto --replace $ipsecprop"); print "Ipsec Information - Restart system - replace return code: $?\n"; - # If connection -= start then.... + # If connection = start then bring it up if ( $connection eq 'start' ) { print "Ipsec Information - En - En - Auto --async --up $ipsecprop\n"; + # If it is start rather than add we try and force it to come up startConnection($ipsecprop); - print "Ipsec Information - En - En auto --up\n"; print "Ipsec Information - Restart system - up return code: $?\n"; } @@ -149,24 +156,21 @@ && ( $ipsecstatus eq "disabled" ) ) { # Stop - print "Ipsec Information - Stop connection - $ipsecprop\n"; - stopConnection($ipsecprop); # Set Previous status changeState( $dbKey, $ipsecstatus ); } + # If status was disabled and now enabled then start it elsif ( ( $previpsecstatus eq "disabled" ) && ( $ipsecstatus eq "enabled" ) ) { # Start - # Set Previous status - print "Enabling connection $ipsecprop\n"; - # Have to use system here as replace usually return 1280 + # Have to use system here as replace usually returns 1280 and not 0 system("/usr/sbin/ipsec auto --replace $ipsecprop"); print "Ipsec Information - Restart system - return code: $?\n"; 
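Review bot: The comment added at @@ -149, `# Have to use system here as replace usually returns 1280 and not 0`, reads `$?` as a return code, but `$?` after `system` is the 16-bit wait status; 1280 is exit status 5 (`$? >> 8`), and the surrounding `print ... return code: $?` lines report the same raw value, so the comment documents a misreading rather than the real exit code. I would reword it to say that replace exits non-zero (status `$? >> 8`) and print `$? >> 8` in those lines. In both this hunk and @@ -149 the call is `system("/usr/sbin/ipsec auto --replace $ipsecprop")`, which passes the connection name through a shell; the list form `system('/usr/sbin/ipsec', 'auto', '--replace', $ipsecprop)` avoids the shell and makes the status check depend only on ipsec itself. The if/elsif chain these lines belong to starts and ends outside the hunk.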
@@ -183,25 +187,24 @@ #or die "exec failed!"; } + # Set Previous status changeState( $ipsecprop, $ipsecstatus ); } + # If status was enabled and now disabled then stop it elsif ( ( $previpsecstatus eq "enabled" ) && ( $ipsecstatus eq "disabled" ) ) { # Stop and remove - do we need to ? - print "Ipsec Information - Stopping connection $ipsecprop\n "; stopConnection($ipsecprop); # Set Previous status changeState( $ipsecprop, $ipsecstatus ); - } + # Should never be here as it means the statuses are other than enabled or disabled else { - - # Can't be here as it means the statuses are other than enabled or disabled print "Ipsec Error - Something went wrong with ipsec connection status\n"; } @@ -212,15 +215,14 @@ # If it isn't running then start it up # Auto connections start themselves. Added connections wait else { - print "Ipsec Information - Disable Reverse Path Filtering\n"; - setRedirects(); # Make sure access = public unless ( $ipsec_access eq 'public' ) { $configDB->set_prop( $dbKey, 'access', 'public' ); } + print "Ipsec Information - ipsec enabled - Starting ipsec\n "; my $myStartConnection = qx(/etc/rc.d/init.d/ipsec start); die("Ipsec Error - Unable to launch ipsec start : $!\n ") @@ -258,13 +260,12 @@ # Big warning - this is a potential security issue # Make sure you read and understand what happens ! - # If I knew which specific interfaces to change we could reduce the lines here system("/sbin/sysctl -w net.ipv4.conf.all.send_redirects=0") == 0 or die("Ipsec Error - A problem occurred with sysctl: $?"); system("/sbin/sysctl -w net.ipv4.conf.default.send_redirects=0") == 0 or die("Ipsec Error - A problem occurred with sysctl: $?"); - + system("/sbin/sysctl -w net.ipv4.conf.all.accept_redirects=0") == 0 or die("Ipsec Error - A problem occurred with sysctl: $?"); system("/sbin/sysctl -w net.ipv4.conf.default.accept_redirects=0") == 0 
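Review bot: Removing the `setRedirects();` call from the start path at @@ -212 leaves no call that applies the sysctl settings on enable: the only `sysctl -p` in this action is resetRedirects, which @@ -57 shows being invoked on the stop path, and nothing added here reloads the file before `/etc/rc.d/init.d/ipsec start`. If the intent is that the expanded /etc/sysctl.conf carries the rp_filter and redirect settings, they still have to be loaded into the running kernel, so I would add `resetRedirects();` (or an explicit `sysctl -p`) just before the start, unless something outside this hunk already does so. The setRedirects body at @@ -258, which this commit now leaves uncalled as far as the visible hunks show, carries the "potential security issue" warning, so the comment there should say whether the function is still meant to be used. The else branch this sits in continues past the hunk.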
@@ -286,8 +287,9 @@ sub resetRedirects { - # system ("expand-template /etc/sysctl.conf") == 0 or die ("A problem occurred with sysctl.conf: $?"); - # This should reset back to defaults + # /etc/syctl.conf is expanded on ipsec-update + # This should reload the file - if ipsec is disabled it should reset to defaults + # If ipsec is enabled it should disable rp_filtering system("/sbin/sysctl -p") == 0 or die("Ipsec Error - A problem occurred with sysctl: $?"); } diff -ruN smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/ipsec.conf/10Setup smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/ipsec.conf/10Setup --- smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/ipsec.conf/10Setup 2016-03-24 17:00:47.283000614 +0100 +++ smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/ipsec.conf/10Setup 2016-03-24 17:01:12.827000640 +0100 @@ -23,12 +23,13 @@ my $dbKey = 'ipsec'; # Generic setup file - + my $debugstatus = $configDB->get_prop( $dbKey, 'debug' ) || 'none'; + # A standard config is included in the RPM but we need to generate a new one so we can modify settings $OUT .= "config setup\n"; $OUT .= " protostack=netkey\n"; - $OUT .= " #plutodebug=none\n"; + $OUT .= " plutodebug=$debugstatus\n"; $OUT .= " #klipsdebug=none\n"; $OUT .= " plutostderrlog=/var/log/pluto/pluto.log\n"; $OUT .= " dumpdir=/var/run/pluto/\n";
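Review bot: In the 10Setup hunk `$debugstatus` is read from the configuration DB and written straight into ipsec.conf as `plutodebug=$debugstatus`; a value containing a newline or other stray text would land in the generated config as additional lines, and the `|| 'none'` fallback only covers an empty or missing property. Since plutodebug takes a list of keyword flags, validate before interpolating, for example `$debugstatus = 'none' unless $debugstatus =~ m{\A[\w, -]+\z}xms;` (pattern constructed here; tighten to the accepted keywords if the set is known). The resetRedirects comment at @@ -286 should also read `/etc/sysctl.conf`, matching the file `sysctl -p` actually loads. The template fragment likely continues with further `$OUT .=` lines after the hunk.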