/[smecontribs]/rpms/smeserver-libreswan/contribs9/smeserver-libreswan-forceencaps-l2tpd.patch
ViewVC logotype

Annotation of /rpms/smeserver-libreswan/contribs9/smeserver-libreswan-forceencaps-l2tpd.patch

Parent Directory Parent Directory | Revision Log Revision Log | View Revision Graph Revision Graph

Revision 1.1 - (hide annotations) (download)
Wed Jun 14 22:55:13 2017 UTC (6 years, 11 months ago) by reetspetit
Branch: MAIN
CVS Tags: smeserver-libreswan-0_5-26_el6_sme, smeserver-libreswan-0_5-31_el6_sme, smeserver-libreswan-0_5-33_el6_sme, smeserver-libreswan-0_5-30_el6_sme, smeserver-libreswan-0_5-32_el6_sme, smeserver-libreswan-0_5-28_el6_sme, smeserver-libreswan-0_5-27_el6_sme, smeserver-libreswan-0_5-29_el6_sme, smeserver-libreswan-0_5-34_el6_sme, HEAD 
*** empty log message ***
1 reetspetit 1.1 diff -ruN smeserver-libreswan-0.5.old/root/etc/e-smith/events/actions/ipsec-update smeserver-libreswan-0.5/root/etc/e-smith/events/actions/ipsec-update
2     --- smeserver-libreswan-0.5.old/root/etc/e-smith/events/actions/ipsec-update 2017-06-15 00:33:57.103000044 +0200
3     +++ smeserver-libreswan-0.5/root/etc/e-smith/events/actions/ipsec-update 2017-06-15 00:34:07.806999374 +0200
4     @@ -21,70 +21,84 @@
5     # Note that we do not need to use the init ipsec script - we can start and
6     # stop directly using /usr/sbin/ipsec which will call the init script
7    
8     +# Probably ought to check somewhere that the status of services is public
9     +# But if it is private then you have to re-expand masq someplace
10     +
11     use strict;
12     use warnings;
13     use esmith::ConfigDB;
14    
15     my $configDB = esmith::ConfigDB->open or die("can't open Config DB");
16     my $ipsecDB = esmith::ConfigDB->open('ipsec_connections')
17     - or die("Ipsec Error - cant connect to ipsec database");
18     + or die("Ipsec Error - cant connect to ipsec database");
19    
20     -my $dbKey = 'ipsec';
21     +my $ipsecDBkey = 'ipsec';
22     +my $xl2tpdDBkey = 'xl2tpd';
23     +my $xl2tpdipsecprop = "L2TPD-PSK";
24    
25     # Check on access status - we'll use this later
26     # If status goes to disabled we should set this private
27    
28     -my $ipsec_access = $configDB->get_prop( $dbKey, 'access' ) || 'private';
29     +my $ipsec_access = $configDB->get_prop( $ipsecDBkey, 'access' ) || 'private';
30     print "Ipsec Information - IpsecAccessState: $ipsec_access\n";
31    
32     # If the service is set disabled then make sure it is stopped
33     # Note that ipsec is not a service so we cannot use the normal service commands
34    
35     -if ( $configDB->get_prop( $dbKey, 'status' ) eq 'disabled' ) {
36     +if ( $configDB->get_prop( $ipsecDBkey, 'status' ) eq 'disabled' ) {
37     +
38     + # Always reset redirects on stop
39     + print "Ipsec Information - reset redirects";
40     + resetRedirects();
41     +
42     + # Sort out xl2tpd - if ipsec is disabled it has to be stopped
43     +
44     + print "Xl2tpd Information - ipsec is disabled - Stopping xl2tpd \n";
45     + my $myStopXl2tpd = qx(/etc/rc.d/init.d/xl2tpd stop) || die("xl2tpd Error - Unable to launch xl2tpd stop : $!\n");
46     +
47     + if ( not defined $myStopXl2tpd ) {
48     + die("Ipsec Error - Unable to stop xl2tpd( error code $?)\n") if $?;
49     + }
50    
51     # Do we check if it is already stopped ?
52     # For now we stop it regardless
53    
54     print "Ipsec Information - ipsec disabled - Stopping ipsec \n";
55     + my $myStopConnection = qx(/etc/rc.d/init.d/ipsec stop) || die("Ipsec Error - Unable to launch ipsec stop : $!\n");
56    
57     - # First set ipsec access to private which disables firewall rule
58     - # Is this the correct syntax - what about die ?
59     - # This is problematic as masq templates are already expanded and may be wrong
60     -
61     - # Make sure access = private
62     - # No point in this unless we expand the masq template again
63     -
64     - #unless ( $ipsec_access eq 'private' ) {
65     - # $configDB->set_prop( $dbKey, 'access', 'private' );
66     - #}
67     + if ( not defined $myStopConnection ) {
68     + die("Ipsec Error - Unable to stop ipsec( error code $?)\n") if $?;
69     + }
70    
71     - my $myStopConnection = qx(/etc/rc.d/init.d/ipsec stop);
72     - die("Ipsec Error - Unable to launch ipsec stop : $!\n")
73     + exit 0;
74     +}
75    
76     - if not defined $myStopConnection;
77     - die("Ipsec Error - Unable to stop ipsec( error code $?)\n") if $?;
78     +# If the ipsec service is set to enabled AND running (then check the connections)
79    
80     - print "Ipsec Information - reset redirects";
81     - resetRedirects();
82     +if ( $configDB->get_prop( $ipsecDBkey, 'status' ) eq 'enabled' ) {
83    
84     - exit 0;
85     -}
86     + # Sort out xl2tpd - if ipsec is enabled, AND xl2tpd then see if it is started
87     + if ( $configDB->get_prop( $xl2tpdDBkey, 'status' ) eq 'enabled' ) {
88     + my $xl2tpdstatus = (`ps ax | grep -v grep | grep xl2tpd`);
89    
90     -# If the service is set to enabled AND running (then check the connections)
91     + #If the service is not running then start it
92     + unless ( $xl2tpdstatus =~ m/_xl2tpd/ ) {
93    
94     -if ( $configDB->get_prop( $dbKey, 'status' ) eq 'enabled' ) {
95     + print "Xl2tpd Information - xl2tpd enabled but stopped - starting xl2tpd \n";
96     + my $myStartXl2tpd = qx(/etc/rc.d/init.d/xl2tpd start)
97     + || die("xl2tpd Error - Unable to launch xl2tpd start : $!\n");
98    
99     - # Make sure access = public
100     - # No point in this unless we expand the masq template again
101     -
102     - #unless ( $ipsec_access eq 'public' ) {
103     - # $configDB->set_prop( $dbKey, 'access', 'public' );
104     - #}
105     + if ( not defined $myStartXl2tpd ) {
106     + die("Ipsec Error - Unable to stop xl2tpd( error code $?)\n") if $?;
107     + }
108     +
109     + }
110     + }
111    
112     my $status = (`ps ax | grep -v grep | grep pluto`);
113    
114     - #If the service is running
115     - if ( $status =~ m/_plutorun/ ) {
116     + # If the ipsec service is running
117     + if ( $status =~ m/_plutorun/ ) {
118    
119     # Lets do some stuff
120     print "Ipsec Information - ipsec is running !\n";
121     @@ -99,7 +113,7 @@
122    
123     #Check the individual connection status
124     my $ipsecstatus = $ipsecDB->get_prop( "$ipsecprop", 'status' )
125     - || "disabled";
126     + || "disabled";
127    
128     # What type of connection are we ?
129     my $connection = $ipsecDB->get_prop( "$ipsecprop", 'auto' ) || '';
130     @@ -120,13 +134,13 @@
131     my $reread = qx(/usr/sbin/ipsec auto --rereadsecrets);
132    
133     die("Ipsec Error - Unable launch ipsec reread secrets : $!\n")
134     - if not defined $reread;
135     + if not defined $reread;
136     die("Ipsec Error - Unable to reread ipsec secrets ( error code $?)\n")
137     - if $?;
138     + if $?;
139    
140     # If we are enabled
141     - if ( ( $previpsecstatus eq "enabled" )
142     - && ( $ipsecstatus eq "enabled" ) ) {
143     + if ( ( $previpsecstatus eq "enabled" )
144     + && ( $ipsecstatus eq "enabled" ) ) {
145    
146     # Restart
147     print "Ipsec Information - Restarting connection - $ipsecprop\n";
148     @@ -152,20 +166,20 @@
149     }
150    
151     # If status is disabled then stop it
152     - elsif ( ( $previpsecstatus eq "disabled" )
153     - && ( $ipsecstatus eq "disabled" ) ) {
154     + elsif (( $previpsecstatus eq "disabled" )
155     + && ( $ipsecstatus eq "disabled" ) ) {
156    
157     # Stop
158     print "Ipsec Information - Stop connection - $ipsecprop\n";
159     stopConnection($ipsecprop);
160    
161     # Set Previous status
162     - changeState( $dbKey, $ipsecstatus );
163     + changeState( $ipsecDBkey, $ipsecstatus );
164     }
165    
166     # If status was disabled and now enabled then start it
167     - elsif ( ( $previpsecstatus eq "disabled" )
168     - && ( $ipsecstatus eq "enabled" ) ) {
169     + elsif (( $previpsecstatus eq "disabled" )
170     + && ( $ipsecstatus eq "enabled" ) ) {
171    
172     # Start
173     print "Enabling connection $ipsecprop\n";
174     @@ -192,8 +206,8 @@
175     }
176    
177     # If status was enabled and now disabled then stop it
178     - elsif ( ( $previpsecstatus eq "enabled" )
179     - && ( $ipsecstatus eq "disabled" ) ) {
180     + elsif (( $previpsecstatus eq "enabled" )
181     + && ( $ipsecstatus eq "disabled" ) ) {
182    
183     # Stop and remove - do we need to ?
184     print "Ipsec Information - Stopping connection $ipsecprop\n ";
185     @@ -220,13 +234,13 @@
186    
187     # Make sure access = public
188     unless ( $ipsec_access eq 'public' ) {
189     - $configDB->set_prop( $dbKey, 'access', 'public' );
190     + $configDB->set_prop( $ipsecDBkey, 'access', 'public' );
191     }
192    
193     print "Ipsec Information - ipsec enabled - Starting ipsec\n ";
194     my $myStartConnection = qx(/etc/rc.d/init.d/ipsec start);
195     die("Ipsec Error - Unable to launch ipsec start : $!\n ")
196     - if not defined $myStartConnection;
197     + if not defined $myStartConnection;
198     die("Ipsec Error - Unable to launch ipsec start ( error code $?)\n ") if $?;
199    
200     exit 0;
201     @@ -240,7 +254,7 @@
202    
203     sub changeState {
204    
205     - #@_ contains $dbKey and $ipsecstatus
206     + #@_ contains $ipsecDBkey and $ipsecstatus
207     $ipsecDB->set_prop( $_[0], 'PreviousState', $_[1] );
208     }
209    
210     @@ -262,23 +276,23 @@
211     # Make sure you read and understand what happens !
212     # If I knew which specific interfaces to change we could reduce the lines here
213     system("/sbin/sysctl -w net.ipv4.conf.all.send_redirects=0") == 0
214     - or die("Ipsec Error - A problem occurred with sysctl: $?");
215     + or die("Ipsec Error - A problem occurred with sysctl: $?");
216     system("/sbin/sysctl -w net.ipv4.conf.default.send_redirects=0") == 0
217     - or die("Ipsec Error - A problem occurred with sysctl: $?");
218     + or die("Ipsec Error - A problem occurred with sysctl: $?");
219    
220     system("/sbin/sysctl -w net.ipv4.conf.all.accept_redirects=0") == 0
221     - or die("Ipsec Error - A problem occurred with sysctl: $?");
222     + or die("Ipsec Error - A problem occurred with sysctl: $?");
223     system("/sbin/sysctl -w net.ipv4.conf.default.accept_redirects=0") == 0
224     - or die("Ipsec Error - A problem occurred with sysctl: $?");
225     + or die("Ipsec Error - A problem occurred with sysctl: $?");
226    
227     system("/sbin/sysctl -w net.ipv4.conf.default.rp_filter=0") == 0
228     - or die("Ipsec Error - A problem occurred with sysctl: $?");
229     + or die("Ipsec Error - A problem occurred with sysctl: $?");
230     system("/sbin/sysctl -w net.ipv4.conf.all.rp_filter=0") == 0
231     - or die("Ipsec Error - A problem occurred with sysctl: $?");
232     + or die("Ipsec Error - A problem occurred with sysctl: $?");
233     system("/sbin/sysctl -w net.ipv4.conf.eth0.rp_filter=0") == 0
234     - or die("Ipsec Error - A problem occurred with sysctl: $?");
235     + or die("Ipsec Error - A problem occurred with sysctl: $?");
236     system("/sbin/sysctl -w net.ipv4.conf.eth1.rp_filter=0") == 0
237     - or die("Ipsec Error - A problem occurred with sysctl: $?");
238     + or die("Ipsec Error - A problem occurred with sysctl: $?");
239    
240     # On v8 this is set to 0 so we would need
241     # system ("/sbin/sysctl -w net.core.xfrm_larval_drop=1") == 0 or die ("A problem occurred with sysctl: $?");
242     @@ -291,6 +305,6 @@
243     # This should reload the file - if ipsec is disabled it should reset to defaults
244     # If ipsec is enabled it should disable rp_filtering
245     system("/sbin/sysctl -p") == 0
246     - or die("Ipsec Error - A problem occurred with sysctl: $?");
247     + or die("Ipsec Error - A problem occurred with sysctl: $?");
248     }
249    
250     diff -ruN smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/ipsec.conf/10Setup smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/ipsec.conf/10Setup
251     --- smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/ipsec.conf/10Setup 2017-06-15 00:33:57.108000046 +0200
252     +++ smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/ipsec.conf/10Setup 2017-06-15 00:34:07.806999374 +0200
253     @@ -1,5 +1,3 @@
254     -#!/usr/bin/perl -w
255     -
256     {
257     use strict;
258     use warnings;
259     @@ -25,7 +23,8 @@
260     my $dbKey = 'ipsec';
261    
262     # Generic setup file
263     - my $debugstatus = $configDB->get_prop( $dbKey, 'debug' ) || 'none';
264     + my $debugstatus = $configDB->get_prop( $dbKey, 'debug' ) || 'none';
265     + my $keepalive = $configDB->get_prop( $dbKey, 'keepalive' ) || '';
266    
267     # A standard config is included in the RPM but we need to generate a new one so we can modify settings
268    
269     @@ -37,6 +36,10 @@
270     $OUT .= " dumpdir=/var/run/pluto/\n";
271     $OUT .= " nat_traversal=yes\n";
272    
273     + if ( $keepalive ne '' ) {
274     + $OUT .= " keep-alive=$keepalive\n";
275     + }
276     +
277     # This should get all the connections in an array
278    
279     my @connections = $ipsecDB->keys;
280     @@ -44,25 +47,29 @@
281     $OUT .= " virtual_private=";
282    
283     my $virtual_private = '';
284     -
285     + my @subnetArr = ();
286     +
287     foreach my $ipsecprop (@connections) {
288    
289     - my $type = $ipsecDB->get_prop( "$ipsecprop", 'type' );
290     - print "Connection: $ipsecprop Type: $type\n";
291     + # Note that L2TPD needs the localsubnet in here
292    
293     - if ( $type eq "ipsec" ) {
294     - print "Connection: $ipsecprop\n";
295     - my $ipsecstatus = $ipsecDB->get_prop( "$ipsecprop", 'status' ) || "disabled";
296     -
297     - if ( $ipsecstatus eq "enabled" ) {
298     - my $subnet = $ipsecDB->get_prop( "$ipsecprop", 'rightsubnet' );
299     - $virtual_private .= "%v4:$subnet,";
300     - }
301     + my $ipsecstatus = $ipsecDB->get_prop( "$ipsecprop", 'status' ) || "disabled";
302     +
303     + if ( $ipsecstatus eq 'enabled' ) {
304     + my $rightsubnet = $ipsecDB->get_prop( "$ipsecprop", 'rightsubnet' );
305    
306     - # End if
307     + # Check if the network is a unique value
308     + if ( !( $rightsubnet ~~ @subnetArr ) ) {
309     + print "$rightsubnet\n";
310     +
311     + push( @subnetArr, $rightsubnet );
312     + }
313     }
314    
315     - # End foreach
316     + } # End foreach
317     +
318     + foreach my $subnet (@subnetArr) {
319     + $virtual_private .= "%v4:$subnet,";
320     }
321    
322     # Remove last character ','
323     diff -ruN smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/ipsec.d/ipsec.conf/10Connection smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/ipsec.d/ipsec.conf/10Connection
324     --- smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/ipsec.d/ipsec.conf/10Connection 2017-06-15 00:33:57.113000043 +0200
325     +++ smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/ipsec.d/ipsec.conf/10Connection 2017-06-15 00:34:07.806999374 +0200
326     @@ -19,7 +19,7 @@
327    
328     else {
329     my $ipsecDB = esmith::ConfigDB->open_ro('ipsec_connections')
330     - or die("cant connect to ipsec database");
331     + or die("cant connect to ipsec database");
332    
333     # This should get all the connections in an array
334    
335     @@ -29,215 +29,226 @@
336    
337     foreach my $ipsecprop (@connections) {
338    
339     - # first we verify if IPSec is enabled for the connection
340     + if ( $ipsecprop ne 'L2TPD-PSK' ) {
341    
342     - my $ipsecstatus = $ipsecDB->get_prop( $ipsecprop, 'status' ) || 'disabled';
343     + # first we verify if IPSec is enabled for the connection
344    
345     - if ( $ipsecstatus eq 'enabled' ) {
346     + my $ipsecstatus = $ipsecDB->get_prop( $ipsecprop, 'status' ) || 'disabled';
347    
348     - $OUT .= "conn $ipsecprop\n";
349     -
350     - # These should be from $configDB-> ipsec
351     + if ( $ipsecstatus eq 'enabled' ) {
352    
353     - # Not templated this - maybe later with L2TPD
354     - # We currently use a password file but this could be integrated with other authent later
355     + $OUT .= "conn $ipsecprop\n";
356    
357     - # Lazy - assume that it is security (password by default) - options are rsasig|certs
358     + # These should be from $configDB-> ipsec
359    
360     - # Careful - property 'type' has a special meaning in configDB and returns 'service'
361     + # Not templated this - maybe later with L2TPD
362     + # We currently use a password file but this could be integrated with other authent later
363    
364     - my $connectiontype = $configDB->get_prop( $dbKey, 'connectiontype' )
365     - || 'tunnel';
366     - $OUT .= " type=$connectiontype\n";
367     + # Lazy - assume that it is security (password by default) - options are rsasig|certs
368    
369     - my $security = $ipsecDB->get_prop( $ipsecprop, 'security' )
370     - || 'secret';
371     + # Careful - property 'type' has a special meaning in configDB and returns 'service'
372    
373     - # my $certname = $ipsecDB->get_prop( "$ipsecprop", 'certname' ) || ''; ???? Is this required ?
374     + my $connectiontype = $configDB->get_prop( $dbKey, 'connectiontype' )
375     + || 'tunnel';
376     + $OUT .= " type=$connectiontype\n";
377    
378     - if ( $security eq 'rsasig' ) {
379     - $OUT .= " authby=rsasig\n";
380     + my $security = $ipsecDB->get_prop( $ipsecprop, 'security' )
381     + || 'secret';
382    
383     - my $leftrsasig = $ipsecDB->get_prop( $ipsecprop, 'leftrsasig' )
384     - || '';
385     - $OUT .= " leftrsasigkey=$leftrsasig\n";
386     + # my $certname = $ipsecDB->get_prop( "$ipsecprop", 'certname' ) || ''; ???? Is this required ?
387    
388     - my $rightrsasig = $ipsecDB->get_prop( $ipsecprop, 'rightrsasig' )
389     - || '';
390     - $OUT .= " rightrsasigkey=$rightrsasig\n";
391     + if ( $security eq 'rsasig' ) {
392     + $OUT .= " authby=rsasig\n";
393    
394     - }
395     + my $leftrsasig = $ipsecDB->get_prop( $ipsecprop, 'leftrsasig' )
396     + || '';
397     + $OUT .= " leftrsasigkey=$leftrsasig\n";
398    
399     - elsif ( $security eq 'certs' ) {
400     + my $rightrsasig = $ipsecDB->get_prop( $ipsecprop, 'rightrsasig' )
401     + || '';
402     + $OUT .= " rightrsasigkey=$rightrsasig\n";
403    
404     - $OUT .= " authby=rsasig\n";
405     + }
406    
407     - my $leftrsasig = $ipsecDB->get_prop( $ipsecprop, 'leftrsasig' )
408     - || '%cert';
409     - $OUT .= " leftrsasigkey=$leftrsasig\n";
410     + elsif ( $security eq 'certs' ) {
411    
412     - my $rightrsasig = $ipsecDB->get_prop( $ipsecprop, 'rightrsasig' )
413     - || '%cert';
414     - $OUT .= " rightrsasigkey=$rightrsasig\n";
415     + $OUT .= " authby=rsasig\n";
416    
417     - my $leftcert = $ipsecDB->get_prop( $ipsecprop, 'leftcert' )
418     - || '"LeftCertName"';
419     - $OUT .= " leftcert=\"$leftcert\"\n";
420     + my $leftrsasig = $ipsecDB->get_prop( $ipsecprop, 'leftrsasig' )
421     + || '%cert';
422     + $OUT .= " leftrsasigkey=$leftrsasig\n";
423    
424     - my $rightcert = $ipsecDB->get_prop( $ipsecprop, 'rightcert' )
425     - || '"RightCertName"';
426     - $OUT .= " rightcert=\"$rightcert\"\n";
427     + my $rightrsasig = $ipsecDB->get_prop( $ipsecprop, 'rightrsasig' )
428     + || '%cert';
429     + $OUT .= " rightrsasigkey=$rightrsasig\n";
430    
431     - }
432     + my $leftcert = $ipsecDB->get_prop( $ipsecprop, 'leftcert' )
433     + || '"LeftCertName"';
434     + $OUT .= " leftcert=\"$leftcert\"\n";
435    
436     - else {
437     - $OUT .= " authby=$security\n";
438     - }
439     + my $rightcert = $ipsecDB->get_prop( $ipsecprop, 'rightcert' )
440     + || '"RightCertName"';
441     + $OUT .= " rightcert=\"$rightcert\"\n";
442    
443     - # Use connection value if it exists, if not use generic db value
444     - my $auto =
445     - $ipsecDB->get_prop( $ipsecprop, 'auto' )
446     - || $configDB->get_prop( $dbKey, 'auto' )
447     - || 'start';
448     + }
449    
450     - # If we are a static host to a dynamic client we are always add
451     - my $iptype = $ipsecDB->get_prop( $ipsecprop, 'iptype' ) || '';
452     + else {
453     + $OUT .= " authby=$security\n";
454     + }
455    
456     - if ( $iptype eq 'stattodyn' ) {
457     - $OUT .= " auto=add\n";
458     - }
459     - else {
460     - $OUT .= " auto=$auto\n";
461     - }
462     + # Use connection value if it exists, if not use generic db value
463     + my $auto =
464     + $ipsecDB->get_prop( $ipsecprop, 'auto' )
465     + || $configDB->get_prop( $dbKey, 'auto' )
466     + || 'start';
467    
468     - # We should change ipsecversion to ikev2status
469     - my $ipsecversion =
470     - $ipsecDB->get_prop( $ipsecprop, 'ipsecversion' )
471     - || $configDB->get_prop( $dbKey, 'ipsecversion' )
472     - || 'permit';
473     -
474     - $OUT .= " ikev2=$ipsecversion\n";
475     -
476     - # Set the Phase one and Phase two default strengths - these are set to aes
477     - my $ike =
478     - $ipsecDB->get_prop( $ipsecprop, 'ike' )
479     - || $configDB->get_prop( $dbKey, 'ike' )
480     - || 'aes-sha1';
481     - $OUT .= " ike=$ike\n";
482     -
483     - my $phase2 =
484     - $ipsecDB->get_prop( $ipsecprop, 'phase2' )
485     - || $configDB->get_prop( $dbKey, 'phase2' )
486     - || 'aes-sha1';
487     - $OUT .= " phase2alg=$phase2\n";
488     -
489     - # mtu can only be set per connection
490     - my $mtu = $ipsecDB->get_prop( $ipsecprop, 'mtu' )
491     - || '';
492     + # If we are a static host to a dynamic client we are always add
493     + my $iptype = $ipsecDB->get_prop( $ipsecprop, 'iptype' ) || '';
494    
495     - unless ( $mtu eq '' ) {
496     - $OUT .= " mtu=$mtu\n";
497     - }
498     + if ( $iptype eq 'stattodyn' ) {
499     + $OUT .= " auto=add\n";
500     + }
501     + else {
502     + $OUT .= " auto=$auto\n";
503     + }
504    
505     - # These should be from $configDB-> ipsec unless they exist in ipsec_connections
506     + # We should change ipsecversion to 'ikev2'
507     + my $ipsecversion =
508     + $ipsecDB->get_prop( $ipsecprop, 'ipsecversion' )
509     + || $configDB->get_prop( $dbKey, 'ipsecversion' )
510     + || 'permit';
511    
512     - my $keyingtries =
513     - $ipsecDB->get_prop( $ipsecprop, 'keyingtries' )
514     - || $configDB->get_prop( $dbKey, 'keyingtries' )
515     - || '0';
516     - $OUT .= " keyingtries=$keyingtries\n";
517     -
518     - # Following come from ipsecDB or configDB or hardcoded
519     - my $ikelifetime =
520     - $ipsecDB->get_prop( $ipsecprop, 'ikelifetime' )
521     - || $configDB->get_prop( $dbKey, 'ikelifetime' )
522     - || '3600s';
523     - $OUT .= " ikelifetime=$ikelifetime\n";
524     -
525     - my $salifetime =
526     - $ipsecDB->get_prop( $ipsecprop, 'salifetime' )
527     - || $configDB->get_prop( $dbKey, 'salifetime' )
528     - || '28800s';
529     - $OUT .= " salifetime=$salifetime\n";
530     -
531     - # Add is for incoming and is better that server dpd is ignored
532     - # Disabled for now
533     -
534     - # if ( $auto ne 'add' ) {}
535     - my $dpdaction =
536     - $ipsecDB->get_prop( $ipsecprop, 'dpdaction' )
537     - || $configDB->get_prop( $dbKey, 'dpdaction' )
538     - || 'restart';
539     - $OUT .= " dpdaction=$dpdaction\n";
540     -
541     - my $dpddelay =
542     - $ipsecDB->get_prop( $ipsecprop, 'dpddelay' )
543     - || $configDB->get_prop( $dbKey, 'dpddelay' )
544     - || '30';
545     - $OUT .= " dpddelay=$dpddelay\n";
546     -
547     - my $dpdtimeout =
548     - $ipsecDB->get_prop( $ipsecprop, 'dpdtimeout' )
549     - || $configDB->get_prop( $dbKey, 'dpdtimeout' )
550     - || '10';
551     - $OUT .= " dpdtimeout=$dpdtimeout\n";
552     -
553     - # default to yes unless overridden in the connection db
554     - my $pfs = $ipsecDB->get_prop( $ipsecprop, 'pfs' ) || 'yes';
555     - $OUT .= " pfs=$pfs\n";
556     -
557     - # Following come from ipsecDB or configDB or hardcoded
558     - my $left =
559     - $ipsecDB->get_prop( $ipsecprop, 'left' )
560     - || $configDB->get_prop( $dbKey, 'left' )
561     - || '%defaultroute';
562     - $OUT .= " left=$left\n";
563     -
564     - if ( $security eq 'certs' ) {
565     - my $leftid = ( $ipsecDB->get_prop( $ipsecprop, 'leftid' ) || '%fromcert' );
566     - $OUT .= " leftid=$leftid\n";
567     - }
568     + $OUT .= " ikev2=$ipsecversion\n";
569    
570     - # These ONLY come from the ipsec_configurations db
571     - elsif ( ( my $leftid = $ipsecDB->get_prop( $ipsecprop, 'leftid' ) || '' ) ne '' ) {
572     - $OUT .= " leftid=$leftid\n";
573     - }
574     + # Set the Phase one and Phase two default strengths - these are set to aes
575     + my $ike =
576     + $ipsecDB->get_prop( $ipsecprop, 'ike' )
577     + || $configDB->get_prop( $dbKey, 'ike' )
578     + || 'aes-sha1';
579     + $OUT .= " ike=$ike\n";
580    
581     - my $leftsourceip = $ipsecDB->get_prop( $ipsecprop, 'leftsourceip' )
582     - || '';
583     - $OUT .= " leftsourceip=$leftsourceip\n";
584     + # We should change phase2 to phase2alg
585     + my $phase2 =
586     + $ipsecDB->get_prop( $ipsecprop, 'phase2' )
587     + || $configDB->get_prop( $dbKey, 'phase2' )
588     + || 'aes-sha1';
589     + $OUT .= " phase2alg=$phase2\n";
590    
591     - my $leftsub = $ipsecDB->get_prop( $ipsecprop, 'leftsubnet' )
592     - || '';
593     - $OUT .= " leftsubnet=$leftsub\n";
594     + # mtu can only be set per connection
595     + my $mtu = $ipsecDB->get_prop( $ipsecprop, 'mtu' )
596     + || '';
597    
598     - # If we are a static host to a dynamic client we HAVE to set right %any
599     + unless ( $mtu eq '' ) {
600     + $OUT .= " mtu=$mtu\n";
601     + }
602    
603     - my $right = $ipsecDB->get_prop( $ipsecprop, 'right' ) || '';
604     + # These should be from $configDB-> ipsec unless they exist in ipsec_connections
605    
606     - if ( $iptype eq 'stattodyn' ) {
607     - $OUT .= " right=%any\n";
608     - }
609     - else {
610     - $OUT .= " right=$right\n";
611     - }
612     + my $forceencaps =
613     + $ipsecDB->get_prop( $ipsecprop, 'forceencaps' )
614     + || $configDB->get_prop( $dbKey, 'forceencaps' )
615     + || 'no';
616     + $OUT .= " forceencaps=$forceencaps\n";
617    
618     - if ( $security eq 'certs' ) {
619     - my $rightid = ( $ipsecDB->get_prop( $ipsecprop, 'rightid' ) || '%fromcert' );
620     - $OUT .= " rightid=$rightid\n";
621     - }
622     + my $keyingtries =
623     + $ipsecDB->get_prop( $ipsecprop, 'keyingtries' )
624     + || $configDB->get_prop( $dbKey, 'keyingtries' )
625     + || '0';
626     + $OUT .= " keyingtries=$keyingtries\n";
627    
628     - elsif ( ( my $rightid = $ipsecDB->get_prop( $ipsecprop, 'rightid' ) || '' ) ne '' ) {
629     - $OUT .= " rightid=$rightid\n";
630     - }
631     + # Following come from ipsecDB or configDB or hardcoded
632     + my $ikelifetime =
633     + $ipsecDB->get_prop( $ipsecprop, 'ikelifetime' )
634     + || $configDB->get_prop( $dbKey, 'ikelifetime' )
635     + || '3600s';
636     + $OUT .= " ikelifetime=$ikelifetime\n";
637     +
638     + my $salifetime =
639     + $ipsecDB->get_prop( $ipsecprop, 'salifetime' )
640     + || $configDB->get_prop( $dbKey, 'salifetime' )
641     + || '28800s';
642     + $OUT .= " salifetime=$salifetime\n";
643     +
644     + # Add is for incoming and is better that server dpd is ignored
645     + # Disabled for now
646    
647     - my $rightsubnet = $ipsecDB->get_prop( $ipsecprop, 'rightsubnet' ) || '';
648     - $OUT .= " rightsubnet=$rightsubnet\n";
649     + # if ( $auto ne 'add' ) {}
650     + my $dpdaction =
651     + $ipsecDB->get_prop( $ipsecprop, 'dpdaction' )
652     + || $configDB->get_prop( $dbKey, 'dpdaction' )
653     + || 'restart';
654     + $OUT .= " dpdaction=$dpdaction\n";
655     +
656     + my $dpddelay =
657     + $ipsecDB->get_prop( $ipsecprop, 'dpddelay' )
658     + || $configDB->get_prop( $dbKey, 'dpddelay' )
659     + || '30';
660     + $OUT .= " dpddelay=$dpddelay\n";
661     +
662     + my $dpdtimeout =
663     + $ipsecDB->get_prop( $ipsecprop, 'dpdtimeout' )
664     + || $configDB->get_prop( $dbKey, 'dpdtimeout' )
665     + || '10';
666     + $OUT .= " dpdtimeout=$dpdtimeout\n";
667     +
668     + # default to yes unless overridden in the connection db
669     + my $pfs = $ipsecDB->get_prop( $ipsecprop, 'pfs' ) || 'yes';
670     + $OUT .= " pfs=$pfs\n";
671     +
672     + # Following come from ipsecDB or configDB or hardcoded
673     + my $left =
674     + $ipsecDB->get_prop( $ipsecprop, 'left' )
675     + || $configDB->get_prop( $dbKey, 'left' )
676     + || '%defaultroute';
677     + $OUT .= " left=$left\n";
678     +
679     + if ( $security eq 'certs' ) {
680     + my $leftid = ( $ipsecDB->get_prop( $ipsecprop, 'leftid' ) || '%fromcert' );
681     + $OUT .= " leftid=$leftid\n";
682     + }
683     +
684     + # These ONLY come from the ipsec_configurations db
685     + elsif ( ( my $leftid = $ipsecDB->get_prop( $ipsecprop, 'leftid' ) || '' ) ne '' ) {
686     + $OUT .= " leftid=$leftid\n";
687     + }
688     +
689     + my $leftsourceip = $ipsecDB->get_prop( $ipsecprop, 'leftsourceip' )
690     + || '';
691     + $OUT .= " leftsourceip=$leftsourceip\n";
692     +
693     + my $leftsub = $ipsecDB->get_prop( $ipsecprop, 'leftsubnet' )
694     + || '';
695     + $OUT .= " leftsubnet=$leftsub\n";
696     +
697     + # If we are a static host to a dynamic client we HAVE to set right %any
698     +
699     + my $right = $ipsecDB->get_prop( $ipsecprop, 'right' ) || '';
700     +
701     + if ( $iptype eq 'stattodyn' ) {
702     + $OUT .= " right=%any\n";
703     + }
704     + else {
705     + $OUT .= " right=$right\n";
706     + }
707     +
708     + if ( $security eq 'certs' ) {
709     + my $rightid = ( $ipsecDB->get_prop( $ipsecprop, 'rightid' ) || '%fromcert' );
710     + $OUT .= " rightid=$rightid\n";
711     + }
712     +
713     + elsif ( ( my $rightid = $ipsecDB->get_prop( $ipsecprop, 'rightid' ) || '' ) ne '' ) {
714     + $OUT .= " rightid=$rightid\n";
715     + }
716     +
717     + my $rightsubnet = $ipsecDB->get_prop( $ipsecprop, 'rightsubnet' ) || '';
718     + $OUT .= " rightsubnet=$rightsubnet\n";
719     +
720     + } # End If
721     + else {
722     + $OUT .= "# conn $ipsecprop disabled\n";
723     + }
724    
725     - } # End If
726     - else {
727     - $OUT .= "# conn $ipsecprop disabled\n";
728     - }
729     + } # End unless
730     } # End foreach
731     } # End else
732     }
733     diff -ruN smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/ipsec.d/ipsec.secrets/10Passwords smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/ipsec.d/ipsec.secrets/10Passwords
734     --- smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/ipsec.d/ipsec.secrets/10Passwords 2017-06-15 00:33:57.112000044 +0200
735     +++ smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/ipsec.d/ipsec.secrets/10Passwords 2017-06-15 00:34:07.806999374 +0200
736     @@ -19,94 +19,98 @@
737    
738     else {
739     my $ipsecDB = esmith::ConfigDB->open_ro('ipsec_connections')
740     - or die("cant connect to ipsec database");
741     + or die("cant connect to ipsec database");
742    
743     # This should get all the connections in an array
744    
745     my @connections = $ipsecDB->keys;
746    
747     $OUT .= "# ipsec.secrets\n\n";
748     -
749     +
750     my $ExternalIP = $configDB->get_prop( "ExternalInterface", "IPAddress" );
751     -
752     +
753     foreach my $ipsecprop (@connections) {
754    
755     - # first we verify if IPSec is enabled for the connection
756     + if ( $ipsecprop ne 'L2TPD-PSK' ) {
757    
758     - my $ipsecstatus = $ipsecDB->get_prop( $ipsecprop, 'status' )
759     - || "disabled";
760     + # first we verify if IPSec is enabled for the connection
761    
762     - if ( $ipsecstatus eq "enabled" ) {
763     + my $ipsecstatus = $ipsecDB->get_prop( $ipsecprop, 'status' )
764     + || "disabled";
765    
766     - my $right = $ipsecDB->get_prop( $ipsecprop, 'right' ) || '';
767     + if ( $ipsecstatus eq "enabled" ) {
768    
769     - # Hmm..... if left is not set it defaults to %defaultroute which we don't want here
770     + my $right = $ipsecDB->get_prop( $ipsecprop, 'right' ) || '';
771    
772     - my $left = $ipsecDB->get_prop( $ipsecprop, 'left' ) || $ExternalIP;
773     - my $security = $ipsecDB->get_prop( $ipsecprop, 'security' ) || 'secret';
774     - my $iptype = $ipsecDB->get_prop( $ipsecprop, 'iptype' ) || '';
775     - my $certname = $ipsecDB->get_prop( $ipsecprop, 'certname' ) || '';
776     - my $passwd = $ipsecDB->get_prop( $ipsecprop, 'passwd' ) || '';
777     + # Hmm..... if left is not set it defaults to %defaultroute which we don't want here
778    
779     - # Double quote is not allowed in configuration
780     - if ( $passwd =~ /"/ ) {
781     - die("Ipsec Error - PSK value cannot contain double quotes (\")");
782     - }
783     + my $left = $ipsecDB->get_prop( $ipsecprop, 'left' ) || $ExternalIP;
784     + my $security = $ipsecDB->get_prop( $ipsecprop, 'security' ) || 'secret';
785     + my $iptype = $ipsecDB->get_prop( $ipsecprop, 'iptype' ) || '';
786     + my $certname = $ipsecDB->get_prop( $ipsecprop, 'certname' ) || '';
787     + my $passwd = $ipsecDB->get_prop( $ipsecprop, 'passwd' ) || '';
788    
789     - $OUT .= "# $ipsecprop is enabled\n";
790     + # Double quote is not allowed in configuration
791     + if ( $passwd =~ /"/ ) {
792     + die("Ipsec Error - PSK value cannot contain double quotes (\")");
793     + }
794    
795     - if ( $security eq 'certs' ) {
796     - $OUT .= "# Certificates enabled for $ipsecprop - no settings required\n";
797     - }
798     + $OUT .= "# $ipsecprop is enabled\n";
799    
800     - elsif ( $security eq 'secret' ) {
801     + if ( $security eq 'certs' ) {
802     + $OUT .= "# Certificates enabled for $ipsecprop - no settings required\n";
803     + }
804    
805     - # If dynamic it must be %any here
806     - # If not it can be ExternalIP if left not set
807     + elsif ( $security eq 'secret' ) {
808    
809     - # IF we have IDs then use them in preference to %any
810     + # If dynamic it must be %any here
811     + # If not it can be ExternalIP if left not set
812    
813     - my $leftid = $ipsecDB->get_prop( $ipsecprop, 'leftid' ) || '';
814     - my $rightid = $ipsecDB->get_prop( $ipsecprop, 'rightid' ) || '';
815     + # IF we have IDs then use them in preference to %any
816    
817     - if ( $iptype eq 'stattodyn' ) {
818     - if ( ( $leftid eq '' ) && ( $rightid eq '' ) ) {
819     - $OUT .= "$left %any \: PSK \"$passwd\"";
820     + my $leftid = $ipsecDB->get_prop( $ipsecprop, 'leftid' ) || '';
821     + my $rightid = $ipsecDB->get_prop( $ipsecprop, 'rightid' ) || '';
822     +
823     + if ( $iptype eq 'stattodyn' ) {
824     + if ( ( $leftid eq '' ) && ( $rightid eq '' ) ) {
825     + $OUT .= "$left %any \: PSK \"$passwd\"";
826     + }
827     + else {
828     + $OUT .= "$leftid $rightid \: PSK \"$passwd\"";
829     + }
830     }
831     - else {
832     - $OUT .= "$leftid $rightid \: PSK \"$passwd\"";
833     +
834     + elsif ( $iptype eq 'dyntostat' ) {
835     + if ( ( $leftid eq '' ) && ( $rightid eq '' ) ) {
836     + $OUT .= "%any $right\: PSK \"$passwd\"";
837     + }
838     + else {
839     + $OUT .= "$leftid $rightid \: PSK \"$passwd\"";
840     + }
841     }
842     - }
843    
844     - elsif ( $iptype eq 'dyntostat' ) {
845     - if ( ( $leftid eq '' ) && ( $rightid eq '' ) ) {
846     - $OUT .= "%any $right\: PSK \"$passwd\"";
847     + elsif ( ( $leftid ne '' ) && ( $rightid ne '' ) ) {
848     + $OUT .= "$leftid $rightid \: PSK \"$passwd\"";
849     }
850     +
851     else {
852     - $OUT .= "$leftid $rightid \: PSK \"$passwd\"";
853     + $OUT .= "$left $right \: PSK \"$passwd\"";
854     }
855     }
856    
857     - elsif ( ( $leftid ne '' ) && ( $rightid ne '' ) ) {
858     - $OUT .= "$leftid $rightid \: PSK \"$passwd\"";
859     + elsif ( $security eq "rsasig" ) {
860     + $OUT .= "# Connection to $ipsecprop is RSA\n";
861     + $OUT .= "# Our RSA key is in separate file\n";
862     }
863    
864     else {
865     - $OUT .= "$left $right \: PSK \"$passwd\"";
866     + $OUT .= "# $ipsecprop is disabled\n";
867     + $OUT .= "\n";
868     }
869     - }
870     -
871     - elsif ( $security eq "rsasig" ) {
872     - $OUT .= "# Connection to $ipsecprop is RSA\n";
873     - $OUT .= "# Our RSA key is in separate file\n";
874     - }
875     -
876     - else {
877     - $OUT .= "# $ipsecprop is disabled\n";
878     $OUT .= "\n";
879     - }
880     - $OUT .= "\n";
881     - }
882     - }
883     - }
884     + } # if
885     + } #unless
886     + } #foreach
887     + } #else
888     }
889     +
admin@koozali.org
 ViewVC Help
Powered by ViewVC 1.2.1 RSS 2.0 feed