diff -ruN smeserver-libreswan-0.5.old/root/etc/e-smith/events/actions/ipsec-update smeserver-libreswan-0.5/root/etc/e-smith/events/actions/ipsec-update
--- smeserver-libreswan-0.5.old/root/etc/e-smith/events/actions/ipsec-update 2017-06-15 00:33:57.103000044 +0200
+++ smeserver-libreswan-0.5/root/etc/e-smith/events/actions/ipsec-update 2017-06-15 00:34:07.806999374 +0200 
@@ -21,70 +21,84 @@ # Note that we do not need to use the init ipsec script - we can start and # stop directly using /usr/sbin/ipsec which will call the init script +# Probably ought to check somewhere that the status of services is public +# But if it is private then you have to re-expand masq someplace + use strict; use warnings; use esmith::ConfigDB; my $configDB = esmith::ConfigDB->open or die("can't open Config DB"); my $ipsecDB = esmith::ConfigDB->open('ipsec_connections') - or die("Ipsec Error - cant connect to ipsec database"); + or die("Ipsec Error - cant connect to ipsec database"); -my $dbKey = 'ipsec'; +my $ipsecDBkey = 'ipsec'; +my $xl2tpdDBkey = 'xl2tpd'; +my $xl2tpdipsecprop = "L2TPD-PSK"; # Check on access status - we'll use this later # If status goes to disabled we should set this private -my $ipsec_access = $configDB->get_prop( $dbKey, 'access' ) || 'private'; +my $ipsec_access = $configDB->get_prop( $ipsecDBkey, 'access' ) || 'private'; print "Ipsec Information - IpsecAccessState: $ipsec_access\n"; # If the service is set disabled then make sure it is stopped # Note that ipsec is not a service so we cannot use the normal service commands -if ( $configDB->get_prop( $dbKey, 'status' ) eq 'disabled' ) { +if ( $configDB->get_prop( $ipsecDBkey, 'status' ) eq 'disabled' ) { + + # Always reset redirects on stop + print "Ipsec Information - reset redirects"; + resetRedirects(); + + # Sort out xl2tpd - if ipsec is disabled it has to be stopped + + print "Xl2tpd Information - ipsec is disabled - Stopping xl2tpd \n"; + my $myStopXl2tpd = qx(/etc/rc.d/init.d/xl2tpd stop) || die("xl2tpd Error - Unable to launch xl2tpd stop : $!\n"); + + if ( not defined $myStopXl2tpd ) { + die("Ipsec Error - Unable to stop xl2tpd( error code $?)\n") if $?; + } # Do we check if it is already stopped ? 
# For now we stop it regardless print "Ipsec Information - ipsec disabled - Stopping ipsec \n"; + my $myStopConnection = qx(/etc/rc.d/init.d/ipsec stop) || die("Ipsec Error - Unable to launch ipsec stop : $!\n"); - # First set ipsec access to private which disables firewall rule - # Is this the correct syntax - what about die ? - # This is problematic as masq templates are already expanded and may be wrong - - # Make sure access = private - # No point in this unless we expand the masq template again - - #unless ( $ipsec_access eq 'private' ) { - # $configDB->set_prop( $dbKey, 'access', 'private' ); - #} + if ( not defined $myStopConnection ) { + die("Ipsec Error - Unable to stop ipsec( error code $?)\n") if $?; + } - my $myStopConnection = qx(/etc/rc.d/init.d/ipsec stop); - die("Ipsec Error - Unable to launch ipsec stop : $!\n") + exit 0; +} - if not defined $myStopConnection; - die("Ipsec Error - Unable to stop ipsec( error code $?)\n") if $?; +# If the ipsec service is set to enabled AND running (then check the connections) - print "Ipsec Information - reset redirects"; - resetRedirects(); +if ( $configDB->get_prop( $ipsecDBkey, 'status' ) eq 'enabled' ) { - exit 0; -} + # Sort out xl2tpd - if ipsec is enabled, AND xl2tpd then see if it is started + if ( $configDB->get_prop( $xl2tpdDBkey, 'status' ) eq 'enabled' ) { + my $xl2tpdstatus = (`ps ax | grep -v grep | grep xl2tpd`); -# If the service is set to enabled AND running (then check the connections) + #If the service is not running then start it + unless ( $xl2tpdstatus =~ m/_xl2tpd/ ) { -if ( $configDB->get_prop( $dbKey, 'status' ) eq 'enabled' ) { + print "Xl2tpd Information - xl2tpd enabled but stopped - starting xl2tpd \n"; + my $myStartXl2tpd = qx(/etc/rc.d/init.d/xl2tpd start) + || die("xl2tpd Error - Unable to launch xl2tpd start : $!\n"); - # Make sure access = public - # No point in this unless we expand the masq template again - - #unless ( $ipsec_access eq 'public' ) { - # $configDB->set_prop( 
$dbKey, 'access', 'public' ); - #} + if ( not defined $myStartXl2tpd ) { + die("Ipsec Error - Unable to stop xl2tpd( error code $?)\n") if $?; + } + + } + } my $status = (`ps ax | grep -v grep | grep pluto`); - #If the service is running - if ( $status =~ m/_plutorun/ ) { + # If the ipsec service is running + if ( $status =~ m/_plutorun/ ) { # Lets do some stuff print "Ipsec Information - ipsec is running !\n"; @@ -99,7 +113,7 @@ #Check the individual connection status my $ipsecstatus = $ipsecDB->get_prop( "$ipsecprop", 'status' ) - || "disabled"; + || "disabled"; # What type of connection are we ? my $connection = $ipsecDB->get_prop( "$ipsecprop", 'auto' ) || ''; @@ -120,13 +134,13 @@ my $reread = qx(/usr/sbin/ipsec auto --rereadsecrets); die("Ipsec Error - Unable launch ipsec reread secrets : $!\n") - if not defined $reread; + if not defined $reread; die("Ipsec Error - Unable to reread ipsec secrets ( error code $?)\n") - if $?; + if $?; # If we are enabled - if ( ( $previpsecstatus eq "enabled" ) - && ( $ipsecstatus eq "enabled" ) ) { + if ( ( $previpsecstatus eq "enabled" ) + && ( $ipsecstatus eq "enabled" ) ) { # Restart print "Ipsec Information - Restarting connection - $ipsecprop\n"; @@ -152,20 +166,20 @@ } # If status is disabled then stop it - elsif ( ( $previpsecstatus eq "disabled" ) - && ( $ipsecstatus eq "disabled" ) ) { + elsif (( $previpsecstatus eq "disabled" ) + && ( $ipsecstatus eq "disabled" ) ) { # Stop print "Ipsec Information - Stop connection - $ipsecprop\n"; stopConnection($ipsecprop); # Set Previous status - changeState( $dbKey, $ipsecstatus ); + changeState( $ipsecDBkey, $ipsecstatus ); } # If status was disabled and now enabled then start it - elsif ( ( $previpsecstatus eq "disabled" ) - && ( $ipsecstatus eq "enabled" ) ) { + elsif (( $previpsecstatus eq "disabled" ) + && ( $ipsecstatus eq "enabled" ) ) { # Start print "Enabling connection $ipsecprop\n"; 
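Review bot: The `qx(...) || die(...)` form on the new xl2tpd stop, ipsec stop and xl2tpd start lines drops the exit-status check the old code had: `$?` is now only inspected inside `if ( not defined ... )`, a branch the `|| die` has already made unreachable, so an init script that fails but prints something is treated as success, while one that succeeds with empty output dies. Restore the two-step check, e.g. `my $myStopXl2tpd = qx(/etc/rc.d/init.d/xl2tpd stop);` / `die("xl2tpd Error - Unable to launch xl2tpd stop : $!\n") if not defined $myStopXl2tpd;` / `die("Ipsec Error - Unable to stop xl2tpd( error code $?)\n") if $?;`, and the same for the other two. The start branch's die message also says "Unable to stop xl2tpd" where it means start. The `_xl2tpd` pattern in the running check looks copied from the `_plutorun` one; if the process shows up in `ps` as plain `xl2tpd` the match never fires and a start is attempted on every run, so it is worth checking on the target. The `if ( ... eq 'enabled' )` block this hunk opens continues past its end.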
@@ -192,8 +206,8 @@ } # If status was enabled and now disabled then stop it - elsif ( ( $previpsecstatus eq "enabled" ) - && ( $ipsecstatus eq "disabled" ) ) { + elsif (( $previpsecstatus eq "enabled" ) + && ( $ipsecstatus eq "disabled" ) ) { # Stop and remove - do we need to ? print "Ipsec Information - Stopping connection $ipsecprop\n "; @@ -220,13 +234,13 @@ # Make sure access = public unless ( $ipsec_access eq 'public' ) { - $configDB->set_prop( $dbKey, 'access', 'public' ); + $configDB->set_prop( $ipsecDBkey, 'access', 'public' ); } print "Ipsec Information - ipsec enabled - Starting ipsec\n "; my $myStartConnection = qx(/etc/rc.d/init.d/ipsec start); die("Ipsec Error - Unable to launch ipsec start : $!\n ") - if not defined $myStartConnection; + if not defined $myStartConnection; die("Ipsec Error - Unable to launch ipsec start ( error code $?)\n ") if $?; exit 0; @@ -240,7 +254,7 @@ sub changeState { - #@_ contains $dbKey and $ipsecstatus + #@_ contains $ipsecDBkey and $ipsecstatus $ipsecDB->set_prop( $_[0], 'PreviousState', $_[1] ); } 
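Review bot: `changeState( $ipsecDBkey, $ipsecstatus )` in the disabled/disabled branch passes the config key `'ipsec'`, and changeState does `$ipsecDB->set_prop( $_[0], 'PreviousState', $_[1] )` against the ipsec_connections DB, so PreviousState lands on a record named `ipsec` rather than on the connection being processed; this predates the commit (the old line passed `$dbKey`), but the rename is the moment to check whether `changeState( $ipsecprop, $ipsecstatus );` is what was meant, and whether the sibling branches of this `if`/`elsif` chain do the same. The chain starts and ends outside this hunk.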
@@ -262,23 +276,23 @@ # Make sure you read and understand what happens ! # If I knew which specific interfaces to change we could reduce the lines here system("/sbin/sysctl -w net.ipv4.conf.all.send_redirects=0") == 0 - or die("Ipsec Error - A problem occurred with sysctl: $?"); + or die("Ipsec Error - A problem occurred with sysctl: $?"); system("/sbin/sysctl -w net.ipv4.conf.default.send_redirects=0") == 0 - or die("Ipsec Error - A problem occurred with sysctl: $?"); + or die("Ipsec Error - A problem occurred with sysctl: $?"); system("/sbin/sysctl -w net.ipv4.conf.all.accept_redirects=0") == 0 - or die("Ipsec Error - A problem occurred with sysctl: $?"); + or die("Ipsec Error - A problem occurred with sysctl: $?"); system("/sbin/sysctl -w net.ipv4.conf.default.accept_redirects=0") == 0 - or die("Ipsec Error - A problem occurred with sysctl: $?"); + or die("Ipsec Error - A problem occurred with sysctl: $?"); system("/sbin/sysctl -w net.ipv4.conf.default.rp_filter=0") == 0 - or die("Ipsec Error - A problem occurred with sysctl: $?"); + or die("Ipsec Error - A problem occurred with sysctl: $?"); system("/sbin/sysctl -w net.ipv4.conf.all.rp_filter=0") == 0 - or die("Ipsec Error - A problem occurred with sysctl: $?"); + or die("Ipsec Error - A problem occurred with sysctl: $?"); system("/sbin/sysctl -w net.ipv4.conf.eth0.rp_filter=0") == 0 - or die("Ipsec Error - A problem occurred with sysctl: $?"); + or die("Ipsec Error - A problem occurred with sysctl: $?"); system("/sbin/sysctl -w net.ipv4.conf.eth1.rp_filter=0") == 0 - or die("Ipsec Error - A problem occurred with sysctl: $?"); + or die("Ipsec Error - A problem occurred with sysctl: $?"); # On v8 this is set to 0 so we would need # system ("/sbin/sysctl -w net.core.xfrm_larval_drop=1") == 0 or die ("A problem occurred with sysctl: $?"); 
@@ -291,6 +305,6 @@ # This should reload the file - if ipsec is disabled it should reset to defaults # If ipsec is enabled it should disable rp_filtering system("/sbin/sysctl -p") == 0 - or die("Ipsec Error - A problem occurred with sysctl: $?"); + or die("Ipsec Error - A problem occurred with sysctl: $?"); } diff -ruN smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/ipsec.conf/10Setup smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/ipsec.conf/10Setup --- smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/ipsec.conf/10Setup 2017-06-15 00:33:57.108000046 +0200 +++ smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/ipsec.conf/10Setup 2017-06-15 00:34:07.806999374 +0200 @@ -1,5 +1,3 @@ -#!/usr/bin/perl -w - { use strict; use warnings; @@ -25,7 +23,8 @@ my $dbKey = 'ipsec'; # Generic setup file - my $debugstatus = $configDB->get_prop( $dbKey, 'debug' ) || 'none'; + my $debugstatus = $configDB->get_prop( $dbKey, 'debug' ) || 'none'; + my $keepalive = $configDB->get_prop( $dbKey, 'keepalive' ) || ''; # A standard config is included in the RPM but we need to generate a new one so we can modify settings @@ -37,6 +36,10 @@ $OUT .= " dumpdir=/var/run/pluto/\n"; $OUT .= " nat_traversal=yes\n"; + if ( $keepalive ne '' ) { + $OUT .= " keep-alive=$keepalive\n"; + } + # This should get all the connections in an array my @connections = $ipsecDB->keys; 
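Review bot: `$keepalive` is written into ipsec.conf as soon as it is non-empty, with no check of its form; libreswan's `keep-alive` takes a number of seconds, so a mistyped value yields a config that pluto rejects at start, which the caller only sees as a failed ipsec start. Checking the shape instead of emptiness, `if ( $keepalive =~ m/\A\d+\z/ ) {`, keeps the template from emitting anything else. The template block this sits in opens and closes outside the hunk.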
@@ -44,25 +47,29 @@ $OUT .= " virtual_private="; my $virtual_private = ''; - + my @subnetArr = (); + foreach my $ipsecprop (@connections) { - my $type = $ipsecDB->get_prop( "$ipsecprop", 'type' ); - print "Connection: $ipsecprop Type: $type\n"; + # Note that L2TPD needs the localsubnet in here - if ( $type eq "ipsec" ) { - print "Connection: $ipsecprop\n"; - my $ipsecstatus = $ipsecDB->get_prop( "$ipsecprop", 'status' ) || "disabled"; - - if ( $ipsecstatus eq "enabled" ) { - my $subnet = $ipsecDB->get_prop( "$ipsecprop", 'rightsubnet' ); - $virtual_private .= "%v4:$subnet,"; - } + my $ipsecstatus = $ipsecDB->get_prop( "$ipsecprop", 'status' ) || "disabled"; + + if ( $ipsecstatus eq 'enabled' ) { + my $rightsubnet = $ipsecDB->get_prop( "$ipsecprop", 'rightsubnet' ); - # End if + # Check if the network is a unique value + if ( !( $rightsubnet ~~ @subnetArr ) ) { + print "$rightsubnet\n"; + + push( @subnetArr, $rightsubnet ); + } } - # End foreach + } # End foreach + + foreach my $subnet (@subnetArr) { + $virtual_private .= "%v4:$subnet,"; } # Remove last character ',' diff -ruN smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/ipsec.d/ipsec.conf/10Connection smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/ipsec.d/ipsec.conf/10Connection --- smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/ipsec.d/ipsec.conf/10Connection 2017-06-15 00:33:57.113000043 +0200 +++ smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/ipsec.d/ipsec.conf/10Connection 2017-06-15 00:34:07.806999374 +0200 @@ -19,7 +19,7 @@ else { my $ipsecDB = esmith::ConfigDB->open_ro('ipsec_connections') - or die("cant connect to ipsec database"); + or die("cant connect to ipsec database"); # This should get all the connections in an array 
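Review bot: The uniqueness check uses smartmatch (`$rightsubnet ~~ @subnetArr`), which is experimental and warns under `use warnings` on perl 5.18+; a seen-hash does the same job without it: `my %seen;` next to `my @subnetArr = ();` and `push @subnetArr, $rightsubnet unless $seen{$rightsubnet}++;` in place of the `~~` block. `rightsubnet` is also read without a `|| ''` default, so an enabled connection lacking it raises an uninitialized warning and emits a bare `%v4:,` entry; `next unless defined $rightsubnet && $rightsubnet ne '';` before the push would keep virtual_private clean. The `print "$rightsubnet\n"` inside the loop reads as leftover debugging output. The enclosing template block opens and closes outside this hunk.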
@@ -29,215 +29,226 @@ foreach my $ipsecprop (@connections) { - # first we verify if IPSec is enabled for the connection + if ( $ipsecprop ne 'L2TPD-PSK' ) { - my $ipsecstatus = $ipsecDB->get_prop( $ipsecprop, 'status' ) || 'disabled'; + # first we verify if IPSec is enabled for the connection - if ( $ipsecstatus eq 'enabled' ) { + my $ipsecstatus = $ipsecDB->get_prop( $ipsecprop, 'status' ) || 'disabled'; - $OUT .= "conn $ipsecprop\n"; - - # These should be from $configDB-> ipsec + if ( $ipsecstatus eq 'enabled' ) { - # Not templated this - maybe later with L2TPD - # We currently use a password file but this could be integrated with other authent later + $OUT .= "conn $ipsecprop\n"; - # Lazy - assume that it is security (password by default) - options are rsasig|certs + # These should be from $configDB-> ipsec - # Careful - property 'type' has a special meaning in configDB and returns 'service' + # Not templated this - maybe later with L2TPD + # We currently use a password file but this could be integrated with other authent later - my $connectiontype = $configDB->get_prop( $dbKey, 'connectiontype' ) - || 'tunnel'; - $OUT .= " type=$connectiontype\n"; + # Lazy - assume that it is security (password by default) - options are rsasig|certs - my $security = $ipsecDB->get_prop( $ipsecprop, 'security' ) - || 'secret'; + # Careful - property 'type' has a special meaning in configDB and returns 'service' - # my $certname = $ipsecDB->get_prop( "$ipsecprop", 'certname' ) || ''; ???? Is this required ? + my $connectiontype = $configDB->get_prop( $dbKey, 'connectiontype' ) + || 'tunnel'; + $OUT .= " type=$connectiontype\n"; - if ( $security eq 'rsasig' ) { - $OUT .= " authby=rsasig\n"; + my $security = $ipsecDB->get_prop( $ipsecprop, 'security' ) + || 'secret'; - my $leftrsasig = $ipsecDB->get_prop( $ipsecprop, 'leftrsasig' ) - || ''; - $OUT .= " leftrsasigkey=$leftrsasig\n"; + # my $certname = $ipsecDB->get_prop( "$ipsecprop", 'certname' ) || ''; ???? Is this required ? 
- my $rightrsasig = $ipsecDB->get_prop( $ipsecprop, 'rightrsasig' ) - || ''; - $OUT .= " rightrsasigkey=$rightrsasig\n"; + if ( $security eq 'rsasig' ) { + $OUT .= " authby=rsasig\n"; - } + my $leftrsasig = $ipsecDB->get_prop( $ipsecprop, 'leftrsasig' ) + || ''; + $OUT .= " leftrsasigkey=$leftrsasig\n"; - elsif ( $security eq 'certs' ) { + my $rightrsasig = $ipsecDB->get_prop( $ipsecprop, 'rightrsasig' ) + || ''; + $OUT .= " rightrsasigkey=$rightrsasig\n"; - $OUT .= " authby=rsasig\n"; + } - my $leftrsasig = $ipsecDB->get_prop( $ipsecprop, 'leftrsasig' ) - || '%cert'; - $OUT .= " leftrsasigkey=$leftrsasig\n"; + elsif ( $security eq 'certs' ) { - my $rightrsasig = $ipsecDB->get_prop( $ipsecprop, 'rightrsasig' ) - || '%cert'; - $OUT .= " rightrsasigkey=$rightrsasig\n"; + $OUT .= " authby=rsasig\n"; - my $leftcert = $ipsecDB->get_prop( $ipsecprop, 'leftcert' ) - || '"LeftCertName"'; - $OUT .= " leftcert=\"$leftcert\"\n"; + my $leftrsasig = $ipsecDB->get_prop( $ipsecprop, 'leftrsasig' ) + || '%cert'; + $OUT .= " leftrsasigkey=$leftrsasig\n"; - my $rightcert = $ipsecDB->get_prop( $ipsecprop, 'rightcert' ) - || '"RightCertName"'; - $OUT .= " rightcert=\"$rightcert\"\n"; + my $rightrsasig = $ipsecDB->get_prop( $ipsecprop, 'rightrsasig' ) + || '%cert'; + $OUT .= " rightrsasigkey=$rightrsasig\n"; - } + my $leftcert = $ipsecDB->get_prop( $ipsecprop, 'leftcert' ) + || '"LeftCertName"'; + $OUT .= " leftcert=\"$leftcert\"\n"; - else { - $OUT .= " authby=$security\n"; - } + my $rightcert = $ipsecDB->get_prop( $ipsecprop, 'rightcert' ) + || '"RightCertName"'; + $OUT .= " rightcert=\"$rightcert\"\n"; - # Use connection value if it exists, if not use generic db value - my $auto = - $ipsecDB->get_prop( $ipsecprop, 'auto' ) - || $configDB->get_prop( $dbKey, 'auto' ) - || 'start'; + } - # If we are a static host to a dynamic client we are always add - my $iptype = $ipsecDB->get_prop( $ipsecprop, 'iptype' ) || ''; + else { + $OUT .= " authby=$security\n"; + } - if ( $iptype eq 
'stattodyn' ) { - $OUT .= " auto=add\n"; - } - else { - $OUT .= " auto=$auto\n"; - } + # Use connection value if it exists, if not use generic db value + my $auto = + $ipsecDB->get_prop( $ipsecprop, 'auto' ) + || $configDB->get_prop( $dbKey, 'auto' ) + || 'start'; - # We should change ipsecversion to ikev2status - my $ipsecversion = - $ipsecDB->get_prop( $ipsecprop, 'ipsecversion' ) - || $configDB->get_prop( $dbKey, 'ipsecversion' ) - || 'permit'; - - $OUT .= " ikev2=$ipsecversion\n"; - - # Set the Phase one and Phase two default strengths - these are set to aes - my $ike = - $ipsecDB->get_prop( $ipsecprop, 'ike' ) - || $configDB->get_prop( $dbKey, 'ike' ) - || 'aes-sha1'; - $OUT .= " ike=$ike\n"; - - my $phase2 = - $ipsecDB->get_prop( $ipsecprop, 'phase2' ) - || $configDB->get_prop( $dbKey, 'phase2' ) - || 'aes-sha1'; - $OUT .= " phase2alg=$phase2\n"; - - # mtu can only be set per connection - my $mtu = $ipsecDB->get_prop( $ipsecprop, 'mtu' ) - || ''; + # If we are a static host to a dynamic client we are always add + my $iptype = $ipsecDB->get_prop( $ipsecprop, 'iptype' ) || ''; - unless ( $mtu eq '' ) { - $OUT .= " mtu=$mtu\n"; - } + if ( $iptype eq 'stattodyn' ) { + $OUT .= " auto=add\n"; + } + else { + $OUT .= " auto=$auto\n"; + } - # These should be from $configDB-> ipsec unless they exist in ipsec_connections + # We should change ipsecversion to 'ikev2' + my $ipsecversion = + $ipsecDB->get_prop( $ipsecprop, 'ipsecversion' ) + || $configDB->get_prop( $dbKey, 'ipsecversion' ) + || 'permit'; - my $keyingtries = - $ipsecDB->get_prop( $ipsecprop, 'keyingtries' ) - || $configDB->get_prop( $dbKey, 'keyingtries' ) - || '0'; - $OUT .= " keyingtries=$keyingtries\n"; - - # Following come from ipsecDB or configDB or hardcoded - my $ikelifetime = - $ipsecDB->get_prop( $ipsecprop, 'ikelifetime' ) - || $configDB->get_prop( $dbKey, 'ikelifetime' ) - || '3600s'; - $OUT .= " ikelifetime=$ikelifetime\n"; - - my $salifetime = - $ipsecDB->get_prop( $ipsecprop, 'salifetime' ) - 
|| $configDB->get_prop( $dbKey, 'salifetime' ) - || '28800s'; - $OUT .= " salifetime=$salifetime\n"; - - # Add is for incoming and is better that server dpd is ignored - # Disabled for now - - # if ( $auto ne 'add' ) {} - my $dpdaction = - $ipsecDB->get_prop( $ipsecprop, 'dpdaction' ) - || $configDB->get_prop( $dbKey, 'dpdaction' ) - || 'restart'; - $OUT .= " dpdaction=$dpdaction\n"; - - my $dpddelay = - $ipsecDB->get_prop( $ipsecprop, 'dpddelay' ) - || $configDB->get_prop( $dbKey, 'dpddelay' ) - || '30'; - $OUT .= " dpddelay=$dpddelay\n"; - - my $dpdtimeout = - $ipsecDB->get_prop( $ipsecprop, 'dpdtimeout' ) - || $configDB->get_prop( $dbKey, 'dpdtimeout' ) - || '10'; - $OUT .= " dpdtimeout=$dpdtimeout\n"; - - # default to yes unless overridden in the connection db - my $pfs = $ipsecDB->get_prop( $ipsecprop, 'pfs' ) || 'yes'; - $OUT .= " pfs=$pfs\n"; - - # Following come from ipsecDB or configDB or hardcoded - my $left = - $ipsecDB->get_prop( $ipsecprop, 'left' ) - || $configDB->get_prop( $dbKey, 'left' ) - || '%defaultroute'; - $OUT .= " left=$left\n"; - - if ( $security eq 'certs' ) { - my $leftid = ( $ipsecDB->get_prop( $ipsecprop, 'leftid' ) || '%fromcert' ); - $OUT .= " leftid=$leftid\n"; - } + $OUT .= " ikev2=$ipsecversion\n"; - # These ONLY come from the ipsec_configurations db - elsif ( ( my $leftid = $ipsecDB->get_prop( $ipsecprop, 'leftid' ) || '' ) ne '' ) { - $OUT .= " leftid=$leftid\n"; - } + # Set the Phase one and Phase two default strengths - these are set to aes + my $ike = + $ipsecDB->get_prop( $ipsecprop, 'ike' ) + || $configDB->get_prop( $dbKey, 'ike' ) + || 'aes-sha1'; + $OUT .= " ike=$ike\n"; - my $leftsourceip = $ipsecDB->get_prop( $ipsecprop, 'leftsourceip' ) - || ''; - $OUT .= " leftsourceip=$leftsourceip\n"; + # We should change phase2 to phase2alg + my $phase2 = + $ipsecDB->get_prop( $ipsecprop, 'phase2' ) + || $configDB->get_prop( $dbKey, 'phase2' ) + || 'aes-sha1'; + $OUT .= " phase2alg=$phase2\n"; - my $leftsub = $ipsecDB->get_prop( 
$ipsecprop, 'leftsubnet' ) - || ''; - $OUT .= " leftsubnet=$leftsub\n"; + # mtu can only be set per connection + my $mtu = $ipsecDB->get_prop( $ipsecprop, 'mtu' ) + || ''; - # If we are a static host to a dynamic client we HAVE to set right %any + unless ( $mtu eq '' ) { + $OUT .= " mtu=$mtu\n"; + } - my $right = $ipsecDB->get_prop( $ipsecprop, 'right' ) || ''; + # These should be from $configDB-> ipsec unless they exist in ipsec_connections - if ( $iptype eq 'stattodyn' ) { - $OUT .= " right=%any\n"; - } - else { - $OUT .= " right=$right\n"; - } + my $forceencaps = + $ipsecDB->get_prop( $ipsecprop, 'forceencaps' ) + || $configDB->get_prop( $dbKey, 'forceencaps' ) + || 'no'; + $OUT .= " forceencaps=$forceencaps\n"; - if ( $security eq 'certs' ) { - my $rightid = ( $ipsecDB->get_prop( $ipsecprop, 'rightid' ) || '%fromcert' ); - $OUT .= " rightid=$rightid\n"; - } + my $keyingtries = + $ipsecDB->get_prop( $ipsecprop, 'keyingtries' ) + || $configDB->get_prop( $dbKey, 'keyingtries' ) + || '0'; + $OUT .= " keyingtries=$keyingtries\n"; - elsif ( ( my $rightid = $ipsecDB->get_prop( $ipsecprop, 'rightid' ) || '' ) ne '' ) { - $OUT .= " rightid=$rightid\n"; - } + # Following come from ipsecDB or configDB or hardcoded + my $ikelifetime = + $ipsecDB->get_prop( $ipsecprop, 'ikelifetime' ) + || $configDB->get_prop( $dbKey, 'ikelifetime' ) + || '3600s'; + $OUT .= " ikelifetime=$ikelifetime\n"; + + my $salifetime = + $ipsecDB->get_prop( $ipsecprop, 'salifetime' ) + || $configDB->get_prop( $dbKey, 'salifetime' ) + || '28800s'; + $OUT .= " salifetime=$salifetime\n"; + + # Add is for incoming and is better that server dpd is ignored + # Disabled for now - my $rightsubnet = $ipsecDB->get_prop( $ipsecprop, 'rightsubnet' ) || ''; - $OUT .= " rightsubnet=$rightsubnet\n"; + # if ( $auto ne 'add' ) {} + my $dpdaction = + $ipsecDB->get_prop( $ipsecprop, 'dpdaction' ) + || $configDB->get_prop( $dbKey, 'dpdaction' ) + || 'restart'; + $OUT .= " dpdaction=$dpdaction\n"; + + my $dpddelay = + 
$ipsecDB->get_prop( $ipsecprop, 'dpddelay' ) + || $configDB->get_prop( $dbKey, 'dpddelay' ) + || '30'; + $OUT .= " dpddelay=$dpddelay\n"; + + my $dpdtimeout = + $ipsecDB->get_prop( $ipsecprop, 'dpdtimeout' ) + || $configDB->get_prop( $dbKey, 'dpdtimeout' ) + || '10'; + $OUT .= " dpdtimeout=$dpdtimeout\n"; + + # default to yes unless overridden in the connection db + my $pfs = $ipsecDB->get_prop( $ipsecprop, 'pfs' ) || 'yes'; + $OUT .= " pfs=$pfs\n"; + + # Following come from ipsecDB or configDB or hardcoded + my $left = + $ipsecDB->get_prop( $ipsecprop, 'left' ) + || $configDB->get_prop( $dbKey, 'left' ) + || '%defaultroute'; + $OUT .= " left=$left\n"; + + if ( $security eq 'certs' ) { + my $leftid = ( $ipsecDB->get_prop( $ipsecprop, 'leftid' ) || '%fromcert' ); + $OUT .= " leftid=$leftid\n"; + } + + # These ONLY come from the ipsec_configurations db + elsif ( ( my $leftid = $ipsecDB->get_prop( $ipsecprop, 'leftid' ) || '' ) ne '' ) { + $OUT .= " leftid=$leftid\n"; + } + + my $leftsourceip = $ipsecDB->get_prop( $ipsecprop, 'leftsourceip' ) + || ''; + $OUT .= " leftsourceip=$leftsourceip\n"; + + my $leftsub = $ipsecDB->get_prop( $ipsecprop, 'leftsubnet' ) + || ''; + $OUT .= " leftsubnet=$leftsub\n"; + + # If we are a static host to a dynamic client we HAVE to set right %any + + my $right = $ipsecDB->get_prop( $ipsecprop, 'right' ) || ''; + + if ( $iptype eq 'stattodyn' ) { + $OUT .= " right=%any\n"; + } + else { + $OUT .= " right=$right\n"; + } + + if ( $security eq 'certs' ) { + my $rightid = ( $ipsecDB->get_prop( $ipsecprop, 'rightid' ) || '%fromcert' ); + $OUT .= " rightid=$rightid\n"; + } + + elsif ( ( my $rightid = $ipsecDB->get_prop( $ipsecprop, 'rightid' ) || '' ) ne '' ) { + $OUT .= " rightid=$rightid\n"; + } + + my $rightsubnet = $ipsecDB->get_prop( $ipsecprop, 'rightsubnet' ) || ''; + $OUT .= " rightsubnet=$rightsubnet\n"; + + } # End If + else { + $OUT .= "# conn $ipsecprop disabled\n"; + } - } # End If - else { - $OUT .= "# conn $ipsecprop disabled\n"; - 
} + } # End unless } # End foreach } # End else } diff -ruN smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/ipsec.d/ipsec.secrets/10Passwords smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/ipsec.d/ipsec.secrets/10Passwords --- smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/ipsec.d/ipsec.secrets/10Passwords 2017-06-15 00:33:57.112000044 +0200 +++ smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/ipsec.d/ipsec.secrets/10Passwords 2017-06-15 00:34:07.806999374 +0200 
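Review bot: The new `if ( $ipsecprop ne 'L2TPD-PSK' )` wrapper re-indents the whole connection body, so the functional additions in this hunk (the `forceencaps` block, the reworded comments) are hard to pick out; `next if $ipsecprop eq 'L2TPD-PSK';` at the top of the loop would have done the same with a one-line diff, and the closing comment `} # End unless` would then not be wrong for what is an `if`. The `'L2TPD-PSK'` literal is now repeated here, in 10Passwords and as `$xl2tpdipsecprop` in ipsec-update; keeping it in one place (a config-db property or a shared constant) would stop the three from drifting apart. The `foreach` and the enclosing `else` open outside this hunk.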
@@ -19,94 +19,98 @@ else { my $ipsecDB = esmith::ConfigDB->open_ro('ipsec_connections') - or die("cant connect to ipsec database"); + or die("cant connect to ipsec database"); # This should get all the connections in an array my @connections = $ipsecDB->keys; $OUT .= "# ipsec.secrets\n\n"; - + my $ExternalIP = $configDB->get_prop( "ExternalInterface", "IPAddress" ); - + foreach my $ipsecprop (@connections) { - # first we verify if IPSec is enabled for the connection + if ( $ipsecprop ne 'L2TPD-PSK' ) { - my $ipsecstatus = $ipsecDB->get_prop( $ipsecprop, 'status' ) - || "disabled"; + # first we verify if IPSec is enabled for the connection - if ( $ipsecstatus eq "enabled" ) { + my $ipsecstatus = $ipsecDB->get_prop( $ipsecprop, 'status' ) + || "disabled"; - my $right = $ipsecDB->get_prop( $ipsecprop, 'right' ) || ''; + if ( $ipsecstatus eq "enabled" ) { - # Hmm..... if left is not set it defaults to %defaultroute which we don't want here + my $right = $ipsecDB->get_prop( $ipsecprop, 'right' ) || ''; - my $left = $ipsecDB->get_prop( $ipsecprop, 'left' ) || $ExternalIP; - my $security = $ipsecDB->get_prop( $ipsecprop, 'security' ) || 'secret'; - my $iptype = $ipsecDB->get_prop( $ipsecprop, 'iptype' ) || ''; - my $certname = $ipsecDB->get_prop( $ipsecprop, 'certname' ) || ''; - my $passwd = $ipsecDB->get_prop( $ipsecprop, 'passwd' ) || ''; + # Hmm..... 
if left is not set it defaults to %defaultroute which we don't want here - # Double quote is not allowed in configuration - if ( $passwd =~ /"/ ) { - die("Ipsec Error - PSK value cannot contain double quotes (\")"); - } + my $left = $ipsecDB->get_prop( $ipsecprop, 'left' ) || $ExternalIP; + my $security = $ipsecDB->get_prop( $ipsecprop, 'security' ) || 'secret'; + my $iptype = $ipsecDB->get_prop( $ipsecprop, 'iptype' ) || ''; + my $certname = $ipsecDB->get_prop( $ipsecprop, 'certname' ) || ''; + my $passwd = $ipsecDB->get_prop( $ipsecprop, 'passwd' ) || ''; - $OUT .= "# $ipsecprop is enabled\n"; + # Double quote is not allowed in configuration + if ( $passwd =~ /"/ ) { + die("Ipsec Error - PSK value cannot contain double quotes (\")"); + } - if ( $security eq 'certs' ) { - $OUT .= "# Certificates enabled for $ipsecprop - no settings required\n"; - } + $OUT .= "# $ipsecprop is enabled\n"; - elsif ( $security eq 'secret' ) { + if ( $security eq 'certs' ) { + $OUT .= "# Certificates enabled for $ipsecprop - no settings required\n"; + } - # If dynamic it must be %any here - # If not it can be ExternalIP if left not set + elsif ( $security eq 'secret' ) { - # IF we have IDs then use them in preference to %any + # If dynamic it must be %any here + # If not it can be ExternalIP if left not set - my $leftid = $ipsecDB->get_prop( $ipsecprop, 'leftid' ) || ''; - my $rightid = $ipsecDB->get_prop( $ipsecprop, 'rightid' ) || ''; + # IF we have IDs then use them in preference to %any - if ( $iptype eq 'stattodyn' ) { - if ( ( $leftid eq '' ) && ( $rightid eq '' ) ) { - $OUT .= "$left %any \: PSK \"$passwd\""; + my $leftid = $ipsecDB->get_prop( $ipsecprop, 'leftid' ) || ''; + my $rightid = $ipsecDB->get_prop( $ipsecprop, 'rightid' ) || ''; + + if ( $iptype eq 'stattodyn' ) { + if ( ( $leftid eq '' ) && ( $rightid eq '' ) ) { + $OUT .= "$left %any \: PSK \"$passwd\""; + } + else { + $OUT .= "$leftid $rightid \: PSK \"$passwd\""; + } } - else { - $OUT .= "$leftid $rightid \: PSK 
\"$passwd\""; + + elsif ( $iptype eq 'dyntostat' ) { + if ( ( $leftid eq '' ) && ( $rightid eq '' ) ) { + $OUT .= "%any $right\: PSK \"$passwd\""; + } + else { + $OUT .= "$leftid $rightid \: PSK \"$passwd\""; + } } - } - elsif ( $iptype eq 'dyntostat' ) { - if ( ( $leftid eq '' ) && ( $rightid eq '' ) ) { - $OUT .= "%any $right\: PSK \"$passwd\""; + elsif ( ( $leftid ne '' ) && ( $rightid ne '' ) ) { + $OUT .= "$leftid $rightid \: PSK \"$passwd\""; } + else { - $OUT .= "$leftid $rightid \: PSK \"$passwd\""; + $OUT .= "$left $right \: PSK \"$passwd\""; } } - elsif ( ( $leftid ne '' ) && ( $rightid ne '' ) ) { - $OUT .= "$leftid $rightid \: PSK \"$passwd\""; + elsif ( $security eq "rsasig" ) { + $OUT .= "# Connection to $ipsecprop is RSA\n"; + $OUT .= "# Our RSA key is in separate file\n"; } else { - $OUT .= "$left $right \: PSK \"$passwd\""; + $OUT .= "# $ipsecprop is disabled\n"; + $OUT .= "\n"; } - } - - elsif ( $security eq "rsasig" ) { - $OUT .= "# Connection to $ipsecprop is RSA\n"; - $OUT .= "# Our RSA key is in separate file\n"; - } - - else { - $OUT .= "# $ipsecprop is disabled\n"; $OUT .= "\n"; - } - $OUT .= "\n"; - } - } - } + } # if + } #unless + } #foreach + } #else } +
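Review bot: The `else { $OUT .= "# $ipsecprop is disabled\n"; ... }` block now closes the `$security` if/elsif chain instead of `if ( $ipsecstatus eq "enabled" )` — it sits between the `rsasig` branch's `}` and the `$OUT .= "\n";` that precedes `} # if` — so a disabled connection no longer gets its comment line and an enabled connection with an unrecognised `security` value is labelled disabled. Moving those three lines to after `} # if`, as the `else` of the enabled check, restores the old output. The retained `$passwd =~ /"/` check could also reject a newline (`/["\n]/`), since an embedded line break would end the secrets entry early. The enclosing `else {` and the template block open outside this hunk.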