1 #!/bin/sh /etc/rc.common
7 PROG
=/usr
/lib
/ipsec
/charon
9 .
$IPKG_INSTROOT/lib
/functions.sh
10 .
$IPKG_INSTROOT/lib
/functions
/network.sh
12 STRONGSWAN_CONF_FILE
=/etc
/strongswan.conf
13 STRONGSWAN_VAR_CONF_FILE
=/var
/ipsec
/strongswan.conf
15 SWANCTL_CONF_FILE
=/etc
/swanctl
/swanctl.conf
16 SWANCTL_VAR_CONF_FILE
=/var
/swanctl
/swanctl.conf
24 local multiplier number suffix
26 suffix
="${timestring//[0-9 ]}"
27 number
="${timestring%%$suffix}"
28 [ "$number$suffix" != "$timestring" ] && return 1
41 echo $
(( number
* multiplier
))
47 if [ $seconds -eq 0 ]; then
49 elif [ $
((seconds
% 86400)) -eq 0 ]; then
50 echo "$((seconds / 86400))d"
51 elif [ $
((seconds
% 3600)) -eq 0 ]; then
52 echo "$((seconds / 3600))h"
53 elif [ $
((seconds
% 60)) -eq 0 ]; then
54 echo "$((seconds / 60))m"
70 echo "$indent$cmd" >> "$file"
75 file_reset
"$STRONGSWAN_VAR_CONF_FILE"
79 xappend
"$STRONGSWAN_VAR_CONF_FILE" "$@"
103 file_reset
"$SWANCTL_VAR_CONF_FILE"
107 xappend
"$SWANCTL_VAR_CONF_FILE" "$@"
111 swanctl_xappend
"" "$@"
115 swanctl_xappend
" " "$@"
119 swanctl_xappend
" " "$@"
123 swanctl_xappend
" " "$@"
127 swanctl_xappend
" " "$@"
131 echo "WARNING: $@" >&2
140 local var
="$2" value
="$1" delim
="${3:- }"
141 append
"$var" "$value" "$delim"
148 aes
*gcm
*|aes
*ccm
*|aes
*gmac
*)
157 config_esp_proposal
() {
160 local encryption_algorithm
164 config_get encryption_algorithm
"$conf" encryption_algorithm
165 config_get hash_algorithm
"$conf" hash_algorithm
166 config_get dh_group
"$conf" dh_group
# AEAD ciphers provide their own integrity, so an explicit hash_algorithm is rejected (fatal) rather than silently dropped
169 if is_aead
"$encryption_algorithm" && [ -n "$hash_algorithm" ]; then
170 fatal
"Can't have $hash_algorithm with $encryption_algorithm"
174 [ -n "$encryption_algorithm" ] && \
175 crypto
="${crypto:+${crypto},}${encryption_algorithm}${hash_algorithm:+-${hash_algorithm}}${dh_group:+-${dh_group}}"
178 iter_esp_proposal
() {
184 config_list_foreach
"$conf" crypto_proposal config_esp_proposal
186 export -n "$var=$crypto"
189 config_ike_proposal
() {
192 local encryption_algorithm
197 config_get encryption_algorithm
"$conf" encryption_algorithm
198 config_get hash_algorithm
"$conf" hash_algorithm
199 config_get dh_group
"$conf" dh_group
200 config_get prf_algorithm
"$conf" prf_algorithm
# AEAD ciphers provide their own integrity, so an explicit hash_algorithm is rejected (fatal) rather than silently dropped
203 if is_aead
"$encryption_algorithm" && [ -n "$hash_algorithm" ]; then
204 fatal
"Can't have $hash_algorithm with $encryption_algorithm"
208 [ -n "$encryption_algorithm" ] && \
209 crypto
="${crypto:+${crypto},}${encryption_algorithm}${hash_algorithm:+-${hash_algorithm}}${prf_algorithm:+-${prf_algorithm}}${dh_group:+-${dh_group}}"
212 iter_ike_proposal
() {
218 config_list_foreach
"$conf" crypto_proposal config_ike_proposal
220 export -n "$var=$crypto"
224 # Generic ipsec conn section shared by tunnel and transport
249 config_get startaction
"$conf" startaction
"route"
250 config_get local_nat
"$conf" local_nat
""
251 config_get updown
"$conf" updown
""
252 config_get firewall
"$conf" firewall
""
253 config_get lifetime
"$conf" lifetime
""
254 config_get dpdaction
"$conf" dpdaction
"none"
255 config_get closeaction
"$conf" closeaction
"none"
256 config_get if_id
"$conf" if_id
""
257 config_get rekeytime
"$conf" rekeytime
""
258 config_get_bool ipcomp
"$conf" ipcomp
0
259 config_get interface
"$conf" interface
""
260 config_get hw_offload
"$conf" hw_offload
""
261 config_get priority
"$conf" priority
""
262 config_get rekeybytes
"$conf" rekeybytes
""
263 config_get lifebytes
"$conf" lifebytes
""
264 config_get rekeypackets
"$conf" rekeypackets
""
265 config_get lifepackets
"$conf" lifepackets
""
266 config_get replay_window
"$conf" replay_window
""
268 config_list_foreach
"$conf" local_subnet append_var local_subnet
","
269 config_list_foreach
"$conf" remote_subnet append_var remote_subnet
","
272 iter_esp_proposal
"$conf" esp_proposal
274 # translate from ipsec to swanctl
275 case "$startaction" in
277 startaction
="none" ;;
279 startaction
="trap" ;;
281 # already using new syntax
284 fatal
"Startaction $startaction unknown"
289 case "$closeaction" in
291 closeaction
="none" ;;
293 closeaction
="trap" ;;
295 closeaction
="start" ;;
297 # already using new syntax
300 fatal
"Closeaction $closeaction unknown"
305 [ -n "$closeaction" -a "$closeaction" != "none" ] && warning
"Closeaction $closeaction can cause instability"
319 # already using new syntax
322 fatal
"Dpdaction $dpdaction unknown"
327 case "$hw_offload" in
331 fatal
"hw_offload value $hw_offload invalid"
336 [ -n "$local_nat" ] && local_subnet
="$local_nat"
338 swanctl_xappend3
"$conf {"
340 [ -n "$local_subnet" ] && swanctl_xappend4
"local_ts = $local_subnet"
341 [ -n "$remote_subnet" ] && swanctl_xappend4
"remote_ts = $remote_subnet"
343 [ -n "$hw_offload" ] && swanctl_xappend4
"hw_offload = $hw_offload"
344 [ $ipcomp -eq 1 ] && swanctl_xappend4
"ipcomp = 1"
345 [ -n "$interface" ] && swanctl_xappend4
"interface = $interface"
346 [ -n "$priority" ] && swanctl_xappend4
"priority = $priority"
347 [ -n "$if_id" ] && swanctl_xappend4
"if_id_in = $if_id" "if_id_out = $if_id"
348 [ -n "$startaction" -a "$startaction" != "none" ] && swanctl_xappend4
"start_action = $startaction"
349 [ -n "$closeaction" -a "$closeaction" != "none" ] && swanctl_xappend4
"close_action = $closeaction"
350 swanctl_xappend4
"esp_proposals = $esp_proposal"
351 swanctl_xappend4
"mode = $mode"
353 if [ -n "$lifetime" ]; then
354 swanctl_xappend4
"life_time = $lifetime"
355 elif [ -n "$rekeytime" ]; then
356 swanctl_xappend4
"life_time = $(seconds2time $(((110 * $(time2seconds $rekeytime)) / 100)))"
358 [ -n "$rekeytime" ] && swanctl_xappend4
"rekey_time = $rekeytime"
359 if [ -n "$lifebytes" ]; then
360 swanctl_xappend4
"life_bytes = $lifebytes"
361 elif [ -n "$rekeybytes" ]; then
362 swanctl_xappend4
"life_bytes = $(((110 * rekeybytes) / 100))"
364 [ -n "$rekeybytes" ] && swanctl_xappend4
"rekey_bytes = $rekeybytes"
365 if [ -n "$lifepackets" ]; then
366 swanctl_xappend4
"life_packets = $lifepackets"
367 elif [ -n "$rekeypackets" ]; then
368 swanctl_xappend4
"life_packets = $(((110 * rekeypackets) / 100))"
370 [ -n "$rekeypackets" ] && swanctl_xappend4
"rekey_packets = $rekeypackets"
371 [ -n "$inactivity" ] && swanctl_xappend4
"inactivity = $inactivity"
373 [ -n "$updown" ] && swanctl_xappend4
"updown = $updown"
374 [ -n "$dpdaction" ] && swanctl_xappend4
"dpd_action = $dpdaction"
375 [ -n "$replay_window" ] && swanctl_xappend4
"replay_window = $replay_window"
381 config_child
"$1" "tunnel"
385 config_child
"$1" "transport"
401 config_get addrs
"$conf" addrs
402 config_list_foreach
"$conf" dns append_var dns
","
403 config_list_foreach
"$conf" nbns append_var nbns
","
404 config_list_foreach
"$conf" dhcp append_var dhcp
","
405 config_list_foreach
"$conf" netmask append_var netmask
","
406 config_list_foreach
"$conf" server append_var server
","
407 config_list_foreach
"$conf" subnet append_var subnet
","
408 config_list_foreach
"$conf" split_include append_var split_include
","
409 config_list_foreach
"$conf" split_exclude append_var split_exclude
","
411 swanctl_xappend1
"$conf {"
412 [ -n "$addrs" ] && swanctl_xappend2
"addrs = $addrs"
413 [ -n "$dns" ] && swanctl_xappend2
"dns = $dns"
414 [ -n "$nbns" ] && swanctl_xappend2
"nbns = $nbns"
415 [ -n "$dhcp" ] && swanctl_xappend2
"dhcp = $dhcp"
416 [ -n "$netmask" ] && swanctl_xappend2
"netmask = $netmask"
417 [ -n "$server" ] && swanctl_xappend2
"server = $server"
418 [ -n "$subnet" ] && swanctl_xappend2
"subnet = $subnet"
419 [ -n "$split_include" ] && swanctl_xappend2
"split_include = $split_include"
420 [ -n "$split_exclude" ] && swanctl_xappend2
"split_exclude = $split_exclude"
431 local local_identifier
433 local remote_identifier
446 local remote_ca_certs
449 config_get_bool enabled
"$conf" enabled
0
450 [ $enabled -eq 0 ] && return
452 config_get gateway
"$conf" gateway
453 config_get pre_shared_key
"$conf" pre_shared_key
454 config_get auth_method
"$conf" authentication_method
455 config_get local_identifier
"$conf" local_identifier
""
456 config_get remote_identifier
"$conf" remote_identifier
""
457 config_get local_ip
"$conf" local_ip
"%any"
458 config_get keyingtries
"$conf" keyingtries
"3"
459 config_get dpddelay
"$conf" dpddelay
"30s"
460 config_get inactivity
"$conf" inactivity
461 config_get keyexchange
"$conf" keyexchange
"ikev2"
462 config_get fragmentation
"$conf" fragmentation
"yes"
463 config_get_bool mobike
"$conf" mobike
1
464 config_get local_cert
"$conf" local_cert
""
465 config_get local_key
"$conf" local_key
""
466 config_get ca_cert
"$conf" ca_cert
""
467 config_get rekeytime
"$conf" rekeytime
468 config_get overtime
"$conf" overtime
470 config_list_foreach
"$conf" local_sourceip append_var local_sourceip
","
471 config_list_foreach
"$conf" remote_ca_certs append_var remote_ca_certs
","
472 config_list_foreach
"$conf" pools append_var pools
","
474 case "$fragmentation" in
476 fragmentation
="no" ;;
478 fragmentation
="yes" ;;
480 # already using new syntax
483 fatal
"Fragmentation $fragmentation not supported"
488 [ "$gateway" = "any" ] && remote_gateway
="%any" || remote_gateway
="$gateway"
490 if [ -n "$local_key" ]; then
491 [ "$(dirname "$local_key")" != "." ] && \
492 fatal
"local_key $local_key can't be pathname"
493 [ -f "/etc/swanctl/private/$local_key" ] || \
494 fatal
"local_key $local_key not found"
498 iter_ike_proposal
"$conf" ike_proposal
500 [ -n "$firewall" ] && fatal
"Firewall not supported"
502 if [ "$auth_method" = pubkey
]; then
503 if [ -n "$ca_cert" ]; then
504 [ "$(dirname "$ca_cert")" != "." ] && \
505 fatal
"ca_cert $ca_cert can't be pathname"
506 [ -f "/etc/swanctl/x509ca/$ca_cert" ] || \
507 fatal
"ca_cert $ca_cert not found"
510 if [ -n "$local_cert" ]; then
511 [ "$(dirname "$local_cert")" != "." ] && \
512 fatal
"local_cert $local_cert can't be pathname"
513 [ -f "/etc/swanctl/x509/$local_cert" ] || \
514 fatal
"local_cert $local_cert not found"
518 swanctl_xappend0
"# config for $conf"
519 swanctl_xappend0
"connections {"
520 swanctl_xappend1
"$conf {"
521 swanctl_xappend2
"local_addrs = $local_ip"
522 swanctl_xappend2
"remote_addrs = $remote_gateway"
524 [ -n "$local_sourceip" ] && swanctl_xappend2
"vips = $local_sourceip"
525 [ -n "$fragmentation" ] && swanctl_xappend2
"fragmentation = $fragmentation"
526 [ -n "$pools" ] && swanctl_xappend2
"pools = $pools"
528 swanctl_xappend2
"local {"
529 swanctl_xappend3
"auth = $auth_method"
531 [ -n "$local_identifier" ] && swanctl_xappend3
"id = \"$local_identifier\""
532 [ "$auth_method" = pubkey
] && [ -n "$local_cert" ] && \
533 swanctl_xappend3
"certs = $local_cert"
536 swanctl_xappend2
"remote {"
537 swanctl_xappend3
"auth = $auth_method"
538 [ -n "$remote_identifier" ] && swanctl_xappend3
"id = \"$remote_identifier\""
539 [ -n "$remote_ca_certs" ] && swanctl_xappend3
"cacerts = \"$remote_ca_certs\""
542 swanctl_xappend2
"children {"
544 config_list_foreach
"$conf" tunnel config_tunnel
546 config_list_foreach
"$conf" transport config_transport
550 case "$keyexchange" in
554 swanctl_xappend2
"version = 1" ;;
556 swanctl_xappend2
"version = 2" ;;
558 fatal
"Keyexchange $keyexchange not supported"
563 [ $mobike -eq 1 ] && swanctl_xappend2
"mobike = yes" || swanctl_xappend2
"mobike = no"
565 if [ -n "$rekeytime" ]; then
566 swanctl_xappend2
"rekey_time = $rekeytime"
568 if [ -z "$overtime" ]; then
569 overtime
=$
(seconds2time $
(($
(time2seconds
$rekeytime) / 10)))
572 [ -n "$overtime" ] && swanctl_xappend2
"over_time = $overtime"
574 swanctl_xappend2
"proposals = $ike_proposal"
575 [ -n "$dpddelay" ] && swanctl_xappend2
"dpd_delay = $dpddelay"
576 [ "$keyingtries" = "%forever" ] && swanctl_xappend2
"keyingtries = 0" || swanctl_xappend2
"keyingtries = $keyingtries"
581 if [ "$auth_method" = pubkey
]; then
584 if [ -n "$ca_cert" ]; then
585 swanctl_xappend0
"authorities {"
586 swanctl_xappend1
"$conf {"
587 swanctl_xappend2
"cacert = $ca_cert"
592 elif [ "$auth_method" = psk
]; then
595 swanctl_xappend0
"secrets {"
596 swanctl_xappend1
"ike-$conf {"
597 swanctl_xappend2
"secret = $pre_shared_key"
598 if [ -n "$local_identifier" ]; then
599 swanctl_xappend2
"id1 = $local_identifier"
600 if [ -n "$remote_identifier" ]; then
601 swanctl_xappend2
"id2 = $remote_identifier"
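# The option is read into auth_method above (config_get auth_method "$conf"
# authentication_method); $auth_mode is not assigned anywhere visible, so the
# message used to print an empty value and gave no hint which setting is wrong.
fatal "AuthenticationMode $auth_method not supported"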
610 swanctl_xappend0
"pools {"
611 config_list_foreach
"$conf" pools config_pool
618 swanctl_xappend0
"# generated by /etc/init.d/swanctl"
624 local rtinstall_enabled
626 local routing_table_id
630 config_get debug
"$conf" debug
0
631 config_get_bool rtinstall_enabled
"$conf" rtinstall_enabled
1
632 [ $rtinstall_enabled -eq 1 ] && install_routes
=yes || install_routes
=no
634 # prepare extra charon config option ignore_routing_tables
635 for routing_table
in $
(config_get
"$conf" "ignore_routing_tables"); do
636 if [ "$routing_table" -ge 0 ] 2>/dev
/null
; then
637 routing_table_id
=$routing_table
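# Resolve a table name from rt_tables without splicing it into a regex.
# The name comes from UCI: interpolated unquoted into the sed pattern it was
# subject to word splitting/globbing, and any regex metacharacter in it
# ('.', '*', '[', '/') changed the match. Passing it with -v makes it a plain
# string comparison (awk still decodes backslash escapes in -v values, so a
# name containing a backslash would need extra handling). Only "<id> <name>"
# lines are considered, so comment lines in rt_tables can no longer match.
routing_table_id=$(awk -v name="$routing_table" \
	'NF == 2 && $1 ~ /^[0-9]+$/ && $2 == name { print $1 }' \
	/etc/iproute2/rt_tables)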
642 [ -n "$routing_table_id" ] && append routing_tables_ignored
"$routing_table_id"
645 config_list_foreach
"$conf" interface append_var interface_list
647 if [ -z "$interface_list" ]; then
650 for interface
in $interface_list; do
651 network_get_device device
$interface
652 [ -n "$device" ] && append device_list
"$device" ","
654 [ -n "$device_list" ] && WAIT_FOR_INTF
=0 || WAIT_FOR_INTF
=1
659 swan_xappend0
"# generated by /etc/init.d/swanctl"
660 swan_xappend0
"charon {"
661 swan_xappend1
"install_routes = $install_routes"
662 [ -n "$routing_tables_ignored" ] && swan_xappend1
"ignore_routing_tables = $routing_tables_ignored"
663 [ -n "$device_list" ] && swan_xappend1
"interfaces_use = $device_list"
664 swan_xappend1
"start-scripts {"
665 swan_xappend2
"load-all = /usr/sbin/swanctl --load-all --noprompt"
667 swan_xappend1
"syslog {"
668 swan_xappend2
"identifier = ipsec"
669 swan_xappend2
"daemon {"
670 swan_xappend3
"default = $debug"
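mkdir -p /var/ipsec /var/swanctl
# The generated swanctl.conf under /var/swanctl carries IKE secrets in clear
# text (config_remote appends "secret = $pre_shared_key" to it) and is created
# with whatever umask this script inherits. Keep the directory root-only so
# the PSK cannot be read by unprivileged local processes. swanctl is invoked
# from this script and from charon's start-scripts; if charon is configured
# to drop privileges, re-check that it can still read the file.
chmod 0700 /var/swanctl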
683 # needed by do_postamble
684 local debug install_routes routing_tables_ignored device_list
687 config_foreach config_ipsec ipsec
688 config_foreach config_remote remote
694 swanctl
--stats > /dev
/null
2>&1
700 [ $WAIT_FOR_INTF -eq 0 ] && {
701 swanctl
--load-all --noprompt
715 procd_add_reload_trigger
"ipsec"
718 config_foreach service_trigger_ipsec ipsec
721 service_trigger_ipsec
() {
722 local interface interface_list
723 config_list_foreach
"$1" interface append_var interface_list
724 for interface
in $interface_list; do
725 procd_add_reload_interface_trigger
$interface
732 [ $WAIT_FOR_INTF -eq 1 ] && return
734 if [ $CONFIG_FAIL -ne 0 ]; then
735 procd_set_param error
"Invalid configuration"
741 procd_set_param
command $PROG
743 procd_set_param
file $SWANCTL_CONF_FILE
744 procd_append_param
file /etc
/swanctl
/conf.d
/*.conf
745 procd_append_param
file $STRONGSWAN_CONF_FILE
747 procd_set_param respawn