projects / feed / packages.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
strongswan: convert init script to procd
[feed/packages.git] / net / strongswan / files / ipsec.init
1 #!/bin/sh /etc/rc.common
2
3 START=90
4 STOP=10
5
6 USE_PROCD=1
7 PROG=/usr/lib/ipsec/starter
8
9 . $IPKG_INSTROOT/lib/functions.sh
10
11 IPSEC_SECRETS_FILE=/etc/ipsec.secrets
12 IPSEC_CONN_FILE=/etc/ipsec.conf
13 STRONGSWAN_CONF_FILE=/etc/strongswan.conf
14
15 IPSEC_VAR_SECRETS_FILE=/var/ipsec/ipsec.secrets
16 IPSEC_VAR_CONN_FILE=/var/ipsec/ipsec.conf
17 STRONGSWAN_VAR_CONF_FILE=/var/ipsec/strongswan.conf
18
19 file_reset() {
20 : > "$1"
21 }
22
23 xappend() {
24 local file="$1"
25 shift
26
27 echo "${@}" >> "${file}"
28 }
29
30 remove_include() {
31 local file="$1"
32 local include="$2"
33
34 sed -i "\_${include}_d" "${file}"
35 }
36
37 remove_includes() {
38 remove_include "${IPSEC_CONN_FILE}" "${IPSEC_VAR_CONN_FILE}"
39 remove_include "${IPSEC_SECRETS_FILE}" "${IPSEC_VAR_SECRETS_FILE}"
40 remove_include "${STRONGSWAN_CONF_FILE}" "${STRONGSWAN_VAR_CONF_FILE}"
41 }
42
43 do_include() {
44 local conf="$1"
45 local uciconf="$2"
46 local backup=`mktemp -t -p /tmp/ ipsec-init-XXXXXX`
47
48 [ ! -f "${conf}" ] && rm -rf "${conf}"
49 touch "${conf}"
50
51 cat "${conf}" | grep -v "${uciconf}" > "${backup}"
52 mv "${backup}" "${conf}"
53 xappend "${conf}" "include ${uciconf}"
54 file_reset "${uciconf}"
55 }
56
57 ipsec_reset() {
58 do_include "${IPSEC_CONN_FILE}" "${IPSEC_VAR_CONN_FILE}"
59 }
60
61 ipsec_xappend() {
62 xappend "${IPSEC_VAR_CONN_FILE}" "$@"
63 }
64
65 swan_reset() {
66 do_include "${STRONGSWAN_CONF_FILE}" "${STRONGSWAN_VAR_CONF_FILE}"
67 }
68
69 swan_xappend() {
70 xappend "${STRONGSWAN_VAR_CONF_FILE}" "$@"
71 }
72
73 secret_reset() {
74 do_include "${IPSEC_SECRETS_FILE}" "${IPSEC_VAR_SECRETS_FILE}"
75 }
76
77 secret_xappend() {
78 xappend "${IPSEC_VAR_SECRETS_FILE}" "$@"
79 }
80
81 warning() {
82 echo "WARNING: $@" >&2
83 }
84
85 add_crypto_proposal() {
86 local encryption_algorithm
87 local hash_algorithm
88 local dh_group
89
90 config_get encryption_algorithm "$1" encryption_algorithm
91 config_get hash_algorithm "$1" hash_algorithm
92 config_get dh_group "$1" dh_group
93
94 [ -n "${encryption_algorithm}" ] && \
95 crypto="${crypto:+${crypto},}${encryption_algorithm}${hash_algorithm:+-${hash_algorithm}}${dh_group:+-${dh_group}}"
96 }
97
98 set_crypto_proposal() {
99 local conf="$1"
100 local proposal
101
102 crypto=""
103
104 config_get crypto_proposal "$conf" crypto_proposal ""
105 for proposal in $crypto_proposal; do
106 add_crypto_proposal "$proposal"
107 done
108
109 [ -n "${crypto}" ] && {
110 local force_crypto_proposal
111
112 config_get_bool force_crypto_proposal "$conf" force_crypto_proposal
113
114 [ "${force_crypto_proposal}" = "1" ] && crypto="${crypto}!"
115 }
116
117 crypto_proposal="${crypto}"
118 }
119
120 config_conn() {
121 # Generic ipsec conn section shared by tunnel and transport
122 local mode
123 local local_subnet
124 local local_nat
125 local local_sourceip
126 local local_updown
127 local local_firewall
128 local remote_subnet
129 local remote_sourceip
130 local remote_updown
131 local remote_firewall
132 local ikelifetime
133 local lifetime
134 local margintime
135 local keyingtries
136 local dpdaction
137 local dpddelay
138 local inactivity
139 local keyexchange
140
141 config_get mode "$1" mode "route"
142 config_get local_subnet "$1" local_subnet ""
143 config_get local_nat "$1" local_nat ""
144 config_get local_sourceip "$1" local_sourceip ""
145 config_get local_updown "$1" local_updown ""
146 config_get local_firewall "$1" local_firewall ""
147 config_get remote_subnet "$1" remote_subnet ""
148 config_get remote_sourceip "$1" remote_sourceip ""
149 config_get remote_updown "$1" remote_updown ""
150 config_get remote_firewall "$1" remote_firewall ""
151 config_get ikelifetime "$1" ikelifetime "3h"
152 config_get lifetime "$1" lifetime "1h"
153 config_get margintime "$1" margintime "9m"
154 config_get keyingtries "$1" keyingtries "3"
155 config_get dpdaction "$1" dpdaction "none"
156 config_get dpddelay "$1" dpddelay "30s"
157 config_get inactivity "$1" inactivity
158 config_get keyexchange "$1" keyexchange "ikev2"
159
160 [ -n "$local_nat" ] && local_subnet=$local_nat
161
162 ipsec_xappend "conn $config_name-$1"
163 ipsec_xappend " left=%any"
164 ipsec_xappend " right=$remote_gateway"
165
166 [ -n "$local_sourceip" ] && ipsec_xappend " leftsourceip=$local_sourceip"
167 [ -n "$local_subnet" ] && ipsec_xappend " leftsubnet=$local_subnet"
168
169 [ -n "$local_firewall" ] && ipsec_xappend " leftfirewall=$local_firewall"
170 [ -n "$remote_firewall" ] && ipsec_xappend " rightfirewall=$remote_firewall"
171
172 ipsec_xappend " ikelifetime=$ikelifetime"
173 ipsec_xappend " lifetime=$lifetime"
174 ipsec_xappend " margintime=$margintime"
175 ipsec_xappend " keyingtries=$keyingtries"
176 ipsec_xappend " dpdaction=$dpdaction"
177 ipsec_xappend " dpddelay=$dpddelay"
178
179 [ -n "$inactivity" ] && ipsec_xappend " inactivity=$inactivity"
180
181 if [ "$auth_method" = "psk" ]; then
182 ipsec_xappend " leftauth=psk"
183 ipsec_xappend " rightauth=psk"
184
185 [ "$remote_sourceip" != "" ] && ipsec_xappend " rightsourceip=$remote_sourceip"
186 [ "$remote_subnet" != "" ] && ipsec_xappend " rightsubnet=$remote_subnet"
187
188 ipsec_xappend " auto=$mode"
189 else
190 warning "AuthenticationMethod $auth_method not supported"
191 fi
192
193 [ -n "$local_identifier" ] && ipsec_xappend " leftid=$local_identifier"
194 [ -n "$remote_identifier" ] && ipsec_xappend " rightid=$remote_identifier"
195 [ -n "$local_updown" ] && ipsec_xappend " leftupdown=$local_updown"
196 [ -n "$remote_updown" ] && ipsec_xappend " rightupdown=$remote_updown"
197 ipsec_xappend " keyexchange=$keyexchange"
198
199 set_crypto_proposal "$1"
200 [ -n "${crypto_proposal}" ] && ipsec_xappend " esp=$crypto_proposal"
201 [ -n "${ike_proposal}" ] && ipsec_xappend " ike=$ike_proposal"
202 }
203
204 config_tunnel() {
205 config_conn "$1"
206
207 # Specific for the tunnel part
208 ipsec_xappend " type=tunnel"
209 }
210
211 config_transport() {
212 config_conn "$1"
213
214 # Specific for the transport part
215 ipsec_xappend " type=transport"
216 }
217
218 config_remote() {
219 local enabled
220 local gateway
221 local pre_shared_key
222 local auth_method
223
224 config_name=$1
225
226 config_get_bool enabled "$1" enabled 0
227 [ "$enabled" = "0" ] && return
228
229 config_get gateway "$1" gateway
230 config_get pre_shared_key "$1" pre_shared_key
231 config_get auth_method "$1" authentication_method
232 config_get local_identifier "$1" local_identifier ""
233 config_get remote_identifier "$1" remote_identifier ""
234
235 [ "$gateway" = "any" ] && remote_gateway="%any" || remote_gateway="$gateway"
236
237 [ -z "$local_identifier" ] && {
238 local ipdest
239
240 [ "$remote_gateway" = "%any" ] && ipdest="1.1.1.1" || ipdest="$remote_gateway"
241 local_gateway=`ip route get $ipdest | awk -F"src" '/src/{gsub(/ /,"");print $2}'`
242 }
243
244 [ -n "$local_identifier" ] && secret_xappend -n "$local_identifier " || secret_xappend -n "$local_gateway "
245 [ -n "$remote_identifier" ] && secret_xappend -n "$remote_identifier " || secret_xappend -n "$remote_gateway "
246
247 secret_xappend ": PSK \"$pre_shared_key\""
248
249 set_crypto_proposal "$1"
250 ike_proposal="$crypto_proposal"
251
252 config_list_foreach "$1" tunnel config_tunnel
253
254 config_list_foreach "$1" transport config_transport
255
256 ipsec_xappend ""
257 }
258
259 config_ipsec() {
260 local debug
261 local rtinstall_enabled
262 local routing_tables_ignored
263 local routing_table
264 local routing_table_id
265 local interface
266 local device_list
267
268 ipsec_reset
269 secret_reset
270 swan_reset
271
272 ipsec_xappend "# generated by /etc/init.d/ipsec"
273 ipsec_xappend "version 2"
274 ipsec_xappend ""
275
276 secret_xappend "# generated by /etc/init.d/ipsec"
277
278 config_get debug "$1" debug 0
279 config_get_bool rtinstall_enabled "$1" rtinstall_enabled 1
280 [ $rtinstall_enabled = "1" ] && install_routes=yes || install_routes=no
281
282 # prepare extra charon config option ignore_routing_tables
283 for routing_table in $(config_get "$1" "ignore_routing_tables"); do
284 if [ "$routing_table" -ge 0 ] 2>/dev/null; then
285 routing_table_id=$routing_table
286 else
287 routing_table_id=$(sed -n '/[ \t]*[0-9]\+[ \t]\+'$routing_table'[ \t]*$/s/[ \t]*\([0-9]\+\).*/\1/p' /etc/iproute2/rt_tables)
288 fi
289
290 [ -n "$routing_table_id" ] && append routing_tables_ignored "$routing_table_id"
291 done
292
293 swan_xappend "# generated by /etc/init.d/ipsec"
294 swan_xappend "charon {"
295 swan_xappend " load_modular = yes"
296 swan_xappend " install_routes = $install_routes"
297 [ -n "$routing_tables_ignored" ] && swan_xappend " ignore_routing_tables = $routing_tables_ignored"
298 swan_xappend " plugins {"
299 swan_xappend " include /etc/strongswan.d/charon/*.conf"
300 swan_xappend " }"
301 swan_xappend " syslog {"
302 swan_xappend " identifier = ipsec"
303 swan_xappend " daemon {"
304 swan_xappend " default = $debug"
305 swan_xappend " }"
306 swan_xappend " auth {"
307 swan_xappend " default = $debug"
308 swan_xappend " }"
309 swan_xappend " }"
310 swan_xappend "}"
311 }
312
313 prepare_env() {
314 mkdir -p /var/ipsec
315 remove_includes
316 config_load ipsec
317 config_foreach config_ipsec ipsec
318 config_foreach config_remote remote
319 }
320
321 reload_service() {
322 prepare_env
323 if ipsec status > /dev/null 2>&1; then
324 ipsec rereadall
325 ipsec reload
326 else
327 ipsec start
328 fi
329 }
330
331 service_triggers() {
332 procd_add_reload_trigger "ipsec"
333 }
334
335 start_service() {
336 prepare_env
337
338 procd_open_instance
339
340 procd_set_param command $PROG --daemon charon --nofork
341
342 procd_set_param file $IPSEC_CONN_FILE
343 procd_append_param file $IPSEC_SECRETS_FILE
344 procd_append_param file $STRONGSWAN_CONF_FILE
345 procd_append_param file /etc/strongswan.d/*.conf
346 procd_append_param file /etc/strongswan.d/charon/*.conf
347
348 procd_set_param respawn
349
350 procd_close_instance
351 }
Mirror of packages feed