diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..cbb3a13
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,4 @@
+*.rpm
+*.log
+*spec-20*
+*.tar.gz
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..fccfcdb
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,21 @@
+# Makefile for source rpm: smeserver-libreswan
+# $Id: Makefile,v 1.1 2021/02/22 16:03:26 brianr Exp $
+NAME := smeserver-libreswan
+SPECFILE = $(firstword $(wildcard *.spec))
+
+define find-makefile-common
+for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done
+endef
+
+MAKEFILE_COMMON := $(shell $(find-makefile-common))
+
+ifeq ($(MAKEFILE_COMMON),)
+# attept a checkout
+define checkout-makefile-common
+test -f CVS/Root && { cvs -Q -d $$(cat CVS/Root) checkout common && echo "common/Makefile.common" ; } || { echo "ERROR: I can't figure out how to checkout the 'common' module." ; exit -1 ; } >&2
+endef
+
+MAKEFILE_COMMON := $(shell $(checkout-makefile-common))
+endif
+
+include $(MAKEFILE_COMMON)
diff --git a/README.md b/README.md
index a0a2bf6..ff61feb 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,18 @@
-# smeserver-libreswan
+# 
smeserver-libreswan
-SMEServer Koozali developed git repo for smeserver-libreswan smecontribs
\ No newline at end of file
+SMEServer Koozali developed git repo for smeserver-libreswan smecontribs
+
+## Wiki
+
https://wiki.koozali.org/Libreswan
+
https://wiki.koozali.org/Libreswan_IPSEC
+
https://wiki.koozali.org/Libreswan-xl2tpd
+
https://wiki.koozali.org/Smeserver-libreswan-xl2tpd
+
+## Bugzilla
+Show list of outstanding bugs: [here](https://bugs.koozali.org/buglist.cgi?component=smeserver-libreswan&product=SME%20Contribs&query_format=advanced&limit=0&bug_status=UNCONFIRMED&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&bug_status=CONFIRMED)
+
+## Description
+
+
*This description has been generated by an LLM AI system and cannot be relied on to be fully correct.*
+*Once it has been checked, then this comment will be deleted*
+
diff --git a/additional/COPYING b/additional/COPYING
new file mode 100644
index 0000000..eeb586b
--- /dev/null
+++ b/additional/COPYING
@@ -0,0 +1,340 @@
+ GNU GENERAL PUBLIC LICENSE
+ Version 2, June 1991
+
+ Copyright (C) 1989, 1991 Free Software Foundation, Inc.
+ 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+ Preamble
+
+ The licenses for most software are designed to take away your
+freedom to share and change it. By contrast, the GNU General Public
+License is intended to guarantee your freedom to share and change free
+software--to make sure the software is free for all its users. This
+General Public License applies to most of the Free Software
+Foundation's software and to any other program whose authors commit to
+using it. (Some other Free Software Foundation software is covered by
+the GNU Library General Public License instead.) You can apply it to
+your programs, too.
+
+ When we speak of free software, we are referring to freedom, not
+price. Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+this service if you wish), that you receive source code or can get it
+if you want it, that you can change the software or use pieces of it
+in new free programs; and that you know you can do these things.
+
+ To protect your rights, we need to make restrictions that forbid
+anyone to deny you these rights or to ask you to surrender the rights.
+These restrictions translate to certain responsibilities for you if you
+distribute copies of the software, or if you modify it.
+
+ For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must give the recipients all the rights that
+you have. You must make sure that they, too, receive or can get the
+source code. And you must show them these terms so they know their
+rights.
+
+ We protect your rights with two steps: (1) copyright the software, and
+(2) offer you this license which gives you legal permission to copy,
+distribute and/or modify the software.
+
+ Also, for each author's protection and ours, we want to make certain
+that everyone understands that there is no warranty for this free
+software. If the software is modified by someone else and passed on, we
+want its recipients to know that what they have is not the original, so
+that any problems introduced by others will not reflect on the original
+authors' reputations.
+
+ Finally, any free program is threatened constantly by software
+patents. We wish to avoid the danger that redistributors of a free
+program will individually obtain patent licenses, in effect making the
+program proprietary. To prevent this, we have made it clear that any
+patent must be licensed for everyone's free use or not licensed at all.
+
+ The precise terms and conditions for copying, distribution and
+modification follow.
+�
+ GNU GENERAL PUBLIC LICENSE
+ TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+ 0. This License applies to any program or other work which contains
+a notice placed by the copyright holder saying it may be distributed
+under the terms of this General Public License. The "Program", below,
+refers to any such program or work, and a "work based on the Program"
+means either the Program or any derivative work under copyright law:
+that is to say, a work containing the Program or a portion of it,
+either verbatim or with modifications and/or translated into another
+language. (Hereinafter, translation is included without limitation in
+the term "modification".) Each licensee is addressed as "you".
+
+Activities other than copying, distribution and modification are not
+covered by this License; they are outside its scope. The act of
+running the Program is not restricted, and the output from the Program
+is covered only if its contents constitute a work based on the
+Program (independent of having been made by running the Program).
+Whether that is true depends on what the Program does.
+
+ 1. You may copy and distribute verbatim copies of the Program's
+source code as you receive it, in any medium, provided that you
+conspicuously and appropriately publish on each copy an appropriate
+copyright notice and disclaimer of warranty; keep intact all the
+notices that refer to this License and to the absence of any warranty;
+and give any other recipients of the Program a copy of this License
+along with the Program.
+
+You may charge a fee for the physical act of transferring a copy, and
+you may at your option offer warranty protection in exchange for a fee.
+
+ 2. You may modify your copy or copies of the Program or any portion
+of it, thus forming a work based on the Program, and copy and
+distribute such modifications or work under the terms of Section 1
+above, provided that you also meet all of these conditions:
+
+ a) You must cause the modified files to carry prominent notices
+ stating that you changed the files and the date of any change.
+
+ b) You must cause any work that you distribute or publish, that in
+ whole or in part contains or is derived from the Program or any
+ part thereof, to be licensed as a whole at no charge to all third
+ parties under the terms of this License.
+
+ c) If the modified program normally reads commands interactively
+ when run, you must cause it, when started running for such
+ interactive use in the most ordinary way, to print or display an
+ announcement including an appropriate copyright notice and a
+ notice that there is no warranty (or else, saying that you provide
+ a warranty) and that users may redistribute the program under
+ these conditions, and telling the user how to view a copy of this
+ License. (Exception: if the Program itself is interactive but
+ does not normally print such an announcement, your work based on
+ the Program is not required to print an announcement.)
+�
+These requirements apply to the modified work as a whole. If
+identifiable sections of that work are not derived from the Program,
+and can be reasonably considered independent and separate works in
+themselves, then this License, and its terms, do not apply to those
+sections when you distribute them as separate works. But when you
+distribute the same sections as part of a whole which is a work based
+on the Program, the distribution of the whole must be on the terms of
+this License, whose permissions for other licensees extend to the
+entire whole, and thus to each and every part regardless of who wrote it.
+
+Thus, it is not the intent of this section to claim rights or contest
+your rights to work written entirely by you; rather, the intent is to
+exercise the right to control the distribution of derivative or
+collective works based on the Program.
+
+In addition, mere aggregation of another work not based on the Program
+with the Program (or with a work based on the Program) on a volume of
+a storage or distribution medium does not bring the other work under
+the scope of this License.
+
+ 3. You may copy and distribute the Program (or a work based on it,
+under Section 2) in object code or executable form under the terms of
+Sections 1 and 2 above provided that you also do one of the following:
+
+ a) Accompany it with the complete corresponding machine-readable
+ source code, which must be distributed under the terms of Sections
+ 1 and 2 above on a medium customarily used for software interchange; or,
+
+ b) Accompany it with a written offer, valid for at least three
+ years, to give any third party, for a charge no more than your
+ cost of physically performing source distribution, a complete
+ machine-readable copy of the corresponding source code, to be
+ distributed under the terms of Sections 1 and 2 above on a medium
+ customarily used for software interchange; or,
+
+ c) Accompany it with the information you received as to the offer
+ to distribute corresponding source code. (This alternative is
+ allowed only for noncommercial distribution and only if you
+ received the program in object code or executable form with such
+ an offer, in accord with Subsection b above.)
+
+The source code for a work means the preferred form of the work for
+making modifications to it. For an executable work, complete source
+code means all the source code for all modules it contains, plus any
+associated interface definition files, plus the scripts used to
+control compilation and installation of the executable. However, as a
+special exception, the source code distributed need not include
+anything that is normally distributed (in either source or binary
+form) with the major components (compiler, kernel, and so on) of the
+operating system on which the executable runs, unless that component
+itself accompanies the executable.
+
+If distribution of executable or object code is made by offering
+access to copy from a designated place, then offering equivalent
+access to copy the source code from the same place counts as
+distribution of the source code, even though third parties are not
+compelled to copy the source along with the object code.
+�
+ 4. You may not copy, modify, sublicense, or distribute the Program
+except as expressly provided under this License. Any attempt
+otherwise to copy, modify, sublicense or distribute the Program is
+void, and will automatically terminate your rights under this License.
+However, parties who have received copies, or rights, from you under
+this License will not have their licenses terminated so long as such
+parties remain in full compliance.
+
+ 5. You are not required to accept this License, since you have not
+signed it. However, nothing else grants you permission to modify or
+distribute the Program or its derivative works. These actions are
+prohibited by law if you do not accept this License. Therefore, by
+modifying or distributing the Program (or any work based on the
+Program), you indicate your acceptance of this License to do so, and
+all its terms and conditions for copying, distributing or modifying
+the Program or works based on it.
+
+ 6. Each time you redistribute the Program (or any work based on the
+Program), the recipient automatically receives a license from the
+original licensor to copy, distribute or modify the Program subject to
+these terms and conditions. You may not impose any further
+restrictions on the recipients' exercise of the rights granted herein.
+You are not responsible for enforcing compliance by third parties to
+this License.
+
+ 7. If, as a consequence of a court judgment or allegation of patent
+infringement or for any other reason (not limited to patent issues),
+conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License. If you cannot
+distribute so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you
+may not distribute the Program at all. For example, if a patent
+license would not permit royalty-free redistribution of the Program by
+all those who receive copies directly or indirectly through you, then
+the only way you could satisfy both it and this License would be to
+refrain entirely from distribution of the Program.
+
+If any portion of this section is held invalid or unenforceable under
+any particular circumstance, the balance of the section is intended to
+apply and the section as a whole is intended to apply in other
+circumstances.
+
+It is not the purpose of this section to induce you to infringe any
+patents or other property right claims or to contest validity of any
+such claims; this section has the sole purpose of protecting the
+integrity of the free software distribution system, which is
+implemented by public license practices. Many people have made
+generous contributions to the wide range of software distributed
+through that system in reliance on consistent application of that
+system; it is up to the author/donor to decide if he or she is willing
+to distribute software through any other system and a licensee cannot
+impose that choice.
+
+This section is intended to make thoroughly clear what is believed to
+be a consequence of the rest of this License.
+�
+ 8. If the distribution and/or use of the Program is restricted in
+certain countries either by patents or by copyrighted interfaces, the
+original copyright holder who places the Program under this License
+may add an explicit geographical distribution limitation excluding
+those countries, so that distribution is permitted only in or among
+countries not thus excluded. In such case, this License incorporates
+the limitation as if written in the body of this License.
+
+ 9. The Free Software Foundation may publish revised and/or new versions
+of the General Public License from time to time. Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+Each version is given a distinguishing version number. If the Program
+specifies a version number of this License which applies to it and "any
+later version", you have the option of following the terms and conditions
+either of that version or of any later version published by the Free
+Software Foundation. If the Program does not specify a version number of
+this License, you may choose any version ever published by the Free Software
+Foundation.
+
+ 10. If you wish to incorporate parts of the Program into other free
+programs whose distribution conditions are different, write to the author
+to ask for permission. For software which is copyrighted by the Free
+Software Foundation, write to the Free Software Foundation; we sometimes
+make exceptions for this. Our decision will be guided by the two goals
+of preserving the free status of all derivatives of our free software and
+of promoting the sharing and reuse of software generally.
+
+ NO WARRANTY
+
+ 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
+FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
+OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
+PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
+OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
+TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
+PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
+REPAIR OR CORRECTION.
+
+ 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
+REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
+INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
+OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
+TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
+YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
+PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGES.
+
+ END OF TERMS AND CONDITIONS
+�
+ How to Apply These Terms to Your New Programs
+
+ If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+ To do so, attach the following notices to the program. It is safest
+to attach them to the start of each source file to most effectively
+convey the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+
+ Copyright (C) 19yy
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+
+
+Also add information on how to contact you by electronic and paper mail.
+
+If the program is interactive, make it output a short notice like this
+when it starts in an interactive mode:
+
+ Gnomovision version 69, Copyright (C) 19yy name of author
+ Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+ This is free software, and you are welcome to redistribute it
+ under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License. Of course, the commands you use may
+be called something other than `show w' and `show c'; they could even be
+mouse-clicks or menu items--whatever suits your program.
+
+You should also get your employer (if you work as a programmer) or your
+school, if any, to sign a "copyright disclaimer" for the program, if
+necessary. Here is a sample; alter the names:
+
+ Yoyodyne, Inc., hereby disclaims all copyright interest in the program
+ `Gnomovision' (which makes passes at compilers) written by James Hacker.
+
+ , 1 April 1989
+ Ty Coon, President of Vice
+
+This General Public License does not permit incorporating your program into
+proprietary programs. If your program is a subroutine library, you may
+consider it more useful to permit linking proprietary applications with the
+library. If this is what you want to do, use the GNU Library General
+Public License instead of this License.
diff --git a/contriborbase b/contriborbase
new file mode 100644
index 0000000..9b7fd51
--- /dev/null
+++ b/contriborbase
@@ -0,0 +1 @@
+contribs10
diff --git a/createlinks b/createlinks
new file mode 100644
index 0000000..f7dc569
--- /dev/null
+++ b/createlinks
@@ -0,0 +1,68 @@
+#! /usr/bin/perl -w
+
+# Need some thought on when the templates should be expanded and when the action should be called.
+
+use esmith::Build::CreateLinks qw(:all);
+
+# our event specific for updating with yum without reboot
+$event = "smeserver-libreswan-update";
+
+#add here the path to your templates needed to expand
+#see the /etc/systemd/system-preset/49-koozali.preset should be present for systemd integration on all you yum update event
+
+foreach my $file (qw(
+ /etc/systemd/system-preset/49-koozali.preset
+ /etc/ipsec.conf
+ /etc/ipsec.secrets
+ /etc/ipsec.d/ipsec.conf
+ /etc/ipsec.d/ipsec.secrets
+ /etc/rc.d/init.d/masq
+ /etc/sysctl.conf
+))
+{
+ templates2events($file, qw(
+ smeserver-libreswan-update
+ post-upgrade
+ console-save
+ bootstrap-console-save
+ remoteaccess-update
+ ));
+}
+
+#action needed in case we have a systemd unit
+event_link("systemd-default", $event, "10");
+event_link("systemd-reload", $event, "50");
+
+#action specific to this package
+foreach my $event_link (qw (
+ smeserver-libreswan-update
+ remoteaccess-update
+ console-save
+))
+{
+ event_link("ipsec-update", $event_link, "60");
+}
+
+#services we need to restart
+safe_symlink("restart", "root/etc/e-smith/events/$event/services2adjust/ipsec");
+safe_symlink("adjust", "root/etc/e-smith/events/$event/services2adjust/masq");
+
+# Set up generic logfile timestamp renaming/symlinking
+
+foreach (qw(
+ /var/log/pluto/pluto.log
+ ))
+{
+ safe_touch "root/etc/e-smith/events/logrotate/logfiles2timestamp/$_";
+}
+
+#--------------------------------------------------
+# actions for logrotate event
+#--------------------------------------------------
+
+$event = "logrotate";
+
+safe_symlink("restart", "root/etc/e-smith/events/$event/services2adjust/ipsec");
+
+
+
diff --git a/root/etc/e-smith/db/configuration/defaults/ipsec/UDPPorts b/root/etc/e-smith/db/configuration/defaults/ipsec/UDPPorts
new file mode 100644
index 0000000..73ba5d6
--- /dev/null
+++ b/root/etc/e-smith/db/configuration/defaults/ipsec/UDPPorts
@@ -0,0 +1 @@
+500,4500
\ No newline at end of file
diff --git a/root/etc/e-smith/db/configuration/defaults/ipsec/access b/root/etc/e-smith/db/configuration/defaults/ipsec/access
new file mode 100644
index 0000000..3e18ebf
--- /dev/null
+++ b/root/etc/e-smith/db/configuration/defaults/ipsec/access
@@ -0,0 +1 @@
+private
diff --git a/root/etc/e-smith/db/configuration/defaults/ipsec/auto b/root/etc/e-smith/db/configuration/defaults/ipsec/auto
new file mode 100644
index 0000000..d44e18f
--- /dev/null
+++ b/root/etc/e-smith/db/configuration/defaults/ipsec/auto
@@ -0,0 +1 @@
+start
diff --git a/root/etc/e-smith/db/configuration/defaults/ipsec/connectiontype b/root/etc/e-smith/db/configuration/defaults/ipsec/connectiontype
new file mode 100644
index 0000000..c3eb4ab
--- /dev/null
+++ b/root/etc/e-smith/db/configuration/defaults/ipsec/connectiontype
@@ -0,0 +1 @@
+tunnel
diff --git a/root/etc/e-smith/db/configuration/defaults/ipsec/debug b/root/etc/e-smith/db/configuration/defaults/ipsec/debug
new file mode 100644
index 0000000..621e94f
--- /dev/null
+++ b/root/etc/e-smith/db/configuration/defaults/ipsec/debug
@@ -0,0 +1 @@
+none
diff --git a/root/etc/e-smith/db/configuration/defaults/ipsec/dpdaction b/root/etc/e-smith/db/configuration/defaults/ipsec/dpdaction
new file mode 100644
index 0000000..eea5a27
--- /dev/null
+++ b/root/etc/e-smith/db/configuration/defaults/ipsec/dpdaction
@@ -0,0 +1 @@
+restart
diff --git a/root/etc/e-smith/db/configuration/defaults/ipsec/dpddelay b/root/etc/e-smith/db/configuration/defaults/ipsec/dpddelay
new file mode 100644
index 0000000..64bb6b7
--- /dev/null
+++ b/root/etc/e-smith/db/configuration/defaults/ipsec/dpddelay
@@ -0,0 +1 @@
+30
diff --git a/root/etc/e-smith/db/configuration/defaults/ipsec/dpdtimeout b/root/etc/e-smith/db/configuration/defaults/ipsec/dpdtimeout
new file mode 100644
index 0000000..f599e28
--- /dev/null
+++ b/root/etc/e-smith/db/configuration/defaults/ipsec/dpdtimeout
@@ -0,0 +1 @@
+10
diff --git a/root/etc/e-smith/db/configuration/defaults/ipsec/ikelifetime b/root/etc/e-smith/db/configuration/defaults/ipsec/ikelifetime
new file mode 100644
index 0000000..d472b07
--- /dev/null
+++ b/root/etc/e-smith/db/configuration/defaults/ipsec/ikelifetime
@@ -0,0 +1 @@
+3600s
\ No newline at end of file
diff --git a/root/etc/e-smith/db/configuration/defaults/ipsec/ipsecversion b/root/etc/e-smith/db/configuration/defaults/ipsec/ipsecversion
new file mode 100644
index 0000000..396a0ba
--- /dev/null
+++ b/root/etc/e-smith/db/configuration/defaults/ipsec/ipsecversion
@@ -0,0 +1 @@
+yes
\ No newline at end of file
diff --git a/root/etc/e-smith/db/configuration/defaults/ipsec/left b/root/etc/e-smith/db/configuration/defaults/ipsec/left
new file mode 100644
index 0000000..54d1312
--- /dev/null
+++ b/root/etc/e-smith/db/configuration/defaults/ipsec/left
@@ -0,0 +1 @@
+%defaultroute
diff --git a/root/etc/e-smith/db/configuration/defaults/ipsec/pfs b/root/etc/e-smith/db/configuration/defaults/ipsec/pfs
new file mode 100644
index 0000000..7cfab5b
--- /dev/null
+++ b/root/etc/e-smith/db/configuration/defaults/ipsec/pfs
@@ -0,0 +1 @@
+yes
diff --git a/root/etc/e-smith/db/configuration/defaults/ipsec/salifetime b/root/etc/e-smith/db/configuration/defaults/ipsec/salifetime
new file mode 100644
index 0000000..d6dcb5b
--- /dev/null
+++ b/root/etc/e-smith/db/configuration/defaults/ipsec/salifetime
@@ -0,0 +1 @@
+28800s
\ No newline at end of file
diff --git a/root/etc/e-smith/db/configuration/defaults/ipsec/security b/root/etc/e-smith/db/configuration/defaults/ipsec/security
new file mode 100644
index 0000000..536aca3
--- /dev/null
+++ b/root/etc/e-smith/db/configuration/defaults/ipsec/security
@@ -0,0 +1 @@
+secret
\ No newline at end of file
diff --git a/root/etc/e-smith/db/configuration/defaults/ipsec/status b/root/etc/e-smith/db/configuration/defaults/ipsec/status
new file mode 100644
index 0000000..87e7bda
--- /dev/null
+++ b/root/etc/e-smith/db/configuration/defaults/ipsec/status
@@ -0,0 +1 @@
+disabled
\ No newline at end of file
diff --git a/root/etc/e-smith/db/configuration/defaults/ipsec/type b/root/etc/e-smith/db/configuration/defaults/ipsec/type
new file mode 100644
index 0000000..ce93fac
--- /dev/null
+++ b/root/etc/e-smith/db/configuration/defaults/ipsec/type
@@ -0,0 +1 @@
+service
\ No newline at end of file
diff --git a/root/etc/e-smith/events/actions/ipsec-update b/root/etc/e-smith/events/actions/ipsec-update
new file mode 100644
index 0000000..d39878a
--- /dev/null
+++ b/root/etc/e-smith/events/actions/ipsec-update
@@ -0,0 +1,313 @@
+#!/usr/bin/perl -w
+#----------------------------------------------------------------------
+# Ipsec actions
+# Copyright (C) 2015 John Crisp
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License or more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#----------------------------------------------------------------------
+
+# Note that we do not need to use the init ipsec script - we can start and
+# stop directly using /usr/sbin/ipsec which will call the init script
+
+# Probably ought to check somewhere that the status of services is public
+# But if it is private then you have to re-expand masq someplace
+
+use strict;
+use warnings;
+use esmith::ConfigDB;
+
+my $configDB = esmith::ConfigDB->open or die("can't open Config DB");
+my $ipsecDB = esmith::ConfigDB->open('ipsec_connections')
+ or die("Ipsec Error - cant connect to ipsec database");
+
+my $ipsecDBkey = 'ipsec';
+my $xl2tpdDBkey = 'xl2tpd';
+my $xl2tpdipsecprop = "L2TPD-PSK";
+
+# Check on access status - we'll use this later
+# If status goes to disabled we should set this private
+
+my $ipsec_access = $configDB->get_prop( $ipsecDBkey, 'access' ) || 'private';
+print "Ipsec Information - IpsecAccessState: $ipsec_access\n";
+
+# If the service is set disabled then make sure it is stopped
+# Note that ipsec is not a service so we cannot use the normal service commands
+
+if ( $configDB->get_prop( $ipsecDBkey, 'status' ) eq 'disabled' ) {
+
+ # Always reset redirects on stop
+ print "Ipsec Information - reset redirects";
+ resetRedirects();
+
+ # Sort out xl2tpd - if ipsec is disabled it has to be stopped
+
+ print "Xl2tpd Information - ipsec is disabled - Stopping xl2tpd \n";
+ my $myStopXl2tpd = qx(/etc/rc.d/init.d/xl2tpd stop) || die("xl2tpd Error - Unable to launch xl2tpd stop : $!\n");
+
+ if ( not defined $myStopXl2tpd ) {
+ die("Ipsec Error - Unable to stop xl2tpd( error code $?)\n") if $?;
+ }
+
+ # Do we check if it is already stopped ?
+ # For now we stop it regardless
+
+ print "Ipsec Information - ipsec disabled - Stopping ipsec \n";
+ my $myStopConnection = qx(/etc/rc.d/init.d/ipsec stop) || die("Ipsec Error - Unable to launch ipsec stop : $!\n");
+
+ if ( not defined $myStopConnection ) {
+ die("Ipsec Error - Unable to stop ipsec( error code $?)\n") if $?;
+ }
+
+ exit 0;
+}
+
+# If the ipsec service is set to enabled AND running (then check the connections)
+
+if ( $configDB->get_prop( $ipsecDBkey, 'status' ) eq 'enabled' ) {
+
+ # Sort out xl2tpd - if ipsec is enabled, AND xl2tpd then see if it is started
+ my $xl2tpdstatus = $configDB->get_prop( $xl2tpdDBkey, 'status' ) || 'disabled';
+
+ if ( $xl2tpdstatus eq 'enabled' ) {
+ my $xl2tpdService = (`ps ax | grep -v grep | grep xl2tpd`);
+
+ #If the service is not running then start it
+ unless ( $xl2tpdService =~ m/xl2tpd/ ) {
+
+ print "Xl2tpd Information - xl2tpd enabled but stopped - restarting xl2tpd \n";
+ my $myStartXl2tpd = qx(/etc/rc.d/init.d/xl2tpd restart)
+ || die("xl2tpd Error - Unable to launch xl2tpd restart : $!\n");
+
+ if ( not defined $myStartXl2tpd ) {
+ die("Ipsec Error - Unable to stop xl2tpd( error code $?)\n") if $?;
+ }
+
+ }
+ }
+
+ my $status = (`ps ax | grep -v grep | grep pluto`);
+
+ # If the ipsec service is running
+ if ( $status =~ m/_plutorun/ ) {
+
+ # Lets do some stuff
+ print "Ipsec Information - ipsec is running !\n";
+
+ # make sure reDirects are right
+ setRedirects();
+
+ # Load the connections
+ my @connections = $ipsecDB->keys;
+
+ foreach my $ipsecprop (@connections) {
+
+ #Check the individual connection status
+ my $ipsecstatus = $ipsecDB->get_prop( "$ipsecprop", 'status' )
+ || "disabled";
+
+ # What type of connection are we ?
+ my $connection = $ipsecDB->get_prop( "$ipsecprop", 'auto' ) || '';
+
+ # Lets check the last state and if it doesn't exist set it disabled
+ if ( not defined( $ipsecDB->get_prop( $ipsecprop, 'PreviousState' ) ) ) {
+ my $previpsecstatus = "disabled";
+ $ipsecDB->set_prop( $ipsecprop, "PreviousState", $previpsecstatus );
+ }
+
+ # Now we should have it
+ my $previpsecstatus = $ipsecDB->get_prop( $ipsecprop, 'PreviousState' );
+
+ print "Ipsec Information - PrevState: $previpsecstatus CurrState: $ipsecstatus\n";
+
+ # Lets reread secrets anyway
+ print "Ipsec Information - Restart - ReReading Secrets\n";
+ my $reread = qx(/usr/sbin/ipsec auto --rereadsecrets);
+
+ die("Ipsec Error - Unable launch ipsec reread secrets : $!\n")
+ if not defined $reread;
+ die("Ipsec Error - Unable to reread ipsec secrets ( error code $?)\n")
+ if $?;
+
+ # If we are enabled
+ if ( ( $previpsecstatus eq "enabled" )
+ && ( $ipsecstatus eq "enabled" ) ) {
+
+ # Restart
+ print "Ipsec Information - Restarting connection - $ipsecprop\n";
+
+ # Have to use system here as replace usually returns 1280
+ # Replace just rereads the config and does --delete --add
+ system("/usr/sbin/ipsec auto --replace $ipsecprop");
+ print "Ipsec Information - Restart system - replace return code: $?\n";
+
+ # If connection = start then bring it up
+ if ( $connection eq 'start' ) {
+ print "Ipsec Information - En - En - Auto --async --up $ipsecprop\n";
+
+ # If it is start rather than add we try and force it to come up
+ startConnection($ipsecprop);
+ print "Ipsec Information - En - En auto --up\n";
+ print "Ipsec Information - Restart system - up return code: $?\n";
+ }
+
+ # Set Previous status
+ changeState( $ipsecprop, $ipsecstatus );
+
+ }
+
+ # If status is disabled then stop it
+ elsif (( $previpsecstatus eq "disabled" )
+ && ( $ipsecstatus eq "disabled" ) ) {
+
+ # Stop
+ print "Ipsec Information - Stop connection - $ipsecprop\n";
+ stopConnection($ipsecprop);
+
+ # Set Previous status
+ changeState( $ipsecDBkey, $ipsecstatus );
+ }
+
+ # If status was disabled and now enabled then start it
+ elsif (( $previpsecstatus eq "disabled" )
+ && ( $ipsecstatus eq "enabled" ) ) {
+
+ # Start
+ print "Enabling connection $ipsecprop\n";
+
+ # Have to use system here as replace usually returns 1280 and not 0
+ system("/usr/sbin/ipsec auto --replace $ipsecprop");
+ print "Ipsec Information - Restart system - return code: $?\n";
+
+ if ( $connection eq 'start' ) {
+
+ # Have to use exec here as system waits for a return and if the connection
+ # does not come up it will just hang. So fire 'n forget
+ print "Ipsec Information - Dis- En - - Auto --async --up $ipsecprop\n";
+
+ startConnection($ipsecprop);
+ print "Ipsec Information - Dis - En auto --up\n";
+ print "Ipsec Information - Restart system - up return code: $?\n";
+
+ #or die "exec failed!";
+ }
+
+ # Set Previous status
+ changeState( $ipsecprop, $ipsecstatus );
+ }
+
+ # If status was enabled and now disabled then stop it
+ elsif (( $previpsecstatus eq "enabled" )
+ && ( $ipsecstatus eq "disabled" ) ) {
+
+ # Stop and remove - do we need to ?
+ print "Ipsec Information - Stopping connection $ipsecprop\n ";
+ stopConnection($ipsecprop);
+
+ # Set Previous status
+ changeState( $ipsecprop, $ipsecstatus );
+ }
+
+ # Should never be here as it means the statuses are other than enabled or disabled
+ else {
+ print "Ipsec Error - Something went wrong with ipsec connection status\n";
+ }
+
+ }
+
+ }
+
+ # If it isn't running then start it up
+ # Auto connections start themselves. Added connections wait
+ else {
+ print "Ipsec Information - Disable Reverse Path Filtering\n";
+ setRedirects();
+
+ # Make sure access = public
+ unless ( $ipsec_access eq 'public' ) {
+ $configDB->set_prop( $ipsecDBkey, 'access', 'public' );
+ }
+
+ print "Ipsec Information - ipsec enabled - Starting ipsec\n ";
+ my $myStartConnection = qx(/etc/rc.d/init.d/ipsec start);
+ die("Ipsec Error - Unable to launch ipsec start : $!\n ")
+ if not defined $myStartConnection;
+ die("Ipsec Error - Unable to launch ipsec start ( error code $?)\n ") if $?;
+
+ exit 0;
+ }
+
+ exit 0;
+
+}
+
+#### Subroutines here
+
+sub changeState {
+
+ #@_ contains $ipsecDBkey and $ipsecstatus
+ $ipsecDB->set_prop( $_[0], 'PreviousState', $_[1] );
+}
+
+sub startConnection {
+ system("/usr/sbin/ipsec auto --asynchronous --up $_[0]");
+}
+
+sub stopConnection {
+ print "Ipsec Information - SubRoutine - stop connection $_[0]\n ";
+ system("/usr/sbin/ipsec auto --down $_[0]");
+ print "Ipsec Information - system down code: $?\n";
+ system("/usr/sbin/ipsec auto --delete $_[0]");
+ print "Ipsec Information - system delete code: $?\n";
+}
+
+sub setRedirects {
+
+ my $internalIf = $configDB->get_prop( 'InternalInterface', 'Name' );
+ my $externalIf = $configDB->get_prop( 'ExternalInterface', 'Name' );
+
+ # Big warning - this is a potential security issue
+ # Make sure you read and understand what happens !
+ # If I knew which specific interfaces to change we could reduce the lines here
+ system("/sbin/sysctl -w net.ipv4.conf.all.send_redirects=0") == 0
+ or die("Ipsec Error - A problem occurred with sysctl: $?");
+ system("/sbin/sysctl -w net.ipv4.conf.default.send_redirects=0") == 0
+ or die("Ipsec Error - A problem occurred with sysctl: $?");
+
+ system("/sbin/sysctl -w net.ipv4.conf.all.accept_redirects=0") == 0
+ or die("Ipsec Error - A problem occurred with sysctl: $?");
+ system("/sbin/sysctl -w net.ipv4.conf.default.accept_redirects=0") == 0
+ or die("Ipsec Error - A problem occurred with sysctl: $?");
+
+ system("/sbin/sysctl -w net.ipv4.conf.default.rp_filter=0") == 0
+ or die("Ipsec Error - A problem occurred with sysctl: $?");
+ system("/sbin/sysctl -w net.ipv4.conf.all.rp_filter=0") == 0
+ or die("Ipsec Error - A problem occurred with sysctl: $?");
+ system("/sbin/sysctl -w net.ipv4.conf.$externalIf.rp_filter=0") == 0
+ or die("Ipsec Error - A problem occurred with sysctl: $?");
+ system("/sbin/sysctl -w net.ipv4.conf.$internalIf.rp_filter=0") == 0
+ or die("Ipsec Error - A problem occurred with sysctl: $?");
+
+
+}
+
+sub resetRedirects {
+
+ # /etc/syctl.conf is expanded on ipsec-update
+ # This should reload the file - if ipsec is disabled it should reset to defaults
+ # If ipsec is enabled it should disable rp_filtering
+ system("/sbin/sysctl -p") == 0
+ or die("Ipsec Error - A problem occurred with sysctl: $?");
+}
+
diff --git a/root/etc/e-smith/templates/etc/ipsec.conf/10Setup b/root/etc/e-smith/templates/etc/ipsec.conf/10Setup
new file mode 100644
index 0000000..e15491b
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/ipsec.conf/10Setup
@@ -0,0 +1,98 @@
+{
+ use strict;
+ use warnings;
+ use esmith::ConfigDB;
+
+ my $configDB = esmith::ConfigDB->open_ro or die("can't open Config DB");
+ my $dbKey = 'ipsec';
+ my $systemMode = $configDB->get("SystemMode")->value;
+ my $ipsecStatus = $configDB->get_prop( $dbKey, 'status' ) || 'disabled';
+
+ if ( $systemMode ne 'servergateway' ) {
+ $OUT .= "# System not in Server Gateway mode\n";
+ }
+
+ elsif ( $ipsecStatus ne 'enabled' ) {
+ $OUT .= "# Ipsec not enabled\n";
+ }
+
+ else {
+ my $ipsecDB = esmith::ConfigDB->open_ro('ipsec_connections')
+ or die("cant connect to ipsec database");
+
+ my $dbKey = 'ipsec';
+
+ # Generic setup file
+ my $debugstatus = $configDB->get_prop( $dbKey, 'debug' ) || 'none';
+ my $keepalive = $configDB->get_prop( $dbKey, 'keepalive' ) || '';
+
+ # A standard config is included in the RPM but we need to generate a new one so we can modify settings
+
+ $OUT .= "config setup\n";
+ $OUT .= " protostack=netkey\n";
+ $OUT .= " plutodebug=$debugstatus\n";
+ $OUT .= " #klipsdebug=none\n";
+ $OUT .= " log=/var/log/pluto/pluto.log\n";
+ $OUT .= " dumpdir=/var/run/pluto/\n";
+
+ if ( $keepalive ne '' ) {
+ $OUT .= " keep-alive=$keepalive\n";
+ }
+
+ # This should get all the connections in an array
+
+ my @connections = $ipsecDB->keys;
+
+ my $virtual_private = '';
+ my @subnetArr = ();
+
+ foreach my $ipsecprop (@connections) {
+
+ # Note that L2TPD needs the localsubnet in here
+ # Second thoughts I don't think it does
+ # Only when you have subnet <-> subnet
+
+ my $ipsecstatus = $ipsecDB->get_prop( "$ipsecprop", 'status' ) || "disabled";
+
+ my $ipsecrecord = $ipsecDB->get($ipsecprop);
+ my $type = $ipsecrecord->prop('type');
+
+ if ( $ipsecstatus eq 'enabled' && ( $type eq 'ipsec' || $type eq 'xl2tpd' ) ) {
+
+ my $rightsubnet = $ipsecDB->get_prop( "$ipsecprop", 'rightsubnet' );
+
+ unless ($rightsubnet) {
+ warn("Warning $ipsecprop has no right subnet");
+ }
+
+ # Check if the network is a unique value
+ if ( $rightsubnet && !( $rightsubnet ~~ @subnetArr ) ) {
+ push( @subnetArr, $rightsubnet );
+ }
+ }
+ } # End foreach
+
+ $virtual_private .= " virtual-private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,";
+
+ unless ( @subnetArr == 0 ) {
+
+ # For NAT and vhost:%priv seting exclude any right subnets
+ foreach my $subnet (@subnetArr) {
+ $virtual_private .= "%v4:!$subnet,";
+ }
+
+ # Remove last character ','
+ chop($virtual_private);
+ $OUT .= "$virtual_private\n";
+ $OUT .= "\n";
+
+ } #end unless
+
+ # I think that this is all we really need. as long as we don't have complex subnets etc
+ # $OUT .= " virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12";
+ $OUT .= "include /etc/ipsec.d/ipsec.conf\n";
+
+ } # End else
+ # End
+}
+
diff --git a/root/etc/e-smith/templates/etc/ipsec.d/ipsec.conf/10Connection b/root/etc/e-smith/templates/etc/ipsec.d/ipsec.conf/10Connection
new file mode 100644
index 0000000..5cc2382
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/ipsec.d/ipsec.conf/10Connection
@@ -0,0 +1,270 @@
+{
+ use strict;
+ use warnings;
+ use esmith::ConfigDB;
+ use NetAddr::IP;
+
+ my $configDB = esmith::ConfigDB->open_ro or die("can't open Config DB");
+ my $dbKey = 'ipsec';
+ my $systemMode = $configDB->get("SystemMode")->value;
+ my $ipsecStatus = $configDB->get_prop( $dbKey, 'status' ) || 'disabled';
+
+ if ( $systemMode ne 'servergateway' ) {
+ $OUT .= "# System not in Server Gateway mode\n";
+ }
+
+ elsif ( $ipsecStatus ne 'enabled' ) {
+ $OUT .= "# Ipsec not enabled\n";
+ }
+
+ else {
+ my $ipsecDB = esmith::ConfigDB->open_ro('ipsec_connections')
+ or die("cant connect to ipsec database");
+
+ # This should get all the connections in an array
+
+ my @connections = $ipsecDB->keys;
+
+ $OUT .= "# ipsec.conf\n\n";
+
+ foreach my $ipsecprop (@connections) {
+
+ if ( $ipsecprop ne 'L2TPD-PSK' ) {
+
+ # first we verify if IPSec is enabled for the connection
+
+ my $ipsecstatus = $ipsecDB->get_prop( $ipsecprop, 'status' ) || 'disabled';
+
+ if ( $ipsecstatus eq 'enabled' ) {
+
+ $OUT .= "conn $ipsecprop\n";
+
+ # These should be from $configDB-> ipsec
+
+ # Not templated this - maybe later with L2TPD
+ # We currently use a password file but this could be integrated with other authent later
+
+ # Lazy - assume that it is security (password by default) - options are rsasig|certs
+
+ # Careful - property 'type' has a special meaning in configDB and returns 'service'
+
+ my $connectiontype = $configDB->get_prop( $dbKey, 'connectiontype' )
+ || 'tunnel';
+ $OUT .= " type=$connectiontype\n";
+
+ my $security = $ipsecDB->get_prop( $ipsecprop, 'security' )
+ || 'secret';
+
+ # my $certname = $ipsecDB->get_prop( "$ipsecprop", 'certname' ) || ''; ???? Is this required ?
+
+ if ( $security eq 'rsasig' ) {
+ $OUT .= " authby=rsasig\n";
+
+ my $leftrsasig = $ipsecDB->get_prop( $ipsecprop, 'leftrsasig' )
+ || '';
+ $OUT .= " leftrsasigkey=$leftrsasig\n";
+
+ my $rightrsasig = $ipsecDB->get_prop( $ipsecprop, 'rightrsasig' )
+ || '';
+ $OUT .= " rightrsasigkey=$rightrsasig\n";
+
+ }
+
+ elsif ( $security eq 'certs' ) {
+
+ $OUT .= " authby=rsasig\n";
+
+ my $leftrsasig = $ipsecDB->get_prop( $ipsecprop, 'leftrsasig' )
+ || '%cert';
+ $OUT .= " leftrsasigkey=$leftrsasig\n";
+
+ my $rightrsasig = $ipsecDB->get_prop( $ipsecprop, 'rightrsasig' )
+ || '%cert';
+ $OUT .= " rightrsasigkey=$rightrsasig\n";
+
+ my $leftcert = $ipsecDB->get_prop( $ipsecprop, 'leftcert' )
+ || '"LeftCertName"';
+ $OUT .= " leftcert=\"$leftcert\"\n";
+
+ my $rightcert = $ipsecDB->get_prop( $ipsecprop, 'rightcert' )
+ || '"RightCertName"';
+ $OUT .= " rightcert=\"$rightcert\"\n";
+
+ }
+
+ else {
+ $OUT .= " authby=$security\n";
+ }
+
+ # Use connection value if it exists, if not use generic db value
+ my $auto =
+ $ipsecDB->get_prop( $ipsecprop, 'auto' )
+ || $configDB->get_prop( $dbKey, 'auto' )
+ || 'start';
+
+ # If we are a static host to a dynamic client we are always add
+ my $iptype = $ipsecDB->get_prop( $ipsecprop, 'iptype' ) || '';
+
+ if ( $iptype eq 'stattodyn' ) {
+ $OUT .= " auto=add\n";
+ }
+ else {
+ $OUT .= " auto=$auto\n";
+ }
+
+ # We should change ipsecversion to 'ikev2'
+ my $ipsecversion =
+ $ipsecDB->get_prop( $ipsecprop, 'ipsecversion' )
+ || $configDB->get_prop( $dbKey, 'ipsecversion' )
+ || 'permit';
+
+ $OUT .= " ikev2=$ipsecversion\n";
+
+ # Set the Phase one and Phase two default strengths - these are set to aes
+ my $ike =
+ $ipsecDB->get_prop( $ipsecprop, 'ike' )
+ || $configDB->get_prop( $dbKey, 'ike' )
+ || 'aes-sha1';
+ $OUT .= " ike=$ike\n";
+
+ # We should change phase2 to phase2alg
+ my $phase2 =
+ $ipsecDB->get_prop( $ipsecprop, 'phase2' )
+ || $configDB->get_prop( $dbKey, 'phase2' )
+ || 'aes-sha1';
+ $OUT .= " phase2alg=$phase2\n";
+
+ # mtu can only be set per connection
+ my $mtu = $ipsecDB->get_prop( $ipsecprop, 'mtu' )
+ || '';
+
+ unless ( $mtu eq '' ) {
+ $OUT .= " mtu=$mtu\n";
+ }
+
+ # These should be from $configDB-> ipsec unless they exist in ipsec_connections
+
+ my $forceencaps =
+ $ipsecDB->get_prop( $ipsecprop, 'forceencaps' )
+ || $configDB->get_prop( $dbKey, 'forceencaps' )
+ || 'no';
+
+ $OUT .= " encapsulation=$forceencaps\n";
+
+ my $keyingtries =
+ $ipsecDB->get_prop( $ipsecprop, 'keyingtries' )
+ || $configDB->get_prop( $dbKey, 'keyingtries' )
+ || '%forever';
+ $OUT .= " keyingtries=$keyingtries\n";
+
+ # Following come from ipsecDB or configDB or hardcoded
+ my $ikelifetime =
+ $ipsecDB->get_prop( $ipsecprop, 'ikelifetime' )
+ || $configDB->get_prop( $dbKey, 'ikelifetime' )
+ || '3600s';
+ $OUT .= " ikelifetime=$ikelifetime\n";
+
+ my $salifetime =
+ $ipsecDB->get_prop( $ipsecprop, 'salifetime' )
+ || $configDB->get_prop( $dbKey, 'salifetime' )
+ || '28800s';
+ $OUT .= " salifetime=$salifetime\n";
+
+ # Add is for incoming and is better that server dpd is ignored
+ # Disabled for now
+
+ # if ( $auto ne 'add' ) {}
+ my $dpdaction =
+ $ipsecDB->get_prop( $ipsecprop, 'dpdaction' )
+ || $configDB->get_prop( $dbKey, 'dpdaction' )
+ || 'restart';
+ $OUT .= " dpdaction=$dpdaction\n";
+
+ my $dpddelay =
+ $ipsecDB->get_prop( $ipsecprop, 'dpddelay' )
+ || $configDB->get_prop( $dbKey, 'dpddelay' )
+ || '30';
+ $OUT .= " dpddelay=$dpddelay\n";
+
+ my $dpdtimeout =
+ $ipsecDB->get_prop( $ipsecprop, 'dpdtimeout' )
+ || $configDB->get_prop( $dbKey, 'dpdtimeout' )
+ || '10';
+ $OUT .= " dpdtimeout=$dpdtimeout\n";
+
+ # default to yes unless overridden in the connection db
+ my $pfs = $ipsecDB->get_prop( $ipsecprop, 'pfs' ) || 'yes';
+ $OUT .= " pfs=$pfs\n";
+
+ # Following come from ipsecDB or configDB or hardcoded
+ my $left =
+ $ipsecDB->get_prop( $ipsecprop, 'left' )
+ || $configDB->get_prop( $dbKey, 'left' )
+ || '%defaultroute';
+ $OUT .= " left=$left\n";
+
+ if ( $security eq 'certs' ) {
+ my $leftid = ( $ipsecDB->get_prop( $ipsecprop, 'leftid' ) || '%fromcert' );
+ $OUT .= " leftid=$leftid\n";
+ }
+
+ # These ONLY come from the ipsec_configurations db
+ elsif ( ( my $leftid = $ipsecDB->get_prop( $ipsecprop, 'leftid' ) || '' ) ne '' ) {
+ $OUT .= " leftid=$leftid\n";
+ }
+
+ # Left sourceIP and leftsubnet can be taken from the Internal interface
+ # but we can allow them to be overridden
+
+ #my $internalAddr = $configDB->get_prop( 'InternalInterface', 'IPAddress' );
+ my $internalMask = $configDB->get_prop( 'InternalInterface', 'Netmask' );
+ my $internalNetwork = $configDB->get_prop( 'InternalInterface', 'Network' );
+
+ my $ip = NetAddr::IP->new( $internalNetwork, $internalMask ) or die "Invalid host/mask";
+ my $internalCIDRNetwork = ( $ip->network() );
+
+ my $leftsourceip = $ipsecDB->get_prop( $ipsecprop, 'leftsourceip' )
+ || $configDB->get_prop( 'InternalInterface', 'IPAddress' );
+ $OUT .= " leftsourceip=$leftsourceip\n";
+
+ my $leftsubnet = $ipsecDB->get_prop( $ipsecprop, 'leftsubnet' ) || $internalCIDRNetwork;
+ $OUT .= " leftsubnet=$leftsubnet\n";
+
+ # If we are a static host to a dynamic client we HAVE to set right %any
+ # Should never be empty
+ my $right = $ipsecDB->get_prop( $ipsecprop, 'right' ) || '%any';
+
+ if ( $iptype eq 'stattodyn' ) {
+ $OUT .= " right=%any\n";
+ }
+ else {
+ $OUT .= " right=$right\n";
+ }
+
+ if ( $security eq 'certs' ) {
+ my $rightid = ( $ipsecDB->get_prop( $ipsecprop, 'rightid' ) || '%fromcert' );
+ $OUT .= " rightid=$rightid\n";
+ }
+
+ elsif ( ( my $rightid = $ipsecDB->get_prop( $ipsecprop, 'rightid' ) || '' ) ne '' ) {
+ $OUT .= " rightid=$rightid\n";
+ }
+
+ my $rightsubnet = $ipsecDB->get_prop( $ipsecprop, 'rightsubnet' ) || '';
+ if ( $rightsubnet ne '' ) {
+ $OUT .= " rightsubnet=$rightsubnet\n";
+ }
+
+ my $reauth = $ipsecDB->get_prop( $ipsecprop, 'reauth' ) || '';
+ if ( $reauth eq 'y' || $reauth eq 'yes' || $reauth eq '1' ) {
+ $OUT .= " reauth=yes\n";
+ }
+ } # End if ( $ipsecstatus eq 'enabled' )
+ else {
+ $OUT .= "# conn $ipsecprop disabled\n";
+ }
+ } # End if ( $ipsecprop ne 'L2TPD-PSK' )
+ } # End foreach
+ } # End else
+}
+
diff --git a/root/etc/e-smith/templates/etc/ipsec.d/ipsec.secrets/10Passwords b/root/etc/e-smith/templates/etc/ipsec.d/ipsec.secrets/10Passwords
new file mode 100644
index 0000000..d1f7da4
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/ipsec.d/ipsec.secrets/10Passwords
@@ -0,0 +1,116 @@
+
+{
+ use strict;
+ use warnings;
+ use esmith::ConfigDB;
+
+ my $configDB = esmith::ConfigDB->open_ro or die("can't open Config DB");
+ my $dbKey = 'ipsec';
+ my $systemMode = $configDB->get("SystemMode")->value;
+ my $ipsecStatus = $configDB->get_prop( $dbKey, 'status' ) || 'disabled';
+
+ if ( $systemMode ne 'servergateway' ) {
+ $OUT .= "# System not in Server Gateway mode\n";
+ }
+
+ elsif ( $ipsecStatus ne 'enabled' ) {
+ $OUT .= "# Ipsec not enabled\n";
+ }
+
+ else {
+ my $ipsecDB = esmith::ConfigDB->open_ro('ipsec_connections')
+ or die("cant connect to ipsec database");
+
+ # This should get all the connections in an array
+
+ my @connections = $ipsecDB->keys;
+
+ $OUT .= "# ipsec.secrets\n\n";
+
+ my $ExternalIP = $configDB->get_prop( "ExternalInterface", "IPAddress" );
+
+ foreach my $ipsecprop (@connections) {
+
+ if ( $ipsecprop ne 'L2TPD-PSK' ) {
+
+ # first we verify if IPSec is enabled for the connection
+
+ my $ipsecstatus = $ipsecDB->get_prop( $ipsecprop, 'status' )
+ || "disabled";
+
+ if ( $ipsecstatus eq "enabled" ) {
+
+ my $right = $ipsecDB->get_prop( $ipsecprop, 'right' ) || '';
+
+ # Hmm..... if left is not set it defaults to %defaultroute which we don't want here
+
+ my $left = $ipsecDB->get_prop( $ipsecprop, 'left' ) || $ExternalIP;
+ my $security = $ipsecDB->get_prop( $ipsecprop, 'security' ) || 'secret';
+ my $iptype = $ipsecDB->get_prop( $ipsecprop, 'iptype' ) || '';
+ my $certname = $ipsecDB->get_prop( $ipsecprop, 'certname' ) || '';
+ my $passwd = $ipsecDB->get_prop( $ipsecprop, 'passwd' ) || '';
+
+ # Double quote is not allowed in configuration
+ if ( $passwd =~ /"/ ) {
+ die("Ipsec Error - PSK value cannot contain double quotes (\")");
+ }
+
+ $OUT .= "# $ipsecprop is enabled\n";
+
+ if ( $security eq 'certs' ) {
+ $OUT .= "# Certificates enabled for $ipsecprop - no settings required\n";
+ }
+
+ elsif ( $security eq 'secret' ) {
+
+ # If dynamic it must be %any here
+ # If not it can be ExternalIP if left not set
+
+ # IF we have IDs then use them in preference to %any
+
+ my $leftid = $ipsecDB->get_prop( $ipsecprop, 'leftid' ) || '';
+ my $rightid = $ipsecDB->get_prop( $ipsecprop, 'rightid' ) || '';
+
+ if ( $iptype eq 'stattodyn' ) {
+ if ( ( $leftid eq '' ) && ( $rightid eq '' ) ) {
+ $OUT .= "$left %any \: PSK \"$passwd\"";
+ }
+ else {
+ $OUT .= "$leftid $rightid \: PSK \"$passwd\"";
+ }
+ }
+
+ elsif ( $iptype eq 'dyntostat' ) {
+ if ( ( $leftid eq '' ) && ( $rightid eq '' ) ) {
+ $OUT .= "%any $right\: PSK \"$passwd\"";
+ }
+ else {
+ $OUT .= "$leftid $rightid \: PSK \"$passwd\"";
+ }
+ }
+
+ elsif ( ( $leftid ne '' ) && ( $rightid ne '' ) ) {
+ $OUT .= "$leftid $rightid \: PSK \"$passwd\"";
+ }
+
+ else {
+ $OUT .= "$left $right \: PSK \"$passwd\"";
+ }
+ }
+
+ elsif ( $security eq "rsasig" ) {
+ $OUT .= "# Connection to $ipsecprop is RSA\n";
+ $OUT .= "# Our RSA key is in separate file\n";
+ }
+
+ else {
+ $OUT .= "# $ipsecprop is disabled\n";
+ $OUT .= "\n";
+ }
+ $OUT .= "\n";
+ } # if
+ } #unless
+ } #foreach
+ } #else
+}
+
diff --git a/root/etc/e-smith/templates/etc/ipsec.secrets/10Setup b/root/etc/e-smith/templates/etc/ipsec.secrets/10Setup
new file mode 100644
index 0000000..2325d8d
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/ipsec.secrets/10Setup
@@ -0,0 +1 @@
+include /etc/ipsec.d/*.secrets
diff --git a/root/etc/e-smith/templates/etc/rc.d/init.d/masq/40AllowIPsec b/root/etc/e-smith/templates/etc/rc.d/init.d/masq/40AllowIPsec
new file mode 100644
index 0000000..1a865e7
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/rc.d/init.d/masq/40AllowIPsec
@@ -0,0 +1,16 @@
+# Required PostRouting for VPN
+
+{
+ my $ipsec_status = $ipsec{status} || '';
+
+# print "Ipsec Information - 40AllowIpsec - $ipsec_status\n";
+
+ if ( $ipsec_status eq 'enabled' ) {
+ $OUT .= " # Do not NAT VPN traffic\n";
+ $OUT .= " /sbin/iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT\n";
+ }
+
+ else {
+ $OUT .= " # 40AllowIPsec VPN POSTROUTING disabled\n";
+ }
+}
diff --git a/root/etc/e-smith/templates/etc/rc.d/init.d/masq/56AllowESP b/root/etc/e-smith/templates/etc/rc.d/init.d/masq/56AllowESP
new file mode 100644
index 0000000..09a2cff
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/rc.d/init.d/masq/56AllowESP
@@ -0,0 +1,18 @@
+# based on /etc/e-smith/templates/etc/rc.d/init.d/masq/55AllowGRE
+
+{
+ my $ipsec_status = $ipsec{status} || '';
+
+# print "Ipsec Information - 56AllowESP - $ipsec_status\n";
+
+ if ( $ipsec_status eq 'enabled' ) {
+ $OUT .= " /sbin/iptables --new-chain esp-in\n";
+ $OUT .= " /sbin/iptables --append INPUT -p ESP -j esp-in\n";
+ $OUT .= " /sbin/iptables --append INPUT -p ESP -j denylog\n";
+ $OUT .= " /sbin/iptables --append esp-in \! -d \$OUTERNET -j denylog\n";
+ $OUT .= " /sbin/iptables --append esp-in -j denylog\n";
+ }
+ else {
+ $OUT .= " # 56AllowESP disabled\n";
+ }
+}
diff --git a/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustESP b/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustESP
new file mode 100644
index 0000000..62a4e81
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustESP
@@ -0,0 +1,16 @@
+# based on /etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustGRE
+
+{
+ my $ipsec_status = $ipsec{status} || '';
+
+# print "Ipsec Information - 90AdjustESP - $ipsec_status\n";
+
+ if ( $ipsec_status eq 'enabled' ) {
+ my $target = ( $ipsec_status eq 'enabled' ) ? "ACCEPT" : "denylog";
+ $OUT .= " /sbin/iptables --replace esp-in 1 ! -d \$OUTERNET -j denylog\n";
+ $OUT .= " /sbin/iptables --replace esp-in 2 -j $target\n";
+ }
+ else {
+ $OUT .= " # 90adjustESP disabled\n";
+ }
+}
diff --git a/root/etc/e-smith/templates/etc/sysctl.conf/z-ipsec-modifications b/root/etc/e-smith/templates/etc/sysctl.conf/z-ipsec-modifications
new file mode 100644
index 0000000..bea9b65
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/sysctl.conf/z-ipsec-modifications
@@ -0,0 +1,29 @@
+{
+# Set up sysctl.conf for ipsec
+# need a check on release version as v8 needs
+# net.core.xfrm_larval_drop = 1
+# $configDB->get_prop( 'sysconfig', 'ReleaseVersion' ) eq 'v8/v9'
+
+use strict;
+use warnings;
+use esmith::ConfigDB;
+
+my $configDB = esmith::ConfigDB->open or die("can't open Config DB");
+
+ if ( $configDB->get_prop( 'ipsec', 'status' ) eq 'enabled' ) {
+
+ $OUT .= <= 9.2
+Requires: libreswan >= 3.29
+AutoReqProv: no
+
+%description
+Libreswan is a free software implementation of the most widely supported and standardised VPN protocol based on ("IPsec") and the Internet Key Exchange ("IKE")
+
+%changelog
+* Sat Sep 07 2024 cvs2git.sh aka Brian Read 0.5-37.sme
+- Roll up patches and move to git repo [SME: 12338]
+
+* Sat Sep 07 2024 BogusDateBot
+- Eliminated rpmbuild "bogus date" warnings due to inconsistent weekday,
+ by assuming the date is correct and changing the weekday.
+
+* Wed May 24 2023 John Crisp 0.5-36.sme
+- Change ipsec.conf log setting
+- Create /var/log/pluto/pluto.log
+- Add reauth 'yes' as an added option
+- Update createlinks
+
+* Mon Mar 01 2021 Brian Read 0.5-35.sme
+- Initial Import in SME10 tree [SME: 11405]
+- Update for systemd
+
+* Mon Feb 17 2020 John Crisp 0.5-34.sme
+- auto insert leftsourceip and subnet from internal interface
+- Force right to have a value
+
+* Fri Feb 14 2020 John Crisp 0.5-33.sme
+- update keyingtries
+- update virtual-private
+
+* Thu Jan 30 2020 John Crisp 0.5-32.sme
+- Fix xl2tpd status check
+
+* Thu Oct 17 2019 John Crisp 0.5-31.sme
+- Allow rightsubnet for xl2tpd in virtual_private
+- Add check for empty virtual_private hosts
+
+* Sun Oct 13 2019 John Crisp 0.5-30.sme
+- Fix issue when there is no xl2tpd key
+
+* Sat Aug 31 2019 John Crisp 0.5-29.sme
+- Bump required Libreswan to 3.29
+- add reauth option
+
+* Thu Jun 21 2018 John Crisp 0.5-28.sme
+- Bump required Libreswan to 3.23
+- Change forceencaps to encapsulation
+- Remove obsolete nat_traversal
+- Modify ipsec.conf for no rightsubnet in xl2tpd
+
+* Tue Sep 19 2017 John Crisp 0.5-27.sme
+- Allow variable network interface names - Stefano Zamboni
+
+* Thu Jun 15 2017 John Crisp 0.5-26.sme
+- add keep-alive option in main ipsec.conf
+- add forceencaps option overall default and per connection
+- small code tidy
+- Add support for L2TPD
+
+* Thu Jan 26 2017 John Crisp 0.5-25.sme
+ - Fix the ipsec.conf as well
+ - remove automatic \@ in IDs - Fixes [SME: 9729]
+
+* Thu Jan 26 2017 John Crisp 0.5-24.sme
+ - remove automatic \@ in IDs - Fixes [SME: 9729]
+ - fix swapped left/right IDs in password file
+
+* Wed Jan 25 2017 John Crisp 0.5-23.sme
+- Add the ability to use PEM/PKCS#12 certificates - fixes [SME: 9942]
+- lots of code tidying
+
+* Wed Dec 21 2016 John Crisp 0.5-22.sme
+- update logrotate completely now I realise it is symlinked
+- remove UPDPort and add UPDPorts due to ipsec v2
+
+* Wed Dec 21 2016 John Crisp 0.5-21.sme
+- add more variations for ike v1/2
+- remove logrotate template
+- add /etc/e-smith/events/logrotate/logfiles2timestamp/var/log/pluto.log
+- Fix some log noise when first installed and still disabled
+
+* Sat Apr 23 2016 John Crisp 0.5-20.sme
+- Fix typo in createlinks for sysctl.conf
+
+* Mon Apr 04 2016 John Crisp 0.5-19.sme
+- Fix ID in ipsec.secrets if ID is set
+
+* Thu Mar 24 2016 John Crisp 0.5-18.sme
+- Add debug db key to /etc/ipsec.conf
+- Remove setting public/private keys as they won't affect unless templates are re-expanded
+- Set xfrm_larval_drop drop correctly
+
+* Tue Mar 22 2016 John Crisp 0.5-17.sme
+- Move pluto.log to /var/log/pluto
+- bump libreswan requires version to 3.16
+- regenerate masq template on ipsec-update
+- change wiki location page
+- add sysctl.conf template
+- modify masq templates for ipsec status enabled/disabled
+- only load ipsec.conf rather than *.conf to avoid loading v6neighbor-hole.conf
+
+* Thu Mar 10 2016 John Crisp 0.5-16.sme
+- Fix masq templates for missing db entries on install
+
+* Wed Mar 09 2016 JP Pialasse 0.5-15.sme
+- first import in SME buildsys
+
+* Wed Feb 17 2016 John Crisp 0.5-13
+- Fix small typo in readme
+
+* Fri Dec 04 2015 John Crisp 0.5-12
+- Add keyingtries
+- Finally fix add issues using asynchronous
+
+* Wed Dec 02 2015 John Crisp 0.5-11
+- Determine host IPtype - static or dynamic IP
+- auto --up changed to exec
+- Add checks for Left/Right ID in secrets file
+
+* Tue Dec 01 2015 John Crisp 0.5-10
+- Allow dynamic addresses
+- Add iptype
+- disallow " in PSK passwords
+- Revised logging messages
+
+* Mon Nov 30 2015 John Crisp 0.5-9
+- Amended templates to allow for rsasig. Early cert settings removed
+
+* Wed Nov 25 2015 John Crisp 0.5-8
+- Revised masq templates - disable on ipsec disable
+- Template ipsec.secrets so Terry won't break it again
+- Set requires e-smith >=9 and libreswan >=3.14
+
+* Wed Nov 18 2015 John Crisp 0.5-7
+- add 90adjustESP
+
+* Tue Nov 17 2015 John Crisp 0.5-6
+- more update to masq firewalls - change -p 50 to -p ESP
+
+* Tue Nov 17 2015 John Crisp 0.5-5
+- update masq firewall rules
+- document clean up
+
+* Wed May 27 2015 John Crisp 0.5-4
+- set dpd actions off if ipsec is 'add'
+- add salifetime key and rename ikelifetime and keylife
+- change defaults for salifetime and ikelifetime
+- add in rsasig support
+
+* Wed Apr 22 2015 John Crisp 0.5-3
+- change default ike from aes-sha to aes-sha1
+
+* Tue Mar 24 2015 John Crisp 0.5-2
+- More minor fixes - should work OK with xl2tpd
+
+* Thu Mar 19 2015 John Crisp 0.5-1
+- Remove templates2expand and added to createlinks
+- modified ipsec.secret template
+- various other fixes
+
+* Fri Mar 13 2015 John Crisp 0.4-5
+- Big changes again - now have PreviousState to detect changes
+- Createlinks to S10 to run after expand-templates
+
+* Thu Mar 5 2015 John Crisp 0.4-4
+- Changed lots. Removed sysctl.conf template
+- Changed firewall template
+
+* Tue Mar 3 2015 John Crisp 0.4-3
+- Load of code tidying and prep from xl2tpd
+
+* Fri Feb 27 2015 John Crisp 0.4-2
+- Update action script and allow for system not in gateway mode
+- add ike and phase2alg db settings
+
+* Tue Feb 24 2015 John Crisp 0.4-1
+- New ipsec-action script
+- Numerous template changes
+
+* Fri Jan 16 2015 John Crisp 0.3-1
+- remove debugging lines
+- remove expand templates from spec file
+- add status check for ipsec.conf
+- add comment to masq template
+- updated db defaults
+- ipsec.conf not expanded on install
+- missed auto=start
+
+* Fri Jan 16 2015 John Crisp 0.2-1
+- remove rc.local modifications
+- add /etc/sysctl.conf patches
+
+* Thu Jan 15 2015 John Crisp 0.1-1
+- initial release
+
+%prep
+%setup
+
+%build
+perl createlinks
+
+%install
+rm -rf $RPM_BUILD_ROOT
+(cd root ; find . -depth -print | cpio -dump $RPM_BUILD_ROOT)
+rm -f %{name}-%{version}-filelist
+/sbin/e-smith/genfilelist $RPM_BUILD_ROOT > %{name}-%{version}-filelist
+echo "%doc COPYING" >> %{name}-%{version}-filelist
+
+
+%clean
+cd ..
+rm -rf %{name}-%{version}
+
+%files -f %{name}-%{version}-filelist
+%defattr(-,root,root)
+
+%pre
+%preun
+%post
+
+/sbin/e-smith/expand-template /etc/rc.d/init.d/masq
+#/sbin/e-smith/expand-template /etc/inittab
+#/sbin/init q
+
+if [[ ! -d /var/log/pluto ]]
+then
+ mkdir /var/log/pluto
+fi
+
+echo "see https://wiki.contribs.org/Libreswan"
+
+%postun
+/sbin/e-smith/expand-template /etc/rc.d/init.d/masq
+#/sbin/e-smith/expand-template /etc/inittab
+#/sbin/init q