initial commit of file from CVS for smeserver-libreswan on Sat Sep 7 20:32:54 AEST 2024
This commit is contained in:
parent
ac540026c3
commit
1fcd21517b
4
.gitignore
vendored
Normal file
4
.gitignore
vendored
Normal file
@ -0,0 +1,4 @@
|
|||||||
|
*.rpm
|
||||||
|
*.log
|
||||||
|
*spec-20*
|
||||||
|
*.tar.gz
|
21
Makefile
Normal file
21
Makefile
Normal file
@ -0,0 +1,21 @@
|
|||||||
|
# Makefile for source rpm: smeserver-libreswan
|
||||||
|
# $Id: Makefile,v 1.1 2021/02/22 16:03:26 brianr Exp $
|
||||||
|
NAME := smeserver-libreswan
|
||||||
|
SPECFILE = $(firstword $(wildcard *.spec))
|
||||||
|
|
||||||
|
define find-makefile-common
|
||||||
|
for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done
|
||||||
|
endef
|
||||||
|
|
||||||
|
MAKEFILE_COMMON := $(shell $(find-makefile-common))
|
||||||
|
|
||||||
|
ifeq ($(MAKEFILE_COMMON),)
|
||||||
|
# attept a checkout
|
||||||
|
define checkout-makefile-common
|
||||||
|
test -f CVS/Root && { cvs -Q -d $$(cat CVS/Root) checkout common && echo "common/Makefile.common" ; } || { echo "ERROR: I can't figure out how to checkout the 'common' module." ; exit -1 ; } >&2
|
||||||
|
endef
|
||||||
|
|
||||||
|
MAKEFILE_COMMON := $(shell $(checkout-makefile-common))
|
||||||
|
endif
|
||||||
|
|
||||||
|
include $(MAKEFILE_COMMON)
|
17
README.md
17
README.md
@ -1,3 +1,18 @@
|
|||||||
# smeserver-libreswan
|
# <img src="https://www.koozali.org/images/koozali/Logo/Png/Koozali_logo_2016.png" width="25%" vertical="auto" style="vertical-align:bottom"> smeserver-libreswan
|
||||||
|
|
||||||
SMEServer Koozali developed git repo for smeserver-libreswan smecontribs
|
SMEServer Koozali developed git repo for smeserver-libreswan smecontribs
|
||||||
|
|
||||||
|
## Wiki
|
||||||
|
<br />https://wiki.koozali.org/Libreswan
|
||||||
|
<br />https://wiki.koozali.org/Libreswan_IPSEC
|
||||||
|
<br />https://wiki.koozali.org/Libreswan-xl2tpd
|
||||||
|
<br />https://wiki.koozali.org/Smeserver-libreswan-xl2tpd
|
||||||
|
|
||||||
|
## Bugzilla
|
||||||
|
Show list of outstanding bugs: [here](https://bugs.koozali.org/buglist.cgi?component=smeserver-libreswan&product=SME%20Contribs&query_format=advanced&limit=0&bug_status=UNCONFIRMED&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&bug_status=CONFIRMED)
|
||||||
|
|
||||||
|
## Description
|
||||||
|
|
||||||
|
<br />*This description has been generated by an LLM AI system and cannot be relied on to be fully correct.*
|
||||||
|
*Once it has been checked, then this comment will be deleted*
|
||||||
|
<br />
|
||||||
|
340
additional/COPYING
Normal file
340
additional/COPYING
Normal file
@ -0,0 +1,340 @@
|
|||||||
|
GNU GENERAL PUBLIC LICENSE
|
||||||
|
Version 2, June 1991
|
||||||
|
|
||||||
|
Copyright (C) 1989, 1991 Free Software Foundation, Inc.
|
||||||
|
59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
||||||
|
Everyone is permitted to copy and distribute verbatim copies
|
||||||
|
of this license document, but changing it is not allowed.
|
||||||
|
|
||||||
|
Preamble
|
||||||
|
|
||||||
|
The licenses for most software are designed to take away your
|
||||||
|
freedom to share and change it. By contrast, the GNU General Public
|
||||||
|
License is intended to guarantee your freedom to share and change free
|
||||||
|
software--to make sure the software is free for all its users. This
|
||||||
|
General Public License applies to most of the Free Software
|
||||||
|
Foundation's software and to any other program whose authors commit to
|
||||||
|
using it. (Some other Free Software Foundation software is covered by
|
||||||
|
the GNU Library General Public License instead.) You can apply it to
|
||||||
|
your programs, too.
|
||||||
|
|
||||||
|
When we speak of free software, we are referring to freedom, not
|
||||||
|
price. Our General Public Licenses are designed to make sure that you
|
||||||
|
have the freedom to distribute copies of free software (and charge for
|
||||||
|
this service if you wish), that you receive source code or can get it
|
||||||
|
if you want it, that you can change the software or use pieces of it
|
||||||
|
in new free programs; and that you know you can do these things.
|
||||||
|
|
||||||
|
To protect your rights, we need to make restrictions that forbid
|
||||||
|
anyone to deny you these rights or to ask you to surrender the rights.
|
||||||
|
These restrictions translate to certain responsibilities for you if you
|
||||||
|
distribute copies of the software, or if you modify it.
|
||||||
|
|
||||||
|
For example, if you distribute copies of such a program, whether
|
||||||
|
gratis or for a fee, you must give the recipients all the rights that
|
||||||
|
you have. You must make sure that they, too, receive or can get the
|
||||||
|
source code. And you must show them these terms so they know their
|
||||||
|
rights.
|
||||||
|
|
||||||
|
We protect your rights with two steps: (1) copyright the software, and
|
||||||
|
(2) offer you this license which gives you legal permission to copy,
|
||||||
|
distribute and/or modify the software.
|
||||||
|
|
||||||
|
Also, for each author's protection and ours, we want to make certain
|
||||||
|
that everyone understands that there is no warranty for this free
|
||||||
|
software. If the software is modified by someone else and passed on, we
|
||||||
|
want its recipients to know that what they have is not the original, so
|
||||||
|
that any problems introduced by others will not reflect on the original
|
||||||
|
authors' reputations.
|
||||||
|
|
||||||
|
Finally, any free program is threatened constantly by software
|
||||||
|
patents. We wish to avoid the danger that redistributors of a free
|
||||||
|
program will individually obtain patent licenses, in effect making the
|
||||||
|
program proprietary. To prevent this, we have made it clear that any
|
||||||
|
patent must be licensed for everyone's free use or not licensed at all.
|
||||||
|
|
||||||
|
The precise terms and conditions for copying, distribution and
|
||||||
|
modification follow.
|
||||||
|
|
||||||
|
GNU GENERAL PUBLIC LICENSE
|
||||||
|
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
|
||||||
|
|
||||||
|
0. This License applies to any program or other work which contains
|
||||||
|
a notice placed by the copyright holder saying it may be distributed
|
||||||
|
under the terms of this General Public License. The "Program", below,
|
||||||
|
refers to any such program or work, and a "work based on the Program"
|
||||||
|
means either the Program or any derivative work under copyright law:
|
||||||
|
that is to say, a work containing the Program or a portion of it,
|
||||||
|
either verbatim or with modifications and/or translated into another
|
||||||
|
language. (Hereinafter, translation is included without limitation in
|
||||||
|
the term "modification".) Each licensee is addressed as "you".
|
||||||
|
|
||||||
|
Activities other than copying, distribution and modification are not
|
||||||
|
covered by this License; they are outside its scope. The act of
|
||||||
|
running the Program is not restricted, and the output from the Program
|
||||||
|
is covered only if its contents constitute a work based on the
|
||||||
|
Program (independent of having been made by running the Program).
|
||||||
|
Whether that is true depends on what the Program does.
|
||||||
|
|
||||||
|
1. You may copy and distribute verbatim copies of the Program's
|
||||||
|
source code as you receive it, in any medium, provided that you
|
||||||
|
conspicuously and appropriately publish on each copy an appropriate
|
||||||
|
copyright notice and disclaimer of warranty; keep intact all the
|
||||||
|
notices that refer to this License and to the absence of any warranty;
|
||||||
|
and give any other recipients of the Program a copy of this License
|
||||||
|
along with the Program.
|
||||||
|
|
||||||
|
You may charge a fee for the physical act of transferring a copy, and
|
||||||
|
you may at your option offer warranty protection in exchange for a fee.
|
||||||
|
|
||||||
|
2. You may modify your copy or copies of the Program or any portion
|
||||||
|
of it, thus forming a work based on the Program, and copy and
|
||||||
|
distribute such modifications or work under the terms of Section 1
|
||||||
|
above, provided that you also meet all of these conditions:
|
||||||
|
|
||||||
|
a) You must cause the modified files to carry prominent notices
|
||||||
|
stating that you changed the files and the date of any change.
|
||||||
|
|
||||||
|
b) You must cause any work that you distribute or publish, that in
|
||||||
|
whole or in part contains or is derived from the Program or any
|
||||||
|
part thereof, to be licensed as a whole at no charge to all third
|
||||||
|
parties under the terms of this License.
|
||||||
|
|
||||||
|
c) If the modified program normally reads commands interactively
|
||||||
|
when run, you must cause it, when started running for such
|
||||||
|
interactive use in the most ordinary way, to print or display an
|
||||||
|
announcement including an appropriate copyright notice and a
|
||||||
|
notice that there is no warranty (or else, saying that you provide
|
||||||
|
a warranty) and that users may redistribute the program under
|
||||||
|
these conditions, and telling the user how to view a copy of this
|
||||||
|
License. (Exception: if the Program itself is interactive but
|
||||||
|
does not normally print such an announcement, your work based on
|
||||||
|
the Program is not required to print an announcement.)
|
||||||
|
|
||||||
|
These requirements apply to the modified work as a whole. If
|
||||||
|
identifiable sections of that work are not derived from the Program,
|
||||||
|
and can be reasonably considered independent and separate works in
|
||||||
|
themselves, then this License, and its terms, do not apply to those
|
||||||
|
sections when you distribute them as separate works. But when you
|
||||||
|
distribute the same sections as part of a whole which is a work based
|
||||||
|
on the Program, the distribution of the whole must be on the terms of
|
||||||
|
this License, whose permissions for other licensees extend to the
|
||||||
|
entire whole, and thus to each and every part regardless of who wrote it.
|
||||||
|
|
||||||
|
Thus, it is not the intent of this section to claim rights or contest
|
||||||
|
your rights to work written entirely by you; rather, the intent is to
|
||||||
|
exercise the right to control the distribution of derivative or
|
||||||
|
collective works based on the Program.
|
||||||
|
|
||||||
|
In addition, mere aggregation of another work not based on the Program
|
||||||
|
with the Program (or with a work based on the Program) on a volume of
|
||||||
|
a storage or distribution medium does not bring the other work under
|
||||||
|
the scope of this License.
|
||||||
|
|
||||||
|
3. You may copy and distribute the Program (or a work based on it,
|
||||||
|
under Section 2) in object code or executable form under the terms of
|
||||||
|
Sections 1 and 2 above provided that you also do one of the following:
|
||||||
|
|
||||||
|
a) Accompany it with the complete corresponding machine-readable
|
||||||
|
source code, which must be distributed under the terms of Sections
|
||||||
|
1 and 2 above on a medium customarily used for software interchange; or,
|
||||||
|
|
||||||
|
b) Accompany it with a written offer, valid for at least three
|
||||||
|
years, to give any third party, for a charge no more than your
|
||||||
|
cost of physically performing source distribution, a complete
|
||||||
|
machine-readable copy of the corresponding source code, to be
|
||||||
|
distributed under the terms of Sections 1 and 2 above on a medium
|
||||||
|
customarily used for software interchange; or,
|
||||||
|
|
||||||
|
c) Accompany it with the information you received as to the offer
|
||||||
|
to distribute corresponding source code. (This alternative is
|
||||||
|
allowed only for noncommercial distribution and only if you
|
||||||
|
received the program in object code or executable form with such
|
||||||
|
an offer, in accord with Subsection b above.)
|
||||||
|
|
||||||
|
The source code for a work means the preferred form of the work for
|
||||||
|
making modifications to it. For an executable work, complete source
|
||||||
|
code means all the source code for all modules it contains, plus any
|
||||||
|
associated interface definition files, plus the scripts used to
|
||||||
|
control compilation and installation of the executable. However, as a
|
||||||
|
special exception, the source code distributed need not include
|
||||||
|
anything that is normally distributed (in either source or binary
|
||||||
|
form) with the major components (compiler, kernel, and so on) of the
|
||||||
|
operating system on which the executable runs, unless that component
|
||||||
|
itself accompanies the executable.
|
||||||
|
|
||||||
|
If distribution of executable or object code is made by offering
|
||||||
|
access to copy from a designated place, then offering equivalent
|
||||||
|
access to copy the source code from the same place counts as
|
||||||
|
distribution of the source code, even though third parties are not
|
||||||
|
compelled to copy the source along with the object code.
|
||||||
|
|
||||||
|
4. You may not copy, modify, sublicense, or distribute the Program
|
||||||
|
except as expressly provided under this License. Any attempt
|
||||||
|
otherwise to copy, modify, sublicense or distribute the Program is
|
||||||
|
void, and will automatically terminate your rights under this License.
|
||||||
|
However, parties who have received copies, or rights, from you under
|
||||||
|
this License will not have their licenses terminated so long as such
|
||||||
|
parties remain in full compliance.
|
||||||
|
|
||||||
|
5. You are not required to accept this License, since you have not
|
||||||
|
signed it. However, nothing else grants you permission to modify or
|
||||||
|
distribute the Program or its derivative works. These actions are
|
||||||
|
prohibited by law if you do not accept this License. Therefore, by
|
||||||
|
modifying or distributing the Program (or any work based on the
|
||||||
|
Program), you indicate your acceptance of this License to do so, and
|
||||||
|
all its terms and conditions for copying, distributing or modifying
|
||||||
|
the Program or works based on it.
|
||||||
|
|
||||||
|
6. Each time you redistribute the Program (or any work based on the
|
||||||
|
Program), the recipient automatically receives a license from the
|
||||||
|
original licensor to copy, distribute or modify the Program subject to
|
||||||
|
these terms and conditions. You may not impose any further
|
||||||
|
restrictions on the recipients' exercise of the rights granted herein.
|
||||||
|
You are not responsible for enforcing compliance by third parties to
|
||||||
|
this License.
|
||||||
|
|
||||||
|
7. If, as a consequence of a court judgment or allegation of patent
|
||||||
|
infringement or for any other reason (not limited to patent issues),
|
||||||
|
conditions are imposed on you (whether by court order, agreement or
|
||||||
|
otherwise) that contradict the conditions of this License, they do not
|
||||||
|
excuse you from the conditions of this License. If you cannot
|
||||||
|
distribute so as to satisfy simultaneously your obligations under this
|
||||||
|
License and any other pertinent obligations, then as a consequence you
|
||||||
|
may not distribute the Program at all. For example, if a patent
|
||||||
|
license would not permit royalty-free redistribution of the Program by
|
||||||
|
all those who receive copies directly or indirectly through you, then
|
||||||
|
the only way you could satisfy both it and this License would be to
|
||||||
|
refrain entirely from distribution of the Program.
|
||||||
|
|
||||||
|
If any portion of this section is held invalid or unenforceable under
|
||||||
|
any particular circumstance, the balance of the section is intended to
|
||||||
|
apply and the section as a whole is intended to apply in other
|
||||||
|
circumstances.
|
||||||
|
|
||||||
|
It is not the purpose of this section to induce you to infringe any
|
||||||
|
patents or other property right claims or to contest validity of any
|
||||||
|
such claims; this section has the sole purpose of protecting the
|
||||||
|
integrity of the free software distribution system, which is
|
||||||
|
implemented by public license practices. Many people have made
|
||||||
|
generous contributions to the wide range of software distributed
|
||||||
|
through that system in reliance on consistent application of that
|
||||||
|
system; it is up to the author/donor to decide if he or she is willing
|
||||||
|
to distribute software through any other system and a licensee cannot
|
||||||
|
impose that choice.
|
||||||
|
|
||||||
|
This section is intended to make thoroughly clear what is believed to
|
||||||
|
be a consequence of the rest of this License.
|
||||||
|
|
||||||
|
8. If the distribution and/or use of the Program is restricted in
|
||||||
|
certain countries either by patents or by copyrighted interfaces, the
|
||||||
|
original copyright holder who places the Program under this License
|
||||||
|
may add an explicit geographical distribution limitation excluding
|
||||||
|
those countries, so that distribution is permitted only in or among
|
||||||
|
countries not thus excluded. In such case, this License incorporates
|
||||||
|
the limitation as if written in the body of this License.
|
||||||
|
|
||||||
|
9. The Free Software Foundation may publish revised and/or new versions
|
||||||
|
of the General Public License from time to time. Such new versions will
|
||||||
|
be similar in spirit to the present version, but may differ in detail to
|
||||||
|
address new problems or concerns.
|
||||||
|
|
||||||
|
Each version is given a distinguishing version number. If the Program
|
||||||
|
specifies a version number of this License which applies to it and "any
|
||||||
|
later version", you have the option of following the terms and conditions
|
||||||
|
either of that version or of any later version published by the Free
|
||||||
|
Software Foundation. If the Program does not specify a version number of
|
||||||
|
this License, you may choose any version ever published by the Free Software
|
||||||
|
Foundation.
|
||||||
|
|
||||||
|
10. If you wish to incorporate parts of the Program into other free
|
||||||
|
programs whose distribution conditions are different, write to the author
|
||||||
|
to ask for permission. For software which is copyrighted by the Free
|
||||||
|
Software Foundation, write to the Free Software Foundation; we sometimes
|
||||||
|
make exceptions for this. Our decision will be guided by the two goals
|
||||||
|
of preserving the free status of all derivatives of our free software and
|
||||||
|
of promoting the sharing and reuse of software generally.
|
||||||
|
|
||||||
|
NO WARRANTY
|
||||||
|
|
||||||
|
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
|
||||||
|
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
|
||||||
|
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
|
||||||
|
PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
|
||||||
|
OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
|
||||||
|
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
|
||||||
|
TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
|
||||||
|
PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
|
||||||
|
REPAIR OR CORRECTION.
|
||||||
|
|
||||||
|
12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
|
||||||
|
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
|
||||||
|
REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
|
||||||
|
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
|
||||||
|
OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
|
||||||
|
TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
|
||||||
|
YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
|
||||||
|
PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
|
||||||
|
POSSIBILITY OF SUCH DAMAGES.
|
||||||
|
|
||||||
|
END OF TERMS AND CONDITIONS
|
||||||
|
|
||||||
|
How to Apply These Terms to Your New Programs
|
||||||
|
|
||||||
|
If you develop a new program, and you want it to be of the greatest
|
||||||
|
possible use to the public, the best way to achieve this is to make it
|
||||||
|
free software which everyone can redistribute and change under these terms.
|
||||||
|
|
||||||
|
To do so, attach the following notices to the program. It is safest
|
||||||
|
to attach them to the start of each source file to most effectively
|
||||||
|
convey the exclusion of warranty; and each file should have at least
|
||||||
|
the "copyright" line and a pointer to where the full notice is found.
|
||||||
|
|
||||||
|
<one line to give the program's name and a brief idea of what it does.>
|
||||||
|
Copyright (C) 19yy <name of author>
|
||||||
|
|
||||||
|
This program is free software; you can redistribute it and/or modify
|
||||||
|
it under the terms of the GNU General Public License as published by
|
||||||
|
the Free Software Foundation; either version 2 of the License, or
|
||||||
|
(at your option) any later version.
|
||||||
|
|
||||||
|
This program is distributed in the hope that it will be useful,
|
||||||
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
GNU General Public License for more details.
|
||||||
|
|
||||||
|
You should have received a copy of the GNU General Public License
|
||||||
|
along with this program; if not, write to the Free Software
|
||||||
|
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
||||||
|
|
||||||
|
|
||||||
|
Also add information on how to contact you by electronic and paper mail.
|
||||||
|
|
||||||
|
If the program is interactive, make it output a short notice like this
|
||||||
|
when it starts in an interactive mode:
|
||||||
|
|
||||||
|
Gnomovision version 69, Copyright (C) 19yy name of author
|
||||||
|
Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
|
||||||
|
This is free software, and you are welcome to redistribute it
|
||||||
|
under certain conditions; type `show c' for details.
|
||||||
|
|
||||||
|
The hypothetical commands `show w' and `show c' should show the appropriate
|
||||||
|
parts of the General Public License. Of course, the commands you use may
|
||||||
|
be called something other than `show w' and `show c'; they could even be
|
||||||
|
mouse-clicks or menu items--whatever suits your program.
|
||||||
|
|
||||||
|
You should also get your employer (if you work as a programmer) or your
|
||||||
|
school, if any, to sign a "copyright disclaimer" for the program, if
|
||||||
|
necessary. Here is a sample; alter the names:
|
||||||
|
|
||||||
|
Yoyodyne, Inc., hereby disclaims all copyright interest in the program
|
||||||
|
`Gnomovision' (which makes passes at compilers) written by James Hacker.
|
||||||
|
|
||||||
|
<signature of Ty Coon>, 1 April 1989
|
||||||
|
Ty Coon, President of Vice
|
||||||
|
|
||||||
|
This General Public License does not permit incorporating your program into
|
||||||
|
proprietary programs. If your program is a subroutine library, you may
|
||||||
|
consider it more useful to permit linking proprietary applications with the
|
||||||
|
library. If this is what you want to do, use the GNU Library General
|
||||||
|
Public License instead of this License.
|
1
contriborbase
Normal file
1
contriborbase
Normal file
@ -0,0 +1 @@
|
|||||||
|
contribs10
|
68
createlinks
Normal file
68
createlinks
Normal file
@ -0,0 +1,68 @@
|
|||||||
|
#! /usr/bin/perl -w
|
||||||
|
|
||||||
|
# Need some thought on when the templates should be expanded and when the action should be called.
|
||||||
|
|
||||||
|
use esmith::Build::CreateLinks qw(:all);
|
||||||
|
|
||||||
|
# our event specific for updating with yum without reboot
|
||||||
|
$event = "smeserver-libreswan-update";
|
||||||
|
|
||||||
|
#add here the path to your templates needed to expand
|
||||||
|
#see the /etc/systemd/system-preset/49-koozali.preset should be present for systemd integration on all you yum update event
|
||||||
|
|
||||||
|
foreach my $file (qw(
|
||||||
|
/etc/systemd/system-preset/49-koozali.preset
|
||||||
|
/etc/ipsec.conf
|
||||||
|
/etc/ipsec.secrets
|
||||||
|
/etc/ipsec.d/ipsec.conf
|
||||||
|
/etc/ipsec.d/ipsec.secrets
|
||||||
|
/etc/rc.d/init.d/masq
|
||||||
|
/etc/sysctl.conf
|
||||||
|
))
|
||||||
|
{
|
||||||
|
templates2events($file, qw(
|
||||||
|
smeserver-libreswan-update
|
||||||
|
post-upgrade
|
||||||
|
console-save
|
||||||
|
bootstrap-console-save
|
||||||
|
remoteaccess-update
|
||||||
|
));
|
||||||
|
}
|
||||||
|
|
||||||
|
#action needed in case we have a systemd unit
|
||||||
|
event_link("systemd-default", $event, "10");
|
||||||
|
event_link("systemd-reload", $event, "50");
|
||||||
|
|
||||||
|
#action specific to this package
|
||||||
|
foreach my $event_link (qw (
|
||||||
|
smeserver-libreswan-update
|
||||||
|
remoteaccess-update
|
||||||
|
console-save
|
||||||
|
))
|
||||||
|
{
|
||||||
|
event_link("ipsec-update", $event_link, "60");
|
||||||
|
}
|
||||||
|
|
||||||
|
#services we need to restart
|
||||||
|
safe_symlink("restart", "root/etc/e-smith/events/$event/services2adjust/ipsec");
|
||||||
|
safe_symlink("adjust", "root/etc/e-smith/events/$event/services2adjust/masq");
|
||||||
|
|
||||||
|
# Set up generic logfile timestamp renaming/symlinking
|
||||||
|
|
||||||
|
foreach (qw(
|
||||||
|
/var/log/pluto/pluto.log
|
||||||
|
))
|
||||||
|
{
|
||||||
|
safe_touch "root/etc/e-smith/events/logrotate/logfiles2timestamp/$_";
|
||||||
|
}
|
||||||
|
|
||||||
|
#--------------------------------------------------
|
||||||
|
# actions for logrotate event
|
||||||
|
#--------------------------------------------------
|
||||||
|
|
||||||
|
$event = "logrotate";
|
||||||
|
|
||||||
|
safe_symlink("restart", "root/etc/e-smith/events/$event/services2adjust/ipsec");
|
||||||
|
|
||||||
|
|
||||||
|
|
@ -0,0 +1 @@
|
|||||||
|
500,4500
|
1
root/etc/e-smith/db/configuration/defaults/ipsec/access
Normal file
1
root/etc/e-smith/db/configuration/defaults/ipsec/access
Normal file
@ -0,0 +1 @@
|
|||||||
|
private
|
1
root/etc/e-smith/db/configuration/defaults/ipsec/auto
Normal file
1
root/etc/e-smith/db/configuration/defaults/ipsec/auto
Normal file
@ -0,0 +1 @@
|
|||||||
|
start
|
@ -0,0 +1 @@
|
|||||||
|
tunnel
|
1
root/etc/e-smith/db/configuration/defaults/ipsec/debug
Normal file
1
root/etc/e-smith/db/configuration/defaults/ipsec/debug
Normal file
@ -0,0 +1 @@
|
|||||||
|
none
|
@ -0,0 +1 @@
|
|||||||
|
restart
|
@ -0,0 +1 @@
|
|||||||
|
30
|
@ -0,0 +1 @@
|
|||||||
|
10
|
@ -0,0 +1 @@
|
|||||||
|
3600s
|
@ -0,0 +1 @@
|
|||||||
|
yes
|
1
root/etc/e-smith/db/configuration/defaults/ipsec/left
Normal file
1
root/etc/e-smith/db/configuration/defaults/ipsec/left
Normal file
@ -0,0 +1 @@
|
|||||||
|
%defaultroute
|
1
root/etc/e-smith/db/configuration/defaults/ipsec/pfs
Normal file
1
root/etc/e-smith/db/configuration/defaults/ipsec/pfs
Normal file
@ -0,0 +1 @@
|
|||||||
|
yes
|
@ -0,0 +1 @@
|
|||||||
|
28800s
|
@ -0,0 +1 @@
|
|||||||
|
secret
|
1
root/etc/e-smith/db/configuration/defaults/ipsec/status
Normal file
1
root/etc/e-smith/db/configuration/defaults/ipsec/status
Normal file
@ -0,0 +1 @@
|
|||||||
|
disabled
|
1
root/etc/e-smith/db/configuration/defaults/ipsec/type
Normal file
1
root/etc/e-smith/db/configuration/defaults/ipsec/type
Normal file
@ -0,0 +1 @@
|
|||||||
|
service
|
313
root/etc/e-smith/events/actions/ipsec-update
Normal file
313
root/etc/e-smith/events/actions/ipsec-update
Normal file
@ -0,0 +1,313 @@
|
|||||||
|
#!/usr/bin/perl -w
|
||||||
|
#----------------------------------------------------------------------
|
||||||
|
# Ipsec actions
|
||||||
|
# Copyright (C) 2015 John Crisp
|
||||||
|
#
|
||||||
|
# This program is free software; you can redistribute it and/or modify
|
||||||
|
# it under the terms of the GNU General Public License as published by
|
||||||
|
# the Free Software Foundation; either version 2 of the License, or
|
||||||
|
# (at your option) any later version.
|
||||||
|
#
|
||||||
|
# This program is distributed in the hope that it will be useful,
|
||||||
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
# GNU General Public License or more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public License
|
||||||
|
# along with this program; if not, write to the Free Software
|
||||||
|
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
||||||
|
#----------------------------------------------------------------------
|
||||||
|
|
||||||
|
# Note that we do not need to use the init ipsec script - we can start and
|
||||||
|
# stop directly using /usr/sbin/ipsec which will call the init script
|
||||||
|
|
||||||
|
# Probably ought to check somewhere that the status of services is public
|
||||||
|
# But if it is private then you have to re-expand masq someplace
|
||||||
|
|
||||||
|
use strict;
|
||||||
|
use warnings;
|
||||||
|
use esmith::ConfigDB;
|
||||||
|
|
||||||
|
my $configDB = esmith::ConfigDB->open or die("can't open Config DB");
|
||||||
|
my $ipsecDB = esmith::ConfigDB->open('ipsec_connections')
|
||||||
|
or die("Ipsec Error - cant connect to ipsec database");
|
||||||
|
|
||||||
|
my $ipsecDBkey = 'ipsec';
|
||||||
|
my $xl2tpdDBkey = 'xl2tpd';
|
||||||
|
my $xl2tpdipsecprop = "L2TPD-PSK";
|
||||||
|
|
||||||
|
# Check on access status - we'll use this later
|
||||||
|
# If status goes to disabled we should set this private
|
||||||
|
|
||||||
|
my $ipsec_access = $configDB->get_prop( $ipsecDBkey, 'access' ) || 'private';
|
||||||
|
print "Ipsec Information - IpsecAccessState: $ipsec_access\n";
|
||||||
|
|
||||||
|
# If the service is set disabled then make sure it is stopped
|
||||||
|
# Note that ipsec is not a service so we cannot use the normal service commands
|
||||||
|
|
||||||
|
if ( $configDB->get_prop( $ipsecDBkey, 'status' ) eq 'disabled' ) {
|
||||||
|
|
||||||
|
# Always reset redirects on stop
|
||||||
|
print "Ipsec Information - reset redirects";
|
||||||
|
resetRedirects();
|
||||||
|
|
||||||
|
# Sort out xl2tpd - if ipsec is disabled it has to be stopped
|
||||||
|
|
||||||
|
print "Xl2tpd Information - ipsec is disabled - Stopping xl2tpd \n";
|
||||||
|
my $myStopXl2tpd = qx(/etc/rc.d/init.d/xl2tpd stop) || die("xl2tpd Error - Unable to launch xl2tpd stop : $!\n");
|
||||||
|
|
||||||
|
if ( not defined $myStopXl2tpd ) {
|
||||||
|
die("Ipsec Error - Unable to stop xl2tpd( error code $?)\n") if $?;
|
||||||
|
}
|
||||||
|
|
||||||
|
# Do we check if it is already stopped ?
|
||||||
|
# For now we stop it regardless
|
||||||
|
|
||||||
|
print "Ipsec Information - ipsec disabled - Stopping ipsec \n";
|
||||||
|
my $myStopConnection = qx(/etc/rc.d/init.d/ipsec stop) || die("Ipsec Error - Unable to launch ipsec stop : $!\n");
|
||||||
|
|
||||||
|
if ( not defined $myStopConnection ) {
|
||||||
|
die("Ipsec Error - Unable to stop ipsec( error code $?)\n") if $?;
|
||||||
|
}
|
||||||
|
|
||||||
|
exit 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
# If the ipsec service is set to enabled AND running (then check the connections)
|
||||||
|
|
||||||
|
if ( $configDB->get_prop( $ipsecDBkey, 'status' ) eq 'enabled' ) {
|
||||||
|
|
||||||
|
# Sort out xl2tpd - if ipsec is enabled, AND xl2tpd then see if it is started
|
||||||
|
my $xl2tpdstatus = $configDB->get_prop( $xl2tpdDBkey, 'status' ) || 'disabled';
|
||||||
|
|
||||||
|
if ( $xl2tpdstatus eq 'enabled' ) {
|
||||||
|
my $xl2tpdService = (`ps ax | grep -v grep | grep xl2tpd`);
|
||||||
|
|
||||||
|
#If the service is not running then start it
|
||||||
|
unless ( $xl2tpdService =~ m/xl2tpd/ ) {
|
||||||
|
|
||||||
|
print "Xl2tpd Information - xl2tpd enabled but stopped - restarting xl2tpd \n";
|
||||||
|
my $myStartXl2tpd = qx(/etc/rc.d/init.d/xl2tpd restart)
|
||||||
|
|| die("xl2tpd Error - Unable to launch xl2tpd restart : $!\n");
|
||||||
|
|
||||||
|
if ( not defined $myStartXl2tpd ) {
|
||||||
|
die("Ipsec Error - Unable to stop xl2tpd( error code $?)\n") if $?;
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
my $status = (`ps ax | grep -v grep | grep pluto`);
|
||||||
|
|
||||||
|
# If the ipsec service is running
|
||||||
|
if ( $status =~ m/_plutorun/ ) {
|
||||||
|
|
||||||
|
# Lets do some stuff
|
||||||
|
print "Ipsec Information - ipsec is running !\n";
|
||||||
|
|
||||||
|
# make sure reDirects are right
|
||||||
|
setRedirects();
|
||||||
|
|
||||||
|
# Load the connections
|
||||||
|
my @connections = $ipsecDB->keys;
|
||||||
|
|
||||||
|
foreach my $ipsecprop (@connections) {
|
||||||
|
|
||||||
|
#Check the individual connection status
|
||||||
|
my $ipsecstatus = $ipsecDB->get_prop( "$ipsecprop", 'status' )
|
||||||
|
|| "disabled";
|
||||||
|
|
||||||
|
# What type of connection are we ?
|
||||||
|
my $connection = $ipsecDB->get_prop( "$ipsecprop", 'auto' ) || '';
|
||||||
|
|
||||||
|
# Lets check the last state and if it doesn't exist set it disabled
|
||||||
|
if ( not defined( $ipsecDB->get_prop( $ipsecprop, 'PreviousState' ) ) ) {
|
||||||
|
my $previpsecstatus = "disabled";
|
||||||
|
$ipsecDB->set_prop( $ipsecprop, "PreviousState", $previpsecstatus );
|
||||||
|
}
|
||||||
|
|
||||||
|
# Now we should have it
|
||||||
|
my $previpsecstatus = $ipsecDB->get_prop( $ipsecprop, 'PreviousState' );
|
||||||
|
|
||||||
|
print "Ipsec Information - PrevState: $previpsecstatus CurrState: $ipsecstatus\n";
|
||||||
|
|
||||||
|
# Lets reread secrets anyway
|
||||||
|
print "Ipsec Information - Restart - ReReading Secrets\n";
|
||||||
|
my $reread = qx(/usr/sbin/ipsec auto --rereadsecrets);
|
||||||
|
|
||||||
|
die("Ipsec Error - Unable launch ipsec reread secrets : $!\n")
|
||||||
|
if not defined $reread;
|
||||||
|
die("Ipsec Error - Unable to reread ipsec secrets ( error code $?)\n")
|
||||||
|
if $?;
|
||||||
|
|
||||||
|
# If we are enabled
|
||||||
|
if ( ( $previpsecstatus eq "enabled" )
|
||||||
|
&& ( $ipsecstatus eq "enabled" ) ) {
|
||||||
|
|
||||||
|
# Restart
|
||||||
|
print "Ipsec Information - Restarting connection - $ipsecprop\n";
|
||||||
|
|
||||||
|
# Have to use system here as replace usually returns 1280
|
||||||
|
# Replace just rereads the config and does --delete --add
|
||||||
|
system("/usr/sbin/ipsec auto --replace $ipsecprop");
|
||||||
|
print "Ipsec Information - Restart system - replace return code: $?\n";
|
||||||
|
|
||||||
|
# If connection = start then bring it up
|
||||||
|
if ( $connection eq 'start' ) {
|
||||||
|
print "Ipsec Information - En - En - Auto --async --up $ipsecprop\n";
|
||||||
|
|
||||||
|
# If it is start rather than add we try and force it to come up
|
||||||
|
startConnection($ipsecprop);
|
||||||
|
print "Ipsec Information - En - En auto --up\n";
|
||||||
|
print "Ipsec Information - Restart system - up return code: $?\n";
|
||||||
|
}
|
||||||
|
|
||||||
|
# Set Previous status
|
||||||
|
changeState( $ipsecprop, $ipsecstatus );
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
# If status is disabled then stop it
|
||||||
|
elsif (( $previpsecstatus eq "disabled" )
|
||||||
|
&& ( $ipsecstatus eq "disabled" ) ) {
|
||||||
|
|
||||||
|
# Stop
|
||||||
|
print "Ipsec Information - Stop connection - $ipsecprop\n";
|
||||||
|
stopConnection($ipsecprop);
|
||||||
|
|
||||||
|
# Set Previous status
|
||||||
|
changeState( $ipsecDBkey, $ipsecstatus );
|
||||||
|
}
|
||||||
|
|
||||||
|
# If status was disabled and now enabled then start it
|
||||||
|
elsif (( $previpsecstatus eq "disabled" )
|
||||||
|
&& ( $ipsecstatus eq "enabled" ) ) {
|
||||||
|
|
||||||
|
# Start
|
||||||
|
print "Enabling connection $ipsecprop\n";
|
||||||
|
|
||||||
|
# Have to use system here as replace usually returns 1280 and not 0
|
||||||
|
system("/usr/sbin/ipsec auto --replace $ipsecprop");
|
||||||
|
print "Ipsec Information - Restart system - return code: $?\n";
|
||||||
|
|
||||||
|
if ( $connection eq 'start' ) {
|
||||||
|
|
||||||
|
# Have to use exec here as system waits for a return and if the connection
|
||||||
|
# does not come up it will just hang. So fire 'n forget
|
||||||
|
print "Ipsec Information - Dis- En - - Auto --async --up $ipsecprop\n";
|
||||||
|
|
||||||
|
startConnection($ipsecprop);
|
||||||
|
print "Ipsec Information - Dis - En auto --up\n";
|
||||||
|
print "Ipsec Information - Restart system - up return code: $?\n";
|
||||||
|
|
||||||
|
#or die "exec failed!";
|
||||||
|
}
|
||||||
|
|
||||||
|
# Set Previous status
|
||||||
|
changeState( $ipsecprop, $ipsecstatus );
|
||||||
|
}
|
||||||
|
|
||||||
|
# If status was enabled and now disabled then stop it
|
||||||
|
elsif (( $previpsecstatus eq "enabled" )
|
||||||
|
&& ( $ipsecstatus eq "disabled" ) ) {
|
||||||
|
|
||||||
|
# Stop and remove - do we need to ?
|
||||||
|
print "Ipsec Information - Stopping connection $ipsecprop\n ";
|
||||||
|
stopConnection($ipsecprop);
|
||||||
|
|
||||||
|
# Set Previous status
|
||||||
|
changeState( $ipsecprop, $ipsecstatus );
|
||||||
|
}
|
||||||
|
|
||||||
|
# Should never be here as it means the statuses are other than enabled or disabled
|
||||||
|
else {
|
||||||
|
print "Ipsec Error - Something went wrong with ipsec connection status\n";
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
# If it isn't running then start it up
|
||||||
|
# Auto connections start themselves. Added connections wait
|
||||||
|
else {
|
||||||
|
print "Ipsec Information - Disable Reverse Path Filtering\n";
|
||||||
|
setRedirects();
|
||||||
|
|
||||||
|
# Make sure access = public
|
||||||
|
unless ( $ipsec_access eq 'public' ) {
|
||||||
|
$configDB->set_prop( $ipsecDBkey, 'access', 'public' );
|
||||||
|
}
|
||||||
|
|
||||||
|
print "Ipsec Information - ipsec enabled - Starting ipsec\n ";
|
||||||
|
my $myStartConnection = qx(/etc/rc.d/init.d/ipsec start);
|
||||||
|
die("Ipsec Error - Unable to launch ipsec start : $!\n ")
|
||||||
|
if not defined $myStartConnection;
|
||||||
|
die("Ipsec Error - Unable to launch ipsec start ( error code $?)\n ") if $?;
|
||||||
|
|
||||||
|
exit 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
exit 0;
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
#### Subroutines here
|
||||||
|
|
||||||
|
sub changeState {
|
||||||
|
|
||||||
|
#@_ contains $ipsecDBkey and $ipsecstatus
|
||||||
|
$ipsecDB->set_prop( $_[0], 'PreviousState', $_[1] );
|
||||||
|
}
|
||||||
|
|
||||||
|
sub startConnection {
|
||||||
|
system("/usr/sbin/ipsec auto --asynchronous --up $_[0]");
|
||||||
|
}
|
||||||
|
|
||||||
|
sub stopConnection {
|
||||||
|
print "Ipsec Information - SubRoutine - stop connection $_[0]\n ";
|
||||||
|
system("/usr/sbin/ipsec auto --down $_[0]");
|
||||||
|
print "Ipsec Information - system down code: $?\n";
|
||||||
|
system("/usr/sbin/ipsec auto --delete $_[0]");
|
||||||
|
print "Ipsec Information - system delete code: $?\n";
|
||||||
|
}
|
||||||
|
|
||||||
|
sub setRedirects {
|
||||||
|
|
||||||
|
my $internalIf = $configDB->get_prop( 'InternalInterface', 'Name' );
|
||||||
|
my $externalIf = $configDB->get_prop( 'ExternalInterface', 'Name' );
|
||||||
|
|
||||||
|
# Big warning - this is a potential security issue
|
||||||
|
# Make sure you read and understand what happens !
|
||||||
|
# If I knew which specific interfaces to change we could reduce the lines here
|
||||||
|
system("/sbin/sysctl -w net.ipv4.conf.all.send_redirects=0") == 0
|
||||||
|
or die("Ipsec Error - A problem occurred with sysctl: $?");
|
||||||
|
system("/sbin/sysctl -w net.ipv4.conf.default.send_redirects=0") == 0
|
||||||
|
or die("Ipsec Error - A problem occurred with sysctl: $?");
|
||||||
|
|
||||||
|
system("/sbin/sysctl -w net.ipv4.conf.all.accept_redirects=0") == 0
|
||||||
|
or die("Ipsec Error - A problem occurred with sysctl: $?");
|
||||||
|
system("/sbin/sysctl -w net.ipv4.conf.default.accept_redirects=0") == 0
|
||||||
|
or die("Ipsec Error - A problem occurred with sysctl: $?");
|
||||||
|
|
||||||
|
system("/sbin/sysctl -w net.ipv4.conf.default.rp_filter=0") == 0
|
||||||
|
or die("Ipsec Error - A problem occurred with sysctl: $?");
|
||||||
|
system("/sbin/sysctl -w net.ipv4.conf.all.rp_filter=0") == 0
|
||||||
|
or die("Ipsec Error - A problem occurred with sysctl: $?");
|
||||||
|
system("/sbin/sysctl -w net.ipv4.conf.$externalIf.rp_filter=0") == 0
|
||||||
|
or die("Ipsec Error - A problem occurred with sysctl: $?");
|
||||||
|
system("/sbin/sysctl -w net.ipv4.conf.$internalIf.rp_filter=0") == 0
|
||||||
|
or die("Ipsec Error - A problem occurred with sysctl: $?");
|
||||||
|
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
sub resetRedirects {
|
||||||
|
|
||||||
|
# /etc/syctl.conf is expanded on ipsec-update
|
||||||
|
# This should reload the file - if ipsec is disabled it should reset to defaults
|
||||||
|
# If ipsec is enabled it should disable rp_filtering
|
||||||
|
system("/sbin/sysctl -p") == 0
|
||||||
|
or die("Ipsec Error - A problem occurred with sysctl: $?");
|
||||||
|
}
|
||||||
|
|
98
root/etc/e-smith/templates/etc/ipsec.conf/10Setup
Normal file
98
root/etc/e-smith/templates/etc/ipsec.conf/10Setup
Normal file
@ -0,0 +1,98 @@
|
|||||||
|
{
|
||||||
|
use strict;
|
||||||
|
use warnings;
|
||||||
|
use esmith::ConfigDB;
|
||||||
|
|
||||||
|
my $configDB = esmith::ConfigDB->open_ro or die("can't open Config DB");
|
||||||
|
my $dbKey = 'ipsec';
|
||||||
|
my $systemMode = $configDB->get("SystemMode")->value;
|
||||||
|
my $ipsecStatus = $configDB->get_prop( $dbKey, 'status' ) || 'disabled';
|
||||||
|
|
||||||
|
if ( $systemMode ne 'servergateway' ) {
|
||||||
|
$OUT .= "# System not in Server Gateway mode\n";
|
||||||
|
}
|
||||||
|
|
||||||
|
elsif ( $ipsecStatus ne 'enabled' ) {
|
||||||
|
$OUT .= "# Ipsec not enabled\n";
|
||||||
|
}
|
||||||
|
|
||||||
|
else {
|
||||||
|
my $ipsecDB = esmith::ConfigDB->open_ro('ipsec_connections')
|
||||||
|
or die("cant connect to ipsec database");
|
||||||
|
|
||||||
|
my $dbKey = 'ipsec';
|
||||||
|
|
||||||
|
# Generic setup file
|
||||||
|
my $debugstatus = $configDB->get_prop( $dbKey, 'debug' ) || 'none';
|
||||||
|
my $keepalive = $configDB->get_prop( $dbKey, 'keepalive' ) || '';
|
||||||
|
|
||||||
|
# A standard config is included in the RPM but we need to generate a new one so we can modify settings
|
||||||
|
|
||||||
|
$OUT .= "config setup\n";
|
||||||
|
$OUT .= " protostack=netkey\n";
|
||||||
|
$OUT .= " plutodebug=$debugstatus\n";
|
||||||
|
$OUT .= " #klipsdebug=none\n";
|
||||||
|
$OUT .= " log=/var/log/pluto/pluto.log\n";
|
||||||
|
$OUT .= " dumpdir=/var/run/pluto/\n";
|
||||||
|
|
||||||
|
if ( $keepalive ne '' ) {
|
||||||
|
$OUT .= " keep-alive=$keepalive\n";
|
||||||
|
}
|
||||||
|
|
||||||
|
# This should get all the connections in an array
|
||||||
|
|
||||||
|
my @connections = $ipsecDB->keys;
|
||||||
|
|
||||||
|
my $virtual_private = '';
|
||||||
|
my @subnetArr = ();
|
||||||
|
|
||||||
|
foreach my $ipsecprop (@connections) {
|
||||||
|
|
||||||
|
# Note that L2TPD needs the localsubnet in here
|
||||||
|
# Second thoughts I don't think it does
|
||||||
|
# Only when you have subnet <-> subnet
|
||||||
|
|
||||||
|
my $ipsecstatus = $ipsecDB->get_prop( "$ipsecprop", 'status' ) || "disabled";
|
||||||
|
|
||||||
|
my $ipsecrecord = $ipsecDB->get($ipsecprop);
|
||||||
|
my $type = $ipsecrecord->prop('type');
|
||||||
|
|
||||||
|
if ( $ipsecstatus eq 'enabled' && ( $type eq 'ipsec' || $type eq 'xl2tpd' ) ) {
|
||||||
|
|
||||||
|
my $rightsubnet = $ipsecDB->get_prop( "$ipsecprop", 'rightsubnet' );
|
||||||
|
|
||||||
|
unless ($rightsubnet) {
|
||||||
|
warn("Warning $ipsecprop has no right subnet");
|
||||||
|
}
|
||||||
|
|
||||||
|
# Check if the network is a unique value
|
||||||
|
if ( $rightsubnet && !( $rightsubnet ~~ @subnetArr ) ) {
|
||||||
|
push( @subnetArr, $rightsubnet );
|
||||||
|
}
|
||||||
|
}
|
||||||
|
} # End foreach
|
||||||
|
|
||||||
|
$virtual_private .= " virtual-private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,";
|
||||||
|
|
||||||
|
unless ( @subnetArr == 0 ) {
|
||||||
|
|
||||||
|
# For NAT and vhost:%priv seting exclude any right subnets
|
||||||
|
foreach my $subnet (@subnetArr) {
|
||||||
|
$virtual_private .= "%v4:!$subnet,";
|
||||||
|
}
|
||||||
|
|
||||||
|
# Remove last character ','
|
||||||
|
chop($virtual_private);
|
||||||
|
$OUT .= "$virtual_private\n";
|
||||||
|
$OUT .= "\n";
|
||||||
|
|
||||||
|
} #end unless
|
||||||
|
|
||||||
|
# I think that this is all we really need. as long as we don't have complex subnets etc
|
||||||
|
# $OUT .= " virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12";
|
||||||
|
$OUT .= "include /etc/ipsec.d/ipsec.conf\n";
|
||||||
|
|
||||||
|
} # End else
|
||||||
|
# End
|
||||||
|
}
|
||||||
|
|
270
root/etc/e-smith/templates/etc/ipsec.d/ipsec.conf/10Connection
Normal file
270
root/etc/e-smith/templates/etc/ipsec.d/ipsec.conf/10Connection
Normal file
@ -0,0 +1,270 @@
|
|||||||
|
{
|
||||||
|
use strict;
|
||||||
|
use warnings;
|
||||||
|
use esmith::ConfigDB;
|
||||||
|
use NetAddr::IP;
|
||||||
|
|
||||||
|
my $configDB = esmith::ConfigDB->open_ro or die("can't open Config DB");
|
||||||
|
my $dbKey = 'ipsec';
|
||||||
|
my $systemMode = $configDB->get("SystemMode")->value;
|
||||||
|
my $ipsecStatus = $configDB->get_prop( $dbKey, 'status' ) || 'disabled';
|
||||||
|
|
||||||
|
if ( $systemMode ne 'servergateway' ) {
|
||||||
|
$OUT .= "# System not in Server Gateway mode\n";
|
||||||
|
}
|
||||||
|
|
||||||
|
elsif ( $ipsecStatus ne 'enabled' ) {
|
||||||
|
$OUT .= "# Ipsec not enabled\n";
|
||||||
|
}
|
||||||
|
|
||||||
|
else {
|
||||||
|
my $ipsecDB = esmith::ConfigDB->open_ro('ipsec_connections')
|
||||||
|
or die("cant connect to ipsec database");
|
||||||
|
|
||||||
|
# This should get all the connections in an array
|
||||||
|
|
||||||
|
my @connections = $ipsecDB->keys;
|
||||||
|
|
||||||
|
$OUT .= "# ipsec.conf\n\n";
|
||||||
|
|
||||||
|
foreach my $ipsecprop (@connections) {
|
||||||
|
|
||||||
|
if ( $ipsecprop ne 'L2TPD-PSK' ) {
|
||||||
|
|
||||||
|
# first we verify if IPSec is enabled for the connection
|
||||||
|
|
||||||
|
my $ipsecstatus = $ipsecDB->get_prop( $ipsecprop, 'status' ) || 'disabled';
|
||||||
|
|
||||||
|
if ( $ipsecstatus eq 'enabled' ) {
|
||||||
|
|
||||||
|
$OUT .= "conn $ipsecprop\n";
|
||||||
|
|
||||||
|
# These should be from $configDB-> ipsec
|
||||||
|
|
||||||
|
# Not templated this - maybe later with L2TPD
|
||||||
|
# We currently use a password file but this could be integrated with other authent later
|
||||||
|
|
||||||
|
# Lazy - assume that it is security (password by default) - options are rsasig|certs
|
||||||
|
|
||||||
|
# Careful - property 'type' has a special meaning in configDB and returns 'service'
|
||||||
|
|
||||||
|
my $connectiontype = $configDB->get_prop( $dbKey, 'connectiontype' )
|
||||||
|
|| 'tunnel';
|
||||||
|
$OUT .= " type=$connectiontype\n";
|
||||||
|
|
||||||
|
my $security = $ipsecDB->get_prop( $ipsecprop, 'security' )
|
||||||
|
|| 'secret';
|
||||||
|
|
||||||
|
# my $certname = $ipsecDB->get_prop( "$ipsecprop", 'certname' ) || ''; ???? Is this required ?
|
||||||
|
|
||||||
|
if ( $security eq 'rsasig' ) {
|
||||||
|
$OUT .= " authby=rsasig\n";
|
||||||
|
|
||||||
|
my $leftrsasig = $ipsecDB->get_prop( $ipsecprop, 'leftrsasig' )
|
||||||
|
|| '';
|
||||||
|
$OUT .= " leftrsasigkey=$leftrsasig\n";
|
||||||
|
|
||||||
|
my $rightrsasig = $ipsecDB->get_prop( $ipsecprop, 'rightrsasig' )
|
||||||
|
|| '';
|
||||||
|
$OUT .= " rightrsasigkey=$rightrsasig\n";
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
elsif ( $security eq 'certs' ) {
|
||||||
|
|
||||||
|
$OUT .= " authby=rsasig\n";
|
||||||
|
|
||||||
|
my $leftrsasig = $ipsecDB->get_prop( $ipsecprop, 'leftrsasig' )
|
||||||
|
|| '%cert';
|
||||||
|
$OUT .= " leftrsasigkey=$leftrsasig\n";
|
||||||
|
|
||||||
|
my $rightrsasig = $ipsecDB->get_prop( $ipsecprop, 'rightrsasig' )
|
||||||
|
|| '%cert';
|
||||||
|
$OUT .= " rightrsasigkey=$rightrsasig\n";
|
||||||
|
|
||||||
|
my $leftcert = $ipsecDB->get_prop( $ipsecprop, 'leftcert' )
|
||||||
|
|| '"LeftCertName"';
|
||||||
|
$OUT .= " leftcert=\"$leftcert\"\n";
|
||||||
|
|
||||||
|
my $rightcert = $ipsecDB->get_prop( $ipsecprop, 'rightcert' )
|
||||||
|
|| '"RightCertName"';
|
||||||
|
$OUT .= " rightcert=\"$rightcert\"\n";
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
else {
|
||||||
|
$OUT .= " authby=$security\n";
|
||||||
|
}
|
||||||
|
|
||||||
|
# Use connection value if it exists, if not use generic db value
|
||||||
|
my $auto =
|
||||||
|
$ipsecDB->get_prop( $ipsecprop, 'auto' )
|
||||||
|
|| $configDB->get_prop( $dbKey, 'auto' )
|
||||||
|
|| 'start';
|
||||||
|
|
||||||
|
# If we are a static host to a dynamic client we are always add
|
||||||
|
my $iptype = $ipsecDB->get_prop( $ipsecprop, 'iptype' ) || '';
|
||||||
|
|
||||||
|
if ( $iptype eq 'stattodyn' ) {
|
||||||
|
$OUT .= " auto=add\n";
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
$OUT .= " auto=$auto\n";
|
||||||
|
}
|
||||||
|
|
||||||
|
# We should change ipsecversion to 'ikev2'
|
||||||
|
my $ipsecversion =
|
||||||
|
$ipsecDB->get_prop( $ipsecprop, 'ipsecversion' )
|
||||||
|
|| $configDB->get_prop( $dbKey, 'ipsecversion' )
|
||||||
|
|| 'permit';
|
||||||
|
|
||||||
|
$OUT .= " ikev2=$ipsecversion\n";
|
||||||
|
|
||||||
|
# Set the Phase one and Phase two default strengths - these are set to aes
|
||||||
|
my $ike =
|
||||||
|
$ipsecDB->get_prop( $ipsecprop, 'ike' )
|
||||||
|
|| $configDB->get_prop( $dbKey, 'ike' )
|
||||||
|
|| 'aes-sha1';
|
||||||
|
$OUT .= " ike=$ike\n";
|
||||||
|
|
||||||
|
# We should change phase2 to phase2alg
|
||||||
|
my $phase2 =
|
||||||
|
$ipsecDB->get_prop( $ipsecprop, 'phase2' )
|
||||||
|
|| $configDB->get_prop( $dbKey, 'phase2' )
|
||||||
|
|| 'aes-sha1';
|
||||||
|
$OUT .= " phase2alg=$phase2\n";
|
||||||
|
|
||||||
|
# mtu can only be set per connection
|
||||||
|
my $mtu = $ipsecDB->get_prop( $ipsecprop, 'mtu' )
|
||||||
|
|| '';
|
||||||
|
|
||||||
|
unless ( $mtu eq '' ) {
|
||||||
|
$OUT .= " mtu=$mtu\n";
|
||||||
|
}
|
||||||
|
|
||||||
|
# These should be from $configDB-> ipsec unless they exist in ipsec_connections
|
||||||
|
|
||||||
|
my $forceencaps =
|
||||||
|
$ipsecDB->get_prop( $ipsecprop, 'forceencaps' )
|
||||||
|
|| $configDB->get_prop( $dbKey, 'forceencaps' )
|
||||||
|
|| 'no';
|
||||||
|
|
||||||
|
$OUT .= " encapsulation=$forceencaps\n";
|
||||||
|
|
||||||
|
my $keyingtries =
|
||||||
|
$ipsecDB->get_prop( $ipsecprop, 'keyingtries' )
|
||||||
|
|| $configDB->get_prop( $dbKey, 'keyingtries' )
|
||||||
|
|| '%forever';
|
||||||
|
$OUT .= " keyingtries=$keyingtries\n";
|
||||||
|
|
||||||
|
# Following come from ipsecDB or configDB or hardcoded
|
||||||
|
my $ikelifetime =
|
||||||
|
$ipsecDB->get_prop( $ipsecprop, 'ikelifetime' )
|
||||||
|
|| $configDB->get_prop( $dbKey, 'ikelifetime' )
|
||||||
|
|| '3600s';
|
||||||
|
$OUT .= " ikelifetime=$ikelifetime\n";
|
||||||
|
|
||||||
|
my $salifetime =
|
||||||
|
$ipsecDB->get_prop( $ipsecprop, 'salifetime' )
|
||||||
|
|| $configDB->get_prop( $dbKey, 'salifetime' )
|
||||||
|
|| '28800s';
|
||||||
|
$OUT .= " salifetime=$salifetime\n";
|
||||||
|
|
||||||
|
# Add is for incoming and is better that server dpd is ignored
|
||||||
|
# Disabled for now
|
||||||
|
|
||||||
|
# if ( $auto ne 'add' ) {}
|
||||||
|
my $dpdaction =
|
||||||
|
$ipsecDB->get_prop( $ipsecprop, 'dpdaction' )
|
||||||
|
|| $configDB->get_prop( $dbKey, 'dpdaction' )
|
||||||
|
|| 'restart';
|
||||||
|
$OUT .= " dpdaction=$dpdaction\n";
|
||||||
|
|
||||||
|
my $dpddelay =
|
||||||
|
$ipsecDB->get_prop( $ipsecprop, 'dpddelay' )
|
||||||
|
|| $configDB->get_prop( $dbKey, 'dpddelay' )
|
||||||
|
|| '30';
|
||||||
|
$OUT .= " dpddelay=$dpddelay\n";
|
||||||
|
|
||||||
|
my $dpdtimeout =
|
||||||
|
$ipsecDB->get_prop( $ipsecprop, 'dpdtimeout' )
|
||||||
|
|| $configDB->get_prop( $dbKey, 'dpdtimeout' )
|
||||||
|
|| '10';
|
||||||
|
$OUT .= " dpdtimeout=$dpdtimeout\n";
|
||||||
|
|
||||||
|
# default to yes unless overridden in the connection db
|
||||||
|
my $pfs = $ipsecDB->get_prop( $ipsecprop, 'pfs' ) || 'yes';
|
||||||
|
$OUT .= " pfs=$pfs\n";
|
||||||
|
|
||||||
|
# Following come from ipsecDB or configDB or hardcoded
|
||||||
|
my $left =
|
||||||
|
$ipsecDB->get_prop( $ipsecprop, 'left' )
|
||||||
|
|| $configDB->get_prop( $dbKey, 'left' )
|
||||||
|
|| '%defaultroute';
|
||||||
|
$OUT .= " left=$left\n";
|
||||||
|
|
||||||
|
if ( $security eq 'certs' ) {
|
||||||
|
my $leftid = ( $ipsecDB->get_prop( $ipsecprop, 'leftid' ) || '%fromcert' );
|
||||||
|
$OUT .= " leftid=$leftid\n";
|
||||||
|
}
|
||||||
|
|
||||||
|
# These ONLY come from the ipsec_configurations db
|
||||||
|
elsif ( ( my $leftid = $ipsecDB->get_prop( $ipsecprop, 'leftid' ) || '' ) ne '' ) {
|
||||||
|
$OUT .= " leftid=$leftid\n";
|
||||||
|
}
|
||||||
|
|
||||||
|
# Left sourceIP and leftsubnet can be taken from the Internal interface
|
||||||
|
# but we can allow them to be overridden
|
||||||
|
|
||||||
|
#my $internalAddr = $configDB->get_prop( 'InternalInterface', 'IPAddress' );
|
||||||
|
my $internalMask = $configDB->get_prop( 'InternalInterface', 'Netmask' );
|
||||||
|
my $internalNetwork = $configDB->get_prop( 'InternalInterface', 'Network' );
|
||||||
|
|
||||||
|
my $ip = NetAddr::IP->new( $internalNetwork, $internalMask ) or die "Invalid host/mask";
|
||||||
|
my $internalCIDRNetwork = ( $ip->network() );
|
||||||
|
|
||||||
|
my $leftsourceip = $ipsecDB->get_prop( $ipsecprop, 'leftsourceip' )
|
||||||
|
|| $configDB->get_prop( 'InternalInterface', 'IPAddress' );
|
||||||
|
$OUT .= " leftsourceip=$leftsourceip\n";
|
||||||
|
|
||||||
|
my $leftsubnet = $ipsecDB->get_prop( $ipsecprop, 'leftsubnet' ) || $internalCIDRNetwork;
|
||||||
|
$OUT .= " leftsubnet=$leftsubnet\n";
|
||||||
|
|
||||||
|
# If we are a static host to a dynamic client we HAVE to set right %any
|
||||||
|
# Should never be empty
|
||||||
|
my $right = $ipsecDB->get_prop( $ipsecprop, 'right' ) || '%any';
|
||||||
|
|
||||||
|
if ( $iptype eq 'stattodyn' ) {
|
||||||
|
$OUT .= " right=%any\n";
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
$OUT .= " right=$right\n";
|
||||||
|
}
|
||||||
|
|
||||||
|
if ( $security eq 'certs' ) {
|
||||||
|
my $rightid = ( $ipsecDB->get_prop( $ipsecprop, 'rightid' ) || '%fromcert' );
|
||||||
|
$OUT .= " rightid=$rightid\n";
|
||||||
|
}
|
||||||
|
|
||||||
|
elsif ( ( my $rightid = $ipsecDB->get_prop( $ipsecprop, 'rightid' ) || '' ) ne '' ) {
|
||||||
|
$OUT .= " rightid=$rightid\n";
|
||||||
|
}
|
||||||
|
|
||||||
|
my $rightsubnet = $ipsecDB->get_prop( $ipsecprop, 'rightsubnet' ) || '';
|
||||||
|
if ( $rightsubnet ne '' ) {
|
||||||
|
$OUT .= " rightsubnet=$rightsubnet\n";
|
||||||
|
}
|
||||||
|
|
||||||
|
my $reauth = $ipsecDB->get_prop( $ipsecprop, 'reauth' ) || '';
|
||||||
|
if ( $reauth eq 'y' || $reauth eq 'yes' || $reauth eq '1' ) {
|
||||||
|
$OUT .= " reauth=yes\n";
|
||||||
|
}
|
||||||
|
} # End if ( $ipsecstatus eq 'enabled' )
|
||||||
|
else {
|
||||||
|
$OUT .= "# conn $ipsecprop disabled\n";
|
||||||
|
}
|
||||||
|
} # End if ( $ipsecprop ne 'L2TPD-PSK' )
|
||||||
|
} # End foreach
|
||||||
|
} # End else
|
||||||
|
}
|
||||||
|
|
116
root/etc/e-smith/templates/etc/ipsec.d/ipsec.secrets/10Passwords
Normal file
116
root/etc/e-smith/templates/etc/ipsec.d/ipsec.secrets/10Passwords
Normal file
@ -0,0 +1,116 @@
|
|||||||
|
|
||||||
|
{
|
||||||
|
use strict;
|
||||||
|
use warnings;
|
||||||
|
use esmith::ConfigDB;
|
||||||
|
|
||||||
|
my $configDB = esmith::ConfigDB->open_ro or die("can't open Config DB");
|
||||||
|
my $dbKey = 'ipsec';
|
||||||
|
my $systemMode = $configDB->get("SystemMode")->value;
|
||||||
|
my $ipsecStatus = $configDB->get_prop( $dbKey, 'status' ) || 'disabled';
|
||||||
|
|
||||||
|
if ( $systemMode ne 'servergateway' ) {
|
||||||
|
$OUT .= "# System not in Server Gateway mode\n";
|
||||||
|
}
|
||||||
|
|
||||||
|
elsif ( $ipsecStatus ne 'enabled' ) {
|
||||||
|
$OUT .= "# Ipsec not enabled\n";
|
||||||
|
}
|
||||||
|
|
||||||
|
else {
|
||||||
|
my $ipsecDB = esmith::ConfigDB->open_ro('ipsec_connections')
|
||||||
|
or die("cant connect to ipsec database");
|
||||||
|
|
||||||
|
# This should get all the connections in an array
|
||||||
|
|
||||||
|
my @connections = $ipsecDB->keys;
|
||||||
|
|
||||||
|
$OUT .= "# ipsec.secrets\n\n";
|
||||||
|
|
||||||
|
my $ExternalIP = $configDB->get_prop( "ExternalInterface", "IPAddress" );
|
||||||
|
|
||||||
|
foreach my $ipsecprop (@connections) {
|
||||||
|
|
||||||
|
if ( $ipsecprop ne 'L2TPD-PSK' ) {
|
||||||
|
|
||||||
|
# first we verify if IPSec is enabled for the connection
|
||||||
|
|
||||||
|
my $ipsecstatus = $ipsecDB->get_prop( $ipsecprop, 'status' )
|
||||||
|
|| "disabled";
|
||||||
|
|
||||||
|
if ( $ipsecstatus eq "enabled" ) {
|
||||||
|
|
||||||
|
my $right = $ipsecDB->get_prop( $ipsecprop, 'right' ) || '';
|
||||||
|
|
||||||
|
# Hmm..... if left is not set it defaults to %defaultroute which we don't want here
|
||||||
|
|
||||||
|
my $left = $ipsecDB->get_prop( $ipsecprop, 'left' ) || $ExternalIP;
|
||||||
|
my $security = $ipsecDB->get_prop( $ipsecprop, 'security' ) || 'secret';
|
||||||
|
my $iptype = $ipsecDB->get_prop( $ipsecprop, 'iptype' ) || '';
|
||||||
|
my $certname = $ipsecDB->get_prop( $ipsecprop, 'certname' ) || '';
|
||||||
|
my $passwd = $ipsecDB->get_prop( $ipsecprop, 'passwd' ) || '';
|
||||||
|
|
||||||
|
# Double quote is not allowed in configuration
|
||||||
|
if ( $passwd =~ /"/ ) {
|
||||||
|
die("Ipsec Error - PSK value cannot contain double quotes (\")");
|
||||||
|
}
|
||||||
|
|
||||||
|
$OUT .= "# $ipsecprop is enabled\n";
|
||||||
|
|
||||||
|
if ( $security eq 'certs' ) {
|
||||||
|
$OUT .= "# Certificates enabled for $ipsecprop - no settings required\n";
|
||||||
|
}
|
||||||
|
|
||||||
|
elsif ( $security eq 'secret' ) {
|
||||||
|
|
||||||
|
# If dynamic it must be %any here
|
||||||
|
# If not it can be ExternalIP if left not set
|
||||||
|
|
||||||
|
# IF we have IDs then use them in preference to %any
|
||||||
|
|
||||||
|
my $leftid = $ipsecDB->get_prop( $ipsecprop, 'leftid' ) || '';
|
||||||
|
my $rightid = $ipsecDB->get_prop( $ipsecprop, 'rightid' ) || '';
|
||||||
|
|
||||||
|
if ( $iptype eq 'stattodyn' ) {
|
||||||
|
if ( ( $leftid eq '' ) && ( $rightid eq '' ) ) {
|
||||||
|
$OUT .= "$left %any \: PSK \"$passwd\"";
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
$OUT .= "$leftid $rightid \: PSK \"$passwd\"";
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
elsif ( $iptype eq 'dyntostat' ) {
|
||||||
|
if ( ( $leftid eq '' ) && ( $rightid eq '' ) ) {
|
||||||
|
$OUT .= "%any $right\: PSK \"$passwd\"";
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
$OUT .= "$leftid $rightid \: PSK \"$passwd\"";
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
elsif ( ( $leftid ne '' ) && ( $rightid ne '' ) ) {
|
||||||
|
$OUT .= "$leftid $rightid \: PSK \"$passwd\"";
|
||||||
|
}
|
||||||
|
|
||||||
|
else {
|
||||||
|
$OUT .= "$left $right \: PSK \"$passwd\"";
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
elsif ( $security eq "rsasig" ) {
|
||||||
|
$OUT .= "# Connection to $ipsecprop is RSA\n";
|
||||||
|
$OUT .= "# Our RSA key is in separate file\n";
|
||||||
|
}
|
||||||
|
|
||||||
|
else {
|
||||||
|
$OUT .= "# $ipsecprop is disabled\n";
|
||||||
|
$OUT .= "\n";
|
||||||
|
}
|
||||||
|
$OUT .= "\n";
|
||||||
|
} # if
|
||||||
|
} #unless
|
||||||
|
} #foreach
|
||||||
|
} #else
|
||||||
|
}
|
||||||
|
|
1
root/etc/e-smith/templates/etc/ipsec.secrets/10Setup
Normal file
1
root/etc/e-smith/templates/etc/ipsec.secrets/10Setup
Normal file
@ -0,0 +1 @@
|
|||||||
|
include /etc/ipsec.d/*.secrets
|
16
root/etc/e-smith/templates/etc/rc.d/init.d/masq/40AllowIPsec
Normal file
16
root/etc/e-smith/templates/etc/rc.d/init.d/masq/40AllowIPsec
Normal file
@ -0,0 +1,16 @@
|
|||||||
|
# Required PostRouting for VPN
|
||||||
|
|
||||||
|
{
|
||||||
|
my $ipsec_status = $ipsec{status} || '';
|
||||||
|
|
||||||
|
# print "Ipsec Information - 40AllowIpsec - $ipsec_status\n";
|
||||||
|
|
||||||
|
if ( $ipsec_status eq 'enabled' ) {
|
||||||
|
$OUT .= " # Do not NAT VPN traffic\n";
|
||||||
|
$OUT .= " /sbin/iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT\n";
|
||||||
|
}
|
||||||
|
|
||||||
|
else {
|
||||||
|
$OUT .= " # 40AllowIPsec VPN POSTROUTING disabled\n";
|
||||||
|
}
|
||||||
|
}
|
18
root/etc/e-smith/templates/etc/rc.d/init.d/masq/56AllowESP
Normal file
18
root/etc/e-smith/templates/etc/rc.d/init.d/masq/56AllowESP
Normal file
@ -0,0 +1,18 @@
|
|||||||
|
# based on /etc/e-smith/templates/etc/rc.d/init.d/masq/55AllowGRE
|
||||||
|
|
||||||
|
{
|
||||||
|
my $ipsec_status = $ipsec{status} || '';
|
||||||
|
|
||||||
|
# print "Ipsec Information - 56AllowESP - $ipsec_status\n";
|
||||||
|
|
||||||
|
if ( $ipsec_status eq 'enabled' ) {
|
||||||
|
$OUT .= " /sbin/iptables --new-chain esp-in\n";
|
||||||
|
$OUT .= " /sbin/iptables --append INPUT -p ESP -j esp-in\n";
|
||||||
|
$OUT .= " /sbin/iptables --append INPUT -p ESP -j denylog\n";
|
||||||
|
$OUT .= " /sbin/iptables --append esp-in \! -d \$OUTERNET -j denylog\n";
|
||||||
|
$OUT .= " /sbin/iptables --append esp-in -j denylog\n";
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
$OUT .= " # 56AllowESP disabled\n";
|
||||||
|
}
|
||||||
|
}
|
16
root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustESP
Normal file
16
root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustESP
Normal file
@ -0,0 +1,16 @@
|
|||||||
|
# based on /etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustGRE
|
||||||
|
|
||||||
|
{
|
||||||
|
my $ipsec_status = $ipsec{status} || '';
|
||||||
|
|
||||||
|
# print "Ipsec Information - 90AdjustESP - $ipsec_status\n";
|
||||||
|
|
||||||
|
if ( $ipsec_status eq 'enabled' ) {
|
||||||
|
my $target = ( $ipsec_status eq 'enabled' ) ? "ACCEPT" : "denylog";
|
||||||
|
$OUT .= " /sbin/iptables --replace esp-in 1 ! -d \$OUTERNET -j denylog\n";
|
||||||
|
$OUT .= " /sbin/iptables --replace esp-in 2 -j $target\n";
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
$OUT .= " # 90adjustESP disabled\n";
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,29 @@
|
|||||||
|
{
|
||||||
|
# Set up sysctl.conf for ipsec
|
||||||
|
# need a check on release version as v8 needs
|
||||||
|
# net.core.xfrm_larval_drop = 1
|
||||||
|
# $configDB->get_prop( 'sysconfig', 'ReleaseVersion' ) eq 'v8/v9'
|
||||||
|
|
||||||
|
use strict;
|
||||||
|
use warnings;
|
||||||
|
use esmith::ConfigDB;
|
||||||
|
|
||||||
|
my $configDB = esmith::ConfigDB->open or die("can't open Config DB");
|
||||||
|
|
||||||
|
if ( $configDB->get_prop( 'ipsec', 'status' ) eq 'enabled' ) {
|
||||||
|
|
||||||
|
$OUT .= <<CONFIG_END
|
||||||
|
# Ipsec overrides
|
||||||
|
net.ipv4.conf.all.rp_filter = 0
|
||||||
|
net.ipv4.conf.all.send_redirects = 0
|
||||||
|
net.ipv4.conf.default.accept_redirects = 0
|
||||||
|
net.ipv4.conf.default.rp_filter = 0
|
||||||
|
net.ipv4.conf.default.send_redirects = 0
|
||||||
|
net.ipv4.conf.dummy0.rp_filter = 0
|
||||||
|
net.ipv4.conf.eth0.rp_filter = 0
|
||||||
|
net.ipv4.conf.eth1.rp_filter = 0
|
||||||
|
net.ipv4.conf.lo.rp_filter = 0
|
||||||
|
|
||||||
|
CONFIG_END
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,5 @@
|
|||||||
|
[Unit]
|
||||||
|
After=network.target network.service wan.service
|
||||||
|
[Install]
|
||||||
|
WantedBy=sme-server.target
|
||||||
|
|
253
smeserver-libreswan.spec
Normal file
253
smeserver-libreswan.spec
Normal file
@ -0,0 +1,253 @@
|
|||||||
|
%define name smeserver-libreswan
|
||||||
|
%define version 0.5
|
||||||
|
%define release 37
|
||||||
|
Summary: Plugin to enable IPSEC connections
|
||||||
|
Name: %{name}
|
||||||
|
Version: %{version}
|
||||||
|
Release: %{release}%{?dist}
|
||||||
|
License: GNU GPL version 2
|
||||||
|
URL: http://libreswan.org/
|
||||||
|
Group: SMEserver/addon
|
||||||
|
Source: %{name}-%{version}.tar.xz
|
||||||
|
|
||||||
|
BuildRoot: /var/tmp/%{name}-%{version}
|
||||||
|
BuildArchitectures: noarch
|
||||||
|
BuildRequires: e-smith-devtools
|
||||||
|
Requires: e-smith-release >= 9.2
|
||||||
|
Requires: libreswan >= 3.29
|
||||||
|
AutoReqProv: no
|
||||||
|
|
||||||
|
%description
|
||||||
|
Libreswan is a free software implementation of the most widely supported and standardised VPN protocol based on ("IPsec") and the Internet Key Exchange ("IKE")
|
||||||
|
|
||||||
|
%changelog
|
||||||
|
* Sat Sep 07 2024 cvs2git.sh aka Brian Read <brianr@koozali.org> 0.5-37.sme
|
||||||
|
- Roll up patches and move to git repo [SME: 12338]
|
||||||
|
|
||||||
|
* Sat Sep 07 2024 BogusDateBot
|
||||||
|
- Eliminated rpmbuild "bogus date" warnings due to inconsistent weekday,
|
||||||
|
by assuming the date is correct and changing the weekday.
|
||||||
|
|
||||||
|
* Wed May 24 2023 John Crisp <jcrisp@safeandsoundit.co.uk> 0.5-36.sme
|
||||||
|
- Change ipsec.conf log setting
|
||||||
|
- Create /var/log/pluto/pluto.log
|
||||||
|
- Add reauth 'yes' as an added option
|
||||||
|
- Update createlinks
|
||||||
|
|
||||||
|
* Mon Mar 01 2021 Brian Read <brianr@bjsystems.co.uk> 0.5-35.sme
|
||||||
|
- Initial Import in SME10 tree [SME: 11405]
|
||||||
|
- Update for systemd
|
||||||
|
|
||||||
|
* Mon Feb 17 2020 John Crisp <jcrisp@safeandsoundit.co.uk> 0.5-34.sme
|
||||||
|
- auto insert leftsourceip and subnet from internal interface
|
||||||
|
- Force right to have a value
|
||||||
|
|
||||||
|
* Fri Feb 14 2020 John Crisp <jcrisp@safeandsoundit.co.uk> 0.5-33.sme
|
||||||
|
- update keyingtries
|
||||||
|
- update virtual-private
|
||||||
|
|
||||||
|
* Thu Jan 30 2020 John Crisp <jcrisp@safeandsoundit.co.uk> 0.5-32.sme
|
||||||
|
- Fix xl2tpd status check
|
||||||
|
|
||||||
|
* Thu Oct 17 2019 John Crisp <jcrisp@safeandsoundit.co.uk> 0.5-31.sme
|
||||||
|
- Allow rightsubnet for xl2tpd in virtual_private
|
||||||
|
- Add check for empty virtual_private hosts
|
||||||
|
|
||||||
|
* Sun Oct 13 2019 John Crisp <jcrisp@safeandsoundit.co.uk> 0.5-30.sme
|
||||||
|
- Fix issue when there is no xl2tpd key
|
||||||
|
|
||||||
|
* Sat Aug 31 2019 John Crisp <jcrisp@safeandsoundit.co.uk> 0.5-29.sme
|
||||||
|
- Bump required Libreswan to 3.29
|
||||||
|
- add reauth option
|
||||||
|
|
||||||
|
* Thu Jun 21 2018 John Crisp <jcrisp@safeandsoundit.co.uk> 0.5-28.sme
|
||||||
|
- Bump required Libreswan to 3.23
|
||||||
|
- Change forceencaps to encapsulation
|
||||||
|
- Remove obsolete nat_traversal
|
||||||
|
- Modify ipsec.conf for no rightsubnet in xl2tpd
|
||||||
|
|
||||||
|
* Tue Sep 19 2017 John Crisp <jcrisp@safeandsoundit.co.uk> 0.5-27.sme
|
||||||
|
- Allow variable network interface names - Stefano Zamboni
|
||||||
|
|
||||||
|
* Thu Jun 15 2017 John Crisp <jcrisp@safeandsoundit.co.uk> 0.5-26.sme
|
||||||
|
- add keep-alive option in main ipsec.conf
|
||||||
|
- add forceencaps option overall default and per connection
|
||||||
|
- small code tidy
|
||||||
|
- Add support for L2TPD
|
||||||
|
|
||||||
|
* Thu Jan 26 2017 John Crisp <jcrisp@safeandsoundit.co.uk> 0.5-25.sme
|
||||||
|
- Fix the ipsec.conf as well
|
||||||
|
- remove automatic \@ in IDs - Fixes [SME: 9729]
|
||||||
|
|
||||||
|
* Thu Jan 26 2017 John Crisp <jcrisp@safeandsoundit.co.uk> 0.5-24.sme
|
||||||
|
- remove automatic \@ in IDs - Fixes [SME: 9729]
|
||||||
|
- fix swapped left/right IDs in password file
|
||||||
|
|
||||||
|
* Wed Jan 25 2017 John Crisp <jcrisp@safeandsoundit.co.uk> 0.5-23.sme
|
||||||
|
- Add the ability to use PEM/PKCS#12 certificates - fixes [SME: 9942]
|
||||||
|
- lots of code tidying
|
||||||
|
|
||||||
|
* Wed Dec 21 2016 John Crisp <jcrisp@safeandsoundit.co.uk> 0.5-22.sme
|
||||||
|
- update logrotate completely now I realise it is symlinked
|
||||||
|
- remove UPDPort and add UPDPorts due to ipsec v2
|
||||||
|
|
||||||
|
* Wed Dec 21 2016 John Crisp <jcrisp@safeandsoundit.co.uk> 0.5-21.sme
|
||||||
|
- add more variations for ike v1/2
|
||||||
|
- remove logrotate template
|
||||||
|
- add /etc/e-smith/events/logrotate/logfiles2timestamp/var/log/pluto.log
|
||||||
|
- Fix some log noise when first installed and still disabled
|
||||||
|
|
||||||
|
* Sat Apr 23 2016 John Crisp <jcrisp@safeandsoundit.co.uk> 0.5-20.sme
|
||||||
|
- Fix typo in createlinks for sysctl.conf
|
||||||
|
|
||||||
|
* Mon Apr 04 2016 John Crisp <jcrisp@safeandsoundit.co.uk> 0.5-19.sme
|
||||||
|
- Fix ID in ipsec.secrets if ID is set
|
||||||
|
|
||||||
|
* Thu Mar 24 2016 John Crisp <jcrisp@safeandsoundit.co.uk> 0.5-18.sme
|
||||||
|
- Add debug db key to /etc/ipsec.conf
|
||||||
|
- Remove setting public/private keys as they won't affect unless templates are re-expanded
|
||||||
|
- Set xfrm_larval_drop drop correctly
|
||||||
|
|
||||||
|
* Tue Mar 22 2016 John Crisp <jcrisp@safeandsoundit.co.uk> 0.5-17.sme
|
||||||
|
- Move pluto.log to /var/log/pluto
|
||||||
|
- bump libreswan requires version to 3.16
|
||||||
|
- regenerate masq template on ipsec-update
|
||||||
|
- change wiki location page
|
||||||
|
- add sysctl.conf template
|
||||||
|
- modify masq templates for ipsec status enabled/disabled
|
||||||
|
- only load ipsec.conf rather than *.conf to avoid loading v6neighbor-hole.conf
|
||||||
|
|
||||||
|
* Thu Mar 10 2016 John Crisp <jcrisp@safeandsoundit.co.uk> 0.5-16.sme
|
||||||
|
- Fix masq templates for missing db entries on install
|
||||||
|
|
||||||
|
* Wed Mar 09 2016 JP Pialasse <tests@pialasse.com> 0.5-15.sme
|
||||||
|
- first import in SME buildsys
|
||||||
|
|
||||||
|
* Wed Feb 17 2016 John Crisp <jcrisp@safeandsoundit.co.uk> 0.5-13
|
||||||
|
- Fix small typo in readme
|
||||||
|
|
||||||
|
* Fri Dec 04 2015 John Crisp <jcrisp@safeandsoundit.co.uk> 0.5-12
|
||||||
|
- Add keyingtries
|
||||||
|
- Finally fix add issues using asynchronous
|
||||||
|
|
||||||
|
* Wed Dec 02 2015 John Crisp <jcrisp@safeandsoundit.co.uk> 0.5-11
|
||||||
|
- Determine host IPtype - static or dynamic IP
|
||||||
|
- auto --up changed to exec
|
||||||
|
- Add checks for Left/Right ID in secrets file
|
||||||
|
|
||||||
|
* Tue Dec 01 2015 John Crisp <jcrisp@safeandsoundit.co.uk> 0.5-10
|
||||||
|
- Allow dynamic addresses
|
||||||
|
- Add iptype
|
||||||
|
- disallow " in PSK passwords
|
||||||
|
- Revised logging messages
|
||||||
|
|
||||||
|
* Mon Nov 30 2015 John Crisp <jcrisp@safeandsoundit.co.uk> 0.5-9
|
||||||
|
- Amended templates to allow for rsasig. Early cert settings removed
|
||||||
|
|
||||||
|
* Wed Nov 25 2015 John Crisp <jcrisp@safeandsoundit.co.uk> 0.5-8
|
||||||
|
- Revised masq templates - disable on ipsec disable
|
||||||
|
- Template ipsec.secrets so Terry won't break it again
|
||||||
|
- Set requires e-smith >=9 and libreswan >=3.14
|
||||||
|
|
||||||
|
* Wed Nov 18 2015 John Crisp <jcrisp@safeandsoundit.co.uk> 0.5-7
|
||||||
|
- add 90adjustESP
|
||||||
|
|
||||||
|
* Tue Nov 17 2015 John Crisp <jcrisp@safeandsoundit.co.uk> 0.5-6
|
||||||
|
- more update to masq firewalls - change -p 50 to -p ESP
|
||||||
|
|
||||||
|
* Tue Nov 17 2015 John Crisp <jcrisp@safeandsoundit.co.uk> 0.5-5
|
||||||
|
- update masq firewall rules
|
||||||
|
- document clean up
|
||||||
|
|
||||||
|
* Wed May 27 2015 John Crisp <jcrisp@safeandsoundit.co.uk> 0.5-4
|
||||||
|
- set dpd actions off if ipsec is 'add'
|
||||||
|
- add salifetime key and rename ikelifetime and keylife
|
||||||
|
- change defaults for salifetime and ikelifetime
|
||||||
|
- add in rsasig support
|
||||||
|
|
||||||
|
* Wed Apr 22 2015 John Crisp <jcrisp@safeandsoundit.co.uk> 0.5-3
|
||||||
|
- change default ike from aes-sha to aes-sha1
|
||||||
|
|
||||||
|
* Tue Mar 24 2015 John Crisp <jcrisp@safeandsoundit.co.uk> 0.5-2
|
||||||
|
- More minor fixes - should work OK with xl2tpd
|
||||||
|
|
||||||
|
* Thu Mar 19 2015 John Crisp <jcrisp@safeandsoundit.co.uk> 0.5-1
|
||||||
|
- Remove templates2expand and added to createlinks
|
||||||
|
- modified ipsec.secret template
|
||||||
|
- various other fixes
|
||||||
|
|
||||||
|
* Fri Mar 13 2015 John Crisp <jcrisp@safeandsoundit.co.uk> 0.4-5
|
||||||
|
- Big changes again - now have PreviousState to detect changes
|
||||||
|
- Createlinks to S10 to run after expand-templates
|
||||||
|
|
||||||
|
* Thu Mar 5 2015 John Crisp <jcrisp@safeandsoundit.co.uk> 0.4-4
|
||||||
|
- Changed lots. Removed sysctl.conf template
|
||||||
|
- Changed firewall template
|
||||||
|
|
||||||
|
* Tue Mar 3 2015 John Crisp <jcrisp@safeandsoundit.co.uk> 0.4-3
|
||||||
|
- Load of code tidying and prep from xl2tpd
|
||||||
|
|
||||||
|
* Fri Feb 27 2015 John Crisp <jcrisp@safeandsoundit.co.uk> 0.4-2
|
||||||
|
- Update action script and allow for system not in gateway mode
|
||||||
|
- add ike and phase2alg db settings
|
||||||
|
|
||||||
|
* Tue Feb 24 2015 John Crisp <jcrisp@safeandsoundit.co.uk> 0.4-1
|
||||||
|
- New ipsec-action script
|
||||||
|
- Numerous template changes
|
||||||
|
|
||||||
|
* Fri Jan 16 2015 John Crisp <jcrisp@safeandsoundit.co.uk> 0.3-1
|
||||||
|
- remove debugging lines
|
||||||
|
- remove expand templates from spec file
|
||||||
|
- add status check for ipsec.conf
|
||||||
|
- add comment to masq template
|
||||||
|
- updated db defaults
|
||||||
|
- ipsec.conf not expanded on install
|
||||||
|
- missed auto=start
|
||||||
|
|
||||||
|
* Fri Jan 16 2015 John Crisp <jcrisp@safeandsoundit.co.uk> 0.2-1
|
||||||
|
- remove rc.local modifications
|
||||||
|
- add /etc/sysctl.conf patches
|
||||||
|
|
||||||
|
* Thu Jan 15 2015 John Crisp <jcrisp@safeandsoundit.co.uk> 0.1-1
|
||||||
|
- initial release
|
||||||
|
|
||||||
|
%prep
|
||||||
|
%setup
|
||||||
|
|
||||||
|
%build
|
||||||
|
perl createlinks
|
||||||
|
|
||||||
|
%install
|
||||||
|
rm -rf $RPM_BUILD_ROOT
|
||||||
|
(cd root ; find . -depth -print | cpio -dump $RPM_BUILD_ROOT)
|
||||||
|
rm -f %{name}-%{version}-filelist
|
||||||
|
/sbin/e-smith/genfilelist $RPM_BUILD_ROOT > %{name}-%{version}-filelist
|
||||||
|
echo "%doc COPYING" >> %{name}-%{version}-filelist
|
||||||
|
|
||||||
|
|
||||||
|
%clean
|
||||||
|
cd ..
|
||||||
|
rm -rf %{name}-%{version}
|
||||||
|
|
||||||
|
%files -f %{name}-%{version}-filelist
|
||||||
|
%defattr(-,root,root)
|
||||||
|
|
||||||
|
%pre
|
||||||
|
%preun
|
||||||
|
%post
|
||||||
|
|
||||||
|
/sbin/e-smith/expand-template /etc/rc.d/init.d/masq
|
||||||
|
#/sbin/e-smith/expand-template /etc/inittab
|
||||||
|
#/sbin/init q
|
||||||
|
|
||||||
|
if [[ ! -d /var/log/pluto ]]
|
||||||
|
then
|
||||||
|
mkdir /var/log/pluto
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo "see https://wiki.contribs.org/Libreswan"
|
||||||
|
|
||||||
|
%postun
|
||||||
|
/sbin/e-smith/expand-template /etc/rc.d/init.d/masq
|
||||||
|
#/sbin/e-smith/expand-template /etc/inittab
|
||||||
|
#/sbin/init q
|
Loading…
Reference in New Issue
Block a user