initial commit of file from CVS for smeserver-libreswan on Wed 12 Feb 10:54:54 GMT 2025

This commit is contained in:
2025-02-12 10:54:54 +00:00
parent 5b494cfee1
commit 2e6096aeff
33 changed files with 1608 additions and 2 deletions


@@ -0,0 +1 @@
500,4500


@@ -0,0 +1 @@
private


@@ -0,0 +1 @@
start


@@ -0,0 +1 @@
tunnel


@@ -0,0 +1 @@
none


@@ -0,0 +1 @@
restart


@@ -0,0 +1 @@
30


@@ -0,0 +1 @@
10


@@ -0,0 +1 @@
3600s


@@ -0,0 +1 @@
yes


@@ -0,0 +1 @@
%defaultroute


@@ -0,0 +1 @@
yes


@@ -0,0 +1 @@
28800s


@@ -0,0 +1 @@
secret


@@ -0,0 +1 @@
disabled


@@ -0,0 +1 @@
service


@@ -0,0 +1,315 @@
#!/usr/bin/perl -w
#----------------------------------------------------------------------
# Ipsec actions
# Copyright (C) 2015 John Crisp
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License or more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#----------------------------------------------------------------------
# Feb 2025 this needs updating for systemd
# Note that we do not need to use the init ipsec script - we can start and
# stop directly using /usr/sbin/ipsec which will call the init script
# Probably ought to check somewhere that the status of services is public
# But if it is private then you have to re-expand masq someplace
use strict;
use warnings;
use esmith::ConfigDB;
my $configDB = esmith::ConfigDB->open or die("can't open Config DB");
my $ipsecDB = esmith::ConfigDB->open('ipsec_connections')
or die("Ipsec Error - cant connect to ipsec database");
my $ipsecDBkey = 'ipsec';
my $xl2tpdDBkey = 'xl2tpd';
my $xl2tpdipsecprop = "L2TPD-PSK";
# Check on access status - we'll use this later
# If status goes to disabled we should set this private
my $ipsec_access = $configDB->get_prop( $ipsecDBkey, 'access' ) || 'private';
print "Ipsec Information - IpsecAccessState: $ipsec_access\n";
# If the service is set disabled then make sure it is stopped
# Note that ipsec is not a service so we cannot use the normal service commands
if ( $configDB->get_prop( $ipsecDBkey, 'status' ) eq 'disabled' ) {
# Always reset redirects on stop
print "Ipsec Information - reset redirects";
resetRedirects();
# Sort out xl2tpd - if ipsec is disabled it has to be stopped
print "Xl2tpd Information - ipsec is disabled - Stopping xl2tpd \n";
my $myStopXl2tpd = qx(/etc/rc.d/init.d/xl2tpd stop) || die("xl2tpd Error - Unable to launch xl2tpd stop : $!\n");
if ( not defined $myStopXl2tpd ) {
die("Ipsec Error - Unable to stop xl2tpd( error code $?)\n") if $?;
}
# Do we check if it is already stopped ?
# For now we stop it regardless
print "Ipsec Information - ipsec disabled - Stopping ipsec \n";
my $myStopConnection = qx(/etc/rc.d/init.d/ipsec stop) || die("Ipsec Error - Unable to launch ipsec stop : $!\n");
if ( not defined $myStopConnection ) {
die("Ipsec Error - Unable to stop ipsec( error code $?)\n") if $?;
}
exit 0;
}
# If the ipsec service is set to enabled AND running (then check the connections)
if ( $configDB->get_prop( $ipsecDBkey, 'status' ) eq 'enabled' ) {
# Sort out xl2tpd - if ipsec is enabled, AND xl2tpd then see if it is started
my $xl2tpdstatus = $configDB->get_prop( $xl2tpdDBkey, 'status' ) || 'disabled';
if ( $xl2tpdstatus eq 'enabled' ) {
my $xl2tpdService = (`ps ax | grep -v grep | grep xl2tpd`);
#If the service is not running then start it
unless ( $xl2tpdService =~ m/xl2tpd/ ) {
print "Xl2tpd Information - xl2tpd enabled but stopped - restarting xl2tpd \n";
my $myStartXl2tpd = qx(/etc/rc.d/init.d/xl2tpd restart)
|| die("xl2tpd Error - Unable to launch xl2tpd restart : $!\n");
if ( not defined $myStartXl2tpd ) {
die("Ipsec Error - Unable to stop xl2tpd( error code $?)\n") if $?;
}
}
}
my $status = (`ps ax | grep -v grep | grep pluto`);
# If the ipsec service is running
if ( $status =~ m/_plutorun/ ) {
# Lets do some stuff
print "Ipsec Information - ipsec is running !\n";
# make sure reDirects are right
setRedirects();
# Load the connections
my @connections = $ipsecDB->keys;
foreach my $ipsecprop (@connections) {
#Check the individual connection status
my $ipsecstatus = $ipsecDB->get_prop( "$ipsecprop", 'status' )
|| "disabled";
# What type of connection are we ?
my $connection = $ipsecDB->get_prop( "$ipsecprop", 'auto' ) || '';
# Lets check the last state and if it doesn't exist set it disabled
if ( not defined( $ipsecDB->get_prop( $ipsecprop, 'PreviousState' ) ) ) {
my $previpsecstatus = "disabled";
$ipsecDB->set_prop( $ipsecprop, "PreviousState", $previpsecstatus );
}
# Now we should have it
my $previpsecstatus = $ipsecDB->get_prop( $ipsecprop, 'PreviousState' );
print "Ipsec Information - PrevState: $previpsecstatus CurrState: $ipsecstatus\n";
# Lets reread secrets anyway
print "Ipsec Information - Restart - ReReading Secrets\n";
my $reread = qx(/usr/sbin/ipsec auto --rereadsecrets);
die("Ipsec Error - Unable launch ipsec reread secrets : $!\n")
if not defined $reread;
die("Ipsec Error - Unable to reread ipsec secrets ( error code $?)\n")
if $?;
# If we are enabled
if ( ( $previpsecstatus eq "enabled" )
&& ( $ipsecstatus eq "enabled" ) ) {
# Restart
print "Ipsec Information - Restarting connection - $ipsecprop\n";
# Have to use system here as replace usually returns 1280
# Replace just rereads the config and does --delete --add
system("/usr/sbin/ipsec auto --replace $ipsecprop");
print "Ipsec Information - Restart system - replace return code: $?\n";
# If connection = start then bring it up
if ( $connection eq 'start' ) {
print "Ipsec Information - En - En - Auto --async --up $ipsecprop\n";
# If it is start rather than add we try and force it to come up
startConnection($ipsecprop);
print "Ipsec Information - En - En auto --up\n";
print "Ipsec Information - Restart system - up return code: $?\n";
}
# Set Previous status
changeState( $ipsecprop, $ipsecstatus );
}
# If status is disabled then stop it
elsif (( $previpsecstatus eq "disabled" )
&& ( $ipsecstatus eq "disabled" ) ) {
# Stop
print "Ipsec Information - Stop connection - $ipsecprop\n";
stopConnection($ipsecprop);
# Set Previous status
changeState( $ipsecDBkey, $ipsecstatus );
}
# If status was disabled and now enabled then start it
elsif (( $previpsecstatus eq "disabled" )
&& ( $ipsecstatus eq "enabled" ) ) {
# Start
print "Enabling connection $ipsecprop\n";
# Have to use system here as replace usually returns 1280 and not 0
system("/usr/sbin/ipsec auto --replace $ipsecprop");
print "Ipsec Information - Restart system - return code: $?\n";
if ( $connection eq 'start' ) {
# Have to use exec here as system waits for a return and if the connection
# does not come up it will just hang. So fire 'n forget
print "Ipsec Information - Dis- En - - Auto --async --up $ipsecprop\n";
startConnection($ipsecprop);
print "Ipsec Information - Dis - En auto --up\n";
print "Ipsec Information - Restart system - up return code: $?\n";
#or die "exec failed!";
}
# Set Previous status
changeState( $ipsecprop, $ipsecstatus );
}
# If status was enabled and now disabled then stop it
elsif (( $previpsecstatus eq "enabled" )
&& ( $ipsecstatus eq "disabled" ) ) {
# Stop and remove - do we need to ?
print "Ipsec Information - Stopping connection $ipsecprop\n ";
stopConnection($ipsecprop);
# Set Previous status
changeState( $ipsecprop, $ipsecstatus );
}
# Should never be here as it means the statuses are other than enabled or disabled
else {
print "Ipsec Error - Something went wrong with ipsec connection status\n";
}
}
}
# If it isn't running then start it up
# Auto connections start themselves. Added connections wait
else {
print "Ipsec Information - Disable Reverse Path Filtering\n";
setRedirects();
# Make sure access = public
unless ( $ipsec_access eq 'public' ) {
$configDB->set_prop( $ipsecDBkey, 'access', 'public' );
}
print "Ipsec Information - ipsec enabled - Starting ipsec\n ";
my $myStartConnection = qx(/usr/sbin/ipsec start);
die("Ipsec Error - Unable to launch ipsec start : $!\n ")
if not defined $myStartConnection;
die("Ipsec Error - Unable to launch ipsec start ( error code $?)\n ") if $?;
exit 0;
}
exit 0;
}
#### Subroutines here
sub changeState {
#@_ contains $ipsecDBkey and $ipsecstatus
$ipsecDB->set_prop( $_[0], 'PreviousState', $_[1] );
}
sub startConnection {
system("/usr/sbin/ipsec auto --asynchronous --up $_[0]");
}
sub stopConnection {
print "Ipsec Information - SubRoutine - stop connection $_[0]\n ";
system("/usr/sbin/ipsec auto --down $_[0]");
print "Ipsec Information - system down code: $?\n";
system("/usr/sbin/ipsec auto --delete $_[0]");
print "Ipsec Information - system delete code: $?\n";
}
sub setRedirects {
my $internalIf = $configDB->get_prop( 'InternalInterface', 'Name' );
my $externalIf = $configDB->get_prop( 'ExternalInterface', 'Name' );
# Big warning - this is a potential security issue
# Make sure you read and understand what happens !
# If I knew which specific interfaces to change we could reduce the lines here
system("/sbin/sysctl -w net.ipv4.conf.all.send_redirects=0") == 0
or die("Ipsec Error - A problem occurred with sysctl: $?");
system("/sbin/sysctl -w net.ipv4.conf.default.send_redirects=0") == 0
or die("Ipsec Error - A problem occurred with sysctl: $?");
system("/sbin/sysctl -w net.ipv4.conf.all.accept_redirects=0") == 0
or die("Ipsec Error - A problem occurred with sysctl: $?");
system("/sbin/sysctl -w net.ipv4.conf.default.accept_redirects=0") == 0
or die("Ipsec Error - A problem occurred with sysctl: $?");
system("/sbin/sysctl -w net.ipv4.conf.default.rp_filter=0") == 0
or die("Ipsec Error - A problem occurred with sysctl: $?");
system("/sbin/sysctl -w net.ipv4.conf.all.rp_filter=0") == 0
or die("Ipsec Error - A problem occurred with sysctl: $?");
system("/sbin/sysctl -w net.ipv4.conf.$externalIf.rp_filter=0") == 0
or die("Ipsec Error - A problem occurred with sysctl: $?");
system("/sbin/sysctl -w net.ipv4.conf.$internalIf.rp_filter=0") == 0
or die("Ipsec Error - A problem occurred with sysctl: $?");
}
sub resetRedirects {
# /etc/syctl.conf is expanded on ipsec-update
# This should reload the file - if ipsec is disabled it should reset to defaults
# If ipsec is enabled it should disable rp_filtering
system("/sbin/sysctl -p") == 0
or die("Ipsec Error - A problem occurred with sysctl: $?");
}
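Review bot: The disabled→disabled branch records state with `changeState( $ipsecDBkey, $ipsecstatus );`, i.e. against the literal key `ipsec` in the ipsec_connections db rather than the connection being processed, so it creates a stray record and never updates that connection's PreviousState; it should read `changeState( $ipsecprop, $ipsecstatus );` like the other three branches. Every `ipsec auto --replace/--up/--down/--delete $ipsecprop` call (and the two `sysctl -w net.ipv4.conf.$externalIf.rp_filter=0` lines in setRedirects) passes a db-sourced name through the shell; the list form `system('/usr/sbin/ipsec', 'auto', '--replace', $ipsecprop)` avoids any shell interpretation of an unusual connection or interface name. The `qx(/etc/rc.d/init.d/xl2tpd stop) || die(... $!)` pattern dies with an unrelated `$!` whenever the init script simply prints nothing, so it should test `$?` after the call instead of the captured output. The `ps ax | grep pluto` / `m/_plutorun/` check looks like an openswan-era process name that may never match a libreswan pluto started under systemd (the header comment already flags the systemd update); `ipsec status` / `systemctl is-active ipsec` with its exit code would be a more reliable running test.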


@@ -0,0 +1,98 @@
{
use strict;
use warnings;
use esmith::ConfigDB;
my $configDB = esmith::ConfigDB->open_ro or die("can't open Config DB");
my $dbKey = 'ipsec';
my $systemMode = $configDB->get("SystemMode")->value;
my $ipsecStatus = $configDB->get_prop( $dbKey, 'status' ) || 'disabled';
if ( $systemMode ne 'servergateway' ) {
$OUT .= "# System not in Server Gateway mode\n";
}
elsif ( $ipsecStatus ne 'enabled' ) {
$OUT .= "# Ipsec not enabled\n";
}
else {
my $ipsecDB = esmith::ConfigDB->open_ro('ipsec_connections')
or die("cant connect to ipsec database");
my $dbKey = 'ipsec';
# Generic setup file
my $debugstatus = $configDB->get_prop( $dbKey, 'debug' ) || 'none';
my $keepalive = $configDB->get_prop( $dbKey, 'keepalive' ) || '';
# A standard config is included in the RPM but we need to generate a new one so we can modify settings
$OUT .= "config setup\n";
$OUT .= " protostack=netkey\n";
$OUT .= " plutodebug=$debugstatus\n";
$OUT .= " #klipsdebug=none\n";
$OUT .= " log=/var/log/pluto/pluto.log\n";
$OUT .= " dumpdir=/var/run/pluto/\n";
if ( $keepalive ne '' ) {
$OUT .= " keep-alive=$keepalive\n";
}
# This should get all the connections in an array
my @connections = $ipsecDB->keys;
my $virtual_private = '';
my @subnetArr = ();
foreach my $ipsecprop (@connections) {
# Note that L2TPD needs the localsubnet in here
# Second thoughts I don't think it does
# Only when you have subnet <-> subnet
my $ipsecstatus = $ipsecDB->get_prop( "$ipsecprop", 'status' ) || "disabled";
my $ipsecrecord = $ipsecDB->get($ipsecprop);
my $type = $ipsecrecord->prop('type');
if ( $ipsecstatus eq 'enabled' && ( $type eq 'ipsec' || $type eq 'xl2tpd' ) ) {
my $rightsubnet = $ipsecDB->get_prop( "$ipsecprop", 'rightsubnet' );
unless ($rightsubnet) {
warn("Warning $ipsecprop has no right subnet");
}
# Check if the network is a unique value
if ( $rightsubnet && !( $rightsubnet ~~ @subnetArr ) ) {
push( @subnetArr, $rightsubnet );
}
}
} # End foreach
$virtual_private .= " virtual-private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,";
unless ( @subnetArr == 0 ) {
# For NAT and vhost:%priv seting exclude any right subnets
foreach my $subnet (@subnetArr) {
$virtual_private .= "%v4:!$subnet,";
}
# Remove last character ','
chop($virtual_private);
$OUT .= "$virtual_private\n";
$OUT .= "\n";
} #end unless
# I think that this is all we really need. as long as we don't have complex subnets etc
# $OUT .= " virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12";
$OUT .= "include /etc/ipsec.d/ipsec.conf\n";
} # End else
# End
}
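Review bot: The `virtual-private=` line assembled at `$virtual_private .= " virtual-private=%v4:10.0.0.0/8,..."` is only appended to `$OUT` inside `unless ( @subnetArr == 0 )`, so when no enabled connection carries a `rightsubnet` (an L2TP/road-warrior-only setup) the RFC1918 virtual-private ranges are never written at all, which the comment below the block suggests is not the intent; collect the `%v4:` entries in a list and emit `$OUT .= " virtual-private=" . join(',', @entries) . "\n";` unconditionally, which also removes the trailing-comma `chop`. `$rightsubnet ~~ @subnetArr` uses smartmatch, which is experimental and warns or is removed on newer perls; `grep { $_ eq $rightsubnet } @subnetArr` or a `%seen` hash is equivalent. `plutodebug=$debugstatus` and `keep-alive=$keepalive` are emitted unvalidated from the config db, so an anchored check (`/^\d+$/` for keep-alive) would surface a typo at template expansion rather than as a pluto start failure; the `log=` key may also need checking against the installed libreswan, whose documented setup option is `logfile=`.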


@@ -0,0 +1,270 @@
{
use strict;
use warnings;
use esmith::ConfigDB;
use NetAddr::IP;
my $configDB = esmith::ConfigDB->open_ro or die("can't open Config DB");
my $dbKey = 'ipsec';
my $systemMode = $configDB->get("SystemMode")->value;
my $ipsecStatus = $configDB->get_prop( $dbKey, 'status' ) || 'disabled';
if ( $systemMode ne 'servergateway' ) {
$OUT .= "# System not in Server Gateway mode\n";
}
elsif ( $ipsecStatus ne 'enabled' ) {
$OUT .= "# Ipsec not enabled\n";
}
else {
my $ipsecDB = esmith::ConfigDB->open_ro('ipsec_connections')
or die("cant connect to ipsec database");
# This should get all the connections in an array
my @connections = $ipsecDB->keys;
$OUT .= "# ipsec.conf\n\n";
foreach my $ipsecprop (@connections) {
if ( $ipsecprop ne 'L2TPD-PSK' ) {
# first we verify if IPSec is enabled for the connection
my $ipsecstatus = $ipsecDB->get_prop( $ipsecprop, 'status' ) || 'disabled';
if ( $ipsecstatus eq 'enabled' ) {
$OUT .= "conn $ipsecprop\n";
# These should be from $configDB-> ipsec
# Not templated this - maybe later with L2TPD
# We currently use a password file but this could be integrated with other authent later
# Lazy - assume that it is security (password by default) - options are rsasig|certs
# Careful - property 'type' has a special meaning in configDB and returns 'service'
my $connectiontype = $configDB->get_prop( $dbKey, 'connectiontype' )
|| 'tunnel';
$OUT .= " type=$connectiontype\n";
my $security = $ipsecDB->get_prop( $ipsecprop, 'security' )
|| 'secret';
# my $certname = $ipsecDB->get_prop( "$ipsecprop", 'certname' ) || ''; ???? Is this required ?
if ( $security eq 'rsasig' ) {
$OUT .= " authby=rsasig\n";
my $leftrsasig = $ipsecDB->get_prop( $ipsecprop, 'leftrsasig' )
|| '';
$OUT .= " leftrsasigkey=$leftrsasig\n";
my $rightrsasig = $ipsecDB->get_prop( $ipsecprop, 'rightrsasig' )
|| '';
$OUT .= " rightrsasigkey=$rightrsasig\n";
}
elsif ( $security eq 'certs' ) {
$OUT .= " authby=rsasig\n";
my $leftrsasig = $ipsecDB->get_prop( $ipsecprop, 'leftrsasig' )
|| '%cert';
$OUT .= " leftrsasigkey=$leftrsasig\n";
my $rightrsasig = $ipsecDB->get_prop( $ipsecprop, 'rightrsasig' )
|| '%cert';
$OUT .= " rightrsasigkey=$rightrsasig\n";
my $leftcert = $ipsecDB->get_prop( $ipsecprop, 'leftcert' )
|| '"LeftCertName"';
$OUT .= " leftcert=\"$leftcert\"\n";
my $rightcert = $ipsecDB->get_prop( $ipsecprop, 'rightcert' )
|| '"RightCertName"';
$OUT .= " rightcert=\"$rightcert\"\n";
}
else {
$OUT .= " authby=$security\n";
}
# Use connection value if it exists, if not use generic db value
my $auto =
$ipsecDB->get_prop( $ipsecprop, 'auto' )
|| $configDB->get_prop( $dbKey, 'auto' )
|| 'start';
# If we are a static host to a dynamic client we are always add
my $iptype = $ipsecDB->get_prop( $ipsecprop, 'iptype' ) || '';
if ( $iptype eq 'stattodyn' ) {
$OUT .= " auto=add\n";
}
else {
$OUT .= " auto=$auto\n";
}
# We should change ipsecversion to 'ikev2'
my $ipsecversion =
$ipsecDB->get_prop( $ipsecprop, 'ipsecversion' )
|| $configDB->get_prop( $dbKey, 'ipsecversion' )
|| 'permit';
$OUT .= " ikev2=$ipsecversion\n";
# Set the Phase one and Phase two default strengths - these are set to aes
my $ike =
$ipsecDB->get_prop( $ipsecprop, 'ike' )
|| $configDB->get_prop( $dbKey, 'ike' )
|| 'aes-sha1';
$OUT .= " ike=$ike\n";
# We should change phase2 to phase2alg
my $phase2 =
$ipsecDB->get_prop( $ipsecprop, 'phase2' )
|| $configDB->get_prop( $dbKey, 'phase2' )
|| 'aes-sha1';
$OUT .= " phase2alg=$phase2\n";
# mtu can only be set per connection
my $mtu = $ipsecDB->get_prop( $ipsecprop, 'mtu' )
|| '';
unless ( $mtu eq '' ) {
$OUT .= " mtu=$mtu\n";
}
# These should be from $configDB-> ipsec unless they exist in ipsec_connections
my $forceencaps =
$ipsecDB->get_prop( $ipsecprop, 'forceencaps' )
|| $configDB->get_prop( $dbKey, 'forceencaps' )
|| 'no';
$OUT .= " encapsulation=$forceencaps\n";
my $keyingtries =
$ipsecDB->get_prop( $ipsecprop, 'keyingtries' )
|| $configDB->get_prop( $dbKey, 'keyingtries' )
|| '%forever';
$OUT .= " keyingtries=$keyingtries\n";
# Following come from ipsecDB or configDB or hardcoded
my $ikelifetime =
$ipsecDB->get_prop( $ipsecprop, 'ikelifetime' )
|| $configDB->get_prop( $dbKey, 'ikelifetime' )
|| '3600s';
$OUT .= " ikelifetime=$ikelifetime\n";
my $salifetime =
$ipsecDB->get_prop( $ipsecprop, 'salifetime' )
|| $configDB->get_prop( $dbKey, 'salifetime' )
|| '28800s';
$OUT .= " salifetime=$salifetime\n";
# Add is for incoming and is better that server dpd is ignored
# Disabled for now
# if ( $auto ne 'add' ) {}
my $dpdaction =
$ipsecDB->get_prop( $ipsecprop, 'dpdaction' )
|| $configDB->get_prop( $dbKey, 'dpdaction' )
|| 'restart';
$OUT .= " dpdaction=$dpdaction\n";
my $dpddelay =
$ipsecDB->get_prop( $ipsecprop, 'dpddelay' )
|| $configDB->get_prop( $dbKey, 'dpddelay' )
|| '30';
$OUT .= " dpddelay=$dpddelay\n";
my $dpdtimeout =
$ipsecDB->get_prop( $ipsecprop, 'dpdtimeout' )
|| $configDB->get_prop( $dbKey, 'dpdtimeout' )
|| '10';
$OUT .= " dpdtimeout=$dpdtimeout\n";
# default to yes unless overridden in the connection db
my $pfs = $ipsecDB->get_prop( $ipsecprop, 'pfs' ) || 'yes';
$OUT .= " pfs=$pfs\n";
# Following come from ipsecDB or configDB or hardcoded
my $left =
$ipsecDB->get_prop( $ipsecprop, 'left' )
|| $configDB->get_prop( $dbKey, 'left' )
|| '%defaultroute';
$OUT .= " left=$left\n";
if ( $security eq 'certs' ) {
my $leftid = ( $ipsecDB->get_prop( $ipsecprop, 'leftid' ) || '%fromcert' );
$OUT .= " leftid=$leftid\n";
}
# These ONLY come from the ipsec_configurations db
elsif ( ( my $leftid = $ipsecDB->get_prop( $ipsecprop, 'leftid' ) || '' ) ne '' ) {
$OUT .= " leftid=$leftid\n";
}
# Left sourceIP and leftsubnet can be taken from the Internal interface
# but we can allow them to be overridden
#my $internalAddr = $configDB->get_prop( 'InternalInterface', 'IPAddress' );
my $internalMask = $configDB->get_prop( 'InternalInterface', 'Netmask' );
my $internalNetwork = $configDB->get_prop( 'InternalInterface', 'Network' );
my $ip = NetAddr::IP->new( $internalNetwork, $internalMask ) or die "Invalid host/mask";
my $internalCIDRNetwork = ( $ip->network() );
my $leftsourceip = $ipsecDB->get_prop( $ipsecprop, 'leftsourceip' )
|| $configDB->get_prop( 'InternalInterface', 'IPAddress' );
$OUT .= " leftsourceip=$leftsourceip\n";
my $leftsubnet = $ipsecDB->get_prop( $ipsecprop, 'leftsubnet' ) || $internalCIDRNetwork;
$OUT .= " leftsubnet=$leftsubnet\n";
# If we are a static host to a dynamic client we HAVE to set right %any
# Should never be empty
my $right = $ipsecDB->get_prop( $ipsecprop, 'right' ) || '%any';
if ( $iptype eq 'stattodyn' ) {
$OUT .= " right=%any\n";
}
else {
$OUT .= " right=$right\n";
}
if ( $security eq 'certs' ) {
my $rightid = ( $ipsecDB->get_prop( $ipsecprop, 'rightid' ) || '%fromcert' );
$OUT .= " rightid=$rightid\n";
}
elsif ( ( my $rightid = $ipsecDB->get_prop( $ipsecprop, 'rightid' ) || '' ) ne '' ) {
$OUT .= " rightid=$rightid\n";
}
my $rightsubnet = $ipsecDB->get_prop( $ipsecprop, 'rightsubnet' ) || '';
if ( $rightsubnet ne '' ) {
$OUT .= " rightsubnet=$rightsubnet\n";
}
my $reauth = $ipsecDB->get_prop( $ipsecprop, 'reauth' ) || '';
if ( $reauth eq 'y' || $reauth eq 'yes' || $reauth eq '1' ) {
$OUT .= " reauth=yes\n";
}
} # End if ( $ipsecstatus eq 'enabled' )
else {
$OUT .= "# conn $ipsecprop disabled\n";
}
} # End if ( $ipsecprop ne 'L2TPD-PSK' )
} # End foreach
} # End else
}
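Review bot: The certificate defaults `|| '"LeftCertName"'` and `|| '"RightCertName"'` already contain double quotes and are then quoted again by `" leftcert=\"$leftcert\"\n"`, so a `certs` connection with no cert name set renders `leftcert=""LeftCertName""`; drop the inner quotes from the defaults (`|| 'LeftCertName'`). The fallback crypto is also weaker than a new deployment should get: with nothing set in either db the template emits `ike=aes-sha1`, `phase2alg=aes-sha1` and `ikev2=permit`, i.e. SHA-1 integrity, no explicit DH group, and IKEv1 still negotiable, so a baseline such as `aes256-sha2_256;modp2048` for both and `ikev2=insist` (or at least `yes`) would be safer, with the old values still reachable through the db props. `authby=$security` in the final `else` passes any string in the `security` property straight into ipsec.conf; since the template only understands `secret`, `rsasig` and `certs`, a `die` on anything else would catch a typo at expansion time. For `rsasig` with no key set, `leftrsasigkey=`/`rightrsasigkey=` are written empty, which presumably fails at pluto load — worth a `warn` or `die` as well.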


@@ -0,0 +1,116 @@
{
use strict;
use warnings;
use esmith::ConfigDB;
my $configDB = esmith::ConfigDB->open_ro or die("can't open Config DB");
my $dbKey = 'ipsec';
my $systemMode = $configDB->get("SystemMode")->value;
my $ipsecStatus = $configDB->get_prop( $dbKey, 'status' ) || 'disabled';
if ( $systemMode ne 'servergateway' ) {
$OUT .= "# System not in Server Gateway mode\n";
}
elsif ( $ipsecStatus ne 'enabled' ) {
$OUT .= "# Ipsec not enabled\n";
}
else {
my $ipsecDB = esmith::ConfigDB->open_ro('ipsec_connections')
or die("cant connect to ipsec database");
# This should get all the connections in an array
my @connections = $ipsecDB->keys;
$OUT .= "# ipsec.secrets\n\n";
my $ExternalIP = $configDB->get_prop( "ExternalInterface", "IPAddress" );
foreach my $ipsecprop (@connections) {
if ( $ipsecprop ne 'L2TPD-PSK' ) {
# first we verify if IPSec is enabled for the connection
my $ipsecstatus = $ipsecDB->get_prop( $ipsecprop, 'status' )
|| "disabled";
if ( $ipsecstatus eq "enabled" ) {
my $right = $ipsecDB->get_prop( $ipsecprop, 'right' ) || '';
# Hmm..... if left is not set it defaults to %defaultroute which we don't want here
my $left = $ipsecDB->get_prop( $ipsecprop, 'left' ) || $ExternalIP;
my $security = $ipsecDB->get_prop( $ipsecprop, 'security' ) || 'secret';
my $iptype = $ipsecDB->get_prop( $ipsecprop, 'iptype' ) || '';
my $certname = $ipsecDB->get_prop( $ipsecprop, 'certname' ) || '';
my $passwd = $ipsecDB->get_prop( $ipsecprop, 'passwd' ) || '';
# Double quote is not allowed in configuration
if ( $passwd =~ /"/ ) {
die("Ipsec Error - PSK value cannot contain double quotes (\")");
}
$OUT .= "# $ipsecprop is enabled\n";
if ( $security eq 'certs' ) {
$OUT .= "# Certificates enabled for $ipsecprop - no settings required\n";
}
elsif ( $security eq 'secret' ) {
# If dynamic it must be %any here
# If not it can be ExternalIP if left not set
# IF we have IDs then use them in preference to %any
my $leftid = $ipsecDB->get_prop( $ipsecprop, 'leftid' ) || '';
my $rightid = $ipsecDB->get_prop( $ipsecprop, 'rightid' ) || '';
if ( $iptype eq 'stattodyn' ) {
if ( ( $leftid eq '' ) && ( $rightid eq '' ) ) {
$OUT .= "$left %any \: PSK \"$passwd\"";
}
else {
$OUT .= "$leftid $rightid \: PSK \"$passwd\"";
}
}
elsif ( $iptype eq 'dyntostat' ) {
if ( ( $leftid eq '' ) && ( $rightid eq '' ) ) {
$OUT .= "%any $right\: PSK \"$passwd\"";
}
else {
$OUT .= "$leftid $rightid \: PSK \"$passwd\"";
}
}
elsif ( ( $leftid ne '' ) && ( $rightid ne '' ) ) {
$OUT .= "$leftid $rightid \: PSK \"$passwd\"";
}
else {
$OUT .= "$left $right \: PSK \"$passwd\"";
}
}
elsif ( $security eq "rsasig" ) {
$OUT .= "# Connection to $ipsecprop is RSA\n";
$OUT .= "# Our RSA key is in separate file\n";
}
else {
$OUT .= "# $ipsecprop is disabled\n";
$OUT .= "\n";
}
$OUT .= "\n";
} # if
} #unless
} #foreach
} #else
}
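Review bot: An enabled `secret` connection whose `passwd` property is unset or empty passes the double-quote check and is written out as `PSK ""` in every branch below it, so the peer is effectively offered an empty pre-shared key; add `die("Ipsec Error - $ipsecprop is enabled with an empty PSK") if $passwd eq '';` beside the existing check, and consider rejecting backslashes and newlines too since they would also break the secrets line. The `\:` in those format strings is a no-op escape in a double-quoted Perl string and reads as if something special were intended — a plain `:` is clearer. The trailing `else` is reached for an unknown `security` value, not for a disabled connection, so its `# $ipsecprop is disabled` output is misleading; `# $ipsecprop has unsupported security type '$security'` (or a `die`) states what actually happened. The loop-closing comments `#unless` / `# if` also no longer match the `if ( $ipsecprop ne 'L2TPD-PSK' )` they close.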


@@ -0,0 +1 @@
include /etc/ipsec.d/*.secrets


@@ -0,0 +1,16 @@
# Required PostRouting for VPN
{
my $ipsec_status = $ipsec{status} || '';
# print "Ipsec Information - 40AllowIpsec - $ipsec_status\n";
if ( $ipsec_status eq 'enabled' ) {
$OUT .= " # Do not NAT VPN traffic\n";
$OUT .= " /sbin/iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT\n";
}
else {
$OUT .= " # 40AllowIPsec VPN POSTROUTING disabled\n";
}
}


@@ -0,0 +1,18 @@
# based on /etc/e-smith/templates/etc/rc.d/init.d/masq/55AllowGRE
{
my $ipsec_status = $ipsec{status} || '';
# print "Ipsec Information - 56AllowESP - $ipsec_status\n";
if ( $ipsec_status eq 'enabled' ) {
$OUT .= " /sbin/iptables --new-chain esp-in\n";
$OUT .= " /sbin/iptables --append INPUT -p ESP -j esp-in\n";
$OUT .= " /sbin/iptables --append INPUT -p ESP -j denylog\n";
$OUT .= " /sbin/iptables --append esp-in \! -d \$OUTERNET -j denylog\n";
$OUT .= " /sbin/iptables --append esp-in -j denylog\n";
}
else {
$OUT .= " # 56AllowESP disabled\n";
}
}


@@ -0,0 +1,16 @@
# based on /etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustGRE
{
my $ipsec_status = $ipsec{status} || '';
# print "Ipsec Information - 90AdjustESP - $ipsec_status\n";
if ( $ipsec_status eq 'enabled' ) {
my $target = ( $ipsec_status eq 'enabled' ) ? "ACCEPT" : "denylog";
$OUT .= " /sbin/iptables --replace esp-in 1 ! -d \$OUTERNET -j denylog\n";
$OUT .= " /sbin/iptables --replace esp-in 2 -j $target\n";
}
else {
$OUT .= " # 90adjustESP disabled\n";
}
}
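Review bot: The ternary `my $target = ( $ipsec_status eq 'enabled' ) ? "ACCEPT" : "denylog";` can only ever yield `ACCEPT`, because it sits inside the `if ( $ipsec_status eq 'enabled' )` branch; either hoist it above the `if` as the GRE template it is based on presumably does, or write `-j ACCEPT` directly. Once that rule is in place any ESP packet addressed to `$OUTERNET` is accepted from any source, which is what roaming peers need but is broader than necessary for connections with a static `right=`; a per-connection `-s $right` match is an option if the db is exposed to this template later. The comment in the fragment header says `90adjustGRE` but the disabled-branch output says `90adjustESP` — keep the two names consistent so the generated masq script is greppable.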


@@ -0,0 +1,29 @@
{
# Set up sysctl.conf for ipsec
# need a check on release version as v8 needs
# net.core.xfrm_larval_drop = 1
# $configDB->get_prop( 'sysconfig', 'ReleaseVersion' ) eq 'v8/v9'
use strict;
use warnings;
use esmith::ConfigDB;
my $configDB = esmith::ConfigDB->open or die("can't open Config DB");
if ( $configDB->get_prop( 'ipsec', 'status' ) eq 'enabled' ) {
$OUT .= <<CONFIG_END
# Ipsec overrides
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.dummy0.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.eth1.rp_filter = 0
net.ipv4.conf.lo.rp_filter = 0
CONFIG_END
}
}
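Review bot: The interface names are hard-coded here (`net.ipv4.conf.eth0.rp_filter`, `eth1`, `dummy0`) while the action script in the same commit derives them from `InternalInterface`/`ExternalInterface` `Name`, so on a host whose NICs are not eth0/eth1 this template and `setRedirects` disagree and `sysctl -p` (used by `resetRedirects`) will fail on the missing keys; read the two interface names from the config db here as well. The action script also sets `net.ipv4.conf.all.accept_redirects = 0` but this file only sets `default.accept_redirects`, so the persisted state after `sysctl -p` differs from the state after an ipsec start — add the `all.` line for consistency. Disabling rp_filter outright on every interface is the broadest relaxation; on current kernels loose mode (`rp_filter = 2`) is generally enough for XFRM-decapsulated traffic and keeps some anti-spoofing, which is worth testing before shipping `0`. Minor: `open` could be `open_ro` as in the other templates, and `get_prop( 'ipsec', 'status' ) eq 'enabled'` warns under `use warnings` when the property is absent — `( ... || 'disabled' ) eq 'enabled'` matches the other fragments.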


@@ -0,0 +1,5 @@
[Unit]
After=network.target network.service wan.service
[Install]
WantedBy=sme-server.target