initial commit of file from CVS for smeserver-libreswan on Wed 12 Feb 10:54:54 GMT 2025
@@ -0,0 +1 @@
|
||||
500,4500
|
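--- a/root/etc/e-smith/db/configuration/defaults/ipsec/access
+++ b/root/etc/e-smith/db/configuration/defaults/ipsec/access
@@ -0,0 +1 @@
+private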
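--- a/root/etc/e-smith/db/configuration/defaults/ipsec/auto
+++ b/root/etc/e-smith/db/configuration/defaults/ipsec/auto
@@ -0,0 +1 @@
+start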
@@ -0,0 +1 @@
|
||||
tunnel
|
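--- a/root/etc/e-smith/db/configuration/defaults/ipsec/debug
+++ b/root/etc/e-smith/db/configuration/defaults/ipsec/debug
@@ -0,0 +1 @@
+none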
@@ -0,0 +1 @@
|
||||
restart
|
@@ -0,0 +1 @@
|
||||
30
|
@@ -0,0 +1 @@
|
||||
10
|
@@ -0,0 +1 @@
|
||||
3600s
|
@@ -0,0 +1 @@
|
||||
yes
|
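--- a/root/etc/e-smith/db/configuration/defaults/ipsec/left
+++ b/root/etc/e-smith/db/configuration/defaults/ipsec/left
@@ -0,0 +1 @@
+%defaultroute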
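--- a/root/etc/e-smith/db/configuration/defaults/ipsec/pfs
+++ b/root/etc/e-smith/db/configuration/defaults/ipsec/pfs
@@ -0,0 +1 @@
+yes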
@@ -0,0 +1 @@
|
||||
28800s
|
@@ -0,0 +1 @@
|
||||
secret
|
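--- a/root/etc/e-smith/db/configuration/defaults/ipsec/status
+++ b/root/etc/e-smith/db/configuration/defaults/ipsec/status
@@ -0,0 +1 @@
+disabled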
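--- a/root/etc/e-smith/db/configuration/defaults/ipsec/type
+++ b/root/etc/e-smith/db/configuration/defaults/ipsec/type
@@ -0,0 +1 @@
+service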
315
root/etc/e-smith/events/actions/ipsec-update
Normal file
315
root/etc/e-smith/events/actions/ipsec-update
Normal file
@@ -0,0 +1,315 @@
|
||||
#!/usr/bin/perl -w
|
||||
#----------------------------------------------------------------------
|
||||
# Ipsec actions
|
||||
# Copyright (C) 2015 John Crisp
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
# the Free Software Foundation; either version 2 of the License, or
|
||||
# (at your option) any later version.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License or more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program; if not, write to the Free Software
|
||||
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
||||
#----------------------------------------------------------------------
|
||||
|
||||
# Feb 2025 this needs updating for systemd
|
||||
|
||||
# Note that we do not need to use the init ipsec script - we can start and
|
||||
# stop directly using /usr/sbin/ipsec which will call the init script
|
||||
|
||||
# Probably ought to check somewhere that the status of services is public
|
||||
# But if it is private then you have to re-expand masq someplace
|
||||
|
||||
use strict;
|
||||
use warnings;
|
||||
use esmith::ConfigDB;
|
||||
|
||||
my $configDB = esmith::ConfigDB->open or die("can't open Config DB");
|
||||
my $ipsecDB = esmith::ConfigDB->open('ipsec_connections')
|
||||
or die("Ipsec Error - cant connect to ipsec database");
|
||||
|
||||
my $ipsecDBkey = 'ipsec';
|
||||
my $xl2tpdDBkey = 'xl2tpd';
|
||||
my $xl2tpdipsecprop = "L2TPD-PSK";
|
||||
|
||||
# Check on access status - we'll use this later
|
||||
# If status goes to disabled we should set this private
|
||||
|
||||
my $ipsec_access = $configDB->get_prop( $ipsecDBkey, 'access' ) || 'private';
|
||||
print "Ipsec Information - IpsecAccessState: $ipsec_access\n";
|
||||
|
||||
# If the service is set disabled then make sure it is stopped
|
||||
# Note that ipsec is not a service so we cannot use the normal service commands
|
||||
|
||||
if ( $configDB->get_prop( $ipsecDBkey, 'status' ) eq 'disabled' ) {
|
||||
|
||||
# Always reset redirects on stop
|
||||
print "Ipsec Information - reset redirects";
|
||||
resetRedirects();
|
||||
|
||||
# Sort out xl2tpd - if ipsec is disabled it has to be stopped
|
||||
|
||||
print "Xl2tpd Information - ipsec is disabled - Stopping xl2tpd \n";
|
||||
my $myStopXl2tpd = qx(/etc/rc.d/init.d/xl2tpd stop) || die("xl2tpd Error - Unable to launch xl2tpd stop : $!\n");
|
||||
|
||||
if ( not defined $myStopXl2tpd ) {
|
||||
die("Ipsec Error - Unable to stop xl2tpd( error code $?)\n") if $?;
|
||||
}
|
||||
|
||||
# Do we check if it is already stopped ?
|
||||
# For now we stop it regardless
|
||||
|
||||
print "Ipsec Information - ipsec disabled - Stopping ipsec \n";
|
||||
my $myStopConnection = qx(/etc/rc.d/init.d/ipsec stop) || die("Ipsec Error - Unable to launch ipsec stop : $!\n");
|
||||
|
||||
if ( not defined $myStopConnection ) {
|
||||
die("Ipsec Error - Unable to stop ipsec( error code $?)\n") if $?;
|
||||
}
|
||||
|
||||
exit 0;
|
||||
}
|
||||
|
||||
# If the ipsec service is set to enabled AND running (then check the connections)
|
||||
|
||||
if ( $configDB->get_prop( $ipsecDBkey, 'status' ) eq 'enabled' ) {
|
||||
|
||||
# Sort out xl2tpd - if ipsec is enabled, AND xl2tpd then see if it is started
|
||||
my $xl2tpdstatus = $configDB->get_prop( $xl2tpdDBkey, 'status' ) || 'disabled';
|
||||
|
||||
if ( $xl2tpdstatus eq 'enabled' ) {
|
||||
my $xl2tpdService = (`ps ax | grep -v grep | grep xl2tpd`);
|
||||
|
||||
#If the service is not running then start it
|
||||
unless ( $xl2tpdService =~ m/xl2tpd/ ) {
|
||||
|
||||
print "Xl2tpd Information - xl2tpd enabled but stopped - restarting xl2tpd \n";
|
||||
my $myStartXl2tpd = qx(/etc/rc.d/init.d/xl2tpd restart)
|
||||
|| die("xl2tpd Error - Unable to launch xl2tpd restart : $!\n");
|
||||
|
||||
if ( not defined $myStartXl2tpd ) {
|
||||
die("Ipsec Error - Unable to stop xl2tpd( error code $?)\n") if $?;
|
||||
}
|
||||
|
||||
}
|
||||
}
|
||||
|
||||
my $status = (`ps ax | grep -v grep | grep pluto`);
|
||||
|
||||
# If the ipsec service is running
|
||||
if ( $status =~ m/_plutorun/ ) {
|
||||
|
||||
# Lets do some stuff
|
||||
print "Ipsec Information - ipsec is running !\n";
|
||||
|
||||
# make sure reDirects are right
|
||||
setRedirects();
|
||||
|
||||
# Load the connections
|
||||
my @connections = $ipsecDB->keys;
|
||||
|
||||
foreach my $ipsecprop (@connections) {
|
||||
|
||||
#Check the individual connection status
|
||||
my $ipsecstatus = $ipsecDB->get_prop( "$ipsecprop", 'status' )
|
||||
|| "disabled";
|
||||
|
||||
# What type of connection are we ?
|
||||
my $connection = $ipsecDB->get_prop( "$ipsecprop", 'auto' ) || '';
|
||||
|
||||
# Lets check the last state and if it doesn't exist set it disabled
|
||||
if ( not defined( $ipsecDB->get_prop( $ipsecprop, 'PreviousState' ) ) ) {
|
||||
my $previpsecstatus = "disabled";
|
||||
$ipsecDB->set_prop( $ipsecprop, "PreviousState", $previpsecstatus );
|
||||
}
|
||||
|
||||
# Now we should have it
|
||||
my $previpsecstatus = $ipsecDB->get_prop( $ipsecprop, 'PreviousState' );
|
||||
|
||||
print "Ipsec Information - PrevState: $previpsecstatus CurrState: $ipsecstatus\n";
|
||||
|
||||
# Lets reread secrets anyway
|
||||
print "Ipsec Information - Restart - ReReading Secrets\n";
|
||||
my $reread = qx(/usr/sbin/ipsec auto --rereadsecrets);
|
||||
|
||||
die("Ipsec Error - Unable launch ipsec reread secrets : $!\n")
|
||||
if not defined $reread;
|
||||
die("Ipsec Error - Unable to reread ipsec secrets ( error code $?)\n")
|
||||
if $?;
|
||||
|
||||
# If we are enabled
|
||||
if ( ( $previpsecstatus eq "enabled" )
|
||||
&& ( $ipsecstatus eq "enabled" ) ) {
|
||||
|
||||
# Restart
|
||||
print "Ipsec Information - Restarting connection - $ipsecprop\n";
|
||||
|
||||
# Have to use system here as replace usually returns 1280
|
||||
# Replace just rereads the config and does --delete --add
|
||||
system("/usr/sbin/ipsec auto --replace $ipsecprop");
|
||||
print "Ipsec Information - Restart system - replace return code: $?\n";
|
||||
|
||||
# If connection = start then bring it up
|
||||
if ( $connection eq 'start' ) {
|
||||
print "Ipsec Information - En - En - Auto --async --up $ipsecprop\n";
|
||||
|
||||
# If it is start rather than add we try and force it to come up
|
||||
startConnection($ipsecprop);
|
||||
print "Ipsec Information - En - En auto --up\n";
|
||||
print "Ipsec Information - Restart system - up return code: $?\n";
|
||||
}
|
||||
|
||||
# Set Previous status
|
||||
changeState( $ipsecprop, $ipsecstatus );
|
||||
|
||||
}
|
||||
|
||||
# If status is disabled then stop it
|
||||
elsif (( $previpsecstatus eq "disabled" )
|
||||
&& ( $ipsecstatus eq "disabled" ) ) {
|
||||
|
||||
# Stop
|
||||
print "Ipsec Information - Stop connection - $ipsecprop\n";
|
||||
stopConnection($ipsecprop);
|
||||
|
||||
# Set Previous status
|
||||
changeState( $ipsecDBkey, $ipsecstatus );
|
||||
}
|
||||
|
||||
# If status was disabled and now enabled then start it
|
||||
elsif (( $previpsecstatus eq "disabled" )
|
||||
&& ( $ipsecstatus eq "enabled" ) ) {
|
||||
|
||||
# Start
|
||||
print "Enabling connection $ipsecprop\n";
|
||||
|
||||
# Have to use system here as replace usually returns 1280 and not 0
|
||||
system("/usr/sbin/ipsec auto --replace $ipsecprop");
|
||||
print "Ipsec Information - Restart system - return code: $?\n";
|
||||
|
||||
if ( $connection eq 'start' ) {
|
||||
|
||||
# Have to use exec here as system waits for a return and if the connection
|
||||
# does not come up it will just hang. So fire 'n forget
|
||||
print "Ipsec Information - Dis- En - - Auto --async --up $ipsecprop\n";
|
||||
|
||||
startConnection($ipsecprop);
|
||||
print "Ipsec Information - Dis - En auto --up\n";
|
||||
print "Ipsec Information - Restart system - up return code: $?\n";
|
||||
|
||||
#or die "exec failed!";
|
||||
}
|
||||
|
||||
# Set Previous status
|
||||
changeState( $ipsecprop, $ipsecstatus );
|
||||
}
|
||||
|
||||
# If status was enabled and now disabled then stop it
|
||||
elsif (( $previpsecstatus eq "enabled" )
|
||||
&& ( $ipsecstatus eq "disabled" ) ) {
|
||||
|
||||
# Stop and remove - do we need to ?
|
||||
print "Ipsec Information - Stopping connection $ipsecprop\n ";
|
||||
stopConnection($ipsecprop);
|
||||
|
||||
# Set Previous status
|
||||
changeState( $ipsecprop, $ipsecstatus );
|
||||
}
|
||||
|
||||
# Should never be here as it means the statuses are other than enabled or disabled
|
||||
else {
|
||||
print "Ipsec Error - Something went wrong with ipsec connection status\n";
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
# If it isn't running then start it up
|
||||
# Auto connections start themselves. Added connections wait
|
||||
else {
|
||||
print "Ipsec Information - Disable Reverse Path Filtering\n";
|
||||
setRedirects();
|
||||
|
||||
# Make sure access = public
|
||||
unless ( $ipsec_access eq 'public' ) {
|
||||
$configDB->set_prop( $ipsecDBkey, 'access', 'public' );
|
||||
}
|
||||
|
||||
print "Ipsec Information - ipsec enabled - Starting ipsec\n ";
|
||||
my $myStartConnection = qx(/usr/sbin/ipsec start);
|
||||
die("Ipsec Error - Unable to launch ipsec start : $!\n ")
|
||||
if not defined $myStartConnection;
|
||||
die("Ipsec Error - Unable to launch ipsec start ( error code $?)\n ") if $?;
|
||||
|
||||
exit 0;
|
||||
}
|
||||
|
||||
exit 0;
|
||||
|
||||
}
|
||||
|
||||
#### Subroutines here
|
||||
|
||||
sub changeState {
|
||||
|
||||
#@_ contains $ipsecDBkey and $ipsecstatus
|
||||
$ipsecDB->set_prop( $_[0], 'PreviousState', $_[1] );
|
||||
}
|
||||
|
||||
sub startConnection {
|
||||
system("/usr/sbin/ipsec auto --asynchronous --up $_[0]");
|
||||
}
|
||||
|
||||
sub stopConnection {
|
||||
print "Ipsec Information - SubRoutine - stop connection $_[0]\n ";
|
||||
system("/usr/sbin/ipsec auto --down $_[0]");
|
||||
print "Ipsec Information - system down code: $?\n";
|
||||
system("/usr/sbin/ipsec auto --delete $_[0]");
|
||||
print "Ipsec Information - system delete code: $?\n";
|
||||
}
|
||||
|
||||
sub setRedirects {
|
||||
|
||||
my $internalIf = $configDB->get_prop( 'InternalInterface', 'Name' );
|
||||
my $externalIf = $configDB->get_prop( 'ExternalInterface', 'Name' );
|
||||
|
||||
# Big warning - this is a potential security issue
|
||||
# Make sure you read and understand what happens !
|
||||
# If I knew which specific interfaces to change we could reduce the lines here
|
||||
system("/sbin/sysctl -w net.ipv4.conf.all.send_redirects=0") == 0
|
||||
or die("Ipsec Error - A problem occurred with sysctl: $?");
|
||||
system("/sbin/sysctl -w net.ipv4.conf.default.send_redirects=0") == 0
|
||||
or die("Ipsec Error - A problem occurred with sysctl: $?");
|
||||
|
||||
system("/sbin/sysctl -w net.ipv4.conf.all.accept_redirects=0") == 0
|
||||
or die("Ipsec Error - A problem occurred with sysctl: $?");
|
||||
system("/sbin/sysctl -w net.ipv4.conf.default.accept_redirects=0") == 0
|
||||
or die("Ipsec Error - A problem occurred with sysctl: $?");
|
||||
|
||||
system("/sbin/sysctl -w net.ipv4.conf.default.rp_filter=0") == 0
|
||||
or die("Ipsec Error - A problem occurred with sysctl: $?");
|
||||
system("/sbin/sysctl -w net.ipv4.conf.all.rp_filter=0") == 0
|
||||
or die("Ipsec Error - A problem occurred with sysctl: $?");
|
||||
system("/sbin/sysctl -w net.ipv4.conf.$externalIf.rp_filter=0") == 0
|
||||
or die("Ipsec Error - A problem occurred with sysctl: $?");
|
||||
system("/sbin/sysctl -w net.ipv4.conf.$internalIf.rp_filter=0") == 0
|
||||
or die("Ipsec Error - A problem occurred with sysctl: $?");
|
||||
|
||||
|
||||
}
|
||||
|
||||
sub resetRedirects {
|
||||
|
||||
# /etc/syctl.conf is expanded on ipsec-update
|
||||
# This should reload the file - if ipsec is disabled it should reset to defaults
|
||||
# If ipsec is enabled it should disable rp_filtering
|
||||
system("/sbin/sysctl -p") == 0
|
||||
or die("Ipsec Error - A problem occurred with sysctl: $?");
|
||||
}
|
||||
|
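Review bot: The disabled-to-disabled branch records the previous state on the wrong key: `changeState( $ipsecDBkey, $ipsecstatus );` writes `PreviousState` onto a record named `ipsec` in the ipsec_connections DB rather than onto the connection being processed, while the three sibling branches pass `$ipsecprop`; it should read `changeState( $ipsecprop, $ipsecstatus );`. The connection name is also interpolated into a shell command string in the `--replace`, `--up`, `--down` and `--delete` calls; the list form `system('/usr/sbin/ipsec', 'auto', '--replace', $ipsecprop);` bypasses the shell so a name containing metacharacters cannot alter the command, and the same applies to the `sysctl -w net.ipv4.conf.$externalIf.rp_filter=0` lines. The `qx(...) || die(...)` pattern used for the xl2tpd and ipsec init calls dies whenever the init script prints nothing (an empty string is false), which makes the following `not defined` and `$?` checks unreachable; `system(...) == 0 or die` as used in setRedirects is what was intended. The `_plutorun` match on the ps output is an openswan-era process name and may never match a systemd-managed libreswan pluto, which would send every run through the `ipsec start` branch — worth confirming, since the Feb 2025 comment at the top already flags the systemd update. The comment near the top says `access` should go back to `private` when status becomes disabled, but the disabled branch only resets redirects and stops the daemons, so the service record presumably stays published until something else flips it.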
98
root/etc/e-smith/templates/etc/ipsec.conf/10Setup
Normal file
98
root/etc/e-smith/templates/etc/ipsec.conf/10Setup
Normal file
@@ -0,0 +1,98 @@
|
||||
{
|
||||
use strict;
|
||||
use warnings;
|
||||
use esmith::ConfigDB;
|
||||
|
||||
my $configDB = esmith::ConfigDB->open_ro or die("can't open Config DB");
|
||||
my $dbKey = 'ipsec';
|
||||
my $systemMode = $configDB->get("SystemMode")->value;
|
||||
my $ipsecStatus = $configDB->get_prop( $dbKey, 'status' ) || 'disabled';
|
||||
|
||||
if ( $systemMode ne 'servergateway' ) {
|
||||
$OUT .= "# System not in Server Gateway mode\n";
|
||||
}
|
||||
|
||||
elsif ( $ipsecStatus ne 'enabled' ) {
|
||||
$OUT .= "# Ipsec not enabled\n";
|
||||
}
|
||||
|
||||
else {
|
||||
my $ipsecDB = esmith::ConfigDB->open_ro('ipsec_connections')
|
||||
or die("cant connect to ipsec database");
|
||||
|
||||
my $dbKey = 'ipsec';
|
||||
|
||||
# Generic setup file
|
||||
my $debugstatus = $configDB->get_prop( $dbKey, 'debug' ) || 'none';
|
||||
my $keepalive = $configDB->get_prop( $dbKey, 'keepalive' ) || '';
|
||||
|
||||
# A standard config is included in the RPM but we need to generate a new one so we can modify settings
|
||||
|
||||
$OUT .= "config setup\n";
|
||||
$OUT .= " protostack=netkey\n";
|
||||
$OUT .= " plutodebug=$debugstatus\n";
|
||||
$OUT .= " #klipsdebug=none\n";
|
||||
$OUT .= " log=/var/log/pluto/pluto.log\n";
|
||||
$OUT .= " dumpdir=/var/run/pluto/\n";
|
||||
|
||||
if ( $keepalive ne '' ) {
|
||||
$OUT .= " keep-alive=$keepalive\n";
|
||||
}
|
||||
|
||||
# This should get all the connections in an array
|
||||
|
||||
my @connections = $ipsecDB->keys;
|
||||
|
||||
my $virtual_private = '';
|
||||
my @subnetArr = ();
|
||||
|
||||
foreach my $ipsecprop (@connections) {
|
||||
|
||||
# Note that L2TPD needs the localsubnet in here
|
||||
# Second thoughts I don't think it does
|
||||
# Only when you have subnet <-> subnet
|
||||
|
||||
my $ipsecstatus = $ipsecDB->get_prop( "$ipsecprop", 'status' ) || "disabled";
|
||||
|
||||
my $ipsecrecord = $ipsecDB->get($ipsecprop);
|
||||
my $type = $ipsecrecord->prop('type');
|
||||
|
||||
if ( $ipsecstatus eq 'enabled' && ( $type eq 'ipsec' || $type eq 'xl2tpd' ) ) {
|
||||
|
||||
my $rightsubnet = $ipsecDB->get_prop( "$ipsecprop", 'rightsubnet' );
|
||||
|
||||
unless ($rightsubnet) {
|
||||
warn("Warning $ipsecprop has no right subnet");
|
||||
}
|
||||
|
||||
# Check if the network is a unique value
|
||||
if ( $rightsubnet && !( $rightsubnet ~~ @subnetArr ) ) {
|
||||
push( @subnetArr, $rightsubnet );
|
||||
}
|
||||
}
|
||||
} # End foreach
|
||||
|
||||
$virtual_private .= " virtual-private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,";
|
||||
|
||||
unless ( @subnetArr == 0 ) {
|
||||
|
||||
# For NAT and vhost:%priv seting exclude any right subnets
|
||||
foreach my $subnet (@subnetArr) {
|
||||
$virtual_private .= "%v4:!$subnet,";
|
||||
}
|
||||
|
||||
# Remove last character ','
|
||||
chop($virtual_private);
|
||||
$OUT .= "$virtual_private\n";
|
||||
$OUT .= "\n";
|
||||
|
||||
} #end unless
|
||||
|
||||
# I think that this is all we really need. as long as we don't have complex subnets etc
|
||||
# $OUT .= " virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12";
|
||||
$OUT .= "include /etc/ipsec.d/ipsec.conf\n";
|
||||
|
||||
} # End else
|
||||
# End
|
||||
}
|
||||
|
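Review bot: The uniqueness check `$rightsubnet ~~ @subnetArr` uses smartmatch, which has been experimental since Perl 5.18 and warns under `use warnings`; `if ( $rightsubnet && !grep { $_ eq $rightsubnet } @subnetArr )` does the same membership test without it. The `virtual-private=` line is only written when at least one enabled connection has a `rightsubnet`, so a gateway with only dynamic or L2TP peers gets no `virtual-private` at all even though the string is built unconditionally above the `unless`; if the commented-out line near the end reflects the intent, moving `$OUT .= "$virtual_private\n";` out of the `unless` (the `chop` still strips the trailing comma) fixes that. `$type` from `$ipsecrecord->prop('type')` can be undef for a record without that property, which makes the two `eq` comparisons warn; `|| ''` as done for the other properties avoids it. It may also be worth excluding the server's own internal subnet (`%v4:!<leftsubnet>`), as libreswan's examples do, so a road warrior cannot claim an address inside the local LAN as its virtual IP — confirm against the libreswan docs for the shipped version.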
270
root/etc/e-smith/templates/etc/ipsec.d/ipsec.conf/10Connection
Normal file
270
root/etc/e-smith/templates/etc/ipsec.d/ipsec.conf/10Connection
Normal file
@@ -0,0 +1,270 @@
|
||||
{
|
||||
use strict;
|
||||
use warnings;
|
||||
use esmith::ConfigDB;
|
||||
use NetAddr::IP;
|
||||
|
||||
my $configDB = esmith::ConfigDB->open_ro or die("can't open Config DB");
|
||||
my $dbKey = 'ipsec';
|
||||
my $systemMode = $configDB->get("SystemMode")->value;
|
||||
my $ipsecStatus = $configDB->get_prop( $dbKey, 'status' ) || 'disabled';
|
||||
|
||||
if ( $systemMode ne 'servergateway' ) {
|
||||
$OUT .= "# System not in Server Gateway mode\n";
|
||||
}
|
||||
|
||||
elsif ( $ipsecStatus ne 'enabled' ) {
|
||||
$OUT .= "# Ipsec not enabled\n";
|
||||
}
|
||||
|
||||
else {
|
||||
my $ipsecDB = esmith::ConfigDB->open_ro('ipsec_connections')
|
||||
or die("cant connect to ipsec database");
|
||||
|
||||
# This should get all the connections in an array
|
||||
|
||||
my @connections = $ipsecDB->keys;
|
||||
|
||||
$OUT .= "# ipsec.conf\n\n";
|
||||
|
||||
foreach my $ipsecprop (@connections) {
|
||||
|
||||
if ( $ipsecprop ne 'L2TPD-PSK' ) {
|
||||
|
||||
# first we verify if IPSec is enabled for the connection
|
||||
|
||||
my $ipsecstatus = $ipsecDB->get_prop( $ipsecprop, 'status' ) || 'disabled';
|
||||
|
||||
if ( $ipsecstatus eq 'enabled' ) {
|
||||
|
||||
$OUT .= "conn $ipsecprop\n";
|
||||
|
||||
# These should be from $configDB-> ipsec
|
||||
|
||||
# Not templated this - maybe later with L2TPD
|
||||
# We currently use a password file but this could be integrated with other authent later
|
||||
|
||||
# Lazy - assume that it is security (password by default) - options are rsasig|certs
|
||||
|
||||
# Careful - property 'type' has a special meaning in configDB and returns 'service'
|
||||
|
||||
my $connectiontype = $configDB->get_prop( $dbKey, 'connectiontype' )
|
||||
|| 'tunnel';
|
||||
$OUT .= " type=$connectiontype\n";
|
||||
|
||||
my $security = $ipsecDB->get_prop( $ipsecprop, 'security' )
|
||||
|| 'secret';
|
||||
|
||||
# my $certname = $ipsecDB->get_prop( "$ipsecprop", 'certname' ) || ''; ???? Is this required ?
|
||||
|
||||
if ( $security eq 'rsasig' ) {
|
||||
$OUT .= " authby=rsasig\n";
|
||||
|
||||
my $leftrsasig = $ipsecDB->get_prop( $ipsecprop, 'leftrsasig' )
|
||||
|| '';
|
||||
$OUT .= " leftrsasigkey=$leftrsasig\n";
|
||||
|
||||
my $rightrsasig = $ipsecDB->get_prop( $ipsecprop, 'rightrsasig' )
|
||||
|| '';
|
||||
$OUT .= " rightrsasigkey=$rightrsasig\n";
|
||||
|
||||
}
|
||||
|
||||
elsif ( $security eq 'certs' ) {
|
||||
|
||||
$OUT .= " authby=rsasig\n";
|
||||
|
||||
my $leftrsasig = $ipsecDB->get_prop( $ipsecprop, 'leftrsasig' )
|
||||
|| '%cert';
|
||||
$OUT .= " leftrsasigkey=$leftrsasig\n";
|
||||
|
||||
my $rightrsasig = $ipsecDB->get_prop( $ipsecprop, 'rightrsasig' )
|
||||
|| '%cert';
|
||||
$OUT .= " rightrsasigkey=$rightrsasig\n";
|
||||
|
||||
my $leftcert = $ipsecDB->get_prop( $ipsecprop, 'leftcert' )
|
||||
|| '"LeftCertName"';
|
||||
$OUT .= " leftcert=\"$leftcert\"\n";
|
||||
|
||||
my $rightcert = $ipsecDB->get_prop( $ipsecprop, 'rightcert' )
|
||||
|| '"RightCertName"';
|
||||
$OUT .= " rightcert=\"$rightcert\"\n";
|
||||
|
||||
}
|
||||
|
||||
else {
|
||||
$OUT .= " authby=$security\n";
|
||||
}
|
||||
|
||||
# Use connection value if it exists, if not use generic db value
|
||||
my $auto =
|
||||
$ipsecDB->get_prop( $ipsecprop, 'auto' )
|
||||
|| $configDB->get_prop( $dbKey, 'auto' )
|
||||
|| 'start';
|
||||
|
||||
# If we are a static host to a dynamic client we are always add
|
||||
my $iptype = $ipsecDB->get_prop( $ipsecprop, 'iptype' ) || '';
|
||||
|
||||
if ( $iptype eq 'stattodyn' ) {
|
||||
$OUT .= " auto=add\n";
|
||||
}
|
||||
else {
|
||||
$OUT .= " auto=$auto\n";
|
||||
}
|
||||
|
||||
# We should change ipsecversion to 'ikev2'
|
||||
my $ipsecversion =
|
||||
$ipsecDB->get_prop( $ipsecprop, 'ipsecversion' )
|
||||
|| $configDB->get_prop( $dbKey, 'ipsecversion' )
|
||||
|| 'permit';
|
||||
|
||||
$OUT .= " ikev2=$ipsecversion\n";
|
||||
|
||||
# Set the Phase one and Phase two default strengths - these are set to aes
|
||||
my $ike =
|
||||
$ipsecDB->get_prop( $ipsecprop, 'ike' )
|
||||
|| $configDB->get_prop( $dbKey, 'ike' )
|
||||
|| 'aes-sha1';
|
||||
$OUT .= " ike=$ike\n";
|
||||
|
||||
# We should change phase2 to phase2alg
|
||||
my $phase2 =
|
||||
$ipsecDB->get_prop( $ipsecprop, 'phase2' )
|
||||
|| $configDB->get_prop( $dbKey, 'phase2' )
|
||||
|| 'aes-sha1';
|
||||
$OUT .= " phase2alg=$phase2\n";
|
||||
|
||||
# mtu can only be set per connection
|
||||
my $mtu = $ipsecDB->get_prop( $ipsecprop, 'mtu' )
|
||||
|| '';
|
||||
|
||||
unless ( $mtu eq '' ) {
|
||||
$OUT .= " mtu=$mtu\n";
|
||||
}
|
||||
|
||||
# These should be from $configDB-> ipsec unless they exist in ipsec_connections
|
||||
|
||||
my $forceencaps =
|
||||
$ipsecDB->get_prop( $ipsecprop, 'forceencaps' )
|
||||
|| $configDB->get_prop( $dbKey, 'forceencaps' )
|
||||
|| 'no';
|
||||
|
||||
$OUT .= " encapsulation=$forceencaps\n";
|
||||
|
||||
my $keyingtries =
|
||||
$ipsecDB->get_prop( $ipsecprop, 'keyingtries' )
|
||||
|| $configDB->get_prop( $dbKey, 'keyingtries' )
|
||||
|| '%forever';
|
||||
$OUT .= " keyingtries=$keyingtries\n";
|
||||
|
||||
# Following come from ipsecDB or configDB or hardcoded
|
||||
my $ikelifetime =
|
||||
$ipsecDB->get_prop( $ipsecprop, 'ikelifetime' )
|
||||
|| $configDB->get_prop( $dbKey, 'ikelifetime' )
|
||||
|| '3600s';
|
||||
$OUT .= " ikelifetime=$ikelifetime\n";
|
||||
|
||||
my $salifetime =
|
||||
$ipsecDB->get_prop( $ipsecprop, 'salifetime' )
|
||||
|| $configDB->get_prop( $dbKey, 'salifetime' )
|
||||
|| '28800s';
|
||||
$OUT .= " salifetime=$salifetime\n";
|
||||
|
||||
# Add is for incoming and is better that server dpd is ignored
|
||||
# Disabled for now
|
||||
|
||||
# if ( $auto ne 'add' ) {}
|
||||
my $dpdaction =
|
||||
$ipsecDB->get_prop( $ipsecprop, 'dpdaction' )
|
||||
|| $configDB->get_prop( $dbKey, 'dpdaction' )
|
||||
|| 'restart';
|
||||
$OUT .= " dpdaction=$dpdaction\n";
|
||||
|
||||
my $dpddelay =
|
||||
$ipsecDB->get_prop( $ipsecprop, 'dpddelay' )
|
||||
|| $configDB->get_prop( $dbKey, 'dpddelay' )
|
||||
|| '30';
|
||||
$OUT .= " dpddelay=$dpddelay\n";
|
||||
|
||||
my $dpdtimeout =
|
||||
$ipsecDB->get_prop( $ipsecprop, 'dpdtimeout' )
|
||||
|| $configDB->get_prop( $dbKey, 'dpdtimeout' )
|
||||
|| '10';
|
||||
$OUT .= " dpdtimeout=$dpdtimeout\n";
|
||||
|
||||
# default to yes unless overridden in the connection db
|
||||
my $pfs = $ipsecDB->get_prop( $ipsecprop, 'pfs' ) || 'yes';
|
||||
$OUT .= " pfs=$pfs\n";
|
||||
|
||||
# Following come from ipsecDB or configDB or hardcoded
|
||||
my $left =
|
||||
$ipsecDB->get_prop( $ipsecprop, 'left' )
|
||||
|| $configDB->get_prop( $dbKey, 'left' )
|
||||
|| '%defaultroute';
|
||||
$OUT .= " left=$left\n";
|
||||
|
||||
if ( $security eq 'certs' ) {
|
||||
my $leftid = ( $ipsecDB->get_prop( $ipsecprop, 'leftid' ) || '%fromcert' );
|
||||
$OUT .= " leftid=$leftid\n";
|
||||
}
|
||||
|
||||
# These ONLY come from the ipsec_configurations db
|
||||
elsif ( ( my $leftid = $ipsecDB->get_prop( $ipsecprop, 'leftid' ) || '' ) ne '' ) {
|
||||
$OUT .= " leftid=$leftid\n";
|
||||
}
|
||||
|
||||
# Left sourceIP and leftsubnet can be taken from the Internal interface
|
||||
# but we can allow them to be overridden
|
||||
|
||||
#my $internalAddr = $configDB->get_prop( 'InternalInterface', 'IPAddress' );
|
||||
my $internalMask = $configDB->get_prop( 'InternalInterface', 'Netmask' );
|
||||
my $internalNetwork = $configDB->get_prop( 'InternalInterface', 'Network' );
|
||||
|
||||
my $ip = NetAddr::IP->new( $internalNetwork, $internalMask ) or die "Invalid host/mask";
|
||||
my $internalCIDRNetwork = ( $ip->network() );
|
||||
|
||||
my $leftsourceip = $ipsecDB->get_prop( $ipsecprop, 'leftsourceip' )
|
||||
|| $configDB->get_prop( 'InternalInterface', 'IPAddress' );
|
||||
$OUT .= " leftsourceip=$leftsourceip\n";
|
||||
|
||||
my $leftsubnet = $ipsecDB->get_prop( $ipsecprop, 'leftsubnet' ) || $internalCIDRNetwork;
|
||||
$OUT .= " leftsubnet=$leftsubnet\n";
|
||||
|
||||
# If we are a static host to a dynamic client we HAVE to set right %any
|
||||
# Should never be empty
|
||||
my $right = $ipsecDB->get_prop( $ipsecprop, 'right' ) || '%any';
|
||||
|
||||
if ( $iptype eq 'stattodyn' ) {
|
||||
$OUT .= " right=%any\n";
|
||||
}
|
||||
else {
|
||||
$OUT .= " right=$right\n";
|
||||
}
|
||||
|
||||
if ( $security eq 'certs' ) {
|
||||
my $rightid = ( $ipsecDB->get_prop( $ipsecprop, 'rightid' ) || '%fromcert' );
|
||||
$OUT .= " rightid=$rightid\n";
|
||||
}
|
||||
|
||||
elsif ( ( my $rightid = $ipsecDB->get_prop( $ipsecprop, 'rightid' ) || '' ) ne '' ) {
|
||||
$OUT .= " rightid=$rightid\n";
|
||||
}
|
||||
|
||||
my $rightsubnet = $ipsecDB->get_prop( $ipsecprop, 'rightsubnet' ) || '';
|
||||
if ( $rightsubnet ne '' ) {
|
||||
$OUT .= " rightsubnet=$rightsubnet\n";
|
||||
}
|
||||
|
||||
my $reauth = $ipsecDB->get_prop( $ipsecprop, 'reauth' ) || '';
|
||||
if ( $reauth eq 'y' || $reauth eq 'yes' || $reauth eq '1' ) {
|
||||
$OUT .= " reauth=yes\n";
|
||||
}
|
||||
} # End if ( $ipsecstatus eq 'enabled' )
|
||||
else {
|
||||
$OUT .= "# conn $ipsecprop disabled\n";
|
||||
}
|
||||
} # End if ( $ipsecprop ne 'L2TPD-PSK' )
|
||||
} # End foreach
|
||||
} # End else
|
||||
}
|
||||
|
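Review bot: In the `rsasig` branch, `leftrsasigkey=$leftrsasig` and `rightrsasigkey=$rightrsasig` are emitted even when the DB has no key, because both fall back to `''`, so a half-configured connection produces an empty `leftrsasigkey=` line instead of a visible error; emit them only when non-empty (as `mtu` and `rightsubnet` are), or `warn` as 10Setup does for a missing `rightsubnet`. The hard-coded fallbacks `ike=aes-sha1` and `phase2alg=aes-sha1` pin IKE integrity/PRF to SHA-1 and leave the DH group to libreswan's implicit default; where the peers allow it, fallbacks such as `aes256-sha2_256;modp2048` and `aes256-sha2_256` are what a current deployment wants, and the per-connection and global DB props already exist for legacy peers. `ikev2=permit` is a libreswan 3.x keyword; as far as I recall libreswan 4.x maps `permit` to `no` (IKEv1 only), so the `# We should change ipsecversion to 'ikev2'` comment deserves acting on — confirm against the shipped version. Minor: `$connectiontype` is read from the global `ipsec` record only, while every other knob consults the connection record first, so `type=` cannot be overridden per connection through the same mechanism.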
116
root/etc/e-smith/templates/etc/ipsec.d/ipsec.secrets/10Passwords
Normal file
116
root/etc/e-smith/templates/etc/ipsec.d/ipsec.secrets/10Passwords
Normal file
@@ -0,0 +1,116 @@
|
||||
|
||||
{
|
||||
use strict;
|
||||
use warnings;
|
||||
use esmith::ConfigDB;
|
||||
|
||||
my $configDB = esmith::ConfigDB->open_ro or die("can't open Config DB");
|
||||
my $dbKey = 'ipsec';
|
||||
my $systemMode = $configDB->get("SystemMode")->value;
|
||||
my $ipsecStatus = $configDB->get_prop( $dbKey, 'status' ) || 'disabled';
|
||||
|
||||
if ( $systemMode ne 'servergateway' ) {
|
||||
$OUT .= "# System not in Server Gateway mode\n";
|
||||
}
|
||||
|
||||
elsif ( $ipsecStatus ne 'enabled' ) {
|
||||
$OUT .= "# Ipsec not enabled\n";
|
||||
}
|
||||
|
||||
else {
|
||||
my $ipsecDB = esmith::ConfigDB->open_ro('ipsec_connections')
|
||||
or die("cant connect to ipsec database");
|
||||
|
||||
# This should get all the connections in an array
|
||||
|
||||
my @connections = $ipsecDB->keys;
|
||||
|
||||
$OUT .= "# ipsec.secrets\n\n";
|
||||
|
||||
my $ExternalIP = $configDB->get_prop( "ExternalInterface", "IPAddress" );
|
||||
|
||||
foreach my $ipsecprop (@connections) {
|
||||
|
||||
if ( $ipsecprop ne 'L2TPD-PSK' ) {
|
||||
|
||||
# first we verify if IPSec is enabled for the connection
|
||||
|
||||
my $ipsecstatus = $ipsecDB->get_prop( $ipsecprop, 'status' )
|
||||
|| "disabled";
|
||||
|
||||
if ( $ipsecstatus eq "enabled" ) {
|
||||
|
||||
my $right = $ipsecDB->get_prop( $ipsecprop, 'right' ) || '';
|
||||
|
||||
# Hmm..... if left is not set it defaults to %defaultroute which we don't want here
|
||||
|
||||
my $left = $ipsecDB->get_prop( $ipsecprop, 'left' ) || $ExternalIP;
|
||||
my $security = $ipsecDB->get_prop( $ipsecprop, 'security' ) || 'secret';
|
||||
my $iptype = $ipsecDB->get_prop( $ipsecprop, 'iptype' ) || '';
|
||||
my $certname = $ipsecDB->get_prop( $ipsecprop, 'certname' ) || '';
|
||||
my $passwd = $ipsecDB->get_prop( $ipsecprop, 'passwd' ) || '';
|
||||
|
||||
# Double quote is not allowed in configuration
|
||||
if ( $passwd =~ /"/ ) {
|
||||
die("Ipsec Error - PSK value cannot contain double quotes (\")");
|
||||
}
|
||||
|
||||
$OUT .= "# $ipsecprop is enabled\n";
|
||||
|
||||
if ( $security eq 'certs' ) {
|
||||
$OUT .= "# Certificates enabled for $ipsecprop - no settings required\n";
|
||||
}
|
||||
|
||||
elsif ( $security eq 'secret' ) {
|
||||
|
||||
# If dynamic it must be %any here
|
||||
# If not it can be ExternalIP if left not set
|
||||
|
||||
# IF we have IDs then use them in preference to %any
|
||||
|
||||
my $leftid = $ipsecDB->get_prop( $ipsecprop, 'leftid' ) || '';
|
||||
my $rightid = $ipsecDB->get_prop( $ipsecprop, 'rightid' ) || '';
|
||||
|
||||
if ( $iptype eq 'stattodyn' ) {
|
||||
if ( ( $leftid eq '' ) && ( $rightid eq '' ) ) {
|
||||
$OUT .= "$left %any \: PSK \"$passwd\"";
|
||||
}
|
||||
else {
|
||||
$OUT .= "$leftid $rightid \: PSK \"$passwd\"";
|
||||
}
|
||||
}
|
||||
|
||||
elsif ( $iptype eq 'dyntostat' ) {
|
||||
if ( ( $leftid eq '' ) && ( $rightid eq '' ) ) {
|
||||
$OUT .= "%any $right\: PSK \"$passwd\"";
|
||||
}
|
||||
else {
|
||||
$OUT .= "$leftid $rightid \: PSK \"$passwd\"";
|
||||
}
|
||||
}
|
||||
|
||||
elsif ( ( $leftid ne '' ) && ( $rightid ne '' ) ) {
|
||||
$OUT .= "$leftid $rightid \: PSK \"$passwd\"";
|
||||
}
|
||||
|
||||
else {
|
||||
$OUT .= "$left $right \: PSK \"$passwd\"";
|
||||
}
|
||||
}
|
||||
|
||||
elsif ( $security eq "rsasig" ) {
|
||||
$OUT .= "# Connection to $ipsecprop is RSA\n";
|
||||
$OUT .= "# Our RSA key is in separate file\n";
|
||||
}
|
||||
|
||||
else {
|
||||
$OUT .= "# $ipsecprop is disabled\n";
|
||||
$OUT .= "\n";
|
||||
}
|
||||
$OUT .= "\n";
|
||||
} # if
|
||||
} #unless
|
||||
} #foreach
|
||||
} #else
|
||||
}
|
||||
|
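Review bot: An unset `passwd` property produces a `: PSK ""` entry, because `$passwd` falls back to `''` and the only validation is the double-quote check; a connection with an empty pre-shared key should be rejected the same way, e.g. `die("Ipsec Error - PSK for $ipsecprop is empty") if $passwd eq '';`, or at least skipped with a comment line, rather than written into ipsec.secrets. The selector is also malformed when only one of `leftid`/`rightid` is set in the `stattodyn` and `dyntostat` branches, since `"$leftid $rightid \: PSK ..."` then has an empty side; those else-branches should fall back to `%any`, `$left` or `$right` for whichever id is missing, as the non-id branches already do. The final `else` labels an unknown `security` value as `# $ipsecprop is disabled`, which is misleading directly under the `# $ipsecprop is enabled` line written just above; `# $ipsecprop: unsupported security type '$security'` says what happened. Minor: the backslash in `\:` has no effect inside a double-quoted Perl string, so a plain `:` is equivalent.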
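--- a/root/etc/e-smith/templates/etc/ipsec.secrets/10Setup
+++ b/root/etc/e-smith/templates/etc/ipsec.secrets/10Setup
@@ -0,0 +1 @@
+include /etc/ipsec.d/*.secrets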
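--- a/root/etc/e-smith/templates/etc/rc.d/init.d/masq/40AllowIPsec
+++ b/root/etc/e-smith/templates/etc/rc.d/init.d/masq/40AllowIPsec
@@ -0,0 +1,16 @@
+# Required PostRouting for VPN
+
+{
+my $ipsec_status = $ipsec{status} || '';
+
+# print "Ipsec Information - 40AllowIpsec - $ipsec_status\n";
+
+if ( $ipsec_status eq 'enabled' ) {
+$OUT .= " # Do not NAT VPN traffic\n";
+$OUT .= " /sbin/iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT\n";
+}
+
+else {
+$OUT .= " # 40AllowIPsec VPN POSTROUTING disabled\n";
+}
+}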
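Review bot: The `-I POSTROUTING ... --pol ipsec -j ACCEPT` rule depends on landing ahead of whatever NAT rule the rest of the masq template appends, but `# Required PostRouting for VPN` does not say why `-I` rather than `-A` matters; a comment such as `# -I so this precedes the masquerade rule: packets leaving under an IPsec policy must keep their LAN source address` makes the ordering dependency explicit (the masquerade rule itself is not in this chunk, I am inferring it from the file's location). Every masq expansion re-runs this line, so unless the surrounding script flushes the nat POSTROUTING chain first the rule accumulates on each restart — worth confirming against the parent template.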
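--- a/root/etc/e-smith/templates/etc/rc.d/init.d/masq/56AllowESP
+++ b/root/etc/e-smith/templates/etc/rc.d/init.d/masq/56AllowESP
@@ -0,0 +1,18 @@
+# based on /etc/e-smith/templates/etc/rc.d/init.d/masq/55AllowGRE
+
+{
+my $ipsec_status = $ipsec{status} || '';
+
+# print "Ipsec Information - 56AllowESP - $ipsec_status\n";
+
+if ( $ipsec_status eq 'enabled' ) {
+$OUT .= " /sbin/iptables --new-chain esp-in\n";
+$OUT .= " /sbin/iptables --append INPUT -p ESP -j esp-in\n";
+$OUT .= " /sbin/iptables --append INPUT -p ESP -j denylog\n";
+$OUT .= " /sbin/iptables --append esp-in \! -d \$OUTERNET -j denylog\n";
+$OUT .= " /sbin/iptables --append esp-in -j denylog\n";
+}
+else {
+$OUT .= " # 56AllowESP disabled\n";
+}
+}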
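Review bot: The second INPUT rule, `--append INPUT -p ESP -j denylog`, is only reached if `esp-in` returns, and the chain built here ends in `-j denylog` (90adjustESP later swaps rule 2 to ACCEPT), so that rule is a fail-closed backstop rather than live policy; a comment such as `# esp-in is built deny-only here and opened in 90adjustESP; the INPUT denylog is a backstop if the chain ever falls through` would stop the next reader deleting it as redundant. Everything here keys on `$ipsec{status}` alone, so ESP is accepted from any source as long as it is addressed to `$OUTERNET`; that is normal for a road-warrior gateway, but the same comment could note that IKE on UDP 500/4500 is presumably opened through the service record's access/port settings rather than here, so a reader does not look for it in this file.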
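--- a/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustESP
+++ b/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustESP
@@ -0,0 +1,16 @@
+# based on /etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustGRE
+
+{
+my $ipsec_status = $ipsec{status} || '';
+
+# print "Ipsec Information - 90AdjustESP - $ipsec_status\n";
+
+if ( $ipsec_status eq 'enabled' ) {
+my $target = ( $ipsec_status eq 'enabled' ) ? "ACCEPT" : "denylog";
+$OUT .= " /sbin/iptables --replace esp-in 1 ! -d \$OUTERNET -j denylog\n";
+$OUT .= " /sbin/iptables --replace esp-in 2 -j $target\n";
+}
+else {
+$OUT .= " # 90adjustESP disabled\n";
+}
+}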
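Review bot: `my $target = ( $ipsec_status eq 'enabled' ) ? "ACCEPT" : "denylog";` sits inside `if ( $ipsec_status eq 'enabled' )`, so the ternary can only ever yield `ACCEPT` and the `denylog` arm is dead; either drop the variable and write `--replace esp-in 2 -j ACCEPT`, or hoist the ternary above the `if` if the intent inherited from 90adjustGRE was to also rewrite the chain in the disabled case. As written the disabled case emits only a comment, which is correct only because 56AllowESP never creates `esp-in` when ipsec is disabled (a `--replace` on a missing chain would fail); a one-line comment stating that dependency keeps the two templates in step.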
@@ -0,0 +1,29 @@
|
||||
{
|
||||
# Set up sysctl.conf for ipsec
|
||||
# need a check on release version as v8 needs
|
||||
# net.core.xfrm_larval_drop = 1
|
||||
# $configDB->get_prop( 'sysconfig', 'ReleaseVersion' ) eq 'v8/v9'
|
||||
|
||||
use strict;
|
||||
use warnings;
|
||||
use esmith::ConfigDB;
|
||||
|
||||
my $configDB = esmith::ConfigDB->open or die("can't open Config DB");
|
||||
|
||||
if ( $configDB->get_prop( 'ipsec', 'status' ) eq 'enabled' ) {
|
||||
|
||||
$OUT .= <<CONFIG_END
|
||||
# Ipsec overrides
|
||||
net.ipv4.conf.all.rp_filter = 0
|
||||
net.ipv4.conf.all.send_redirects = 0
|
||||
net.ipv4.conf.default.accept_redirects = 0
|
||||
net.ipv4.conf.default.rp_filter = 0
|
||||
net.ipv4.conf.default.send_redirects = 0
|
||||
net.ipv4.conf.dummy0.rp_filter = 0
|
||||
net.ipv4.conf.eth0.rp_filter = 0
|
||||
net.ipv4.conf.eth1.rp_filter = 0
|
||||
net.ipv4.conf.lo.rp_filter = 0
|
||||
|
||||
CONFIG_END
|
||||
}
|
||||
}
|
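Review bot: The interface names are hard-coded (`eth0`, `eth1`, `dummy0`, `lo`) even though the configuration DB carries `InternalInterface`/`ExternalInterface` names and `ipsec-update` already reads them; generating the per-interface `rp_filter` lines from those two records keeps this file correct on hosts with different NIC names. The list also sets `net.ipv4.conf.default.accept_redirects = 0` but not `net.ipv4.conf.all.accept_redirects = 0`, whereas `ipsec-update` sets both, so a reboot leaves the `all` setting at the distro default until the action script next runs. This template opens the configuration DB read-write (`esmith::ConfigDB->open`) while the other templates in this commit use `open_ro`; a template should not need write access. The template's file header is outside this chunk, so which file it expands into is inferred from its `sysctl.conf` comment.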
@@ -0,0 +1,5 @@
|
||||
[Unit]
|
||||
After=network.target network.service wan.service
|
||||
[Install]
|
||||
WantedBy=sme-server.target
|
||||
|
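Review bot: `After=network.target network.service wan.service` only orders the unit and does not pull those units in, so if that is deliberate it deserves a comment; if ipsec must not start before the WAN address is configured (the templates rely on `left=%defaultroute`), `After=network-online.target` together with `Wants=network-online.target` is the documented systemd idiom. The unit this drop-in extends is not visible in this chunk, so I cannot tell whether it is meant to override a stock `ipsec.service` ordering or add to it.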