#!/bin/sh /etc/rc.common START=90 STOP=10 USE_PROCD=1 PROG=/usr/lib/ipsec/starter . $IPKG_INSTROOT/lib/functions.sh . $IPKG_INSTROOT/lib/functions/network.sh IPSEC_SECRETS_FILE=/etc/ipsec.secrets IPSEC_CONN_FILE=/etc/ipsec.conf STRONGSWAN_CONF_FILE=/etc/strongswan.conf IPSEC_VAR_SECRETS_FILE=/var/ipsec/ipsec.secrets IPSEC_VAR_CONN_FILE=/var/ipsec/ipsec.conf STRONGSWAN_VAR_CONF_FILE=/var/ipsec/strongswan.conf WAIT_FOR_INTF=0 file_reset() { : > "$1" } xappend() { local file="$1" shift echo "$@" >> "$file" } ipsec_reset() { file_reset "$IPSEC_VAR_CONN_FILE" } ipsec_xappend() { xappend "$IPSEC_VAR_CONN_FILE" "$@" } swan_reset() { file_reset "$STRONGSWAN_VAR_CONF_FILE" } swan_xappend() { xappend "$STRONGSWAN_VAR_CONF_FILE" "$@" } secret_reset() { file_reset "$IPSEC_VAR_SECRETS_FILE" } secret_xappend() { xappend "$IPSEC_VAR_SECRETS_FILE" "$@" } warning() { echo "WARNING: $@" >&2 } add_crypto_proposal() { local encryption_algorithm local hash_algorithm local dh_group config_get encryption_algorithm "$1" encryption_algorithm config_get hash_algorithm "$1" hash_algorithm config_get dh_group "$1" dh_group [ -n "${encryption_algorithm}" ] && \ crypto="${crypto:+${crypto},}${encryption_algorithm}${hash_algorithm:+-${hash_algorithm}}${dh_group:+-${dh_group}}" } set_crypto_proposal() { local conf="$1" local proposal crypto="" config_get crypto_proposal "$conf" crypto_proposal "" for proposal in $crypto_proposal; do add_crypto_proposal "$proposal" done [ -n "${crypto}" ] && { local force_crypto_proposal config_get_bool force_crypto_proposal "$conf" force_crypto_proposal [ "${force_crypto_proposal}" = "1" ] && crypto="${crypto}!" } crypto_proposal="${crypto}" } config_conn() { # Generic ipsec conn section shared by tunnel and transport local mode local local_subnet local local_nat local local_sourceip local local_leftip local local_updown local local_firewall local remote_subnet local remote_sourceip local remote_updown local remote_firewall local ikelifetime local lifetime local margintime local keyingtries local dpdaction local dpddelay local inactivity local keyexchange local reqid local packet_marker config_get mode "$1" mode "route" config_get local_subnet "$1" local_subnet "" config_get local_nat "$1" local_nat "" config_get local_sourceip "$1" local_sourceip "" config_get local_leftip "$1" local_leftip "%any" config_get local_updown "$1" local_updown "" config_get local_firewall "$1" local_firewall "" config_get remote_subnet "$1" remote_subnet "" config_get remote_sourceip "$1" remote_sourceip "" config_get remote_updown "$1" remote_updown "" config_get remote_firewall "$1" remote_firewall "" config_get ikelifetime "$1" ikelifetime "3h" config_get lifetime "$1" lifetime "1h" config_get margintime "$1" margintime "9m" config_get keyingtries "$1" keyingtries "3" config_get dpdaction "$1" dpdaction "none" config_get dpddelay "$1" dpddelay "30s" config_get inactivity "$1" inactivity config_get keyexchange "$1" keyexchange "ikev2" config_get reqid "$1" reqid config_get packet_marker "$1" packet_marker [ -n "$local_nat" ] && local_subnet=$local_nat ipsec_xappend "conn $config_name-$1" ipsec_xappend " left=$local_leftip" ipsec_xappend " right=$remote_gateway" [ -n "$local_sourceip" ] && ipsec_xappend " leftsourceip=$local_sourceip" [ -n "$local_subnet" ] && ipsec_xappend " leftsubnet=${local_subnet// /,}" [ -n "$local_firewall" ] && ipsec_xappend " leftfirewall=$local_firewall" [ -n "$remote_firewall" ] && ipsec_xappend " rightfirewall=$remote_firewall" ipsec_xappend " ikelifetime=$ikelifetime" ipsec_xappend " lifetime=$lifetime" ipsec_xappend " margintime=$margintime" ipsec_xappend " keyingtries=$keyingtries" ipsec_xappend " dpdaction=$dpdaction" ipsec_xappend " dpddelay=$dpddelay" [ -n "$inactivity" ] && ipsec_xappend " inactivity=$inactivity" [ -n "$reqid" ] && ipsec_xappend " reqid=$reqid" if [ "$auth_method" = "psk" ]; then ipsec_xappend " leftauth=psk" ipsec_xappend " rightauth=psk" [ "$remote_sourceip" != "" ] && ipsec_xappend " rightsourceip=$remote_sourceip" [ "$remote_subnet" != "" ] && ipsec_xappend " rightsubnet=${remote_subnet// /,}" ipsec_xappend " auto=$mode" else warning "AuthenticationMethod $auth_method not supported" fi [ -n "$local_identifier" ] && ipsec_xappend " leftid=$local_identifier" [ -n "$remote_identifier" ] && ipsec_xappend " rightid=$remote_identifier" [ -n "$local_updown" ] && ipsec_xappend " leftupdown=$local_updown" [ -n "$remote_updown" ] && ipsec_xappend " rightupdown=$remote_updown" [ -n "$packet_marker" ] && ipsec_xappend " mark=$packet_marker" ipsec_xappend " keyexchange=$keyexchange" set_crypto_proposal "$1" [ -n "${crypto_proposal}" ] && ipsec_xappend " esp=$crypto_proposal" [ -n "${ike_proposal}" ] && ipsec_xappend " ike=$ike_proposal" } config_tunnel() { config_conn "$1" # Specific for the tunnel part ipsec_xappend " type=tunnel" } config_transport() { config_conn "$1" # Specific for the transport part ipsec_xappend " type=transport" } config_remote() { local enabled local gateway local pre_shared_key local auth_method config_name=$1 config_get_bool enabled "$1" enabled 0 [ $enabled -eq 0 ] && return config_get gateway "$1" gateway config_get pre_shared_key "$1" pre_shared_key config_get auth_method "$1" authentication_method config_get local_identifier "$1" local_identifier "" config_get remote_identifier "$1" remote_identifier "" [ "$gateway" = "any" ] && remote_gateway="%any" || remote_gateway="$gateway" [ -z "$local_identifier" ] && { local ipdest [ "$remote_gateway" = "%any" ] && ipdest="1.1.1.1" || ipdest="$remote_gateway" local_gateway=$(ip -o route get "$ipdest" | awk '/ src / { print gensub(/^.* src ([^ ]*) .*$/, "\\1", "g"); }') } [ -n "$local_identifier" ] && secret_xappend -n "$local_identifier " || secret_xappend -n "$local_gateway " [ -n "$remote_identifier" ] && secret_xappend -n "$remote_identifier " || secret_xappend -n "$remote_gateway " secret_xappend ": PSK \"$pre_shared_key\"" set_crypto_proposal "$1" ike_proposal="$crypto_proposal" config_list_foreach "$1" tunnel config_tunnel config_list_foreach "$1" transport config_transport ipsec_xappend "" } do_preamble() { ipsec_xappend "# generated by /etc/init.d/ipsec" ipsec_xappend "version 2" ipsec_xappend "" secret_xappend "# generated by /etc/init.d/ipsec" } config_ipsec() { local debug local rtinstall_enabled local routing_tables_ignored local routing_table local routing_table_id local interface local device_list ipsec_reset secret_reset swan_reset do_preamble config_get debug "$1" debug 0 config_get_bool rtinstall_enabled "$1" rtinstall_enabled 1 [ $rtinstall_enabled -eq 1 ] && install_routes=yes || install_routes=no # prepare extra charon config option ignore_routing_tables for routing_table in $(config_get "$1" "ignore_routing_tables"); do if [ "$routing_table" -ge 0 ] 2>/dev/null; then routing_table_id=$routing_table else routing_table_id=$(sed -n '/[ \t]*[0-9]\+[ \t]\+'$routing_table'[ \t]*$/s/[ \t]*\([0-9]\+\).*/\1/p' /etc/iproute2/rt_tables) fi [ -n "$routing_table_id" ] && append routing_tables_ignored "$routing_table_id" done local interface_list=$(config_get "$1" "interface") if [ -z "$interface_list" ]; then WAIT_FOR_INTF=0 else for interface in $interface_list; do network_get_device device $interface [ -n "$device" ] && append device_list "$device" "," done [ -n "$device_list" ] && WAIT_FOR_INTF=0 || WAIT_FOR_INTF=1 fi swan_xappend "# generated by /etc/init.d/ipsec" swan_xappend "charon {" swan_xappend " load_modular = yes" swan_xappend " install_routes = $install_routes" [ -n "$routing_tables_ignored" ] && swan_xappend " ignore_routing_tables = $routing_tables_ignored" [ -n "$device_list" ] && swan_xappend " interfaces_use = $device_list" swan_xappend " plugins {" swan_xappend " include /etc/strongswan.d/charon/*.conf" swan_xappend " }" swan_xappend " syslog {" swan_xappend " identifier = ipsec" swan_xappend " daemon {" swan_xappend " default = $debug" swan_xappend " }" swan_xappend " }" swan_xappend "}" } prepare_env() { mkdir -p /var/ipsec config_load ipsec config_foreach config_ipsec ipsec config_foreach config_remote remote } service_running() { ipsec status > /dev/null 2>&1 } reload_service() { running && { prepare_env [ $WAIT_FOR_INTF -eq 0 ] && { ipsec rereadall ipsec reload return } } start } stop_service() { ipsec_reset swan_reset secret_reset } check_ipsec_interface() { local intf for intf in $(config_get "$1" interface); do procd_add_interface_trigger "interface.*" "$intf" /etc/init.d/ipsec reload done } service_triggers() { procd_add_reload_trigger "ipsec" config load "ipsec" config_foreach check_ipsec_interface ipsec } start_service() { prepare_env warning "Strongswan is deprecating the ipsec CLI; please migrate to swanctl." [ $WAIT_FOR_INTF -eq 1 ] && return procd_open_instance procd_set_param command $PROG --daemon charon --nofork procd_set_param file $IPSEC_CONN_FILE procd_append_param file $IPSEC_SECRETS_FILE procd_append_param file $STRONGSWAN_CONF_FILE procd_append_param file /etc/strongswan.d/*.conf procd_append_param file /etc/strongswan.d/charon/*.conf procd_set_param respawn procd_close_instance }