Diffstat (limited to 'package/strongswan/files')
-rw-r--r-- | package/strongswan/files/ipsec.button | 34 | ||||
-rw-r--r-- | package/strongswan/files/ipsec.conf | 34 | ||||
-rw-r--r-- | package/strongswan/files/ipsec.config | 21 | ||||
-rw-r--r-- | package/strongswan/files/ipsec.cron | 2 | ||||
-rw-r--r-- | package/strongswan/files/ipsec.iface | 8 | ||||
-rw-r--r-- | package/strongswan/files/ipsec.init | 101 |
6 files changed, 200 insertions, 0 deletions
diff --git a/package/strongswan/files/ipsec.button b/package/strongswan/files/ipsec.button
new file mode 100644
index 0000000..9bd9023
--- /dev/null
+++ b/package/strongswan/files/ipsec.button
@@ -0,0 +1,34 @@
+#!/bin/sh
+
+# snarf the code that loads the config values
+# since we also load the functions, might as well save the shell calls
+. /etc/init.d/ipsec
+
+[ -n "$IPSEC_RESET_BUTTON" -a "$BUTTON" = "$IPSEC_RESET_BUTTON" ] || exit
+
+if [ ! -e /var/run/pluto.pid ] ; then
+
+ [ "$ACTION" = "pressed" ] && start
+
+else
+
+ if [ "$ACTION" = "pressed" ] ; then
+
+ stop
+
+ elif [ "$ACTION" = "released" ] ; then
+
+ while [ -e /var/run/pluto.pid ] ; do
+ sleep 1
+ done
+
+ while ps auxww | grep ipsec | grep -v grep ; do
+ sleep 1
+ done
+
+ start
+
+ fi
+
+fi
+
diff --git a/package/strongswan/files/ipsec.conf b/package/strongswan/files/ipsec.conf
new file mode 100644
index 0000000..8f59008
--- /dev/null
+++ b/package/strongswan/files/ipsec.conf
@@ -0,0 +1,34 @@
+
+version 2.0
+
+config setup
+ interfaces=%defaultroute
+ nat_traversal=yes # required on both ends
+ uniqueids=yes # makes sense on client, not server
+ hidetos=no
+
+conn %default
+ authby=rsasig
+ keyingtries=3
+ keyexchange=ike
+ left=%defaultroute
+ leftrsasigkey=%cert
+ rightrsasigkey=%cert
+ dpdtimeout=30 # keepalive must arrive within
+ dpddelay=5 # secs before keepalives start
+ compress=no # breaks double nat installations
+ pfs=yes
+
+conn sample
+ leftca=%same
+ leftcert=my.certificate.crt
+ leftsourceip=192.168.10.1
+ leftsubnet=192.168.10.0/24
+ right=my.vpn.concentrator.net.
+ rightca=%same
+ rightid="C=??, ST=??, O=??, OU=??, CN=my.vpn.concentrator.net, E=root@concentrator.net"
+ rightsourceip=192.168.11.1
+ rightsubnet=192.168.11.0/24
+ dpdaction=hold
+ auto=start
+
diff --git a/package/strongswan/files/ipsec.config b/package/strongswan/files/ipsec.config
new file mode 100644
index 0000000..b4865e4
--- /dev/null
+++ b/package/strongswan/files/ipsec.config 
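Review bot: The drain loop `while ps auxww | grep ipsec | grep -v grep ; do sleep 1 ; done` in the released branch keys on the bare word "ipsec", so it also waits on any unrelated process whose command line happens to contain that string, and if the hotplug invocation itself carries "ipsec" in its argv (this diff does not show the install path) the loop may never end and `start` is never reached. Using the daemon path that the init script's own kill step selects is narrower: `while ps auxww | grep -v init.d | grep -q '/ipsec/' ; do sleep 1 ; done`. The guard `[ -n "$IPSEC_RESET_BUTTON" -a "$BUTTON" = "$IPSEC_RESET_BUTTON" ] || exit` relies on the deprecated `-a`; `[ -n "$IPSEC_RESET_BUTTON" ] && [ "$BUTTON" = "$IPSEC_RESET_BUTTON" ] || exit` behaves the same under POSIX sh. Note that sourcing `/etc/init.d/ipsec` here runs its top-level `config_load ipsec`, which presumably depends on the hotplug environment having the config helpers loaded; a one-line comment stating that assumption next to the `.` line would help the next reader.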
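Review bot: `conn sample` ships with `auto=start`, so a stock install appears to attempt a tunnel to the placeholder `right=my.vpn.concentrator.net.` using a `leftcert=my.certificate.crt` that is not part of this package, and the init script's warm-up loop pings every `left*=` value it finds in this file. Changing the sample to `auto=ignore` keeps the shipped config inert until the user edits it, and a comment above the section, `# sample only: replace cert, gateway and rightid, then set auto=start`, makes the intent explicit. The trailing dot in `my.vpn.concentrator.net.` looks unintentional for a sample hostname; confirm or drop it.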
@@ -0,0 +1,21 @@
+
+# Configure button/light behavior here.
+config device
+ option reset_button ses
+ option status_start ses_orange
+ option status_valid ses_white
+
+# iptables setup for traffic to/from this host
+config filter
+ option rule_in input_rule
+ option dest_in ACCEPT
+ option rule_out output_rule
+ option dest_out ACCEPT
+
+# iptables setup for traffic to/from another host
+config forward
+ option rule_in forwarding_rule
+ option dest_in forwarding_vpn_in
+ option rule_out forwarding_rule
+ option dest_out forwarding_vpn_out
+
diff --git a/package/strongswan/files/ipsec.cron b/package/strongswan/files/ipsec.cron
new file mode 100644
index 0000000..d8c7dcc
--- /dev/null
+++ b/package/strongswan/files/ipsec.cron
@@ -0,0 +1,2 @@
+#!/bin/sh
+/usr/sbin/ipsec wakeup
diff --git a/package/strongswan/files/ipsec.iface b/package/strongswan/files/ipsec.iface
new file mode 100644
index 0000000..95e0958
--- /dev/null
+++ b/package/strongswan/files/ipsec.iface
@@ -0,0 +1,8 @@
+NAME=ipsec
+CTLFILE="/var/run/pluto.ctl"
+
+[ "$ACTION" = "ifup" -a "$INTERFACE" = "wan" ] || exit
+
+[ -e "$CTLFILE" ] || exit
+
+/etc/init.d/ipsec restart
diff --git a/package/strongswan/files/ipsec.init b/package/strongswan/files/ipsec.init
new file mode 100644
index 0000000..4e8b8a2
--- /dev/null
+++ b/package/strongswan/files/ipsec.init 
@@ -0,0 +1,101 @@
+#!/bin/sh /etc/rc.common
+
+START=65
+
+config_cb() {
+ local cfg="$CONFIG_SECTION"
+ local cfgt
+ config_get cfgt "$cfg" TYPE
+
+ case "$cfgt" in
+ device)
+ config_get IPSEC_RESET_BUTTON $cfg reset_button
+ config_get IPSEC_STATUS_LED_START $cfg status_start
+ config_get IPSEC_STATUS_LED_VALID $cfg status_valid
+ ;;
+ filter)
+ config_get IPSEC_UPDOWN_RULE_IN $cfg rule_in
+ config_get IPSEC_UPDOWN_DEST_IN $cfg dest_in
+ config_get IPSEC_UPDOWN_RULE_OUT $cfg rule_out
+ config_get IPSEC_UPDOWN_DEST_OUT $cfg dest_out
+ ;;
+ forward)
+ config_get IPSEC_UPDOWN_FWD_RULE_IN $cfg rule_in
+ config_get IPSEC_UPDOWN_FWD_DEST_IN $cfg dest_in
+ config_get IPSEC_UPDOWN_FWD_RULE_OUT $cfg rule_out
+ config_get IPSEC_UPDOWN_FWD_DEST_OUT $cfg dest_out
+ ;;
+ *)
+ ;;
+ esac
+}
+
+config_load ipsec
+
+export IPSEC_RESET_BUTTON
+export IPSEC_STATUS_LED_START
+export IPSEC_STATUS_LED_VALID
+
+export IPSEC_UPDOWN_RULE_IN
+export IPSEC_UPDOWN_DEST_IN
+export IPSEC_UPDOWN_RULE_OUT
+export IPSEC_UPDOWN_DEST_OUT
+
+export IPSEC_UPDOWN_FWD_RULE_IN
+export IPSEC_UPDOWN_FWD_DEST_IN
+export IPSEC_UPDOWN_FWD_RULE_OUT
+export IPSEC_UPDOWN_FWD_DEST_OUT
+
+
+start() {
+
+ [ -f /etc/ipsec.conf ] || exit
+ [ -e /var/run/starter.pid ] && exit
+
+ /usr/sbin/ipsec _showstatus start
+
+ # stuff the dnsmasq cache in case dns is on our own subnet
+ for peer in `grep left= /etc/ipsec.conf | \
+ cut -f 1 -d% | cut -f 2 -d=` ; do
+ ping -c 1 $peer > /dev/null 2>&1
+ done
+
+ /usr/sbin/ipsec start || exit
+
+ # work around broken routing behavior:
+ # a route to the local wan segment will appear
+ # the need was removed in the patched _updown script
+
+ while ! route -n | grep -q ipsec ; do sleep 1 ; done
+
+ defint=`route -n | awk '/^0.0.0.0/{print $8}'`
+ defnet=`route -n | grep $defint | awk '!/^0.0.0.0/{print $1}'`
+ dnmask=`route -n | grep $defint | awk '!/^0.0.0.0/{print $3}'`
+ tundev=`route -n | grep $defnet | awk '/ipsec/{print $8}'`
+
+ route del -net $defnet netmask $dnmask dev $tundev
+}
+
+
+stop() {
+
+ /usr/sbin/ipsec stop 2> /dev/null
+
+ # wait until the shutdown actually happens
+ while [ -e /var/run/starter.pid ] ; do
+ if [ -d /proc/`cat /var/run/starter.pid` ] ; then
+ sleep 1
+ else
+ rm /var/run/starter.pid
+ fi
+ done
+
+ # kill any lingering processes
+ while ps auxww | grep -q ipsec | grep -v init.d; do
+ kill `ps auxww | grep -v init.d | awk '/\/ipsec\//{print $1}'` 2> /dev/null
+ sleep 1
+ done
+
+ ipsec _showstatus stop
+}
+
|
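Review bot: The lingering-process loop in stop(), `while ps auxww | grep -q ipsec | grep -v init.d; do`, never iterates: `grep -q` prints nothing, so the trailing `grep -v init.d` always exits non-zero and the kill step below it is dead code, which also leaves the button handler's wait-for-exit loop depending on processes this never reaps. Put the quiet grep last and match the same `/ipsec/` paths the awk pattern on the kill line selects: `while ps auxww | grep -v init.d | grep -q '/ipsec/' ; do`. In start(), `grep left= /etc/ipsec.conf` also matches `leftcert=`, `leftsubnet=` and similar keys, so the warm-up loop pings values that are not hosts; `grep '^[[:space:]]*left=' /etc/ipsec.conf` restricts it to the peer key. The routing workaround runs `route del -net $defnet netmask $dnmask dev $tundev` even when the `route -n` lookups yield empty strings, so a guard such as `[ -n "$defnet" ] && [ -n "$tundev" ] || return 0` before that line would make the workaround fail safe instead of issuing a malformed route command.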