summaryrefslogtreecommitdiff
path: root/package/strongswan/files
diff options
context:
space:
mode:
Diffstat (limited to 'package/strongswan/files')
-rw-r--r--package/strongswan/files/ipsec.button34
-rw-r--r--package/strongswan/files/ipsec.conf34
-rw-r--r--package/strongswan/files/ipsec.config21
-rw-r--r--package/strongswan/files/ipsec.cron2
-rw-r--r--package/strongswan/files/ipsec.iface8
-rw-r--r--package/strongswan/files/ipsec.init101
6 files changed, 200 insertions, 0 deletions
diff --git a/package/strongswan/files/ipsec.button b/package/strongswan/files/ipsec.button
new file mode 100644
index 0000000..9bd9023
--- /dev/null
+++ b/package/strongswan/files/ipsec.button
@@ -0,0 +1,34 @@
+#!/bin/sh
+
+# snarf the code that loads the config values
+# since we also load the functions, might as well save the shell calls
+. /etc/init.d/ipsec
+
+[ -n "$IPSEC_RESET_BUTTON" -a "$BUTTON" = "$IPSEC_RESET_BUTTON" ] || exit
+
+if [ ! -e /var/run/pluto.pid ] ; then
+
+ [ "$ACTION" = "pressed" ] && start
+
+else
+
+ if [ "$ACTION" = "pressed" ] ; then
+
+ stop
+
+ elif [ "$ACTION" = "released" ] ; then
+
+ while [ -e /var/run/pluto.pid ] ; do
+ sleep 1
+ done
+
+ while ps auxww | grep ipsec | grep -v grep ; do
+ sleep 1
+ done
+
+ start
+
+ fi
+
+fi
+
diff --git a/package/strongswan/files/ipsec.conf b/package/strongswan/files/ipsec.conf
new file mode 100644
index 0000000..8f59008
--- /dev/null
+++ b/package/strongswan/files/ipsec.conf
@@ -0,0 +1,34 @@
+
+version 2.0
+
+config setup
+ interfaces=%defaultroute
+ nat_traversal=yes # required on both ends
+ uniqueids=yes # makes sense on client, not server
+ hidetos=no
+
+conn %default
+ authby=rsasig
+ keyingtries=3
+ keyexchange=ike
+ left=%defaultroute
+ leftrsasigkey=%cert
+ rightrsasigkey=%cert
+ dpdtimeout=30 # keepalive must arrive within
+ dpddelay=5 # secs before keepalives start
+ compress=no # breaks double nat installations
+ pfs=yes
+
+conn sample
+ leftca=%same
+ leftcert=my.certificate.crt
+ leftsourceip=192.168.10.1
+ leftsubnet=192.168.10.0/24
+ right=my.vpn.concentrator.net.
+ rightca=%same
+ rightid="C=??, ST=??, O=??, OU=??, CN=my.vpn.concentrator.net, E=root@concentrator.net"
+ rightsourceip=192.168.11.1
+ rightsubnet=192.168.11.0/24
+ dpdaction=hold
+ auto=start
+
diff --git a/package/strongswan/files/ipsec.config b/package/strongswan/files/ipsec.config
new file mode 100644
index 0000000..b4865e4
--- /dev/null
+++ b/package/strongswan/files/ipsec.config
@@ -0,0 +1,21 @@
+
+# Configure button/light behavior here.
+config device
+ option reset_button ses
+ option status_start ses_orange
+ option status_valid ses_white
+
+# iptables setup for traffic to/from this host
+config filter
+ option rule_in input_rule
+ option dest_in ACCEPT
+ option rule_out output_rule
+ option dest_out ACCEPT
+
+# iptables setup for traffic to/from another host
+config forward
+ option rule_in forwarding_rule
+ option dest_in forwarding_vpn_in
+ option rule_out forwarding_rule
+ option dest_out forwarding_vpn_out
+
diff --git a/package/strongswan/files/ipsec.cron b/package/strongswan/files/ipsec.cron
new file mode 100644
index 0000000..d8c7dcc
--- /dev/null
+++ b/package/strongswan/files/ipsec.cron
@@ -0,0 +1,2 @@
+#!/bin/sh
+/usr/sbin/ipsec wakeup
diff --git a/package/strongswan/files/ipsec.iface b/package/strongswan/files/ipsec.iface
new file mode 100644
index 0000000..95e0958
--- /dev/null
+++ b/package/strongswan/files/ipsec.iface
@@ -0,0 +1,8 @@
+NAME=ipsec
+CTLFILE="/var/run/pluto.ctl"
+
+[ "$ACTION" = "ifup" -a "$INTERFACE" = "wan" ] || exit
+
+[ -e "$CTLFILE" ] || exit
+
+/etc/init.d/ipsec restart
diff --git a/package/strongswan/files/ipsec.init b/package/strongswan/files/ipsec.init
new file mode 100644
index 0000000..4e8b8a2
--- /dev/null
+++ b/package/strongswan/files/ipsec.init
@@ -0,0 +1,101 @@
+#!/bin/sh /etc/rc.common
+
+START=65
+
+config_cb() {
+ local cfg="$CONFIG_SECTION"
+ local cfgt
+ config_get cfgt "$cfg" TYPE
+
+ case "$cfgt" in
+ device)
+ config_get IPSEC_RESET_BUTTON $cfg reset_button
+ config_get IPSEC_STATUS_LED_START $cfg status_start
+ config_get IPSEC_STATUS_LED_VALID $cfg status_valid
+ ;;
+ filter)
+ config_get IPSEC_UPDOWN_RULE_IN $cfg rule_in
+ config_get IPSEC_UPDOWN_DEST_IN $cfg dest_in
+ config_get IPSEC_UPDOWN_RULE_OUT $cfg rule_out
+ config_get IPSEC_UPDOWN_DEST_OUT $cfg dest_out
+ ;;
+ forward)
+ config_get IPSEC_UPDOWN_FWD_RULE_IN $cfg rule_in
+ config_get IPSEC_UPDOWN_FWD_DEST_IN $cfg dest_in
+ config_get IPSEC_UPDOWN_FWD_RULE_OUT $cfg rule_out
+ config_get IPSEC_UPDOWN_FWD_DEST_OUT $cfg dest_out
+ ;;
+ *)
+ ;;
+ esac
+}
+
+config_load ipsec
+
+export IPSEC_RESET_BUTTON
+export IPSEC_STATUS_LED_START
+export IPSEC_STATUS_LED_VALID
+
+export IPSEC_UPDOWN_RULE_IN
+export IPSEC_UPDOWN_DEST_IN
+export IPSEC_UPDOWN_RULE_OUT
+export IPSEC_UPDOWN_DEST_OUT
+
+export IPSEC_UPDOWN_FWD_RULE_IN
+export IPSEC_UPDOWN_FWD_DEST_IN
+export IPSEC_UPDOWN_FWD_RULE_OUT
+export IPSEC_UPDOWN_FWD_DEST_OUT
+
+
+start() {
+
+ [ -f /etc/ipsec.conf ] || exit
+ [ -e /var/run/starter.pid ] && exit
+
+ /usr/sbin/ipsec _showstatus start
+
+ # stuff the dnsmasq cache in case dns is on our own subnet
+ for peer in `grep left= /etc/ipsec.conf | \
+ cut -f 1 -d% | cut -f 2 -d=` ; do
+ ping -c 1 $peer > /dev/null 2>&1
+ done
+
+ /usr/sbin/ipsec start || exit
+
+ # work around broken routing behavior:
+ # a route to the local wan segment will appear
+ # the need was removed in the patched _updown script
+
+ while ! route -n | grep -q ipsec ; do sleep 1 ; done
+
+ defint=`route -n | awk '/^0.0.0.0/{print $8}'`
+ defnet=`route -n | grep $defint | awk '!/^0.0.0.0/{print $1}'`
+ dnmask=`route -n | grep $defint | awk '!/^0.0.0.0/{print $3}'`
+ tundev=`route -n | grep $defnet | awk '/ipsec/{print $8}'`
+
+ route del -net $defnet netmask $dnmask dev $tundev
+}
+
+
+stop() {
+
+ /usr/sbin/ipsec stop 2> /dev/null
+
+ # wait until the shutdown actually happens
+ while [ -e /var/run/starter.pid ] ; do
+ if [ -d /proc/`cat /var/run/starter.pid` ] ; then
+ sleep 1
+ else
+ rm /var/run/starter.pid
+ fi
+ done
+
+ # kill any lingering processes
+ while ps auxww | grep -q ipsec | grep -v init.d; do
+ kill `ps auxww | grep -v init.d | awk '/\/ipsec\//{print $1}'` 2> /dev/null
+ sleep 1
+ done
+
+ ipsec _showstatus stop
+}
+