
Update IKEv2 script

- Allow specifying the validity period of client certificates
This commit is contained in:
hwdsl2 2020-07-02 11:48:35 -05:00
parent 9ec99c8512
commit 012c19fed1


@ -36,7 +36,7 @@ new_client() {
certutil -z <(head -c 1024 /dev/urandom) \ certutil -z <(head -c 1024 /dev/urandom) \
-S -c "IKEv2 VPN CA" -n "$client_name" \ -S -c "IKEv2 VPN CA" -n "$client_name" \
-s "O=IKEv2 VPN,CN=$client_name" \ -s "O=IKEv2 VPN,CN=$client_name" \
-k rsa -g 4096 -v 120 \ -k rsa -g 4096 -v "$client_validity" \
-d sql:/etc/ipsec.d -t ",," \ -d sql:/etc/ipsec.d -t ",," \
--keyUsage digitalSignature,keyEncipherment \ --keyUsage digitalSignature,keyEncipherment \
--extKeyUsage serverAuth,clientAuth -8 "$client_name" >/dev/null || exit 1 --extKeyUsage serverAuth,clientAuth -8 "$client_name" >/dev/null || exit 1
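Review bot: `-v "$client_validity"` on the certutil line makes new_client depend on a global that the function itself never checks, so any path that reaches new_client without the validity prompt having run (I cannot see the callers from this hunk) would pass `-v ""` and the trailing `|| exit 1` turns certutil's complaint into an opaque exit. A guard at the top of the function, `: "${client_validity:?client_validity must be set}"`, fails loudly with the reason, or `-v "${client_validity:-120}"` keeps the previous hard-coded default as a fallback. new_client starts outside the hunk.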
@ -139,6 +139,18 @@ if grep -qs "conn ikev2-cp" /etc/ipsec.conf || [ -f /etc/ipsec.d/ikev2.conf ]; t
read -rp "Client name: " client_name read -rp "Client name: " client_name
done done
echo
echo "Specify the validity period (in months) for this VPN client certificate."
read -rp "Enter a number between 1 and 120: [120] " client_validity
[ -z "$client_validity" ] && client_validity=120
while printf '%s' "$client_validity" | LC_ALL=C grep -q '[^0-9]\+' \
|| [ "$client_validity" -lt "1" ] || [ "$client_validity" -gt "120" ] \
|| [ "$client_validity" != "$((10#$client_validity))" ]; do
echo "Invalid validity period."
read -rp "Enter a number between 1 and 120: [120] " client_validity
[ -z "$client_validity" ] && client_validity=120
done
echo echo
echo "The CA certificate was exported during initial IKEv2 setup. Required for iOS clients only." echo "The CA certificate was exported during initial IKEv2 setup. Required for iOS clients only."
printf "Do you want to export the CA certificate again? [y/N] " printf "Do you want to export the CA certificate again? [y/N] "
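Review bot: The prompt-and-validate block added here (the `echo`, the `read -rp`, the empty-value default and the `while` loop) is repeated line for line in the hunk at `@ -249,6 +261,19`, which means the accepted range, the default and the error text now have to be kept in sync in two places. Moving the eleven lines into a function such as `read_client_validity()` that sets the `client_validity` global, and calling it from both sites, would remove the duplication without changing behaviour. The validation itself looks sound: the digit check runs first so `-lt`/`-gt` never see a non-numeric value, and the `10#` comparison rejects leading zeros. Since 120 is both the default and the maximum, only users who opt in get shorter-lived certificates; if the script offers no revocation step, the prompt text might mention that a shorter period limits how long a lost client profile remains usable.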
@ -249,6 +261,19 @@ while [ "${#client_name}" -gt "64" ] || printf '%s' "$client_name" | LC_ALL=C gr
[ -z "$client_name" ] && client_name=vpnclient [ -z "$client_name" ] && client_name=vpnclient
done done
# Enter validity period
echo
echo "Specify the validity period (in months) for this VPN client certificate."
read -rp "Enter a number between 1 and 120: [120] " client_validity
[ -z "$client_validity" ] && client_validity=120
while printf '%s' "$client_validity" | LC_ALL=C grep -q '[^0-9]\+' \
|| [ "$client_validity" -lt "1" ] || [ "$client_validity" -gt "120" ] \
|| [ "$client_validity" != "$((10#$client_validity))" ]; do
echo "Invalid validity period."
read -rp "Enter a number between 1 and 120: [120] " client_validity
[ -z "$client_validity" ] && client_validity=120
done
# Check for MOBIKE support # Check for MOBIKE support
mobike_support=0 mobike_support=0
case "$swan_ver" in case "$swan_ver" in
@ -275,7 +300,7 @@ if [ "$mobike_support" = "1" ]; then
fi fi
else else
echo echo
echo "NOTE: DO NOT enable MOBIKE support, if your Docker host runs Ubuntu Linux." echo "IMPORTANT: *DO NOT* enable MOBIKE support, if your Docker host runs Ubuntu Linux."
fi fi
fi fi
@ -319,6 +344,12 @@ VPN server address: $server_addr
VPN client name: $client_name VPN client name: $client_name
EOF EOF
if [ "$client_validity" = "1" ]; then
echo "Client cert valid for: 1 month"
else
echo "Client cert valid for: $client_validity months"
fi
if [ "$mobike_support" = "1" ]; then if [ "$mobike_support" = "1" ]; then
if [ "$mobike_enable" = "1" ]; then if [ "$mobike_enable" = "1" ]; then
echo "Enable MOBIKE support: Yes" echo "Enable MOBIKE support: Yes"