mirror/setup-ipsec-vpn
1
0
Fork 0
mirror of synced 2024-11-29 16:16:03 +03:00
Code Issues Projects Releases Wiki Activity

Update IKEv2 script

Browse Source 
- Add a command-line option to remove IKEv2
- Change the error to a warning when option '--auto' is specified after
  IKEv2 setup
- Other minor improvements
This commit is contained in:
hwdsl2 2021-01-25 22:05:06 -06:00
parent 8c286df143
commit 08d0ca372e
1 changed files with 39 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

41
extras/ikev2setup.sh
View File

@ -129,6 +129,7 @@ Options:
--addclient [client name] add a new IKEv2 client using default options (after IKEv2 setup) --addclient [client name] add a new IKEv2 client using default options (after IKEv2 setup)
--exportclient [client name] export an existing IKEv2 client using default options (after IKEv2 setup) --exportclient [client name] export an existing IKEv2 client using default options (after IKEv2 setup)
--listclients list the names of existing IKEv2 clients (after IKEv2 setup) --listclients list the names of existing IKEv2 clients (after IKEv2 setup)
--removeikev2 remove IKEv2 and delete all certificates and keys from the IPsec database
-h, --help show this help message and exit -h, --help show this help message and exit
To customize IKEv2 or client options, run this script without arguments. To customize IKEv2 or client options, run this script without arguments.
@ -139,7 +140,9 @@ EOF
check_arguments() { check_arguments() {
if [ "$use_defaults" = "1" ]; then if [ "$use_defaults" = "1" ]; then
if grep -qs "conn ikev2-cp" /etc/ipsec.conf || [ -f /etc/ipsec.d/ikev2.conf ]; then if grep -qs "conn ikev2-cp" /etc/ipsec.conf || [ -f /etc/ipsec.d/ikev2.conf ]; then
show_usage "Invalid parameter. '--auto' can only be specified for initial IKEv2 setup." echo "Warning: Ignoring parameter '--auto', which is valid for initial IKEv2 setup only." >&2
echo " Use '-h' for usage information." >&2
echo >&2
fi fi
fi fi
if [ "$((add_client_using_defaults + export_client_using_defaults + list_clients))" -gt 1 ]; then if [ "$((add_client_using_defaults + export_client_using_defaults + list_clients))" -gt 1 ]; then
@ -175,6 +178,14 @@ check_arguments() {
exiterr "You must first set up IKEv2 before listing clients." exiterr "You must first set up IKEv2 before listing clients."
fi fi
fi fi
if [ "$remove_ikev2" = "1" ]; then
if ! grep -qs "conn ikev2-cp" /etc/ipsec.conf && [ ! -f /etc/ipsec.d/ikev2.conf ]; then
exiterr "Cannot remove IKEv2 because it has not been set up on this server."
fi
if [ "$((add_client_using_defaults + export_client_using_defaults + list_clients + use_defaults))" -gt 0 ]; then
show_usage "Invalid parameters. '--removeikev2' cannot be specified with other parameters."
fi
fi
} }
check_ca_cert_exists() { check_ca_cert_exists() {
@ -1057,8 +1068,8 @@ EOF
check_ipsec_conf() { check_ipsec_conf() {
if grep -qs "conn ikev2-cp" /etc/ipsec.conf; then if grep -qs "conn ikev2-cp" /etc/ipsec.conf; then
echo "Error: IKEv2 configuration section found in /etc/ipsec.conf." >&2 echo "Error: IKEv2 configuration section found in /etc/ipsec.conf." >&2
echo "This script cannot automatically remove IKEv2 from this server." >&2 echo " This script cannot automatically remove IKEv2 from this server." >&2
echo "To manually remove IKEv2, see https://git.io/ikev2" >&2 echo " To manually remove IKEv2, see https://git.io/ikev2" >&2
echo "Abort. No changes were made." >&2 echo "Abort. No changes were made." >&2
exit 1 exit 1
fi fi
@ -1066,9 +1077,10 @@ check_ipsec_conf() {
confirm_remove_ikev2() { confirm_remove_ikev2() {
echo echo
echo "This option will remove IKEv2 from the VPN server, but keep the IPsec/L2TP" echo "WARNING: This option will remove IKEv2 from this VPN server, but keep the IPsec/L2TP"
echo "and IPsec/XAuth (\"Cisco IPsec\") modes. All IKEv2 configuration including" echo " and IPsec/XAuth (\"Cisco IPsec\") modes. All IKEv2 configuration including"
echo "certificates will be permanently deleted. This *cannot be undone*!" echo " certificates and keys will be permanently deleted."
echo " This *cannot be undone*! "
echo echo
printf "Are you sure you want to remove IKEv2? [y/N] " printf "Are you sure you want to remove IKEv2? [y/N] "
read -r response read -r response
@ -1089,7 +1101,7 @@ delete_ikev2_conf() {
} }
delete_certificates() { delete_certificates() {
bigecho "Deleting certificates from the IPsec database..." bigecho "Deleting certificates and keys from the IPsec database..."
certutil -L -d sql:/etc/ipsec.d | grep -v -e '^$' -e 'IKEv2 VPN CA' | tail -n +3 | cut -f1 -d ' ' | while read -r line; do certutil -L -d sql:/etc/ipsec.d | grep -v -e '^$' -e 'IKEv2 VPN CA' | tail -n +3 | cut -f1 -d ' ' | while read -r line; do
certutil -F -d sql:/etc/ipsec.d -n "$line" certutil -F -d sql:/etc/ipsec.d -n "$line"
certutil -D -d sql:/etc/ipsec.d -n "$line" 2>/dev/null certutil -D -d sql:/etc/ipsec.d -n "$line" 2>/dev/null
@ -1113,6 +1125,7 @@ ikev2setup() {
add_client_using_defaults=0 add_client_using_defaults=0
export_client_using_defaults=0 export_client_using_defaults=0
list_clients=0 list_clients=0
remove_ikev2=0
while [ "$#" -gt 0 ]; do while [ "$#" -gt 0 ]; do
case $1 in case $1 in
--auto) --auto)
@ -1135,6 +1148,10 @@ ikev2setup() {
list_clients=1 list_clients=1
shift shift
;; ;;
--removeikev2)
remove_ikev2=1
shift
;;
-h|--help) -h|--help)
show_usage show_usage
;; ;;
@ -1177,6 +1194,16 @@ ikev2setup() {
exit 0 exit 0
fi fi
if [ "$remove_ikev2" = "1" ]; then
check_ipsec_conf
confirm_remove_ikev2
delete_ikev2_conf
restart_ipsec_service
delete_certificates
print_ikev2_removed_message
exit 0
fi
if grep -qs "conn ikev2-cp" /etc/ipsec.conf || [ -f /etc/ipsec.d/ikev2.conf ]; then if grep -qs "conn ikev2-cp" /etc/ipsec.conf || [ -f /etc/ipsec.d/ikev2.conf ]; then
select_menu_option select_menu_option
case $selected_option in case $selected_option in