
Improve upgrade scripts

- Add note for users downgrading to 3.22
- Add check for Libreswan 3.25 (not yet supported)
- Print Libreswan versions and improve message
- Cleanup
hwdsl2 2018-06-28 00:03:42 -05:00
parent 59f817575c
commit 0c151515fe
2 changed files with 98 additions and 46 deletions


@ -47,11 +47,16 @@ if [ -z "$SWAN_VER" ]; then
exiterr "Libreswan version 'SWAN_VER' not specified." exiterr "Libreswan version 'SWAN_VER' not specified."
fi fi
if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -q "Libreswan"; then if [ "$SWAN_VER" = "3.25" ]; then
exiterr "Libreswan 3.25 is not yet supported."
fi
ipsec_ver="$(/usr/local/sbin/ipsec --version 2>/dev/null)"
if ! printf '%s' "$ipsec_ver" | grep -q "Libreswan"; then
exiterr "This script requires Libreswan already installed." exiterr "This script requires Libreswan already installed."
fi fi
if /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then if printf '%s' "$ipsec_ver" | grep -qF "$SWAN_VER"; then
echo "You already have Libreswan version $SWAN_VER installed! " echo "You already have Libreswan version $SWAN_VER installed! "
echo "If you continue, the same version will be re-installed." echo "If you continue, the same version will be re-installed."
echo echo
@ -68,13 +73,23 @@ if /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then
esac esac
fi fi
is_downgrade_to_322=0
if [ "$SWAN_VER" = "3.22" ]; then
if printf '%s' "$ipsec_ver" | grep -qF -e "3.23" -e "3.25"; then
is_downgrade_to_322=1
fi
fi
clear clear
cat <<EOF cat <<EOF
Welcome! This script will build and install Libreswan $SWAN_VER on your server. Welcome! This script will build and install Libreswan $SWAN_VER on your server.
Additional packages required for Libreswan compilation will also be installed. Additional packages required for compilation will also be installed.
This is intended for use on servers running an older version of Libreswan. It is intended for upgrading servers to a newer Libreswan version.
Current version: $ipsec_ver
Version to be installed: Libreswan $SWAN_VER
EOF EOF
@ -88,26 +103,24 @@ EOF
fi fi
cat <<'EOF' cat <<'EOF'
IMPORTANT NOTES: NOTE: Libreswan versions 3.19 and newer require some configuration changes.
This script will make the following changes to your /etc/ipsec.conf:
Libreswan versions 3.19 and newer require some configuration changes. Replace this line:
This script will make the following changes to your /etc/ipsec.conf: auth=esp
with the following:
phase2=esp
Replace this line: Replace this line:
auth=esp forceencaps=yes
with the following: with the following:
phase2=esp encapsulation=yes
Replace this line: Consolidate VPN ciphers for "ike=" and "phase2alg=".
forceencaps=yes Re-add "MODP1024" to the list of allowed "ike=" ciphers,
with the following: which was removed from the defaults in Libreswan 3.19.
encapsulation=yes
Consolidate VPN ciphers for "ike=" and "phase2alg=". Your other VPN configuration files will not be modified.
Re-add "MODP1024" to the list of allowed "ike=" ciphers,
which was removed from the defaults in Libreswan 3.19.
Your other VPN configuration files will not be modified.
EOF EOF
@ -195,16 +208,29 @@ case "$SWAN_VER" in
cat <<'EOF' cat <<'EOF'
NOTE: Users upgrading to Libreswan 3.23 or newer should edit NOTE: Users upgrading to Libreswan 3.23 or newer should edit
"/etc/ipsec.conf" and replace these two lines: "/etc/ipsec.conf" and replace these two lines:
modecfgdns1=DNS_SERVER_1 modecfgdns1=DNS_SERVER_1
modecfgdns2=DNS_SERVER_2 modecfgdns2=DNS_SERVER_2
with a single line like this: with a single line like this:
modecfgdns="DNS_SERVER_1, DNS_SERVER_2" modecfgdns="DNS_SERVER_1, DNS_SERVER_2"
Then run "service ipsec restart". Then run "service ipsec restart".
EOF EOF
;; ;;
esac esac
if [ "$is_downgrade_to_322" = "1" ]; then
cat <<'EOF'
NOTE: Users downgrading to Libreswan 3.22 should edit
"/etc/ipsec.conf" and replace this line:
modecfgdns="DNS_SERVER_1, DNS_SERVER_2"
with two lines like this:
modecfgdns1=DNS_SERVER_1
modecfgdns2=DNS_SERVER_2
Then run "service ipsec restart".
EOF
fi
} }
## Defer setup until we have the complete script ## Defer setup until we have the complete script
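Review bot: The new downgrade check `grep -qF -e "3.23" -e "3.25"` in the second hunk matches those digits anywhere in `$ipsec_ver`, not only in the Libreswan version number. `$ipsec_ver` holds the whole output of `ipsec --version`, so if that output carries anything else containing "3.23" or "3.25" (a kernel release string, for example), `is_downgrade_to_322` is set wrongly and the user is told to rewrite `modecfgdns` in /etc/ipsec.conf for no reason. Assuming the output has the form "Libreswan X.Y", anchoring the pattern is enough: `grep -qF -e "Libreswan 3.23" -e "Libreswan 3.25"`. The "already installed" test `grep -qF "$SWAN_VER"` in the first hunk has the same loose match, and both checks are repeated in the second file of this commit.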


@ -38,11 +38,16 @@ if [ -z "$SWAN_VER" ]; then
exiterr "Libreswan version 'SWAN_VER' not specified." exiterr "Libreswan version 'SWAN_VER' not specified."
fi fi
if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -q "Libreswan"; then if [ "$SWAN_VER" = "3.25" ]; then
exiterr "Libreswan 3.25 is not yet supported."
fi
ipsec_ver="$(/usr/local/sbin/ipsec --version 2>/dev/null)"
if ! printf '%s' "$ipsec_ver" | grep -q "Libreswan"; then
exiterr "This script requires Libreswan already installed." exiterr "This script requires Libreswan already installed."
fi fi
if /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then if printf '%s' "$ipsec_ver" | grep -qF "$SWAN_VER"; then
echo "You already have Libreswan version $SWAN_VER installed! " echo "You already have Libreswan version $SWAN_VER installed! "
echo "If you continue, the same version will be re-installed." echo "If you continue, the same version will be re-installed."
echo echo
@ -59,13 +64,23 @@ if /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then
esac esac
fi fi
is_downgrade_to_322=0
if [ "$SWAN_VER" = "3.22" ]; then
if printf '%s' "$ipsec_ver" | grep -qF -e "3.23" -e "3.25"; then
is_downgrade_to_322=1
fi
fi
clear clear
cat <<EOF cat <<EOF
Welcome! This script will build and install Libreswan $SWAN_VER on your server. Welcome! This script will build and install Libreswan $SWAN_VER on your server.
Additional packages required for Libreswan compilation will also be installed. Additional packages required for compilation will also be installed.
This is intended for use on servers running an older version of Libreswan. It is intended for upgrading servers to a newer Libreswan version.
Current version: $ipsec_ver
Version to be installed: Libreswan $SWAN_VER
EOF EOF
@ -79,26 +94,24 @@ EOF
fi fi
cat <<'EOF' cat <<'EOF'
IMPORTANT NOTES: NOTE: Libreswan versions 3.19 and newer require some configuration changes.
This script will make the following changes to your /etc/ipsec.conf:
Libreswan versions 3.19 and newer require some configuration changes. Replace this line:
This script will make the following changes to your /etc/ipsec.conf: auth=esp
with the following:
phase2=esp
Replace this line: Replace this line:
auth=esp forceencaps=yes
with the following: with the following:
phase2=esp encapsulation=yes
Replace this line: Consolidate VPN ciphers for "ike=" and "phase2alg=".
forceencaps=yes Re-add "MODP1024" to the list of allowed "ike=" ciphers,
with the following: which was removed from the defaults in Libreswan 3.19.
encapsulation=yes
Consolidate VPN ciphers for "ike=" and "phase2alg=". Your other VPN configuration files will not be modified.
Re-add "MODP1024" to the list of allowed "ike=" ciphers,
which was removed from the defaults in Libreswan 3.19.
Your other VPN configuration files will not be modified.
EOF EOF
@ -196,16 +209,29 @@ case "$SWAN_VER" in
cat <<'EOF' cat <<'EOF'
NOTE: Users upgrading to Libreswan 3.23 or newer should edit NOTE: Users upgrading to Libreswan 3.23 or newer should edit
"/etc/ipsec.conf" and replace these two lines: "/etc/ipsec.conf" and replace these two lines:
modecfgdns1=DNS_SERVER_1 modecfgdns1=DNS_SERVER_1
modecfgdns2=DNS_SERVER_2 modecfgdns2=DNS_SERVER_2
with a single line like this: with a single line like this:
modecfgdns="DNS_SERVER_1, DNS_SERVER_2" modecfgdns="DNS_SERVER_1, DNS_SERVER_2"
Then run "service ipsec restart". Then run "service ipsec restart".
EOF EOF
;; ;;
esac esac
if [ "$is_downgrade_to_322" = "1" ]; then
cat <<'EOF'
NOTE: Users downgrading to Libreswan 3.22 should edit
"/etc/ipsec.conf" and replace this line:
modecfgdns="DNS_SERVER_1, DNS_SERVER_2"
with two lines like this:
modecfgdns1=DNS_SERVER_1
modecfgdns2=DNS_SERVER_2
Then run "service ipsec restart".
EOF
fi
} }
## Defer setup until we have the complete script ## Defer setup until we have the complete script
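Review bot: The rewritten notice in the third hunk says the script will re-add "MODP1024" to the allowed "ike=" ciphers, but it does not tell the user that this weakens the IKE key exchange. The text itself states that Libreswan removed this group from its defaults in 3.19, so putting it back is a compatibility trade-off the user should be able to opt out of knowingly. I would add one line to the heredoc, for example `MODP1024 is a weak 1024-bit DH group; remove it from "ike=" if your clients do not need it.` The same heredoc appears in the first file of this commit.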