
Support Libreswan 3.28

- Support upgrading to new Libreswan version 3.28
- Patch applied for Debian 9/8. See:
  https://lists.libreswan.org/pipermail/swan/2019/003210.html
- Patch applied for CentOS 6. See:
  5db185497d
  and 4b93354f35
hwdsl2 2019-06-02 21:08:43 -05:00
parent b579991206
commit 1659d0336c
2 changed files with 59 additions and 18 deletions


@ -11,7 +11,7 @@
# know how you have improved it! # know how you have improved it!
# Specify which Libreswan version to install. See: https://libreswan.org # Specify which Libreswan version to install. See: https://libreswan.org
SWAN_VER=3.27 SWAN_VER=3.28
### DO NOT edit below this line ### ### DO NOT edit below this line ###
@ -44,14 +44,14 @@ if [ "$(id -u)" != 0 ]; then
fi fi
case "$SWAN_VER" in case "$SWAN_VER" in
3.19|3.2[0123567]) 3.19|3.2[01235678])
/bin/true /bin/true
;; ;;
*) *)
cat 1>&2 <<EOF cat 1>&2 <<EOF
Error: Libreswan version '$SWAN_VER' is not supported. Error: Libreswan version '$SWAN_VER' is not supported.
This script can install one of the following versions: This script can install one of the following versions:
3.19-3.23, 3.25-3.26 and 3.27 3.19-3.23, 3.25-3.27 and 3.28
EOF EOF
exit 1 exit 1
;; ;;
@ -59,7 +59,7 @@ esac
dns_state=0 dns_state=0
case "$SWAN_VER" in case "$SWAN_VER" in
3.2[3567]) 3.2[35678])
DNS_SRV1=$(grep "modecfgdns1=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2) DNS_SRV1=$(grep "modecfgdns1=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
DNS_SRV2=$(grep "modecfgdns2=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2) DNS_SRV2=$(grep "modecfgdns2=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
[ -n "$DNS_SRV1" ] && dns_state=2 [ -n "$DNS_SRV1" ] && dns_state=2
@ -128,20 +128,26 @@ cat <<'EOF'
NOTE: Libreswan versions 3.19 and newer require some configuration changes. NOTE: Libreswan versions 3.19 and newer require some configuration changes.
This script will make the following updates to your /etc/ipsec.conf: This script will make the following updates to your /etc/ipsec.conf:
1. Replace "auth=esp" with "phase2=esp" - Replace "auth=esp" with "phase2=esp"
2. Replace "forceencaps=yes" with "encapsulation=yes" - Replace "forceencaps=yes" with "encapsulation=yes"
3. Optimize VPN ciphers for "ike=" and "phase2alg=" - Optimize VPN ciphers for "ike=" and "phase2alg="
EOF EOF
if [ "$dns_state" = "1" ] || [ "$dns_state" = "2" ]; then if [ "$dns_state" = "1" ] || [ "$dns_state" = "2" ]; then
cat <<'EOF' cat <<'EOF'
4. Replace "modecfgdns1" and "modecfgdns2" with "modecfgdns" - Replace "modecfgdns1" and "modecfgdns2" with "modecfgdns"
EOF EOF
fi fi
if [ "$dns_state" = "3" ] || [ "$dns_state" = "4" ]; then if [ "$dns_state" = "3" ] || [ "$dns_state" = "4" ]; then
cat <<'EOF' cat <<'EOF'
4. Replace "modecfgdns" with "modecfgdns1" and "modecfgdns2" - Replace "modecfgdns" with "modecfgdns1" and "modecfgdns2"
EOF
fi
if [ "$SWAN_VER" = "3.28" ]; then
cat <<'EOF'
- Move "ikev2=never" to section "conn shared"
EOF EOF
fi fi
@ -193,10 +199,22 @@ cd "libreswan-$SWAN_VER" || exit 1
[ "$SWAN_VER" = "3.23" ] || [ "$SWAN_VER" = "3.25" ] && sed -i '/docker-targets\.mk/d' Makefile [ "$SWAN_VER" = "3.23" ] || [ "$SWAN_VER" = "3.25" ] && sed -i '/docker-targets\.mk/d' Makefile
[ "$SWAN_VER" = "3.26" ] && sed -i 's/-lfreebl //' mk/config.mk [ "$SWAN_VER" = "3.26" ] && sed -i 's/-lfreebl //' mk/config.mk
[ "$SWAN_VER" = "3.26" ] && sed -i '/blapi\.h/d' programs/pluto/keys.c [ "$SWAN_VER" = "3.26" ] && sed -i '/blapi\.h/d' programs/pluto/keys.c
if [ "$SWAN_VER" = "3.28" ]; then
if ! printf '%s' "$os_type" | head -n 1 | grep -qiF ubuntu; then
apt-get -yq install patch || exiterr2
patch_url1="https://raw.githubusercontent.com/libreswan/libreswan/37c4736005462084c5d7bc698e13f26fc73a9a4f/programs/barf/barf.in"
patch_url2="https://github.com/libreswan/libreswan/commit/716f4b712724c6698469563e531dea3667507ceb.patch"
wget -t 3 -T 30 -nv -O programs/barf/barf.in "$patch_url1" || exit 1
wget -t 3 -T 30 -nv -O xfrm.patch "$patch_url2" || exit 1
patch -p1 < xfrm.patch || exit 1
fi
fi
cat > Makefile.inc.local <<'EOF' cat > Makefile.inc.local <<'EOF'
WERROR_CFLAGS = WERROR_CFLAGS =
USE_DNSSEC = false USE_DNSSEC = false
USE_DH31 = false USE_DH31 = false
USE_NSS_AVA_COPY=true
USE_NSS_IPSEC_PROFILE=false
USE_GLIBC_KERN_FLIP_HEADERS = true USE_GLIBC_KERN_FLIP_HEADERS = true
EOF EOF
if [ "$(packaging/utils/lswan_detect.sh init)" = "systemd" ]; then if [ "$(packaging/utils/lswan_detect.sh init)" = "systemd" ]; then
@ -239,6 +257,11 @@ elif [ "$dns_state" = "4" ]; then
sed -i "s/modecfgdns=.*/modecfgdns1=$DNS_SRV1/" /etc/ipsec.conf sed -i "s/modecfgdns=.*/modecfgdns1=$DNS_SRV1/" /etc/ipsec.conf
fi fi
if [ "$SWAN_VER" = "3.28" ]; then
sed -i "/ikev2=never/d" /etc/ipsec.conf
sed -i "/dpdaction=clear/a \ ikev2=never" /etc/ipsec.conf
fi
# Restart IPsec service # Restart IPsec service
mkdir -p /run/pluto mkdir -p /run/pluto
service ipsec restart service ipsec restart
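Review bot: The two files fetched in the new 3.28 branch (`programs/barf/barf.in` and `xfrm.patch`) are used without any integrity check: wget writes one directly over a source-tree file and the other goes straight into `patch -p1`, and the patched tree is then built and installed by a script that runs as root. Both URLs are pinned to commit hashes, which limits what can change, but trust still rests entirely on the TLS connection and the hosting service at the moment the script runs. I would record a SHA-256 for each file in the script and verify it before use, for example `printf '%s  %s\n' "<EXPECTED_SHA256_OF_XFRM_PATCH>" xfrm.patch | sha256sum -c - || exit 1` (the digest shown is a placeholder, to be filled in from a reviewed copy). barf.in should be downloaded to a temporary name and moved into place only after its check passes, so that a bad download never replaces the original file.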


@ -11,7 +11,7 @@
# know how you have improved it! # know how you have improved it!
# Specify which Libreswan version to install. See: https://libreswan.org # Specify which Libreswan version to install. See: https://libreswan.org
SWAN_VER=3.27 SWAN_VER=3.28
### DO NOT edit below this line ### ### DO NOT edit below this line ###
@ -35,14 +35,14 @@ if [ "$(id -u)" != 0 ]; then
fi fi
case "$SWAN_VER" in case "$SWAN_VER" in
3.19|3.2[0123567]) 3.19|3.2[01235678])
/bin/true /bin/true
;; ;;
*) *)
cat 1>&2 <<EOF cat 1>&2 <<EOF
Error: Libreswan version '$SWAN_VER' is not supported. Error: Libreswan version '$SWAN_VER' is not supported.
This script can install one of the following versions: This script can install one of the following versions:
3.19-3.23, 3.25-3.26 and 3.27 3.19-3.23, 3.25-3.27 and 3.28
EOF EOF
exit 1 exit 1
;; ;;
@ -50,7 +50,7 @@ esac
dns_state=0 dns_state=0
case "$SWAN_VER" in case "$SWAN_VER" in
3.2[3567]) 3.2[35678])
DNS_SRV1=$(grep "modecfgdns1=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2) DNS_SRV1=$(grep "modecfgdns1=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
DNS_SRV2=$(grep "modecfgdns2=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2) DNS_SRV2=$(grep "modecfgdns2=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
[ -n "$DNS_SRV1" ] && dns_state=2 [ -n "$DNS_SRV1" ] && dns_state=2
@ -119,20 +119,26 @@ cat <<'EOF'
NOTE: Libreswan versions 3.19 and newer require some configuration changes. NOTE: Libreswan versions 3.19 and newer require some configuration changes.
This script will make the following updates to your /etc/ipsec.conf: This script will make the following updates to your /etc/ipsec.conf:
1. Replace "auth=esp" with "phase2=esp" - Replace "auth=esp" with "phase2=esp"
2. Replace "forceencaps=yes" with "encapsulation=yes" - Replace "forceencaps=yes" with "encapsulation=yes"
3. Optimize VPN ciphers for "ike=" and "phase2alg=" - Optimize VPN ciphers for "ike=" and "phase2alg="
EOF EOF
if [ "$dns_state" = "1" ] || [ "$dns_state" = "2" ]; then if [ "$dns_state" = "1" ] || [ "$dns_state" = "2" ]; then
cat <<'EOF' cat <<'EOF'
4. Replace "modecfgdns1" and "modecfgdns2" with "modecfgdns" - Replace "modecfgdns1" and "modecfgdns2" with "modecfgdns"
EOF EOF
fi fi
if [ "$dns_state" = "3" ] || [ "$dns_state" = "4" ]; then if [ "$dns_state" = "3" ] || [ "$dns_state" = "4" ]; then
cat <<'EOF' cat <<'EOF'
4. Replace "modecfgdns" with "modecfgdns1" and "modecfgdns2" - Replace "modecfgdns" with "modecfgdns1" and "modecfgdns2"
EOF
fi
if [ "$SWAN_VER" = "3.28" ]; then
cat <<'EOF'
- Move "ikev2=never" to section "conn shared"
EOF EOF
fi fi
@ -193,10 +199,17 @@ cd "libreswan-$SWAN_VER" || exit 1
[ "$SWAN_VER" = "3.23" ] || [ "$SWAN_VER" = "3.25" ] && sed -i '/docker-targets\.mk/d' Makefile [ "$SWAN_VER" = "3.23" ] || [ "$SWAN_VER" = "3.25" ] && sed -i '/docker-targets\.mk/d' Makefile
[ "$SWAN_VER" = "3.26" ] && sed -i 's/-lfreebl //' mk/config.mk [ "$SWAN_VER" = "3.26" ] && sed -i 's/-lfreebl //' mk/config.mk
[ "$SWAN_VER" = "3.26" ] && sed -i '/blapi\.h/d' programs/pluto/keys.c [ "$SWAN_VER" = "3.26" ] && sed -i '/blapi\.h/d' programs/pluto/keys.c
if [ "$SWAN_VER" = "3.28" ]; then
if grep -qs "release 6" /etc/redhat-release; then
sed -i '28iLDFLAGS += -lrt' testing/timecheck/Makefile
fi
fi
cat > Makefile.inc.local <<'EOF' cat > Makefile.inc.local <<'EOF'
WERROR_CFLAGS = WERROR_CFLAGS =
USE_DNSSEC = false USE_DNSSEC = false
USE_DH31 = false USE_DH31 = false
USE_NSS_AVA_COPY=true
USE_NSS_IPSEC_PROFILE=false
USE_GLIBC_KERN_FLIP_HEADERS = true USE_GLIBC_KERN_FLIP_HEADERS = true
EOF EOF
NPROCS=$(grep -c ^processor /proc/cpuinfo) NPROCS=$(grep -c ^processor /proc/cpuinfo)
@ -237,6 +250,11 @@ elif [ "$dns_state" = "4" ]; then
sed -i "s/modecfgdns=.*/modecfgdns1=$DNS_SRV1/" /etc/ipsec.conf sed -i "s/modecfgdns=.*/modecfgdns1=$DNS_SRV1/" /etc/ipsec.conf
fi fi
if [ "$SWAN_VER" = "3.28" ]; then
sed -i "/ikev2=never/d" /etc/ipsec.conf
sed -i "/dpdaction=clear/a \ ikev2=never" /etc/ipsec.conf
fi
# Restart IPsec service # Restart IPsec service
mkdir -p /run/pluto mkdir -p /run/pluto
service ipsec restart service ipsec restart
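Review bot: The last hunk can silently drop `ikev2=never` from /etc/ipsec.conf, because the first sed deletes every line containing that string while the second re-adds it only after lines matching `dpdaction=clear`. On a customised config that lacks that line, the setting disappears and the IKE version policy changes without any message to the administrator. I would make the move conditional on the anchor being present, e.g. `if [ "$SWAN_VER" = "3.28" ] && grep -qs "dpdaction=clear" /etc/ipsec.conf; then`, and print a warning to stderr otherwise. The anchor also matches in every section that contains `dpdaction=clear`, not only "conn shared", which is presumably fine for the stock config but worth a comment. The same two sed lines appear in the last hunk of the first file, and whether /etc/ipsec.conf is backed up beforehand is not visible in these hunks.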