New Libreswan version

- Use new Libreswan version 4.3
- Support updating to Libreswan 4.3
- Other small improvements
- Update tests

.github/workflows/main.yml

@@ -322,6 +322,32 @@ jobs:
           ipsec status | grep -q xauth-psk
           ipsec status | grep -q ikev2-cp
 
+          if [ "$1" = "centos" ] || [ "$1" = "amazon" ]; then
+            sed -i '/pluto/d' /var/log/secure
+            pkill -HUP rsyslog
+          else
+            sed -i '/pluto/d' /var/log/auth.log
+            pkill -HUP rsyslog
+          fi
+
+          sed -i 's/^SWAN_VER=.*/SWAN_VER=4.3/' vpnupgrade.sh
+          sh vpnupgrade.sh <<ANSWERS
+          y
+          ANSWERS
+
+          if [ "$1" = "centos" ] || [ "$1" = "amazon" ]; then
+            systemctl restart ipsec
+            sleep 10
+            grep pluto /var/log/secure
+          else
+            sleep 10
+            grep pluto /var/log/auth.log
+          fi
+          ipsec status
+          ipsec status | grep -q l2tp-psk
+          ipsec status | grep -q xauth-psk
+          ipsec status | grep -q ikev2-cp
+
           bash ikev2.sh --removeikev2 <<ANSWERS
           y
           ANSWERS
@@ -589,6 +615,21 @@ jobs:
           ipsec status | grep -q xauth-psk
           ipsec status | grep -q ikev2-cp
 
+          sed -i '/pluto/d' /var/log/auth.log
+          pkill -HUP rsyslog
+
+          sed -i 's/^SWAN_VER=.*/SWAN_VER=4.3/' vpnupgrade.sh
+          sh vpnupgrade.sh <<ANSWERS
+          y
+          ANSWERS
+
+          sleep 10
+          grep pluto /var/log/auth.log
+          ipsec status
+          ipsec status | grep -q l2tp-psk
+          ipsec status | grep -q xauth-psk
+          ipsec status | grep -q ikev2-cp
+
           bash ikev2.sh --removeikev2 <<ANSWERS
           y
           ANSWERS

extras/ikev2setup.sh

@@ -73,7 +73,7 @@ check_os_type() {
 
 check_swan_install() {
   ipsec_ver=$(/usr/local/sbin/ipsec --version 2>/dev/null)
-  swan_ver=$(printf '%s' "$ipsec_ver" | sed -e 's/Linux //' -e 's/Libreswan //' -e 's/ (netkey).*//')
+  swan_ver=$(printf '%s' "$ipsec_ver" | sed -e 's/Linux Libreswan //' -e 's/ (netkey).*//' -e 's/^U//' -e 's/\/K.*//')
   if ( ! grep -qs "hwdsl2 VPN script" /etc/sysctl.conf && ! grep -qs "hwdsl2" /opt/src/run.sh ) \
     || ! printf '%s' "$ipsec_ver" | grep -q "Libreswan" \
     || [ ! -f /etc/ppp/chap-secrets ] || [ ! -f /etc/ipsec.d/passwd ]; then

extras/vpnupgrade.sh

@@ -14,7 +14,7 @@
 # know how you have improved it!
 
 # Specify which Libreswan version to install. See: https://libreswan.org
-SWAN_VER=4.2
+SWAN_VER=4.3
 
 ### DO NOT edit below this line ###
 
@@ -60,22 +60,21 @@ if [ "$(id -u)" != 0 ]; then
 fi
 
 case $SWAN_VER in
-  3.32|4.[12])
-    /bin/true
+  3.32|4.[123])
+    true
     ;;
   *)
 cat 1>&2 <<EOF
 Error: Libreswan version '$SWAN_VER' is not supported.
        This script can install one of these versions:
-       3.32, 4.1 or 4.2
+       3.32, 4.1, 4.2 or 4.3
 EOF
     exit 1
     ;;
 esac
 
 ipsec_ver=$(/usr/local/sbin/ipsec --version 2>/dev/null)
-ipsec_ver_short=$(printf '%s' "$ipsec_ver" | sed -e 's/Linux Libreswan/Libreswan/' -e 's/ (netkey).*//')
-swan_ver_old=$(printf '%s' "$ipsec_ver_short" | sed -e 's/Libreswan //')
+swan_ver_old=$(printf '%s' "$ipsec_ver" | sed -e 's/Linux Libreswan //' -e 's/ (netkey).*//' -e 's/^U//' -e 's/\/K.*//')
 if ! printf '%s' "$ipsec_ver" | grep -q "Libreswan"; then
 cat 1>&2 <<'EOF'
 Error: This script requires Libreswan already installed.
@@ -84,7 +83,7 @@ EOF
   exit 1
 fi
 
-swan_ver_cur=4.2
+swan_ver_cur=4.3
 swan_ver_url="https://dl.ls20.com/v1/$os_type/$os_ver/swanverupg?arch=$os_arch&ver1=$swan_ver_old&ver2=$SWAN_VER"
 swan_ver_latest=$(wget -t 3 -T 15 -qO- "$swan_ver_url")
 if printf '%s' "$swan_ver_latest" | grep -Eq '^([3-9]|[1-9][0-9])\.([0-9]|[1-9][0-9])$' \
@@ -132,7 +131,7 @@ Welcome! This script will build and install Libreswan on your server.
 Additional packages required for compilation will also be installed.
 It is intended for upgrading servers to a newer Libreswan version.
 
-Current version:    $ipsec_ver_short
+Current version:    Libreswan $swan_ver_old
 Version to install: Libreswan $SWAN_VER
 
 EOF
@@ -145,7 +144,7 @@ Note: This script will make the following changes to your VPN configuration:
 
 EOF
 
-if [ "$SWAN_VER" != "4.2" ]; then
+if [ "$SWAN_VER" != "4.3" ]; then
 cat <<'EOF'
 WARNING: Older versions of Libreswan could contain known security vulnerabilities.
          See https://libreswan.org/security/ for more information.

extras/vpnupgrade_amzn.sh

@@ -14,7 +14,7 @@
 # know how you have improved it!
 
 # Specify which Libreswan version to install. See: https://libreswan.org
-SWAN_VER=4.2
+SWAN_VER=4.3
 
 ### DO NOT edit below this line ###
 
@@ -39,22 +39,21 @@ if [ "$(id -u)" != 0 ]; then
 fi
 
 case $SWAN_VER in
-  3.32|4.[12])
-    /bin/true
+  3.32|4.[123])
+    true
     ;;
   *)
 cat 1>&2 <<EOF
 Error: Libreswan version '$SWAN_VER' is not supported.
        This script can install one of these versions:
-       3.32, 4.1 or 4.2
+       3.32, 4.1, 4.2 or 4.3
 EOF
     exit 1
     ;;
 esac
 
 ipsec_ver=$(/usr/local/sbin/ipsec --version 2>/dev/null)
-ipsec_ver_short=$(printf '%s' "$ipsec_ver" | sed -e 's/Linux Libreswan/Libreswan/' -e 's/ (netkey).*//')
-swan_ver_old=$(printf '%s' "$ipsec_ver_short" | sed -e 's/Libreswan //')
+swan_ver_old=$(printf '%s' "$ipsec_ver" | sed -e 's/Linux Libreswan //' -e 's/ (netkey).*//' -e 's/^U//' -e 's/\/K.*//')
 if ! printf '%s' "$ipsec_ver" | grep -q "Libreswan"; then
 cat 1>&2 <<'EOF'
 Error: This script requires Libreswan already installed.
@@ -63,7 +62,7 @@ EOF
   exit 1
 fi
 
-swan_ver_cur=4.2
+swan_ver_cur=4.3
 swan_ver_url="https://dl.ls20.com/v1/amzn/2/swanverupg?arch=$os_arch&ver1=$swan_ver_old&ver2=$SWAN_VER"
 swan_ver_latest=$(wget -t 3 -T 15 -qO- "$swan_ver_url")
 if printf '%s' "$swan_ver_latest" | grep -Eq '^([3-9]|[1-9][0-9])\.([0-9]|[1-9][0-9])$' \
@@ -111,7 +110,7 @@ Welcome! This script will build and install Libreswan on your server.
 Additional packages required for compilation will also be installed.
 It is intended for upgrading servers to a newer Libreswan version.
 
-Current version:    $ipsec_ver_short
+Current version:    Libreswan $swan_ver_old
 Version to install: Libreswan $SWAN_VER
 
 EOF
@@ -124,7 +123,7 @@ Note: This script will make the following changes to your VPN configuration:
 
 EOF
 
-if [ "$SWAN_VER" != "4.2" ]; then
+if [ "$SWAN_VER" != "4.3" ]; then
 cat <<'EOF'
 WARNING: Older versions of Libreswan could contain known security vulnerabilities.
          See https://libreswan.org/security/ for more information.

extras/vpnupgrade_centos.sh

@@ -14,7 +14,7 @@
 # know how you have improved it!
 
 # Specify which Libreswan version to install. See: https://libreswan.org
-SWAN_VER=4.2
+SWAN_VER=4.3
 
 ### DO NOT edit below this line ###
 
@@ -51,22 +51,21 @@ if [ "$(id -u)" != 0 ]; then
 fi
 
 case $SWAN_VER in
-  3.32|4.[12])
-    /bin/true
+  3.32|4.[123])
+    true
     ;;
   *)
 cat 1>&2 <<EOF
 Error: Libreswan version '$SWAN_VER' is not supported.
        This script can install one of these versions:
-       3.32, 4.1 or 4.2
+       3.32, 4.1, 4.2 or 4.3
 EOF
     exit 1
     ;;
 esac
 
 ipsec_ver=$(/usr/local/sbin/ipsec --version 2>/dev/null)
-ipsec_ver_short=$(printf '%s' "$ipsec_ver" | sed -e 's/Linux Libreswan/Libreswan/' -e 's/ (netkey).*//')
-swan_ver_old=$(printf '%s' "$ipsec_ver_short" | sed -e 's/Libreswan //')
+swan_ver_old=$(printf '%s' "$ipsec_ver" | sed -e 's/Linux Libreswan //' -e 's/ (netkey).*//' -e 's/^U//' -e 's/\/K.*//')
 if ! printf '%s' "$ipsec_ver" | grep -q "Libreswan"; then
 cat 1>&2 <<'EOF'
 Error: This script requires Libreswan already installed.
@@ -75,7 +74,7 @@ EOF
   exit 1
 fi
 
-swan_ver_cur=4.2
+swan_ver_cur=4.3
 swan_ver_url="https://dl.ls20.com/v1/$os_type/$os_ver/swanverupg?arch=$os_arch&ver1=$swan_ver_old&ver2=$SWAN_VER"
 swan_ver_latest=$(wget -t 3 -T 15 -qO- "$swan_ver_url")
 if printf '%s' "$swan_ver_latest" | grep -Eq '^([3-9]|[1-9][0-9])\.([0-9]|[1-9][0-9])$' \
@@ -123,7 +122,7 @@ Welcome! This script will build and install Libreswan on your server.
 Additional packages required for compilation will also be installed.
 It is intended for upgrading servers to a newer Libreswan version.
 
-Current version:    $ipsec_ver_short
+Current version:    Libreswan $swan_ver_old
 Version to install: Libreswan $SWAN_VER
 
 EOF
@@ -136,7 +135,7 @@ Note: This script will make the following changes to your VPN configuration:
 
 EOF
 
-if [ "$SWAN_VER" != "4.2" ]; then
+if [ "$SWAN_VER" != "4.3" ]; then
 cat <<'EOF'
 WARNING: Older versions of Libreswan could contain known security vulnerabilities.
          See https://libreswan.org/security/ for more information.

vpnsetup.sh

@@ -197,7 +197,7 @@ bigecho "Installing Fail2Ban to protect SSH..."
 
 bigecho "Downloading Libreswan..."
 
-SWAN_VER=4.2
+SWAN_VER=4.3
 swan_file="libreswan-$SWAN_VER.tar.gz"
 swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz"
 swan_url2="https://download.libreswan.org/$swan_file"
@@ -519,7 +519,7 @@ service xl2tpd restart 2>/dev/null
 swan_ver_url="https://dl.ls20.com/v1/$os_type/$os_ver/swanver?arch=$os_arch&ver=$SWAN_VER"
 swan_ver_latest=$(wget -t 3 -T 15 -qO- "$swan_ver_url")
 if printf '%s' "$swan_ver_latest" | grep -Eq '^([3-9]|[1-9][0-9])\.([0-9]|[1-9][0-9])$' \
-  && [ "$SWAN_VER" != "$swan_ver_latest" ] \
+  && [ -n "$SWAN_VER" ] && [ "$SWAN_VER" != "$swan_ver_latest" ] \
   && printf '%s\n%s' "$SWAN_VER" "$swan_ver_latest" | sort -C -V; then
 cat <<EOF
 

vpnsetup_amzn.sh

@@ -161,7 +161,7 @@ bigecho "Installing Fail2Ban to protect SSH..."
 
 bigecho "Downloading Libreswan..."
 
-SWAN_VER=4.2
+SWAN_VER=4.3
 swan_file="libreswan-$SWAN_VER.tar.gz"
 swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz"
 swan_url2="https://download.libreswan.org/$swan_file"
@@ -443,7 +443,7 @@ service xl2tpd restart 2>/dev/null
 swan_ver_url="https://dl.ls20.com/v1/amzn/2/swanver?arch=$os_arch&ver=$SWAN_VER"
 swan_ver_latest=$(wget -t 3 -T 15 -qO- "$swan_ver_url")
 if printf '%s' "$swan_ver_latest" | grep -Eq '^([3-9]|[1-9][0-9])\.([0-9]|[1-9][0-9])$' \
-  && [ "$SWAN_VER" != "$swan_ver_latest" ] \
+  && [ -n "$SWAN_VER" ] && [ "$SWAN_VER" != "$swan_ver_latest" ] \
   && printf '%s\n%s' "$SWAN_VER" "$swan_ver_latest" | sort -C -V; then
 cat <<EOF
 

vpnsetup_centos.sh

@@ -209,7 +209,7 @@ bigecho "Installing Fail2Ban to protect SSH..."
 
 bigecho "Downloading Libreswan..."
 
-SWAN_VER=4.2
+SWAN_VER=4.3
 swan_file="libreswan-$SWAN_VER.tar.gz"
 swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz"
 swan_url2="https://download.libreswan.org/$swan_file"
@@ -528,7 +528,7 @@ service xl2tpd restart 2>/dev/null
 swan_ver_url="https://dl.ls20.com/v1/$os_type/$os_ver/swanver?arch=$os_arch&ver=$SWAN_VER"
 swan_ver_latest=$(wget -t 3 -T 15 -qO- "$swan_ver_url")
 if printf '%s' "$swan_ver_latest" | grep -Eq '^([3-9]|[1-9][0-9])\.([0-9]|[1-9][0-9])$' \
-  && [ "$SWAN_VER" != "$swan_ver_latest" ] \
+  && [ -n "$SWAN_VER" ] && [ "$SWAN_VER" != "$swan_ver_latest" ] \
   && printf '%s\n%s' "$SWAN_VER" "$swan_ver_latest" | sort -C -V; then
 cat <<EOF