1
0
mirror of synced 2024-11-28 23:56:04 +03:00

New Libreswan version

- Use new Libreswan version 4.3
- Support updating to Libreswan 4.3
- Other small improvements
- Update tests
This commit is contained in:
hwdsl2 2021-02-21 23:54:37 -06:00
parent 78a9f608e5
commit 1972501725
8 changed files with 72 additions and 34 deletions

View File

@ -322,6 +322,32 @@ jobs:
ipsec status | grep -q xauth-psk ipsec status | grep -q xauth-psk
ipsec status | grep -q ikev2-cp ipsec status | grep -q ikev2-cp
if [ "$1" = "centos" ] || [ "$1" = "amazon" ]; then
sed -i '/pluto/d' /var/log/secure
pkill -HUP rsyslog
else
sed -i '/pluto/d' /var/log/auth.log
pkill -HUP rsyslog
fi
sed -i 's/^SWAN_VER=.*/SWAN_VER=4.3/' vpnupgrade.sh
sh vpnupgrade.sh <<ANSWERS
y
ANSWERS
if [ "$1" = "centos" ] || [ "$1" = "amazon" ]; then
systemctl restart ipsec
sleep 10
grep pluto /var/log/secure
else
sleep 10
grep pluto /var/log/auth.log
fi
ipsec status
ipsec status | grep -q l2tp-psk
ipsec status | grep -q xauth-psk
ipsec status | grep -q ikev2-cp
bash ikev2.sh --removeikev2 <<ANSWERS bash ikev2.sh --removeikev2 <<ANSWERS
y y
ANSWERS ANSWERS
@ -589,6 +615,21 @@ jobs:
ipsec status | grep -q xauth-psk ipsec status | grep -q xauth-psk
ipsec status | grep -q ikev2-cp ipsec status | grep -q ikev2-cp
sed -i '/pluto/d' /var/log/auth.log
pkill -HUP rsyslog
sed -i 's/^SWAN_VER=.*/SWAN_VER=4.3/' vpnupgrade.sh
sh vpnupgrade.sh <<ANSWERS
y
ANSWERS
sleep 10
grep pluto /var/log/auth.log
ipsec status
ipsec status | grep -q l2tp-psk
ipsec status | grep -q xauth-psk
ipsec status | grep -q ikev2-cp
bash ikev2.sh --removeikev2 <<ANSWERS bash ikev2.sh --removeikev2 <<ANSWERS
y y
ANSWERS ANSWERS

View File

@ -73,7 +73,7 @@ check_os_type() {
check_swan_install() { check_swan_install() {
ipsec_ver=$(/usr/local/sbin/ipsec --version 2>/dev/null) ipsec_ver=$(/usr/local/sbin/ipsec --version 2>/dev/null)
swan_ver=$(printf '%s' "$ipsec_ver" | sed -e 's/Linux //' -e 's/Libreswan //' -e 's/ (netkey).*//') swan_ver=$(printf '%s' "$ipsec_ver" | sed -e 's/Linux Libreswan //' -e 's/ (netkey).*//' -e 's/^U//' -e 's/\/K.*//')
if ( ! grep -qs "hwdsl2 VPN script" /etc/sysctl.conf && ! grep -qs "hwdsl2" /opt/src/run.sh ) \ if ( ! grep -qs "hwdsl2 VPN script" /etc/sysctl.conf && ! grep -qs "hwdsl2" /opt/src/run.sh ) \
|| ! printf '%s' "$ipsec_ver" | grep -q "Libreswan" \ || ! printf '%s' "$ipsec_ver" | grep -q "Libreswan" \
|| [ ! -f /etc/ppp/chap-secrets ] || [ ! -f /etc/ipsec.d/passwd ]; then || [ ! -f /etc/ppp/chap-secrets ] || [ ! -f /etc/ipsec.d/passwd ]; then

View File

@ -14,7 +14,7 @@
# know how you have improved it! # know how you have improved it!
# Specify which Libreswan version to install. See: https://libreswan.org # Specify which Libreswan version to install. See: https://libreswan.org
SWAN_VER=4.2 SWAN_VER=4.3
### DO NOT edit below this line ### ### DO NOT edit below this line ###
@ -60,22 +60,21 @@ if [ "$(id -u)" != 0 ]; then
fi fi
case $SWAN_VER in case $SWAN_VER in
3.32|4.[12]) 3.32|4.[123])
/bin/true true
;; ;;
*) *)
cat 1>&2 <<EOF cat 1>&2 <<EOF
Error: Libreswan version '$SWAN_VER' is not supported. Error: Libreswan version '$SWAN_VER' is not supported.
This script can install one of these versions: This script can install one of these versions:
3.32, 4.1 or 4.2 3.32, 4.1, 4.2 or 4.3
EOF EOF
exit 1 exit 1
;; ;;
esac esac
ipsec_ver=$(/usr/local/sbin/ipsec --version 2>/dev/null) ipsec_ver=$(/usr/local/sbin/ipsec --version 2>/dev/null)
ipsec_ver_short=$(printf '%s' "$ipsec_ver" | sed -e 's/Linux Libreswan/Libreswan/' -e 's/ (netkey).*//') swan_ver_old=$(printf '%s' "$ipsec_ver" | sed -e 's/Linux Libreswan //' -e 's/ (netkey).*//' -e 's/^U//' -e 's/\/K.*//')
swan_ver_old=$(printf '%s' "$ipsec_ver_short" | sed -e 's/Libreswan //')
if ! printf '%s' "$ipsec_ver" | grep -q "Libreswan"; then if ! printf '%s' "$ipsec_ver" | grep -q "Libreswan"; then
cat 1>&2 <<'EOF' cat 1>&2 <<'EOF'
Error: This script requires Libreswan already installed. Error: This script requires Libreswan already installed.
@ -84,7 +83,7 @@ EOF
exit 1 exit 1
fi fi
swan_ver_cur=4.2 swan_ver_cur=4.3
swan_ver_url="https://dl.ls20.com/v1/$os_type/$os_ver/swanverupg?arch=$os_arch&ver1=$swan_ver_old&ver2=$SWAN_VER" swan_ver_url="https://dl.ls20.com/v1/$os_type/$os_ver/swanverupg?arch=$os_arch&ver1=$swan_ver_old&ver2=$SWAN_VER"
swan_ver_latest=$(wget -t 3 -T 15 -qO- "$swan_ver_url") swan_ver_latest=$(wget -t 3 -T 15 -qO- "$swan_ver_url")
if printf '%s' "$swan_ver_latest" | grep -Eq '^([3-9]|[1-9][0-9])\.([0-9]|[1-9][0-9])$' \ if printf '%s' "$swan_ver_latest" | grep -Eq '^([3-9]|[1-9][0-9])\.([0-9]|[1-9][0-9])$' \
@ -132,7 +131,7 @@ Welcome! This script will build and install Libreswan on your server.
Additional packages required for compilation will also be installed. Additional packages required for compilation will also be installed.
It is intended for upgrading servers to a newer Libreswan version. It is intended for upgrading servers to a newer Libreswan version.
Current version: $ipsec_ver_short Current version: Libreswan $swan_ver_old
Version to install: Libreswan $SWAN_VER Version to install: Libreswan $SWAN_VER
EOF EOF
@ -145,7 +144,7 @@ Note: This script will make the following changes to your VPN configuration:
EOF EOF
if [ "$SWAN_VER" != "4.2" ]; then if [ "$SWAN_VER" != "4.3" ]; then
cat <<'EOF' cat <<'EOF'
WARNING: Older versions of Libreswan could contain known security vulnerabilities. WARNING: Older versions of Libreswan could contain known security vulnerabilities.
See https://libreswan.org/security/ for more information. See https://libreswan.org/security/ for more information.

View File

@ -14,7 +14,7 @@
# know how you have improved it! # know how you have improved it!
# Specify which Libreswan version to install. See: https://libreswan.org # Specify which Libreswan version to install. See: https://libreswan.org
SWAN_VER=4.2 SWAN_VER=4.3
### DO NOT edit below this line ### ### DO NOT edit below this line ###
@ -39,22 +39,21 @@ if [ "$(id -u)" != 0 ]; then
fi fi
case $SWAN_VER in case $SWAN_VER in
3.32|4.[12]) 3.32|4.[123])
/bin/true true
;; ;;
*) *)
cat 1>&2 <<EOF cat 1>&2 <<EOF
Error: Libreswan version '$SWAN_VER' is not supported. Error: Libreswan version '$SWAN_VER' is not supported.
This script can install one of these versions: This script can install one of these versions:
3.32, 4.1 or 4.2 3.32, 4.1, 4.2 or 4.3
EOF EOF
exit 1 exit 1
;; ;;
esac esac
ipsec_ver=$(/usr/local/sbin/ipsec --version 2>/dev/null) ipsec_ver=$(/usr/local/sbin/ipsec --version 2>/dev/null)
ipsec_ver_short=$(printf '%s' "$ipsec_ver" | sed -e 's/Linux Libreswan/Libreswan/' -e 's/ (netkey).*//') swan_ver_old=$(printf '%s' "$ipsec_ver" | sed -e 's/Linux Libreswan //' -e 's/ (netkey).*//' -e 's/^U//' -e 's/\/K.*//')
swan_ver_old=$(printf '%s' "$ipsec_ver_short" | sed -e 's/Libreswan //')
if ! printf '%s' "$ipsec_ver" | grep -q "Libreswan"; then if ! printf '%s' "$ipsec_ver" | grep -q "Libreswan"; then
cat 1>&2 <<'EOF' cat 1>&2 <<'EOF'
Error: This script requires Libreswan already installed. Error: This script requires Libreswan already installed.
@ -63,7 +62,7 @@ EOF
exit 1 exit 1
fi fi
swan_ver_cur=4.2 swan_ver_cur=4.3
swan_ver_url="https://dl.ls20.com/v1/amzn/2/swanverupg?arch=$os_arch&ver1=$swan_ver_old&ver2=$SWAN_VER" swan_ver_url="https://dl.ls20.com/v1/amzn/2/swanverupg?arch=$os_arch&ver1=$swan_ver_old&ver2=$SWAN_VER"
swan_ver_latest=$(wget -t 3 -T 15 -qO- "$swan_ver_url") swan_ver_latest=$(wget -t 3 -T 15 -qO- "$swan_ver_url")
if printf '%s' "$swan_ver_latest" | grep -Eq '^([3-9]|[1-9][0-9])\.([0-9]|[1-9][0-9])$' \ if printf '%s' "$swan_ver_latest" | grep -Eq '^([3-9]|[1-9][0-9])\.([0-9]|[1-9][0-9])$' \
@ -111,7 +110,7 @@ Welcome! This script will build and install Libreswan on your server.
Additional packages required for compilation will also be installed. Additional packages required for compilation will also be installed.
It is intended for upgrading servers to a newer Libreswan version. It is intended for upgrading servers to a newer Libreswan version.
Current version: $ipsec_ver_short Current version: Libreswan $swan_ver_old
Version to install: Libreswan $SWAN_VER Version to install: Libreswan $SWAN_VER
EOF EOF
@ -124,7 +123,7 @@ Note: This script will make the following changes to your VPN configuration:
EOF EOF
if [ "$SWAN_VER" != "4.2" ]; then if [ "$SWAN_VER" != "4.3" ]; then
cat <<'EOF' cat <<'EOF'
WARNING: Older versions of Libreswan could contain known security vulnerabilities. WARNING: Older versions of Libreswan could contain known security vulnerabilities.
See https://libreswan.org/security/ for more information. See https://libreswan.org/security/ for more information.

View File

@ -14,7 +14,7 @@
# know how you have improved it! # know how you have improved it!
# Specify which Libreswan version to install. See: https://libreswan.org # Specify which Libreswan version to install. See: https://libreswan.org
SWAN_VER=4.2 SWAN_VER=4.3
### DO NOT edit below this line ### ### DO NOT edit below this line ###
@ -51,22 +51,21 @@ if [ "$(id -u)" != 0 ]; then
fi fi
case $SWAN_VER in case $SWAN_VER in
3.32|4.[12]) 3.32|4.[123])
/bin/true true
;; ;;
*) *)
cat 1>&2 <<EOF cat 1>&2 <<EOF
Error: Libreswan version '$SWAN_VER' is not supported. Error: Libreswan version '$SWAN_VER' is not supported.
This script can install one of these versions: This script can install one of these versions:
3.32, 4.1 or 4.2 3.32, 4.1, 4.2 or 4.3
EOF EOF
exit 1 exit 1
;; ;;
esac esac
ipsec_ver=$(/usr/local/sbin/ipsec --version 2>/dev/null) ipsec_ver=$(/usr/local/sbin/ipsec --version 2>/dev/null)
ipsec_ver_short=$(printf '%s' "$ipsec_ver" | sed -e 's/Linux Libreswan/Libreswan/' -e 's/ (netkey).*//') swan_ver_old=$(printf '%s' "$ipsec_ver" | sed -e 's/Linux Libreswan //' -e 's/ (netkey).*//' -e 's/^U//' -e 's/\/K.*//')
swan_ver_old=$(printf '%s' "$ipsec_ver_short" | sed -e 's/Libreswan //')
if ! printf '%s' "$ipsec_ver" | grep -q "Libreswan"; then if ! printf '%s' "$ipsec_ver" | grep -q "Libreswan"; then
cat 1>&2 <<'EOF' cat 1>&2 <<'EOF'
Error: This script requires Libreswan already installed. Error: This script requires Libreswan already installed.
@ -75,7 +74,7 @@ EOF
exit 1 exit 1
fi fi
swan_ver_cur=4.2 swan_ver_cur=4.3
swan_ver_url="https://dl.ls20.com/v1/$os_type/$os_ver/swanverupg?arch=$os_arch&ver1=$swan_ver_old&ver2=$SWAN_VER" swan_ver_url="https://dl.ls20.com/v1/$os_type/$os_ver/swanverupg?arch=$os_arch&ver1=$swan_ver_old&ver2=$SWAN_VER"
swan_ver_latest=$(wget -t 3 -T 15 -qO- "$swan_ver_url") swan_ver_latest=$(wget -t 3 -T 15 -qO- "$swan_ver_url")
if printf '%s' "$swan_ver_latest" | grep -Eq '^([3-9]|[1-9][0-9])\.([0-9]|[1-9][0-9])$' \ if printf '%s' "$swan_ver_latest" | grep -Eq '^([3-9]|[1-9][0-9])\.([0-9]|[1-9][0-9])$' \
@ -123,7 +122,7 @@ Welcome! This script will build and install Libreswan on your server.
Additional packages required for compilation will also be installed. Additional packages required for compilation will also be installed.
It is intended for upgrading servers to a newer Libreswan version. It is intended for upgrading servers to a newer Libreswan version.
Current version: $ipsec_ver_short Current version: Libreswan $swan_ver_old
Version to install: Libreswan $SWAN_VER Version to install: Libreswan $SWAN_VER
EOF EOF
@ -136,7 +135,7 @@ Note: This script will make the following changes to your VPN configuration:
EOF EOF
if [ "$SWAN_VER" != "4.2" ]; then if [ "$SWAN_VER" != "4.3" ]; then
cat <<'EOF' cat <<'EOF'
WARNING: Older versions of Libreswan could contain known security vulnerabilities. WARNING: Older versions of Libreswan could contain known security vulnerabilities.
See https://libreswan.org/security/ for more information. See https://libreswan.org/security/ for more information.

View File

@ -197,7 +197,7 @@ bigecho "Installing Fail2Ban to protect SSH..."
bigecho "Downloading Libreswan..." bigecho "Downloading Libreswan..."
SWAN_VER=4.2 SWAN_VER=4.3
swan_file="libreswan-$SWAN_VER.tar.gz" swan_file="libreswan-$SWAN_VER.tar.gz"
swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz" swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz"
swan_url2="https://download.libreswan.org/$swan_file" swan_url2="https://download.libreswan.org/$swan_file"
@ -519,7 +519,7 @@ service xl2tpd restart 2>/dev/null
swan_ver_url="https://dl.ls20.com/v1/$os_type/$os_ver/swanver?arch=$os_arch&ver=$SWAN_VER" swan_ver_url="https://dl.ls20.com/v1/$os_type/$os_ver/swanver?arch=$os_arch&ver=$SWAN_VER"
swan_ver_latest=$(wget -t 3 -T 15 -qO- "$swan_ver_url") swan_ver_latest=$(wget -t 3 -T 15 -qO- "$swan_ver_url")
if printf '%s' "$swan_ver_latest" | grep -Eq '^([3-9]|[1-9][0-9])\.([0-9]|[1-9][0-9])$' \ if printf '%s' "$swan_ver_latest" | grep -Eq '^([3-9]|[1-9][0-9])\.([0-9]|[1-9][0-9])$' \
&& [ "$SWAN_VER" != "$swan_ver_latest" ] \ && [ -n "$SWAN_VER" ] && [ "$SWAN_VER" != "$swan_ver_latest" ] \
&& printf '%s\n%s' "$SWAN_VER" "$swan_ver_latest" | sort -C -V; then && printf '%s\n%s' "$SWAN_VER" "$swan_ver_latest" | sort -C -V; then
cat <<EOF cat <<EOF

View File

@ -161,7 +161,7 @@ bigecho "Installing Fail2Ban to protect SSH..."
bigecho "Downloading Libreswan..." bigecho "Downloading Libreswan..."
SWAN_VER=4.2 SWAN_VER=4.3
swan_file="libreswan-$SWAN_VER.tar.gz" swan_file="libreswan-$SWAN_VER.tar.gz"
swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz" swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz"
swan_url2="https://download.libreswan.org/$swan_file" swan_url2="https://download.libreswan.org/$swan_file"
@ -443,7 +443,7 @@ service xl2tpd restart 2>/dev/null
swan_ver_url="https://dl.ls20.com/v1/amzn/2/swanver?arch=$os_arch&ver=$SWAN_VER" swan_ver_url="https://dl.ls20.com/v1/amzn/2/swanver?arch=$os_arch&ver=$SWAN_VER"
swan_ver_latest=$(wget -t 3 -T 15 -qO- "$swan_ver_url") swan_ver_latest=$(wget -t 3 -T 15 -qO- "$swan_ver_url")
if printf '%s' "$swan_ver_latest" | grep -Eq '^([3-9]|[1-9][0-9])\.([0-9]|[1-9][0-9])$' \ if printf '%s' "$swan_ver_latest" | grep -Eq '^([3-9]|[1-9][0-9])\.([0-9]|[1-9][0-9])$' \
&& [ "$SWAN_VER" != "$swan_ver_latest" ] \ && [ -n "$SWAN_VER" ] && [ "$SWAN_VER" != "$swan_ver_latest" ] \
&& printf '%s\n%s' "$SWAN_VER" "$swan_ver_latest" | sort -C -V; then && printf '%s\n%s' "$SWAN_VER" "$swan_ver_latest" | sort -C -V; then
cat <<EOF cat <<EOF

View File

@ -209,7 +209,7 @@ bigecho "Installing Fail2Ban to protect SSH..."
bigecho "Downloading Libreswan..." bigecho "Downloading Libreswan..."
SWAN_VER=4.2 SWAN_VER=4.3
swan_file="libreswan-$SWAN_VER.tar.gz" swan_file="libreswan-$SWAN_VER.tar.gz"
swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz" swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz"
swan_url2="https://download.libreswan.org/$swan_file" swan_url2="https://download.libreswan.org/$swan_file"
@ -528,7 +528,7 @@ service xl2tpd restart 2>/dev/null
swan_ver_url="https://dl.ls20.com/v1/$os_type/$os_ver/swanver?arch=$os_arch&ver=$SWAN_VER" swan_ver_url="https://dl.ls20.com/v1/$os_type/$os_ver/swanver?arch=$os_arch&ver=$SWAN_VER"
swan_ver_latest=$(wget -t 3 -T 15 -qO- "$swan_ver_url") swan_ver_latest=$(wget -t 3 -T 15 -qO- "$swan_ver_url")
if printf '%s' "$swan_ver_latest" | grep -Eq '^([3-9]|[1-9][0-9])\.([0-9]|[1-9][0-9])$' \ if printf '%s' "$swan_ver_latest" | grep -Eq '^([3-9]|[1-9][0-9])\.([0-9]|[1-9][0-9])$' \
&& [ "$SWAN_VER" != "$swan_ver_latest" ] \ && [ -n "$SWAN_VER" ] && [ "$SWAN_VER" != "$swan_ver_latest" ] \
&& printf '%s\n%s' "$SWAN_VER" "$swan_ver_latest" | sort -C -V; then && printf '%s\n%s' "$SWAN_VER" "$swan_ver_latest" | sort -C -V; then
cat <<EOF cat <<EOF