Update upgrade scripts
- Support upgrading to Libreswan 4.1
This commit is contained in:
parent
afb8a7acce
commit
1dee0d4262
24
.github/workflows/main.yml
vendored
24
.github/workflows/main.yml
vendored
@ -181,15 +181,15 @@ jobs:
|
|||||||
systemctl restart ipsec
|
systemctl restart ipsec
|
||||||
sleep 10
|
sleep 10
|
||||||
grep pluto /var/log/secure
|
grep pluto /var/log/secure
|
||||||
grep pluto /var/log/secure | grep -q 'added connection description "l2tp-psk"'
|
grep pluto /var/log/secure | grep -q 'added IKEv1 connection "l2tp-psk"'
|
||||||
grep pluto /var/log/secure | grep -q 'added connection description "xauth-psk"'
|
grep pluto /var/log/secure | grep -q 'added IKEv1 connection "xauth-psk"'
|
||||||
grep pluto /var/log/secure | grep -q 'added connection description "ikev2-cp"'
|
grep pluto /var/log/secure | grep -q 'added IKEv2 connection "ikev2-cp"'
|
||||||
else
|
else
|
||||||
sleep 10
|
sleep 10
|
||||||
grep pluto /var/log/auth.log
|
grep pluto /var/log/auth.log
|
||||||
grep pluto /var/log/auth.log | grep -q 'added connection description "l2tp-psk"'
|
grep pluto /var/log/auth.log | grep -q 'added IKEv1 connection "l2tp-psk"'
|
||||||
grep pluto /var/log/auth.log | grep -q 'added connection description "xauth-psk"'
|
grep pluto /var/log/auth.log | grep -q 'added IKEv1 connection "xauth-psk"'
|
||||||
grep pluto /var/log/auth.log | grep -q 'added connection description "ikev2-cp"'
|
grep pluto /var/log/auth.log | grep -q 'added IKEv2 connection "ikev2-cp"'
|
||||||
fi
|
fi
|
||||||
|
|
||||||
ls -ld vpnsetup.sh
|
ls -ld vpnsetup.sh
|
||||||
@ -373,14 +373,14 @@ jobs:
|
|||||||
sleep 10
|
sleep 10
|
||||||
if [ "$OS_NAME" = "centos" ]; then
|
if [ "$OS_NAME" = "centos" ]; then
|
||||||
grep pluto /var/log/secure
|
grep pluto /var/log/secure
|
||||||
grep pluto /var/log/secure | grep -q 'added connection description "l2tp-psk"'
|
grep pluto /var/log/secure | grep -q 'added IKEv1 connection "l2tp-psk"'
|
||||||
grep pluto /var/log/secure | grep -q 'added connection description "xauth-psk"'
|
grep pluto /var/log/secure | grep -q 'added IKEv1 connection "xauth-psk"'
|
||||||
grep pluto /var/log/secure | grep -q 'added connection description "ikev2-cp"'
|
grep pluto /var/log/secure | grep -q 'added IKEv2 connection "ikev2-cp"'
|
||||||
else
|
else
|
||||||
grep pluto /var/log/auth.log
|
grep pluto /var/log/auth.log
|
||||||
grep pluto /var/log/auth.log | grep -q 'added connection description "l2tp-psk"'
|
grep pluto /var/log/auth.log | grep -q 'added IKEv1 connection "l2tp-psk"'
|
||||||
grep pluto /var/log/auth.log | grep -q 'added connection description "xauth-psk"'
|
grep pluto /var/log/auth.log | grep -q 'added IKEv1 connection "xauth-psk"'
|
||||||
grep pluto /var/log/auth.log | grep -q 'added connection description "ikev2-cp"'
|
grep pluto /var/log/auth.log | grep -q 'added IKEv2 connection "ikev2-cp"'
|
||||||
fi
|
fi
|
||||||
|
|
||||||
ls -ld vpnsetup.sh
|
ls -ld vpnsetup.sh
|
||||||
|
@ -11,7 +11,7 @@
|
|||||||
# know how you have improved it!
|
# know how you have improved it!
|
||||||
|
|
||||||
# Specify which Libreswan version to install. See: https://libreswan.org
|
# Specify which Libreswan version to install. See: https://libreswan.org
|
||||||
SWAN_VER=3.32
|
SWAN_VER=4.1
|
||||||
|
|
||||||
### DO NOT edit below this line ###
|
### DO NOT edit below this line ###
|
||||||
|
|
||||||
@ -46,14 +46,14 @@ if [ "$(id -u)" != 0 ]; then
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
case "$SWAN_VER" in
|
case "$SWAN_VER" in
|
||||||
3.19|3.2[01235679]|3.3[12])
|
3.19|3.2[01235679]|3.3[12]|4.1)
|
||||||
/bin/true
|
/bin/true
|
||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
cat 1>&2 <<EOF
|
cat 1>&2 <<EOF
|
||||||
Error: Libreswan version '$SWAN_VER' is not supported.
|
Error: Libreswan version '$SWAN_VER' is not supported.
|
||||||
This script can install one of the following versions:
|
This script can install one of the following versions:
|
||||||
3.19-3.23, 3.25-3.27, 3.29, 3.31 and 3.32
|
3.19-3.23, 3.25-3.27, 3.29, 3.31-3.32 or 4.1
|
||||||
EOF
|
EOF
|
||||||
exit 1
|
exit 1
|
||||||
;;
|
;;
|
||||||
@ -61,7 +61,7 @@ esac
|
|||||||
|
|
||||||
dns_state=0
|
dns_state=0
|
||||||
case "$SWAN_VER" in
|
case "$SWAN_VER" in
|
||||||
3.2[35679]|3.3[12])
|
3.2[35679]|3.3[12]|4.1)
|
||||||
DNS_SRV1=$(grep "modecfgdns1=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
|
DNS_SRV1=$(grep "modecfgdns1=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
|
||||||
DNS_SRV2=$(grep "modecfgdns2=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
|
DNS_SRV2=$(grep "modecfgdns2=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
|
||||||
[ -n "$DNS_SRV1" ] && dns_state=2
|
[ -n "$DNS_SRV1" ] && dns_state=2
|
||||||
@ -119,8 +119,7 @@ cat <<'EOF'
|
|||||||
NOTE: Libreswan versions 3.19 and newer require some configuration changes.
|
NOTE: Libreswan versions 3.19 and newer require some configuration changes.
|
||||||
This script will make the following updates to your /etc/ipsec.conf:
|
This script will make the following updates to your /etc/ipsec.conf:
|
||||||
|
|
||||||
- Replace "auth=esp" with "phase2=esp"
|
- Replace obsolete ipsec.conf options
|
||||||
- Replace "forceencaps=yes" with "encapsulation=yes"
|
|
||||||
- Optimize VPN ciphers for "ike=" and "phase2alg="
|
- Optimize VPN ciphers for "ike=" and "phase2alg="
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
@ -136,7 +135,8 @@ cat <<'EOF'
|
|||||||
EOF
|
EOF
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ "$SWAN_VER" = "3.29" ] || [ "$SWAN_VER" = "3.31" ] || [ "$SWAN_VER" = "3.32" ]; then
|
if [ "$SWAN_VER" = "3.29" ] || [ "$SWAN_VER" = "3.31" ] \
|
||||||
|
|| [ "$SWAN_VER" = "3.32" ] || [ "$SWAN_VER" = "4.1" ]; then
|
||||||
cat <<'EOF'
|
cat <<'EOF'
|
||||||
- Move "ikev2=never" to section "conn shared"
|
- Move "ikev2=never" to section "conn shared"
|
||||||
EOF
|
EOF
|
||||||
@ -149,7 +149,7 @@ cat <<'EOF'
|
|||||||
EOF
|
EOF
|
||||||
|
|
||||||
case "$SWAN_VER" in
|
case "$SWAN_VER" in
|
||||||
3.19|3.2[01235679]|3.31)
|
3.19|3.2[01235679]|3.3[12])
|
||||||
cat <<'EOF'
|
cat <<'EOF'
|
||||||
WARNING: Older versions of Libreswan could contain known security vulnerabilities.
|
WARNING: Older versions of Libreswan could contain known security vulnerabilities.
|
||||||
See: https://libreswan.org/security/
|
See: https://libreswan.org/security/
|
||||||
@ -225,12 +225,16 @@ USE_NSS_AVA_COPY = true
|
|||||||
USE_NSS_IPSEC_PROFILE=false
|
USE_NSS_IPSEC_PROFILE=false
|
||||||
USE_GLIBC_KERN_FLIP_HEADERS=true
|
USE_GLIBC_KERN_FLIP_HEADERS=true
|
||||||
EOF
|
EOF
|
||||||
if [ "$SWAN_VER" = "3.31" ] || [ "$SWAN_VER" = "3.32" ]; then
|
if [ "$SWAN_VER" = "3.31" ] || [ "$SWAN_VER" = "3.32" ] || [ "$SWAN_VER" = "4.1" ]; then
|
||||||
echo "USE_DH2=true" >> Makefile.inc.local
|
echo "USE_DH2=true" >> Makefile.inc.local
|
||||||
if ! grep -qs IFLA_XFRM_LINK /usr/include/linux/if_link.h; then
|
if ! grep -qs IFLA_XFRM_LINK /usr/include/linux/if_link.h; then
|
||||||
echo "USE_XFRM_INTERFACE_IFLA_HEADER=true" >> Makefile.inc.local
|
echo "USE_XFRM_INTERFACE_IFLA_HEADER=true" >> Makefile.inc.local
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
if [ "$SWAN_VER" = "4.1" ]; then
|
||||||
|
echo "USE_NSS_KDF=false" >> Makefile.inc.local
|
||||||
|
echo "FINALNSSDIR=/etc/ipsec.d" >> Makefile.inc.local
|
||||||
|
fi
|
||||||
if [ "$(packaging/utils/lswan_detect.sh init)" = "systemd" ]; then
|
if [ "$(packaging/utils/lswan_detect.sh init)" = "systemd" ]; then
|
||||||
apt-get -yq install libsystemd-dev || exiterr2
|
apt-get -yq install libsystemd-dev || exiterr2
|
||||||
fi
|
fi
|
||||||
@ -258,6 +262,8 @@ fi
|
|||||||
sed -i".old-$(date +%F-%T)" \
|
sed -i".old-$(date +%F-%T)" \
|
||||||
-e "s/^[[:space:]]\+auth=esp\$/ phase2=esp/g" \
|
-e "s/^[[:space:]]\+auth=esp\$/ phase2=esp/g" \
|
||||||
-e "s/^[[:space:]]\+forceencaps=yes\$/ encapsulation=yes/g" \
|
-e "s/^[[:space:]]\+forceencaps=yes\$/ encapsulation=yes/g" \
|
||||||
|
-e "s/^[[:space:]]\+sha2_truncbug=/ sha2-truncbug=/g" \
|
||||||
|
-e "s/^[[:space:]]\+ike-frag=/ fragmentation=/g" \
|
||||||
-e "s/^[[:space:]]\+ike=.\+\$/$IKE_NEW/g" \
|
-e "s/^[[:space:]]\+ike=.\+\$/$IKE_NEW/g" \
|
||||||
-e "s/^[[:space:]]\+phase2alg=.\+\$/$PHASE2_NEW/g" /etc/ipsec.conf
|
-e "s/^[[:space:]]\+phase2alg=.\+\$/$PHASE2_NEW/g" /etc/ipsec.conf
|
||||||
|
|
||||||
@ -273,7 +279,8 @@ elif [ "$dns_state" = "4" ]; then
|
|||||||
sed -i "s/modecfgdns=.*/modecfgdns1=$DNS_SRV1/" /etc/ipsec.conf
|
sed -i "s/modecfgdns=.*/modecfgdns1=$DNS_SRV1/" /etc/ipsec.conf
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ "$SWAN_VER" = "3.29" ] || [ "$SWAN_VER" = "3.31" ] || [ "$SWAN_VER" = "3.32" ]; then
|
if [ "$SWAN_VER" = "3.29" ] || [ "$SWAN_VER" = "3.31" ] \
|
||||||
|
|| [ "$SWAN_VER" = "3.32" ] || [ "$SWAN_VER" = "4.1" ]; then
|
||||||
sed -i "/ikev2=never/d" /etc/ipsec.conf
|
sed -i "/ikev2=never/d" /etc/ipsec.conf
|
||||||
sed -i "/conn shared/a \ ikev2=never" /etc/ipsec.conf
|
sed -i "/conn shared/a \ ikev2=never" /etc/ipsec.conf
|
||||||
fi
|
fi
|
||||||
|
@ -11,7 +11,7 @@
|
|||||||
# know how you have improved it!
|
# know how you have improved it!
|
||||||
|
|
||||||
# Specify which Libreswan version to install. See: https://libreswan.org
|
# Specify which Libreswan version to install. See: https://libreswan.org
|
||||||
SWAN_VER=3.32
|
SWAN_VER=4.1
|
||||||
|
|
||||||
### DO NOT edit below this line ###
|
### DO NOT edit below this line ###
|
||||||
|
|
||||||
@ -37,14 +37,14 @@ if [ "$(id -u)" != 0 ]; then
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
case "$SWAN_VER" in
|
case "$SWAN_VER" in
|
||||||
3.19|3.2[01235679]|3.3[12])
|
3.19|3.2[01235679]|3.3[12]|4.1)
|
||||||
/bin/true
|
/bin/true
|
||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
cat 1>&2 <<EOF
|
cat 1>&2 <<EOF
|
||||||
Error: Libreswan version '$SWAN_VER' is not supported.
|
Error: Libreswan version '$SWAN_VER' is not supported.
|
||||||
This script can install one of the following versions:
|
This script can install one of the following versions:
|
||||||
3.19-3.23, 3.25-3.27, 3.29, 3.31 and 3.32
|
3.19-3.23, 3.25-3.27, 3.29, 3.31-3.32 or 4.1
|
||||||
EOF
|
EOF
|
||||||
exit 1
|
exit 1
|
||||||
;;
|
;;
|
||||||
@ -52,7 +52,7 @@ esac
|
|||||||
|
|
||||||
dns_state=0
|
dns_state=0
|
||||||
case "$SWAN_VER" in
|
case "$SWAN_VER" in
|
||||||
3.2[35679]|3.3[12])
|
3.2[35679]|3.3[12]|4.1)
|
||||||
DNS_SRV1=$(grep "modecfgdns1=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
|
DNS_SRV1=$(grep "modecfgdns1=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
|
||||||
DNS_SRV2=$(grep "modecfgdns2=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
|
DNS_SRV2=$(grep "modecfgdns2=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
|
||||||
[ -n "$DNS_SRV1" ] && dns_state=2
|
[ -n "$DNS_SRV1" ] && dns_state=2
|
||||||
@ -110,8 +110,7 @@ cat <<'EOF'
|
|||||||
NOTE: Libreswan versions 3.19 and newer require some configuration changes.
|
NOTE: Libreswan versions 3.19 and newer require some configuration changes.
|
||||||
This script will make the following updates to your /etc/ipsec.conf:
|
This script will make the following updates to your /etc/ipsec.conf:
|
||||||
|
|
||||||
- Replace "auth=esp" with "phase2=esp"
|
- Replace obsolete ipsec.conf options
|
||||||
- Replace "forceencaps=yes" with "encapsulation=yes"
|
|
||||||
- Optimize VPN ciphers for "ike=" and "phase2alg="
|
- Optimize VPN ciphers for "ike=" and "phase2alg="
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
@ -127,7 +126,8 @@ cat <<'EOF'
|
|||||||
EOF
|
EOF
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ "$SWAN_VER" = "3.29" ] || [ "$SWAN_VER" = "3.31" ] || [ "$SWAN_VER" = "3.32" ]; then
|
if [ "$SWAN_VER" = "3.29" ] || [ "$SWAN_VER" = "3.31" ] \
|
||||||
|
|| [ "$SWAN_VER" = "3.32" ] || [ "$SWAN_VER" = "4.1" ]; then
|
||||||
cat <<'EOF'
|
cat <<'EOF'
|
||||||
- Move "ikev2=never" to section "conn shared"
|
- Move "ikev2=never" to section "conn shared"
|
||||||
EOF
|
EOF
|
||||||
@ -140,7 +140,7 @@ cat <<'EOF'
|
|||||||
EOF
|
EOF
|
||||||
|
|
||||||
case "$SWAN_VER" in
|
case "$SWAN_VER" in
|
||||||
3.19|3.2[01235679]|3.31)
|
3.19|3.2[01235679]|3.3[12])
|
||||||
cat <<'EOF'
|
cat <<'EOF'
|
||||||
WARNING: Older versions of Libreswan could contain known security vulnerabilities.
|
WARNING: Older versions of Libreswan could contain known security vulnerabilities.
|
||||||
See: https://libreswan.org/security/
|
See: https://libreswan.org/security/
|
||||||
@ -232,12 +232,16 @@ USE_NSS_AVA_COPY = true
|
|||||||
USE_NSS_IPSEC_PROFILE=false
|
USE_NSS_IPSEC_PROFILE=false
|
||||||
USE_GLIBC_KERN_FLIP_HEADERS=true
|
USE_GLIBC_KERN_FLIP_HEADERS=true
|
||||||
EOF
|
EOF
|
||||||
if [ "$SWAN_VER" = "3.31" ] || [ "$SWAN_VER" = "3.32" ]; then
|
if [ "$SWAN_VER" = "3.31" ] || [ "$SWAN_VER" = "3.32" ] || [ "$SWAN_VER" = "4.1" ]; then
|
||||||
echo "USE_DH2=true" >> Makefile.inc.local
|
echo "USE_DH2=true" >> Makefile.inc.local
|
||||||
if ! grep -qs IFLA_XFRM_LINK /usr/include/linux/if_link.h; then
|
if ! grep -qs IFLA_XFRM_LINK /usr/include/linux/if_link.h; then
|
||||||
echo "USE_XFRM_INTERFACE_IFLA_HEADER=true" >> Makefile.inc.local
|
echo "USE_XFRM_INTERFACE_IFLA_HEADER=true" >> Makefile.inc.local
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
if [ "$SWAN_VER" = "4.1" ]; then
|
||||||
|
echo "USE_NSS_KDF=false" >> Makefile.inc.local
|
||||||
|
echo "FINALNSSDIR=/etc/ipsec.d" >> Makefile.inc.local
|
||||||
|
fi
|
||||||
NPROCS=$(grep -c ^processor /proc/cpuinfo)
|
NPROCS=$(grep -c ^processor /proc/cpuinfo)
|
||||||
[ -z "$NPROCS" ] && NPROCS=1
|
[ -z "$NPROCS" ] && NPROCS=1
|
||||||
make "-j$((NPROCS+1))" -s base && make -s install-base
|
make "-j$((NPROCS+1))" -s base && make -s install-base
|
||||||
@ -250,9 +254,9 @@ if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
# Restore SELinux contexts
|
# Restore SELinux contexts
|
||||||
restorecon /etc/ipsec.d/*db >/dev/null 2>&1
|
restorecon /etc/ipsec.d/*db 2>/dev/null
|
||||||
restorecon /usr/local/sbin -Rv >/dev/null 2>&1
|
restorecon /usr/local/sbin -Rv 2>/dev/null
|
||||||
restorecon /usr/local/libexec/ipsec -Rv >/dev/null 2>&1
|
restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null
|
||||||
|
|
||||||
# Update ipsec.conf
|
# Update ipsec.conf
|
||||||
IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024"
|
IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024"
|
||||||
@ -261,6 +265,8 @@ PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes
|
|||||||
sed -i".old-$(date +%F-%T)" \
|
sed -i".old-$(date +%F-%T)" \
|
||||||
-e "s/^[[:space:]]\+auth=esp\$/ phase2=esp/g" \
|
-e "s/^[[:space:]]\+auth=esp\$/ phase2=esp/g" \
|
||||||
-e "s/^[[:space:]]\+forceencaps=yes\$/ encapsulation=yes/g" \
|
-e "s/^[[:space:]]\+forceencaps=yes\$/ encapsulation=yes/g" \
|
||||||
|
-e "s/^[[:space:]]\+sha2_truncbug=/ sha2-truncbug=/g" \
|
||||||
|
-e "s/^[[:space:]]\+ike-frag=/ fragmentation=/g" \
|
||||||
-e "s/^[[:space:]]\+ike=.\+\$/$IKE_NEW/g" \
|
-e "s/^[[:space:]]\+ike=.\+\$/$IKE_NEW/g" \
|
||||||
-e "s/^[[:space:]]\+phase2alg=.\+\$/$PHASE2_NEW/g" /etc/ipsec.conf
|
-e "s/^[[:space:]]\+phase2alg=.\+\$/$PHASE2_NEW/g" /etc/ipsec.conf
|
||||||
|
|
||||||
@ -276,7 +282,8 @@ elif [ "$dns_state" = "4" ]; then
|
|||||||
sed -i "s/modecfgdns=.*/modecfgdns1=$DNS_SRV1/" /etc/ipsec.conf
|
sed -i "s/modecfgdns=.*/modecfgdns1=$DNS_SRV1/" /etc/ipsec.conf
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ "$SWAN_VER" = "3.29" ] || [ "$SWAN_VER" = "3.31" ] || [ "$SWAN_VER" = "3.32" ]; then
|
if [ "$SWAN_VER" = "3.29" ] || [ "$SWAN_VER" = "3.31" ] \
|
||||||
|
|| [ "$SWAN_VER" = "3.32" ] || [ "$SWAN_VER" = "4.1" ]; then
|
||||||
sed -i "/ikev2=never/d" /etc/ipsec.conf
|
sed -i "/ikev2=never/d" /etc/ipsec.conf
|
||||||
sed -i "/conn shared/a \ ikev2=never" /etc/ipsec.conf
|
sed -i "/conn shared/a \ ikev2=never" /etc/ipsec.conf
|
||||||
fi
|
fi
|
||||||
|
Loading…
Reference in New Issue
Block a user