
Update upgrade scripts

- Support upgrading to Libreswan 4.1
hwdsl2 2020-11-11 01:10:27 -06:00
parent afb8a7acce
commit 1dee0d4262
3 changed files with 65 additions and 51 deletions


@ -181,15 +181,15 @@ jobs:
systemctl restart ipsec systemctl restart ipsec
sleep 10 sleep 10
grep pluto /var/log/secure grep pluto /var/log/secure
grep pluto /var/log/secure | grep -q 'added connection description "l2tp-psk"' grep pluto /var/log/secure | grep -q 'added IKEv1 connection "l2tp-psk"'
grep pluto /var/log/secure | grep -q 'added connection description "xauth-psk"' grep pluto /var/log/secure | grep -q 'added IKEv1 connection "xauth-psk"'
grep pluto /var/log/secure | grep -q 'added connection description "ikev2-cp"' grep pluto /var/log/secure | grep -q 'added IKEv2 connection "ikev2-cp"'
else else
sleep 10 sleep 10
grep pluto /var/log/auth.log grep pluto /var/log/auth.log
grep pluto /var/log/auth.log | grep -q 'added connection description "l2tp-psk"' grep pluto /var/log/auth.log | grep -q 'added IKEv1 connection "l2tp-psk"'
grep pluto /var/log/auth.log | grep -q 'added connection description "xauth-psk"' grep pluto /var/log/auth.log | grep -q 'added IKEv1 connection "xauth-psk"'
grep pluto /var/log/auth.log | grep -q 'added connection description "ikev2-cp"' grep pluto /var/log/auth.log | grep -q 'added IKEv2 connection "ikev2-cp"'
fi fi
ls -ld vpnsetup.sh ls -ld vpnsetup.sh
@ -373,14 +373,14 @@ jobs:
sleep 10 sleep 10
if [ "$OS_NAME" = "centos" ]; then if [ "$OS_NAME" = "centos" ]; then
grep pluto /var/log/secure grep pluto /var/log/secure
grep pluto /var/log/secure | grep -q 'added connection description "l2tp-psk"' grep pluto /var/log/secure | grep -q 'added IKEv1 connection "l2tp-psk"'
grep pluto /var/log/secure | grep -q 'added connection description "xauth-psk"' grep pluto /var/log/secure | grep -q 'added IKEv1 connection "xauth-psk"'
grep pluto /var/log/secure | grep -q 'added connection description "ikev2-cp"' grep pluto /var/log/secure | grep -q 'added IKEv2 connection "ikev2-cp"'
else else
grep pluto /var/log/auth.log grep pluto /var/log/auth.log
grep pluto /var/log/auth.log | grep -q 'added connection description "l2tp-psk"' grep pluto /var/log/auth.log | grep -q 'added IKEv1 connection "l2tp-psk"'
grep pluto /var/log/auth.log | grep -q 'added connection description "xauth-psk"' grep pluto /var/log/auth.log | grep -q 'added IKEv1 connection "xauth-psk"'
grep pluto /var/log/auth.log | grep -q 'added connection description "ikev2-cp"' grep pluto /var/log/auth.log | grep -q 'added IKEv2 connection "ikev2-cp"'
fi fi
ls -ld vpnsetup.sh ls -ld vpnsetup.sh


@ -11,7 +11,7 @@
# know how you have improved it! # know how you have improved it!
# Specify which Libreswan version to install. See: https://libreswan.org # Specify which Libreswan version to install. See: https://libreswan.org
SWAN_VER=3.32 SWAN_VER=4.1
### DO NOT edit below this line ### ### DO NOT edit below this line ###
@ -46,14 +46,14 @@ if [ "$(id -u)" != 0 ]; then
fi fi
case "$SWAN_VER" in case "$SWAN_VER" in
3.19|3.2[01235679]|3.3[12]) 3.19|3.2[01235679]|3.3[12]|4.1)
/bin/true /bin/true
;; ;;
*) *)
cat 1>&2 <<EOF cat 1>&2 <<EOF
Error: Libreswan version '$SWAN_VER' is not supported. Error: Libreswan version '$SWAN_VER' is not supported.
This script can install one of the following versions: This script can install one of the following versions:
3.19-3.23, 3.25-3.27, 3.29, 3.31 and 3.32 3.19-3.23, 3.25-3.27, 3.29, 3.31-3.32 or 4.1
EOF EOF
exit 1 exit 1
;; ;;
@ -61,7 +61,7 @@ esac
dns_state=0 dns_state=0
case "$SWAN_VER" in case "$SWAN_VER" in
3.2[35679]|3.3[12]) 3.2[35679]|3.3[12]|4.1)
DNS_SRV1=$(grep "modecfgdns1=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2) DNS_SRV1=$(grep "modecfgdns1=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
DNS_SRV2=$(grep "modecfgdns2=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2) DNS_SRV2=$(grep "modecfgdns2=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
[ -n "$DNS_SRV1" ] && dns_state=2 [ -n "$DNS_SRV1" ] && dns_state=2
@ -119,8 +119,7 @@ cat <<'EOF'
NOTE: Libreswan versions 3.19 and newer require some configuration changes. NOTE: Libreswan versions 3.19 and newer require some configuration changes.
This script will make the following updates to your /etc/ipsec.conf: This script will make the following updates to your /etc/ipsec.conf:
- Replace "auth=esp" with "phase2=esp" - Replace obsolete ipsec.conf options
- Replace "forceencaps=yes" with "encapsulation=yes"
- Optimize VPN ciphers for "ike=" and "phase2alg=" - Optimize VPN ciphers for "ike=" and "phase2alg="
EOF EOF
@ -136,7 +135,8 @@ cat <<'EOF'
EOF EOF
fi fi
if [ "$SWAN_VER" = "3.29" ] || [ "$SWAN_VER" = "3.31" ] || [ "$SWAN_VER" = "3.32" ]; then if [ "$SWAN_VER" = "3.29" ] || [ "$SWAN_VER" = "3.31" ] \
|| [ "$SWAN_VER" = "3.32" ] || [ "$SWAN_VER" = "4.1" ]; then
cat <<'EOF' cat <<'EOF'
- Move "ikev2=never" to section "conn shared" - Move "ikev2=never" to section "conn shared"
EOF EOF
@ -149,7 +149,7 @@ cat <<'EOF'
EOF EOF
case "$SWAN_VER" in case "$SWAN_VER" in
3.19|3.2[01235679]|3.31) 3.19|3.2[01235679]|3.3[12])
cat <<'EOF' cat <<'EOF'
WARNING: Older versions of Libreswan could contain known security vulnerabilities. WARNING: Older versions of Libreswan could contain known security vulnerabilities.
See: https://libreswan.org/security/ See: https://libreswan.org/security/
@ -218,19 +218,23 @@ if [ "$SWAN_VER" = "3.31" ]; then
programs/pluto/ikev2_message.c programs/pluto/ikev2_message.c
fi fi
cat > Makefile.inc.local <<'EOF' cat > Makefile.inc.local <<'EOF'
WERROR_CFLAGS = -w WERROR_CFLAGS=-w
USE_DNSSEC = false USE_DNSSEC=false
USE_DH31 = false USE_DH31=false
USE_NSS_AVA_COPY = true USE_NSS_AVA_COPY=true
USE_NSS_IPSEC_PROFILE = false USE_NSS_IPSEC_PROFILE=false
USE_GLIBC_KERN_FLIP_HEADERS = true USE_GLIBC_KERN_FLIP_HEADERS=true
EOF EOF
if [ "$SWAN_VER" = "3.31" ] || [ "$SWAN_VER" = "3.32" ]; then if [ "$SWAN_VER" = "3.31" ] || [ "$SWAN_VER" = "3.32" ] || [ "$SWAN_VER" = "4.1" ]; then
echo "USE_DH2 = true" >> Makefile.inc.local echo "USE_DH2=true" >> Makefile.inc.local
if ! grep -qs IFLA_XFRM_LINK /usr/include/linux/if_link.h; then if ! grep -qs IFLA_XFRM_LINK /usr/include/linux/if_link.h; then
echo "USE_XFRM_INTERFACE_IFLA_HEADER = true" >> Makefile.inc.local echo "USE_XFRM_INTERFACE_IFLA_HEADER=true" >> Makefile.inc.local
fi fi
fi fi
if [ "$SWAN_VER" = "4.1" ]; then
echo "USE_NSS_KDF=false" >> Makefile.inc.local
echo "FINALNSSDIR=/etc/ipsec.d" >> Makefile.inc.local
fi
if [ "$(packaging/utils/lswan_detect.sh init)" = "systemd" ]; then if [ "$(packaging/utils/lswan_detect.sh init)" = "systemd" ]; then
apt-get -yq install libsystemd-dev || exiterr2 apt-get -yq install libsystemd-dev || exiterr2
fi fi
@ -258,6 +262,8 @@ fi
sed -i".old-$(date +%F-%T)" \ sed -i".old-$(date +%F-%T)" \
-e "s/^[[:space:]]\+auth=esp\$/ phase2=esp/g" \ -e "s/^[[:space:]]\+auth=esp\$/ phase2=esp/g" \
-e "s/^[[:space:]]\+forceencaps=yes\$/ encapsulation=yes/g" \ -e "s/^[[:space:]]\+forceencaps=yes\$/ encapsulation=yes/g" \
-e "s/^[[:space:]]\+sha2_truncbug=/ sha2-truncbug=/g" \
-e "s/^[[:space:]]\+ike-frag=/ fragmentation=/g" \
-e "s/^[[:space:]]\+ike=.\+\$/$IKE_NEW/g" \ -e "s/^[[:space:]]\+ike=.\+\$/$IKE_NEW/g" \
-e "s/^[[:space:]]\+phase2alg=.\+\$/$PHASE2_NEW/g" /etc/ipsec.conf -e "s/^[[:space:]]\+phase2alg=.\+\$/$PHASE2_NEW/g" /etc/ipsec.conf
@ -273,7 +279,8 @@ elif [ "$dns_state" = "4" ]; then
sed -i "s/modecfgdns=.*/modecfgdns1=$DNS_SRV1/" /etc/ipsec.conf sed -i "s/modecfgdns=.*/modecfgdns1=$DNS_SRV1/" /etc/ipsec.conf
fi fi
if [ "$SWAN_VER" = "3.29" ] || [ "$SWAN_VER" = "3.31" ] || [ "$SWAN_VER" = "3.32" ]; then if [ "$SWAN_VER" = "3.29" ] || [ "$SWAN_VER" = "3.31" ] \
|| [ "$SWAN_VER" = "3.32" ] || [ "$SWAN_VER" = "4.1" ]; then
sed -i "/ikev2=never/d" /etc/ipsec.conf sed -i "/ikev2=never/d" /etc/ipsec.conf
sed -i "/conn shared/a \ ikev2=never" /etc/ipsec.conf sed -i "/conn shared/a \ ikev2=never" /etc/ipsec.conf
fi fi
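Review bot: In the hunk at `@ -218,19 +218,23`, the new `if [ "$SWAN_VER" = "4.1" ]` block hard-codes `USE_NSS_KDF=false` and `FINALNSSDIR=/etc/ipsec.d` into Makefile.inc.local with no comment on why, and the branch just above it now also applies `USE_DH2=true` to 4.1, which keeps 1024-bit MODP (DH group 2) compiled in for the `ike=` proposal list that the later sed hunk writes (visible as context in the third file's hunk). These are build-time security decisions, so a maintainer will want the reason recorded next to them; I would add `# 4.1: use the in-tree KDF (NSS on the target distros presumably predates USE_NSS_KDF support) and keep the NSS DB in /etc/ipsec.d so existing certs stay usable -- confirm` above the 4.1 `if`, and `# USE_DH2: keep modp1024 (DH group 2) available for older clients; see the ike= line written below` before the `echo "USE_DH2=true"`. The third file in this commit carries the same two hunks, so the comments belong there as well.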


@ -11,7 +11,7 @@
# know how you have improved it! # know how you have improved it!
# Specify which Libreswan version to install. See: https://libreswan.org # Specify which Libreswan version to install. See: https://libreswan.org
SWAN_VER=3.32 SWAN_VER=4.1
### DO NOT edit below this line ### ### DO NOT edit below this line ###
@ -37,14 +37,14 @@ if [ "$(id -u)" != 0 ]; then
fi fi
case "$SWAN_VER" in case "$SWAN_VER" in
3.19|3.2[01235679]|3.3[12]) 3.19|3.2[01235679]|3.3[12]|4.1)
/bin/true /bin/true
;; ;;
*) *)
cat 1>&2 <<EOF cat 1>&2 <<EOF
Error: Libreswan version '$SWAN_VER' is not supported. Error: Libreswan version '$SWAN_VER' is not supported.
This script can install one of the following versions: This script can install one of the following versions:
3.19-3.23, 3.25-3.27, 3.29, 3.31 and 3.32 3.19-3.23, 3.25-3.27, 3.29, 3.31-3.32 or 4.1
EOF EOF
exit 1 exit 1
;; ;;
@ -52,7 +52,7 @@ esac
dns_state=0 dns_state=0
case "$SWAN_VER" in case "$SWAN_VER" in
3.2[35679]|3.3[12]) 3.2[35679]|3.3[12]|4.1)
DNS_SRV1=$(grep "modecfgdns1=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2) DNS_SRV1=$(grep "modecfgdns1=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
DNS_SRV2=$(grep "modecfgdns2=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2) DNS_SRV2=$(grep "modecfgdns2=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
[ -n "$DNS_SRV1" ] && dns_state=2 [ -n "$DNS_SRV1" ] && dns_state=2
@ -110,8 +110,7 @@ cat <<'EOF'
NOTE: Libreswan versions 3.19 and newer require some configuration changes. NOTE: Libreswan versions 3.19 and newer require some configuration changes.
This script will make the following updates to your /etc/ipsec.conf: This script will make the following updates to your /etc/ipsec.conf:
- Replace "auth=esp" with "phase2=esp" - Replace obsolete ipsec.conf options
- Replace "forceencaps=yes" with "encapsulation=yes"
- Optimize VPN ciphers for "ike=" and "phase2alg=" - Optimize VPN ciphers for "ike=" and "phase2alg="
EOF EOF
@ -127,7 +126,8 @@ cat <<'EOF'
EOF EOF
fi fi
if [ "$SWAN_VER" = "3.29" ] || [ "$SWAN_VER" = "3.31" ] || [ "$SWAN_VER" = "3.32" ]; then if [ "$SWAN_VER" = "3.29" ] || [ "$SWAN_VER" = "3.31" ] \
|| [ "$SWAN_VER" = "3.32" ] || [ "$SWAN_VER" = "4.1" ]; then
cat <<'EOF' cat <<'EOF'
- Move "ikev2=never" to section "conn shared" - Move "ikev2=never" to section "conn shared"
EOF EOF
@ -140,7 +140,7 @@ cat <<'EOF'
EOF EOF
case "$SWAN_VER" in case "$SWAN_VER" in
3.19|3.2[01235679]|3.31) 3.19|3.2[01235679]|3.3[12])
cat <<'EOF' cat <<'EOF'
WARNING: Older versions of Libreswan could contain known security vulnerabilities. WARNING: Older versions of Libreswan could contain known security vulnerabilities.
See: https://libreswan.org/security/ See: https://libreswan.org/security/
@ -225,19 +225,23 @@ if [ "$SWAN_VER" = "3.31" ]; then
programs/pluto/ikev2_message.c programs/pluto/ikev2_message.c
fi fi
cat > Makefile.inc.local <<'EOF' cat > Makefile.inc.local <<'EOF'
WERROR_CFLAGS = -w WERROR_CFLAGS=-w
USE_DNSSEC = false USE_DNSSEC=false
USE_DH31 = false USE_DH31=false
USE_NSS_AVA_COPY = true USE_NSS_AVA_COPY=true
USE_NSS_IPSEC_PROFILE = false USE_NSS_IPSEC_PROFILE=false
USE_GLIBC_KERN_FLIP_HEADERS = true USE_GLIBC_KERN_FLIP_HEADERS=true
EOF EOF
if [ "$SWAN_VER" = "3.31" ] || [ "$SWAN_VER" = "3.32" ]; then if [ "$SWAN_VER" = "3.31" ] || [ "$SWAN_VER" = "3.32" ] || [ "$SWAN_VER" = "4.1" ]; then
echo "USE_DH2 = true" >> Makefile.inc.local echo "USE_DH2=true" >> Makefile.inc.local
if ! grep -qs IFLA_XFRM_LINK /usr/include/linux/if_link.h; then if ! grep -qs IFLA_XFRM_LINK /usr/include/linux/if_link.h; then
echo "USE_XFRM_INTERFACE_IFLA_HEADER = true" >> Makefile.inc.local echo "USE_XFRM_INTERFACE_IFLA_HEADER=true" >> Makefile.inc.local
fi fi
fi fi
if [ "$SWAN_VER" = "4.1" ]; then
echo "USE_NSS_KDF=false" >> Makefile.inc.local
echo "FINALNSSDIR=/etc/ipsec.d" >> Makefile.inc.local
fi
NPROCS=$(grep -c ^processor /proc/cpuinfo) NPROCS=$(grep -c ^processor /proc/cpuinfo)
[ -z "$NPROCS" ] && NPROCS=1 [ -z "$NPROCS" ] && NPROCS=1
make "-j$((NPROCS+1))" -s base && make -s install-base make "-j$((NPROCS+1))" -s base && make -s install-base
@ -250,9 +254,9 @@ if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then
fi fi
# Restore SELinux contexts # Restore SELinux contexts
restorecon /etc/ipsec.d/*db >/dev/null 2>&1 restorecon /etc/ipsec.d/*db 2>/dev/null
restorecon /usr/local/sbin -Rv >/dev/null 2>&1 restorecon /usr/local/sbin -Rv 2>/dev/null
restorecon /usr/local/libexec/ipsec -Rv >/dev/null 2>&1 restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null
# Update ipsec.conf # Update ipsec.conf
IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024" IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024"
@ -261,6 +265,8 @@ PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes
sed -i".old-$(date +%F-%T)" \ sed -i".old-$(date +%F-%T)" \
-e "s/^[[:space:]]\+auth=esp\$/ phase2=esp/g" \ -e "s/^[[:space:]]\+auth=esp\$/ phase2=esp/g" \
-e "s/^[[:space:]]\+forceencaps=yes\$/ encapsulation=yes/g" \ -e "s/^[[:space:]]\+forceencaps=yes\$/ encapsulation=yes/g" \
-e "s/^[[:space:]]\+sha2_truncbug=/ sha2-truncbug=/g" \
-e "s/^[[:space:]]\+ike-frag=/ fragmentation=/g" \
-e "s/^[[:space:]]\+ike=.\+\$/$IKE_NEW/g" \ -e "s/^[[:space:]]\+ike=.\+\$/$IKE_NEW/g" \
-e "s/^[[:space:]]\+phase2alg=.\+\$/$PHASE2_NEW/g" /etc/ipsec.conf -e "s/^[[:space:]]\+phase2alg=.\+\$/$PHASE2_NEW/g" /etc/ipsec.conf
@ -276,7 +282,8 @@ elif [ "$dns_state" = "4" ]; then
sed -i "s/modecfgdns=.*/modecfgdns1=$DNS_SRV1/" /etc/ipsec.conf sed -i "s/modecfgdns=.*/modecfgdns1=$DNS_SRV1/" /etc/ipsec.conf
fi fi
if [ "$SWAN_VER" = "3.29" ] || [ "$SWAN_VER" = "3.31" ] || [ "$SWAN_VER" = "3.32" ]; then if [ "$SWAN_VER" = "3.29" ] || [ "$SWAN_VER" = "3.31" ] \
|| [ "$SWAN_VER" = "3.32" ] || [ "$SWAN_VER" = "4.1" ]; then
sed -i "/ikev2=never/d" /etc/ipsec.conf sed -i "/ikev2=never/d" /etc/ipsec.conf
sed -i "/conn shared/a \ ikev2=never" /etc/ipsec.conf sed -i "/conn shared/a \ ikev2=never" /etc/ipsec.conf
fi fi
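Review bot: In the hunk at `@ -250,9 +254,9`, replacing `>/dev/null 2>&1` with `2>/dev/null` while keeping `-Rv` means the two recursive `restorecon` calls now print every relabelled path to stdout on SELinux hosts, which is probably not what the change intends; if only errors should surface, drop the `-v`: `restorecon -R /usr/local/sbin 2>/dev/null` and `restorecon -R /usr/local/libexec/ipsec 2>/dev/null`. Note also that stderr is still discarded and the exit status is not checked, so a failed relabel of the freshly installed /usr/local/sbin/ipsec would only show up later as an SELinux denial at start-up; a `|| echo "Warning: restorecon failed" >&2` on these lines would make that visible in the upgrade log. The Makefile.inc.local comments proposed on the second file's `@ -218,19 +218,23` hunk apply unchanged to this file's `@ -225,19 +225,23` hunk.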