
Upgrade to Libreswan 3.19

- Upgrade to new Libreswan version 3.19
- Some changes are required in the VPN config files
- Ref:
  https://lists.libreswan.org/pipermail/swan-announce/2017/000023.html
hwdsl2 2017-01-16 12:30:37 -06:00
parent ad8295721d
commit 2dbdee1287
4 changed files with 54 additions and 12 deletions


@ -11,7 +11,7 @@
# know how you have improved it!
# Check https://libreswan.org for the latest version
swan_ver=3.18
swan_ver=3.19
### DO NOT edit below this line ###
@ -68,7 +68,26 @@ Welcome! This script will build and install Libreswan $swan_ver on your server.
Additional packages required for Libreswan compilation will also be installed.
This is intended for use on servers running an older version of Libreswan.
Your existing VPN configuration files will NOT be modified.
EOF
cat <<'EOF'
!!! IMPORTANT NOTE !!!
The new Libreswan version 3.19 requires some configuration changes.
This script will make the following changes to your /etc/ipsec.conf:
Replace this line:
auth=esp
with the following:
phase2=esp
Replace this line:
forceencaps=yes
with the following:
encapsulation=yes
Your other VPN configuration files will not be modified.
EOF
@ -134,6 +153,9 @@ if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qs "$swan_ver"; then
exiterr "Libreswan $swan_ver failed to build."
fi
# Update ipsec.conf options
sed -i.old -e "s/auth=esp/phase2=esp/" -e "s/forceencaps=yes/encapsulation=yes/" /etc/ipsec.conf
# Restart IPsec service
service ipsec restart
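Review bot: The new `sed -i.old` call rewrites /etc/ipsec.conf with unanchored patterns and never checks its exit status, so the script goes on to `service ipsec restart` even if the edit failed, and `auth=esp` is replaced wherever that text occurs on a line rather than only where it is the whole option. I would anchor both expressions to a complete option line and stop on failure, e.g. `-e 's/^\([[:space:]]*\)auth=esp[[:space:]]*$/\1phase2=esp/'` (likewise for `forceencaps=yes`) followed by `|| exiterr "Could not update /etc/ipsec.conf."`. Because `-i.old` writes the backup on every run, a second run would presumably replace the pre-upgrade copy in /etc/ipsec.conf.old with the already edited file; creating the backup only when it does not exist yet avoids that. The same line appears in the second upgrade script's section, and the script body continues outside these hunks.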


@ -11,7 +11,7 @@
# know how you have improved it!
# Check https://libreswan.org for the latest version
swan_ver=3.18
swan_ver=3.19
### DO NOT edit below this line ###
@ -64,7 +64,26 @@ Welcome! This script will build and install Libreswan $swan_ver on your server.
Additional packages required for Libreswan compilation will also be installed.
This is intended for use on servers running an older version of Libreswan.
Your existing VPN configuration files will NOT be modified.
EOF
cat <<'EOF'
!!! IMPORTANT NOTE !!!
The new Libreswan version 3.19 requires some configuration changes.
This script will make the following changes to your /etc/ipsec.conf:
Replace this line:
auth=esp
with the following:
phase2=esp
Replace this line:
forceencaps=yes
with the following:
encapsulation=yes
Your other VPN configuration files will not be modified.
EOF
@ -131,6 +150,9 @@ restorecon /etc/ipsec.d/*db 2>/dev/null
restorecon /usr/local/sbin -Rv 2>/dev/null
restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null
# Update ipsec.conf options
sed -i.old -e "s/auth=esp/phase2=esp/" -e "s/forceencaps=yes/encapsulation=yes/" /etc/ipsec.conf
# Restart IPsec service
service ipsec restart
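Review bot: The welcome text now contradicts itself: the sentence `Your existing VPN configuration files will NOT be modified.` stays in the first heredoc (judging by the hunk counts it is context, not a removed line), and the notice added right after it says the script will change /etc/ipsec.conf. An administrator who reads only the first block would not expect an edit to the IPsec configuration, so that sentence should be reworded, for example `Your VPN configuration files other than /etc/ipsec.conf will NOT be modified.`. The notice also hard-codes `3.19` inside `<<'EOF'` although the script already defines `swan_ver`, so it will go stale on the next bump; an unquoted heredoc using `$swan_ver` would keep the two in step. The first upgrade script's section carries the same text.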


@ -170,7 +170,7 @@ apt-get -yq install fail2ban || exiterr2
print_status "Compiling and installing Libreswan..."
swan_ver=3.18
swan_ver=3.19
swan_file="libreswan-$swan_ver.tar.gz"
swan_url1="https://download.libreswan.org/$swan_file"
swan_url2="https://github.com/libreswan/libreswan/archive/v$swan_ver.tar.gz"
@ -201,7 +201,6 @@ cat > /etc/ipsec.conf <<EOF
version 2.0
config setup
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.42.0/23
protostack=netkey
nhelpers=0
@ -212,7 +211,7 @@ conn shared
left=$PRIVATE_IP
leftid=$PUBLIC_IP
right=%any
forceencaps=yes
encapsulation=yes
authby=secret
pfs=no
rekey=no
@ -231,7 +230,7 @@ conn l2tp-psk
leftprotoport=17/1701
rightprotoport=17/%any
type=transport
auth=esp
phase2=esp
also=shared
conn xauth-psk


@ -160,7 +160,7 @@ yum -y install fail2ban || exiterr2
print_status "Compiling and installing Libreswan..."
swan_ver=3.18
swan_ver=3.19
swan_file="libreswan-$swan_ver.tar.gz"
swan_url1="https://download.libreswan.org/$swan_file"
swan_url2="https://github.com/libreswan/libreswan/archive/v$swan_ver.tar.gz"
@ -188,7 +188,6 @@ cat > /etc/ipsec.conf <<EOF
version 2.0
config setup
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.42.0/23
protostack=netkey
nhelpers=0
@ -199,7 +198,7 @@ conn shared
left=$PRIVATE_IP
leftid=$PUBLIC_IP
right=%any
forceencaps=yes
encapsulation=yes
authby=secret
pfs=no
rekey=no
@ -218,7 +217,7 @@ conn l2tp-psk
leftprotoport=17/1701
rightprotoport=17/%any
type=transport
auth=esp
phase2=esp
also=shared
conn xauth-psk