From 2dbdee12877f26645c5cf56db8f1bfa20f30bada Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Mon, 16 Jan 2017 12:30:37 -0600 Subject: [PATCH] Upgrade to Libreswan 3.19 - Upgrade to new Libreswan version 3.19 - Some changes are required in the VPN config files - Ref: https://lists.libreswan.org/pipermail/swan-announce/2017/000023.html --- extras/vpnupgrade.sh | 26 ++++++++++++++++++++++++-- extras/vpnupgrade_centos.sh | 26 ++++++++++++++++++++++++-- vpnsetup.sh | 7 +++---- vpnsetup_centos.sh | 7 +++---- 4 files changed, 54 insertions(+), 12 deletions(-) diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh index 737e409..3387012 100644 --- a/extras/vpnupgrade.sh +++ b/extras/vpnupgrade.sh @@ -11,7 +11,7 @@ # know how you have improved it! # Check https://libreswan.org for the latest version -swan_ver=3.18 +swan_ver=3.19 ### DO NOT edit below this line ### @@ -68,7 +68,26 @@ Welcome! This script will build and install Libreswan $swan_ver on your server. Additional packages required for Libreswan compilation will also be installed. This is intended for use on servers running an older version of Libreswan. -Your existing VPN configuration files will NOT be modified. + +EOF + +cat <<'EOF' +!!! IMPORTANT NOTE !!! + +The new Libreswan version 3.19 requires some configuration changes. +This script will make the following changes to your /etc/ipsec.conf: + +Replace this line: + auth=esp +with the following: + phase2=esp + +Replace this line: + forceencaps=yes +with the following: + encapsulation=yes + +Your other VPN configuration files will not be modified. EOF @@ -134,6 +153,9 @@ if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qs "$swan_ver"; then exiterr "Libreswan $swan_ver failed to build." fi +# Update ipsec.conf options +sed -i.old -e "s/auth=esp/phase2=esp/" -e "s/forceencaps=yes/encapsulation=yes/" /etc/ipsec.conf + # Restart IPsec service service ipsec restart 
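Review bot: The notice added in the `@@ -68,7 +68,26 @@` hunk hard-codes `3.19` because the second heredoc is quoted (`cat <<'EOF'`), so the text goes stale if `swan_ver` at the top of the script is changed. Nothing in the notice needs to stay literal, so an unquoted `cat <<EOF` with `The new Libreswan version $swan_ver requires some configuration changes.` would keep it in sync. The notice also announces an in-place edit of `/etc/ipsec.conf` without saying where the original goes; a line such as `The original file will be saved as /etc/ipsec.conf.old.` gives the operator a rollback path. The first heredoc begins outside this hunk, and the same text is added in extras/vpnupgrade_centos.sh.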
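Review bot: The `sed` expressions added in the `@@ -134,6 +153,9 @@` hunk are unanchored, so `auth=esp` and `forceencaps=yes` are rewritten wherever they occur on a line (inside a comment, or as the tail of a longer token), not only where they form the whole option line that the notice describes. Anchoring each pattern, e.g. `-e 's/^\([[:space:]]*\)auth=esp[[:space:]]*$/\1phase2=esp/'`, limits the edit to those lines. `-i.old` overwrites `/etc/ipsec.conf.old` on every run, so running the upgrade a second time replaces the only copy of the original with the already-edited file. The exit status of `sed` is not checked before `service ipsec restart`, so a missing or unwritable config still proceeds to the restart; appending `|| exiterr "Cannot update /etc/ipsec.conf."` would stop there, using the `exiterr` helper this hunk already calls. The identical lines added to extras/vpnupgrade_centos.sh have the same issues.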
diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh index 98eabbf..4590dc3 100644 --- a/extras/vpnupgrade_centos.sh +++ b/extras/vpnupgrade_centos.sh @@ -11,7 +11,7 @@ # know how you have improved it! # Check https://libreswan.org for the latest version -swan_ver=3.18 +swan_ver=3.19 ### DO NOT edit below this line ### @@ -64,7 +64,26 @@ Welcome! This script will build and install Libreswan $swan_ver on your server. Additional packages required for Libreswan compilation will also be installed. This is intended for use on servers running an older version of Libreswan. -Your existing VPN configuration files will NOT be modified. + +EOF + +cat <<'EOF' +!!! IMPORTANT NOTE !!! + +The new Libreswan version 3.19 requires some configuration changes. +This script will make the following changes to your /etc/ipsec.conf: + +Replace this line: + auth=esp +with the following: + phase2=esp + +Replace this line: + forceencaps=yes +with the following: + encapsulation=yes + +Your other VPN configuration files will not be modified. EOF @@ -131,6 +150,9 @@ restorecon /etc/ipsec.d/*db 2>/dev/null restorecon /usr/local/sbin -Rv 2>/dev/null restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null +# Update ipsec.conf options +sed -i.old -e "s/auth=esp/phase2=esp/" -e "s/forceencaps=yes/encapsulation=yes/" /etc/ipsec.conf + # Restart IPsec service service ipsec restart diff --git a/vpnsetup.sh b/vpnsetup.sh index 64d05a9..2f3c111 100755 --- a/vpnsetup.sh +++ b/vpnsetup.sh @@ -170,7 +170,7 @@ apt-get -yq install fail2ban || exiterr2 print_status "Compiling and installing Libreswan..." -swan_ver=3.18 +swan_ver=3.19 swan_file="libreswan-$swan_ver.tar.gz" swan_url1="https://download.libreswan.org/$swan_file" swan_url2="https://github.com/libreswan/libreswan/archive/v$swan_ver.tar.gz" @@ -201,7 +201,6 @@ cat > /etc/ipsec.conf < /etc/ipsec.conf <