mirror/setup-ipsec-vpn
1
0
Fork 0
mirror of synced 2025-02-16 20:13:19 +03:00
Code Issues Projects Releases Wiki Activity

Upgrade to Libreswan 3.19

Browse Source 
- Upgrade to new Libreswan version 3.19
- Some changes are required in the VPN config files
- Ref:
  https://lists.libreswan.org/pipermail/swan-announce/2017/000023.html
This commit is contained in:
hwdsl2 2017-01-16 12:30:37 -06:00
parent ad8295721d
commit 2dbdee1287
4 changed files with 54 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
extras/vpnupgrade.sh
View File

@ -11,7 +11,7 @@
# know how you have improved it! # know how you have improved it!
# Check https://libreswan.org for the latest version # Check https://libreswan.org for the latest version
swan_ver=3.18 swan_ver=3.19
### DO NOT edit below this line ### ### DO NOT edit below this line ###
@ -68,7 +68,26 @@ Welcome! This script will build and install Libreswan $swan_ver on your server.
Additional packages required for Libreswan compilation will also be installed. Additional packages required for Libreswan compilation will also be installed.
This is intended for use on servers running an older version of Libreswan. This is intended for use on servers running an older version of Libreswan.
Your existing VPN configuration files will NOT be modified.
EOF
cat <<'EOF'
!!! IMPORTANT NOTE !!!
The new Libreswan version 3.19 requires some configuration changes.
This script will make the following changes to your /etc/ipsec.conf:
Replace this line:
auth=esp
with the following:
phase2=esp
Replace this line:
forceencaps=yes
with the following:
encapsulation=yes
Your other VPN configuration files will not be modified.
EOF EOF
@ -134,6 +153,9 @@ if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qs "$swan_ver"; then
exiterr "Libreswan $swan_ver failed to build." exiterr "Libreswan $swan_ver failed to build."
fi fi
# Update ipsec.conf options
sed -i.old -e "s/auth=esp/phase2=esp/" -e "s/forceencaps=yes/encapsulation=yes/" /etc/ipsec.conf
# Restart IPsec service # Restart IPsec service
service ipsec restart service ipsec restart

26
extras/vpnupgrade_centos.sh
View File

@ -11,7 +11,7 @@
# know how you have improved it! # know how you have improved it!
# Check https://libreswan.org for the latest version # Check https://libreswan.org for the latest version
swan_ver=3.18 swan_ver=3.19
### DO NOT edit below this line ### ### DO NOT edit below this line ###
@ -64,7 +64,26 @@ Welcome! This script will build and install Libreswan $swan_ver on your server.
Additional packages required for Libreswan compilation will also be installed. Additional packages required for Libreswan compilation will also be installed.
This is intended for use on servers running an older version of Libreswan. This is intended for use on servers running an older version of Libreswan.
Your existing VPN configuration files will NOT be modified.
EOF
cat <<'EOF'
!!! IMPORTANT NOTE !!!
The new Libreswan version 3.19 requires some configuration changes.
This script will make the following changes to your /etc/ipsec.conf:
Replace this line:
auth=esp
with the following:
phase2=esp
Replace this line:
forceencaps=yes
with the following:
encapsulation=yes
Your other VPN configuration files will not be modified.
EOF EOF
@ -131,6 +150,9 @@ restorecon /etc/ipsec.d/*db 2>/dev/null
restorecon /usr/local/sbin -Rv 2>/dev/null restorecon /usr/local/sbin -Rv 2>/dev/null
restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null
# Update ipsec.conf options
sed -i.old -e "s/auth=esp/phase2=esp/" -e "s/forceencaps=yes/encapsulation=yes/" /etc/ipsec.conf
# Restart IPsec service # Restart IPsec service
service ipsec restart service ipsec restart

7
vpnsetup.sh
View File

@ -170,7 +170,7 @@ apt-get -yq install fail2ban || exiterr2
print_status "Compiling and installing Libreswan..." print_status "Compiling and installing Libreswan..."
swan_ver=3.18 swan_ver=3.19
swan_file="libreswan-$swan_ver.tar.gz" swan_file="libreswan-$swan_ver.tar.gz"
swan_url1="https://download.libreswan.org/$swan_file" swan_url1="https://download.libreswan.org/$swan_file"
swan_url2="https://github.com/libreswan/libreswan/archive/v$swan_ver.tar.gz" swan_url2="https://github.com/libreswan/libreswan/archive/v$swan_ver.tar.gz"
@ -201,7 +201,6 @@ cat > /etc/ipsec.conf <<EOF
version 2.0 version 2.0
config setup config setup
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.42.0/23 virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.42.0/23
protostack=netkey protostack=netkey
nhelpers=0 nhelpers=0
@ -212,7 +211,7 @@ conn shared
left=$PRIVATE_IP left=$PRIVATE_IP
leftid=$PUBLIC_IP leftid=$PUBLIC_IP
right=%any right=%any
forceencaps=yes encapsulation=yes
authby=secret authby=secret
pfs=no pfs=no
rekey=no rekey=no
@ -231,7 +230,7 @@ conn l2tp-psk
leftprotoport=17/1701 leftprotoport=17/1701
rightprotoport=17/%any rightprotoport=17/%any
type=transport type=transport
auth=esp phase2=esp
also=shared also=shared
conn xauth-psk conn xauth-psk

7
vpnsetup_centos.sh
View File

@ -160,7 +160,7 @@ yum -y install fail2ban || exiterr2
print_status "Compiling and installing Libreswan..." print_status "Compiling and installing Libreswan..."
swan_ver=3.18 swan_ver=3.19
swan_file="libreswan-$swan_ver.tar.gz" swan_file="libreswan-$swan_ver.tar.gz"
swan_url1="https://download.libreswan.org/$swan_file" swan_url1="https://download.libreswan.org/$swan_file"
swan_url2="https://github.com/libreswan/libreswan/archive/v$swan_ver.tar.gz" swan_url2="https://github.com/libreswan/libreswan/archive/v$swan_ver.tar.gz"
@ -188,7 +188,6 @@ cat > /etc/ipsec.conf <<EOF
version 2.0 version 2.0
config setup config setup
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.42.0/23 virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.42.0/23
protostack=netkey protostack=netkey
nhelpers=0 nhelpers=0
@ -199,7 +198,7 @@ conn shared
left=$PRIVATE_IP left=$PRIVATE_IP
leftid=$PUBLIC_IP leftid=$PUBLIC_IP
right=%any right=%any
forceencaps=yes encapsulation=yes
authby=secret authby=secret
pfs=no pfs=no
rekey=no rekey=no
@ -218,7 +217,7 @@ conn l2tp-psk
leftprotoport=17/1701 leftprotoport=17/1701
rightprotoport=17/%any rightprotoport=17/%any
type=transport type=transport
auth=esp phase2=esp
also=shared also=shared
conn xauth-psk conn xauth-psk