Upgrade to Libreswan 3.19

- Upgrade to new Libreswan version 3.19
- Some changes are required in the VPN config files
- Ref:
  https://lists.libreswan.org/pipermail/swan-announce/2017/000023.html

extras/vpnupgrade.sh

@@ -11,7 +11,7 @@
 # know how you have improved it!
 
 # Check https://libreswan.org for the latest version
-swan_ver=3.18
+swan_ver=3.19
 
 ### DO NOT edit below this line ###
 
@@ -68,7 +68,26 @@ Welcome! This script will build and install Libreswan $swan_ver on your server.
 Additional packages required for Libreswan compilation will also be installed.
 
 This is intended for use on servers running an older version of Libreswan.
-Your existing VPN configuration files will NOT be modified.
+
+EOF
+
+cat <<'EOF'
+!!! IMPORTANT NOTE !!!
+
+The new Libreswan version 3.19 requires some configuration changes.
+This script will make the following changes to your /etc/ipsec.conf:
+
+Replace this line:
+  auth=esp
+with the following:
+  phase2=esp
+
+Replace this line:
+  forceencaps=yes
+with the following:
+  encapsulation=yes
+
+Your other VPN configuration files will not be modified.
 
 EOF
 
@@ -134,6 +153,9 @@ if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qs "$swan_ver"; then
   exiterr "Libreswan $swan_ver failed to build."
 fi
 
+# Update ipsec.conf options
+sed -i.old -e "s/auth=esp/phase2=esp/" -e "s/forceencaps=yes/encapsulation=yes/" /etc/ipsec.conf
+
 # Restart IPsec service
 service ipsec restart
 

extras/vpnupgrade_centos.sh

@@ -11,7 +11,7 @@
 # know how you have improved it!
 
 # Check https://libreswan.org for the latest version
-swan_ver=3.18
+swan_ver=3.19
 
 ### DO NOT edit below this line ###
 
@@ -64,7 +64,26 @@ Welcome! This script will build and install Libreswan $swan_ver on your server.
 Additional packages required for Libreswan compilation will also be installed.
 
 This is intended for use on servers running an older version of Libreswan.
-Your existing VPN configuration files will NOT be modified.
+
+EOF
+
+cat <<'EOF'
+!!! IMPORTANT NOTE !!!
+
+The new Libreswan version 3.19 requires some configuration changes.
+This script will make the following changes to your /etc/ipsec.conf:
+
+Replace this line:
+  auth=esp
+with the following:
+  phase2=esp
+
+Replace this line:
+  forceencaps=yes
+with the following:
+  encapsulation=yes
+
+Your other VPN configuration files will not be modified.
 
 EOF
 
@@ -131,6 +150,9 @@ restorecon /etc/ipsec.d/*db 2>/dev/null
 restorecon /usr/local/sbin -Rv 2>/dev/null
 restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null
 
+# Update ipsec.conf options
+sed -i.old -e "s/auth=esp/phase2=esp/" -e "s/forceencaps=yes/encapsulation=yes/" /etc/ipsec.conf
+
 # Restart IPsec service
 service ipsec restart
 

vpnsetup.sh

@@ -170,7 +170,7 @@ apt-get -yq install fail2ban || exiterr2
 
 print_status "Compiling and installing Libreswan..."
 
-swan_ver=3.18
+swan_ver=3.19
 swan_file="libreswan-$swan_ver.tar.gz"
 swan_url1="https://download.libreswan.org/$swan_file"
 swan_url2="https://github.com/libreswan/libreswan/archive/v$swan_ver.tar.gz"
@@ -201,7 +201,6 @@ cat > /etc/ipsec.conf <<EOF
 version 2.0
 
 config setup
-  nat_traversal=yes
   virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.42.0/23
   protostack=netkey
   nhelpers=0
@@ -212,7 +211,7 @@ conn shared
   left=$PRIVATE_IP
   leftid=$PUBLIC_IP
   right=%any
-  forceencaps=yes
+  encapsulation=yes
   authby=secret
   pfs=no
   rekey=no
@@ -231,7 +230,7 @@ conn l2tp-psk
   leftprotoport=17/1701
   rightprotoport=17/%any
   type=transport
-  auth=esp
+  phase2=esp
   also=shared
 
 conn xauth-psk

vpnsetup_centos.sh

@@ -160,7 +160,7 @@ yum -y install fail2ban || exiterr2
 
 print_status "Compiling and installing Libreswan..."
 
-swan_ver=3.18
+swan_ver=3.19
 swan_file="libreswan-$swan_ver.tar.gz"
 swan_url1="https://download.libreswan.org/$swan_file"
 swan_url2="https://github.com/libreswan/libreswan/archive/v$swan_ver.tar.gz"
@@ -188,7 +188,6 @@ cat > /etc/ipsec.conf <<EOF
 version 2.0
 
 config setup
-  nat_traversal=yes
   virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.42.0/23
   protostack=netkey
   nhelpers=0
@@ -199,7 +198,7 @@ conn shared
   left=$PRIVATE_IP
   leftid=$PUBLIC_IP
   right=%any
-  forceencaps=yes
+  encapsulation=yes
   authby=secret
   pfs=no
   rekey=no
@@ -218,7 +217,7 @@ conn l2tp-psk
   leftprotoport=17/1701
   rightprotoport=17/%any
   type=transport
-  auth=esp
+  phase2=esp
   also=shared
 
 conn xauth-psk