mirror/setup-ipsec-vpn
1
0
Fork 0
mirror of synced 2025-02-12 10:09:24 +03:00
Code Issues Projects Releases Wiki Activity

Update upgrade scripts

Browse Source 
- Clean up Libreswan build flags for CentOS
- Minor improvements
This commit is contained in:
hwdsl2 2020-12-14 23:12:15 -06:00
parent f9d84216d6
commit 3b1403668d
3 changed files with 39 additions and 36 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
extras/ikev2setup.sh
View File

@ -2,6 +2,9 @@
# #
# Script to set up IKEv2 on Ubuntu, Debian and CentOS/RHEL # Script to set up IKEv2 on Ubuntu, Debian and CentOS/RHEL
# #
# The latest version of this script is available at:
# https://github.com/hwdsl2/setup-ipsec-vpn
#
# Copyright (C) 2020 Lin Song <linsongui@gmail.com> # Copyright (C) 2020 Lin Song <linsongui@gmail.com>
# #
# This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 # This work is licensed under the Creative Commons Attribution-ShareAlike 3.0

32
extras/vpnupgrade.sh
View File

@ -2,6 +2,9 @@
# #
# Script to upgrade Libreswan on Ubuntu and Debian # Script to upgrade Libreswan on Ubuntu and Debian
# #
# The latest version of this script is available at:
# https://github.com/hwdsl2/setup-ipsec-vpn
#
# Copyright (C) 2016-2020 Lin Song <linsongui@gmail.com> # Copyright (C) 2016-2020 Lin Song <linsongui@gmail.com>
# #
# This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 # This work is licensed under the Creative Commons Attribution-ShareAlike 3.0
@ -55,18 +58,15 @@ EOF
;; ;;
esac esac
dns_state=0
DNS_SRV1=$(grep "modecfgdns1=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
DNS_SRV2=$(grep "modecfgdns2=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
[ -n "$DNS_SRV1" ] && dns_state=2
[ -n "$DNS_SRV1" ] && [ -n "$DNS_SRV2" ] && dns_state=1
[ "$(grep -c "modecfgdns1=" /etc/ipsec.conf)" -gt "1" ] && dns_state=3
ipsec_ver=$(/usr/local/sbin/ipsec --version 2>/dev/null) ipsec_ver=$(/usr/local/sbin/ipsec --version 2>/dev/null)
ipsec_ver_short=$(printf '%s' "$ipsec_ver" | sed -e 's/Linux Libreswan/Libreswan/' -e 's/ (netkey) on .*//') ipsec_ver_short=$(printf '%s' "$ipsec_ver" | sed -e 's/Linux Libreswan/Libreswan/' -e 's/ (netkey) on .*//')
swan_ver_old=$(printf '%s' "$ipsec_ver_short" | sed -e 's/Libreswan //') swan_ver_old=$(printf '%s' "$ipsec_ver_short" | sed -e 's/Libreswan //')
if ! printf '%s' "$ipsec_ver" | grep -q "Libreswan"; then if ! printf '%s' "$ipsec_ver" | grep -q "Libreswan"; then
exiterr "This script requires Libreswan already installed." cat 1>&2 <<'EOF'
Error: This script requires Libreswan already installed.
See: https://github.com/hwdsl2/setup-ipsec-vpn
EOF
exit 1
fi fi
if [ "$swan_ver_old" = "$SWAN_VER" ]; then if [ "$swan_ver_old" = "$SWAN_VER" ]; then
@ -101,7 +101,6 @@ EOF
cat <<'EOF' cat <<'EOF'
NOTE: This script will make the following changes to your IPsec config: NOTE: This script will make the following changes to your IPsec config:
- Fix obsolete ipsec.conf and/or ikev2.conf options - Fix obsolete ipsec.conf and/or ikev2.conf options
- Optimize VPN ciphers - Optimize VPN ciphers
@ -222,6 +221,13 @@ if uname -m | grep -qi '^arm'; then
fi fi
fi fi
dns_state=0
DNS_SRV1=$(grep "modecfgdns1=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
DNS_SRV2=$(grep "modecfgdns2=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
[ -n "$DNS_SRV1" ] && dns_state=2
[ -n "$DNS_SRV1" ] && [ -n "$DNS_SRV2" ] && dns_state=1
[ "$(grep -c "modecfgdns1=" /etc/ipsec.conf)" -gt "1" ] && dns_state=3
sed -i".old-$(date +%F-%T)" \ sed -i".old-$(date +%F-%T)" \
-e "s/^[[:space:]]\+auth=/ phase2=/" \ -e "s/^[[:space:]]\+auth=/ phase2=/" \
-e "s/^[[:space:]]\+forceencaps=/ encapsulation=/" \ -e "s/^[[:space:]]\+forceencaps=/ encapsulation=/" \
@ -256,11 +262,11 @@ service ipsec restart
cat <<EOF cat <<EOF
=========================================== ================================================
Libreswan $SWAN_VER successfully installed! Libreswan $SWAN_VER has been successfully installed!
=========================================== ================================================
EOF EOF
@ -268,12 +274,10 @@ if [ "$dns_state" = "3" ]; then
cat <<'EOF' cat <<'EOF'
IMPORTANT: Users upgrading to Libreswan 3.23 or newer must edit /etc/ipsec.conf IMPORTANT: Users upgrading to Libreswan 3.23 or newer must edit /etc/ipsec.conf
and replace all occurrences of these two lines: and replace all occurrences of these two lines:
modecfgdns1=DNS_SERVER_1 modecfgdns1=DNS_SERVER_1
modecfgdns2=DNS_SERVER_2 modecfgdns2=DNS_SERVER_2
with a single line like this: with a single line like this:
modecfgdns="DNS_SERVER_1 DNS_SERVER_2" modecfgdns="DNS_SERVER_1 DNS_SERVER_2"
Then run "sudo service ipsec restart". Then run "sudo service ipsec restart".

40
extras/vpnupgrade_centos.sh
View File

@ -2,6 +2,9 @@
# #
# Script to upgrade Libreswan on CentOS and RHEL # Script to upgrade Libreswan on CentOS and RHEL
# #
# The latest version of this script is available at:
# https://github.com/hwdsl2/setup-ipsec-vpn
#
# Copyright (C) 2016-2020 Lin Song <linsongui@gmail.com> # Copyright (C) 2016-2020 Lin Song <linsongui@gmail.com>
# #
# This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 # This work is licensed under the Creative Commons Attribution-ShareAlike 3.0
@ -50,18 +53,15 @@ EOF
;; ;;
esac esac
dns_state=0
DNS_SRV1=$(grep "modecfgdns1=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
DNS_SRV2=$(grep "modecfgdns2=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
[ -n "$DNS_SRV1" ] && dns_state=2
[ -n "$DNS_SRV1" ] && [ -n "$DNS_SRV2" ] && dns_state=1
[ "$(grep -c "modecfgdns1=" /etc/ipsec.conf)" -gt "1" ] && dns_state=3
ipsec_ver=$(/usr/local/sbin/ipsec --version 2>/dev/null) ipsec_ver=$(/usr/local/sbin/ipsec --version 2>/dev/null)
ipsec_ver_short=$(printf '%s' "$ipsec_ver" | sed -e 's/Linux Libreswan/Libreswan/' -e 's/ (netkey) on .*//') ipsec_ver_short=$(printf '%s' "$ipsec_ver" | sed -e 's/Linux Libreswan/Libreswan/' -e 's/ (netkey) on .*//')
swan_ver_old=$(printf '%s' "$ipsec_ver_short" | sed -e 's/Libreswan //') swan_ver_old=$(printf '%s' "$ipsec_ver_short" | sed -e 's/Libreswan //')
if ! printf '%s' "$ipsec_ver" | grep -q "Libreswan"; then if ! printf '%s' "$ipsec_ver" | grep -q "Libreswan"; then
exiterr "This script requires Libreswan already installed." cat 1>&2 <<'EOF'
Error: This script requires Libreswan already installed.
See: https://github.com/hwdsl2/setup-ipsec-vpn
EOF
exit 1
fi fi
if [ "$swan_ver_old" = "$SWAN_VER" ]; then if [ "$swan_ver_old" = "$SWAN_VER" ]; then
@ -96,7 +96,6 @@ EOF
cat <<'EOF' cat <<'EOF'
NOTE: This script will make the following changes to your IPsec config: NOTE: This script will make the following changes to your IPsec config:
- Fix obsolete ipsec.conf and/or ikev2.conf options - Fix obsolete ipsec.conf and/or ikev2.conf options
- Optimize VPN ciphers - Optimize VPN ciphers
@ -178,14 +177,6 @@ cat > Makefile.inc.local <<'EOF'
WERROR_CFLAGS=-w WERROR_CFLAGS=-w
USE_DNSSEC=false USE_DNSSEC=false
EOF EOF
if [ "$SWAN_VER" != "4.1" ]; then
cat >> Makefile.inc.local <<'EOF'
USE_DH31=false
USE_NSS_AVA_COPY=true
USE_NSS_IPSEC_PROFILE=false
USE_GLIBC_KERN_FLIP_HEADERS=true
EOF
fi
if [ "$SWAN_VER" = "3.31" ] || [ "$SWAN_VER" = "3.32" ] || [ "$SWAN_VER" = "4.1" ]; then if [ "$SWAN_VER" = "3.31" ] || [ "$SWAN_VER" = "3.32" ] || [ "$SWAN_VER" = "4.1" ]; then
echo "USE_DH2=true" >> Makefile.inc.local echo "USE_DH2=true" >> Makefile.inc.local
if ! grep -qs IFLA_XFRM_LINK /usr/include/linux/if_link.h; then if ! grep -qs IFLA_XFRM_LINK /usr/include/linux/if_link.h; then
@ -216,6 +207,13 @@ restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null
IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024" IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024"
PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2" PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2"
dns_state=0
DNS_SRV1=$(grep "modecfgdns1=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
DNS_SRV2=$(grep "modecfgdns2=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
[ -n "$DNS_SRV1" ] && dns_state=2
[ -n "$DNS_SRV1" ] && [ -n "$DNS_SRV2" ] && dns_state=1
[ "$(grep -c "modecfgdns1=" /etc/ipsec.conf)" -gt "1" ] && dns_state=3
sed -i".old-$(date +%F-%T)" \ sed -i".old-$(date +%F-%T)" \
-e "s/^[[:space:]]\+auth=/ phase2=/" \ -e "s/^[[:space:]]\+auth=/ phase2=/" \
-e "s/^[[:space:]]\+forceencaps=/ encapsulation=/" \ -e "s/^[[:space:]]\+forceencaps=/ encapsulation=/" \
@ -250,11 +248,11 @@ service ipsec restart
cat <<EOF cat <<EOF
=========================================== ================================================
Libreswan $SWAN_VER successfully installed! Libreswan $SWAN_VER has been successfully installed!
=========================================== ================================================
EOF EOF
@ -262,12 +260,10 @@ if [ "$dns_state" = "3" ]; then
cat <<'EOF' cat <<'EOF'
IMPORTANT: Users upgrading to Libreswan 3.23 or newer must edit /etc/ipsec.conf IMPORTANT: Users upgrading to Libreswan 3.23 or newer must edit /etc/ipsec.conf
and replace all occurrences of these two lines: and replace all occurrences of these two lines:
modecfgdns1=DNS_SERVER_1 modecfgdns1=DNS_SERVER_1
modecfgdns2=DNS_SERVER_2 modecfgdns2=DNS_SERVER_2
with a single line like this: with a single line like this:
modecfgdns="DNS_SERVER_1 DNS_SERVER_2" modecfgdns="DNS_SERVER_1 DNS_SERVER_2"
Then run "sudo service ipsec restart". Then run "sudo service ipsec restart".