Update upgrade scripts
- Support upgrading to Libreswan 3.31
This commit is contained in:
hwdsl2
parent
2c660bb914
commit
48d9b06bab
@ -11,7 +11,7 @@
|
||||
# know how you have improved it!
|
||||
|
||||
# Specify which Libreswan version to install. See: https://libreswan.org
|
||||
SWAN_VER=3.29
|
||||
SWAN_VER=3.31
|
||||
|
||||
### DO NOT edit below this line ###
|
||||
|
||||
@ -46,14 +46,14 @@ if [ "$(id -u)" != 0 ]; then
|
||||
fi
|
||||
|
||||
case "$SWAN_VER" in
|
||||
3.19|3.2[01235679])
|
||||
3.19|3.2[01235679]|3.31)
|
||||
/bin/true
|
||||
;;
|
||||
*)
|
||||
cat 1>&2 <<EOF
|
||||
Error: Libreswan version '$SWAN_VER' is not supported.
|
||||
This script can install one of the following versions:
|
||||
3.19-3.23, 3.25-3.27 and 3.29
|
||||
3.19-3.23, 3.25-3.27, 3.29 and 3.31
|
||||
EOF
|
||||
exit 1
|
||||
;;
|
||||
@ -61,7 +61,7 @@ esac
|
||||
|
||||
dns_state=0
|
||||
case "$SWAN_VER" in
|
||||
3.2[35679])
|
||||
3.2[35679]|3.31)
|
||||
DNS_SRV1=$(grep "modecfgdns1=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
|
||||
DNS_SRV2=$(grep "modecfgdns2=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
|
||||
[ -n "$DNS_SRV1" ] && dns_state=2
|
||||
@ -115,28 +115,6 @@ Version to install: Libreswan $SWAN_VER
|
||||
|
||||
EOF
|
||||
|
||||
case "$SWAN_VER" in
|
||||
3.19|3.2[0123567])
|
||||
cat <<'EOF'
|
||||
WARNING: Older versions of Libreswan may contain security vulnerabilities.
|
||||
See: https://libreswan.org/security/
|
||||
Are you sure you want to install an older version?
|
||||
|
||||
EOF
|
||||
;;
|
||||
esac
|
||||
|
||||
case "$SWAN_VER" in
|
||||
3.2[35])
|
||||
cat <<'EOF'
|
||||
WARNING: Libreswan 3.23 and 3.25 have an issue with connecting multiple
|
||||
IPsec/XAuth VPN clients from behind the same NAT (e.g. home router).
|
||||
DO NOT install 3.23/3.25 if your use cases include the above.
|
||||
|
||||
EOF
|
||||
;;
|
||||
esac
|
||||
|
||||
cat <<'EOF'
|
||||
NOTE: Libreswan versions 3.19 and newer require some configuration changes.
|
||||
This script will make the following updates to your /etc/ipsec.conf:
|
||||
@ -158,7 +136,7 @@ cat <<'EOF'
|
||||
EOF
|
||||
fi
|
||||
|
||||
if [ "$SWAN_VER" = "3.29" ]; then
|
||||
if [ "$SWAN_VER" = "3.29" ] || [ "$SWAN_VER" = "3.31" ]; then
|
||||
cat <<'EOF'
|
||||
- Move "ikev2=never" to section "conn shared"
|
||||
EOF
|
||||
@ -170,6 +148,28 @@ cat <<'EOF'
|
||||
|
||||
EOF
|
||||
|
||||
case "$SWAN_VER" in
|
||||
3.19|3.2[01235679])
|
||||
cat <<'EOF'
|
||||
WARNING: Older versions of Libreswan could contain known security vulnerabilities.
|
||||
See: https://libreswan.org/security/
|
||||
Are you sure you want to install an older version?
|
||||
|
||||
EOF
|
||||
;;
|
||||
esac
|
||||
|
||||
case "$SWAN_VER" in
|
||||
3.2[35])
|
||||
cat <<'EOF'
|
||||
WARNING: Libreswan 3.23 and 3.25 have an issue with connecting multiple
|
||||
IPsec/XAuth VPN clients from behind the same NAT (e.g. home router).
|
||||
DO NOT install 3.23/3.25 if your use cases include the above.
|
||||
|
||||
EOF
|
||||
;;
|
||||
esac
|
||||
|
||||
printf "Do you wish to continue? [y/N] "
|
||||
read -r response
|
||||
case $response in
|
||||
@ -220,6 +220,12 @@ USE_NSS_AVA_COPY = true
|
||||
USE_NSS_IPSEC_PROFILE = false
|
||||
USE_GLIBC_KERN_FLIP_HEADERS = true
|
||||
EOF
|
||||
if [ "$SWAN_VER" = "3.31" ]; then
|
||||
echo "USE_DH2 = true" >> Makefile.inc.local
|
||||
if ! grep -qs IFLA_XFRM_LINK /usr/include/linux/if_link.h; then
|
||||
echo "USE_XFRM_INTERFACE_IFLA_HEADER = true" >> Makefile.inc.local
|
||||
fi
|
||||
fi
|
||||
if [ "$(packaging/utils/lswan_detect.sh init)" = "systemd" ]; then
|
||||
apt-get -yq install libsystemd-dev || exiterr2
|
||||
fi
|
||||
@ -260,7 +266,7 @@ elif [ "$dns_state" = "4" ]; then
|
||||
sed -i "s/modecfgdns=.*/modecfgdns1=$DNS_SRV1/" /etc/ipsec.conf
|
||||
fi
|
||||
|
||||
if [ "$SWAN_VER" = "3.29" ]; then
|
||||
if [ "$SWAN_VER" = "3.29" ] || [ "$SWAN_VER" = "3.31" ]; then
|
||||
sed -i "/ikev2=never/d" /etc/ipsec.conf
|
||||
sed -i "/dpdaction=clear/a \ ikev2=never" /etc/ipsec.conf
|
||||
fi
|
||||
|
||||
@ -11,7 +11,7 @@
|
||||
# know how you have improved it!
|
||||
|
||||
# Specify which Libreswan version to install. See: https://libreswan.org
|
||||
SWAN_VER=3.29
|
||||
SWAN_VER=3.31
|
||||
|
||||
### DO NOT edit below this line ###
|
||||
|
||||
@ -37,14 +37,14 @@ if [ "$(id -u)" != 0 ]; then
|
||||
fi
|
||||
|
||||
case "$SWAN_VER" in
|
||||
3.19|3.2[01235679])
|
||||
3.19|3.2[01235679]|3.31)
|
||||
/bin/true
|
||||
;;
|
||||
*)
|
||||
cat 1>&2 <<EOF
|
||||
Error: Libreswan version '$SWAN_VER' is not supported.
|
||||
This script can install one of the following versions:
|
||||
3.19-3.23, 3.25-3.27 and 3.29
|
||||
3.19-3.23, 3.25-3.27, 3.29 and 3.31
|
||||
EOF
|
||||
exit 1
|
||||
;;
|
||||
@ -52,7 +52,7 @@ esac
|
||||
|
||||
dns_state=0
|
||||
case "$SWAN_VER" in
|
||||
3.2[35679])
|
||||
3.2[35679]|3.31)
|
||||
DNS_SRV1=$(grep "modecfgdns1=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
|
||||
DNS_SRV2=$(grep "modecfgdns2=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
|
||||
[ -n "$DNS_SRV1" ] && dns_state=2
|
||||
@ -106,28 +106,6 @@ Version to install: Libreswan $SWAN_VER
|
||||
|
||||
EOF
|
||||
|
||||
case "$SWAN_VER" in
|
||||
3.19|3.2[0123567])
|
||||
cat <<'EOF'
|
||||
WARNING: Older versions of Libreswan may contain security vulnerabilities.
|
||||
See: https://libreswan.org/security/
|
||||
Are you sure you want to install an older version?
|
||||
|
||||
EOF
|
||||
;;
|
||||
esac
|
||||
|
||||
case "$SWAN_VER" in
|
||||
3.2[35])
|
||||
cat <<'EOF'
|
||||
WARNING: Libreswan 3.23 and 3.25 have an issue with connecting multiple
|
||||
IPsec/XAuth VPN clients from behind the same NAT (e.g. home router).
|
||||
DO NOT install 3.23/3.25 if your use cases include the above.
|
||||
|
||||
EOF
|
||||
;;
|
||||
esac
|
||||
|
||||
cat <<'EOF'
|
||||
NOTE: Libreswan versions 3.19 and newer require some configuration changes.
|
||||
This script will make the following updates to your /etc/ipsec.conf:
|
||||
@ -149,7 +127,7 @@ cat <<'EOF'
|
||||
EOF
|
||||
fi
|
||||
|
||||
if [ "$SWAN_VER" = "3.29" ]; then
|
||||
if [ "$SWAN_VER" = "3.29" ] || [ "$SWAN_VER" = "3.31" ]; then
|
||||
cat <<'EOF'
|
||||
- Move "ikev2=never" to section "conn shared"
|
||||
EOF
|
||||
@ -161,6 +139,28 @@ cat <<'EOF'
|
||||
|
||||
EOF
|
||||
|
||||
case "$SWAN_VER" in
|
||||
3.19|3.2[01235679])
|
||||
cat <<'EOF'
|
||||
WARNING: Older versions of Libreswan could contain known security vulnerabilities.
|
||||
See: https://libreswan.org/security/
|
||||
Are you sure you want to install an older version?
|
||||
|
||||
EOF
|
||||
;;
|
||||
esac
|
||||
|
||||
case "$SWAN_VER" in
|
||||
3.2[35])
|
||||
cat <<'EOF'
|
||||
WARNING: Libreswan 3.23 and 3.25 have an issue with connecting multiple
|
||||
IPsec/XAuth VPN clients from behind the same NAT (e.g. home router).
|
||||
DO NOT install 3.23/3.25 if your use cases include the above.
|
||||
|
||||
EOF
|
||||
;;
|
||||
esac
|
||||
|
||||
printf "Do you wish to continue? [y/N] "
|
||||
read -r response
|
||||
case $response in
|
||||
@ -229,6 +229,12 @@ USE_NSS_AVA_COPY = true
|
||||
USE_NSS_IPSEC_PROFILE = false
|
||||
USE_GLIBC_KERN_FLIP_HEADERS = true
|
||||
EOF
|
||||
if [ "$SWAN_VER" = "3.31" ]; then
|
||||
echo "USE_DH2 = true" >> Makefile.inc.local
|
||||
if ! grep -qs IFLA_XFRM_LINK /usr/include/linux/if_link.h; then
|
||||
echo "USE_XFRM_INTERFACE_IFLA_HEADER = true" >> Makefile.inc.local
|
||||
fi
|
||||
fi
|
||||
NPROCS=$(grep -c ^processor /proc/cpuinfo)
|
||||
[ -z "$NPROCS" ] && NPROCS=1
|
||||
make "-j$((NPROCS+1))" -s base && make -s install-base
|
||||
@ -267,7 +273,7 @@ elif [ "$dns_state" = "4" ]; then
|
||||
sed -i "s/modecfgdns=.*/modecfgdns1=$DNS_SRV1/" /etc/ipsec.conf
|
||||
fi
|
||||
|
||||
if [ "$SWAN_VER" = "3.29" ]; then
|
||||
if [ "$SWAN_VER" = "3.29" ] || [ "$SWAN_VER" = "3.31" ]; then
|
||||
sed -i "/ikev2=never/d" /etc/ipsec.conf
|
||||
sed -i "/dpdaction=clear/a \ ikev2=never" /etc/ipsec.conf
|
||||
fi
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user