mirror/setup-ipsec-vpn
1
0
Fork 0
mirror of synced 2025-02-19 21:43:17 +03:00
Code Issues Projects Releases Wiki Activity

Update upgrade scripts

Browse Source 
- Support upgrading to Libreswan 3.31
This commit is contained in:
hwdsl2 2020-04-12 00:28:00 -05:00
parent 2c660bb914
commit 48d9b06bab
2 changed files with 68 additions and 56 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

62
extras/vpnupgrade.sh
View File

@ -11,7 +11,7 @@
# know how you have improved it! # know how you have improved it!
# Specify which Libreswan version to install. See: https://libreswan.org # Specify which Libreswan version to install. See: https://libreswan.org
SWAN_VER=3.29 SWAN_VER=3.31
### DO NOT edit below this line ### ### DO NOT edit below this line ###
@ -46,14 +46,14 @@ if [ "$(id -u)" != 0 ]; then
fi fi
case "$SWAN_VER" in case "$SWAN_VER" in
3.19|3.2[01235679]) 3.19|3.2[01235679]|3.31)
/bin/true /bin/true
;; ;;
*) *)
cat 1>&2 <<EOF cat 1>&2 <<EOF
Error: Libreswan version '$SWAN_VER' is not supported. Error: Libreswan version '$SWAN_VER' is not supported.
This script can install one of the following versions: This script can install one of the following versions:
3.19-3.23, 3.25-3.27 and 3.29 3.19-3.23, 3.25-3.27, 3.29 and 3.31
EOF EOF
exit 1 exit 1
;; ;;
@ -61,7 +61,7 @@ esac
dns_state=0 dns_state=0
case "$SWAN_VER" in case "$SWAN_VER" in
3.2[35679]) 3.2[35679]|3.31)
DNS_SRV1=$(grep "modecfgdns1=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2) DNS_SRV1=$(grep "modecfgdns1=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
DNS_SRV2=$(grep "modecfgdns2=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2) DNS_SRV2=$(grep "modecfgdns2=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
[ -n "$DNS_SRV1" ] && dns_state=2 [ -n "$DNS_SRV1" ] && dns_state=2
@ -115,28 +115,6 @@ Version to install: Libreswan $SWAN_VER
EOF EOF
case "$SWAN_VER" in
3.19|3.2[0123567])
cat <<'EOF'
WARNING: Older versions of Libreswan may contain security vulnerabilities.
See: https://libreswan.org/security/
Are you sure you want to install an older version?
EOF
;;
esac
case "$SWAN_VER" in
3.2[35])
cat <<'EOF'
WARNING: Libreswan 3.23 and 3.25 have an issue with connecting multiple
IPsec/XAuth VPN clients from behind the same NAT (e.g. home router).
DO NOT install 3.23/3.25 if your use cases include the above.
EOF
;;
esac
cat <<'EOF' cat <<'EOF'
NOTE: Libreswan versions 3.19 and newer require some configuration changes. NOTE: Libreswan versions 3.19 and newer require some configuration changes.
This script will make the following updates to your /etc/ipsec.conf: This script will make the following updates to your /etc/ipsec.conf:
@ -158,7 +136,7 @@ cat <<'EOF'
EOF EOF
fi fi
if [ "$SWAN_VER" = "3.29" ]; then if [ "$SWAN_VER" = "3.29" ] || [ "$SWAN_VER" = "3.31" ]; then
cat <<'EOF' cat <<'EOF'
- Move "ikev2=never" to section "conn shared" - Move "ikev2=never" to section "conn shared"
EOF EOF
@ -170,6 +148,28 @@ cat <<'EOF'
EOF EOF
case "$SWAN_VER" in
3.19|3.2[01235679])
cat <<'EOF'
WARNING: Older versions of Libreswan could contain known security vulnerabilities.
See: https://libreswan.org/security/
Are you sure you want to install an older version?
EOF
;;
esac
case "$SWAN_VER" in
3.2[35])
cat <<'EOF'
WARNING: Libreswan 3.23 and 3.25 have an issue with connecting multiple
IPsec/XAuth VPN clients from behind the same NAT (e.g. home router).
DO NOT install 3.23/3.25 if your use cases include the above.
EOF
;;
esac
printf "Do you wish to continue? [y/N] " printf "Do you wish to continue? [y/N] "
read -r response read -r response
case $response in case $response in
@ -220,6 +220,12 @@ USE_NSS_AVA_COPY = true
USE_NSS_IPSEC_PROFILE = false USE_NSS_IPSEC_PROFILE = false
USE_GLIBC_KERN_FLIP_HEADERS = true USE_GLIBC_KERN_FLIP_HEADERS = true
EOF EOF
if [ "$SWAN_VER" = "3.31" ]; then
echo "USE_DH2 = true" >> Makefile.inc.local
if ! grep -qs IFLA_XFRM_LINK /usr/include/linux/if_link.h; then
echo "USE_XFRM_INTERFACE_IFLA_HEADER = true" >> Makefile.inc.local
fi
fi
if [ "$(packaging/utils/lswan_detect.sh init)" = "systemd" ]; then if [ "$(packaging/utils/lswan_detect.sh init)" = "systemd" ]; then
apt-get -yq install libsystemd-dev || exiterr2 apt-get -yq install libsystemd-dev || exiterr2
fi fi
@ -260,7 +266,7 @@ elif [ "$dns_state" = "4" ]; then
sed -i "s/modecfgdns=.*/modecfgdns1=$DNS_SRV1/" /etc/ipsec.conf sed -i "s/modecfgdns=.*/modecfgdns1=$DNS_SRV1/" /etc/ipsec.conf
fi fi
if [ "$SWAN_VER" = "3.29" ]; then if [ "$SWAN_VER" = "3.29" ] || [ "$SWAN_VER" = "3.31" ]; then
sed -i "/ikev2=never/d" /etc/ipsec.conf sed -i "/ikev2=never/d" /etc/ipsec.conf
sed -i "/dpdaction=clear/a \ ikev2=never" /etc/ipsec.conf sed -i "/dpdaction=clear/a \ ikev2=never" /etc/ipsec.conf
fi fi

62
extras/vpnupgrade_centos.sh
View File

@ -11,7 +11,7 @@
# know how you have improved it! # know how you have improved it!
# Specify which Libreswan version to install. See: https://libreswan.org # Specify which Libreswan version to install. See: https://libreswan.org
SWAN_VER=3.29 SWAN_VER=3.31
### DO NOT edit below this line ### ### DO NOT edit below this line ###
@ -37,14 +37,14 @@ if [ "$(id -u)" != 0 ]; then
fi fi
case "$SWAN_VER" in case "$SWAN_VER" in
3.19|3.2[01235679]) 3.19|3.2[01235679]|3.31)
/bin/true /bin/true
;; ;;
*) *)
cat 1>&2 <<EOF cat 1>&2 <<EOF
Error: Libreswan version '$SWAN_VER' is not supported. Error: Libreswan version '$SWAN_VER' is not supported.
This script can install one of the following versions: This script can install one of the following versions:
3.19-3.23, 3.25-3.27 and 3.29 3.19-3.23, 3.25-3.27, 3.29 and 3.31
EOF EOF
exit 1 exit 1
;; ;;
@ -52,7 +52,7 @@ esac
dns_state=0 dns_state=0
case "$SWAN_VER" in case "$SWAN_VER" in
3.2[35679]) 3.2[35679]|3.31)
DNS_SRV1=$(grep "modecfgdns1=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2) DNS_SRV1=$(grep "modecfgdns1=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
DNS_SRV2=$(grep "modecfgdns2=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2) DNS_SRV2=$(grep "modecfgdns2=" /etc/ipsec.conf | head -n 1 | cut -d '=' -f 2)
[ -n "$DNS_SRV1" ] && dns_state=2 [ -n "$DNS_SRV1" ] && dns_state=2
@ -106,28 +106,6 @@ Version to install: Libreswan $SWAN_VER
EOF EOF
case "$SWAN_VER" in
3.19|3.2[0123567])
cat <<'EOF'
WARNING: Older versions of Libreswan may contain security vulnerabilities.
See: https://libreswan.org/security/
Are you sure you want to install an older version?
EOF
;;
esac
case "$SWAN_VER" in
3.2[35])
cat <<'EOF'
WARNING: Libreswan 3.23 and 3.25 have an issue with connecting multiple
IPsec/XAuth VPN clients from behind the same NAT (e.g. home router).
DO NOT install 3.23/3.25 if your use cases include the above.
EOF
;;
esac
cat <<'EOF' cat <<'EOF'
NOTE: Libreswan versions 3.19 and newer require some configuration changes. NOTE: Libreswan versions 3.19 and newer require some configuration changes.
This script will make the following updates to your /etc/ipsec.conf: This script will make the following updates to your /etc/ipsec.conf:
@ -149,7 +127,7 @@ cat <<'EOF'
EOF EOF
fi fi
if [ "$SWAN_VER" = "3.29" ]; then if [ "$SWAN_VER" = "3.29" ] || [ "$SWAN_VER" = "3.31" ]; then
cat <<'EOF' cat <<'EOF'
- Move "ikev2=never" to section "conn shared" - Move "ikev2=never" to section "conn shared"
EOF EOF
@ -161,6 +139,28 @@ cat <<'EOF'
EOF EOF
case "$SWAN_VER" in
3.19|3.2[01235679])
cat <<'EOF'
WARNING: Older versions of Libreswan could contain known security vulnerabilities.
See: https://libreswan.org/security/
Are you sure you want to install an older version?
EOF
;;
esac
case "$SWAN_VER" in
3.2[35])
cat <<'EOF'
WARNING: Libreswan 3.23 and 3.25 have an issue with connecting multiple
IPsec/XAuth VPN clients from behind the same NAT (e.g. home router).
DO NOT install 3.23/3.25 if your use cases include the above.
EOF
;;
esac
printf "Do you wish to continue? [y/N] " printf "Do you wish to continue? [y/N] "
read -r response read -r response
case $response in case $response in
@ -229,6 +229,12 @@ USE_NSS_AVA_COPY = true
USE_NSS_IPSEC_PROFILE = false USE_NSS_IPSEC_PROFILE = false
USE_GLIBC_KERN_FLIP_HEADERS = true USE_GLIBC_KERN_FLIP_HEADERS = true
EOF EOF
if [ "$SWAN_VER" = "3.31" ]; then
echo "USE_DH2 = true" >> Makefile.inc.local
if ! grep -qs IFLA_XFRM_LINK /usr/include/linux/if_link.h; then
echo "USE_XFRM_INTERFACE_IFLA_HEADER = true" >> Makefile.inc.local
fi
fi
NPROCS=$(grep -c ^processor /proc/cpuinfo) NPROCS=$(grep -c ^processor /proc/cpuinfo)
[ -z "$NPROCS" ] && NPROCS=1 [ -z "$NPROCS" ] && NPROCS=1
make "-j$((NPROCS+1))" -s base && make -s install-base make "-j$((NPROCS+1))" -s base && make -s install-base
@ -267,7 +273,7 @@ elif [ "$dns_state" = "4" ]; then
sed -i "s/modecfgdns=.*/modecfgdns1=$DNS_SRV1/" /etc/ipsec.conf sed -i "s/modecfgdns=.*/modecfgdns1=$DNS_SRV1/" /etc/ipsec.conf
fi fi
if [ "$SWAN_VER" = "3.29" ]; then if [ "$SWAN_VER" = "3.29" ] || [ "$SWAN_VER" = "3.31" ]; then
sed -i "/ikev2=never/d" /etc/ipsec.conf sed -i "/ikev2=never/d" /etc/ipsec.conf
sed -i "/dpdaction=clear/a \ ikev2=never" /etc/ipsec.conf sed -i "/dpdaction=clear/a \ ikev2=never" /etc/ipsec.conf
fi fi