
Improve update scripts

- Refactor VPN update scripts into functions
- Cleanup
This commit is contained in:
hwdsl2 2021-08-22 00:43:14 -05:00
parent 665349336d
commit 52216d8f59
3 changed files with 639 additions and 546 deletions


@ -19,24 +19,26 @@ SWAN_VER=4.4
### DO NOT edit below this line ### ### DO NOT edit below this line ###
export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
[ -n "$VPN_UPDATE_SWAN_VER" ] && SWAN_VER="$VPN_UPDATE_SWAN_VER"
exiterr() { echo "Error: $1" >&2; exit 1; } exiterr() { echo "Error: $1" >&2; exit 1; }
exiterr2() { exiterr "'yum install' failed."; } exiterr2() { exiterr "'yum install' failed."; }
bigecho() { echo "## $1"; } bigecho() { echo "## $1"; }
vpnupgrade() { check_root() {
if [ "$(id -u)" != 0 ]; then
[ -n "$VPN_UPDATE_SWAN_VER" ] && SWAN_VER="$VPN_UPDATE_SWAN_VER" exiterr "Script must be run as root. Try 'sudo sh $0'"
fi
}
check_os() {
os_arch=$(uname -m | tr -dc 'A-Za-z0-9_-') os_arch=$(uname -m | tr -dc 'A-Za-z0-9_-')
if ! grep -qs "Amazon Linux release 2" /etc/system-release; then if ! grep -qs "Amazon Linux release 2" /etc/system-release; then
exiterr "This script only supports Amazon Linux 2." exiterr "This script only supports Amazon Linux 2."
fi fi
}
if [ "$(id -u)" != 0 ]; then check_libreswan() {
exiterr "Script must be run as root. Try 'sudo sh $0'"
fi
case $SWAN_VER in case $SWAN_VER in
3.32|4.[1234]) 3.32|4.[1234])
true true
@ -61,33 +63,12 @@ EOF
exit 1 exit 1
fi fi
swan_ver_cur=4.4
swan_ver_url="https://dl.ls20.com/v1/amzn/2/swanverupg?arch=$os_arch&ver1=$swan_ver_old&ver2=$SWAN_VER"
swan_ver_latest=$(wget -t 3 -T 15 -qO- "$swan_ver_url")
if printf '%s' "$swan_ver_latest" | grep -Eq '^([3-9]|[1-9][0-9]{1,2})(\.([0-9]|[1-9][0-9]{1,2})){1,2}$' \
&& [ "$swan_ver_cur" != "$swan_ver_latest" ] \
&& printf '%s\n%s' "$swan_ver_cur" "$swan_ver_latest" | sort -C -V; then
echo "Note: A newer version of Libreswan ($swan_ver_latest) is available."
echo " To update to the new version, exit this script and run:"
echo " wget https://git.io/vpnupgrade -O vpnup.sh && sudo sh vpnup.sh"
echo
printf "Do you want to continue anyway? [y/N] "
read -r response
case $response in
[yY][eE][sS]|[yY])
echo
;;
*)
echo "Abort. No changes were made."
exit 1
;;
esac
fi
if [ "$swan_ver_old" = "$SWAN_VER" ]; then if [ "$swan_ver_old" = "$SWAN_VER" ]; then
echo "You already have Libreswan version $SWAN_VER installed! " cat <<EOF
echo "If you continue, the same version will be re-installed." You already have Libreswan version $SWAN_VER installed!
echo If you continue, the same version will be re-installed.
EOF
printf "Do you want to continue anyway? [y/N] " printf "Do you want to continue anyway? [y/N] "
read -r response read -r response
case $response in case $response in
@ -100,7 +81,9 @@ if [ "$swan_ver_old" = "$SWAN_VER" ]; then
;; ;;
esac esac
fi fi
}
show_setup_info() {
cat <<EOF cat <<EOF
Welcome! Use this script to update Libreswan on your IPsec VPN server. Welcome! Use this script to update Libreswan on your IPsec VPN server.
@ -108,9 +91,6 @@ Welcome! Use this script to update Libreswan on your IPsec VPN server.
Current version: Libreswan $swan_ver_old Current version: Libreswan $swan_ver_old
Version to install: Libreswan $SWAN_VER Version to install: Libreswan $SWAN_VER
EOF
cat <<'EOF'
Note: This script will make the following changes to your VPN configuration: Note: This script will make the following changes to your VPN configuration:
- Fix obsolete ipsec.conf and/or ikev2.conf options - Fix obsolete ipsec.conf and/or ikev2.conf options
- Optimize VPN ciphers - Optimize VPN ciphers
@ -132,19 +112,24 @@ read -r response
case $response in case $response in
[yY][eE][sS]|[yY]) [yY][eE][sS]|[yY])
echo echo
bigecho "Please be patient. Setup is continuing..."
;; ;;
*) *)
echo "Abort. No changes were made." echo "Abort. No changes were made."
exit 1 exit 1
;; ;;
esac esac
}
# shellcheck disable=SC2154,SC2039,SC3047
start_setup() {
trap 'dlo=$dl;dl=$LINENO' DEBUG 2>/dev/null
trap 'finish $? $((dlo+1))' EXIT
mkdir -p /opt/src mkdir -p /opt/src
cd /opt/src || exit 1 cd /opt/src || exit 1
}
install_pkgs() {
bigecho "Installing required packages..." bigecho "Installing required packages..."
( (
set -x set -x
yum -y -q install nss-devel nspr-devel pkgconfig pam-devel \ yum -y -q install nss-devel nspr-devel pkgconfig pam-devel \
@ -152,9 +137,10 @@ bigecho "Installing required packages..."
flex bison gcc make wget sed tar \ flex bison gcc make wget sed tar \
systemd-devel libevent-devel fipscheck-devel >/dev/null systemd-devel libevent-devel fipscheck-devel >/dev/null
) || exiterr2 ) || exiterr2
}
get_libreswan() {
bigecho "Downloading Libreswan..." bigecho "Downloading Libreswan..."
swan_file="libreswan-$SWAN_VER.tar.gz" swan_file="libreswan-$SWAN_VER.tar.gz"
swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz" swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz"
swan_url2="https://download.libreswan.org/$swan_file" swan_url2="https://download.libreswan.org/$swan_file"
@ -164,9 +150,10 @@ swan_url2="https://download.libreswan.org/$swan_file"
) || exit 1 ) || exit 1
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER" /bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
tar xzf "$swan_file" && /bin/rm -f "$swan_file" tar xzf "$swan_file" && /bin/rm -f "$swan_file"
}
install_libreswan() {
bigecho "Compiling and installing Libreswan, please wait..." bigecho "Compiling and installing Libreswan, please wait..."
cd "libreswan-$SWAN_VER" || exit 1 cd "libreswan-$SWAN_VER" || exit 1
[ "$SWAN_VER" = "4.1" ] && sed -i 's/ sysv )/ sysvinit )/' programs/setup/setup.in [ "$SWAN_VER" = "4.1" ] && sed -i 's/ sysv )/ sysvinit )/' programs/setup/setup.in
cat > Makefile.inc.local <<'EOF' cat > Makefile.inc.local <<'EOF'
@ -193,14 +180,16 @@ cd /opt/src || exit 1
if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then
exiterr "Libreswan $SWAN_VER failed to build." exiterr "Libreswan $SWAN_VER failed to build."
fi fi
}
# Restore SELinux contexts restore_selinux() {
restorecon /etc/ipsec.d/*db 2>/dev/null restorecon /etc/ipsec.d/*db 2>/dev/null
restorecon /usr/local/sbin -Rv 2>/dev/null restorecon /usr/local/sbin -Rv 2>/dev/null
restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null
}
update_config() {
bigecho "Updating VPN configuration..." bigecho "Updating VPN configuration..."
IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024" IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024"
PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2" PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2"
@ -233,12 +222,15 @@ sed -i "/conn shared/a \ ikev2=never" /etc/ipsec.conf
if grep -qs ike-frag /etc/ipsec.d/ikev2.conf; then if grep -qs ike-frag /etc/ipsec.d/ikev2.conf; then
sed -i 's/^[[:space:]]\+ike-frag=/ fragmentation=/' /etc/ipsec.d/ikev2.conf sed -i 's/^[[:space:]]\+ike-frag=/ fragmentation=/' /etc/ipsec.d/ikev2.conf
fi fi
}
restart_ipsec() {
bigecho "Restarting IPsec service..." bigecho "Restarting IPsec service..."
mkdir -p /run/pluto mkdir -p /run/pluto
service ipsec restart 2>/dev/null service ipsec restart 2>/dev/null
}
show_setup_complete() {
cat <<EOF cat <<EOF
================================================ ================================================
@ -263,7 +255,43 @@ IMPORTANT: You must edit /etc/ipsec.conf and replace
EOF EOF
fi fi
}
check_swan_ver() {
swan_ver_cur=4.4
swan_ver_url="https://dl.ls20.com/v1/amzn/2/swanverupg?arch=$os_arch&ver1=$swan_ver_old&ver2=$SWAN_VER"
[ "$1" != "0" ] && swan_ver_url="$swan_ver_url&e=$2"
swan_ver_latest=$(wget -t 3 -T 15 -qO- "$swan_ver_url")
if printf '%s' "$swan_ver_latest" | grep -Eq '^([3-9]|[1-9][0-9]{1,2})(\.([0-9]|[1-9][0-9]{1,2})){1,2}$' \
&& [ "$1" = "0" ] && [ "$swan_ver_cur" != "$swan_ver_latest" ] \
&& printf '%s\n%s' "$swan_ver_cur" "$swan_ver_latest" | sort -C -V; then
cat <<EOF
Note: A newer version of Libreswan ($swan_ver_latest) is available.
To update, run:
wget https://git.io/vpnupgrade -O vpnup.sh && sudo sh vpnup.sh
EOF
fi
}
finish() {
check_swan_ver "$1" "$2"
exit "$1"
}
vpnupgrade() {
check_root
check_os
check_libreswan
show_setup_info
start_setup
install_pkgs
get_libreswan
install_libreswan
restore_selinux
update_config
restart_ipsec
show_setup_complete
} }
## Defer setup until we have the complete script ## Defer setup until we have the complete script
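Review bot: The EXIT trap set in start_setup (`trap 'finish $? $((dlo+1))' EXIT`) makes every exit after that point, including the failure paths through exiterr, run check_swan_ver, which contacts dl.ls20.com and on a non-zero status appends `&e=$2` — what appears to be the line number of the failing command — to the request; nothing in the script tells the operator that failures are reported to a remote host. Add a comment above the trap, e.g. `# On exit, check_swan_ver queries dl.ls20.com for a newer version; a non-zero exit also reports the failing line number (&e=)`, so the behaviour is visible to anyone auditing the script before running it as root. Because the lookup uses `wget -t 3 -T 15`, a failed run on a host without outbound HTTPS can also take up to ~45 s longer to exit; if that delay is unwanted, skip the fetch when `$1` is non-zero. The response is still validated against the version regex before being printed, which is the right check to keep.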


@ -19,15 +19,25 @@ SWAN_VER=4.4
### DO NOT edit below this line ### ### DO NOT edit below this line ###
export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
[ -n "$VPN_UPDATE_SWAN_VER" ] && SWAN_VER="$VPN_UPDATE_SWAN_VER"
exiterr() { echo "Error: $1" >&2; exit 1; } exiterr() { echo "Error: $1" >&2; exit 1; }
exiterr2() { exiterr "'yum install' failed."; } exiterr2() { exiterr "'yum install' failed."; }
bigecho() { echo "## $1"; } bigecho() { echo "## $1"; }
vpnupgrade() { check_root() {
if [ "$(id -u)" != 0 ]; then
exiterr "Script must be run as root. Try 'sudo sh $0'"
fi
}
[ -n "$VPN_UPDATE_SWAN_VER" ] && SWAN_VER="$VPN_UPDATE_SWAN_VER" check_vz() {
if [ -f /proc/user_beancounters ]; then
exiterr "OpenVZ VPS is not supported."
fi
}
check_os() {
os_type=centos os_type=centos
os_arch=$(uname -m | tr -dc 'A-Za-z0-9_-') os_arch=$(uname -m | tr -dc 'A-Za-z0-9_-')
rh_file="/etc/redhat-release" rh_file="/etc/redhat-release"
@ -44,15 +54,9 @@ elif grep -qs "release 8" "$rh_file"; then
else else
exiterr "This script only supports CentOS/RHEL 7 and 8." exiterr "This script only supports CentOS/RHEL 7 and 8."
fi fi
}
if [ -f /proc/user_beancounters ]; then check_libreswan() {
exiterr "OpenVZ VPS is not supported."
fi
if [ "$(id -u)" != 0 ]; then
exiterr "Script must be run as root. Try 'sudo sh $0'"
fi
case $SWAN_VER in case $SWAN_VER in
3.32|4.[1234]) 3.32|4.[1234])
true true
@ -77,33 +81,12 @@ EOF
exit 1 exit 1
fi fi
swan_ver_cur=4.4
swan_ver_url="https://dl.ls20.com/v1/$os_type/$os_ver/swanverupg?arch=$os_arch&ver1=$swan_ver_old&ver2=$SWAN_VER"
swan_ver_latest=$(wget -t 3 -T 15 -qO- "$swan_ver_url")
if printf '%s' "$swan_ver_latest" | grep -Eq '^([3-9]|[1-9][0-9]{1,2})(\.([0-9]|[1-9][0-9]{1,2})){1,2}$' \
&& [ "$swan_ver_cur" != "$swan_ver_latest" ] \
&& printf '%s\n%s' "$swan_ver_cur" "$swan_ver_latest" | sort -C -V; then
echo "Note: A newer version of Libreswan ($swan_ver_latest) is available."
echo " To update to the new version, exit this script and run:"
echo " wget https://git.io/vpnupgrade -O vpnup.sh && sudo sh vpnup.sh"
echo
printf "Do you want to continue anyway? [y/N] "
read -r response
case $response in
[yY][eE][sS]|[yY])
echo
;;
*)
echo "Abort. No changes were made."
exit 1
;;
esac
fi
if [ "$swan_ver_old" = "$SWAN_VER" ]; then if [ "$swan_ver_old" = "$SWAN_VER" ]; then
echo "You already have Libreswan version $SWAN_VER installed! " cat <<EOF
echo "If you continue, the same version will be re-installed." You already have Libreswan version $SWAN_VER installed!
echo If you continue, the same version will be re-installed.
EOF
printf "Do you want to continue anyway? [y/N] " printf "Do you want to continue anyway? [y/N] "
read -r response read -r response
case $response in case $response in
@ -116,7 +99,9 @@ if [ "$swan_ver_old" = "$SWAN_VER" ]; then
;; ;;
esac esac
fi fi
}
show_setup_info() {
cat <<EOF cat <<EOF
Welcome! Use this script to update Libreswan on your IPsec VPN server. Welcome! Use this script to update Libreswan on your IPsec VPN server.
@ -124,9 +109,6 @@ Welcome! Use this script to update Libreswan on your IPsec VPN server.
Current version: Libreswan $swan_ver_old Current version: Libreswan $swan_ver_old
Version to install: Libreswan $SWAN_VER Version to install: Libreswan $SWAN_VER
EOF
cat <<'EOF'
Note: This script will make the following changes to your VPN configuration: Note: This script will make the following changes to your VPN configuration:
- Fix obsolete ipsec.conf and/or ikev2.conf options - Fix obsolete ipsec.conf and/or ikev2.conf options
- Optimize VPN ciphers - Optimize VPN ciphers
@ -148,32 +130,38 @@ read -r response
case $response in case $response in
[yY][eE][sS]|[yY]) [yY][eE][sS]|[yY])
echo echo
bigecho "Please be patient. Setup is continuing..."
;; ;;
*) *)
echo "Abort. No changes were made." echo "Abort. No changes were made."
exit 1 exit 1
;; ;;
esac esac
}
# shellcheck disable=SC2154,SC2039,SC3047
start_setup() {
trap 'dlo=$dl;dl=$LINENO' DEBUG 2>/dev/null
trap 'finish $? $((dlo+1))' EXIT
mkdir -p /opt/src mkdir -p /opt/src
cd /opt/src || exit 1 cd /opt/src || exit 1
}
install_pkgs_1() {
bigecho "Installing required packages..." bigecho "Installing required packages..."
( (
set -x set -x
yum -y -q install nss-devel nspr-devel pkgconfig pam-devel \ yum -y -q install nss-devel nspr-devel pkgconfig pam-devel \
libcap-ng-devel libselinux-devel curl-devel nss-tools \ libcap-ng-devel libselinux-devel curl-devel nss-tools \
flex bison gcc make wget sed tar >/dev/null flex bison gcc make wget sed tar >/dev/null
) || exiterr2 ) || exiterr2
}
install_pkgs_2() {
erp="--enablerepo" erp="--enablerepo"
rp1="$erp=*server-*optional*" rp1="$erp=*server-*optional*"
rp2="$erp=*releases-optional*" rp2="$erp=*releases-optional*"
rp3="$erp=[Pp]ower[Tt]ools" rp3="$erp=[Pp]ower[Tt]ools"
[ "$os_type" = "rhel" ] && rp3="$erp=codeready-builder-for-rhel-8-*" [ "$os_type" = "rhel" ] && rp3="$erp=codeready-builder-for-rhel-8-*"
if [ "$os_ver" = "7" ]; then if [ "$os_ver" = "7" ]; then
( (
set -x set -x
@ -185,9 +173,10 @@ else
yum "$rp3" -y -q install systemd-devel libevent-devel fipscheck-devel >/dev/null yum "$rp3" -y -q install systemd-devel libevent-devel fipscheck-devel >/dev/null
) || exiterr2 ) || exiterr2
fi fi
}
get_libreswan() {
bigecho "Downloading Libreswan..." bigecho "Downloading Libreswan..."
swan_file="libreswan-$SWAN_VER.tar.gz" swan_file="libreswan-$SWAN_VER.tar.gz"
swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz" swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz"
swan_url2="https://download.libreswan.org/$swan_file" swan_url2="https://download.libreswan.org/$swan_file"
@ -197,9 +186,10 @@ swan_url2="https://download.libreswan.org/$swan_file"
) || exit 1 ) || exit 1
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER" /bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
tar xzf "$swan_file" && /bin/rm -f "$swan_file" tar xzf "$swan_file" && /bin/rm -f "$swan_file"
}
install_libreswan() {
bigecho "Compiling and installing Libreswan, please wait..." bigecho "Compiling and installing Libreswan, please wait..."
cd "libreswan-$SWAN_VER" || exit 1 cd "libreswan-$SWAN_VER" || exit 1
[ "$SWAN_VER" = "4.1" ] && sed -i 's/ sysv )/ sysvinit )/' programs/setup/setup.in [ "$SWAN_VER" = "4.1" ] && sed -i 's/ sysv )/ sysvinit )/' programs/setup/setup.in
cat > Makefile.inc.local <<'EOF' cat > Makefile.inc.local <<'EOF'
@ -226,14 +216,16 @@ cd /opt/src || exit 1
if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then
exiterr "Libreswan $SWAN_VER failed to build." exiterr "Libreswan $SWAN_VER failed to build."
fi fi
}
# Restore SELinux contexts restore_selinux() {
restorecon /etc/ipsec.d/*db 2>/dev/null restorecon /etc/ipsec.d/*db 2>/dev/null
restorecon /usr/local/sbin -Rv 2>/dev/null restorecon /usr/local/sbin -Rv 2>/dev/null
restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null
}
update_config() {
bigecho "Updating VPN configuration..." bigecho "Updating VPN configuration..."
IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024" IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024"
PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2" PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2"
@ -266,12 +258,15 @@ sed -i "/conn shared/a \ ikev2=never" /etc/ipsec.conf
if grep -qs ike-frag /etc/ipsec.d/ikev2.conf; then if grep -qs ike-frag /etc/ipsec.d/ikev2.conf; then
sed -i 's/^[[:space:]]\+ike-frag=/ fragmentation=/' /etc/ipsec.d/ikev2.conf sed -i 's/^[[:space:]]\+ike-frag=/ fragmentation=/' /etc/ipsec.d/ikev2.conf
fi fi
}
restart_ipsec() {
bigecho "Restarting IPsec service..." bigecho "Restarting IPsec service..."
mkdir -p /run/pluto mkdir -p /run/pluto
service ipsec restart 2>/dev/null service ipsec restart 2>/dev/null
}
show_setup_complete() {
cat <<EOF cat <<EOF
================================================ ================================================
@ -296,7 +291,45 @@ IMPORTANT: You must edit /etc/ipsec.conf and replace
EOF EOF
fi fi
}
check_swan_ver() {
swan_ver_cur=4.4
swan_ver_url="https://dl.ls20.com/v1/$os_type/$os_ver/swanverupg?arch=$os_arch&ver1=$swan_ver_old&ver2=$SWAN_VER"
[ "$1" != "0" ] && swan_ver_url="$swan_ver_url&e=$2"
swan_ver_latest=$(wget -t 3 -T 15 -qO- "$swan_ver_url")
if printf '%s' "$swan_ver_latest" | grep -Eq '^([3-9]|[1-9][0-9]{1,2})(\.([0-9]|[1-9][0-9]{1,2})){1,2}$' \
&& [ "$1" = "0" ] && [ "$swan_ver_cur" != "$swan_ver_latest" ] \
&& printf '%s\n%s' "$swan_ver_cur" "$swan_ver_latest" | sort -C -V; then
cat <<EOF
Note: A newer version of Libreswan ($swan_ver_latest) is available.
To update, run:
wget https://git.io/vpnupgrade -O vpnup.sh && sudo sh vpnup.sh
EOF
fi
}
finish() {
check_swan_ver "$1" "$2"
exit "$1"
}
vpnupgrade() {
check_root
check_vz
check_os
check_libreswan
show_setup_info
start_setup
install_pkgs_1
install_pkgs_2
get_libreswan
install_libreswan
restore_selinux
update_config
restart_ipsec
show_setup_complete
} }
## Defer setup until we have the complete script ## Defer setup until we have the complete script
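Review bot: The new finish/check_swan_ver pair turns the EXIT trap into an error-reporting channel: on any non-zero exit after start_setup, the request to dl.ls20.com carries `&e=$2`, which is meant to be the line of the failing command, and this is not mentioned anywhere in the script or in the `show_setup_info` text the user confirms. The line number comes from a DEBUG trap that is silenced with `2>/dev/null` and has SC3047 suppressed, so under a `sh` without DEBUG trap support `dlo` is never set and the reported value is presumably just `1`; a comment such as `# $dlo is only set when the shell supports a DEBUG trap; otherwise the reported line is meaningless` would stop a maintainer from relying on it. Consider also documenting the network call in start_setup, e.g. `# EXIT trap: check_swan_ver contacts dl.ls20.com (reports failing line on error)`. The regex guard on `swan_ver_latest` before echoing it is good and should stay.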


@ -19,15 +19,25 @@ SWAN_VER=4.4
### DO NOT edit below this line ### ### DO NOT edit below this line ###
export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
[ -n "$VPN_UPDATE_SWAN_VER" ] && SWAN_VER="$VPN_UPDATE_SWAN_VER"
exiterr() { echo "Error: $1" >&2; exit 1; } exiterr() { echo "Error: $1" >&2; exit 1; }
exiterr2() { exiterr "'apt-get install' failed."; } exiterr2() { exiterr "'apt-get install' failed."; }
bigecho() { echo "## $1"; } bigecho() { echo "## $1"; }
vpnupgrade() { check_root() {
if [ "$(id -u)" != 0 ]; then
exiterr "Script must be run as root. Try 'sudo sh $0'"
fi
}
[ -n "$VPN_UPDATE_SWAN_VER" ] && SWAN_VER="$VPN_UPDATE_SWAN_VER" check_vz() {
if [ -f /proc/user_beancounters ]; then
exiterr "OpenVZ VPS is not supported."
fi
}
check_os() {
os_type=$(lsb_release -si 2>/dev/null) os_type=$(lsb_release -si 2>/dev/null)
os_arch=$(uname -m | tr -dc 'A-Za-z0-9_-') os_arch=$(uname -m | tr -dc 'A-Za-z0-9_-')
[ -z "$os_type" ] && [ -f /etc/os-release ] && os_type=$(. /etc/os-release && printf '%s' "$ID") [ -z "$os_type" ] && [ -f /etc/os-release ] && os_type=$(. /etc/os-release && printf '%s' "$ID")
@ -45,20 +55,13 @@ case $os_type in
exiterr "This script only supports Ubuntu and Debian." exiterr "This script only supports Ubuntu and Debian."
;; ;;
esac esac
os_ver=$(sed 's/\..*//' /etc/debian_version | tr -dc 'A-Za-z0-9') os_ver=$(sed 's/\..*//' /etc/debian_version | tr -dc 'A-Za-z0-9')
if [ "$os_ver" = "8" ] || [ "$os_ver" = "jessiesid" ]; then if [ "$os_ver" = "8" ] || [ "$os_ver" = "jessiesid" ]; then
exiterr "Debian 8 or Ubuntu < 16.04 is not supported." exiterr "Debian 8 or Ubuntu < 16.04 is not supported."
fi fi
}
if [ -f /proc/user_beancounters ]; then check_libreswan() {
exiterr "OpenVZ VPS is not supported."
fi
if [ "$(id -u)" != 0 ]; then
exiterr "Script must be run as root. Try 'sudo sh $0'"
fi
case $SWAN_VER in case $SWAN_VER in
3.32|4.[1234]) 3.32|4.[1234])
true true
@ -87,33 +90,12 @@ EOF
exit 1 exit 1
fi fi
swan_ver_cur=4.4
swan_ver_url="https://dl.ls20.com/v1/$os_type/$os_ver/swanverupg?arch=$os_arch&ver1=$swan_ver_old&ver2=$SWAN_VER"
swan_ver_latest=$(wget -t 3 -T 15 -qO- "$swan_ver_url")
if printf '%s' "$swan_ver_latest" | grep -Eq '^([3-9]|[1-9][0-9]{1,2})(\.([0-9]|[1-9][0-9]{1,2})){1,2}$' \
&& [ "$swan_ver_cur" != "$swan_ver_latest" ] \
&& printf '%s\n%s' "$swan_ver_cur" "$swan_ver_latest" | sort -C -V; then
echo "Note: A newer version of Libreswan ($swan_ver_latest) is available."
echo " To update to the new version, exit this script and run:"
echo " wget https://git.io/vpnupgrade -O vpnup.sh && sudo sh vpnup.sh"
echo
printf "Do you want to continue anyway? [y/N] "
read -r response
case $response in
[yY][eE][sS]|[yY])
echo
;;
*)
echo "Abort. No changes were made."
exit 1
;;
esac
fi
if [ "$swan_ver_old" = "$SWAN_VER" ]; then if [ "$swan_ver_old" = "$SWAN_VER" ]; then
echo "You already have Libreswan version $SWAN_VER installed! " cat <<EOF
echo "If you continue, the same version will be re-installed." You already have Libreswan version $SWAN_VER installed!
echo If you continue, the same version will be re-installed.
EOF
printf "Do you want to continue anyway? [y/N] " printf "Do you want to continue anyway? [y/N] "
read -r response read -r response
case $response in case $response in
@ -126,7 +108,9 @@ if [ "$swan_ver_old" = "$SWAN_VER" ]; then
;; ;;
esac esac
fi fi
}
show_setup_info() {
cat <<EOF cat <<EOF
Welcome! Use this script to update Libreswan on your IPsec VPN server. Welcome! Use this script to update Libreswan on your IPsec VPN server.
@ -134,9 +118,6 @@ Welcome! Use this script to update Libreswan on your IPsec VPN server.
Current version: Libreswan $swan_ver_old Current version: Libreswan $swan_ver_old
Version to install: Libreswan $SWAN_VER Version to install: Libreswan $SWAN_VER
EOF
cat <<'EOF'
Note: This script will make the following changes to your VPN configuration: Note: This script will make the following changes to your VPN configuration:
- Fix obsolete ipsec.conf and/or ikev2.conf options - Fix obsolete ipsec.conf and/or ikev2.conf options
- Optimize VPN ciphers - Optimize VPN ciphers
@ -158,24 +139,32 @@ read -r response
case $response in case $response in
[yY][eE][sS]|[yY]) [yY][eE][sS]|[yY])
echo echo
bigecho "Please be patient. Setup is continuing..."
;; ;;
*) *)
echo "Abort. No changes were made." echo "Abort. No changes were made."
exit 1 exit 1
;; ;;
esac esac
}
# shellcheck disable=SC2154,SC2039,SC3047
start_setup() {
trap 'dlo=$dl;dl=$LINENO' DEBUG 2>/dev/null
trap 'finish $? $((dlo+1))' EXIT
mkdir -p /opt/src mkdir -p /opt/src
cd /opt/src || exit 1 cd /opt/src || exit 1
}
install_pkgs_1() {
bigecho "Installing required packages..." bigecho "Installing required packages..."
export DEBIAN_FRONTEND=noninteractive export DEBIAN_FRONTEND=noninteractive
( (
set -x set -x
apt-get -yqq update apt-get -yqq update
) || exiterr "'apt-get update' failed." ) || exiterr "'apt-get update' failed."
}
install_pkgs_2() {
( (
set -x set -x
apt-get -yqq install libnss3-dev libnspr4-dev pkg-config \ apt-get -yqq install libnss3-dev libnspr4-dev pkg-config \
@ -183,9 +172,10 @@ export DEBIAN_FRONTEND=noninteractive
libcurl4-nss-dev libnss3-tools libevent-dev libsystemd-dev \ libcurl4-nss-dev libnss3-tools libevent-dev libsystemd-dev \
flex bison gcc make wget sed >/dev/null flex bison gcc make wget sed >/dev/null
) || exiterr2 ) || exiterr2
}
get_libreswan() {
bigecho "Downloading Libreswan..." bigecho "Downloading Libreswan..."
swan_file="libreswan-$SWAN_VER.tar.gz" swan_file="libreswan-$SWAN_VER.tar.gz"
swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz" swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz"
swan_url2="https://download.libreswan.org/$swan_file" swan_url2="https://download.libreswan.org/$swan_file"
@ -195,9 +185,10 @@ swan_url2="https://download.libreswan.org/$swan_file"
) || exit 1 ) || exit 1
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER" /bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
tar xzf "$swan_file" && /bin/rm -f "$swan_file" tar xzf "$swan_file" && /bin/rm -f "$swan_file"
}
install_libreswan() {
bigecho "Compiling and installing Libreswan, please wait..." bigecho "Compiling and installing Libreswan, please wait..."
cd "libreswan-$SWAN_VER" || exit 1 cd "libreswan-$SWAN_VER" || exit 1
[ "$SWAN_VER" = "4.1" ] && sed -i 's/ sysv )/ sysvinit )/' programs/setup/setup.in [ "$SWAN_VER" = "4.1" ] && sed -i 's/ sysv )/ sysvinit )/' programs/setup/setup.in
cat > Makefile.inc.local <<'EOF' cat > Makefile.inc.local <<'EOF'
@ -232,9 +223,10 @@ cd /opt/src || exit 1
if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then
exiterr "Libreswan $SWAN_VER failed to build." exiterr "Libreswan $SWAN_VER failed to build."
fi fi
}
update_config() {
bigecho "Updating VPN configuration..." bigecho "Updating VPN configuration..."
IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024" IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024"
PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2" PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2"
@ -273,12 +265,15 @@ sed -i "/conn shared/a \ ikev2=never" /etc/ipsec.conf
if grep -qs ike-frag /etc/ipsec.d/ikev2.conf; then if grep -qs ike-frag /etc/ipsec.d/ikev2.conf; then
sed -i 's/^[[:space:]]\+ike-frag=/ fragmentation=/' /etc/ipsec.d/ikev2.conf sed -i 's/^[[:space:]]\+ike-frag=/ fragmentation=/' /etc/ipsec.d/ikev2.conf
fi fi
}
restart_ipsec() {
bigecho "Restarting IPsec service..." bigecho "Restarting IPsec service..."
mkdir -p /run/pluto mkdir -p /run/pluto
service ipsec restart 2>/dev/null service ipsec restart 2>/dev/null
}
show_setup_complete() {
cat <<EOF cat <<EOF
================================================ ================================================
@ -303,7 +298,44 @@ IMPORTANT: You must edit /etc/ipsec.conf and replace
EOF EOF
fi fi
}
check_swan_ver() {
swan_ver_cur=4.4
swan_ver_url="https://dl.ls20.com/v1/$os_type/$os_ver/swanverupg?arch=$os_arch&ver1=$swan_ver_old&ver2=$SWAN_VER"
[ "$1" != "0" ] && swan_ver_url="$swan_ver_url&e=$2"
swan_ver_latest=$(wget -t 3 -T 15 -qO- "$swan_ver_url")
if printf '%s' "$swan_ver_latest" | grep -Eq '^([3-9]|[1-9][0-9]{1,2})(\.([0-9]|[1-9][0-9]{1,2})){1,2}$' \
&& [ "$1" = "0" ] && [ "$swan_ver_cur" != "$swan_ver_latest" ] \
&& printf '%s\n%s' "$swan_ver_cur" "$swan_ver_latest" | sort -C -V; then
cat <<EOF
Note: A newer version of Libreswan ($swan_ver_latest) is available.
To update, run:
wget https://git.io/vpnupgrade -O vpnup.sh && sudo sh vpnup.sh
EOF
fi
}
finish() {
check_swan_ver "$1" "$2"
exit "$1"
}
vpnupgrade() {
check_root
check_vz
check_os
check_libreswan
show_setup_info
start_setup
install_pkgs_1
install_pkgs_2
get_libreswan
install_libreswan
update_config
restart_ipsec
show_setup_complete
} }
## Defer setup until we have the complete script ## Defer setup until we have the complete script
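Review bot: The `trap 'finish $? $((dlo+1))' EXIT` added in start_setup means an `exiterr` anywhere after the user's confirmation now performs a network request to dl.ls20.com with `&e=<line>` before the process ends, but the script gives no indication of this and the fetch is only useful to the remote side since the version note is printed solely when `$1` is `0`. Document it next to the trap, e.g. `# EXIT trap: contacts dl.ls20.com; on failure also reports the failing line number (&e=) and does not print anything`, and consider skipping check_swan_ver for non-zero status to avoid the `wget -t 3 -T 15` delay (up to ~45 s) on hosts with no outbound HTTPS. Under a `sh` without DEBUG trap support (the `2>/dev/null` and SC3047 suppression anticipate this) `dlo` stays unset, so the reported line is presumably not meaningful there. Keeping the version regex check before printing `swan_ver_latest` is correct.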