Update IKEv2 script
- New: Users can now specify '--addclient [client name]' or '--exportclient [client name]' command-line arguments to automatically add or export an IKEv2 client using default options. - Show script usage when '-h' or '--help' is specified. - Other minor improvements
This commit is contained in:
parent
83d7309147
commit
625ddd3d32
@ -73,42 +73,6 @@ check_os_type() {
|
|||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
check_utils_exist() {
|
|
||||||
command -v certutil >/dev/null 2>&1 || exiterr "'certutil' not found. Abort."
|
|
||||||
command -v pk12util >/dev/null 2>&1 || exiterr "'pk12util' not found. Abort."
|
|
||||||
}
|
|
||||||
|
|
||||||
check_container() {
|
|
||||||
in_container=0
|
|
||||||
export_dir=~/
|
|
||||||
if grep -qs "hwdsl2" /opt/src/run.sh; then
|
|
||||||
in_container=1
|
|
||||||
export_dir="/etc/ipsec.d/"
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
check_ca_cert_exists() {
|
|
||||||
if certutil -L -d sql:/etc/ipsec.d -n "IKEv2 VPN CA" >/dev/null 2>&1; then
|
|
||||||
exiterr "Certificate 'IKEv2 VPN CA' already exists."
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
check_server_cert_exists() {
|
|
||||||
if certutil -L -d sql:/etc/ipsec.d -n "$server_addr" >/dev/null 2>&1; then
|
|
||||||
echo "Error: Certificate '$server_addr' already exists." >&2
|
|
||||||
echo "Abort. No changes were made." >&2
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
check_client_cert_exists() {
|
|
||||||
if certutil -L -d sql:/etc/ipsec.d -n "$client_name" >/dev/null 2>&1; then
|
|
||||||
echo "Error: Client '$client_name' already exists." >&2
|
|
||||||
echo "Abort. No changes were made." >&2
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
check_swan_install() {
|
check_swan_install() {
|
||||||
ipsec_ver=$(/usr/local/sbin/ipsec --version 2>/dev/null)
|
ipsec_ver=$(/usr/local/sbin/ipsec --version 2>/dev/null)
|
||||||
swan_ver=$(printf '%s' "$ipsec_ver" | sed -e 's/Linux //' -e 's/Libreswan //' -e 's/ (netkey).*//')
|
swan_ver=$(printf '%s' "$ipsec_ver" | sed -e 's/Linux //' -e 's/Libreswan //' -e 's/ (netkey).*//')
|
||||||
@ -139,6 +103,94 @@ EOF
|
|||||||
esac
|
esac
|
||||||
}
|
}
|
||||||
|
|
||||||
|
check_utils_exist() {
|
||||||
|
command -v certutil >/dev/null 2>&1 || exiterr "'certutil' not found. Abort."
|
||||||
|
command -v pk12util >/dev/null 2>&1 || exiterr "'pk12util' not found. Abort."
|
||||||
|
}
|
||||||
|
|
||||||
|
check_container() {
|
||||||
|
in_container=0
|
||||||
|
export_dir=~/
|
||||||
|
if grep -qs "hwdsl2" /opt/src/run.sh; then
|
||||||
|
in_container=1
|
||||||
|
export_dir="/etc/ipsec.d/"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
show_usage() {
|
||||||
|
if [ -n "$1" ]; then
|
||||||
|
echo "Error: $1" >&2;
|
||||||
|
fi
|
||||||
|
cat 1>&2 <<EOF
|
||||||
|
Usage: $0 [options]
|
||||||
|
|
||||||
|
Options:
|
||||||
|
--auto run IKEv2 setup in auto mode using default options (for initial IKEv2 setup only)
|
||||||
|
--addclient [client name] add a new IKEv2 client using default options (after IKEv2 setup)
|
||||||
|
--exportclient [client name] export an existing IKEv2 client using default options (after IKEv2 setup)
|
||||||
|
-h, --help show this help message and exit
|
||||||
|
|
||||||
|
If you want to customize options, run this script without arguments.
|
||||||
|
EOF
|
||||||
|
exit 1
|
||||||
|
}
|
||||||
|
|
||||||
|
check_arguments() {
|
||||||
|
if [ "$use_defaults" = "1" ]; then
|
||||||
|
if grep -qs "conn ikev2-cp" /etc/ipsec.conf || [ -f /etc/ipsec.d/ikev2.conf ]; then
|
||||||
|
show_usage "Invalid parameter. '--auto' can only be specified for initial IKEv2 setup."
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
if [ "$add_client_using_defaults" = "1" ] && [ "$export_client_using_defaults" = "1" ]; then
|
||||||
|
show_usage "Invalid parameters. '--addclient' and '--exportclient' cannot be specified at the same time."
|
||||||
|
fi
|
||||||
|
if [ "$add_client_using_defaults" = "1" ]; then
|
||||||
|
if ! grep -qs "conn ikev2-cp" /etc/ipsec.conf && [ ! -f /etc/ipsec.d/ikev2.conf ]; then
|
||||||
|
exiterr "You must first set up IKEv2 before adding a new client."
|
||||||
|
fi
|
||||||
|
if [ -z "$client_name" ] || [ "${#client_name}" -gt "64" ] \
|
||||||
|
|| printf '%s' "$client_name" | LC_ALL=C grep -q '[^A-Za-z0-9_-]\+'; then
|
||||||
|
exiterr "Invalid client name. Use one word only, no special characters except '-' and '_'."
|
||||||
|
elif certutil -L -d sql:/etc/ipsec.d -n "$client_name" >/dev/null 2>&1; then
|
||||||
|
exiterr "Invalid client name. Client '$client_name' already exists."
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
if [ "$export_client_using_defaults" = "1" ]; then
|
||||||
|
if ! grep -qs "conn ikev2-cp" /etc/ipsec.conf && [ ! -f /etc/ipsec.d/ikev2.conf ]; then
|
||||||
|
exiterr "You must first set up IKEv2 before exporting a client configuration."
|
||||||
|
fi
|
||||||
|
get_server_address
|
||||||
|
if [ -z "$client_name" ] || [ "${#client_name}" -gt "64" ] \
|
||||||
|
|| printf '%s' "$client_name" | LC_ALL=C grep -q '[^A-Za-z0-9_-]\+' \
|
||||||
|
|| [ "$client_name" = "IKEv2 VPN CA" ] || [ "$client_name" = "$server_addr" ] \
|
||||||
|
|| ! certutil -L -d sql:/etc/ipsec.d -n "$client_name" >/dev/null 2>&1; then
|
||||||
|
exiterr "Invalid client name, or client does not exist."
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
check_ca_cert_exists() {
|
||||||
|
if certutil -L -d sql:/etc/ipsec.d -n "IKEv2 VPN CA" >/dev/null 2>&1; then
|
||||||
|
exiterr "Certificate 'IKEv2 VPN CA' already exists."
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
check_server_cert_exists() {
|
||||||
|
if certutil -L -d sql:/etc/ipsec.d -n "$server_addr" >/dev/null 2>&1; then
|
||||||
|
echo "Error: Certificate '$server_addr' already exists." >&2
|
||||||
|
echo "Abort. No changes were made." >&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
check_client_cert_exists() {
|
||||||
|
if certutil -L -d sql:/etc/ipsec.d -n "$client_name" >/dev/null 2>&1; then
|
||||||
|
echo "Error: Client '$client_name' already exists." >&2
|
||||||
|
echo "Abort. No changes were made." >&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
check_swan_ver() {
|
check_swan_ver() {
|
||||||
if [ "$in_container" = "0" ]; then
|
if [ "$in_container" = "0" ]; then
|
||||||
swan_ver_url="https://dl.ls20.com/v1/$os_type/$os_ver/swanverikev2?arch=$os_arch&ver=$swan_ver&auto=$use_defaults"
|
swan_ver_url="https://dl.ls20.com/v1/$os_type/$os_ver/swanverikev2?arch=$os_arch&ver=$swan_ver&auto=$use_defaults"
|
||||||
@ -197,6 +249,14 @@ show_start_message() {
|
|||||||
bigecho "Starting IKEv2 setup in auto mode, using default options."
|
bigecho "Starting IKEv2 setup in auto mode, using default options."
|
||||||
}
|
}
|
||||||
|
|
||||||
|
show_add_client_message() {
|
||||||
|
bigecho2 "Adding a new IKEv2 client '$client_name', using default options."
|
||||||
|
}
|
||||||
|
|
||||||
|
show_export_client_message() {
|
||||||
|
bigecho2 "Exporting existing IKEv2 client '$client_name', using default options."
|
||||||
|
}
|
||||||
|
|
||||||
get_server_ip() {
|
get_server_ip() {
|
||||||
echo "Trying to auto discover IP of this server..."
|
echo "Trying to auto discover IP of this server..."
|
||||||
public_ip=$(dig @resolver1.opendns.com -t A -4 myip.opendns.com +short)
|
public_ip=$(dig @resolver1.opendns.com -t A -4 myip.opendns.com +short)
|
||||||
@ -540,6 +600,8 @@ EOF
|
|||||||
|
|
||||||
install_base64_uuidgen() {
|
install_base64_uuidgen() {
|
||||||
if ! command -v base64 >/dev/null 2>&1 || ! command -v uuidgen >/dev/null 2>&1; then
|
if ! command -v base64 >/dev/null 2>&1 || ! command -v uuidgen >/dev/null 2>&1; then
|
||||||
|
bigecho "Installing required packages..."
|
||||||
|
|
||||||
if [ "$os_type" = "ubuntu" ] || [ "$os_type" = "debian" ] || [ "$os_type" = "raspbian" ]; then
|
if [ "$os_type" = "ubuntu" ] || [ "$os_type" = "debian" ] || [ "$os_type" = "raspbian" ]; then
|
||||||
export DEBIAN_FRONTEND=noninteractive
|
export DEBIAN_FRONTEND=noninteractive
|
||||||
apt-get -yqq update || exiterr "'apt-get update' failed."
|
apt-get -yqq update || exiterr "'apt-get update' failed."
|
||||||
@ -553,7 +615,6 @@ install_base64_uuidgen() {
|
|||||||
create_mobileconfig() {
|
create_mobileconfig() {
|
||||||
bigecho "Creating .mobileconfig for iOS and macOS..."
|
bigecho "Creating .mobileconfig for iOS and macOS..."
|
||||||
|
|
||||||
install_base64_uuidgen
|
|
||||||
[ -z "$server_addr" ] && get_server_address
|
[ -z "$server_addr" ] && get_server_address
|
||||||
|
|
||||||
p12_base64=$(base64 -w 52 "$export_dir$client_name-$SYS_DT.p12")
|
p12_base64=$(base64 -w 52 "$export_dir$client_name-$SYS_DT.p12")
|
||||||
@ -719,7 +780,6 @@ EOF
|
|||||||
create_android_profile() {
|
create_android_profile() {
|
||||||
bigecho "Creating client profile for Android..."
|
bigecho "Creating client profile for Android..."
|
||||||
|
|
||||||
install_base64_uuidgen
|
|
||||||
[ -z "$server_addr" ] && get_server_address
|
[ -z "$server_addr" ] && get_server_address
|
||||||
|
|
||||||
p12_base64_oneline=$(base64 -w 52 "$export_dir$client_name-$SYS_DT.p12" | sed 's/$/\\n/' | tr -d '\n')
|
p12_base64_oneline=$(base64 -w 52 "$export_dir$client_name-$SYS_DT.p12" | sed 's/$/\\n/' | tr -d '\n')
|
||||||
@ -1026,21 +1086,70 @@ print_ikev2_removed_message() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
ikev2setup() {
|
ikev2setup() {
|
||||||
case $1 in
|
|
||||||
--auto)
|
|
||||||
use_defaults=1
|
|
||||||
;;
|
|
||||||
*)
|
|
||||||
use_defaults=0
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
|
|
||||||
check_run_as_root
|
check_run_as_root
|
||||||
check_os_type
|
check_os_type
|
||||||
check_swan_install
|
check_swan_install
|
||||||
check_utils_exist
|
check_utils_exist
|
||||||
check_container
|
check_container
|
||||||
|
|
||||||
|
use_defaults=0
|
||||||
|
add_client_using_defaults=0
|
||||||
|
export_client_using_defaults=0
|
||||||
|
while [ "$#" -gt 0 ]; do
|
||||||
|
case $1 in
|
||||||
|
--auto)
|
||||||
|
use_defaults=1
|
||||||
|
shift
|
||||||
|
;;
|
||||||
|
--addclient)
|
||||||
|
add_client_using_defaults=1
|
||||||
|
client_name="$2"
|
||||||
|
shift
|
||||||
|
shift
|
||||||
|
;;
|
||||||
|
--exportclient)
|
||||||
|
export_client_using_defaults=1
|
||||||
|
client_name="$2"
|
||||||
|
shift
|
||||||
|
shift
|
||||||
|
;;
|
||||||
|
-h|--help)
|
||||||
|
show_usage
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
show_usage "Unknown parameter: $1"
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
done
|
||||||
|
|
||||||
|
check_arguments
|
||||||
|
|
||||||
|
if [ "$add_client_using_defaults" = "1" ]; then
|
||||||
|
show_add_client_message
|
||||||
|
client_validity=120
|
||||||
|
use_own_password=0
|
||||||
|
create_client_cert
|
||||||
|
export_p12_file
|
||||||
|
install_base64_uuidgen
|
||||||
|
create_mobileconfig
|
||||||
|
create_android_profile
|
||||||
|
print_client_added_message
|
||||||
|
print_client_info
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ "$export_client_using_defaults" = "1" ]; then
|
||||||
|
show_export_client_message
|
||||||
|
use_own_password=0
|
||||||
|
export_p12_file
|
||||||
|
install_base64_uuidgen
|
||||||
|
create_mobileconfig
|
||||||
|
create_android_profile
|
||||||
|
print_client_exported_message
|
||||||
|
print_client_info
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
|
||||||
if grep -qs "conn ikev2-cp" /etc/ipsec.conf || [ -f /etc/ipsec.d/ikev2.conf ]; then
|
if grep -qs "conn ikev2-cp" /etc/ipsec.conf || [ -f /etc/ipsec.d/ikev2.conf ]; then
|
||||||
select_menu_option
|
select_menu_option
|
||||||
case $selected_option in
|
case $selected_option in
|
||||||
@ -1050,6 +1159,7 @@ ikev2setup() {
|
|||||||
select_p12_password
|
select_p12_password
|
||||||
create_client_cert
|
create_client_cert
|
||||||
export_p12_file
|
export_p12_file
|
||||||
|
install_base64_uuidgen
|
||||||
create_mobileconfig
|
create_mobileconfig
|
||||||
create_android_profile
|
create_android_profile
|
||||||
print_client_added_message
|
print_client_added_message
|
||||||
@ -1060,6 +1170,7 @@ ikev2setup() {
|
|||||||
enter_client_name_for_export
|
enter_client_name_for_export
|
||||||
select_p12_password
|
select_p12_password
|
||||||
export_p12_file
|
export_p12_file
|
||||||
|
install_base64_uuidgen
|
||||||
create_mobileconfig
|
create_mobileconfig
|
||||||
create_android_profile
|
create_android_profile
|
||||||
print_client_exported_message
|
print_client_exported_message
|
||||||
@ -1120,6 +1231,7 @@ ikev2setup() {
|
|||||||
create_server_cert
|
create_server_cert
|
||||||
create_client_cert
|
create_client_cert
|
||||||
export_p12_file
|
export_p12_file
|
||||||
|
install_base64_uuidgen
|
||||||
create_mobileconfig
|
create_mobileconfig
|
||||||
create_android_profile
|
create_android_profile
|
||||||
add_ikev2_connection
|
add_ikev2_connection
|
||||||
|
Loading…
Reference in New Issue
Block a user