
Update upgrade scripts

- Replace the obsolete ike-frag option in ikev2.conf (if exists),
  which was removed in Libreswan 4.1.
hwdsl2 2020-11-12 00:39:20 -06:00
parent 5a13026701
commit 694679b59c
2 changed files with 14 additions and 52 deletions


@ -116,33 +116,10 @@ Version to install: Libreswan $SWAN_VER
EOF
cat <<'EOF'
NOTE: Libreswan versions 3.19 and newer require some configuration changes.
This script will make the following updates to your /etc/ipsec.conf:
NOTE: This script will make the following changes to your IPsec config:
- Replace obsolete ipsec.conf options
- Fix obsolete ipsec.conf and/or ikev2.conf options
- Optimize VPN ciphers for "ike=" and "phase2alg="
EOF
if [ "$dns_state" = "1" ] || [ "$dns_state" = "2" ]; then
cat <<'EOF'
- Replace "modecfgdns1" and "modecfgdns2" with "modecfgdns"
EOF
fi
if [ "$dns_state" = "3" ] || [ "$dns_state" = "4" ]; then
cat <<'EOF'
- Replace "modecfgdns" with "modecfgdns1" and "modecfgdns2"
EOF
fi
if [ "$SWAN_VER" = "3.29" ] || [ "$SWAN_VER" = "3.31" ] \
|| [ "$SWAN_VER" = "3.32" ] || [ "$SWAN_VER" = "4.1" ]; then
cat <<'EOF'
- Move "ikev2=never" to section "conn shared"
EOF
fi
cat <<'EOF'
Your other VPN configuration files will not be modified.
@ -250,7 +227,7 @@ if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then
exiterr "Libreswan $SWAN_VER failed to build."
fi
# Update ipsec.conf
# Update IPsec config
IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024"
PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2"
@ -286,6 +263,10 @@ if [ "$SWAN_VER" = "3.29" ] || [ "$SWAN_VER" = "3.31" ] \
sed -i "/conn shared/a \ ikev2=never" /etc/ipsec.conf
fi
if grep -qs ike-frag /etc/ipsec.d/ikev2.conf; then
sed -i 's/^[[:space:]]\+ike-frag=/ fragmentation=/' /etc/ipsec.d/ikev2.conf
fi
# Restart IPsec service
mkdir -p /run/pluto
service ipsec restart
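Review bot: The new `ike-frag` block near the end of this section edits /etc/ipsec.d/ikev2.conf in place with `sed -i`, and no copy of that file is taken anywhere in the visible lines; if a backup is not made earlier in the script (outside the hunk), one should be added before the `sed`. The `grep -qs ike-frag` guard also matches comments and unindented text, while the `sed` only rewrites indented `ike-frag=` lines, so nothing confirms the rewrite took effect before `service ipsec restart`. Since the commit message says the option was removed in Libreswan 4.1, a leftover line may keep the connection from loading; a follow-up check such as `grep -qs '^[[:space:]]*ike-frag' /etc/ipsec.d/ikev2.conf && echo "Warning: ike-frag still present in ikev2.conf" >&2` would surface that. The same block appears in the second file section.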


@ -107,33 +107,10 @@ Version to install: Libreswan $SWAN_VER
EOF
cat <<'EOF'
NOTE: Libreswan versions 3.19 and newer require some configuration changes.
This script will make the following updates to your /etc/ipsec.conf:
NOTE: This script will make the following changes to your IPsec config:
- Replace obsolete ipsec.conf options
- Fix obsolete ipsec.conf and/or ikev2.conf options
- Optimize VPN ciphers for "ike=" and "phase2alg="
EOF
if [ "$dns_state" = "1" ] || [ "$dns_state" = "2" ]; then
cat <<'EOF'
- Replace "modecfgdns1" and "modecfgdns2" with "modecfgdns"
EOF
fi
if [ "$dns_state" = "3" ] || [ "$dns_state" = "4" ]; then
cat <<'EOF'
- Replace "modecfgdns" with "modecfgdns1" and "modecfgdns2"
EOF
fi
if [ "$SWAN_VER" = "3.29" ] || [ "$SWAN_VER" = "3.31" ] \
|| [ "$SWAN_VER" = "3.32" ] || [ "$SWAN_VER" = "4.1" ]; then
cat <<'EOF'
- Move "ikev2=never" to section "conn shared"
EOF
fi
cat <<'EOF'
Your other VPN configuration files will not be modified.
@ -259,7 +236,7 @@ restorecon /etc/ipsec.d/*db 2>/dev/null
restorecon /usr/local/sbin -Rv 2>/dev/null
restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null
# Update ipsec.conf
# Update IPsec config
IKE_NEW=" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024"
PHASE2_NEW=" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2"
@ -289,6 +266,10 @@ if [ "$SWAN_VER" = "3.29" ] || [ "$SWAN_VER" = "3.31" ] \
sed -i "/conn shared/a \ ikev2=never" /etc/ipsec.conf
fi
if grep -qs ike-frag /etc/ipsec.d/ikev2.conf; then
sed -i 's/^[[:space:]]\+ike-frag=/ fragmentation=/' /etc/ipsec.d/ikev2.conf
fi
# Restart IPsec service
mkdir -p /run/pluto
service ipsec restart
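Review bot: The `IKE_NEW` and `PHASE2_NEW` assignments under the renamed `# Update IPsec config` comment carry no explanation of why `modp1024` and SHA-1 proposals remain in the lists, while the notice printed to the user describes this step as optimizing ciphers. These are presumably kept for older clients, but 1024-bit DH is generally regarded as weak, so a comment should record the reason, for example `# modp1024 and *-sha1 are kept for legacy clients; drop them when no such clients remain`. The surrounding code that writes these values into the config lies outside the hunk. The first file section has the same lines.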