Update IKEv2 script
- New: Delete an IKEv2 client certificate using the IKEv2 helper script. - Cleanup
This commit is contained in:
parent
4458692f47
commit
78517c43c9
@ -151,7 +151,7 @@ confirm_or_abort() {
|
|||||||
show_header() {
|
show_header() {
|
||||||
cat <<'EOF'
|
cat <<'EOF'
|
||||||
|
|
||||||
IKEv2 Script Copyright (c) 2020-2022 Lin Song 6 Apr 2022
|
IKEv2 Script Copyright (c) 2020-2022 Lin Song 7 Apr 2022
|
||||||
|
|
||||||
EOF
|
EOF
|
||||||
}
|
}
|
||||||
@ -170,6 +170,7 @@ Options:
|
|||||||
--exportclient [client name] export configuration for an existing client
|
--exportclient [client name] export configuration for an existing client
|
||||||
--listclients list the names of existing clients
|
--listclients list the names of existing clients
|
||||||
--revokeclient [client name] revoke a client certificate
|
--revokeclient [client name] revoke a client certificate
|
||||||
|
--deleteclient [client name] delete a client certificate
|
||||||
--removeikev2 remove IKEv2 and delete all certificates and keys from the IPsec database
|
--removeikev2 remove IKEv2 and delete all certificates and keys from the IPsec database
|
||||||
-h, --help show this help message and exit
|
-h, --help show this help message and exit
|
||||||
|
|
||||||
@ -209,11 +210,11 @@ check_arguments() {
|
|||||||
echo " To manage VPN clients, re-run this script without '--auto'." >&2
|
echo " To manage VPN clients, re-run this script without '--auto'." >&2
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
if [ "$((add_client + export_client + list_clients + revoke_client))" -gt 1 ]; then
|
if [ "$((add_client + export_client + list_clients + revoke_client + delete_client))" -gt 1 ]; then
|
||||||
show_usage "Invalid parameters. Specify only one of '--addclient', '--exportclient', '--listclients' or '--revokeclient'."
|
show_usage "Invalid parameters. Specify only one of '--addclient', '--exportclient', '--listclients', '--revokeclient' or '--deleteclient'."
|
||||||
fi
|
fi
|
||||||
if [ "$remove_ikev2" = "1" ]; then
|
if [ "$remove_ikev2" = "1" ]; then
|
||||||
if [ "$((add_client + export_client + list_clients + revoke_client + use_defaults))" -gt 0 ]; then
|
if [ "$((add_client + export_client + list_clients + revoke_client + delete_client + use_defaults))" -gt 0 ]; then
|
||||||
show_usage "Invalid parameters. '--removeikev2' cannot be specified with other parameters."
|
show_usage "Invalid parameters. '--removeikev2' cannot be specified with other parameters."
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
@ -222,6 +223,7 @@ check_arguments() {
|
|||||||
[ "$export_client" = "1" ] && exiterr "You must first set up IKEv2 before exporting a client."
|
[ "$export_client" = "1" ] && exiterr "You must first set up IKEv2 before exporting a client."
|
||||||
[ "$list_clients" = "1" ] && exiterr "You must first set up IKEv2 before listing clients."
|
[ "$list_clients" = "1" ] && exiterr "You must first set up IKEv2 before listing clients."
|
||||||
[ "$revoke_client" = "1" ] && exiterr "You must first set up IKEv2 before revoking a client certificate."
|
[ "$revoke_client" = "1" ] && exiterr "You must first set up IKEv2 before revoking a client certificate."
|
||||||
|
[ "$delete_client" = "1" ] && exiterr "You must first set up IKEv2 before deleting a client certificate."
|
||||||
[ "$remove_ikev2" = "1" ] && exiterr "Cannot remove IKEv2 because it has not been set up on this server."
|
[ "$remove_ikev2" = "1" ] && exiterr "Cannot remove IKEv2 because it has not been set up on this server."
|
||||||
fi
|
fi
|
||||||
if [ "$add_client" = "1" ]; then
|
if [ "$add_client" = "1" ]; then
|
||||||
@ -231,14 +233,14 @@ check_arguments() {
|
|||||||
exiterr "Invalid client name. Client '$client_name' already exists."
|
exiterr "Invalid client name. Client '$client_name' already exists."
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
if [ "$export_client" = "1" ] || [ "$revoke_client" = "1" ]; then
|
if [ "$export_client" = "1" ] || [ "$revoke_client" = "1" ] || [ "$delete_client" = "1" ]; then
|
||||||
get_server_address
|
get_server_address
|
||||||
if [ -z "$client_name" ] || ! check_client_name "$client_name" \
|
if [ -z "$client_name" ] || ! check_client_name "$client_name" \
|
||||||
|| [ "$client_name" = "$CA_NAME" ] || [ "$client_name" = "$server_addr" ] \
|
|| [ "$client_name" = "$CA_NAME" ] || [ "$client_name" = "$server_addr" ] \
|
||||||
|| ! check_cert_exists "$client_name"; then
|
|| ! check_cert_exists "$client_name"; then
|
||||||
exiterr "Invalid client name, or client does not exist."
|
exiterr "Invalid client name, or client does not exist."
|
||||||
fi
|
fi
|
||||||
if ! check_cert_status "$client_name"; then
|
if [ "$delete_client" = "0" ] && ! check_cert_status "$client_name"; then
|
||||||
printf '%s' "Error: Certificate '$client_name' " >&2
|
printf '%s' "Error: Certificate '$client_name' " >&2
|
||||||
if printf '%s' "$cert_status" | grep -q "revoked"; then
|
if printf '%s' "$cert_status" | grep -q "revoked"; then
|
||||||
if [ "$revoke_client" = "1" ]; then
|
if [ "$revoke_client" = "1" ]; then
|
||||||
@ -375,13 +377,16 @@ list_existing_clients() {
|
|||||||
[ "$max_len" -lt "16" ] && max_len=16
|
[ "$max_len" -lt "16" ] && max_len=16
|
||||||
printf "%-${max_len}s %s\n" 'Client Name' 'Certificate Status'
|
printf "%-${max_len}s %s\n" 'Client Name' 'Certificate Status'
|
||||||
printf "%-${max_len}s %s\n" '------------' '-------------------'
|
printf "%-${max_len}s %s\n" '------------' '-------------------'
|
||||||
printf '%s\n' "$client_names" | LC_ALL=C sort | while read -r line; do
|
if [ -n "$client_names" ]; then
|
||||||
printf "%-${max_len}s " "$line"
|
printf '%s\n' "$client_names" | LC_ALL=C sort | while read -r line; do
|
||||||
client_status=$(certutil -V -u C -d "$CERT_DB" -n "$line" | grep -o -e ' valid' -e expired -e revoked | sed -e 's/^ //')
|
printf "%-${max_len}s " "$line"
|
||||||
[ -z "$client_status" ] && client_status=unknown
|
client_status=$(certutil -V -u C -d "$CERT_DB" -n "$line" | grep -o -e ' valid' -e expired -e revoked | sed -e 's/^ //')
|
||||||
printf '%s\n' "$client_status"
|
[ -z "$client_status" ] && client_status=unknown
|
||||||
done
|
printf '%s\n' "$client_status"
|
||||||
|
done
|
||||||
|
fi
|
||||||
client_count=$(printf '%s\n' "$client_names" | wc -l 2>/dev/null)
|
client_count=$(printf '%s\n' "$client_names" | wc -l 2>/dev/null)
|
||||||
|
[ -z "$client_names" ] && client_count=0
|
||||||
if [ "$client_count" = "1" ]; then
|
if [ "$client_count" = "1" ]; then
|
||||||
printf '\n%s\n' "Total: 1 client"
|
printf '\n%s\n' "Total: 1 client"
|
||||||
elif [ -n "$client_count" ]; then
|
elif [ -n "$client_count" ]; then
|
||||||
@ -453,6 +458,11 @@ enter_client_name() {
|
|||||||
enter_client_name_for() {
|
enter_client_name_for() {
|
||||||
echo
|
echo
|
||||||
list_existing_clients
|
list_existing_clients
|
||||||
|
if [ "$client_count" = "0" ]; then
|
||||||
|
echo
|
||||||
|
echo "No IKEv2 clients in the IPsec database. Nothing to $1." >&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
get_server_address
|
get_server_address
|
||||||
echo
|
echo
|
||||||
read -rp "Enter the name of the IKEv2 client to $1: " client_name
|
read -rp "Enter the name of the IKEv2 client to $1: " client_name
|
||||||
@ -464,6 +474,7 @@ enter_client_name_for() {
|
|||||||
|| [ "$client_name" = "$server_addr" ] || ! check_cert_exists "$client_name"; then
|
|| [ "$client_name" = "$server_addr" ] || ! check_cert_exists "$client_name"; then
|
||||||
echo "Invalid client name, or client does not exist."
|
echo "Invalid client name, or client does not exist."
|
||||||
else
|
else
|
||||||
|
[ "$1" = "delete" ] && break
|
||||||
printf '%s' "Error: Certificate '$client_name' "
|
printf '%s' "Error: Certificate '$client_name' "
|
||||||
if printf '%s' "$cert_status" | grep -q "revoked"; then
|
if printf '%s' "$cert_status" | grep -q "revoked"; then
|
||||||
if [ "$1" = "revoke" ]; then
|
if [ "$1" = "revoke" ]; then
|
||||||
@ -639,11 +650,12 @@ Select an option:
|
|||||||
2) Export configuration for an existing client
|
2) Export configuration for an existing client
|
||||||
3) List existing clients
|
3) List existing clients
|
||||||
4) Revoke a client certificate
|
4) Revoke a client certificate
|
||||||
5) Remove IKEv2
|
5) Delete a client certificate
|
||||||
6) Exit
|
6) Remove IKEv2
|
||||||
|
7) Exit
|
||||||
EOF
|
EOF
|
||||||
read -rp "Option: " selected_option
|
read -rp "Option: " selected_option
|
||||||
until [[ "$selected_option" =~ ^[1-6]$ ]]; do
|
until [[ "$selected_option" =~ ^[1-7]$ ]]; do
|
||||||
printf '%s\n' "$selected_option: invalid selection."
|
printf '%s\n' "$selected_option: invalid selection."
|
||||||
read -rp "Option: " selected_option
|
read -rp "Option: " selected_option
|
||||||
done
|
done
|
||||||
@ -1183,6 +1195,11 @@ reload_crls() {
|
|||||||
ipsec crls
|
ipsec crls
|
||||||
}
|
}
|
||||||
|
|
||||||
|
delete_client_cert() {
|
||||||
|
certutil -F -d "$CERT_DB" -n "$client_name"
|
||||||
|
certutil -D -d "$CERT_DB" -n "$client_name" 2>/dev/null
|
||||||
|
}
|
||||||
|
|
||||||
print_client_added() {
|
print_client_added() {
|
||||||
cat <<EOF
|
cat <<EOF
|
||||||
|
|
||||||
@ -1211,6 +1228,10 @@ print_client_revoked() {
|
|||||||
echo "Certificate '$client_name' revoked!"
|
echo "Certificate '$client_name' revoked!"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
print_client_deleted() {
|
||||||
|
echo "Certificate '$client_name' deleted!"
|
||||||
|
}
|
||||||
|
|
||||||
print_setup_complete() {
|
print_setup_complete() {
|
||||||
printf '\e[2K\e[1A\e[2K\r'
|
printf '\e[2K\e[1A\e[2K\r'
|
||||||
[ "$use_defaults" = "1" ] && printf '\e[1A\e[2K\e[1A\e[2K\e[1A\e[2K\r'
|
[ "$use_defaults" = "1" ] && printf '\e[1A\e[2K\e[1A\e[2K\e[1A\e[2K\r'
|
||||||
@ -1295,6 +1316,17 @@ EOF
|
|||||||
confirm_or_abort "Are you sure you want to revoke '$client_name'? [y/N] "
|
confirm_or_abort "Are you sure you want to revoke '$client_name'? [y/N] "
|
||||||
}
|
}
|
||||||
|
|
||||||
|
confirm_delete_cert() {
|
||||||
|
cat <<EOF
|
||||||
|
WARNING: Deleting a client certificate from the IPsec database *WILL NOT* prevent
|
||||||
|
VPN client(s) from connecting using that certificate! For this use case,
|
||||||
|
you *MUST* revoke the client certificate instead of deleting it.
|
||||||
|
This *cannot* be undone!
|
||||||
|
|
||||||
|
EOF
|
||||||
|
confirm_or_abort "Are you sure you want to delete '$client_name'? [y/N] "
|
||||||
|
}
|
||||||
|
|
||||||
confirm_remove_ikev2() {
|
confirm_remove_ikev2() {
|
||||||
cat <<'EOF'
|
cat <<'EOF'
|
||||||
WARNING: This option will remove IKEv2 from this VPN server, but keep the IPsec/L2TP
|
WARNING: This option will remove IKEv2 from this VPN server, but keep the IPsec/L2TP
|
||||||
@ -1344,6 +1376,7 @@ ikev2setup() {
|
|||||||
export_client=0
|
export_client=0
|
||||||
list_clients=0
|
list_clients=0
|
||||||
revoke_client=0
|
revoke_client=0
|
||||||
|
delete_client=0
|
||||||
remove_ikev2=0
|
remove_ikev2=0
|
||||||
while [ "$#" -gt 0 ]; do
|
while [ "$#" -gt 0 ]; do
|
||||||
case $1 in
|
case $1 in
|
||||||
@ -1373,6 +1406,12 @@ ikev2setup() {
|
|||||||
shift
|
shift
|
||||||
shift
|
shift
|
||||||
;;
|
;;
|
||||||
|
--deleteclient)
|
||||||
|
delete_client=1
|
||||||
|
client_name="$2"
|
||||||
|
shift
|
||||||
|
shift
|
||||||
|
;;
|
||||||
--removeikev2)
|
--removeikev2)
|
||||||
remove_ikev2=1
|
remove_ikev2=1
|
||||||
shift
|
shift
|
||||||
@ -1434,6 +1473,14 @@ ikev2setup() {
|
|||||||
exit 0
|
exit 0
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
if [ "$delete_client" = "1" ]; then
|
||||||
|
show_header
|
||||||
|
confirm_delete_cert
|
||||||
|
delete_client_cert
|
||||||
|
print_client_deleted
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
|
||||||
if [ "$remove_ikev2" = "1" ]; then
|
if [ "$remove_ikev2" = "1" ]; then
|
||||||
check_ipsec_conf
|
check_ipsec_conf
|
||||||
show_header
|
show_header
|
||||||
@ -1488,6 +1535,14 @@ ikev2setup() {
|
|||||||
exit 0
|
exit 0
|
||||||
;;
|
;;
|
||||||
5)
|
5)
|
||||||
|
enter_client_name_for delete
|
||||||
|
echo
|
||||||
|
confirm_delete_cert
|
||||||
|
delete_client_cert
|
||||||
|
print_client_deleted
|
||||||
|
exit 0
|
||||||
|
;;
|
||||||
|
6)
|
||||||
check_ipsec_conf
|
check_ipsec_conf
|
||||||
echo
|
echo
|
||||||
confirm_remove_ikev2
|
confirm_remove_ikev2
|
||||||
|
Loading…
Reference in New Issue
Block a user