From 7e3a38ca540491f9381731f0479dbd2a13b57c74 Mon Sep 17 00:00:00 2001 From: hwdsl2 Date: Sun, 24 Jan 2021 15:08:06 -0600 Subject: [PATCH] Update IKEv2 script - New: Users can now specify '--listclients' to list the names of existing IKEv2 clients - Other minor improvements --- extras/ikev2setup.sh | 45 +++++++++++++++++++++++++++++++++++--------- 1 file changed, 36 insertions(+), 9 deletions(-) diff --git a/extras/ikev2setup.sh b/extras/ikev2setup.sh index 522d2b8..f3d54fa 100644 --- a/extras/ikev2setup.sh +++ b/extras/ikev2setup.sh @@ -88,7 +88,7 @@ EOF case $swan_ver in 3.19|3.2[01235679]|3.3[12]|4.*) - /bin/true + true ;; *) cat 1>&2 </dev/null 2>&1; then exiterr "Invalid client name. Client '$client_name' already exists." @@ -163,10 +165,16 @@ check_arguments() { if [ -z "$client_name" ] || [ "${#client_name}" -gt "64" ] \ || printf '%s' "$client_name" | LC_ALL=C grep -q '[^A-Za-z0-9_-]\+' \ || [ "$client_name" = "IKEv2 VPN CA" ] || [ "$client_name" = "$server_addr" ] \ + || case $client_name in -*) true;; *) false;; esac \ || ! certutil -L -d sql:/etc/ipsec.d -n "$client_name" >/dev/null 2>&1; then exiterr "Invalid client name, or client does not exist." fi fi + if [ "$list_clients" = "1" ]; then + if ! grep -qs "conn ikev2-cp" /etc/ipsec.conf && [ ! -f /etc/ipsec.d/ikev2.conf ]; then + exiterr "You must first set up IKEv2 before listing clients." + fi + fi } check_ca_cert_exists() { @@ -269,6 +277,11 @@ get_server_address() { check_ip "$server_addr" || check_dns_name "$server_addr" || exiterr "Could not get VPN server address." } +list_existing_clients() { + echo "Checking for existing IKEv2 client(s)..." + certutil -L -d sql:/etc/ipsec.d | grep -v -e '^$' -e 'IKEv2 VPN CA' -e '\.' | tail -n +3 | cut -f1 -d ' ' +} + enter_server_address() { echo "Do you want IKEv2 VPN clients to connect to this server using a DNS name," printf "e.g. vpn.example.com, instead of its IP address? [y/N] " 
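Review bot: The leading-dash guard `|| case $client_name in -*) true;; *) false;; esac \` added to the export validation in check_arguments (hunk @@ -163) is pasted verbatim into five more conditions in hunks @@ -310, @@ -329 and @@ -343, next to the length and character-class checks that were already duplicated; six copies of the same predicate will drift the next time the rule changes. The intent also deserves stating once in a comment, since a name beginning with `-` would otherwise be taken by `certutil -n` as an option rather than a nickname. A small helper that the interactive loops and check_arguments all call would make the rule explicit in one place; the export path would still add its own `IKEv2 VPN CA` / `$server_addr` exclusions, and the defaults path would apply its `vpnclient` fallback before calling it. The check_arguments function starts before this hunk.
```shell
# Succeeds when the name is non-empty, at most 64 chars, only [A-Za-z0-9_-],
# and does not start with '-' (certutil -n would otherwise read it as an option).
is_valid_client_name() {
  [ -n "$1" ] && [ "${#1}" -le 64 ] \
    && ! printf '%s' "$1" | LC_ALL=C grep -q '[^A-Za-z0-9_-]\+' \
    && case $1 in -*) false;; *) true;; esac
}
```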
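Review bot: `list_existing_clients` (hunk @@ -269) writes its "Checking for existing IKEv2 client(s)..." banner to stdout together with the client names, so the output of the new `--listclients` mode in hunk @@ -1150 cannot be consumed by a script or a wrapper without first stripping that line. Sending the banner to stderr, `echo "Checking for existing IKEv2 client(s)..." >&2`, leaves the interactive experience unchanged while keeping stdout to one name per line. The function also relies on certutil's table layout (`tail -n +3`) and on `-e '\.'` to drop the server certificate, which presumably is nicknamed by the IP or DNS name; that works only because the name rules forbid '.', spaces and a leading '-', so a comment recording that dependency would help, e.g. `# Relies on client names never containing '.' or spaces (see check_arguments).`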
@@ -310,9 +323,11 @@ enter_client_name() {
 read -rp "Client name: " client_name
 while [ -z "$client_name" ] || [ "${#client_name}" -gt "64" ] \
 || printf '%s' "$client_name" | LC_ALL=C grep -q '[^A-Za-z0-9_-]\+' \
+ || case $client_name in -*) true;; *) false;; esac \
 || certutil -L -d sql:/etc/ipsec.d -n "$client_name" >/dev/null 2>&1; do
 if [ -z "$client_name" ] || [ "${#client_name}" -gt "64" ] \
- || printf '%s' "$client_name" | LC_ALL=C grep -q '[^A-Za-z0-9_-]\+'; then
+ || printf '%s' "$client_name" | LC_ALL=C grep -q '[^A-Za-z0-9_-]\+' \
+ || case $client_name in -*) true;; *) false;; esac; then
 echo "Invalid client name."
 else
 echo "Invalid client name. Client '$client_name' already exists."
@@ -329,9 +344,11 @@ enter_client_name_with_defaults() {
 [ -z "$client_name" ] && client_name=vpnclient
 while [ "${#client_name}" -gt "64" ] \
 || printf '%s' "$client_name" | LC_ALL=C grep -q '[^A-Za-z0-9_-]\+' \
+ || case $client_name in -*) true;; *) false;; esac \
 || certutil -L -d sql:/etc/ipsec.d -n "$client_name" >/dev/null 2>&1; do
 if [ "${#client_name}" -gt "64" ] \
- || printf '%s' "$client_name" | LC_ALL=C grep -q '[^A-Za-z0-9_-]\+'; then
+ || printf '%s' "$client_name" | LC_ALL=C grep -q '[^A-Za-z0-9_-]\+' \
+ || case $client_name in -*) true;; *) false;; esac; then
 echo "Invalid client name."
 else
 echo "Invalid client name. Client '$client_name' already exists."
@@ -343,14 +360,14 @@ enter_client_name_with_defaults() {
 enter_client_name_for_export() {
 echo
- echo "Checking for existing IKEv2 client(s)..."
- certutil -L -d sql:/etc/ipsec.d | grep -v -e '^$' -e 'IKEv2 VPN CA' -e '\.' | tail -n +3 | cut -f1 -d ' '
+ list_existing_clients
 get_server_address
 echo
 read -rp "Enter the name of the IKEv2 client to export: " client_name
 while [ -z "$client_name" ] || [ "${#client_name}" -gt "64" ] \
 || printf '%s' "$client_name" | LC_ALL=C grep -q '[^A-Za-z0-9_-]\+' \
 || [ "$client_name" = "IKEv2 VPN CA" ] || [ "$client_name" = "$server_addr" ] \
+ || case $client_name in -*) true;; *) false;; esac \
 || ! certutil -L -d sql:/etc/ipsec.d -n "$client_name" >/dev/null 2>&1; do
 echo "Invalid client name, or client does not exist."
 read -rp "Enter the name of the IKEv2 client to export: " client_name
@@ -1095,6 +1112,7 @@ ikev2setup() {
 use_defaults=0
 add_client_using_defaults=0
 export_client_using_defaults=0
+ list_clients=0
 while [ "$#" -gt 0 ]; do
 case $1 in
 --auto)
@@ -1113,6 +1131,10 @@ ikev2setup() {
 shift
 shift
 ;;
+ --listclients)
+ list_clients=1
+ shift
+ ;;
 -h|--help)
 show_usage
 ;;
@@ -1150,6 +1172,11 @@ ikev2setup() {
 exit 0
 fi
+ if [ "$list_clients" = "1" ]; then
+ list_existing_clients
+ exit 0
+ fi
+
 if grep -qs "conn ikev2-cp" /etc/ipsec.conf || [ -f /etc/ipsec.d/ikev2.conf ]; then
 select_menu_option
 case $selected_option in
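Review bot: The `list_clients` branch in hunk @@ -1150 is evaluated only after the earlier `exit 0` paths, so when `--listclients` is passed together with an add or export option the branch that comes first in source order runs and the other request is silently ignored; whether check_arguments rejects that combination is not visible in this diff, and the new precondition added there (hunk @@ -163) only checks that IKEv2 is set up. A guard next to that precondition, `if [ "$list_clients" = "1" ] && { [ "$add_client_using_defaults" = "1" ] || [ "$export_client_using_defaults" = "1" ]; }; then exiterr "Invalid parameters. --listclients cannot be combined with other options."; fi` (using the flag names visible in hunk @@ -1095; any others would need adding), makes the conflict explicit instead of order-dependent. The ikev2setup function starts and ends outside this hunk.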