mirror/setup-ipsec-vpn
1
0
Fork 0
mirror of synced 2024-11-26 06:46:06 +03:00
Code Issues Projects Releases Wiki Activity

Update IKEv2 script

Browse Source 
- New: Users can now specify '--listclients' to list the names of
  existing IKEv2 clients
- Other minor improvements
This commit is contained in:
hwdsl2 2021-01-24 15:08:06 -06:00
parent 625ddd3d32
commit 7e3a38ca54
1 changed files with 36 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

45
extras/ikev2setup.sh
View File

@ -88,7 +88,7 @@ EOF
case $swan_ver in case $swan_ver in
3.19|3.2[01235679]|3.3[12]|4.*) 3.19|3.2[01235679]|3.3[12]|4.*)
/bin/true true
;; ;;
*) *)
cat 1>&2 <<EOF cat 1>&2 <<EOF
@ -128,9 +128,10 @@ Options:
--auto run IKEv2 setup in auto mode using default options (for initial IKEv2 setup only) --auto run IKEv2 setup in auto mode using default options (for initial IKEv2 setup only)
--addclient [client name] add a new IKEv2 client using default options (after IKEv2 setup) --addclient [client name] add a new IKEv2 client using default options (after IKEv2 setup)
--exportclient [client name] export an existing IKEv2 client using default options (after IKEv2 setup) --exportclient [client name] export an existing IKEv2 client using default options (after IKEv2 setup)
--listclients list the names of existing IKEv2 clients (after IKEv2 setup)
-h, --help show this help message and exit -h, --help show this help message and exit
If you want to customize options, run this script without arguments. If you want to customize IKEv2 options, run this script without arguments.
EOF EOF
exit 1 exit 1
} }
@ -141,15 +142,16 @@ check_arguments() {
show_usage "Invalid parameter. '--auto' can only be specified for initial IKEv2 setup." show_usage "Invalid parameter. '--auto' can only be specified for initial IKEv2 setup."
fi fi
fi fi
if [ "$add_client_using_defaults" = "1" ] && [ "$export_client_using_defaults" = "1" ]; then if [ "$((add_client_using_defaults + export_client_using_defaults + list_clients))" -gt 1 ]; then
show_usage "Invalid parameters. '--addclient' and '--exportclient' cannot be specified at the same time." show_usage "Invalid parameters. Specify only one of '--addclient', '--exportclient' or '--listclients'."
fi fi
if [ "$add_client_using_defaults" = "1" ]; then if [ "$add_client_using_defaults" = "1" ]; then
if ! grep -qs "conn ikev2-cp" /etc/ipsec.conf && [ ! -f /etc/ipsec.d/ikev2.conf ]; then if ! grep -qs "conn ikev2-cp" /etc/ipsec.conf && [ ! -f /etc/ipsec.d/ikev2.conf ]; then
exiterr "You must first set up IKEv2 before adding a new client." exiterr "You must first set up IKEv2 before adding a new client."
fi fi
if [ -z "$client_name" ] || [ "${#client_name}" -gt "64" ] \ if [ -z "$client_name" ] || [ "${#client_name}" -gt "64" ] \
|| printf '%s' "$client_name" | LC_ALL=C grep -q '[^A-Za-z0-9_-]\+'; then || printf '%s' "$client_name" | LC_ALL=C grep -q '[^A-Za-z0-9_-]\+' \
|| case $client_name in -*) true;; *) false;; esac; then
exiterr "Invalid client name. Use one word only, no special characters except '-' and '_'." exiterr "Invalid client name. Use one word only, no special characters except '-' and '_'."
elif certutil -L -d sql:/etc/ipsec.d -n "$client_name" >/dev/null 2>&1; then elif certutil -L -d sql:/etc/ipsec.d -n "$client_name" >/dev/null 2>&1; then
exiterr "Invalid client name. Client '$client_name' already exists." exiterr "Invalid client name. Client '$client_name' already exists."
@ -163,10 +165,16 @@ check_arguments() {
if [ -z "$client_name" ] || [ "${#client_name}" -gt "64" ] \ if [ -z "$client_name" ] || [ "${#client_name}" -gt "64" ] \
|| printf '%s' "$client_name" | LC_ALL=C grep -q '[^A-Za-z0-9_-]\+' \ || printf '%s' "$client_name" | LC_ALL=C grep -q '[^A-Za-z0-9_-]\+' \
|| [ "$client_name" = "IKEv2 VPN CA" ] || [ "$client_name" = "$server_addr" ] \ || [ "$client_name" = "IKEv2 VPN CA" ] || [ "$client_name" = "$server_addr" ] \
|| case $client_name in -*) true;; *) false;; esac \
|| ! certutil -L -d sql:/etc/ipsec.d -n "$client_name" >/dev/null 2>&1; then || ! certutil -L -d sql:/etc/ipsec.d -n "$client_name" >/dev/null 2>&1; then
exiterr "Invalid client name, or client does not exist." exiterr "Invalid client name, or client does not exist."
fi fi
fi fi
if [ "$list_clients" = "1" ]; then
if ! grep -qs "conn ikev2-cp" /etc/ipsec.conf && [ ! -f /etc/ipsec.d/ikev2.conf ]; then
exiterr "You must first set up IKEv2 before listing clients."
fi
fi
} }
check_ca_cert_exists() { check_ca_cert_exists() {
@ -269,6 +277,11 @@ get_server_address() {
check_ip "$server_addr" || check_dns_name "$server_addr" || exiterr "Could not get VPN server address." check_ip "$server_addr" || check_dns_name "$server_addr" || exiterr "Could not get VPN server address."
} }
list_existing_clients() {
echo "Checking for existing IKEv2 client(s)..."
certutil -L -d sql:/etc/ipsec.d | grep -v -e '^$' -e 'IKEv2 VPN CA' -e '\.' | tail -n +3 | cut -f1 -d ' '
}
enter_server_address() { enter_server_address() {
echo "Do you want IKEv2 VPN clients to connect to this server using a DNS name," echo "Do you want IKEv2 VPN clients to connect to this server using a DNS name,"
printf "e.g. vpn.example.com, instead of its IP address? [y/N] " printf "e.g. vpn.example.com, instead of its IP address? [y/N] "
@ -310,9 +323,11 @@ enter_client_name() {
read -rp "Client name: " client_name read -rp "Client name: " client_name
while [ -z "$client_name" ] || [ "${#client_name}" -gt "64" ] \ while [ -z "$client_name" ] || [ "${#client_name}" -gt "64" ] \
|| printf '%s' "$client_name" | LC_ALL=C grep -q '[^A-Za-z0-9_-]\+' \ || printf '%s' "$client_name" | LC_ALL=C grep -q '[^A-Za-z0-9_-]\+' \
|| case $client_name in -*) true;; *) false;; esac \
|| certutil -L -d sql:/etc/ipsec.d -n "$client_name" >/dev/null 2>&1; do || certutil -L -d sql:/etc/ipsec.d -n "$client_name" >/dev/null 2>&1; do
if [ -z "$client_name" ] || [ "${#client_name}" -gt "64" ] \ if [ -z "$client_name" ] || [ "${#client_name}" -gt "64" ] \
|| printf '%s' "$client_name" | LC_ALL=C grep -q '[^A-Za-z0-9_-]\+'; then || printf '%s' "$client_name" | LC_ALL=C grep -q '[^A-Za-z0-9_-]\+' \
|| case $client_name in -*) true;; *) false;; esac; then
echo "Invalid client name." echo "Invalid client name."
else else
echo "Invalid client name. Client '$client_name' already exists." echo "Invalid client name. Client '$client_name' already exists."
@ -329,9 +344,11 @@ enter_client_name_with_defaults() {
[ -z "$client_name" ] && client_name=vpnclient [ -z "$client_name" ] && client_name=vpnclient
while [ "${#client_name}" -gt "64" ] \ while [ "${#client_name}" -gt "64" ] \
|| printf '%s' "$client_name" | LC_ALL=C grep -q '[^A-Za-z0-9_-]\+' \ || printf '%s' "$client_name" | LC_ALL=C grep -q '[^A-Za-z0-9_-]\+' \
|| case $client_name in -*) true;; *) false;; esac \
|| certutil -L -d sql:/etc/ipsec.d -n "$client_name" >/dev/null 2>&1; do || certutil -L -d sql:/etc/ipsec.d -n "$client_name" >/dev/null 2>&1; do
if [ "${#client_name}" -gt "64" ] \ if [ "${#client_name}" -gt "64" ] \
|| printf '%s' "$client_name" | LC_ALL=C grep -q '[^A-Za-z0-9_-]\+'; then || printf '%s' "$client_name" | LC_ALL=C grep -q '[^A-Za-z0-9_-]\+' \
|| case $client_name in -*) true;; *) false;; esac; then
echo "Invalid client name." echo "Invalid client name."
else else
echo "Invalid client name. Client '$client_name' already exists." echo "Invalid client name. Client '$client_name' already exists."
@ -343,14 +360,14 @@ enter_client_name_with_defaults() {
enter_client_name_for_export() { enter_client_name_for_export() {
echo echo
echo "Checking for existing IKEv2 client(s)..." list_existing_clients
certutil -L -d sql:/etc/ipsec.d | grep -v -e '^$' -e 'IKEv2 VPN CA' -e '\.' | tail -n +3 | cut -f1 -d ' '
get_server_address get_server_address
echo echo
read -rp "Enter the name of the IKEv2 client to export: " client_name read -rp "Enter the name of the IKEv2 client to export: " client_name
while [ -z "$client_name" ] || [ "${#client_name}" -gt "64" ] \ while [ -z "$client_name" ] || [ "${#client_name}" -gt "64" ] \
|| printf '%s' "$client_name" | LC_ALL=C grep -q '[^A-Za-z0-9_-]\+' \ || printf '%s' "$client_name" | LC_ALL=C grep -q '[^A-Za-z0-9_-]\+' \
|| [ "$client_name" = "IKEv2 VPN CA" ] || [ "$client_name" = "$server_addr" ] \ || [ "$client_name" = "IKEv2 VPN CA" ] || [ "$client_name" = "$server_addr" ] \
|| case $client_name in -*) true;; *) false;; esac \
|| ! certutil -L -d sql:/etc/ipsec.d -n "$client_name" >/dev/null 2>&1; do || ! certutil -L -d sql:/etc/ipsec.d -n "$client_name" >/dev/null 2>&1; do
echo "Invalid client name, or client does not exist." echo "Invalid client name, or client does not exist."
read -rp "Enter the name of the IKEv2 client to export: " client_name read -rp "Enter the name of the IKEv2 client to export: " client_name
@ -1095,6 +1112,7 @@ ikev2setup() {
use_defaults=0 use_defaults=0
add_client_using_defaults=0 add_client_using_defaults=0
export_client_using_defaults=0 export_client_using_defaults=0
list_clients=0
while [ "$#" -gt 0 ]; do while [ "$#" -gt 0 ]; do
case $1 in case $1 in
--auto) --auto)
@ -1113,6 +1131,10 @@ ikev2setup() {
shift shift
shift shift
;; ;;
--listclients)
list_clients=1
shift
;;
-h|--help) -h|--help)
show_usage show_usage
;; ;;
@ -1150,6 +1172,11 @@ ikev2setup() {
exit 0 exit 0
fi fi
if [ "$list_clients" = "1" ]; then
list_existing_clients
exit 0
fi
if grep -qs "conn ikev2-cp" /etc/ipsec.conf || [ -f /etc/ipsec.d/ikev2.conf ]; then if grep -qs "conn ikev2-cp" /etc/ipsec.conf || [ -f /etc/ipsec.d/ikev2.conf ]; then
select_menu_option select_menu_option
case $selected_option in case $selected_option in