Update IKEv2 script
- Improve checking for MOBIKE support. Linux kernels on QNAP systems
do not support MOBIKE.
Ref: https://github.com/hwdsl2/docker-ipsec-vpn-server/issues/247
- Switch to use /etc/ipsec.d/.vpnconfig to store generated password
for IKEv2 client config files, instead of vpnclient.p12.password.
Migrate to use .vpnconfig if the older config file is found.
Ref: 45ee41d
This commit is contained in:
parent
0951ca4925
commit
8d26e0b6c9
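--- a/UNKNOWN_PATH
+++ b/UNKNOWN_PATH
@@ -581,6 +581,9 @@ check_mobike_support() {
 mobike_support=0
 fi
 fi
+if uname -a | grep -qi qnap; then
+mobike_support=0
+fi
 if [ "$mobike_support" = "1" ]; then
 bigecho2 "Checking for MOBIKE support... available"
 else
@@ -685,20 +688,26 @@ create_client_cert() {
 }
 
 create_p12_password() {
-p12_password_file="${export_dir}vpnclient.p12.password"
-if grep -qs '^IKEV2_CONFIG_PASSWORD=.\+' "$p12_password_file"; then
-. "$p12_password_file"
+config_file="/etc/ipsec.d/.vpnconfig"
+config_file_old="${export_dir}vpnclient.p12.password"
+update_config=0
+if grep -qs '^IKEV2_CONFIG_PASSWORD=.\+' "$config_file"; then
+. "$config_file"
 p12_password="$IKEV2_CONFIG_PASSWORD"
+elif grep -qs '^IKEV2_CONFIG_PASSWORD=.\+' "$config_file_old"; then
+. "$config_file_old"
+p12_password="$IKEV2_CONFIG_PASSWORD"
+/bin/rm -f "$config_file_old"
+update_config=1
 else
 p12_password=$(LC_CTYPE=C tr -dc 'A-HJ-NPR-Za-km-z2-9' </dev/urandom 2>/dev/null | head -c 18)
 [ -z "$p12_password" ] && exiterr "Could not generate a random password for .p12 file."
-if [ ! -f "$p12_password_file" ]; then
-printf '%s\n' "IKEV2_CONFIG_PASSWORD=$p12_password" > "$p12_password_file"
-if [ "$export_to_home_dir" = "1" ]; then
-chown "$SUDO_USER:$SUDO_USER" "$p12_password_file"
-fi
-chmod 600 "$p12_password_file"
-fi
+update_config=1
 fi
+if [ "$update_config" = "1" ]; then
+mkdir -p /etc/ipsec.d
+printf '%s\n' "IKEV2_CONFIG_PASSWORD='$p12_password'" >> "$config_file"
+chmod 600 "$config_file"
+fi
 fi
 }
 
@@ -1244,6 +1253,10 @@ delete_certificates() {
 crlutil -D -d sql:/etc/ipsec.d -n "IKEv2 VPN CA" 2>/dev/null
 certutil -F -d sql:/etc/ipsec.d -n "IKEv2 VPN CA"
 certutil -D -d sql:/etc/ipsec.d -n "IKEv2 VPN CA" 2>/dev/null
+config_file="/etc/ipsec.d/.vpnconfig"
+if grep -qs '^IKEV2_CONFIG_PASSWORD=.\+' "$config_file"; then
+sed -i '/IKEV2_CONFIG_PASSWORD=/d' "$config_file"
+fi
 }
 
 print_ikev2_removed() {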
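Review bot: The migration branch of create_p12_password executes the legacy file with `. "$config_file_old"`, and the removed lines show that `${export_dir}vpnclient.p12.password` was chown'd to `$SUDO_USER` when exporting to the home directory, so a script that presumably runs as root (it writes under /etc/ipsec.d) sources a file an unprivileged user can edit. Reading the value instead of executing the file avoids that: replace `. "$config_file_old"` and the assignment after it with `p12_password=$(sed -n 's/^IKEV2_CONFIG_PASSWORD=//p' "$config_file_old" | head -n 1)`, and the same approach applies to `. "$config_file"` (stripping the single quotes the new format adds). Two smaller points in the same hunk: `/bin/rm -f "$config_file_old"` runs before the new file is written, so a failure inside the `update_config` block loses the only copy of the password, and `printf ... >> "$config_file"` precedes `chmod 600`, so a newly created .vpnconfig briefly carries umask-default permissions — `(umask 077; printf '%s\n' "IKEV2_CONFIG_PASSWORD='$p12_password'" >> "$config_file")` closes that window.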