New Libreswan version

- Use new Libreswan version 4.4
- Support updating to Libreswan 4.4
- Other small improvements and cleanup

extras/ikev2setup.sh

@@ -108,8 +108,7 @@ Error: Libreswan version '$swan_ver' is not supported.
        This script requires one of these versions:
        3.23, 3.25-3.27, 3.29, 3.31-3.32 or 4.x
        To update Libreswan, run:
-       wget $update_url -O vpnupgrade.sh
+       wget $update_url -O vpnup.sh && sudo sh vpnup.sh
-       sudo sh vpnupgrade.sh
 EOF
       exit 1
       ;;
@@ -238,15 +237,15 @@ check_swan_ver() {
 
 run_swan_update() {
   get_update_url
-  TMPDIR=$(mktemp -d /tmp/vpnupg.XXX 2>/dev/null)
+  TMPDIR=$(mktemp -d /tmp/vpnup.XXX 2>/dev/null)
   if [ -d "$TMPDIR" ]; then
     set -x
-    if wget -t 3 -T 30 -q -O "$TMPDIR/vpnupg.sh" "$update_url"; then
+    if wget -t 3 -T 30 -q -O "$TMPDIR/vpnup.sh" "$update_url"; then
-      /bin/sh "$TMPDIR/vpnupg.sh"
+      /bin/sh "$TMPDIR/vpnup.sh"
     fi
     { set +x; } 2>&-
-    [ ! -s "$TMPDIR/vpnupg.sh" ] && echo "Error: Could not download update script." >&2
+    [ ! -s "$TMPDIR/vpnup.sh" ] && echo "Error: Could not download update script." >&2
-    /bin/rm -f "$TMPDIR/vpnupg.sh"
+    /bin/rm -f "$TMPDIR/vpnup.sh"
     /bin/rmdir "$TMPDIR"
   else
     echo "Error: Could not create temporary directory." >&2
@@ -256,7 +255,7 @@ run_swan_update() {
 }
 
 select_swan_update() {
-  if printf '%s' "$swan_ver_latest" | grep -Eq '^([3-9]|[1-9][0-9])\.([0-9]|[1-9][0-9])$' \
+  if printf '%s' "$swan_ver_latest" | grep -Eq '^([3-9]|[1-9][0-9]{1,2})(\.([0-9]|[1-9][0-9]{1,2})){1,2}$' \
     && [ "$swan_ver" != "$swan_ver_latest" ] \
     && printf '%s\n%s' "$swan_ver" "$swan_ver_latest" | sort -C -V; then
     echo "Note: A newer version of Libreswan ($swan_ver_latest) is available."
@@ -983,7 +982,6 @@ conn ikev2-cp
   ikev2=insist
   rekey=no
   pfs=no
-  fragmentation=yes
   ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024
   phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes128-sha2,aes256-sha2
   ikelifetime=24h
@@ -1079,7 +1077,7 @@ EOF
 }
 
 show_swan_update_info() {
-  if printf '%s' "$swan_ver_latest" | grep -Eq '^([3-9]|[1-9][0-9])\.([0-9]|[1-9][0-9])$' \
+  if printf '%s' "$swan_ver_latest" | grep -Eq '^([3-9]|[1-9][0-9]{1,2})(\.([0-9]|[1-9][0-9]{1,2})){1,2}$' \
     && [ "$swan_ver" != "$swan_ver_latest" ] \
     && printf '%s\n%s' "$swan_ver" "$swan_ver_latest" | sort -C -V; then
     echo
@@ -1087,8 +1085,7 @@ show_swan_update_info() {
     if [ "$in_container" = "0" ]; then
       get_update_url
       echo "      To update, run:"
-      echo "      wget $update_url -O vpnupgrade.sh"
+      echo "      wget $update_url -O vpnup.sh && sudo sh vpnup.sh"
-      echo "      sudo sh vpnupgrade.sh"
     else
       echo "      To update this Docker image, see: https://git.io/updatedockervpn"
     fi

extras/vpnupgrade.sh

@@ -14,7 +14,7 @@
 # know how you have improved it!
 
 # Specify which Libreswan version to install. See: https://libreswan.org
-SWAN_VER=4.3
+SWAN_VER=4.4
 
 ### DO NOT edit below this line ###
 
@@ -60,14 +60,14 @@ if [ "$(id -u)" != 0 ]; then
 fi
 
 case $SWAN_VER in
-  3.32|4.[123])
+  3.32|4.[1234])
     true
     ;;
   *)
 cat 1>&2 <<EOF
 Error: Libreswan version '$SWAN_VER' is not supported.
        This script can install one of these versions:
-       3.32, 4.1, 4.2 or 4.3
+       3.32, 4.1-4.3 or 4.4
 EOF
     exit 1
     ;;
@@ -83,16 +83,15 @@ EOF
   exit 1
 fi
 
-swan_ver_cur=4.3
+swan_ver_cur=4.4
 swan_ver_url="https://dl.ls20.com/v1/$os_type/$os_ver/swanverupg?arch=$os_arch&ver1=$swan_ver_old&ver2=$SWAN_VER"
 swan_ver_latest=$(wget -t 3 -T 15 -qO- "$swan_ver_url")
-if printf '%s' "$swan_ver_latest" | grep -Eq '^([3-9]|[1-9][0-9])\.([0-9]|[1-9][0-9])$' \
+if printf '%s' "$swan_ver_latest" | grep -Eq '^([3-9]|[1-9][0-9]{1,2})(\.([0-9]|[1-9][0-9]{1,2})){1,2}$' \
   && [ "$swan_ver_cur" != "$swan_ver_latest" ] \
   && printf '%s\n%s' "$swan_ver_cur" "$swan_ver_latest" | sort -C -V; then
   echo "Note: A newer version of Libreswan ($swan_ver_latest) is available."
   echo "      To update to the new version, exit this script and run:"
-  echo "      wget https://git.io/vpnupgrade -O vpnupgrade.sh"
+  echo "      wget https://git.io/vpnupgrade -O vpnup.sh && sudo sh vpnup.sh"
-  echo "      sudo sh vpnupgrade.sh"
   echo
   printf "Do you want to continue anyway? [y/N] "
   read -r response
@@ -144,7 +143,7 @@ Note: This script will make the following changes to your VPN configuration:
 
 EOF
 
-if [ "$SWAN_VER" != "4.3" ]; then
+if [ "$SWAN_VER" != "4.4" ]; then
 cat <<'EOF'
 WARNING: Older versions of Libreswan could contain known security vulnerabilities.
          See https://libreswan.org/security/ for more information.
@@ -166,7 +165,6 @@ case $response in
     ;;
 esac
 
-# Create and change to working dir
 mkdir -p /opt/src
 cd /opt/src || exit 1
 

extras/vpnupgrade_amzn.sh

@@ -14,7 +14,7 @@
 # know how you have improved it!
 
 # Specify which Libreswan version to install. See: https://libreswan.org
-SWAN_VER=4.3
+SWAN_VER=4.4
 
 ### DO NOT edit below this line ###
 
@@ -39,14 +39,14 @@ if [ "$(id -u)" != 0 ]; then
 fi
 
 case $SWAN_VER in
-  3.32|4.[123])
+  3.32|4.[1234])
     true
     ;;
   *)
 cat 1>&2 <<EOF
 Error: Libreswan version '$SWAN_VER' is not supported.
        This script can install one of these versions:
-       3.32, 4.1, 4.2 or 4.3
+       3.32, 4.1-4.3 or 4.4
 EOF
     exit 1
     ;;
@@ -62,16 +62,15 @@ EOF
   exit 1
 fi
 
-swan_ver_cur=4.3
+swan_ver_cur=4.4
 swan_ver_url="https://dl.ls20.com/v1/amzn/2/swanverupg?arch=$os_arch&ver1=$swan_ver_old&ver2=$SWAN_VER"
 swan_ver_latest=$(wget -t 3 -T 15 -qO- "$swan_ver_url")
-if printf '%s' "$swan_ver_latest" | grep -Eq '^([3-9]|[1-9][0-9])\.([0-9]|[1-9][0-9])$' \
+if printf '%s' "$swan_ver_latest" | grep -Eq '^([3-9]|[1-9][0-9]{1,2})(\.([0-9]|[1-9][0-9]{1,2})){1,2}$' \
   && [ "$swan_ver_cur" != "$swan_ver_latest" ] \
   && printf '%s\n%s' "$swan_ver_cur" "$swan_ver_latest" | sort -C -V; then
   echo "Note: A newer version of Libreswan ($swan_ver_latest) is available."
   echo "      To update to the new version, exit this script and run:"
-  echo "      wget https://git.io/vpnupgrade-amzn -O vpnupgrade.sh"
+  echo "      wget https://git.io/vpnupgrade-amzn -O vpnup.sh && sudo sh vpnup.sh"
-  echo "      sudo sh vpnupgrade.sh"
   echo
   printf "Do you want to continue anyway? [y/N] "
   read -r response
@@ -123,7 +122,7 @@ Note: This script will make the following changes to your VPN configuration:
 
 EOF
 
-if [ "$SWAN_VER" != "4.3" ]; then
+if [ "$SWAN_VER" != "4.4" ]; then
 cat <<'EOF'
 WARNING: Older versions of Libreswan could contain known security vulnerabilities.
          See https://libreswan.org/security/ for more information.
@@ -145,7 +144,6 @@ case $response in
     ;;
 esac
 
-# Create and change to working dir
 mkdir -p /opt/src
 cd /opt/src || exit 1
 

extras/vpnupgrade_centos.sh

@@ -14,7 +14,7 @@
 # know how you have improved it!
 
 # Specify which Libreswan version to install. See: https://libreswan.org
-SWAN_VER=4.3
+SWAN_VER=4.4
 
 ### DO NOT edit below this line ###
 
@@ -54,14 +54,14 @@ if [ "$(id -u)" != 0 ]; then
 fi
 
 case $SWAN_VER in
-  3.32|4.[123])
+  3.32|4.[1234])
     true
     ;;
   *)
 cat 1>&2 <<EOF
 Error: Libreswan version '$SWAN_VER' is not supported.
        This script can install one of these versions:
-       3.32, 4.1, 4.2 or 4.3
+       3.32, 4.1-4.3 or 4.4
 EOF
     exit 1
     ;;
@@ -77,16 +77,15 @@ EOF
   exit 1
 fi
 
-swan_ver_cur=4.3
+swan_ver_cur=4.4
 swan_ver_url="https://dl.ls20.com/v1/$os_type/$os_ver/swanverupg?arch=$os_arch&ver1=$swan_ver_old&ver2=$SWAN_VER"
 swan_ver_latest=$(wget -t 3 -T 15 -qO- "$swan_ver_url")
-if printf '%s' "$swan_ver_latest" | grep -Eq '^([3-9]|[1-9][0-9])\.([0-9]|[1-9][0-9])$' \
+if printf '%s' "$swan_ver_latest" | grep -Eq '^([3-9]|[1-9][0-9]{1,2})(\.([0-9]|[1-9][0-9]{1,2})){1,2}$' \
   && [ "$swan_ver_cur" != "$swan_ver_latest" ] \
   && printf '%s\n%s' "$swan_ver_cur" "$swan_ver_latest" | sort -C -V; then
   echo "Note: A newer version of Libreswan ($swan_ver_latest) is available."
   echo "      To update to the new version, exit this script and run:"
-  echo "      wget https://git.io/vpnupgrade-centos -O vpnupgrade.sh"
+  echo "      wget https://git.io/vpnupgrade-centos -O vpnup.sh && sudo sh vpnup.sh"
-  echo "      sudo sh vpnupgrade.sh"
   echo
   printf "Do you want to continue anyway? [y/N] "
   read -r response
@@ -138,7 +137,7 @@ Note: This script will make the following changes to your VPN configuration:
 
 EOF
 
-if [ "$SWAN_VER" != "4.3" ]; then
+if [ "$SWAN_VER" != "4.4" ]; then
 cat <<'EOF'
 WARNING: Older versions of Libreswan could contain known security vulnerabilities.
          See https://libreswan.org/security/ for more information.
@@ -160,7 +159,6 @@ case $response in
     ;;
 esac
 
-# Create and change to working dir
 mkdir -p /opt/src
 cd /opt/src || exit 1
 

vpnsetup.sh

@@ -204,7 +204,7 @@ ikev2_url="https://github.com/hwdsl2/setup-ipsec-vpn/raw/master/extras/ikev2setu
 
 bigecho "Downloading Libreswan..."
 
-SWAN_VER=4.3
+SWAN_VER=4.4
 swan_file="libreswan-$SWAN_VER.tar.gz"
 swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz"
 swan_url2="https://download.libreswan.org/$swan_file"
@@ -268,7 +268,6 @@ version 2.0
 
 config setup
   virtual-private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!$L2TP_NET,%v4:!$XAUTH_NET
-  interfaces=%defaultroute
   uniqueids=no
 
 conn shared
@@ -295,7 +294,6 @@ conn l2tp-psk
   leftprotoport=17/1701
   rightprotoport=17/%any
   type=transport
-  phase2=esp
   also=shared
 
 conn xauth-psk
@@ -308,8 +306,6 @@ conn xauth-psk
   leftmodecfgserver=yes
   rightmodecfgclient=yes
   modecfgpull=yes
-  xauthby=file
-  fragmentation=yes
   cisco-unity=yes
   also=shared
 
@@ -522,15 +518,14 @@ service xl2tpd restart 2>/dev/null
 
 swan_ver_url="https://dl.ls20.com/v1/$os_type/$os_ver/swanver?arch=$os_arch&ver=$SWAN_VER"
 swan_ver_latest=$(wget -t 3 -T 15 -qO- "$swan_ver_url")
-if printf '%s' "$swan_ver_latest" | grep -Eq '^([3-9]|[1-9][0-9])\.([0-9]|[1-9][0-9])$' \
+if printf '%s' "$swan_ver_latest" | grep -Eq '^([3-9]|[1-9][0-9]{1,2})(\.([0-9]|[1-9][0-9]{1,2})){1,2}$' \
   && [ -n "$SWAN_VER" ] && [ "$SWAN_VER" != "$swan_ver_latest" ] \
   && printf '%s\n%s' "$SWAN_VER" "$swan_ver_latest" | sort -C -V; then
 cat <<EOF
 
 Note: A newer version of Libreswan ($swan_ver_latest) is available.
       To update, run:
-      wget https://git.io/vpnupgrade -O vpnupgrade.sh
+      wget https://git.io/vpnupgrade -O vpnup.sh && sudo sh vpnup.sh
-      sudo sh vpnupgrade.sh
 EOF
 fi
 

vpnsetup_amzn.sh

@@ -168,7 +168,7 @@ ikev2_url="https://github.com/hwdsl2/setup-ipsec-vpn/raw/master/extras/ikev2setu
 
 bigecho "Downloading Libreswan..."
 
-SWAN_VER=4.3
+SWAN_VER=4.4
 swan_file="libreswan-$SWAN_VER.tar.gz"
 swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz"
 swan_url2="https://download.libreswan.org/$swan_file"
@@ -224,7 +224,6 @@ version 2.0
 
 config setup
   virtual-private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!$L2TP_NET,%v4:!$XAUTH_NET
-  interfaces=%defaultroute
   uniqueids=no
 
 conn shared
@@ -251,7 +250,6 @@ conn l2tp-psk
   leftprotoport=17/1701
   rightprotoport=17/%any
   type=transport
-  phase2=esp
   also=shared
 
 conn xauth-psk
@@ -264,8 +262,6 @@ conn xauth-psk
   leftmodecfgserver=yes
   rightmodecfgclient=yes
   modecfgpull=yes
-  xauthby=file
-  fragmentation=yes
   cisco-unity=yes
   also=shared
 
@@ -446,15 +442,14 @@ service xl2tpd restart 2>/dev/null
 
 swan_ver_url="https://dl.ls20.com/v1/amzn/2/swanver?arch=$os_arch&ver=$SWAN_VER"
 swan_ver_latest=$(wget -t 3 -T 15 -qO- "$swan_ver_url")
-if printf '%s' "$swan_ver_latest" | grep -Eq '^([3-9]|[1-9][0-9])\.([0-9]|[1-9][0-9])$' \
+if printf '%s' "$swan_ver_latest" | grep -Eq '^([3-9]|[1-9][0-9]{1,2})(\.([0-9]|[1-9][0-9]{1,2})){1,2}$' \
   && [ -n "$SWAN_VER" ] && [ "$SWAN_VER" != "$swan_ver_latest" ] \
   && printf '%s\n%s' "$SWAN_VER" "$swan_ver_latest" | sort -C -V; then
 cat <<EOF
 
 Note: A newer version of Libreswan ($swan_ver_latest) is available.
       To update, run:
-      wget https://git.io/vpnupgrade-amzn -O vpnupgrade.sh
+      wget https://git.io/vpnupgrade-amzn -O vpnup.sh && sudo sh vpnup.sh
-      sudo sh vpnupgrade.sh
 EOF
 fi
 

vpnsetup_centos.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Script for automatic setup of an IPsec VPN server on CentOS/RHEL 7 and 8
+# Script for automatic setup of an IPsec VPN server on CentOS and RHEL
 # Works on any dedicated server or virtual private server (VPS)
 #
 # DO NOT RUN THIS SCRIPT ON YOUR PC OR MAC!
@@ -217,7 +217,7 @@ ikev2_url="https://github.com/hwdsl2/setup-ipsec-vpn/raw/master/extras/ikev2setu
 
 bigecho "Downloading Libreswan..."
 
-SWAN_VER=4.3
+SWAN_VER=4.4
 swan_file="libreswan-$SWAN_VER.tar.gz"
 swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz"
 swan_url2="https://download.libreswan.org/$swan_file"
@@ -273,7 +273,6 @@ version 2.0
 
 config setup
   virtual-private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!$L2TP_NET,%v4:!$XAUTH_NET
-  interfaces=%defaultroute
   uniqueids=no
 
 conn shared
@@ -300,7 +299,6 @@ conn l2tp-psk
   leftprotoport=17/1701
   rightprotoport=17/%any
   type=transport
-  phase2=esp
   also=shared
 
 conn xauth-psk
@@ -313,8 +311,6 @@ conn xauth-psk
   leftmodecfgserver=yes
   rightmodecfgclient=yes
   modecfgpull=yes
-  xauthby=file
-  fragmentation=yes
   cisco-unity=yes
   also=shared
 
@@ -534,15 +530,14 @@ service xl2tpd restart 2>/dev/null
 
 swan_ver_url="https://dl.ls20.com/v1/$os_type/$os_ver/swanver?arch=$os_arch&ver=$SWAN_VER"
 swan_ver_latest=$(wget -t 3 -T 15 -qO- "$swan_ver_url")
-if printf '%s' "$swan_ver_latest" | grep -Eq '^([3-9]|[1-9][0-9])\.([0-9]|[1-9][0-9])$' \
+if printf '%s' "$swan_ver_latest" | grep -Eq '^([3-9]|[1-9][0-9]{1,2})(\.([0-9]|[1-9][0-9]{1,2})){1,2}$' \
   && [ -n "$SWAN_VER" ] && [ "$SWAN_VER" != "$swan_ver_latest" ] \
   && printf '%s\n%s' "$SWAN_VER" "$swan_ver_latest" | sort -C -V; then
 cat <<EOF
 
 Note: A newer version of Libreswan ($swan_ver_latest) is available.
       To update, run:
-      wget https://git.io/vpnupgrade-centos -O vpnupgrade.sh
+      wget https://git.io/vpnupgrade-centos -O vpnup.sh && sudo sh vpnup.sh
-      sudo sh vpnupgrade.sh
 EOF
 fi