mirror/setup-ipsec-vpn
1
0
Fork 0
mirror of synced 2024-11-21 20:46:10 +03:00
Code Issues Projects Releases Wiki Activity

New Libreswan version

Browse Source 
- Upgrade Libreswan from 3.32 to 4.1
This commit is contained in:
hwdsl2 2020-11-11 00:27:44 -06:00
parent fe01d0aa29
commit afb8a7acce
6 changed files with 46 additions and 42 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
.github/workflows/main.yml vendored
View File

@ -103,13 +103,13 @@ jobs:
iptables -nL -t nat | grep -q '192\.168\.43\.0/24'
if [ "$1" = "centos" ]; then
grep pluto /var/log/secure
grep pluto /var/log/secure | grep -q 'added connection description "l2tp-psk"'
grep pluto /var/log/secure | grep -q 'added connection description "xauth-psk"'
grep pluto /var/log/secure | grep -q 'added IKEv1 connection "l2tp-psk"'
grep pluto /var/log/secure | grep -q 'added IKEv1 connection "xauth-psk"'
grep xl2tpd /var/log/messages
else
grep pluto /var/log/auth.log
grep pluto /var/log/auth.log | grep -q 'added connection description "l2tp-psk"'
grep pluto /var/log/auth.log | grep -q 'added connection description "xauth-psk"'
grep pluto /var/log/auth.log | grep -q 'added IKEv1 connection "l2tp-psk"'
grep pluto /var/log/auth.log | grep -q 'added IKEv1 connection "xauth-psk"'
grep xl2tpd /var/log/syslog
fi
cat /var/log/fail2ban.log
@ -147,11 +147,11 @@ jobs:
systemctl restart ipsec
sleep 10
grep pluto /var/log/secure | tail -n 20
grep pluto /var/log/secure | grep -q 'added connection description "ikev2-cp"'
grep pluto /var/log/secure | grep -q 'added IKEv2 connection "ikev2-cp"'
else
sleep 10
grep pluto /var/log/auth.log | tail -n 20
grep pluto /var/log/auth.log | grep -q 'added connection description "ikev2-cp"'
grep pluto /var/log/auth.log | grep -q 'added IKEv2 connection "ikev2-cp"'
fi
bash ikev2.sh <<ANSWERS
@ -301,13 +301,13 @@ jobs:
iptables -nL -t nat | grep -q '192\.168\.43\.0/24'
if [ "$OS_NAME" = "centos" ]; then
grep pluto /var/log/secure
grep pluto /var/log/secure | grep -q 'added connection description "l2tp-psk"'
grep pluto /var/log/secure | grep -q 'added connection description "xauth-psk"'
grep pluto /var/log/secure | grep -q 'added IKEv1 connection "l2tp-psk"'
grep pluto /var/log/secure | grep -q 'added IKEv1 connection "xauth-psk"'
grep xl2tpd /var/log/messages
else
grep pluto /var/log/auth.log
grep pluto /var/log/auth.log | grep -q 'added connection description "l2tp-psk"'
grep pluto /var/log/auth.log | grep -q 'added connection description "xauth-psk"'
grep pluto /var/log/auth.log | grep -q 'added IKEv1 connection "l2tp-psk"'
grep pluto /var/log/auth.log | grep -q 'added IKEv1 connection "xauth-psk"'
grep xl2tpd /var/log/syslog
fi
cat /var/log/fail2ban.log
@ -341,10 +341,10 @@ jobs:
sleep 10
if [ "$OS_NAME" = "centos" ]; then
grep pluto /var/log/secure | tail -n 20
grep pluto /var/log/secure | grep -q 'added connection description "ikev2-cp"'
grep pluto /var/log/secure | grep -q 'added IKEv2 connection "ikev2-cp"'
else
grep pluto /var/log/auth.log | tail -n 20
grep pluto /var/log/auth.log | grep -q 'added connection description "ikev2-cp"'
grep pluto /var/log/auth.log | grep -q 'added IKEv2 connection "ikev2-cp"'
fi
bash ikev2.sh <<ANSWERS

2
docs/ikev2-howto-zh.md
View File

@ -85,7 +85,7 @@ wget https://git.io/ikev2setup -O ikev2.sh && sudo bash ikev2.sh
ikev2=insist
rekey=no
pfs=no
ike-frag=yes
fragmentation=yes
ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024
phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes128-sha2,aes256-sha2
EOF

2
docs/ikev2-howto.md
View File

@ -85,7 +85,7 @@ The following example shows how to manually configure IKEv2 with Libreswan. Comm
ikev2=insist
rekey=no
pfs=no
ike-frag=yes
fragmentation=yes
ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024
phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes128-sha2,aes256-sha2
EOF

10
extras/ikev2setup.sh
View File

@ -92,14 +92,14 @@ if grep -qs "hwdsl2" /opt/src/run.sh; then
fi
case "$swan_ver" in
3.19|3.2[01235679]|3.3[12])
3.19|3.2[01235679]|3.3[12]|4.1)
/bin/true
;;
*)
cat 1>&2 <<EOF
Error: Libreswan version '$swan_ver' is not supported.
This script requires one of these versions:
3.19-3.23, 3.25-3.27, 3.29, 3.31 or 3.32
3.19-3.23, 3.25-3.27, 3.29, 3.31-3.32 or 4.1
To upgrade Libreswan, see:
https://github.com/hwdsl2/setup-ipsec-vpn#upgrade-libreswan
EOF
@ -315,7 +315,7 @@ fi
# Check for MOBIKE support
mobike_support=0
case "$swan_ver" in
3.2[35679]|3.3[12])
3.2[35679]|3.3[12]|4.1)
mobike_support=1
;;
esac
@ -490,14 +490,14 @@ conn ikev2-cp
ikev2=insist
rekey=no
pfs=no
ike-frag=yes
fragmentation=yes
ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024
phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes128-sha2,aes256-sha2
encapsulation=yes
EOF
case "$swan_ver" in
3.2[35679]|3.3[12])
3.2[35679]|3.3[12]|4.1)
if [ -n "$dns_server_2" ]; then
cat >> /etc/ipsec.d/ikev2.conf <<EOF
modecfgdns="$dns_servers"

22
vpnsetup.sh
View File

@ -182,7 +182,7 @@ apt-get -yq install fail2ban || exiterr2
bigecho "Compiling and installing Libreswan..."
SWAN_VER=3.32
SWAN_VER=4.1
swan_file="libreswan-$SWAN_VER.tar.gz"
swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz"
swan_url2="https://download.libreswan.org/$swan_file"
@ -193,16 +193,18 @@ fi
tar xzf "$swan_file" && /bin/rm -f "$swan_file"
cd "libreswan-$SWAN_VER" || exit 1
cat > Makefile.inc.local <<'EOF'
WERROR_CFLAGS = -w
USE_DNSSEC = false
USE_DH2 = true
USE_DH31 = false
USE_NSS_AVA_COPY = true
USE_NSS_IPSEC_PROFILE = false
USE_GLIBC_KERN_FLIP_HEADERS = true
WERROR_CFLAGS=-w
USE_DNSSEC=false
USE_DH2=true
USE_DH31=false
USE_NSS_AVA_COPY=true
USE_NSS_IPSEC_PROFILE=false
USE_GLIBC_KERN_FLIP_HEADERS=true
USE_NSS_KDF=false
FINALNSSDIR=/etc/ipsec.d
EOF
if ! grep -qs IFLA_XFRM_LINK /usr/include/linux/if_link.h; then
echo "USE_XFRM_INTERFACE_IFLA_HEADER = true" >> Makefile.inc.local
echo "USE_XFRM_INTERFACE_IFLA_HEADER=true" >> Makefile.inc.local
fi
if [ "$(packaging/utils/lswan_detect.sh init)" = "systemd" ]; then
apt-get -yq install libsystemd-dev || exiterr2
@ -276,7 +278,7 @@ conn xauth-psk
rightmodecfgclient=yes
modecfgpull=yes
xauthby=file
ike-frag=yes
fragmentation=yes
cisco-unity=yes
also=shared

28
vpnsetup_centos.sh
View File

@ -185,7 +185,7 @@ yum "$REPO1" -y install fail2ban || exiterr2
bigecho "Compiling and installing Libreswan..."
SWAN_VER=3.32
SWAN_VER=4.1
swan_file="libreswan-$SWAN_VER.tar.gz"
swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz"
swan_url2="https://download.libreswan.org/$swan_file"
@ -196,16 +196,18 @@ fi
tar xzf "$swan_file" && /bin/rm -f "$swan_file"
cd "libreswan-$SWAN_VER" || exit 1
cat > Makefile.inc.local <<'EOF'
WERROR_CFLAGS = -w
USE_DNSSEC = false
USE_DH2 = true
USE_DH31 = false
USE_NSS_AVA_COPY = true
USE_NSS_IPSEC_PROFILE = false
USE_GLIBC_KERN_FLIP_HEADERS = true
WERROR_CFLAGS=-w
USE_DNSSEC=false
USE_DH2=true
USE_DH31=false
USE_NSS_AVA_COPY=true
USE_NSS_IPSEC_PROFILE=false
USE_GLIBC_KERN_FLIP_HEADERS=true
USE_NSS_KDF=false
FINALNSSDIR=/etc/ipsec.d
EOF
if ! grep -qs IFLA_XFRM_LINK /usr/include/linux/if_link.h; then
echo "USE_XFRM_INTERFACE_IFLA_HEADER = true" >> Makefile.inc.local
echo "USE_XFRM_INTERFACE_IFLA_HEADER=true" >> Makefile.inc.local
fi
NPROCS=$(grep -c ^processor /proc/cpuinfo)
[ -z "$NPROCS" ] && NPROCS=1
@ -276,7 +278,7 @@ conn xauth-psk
rightmodecfgclient=yes
modecfgpull=yes
xauthby=file
ike-frag=yes
fragmentation=yes
cisco-unity=yes
also=shared
@ -487,9 +489,9 @@ fi
bigecho "Starting services..."
restorecon /etc/ipsec.d/*db >/dev/null
restorecon /usr/local/sbin -Rv >/dev/null
restorecon /usr/local/libexec/ipsec -Rv >/dev/null
restorecon /etc/ipsec.d/*db 2>/dev/null
restorecon /usr/local/sbin -Rv 2>/dev/null
restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null
sysctl -e -q -p