New Libreswan version

- Upgrade Libreswan from 3.32 to 4.1
2024-11-22 04:56:03 +03:00 · 2020-11-11 00:27:44 -06:00 · 2020-11-11 00:27:44 -06:00 · afb8a7acce
commit afb8a7acce
parent fe01d0aa29
6 changed files with 46 additions and 42 deletions
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@ -103,13 +103,13 @@ jobs:
          iptables -nL -t nat | grep -q '192\.168\.43\.0/24'
          if [ "$1" = "centos" ]; then
            grep pluto /var/log/secure
-            grep pluto /var/log/secure | grep -q 'added connection description "l2tp-psk"'
-            grep pluto /var/log/secure | grep -q 'added connection description "xauth-psk"'
+            grep pluto /var/log/secure | grep -q 'added IKEv1 connection "l2tp-psk"'
+            grep pluto /var/log/secure | grep -q 'added IKEv1 connection "xauth-psk"'
            grep xl2tpd /var/log/messages
          else
            grep pluto /var/log/auth.log
-            grep pluto /var/log/auth.log | grep -q 'added connection description "l2tp-psk"'
-            grep pluto /var/log/auth.log | grep -q 'added connection description "xauth-psk"'
+            grep pluto /var/log/auth.log | grep -q 'added IKEv1 connection "l2tp-psk"'
+            grep pluto /var/log/auth.log | grep -q 'added IKEv1 connection "xauth-psk"'
            grep xl2tpd /var/log/syslog
          fi
          cat /var/log/fail2ban.log
@ -147,11 +147,11 @@ jobs:
            systemctl restart ipsec
            sleep 10
            grep pluto /var/log/secure | tail -n 20
-            grep pluto /var/log/secure | grep -q 'added connection description "ikev2-cp"'
+            grep pluto /var/log/secure | grep -q 'added IKEv2 connection "ikev2-cp"'
          else
            sleep 10
            grep pluto /var/log/auth.log | tail -n 20
-            grep pluto /var/log/auth.log | grep -q 'added connection description "ikev2-cp"'
+            grep pluto /var/log/auth.log | grep -q 'added IKEv2 connection "ikev2-cp"'
          fi

          bash ikev2.sh <<ANSWERS
@ -301,13 +301,13 @@ jobs:
          iptables -nL -t nat | grep -q '192\.168\.43\.0/24'
          if [ "$OS_NAME" = "centos" ]; then
            grep pluto /var/log/secure
-            grep pluto /var/log/secure | grep -q 'added connection description "l2tp-psk"'
-            grep pluto /var/log/secure | grep -q 'added connection description "xauth-psk"'
+            grep pluto /var/log/secure | grep -q 'added IKEv1 connection "l2tp-psk"'
+            grep pluto /var/log/secure | grep -q 'added IKEv1 connection "xauth-psk"'
            grep xl2tpd /var/log/messages
          else
            grep pluto /var/log/auth.log
-            grep pluto /var/log/auth.log | grep -q 'added connection description "l2tp-psk"'
-            grep pluto /var/log/auth.log | grep -q 'added connection description "xauth-psk"'
+            grep pluto /var/log/auth.log | grep -q 'added IKEv1 connection "l2tp-psk"'
+            grep pluto /var/log/auth.log | grep -q 'added IKEv1 connection "xauth-psk"'
            grep xl2tpd /var/log/syslog
          fi
          cat /var/log/fail2ban.log
@ -341,10 +341,10 @@ jobs:
          sleep 10
          if [ "$OS_NAME" = "centos" ]; then
            grep pluto /var/log/secure | tail -n 20
-            grep pluto /var/log/secure | grep -q 'added connection description "ikev2-cp"'
+            grep pluto /var/log/secure | grep -q 'added IKEv2 connection "ikev2-cp"'
          else
            grep pluto /var/log/auth.log | tail -n 20
-            grep pluto /var/log/auth.log | grep -q 'added connection description "ikev2-cp"'
+            grep pluto /var/log/auth.log | grep -q 'added IKEv2 connection "ikev2-cp"'
          fi

          bash ikev2.sh <<ANSWERS
--- a/docs/ikev2-howto-zh.md
+++ b/docs/ikev2-howto-zh.md
@ -85,7 +85,7 @@ wget https://git.io/ikev2setup -O ikev2.sh && sudo bash ikev2.sh
     ikev2=insist
     rekey=no
     pfs=no
-     ike-frag=yes
+     fragmentation=yes
     ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024
     phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes128-sha2,aes256-sha2
   EOF
--- a/docs/ikev2-howto.md
+++ b/docs/ikev2-howto.md
@ -85,7 +85,7 @@ The following example shows how to manually configure IKEv2 with Libreswan. Comm
     ikev2=insist
     rekey=no
     pfs=no
-     ike-frag=yes
+     fragmentation=yes
     ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024
     phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes128-sha2,aes256-sha2
   EOF
--- a/extras/ikev2setup.sh
+++ b/extras/ikev2setup.sh
@ -92,14 +92,14 @@ if grep -qs "hwdsl2" /opt/src/run.sh; then
 fi

 case "$swan_ver" in
-  3.19|3.2[01235679]|3.3[12])
+  3.19|3.2[01235679]|3.3[12]|4.1)
    /bin/true
    ;;
  *)
 cat 1>&2 <<EOF
 Error: Libreswan version '$swan_ver' is not supported.
  This script requires one of these versions:
-  3.19-3.23, 3.25-3.27, 3.29, 3.31 or 3.32
+  3.19-3.23, 3.25-3.27, 3.29, 3.31-3.32 or 4.1
  To upgrade Libreswan, see:
  https://github.com/hwdsl2/setup-ipsec-vpn#upgrade-libreswan
 EOF
@ -315,7 +315,7 @@ fi
 # Check for MOBIKE support
 mobike_support=0
 case "$swan_ver" in
-  3.2[35679]|3.3[12])
+  3.2[35679]|3.3[12]|4.1)
    mobike_support=1
    ;;
 esac
@ -490,14 +490,14 @@ conn ikev2-cp
  ikev2=insist
  rekey=no
  pfs=no
-  ike-frag=yes
+  fragmentation=yes
  ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024
  phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes128-sha2,aes256-sha2
  encapsulation=yes
 EOF

 case "$swan_ver" in
-  3.2[35679]|3.3[12])
+  3.2[35679]|3.3[12]|4.1)
    if [ -n "$dns_server_2" ]; then
 cat >> /etc/ipsec.d/ikev2.conf <<EOF
  modecfgdns="$dns_servers"
--- a/vpnsetup.sh
+++ b/vpnsetup.sh
@ -182,7 +182,7 @@ apt-get -yq install fail2ban || exiterr2

 bigecho "Compiling and installing Libreswan..."

-SWAN_VER=3.32
+SWAN_VER=4.1
 swan_file="libreswan-$SWAN_VER.tar.gz"
 swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz"
 swan_url2="https://download.libreswan.org/$swan_file"
@ -200,6 +200,8 @@ USE_DH31 = false
 USE_NSS_AVA_COPY=true
 USE_NSS_IPSEC_PROFILE=false
 USE_GLIBC_KERN_FLIP_HEADERS=true
+USE_NSS_KDF=false
+FINALNSSDIR=/etc/ipsec.d
 EOF
 if ! grep -qs IFLA_XFRM_LINK /usr/include/linux/if_link.h; then
  echo "USE_XFRM_INTERFACE_IFLA_HEADER=true" >> Makefile.inc.local
@ -276,7 +278,7 @@ conn xauth-psk
  rightmodecfgclient=yes
  modecfgpull=yes
  xauthby=file
-  ike-frag=yes
+  fragmentation=yes
  cisco-unity=yes
  also=shared

--- a/vpnsetup_centos.sh
+++ b/vpnsetup_centos.sh
@ -185,7 +185,7 @@ yum "$REPO1" -y install fail2ban || exiterr2

 bigecho "Compiling and installing Libreswan..."

-SWAN_VER=3.32
+SWAN_VER=4.1
 swan_file="libreswan-$SWAN_VER.tar.gz"
 swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz"
 swan_url2="https://download.libreswan.org/$swan_file"
@ -203,6 +203,8 @@ USE_DH31 = false
 USE_NSS_AVA_COPY=true
 USE_NSS_IPSEC_PROFILE=false
 USE_GLIBC_KERN_FLIP_HEADERS=true
+USE_NSS_KDF=false
+FINALNSSDIR=/etc/ipsec.d
 EOF
 if ! grep -qs IFLA_XFRM_LINK /usr/include/linux/if_link.h; then
  echo "USE_XFRM_INTERFACE_IFLA_HEADER=true" >> Makefile.inc.local
@ -276,7 +278,7 @@ conn xauth-psk
  rightmodecfgclient=yes
  modecfgpull=yes
  xauthby=file
-  ike-frag=yes
+  fragmentation=yes
  cisco-unity=yes
  also=shared

@ -487,9 +489,9 @@ fi

 bigecho "Starting services..."

-restorecon /etc/ipsec.d/*db >/dev/null
-restorecon /usr/local/sbin -Rv >/dev/null
-restorecon /usr/local/libexec/ipsec -Rv >/dev/null
+restorecon /etc/ipsec.d/*db 2>/dev/null
+restorecon /usr/local/sbin -Rv 2>/dev/null
+restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null

 sysctl -e -q -p