Improve version check

- Improve Libreswan version check in upgrade scripts, including
  checking for supported versions and showing upgrade/downgrade info
- Clean up notes

extras/vpnupgrade.sh

@@ -47,11 +47,15 @@ if [ -z "$SWAN_VER" ]; then
   exiterr "Libreswan version 'SWAN_VER' not specified."
 fi
 
+swan_ver_is_supported=0
 case "$SWAN_VER" in
-  3.24|3.2[6-9])
+  3.19|3.2[01235])
-    exiterr "Libreswan version $SWAN_VER is not available."
+    swan_ver_is_supported=1
     ;;
 esac
+if [ "$swan_ver_is_supported" != "1" ]; then
+  exiterr "Libreswan version $SWAN_VER is not supported."
+fi
 
 ipsec_ver="$(/usr/local/sbin/ipsec --version 2>/dev/null)"
 if ! printf '%s' "$ipsec_ver" | grep -q "Libreswan"; then
@@ -75,12 +79,23 @@ if printf '%s' "$ipsec_ver" | grep -qF "$SWAN_VER"; then
   esac
 fi
 
-is_downgrade_to_322=0
+is_upgrade_to_323_or_newer=0
-if [ "$SWAN_VER" = "3.22" ]; then
+case "$SWAN_VER" in
-  if printf '%s' "$ipsec_ver" | grep -qF -e "3.23" -e "3.25"; then
+  3.2[35])
-    is_downgrade_to_322=1
+    if ! printf '%s' "$ipsec_ver" | grep -qF -e "3.23" -e "3.25"; then
-  fi
+      is_upgrade_to_323_or_newer=1
-fi
+    fi
+    ;;
+esac
+
+is_downgrade_to_322_or_older=0
+case "$SWAN_VER" in
+  3.19|3.2[012])
+    if printf '%s' "$ipsec_ver" | grep -qF -e "3.23" -e "3.25"; then
+      is_downgrade_to_322_or_older=1
+    fi
+    ;;
+esac
 
 clear
 
@@ -95,34 +110,28 @@ Version to be installed: Libreswan $SWAN_VER
 
 EOF
 
-if [ "$SWAN_VER" = "3.23" ] || [ "$SWAN_VER" = "3.25" ]; then
+case "$SWAN_VER" in
+  3.2[35])
 cat <<'EOF'
 WARNING: Libreswan 3.23 and 3.25 have an issue with connecting multiple
-         IPsec/XAuth VPN clients from behind the same NAT (e.g. home router).
+  IPsec/XAuth VPN clients from behind the same NAT (e.g. home router).
-         DO NOT upgrade to 3.23/3.25 if your use cases include the above.
+  DO NOT upgrade to 3.23/3.25 if your use cases include the above.
 
 EOF
-fi
+    ;;
+esac
 
 cat <<'EOF'
 NOTE: Libreswan versions 3.19 and newer require some configuration changes.
-      This script will make the following changes to your /etc/ipsec.conf:
+  This script will make the following updates to your /etc/ipsec.conf:
 
-      Replace this line:
+  1. Replace "auth=esp" with "phase2=esp"
-          auth=esp
+  2. Replace "forceencaps=yes" with "encapsulation=yes"
-      with the following:
+  3. Consolidate VPN ciphers for "ike=" and "phase2alg=",
-          phase2=esp
+     re-add "MODP1024" to the list of allowed "ike=" ciphers,
+     which was removed from the defaults in Libreswan 3.19.
 
-      Replace this line:
+  Your other VPN configuration files will not be modified.
-          forceencaps=yes
-      with the following:
-          encapsulation=yes
-
-      Consolidate VPN ciphers for "ike=" and "phase2alg=".
-      Re-add "MODP1024" to the list of allowed "ike=" ciphers,
-      which was removed from the defaults in Libreswan 3.19.
-
-      Your other VPN configuration files will not be modified.
 
 EOF
 
@@ -186,7 +195,7 @@ if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then
   exiterr "Libreswan $SWAN_VER failed to build."
 fi
 
-# Update ipsec.conf for Libreswan 3.19 and newer
+# Update ipsec.conf
 IKE_NEW="  ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024"
 PHASE2_NEW="  phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512"
 if uname -m | grep -qi '^arm'; then
@@ -206,28 +215,36 @@ echo
 echo "Libreswan $SWAN_VER was installed successfully! "
 echo
 
-case "$SWAN_VER" in
+if [ "$is_upgrade_to_323_or_newer" = "1" ]; then
-  3.2[3-9])
 cat <<'EOF'
-NOTE: Users upgrading to Libreswan 3.23 or newer should edit "/etc/ipsec.conf" and replace these two lines:
+IMPORTANT: Users upgrading to Libreswan 3.23 or newer must edit
-          modecfgdns1=DNS_SERVER_1
+  /etc/ipsec.conf and replace these two lines:
-          modecfgdns2=DNS_SERVER_2
+
-      with a single line like this:
+    modecfgdns1=DNS_SERVER_1
-          modecfgdns="DNS_SERVER_1, DNS_SERVER_2"
+    modecfgdns2=DNS_SERVER_2
-      Then run "service ipsec restart".
+
+  with a single line like this:
+
+    modecfgdns="DNS_SERVER_1, DNS_SERVER_2"
+
+  Then run "service ipsec restart".
 
 EOF
-    ;;
+fi
-esac
 
-if [ "$is_downgrade_to_322" = "1" ]; then
+if [ "$is_downgrade_to_322_or_older" = "1" ]; then
 cat <<'EOF'
-NOTE: Users downgrading to Libreswan 3.22 should edit "/etc/ipsec.conf" and replace this line:
+IMPORTANT: Users downgrading to Libreswan 3.22 or older must edit
-          modecfgdns="DNS_SERVER_1, DNS_SERVER_2"
+  /etc/ipsec.conf and replace this line:
-      with two lines like this:
+
-          modecfgdns1=DNS_SERVER_1
+    modecfgdns="DNS_SERVER_1, DNS_SERVER_2"
-          modecfgdns2=DNS_SERVER_2
+
-      Then run "service ipsec restart".
+  with two lines like this:
+
+    modecfgdns1=DNS_SERVER_1
+    modecfgdns2=DNS_SERVER_2
+
+  Then run "service ipsec restart".
 
 EOF
 fi

extras/vpnupgrade_centos.sh

@@ -38,11 +38,15 @@ if [ -z "$SWAN_VER" ]; then
   exiterr "Libreswan version 'SWAN_VER' not specified."
 fi
 
+swan_ver_is_supported=0
 case "$SWAN_VER" in
-  3.24|3.2[6-9])
+  3.19|3.2[01235])
-    exiterr "Libreswan version $SWAN_VER is not available."
+    swan_ver_is_supported=1
     ;;
 esac
+if [ "$swan_ver_is_supported" != "1" ]; then
+  exiterr "Libreswan version $SWAN_VER is not supported."
+fi
 
 ipsec_ver="$(/usr/local/sbin/ipsec --version 2>/dev/null)"
 if ! printf '%s' "$ipsec_ver" | grep -q "Libreswan"; then
@@ -66,12 +70,23 @@ if printf '%s' "$ipsec_ver" | grep -qF "$SWAN_VER"; then
   esac
 fi
 
-is_downgrade_to_322=0
+is_upgrade_to_323_or_newer=0
-if [ "$SWAN_VER" = "3.22" ]; then
+case "$SWAN_VER" in
-  if printf '%s' "$ipsec_ver" | grep -qF -e "3.23" -e "3.25"; then
+  3.2[35])
-    is_downgrade_to_322=1
+    if ! printf '%s' "$ipsec_ver" | grep -qF -e "3.23" -e "3.25"; then
-  fi
+      is_upgrade_to_323_or_newer=1
-fi
+    fi
+    ;;
+esac
+
+is_downgrade_to_322_or_older=0
+case "$SWAN_VER" in
+  3.19|3.2[012])
+    if printf '%s' "$ipsec_ver" | grep -qF -e "3.23" -e "3.25"; then
+      is_downgrade_to_322_or_older=1
+    fi
+    ;;
+esac
 
 clear
 
@@ -86,34 +101,28 @@ Version to be installed: Libreswan $SWAN_VER
 
 EOF
 
-if [ "$SWAN_VER" = "3.23" ] || [ "$SWAN_VER" = "3.25" ]; then
+case "$SWAN_VER" in
+  3.2[35])
 cat <<'EOF'
 WARNING: Libreswan 3.23 and 3.25 have an issue with connecting multiple
-         IPsec/XAuth VPN clients from behind the same NAT (e.g. home router).
+  IPsec/XAuth VPN clients from behind the same NAT (e.g. home router).
-         DO NOT upgrade to 3.23/3.25 if your use cases include the above.
+  DO NOT upgrade to 3.23/3.25 if your use cases include the above.
 
 EOF
-fi
+    ;;
+esac
 
 cat <<'EOF'
 NOTE: Libreswan versions 3.19 and newer require some configuration changes.
-      This script will make the following changes to your /etc/ipsec.conf:
+  This script will make the following updates to your /etc/ipsec.conf:
 
-      Replace this line:
+  1. Replace "auth=esp" with "phase2=esp"
-          auth=esp
+  2. Replace "forceencaps=yes" with "encapsulation=yes"
-      with the following:
+  3. Consolidate VPN ciphers for "ike=" and "phase2alg=",
-          phase2=esp
+     re-add "MODP1024" to the list of allowed "ike=" ciphers,
+     which was removed from the defaults in Libreswan 3.19.
 
-      Replace this line:
+  Your other VPN configuration files will not be modified.
-          forceencaps=yes
-      with the following:
-          encapsulation=yes
-
-      Consolidate VPN ciphers for "ike=" and "phase2alg=".
-      Re-add "MODP1024" to the list of allowed "ike=" ciphers,
-      which was removed from the defaults in Libreswan 3.19.
-
-      Your other VPN configuration files will not be modified.
 
 EOF
 
@@ -190,7 +199,7 @@ restorecon /etc/ipsec.d/*db 2>/dev/null
 restorecon /usr/local/sbin -Rv 2>/dev/null
 restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null
 
-# Update ipsec.conf for Libreswan 3.19 and newer
+# Update ipsec.conf
 IKE_NEW="  ike=3des-sha1,3des-sha2,aes-sha1,aes-sha1;modp1024,aes-sha2,aes-sha2;modp1024"
 PHASE2_NEW="  phase2alg=3des-sha1,3des-sha2,aes-sha1,aes-sha2,aes256-sha2_512"
 sed -i".old-$(date +%F-%T)" \
@@ -207,28 +216,36 @@ echo
 echo "Libreswan $SWAN_VER was installed successfully! "
 echo
 
-case "$SWAN_VER" in
+if [ "$is_upgrade_to_323_or_newer" = "1" ]; then
-  3.2[3-9])
 cat <<'EOF'
-NOTE: Users upgrading to Libreswan 3.23 or newer should edit "/etc/ipsec.conf" and replace these two lines:
+IMPORTANT: Users upgrading to Libreswan 3.23 or newer must edit
-          modecfgdns1=DNS_SERVER_1
+  /etc/ipsec.conf and replace these two lines:
-          modecfgdns2=DNS_SERVER_2
+
-      with a single line like this:
+    modecfgdns1=DNS_SERVER_1
-          modecfgdns="DNS_SERVER_1, DNS_SERVER_2"
+    modecfgdns2=DNS_SERVER_2
-      Then run "service ipsec restart".
+
+  with a single line like this:
+
+    modecfgdns="DNS_SERVER_1, DNS_SERVER_2"
+
+  Then run "service ipsec restart".
 
 EOF
-    ;;
+fi
-esac
 
-if [ "$is_downgrade_to_322" = "1" ]; then
+if [ "$is_downgrade_to_322_or_older" = "1" ]; then
 cat <<'EOF'
-NOTE: Users downgrading to Libreswan 3.22 should edit "/etc/ipsec.conf" and replace this line:
+IMPORTANT: Users downgrading to Libreswan 3.22 or older must edit
-          modecfgdns="DNS_SERVER_1, DNS_SERVER_2"
+  /etc/ipsec.conf and replace this line:
-      with two lines like this:
+
-          modecfgdns1=DNS_SERVER_1
+    modecfgdns="DNS_SERVER_1, DNS_SERVER_2"
-          modecfgdns2=DNS_SERVER_2
+
-      Then run "service ipsec restart".
+  with two lines like this:
+
+    modecfgdns1=DNS_SERVER_1
+    modecfgdns2=DNS_SERVER_2
+
+  Then run "service ipsec restart".
 
 EOF
 fi