
Improve IKEv2 setup

- Use /etc/ipsec.d/ikev2.conf for IKEv2 configuration
- Allow running from inside a container, so that it can be used with:
  https://github.com/hwdsl2/docker-ipsec-vpn-server
hwdsl2 2020-05-30 23:09:32 -05:00
parent 5894ea2e1f
commit e1e1b67afd
3 changed files with 80 additions and 34 deletions


@ -37,7 +37,7 @@ ipsec_ver=$(/usr/local/sbin/ipsec --version 2>/dev/null)
swan_ver=$(printf '%s' "$ipsec_ver" | sed -e 's/Linux //' -e 's/Libreswan //' -e 's/ (netkey) on .*//') swan_ver=$(printf '%s' "$ipsec_ver" | sed -e 's/Linux //' -e 's/Libreswan //' -e 's/ (netkey) on .*//')
if ( ! grep -qs "hwdsl2 VPN script" /etc/sysctl.conf && ! grep -qs "hwdsl2" /opt/src/run.sh ) \ if ( ! grep -qs "hwdsl2 VPN script" /etc/sysctl.conf && ! grep -qs "hwdsl2" /opt/src/run.sh ) \
|| ! printf '%s' "$ipsec_ver" | grep -q "Libreswan" \ || ! printf '%s' "$ipsec_ver" | grep -q "Libreswan" \
|| [ ! -f "/etc/ppp/chap-secrets" ] || [ ! -f "/etc/ipsec.d/passwd" ]; then || [ ! -f /etc/ppp/chap-secrets ] || [ ! -f /etc/ipsec.d/passwd ]; then
cat 1>&2 <<'EOF' cat 1>&2 <<'EOF'
Error: Your must first set up the IPsec VPN server before setting up IKEv2. Error: Your must first set up the IPsec VPN server before setting up IKEv2.
See: https://github.com/hwdsl2/setup-ipsec-vpn See: https://github.com/hwdsl2/setup-ipsec-vpn
@ -45,6 +45,11 @@ EOF
exit 1 exit 1
fi fi
in_container=0
if grep -qs "hwdsl2" /opt/src/run.sh; then
in_container=1
fi
case "$swan_ver" in case "$swan_ver" in
3.19|3.2[01235679]|3.3[12]) 3.19|3.2[01235679]|3.3[12])
/bin/true /bin/true
@ -61,7 +66,7 @@ EOF
;; ;;
esac esac
if grep -qs "conn ikev2-cp" /etc/ipsec.conf; then if grep -qs "conn ikev2-cp" /etc/ipsec.conf || [ -f /etc/ipsec.d/ikev2.conf ]; then
cat 1>&2 <<'EOF' cat 1>&2 <<'EOF'
Error: It looks like IKEv2 has already been set up on this server. Error: It looks like IKEv2 has already been set up on this server.
To generate certificates for additional VPN clients, see step 4 in section To generate certificates for additional VPN clients, see step 4 in section
@ -130,31 +135,50 @@ if uname -m | grep -qi '^arm'; then
fi fi
if [ "$mobike_support" = "1" ]; then if [ "$mobike_support" = "1" ]; then
os_type="$(lsb_release -si 2>/dev/null)" if [ "$in_container" = "0" ]; then
if [ -z "$os_type" ]; then os_type="$(lsb_release -si 2>/dev/null)"
[ -f /etc/os-release ] && os_type="$(. /etc/os-release && printf '%s' "$ID")" if [ -z "$os_type" ]; then
[ -f /etc/lsb-release ] && os_type="$(. /etc/lsb-release && printf '%s' "$DISTRIB_ID")" [ -f /etc/os-release ] && os_type="$(. /etc/os-release && printf '%s' "$ID")"
[ "$os_type" = "ubuntu" ] && os_type=Ubuntu [ -f /etc/lsb-release ] && os_type="$(. /etc/lsb-release && printf '%s' "$DISTRIB_ID")"
fi [ "$os_type" = "ubuntu" ] && os_type=Ubuntu
[ -z "$os_type" ] && [ -f /etc/redhat-release ] && os_type=CentOS/RHEL fi
if [ -z "$os_type" ] || [ "$os_type" = "Ubuntu" ]; then [ -z "$os_type" ] && [ -f /etc/redhat-release ] && os_type=CentOS/RHEL
mobike_support=0 if [ -z "$os_type" ] || [ "$os_type" = "Ubuntu" ]; then
mobike_support=0
fi
else
echo
echo "NOTE: DO NOT enable MOBIKE support, if your Docker host runs Ubuntu Linux."
fi fi
fi fi
mobike_enable=0 mobike_enable=0
if [ "$mobike_support" = "1" ]; then if [ "$mobike_support" = "1" ]; then
echo if [ "$in_container" = "0" ]; then
printf "Do you want to enable MOBIKE support? [Y/n] " echo
read -r response printf "Do you want to enable MOBIKE support? [Y/n] "
case $response in read -r response
[yY][eE][sS]|[yY]|'') case $response in
mobike_enable=1 [yY][eE][sS]|[yY]|'')
;; mobike_enable=1
*) ;;
mobike_enable=0 *)
;; mobike_enable=0
esac ;;
esac
else
echo
printf "Do you want to enable MOBIKE support? [y/N] "
read -r response
case $response in
[yY][eE][sS]|[yY])
mobike_enable=1
;;
*)
mobike_enable=0
;;
esac
fi
fi fi
cat <<EOF cat <<EOF
@ -193,9 +217,14 @@ case $response in
;; ;;
esac esac
bigecho "Adding a new IKEv2 connection to /etc/ipsec.conf..." bigecho "Adding a new IKEv2 connection..."
cat >> /etc/ipsec.conf <<EOF if ! grep -qs '^include /etc/ipsec\.d/\*\.conf$' /etc/ipsec.conf; then
echo >> /etc/ipsec.conf
echo 'include /etc/ipsec.d/*.conf' >> /etc/ipsec.conf
fi
cat > /etc/ipsec.d/ikev2.conf <<EOF
conn ikev2-cp conn ikev2-cp
left=%defaultroute left=%defaultroute
@ -224,18 +253,18 @@ EOF
case "$swan_ver" in case "$swan_ver" in
3.2[35679]|3.3[12]) 3.2[35679]|3.3[12])
cat >> /etc/ipsec.conf <<'EOF' cat >> /etc/ipsec.d/ikev2.conf <<'EOF'
modecfgdns="8.8.8.8 8.8.4.4" modecfgdns="8.8.8.8 8.8.4.4"
encapsulation=yes encapsulation=yes
EOF EOF
if [ "$mobike_enable" = "1" ]; then if [ "$mobike_enable" = "1" ]; then
echo " mobike=yes" >> /etc/ipsec.conf echo " mobike=yes" >> /etc/ipsec.d/ikev2.conf
else else
echo " mobike=no" >> /etc/ipsec.conf echo " mobike=no" >> /etc/ipsec.d/ikev2.conf
fi fi
;; ;;
3.19|3.2[012]) 3.19|3.2[012])
cat >> /etc/ipsec.conf <<'EOF' cat >> /etc/ipsec.d/ikev2.conf <<'EOF'
modecfgdns1=8.8.8.8 modecfgdns1=8.8.8.8
modecfgdns2=8.8.4.4 modecfgdns2=8.8.4.4
encapsulation=yes encapsulation=yes
@ -293,7 +322,11 @@ certutil -z <(head -c 1024 /dev/urandom) \
bigecho "Exporting CA certificate..." bigecho "Exporting CA certificate..."
certutil -L -d sql:/etc/ipsec.d -n "IKEv2 VPN CA" -a -o ~/"vpnca-$SYS_DT.cer" if [ "$in_container" = "0" ]; then
certutil -L -d sql:/etc/ipsec.d -n "IKEv2 VPN CA" -a -o ~/"vpnca-$SYS_DT.cer"
else
certutil -L -d sql:/etc/ipsec.d -n "IKEv2 VPN CA" -a -o "/etc/ipsec.d/vpnca-$SYS_DT.cer"
fi
bigecho "Exporting .p12 file..." bigecho "Exporting .p12 file..."
@ -304,7 +337,11 @@ When importing into an iOS or macOS device, this password cannot be empty.
EOF EOF
pk12util -d sql:/etc/ipsec.d -n "vpnclient" -o ~/"vpnclient-$SYS_DT.p12" if [ "$in_container" = "0" ]; then
pk12util -d sql:/etc/ipsec.d -n "vpnclient" -o ~/"vpnclient-$SYS_DT.p12"
else
pk12util -d sql:/etc/ipsec.d -n "vpnclient" -o "/etc/ipsec.d/vpnclient-$SYS_DT.p12"
fi
bigecho "Restarting IPsec service..." bigecho "Restarting IPsec service..."
@ -313,7 +350,7 @@ service ipsec restart
cat <<EOF cat <<EOF
======================================================= =============================================================
IKEv2 VPN setup is now complete! IKEv2 VPN setup is now complete!
@ -321,15 +358,20 @@ Client configuration is available at:
EOF EOF
printf '%s\n' ~/"vpnclient-$SYS_DT.p12" if [ "$in_container" = "0" ]; then
printf '%s\n' ~/"vpnca-$SYS_DT.cer (for iOS clients)" printf '%s\n' ~/"vpnclient-$SYS_DT.p12"
printf '%s\n' ~/"vpnca-$SYS_DT.cer (for iOS clients)"
else
printf '%s\n' "/etc/ipsec.d/vpnclient-$SYS_DT.p12"
printf '%s\n' "/etc/ipsec.d/vpnca-$SYS_DT.cer (for iOS clients)"
fi
cat <<EOF cat <<EOF
Next steps: Configure IKEv2 VPN clients. See: Next steps: Configure IKEv2 VPN clients. See:
https://git.io/ikev2clients https://git.io/ikev2clients
======================================================= =============================================================
EOF EOF
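Review bot: In the pk12util hunk (@ -304,7 +337,11) the container branch writes the client PKCS#12 bundle, which carries the client's private key, to `/etc/ipsec.d/vpnclient-$SYS_DT.p12` with whatever mode the process umask yields, and the heredoc closed at the top of that hunk says the export password only has to be non-empty for iOS/macOS imports. A `chmod 600 "/etc/ipsec.d/vpnclient-$SYS_DT.p12"` after the if/else (the `~/` path in the other branch would benefit equally) keeps the bundle readable by root only, which matters more at the new location because /etc/ipsec.d is also the NSS database directory and, for the docker image named in the description, presumably a volume shared with the host — confirm against that image. The heredoc ended by the `EOF` at the start of the hunk begins outside it.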


@ -270,6 +270,8 @@ conn xauth-psk
ike-frag=yes ike-frag=yes
cisco-unity=yes cisco-unity=yes
also=shared also=shared
include /etc/ipsec.d/*.conf
EOF EOF
if uname -m | grep -qi '^arm'; then if uname -m | grep -qi '^arm'; then
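Review bot: The new `include /etc/ipsec.d/*.conf` line is emitted inside the `conn xauth-psk` heredoc directly after `also=shared`, and the identical hunk appears in the third file (@ -273,6 +273,8); if the line carries the conn body's leading indent (this rendering drops leading whitespace, so that cannot be confirmed here), the anchored check `grep -qs '^include /etc/ipsec\.d/\*\.conf$' /etc/ipsec.conf` added in the first file will not match it and the IKEv2 setup will append a second include. Writing the line unindented after the conn section, as a top-level directive, keeps the three files consistent and avoids the duplicate. Since every `*.conf` placed in /etc/ipsec.d is now parsed by the daemon, a comment above the heredoc such as `# drop-in connections (e.g. IKEv2) are loaded from /etc/ipsec.d/*.conf` would make that explicit. The heredoc closed by `EOF` here starts outside the hunk.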


@ -273,6 +273,8 @@ conn xauth-psk
ike-frag=yes ike-frag=yes
cisco-unity=yes cisco-unity=yes
also=shared also=shared
include /etc/ipsec.d/*.conf
EOF EOF
# Specify IPsec PSK # Specify IPsec PSK