Update IKEv2 script
- Cleanup
This commit is contained in:
parent
7c0d08442e
commit
f072e8312a
@ -38,6 +38,13 @@ check_root() {
|
|||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
check_container() {
|
||||||
|
in_container=0
|
||||||
|
if grep -qs "hwdsl2" /opt/src/run.sh; then
|
||||||
|
in_container=1
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
check_os() {
|
check_os() {
|
||||||
os_type=centos
|
os_type=centos
|
||||||
os_arch=$(uname -m | tr -dc 'A-Za-z0-9_-')
|
os_arch=$(uname -m | tr -dc 'A-Za-z0-9_-')
|
||||||
@ -91,6 +98,37 @@ EOF
|
|||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
check_libreswan() {
|
||||||
|
ipsec_ver=$(ipsec --version 2>/dev/null)
|
||||||
|
if ( ! grep -qs "hwdsl2 VPN script" /etc/sysctl.conf && ! grep -qs "hwdsl2" /opt/src/run.sh ) \
|
||||||
|
|| ! printf '%s' "$ipsec_ver" | grep -q "Libreswan"; then
|
||||||
|
cat 1>&2 <<'EOF'
|
||||||
|
Error: Your must first set up the IPsec VPN server before setting up IKEv2.
|
||||||
|
See: https://github.com/hwdsl2/setup-ipsec-vpn
|
||||||
|
EOF
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
check_swan_ver() {
|
||||||
|
swan_ver=$(printf '%s' "$ipsec_ver" | sed -e 's/.*Libreswan U\?//' -e 's/\( (\|\/K\).*//')
|
||||||
|
if ! printf '%s\n%s' "3.23" "$swan_ver" | sort -C -V; then
|
||||||
|
cat 1>&2 <<EOF
|
||||||
|
Error: Libreswan version '$swan_ver' is not supported.
|
||||||
|
This script requires Libreswan 3.23 or newer.
|
||||||
|
To update Libreswan, run:
|
||||||
|
wget https://git.io/vpnupgrade -qO vpnup.sh && sudo sh vpnup.sh
|
||||||
|
EOF
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
check_utils_exist() {
|
||||||
|
command -v certutil >/dev/null 2>&1 || exiterr "'certutil' not found. Abort."
|
||||||
|
command -v crlutil >/dev/null 2>&1 || exiterr "'crlutil' not found. Abort."
|
||||||
|
command -v pk12util >/dev/null 2>&1 || exiterr "'pk12util' not found. Abort."
|
||||||
|
}
|
||||||
|
|
||||||
abort_and_exit() {
|
abort_and_exit() {
|
||||||
echo "Abort. No changes were made." >&2
|
echo "Abort. No changes were made." >&2
|
||||||
exit 1
|
exit 1
|
||||||
@ -109,48 +147,10 @@ confirm_or_abort() {
|
|||||||
esac
|
esac
|
||||||
}
|
}
|
||||||
|
|
||||||
check_libreswan() {
|
|
||||||
ipsec_ver=$(ipsec --version 2>/dev/null)
|
|
||||||
swan_ver=$(printf '%s' "$ipsec_ver" | sed -e 's/.*Libreswan U\?//' -e 's/\( (\|\/K\).*//')
|
|
||||||
if ( ! grep -qs "hwdsl2 VPN script" /etc/sysctl.conf && ! grep -qs "hwdsl2" /opt/src/run.sh ) \
|
|
||||||
|| ! printf '%s' "$ipsec_ver" | grep -q "Libreswan"; then
|
|
||||||
cat 1>&2 <<'EOF'
|
|
||||||
Error: Your must first set up the IPsec VPN server before setting up IKEv2.
|
|
||||||
See: https://github.com/hwdsl2/setup-ipsec-vpn
|
|
||||||
EOF
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
check_swan_ver() {
|
|
||||||
if ! printf '%s\n%s' "3.23" "$swan_ver" | sort -C -V; then
|
|
||||||
cat 1>&2 <<EOF
|
|
||||||
Error: Libreswan version '$swan_ver' is not supported.
|
|
||||||
This script requires Libreswan 3.23 or newer.
|
|
||||||
To update Libreswan, run:
|
|
||||||
wget https://git.io/vpnupgrade -qO vpnup.sh && sudo sh vpnup.sh
|
|
||||||
EOF
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
check_utils_exist() {
|
|
||||||
command -v certutil >/dev/null 2>&1 || exiterr "'certutil' not found. Abort."
|
|
||||||
command -v crlutil >/dev/null 2>&1 || exiterr "'crlutil' not found. Abort."
|
|
||||||
command -v pk12util >/dev/null 2>&1 || exiterr "'pk12util' not found. Abort."
|
|
||||||
}
|
|
||||||
|
|
||||||
check_container() {
|
|
||||||
in_container=0
|
|
||||||
if grep -qs "hwdsl2" /opt/src/run.sh; then
|
|
||||||
in_container=1
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
show_header() {
|
show_header() {
|
||||||
cat <<'EOF'
|
cat <<'EOF'
|
||||||
|
|
||||||
IKEv2 Script Copyright (c) 2020-2022 Lin Song 12 Feb 2022
|
IKEv2 Script Copyright (c) 2020-2022 Lin Song 15 Feb 2022
|
||||||
|
|
||||||
EOF
|
EOF
|
||||||
}
|
}
|
||||||
@ -179,7 +179,7 @@ EOF
|
|||||||
}
|
}
|
||||||
|
|
||||||
check_ikev2_exists() {
|
check_ikev2_exists() {
|
||||||
grep -qs "conn ikev2-cp" /etc/ipsec.conf || [ -f /etc/ipsec.d/ikev2.conf ]
|
grep -qs "conn ikev2-cp" "$IPSEC_CONF" || [ -f "$IKEV2_CONF" ]
|
||||||
}
|
}
|
||||||
|
|
||||||
check_client_name() {
|
check_client_name() {
|
||||||
@ -188,72 +188,61 @@ check_client_name() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
check_cert_exists() {
|
check_cert_exists() {
|
||||||
certutil -L -d sql:/etc/ipsec.d -n "$1" >/dev/null 2>&1
|
certutil -L -d "$CERT_DB" -n "$1" >/dev/null 2>&1
|
||||||
}
|
}
|
||||||
|
|
||||||
check_cert_exists_and_exit() {
|
check_cert_exists_and_exit() {
|
||||||
if certutil -L -d sql:/etc/ipsec.d -n "$1" >/dev/null 2>&1; then
|
if certutil -L -d "$CERT_DB" -n "$1" >/dev/null 2>&1; then
|
||||||
echo "Error: Certificate '$1' already exists." >&2
|
echo "Error: Certificate '$1' already exists." >&2
|
||||||
abort_and_exit
|
abort_and_exit
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
check_cert_status() {
|
check_cert_status() {
|
||||||
cert_status=$(certutil -V -u C -d sql:/etc/ipsec.d -n "$1")
|
cert_status=$(certutil -V -u C -d "$CERT_DB" -n "$1")
|
||||||
}
|
}
|
||||||
|
|
||||||
check_arguments() {
|
check_arguments() {
|
||||||
if [ "$use_defaults" = "1" ]; then
|
if [ "$use_defaults" = "1" ] && check_ikev2_exists; then
|
||||||
if check_ikev2_exists; then
|
|
||||||
echo "Warning: Ignoring parameter '--auto'. Use '-h' for usage information." >&2
|
echo "Warning: Ignoring parameter '--auto'. Use '-h' for usage information." >&2
|
||||||
fi
|
fi
|
||||||
fi
|
|
||||||
if [ "$((add_client + export_client + list_clients + revoke_client))" -gt 1 ]; then
|
if [ "$((add_client + export_client + list_clients + revoke_client))" -gt 1 ]; then
|
||||||
show_usage "Invalid parameters. Specify only one of '--addclient', '--exportclient', '--listclients' or '--revokeclient'."
|
show_usage "Invalid parameters. Specify only one of '--addclient', '--exportclient', '--listclients' or '--revokeclient'."
|
||||||
fi
|
fi
|
||||||
|
if [ "$remove_ikev2" = "1" ]; then
|
||||||
|
if [ "$((add_client + export_client + list_clients + revoke_client + use_defaults))" -gt 0 ]; then
|
||||||
|
show_usage "Invalid parameters. '--removeikev2' cannot be specified with other parameters."
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
if ! check_ikev2_exists; then
|
||||||
|
[ "$add_client" = "1" ] && exiterr "You must first set up IKEv2 before adding a client."
|
||||||
|
[ "$export_client" = "1" ] && exiterr "You must first set up IKEv2 before exporting a client."
|
||||||
|
[ "$list_clients" = "1" ] && exiterr "You must first set up IKEv2 before listing clients."
|
||||||
|
[ "$revoke_client" = "1" ] && exiterr "You must first set up IKEv2 before revoking a client certificate."
|
||||||
|
[ "$remove_ikev2" = "1" ] && exiterr "Cannot remove IKEv2 because it has not been set up on this server."
|
||||||
|
fi
|
||||||
if [ "$add_client" = "1" ]; then
|
if [ "$add_client" = "1" ]; then
|
||||||
check_ikev2_exists || exiterr "You must first set up IKEv2 before adding a client."
|
|
||||||
if [ -z "$client_name" ] || ! check_client_name "$client_name"; then
|
if [ -z "$client_name" ] || ! check_client_name "$client_name"; then
|
||||||
exiterr "Invalid client name. Use one word only, no special characters except '-' and '_'."
|
exiterr "Invalid client name. Use one word only, no special characters except '-' and '_'."
|
||||||
elif check_cert_exists "$client_name"; then
|
elif check_cert_exists "$client_name"; then
|
||||||
exiterr "Invalid client name. Client '$client_name' already exists."
|
exiterr "Invalid client name. Client '$client_name' already exists."
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
if [ "$export_client" = "1" ]; then
|
if [ "$export_client" = "1" ] || [ "$revoke_client" = "1" ]; then
|
||||||
check_ikev2_exists || exiterr "You must first set up IKEv2 before exporting a client."
|
|
||||||
get_server_address
|
get_server_address
|
||||||
if [ -z "$client_name" ] || ! check_client_name "$client_name" \
|
if [ -z "$client_name" ] || ! check_client_name "$client_name" \
|
||||||
|| [ "$client_name" = "IKEv2 VPN CA" ] || [ "$client_name" = "$server_addr" ] \
|
|| [ "$client_name" = "$CA_NAME" ] || [ "$client_name" = "$server_addr" ] \
|
||||||
|| ! check_cert_exists "$client_name"; then
|
|| ! check_cert_exists "$client_name"; then
|
||||||
exiterr "Invalid client name, or client does not exist."
|
exiterr "Invalid client name, or client does not exist."
|
||||||
fi
|
fi
|
||||||
if ! check_cert_status "$client_name"; then
|
if ! check_cert_status "$client_name"; then
|
||||||
printf '%s' "Error: Certificate '$client_name' " >&2
|
printf '%s' "Error: Certificate '$client_name' " >&2
|
||||||
if printf '%s' "$cert_status" | grep -q "revoked"; then
|
if printf '%s' "$cert_status" | grep -q "revoked"; then
|
||||||
echo "has been revoked." >&2
|
|
||||||
elif printf '%s' "$cert_status" | grep -q "expired"; then
|
|
||||||
echo "has expired." >&2
|
|
||||||
else
|
|
||||||
echo "is invalid." >&2
|
|
||||||
fi
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
if [ "$list_clients" = "1" ]; then
|
|
||||||
check_ikev2_exists || exiterr "You must first set up IKEv2 before listing clients."
|
|
||||||
fi
|
|
||||||
if [ "$revoke_client" = "1" ]; then
|
if [ "$revoke_client" = "1" ]; then
|
||||||
check_ikev2_exists || exiterr "You must first set up IKEv2 before revoking a client certificate."
|
|
||||||
get_server_address
|
|
||||||
if [ -z "$client_name" ] || ! check_client_name "$client_name" \
|
|
||||||
|| [ "$client_name" = "IKEv2 VPN CA" ] || [ "$client_name" = "$server_addr" ] \
|
|
||||||
|| ! check_cert_exists "$client_name"; then
|
|
||||||
exiterr "Invalid client name, or client does not exist."
|
|
||||||
fi
|
|
||||||
if ! check_cert_status "$client_name"; then
|
|
||||||
printf '%s' "Error: Certificate '$client_name' " >&2
|
|
||||||
if printf '%s' "$cert_status" | grep -q "revoked"; then
|
|
||||||
echo "has already been revoked." >&2
|
echo "has already been revoked." >&2
|
||||||
|
else
|
||||||
|
echo "has been revoked." >&2
|
||||||
|
fi
|
||||||
elif printf '%s' "$cert_status" | grep -q "expired"; then
|
elif printf '%s' "$cert_status" | grep -q "expired"; then
|
||||||
echo "has expired." >&2
|
echo "has expired." >&2
|
||||||
else
|
else
|
||||||
@ -262,12 +251,6 @@ check_arguments() {
|
|||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
if [ "$remove_ikev2" = "1" ]; then
|
|
||||||
check_ikev2_exists || exiterr "Cannot remove IKEv2 because it has not been set up on this server."
|
|
||||||
if [ "$((add_client + export_client + list_clients + revoke_client + use_defaults))" -gt 0 ]; then
|
|
||||||
show_usage "Invalid parameters. '--removeikev2' cannot be specified with other parameters."
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
}
|
}
|
||||||
|
|
||||||
check_server_dns_name() {
|
check_server_dns_name() {
|
||||||
@ -283,9 +266,50 @@ check_custom_dns() {
|
|||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
check_and_set_client_name() {
|
||||||
|
if [ -n "$VPN_CLIENT_NAME" ]; then
|
||||||
|
client_name="$VPN_CLIENT_NAME"
|
||||||
|
check_client_name "$client_name" \
|
||||||
|
|| exiterr "Invalid client name. Use one word only, no special characters except '-' and '_'."
|
||||||
|
else
|
||||||
|
client_name=vpnclient
|
||||||
|
fi
|
||||||
|
check_cert_exists "$client_name" && exiterr "Client '$client_name' already exists."
|
||||||
|
}
|
||||||
|
|
||||||
|
set_server_address() {
|
||||||
|
if [ -n "$VPN_DNS_NAME" ]; then
|
||||||
|
use_dns_name=1
|
||||||
|
server_addr="$VPN_DNS_NAME"
|
||||||
|
else
|
||||||
|
use_dns_name=0
|
||||||
|
get_server_ip
|
||||||
|
check_ip "$public_ip" || exiterr "Cannot detect this server's public IP."
|
||||||
|
server_addr="$public_ip"
|
||||||
|
fi
|
||||||
|
check_cert_exists_and_exit "$server_addr"
|
||||||
|
}
|
||||||
|
|
||||||
|
set_dns_servers() {
|
||||||
|
if [ -n "$VPN_DNS_SRV1" ] && [ -n "$VPN_DNS_SRV2" ]; then
|
||||||
|
dns_server_1="$VPN_DNS_SRV1"
|
||||||
|
dns_server_2="$VPN_DNS_SRV2"
|
||||||
|
dns_servers="$VPN_DNS_SRV1 $VPN_DNS_SRV2"
|
||||||
|
elif [ -n "$VPN_DNS_SRV1" ]; then
|
||||||
|
dns_server_1="$VPN_DNS_SRV1"
|
||||||
|
dns_server_2=""
|
||||||
|
dns_servers="$VPN_DNS_SRV1"
|
||||||
|
else
|
||||||
|
dns_server_1=8.8.8.8
|
||||||
|
dns_server_2=8.8.4.4
|
||||||
|
dns_servers="8.8.8.8 8.8.4.4"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
show_welcome() {
|
show_welcome() {
|
||||||
cat <<'EOF'
|
cat <<'EOF'
|
||||||
Welcome! Use this script to set up IKEv2 on your IPsec VPN server.
|
Welcome! Use this script to set up IKEv2 on your IPsec VPN server.
|
||||||
|
|
||||||
I need to ask you a few questions before starting setup.
|
I need to ask you a few questions before starting setup.
|
||||||
You can use the default options and just press enter if you are OK with them.
|
You can use the default options and just press enter if you are OK with them.
|
||||||
|
|
||||||
@ -341,15 +365,15 @@ get_server_ip() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
get_server_address() {
|
get_server_address() {
|
||||||
server_addr=$(grep -s "leftcert=" /etc/ipsec.d/ikev2.conf | cut -f2 -d=)
|
server_addr=$(grep -s "leftcert=" "$IKEV2_CONF" | cut -f2 -d=)
|
||||||
[ -z "$server_addr" ] && server_addr=$(grep -s "leftcert=" /etc/ipsec.conf | cut -f2 -d=)
|
[ -z "$server_addr" ] && server_addr=$(grep -s "leftcert=" "$IPSEC_CONF" | cut -f2 -d=)
|
||||||
check_ip "$server_addr" || check_dns_name "$server_addr" || exiterr "Could not get VPN server address."
|
check_ip "$server_addr" || check_dns_name "$server_addr" || exiterr "Could not get VPN server address."
|
||||||
}
|
}
|
||||||
|
|
||||||
list_existing_clients() {
|
list_existing_clients() {
|
||||||
echo "Checking for existing IKEv2 client(s)..."
|
echo "Checking for existing IKEv2 client(s)..."
|
||||||
echo
|
echo
|
||||||
client_names=$(certutil -L -d sql:/etc/ipsec.d | grep -v -e '^$' -e 'IKEv2 VPN CA' -e '\.' | tail -n +3 | cut -f1 -d ' ')
|
client_names=$(certutil -L -d "$CERT_DB" | grep -v -e '^$' -e "$CA_NAME" -e '\.' | tail -n +3 | cut -f1 -d ' ')
|
||||||
max_len=$(printf '%s\n' "$client_names" | wc -L 2>/dev/null)
|
max_len=$(printf '%s\n' "$client_names" | wc -L 2>/dev/null)
|
||||||
[[ $max_len =~ ^[0-9]+$ ]] || max_len=64
|
[[ $max_len =~ ^[0-9]+$ ]] || max_len=64
|
||||||
[ "$max_len" -gt "64" ] && max_len=64
|
[ "$max_len" -gt "64" ] && max_len=64
|
||||||
@ -358,7 +382,7 @@ list_existing_clients() {
|
|||||||
printf "%-${max_len}s %s\n" '------------' '-------------------'
|
printf "%-${max_len}s %s\n" '------------' '-------------------'
|
||||||
printf '%s\n' "$client_names" | LC_ALL=C sort | while read -r line; do
|
printf '%s\n' "$client_names" | LC_ALL=C sort | while read -r line; do
|
||||||
printf "%-${max_len}s " "$line"
|
printf "%-${max_len}s " "$line"
|
||||||
client_status=$(certutil -V -u C -d sql:/etc/ipsec.d -n "$line" | grep -o -e ' valid' -e expired -e revoked | sed -e 's/^ //')
|
client_status=$(certutil -V -u C -d "$CERT_DB" -n "$line" | grep -o -e ' valid' -e expired -e revoked | sed -e 's/^ //')
|
||||||
[ -z "$client_status" ] && client_status=unknown
|
[ -z "$client_status" ] && client_status=unknown
|
||||||
printf '%s\n' "$client_status"
|
printf '%s\n' "$client_status"
|
||||||
done
|
done
|
||||||
@ -402,33 +426,26 @@ enter_client_name() {
|
|||||||
echo
|
echo
|
||||||
echo "Provide a name for the IKEv2 VPN client."
|
echo "Provide a name for the IKEv2 VPN client."
|
||||||
echo "Use one word only, no special characters except '-' and '_'."
|
echo "Use one word only, no special characters except '-' and '_'."
|
||||||
|
if [ "$1" = "with_defaults" ]; then
|
||||||
|
read -rp "Client name: [vpnclient] " client_name
|
||||||
|
[ -z "$client_name" ] && client_name=vpnclient
|
||||||
|
else
|
||||||
read -rp "Client name: " client_name
|
read -rp "Client name: " client_name
|
||||||
[ -z "$client_name" ] && abort_and_exit
|
[ -z "$client_name" ] && abort_and_exit
|
||||||
|
fi
|
||||||
while ! check_client_name "$client_name" || check_cert_exists "$client_name"; do
|
while ! check_client_name "$client_name" || check_cert_exists "$client_name"; do
|
||||||
if ! check_client_name "$client_name"; then
|
if ! check_client_name "$client_name"; then
|
||||||
echo "Invalid client name."
|
echo "Invalid client name."
|
||||||
else
|
else
|
||||||
echo "Invalid client name. Client '$client_name' already exists."
|
echo "Invalid client name. Client '$client_name' already exists."
|
||||||
fi
|
fi
|
||||||
|
if [ "$1" = "with_defaults" ]; then
|
||||||
|
read -rp "Client name: [vpnclient] " client_name
|
||||||
|
[ -z "$client_name" ] && client_name=vpnclient
|
||||||
|
else
|
||||||
read -rp "Client name: " client_name
|
read -rp "Client name: " client_name
|
||||||
[ -z "$client_name" ] && abort_and_exit
|
[ -z "$client_name" ] && abort_and_exit
|
||||||
done
|
|
||||||
}
|
|
||||||
|
|
||||||
enter_client_name_with_defaults() {
|
|
||||||
echo
|
|
||||||
echo "Provide a name for the IKEv2 VPN client."
|
|
||||||
echo "Use one word only, no special characters except '-' and '_'."
|
|
||||||
read -rp "Client name: [vpnclient] " client_name
|
|
||||||
[ -z "$client_name" ] && client_name=vpnclient
|
|
||||||
while ! check_client_name "$client_name" || check_cert_exists "$client_name"; do
|
|
||||||
if ! check_client_name "$client_name"; then
|
|
||||||
echo "Invalid client name."
|
|
||||||
else
|
|
||||||
echo "Invalid client name. Client '$client_name' already exists."
|
|
||||||
fi
|
fi
|
||||||
read -rp "Client name: [vpnclient] " client_name
|
|
||||||
[ -z "$client_name" ] && client_name=vpnclient
|
|
||||||
done
|
done
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -439,10 +456,10 @@ enter_client_name_for() {
|
|||||||
echo
|
echo
|
||||||
read -rp "Enter the name of the IKEv2 client to $1: " client_name
|
read -rp "Enter the name of the IKEv2 client to $1: " client_name
|
||||||
[ -z "$client_name" ] && abort_and_exit
|
[ -z "$client_name" ] && abort_and_exit
|
||||||
while ! check_client_name "$client_name" || [ "$client_name" = "IKEv2 VPN CA" ] \
|
while ! check_client_name "$client_name" || [ "$client_name" = "$CA_NAME" ] \
|
||||||
|| [ "$client_name" = "$server_addr" ] || ! check_cert_exists "$client_name" \
|
|| [ "$client_name" = "$server_addr" ] || ! check_cert_exists "$client_name" \
|
||||||
|| ! check_cert_status "$client_name"; do
|
|| ! check_cert_status "$client_name"; do
|
||||||
if ! check_client_name "$client_name" || [ "$client_name" = "IKEv2 VPN CA" ] \
|
if ! check_client_name "$client_name" || [ "$client_name" = "$CA_NAME" ] \
|
||||||
|| [ "$client_name" = "$server_addr" ] || ! check_cert_exists "$client_name"; then
|
|| [ "$client_name" = "$server_addr" ] || ! check_cert_exists "$client_name"; then
|
||||||
echo "Invalid client name, or client does not exist."
|
echo "Invalid client name, or client does not exist."
|
||||||
else
|
else
|
||||||
@ -464,7 +481,7 @@ enter_client_name_for() {
|
|||||||
done
|
done
|
||||||
}
|
}
|
||||||
|
|
||||||
enter_client_cert_validity() {
|
enter_client_validity() {
|
||||||
echo
|
echo
|
||||||
echo "Specify the validity period (in months) for this client certificate."
|
echo "Specify the validity period (in months) for this client certificate."
|
||||||
read -rp "Enter a number between 1 and 120: [120] " client_validity
|
read -rp "Enter a number between 1 and 120: [120] " client_validity
|
||||||
@ -578,8 +595,7 @@ EOF
|
|||||||
}
|
}
|
||||||
|
|
||||||
check_config_password() {
|
check_config_password() {
|
||||||
config_file="/etc/ipsec.d/.vpnconfig"
|
if grep -qs '^IKEV2_CONFIG_PASSWORD=.\+' "$CONFIG_FILE"; then
|
||||||
if grep -qs '^IKEV2_CONFIG_PASSWORD=.\+' "$config_file"; then
|
|
||||||
use_config_password=1
|
use_config_password=1
|
||||||
else
|
else
|
||||||
use_config_password=0
|
use_config_password=0
|
||||||
@ -592,7 +608,7 @@ cat <<'EOF'
|
|||||||
|
|
||||||
IKEv2 client config files contain the client certificate, private key and CA certificate.
|
IKEv2 client config files contain the client certificate, private key and CA certificate.
|
||||||
This script can optionally generate a random password to protect these files.
|
This script can optionally generate a random password to protect these files.
|
||||||
Future client config files will also be protected using the same password.
|
Future client config files will also be protected using this password.
|
||||||
|
|
||||||
EOF
|
EOF
|
||||||
printf "Protect client config files using a password? [y/N] "
|
printf "Protect client config files using a password? [y/N] "
|
||||||
@ -680,10 +696,10 @@ create_client_cert() {
|
|||||||
bigecho2 "Generating client certificate..."
|
bigecho2 "Generating client certificate..."
|
||||||
sleep 1
|
sleep 1
|
||||||
certutil -z <(head -c 1024 /dev/urandom) \
|
certutil -z <(head -c 1024 /dev/urandom) \
|
||||||
-S -c "IKEv2 VPN CA" -n "$client_name" \
|
-S -c "$CA_NAME" -n "$client_name" \
|
||||||
-s "O=IKEv2 VPN,CN=$client_name" \
|
-s "O=IKEv2 VPN,CN=$client_name" \
|
||||||
-k rsa -g 3072 -v "$client_validity" \
|
-k rsa -g 3072 -v "$client_validity" \
|
||||||
-d sql:/etc/ipsec.d -t ",," \
|
-d "$CERT_DB" -t ",," \
|
||||||
--keyUsage digitalSignature,keyEncipherment \
|
--keyUsage digitalSignature,keyEncipherment \
|
||||||
--extKeyUsage serverAuth,clientAuth -8 "$client_name" >/dev/null 2>&1 || exiterr "Failed to create client certificate."
|
--extKeyUsage serverAuth,clientAuth -8 "$client_name" >/dev/null 2>&1 || exiterr "Failed to create client certificate."
|
||||||
}
|
}
|
||||||
@ -697,13 +713,14 @@ get_p12_password() {
|
|||||||
if [ "$use_config_password" = "0" ]; then
|
if [ "$use_config_password" = "0" ]; then
|
||||||
create_p12_password
|
create_p12_password
|
||||||
else
|
else
|
||||||
config_file="/etc/ipsec.d/.vpnconfig"
|
p12_password=$(grep -s '^IKEV2_CONFIG_PASSWORD=.\+' "$CONFIG_FILE" | tail -n 1 | cut -f2- -d= | sed -e "s/^'//" -e "s/'$//")
|
||||||
p12_password=$(grep -s '^IKEV2_CONFIG_PASSWORD=.\+' "$config_file" | tail -n 1 | cut -f2- -d= | sed -e "s/^'//" -e "s/'$//")
|
|
||||||
if [ -z "$p12_password" ]; then
|
if [ -z "$p12_password" ]; then
|
||||||
create_p12_password
|
create_p12_password
|
||||||
mkdir -p /etc/ipsec.d
|
if [ -n "$CONFIG_FILE" ] && [ -n "$CONFIG_DIR" ]; then
|
||||||
printf '%s\n' "IKEV2_CONFIG_PASSWORD='$p12_password'" >> "$config_file"
|
mkdir -p "$CONFIG_DIR"
|
||||||
chmod 600 "$config_file"
|
printf '%s\n' "IKEV2_CONFIG_PASSWORD='$p12_password'" >> "$CONFIG_FILE"
|
||||||
|
chmod 600 "$CONFIG_FILE"
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
@ -713,25 +730,22 @@ export_p12_file() {
|
|||||||
get_p12_password
|
get_p12_password
|
||||||
p12_file="$export_dir$client_name.p12"
|
p12_file="$export_dir$client_name.p12"
|
||||||
p12_file_enc="$export_dir$client_name.enc.p12"
|
p12_file_enc="$export_dir$client_name.enc.p12"
|
||||||
pk12util -W "$p12_password" -d sql:/etc/ipsec.d -n "$client_name" -o "$p12_file_enc" >/dev/null || exit 1
|
pk12util -W "$p12_password" -d "$CERT_DB" -n "$client_name" -o "$p12_file_enc" >/dev/null || exit 1
|
||||||
if [ "$os_type" = "alpine" ] || { [ "$os_type" = "ubuntu" ] && [ "$os_ver" = "11" ]; }; then
|
if [ "$os_type" = "alpine" ] || { [ "$os_type" = "ubuntu" ] && [ "$os_ver" = "11" ]; }; then
|
||||||
pem_file="$export_dir$client_name.temp.pem"
|
pem_file="$export_dir$client_name.temp.pem"
|
||||||
openssl pkcs12 -in "$p12_file_enc" -out "$pem_file" -passin "pass:$p12_password" -passout "pass:$p12_password" || exit 1
|
openssl pkcs12 -in "$p12_file_enc" -out "$pem_file" -passin "pass:$p12_password" -passout "pass:$p12_password" || exit 1
|
||||||
openssl pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -in "$pem_file" -out "$p12_file_enc" \
|
openssl pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -in "$pem_file" -out "$p12_file_enc" \
|
||||||
-name "$client_name" -passin "pass:$p12_password" -passout "pass:$p12_password" || exit 1
|
-name "$client_name" -passin "pass:$p12_password" -passout "pass:$p12_password" || exit 1
|
||||||
if [ "$use_config_password" = "1" ]; then
|
if [ "$use_config_password" = "0" ]; then
|
||||||
/bin/cp -f "$p12_file_enc" "$p12_file"
|
|
||||||
else
|
|
||||||
openssl pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -in "$pem_file" -out "$p12_file" \
|
openssl pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -in "$pem_file" -out "$p12_file" \
|
||||||
-name "$client_name" -passin "pass:$p12_password" -passout pass: || exit 1
|
-name "$client_name" -passin "pass:$p12_password" -passout pass: || exit 1
|
||||||
fi
|
fi
|
||||||
/bin/rm -f "$pem_file"
|
/bin/rm -f "$pem_file"
|
||||||
else
|
elif [ "$use_config_password" = "0" ]; then
|
||||||
|
pk12util -W "" -d "$CERT_DB" -n "$client_name" -o "$p12_file" >/dev/null || exit 1
|
||||||
|
fi
|
||||||
if [ "$use_config_password" = "1" ]; then
|
if [ "$use_config_password" = "1" ]; then
|
||||||
/bin/cp -f "$p12_file_enc" "$p12_file"
|
/bin/cp -f "$p12_file_enc" "$p12_file"
|
||||||
else
|
|
||||||
pk12util -W "" -d sql:/etc/ipsec.d -n "$client_name" -o "$p12_file" >/dev/null || exit 1
|
|
||||||
fi
|
|
||||||
fi
|
fi
|
||||||
if [ "$export_to_home_dir" = "1" ]; then
|
if [ "$export_to_home_dir" = "1" ]; then
|
||||||
chown "$SUDO_USER:$SUDO_USER" "$p12_file"
|
chown "$SUDO_USER:$SUDO_USER" "$p12_file"
|
||||||
@ -776,8 +790,8 @@ create_mobileconfig() {
|
|||||||
p12_base64=$(base64 -w 52 "$p12_file_enc")
|
p12_base64=$(base64 -w 52 "$p12_file_enc")
|
||||||
/bin/rm -f "$p12_file_enc"
|
/bin/rm -f "$p12_file_enc"
|
||||||
[ -z "$p12_base64" ] && exiterr "Could not encode .p12 file."
|
[ -z "$p12_base64" ] && exiterr "Could not encode .p12 file."
|
||||||
ca_base64=$(certutil -L -d sql:/etc/ipsec.d -n "IKEv2 VPN CA" -a | grep -v CERTIFICATE)
|
ca_base64=$(certutil -L -d "$CERT_DB" -n "$CA_NAME" -a | grep -v CERTIFICATE)
|
||||||
[ -z "$ca_base64" ] && exiterr "Could not encode IKEv2 VPN CA certificate."
|
[ -z "$ca_base64" ] && exiterr "Could not encode $CA_NAME certificate."
|
||||||
uuid1=$(uuidgen)
|
uuid1=$(uuidgen)
|
||||||
[ -z "$uuid1" ] && exiterr "Could not generate UUID value."
|
[ -z "$uuid1" ] && exiterr "Could not generate UUID value."
|
||||||
mc_file="$export_dir$client_name.mobileconfig"
|
mc_file="$export_dir$client_name.mobileconfig"
|
||||||
@ -922,7 +936,7 @@ $ca_base64
|
|||||||
</dict>
|
</dict>
|
||||||
</array>
|
</array>
|
||||||
<key>PayloadDisplayName</key>
|
<key>PayloadDisplayName</key>
|
||||||
<string>IKEv2 VPN ($server_addr)</string>
|
<string>IKEv2 VPN $server_addr</string>
|
||||||
<key>PayloadIdentifier</key>
|
<key>PayloadIdentifier</key>
|
||||||
<string>com.apple.vpn.managed.$(uuidgen)</string>
|
<string>com.apple.vpn.managed.$(uuidgen)</string>
|
||||||
<key>PayloadRemovalDisallowed</key>
|
<key>PayloadRemovalDisallowed</key>
|
||||||
@ -952,7 +966,7 @@ create_android_profile() {
|
|||||||
cat > "$sswan_file" <<EOF
|
cat > "$sswan_file" <<EOF
|
||||||
{
|
{
|
||||||
"uuid": "$uuid2",
|
"uuid": "$uuid2",
|
||||||
"name": "IKEv2 VPN ($server_addr)",
|
"name": "IKEv2 VPN $server_addr",
|
||||||
"type": "ikev2-cert",
|
"type": "ikev2-cert",
|
||||||
"remote": {
|
"remote": {
|
||||||
"addr": "$server_addr"
|
"addr": "$server_addr"
|
||||||
@ -985,10 +999,10 @@ export_client_config() {
|
|||||||
create_ca_server_certs() {
|
create_ca_server_certs() {
|
||||||
bigecho2 "Generating CA and server certificates..."
|
bigecho2 "Generating CA and server certificates..."
|
||||||
certutil -z <(head -c 1024 /dev/urandom) \
|
certutil -z <(head -c 1024 /dev/urandom) \
|
||||||
-S -x -n "IKEv2 VPN CA" \
|
-S -x -n "$CA_NAME" \
|
||||||
-s "O=IKEv2 VPN,CN=IKEv2 VPN CA" \
|
-s "O=IKEv2 VPN,CN=$CA_NAME" \
|
||||||
-k rsa -g 3072 -v 120 \
|
-k rsa -g 3072 -v 120 \
|
||||||
-d sql:/etc/ipsec.d -t "CT,," -2 >/dev/null 2>&1 <<ANSWERS || exiterr "Failed to create CA certificate."
|
-d "$CERT_DB" -t "CT,," -2 >/dev/null 2>&1 <<ANSWERS || exiterr "Failed to create CA certificate."
|
||||||
y
|
y
|
||||||
|
|
||||||
N
|
N
|
||||||
@ -996,19 +1010,19 @@ ANSWERS
|
|||||||
sleep 1
|
sleep 1
|
||||||
if [ "$use_dns_name" = "1" ]; then
|
if [ "$use_dns_name" = "1" ]; then
|
||||||
certutil -z <(head -c 1024 /dev/urandom) \
|
certutil -z <(head -c 1024 /dev/urandom) \
|
||||||
-S -c "IKEv2 VPN CA" -n "$server_addr" \
|
-S -c "$CA_NAME" -n "$server_addr" \
|
||||||
-s "O=IKEv2 VPN,CN=$server_addr" \
|
-s "O=IKEv2 VPN,CN=$server_addr" \
|
||||||
-k rsa -g 3072 -v 120 \
|
-k rsa -g 3072 -v 120 \
|
||||||
-d sql:/etc/ipsec.d -t ",," \
|
-d "$CERT_DB" -t ",," \
|
||||||
--keyUsage digitalSignature,keyEncipherment \
|
--keyUsage digitalSignature,keyEncipherment \
|
||||||
--extKeyUsage serverAuth \
|
--extKeyUsage serverAuth \
|
||||||
--extSAN "dns:$server_addr" >/dev/null 2>&1 || exiterr "Failed to create server certificate."
|
--extSAN "dns:$server_addr" >/dev/null 2>&1 || exiterr "Failed to create server certificate."
|
||||||
else
|
else
|
||||||
certutil -z <(head -c 1024 /dev/urandom) \
|
certutil -z <(head -c 1024 /dev/urandom) \
|
||||||
-S -c "IKEv2 VPN CA" -n "$server_addr" \
|
-S -c "$CA_NAME" -n "$server_addr" \
|
||||||
-s "O=IKEv2 VPN,CN=$server_addr" \
|
-s "O=IKEv2 VPN,CN=$server_addr" \
|
||||||
-k rsa -g 3072 -v 120 \
|
-k rsa -g 3072 -v 120 \
|
||||||
-d sql:/etc/ipsec.d -t ",," \
|
-d "$CERT_DB" -t ",," \
|
||||||
--keyUsage digitalSignature,keyEncipherment \
|
--keyUsage digitalSignature,keyEncipherment \
|
||||||
--extKeyUsage serverAuth \
|
--extKeyUsage serverAuth \
|
||||||
--extSAN "ip:$server_addr,dns:$server_addr" >/dev/null 2>&1 || exiterr "Failed to create server certificate."
|
--extSAN "ip:$server_addr,dns:$server_addr" >/dev/null 2>&1 || exiterr "Failed to create server certificate."
|
||||||
@ -1017,11 +1031,11 @@ ANSWERS
|
|||||||
|
|
||||||
add_ikev2_connection() {
|
add_ikev2_connection() {
|
||||||
bigecho2 "Adding a new IKEv2 connection..."
|
bigecho2 "Adding a new IKEv2 connection..."
|
||||||
if ! grep -qs '^include /etc/ipsec\.d/\*\.conf$' /etc/ipsec.conf; then
|
if ! grep -qs '^include /etc/ipsec\.d/\*\.conf$' "$IPSEC_CONF"; then
|
||||||
echo >> /etc/ipsec.conf
|
echo >> "$IPSEC_CONF"
|
||||||
echo 'include /etc/ipsec.d/*.conf' >> /etc/ipsec.conf
|
echo 'include /etc/ipsec.d/*.conf' >> "$IPSEC_CONF"
|
||||||
fi
|
fi
|
||||||
cat > /etc/ipsec.d/ikev2.conf <<EOF
|
cat > "$IKEV2_CONF" <<EOF
|
||||||
|
|
||||||
conn ikev2-cp
|
conn ikev2-cp
|
||||||
left=%defaultroute
|
left=%defaultroute
|
||||||
@ -1049,27 +1063,27 @@ conn ikev2-cp
|
|||||||
encapsulation=yes
|
encapsulation=yes
|
||||||
EOF
|
EOF
|
||||||
if [ "$use_dns_name" = "1" ]; then
|
if [ "$use_dns_name" = "1" ]; then
|
||||||
cat >> /etc/ipsec.d/ikev2.conf <<EOF
|
cat >> "$IKEV2_CONF" <<EOF
|
||||||
leftid=@$server_addr
|
leftid=@$server_addr
|
||||||
EOF
|
EOF
|
||||||
else
|
else
|
||||||
cat >> /etc/ipsec.d/ikev2.conf <<EOF
|
cat >> "$IKEV2_CONF" <<EOF
|
||||||
leftid=$server_addr
|
leftid=$server_addr
|
||||||
EOF
|
EOF
|
||||||
fi
|
fi
|
||||||
if [ -n "$dns_server_2" ]; then
|
if [ -n "$dns_server_2" ]; then
|
||||||
cat >> /etc/ipsec.d/ikev2.conf <<EOF
|
cat >> "$IKEV2_CONF" <<EOF
|
||||||
modecfgdns="$dns_servers"
|
modecfgdns="$dns_servers"
|
||||||
EOF
|
EOF
|
||||||
else
|
else
|
||||||
cat >> /etc/ipsec.d/ikev2.conf <<EOF
|
cat >> "$IKEV2_CONF" <<EOF
|
||||||
modecfgdns=$dns_server_1
|
modecfgdns=$dns_server_1
|
||||||
EOF
|
EOF
|
||||||
fi
|
fi
|
||||||
if [ "$mobike_enable" = "1" ]; then
|
if [ "$mobike_enable" = "1" ]; then
|
||||||
echo " mobike=yes" >> /etc/ipsec.d/ikev2.conf
|
echo " mobike=yes" >> "$IKEV2_CONF"
|
||||||
else
|
else
|
||||||
echo " mobike=no" >> /etc/ipsec.d/ikev2.conf
|
echo " mobike=no" >> "$IKEV2_CONF"
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1104,18 +1118,18 @@ restart_ipsec_service() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
create_crl() {
|
create_crl() {
|
||||||
if ! crlutil -L -d sql:/etc/ipsec.d -n "IKEv2 VPN CA" >/dev/null 2>&1; then
|
if ! crlutil -L -d "$CERT_DB" -n "$CA_NAME" >/dev/null 2>&1; then
|
||||||
crlutil -G -d sql:/etc/ipsec.d -n "IKEv2 VPN CA" -c /dev/null >/dev/null
|
crlutil -G -d "$CERT_DB" -n "$CA_NAME" -c /dev/null >/dev/null
|
||||||
fi
|
fi
|
||||||
sleep 2
|
sleep 2
|
||||||
}
|
}
|
||||||
|
|
||||||
add_client_cert_to_crl() {
|
add_client_cert_to_crl() {
|
||||||
sn_txt=$(certutil -L -d sql:/etc/ipsec.d -n "$client_name" | grep -A 1 'Serial Number' | tail -n 1)
|
sn_txt=$(certutil -L -d "$CERT_DB" -n "$client_name" | grep -A 1 'Serial Number' | tail -n 1)
|
||||||
sn_hex=$(printf '%s' "$sn_txt" | sed -e 's/^ *//' -e 's/://g')
|
sn_hex=$(printf '%s' "$sn_txt" | sed -e 's/^ *//' -e 's/://g')
|
||||||
sn_dec=$((16#$sn_hex))
|
sn_dec=$((16#$sn_hex))
|
||||||
[ -z "$sn_dec" ] && exiterr "Could not find serial number of client certificate."
|
[ -z "$sn_dec" ] && exiterr "Could not find serial number of client certificate."
|
||||||
crlutil -M -d sql:/etc/ipsec.d -n "IKEv2 VPN CA" >/dev/null <<EOF || exiterr "Failed to add client certificate to CRL."
|
crlutil -M -d "$CERT_DB" -n "$CA_NAME" >/dev/null <<EOF || exiterr "Failed to add client certificate to CRL."
|
||||||
addcert $sn_dec $(date -u +%Y%m%d%H%M%SZ)
|
addcert $sn_dec $(date -u +%Y%m%d%H%M%SZ)
|
||||||
EOF
|
EOF
|
||||||
}
|
}
|
||||||
@ -1219,9 +1233,9 @@ EOF
|
|||||||
}
|
}
|
||||||
|
|
||||||
check_ipsec_conf() {
|
check_ipsec_conf() {
|
||||||
if grep -qs "conn ikev2-cp" /etc/ipsec.conf; then
|
if grep -qs "conn ikev2-cp" "$IPSEC_CONF"; then
|
||||||
cat 1>&2 <<'EOF'
|
cat 1>&2 <<EOF
|
||||||
Error: IKEv2 configuration section found in /etc/ipsec.conf.
|
Error: IKEv2 configuration section found in $IPSEC_CONF.
|
||||||
This script cannot automatically remove IKEv2 from this server.
|
This script cannot automatically remove IKEv2 from this server.
|
||||||
To manually remove IKEv2, see https://git.io/ikev2
|
To manually remove IKEv2, see https://git.io/ikev2
|
||||||
EOF
|
EOF
|
||||||
@ -1251,23 +1265,22 @@ EOF
|
|||||||
}
|
}
|
||||||
|
|
||||||
delete_ikev2_conf() {
|
delete_ikev2_conf() {
|
||||||
bigecho "Deleting /etc/ipsec.d/ikev2.conf..."
|
bigecho "Deleting $IKEV2_CONF..."
|
||||||
/bin/rm -f /etc/ipsec.d/ikev2.conf
|
/bin/rm -f "$IKEV2_CONF"
|
||||||
}
|
}
|
||||||
|
|
||||||
delete_certificates() {
|
delete_certificates() {
|
||||||
echo
|
echo
|
||||||
bigecho "Deleting certificates and keys from the IPsec database..."
|
bigecho "Deleting certificates and keys from the IPsec database..."
|
||||||
certutil -L -d sql:/etc/ipsec.d | grep -v -e '^$' -e 'IKEv2 VPN CA' | tail -n +3 | cut -f1 -d ' ' | while read -r line; do
|
certutil -L -d "$CERT_DB" | grep -v -e '^$' -e "$CA_NAME" | tail -n +3 | cut -f1 -d ' ' | while read -r line; do
|
||||||
certutil -F -d sql:/etc/ipsec.d -n "$line"
|
certutil -F -d "$CERT_DB" -n "$line"
|
||||||
certutil -D -d sql:/etc/ipsec.d -n "$line" 2>/dev/null
|
certutil -D -d "$CERT_DB" -n "$line" 2>/dev/null
|
||||||
done
|
done
|
||||||
crlutil -D -d sql:/etc/ipsec.d -n "IKEv2 VPN CA" 2>/dev/null
|
crlutil -D -d "$CERT_DB" -n "$CA_NAME" 2>/dev/null
|
||||||
certutil -F -d sql:/etc/ipsec.d -n "IKEv2 VPN CA"
|
certutil -F -d "$CERT_DB" -n "$CA_NAME"
|
||||||
certutil -D -d sql:/etc/ipsec.d -n "IKEv2 VPN CA" 2>/dev/null
|
certutil -D -d "$CERT_DB" -n "$CA_NAME" 2>/dev/null
|
||||||
config_file="/etc/ipsec.d/.vpnconfig"
|
if grep -qs '^IKEV2_CONFIG_PASSWORD=.\+' "$CONFIG_FILE"; then
|
||||||
if grep -qs '^IKEV2_CONFIG_PASSWORD=.\+' "$config_file"; then
|
sed -i '/IKEV2_CONFIG_PASSWORD=/d' "$CONFIG_FILE"
|
||||||
sed -i '/IKEV2_CONFIG_PASSWORD=/d' "$config_file"
|
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1331,6 +1344,13 @@ ikev2setup() {
|
|||||||
esac
|
esac
|
||||||
done
|
done
|
||||||
|
|
||||||
|
CA_NAME="IKEv2 VPN CA"
|
||||||
|
CERT_DB="sql:/etc/ipsec.d"
|
||||||
|
CONFIG_DIR="/etc/ipsec.d"
|
||||||
|
CONFIG_FILE="/etc/ipsec.d/.vpnconfig"
|
||||||
|
IKEV2_CONF="/etc/ipsec.d/ikev2.conf"
|
||||||
|
IPSEC_CONF="/etc/ipsec.conf"
|
||||||
|
|
||||||
check_arguments
|
check_arguments
|
||||||
check_config_password
|
check_config_password
|
||||||
get_export_dir
|
get_export_dir
|
||||||
@ -1393,7 +1413,7 @@ ikev2setup() {
|
|||||||
case $selected_option in
|
case $selected_option in
|
||||||
1)
|
1)
|
||||||
enter_client_name
|
enter_client_name
|
||||||
enter_client_cert_validity
|
enter_client_validity
|
||||||
select_config_password
|
select_config_password
|
||||||
echo
|
echo
|
||||||
create_client_cert
|
create_client_cert
|
||||||
@ -1447,15 +1467,15 @@ ikev2setup() {
|
|||||||
esac
|
esac
|
||||||
fi
|
fi
|
||||||
|
|
||||||
check_cert_exists_and_exit "IKEv2 VPN CA"
|
check_cert_exists_and_exit "$CA_NAME"
|
||||||
|
|
||||||
if [ "$use_defaults" = "0" ]; then
|
if [ "$use_defaults" = "0" ]; then
|
||||||
show_header
|
show_header
|
||||||
show_welcome
|
show_welcome
|
||||||
enter_server_address
|
enter_server_address
|
||||||
check_cert_exists_and_exit "$server_addr"
|
check_cert_exists_and_exit "$server_addr"
|
||||||
enter_client_name_with_defaults
|
enter_client_name with_defaults
|
||||||
enter_client_cert_validity
|
enter_client_validity
|
||||||
enter_custom_dns
|
enter_custom_dns
|
||||||
check_mobike_support
|
check_mobike_support
|
||||||
select_mobike
|
select_mobike
|
||||||
@ -1464,40 +1484,12 @@ ikev2setup() {
|
|||||||
else
|
else
|
||||||
check_server_dns_name
|
check_server_dns_name
|
||||||
check_custom_dns
|
check_custom_dns
|
||||||
if [ -n "$VPN_CLIENT_NAME" ]; then
|
check_and_set_client_name
|
||||||
client_name="$VPN_CLIENT_NAME"
|
|
||||||
check_client_name "$client_name" \
|
|
||||||
|| exiterr "Invalid client name. Use one word only, no special characters except '-' and '_'."
|
|
||||||
else
|
|
||||||
client_name=vpnclient
|
|
||||||
fi
|
|
||||||
check_cert_exists "$client_name" && exiterr "Client '$client_name' already exists."
|
|
||||||
client_validity=120
|
client_validity=120
|
||||||
show_header
|
show_header
|
||||||
show_start_setup
|
show_start_setup
|
||||||
if [ -n "$VPN_DNS_NAME" ]; then
|
set_server_address
|
||||||
use_dns_name=1
|
set_dns_servers
|
||||||
server_addr="$VPN_DNS_NAME"
|
|
||||||
else
|
|
||||||
use_dns_name=0
|
|
||||||
get_server_ip
|
|
||||||
check_ip "$public_ip" || exiterr "Cannot detect this server's public IP."
|
|
||||||
server_addr="$public_ip"
|
|
||||||
fi
|
|
||||||
check_cert_exists_and_exit "$server_addr"
|
|
||||||
if [ -n "$VPN_DNS_SRV1" ] && [ -n "$VPN_DNS_SRV2" ]; then
|
|
||||||
dns_server_1="$VPN_DNS_SRV1"
|
|
||||||
dns_server_2="$VPN_DNS_SRV2"
|
|
||||||
dns_servers="$VPN_DNS_SRV1 $VPN_DNS_SRV2"
|
|
||||||
elif [ -n "$VPN_DNS_SRV1" ]; then
|
|
||||||
dns_server_1="$VPN_DNS_SRV1"
|
|
||||||
dns_server_2=""
|
|
||||||
dns_servers="$VPN_DNS_SRV1"
|
|
||||||
else
|
|
||||||
dns_server_1=8.8.8.8
|
|
||||||
dns_server_2=8.8.4.4
|
|
||||||
dns_servers="8.8.8.8 8.8.4.4"
|
|
||||||
fi
|
|
||||||
check_mobike_support
|
check_mobike_support
|
||||||
mobike_enable="$mobike_support"
|
mobike_enable="$mobike_support"
|
||||||
fi
|
fi
|
||||||
|
Loading…
Reference in New Issue
Block a user