Update IKEv2 script
- Add an option to protect IKEv2 client config files using a password,
which users can select when customizing IKEv2 or client options
Ref: dbc3527
- Change the default action to 'continue' when confirming IKEv2 setup
options
- Other minor improvements
parent
8a9b83164a
commit
fb85eae7ba
@ -286,7 +286,6 @@ check_custom_dns() {
|
|||||||
show_welcome() {
|
show_welcome() {
|
||||||
cat <<'EOF'
|
cat <<'EOF'
|
||||||
Welcome! Use this script to set up IKEv2 on your IPsec VPN server.
|
Welcome! Use this script to set up IKEv2 on your IPsec VPN server.
|
||||||
|
|
||||||
I need to ask you a few questions before starting setup.
|
I need to ask you a few questions before starting setup.
|
||||||
You can use the default options and just press enter if you are OK with them.
|
You can use the default options and just press enter if you are OK with them.
|
||||||
|
|
||||||
@ -315,7 +314,7 @@ show_add_client() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
show_export_client() {
|
show_export_client() {
|
||||||
bigecho "Exporting existing IKEv2 client '$client_name'."
|
bigecho "Exporting IKEv2 client '$client_name', using default options."
|
||||||
}
|
}
|
||||||
|
|
||||||
get_export_dir() {
|
get_export_dir() {
|
||||||
@ -565,7 +564,7 @@ The MOBIKE IKEv2 extension allows VPN clients to change network attachment point
|
|||||||
e.g. switch between mobile data and Wi-Fi and keep the IPsec tunnel up on the new IP.
|
e.g. switch between mobile data and Wi-Fi and keep the IPsec tunnel up on the new IP.
|
||||||
|
|
||||||
EOF
|
EOF
|
||||||
printf "Do you want to enable MOBIKE support? [Y/n] "
|
printf "Enable MOBIKE support? [Y/n] "
|
||||||
read -r response
|
read -r response
|
||||||
case $response in
|
case $response in
|
||||||
[yY][eE][sS]|[yY]|'')
|
[yY][eE][sS]|[yY]|'')
|
||||||
@ -578,6 +577,25 @@ EOF
|
|||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
select_config_password() {
|
||||||
|
cat <<'EOF'
|
||||||
|
|
||||||
|
IKEv2 client config files contain the client certificate, private key and CA certificate.
|
||||||
|
This script can optionally generate a random password to protect these files.
|
||||||
|
|
||||||
|
EOF
|
||||||
|
printf "Protect client config files using a password? [y/N] "
|
||||||
|
read -r response
|
||||||
|
case $response in
|
||||||
|
[yY][eE][sS]|[yY])
|
||||||
|
use_config_password=1
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
use_config_password=0
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
}
|
||||||
|
|
||||||
select_menu_option() {
|
select_menu_option() {
|
||||||
cat <<'EOF'
|
cat <<'EOF'
|
||||||
IKEv2 is already set up on this server.
|
IKEv2 is already set up on this server.
|
||||||
@ -634,7 +652,16 @@ DNS server(s): $dns_servers
|
|||||||
======================================
|
======================================
|
||||||
|
|
||||||
EOF
|
EOF
|
||||||
confirm_or_abort "Do you want to continue? [y/N] "
|
printf "Do you want to continue? [Y/n] "
|
||||||
|
read -r response
|
||||||
|
case $response in
|
||||||
|
[yY][eE][sS]|[yY]|'')
|
||||||
|
echo
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
abort_and_exit
|
||||||
|
;;
|
||||||
|
esac
|
||||||
}
|
}
|
||||||
|
|
||||||
create_client_cert() {
|
create_client_cert() {
|
||||||
@ -672,11 +699,19 @@ export_p12_file() {
|
|||||||
openssl pkcs12 -in "$p12_file_enc" -out "$pem_file" -passin "pass:$p12_password" -passout "pass:$p12_password" || exit 1
|
openssl pkcs12 -in "$p12_file_enc" -out "$pem_file" -passin "pass:$p12_password" -passout "pass:$p12_password" || exit 1
|
||||||
openssl pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -in "$pem_file" -out "$p12_file_enc" \
|
openssl pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -in "$pem_file" -out "$p12_file_enc" \
|
||||||
-name "$client_name" -passin "pass:$p12_password" -passout "pass:$p12_password" || exit 1
|
-name "$client_name" -passin "pass:$p12_password" -passout "pass:$p12_password" || exit 1
|
||||||
openssl pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -in "$pem_file" -out "$p12_file" \
|
if [ "$use_config_password" = "1" ]; then
|
||||||
-name "$client_name" -passin "pass:$p12_password" -passout pass: || exit 1
|
/bin/cp -f "$p12_file_enc" "$p12_file"
|
||||||
|
else
|
||||||
|
openssl pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -in "$pem_file" -out "$p12_file" \
|
||||||
|
-name "$client_name" -passin "pass:$p12_password" -passout pass: || exit 1
|
||||||
|
fi
|
||||||
/bin/rm -f "$pem_file"
|
/bin/rm -f "$pem_file"
|
||||||
else
|
else
|
||||||
pk12util -W "" -d sql:/etc/ipsec.d -n "$client_name" -o "$p12_file" >/dev/null || exit 1
|
if [ "$use_config_password" = "1" ]; then
|
||||||
|
/bin/cp -f "$p12_file_enc" "$p12_file"
|
||||||
|
else
|
||||||
|
pk12util -W "" -d sql:/etc/ipsec.d -n "$client_name" -o "$p12_file" >/dev/null || exit 1
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
if [ "$export_to_home_dir" = "1" ]; then
|
if [ "$export_to_home_dir" = "1" ]; then
|
||||||
chown "$SUDO_USER:$SUDO_USER" "$p12_file"
|
chown "$SUDO_USER:$SUDO_USER" "$p12_file"
|
||||||
@ -818,8 +853,14 @@ cat > "$mc_file" <<EOF
|
|||||||
<string>IKEv2</string>
|
<string>IKEv2</string>
|
||||||
</dict>
|
</dict>
|
||||||
<dict>
|
<dict>
|
||||||
|
EOF
|
||||||
|
if [ "$use_config_password" = "0" ]; then
|
||||||
|
cat >> "$mc_file" <<EOF
|
||||||
<key>Password</key>
|
<key>Password</key>
|
||||||
<string>$p12_password</string>
|
<string>$p12_password</string>
|
||||||
|
EOF
|
||||||
|
fi
|
||||||
|
cat >> "$mc_file" <<EOF
|
||||||
<key>PayloadCertificateFileName</key>
|
<key>PayloadCertificateFileName</key>
|
||||||
<string>$client_name</string>
|
<string>$client_name</string>
|
||||||
<key>PayloadContent</key>
|
<key>PayloadContent</key>
|
||||||
@ -1123,6 +1164,14 @@ $export_dir$client_name.p12 (for Windows & Linux)
|
|||||||
$export_dir$client_name.sswan (for Android)
|
$export_dir$client_name.sswan (for Android)
|
||||||
$export_dir$client_name.mobileconfig (for iOS & macOS)
|
$export_dir$client_name.mobileconfig (for iOS & macOS)
|
||||||
EOF
|
EOF
|
||||||
|
if [ "$use_config_password" = "1" ]; then
|
||||||
|
cat <<EOF
|
||||||
|
|
||||||
|
*IMPORTANT* Password for client config files:
|
||||||
|
$p12_password
|
||||||
|
Write this down, you'll need it for import!
|
||||||
|
EOF
|
||||||
|
fi
|
||||||
cat <<'EOF'
|
cat <<'EOF'
|
||||||
|
|
||||||
Next steps: Configure IKEv2 VPN clients. See:
|
Next steps: Configure IKEv2 VPN clients. See:
|
||||||
@ -1216,6 +1265,7 @@ ikev2setup() {
|
|||||||
check_utils_exist
|
check_utils_exist
|
||||||
|
|
||||||
use_defaults=0
|
use_defaults=0
|
||||||
|
use_config_password=0
|
||||||
add_client=0
|
add_client=0
|
||||||
export_client=0
|
export_client=0
|
||||||
list_clients=0
|
list_clients=0
|
||||||
@ -1324,6 +1374,7 @@ ikev2setup() {
|
|||||||
1)
|
1)
|
||||||
enter_client_name
|
enter_client_name
|
||||||
enter_client_cert_validity
|
enter_client_cert_validity
|
||||||
|
select_config_password
|
||||||
echo
|
echo
|
||||||
create_client_cert
|
create_client_cert
|
||||||
export_client_config
|
export_client_config
|
||||||
@ -1333,6 +1384,7 @@ ikev2setup() {
|
|||||||
;;
|
;;
|
||||||
2)
|
2)
|
||||||
enter_client_name_for export
|
enter_client_name_for export
|
||||||
|
select_config_password
|
||||||
echo
|
echo
|
||||||
export_client_config
|
export_client_config
|
||||||
print_client_exported
|
print_client_exported
|
||||||
@ -1387,6 +1439,7 @@ ikev2setup() {
|
|||||||
enter_custom_dns
|
enter_custom_dns
|
||||||
check_mobike_support
|
check_mobike_support
|
||||||
select_mobike
|
select_mobike
|
||||||
|
select_config_password
|
||||||
confirm_setup_options
|
confirm_setup_options
|
||||||
else
|
else
|
||||||
check_server_dns_name
|
check_server_dns_name
|
||||||
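Review bot: The two new `/bin/cp -f "$p12_file_enc" "$p12_file"` lines (openssl and pk12util branches of export_p12_file, hunk `@ -672,11 +699,19 @@`) are the only commands in that hunk that do not end in `|| exit 1`, so a failed copy is silently ignored. If `$p12_file` already exists from an earlier export, the script would then hand that older file — possibly the unprotected variant produced by the other branch — to the user and print the password as if it applied; `/bin/cp -f "$p12_file_enc" "$p12_file" || exit 1` closes that gap. In the pk12util branch nothing in the hunk shows where `$p12_file_enc` is produced, so its existence there is inferred from code outside the hunk. Since the protected copy is now the exported artifact, a short comment above the first `cp` noting that its protection is the `PBE-SHA1-3DES` scheme selected on the lines above (presumably kept for client compatibility) would help future maintainers judge the strength of that option. export_p12_file starts and ends outside the hunk.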
|