From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH 1/2] ipsec: Add script to ensure VPNs are always on
Date: Wed, 05 Feb 2020 16:53:20 +0000 [thread overview]
Message-ID: <E03F10A9-7A4A-4435-A9B0-26E2E312143E@ipfire.org> (raw)
In-Reply-To: <99d97378-cc20-8660-e6b0-b782d20f54db@rymes.com>
[-- Attachment #1: Type: text/plain, Size: 9064 bytes --]
Hi,
> On 5 Feb 2020, at 15:23, Tom Rymes <trymes(a)rymes.com> wrote:
>
> I probably misunderstood something here, but if we're setting all tunnels to auto=route, what's the difference between On-Demand and Always-On?
Thank you for looking at this. Good question.
For strongswan there will be no difference any more, but the script that checks the tunnels every 5 minutes will only try to bring up the “always on” tunnels.
> Also, this should be a nice improvement for reliability, as lots of folks don't know that choosing "Always-On" means "auto=start", which is far less reliable.
I think it is best to not offer these options any more. I suppose this only matters for users where one peer is behind NAT. Then you want to make sure that the tunnel is always up (but wouldn’t you normally always care about this?) or you would want the other side not to initiate a connection.
Best,
-Michael
>
> Tom
>
> On 02/05/2020 6:24 AM, Michael Tremer wrote:
>> With an IPFire box behind NAT it is difficult to keep an IPsec
>> VPN up all of the time. On-demand mode does not work when one
>> side cannot initiate the connection.
>> This patch adds a script which will check every 5 minutes or
>> when RED comes up if all VPNs are up and launch those which
>> are not.
>> This should ensure that we are constantly attempting to
>> establish the connection.
>> Additionally this patch changes that "always-on" VPNs will
>> be "routed" like "on-demand" connections. When we see traffic,
>> we will now automatically try to bring up the tunnel.
>> Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
>> ---
>> config/cron/crontab | 3 ++
>> config/rootfiles/common/aarch64/stage2 | 1 +
>> config/rootfiles/common/stage2 | 1 +
>> config/rootfiles/common/x86_64/stage2 | 1 +
>> html/cgi-bin/vpnmain.cgi | 10 ++++--
>> src/misc-progs/ipsecctrl.c | 1 +
>> src/scripts/ipsec-always-on | 65 ++++++++++++++++++++++++++++++++++
>> 7 files changed, 79 insertions(+), 3 deletions(-)
>> create mode 100644 src/scripts/ipsec-always-on
>> diff --git a/config/cron/crontab b/config/cron/crontab
>> index 56801394e..46cbe6ece 100644
>> --- a/config/cron/crontab
>> +++ b/config/cron/crontab
>> @@ -30,6 +30,9 @@ HOME=/
>> # Update dynamic DNS records every five minutes.
>> */5 * * * * [ -f "/var/ipfire/red/active" ] && /usr/bin/ddns update-all
>> +# Make sure VPNs are up
>> +*/5 * * * * /usr/local/bin/ipsec-always-on
>> +
>> # Logwatch
>> 05 0 * * * /usr/local/bin/logwatch > /var/log/logwatch/`date -I -d yesterday`; \
>> LOGWATCH_KEEP=$(sed -ne 's/^LOGWATCH_KEEP=\([0-9]\+\)$/\1/p' /var/ipfire/logging/settings); \
>> diff --git a/config/rootfiles/common/aarch64/stage2 b/config/rootfiles/common/aarch64/stage2
>> index f4169a44e..eda34f743 100644
>> --- a/config/rootfiles/common/aarch64/stage2
>> +++ b/config/rootfiles/common/aarch64/stage2
>> @@ -95,6 +95,7 @@ usr/local/bin/convert-dns-settings
>> usr/local/bin/convert-ovpn
>> usr/local/bin/filesystem-cleanup
>> usr/local/bin/hddshutdown
>> +usr/local/bin/ipsec-always-on
>> usr/local/bin/ipsec-interfaces
>> usr/local/bin/makegraphs
>> usr/local/bin/qosd
>> diff --git a/config/rootfiles/common/stage2 b/config/rootfiles/common/stage2
>> index fca540431..cc0e1dea5 100644
>> --- a/config/rootfiles/common/stage2
>> +++ b/config/rootfiles/common/stage2
>> @@ -94,6 +94,7 @@ usr/local/bin/convert-dns-settings
>> usr/local/bin/convert-ovpn
>> usr/local/bin/filesystem-cleanup
>> usr/local/bin/hddshutdown
>> +usr/local/bin/ipsec-always-on
>> usr/local/bin/ipsec-interfaces
>> usr/local/bin/makegraphs
>> usr/local/bin/qosd
>> diff --git a/config/rootfiles/common/x86_64/stage2 b/config/rootfiles/common/x86_64/stage2
>> index cc67837e5..28a99ceec 100644
>> --- a/config/rootfiles/common/x86_64/stage2
>> +++ b/config/rootfiles/common/x86_64/stage2
>> @@ -96,6 +96,7 @@ usr/local/bin/convert-dns-settings
>> usr/local/bin/convert-ovpn
>> usr/local/bin/filesystem-cleanup
>> usr/local/bin/hddshutdown
>> +usr/local/bin/ipsec-always-on
>> usr/local/bin/ipsec-interfaces
>> usr/local/bin/makegraphs
>> usr/local/bin/qosd
>> diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
>> index 43cdc5aa0..b3cd3e51e 100644
>> --- a/html/cgi-bin/vpnmain.cgi
>> +++ b/html/cgi-bin/vpnmain.cgi
>> @@ -453,7 +453,7 @@ sub writeipsecfiles {
>> my $start_action = $lconfighash{$key}[33];
>> if (!$start_action) {
>> - $start_action = "start";
>> + $start_action = "route";
>> }
>> my $inactivity_timeout = $lconfighash{$key}[34];
>> @@ -466,13 +466,17 @@ sub writeipsecfiles {
>> print CONF "\tauto=add\n";
>> print CONF "\trightsourceip=$lvpnsettings{'RW_NET'}\n";
>> } else {
>> - print CONF "\tauto=$start_action\n";
>> -
>> # If in on-demand mode, we terminate the tunnel
>> # after 15 min of no traffic
>> if ($start_action eq 'route' && $inactivity_timeout > 0) {
>> print CONF "\tinactivity=$inactivity_timeout\n";
>> }
>> +
>> + # Always route connections so that we have the triggers
>> + if ($start_action eq "start") {
>> + $start_action = "route";
>> + }
>> + print CONF "\tauto=$start_action\n";
>> }
>> # Fragmentation
>> diff --git a/src/misc-progs/ipsecctrl.c b/src/misc-progs/ipsecctrl.c
>> index 2a64775f0..54e3b3410 100644
>> --- a/src/misc-progs/ipsecctrl.c
>> +++ b/src/misc-progs/ipsecctrl.c
>> @@ -216,6 +216,7 @@ int main(int argc, char *argv[]) {
>> safe_system("/usr/lib/firewall/ipsec-policy >/dev/null");
>> safe_system("/usr/local/bin/ipsec-interfaces >/dev/null");
>> safe_system("/usr/sbin/ipsec restart >/dev/null");
>> + safe_system("/usr/local/bin/ipsec-always-on >/dev/null");
>> exit(0);
>> }
>> diff --git a/src/scripts/ipsec-always-on b/src/scripts/ipsec-always-on
>> new file mode 100644
>> index 000000000..34cae169d
>> --- /dev/null
>> +++ b/src/scripts/ipsec-always-on
>> @@ -0,0 +1,65 @@
>> +#!/bin/bash
>> +###############################################################################
>> +# #
>> +# IPFire.org - A linux based firewall #
>> +# Copyright (C) 2020 IPFire Team #
>> +# #
>> +# This program is free software: you can redistribute it and/or modify #
>> +# it under the terms of the GNU General Public License as published by #
>> +# the Free Software Foundation, either version 3 of the License, or #
>> +# (at your option) any later version. #
>> +# #
>> +# This program is distributed in the hope that it will be useful, #
>> +# but WITHOUT ANY WARRANTY; without even the implied warranty of #
>> +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
>> +# GNU General Public License for more details. #
>> +# #
>> +# You should have received a copy of the GNU General Public License #
>> +# along with this program. If not, see <http://www.gnu.org/licenses/>. #
>> +# #
>> +###############################################################################
>> +
>> +VPN_CONFIG="/var/ipfire/vpn/config"
>> +
>> +VARS=(
>> + id status name lefthost type ctype psk local local_id leftsubnets
>> + remote_id remote rightsubnets x3 x4 x5 x6 x7 x8 x9 x10 x11 x12
>> + x13 x14 x15 x16 x17 x18 x19 proto x20 x21 x22
>> + route x23 mode interface_mode interface_address interface_mtu rest
>> +)
>> +
>> +# Load IPsec configuration
>> +eval $(/usr/local/bin/readhash /var/ipfire/vpn/settings)
>> +
>> +log() {
>> + logger -t ipsec "$@"
>> +}
>> +
>> +main() {
>> + # Do nothing if IPsec is disabled
>> + if [ "${ENABLED}" != "on" ]; then
>> + return 0
>> + fi
>> +
>> + # Do nothing if we are not online
>> + if [ ! -e "/var/ipfire/red/active" ]; then
>> + return 0
>> + fi
>> +
>> + local "${VARS[@]}"
>> + while IFS="," read -r "${VARS[@]}"; do
>> + # Skip disabled connections
>> + [ "${status}" = "on" ] || continue
>> +
>> + # Skip all connections that are not in always-on mode
>> + [ "${route}" = "start" ] || continue
>> +
>> + # If the connection is not up, try bringing it up
>> + if ! ipsec status "${name}" | grep -q "INSTALLED"; then
>> + log "Trying to start ${name}..."
>> + ipsec stroke up-nb "${name}" &>/dev/null
>> + fi
>> + done < "${VPN_CONFIG}"
>> +}
>> +
>> +main "$@" || exit $?
next prev parent reply other threads:[~2020-02-05 16:53 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-02-05 11:24 Michael Tremer
2020-02-05 11:24 ` [PATCH 2/2] ipsec: Silence charon Michael Tremer
2020-02-05 15:25 ` Tom Rymes
2020-02-05 16:55 ` Michael Tremer
2020-02-05 17:16 ` Tom Rymes
2020-02-05 15:23 ` [PATCH 1/2] ipsec: Add script to ensure VPNs are always on Tom Rymes
2020-02-05 16:53 ` Michael Tremer [this message]
2020-02-05 17:19 ` Tom Rymes
2020-02-05 17:22 ` Michael Tremer
2020-02-05 17:36 ` Tom Rymes
2020-02-06 15:03 ` Michael Tremer
2020-02-06 20:06 ` Tom Rymes
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=E03F10A9-7A4A-4435-A9B0-26E2E312143E@ipfire.org \
--to=michael.tremer@ipfire.org \
--cc=development@lists.ipfire.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox