From mboxrd@z Thu Jan 1 00:00:00 1970 From: Jonatan Schlag To: network@lists.ipfire.org Subject: [PATCH] ipsec: add local address, dpd settings and start action settings Date: Thu, 03 Aug 2017 18:33:28 +0200 Message-ID: <1501778008-13667-1-git-send-email-jonatan.schlag@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============2709783716433008320==" List-Id: --===============2709783716433008320== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Signed-off-by: Jonatan Schlag --- src/functions/functions.ipsec | 177 ++++++++++++++++++++++++++++++++++++++++= +- 1 file changed, 173 insertions(+), 4 deletions(-) diff --git a/src/functions/functions.ipsec b/src/functions/functions.ipsec index 1c05f57..d600105 100644 --- a/src/functions/functions.ipsec +++ b/src/functions/functions.ipsec @@ -19,16 +19,22 @@ # = # ############################################################################= ### =20 -IPSEC_CONNECTION_CONFIG_SETTINGS=3D"AUTH_MODE INACTIVITY_TIMEOUT LOCAL_ID LO= CAL_PREFIX" +IPSEC_CONNECTION_CONFIG_SETTINGS=3D"AUTH_MODE DPD_ACTION DPD_DELAY DPD_TIMEO= UT" +PSEC_CONNECTION_CONFIG_SETTINGS=3D"INACTIVITY_TIMEOUT LOCAL_ADDRESS LOCAL_ID= LOCAL_PREFIX" IPSEC_CONNECTION_CONFIG_SETTINGS=3D"${IPSEC_CONNECTION_CONFIG_SETTINGS} MODE= PEER PSK" IPSEC_CONNECTION_CONFIG_SETTINGS=3D"${IPSEC_CONNECTION_CONFIG_SETTINGS} REMO= TE_ID REMOTE_PREFIX" IPSEC_CONNECTION_CONFIG_SETTINGS=3D"${IPSEC_CONNECTION_CONFIG_SETTINGS} SECU= RITY_POLICY" =20 # Default values -IPSEC_DEFAULT_MODE=3D"tunnel" IPSEC_DEFAULT_AUTH_MODE=3D"PSK" +IPSEC_DEFAULT_DPD_ACTION=3D"restart" +IPSEC_DEFAULT_DPD_DELAY=3D"30" +IPSEC_DEFAULT_DPD_TIMEOUT=3D"120" IPSEC_DEFAULT_INACTIVITY_TIMEOUT=3D"0" +IPSEC_DEFAULT_MODE=3D"tunnel" IPSEC_DEFAULT_SECURITY_POLICY=3D"system" +IPSEC_DEFAULT_START_ACTION=3D"on-demand" + =20 IPSEC_VALID_MODES=3D"gre-transport tunnel vti" IPSEC_VALID_AUTH_MODES=3D"PSK" 
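Review bot: The second added settings line drops the leading `I` — `PSEC_CONNECTION_CONFIG_SETTINGS=...` assigns an unrelated variable, so INACTIVITY_TIMEOUT, LOCAL_ADDRESS, LOCAL_ID and LOCAL_PREFIX fall out of IPSEC_CONNECTION_CONFIG_SETTINGS, which the following lines then extend. START_ACTION is never added to the list either, although the new `ipsec_connection_start_action` writes that key and `ipsec_connection_new` (the `@@ -702` hunk) assigns it after `local ${IPSEC_CONNECTION_CONFIG_SETTINGS}`, so it would not be declared local there and, assuming the config reader and writer iterate this list, would not be persisted. Replace the typo'd line with `IPSEC_CONNECTION_CONFIG_SETTINGS="${IPSEC_CONNECTION_CONFIG_SETTINGS} INACTIVITY_TIMEOUT LOCAL_ADDRESS LOCAL_ID LOCAL_PREFIX"` and append `IPSEC_CONNECTION_CONFIG_SETTINGS="${IPSEC_CONNECTION_CONFIG_SETTINGS} START_ACTION"`, keeping the list alphabetical as the existing lines appear to be.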
@@ -56,7 +62,7 @@ cli_ipsec_connection() { shift 2 =20 case "${key}" in - authentication|inactivity_timeout|local|mode|peer|remote|security_policy) + authentication|dpd|inactivity_timeout|local|mode|peer|remote|security_pol= icy|start_action) ipsec_connection_${key} ${connection} $@ ;; show) 
@@ -358,6 +364,119 @@ ipsec_connection_authentication_psk() { return ${EXIT_OK} } =20 + +# Handle the cli after authentification +ipsec_connection_dpd() { + if [ ! $# -gt 1 ]; then + log ERROR "Not enough arguments" + return ${EXIT_ERROR} + fi + + local connection=3D${1} + local cmd=3D${2} + shift 2 + + case ${cmd} in + action) + ipsec_connection_dpd_action "${connection}" $@ + ;; + delay) + ipsec_connection_dpd_delay "${connection}" $@ + ;; + timeout) + ipsec_connection_dpd_timeout "${connection}" $@ + ;; + *) + log ERROR "Unrecognized argument: ${cmd}" + return ${EXIT_ERROR} + ;; + esac +} + +# Set the default dpd action +ipsec_connection_dpd_action() { + if [ ! $# -eq 2 ]; then + log ERROR "Not enough arguments" + return ${EXIT_ERROR} + fi + local connection=3D${1} + local action=3D${2} + + if ! isoneof action "restart" "clear"; then + log ERROR "dpd action '${action}' is invalid" + return ${EXIT_ERROR} + fi + + if ! ipsec_connection_write_config_key "${connection}" "DPD_ACTION" ${actio= n}; then + log ERROR "Could not write configuration settings" + return ${EXIT_ERROR} + fi +} + +# Set the dpd delay +ipsec_connection_dpd_delay() { + if [ ! $# -ge 2 ]; then + log ERROR "Not enough arguments" + return ${EXIT_ERROR} + fi + + local connection=3D${1} + shift 1 + local value=3D$@ + + if ! isinteger value; then + value=3D$(parse_time $@) + if [ ! $? -eq 0 ]; then + log ERROR "Parsing the passed time was not sucessful please check the pas= sed values." + return ${EXIT_ERROR} + fi + fi + + if [ ${value} -lt 0 ]; then + log ERROR "The passed time value must be in the sum greater or equal zero = seconds." + return ${EXIT_ERROR} + fi + + if ! ipsec_connection_write_config_key "${connection}" "DPD_DELAY" ${value}= ; then + log ERROR "Could not write configuration settings" + return ${EXIT_ERROR} + fi + + return ${EXIT_OK} +} + +# Set the dpd timeout +ipsec_connection_dpd_timeout() { + if [ ! 
$# -ge 2 ]; then + log ERROR "Not enough arguments" + return ${EXIT_ERROR} + fi + + local connection=3D${1} + shift 1 + local value=3D$@ + + if ! isinteger value; then + value=3D$(parse_time $@) + if [ ! $? -eq 0 ]; then + log ERROR "Parsing the passed time was not sucessful please check the pas= sed values." + return ${EXIT_ERROR} + fi + fi + + if [ ${value} -le 0 ]; then + log ERROR "The passed time value must be in the sum greater or equal zero = seconds." + return ${EXIT_ERROR} + fi + + if ! ipsec_connection_write_config_key "${connection}" "DPD_TIMEOUT" ${valu= e}; then + log ERROR "Could not write configuration settings" + return ${EXIT_ERROR} + fi + + return ${EXIT_OK} +} + # Handle the cli after local ipsec_connection_local() { if [ ! $# -ge 2 ]; then @@ -370,6 +489,9 @@ ipsec_connection_local() { shift 2 =20 case ${cmd} in + address) + ipsec_connection_local_address "${connection}" $@ + ;; id) ipsec_connection_id "${connection}" "LOCAL" $@ ;; @@ -407,6 +529,28 @@ ipsec_connection_mode() { return ${EXIT_OK} } =20 +# Set the local address +ipsec_connection_local_address() { + if [ ! $# -eq 2 ]; then + log ERROR "Not enough arguments" + return ${EXIT_ERROR} + fi + local connection=3D${1} + local local_address=3D${2} + + if ! ipsec_connection_check_peer ${local_address}; then + log ERROR "Local address '${local_address}' is invalid" + return ${EXIT_ERROR} + fi + + if ! ipsec_connection_write_config_key "${connection}" "LOCAL_ADDRESS" ${lo= cal_address}; then + log ERROR "Could not write configuration settings" + return ${EXIT_ERROR} + fi + + return ${EXIT_OK} +} + # Set the peer to connect to ipsec_connection_peer() { if [ ! $# -eq 2 ]; then 
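Review bot: In `ipsec_connection_dpd_timeout` the check `[ ${value} -le 0 ]` rejects zero, but the error text still says "greater or equal zero seconds" (copied from `ipsec_connection_dpd_delay`, where the `-lt 0` test does match the message); either change the message to "greater than zero" or use `-lt 0` if a zero timeout is meant to be accepted. In both functions `${value}` is unquoted in the test, so an empty `parse_time` result (if that can occur with exit status 0) yields a `[: integer expression expected` error instead of the intended log line — `[ "${value}" -le 0 ]` at least makes that failure explicit. `ipsec_connection_dpd_action` falls off the end without `return ${EXIT_OK}`, unlike `ipsec_connection_dpd_delay` and `ipsec_connection_dpd_timeout`; `ipsec_connection_start_action` in the `@@ -612` hunk has the same omission. The header comment `# Handle the cli after authentification` should read `# Handle the cli after dpd`, matching `# Handle the cli after local` further down. The two "Parsing the passed time was not sucessful" messages misspell "successful".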
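Review bot: `ipsec_connection_local_address` validates its argument with `ipsec_connection_check_peer ${local_address}`, and nothing in the hunk says what that helper accepts; a comment on the call such as `# same syntax rules as the peer address (see ipsec_connection_check_peer)` would tell the next reader that the reuse is deliberate rather than a copy-paste slip. The value is passed unquoted both to the check and to `ipsec_connection_write_config_key`, whereas `${connection}` is quoted on the same lines, so `"${local_address}"` would be the consistent form. The function is inserted after `ipsec_connection_mode` although the `@@ -370` hunk dispatches to it from `ipsec_connection_local`, where the other `local` handlers live.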
@@ -612,6 +756,25 @@ ipsec_connection_inactivity_timeout() { return ${EXIT_OK} } =20 +# Set the default start action +ipsec_connection_start_action() { + if [ ! $# -eq 2 ]; then + log ERROR "Not enough arguments" + return ${EXIT_ERROR} + fi + local connection=3D${1} + local action=3D${2} + + if ! isoneof action "on-demand" "always-on"; then + log ERROR "Start action '${action}' is invalid" + return ${EXIT_ERROR} + fi + + if ! ipsec_connection_write_config_key "${connection}" "START_ACTION" ${act= ion}; then + log ERROR "Could not write configuration settings" + return ${EXIT_ERROR} + fi +} =20 # Set the security policy to use ipsec_connection_security_policy() { @@ -702,8 +865,14 @@ ipsec_connection_new() { =20 local ${IPSEC_CONNECTION_CONFIG_SETTINGS} =20 - MODE=3D${IPSEC_DEFAULT_MODE} AUTH_MODE=3D${IPSEC_DEFAULT_AUTH_MODE} + DPD_ACTION=3D${IPSEC_DEFAULT_DPD_ACTION} + DPD_DELAY=3D${IPSEC_DEFAULT_DPD_DELAY} + DPD_TIMEOUT=3D${IPSEC_DEFAULT_DPD_TIMEOUT} + MODE=3D${IPSEC_DEFAULT_MODE} + START_ACTION=3D${IPSEC_DEFAULT_START_ACTION} + + INACTIVITY_TIMEOUT=3D${IPSEC_DEFAULT_INACTIVITY_TIMEOUT} SECURITY_POLICY=3D${IPSEC_DEFAULT_SECURITY_POLICY} =20 --=20 2.6.3 --===============2709783716433008320==--