From mboxrd@z Thu Jan 1 00:00:00 1970 From: Jonatan Schlag To: network@lists.ipfire.org Subject: [PATCH] ipsec: add status feature Date: Fri, 04 Aug 2017 22:20:42 +0200 Message-ID: <1501878042-10339-1-git-send-email-jonatan.schlag@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============2260110649431916715==" List-Id: --===============2260110649431916715== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable We can now disable and enable IPsec connections. Signed-off-by: Jonatan Schlag --- src/functions/functions.ipsec | 44 ++++++++++++++++++++++++-= -- src/functions/functions.vpn-security-policies | 4 ++- 2 files changed, 43 insertions(+), 5 deletions(-)
diff --git a/src/functions/functions.ipsec b/src/functions/functions.ipsec
index 015b3b8..32a6a2c 100644
--- a/src/functions/functions.ipsec
+++ b/src/functions/functions.ipsec
@@ -33,13 +33,15 @@ IPSEC_CONNECTION_CONFIG_SETTINGS=3D"\
 PSK \
 REMOTE_ID \
 REMOTE_PREFIX \
- SECURITY_POLICY"
+ SECURITY_POLICY \
+ ENABLED"
=20
 # Default values
 IPSEC_DEFAULT_AUTH_MODE=3D"PSK"
 IPSEC_DEFAULT_DPD_ACTION=3D"restart"
 IPSEC_DEFAULT_DPD_DELAY=3D"30"
 IPSEC_DEFAULT_DPD_TIMEOUT=3D"120"
+IPSEC_DEFAULT_ENABLED=3D"true"
 IPSEC_DEFAULT_INACTIVITY_TIMEOUT=3D"0"
 IPSEC_DEFAULT_MODE=3D"tunnel"
 IPSEC_DEFAULT_SECURITY_POLICY=3D"system"
@@ -71,7 +73,7 @@ cli_ipsec_connection() {
 shift 2
=20
 case "${key}" in
- authentication|down|dpd|inactivity_timeout|local|mode|peer|remote|securit= y_policy|start_action|up)
+ authentication|down|disable|dpd|enable|inactivity_timeout|local|mode|peer= |remote|security_policy|start_action|up)
 ipsec_connection_${key} ${connection} $@
 ;;
 show)
@@ -198,6 +200,28 @@ cli_ipsec_connection_show() {
 return ${EXIT_OK}
 }
=20
+ipsec_connection_disable() {
+ local connection=3D${1}
+
+ if ! ipsec_connection_write_config_key "${connection}" "ENABLED" "false"; t= hen
+ log ERROR "Could not write configuration settings"
+ return ${EXIT_ERROR}
+ fi
+
+ ipsec_reload ${connection}
+}
+
+ipsec_connection_enable() {
+ local connection=3D${1}
+
+ if ! ipsec_connection_write_config_key "${connection}" "ENABLED" "true"; th= en
+ log ERROR "Could not write configuration settings"
+ return ${EXIT_ERROR}
+ fi
+
+ ipsec_reload "${connection}"
+}
+
 # This function writes all values to a via ${connection} specificated VPN IP= sec configuration file
 ipsec_connection_write_config() {
 assert [ $# -ge 1 ]
@@ -304,11 +328,22 @@ ipsec_strongswan_load() {
 ipsec_reload() {
 local connection=3D${1}
=20
- if ! ipsec_connection_to_strongswan ${connection}; then
- log ERROR "Could not generate strongswan config for ${connnection}"
+ local ENABLED
+
+ if ! ipsec_connection_read_config "${connection}" "ENABLED"; then
+ log ERROR "Could not read configuration for IPsec connection ${connection}"
 return ${EXIT_ERROR}
 fi
=20
+ if enabled ${ENABLED}; then
+ if ! ipsec_connection_to_strongswan ${connection}; then
+ log ERROR "Could not generate strongswan config for ${connnection}"
+ return ${EXIT_ERROR}
+ fi
+ else
+ unlink "${NETWORK_IPSEC_SWANCTL_CONNECTIONS_DIR}/${connection}.conf"
+ fi
+
 ipsec_strongswan_load
 }
=20
@@ -913,6 +948,7 @@ ipsec_connection_new() {
 DPD_ACTION=3D${IPSEC_DEFAULT_DPD_ACTION}
 DPD_DELAY=3D${IPSEC_DEFAULT_DPD_DELAY}
 DPD_TIMEOUT=3D${IPSEC_DEFAULT_DPD_TIMEOUT}
+ ENABLED=3D${IPSEC_DEFAULT_ENABLED}
 MODE=3D${IPSEC_DEFAULT_MODE}
 START_ACTION=3D${IPSEC_DEFAULT_START_ACTION}
=20
diff --git a/src/functions/functions.vpn-security-policies b/src/functions/fu= nctions.vpn-security-policies
index 670c12d..294f0da 100644
--- a/src/functions/functions.vpn-security-policies
+++ b/src/functions/functions.vpn-security-policies
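Review bot: The new `ipsec_connection_disable` and `ipsec_connection_enable` are the same function except for the value written, and they disagree on quoting: the disable variant calls `ipsec_reload ${connection}` while the enable variant calls `ipsec_reload "${connection}"`; the unquoted form should become `ipsec_reload "${connection}"` so a name containing whitespace or glob characters cannot split into several arguments. Neither function checks that `${connection}` names an existing connection before writing `ENABLED`; if `ipsec_connection_write_config_key` does not do that itself (not visible here), a mistyped name on the CLI would silently create or alter a configuration file, so an existence check with an error log at the top of both functions is worth adding. A short header comment on each, e.g. `# Marks the connection as disabled and reloads it so its swanctl config is removed`, would also make the reload side effect explicit.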
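Review bot: The log message in the new `if ! ipsec_connection_to_strongswan` branch of `ipsec_reload` still reads `${connnection}` (three n's), so a failure logs an empty connection name; the line is carried over from the removed code, but since it is rewritten here it should become `log ERROR "Could not generate strongswan config for ${connection}"` (the same typo sits in a context line of the vpn-security-policies hunk). The `unlink` in the disable path neither checks that the swanctl file exists nor looks at its exit status, so disabling a connection that is already disabled prints an unlink error while the function still reports success; guarding it with `[ -e "${NETWORK_IPSEC_SWANCTL_CONNECTIONS_DIR}/${connection}.conf" ]` or using `rm -f` makes the operation idempotent. Whether removing the file and calling `ipsec_strongswan_load` also tears down an already established tunnel cannot be seen here; if the load only picks up configs, a disabled connection may stay up until it is explicitly terminated, which should be confirmed and stated in a comment on the `else` branch.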
@@ -346,11 +346,13 @@ vpn_security_policies_reload() {
=20
 local connection
 for connection in $(ipsec_list_connections); do
+ local SECURITY_POLICY ENABLED
+
 if ! ipsec_connection_read_config "${connection}" "SECURITY_POLICY"; then
 continue
 fi
=20
- if [[ "${SECURITY_POLICY}" =3D "${name}" ]]; then
+ if [[ "${SECURITY_POLICY}" =3D "${name}" ]] && enabled ENABLED; then
 if ! ipsec_connection_to_strongswan "${connection}"; then
 log ERROR "Could not generate strongswan config for ${connnection}"
 fi
--=20 2.6.3 --===============2260110649431916715==--
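Review bot: `ENABLED` is declared local on the new line but never populated: the `ipsec_connection_read_config` call below still asks only for `SECURITY_POLICY`, so `enabled ENABLED` tests an empty variable and, depending on how `enabled` treats an empty value, either every connection or no connection of this policy gets its strongswan config regenerated. If `ipsec_connection_read_config` accepts several keys (not visible here) the call should become `ipsec_connection_read_config "${connection}" "SECURITY_POLICY" "ENABLED"`; otherwise a second read for `ENABLED` is needed before the `if`. This call site also passes the variable name (`enabled ENABLED`) while `ipsec_reload` in functions.ipsec passes the value (`enabled ${ENABLED}`); only one of the two can match the helper's contract, so the two sites should be made to agree. The enclosing `for` loop and `vpn_security_policies_reload` end outside the hunk.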