uci commit uhttpd && \
opkg install shadow-useradd shadow-groupadd shadow-usermod sudo && \
opkg install mwan3 jq bash && \
- opkg install strongswan-default && \
+ opkg install strongswan-default luasocket && \
opkg install luci-app-mwan3; exit 0
COPY system /etc/config/system
COPY ipsec /etc/config/ipsec
COPY ipsec_exec /etc/init.d/ipsec
+COPY updown /etc/updown
+COPY updown_oip /etc/updown_oip
COPY sdewan.user /etc/sdewan.user
COPY sdewan_svc.info /etc/sdewan_svc.info
COPY app_cr.info /etc/app_cr.info
uci commit uhttpd && \
opkg install shadow-useradd shadow-groupadd shadow-usermod sudo && \
opkg install mwan3 jq bash && \
- opkg install strongswan-default && \
+ opkg install strongswan-default luasocket && \
opkg install luci-app-mwan3; exit 0
COPY system /etc/config/system
COPY ipsec /etc/config/ipsec
COPY ipsec_exec /etc/init.d/ipsec
+COPY updown /etc/updown
+COPY updown_oip /etc/updown_oip
COPY sdewan.user /etc/sdewan.user
COPY sdewan_svc.info /etc/sdewan_svc.info
COPY app_cr.info /etc/app_cr.info
if [ "$auth_method" = "psk" ]; then
ipsec_xappend " leftauth=psk"
ipsec_xappend " rightauth=psk"
+ secret_xappend " : PSK $pre_shared_key"
[ "$remote_sourceip" != "" ] && ipsec_xappend " rightsourceip=$remote_sourceip"
[ "$remote_subnet" != "" ] && ipsec_xappend " rightsubnet=$remote_subnet"
elif [ "$auth_method" = "pubkey" ]; then
ipsec_xappend " leftauth=pubkey"
ipsec_xappend " rightauth=pubkey"
+ ipsec_xappend " leftcert=$local_public_cert"
+ ipsec_xappend " leftsendcert=yes"
+ ipsec_xappend " rightsendcert=yes"
+ secret_xappend " : RSA $local_private_cert"
[ "$remote_sourceip" != "" ] && ipsec_xappend " rightsourceip=$remote_sourceip"
[ "$remote_subnet" != "" ] && ipsec_xappend " rightsubnet=$remote_subnet"
warning "AuthenticationMethod $auth_method not supported"
fi
- [ -n "$local_identifier" ] && ipsec_xappend " leftid=$local_identifier"
- [ -n "$remote_identifier" ] && ipsec_xappend " rightid=$remote_identifier"
+ [ -n "$local_identifier" ] && ipsec_xappend " leftid=\"$local_identifier\""
+ [ -n "$remote_identifier" ] && ipsec_xappend " rightid=\"$remote_identifier\""
[ -n "$local_updown" ] && ipsec_xappend " leftupdown=$local_updown"
[ -n "$remote_updown" ] && ipsec_xappend " rightupdown=$remote_updown"
ipsec_xappend " keyexchange=$keyexchange"
- [ "$type" = "VTI-based" ] && ipsec_xappend " mark=$mark"
+ [ "$type" = "VTI-based" ] && [ -n "$mark" ] && ipsec_xappend " mark=$mark"
set_crypto_proposal "$1"
[ -n "${crypto_proposal}" ] && ipsec_xappend " esp=$crypto_proposal"
local pre_shared_key
local auth_method
local type
+ local local_public_cert
+ local local_private_cert
config_name=$1
config_get local_identifier "$1" local_identifier ""
config_get remote_identifier "$1" remote_identifier ""
config_get type "$1" type "policy-based"
+ config_get local_public_cert "$1" local_public_cert
+ config_get local_private_cert "$1" local_private_cert
[ "$gateway" = "any" ] && remote_gateway="%any" || remote_gateway="$gateway"
[ -n "$local_identifier" ] && secret_xappend -n "$local_identifier " || secret_xappend -n "$local_gateway "
[ -n "$remote_identifier" ] && secret_xappend -n "$remote_identifier " || secret_xappend -n "$remote_gateway "
- secret_xappend ": PSK \"$pre_shared_key\""
-
set_crypto_proposal "$1"
ike_proposal="$crypto_proposal"
local routing_table_id
local interface
local device_list
+ local vip_enabled
ipsec_reset
secret_reset
secret_xappend "# generated by /etc/init.d/ipsec"
config_get debug "$1" debug 0
- config_get_bool rtinstall_enabled "$1" rtinstall_enabled 1
+ config_get_bool rtinstall_enabled "$1" rtinstall_enabled 0
+ config_get_bool vip_enabled "$1" vip_enabled 0
[ $rtinstall_enabled -eq 1 ] && install_routes=yes || install_routes=no
+ [ $vip_enabled -eq 1] && install_virtual_ip=yes || install_virtual_ip=no
# prepare extra charon config option ignore_routing_tables
for routing_table in $(config_get "$1" "ignore_routing_tables"); do
swan_xappend "# generated by /etc/init.d/ipsec"
swan_xappend "charon {"
swan_xappend " load_modular = yes"
+ swan_xappend " install_virtual_ip = $install_virtual_ip"
swan_xappend " install_routes = $install_routes"
[ -n "$routing_tables_ignored" ] && swan_xappend " ignore_routing_tables = $routing_tables_ignored"
[ -n "$device_list" ] && swan_xappend " interfaces_use = $device_list"
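Review bot: The new `vip_enabled` test at `[ $vip_enabled -eq 1]` is missing the space before the closing bracket, so `[` reports a syntax error and returns non-zero; `install_virtual_ip` is therefore always `no` and the charon option written a few lines later never enables the feature the commit adds. The line should read `[ $vip_enabled -eq 1 ] && install_virtual_ip=yes || install_virtual_ip=no` (quoting `"$vip_enabled"` as well, matching the intent of the `rtinstall_enabled` line above it). In the earlier hunk of this file the PSK line moved into the auth branch as ` : PSK $pre_shared_key` while the removed line wrote `: PSK "$pre_shared_key"`; dropping the quotes means a pre-shared key containing whitespace, `#` or `"` no longer parses as one token in ipsec.secrets, so that hunk should keep `\"$pre_shared_key\"`. The enclosing function of this hunk begins outside the visible diff.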
--- /dev/null
+#!/bin/bash
+
+# set charon.install_virtual_ip = no to prevent the daemon from also installing the VIP
+
+set -o nounset
+set -o errexit
+
+MARK=`echo ${PLUTO_MARK_IN} | cut -d'/' -f1`
+VTI_IF="vti${MARK}"
+
+case "${PLUTO_VERB}" in
+ up-client)
+ #ip tunnel add "${VTI_IF}" local "${PLUTO_ME}" remote "${PLUTO_PEER}" mode vti \
+ ip tunnel add "${VTI_IF}" local "${PLUTO_ME}" remote 0.0.0.0 mode vti \
+ key "${PLUTO_MARK_OUT%%/*}"
+ ip link set "${VTI_IF}" up
+ ip addr add "${PLUTO_MY_SOURCEIP}" dev "${VTI_IF}"
+ ip rule add to "${PLUTO_MY_SOURCEIP}" table 40
+ ip rule add from "${PLUTO_MY_SOURCEIP}" table 40
+ ip route add "${PLUTO_PEER}" dev "${VTI_IF}" src "${PLUTO_MY_SOURCEIP}" table 40
+ sysctl -w "net.ipv4.conf.${VTI_IF}.disable_policy=1"
+ ;;
+ down-client)
+ ip rule del from all to "${PLUTO_MY_SOURCEIP}"
+ ip rule del from "${PLUTO_MY_SOURCEIP}"
+ ip tunnel del "${VTI_IF}"
+ ;;
+esac
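Review bot: With `set -o errexit` in effect, the `down-client` branch stops at the first `ip rule del` that fails (for example when the `to` rule was already removed or `up-client` aborted part-way), leaving the remaining rule and the `vti${MARK}` interface behind; each teardown step should be best-effort, e.g. `ip rule del from all to "${PLUTO_MY_SOURCEIP}" || true` and likewise for the second rule and `ip tunnel del`. For consistency with `${PLUTO_MARK_OUT%%/*}` on the tunnel line, the mark extraction can drop the backticks and unquoted echo: `MARK=${PLUTO_MARK_IN%%/*}`. The choice of `remote 0.0.0.0` over the commented-out `"${PLUTO_PEER}"` form and the fixed routing table `40` both deserve a one-line comment stating why they were chosen, since neither is recoverable from the code; I read the `0.0.0.0` remote as an intentional wildcard for a peer whose address may change, but that is an inference the header comment should confirm.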