ipsec client files generating; config fixes

8 years ago · 4775905979
parent e2ac3e8ffe
commit 4775905979
10 changed files with 192 additions and 56 deletions
--- a/ipsec/adduser.sh
+++ b/ipsec/adduser.sh
@ -8,40 +8,94 @@ if [[ ! -e $CHAPSECRETS ]] || [[ ! -r $CHAPSECRETS ]] || [[ ! -w $CHAPSECRETS ]]
    exit 1
 fi

-if [[ $# -gt 0 ]]; then
-    LOGIN="$1"
-fi
+ADDUSER="no"
+ANSUSER="yes"

-while [[ -z "$LOGIN" ]];
+while [ "$ANSUSER" != "$ADDUSER" ]; 
 do
-    read -p "Enter name: " LOGIN
-done

-unset PASSWORD
+	if [[ $# -gt 0 ]]; then
+	    LOGIN="$1"
+	fi

-while [[ -z "$PASSWORD" ]];
-do
-    read -p "Enter password: " PASSWORD
-    echo
-done
+	while [[ -z "$LOGIN" ]];
+	do
+	    read -p "Enter name: " LOGIN
+	done

-$DIR/checkuser.sh $LOGIN
+	unset PASSWORD

-if [[ $? -eq 0 ]]; then
-	NOTREM="no"
-	read -p "User '$LOGIN' already exists. Do you want to remove existing user? [no] " ANSREM
-	: ${ANSREM:=$NOTREM}
-	
-	if [ "$NOTREM" == "$ANSREM" ]; then
-		exit 1
-	else
-		$DIR/deluser.sh $LOGIN
-		# to avoid dublicate message
-		echo -e "$LOGIN\t    *\t    $PASSWORD\t    *" >> $CHAPSECRETS
-		exit 0
+	while [[ -z "$PASSWORD" ]];
+	do
+	    read -p "Enter password: " PASSWORD
+	    echo
+	done
+
+	DELETED=0
+
+	$DIR/checkuser.sh $LOGIN
+
+	if [[ $? -eq 0 ]]; then
+		NOTREM="no"
+		read -p "User '$LOGIN' already exists. Do you want to remove existing user? [no] " ANSREM
+		: ${ANSREM:=$NOTREM}
+
+		if [ "$NOTREM" == "$ANSREM" ]; then
+			exit 1
+		else
+			$DIR/deluser.sh $LOGIN
+			DELETED=1
+		fi
 	fi
-fi

-echo -e "$LOGIN\t    *\t    $PASSWORD\t    *" >> $CHAPSECRETS
+	echo -e "$LOGIN\t    *\t    $PASSWORD\t    *" >> $CHAPSECRETS
+
+	if [ $DELETED -eq 0 ]; then
+		echo "$CHAPSECRETS updated!"
+	fi

-echo "$CHAPSECRETS updated!"
+	PSK=$(sed -n "s/^[^#]\+[[:space:]]\+PSK[[:space:]]\+\"\(.\+\)\"/\1/p" $SECRETSFILE)
+
+	STARTDIR=$(pwd)
+
+	mkdir "$STARTDIR/$LOGIN"
+	DISTFILE=$STARTDIR/$LOGIN/setup.sh
+	cp -rf setup.sh.dist "$DISTFILE"
+	sed -i -e "s@_PSK_@$PSK@g" "$DISTFILE"
+	sed -i -e "s@_SERVERLOCALIP_@$LOCALPREFIX.0.1@g" "$DISTFILE"
+
+	DISTFILE=$STARTDIR/$LOGIN/ipsec.conf
+	cp -rf ipsec.conf.dist "$DISTFILE"
+	sed -i -e "s@LEFTIP@%any@g" "$DISTFILE"
+	sed -i -e "s@LEFTPORT@%any@g" "$DISTFILE"
+	sed -i -e "s@RIGHTIP@$IP@g" "$DISTFILE"
+	sed -i -e "s@RIGHTPORT@1701@g" "$DISTFILE"
+
+	DISTFILE=$STARTDIR/$LOGIN/xl2tpd.conf
+	cp -rf client-xl2tpd.conf.dist "$DISTFILE"
+	sed -i -e "s@REMOTEIP@$IP@g" "$DISTFILE"
+
+	DISTFILE=$STARTDIR/$LOGIN/options.xl2tpd
+	cp -rf client-options.xl2tpd.dist "$DISTFILE"
+	sed -i -e "s@_LOGIN_@$LOGIN@g" "$DISTFILE"
+	sed -i -e "s@_PASSWORD_@$PASSWORD@g" "$DISTFILE"
+
+	cp -rf connect.sh.dist "$STARTDIR/$LOGIN/connect.sh"
+	cp -rf disconnect.sh.dist "$STARTDIR/$LOGIN/disconnect.sh"
+
+	chmod +x "$STARTDIR/$LOGIN/setup.sh" "$STARTDIR/$LOGIN/connect.sh" "$STARTDIR/$LOGIN/disconnect.sh"
+
+	USERNAME=${SUDO_USER:-$USER}
+	chown -R $USERNAME:$USERNAME $STARTDIR/$LOGIN/
+	echo
+	echo "Created directory $STARTDIR/$LOGIN with client-side installation file."
+
+	
+	if [[ $# -eq 0 ]]; then
+		echo
+		read -p "Would you want add another user? [no] " ANSUSER
+		: ${ANSUSER:=$ADDUSER}
+	else
+		ANSUSER=$ADDUSER
+	fi
+done
--- a/ipsec/client-options.xl2tpd.dist
+++ b/ipsec/client-options.xl2tpd.dist
@ -0,0 +1,17 @@
+ipcp-accept-local
+ipcp-accept-remote
+refuse-eap
+require-mschap-v2
+noccp
+noauth
+idle 1800
+mtu 1410
+mru 1410
+defaultroute
+replacedefaultroute
+usepeerdns
+debug
+lock
+connect-delay 5000
+name "_LOGIN_"
+password "_PASSWORD_"
--- a/ipsec/client-xl2tpd.conf.dist
+++ b/ipsec/client-xl2tpd.conf.dist
@ -0,0 +1,5 @@
+[lac L2TP-PSK-NAT]
+lns = REMOTEIP
+ppp debug = no
+pppoptfile = /etc/ppp/options.xl2tpd
+length bit = yes
--- a/ipsec/connect.sh.dist
+++ b/ipsec/connect.sh.dist
@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+
+set -e
+
+
+if [[ "$EUID" -ne 0 ]]; then
+	echo "Sorry, you need to run this as root"
+	exit 1
+fi
+
+ipsec up L2TP-PSK-NAT
+sleep 2
+echo "c L2TP-PSK-NAT" > /var/run/xl2tpd/l2tp-control     
+sleep 2
--- a/ipsec/disconnect.sh.dist
+++ b/ipsec/disconnect.sh.dist
@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+
+set -e
+
+
+if [[ "$EUID" -ne 0 ]]; then
+	echo "Sorry, you need to run this as root"
+	exit 1
+fi
+
+echo "d L2TP-PSK-NAT" > /var/run/xl2tpd/l2tp-control
+sleep 2
+ipsec down L2TP-PSK-NAT
+sleep 2
--- a/ipsec/install.sh
+++ b/ipsec/install.sh
@ -12,23 +12,6 @@ echo
 echo "Installing strongSwan and xl2tp server..."
 apt-get install strongswan xl2tpd cron iptables procps

-ADDUSER="no"
-ANSUSER="yes"
-
-echo
-echo "Configuring VPN users..."
-while [ "$ANSUSER" != "$ADDUSER" ]; 
-do
-	$DIR/adduser.sh
-
-	read -p "Would you want add another user? [no] " ANSUSER
-	: ${ANSUSER:=$ADDUSER}
-done
-
-echo
-echo "Configuring PSK..."
-$DIR/psk.sh
-
 echo
 echo "Configuring routing..."
 $DIR/sysctl.sh
@ -52,6 +35,14 @@ echo
 echo "Configuring DNS parameters..."
 $DIR/dns.sh

+echo
+echo "Configuring PSK..."
+$DIR/psk.sh
+
+echo
+echo "Configuring VPN users..."
+$DIR/adduser.sh
+
 echo
 echo "Adding cron jobs..."
 yes | cp -rf $DIR/checkserver.sh $CHECKSERVER
--- a/ipsec/ipsec.conf.dist
+++ b/ipsec/ipsec.conf.dist
@ -7,15 +7,14 @@ conn L2TP-PSK-NAT
    rekey=no
    ikelifetime=8h
    keylife=1h
-    ike=aes256-sha1,aes128-sha1,3des-sha1
-    esp=aes256-sha1-modp2048
-    keylife=1h
    type=transport
-    left=PUBLICIP
-    leftprotoport=17/1701
-    right=%any
-    rightprotoport=17/%any
+    left=LEFTIP
+    leftprotoport=17/LEFTPORT
+    right=RIGHTIP
+    rightprotoport=17/RIGHTPORT
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
-
+    keyexchange=ikev2
+    ike=aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,aes256-sha1-modp1024,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024!
+    esp=aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1,aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024,aes128gcm16,aes128gcm16-ecp256,aes256-sha1,aes256-sha256,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16,aes256gcm16-ecp384,3des-sha1!
--- a/ipsec/iptables-setup.sh
+++ b/ipsec/iptables-setup.sh
@ -39,11 +39,17 @@ read -p "Your external IP is $IP. Is this IP static? [yes] " ANSIP

 if [ "$STATIC" == "$ANSIP" ]; then
    # SNAT
-    sed -i -e "s@PUBLICIP@$IP@g" $IPSECCONFIG
+    sed -i -e "s@LEFTIP@$IP@g" $IPSECCONFIG
+    sed -i -e "s@LEFTPORT@1701@g" $IPSECCONFIG
+    sed -i -e "s@RIGHTIP@%any@g" $IPSECCONFIG
+    sed -i -e "s@RIGHTPORT@%any@g" $IPSECCONFIG
    eval iptables -t nat -A POSTROUTING -s $LOCALIPMASK -o $GATE -j SNAT --to-source $IP $COMMENT
 else
    # MASQUERADE
-    sed -i -e "s@PUBLICIP@%$GATE@g" $IPSECCONFIG
+    sed -i -e "s@LEFTIP@%$GATE@g" $IPSECCONFIG
+    sed -i -e "s@LEFTPORT@1701@g" $IPSECCONFIG
+    sed -i -e "s@RIGHTIP@%any@g" $IPSECCONFIG
+    sed -i -e "s@RIGHTPORT@%any@g" $IPSECCONFIG
    eval iptables -t nat -A POSTROUTING -o $GATE -j MASQUERADE $COMMENT
 fi

--- a/ipsec/psk.sh
+++ b/ipsec/psk.sh
@ -19,6 +19,6 @@ done
 # comment existing PSK
 sed -i -e "/[[:space:]]\+PSK[[:space:]]\+/s/^/# /" $SECRETSFILE

-echo "%any %any : PSK \"$PSK\"" >> $SECRETSFILE
+echo -e "\n%any %any : PSK \"$PSK\"" >> $SECRETSFILE

 echo "$SECRETSFILE updated!"
--- a/ipsec/setup.sh.dist
+++ b/ipsec/setup.sh.dist
@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+
+PSK=_PSK_
+SERVERLOCALIP=_SERVERLOCALIP_
+
+XL2TPDFILE=/etc/xl2tpd/xl2tpd.conf
+IPSECFILE=/etc/ipsec.conf
+OPTIONSXL2TPD=/etc/ppp/options.xl2tpd
+IPSECRETS=/etc/ipsec.secrets
+
+set -e
+
+if [[ "$EUID" -ne 0 ]]; then
+	echo "Sorry, you need to run this as root"
+	exit 1
+fi
+
+DIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
+
+echo
+echo "Installing necessary packets..."
+
+apt-get install strongswan xl2tpd
+
+echo
+echo "Installing configuration files..."
+yes | cp -rf $DIR/ipsec.conf $IPSECFILE
+yes | cp -rf $DIR/xl2tpd.conf $XL2TPDFILE
+yes | cp -rf $DIR/options.xl2tpd $OPTIONSXL2TPD
+
+echo -e "\n$SERVERLOCALIP %any : PSK \"$PSK\"" >> $IPSECRETS
+
+echo "$IPSECRETS updated!"
+
+service strongswan restart
+service xl2tpd restart