Skip to content
体验新版
项目
组织
正在加载...
登录
切换导航
打开侧边栏
al linux
IPSEC
提交
b8642ebf
I
IPSEC
项目概览
al linux
/
IPSEC
通知
1
Star
0
Fork
0
代码
文件
提交
分支
Tags
贡献者
分支图
Diff
Issue
0
列表
看板
标记
里程碑
合并请求
0
Wiki
0
Wiki
分析
仓库
DevOps
项目成员
Pages
I
IPSEC
项目概览
项目概览
详情
发布
仓库
仓库
文件
提交
分支
标签
贡献者
分支图
比较
Issue
0
Issue
0
列表
看板
标记
里程碑
合并请求
0
合并请求
0
Pages
分析
分析
仓库分析
DevOps
Wiki
0
Wiki
成员
成员
收起侧边栏
关闭侧边栏
动态
分支图
创建新Issue
提交
Issue看板
前往新版Gitcode,体验更适合开发者的 AI 搜索 >>
提交
b8642ebf
编写于
9月 11, 2020
作者:
al linux
浏览文件
操作
浏览文件
下载
电子邮件补丁
差异文件
上传新文件
上级
dcf2838f
变更
1
隐藏空白更改
内联
并排
Showing
1 changed file
with
333 addition
and
0 deletion
+333
-0
extras/vpnupgrade.sh
extras/vpnupgrade.sh
+333
-0
未找到文件。
extras/vpnupgrade.sh
0 → 100644
浏览文件 @
b8642ebf
#!/bin/sh
#
# Script to upgrade Libreswan on Ubuntu and Debian
#
# Copyright (C) 2016-2020 Lin Song <linsongui@gmail.com>
#
# This work is licensed under the Creative Commons Attribution-ShareAlike 3.0
# Unported License: http://creativecommons.org/licenses/by-sa/3.0/
#
# Attribution required: please include my name in any derivative and let me
# know how you have improved it!
# Specify which Libreswan version to install. See: https://libreswan.org
SWAN_VER
=
3.32
### DO NOT edit below this line ###
export
PATH
=
"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
exiterr
()
{
echo
"Error:
$1
"
>
&2
;
exit
1
;
}
exiterr2
()
{
exiterr
"'apt-get install' failed."
;
}
vpnupgrade
()
{
os_type
=
$(
lsb_release
-si
2>/dev/null
)
if
[
-z
"
$os_type
"
]
;
then
[
-f
/etc/os-release
]
&&
os_type
=
$(
.
/etc/os-release
&&
printf
'%s'
"
$ID
"
)
[
-f
/etc/lsb-release
]
&&
os_type
=
$(
.
/etc/lsb-release
&&
printf
'%s'
"
$DISTRIB_ID
"
)
fi
if
!
printf
'%s'
"
$os_type
"
|
head
-n
1 |
grep
-qiF
-e
ubuntu
-e
debian
-e
raspbian
;
then
echo
"Error: This script only supports Ubuntu and Debian."
>
&2
echo
"For CentOS/RHEL, use https://git.io/vpnupgrade-centos"
>
&2
exit
1
fi
if
[
"
$(
sed
's/\..*//'
/etc/debian_version
)
"
=
"7"
]
;
then
exiterr
"Debian 7 is not supported."
fi
if
[
-f
/proc/user_beancounters
]
;
then
exiterr
"OpenVZ VPS is not supported."
fi
if
[
"
$(
id
-u
)
"
!=
0
]
;
then
exiterr
"Script must be run as root. Try 'sudo sh
$0
'"
fi
case
"
$SWAN_VER
"
in
3.19|3.2[01235679]|3.3[12]
)
/bin/true
;;
*
)
cat
1>&2
<<
EOF
Error: Libreswan version '
$SWAN_VER
' is not supported.
This script can install one of the following versions:
3.19-3.23, 3.25-3.27, 3.29, 3.31 and 3.32
EOF
exit
1
;;
esac
dns_state
=
0
case
"
$SWAN_VER
"
in
3.2[35679]|3.3[12]
)
DNS_SRV1
=
$(
grep
"modecfgdns1="
/etc/ipsec.conf |
head
-n
1 |
cut
-d
'='
-f
2
)
DNS_SRV2
=
$(
grep
"modecfgdns2="
/etc/ipsec.conf |
head
-n
1 |
cut
-d
'='
-f
2
)
[
-n
"
$DNS_SRV1
"
]
&&
dns_state
=
2
[
-n
"
$DNS_SRV1
"
]
&&
[
-n
"
$DNS_SRV2
"
]
&&
dns_state
=
1
[
"
$(
grep
-c
"modecfgdns1="
/etc/ipsec.conf
)
"
-gt
"1"
]
&&
dns_state
=
5
;;
3.19|3.2[012]
)
DNS_SRVS
=
$(
grep
"modecfgdns="
/etc/ipsec.conf |
head
-n
1 |
cut
-d
'='
-f
2
)
DNS_SRVS
=
$(
printf
'%s'
"
$DNS_SRVS
"
|
cut
-d
'"'
-f
2 |
cut
-d
"'"
-f
2 |
sed
's/,/ /g'
|
tr
-s
' '
)
DNS_SRV1
=
$(
printf
'%s'
"
$DNS_SRVS
"
|
cut
-d
' '
-f
1
)
DNS_SRV2
=
$(
printf
'%s'
"
$DNS_SRVS
"
|
cut
-s
-d
' '
-f
2
)
[
-n
"
$DNS_SRV1
"
]
&&
dns_state
=
4
[
-n
"
$DNS_SRV1
"
]
&&
[
-n
"
$DNS_SRV2
"
]
&&
dns_state
=
3
[
"
$(
grep
-c
"modecfgdns="
/etc/ipsec.conf
)
"
-gt
"1"
]
&&
dns_state
=
6
;;
esac
ipsec_ver
=
$(
/usr/local/sbin/ipsec
--version
2>/dev/null
)
ipsec_ver_short
=
$(
printf
'%s'
"
$ipsec_ver
"
|
sed
-e
's/Linux Libreswan/Libreswan/'
-e
's/ (netkey) on .*//'
)
if
!
printf
'%s'
"
$ipsec_ver
"
|
grep
-q
"Libreswan"
;
then
exiterr
"This script requires Libreswan already installed."
fi
if
printf
'%s'
"
$ipsec_ver
"
|
grep
-qF
"
$SWAN_VER
"
;
then
echo
"You already have Libreswan version
$SWAN_VER
installed! "
echo
"If you continue, the same version will be re-installed."
echo
printf
"Do you want to continue anyway? [y/N] "
read
-r
response
case
$response
in
[
yY][eE][sS]|[yY]
)
echo
;;
*
)
echo
"Abort. No changes were made."
exit
1
;;
esac
fi
clear
cat
<<
EOF
Welcome! This script will build and install Libreswan on your server.
Additional packages required for compilation will also be installed.
It is intended for upgrading servers to a newer Libreswan version.
Current version:
$ipsec_ver_short
Version to install: Libreswan
$SWAN_VER
EOF
cat
<<
'
EOF
'
NOTE: Libreswan versions 3.19 and newer require some configuration changes.
This script will make the following updates to your /etc/ipsec.conf:
- Replace "auth=esp" with "phase2=esp"
- Replace "forceencaps=yes" with "encapsulation=yes"
- Optimize VPN ciphers for "ike=" and "phase2alg="
EOF
if
[
"
$dns_state
"
=
"1"
]
||
[
"
$dns_state
"
=
"2"
]
;
then
cat
<<
'
EOF
'
- Replace "modecfgdns1" and "modecfgdns2" with "modecfgdns"
EOF
fi
if
[
"
$dns_state
"
=
"3"
]
||
[
"
$dns_state
"
=
"4"
]
;
then
cat
<<
'
EOF
'
- Replace "modecfgdns" with "modecfgdns1" and "modecfgdns2"
EOF
fi
if
[
"
$SWAN_VER
"
=
"3.29"
]
||
[
"
$SWAN_VER
"
=
"3.31"
]
||
[
"
$SWAN_VER
"
=
"3.32"
]
;
then
cat
<<
'
EOF
'
- Move "ikev2=never" to section "conn shared"
EOF
fi
cat
<<
'
EOF
'
Your other VPN configuration files will not be modified.
EOF
case
"
$SWAN_VER
"
in
3.19|3.2[01235679]|3.31
)
cat
<<
'
EOF
'
WARNING: Older versions of Libreswan could contain known security vulnerabilities.
See: https://libreswan.org/security/
Are you sure you want to install an older version?
EOF
;;
esac
case
"
$SWAN_VER
"
in
3.2[35]
)
cat
<<
'
EOF
'
WARNING: Libreswan 3.23 and 3.25 have an issue with connecting multiple
IPsec/XAuth VPN clients from behind the same NAT (e.g. home router).
DO NOT install 3.23/3.25 if your use cases include the above.
EOF
;;
esac
printf
"Do you want to continue? [y/N] "
read
-r
response
case
$response
in
[
yY][eE][sS]|[yY]
)
echo
echo
"Please be patient. Setup is continuing..."
echo
;;
*
)
echo
"Abort. No changes were made."
exit
1
;;
esac
# Create and change to working dir
mkdir
-p
/opt/src
cd
/opt/src
||
exit
1
# Update package index
export
DEBIAN_FRONTEND
=
noninteractive
apt-get
-yq
update
||
exiterr
"'apt-get update' failed."
# Install necessary packages
apt-get
-yq
install
libnss3-dev libnspr4-dev pkg-config
\
libpam0g-dev libcap-ng-dev libcap-ng-utils libselinux1-dev
\
libcurl4-nss-dev libnss3-tools libevent-dev
\
flex bison gcc make wget
sed
||
exiterr2
# Compile and install Libreswan
swan_file
=
"libreswan-
$SWAN_VER
.tar.gz"
swan_url1
=
"https://github.com/libreswan/libreswan/archive/v
$SWAN_VER
.tar.gz"
swan_url2
=
"https://download.libreswan.org/
$swan_file
"
if
!
{
wget
-t
3
-T
30
-nv
-O
"
$swan_file
"
"
$swan_url1
"
||
wget
-t
3
-T
30
-nv
-O
"
$swan_file
"
"
$swan_url2
"
;
}
;
then
exit
1
fi
/bin/rm
-rf
"/opt/src/libreswan-
$SWAN_VER
"
tar
xzf
"
$swan_file
"
&&
/bin/rm
-f
"
$swan_file
"
cd
"libreswan-
$SWAN_VER
"
||
exit
1
[
"
$SWAN_VER
"
=
"3.22"
]
&&
sed
-i
'/^#define LSWBUF_CANARY/s/-2$/((char) -2)/'
include/lswlog.h
[
"
$SWAN_VER
"
=
"3.23"
]
||
[
"
$SWAN_VER
"
=
"3.25"
]
&&
sed
-i
'/docker-targets\.mk/d'
Makefile
[
"
$SWAN_VER
"
=
"3.26"
]
&&
sed
-i
's/-lfreebl //'
mk/config.mk
[
"
$SWAN_VER
"
=
"3.26"
]
&&
sed
-i
'/blapi\.h/d'
programs/pluto/keys.c
if
[
"
$SWAN_VER
"
=
"3.31"
]
;
then
sed
-i
'916iif (!st->st_seen_fragvid) { return FALSE; }'
programs/pluto/ikev2.c
sed
-i
'1033s/if (/if (LIN(POLICY_IKE_FRAG_ALLOW, sk->ike->sa.st_connection->policy) \&\& sk->ike->sa.st_seen_fragvid \&\& /'
\
programs/pluto/ikev2_message.c
fi
cat
>
Makefile.inc.local
<<
'
EOF
'
WERROR_CFLAGS = -w
USE_DNSSEC = false
USE_DH31 = false
USE_NSS_AVA_COPY = true
USE_NSS_IPSEC_PROFILE = false
USE_GLIBC_KERN_FLIP_HEADERS = true
EOF
if
[
"
$SWAN_VER
"
=
"3.31"
]
||
[
"
$SWAN_VER
"
=
"3.32"
]
;
then
echo
"USE_DH2 = true"
>>
Makefile.inc.local
if
!
grep
-qs
IFLA_XFRM_LINK /usr/include/linux/if_link.h
;
then
echo
"USE_XFRM_INTERFACE_IFLA_HEADER = true"
>>
Makefile.inc.local
fi
fi
if
[
"
$(
packaging/utils/lswan_detect.sh init
)
"
=
"systemd"
]
;
then
apt-get
-yq
install
libsystemd-dev
||
exiterr2
fi
NPROCS
=
$(
grep
-c
^processor /proc/cpuinfo
)
[
-z
"
$NPROCS
"
]
&&
NPROCS
=
1
make
"-j
$((
NPROCS+1
))
"
-s
base
&&
make
-s
install-base
# Verify the install and clean up
cd
/opt/src
||
exit
1
/bin/rm
-rf
"/opt/src/libreswan-
$SWAN_VER
"
if
!
/usr/local/sbin/ipsec
--version
2>/dev/null |
grep
-qF
"
$SWAN_VER
"
;
then
exiterr
"Libreswan
$SWAN_VER
failed to build."
fi
# Update ipsec.conf
IKE_NEW
=
" ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024"
PHASE2_NEW
=
" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2"
if
uname
-m
|
grep
-qi
'^arm'
;
then
if
!
modprobe
-q
sha512
;
then
PHASE2_NEW
=
" phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes128-sha2,aes256-sha2"
fi
fi
sed
-i
".old-
$(
date
+%F-%T
)
"
\
-e
"s/^[[:space:]]
\+
auth=esp
\$
/ phase2=esp/g"
\
-e
"s/^[[:space:]]
\+
forceencaps=yes
\$
/ encapsulation=yes/g"
\
-e
"s/^[[:space:]]
\+
ike=.
\+\$
/
$IKE_NEW
/g"
\
-e
"s/^[[:space:]]
\+
phase2alg=.
\+\$
/
$PHASE2_NEW
/g"
/etc/ipsec.conf
if
[
"
$dns_state
"
=
"1"
]
;
then
sed
-i
-e
"s/modecfgdns1=.*/modecfgdns=
\"
$DNS_SRV1
$DNS_SRV2
\"
/"
\
-e
"/modecfgdns2/d"
/etc/ipsec.conf
elif
[
"
$dns_state
"
=
"2"
]
;
then
sed
-i
"s/modecfgdns1=.*/modecfgdns=
$DNS_SRV1
/"
/etc/ipsec.conf
elif
[
"
$dns_state
"
=
"3"
]
;
then
sed
-i
"/modecfgdns=/a
\
modecfgdns2=
$DNS_SRV2
"
/etc/ipsec.conf
sed
-i
"s/modecfgdns=.*/modecfgdns1=
$DNS_SRV1
/"
/etc/ipsec.conf
elif
[
"
$dns_state
"
=
"4"
]
;
then
sed
-i
"s/modecfgdns=.*/modecfgdns1=
$DNS_SRV1
/"
/etc/ipsec.conf
fi
if
[
"
$SWAN_VER
"
=
"3.29"
]
||
[
"
$SWAN_VER
"
=
"3.31"
]
||
[
"
$SWAN_VER
"
=
"3.32"
]
;
then
sed
-i
"/ikev2=never/d"
/etc/ipsec.conf
sed
-i
"/conn shared/a
\
ikev2=never"
/etc/ipsec.conf
fi
# Restart IPsec service
mkdir
-p
/run/pluto
service ipsec restart
cat
<<
EOF
===========================================
Libreswan
$SWAN_VER
successfully installed!
===========================================
EOF
if
[
"
$dns_state
"
=
"5"
]
;
then
cat
<<
'
EOF
'
IMPORTANT: Users upgrading to Libreswan 3.23 or newer must edit /etc/ipsec.conf
and replace all occurrences of these two lines:
modecfgdns1=DNS_SERVER_1
modecfgdns2=DNS_SERVER_2
with a single line like this:
modecfgdns="DNS_SERVER_1 DNS_SERVER_2"
Then run "sudo service ipsec restart".
EOF
elif
[
"
$dns_state
"
=
"6"
]
;
then
cat
<<
'
EOF
'
IMPORTANT: Users downgrading to Libreswan 3.22 or older must edit /etc/ipsec.conf
and replace all occurrences of this line:
modecfgdns="DNS_SERVER_1 DNS_SERVER_2"
with two lines like this:
modecfgdns1=DNS_SERVER_1
modecfgdns2=DNS_SERVER_2
Then run "sudo service ipsec restart".
EOF
fi
}
## Defer setup until we have the complete script
vpnupgrade
"
$@
"
exit
0
编辑
预览
Markdown
is supported
0%
请重试
或
添加新附件
.
添加附件
取消
You are about to add
0
people
to the discussion. Proceed with caution.
先完成此消息的编辑!
取消
想要评论请
注册
或
登录