Initial commit

Makefile

+all: strongswan-conf swanctl-conf ipsec-notify vpn-config
+	tar xf strongswan-5.6.3.tar.bz2
+	cd strongswan-5.6.3 && ./configure --prefix=/usr --sysconfdir=/etc --enable-systemd --enable-swanctl --disable-charon --disable-stroke --disable-scepclient --disable-connmark
+	$(MAKE) -C strongswan-5.6.3
+# FIXME: strongswan tests failure!
+#	$(MAKE) -C strongswan-5.6.3 check
+	$(MAKE) -C strongswan-5.6.3 install
+	systemctl enable strongswan-swanctl
+	@echo "$$STRONGSWAN_CONF" > /etc/strongswan.conf
+	@echo "$$SWANCTL_CONF" > /etc/swanctl/swanctl.conf
+	@echo "$$IPSEC_NOTIFY" > /usr/sbin/ipsec-notify.sh
+	chmod 755 /usr/sbin/ipsec-notify.sh
+	install -v -Dm755 vpn /usr/share/easycwmp/functions/vpn
+	@echo "$$VPN_CONFIG" > /etc/config/vpn
+	rm -rf strongswan-5.6.3
+
+strongswan-conf:
+define STRONGSWAN_CONF
+# strongswan.conf - strongSwan configuration file
+#
+# Refer to the strongswan.conf(5) manpage for details
+#
+# Configuration changes should be made in the included files
+
+charon {
+        load_modular = yes
+        plugins {
+                include strongswan.d/charon/*.conf
+        }
+        fragment_size = 1400
+        install_routes = 0
+        install_virtual_ip = no
+}
+
+include strongswan.d/*.conf
+endef
+export STRONGSWAN_CONF
+
+swanctl-conf:
+define SWANCTL_CONF
+connections {
+}
+endef
+export SWANCTL_CONF
+
+ipsec-notify:
+define IPSEC_NOTIFY
+#!/bin/bash
+
+set -o nounset
+set -o errexit
+
+VTI_IF="vti0"
+
+case "$${PLUTO_VERB}" in
+    up-client)
+        ip tunnel add "$${VTI_IF}" local "$${PLUTO_ME}" remote 0.0.0.0 mode vti \
+            okey "$${PLUTO_MARK_OUT%%/*}" ikey "$${PLUTO_MARK_IN%%/*}"
+        ip link set "$${VTI_IF}" up
+        ip addr add "$${PLUTO_MY_SOURCEIP}" dev "$${VTI_IF}"
+        ip route add "$${PLUTO_PEER_CLIENT}" dev "$${VTI_IF}" table 220
+        sysctl -w "net.ipv4.conf.$${VTI_IF}.disable_policy=1"
+        networks=`printf %s "$$(ip route list proto kernel scope link | awk -F " " "{ print \\$$1 }")" | tr '\\n' ','`
+        if [ ! -z "$$networks" ] ; then
+            ip route list proto kernel scope link | awk -F " " "{ print \$$1 \" \" \$$2 \" \" \$$3 }" | while read -r route; do
+                ip route add table 220 $$route 2> /dev/null
+            done
+        fi
+        ;;
+    down-client)
+        networks=`printf %s "$$(ip route list proto kernel scope link | awk -F " " "{ print \\$$1 }")" | tr '\\n' ','`
+        if [ ! -z "$$networks" ] ; then
+            ip route list proto kernel scope link | awk -F " " "{ print \$$1 \" \" \$$2 \" \" \$$3 }" | while read -r route; do
+                ip route del table 220 $$route 2> /dev/null
+            done
+        fi
+        ip tunnel del "$${VTI_IF}"
+        ;;
+esac
+endef
+export IPSEC_NOTIFY
+
+vpn-config:
+define VPN_CONFIG
+
+config vpn 'hub'
+	option address ''
+	option subnet ''
+
+config ca 'issuer'
+	option uri ''
+	option DN ''
+endef
+export VPN_CONFIG

strongswan.groups

+etc
+	/etc/.*
+bin
+	/lib/systemd/system/.*
+	/usr/sbin/.*
+	/usr/libexec/ipsec/.*
+	/usr/bin/.*
+	/usr/share/easycwmp/.*
+lib
+	/usr/lib/ipsec/.*
+doc
+	/usr/share/strongswan/templates/config/.*
+man
+	/usr/share/man/.*

vpn

+#!/bin/sh
+
+#common_execute_method_param "$parameter" "$permission" "$get_cmd" "$set_cmd" "xsd:$type" "$forcedinform"
+#  $forcedinform should be set to 1 if the parameter is included in the inform message otherwise empty
+#  Default of $type = string
+
+#############################
+#   Entry point functuons   #
+#############################
+
+prefix_list="$prefix_list $DMROOT.VPN."
+entry_execute_method_list="$entry_execute_method_list entry_execute_method_root_VPN"
+entry_execute_method_list_forcedinform="$entry_execute_method_list_forcedinform  entry_execute_method_root_VPN"
+
+entry_execute_method_root_VPN() {
+	case "$1" in ""|"$DMROOT."|"$DMROOT.VPN."*)
+		common_execute_method_obj "$DMROOT.VPN." "0"
+		common_execute_method_param "$DMROOT.VPN.CertificateStatus" "0" "vpn_get_certificate_status"
+		common_execute_method_param "$DMROOT.VPN.Hub" "1" "vpn_get_hub" "vpn_set_hub"
+		common_execute_method_param "$DMROOT.VPN.Subnet" "1" "vpn_get_subnet" "vpn_set_subnet"
+		common_execute_method_param "$DMROOT.VPN.Issuer" "1" "vpn_get_issuer_URI" "vpn_set_issuer_URI"
+		common_execute_method_param "$DMROOT.VPN.DN" "1" "vpn_get_DN" "vpn_set_DN"
+		return 0;
+		;;
+	esac
+	return $E_INVALID_PARAMETER_NAME;
+}
+
+make_key_and_certificate() {
+	local SIGNER=`vpn_get_issuer_URI`
+	local DN=`vpn_get_DN`
+	if [[ -n "$SIGNER" && -n "$DN" ]]; then
+		local ID=`deviceid`
+
+		if [ ! -s /etc/swanctl/private/$ID.key.pem ]; then
+			openssl genrsa -out /etc/swanctl/private/$ID.key.pem 4096
+			chmod 400 /etc/swanctl/private/$ID.key.pem
+			rm /etc/swanctl/x509/$ID.cert.pem
+		fi
+
+		pki --req --in /etc/swanctl/private/$ID.key.pem --dn "$DN, CN=$ID" --san $ID --outform pem > /etc/swanctl/x509/$ID.csr.pem
+		curl -s -X POST --data-binary @/etc/swanctl/x509/$ID.csr.pem $SIGNER > /etc/swanctl/x509/$ID.cert.pem.new
+		if [ -s /etc/swanctl/x509/$ID.cert.pem.new ]; then
+			mv -f /etc/swanctl/x509/$ID.cert.pem.new /etc/swanctl/x509/$ID.cert.pem
+		else
+		    if [ -e /etc/swanctl/x509/$ID.cert.pem ]; then
+			rm /etc/swanctl/x509/$ID.cert.pem.new
+		    else
+			mv -f /etc/swanctl/x509/$ID.cert.pem.new /etc/swanctl/x509/$ID.cert.pem
+		    fi
+		fi
+		rm /etc/swanctl/x509/$ID.csr.pem
+
+		curl -s $SIGNER | awk '{print $0 "-----END CERTIFICATE-----"> "/etc/swanctl/x509ca/cacert-" NR ".cert.pem"}' RS='-----END CERTIFICATE-----\n'
+
+		configure_ipsec
+	fi
+}
+
+configure_ipsec() {
+	local VPNID=`vpn_get_hub`
+	local VPNSUBNET=`vpn_get_subnet`
+	local SIGNER=`vpn_get_issuer_URI`
+	local DN=`vpn_get_DN`
+	if [[ -n "$VPNID" && -n "$VPNSUBNET" && -n "$SIGNER" && -n "$DN" ]]; then
+		local ID=`deviceid`
+
+cat << EOF > /etc/swanctl/swanctl.conf
+connections {
+
+   home {
+      remote_addrs = $VPNID
+      vips = 0.0.0.0
+      dpd_delay = 30
+      dpd_timeout = 90
+      version = 2
+      fragmentation = yes
+      proposals = aes128-sha256-modp2048
+      keyingtries = 0
+
+      local {
+         auth = pubkey
+         certs = $ID.cert.pem
+         id = $ID
+      }
+
+      remote {
+         id = $VPNID
+      }
+
+      children {
+         hub {
+            remote_ts = $VPNSUBNET
+            esp_proposals = aes128-sha256-modp2048
+
+            updown = /usr/sbin/ipsec-notify.sh
+            mark_in = 2
+            mark_out = 2
+
+            start_action = start
+            close_action = start
+            dpd_action = restart
+         }
+      }
+   }
+}
+EOF
+
+		systemctl restart strongswan-swanctl
+	fi
+}
+
+#######################################
+#   Data model parameters functions   #
+#######################################
+
+vpn_get_certificate_status() {
+	local ID=`deviceid`
+	if [ -s /etc/swanctl/private/$ID.key.pem ]; then
+		if [ -f /etc/swanctl/x509/$ID.cert.pem ]; then
+			if [ -s /etc/swanctl/x509/$ID.cert.pem ]; then
+				echo "Installed"
+			else
+				echo "Issuer rejected"
+			fi
+		else
+			echo "No certificate"
+		fi
+	else
+	    echo "Private key absent"
+	fi
+}
+
+vpn_get_hub() {
+	echo `$UCI_GET vpn.hub.address`
+}
+
+vpn_set_hub() {
+	local address=`$UCI_GET vpn.hub.address`
+	if [ "$address" != "$1" ]; then
+		$UCI_SET vpn.hub.address="$1"
+		$UCI_COMMIT
+		configure_ipsec
+	fi
+}
+
+vpn_get_subnet() {
+	echo `$UCI_GET vpn.hub.subnet`
+}
+
+vpn_set_subnet() {
+	local subnet=`$UCI_GET vpn.hub.subnet`
+	if [ "$subnet" != "$1" ]; then
+		$UCI_SET vpn.hub.subnet="$1"
+		$UCI_COMMIT
+		configure_ipsec
+	fi
+}
+
+vpn_get_issuer_URI() {
+	echo `$UCI_GET vpn.issuer.uri`
+}
+
+vpn_set_issuer_URI() {
+	local uri=`$UCI_GET vpn.issuer.uri`
+	if [ "$uri" != "$1" ] ; then
+		$UCI_SET vpn.issuer.uri="$1"
+		$UCI_COMMIT
+		make_key_and_certificate
+	fi
+}
+
+vpn_get_DN() {
+	echo `$UCI_GET vpn.issuer.DN`
+}
+
+vpn_set_DN() {
+	local dn=`$UCI_GET vpn.issuer.DN`
+	if [ "$dn" != "$1" ]; then
+		$UCI_SET vpn.issuer.DN="$1"
+		$UCI_COMMIT
+		make_key_and_certificate
+	fi
+}