ipsec client files generating; config fixes

This commit is contained in:
bedefaced 2017-08-18 18:47:41 +03:00 committed by bedefaced
parent 12f998e0b6
commit 1b484cf3c4
10 changed files with 195 additions and 59 deletions


@ -8,6 +8,12 @@ if [[ ! -e $CHAPSECRETS ]] || [[ ! -r $CHAPSECRETS ]] || [[ ! -w $CHAPSECRETS ]]
exit 1 exit 1
fi fi
ADDUSER="no"
ANSUSER="yes"
while [ "$ANSUSER" != "$ADDUSER" ];
do
if [[ $# -gt 0 ]]; then if [[ $# -gt 0 ]]; then
LOGIN="$1" LOGIN="$1"
fi fi
@ -25,6 +31,8 @@ do
echo echo
done done
DELETED=0
$DIR/checkuser.sh $LOGIN $DIR/checkuser.sh $LOGIN
if [[ $? -eq 0 ]]; then if [[ $? -eq 0 ]]; then
@ -36,12 +44,58 @@ if [[ $? -eq 0 ]]; then
exit 1 exit 1
else else
$DIR/deluser.sh $LOGIN $DIR/deluser.sh $LOGIN
# to avoid dublicate message DELETED=1
echo -e "$LOGIN\t *\t $PASSWORD\t *" >> $CHAPSECRETS
exit 0
fi fi
fi fi
echo -e "$LOGIN\t *\t $PASSWORD\t *" >> $CHAPSECRETS echo -e "$LOGIN\t *\t $PASSWORD\t *" >> $CHAPSECRETS
if [ $DELETED -eq 0 ]; then
echo "$CHAPSECRETS updated!" echo "$CHAPSECRETS updated!"
fi
PSK=$(sed -n "s/^[^#]\+[[:space:]]\+PSK[[:space:]]\+\"\(.\+\)\"/\1/p" $SECRETSFILE)
STARTDIR=$(pwd)
mkdir "$STARTDIR/$LOGIN"
DISTFILE=$STARTDIR/$LOGIN/setup.sh
cp -rf setup.sh.dist "$DISTFILE"
sed -i -e "s@_PSK_@$PSK@g" "$DISTFILE"
sed -i -e "s@_SERVERLOCALIP_@$LOCALPREFIX.0.1@g" "$DISTFILE"
DISTFILE=$STARTDIR/$LOGIN/ipsec.conf
cp -rf ipsec.conf.dist "$DISTFILE"
sed -i -e "s@LEFTIP@%any@g" "$DISTFILE"
sed -i -e "s@LEFTPORT@%any@g" "$DISTFILE"
sed -i -e "s@RIGHTIP@$IP@g" "$DISTFILE"
sed -i -e "s@RIGHTPORT@1701@g" "$DISTFILE"
DISTFILE=$STARTDIR/$LOGIN/xl2tpd.conf
cp -rf client-xl2tpd.conf.dist "$DISTFILE"
sed -i -e "s@REMOTEIP@$IP@g" "$DISTFILE"
DISTFILE=$STARTDIR/$LOGIN/options.xl2tpd
cp -rf client-options.xl2tpd.dist "$DISTFILE"
sed -i -e "s@_LOGIN_@$LOGIN@g" "$DISTFILE"
sed -i -e "s@_PASSWORD_@$PASSWORD@g" "$DISTFILE"
cp -rf connect.sh.dist "$STARTDIR/$LOGIN/connect.sh"
cp -rf disconnect.sh.dist "$STARTDIR/$LOGIN/disconnect.sh"
chmod +x "$STARTDIR/$LOGIN/setup.sh" "$STARTDIR/$LOGIN/connect.sh" "$STARTDIR/$LOGIN/disconnect.sh"
USERNAME=${SUDO_USER:-$USER}
chown -R $USERNAME:$USERNAME $STARTDIR/$LOGIN/
echo
echo "Created directory $STARTDIR/$LOGIN with client-side installation file."
if [[ $# -eq 0 ]]; then
echo
read -p "Would you want add another user? [no] " ANSUSER
: ${ANSUSER:=$ADDUSER}
else
ANSUSER=$ADDUSER
fi
done
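Review bot: The client bundle written under `$STARTDIR/$LOGIN` holds the IPsec PSK (setup.sh, via `_PSK_`) and the user's PPP password (options.xl2tpd, via `_PASSWORD_`) in cleartext, yet the directory is created with a bare `mkdir` and afterwards only `chown`ed, so under a typical 022 umask every file in it is world-readable. Create it restricted, `mkdir -m 700 -- "$STARTDIR/$LOGIN"`, and `chmod 600` the generated setup.sh and options.xl2tpd (or set `umask 077` before the cp/sed sequence). The substitutions `sed -i -e "s@_PSK_@$PSK@g"` and `s@_PASSWORD_@$PASSWORD@g` are only correct while neither secret contains `@`, `&` or `\`, which nothing visible here guarantees; the secrets are produced outside this hunk, so either restrict their alphabet there or escape them before substitution. `$LOGIN` is also used unquoted as a path component in `chown -R $USERNAME:$USERNAME $STARTDIR/$LOGIN/`; `checkuser.sh` presumably validates it, but that is not visible. The enclosing `if`/`while` start before this hunk.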


@ -0,0 +1,17 @@
ipcp-accept-local
ipcp-accept-remote
refuse-eap
require-mschap-v2
noccp
noauth
idle 1800
mtu 1410
mru 1410
defaultroute
replacedefaultroute
usepeerdns
debug
lock
connect-delay 5000
name "_LOGIN_"
password "_PASSWORD_"
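Review bot: `password "_PASSWORD_"` puts the PPP credential in this file in cleartext and `debug` is shipped enabled, and neither is documented; from adduser.sh's `_LOGIN_`/`_PASSWORD_` substitutions this looks like the client-options.xl2tpd.dist template that ends up as /etc/ppp/options.xl2tpd. Add a header comment such as `# Contains the cleartext PPP password: keep this file mode 0600, owned by root` so whoever installs it knows the file is sensitive. Consider commenting `debug` out with a note that it can be re-enabled for troubleshooting rather than leaving verbose logging on by default in a distributed client config.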


@ -0,0 +1,5 @@
[lac L2TP-PSK-NAT]
lns = REMOTEIP
ppp debug = no
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

14
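--- a/ipsec/connect.sh.dist
+++ b/ipsec/connect.sh.dist
@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+set -e
+if [[ "$EUID" -ne 0 ]]; then
+echo "Sorry, you need to run this as root"
+exit 1
+fi
+ipsec up L2TP-PSK-NAT
+sleep 2
+echo "c L2TP-PSK-NAT" > /var/run/xl2tpd/l2tp-control
+sleep 2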
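Review bot: If xl2tpd is not running, the redirection in `echo "c L2TP-PSK-NAT" > /var/run/xl2tpd/l2tp-control` fails on the missing control pipe and `set -e` aborts the script, but only after `ipsec up L2TP-PSK-NAT` has already established the IPsec SA, which is then left up with no L2TP session behind it. Check for the pipe before touching IPsec, e.g. `[[ -w /var/run/xl2tpd/l2tp-control ]] || { echo "xl2tpd control pipe not found; is xl2tpd running?" >&2; exit 1; }` placed ahead of `ipsec up L2TP-PSK-NAT`. The two fixed `sleep 2` waits are a guess at how long the SA and the tunnel take to come up; a short `ipsec status L2TP-PSK-NAT` poll would be more reliable, though that is a larger change.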

14
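--- a/ipsec/disconnect.sh.dist
+++ b/ipsec/disconnect.sh.dist
@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+set -e
+if [[ "$EUID" -ne 0 ]]; then
+echo "Sorry, you need to run this as root"
+exit 1
+fi
+echo "d L2TP-PSK-NAT" > /var/run/xl2tpd/l2tp-control
+sleep 2
+ipsec down L2TP-PSK-NAT
+sleep 2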
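Review bot: Under `set -e`, a failed write to `/var/run/xl2tpd/l2tp-control` (xl2tpd already stopped, pipe absent) exits the script before `ipsec down L2TP-PSK-NAT` runs, so the IPsec SA stays up even though the user asked to disconnect. The L2TP teardown is best-effort here; make that explicit so the IPsec teardown always runs: `echo "d L2TP-PSK-NAT" > /var/run/xl2tpd/l2tp-control || echo "warning: could not signal xl2tpd" >&2`. A one-line header comment stating the intended order (L2TP session first, then the SA) would also help the next reader.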


@ -12,23 +12,6 @@ echo
echo "Installing strongSwan and xl2tp server..." echo "Installing strongSwan and xl2tp server..."
apt-get install strongswan xl2tpd cron iptables procps apt-get install strongswan xl2tpd cron iptables procps
ADDUSER="no"
ANSUSER="yes"
echo
echo "Configuring VPN users..."
while [ "$ANSUSER" != "$ADDUSER" ];
do
$DIR/adduser.sh
read -p "Would you want add another user? [no] " ANSUSER
: ${ANSUSER:=$ADDUSER}
done
echo
echo "Configuring PSK..."
$DIR/psk.sh
echo echo
echo "Configuring routing..." echo "Configuring routing..."
$DIR/sysctl.sh $DIR/sysctl.sh
@ -52,6 +35,14 @@ echo
echo "Configuring DNS parameters..." echo "Configuring DNS parameters..."
$DIR/dns.sh $DIR/dns.sh
echo
echo "Configuring PSK..."
$DIR/psk.sh
echo
echo "Configuring VPN users..."
$DIR/adduser.sh
echo echo
echo "Adding cron jobs..." echo "Adding cron jobs..."
yes | cp -rf $DIR/checkserver.sh $CHECKSERVER yes | cp -rf $DIR/checkserver.sh $CHECKSERVER
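Review bot: `$DIR/psk.sh` is now the step that adduser.sh depends on — adduser.sh reads the PSK back out of the secrets file with `sed -n` — but its exit status is not checked, so if psk.sh fails the extracted PSK is empty and every generated client setup.sh ships with `PSK=` blank. Whether this installer runs under `set -e` is outside the hunk; either way, guard the step explicitly: `$DIR/psk.sh || { echo "PSK configuration failed" >&2; exit 1; }`. The same applies to `$DIR/adduser.sh` below it.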


@ -7,15 +7,14 @@ conn L2TP-PSK-NAT
rekey=no rekey=no
ikelifetime=8h ikelifetime=8h
keylife=1h keylife=1h
ike=aes256-sha1,aes128-sha1,3des-sha1
esp=aes256-sha1-modp2048
keylife=1h
type=transport type=transport
left=PUBLICIP left=LEFTIP
leftprotoport=17/1701 leftprotoport=17/LEFTPORT
right=%any right=RIGHTIP
rightprotoport=17/%any rightprotoport=17/RIGHTPORT
dpddelay=30 dpddelay=30
dpdtimeout=120 dpdtimeout=120
dpdaction=clear dpdaction=clear
keyexchange=ikev2
ike=aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,aes256-sha1-modp1024,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024!
esp=aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1,aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024,aes128gcm16,aes128gcm16-ecp256,aes256-sha1,aes256-sha256,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16,aes256gcm16-ecp384,3des-sha1!
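Review bot: The new `ike=`/`esp=` lists (last two lines of the hunk) still admit `3des-sha1`, `modp1024` and SHA-1 integrity; the trailing `!` only makes the set strict, it does not prevent a peer from proposing the weakest member first, and whether the server's own ordering wins depends on charon's `prefer_configured_proposals` setting, which is not visible here. Since the only client this commit ships is the generated strongSwan bundle built from this same template, the `3des-sha1-modp1024` and `*-modp1024` entries could be dropped outright, or the file should carry a comment naming which third-party L2TP clients the legacy proposals are kept for. `keyexchange=ikev2` also changes behaviour for this `conn`: the built-in L2TP/IPsec clients on common desktop and mobile OSes typically negotiate IKEv1, so any such client in use would stop connecting; a comment beside the line, e.g. `# IKEv2 only: the generated strongSwan client bundle; OS-native L2TP/IPsec clients need IKEv1`, would make the trade-off explicit.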


@ -39,11 +39,17 @@ read -p "Your external IP is $IP. Is this IP static? [yes] " ANSIP
if [ "$STATIC" == "$ANSIP" ]; then if [ "$STATIC" == "$ANSIP" ]; then
# SNAT # SNAT
sed -i -e "s@PUBLICIP@$IP@g" $IPSECCONFIG sed -i -e "s@LEFTIP@$IP@g" $IPSECCONFIG
sed -i -e "s@LEFTPORT@1701@g" $IPSECCONFIG
sed -i -e "s@RIGHTIP@%any@g" $IPSECCONFIG
sed -i -e "s@RIGHTPORT@%any@g" $IPSECCONFIG
eval iptables -t nat -A POSTROUTING -s $LOCALIPMASK -o $GATE -j SNAT --to-source $IP $COMMENT eval iptables -t nat -A POSTROUTING -s $LOCALIPMASK -o $GATE -j SNAT --to-source $IP $COMMENT
else else
# MASQUERADE # MASQUERADE
sed -i -e "s@PUBLICIP@%$GATE@g" $IPSECCONFIG sed -i -e "s@LEFTIP@%$GATE@g" $IPSECCONFIG
sed -i -e "s@LEFTPORT@1701@g" $IPSECCONFIG
sed -i -e "s@RIGHTIP@%any@g" $IPSECCONFIG
sed -i -e "s@RIGHTPORT@%any@g" $IPSECCONFIG
eval iptables -t nat -A POSTROUTING -o $GATE -j MASQUERADE $COMMENT eval iptables -t nat -A POSTROUTING -o $GATE -j MASQUERADE $COMMENT
fi fi
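Review bot: The three `sed -i` lines for `LEFTPORT`, `RIGHTIP` and `RIGHTPORT` are identical in both branches of the `if`; only the `LEFTIP` substitution differs, so hoist the three shared lines above (or below) the `if` and leave each branch with its single differing `sed` and its iptables rule. `$IPSECCONFIG` is unquoted in every `sed` call; `"$IPSECCONFIG"` costs nothing. The `eval iptables ... $COMMENT` lines are pre-existing, but note that `eval` re-parses whatever `$COMMENT` holds, which is only safe if it is a fixed string; where it is set is outside the hunk.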


@ -19,6 +19,6 @@ done
# comment existing PSK # comment existing PSK
sed -i -e "/[[:space:]]\+PSK[[:space:]]\+/s/^/# /" $SECRETSFILE sed -i -e "/[[:space:]]\+PSK[[:space:]]\+/s/^/# /" $SECRETSFILE
echo "%any %any : PSK \"$PSK\"" >> $SECRETSFILE echo -e "\n%any %any : PSK \"$PSK\"" >> $SECRETSFILE
echo "$SECRETSFILE updated!" echo "$SECRETSFILE updated!"
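Review bot: `echo -e` now interprets backslash escapes in the whole string, including inside `$PSK`, and a PSK containing `"` would likewise produce an unparsable ipsec.secrets entry; how `$PSK` is generated is outside the hunk, so this is only safe if its alphabet is restricted there. `printf '\n%%any %%any : PSK "%s"\n' "$PSK" >> "$SECRETSFILE"` appends the same entry without re-interpreting the secret. The `%any %any` selector means every IKE peer is offered the one shared key, which is inherent to a PSK-only L2TP deployment but deserves a comment on the line so it is not mistaken for an oversight.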

36
ipsec/setup.sh.dist Normal file

@ -0,0 +1,36 @@
#!/usr/bin/env bash
PSK=_PSK_
SERVERLOCALIP=_SERVERLOCALIP_
XL2TPDFILE=/etc/xl2tpd/xl2tpd.conf
IPSECFILE=/etc/ipsec.conf
OPTIONSXL2TPD=/etc/ppp/options.xl2tpd
IPSECRETS=/etc/ipsec.secrets
set -e
if [[ "$EUID" -ne 0 ]]; then
echo "Sorry, you need to run this as root"
exit 1
fi
DIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
echo
echo "Installing necessary packets..."
apt-get install strongswan xl2tpd
echo
echo "Installing configuration files..."
yes | cp -rf $DIR/ipsec.conf $IPSECFILE
yes | cp -rf $DIR/xl2tpd.conf $XL2TPDFILE
yes | cp -rf $DIR/options.xl2tpd $OPTIONSXL2TPD
echo -e "\n$SERVERLOCALIP %any : PSK \"$PSK\"" >> $IPSECRETS
echo "$IPSECRETS updated!"
service strongswan restart
service xl2tpd restart
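Review bot: `PSK=_PSK_` and `SERVERLOCALIP=_SERVERLOCALIP_` are unquoted shell assignments filled in by adduser.sh's `sed`, so a PSK containing whitespace or shell metacharacters breaks the script or is partly executed; write them as `PSK='_PSK_'` and `SERVERLOCALIP='_SERVERLOCALIP_'`. The script also replaces the client's existing /etc/ipsec.conf and /etc/xl2tpd/xl2tpd.conf with `yes | cp -rf` and appends a new PSK line to /etc/ipsec.secrets on every run, so repeated runs accumulate duplicate secrets and any prior configuration is lost without a backup; guard the append with `grep -qF -- "PSK \"$PSK\"" "$IPSECRETS" ||` and back up the overwritten files first. The secrets selector `$SERVERLOCALIP %any` uses the server's VPN-internal address (`$LOCALPREFIX.0.1` in adduser.sh) although the client connects to `$IP`; because `%any` is in the list the secret presumably still matches, but the first selector then looks misleading rather than meaningful and should be explained or dropped. Nothing here restricts the mode of /etc/ipsec.secrets after the append; a `chmod 600 "$IPSECRETS"` would be cheap insurance.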