399 lines
8.1 KiB
Bash
Executable File
399 lines
8.1 KiB
Bash
Executable File
#! /bin/sh
|
|
# prefix command to run stuff from our programs directory
|
|
# Copyright (C) 1998-2002 Henry Spencer.
|
|
# Copyright (C) 2006 Andreas Steffen
|
|
# Copyright (C) 2006 Martin Willi
|
|
#
|
|
# This program is free software; you can redistribute it and/or modify it
|
|
# under the terms of the GNU General Public License as published by the
|
|
# Free Software Foundation; either version 2 of the License, or (at your
|
|
# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
|
|
#
|
|
# This program is distributed in the hope that it will be useful, but
|
|
# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
|
|
# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
|
# for more details.
|
|
|
|
# define a minimum PATH environment in case it is not set
|
|
PATH="/sbin:/bin:/usr/sbin:/usr/bin:@IPSEC_SBINDIR@"
|
|
export PATH
|
|
|
|
# name and version of the ipsec implementation
|
|
IPSEC_NAME="@IPSEC_NAME@"
|
|
IPSEC_VERSION="U@IPSEC_VERSION@/K`uname -r`"
|
|
|
|
# where the private directory and the config files are
|
|
IPSEC_DIR="@IPSEC_DIR@"
|
|
IPSEC_SBINDIR="@IPSEC_SBINDIR@"
|
|
IPSEC_CONFDIR="@IPSEC_CONFDIR@"
|
|
IPSEC_PIDDIR="@IPSEC_PIDDIR@"
|
|
|
|
IPSEC_STARTER_PID="${IPSEC_PIDDIR}/starter.pid"
|
|
IPSEC_PLUTO_PID="${IPSEC_PIDDIR}/pluto.pid"
|
|
IPSEC_CHARON_PID="${IPSEC_PIDDIR}/charon.pid"
|
|
|
|
IPSEC_WHACK="${IPSEC_DIR}/whack"
|
|
IPSEC_STROKE="${IPSEC_DIR}/stroke"
|
|
IPSEC_STARTER="${IPSEC_DIR}/starter"
|
|
|
|
export IPSEC_DIR IPSEC_SBINDIR IPSEC_CONFDIR IPSEC_PIDDIR IPSEC_VERSION IPSEC_NAME IPSEC_STARTER_PID IPSEC_PLUTO_PID IPSEC_CHARON_PID
|
|
|
|
IPSEC_DISTRO="Institute for Internet Technologies and Applications\nUniversity of Applied Sciences Rapperswil, Switzerland"
|
|
|
|
case "$1" in
|
|
'')
|
|
echo "Usage: ipsec command argument ..."
|
|
echo "Use --help for list of commands, or see ipsec(8) manual page"
|
|
echo "or the $IPSEC_NAME documentation for names of the common ones."
|
|
echo "Most have their own manual pages, e.g. ipsec_auto(8)."
|
|
echo "See <http://www.strongswan.org> for more general info."
|
|
exit 0
|
|
;;
|
|
--help)
|
|
echo "Usage: ipsec command argument ..."
|
|
echo "where command is one of:"
|
|
echo " start|restart arguments..."
|
|
echo " update|reload|stop"
|
|
echo " up|down|route|unroute <connectionname>"
|
|
echo " status|statusall [<connectionname>]"
|
|
echo " ready"
|
|
echo " listalgs|listpubkeys|listcerts [--utc]"
|
|
echo " listcacerts|listaacerts|listocspcerts [--utc]"
|
|
echo " listacerts|listgroups|listcainfos [--utc]"
|
|
echo " listcrls|listocsp|listcards|listall [--utc]"
|
|
echo " leases [<poolname> [<address>]]"
|
|
echo " rereadsecrets|rereadgroups"
|
|
echo " rereadcacerts|rereadaacerts|rereadocspcerts"
|
|
echo " rereadacerts|rereadcrls|rereadall"
|
|
echo " purgeocsp|purgeike"
|
|
echo " scencrypt|scdecrypt <value> [--inbase <base>] [--outbase <base>] [--keyid <id>]"
|
|
echo " openac"
|
|
echo " pluto"
|
|
echo " scepclient"
|
|
echo " secrets"
|
|
echo " starter"
|
|
echo " version"
|
|
echo " whack"
|
|
echo " stroke"
|
|
echo
|
|
echo "Some of these functions have their own manual pages, e.g. ipsec_scepclient(8)."
|
|
exit 0
|
|
;;
|
|
--versioncode)
|
|
echo "$IPSEC_VERSION"
|
|
exit 0
|
|
;;
|
|
--directory)
|
|
echo "$IPSEC_DIR"
|
|
exit 0
|
|
;;
|
|
--confdir)
|
|
echo "$IPSEC_CONFDIR"
|
|
exit 0
|
|
;;
|
|
copyright|--copyright)
|
|
set _copyright
|
|
# and fall through, invoking "ipsec _copyright"
|
|
;;
|
|
down)
|
|
shift
|
|
if [ "$#" -ne 1 ]
|
|
then
|
|
echo "Usage: ipsec down <connection name>"
|
|
exit 2
|
|
fi
|
|
rc=7
|
|
if [ -e $IPSEC_PLUTO_PID ]
|
|
then
|
|
$IPSEC_WHACK --name "$1" --terminate
|
|
rc="$?"
|
|
fi
|
|
if [ -e $IPSEC_CHARON_PID ]
|
|
then
|
|
$IPSEC_STROKE down "$1"
|
|
rc="$?"
|
|
fi
|
|
exit "$rc"
|
|
;;
|
|
down-srcip)
|
|
shift
|
|
if [ "$#" -lt 1 ]
|
|
then
|
|
echo "Usage: ipsec down-srcip <start> [<end>]"
|
|
exit 2
|
|
fi
|
|
rc=7
|
|
if [ -e $IPSEC_CHARON_PID ]
|
|
then
|
|
$IPSEC_STROKE down-srcip $*
|
|
rc="$?"
|
|
fi
|
|
exit "$rc"
|
|
;;
|
|
listcards|rereadgroups)
|
|
op="$1"
|
|
shift
|
|
if [ -e $IPSEC_PLUTO_PID ]
|
|
then
|
|
$IPSEC_WHACK "$@" "--$op"
|
|
rc="$?"
|
|
fi
|
|
if [ -e $IPSEC_CHARON_PID ]
|
|
then
|
|
exit 3
|
|
else
|
|
exit 7
|
|
fi
|
|
;;
|
|
leases)
|
|
op="$1"
|
|
rc=7
|
|
shift
|
|
if [ -e $IPSEC_CHARON_PID ]
|
|
then
|
|
case "$#" in
|
|
0) $IPSEC_STROKE "$op" ;;
|
|
1) $IPSEC_STROKE "$op" "$1" ;;
|
|
*) $IPSEC_STROKE "$op" "$1" "$2" ;;
|
|
esac
|
|
rc="$?"
|
|
fi
|
|
exit "$rc"
|
|
;;
|
|
listalgs|\listpubkeys|\
|
|
listcerts|listcacerts|listaacerts|\
|
|
listacerts|listgroups|listocspcerts|\
|
|
listcainfos|listcrls|listocsp|listall|\
|
|
rereadsecrets|rereadcacerts|rereadaacerts|\
|
|
rereadacerts|rereadocspcerts|rereadcrls|\
|
|
rereadall|purgeocsp)
|
|
op="$1"
|
|
rc=7
|
|
shift
|
|
if [ -e $IPSEC_PLUTO_PID ]
|
|
then
|
|
$IPSEC_WHACK "$@" "--$op"
|
|
rc="$?"
|
|
fi
|
|
if [ -e $IPSEC_CHARON_PID ]
|
|
then
|
|
$IPSEC_STROKE "$op" "$@"
|
|
rc="$?"
|
|
fi
|
|
exit "$rc"
|
|
;;
|
|
purgeike)
|
|
rc=7
|
|
if [ -e $IPSEC_CHARON_PID ]
|
|
then
|
|
$IPSEC_STROKE purgeike
|
|
rc="$?"
|
|
fi
|
|
exit "$rc"
|
|
;;
|
|
ready)
|
|
shift
|
|
if [ -e $IPSEC_PLUTO_PID ]
|
|
then
|
|
$IPSEC_WHACK --listen
|
|
exit 0
|
|
else
|
|
exit 7
|
|
fi
|
|
;;
|
|
reload)
|
|
rc=7
|
|
if [ -e $IPSEC_STARTER_PID ]
|
|
then
|
|
echo "Reloading strongSwan IPsec configuration..." >&2
|
|
kill -USR1 `cat $IPSEC_STARTER_PID` 2>/dev/null && rc=0
|
|
else
|
|
echo "Reloading strongSwan IPsec failed: starter is not running" >&2
|
|
fi
|
|
exit "$rc"
|
|
;;
|
|
restart)
|
|
$IPSEC_SBINDIR/ipsec stop
|
|
sleep 2
|
|
shift
|
|
exec $IPSEC_SBINDIR/ipsec start "$@"
|
|
;;
|
|
route|unroute)
|
|
op="$1"
|
|
rc=7
|
|
shift
|
|
if [ "$#" -ne 1 ]
|
|
then
|
|
echo "Usage: ipsec $op <connection name>"
|
|
exit 2
|
|
fi
|
|
if [ -e $IPSEC_PLUTO_PID ]
|
|
then
|
|
$IPSEC_WHACK --name "$1" "--$op"
|
|
rc="$?"
|
|
fi
|
|
if [ -e $IPSEC_CHARON_PID ]
|
|
then
|
|
$IPSEC_STROKE "$op" "$1"
|
|
rc="$?"
|
|
fi
|
|
exit "$rc"
|
|
;;
|
|
scencrypt|scdecrypt)
|
|
op="$1"
|
|
shift
|
|
if [ -e $IPSEC_PLUTO_PID ]
|
|
then
|
|
$IPSEC_WHACK "--$op" "$@"
|
|
exit "$?"
|
|
else
|
|
exit 7
|
|
fi
|
|
;;
|
|
secrets)
|
|
rc=7
|
|
if [ -e $IPSEC_PLUTO_PID ]
|
|
then
|
|
$IPSEC_WHACK --rereadsecrets
|
|
rc="$?"
|
|
fi
|
|
if [ -e $IPSEC_CHARON_PID ]
|
|
then
|
|
$IPSEC_STROKE rereadsecrets
|
|
rc="$?"
|
|
fi
|
|
exit "$rc"
|
|
;;
|
|
start)
|
|
shift
|
|
if [ -d /var/lock/subsys ]; then
|
|
touch /var/lock/subsys/ipsec
|
|
fi
|
|
exec $IPSEC_STARTER "$@"
|
|
;;
|
|
status|statusall)
|
|
op="$1"
|
|
# Return value is slightly different for the status command:
|
|
# 0 - service up and running
|
|
# 1 - service dead, but /var/run/ pid file exists
|
|
# 2 - service dead, but /var/lock/ lock file exists
|
|
# 3 - service not running (unused)
|
|
# 4 - service status unknown :-(
|
|
# 5--199 reserved (5--99 LSB, 100--149 distro, 150--199 appl.)
|
|
shift
|
|
if [ $# -eq 0 ]
|
|
then
|
|
if [ -e $IPSEC_PLUTO_PID ]
|
|
then
|
|
$IPSEC_WHACK "--$op"
|
|
fi
|
|
if [ -e $IPSEC_CHARON_PID ]
|
|
then
|
|
$IPSEC_STROKE "$op"
|
|
fi
|
|
else
|
|
if [ -e $IPSEC_PLUTO_PID ]
|
|
then
|
|
$IPSEC_WHACK --name "$1" "--$op"
|
|
fi
|
|
if [ -e $IPSEC_CHARON_PID ]
|
|
then
|
|
$IPSEC_STROKE "$op" "$1"
|
|
fi
|
|
fi
|
|
if [ -e $IPSEC_STARTER_PID ]
|
|
then
|
|
kill -0 `cat $IPSEC_STARTER_PID` 2>/dev/null
|
|
exit $?
|
|
fi
|
|
exit 3
|
|
;;
|
|
stop)
|
|
# stopping a not-running service is considered as success
|
|
if [ -e $IPSEC_STARTER_PID ]
|
|
then
|
|
echo "Stopping strongSwan IPsec..." >&2
|
|
spid=`cat $IPSEC_STARTER_PID`
|
|
if [ -n "$spid" ]
|
|
then
|
|
kill $spid 2>/dev/null
|
|
loop=5
|
|
while [ $loop -gt 0 ] ; do
|
|
kill -0 $spid 2>/dev/null || break
|
|
sleep 1
|
|
loop=$(($loop - 1))
|
|
done
|
|
if [ $loop -eq 0 ]
|
|
then
|
|
kill -KILL $spid 2>/dev/null
|
|
rm -f $IPSEC_STARTER_PID
|
|
fi
|
|
fi
|
|
else
|
|
echo "Stopping strongSwan IPsec failed: starter is not running" >&2
|
|
fi
|
|
if [ -d /var/lock/subsys ]; then
|
|
rm -f /var/lock/subsys/ipsec
|
|
fi
|
|
exit 0
|
|
;;
|
|
up)
|
|
shift
|
|
if [ "$#" -ne 1 ]
|
|
then
|
|
echo "Usage: ipsec up <connection name>"
|
|
exit 2
|
|
fi
|
|
rc=7
|
|
if [ -e $IPSEC_PLUTO_PID ]
|
|
then
|
|
$IPSEC_WHACK --name "$1" --initiate
|
|
rc="$?"
|
|
fi
|
|
if [ -e $IPSEC_CHARON_PID ]
|
|
then
|
|
$IPSEC_STROKE up "$1"
|
|
rc="$?"
|
|
fi
|
|
exit "$rc"
|
|
;;
|
|
update)
|
|
if [ -e $IPSEC_STARTER_PID ]
|
|
then
|
|
echo "Updating strongSwan IPsec configuration..." >&2
|
|
kill -HUP `cat $IPSEC_STARTER_PID`
|
|
exit 0
|
|
else
|
|
echo "Updating strongSwan IPsec failed: starter is not running" >&2
|
|
exit 7
|
|
fi
|
|
;;
|
|
version|--version)
|
|
printf "Linux $IPSEC_NAME $IPSEC_VERSION\n"
|
|
printf "$IPSEC_DISTRO\n"
|
|
printf "See 'ipsec --copyright' for copyright information.\n"
|
|
exit 0
|
|
;;
|
|
--*)
|
|
echo "$0: unknown option \`$1' (perhaps command name was omitted?)" >&2
|
|
exit 2
|
|
;;
|
|
esac
|
|
|
|
cmd="$1"
|
|
shift
|
|
|
|
path="$IPSEC_DIR/$cmd"
|
|
|
|
if [ ! -x "$path" ]
|
|
then
|
|
path="$IPSEC_DIR/$cmd"
|
|
if [ ! -x "$path" ]
|
|
then
|
|
echo "$0: unknown IPsec command \`$cmd' (\`ipsec --help' for list)" >&2
|
|
exit 2
|
|
fi
|
|
fi
|
|
|
|
exec $path "$@"
|