diff options
Diffstat (limited to 'testing/tests/libipsec')
10 files changed, 717 insertions, 2040 deletions
diff --git a/testing/tests/libipsec/host2host-cert/hosts/moon/etc/updown b/testing/tests/libipsec/host2host-cert/hosts/moon/etc/updown index aea6d8555..7c510261d 100755 --- a/testing/tests/libipsec/host2host-cert/hosts/moon/etc/updown +++ b/testing/tests/libipsec/host2host-cert/hosts/moon/etc/updown @@ -1,5 +1,5 @@ -#! /bin/sh -# iproute2 version, default updown script +#!/bin/sh +# default updown script # # Copyright (C) 2003-2004 Nigel Meteringham # Copyright (C) 2003-2004 Tuomo Soini @@ -22,8 +22,6 @@ # that, and use the (left/right)updown parameters in ipsec.conf to make # strongSwan use yours instead of this default one. -# things that this script gets (from ipsec_pluto(8) man page) -# # PLUTO_VERSION # indicates what version of this interface is being # used. This document describes version 1.1. This @@ -41,15 +39,17 @@ # is the name of the connection for which we are # routing. # -# PLUTO_NEXT_HOP -# is the next hop to which packets bound for the peer -# must be sent. -# # PLUTO_INTERFACE # is the name of the ipsec interface to be used. # # PLUTO_REQID -# is the requid of the ESP policy +# is the requid of the AH|ESP policy +# +# PLUTO_PROTO +# is the negotiated IPsec protocol, ah|esp +# +# PLUTO_IPCOMP +# is not empty if IPComp was negotiated # # PLUTO_UNIQUEID # is the unique identifier of the associated IKE_SA @@ -66,15 +66,6 @@ # host's own IP address / max (where max is 32 for # IPv4 and 128 for IPv6). # -# PLUTO_MY_CLIENT_NET -# is the IP address of our client net. If the client -# is just the host, this will be the host's own IP -# address. -# -# PLUTO_MY_CLIENT_MASK -# is the mask for our client net. If the client is -# just the host, this will be 255.255.255.255. -# # PLUTO_MY_SOURCEIP # PLUTO_MY_SOURCEIP4_$i # PLUTO_MY_SOURCEIP6_$i @@ -88,7 +79,8 @@ # # PLUTO_MY_PORT # is the UDP/TCP port to which the IPsec SA is -# restricted on our side. +# restricted on our side. For ICMP/ICMPv6 this contains the +# message type, and PLUTO_PEER_PORT the message code. # # PLUTO_PEER # is the IP address of our peer. @@ -96,31 +88,19 @@ # PLUTO_PEER_ID # is the ID of our peer. # -# PLUTO_PEER_CA -# is the CA which issued the cert of our peer. -# # PLUTO_PEER_CLIENT # is the IP address / count of the peer's client sub- # net. If the client is just the peer, this will be # the peer's own IP address / max (where max is 32 # for IPv4 and 128 for IPv6). # -# PLUTO_PEER_CLIENT_NET -# is the IP address of the peer's client net. If the -# client is just the peer, this will be the peer's -# own IP address. -# -# PLUTO_PEER_CLIENT_MASK -# is the mask for the peer's client net. If the -# client is just the peer, this will be -# 255.255.255.255. -# # PLUTO_PEER_PROTOCOL # is the IP protocol that will be transported. # # PLUTO_PEER_PORT # is the UDP/TCP port to which the IPsec SA is -# restricted on the peer side. +# restricted on the peer side. For ICMP/ICMPv6 this contains the +# message code, and PLUTO_MY_PORT the message type. # # PLUTO_XAUTH_ID # is an optional user ID employed by the XAUTH protocol @@ -146,7 +126,7 @@ PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin" export PATH -# uncomment to log VPN connections +# comment to disable logging VPN connections to syslog VPN_LOGGING=1 # # tag put in front of each log entry: @@ -160,21 +140,11 @@ FAC_PRIO=local0.notice # # local0.notice -/var/log/vpn -# in order to use source IP routing the Linux kernel options -# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES -# must be enabled -# -# special routing table for sourceip routes -SOURCEIP_ROUTING_TABLE=220 -# -# priority of the sourceip routing table -SOURCEIP_ROUTING_TABLE_PRIO=220 - # check interface version case "$PLUTO_VERSION" in -1.[0|1]) # Older Pluto?!? Play it safe, script may be using new features. +1.[0|1]) # Older release?!? Play it safe, script may be using new features. echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2 - echo "$0: called by obsolete Pluto?" >&2 + echo "$0: called by obsolete release?" >&2 exit 2 ;; 1.*) ;; @@ -196,190 +166,52 @@ custom:*) # custom parameters (see above CAUTION comment) ;; esac -# utility functions for route manipulation -# Meddling with this stuff should not be necessary and requires great care. -uproute() { - doroute add - ip route flush cache -} -downroute() { - doroute delete - ip route flush cache -} - -addsource() { - st=0 - if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local - then - it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE" - oops="`eval $it 2>&1`" - st=$? - if test " $oops" = " " -a " $st" != " 0" - then - oops="silent error, exit status $st" - fi - if test " $oops" != " " -o " $st" != " 0" - then - echo "$0: addsource \`$it' failed ($oops)" >&2 - fi - fi - return $st -} - -doroute() { - st=0 - - if [ -z "$PLUTO_MY_SOURCEIP" ] - then - for dir in /etc/sysconfig /etc/conf.d; do - if [ -f "$dir/defaultsource" ] - then - . "$dir/defaultsource" - fi - done - - if [ -n "$DEFAULTSOURCE" ] - then - PLUTO_MY_SOURCEIP=$DEFAULTSOURCE - fi - fi - - if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ] - then - # leave because no route entry is required - return $st - fi - - parms1="$PLUTO_PEER_CLIENT" - - if [ -n "$PLUTO_NEXT_HOP" ] - then - parms2="via $PLUTO_NEXT_HOP" - else - parms2="via $PLUTO_PEER" - fi - parms2="$parms2 dev $PLUTO_INTERFACE" - - parms3= - if [ -n "$PLUTO_MY_SOURCEIP" ] - then - if test "$1" = "add" - then - addsource - if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE" - then - ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE - fi - fi - parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE" - fi +IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID" +IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" +IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" - case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in - "0.0.0.0/0.0.0.0") - # opportunistic encryption work around - # need to provide route that eclipses default, without - # replacing it. - it="ip route $1 0.0.0.0/1 $parms2 $parms3 && - ip route $1 128.0.0.0/1 $parms2 $parms3" - ;; - *) it="ip route $1 $parms1 $parms2 $parms3" - ;; - esac - oops="`eval $it 2>&1`" - st=$? - if test " $oops" = " " -a " $st" != " 0" - then - oops="silent error, exit status $st" - fi - if test " $oops" != " " -o " $st" != " 0" - then - echo "$0: doroute \`$it' failed ($oops)" >&2 - fi - return $st -} - -# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY -if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ] -then - KLIPS=1 - IPSEC_POLICY_IN="" - IPSEC_POLICY_OUT="" -else - KLIPS= - IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID" - IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" - IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" -fi +# use protocol specific options to set ports +case "$PLUTO_MY_PROTOCOL" in +1) # ICMP + ICMP_TYPE_OPTION="--icmp-type" + ;; +58) # ICMPv6 + ICMP_TYPE_OPTION="--icmpv6-type" + ;; +*) + ;; +esac # are there port numbers? if [ "$PLUTO_MY_PORT" != 0 ] then - S_MY_PORT="--sport $PLUTO_MY_PORT" - D_MY_PORT="--dport $PLUTO_MY_PORT" + if [ -n "$ICMP_TYPE_OPTION" ] + then + S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" + D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" + else + S_MY_PORT="--sport $PLUTO_MY_PORT" + D_MY_PORT="--dport $PLUTO_MY_PORT" + fi fi if [ "$PLUTO_PEER_PORT" != 0 ] then - S_PEER_PORT="--sport $PLUTO_PEER_PORT" - D_PEER_PORT="--dport $PLUTO_PEER_PORT" + if [ -n "$ICMP_TYPE_OPTION" ] + then + # the syntax is --icmp[v6]-type type[/code], so add it to the existing option + S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT" + D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT" + else + S_PEER_PORT="--sport $PLUTO_PEER_PORT" + D_PEER_PORT="--dport $PLUTO_PEER_PORT" + fi fi # resolve octal escape sequences PLUTO_MY_ID=`printf "$PLUTO_MY_ID"` PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"` -# the big choice case "$PLUTO_VERB:$1" in -prepare-host:*|prepare-client:*) - if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ] - then - # exit because no route will be added, - # so that existing routes can stay - exit 0 - fi - - # delete possibly-existing route (preliminary to adding a route) - case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in - "0.0.0.0/0.0.0.0") - # need to provide route that eclipses default, without - # replacing it. - parms1="0.0.0.0/1" - parms2="128.0.0.0/1" - it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1" - oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`" - ;; - *) - parms="$PLUTO_PEER_CLIENT" - it="ip route delete $parms 2>&1" - oops="`ip route delete $parms 2>&1`" - ;; - esac - status="$?" - if test " $oops" = " " -a " $status" != " 0" - then - oops="silent error, exit status $status" - fi - case "$oops" in - *'RTNETLINK answers: No such process'*) - # This is what route (currently -- not documented!) gives - # for "could not find such a route". - oops= - status=0 - ;; - esac - if test " $oops" != " " -o " $status" != " 0" - then - echo "$0: \`$it' failed ($oops)" >&2 - fi - exit $status - ;; -route-host:*|route-client:*) - # connection to me or my client subnet being routed - uproute - ;; -unroute-host:*|unroute-client:*) - # connection to me or my client subnet being unrouted - downroute - ;; up-host:) # connection to me coming up # If you are doing a custom version, firewall commands go here. @@ -421,6 +253,14 @@ up-host:iptables) -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # + # allow IPIP traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed) + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec host connection setup if [ $VPN_LOGGING ] then @@ -445,6 +285,13 @@ down-host:iptables) -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # + # IPIP exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec host connection teardown if [ $VPN_LOGGING ] then @@ -484,6 +331,15 @@ up-client:iptables) -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT fi # + # allow IPIP traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed). + # INPUT is correct here even for forwarded traffic. + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec client connection setup if [ $VPN_LOGGING ] then @@ -527,6 +383,13 @@ down-client:iptables) $IPSEC_POLICY_OUT -j ACCEPT fi # + # IPIP exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec client connection teardown if [ $VPN_LOGGING ] then @@ -543,16 +406,6 @@ down-client:iptables) # # IPv6 # -prepare-host-v6:*|prepare-client-v6:*) - ;; -route-host-v6:*|route-client-v6:*) - # connection to me or my client subnet being routed - #uproute_v6 - ;; -unroute-host-v6:*|unroute-client-v6:*) - # connection to me or my client subnet being unrouted - #downroute_v6 - ;; up-host-v6:) # connection to me coming up # If you are doing a custom version, firewall commands go here. diff --git a/testing/tests/libipsec/host2host-cert/hosts/sun/etc/updown b/testing/tests/libipsec/host2host-cert/hosts/sun/etc/updown index aea6d8555..7c510261d 100755 --- a/testing/tests/libipsec/host2host-cert/hosts/sun/etc/updown +++ b/testing/tests/libipsec/host2host-cert/hosts/sun/etc/updown @@ -1,5 +1,5 @@ -#! /bin/sh -# iproute2 version, default updown script +#!/bin/sh +# default updown script # # Copyright (C) 2003-2004 Nigel Meteringham # Copyright (C) 2003-2004 Tuomo Soini @@ -22,8 +22,6 @@ # that, and use the (left/right)updown parameters in ipsec.conf to make # strongSwan use yours instead of this default one. -# things that this script gets (from ipsec_pluto(8) man page) -# # PLUTO_VERSION # indicates what version of this interface is being # used. This document describes version 1.1. This @@ -41,15 +39,17 @@ # is the name of the connection for which we are # routing. # -# PLUTO_NEXT_HOP -# is the next hop to which packets bound for the peer -# must be sent. -# # PLUTO_INTERFACE # is the name of the ipsec interface to be used. # # PLUTO_REQID -# is the requid of the ESP policy +# is the requid of the AH|ESP policy +# +# PLUTO_PROTO +# is the negotiated IPsec protocol, ah|esp +# +# PLUTO_IPCOMP +# is not empty if IPComp was negotiated # # PLUTO_UNIQUEID # is the unique identifier of the associated IKE_SA @@ -66,15 +66,6 @@ # host's own IP address / max (where max is 32 for # IPv4 and 128 for IPv6). # -# PLUTO_MY_CLIENT_NET -# is the IP address of our client net. If the client -# is just the host, this will be the host's own IP -# address. -# -# PLUTO_MY_CLIENT_MASK -# is the mask for our client net. If the client is -# just the host, this will be 255.255.255.255. -# # PLUTO_MY_SOURCEIP # PLUTO_MY_SOURCEIP4_$i # PLUTO_MY_SOURCEIP6_$i @@ -88,7 +79,8 @@ # # PLUTO_MY_PORT # is the UDP/TCP port to which the IPsec SA is -# restricted on our side. +# restricted on our side. For ICMP/ICMPv6 this contains the +# message type, and PLUTO_PEER_PORT the message code. # # PLUTO_PEER # is the IP address of our peer. @@ -96,31 +88,19 @@ # PLUTO_PEER_ID # is the ID of our peer. # -# PLUTO_PEER_CA -# is the CA which issued the cert of our peer. -# # PLUTO_PEER_CLIENT # is the IP address / count of the peer's client sub- # net. If the client is just the peer, this will be # the peer's own IP address / max (where max is 32 # for IPv4 and 128 for IPv6). # -# PLUTO_PEER_CLIENT_NET -# is the IP address of the peer's client net. If the -# client is just the peer, this will be the peer's -# own IP address. -# -# PLUTO_PEER_CLIENT_MASK -# is the mask for the peer's client net. If the -# client is just the peer, this will be -# 255.255.255.255. -# # PLUTO_PEER_PROTOCOL # is the IP protocol that will be transported. # # PLUTO_PEER_PORT # is the UDP/TCP port to which the IPsec SA is -# restricted on the peer side. +# restricted on the peer side. For ICMP/ICMPv6 this contains the +# message code, and PLUTO_MY_PORT the message type. # # PLUTO_XAUTH_ID # is an optional user ID employed by the XAUTH protocol @@ -146,7 +126,7 @@ PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin" export PATH -# uncomment to log VPN connections +# comment to disable logging VPN connections to syslog VPN_LOGGING=1 # # tag put in front of each log entry: @@ -160,21 +140,11 @@ FAC_PRIO=local0.notice # # local0.notice -/var/log/vpn -# in order to use source IP routing the Linux kernel options -# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES -# must be enabled -# -# special routing table for sourceip routes -SOURCEIP_ROUTING_TABLE=220 -# -# priority of the sourceip routing table -SOURCEIP_ROUTING_TABLE_PRIO=220 - # check interface version case "$PLUTO_VERSION" in -1.[0|1]) # Older Pluto?!? Play it safe, script may be using new features. +1.[0|1]) # Older release?!? Play it safe, script may be using new features. echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2 - echo "$0: called by obsolete Pluto?" >&2 + echo "$0: called by obsolete release?" >&2 exit 2 ;; 1.*) ;; @@ -196,190 +166,52 @@ custom:*) # custom parameters (see above CAUTION comment) ;; esac -# utility functions for route manipulation -# Meddling with this stuff should not be necessary and requires great care. -uproute() { - doroute add - ip route flush cache -} -downroute() { - doroute delete - ip route flush cache -} - -addsource() { - st=0 - if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local - then - it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE" - oops="`eval $it 2>&1`" - st=$? - if test " $oops" = " " -a " $st" != " 0" - then - oops="silent error, exit status $st" - fi - if test " $oops" != " " -o " $st" != " 0" - then - echo "$0: addsource \`$it' failed ($oops)" >&2 - fi - fi - return $st -} - -doroute() { - st=0 - - if [ -z "$PLUTO_MY_SOURCEIP" ] - then - for dir in /etc/sysconfig /etc/conf.d; do - if [ -f "$dir/defaultsource" ] - then - . "$dir/defaultsource" - fi - done - - if [ -n "$DEFAULTSOURCE" ] - then - PLUTO_MY_SOURCEIP=$DEFAULTSOURCE - fi - fi - - if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ] - then - # leave because no route entry is required - return $st - fi - - parms1="$PLUTO_PEER_CLIENT" - - if [ -n "$PLUTO_NEXT_HOP" ] - then - parms2="via $PLUTO_NEXT_HOP" - else - parms2="via $PLUTO_PEER" - fi - parms2="$parms2 dev $PLUTO_INTERFACE" - - parms3= - if [ -n "$PLUTO_MY_SOURCEIP" ] - then - if test "$1" = "add" - then - addsource - if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE" - then - ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE - fi - fi - parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE" - fi +IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID" +IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" +IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" - case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in - "0.0.0.0/0.0.0.0") - # opportunistic encryption work around - # need to provide route that eclipses default, without - # replacing it. - it="ip route $1 0.0.0.0/1 $parms2 $parms3 && - ip route $1 128.0.0.0/1 $parms2 $parms3" - ;; - *) it="ip route $1 $parms1 $parms2 $parms3" - ;; - esac - oops="`eval $it 2>&1`" - st=$? - if test " $oops" = " " -a " $st" != " 0" - then - oops="silent error, exit status $st" - fi - if test " $oops" != " " -o " $st" != " 0" - then - echo "$0: doroute \`$it' failed ($oops)" >&2 - fi - return $st -} - -# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY -if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ] -then - KLIPS=1 - IPSEC_POLICY_IN="" - IPSEC_POLICY_OUT="" -else - KLIPS= - IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID" - IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" - IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" -fi +# use protocol specific options to set ports +case "$PLUTO_MY_PROTOCOL" in +1) # ICMP + ICMP_TYPE_OPTION="--icmp-type" + ;; +58) # ICMPv6 + ICMP_TYPE_OPTION="--icmpv6-type" + ;; +*) + ;; +esac # are there port numbers? if [ "$PLUTO_MY_PORT" != 0 ] then - S_MY_PORT="--sport $PLUTO_MY_PORT" - D_MY_PORT="--dport $PLUTO_MY_PORT" + if [ -n "$ICMP_TYPE_OPTION" ] + then + S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" + D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" + else + S_MY_PORT="--sport $PLUTO_MY_PORT" + D_MY_PORT="--dport $PLUTO_MY_PORT" + fi fi if [ "$PLUTO_PEER_PORT" != 0 ] then - S_PEER_PORT="--sport $PLUTO_PEER_PORT" - D_PEER_PORT="--dport $PLUTO_PEER_PORT" + if [ -n "$ICMP_TYPE_OPTION" ] + then + # the syntax is --icmp[v6]-type type[/code], so add it to the existing option + S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT" + D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT" + else + S_PEER_PORT="--sport $PLUTO_PEER_PORT" + D_PEER_PORT="--dport $PLUTO_PEER_PORT" + fi fi # resolve octal escape sequences PLUTO_MY_ID=`printf "$PLUTO_MY_ID"` PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"` -# the big choice case "$PLUTO_VERB:$1" in -prepare-host:*|prepare-client:*) - if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ] - then - # exit because no route will be added, - # so that existing routes can stay - exit 0 - fi - - # delete possibly-existing route (preliminary to adding a route) - case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in - "0.0.0.0/0.0.0.0") - # need to provide route that eclipses default, without - # replacing it. - parms1="0.0.0.0/1" - parms2="128.0.0.0/1" - it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1" - oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`" - ;; - *) - parms="$PLUTO_PEER_CLIENT" - it="ip route delete $parms 2>&1" - oops="`ip route delete $parms 2>&1`" - ;; - esac - status="$?" - if test " $oops" = " " -a " $status" != " 0" - then - oops="silent error, exit status $status" - fi - case "$oops" in - *'RTNETLINK answers: No such process'*) - # This is what route (currently -- not documented!) gives - # for "could not find such a route". - oops= - status=0 - ;; - esac - if test " $oops" != " " -o " $status" != " 0" - then - echo "$0: \`$it' failed ($oops)" >&2 - fi - exit $status - ;; -route-host:*|route-client:*) - # connection to me or my client subnet being routed - uproute - ;; -unroute-host:*|unroute-client:*) - # connection to me or my client subnet being unrouted - downroute - ;; up-host:) # connection to me coming up # If you are doing a custom version, firewall commands go here. @@ -421,6 +253,14 @@ up-host:iptables) -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # + # allow IPIP traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed) + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec host connection setup if [ $VPN_LOGGING ] then @@ -445,6 +285,13 @@ down-host:iptables) -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # + # IPIP exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec host connection teardown if [ $VPN_LOGGING ] then @@ -484,6 +331,15 @@ up-client:iptables) -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT fi # + # allow IPIP traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed). + # INPUT is correct here even for forwarded traffic. + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec client connection setup if [ $VPN_LOGGING ] then @@ -527,6 +383,13 @@ down-client:iptables) $IPSEC_POLICY_OUT -j ACCEPT fi # + # IPIP exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec client connection teardown if [ $VPN_LOGGING ] then @@ -543,16 +406,6 @@ down-client:iptables) # # IPv6 # -prepare-host-v6:*|prepare-client-v6:*) - ;; -route-host-v6:*|route-client-v6:*) - # connection to me or my client subnet being routed - #uproute_v6 - ;; -unroute-host-v6:*|unroute-client-v6:*) - # connection to me or my client subnet being unrouted - #downroute_v6 - ;; up-host-v6:) # connection to me coming up # If you are doing a custom version, firewall commands go here. diff --git a/testing/tests/libipsec/net2net-3des/hosts/moon/etc/updown b/testing/tests/libipsec/net2net-3des/hosts/moon/etc/updown index 1a68ada0e..1b362e65c 100755 --- a/testing/tests/libipsec/net2net-3des/hosts/moon/etc/updown +++ b/testing/tests/libipsec/net2net-3des/hosts/moon/etc/updown @@ -1,5 +1,5 @@ -#! /bin/sh -# iproute2 version, default updown script +#!/bin/sh +# default updown script # # Copyright (C) 2003-2004 Nigel Meteringham # Copyright (C) 2003-2004 Tuomo Soini @@ -22,8 +22,6 @@ # that, and use the (left/right)updown parameters in ipsec.conf to make # strongSwan use yours instead of this default one. -# things that this script gets (from ipsec_pluto(8) man page) -# # PLUTO_VERSION # indicates what version of this interface is being # used. This document describes version 1.1. This @@ -41,15 +39,17 @@ # is the name of the connection for which we are # routing. # -# PLUTO_NEXT_HOP -# is the next hop to which packets bound for the peer -# must be sent. -# # PLUTO_INTERFACE # is the name of the ipsec interface to be used. # # PLUTO_REQID -# is the requid of the ESP policy +# is the requid of the AH|ESP policy +# +# PLUTO_PROTO +# is the negotiated IPsec protocol, ah|esp +# +# PLUTO_IPCOMP +# is not empty if IPComp was negotiated # # PLUTO_UNIQUEID # is the unique identifier of the associated IKE_SA @@ -66,15 +66,6 @@ # host's own IP address / max (where max is 32 for # IPv4 and 128 for IPv6). # -# PLUTO_MY_CLIENT_NET -# is the IP address of our client net. If the client -# is just the host, this will be the host's own IP -# address. -# -# PLUTO_MY_CLIENT_MASK -# is the mask for our client net. If the client is -# just the host, this will be 255.255.255.255. -# # PLUTO_MY_SOURCEIP # PLUTO_MY_SOURCEIP4_$i # PLUTO_MY_SOURCEIP6_$i @@ -88,7 +79,8 @@ # # PLUTO_MY_PORT # is the UDP/TCP port to which the IPsec SA is -# restricted on our side. +# restricted on our side. For ICMP/ICMPv6 this contains the +# message type, and PLUTO_PEER_PORT the message code. # # PLUTO_PEER # is the IP address of our peer. @@ -96,31 +88,19 @@ # PLUTO_PEER_ID # is the ID of our peer. # -# PLUTO_PEER_CA -# is the CA which issued the cert of our peer. -# # PLUTO_PEER_CLIENT # is the IP address / count of the peer's client sub- # net. If the client is just the peer, this will be # the peer's own IP address / max (where max is 32 # for IPv4 and 128 for IPv6). # -# PLUTO_PEER_CLIENT_NET -# is the IP address of the peer's client net. If the -# client is just the peer, this will be the peer's -# own IP address. -# -# PLUTO_PEER_CLIENT_MASK -# is the mask for the peer's client net. If the -# client is just the peer, this will be -# 255.255.255.255. -# # PLUTO_PEER_PROTOCOL # is the IP protocol that will be transported. # # PLUTO_PEER_PORT # is the UDP/TCP port to which the IPsec SA is -# restricted on the peer side. +# restricted on the peer side. For ICMP/ICMPv6 this contains the +# message code, and PLUTO_MY_PORT the message type. # # PLUTO_XAUTH_ID # is an optional user ID employed by the XAUTH protocol @@ -146,7 +126,7 @@ PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin" export PATH -# uncomment to log VPN connections +# comment to disable logging VPN connections to syslog VPN_LOGGING=1 # # tag put in front of each log entry: @@ -160,21 +140,11 @@ FAC_PRIO=local0.notice # # local0.notice -/var/log/vpn -# in order to use source IP routing the Linux kernel options -# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES -# must be enabled -# -# special routing table for sourceip routes -SOURCEIP_ROUTING_TABLE=220 -# -# priority of the sourceip routing table -SOURCEIP_ROUTING_TABLE_PRIO=220 - # check interface version case "$PLUTO_VERSION" in -1.[0|1]) # Older Pluto?!? Play it safe, script may be using new features. +1.[0|1]) # Older release?!? Play it safe, script may be using new features. echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2 - echo "$0: called by obsolete Pluto?" >&2 + echo "$0: called by obsolete release?" >&2 exit 2 ;; 1.*) ;; @@ -196,190 +166,52 @@ custom:*) # custom parameters (see above CAUTION comment) ;; esac -# utility functions for route manipulation -# Meddling with this stuff should not be necessary and requires great care. -uproute() { - doroute add - ip route flush cache -} -downroute() { - doroute delete - ip route flush cache -} - -addsource() { - st=0 - if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local - then - it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE" - oops="`eval $it 2>&1`" - st=$? - if test " $oops" = " " -a " $st" != " 0" - then - oops="silent error, exit status $st" - fi - if test " $oops" != " " -o " $st" != " 0" - then - echo "$0: addsource \`$it' failed ($oops)" >&2 - fi - fi - return $st -} - -doroute() { - st=0 - - if [ -z "$PLUTO_MY_SOURCEIP" ] - then - for dir in /etc/sysconfig /etc/conf.d; do - if [ -f "$dir/defaultsource" ] - then - . "$dir/defaultsource" - fi - done - - if [ -n "$DEFAULTSOURCE" ] - then - PLUTO_MY_SOURCEIP=$DEFAULTSOURCE - fi - fi - - if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ] - then - # leave because no route entry is required - return $st - fi - - parms1="$PLUTO_PEER_CLIENT" - - if [ -n "$PLUTO_NEXT_HOP" ] - then - parms2="via $PLUTO_NEXT_HOP" - else - parms2="via $PLUTO_PEER" - fi - parms2="$parms2 dev $PLUTO_INTERFACE" - - parms3= - if [ -n "$PLUTO_MY_SOURCEIP" ] - then - if test "$1" = "add" - then - addsource - if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE" - then - ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE - fi - fi - parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE" - fi +IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID" +IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" +IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" - case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in - "0.0.0.0/0.0.0.0") - # opportunistic encryption work around - # need to provide route that eclipses default, without - # replacing it. - it="ip route $1 0.0.0.0/1 $parms2 $parms3 && - ip route $1 128.0.0.0/1 $parms2 $parms3" - ;; - *) it="ip route $1 $parms1 $parms2 $parms3" - ;; - esac - oops="`eval $it 2>&1`" - st=$? - if test " $oops" = " " -a " $st" != " 0" - then - oops="silent error, exit status $st" - fi - if test " $oops" != " " -o " $st" != " 0" - then - echo "$0: doroute \`$it' failed ($oops)" >&2 - fi - return $st -} - -# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY -if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ] -then - KLIPS=1 - IPSEC_POLICY_IN="" - IPSEC_POLICY_OUT="" -else - KLIPS= - IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID" - IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" - IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" -fi +# use protocol specific options to set ports +case "$PLUTO_MY_PROTOCOL" in +1) # ICMP + ICMP_TYPE_OPTION="--icmp-type" + ;; +58) # ICMPv6 + ICMP_TYPE_OPTION="--icmpv6-type" + ;; +*) + ;; +esac # are there port numbers? if [ "$PLUTO_MY_PORT" != 0 ] then - S_MY_PORT="--sport $PLUTO_MY_PORT" - D_MY_PORT="--dport $PLUTO_MY_PORT" + if [ -n "$ICMP_TYPE_OPTION" ] + then + S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" + D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" + else + S_MY_PORT="--sport $PLUTO_MY_PORT" + D_MY_PORT="--dport $PLUTO_MY_PORT" + fi fi if [ "$PLUTO_PEER_PORT" != 0 ] then - S_PEER_PORT="--sport $PLUTO_PEER_PORT" - D_PEER_PORT="--dport $PLUTO_PEER_PORT" + if [ -n "$ICMP_TYPE_OPTION" ] + then + # the syntax is --icmp[v6]-type type[/code], so add it to the existing option + S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT" + D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT" + else + S_PEER_PORT="--sport $PLUTO_PEER_PORT" + D_PEER_PORT="--dport $PLUTO_PEER_PORT" + fi fi # resolve octal escape sequences PLUTO_MY_ID=`printf "$PLUTO_MY_ID"` PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"` -# the big choice case "$PLUTO_VERB:$1" in -prepare-host:*|prepare-client:*) - if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ] - then - # exit because no route will be added, - # so that existing routes can stay - exit 0 - fi - - # delete possibly-existing route (preliminary to adding a route) - case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in - "0.0.0.0/0.0.0.0") - # need to provide route that eclipses default, without - # replacing it. - parms1="0.0.0.0/1" - parms2="128.0.0.0/1" - it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1" - oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`" - ;; - *) - parms="$PLUTO_PEER_CLIENT" - it="ip route delete $parms 2>&1" - oops="`ip route delete $parms 2>&1`" - ;; - esac - status="$?" - if test " $oops" = " " -a " $status" != " 0" - then - oops="silent error, exit status $status" - fi - case "$oops" in - *'RTNETLINK answers: No such process'*) - # This is what route (currently -- not documented!) gives - # for "could not find such a route". - oops= - status=0 - ;; - esac - if test " $oops" != " " -o " $status" != " 0" - then - echo "$0: \`$it' failed ($oops)" >&2 - fi - exit $status - ;; -route-host:*|route-client:*) - # connection to me or my client subnet being routed - uproute - ;; -unroute-host:*|unroute-client:*) - # connection to me or my client subnet being unrouted - downroute - ;; up-host:) # connection to me coming up # If you are doing a custom version, firewall commands go here. @@ -421,6 +253,14 @@ up-host:iptables) -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # + # allow IPIP traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed) + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec host connection setup if [ $VPN_LOGGING ] then @@ -445,6 +285,13 @@ down-host:iptables) -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # + # IPIP exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec host connection teardown if [ $VPN_LOGGING ] then @@ -484,6 +331,15 @@ up-client:iptables) -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT fi # + # allow IPIP traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed). + # INPUT is correct here even for forwarded traffic. + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec client connection setup if [ $VPN_LOGGING ] then @@ -527,6 +383,13 @@ down-client:iptables) $IPSEC_POLICY_OUT -j ACCEPT fi # + # IPIP exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec client connection teardown if [ $VPN_LOGGING ] then @@ -543,16 +406,6 @@ down-client:iptables) # # IPv6 # -prepare-host-v6:*|prepare-client-v6:*) - ;; -route-host-v6:*|route-client-v6:*) - # connection to me or my client subnet being routed - #uproute_v6 - ;; -unroute-host-v6:*|unroute-client-v6:*) - # connection to me or my client subnet being unrouted - #downroute_v6 - ;; up-host-v6:) # connection to me coming up # If you are doing a custom version, firewall commands go here. diff --git a/testing/tests/libipsec/net2net-3des/hosts/sun/etc/updown b/testing/tests/libipsec/net2net-3des/hosts/sun/etc/updown index 1a68ada0e..1b362e65c 100755 --- a/testing/tests/libipsec/net2net-3des/hosts/sun/etc/updown +++ b/testing/tests/libipsec/net2net-3des/hosts/sun/etc/updown @@ -1,5 +1,5 @@ -#! /bin/sh -# iproute2 version, default updown script +#!/bin/sh +# default updown script # # Copyright (C) 2003-2004 Nigel Meteringham # Copyright (C) 2003-2004 Tuomo Soini @@ -22,8 +22,6 @@ # that, and use the (left/right)updown parameters in ipsec.conf to make # strongSwan use yours instead of this default one. -# things that this script gets (from ipsec_pluto(8) man page) -# # PLUTO_VERSION # indicates what version of this interface is being # used. This document describes version 1.1. This @@ -41,15 +39,17 @@ # is the name of the connection for which we are # routing. # -# PLUTO_NEXT_HOP -# is the next hop to which packets bound for the peer -# must be sent. -# # PLUTO_INTERFACE # is the name of the ipsec interface to be used. # # PLUTO_REQID -# is the requid of the ESP policy +# is the requid of the AH|ESP policy +# +# PLUTO_PROTO +# is the negotiated IPsec protocol, ah|esp +# +# PLUTO_IPCOMP +# is not empty if IPComp was negotiated # # PLUTO_UNIQUEID # is the unique identifier of the associated IKE_SA @@ -66,15 +66,6 @@ # host's own IP address / max (where max is 32 for # IPv4 and 128 for IPv6). # -# PLUTO_MY_CLIENT_NET -# is the IP address of our client net. If the client -# is just the host, this will be the host's own IP -# address. -# -# PLUTO_MY_CLIENT_MASK -# is the mask for our client net. If the client is -# just the host, this will be 255.255.255.255. -# # PLUTO_MY_SOURCEIP # PLUTO_MY_SOURCEIP4_$i # PLUTO_MY_SOURCEIP6_$i @@ -88,7 +79,8 @@ # # PLUTO_MY_PORT # is the UDP/TCP port to which the IPsec SA is -# restricted on our side. +# restricted on our side. For ICMP/ICMPv6 this contains the +# message type, and PLUTO_PEER_PORT the message code. # # PLUTO_PEER # is the IP address of our peer. @@ -96,31 +88,19 @@ # PLUTO_PEER_ID # is the ID of our peer. # -# PLUTO_PEER_CA -# is the CA which issued the cert of our peer. -# # PLUTO_PEER_CLIENT # is the IP address / count of the peer's client sub- # net. If the client is just the peer, this will be # the peer's own IP address / max (where max is 32 # for IPv4 and 128 for IPv6). # -# PLUTO_PEER_CLIENT_NET -# is the IP address of the peer's client net. If the -# client is just the peer, this will be the peer's -# own IP address. -# -# PLUTO_PEER_CLIENT_MASK -# is the mask for the peer's client net. If the -# client is just the peer, this will be -# 255.255.255.255. -# # PLUTO_PEER_PROTOCOL # is the IP protocol that will be transported. # # PLUTO_PEER_PORT # is the UDP/TCP port to which the IPsec SA is -# restricted on the peer side. +# restricted on the peer side. For ICMP/ICMPv6 this contains the +# message code, and PLUTO_MY_PORT the message type. # # PLUTO_XAUTH_ID # is an optional user ID employed by the XAUTH protocol @@ -146,7 +126,7 @@ PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin" export PATH -# uncomment to log VPN connections +# comment to disable logging VPN connections to syslog VPN_LOGGING=1 # # tag put in front of each log entry: @@ -160,21 +140,11 @@ FAC_PRIO=local0.notice # # local0.notice -/var/log/vpn -# in order to use source IP routing the Linux kernel options -# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES -# must be enabled -# -# special routing table for sourceip routes -SOURCEIP_ROUTING_TABLE=220 -# -# priority of the sourceip routing table -SOURCEIP_ROUTING_TABLE_PRIO=220 - # check interface version case "$PLUTO_VERSION" in -1.[0|1]) # Older Pluto?!? Play it safe, script may be using new features. +1.[0|1]) # Older release?!? Play it safe, script may be using new features. echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2 - echo "$0: called by obsolete Pluto?" >&2 + echo "$0: called by obsolete release?" >&2 exit 2 ;; 1.*) ;; @@ -196,190 +166,52 @@ custom:*) # custom parameters (see above CAUTION comment) ;; esac -# utility functions for route manipulation -# Meddling with this stuff should not be necessary and requires great care. -uproute() { - doroute add - ip route flush cache -} -downroute() { - doroute delete - ip route flush cache -} - -addsource() { - st=0 - if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local - then - it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE" - oops="`eval $it 2>&1`" - st=$? - if test " $oops" = " " -a " $st" != " 0" - then - oops="silent error, exit status $st" - fi - if test " $oops" != " " -o " $st" != " 0" - then - echo "$0: addsource \`$it' failed ($oops)" >&2 - fi - fi - return $st -} - -doroute() { - st=0 - - if [ -z "$PLUTO_MY_SOURCEIP" ] - then - for dir in /etc/sysconfig /etc/conf.d; do - if [ -f "$dir/defaultsource" ] - then - . "$dir/defaultsource" - fi - done - - if [ -n "$DEFAULTSOURCE" ] - then - PLUTO_MY_SOURCEIP=$DEFAULTSOURCE - fi - fi - - if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ] - then - # leave because no route entry is required - return $st - fi - - parms1="$PLUTO_PEER_CLIENT" - - if [ -n "$PLUTO_NEXT_HOP" ] - then - parms2="via $PLUTO_NEXT_HOP" - else - parms2="via $PLUTO_PEER" - fi - parms2="$parms2 dev $PLUTO_INTERFACE" - - parms3= - if [ -n "$PLUTO_MY_SOURCEIP" ] - then - if test "$1" = "add" - then - addsource - if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE" - then - ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE - fi - fi - parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE" - fi +IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID" +IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" +IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" - case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in - "0.0.0.0/0.0.0.0") - # opportunistic encryption work around - # need to provide route that eclipses default, without - # replacing it. - it="ip route $1 0.0.0.0/1 $parms2 $parms3 && - ip route $1 128.0.0.0/1 $parms2 $parms3" - ;; - *) it="ip route $1 $parms1 $parms2 $parms3" - ;; - esac - oops="`eval $it 2>&1`" - st=$? - if test " $oops" = " " -a " $st" != " 0" - then - oops="silent error, exit status $st" - fi - if test " $oops" != " " -o " $st" != " 0" - then - echo "$0: doroute \`$it' failed ($oops)" >&2 - fi - return $st -} - -# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY -if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ] -then - KLIPS=1 - IPSEC_POLICY_IN="" - IPSEC_POLICY_OUT="" -else - KLIPS= - IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID" - IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" - IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" -fi +# use protocol specific options to set ports +case "$PLUTO_MY_PROTOCOL" in +1) # ICMP + ICMP_TYPE_OPTION="--icmp-type" + ;; +58) # ICMPv6 + ICMP_TYPE_OPTION="--icmpv6-type" + ;; +*) + ;; +esac # are there port numbers? if [ "$PLUTO_MY_PORT" != 0 ] then - S_MY_PORT="--sport $PLUTO_MY_PORT" - D_MY_PORT="--dport $PLUTO_MY_PORT" + if [ -n "$ICMP_TYPE_OPTION" ] + then + S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" + D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" + else + S_MY_PORT="--sport $PLUTO_MY_PORT" + D_MY_PORT="--dport $PLUTO_MY_PORT" + fi fi if [ "$PLUTO_PEER_PORT" != 0 ] then - S_PEER_PORT="--sport $PLUTO_PEER_PORT" - D_PEER_PORT="--dport $PLUTO_PEER_PORT" + if [ -n "$ICMP_TYPE_OPTION" ] + then + # the syntax is --icmp[v6]-type type[/code], so add it to the existing option + S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT" + D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT" + else + S_PEER_PORT="--sport $PLUTO_PEER_PORT" + D_PEER_PORT="--dport $PLUTO_PEER_PORT" + fi fi # resolve octal escape sequences PLUTO_MY_ID=`printf "$PLUTO_MY_ID"` PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"` -# the big choice case "$PLUTO_VERB:$1" in -prepare-host:*|prepare-client:*) - if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ] - then - # exit because no route will be added, - # so that existing routes can stay - exit 0 - fi - - # delete possibly-existing route (preliminary to adding a route) - case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in - "0.0.0.0/0.0.0.0") - # need to provide route that eclipses default, without - # replacing it. - parms1="0.0.0.0/1" - parms2="128.0.0.0/1" - it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1" - oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`" - ;; - *) - parms="$PLUTO_PEER_CLIENT" - it="ip route delete $parms 2>&1" - oops="`ip route delete $parms 2>&1`" - ;; - esac - status="$?" - if test " $oops" = " " -a " $status" != " 0" - then - oops="silent error, exit status $status" - fi - case "$oops" in - *'RTNETLINK answers: No such process'*) - # This is what route (currently -- not documented!) gives - # for "could not find such a route". - oops= - status=0 - ;; - esac - if test " $oops" != " " -o " $status" != " 0" - then - echo "$0: \`$it' failed ($oops)" >&2 - fi - exit $status - ;; -route-host:*|route-client:*) - # connection to me or my client subnet being routed - uproute - ;; -unroute-host:*|unroute-client:*) - # connection to me or my client subnet being unrouted - downroute - ;; up-host:) # connection to me coming up # If you are doing a custom version, firewall commands go here. @@ -421,6 +253,14 @@ up-host:iptables) -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # + # allow IPIP traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed) + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec host connection setup if [ $VPN_LOGGING ] then @@ -445,6 +285,13 @@ down-host:iptables) -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # + # IPIP exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec host connection teardown if [ $VPN_LOGGING ] then @@ -484,6 +331,15 @@ up-client:iptables) -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT fi # + # allow IPIP traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed). + # INPUT is correct here even for forwarded traffic. + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec client connection setup if [ $VPN_LOGGING ] then @@ -527,6 +383,13 @@ down-client:iptables) $IPSEC_POLICY_OUT -j ACCEPT fi # + # IPIP exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec client connection teardown if [ $VPN_LOGGING ] then @@ -543,16 +406,6 @@ down-client:iptables) # # IPv6 # -prepare-host-v6:*|prepare-client-v6:*) - ;; -route-host-v6:*|route-client-v6:*) - # connection to me or my client subnet being routed - #uproute_v6 - ;; -unroute-host-v6:*|unroute-client-v6:*) - # connection to me or my client subnet being unrouted - #downroute_v6 - ;; up-host-v6:) # connection to me coming up # If you are doing a custom version, firewall commands go here. diff --git a/testing/tests/libipsec/net2net-cert/hosts/moon/etc/updown b/testing/tests/libipsec/net2net-cert/hosts/moon/etc/updown index 1a68ada0e..1b362e65c 100755 --- a/testing/tests/libipsec/net2net-cert/hosts/moon/etc/updown +++ b/testing/tests/libipsec/net2net-cert/hosts/moon/etc/updown @@ -1,5 +1,5 @@ -#! /bin/sh -# iproute2 version, default updown script +#!/bin/sh +# default updown script # # Copyright (C) 2003-2004 Nigel Meteringham # Copyright (C) 2003-2004 Tuomo Soini @@ -22,8 +22,6 @@ # that, and use the (left/right)updown parameters in ipsec.conf to make # strongSwan use yours instead of this default one. -# things that this script gets (from ipsec_pluto(8) man page) -# # PLUTO_VERSION # indicates what version of this interface is being # used. This document describes version 1.1. This @@ -41,15 +39,17 @@ # is the name of the connection for which we are # routing. # -# PLUTO_NEXT_HOP -# is the next hop to which packets bound for the peer -# must be sent. -# # PLUTO_INTERFACE # is the name of the ipsec interface to be used. # # PLUTO_REQID -# is the requid of the ESP policy +# is the requid of the AH|ESP policy +# +# PLUTO_PROTO +# is the negotiated IPsec protocol, ah|esp +# +# PLUTO_IPCOMP +# is not empty if IPComp was negotiated # # PLUTO_UNIQUEID # is the unique identifier of the associated IKE_SA @@ -66,15 +66,6 @@ # host's own IP address / max (where max is 32 for # IPv4 and 128 for IPv6). # -# PLUTO_MY_CLIENT_NET -# is the IP address of our client net. If the client -# is just the host, this will be the host's own IP -# address. -# -# PLUTO_MY_CLIENT_MASK -# is the mask for our client net. If the client is -# just the host, this will be 255.255.255.255. -# # PLUTO_MY_SOURCEIP # PLUTO_MY_SOURCEIP4_$i # PLUTO_MY_SOURCEIP6_$i @@ -88,7 +79,8 @@ # # PLUTO_MY_PORT # is the UDP/TCP port to which the IPsec SA is -# restricted on our side. +# restricted on our side. For ICMP/ICMPv6 this contains the +# message type, and PLUTO_PEER_PORT the message code. # # PLUTO_PEER # is the IP address of our peer. @@ -96,31 +88,19 @@ # PLUTO_PEER_ID # is the ID of our peer. # -# PLUTO_PEER_CA -# is the CA which issued the cert of our peer. -# # PLUTO_PEER_CLIENT # is the IP address / count of the peer's client sub- # net. If the client is just the peer, this will be # the peer's own IP address / max (where max is 32 # for IPv4 and 128 for IPv6). # -# PLUTO_PEER_CLIENT_NET -# is the IP address of the peer's client net. If the -# client is just the peer, this will be the peer's -# own IP address. -# -# PLUTO_PEER_CLIENT_MASK -# is the mask for the peer's client net. If the -# client is just the peer, this will be -# 255.255.255.255. -# # PLUTO_PEER_PROTOCOL # is the IP protocol that will be transported. # # PLUTO_PEER_PORT # is the UDP/TCP port to which the IPsec SA is -# restricted on the peer side. +# restricted on the peer side. For ICMP/ICMPv6 this contains the +# message code, and PLUTO_MY_PORT the message type. # # PLUTO_XAUTH_ID # is an optional user ID employed by the XAUTH protocol @@ -146,7 +126,7 @@ PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin" export PATH -# uncomment to log VPN connections +# comment to disable logging VPN connections to syslog VPN_LOGGING=1 # # tag put in front of each log entry: @@ -160,21 +140,11 @@ FAC_PRIO=local0.notice # # local0.notice -/var/log/vpn -# in order to use source IP routing the Linux kernel options -# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES -# must be enabled -# -# special routing table for sourceip routes -SOURCEIP_ROUTING_TABLE=220 -# -# priority of the sourceip routing table -SOURCEIP_ROUTING_TABLE_PRIO=220 - # check interface version case "$PLUTO_VERSION" in -1.[0|1]) # Older Pluto?!? Play it safe, script may be using new features. +1.[0|1]) # Older release?!? Play it safe, script may be using new features. echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2 - echo "$0: called by obsolete Pluto?" >&2 + echo "$0: called by obsolete release?" >&2 exit 2 ;; 1.*) ;; @@ -196,190 +166,52 @@ custom:*) # custom parameters (see above CAUTION comment) ;; esac -# utility functions for route manipulation -# Meddling with this stuff should not be necessary and requires great care. -uproute() { - doroute add - ip route flush cache -} -downroute() { - doroute delete - ip route flush cache -} - -addsource() { - st=0 - if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local - then - it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE" - oops="`eval $it 2>&1`" - st=$? - if test " $oops" = " " -a " $st" != " 0" - then - oops="silent error, exit status $st" - fi - if test " $oops" != " " -o " $st" != " 0" - then - echo "$0: addsource \`$it' failed ($oops)" >&2 - fi - fi - return $st -} - -doroute() { - st=0 - - if [ -z "$PLUTO_MY_SOURCEIP" ] - then - for dir in /etc/sysconfig /etc/conf.d; do - if [ -f "$dir/defaultsource" ] - then - . "$dir/defaultsource" - fi - done - - if [ -n "$DEFAULTSOURCE" ] - then - PLUTO_MY_SOURCEIP=$DEFAULTSOURCE - fi - fi - - if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ] - then - # leave because no route entry is required - return $st - fi - - parms1="$PLUTO_PEER_CLIENT" - - if [ -n "$PLUTO_NEXT_HOP" ] - then - parms2="via $PLUTO_NEXT_HOP" - else - parms2="via $PLUTO_PEER" - fi - parms2="$parms2 dev $PLUTO_INTERFACE" - - parms3= - if [ -n "$PLUTO_MY_SOURCEIP" ] - then - if test "$1" = "add" - then - addsource - if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE" - then - ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE - fi - fi - parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE" - fi +IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID" +IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" +IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" - case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in - "0.0.0.0/0.0.0.0") - # opportunistic encryption work around - # need to provide route that eclipses default, without - # replacing it. - it="ip route $1 0.0.0.0/1 $parms2 $parms3 && - ip route $1 128.0.0.0/1 $parms2 $parms3" - ;; - *) it="ip route $1 $parms1 $parms2 $parms3" - ;; - esac - oops="`eval $it 2>&1`" - st=$? - if test " $oops" = " " -a " $st" != " 0" - then - oops="silent error, exit status $st" - fi - if test " $oops" != " " -o " $st" != " 0" - then - echo "$0: doroute \`$it' failed ($oops)" >&2 - fi - return $st -} - -# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY -if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ] -then - KLIPS=1 - IPSEC_POLICY_IN="" - IPSEC_POLICY_OUT="" -else - KLIPS= - IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID" - IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" - IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" -fi +# use protocol specific options to set ports +case "$PLUTO_MY_PROTOCOL" in +1) # ICMP + ICMP_TYPE_OPTION="--icmp-type" + ;; +58) # ICMPv6 + ICMP_TYPE_OPTION="--icmpv6-type" + ;; +*) + ;; +esac # are there port numbers? if [ "$PLUTO_MY_PORT" != 0 ] then - S_MY_PORT="--sport $PLUTO_MY_PORT" - D_MY_PORT="--dport $PLUTO_MY_PORT" + if [ -n "$ICMP_TYPE_OPTION" ] + then + S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" + D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" + else + S_MY_PORT="--sport $PLUTO_MY_PORT" + D_MY_PORT="--dport $PLUTO_MY_PORT" + fi fi if [ "$PLUTO_PEER_PORT" != 0 ] then - S_PEER_PORT="--sport $PLUTO_PEER_PORT" - D_PEER_PORT="--dport $PLUTO_PEER_PORT" + if [ -n "$ICMP_TYPE_OPTION" ] + then + # the syntax is --icmp[v6]-type type[/code], so add it to the existing option + S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT" + D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT" + else + S_PEER_PORT="--sport $PLUTO_PEER_PORT" + D_PEER_PORT="--dport $PLUTO_PEER_PORT" + fi fi # resolve octal escape sequences PLUTO_MY_ID=`printf "$PLUTO_MY_ID"` PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"` -# the big choice case "$PLUTO_VERB:$1" in -prepare-host:*|prepare-client:*) - if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ] - then - # exit because no route will be added, - # so that existing routes can stay - exit 0 - fi - - # delete possibly-existing route (preliminary to adding a route) - case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in - "0.0.0.0/0.0.0.0") - # need to provide route that eclipses default, without - # replacing it. - parms1="0.0.0.0/1" - parms2="128.0.0.0/1" - it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1" - oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`" - ;; - *) - parms="$PLUTO_PEER_CLIENT" - it="ip route delete $parms 2>&1" - oops="`ip route delete $parms 2>&1`" - ;; - esac - status="$?" - if test " $oops" = " " -a " $status" != " 0" - then - oops="silent error, exit status $status" - fi - case "$oops" in - *'RTNETLINK answers: No such process'*) - # This is what route (currently -- not documented!) gives - # for "could not find such a route". - oops= - status=0 - ;; - esac - if test " $oops" != " " -o " $status" != " 0" - then - echo "$0: \`$it' failed ($oops)" >&2 - fi - exit $status - ;; -route-host:*|route-client:*) - # connection to me or my client subnet being routed - uproute - ;; -unroute-host:*|unroute-client:*) - # connection to me or my client subnet being unrouted - downroute - ;; up-host:) # connection to me coming up # If you are doing a custom version, firewall commands go here. @@ -421,6 +253,14 @@ up-host:iptables) -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # + # allow IPIP traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed) + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec host connection setup if [ $VPN_LOGGING ] then @@ -445,6 +285,13 @@ down-host:iptables) -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # + # IPIP exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec host connection teardown if [ $VPN_LOGGING ] then @@ -484,6 +331,15 @@ up-client:iptables) -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT fi # + # allow IPIP traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed). + # INPUT is correct here even for forwarded traffic. + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec client connection setup if [ $VPN_LOGGING ] then @@ -527,6 +383,13 @@ down-client:iptables) $IPSEC_POLICY_OUT -j ACCEPT fi # + # IPIP exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec client connection teardown if [ $VPN_LOGGING ] then @@ -543,16 +406,6 @@ down-client:iptables) # # IPv6 # -prepare-host-v6:*|prepare-client-v6:*) - ;; -route-host-v6:*|route-client-v6:*) - # connection to me or my client subnet being routed - #uproute_v6 - ;; -unroute-host-v6:*|unroute-client-v6:*) - # connection to me or my client subnet being unrouted - #downroute_v6 - ;; up-host-v6:) # connection to me coming up # If you are doing a custom version, firewall commands go here. diff --git a/testing/tests/libipsec/net2net-cert/hosts/sun/etc/updown b/testing/tests/libipsec/net2net-cert/hosts/sun/etc/updown index 1a68ada0e..1b362e65c 100755 --- a/testing/tests/libipsec/net2net-cert/hosts/sun/etc/updown +++ b/testing/tests/libipsec/net2net-cert/hosts/sun/etc/updown @@ -1,5 +1,5 @@ -#! /bin/sh -# iproute2 version, default updown script +#!/bin/sh +# default updown script # # Copyright (C) 2003-2004 Nigel Meteringham # Copyright (C) 2003-2004 Tuomo Soini @@ -22,8 +22,6 @@ # that, and use the (left/right)updown parameters in ipsec.conf to make # strongSwan use yours instead of this default one. -# things that this script gets (from ipsec_pluto(8) man page) -# # PLUTO_VERSION # indicates what version of this interface is being # used. This document describes version 1.1. This @@ -41,15 +39,17 @@ # is the name of the connection for which we are # routing. # -# PLUTO_NEXT_HOP -# is the next hop to which packets bound for the peer -# must be sent. -# # PLUTO_INTERFACE # is the name of the ipsec interface to be used. # # PLUTO_REQID -# is the requid of the ESP policy +# is the requid of the AH|ESP policy +# +# PLUTO_PROTO +# is the negotiated IPsec protocol, ah|esp +# +# PLUTO_IPCOMP +# is not empty if IPComp was negotiated # # PLUTO_UNIQUEID # is the unique identifier of the associated IKE_SA @@ -66,15 +66,6 @@ # host's own IP address / max (where max is 32 for # IPv4 and 128 for IPv6). # -# PLUTO_MY_CLIENT_NET -# is the IP address of our client net. If the client -# is just the host, this will be the host's own IP -# address. -# -# PLUTO_MY_CLIENT_MASK -# is the mask for our client net. If the client is -# just the host, this will be 255.255.255.255. -# # PLUTO_MY_SOURCEIP # PLUTO_MY_SOURCEIP4_$i # PLUTO_MY_SOURCEIP6_$i @@ -88,7 +79,8 @@ # # PLUTO_MY_PORT # is the UDP/TCP port to which the IPsec SA is -# restricted on our side. +# restricted on our side. For ICMP/ICMPv6 this contains the +# message type, and PLUTO_PEER_PORT the message code. # # PLUTO_PEER # is the IP address of our peer. @@ -96,31 +88,19 @@ # PLUTO_PEER_ID # is the ID of our peer. # -# PLUTO_PEER_CA -# is the CA which issued the cert of our peer. -# # PLUTO_PEER_CLIENT # is the IP address / count of the peer's client sub- # net. If the client is just the peer, this will be # the peer's own IP address / max (where max is 32 # for IPv4 and 128 for IPv6). # -# PLUTO_PEER_CLIENT_NET -# is the IP address of the peer's client net. If the -# client is just the peer, this will be the peer's -# own IP address. -# -# PLUTO_PEER_CLIENT_MASK -# is the mask for the peer's client net. If the -# client is just the peer, this will be -# 255.255.255.255. -# # PLUTO_PEER_PROTOCOL # is the IP protocol that will be transported. # # PLUTO_PEER_PORT # is the UDP/TCP port to which the IPsec SA is -# restricted on the peer side. +# restricted on the peer side. For ICMP/ICMPv6 this contains the +# message code, and PLUTO_MY_PORT the message type. # # PLUTO_XAUTH_ID # is an optional user ID employed by the XAUTH protocol @@ -146,7 +126,7 @@ PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin" export PATH -# uncomment to log VPN connections +# comment to disable logging VPN connections to syslog VPN_LOGGING=1 # # tag put in front of each log entry: @@ -160,21 +140,11 @@ FAC_PRIO=local0.notice # # local0.notice -/var/log/vpn -# in order to use source IP routing the Linux kernel options -# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES -# must be enabled -# -# special routing table for sourceip routes -SOURCEIP_ROUTING_TABLE=220 -# -# priority of the sourceip routing table -SOURCEIP_ROUTING_TABLE_PRIO=220 - # check interface version case "$PLUTO_VERSION" in -1.[0|1]) # Older Pluto?!? Play it safe, script may be using new features. +1.[0|1]) # Older release?!? Play it safe, script may be using new features. echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2 - echo "$0: called by obsolete Pluto?" >&2 + echo "$0: called by obsolete release?" >&2 exit 2 ;; 1.*) ;; @@ -196,190 +166,52 @@ custom:*) # custom parameters (see above CAUTION comment) ;; esac -# utility functions for route manipulation -# Meddling with this stuff should not be necessary and requires great care. -uproute() { - doroute add - ip route flush cache -} -downroute() { - doroute delete - ip route flush cache -} - -addsource() { - st=0 - if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local - then - it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE" - oops="`eval $it 2>&1`" - st=$? - if test " $oops" = " " -a " $st" != " 0" - then - oops="silent error, exit status $st" - fi - if test " $oops" != " " -o " $st" != " 0" - then - echo "$0: addsource \`$it' failed ($oops)" >&2 - fi - fi - return $st -} - -doroute() { - st=0 - - if [ -z "$PLUTO_MY_SOURCEIP" ] - then - for dir in /etc/sysconfig /etc/conf.d; do - if [ -f "$dir/defaultsource" ] - then - . "$dir/defaultsource" - fi - done - - if [ -n "$DEFAULTSOURCE" ] - then - PLUTO_MY_SOURCEIP=$DEFAULTSOURCE - fi - fi - - if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ] - then - # leave because no route entry is required - return $st - fi - - parms1="$PLUTO_PEER_CLIENT" - - if [ -n "$PLUTO_NEXT_HOP" ] - then - parms2="via $PLUTO_NEXT_HOP" - else - parms2="via $PLUTO_PEER" - fi - parms2="$parms2 dev $PLUTO_INTERFACE" - - parms3= - if [ -n "$PLUTO_MY_SOURCEIP" ] - then - if test "$1" = "add" - then - addsource - if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE" - then - ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE - fi - fi - parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE" - fi +IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID" +IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" +IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" - case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in - "0.0.0.0/0.0.0.0") - # opportunistic encryption work around - # need to provide route that eclipses default, without - # replacing it. - it="ip route $1 0.0.0.0/1 $parms2 $parms3 && - ip route $1 128.0.0.0/1 $parms2 $parms3" - ;; - *) it="ip route $1 $parms1 $parms2 $parms3" - ;; - esac - oops="`eval $it 2>&1`" - st=$? - if test " $oops" = " " -a " $st" != " 0" - then - oops="silent error, exit status $st" - fi - if test " $oops" != " " -o " $st" != " 0" - then - echo "$0: doroute \`$it' failed ($oops)" >&2 - fi - return $st -} - -# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY -if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ] -then - KLIPS=1 - IPSEC_POLICY_IN="" - IPSEC_POLICY_OUT="" -else - KLIPS= - IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID" - IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" - IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" -fi +# use protocol specific options to set ports +case "$PLUTO_MY_PROTOCOL" in +1) # ICMP + ICMP_TYPE_OPTION="--icmp-type" + ;; +58) # ICMPv6 + ICMP_TYPE_OPTION="--icmpv6-type" + ;; +*) + ;; +esac # are there port numbers? if [ "$PLUTO_MY_PORT" != 0 ] then - S_MY_PORT="--sport $PLUTO_MY_PORT" - D_MY_PORT="--dport $PLUTO_MY_PORT" + if [ -n "$ICMP_TYPE_OPTION" ] + then + S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" + D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" + else + S_MY_PORT="--sport $PLUTO_MY_PORT" + D_MY_PORT="--dport $PLUTO_MY_PORT" + fi fi if [ "$PLUTO_PEER_PORT" != 0 ] then - S_PEER_PORT="--sport $PLUTO_PEER_PORT" - D_PEER_PORT="--dport $PLUTO_PEER_PORT" + if [ -n "$ICMP_TYPE_OPTION" ] + then + # the syntax is --icmp[v6]-type type[/code], so add it to the existing option + S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT" + D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT" + else + S_PEER_PORT="--sport $PLUTO_PEER_PORT" + D_PEER_PORT="--dport $PLUTO_PEER_PORT" + fi fi # resolve octal escape sequences PLUTO_MY_ID=`printf "$PLUTO_MY_ID"` PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"` -# the big choice case "$PLUTO_VERB:$1" in -prepare-host:*|prepare-client:*) - if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ] - then - # exit because no route will be added, - # so that existing routes can stay - exit 0 - fi - - # delete possibly-existing route (preliminary to adding a route) - case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in - "0.0.0.0/0.0.0.0") - # need to provide route that eclipses default, without - # replacing it. - parms1="0.0.0.0/1" - parms2="128.0.0.0/1" - it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1" - oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`" - ;; - *) - parms="$PLUTO_PEER_CLIENT" - it="ip route delete $parms 2>&1" - oops="`ip route delete $parms 2>&1`" - ;; - esac - status="$?" - if test " $oops" = " " -a " $status" != " 0" - then - oops="silent error, exit status $status" - fi - case "$oops" in - *'RTNETLINK answers: No such process'*) - # This is what route (currently -- not documented!) gives - # for "could not find such a route". - oops= - status=0 - ;; - esac - if test " $oops" != " " -o " $status" != " 0" - then - echo "$0: \`$it' failed ($oops)" >&2 - fi - exit $status - ;; -route-host:*|route-client:*) - # connection to me or my client subnet being routed - uproute - ;; -unroute-host:*|unroute-client:*) - # connection to me or my client subnet being unrouted - downroute - ;; up-host:) # connection to me coming up # If you are doing a custom version, firewall commands go here. @@ -421,6 +253,14 @@ up-host:iptables) -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # + # allow IPIP traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed) + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec host connection setup if [ $VPN_LOGGING ] then @@ -445,6 +285,13 @@ down-host:iptables) -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # + # IPIP exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec host connection teardown if [ $VPN_LOGGING ] then @@ -484,6 +331,15 @@ up-client:iptables) -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT fi # + # allow IPIP traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed). + # INPUT is correct here even for forwarded traffic. + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec client connection setup if [ $VPN_LOGGING ] then @@ -527,6 +383,13 @@ down-client:iptables) $IPSEC_POLICY_OUT -j ACCEPT fi # + # IPIP exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec client connection teardown if [ $VPN_LOGGING ] then @@ -543,16 +406,6 @@ down-client:iptables) # # IPv6 # -prepare-host-v6:*|prepare-client-v6:*) - ;; -route-host-v6:*|route-client-v6:*) - # connection to me or my client subnet being routed - #uproute_v6 - ;; -unroute-host-v6:*|unroute-client-v6:*) - # connection to me or my client subnet being unrouted - #downroute_v6 - ;; up-host-v6:) # connection to me coming up # If you are doing a custom version, firewall commands go here. diff --git a/testing/tests/libipsec/rw-suite-b/evaltest.dat b/testing/tests/libipsec/rw-suite-b/evaltest.dat index d59ea3c34..3a9493ba3 100644 --- a/testing/tests/libipsec/rw-suite-b/evaltest.dat +++ b/testing/tests/libipsec/rw-suite-b/evaltest.dat @@ -1,8 +1,8 @@ carol::cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES -dave:: cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES +dave:: cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES moon:: cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES -moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA-256 signature successful::YES -moon:: cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with ECDSA-256 signature successful::YES +moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA_WITH_SHA256_DER successful::YES +moon:: cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with ECDSA_WITH_SHA256_DER successful::YES carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES diff --git a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/updown b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/updown index 15c239466..7d0c583b3 100755 --- a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/updown +++ b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/updown @@ -1,5 +1,5 @@ -#! /bin/sh -# iproute2 version, default updown script +#!/bin/sh +# default updown script # # Copyright (C) 2003-2004 Nigel Meteringham # Copyright (C) 2003-2004 Tuomo Soini @@ -22,8 +22,6 @@ # that, and use the (left/right)updown parameters in ipsec.conf to make # strongSwan use yours instead of this default one. -# things that this script gets (from ipsec_pluto(8) man page) -# # PLUTO_VERSION # indicates what version of this interface is being # used. This document describes version 1.1. This @@ -41,15 +39,17 @@ # is the name of the connection for which we are # routing. # -# PLUTO_NEXT_HOP -# is the next hop to which packets bound for the peer -# must be sent. -# # PLUTO_INTERFACE # is the name of the ipsec interface to be used. # # PLUTO_REQID -# is the requid of the ESP policy +# is the requid of the AH|ESP policy +# +# PLUTO_PROTO +# is the negotiated IPsec protocol, ah|esp +# +# PLUTO_IPCOMP +# is not empty if IPComp was negotiated # # PLUTO_UNIQUEID # is the unique identifier of the associated IKE_SA @@ -66,15 +66,6 @@ # host's own IP address / max (where max is 32 for # IPv4 and 128 for IPv6). # -# PLUTO_MY_CLIENT_NET -# is the IP address of our client net. If the client -# is just the host, this will be the host's own IP -# address. -# -# PLUTO_MY_CLIENT_MASK -# is the mask for our client net. If the client is -# just the host, this will be 255.255.255.255. -# # PLUTO_MY_SOURCEIP # PLUTO_MY_SOURCEIP4_$i # PLUTO_MY_SOURCEIP6_$i @@ -88,7 +79,8 @@ # # PLUTO_MY_PORT # is the UDP/TCP port to which the IPsec SA is -# restricted on our side. +# restricted on our side. For ICMP/ICMPv6 this contains the +# message type, and PLUTO_PEER_PORT the message code. # # PLUTO_PEER # is the IP address of our peer. @@ -96,31 +88,19 @@ # PLUTO_PEER_ID # is the ID of our peer. # -# PLUTO_PEER_CA -# is the CA which issued the cert of our peer. -# # PLUTO_PEER_CLIENT # is the IP address / count of the peer's client sub- # net. If the client is just the peer, this will be # the peer's own IP address / max (where max is 32 # for IPv4 and 128 for IPv6). # -# PLUTO_PEER_CLIENT_NET -# is the IP address of the peer's client net. If the -# client is just the peer, this will be the peer's -# own IP address. -# -# PLUTO_PEER_CLIENT_MASK -# is the mask for the peer's client net. If the -# client is just the peer, this will be -# 255.255.255.255. -# # PLUTO_PEER_PROTOCOL # is the IP protocol that will be transported. # # PLUTO_PEER_PORT # is the UDP/TCP port to which the IPsec SA is -# restricted on the peer side. +# restricted on the peer side. For ICMP/ICMPv6 this contains the +# message code, and PLUTO_MY_PORT the message type. # # PLUTO_XAUTH_ID # is an optional user ID employed by the XAUTH protocol @@ -146,7 +126,7 @@ PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin" export PATH -# uncomment to log VPN connections +# comment to disable logging VPN connections to syslog VPN_LOGGING=1 # # tag put in front of each log entry: @@ -160,21 +140,11 @@ FAC_PRIO=local0.notice # # local0.notice -/var/log/vpn -# in order to use source IP routing the Linux kernel options -# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES -# must be enabled -# -# special routing table for sourceip routes -SOURCEIP_ROUTING_TABLE=220 -# -# priority of the sourceip routing table -SOURCEIP_ROUTING_TABLE_PRIO=220 - # check interface version case "$PLUTO_VERSION" in -1.[0|1]) # Older Pluto?!? Play it safe, script may be using new features. +1.[0|1]) # Older release?!? Play it safe, script may be using new features. echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2 - echo "$0: called by obsolete Pluto?" >&2 + echo "$0: called by obsolete release?" >&2 exit 2 ;; 1.*) ;; @@ -196,190 +166,52 @@ custom:*) # custom parameters (see above CAUTION comment) ;; esac -# utility functions for route manipulation -# Meddling with this stuff should not be necessary and requires great care. -uproute() { - doroute add - ip route flush cache -} -downroute() { - doroute delete - ip route flush cache -} - -addsource() { - st=0 - if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local - then - it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE" - oops="`eval $it 2>&1`" - st=$? - if test " $oops" = " " -a " $st" != " 0" - then - oops="silent error, exit status $st" - fi - if test " $oops" != " " -o " $st" != " 0" - then - echo "$0: addsource \`$it' failed ($oops)" >&2 - fi - fi - return $st -} - -doroute() { - st=0 - - if [ -z "$PLUTO_MY_SOURCEIP" ] - then - for dir in /etc/sysconfig /etc/conf.d; do - if [ -f "$dir/defaultsource" ] - then - . "$dir/defaultsource" - fi - done - - if [ -n "$DEFAULTSOURCE" ] - then - PLUTO_MY_SOURCEIP=$DEFAULTSOURCE - fi - fi +IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID" +IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" +IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" - if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ] - then - # leave because no route entry is required - return $st - fi - - parms1="$PLUTO_PEER_CLIENT" - - if [ -n "$PLUTO_NEXT_HOP" ] - then - parms2="via $PLUTO_NEXT_HOP" - else - parms2="via $PLUTO_PEER" - fi - parms2="$parms2 dev $PLUTO_INTERFACE" - - parms3= - if [ -n "$PLUTO_MY_SOURCEIP" ] - then - if test "$1" = "add" - then - addsource - if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE" - then - ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE - fi - fi - parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE" - fi - - case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in - "0.0.0.0/0.0.0.0") - # opportunistic encryption work around - # need to provide route that eclipses default, without - # replacing it. - it="ip route $1 0.0.0.0/1 $parms2 $parms3 && - ip route $1 128.0.0.0/1 $parms2 $parms3" - ;; - *) it="ip route $1 $parms1 $parms2 $parms3" - ;; - esac - oops="`eval $it 2>&1`" - st=$? - if test " $oops" = " " -a " $st" != " 0" - then - oops="silent error, exit status $st" - fi - if test " $oops" != " " -o " $st" != " 0" - then - echo "$0: doroute \`$it' failed ($oops)" >&2 - fi - return $st -} - -# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY -if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ] -then - KLIPS=1 - IPSEC_POLICY_IN="" - IPSEC_POLICY_OUT="" -else - KLIPS= - IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID" - IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" - IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" -fi +# use protocol specific options to set ports +case "$PLUTO_MY_PROTOCOL" in +1) # ICMP + ICMP_TYPE_OPTION="--icmp-type" + ;; +58) # ICMPv6 + ICMP_TYPE_OPTION="--icmpv6-type" + ;; +*) + ;; +esac # are there port numbers? if [ "$PLUTO_MY_PORT" != 0 ] then - S_MY_PORT="--sport $PLUTO_MY_PORT" - D_MY_PORT="--dport $PLUTO_MY_PORT" + if [ -n "$ICMP_TYPE_OPTION" ] + then + S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" + D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" + else + S_MY_PORT="--sport $PLUTO_MY_PORT" + D_MY_PORT="--dport $PLUTO_MY_PORT" + fi fi if [ "$PLUTO_PEER_PORT" != 0 ] then - S_PEER_PORT="--sport $PLUTO_PEER_PORT" - D_PEER_PORT="--dport $PLUTO_PEER_PORT" + if [ -n "$ICMP_TYPE_OPTION" ] + then + # the syntax is --icmp[v6]-type type[/code], so add it to the existing option + S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT" + D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT" + else + S_PEER_PORT="--sport $PLUTO_PEER_PORT" + D_PEER_PORT="--dport $PLUTO_PEER_PORT" + fi fi # resolve octal escape sequences PLUTO_MY_ID=`printf "$PLUTO_MY_ID"` PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"` -# the big choice case "$PLUTO_VERB:$1" in -prepare-host:*|prepare-client:*) - if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ] - then - # exit because no route will be added, - # so that existing routes can stay - exit 0 - fi - - # delete possibly-existing route (preliminary to adding a route) - case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in - "0.0.0.0/0.0.0.0") - # need to provide route that eclipses default, without - # replacing it. - parms1="0.0.0.0/1" - parms2="128.0.0.0/1" - it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1" - oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`" - ;; - *) - parms="$PLUTO_PEER_CLIENT" - it="ip route delete $parms 2>&1" - oops="`ip route delete $parms 2>&1`" - ;; - esac - status="$?" - if test " $oops" = " " -a " $status" != " 0" - then - oops="silent error, exit status $status" - fi - case "$oops" in - *'RTNETLINK answers: No such process'*) - # This is what route (currently -- not documented!) gives - # for "could not find such a route". - oops= - status=0 - ;; - esac - if test " $oops" != " " -o " $status" != " 0" - then - echo "$0: \`$it' failed ($oops)" >&2 - fi - exit $status - ;; -route-host:*|route-client:*) - # connection to me or my client subnet being routed - uproute - ;; -unroute-host:*|unroute-client:*) - # connection to me or my client subnet being unrouted - downroute - ;; up-host:) # connection to me coming up # If you are doing a custom version, firewall commands go here. @@ -395,7 +227,7 @@ down-host:) # connection to me going down # If you are doing a custom version, firewall commands go here. PLUTO_INTERFACE=ipsec0 - iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ -d $PLUTO_ME $D_MY_PORT -j ACCEPT iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ @@ -406,8 +238,8 @@ up-client:) # connection to my client subnet coming up # If you are doing a custom version, firewall commands go here. PLUTO_INTERFACE=ipsec0 - if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] - then + if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] + then iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ -s $PLUTO_MY_CLIENT $S_MY_PORT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT @@ -444,7 +276,7 @@ down-client:) if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] then iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ -s $PLUTO_MY_CLIENT $S_MY_PORT \ @@ -462,6 +294,14 @@ up-host:iptables) -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # + # allow IPIP traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed) + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec host connection setup if [ $VPN_LOGGING ] then @@ -486,6 +326,13 @@ down-host:iptables) -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # + # IPIP exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec host connection teardown if [ $VPN_LOGGING ] then @@ -525,6 +372,15 @@ up-client:iptables) -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT fi # + # allow IPIP traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed). + # INPUT is correct here even for forwarded traffic. + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec client connection setup if [ $VPN_LOGGING ] then @@ -568,6 +424,13 @@ down-client:iptables) $IPSEC_POLICY_OUT -j ACCEPT fi # + # IPIP exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec client connection teardown if [ $VPN_LOGGING ] then @@ -584,16 +447,6 @@ down-client:iptables) # # IPv6 # -prepare-host-v6:*|prepare-client-v6:*) - ;; -route-host-v6:*|route-client-v6:*) - # connection to me or my client subnet being routed - #uproute_v6 - ;; -unroute-host-v6:*|unroute-client-v6:*) - # connection to me or my client subnet being unrouted - #downroute_v6 - ;; up-host-v6:) # connection to me coming up # If you are doing a custom version, firewall commands go here. diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/updown b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/updown index 15c239466..7d0c583b3 100755 --- a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/updown +++ b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/updown @@ -1,5 +1,5 @@ -#! /bin/sh -# iproute2 version, default updown script +#!/bin/sh +# default updown script # # Copyright (C) 2003-2004 Nigel Meteringham # Copyright (C) 2003-2004 Tuomo Soini @@ -22,8 +22,6 @@ # that, and use the (left/right)updown parameters in ipsec.conf to make # strongSwan use yours instead of this default one. -# things that this script gets (from ipsec_pluto(8) man page) -# # PLUTO_VERSION # indicates what version of this interface is being # used. This document describes version 1.1. This @@ -41,15 +39,17 @@ # is the name of the connection for which we are # routing. # -# PLUTO_NEXT_HOP -# is the next hop to which packets bound for the peer -# must be sent. -# # PLUTO_INTERFACE # is the name of the ipsec interface to be used. # # PLUTO_REQID -# is the requid of the ESP policy +# is the requid of the AH|ESP policy +# +# PLUTO_PROTO +# is the negotiated IPsec protocol, ah|esp +# +# PLUTO_IPCOMP +# is not empty if IPComp was negotiated # # PLUTO_UNIQUEID # is the unique identifier of the associated IKE_SA @@ -66,15 +66,6 @@ # host's own IP address / max (where max is 32 for # IPv4 and 128 for IPv6). # -# PLUTO_MY_CLIENT_NET -# is the IP address of our client net. If the client -# is just the host, this will be the host's own IP -# address. -# -# PLUTO_MY_CLIENT_MASK -# is the mask for our client net. If the client is -# just the host, this will be 255.255.255.255. -# # PLUTO_MY_SOURCEIP # PLUTO_MY_SOURCEIP4_$i # PLUTO_MY_SOURCEIP6_$i @@ -88,7 +79,8 @@ # # PLUTO_MY_PORT # is the UDP/TCP port to which the IPsec SA is -# restricted on our side. +# restricted on our side. For ICMP/ICMPv6 this contains the +# message type, and PLUTO_PEER_PORT the message code. # # PLUTO_PEER # is the IP address of our peer. @@ -96,31 +88,19 @@ # PLUTO_PEER_ID # is the ID of our peer. # -# PLUTO_PEER_CA -# is the CA which issued the cert of our peer. -# # PLUTO_PEER_CLIENT # is the IP address / count of the peer's client sub- # net. If the client is just the peer, this will be # the peer's own IP address / max (where max is 32 # for IPv4 and 128 for IPv6). # -# PLUTO_PEER_CLIENT_NET -# is the IP address of the peer's client net. If the -# client is just the peer, this will be the peer's -# own IP address. -# -# PLUTO_PEER_CLIENT_MASK -# is the mask for the peer's client net. If the -# client is just the peer, this will be -# 255.255.255.255. -# # PLUTO_PEER_PROTOCOL # is the IP protocol that will be transported. # # PLUTO_PEER_PORT # is the UDP/TCP port to which the IPsec SA is -# restricted on the peer side. +# restricted on the peer side. For ICMP/ICMPv6 this contains the +# message code, and PLUTO_MY_PORT the message type. # # PLUTO_XAUTH_ID # is an optional user ID employed by the XAUTH protocol @@ -146,7 +126,7 @@ PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin" export PATH -# uncomment to log VPN connections +# comment to disable logging VPN connections to syslog VPN_LOGGING=1 # # tag put in front of each log entry: @@ -160,21 +140,11 @@ FAC_PRIO=local0.notice # # local0.notice -/var/log/vpn -# in order to use source IP routing the Linux kernel options -# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES -# must be enabled -# -# special routing table for sourceip routes -SOURCEIP_ROUTING_TABLE=220 -# -# priority of the sourceip routing table -SOURCEIP_ROUTING_TABLE_PRIO=220 - # check interface version case "$PLUTO_VERSION" in -1.[0|1]) # Older Pluto?!? Play it safe, script may be using new features. +1.[0|1]) # Older release?!? Play it safe, script may be using new features. echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2 - echo "$0: called by obsolete Pluto?" >&2 + echo "$0: called by obsolete release?" >&2 exit 2 ;; 1.*) ;; @@ -196,190 +166,52 @@ custom:*) # custom parameters (see above CAUTION comment) ;; esac -# utility functions for route manipulation -# Meddling with this stuff should not be necessary and requires great care. -uproute() { - doroute add - ip route flush cache -} -downroute() { - doroute delete - ip route flush cache -} - -addsource() { - st=0 - if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local - then - it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE" - oops="`eval $it 2>&1`" - st=$? - if test " $oops" = " " -a " $st" != " 0" - then - oops="silent error, exit status $st" - fi - if test " $oops" != " " -o " $st" != " 0" - then - echo "$0: addsource \`$it' failed ($oops)" >&2 - fi - fi - return $st -} - -doroute() { - st=0 - - if [ -z "$PLUTO_MY_SOURCEIP" ] - then - for dir in /etc/sysconfig /etc/conf.d; do - if [ -f "$dir/defaultsource" ] - then - . "$dir/defaultsource" - fi - done - - if [ -n "$DEFAULTSOURCE" ] - then - PLUTO_MY_SOURCEIP=$DEFAULTSOURCE - fi - fi +IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID" +IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" +IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" - if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ] - then - # leave because no route entry is required - return $st - fi - - parms1="$PLUTO_PEER_CLIENT" - - if [ -n "$PLUTO_NEXT_HOP" ] - then - parms2="via $PLUTO_NEXT_HOP" - else - parms2="via $PLUTO_PEER" - fi - parms2="$parms2 dev $PLUTO_INTERFACE" - - parms3= - if [ -n "$PLUTO_MY_SOURCEIP" ] - then - if test "$1" = "add" - then - addsource - if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE" - then - ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE - fi - fi - parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE" - fi - - case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in - "0.0.0.0/0.0.0.0") - # opportunistic encryption work around - # need to provide route that eclipses default, without - # replacing it. - it="ip route $1 0.0.0.0/1 $parms2 $parms3 && - ip route $1 128.0.0.0/1 $parms2 $parms3" - ;; - *) it="ip route $1 $parms1 $parms2 $parms3" - ;; - esac - oops="`eval $it 2>&1`" - st=$? - if test " $oops" = " " -a " $st" != " 0" - then - oops="silent error, exit status $st" - fi - if test " $oops" != " " -o " $st" != " 0" - then - echo "$0: doroute \`$it' failed ($oops)" >&2 - fi - return $st -} - -# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY -if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ] -then - KLIPS=1 - IPSEC_POLICY_IN="" - IPSEC_POLICY_OUT="" -else - KLIPS= - IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID" - IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" - IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" -fi +# use protocol specific options to set ports +case "$PLUTO_MY_PROTOCOL" in +1) # ICMP + ICMP_TYPE_OPTION="--icmp-type" + ;; +58) # ICMPv6 + ICMP_TYPE_OPTION="--icmpv6-type" + ;; +*) + ;; +esac # are there port numbers? if [ "$PLUTO_MY_PORT" != 0 ] then - S_MY_PORT="--sport $PLUTO_MY_PORT" - D_MY_PORT="--dport $PLUTO_MY_PORT" + if [ -n "$ICMP_TYPE_OPTION" ] + then + S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" + D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" + else + S_MY_PORT="--sport $PLUTO_MY_PORT" + D_MY_PORT="--dport $PLUTO_MY_PORT" + fi fi if [ "$PLUTO_PEER_PORT" != 0 ] then - S_PEER_PORT="--sport $PLUTO_PEER_PORT" - D_PEER_PORT="--dport $PLUTO_PEER_PORT" + if [ -n "$ICMP_TYPE_OPTION" ] + then + # the syntax is --icmp[v6]-type type[/code], so add it to the existing option + S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT" + D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT" + else + S_PEER_PORT="--sport $PLUTO_PEER_PORT" + D_PEER_PORT="--dport $PLUTO_PEER_PORT" + fi fi # resolve octal escape sequences PLUTO_MY_ID=`printf "$PLUTO_MY_ID"` PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"` -# the big choice case "$PLUTO_VERB:$1" in -prepare-host:*|prepare-client:*) - if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ] - then - # exit because no route will be added, - # so that existing routes can stay - exit 0 - fi - - # delete possibly-existing route (preliminary to adding a route) - case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in - "0.0.0.0/0.0.0.0") - # need to provide route that eclipses default, without - # replacing it. - parms1="0.0.0.0/1" - parms2="128.0.0.0/1" - it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1" - oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`" - ;; - *) - parms="$PLUTO_PEER_CLIENT" - it="ip route delete $parms 2>&1" - oops="`ip route delete $parms 2>&1`" - ;; - esac - status="$?" - if test " $oops" = " " -a " $status" != " 0" - then - oops="silent error, exit status $status" - fi - case "$oops" in - *'RTNETLINK answers: No such process'*) - # This is what route (currently -- not documented!) gives - # for "could not find such a route". - oops= - status=0 - ;; - esac - if test " $oops" != " " -o " $status" != " 0" - then - echo "$0: \`$it' failed ($oops)" >&2 - fi - exit $status - ;; -route-host:*|route-client:*) - # connection to me or my client subnet being routed - uproute - ;; -unroute-host:*|unroute-client:*) - # connection to me or my client subnet being unrouted - downroute - ;; up-host:) # connection to me coming up # If you are doing a custom version, firewall commands go here. @@ -395,7 +227,7 @@ down-host:) # connection to me going down # If you are doing a custom version, firewall commands go here. PLUTO_INTERFACE=ipsec0 - iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ -d $PLUTO_ME $D_MY_PORT -j ACCEPT iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ @@ -406,8 +238,8 @@ up-client:) # connection to my client subnet coming up # If you are doing a custom version, firewall commands go here. PLUTO_INTERFACE=ipsec0 - if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] - then + if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] + then iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ -s $PLUTO_MY_CLIENT $S_MY_PORT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT @@ -444,7 +276,7 @@ down-client:) if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] then iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ -s $PLUTO_MY_CLIENT $S_MY_PORT \ @@ -462,6 +294,14 @@ up-host:iptables) -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # + # allow IPIP traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed) + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec host connection setup if [ $VPN_LOGGING ] then @@ -486,6 +326,13 @@ down-host:iptables) -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # + # IPIP exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec host connection teardown if [ $VPN_LOGGING ] then @@ -525,6 +372,15 @@ up-client:iptables) -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT fi # + # allow IPIP traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed). + # INPUT is correct here even for forwarded traffic. + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec client connection setup if [ $VPN_LOGGING ] then @@ -568,6 +424,13 @@ down-client:iptables) $IPSEC_POLICY_OUT -j ACCEPT fi # + # IPIP exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec client connection teardown if [ $VPN_LOGGING ] then @@ -584,16 +447,6 @@ down-client:iptables) # # IPv6 # -prepare-host-v6:*|prepare-client-v6:*) - ;; -route-host-v6:*|route-client-v6:*) - # connection to me or my client subnet being routed - #uproute_v6 - ;; -unroute-host-v6:*|unroute-client-v6:*) - # connection to me or my client subnet being unrouted - #downroute_v6 - ;; up-host-v6:) # connection to me coming up # If you are doing a custom version, firewall commands go here. diff --git a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/updown b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/updown index 15c239466..7d0c583b3 100755 --- a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/updown +++ b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/updown @@ -1,5 +1,5 @@ -#! /bin/sh -# iproute2 version, default updown script +#!/bin/sh +# default updown script # # Copyright (C) 2003-2004 Nigel Meteringham # Copyright (C) 2003-2004 Tuomo Soini @@ -22,8 +22,6 @@ # that, and use the (left/right)updown parameters in ipsec.conf to make # strongSwan use yours instead of this default one. -# things that this script gets (from ipsec_pluto(8) man page) -# # PLUTO_VERSION # indicates what version of this interface is being # used. This document describes version 1.1. This @@ -41,15 +39,17 @@ # is the name of the connection for which we are # routing. # -# PLUTO_NEXT_HOP -# is the next hop to which packets bound for the peer -# must be sent. -# # PLUTO_INTERFACE # is the name of the ipsec interface to be used. # # PLUTO_REQID -# is the requid of the ESP policy +# is the requid of the AH|ESP policy +# +# PLUTO_PROTO +# is the negotiated IPsec protocol, ah|esp +# +# PLUTO_IPCOMP +# is not empty if IPComp was negotiated # # PLUTO_UNIQUEID # is the unique identifier of the associated IKE_SA @@ -66,15 +66,6 @@ # host's own IP address / max (where max is 32 for # IPv4 and 128 for IPv6). # -# PLUTO_MY_CLIENT_NET -# is the IP address of our client net. If the client -# is just the host, this will be the host's own IP -# address. -# -# PLUTO_MY_CLIENT_MASK -# is the mask for our client net. If the client is -# just the host, this will be 255.255.255.255. -# # PLUTO_MY_SOURCEIP # PLUTO_MY_SOURCEIP4_$i # PLUTO_MY_SOURCEIP6_$i @@ -88,7 +79,8 @@ # # PLUTO_MY_PORT # is the UDP/TCP port to which the IPsec SA is -# restricted on our side. +# restricted on our side. For ICMP/ICMPv6 this contains the +# message type, and PLUTO_PEER_PORT the message code. # # PLUTO_PEER # is the IP address of our peer. @@ -96,31 +88,19 @@ # PLUTO_PEER_ID # is the ID of our peer. # -# PLUTO_PEER_CA -# is the CA which issued the cert of our peer. -# # PLUTO_PEER_CLIENT # is the IP address / count of the peer's client sub- # net. If the client is just the peer, this will be # the peer's own IP address / max (where max is 32 # for IPv4 and 128 for IPv6). # -# PLUTO_PEER_CLIENT_NET -# is the IP address of the peer's client net. If the -# client is just the peer, this will be the peer's -# own IP address. -# -# PLUTO_PEER_CLIENT_MASK -# is the mask for the peer's client net. If the -# client is just the peer, this will be -# 255.255.255.255. -# # PLUTO_PEER_PROTOCOL # is the IP protocol that will be transported. # # PLUTO_PEER_PORT # is the UDP/TCP port to which the IPsec SA is -# restricted on the peer side. +# restricted on the peer side. For ICMP/ICMPv6 this contains the +# message code, and PLUTO_MY_PORT the message type. # # PLUTO_XAUTH_ID # is an optional user ID employed by the XAUTH protocol @@ -146,7 +126,7 @@ PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin" export PATH -# uncomment to log VPN connections +# comment to disable logging VPN connections to syslog VPN_LOGGING=1 # # tag put in front of each log entry: @@ -160,21 +140,11 @@ FAC_PRIO=local0.notice # # local0.notice -/var/log/vpn -# in order to use source IP routing the Linux kernel options -# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES -# must be enabled -# -# special routing table for sourceip routes -SOURCEIP_ROUTING_TABLE=220 -# -# priority of the sourceip routing table -SOURCEIP_ROUTING_TABLE_PRIO=220 - # check interface version case "$PLUTO_VERSION" in -1.[0|1]) # Older Pluto?!? Play it safe, script may be using new features. +1.[0|1]) # Older release?!? Play it safe, script may be using new features. echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2 - echo "$0: called by obsolete Pluto?" >&2 + echo "$0: called by obsolete release?" >&2 exit 2 ;; 1.*) ;; @@ -196,190 +166,52 @@ custom:*) # custom parameters (see above CAUTION comment) ;; esac -# utility functions for route manipulation -# Meddling with this stuff should not be necessary and requires great care. -uproute() { - doroute add - ip route flush cache -} -downroute() { - doroute delete - ip route flush cache -} - -addsource() { - st=0 - if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local - then - it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE" - oops="`eval $it 2>&1`" - st=$? - if test " $oops" = " " -a " $st" != " 0" - then - oops="silent error, exit status $st" - fi - if test " $oops" != " " -o " $st" != " 0" - then - echo "$0: addsource \`$it' failed ($oops)" >&2 - fi - fi - return $st -} - -doroute() { - st=0 - - if [ -z "$PLUTO_MY_SOURCEIP" ] - then - for dir in /etc/sysconfig /etc/conf.d; do - if [ -f "$dir/defaultsource" ] - then - . "$dir/defaultsource" - fi - done - - if [ -n "$DEFAULTSOURCE" ] - then - PLUTO_MY_SOURCEIP=$DEFAULTSOURCE - fi - fi +IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID" +IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" +IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" - if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ] - then - # leave because no route entry is required - return $st - fi - - parms1="$PLUTO_PEER_CLIENT" - - if [ -n "$PLUTO_NEXT_HOP" ] - then - parms2="via $PLUTO_NEXT_HOP" - else - parms2="via $PLUTO_PEER" - fi - parms2="$parms2 dev $PLUTO_INTERFACE" - - parms3= - if [ -n "$PLUTO_MY_SOURCEIP" ] - then - if test "$1" = "add" - then - addsource - if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE" - then - ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE - fi - fi - parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE" - fi - - case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in - "0.0.0.0/0.0.0.0") - # opportunistic encryption work around - # need to provide route that eclipses default, without - # replacing it. - it="ip route $1 0.0.0.0/1 $parms2 $parms3 && - ip route $1 128.0.0.0/1 $parms2 $parms3" - ;; - *) it="ip route $1 $parms1 $parms2 $parms3" - ;; - esac - oops="`eval $it 2>&1`" - st=$? - if test " $oops" = " " -a " $st" != " 0" - then - oops="silent error, exit status $st" - fi - if test " $oops" != " " -o " $st" != " 0" - then - echo "$0: doroute \`$it' failed ($oops)" >&2 - fi - return $st -} - -# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY -if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ] -then - KLIPS=1 - IPSEC_POLICY_IN="" - IPSEC_POLICY_OUT="" -else - KLIPS= - IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID" - IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" - IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" -fi +# use protocol specific options to set ports +case "$PLUTO_MY_PROTOCOL" in +1) # ICMP + ICMP_TYPE_OPTION="--icmp-type" + ;; +58) # ICMPv6 + ICMP_TYPE_OPTION="--icmpv6-type" + ;; +*) + ;; +esac # are there port numbers? if [ "$PLUTO_MY_PORT" != 0 ] then - S_MY_PORT="--sport $PLUTO_MY_PORT" - D_MY_PORT="--dport $PLUTO_MY_PORT" + if [ -n "$ICMP_TYPE_OPTION" ] + then + S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" + D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" + else + S_MY_PORT="--sport $PLUTO_MY_PORT" + D_MY_PORT="--dport $PLUTO_MY_PORT" + fi fi if [ "$PLUTO_PEER_PORT" != 0 ] then - S_PEER_PORT="--sport $PLUTO_PEER_PORT" - D_PEER_PORT="--dport $PLUTO_PEER_PORT" + if [ -n "$ICMP_TYPE_OPTION" ] + then + # the syntax is --icmp[v6]-type type[/code], so add it to the existing option + S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT" + D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT" + else + S_PEER_PORT="--sport $PLUTO_PEER_PORT" + D_PEER_PORT="--dport $PLUTO_PEER_PORT" + fi fi # resolve octal escape sequences PLUTO_MY_ID=`printf "$PLUTO_MY_ID"` PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"` -# the big choice case "$PLUTO_VERB:$1" in -prepare-host:*|prepare-client:*) - if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ] - then - # exit because no route will be added, - # so that existing routes can stay - exit 0 - fi - - # delete possibly-existing route (preliminary to adding a route) - case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in - "0.0.0.0/0.0.0.0") - # need to provide route that eclipses default, without - # replacing it. - parms1="0.0.0.0/1" - parms2="128.0.0.0/1" - it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1" - oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`" - ;; - *) - parms="$PLUTO_PEER_CLIENT" - it="ip route delete $parms 2>&1" - oops="`ip route delete $parms 2>&1`" - ;; - esac - status="$?" - if test " $oops" = " " -a " $status" != " 0" - then - oops="silent error, exit status $status" - fi - case "$oops" in - *'RTNETLINK answers: No such process'*) - # This is what route (currently -- not documented!) gives - # for "could not find such a route". - oops= - status=0 - ;; - esac - if test " $oops" != " " -o " $status" != " 0" - then - echo "$0: \`$it' failed ($oops)" >&2 - fi - exit $status - ;; -route-host:*|route-client:*) - # connection to me or my client subnet being routed - uproute - ;; -unroute-host:*|unroute-client:*) - # connection to me or my client subnet being unrouted - downroute - ;; up-host:) # connection to me coming up # If you are doing a custom version, firewall commands go here. @@ -395,7 +227,7 @@ down-host:) # connection to me going down # If you are doing a custom version, firewall commands go here. PLUTO_INTERFACE=ipsec0 - iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ -d $PLUTO_ME $D_MY_PORT -j ACCEPT iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ @@ -406,8 +238,8 @@ up-client:) # connection to my client subnet coming up # If you are doing a custom version, firewall commands go here. PLUTO_INTERFACE=ipsec0 - if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] - then + if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] + then iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ -s $PLUTO_MY_CLIENT $S_MY_PORT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT @@ -444,7 +276,7 @@ down-client:) if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] then iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ -s $PLUTO_MY_CLIENT $S_MY_PORT \ @@ -462,6 +294,14 @@ up-host:iptables) -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # + # allow IPIP traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed) + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec host connection setup if [ $VPN_LOGGING ] then @@ -486,6 +326,13 @@ down-host:iptables) -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # + # IPIP exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec host connection teardown if [ $VPN_LOGGING ] then @@ -525,6 +372,15 @@ up-client:iptables) -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT fi # + # allow IPIP traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed). + # INPUT is correct here even for forwarded traffic. + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec client connection setup if [ $VPN_LOGGING ] then @@ -568,6 +424,13 @@ down-client:iptables) $IPSEC_POLICY_OUT -j ACCEPT fi # + # IPIP exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec client connection teardown if [ $VPN_LOGGING ] then @@ -584,16 +447,6 @@ down-client:iptables) # # IPv6 # -prepare-host-v6:*|prepare-client-v6:*) - ;; -route-host-v6:*|route-client-v6:*) - # connection to me or my client subnet being routed - #uproute_v6 - ;; -unroute-host-v6:*|unroute-client-v6:*) - # connection to me or my client subnet being unrouted - #downroute_v6 - ;; up-host-v6:) # connection to me coming up # If you are doing a custom version, firewall commands go here. |