forked from hwdsl2/setup-ipsec-vpn
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathikev2onlymode.sh
executable file
·178 lines (153 loc) · 4.29 KB
/
ikev2onlymode.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
#!/bin/bash
#
# Script to enable or disable IKEv2-only mode
#
# Copyright (C) 2022-2023 Lin Song <[email protected]>
#
# This work is licensed under the Creative Commons Attribution-ShareAlike 3.0
# Unported License: http://creativecommons.org/licenses/by-sa/3.0/
#
# Attribution required: please include my name in any derivative and let me
# know how you have improved it!
export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
SYS_DT=$(date +%F-%T | tr ':' '_')
exiterr() { echo "Error: $1" >&2; exit 1; }
bigecho() { echo "## $1"; }
check_root() {
if [ "$(id -u)" != 0 ]; then
exiterr "Script must be run as root. Try 'sudo bash $0'"
fi
}
abort_and_exit() {
echo "Abort. No changes were made." >&2
exit 1
}
continue_or_abort() {
printf '%s' "$1"
read -r response
case $response in
[yY][eE][sS]|[yY]|'')
echo
;;
*)
abort_and_exit
;;
esac
}
check_ikev2_exists() {
grep -qs "conn ikev2-cp" /etc/ipsec.conf || [ -f /etc/ipsec.d/ikev2.conf ]
}
check_libreswan() {
ipsec_ver=$(ipsec --version 2>/dev/null)
swan_ver=$(printf '%s' "$ipsec_ver" | sed -e 's/.*Libreswan U\?//' -e 's/\( (\|\/K\).*//')
if ! grep -qs "hwdsl2 VPN script" /etc/sysctl.conf \
|| ! grep -qs "config setup" /etc/ipsec.conf \
|| ! printf '%s' "$ipsec_ver" | grep -qi 'libreswan'; then
cat 1>&2 <<'EOF'
Error: Your must first set up the IPsec VPN server before selecting IKEv2-only mode.
See: https://github.com/hwdsl2/setup-ipsec-vpn
EOF
exit 1
fi
if ! check_ikev2_exists; then
cat 1>&2 <<'EOF'
Error: Your must first set up IKEv2 before selecting IKEv2-only mode.
See: https://vpnsetup.net/ikev2
EOF
exit 1
fi
}
check_swan_ver() {
if ! printf '%s\n%s' "4.2" "$swan_ver" | sort -C -V; then
cat 1>&2 <<EOF
Error: Libreswan version '$swan_ver' is not supported.
IKEv2-only mode requires Libreswan 4.2 or newer.
To update Libreswan, run:
wget https://get.vpnsetup.net/upg -O vpnup.sh && sudo sh vpnup.sh
EOF
exit 1
fi
}
get_ikev2_only_status() {
if grep -qs "ikev1-policy=drop" /etc/ipsec.conf \
|| grep -qs "ikev1-policy=reject" /etc/ipsec.conf; then
ikev2_only_status=ENABLED
option_text="Disable IKEv2-only mode"
else
ikev2_only_status=DISABLED
option_text="Enable IKEv2-only mode"
fi
}
confirm_disable_ikev2_only() {
cat <<'EOF'
Note: This option will disable IKEv2-only mode on this VPN server. With IKEv2-only
mode disabled, VPN clients can connect to this server using IKEv1 (including
IPsec/L2TP and IPsec/XAuth ("Cisco IPsec") modes) in addition to IKEv2.
EOF
continue_or_abort "Do you want to continue? [Y/n] "
}
confirm_enable_ikev2_only() {
cat <<'EOF'
Note: This option will enable IKEv2-only mode on this VPN server. With IKEv2-only
mode enabled, VPN clients can *only* connect to this server using IKEv2.
All IKEv1 connections (including IPsec/L2TP and IPsec/XAuth ("Cisco IPsec")
modes) will be dropped.
EOF
continue_or_abort "Do you want to continue? [Y/n] "
}
toggle_ikev2_only() {
if [ "$ikev2_only_status" = "ENABLED" ]; then
confirm_disable_ikev2_only
bigecho "Disabling IKEv2-only mode..."
sed -i".old-$SYS_DT" "/ikev1-policy=/d" /etc/ipsec.conf
elif [ "$ikev2_only_status" = "DISABLED" ]; then
confirm_enable_ikev2_only
bigecho "Enabling IKEv2-only mode..."
sed -i".old-$SYS_DT" "/ikev1-policy=/d" /etc/ipsec.conf
sed -i "/config setup/a \ ikev1-policy=drop" /etc/ipsec.conf
fi
}
restart_ipsec_service() {
bigecho "Restarting IPsec service..."
mkdir -p /run/pluto
service ipsec restart 2>/dev/null
}
print_complete() {
cat <<'EOF'
Done!
EOF
}
select_menu_option() {
cat <<EOF
IKEv2-only mode is currently $ikev2_only_status on this VPN server.
Select an option:
1) $option_text
2) Exit
EOF
read -rp "Option: " selected_option
until [[ "$selected_option" =~ ^[1-2]$ ]]; do
printf '%s\n' "$selected_option: invalid selection."
read -rp "Option: " selected_option
done
}
ikev2onlymode() {
check_root
check_libreswan
check_swan_ver
get_ikev2_only_status
select_menu_option
case $selected_option in
1)
toggle_ikev2_only
restart_ipsec_service
print_complete
exit 0
;;
*)
exit 0
;;
esac
}
## Defer until we have the complete script
ikev2onlymode "$@"
exit 0