openwrt_ipsec_racoon.init 分析
racoon.init 脚本分析,基于openwrt 官方的脚本分析 #!/bin/sh /etc/rc.common # 包含了文件, 这个会继续分析
#
# Copyright (C) Vitaly Protsko <villy@sft.ru>
#set -vx USE_PROCD= #
#在openwrt系统内init进程被procd取代,procd作为父进程可以监控子进程的状态
#一旦子进程退出后即可在某一个时刻尝试进行重启进程。
#在op系统内使用procd监控的有uhttpd,netifd等。在/etc/init.d/文件夹内带有USE_PROCD=1标志, START= #启动顺序
STOP= # let 命令是 BASH 中用于计算的工具,用于执行一个或多个表达式,变量计算中不需要加上 $ 来表示变量。如果表达式中包含了空格或其他特殊字符,则必须引起来
let connWait=/
confDir=/var/racoon
confExtZone=
confIntZone=
confPort=
confNATPort=
confIPMode=
#定义第一阶段id
confPh1ID= # 定义一个log 变量
log="logger -t init.d/racoon[$$] "
# shell 包含脚本
. /etc/racoon/functions.sh #onfig racoon
#option foreground ''
#option zone 'vpn'
#list listen 'wan'
#option debug ''
#option ext_zone 'wan'
#option int_zone 'lan'
#option port ''
#option natt_port ''
#option ipversion '' # 函数功能: 给全局的变量赋值,从uci里面取值,调用config_get
# $ 函数的第一个参数是racoon
# 调用过程 config_foreach setup_load racoon
setup_load() {
config_get confExtZone "$1" ext_zone wan
config_get confIntZone "$1" int_zone lan
config_get confPort "$1" port
config_get confNATPort "$1" natt_port
config_get confIPMode "$1" ipversion "" case X$confIPMode in
X4|X6) ;;
*) unset confIPMode ;;
esac
} # 这个函数是写配置文件的头部的,基本全部是常量和一些说明
# 把这些值定向到 配置文件 write_header > $conf
write_header() {
echo "
# autogenerated, don't edit, look at /etc/config/racoon
#
path certificate \"/etc/racoon/certs\";
path script \"/etc/racoon\";
path pre_shared_key \"$confDir/psk.txt\";
path pidfile \"$confDir/racoon.pid\";
padding { maximum_length ; randomize off; strict_check off; exclusive_tail off; }
timer { counter ; interval sec; persend ; phase1 sec; phase2 sec; }
"
} # 还是写配置文件的一部分了,主要是头部,
# 日志部分
# 并打开防火墙
#
# autogenerated, don't edit, look at /etc/config/racoon
#
# path certificate "/etc/racoon/certs";
# path script "/etc/racoon";
# path pre_shared_key "/var/racoon/psk.txt";
# path pidfile "/var/racoon/racoon.pid";
# padding { maximum_length ; randomize off; strict_check off; exclusive_tail off; }
# timer { counter ; interval sec; persend ; phase1 sec; phase2 sec; } # listen {
# isakmp 222.209.232.158 []; isakmp_natt 222.209.232.158 [];
# }
# log debug; setup_conf() {
local conf=$confDir/racoon.conf
local peerconf=$confDir/peers.txt
local pskconf=$confDir/psk.txt
local item
local data data="$(get_zoneiplist $confExtZone)"
if [ "X$data" = X ]; then
$log "No IP addresses found for zone $confExtZone, exitng"
errno=; return
fi write_header > $conf
echo -n > $peerconf
echo -n > $pskconf
chmod $conf $peerconf $pskconf echo "listen {" >> $conf
for item in $data ; do
echo " isakmp $item [$confPort]; isakmp_natt $item [$confNATPort];" >> $conf
done
echo "}" >> $conf config_get_bool item "$1" debug
data=warning
test $item -ne && data=debug
echo "log $data;" >> $conf setup_fw add
} # 这个是设置第一阶段的参数,
# 追加到配置文件里面去
# proposal {
# lifetime time sec;
# encryption_algorithm 3des;
# hash_algorithm md5;
# authentication_method pre_shared_key;
# dh_group modp768;
# } setup_p1() {
local conf=$confDir/racoon.conf
local data echo " proposal {" >> $conf
config_get data "$1" lifetime
echo " lifetime time $data sec;" >> $conf config_get data "$1" enc_alg
test -n "$data" && echo " encryption_algorithm $data;" >> $conf config_get data "$1" hash_alg
test -n "$data" && echo " hash_algorithm $data;" >> $conf config_get data "$1" auth_method
test -n "$data" && echo " authentication_method $data;" >> $conf config_get data "$1" dh_group
echo -e " dh_group $data;\n }" >> $conf
} # 设置防火墙规则
setup_fw() {
local cmd=/usr/sbin/iptables
local mode case "$1" in
add|up|) mode=A ;;
del|down|) mode=D ;;
*) return ;;
esac $cmd -$mode input_${confExtZone}_rule -p AH -j ACCEPT
$cmd -$mode input_${confExtZone}_rule -p ESP -j ACCEPT
$cmd -$mode input_${confExtZone}_rule -p UDP --dport $confPort -j ACCEPT
$cmd -$mode input_${confExtZone}_rule -p UDP --dport $confNATPort -j ACCEPT
} # sainfo anonymous {
# remoteid ;
# pfs_group ;
# lifetime time sec;
# encryption_algorithm des;
# authentication_algorithm hmac_md5;
# compression_algorithm deflate;
# } setup_sa() {
local conf=$confDir/racoon.conf
local remote="${2/ *}"
local client="${2#* }"
local locnet
local remnet
local p2
local data test "$2" = "$client" && unset client if [ -z "$client" ]; then
config_get locnet "$1" local_net
config_get remnet "$1" remote_net
if [ -z "$locnet" ] || [ -z "$remnet" ]; then
$log "Remote and local networks for $1 must be configured ($2)"
errno=; return
fi if [ "$remote" = "anonymous" ]; then
echo "sainfo anonymous {" >> $conf
else
echo "sainfo address $locnet any address $remnet any {" >> $conf
fi
else
echo "sainfo anonymous {" >> $conf
fi config_get p2 "$1" p2_proposal
if [ -z "$p2" ]; then
$log "Phase2 proposal must be configured in $1 sainfo"
errno=; return
fi echo " remoteid $confPh1ID;" >> $conf config_get data "$p2" pfs_group
test -n "$data" && echo " pfs_group $data;" >> $conf
config_get data "$p2" lifetime
test -n "$data" && echo " lifetime time $data sec;" >> $conf
config_get data "$p2" enc_alg
test -n "$data" && echo " encryption_algorithm $data;" >> $conf
config_get data "$p2" auth_alg
test -n "$data" && echo " authentication_algorithm $data;" >> $conf echo -e " compression_algorithm deflate;\n}" >> $conf if [ "$remote" = "anonymous" ]; then
echo -e "mode_cfg {\n auth_source system;\n conf_source local;" >> $conf config_get data "$1" dns4
test -n "$data" && echo " dns4 $data;" >> $conf
config_get data "$1" defdomain
test -n "$data" && echo " default_domain \"$data\";" >> $conf data=${remnet%/*}
let "data=${data##*.}+1"
echo " network4 ${remnet%.*}.$data;" >> $conf let "data=255<<(24-${remnet#*/}+)&"
echo " netmask4 255.255.255.$data;" >> $conf echo -e " split_network include $locnet;\n}" >> $conf elif [ -z "$client" ]; then
config_list_foreach "$1" remote_exclude manage_nonesa add remote "$locnet"
config_list_foreach "$1" local_exclude manage_nonesa add local "$remnet"
manage_sa add "$locnet" "$remnet" $remote
test $? -gt -o $errno -gt && return $errno manage_fw add $confIntZone $confExtZone "$remnet"
fi
}
# 设置隧道
#
# remote anonymous {
# generate_policy on;
# passive on;
# ph1id ;
# exchange_mode aggressive,main;
# nat_traversal on;
# proposal_check obey;
# weak_phase1_check on;
# verify_identifier on;
# dpd_delay ;
# initial_contact off;
# proposal {
# lifetime time sec;
# encryption_algorithm 3des;
# hash_algorithm md5;
# authentication_method pre_shared_key;
# dh_group modp768;
# }
# }
setup_tunnel() {
local conf=$confDir/racoon.conf
local peerconf=$confDir/peers.txt
local data
local remote
local xauth config_get_bool data "$1" enabled
test "$data" = "" && return config_get remote "$1" remote
if [ "$remote" = "anonymous" ]; then
echo -e "remote anonymous {\n generate_policy on;" >> $conf
echo -e " passive on;" >> $conf
else
data=$(nslookup "$remote" | awk 'NR == 5 {print $3}')
test -n "$data" && remote="$data"
echo -e "remote \"$1\" {\n remote_address $remote;" >> $conf
echo "$data" >> $peerconf
echo -e " script \"p1client-up\" phase1_up;\n script \"p1client-down\" phase1_down;" >> $conf
fi config_get data "$1" pre_shared_key ""
if [ -n "$data" ]; then
if [ "$remote" != "anonymous" ]; then
echo "$remote $data" >> $confDir/psk.txt
else
echo "* $data" >> $confDir/psk.txt
fi
fi let confPh1ID=$confPh1ID+
echo " ph1id $confPh1ID;" >> $conf config_get xauth "$1" username "" config_get data "$1" certificate ""
if [ -n "$data" ]; then
echo -en " verify_cert on;\n my_identifier asn1dn;\n" >> $conf
#echo -en "\"$data.crt\" \"$data.key\";\n send_cr off;\n peers_identifier " >> $conf
echo " ca_type x509 \"cacert.pem\";" >>$conf
echo " certificate_type x509 \"mycert.pem\" \"mykey.pem\";" >>$conf
else
config_get data "$1" my_id_type ""
if [ -n "$data" ]; then
echo -n " my_identifier $data" >> $conf
config_get data "$1" my_id ""
if [ -n "$data" ]; then
echo " \"$data\";" >> $conf
elif [ -n "$xauth" ]; then
echo " \"$xauth\";" >> $conf
else
echo ";" >> $conf
fi
elif [ -n "$xauth" ]; then
echo " my_identifier user_fqdn \"$xauth\";" >> $conf
fi
#echo -n " peers_identifier " >> $conf
fi if [ "$remote" = "anonymous" ]; then
echo "anonymous"
else
config_get data "$1" peer_id_type "asn1dn"
#echo -n "$data" >> $conf config_get data "$1" peer_id ""
#test -n "$data" && echo -n " \"$data\"" >> $conf #echo ";" >> $conf
fi if [ -n "$xauth" ]; then
config_get data "$1" password
if [ -z "$data" ]; then
$log "Password must be given in $1 tunnel"
errno=; return
fi
echo "$xauth $data" >> $confDir/psk.txt echo " xauth_login \"$xauth\";" >> $conf
echo -e " script \"p1client-up\" phase1_up;\n script \"p1client-down\" phase1_down;" >> $conf
fi config_get data "$1" exchange_mode
if [ -z "$data" ]; then
data=main
test -n "$xauth" && data="${data},aggressive"
fi
echo -e " exchange_mode $data;\n nat_traversal on;" >> $conf config_get data "$1" prop_check "obey"
test -n "$data" && echo " proposal_check $data;" >> $conf config_get_bool data "$1" weak_p1check
if [ $data -eq ]; then data=off; else data=on; fi
echo " weak_phase1_check $data;" >> $conf config_get_bool data "$1" verify_id
if [ $data -eq ]; then data=off; else data=on; fi
echo " verify_identifier $data;" >> $conf config_get data "$1" dpd_delay ""
test -n "$data" && echo " dpd_delay $data;" >> $conf unset data
test -n "$xauth" && data="on"
config_get data "$1" mode_cfg "$data"
test -n "$data" && echo " mode_cfg $data;" >> $conf config_get_bool data "$1" init
if [ $data -eq ]; then data=off; else data=on; fi
echo " initial_contact $data;" >> $conf config_list_foreach "$1" p1_proposal setup_p1
echo "}" >> $conf config_list_foreach "$1" sainfo setup_sa "$remote $xauth"
} # 证书部分暂未使用
setup_cert() {
local item
local data for item in key crt ; do
config_get data "$1" $item ""
test -z "$data" && continue echo "$data" |\
sed 's/-\+[A-Z ]\+-\+/\n&\n/g' | sed 's/.\{50,50\}/&\n/g' | sed '/^$/d'\
> $confDir/cert/$.$item chmod $confDir/cert/$.$item
done if [ -s $confDir/cert/$.crt ]; then
data=$(openssl x509 -noout -hash -in $confDir/cert/$.crt)
ln -sf $confDir/cert/$.crt $confDir/cert/$data.
fi
} # 销毁
destroy_sa() {
local locnet
local remnet config_get locnet "$1" local_net
config_get remnet "$1" remote_net
if [ -z "$locnet" ] || [ -z "$remnet" ]; then
$log "Remote and local networks for $1 must be configured"
errno=; return
fi config_list_foreach "$1" remote_exclude manage_nonesa del remote "$locnet"
config_list_foreach "$1" local_exclude manage_nonesa del local "$remnet"
manage_sa del "$locnet" "$remnet" $
manage_fw del $confIntZone $confExtZone "$remnet"
} # 销毁
destroy_tunnel() {
local data config_get_bool data "$1" enabled
test "$data" = "" && return config_get remote "$1" remote
data=$(nslookup "$remote" | awk 'NR == 5 {print $3}')
test -n "$data" && remote="$data" config_get data "$1" username ""
if [ -z "$data" ]; then
config_list_foreach "$1" sainfo destroy_sa $remote
fi
} destroy_conf() {
setup_fw del
} # 环境监测
check_software() {
local item for item in /usr/sbin/setkey /usr/bin/openssl /usr/sbin/ip ; do
if [ ! -x $item ]; then
$log "Needed program $item not found, exiting"
errno=; return
fi
done
} cleanup_conf() {
config_load racoon
config_foreach setup_load racoon
config_foreach destroy_conf racoon
config_foreach destroy_tunnel tunnel /usr/sbin/setkey -P -F
/usr/sbin/setkey -F
} check_dir() {
local item for item in $confDir $confDir/cert ; do
if [ ! -d $item ]; then
mkdir -m -p $item
fi
done
} wait4wanzone() {
local item=$connWait
local data data="$(get_zoneiplist $confExtZone)"
while [ $item -gt ]; do
test -n "$data" && break
sleep
let "item=$item-1"
data="$(get_zoneiplist $confExtZone)"
done test -z "$data" && return
} start_service() { Enable=$(uci get racoon.ipsec_status.ipsec_enable_status)
[ "$Enable" != "enable" ] && exit check_software
test $? -gt -o $errno -gt && exit $errno check_dir config_load racoon
config_foreach setup_load racoon config_foreach wait4wanzone racoon
if [ $? -gt ] || [ $errno -gt ]; then
$log "No active interfaces in $confExtZone zone found, exiting"
exit $errno
fi config_foreach setup_conf racoon
test $? -gt -o $errno -gt && exit $errno config_foreach setup_tunnel tunnel
test $? -gt -o $errno -gt && exit $errno #config_foreach setup_cert certificate procd_open_instance
procd_set_param command /usr/sbin/racoon
test -n "$confIPMode" && procd_append_param command -$confIPMode
procd_append_param command -F -f $confDir/racoon.conf
procd_set_param file $confDir/racoon.conf
procd_close_instance if [ -x /etc/racoon/vpnctl ]; then
let connWait=$connWait*+
( sleep $connWait; /etc/racoon/vpnctl up ) &
fi
} service_triggers() {
local item
local data procd_add_reload_trigger "racoon" "network" config_load racoon
config_foreach setup_load racoon data=$(get_zoneiflist $confExtZone)
if [ $? -gt ] || [ $errno -gt ] || [ -z "$data" ]; then
$log "Can not find interfaces for $confExtZone zone"
else
for item in $data ; do
procd_add_reload_interface_trigger $item
done
fi
} stop_service() {
cleanup_conf
procd_kill racoon
} trap "cleanup_conf" # EOF /etc/init.d/racoon
racoon.init 脚本分析,基于openwrt 官方的脚本分析
#!/bin/sh /etc/rc.common # 包含了文件, 这个会继续分析## Copyright (C) 2015 Vitaly Protsko <villy@sft.ru>#set -vx
USE_PROCD=1 # #在openwrt系统内init进程被procd取代,procd作为父进程可以监控子进程的状态#一旦子进程退出后即可在某一个时刻尝试进行重启进程。#在op系统内使用procd监控的有uhttpd,netifd等。在/etc/init.d/文件夹内带有USE_PROCD=1标志,
START=99 #启动顺序STOP=40
# let 命令是 BASH 中用于计算的工具,用于执行一个或多个表达式,变量计算中不需要加上 $ 来表示变量。如果表达式中包含了空格或其他特殊字符,则必须引起来let connWait=2/2 confDir=/var/racoonconfExtZone=confIntZone=confPort=confNATPort=confIPMode=#定义第一阶段idconfPh1ID=0
# 定义一个log 变量log="logger -t init.d/racoon[$$] "# shell 包含脚本. /etc/racoon/functions.sh
#onfig racoon #option foreground '1' #option zone 'vpn' #list listen 'wan' #option debug '1' #option ext_zone 'wan' #option int_zone 'lan' #option port '500' #option natt_port '4500' #option ipversion '4'
# 函数功能: 给全局的变量赋值,从uci里面取值,调用config_get # $1 函数的第一个参数是racoon # 调用过程 config_foreach setup_load racoonsetup_load() { config_get confExtZone "$1" ext_zone wan config_get confIntZone "$1" int_zone lan config_get confPort "$1" port 500 config_get confNATPort "$1" natt_port 4500 config_get confIPMode "$1" ipversion ""
case X$confIPMode in X4|X6) ;; *) unset confIPMode ;; esac}
# 这个函数是写配置文件的头部的,基本全部是常量和一些说明 # 把这些值定向到 配置文件 write_header > $confwrite_header() { echo "# autogenerated, don't edit, look at /etc/config/racoon#path certificate \"/etc/racoon/certs\";path script \"/etc/racoon\";path pre_shared_key \"$confDir/psk.txt\";path pidfile \"$confDir/racoon.pid\";padding { maximum_length 20; randomize off; strict_check off; exclusive_tail off; }timer { counter 5; interval 20 sec; persend 1; phase1 30 sec; phase2 15 sec; }"}
# 还是写配置文件的一部分了,主要是头部,# 日志部分# 并打开防火墙# # autogenerated, don't edit, look at /etc/config/racoon## path certificate "/etc/racoon/certs";# path script "/etc/racoon";# path pre_shared_key "/var/racoon/psk.txt";# path pidfile "/var/racoon/racoon.pid";# padding { maximum_length 20; randomize off; strict_check off; exclusive_tail off; }# timer { counter 5; interval 20 sec; persend 1; phase1 30 sec; phase2 15 sec; }
# listen {# isakmp 222.209.232.158 [500]; isakmp_natt 222.209.232.158 [4500];# }# log debug;
setup_conf() { local conf=$confDir/racoon.conf local peerconf=$confDir/peers.txt local pskconf=$confDir/psk.txt local item local data
data="$(get_zoneiplist $confExtZone)" if [ "X$data" = X ]; then $log "No IP addresses found for zone $confExtZone, exitng" errno=2; return 2 fi
write_header > $conf echo -n > $peerconf echo -n > $pskconf chmod 0600 $conf $peerconf $pskconf
echo "listen {" >> $conf for item in $data ; do echo " isakmp $item [$confPort]; isakmp_natt $item [$confNATPort];" >> $conf done echo "}" >> $conf
config_get_bool item "$1" debug 0 data=warning test $item -ne 0 && data=debug echo "log $data;" >> $conf
setup_fw add}
# 这个是设置第一阶段的参数,# 追加到配置文件里面去# proposal {# lifetime time 86400 sec;# encryption_algorithm 3des;# hash_algorithm md5;# authentication_method pre_shared_key;# dh_group modp768;# }
setup_p1() { local conf=$confDir/racoon.conf local data
echo " proposal {" >> $conf config_get data "$1" lifetime 28800 echo " lifetime time $data sec;" >> $conf
config_get data "$1" enc_alg test -n "$data" && echo " encryption_algorithm $data;" >> $conf
config_get data "$1" hash_alg test -n "$data" && echo " hash_algorithm $data;" >> $conf
config_get data "$1" auth_method test -n "$data" && echo " authentication_method $data;" >> $conf
config_get data "$1" dh_group 2 echo -e " dh_group $data;\n }" >> $conf}
# 设置防火墙规则setup_fw() { local cmd=/usr/sbin/iptables local mode
case "$1" in add|up|1) mode=A ;; del|down|0) mode=D ;; *) return 3 ;; esac
$cmd -$mode input_${confExtZone}_rule -p AH -j ACCEPT $cmd -$mode input_${confExtZone}_rule -p ESP -j ACCEPT $cmd -$mode input_${confExtZone}_rule -p UDP --dport $confPort -j ACCEPT $cmd -$mode input_${confExtZone}_rule -p UDP --dport $confNATPort -j ACCEPT}
# sainfo anonymous {# remoteid 1;# pfs_group 1;# lifetime time 28800 sec;# encryption_algorithm des;# authentication_algorithm hmac_md5;# compression_algorithm deflate;# }
setup_sa() { local conf=$confDir/racoon.conf local remote="${2/ *}" local client="${2#* }" local locnet local remnet local p2 local data
test "$2" = "$client" && unset client
if [ -z "$client" ]; then config_get locnet "$1" local_net config_get remnet "$1" remote_net if [ -z "$locnet" ] || [ -z "$remnet" ]; then $log "Remote and local networks for $1 must be configured ($2)" errno=4; return 4 fi
if [ "$remote" = "anonymous" ]; then echo "sainfo anonymous {" >> $conf else echo "sainfo address $locnet any address $remnet any {" >> $conf fi else echo "sainfo anonymous {" >> $conf fi
config_get p2 "$1" p2_proposal if [ -z "$p2" ]; then $log "Phase2 proposal must be configured in $1 sainfo" errno=5; return 5 fi
echo " remoteid $confPh1ID;" >> $conf
config_get data "$p2" pfs_group test -n "$data" && echo " pfs_group $data;" >> $conf config_get data "$p2" lifetime 14400 test -n "$data" && echo " lifetime time $data sec;" >> $conf config_get data "$p2" enc_alg test -n "$data" && echo " encryption_algorithm $data;" >> $conf config_get data "$p2" auth_alg test -n "$data" && echo " authentication_algorithm $data;" >> $conf
echo -e " compression_algorithm deflate;\n}" >> $conf
if [ "$remote" = "anonymous" ]; then echo -e "mode_cfg {\n auth_source system;\n conf_source local;" >> $conf
config_get data "$1" dns4 test -n "$data" && echo " dns4 $data;" >> $conf config_get data "$1" defdomain test -n "$data" && echo " default_domain \"$data\";" >> $conf
data=${remnet%/*} let "data=${data##*.}+1" echo " network4 ${remnet%.*}.$data;" >> $conf
let "data=255<<(24-${remnet#*/}+8)&255" echo " netmask4 255.255.255.$data;" >> $conf
echo -e " split_network include $locnet;\n}" >> $conf
elif [ -z "$client" ]; then config_list_foreach "$1" remote_exclude manage_nonesa add remote "$locnet" config_list_foreach "$1" local_exclude manage_nonesa add local "$remnet" manage_sa add "$locnet" "$remnet" $remote test $? -gt 0 -o $errno -gt 0 && return $errno
manage_fw add $confIntZone $confExtZone "$remnet" fi}# 设置隧道# # remote anonymous {# generate_policy on;# passive on;# ph1id 1;# exchange_mode aggressive,main;# nat_traversal on;# proposal_check obey;# weak_phase1_check on;# verify_identifier on;# dpd_delay 10;# initial_contact off;# proposal {# lifetime time 86400 sec;# encryption_algorithm 3des;# hash_algorithm md5;# authentication_method pre_shared_key;# dh_group modp768;# }# }setup_tunnel() { local conf=$confDir/racoon.conf local peerconf=$confDir/peers.txt local data local remote local xauth
config_get_bool data "$1" enabled 0 test "$data" = "0" && return 0
config_get remote "$1" remote if [ "$remote" = "anonymous" ]; then echo -e "remote anonymous {\n generate_policy on;" >> $conf echo -e " passive on;" >> $conf else data=$(nslookup "$remote" | awk 'NR == 5 {print $3}') test -n "$data" && remote="$data" echo -e "remote \"$1\" {\n remote_address $remote;" >> $conf echo "$data" >> $peerconf echo -e " script \"p1client-up\" phase1_up;\n script \"p1client-down\" phase1_down;" >> $conf fi
config_get data "$1" pre_shared_key "" if [ -n "$data" ]; then if [ "$remote" != "anonymous" ]; then echo "$remote $data" >> $confDir/psk.txt else echo "* $data" >> $confDir/psk.txt fi fi
let confPh1ID=$confPh1ID+1 echo " ph1id $confPh1ID;" >> $conf
config_get xauth "$1" username ""
config_get data "$1" certificate "" if [ -n "$data" ]; then echo -en " verify_cert on;\n my_identifier asn1dn;\n" >> $conf #echo -en "\"$data.crt\" \"$data.key\";\n send_cr off;\n peers_identifier " >> $conf echo " ca_type x509 \"cacert.pem\";" >>$conf echo " certificate_type x509 \"mycert.pem\" \"mykey.pem\";" >>$conf else config_get data "$1" my_id_type "" if [ -n "$data" ]; then echo -n " my_identifier $data" >> $conf config_get data "$1" my_id "" if [ -n "$data" ]; then echo " \"$data\";" >> $conf elif [ -n "$xauth" ]; then echo " \"$xauth\";" >> $conf else echo ";" >> $conf fi elif [ -n "$xauth" ]; then echo " my_identifier user_fqdn \"$xauth\";" >> $conf fi #echo -n " peers_identifier " >> $conf fi
if [ "$remote" = "anonymous" ]; then echo "anonymous" else config_get data "$1" peer_id_type "asn1dn" #echo -n "$data" >> $conf
config_get data "$1" peer_id "" #test -n "$data" && echo -n " \"$data\"" >> $conf
#echo ";" >> $conf fi
if [ -n "$xauth" ]; then config_get data "$1" password if [ -z "$data" ]; then $log "Password must be given in $1 tunnel" errno=7; return 7 fi echo "$xauth $data" >> $confDir/psk.txt
echo " xauth_login \"$xauth\";" >> $conf echo -e " script \"p1client-up\" phase1_up;\n script \"p1client-down\" phase1_down;" >> $conf fi
config_get data "$1" exchange_mode if [ -z "$data" ]; then data=main test -n "$xauth" && data="${data},aggressive" fi echo -e " exchange_mode $data;\n nat_traversal on;" >> $conf
config_get data "$1" prop_check "obey" test -n "$data" && echo " proposal_check $data;" >> $conf
config_get_bool data "$1" weak_p1check 1 if [ $data -eq 0 ]; then data=off; else data=on; fi echo " weak_phase1_check $data;" >> $conf
config_get_bool data "$1" verify_id 1 if [ $data -eq 0 ]; then data=off; else data=on; fi echo " verify_identifier $data;" >> $conf
config_get data "$1" dpd_delay "" test -n "$data" && echo " dpd_delay $data;" >> $conf
unset data test -n "$xauth" && data="on" config_get data "$1" mode_cfg "$data" test -n "$data" && echo " mode_cfg $data;" >> $conf
config_get_bool data "$1" init 0 if [ $data -eq 0 ]; then data=off; else data=on; fi echo " initial_contact $data;" >> $conf
config_list_foreach "$1" p1_proposal setup_p1 echo "}" >> $conf
config_list_foreach "$1" sainfo setup_sa "$remote $xauth"}
# 证书部分暂未使用setup_cert() { local item local data
for item in key crt ; do config_get data "$1" $item "" test -z "$data" && continue
echo "$data" |\ sed 's/-\+[A-Z ]\+-\+/\n&\n/g' | sed 's/.\{50,50\}/&\n/g' | sed '/^$/d'\ > $confDir/cert/$1.$item
chmod 600 $confDir/cert/$1.$item done
if [ -s $confDir/cert/$1.crt ]; then data=$(openssl x509 -noout -hash -in $confDir/cert/$1.crt) ln -sf $confDir/cert/$1.crt $confDir/cert/$data.0 fi}
# 销毁destroy_sa() { local locnet local remnet
config_get locnet "$1" local_net config_get remnet "$1" remote_net if [ -z "$locnet" ] || [ -z "$remnet" ]; then $log "Remote and local networks for $1 must be configured" errno=4; return 4 fi
config_list_foreach "$1" remote_exclude manage_nonesa del remote "$locnet" config_list_foreach "$1" local_exclude manage_nonesa del local "$remnet" manage_sa del "$locnet" "$remnet" $2 manage_fw del $confIntZone $confExtZone "$remnet"}
# 销毁destroy_tunnel() { local data
config_get_bool data "$1" enabled 0 test "$data" = "0" && return 0
config_get remote "$1" remote data=$(nslookup "$remote" | awk 'NR == 5 {print $3}') test -n "$data" && remote="$data"
config_get data "$1" username "" if [ -z "$data" ]; then config_list_foreach "$1" sainfo destroy_sa $remote fi}
destroy_conf() { setup_fw del}
# 环境监测check_software() { local item
for item in /usr/sbin/setkey /usr/bin/openssl /usr/sbin/ip ; do if [ ! -x $item ]; then $log "Needed program $item not found, exiting" errno=9; return 9 fi done}
cleanup_conf() { config_load racoon config_foreach setup_load racoon config_foreach destroy_conf racoon config_foreach destroy_tunnel tunnel
/usr/sbin/setkey -P -F /usr/sbin/setkey -F}
check_dir() { local item
for item in $confDir $confDir/cert ; do if [ ! -d $item ]; then mkdir -m 0700 -p $item fi done}
wait4wanzone() { local item=$connWait local data
data="$(get_zoneiplist $confExtZone)" while [ $item -gt 0 ]; do test -n "$data" && break sleep 2 let "item=$item-1" data="$(get_zoneiplist $confExtZone)" done
test -z "$data" && return 10}
start_service() {
Enable=$(uci get racoon.ipsec_status.ipsec_enable_status) [ "$Enable" != "enable" ] && exit 0
check_software test $? -gt 0 -o $errno -gt 0 && exit $errno
check_dir
config_load racoon config_foreach setup_load racoon
config_foreach wait4wanzone racoon if [ $? -gt 0 ] || [ $errno -gt 0 ]; then $log "No active interfaces in $confExtZone zone found, exiting" exit $errno fi
config_foreach setup_conf racoon test $? -gt 0 -o $errno -gt 0 && exit $errno
config_foreach setup_tunnel tunnel test $? -gt 0 -o $errno -gt 0 && exit $errno
#config_foreach setup_cert certificate
procd_open_instance procd_set_param command /usr/sbin/racoon test -n "$confIPMode" && procd_append_param command -$confIPMode procd_append_param command -F -f $confDir/racoon.conf procd_set_param file $confDir/racoon.conf procd_close_instance
if [ -x /etc/racoon/vpnctl ]; then let connWait=$connWait*2+2 ( sleep $connWait; /etc/racoon/vpnctl up ) & fi}
service_triggers() { local item local data
procd_add_reload_trigger "racoon" "network"
config_load racoon config_foreach setup_load racoon
data=$(get_zoneiflist $confExtZone) if [ $? -gt 0 ] || [ $errno -gt 0 ] || [ -z "$data" ]; then $log "Can not find interfaces for $confExtZone zone" else for item in $data ; do procd_add_reload_interface_trigger $item done fi}
stop_service() { cleanup_conf procd_kill racoon }
trap "cleanup_conf" 1 2 3 4 5 6 7 8 9 10
# EOF /etc/init.d/racoon
最新文章
- nginx.conf配置文件里的upstream加入健康检查
- ios webView 放大网页解决/input 获得焦点focus 网页放大 解决
- LeetCode132:Palindrome Partitioning II
- slf4j提示Class path contains multiple SLF4J bindings
- innobackupex --slave-info参数的含义和适用场景
- select组件2
- scrapy1.1入门用例简介-2
- MFC类中获得其它类指针
- qt+boost::asio+tcp文件传输
- Java操作memcached(一)
- 第48篇 字符编码探密--ASCII,UTF8,GBK,Unicode
- border-radius:50%和100%究竟有什么区别
- js或jquery实现点击某个按钮或元素显示div,点击页面其他任何地方隐藏div
- SQLServer之创建存储过程
- java 面经
- PCL-Kinfu编译手册
- 转:【专题十一】实现一个基于FTP协议的程序——文件上传下载器
- MySQL DBA 管理常用命令
- notepad++程序员开发插件
- Hive中日期处理