Add libreswan
This commit is contained in:
parent
633c67fef8
commit
6542cad141
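--- /dev/null
+++ b/<libreswan-config-pkgdir>/APKBUILD
@@ -0,0 +1,26 @@
+# Contributor: Alex Denes <caskd@redxen.eu>
+# Maintainer: Alex Denes <caskd@redxen.eu>
+
+. ../APKBUILD-config.template
+
+pkgver=2021.08.15.07
+pkgrel=0
+source="
+ipsec.conf
+oe-local.conf
+rxpriv.policy
+"
+
+package() {
+rx_install ipsec.conf
+echo "%any %any6 : PSK \"$(cat /dev/urandom | tr -dc '[:alnum:]' | head -c 128)\"" > ipsec.secrets # Generate strong PSK for all hosts
+rx_install ipsec.secrets
+_rx_installdir="$_rx_installdir/ipsec.d" rx_install oe-local.conf
+_rx_installdir="$_rx_installdir/ipsec.d/policies" rx_install rxpriv.policy rxpriv
+}
+
+sha512sums="
+564da558940148a118dfcb3a1aa28abdebad53a6bb96e3c4f9c27e1370ad7e9c0e9f9e80866aa930bc858198c70f437231fe006c8418e651519a835305a77b2d ipsec.conf
+64e11bfcfbbec0713a3996d59e6cf1bca4d88518284ba1fc98623249fab428b17fa33521dc11071bd59be190637463dea5769a6f6433bc748cba39bed3184c2c oe-local.conf
+fdafb14889aa7b149f419f7bafd30fe3da0a780a385741143ddbd3456a1365bde63d67c6b0dccfc1e44405862443c65c0077d89bfd69a1619e2d1008a72f3501 rxpriv.policy
+"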
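Review bot: The PSK written by the `echo ... > ipsec.secrets` line in package() is generated once at build time and shipped inside the package, so every host that installs this build shares the same secret, and that secret lives in the apk and in any repository that carries it. Nothing visible in this commit consumes it either: the only connection added (conn rxpriv in oe-local.conf) uses `authby=null`. If a per-host secret is the intent, generating it on the target at first start (for example from the openrc runfile's start_pre when the file is absent) with mode 0600 keeps it out of the artifact; if a build-time shared secret is intentional, the inline comment should say so, e.g. `# NOTE: one PSK per build, shared by every installer of this package`. Whether rx_install applies restrictive permissions to ipsec.secrets is not visible here and is worth confirming, since the file is installed alongside world-readable configs. As a minor point, `cat /dev/urandom |` can become `tr -dc '[:alnum:]' < /dev/urandom | head -c 128`.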
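--- /dev/null
+++ b/<libreswan-config-pkgdir>/ipsec.conf
@@ -0,0 +1,10 @@
+config setup
+# plutodebug="control parsing"
+# plutodebug="all crypt"
+plutodebug=none
+ipsecdir=/etc/redxen/libreswan/ipsec.d
+nssdir=/run/pluto/nss
+dumpdir=/run/pluto
+secretsfile=/etc/redxen/libreswan/ipsec.secrets
+
+include /etc/redxen/libreswan/ipsec.d/*.conf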
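Review bot: `nssdir=/run/pluto/nss` places the NSS database under /run, which on most systems is tmpfs, so it is recreated by `ipsec --checknss` on each boot and any certificates or raw keys imported into it will not survive a reboot. With the null-auth connection added in this commit that is harmless, but the choice is easy to trip over later and deserves a comment such as `# NSS db is ephemeral (/run is usually tmpfs); fine for authby=null, not for persistent certs/keys`. `dumpdir=/run/pluto` likewise sends any pluto core dumps, which can contain key material, to RAM-backed storage, which is arguably the safer place but should be stated as deliberate.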
@ -0,0 +1 @@
|
|||
|
|
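--- /dev/null
+++ b/<libreswan-config-pkgdir>/oe-local.conf
@@ -0,0 +1,13 @@
+conn rxpriv
+type=tunnel
+authby=null
+negotiationshunt=hold
+failureshunt=drop
+ikev2=insist
+auto=route
+leftid=%null
+# Send packets from eth1 local IP
+left=%eth1
+rightid=%null
+# Send and receive packets from hosts in the policies dir
+right=%opportunisticgroup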
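Review bot: `authby=null` together with `leftid=%null` and `rightid=%null` makes conn rxpriv opportunistic IPsec with no peer authentication, so it protects traffic to the policy group against passive observation only and does not verify who the other end is. That trade-off is stated nowhere in the file, and the two existing comments describe only left/right; a header comment such as `# Unauthenticated (authby=null) opportunistic encryption: confidentiality only, peers are not verified` would make it explicit for whoever adds a second conn. `failureshunt=drop` with `negotiationshunt=hold` does make the policy fail closed when a peer cannot negotiate, which is the right choice for this mode. If the PSK generated in the companion APKBUILD was meant to authenticate these peers, this conn would need `authby=secret` and real ids, which it does not set.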
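--- /dev/null
+++ b/<libreswan-config-pkgdir>/rxpriv.policy
@@ -0,0 +1,14 @@
+# One IPv4 or IPv6 CIDR per line, optionally specifying a further
+# narrowing of protocol, source port and destination port
+#
+# examples:
+# encrypt all traffic to an IPv4 or IPv6 host or subnet
+# 10.0.1.0/24
+# 10.1.1.1/32
+# 2a03:6000:1004:1::/64
+#
+# encrypt all smtp traffic to some host
+# 10.0.1.0/24 tcp 0 25
+# encrypt all incoming smtp traffic
+# 0.0.0.0/0 tcp 25 0
+10.10.0.0/16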
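--- /dev/null
+++ b/<libreswan-openrc-pkgdir>/APKBUILD
@@ -0,0 +1,12 @@
+# Contributor: Alex Denes <caskd@redxen.eu>
+# Maintainer: Alex Denes <caskd@redxen.eu>
+
+. ../APKBUILD-openrc.template
+
+pkgver=2021.08.15.04
+pkgrel=0
+
+sha512sums="
+75970126b3e41517348cb60c658a206cf986189d72a214d9edbc81c0d4601f77fe2445587f02232fa3c3133b1320b0ceef6fbc65e77c3afc06fd40985cebfdd8 runfile
+bf95fc7592b04e6bc6d2be04c9e09519cd033ff0d2f09359232ae19414ded13c096c527d0962990051e1f3535c1cad37a478a7df6471f1fd1cc201b790b0fd7c conffile
+"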
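--- /dev/null
+++ b/<libreswan-openrc-pkgdir>/conffile
@@ -0,0 +1 @@
+PLUTO_CONFFILE="/etc/redxen/libreswan/ipsec.conf"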
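--- /dev/null
+++ b/<libreswan-openrc-pkgdir>/runfile
@@ -0,0 +1,62 @@
+#!/sbin/openrc-run
+
+name="ipsec pluto daemon"
+extra_commands="configtest"
+extra_started_commands="reload"
+description="pluto is an IKE daemon that is used to setup IPSEC VPN connections."
+description_configtest="Run syntax tests for configuration files only."
+description_reload="reloads the configuration - does not affect existing connections"
+
+PLUTO_BINARY=${PLUTO_BINARY:-/usr/libexec/ipsec/pluto}
+PLUTO_CONFFILE=${PLUTO_CONFFILE:-/etc/ipsec.conf}
+IPSEC_BINARY=${IPSEC_BINARY:-/usr/sbin/ipsec}
+IPSEC_NSSDIR=${IPSEC_NSSDIR:-/run/pluto/nss}
+pidfile=${PLUTO_PIDFILE:-/var/run/pluto/pluto.pid}
+
+command="${PLUTO_BINARY}"
+command_args="--config ${PLUTO_CONFFILE} ${PLUTO_OPTS}"
+
+depend() {
+need net
+use logger dns
+provide ipsec
+}
+
+checkconfig() {
+checkpath --directory /run/pluto
+checkpath --directory "${IPSEC_NSSDIR}"
+${IPSEC_BINARY} addconn --checkconfig || return 1
+}
+
+configtest() {
+ebegin "Checking ${SVCNAME} configuration"
+checkconfig
+eend $?
+}
+
+start_pre() {
+checkconfig || return 1
+
+${IPSEC_BINARY} --checknss --nssdir "${IPSEC_NSSDIR}"
+${IPSEC_BINARY} --checknflog
+${IPSEC_BINARY} _stackmanager start
+}
+
+stop_pre() {
+if [ "${RC_CMD}" = "restart" ] ; then
+checkconfig || return 1
+fi
+}
+
+stop_post() {
+${IPSEC_BINARY} _stackmanager stop
+${IPSEC_BINARY} --stopnflog
+eend $RETVAL
+}
+
+reload() {
+checkconfig || return $?
+ebegin "Reloading ${SVCNAME}"
+${IPSEC_BINARY} auto --rereadall
+eend $?
+}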
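Review bot: In start_pre the exit codes of `--checknss`, `--checknflog` and `_stackmanager start` are ignored, so pluto is launched even when the NSS database could not be initialised or the IPsec kernel stack failed to load, and the service then reports "started" while no tunnel can come up; each step should end in `|| return 1`, which as far as I recall also matches how upstream's service unit treats these pre-start steps. stop_post then calls `eend $RETVAL` with no matching ebegin and with RETVAL set nowhere in this file, so stack teardown always reports success regardless of what `_stackmanager stop` returned. checkpath creates /run/pluto and the NSS directory with its default mode; since the NSS db holds whatever keys pluto generates, it is worth confirming whether `--mode 0700` on the nssdir line is wanted. The rewritten functions below make the pre-start checks fatal and tie eend to the real status of the stack teardown.
```shell
start_pre() {
    checkconfig || return 1

    ${IPSEC_BINARY} --checknss --nssdir "${IPSEC_NSSDIR}" || return 1
    ${IPSEC_BINARY} --checknflog || return 1
    ${IPSEC_BINARY} _stackmanager start || return 1
}

# … unchanged: stop_pre …

stop_post() {
    ebegin "Unloading IPsec stack for ${SVCNAME}"
    ${IPSEC_BINARY} _stackmanager stop && ${IPSEC_BINARY} --stopnflog
    eend $?
}
```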