Add libreswan

2021-08-15 15:31:50 +00:00 · 2021-08-15 15:31:50 +00:00 · 6542cad141
parent 633c67fef8
commit 6542cad141
8 changed files with 139 additions and 0 deletions
--- a/config/libreswan/APKBUILD
+++ b/config/libreswan/APKBUILD
@ -0,0 +1,26 @@
+# Contributor: Alex Denes <caskd@redxen.eu>
+# Maintainer: Alex Denes <caskd@redxen.eu>
+
+. ../APKBUILD-config.template
+
+pkgver=2021.08.15.07
+pkgrel=0
+source="
+	ipsec.conf
+	oe-local.conf
+	rxpriv.policy
+"
+
+package() {
+	rx_install ipsec.conf
+	echo "%any %any6 : PSK \"$(cat /dev/urandom | tr -dc '[:alnum:]' | head -c 128)\"" > ipsec.secrets # Generate strong PSK for all hosts
+	rx_install ipsec.secrets
+	_rx_installdir="$_rx_installdir/ipsec.d" rx_install oe-local.conf
+	_rx_installdir="$_rx_installdir/ipsec.d/policies" rx_install rxpriv.policy rxpriv
+}
+
+sha512sums="
+564da558940148a118dfcb3a1aa28abdebad53a6bb96e3c4f9c27e1370ad7e9c0e9f9e80866aa930bc858198c70f437231fe006c8418e651519a835305a77b2d  ipsec.conf
+64e11bfcfbbec0713a3996d59e6cf1bca4d88518284ba1fc98623249fab428b17fa33521dc11071bd59be190637463dea5769a6f6433bc748cba39bed3184c2c  oe-local.conf
+fdafb14889aa7b149f419f7bafd30fe3da0a780a385741143ddbd3456a1365bde63d67c6b0dccfc1e44405862443c65c0077d89bfd69a1619e2d1008a72f3501  rxpriv.policy
+"
--- a/config/libreswan/ipsec.conf
+++ b/config/libreswan/ipsec.conf
@ -0,0 +1,10 @@
+config setup
+	# plutodebug="control parsing"
+	# plutodebug="all crypt"
+	plutodebug=none
+	ipsecdir=/etc/redxen/libreswan/ipsec.d
+	nssdir=/run/pluto/nss
+	dumpdir=/run/pluto
+	secretsfile=/etc/redxen/libreswan/ipsec.secrets
+
+include /etc/redxen/libreswan/ipsec.d/*.conf
--- a/config/libreswan/ipsec.secrets
+++ b/config/libreswan/ipsec.secrets
@ -0,0 +1 @@
+
--- a/config/libreswan/oe-local.conf
+++ b/config/libreswan/oe-local.conf
@ -0,0 +1,13 @@
+conn rxpriv
+	type=tunnel
+	authby=null
+	negotiationshunt=hold
+	failureshunt=drop
+	ikev2=insist
+	auto=route
+	leftid=%null
+	# Send packets from eth1 local IP
+	left=%eth1
+	rightid=%null
+	# Send and receive packets from hosts in the policies dir
+	right=%opportunisticgroup
--- a/config/libreswan/rxpriv.policy
+++ b/config/libreswan/rxpriv.policy
@ -0,0 +1,14 @@
+# One IPv4 or IPv6 CIDR per line, optionally specifying a further
+# narrowing of protocol, source port and destination port
+#
+# examples:
+# encrypt all traffic to an IPv4 or IPv6 host or subnet
+# 10.0.1.0/24
+# 10.1.1.1/32
+# 2a03:6000:1004:1::/64
+#
+# encrypt all smtp traffic to some host
+#  10.0.1.0/24  tcp  0  25
+# encrypt all incoming smtp traffic
+#  0.0.0.0/0  tcp  25  0
+10.10.0.0/16
--- a/openrc/libreswan/APKBUILD
+++ b/openrc/libreswan/APKBUILD
@ -0,0 +1,12 @@
+# Contributor: Alex Denes <caskd@redxen.eu>
+# Maintainer: Alex Denes <caskd@redxen.eu>
+
+. ../APKBUILD-openrc.template
+
+pkgver=2021.08.15.04
+pkgrel=0
+
+sha512sums="
+75970126b3e41517348cb60c658a206cf986189d72a214d9edbc81c0d4601f77fe2445587f02232fa3c3133b1320b0ceef6fbc65e77c3afc06fd40985cebfdd8  runfile
+bf95fc7592b04e6bc6d2be04c9e09519cd033ff0d2f09359232ae19414ded13c096c527d0962990051e1f3535c1cad37a478a7df6471f1fd1cc201b790b0fd7c  conffile
+"
--- a/openrc/libreswan/conffile
+++ b/openrc/libreswan/conffile
@ -0,0 +1 @@
+PLUTO_CONFFILE="/etc/redxen/libreswan/ipsec.conf"
--- a/openrc/libreswan/runfile
+++ b/openrc/libreswan/runfile
@ -0,0 +1,62 @@
+#!/sbin/openrc-run
+
+name="ipsec pluto daemon"
+extra_commands="configtest"
+extra_started_commands="reload"
+description="pluto is an IKE daemon that is used to setup IPSEC VPN connections."
+description_configtest="Run syntax tests for configuration files only."
+description_reload="reloads the configuration - does not affect existing connections"
+
+PLUTO_BINARY=${PLUTO_BINARY:-/usr/libexec/ipsec/pluto}
+PLUTO_CONFFILE=${PLUTO_CONFFILE:-/etc/ipsec.conf}
+IPSEC_BINARY=${IPSEC_BINARY:-/usr/sbin/ipsec}
+IPSEC_NSSDIR=${IPSEC_NSSDIR:-/run/pluto/nss}
+pidfile=${PLUTO_PIDFILE:-/var/run/pluto/pluto.pid}
+
+command="${PLUTO_BINARY}"
+command_args="--config ${PLUTO_CONFFILE} ${PLUTO_OPTS}"
+
+depend() {
+	need net
+	use logger dns
+	provide ipsec
+}
+
+checkconfig() {
+	checkpath --directory /run/pluto
+	checkpath --directory "${IPSEC_NSSDIR}"
+	${IPSEC_BINARY} addconn --checkconfig || return 1
+}
+
+configtest() {
+	ebegin "Checking ${SVCNAME} configuration"
+	checkconfig
+	eend $?
+}
+
+start_pre() {
+	checkconfig || return 1
+
+	${IPSEC_BINARY} --checknss --nssdir "${IPSEC_NSSDIR}"
+	${IPSEC_BINARY} --checknflog
+	${IPSEC_BINARY} _stackmanager start
+}
+
+stop_pre() {
+	if [ "${RC_CMD}" = "restart" ] ; then
+		checkconfig || return 1
+	fi
+}
+
+stop_post() {
+	${IPSEC_BINARY} _stackmanager stop
+	${IPSEC_BINARY} --stopnflog
+	eend $RETVAL
+}
+
+reload() {
+	checkconfig || return $?
+	ebegin "Reloading ${SVCNAME}"
+	${IPSEC_BINARY} auto --rereadall
+	eend $?
+}
				`@ -0,0 +1 @@`
				`PLUTO_CONFFILE="/etc/redxen/libreswan/ipsec.conf"`