diff --git a/config/libreswan/APKBUILD b/config/libreswan/APKBUILD
new file mode 100644
index 0000000..a9d902f
--- /dev/null
+++ b/config/libreswan/APKBUILD
@@ -0,0 +1,26 @@
+# Contributor: Alex Denes
+# Maintainer: Alex Denes
+
+. ../APKBUILD-config.template
+
+pkgver=2021.08.15.07
+pkgrel=0
+source="
+ ipsec.conf
+ oe-local.conf
+ rxpriv.policy
+"
+
+package() {
+ rx_install ipsec.conf
+ echo "%any %any6 : PSK \"$(cat /dev/urandom | tr -dc '[:alnum:]' | head -c 128)\"" > ipsec.secrets # Generate strong PSK for all hosts
+ rx_install ipsec.secrets
+ _rx_installdir="$_rx_installdir/ipsec.d" rx_install oe-local.conf
+ _rx_installdir="$_rx_installdir/ipsec.d/policies" rx_install rxpriv.policy rxpriv
+}
+
+sha512sums="
+564da558940148a118dfcb3a1aa28abdebad53a6bb96e3c4f9c27e1370ad7e9c0e9f9e80866aa930bc858198c70f437231fe006c8418e651519a835305a77b2d ipsec.conf
+64e11bfcfbbec0713a3996d59e6cf1bca4d88518284ba1fc98623249fab428b17fa33521dc11071bd59be190637463dea5769a6f6433bc748cba39bed3184c2c oe-local.conf
+fdafb14889aa7b149f419f7bafd30fe3da0a780a385741143ddbd3456a1365bde63d67c6b0dccfc1e44405862443c65c0077d89bfd69a1619e2d1008a72f3501 rxpriv.policy
+"
diff --git a/config/libreswan/ipsec.conf b/config/libreswan/ipsec.conf
new file mode 100644
index 0000000..315dbc6
--- /dev/null
+++ b/config/libreswan/ipsec.conf
@@ -0,0 +1,10 @@
+config setup
+ # plutodebug="control parsing"
+ # plutodebug="all crypt"
+ plutodebug=none
+ ipsecdir=/etc/redxen/libreswan/ipsec.d
+ nssdir=/run/pluto/nss
+ dumpdir=/run/pluto
+ secretsfile=/etc/redxen/libreswan/ipsec.secrets
+
+include /etc/redxen/libreswan/ipsec.d/*.conf
diff --git a/config/libreswan/ipsec.secrets b/config/libreswan/ipsec.secrets
new file mode 100644
index 0000000..8b13789
--- /dev/null
+++ b/config/libreswan/ipsec.secrets
@@ -0,0 +1 @@
+
diff --git a/config/libreswan/oe-local.conf b/config/libreswan/oe-local.conf
new file mode 100644
index 0000000..2c6c5c3
--- /dev/null
+++ b/config/libreswan/oe-local.conf
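Review bot: The PSK written by the echo in package() is generated once on the build host and shipped inside the package, so every machine that installs this apk ends up with the same `%any %any6` secret, and the redirect apparently overwrites the empty, git-tracked ipsec.secrets added in this same commit, which makes the generated secret easy to commit by accident. If one shared secret is really intended, generating it per host at install time would avoid both problems; otherwise state the trade-off next to the echo, e.g. `# NOTE: PSK is fixed at package build time and identical on every host that installs this package`. The only connection shipped here, rxpriv in oe-local.conf, uses `authby=null`, so this PSK is not consumed by it. The mode rx_install applies is not visible in this diff; the installed ipsec.secrets should be readable by root only.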
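Review bot: `nssdir=/run/pluto/nss` places the NSS database under /run, which is normally a tmpfs, so the database the runfile initialises with `--checknss` is recreated empty on every boot. That is workable for the authby=null connection shipped here, but any certificate or raw key later imported for an authenticated connection would vanish on reboot; a comment such as `# nssdir is ephemeral: fine while no certificates/keys are stored in NSS` next to the line would prevent that surprise.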
@@ -0,0 +1,13 @@
+conn rxpriv
+ type=tunnel
+ authby=null
+ negotiationshunt=hold
+ failureshunt=drop
+ ikev2=insist
+ auto=route
+ leftid=%null
+ # Send packets from eth1 local IP
+ left=%eth1
+ rightid=%null
+ # Send and receive packets from hosts in the policies dir
+ right=%opportunisticgroup
diff --git a/config/libreswan/rxpriv.policy b/config/libreswan/rxpriv.policy
new file mode 100644
index 0000000..c6b70cb
--- /dev/null
+++ b/config/libreswan/rxpriv.policy
@@ -0,0 +1,14 @@
+# One IPv4 or IPv6 CIDR per line, optionally specifying a further
+# narrowing of protocol, source port and destination port
+#
+# examples:
+# encrypt all traffic to an IPv4 or IPv6 host or subnet
+# 10.0.1.0/24
+# 10.1.1.1/32
+# 2a03:6000:1004:1::/64
+#
+# encrypt all smtp traffic to some host
+# 10.0.1.0/24 tcp 0 25
+# encrypt all incoming smtp traffic
+# 0.0.0.0/0 tcp 25 0
+10.10.0.0/16
diff --git a/openrc/libreswan/APKBUILD b/openrc/libreswan/APKBUILD
new file mode 100644
index 0000000..211eeca
--- /dev/null
+++ b/openrc/libreswan/APKBUILD
@@ -0,0 +1,12 @@
+# Contributor: Alex Denes
+# Maintainer: Alex Denes
+
+. ../APKBUILD-openrc.template
+
+pkgver=2021.08.15.04
+pkgrel=0
+
+sha512sums="
+75970126b3e41517348cb60c658a206cf986189d72a214d9edbc81c0d4601f77fe2445587f02232fa3c3133b1320b0ceef6fbc65e77c3afc06fd40985cebfdd8 runfile
+bf95fc7592b04e6bc6d2be04c9e09519cd033ff0d2f09359232ae19414ded13c096c527d0962990051e1f3535c1cad37a478a7df6471f1fd1cc201b790b0fd7c conffile
+"
diff --git a/openrc/libreswan/conffile b/openrc/libreswan/conffile
new file mode 100644
index 0000000..b3464a8
--- /dev/null
+++ b/openrc/libreswan/conffile
@@ -0,0 +1 @@
+PLUTO_CONFFILE="/etc/redxen/libreswan/ipsec.conf"
diff --git a/openrc/libreswan/runfile b/openrc/libreswan/runfile
new file mode 100644
index 0000000..3406799
--- /dev/null
+++ b/openrc/libreswan/runfile
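Review bot: `authby=null` together with `leftid=%null` and `rightid=%null` means neither peer is authenticated, so this tunnel protects the traffic selected by the policies directory against passive observation only and not against an active on-path party, and nothing in the file says so. Suggested comment above the authby line: `# Unauthenticated opportunistic encryption: resists passive sniffing only; peers are NOT verified`. The `negotiationshunt=hold` / `failureshunt=drop` pair is the right fail-closed choice for that model and deserves a one-line comment as well, since a reader might otherwise relax failureshunt to passthrough and silently lose the guarantee.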
@@ -0,0 +1,62 @@
+#!/sbin/openrc-run
+
+name="ipsec pluto daemon"
+extra_commands="configtest"
+extra_started_commands="reload"
+description="pluto is an IKE daemon that is used to setup IPSEC VPN connections."
+description_configtest="Run syntax tests for configuration files only."
+description_reload="reloads the configuration - does not affect existing connections"
+
+PLUTO_BINARY=${PLUTO_BINARY:-/usr/libexec/ipsec/pluto}
+PLUTO_CONFFILE=${PLUTO_CONFFILE:-/etc/ipsec.conf}
+IPSEC_BINARY=${IPSEC_BINARY:-/usr/sbin/ipsec}
+IPSEC_NSSDIR=${IPSEC_NSSDIR:-/run/pluto/nss}
+pidfile=${PLUTO_PIDFILE:-/var/run/pluto/pluto.pid}
+
+command="${PLUTO_BINARY}"
+command_args="--config ${PLUTO_CONFFILE} ${PLUTO_OPTS}"
+
+depend() {
+ need net
+ use logger dns
+ provide ipsec
+}
+
+checkconfig() {
+ checkpath --directory /run/pluto
+ checkpath --directory "${IPSEC_NSSDIR}"
+ ${IPSEC_BINARY} addconn --checkconfig || return 1
+}
+
+configtest() {
+ ebegin "Checking ${SVCNAME} configuration"
+ checkconfig
+ eend $?
+}
+
+start_pre() {
+ checkconfig || return 1
+
+ ${IPSEC_BINARY} --checknss --nssdir "${IPSEC_NSSDIR}"
+ ${IPSEC_BINARY} --checknflog
+ ${IPSEC_BINARY} _stackmanager start
+}
+
+stop_pre() {
+ if [ "${RC_CMD}" = "restart" ] ; then
+ checkconfig || return 1
+ fi
+}
+
+stop_post() {
+ ${IPSEC_BINARY} _stackmanager stop
+ ${IPSEC_BINARY} --stopnflog
+ eend $RETVAL
+}
+
+reload() {
+ checkconfig || return $?
+ ebegin "Reloading ${SVCNAME}"
+ ${IPSEC_BINARY} auto --rereadall
+ eend $?
+}
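Review bot: start_pre ignores the exit status of the three `${IPSEC_BINARY}` calls that follow checkconfig, so a failed NSS initialisation or stack setup still lets pluto be started and fail later with a less useful error; the lines should read `${IPSEC_BINARY} --checknss --nssdir "${IPSEC_NSSDIR}" || return 1` and `${IPSEC_BINARY} _stackmanager start || return 1`. stop_post ends with `eend $RETVAL`, but nothing in this script sets RETVAL, so the call always reports success regardless of what `_stackmanager stop` and `--stopnflog` returned; it should use the status of the preceding command or be dropped. pidfile defaults under /var/run while checkpath creates /run/pluto; on a system where /var/run is not a symlink to /run the pidfile directory will not exist, so the default should probably use /run/pluto as well.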