From 1808095bb7a6eb40475f45e35571fc1799c06e5b Mon Sep 17 00:00:00 2001
From: hwdsl2 <hwdsl2@users.noreply.github.com>
Date: Thu, 4 Feb 2021 01:47:04 -0600
Subject: [PATCH] New Libreswan version
- Use new Libreswan version 4.2
- Support updating to Libreswan 4.2 from older versions. The upgrade
scripts can now install one of these versions: 3.32, 4.1 or 4.2.
- Other small improvements
- Update tests
---
.github/workflows/main.yml | 49 ++++++++++++++++++++--
extras/ikev2setup.sh | 24 ++++++-----
extras/vpnupgrade.sh | 81 +++++++++++++++----------------------
extras/vpnupgrade_amzn.sh | 74 ++++++++++++++-------------------
extras/vpnupgrade_centos.sh | 74 ++++++++++++++-------------------
vpnsetup.sh | 18 ++++-----
vpnsetup_amzn.sh | 13 +++---
vpnsetup_centos.sh | 13 +++---
8 files changed, 175 insertions(+), 171 deletions(-)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 3d2b574..fc09a91 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -243,7 +243,7 @@ jobs:
fi
sed -i '/swan_ver_url/s/^/#/' vpnupgrade.sh
- sed -i '/^SWAN_VER=/s/4.1/3.32/' vpnupgrade.sh
+ sed -i 's/^SWAN_VER=.*/SWAN_VER=3.32/' vpnupgrade.sh
sh vpnupgrade.sh <<ANSWERS
y
ANSWERS
@@ -269,7 +269,33 @@ jobs:
pkill -HUP rsyslog
fi
- sed -i '/^SWAN_VER=/s/3.32/4.1/' vpnupgrade.sh
+ sed -i 's/^SWAN_VER=.*/SWAN_VER=4.1/' vpnupgrade.sh
+ sh vpnupgrade.sh <<ANSWERS
+ y
+ ANSWERS
+
+ if [ "$1" = "centos" ] || [ "$1" = "amazon" ]; then
+ systemctl restart ipsec
+ sleep 10
+ grep pluto /var/log/secure
+ else
+ sleep 10
+ grep pluto /var/log/auth.log
+ fi
+ ipsec status
+ ipsec status | grep -q l2tp-psk
+ ipsec status | grep -q xauth-psk
+ ipsec status | grep -q ikev2-cp
+
+ if [ "$1" = "centos" ] || [ "$1" = "amazon" ]; then
+ sed -i '/pluto/d' /var/log/secure
+ pkill -HUP rsyslog
+ else
+ sed -i '/pluto/d' /var/log/auth.log
+ pkill -HUP rsyslog
+ fi
+
+ sed -i 's/^SWAN_VER=.*/SWAN_VER=4.2/' vpnupgrade.sh
sh vpnupgrade.sh <<ANSWERS
y
ANSWERS
@@ -503,7 +529,7 @@ jobs:
wget -t 3 -T 30 -nv -O vpnupgrade.sh https://git.io/vpnupgrade
sed -i '/swan_ver_url/s/^/#/' vpnupgrade.sh
- sed -i '/^SWAN_VER=/s/4.1/3.32/' vpnupgrade.sh
+ sed -i 's/^SWAN_VER=.*/SWAN_VER=3.32/' vpnupgrade.sh
sh vpnupgrade.sh <<ANSWERS
y
ANSWERS
@@ -518,7 +544,22 @@ jobs:
sed -i '/pluto/d' /var/log/auth.log
pkill -HUP rsyslog
- sed -i '/^SWAN_VER=/s/3.32/4.1/' vpnupgrade.sh
+ sed -i 's/^SWAN_VER=.*/SWAN_VER=4.1/' vpnupgrade.sh
+ sh vpnupgrade.sh <<ANSWERS
+ y
+ ANSWERS
+
+ sleep 10
+ grep pluto /var/log/auth.log
+ ipsec status
+ ipsec status | grep -q l2tp-psk
+ ipsec status | grep -q xauth-psk
+ ipsec status | grep -q ikev2-cp
+
+ sed -i '/pluto/d' /var/log/auth.log
+ pkill -HUP rsyslog
+
+ sed -i 's/^SWAN_VER=.*/SWAN_VER=4.2/' vpnupgrade.sh
sh vpnupgrade.sh <<ANSWERS
y
ANSWERS
diff --git a/extras/ikev2setup.sh b/extras/ikev2setup.sh
index 41e8746..cd3690b 100644
--- a/extras/ikev2setup.sh
+++ b/extras/ikev2setup.sh
@@ -218,21 +218,22 @@ check_swan_ver() {
select_swan_update() {
if printf '%s' "$swan_ver_latest" | grep -Eq '^([3-9]|[1-9][0-9])\.([0-9]|[1-9][0-9])$' \
- && [ "$swan_ver" != "$swan_ver_latest" ]; then
+ && [ "$swan_ver" != "$swan_ver_latest" ] \
+ && printf '%s\n%s' "$swan_ver" "$swan_ver_latest" | sort -C -V; then
echo "Note: A newer version of Libreswan ($swan_ver_latest) is available."
- echo "It is recommended to update Libreswan before setting up IKEv2."
+ echo " It is recommended to update Libreswan before setting up IKEv2."
if [ "$in_container" = "0" ]; then
- echo "To update, exit this script and run:"
+ echo " To update, exit this script and run:"
update_url=vpnupgrade
if [ "$os_type" = "centos" ] || [ "$os_type" = "rhel" ]; then
update_url=vpnupgrade-centos
elif [ "$os_type" = "amzn" ]; then
update_url=vpnupgrade-amzn
fi
- echo " wget https://git.io/$update_url -O vpnupgrade.sh"
- echo " sudo sh vpnupgrade.sh"
+ echo " wget https://git.io/$update_url -O vpnupgrade.sh"
+ echo " sudo sh vpnupgrade.sh"
else
- echo "To update this Docker image, see: https://git.io/updatedockervpn"
+ echo " To update this Docker image, see: https://git.io/updatedockervpn"
fi
echo
printf "Do you want to continue anyway? [y/N] "
@@ -1038,21 +1039,22 @@ EOF
show_swan_update_info() {
if printf '%s' "$swan_ver_latest" | grep -Eq '^([3-9]|[1-9][0-9])\.([0-9]|[1-9][0-9])$' \
- && [ "$swan_ver" != "$swan_ver_latest" ]; then
+ && [ "$swan_ver" != "$swan_ver_latest" ] \
+ && printf '%s\n%s' "$swan_ver" "$swan_ver_latest" | sort -C -V; then
echo
echo "Note: A newer version of Libreswan ($swan_ver_latest) is available."
if [ "$in_container" = "0" ]; then
- echo "To update to the new version, run:"
+ echo " To update, run:"
update_url=vpnupgrade
if [ "$os_type" = "centos" ] || [ "$os_type" = "rhel" ]; then
update_url=vpnupgrade-centos
elif [ "$os_type" = "amzn" ]; then
update_url=vpnupgrade-amzn
fi
- echo " wget https://git.io/$update_url -O vpnupgrade.sh"
- echo " sudo sh vpnupgrade.sh"
+ echo " wget https://git.io/$update_url -O vpnupgrade.sh"
+ echo " sudo sh vpnupgrade.sh"
else
- echo "To update this Docker image, see: https://git.io/updatedockervpn"
+ echo " To update this Docker image, see: https://git.io/updatedockervpn"
fi
fi
}
diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh
index 8262545..72e93c4 100644
--- a/extras/vpnupgrade.sh
+++ b/extras/vpnupgrade.sh
@@ -14,7 +14,7 @@
# know how you have improved it!
# Specify which Libreswan version to install. See: https://libreswan.org
-SWAN_VER=4.1
+SWAN_VER=4.2
### DO NOT edit below this line ###
@@ -59,14 +59,14 @@ if [ "$(id -u)" != 0 ]; then
fi
case $SWAN_VER in
- 3.2[679]|3.3[12]|4.1)
+ 3.32|4.[12])
/bin/true
;;
*)
cat 1>&2 <<EOF
Error: Libreswan version '$SWAN_VER' is not supported.
- This script can install one of the following versions:
- 3.26-3.27, 3.29, 3.31-3.32 or 4.1
+ This script can install one of these versions:
+ 3.32, 4.1 or 4.2
EOF
exit 1
;;
@@ -78,20 +78,21 @@ swan_ver_old=$(printf '%s' "$ipsec_ver_short" | sed -e 's/Libreswan //')
if ! printf '%s' "$ipsec_ver" | grep -q "Libreswan"; then
cat 1>&2 <<'EOF'
Error: This script requires Libreswan already installed.
- See: https://github.com/hwdsl2/setup-ipsec-vpn
+ See: https://github.com/hwdsl2/setup-ipsec-vpn
EOF
exit 1
fi
-swan_ver_cur=4.1
+swan_ver_cur=4.2
swan_ver_url="https://dl.ls20.com/v1/$os_type/$os_ver/swanverupg?arch=$os_arch&ver1=$swan_ver_old&ver2=$SWAN_VER"
swan_ver_latest=$(wget -t 3 -T 15 -qO- "$swan_ver_url")
if printf '%s' "$swan_ver_latest" | grep -Eq '^([3-9]|[1-9][0-9])\.([0-9]|[1-9][0-9])$' \
- && [ "$swan_ver_cur" != "$swan_ver_latest" ]; then
+ && [ "$swan_ver_cur" != "$swan_ver_latest" ] \
+ && printf '%s\n%s' "$swan_ver_cur" "$swan_ver_latest" | sort -C -V; then
echo "Note: A newer version of Libreswan ($swan_ver_latest) is available."
- echo "To update to the new version, exit the script and run:"
- echo " wget https://git.io/vpnupgrade -O vpnupgrade.sh"
- echo " sudo sh vpnupgrade.sh"
+ echo " To update to the new version, exit this script and run:"
+ echo " wget https://git.io/vpnupgrade -O vpnupgrade.sh"
+ echo " sudo sh vpnupgrade.sh"
echo
printf "Do you want to continue anyway? [y/N] "
read -r response
@@ -137,19 +138,19 @@ Version to install: Libreswan $SWAN_VER
EOF
cat <<'EOF'
-NOTE: This script will make the following changes to your VPN configuration:
- - Fix obsolete ipsec.conf and/or ikev2.conf options
- - Optimize VPN ciphers
+Note: This script will make the following changes to your VPN configuration:
+ - Fix obsolete ipsec.conf and/or ikev2.conf options
+ - Optimize VPN ciphers
- Your other VPN config files will not be modified.
+ Your other VPN config files will not be modified.
EOF
-if [ "$SWAN_VER" != "4.1" ]; then
+if [ "$SWAN_VER" != "4.2" ]; then
cat <<'EOF'
WARNING: Older versions of Libreswan could contain known security vulnerabilities.
- See https://libreswan.org/security/ for more information.
- Are you sure you want to install an older version?
+ See https://libreswan.org/security/ for more information.
+ Are you sure you want to install an older version?
EOF
fi
@@ -179,7 +180,7 @@ apt-get -yq update || exiterr "'apt-get update' failed."
# Install necessary packages
apt-get -yq install libnss3-dev libnspr4-dev pkg-config \
libpam0g-dev libcap-ng-dev libcap-ng-utils libselinux1-dev \
- libcurl4-nss-dev libnss3-tools libevent-dev \
+ libcurl4-nss-dev libnss3-tools libevent-dev libsystemd-dev \
flex bison gcc make wget sed || exiterr2
# Compile and install Libreswan
@@ -192,19 +193,12 @@ fi
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
tar xzf "$swan_file" && /bin/rm -f "$swan_file"
cd "libreswan-$SWAN_VER" || exit 1
-[ "$SWAN_VER" = "3.26" ] && sed -i 's/-lfreebl //' mk/config.mk
-[ "$SWAN_VER" = "3.26" ] && sed -i '/blapi\.h/d' programs/pluto/keys.c
-if [ "$SWAN_VER" = "3.31" ]; then
- sed -i '916iif (!st->st_seen_fragvid) { return FALSE; }' programs/pluto/ikev2.c
- sed -i '1033s/if (/if (LIN(POLICY_IKE_FRAG_ALLOW, sk->ike->sa.st_connection->policy) \&\& sk->ike->sa.st_seen_fragvid \&\& /' \
- programs/pluto/ikev2_message.c
-fi
[ "$SWAN_VER" = "4.1" ] && sed -i 's/ sysv )/ sysvinit )/' programs/setup/setup.in
cat > Makefile.inc.local <<'EOF'
WERROR_CFLAGS=-w
USE_DNSSEC=false
EOF
-if [ "$SWAN_VER" != "4.1" ] || ! grep -qs 'VERSION_CODENAME=' /etc/os-release; then
+if [ "$SWAN_VER" = "3.32" ] || ! grep -qs 'VERSION_CODENAME=' /etc/os-release; then
cat >> Makefile.inc.local <<'EOF'
USE_DH31=false
USE_NSS_AVA_COPY=true
@@ -212,19 +206,14 @@ USE_NSS_IPSEC_PROFILE=false
USE_GLIBC_KERN_FLIP_HEADERS=true
EOF
fi
-if [ "$SWAN_VER" = "3.31" ] || [ "$SWAN_VER" = "3.32" ] || [ "$SWAN_VER" = "4.1" ]; then
- echo "USE_DH2=true" >> Makefile.inc.local
- if ! grep -qs IFLA_XFRM_LINK /usr/include/linux/if_link.h; then
- echo "USE_XFRM_INTERFACE_IFLA_HEADER=true" >> Makefile.inc.local
- fi
+echo "USE_DH2=true" >> Makefile.inc.local
+if ! grep -qs IFLA_XFRM_LINK /usr/include/linux/if_link.h; then
+ echo "USE_XFRM_INTERFACE_IFLA_HEADER=true" >> Makefile.inc.local
fi
-if [ "$SWAN_VER" = "4.1" ]; then
+if [ "$SWAN_VER" != "3.32" ]; then
echo "USE_NSS_KDF=false" >> Makefile.inc.local
echo "FINALNSSDIR=/etc/ipsec.d" >> Makefile.inc.local
fi
-if [ "$(packaging/utils/lswan_detect.sh init)" = "systemd" ]; then
- apt-get -yq install libsystemd-dev || exiterr2
-fi
NPROCS=$(grep -c ^processor /proc/cpuinfo)
[ -z "$NPROCS" ] && NPROCS=1
make "-j$((NPROCS+1))" -s base && make -s install-base
@@ -269,12 +258,8 @@ elif [ "$dns_state" = "2" ]; then
sed -i "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=$DNS_SRV1/" /etc/ipsec.conf
fi
-case $SWAN_VER in
- 3.29|3.3[12]|4.1)
- sed -i "/ikev2=never/d" /etc/ipsec.conf
- sed -i "/conn shared/a \ ikev2=never" /etc/ipsec.conf
- ;;
-esac
+sed -i "/ikev2=never/d" /etc/ipsec.conf
+sed -i "/conn shared/a \ ikev2=never" /etc/ipsec.conf
if grep -qs ike-frag /etc/ipsec.d/ikev2.conf; then
sed -i 's/^[[:space:]]\+ike-frag=/ fragmentation=/' /etc/ipsec.d/ikev2.conf
@@ -297,15 +282,15 @@ EOF
if [ "$dns_state" = "3" ]; then
cat <<'EOF'
-IMPORTANT: Users upgrading to Libreswan 3.23 or newer must edit /etc/ipsec.conf
- and replace all occurrences of these two lines:
- modecfgdns1=DNS_SERVER_1
- modecfgdns2=DNS_SERVER_2
+IMPORTANT: You must edit /etc/ipsec.conf and replace
+ all occurrences of these two lines:
+ modecfgdns1=DNS_SERVER_1
+ modecfgdns2=DNS_SERVER_2
- with a single line like this:
- modecfgdns="DNS_SERVER_1 DNS_SERVER_2"
+ with a single line like this:
+ modecfgdns="DNS_SERVER_1 DNS_SERVER_2"
- Then run "sudo service ipsec restart".
+ Then run "sudo service ipsec restart".
EOF
fi
diff --git a/extras/vpnupgrade_amzn.sh b/extras/vpnupgrade_amzn.sh
index 61000f7..ffe448c 100644
--- a/extras/vpnupgrade_amzn.sh
+++ b/extras/vpnupgrade_amzn.sh
@@ -14,7 +14,7 @@
# know how you have improved it!
# Specify which Libreswan version to install. See: https://libreswan.org
-SWAN_VER=4.1
+SWAN_VER=4.2
### DO NOT edit below this line ###
@@ -38,14 +38,14 @@ if [ "$(id -u)" != 0 ]; then
fi
case $SWAN_VER in
- 3.2[679]|3.3[12]|4.1)
+ 3.32|4.[12])
/bin/true
;;
*)
cat 1>&2 <<EOF
Error: Libreswan version '$SWAN_VER' is not supported.
- This script can install one of the following versions:
- 3.26-3.27, 3.29, 3.31-3.32 or 4.1
+ This script can install one of these versions:
+ 3.32, 4.1 or 4.2
EOF
exit 1
;;
@@ -57,20 +57,21 @@ swan_ver_old=$(printf '%s' "$ipsec_ver_short" | sed -e 's/Libreswan //')
if ! printf '%s' "$ipsec_ver" | grep -q "Libreswan"; then
cat 1>&2 <<'EOF'
Error: This script requires Libreswan already installed.
- See: https://github.com/hwdsl2/setup-ipsec-vpn
+ See: https://github.com/hwdsl2/setup-ipsec-vpn
EOF
exit 1
fi
-swan_ver_cur=4.1
+swan_ver_cur=4.2
swan_ver_url="https://dl.ls20.com/v1/amzn/2/swanverupg?arch=$os_arch&ver1=$swan_ver_old&ver2=$SWAN_VER"
swan_ver_latest=$(wget -t 3 -T 15 -qO- "$swan_ver_url")
if printf '%s' "$swan_ver_latest" | grep -Eq '^([3-9]|[1-9][0-9])\.([0-9]|[1-9][0-9])$' \
- && [ "$swan_ver_cur" != "$swan_ver_latest" ]; then
+ && [ "$swan_ver_cur" != "$swan_ver_latest" ] \
+ && printf '%s\n%s' "$swan_ver_cur" "$swan_ver_latest" | sort -C -V; then
echo "Note: A newer version of Libreswan ($swan_ver_latest) is available."
- echo "To update to the new version, exit the script and run:"
- echo " wget https://git.io/vpnupgrade-amzn -O vpnupgrade.sh"
- echo " sudo sh vpnupgrade.sh"
+ echo " To update to the new version, exit this script and run:"
+ echo " wget https://git.io/vpnupgrade-amzn -O vpnupgrade.sh"
+ echo " sudo sh vpnupgrade.sh"
echo
printf "Do you want to continue anyway? [y/N] "
read -r response
@@ -116,19 +117,19 @@ Version to install: Libreswan $SWAN_VER
EOF
cat <<'EOF'
-NOTE: This script will make the following changes to your VPN configuration:
- - Fix obsolete ipsec.conf and/or ikev2.conf options
- - Optimize VPN ciphers
+Note: This script will make the following changes to your VPN configuration:
+ - Fix obsolete ipsec.conf and/or ikev2.conf options
+ - Optimize VPN ciphers
- Your other VPN config files will not be modified.
+ Your other VPN config files will not be modified.
EOF
-if [ "$SWAN_VER" != "4.1" ]; then
+if [ "$SWAN_VER" != "4.2" ]; then
cat <<'EOF'
WARNING: Older versions of Libreswan could contain known security vulnerabilities.
- See https://libreswan.org/security/ for more information.
- Are you sure you want to install an older version?
+ See https://libreswan.org/security/ for more information.
+ Are you sure you want to install an older version?
EOF
fi
@@ -170,25 +171,16 @@ fi
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
tar xzf "$swan_file" && /bin/rm -f "$swan_file"
cd "libreswan-$SWAN_VER" || exit 1
-[ "$SWAN_VER" = "3.26" ] && sed -i 's/-lfreebl //' mk/config.mk
-[ "$SWAN_VER" = "3.26" ] && sed -i '/blapi\.h/d' programs/pluto/keys.c
-if [ "$SWAN_VER" = "3.31" ]; then
- sed -i '916iif (!st->st_seen_fragvid) { return FALSE; }' programs/pluto/ikev2.c
- sed -i '1033s/if (/if (LIN(POLICY_IKE_FRAG_ALLOW, sk->ike->sa.st_connection->policy) \&\& sk->ike->sa.st_seen_fragvid \&\& /' \
- programs/pluto/ikev2_message.c
-fi
[ "$SWAN_VER" = "4.1" ] && sed -i 's/ sysv )/ sysvinit )/' programs/setup/setup.in
cat > Makefile.inc.local <<'EOF'
WERROR_CFLAGS=-w
USE_DNSSEC=false
EOF
-if [ "$SWAN_VER" = "3.31" ] || [ "$SWAN_VER" = "3.32" ] || [ "$SWAN_VER" = "4.1" ]; then
- echo "USE_DH2=true" >> Makefile.inc.local
- if ! grep -qs IFLA_XFRM_LINK /usr/include/linux/if_link.h; then
- echo "USE_XFRM_INTERFACE_IFLA_HEADER=true" >> Makefile.inc.local
- fi
+echo "USE_DH2=true" >> Makefile.inc.local
+if ! grep -qs IFLA_XFRM_LINK /usr/include/linux/if_link.h; then
+ echo "USE_XFRM_INTERFACE_IFLA_HEADER=true" >> Makefile.inc.local
fi
-if [ "$SWAN_VER" = "4.1" ]; then
+if [ "$SWAN_VER" != "3.32" ]; then
echo "USE_NSS_KDF=false" >> Makefile.inc.local
echo "FINALNSSDIR=/etc/ipsec.d" >> Makefile.inc.local
fi
@@ -235,12 +227,8 @@ elif [ "$dns_state" = "2" ]; then
sed -i "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=$DNS_SRV1/" /etc/ipsec.conf
fi
-case $SWAN_VER in
- 3.29|3.3[12]|4.1)
- sed -i "/ikev2=never/d" /etc/ipsec.conf
- sed -i "/conn shared/a \ ikev2=never" /etc/ipsec.conf
- ;;
-esac
+sed -i "/ikev2=never/d" /etc/ipsec.conf
+sed -i "/conn shared/a \ ikev2=never" /etc/ipsec.conf
if grep -qs ike-frag /etc/ipsec.d/ikev2.conf; then
sed -i 's/^[[:space:]]\+ike-frag=/ fragmentation=/' /etc/ipsec.d/ikev2.conf
@@ -263,15 +251,15 @@ EOF
if [ "$dns_state" = "3" ]; then
cat <<'EOF'
-IMPORTANT: Users upgrading to Libreswan 3.23 or newer must edit /etc/ipsec.conf
- and replace all occurrences of these two lines:
- modecfgdns1=DNS_SERVER_1
- modecfgdns2=DNS_SERVER_2
+IMPORTANT: You must edit /etc/ipsec.conf and replace
+ all occurrences of these two lines:
+ modecfgdns1=DNS_SERVER_1
+ modecfgdns2=DNS_SERVER_2
- with a single line like this:
- modecfgdns="DNS_SERVER_1 DNS_SERVER_2"
+ with a single line like this:
+ modecfgdns="DNS_SERVER_1 DNS_SERVER_2"
- Then run "sudo service ipsec restart".
+ Then run "sudo service ipsec restart".
EOF
fi
diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh
index 49d4139..7d791f6 100644
--- a/extras/vpnupgrade_centos.sh
+++ b/extras/vpnupgrade_centos.sh
@@ -14,7 +14,7 @@
# know how you have improved it!
# Specify which Libreswan version to install. See: https://libreswan.org
-SWAN_VER=4.1
+SWAN_VER=4.2
### DO NOT edit below this line ###
@@ -50,14 +50,14 @@ if [ "$(id -u)" != 0 ]; then
fi
case $SWAN_VER in
- 3.2[679]|3.3[12]|4.1)
+ 3.32|4.[12])
/bin/true
;;
*)
cat 1>&2 <<EOF
Error: Libreswan version '$SWAN_VER' is not supported.
- This script can install one of the following versions:
- 3.26-3.27, 3.29, 3.31-3.32 or 4.1
+ This script can install one of these versions:
+ 3.32, 4.1 or 4.2
EOF
exit 1
;;
@@ -69,20 +69,21 @@ swan_ver_old=$(printf '%s' "$ipsec_ver_short" | sed -e 's/Libreswan //')
if ! printf '%s' "$ipsec_ver" | grep -q "Libreswan"; then
cat 1>&2 <<'EOF'
Error: This script requires Libreswan already installed.
- See: https://github.com/hwdsl2/setup-ipsec-vpn
+ See: https://github.com/hwdsl2/setup-ipsec-vpn
EOF
exit 1
fi
-swan_ver_cur=4.1
+swan_ver_cur=4.2
swan_ver_url="https://dl.ls20.com/v1/$os_type/$os_ver/swanverupg?arch=$os_arch&ver1=$swan_ver_old&ver2=$SWAN_VER"
swan_ver_latest=$(wget -t 3 -T 15 -qO- "$swan_ver_url")
if printf '%s' "$swan_ver_latest" | grep -Eq '^([3-9]|[1-9][0-9])\.([0-9]|[1-9][0-9])$' \
- && [ "$swan_ver_cur" != "$swan_ver_latest" ]; then
+ && [ "$swan_ver_cur" != "$swan_ver_latest" ] \
+ && printf '%s\n%s' "$swan_ver_cur" "$swan_ver_latest" | sort -C -V; then
echo "Note: A newer version of Libreswan ($swan_ver_latest) is available."
- echo "To update to the new version, exit the script and run:"
- echo " wget https://git.io/vpnupgrade-centos -O vpnupgrade.sh"
- echo " sudo sh vpnupgrade.sh"
+ echo " To update to the new version, exit this script and run:"
+ echo " wget https://git.io/vpnupgrade-centos -O vpnupgrade.sh"
+ echo " sudo sh vpnupgrade.sh"
echo
printf "Do you want to continue anyway? [y/N] "
read -r response
@@ -128,19 +129,19 @@ Version to install: Libreswan $SWAN_VER
EOF
cat <<'EOF'
-NOTE: This script will make the following changes to your VPN configuration:
- - Fix obsolete ipsec.conf and/or ikev2.conf options
- - Optimize VPN ciphers
+Note: This script will make the following changes to your VPN configuration:
+ - Fix obsolete ipsec.conf and/or ikev2.conf options
+ - Optimize VPN ciphers
- Your other VPN config files will not be modified.
+ Your other VPN config files will not be modified.
EOF
-if [ "$SWAN_VER" != "4.1" ]; then
+if [ "$SWAN_VER" != "4.2" ]; then
cat <<'EOF'
WARNING: Older versions of Libreswan could contain known security vulnerabilities.
- See https://libreswan.org/security/ for more information.
- Are you sure you want to install an older version?
+ See https://libreswan.org/security/ for more information.
+ Are you sure you want to install an older version?
EOF
fi
@@ -194,25 +195,16 @@ fi
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
tar xzf "$swan_file" && /bin/rm -f "$swan_file"
cd "libreswan-$SWAN_VER" || exit 1
-[ "$SWAN_VER" = "3.26" ] && sed -i 's/-lfreebl //' mk/config.mk
-[ "$SWAN_VER" = "3.26" ] && sed -i '/blapi\.h/d' programs/pluto/keys.c
-if [ "$SWAN_VER" = "3.31" ]; then
- sed -i '916iif (!st->st_seen_fragvid) { return FALSE; }' programs/pluto/ikev2.c
- sed -i '1033s/if (/if (LIN(POLICY_IKE_FRAG_ALLOW, sk->ike->sa.st_connection->policy) \&\& sk->ike->sa.st_seen_fragvid \&\& /' \
- programs/pluto/ikev2_message.c
-fi
[ "$SWAN_VER" = "4.1" ] && sed -i 's/ sysv )/ sysvinit )/' programs/setup/setup.in
cat > Makefile.inc.local <<'EOF'
WERROR_CFLAGS=-w
USE_DNSSEC=false
EOF
-if [ "$SWAN_VER" = "3.31" ] || [ "$SWAN_VER" = "3.32" ] || [ "$SWAN_VER" = "4.1" ]; then
- echo "USE_DH2=true" >> Makefile.inc.local
- if ! grep -qs IFLA_XFRM_LINK /usr/include/linux/if_link.h; then
- echo "USE_XFRM_INTERFACE_IFLA_HEADER=true" >> Makefile.inc.local
- fi
+echo "USE_DH2=true" >> Makefile.inc.local
+if ! grep -qs IFLA_XFRM_LINK /usr/include/linux/if_link.h; then
+ echo "USE_XFRM_INTERFACE_IFLA_HEADER=true" >> Makefile.inc.local
fi
-if [ "$SWAN_VER" = "4.1" ]; then
+if [ "$SWAN_VER" != "3.32" ]; then
echo "USE_NSS_KDF=false" >> Makefile.inc.local
echo "FINALNSSDIR=/etc/ipsec.d" >> Makefile.inc.local
fi
@@ -259,12 +251,8 @@ elif [ "$dns_state" = "2" ]; then
sed -i "s/^[[:space:]]\+modecfgdns1=.\+/ modecfgdns=$DNS_SRV1/" /etc/ipsec.conf
fi
-case $SWAN_VER in
- 3.29|3.3[12]|4.1)
- sed -i "/ikev2=never/d" /etc/ipsec.conf
- sed -i "/conn shared/a \ ikev2=never" /etc/ipsec.conf
- ;;
-esac
+sed -i "/ikev2=never/d" /etc/ipsec.conf
+sed -i "/conn shared/a \ ikev2=never" /etc/ipsec.conf
if grep -qs ike-frag /etc/ipsec.d/ikev2.conf; then
sed -i 's/^[[:space:]]\+ike-frag=/ fragmentation=/' /etc/ipsec.d/ikev2.conf
@@ -287,15 +275,15 @@ EOF
if [ "$dns_state" = "3" ]; then
cat <<'EOF'
-IMPORTANT: Users upgrading to Libreswan 3.23 or newer must edit /etc/ipsec.conf
- and replace all occurrences of these two lines:
- modecfgdns1=DNS_SERVER_1
- modecfgdns2=DNS_SERVER_2
+IMPORTANT: You must edit /etc/ipsec.conf and replace
+ all occurrences of these two lines:
+ modecfgdns1=DNS_SERVER_1
+ modecfgdns2=DNS_SERVER_2
- with a single line like this:
- modecfgdns="DNS_SERVER_1 DNS_SERVER_2"
+ with a single line like this:
+ modecfgdns="DNS_SERVER_1 DNS_SERVER_2"
- Then run "sudo service ipsec restart".
+ Then run "sudo service ipsec restart".
EOF
fi
diff --git a/vpnsetup.sh b/vpnsetup.sh
index 25cc048..66ad956 100755
--- a/vpnsetup.sh
+++ b/vpnsetup.sh
@@ -187,7 +187,7 @@ bigecho "Installing packages required for the VPN..."
apt-get -yq install libnss3-dev libnspr4-dev pkg-config \
libpam0g-dev libcap-ng-dev libcap-ng-utils libselinux1-dev \
libcurl4-nss-dev flex bison gcc make libnss3-tools \
- libevent-dev ppp xl2tpd || exiterr2
+ libevent-dev libsystemd-dev ppp xl2tpd || exiterr2
bigecho "Installing Fail2Ban to protect SSH..."
@@ -195,7 +195,7 @@ apt-get -yq install fail2ban || exiterr2
bigecho "Compiling and installing Libreswan..."
-SWAN_VER=4.1
+SWAN_VER=4.2
swan_file="libreswan-$SWAN_VER.tar.gz"
swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz"
swan_url2="https://download.libreswan.org/$swan_file"
@@ -205,7 +205,6 @@ fi
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
tar xzf "$swan_file" && /bin/rm -f "$swan_file"
cd "libreswan-$SWAN_VER" || exit 1
-sed -i 's/ sysv )/ sysvinit )/' programs/setup/setup.in
cat > Makefile.inc.local <<'EOF'
WERROR_CFLAGS=-w
USE_DNSSEC=false
@@ -224,9 +223,6 @@ fi
if ! grep -qs IFLA_XFRM_LINK /usr/include/linux/if_link.h; then
echo "USE_XFRM_INTERFACE_IFLA_HEADER=true" >> Makefile.inc.local
fi
-if [ "$(packaging/utils/lswan_detect.sh init)" = "systemd" ]; then
- apt-get -yq install libsystemd-dev || exiterr2
-fi
NPROCS=$(grep -c ^processor /proc/cpuinfo)
[ -z "$NPROCS" ] && NPROCS=1
make "-j$((NPROCS+1))" -s base && make -s install-base
@@ -514,12 +510,14 @@ service xl2tpd restart 2>/dev/null
swan_ver_url="https://dl.ls20.com/v1/$os_type/$os_ver/swanver?arch=$os_arch&ver=$SWAN_VER"
swan_ver_latest=$(wget -t 3 -T 15 -qO- "$swan_ver_url")
if printf '%s' "$swan_ver_latest" | grep -Eq '^([3-9]|[1-9][0-9])\.([0-9]|[1-9][0-9])$' \
- && [ "$SWAN_VER" != "$swan_ver_latest" ]; then
+ && [ "$SWAN_VER" != "$swan_ver_latest" ] \
+ && printf '%s\n%s' "$SWAN_VER" "$swan_ver_latest" | sort -C -V; then
cat <<EOF
-Note: A newer version of Libreswan ($swan_ver_latest) is available. To update, run:
- wget https://git.io/vpnupgrade -O vpnupgrade.sh
- sudo sh vpnupgrade.sh
+Note: A newer version of Libreswan ($swan_ver_latest) is available.
+ To update, run:
+ wget https://git.io/vpnupgrade -O vpnupgrade.sh
+ sudo sh vpnupgrade.sh
EOF
fi
diff --git a/vpnsetup_amzn.sh b/vpnsetup_amzn.sh
index d3c336d..1bbac8a 100644
--- a/vpnsetup_amzn.sh
+++ b/vpnsetup_amzn.sh
@@ -156,7 +156,7 @@ yum "$REPO1" -y install fail2ban || exiterr2
bigecho "Compiling and installing Libreswan..."
-SWAN_VER=4.1
+SWAN_VER=4.2
swan_file="libreswan-$SWAN_VER.tar.gz"
swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz"
swan_url2="https://download.libreswan.org/$swan_file"
@@ -166,7 +166,6 @@ fi
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
tar xzf "$swan_file" && /bin/rm -f "$swan_file"
cd "libreswan-$SWAN_VER" || exit 1
-sed -i 's/ sysv )/ sysvinit )/' programs/setup/setup.in
cat > Makefile.inc.local <<'EOF'
WERROR_CFLAGS=-w
USE_DNSSEC=false
@@ -432,12 +431,14 @@ service xl2tpd restart 2>/dev/null
swan_ver_url="https://dl.ls20.com/v1/amzn/2/swanver?arch=$os_arch&ver=$SWAN_VER"
swan_ver_latest=$(wget -t 3 -T 15 -qO- "$swan_ver_url")
if printf '%s' "$swan_ver_latest" | grep -Eq '^([3-9]|[1-9][0-9])\.([0-9]|[1-9][0-9])$' \
- && [ "$SWAN_VER" != "$swan_ver_latest" ]; then
+ && [ "$SWAN_VER" != "$swan_ver_latest" ] \
+ && printf '%s\n%s' "$SWAN_VER" "$swan_ver_latest" | sort -C -V; then
cat <<EOF
-Note: A newer version of Libreswan ($swan_ver_latest) is available. To update, run:
- wget https://git.io/vpnupgrade-amzn -O vpnupgrade.sh
- sudo sh vpnupgrade.sh
+Note: A newer version of Libreswan ($swan_ver_latest) is available.
+ To update, run:
+ wget https://git.io/vpnupgrade-amzn -O vpnupgrade.sh
+ sudo sh vpnupgrade.sh
EOF
fi
diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh
index 01ef177..cd2045f 100755
--- a/vpnsetup_centos.sh
+++ b/vpnsetup_centos.sh
@@ -187,7 +187,7 @@ yum "$REPO1" -y install fail2ban || exiterr2
bigecho "Compiling and installing Libreswan..."
-SWAN_VER=4.1
+SWAN_VER=4.2
swan_file="libreswan-$SWAN_VER.tar.gz"
swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz"
swan_url2="https://download.libreswan.org/$swan_file"
@@ -197,7 +197,6 @@ fi
/bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
tar xzf "$swan_file" && /bin/rm -f "$swan_file"
cd "libreswan-$SWAN_VER" || exit 1
-sed -i 's/ sysv )/ sysvinit )/' programs/setup/setup.in
cat > Makefile.inc.local <<'EOF'
WERROR_CFLAGS=-w
USE_DNSSEC=false
@@ -500,12 +499,14 @@ service xl2tpd restart 2>/dev/null
swan_ver_url="https://dl.ls20.com/v1/$os_type/$os_ver/swanver?arch=$os_arch&ver=$SWAN_VER"
swan_ver_latest=$(wget -t 3 -T 15 -qO- "$swan_ver_url")
if printf '%s' "$swan_ver_latest" | grep -Eq '^([3-9]|[1-9][0-9])\.([0-9]|[1-9][0-9])$' \
- && [ "$SWAN_VER" != "$swan_ver_latest" ]; then
+ && [ "$SWAN_VER" != "$swan_ver_latest" ] \
+ && printf '%s\n%s' "$SWAN_VER" "$swan_ver_latest" | sort -C -V; then
cat <<EOF
-Note: A newer version of Libreswan ($swan_ver_latest) is available. To update, run:
- wget https://git.io/vpnupgrade-centos -O vpnupgrade.sh
- sudo sh vpnupgrade.sh
+Note: A newer version of Libreswan ($swan_ver_latest) is available.
+ To update, run:
+ wget https://git.io/vpnupgrade-centos -O vpnupgrade.sh
+ sudo sh vpnupgrade.sh
EOF
fi