From 2dbdee12877f26645c5cf56db8f1bfa20f30bada Mon Sep 17 00:00:00 2001
From: hwdsl2 <hwdsl2@users.noreply.github.com>
Date: Mon, 16 Jan 2017 12:30:37 -0600
Subject: [PATCH] Upgrade to Libreswan 3.19

- Upgrade to new Libreswan version 3.19
- Some changes are required in the VPN config files
- Ref:
  https://lists.libreswan.org/pipermail/swan-announce/2017/000023.html
---
 extras/vpnupgrade.sh        | 26 ++++++++++++++++++++++++--
 extras/vpnupgrade_centos.sh | 26 ++++++++++++++++++++++++--
 vpnsetup.sh                 |  7 +++----
 vpnsetup_centos.sh          |  7 +++----
 4 files changed, 54 insertions(+), 12 deletions(-)

diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh
index 737e409..3387012 100644
--- a/extras/vpnupgrade.sh
+++ b/extras/vpnupgrade.sh
@@ -11,7 +11,7 @@
 # know how you have improved it!
 
 # Check https://libreswan.org for the latest version
-swan_ver=3.18
+swan_ver=3.19
 
 ### DO NOT edit below this line ###
 
@@ -68,7 +68,26 @@ Welcome! This script will build and install Libreswan $swan_ver on your server.
 Additional packages required for Libreswan compilation will also be installed.
 
 This is intended for use on servers running an older version of Libreswan.
-Your existing VPN configuration files will NOT be modified.
+
+EOF
+
+cat <<'EOF'
+!!! IMPORTANT NOTE !!!
+
+The new Libreswan version 3.19 requires some configuration changes.
+This script will make the following changes to your /etc/ipsec.conf:
+
+Replace this line:
+  auth=esp
+with the following:
+  phase2=esp
+
+Replace this line:
+  forceencaps=yes
+with the following:
+  encapsulation=yes
+
+Your other VPN configuration files will not be modified.
 
 EOF
 
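Review bot: The version in the new notice (`The new Libreswan version 3.19 requires some configuration changes.`) is a literal inside a quoted heredoc (`cat <<'EOF'`), so it will silently go stale the next time `swan_ver` at the top of the file is bumped, while the preceding banner already interpolates `$swan_ver`. Since this block contains no `$` or backtick text that needs protecting, it can use an unquoted heredoc and read `The new Libreswan version $swan_ver requires some configuration changes.`; the same applies to the identical notice in extras/vpnupgrade_centos.sh. It would also help the reader to state that a backup of the original is kept, e.g. `A backup of the original will be saved as /etc/ipsec.conf.old.`, which matches the `sed -i.old` added later in this file.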
@@ -134,6 +153,9 @@ if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -qs "$swan_ver"; then
   exiterr "Libreswan $swan_ver failed to build."
 fi
 
+# Update ipsec.conf options
+sed -i.old -e "s/auth=esp/phase2=esp/" -e "s/forceencaps=yes/encapsulation=yes/" /etc/ipsec.conf
+
 # Restart IPsec service
 service ipsec restart
 
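Review bot: The exit status of the new `sed -i.old ... /etc/ipsec.conf` line is not checked, so if /etc/ipsec.conf is missing or unwritable the script goes straight on to `service ipsec restart` with a config that the freshly installed 3.19 no longer accepts; the build step two lines above already uses `exiterr` for exactly this kind of failure, so `sed -i.old -e "s/auth=esp/phase2=esp/" -e "s/forceencaps=yes/encapsulation=yes/" /etc/ipsec.conf || exiterr "Failed to update /etc/ipsec.conf."` would keep the failure modes consistent. The two patterns are also unanchored substrings, so any other line containing `auth=esp` or `forceencaps=yes` (including commented-out ones) is rewritten; anchoring on the key at line start, such as `s/^\([[:space:]]*\)auth=esp/\1phase2=esp/`, limits the edit to the option itself. The same unchecked `sed` appears in extras/vpnupgrade_centos.sh. Separately, vpnsetup.sh and vpnsetup_centos.sh drop `nat_traversal=yes` from newly generated configs while the upgrade path leaves it in existing ones; if 3.19 rejects rather than ignores that option this restart would fail on upgraded hosts, which is worth confirming against the release announcement linked in the commit message.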
diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh
index 98eabbf..4590dc3 100644
--- a/extras/vpnupgrade_centos.sh
+++ b/extras/vpnupgrade_centos.sh
@@ -11,7 +11,7 @@
 # know how you have improved it!
 
 # Check https://libreswan.org for the latest version
-swan_ver=3.18
+swan_ver=3.19
 
 ### DO NOT edit below this line ###
 
@@ -64,7 +64,26 @@ Welcome! This script will build and install Libreswan $swan_ver on your server.
 Additional packages required for Libreswan compilation will also be installed.
 
 This is intended for use on servers running an older version of Libreswan.
-Your existing VPN configuration files will NOT be modified.
+
+EOF
+
+cat <<'EOF'
+!!! IMPORTANT NOTE !!!
+
+The new Libreswan version 3.19 requires some configuration changes.
+This script will make the following changes to your /etc/ipsec.conf:
+
+Replace this line:
+  auth=esp
+with the following:
+  phase2=esp
+
+Replace this line:
+  forceencaps=yes
+with the following:
+  encapsulation=yes
+
+Your other VPN configuration files will not be modified.
 
 EOF
 
@@ -131,6 +150,9 @@ restorecon /etc/ipsec.d/*db 2>/dev/null
 restorecon /usr/local/sbin -Rv 2>/dev/null
 restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null
 
+# Update ipsec.conf options
+sed -i.old -e "s/auth=esp/phase2=esp/" -e "s/forceencaps=yes/encapsulation=yes/" /etc/ipsec.conf
+
 # Restart IPsec service
 service ipsec restart
 
diff --git a/vpnsetup.sh b/vpnsetup.sh
index 64d05a9..2f3c111 100755
--- a/vpnsetup.sh
+++ b/vpnsetup.sh
@@ -170,7 +170,7 @@ apt-get -yq install fail2ban || exiterr2
 
 print_status "Compiling and installing Libreswan..."
 
-swan_ver=3.18
+swan_ver=3.19
 swan_file="libreswan-$swan_ver.tar.gz"
 swan_url1="https://download.libreswan.org/$swan_file"
 swan_url2="https://github.com/libreswan/libreswan/archive/v$swan_ver.tar.gz"
@@ -201,7 +201,6 @@ cat > /etc/ipsec.conf <<EOF
 version 2.0
 
 config setup
-  nat_traversal=yes
   virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.42.0/23
   protostack=netkey
   nhelpers=0
@@ -212,7 +211,7 @@ conn shared
   left=$PRIVATE_IP
   leftid=$PUBLIC_IP
   right=%any
-  forceencaps=yes
+  encapsulation=yes
   authby=secret
   pfs=no
   rekey=no
@@ -231,7 +230,7 @@ conn l2tp-psk
   leftprotoport=17/1701
   rightprotoport=17/%any
   type=transport
-  auth=esp
+  phase2=esp
   also=shared
 
 conn xauth-psk
diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh
index a07c0e0..80b83aa 100755
--- a/vpnsetup_centos.sh
+++ b/vpnsetup_centos.sh
@@ -160,7 +160,7 @@ yum -y install fail2ban || exiterr2
 
 print_status "Compiling and installing Libreswan..."
 
-swan_ver=3.18
+swan_ver=3.19
 swan_file="libreswan-$swan_ver.tar.gz"
 swan_url1="https://download.libreswan.org/$swan_file"
 swan_url2="https://github.com/libreswan/libreswan/archive/v$swan_ver.tar.gz"
@@ -188,7 +188,6 @@ cat > /etc/ipsec.conf <<EOF
 version 2.0
 
 config setup
-  nat_traversal=yes
   virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.42.0/23
   protostack=netkey
   nhelpers=0
@@ -199,7 +198,7 @@ conn shared
   left=$PRIVATE_IP
   leftid=$PUBLIC_IP
   right=%any
-  forceencaps=yes
+  encapsulation=yes
   authby=secret
   pfs=no
   rekey=no
@@ -218,7 +217,7 @@ conn l2tp-psk
   leftprotoport=17/1701
   rightprotoport=17/%any
   type=transport
-  auth=esp
+  phase2=esp
   also=shared
 
 conn xauth-psk