adding swanctl draft config. not yet used but wanna eventually switch to it

This commit is contained in:
toby 2018-10-28 20:45:20 +01:00
parent 467548f6e8
commit 3f2238a090
3 changed files with 62 additions and 2 deletions


@ -12,3 +12,4 @@ files/qemu-ifup etc/libvirt/hooks
files/firewall etc/init.d files/firewall etc/init.d
files/frr.conf.wit etc/frr files/frr.conf.wit etc/frr
files/ipsec.conf.wit etc files/ipsec.conf.wit etc
swanctl-wit.conf.wit etc/swanctl/conf.d
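Review bot: The new entry `swanctl-wit.conf.wit etc/swanctl/conf.d` omits the `files/` source prefix that every neighbouring entry carries (`files/ipsec.conf.wit etc`, `files/frr.conf.wit etc/frr`), so whatever consumes this manifest will presumably look for the source in the wrong place; the fix is `files/swanctl-wit.conf.wit etc/swanctl/conf.d`. The destination also does not line up with the setup script in the second hunk, which sets `SWANCTLCONFIG="/etc/swanctl/conf.d/swanctl-wit.conf"`: if the install step keeps the source name, as the `ipsec.conf.wit` → `/etc/ipsec.conf.wit` pair suggests, the installed file is `swanctl-wit.conf.wit` and the sed loop edits a path that does not exist. Either rename the source to `swanctl-wit.conf` or point `SWANCTLCONFIG` at the `.wit` name; note too that strongSwan's stock `swanctl.conf` only includes `conf.d/*.conf`, so the `.wit` suffix would keep the file from being loaded once swanctl is switched on.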


@ -25,6 +25,7 @@ case "$1" in
UDEVCONFIG="/etc/udev/rules.d/70-persistent-net.rules" UDEVCONFIG="/etc/udev/rules.d/70-persistent-net.rules"
FRRCONFIG="/etc/frr/frr.conf.wit" FRRCONFIG="/etc/frr/frr.conf.wit"
IPSECCONFIG="/etc/ipsec.conf.wit" IPSECCONFIG="/etc/ipsec.conf.wit"
SWANCTLCONFIG="/etc/swanctl/conf.d/swanctl-wit.conf"
## START gather all the info from the box and generate the variabels ## START gather all the info from the box and generate the variabels
@ -303,13 +304,16 @@ case "$1" in
# set ipsec config # set ipsec config
sed -i \ for IPSECCONFIGFILE in $IPSECCONFIG $SWANCTLCONFIG
do
sed -i \
-e "s/FQHOSTNAME/${HOSTNAME}/" \ -e "s/FQHOSTNAME/${HOSTNAME}/" \
-e "s/LOOPBACKv4/${LOOPBACKv4}\/32/" \ -e "s/LOOPBACKv4/${LOOPBACKv4}\/32/" \
-e "s/LOOPBACKv6/${LOOPBACKv6}\/128/" \ -e "s/LOOPBACKv6/${LOOPBACKv6}\/128/" \
-e "s/IPSEC_IPV4_SUBNETS/$IPSEC_IPV4_SUBNETS/" \ -e "s/IPSEC_IPV4_SUBNETS/$IPSEC_IPV4_SUBNETS/" \
-e "s/IPSEC_IPV6_SUBNETS/$IPSEC_IPV6_SUBNETS/" \ -e "s/IPSEC_IPV6_SUBNETS/$IPSEC_IPV6_SUBNETS/" \
$IPSECCONFIG $IPSECCONFIGFILE
done
echo ": RSA ${HOSTNAME}.key" >/etc/ipsec.secrets echo ": RSA ${HOSTNAME}.key" >/etc/ipsec.secrets
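Review bot: The new loop `for IPSECCONFIGFILE in $IPSECCONFIG $SWANCTLCONFIG` runs `sed -i` on both paths unconditionally, so while the swanctl file is still a draft (and its installed name may differ from `SWANCTLCONFIG`) sed fails with a can't-read error on the second iteration and, depending on error settings not visible in this hunk, either aborts the arm before `/etc/ipsec.secrets` is written or silently continues; a guard `[ -f "$IPSECCONFIGFILE" ] || continue` as the first line of the loop body keeps the ipsec.conf path working. The list in the `for` line and the sed target `$IPSECCONFIGFILE` are unquoted; `"$IPSECCONFIG" "$SWANCTLCONFIG"` and `"$IPSECCONFIGFILE"` are the safe spelling even though the current values contain no whitespace. The enclosing `case "$1" in` arm starts and ends outside the hunk.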


@ -0,0 +1,55 @@
connections {
loopback4 {
version = 1
local_addrs = LOOPBACKv4
remote_addrs = %any4
proposals = aes256-sha512-modp4096,aes128-sha1-modp2048
local {
auth = pubkey
certs = FQHOSTNAME.crt
id = "C=US, O=Wit, CN=FQHOSTNAME"
}
remote {
auth = pubkey
id = "C=US, O=Wit, CN=*"
}
children {
loopback4 {
remote_ts = IPSEC_IPV4_SUBNETS
local_ts = LOOPBACKv4
mode = transport
start_action = trap
esp_proposals = aes256-sha512-modp4096,aes128-sha1-modp2048
}
}
}
loopback6 {
version = 1
local_addrs = LOOPBACKv6
remote_addrs = %any6
proposals = aes256-sha512-modp4096,aes128-sha1-modp2048
local {
auth = pubkey
certs = FQHOSTNAME.crt
id = "C=US, O=Wit, CN=FQHOSTNAME"
}
remote {
auth = pubkey
id = "C=US, O=Wit, CN=*"
}
children {
loopback6 {
remote_ts = IPSEC_IPV6_SUBNETS
local_ts = LOOPBACKv6
mode = transport
start_action = trap
esp_proposals = aes256-sha512-modp4096,aes128-sha1-modp2048
}
}
}
}
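Review bot: Each of the four `proposals` / `esp_proposals` lines lists `aes128-sha1-modp2048` as a fallback, so a peer that offers only that set negotiates SHA-1 integrity and the 2048-bit group; if every peer is generated from this same template the fallback is never needed, and trimming the lines to `proposals = aes256-sha512-modp4096` and `esp_proposals = aes256-sha512-modp4096` removes the weaker option from both the IKE and ESP negotiation. The `remote` blocks accept any certificate matching `id = "C=US, O=Wit, CN=*"`, which is only as tight as the CA that issues `O=Wit` certificates; a comment such as `# any cert from the Wit CA is a valid peer; the CA must issue only to managed hosts` would make that assumption explicit. Since the file is a sed template, a header comment naming the substituted tokens (`FQHOSTNAME`, `LOOPBACKv4`, `LOOPBACKv6`, `IPSEC_IPV4_SUBNETS`, `IPSEC_IPV6_SUBNETS`) would keep a later edit from adding a literal that the substitution rewrites.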