ASR_BASE
Change-Id: Icf3719cc0afe3eeb3edc7fa80a2eb5199ca9dda1
diff --git a/external/subpack/net/strongswan/files/ipsec.init b/external/subpack/net/strongswan/files/ipsec.init
new file mode 100644
index 0000000..bbfa573
--- /dev/null
+++ b/external/subpack/net/strongswan/files/ipsec.init
@@ -0,0 +1,372 @@
+#!/bin/sh /etc/rc.common
+
+START=90
+STOP=10
+
+USE_PROCD=1
+PROG=/usr/lib/ipsec/starter
+
+. $IPKG_INSTROOT/lib/functions.sh
+. $IPKG_INSTROOT/lib/functions/network.sh
+
+IPSEC_SECRETS_FILE=/etc/ipsec.secrets
+IPSEC_CONN_FILE=/etc/ipsec.conf
+STRONGSWAN_CONF_FILE=/etc/strongswan.conf
+
+IPSEC_VAR_SECRETS_FILE=/var/ipsec/ipsec.secrets
+IPSEC_VAR_CONN_FILE=/var/ipsec/ipsec.conf
+STRONGSWAN_VAR_CONF_FILE=/var/ipsec/strongswan.conf
+
+WAIT_FOR_INTF=0
+
+file_reset() {
+ : > "$1"
+}
+
+xappend() {
+ local file="$1"
+ shift
+
+ echo "$@" >> "$file"
+}
+
+ipsec_reset() {
+ file_reset "$IPSEC_VAR_CONN_FILE"
+}
+
+ipsec_xappend() {
+ xappend "$IPSEC_VAR_CONN_FILE" "$@"
+}
+
+swan_reset() {
+ file_reset "$STRONGSWAN_VAR_CONF_FILE"
+}
+
+swan_xappend() {
+ xappend "$STRONGSWAN_VAR_CONF_FILE" "$@"
+}
+
+secret_reset() {
+ file_reset "$IPSEC_VAR_SECRETS_FILE"
+}
+
+secret_xappend() {
+ xappend "$IPSEC_VAR_SECRETS_FILE" "$@"
+}
+
+warning() {
+ echo "WARNING: $@" >&2
+}
+
+add_crypto_proposal() {
+ local encryption_algorithm
+ local hash_algorithm
+ local dh_group
+
+ config_get encryption_algorithm "$1" encryption_algorithm
+ config_get hash_algorithm "$1" hash_algorithm
+ config_get dh_group "$1" dh_group
+
+ [ -n "${encryption_algorithm}" ] && \
+ crypto="${crypto:+${crypto},}${encryption_algorithm}${hash_algorithm:+-${hash_algorithm}}${dh_group:+-${dh_group}}"
+}
+
+set_crypto_proposal() {
+ local conf="$1"
+ local proposal
+
+ crypto=""
+
+ config_get crypto_proposal "$conf" crypto_proposal ""
+ for proposal in $crypto_proposal; do
+ add_crypto_proposal "$proposal"
+ done
+
+ [ -n "${crypto}" ] && {
+ local force_crypto_proposal
+
+ config_get_bool force_crypto_proposal "$conf" force_crypto_proposal
+
+ [ "${force_crypto_proposal}" = "1" ] && crypto="${crypto}!"
+ }
+
+ crypto_proposal="${crypto}"
+}
+
+config_conn() {
+ # Generic ipsec conn section shared by tunnel and transport
+ local mode
+ local local_subnet
+ local local_nat
+ local local_sourceip
+ local local_leftip
+ local local_updown
+ local local_firewall
+ local remote_subnet
+ local remote_sourceip
+ local remote_updown
+ local remote_firewall
+ local ikelifetime
+ local lifetime
+ local margintime
+ local keyingtries
+ local dpdaction
+ local dpddelay
+ local inactivity
+ local keyexchange
+ local reqid
+ local packet_marker
+
+ config_get mode "$1" mode "route"
+ config_get local_subnet "$1" local_subnet ""
+ config_get local_nat "$1" local_nat ""
+ config_get local_sourceip "$1" local_sourceip ""
+ config_get local_leftip "$1" local_leftip "%any"
+ config_get local_updown "$1" local_updown ""
+ config_get local_firewall "$1" local_firewall ""
+ config_get remote_subnet "$1" remote_subnet ""
+ config_get remote_sourceip "$1" remote_sourceip ""
+ config_get remote_updown "$1" remote_updown ""
+ config_get remote_firewall "$1" remote_firewall ""
+ config_get ikelifetime "$1" ikelifetime "3h"
+ config_get lifetime "$1" lifetime "1h"
+ config_get margintime "$1" margintime "9m"
+ config_get keyingtries "$1" keyingtries "3"
+ config_get dpdaction "$1" dpdaction "none"
+ config_get dpddelay "$1" dpddelay "30s"
+ config_get inactivity "$1" inactivity
+ config_get keyexchange "$1" keyexchange "ikev2"
+ config_get reqid "$1" reqid
+ config_get packet_marker "$1" packet_marker
+
+ [ -n "$local_nat" ] && local_subnet=$local_nat
+
+ ipsec_xappend "conn $config_name-$1"
+ ipsec_xappend " left=$local_leftip"
+ ipsec_xappend " right=$remote_gateway"
+
+ [ -n "$local_sourceip" ] && ipsec_xappend " leftsourceip=$local_sourceip"
+ [ -n "$local_subnet" ] && ipsec_xappend " leftsubnet=$local_subnet"
+
+ [ -n "$local_firewall" ] && ipsec_xappend " leftfirewall=$local_firewall"
+ [ -n "$remote_firewall" ] && ipsec_xappend " rightfirewall=$remote_firewall"
+
+ ipsec_xappend " ikelifetime=$ikelifetime"
+ ipsec_xappend " lifetime=$lifetime"
+ ipsec_xappend " margintime=$margintime"
+ ipsec_xappend " keyingtries=$keyingtries"
+ ipsec_xappend " dpdaction=$dpdaction"
+ ipsec_xappend " dpddelay=$dpddelay"
+
+ [ -n "$inactivity" ] && ipsec_xappend " inactivity=$inactivity"
+ [ -n "$reqid" ] && ipsec_xappend " reqid=$reqid"
+
+ if [ "$auth_method" = "psk" ]; then
+ ipsec_xappend " leftauth=psk"
+ ipsec_xappend " rightauth=psk"
+
+ [ "$remote_sourceip" != "" ] && ipsec_xappend " rightsourceip=$remote_sourceip"
+ [ "$remote_subnet" != "" ] && ipsec_xappend " rightsubnet=$remote_subnet"
+
+ ipsec_xappend " auto=$mode"
+ else
+ warning "AuthenticationMethod $auth_method not supported"
+ fi
+
+ [ -n "$local_identifier" ] && ipsec_xappend " leftid=$local_identifier"
+ [ -n "$remote_identifier" ] && ipsec_xappend " rightid=$remote_identifier"
+ [ -n "$local_updown" ] && ipsec_xappend " leftupdown=$local_updown"
+ [ -n "$remote_updown" ] && ipsec_xappend " rightupdown=$remote_updown"
+ [ -n "$packet_marker" ] && ipsec_xappend " mark=$packet_marker"
+ ipsec_xappend " keyexchange=$keyexchange"
+
+ set_crypto_proposal "$1"
+ [ -n "${crypto_proposal}" ] && ipsec_xappend " esp=$crypto_proposal"
+ [ -n "${ike_proposal}" ] && ipsec_xappend " ike=$ike_proposal"
+}
+
+config_tunnel() {
+ config_conn "$1"
+
+ # Specific for the tunnel part
+ ipsec_xappend " type=tunnel"
+}
+
+config_transport() {
+ config_conn "$1"
+
+ # Specific for the transport part
+ ipsec_xappend " type=transport"
+}
+
+config_remote() {
+ local enabled
+ local gateway
+ local pre_shared_key
+ local auth_method
+
+ config_name=$1
+
+ config_get_bool enabled "$1" enabled 0
+ [ $enabled -eq 0 ] && return
+
+ config_get gateway "$1" gateway
+ config_get pre_shared_key "$1" pre_shared_key
+ config_get auth_method "$1" authentication_method
+ config_get local_identifier "$1" local_identifier ""
+ config_get remote_identifier "$1" remote_identifier ""
+
+ [ "$gateway" = "any" ] && remote_gateway="%any" || remote_gateway="$gateway"
+
+ [ -z "$local_identifier" ] && {
+ local ipdest
+
+ [ "$remote_gateway" = "%any" ] && ipdest="1.1.1.1" || ipdest="$remote_gateway"
+ local_gateway=$(ip -o route get "$ipdest" | awk '/ src / { print gensub(/^.* src ([^ ]*) .*$/, "\\1", "g"); }')
+ }
+
+ [ -n "$local_identifier" ] && secret_xappend -n "$local_identifier " || secret_xappend -n "$local_gateway "
+ [ -n "$remote_identifier" ] && secret_xappend -n "$remote_identifier " || secret_xappend -n "$remote_gateway "
+
+ secret_xappend ": PSK \"$pre_shared_key\""
+
+ set_crypto_proposal "$1"
+ ike_proposal="$crypto_proposal"
+
+ config_list_foreach "$1" tunnel config_tunnel
+
+ config_list_foreach "$1" transport config_transport
+
+ ipsec_xappend ""
+}
+
+do_preamble() {
+ ipsec_xappend "# generated by /etc/init.d/ipsec"
+ ipsec_xappend "version 2"
+ ipsec_xappend ""
+
+ secret_xappend "# generated by /etc/init.d/ipsec"
+}
+
+config_ipsec() {
+ local debug
+ local rtinstall_enabled
+ local routing_tables_ignored
+ local routing_table
+ local routing_table_id
+ local interface
+ local device_list
+
+ ipsec_reset
+ secret_reset
+ swan_reset
+
+ do_preamble
+
+ config_get debug "$1" debug 0
+ config_get_bool rtinstall_enabled "$1" rtinstall_enabled 1
+ [ $rtinstall_enabled -eq 1 ] && install_routes=yes || install_routes=no
+
+ # prepare extra charon config option ignore_routing_tables
+ for routing_table in $(config_get "$1" "ignore_routing_tables"); do
+ if [ "$routing_table" -ge 0 ] 2>/dev/null; then
+ routing_table_id=$routing_table
+ else
+ routing_table_id=$(sed -n '/[ \t]*[0-9]\+[ \t]\+'$routing_table'[ \t]*$/s/[ \t]*\([0-9]\+\).*/\1/p' /etc/iproute2/rt_tables)
+ fi
+
+ [ -n "$routing_table_id" ] && append routing_tables_ignored "$routing_table_id"
+ done
+
+ local interface_list=$(config_get "$1" "interface")
+ if [ -z "$interface_list" ]; then
+ WAIT_FOR_INTF=0
+ else
+ for interface in $interface_list; do
+ network_get_device device $interface
+ [ -n "$device" ] && append device_list "$device" ","
+ done
+ [ -n "$device_list" ] && WAIT_FOR_INTF=0 || WAIT_FOR_INTF=1
+ fi
+
+ swan_xappend "# generated by /etc/init.d/ipsec"
+ swan_xappend "charon {"
+ swan_xappend " load_modular = yes"
+ swan_xappend " install_routes = $install_routes"
+ [ -n "$routing_tables_ignored" ] && swan_xappend " ignore_routing_tables = $routing_tables_ignored"
+ [ -n "$device_list" ] && swan_xappend " interfaces_use = $device_list"
+ swan_xappend " plugins {"
+ swan_xappend " include /etc/strongswan.d/charon/*.conf"
+ swan_xappend " }"
+ swan_xappend " syslog {"
+ swan_xappend " identifier = ipsec"
+ swan_xappend " daemon {"
+ swan_xappend " default = $debug"
+ swan_xappend " }"
+ swan_xappend " }"
+ swan_xappend "}"
+}
+
+prepare_env() {
+ mkdir -p /var/ipsec
+ config_load ipsec
+ config_foreach config_ipsec ipsec
+ config_foreach config_remote remote
+}
+
+service_running() {
+ ipsec status > /dev/null 2>&1
+}
+
+reload_service() {
+ running && {
+ prepare_env
+ [ $WAIT_FOR_INTF -eq 0 ] && {
+ ipsec rereadall
+ ipsec reload
+ return
+ }
+ }
+
+ start
+}
+
+stop_service() {
+ ipsec_reset
+ swan_reset
+ secret_reset
+}
+
+check_ipsec_interface() {
+ local intf
+
+ for intf in $(config_get "$1" interface); do
+ procd_add_interface_trigger "interface.*" "$intf" /etc/init.d/ipsec reload
+ done
+}
+
+service_triggers() {
+ procd_add_reload_trigger "ipsec"
+ config load "ipsec"
+ config_foreach check_ipsec_interface ipsec
+}
+
+start_service() {
+ prepare_env
+
+ [ $WAIT_FOR_INTF -eq 1 ] && return
+
+ procd_open_instance
+
+ procd_set_param command $PROG --daemon charon --nofork
+
+ procd_set_param file $IPSEC_CONN_FILE
+ procd_append_param file $IPSEC_SECRETS_FILE
+ procd_append_param file $STRONGSWAN_CONF_FILE
+ procd_append_param file /etc/strongswan.d/*.conf
+ procd_append_param file /etc/strongswan.d/charon/*.conf
+
+ procd_set_param respawn
+
+ procd_close_instance
+}