--- /dev/null
+#
+# Copyright (C) 2019 Lucian Cristian <lucian.cristian@gmail.com>
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=libreswan
+PKG_VERSION:=3.27
+PKG_RELEASE:=1
+
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
+PKG_SOURCE_URL:=https://download.libreswan.org/
+PKG_HASH:=ead07dd701116094b483dc57e54e2a5ee9a06d3982bb142260bcbf3d1faf7b82
+
+PKG_LICENSE:=GPL-2.0
+PKG_MAINTAINER:=Lucian Cristian <lucian.cristian@gmail.com>
+
+PKG_BUILD_PARALLEL:=1
+PKG_INSTALL:=1
+
+include $(INCLUDE_DIR)/package.mk
+include $(INCLUDE_DIR)/kernel.mk
+
+define Package/libreswan/Default
+ TITLE:=Libreswan
+ URL:=https://libreswan.org/
+endef
+
+define Package/libreswan/Default/description
+ Libreswan is a free software implementation of the most widely supported and
+ standardized VPN protocol based on ("IPsec") and the Internet Key Exchange
+ ("IKE"). These standards are produced and maintained by the Internet
+ Engineering Task Force ("IETF").
+endef
+
+define Package/libreswan
+$(call Package/libreswan/Default)
+ SUBMENU:=VPN
+ SECTION:=net
+ CATEGORY:=Network
+ DEPENDS:= +kmod-libreswan +libnss +librt +libevent2 +libevent2-pthreads \
+ +ip-full
+ PROVIDES:=openswan
+ CONFLICTS:=strongswan
+ TITLE+= IPsec Server
+endef
+
+define Package/libreswan/description
+$(call Package/libreswan/Default/description)
+ Libreswan is a free software implementation of the most widely supported and
+ standardized VPN protocol based on ("IPsec") and the Internet Key Exchange
+ ("IKE"). These standards are produced and maintained by the Internet
+ Engineering Task Force ("IETF").
+endef
+
+define KernelPackage/libreswan
+$(call Package/libreswan/Default)
+ SUBMENU:=Network Support
+ TITLE+= (kernel module)
+ FILES:=$(PKG_BUILD_DIR)/modobj*/ipsec.$(LINUX_KMOD_SUFFIX)
+ DEPENDS:= +kmod-crypto-authenc +kmod-crypto-hash +kmod-ipt-ipsec +iptables-mod-ipsec \
+ +kmod-ipsec +kmod-ipsec4 +kmod-crypto-rng +IPV6:kmod-ipsec6
+endef
+
+define KernelPackage/libreswan/description
+$(call Package/libreswan/Default/description)
+ This package contains the Libreswan kernel module.
+endef
+
+define Package/libreswan/conffiles
+/etc/ipsec.d
+/etc/ipsec.conf
+/etc/ipsec.secrets
+endef
+
+TARGET_CFLAGS+= -Wno-error=format-nonliteral
+MAKE_FLAGS+= \
+ WERROR_CFLAGS=" " \
+ USE_DNSSEC=false \
+ USE_LINUX_AUDIT=false \
+ USE_LABELED_IPSEC=false \
+ USE_NM=false \
+ USE_LIBCURL=false \
+ USE_GLIBC_KERN_FLIP_HEADERS=true \
+ USE_XAUTHPAM=false \
+ USE_FIPSCHECK=false \
+ USE_LIBCAP_NG=false \
+ USE_SYSTEMD_WATCHDOG=false \
+ INC_USRLOCAL="/usr" \
+ FINALRUNDIR="/var/run/pluto" \
+ KERNELSRC="$(LINUX_DIR)"
+
+define Build/Prepare
+ $(call Build/Prepare/Default)
+ $(SED) 's,include $$$$(top_srcdir)/mk/manpages.mk,,g' \
+ $(PKG_BUILD_DIR)/mk/program.mk
+endef
+
+define Build/Compile
+ $(call Build/Compile/Default,base)
+ $(call Build/Compile/Default,module)
+endef
+
+define Package/libreswan/install
+ $(INSTALL_DIR) \
+ $(1)/etc/init.d \
+ $(1)/etc/ipsec.d/policies \
+ $(1)/usr/libexec/ipsec \
+ $(1)/usr/sbin
+
+ $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/ipsec \
+ $(1)/usr/sbin/ipsec
+ $(INSTALL_BIN) ./files/ipsec.init $(1)/etc/init.d/ipsec
+ $(INSTALL_DATA) ./files/ipsec.conf $(1)/etc/ipsec.conf
+ $(INSTALL_DATA) ./files/ipsec.secrets $(1)/etc/ipsec.secrets
+ $(INSTALL_DATA) $(PKG_INSTALL_DIR)/etc/ipsec.d/policies/* \
+ $(1)/etc/ipsec.d/policies/
+ $(CP) $(PKG_INSTALL_DIR)/usr/libexec/ipsec/* \
+ $(1)/usr/libexec/ipsec/
+endef
+
+$(eval $(call BuildPackage,libreswan))
+$(eval $(call KernelPackage,libreswan))
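Review bot: Package/libreswan/install copies ./files/ipsec.secrets to $(1)/etc/ipsec.secrets with $(INSTALL_DATA), which installs it world-readable, yet this is the file that holds pre-shared keys and XAUTH passwords once the user fills it in; install it with `$(INSTALL_CONF) ./files/ipsec.secrets $(1)/etc/ipsec.secrets` so it lands with mode 0600, and consider tightening the mode of $(1)/etc/ipsec.d as well, since the include line in that file pulls user-added *.secrets from there. Separately, Package/libreswan/description expands Package/libreswan/Default/description and then repeats the same four lines verbatim; the repeated lines could be dropped, or replaced with text specific to the userspace package, e.g. `This package contains the Libreswan userspace IKE daemon and helpers.`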
--- /dev/null
+# /etc/ipsec.conf - Libreswan IPsec configuration file
+#
+# see 'man ipsec.conf' and 'man pluto' for more information
+#
+# For example configurations and documentation, see https://libreswan.org/wiki/
+
+config setup
+ # Normally, pluto logs via syslog.
+ #logfile=/var/log/pluto.log
+ #
+ # Do not enable debug options to debug configuration issues!
+ #
+ # plutodebug="control parsing"
+ # plutodebug="all crypt"
+ plutodebug=none
+ #
+ # NAT-TRAVERSAL support
+ # exclude networks used on server side by adding %v4:!a.b.c.0/24
+ # It seems that T-Mobile in the US and Rogers/Fido in Canada are
+ # using 25/8 as "private" address space on their wireless networks.
+ # This range has never been announced via BGP (at least up to 2015)
+ virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10
+
+# if it exists, include system wide crypto-policy defaults
+# include /etc/crypto-policies/back-ends/libreswan.config
+
+# It is best to add your IPsec connections as separate files in /etc/ipsec.d/
+
+conn L2TP-PSK-NAT
+ rightsubnet=vhost:%priv
+ also=L2TP-PSK-noNAT
+
+conn L2TP-PSK-noNAT
+ authby=secret
+ pfs=no
+ auto=add
+ keyingtries=8
+ ikelifetime=8h
+ keylife=1h
+ type=transport
+ left=A.B.C.D
+ leftprotoport=17/1701
+ right=%any
+ rightprotoport=17/%any
+
+include /etc/ipsec.d/*.conf
\ No newline at end of file
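Review bot: The sample L2TP-PSK-noNAT connection is shipped active (`auto=add`) with the placeholder `left=A.B.C.D`, which is not a usable address, and the accompanying init script validates this file with `ipsec addconn --checkconfig` before starting pluto, so a stock install may refuse to start until the user edits or removes the sample. Shipping both `conn` blocks commented out, or moving them into a commented example under /etc/ipsec.d/ as the comment two lines above already recommends, avoids that; whether `--checkconfig` rejects the placeholder is inferred from the init script, not shown here. The missing trailing newline is cosmetic.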
--- /dev/null
+#!/bin/sh /etc/rc.common
+
+START=90
+STOP=10
+
+#USE_PROCD=1
+
+. $IPKG_INSTROOT/lib/functions.sh
+
+EXTRA_COMMANDS=status
+EXTRA_HELP=" status Show the status of the service"
+
+# Check that networking is up.
+[ "${NETWORKING}" = "no" ] && exit 6
+
+if [ $(id -u) -ne 0 ]; then
+ echo "permission denied (must be superuser)" | \
+ logger -s -p daemon.error -t ipsec_setup 2>&1
+ exit 4
+fi
+
+# where the private directory and the config files are
+IPSEC_EXECDIR="${IPSEC_EXECDIR-/usr/libexec/ipsec}"
+IPSEC_SBINDIR="${IPSEC_SBINDIR-/usr/sbin}"
+IPSEC_CONF="${IPSEC_CONF-/etc/ipsec.conf}"
+unset PLUTO_OPTIONS
+
+rundir=/var/run/pluto
+plutopid=${rundir}/pluto.pid
+plutoctl=${rundir}/pluto.ctl
+lockdir=/var/lock
+lockfile=${lockdir}/ipsec
+ipsecversion=/proc/net/ipsec_version
+kamepfkey=/proc/net/pfkey
+
+# /etc/resolv.conf related paths
+LIBRESWAN_RESOLV_CONF=${rundir}/libreswan-resolv-conf-backup
+ORIG_RESOLV_CONF=/etc/resolv.conf
+
+# misc setup
+umask 022
+
+# standardize PATH, and export it for everything else's benefit
+PATH="${IPSEC_SBINDIR}":/sbin:/usr/sbin:/usr/local/bin:/bin:/usr/bin
+export PATH
+
+mkdir -p ${rundir}
+chmod 700 ${rundir}
+
+verify_config() {
+ [ -f ${IPSEC_CONF} ] || exit 6
+ config_error=$(ipsec addconn --config ${IPSEC_CONF} --checkconfig 2>&1)
+ RETVAL=$?
+ if [ ${RETVAL} -gt 0 ]; then
+ echo "Configuration error - the following error occurred:"
+ echo ${config_error}
+ echo "IKE daemon status was not modified"
+ exit ${RETVAL}
+ fi
+}
+
+start() {
+ echo -n "Starting pluto IKE daemon for IPsec: "
+ ipsec _stackmanager start
+ # pluto searches the current directory, so this is required for making it selinux compliant
+ cd /
+ # Create nss db or convert from old format to new sql format
+ ipsec --checknss
+ # Enable nflog if configured
+ ipsec --checknflog > /dev/null
+ # This script will enter an endless loop to ensure pluto restarts on crash
+ ipsec _plutorun --config ${IPSEC_CONF} --nofork ${PLUTO_OPTIONS} & [ -d ${lockdir} ] || mkdir -p ${lockdir}
+ touch ${lockfile}
+ # Because _plutorun starts pluto at background we need to make sure pluto is started
+ # before we know if start was successful or not
+ for waitsec in 1 2 3 4 5; do
+ if status >/dev/null; then
+ RETVAL=0
+ break
+ else
+ echo -n "."
+ sleep 1
+ RETVAL=1
+ fi
+ done
+ if [ ${RETVAL} -ge 1 ]; then
+ rm -f ${lockfile}
+ fi
+ echo
+ return ${RETVAL}
+}
+
+stop() {
+ if [ -e ${plutoctl} ]; then
+ echo "Shutting down pluto IKE daemon"
+ ipsec whack --shutdown 2>/dev/null
+ # don't use seq, might not exist on embedded
+ for waitsec in 1 2 3 4 5 6 7 8 9 10; do
+ if [ -s ${plutopid} ]; then
+ echo -n "."
+ sleep 1
+ else
+ break
+ fi
+ done
+ echo
+ rm -f ${plutoctl} # we won't be using this anymore
+ fi
+ if [ -s ${plutopid} ]; then
+ # pluto did not die peacefully
+ pid=$(cat ${plutopid})
+ if [ -d /proc/${pid} ]; then
+ kill -TERM ${pid}
+ RETVAL=$?
+ sleep 5;
+ if [ -d /proc/${pid} ]; then
+ kill -KILL ${pid}
+ RETVAL=$?
+ fi
+ if [ ${RETVAL} -ne 0 ]; then
+ echo "Kill failed - removing orphaned ${plutopid}"
+ fi
+ else
+ echo "Removing orphaned ${plutopid}"
+ fi
+ rm -f ${plutopid}
+ fi
+
+ ipsec _stackmanager stop
+ ipsec --stopnflog > /dev/null
+
+ # cleaning up backup resolv.conf
+ if [ -e ${LIBRESWAN_RESOLV_CONF} ]; then
+ if grep 'Libreswan' ${ORIG_RESOLV_CONF} > /dev/null 2>&1; then
+ cp ${LIBRESWAN_RESOLV_CONF} ${ORIG_RESOLV_CONF}
+ fi
+ rm -f ${LIBRESWAN_RESOLV_CONF}
+ fi
+
+ rm -f ${lockfile}
+ return ${RETVAL}
+}
+
+restart() {
+ verify_config
+ stop
+ start
+ return $?
+}
+
+status() {
+ local RC
+ if [ -f ${plutopid} ]; then
+ if [ -r ${plutopid} ]; then
+ pid=$(cat ${plutopid})
+ if [ -n "$pid" -a -d /proc/${pid} ]; then
+ RC=0 # running
+ else
+ RC=1 # not running but pid exists
+ fi
+ else
+ RC=4 # insufficient privileges
+ fi
+ fi
+ if [ -z "${RC}" ]; then
+ if [ -f ${lockfile} ]; then
+ RC=2
+ else
+ RC=3
+ fi
+ fi
+ case "${RC}" in
+ 0)
+ echo "ipsec: pluto (pid ${pid}) is running..."
+ return 0
+ ;;
+ 1)
+ echo "ipsec: pluto dead but pid file exits"
+ return 1
+ ;;
+ 2)
+ echo "ipsec: pluto dead but subsys locked"
+ return 2
+ ;;
+ 4)
+ echo "ipsec: pluto status unknown due to insufficient privileges."
+ return 4
+ ;;
+ esac
+ echo "ipsec: pluto is stopped"
+ return 3
+}
+
+condrestart() {
+ verify_config
+ RETVAL=$?
+ if [ -f ${lockfile} ]; then
+ restart
+ RETVAL=$?
+ fi
+ return ${RETVAL}
+}
+
+version() {
+ ipsec version
+ return $?
+}
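Review bot: stop() returns ${RETVAL} on its last line, but RETVAL is only assigned on the kill -TERM / kill -KILL path, so after a clean `ipsec whack --shutdown` the variable is unset, `return ${RETVAL}` becomes a bare `return`, and the function's status is whatever the preceding `rm -f ${lockfile}` returned rather than a deliberate value; initialise it with `RETVAL=0` as the first line of stop(). In the same vein, verify_config prints the checker output with `echo ${config_error}`, which word-splits the captured multi-line message onto one line; `echo "${config_error}"` keeps it readable. The line in start() that backgrounds `ipsec _plutorun` also carries `[ -d ${lockdir} ] || mkdir -p ${lockdir}` after the `&`, which is valid shell but reads as two collapsed lines; if that is not a rendering artefact, a line break there would make the backgrounding explicit.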
--- /dev/null
+# This file holds shared secrets (PSK) and XAUTH user passwords used for
+# authentication. See pluto(8) manpage or the libreswan website.
+
+# Unlike older openswan, this file does NOT contain any X.509 related
+# information such as private key :RSA statements as these now reside
+# in the NSS database. See:
+#
+# https://libreswan.org/wiki/Using_NSS_with_libreswan
+# https://libreswan.org/wiki/Migrating_from_Openswan
+#
+# The preferred method for adding secrets is to create a new file in
+# the /etc/ipsec.d/ directory, so it will be included via the include
+# line below
+
+#A.B.C.D %any : PSK "SsEeCcRrEeTt"
+
+include /etc/ipsec.d/*.secrets