#!/bin/bash
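#######################################
# Source one tunnel config file in a clean bash and import every variable it
# defines into this shell under a prefix (FOO in the file -> ${2}_FOO here).
# Arguments:
#   $1 - config file; with the caller's cd this is a name under
#        /etc/ipsec-tunnels.  The file is EXECUTED as shell code, so it must
#        be owned by root and writable by nobody else.
#   $2 - prefix, e.g. PEER or SELF
# Globals:
#   sets ${2}_* for every variable the file defines (plus, as a side effect,
#   for every variable the clean bash itself defines, e.g. ${2}_PWD);
#   when IF_IPSEC6 is non-empty, copies PEER_ENDPOINT6/SELF_ENDPOINT6 over
#   PEER_ENDPOINT/SELF_ENDPOINT
# Returns: 1 if the file is unreadable or the dump pipeline fails, else 0
#######################################
load_var() {
  local file=$1 prefix=$2 dump

  if [[ ! -r "$file" ]]; then
    printf 'load_var: cannot read %s\n' "$file" >&2
    return 1
  fi

  # Feed the file plus a trailing "set -o posix; set" to a bash with an empty
  # environment (no profile, no rc).  POSIX mode makes `set` print plain
  # VAR=value lines and no functions; the leading newline guards against a
  # config file without a final newline.  sed then prefixes every line.
  dump=$(cat -- "$file" <(printf '\nset -o posix;set\n') |
    env - bash --noprofile --norc --posix |
    sed "s/^/${prefix}_/") || return 1

  # NOTE(security): eval of generated shell code.  It is exactly as trustworthy
  # as the config file, which has already been run as shell above; anyone who
  # can write that file runs commands as this script's user.  Quoting "$dump"
  # evaluates one assignment per line (the unquoted form relied on word
  # splitting).  Multi-line values are not supported either way, because sed
  # prefixes their continuation lines too.
  eval "$dump"

  if [[ -n "$IF_IPSEC6" ]]; then
    PEER_ENDPOINT=$PEER_ENDPOINT6
    SELF_ENDPOINT=$SELF_ENDPOINT6
  fi
}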
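#######################################
# Remove this tunnel's ESP SAs and ipencap policies, both directions.
# Each delete is issued on its own so that leftovers from an earlier run are
# cleared even when some entries are already gone; `ip` errors for a missing
# SA/policy are therefore expected here and not treated as fatal.
# Globals (read): ip, PEER_ENDPOINT, SELF_ENDPOINT, SELF_SPI, PEER_SPI
# Returns: the status of the last delete
#######################################
do_clear() {
  # $ip is deliberately unquoted: it holds the command plus an optional "-6".
  # shellcheck disable=SC2086
  $ip xfrm state del dst "$PEER_ENDPOINT" src "$SELF_ENDPOINT" proto esp spi "$SELF_SPI"
  # shellcheck disable=SC2086
  $ip xfrm state del src "$PEER_ENDPOINT" dst "$SELF_ENDPOINT" proto esp spi "$PEER_SPI"
  # shellcheck disable=SC2086
  $ip xfrm policy del dst "$PEER_ENDPOINT" src "$SELF_ENDPOINT" proto ipencap dir out
  # shellcheck disable=SC2086
  $ip xfrm policy del src "$PEER_ENDPOINT" dst "$SELF_ENDPOINT" proto ipencap dir in
}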
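#######################################
# Install the ESP SAs (one per direction) and the ipencap policies that bind
# them to this tunnel.
# The four commands are handed to a single `ip -batch -` on stdin instead of
# the command line: in the per-command form the AUTH/ENC keys sit in `ip`'s
# argv, readable by every local user through ps(1) or /proc/*/cmdline for the
# lifetime of the process.  Batch mode also stops at the first failing
# command, so a failed SA never gets a policy that points at it.
# Globals (read): ip, PEER_ENDPOINT, SELF_ENDPOINT, SELF_SPI, PEER_SPI,
#                 SELF_REQID, PEER_REQID, SELF_AUTH_KEY, SELF_ENC_KEY,
#                 PEER_AUTH_KEY, PEER_ENC_KEY
# Returns: the status of `ip`; the shell exits via ${var:?} when any required
#          value is empty, naming the variable but never printing the key
#######################################
do_addxfrm() {
  # Refuse to install half-configured SAs (e.g. an empty key after a failed
  # load_var).  ${var:?} prints only the variable NAME.
  : "${PEER_ENDPOINT:?}" "${SELF_ENDPOINT:?}" "${SELF_SPI:?}" "${PEER_SPI:?}"
  : "${SELF_REQID:?}" "${PEER_REQID:?}"
  : "${SELF_AUTH_KEY:?}" "${SELF_ENC_KEY:?}" "${PEER_AUTH_KEY:?}" "${PEER_ENC_KEY:?}"

  # NOTE(review): `auth sha256` without auth-trunc uses the kernel's default
  # ICV truncation; RFC 4868 peers expect 128 bits (`auth-trunc sha256 KEY
  # 128`).  Two ends running this same script agree with each other, so it is
  # left as is — confirm against any peer that does not.
  # $ip is deliberately unquoted: it holds the command plus an optional "-6".
  # shellcheck disable=SC2086
  $ip -batch - <<EOF
xfrm state add dst $PEER_ENDPOINT src $SELF_ENDPOINT proto esp spi $SELF_SPI reqid $SELF_REQID mode transport auth sha256 $SELF_AUTH_KEY enc aes $SELF_ENC_KEY
xfrm state add src $PEER_ENDPOINT dst $SELF_ENDPOINT proto esp spi $PEER_SPI reqid $PEER_REQID mode transport auth sha256 $PEER_AUTH_KEY enc aes $PEER_ENC_KEY
xfrm policy add dst $PEER_ENDPOINT src $SELF_ENDPOINT proto ipencap dir out tmpl proto esp reqid $SELF_REQID mode transport
xfrm policy add src $PEER_ENDPOINT dst $SELF_ENDPOINT proto ipencap dir in tmpl proto esp reqid $PEER_REQID mode transport
EOF
}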
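# Nothing to do unless the interface carries an ipsec-peer-name option
# (ifupdown exports interface options as IF_* variables).
if [[ -z "$IF_IPSEC_PEER_NAME" ]]; then
  exit 0
fi

# $ip is a plain string ("ip" or "ip -6") that the helpers above expand
# unquoted; keep it a string, not an array, so they keep working.
ip=ip
if [[ -n "$IF_IPSEC6" ]]; then
  ip="$ip -6"
fi

# Default config name for our own side when ipsec-self-name is not given.
: "${IF_IPSEC_SELF_NAME:=self}"

# Peer/self names are file names relative to this directory.  An unchecked cd
# would make load_var read them from whatever cwd ifup happened to have.
cd /etc/ipsec-tunnels || {
  printf '%s: cannot cd to /etc/ipsec-tunnels\n' "${0##*/}" >&2
  exit 1
}

load_var "$IF_IPSEC_PEER_NAME" PEER || exit 1
load_var "$IF_IPSEC_SELF_NAME" SELF || exit 1

case "$PHASE" in
  pre-up)
    if [[ -n "$IF_IPSEC6" ]]; then
      mode=ipip6
    else
      mode=ipip
    fi
    # exec: this is the last thing the phase does, so replace the shell.
    # shellcheck disable=SC2086
    exec $ip tunnel add "$IFACE" mode "$mode" remote "$PEER_ENDPOINT" local "$SELF_ENDPOINT" ttl 64
    ;;
  post-up)
    do_clear
    do_addxfrm
    ;;
  pre-down)
    do_clear
    ;;
  post-down)
    # shellcheck disable=SC2086
    exec $ip link del "$IFACE"
    ;;
  *)
    # Any other phase value needs nothing from this script.
    ;;
esac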