11#! /bin/bash
22set -x
33set -e
4- [ -f /root/strongswan-config ] && . /root/strongswan-config
5- ETC=${ETC:=/ etc/ strongswan
4+ [ -f /root/strongswan-config ] && . /root/strongswan-config || :
5+ ETC=${ETC:=/ etc/ strongswan}
66SWAND=" $ETC /strongswan.d"
77IPSECD=" $ETC /ipsec.d"
88SWANC=" $ETC /swanctl"
@@ -18,6 +18,47 @@ WAN_IP=${WAN_IP:=10.1.99.1}
1818WAN_CONCENTRATOR_IP=${WAN_CONCENTRATOR_IP:= 10.1.99.1}
1919XIF_IP=${XIF_IP:= 10.9.99.1}
2020
21+ function initialize_vrf() {
22+ local WANDEV=$WAN_IF
23+ local VRFID=$1
24+ local VRFDEV=vrf$VRFID
25+ local XFRMDEV=xfrm$VRFID
26+
27+ # do you need this?
28+ # sysctl -w net.ipv4.ip_forward=1
29+ # sysctl -w net.ipv4.conf.all.rp_filter=0
30+
31+ # setup vrf
32+ ip link add $VRFDEV type vrf table $VRFID
33+ ip link set dev $VRFDEV up
34+ ip route add unreachable default metric 4278198272 vrf $VRFDEV
35+
36+ # create tunnel device
37+ ip li del $XFRMDEV > /dev/null 2>&1
38+ $SWAN_LIBX /xfrmi -n $XFRMDEV -i $VRFID -d $WANDEV
39+ ip li set dev $XFRMDEV up
40+ ip li set dev $XFRMDEV master $VRFDEV
41+ ip add add 169.254.24.201/32 dev $XFRMDEV scope link
42+ ip ro add default dev $XFRMDEV vrf $VRFDEV
43+ ip -6 ro add default dev $XFRMDEV vrf $VRFDEV
44+ }
45+
46+ function initialize_fake_client_netns() {
47+ local VRFID=$1
48+ sysctl net.ipv4.conf.all.rp_filter=0
49+ sysctl net.ipv4.conf.default.rp_filter=0
50+ ip netns add ts-vrf-${VRFID}
51+ ip netns exec ts-vrf-${VRFID} ip li set dev lo up
52+ ip li del ts-vrf-${VRFID} a
53+ ip link add ts-vrf-${VRFID} a type veth peer name ts-vrf-${VRFID} b netns ts-vrf-${VRFID}
54+ ip netns exec ts-vrf-${VRFID} ip link set dev ts-vrf-${VRFID} b up
55+ ip netns exec ts-vrf-${VRFID} ip add add dev ts-vrf-${VRFID} b 10.0.201.2/24
56+ ip netns exec ts-vrf-${VRFID} ip ro add default via 10.0.201.1
57+ ip li set dev ts-vrf-${VRFID} a up
58+ ip li set dev ts-vrf-${VRFID} a master vrf${VRFID}
59+ ip add add 10.0.201.1/24 dev ts-vrf-${VRFID} a
60+ }
61+
2162function initialize() {
2263 [ -d " $SWANC /peers-available" || mkdir " $SWANC /peers-available"
2364 [ -d " $SWANC /peers-enabled" || mkdir " $SWANC /peers-enabled"
@@ -30,6 +71,10 @@ function initialize() {
3071 }
3172}
3273
74+ function vrf_ping() {
75+ local vrfid=$1
76+ ip netns exec ts-vrf-$vrfid ping 10.0.201.2
77+ }
3378
3479
3580function backup_keys() {
@@ -136,13 +181,13 @@ function get_vrf_for_if() {
136181function enable_ipsec_if() {
137182 vrfnum=$( get_vrf_for_if $WAN_IF )
138183 xif=" xfrm${vrfnum} "
139- $SWAN_LIBX /xfrmi -n $xif -i ${vrfnum} -d $WAN_IF
184+ $SWAN_LIBX /xfrmi -n $xif -i ${vrfnum} -d $WAN_IF || :
140185
141- ip link set dev $xif up
142- ip link set dev $xif master vrf${vrfnum}
143- ip address add $XIF_IP /32 dev $xif scope link
144- ip route add default dev $xif vrf $vrfnum
145- ip route add 10.0.0.0/8 dev $xif vrf $vrfnum
186+ ip link set dev $xif up || :
187+ ip link set dev $xif master vrf${vrfnum} || :
188+ ip address add $XIF_IP /32 dev $xif scope link || :
189+ ip route add default dev $xif vrf $vrfnum || :
190+ ip route add 10.0.0.0/8 dev $xif vrf $vrfnum || :
146191}
147192
148193function check_arg() {
@@ -156,12 +201,25 @@ function check_arg() {
156201 }
157202}
158203
204+ function activate_all() {
205+ local f
206+ for f in $SWANC /* .conf; do
207+ echo " CONF $f "
208+ f=` basename $f `
209+ [[ $f = secrets.conf ]] && continue || :
210+ [[ $f = swanctl.conf ]] && continue || :
211+ [[ $f = * .conf ]] && f=${f% .conf}
212+ echo " f now $f "
213+ activate_peer $f
214+ done
215+ }
216+
159217# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
160218# M A I N
161219# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
162220
163221
164- while getopts " ibc :a:d:" ; do
222+ while getopts " ibec :a:d:" ; do
165223 case $arg in
166224 i)
167225 initialize
@@ -187,6 +245,9 @@ while getopts "ibc:a:d:" arg; do
187245 b)
188246 enable_ipsec_if $WLAN_IF
189247 ;;
248+ e)
249+ activate_all
250+ ;;
190251 * ) echo " Unknown option: $arg "
191252 esac
192253done
0 commit comments