[strongSwan] Use charon instead of pluto variables in startup script?
red 888
fakemailred888 at gmail.com
Mon Oct 8 20:13:46 CEST 2018
I'm following this wiki page, but with a newer version of strongSwan:
https://docs.openvpn.net/configuration/extending-vpn-connectivity-to-amazon-aws-vpc-using-aws-vpc-vpn-gateway-service/
My version runs charon, but the wiki appears to be written for pluto (judging by
the updown script it uses). I'm assuming variables like PLUTO_CONNECTION
are not valid when using charon?
How do I change this script so the routing setup works with charon instead of
pluto: https://docs.openvpn.net/wp-content/uploads/ipsec.sh
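#!/bin/bash
# OpenVPN Access Server Appliance AWS VPC VPN Strongswan updown Script
#
# strongSwan runs this script when a CHILD_SA comes up or goes down. It reads
# the PLUTO_* environment variables and installs (up-client) or removes
# (down-client) the kernel XFRM policies and the ESP fwmark rule for the two
# AWS VPN gateway tunnels, VPC-CUST-GW1 and VPC-CUST-GW2.
#
# Environment consumed (exported by strongSwan for every updown call):
#   PLUTO_VERB         "up-client" or "down-client"; anything else is ignored
#   PLUTO_CONNECTION   connection name: VPC-CUST-GW1 or VPC-CUST-GW2
#   PLUTO_ME           local tunnel endpoint address
#   PLUTO_PEER         remote tunnel endpoint address
#   PLUTO_PEER_CLIENT  remote traffic selector (the VPC side)
#   PLUTO_REQID        reqid of the CHILD_SA; binds each policy to its SA
#
# NOTE(review): charon's updown interface is documented (strongSwan _updown
# man page / wiki) to export the same PLUTO_* names that pluto used, so the
# variable names themselves should not need changing for charon. Confirm on
# the installed version that PLUTO_REQID in particular is exported.

# Abort on an unset PLUTO_* variable rather than install an XFRM policy with
# an empty selector or template.
set -u

# fwmark applied to ESP from each gateway. Both "in" policies use the same
# 0.0.0.0/0 selector, so the mark is what keeps them distinct.
readonly MARK_GW1=0xfffe
readonly MARK_GW2=0xffff

#######################################
# Insert the mangle rule that marks ESP from the peer.
# Arguments: $1 - fwmark value
# Globals:   PLUTO_PEER (read)
# The -C probe makes the insert idempotent so repeated up-client events
# (e.g. after a restart) do not stack duplicate rules that a single -D
# on the down path would not remove.
#######################################
mark_esp_add() {
  local mark=$1
  iptables -t mangle -C PREROUTING -s "$PLUTO_PEER" -p esp \
    -j MARK --set-mark "$mark" 2>/dev/null \
    || iptables -t mangle -I PREROUTING -s "$PLUTO_PEER" -p esp \
      -j MARK --set-mark "$mark"
}

#######################################
# Delete the mangle rule inserted by mark_esp_add.
# Arguments: $1 - fwmark value
# Globals:   PLUTO_PEER (read)
#######################################
mark_esp_del() {
  local mark=$1
  iptables -t mangle -D PREROUTING -s "$PLUTO_PEER" -p esp \
    -j MARK --set-mark "$mark"
}

#######################################
# Install the in/fwd/out XFRM policies for one tunnel.
# Arguments: $1 - fwmark for the "in" policy
#            $2.. - destination networks for the fwd/out policies
# Globals:   PLUTO_PEER_CLIENT, PLUTO_PEER, PLUTO_ME, PLUTO_REQID (read)
# "level required" means matching traffic is never sent or accepted in the
# clear when the SA is absent. GW2 passes the two /1 halves of IPv4 instead
# of 0.0.0.0/0, presumably so its fwd/out selectors do not collide with the
# identical-priority 0.0.0.0/0 policies of GW1 while still covering all of
# IPv4.
# NOTE(review): "policy add" fails with EEXIST if a policy is already
# present; a stale policy from an earlier run must be cleaned up first.
#######################################
policies_up() {
  local mark=$1
  shift
  local net
  ip xfrm policy add dir in src "$PLUTO_PEER_CLIENT" dst 0.0.0.0/0 proto any \
    tmpl src "$PLUTO_PEER" dst "$PLUTO_ME" proto esp mode tunnel \
    reqid "$PLUTO_REQID" level required priority 1500 mark "$mark"
  for net in "$@"; do
    ip xfrm policy add dir fwd src "$PLUTO_PEER_CLIENT" dst "$net" proto any \
      tmpl src "$PLUTO_PEER" dst "$PLUTO_ME" proto esp mode tunnel \
      reqid "$PLUTO_REQID" level required priority 1500
    ip xfrm policy add dir out src "$net" dst "$PLUTO_PEER_CLIENT" proto any \
      tmpl src "$PLUTO_ME" dst "$PLUTO_PEER" proto esp mode tunnel \
      reqid "$PLUTO_REQID" level required priority 1500
  done
}

#######################################
# Remove the XFRM policies installed by policies_up.
# Arguments: $1 - fwmark of the "in" policy
#            $2.. - destination networks used for the fwd/out policies
# Globals:   PLUTO_PEER_CLIENT (read)
#######################################
policies_down() {
  local mark=$1
  shift
  local net
  ip xfrm policy del dir in src "$PLUTO_PEER_CLIENT" dst 0.0.0.0/0 mark "$mark"
  for net in "$@"; do
    ip xfrm policy del dir fwd src "$PLUTO_PEER_CLIENT" dst "$net"
    ip xfrm policy del dir out src "$net" dst "$PLUTO_PEER_CLIENT"
  done
}

# Dispatch on verb and connection. The mark rule is installed before the
# policies on the way up and removed before them on the way down, matching
# the original ordering. Unknown verbs/connections are deliberately ignored
# so strongSwan's other updown events (up-host, -v6 variants, ...) are no-ops.
case "${PLUTO_VERB:-}" in
  up-client)
    case "${PLUTO_CONNECTION:-}" in
      VPC-CUST-GW1)
        mark_esp_add "$MARK_GW1"
        policies_up "$MARK_GW1" 0.0.0.0/0
        ;;
      VPC-CUST-GW2)
        mark_esp_add "$MARK_GW2"
        policies_up "$MARK_GW2" 0.0.0.0/1 128.0.0.0/1
        ;;
    esac
    ;;
  down-client)
    case "${PLUTO_CONNECTION:-}" in
      VPC-CUST-GW1)
        mark_esp_del "$MARK_GW1"
        policies_down "$MARK_GW1" 0.0.0.0/0
        ;;
      VPC-CUST-GW2)
        mark_esp_del "$MARK_GW2"
        policies_down "$MARK_GW2" 0.0.0.0/1 128.0.0.0/1
        ;;
    esac
    ;;
esac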