From 0a455db685d74bb061eae0d3dc33ef5e5531bc3f Mon Sep 17 00:00:00 2001 
From: root Date: Sat, 29 Dec 2018 19:53:37 +0100 Subject: [PATCH] committing changes in /etc after apt run Package changes: +libcharon-standard-plugins 5.6.2-1ubuntu2.3 amd64 +libstrongswan 5.6.2-1ubuntu2.3 amd64 +libstrongswan-standard-plugins 5.6.2-1ubuntu2.3 amd64 +strongswan 5.6.2-1ubuntu2.3 all +strongswan-charon 5.6.2-1ubuntu2.3 amd64 +strongswan-libcharon 5.6.2-1ubuntu2.3 amd64 +strongswan-starter 5.6.2-1ubuntu2.3 amd64 --- .etckeeper | 75 ++++ apparmor.d/local/usr.lib.ipsec.charon | 0 apparmor.d/local/usr.lib.ipsec.stroke | 0 apparmor.d/usr.lib.ipsec.charon | 76 ++++ apparmor.d/usr.lib.ipsec.stroke | 28 ++ init.d/ipsec | 151 ++++++++ ipsec.conf | 28 ++ ipsec.secrets | 5 + passwd | 1 + passwd- | 2 + shadow | 1 + shadow- | 2 + strongswan.conf | 14 + strongswan.d/charon-logging.conf | 67 ++++ strongswan.d/charon.conf | 366 ++++++++++++++++++ strongswan.d/charon/aes.conf | 8 + strongswan.d/charon/aesni.conf | 8 + strongswan.d/charon/agent.conf | 8 + strongswan.d/charon/attr.conf | 14 + strongswan.d/charon/bypass-lan.conf | 17 + strongswan.d/charon/connmark.conf | 8 + strongswan.d/charon/constraints.conf | 8 + strongswan.d/charon/counters.conf | 8 + strongswan.d/charon/dnskey.conf | 8 + strongswan.d/charon/eap-mschapv2.conf | 8 + strongswan.d/charon/fips-prf.conf | 8 + strongswan.d/charon/gcm.conf | 8 + strongswan.d/charon/gmp.conf | 8 + strongswan.d/charon/hmac.conf | 8 + strongswan.d/charon/kernel-netlink.conf | 87 +++++ strongswan.d/charon/md4.conf | 8 + strongswan.d/charon/md5.conf | 8 + strongswan.d/charon/mgf1.conf | 8 + strongswan.d/charon/nonce.conf | 8 + strongswan.d/charon/openssl.conf | 14 + strongswan.d/charon/pem.conf | 8 + strongswan.d/charon/pgp.conf | 8 + strongswan.d/charon/pkcs1.conf | 8 + strongswan.d/charon/pkcs12.conf | 8 + strongswan.d/charon/pkcs7.conf | 8 + strongswan.d/charon/pkcs8.conf | 8 + strongswan.d/charon/pubkey.conf | 8 + strongswan.d/charon/random.conf | 18 + strongswan.d/charon/rc2.conf | 8 + strongswan.d/charon/resolve.conf | 
18 + strongswan.d/charon/revocation.conf | 14 + strongswan.d/charon/sha1.conf | 8 + strongswan.d/charon/sha2.conf | 8 + strongswan.d/charon/socket-default.conf | 23 ++ strongswan.d/charon/sshkey.conf | 8 + strongswan.d/charon/stroke.conf | 32 ++ strongswan.d/charon/updown.conf | 12 + strongswan.d/charon/x509.conf | 8 + strongswan.d/charon/xauth-generic.conf | 8 + strongswan.d/charon/xcbc.conf | 8 + strongswan.d/pool.conf | 12 + strongswan.d/starter.conf | 10 + .../strongswan.service | 1 + 58 files changed, 1328 insertions(+) create mode 100644 apparmor.d/local/usr.lib.ipsec.charon create mode 100644 apparmor.d/local/usr.lib.ipsec.stroke create mode 100644 apparmor.d/usr.lib.ipsec.charon create mode 100644 apparmor.d/usr.lib.ipsec.stroke create mode 100755 init.d/ipsec create mode 100644 ipsec.conf create mode 100644 ipsec.secrets create mode 100644 strongswan.conf create mode 100644 strongswan.d/charon-logging.conf create mode 100644 strongswan.d/charon.conf create mode 100644 strongswan.d/charon/aes.conf create mode 100644 strongswan.d/charon/aesni.conf create mode 100644 strongswan.d/charon/agent.conf create mode 100644 strongswan.d/charon/attr.conf create mode 100644 strongswan.d/charon/bypass-lan.conf create mode 100644 strongswan.d/charon/connmark.conf create mode 100644 strongswan.d/charon/constraints.conf create mode 100644 strongswan.d/charon/counters.conf create mode 100644 strongswan.d/charon/dnskey.conf create mode 100644 strongswan.d/charon/eap-mschapv2.conf create mode 100644 strongswan.d/charon/fips-prf.conf create mode 100644 strongswan.d/charon/gcm.conf create mode 100644 strongswan.d/charon/gmp.conf create mode 100644 strongswan.d/charon/hmac.conf create mode 100644 strongswan.d/charon/kernel-netlink.conf create mode 100644 strongswan.d/charon/md4.conf create mode 100644 strongswan.d/charon/md5.conf create mode 100644 strongswan.d/charon/mgf1.conf create mode 100644 strongswan.d/charon/nonce.conf create mode 100644 strongswan.d/charon/openssl.conf 
create mode 100644 strongswan.d/charon/pem.conf create mode 100644 strongswan.d/charon/pgp.conf create mode 100644 strongswan.d/charon/pkcs1.conf create mode 100644 strongswan.d/charon/pkcs12.conf create mode 100644 strongswan.d/charon/pkcs7.conf create mode 100644 strongswan.d/charon/pkcs8.conf create mode 100644 strongswan.d/charon/pubkey.conf create mode 100644 strongswan.d/charon/random.conf create mode 100644 strongswan.d/charon/rc2.conf create mode 100644 strongswan.d/charon/resolve.conf create mode 100644 strongswan.d/charon/revocation.conf create mode 100644 strongswan.d/charon/sha1.conf create mode 100644 strongswan.d/charon/sha2.conf create mode 100644 strongswan.d/charon/socket-default.conf create mode 100644 strongswan.d/charon/sshkey.conf create mode 100644 strongswan.d/charon/stroke.conf create mode 100644 strongswan.d/charon/updown.conf create mode 100644 strongswan.d/charon/x509.conf create mode 100644 strongswan.d/charon/xauth-generic.conf create mode 100644 strongswan.d/charon/xcbc.conf create mode 100644 strongswan.d/pool.conf create mode 100644 strongswan.d/starter.conf create mode 120000 systemd/system/multi-user.target.wants/strongswan.service diff --git a/.etckeeper b/.etckeeper index 7fc15e818..ad3c45cf4 100755 --- a/.etckeeper +++ b/.etckeeper 
@@ -22,10 +22,20 @@ mkdir -p './initramfs-tools/scripts/nfs-bottom' mkdir -p './initramfs-tools/scripts/nfs-premount' mkdir -p './initramfs-tools/scripts/nfs-top' mkdir -p './initramfs-tools/scripts/panic' +mkdir -p './ipsec.d/aacerts' +mkdir -p './ipsec.d/acerts' +mkdir -p './ipsec.d/cacerts' +mkdir -p './ipsec.d/certs' +mkdir -p './ipsec.d/crls' +mkdir -p './ipsec.d/ocspcerts' +mkdir -p './ipsec.d/policies' +mkdir -p './ipsec.d/private' +mkdir -p './ipsec.d/reqs' mkdir -p './kernel/install.d' mkdir -p './letsencrypt/renewal-hooks/deploy' mkdir -p './letsencrypt/renewal-hooks/post' mkdir -p './letsencrypt/renewal-hooks/pre' +mkdir -p './logcheck/violations.ignore.d' mkdir -p './monit/conf-available' mkdir -p './networkd-dispatcher/dormant.d' mkdir -p './networkd-dispatcher/no-carrier.d' @@ -385,6 +395,8 @@ maybe chmod 0755 'apparmor.d/local' maybe chmod 0644 'apparmor.d/local/README' maybe chmod 0644 'apparmor.d/local/sbin.dhclient' maybe chmod 0644 'apparmor.d/local/usr.bin.man' +maybe chmod 0644 'apparmor.d/local/usr.lib.ipsec.charon' +maybe chmod 0644 'apparmor.d/local/usr.lib.ipsec.stroke' maybe chmod 0644 'apparmor.d/local/usr.sbin.mysqld' maybe chmod 0644 'apparmor.d/local/usr.sbin.named' maybe chmod 0644 'apparmor.d/local/usr.sbin.rsyslogd' @@ -410,6 +422,8 @@ maybe chmod 0644 'apparmor.d/tunables/xdg-user-dirs' maybe chmod 0755 'apparmor.d/tunables/xdg-user-dirs.d' maybe chmod 0644 'apparmor.d/tunables/xdg-user-dirs.d/site.local' maybe chmod 0644 'apparmor.d/usr.bin.man' +maybe chmod 0644 'apparmor.d/usr.lib.ipsec.charon' +maybe chmod 0644 'apparmor.d/usr.lib.ipsec.stroke' maybe chmod 0644 'apparmor.d/usr.sbin.mysqld' maybe chmod 0644 'apparmor.d/usr.sbin.named' maybe chmod 0644 'apparmor.d/usr.sbin.rsyslogd' 
@@ -946,6 +960,7 @@ maybe chmod 0755 'init.d/dovecot' maybe chmod 0755 'init.d/fail2ban' maybe chmod 0755 'init.d/grub-common' maybe chmod 0755 'init.d/hwclock.sh' +maybe chmod 0755 'init.d/ipsec' maybe chmod 0755 'init.d/irqbalance' maybe chmod 0755 'init.d/keyboard-setup.sh' maybe chmod 0755 'init.d/kmod' @@ -1004,6 +1019,18 @@ maybe chmod 0644 'iproute2/rt_scopes' maybe chmod 0644 'iproute2/rt_tables' maybe chmod 0755 'iproute2/rt_tables.d' maybe chmod 0644 'iproute2/rt_tables.d/README' +maybe chmod 0644 'ipsec.conf' +maybe chmod 0755 'ipsec.d' +maybe chmod 0755 'ipsec.d/aacerts' +maybe chmod 0755 'ipsec.d/acerts' +maybe chmod 0755 'ipsec.d/cacerts' +maybe chmod 0755 'ipsec.d/certs' +maybe chmod 0755 'ipsec.d/crls' +maybe chmod 0755 'ipsec.d/ocspcerts' +maybe chmod 0755 'ipsec.d/policies' +maybe chmod 0700 'ipsec.d/private' +maybe chmod 0755 'ipsec.d/reqs' +maybe chmod 0600 'ipsec.secrets' maybe chmod 0644 'issue' maybe chmod 0644 'issue.net' maybe chmod 0755 'kernel' @@ -1250,6 +1277,7 @@ maybe chmod 0644 'logcheck/ignore.d.server/razor' maybe chmod 0644 'logcheck/ignore.d.server/rsyslog' maybe chmod 0755 'logcheck/ignore.d.workstation' maybe chmod 0644 'logcheck/ignore.d.workstation/mysql-server-5_7' +maybe chmod 0755 'logcheck/violations.ignore.d' maybe chmod 0644 'login.defs' maybe chmod 0644 'logrotate.conf' maybe chmod 0755 'logrotate.d' 
@@ -1589,6 +1617,53 @@ maybe chgrp 'ssl-cert' 'ssl/private' maybe chmod 0710 'ssl/private' maybe chgrp 'ssl-cert' 'ssl/private/ssl-cert-snakeoil.key' maybe chmod 0640 'ssl/private/ssl-cert-snakeoil.key' +maybe chmod 0644 'strongswan.conf' +maybe chmod 0755 'strongswan.d' +maybe chmod 0755 'strongswan.d/charon' +maybe chmod 0644 'strongswan.d/charon-logging.conf' +maybe chmod 0644 'strongswan.d/charon.conf' +maybe chmod 0644 'strongswan.d/charon/aes.conf' +maybe chmod 0644 'strongswan.d/charon/aesni.conf' +maybe chmod 0644 'strongswan.d/charon/agent.conf' +maybe chmod 0644 'strongswan.d/charon/attr.conf' +maybe chmod 0644 'strongswan.d/charon/bypass-lan.conf' +maybe chmod 0644 'strongswan.d/charon/connmark.conf' +maybe chmod 0644 'strongswan.d/charon/constraints.conf' +maybe chmod 0644 'strongswan.d/charon/counters.conf' +maybe chmod 0644 'strongswan.d/charon/dnskey.conf' +maybe chmod 0644 'strongswan.d/charon/eap-mschapv2.conf' +maybe chmod 0644 'strongswan.d/charon/fips-prf.conf' +maybe chmod 0644 'strongswan.d/charon/gcm.conf' +maybe chmod 0644 'strongswan.d/charon/gmp.conf' +maybe chmod 0644 'strongswan.d/charon/hmac.conf' +maybe chmod 0644 'strongswan.d/charon/kernel-netlink.conf' +maybe chmod 0644 'strongswan.d/charon/md4.conf' +maybe chmod 0644 'strongswan.d/charon/md5.conf' +maybe chmod 0644 'strongswan.d/charon/mgf1.conf' +maybe chmod 0644 'strongswan.d/charon/nonce.conf' +maybe chmod 0644 'strongswan.d/charon/openssl.conf' +maybe chmod 0644 'strongswan.d/charon/pem.conf' +maybe chmod 0644 'strongswan.d/charon/pgp.conf' +maybe chmod 0644 'strongswan.d/charon/pkcs1.conf' +maybe chmod 0644 'strongswan.d/charon/pkcs12.conf' +maybe chmod 0644 'strongswan.d/charon/pkcs7.conf' +maybe chmod 0644 'strongswan.d/charon/pkcs8.conf' +maybe chmod 0644 'strongswan.d/charon/pubkey.conf' +maybe chmod 0644 'strongswan.d/charon/random.conf' +maybe chmod 0644 'strongswan.d/charon/rc2.conf' +maybe chmod 0644 'strongswan.d/charon/resolve.conf' +maybe chmod 0644 
'strongswan.d/charon/revocation.conf' +maybe chmod 0644 'strongswan.d/charon/sha1.conf' +maybe chmod 0644 'strongswan.d/charon/sha2.conf' +maybe chmod 0644 'strongswan.d/charon/socket-default.conf' +maybe chmod 0644 'strongswan.d/charon/sshkey.conf' +maybe chmod 0644 'strongswan.d/charon/stroke.conf' +maybe chmod 0644 'strongswan.d/charon/updown.conf' +maybe chmod 0644 'strongswan.d/charon/x509.conf' +maybe chmod 0644 'strongswan.d/charon/xauth-generic.conf' +maybe chmod 0644 'strongswan.d/charon/xcbc.conf' +maybe chmod 0644 'strongswan.d/pool.conf' +maybe chmod 0644 'strongswan.d/starter.conf' maybe chmod 0644 'subgid' maybe chmod 0644 'subgid-' maybe chmod 0644 'subuid' diff --git a/apparmor.d/local/usr.lib.ipsec.charon b/apparmor.d/local/usr.lib.ipsec.charon new file mode 100644 index 000000000..e69de29bb diff --git a/apparmor.d/local/usr.lib.ipsec.stroke b/apparmor.d/local/usr.lib.ipsec.stroke new file mode 100644 index 000000000..e69de29bb diff --git a/apparmor.d/usr.lib.ipsec.charon b/apparmor.d/usr.lib.ipsec.charon new file mode 100644 index 000000000..9e24c744d --- /dev/null +++ b/apparmor.d/usr.lib.ipsec.charon 
@@ -0,0 +1,76 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2016 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# Author: Jonathan Davies
+# Ryan Harper
+#
+# ------------------------------------------------------------------
+
+#include
+
+/usr/lib/ipsec/charon flags=(attach_disconnected) {
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ capability ipc_lock,
+ capability net_admin,
+ capability net_raw,
+
+ # allow priv dropping (LP: #1333655)
+ capability chown,
+ capability setgid,
+ capability setuid,
+
+ # libcharon-extra-plugins: xauth-pam
+ capability audit_write,
+
+ # libstrongswan-standard-plugins: agent
+ capability dac_override,
+
+ capability net_admin,
+ capability net_raw,
+
+ network,
+ network raw,
+
+ /bin/dash rmPUx,
+
+ # libchron-extra-plugins: kernel-libipsec
+ /dev/net/tun rw,
+
+ /etc/ipsec.conf r,
+ /etc/ipsec.secrets r,
+ /etc/ipsec.*.secrets r,
+ /etc/ipsec.d/ r,
+ /etc/ipsec.d/** r,
+ /etc/ipsec.d/crls/* rw,
+ /etc/opensc/opensc.conf r,
+ /etc/strongswan.conf r,
+ /etc/strongswan.d/ r,
+ /etc/strongswan.d/** r,
+ /etc/tnc_config r,
+
+ /proc/sys/net/core/xfrm_acq_expires w,
+
+ /run/charon.* rw,
+ /run/pcscd/pcscd.comm rw,
+
+ /usr/lib/ipsec/charon rmix,
+ /usr/lib/ipsec/imcvs/ r,
+ /usr/lib/ipsec/imcvs/** rm,
+
+ /usr/lib/*/opensc-pkcs11.so rm,
+
+ /var/lib/strongswan/* r,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+}
diff --git a/apparmor.d/usr.lib.ipsec.stroke b/apparmor.d/usr.lib.ipsec.stroke
new file mode 100644
index 000000000..9d20ee7c9
--- /dev/null
+++ b/apparmor.d/usr.lib.ipsec.stroke
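Review bot: `capability net_admin,` and `capability net_raw,` are granted twice in this profile, once next to `ipc_lock` at the top of the block and again after the `dac_override` rule; the second pair is redundant and should be removed so the capability set reads as one auditable list. Every `#include` directive in this rendering has no target, which is most likely the angle-bracketed abstraction names being stripped by the page rather than by the committed file, but it is worth confirming that the profile the package installed actually loads, since an `#include` with no file should fail to parse. Note also `/bin/dash rmPUx,`: scripts charon launches through the shell leave this profile (own profile if one exists, otherwise unconfined), so any site-local updown script runs without this mediation and should be root-owned and not writable by the `strongswan` account this commit adds to passwd.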
@@ -0,0 +1,28 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2014 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# Author: Jonathan Davies
+#
+# ------------------------------------------------------------------
+
+#include
+
+/usr/lib/ipsec/stroke flags=(attach_disconnected) {
+ #include
+
+ capability dac_override,
+
+ /etc/strongswan.conf r,
+ /etc/strongswan.d/ r,
+ /etc/strongswan.d/** r,
+
+ /run/charon.ctl rw,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+}
diff --git a/init.d/ipsec b/init.d/ipsec
new file mode 100755
index 000000000..e90f0e731
--- /dev/null
+++ b/init.d/ipsec
@@ -0,0 +1,151 @@
+#! /bin/sh
+### BEGIN INIT INFO
+# Provides: ipsec
+# Required-Start: $network $remote_fs
+# Required-Stop: $network $remote_fs
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: Strongswan IPsec services
+### END INIT INFO
+
+# Author: Rene Mayrhofer
+
+# PATH should only include /usr/* if it runs after the mountnfs.sh script
+PATH=/sbin:/usr/sbin:/bin:/usr/bin
+DESC="strongswan IPsec services"
+NAME=ipsec
+STARTER=/usr/sbin/$NAME
+PIDFILE=/var/run/charon.pid
+CHARON=/usr/lib/ipsec/charon
+SCRIPTNAME=/etc/init.d/$NAME
+
+# Exit if the package is not installed
+[ -x "$STARTER" ] || exit 0
+
+# Read configuration variable file if it is present
+[ -r /etc/default/$NAME ] && . /etc/default/$NAME
+
+# Load the VERBOSE setting and other rcS variables
+. /lib/init/vars.sh
+
+# Define LSB log_* functions.
+# Depend on lsb-base (>= 3.0-6) to ensure that this file is present.
+. /lib/lsb/init-functions
+
+# Create lock dir
+mkdir -p /var/lock/subsys
+
+#
+# Function that starts the daemon/service
+#
+do_start()
+{
+ # Return
+ # 0 if daemon has been started
+ # 1 if daemon was already running
+ # 2 if daemon could not be started
+
+ # test if charon is currently running
+ if [ -e $CHARON ]; then
+ start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $CHARON --test > /dev/null \
+ || return 1
+ fi
+
+ $STARTER start || return 2
+}
+
+#
+# Function that stops the daemon/service
+#
+do_stop()
+{
+ # Return
+ # 0 if daemon has been stopped
+ # 1 if daemon was already stopped
+ # 2 if daemon could not be stopped
+ # other if a failure occurred
+ # give the proper signal to stop
+ $STARTER stop || return 2
+
+ RETVAL=0
+ # but kill if that didn't work
+ if [ -e $PIDFILE ]; then
+ start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME
+ RETVAL="$?"
+ [ "$RETVAL" = 2 ] && return 2
+ fi
+
+ # Wait for children to finish too if this is a daemon that forks
+ # and if the daemon is only ever run from this initscript.
+ # If the above conditions are not satisfied then add some other code
+ # that waits for the process to drop all resources that could be
+ # needed by services started subsequently. A last resort is to
+ # sleep for some time.
+ if [ -e $CHARON ]; then
+ start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $CHARON
+ [ "$?" = 2 ] && return 2
+ fi
+
+ # strongswan is known to leave PID files behind when something goes wrong, cleanup here
+ rm -f $PIDFILE
+ # and just to make sure they are really really dead at this point...
+ killall -9 $CHARON 2>/dev/null
+
+ return "$RETVAL"
+}
+
+do_reload() {
+ $STARTER reload
+ return 0
+}
+
+case "$1" in
+ start)
+ [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
+ do_start
+ case "$?" in
+ 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
+ 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+ esac
+ ;;
+ stop)
+ [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
+ do_stop
+ case "$?" in
+ 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
+ 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+ esac
+ ;;
+ status)
+ $STARTER status || exit $?
+ ;;
+ reload|force-reload)
+ log_daemon_msg "Reloading $DESC" "$NAME"
+ do_reload
+ log_end_msg $?
+ ;;
+ restart)
+ log_daemon_msg "Restarting $DESC" "$NAME"
+ do_stop
+ case "$?" in
+ 0|1)
+ do_start
+ case "$?" in
+ 0) log_end_msg 0 ;;
+ 1) log_end_msg 1 ;; # Old process is still running
+ *) log_end_msg 1 ;; # Failed to start
+ esac
+ ;;
+ *)
+ # Failed to stop
+ log_end_msg 1
+ ;;
+ esac
+ ;;
+ *)
+ echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2
+ exit 3
+ ;;
+esac
+
+:
diff --git a/ipsec.conf b/ipsec.conf
new file mode 100644
index 000000000..a33d68c0a
--- /dev/null
+++ b/ipsec.conf
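Review bot: `do_reload` throws away the exit status of `$STARTER reload` and always returns 0, so the `reload|force-reload` branch reports success through `log_end_msg $?` even when the reload failed; `do_reload() { $STARTER reload; }` lets the real status reach the log. Separately, `killall -9 $CHARON 2>/dev/null` in `do_stop` runs unconditionally, even after `$STARTER stop` succeeded, and SIGKILLs every process executing that binary, which would include a charon started by the systemd unit this same commit enables via the `multi-user.target.wants/strongswan.service` symlink. On a systemd host the unit presumably shadows this script, but if the script is ever run by hand the forced kill bypasses charon's own shutdown and can leave kernel SAs and policies behind; limiting the `killall` to the case where `RETVAL` is non-zero would keep it as the last resort the comment describes.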
@@ -0,0 +1,28 @@
+# ipsec.conf - strongSwan IPsec configuration file
+
+# basic configuration
+
+config setup
+ # strictcrlpolicy=yes
+ # uniqueids = no
+
+# Add connections here.
+
+# Sample VPN connections
+
+#conn sample-self-signed
+# leftsubnet=10.1.0.0/16
+# leftcert=selfCert.der
+# leftsendcert=never
+# right=192.168.0.2
+# rightsubnet=10.2.0.0/16
+# rightcert=peerCert.der
+# auto=start
+
+#conn sample-with-ca-cert
+# leftsubnet=10.1.0.0/16
+# leftcert=myCert.pem
+# right=192.168.0.2
+# rightsubnet=10.2.0.0/16
+# rightid="C=CH, O=Linux strongSwan CN=peer name"
+# auto=start
diff --git a/ipsec.secrets b/ipsec.secrets
new file mode 100644
index 000000000..309e3fc28
--- /dev/null
+++ b/ipsec.secrets
@@ -0,0 +1,5 @@
+# This file holds shared secrets or RSA private keys for authentication.
+
+# RSA private key for this host, authenticating it to any other host
+# which knows the public part.
+
diff --git a/passwd b/passwd
index bb4c01fa1..64b876e05 100644
--- a/passwd
+++ b/passwd
@@ -36,3 +36,4 @@ debian-spamd:x:115:121::/var/lib/spamassassin:/bin/sh
 bind:x:116:122::/var/cache/bind:/usr/sbin/nologin
 opendmarc:x:117:123::/var/run/opendmarc:/usr/sbin/nologin
 serverbackup:x:1001:1001:backup:/home/serverbackup:/bin/bash
+strongswan:x:118:65534::/var/lib/strongswan:/usr/sbin/nologin
diff --git a/passwd- b/passwd-
index 9a8f1f05a..64b876e05 100644
--- a/passwd-
+++ b/passwd-
@@ -35,3 +35,5 @@ amavis:x:114:120:AMaViS system user,,,:/var/lib/amavis:/bin/sh
 debian-spamd:x:115:121::/var/lib/spamassassin:/bin/sh
 bind:x:116:122::/var/cache/bind:/usr/sbin/nologin
 opendmarc:x:117:123::/var/run/opendmarc:/usr/sbin/nologin
+serverbackup:x:1001:1001:backup:/home/serverbackup:/bin/bash
+strongswan:x:118:65534::/var/lib/strongswan:/usr/sbin/nologin
diff --git a/shadow b/shadow
index 8b9466ce6..ade361f79 100644
--- a/shadow
+++ b/shadow
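Review bot: `ipsec.secrets` is now tracked in the /etc repository while it is still empty, and its own header says it will hold shared secrets or RSA private keys; from the next etckeeper commit onward any key material written there lands in git history, which the `0600` mode recorded for the working file in `.etckeeper` does nothing to protect. The same applies to `ipsec.d/private` (mode `0700` in `.etckeeper`) and to the `/etc/ipsec.*.secrets` pattern the AppArmor profile allows charon to read. Consider adding `ipsec.secrets`, `ipsec.*.secrets` and `ipsec.d/private/` to the repository's `.gitignore` before real material is placed in them, or confirm that this repository is never pushed or backed up off-host.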
@@ -36,3 +36,4 @@ debian-spamd:*:17840:0:99999:7:::
 bind:*:17844:0:99999:7:::
 opendmarc:*:17846:0:99999:7:::
 serverbackup:!:17884:0:99999:7:::
+strongswan:*:17894:0:99999:7:::
diff --git a/shadow- b/shadow-
index 05d4a54d8..ade361f79 100644
--- a/shadow-
+++ b/shadow-
@@ -35,3 +35,5 @@ amavis:*:17840:0:99999:7:::
 debian-spamd:*:17840:0:99999:7:::
 bind:*:17844:0:99999:7:::
 opendmarc:*:17846:0:99999:7:::
+serverbackup:!:17884:0:99999:7:::
+strongswan:*:17894:0:99999:7:::
diff --git a/strongswan.conf b/strongswan.conf
new file mode 100644
index 000000000..d90672861
--- /dev/null
+++ b/strongswan.conf
@@ -0,0 +1,14 @@
+# strongswan.conf - strongSwan configuration file
+#
+# Refer to the strongswan.conf(5) manpage for details
+#
+# Configuration changes should be made in the included files
+
+charon {
+ load_modular = yes
+ plugins {
+ include strongswan.d/charon/*.conf
+ }
+}
+
+include strongswan.d/*.conf
diff --git a/strongswan.d/charon-logging.conf b/strongswan.d/charon-logging.conf
new file mode 100644
index 000000000..454405985
--- /dev/null
+++ b/strongswan.d/charon-logging.conf
@@ -0,0 +1,67 @@ +charon { + + # Section to define file loggers, see LOGGER CONFIGURATION in + # strongswan.conf(5). + filelog { + + # is the full path to the log file. + # { + + # Loglevel for a specific subsystem. + # = + + # If this option is enabled log entries are appended to the existing + # file. + # append = yes + + # Default loglevel. + # default = 1 + + # Enabling this option disables block buffering and enables line + # buffering. + # flush_line = no + + # Prefix each log entry with the connection name and a unique + # numerical identifier for each IKE_SA. + # ike_name = no + + # Adds the milliseconds within the current second after the + # timestamp (separated by a dot, so time_format should end with %S + # or %T). + # time_add_ms = no + + # Prefix each log entry with a timestamp. The option accepts a + # format string as passed to strftime(3). + # time_format = + + # } + + } + + # Section to define syslog loggers, see LOGGER CONFIGURATION in + # strongswan.conf(5). + syslog { + + # Identifier for use with openlog(3). + # identifier = + + # is one of the supported syslog facilities, see LOGGER + # CONFIGURATION in strongswan.conf(5). + # { + + # Loglevel for a specific subsystem. + # = + + # Default loglevel. + # default = 1 + + # Prefix each log entry with the connection name and a unique + # numerical identifier for each IKE_SA. + # ike_name = no + + # } + + } + +} + diff --git a/strongswan.d/charon.conf b/strongswan.d/charon.conf new file mode 100644 index 000000000..93dff172d --- /dev/null +++ b/strongswan.d/charon.conf 
@@ -0,0 +1,366 @@ +# Options for the charon IKE daemon. +charon { + + # Accept unencrypted ID and HASH payloads in IKEv1 Main Mode. + # accept_unencrypted_mainmode_messages = no + + # Maximum number of half-open IKE_SAs for a single peer IP. + # block_threshold = 5 + + # Whether Certificate Revocation Lists (CRLs) fetched via HTTP or LDAP + # should be saved under a unique file name derived from the public key of + # the Certification Authority (CA) to /etc/ipsec.d/crls (stroke) or + # /etc/swanctl/x509crl (vici), respectively. + # cache_crls = no + + # Whether relations in validated certificate chains should be cached in + # memory. + # cert_cache = yes + + # Send Cisco Unity vendor ID payload (IKEv1 only). + # cisco_unity = no + + # Close the IKE_SA if setup of the CHILD_SA along with IKE_AUTH failed. + # close_ike_on_child_failure = no + + # Number of half-open IKE_SAs that activate the cookie mechanism. + # cookie_threshold = 10 + + # Delete CHILD_SAs right after they got successfully rekeyed (IKEv1 only). + # delete_rekeyed = no + + # Delay in seconds until inbound IPsec SAs are deleted after rekeyings + # (IKEv2 only). + # delete_rekeyed_delay = 5 + + # Use ANSI X9.42 DH exponent size or optimum size matched to cryptographic + # strength. + # dh_exponent_ansi_x9_42 = yes + + # Use RTLD_NOW with dlopen when loading plugins and IMV/IMCs to reveal + # missing symbols immediately. + # dlopen_use_rtld_now = no + + # DNS server assigned to peer via configuration payload (CP). + # dns1 = + + # DNS server assigned to peer via configuration payload (CP). + # dns2 = + + # Enable Denial of Service protection using cookies and aggressiveness + # checks. + # dos_protection = yes + + # Compliance with the errata for RFC 4753. + # ecp_x_coordinate_only = yes + + # Free objects during authentication (might conflict with plugins). + # flush_auth_cfg = no + + # Whether to follow IKEv2 redirects (RFC 5685). 
+ # follow_redirects = yes + + # Maximum size (complete IP datagram size in bytes) of a sent IKE fragment + # when using proprietary IKEv1 or standardized IKEv2 fragmentation, defaults + # to 1280 (use 0 for address family specific default values, which uses a + # lower value for IPv4). If specified this limit is used for both IPv4 and + # IPv6. + # fragment_size = 1280 + + # Name of the group the daemon changes to after startup. + # group = + + # Timeout in seconds for connecting IKE_SAs (also see IKE_SA_INIT DROPPING). + # half_open_timeout = 30 + + # Enable hash and URL support. + # hash_and_url = no + + # Allow IKEv1 Aggressive Mode with pre-shared keys as responder. + # i_dont_care_about_security_and_use_aggressive_mode_psk = no + + # Whether to ignore the traffic selectors from the kernel's acquire events + # for IKEv2 connections (they are not used for IKEv1). + # ignore_acquire_ts = no + + # A space-separated list of routing tables to be excluded from route + # lookups. + # ignore_routing_tables = + + # Maximum number of IKE_SAs that can be established at the same time before + # new connection attempts are blocked. + # ikesa_limit = 0 + + # Number of exclusively locked segments in the hash table. + # ikesa_table_segments = 1 + + # Size of the IKE_SA hash table. + # ikesa_table_size = 1 + + # Whether to close IKE_SA if the only CHILD_SA closed due to inactivity. + # inactivity_close_ike = no + + # Limit new connections based on the current number of half open IKE_SAs, + # see IKE_SA_INIT DROPPING in strongswan.conf(5). + # init_limit_half_open = 0 + + # Limit new connections based on the number of queued jobs. + # init_limit_job_load = 0 + + # Causes charon daemon to ignore IKE initiation requests. + # initiator_only = no + + # Install routes into a separate routing table for established IPsec + # tunnels. + # install_routes = yes + + # Install virtual IP addresses. 
+ # install_virtual_ip = yes + + # The name of the interface on which virtual IP addresses should be + # installed. + # install_virtual_ip_on = + + # Check daemon, libstrongswan and plugin integrity at startup. + # integrity_test = no + + # A comma-separated list of network interfaces that should be ignored, if + # interfaces_use is specified this option has no effect. + # interfaces_ignore = + + # A comma-separated list of network interfaces that should be used by + # charon. All other interfaces are ignored. + # interfaces_use = + + # NAT keep alive interval. + # keep_alive = 20s + + # Plugins to load in the IKE daemon charon. + # load = + + # Determine plugins to load via each plugin's load option. + # load_modular = no + + # Initiate IKEv2 reauthentication with a make-before-break scheme. + # make_before_break = no + + # Maximum number of IKEv1 phase 2 exchanges per IKE_SA to keep state about + # and track concurrently. + # max_ikev1_exchanges = 3 + + # Maximum packet size accepted by charon. + # max_packet = 10000 + + # Enable multiple authentication exchanges (RFC 4739). + # multiple_authentication = yes + + # WINS servers assigned to peer via configuration payload (CP). + # nbns1 = + + # WINS servers assigned to peer via configuration payload (CP). + # nbns2 = + + # UDP port used locally. If set to 0 a random port will be allocated. + # port = 500 + + # UDP port used locally in case of NAT-T. If set to 0 a random port will be + # allocated. Has to be different from charon.port, otherwise a random port + # will be allocated. + # port_nat_t = 4500 + + # Whether to prefer updating SAs to the path with the best route. + # prefer_best_path = no + + # Prefer locally configured proposals for IKE/IPsec over supplied ones as + # responder (disabling this can avoid keying retries due to + # INVALID_KE_PAYLOAD notifies). 
+ # prefer_configured_proposals = yes + + # By default public IPv6 addresses are preferred over temporary ones (RFC + # 4941), to make connections more stable. Enable this option to reverse + # this. + # prefer_temporary_addrs = no + + # Process RTM_NEWROUTE and RTM_DELROUTE events. + # process_route = yes + + # Delay in ms for receiving packets, to simulate larger RTT. + # receive_delay = 0 + + # Delay request messages. + # receive_delay_request = yes + + # Delay response messages. + # receive_delay_response = yes + + # Specific IKEv2 message type to delay, 0 for any. + # receive_delay_type = 0 + + # Size of the AH/ESP replay window, in packets. + # replay_window = 32 + + # Base to use for calculating exponential back off, see IKEv2 RETRANSMISSION + # in strongswan.conf(5). + # retransmit_base = 1.8 + + # Maximum jitter in percent to apply randomly to calculated retransmission + # timeout (0 to disable). + # retransmit_jitter = 0 + + # Upper limit in seconds for calculated retransmission timeout (0 to + # disable). + # retransmit_limit = 0 + + # Timeout in seconds before sending first retransmit. + # retransmit_timeout = 4.0 + + # Number of times to retransmit a packet before giving up. + # retransmit_tries = 5 + + # Interval in seconds to use when retrying to initiate an IKE_SA (e.g. if + # DNS resolution failed), 0 to disable retries. + # retry_initiate_interval = 0 + + # Initiate CHILD_SA within existing IKE_SAs (always enabled for IKEv1). + # reuse_ikesa = yes + + # Numerical routing table to install routes to. + # routing_table = + + # Priority of the routing table. + # routing_table_prio = + + # Whether to use RSA with PSS padding instead of PKCS#1 padding by default. + # rsa_pss = no + + # Delay in ms for sending packets, to simulate larger RTT. + # send_delay = 0 + + # Delay request messages. + # send_delay_request = yes + + # Delay response messages. + # send_delay_response = yes + + # Specific IKEv2 message type to delay, 0 for any. 
+ # send_delay_type = 0 + + # Send strongSwan vendor ID payload + # send_vendor_id = no + + # Whether to enable Signature Authentication as per RFC 7427. + # signature_authentication = yes + + # Whether to enable constraints against IKEv2 signature schemes. + # signature_authentication_constraints = yes + + # The upper limit for SPIs requested from the kernel for IPsec SAs. + # spi_max = 0xcfffffff + + # The lower limit for SPIs requested from the kernel for IPsec SAs. + # spi_min = 0xc0000000 + + # Number of worker threads in charon. + # threads = 16 + + # Name of the user the daemon changes to after startup. + # user = + + crypto_test { + + # Benchmark crypto algorithms and order them by efficiency. + # bench = no + + # Buffer size used for crypto benchmark. + # bench_size = 1024 + + # Number of iterations to test each algorithm. + # bench_time = 50 + + # Test crypto algorithms during registration (requires test vectors + # provided by the test-vectors plugin). + # on_add = no + + # Test crypto algorithms on each crypto primitive instantiation. + # on_create = no + + # Strictly require at least one test vector to enable an algorithm. + # required = no + + # Whether to test RNG with TRUE quality; requires a lot of entropy. + # rng_true = no + + } + + host_resolver { + + # Maximum number of concurrent resolver threads (they are terminated if + # unused). + # max_threads = 3 + + # Minimum number of resolver threads to keep around. + # min_threads = 0 + + } + + leak_detective { + + # Includes source file names and line numbers in leak detective output. + # detailed = yes + + # Threshold in bytes for leaks to be reported (0 to report all). + # usage_threshold = 10240 + + # Threshold in number of allocations for leaks to be reported (0 to + # report all). + # usage_threshold_count = 0 + + } + + processor { + + # Section to configure the number of reserved threads per priority class + # see JOB PRIORITY MANAGEMENT in strongswan.conf(5). 
+ priority_threads { + + } + + } + + # Section containing a list of scripts (name = path) that are executed when + # the daemon is started. + start-scripts { + + } + + # Section containing a list of scripts (name = path) that are executed when + # the daemon is terminated. + stop-scripts { + + } + + tls { + + # List of TLS encryption ciphers. + # cipher = + + # List of TLS key exchange methods. + # key_exchange = + + # List of TLS MAC algorithms. + # mac = + + # List of TLS cipher suites. + # suites = + + } + + x509 { + + # Discard certificates with unsupported or unknown critical extensions. + # enforce_critical = yes + + } + +} + diff --git a/strongswan.d/charon/aes.conf b/strongswan.d/charon/aes.conf new file mode 100644 index 000000000..ae5c7fd29 --- /dev/null +++ b/strongswan.d/charon/aes.conf @@ -0,0 +1,8 @@ +aes { + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + +} + diff --git a/strongswan.d/charon/aesni.conf b/strongswan.d/charon/aesni.conf new file mode 100644 index 000000000..a872b2659 --- /dev/null +++ b/strongswan.d/charon/aesni.conf @@ -0,0 +1,8 @@ +aesni { + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + +} + diff --git a/strongswan.d/charon/agent.conf b/strongswan.d/charon/agent.conf new file mode 100644 index 000000000..47d8aef63 --- /dev/null +++ b/strongswan.d/charon/agent.conf @@ -0,0 +1,8 @@ +agent { + + # Whether to load the plugin. Can also be an integer to increase the + # priority of this plugin. + load = yes + +} + diff --git a/strongswan.d/charon/attr.conf b/strongswan.d/charon/attr.conf new file mode 100644 index 000000000..7a3645b79 --- /dev/null +++ b/strongswan.d/charon/attr.conf 
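Review bot: `# user =` and `# group =` are left blank at their defaults while this same commit creates a dedicated `strongswan` account in passwd/shadow and the AppArmor profile grants `setuid`/`setgid` "to allow priv dropping", so whether charon actually drops from root to that account depends on the package's compiled-in default, which nothing in this file shows. After the first start, check the owner of the running charon process; if it is still root, set `user = strongswan` and the group that gid 65534 maps to explicitly here rather than relying on the build default. The IKEv1-related lines `accept_unencrypted_mainmode_messages = no`, `i_dont_care_about_security_and_use_aggressive_mode_psk = no` and `dos_protection = yes` are at their safe defaults and this file only documents them; any later change to those three is the one to review most carefully in future etckeeper commits.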
@@ -0,0 +1,14 @@
+# Section to specify arbitrary attributes that are assigned to a peer via
+# configuration payload (CP).
+attr {
+
+ # is an attribute name or an integer, values can be an IP address,
+ # subnet or arbitrary value.
+ # =
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
diff --git a/strongswan.d/charon/bypass-lan.conf b/strongswan.d/charon/bypass-lan.conf
new file mode 100644
index 000000000..e470ce68e
--- /dev/null
+++ b/strongswan.d/charon/bypass-lan.conf
@@ -0,0 +1,17 @@
+bypass-lan {
+
+ # A comma-separated list of network interfaces for which connected subnets
+ # should be ignored, if interfaces_use is specified this option has no
+ # effect.
+ # interfaces_ignore =
+
+ # A comma-separated list of network interfaces for which connected subnets
+ # should be considered. All other interfaces are ignored.
+ # interfaces_use =
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = no
+
+}
+
diff --git a/strongswan.d/charon/connmark.conf b/strongswan.d/charon/connmark.conf
new file mode 100644
index 000000000..5f54a81f2
--- /dev/null
+++ b/strongswan.d/charon/connmark.conf
@@ -0,0 +1,8 @@
+connmark {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
diff --git a/strongswan.d/charon/constraints.conf b/strongswan.d/charon/constraints.conf
new file mode 100644
index 000000000..e5f06ffb2
--- /dev/null
+++ b/strongswan.d/charon/constraints.conf
@@ -0,0 +1,8 @@
+constraints {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
diff --git a/strongswan.d/charon/counters.conf b/strongswan.d/charon/counters.conf
new file mode 100644
index 000000000..21f20e4a5
--- /dev/null
+++ b/strongswan.d/charon/counters.conf
@@ -0,0 +1,8 @@
+counters {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
diff --git a/strongswan.d/charon/dnskey.conf b/strongswan.d/charon/dnskey.conf
new file mode 100644
index 000000000..957efd5f5
--- /dev/null
+++ b/strongswan.d/charon/dnskey.conf
@@ -0,0 +1,8 @@
+dnskey {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
diff --git a/strongswan.d/charon/eap-mschapv2.conf b/strongswan.d/charon/eap-mschapv2.conf
new file mode 100644
index 000000000..863686fb5
--- /dev/null
+++ b/strongswan.d/charon/eap-mschapv2.conf
@@ -0,0 +1,8 @@
+eap-mschapv2 {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
diff --git a/strongswan.d/charon/fips-prf.conf b/strongswan.d/charon/fips-prf.conf
new file mode 100644
index 000000000..a13c602fd
--- /dev/null
+++ b/strongswan.d/charon/fips-prf.conf
@@ -0,0 +1,8 @@
+fips-prf {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
diff --git a/strongswan.d/charon/gcm.conf b/strongswan.d/charon/gcm.conf
new file mode 100644
index 000000000..eef474956
--- /dev/null
+++ b/strongswan.d/charon/gcm.conf
@@ -0,0 +1,8 @@
+gcm {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
diff --git a/strongswan.d/charon/gmp.conf b/strongswan.d/charon/gmp.conf
new file mode 100644
index 000000000..b1275efaf
--- /dev/null
+++ b/strongswan.d/charon/gmp.conf
@@ -0,0 +1,8 @@
+gmp {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
diff --git a/strongswan.d/charon/hmac.conf b/strongswan.d/charon/hmac.conf
new file mode 100644
index 000000000..225910a96
--- /dev/null
+++ b/strongswan.d/charon/hmac.conf
@@ -0,0 +1,8 @@
+hmac {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
diff --git a/strongswan.d/charon/kernel-netlink.conf b/strongswan.d/charon/kernel-netlink.conf
new file mode 100644
index 000000000..9827b2282
--- /dev/null
+++ b/strongswan.d/charon/kernel-netlink.conf
@@ -0,0 +1,87 @@
+kernel-netlink {
+
+ # Buffer size for received Netlink messages.
+ # buflen =
+
+ # Force maximum Netlink receive buffer on Netlink socket.
+ # force_receive_buffer_size = no
+
+ # Firewall mark to set on the routing rule that directs traffic to our
+ # routing table.
+ # fwmark =
+
+ # Whether to ignore errors potentially resulting from a retransmission.
+ # ignore_retransmit_errors = no
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # MSS to set on installed routes, 0 to disable.
+ # mss = 0
+
+ # MTU to set on installed routes, 0 to disable.
+ # mtu = 0
+
+ # Whether to perform concurrent Netlink ROUTE queries on a single socket.
+ # parallel_route = no
+
+ # Whether to perform concurrent Netlink XFRM queries on a single socket.
+ # parallel_xfrm = no
+
+ # Whether to always use XFRM_MSG_UPDPOLICY to install policies.
+ # policy_update = no
+
+ # Whether to use port or socket based IKE XFRM bypass policies.
+ # port_bypass = no
+
+ # Whether to process changes in routing rules to trigger roam events.
+ # process_rules = no
+
+ # Maximum Netlink socket receive buffer in bytes.
+ # receive_buffer_size = 0
+
+ # Number of Netlink message retransmissions to send on timeout.
+ # retries = 0
+
+ # Whether to trigger roam events when interfaces, addresses or routes
+ # change.
+ # roam_events = yes
+
+ # Whether to set protocol and ports in the selector installed on transport
+ # mode IPsec SAs in the kernel.
+ # set_proto_port_transport_sa = no
+
+ # Netlink message retransmission timeout, 0 to disable retransmissions.
+ # timeout = 0
+
+ # Lifetime of XFRM acquire state and allocated SPIs in kernel.
+ # xfrm_acq_expires = 165
+
+ # XFRM policy hashing threshold configuration for IPv4 and IPv6.
+ spdh_thresh {
+
+ ipv4 {
+
+ # Local subnet XFRM policy hashing threshold for IPv4.
+ # lbits = 32
+
+ # Remote subnet XFRM policy hashing threshold for IPv4.
+ # rbits = 32
+
+ }
+
+ ipv6 {
+
+ # Local subnet XFRM policy hashing threshold for IPv6.
+ # lbits = 128
+
+ # Remote subnet XFRM policy hashing threshold for IPv6.
+ # rbits = 128
+
+ }
+
+ }
+
+}
+
diff --git a/strongswan.d/charon/md4.conf b/strongswan.d/charon/md4.conf
new file mode 100644
index 000000000..91598b3f9
--- /dev/null
+++ b/strongswan.d/charon/md4.conf
@@ -0,0 +1,8 @@
+md4 {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
diff --git a/strongswan.d/charon/md5.conf b/strongswan.d/charon/md5.conf
new file mode 100644
index 000000000..a022fc414
--- /dev/null
+++ b/strongswan.d/charon/md5.conf
@@ -0,0 +1,8 @@
+md5 {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
diff --git a/strongswan.d/charon/mgf1.conf b/strongswan.d/charon/mgf1.conf
new file mode 100644
index 000000000..b7d8615fa
--- /dev/null
+++ b/strongswan.d/charon/mgf1.conf
@@ -0,0 +1,8 @@
+mgf1 {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
diff --git a/strongswan.d/charon/nonce.conf b/strongswan.d/charon/nonce.conf
new file mode 100644
index 000000000..52fd112e3
--- /dev/null
+++ b/strongswan.d/charon/nonce.conf
@@ -0,0 +1,8 @@
+nonce {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
diff --git a/strongswan.d/charon/openssl.conf b/strongswan.d/charon/openssl.conf
new file mode 100644
index 000000000..08ed7592b
--- /dev/null
+++ b/strongswan.d/charon/openssl.conf
@@ -0,0 +1,14 @@
+openssl {
+
+ # ENGINE ID to use in the OpenSSL plugin.
+ # engine_id = pkcs11
+
+ # Set OpenSSL FIPS mode: disabled(0), enabled(1), Suite B enabled(2).
+ # fips_mode = 0
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
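Review bot: md4.conf and md5.conf both ship with `load = yes`, so charon registers MD4 and MD5 as usable hash algorithms although nothing visible in this commit's configuration needs them. In strongSwan the md4 plugin is typically only required by eap-mschapv2 (also loaded by default in its own hunk earlier in this diff), and md5 mainly by legacy IKEv1 peers; if neither is in use on this host, setting `load = no` in both files removes the weak hashes from the algorithm set the daemon can negotiate. These are the package defaults, so the change would be a local override in this etc tree rather than something the commit itself got wrong.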
diff --git a/strongswan.d/charon/pem.conf b/strongswan.d/charon/pem.conf
new file mode 100644
index 000000000..d1802d5c9
--- /dev/null
+++ b/strongswan.d/charon/pem.conf
@@ -0,0 +1,8 @@
+pem {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
diff --git a/strongswan.d/charon/pgp.conf b/strongswan.d/charon/pgp.conf
new file mode 100644
index 000000000..f6bd1c23a
--- /dev/null
+++ b/strongswan.d/charon/pgp.conf
@@ -0,0 +1,8 @@
+pgp {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
diff --git a/strongswan.d/charon/pkcs1.conf b/strongswan.d/charon/pkcs1.conf
new file mode 100644
index 000000000..67a42b737
--- /dev/null
+++ b/strongswan.d/charon/pkcs1.conf
@@ -0,0 +1,8 @@
+pkcs1 {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
diff --git a/strongswan.d/charon/pkcs12.conf b/strongswan.d/charon/pkcs12.conf
new file mode 100644
index 000000000..30483c217
--- /dev/null
+++ b/strongswan.d/charon/pkcs12.conf
@@ -0,0 +1,8 @@
+pkcs12 {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
diff --git a/strongswan.d/charon/pkcs7.conf b/strongswan.d/charon/pkcs7.conf
new file mode 100644
index 000000000..5cf504faa
--- /dev/null
+++ b/strongswan.d/charon/pkcs7.conf
@@ -0,0 +1,8 @@
+pkcs7 {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
diff --git a/strongswan.d/charon/pkcs8.conf b/strongswan.d/charon/pkcs8.conf
new file mode 100644
index 000000000..348beda5d
--- /dev/null
+++ b/strongswan.d/charon/pkcs8.conf
@@ -0,0 +1,8 @@
+pkcs8 {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
diff --git a/strongswan.d/charon/pubkey.conf b/strongswan.d/charon/pubkey.conf
new file mode 100644
index 000000000..390bf6768
--- /dev/null
+++ b/strongswan.d/charon/pubkey.conf
@@ -0,0 +1,8 @@
+pubkey {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
diff --git a/strongswan.d/charon/random.conf b/strongswan.d/charon/random.conf
new file mode 100644
index 000000000..e0af75fd7
--- /dev/null
+++ b/strongswan.d/charon/random.conf
@@ -0,0 +1,18 @@
+random {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # File to read random bytes from.
+ # random = ${random_device}
+
+ # If set to yes the RNG_STRONG class reads random bytes from the same source
+ # as the RNG_TRUE class.
+ # strong_equals_true = no
+
+ # File to read pseudo random bytes from.
+ # urandom = ${urandom_device}
+
+}
+
diff --git a/strongswan.d/charon/rc2.conf b/strongswan.d/charon/rc2.conf
new file mode 100644
index 000000000..1ab4b00ab
--- /dev/null
+++ b/strongswan.d/charon/rc2.conf
@@ -0,0 +1,8 @@
+rc2 {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
diff --git a/strongswan.d/charon/resolve.conf b/strongswan.d/charon/resolve.conf
new file mode 100644
index 000000000..5d9ca72de
--- /dev/null
+++ b/strongswan.d/charon/resolve.conf
@@ -0,0 +1,18 @@
+resolve {
+
+ # File where to add DNS server entries.
+ # file = /etc/resolv.conf
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ resolvconf {
+
+ # Prefix used for interface names sent to resolvconf(8).
+ # iface_prefix = lo.inet.ipsec.
+
+ }
+
+}
+
diff --git a/strongswan.d/charon/revocation.conf b/strongswan.d/charon/revocation.conf
new file mode 100644
index 000000000..ca24a640d
--- /dev/null
+++ b/strongswan.d/charon/revocation.conf
@@ -0,0 +1,14 @@
+revocation {
+
+ # Whether CRL validation should be enabled.
+ # enable_crl = yes
+
+ # Whether OCSP validation should be enabled.
+ # enable_ocsp = yes
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
diff --git a/strongswan.d/charon/sha1.conf b/strongswan.d/charon/sha1.conf
new file mode 100644
index 000000000..324dbff47
--- /dev/null
+++ b/strongswan.d/charon/sha1.conf
@@ -0,0 +1,8 @@
+sha1 {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
diff --git a/strongswan.d/charon/sha2.conf b/strongswan.d/charon/sha2.conf
new file mode 100644
index 000000000..f8fb2f9a3
--- /dev/null
+++ b/strongswan.d/charon/sha2.conf
@@ -0,0 +1,8 @@
+sha2 {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
diff --git a/strongswan.d/charon/socket-default.conf b/strongswan.d/charon/socket-default.conf
new file mode 100644
index 000000000..abf4650ed
--- /dev/null
+++ b/strongswan.d/charon/socket-default.conf
@@ -0,0 +1,23 @@
+socket-default {
+
+ # Firewall mark to set on outbound packets.
+ # fwmark =
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # Set source address on outbound packets, if possible.
+ # set_source = yes
+
+ # Force sending interface on outbound packets, if possible.
+ # set_sourceif = no
+
+ # Listen on IPv4, if possible.
+ # use_ipv4 = yes
+
+ # Listen on IPv6, if possible.
+ # use_ipv6 = yes
+
+}
+
diff --git a/strongswan.d/charon/sshkey.conf b/strongswan.d/charon/sshkey.conf
new file mode 100644
index 000000000..24d47f22e
--- /dev/null
+++ b/strongswan.d/charon/sshkey.conf
@@ -0,0 +1,8 @@
+sshkey {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
diff --git a/strongswan.d/charon/stroke.conf b/strongswan.d/charon/stroke.conf
new file mode 100644
index 000000000..ea6d87b14
--- /dev/null
+++ b/strongswan.d/charon/stroke.conf
@@ -0,0 +1,32 @@
+stroke {
+
+ # Analyze addresses/hostnames in left|right to detect which side is local
+ # and swap configuration options if necessary. If disabled left is always
+ # local.
+ # allow_swap = yes
+
+ # Treat certificates in ipsec.d/cacerts and ipsec.conf ca sections as CA
+ # certificates even if they don't contain a CA basic constraint.
+ # ignore_missing_ca_basic_constraint = no
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # Maximum number of stroke messages handled concurrently.
+ # max_concurrent = 4
+
+ # If enabled log level changes via stroke socket are not allowed.
+ # prevent_loglevel_changes = no
+
+ # Location of the ipsec.secrets file
+ # secrets_file = ${sysconfdir}/ipsec.secrets
+
+ # Socket provided by the stroke plugin.
+ # socket = unix://${piddir}/charon.ctl
+
+ # Timeout in ms for any stroke command. Use 0 to disable the timeout.
+ # timeout = 0
+
+}
+
diff --git a/strongswan.d/charon/updown.conf b/strongswan.d/charon/updown.conf
new file mode 100644
index 000000000..8bcd330a8
--- /dev/null
+++ b/strongswan.d/charon/updown.conf
@@ -0,0 +1,12 @@
+updown {
+
+ # Whether the updown script should handle assigned DNS servers (if enabled
+ # they can't be handled by other plugins, like resolve).
+ # dns_handler = no
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
diff --git a/strongswan.d/charon/x509.conf b/strongswan.d/charon/x509.conf
new file mode 100644
index 000000000..dcb2f9452
--- /dev/null
+++ b/strongswan.d/charon/x509.conf
@@ -0,0 +1,8 @@
+x509 {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
diff --git a/strongswan.d/charon/xauth-generic.conf b/strongswan.d/charon/xauth-generic.conf
new file mode 100644
index 000000000..578ec3d8e
--- /dev/null
+++ b/strongswan.d/charon/xauth-generic.conf
@@ -0,0 +1,8 @@
+xauth-generic {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
diff --git a/strongswan.d/charon/xcbc.conf b/strongswan.d/charon/xcbc.conf
new file mode 100644
index 000000000..456e0ff42
--- /dev/null
+++ b/strongswan.d/charon/xcbc.conf
@@ -0,0 +1,8 @@
+xcbc {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
diff --git a/strongswan.d/pool.conf b/strongswan.d/pool.conf
new file mode 100644
index 000000000..297c0f8cf
--- /dev/null
+++ b/strongswan.d/pool.conf
@@ -0,0 +1,12 @@
+pool {
+
+ # Database URI for the database that stores IP pools and configuration
+ # attributes. If it contains a password, make sure to adjust the
+ # permissions of the config file accordingly.
+ # database =
+
+ # Plugins to load in ipsec pool tool.
+ # load =
+
+}
+
diff --git a/strongswan.d/starter.conf b/strongswan.d/starter.conf
new file mode 100644
index 000000000..5cdcbfdd2
--- /dev/null
+++ b/strongswan.d/starter.conf
@@ -0,0 +1,10 @@
+starter {
+
+ # Location of the ipsec.conf file
+ # config_file = ${sysconfdir}/ipsec.conf
+
+ # Disable charon plugin load option warning.
+ # load_warning = yes
+
+}
+
diff --git a/systemd/system/multi-user.target.wants/strongswan.service b/systemd/system/multi-user.target.wants/strongswan.service
new file mode 120000
index 000000000..73556bb28
--- /dev/null
+++ b/systemd/system/multi-user.target.wants/strongswan.service
@@ -0,0 +1 @@
+/lib/systemd/system/strongswan.service
\ No newline at end of file
-- 
2.43.0
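Review bot: The new `multi-user.target.wants/strongswan.service` symlink enables the IKE daemon at every boot as a side effect of the package install, and the socket-default.conf hunk earlier in this diff shows it will bind on both address families by default (`use_ipv4 = yes`, `use_ipv6 = yes`). If this host is not yet meant to act as an IPsec endpoint, the unit should stay disabled until ipsec.conf and ipsec.secrets are deliberately populated, e.g. `systemctl disable strongswan`; if it is, confirm the host firewall admits the IKE ports only from the intended peers and that the stroke control socket (`unix://${piddir}/charon.ctl` in stroke.conf) is not reachable by unprivileged local users. The commit message records only the package changes, so a one-line note in the etckeeper commit stating whether the daemon is intentionally enabled would make this auditable later.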