diff options
author | Florin Grad <florin@mandriva.com> | 2004-02-11 11:51:42 +0000 |
---|---|---|
committer | Florin Grad <florin@mandriva.com> | 2004-02-11 11:51:42 +0000 |
commit | 4335f0383ba80433ae2af924f21694342c4f9a68 (patch) | |
tree | c3a3e8e1dbc379635c08ca93d44bc53b3fada7cf /perl-install/standalone | |
parent | 27c367a1cf665746b87748956343dba3133b1061 (diff) | |
download | drakx-4335f0383ba80433ae2af924f21694342c4f9a68.tar drakx-4335f0383ba80433ae2af924f21694342c4f9a68.tar.gz drakx-4335f0383ba80433ae2af924f21694342c4f9a68.tar.bz2 drakx-4335f0383ba80433ae2af924f21694342c4f9a68.tar.xz drakx-4335f0383ba80433ae2af924f21694342c4f9a68.zip |
first shy attempt
Diffstat (limited to 'perl-install/standalone')
-rw-r--r-- | perl-install/standalone/drakvpn | 943 |
1 files changed, 943 insertions, 0 deletions
diff --git a/perl-install/standalone/drakvpn b/perl-install/standalone/drakvpn new file mode 100644 index 000000000..f3d4a703f --- /dev/null +++ b/perl-install/standalone/drakvpn @@ -0,0 +1,943 @@ +#!/usr/bin/perl + +# +# author Florin Grad (florin@mandrakesoft.com) +# +# Copyright 2004 MandrakeSoft +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2, as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. +# + + +use lib qw(/usr/lib/libDrakX); + +use standalone; #- warning, standalone must be loaded very first, for 'explanations' + +use common; +use detect_devices; +use interactive; +use network::network; +use log; +use c; +use network::netconnect; +use network::shorewall; +use network::ipsec; +use Data::Dumper; + +$::isInstall and die "Not supported during install.\n"; + + +local $_ = join '', @ARGV; + +$::Wizard_pix_up = "wiz_drakgw.png"; +$::direct = /-direct/; + +my ($kernel_version) = c::kernel_version() =~ /(...)/; +log::l("[drakvpn] kernel_version $kernel_version"); + +$kernel_version >= 2.4 or fatal_quit(N("Sorry, we support only 2.4 and above kernels.")); + +my $tunnels_file = "/etc/shorewall/tunnels"; +my $ipsec_conf = ""; +my $racoon_conf = "/etc/racoon/racoon.conf"; +my $proc_version = ""; +my $ipsec_package = ""; + +my $in = interactive->vnew('su'); +my $shorewall = network::shorewall::read($in, 'silent'); +my @section_names; + +if ($kernel_version > 2.5) { + $ipsec_conf = "/etc/ipsec.conf"; +} else { + $ipsec_conf = "/etc/freeswan/ipsec.conf"; +}; +my $ipsec = network::ipsec::read_ipsec_conf($ipsec_conf,$kernel_version); +my $racoon = network::ipsec::read_racoon_conf($racoon_conf); + +$::Wizard_title = N("DrakVPN"); + +$in->isa('interactive::gtk') and $::isWizard = 1; + +my $wait_configuring; + +sub fatal_quit ($) { + log::l("[drakvpn] FATAL: $_[0]"); + undef $wait_configuring; + $in->ask_warn('', $_[0]); + quit_global($in, -1); +} + +begin: + +#- ********************************** +#- * 0th step: verify if we are already set up + +if ($shorewall && -f "/etc/shorewall/tunnels") { + $::Wizard_no_previous = 1; + + if (!$shorewall->{disabled}) { + my $r = $in->ask_from_list_(N("The VPN connection is enabled."), +N("The setup of a VPN connection has already been done. + +It's currently enabled. + +What would you like to do ?"), + [ N_("disable"), N_("reconfigure"), N_("dismiss") ]) or quit_global($in, 0); + if ($r eq "disable") { + if (!$::testing) { + my $_wait_disabl = $in->wait_message('', N("Disabling VPN...")); + network::ipsec::stop_daemons(); + } + foreach ($ipsec_conf, $tunnels_file) { + if (-f $_) { rename($_, "$_.drakvpndisable") or die "Could not rename $_ to $_.drakvpndisable" }; + } + network::ipsec::sys("/etc/init.d/shorewall restart >/dev/null"); + log::l("[drakvpn] Disabled"); + $::Wizard_finished = 1; + $in->ask_okcancel('', N("The VPN connection is now disabled.")); + quit_global($in, 0); + } + if ($r eq "dismiss") { + quit_global($in, 0); + } + } else { + my $r = $in->ask_from_list_(N("VPN connection currently disabled"), +N("The setup of a VPN connection has already been done. + +It's currently disabled. + +What would you like to do ?"), + [ N_("enable"), N_("reconfigure"), N_("dismiss") ]); + if ($r eq "enable") { + foreach ($ipsec_conf, $tunnels_file) { + rename($_, "$_.old") if -f $_; + rename("$_.drakvpndisable", $_) or die "Could not find configuration. Please reconfigure."; + }; + { + my $_wait_enabl = $in->wait_message('', N("Enabling VPN...")); + network::ipsec::start_daemons(); + } + log::l("[drakvpn] Enabled"); + } + $::Wizard_finished = 1; + $in->ask_okcancel('', N("The VPN connection is now enabled.")); + quit_global($in, 0); + if ($r eq "dismiss") { + quit_global($in, 0); + } + } + } + +#- ********************************** +#- * 1st step: detect/setup +step_ask_confirm: + +undef $::Wizard_no_previous; + +$::direct or $in->ask_okcancel(N("Simple VPN setup."), +N("You are about to configure your computer to use a VPN connection. + +With this feature, computers on your local private network and computers +on some other remote private networks, can share ressources, through +their respective firewalls, over the Internet, in a secure manner. + +The communication over the Internet is encrypted. The local and remote +computers look as if they were on the same network. + +Make sure you have configured your Network/Internet access using +drakconnect before going any further."), 1) or goto begin; + +$::direct or $in->ask_okcancel(N("Simple VPN setup."), +N("VPN connection. + +This program is based on the following projects: + + - FreeSwan: http://www.freeswan.org/ + - Super-FreeSwan: http://www.freeswan.ca/ + - ipsec-tools: http://ipsec-tools.sourceforge.net/ + - ipsec-howto: http://www.ipsec-howto.org + +Please read the at lest the ipsec-howto docs before +going any further."), 1) or goto begin; + +if ($kernel_version < 2.5) { + system("/sbin/modprobe ipsec") if -e "/sbin/modprobe"; + $proc_version = cat_("/proc/net/ipsec_version") if -e "/proc/net/ipsec_version"; + if ($proc_version =~ /super/i) { + $ipsec_package = "super-freeswan"; + } else { + $ipsec_package = "freeswan"; + } +} else { + $ipsec_package = "ipsec-tools"; + $proc_version = "ipsec native"; +} + +$::direct or $in->ask_okcancel(N("Kernel module."), +N("The running kernel need to have ipsec support.\n +The kernels 2.4 until 2.5 need to be compiled with +Freeswan or Super/FreeSwan. +The kernels 2.5 and above have native ipsec support.\n +The running kernel version is %s and it has support for: +%s", $kernel_version, $proc_version)) or goto begin; + +step_detectsetup: + +#my @configured_devices = map { /ifcfg-(\S+)/ } glob('/etc/sysconfig/network-scripts/ifcfg*'); + +my %aliased_devices; +/^\s*alias\s+(eth[0-9])\s+(\S+)/ and $aliased_devices{$1} = $2 foreach cat_("/etc/modules.conf"); + +my $card_netconnect = network::netconnect::get_net_device() || "eth0"; +defined $card_netconnect and log::l("[drakvpn] Information from netconnect: ignore card $card_netconnect"); + + $in->ask_from('', + N("Please enter the name of the interface connected to the internet. + +Examples: + ppp+ for modem or DSL connections, + eth0, or eth1 for cable connection, + ippp+ for a isdn connection. +"), + [ { label => N("Net Device"), val => \$card_netconnect, list => [ detect_devices::getNet() ], not_edit => 0 } ]) + or goto step_ask_confirm; + +#- ********************************** +#- * 2nd step: configure + +$wait_configuring = $in->wait_message(N("Configuring..."), + N("Configuring scripts, installing software, starting servers...")); + +#- if the kernel has super-freeswan support, remove the freeswan package +#- and vice-versa +#- if you're using e kernel 2.5 and above with native ipsec support, remove +#- both freeswan and super-freeswan packages + +if (!$::testing && $ipsec_package =~ /super/i && $kernel_version < 2.5) { + log::l("[drakvpn] removing the freeswan package"); + $in->do_pkgs->remove("freeswan") if -e "/etc/freeswan/ipsec.d/policies/clear"; + log::l("[drakvpn] removing the ipsec-tools package"); + $in->do_pkgs->remove("ipsec-tools") if -e "/sbin/setkey"; + $in->do_pkgs->remove("libipsec-tools0") if -e "/lib/libipsec.so.0"; +} elsif (!$::testing && $kernel_version < 2.5) { + log::l("[drakvpn] removing the $ipsec_package package"); + $in->do_pkgs->remove("super-freeswan") if -e "/usr/lib/ipsec/auto.advroute"; + log::l("[drakvpn] removing the ipsec-tools package"); + $in->do_pkgs->remove("ipsec-tools") if -e "/sbin/setkey"; + $in->do_pkgs->remove("libipsec-tools0") if -e "/sbin/setkey"; +} else { + log::l("[drakvpn] removing the freeswan AND the super-freeswan packages"); + $in->do_pkgs->remove("freeswan") if -e "/etc/freeswan/ipsec.d/policies/clear"; + $in->do_pkgs->remove("super-freeswan-doc") if -e "/usr/sbin/ipsec"; + $in->do_pkgs->remove("super-freeswan") if -e "/usr/lib/ipsec/auto.advroute"; +}; + + +#- install and setup the RPM packages, if needed + +my %rpm2file; +log::l("[drakvpn] install the $ipsec_package and the shorewall rpm packages"); +if (!$::testing && $ipsec_package =~ /ipsec-tools/i) { + %rpm2file = ($ipsec_package => '/sbin/setkey', + shorewall => '/sbin/shorewall'); +} else { + %rpm2file = ($ipsec_package => '/usr/sbin/ipsec', + shorewall => '/sbin/shorewall'); +}; + +#- first: try to install all in one step, if needed +if (! ($ipsec_package =~ /super/i && -e "/usr/lib/ipsec/auto.advroute" || + $ipsec_package =~ /^freeswan/i && -e "/etc/freeswan/ipsec.d/policies/clear" || + $ipsec_package =~ /ipsec-tools/i && -e "/sbin/setkey")) { + + my @needed_to_install = grep { !-e $rpm2file{$_} } keys %rpm2file; + @needed_to_install and $in->do_pkgs->install(@needed_to_install) if !$::testing; + #- second: try one by one if failure detected + if (!$::testing && any { !-e $rpm2file{$_} } keys %rpm2file) { + foreach (keys %rpm2file) { + -e $rpm2file{$_} or $in->do_pkgs->install($_); + -e $rpm2file{$_} or fatal_quit(N("Problems installing package %s", $_)); + } + } +} + +undef $wait_configuring; + +#- configure the $ipsec_conf file +#- Add, Remove config|conn entries + +step_configuration: + +my $c; + +if ($kernel_version > 2.5) { + $c = $in->ask_from_list_(N("Configuration file"), +N("Welcome to the +%s and %s +files configuration step. + +You can now configure the sections of these files. + +Which file would you like to configure ?\n", $ipsec_conf, $racoon_conf), + [ N("configure %s", $ipsec_conf), N("configure %s", $racoon_conf) ]) or goto step_detectsetup; + +} else { +$in->ask_okcancel(N("Configuration file"), +N("Next, we will configure the %s file.\n + +Simply click on Next.\n", $ipsec_conf)) or goto step_detectsetup; + + $c = "configure"; +}; + +#------------------------------------------------------------------- +#---------------------- configure ipsec_conf ----------------------- +#------------------------------------------------------------------- + +if ($c eq "configure $ipsec_conf" || $c eq "configure") { + +step_configure_ipsec_conf: + +@section_names = network::ipsec::get_section_names_ipsec_conf($ipsec_conf,$ipsec,$kernel_version) if -e $ipsec_conf; + +my $choice = $section_names[0] if $section_names[0]; +my $d = $in->ask_from_list_(N("%s entries", $ipsec_conf), +N("The %s file contents +is divided into sections.\n +You can now :\n +- display, add, edit, or remove sections, then +- commit the changes\n + +What would you like to do ?\n", $ipsec_conf), + [ N_("display"), N_("add"), N_("edit"), N_("remove"), N_("commit") ]) or goto step_configuration; + +my $existing_section = ""; + +#- display $ipsec_conf ------------------------- + +step_display_ipsec_conf: + +if ($d eq "display $ipsec_conf" || $d eq "display") { + if (-e $ipsec_conf) { + $in->ask_okcancel(N("Display configuration"), + network::ipsec::display_ipsec_conf($ipsec_conf,$ipsec,$kernel_version)); + goto step_configure_ipsec_conf; + } else { +$in->ask_okcancel(N("Display configuration"), +N("The %s file does not exist\n +This must be a new configuration.\n +You'll have to go back and choose configure.\n", $ipsec_conf)); + goto step_configure_ipsec_conf; + } + +#- add --------------------- + +} elsif ($d eq "add") { + +step_add_section: + +if ($kernel_version < 2.5) { + +#- add ---- kernel 2.4 part ------------------------------- + +my $e = $in->ask_from_list_(N("ipsec.conf entries"), +N("The %s file contains different sections.\n +Here is its skeleton : 'config setup' + 'conn default' + 'normal1' + 'normal2' \n +You can now add one of these sections.\n +Choose the section you would like to add.\n", $ipsec_conf), + [ N_("config setup"), N_("conn %default"), N_("normal conn"), N_("dismiss") ]) or goto step_configure_ipsec_conf; + if ($e eq "config setup") { + + $existing_section = network::ipsec::already_existing_section_ipsec_conf("config setup", $ipsec, $kernel_version); + + if ($existing_section eq "already existing") { +$in->ask_okcancel(N("Exists !"), +N("A section with this name already exists. +The section names have to be unique.\n +You'll have to go back and add another section +or change its name.\n")); + goto step_add_section; +}; + + my $config_setup = { + 1 => [ "config", "setup" ], + 2 => [ "interfaces", "%defaultroute" ], + 3 => [ "klipsdebug", "none" ], + 4 => [ "plutodebug", "none" ], + 5 => [ "plutoload", "%search" ], + 6 => [ "plutostart", "%search" ], + 7 => [ "uniqueids", "yes" ], + }; + $in->ask_from('', +N("This section has to be on top of your +%s file.\n +Make sure all other section follow this config +setup section.\n +Choose continue or previous when you are done.\n", $ipsec_conf), + [ { label => N("interfaces="), val => \$config_setup->{2}[1], type => 'entry' }, + { label => N("klipsdebug="), val => \$config_setup->{3}[1], type => 'entry' }, + { label => N("plutodebug="), val => \$config_setup->{4}[1], type => 'entry' }, + { label => N("plutoload="), val => \$config_setup->{5}[1], type => 'entry' }, + { label => N("plutostart="), val => \$config_setup->{6}[1], type => 'entry' }, + { label => N("uniqueids="), val => \$config_setup->{7}[1], type => 'entry' }, + ] +) or goto step_configure_ipsec_conf; + + network::ipsec::add_section_ipsec_conf($config_setup, $ipsec); + + goto step_configure_ipsec_conf; + + } elsif ($e eq "conn %default") { + + $existing_section = network::ipsec::already_existing_section_ipsec_conf("conn %default", $ipsec, $kernel_version); + + if ($existing_section eq "already existing") { +$in->ask_okcancel(N("Exists !"), +N("A section with this name already exists. +The section names have to be unique.\n +You'll have to go back and add another section +or change its name.\n")); + goto step_add_section; +}; + + my $conn_default = { + 1 => [ "conn", "%default" ], + 2 => [ "pfs", "yes" ], + 3 => [ "keyingtries", "1" ], + 4 => [ "compress", "yes" ], + 5 => [ "disablearrivalcheck", "no" ], + 6 => [ "left", "" ], + 7 => [ "leftcert", "" ], + 8 => [ "leftrsasigkey", "%cert" ], + 9 => [ "leftsubnet", "" ], + 10 => [ "leftnexthop", "" ], + }; + $in->ask_from('', +N("This is the first section after the config +setup one.\n +Here you define the default settings. +All the other sections will follow this one. +The left settings are optional. If don't define +them here, globally, you can define them in each +section.\n",), + [ { label => N("pfs="), val => \$conn_default->{2}[1], type => 'entry' }, + { label => N("keyingtries="), val => \$conn_default->{3}[1], type => 'entry' }, + { label => N("compress="), val => \$conn_default->{4}[1], type => 'entry' }, + { label => N("disablearrivalcheck="), val => \$conn_default->{5}[1], type => 'entry' }, + { label => N("left="), val => \$conn_default->{6}[1], type => 'entry' }, + { label => N("leftcert="), val => \$conn_default->{7}[1], type => 'entry' }, + { label => N("leftrsasigkey="), val => \$conn_default->{8}[1], type => 'entry' }, + { label => N("leftsubnet="), val => \$conn_default->{9}[1], type => 'entry' }, + { label => N("leftnexthop="), val => \$conn_default->{10}[1], type => 'entry' }, + ] +) or goto step_configure_ipsec_conf; + + network::ipsec::add_section_ipsec_conf($conn_default, $ipsec); + + goto step_configure_ipsec_conf; + + } elsif ($e eq "normal conn") { + + + my $normal_conn = { + 1 => [ "conn", "my-connection" ], + 2 => [ "authby", "rsasig" ], + 3 => [ "auto", "start" ], + 4 => [ "left", "" ], + 5 => [ "leftcert", "" ], + 6 => [ "leftrsasigkey", "%cert" ], + 7 => [ "leftsubnet", "" ], + 8 => [ "leftnexthop", "" ], + 9 => [ "right", "" ], + 10 => [ "rightcert", "" ], + 11 => [ "rightrsasigkey", "%cert" ], + 12 => [ "rightsubnet", "" ], + 13 => [ "rightnexthop", "" ], + }; + +step_add_normal_conn: + $in->ask_from('', +N("Your %s file has several sections, or connections.\n +You can now add a new section. +Choose continue when you are done to write the data.\n", $ipsec_conf), + [ { label => N("section name"), val => \$normal_conn->{1}[1], type => 'entry' }, + { label => N("authby"), val => \$normal_conn->{2}[1], type => 'entry' }, + { label => N("auto="), val => \$normal_conn->{3}[1], type => 'entry' }, + { label => N("left="), val => \$normal_conn->{4}[1], type => 'entry' }, + { label => N("leftcert="), val => \$normal_conn->{5}[1], type => 'entry' }, + { label => N("leftrsasigkey="), val => \$normal_conn->{6}[1], type => 'entry' }, + { label => N("leftsubnet="), val => \$normal_conn->{7}[1], type => 'entry' }, + { label => N("leftnexthop="), val => \$normal_conn->{8}[1], type => 'entry' }, + { label => N("right="), val => \$normal_conn->{9}[1], type => 'entry' }, + { label => N("rightcert="), val => \$normal_conn->{10}[1], type => 'entry' }, + { label => N("rightrsasigkey="), val => \$normal_conn->{11}[1], type => 'entry' }, + { label => N("rightsubnet="), val => \$normal_conn->{12}[1], type => 'entry' }, + { label => N("rightnexthop="), val => \$normal_conn->{13}[1], type => 'entry' }, + ] +) or goto step_configure_ipsec_conf; + + $existing_section = network::ipsec::already_existing_section_ipsec_conf($normal_conn->{1}[0]." ".$normal_conn->{1}[1], $ipsec, $kernel_version); + + if ($existing_section eq "already existing") { +$in->ask_okcancel(N("Exists !"), +N("A section with this name already exists. +The section names have to be unique.\n +You'll have to go back and add another section +or change the name of the section.\n")); + goto step_add_normal_conn; +}; + + network::ipsec::add_section_ipsec_conf($normal_conn, $ipsec); + + goto step_configure_ipsec_conf; + + } + +} else { + +#- add ---- kernel 2.6 part ------------------------------- + + my $section = { secure_policy => 'spdadd', + src_range => 'src_network_address', + dst_range => 'dest_network_address', + upperspec => 'any', + flag => '-P', + direction => 'in or out', + ipsec => 'ipsec', + protocol => 'esp', + mode => 'tunnel', + src_dest => 'source-destination', + level => 'require' }; + +step_add_section_ipsec_conf_k26: + + $in->ask_from('', +N("Your %s file has several sections, or connections.\n +You can now add a new section. +Choose continue when you are done to write the data.\n", $ipsec_conf), + [ { label => N("secure_policy = "), val => \$section->{secure_policy}, list => [ 'spdadd', 'spdadd' ] }, + { label => N("src_range = "), val => \$section->{src_range}, type => 'entry' }, + { label => N("dst_range = "), val => \$section->{dst_range}, type => 'entry' }, + { label => N("upperspec = "), val => \$section->{upperspec}, list => [ 'any', 'any' ] }, + { label => N("flag = "), val => \$section->{flag}, list => [ '-P', '-P' ] }, + { label => N("direction = "), val => \$section->{direction}, list => [ 'in', 'out' ] }, + { label => N("ipsec = "), val => \$section->{ipsec}, list => [ 'ipsec', 'discard', 'none' ] }, + { label => N("protocol = "), val => \$section->{protocol}, list => [ 'esp', 'ah', 'ipcomp' ] }, + { label => N("mode = "), val => \$section->{mode}, list => [ 'tunnel', 'transport', 'any' ] }, + { label => N("src_dest = "), val => \$section->{src_dest}, type => 'entry' }, + { label => N("level = "), val => \$section->{level}, list => [ 'required', 'default', 'use', 'unique' ] }, + ] +) or goto step_configure_ipsec_conf; + + $existing_section = network::ipsec::already_existing_section_ipsec_conf($section->{src_dest}, $ipsec, $kernel_version); + + if ($existing_section eq "already existing") { +$in->ask_okcancel(N("Exists !"), +N("A section with this name already exists. +The section names have to be unique.\n +You'll have to go back and add another section +or change the name of the section.\n")); + goto step_add_section_ipsec_conf_k26; +}; + + network::ipsec::add_section_ipsec_conf($section, $ipsec); + + goto step_configure_ipsec_conf; + + +}; + +#- edit --------------------- + +} elsif ($d eq "edit") { + +step_edit_ipsec_conf: +$in->ask_from(N("Edit section"), +N("Your %s file has several sections or connections.\n +You can choose here below the one you want to edit +and then click on next.\n", $ipsec_conf), + [ { val => \$choice, list => \@section_names, label => N("Section names"), sort => 0, not_edit => 0 } ]) + or goto step_configure_ipsec_conf; + +my $number = network::ipsec::matched_section_key_number_ipsec_conf($choice,$ipsec,$kernel_version); + +#- edit ---- kernel 2.4 part ------------------------------- + +if ($kernel_version < 2.5) { +if ($choice =~ /^version|block|private|clear|packet/) { + +$in->ask_okcancel(N("Can't edit !"), +N("You cannot edit this section.\n +This section is mandatory for Freswan 2.X. +One has to specify version 2.0 on the top +of the %s file, and eventually, disable or +enable the oportunistic ecryption.\n",$ipsec_conf)); + goto step_edit_ipsec_conf; + +} elsif ($choice =~ /^config setup/) { + $in->ask_from('', +N("Your %s file has several sctions.\n +You can now edit the config setup section entries. +Choose continue when you are done to write the data.\n", $ipsec_conf), + +[ network::ipsec::dynamic_list($number, $ipsec) ] + +) or goto step_configure_ipsec_conf; + + goto step_configure_ipsec_conf; +} elsif ($choice =~ /^conn %default/) { + $in->ask_from('', +N("Your %s file has several sections or connections.\n +You can now edit the default section entries. +Choose continue when you are done to write the data.\n", $ipsec_conf), + +[ network::ipsec::dynamic_list($number, $ipsec) ] + +) or goto step_configure_ipsec_conf; + + goto step_configure_ipsec_conf; + +} elsif ($choice =~ /^conn/) { + + $in->ask_from('', +N("Your %s file has several sections or connections.\n +You can now edit the normal section entries.\n +Choose continue when you are done to write the data.\n", $ipsec_conf), + +[ network::ipsec::dynamic_list($number, $ipsec) ] + +) or goto step_configure_ipsec_conf; + + goto step_configure_ipsec_conf; + +} else { + + goto step_configure_ipsec_conf; + +}; + +#- edit ---- kernel 2.6 part ------------------------------- + +} else { + + $in->ask_from('', +N("Your %s file has several sections, or connections.\n +You can now edit the chosen section. +Choose continue when you are done to write the data.\n", $ipsec_conf), + [ { label => N("secure_policy = "), val => \$ipsec->{$number}{secure_policy}, list => [ 'spdadd', 'spdadd' ] }, + { label => N("src_range = "), val => \$ipsec->{$number}{src_range}, type => 'entry' }, + { label => N("dst_range = "), val => \$ipsec->{$number}{dst_range}, type => 'entry' }, + { label => N("upperspec = "), val => \$ipsec->{$number}{upperspec}, list => [ 'any', 'any' ] }, + { label => N("flag = "), val => \$ipsec->{$number}{flag}, list => [ '-P', '-P' ] }, + { label => N("direction = "), val => \$ipsec->{$number}{direction}, list => [ 'in', 'out' ] }, + { label => N("ipsec = "), val => \$ipsec->{$number}{ipsec}, list => [ 'ipsec', 'discard', 'none' ] }, + { label => N("protocol = "), val => \$ipsec->{$number}{protocol}, list => [ 'esp', 'ah', 'ipcomp' ] }, + { label => N("mode = "), val => \$ipsec->{$number}{mode}, list => [ 'tunnel', 'transport', 'any' ] }, + { label => N("src_dest = "), val => \$ipsec->{$number}{src_dest}, type => 'entry' }, + { label => N("level = "), val => \$ipsec->{$number}{level}, list => [ 'required', 'default', 'use', 'unique' ] }, + ] +) or goto step_configure_ipsec_conf; + +goto step_configure_ipsec_conf; + +}; + +#- remove --------------------- + +} elsif ($d eq "remove") { +$in->ask_from(N("Remove section"), +N("Your %s file has several or sections or connections.\n +You can choose here below the one you want to remove +and then click on next.\n", $ipsec_conf), + [ { val => \$choice, list => \@section_names, label => N("Section names"), sort => 0, not_edit => 0 } ]); + + network::ipsec::remove_section_ipsec_conf($choice,$ipsec,$kernel_version); + + @section_names = network::ipsec::get_section_names_ipsec_conf($ipsec_conf,$ipsec,$kernel_version) if -e $ipsec_conf; + + goto step_configure_ipsec_conf; + +#- continue and write --------------------- + +} elsif ($d eq "commit") { + log::l("[drakvpn] Modify the $ipsec_conf file"); + network::ipsec::write_ipsec_conf($ipsec_conf, $ipsec,$kernel_version); + } +#------------------------------------------------------------------- +#---------------------- configure racoon_conf ----------------------- +#------------------------------------------------------------------- + +} elsif ($c eq "configure $racoon_conf") { + +step_configure_racoon_conf: + +@section_names = network::ipsec::get_section_names_racoon_conf($racoon_conf,$racoon) if -e $racoon_conf; + +#print Dumper($racoon)."\n"; + +my $choice = $section_names[0] if $section_names[0]; +my $d = $in->ask_from_list_(N("%s entries", $racoon_conf), +N("The %s file contents +is divided into sections.\n +You can now :\n +- display, add, edit, or remove sections, then +- commit the changes\n + +What would you like to do ?\n", $racoon_conf), + [ N_("display"), N_("add"), N_("edit"), N_("remove"), N_("commit") ]) or goto step_configuration; + +#my $existing_section = ""; + +#- display $racoon_conf ------------------------- + +step_display_racoon_conf: + +if ($d eq "display") { + if (-e $racoon_conf) { + $in->ask_okcancel(N("Display configuration"), + network::ipsec::display_racoon_conf($racoon)); +#print Dumper($racoon)."\n"; + goto step_configure_racoon_conf; + } else { +$in->ask_okcancel(N("Display configuration"), +N("The %s file does not exist\n +This must be a new configuration.\n +You'll have to go back and choose configure.\n", $racoon_conf)); + goto step_configure_racoon_conf; + } + +#- add $racoon_conf ------------------------------ + +} elsif ($d eq "add") { + +step_add_section_racoon: + +#my $existing_section = ""; + +my $e = $in->ask_from_list_(N("racoonf.conf entries"), +N("The %s file contains different sections.\n +Here is its skeleton : 'path' + 'remote' + 'sainfo' \n +You can now add one of these sections.\n +Choose the section you would like to add.\n", $racoon_conf), + [ N_("path"), N_("remote"), N_("sainfo"), N_("dismiss") ]) or goto step_configure_racoon_conf; +if ($e eq "path") { + + my $path_section = { + 1 => [ 'path', 'path_type', '"/etc/racoon/certs"' ], + }; + + $in->ask_from('', +N("This section has to be on top of your +%s file.\n +Make sure all other section follow these path +sections.\n +Choose continue or previous when you are done.\n", $racoon_conf), + [ { label => N("path_type ="), val => \$path_section->{1}[1], list => [ 'certificate', 'pre_shared_key', 'include' ] }, + { label => N("real_file ="), val => \$path_section->{1}[2], type => 'entry' }, + ] +) or goto step_configure_racoon_conf; + +network::ipsec::add_section_racoon_conf($path_section, $racoon); +} elsif ($e eq "remote") { + my $main_remote_section = { 1 => [ 'remote', 'address' ], + 2 => [ 'exchange_mode', 'aggressive,main' ], + 3 => [ 'generate_policy', 'on' ], + 4 => [ 'passive', 'on' ], + 5 => [ 'certificate_type', 'x509', '"my_certificate.pem"', '"my_private_key.pem"' ], + 6 => [ 'peers_certfile', '"remote.public"' ], + 7 => [ 'verify_cert', 'on' ], + 8 => [ 'my_identifier', 'asn1dn' ], + 9 => [ 'peers_identifier', 'asn1dn' ] + }; + my $proposal_remote_section = { 1 => [ 'proposal' ], + 2 => [ 'encryption_algorithm', '3des' ], + 3 => [ 'hash_algorithm', 'md5' ], + 4 => [ 'authentication_method', 'rsasig' ], + 5 => [ 'dh_group', 'modp1024' ] + }; + $in->ask_from('', +N("Make sure you already have the path sections +on the top of your %s file.\n + +You can now choose the remote settings. +Choose continue or previous when you are done.\n", $racoon_conf), + [ { label => N("remote ="), val => \$main_remote_section->{1}[1], type => 'entry' }, + { label => N("exchange_mode ="), val => \$main_remote_section->{2}[1], type => 'entry' }, + { label => N("generate_policy ="), val => \$main_remote_section->{3}[1], type => 'entry' }, + { label => N("passive ="), val => \$main_remote_section->{4}[1], type => 'entry' }, + { label => N("certificate_type ="), val => \$main_remote_section->{5}[1], type => 'entry' }, + { label => N("my_certfile ="), val => \$main_remote_section->{5}[2], type => 'entry' }, + { label => N("my_private_key ="), val => \$main_remote_section->{5}[3], type => 'entry' }, + { label => N("peers_certfile ="), val => \$main_remote_section->{6}[1], type => 'entry' }, + { label => N("verify_cert ="), val => \$main_remote_section->{7}[1], type => 'entry' }, + { label => N("my_identifier ="), val => \$main_remote_section->{8}[1], type => 'entry' }, + { label => N("peers_identifier ="), val => \$main_remote_section->{9}[1], type => 'entry' }, + { label => N("proposal ="), val => \$proposal_remote_section->{1}[0], type => 'entry' }, + { label => N("encryption_algorithm ="), val => \$proposal_remote_section->{2}[1], type => 'entry' }, + { label => N("hash_algorithm ="), val => \$proposal_remote_section->{3}[1], type => 'entry' }, + { label => N("authentication_method ="), val => \$proposal_remote_section->{4}[1], type => 'entry' }, + { label => N("dh_group ="), val => \$proposal_remote_section->{5}[1], type => 'entry' }, + ] +) or goto step_configure_racoon_conf; + +network::ipsec::add_section_racoon_conf($main_remote_section, $racoon); +network::ipsec::add_section_racoon_conf($proposal_remote_section, $racoon); +} elsif ($e eq "sainfo") { + my $sainfo_section = { 1 => [ 'sainfo', 'address', '192.168.100.2', 'any', 'address', '10.0.0.2', 'any' ], + 2 => [ 'pfs_group', '1' ], + 3 => [ 'lifetime', 'time', '30', 'sec' ], + 4 => [ 'encryption_algorithm', '3des' ], + 5 => [ 'authentication_algorithm', 'hmac_sha1' ], + 6 => [ 'compression_algorithm', 'deflate' ], + }; + $in->ask_from('', +N("Make sure you already have the path sections +on the top of your %s file.\n + +You can now choose the sainfo settings. +Choose continue or previous when you are done.\n", $racoon_conf), + [ { label => N("sainfo_source_address ="), val => \$sainfo_section->{1}[2], type => 'entry' }, + { label => N("sainfo_source_proto ="), val => \$sainfo_section->{1}[3], type => 'entry' }, + { label => N("sainfo_dest_address ="), val => \$sainfo_section->{1}[5], type => 'entry' }, + { label => N("sainfo_dest_proto ="), val => \$sainfo_section->{1}[6], type => 'entry' }, + { label => N("pfs_group ="), val => \$sainfo_section->{2}[1], type => 'entry' }, + { label => N("lifetime_number ="), val => \$sainfo_section->{3}[2], type => 'entry' }, + { label => N("lifetime_unit ="), val => \$sainfo_section->{3}[3], type => 'entry' }, + { label => N("encryption_algorithm ="), val => \$sainfo_section->{4}[1], type => 'entry' }, + { label => N("authentication_algorithm ="), val => \$sainfo_section->{5}[1], type => 'entry' }, + { label => N("compression_algorithm ="), val => \$sainfo_section->{6}[1], type => 'entry' }, + ] +) or goto step_configure_racoon_conf; + +network::ipsec::add_section_racoon_conf($sainfo_section, $racoon); +} + +goto step_configure_racoon_conf; + +#- edit $racoon_conf ----------------------------- + +} elsif ($d eq "edit") { +$in->ask_from(N("Edit section"), +N("Your %s file has several sections or connections.\n +You can choose here below the one you want to edit +and then click on next.\n", $racoon_conf), + [ { val => \$choice, list => \@section_names, label => N("Section names"), sort => 0, not_edit => 0 } ]) + or goto step_configure_racoon_conf; + +my $number = network::ipsec::matched_section_key_number_racoon_conf($choice,$racoon); + +print Dumper($racoon)."\n"; + +if ($choice =~ /^remote/) { + $in->ask_from('', +N("Your %s file has several sctions.\n +You can now edit the remote section entries. +Choose continue when you are done to write the data.\n", $racoon_conf), + [ { label => N("remote ="), val => \$racoon->{$number}{1}[1], type => 'entry' }, + { label => N("exchange_mode ="), val => \$racoon->{$number}{2}[1], type => 'entry' }, + { label => N("generate_policy ="), val => \$racoon->{$number}{3}[1], type => 'entry' }, + { label => N("passive ="), val => \$racoon->{$number}{4}[1], type => 'entry' }, + { label => N("certificate_type ="), val => \$racoon->{$number}{5}[1], type => 'entry' }, + { label => N("my_certfile ="), val => \$racoon->{$number}{5}[2], type => 'entry' }, + { label => N("my_private_key ="), val => \$racoon->{$number}{5}[3], type => 'entry' }, + { label => N("peers_certfile ="), val => \$racoon->{$number}{6}[1], type => 'entry' }, + { label => N("verify_cert ="), val => \$racoon->{$number}{7}[1], type => 'entry' }, + { label => N("my_identifier ="), val => \$racoon->{$number}{8}[1], type => 'entry' }, + { label => N("peers_identifier ="), val => \$racoon->{$number}{9}[1], type => 'entry' }, + { label => N("proposal ="), val => \$racoon->{$number+1}{1}[0], type => 'entry' }, + { label => N("encryption_algorithm ="), val => \$racoon->{$number+1}{2}[1], type => 'entry' }, + { label => N("hash_algorithm ="), val => \$racoon->{$number+1}{3}[1], type => 'entry' }, + { label => N("authentication_method ="), val => \$racoon->{$number+1}{4}[1], type => 'entry' }, + { label => N("dh_group ="), val => \$racoon->{$number+1}{5}[1], type => 'entry' }, + ] +) or goto step_configure_racoon_conf; + +} elsif ($choice =~ /^sainfo/) { + $in->ask_from('', +N("Your %s file has several sctions.\n +You can now edit the sainfo section entries. +Choose continue when you are done to write the data.\n", $racoon_conf), + [ { label => N("sainfo_source_address ="), val => \$racoon->{$number}{1}[2], type => 'entry' }, + { label => N("sainfo_source_proto ="), val => \$racoon->{$number}{1}[3], type => 'entry' }, + { label => N("sainfo_dest_address ="), val => \$racoon->{$number}{1}[5], type => 'entry' }, + { label => N("sainfo_dest_proto ="), val => \$racoon->{$number}{1}[6], type => 'entry' }, + { label => N("pfs_group ="), val => \$racoon->{$number}{2}[1], type => 'entry' }, + { label => N("lifetime_number ="), val => \$racoon->{$number}{3}[2], type => 'entry' }, + { label => N("lifetime_unit ="), val => \$racoon->{$number}{3}[3], type => 'entry' }, + { label => N("encryption_algorithm ="), val => \$racoon->{$number}{4}[1], type => 'entry' }, + { label => N("authentication_algorithm ="), val => \$racoon->{$number}{5}[1], type => 'entry' }, + { label => N("compression_algorithm ="), val => \$racoon->{$number}{6}[1], type => 'entry' }, + ] + +) or goto step_configure_racoon_conf; +} + +goto step_configure_racoon_conf; + +#- remove $racoon_conf --------------------------- + +} elsif ($d eq "remove") { +$in->ask_from(N("Remove section"), +N("Your %s file has several or sections or connections.\n +You can choose here below the one you want to remove +and then click on next.\n", $racoon_conf), + [ { val => \$choice, list => \@section_names, label => N("Section names"), sort => 0, not_edit => 0 } ]); + +#print Dumper($racoon)."\n"; +my $number = network::ipsec::matched_section_key_number_racoon_conf($choice,$racoon); +network::ipsec::remove_section_racoon_conf($choice,$racoon,$number); +#print Dumper($racoon)."\n"; + @section_names = network::ipsec::get_section_names_racoon_conf($racoon_conf,$racoon) if -e $racoon_conf; + + goto step_configure_racoon_conf; + +#- write $racoon_conf and continue --------------- +} elsif ($d eq "commit") { + log::l("[drakvpn] Modify the $racoon_conf file"); + network::ipsec::write_racoon_conf($racoon_conf, $racoon); +} +} + +#- start the daemons +network::ipsec::start_daemons(); + +#- bye-bye message + +undef $wait_configuring; + +$::Wizard_no_previous = 1; +$::Wizard_finished = 1; + +$in->ask_okcancel(N("Congratulations!"), +N("Everything has been configured.\n +You may now share ressources through the Internet, +in a secure way, using a VPN connection.\n + +You should make sure that that the tunnels shorewall +section is configured.")); + +log::l("[drakvpn] Installation complete, exiting"); +quit_global($in, 0); + +sub quit_global { + my ($in, $exitcode) = @_; + $in->exit($exitcode); + goto begin +} |