Add in rsasig support

ipsecDB.Notes

@@ -36,12 +36,18 @@ workToVoip=ipsec
 
 Config Defaults
 
-config set ipsec service status disabled connectiontype tunnel left %defaultroute ikelifetime 28800s keylife 3600s dpdaction restart dpddelay 30 dpdtimeout 10 pfs yes auto start
+config set ipsec service status disabled connectiontype tunnel left %defaultroute ikelifetime 28800s keylife 3600s dpdaction restart dpddelay 30 dpdtimeout 10 pfs yes auto start security secret salifetime 28800s
 
 Additional db entries
 
 Set mtu as in Config or ipsec connections if required
 
+Add rsasigs
+
+set
+security rsasig
+certname "Your cert nickname" - find with  'certutil -d . -L |grep u,u,u'
+
 https://libreswan.org/man/ipsec.conf.5.html
 
 ike = Some examples are ike=3des-sha1,aes-sha1, ike=aes, ike=aes128-md5;modp2048, ike=aes128-sha1;dh22, ike=3des-md5;modp1024,aes-sha1;modp1536 or ike=modp1536

smeserver-libreswan.spec

@@ -19,10 +19,11 @@ AutoReqProv: no
 %description
 Libreswan is a free software implementation of the most widely supported and standarized VPN protocol based on ("IPsec") and the Internet Key Exchange ("IKE")
 
-* Fri May 22 2015 John Crisp <jcrisp@safeandsoundit.co.uk> 0.5-4
+* Wed May 27 2015 John Crisp <jcrisp@safeandsoundit.co.uk> 0.5-4
 - set dpd actions off if ipsec is 'add'
 - add salifetime key and rename ikelifetime and keylife
 - change defaults for salifetime and ikelifetime
+- add in rsasig support
 
 
 %changelog

smeserver-libreswan/root/etc/e-smith/db/configuration/defaults/ipsec/salifetime

@@ -0,0 +1 @@
+28800s

smeserver-libreswan/root/etc/e-smith/db/configuration/defaults/ipsec/security

@@ -0,0 +1 @@
+secret

smeserver-libreswan/root/etc/e-smith/templates/etc/ipsec.d/ipsec.conf/10Connection

@@ -48,9 +48,25 @@
 # Not templated this - maybe later with L2TPD
 # We currently use a password file but this could be integrated with other authent later
 
-          my $auth = $configDB->get_prop( $dbKey, 'authentication' )
-            || 'secret';
-          $OUT .= "    authby=$auth\n";
+# Lazy - assume that it is security (password by default) - option is rsasig
+
+    my $security = $ipsecDB->get_prop( "$ipsecprop", 'security' ) || 'secret';
+    my $certname = $ipsecDB->get_prop( "$ipsecprop", 'certname' ) || '';
+
+    if ( $security = "rsasig" )
+    {
+    my $leftid = $ipsecDB->get_prop( "$ipsecprop", 'leftid' ) || '';
+    $OUT .= "    authby=$security\n";
+    $OUT .= "    leftid=\"CN=$certname\"\n";
+    $OUT .= "    leftcert=$certname\n";
+    $OUT .= "    leftrsasigkey=\%cert\n";
+
+    } else
+    {
+    $OUT .= "    authby=$security\n";
+    }
+
+
 
         # Use connection value if it exists, if not use generic db value
           my $auto =

smeserver-libreswan/root/etc/e-smith/templates/etc/ipsec.d/ipsec.secrets/10Passwords

@@ -39,9 +39,20 @@
    if ( $ipsecstatus eq "enabled" )
    {
     my $right  = $ipsecDB->get_prop( "$ipsecprop", 'right' )  || '';
+    my $security = $ipsecDB->get_prop( "$ipsecprop", 'security' ) || 'secret';
+    my $certname = $ipsecDB->get_prop( "$ipsecprop", 'certname' ) || '';
     my $passwd = $ipsecDB->get_prop( "$ipsecprop", 'passwd' ) || '';
+
     $OUT .= "# $ipsecprop is enabled\n";
+
+    if ( $security eq "secret" )
+    {
     $OUT .= "$ExternalIP $right \: PSK \"$passwd\"";
+    }
+    if ( $security eq "rsasig" )
+    {
+    $OUT .= "$ExternalIP $right \: RSA \"$certname\"";
+    }
     $OUT .= "\n";
    }