Global: Replace OpenSWAN with StrongSWAN (yay!)

README

 IPSec-L2TP support for NetworkManager
 =====================================
 
-Uses xl2tpd and (optional) openswan.
+Uses xl2tpd and (optional) strongswan.
 
 Build
 =====
@@ -26,4 +26,4 @@ so you have to give ./configure every path manually.
 
 You'll need at least the following installed:
 
-  sudo apt-get install xl2tpd openswan
+  sudo apt-get install xl2tpd strongswan

src/nm-ipsec-l2tp-service.c

@@ -855,31 +855,32 @@ free_args (GPtrArray *args)
 static void
 nm_ipsec_l2tp_stop_ipsec(void)
 {
-	const char *ipsec_binary;
 	char session_name[128];
-	GPtrArray *whack_argv;
+	char cmdbuf[256];
+	int sys = 0;
 
-	g_message("ipsec prepare for shut down");
-	if (!(ipsec_binary=nm_find_ipsec())) return;
+	g_message("IPSec prepare for shut down");
 
 	sprintf(session_name, "nm-ipsec-l2tp-%d", getpid());
-	whack_argv = g_ptr_array_new ();
-	g_ptr_array_add (whack_argv, (gpointer) g_strdup (ipsec_binary));
-	g_ptr_array_add (whack_argv, (gpointer) g_strdup ("whack"));
-	g_ptr_array_add (whack_argv, (gpointer) g_strdup ("--delete"));
-	g_ptr_array_add (whack_argv, (gpointer) g_strdup ("--name"));
-	g_ptr_array_add (whack_argv, (gpointer) g_strdup (session_name));
-	g_ptr_array_add (whack_argv, NULL);
-
-	if (!g_spawn_sync (NULL, (char **) whack_argv->pdata, NULL,
-	                    0, NULL, NULL,
-			    NULL,NULL,
-			    NULL, NULL)) {
-		free_args (whack_argv);
+	sprintf(cmdbuf, PATH_PREFIX " ipsec down '%s'", session_name);
+	sys = system(cmdbuf);
+	if (sys) {
+		return;
+	}
+
+	sys = system(PATH_PREFIX " ipsec stop");
+	if (sys) {
 		return;
 	}
+	sleep(1);
+
+	sys = system(PATH_PREFIX " ipsec start");
+	if (sys) {
+		return;
+	}
+	sleep(1);
 
-	g_message("ipsec shut down");
+	g_message("IPSec shut down");
 }
 
 static gboolean
@@ -899,31 +900,21 @@ nm_ipsec_l2tp_start_ipsec(NMIPSecL2tpPlugin *plugin,
 	gboolean rc = FALSE;
 
 	if (!(ipsec_binary=nm_find_ipsec())) {
-		return nm_ipsec_l2tp_error(error, "Could not find the ipsec binary. Is OpenSWAN installed?");
+		return nm_ipsec_l2tp_error(error, "Could not find the ipsec binary. Is StrongSWAN installed?");
 	}
 
 	sprintf(session_name, "nm-ipsec-l2tp-%d", getpid());
 
-	sys = system("test -e /var/run/pluto/ipsec.info && . /var/run/pluto/ipsec.info;"
-			PATH_PREFIX "; export PATH;"
-			"if [ \"x$defaultrouteaddr\" = \"x\" ]; then ipsec setup restart; fi");
-	if (sys) {
-		return nm_ipsec_l2tp_error(error, "Could not restart the ipsec service.");
-	}
-
-	/* Give pluto time to start up */
-	sleep(1);
-
-	sys = system(PATH_PREFIX " ipsec whack --listen");
+	sys = system(PATH_PREFIX " ipsec version");
 	if (sys) {
 		return nm_ipsec_l2tp_error(error, "Could not talk to IPsec key exchange service.");
 	}
 
 	/* the way this works is sadly very messy
 	   we replace the user's /etc/ipsec.secrets file
-	   we ask openswan to reload the secrets,
+	   we ask strongswan to reload the secrets,
 	   we whack in our connection,
-	   we then replace the secrets and ask openswan to reload them
+	   we then replace the secrets and ask strongswan to reload them
 	*/
 	sprintf(tmp_secrets, "/etc/ipsec.secrets.%d",getpid());
 	if(-1==rename("/etc/ipsec.secrets", tmp_secrets) && errno != EEXIST) {
@@ -967,33 +958,33 @@ nm_ipsec_l2tp_start_ipsec(NMIPSecL2tpPlugin *plugin,
 	/* Wait a sec */
 	sleep(1);
 
-	sys = system(PATH_PREFIX " ipsec secrets");
+	sys = system(PATH_PREFIX " ipsec stop");
+	if (sys) {
+		return nm_ipsec_l2tp_error(error, "Could not stop the ipsec service.");
+	}
+	sleep(1);
+
+	sprintf(cmdbuf, PATH_PREFIX " ipsec starter "
+			" --conf /var/run/nm-ipsec-l2tp.%d/ipsec.conf", getpid());
+	sys = system(cmdbuf);
 	if (!sys) {
-		sprintf(cmdbuf, PATH_PREFIX " ipsec auto "
-				" --config /var/run/nm-ipsec-l2tp.%d/ipsec.conf --verbose"
-				" --add '%s'", getpid(),session_name);
+		sleep(1);
+		sprintf(cmdbuf, PATH_PREFIX " ipsec up '%s'", session_name);
 		sys = system(cmdbuf);
 		if (!sys) {
-			sprintf(cmdbuf, PATH_PREFIX " ipsec auto "
-					" --config /var/run/nm-ipsec-l2tp.%d/ipsec.conf --verbose"
-					" --up '%s'",getpid(),session_name);
-			sys = system(cmdbuf);
-			if (!sys) {
-				rc = TRUE;
-				g_message(_("ipsec ready for action"));
-			} else {
-				rename(tmp_secrets, "/etc/ipsec.secrets");
-				return nm_ipsec_l2tp_error(error, "Could not establish IPsec tunnel.");
-			}
+			rc = TRUE;
+			g_message(_("IPsec ready for action"));
 		} else {
 			rename(tmp_secrets, "/etc/ipsec.secrets");
-			return nm_ipsec_l2tp_error(error, "Could not configure IPsec tunnel.");
+			return nm_ipsec_l2tp_error(error, "Could not establish IPsec tunnel.");
 		}
 	} else {
 		rename(tmp_secrets, "/etc/ipsec.secrets");
-		return nm_ipsec_l2tp_error(error, "Could not load new IPsec secret.");
+		sleep(1);
+		return nm_ipsec_l2tp_error(error, "Could not configure IPsec tunnel.");
 	}
 
+
 	if (rename(tmp_secrets, "/etc/ipsec.secrets") ||
 			system(PATH_PREFIX " ipsec secrets")) {
 		g_warning(_("Could not restore saved /etc/ipsec.secrets from %s."), _(tmp_secrets));
@@ -1158,13 +1149,9 @@ nm_ipsec_l2tp_config_write (NMIPSecL2tpPlugin *plugin,
 		return nm_ipsec_l2tp_error(error, "Could not write ipsec config.");
 	}
 
-	write_config_option (ipsec_fd, "version	2.0\n\n");
+	write_config_option (ipsec_fd, "version 2.0\n\n");
 	write_config_option (ipsec_fd, "config setup\n"
-		"  plutodebug=none\n"
-		"  strictcrlpolicy=no\n"
-		"  interfaces=%%defaultroute\n"
-		"  oe=off\n"
-		"  protostack=netkey\n\n");
+		"  strictcrlpolicy=no\n\n");
 	write_config_option (ipsec_fd, "conn %%default\n"
 		"  keyingtries=3\n"
 		"  rekey=yes\n"
@@ -1172,8 +1159,11 @@ nm_ipsec_l2tp_config_write (NMIPSecL2tpPlugin *plugin,
 		"  left=%%defaultroute\n"
 		"  leftprotoport=17/1701\n"
 		"  rightprotoport=17/1701\n\n");
+
 	write_config_option (ipsec_fd, "conn nm-ipsec-l2tp-%d\n", pid);
 	write_config_option (ipsec_fd,
+		"  keyexchange=ikev1\n"
+		"  ike=aes128-sha1-modp1024,3des-sha1-modp1024\n"
 		"  authby=rsasig\n");
 	value = nm_setting_vpn_get_data_item (s_vpn, NM_IPSEC_L2TP_KEY_IPSEC_RSA);
 	if(value) write_config_option (ipsec_fd, "  leftcert=\"%s\"\n", value);
@@ -1184,7 +1174,6 @@ nm_ipsec_l2tp_config_write (NMIPSecL2tpPlugin *plugin,
 	write_config_option (ipsec_fd,
 		"  auto=add\n\n");
 
-
 	filename = g_strdup_printf ("/var/run/nm-ipsec-xl2tpd.conf.%d", pid);
 	conf_fd = open (filename, O_RDWR|O_CREAT|O_TRUNC, S_IRUSR|S_IWUSR);
 	g_free (filename);