AETHER-918 Initial commit of strongSwan role
Change-Id: I090832bd211f9f053fecc7abda851bf9edc696b1
diff --git a/files/ipsec-vti.sh b/files/ipsec-vti.sh
new file mode 100644
index 0000000..0d9022e
--- /dev/null
+++ b/files/ipsec-vti.sh
@@ -0,0 +1,103 @@
+#!/bin/bash
+#
+# strongswan files/ipsec-vti.sh - Ansible managed: Do NOT edit this file manually!
+#
+# SPDX-FileCopyrightText: © 2020 Open Networking Foundation <support@opennetworking.org>
+# SPDX-License-Identifier: Apache-2.0
+
+set -o nounset
+set -o errexit
+
+echo "${PLUTO_VERB}" >> /tmp/yoyo
+while [[ $# -gt 1 ]]; do
+ case ${1} in
+ -ln|--link-name)
+ TUNNEL_NAME="${2}"
+ TUNNEL_PHY_INTERFACE="${PLUTO_INTERFACE}"
+ shift
+ ;;
+ -ll|--link-local)
+ TUNNEL_LOCAL_ADDRESS="${2}"
+ TUNNEL_LOCAL_ENDPOINT="${PLUTO_ME}"
+ shift
+ ;;
+ -lr|--link-remote)
+ TUNNEL_REMOTE_ADDRESS="${2}"
+ TUNNEL_REMOTE_ENDPOINT="${PLUTO_PEER}"
+ shift
+ ;;
+ -m|--mark)
+ TUNNEL_MARK="${2}"
+ shift
+ ;;
+ -r|--static-route)
+ TUNNEL_STATIC_ROUTE="${2}"
+ shift
+ ;;
+ *)
+ echo "${0}: Unknown argument \"${1}\"" >&2
+ ;;
+ esac
+ shift
+done
+
+command_exists() {
+ type "$1" >&2 2>&2
+}
+
+create_interface() {
+ {
+ echo "ip link add ${TUNNEL_NAME} type vti local ${TUNNEL_LOCAL_ENDPOINT} remote ${TUNNEL_REMOTE_ENDPOINT} key ${TUNNEL_MARK}"
+ echo "ip addr add ${TUNNEL_LOCAL_ADDRESS} remote ${TUNNEL_REMOTE_ADDRESS} dev ${TUNNEL_NAME}"
+ echo "ip link set ${TUNNEL_NAME} up mtu 1387"
+ } >> /tmp/yoyo
+ ip link add "${TUNNEL_NAME}" type vti local "${TUNNEL_LOCAL_ENDPOINT}" remote "${TUNNEL_REMOTE_ENDPOINT}" key "${TUNNEL_MARK}"
+ ip addr add "${TUNNEL_LOCAL_ADDRESS}" remote "${TUNNEL_REMOTE_ADDRESS}" dev "${TUNNEL_NAME}"
+ ip link set "${TUNNEL_NAME}" up mtu 1387
+}
+
+configure_sysctl() {
+ sysctl -w net.ipv4.ip_forward=1
+ sysctl -w net.ipv4.conf."${TUNNEL_NAME}".rp_filter=2
+ sysctl -w net.ipv4.conf."${TUNNEL_NAME}".disable_policy=1
+ sysctl -w net.ipv4.conf."${TUNNEL_PHY_INTERFACE}".disable_xfrm=1
+ sysctl -w net.ipv4.conf."${TUNNEL_PHY_INTERFACE}".disable_policy=1
+}
+
+add_route() {
+ IFS=',' read -ra route <<< "${TUNNEL_STATIC_ROUTE}"
+ for i in "${route[@]}"; do
+ ip route add "${i}" dev "${TUNNEL_NAME}" metric "${TUNNEL_MARK}"
+ done
+}
+
+cleanup() {
+ IFS=',' read -ra route <<< "${TUNNEL_STATIC_ROUTE}"
+ for i in "${route[@]}"; do
+ ip route del "${i}" dev "${TUNNEL_NAME}" metric "${TUNNEL_MARK}"
+ done
+}
+
+delete_interface() {
+ ip link set "${TUNNEL_NAME}" down
+ ip link del "${TUNNEL_NAME}"
+}
+
+# main execution starts here
+
+command_exists ip || echo "ERROR: ip command is required to execute the script, check if you are running as root, mostly to do with path, /sbin/" >&2 2>&2
+command_exists iptables || echo "ERROR: iptables command is required to execute the script, check if you are running as root, mostly to do with path, /sbin/" >&2 2>&2
+command_exists sysctl || echo "ERROR: sysctl command is required to execute the script, check if you are running as root, mostly to do with path, /sbin/" >&2 2>&2
+
+case "${PLUTO_VERB}" in
+ up-client)
+ create_interface
+ configure_sysctl
+ add_route
+ echo "A"
+ ;;
+ down-client)
+ cleanup
+ delete_interface
+ ;;
+esac
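Review bot: This updown hook runs as root under charon yet appends debug output to the fixed path `/tmp/yoyo` (line 19 and the brace group at the top of `create_interface`), a predictable filename in a world-writable directory that also leaves the tunnel endpoints and mark on disk; together with `echo "A"` in the `up-client` arm these look like leftover debugging and should be removed, or routed to syslog with `logger -t ipsec-vti -- "${PLUTO_VERB}: ${TUNNEL_NAME}"` if a trace is still wanted. Separately, the `command_exists ip || echo …` lines only print a message — the `2>&2` redirection is a no-op and nothing exits — so a missing `ip` or `sysctl` still reaches the `ip link add` calls; `|| exit 1` after each check (or a `die` helper) makes the precondition real. With `set -o nounset`, `add_route` and `cleanup` also abort when `-r` was not passed, so `IFS=',' read -ra route <<< "${TUNNEL_STATIC_ROUTE:-}"` keeps the hook usable for tunnels without a static route.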