ipsec updown script (invoked by the IKE daemon with the PLUTO_* environment) for OpenWrt
#!/bin/sh
# file: ipsec-updown.sh
# date: 2018-04-06
# license: GPLv3 https://www.gnu.org/licenses/gpl-3.0.txt
# author: nanpuyue <[email protected]> https://blog.nanpuyue.com
# --- tunables ---------------------------------------------------------------
LOGFILE="/var/log/ipsec-check.log"   # the background checker appends its events here
PIDFILE="/var/run/ipsec-check.pid"   # pidfile of the background checker (ipsec-check)
SETNAME="ipsec-vpn telegram"         # space-separated ipset names whose destinations get SNAT'ed to the tunnel IP
VERBOSE=1                            # 1: the iptables() wrapper echoes every command it runs
CHECK_INT=30                         # seconds between peer reachability probes
PING_COUNT=4                         # packets per ping probe
RETRY=10                             # rounds ipsec-status spends trying to get the connection ESTABLISHED
TIMEOUT=40                           # seconds to wait for an ESTABLISHED SA (also the base of the restart back-off)
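# Probe helper for iptables(): re-runs the given rule with the first -A/-I/-D
# argument swapped for -C, so the caller learns whether the rule already
# exists without changing anything. Matching is done on whole arguments
# (not on substrings of the joined command line, as the old sed rewrite did),
# so values such as set names or addresses are never touched, and arguments
# containing spaces are passed through intact. Exit status is that of the
# -C check; its stderr is discarded because "no such rule" is expected.
_iptables_probe(){
    _left=$#
    _swapped=0
    # Rotate the positional parameters once, rewriting the first -A/-I/-D.
    while [ "${_left}" -gt 0 ]; do
        _arg=$1
        shift
        if [ "${_swapped}" -eq 0 ]; then
            case "${_arg}" in
                -A|-I|-D) _arg=-C; _swapped=1 ;;
            esac
        fi
        set -- "$@" "${_arg}"
        _left=$((_left - 1))
    done
    command iptables "$@" 2>/dev/null
}

# Idempotent iptables wrapper: an -A/-I is skipped when the rule is already
# present (no duplicate rules after repeated up-client events) and a -D is
# skipped when the rule is absent (no noisy failures). Any other invocation is
# passed straight through. With VERBOSE=1 the command actually executed is
# echoed first. Returns 0 when nothing had to be done, otherwise the exit
# status of iptables itself.
iptables(){
    _mode=""
    for _arg in "$@"; do
        case "${_arg}" in
            -A|-I) _mode=add; break ;;
            -D) _mode=del; break ;;
        esac
    done
    case "${_mode}" in
        add)
            # Rule already present: nothing to do.
            _iptables_probe "$@" && return 0
            ;;
        del)
            # Rule not present: nothing to delete.
            _iptables_probe "$@" || return 0
            ;;
    esac
    [ "${VERBOSE}x" = 1x ] && echo iptables "$@"
    command iptables "$@"
}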
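# Remove every SNAT rule in nat/POSTROUTING that matches one of the ipsets in
# SETNAME, whatever --to-source it carries (leftovers from an earlier tunnel
# with a different virtual IP, which unset_snat_rules() cannot find).
#
# Deletion is by rule number, taken from `iptables -L --line-numbers`. The
# numbers are deleted highest-first: removing a lower-numbered rule renumbers
# everything after it, so ascending deletion would hit the wrong rules. The
# previous version also collapsed the grep output into one line before awk,
# so at most one rule per set was ever removed.
#
# Uses `command iptables` on purpose: the iptables() wrapper would turn
# "-D POSTROUTING <n>" into a "-C" probe that cannot work with a rule number.
clean_snat_rules(){
    for _set in ${SETNAME}; do
        # Fixed-string match including the trailing space, so "ipsec-vpn" does
        # not also select rules for a set such as "ipsec-vpn2".
        _nums=$(command iptables -t nat -L POSTROUTING --line-numbers \
                | grep -F -- "match-set ${_set} " | awk '{print $1}' | sort -rn)
        [ -n "${_nums}" ] || continue
        for _n in ${_nums}; do
            command iptables -t nat -D POSTROUTING "${_n}"
        done
    done
}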
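# Install the SNAT rules for the tunnel: traffic to any destination held in
# the ipsets named in SETNAME, plus everything that reaches the user-defined
# nat chain "bind9", is rewritten to PLUTO_MY_SOURCEIP (presumably the virtual
# IP assigned to this end of the tunnel - the IKE daemon sets it). Rules go
# through the iptables() wrapper, so a rule that is already present is not
# added a second time.
#
# Returns 1 without touching the tables when PLUTO_MY_SOURCEIP is empty: an
# unquoted empty value would leave "--to-source" with no argument and every
# iptables call would fail anyway, just less clearly.
#
# NOTE(review): the "bind9" chain must already exist; it is created elsewhere.
set_snat_rules(){
    if [ -z "${PLUTO_MY_SOURCEIP}" ]; then
        echo "$0: PLUTO_MY_SOURCEIP is empty, not installing SNAT rules" >&2
        return 1
    fi
    for _set in ${SETNAME}; do
        iptables -t nat -I POSTROUTING -m set --match-set "${_set}" dst -j SNAT --to-source "${PLUTO_MY_SOURCEIP}"
    done
    iptables -t nat -A bind9 -j SNAT --to-source "${PLUTO_MY_SOURCEIP}"
}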
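# Remove exactly the rules set_snat_rules() installs for the current
# PLUTO_MY_SOURCEIP: one SNAT rule per ipset in SETNAME in nat/POSTROUTING
# and the SNAT rule in the user-defined nat chain "bind9". The iptables()
# wrapper skips a -D for a rule that is no longer there, so this is safe to
# run more than once.
#
# Returns 1 without touching the tables when PLUTO_MY_SOURCEIP is empty, as
# no rule could have been installed for it (and "--to-source" with no
# argument would make every iptables call fail).
unset_snat_rules(){
    if [ -z "${PLUTO_MY_SOURCEIP}" ]; then
        echo "$0: PLUTO_MY_SOURCEIP is empty, no SNAT rules to remove" >&2
        return 1
    fi
    for _set in ${SETNAME}; do
        iptables -t nat -D POSTROUTING -m set --match-set "${_set}" dst -j SNAT --to-source "${PLUTO_MY_SOURCEIP}"
    done
    iptables -t nat -D bind9 -j SNAT --to-source "${PLUTO_MY_SOURCEIP}"
}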
# Start (or restart) the background reachability watchdog for this connection.
#
# Two helper scripts are generated from nested here-documents and launched
# with start-stop-daemon:
#   /tmp/ipsec-check  - every CHECK_INT seconds pings PLUTO_PEER from
#                       PLUTO_MY_SOURCEIP (PING_COUNT packets). When that
#                       fails while a plain ping of the peer still succeeds,
#                       it logs "restart" to LOGFILE, launches
#                       /tmp/ipsec-status, runs `ipsec restart` and exits.
#   /tmp/ipsec-status - repeatedly `ipsec up`s the connection while
#                       `ipsec status` prints a bare "none" line, then sleeps
#                       TIMEOUT seconds and exits once an ESTABLISHED SA is
#                       listed. Otherwise it does `ipsec stop` and, on all but
#                       the last of RETRY rounds, sleeps a back-off that
#                       doubles each round (2*TIMEOUT, 4*TIMEOUT, ...) before
#                       `ipsec start`. After the last round the daemon is
#                       left stopped.
#
# Escaping: both here-documents are unquoted, so `${X}` is expanded right
# here (the value is baked into the file), `\${X}` survives into ipsec-check,
# and `\\\${X}` survives as `${X}` all the way into ipsec-status. Note that
# the `sleep ${TIMEOUT}` before the ESTABLISHED check therefore uses the
# fixed TIMEOUT, while `sleep \\\${TIMEOUT}` uses the doubled value.
# Re-check this before editing either heredoc body.
#
# NOTE(review): the generated scripts live at fixed names under /tmp, are
# written with `cat >` and then executed by a daemon started from this
# updown script (which the IKE daemon runs as root), so anyone able to create
# files or symlinks in /tmp beforehand could influence what gets executed
# (symlink / TOCTOU). mktemp, or a root-only directory, would avoid that.
# OpenWrt's /tmp is presumably a root-owned tmpfs on a single-user box -
# confirm for the target system.
# NOTE(review): PLUTO_CONNECTION, PLUTO_PEER and PLUTO_MY_SOURCEIP are
# interpolated unquoted into generated shell code. They come from the IKE
# daemon's own configuration, so they are trusted config, not peer input.
# NOTE(review): only ipsec-check is tracked in PIDFILE; ipsec-status runs
# without one, so nothing stops it when the connection goes down.
ipsec_check(){
# Fixed path of the outer watchdog script (see the NOTE above).
script=/tmp/ipsec-check
cat > ${script} << EOF1
#!/bin/sh
ipsec_status(){
script=/tmp/ipsec-status
cat > \${script} << EOF2
#!/bin/sh
RETRY=0; OLD_TIMEOUT=0; TIMEOUT=${TIMEOUT}
while [ \\\${RETRY} -lt ${RETRY} ]; do
let RETRY++
let OLD_TIMEOUT=\\\${TIMEOUT}
let TIMEOUT=\\\${TIMEOUT}+\\\${OLD_TIMEOUT}
while (sleep 5); do
if (ipsec status ${PLUTO_CONNECTION}|grep -e '^\s*none$'); then
date "+%Y-%m-%d %H:%M:%S: up ${PLUTO_CONNECTION}" >> ${LOGFILE}
ipsec up ${PLUTO_CONNECTION}
else
break
fi
done
if (sleep ${TIMEOUT}) &&\\\\
(ipsec status ${PLUTO_CONNECTION}|grep ESTABLISHED); then
exit
else
date "+%Y-%m-%d %H:%M:%S: stop" >> ${LOGFILE}
ipsec stop
if [ \\\${RETRY} -lt ${RETRY} ]; then
date "+%Y-%m-%d %H:%M:%S: start after \\\${TIMEOUT} sec" >> ${LOGFILE}
sleep \\\${TIMEOUT}
ipsec start
fi
fi
done
EOF2
chmod +x \${script}
start-stop-daemon -Sbqx \${script}
}
while (sleep ${CHECK_INT}); do
if ! (ping -I ${PLUTO_MY_SOURCEIP} -c ${PING_COUNT} ${PLUTO_PEER}) &&\\
(ping -c ${PING_COUNT} ${PLUTO_PEER}); then
date "+%Y-%m-%d %H:%M:%S: restart" >> ${LOGFILE}
ipsec_status
ipsec restart
exit
fi
done
EOF1
chmod +x ${script}
# Kill a checker left over from an earlier up-client (stderr hidden because
# usually there is none), then start the new one in the background; -m makes
# start-stop-daemon write PIDFILE itself so down-client can find it.
start-stop-daemon -Kp ${PIDFILE} -s SIGKILL 2>/dev/null
echo "start service: ${script}"
start-stop-daemon -Sbqmp ${PIDFILE} -x ${script}
}
# Entry point. The IKE daemon invokes this script with the event name in
# PLUTO_VERB; only the client-side up/down events are handled, anything else
# is logged and ignored.
echo $0: ${PLUTO_VERB}
if [ "${PLUTO_VERB}" = up-client ]; then
    # Drop stale SNAT rules from a previous tunnel, then install the current ones.
    clean_snat_rules
    set_snat_rules
    # Packets that will be IPsec-protected leave the nat chain untouched, so
    # the SNAT rules below this one never rewrite tunnel traffic itself.
    iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
    # Remove the pref-220 routing policy rule (presumably the one the stock
    # _updown script installs - confirm). It is not re-added on down-client.
    ip rule del pref 220
    ipsec_check
elif [ "${PLUTO_VERB}" = down-client ]; then
    unset_snat_rules
    iptables -t nat -D POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
    # Stop the watchdog started by ipsec_check.
    start-stop-daemon -Kp ${PIDFILE} -s SIGKILL
fi