ipsecctl

#!/bin/bash

function load_var {
  eval $(cat ${1} <( echo -e '\nset -o posix;set\n') | env - bash --noprofile --norc --posix  | sed 's/^/'$2'_/')
  if [ -n "$IF_IPSEC6" ]; then
    PEER_ENDPOINT=$PEER_ENDPOINT6
    SELF_ENDPOINT=$SELF_ENDPOINT6
  fi
}

function do_clear {
  $ip xfrm state del dst $PEER_ENDPOINT src $SELF_ENDPOINT proto esp spi $SELF_SPI
  $ip xfrm state del src $PEER_ENDPOINT dst $SELF_ENDPOINT proto esp spi $PEER_SPI
  $ip xfrm policy del dst $PEER_ENDPOINT src $SELF_ENDPOINT proto ipencap dir out
  $ip xfrm policy del src $PEER_ENDPOINT dst $SELF_ENDPOINT proto ipencap dir in
}

function do_addxfrm {
  $ip xfrm state add dst $PEER_ENDPOINT src $SELF_ENDPOINT proto esp spi $SELF_SPI reqid $SELF_REQID mode transport auth sha256 $SELF_AUTH_KEY enc aes $SELF_ENC_KEY
  $ip xfrm state add src $PEER_ENDPOINT dst $SELF_ENDPOINT proto esp spi $PEER_SPI reqid $PEER_REQID mode transport auth sha256 $PEER_AUTH_KEY enc aes $PEER_ENC_KEY
  $ip xfrm policy add dst $PEER_ENDPOINT src $SELF_ENDPOINT proto ipencap dir out tmpl proto esp reqid $SELF_REQID mode transport
  $ip xfrm policy add src $PEER_ENDPOINT dst $SELF_ENDPOINT proto ipencap dir in  tmpl proto esp reqid $PEER_REQID mode transport
}

if [ -z "$IF_IPSEC_PEER_NAME" ]; then
  exit 0;
fi

ip=ip

if [ -n "$IF_IPSEC6" ]; then
  ip=$ip" -6"
fi

if [ -z "$IF_IPSEC_SELF_NAME" ]; then
  IF_IPSEC_SELF_NAME=self
fi

cd /etc/ipsec-tunnels

load_var $IF_IPSEC_PEER_NAME PEER
load_var $IF_IPSEC_SELF_NAME SELF

case $PHASE in
  pre-up)
    if [ -n "$IF_IPSEC6" ]; then
      mode=ipip6
    else
      mode=ipip
    fi
    exec $ip tunnel add $IFACE mode $mode remote $PEER_ENDPOINT local $SELF_ENDPOINT ttl 64
    ;;
  post-up)
    do_clear
    do_addxfrm
    ;;
  pre-down)
    do_clear
    ;;
  post-down)
    exec $ip link del $IFACE
    ;;
esac