From 7c0d08442ed3fa244a9211d4682040e8fb139db4 Mon Sep 17 00:00:00 2001
From: hwdsl2
Date: Mon, 14 Feb 2022 03:46:06 -0600
Subject: [PATCH] Update IKEv2 script

- Improve backward compatibility: Protect IKEv2 client config files using a password if one was previously generated.
- Ref: dbc3527

---
 extras/ikev2setup.sh | 34 +++++++++++++++++++++++-----------
 1 file changed, 23 insertions(+), 11 deletions(-)

diff --git a/extras/ikev2setup.sh b/extras/ikev2setup.sh
index 8425331..87adb23 100755
--- a/extras/ikev2setup.sh
+++ b/extras/ikev2setup.sh
@@ -577,23 +577,35 @@ EOF
   fi
 }
 
+check_config_password() {
+  config_file="/etc/ipsec.d/.vpnconfig"
+  if grep -qs '^IKEV2_CONFIG_PASSWORD=.\+' "$config_file"; then
+    use_config_password=1
+  else
+    use_config_password=0
+  fi
+}
+
 select_config_password() {
+  if [ "$use_config_password" = "0" ]; then
   cat <<'EOF'
 
 IKEv2 client config files contain the client certificate, private key and CA certificate.
 This script can optionally generate a random password to protect these files.
+Future client config files will also be protected using the same password.
 
 EOF
-  printf "Protect client config files using a password? [y/N] "
-  read -r response
-  case $response in
-    [yY][eE][sS]|[yY])
-      use_config_password=1
-      ;;
-    *)
-      use_config_password=0
-      ;;
-  esac
+    printf "Protect client config files using a password? [y/N] "
+    read -r response
+    case $response in
+      [yY][eE][sS]|[yY])
+        use_config_password=1
+        ;;
+      *)
+        use_config_password=0
+        ;;
+    esac
+  fi
 }
 
 select_menu_option() {
@@ -1273,7 +1285,6 @@ ikev2setup() {
   check_utils_exist
 
   use_defaults=0
-  use_config_password=0
   add_client=0
   export_client=0
   list_clients=0
@@ -1321,6 +1332,7 @@ ikev2setup() {
   done
 
   check_arguments
+  check_config_password
   get_export_dir
 
   if [ "$add_client" = "1" ]; then
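Review bot: The new guard in select_config_password tests for the literal `"0"`, so if `use_config_password` is ever unset when the function runs (the second hunk removes the `use_config_password=0` default from ikev2setup and the third hunk makes check_config_password the only place that sets it) the prompt is skipped silently and the variable stays empty, which the rest of the script presumably reads as "no password"; `if [ "$use_config_password" != "1" ]; then` keeps the prompt as the safe fallback. In check_config_password the `.\+` quantifier is a GNU BRE extension rather than POSIX, so `grep -qs '^IKEV2_CONFIG_PASSWORD=..*' "$config_file"` is the portable spelling if the script is meant to run on non-GNU grep. The grep establishes only that a password line exists, not who can read `/etc/ipsec.d/.vpnconfig`; since that file now decides whether every future export is protected, a comment such as `# .vpnconfig stores the export password in cleartext; presumably kept root-only by the writer — confirm` next to the grep would record the assumption. select_config_password is fully inside the first hunk; ikev2setup in the second and third hunks starts and ends outside them.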