From 8d26e0b6c9ca1be97918dc9d0b169ccd8b16be82 Mon Sep 17 00:00:00 2001
From: hwdsl2
Date: Sun, 25 Jul 2021 20:55:40 -0500
Subject: [PATCH] Update IKEv2 script

- Improve checking for MOBIKE support. Linux kernels on QNAP systems do not support MOBIKE.
Ref: https://github.com/hwdsl2/docker-ipsec-vpn-server/issues/247
- Switch to use /etc/ipsec.d/.vpnconfig to store generated password for IKEv2 client config files, instead of vpnclient.p12.password. Migrate to use .vpnconfig if the older config file is found.
Ref: 45ee41d
---
 extras/ikev2setup.sh | 33 +++++++++++++++++++++++----------
 1 file changed, 23 insertions(+), 10 deletions(-)

diff --git a/extras/ikev2setup.sh b/extras/ikev2setup.sh
index 4cb9242..239aa72 100755
--- a/extras/ikev2setup.sh
+++ b/extras/ikev2setup.sh
@@ -581,6 +581,9 @@ check_mobike_support() {
 mobike_support=0
 fi
 fi
+ if uname -a | grep -qi qnap; then
+ mobike_support=0
+ fi
 if [ "$mobike_support" = "1" ]; then
 bigecho2 "Checking for MOBIKE support... available"
 else
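Review bot: The added `uname -a | grep -qi qnap` test matches every field `uname -a` prints, including the hostname, so a non-QNAP machine whose host name happens to contain "qnap" is silently marked as lacking MOBIKE. If the QNAP marker lives in the kernel release or version string (the page does not show which field carries it), narrowing the probe to `uname -rv | grep -qi qnap` would avoid that false positive. A one-line why-comment above the test would also help the next reader, e.g. `# QNAP kernels lack MOBIKE support (docker-ipsec-vpn-server issue #247)`. check_mobike_support begins outside the hunk.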
@@ -685,20 +688,26 @@ create_client_cert() {
 }
 
 create_p12_password() {
- p12_password_file="${export_dir}vpnclient.p12.password"
- if grep -qs '^IKEV2_CONFIG_PASSWORD=.\+' "$p12_password_file"; then
- . "$p12_password_file"
+ config_file="/etc/ipsec.d/.vpnconfig"
+ config_file_old="${export_dir}vpnclient.p12.password"
+ update_config=0
+ if grep -qs '^IKEV2_CONFIG_PASSWORD=.\+' "$config_file"; then
+ . "$config_file"
 p12_password="$IKEV2_CONFIG_PASSWORD"
+ elif grep -qs '^IKEV2_CONFIG_PASSWORD=.\+' "$config_file_old"; then
+ . "$config_file_old"
+ p12_password="$IKEV2_CONFIG_PASSWORD"
+ /bin/rm -f "$config_file_old"
+ update_config=1
 else
 p12_password=$(LC_CTYPE=C tr -dc 'A-HJ-NPR-Za-km-z2-9' /dev/null | head -c 18)
 [ -z "$p12_password" ] && exiterr "Could not generate a random password for .p12 file."
- if [ ! -f "$p12_password_file" ]; then
- printf '%s\n' "IKEV2_CONFIG_PASSWORD=$p12_password" > "$p12_password_file"
- if [ "$export_to_home_dir" = "1" ]; then
- chown "$SUDO_USER:$SUDO_USER" "$p12_password_file"
- fi
- chmod 600 "$p12_password_file"
- fi
+ update_config=1
+ fi
+ if [ "$update_config" = "1" ]; then
+ mkdir -p /etc/ipsec.d
+ printf '%s\n' "IKEV2_CONFIG_PASSWORD='$p12_password'" >> "$config_file"
+ chmod 600 "$config_file"
 fi
 }
 
@@ -1244,6 +1253,10 @@ delete_certificates() {
 crlutil -D -d sql:/etc/ipsec.d -n "IKEv2 VPN CA" 2>/dev/null
 certutil -F -d sql:/etc/ipsec.d -n "IKEv2 VPN CA"
 certutil -D -d sql:/etc/ipsec.d -n "IKEv2 VPN CA" 2>/dev/null
+ config_file="/etc/ipsec.d/.vpnconfig"
+ if grep -qs '^IKEV2_CONFIG_PASSWORD=.\+' "$config_file"; then
+ sed -i '/IKEV2_CONFIG_PASSWORD=/d' "$config_file"
+ fi
 }
 
 print_ikev2_removed() {
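Review bot: In the migration branch of create_p12_password, `/bin/rm -f "$config_file_old"` runs before the password is written to the new location in the later `if [ "$update_config" = "1" ]` block, so if `mkdir -p` or the `printf` to `/etc/ipsec.d/.vpnconfig` fails the only copy of the password protecting already-exported .p12 files is gone; the removal should follow a successful write. The same `elif` branch still executes `. "$config_file_old"`, and the removed lines show that file could be chown'd to `$SUDO_USER` under the export directory, so root sources a potentially user-writable file — reading the value with `sed -n 's/^IKEV2_CONFIG_PASSWORD=//p'` avoids executing it. Finally, `printf … >> "$config_file"` creates the file under the current umask before `chmod 600` runs; a `umask 077` around the write closes that window. The rewritten tail of the function below keeps the random-generation branch as is.
```sh
  update_config=0
  migrate_old=0
  # … unchanged: if-branch that reads an existing /etc/ipsec.d/.vpnconfig …
  elif grep -qs '^IKEV2_CONFIG_PASSWORD=.\+' "$config_file_old"; then
    # Parse rather than source: the old file lives under the export dir and may be user-writable
    p12_password=$(sed -n 's/^IKEV2_CONFIG_PASSWORD=//p' "$config_file_old" | head -n 1 | tr -d "'\"")
    [ -z "$p12_password" ] && exiterr "Could not read the password from $config_file_old."
    migrate_old=1
    update_config=1
  else
    # … unchanged: random password generation and update_config=1 …
  fi
  if [ "$update_config" = "1" ]; then
    mkdir -p /etc/ipsec.d
    # umask keeps the file 0600 from creation; chmod covers a pre-existing file
    (umask 077; printf '%s\n' "IKEV2_CONFIG_PASSWORD='$p12_password'" >> "$config_file") \
      || exiterr "Could not write $config_file."
    chmod 600 "$config_file"
    # Drop the pre-migration file only once the new location holds the password
    [ "$migrate_old" = "1" ] && /bin/rm -f "$config_file_old"
  fi
```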
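Review bot: The `sed -i '/IKEV2_CONFIG_PASSWORD=/d'` pattern added to delete_certificates is unanchored, unlike the `^IKEV2_CONFIG_PASSWORD=.\+` test guarding it, so it also deletes commented or otherwise-prefixed lines that merely contain the key; `sed -i '/^IKEV2_CONFIG_PASSWORD=/d' "$config_file"` keeps the two consistent. The cleanup only touches `/etc/ipsec.d/.vpnconfig`; a pre-migration `${export_dir}vpnclient.p12.password` that create_p12_password has not yet moved appears to be left on disk, unless that is handled in code outside this hunk. delete_certificates begins outside the hunk.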