gen-ipsec-for-mt/generate_ipsec_config.rb

#!/usr/bin/env ruby

require 'cgi'
require 'ipaddr' # Load the IPAddr library

cgi = CGI.new
params = cgi.params

errors = []

# Phase 1 data (with validation)
phase1_profile_name = params['phase1_profile_name'][0]
errors << "Phase 1 profile name is required." if phase1_profile_name.nil? || phase1_profile_name.empty?

remote_gateway = params['phase1_remote_gateway'][0]
begin
  IPAddr.new(remote_gateway)
rescue IPAddr::InvalidAddressError
  errors << "Invalid remote gateway IP address."
end

local_address = params['phase1_local_address'][0] || '' # Optional
if !local_address.empty?
  begin
    IPAddr.new(local_address) # Check if it's a valid IP address
    errors << "Invalid local address (must be a single IP)." if IPAddr.new(local_address).prefix != 32
  rescue IPAddr::InvalidAddressError
    errors << "Invalid local address."
  end
end

ike_version = params['phase1_ike_version'][0]
auth_method = params['phase1_auth_method'][0]
pre_shared_key = (auth_method == 'psk') ? params['phase1_pre_shared_key'][0] : nil
errors << "Pre-shared key is required for PSK authentication." if auth_method == 'psk' && (pre_shared_key.nil? || pre_shared_key.empty?)
encryption_algorithms = params['phase1_encryption_algorithm'] || []
hash_algorithms = params['phase1_hash_algorithm'] || []
dh_group = params['phase1_dh_group'][0]
phase1_lifetime = params['phase1_lifetime'][0]
remote_id = params['phase1_remote_id'][0] || '' # Optional

# Phase 2 data (with validation)
phase2_profile_name = params['phase2_profile_name'][0]
errors << "Phase 2 profile name is required." if phase2_profile_name.nil? || phase2_profile_name.empty?
phase2_encryption_algorithms = params['phase2_encryption_algorithm'] || []
phase2_hash_algorithms = params['phase2_hash_algorithm'] || []
pfs_group = params['phase2_pfs_group'][0] || '' 
phase2_lifetime = params['phase2_lifetime'][0]
phase2_local_address = params['phase2_local_address'][0]
begin
  IPAddr.new(phase2_local_address) # Check if it's a valid IP address or CIDR
rescue IPAddr::InvalidAddressError
  errors << "Invalid phase 2 local address or subnet."
end

remote_address = params['phase2_remote_address'][0]
begin
  IPAddr.new(remote_address) # Check if it's a valid IP address or CIDR
rescue IPAddr::InvalidAddressError
  errors << "Invalid phase 2 remote address or subnet."
end


# Handle errors
if errors.any?
  cgi.header('type' => 'text/plain')
  puts "Errors:\n#{errors.join("\n")}" 
  exit
end

# Generate MikroTik CLI configuration commands
config = ""

# Phase 1
config << "/ip ipsec profile\nadd name=\"#{phase1_profile_name}\" dh-group=#{dh_group} enc-algorithm=\"#{encryption_algorithms.join(',')}\" hash-algorithm=\"#{hash_algorithms.join(',')}\" nat-traversal=no\n\n"
config << "/ip ipsec peer\nadd address=#{remote_gateway} "
config << "local-address=#{local_address} " unless local_address.empty?
config << "disabled=yes name=#{phase1_profile_name} passive=yes profile=#{phase1_profile_name}\n\n"

# Move pre-shared key to /ip ipsec identity
config << "/ip ipsec identity\nadd peer=#{phase1_profile_name} secret=\"#{pre_shared_key}\"\n\n"

# Phase 2
config << "/ip ipsec proposal\nadd name=\"#{phase2_profile_name}\" auth-algorithms=\"#{phase2_hash_algorithms.join(',')}\" enc-algorithms=\"#{phase2_encryption_algorithms.join(',')}\" pfs-group=#{pfs_group}\n\n"
config << "/ip ipsec policy\nadd disabled=yes dst-address=#{remote_address} peer=#{phase1_profile_name} proposal=#{phase2_profile_name} src-address=#{phase2_local_address} tunnel=yes\n\n"

puts "Content-Type: text/plain"
puts
puts config
1 2024-06-22 23:37:24 +03:00			`#!/usr/bin/env ruby`

			`require 'cgi'`
			`require 'ipaddr' # Load the IPAddr library`

			`cgi = CGI.new`
			`params = cgi.params`

			`errors = []`

			`# Phase 1 data (with validation)`
			`phase1_profile_name = params['phase1_profile_name'][0]`
			`errors << "Phase 1 profile name is required." if phase1_profile_name.nil? \|\| phase1_profile_name.empty?`

			`remote_gateway = params['phase1_remote_gateway'][0]`
			`begin`
			`IPAddr.new(remote_gateway)`
			`rescue IPAddr::InvalidAddressError`
			`errors << "Invalid remote gateway IP address."`
			`end`

			`local_address = params['phase1_local_address'][0] \|\| '' # Optional`
			`if !local_address.empty?`
			`begin`
			`IPAddr.new(local_address) # Check if it's a valid IP address`
			`errors << "Invalid local address (must be a single IP)." if IPAddr.new(local_address).prefix != 32`
			`rescue IPAddr::InvalidAddressError`
			`errors << "Invalid local address."`
			`end`
			`end`

			`ike_version = params['phase1_ike_version'][0]`
			`auth_method = params['phase1_auth_method'][0]`
			`pre_shared_key = (auth_method == 'psk') ? params['phase1_pre_shared_key'][0] : nil`
			`errors << "Pre-shared key is required for PSK authentication." if auth_method == 'psk' && (pre_shared_key.nil? \|\| pre_shared_key.empty?)`
			`encryption_algorithms = params['phase1_encryption_algorithm'] \|\| []`
			`hash_algorithms = params['phase1_hash_algorithm'] \|\| []`
			`dh_group = params['phase1_dh_group'][0]`
			`phase1_lifetime = params['phase1_lifetime'][0]`
			`remote_id = params['phase1_remote_id'][0] \|\| '' # Optional`

			`# Phase 2 data (with validation)`
			`phase2_profile_name = params['phase2_profile_name'][0]`
			`errors << "Phase 2 profile name is required." if phase2_profile_name.nil? \|\| phase2_profile_name.empty?`
			`phase2_encryption_algorithms = params['phase2_encryption_algorithm'] \|\| []`
			`phase2_hash_algorithms = params['phase2_hash_algorithm'] \|\| []`
			`pfs_group = params['phase2_pfs_group'][0] \|\| ''`
			`phase2_lifetime = params['phase2_lifetime'][0]`
			`phase2_local_address = params['phase2_local_address'][0]`
			`begin`
			`IPAddr.new(phase2_local_address) # Check if it's a valid IP address or CIDR`
			`rescue IPAddr::InvalidAddressError`
			`errors << "Invalid phase 2 local address or subnet."`
			`end`

			`remote_address = params['phase2_remote_address'][0]`
			`begin`
			`IPAddr.new(remote_address) # Check if it's a valid IP address or CIDR`
			`rescue IPAddr::InvalidAddressError`
			`errors << "Invalid phase 2 remote address or subnet."`
			`end`


			`# Handle errors`
			`if errors.any?`
			`cgi.header('type' => 'text/plain')`
			`puts "Errors:\n#{errors.join("\n")}"`
			`exit`
			`end`

			`# Generate MikroTik CLI configuration commands`
			`config = ""`

			`# Phase 1`
			`config << "/ip ipsec profile\nadd name=\"#{phase1_profile_name}\" dh-group=#{dh_group} enc-algorithm=\"#{encryption_algorithms.join(',')}\" hash-algorithm=\"#{hash_algorithms.join(',')}\" nat-traversal=no\n\n"`
			`config << "/ip ipsec peer\nadd address=#{remote_gateway} "`
			`config << "local-address=#{local_address} " unless local_address.empty?`
			`config << "disabled=yes name=#{phase1_profile_name} passive=yes profile=#{phase1_profile_name}\n\n"`

			`# Move pre-shared key to /ip ipsec identity`
			`config << "/ip ipsec identity\nadd peer=#{phase1_profile_name} secret=\"#{pre_shared_key}\"\n\n"`

			`# Phase 2`
			`config << "/ip ipsec proposal\nadd name=\"#{phase2_profile_name}\" auth-algorithms=\"#{phase2_hash_algorithms.join(',')}\" enc-algorithms=\"#{phase2_encryption_algorithms.join(',')}\" pfs-group=#{pfs_group}\n\n"`
			`config << "/ip ipsec policy\nadd disabled=yes dst-address=#{remote_address} peer=#{phase1_profile_name} proposal=#{phase2_profile_name} src-address=#{phase2_local_address} tunnel=yes\n\n"`

2 2024-06-22 23:41:53 +03:00			`puts "Content-Type: text/plain"`
1 2024-06-22 23:37:24 +03:00			`puts`
			`puts config`