
UCI

# list all parameters (or one section)
uci show [section]
# show the value of a parameter
uci get <parameter>
# change a parameter
uci set ipsec.CORP_c.forceencaps='yes'
# add to a list (= a multi-valued parameter)
uci add_list wireless.@wifi-iface[0].maclist=11:11:11:11:11:11
# show changes not yet applied:
uci changes
# discard unapplied changes:
uci revert [section]
# save the changes (all, or only for a specific section)
uci commit [section]
# reload the configuration
luci-reload

# start batch mode so commands no longer need the "uci" prefix
uci batch

# import/export the configuration
uci import <config>
uci export <config>

IPSec

CLI configuration with UCI: connect over SSH as root on the router, then:

uci show ipsec
ipsec.@ipsec[0].rtinstall_enabled='1'
ipsec.CORP=remote
ipsec.CORP.crypto_proposal='CORP_ph1'
ipsec.CORP.gateway='10.0.128.14'
ipsec.CORP.authentication_method='psk'
ipsec.CORP.tunnel='CORP_c'
ipsec.CORP.force_crypto_proposal='0'
ipsec.CORP.enabled='1'
ipsec.CORP.pre_shared_key='secret PSK'
ipsec.CORP_c=connection
ipsec.CORP_c.crypto_proposal='CORP_ph2'
ipsec.CORP_c.mode='start'
ipsec.CORP_c.type='tunnel'
ipsec.CORP_c.defaultroute='0'
ipsec.CORP_c.forceencaps='no'
ipsec.CORP_c.remote_firewall='no'
ipsec.CORP_c.ikelifetime='86000'
ipsec.CORP_c.force_crypto_proposal='0'
ipsec.CORP_c.keyexchange='ikev1'
ipsec.CORP_c.lifetime='43200'
ipsec.CORP_c.local_firewall='yes'
ipsec.CORP_c.local_subnet='10.144.1.0/24'
ipsec.CORP_c.remote_subnet='10.192.0.0/29'
ipsec.CORP_ph1=proposal
ipsec.CORP_ph1.encryption_algorithm='aes256'
ipsec.CORP_ph1.hash_algorithm='sha1'
ipsec.CORP_ph1.dh_group='modp2048'
ipsec.CORP_ph2=proposal
ipsec.CORP_ph2.encryption_algorithm='aes256'
ipsec.CORP_ph2.hash_algorithm='sha1'
ipsec.CORP_ph2.dh_group='modp2048'
 
# change a parameter:
uci set ipsec.CORP_c.local_subnet='10.144.1.0/24'
 
# save and apply the changes:
uci commit ipsec
/etc/init.d/ipsec restart

Checking the tunnel status:

ipsec status
Security Associations (1 up, 0 connecting):
CORP-CORP_c[1]: ESTABLISHED 15 hours ago, 10.229.16.74[10.229.16.74]...10.0.128.14[10.0.128.14]
CORP-CORP_c{2}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c02723a1_i b7484c0d_o
CORP-CORP_c{2}:   10.144.1.0/24 === 10.192.0.0/29
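
Added example (not part of the original page): two POSIX shell filters for the `uci show ipsec` listing above. `ipsec_audit` flags the legacy SHA-1 proposals, the IKEv1 key exchange and a short pre-shared key, and `ipsec_redact` masks the key before the listing is shared. The function names, the 20-character threshold and the inline sample are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original page.
# On the router: uci show ipsec | ipsec_audit
#                uci show ipsec | ipsec_redact

# Flag legacy or weak values in "uci show ipsec" lines read from stdin.
ipsec_audit() {
    awk -F= -v q="'" '
    {
        val = substr($0, length($1) + 2)   # everything after the first "="
        gsub(q, "", val)                   # drop the quotes uci prints
        n = split($1, p, ".")              # ipsec.<section>.<option>
        sec = p[2]; opt = p[n]
    }
    opt == "hash_algorithm" && val == "sha1" {
        print "FLAG " sec ": hash_algorithm=sha1"
    }
    opt == "keyexchange" && val == "ikev1" {
        print "FLAG " sec ": keyexchange=ikev1"
    }
    # The 20-character floor is an assumption of this example.
    opt == "pre_shared_key" && length(val) < 20 {
        print "FLAG " sec ": pre_shared_key shorter than 20 characters"
    }'
}

# Mask the PSK so the listing can be pasted into a ticket or wiki.
ipsec_redact() {
    sed "s/\(\.pre_shared_key=\).*/\1'<redacted>'/"
}

# Sample input: lines copied from the listing above.
SAMPLE="ipsec.CORP=remote
ipsec.CORP.authentication_method='psk'
ipsec.CORP.pre_shared_key='secret PSK'
ipsec.CORP_c=connection
ipsec.CORP_c.keyexchange='ikev1'
ipsec.CORP_ph1=proposal
ipsec.CORP_ph1.hash_algorithm='sha1'
ipsec.CORP_ph2=proposal
ipsec.CORP_ph2.hash_algorithm='sha1'"

printf '%s\n' "$SAMPLE" | ipsec_audit
printf '%s\n' "$SAMPLE" | ipsec_redact
```

Which replacement values the router accepts for a flagged option depends on its firmware, so check the supported proposals before changing them with `uci set`.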

Refs