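#!/bin/sh
#
# racoon (IPsec/IKEv1) watchdog.  Refuses to run without a racoon config,
# tightens the pre-shared-key file, then loops forever: restarts racoon when
# its process is gone and kicks phase 1 for peers that have no ISAKMP SA.
# Reports through logger(1).  Needs root (chmod under /etc, killall, racoon).

if [ -f /etc/racoon/racoon.conf ]; then
    logger "IPsec: racoon needs to be started"
else
    logger "IPsec: racoon no config"
    exit 1
fi

# psk.txt holds the pre-shared keys in clear text, so it must not be readable
# by other users.  Guard the chmod so a setup without a PSK file (certificates
# only) does not fail noisily, and log when tightening fails: a group/world
# readable key file is a key leak and should not go unnoticed.
if [ -f /etc/racoon/psk.txt ]; then
    chmod 0600 /etc/racoon/psk.txt \
        || logger "IPsec: could not set mode 0600 on /etc/racoon/psk.txt"
fi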

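# Bring up ISAKMP (phase 1) for every configured peer that currently has no
# ISAKMP SA.  Peers are the third field of the "peers_identifier address <ip>;"
# lines in /etc/racoon/racoon.conf (any line containing that text matches,
# commented-out ones included, as before).
# Reads:  /etc/racoon/racoon.conf
# Calls:  racoonctl (show-sa, vpn-connect), setkey, logger
# No temporary file is written.
start_phase1()
{
    # Feed the peer list straight into the loop instead of staging it in the
    # fixed-name /tmp/racoonctl.conf: a predictable /tmp path can be
    # pre-created or symlinked by a local user, and the old rm/create/read
    # sequence was racy.  Nothing assigned inside the loop is used after it,
    # so running the loop in the pipeline's subshell is harmless.
    awk '/peers_identifier address/ { sub(/;$/, "", $3); print $3 }' \
        /etc/racoon/racoon.conf |
    while IFS= read -r peer_ip; do
        # A malformed config line yields an empty field; do not hand "" to
        # vpn-connect.
        [ -n "$peer_ip" ] || continue

        # -F: the address is a literal, not a regex ("." must not match any
        # byte).  -w: "10.0.0.1" must not count a line for "10.0.0.10".
        phase1_up="$(/usr/sbin/racoonctl -l show-sa isakmp | grep -cFw -- "$peer_ip")"
        if [ "$phase1_up" -eq 0 ]; then
            # Policy count is informational only (it goes into the log line).
            policy_count="$(/usr/sbin/setkey -DP | grep -cFw -- "$peer_ip")"
            logger "IPsec: start phase 1 for $peer_ip, number of policies:$policy_count"
            /usr/sbin/racoonctl vpn-connect "$peer_ip" \
                || logger "IPsec: vpn-connect $peer_ip failed"
        fi
    done
}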

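# Main watchdog loop: every 6 minutes make sure racoon is running (restart it
# if not) and that phase 1 is up for every configured peer.  Never returns.
while true
do

    # ps|grep counts the grep process itself, so a live racoon gives 2 and a
    # dead one gives 1 (0 if ps fails).  -F keeps the path a literal.
    COUNT_RACOON="$(ps auxww | grep -cF "racoon -f /etc/racoon/racoon.conf")"
    if [ "$COUNT_RACOON" -le 1 ]; then

        # NOTE(review): SIGKILL skips racoon's own shutdown; kept as in the
        # original on the assumption that any racoon still present here is
        # hung -- confirm, otherwise TERM first then KILL would be gentler.
        busybox killall -9 racoon

        logger "IPsec: racoon error, restarting"
        /usr/sbin/racoon -f /etc/racoon/racoon.conf \
            || logger "IPsec: racoon failed to start"

        # Flush the SAs left behind by the previous racoon instance.  racoon
        # daemonises and opens its admin socket only after forking, so an
        # immediate flush-sa can hit a socket that is not listening yet and
        # silently do nothing; retry (bounded) and log if it never succeeds.
        # Assumes racoonctl exits non-zero while racoon is unreachable.
        flush_try=0
        until /usr/sbin/racoonctl flush-sa ipsec 2>/dev/null \
              && /usr/sbin/racoonctl flush-sa isakmp 2>/dev/null; do
            flush_try=$((flush_try + 1))
            if [ "$flush_try" -ge 15 ]; then
                logger "IPsec: could not flush old SAs (racoon admin socket unreachable?)"
                break
            fi
            sleep 1
        done

        # Give time for the peer to init connections first.
        # Time to detect old SA's and SP's
        sleep 360
    fi

    # As a last resort start phase 1 if it isn't started, broken DPD or peer is passive.
    start_phase1

    sleep 360
done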

