authorTimo Teräs <timo.teras@iki.fi>2010-10-22 10:19:34 +0300
committerTimo Teräs <timo.teras@iki.fi>2010-10-22 10:19:34 +0300
commitd96c2a55451cc8e60574558a6abd0afc145b8983 (patch)
treea82e5497c96ab709b6e190a417c1de4a08a375ea
parent10871b20a181603ab11e60535accfbc8bf40fb79 (diff)
testing/ipsec-tools: experimental build of new ipsec-tools
Latest snapshot of the ipsec-tools upstream CVS repository, with a couple of additional patches (and one upstream revert to make it compile with uClibc).
-rw-r--r--testing/ipsec-tools/10-revert-utmpx.patch81
-rw-r--r--testing/ipsec-tools/50-reverse-connect.patch207
-rw-r--r--testing/ipsec-tools/70-rcvbuf-size.patch33
-rw-r--r--testing/ipsec-tools/75-racoonctl-rcvbuf.patch33
-rw-r--r--testing/ipsec-tools/90-dpd-window-fix.patch85
-rw-r--r--testing/ipsec-tools/APKBUILD66
-rw-r--r--testing/ipsec-tools/racoon.confd20
-rw-r--r--testing/ipsec-tools/racoon.initd60
8 files changed, 585 insertions, 0 deletions
diff --git a/testing/ipsec-tools/10-revert-utmpx.patch b/testing/ipsec-tools/10-revert-utmpx.patch
new file mode 100644
index 0000000000..388fa71d0b
--- /dev/null
+++ b/testing/ipsec-tools/10-revert-utmpx.patch
@@ -0,0 +1,81 @@
+Index: src/racoon/isakmp_cfg.c
+===================================================================
+RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c,v
+retrieving revision 1.24
+retrieving revision 1.23
+diff -u -r1.24 -r1.23
+--- a/src/racoon/isakmp_cfg.c 21 Sep 2010 13:14:17 -0000 1.24
++++ b/src/racoon/isakmp_cfg.c 4 Aug 2010 09:16:58 -0000 1.23
+@@ -1,4 +1,4 @@
+-/* $NetBSD: isakmp_cfg.c,v 1.24 2010/09/21 13:14:17 vanhu Exp $ */
++/* $NetBSD: isakmp_cfg.c,v 1.23 2010/08/04 09:16:58 vanhu Exp $ */
+
+ /* Id: isakmp_cfg.c,v 1.55 2006/08/22 18:17:17 manubsd Exp */
+
+@@ -38,7 +38,7 @@
+ #include <sys/socket.h>
+ #include <sys/queue.h>
+
+-#include <utmpx.h>
++#include <utmp.h>
+ #if defined(__APPLE__) && defined(__MACH__)
+ #include <util.h>
+ #endif
+@@ -1661,7 +1661,8 @@
+ int inout;
+ {
+ int error = 0;
+- struct utmpx ut;
++ struct utmp ut;
++ char term[UT_LINESIZE];
+ char addr[NI_MAXHOST];
+
+ if (usr == NULL || usr[0]=='\0') {
+@@ -1670,33 +1671,36 @@
+ return -1;
+ }
+
+- memset(&ut, 0, sizeof ut);
+- gettimeofday((struct timeval *)&ut.ut_tv, NULL);
+- snprintf(ut.ut_id, sizeof ut.ut_id, TERMSPEC, port);
++ sprintf(term, TERMSPEC, port);
+
+ switch (inout) {
+ case ISAKMP_CFG_LOGIN:
+- ut.ut_type = USER_PROCESS;
+- strncpy(ut.ut_user, usr, sizeof ut.ut_user);
++ strncpy(ut.ut_name, usr, UT_NAMESIZE);
++ ut.ut_name[UT_NAMESIZE - 1] = '\0';
++
++ strncpy(ut.ut_line, term, UT_LINESIZE);
++ ut.ut_line[UT_LINESIZE - 1] = '\0';
+
+ GETNAMEINFO_NULL(raddr, addr);
+- strncpy(ut.ut_host, addr, sizeof ut.ut_host);
++ strncpy(ut.ut_host, addr, UT_HOSTSIZE);
++ ut.ut_host[UT_HOSTSIZE - 1] = '\0';
+
++ ut.ut_time = time(NULL);
++
+ plog(LLV_INFO, LOCATION, NULL,
+ "Accounting : '%s' logging on '%s' from %s.\n",
+- ut.ut_user, ut.ut_id, addr);
++ ut.ut_name, ut.ut_line, ut.ut_host);
+
+- pututxline(&ut);
++ login(&ut);
+
+ break;
+ case ISAKMP_CFG_LOGOUT:
+- ut.ut_type = DEAD_PROCESS;
+
+ plog(LLV_INFO, LOCATION, NULL,
+ "Accounting : '%s' unlogging from '%s'.\n",
+- usr, ut.ut_id);
++ usr, term);
+
+- pututxline(&ut);
++ logout(term);
+
+ break;
+ default:
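Review bot: After this revert `struct utmp ut` is never zeroed — the `memset(&ut, 0, sizeof ut)` of the utmpx version is dropped and only ut_name, ut_line, ut_host and ut_time are assigned, so `login(&ut)` records uninitialized stack bytes (ut_id, ut_pid and the remaining fields) in utmp/wtmp. Add `memset(&ut, 0, sizeof ut);` before the switch. The `sprintf(term, TERMSPEC, port)` into a `UT_LINESIZE` buffer is unbounded; `snprintf(term, sizeof term, TERMSPEC, port);` gives the same string whenever TERMSPEC fits and truncates instead of overflowing otherwise. The enclosing function begins before the hunk (its name is not visible here) and continues past the last shown line.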
diff --git a/testing/ipsec-tools/50-reverse-connect.patch b/testing/ipsec-tools/50-reverse-connect.patch
new file mode 100644
index 0000000000..f29c3d5091
--- /dev/null
+++ b/testing/ipsec-tools/50-reverse-connect.patch
@@ -0,0 +1,207 @@
+When new ISAKMP is required, allow incoming reverse connection to take
+
+From: Timo Teras <timo.teras@iki.fi>
+
+over pending phase1:s. Useful when the other party is firewalled or NATted.
+---
+
+ src/racoon/admin.c | 12 ++++++++++++
+ src/racoon/evt.c | 13 +++++++++++++
+ src/racoon/evt.h | 3 +++
+ src/racoon/handler.c | 28 +++++++++++++++++++++-------
+ src/racoon/isakmp.c | 39 ++++++++++++++++++++++++++++++++++-----
+ 5 files changed, 83 insertions(+), 12 deletions(-)
+
+
+diff --git a/src/racoon/admin.c b/src/racoon/admin.c
+index b67e545..710c9bf 100644
+--- a/src/racoon/admin.c
++++ b/src/racoon/admin.c
+@@ -414,11 +414,23 @@ admin_process(so2, combuf)
+ struct sockaddr *dst;
+ struct sockaddr *src;
+ char *name = NULL;
++ char *loc, *rem;
+
+ ndx = (struct admin_com_indexes *) ((caddr_t)com + sizeof(*com));
+ src = (struct sockaddr *) &ndx->src;
+ dst = (struct sockaddr *) &ndx->dst;
+
++ loc = racoon_strdup(saddr2str(src));
++ rem = racoon_strdup(saddr2str(dst));
++ STRDUP_FATAL(loc);
++ STRDUP_FATAL(rem);
++
++ plog(LLV_INFO, LOCATION, NULL,
++ "admin establish-sa %x %s %s\n",
++ com->ac_proto, loc, rem);
++ racoon_free(loc);
++ racoon_free(rem);
++
+ if (com->ac_cmd == ADMIN_ESTABLISH_SA &&
+ com->ac_len > sizeof(*com) + sizeof(*ndx))
+ name = (char *) ((caddr_t) ndx + sizeof(*ndx));
+diff --git a/src/racoon/evt.c b/src/racoon/evt.c
+index 4ce1334..000c1f8 100644
+--- a/src/racoon/evt.c
++++ b/src/racoon/evt.c
+@@ -396,4 +396,17 @@ evt_list_cleanup(list)
+ evt_unsubscribe(LIST_FIRST(list));
+ }
+
++void
++evt_list_move(from, to)
++ struct evt_listener_list *from, *to;
++{
++ struct evt_listener *l;
++
++ while (!LIST_EMPTY(from)) {
++ l = LIST_FIRST(from);
++ LIST_REMOVE(l, ll_chain);
++ LIST_INSERT_HEAD(to, l, ll_chain);
++ }
++}
++
+ #endif /* ENABLE_ADMINPORT */
+diff --git a/src/racoon/evt.h b/src/racoon/evt.h
+index 0ce65bd..ba7fb57 100644
+--- a/src/racoon/evt.h
++++ b/src/racoon/evt.h
+@@ -124,6 +124,8 @@ void evt_phase2 __P((const struct ph2handle *ph2, int type, vchar_t *optdata));
+ vchar_t *evt_dump __P((void));
+
+ int evt_subscribe __P((struct evt_listener_list *list, int fd));
++void evt_list_move __P((struct evt_listener_list *from,
++ struct evt_listener_list *to));
+ void evt_list_init __P((struct evt_listener_list *list));
+ void evt_list_cleanup __P((struct evt_listener_list *list));
+
+@@ -136,6 +138,7 @@ void evt_list_cleanup __P((struct evt_listener_list *list));
+ #define evt_phase2(ph2, type, optdata) ;
+
+ #define evt_subscribe(eventlist, fd) ;
++#deifne evt_list_move(from, to) ;
+ #define evt_list_init(eventlist) ;
+ #define evt_list_cleanup(eventlist) ;
+ #define evt_get_fdmask(nfds, fdset) nfds
+diff --git a/src/racoon/handler.c b/src/racoon/handler.c
+index b33986f..9fd3817 100644
+--- a/src/racoon/handler.c
++++ b/src/racoon/handler.c
+@@ -269,26 +269,40 @@ migrate_ph12(old_iph1, new_iph1)
+ }
+
+ /*
+- * the iph1 is new, migrate all phase2s that belong to a dying or dead ph1
++ * the iph1 is new, migrate all phase2s that belong to a dying or dead ph1.
+ */
+ void migrate_dying_ph12(iph1)
+ struct ph1handle *iph1;
+ {
+- struct ph1handle *p;
++ struct ph1handle *p, *next;
+
+- LIST_FOREACH(p, &ph1tree, chain) {
++ for (p = LIST_FIRST(&ph1tree); p; p = next) {
++ next = LIST_NEXT(p, chain);
+ if (p == iph1)
+ continue;
+- if (p->status < PHASE1ST_DYING)
++
++ /* Same remote? */
++ if (cmpsaddr(iph1->local, p->local) > CMPSADDR_WOP_MATCH ||
++ cmpsaddr(iph1->remote, p->remote) > CMPSADDR_WOP_MATCH ||
++ iph1->rmconf != p->rmconf)
+ continue;
+
+- if (cmpsaddr(iph1->local, p->local) == 0
+- && cmpsaddr(iph1->remote, p->remote) == 0)
++ /* migrate phase2:s from expiring entries */
++ if (p->status >= PHASE1ST_DYING)
+ migrate_ph12(p, iph1);
++
++ /* and allow reverse connections to release
++ * pending connections that do not work due
++ * to firewall or nat */
++ if (iph1->side == RESPONDER && p->side == INITIATOR &&
++ p->status < PHASE1ST_MSG3RECEIVED) {
++ /* Do not delete ph1, since if the node is not NATted,
++ * and we delete it we might get phase2's lost */
++ evt_list_move(&p->evt_listeners, &iph1->evt_listeners);
++ }
+ }
+ }
+
+-
+ /*
+ * dump isakmp-sa
+ */
+diff --git a/src/racoon/isakmp.c b/src/racoon/isakmp.c
+index 0de16d1..2dfda2f 100644
+--- a/src/racoon/isakmp.c
++++ b/src/racoon/isakmp.c
+@@ -2138,13 +2138,33 @@ isakmp_ph2delete(iph2)
+
+ remph2(iph2);
+ delph2(iph2);
+-
+- return;
+ }
+
+ /* %%%
+ * Interface between PF_KEYv2 and ISAKMP
+ */
++
++static void
++isakmp_chkph2there(p)
++ struct sched *p;
++{
++ struct ph2handle *iph2 = container_of(p, struct ph2handle, sce);
++ struct ph2handle *tmp;
++
++ /* Check if a similar phase2 appared meanwhile */
++ remph2(iph2);
++ tmp = getph2byid(iph2->src, iph2->dst, iph2->spid);
++ if (tmp == NULL) {
++ /* Nope, lets start this then */
++ insph2(iph2);
++ isakmp_chkph1there(iph2);
++ } else {
++ /* Yes, delete this initiation attempt as redundant */
++ evt_phase2(iph2, EVT_PHASE2_UP, NULL);
++ delph2(iph2);
++ }
++}
++
+ /*
+ * receive ACQUIRE from kernel, and begin either phase1 or phase2.
+ * if phase1 has been finished, begin phase2.
+@@ -2220,8 +2240,14 @@ isakmp_post_acquire(iph2)
+ /*NOTREACHED*/
+ }
+
+- /* found established ISAKMP-SA */
+- /* i.e. iph1->status == PHASE1ST_ESTABLISHED */
++ /* found established ISAKMP-SA, if this is a RESPONDER ISAKMP-SA
++ * add a small delay; this will make sure the initiator gets
++ * an first attempt at rekeying, and usually avoids duplicate ph2:s */
++ if (iph1->side == RESPONDER) {
++ iph2->retry_checkph1 = 1;
++ sched_schedule(&iph2->sce, 1, isakmp_chkph2there);
++ return 0;
++ }
+
+ /* found ISAKMP-SA. */
+ plog(LLV_DEBUG, LOCATION, NULL, "begin QUICK mode.\n");
+@@ -2388,7 +2414,10 @@ isakmp_chkph1there(iph2)
+ plog(LLV_DEBUG2, LOCATION, NULL, "dst: %s\n", saddr2str(iph2->dst));
+
+ /* begin quick mode */
+- (void)isakmp_ph2begin_i(iph1, iph2);
++ if (isakmp_ph2begin_i(iph1, iph2)) {
++ remph2(iph2);
++ delph2(iph2);
++ }
+ return;
+ }
+
diff --git a/testing/ipsec-tools/70-rcvbuf-size.patch b/testing/ipsec-tools/70-rcvbuf-size.patch
new file mode 100644
index 0000000000..34e295decf
--- /dev/null
+++ b/testing/ipsec-tools/70-rcvbuf-size.patch
@@ -0,0 +1,33 @@
+Index: src/racoon/isakmp.c
+===================================================================
+RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/isakmp.c,v
+retrieving revision 1.60
+diff -u -r1.60 isakmp.c
+--- a/src/racoon/isakmp.c 3 Sep 2009 09:29:07 -0000 1.60
++++ b/src/racoon/isakmp.c 20 Aug 2010 11:59:20 -0000
+@@ -1579,6 +1579,7 @@
+ #ifdef ENABLE_NATT
+ int option = -1;
+ #endif
++ int rcvSize = 16384;
+
+ /* warn if wildcard address - should we forbid this? */
+ switch (addr->sa_family) {
+@@ -1706,6 +1707,17 @@
+ goto err;
+ }
+
++ /* set receive buffer size - shouldn't be too large otherwise
++ * we can acommodate too long backbuffer of packets and not
++ * able to handle any packets in real time */
++ if (setsockopt(fd, SOL_SOCKET, SO_RCVBUF,
++ (void*) &rcvSize, sizeof(rcvSize)) < 0) {
++ plog(LLV_ERROR, LOCATION, NULL,
++ "failed to set SO_RCVBUF size (%s).\n",
++ strerror(errno));
++ /* soft-error, continue even if this failed */
++ }
++
+ if (setsockopt_bypass(fd, addr->sa_family) < 0)
+ goto err;
+
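Review bot: The 16384-byte SO_RCVBUF is a bare magic number in the middle of socket setup; a named constant carrying the rationale from the comment makes the trade-off reviewable, e.g. `#define ISAKMP_RCVBUF_SIZE 16384 /* kept small on purpose: bound the backlog of stale IKE datagrams */`. The kernel may round or clamp the requested value (Linux doubles it and enforces a minimum), so the effective size is not necessarily 16 KiB; reading it back with getsockopt into the debug log would confirm what was actually applied. A very small buffer also means a burst of legitimate IKE traffic (many peers rekeying at once, fragmented exchanges) is dropped rather than queued, so the number deserves to be tunable rather than fixed. The enclosing function begins and ends outside this hunk.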
diff --git a/testing/ipsec-tools/75-racoonctl-rcvbuf.patch b/testing/ipsec-tools/75-racoonctl-rcvbuf.patch
new file mode 100644
index 0000000000..3a68bfc2ae
--- /dev/null
+++ b/testing/ipsec-tools/75-racoonctl-rcvbuf.patch
@@ -0,0 +1,33 @@
+Index: src/racoon/kmpstat.c
+===================================================================
+RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/kmpstat.c,v
+retrieving revision 1.6
+diff -u -r1.6 kmpstat.c
+--- a/src/racoon/kmpstat.c 2 Oct 2007 09:47:45 -0000 1.6
++++ b/src/racoon/kmpstat.c 14 Oct 2010 12:48:22 -0000
+@@ -99,6 +99,7 @@
+ com_init()
+ {
+ struct sockaddr_un name;
++ int rcvSize;
+
+ memset(&name, 0, sizeof(name));
+ name.sun_family = AF_UNIX;
+@@ -114,6 +115,17 @@
+ return -1;
+ }
+
++ /* set receive buffer size - should be relative large:
++ * racoon daemon will try to send all info in one go, if
++ * it does not fit we'll miss stuff */
++ rcvSize = 1024 * 1024;
++ if (setsockopt(so, SOL_SOCKET, SO_RCVBUF,
++ (void*) &rcvSize, sizeof(rcvSize)) < 0) {
++ rcvSize = 512 * 1024;
++ (void) setsockopt(so, SOL_SOCKET, SO_RCVBUF,
++ (void*) &rcvSize, sizeof(rcvSize));
++ }
++
+ return 0;
+ }
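Review bot: The fallback `setsockopt` has its failure discarded with `(void)`, so when neither 1 MiB nor 512 KiB can be set the client continues with the default buffer and silently truncates the dump the comment warns about. At minimum the second failure should be reported, e.g. `fprintf(stderr, "warning: cannot enlarge SO_RCVBUF (%s); dump may be truncated\n", strerror(errno));` — adapt to whatever diagnostic routine kmpstat.c already uses, which is not visible here. Enlarging the receive buffer is a workaround; the durable fix is on the daemon side, sending the dump in bounded pieces instead of one write. com_init starts before the hunk.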
+
diff --git a/testing/ipsec-tools/90-dpd-window-fix.patch b/testing/ipsec-tools/90-dpd-window-fix.patch
new file mode 100644
index 0000000000..d3ac9a9aa2
--- /dev/null
+++ b/testing/ipsec-tools/90-dpd-window-fix.patch
@@ -0,0 +1,85 @@
+Index: src/racoon/isakmp_inf.c
+===================================================================
+RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c,v
+retrieving revision 1.41
+diff -u -r1.41 isakmp_inf.c
+--- a/src/racoon/isakmp_inf.c 3 Jul 2009 06:41:46 -0000 1.41
++++ b/src/racoon/isakmp_inf.c 5 May 2010 15:56:38 -0000
+@@ -1450,17 +1450,16 @@
+ struct isakmp_pl_ru *ru;
+ u_int32_t msgid;
+ {
++ u_int32_t seq;
+
+ plog(LLV_DEBUG, LOCATION, iph1->remote,
+ "DPD R-U-There-Ack received\n");
+
+- /* XXX Maintain window of acceptable sequence numbers ?
+- * => ru->data <= iph2->dpd_seq &&
+- * ru->data >= iph2->dpd_seq - iph2->dpd_fails ? */
+- if (ntohl(ru->data) != iph1->dpd_seq-1) {
++ seq = ntohl(ru->data);
++ if (seq <= iph1->dpd_last_ack || seq > iph1->dpd_seq) {
+ plog(LLV_ERROR, LOCATION, iph1->remote,
+- "Wrong DPD sequence number (%d, %d expected).\n",
+- ntohl(ru->data), iph1->dpd_seq-1);
++ "Wrong DPD sequence number (%d; last_ack=%d, seq=%d).\n",
++ seq, iph1->dpd_last_ack, iph1->dpd_seq);
+ return 0;
+ }
+
+@@ -1472,6 +1471,7 @@
+ }
+
+ iph1->dpd_fails = 0;
++ iph1->dpd_last_ack = seq;
+ sched_cancel(&iph1->dpd_r_u);
+ isakmp_sched_r_u(iph1, 0);
+
+@@ -1535,12 +1535,13 @@
+ memcpy(ru->i_ck, iph1->index.i_ck, sizeof(cookie_t));
+ memcpy(ru->r_ck, iph1->index.r_ck, sizeof(cookie_t));
+
+- if (iph1->dpd_seq == 0){
++ if (iph1->dpd_seq == 0) {
+ /* generate a random seq which is not too big */
+- srand(time(NULL));
+- iph1->dpd_seq = rand() & 0x0fff;
++ iph1->dpd_seq = iph1->dpd_last_ack = rand() & 0x0fff;
+ }
+
++ iph1->dpd_seq++;
++ iph1->dpd_fails++;
+ ru->data = htonl(iph1->dpd_seq);
+
+ error = isakmp_info_send_common(iph1, payload, ISAKMP_NPTYPE_N, 0);
+@@ -1549,12 +1550,6 @@
+ plog(LLV_DEBUG, LOCATION, iph1->remote,
+ "DPD R-U-There sent (%d)\n", error);
+
+- /* will be decreased if ACK received... */
+- iph1->dpd_fails++;
+-
+- /* XXX should be increased only when ACKed ? */
+- iph1->dpd_seq++;
+-
+ /* Reschedule the r_u_there with a short delay,
+ * will be deleted/rescheduled if ACK received before */
+ isakmp_sched_r_u(iph1, 1);
+Index: src/racoon/handler.h
+===================================================================
+RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/handler.h,v
+retrieving revision 1.22
+diff -u -r1.22 handler.h
+--- a/src/racoon/handler.h 3 Sep 2009 09:29:07 -0000 1.22
++++ b/src/racoon/handler.h 5 May 2010 15:56:39 -0000
+@@ -202,7 +202,8 @@
+
+ #ifdef ENABLE_DPD
+ int dpd_support; /* Does remote supports DPD ? */
+- u_int16_t dpd_seq; /* DPD seq number to receive */
++ u_int32_t dpd_last_ack;
++ u_int32_t dpd_seq; /* DPD seq number to receive */
+ u_int8_t dpd_fails; /* number of failures */
+ struct sched dpd_r_u;
+ #endif
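Review bot: Dropping `srand(time(NULL))` without replacing the generator leaves `rand() & 0x0fff` unseeded, so the initial DPD sequence number is identical for every ISAKMP SA after each daemon start, whereas RFC 3706 expects a random starting value. The previous per-call time seed was poor as well; racoon already has an OpenSSL-backed random helper for cookies and nonces (not visible in this hunk), and that should be used here instead of rand(). The exposure is limited because R-U-There payloads travel inside the authenticated Informational exchange, but there is no reason to keep a predictable start. The new field in handler.h is undocumented; `u_int32_t dpd_last_ack; /* highest ack'd seq; an ack is accepted iff dpd_last_ack < seq <= dpd_seq */` states the window the isakmp_inf.c check now enforces. Both isakmp_inf.c functions begin outside the hunk.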
diff --git a/testing/ipsec-tools/APKBUILD b/testing/ipsec-tools/APKBUILD
new file mode 100644
index 0000000000..274802d5f7
--- /dev/null
+++ b/testing/ipsec-tools/APKBUILD
@@ -0,0 +1,66 @@
+# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
+pkgname=ipsec-tools
+pkgver=0.8_alpha20101022
+_myver=0.8-alpha20101022
+pkgrel=0
+pkgdesc="User-space IPsec tools for various IPsec implementations"
+url="http://ipsec-tools.sourceforge.net/"
+license="BSD"
+depends=""
+makedepends="openssl-dev bison flex"
+subpackages="$pkgname-doc $pkgname-dev"
+source="http://downloads.sourceforge.net/$pkgname/$pkgname-$_myver.tar.gz
+ racoon.initd
+ racoon.confd
+ 10-revert-utmpx.patch
+ 50-reverse-connect.patch
+ 70-rcvbuf-size.patch
+ 75-racoonctl-rcvbuf.patch
+ 90-dpd-window-fix.patch
+ "
+
+_builddir="$srcdir"/$pkgname-$_myver
+prepare() {
+ cd "$_builddir"
+ for i in ../*.patch; do
+ msg "Applying $i..."
+ patch -p1 -i $i || return 1
+ done
+
+ sed -i 's:-Werror::g' configure
+}
+
+build() {
+ cd "$_builddir"
+ ./configure --prefix=/usr \
+ --sysconfdir=/etc \
+ --mandir=/usr/share/man \
+ --infodir=/usr/share/info \
+ --localstatedir=/var/lib \
+ --with-kernel-headers=/usr/include \
+ --disable-security-context \
+ --enable-adminport \
+ --enable-dpd \
+ --enable-frag \
+ --enable-hybrid \
+ --enable-ipv6 \
+ --enable-natt
+ make || return 1
+}
+
+package() {
+ cd "$_builddir"
+ make DESTDIR="$pkgdir" install
+
+ install -D -m755 ../racoon.initd "$pkgdir"/etc/init.d/racoon
+ install -D -m644 ../racoon.confd "$pkgdir"/etc/conf.d/racoon
+}
+
+md5sums="1492b83edc944b5d32d2eff51e33399e ipsec-tools-0.8-alpha20101022.tar.gz
+74f12ed04ed273a738229c0bfbf829cc racoon.initd
+2d00250cf72da7f2f559c91b65a48747 racoon.confd
+90b629020b95bca6824cefde244fa6b2 10-revert-utmpx.patch
+13bda94a598aabf593280e04ea16065d 50-reverse-connect.patch
+f40c78e4ca4b92d2bf74e4fcf3a8d91f 70-rcvbuf-size.patch
+2d5d24c4a3684a38584f88720f71c7d6 75-racoonctl-rcvbuf.patch
+0391a6967ad19673588302bc8b17e0e2 90-dpd-window-fix.patch"
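Review bot: `make DESTDIR="$pkgdir" install` in package() runs unchecked, while prepare() and build() propagate failures with `|| return 1`, so a failed install would still produce a package containing whatever was copied. Change it to `make DESTDIR="$pkgdir" install || return 1`. The patch loop expands `$i` unquoted; `patch -p1 -i "$i" || return 1` is the safer form. The tarball is fetched over plain http and verified only by MD5, which guards against download corruption but not a capable network attacker; a stronger digest should be used once abuild supports one.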
diff --git a/testing/ipsec-tools/racoon.confd b/testing/ipsec-tools/racoon.confd
new file mode 100644
index 0000000000..bf9926c5b5
--- /dev/null
+++ b/testing/ipsec-tools/racoon.confd
@@ -0,0 +1,20 @@
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-firewall/ipsec-tools/files/racoon.conf.d,v 1.3 2004/07/14 23:29:57 agriffis Exp $
+
+# Config file for /etc/init.d/racoon
+
+# See the manual pages for racoon or run `racoon --help`
+# for valid command-line options
+
+RACOON_OPTS="-4"
+SETKEY_OPTS=""
+
+RACOON_CONF="/etc/racoon/racoon.conf"
+RACOON_PSK_FILE="/etc/racoon/psk.txt"
+SETKEY_CONF="/etc/ipsec.conf"
+
+# Comment or remove the following if you don't want the policy tables
+# to be flushed when racoon is stopped.
+
+RACOON_RESET_TABLES="true"
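Review bot: The comment above `RACOON_RESET_TABLES` tells the user to comment out or remove the variable to keep the tables, but racoon.initd tests it with `[ -n "${RACOON_RESET_TABLES}" ]`, so `RACOON_RESET_TABLES="false"` still flushes the SAD and SPD on stop. Make the comment match the test: `# Set RACOON_RESET_TABLES to the empty string (or remove it) if you do not want the policy tables flushed when racoon is stopped; any non-empty value flushes them.`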
diff --git a/testing/ipsec-tools/racoon.initd b/testing/ipsec-tools/racoon.initd
new file mode 100644
index 0000000000..724eee0237
--- /dev/null
+++ b/testing/ipsec-tools/racoon.initd
@@ -0,0 +1,60 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+depend() {
+ before netmount
+ use net
+ after firewall ntp-client
+ provide ipsec
+}
+
+checkconfig() {
+ if [ ! -e ${SETKEY_CONF} ] ; then
+ eerror "You need to configure setkey before starting racoon."
+ return 1
+ fi
+ if [ ! -e ${RACOON_CONF} ] ; then
+ eerror "You need a configuration file to start racoon."
+ return 1
+ fi
+ if [ ! -z ${RACOON_PSK_FILE} ] ; then
+ if [ ! -f ${RACOON_PSK_FILE} ] ; then
+ eerror "PSK file not found as specified."
+ eerror "Set RACOON_PSK_FILE in /etc/conf.d/racoon."
+ return 1
+ fi
+ case "`ls -Lldn ${RACOON_PSK_FILE}`" in
+ -r--------*)
+ ;;
+ *)
+ eerror "Your defined PSK file should be mode 400 for security!"
+ return 1
+ ;;
+ esac
+ fi
+}
+
+start() {
+ checkconfig || return 1
+ einfo "Loading ipsec policies from ${SETKEY_CONF}."
+ /usr/sbin/setkey ${SETKEY_OPTS} -f ${SETKEY_CONF}
+ if [ $? -eq 1 ] ; then
+ eerror "Error while loading ipsec policies"
+ fi
+ ebegin "Starting racoon"
+ start-stop-daemon -S -x /usr/sbin/racoon -- -f ${RACOON_CONF} ${RACOON_OPTS}
+ eend $?
+}
+
+stop() {
+ ebegin "Stopping racoon"
+ start-stop-daemon -K -p /var/run/racoon.pid
+ eend $?
+ if [ -n "${RACOON_RESET_TABLES}" ]; then
+ ebegin "Flushing policy entries"
+ /usr/sbin/setkey -F
+ /usr/sbin/setkey -FP
+ eend $?
+ fi
+}
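Review bot: In start(), a setkey failure is only noticed when its exit status is exactly 1, and even then the script goes on to launch racoon without the policies loaded, which can leave traffic that was meant to be protected flowing in the clear. Check any non-zero status and abort: `if [ $? -ne 0 ] ; then eerror "Error while loading ipsec policies"; return 1; fi`. The `[ ! -e ${SETKEY_CONF} ]` style tests expand the variables unquoted, so an empty variable makes the test vacuously pass; quote them, e.g. `[ ! -e "${SETKEY_CONF}" ]`. The PSK check enforces mode 0400 but not ownership; since `ls -Lldn` prints the numeric uid, the case pattern could additionally require owner 0 so a world-unreadable file owned by another user is still rejected.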