testing/ipsec-tools: experimental build of new ipsec-tools

latest snapshot of ipsec-tools upstream CVS repository, with
couple of additional patches (and one upstream revert to make
it compile with uclibc)

8 files changed, 585 insertions, 0 deletions

diff --git a/testing/ipsec-tools/10-revert-utmpx.patch b/testing/ipsec-tools/10-revert-utmpx.patch
new file mode 100644
index 0000000000..388fa71d0b
--- /dev/null
+++ b/testing/ipsec-tools/10-revert-utmpx.patch
@@ -0,0 +1,81 @@
+Index: src/racoon/isakmp_cfg.c
+===================================================================
+RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c,v
+retrieving revision 1.24
+retrieving revision 1.23
+diff -u -r1.24 -r1.23
+--- a/src/racoon/isakmp_cfg.c	21 Sep 2010 13:14:17 -0000	1.24
++++ b/src/racoon/isakmp_cfg.c	4 Aug 2010 09:16:58 -0000	1.23
+@@ -1,4 +1,4 @@
+-/*	$NetBSD: isakmp_cfg.c,v 1.24 2010/09/21 13:14:17 vanhu Exp $	*/
++/*	$NetBSD: isakmp_cfg.c,v 1.23 2010/08/04 09:16:58 vanhu Exp $	*/
+ 
+ /* Id: isakmp_cfg.c,v 1.55 2006/08/22 18:17:17 manubsd Exp */
+ 
+@@ -38,7 +38,7 @@
+ #include <sys/socket.h>
+ #include <sys/queue.h>
+ 
+-#include <utmpx.h>
++#include <utmp.h>
+ #if defined(__APPLE__) && defined(__MACH__)
+ #include <util.h>
+ #endif
+@@ -1661,7 +1661,8 @@
+ 	int inout;
+ {
+ 	int error = 0;
+-	struct utmpx ut;
++	struct utmp ut;
++	char term[UT_LINESIZE];
+ 	char addr[NI_MAXHOST];
+ 	
+ 	if (usr == NULL || usr[0]=='\0') {
+@@ -1670,33 +1671,36 @@
+ 		return -1;
+ 	}
+ 
+-	memset(&ut, 0, sizeof ut);
+-	gettimeofday((struct timeval *)&ut.ut_tv, NULL);
+-	snprintf(ut.ut_id, sizeof ut.ut_id, TERMSPEC, port);
++	sprintf(term, TERMSPEC, port);
+ 
+ 	switch (inout) {
+ 	case ISAKMP_CFG_LOGIN:
+-		ut.ut_type = USER_PROCESS;
+-		strncpy(ut.ut_user, usr, sizeof ut.ut_user);
++		strncpy(ut.ut_name, usr, UT_NAMESIZE);
++		ut.ut_name[UT_NAMESIZE - 1] = '\0';
++
++		strncpy(ut.ut_line, term, UT_LINESIZE);
++		ut.ut_line[UT_LINESIZE - 1] = '\0';
+ 
+ 		GETNAMEINFO_NULL(raddr, addr);
+-		strncpy(ut.ut_host, addr, sizeof ut.ut_host);
++		strncpy(ut.ut_host, addr, UT_HOSTSIZE);
++		ut.ut_host[UT_HOSTSIZE - 1] = '\0';
+ 
++		ut.ut_time = time(NULL);
++ 
+ 		plog(LLV_INFO, LOCATION, NULL,
+ 			"Accounting : '%s' logging on '%s' from %s.\n",
+-			ut.ut_user, ut.ut_id, addr);
++			ut.ut_name, ut.ut_line, ut.ut_host);
+ 
+-		pututxline(&ut);
++		login(&ut);
+ 
+ 		break;
+ 	case ISAKMP_CFG_LOGOUT:	
+-		ut.ut_type = DEAD_PROCESS;
+ 
+ 		plog(LLV_INFO, LOCATION, NULL,
+ 			"Accounting : '%s' unlogging from '%s'.\n",
+-			usr, ut.ut_id);
++			usr, term);
+ 
+-		pututxline(&ut);
++		logout(term);
+ 
+ 		break;
+ 	default:
diff --git a/testing/ipsec-tools/50-reverse-connect.patch b/testing/ipsec-tools/50-reverse-connect.patch
new file mode 100644
index 0000000000..f29c3d5091
--- /dev/null
+++ b/testing/ipsec-tools/50-reverse-connect.patch
@@ -0,0 +1,207 @@
+When new ISAKMP is required, allow incoming reverse connection to take
+
+From: Timo Teras <timo.teras@iki.fi>
+
+over pending phase1:s. Useful when the other party is firewalled or NATted.
+---
+
+ src/racoon/admin.c   |   12 ++++++++++++
+ src/racoon/evt.c     |   13 +++++++++++++
+ src/racoon/evt.h     |    3 +++
+ src/racoon/handler.c |   28 +++++++++++++++++++++-------
+ src/racoon/isakmp.c  |   39 ++++++++++++++++++++++++++++++++++-----
+ 5 files changed, 83 insertions(+), 12 deletions(-)
+
+
+diff --git a/src/racoon/admin.c b/src/racoon/admin.c
+index b67e545..710c9bf 100644
+--- a/src/racoon/admin.c
++++ b/src/racoon/admin.c
+@@ -414,11 +414,23 @@ admin_process(so2, combuf)
+ 		struct sockaddr *dst;
+ 		struct sockaddr *src;
+ 		char *name = NULL;
++		char *loc, *rem;
+ 
+ 		ndx = (struct admin_com_indexes *) ((caddr_t)com + sizeof(*com));
+ 		src = (struct sockaddr *) &ndx->src;
+ 		dst = (struct sockaddr *) &ndx->dst;
+ 
++		loc = racoon_strdup(saddr2str(src));
++		rem = racoon_strdup(saddr2str(dst));
++		STRDUP_FATAL(loc);
++		STRDUP_FATAL(rem);
++
++		plog(LLV_INFO, LOCATION, NULL,
++			"admin establish-sa %x %s %s\n",
++			com->ac_proto, loc, rem);
++		racoon_free(loc);
++		racoon_free(rem);
++
+ 		if (com->ac_cmd == ADMIN_ESTABLISH_SA &&
+ 		    com->ac_len > sizeof(*com) + sizeof(*ndx))
+ 			name = (char *) ((caddr_t) ndx + sizeof(*ndx));
+diff --git a/src/racoon/evt.c b/src/racoon/evt.c
+index 4ce1334..000c1f8 100644
+--- a/src/racoon/evt.c
++++ b/src/racoon/evt.c
+@@ -396,4 +396,17 @@ evt_list_cleanup(list)
+ 		evt_unsubscribe(LIST_FIRST(list));
+ }
+ 
++void
++evt_list_move(from, to)
++	struct evt_listener_list *from, *to;
++{
++	struct evt_listener *l;
++
++	while (!LIST_EMPTY(from)) {
++		l = LIST_FIRST(from);
++		LIST_REMOVE(l, ll_chain);
++		LIST_INSERT_HEAD(to, l, ll_chain);
++	}
++}
++
+ #endif /* ENABLE_ADMINPORT */
+diff --git a/src/racoon/evt.h b/src/racoon/evt.h
+index 0ce65bd..ba7fb57 100644
+--- a/src/racoon/evt.h
++++ b/src/racoon/evt.h
+@@ -124,6 +124,8 @@ void evt_phase2 __P((const struct ph2handle *ph2, int type, vchar_t *optdata));
+ vchar_t *evt_dump __P((void));
+ 
+ int  evt_subscribe __P((struct evt_listener_list *list, int fd));
++void evt_list_move __P((struct evt_listener_list *from,
++			struct evt_listener_list *to));
+ void evt_list_init __P((struct evt_listener_list *list));
+ void evt_list_cleanup __P((struct evt_listener_list *list));
+ 
+@@ -136,6 +138,7 @@ void evt_list_cleanup __P((struct evt_listener_list *list));
+ #define evt_phase2(ph2, type, optdata) ;
+ 
+ #define evt_subscribe(eventlist, fd) ;
++#deifne evt_list_move(from, to) ;
+ #define evt_list_init(eventlist) ;
+ #define evt_list_cleanup(eventlist) ;
+ #define evt_get_fdmask(nfds, fdset) nfds
+diff --git a/src/racoon/handler.c b/src/racoon/handler.c
+index b33986f..9fd3817 100644
+--- a/src/racoon/handler.c
++++ b/src/racoon/handler.c
+@@ -269,26 +269,40 @@ migrate_ph12(old_iph1, new_iph1)
+ }
+ 
+ /*
+- * the iph1 is new, migrate all phase2s that belong to a dying or dead ph1
++ * the iph1 is new, migrate all phase2s that belong to a dying or dead ph1.
+  */
+ void migrate_dying_ph12(iph1)
+ 	struct ph1handle *iph1;
+ {
+-	struct ph1handle *p;
++	struct ph1handle *p, *next;
+ 
+-	LIST_FOREACH(p, &ph1tree, chain) {
++	for (p = LIST_FIRST(&ph1tree); p; p = next) {
++		next = LIST_NEXT(p, chain);
+ 		if (p == iph1)
+ 			continue;
+-		if (p->status < PHASE1ST_DYING)
++
++		/* Same remote? */
++		if (cmpsaddr(iph1->local, p->local) > CMPSADDR_WOP_MATCH ||
++		    cmpsaddr(iph1->remote, p->remote) > CMPSADDR_WOP_MATCH ||
++		    iph1->rmconf != p->rmconf)
+ 			continue;
+ 
+-		if (cmpsaddr(iph1->local, p->local) == 0
+-		 && cmpsaddr(iph1->remote, p->remote) == 0)
++		/* migrate phase2:s from expiring entries */
++		if (p->status >= PHASE1ST_DYING)
+ 			migrate_ph12(p, iph1);
++
++		/* and allow reverse connections to release
++		 * pending connections that do not work due
++		 * to firewall or nat */
++		if (iph1->side == RESPONDER && p->side == INITIATOR &&
++		    p->status < PHASE1ST_MSG3RECEIVED) {
++			/* Do not delete ph1, since if the node is not NATted,
++			 * and we delete it we might get phase2's lost */
++			evt_list_move(&p->evt_listeners, &iph1->evt_listeners);
++		}
+ 	}
+ }
+ 
+-
+ /*
+  * dump isakmp-sa
+  */
+diff --git a/src/racoon/isakmp.c b/src/racoon/isakmp.c
+index 0de16d1..2dfda2f 100644
+--- a/src/racoon/isakmp.c
++++ b/src/racoon/isakmp.c
+@@ -2138,13 +2138,33 @@ isakmp_ph2delete(iph2)
+ 
+ 	remph2(iph2);
+ 	delph2(iph2);
+-
+-	return;
+ }
+ 
+ /* %%%
+  * Interface between PF_KEYv2 and ISAKMP
+  */
++
++static void
++isakmp_chkph2there(p)
++	struct sched *p;
++{
++	struct ph2handle *iph2 = container_of(p, struct ph2handle, sce);
++	struct ph2handle *tmp;
++
++	/* Check if a similar phase2 appared meanwhile */
++	remph2(iph2);
++	tmp = getph2byid(iph2->src, iph2->dst, iph2->spid);
++	if (tmp == NULL) {
++		/* Nope, lets start this then */
++		insph2(iph2);
++		isakmp_chkph1there(iph2);
++	} else {
++		/* Yes, delete this initiation attempt as redundant */
++		evt_phase2(iph2, EVT_PHASE2_UP, NULL);
++		delph2(iph2);
++	}
++}
++
+ /*
+  * receive ACQUIRE from kernel, and begin either phase1 or phase2.
+  * if phase1 has been finished, begin phase2.
+@@ -2220,8 +2240,14 @@ isakmp_post_acquire(iph2)
+ 		/*NOTREACHED*/
+ 	}
+ 
+-	/* found established ISAKMP-SA */
+-	/* i.e. iph1->status == PHASE1ST_ESTABLISHED */
++	/* found established ISAKMP-SA, if this is a RESPONDER ISAKMP-SA
++	 * add a small delay; this will make sure the initiator gets
++	 * an first attempt at rekeying, and usually avoids duplicate ph2:s */
++	if (iph1->side == RESPONDER) {
++		iph2->retry_checkph1 = 1;
++		sched_schedule(&iph2->sce, 1, isakmp_chkph2there);
++		return 0;
++	}
+ 
+ 	/* found ISAKMP-SA. */
+ 	plog(LLV_DEBUG, LOCATION, NULL, "begin QUICK mode.\n");
+@@ -2388,7 +2414,10 @@ isakmp_chkph1there(iph2)
+ 		plog(LLV_DEBUG2, LOCATION, NULL, "dst: %s\n", saddr2str(iph2->dst));
+ 
+ 		/* begin quick mode */
+-		(void)isakmp_ph2begin_i(iph1, iph2);
++		if (isakmp_ph2begin_i(iph1, iph2)) {
++			remph2(iph2);
++			delph2(iph2);
++		}
+ 		return;
+ 	}
+ 
diff --git a/testing/ipsec-tools/70-rcvbuf-size.patch b/testing/ipsec-tools/70-rcvbuf-size.patch
new file mode 100644
index 0000000000..34e295decf
--- /dev/null
+++ b/testing/ipsec-tools/70-rcvbuf-size.patch
@@ -0,0 +1,33 @@
+Index: src/racoon/isakmp.c
+===================================================================
+RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/isakmp.c,v
+retrieving revision 1.60
+diff -u -r1.60 isakmp.c
+--- a/src/racoon/isakmp.c	3 Sep 2009 09:29:07 -0000	1.60
++++ b/src/racoon/isakmp.c	20 Aug 2010 11:59:20 -0000
+@@ -1579,6 +1579,7 @@
+ #ifdef ENABLE_NATT
+ 	int option = -1;
+ #endif
++        int rcvSize = 16384;
+ 
+ 	/* warn if wildcard address - should we forbid this? */
+ 	switch (addr->sa_family) {
+@@ -1706,6 +1707,17 @@
+ 		goto err;
+ 	}
+ 
++	/* set receive buffer size - shouldn't be too large otherwise
++	 * we can acommodate too long backbuffer of packets and not
++	 * able to handle any packets in real time */
++	if (setsockopt(fd, SOL_SOCKET, SO_RCVBUF,
++	                (void*) &rcvSize, sizeof(rcvSize)) < 0) {
++                plog(LLV_ERROR, LOCATION, NULL,
++                     "failed to set SO_RCVBUF size (%s).\n",
++                     strerror(errno));
++                /* soft-error, continue even if this failed */
++        }
++
+ 	if (setsockopt_bypass(fd, addr->sa_family) < 0)
+ 		goto err;
+ 
diff --git a/testing/ipsec-tools/75-racoonctl-rcvbuf.patch b/testing/ipsec-tools/75-racoonctl-rcvbuf.patch
new file mode 100644
index 0000000000..3a68bfc2ae
--- /dev/null
+++ b/testing/ipsec-tools/75-racoonctl-rcvbuf.patch
@@ -0,0 +1,33 @@
+Index: src/racoon/kmpstat.c
+===================================================================
+RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/kmpstat.c,v
+retrieving revision 1.6
+diff -u -r1.6 kmpstat.c
+--- a/src/racoon/kmpstat.c	2 Oct 2007 09:47:45 -0000	1.6
++++ b/src/racoon/kmpstat.c	14 Oct 2010 12:48:22 -0000
+@@ -99,6 +99,7 @@
+ com_init()
+ {
+ 	struct sockaddr_un name;
++	int rcvSize;
+ 
+ 	memset(&name, 0, sizeof(name));
+ 	name.sun_family = AF_UNIX;
+@@ -114,6 +115,17 @@
+ 		return -1;
+ 	}
+ 
++        /* set receive buffer size - should be relative large:
++         * racoon daemon will try to send all info in one go, if
++         * it does not fit we'll miss stuff */
++	rcvSize = 1024 * 1024;
++	if (setsockopt(so, SOL_SOCKET, SO_RCVBUF,
++		       (void*) &rcvSize, sizeof(rcvSize)) < 0) {
++		rcvSize = 512 * 1024;
++		(void) setsockopt(so, SOL_SOCKET, SO_RCVBUF,
++				  (void*) &rcvSize, sizeof(rcvSize));
++	}
++
+ 	return 0;
+ }
+ 
diff --git a/testing/ipsec-tools/90-dpd-window-fix.patch b/testing/ipsec-tools/90-dpd-window-fix.patch
new file mode 100644
index 0000000000..d3ac9a9aa2
--- /dev/null
+++ b/testing/ipsec-tools/90-dpd-window-fix.patch
@@ -0,0 +1,85 @@
+Index: src/racoon/isakmp_inf.c
+===================================================================
+RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c,v
+retrieving revision 1.41
+diff -u -r1.41 isakmp_inf.c
+--- a/src/racoon/isakmp_inf.c	3 Jul 2009 06:41:46 -0000	1.41
++++ b/src/racoon/isakmp_inf.c	5 May 2010 15:56:38 -0000
+@@ -1450,17 +1450,16 @@
+ 	struct isakmp_pl_ru *ru;
+ 	u_int32_t msgid;
+ {
++	u_int32_t seq;
+ 
+ 	plog(LLV_DEBUG, LOCATION, iph1->remote,
+ 		 "DPD R-U-There-Ack received\n");
+ 
+-	/* XXX Maintain window of acceptable sequence numbers ?
+-	 * => ru->data <= iph2->dpd_seq &&
+-	 *    ru->data >= iph2->dpd_seq - iph2->dpd_fails ? */
+-	if (ntohl(ru->data) != iph1->dpd_seq-1) {
++	seq = ntohl(ru->data);
++	if (seq <= iph1->dpd_last_ack || seq > iph1->dpd_seq) {
+ 		plog(LLV_ERROR, LOCATION, iph1->remote,
+-			 "Wrong DPD sequence number (%d, %d expected).\n", 
+-			 ntohl(ru->data), iph1->dpd_seq-1);
++			 "Wrong DPD sequence number (%d; last_ack=%d, seq=%d).\n", 
++			 seq, iph1->dpd_last_ack, iph1->dpd_seq);
+ 		return 0;
+ 	}
+ 
+@@ -1472,6 +1471,7 @@
+ 	}
+ 
+ 	iph1->dpd_fails = 0;
++	iph1->dpd_last_ack = seq;
+ 	sched_cancel(&iph1->dpd_r_u);
+ 	isakmp_sched_r_u(iph1, 0);
+ 
+@@ -1535,12 +1535,13 @@
+ 	memcpy(ru->i_ck, iph1->index.i_ck, sizeof(cookie_t));
+ 	memcpy(ru->r_ck, iph1->index.r_ck, sizeof(cookie_t));
+ 
+-	if (iph1->dpd_seq == 0){
++	if (iph1->dpd_seq == 0) {
+ 		/* generate a random seq which is not too big */
+-		srand(time(NULL));
+-		iph1->dpd_seq = rand() & 0x0fff;
++		iph1->dpd_seq = iph1->dpd_last_ack = rand() & 0x0fff;
+ 	}
+ 
++	iph1->dpd_seq++;
++	iph1->dpd_fails++;
+ 	ru->data = htonl(iph1->dpd_seq);
+ 
+ 	error = isakmp_info_send_common(iph1, payload, ISAKMP_NPTYPE_N, 0);
+@@ -1549,12 +1550,6 @@
+ 	plog(LLV_DEBUG, LOCATION, iph1->remote,
+ 		 "DPD R-U-There sent (%d)\n", error);
+ 
+-	/* will be decreased if ACK received... */
+-	iph1->dpd_fails++;
+-
+-	/* XXX should be increased only when ACKed ? */
+-	iph1->dpd_seq++;
+-
+ 	/* Reschedule the r_u_there with a short delay,
+ 	 * will be deleted/rescheduled if ACK received before */
+ 	isakmp_sched_r_u(iph1, 1);
+Index: src/racoon/handler.h
+===================================================================
+RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/handler.h,v
+retrieving revision 1.22
+diff -u -r1.22 handler.h
+--- a/src/racoon/handler.h	3 Sep 2009 09:29:07 -0000	1.22
++++ b/src/racoon/handler.h	5 May 2010 15:56:39 -0000
+@@ -202,7 +202,8 @@
+ 
+ #ifdef ENABLE_DPD
+ 	int		dpd_support;	/* Does remote supports DPD ? */
+-	u_int16_t	dpd_seq;		/* DPD seq number to receive */
++	u_int32_t	dpd_last_ack;
++	u_int32_t	dpd_seq;		/* DPD seq number to receive */
+ 	u_int8_t	dpd_fails;		/* number of failures */
+ 	struct sched	dpd_r_u;
+ #endif
diff --git a/testing/ipsec-tools/APKBUILD b/testing/ipsec-tools/APKBUILD
new file mode 100644
index 0000000000..274802d5f7
--- /dev/null
+++ b/testing/ipsec-tools/APKBUILD
@@ -0,0 +1,66 @@
+# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
+pkgname=ipsec-tools
+pkgver=0.8_alpha20101022
+_myver=0.8-alpha20101022
+pkgrel=0
+pkgdesc="User-space IPsec tools for various IPsec implementations"
+url="http://ipsec-tools.sourceforge.net/"
+license="BSD"
+depends=""
+makedepends="openssl-dev bison flex"
+subpackages="$pkgname-doc $pkgname-dev"
+source="http://downloads.sourceforge.net/$pkgname/$pkgname-$_myver.tar.gz
+	racoon.initd
+	racoon.confd
+	10-revert-utmpx.patch
+	50-reverse-connect.patch
+	70-rcvbuf-size.patch
+	75-racoonctl-rcvbuf.patch
+	90-dpd-window-fix.patch
+	"
+
+_builddir="$srcdir"/$pkgname-$_myver
+prepare() {
+	cd "$_builddir"
+	for i in ../*.patch; do
+		msg "Applying $i..."
+		patch -p1 -i $i || return 1
+	done
+
+	sed -i 's:-Werror::g' configure
+}
+
+build() {
+	cd "$_builddir"
+	./configure --prefix=/usr \
+		--sysconfdir=/etc \
+		--mandir=/usr/share/man \
+		--infodir=/usr/share/info \
+		--localstatedir=/var/lib \
+		--with-kernel-headers=/usr/include \
+		--disable-security-context \
+		--enable-adminport \
+		--enable-dpd \
+		--enable-frag \
+		--enable-hybrid \
+		--enable-ipv6 \
+		--enable-natt
+	make || return 1
+}
+
+package() {
+	cd "$_builddir"
+	make DESTDIR="$pkgdir" install
+	
+	install -D -m755 ../racoon.initd "$pkgdir"/etc/init.d/racoon
+	install -D -m644 ../racoon.confd "$pkgdir"/etc/conf.d/racoon
+}
+
+md5sums="1492b83edc944b5d32d2eff51e33399e  ipsec-tools-0.8-alpha20101022.tar.gz
+74f12ed04ed273a738229c0bfbf829cc  racoon.initd
+2d00250cf72da7f2f559c91b65a48747  racoon.confd
+90b629020b95bca6824cefde244fa6b2  10-revert-utmpx.patch
+13bda94a598aabf593280e04ea16065d  50-reverse-connect.patch
+f40c78e4ca4b92d2bf74e4fcf3a8d91f  70-rcvbuf-size.patch
+2d5d24c4a3684a38584f88720f71c7d6  75-racoonctl-rcvbuf.patch
+0391a6967ad19673588302bc8b17e0e2  90-dpd-window-fix.patch"
diff --git a/testing/ipsec-tools/racoon.confd b/testing/ipsec-tools/racoon.confd
new file mode 100644
index 0000000000..bf9926c5b5
--- /dev/null
+++ b/testing/ipsec-tools/racoon.confd
@@ -0,0 +1,20 @@
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-firewall/ipsec-tools/files/racoon.conf.d,v 1.3 2004/07/14 23:29:57 agriffis Exp $
+
+# Config file for /etc/init.d/racoon
+
+# See the manual pages for racoon or run `racoon --help`
+# for valid command-line options
+
+RACOON_OPTS="-4"
+SETKEY_OPTS=""
+
+RACOON_CONF="/etc/racoon/racoon.conf"
+RACOON_PSK_FILE="/etc/racoon/psk.txt"
+SETKEY_CONF="/etc/ipsec.conf"
+
+# Comment or remove the following if you don't want the policy tables
+# to be flushed when racoon is stopped.
+
+RACOON_RESET_TABLES="true"
diff --git a/testing/ipsec-tools/racoon.initd b/testing/ipsec-tools/racoon.initd
new file mode 100644
index 0000000000..724eee0237
--- /dev/null
+++ b/testing/ipsec-tools/racoon.initd
@@ -0,0 +1,60 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+depend() {
+	before netmount
+	use net
+	after firewall ntp-client
+	provide ipsec
+}
+
+checkconfig() {
+	if [ ! -e ${SETKEY_CONF} ] ; then
+		eerror "You need to configure setkey before starting racoon."
+		return 1
+	fi
+	if [ ! -e ${RACOON_CONF} ] ; then
+		eerror "You need a configuration file to start racoon."
+		return 1
+	fi
+	if [ ! -z ${RACOON_PSK_FILE} ] ; then
+		if [ ! -f ${RACOON_PSK_FILE} ] ; then
+			eerror "PSK file not found as specified."
+			eerror "Set RACOON_PSK_FILE in /etc/conf.d/racoon."
+			return 1
+		fi
+		case "`ls -Lldn ${RACOON_PSK_FILE}`" in
+			-r--------*)
+				;;
+			*)
+				eerror "Your defined PSK file should be mode 400 for security!"
+				return 1
+				;;
+		esac
+	fi
+}
+
+start() {
+	checkconfig || return 1
+	einfo "Loading ipsec policies from ${SETKEY_CONF}."
+	/usr/sbin/setkey ${SETKEY_OPTS} -f ${SETKEY_CONF}
+	if [ $? -eq 1 ] ; then
+		eerror "Error while loading ipsec policies"
+	fi
+	ebegin "Starting racoon"
+	start-stop-daemon -S -x /usr/sbin/racoon -- -f ${RACOON_CONF} ${RACOON_OPTS}
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping racoon"
+	start-stop-daemon -K -p /var/run/racoon.pid
+	eend $?
+	if [ -n "${RACOON_RESET_TABLES}" ]; then
+		ebegin "Flushing policy entries"
+		/usr/sbin/setkey -F
+		/usr/sbin/setkey -FP
+		eend $?
+	fi
+}