author | Timo Teräs <timo.teras@iki.fi> | 2010-10-22 10:19:34 +0300 |
---|---|---|
committer | Timo Teräs <timo.teras@iki.fi> | 2010-10-22 10:19:34 +0300 |
commit | d96c2a55451cc8e60574558a6abd0afc145b8983 (patch) | |
tree | a82e5497c96ab709b6e190a417c1de4a08a375ea | |
parent | 10871b20a181603ab11e60535accfbc8bf40fb79 (diff) | |
download | aports-d96c2a55451cc8e60574558a6abd0afc145b8983.tar.bz2 aports-d96c2a55451cc8e60574558a6abd0afc145b8983.tar.xz |
testing/ipsec-tools: experimental build of new ipsec-tools
latest snapshot of ipsec-tools upstream CVS repository, with
a couple of additional patches (and one upstream revert to make
it compile with uclibc)
-rw-r--r-- | testing/ipsec-tools/10-revert-utmpx.patch | 81 | ||||
-rw-r--r-- | testing/ipsec-tools/50-reverse-connect.patch | 207 | ||||
-rw-r--r-- | testing/ipsec-tools/70-rcvbuf-size.patch | 33 | ||||
-rw-r--r-- | testing/ipsec-tools/75-racoonctl-rcvbuf.patch | 33 | ||||
-rw-r--r-- | testing/ipsec-tools/90-dpd-window-fix.patch | 85 | ||||
-rw-r--r-- | testing/ipsec-tools/APKBUILD | 66 | ||||
-rw-r--r-- | testing/ipsec-tools/racoon.confd | 20 | ||||
-rw-r--r-- | testing/ipsec-tools/racoon.initd | 60 |
8 files changed, 585 insertions, 0 deletions
diff --git a/testing/ipsec-tools/10-revert-utmpx.patch b/testing/ipsec-tools/10-revert-utmpx.patch
new file mode 100644
index 0000000000..388fa71d0b
--- /dev/null
+++ b/testing/ipsec-tools/10-revert-utmpx.patch
@@ -0,0 +1,81 @@
+Index: src/racoon/isakmp_cfg.c
+===================================================================
+RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/isakmp_cfg.c,v
+retrieving revision 1.24
+retrieving revision 1.23
+diff -u -r1.24 -r1.23
+--- a/src/racoon/isakmp_cfg.c 21 Sep 2010 13:14:17 -0000 1.24
++++ b/src/racoon/isakmp_cfg.c 4 Aug 2010 09:16:58 -0000 1.23
+@@ -1,4 +1,4 @@
+-/* $NetBSD: isakmp_cfg.c,v 1.24 2010/09/21 13:14:17 vanhu Exp $ */
++/* $NetBSD: isakmp_cfg.c,v 1.23 2010/08/04 09:16:58 vanhu Exp $ */
+
+ /* Id: isakmp_cfg.c,v 1.55 2006/08/22 18:17:17 manubsd Exp */
+
+@@ -38,7 +38,7 @@
+ #include <sys/socket.h>
+ #include <sys/queue.h>
+
+-#include <utmpx.h>
++#include <utmp.h>
+ #if defined(__APPLE__) && defined(__MACH__)
+ #include <util.h>
+ #endif
+@@ -1661,7 +1661,8 @@
+ int inout;
+ {
+ int error = 0;
+- struct utmpx ut;
++ struct utmp ut;
++ char term[UT_LINESIZE];
+ char addr[NI_MAXHOST];
+
+ if (usr == NULL || usr[0]=='\0') {
+@@ -1670,33 +1671,36 @@
+ return -1;
+ }
+
+- memset(&ut, 0, sizeof ut);
+- gettimeofday((struct timeval *)&ut.ut_tv, NULL);
+- snprintf(ut.ut_id, sizeof ut.ut_id, TERMSPEC, port);
++ sprintf(term, TERMSPEC, port);
+
+ switch (inout) {
+ case ISAKMP_CFG_LOGIN:
+- ut.ut_type = USER_PROCESS;
+- strncpy(ut.ut_user, usr, sizeof ut.ut_user);
++ strncpy(ut.ut_name, usr, UT_NAMESIZE);
++ ut.ut_name[UT_NAMESIZE - 1] = '\0';
++
++ strncpy(ut.ut_line, term, UT_LINESIZE);
++ ut.ut_line[UT_LINESIZE - 1] = '\0';
+
+ GETNAMEINFO_NULL(raddr, addr);
+- strncpy(ut.ut_host, addr, sizeof ut.ut_host);
++ strncpy(ut.ut_host, addr, UT_HOSTSIZE);
++ ut.ut_host[UT_HOSTSIZE - 1] = '\0';
+
++ ut.ut_time = time(NULL);
++
+ plog(LLV_INFO, LOCATION, NULL,
+ "Accounting : '%s' logging on '%s' from %s.\n",
+- ut.ut_user, ut.ut_id, addr);
++ ut.ut_name, ut.ut_line, ut.ut_host);
+
+- pututxline(&ut);
++ login(&ut);
+
+ break;
+ case ISAKMP_CFG_LOGOUT:
+- ut.ut_type = DEAD_PROCESS;
+
+ plog(LLV_INFO, LOCATION, NULL,
+ "Accounting : '%s' unlogging from '%s'.\n",
+- usr, ut.ut_id);
++ usr, term);
+
+- pututxline(&ut);
++ logout(term);
+
+ break;
+ default:
diff --git a/testing/ipsec-tools/50-reverse-connect.patch b/testing/ipsec-tools/50-reverse-connect.patch
new file mode 100644
index 0000000000..f29c3d5091
--- /dev/null
+++ b/testing/ipsec-tools/50-reverse-connect.patch
@@ -0,0 +1,207 @@
+When new ISAKMP is required, allow incoming reverse connection to take
+
+From: Timo Teras <timo.teras@iki.fi>
+
+over pending phase1:s. Useful when the other party is firewalled or NATted.
+---
+
+ src/racoon/admin.c | 12 ++++++++++++
+ src/racoon/evt.c | 13 +++++++++++++
+ src/racoon/evt.h | 3 +++
+ src/racoon/handler.c | 28 +++++++++++++++++++++-------
+ src/racoon/isakmp.c | 39 ++++++++++++++++++++++++++++++++++-----
+ 5 files changed, 83 insertions(+), 12 deletions(-)
+
+
+diff --git a/src/racoon/admin.c b/src/racoon/admin.c
+index b67e545..710c9bf 100644
+--- a/src/racoon/admin.c
++++ b/src/racoon/admin.c
+@@ -414,11 +414,23 @@ admin_process(so2, combuf)
+ struct sockaddr *dst;
+ struct sockaddr *src;
+ char *name = NULL;
++ char *loc, *rem;
+
+ ndx = (struct admin_com_indexes *) ((caddr_t)com + sizeof(*com));
+ src = (struct sockaddr *) &ndx->src;
+ dst = (struct sockaddr *) &ndx->dst;
+
++ loc = racoon_strdup(saddr2str(src));
++ rem = racoon_strdup(saddr2str(dst));
++ STRDUP_FATAL(loc);
++ STRDUP_FATAL(rem);
++
++ plog(LLV_INFO, LOCATION, NULL,
++ "admin establish-sa %x %s %s\n",
++ com->ac_proto, loc, rem);
++ racoon_free(loc);
++ racoon_free(rem);
++
+ if (com->ac_cmd == ADMIN_ESTABLISH_SA &&
+ com->ac_len > sizeof(*com) + sizeof(*ndx))
+ name = (char *) ((caddr_t) ndx + sizeof(*ndx));
+diff --git a/src/racoon/evt.c b/src/racoon/evt.c
+index 4ce1334..000c1f8 100644
+--- a/src/racoon/evt.c
++++ b/src/racoon/evt.c
+@@ -396,4 +396,17 @@ evt_list_cleanup(list)
+ evt_unsubscribe(LIST_FIRST(list));
+ }
+
++void
++evt_list_move(from, to)
++ struct evt_listener_list *from, *to;
++{
++ struct evt_listener *l;
++
++ while (!LIST_EMPTY(from)) {
++ l = LIST_FIRST(from);
++ LIST_REMOVE(l, ll_chain);
++ LIST_INSERT_HEAD(to, l, ll_chain);
++ }
++}
++
+ #endif /* ENABLE_ADMINPORT */
+diff --git a/src/racoon/evt.h b/src/racoon/evt.h
+index 0ce65bd..ba7fb57 100644
+--- a/src/racoon/evt.h
++++ b/src/racoon/evt.h
+@@ -124,6 +124,8 @@ void evt_phase2 __P((const struct ph2handle *ph2, int type, vchar_t *optdata));
+ vchar_t *evt_dump __P((void));
+
+ int evt_subscribe __P((struct evt_listener_list *list, int fd));
++void evt_list_move __P((struct evt_listener_list *from,
++ struct evt_listener_list *to));
+ void evt_list_init __P((struct evt_listener_list *list));
+ void evt_list_cleanup __P((struct evt_listener_list *list));
+
+@@ -136,6 +138,7 @@ void evt_list_cleanup __P((struct evt_listener_list *list));
+ #define evt_phase2(ph2, type, optdata) ;
+
+ #define evt_subscribe(eventlist, fd) ;
++#deifne evt_list_move(from, to) ;
+ #define evt_list_init(eventlist) ;
+ #define evt_list_cleanup(eventlist) ;
+ #define evt_get_fdmask(nfds, fdset) nfds
+diff --git a/src/racoon/handler.c b/src/racoon/handler.c
+index b33986f..9fd3817 100644
+--- a/src/racoon/handler.c
++++ b/src/racoon/handler.c
+@@ -269,26 +269,40 @@ migrate_ph12(old_iph1, new_iph1)
+ }
+
+ /*
+- * the iph1 is new, migrate all phase2s that belong to a dying or dead ph1
++ * the iph1 is new, migrate all phase2s that belong to a dying or dead ph1.
+ */
+ void migrate_dying_ph12(iph1)
+ struct ph1handle *iph1;
+ {
+- struct ph1handle *p;
++ struct ph1handle *p, *next;
+
+- LIST_FOREACH(p, &ph1tree, chain) {
++ for (p = LIST_FIRST(&ph1tree); p; p = next) {
++ next = LIST_NEXT(p, chain);
+ if (p == iph1)
+ continue;
+- if (p->status < PHASE1ST_DYING)
++
++ /* Same remote? */
++ if (cmpsaddr(iph1->local, p->local) > CMPSADDR_WOP_MATCH ||
++ cmpsaddr(iph1->remote, p->remote) > CMPSADDR_WOP_MATCH ||
++ iph1->rmconf != p->rmconf)
+ continue;
+
+- if (cmpsaddr(iph1->local, p->local) == 0
+- && cmpsaddr(iph1->remote, p->remote) == 0)
++ /* migrate phase2:s from expiring entries */
++ if (p->status >= PHASE1ST_DYING)
+ migrate_ph12(p, iph1);
++
++ /* and allow reverse connections to release
++ * pending connections that do not work due
++ * to firewall or nat */
++ if (iph1->side == RESPONDER && p->side == INITIATOR &&
++ p->status < PHASE1ST_MSG3RECEIVED) {
++ /* Do not delete ph1, since if the node is not NATted,
++ * and we delete it we might get phase2's lost */
++ evt_list_move(&p->evt_listeners, &iph1->evt_listeners);
++ }
+ }
+ }
+
+-
+ /*
+ * dump isakmp-sa
+ */
+diff --git a/src/racoon/isakmp.c b/src/racoon/isakmp.c
+index 0de16d1..2dfda2f 100644
+--- a/src/racoon/isakmp.c
++++ b/src/racoon/isakmp.c
+@@ -2138,13 +2138,33 @@ isakmp_ph2delete(iph2)
+
+ remph2(iph2);
+ delph2(iph2);
+-
+- return;
+ }
+
+ /* %%%
+ * Interface between PF_KEYv2 and ISAKMP
+ */
++
++static void
++isakmp_chkph2there(p)
++ struct sched *p;
++{
++ struct ph2handle *iph2 = container_of(p, struct ph2handle, sce);
++ struct ph2handle *tmp;
++
++ /* Check if a similar phase2 appared meanwhile */
++ remph2(iph2);
++ tmp = getph2byid(iph2->src, iph2->dst, iph2->spid);
++ if (tmp == NULL) {
++ /* Nope, lets start this then */
++ insph2(iph2);
++ isakmp_chkph1there(iph2);
++ } else {
++ /* Yes, delete this initiation attempt as redundant */
++ evt_phase2(iph2, EVT_PHASE2_UP, NULL);
++ delph2(iph2);
++ }
++}
++
+ /*
+ * receive ACQUIRE from kernel, and begin either phase1 or phase2.
+ * if phase1 has been finished, begin phase2.
+@@ -2220,8 +2240,14 @@ isakmp_post_acquire(iph2)
+ /*NOTREACHED*/
+ }
+
+- /* found established ISAKMP-SA */
+- /* i.e. iph1->status == PHASE1ST_ESTABLISHED */
++ /* found established ISAKMP-SA, if this is a RESPONDER ISAKMP-SA
++ * add a small delay; this will make sure the initiator gets
++ * an first attempt at rekeying, and usually avoids duplicate ph2:s */
++ if (iph1->side == RESPONDER) {
++ iph2->retry_checkph1 = 1;
++ sched_schedule(&iph2->sce, 1, isakmp_chkph2there);
++ return 0;
++ }
+
+ /* found ISAKMP-SA. */
+ plog(LLV_DEBUG, LOCATION, NULL, "begin QUICK mode.\n");
+@@ -2388,7 +2414,10 @@ isakmp_chkph1there(iph2)
+ plog(LLV_DEBUG2, LOCATION, NULL, "dst: %s\n", saddr2str(iph2->dst));
+
+ /* begin quick mode */
+- (void)isakmp_ph2begin_i(iph1, iph2);
++ if (isakmp_ph2begin_i(iph1, iph2)) {
++ remph2(iph2);
++ delph2(iph2);
++ }
+ return;
+ }
+
diff --git a/testing/ipsec-tools/70-rcvbuf-size.patch b/testing/ipsec-tools/70-rcvbuf-size.patch
new file mode 100644
index 0000000000..34e295decf
--- /dev/null
+++ b/testing/ipsec-tools/70-rcvbuf-size.patch
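Review bot: The evt.h hunk `@@ -136,6 +138,7 @@` adds `#deifne evt_list_move(from, to) ;`, a misspelled directive that the preprocessor rejects, so any build without ENABLE_ADMINPORT stops compiling at that line; it should read `#define evt_list_move(from, to) ;`. The APKBUILD in this commit passes `--enable-adminport`, which is presumably why the broken stub branch was never compiled here. The isakmp.c hunk's comment `/* Check if a similar phase2 appared meanwhile */` should say `appeared`.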
@@ -0,0 +1,33 @@
+Index: src/racoon/isakmp.c
+===================================================================
+RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/isakmp.c,v
+retrieving revision 1.60
+diff -u -r1.60 isakmp.c
+--- a/src/racoon/isakmp.c 3 Sep 2009 09:29:07 -0000 1.60
++++ b/src/racoon/isakmp.c 20 Aug 2010 11:59:20 -0000
+@@ -1579,6 +1579,7 @@
+ #ifdef ENABLE_NATT
+ int option = -1;
+ #endif
++ int rcvSize = 16384;
+
+ /* warn if wildcard address - should we forbid this? */
+ switch (addr->sa_family) {
+@@ -1706,6 +1707,17 @@
+ goto err;
+ }
+
++ /* set receive buffer size - shouldn't be too large otherwise
++ * we can acommodate too long backbuffer of packets and not
++ * able to handle any packets in real time */
++ if (setsockopt(fd, SOL_SOCKET, SO_RCVBUF,
++ (void*) &rcvSize, sizeof(rcvSize)) < 0) {
++ plog(LLV_ERROR, LOCATION, NULL,
++ "failed to set SO_RCVBUF size (%s).\n",
++ strerror(errno));
++ /* soft-error, continue even if this failed */
++ }
++
+ if (setsockopt_bypass(fd, addr->sa_family) < 0)
+ goto err;
+
diff --git a/testing/ipsec-tools/75-racoonctl-rcvbuf.patch b/testing/ipsec-tools/75-racoonctl-rcvbuf.patch
new file mode 100644
index 0000000000..3a68bfc2ae
--- /dev/null
+++ b/testing/ipsec-tools/75-racoonctl-rcvbuf.patch
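Review bot: The failed `setsockopt` in the `@@ -1706,6 +1707,17 @@` hunk is logged at `LLV_ERROR` although the comment right below it says it is a soft error and execution continues; `plog(LLV_WARNING, LOCATION, NULL,` keeps the severity consistent with the handling. The size is the bare literal in `int rcvSize = 16384;`; a named constant (for example `ISAKMP_RCVBUF_SIZE`) placed next to the comment that explains why the buffer is deliberately kept small would make the intent findable. That comment also misspells `acommodate` (accommodate). The enclosing function starts outside both hunks.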
@@ -0,0 +1,33 @@
+Index: src/racoon/kmpstat.c
+===================================================================
+RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/kmpstat.c,v
+retrieving revision 1.6
+diff -u -r1.6 kmpstat.c
+--- a/src/racoon/kmpstat.c 2 Oct 2007 09:47:45 -0000 1.6
++++ b/src/racoon/kmpstat.c 14 Oct 2010 12:48:22 -0000
+@@ -99,6 +99,7 @@
+ com_init()
+ {
+ struct sockaddr_un name;
++ int rcvSize;
+
+ memset(&name, 0, sizeof(name));
+ name.sun_family = AF_UNIX;
+@@ -114,6 +115,17 @@
+ return -1;
+ }
+
++ /* set receive buffer size - should be relative large:
++ * racoon daemon will try to send all info in one go, if
++ * it does not fit we'll miss stuff */
++ rcvSize = 1024 * 1024;
++ if (setsockopt(so, SOL_SOCKET, SO_RCVBUF,
++ (void*) &rcvSize, sizeof(rcvSize)) < 0) {
++ rcvSize = 512 * 1024;
++ (void) setsockopt(so, SOL_SOCKET, SO_RCVBUF,
++ (void*) &rcvSize, sizeof(rcvSize));
++ }
++
+ return 0;
+ }
+
diff --git a/testing/ipsec-tools/90-dpd-window-fix.patch b/testing/ipsec-tools/90-dpd-window-fix.patch
new file mode 100644
index 0000000000..d3ac9a9aa2
--- /dev/null
+++ b/testing/ipsec-tools/90-dpd-window-fix.patch
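Review bot: The fallback in the `@@ -114,6 +115,17 @@` hunk casts the second `setsockopt` to `(void)`, so if both attempts fail nothing is reported and the client silently keeps the default buffer that the comment says is too small. On Linux a SO_RCVBUF request above the system limit is clamped rather than rejected, so the 512 KiB branch is unlikely to run there and the effective size stays unknown to the caller either way. Reading the value back with `getsockopt(so, SOL_SOCKET, SO_RCVBUF, ...)` and at least noting the result in a comment would document what racoonctl actually gets. `com_init` starts in the first hunk but the part of its body between the two hunks is not shown.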
@@ -0,0 +1,85 @@
+Index: src/racoon/isakmp_inf.c
+===================================================================
+RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c,v
+retrieving revision 1.41
+diff -u -r1.41 isakmp_inf.c
+--- a/src/racoon/isakmp_inf.c 3 Jul 2009 06:41:46 -0000 1.41
++++ b/src/racoon/isakmp_inf.c 5 May 2010 15:56:38 -0000
+@@ -1450,17 +1450,16 @@
+ struct isakmp_pl_ru *ru;
+ u_int32_t msgid;
+ {
++ u_int32_t seq;
+
+ plog(LLV_DEBUG, LOCATION, iph1->remote,
+ "DPD R-U-There-Ack received\n");
+
+- /* XXX Maintain window of acceptable sequence numbers ?
+- * => ru->data <= iph2->dpd_seq &&
+- * ru->data >= iph2->dpd_seq - iph2->dpd_fails ? */
+- if (ntohl(ru->data) != iph1->dpd_seq-1) {
++ seq = ntohl(ru->data);
++ if (seq <= iph1->dpd_last_ack || seq > iph1->dpd_seq) {
+ plog(LLV_ERROR, LOCATION, iph1->remote,
+- "Wrong DPD sequence number (%d, %d expected).\n",
+- ntohl(ru->data), iph1->dpd_seq-1);
++ "Wrong DPD sequence number (%d; last_ack=%d, seq=%d).\n",
++ seq, iph1->dpd_last_ack, iph1->dpd_seq);
+ return 0;
+ }
+
+@@ -1472,6 +1471,7 @@
+ }
+
+ iph1->dpd_fails = 0;
++ iph1->dpd_last_ack = seq;
+ sched_cancel(&iph1->dpd_r_u);
+ isakmp_sched_r_u(iph1, 0);
+
+@@ -1535,12 +1535,13 @@
+ memcpy(ru->i_ck, iph1->index.i_ck, sizeof(cookie_t));
+ memcpy(ru->r_ck, iph1->index.r_ck, sizeof(cookie_t));
+
+- if (iph1->dpd_seq == 0){
++ if (iph1->dpd_seq == 0) {
+ /* generate a random seq which is not too big */
+- srand(time(NULL));
+- iph1->dpd_seq = rand() & 0x0fff;
++ iph1->dpd_seq = iph1->dpd_last_ack = rand() & 0x0fff;
+ }
+
++ iph1->dpd_seq++;
++ iph1->dpd_fails++;
+ ru->data = htonl(iph1->dpd_seq);
+
+ error = isakmp_info_send_common(iph1, payload, ISAKMP_NPTYPE_N, 0);
+@@ -1549,12 +1550,6 @@
+ plog(LLV_DEBUG, LOCATION, iph1->remote,
+ "DPD R-U-There sent (%d)\n", error);
+
+- /* will be decreased if ACK received... */
+- iph1->dpd_fails++;
+-
+- /* XXX should be increased only when ACKed ? */
+- iph1->dpd_seq++;
+-
+ /* Reschedule the r_u_there with a short delay,
+ * will be deleted/rescheduled if ACK received before */
+ isakmp_sched_r_u(iph1, 1);
+Index: src/racoon/handler.h
+===================================================================
+RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/handler.h,v
+retrieving revision 1.22
+diff -u -r1.22 handler.h
+--- a/src/racoon/handler.h 3 Sep 2009 09:29:07 -0000 1.22
++++ b/src/racoon/handler.h 5 May 2010 15:56:39 -0000
+@@ -202,7 +202,8 @@
+
+ #ifdef ENABLE_DPD
+ int dpd_support; /* Does remote supports DPD ? */
+- u_int16_t dpd_seq; /* DPD seq number to receive */
++ u_int32_t dpd_last_ack;
++ u_int32_t dpd_seq; /* DPD seq number to receive */
+ u_int8_t dpd_fails; /* number of failures */
+ struct sched dpd_r_u;
+ #endif
diff --git a/testing/ipsec-tools/APKBUILD b/testing/ipsec-tools/APKBUILD
new file mode 100644
index 0000000000..274802d5f7
--- /dev/null
+++ b/testing/ipsec-tools/APKBUILD
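Review bot: In the `@@ -1450,17 +1450,16 @@` hunk the new message `"Wrong DPD sequence number (%d; last_ack=%d, seq=%d).\n"` prints three `u_int32_t` values with `%d`; `%u` matches the types now that the handler.h hunk widens `dpd_seq` to `u_int32_t` as well. The new member `u_int32_t dpd_last_ack;` is the only field in that block without a trailing comment; `/* highest R-U-There seq acknowledged by the peer */` would match its neighbours. Removing `srand(time(NULL));` while keeping `rand() & 0x0fff` as the initial sequence means the start value is only unpredictable if rand() is seeded elsewhere in racoon, which is not visible here and is worth confirming. The `seq <= iph1->dpd_last_ack || seq > iph1->dpd_seq` window is an unsigned comparison that only misbehaves on 32-bit wraparound, which is acceptable for a counter that starts below 0x1000 and grows by one per probe.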
@@ -0,0 +1,66 @@
+# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
+pkgname=ipsec-tools
+pkgver=0.8_alpha20101022
+_myver=0.8-alpha20101022
+pkgrel=0
+pkgdesc="User-space IPsec tools for various IPsec implementations"
+url="http://ipsec-tools.sourceforge.net/"
+license="BSD"
+depends=""
+makedepends="openssl-dev bison flex"
+subpackages="$pkgname-doc $pkgname-dev"
+source="http://downloads.sourceforge.net/$pkgname/$pkgname-$_myver.tar.gz
+ racoon.initd
+ racoon.confd
+ 10-revert-utmpx.patch
+ 50-reverse-connect.patch
+ 70-rcvbuf-size.patch
+ 75-racoonctl-rcvbuf.patch
+ 90-dpd-window-fix.patch
+ "
+
+_builddir="$srcdir"/$pkgname-$_myver
+prepare() {
+ cd "$_builddir"
+ for i in ../*.patch; do
+ msg "Applying $i..."
+ patch -p1 -i $i || return 1
+ done
+
+ sed -i 's:-Werror::g' configure
+}
+
+build() {
+ cd "$_builddir"
+ ./configure --prefix=/usr \
+ --sysconfdir=/etc \
+ --mandir=/usr/share/man \
+ --infodir=/usr/share/info \
+ --localstatedir=/var/lib \
+ --with-kernel-headers=/usr/include \
+ --disable-security-context \
+ --enable-adminport \
+ --enable-dpd \
+ --enable-frag \
+ --enable-hybrid \
+ --enable-ipv6 \
+ --enable-natt
+ make || return 1
+}
+
+package() {
+ cd "$_builddir"
+ make DESTDIR="$pkgdir" install
+
+ install -D -m755 ../racoon.initd "$pkgdir"/etc/init.d/racoon
+ install -D -m644 ../racoon.confd "$pkgdir"/etc/conf.d/racoon
+}
+
+md5sums="1492b83edc944b5d32d2eff51e33399e ipsec-tools-0.8-alpha20101022.tar.gz
+74f12ed04ed273a738229c0bfbf829cc racoon.initd
+2d00250cf72da7f2f559c91b65a48747 racoon.confd
+90b629020b95bca6824cefde244fa6b2 10-revert-utmpx.patch
+13bda94a598aabf593280e04ea16065d 50-reverse-connect.patch
+f40c78e4ca4b92d2bf74e4fcf3a8d91f 70-rcvbuf-size.patch
+2d5d24c4a3684a38584f88720f71c7d6 75-racoonctl-rcvbuf.patch
+0391a6967ad19673588302bc8b17e0e2 90-dpd-window-fix.patch"
diff --git a/testing/ipsec-tools/racoon.confd b/testing/ipsec-tools/racoon.confd
new file mode 100644
index 0000000000..bf9926c5b5
--- /dev/null
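Review bot: In `package()` the line `make DESTDIR="$pkgdir" install` and the two `install -D` lines carry no `|| return 1`, unlike `make || return 1` in `build()` and `patch -p1 -i $i || return 1` in `prepare()`, so a failed install step does not abort packaging under the abuild convention the rest of the file follows; `make DESTDIR="$pkgdir" install || return 1` restores consistency. In `prepare()` the loop variable is unquoted in `patch -p1 -i $i || return 1`; `"$i"` would match the quoting used for `"$_builddir"`. The `sed -i 's:-Werror::g' configure` line deserves a one-line comment naming the warning it works around, since that is the first thing a later maintainer will ask.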
+++ b/testing/ipsec-tools/racoon.confd
@@ -0,0 +1,20 @@
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-firewall/ipsec-tools/files/racoon.conf.d,v 1.3 2004/07/14 23:29:57 agriffis Exp $
+
+# Config file for /etc/init.d/racoon
+
+# See the manual pages for racoon or run `racoon --help`
+# for valid command-line options
+
+RACOON_OPTS="-4"
+SETKEY_OPTS=""
+
+RACOON_CONF="/etc/racoon/racoon.conf"
+RACOON_PSK_FILE="/etc/racoon/psk.txt"
+SETKEY_CONF="/etc/ipsec.conf"
+
+# Comment or remove the following if you don't want the policy tables
+# to be flushed when racoon is stopped.
+
+RACOON_RESET_TABLES="true"
diff --git a/testing/ipsec-tools/racoon.initd b/testing/ipsec-tools/racoon.initd
new file mode 100644
index 0000000000..724eee0237
--- /dev/null
+++ b/testing/ipsec-tools/racoon.initd
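Review bot: `RACOON_OPTS="-4"` restricts racoon to IPv4 while the APKBUILD in the same commit configures with `--enable-ipv6`, and the file gives no hint why; a short comment above it, such as `# -4: IPv4 only; drop it to let racoon also listen on IPv6 addresses`, would tell an administrator that the flag is a default rather than a requirement. The `RACOON_RESET_TABLES` comment says "comment or remove" while the init script tests `[ -n "${RACOON_RESET_TABLES}" ]`, so setting it to an empty string also disables the flush; mentioning that keeps the two files in step.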
@@ -0,0 +1,60 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+depend() {
+ before netmount
+ use net
+ after firewall ntp-client
+ provide ipsec
+}
+
+checkconfig() {
+ if [ ! -e ${SETKEY_CONF} ] ; then
+ eerror "You need to configure setkey before starting racoon."
+ return 1
+ fi
+ if [ ! -e ${RACOON_CONF} ] ; then
+ eerror "You need a configuration file to start racoon."
+ return 1
+ fi
+ if [ ! -z ${RACOON_PSK_FILE} ] ; then
+ if [ ! -f ${RACOON_PSK_FILE} ] ; then
+ eerror "PSK file not found as specified."
+ eerror "Set RACOON_PSK_FILE in /etc/conf.d/racoon."
+ return 1
+ fi
+ case "`ls -Lldn ${RACOON_PSK_FILE}`" in
+ -r--------*)
+ ;;
+ *)
+ eerror "Your defined PSK file should be mode 400 for security!"
+ return 1
+ ;;
+ esac
+ fi
+}
+
+start() {
+ checkconfig || return 1
+ einfo "Loading ipsec policies from ${SETKEY_CONF}."
+ /usr/sbin/setkey ${SETKEY_OPTS} -f ${SETKEY_CONF}
+ if [ $? -eq 1 ] ; then
+ eerror "Error while loading ipsec policies"
+ fi
+ ebegin "Starting racoon"
+ start-stop-daemon -S -x /usr/sbin/racoon -- -f ${RACOON_CONF} ${RACOON_OPTS}
+ eend $?
+}
+
+stop() {
+ ebegin "Stopping racoon"
+ start-stop-daemon -K -p /var/run/racoon.pid
+ eend $?
+ if [ -n "${RACOON_RESET_TABLES}" ]; then
+ ebegin "Flushing policy entries"
+ /usr/sbin/setkey -F
+ /usr/sbin/setkey -FP
+ eend $?
+ fi
+}
|
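Review bot: In `start()` the setkey result is tested with `if [ $? -eq 1 ] ; then`, which only logs and only for exit status 1, so any other failure is ignored and racoon is started with whatever policies did load; `if [ $? -ne 0 ] ; then eerror "Error while loading ipsec policies"; return 1; fi` matches the intent of the preceding `checkconfig || return 1`. In `checkconfig()` the variables in `[ ! -e ${SETKEY_CONF} ]`, `[ ! -z ${RACOON_PSK_FILE} ]` and `ls -Lldn ${RACOON_PSK_FILE}` are unquoted, so an empty or space-containing value changes the argument count of the test instead of failing cleanly; `[ -n "${RACOON_PSK_FILE}" ]`, as `stop()` already does, is the safer form. The `-r--------*)` pattern checks only the mode, not the owner, although `ls -n` already prints the numeric uid in the same line, so extending the match to the owner column would complete the check the error message promises. `checkconfig` is also only called from `start()`, so a PSK file whose mode is changed later is never re-verified.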