author | Bill Nottingham <notting@redhat.com> | 2003-07-03 02:27:34 +0000 |
---|---|---|
committer | Bill Nottingham <notting@redhat.com> | 2003-07-03 02:27:34 +0000 |
commit | ce4f8820c3f76adaef073f77f31882a336da5846 (patch) | |
tree | f66f60e2f5f603e4b1a6170ae47c8f9ed0ba0ea7 | |
parent | d773cca9ae39f4b0fa5556d791cdf24c053966ec (diff) | |
download | initscripts-ce4f8820c3f76adaef073f77f31882a336da5846.tar initscripts-ce4f8820c3f76adaef073f77f31882a336da5846.tar.gz initscripts-ce4f8820c3f76adaef073f77f31882a336da5846.tar.bz2 initscripts-ce4f8820c3f76adaef073f77f31882a336da5846.tar.xz initscripts-ce4f8820c3f76adaef073f77f31882a336da5846.zip |
- nuke RSA support, since we're not doing it right now
- switch md5 -> sha1
- clarify some docs
-rwxr-xr-x | sysconfig/network-scripts/ifup-ipsec | 27 |
1 files changed, 8 insertions, 19 deletions
diff --git a/sysconfig/network-scripts/ifup-ipsec b/sysconfig/network-scripts/ifup-ipsec
index 68be5c82..124938fd 100755
--- a/sysconfig/network-scripts/ifup-ipsec
+++ b/sysconfig/network-scripts/ifup-ipsec
@@ -13,30 +13,28 @@
 #
 # Manual keying:
 #
-# AH_PROTO{_IN,_OUT} = protocol to use for AH (defaults to HMAC-MD5)
+# AH_PROTO{_IN,_OUT} = protocol to use for AH (defaults to HMAC-SHA1)
 # ESP_PROTO{_IN,_OUT} = protocol to use for ESP (defaults to 3DES)
 # KEY_AH{_IN,_OUT} = AH key
 # KEY_ESP{_IN,_OUT} = ESP key
 # SPI_{EH,AH_{IN,OUT}} = SPIs to use
 #
 # _IN and _OUT specifiers are for using different keys or protocols for inccoming
-# and outgoing packets. If neither _IN or _OUT variants are set, the same keys
-# or protocols will be used for both.
+# and outgoing packets. If neither _IN or _OUT variants are set for protocols or
+# keys, the same will be used for both.
 #
 # Automatic keying:
 #
-# IKE_METHOD=PSK|X509|RSA|GSSAPI
+# IKE_METHOD=PSK|X509|GSSAPI
 # PSK = preshared keys (shared secret)
 # X509 = X.509 certificates
-# RSA = RSA host keys in DNS (not yet implemented)
 # GSSAPI = GSSAPI authentication
 # IKE_PSK = preshared key for this connection
-# IKE_CERTFILE = our certificate file name for X509 IKE
+# IKE_CERTFILE = our certificate file name for X509 IKE
 # IKE_PEER_CERTFILE = peer public cert filename for X509 IKE
 # IKE_DNSSEC = retrieve peer public certs from DNS
 # (otherwise uses certificate information sent over IKE)
-# IKE_RSA_KEY = RSA key for RSA IKE
-#
+
 . /etc/init.d/functions
 cd /etc/sysconfig/network-scripts
@@ -86,12 +84,6 @@ if [ -n "$IKE_DNSSEC" ]; then
 IKE_METHOD=X509
 fi
-
-if [ -n "$RSA_KEY" ]; then
- KEYING=automatic
- IKE_METHOD=RSA
-fi
-
 if [ -n "$SRCNET" -o -n "$DSTNET" ]; then
 MODE=tunnel
 else
@@ -108,7 +100,7 @@ fi
 if [ "$KEYING" = "manual" ]; then
- [ -z "$AH_PROTO" ] && AH_PROTO=hmac-md5
+ [ -z "$AH_PROTO" ] && AH_PROTO=hmac-sha1
 [ -z "$ESP_PROTO" ] && ESP_PROTO=3des-cbc
 if [ "$MODE" = "host" ]; then
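Review bot: The retained context line `# _IN and _OUT specifiers are for using different keys or protocols for inccoming` keeps the typo "inccoming" even though the two lines immediately after it are being rewritten; fixing it to `incoming` belongs in a commit titled "clarify some docs". The `# SPI_{EH,AH_{IN,OUT}} = SPIs to use` line also reads oddly next to the `KEY_AH{_IN,_OUT}` / `KEY_ESP{_IN,_OUT}` pattern above it — `EH` looks like a slip for `ESP` and the braces nest differently from the other entries — but the actual variable names cannot be confirmed from this hunk alone, so treat that as a question for the author rather than a fix.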
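Review bot: Changing the manual-keying default on the `[ -z "$AH_PROTO" ] && AH_PROTO=hmac-sha1` line is a behavior change for every ifcfg that left AH_PROTO unset, because the key length setkey accepts depends on the algorithm — as far as I recall hmac-sha1 requires a 160-bit key where hmac-md5 took 128 bits — so a KEY_AH sized for the old default will start failing at setkey time rather than silently downgrading. It would help to add a header-comment line next to `# KEY_AH{_IN,_OUT} = AH key` stating the key size expected by the default algorithm, and to call the incompatibility out in the commit message. The automatic-keying default in the following hunk (`AH_PROTO=sha1`) is presumably negotiated through racoon and does not carry the same key-length concern. The `if [ "$KEYING" = "manual" ]` block this line sits in continues beyond the hunk.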
@@ -173,7 +165,7 @@ EOF
 fi
 if [ "$KEYING" = "automatic" ]; then
- [ -z "$AH_PROTO" ] && AH_PROTO=md5
+ [ -z "$AH_PROTO" ] && AH_PROTO=sha1
 [ -z "$ESP_PROTO" ] && ESP_PROTO=3des
 if [ "$MODE" = "host" ]; then
@@ -258,9 +250,6 @@ EOF
 }
 EOF
 ;;
- RSA)
- # not supported yet, only in freeswan
- ;;
 GSSAPI)
 cat >> /etc/racoon/$DST.conf << EOF
 my_identifier address;
|
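Review bot: Dropping the `RSA)` arm leaves an `IKE_METHOD=RSA` taken from an older ifcfg (or from the header comment this commit rewrites) with no matching branch in the `case`; unless a `*)` default arm exists outside this hunk, the script would carry on and write an /etc/racoon/$DST.conf with no authentication block instead of failing closed. Since the `$RSA_KEY` shortcut that used to force `IKE_METHOD=RSA` is also removed in the earlier hunk, the value is now entirely user-supplied and worth validating once before the `case`, e.g. `case "$IKE_METHOD" in PSK|X509|GSSAPI) ;; *) echo "Unsupported IKE_METHOD: $IKE_METHOD"; exit 1 ;; esac`. The enclosing `case` statement begins before this hunk, so I cannot see whether such a default arm is already present.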