-rw-r--r-- | sysconfig.txt | 4 | ||||
-rwxr-xr-x | sysconfig/network-scripts/ifdown-ipsec | 2 | ||||
-rwxr-xr-x | sysconfig/network-scripts/ifup-ipsec | 10 |
3 files changed, 11 insertions, 5 deletions
diff --git a/sysconfig.txt b/sysconfig.txt
index 82a6eb2f..571dd1dc 100644
--- a/sysconfig.txt
+++ b/sysconfig.txt
@@ -864,6 +864,10 @@ Files in /etc/sysconfig/network-scripts/
 IKE_DNSSEC=retrieve peer public certs from DNS (otherwise uses certificate information sent over IKE)
+ To manage the racoon configuration manually (e.g. when there is more than
+ one IPSEC configuration with the same DST), set KEYING=automatic and leave
+ all IKE_* parameters unspecified.
+
 Usage of AH or ESP may be disabled by setting {AH,ESP}_PROTO to "none".
 Bonding-specific items
diff --git a/sysconfig/network-scripts/ifdown-ipsec b/sysconfig/network-scripts/ifdown-ipsec
index 82a71a9a..56b31c43 100755
--- a/sysconfig/network-scripts/ifdown-ipsec
+++ b/sysconfig/network-scripts/ifdown-ipsec
@@ -76,7 +76,7 @@ ${EXCLUDE_SRCNET:+spddelete $SPD_SRC $SPD_SRC any -P out;}
 ${EXCLUDE_SRCNET:+spddelete $SPD_SRC $SPD_SRC any -P in;}
 EOF
-if [ "$KEYING" = "automatic" ]; then
+if [ "$KEYING" = "automatic" -a -n "$IKE_METHOD" ]; then
 racoontmp=`mktemp /etc/racoon/racoon.XXXXXX`
 grep -v "^include \"/etc/racoon/$DST.conf\";" /etc/racoon/racoon.conf >> $racoontmp
 mv -f $racoontmp /etc/racoon/racoon.conf
diff --git a/sysconfig/network-scripts/ifup-ipsec b/sysconfig/network-scripts/ifup-ipsec
index ebad848c..882722fd 100755
--- a/sysconfig/network-scripts/ifup-ipsec
+++ b/sysconfig/network-scripts/ifup-ipsec
@@ -158,7 +158,7 @@ spdadd $SPD_DST $SPD_SRC any -P in ipsec ;
 EOF
-if [ "$KEYING" = "automatic" ]; then
+if [ "$KEYING" = "automatic" -a -n "$IKE_METHOD" ]; then
 if [ "$IKE_METHOD" = "PSK" ]; then
 tmpfile=`mktemp /etc/racoon/psk.XXXXXX`
 grep -v "^$DST" /etc/racoon/psk.txt > $tmpfile
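Review bot: The new test `[ "$KEYING" = "automatic" -a -n "$IKE_METHOD" ]` in ifdown-ipsec relies on the `-a` connective, which POSIX marks obsolescent and which `test` can parse ambiguously once an operand happens to look like an operator; the same construct is introduced in the ifup-ipsec hunk at @@ -158. Write it as two tests joined by the shell instead: `if [ "$KEYING" = "automatic" ] && [ -n "$IKE_METHOD" ]; then`. Because an empty IKE_METHOD now selects a distinct mode (the include line for /etc/racoon/$DST.conf is deliberately left in racoon.conf on ifdown), a comment above the test such as `# empty IKE_METHOD: racoon config is maintained by hand, leave racoon.conf untouched` would make that intent visible where the decision is made. The body of this `if` continues past the end of the hunk.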
@@ -223,9 +223,11 @@ EOF
 grep -v "^include \"/etc/racoon/$DST.conf\";" /etc/racoon/racoon.conf >> $racoontmp
 echo "include \"/etc/racoon/$DST.conf\";" >> $racoontmp
 mv -f $racoontmp /etc/racoon/racoon.conf
- if pidof -x /usr/sbin/racoon > /dev/null 2>&1 ; then
- killall -HUP /usr/sbin/racoon
- else
+fi
+if [ "$KEYING" = "automatic" ]; then
+ if ! pidof -x /usr/sbin/racoon > /dev/null 2>&1 ; then
 /usr/sbin/racoon
+ elif [ -n "$IKE_METHOD" ]; then
+ killall -HUP /usr/sbin/racoon
 fi
 fi
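Review bot: When IKE_METHOD is empty and racoon is already running, the new `elif [ -n "$IKE_METHOD" ]` branch means nothing signals the daemon, so a hand-maintained /etc/racoon/$DST.conf only takes effect on a fresh racoon start or after the administrator reloads it themselves; if that is intended, a comment above the `elif` such as `# manual racoon config: never HUP a running daemon, the admin reloads it` should say so. The exit status of the `/usr/sbin/racoon` start on the context line is still ignored, so a daemon that fails to start leaves ifup continuing silently; `/usr/sbin/racoon || echo "racoon failed to start" >&2` would at least report it. The added `+fi` closes an `if` that starts outside this hunk.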