-rw-r--r-- | sysconfig.txt | 21 | ||||
-rwxr-xr-x | sysconfig/network-scripts/ifup-ipsec | 42 |
2 files changed, 21 insertions, 42 deletions
diff --git a/sysconfig.txt b/sysconfig.txt
index 725001ae..b01a4e1a 100644
--- a/sysconfig.txt
+++ b/sysconfig.txt
@@ -832,15 +832,16 @@ Files in /etc/sysconfig/network-scripts/
 Manual keying:
- AH_PROTO{_IN,_OUT}=protocol to use for AH (defaults to HMAC-SHA1)
- ESP_PROTO{_IN,_OUT}=protocol to use for ESP (defaults to 3DES)
- KEY_AH{_IN,_OUT}=AH key
- KEY_ESP{_IN,_OUT}=ESP key
- SPI_{ESP,AH_{IN,OUT}}=SPIs to use
+ AH_PROTO{,_IN,_OUT}=protocol to use for AH (defaults to hmac-sha1)
+ ESP_PROTO{,_IN,_OUT}=protocol to use for ESP (defaults to 3des-cbc)
+ KEY_AH{,_IN,_OUT}=AH key
+ KEY_ESP{,_IN,_OUT}=ESP key
+ SPI_{ESP,AH}_{IN,OUT}=SPIs to use
- _IN and _OUT specifiers are for using different keys or protocols for incoming
- and outgoing packets. If neither _IN or _OUT variants are set for protocols or
- keys, the same will be used for both.
+ _IN and _OUT specifiers are for using different keys or protocols for
+ incoming and outgoing packets. If neither _IN or _OUT variants are set for
+ protocols or keys, the same will be used for both. Hexadecimal keys need to
+ be prefixed with "0x".
 Automatic keying:
@@ -849,11 +850,13 @@ Files in /etc/sysconfig/network-scripts/
 X509=X.509 certificates
 GSSAPI=GSSAPI authentication
 IKE_PSK=preshared key for this connection
- IKE_CERTFILE=our certificate file name for X509 IKE
+ IKE_CERTFILE=our certificate file name for X509 IKE
 IKE_PEER_CERTFILE=peer public cert filename for X509 IKE
 IKE_DNSSEC=retrieve peer public certs from DNS
 (otherwise uses certificate information sent over IKE)
+ Usage of AH or ESP may be disabled by setting {AH,ESP}_PROTO to "none".
+
 Bonding-specific items
 SLAVE=yes
diff --git a/sysconfig/network-scripts/ifup-ipsec b/sysconfig/network-scripts/ifup-ipsec
index 81101c06..0a4b2381 100755
--- a/sysconfig/network-scripts/ifup-ipsec
+++ b/sysconfig/network-scripts/ifup-ipsec
@@ -3,39 +3,6 @@
 # ifup-ipsec
 #
 # Brings up ipsec interfaces
-#
-# Configuration parameters
-#
-# SRC = source address. Not required.
-# DST = destination address
-# TYPE = IPSEC
-# SRCNET = source net (for tunneling)
-# DSTNET = destination network (for tunneling)
-#
-# Manual keying:
-#
-# AH_PROTO{_IN,_OUT} = protocol to use for AH (defaults to HMAC-SHA1)
-# ESP_PROTO{_IN,_OUT} = protocol to use for ESP (defaults to 3DES)
-# KEY_AH{_IN,_OUT} = AH key
-# KEY_ESP{_IN,_OUT} = ESP key
-# SPI_{ESP,AH_{IN,OUT}} = SPIs to use
-#
-# _IN and _OUT specifiers are for using different keys or protocols for inccoming
-# and outgoing packets. If neither _IN or _OUT variants are set for protocols or
-# keys, the same will be used for both. Hexadecimal keys need to be prefixed with
-# "0x".
-#
-# Automatic keying:
-#
-# IKE_METHOD=PSK|X509|GSSAPI
-# PSK = preshared keys (shared secret)
-# X509 = X.509 certificates
-# GSSAPI = GSSAPI authentication
-# IKE_PSK = preshared key for this connection
-# IKE_CERTFILE = our certificate file name for X509 IKE
-# IKE_PEER_CERTFILE = peer public cert filename for X509 IKE
-# IKE_DNSSEC = retrieve peer public certs from DNS
-# (otherwise uses certificate information sent over IKE)
 handle_keys() {
 if [ -z "$KEY_AH_IN" -a -n "$KEY_AH" ]; then
@@ -148,6 +115,15 @@ else
 SPD_ESP_OUT=yes
 fi
+if [ "$AH_PROTO" = "none" ]; then
+ unset SPI_AH_IN SPI_AH_OUT KEY_AH_IN KEY_AH_OUT SPD_AH_IN SPD_AH_OUT
+ AH_PROTO=sha1 # To silence racoon
+fi
+if [ "$ESP_PROTO" = "none" ]; then
+ unset SPI_ESP_IN SPI_ESP_OUT KEY_ESP_IN KEY_ESP_OUT SPD_ESP_IN SPD_ESP_OUT
+ ESP_PROTO=3des # To silence racoon
+fi
+
 /sbin/setkey -c >/dev/null 2>&1 << EOF
 ${SPI_AH_OUT:+delete $SRC $DST ah $SPI_AH_OUT;}
 ${SPI_AH_IN:+delete $DST $SRC ah $SPI_AH_IN;}
|
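Review bot: Overwriting the user's sentinel with `AH_PROTO=sha1` (and `ESP_PROTO=3des`) in the second hunk discards the only record that the protocol was disabled, so any later test of `$AH_PROTO`/`$ESP_PROTO` in the rest of the script — which lies outside this hunk — can no longer tell "disabled" from an explicit sha1/3des choice, and the racoon configuration presumably still proposes that algorithm even though the SPI/KEY/SPD variables were unset. The comment `# To silence racoon` should say what it is working around, e.g. `# AH is already disabled by unsetting its SPI/KEY/SPD variables above; a valid algorithm name is still needed because racoon (apparently) rejects an empty one`, or the decision should be kept in a dedicated variable such as `AH_DISABLED=yes` before the overwrite. The comparison is also exact and case-sensitive, so a value like `None` or `NONE` falls through and is passed on to setkey/racoon as an algorithm name; a `case "$AH_PROTO" in [Nn][Oo][Nn][Ee])` arm, or an explicit error for unrecognised values, would make that misconfiguration visible instead of silent. Note too that sysconfig.txt now documents the defaults as `hmac-sha1`/`3des-cbc` while the fallbacks here are `sha1`/`3des`; if both names feed the same consumer, the two should agree. The same applies to the ESP branch.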