-rw-r--r--sysconfig.txt49
-rwxr-xr-xsysconfig/network-scripts/ifdown-ipsec86
-rwxr-xr-xsysconfig/network-scripts/ifup-ipsec279
3 files changed, 0 insertions, 414 deletions
diff --git a/sysconfig.txt b/sysconfig.txt
index 582fb4d9..81610a35 100644
--- a/sysconfig.txt
+++ b/sysconfig.txt
@@ -856,55 +856,6 @@ Files in /etc/sysconfig/network-scripts/
SPYIPS=<list of IP addresses to monitor for link quality>
IWPRIV=<iwpriv(8) commands>
- IPSEC specific items
- SRC=source address. Not required.
- DST=destination address
- TYPE=IPSEC
- SRCNET=source net (for tunneling)
- DSTNET=destination network (for tunneling)
-
- Manual keying:
-
- AH_PROTO{,_IN,_OUT}=protocol to use for AH (defaults to hmac-sha1)
- ESP_PROTO{,_IN,_OUT}=protocol to use for ESP (defaults to 3des-cbc)
- AESP_PROTO{,_IN,_OUT}=protocol to use for ESP authentication (defaults to
- hmac-sha1)
- KEY_AH{,_IN,_OUT}=AH key
- KEY_ESP{,_IN,_OUT}=ESP encryption key
- KEY_AESP{,_IN,_OUT}=ESP authentication key (optional)
- SPI_{ESP,AH}_{IN,OUT}=SPIs to use
-
- _IN and _OUT specifiers are for using different keys or protocols for
- incoming and outgoing packets. If neither _IN or _OUT variants are set for
- protocols or keys, the same will be used for both. Hexadecimal keys need to
- be prefixed with "0x".
-
- Automatic keying:
-
- IKE_DHGROUP=<number> (defaults to 2)
- IKE_METHOD=PSK|X509|GSSAPI
- PSK=preshared keys (shared secret)
- X509=X.509 certificates
- GSSPI=GSSAPI authentication
- IKE_AUTH=protocol to use for Phase 1 of SA (defaults to sha1)
- IKE_ENC=protocol to use for Phase 1 of SA (defaults to 3des)
- IKE_PSK=preshared key for this connection
- IKE_CERTFILE=our certificate file name for X509 IKE
- IKE_PEER_CERTFILE=peer public cert filename for X509 IKE
- IKE_DNSSEC=retrieve peer public certs from DNS
- (otherwise uses certificate information sent over IKE)
-
- To manage the racoon configuration manually (e.g. when there is more than
- one IPSEC configuration with the same DST), set KEYING=automatic and leave
- all IKE_* parameters unspecified.
-
- To override the identifier to use with a preshared key:
-
- MYID_TYPE=address|fqdn|user_fqdn
- MYID_VALUE=fqdn or user_fqdn string for this connection
-
- Usage of AH or ESP may be disabled by setting {AH,ESP}_PROTO to "none".
-
Bonding-specific items
SLAVE=yes
diff --git a/sysconfig/network-scripts/ifdown-ipsec b/sysconfig/network-scripts/ifdown-ipsec
deleted file mode 100755
index 3167fa63..00000000
--- a/sysconfig/network-scripts/ifdown-ipsec
+++ /dev/null
@@ -1,86 +0,0 @@
-#!/bin/bash
-PATH=/sbin:/usr/sbin/:/bin:/usr/bin
-
-cd /etc/sysconfig/network-scripts
-. ./network-functions
-
-CONFIG=$1
-[ -f "${CONFIG}" ] || CONFIG=ifcfg-${1}
-source_config
-
-if [ -n "$KEY_AH" -o -n "$KEY_ESP" ]; then
- KEYING=manual
-fi
-
-
-if [ -n "$IKE_PSK" ]; then
- KEYING=automatic
- IKE_METHOD=PSK
-fi
-
-if [ -n "$IKE_CERTFILE" ]; then
- KEYING=automatic
- IKE_METHOD=X509
-fi
-
-if [ -n "$IKE_PEER_CERTFILE" ]; then
- KEYING=automatic
- IKE_METHOD=X509
-fi
-
-if [ -n "$IKE_DNSSEC" ]; then
- KEYING=automatic
- IKE_METHOD=X509
-fi
-if [ -n "$RSA_KEY" ]; then
- KEYING=automatic
- IKE_METHOD=RSA
-fi
-
-[ -n "$IKE_METHOD" ] && KEYING=automatic
-[ -z "$KEYING" ] && KEYING=manual
-
-if [ -z "$SRC" ]; then
- SRC=$(ip -o route get to $DST | sed "s|.*src \([^ ]*\).*|\1|")
-fi
-
-if [ -n "$SRCNET" -o -n "$DSTNET" ]; then
- MODE=tunnel
- [ -z "$SRCNET" ] && SRCNET="$SRC/32"
- [ -z "$DSTNET" ] && DSTNET="$DST/32"
- SPD_SRC=$SRCNET
- SPD_DST=$DSTNET
- # If SRCNET is a subnet of DSTNET, exclude SRCNET<->SRCNET communication
- if [ "${SRCNET##*/}" -gt "${DSTNET##*/}" ] \
- && [ "$(ipcalc -n "${SRCNET%%/*}/${DSTNET##*/}")" \
- = "NETWORK=${DSTNET%%/*}" ]; then
- EXCLUDE_SRCNET=yes
- fi
- [ -z "$SRCGW" ] && SRCGW=$(ip -o route get to $SRCNET | sed "s|.*src \([^ ]*\).*|\1|")
- ip route del to $DSTNET via $SRCGW src $SRCGW
-else
- MODE=transport
- SPD_SRC=$SRC
- SPD_DST=$DST
- unset EXCLUDE_SRCNET
-fi
-
-setkey -c << EOF
-${SPI_AH_OUT:+delete $SRC $DST ah $SPI_AH_OUT;}
-${SPI_AH_IN:+delete $DST $SRC ah $SPI_AH_IN;}
-${SPI_ESP_OUT:+delete $SRC $DST esp $SPI_ESP_OUT;}
-${SPI_ESP_IN:+delete $DST $SRC esp $SPI_ESP_IN;}
-spddelete $SPD_SRC $SPD_DST any -P out;
-spddelete $SPD_DST $SPD_SRC any -P in;
-${EXCLUDE_SRCNET:+spddelete $SPD_SRC $SPD_SRC any -P out;}
-${EXCLUDE_SRCNET:+spddelete $SPD_SRC $SPD_SRC any -P in;}
-EOF
-
-if [ "$KEYING" = "automatic" -a -n "$IKE_METHOD" ]; then
- racoontmp=$(mktemp /etc/racoon/racoon.XXXXXX)
- grep -v "^include \"/etc/racoon/$DST.conf\";" /etc/racoon/racoon.conf >> $racoontmp
- mv -f $racoontmp /etc/racoon/racoon.conf
- pidof -x /usr/sbin/racoon > /dev/null 2>&1 && killall -HUP /usr/sbin/racoon
-fi
-
-/etc/sysconfig/network-scripts/ifdown-post $CONFIG
diff --git a/sysconfig/network-scripts/ifup-ipsec b/sysconfig/network-scripts/ifup-ipsec
deleted file mode 100755
index 4411451c..00000000
--- a/sysconfig/network-scripts/ifup-ipsec
+++ /dev/null
@@ -1,279 +0,0 @@
-#!/bin/sh
-#
-# ifup-ipsec
-#
-# Brings up ipsec interfaces
-
-handle_keys() {
- [ -z "$KEY_AH_IN" -a -n "$KEY_AH" ] && KEY_AH_IN=$KEY_AH
- [ -z "$KEY_AH_OUT" -a -n "$KEY_AH" ] && KEY_AH_OUT=$KEY_AH
- [ -z "$KEY_ESP_IN" -a -n "$KEY_ESP" ] && KEY_ESP_IN=$KEY_ESP
- [ -z "$KEY_ESP_OUT" -a -n "$KEY_ESP" ] && KEY_ESP_OUT=$KEY_ESP
- [ -z "$KEY_AESP_IN" -a -n "$KEY_AESP" ] && KEY_AESP_IN=$KEY_AESP
- [ -z "$KEY_AESP_OUT" -a -n "$KEY_AESP" ] && KEY_AESP_OUT=$KEY_AESP
-
- [ -n "$KEY_AH_IN" -a "$KEY_AH_IN" = "${KEY_AH_IN##0x}" ] \
- && KEY_AH_IN=\"$KEY_AH_IN\"
- [ -n "$KEY_AH_OUT" -a "$KEY_AH_OUT" = "${KEY_AH_OUT##0x}" ] \
- && KEY_AH_OUT=\"$KEY_AH_OUT\"
- [ -n "$KEY_ESP_IN" -a "$KEY_ESP_IN" = "${KEY_ESP_IN##0x}" ] \
- && KEY_ESP_IN=\"$KEY_ESP_IN\"
- [ -n "$KEY_ESP_OUT" -a "$KEY_ESP_OUT" = "${KEY_ESP_OUT##0x}" ] \
- && KEY_ESP_OUT=\"$KEY_ESP_OUT\"
- [ -n "$KEY_AESP_IN" -a "$KEY_AESP_IN" = "${KEY_AESP_IN##0x}" ] \
- && KEY_AESP_IN=\"$KEY_AESP_IN\"
- [ -n "$KEY_AESP_OUT" -a "$KEY_AESP_OUT" = "${KEY_AESP_OUT##0x}" ] \
- && KEY_AESP_OUT=\"$KEY_AESP_OUT\"
-}
-
-. /etc/init.d/functions
-cd /etc/sysconfig/network-scripts
-. ./network-functions
-
-CONFIG=$1
-[ -f "${CONFIG}" ] || CONFIG=ifcfg-${1}
-source_config
-
-handle_keys
-
-if [ -n "$KEY_AH" -o -n "$KEY_ESP" ]; then
- KEYING=manual
-fi
-
-
-if [ -n "$IKE_PSK" ]; then
- KEYING=automatic
- IKE_METHOD=PSK
-fi
-
-if [ -n "$IKE_CERTFILE" ]; then
- KEYING=automatic
- IKE_METHOD=X509
-fi
-
-if [ -n "$IKE_PEER_CERTFILE" ]; then
- KEYING=automatic
- IKE_METHOD=X509
-fi
-
-if [ -n "$IKE_DNSSEC" ]; then
- KEYING=automatic
- IKE_METHOD=X509
-fi
-
-[ -n "$IKE_METHOD" ] && KEYING=automatic
-[ -z "$KEYING" ] && KEYING=manual
-
-if [ -z "$SRC" ]; then
- SRC=$(ip -o route get to $DST | sed "s|.*src \([^ ]*\).*|\1|")
-fi
-
-if [ -n "$SRCNET" -o -n "$DSTNET" ]; then
- TUNNEL_MODE=yes
- MODE=tunnel
- [ -z "$SRCNET" ] && SRCNET="$SRC/32"
- [ -z "$DSTNET" ] && DSTNET="$DST/32"
- SPD_SRC=$SRCNET
- SPD_DST=$DSTNET
- # If SRCNET is a subnet of DSTNET, exclude SRCNET<->SRCNET communication
- if [ "${SRCNET##*/}" -gt "${DSTNET##*/}" ] \
- && [ "$(ipcalc -n "${SRCNET%%/*}/${DSTNET##*/}")" \
- = "NETWORK=${DSTNET%%/*}" ]; then
- EXCLUDE_SRCNET=yes
- fi
- [ -z "$SRCGW" ] && SRCGW=$(ip -o route get to $SRCNET | sed "s|.*src \([^ ]*\).*|\1|")
- ip route add to $DSTNET via $SRCGW src $SRCGW
-else
- unset TUNNEL_MODE
- MODE=transport
- SPD_SRC=$SRC
- SPD_DST=$DST
- unset EXCLUDE_SRCNET
-fi
-
-unset SPD_AH_IN SPD_AH_OUT SPD_ESP_IN SPD_ESP_OUT
-if [ "$KEYING" = "manual" ]; then
- [ -z "$AH_PROTO" ] && AH_PROTO=hmac-sha1
- [ -z "$ESP_PROTO" ] && ESP_PROTO=3des-cbc
- [ -z "$AESP_PROTO" ] && AESP_PROTO=hmac-sha1
-
- [ -n "$KEY_AH_IN" ] && SPD_AH_IN=yes
- [ -n "$KEY_AH_OUT" ] && SPD_AH_OUT=yes
- [ -n "$KEY_ESP_IN" ] && SPD_ESP_IN=yes
- [ -n "$KEY_ESP_OUT" ] && SPD_ESP_OUT=yes
-else
- [ -z "$IKE_DHGROUP" ] && IKE_DHGROUP=2
- [ -z "$AH_PROTO" ] && AH_PROTO=sha1
- [ -z "$ESP_PROTO" ] && ESP_PROTO=3des
- [ -z "$IKE_AUTH" ] && IKE_AUTH=$AH_PROTO
- [ -z "$IKE_ENC" ] && IKE_ENC=$ESP_PROTO
- [ "$IKE_AUTH" = "none" ] && IKE_AUTH=sha1
- [ "$IKE_ENC" = "none" ] && IKE_ENC=3des
-
- SPD_AH_IN=yes
- SPD_AH_OUT=yes
- SPD_ESP_IN=yes
- SPD_ESP_OUT=yes
-fi
-
-if [ "$AH_PROTO" = "none" ]; then
- unset SPI_AH_IN SPI_AH_OUT KEY_AH_IN KEY_AH_OUT SPD_AH_IN SPD_AH_OUT
-fi
-if [ "$ESP_PROTO" = "none" ]; then
- unset SPI_ESP_IN SPI_ESP_OUT KEY_ESP_IN KEY_ESP_OUT SPD_ESP_IN SPD_ESP_OUT
-fi
-
-/sbin/setkey -c >/dev/null 2>&1 << EOF
-${SPI_AH_OUT:+delete $SRC $DST ah $SPI_AH_OUT;}
-${SPI_AH_IN:+delete $DST $SRC ah $SPI_AH_IN;}
-${SPI_ESP_OUT:+delete $SRC $DST esp $SPI_ESP_OUT;}
-${SPI_ESP_IN:+delete $DST $SRC esp $SPI_ESP_IN;}
-spddelete $SPD_SRC $SPD_DST any -P out;
-spddelete $SPD_DST $SPD_SRC any -P in;
-${EXCLUDE_SRCNET:+spddelete $SPD_SRC $SPD_SRC any -P out;}
-${EXCLUDE_SRCNET:+spddelete $SPD_SRC $SPD_SRC any -P in;}
-EOF
-
-# ESP
-if [ "$ESP_PROTO" != "none" ]; then
- /sbin/setkey -c >/dev/null 2>&1 << EOF
- ${KEY_ESP_IN:+add $DST $SRC esp $SPI_ESP_IN ${TUNNEL_MODE:+-m tunnel} \
- -E ${ESP_PROTO_IN:-$ESP_PROTO} $KEY_ESP_IN \
- ${KEY_AESP_IN:+-A ${AESP_PROTO_IN:-$AESP_PROTO} $KEY_AESP_IN}
- ;}
- ${KEY_ESP_OUT:+add $SRC $DST esp $SPI_ESP_OUT ${TUNNEL_MODE:+-m tunnel} \
- -E ${ESP_PROTO_OUT:-$ESP_PROTO} $KEY_ESP_OUT \
- ${KEY_AESP_OUT:+-A ${AESP_PROTO_OUT:-$AESP_PROTO} $KEY_AESP_OUT}
- ;}
-EOF
-fi
-
-# AH
-if [ "$AH_PROTO" != "none" ]; then
- /sbin/setkey -c >/dev/null 2>&1 << EOF
- ${KEY_AH_IN:+add $DST $SRC ah $SPI_AH_IN ${TUNNEL_MODE:+-m tunnel} -A ${AH_PROTO_IN:-$AH_PROTO} $KEY_AH_IN;}
- ${KEY_AH_OUT:+add $SRC $DST ah $SPI_AH_OUT ${TUNNEL_MODE:+-m tunnel} -A ${AH_PROTO_OUT:-$AH_PROTO} $KEY_AH_OUT;}
-EOF
-fi
-
-/sbin/setkey -c >/dev/null 2>&1 << EOF
-${EXCLUDE_SRCNET:+spdadd $SPD_SRC $SPD_SRC any -P out none;}
-${EXCLUDE_SRCNET:+spdadd $SPD_SRC $SPD_SRC any -P in none;}
-EOF
-
-# This looks weird but if you use both ESP and AH you need to configure them together, not seperately.
-if [ "$ESP_PROTO" != "none" ] && [ "$AH_PROTO" != "none" ]; then
-/sbin/setkey -c >/dev/null 2>&1 << EOF
-spdadd $SPD_SRC $SPD_DST any -P out ipsec
- ${SPD_ESP_OUT:+esp/$MODE/${TUNNEL_MODE:+$SRC-$DST}/require}
- ${SPD_AH_OUT:+ah/$MODE/${TUNNEL_MODE:+$SRC-$DST}/require}
- ;
-
-spdadd $SPD_DST $SPD_SRC any -P in ipsec
- ${SPD_ESP_IN:+esp/$MODE/${TUNNEL_MODE:+$DST-$SRC}/require}
- ${SPD_AH_IN:+ah/$MODE/${TUNNEL_MODE:+$DST-$SRC}/require}
- ;
-EOF
-elif [ "$AH_PROTO" = "none" ]; then
-/sbin/setkey -c >/dev/null 2>&1 << EOF
-spdadd $SPD_SRC $SPD_DST any -P out ipsec
- ${SPD_ESP_OUT:+esp/$MODE/${TUNNEL_MODE:+$SRC-$DST}/require}
- ;
-
-spdadd $SPD_DST $SPD_SRC any -P in ipsec
- ${SPD_ESP_IN:+esp/$MODE/${TUNNEL_MODE:+$DST-$SRC}/require}
- ;
-EOF
-elif [ "$ESP_PROTO" = "none" ]; then
-/sbin/setkey -c >/dev/null 2>&1 << EOF
-spdadd $SPD_SRC $SPD_DST any -P out ipsec
- ${SPD_AH_OUT:+ah/$MODE/${TUNNEL_MODE:+$SRC-$DST}/require}
- ;
-
-spdadd $SPD_DST $SPD_SRC any -P in ipsec
- ${SPD_AH_IN:+ah/$MODE/${TUNNEL_MODE:+$DST-$SRC}/require}
- ;
-EOF
-fi
-
-if [ "$KEYING" = "automatic" -a -n "$IKE_METHOD" ]; then
- if [ "$IKE_METHOD" = "PSK" ]; then
- MYID=address
- if [ -n "$MYID_TYPE" ]; then
- case "$MYID_TYPE" in
- *fqdn*)
- MYID="$MYID_TYPE \"$MYID_VALUE\""
- ;;
- esac
- fi
- tmpfile=$(mktemp /etc/racoon/psk.XXXXXX)
- grep -v "^$DST " /etc/racoon/psk.txt > $tmpfile
- echo "$DST $IKE_PSK" >> $tmpfile
- mv -f $tmpfile /etc/racoon/psk.txt
- fi
- if [ ! -f /etc/racoon/$DST.conf -o /etc/racoon/$DST.conf -ot $1 ] ; then
- cat > /etc/racoon/$DST.conf << EOF
-remote $DST
-{
- exchange_mode aggressive, main;
-EOF
- case "$IKE_METHOD" in
- PSK)
- cat >> /etc/racoon/$DST.conf << EOF
- my_identifier $MYID;
- proposal {
- encryption_algorithm $IKE_ENC;
- hash_algorithm $IKE_AUTH;
- authentication_method pre_shared_key;
- dh_group $IKE_DHGROUP;
- }
-}
-EOF
- ;;
- X509)
- cat >> /etc/racoon/$DST.conf << EOF
- my_identifier asn1dn;
- peers_identifier asn1dn;
- certificate_type x509 "$IKE_CERTFILE.public" "$IKE_CERTFILE.private";
-EOF
- if [ -n "$IKE_DNSSEC" ]; then
- echo " peers_certfile dnssec;" >> /etc/racoon/$DST.conf
- fi
- if [ -n "$IKE_PEER_CERTFILE" ]; then
- echo " peers_certfile x509 \"$IKE_PEER_CERTFILE.public\";" >> /etc/racoon/$DST.conf
- fi
- cat >> /etc/racoon/$DST.conf << EOF
- proposal {
- encryption_algorithm $IKE_ENC;
- hash_algorithm $IKE_AUTH;
- authentication_method rsasig;
- dh_group $IKE_DHGROUP;
- }
-}
-EOF
- ;;
- GSSAPI)
- cat >> /etc/racoon/$DST.conf << EOF
- my_identifier address;
- proposal {
- encryption_algorithm $IKE_ENC;
- hash_algorithm $IKE_AUTH;
- authentication_method gssapi_krb;
- dh_group $IKE_DHGROUP;
- }
-}
-EOF
- esac
- fi
- racoontmp=$(mktemp /etc/racoon/racoon.XXXXXX)
- grep -v "^include \"/etc/racoon/$DST.conf\";" /etc/racoon/racoon.conf >> $racoontmp
- echo "include \"/etc/racoon/$DST.conf\";" >> $racoontmp
- mv -f $racoontmp /etc/racoon/racoon.conf
-fi
-if [ "$KEYING" = "automatic" ]; then
- if ! pidof -x /usr/sbin/racoon > /dev/null 2>&1 ; then
- /usr/sbin/racoon
- elif [ -n "$IKE_METHOD" ]; then
- killall -HUP /usr/sbin/racoon
- fi
-fi