-rw-r--r-- | sysconfig.txt | 49 | ||||
-rwxr-xr-x | sysconfig/network-scripts/ifdown-ipsec | 86 | ||||
-rwxr-xr-x | sysconfig/network-scripts/ifup-ipsec | 279 |
3 files changed, 0 insertions, 414 deletions
diff --git a/sysconfig.txt b/sysconfig.txt
index 582fb4d9..81610a35 100644
--- a/sysconfig.txt
+++ b/sysconfig.txt
@@ -856,55 +856,6 @@ Files in /etc/sysconfig/network-scripts/ SPYIPS=<list of IP addresses to monitor for link quality> IWPRIV=<iwpriv(8) commands> - IPSEC specific items - SRC=source address. Not required. - DST=destination address - TYPE=IPSEC - SRCNET=source net (for tunneling) - DSTNET=destination network (for tunneling) - - Manual keying: - - AH_PROTO{,_IN,_OUT}=protocol to use for AH (defaults to hmac-sha1) - ESP_PROTO{,_IN,_OUT}=protocol to use for ESP (defaults to 3des-cbc) - AESP_PROTO{,_IN,_OUT}=protocol to use for ESP authentication (defaults to - hmac-sha1) - KEY_AH{,_IN,_OUT}=AH key - KEY_ESP{,_IN,_OUT}=ESP encryption key - KEY_AESP{,_IN,_OUT}=ESP authentication key (optional) - SPI_{ESP,AH}_{IN,OUT}=SPIs to use - - _IN and _OUT specifiers are for using different keys or protocols for - incoming and outgoing packets. If neither _IN or _OUT variants are set for - protocols or keys, the same will be used for both. Hexadecimal keys need to - be prefixed with "0x". - - Automatic keying: - - IKE_DHGROUP=<number> (defaults to 2) - IKE_METHOD=PSK|X509|GSSAPI - PSK=preshared keys (shared secret) - X509=X.509 certificates - GSSPI=GSSAPI authentication - IKE_AUTH=protocol to use for Phase 1 of SA (defaults to sha1) - IKE_ENC=protocol to use for Phase 1 of SA (defaults to 3des) - IKE_PSK=preshared key for this connection - IKE_CERTFILE=our certificate file name for X509 IKE - IKE_PEER_CERTFILE=peer public cert filename for X509 IKE - IKE_DNSSEC=retrieve peer public certs from DNS - (otherwise uses certificate information sent over IKE) - - To manage the racoon configuration manually (e.g. when there is more than - one IPSEC configuration with the same DST), set KEYING=automatic and leave - all IKE_* parameters unspecified. - - To override the identifier to use with a preshared key: - - MYID_TYPE=address|fqdn|user_fqdn - MYID_VALUE=fqdn or user_fqdn string for this connection - - Usage of AH or ESP may be disabled by setting {AH,ESP}_PROTO to "none". 
- Bonding-specific items SLAVE=yes
diff --git a/sysconfig/network-scripts/ifdown-ipsec b/sysconfig/network-scripts/ifdown-ipsec
deleted file mode 100755
index 3167fa63..00000000
--- a/sysconfig/network-scripts/ifdown-ipsec
+++ /dev/null
@@ -1,86 +0,0 @@ -#!/bin/bash -PATH=/sbin:/usr/sbin/:/bin:/usr/bin - -cd /etc/sysconfig/network-scripts -. ./network-functions - -CONFIG=$1 -[ -f "${CONFIG}" ] || CONFIG=ifcfg-${1} -source_config - -if [ -n "$KEY_AH" -o -n "$KEY_ESP" ]; then - KEYING=manual -fi - - -if [ -n "$IKE_PSK" ]; then - KEYING=automatic - IKE_METHOD=PSK -fi - -if [ -n "$IKE_CERTFILE" ]; then - KEYING=automatic - IKE_METHOD=X509 -fi - -if [ -n "$IKE_PEER_CERTFILE" ]; then - KEYING=automatic - IKE_METHOD=X509 -fi - -if [ -n "$IKE_DNSSEC" ]; then - KEYING=automatic - IKE_METHOD=X509 -fi -if [ -n "$RSA_KEY" ]; then - KEYING=automatic - IKE_METHOD=RSA -fi - -[ -n "$IKE_METHOD" ] && KEYING=automatic -[ -z "$KEYING" ] && KEYING=manual - -if [ -z "$SRC" ]; then - SRC=$(ip -o route get to $DST | sed "s|.*src \([^ ]*\).*|\1|") -fi - -if [ -n "$SRCNET" -o -n "$DSTNET" ]; then - MODE=tunnel - [ -z "$SRCNET" ] && SRCNET="$SRC/32" - [ -z "$DSTNET" ] && DSTNET="$DST/32" - SPD_SRC=$SRCNET - SPD_DST=$DSTNET - # If SRCNET is a subnet of DSTNET, exclude SRCNET<->SRCNET communication - if [ "${SRCNET##*/}" -gt "${DSTNET##*/}" ] \ - && [ "$(ipcalc -n "${SRCNET%%/*}/${DSTNET##*/}")" \ - = "NETWORK=${DSTNET%%/*}" ]; then - EXCLUDE_SRCNET=yes - fi - [ -z "$SRCGW" ] && SRCGW=$(ip -o route get to $SRCNET | sed "s|.*src \([^ ]*\).*|\1|") - ip route del to $DSTNET via $SRCGW src $SRCGW -else - MODE=transport - SPD_SRC=$SRC - SPD_DST=$DST - unset EXCLUDE_SRCNET -fi - -setkey -c << EOF -${SPI_AH_OUT:+delete $SRC $DST ah $SPI_AH_OUT;} -${SPI_AH_IN:+delete $DST $SRC ah $SPI_AH_IN;} -${SPI_ESP_OUT:+delete $SRC $DST esp $SPI_ESP_OUT;} -${SPI_ESP_IN:+delete $DST $SRC esp $SPI_ESP_IN;} -spddelete $SPD_SRC $SPD_DST any -P out; -spddelete $SPD_DST $SPD_SRC any -P in; -${EXCLUDE_SRCNET:+spddelete $SPD_SRC $SPD_SRC any -P out;} -${EXCLUDE_SRCNET:+spddelete $SPD_SRC $SPD_SRC any -P in;} -EOF - -if [ "$KEYING" = "automatic" -a -n "$IKE_METHOD" ]; then - racoontmp=$(mktemp /etc/racoon/racoon.XXXXXX) - grep -v "^include 
\"/etc/racoon/$DST.conf\";" /etc/racoon/racoon.conf >> $racoontmp - mv -f $racoontmp /etc/racoon/racoon.conf - pidof -x /usr/sbin/racoon > /dev/null 2>&1 && killall -HUP /usr/sbin/racoon -fi - -/etc/sysconfig/network-scripts/ifdown-post $CONFIG
diff --git a/sysconfig/network-scripts/ifup-ipsec b/sysconfig/network-scripts/ifup-ipsec
deleted file mode 100755
index 4411451c..00000000
--- a/sysconfig/network-scripts/ifup-ipsec
+++ /dev/null
@@ -1,279 +0,0 @@ -#!/bin/sh -# -# ifup-ipsec -# -# Brings up ipsec interfaces - -handle_keys() { - [ -z "$KEY_AH_IN" -a -n "$KEY_AH" ] && KEY_AH_IN=$KEY_AH - [ -z "$KEY_AH_OUT" -a -n "$KEY_AH" ] && KEY_AH_OUT=$KEY_AH - [ -z "$KEY_ESP_IN" -a -n "$KEY_ESP" ] && KEY_ESP_IN=$KEY_ESP - [ -z "$KEY_ESP_OUT" -a -n "$KEY_ESP" ] && KEY_ESP_OUT=$KEY_ESP - [ -z "$KEY_AESP_IN" -a -n "$KEY_AESP" ] && KEY_AESP_IN=$KEY_AESP - [ -z "$KEY_AESP_OUT" -a -n "$KEY_AESP" ] && KEY_AESP_OUT=$KEY_AESP - - [ -n "$KEY_AH_IN" -a "$KEY_AH_IN" = "${KEY_AH_IN##0x}" ] \ - && KEY_AH_IN=\"$KEY_AH_IN\" - [ -n "$KEY_AH_OUT" -a "$KEY_AH_OUT" = "${KEY_AH_OUT##0x}" ] \ - && KEY_AH_OUT=\"$KEY_AH_OUT\" - [ -n "$KEY_ESP_IN" -a "$KEY_ESP_IN" = "${KEY_ESP_IN##0x}" ] \ - && KEY_ESP_IN=\"$KEY_ESP_IN\" - [ -n "$KEY_ESP_OUT" -a "$KEY_ESP_OUT" = "${KEY_ESP_OUT##0x}" ] \ - && KEY_ESP_OUT=\"$KEY_ESP_OUT\" - [ -n "$KEY_AESP_IN" -a "$KEY_AESP_IN" = "${KEY_AESP_IN##0x}" ] \ - && KEY_AESP_IN=\"$KEY_AESP_IN\" - [ -n "$KEY_AESP_OUT" -a "$KEY_AESP_OUT" = "${KEY_AESP_OUT##0x}" ] \ - && KEY_AESP_OUT=\"$KEY_AESP_OUT\" -} - -. /etc/init.d/functions -cd /etc/sysconfig/network-scripts -. 
./network-functions - -CONFIG=$1 -[ -f "${CONFIG}" ] || CONFIG=ifcfg-${1} -source_config - -handle_keys - -if [ -n "$KEY_AH" -o -n "$KEY_ESP" ]; then - KEYING=manual -fi - - -if [ -n "$IKE_PSK" ]; then - KEYING=automatic - IKE_METHOD=PSK -fi - -if [ -n "$IKE_CERTFILE" ]; then - KEYING=automatic - IKE_METHOD=X509 -fi - -if [ -n "$IKE_PEER_CERTFILE" ]; then - KEYING=automatic - IKE_METHOD=X509 -fi - -if [ -n "$IKE_DNSSEC" ]; then - KEYING=automatic - IKE_METHOD=X509 -fi - -[ -n "$IKE_METHOD" ] && KEYING=automatic -[ -z "$KEYING" ] && KEYING=manual - -if [ -z "$SRC" ]; then - SRC=$(ip -o route get to $DST | sed "s|.*src \([^ ]*\).*|\1|") -fi - -if [ -n "$SRCNET" -o -n "$DSTNET" ]; then - TUNNEL_MODE=yes - MODE=tunnel - [ -z "$SRCNET" ] && SRCNET="$SRC/32" - [ -z "$DSTNET" ] && DSTNET="$DST/32" - SPD_SRC=$SRCNET - SPD_DST=$DSTNET - # If SRCNET is a subnet of DSTNET, exclude SRCNET<->SRCNET communication - if [ "${SRCNET##*/}" -gt "${DSTNET##*/}" ] \ - && [ "$(ipcalc -n "${SRCNET%%/*}/${DSTNET##*/}")" \ - = "NETWORK=${DSTNET%%/*}" ]; then - EXCLUDE_SRCNET=yes - fi - [ -z "$SRCGW" ] && SRCGW=$(ip -o route get to $SRCNET | sed "s|.*src \([^ ]*\).*|\1|") - ip route add to $DSTNET via $SRCGW src $SRCGW -else - unset TUNNEL_MODE - MODE=transport - SPD_SRC=$SRC - SPD_DST=$DST - unset EXCLUDE_SRCNET -fi - -unset SPD_AH_IN SPD_AH_OUT SPD_ESP_IN SPD_ESP_OUT -if [ "$KEYING" = "manual" ]; then - [ -z "$AH_PROTO" ] && AH_PROTO=hmac-sha1 - [ -z "$ESP_PROTO" ] && ESP_PROTO=3des-cbc - [ -z "$AESP_PROTO" ] && AESP_PROTO=hmac-sha1 - - [ -n "$KEY_AH_IN" ] && SPD_AH_IN=yes - [ -n "$KEY_AH_OUT" ] && SPD_AH_OUT=yes - [ -n "$KEY_ESP_IN" ] && SPD_ESP_IN=yes - [ -n "$KEY_ESP_OUT" ] && SPD_ESP_OUT=yes -else - [ -z "$IKE_DHGROUP" ] && IKE_DHGROUP=2 - [ -z "$AH_PROTO" ] && AH_PROTO=sha1 - [ -z "$ESP_PROTO" ] && ESP_PROTO=3des - [ -z "$IKE_AUTH" ] && IKE_AUTH=$AH_PROTO - [ -z "$IKE_ENC" ] && IKE_ENC=$ESP_PROTO - [ "$IKE_AUTH" = "none" ] && IKE_AUTH=sha1 - [ "$IKE_ENC" = "none" ] && IKE_ENC=3des - 
- SPD_AH_IN=yes - SPD_AH_OUT=yes - SPD_ESP_IN=yes - SPD_ESP_OUT=yes -fi - -if [ "$AH_PROTO" = "none" ]; then - unset SPI_AH_IN SPI_AH_OUT KEY_AH_IN KEY_AH_OUT SPD_AH_IN SPD_AH_OUT -fi -if [ "$ESP_PROTO" = "none" ]; then - unset SPI_ESP_IN SPI_ESP_OUT KEY_ESP_IN KEY_ESP_OUT SPD_ESP_IN SPD_ESP_OUT -fi - -/sbin/setkey -c >/dev/null 2>&1 << EOF -${SPI_AH_OUT:+delete $SRC $DST ah $SPI_AH_OUT;} -${SPI_AH_IN:+delete $DST $SRC ah $SPI_AH_IN;} -${SPI_ESP_OUT:+delete $SRC $DST esp $SPI_ESP_OUT;} -${SPI_ESP_IN:+delete $DST $SRC esp $SPI_ESP_IN;} -spddelete $SPD_SRC $SPD_DST any -P out; -spddelete $SPD_DST $SPD_SRC any -P in; -${EXCLUDE_SRCNET:+spddelete $SPD_SRC $SPD_SRC any -P out;} -${EXCLUDE_SRCNET:+spddelete $SPD_SRC $SPD_SRC any -P in;} -EOF - -# ESP -if [ "$ESP_PROTO" != "none" ]; then - /sbin/setkey -c >/dev/null 2>&1 << EOF - ${KEY_ESP_IN:+add $DST $SRC esp $SPI_ESP_IN ${TUNNEL_MODE:+-m tunnel} \ - -E ${ESP_PROTO_IN:-$ESP_PROTO} $KEY_ESP_IN \ - ${KEY_AESP_IN:+-A ${AESP_PROTO_IN:-$AESP_PROTO} $KEY_AESP_IN} - ;} - ${KEY_ESP_OUT:+add $SRC $DST esp $SPI_ESP_OUT ${TUNNEL_MODE:+-m tunnel} \ - -E ${ESP_PROTO_OUT:-$ESP_PROTO} $KEY_ESP_OUT \ - ${KEY_AESP_OUT:+-A ${AESP_PROTO_OUT:-$AESP_PROTO} $KEY_AESP_OUT} - ;} -EOF -fi - -# AH -if [ "$AH_PROTO" != "none" ]; then - /sbin/setkey -c >/dev/null 2>&1 << EOF - ${KEY_AH_IN:+add $DST $SRC ah $SPI_AH_IN ${TUNNEL_MODE:+-m tunnel} -A ${AH_PROTO_IN:-$AH_PROTO} $KEY_AH_IN;} - ${KEY_AH_OUT:+add $SRC $DST ah $SPI_AH_OUT ${TUNNEL_MODE:+-m tunnel} -A ${AH_PROTO_OUT:-$AH_PROTO} $KEY_AH_OUT;} -EOF -fi - -/sbin/setkey -c >/dev/null 2>&1 << EOF -${EXCLUDE_SRCNET:+spdadd $SPD_SRC $SPD_SRC any -P out none;} -${EXCLUDE_SRCNET:+spdadd $SPD_SRC $SPD_SRC any -P in none;} -EOF - -# This looks weird but if you use both ESP and AH you need to configure them together, not seperately. 
-if [ "$ESP_PROTO" != "none" ] && [ "$AH_PROTO" != "none" ]; then -/sbin/setkey -c >/dev/null 2>&1 << EOF -spdadd $SPD_SRC $SPD_DST any -P out ipsec - ${SPD_ESP_OUT:+esp/$MODE/${TUNNEL_MODE:+$SRC-$DST}/require} - ${SPD_AH_OUT:+ah/$MODE/${TUNNEL_MODE:+$SRC-$DST}/require} - ; - -spdadd $SPD_DST $SPD_SRC any -P in ipsec - ${SPD_ESP_IN:+esp/$MODE/${TUNNEL_MODE:+$DST-$SRC}/require} - ${SPD_AH_IN:+ah/$MODE/${TUNNEL_MODE:+$DST-$SRC}/require} - ; -EOF -elif [ "$AH_PROTO" = "none" ]; then -/sbin/setkey -c >/dev/null 2>&1 << EOF -spdadd $SPD_SRC $SPD_DST any -P out ipsec - ${SPD_ESP_OUT:+esp/$MODE/${TUNNEL_MODE:+$SRC-$DST}/require} - ; - -spdadd $SPD_DST $SPD_SRC any -P in ipsec - ${SPD_ESP_IN:+esp/$MODE/${TUNNEL_MODE:+$DST-$SRC}/require} - ; -EOF -elif [ "$ESP_PROTO" = "none" ]; then -/sbin/setkey -c >/dev/null 2>&1 << EOF -spdadd $SPD_SRC $SPD_DST any -P out ipsec - ${SPD_AH_OUT:+ah/$MODE/${TUNNEL_MODE:+$SRC-$DST}/require} - ; - -spdadd $SPD_DST $SPD_SRC any -P in ipsec - ${SPD_AH_IN:+ah/$MODE/${TUNNEL_MODE:+$DST-$SRC}/require} - ; -EOF -fi - -if [ "$KEYING" = "automatic" -a -n "$IKE_METHOD" ]; then - if [ "$IKE_METHOD" = "PSK" ]; then - MYID=address - if [ -n "$MYID_TYPE" ]; then - case "$MYID_TYPE" in - *fqdn*) - MYID="$MYID_TYPE \"$MYID_VALUE\"" - ;; - esac - fi - tmpfile=$(mktemp /etc/racoon/psk.XXXXXX) - grep -v "^$DST " /etc/racoon/psk.txt > $tmpfile - echo "$DST $IKE_PSK" >> $tmpfile - mv -f $tmpfile /etc/racoon/psk.txt - fi - if [ ! 
-f /etc/racoon/$DST.conf -o /etc/racoon/$DST.conf -ot $1 ] ; then - cat > /etc/racoon/$DST.conf << EOF -remote $DST -{ - exchange_mode aggressive, main; -EOF - case "$IKE_METHOD" in - PSK) - cat >> /etc/racoon/$DST.conf << EOF - my_identifier $MYID; - proposal { - encryption_algorithm $IKE_ENC; - hash_algorithm $IKE_AUTH; - authentication_method pre_shared_key; - dh_group $IKE_DHGROUP; - } -} -EOF - ;; - X509) - cat >> /etc/racoon/$DST.conf << EOF - my_identifier asn1dn; - peers_identifier asn1dn; - certificate_type x509 "$IKE_CERTFILE.public" "$IKE_CERTFILE.private"; -EOF - if [ -n "$IKE_DNSSEC" ]; then - echo " peers_certfile dnssec;" >> /etc/racoon/$DST.conf - fi - if [ -n "$IKE_PEER_CERTFILE" ]; then - echo " peers_certfile x509 \"$IKE_PEER_CERTFILE.public\";" >> /etc/racoon/$DST.conf - fi - cat >> /etc/racoon/$DST.conf << EOF - proposal { - encryption_algorithm $IKE_ENC; - hash_algorithm $IKE_AUTH; - authentication_method rsasig; - dh_group $IKE_DHGROUP; - } -} -EOF - ;; - GSSAPI) - cat >> /etc/racoon/$DST.conf << EOF - my_identifier address; - proposal { - encryption_algorithm $IKE_ENC; - hash_algorithm $IKE_AUTH; - authentication_method gssapi_krb; - dh_group $IKE_DHGROUP; - } -} -EOF - esac - fi - racoontmp=$(mktemp /etc/racoon/racoon.XXXXXX) - grep -v "^include \"/etc/racoon/$DST.conf\";" /etc/racoon/racoon.conf >> $racoontmp - echo "include \"/etc/racoon/$DST.conf\";" >> $racoontmp - mv -f $racoontmp /etc/racoon/racoon.conf -fi -if [ "$KEYING" = "automatic" ]; then - if ! pidof -x /usr/sbin/racoon > /dev/null 2>&1 ; then - /usr/sbin/racoon - elif [ -n "$IKE_METHOD" ]; then - killall -HUP /usr/sbin/racoon - fi -fi |