From 96916cdd2cf4031dff4be16cc22d8e034d7735ec Mon Sep 17 00:00:00 2001
From: Bill Nottingham
Date: Tue, 1 Jul 2003 06:46:19 +0000
Subject: initial stuff. may not work. may not even parse.
---
 sysconfig/network-scripts/ifup-ipsec | 112 +++++++++++++++++++++++++++++++++++
 1 file changed, 112 insertions(+)
 create mode 100755 sysconfig/network-scripts/ifup-ipsec
diff --git a/sysconfig/network-scripts/ifup-ipsec b/sysconfig/network-scripts/ifup-ipsec
new file mode 100755
index 00000000..0d882e74
--- /dev/null
+++ b/sysconfig/network-scripts/ifup-ipsec
@@ -0,0 +1,112 @@
+#!/bin/sh
+#
+# ifup-ipsec
+#
+# Brings up ipsec interfaces
+#
+# Configuration parameters
+#
+# Manual keying:
+#
+# SRC = source address. Not required.
+# DST = destination address
+# SRCNET = source net (for tunneling)
+# DSTNET = destination network (for tunneling)
+# AH_PROTO = protocol to use for AH (defaults to HMAC-MD5)
+# ESP_PROTO = protocol to use for ESP (defaults to 3DES)
+# KEY_AH = AH key
+# KEY_ESP = ESP key
+# SPI[1..4] = SPIs to use
+#
+#
+
+if [ -n "$KEY_AH" -o -n "$KEY_ESP" ]; then
+ KEYING=manual
+fi
+
+if [ -n "$IKE_PSK" ]; then
+ KEYING=automatic
+ IKE_METHOD=PSK
+fi
+
+if [ -n "$CERT_NAME" ]; then
+ KEYING=automatic
+ IKE_METHOD=X509
+fi
+
+if [ -n "$RSA_KEY" ]; then
+ KEYING=automatic
+ IKE_METHOD=RSA
+fi
+
+if [ -n "$SRCNET" -o -n "$DSTNET" ]; then
+ MODE=tunnel
+else
+ MODE=host
+fi
+
+if [ "$KEYING" = "manual" ]; then
+ # Get source address
+ if [ -n "$SRC" ]; then
+ SRC=`ip -o route get to $DST | sed "s|.*src \([^ ]*\).*|\1|"`
+ fi
+
+ [ -z "$AH_PROTO" ] && AH_PROTO=hmac-md5
+ [ -z "$ESP_PROTO" ] && ESP_PROTO=3des-cbc
+
+ if [ "$MODE" = "host" ]; then
+
+ /sbin/setkey -c << EOF
+deleteall $SRC $DST ah;
+deleteall $DST $SRC ah;
+deleteall $SRC $DST esp;
+deleteall $DST $SRC esp;
+spddelete $SRC $DST any -P out;
+spddelete $DST $SRC any -P in;
+
+# ESP
+add $DST $SRC esp $SPI3 -E $ESP_PROTO $KEY_ESP;
+add $SRC $DST esp $SPI4 -E $ESP_PROTO $KEY_ESP;
+
+# AH
+add $DST $SRC ah $SPI1 -A $AH_PROTO $KEY_AH;
+add $SRC $DST ah $SPI2 -A $AH_PROTO $KEY_AH;
+
+spdadd $SRC $DST any -P out ipsec
+ esp/transport//require
+ ah/transport//require;
+
+spdadd $DST $SRC any -P in ipsec
+ esp/transport//require
+ ah/transport//require;
+EOF
+ else
+ [ -n "$SRCNET" ] && SRCNET="$SRC/32"
+ [ -n "$DSTNET" ] && DSTNET="$DST/32"
+
+ /sbin/setkey -c << EOF
+deleteall $SRC $DST ah;
+deleteall $DST $SRC ah;
+deleteall $SRC $DST esp;
+deleteall $DST $SRC esp;
+spddelete $SRCNET $DSTNET any -P out;
+spddelete $DSTNET $SRCNET any -P in;
+
+# ESP
+add 
$DST $SRC esp $SPI3 -m tunnel -E $ESP_PROTO $KEY_ESP;
+add $SRC $DST esp $SPI4 -m tunnel -E $ESP_PROTO $KEY_ESP;
+
+# AH
+add $DST $SRC ah $SPI1 -m tunnel -A $AH_PROTO $KEY_AH;
+add $SRC $DST ah $SPI2 -m tunnel -A $AH_PROTO $KEY_AH;
+
+spdadd $SRCNET $DSTNET any -P out ipsec
+ esp/tunnel/$SRC-$DEST/require
+ ah/tunnel/$SRC-$DEST/require;
+
+spdadd $DSTNET $SRCNET any -P in ipsec
+ esp/tunnel/$DEST-$SRC/require
+ ah/tunnel/$DEST-$SRC/require;
+EOF
+ fi
+fi
-- cgit v1.2.1
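Review bot: The test guarding the route lookup in the manual-keying branch is inverted: `if [ -n "$SRC" ]` only runs the `ip route get` when the user already supplied SRC and then overwrites it, while an unset SRC (documented in the header as "Not required") stays empty and every `deleteall`/`add`/`spdadd` line fed to setkey is missing an address; it should read `if [ -z "$SRC" ]; then`. The same inversion appears in the tunnel branch, where `[ -n "$SRCNET" ] && SRCNET="$SRC/32"` and `[ -n "$DSTNET" ] && DSTNET="$DST/32"` replace the configured networks with /32 hosts exactly when they were set (MODE=tunnel is only chosen when one of them is non-empty), so both should test `-z` as well. The tunnel `spdadd` lines reference `$DEST`, which is never assigned anywhere in the file (the rest of the script uses `$DST`), so under plain `sh` the endpoint expands to an empty string and `esp/tunnel/$SRC-$DEST/require` becomes `esp/tunnel/<src>-/require`; use `$DST` there. Quoting the argument in `ip -o route get to "$DST"` would also keep a malformed DST value from being split into extra arguments.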