#!/usr/bin/perl # # author Florin Grad (florin@mandrakesoft.com) # # Copyright 2006 Mandriva # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2, as # published by the Free Software Foundation. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. # # i18n: IMPORTANT: to get correct namespace (drakx-net instead of libDrakX) BEGIN { unshift @::textdomains, 'drakx-net' } use lib qw(/usr/lib/libDrakX); use standalone; #- warning, standalone must be loaded very first, for 'explanations' use common; use detect_devices; use interactive; use network::network; use log; use c; use network::netconnect; use network::shorewall; use network::ipsec; use Data::Dumper; $::isInstall and die "Not supported during install.\n"; require_root_capability(); local $_ = join '', @ARGV; $::Wizard_pix_up = "drakvpn"; $ugtk3::wm_icon = "drakvpn"; my $direct = /-direct/; my $tunnels_file = "/etc/shorewall/tunnels"; my $ipsec_conf = ""; my $racoon_conf = "/etc/racoon/racoon.conf"; my $ipsec_package = ""; my $in = interactive->vnew; my $shorewall = network::shorewall::read($in); my @section_names; $ipsec_conf = "/etc/ipsec.conf"; my $ipsec = network::ipsec::read_ipsec_conf($ipsec_conf); my $racoon = network::ipsec::read_racoon_conf($racoon_conf); #print network::ipsec::display_ipsec_conf($ipsec_conf,$ipsec); $::Wizard_title = N("DrakVPN"); $in->isa('interactive::gtk') and $::isWizard = 1; my $wait_configuring; sub fatal_quit ($) { log::l("[drakvpn] FATAL: $_[0]"); undef $wait_configuring; $in->ask_warn('', $_[0]); quit_global($in, -1); } begin: #- ********************************** #- * 0th step: verify if we are already set up if ($shorewall && any { !/^\s*(?:#|\n)/ } cat_($tunnels_file)) { $::Wizard_no_previous = 1; if (!$shorewall->{disabled}) { my $r = $in->ask_from_list_(N("The VPN connection is enabled."), N("The setup of a VPN connection has already been done. It's currently enabled. What would you like to do?"), [ N_("disable"), N_("reconfigure"), N_("dismiss") ]) or quit_global($in, 0); # FIXME: reconfigure is not handled if ($r eq "disable") { if (!$::testing) { my $_wait_disabl = $in->wait_message(N("Please wait"), N("Disabling VPN...")); network::ipsec::stop_daemons(); } foreach ($ipsec_conf, $tunnels_file) { if (-f $_) { rename($_, "$_.drakvpndisable") or die "Could not rename $_ to $_.drakvpndisable" } } network::ipsec::sys("/etc/init.d/shorewall restart >/dev/null"); log::l("[drakvpn] Disabled"); $::Wizard_finished = 1; $in->ask_okcancel('', N("The VPN connection is now disabled.")); quit_global($in, 0); } if ($r eq "dismiss") { quit_global($in, 0); } } else { my $r = $in->ask_from_list_(N("VPN connection currently disabled"), N("The setup of a VPN connection has already been done. It's currently disabled. What would you like to do?"), [ N_("enable"), N_("reconfigure"), N_("dismiss") ]); # FIXME: reconfigure is not handled if ($r eq "enable") { foreach ($ipsec_conf, $tunnels_file) { rename($_, "$_.old") if -f $_; rename("$_.drakvpndisable", $_) or die "Could not find configuration. Please reconfigure."; } { my $_wait_enabl = $in->wait_message(N("Please wait"), N("Enabling VPN...")); network::ipsec::start_daemons(); } log::l("[drakvpn] Enabled"); } $::Wizard_finished = 1; $in->ask_okcancel('', N("The VPN connection is now enabled.")); quit_global($in, 0); if ($r eq "dismiss") { quit_global($in, 0); } } } #- ********************************** #- * 1st step: detect/setup step_ask_confirm: $::Wizard_no_previous = 1; $direct or $in->ask_okcancel(N("Simple VPN setup."), N("You are about to configure your computer to use a VPN connection. With this feature, computers on your local private network and computers on some other remote private networks, can share resources, through their respective firewalls, over the Internet, in a secure manner. The communication over the Internet is encrypted. The local and remote computers look as if they were on the same network. Make sure you have configured your Network/Internet access using drakconnect before going any further."), 1) or goto begin; undef $::Wizard_no_previous; $ipsec_package = "ipsec-tools"; $direct or $in->ask_okcancel(N("Simple VPN setup."), N("VPN connection. This program is based on the following projects: - FreeSwan: \t\t\thttp://www.freeswan.org/ - Super-FreeSwan: \t\thttp://www.freeswan.ca/ - ipsec-tools: \t\t\thttp://ipsec-tools.sourceforge.net/ - ipsec-howto: \t\thttp://www.ipsec-howto.org - the docs and man pages coming with the %s package Please read AT LEAST the ipsec-howto docs before going any further.",$ipsec_package)) or goto begin; step_detectsetup: #my @configured_devices = map { /ifcfg-(\S+)/ } glob('/etc/sysconfig/network-scripts/ifcfg*'); my %aliased_devices; /^\s*alias\s+(eth[0-9])\s+(\S+)/ and $aliased_devices{$1} = $2 foreach cat_("/etc/modules.conf"); #- ********************************** #- * 2nd step: configure #$wait_configuring = $in->wait_message(N("Configuring..."), # N("Configuring scripts, installing software, starting servers...")); #- install and setup the RPM packages, if needed my %rpm2file; log::l("[drakvpn] install the $ipsec_package and the shorewall rpm packages"); %rpm2file = ($ipsec_package => '/sbin/setkey', shorewall => '/sbin/shorewall'); #- first: try to install all in one step, if needed if (!-e "/sbin/setkey") { my @needed_to_install = grep { !-e $rpm2file{$_} } keys %rpm2file; @needed_to_install and $in->do_pkgs->install(@needed_to_install) if !$::testing; #- second: try one by one if failure detected if (!$::testing && any { !-e $rpm2file{$_} } keys %rpm2file) { foreach (keys %rpm2file) { -e $rpm2file{$_} or $in->do_pkgs->install($_); -PHPBB3-10946
Diffstat (limited to 'phpBB/includes/diff/diff.php')
0 files changed, 0 insertions, 0 deletions
generated by cgit v1.2.1 (git 2.21.0) at 2025-11-24 01:07:12 +0000
ges ], format => sub { $messages{$_[0]} } } ]) or goto step_detectsetup; #------------------------------------------------------------------- #---------------------- configure ipsec_conf ----------------------- #------------------------------------------------------------------- if ($c eq "ipsec" || $c eq "configure") { step_configure_ipsec_conf: @section_names = network::ipsec::get_section_names_ipsec_conf($ipsec) if $ipsec; my $choice = $section_names[0]; my $d = $in->ask_from_list_(N("%s entries", $ipsec_conf), N("The %s file contents is divided into sections.\n You can now:\n - display, add, edit, or remove sections, then - commit the changes What would you like to do?\n", $ipsec_conf), [ N_("_:display here is a verb\nDisplay"), N_("Add"), N_("Edit"), N_("Remove"), N_("Commit") ]) or goto step_configuration; #my $existing_section = ""; #- display $ipsec_conf ------------------------- step_display_ipsec_conf: if ($d eq "display $ipsec_conf" || $d eq "_:display here is a verb\nDisplay") { my $ipsec_exists = 0; foreach my $key (keys %$ipsec) { $ipsec_exists = 1 if $ipsec->{$key}; } if ($ipsec_exists) { $in->ask_okcancel(N("_:display here is a verb\nDisplay configuration"), network::ipsec::display_ipsec_conf($ipsec)); goto step_configure_ipsec_conf; } else { $in->ask_okcancel(N("_:display here is a verb\nDisplay configuration"), N("The %s file does not exist.\n This must be a new configuration.\n You'll have to go back and choose 'add'.\n", $ipsec_conf)); goto step_configure_ipsec_conf; } #- add --------------------- } elsif ($d eq "Add") { step_add_section: #- add ---- kernel 2.6 part ------------------------------- my $section = { command => 'spdadd', src_range => 'src_network_address', dst_range => 'dest_network_address', upperspec => 'any', flag => '-P', direction => 'in or out', ipsec => 'ipsec', protocol => 'esp', mode => 'tunnel', src_dest => 'source-destination', level => 'require' }; step_add_section_ipsec_conf_k26: ask_info3('', N("Add a Security Policy.\n You can now add a Security Policy.\n Choose continue when you are done to write the data.\n"), $section) or goto step_configure_ipsec_conf; # $existing_section = network::ipsec::already_existing_section_ipsec_conf($section->{src_dest}, $ipsec); # # if ($existing_section eq "already existing") { #$in->ask_okcancel(N("Exists!"), #N("A section with this name already exists. #The section names have to be unique.\n #You'll have to go back and add another section #or change the name of the section.\n")); # goto step_add_section_ipsec_conf_k26; #}; if (!$ipsec->{1}) { put_in_hash($ipsec, { max(keys %$ipsec) + 1 => "#!/sbin/setkey -f" }); put_in_hash($ipsec, { max(keys %$ipsec) + 1 => "flush;" }); put_in_hash($ipsec, { max(keys %$ipsec) + 1 => "spdflush;" }); } network::ipsec::add_section_ipsec_conf($section, $ipsec); @section_names = network::ipsec::get_section_names_ipsec_conf($ipsec); goto step_configure_ipsec_conf; #- edit --------------------- } elsif ($d eq "Edit") { step_edit_ipsec_conf: $in->ask_from(N("Edit section"), N("Your %s file has several sections or connections.\n You can choose here below the one you want to edit and then click on next.\n", $ipsec_conf), [ { val => \$choice, list => \@section_names, label => N("Section names"), sort => 0, not_edit => 0 } ]) or goto step_configure_ipsec_conf; my $number = network::ipsec::matched_section_key_number_ipsec_conf($choice,$ipsec); ask_info3('', N("Edit a Security Policy.\n You can now edit a Security Policy.\n Choose continue when you are done to write the data.\n"), $ipsec->{$number}) or goto step_configure_ipsec_conf; goto step_configure_ipsec_conf; #- remove --------------------- } elsif ($d eq "Remove") { $in->ask_from(N("Remove section"), N("Your %s file has several sections or connections.\n You can choose here below the one you want to remove and then click on next.\n", $ipsec_conf), [ { val => \$choice, list => \@section_names, label => N("Section names"), sort => 0, not_edit => 0 } ]); network::ipsec::remove_section_ipsec_conf($choice,$ipsec); @section_names = network::ipsec::get_section_names_ipsec_conf($ipsec) if $ipsec; goto step_configure_ipsec_conf; #- continue and write --------------------- } elsif ($d eq "Commit") { log::l("[drakvpn] Modify the $ipsec_conf file"); network::ipsec::write_ipsec_conf($ipsec_conf, $ipsec); } #------------------------------------------------------------------- #---------------------- configure racoon_conf ----------------------- #------------------------------------------------------------------- } elsif ($c eq "racoon") { step_configure_racoon_conf: @section_names = network::ipsec::get_section_names_racoon_conf($racoon) if $racoon; my $choice = $section_names[0]; my $d = $in->ask_from_list_(N("%s entries", $racoon_conf), N("The racoon.conf file configuration.\n The contents of this file is divided into sections. You can now: - display \t\t (display the file contents) - add \t\t (add one section) - edit \t\t\t (modify parameters of an existing section) - remove \t\t (remove an existing section) - commit \t\t (writes the changes to the real file)"), [ N_("_:display here is a verb\nDisplay"), N_("Add"), N_("Edit"), N_("Remove"), N_("Commit") ]) or goto step_configuration; #- display $racoon_conf ------------------------- step_display_racoon_conf: if ($d eq "_:display here is a verb\nDisplay") { my $racoon_exists = 0; foreach my $key (keys %$racoon) { $racoon_exists = 1 if $racoon->{$key}; } if ($racoon_exists) { $in->ask_okcancel(N("_:display here is a verb\nDisplay configuration"), network::ipsec::display_racoon_conf($racoon)); goto step_configure_racoon_conf; } else { $in->ask_okcancel(N("_:display here is a verb\nDisplay configuration"), N("The %s file does not exist\n This must be a new configuration.\n You'll have to go back and choose configure.\n", $racoon_conf)); goto step_configure_racoon_conf; } #- add $racoon_conf ------------------------------ } elsif ($d eq "Add") { step_add_section_racoon: #my $existing_section = ""; my $e = $in->ask_from_list_(N("racoon.conf entries"), N("The 'add' sections step.\n Here below is the racoon.conf file skeleton: \t'path' \t'remote' \t'sainfo' \n Choose the section you would like to add.\n"), [ N_("path"), N_("remote"), N_("sainfo"), N_("dismiss") ]) or goto step_configure_racoon_conf; if ($e eq "path") { my $path_section = { 1 => [ 'path', 'path_type', '"/etc/racoon/certs"' ], }; $in->ask_from('', N("The 'add path' section step.\n The path sections have to be on top of your racoon.conf file.\n Put your mouse over the certificate entry to obtain online help."), [ { label => N("path type"), val => \$path_section->{1}[1], list => [ 'certificate', 'pre_shared_key', 'include' ], help => N("path include path: specifies a path to include a file. See File Inclusion. Example: path include '/etc/racoon' path pre_shared_key file: specifies a file containing pre-shared key(s) for various ID(s). See Pre-shared key File. Example: path pre_shared_key '/etc/racoon/psk.txt' ; path certificate path: racoon(8) will search this directory if a certificate or certificate request is received. Example: path certificate '/etc/cert' ; File Inclusion: include file other configuration files can be included. Example: include \"remote.conf\" ; Pre-shared key File: Pre-shared key file defines a pair of the identifier and the shared secret key which are used at Pre-shared key authentication method in phase 1."), }, { label => N("real file"), val => \$path_section->{1}[2], type => 'entry' }, ] ) or goto step_configure_racoon_conf; network::ipsec::add_section_racoon_conf($path_section, $racoon); } elsif ($e eq "remote") { my $main_remote_section = { 1 => [ 'remote', 'address' ], 2 => [ 'exchange_mode', 'aggressive,main' ], 3 => [ 'generate_policy', 'on' ], 4 => [ 'passive', 'on' ], 5 => [ 'certificate_type', 'x509', '"my_certificate.pem"', '"my_private_key.pem"' ], 6 => [ 'peers_certfile', '"remote.public"' ], 7 => [ 'verify_cert', 'on' ], 8 => [ 'my_identifier', 'asn1dn' ], 9 => [ 'peers_identifier', 'asn1dn' ] }; my $proposal_remote_section = { 1 => [ 'proposal' ], 2 => [ 'encryption_algorithm', '3des' ], 3 => [ 'hash_algorithm', 'md5' ], 4 => [ 'authentication_method', 'rsasig' ], 5 => [ 'dh_group', 'modp1024' ] }; ask_info2('', N("Make sure you already have the path sections on the top of your racoon.conf file. You can now choose the remote settings. Choose continue or previous when you are done.\n"), $main_remote_section, $proposal_remote_section) or goto step_configure_racoon_conf; network::ipsec::add_section_racoon_conf($main_remote_section, $racoon); network::ipsec::add_section_racoon_conf($proposal_remote_section, $racoon); } elsif ($e eq "sainfo") { my $sainfo_section = { 1 => [ 'sainfo', 'address', '192.168.100.2', 'any', 'address', '10.0.0.2', 'any' ], 2 => [ 'pfs_group', '1' ], 3 => [ 'lifetime', 'time', '30', 'sec' ], 4 => [ 'encryption_algorithm', '3des' ], 5 => [ 'authentication_algorithm', 'hmac_sha1' ], 6 => [ 'compression_algorithm', 'deflate' ], }; ask_info('', N("Make sure you already have the path sections on the top of your %s file. You can now choose the sainfo settings. Choose continue or previous when you are done.\n", $racoon_conf), $sainfo_section) or goto step_configure_racoon_conf; network::ipsec::add_section_racoon_conf($sainfo_section, $racoon); } @section_names = network::ipsec::get_section_names_racoon_conf($racoon) if $racoon; goto step_configure_racoon_conf; #- edit $racoon_conf ----------------------------- } elsif ($d eq "Edit") { $in->ask_from(N("Edit section"), N("Your %s file has several sections or connections. You can choose here in the list below the one you want to edit and then click on next.\n", $racoon_conf), [ { val => \$choice, list => \@section_names, label => N("Section names"), sort => 0, not_edit => 0 } ]) or goto step_configure_racoon_conf; my $number = network::ipsec::matched_section_key_number_racoon_conf($choice,$racoon); if ($choice =~ /^remote/) { ask_info2('', N("Your %s file has several sections.\n You can now edit the remote section entries. Choose continue when you are done to write the data.\n", $racoon_conf), $racoon->{$number}, $racoon->{$number+2}) or goto step_configure_racoon_conf; } elsif ($choice =~ /^sainfo/) { ask_info('', N("Your %s file has several sections. You can now edit the sainfo section entries. Choose continue when you are done to write the data.", $racoon_conf), $racoon->{$number}) or goto step_configure_racoon_conf; } elsif ($choice =~ /^path/) { $in->ask_from('', N("This section has to be on top of your %s file.\n Make sure all other sections follow these path sections.\n You can now edit the path entries. Choose continue or previous when you are done.\n", $racoon_conf), [ { label => N("path_type"), val => \$racoon->{$number}{1}[1], list => [ 'certificate', 'pre_shared_key', 'include' ] }, { label => N("real file"), val => \$racoon->{$number}{1}[2], type => 'entry' }, ] ) or goto step_configure_racoon_conf; } goto step_configure_racoon_conf; #- remove $racoon_conf --------------------------- } elsif ($d eq "Remove") { $in->ask_from(N("Remove section"), N("Your %s file has several sections or connections.\n You can choose here below the one you want to remove and then click on next.\n", $racoon_conf), [ { val => \$choice, list => \@section_names, label => N("Section names"), sort => 0, not_edit => 0 } ]); my $number = network::ipsec::matched_section_key_number_racoon_conf($choice,$racoon); network::ipsec::remove_section_racoon_conf($choice,$racoon,$number); @section_names = network::ipsec::get_section_names_racoon_conf($racoon) if $racoon; goto step_configure_racoon_conf; #- write $racoon_conf and continue --------------- } elsif ($d eq "Commit") { log::l("[drakvpn] Modify the $racoon_conf file"); network::ipsec::write_racoon_conf($racoon_conf, $racoon); } } #- start the daemons network::ipsec::start_daemons(); #- bye-bye message undef $wait_configuring; $::Wizard_no_previous = 1; $::Wizard_finished = 1; $in->ask_okcancel(N("Congratulations!"), N("Everything has been configured.\n You may now share resources through the Internet, in a secure way, using a VPN connection. You should make sure that the tunnels shorewall section is configured.")); log::l("[drakvpn] Installation complete, exiting"); quit_global($in, 0); sub quit_global { my ($in, $exitcode) = @_; $in->exit($exitcode); goto begin; } sub ask_info { my ($title, $text, $data) = @_; $in->ask_from($title, $text, [ { label => N("Sainfo source address"), val => \$data->{1}[2], type => 'entry', help => N("sainfo (source_id destination_id | anonymous) { statements } defines the parameters of the IKE phase 2 (IPsec-SA establishment). source_id and destination_id are constructed like: address address [/ prefix] [[port]] ul_proto Examples: \n sainfo anonymous (accepts connections from anywhere) leave blank this entry if you want anonymous sainfo address 203.178.141.209 any address 203.178.141.218 any 203.178.141.209 is the source address sainfo address 172.16.1.0/24 any address 172.16.2.0/24 any 172.16.1.0/24 is the source address") }, { label => N("Sainfo source protocol"), val => \$data->{1}[3], type => 'entry', help => N("sainfo (source_id destination_id | anonymous) { statements } defines the parameters of the IKE phase 2 (IPsec-SA establishment). source_id and destination_id are constructed like: address address [/ prefix] [[port]] ul_proto Examples: \n sainfo anonymous (accepts connections from anywhere) leave blank this entry if you want anonymous sainfo address 203.178.141.209 any address 203.178.141.218 any the first 'any' allows any protocol for the source") }, { label => N("Sainfo destination address"), val => \$data->{1}[5], type => 'entry', help => N("sainfo (source_id destination_id | anonymous) { statements } defines the parameters of the IKE phase 2 (IPsec-SA establishment). source_id and destination_id are constructed like: address address [/ prefix] [[port]] ul_proto Examples: \n sainfo anonymous (accepts connections from anywhere) leave blank this entry if you want anonymous sainfo address 203.178.141.209 any address 203.178.141.218 any 203.178.141.218 is the destination address sainfo address 172.16.1.0/24 any address 172.16.2.0/24 any 172.16.2.0/24 is the destination address") }, { label => N("Sainfo destination protocol"), val => \$data->{1}[6], type => 'entry', help => N("sainfo (source_id destination_id | anonymous) { statements } defines the parameters of the IKE phase 2 (IPsec-SA establishment). source_id and destination_id are constructed like: address address [/ prefix] [[port]] ul_proto Examples: \n sainfo anonymous (accepts connections from anywhere) leave blank this entry if you want anonymous sainfo address 203.178.141.209 any address 203.178.141.218 any the last 'any' allows any protocol for the destination") }, { label => N("PFS group"), val => \$data->{2}[1], list => [ qw(modp768 modp1024 modp1536 1 2 5) ], help => N("define the group of Diffie-Hellman exponentiations. If you do not require PFS then you can omit this directive. Any proposal will be accepted if you do not specify one. group is one of the following: modp768, modp1024, modp1536. Or you can define 1, 2, or 5 as the DH group number.") }, { label => N("Lifetime number"), val => \$data->{3}[2], type => 'entry', help => N("define a lifetime of a certain time which will be pro- posed in the phase 1 negotiations. Any proposal will be accepted, and the attribute(s) will not be proposed to the peer if you do not specify it(them). They can be individually specified in each proposal. Examples: \n lifetime time 1 min; # sec,min,hour lifetime time 1 min; # sec,min,hour lifetime time 30 sec; lifetime time 30 sec; lifetime time 60 sec; lifetime time 12 hour; So, here, the lifetime numbers are 1, 1, 30, 30, 60 and 12. ") }, { label => N("Lifetime unit"), val => \$data->{3}[3], list => [ qw(sec min hour) ], help => N("define a lifetime of a certain time which will be pro- posed in the phase 1 negotiations. Any proposal will be accepted, and the attribute(s) will not be proposed to the peer if you do not specify it(them). They can be individually specified in each proposal. Examples: \n lifetime time 1 min; # sec,min,hour lifetime time 1 min; # sec,min,hour lifetime time 30 sec; lifetime time 30 sec; lifetime time 60 sec; lifetime time 12 hour; So, here, the lifetime units are 'min', 'min', 'sec', 'sec', 'sec' and 'hour'. ") }, { label => N("Encryption algorithm"), val => \$data->{4}[1], list => [ qw(des 3des des_iv64 des_iv32 rc5 rc4 idea 3idea cast128 blowfish null_enc twofish rijndae) ] }, { label => N("Authentication algorithm"), val => \$data->{5}[1], list => [ qw(des 3des des_iv64 des_iv32 hmac_md5 hmac_sha1 non_auth) ] }, { label => N("Compression algorithm"), val => \$data->{6}[1], list => [ N_("deflate") ], format => \&translate, allow_empty_list => 1 } ]) } sub ask_info2 { my ($title, $text, $main_remote_section, $proposal_remote_section) = @_; $in->ask_from($title, $text,, [ { label => N("Remote"), val => \$main_remote_section->{1}[1], type => 'entry', help => N("remote (address | anonymous) [[port]] { statements } specifies the parameters for IKE phase 1 for each remote node. The default port is 500. If anonymous is specified, the state- ments apply to all peers which do not match any other remote directive.\n Examples: \n remote anonymous remote ::1 [8000]") }, { label => N("Exchange mode"), val => \$main_remote_section->{2}[1], list => [ qw(main,agressive agressive,main) ], help => N("defines the exchange mode for phase 1 when racoon is the initiator. Also it means the acceptable exchange mode when racoon is responder. More than one mode can be specified by separating them with a comma. All of the modes are acceptable. The first exchange mode is what racoon uses when it is the initiator.\n") }, { label => N("Generate policy"), val => \$main_remote_section->{3}[1], list => [ N_("off"), N_("on") ], format => \&translate, help => N("This directive is for the responder. Therefore you should set passive on in order that racoon(8) only becomes a responder. If the responder does not have any policy in SPD during phase 2 negotiation, and the direc- tive is set on, then racoon(8) will choose the first pro- posal in the SA payload from the initiator, and generate policy entries from the proposal. It is useful to nego- tiate with the client which is allocated IP address dynamically. Note that inappropriate policy might be installed into the responder's SPD by the initiator. So that other communication might fail if such policies installed due to some policy mismatches between the ini- tiator and the responder. This directive is ignored in the initiator case. The default value is off.") }, { label => N("Passive"), val => \$main_remote_section->{4}[1], list => [ N_("off"), N_("on") ], format => \&translate, help => N("If you do not want to initiate the negotiation, set this to on. The default value is off. It is useful for a server.") }, { label => N("Certificate type"), val => \$main_remote_section->{5}[1], list => [ 'x509' ], allow_empty_list => 1 }, { label => N("My certfile"), val => \$main_remote_section->{5}[2], type => 'entry', help => N("Name of the certificate") }, { label => N("My private key"), val => \$main_remote_section->{5}[3], type => 'entry', help => N("Name of the private key") }, { label => N("Peers certfile"), val => \$main_remote_section->{6}[1], type => 'entry', help => N("Name of the peers certificate") }, { label => N("Verify cert"), val => \$main_remote_section->{7}[1], list => [ N_("off"), N_("on") ], format => \&translate, help => N("If you do not want to verify the peer's certificate for some reason, set this to off. The default is on.") }, { label => N("My identifier"), val => \$main_remote_section->{8}[1], type => 'entry', help => N("specifies the identifier sent to the remote host and the type to use in the phase 1 negotiation. address, FQDN, user_fqdn, keyid and asn1dn can be used as an idtype. they are used like: my_identifier address [address]; the type is the IP address. This is the default type if you do not specify an identifier to use. my_identifier user_fqdn string; the type is a USER_FQDN (user fully-qualified domain name). my_identifier FQDN string; the type is a FQDN (fully-qualified domain name). my_identifier keyid file; the type is a KEY_ID. my_identifier asn1dn [string]; the type is an ASN.1 distinguished name. If string is omitted, racoon(8) will get DN from Subject field in the certificate.\n Examples: \n my_identifier user_fqdn \"myemail\@mydomain.com\"") }, { label => N("Peers identifier"), val => \$main_remote_section->{9}[1], type => 'entry' }, { label => N("Proposal"), val => \$proposal_remote_section->{1}[0], list => [ 'proposal' ], allow_empty_list => 1 }, { label => N("Encryption algorithm"), val => \$proposal_remote_section->{2}[1], list => [ qw(des 3des blowfish cast128) ], help => N("specify the encryption algorithm used for the phase 1 negotiation. This directive must be defined. algorithm is one of the following: DES, 3DES, blowfish, cast128 for oakley. For other transforms, this statement should not be used.") }, { label => N("Hash algorithm"), val => \$proposal_remote_section->{3}[1], type => 'entry' }, { label => N("Authentication method"), val => \$proposal_remote_section->{4}[1], type => 'entry' }, { label => N("DH group"), val => \$proposal_remote_section->{5}[1], list => [ qw(modp768 modp1024 modp1536 1 2 5) ], }, ]); } sub ask_info3 { my ($title, $text, $section) = @_; $in->ask_from($title, $text,, [ { label => N("Command"), val => \$section->{command}, list => [ 'spdadd' ], allow_empty_list => 1 }, { label => N("Source IP range"), val => \$section->{src_range}, type => 'entry' }, { label => N("Destination IP range"), val => \$section->{dst_range}, type => 'entry' }, { label => N("Upper-layer protocol"), val => \$section->{upperspec}, list => [ N_("any") ], format => \&translate, allow_empty_list => 1 }, { label => N("Flag"), val => \$section->{flag}, list => [ '-P' ], allow_empty_list => 1 }, { label => N("Direction"), val => \$section->{direction}, list => [ 'in', 'out' ] }, { label => N("IPsec policy"), val => \$section->{ipsec}, list => [ N_("ipsec"), N_("discard"), N_("none") ], format => \&translate }, { label => N("Protocol"), val => \$section->{protocol}, list => [ 'esp', 'ah', 'ipcomp' ] }, { label => N("Mode"), val => \$section->{mode}, list => [ N_("tunnel"), N_("transport"), N_("any") ], format => \&translate }, { label => N("Source/destination"), val => \$section->{src_dest}, type => 'entry' }, { label => N("Level"), val => \$section->{level}, list => [ N_("require"), N_("default"), N_("use"), N_("unique") ], format => \&translate }, ]); }