summaryrefslogtreecommitdiffstats
path: root/bin
diff options
context:
space:
mode:
authorOlivier Blin <oblin@mandriva.com>2008-08-04 08:28:00 +0000
committerOlivier Blin <oblin@mandriva.com>2008-08-04 08:28:00 +0000
commit5045998aeebe938a903be37e50ddc2c4b45562e7 (patch)
tree94353bd4a74280e6d5d14165f68036276b9576a8 /bin
parenta7bed91569e90862ed2f484628951f136fcc1dad (diff)
downloaddrakx-net-5045998aeebe938a903be37e50ddc2c4b45562e7.tar
drakx-net-5045998aeebe938a903be37e50ddc2c4b45562e7.tar.gz
drakx-net-5045998aeebe938a903be37e50ddc2c4b45562e7.tar.bz2
drakx-net-5045998aeebe938a903be37e50ddc2c4b45562e7.tar.xz
drakx-net-5045998aeebe938a903be37e50ddc2c4b45562e7.zip
move drakvpn-old in an old subdir (so that it is not included in pot)
Diffstat (limited to 'bin')
-rwxr-xr-xbin/drakvpn-old847
1 files changed, 0 insertions, 847 deletions
diff --git a/bin/drakvpn-old b/bin/drakvpn-old
deleted file mode 100755
index 3f247a9..0000000
--- a/bin/drakvpn-old
+++ /dev/null
@@ -1,847 +0,0 @@
-#!/usr/bin/perl
-
-#
-# author Florin Grad (florin@mandrakesoft.com)
-#
-# Copyright 2006 Mandriva
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2, as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
-#
-
-
-# i18n: IMPORTANT: to get correct namespace (drakx-net instead of libDrakX)
-BEGIN { unshift @::textdomains, 'drakx-net' }
-use lib qw(/usr/lib/libDrakX);
-
-use standalone; #- warning, standalone must be loaded very first, for 'explanations'
-
-use common;
-use detect_devices;
-use interactive;
-use network::network;
-use log;
-use c;
-use network::netconnect;
-use network::shorewall;
-use network::ipsec;
-use Data::Dumper;
-
-$::isInstall and die "Not supported during install.\n";
-
-
-local $_ = join '', @ARGV;
-
-$::Wizard_pix_up = "drakvpn";
-$ugtk2::wm_icon = "drakvpn";
-
-my $direct = /-direct/;
-
-my $tunnels_file = "/etc/shorewall/tunnels";
-my $ipsec_conf = "";
-my $racoon_conf = "/etc/racoon/racoon.conf";
-my $ipsec_package = "";
-
-my $in = interactive->vnew('su');
-my $shorewall = network::shorewall::read($in);
-my @section_names;
-
- $ipsec_conf = "/etc/ipsec.conf";
-my $ipsec = network::ipsec::read_ipsec_conf($ipsec_conf);
-my $racoon = network::ipsec::read_racoon_conf($racoon_conf);
-
-#print network::ipsec::display_ipsec_conf($ipsec_conf,$ipsec);
-
-$::Wizard_title = N("DrakVPN");
-
-$in->isa('interactive::gtk') and $::isWizard = 1;
-
-my $wait_configuring;
-
-sub fatal_quit ($) {
- log::l("[drakvpn] FATAL: $_[0]");
- undef $wait_configuring;
- $in->ask_warn('', $_[0]);
- quit_global($in, -1);
-}
-
-begin:
-
-#- **********************************
-#- * 0th step: verify if we are already set up
-
-if ($shorewall && any { !/^\s*(?:#|\n)/ } cat_($tunnels_file)) {
- $::Wizard_no_previous = 1;
-
- if (!$shorewall->{disabled}) {
- my $r = $in->ask_from_list_(N("The VPN connection is enabled."),
-N("The setup of a VPN connection has already been done.
-
-It's currently enabled.
-
-What would you like to do?"),
- [ N_("disable"), N_("reconfigure"), N_("dismiss") ]) or quit_global($in, 0);
- # FIXME: reconfigure is not handled
- if ($r eq "disable") {
- if (!$::testing) {
- my $_wait_disabl = $in->wait_message(N("Please wait"), N("Disabling VPN..."));
- network::ipsec::stop_daemons();
- }
- foreach ($ipsec_conf, $tunnels_file) {
- if (-f $_) { rename($_, "$_.drakvpndisable") or die "Could not rename $_ to $_.drakvpndisable" }
- }
- network::ipsec::sys("/etc/init.d/shorewall restart >/dev/null");
- log::l("[drakvpn] Disabled");
- $::Wizard_finished = 1;
- $in->ask_okcancel('', N("The VPN connection is now disabled."));
- quit_global($in, 0);
- }
- if ($r eq "dismiss") {
- quit_global($in, 0);
- }
- } else {
- my $r = $in->ask_from_list_(N("VPN connection currently disabled"),
-N("The setup of a VPN connection has already been done.
-
-It's currently disabled.
-
-What would you like to do?"),
- [ N_("enable"), N_("reconfigure"), N_("dismiss") ]);
- # FIXME: reconfigure is not handled
- if ($r eq "enable") {
- foreach ($ipsec_conf, $tunnels_file) {
- rename($_, "$_.old") if -f $_;
- rename("$_.drakvpndisable", $_) or die "Could not find configuration. Please reconfigure.";
- }
- {
- my $_wait_enabl = $in->wait_message(N("Please wait"), N("Enabling VPN..."));
- network::ipsec::start_daemons();
- }
- log::l("[drakvpn] Enabled");
- }
- $::Wizard_finished = 1;
- $in->ask_okcancel('', N("The VPN connection is now enabled."));
- quit_global($in, 0);
- if ($r eq "dismiss") {
- quit_global($in, 0);
- }
- }
- }
-
-#- **********************************
-#- * 1st step: detect/setup
-step_ask_confirm:
-
-$::Wizard_no_previous = 1;
-
-$direct or $in->ask_okcancel(N("Simple VPN setup."),
-N("You are about to configure your computer to use a VPN connection.
-
-With this feature, computers on your local private network and computers
-on some other remote private networks, can share resources, through
-their respective firewalls, over the Internet, in a secure manner.
-
-The communication over the Internet is encrypted. The local and remote
-computers look as if they were on the same network.
-
-Make sure you have configured your Network/Internet access using
-drakconnect before going any further."), 1) or goto begin;
-
-undef $::Wizard_no_previous;
-
- $ipsec_package = "ipsec-tools";
-
-$direct or $in->ask_okcancel(N("Simple VPN setup."),
-N("VPN connection.
-
-This program is based on the following projects:
- - FreeSwan: \t\t\thttp://www.freeswan.org/
- - Super-FreeSwan: \t\thttp://www.freeswan.ca/
- - ipsec-tools: \t\t\thttp://ipsec-tools.sourceforge.net/
- - ipsec-howto: \t\thttp://www.ipsec-howto.org
- - the docs and man pages coming with the %s package
-
-Please read AT LEAST the ipsec-howto docs
-before going any further.",$ipsec_package)) or goto begin;
-
-step_detectsetup:
-
-#my @configured_devices = map { /ifcfg-(\S+)/ } glob('/etc/sysconfig/network-scripts/ifcfg*');
-
-my %aliased_devices;
-/^\s*alias\s+(eth[0-9])\s+(\S+)/ and $aliased_devices{$1} = $2 foreach cat_("/etc/modules.conf");
-
-#- **********************************
-#- * 2nd step: configure
-
-#$wait_configuring = $in->wait_message(N("Configuring..."),
-# N("Configuring scripts, installing software, starting servers..."));
-
-
-
-#- install and setup the RPM packages, if needed
-
-my %rpm2file;
-log::l("[drakvpn] install the $ipsec_package and the shorewall rpm packages");
- %rpm2file = ($ipsec_package => '/sbin/setkey',
- shorewall => '/sbin/shorewall');
-
-#- first: try to install all in one step, if needed
-if (!-e "/sbin/setkey") {
-
- my @needed_to_install = grep { !-e $rpm2file{$_} } keys %rpm2file;
- @needed_to_install and $in->do_pkgs->install(@needed_to_install) if !$::testing;
- #- second: try one by one if failure detected
- if (!$::testing && any { !-e $rpm2file{$_} } keys %rpm2file) {
- foreach (keys %rpm2file) {
- -e $rpm2file{$_} or $in->do_pkgs->install($_);
- -e $rpm2file{$_} or fatal_quit(N("Problems installing package %s", $_));
- }
- }
-}
-
-undef $wait_configuring;
-
-#- configure the $ipsec_conf file
-#- Add, Remove config|conn entries
-
-step_configuration:
-
-my $c;
-
-my %messages = (ipsec => N("Security Policies"), racoon => N("IKE daemon racoon"));
-
- $in->ask_from(N("Configuration file"),
-N("Configuration step!
-
-You need to define the Security Policies and then to
-configure the automatic key exchange (IKE) daemon.
-The KAME IKE daemon we're using is called 'racoon'.
-
-What would you like to configure?\n"),
- [ { val => \$c, type => "list", list => [ keys %messages ], format => sub { $messages{$_[0]} } } ]) or goto step_detectsetup;
-
-#-------------------------------------------------------------------
-#---------------------- configure ipsec_conf -----------------------
-#-------------------------------------------------------------------
-
-if ($c eq "ipsec" || $c eq "configure") {
-
-step_configure_ipsec_conf:
-
-@section_names = network::ipsec::get_section_names_ipsec_conf($ipsec) if $ipsec;
-
-my $choice = $section_names[0];
-my $d = $in->ask_from_list_(N("%s entries", $ipsec_conf),
-N("The %s file contents
-is divided into sections.\n
-You can now:\n
- - display, add, edit, or remove sections, then
- - commit the changes
-
-What would you like to do?\n", $ipsec_conf),
- [ N_("_:display here is a verb\nDisplay"), N_("Add"), N_("Edit"), N_("Remove"), N_("Commit") ]) or goto step_configuration;
-
-#my $existing_section = "";
-
-#- display $ipsec_conf -------------------------
-
-step_display_ipsec_conf:
-
-if ($d eq "display $ipsec_conf" || $d eq "_:display here is a verb\nDisplay") {
- my $ipsec_exists = 0;
- foreach my $key (keys %$ipsec) {
- $ipsec_exists = 1 if $ipsec->{$key};
- }
- if ($ipsec_exists) {
- $in->ask_okcancel(N("_:display here is a verb\nDisplay configuration"),
- network::ipsec::display_ipsec_conf($ipsec));
- goto step_configure_ipsec_conf;
- } else {
-$in->ask_okcancel(N("_:display here is a verb\nDisplay configuration"),
-N("The %s file does not exist.\n
-This must be a new configuration.\n
-You'll have to go back and choose 'add'.\n", $ipsec_conf));
- goto step_configure_ipsec_conf;
- }
-
-#- add ---------------------
-
-} elsif ($d eq "Add") {
-
-step_add_section:
-
-#- add ---- kernel 2.6 part -------------------------------
-
- my $section = { command => 'spdadd',
- src_range => 'src_network_address',
- dst_range => 'dest_network_address',
- upperspec => 'any',
- flag => '-P',
- direction => 'in or out',
- ipsec => 'ipsec',
- protocol => 'esp',
- mode => 'tunnel',
- src_dest => 'source-destination',
- level => 'require' };
-
-step_add_section_ipsec_conf_k26:
-
- ask_info3('',
-N("Add a Security Policy.\n
-You can now add a Security Policy.\n
-Choose continue when you are done to write the data.\n"), $section) or goto step_configure_ipsec_conf;
-
-# $existing_section = network::ipsec::already_existing_section_ipsec_conf($section->{src_dest}, $ipsec);
-#
-# if ($existing_section eq "already existing") {
-#$in->ask_okcancel(N("Exists!"),
-#N("A section with this name already exists.
-#The section names have to be unique.\n
-#You'll have to go back and add another section
-#or change the name of the section.\n"));
-# goto step_add_section_ipsec_conf_k26;
-#};
-
- if (!$ipsec->{1}) {
- put_in_hash($ipsec, { max(keys %$ipsec) + 1 => "#!/sbin/setkey -f" });
- put_in_hash($ipsec, { max(keys %$ipsec) + 1 => "flush;" });
- put_in_hash($ipsec, { max(keys %$ipsec) + 1 => "spdflush;" });
- }
-
- network::ipsec::add_section_ipsec_conf($section, $ipsec);
-
- @section_names = network::ipsec::get_section_names_ipsec_conf($ipsec);
-
- goto step_configure_ipsec_conf;
-
-#- edit ---------------------
-
-} elsif ($d eq "Edit") {
-
-step_edit_ipsec_conf:
-$in->ask_from(N("Edit section"),
-N("Your %s file has several sections or connections.\n
-You can choose here below the one you want to edit
-and then click on next.\n", $ipsec_conf),
- [ { val => \$choice, list => \@section_names, label => N("Section names"), sort => 0, not_edit => 0 } ])
- or goto step_configure_ipsec_conf;
-
-my $number = network::ipsec::matched_section_key_number_ipsec_conf($choice,$ipsec);
-
-
- ask_info3('',
-N("Edit a Security Policy.\n
-You can now edit a Security Policy.\n
-Choose continue when you are done to write the data.\n"), $ipsec->{$number}) or goto step_configure_ipsec_conf;
-
-goto step_configure_ipsec_conf;
-
-#- remove ---------------------
-
-} elsif ($d eq "Remove") {
-$in->ask_from(N("Remove section"),
-N("Your %s file has several sections or connections.\n
-You can choose here below the one you want to remove
-and then click on next.\n", $ipsec_conf),
- [ { val => \$choice, list => \@section_names, label => N("Section names"), sort => 0, not_edit => 0 } ]);
-
- network::ipsec::remove_section_ipsec_conf($choice,$ipsec);
-
- @section_names = network::ipsec::get_section_names_ipsec_conf($ipsec) if $ipsec;
-
- goto step_configure_ipsec_conf;
-
-#- continue and write ---------------------
-
-} elsif ($d eq "Commit") {
- log::l("[drakvpn] Modify the $ipsec_conf file");
- network::ipsec::write_ipsec_conf($ipsec_conf, $ipsec);
- }
-#-------------------------------------------------------------------
-#---------------------- configure racoon_conf -----------------------
-#-------------------------------------------------------------------
-
-} elsif ($c eq "racoon") {
-
-step_configure_racoon_conf:
-
-@section_names = network::ipsec::get_section_names_racoon_conf($racoon) if $racoon;
-
-my $choice = $section_names[0];
-my $d = $in->ask_from_list_(N("%s entries", $racoon_conf),
-N("The racoon.conf file configuration.\n
-The contents of this file is divided into sections.
-You can now:
- - display \t\t (display the file contents)
- - add \t\t (add one section)
- - edit \t\t\t (modify parameters of an existing section)
- - remove \t\t (remove an existing section)
- - commit \t\t (writes the changes to the real file)"),
- [ N_("_:display here is a verb\nDisplay"), N_("Add"), N_("Edit"), N_("Remove"), N_("Commit") ]) or goto step_configuration;
-
-
-#- display $racoon_conf -------------------------
-
-step_display_racoon_conf:
-
-if ($d eq "_:display here is a verb\nDisplay") {
-
- my $racoon_exists = 0;
- foreach my $key (keys %$racoon) {
- $racoon_exists = 1 if $racoon->{$key};
- }
-
- if ($racoon_exists) {
- $in->ask_okcancel(N("_:display here is a verb\nDisplay configuration"),
- network::ipsec::display_racoon_conf($racoon));
- goto step_configure_racoon_conf;
- } else {
-$in->ask_okcancel(N("_:display here is a verb\nDisplay configuration"),
-N("The %s file does not exist\n
-This must be a new configuration.\n
-You'll have to go back and choose configure.\n", $racoon_conf));
- goto step_configure_racoon_conf;
- }
-
-#- add $racoon_conf ------------------------------
-
-} elsif ($d eq "Add") {
-
-step_add_section_racoon:
-
-#my $existing_section = "";
-
-my $e = $in->ask_from_list_(N("racoon.conf entries"),
-N("The 'add' sections step.\n
-Here below is the racoon.conf file skeleton:
-\t'path'
-\t'remote'
-\t'sainfo' \n
-Choose the section you would like to add.\n"),
- [ N_("path"), N_("remote"), N_("sainfo"), N_("dismiss") ]) or goto step_configure_racoon_conf;
-if ($e eq "path") {
-
- my $path_section = {
- 1 => [ 'path', 'path_type', '"/etc/racoon/certs"' ],
- };
-
- $in->ask_from('',
-N("The 'add path' section step.\n
-The path sections have to be on top of your racoon.conf file.\n
-Put your mouse over the certificate entry to obtain online help."),
- [ { label => N("path type"),
- val => \$path_section->{1}[1],
- list => [ 'certificate', 'pre_shared_key', 'include' ],
- help =>
-N("path include path: specifies a path to include
-a file. See File Inclusion.
- Example: path include '/etc/racoon'
-
-path pre_shared_key file: specifies a file containing
-pre-shared key(s) for various ID(s). See Pre-shared key File.
- Example: path pre_shared_key '/etc/racoon/psk.txt' ;
-
-path certificate path: racoon(8) will search this directory
-if a certificate or certificate request is received.
- Example: path certificate '/etc/cert' ;
-
-File Inclusion: include file
-other configuration files can be included.
- Example: include \"remote.conf\" ;
-
-Pre-shared key File: Pre-shared key file defines a pair
-of the identifier and the shared secret key which are used at
-Pre-shared key authentication method in phase 1."),
-},
- { label => N("real file"), val => \$path_section->{1}[2], type => 'entry' },
- ]
-) or goto step_configure_racoon_conf;
-
-network::ipsec::add_section_racoon_conf($path_section, $racoon);
-} elsif ($e eq "remote") {
- my $main_remote_section = { 1 => [ 'remote', 'address' ],
- 2 => [ 'exchange_mode', 'aggressive,main' ],
- 3 => [ 'generate_policy', 'on' ],
- 4 => [ 'passive', 'on' ],
- 5 => [ 'certificate_type', 'x509', '"my_certificate.pem"', '"my_private_key.pem"' ],
- 6 => [ 'peers_certfile', '"remote.public"' ],
- 7 => [ 'verify_cert', 'on' ],
- 8 => [ 'my_identifier', 'asn1dn' ],
- 9 => [ 'peers_identifier', 'asn1dn' ]
- };
- my $proposal_remote_section = { 1 => [ 'proposal' ],
- 2 => [ 'encryption_algorithm', '3des' ],
- 3 => [ 'hash_algorithm', 'md5' ],
- 4 => [ 'authentication_method', 'rsasig' ],
- 5 => [ 'dh_group', 'modp1024' ]
- };
- ask_info2('',
-N("Make sure you already have the path sections
-on the top of your racoon.conf file.
-
-You can now choose the remote settings.
-Choose continue or previous when you are done.\n"), $main_remote_section, $proposal_remote_section) or goto step_configure_racoon_conf;
-
-network::ipsec::add_section_racoon_conf($main_remote_section, $racoon);
-network::ipsec::add_section_racoon_conf($proposal_remote_section, $racoon);
-} elsif ($e eq "sainfo") {
- my $sainfo_section = { 1 => [ 'sainfo', 'address', '192.168.100.2', 'any', 'address', '10.0.0.2', 'any' ],
- 2 => [ 'pfs_group', '1' ],
- 3 => [ 'lifetime', 'time', '30', 'sec' ],
- 4 => [ 'encryption_algorithm', '3des' ],
- 5 => [ 'authentication_algorithm', 'hmac_sha1' ],
- 6 => [ 'compression_algorithm', 'deflate' ],
- };
- ask_info('',
-N("Make sure you already have the path sections
-on the top of your %s file.
-
-You can now choose the sainfo settings.
-Choose continue or previous when you are done.\n", $racoon_conf), $sainfo_section) or goto step_configure_racoon_conf;
-
-network::ipsec::add_section_racoon_conf($sainfo_section, $racoon);
-}
-
-@section_names = network::ipsec::get_section_names_racoon_conf($racoon) if $racoon;
-
-goto step_configure_racoon_conf;
-
-#- edit $racoon_conf -----------------------------
-
-} elsif ($d eq "Edit") {
-$in->ask_from(N("Edit section"),
-N("Your %s file has several sections or connections.
-
-You can choose here in the list below the one you want
-to edit and then click on next.\n", $racoon_conf),
- [ { val => \$choice, list => \@section_names, label => N("Section names"), sort => 0, not_edit => 0 } ])
- or goto step_configure_racoon_conf;
-
-my $number = network::ipsec::matched_section_key_number_racoon_conf($choice,$racoon);
-
-if ($choice =~ /^remote/) {
- ask_info2('',
-N("Your %s file has several sections.\n
-
-You can now edit the remote section entries.
-
-Choose continue when you are done to write the data.\n", $racoon_conf), $racoon->{$number}, $racoon->{$number+2})
- or goto step_configure_racoon_conf;
-
-} elsif ($choice =~ /^sainfo/) {
- ask_info('',
-N("Your %s file has several sections.
-
-You can now edit the sainfo section entries.
-
-Choose continue when you are done to write the data.", $racoon_conf), $racoon->{$number}) or goto step_configure_racoon_conf;
-
-} elsif ($choice =~ /^path/) {
- $in->ask_from('',
-N("This section has to be on top of your
-%s file.\n
-Make sure all other sections follow these path
-sections.\n
-You can now edit the path entries.
-
-Choose continue or previous when you are done.\n", $racoon_conf),
- [ { label => N("path_type"), val => \$racoon->{$number}{1}[1], list => [ 'certificate', 'pre_shared_key', 'include' ] },
- { label => N("real file"), val => \$racoon->{$number}{1}[2], type => 'entry' },
- ]
-) or goto step_configure_racoon_conf;
-}
-
-goto step_configure_racoon_conf;
-
-#- remove $racoon_conf ---------------------------
-
-} elsif ($d eq "Remove") {
-$in->ask_from(N("Remove section"),
-N("Your %s file has several sections or connections.\n
-You can choose here below the one you want to remove
-and then click on next.\n", $racoon_conf),
- [ { val => \$choice, list => \@section_names, label => N("Section names"), sort => 0, not_edit => 0 } ]);
-
-my $number = network::ipsec::matched_section_key_number_racoon_conf($choice,$racoon);
-network::ipsec::remove_section_racoon_conf($choice,$racoon,$number);
- @section_names = network::ipsec::get_section_names_racoon_conf($racoon) if $racoon;
-
- goto step_configure_racoon_conf;
-
-#- write $racoon_conf and continue ---------------
-} elsif ($d eq "Commit") {
- log::l("[drakvpn] Modify the $racoon_conf file");
- network::ipsec::write_racoon_conf($racoon_conf, $racoon);
-}
-}
-
-#- start the daemons
-network::ipsec::start_daemons();
-
-#- bye-bye message
-
-undef $wait_configuring;
-
-$::Wizard_no_previous = 1;
-$::Wizard_finished = 1;
-
-$in->ask_okcancel(N("Congratulations!"),
-N("Everything has been configured.\n
-You may now share resources through the Internet,
-in a secure way, using a VPN connection.
-
-You should make sure that the tunnels shorewall
-section is configured."));
-
-log::l("[drakvpn] Installation complete, exiting");
-quit_global($in, 0);
-
-sub quit_global {
- my ($in, $exitcode) = @_;
- $in->exit($exitcode);
- goto begin;
-}
-
-
-sub ask_info {
- my ($title, $text, $data) = @_;
- $in->ask_from($title, $text,
- [ { label => N("Sainfo source address"), val => \$data->{1}[2], type => 'entry',
- help => N("sainfo (source_id destination_id | anonymous) { statements }
-defines the parameters of the IKE phase 2
-(IPsec-SA establishment).
-
-source_id and destination_id are constructed like:
-
- address address [/ prefix] [[port]] ul_proto
-
-Examples: \n
-sainfo anonymous (accepts connections from anywhere)
- leave blank this entry if you want anonymous
-
-sainfo address 203.178.141.209 any address 203.178.141.218 any
- 203.178.141.209 is the source address
-
-sainfo address 172.16.1.0/24 any address 172.16.2.0/24 any
- 172.16.1.0/24 is the source address") },
- { label => N("Sainfo source protocol"), val => \$data->{1}[3], type => 'entry',
- help => N("sainfo (source_id destination_id | anonymous) { statements }
-defines the parameters of the IKE phase 2
-(IPsec-SA establishment).
-
-source_id and destination_id are constructed like:
-
- address address [/ prefix] [[port]] ul_proto
-
-Examples: \n
-sainfo anonymous (accepts connections from anywhere)
- leave blank this entry if you want anonymous
-
-sainfo address 203.178.141.209 any address 203.178.141.218 any
- the first 'any' allows any protocol for the source") },
- { label => N("Sainfo destination address"), val => \$data->{1}[5], type => 'entry',
- help => N("sainfo (source_id destination_id | anonymous) { statements }
-defines the parameters of the IKE phase 2
-(IPsec-SA establishment).
-
-source_id and destination_id are constructed like:
-
- address address [/ prefix] [[port]] ul_proto
-
-Examples: \n
-sainfo anonymous (accepts connections from anywhere)
- leave blank this entry if you want anonymous
-
-sainfo address 203.178.141.209 any address 203.178.141.218 any
- 203.178.141.218 is the destination address
-
-sainfo address 172.16.1.0/24 any address 172.16.2.0/24 any
- 172.16.2.0/24 is the destination address") },
- { label => N("Sainfo destination protocol"), val => \$data->{1}[6], type => 'entry',
- help => N("sainfo (source_id destination_id | anonymous) { statements }
-defines the parameters of the IKE phase 2
-(IPsec-SA establishment).
-
-source_id and destination_id are constructed like:
-
- address address [/ prefix] [[port]] ul_proto
-
-Examples: \n
-sainfo anonymous (accepts connections from anywhere)
- leave blank this entry if you want anonymous
-
-sainfo address 203.178.141.209 any address 203.178.141.218 any
- the last 'any' allows any protocol for the destination") },
- { label => N("PFS group"), val => \$data->{2}[1],
- list => [ qw(modp768 modp1024 modp1536 1 2 5) ],
- help => N("define the group of Diffie-Hellman exponentiations.
-If you do not require PFS then you can omit this directive.
-Any proposal will be accepted if you do not specify one.
-group is one of the following: modp768, modp1024, modp1536.
-Or you can define 1, 2, or 5 as the DH group number.") },
- { label => N("Lifetime number"), val => \$data->{3}[2], type => 'entry',
- help => N("define a lifetime of a certain time which will be pro-
-posed in the phase 1 negotiations. Any proposal will be
-accepted, and the attribute(s) will not be proposed to
-the peer if you do not specify it(them). They can be
-individually specified in each proposal.
-
-Examples: \n
- lifetime time 1 min; # sec,min,hour
- lifetime time 1 min; # sec,min,hour
- lifetime time 30 sec;
- lifetime time 30 sec;
- lifetime time 60 sec;
- lifetime time 12 hour;
-
-So, here, the lifetime numbers are 1, 1, 30, 30, 60 and 12.
-") },
- { label => N("Lifetime unit"), val => \$data->{3}[3],
- list => [ qw(sec min hour) ],
- help => N("define a lifetime of a certain time which will be pro-
-posed in the phase 1 negotiations. Any proposal will be
-accepted, and the attribute(s) will not be proposed to
-the peer if you do not specify it(them). They can be
-individually specified in each proposal.
-
-Examples: \n
- lifetime time 1 min; # sec,min,hour
- lifetime time 1 min; # sec,min,hour
- lifetime time 30 sec;
- lifetime time 30 sec;
- lifetime time 60 sec;
- lifetime time 12 hour;
-
-So, here, the lifetime units are 'min', 'min', 'sec', 'sec', 'sec' and 'hour'.
-") },
- { label => N("Encryption algorithm"), val => \$data->{4}[1],
- list => [ qw(des 3des des_iv64 des_iv32 rc5 rc4 idea 3idea cast128 blowfish null_enc twofish rijndae) ] },
- { label => N("Authentication algorithm"), val => \$data->{5}[1],
- list => [ qw(des 3des des_iv64 des_iv32 hmac_md5 hmac_sha1 non_auth) ] },
- { label => N("Compression algorithm"), val => \$data->{6}[1],
- list => [ N_("deflate") ], format => \&translate, allow_empty_list => 1 }
-
-]) }
-
-sub ask_info2 {
- my ($title, $text, $main_remote_section, $proposal_remote_section) = @_;
- $in->ask_from($title, $text,,
- [ { label => N("Remote"), val => \$main_remote_section->{1}[1], type => 'entry',
- help => N("remote (address | anonymous) [[port]] { statements }
-specifies the parameters for IKE phase 1 for each remote node.
-The default port is 500. If anonymous is specified, the state-
-ments apply to all peers which do not match any other remote
-directive.\n
-Examples: \n
-remote anonymous
-remote ::1 [8000]") },
- { label => N("Exchange mode"), val => \$main_remote_section->{2}[1],
- list => [ qw(main,agressive agressive,main) ],
- help => N("defines the exchange mode for phase 1 when racoon is the
-initiator. Also it means the acceptable exchange mode
-when racoon is responder. More than one mode can be
-specified by separating them with a comma. All of the
-modes are acceptable. The first exchange mode is what
-racoon uses when it is the initiator.\n") },
- { label => N("Generate policy"), val => \$main_remote_section->{3}[1],
- list => [ N_("off"), N_("on") ], format => \&translate,
- help => N("This directive is for the responder. Therefore you
-should set passive on in order that racoon(8) only
-becomes a responder. If the responder does not have any
-policy in SPD during phase 2 negotiation, and the direc-
-tive is set on, then racoon(8) will choose the first pro-
-posal in the SA payload from the initiator, and generate
-policy entries from the proposal. It is useful to nego-
-tiate with the client which is allocated IP address
-dynamically. Note that inappropriate policy might be
-installed into the responder's SPD by the initiator. So
-that other communication might fail if such policies
-installed due to some policy mismatches between the ini-
-tiator and the responder. This directive is ignored in
-the initiator case. The default value is off.") },
- { label => N("Passive"), val => \$main_remote_section->{4}[1],
- list => [ N_("off"), N_("on") ], format => \&translate,
- help => N("If you do not want to initiate the negotiation, set this
-to on. The default value is off. It is useful for a
-server.") },
- { label => N("Certificate type"), val => \$main_remote_section->{5}[1],
- list => [ 'x509' ], allow_empty_list => 1 },
- { label => N("My certfile"), val => \$main_remote_section->{5}[2], type => 'entry',
- help => N("Name of the certificate") },
- { label => N("My private key"), val => \$main_remote_section->{5}[3], type => 'entry',
- help => N("Name of the private key") },
- { label => N("Peers certfile"), val => \$main_remote_section->{6}[1], type => 'entry',
- help => N("Name of the peers certificate") },
- { label => N("Verify cert"), val => \$main_remote_section->{7}[1],
- list => [ N_("off"), N_("on") ], format => \&translate,
- help => N("If you do not want to verify the peer's certificate for
-some reason, set this to off. The default is on.") },
- { label => N("My identifier"), val => \$main_remote_section->{8}[1], type => 'entry',
- help => N("specifies the identifier sent to the remote host and the
-type to use in the phase 1 negotiation. address, FQDN,
-user_fqdn, keyid and asn1dn can be used as an idtype.
-they are used like:
- my_identifier address [address];
- the type is the IP address. This is the default
- type if you do not specify an identifier to use.
- my_identifier user_fqdn string;
- the type is a USER_FQDN (user fully-qualified
- domain name).
- my_identifier FQDN string;
- the type is a FQDN (fully-qualified domain name).
- my_identifier keyid file;
- the type is a KEY_ID.
- my_identifier asn1dn [string];
- the type is an ASN.1 distinguished name. If
- string is omitted, racoon(8) will get DN from
- Subject field in the certificate.\n
-Examples: \n
-my_identifier user_fqdn \"myemail\@mydomain.com\"") },
- { label => N("Peers identifier"), val => \$main_remote_section->{9}[1], type => 'entry' },
- { label => N("Proposal"), val => \$proposal_remote_section->{1}[0], list => [ 'proposal' ], allow_empty_list => 1 },
- { label => N("Encryption algorithm"), val => \$proposal_remote_section->{2}[1], list => [ qw(des 3des blowfish cast128) ],
- help => N("specify the encryption algorithm used for the
-phase 1 negotiation. This directive must be defined.
-algorithm is one of the following:
-
-DES, 3DES, blowfish, cast128 for oakley.
-
-For other transforms, this statement should not be used.") },
- { label => N("Hash algorithm"), val => \$proposal_remote_section->{3}[1], type => 'entry' },
- { label => N("Authentication method"), val => \$proposal_remote_section->{4}[1], type => 'entry' },
- { label => N("DH group"), val => \$proposal_remote_section->{5}[1], list => [ qw(modp768 modp1024 modp1536 1 2 5) ], },
- ]);
-}
-
-sub ask_info3 {
- my ($title, $text, $section) = @_;
- $in->ask_from($title, $text,,
- [ { label => N("Command"), val => \$section->{command}, list => [ 'spdadd' ], allow_empty_list => 1 },
- { label => N("Source IP range"), val => \$section->{src_range}, type => 'entry' },
- { label => N("Destination IP range"), val => \$section->{dst_range}, type => 'entry' },
- { label => N("Upper-layer protocol"), val => \$section->{upperspec}, list => [ N_("any") ],
- format => \&translate, allow_empty_list => 1 },
- { label => N("Flag"), val => \$section->{flag}, list => [ '-P' ], allow_empty_list => 1 },
- { label => N("Direction"), val => \$section->{direction}, list => [ 'in', 'out' ] },
- { label => N("IPsec policy"), val => \$section->{ipsec}, list => [ N_("ipsec"), N_("discard"), N_("none") ],
- format => \&translate },
- { label => N("Protocol"), val => \$section->{protocol}, list => [ 'esp', 'ah', 'ipcomp' ] },
- { label => N("Mode"), val => \$section->{mode}, list => [ N_("tunnel"), N_("transport"), N_("any") ],
- format => \&translate },
- { label => N("Source/destination"), val => \$section->{src_dest}, type => 'entry' },
- { label => N("Level"), val => \$section->{level}, list => [ N_("require"), N_("default"), N_("use"), N_("unique") ],
- format => \&translate },
- ]);
-}
-