aboutsummaryrefslogtreecommitdiffstats
path: root/sysconfig
diff options
context:
space:
mode:
authorBill Nottingham <notting@redhat.com>2003-07-02 23:05:30 +0000
committerBill Nottingham <notting@redhat.com>2003-07-02 23:05:30 +0000
commit478722157f6238c189c102bd960ca906935fb8dd (patch)
treeec5cb0dd834f098ea9e640bb517e6a52f7b7e079 /sysconfig
parent6b78527ef407b08b4e2c26f0709375b366e66283 (diff)
downloadinitscripts-478722157f6238c189c102bd960ca906935fb8dd.tar
initscripts-478722157f6238c189c102bd960ca906935fb8dd.tar.gz
initscripts-478722157f6238c189c102bd960ca906935fb8dd.tar.bz2
initscripts-478722157f6238c189c102bd960ca906935fb8dd.tar.xz
initscripts-478722157f6238c189c102bd960ca906935fb8dd.zip
first batch of automatic keying fixes. notably, I can't type.
Diffstat (limited to 'sysconfig')
-rwxr-xr-xsysconfig/network-scripts/ifup-ipsec41
1 files changed, 23 insertions, 18 deletions
diff --git a/sysconfig/network-scripts/ifup-ipsec b/sysconfig/network-scripts/ifup-ipsec
index 2eb38e60..b46d7e2a 100755
--- a/sysconfig/network-scripts/ifup-ipsec
+++ b/sysconfig/network-scripts/ifup-ipsec
@@ -29,7 +29,7 @@
# PSK = preshared keys (shared secret)
# X509 = X.509 certificates
# RSA = RSA host keys in DNS (not yet implemented)
-# GSSAPI = GSSAPI authentication
+# GSSAPI = GSSAPI authentication
# IKE_PSK = preshared key for this connection
# IKE_CERTFILE = our certificate file name for X509 IKE
# IKE_PEER_CERTFILE = peer public cert filename for X509 IKE
@@ -100,11 +100,13 @@ fi
[ -z "$KEYING" ] && KEYING=manual
+# Get source address
+if [ -z "$SRC" ]; then
+ SRC=`ip -o route get to $DST | sed "s|.*src \([^ ]*\).*|\1|"`
+fi
+
+
if [ "$KEYING" = "manual" ]; then
- # Get source address
- if [ -z "$SRC" ]; then
- SRC=`ip -o route get to $DST | sed "s|.*src \([^ ]*\).*|\1|"`
- fi
[ -z "$AH_PROTO" ] && AH_PROTO=hmac-md5
[ -z "$ESP_PROTO" ] && ESP_PROTO=3des-cbc
@@ -171,19 +173,22 @@ EOF
fi
if [ "$KEYING" = "automatic" ]; then
+ [ -z "$AH_PROTO" ] && AH_PROTO=md5
+ [ -z "$ESP_PROTO" ] && ESP_PROTO=3des
+
if [ "$MODE" = "host" ]; then
/sbin/setkey -c << EOF
spddelete $SRC $DST any -P out;
spddelete $DST $SRC any -P in;
spdadd $SRC $DST any -P out ipsec
- ${KEY_ESP_OUT:+esp/transport//require}
- ${KEY_AH_OUT:+ah/transport//require}
+ esp/transport//require
+ ah/transport//require
;
spdadd $DST $SRC any -P in ipsec
- ${KEY_ESP_IN:+esp/transport//require}
- ${KEY_AH_IN:+ah/transport//require}
+ esp/transport//require
+ ah/transport//require
;
EOF
else
@@ -195,13 +200,13 @@ spddelete $SRCNET $DSTNET any -P out;
spddelete $DSTNET $SRCNET any -P in;
spdadd $SRCNET $DSTNET any -P out ipsec
- ${KEY_ESP_OUT:+esp/tunnel/$SRC-$DEST/require}
- ${KEY_AH_OUT:+ah/tunnel/$SRC-$DEST/require}
+ esp/tunnel/$SRC-$DEST/require
+ ah/tunnel/$SRC-$DEST/require
;
spdadd $DSTNET $SRCNET any -P in ipsec
- ${KEY_ESP_IN:+esp/tunnel/$DEST-$SRC/require}
- ${KEY_AH_IN:+ah/tunnel/$DEST-$SRC/require}
+ esp/tunnel/$DEST-$SRC/require
+ ah/tunnel/$DEST-$SRC/require
;
EOF
fi
@@ -215,7 +220,7 @@ EOF
cat > /etc/racoon/$DST.conf << EOF
remote $DST
{
- exchange_mode agressive, main;
+ exchange_mode aggressive, main;
EOF
case "$IKE_METHOD" in
PSK)
@@ -223,7 +228,7 @@ EOF
my_identifier address;
proposal {
encryption_algorithm $ESP_PROTO;
- hash_alogirtihm $AH_PROTO;
+ hash_algorithm $AH_PROTO;
authentication_method pre_shared_key;
dh_group 2 ;
}
@@ -260,7 +265,7 @@ EOF
my_identifier address;
proposal {
encryption_algorithm $ESP_PROTO;
- hash_alogirtihm $AH_PROTO;
+ hash_algorithm $AH_PROTO;
authentication_method gssapi_krb;
dh_group 2 ;
}
@@ -268,8 +273,8 @@ EOF
EOF
esac
racoontmp=`mktemp /etc/racoon/racoon.XXXXXX`
- grep -v "^include $DST.conf" /etc/racoon/racoon.conf >> $racoontmp
- echo "include $DST.conf" >> $racoontmp
+ grep -v "^include /etc/racoon/$DST.conf" /etc/racoon/racoon.conf >> $racoontmp
+ echo "include /etc/racoon/$DST.conf" >> $racoontmp
mv -f $racoontmp /etc/racoon/racoon.conf
pidof -x /usr/sbin/racoon > /dev/null 2>&1 && killall -HUP /usr/sbin/racoon
fi