-rw-r--r-- | sysconfig.txt | 2 | ||||
-rwxr-xr-x | sysconfig/network-scripts/ifup-ipsec | 73 |
2 files changed, 57 insertions, 18 deletions
diff --git a/sysconfig.txt b/sysconfig.txt
index 538a9e3d..c4183785 100644
--- a/sysconfig.txt
+++ b/sysconfig.txt
@@ -881,6 +881,8 @@ Files in /etc/sysconfig/network-scripts/
 PSK=preshared keys (shared secret)
 X509=X.509 certificates
 GSSPI=GSSAPI authentication
+ IKE_AUTH=protocol to use for Phase 1 of SA (defaults to sha1)
+ IKE_ENC=protocol to use for Phase 1 of SA (defaults to 3des)
 IKE_PSK=preshared key for this connection
 IKE_CERTFILE=our certificate file name for X509 IKE
 IKE_PEER_CERTFILE=peer public cert filename for X509 IKE
diff --git a/sysconfig/network-scripts/ifup-ipsec b/sysconfig/network-scripts/ifup-ipsec
index ab5298e3..9998762c 100755
--- a/sysconfig/network-scripts/ifup-ipsec
+++ b/sysconfig/network-scripts/ifup-ipsec
@@ -105,6 +105,10 @@ else
 [ -z "$IKE_DHGROUP" ] && IKE_DHGROUP=2
 [ -z "$AH_PROTO" ] && AH_PROTO=sha1
 [ -z "$ESP_PROTO" ] && ESP_PROTO=3des
+ [ -z "$IKE_AUTH" ] && IKE_AUTH=$AH_PROTO
+ [ -z "$IKE_ENC" ] && IKE_ENC=$ESP_PROTO
+ [ "$IKE_AUTH" = "none" ] && IKE_AUTH=sha1
+ [ "$IKE_ENC" = "none" ] && IKE_ENC=3des
 SPD_AH_IN=yes
 SPD_AH_OUT=yes
@@ -114,11 +118,9 @@ fi
 if [ "$AH_PROTO" = "none" ]; then
 unset SPI_AH_IN SPI_AH_OUT KEY_AH_IN KEY_AH_OUT SPD_AH_IN SPD_AH_OUT
- AH_PROTO=sha1 # To silence racoon
 fi
 if [ "$ESP_PROTO" = "none" ]; then
 unset SPI_ESP_IN SPI_ESP_OUT KEY_ESP_IN KEY_ESP_OUT SPD_ESP_IN SPD_ESP_OUT
- ESP_PROTO=3des # To silence racoon
 fi
 /sbin/setkey -c >/dev/null 2>&1 << EOF
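Review bot: The four IKE_AUTH/IKE_ENC default lines in the `@@ -105` hunk sit inside an `else` branch (the enclosing if/else starts outside the hunk), while the racoon proposals added later in this commit substitute `$IKE_ENC` and `$IKE_AUTH` unconditionally; if the other branch can reach the racoon configuration with these variables unset, racoon is handed `encryption_algorithm ;`. Either move the defaults after the closing `fi` or state on them that the other branch is responsible. A short comment would also make the intent of the `none` remapping clear: `# Phase 1 defaults inherit the ESP/AH algorithms; racoon needs a real algorithm even when that SA side is disabled`.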
@@ -130,24 +132,38 @@ spddelete $SPD_SRC $SPD_DST any -P out; spddelete $SPD_DST $SPD_SRC any -P in; ${EXCLUDE_SRCNET:+spddelete $SPD_SRC $SPD_SRC any -P out;} ${EXCLUDE_SRCNET:+spddelete $SPD_SRC $SPD_SRC any -P in;} +EOF # ESP -${KEY_ESP_IN:+add $DST $SRC esp $SPI_ESP_IN ${TUNNEL_MODE:+-m tunnel} \ --E ${ESP_PROTO_IN:-$ESP_PROTO} $KEY_ESP_IN \ -${KEY_AESP_IN:+-A ${AESP_PROTO_IN:-$AESP_PROTO} $KEY_AESP_IN} -;} -${KEY_ESP_OUT:+add $SRC $DST esp $SPI_ESP_OUT ${TUNNEL_MODE:+-m tunnel} \ --E ${ESP_PROTO_OUT:-$ESP_PROTO} $KEY_ESP_OUT \ -${KEY_AESP_OUT:+-A ${AESP_PROTO_OUT:-$AESP_PROTO} $KEY_AESP_OUT} -;} +if [ "$ESP_PROTO" != "none" ]; then + /sbin/setkey -c >/dev/null 2>&1 << EOF + ${KEY_ESP_IN:+add $DST $SRC esp $SPI_ESP_IN ${TUNNEL_MODE:+-m tunnel} \ + -E ${ESP_PROTO_IN:-$ESP_PROTO} $KEY_ESP_IN \ + ${KEY_AESP_IN:+-A ${AESP_PROTO_IN:-$AESP_PROTO} $KEY_AESP_IN} + ;} + ${KEY_ESP_OUT:+add $SRC $DST esp $SPI_ESP_OUT ${TUNNEL_MODE:+-m tunnel} \ + -E ${ESP_PROTO_OUT:-$ESP_PROTO} $KEY_ESP_OUT \ + ${KEY_AESP_OUT:+-A ${AESP_PROTO_OUT:-$AESP_PROTO} $KEY_AESP_OUT} + ;} +EOF +fi # AH -${KEY_AH_IN:+add $DST $SRC ah $SPI_AH_IN ${TUNNEL_MODE:+-m tunnel} -A ${AH_PROTO_IN:-$AH_PROTO} $KEY_AH_IN;} -${KEY_AH_OUT:+add $SRC $DST ah $SPI_AH_OUT ${TUNNEL_MODE:+-m tunnel} -A ${AH_PROTO_OUT:-$AH_PROTO} $KEY_AH_OUT;} +if [ "$AH_PROTO" != "none" ]; then + /sbin/setkey -c >/dev/null 2>&1 << EOF + ${KEY_AH_IN:+add $DST $SRC ah $SPI_AH_IN ${TUNNEL_MODE:+-m tunnel} -A ${AH_PROTO_IN:-$AH_PROTO} $KEY_AH_IN;} + ${KEY_AH_OUT:+add $SRC $DST ah $SPI_AH_OUT ${TUNNEL_MODE:+-m tunnel} -A ${AH_PROTO_OUT:-$AH_PROTO} $KEY_AH_OUT;} +EOF +fi +/sbin/setkey -c >/dev/null 2>&1 << EOF ${EXCLUDE_SRCNET:+spdadd $SPD_SRC $SPD_SRC any -P out none;} ${EXCLUDE_SRCNET:+spdadd $SPD_SRC $SPD_SRC any -P in none;} +EOF +# This looks weird but if you use both ESP and AH you need to configure them together, not seperately. 
+if [ "$ESP_PROTO" != "none" ] && [ "$AH_PROTO" != "none" ]; then +/sbin/setkey -c >/dev/null 2>&1 << EOF spdadd $SPD_SRC $SPD_DST any -P out ipsec ${SPD_ESP_OUT:+esp/$MODE/${TUNNEL_MODE:+$SRC-$DST}/require} ${SPD_AH_OUT:+ah/$MODE/${TUNNEL_MODE:+$SRC-$DST}/require} @@ -158,6 +174,27 @@ spdadd $SPD_DST $SPD_SRC any -P in ipsec ${SPD_AH_IN:+ah/$MODE/${TUNNEL_MODE:+$DST-$SRC}/require} ; EOF +elif [ "$AH_PROTO" = "none" ]; then +/sbin/setkey -c >/dev/null 2>&1 << EOF +spdadd $SPD_SRC $SPD_DST any -P out ipsec + ${SPD_ESP_OUT:+esp/$MODE/${TUNNEL_MODE:+$SRC-$DST}/require} + ; + +spdadd $SPD_DST $SPD_SRC any -P in ipsec + ${SPD_ESP_IN:+esp/$MODE/${TUNNEL_MODE:+$DST-$SRC}/require} + ; +EOF +elif [ "$ESP_PROTO" = "none" ]; then +/sbin/setkey -c >/dev/null 2>&1 << EOF +spdadd $SPD_SRC $SPD_DST any -P out ipsec + ${SPD_AH_OUT:+ah/$MODE/${TUNNEL_MODE:+$SRC-$DST}/require} + ; + +spdadd $SPD_DST $SPD_SRC any -P in ipsec + ${SPD_AH_IN:+ah/$MODE/${TUNNEL_MODE:+$DST-$SRC}/require} + ; +EOF +fi if [ "$KEYING" = "automatic" -a -n "$IKE_METHOD" ]; then if [ "$IKE_METHOD" = "PSK" ]; then @@ -185,8 +222,8 @@ EOF cat >> /etc/racoon/$DST.conf << EOF my_identifier $MYID; proposal { - encryption_algorithm $ESP_PROTO; - hash_algorithm $AH_PROTO; + encryption_algorithm $IKE_ENC; + hash_algorithm $IKE_AUTH; authentication_method pre_shared_key; dh_group $IKE_DHGROUP; } @@ -207,8 +244,8 @@ EOF fi cat >> /etc/racoon/$DST.conf << EOF proposal { - encryption_algorithm $ESP_PROTO; - hash_algorithm $AH_PROTO; + encryption_algorithm $IKE_ENC; + hash_algorithm $IKE_AUTH; authentication_method rsasig; dh_group $IKE_DHGROUP; } @@ -219,8 +256,8 @@ EOF cat >> /etc/racoon/$DST.conf << EOF my_identifier address; proposal { - encryption_algorithm $ESP_PROTO; - hash_algorithm $AH_PROTO; + encryption_algorithm $IKE_ENC; + hash_algorithm $IKE_AUTH; authentication_method gssapi_krb; dh_group $IKE_DHGROUP; } |
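Review bot: The `@@ -130` hunk now runs four separate `/sbin/setkey -c` invocations, each with `>/dev/null 2>&1`, and none of their exit codes is checked, so a rejected SA or policy line is dropped silently and the interface comes up without the `require` policy, which means traffic flows unprotected rather than failing closed. Putting the check on the command line keeps the here-document intact, e.g. `/sbin/setkey -c >/dev/null 2>&1 << EOF || { echo "ifup-ipsec: setkey failed for $DST" >&2; exit 1; }`. The same applies to the three `setkey` calls in the `@@ -158` hunk. Separately, the new heredoc bodies are indented with leading spaces under a plain `<< EOF`; I have not verified that setkey tolerates that, so it is worth a test. The added comment also has a typo: `seperately` should read `separately`.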
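Review bot: The if/elif chain in the `@@ -158` hunk installs an SPD entry only when at least one of ESP_PROTO and AH_PROTO differs from `none`; with both set to `none` nothing is added and nothing is reported, whereas the old code always emitted the spdadd block. If that combination is a configuration error, a final `else` that writes a message to stderr and exits non-zero would make it visible instead of leaving the connection with no policy at all; if it is intentional, say so at the end of the chain, e.g. `fi # both ESP_PROTO and AH_PROTO are none: no SPD entries for this connection`.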
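Review bot: In the `@@ -185` hunk `$IKE_ENC` and `$IKE_AUTH` are written into the racoon proposal without any validation, and their defaults are inherited from ESP_PROTO and AH_PROTO, the same values the script passes to `setkey -E`/`-A`. To my knowledge the algorithm spellings racoon accepts for `encryption_algorithm` and `hash_algorithm` are not in general the ones setkey accepts, so a value that works for the manual SA may produce a proposal racoon cannot parse; the page does not show either tool's accepted names, so treat this as something to confirm. A comment on the default lines noting that the inherited value must be a racoon algorithm name, or a small `case` mapping the common spellings, would document the contract. The identical substitution is repeated in the `@@ -207` (rsasig) and `@@ -219` (gssapi_krb) hunks.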