-rw-r--r--sysconfig.txt4
-rwxr-xr-xsysconfig/network-scripts/ifdown-ipsec2
-rwxr-xr-xsysconfig/network-scripts/ifup-ipsec10
3 files changed, 11 insertions, 5 deletions
diff --git a/sysconfig.txt b/sysconfig.txt
index 82a6eb2f..571dd1dc 100644
--- a/sysconfig.txt
+++ b/sysconfig.txt
@@ -864,6 +864,10 @@ Files in /etc/sysconfig/network-scripts/
IKE_DNSSEC=retrieve peer public certs from DNS
(otherwise uses certificate information sent over IKE)
+ To manage the racoon configuration manually (e.g. when there is more than
+ one IPSEC configuration with the same DST), set KEYING=automatic and leave
+ all IKE_* parameters unspecified.
+
Usage of AH or ESP may be disabled by setting {AH,ESP}_PROTO to "none".
Bonding-specific items
diff --git a/sysconfig/network-scripts/ifdown-ipsec b/sysconfig/network-scripts/ifdown-ipsec
index 82a71a9a..56b31c43 100755
--- a/sysconfig/network-scripts/ifdown-ipsec
+++ b/sysconfig/network-scripts/ifdown-ipsec
@@ -76,7 +76,7 @@ ${EXCLUDE_SRCNET:+spddelete $SPD_SRC $SPD_SRC any -P out;}
${EXCLUDE_SRCNET:+spddelete $SPD_SRC $SPD_SRC any -P in;}
EOF
-if [ "$KEYING" = "automatic" ]; then
+if [ "$KEYING" = "automatic" -a -n "$IKE_METHOD" ]; then
racoontmp=`mktemp /etc/racoon/racoon.XXXXXX`
grep -v "^include \"/etc/racoon/$DST.conf\";" /etc/racoon/racoon.conf >> $racoontmp
mv -f $racoontmp /etc/racoon/racoon.conf
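Review bot: The new gate on the `if` line keys only on IKE_METHOD, while the sysconfig.txt hunk in this same commit tells admins to leave all IKE_* parameters unspecified for manual racoon management; an ifcfg that sets IKE_PSK or IKE_CERTFILE but not IKE_METHOD is silently treated as manual and those values are ignored. A comment above the test would make the contract explicit: `# KEYING=automatic with IKE_METHOD empty means racoon.conf is managed by hand; only IKE_METHOD decides.` The `-a` inside `[ ]` is marked obsolescent by POSIX and is ambiguous when an operand looks like an option, so `[ "$KEYING" = "automatic" ] && [ -n "$IKE_METHOD" ]` is the portable form; the same applies to the ifup-ipsec hunk at line 158. The body of this if block continues past the end of the hunk.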
diff --git a/sysconfig/network-scripts/ifup-ipsec b/sysconfig/network-scripts/ifup-ipsec
index ebad848c..882722fd 100755
--- a/sysconfig/network-scripts/ifup-ipsec
+++ b/sysconfig/network-scripts/ifup-ipsec
@@ -158,7 +158,7 @@ spdadd $SPD_DST $SPD_SRC any -P in ipsec
;
EOF
-if [ "$KEYING" = "automatic" ]; then
+if [ "$KEYING" = "automatic" -a -n "$IKE_METHOD" ]; then
if [ "$IKE_METHOD" = "PSK" ]; then
tmpfile=`mktemp /etc/racoon/psk.XXXXXX`
grep -v "^$DST" /etc/racoon/psk.txt > $tmpfile
@@ -223,9 +223,11 @@ EOF
grep -v "^include \"/etc/racoon/$DST.conf\";" /etc/racoon/racoon.conf >> $racoontmp
echo "include \"/etc/racoon/$DST.conf\";" >> $racoontmp
mv -f $racoontmp /etc/racoon/racoon.conf
- if pidof -x /usr/sbin/racoon > /dev/null 2>&1 ; then
- killall -HUP /usr/sbin/racoon
- else
+fi
+if [ "$KEYING" = "automatic" ]; then
+ if ! pidof -x /usr/sbin/racoon > /dev/null 2>&1 ; then
/usr/sbin/racoon
+ elif [ -n "$IKE_METHOD" ]; then
+ killall -HUP /usr/sbin/racoon
fi
fi
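Review bot: The start branch runs `/usr/sbin/racoon` without checking its exit status, so a daemon that refuses to start — somewhat more likely now that the manual-management mode this commit introduces lets a hand-edited racoon.conf reach it — leaves the spdadd entries from the earlier hunk installed while ifup carries on as if keying were in place. Reporting the failure, `/usr/sbin/racoon || echo "ifup-ipsec: racoon failed to start" >&2`, is the minimum; whether the script should also exit non-zero here depends on how ifup-ipsec handles errors elsewhere, which is outside the hunk. In the manual case with racoon already running the new `elif` deliberately skips the HUP, so a hand-edited racoon.conf is only picked up when racoon is (re)started; a comment on the `elif`, `# manual config (IKE_METHOD empty): never HUP here, the admin reloads racoon`, would stop the next reader from "fixing" it.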