-rw-r--r--sysconfig.txt5
-rwxr-xr-xsysconfig/network-scripts/ifup-ipsec54
2 files changed, 32 insertions, 27 deletions
diff --git a/sysconfig.txt b/sysconfig.txt
index b01a4e1a..29fbf172 100644
--- a/sysconfig.txt
+++ b/sysconfig.txt
@@ -834,8 +834,11 @@ Files in /etc/sysconfig/network-scripts/
AH_PROTO{,_IN,_OUT}=protocol to use for AH (defaults to hmac-sha1)
ESP_PROTO{,_IN,_OUT}=protocol to use for ESP (defaults to 3des-cbc)
+ AESP_PROTO{,_IN,_OUT}=protocol to use for ESP authentication (defaults to
+ hmac-sha1)
KEY_AH{,_IN,_OUT}=AH key
- KEY_ESP{,_IN,_OUT}=ESP key
+ KEY_ESP{,_IN,_OUT}=ESP encryption key
+ KEY_AESP{,_IN,_OUT}=ESP authentication key (optional)
SPI_{ESP,AH}_{IN,OUT}=SPIs to use
_IN and _OUT specifiers are for using different keys or protocols for
diff --git a/sysconfig/network-scripts/ifup-ipsec b/sysconfig/network-scripts/ifup-ipsec
index a2901218..ab10237c 100755
--- a/sysconfig/network-scripts/ifup-ipsec
+++ b/sysconfig/network-scripts/ifup-ipsec
@@ -5,30 +5,25 @@
# Brings up ipsec interfaces
handle_keys() {
- if [ -z "$KEY_AH_IN" -a -n "$KEY_AH" ]; then
- KEY_AH_IN=$KEY_AH
- fi
-
- if [ -z "$KEY_AH_OUT" -a -n "$KEY_AH" ]; then
- KEY_AH_OUT=$KEY_AH
- fi
-
- if [ -z "$KEY_ESP_IN" -a -n "$KEY_ESP" ]; then
- KEY_ESP_IN=$KEY_ESP
- fi
-
- if [ -z "$KEY_ESP_OUT" -a -n "$KEY_ESP" ]; then
- KEY_ESP_OUT=$KEY_ESP
- fi
-
- [ -n "$KEY_AH_IN" -a "$KEY_AH_IN" = "${KEY_AH_IN##0x}" ] \
- && KEY_AH_IN=\"$KEY_AH_IN\"
- [ -n "$KEY_AH_OUT" -a "$KEY_AH_OUT" = "${KEY_AH_OUT##0x}" ] \
- && KEY_AH_OUT=\"$KEY_AH_OUT\"
- [ -n "$KEY_ESP_IN" -a "$KEY_ESP_IN" = "${KEY_ESP_IN##0x}" ] \
- && KEY_ESP_IN=\"$KEY_ESP_IN\"
- [ -n "$KEY_ESP_OUT" -a "$KEY_ESP_OUT" = "${KEY_ESP_OUT##0x}" ] \
- && KEY_ESP_OUT=\"$KEY_ESP_OUT\"
+ [ -z "$KEY_AH_IN" -a -n "$KEY_AH" ] && KEY_AH_IN=$KEY_AH
+ [ -z "$KEY_AH_OUT" -a -n "$KEY_AH" ] && KEY_AH_OUT=$KEY_AH
+ [ -z "$KEY_ESP_IN" -a -n "$KEY_ESP" ] && KEY_ESP_IN=$KEY_ESP
+ [ -z "$KEY_ESP_OUT" -a -n "$KEY_ESP" ] && KEY_ESP_OUT=$KEY_ESP
+ [ -z "$KEY_AESP_IN" -a -n "$KEY_AESP" ] && KEY_AESP_IN=$KEY_AESP
+ [ -z "$KEY_AESP_OUT" -a -n "$KEY_AESP" ] && KEY_AESP_OUT=$KEY_AESP
+
+ [ -n "$KEY_AH_IN" -a "$KEY_AH_IN" = "${KEY_AH_IN##0x}" ] \
+ && KEY_AH_IN=\"$KEY_AH_IN\"
+ [ -n "$KEY_AH_OUT" -a "$KEY_AH_OUT" = "${KEY_AH_OUT##0x}" ] \
+ && KEY_AH_OUT=\"$KEY_AH_OUT\"
+ [ -n "$KEY_ESP_IN" -a "$KEY_ESP_IN" = "${KEY_ESP_IN##0x}" ] \
+ && KEY_ESP_IN=\"$KEY_ESP_IN\"
+ [ -n "$KEY_ESP_OUT" -a "$KEY_ESP_OUT" = "${KEY_ESP_OUT##0x}" ] \
+ && KEY_ESP_OUT=\"$KEY_ESP_OUT\"
+ [ -n "$KEY_AESP_IN" -a "$KEY_AESP_IN" = "${KEY_AESP_IN##0x}" ] \
+ && KEY_AESP_IN=\"$KEY_AESP_IN\"
+ [ -n "$KEY_AESP_OUT" -a "$KEY_AESP_OUT" = "${KEY_AESP_OUT##0x}" ] \
+ && KEY_AESP_OUT=\"$KEY_AESP_OUT\"
}
. /etc/init.d/functions
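Review bot: The quoting step on the new L62–L73 wraps every key that does not start with `0x` in literal double quotes without looking at the key's contents, so an ASCII key containing `"` (or a backslash) breaks the string token in the setkey statements built later and the SA will most likely be rejected rather than loaded. I would reject such keys before wrapping them, e.g. `case "$KEY_AH_IN$KEY_AH_OUT$KEY_ESP_IN$KEY_ESP_OUT$KEY_AESP_IN$KEY_AESP_OUT" in *\"*|*\\*) echo "$0: IPsec keys must not contain '\"' or '\\'" >&2; exit 1 ;; esac`, using whatever exit path the script takes for other configuration errors (not visible in this hunk). handle_keys also has no header comment now that it handles a third key pair; I would add `# Fill KEY_*_IN/_OUT from the direction-agnostic KEY_* values, then wrap keys that are not 0x-hex in double quotes (setkey's ASCII-string key form).` above it.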
@@ -100,6 +95,7 @@ unset SPD_AH_IN SPD_AH_OUT SPD_ESP_IN SPD_ESP_OUT
if [ "$KEYING" = "manual" ]; then
[ -z "$AH_PROTO" ] && AH_PROTO=hmac-sha1
[ -z "$ESP_PROTO" ] && ESP_PROTO=3des-cbc
+ [ -z "$AESP_PROTO" ] && AESP_PROTO=hmac-sha1
[ -n "$KEY_AH_IN" ] && SPD_AH_IN=yes
[ -n "$KEY_AH_OUT" ] && SPD_AH_OUT=yes
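Review bot: The new default on L80 only takes effect when a KEY_AESP_* is given, and because that key is documented as optional the default configuration remains ESP encryption with no authenticator at all (L86–L95 emit `-A` only when KEY_AESP_* is set), which leaves the tunnel without integrity protection and, with the 3des-cbc default on L79, exposed to bit-flipping and padding-oracle style attacks. I would at least warn in this manual-keying block: `[ -n "$KEY_ESP_IN$KEY_ESP_OUT" -a -z "$KEY_AESP_IN$KEY_AESP_OUT$KEY_AH_IN$KEY_AH_OUT" ] && echo "$0: warning: ESP is configured without AH or ESP authentication; traffic is not integrity-protected" >&2`. This assumes handle_keys has already filled the _IN/_OUT variables at this point, as the SPD_AH_* checks on L81–L82 appear to rely on; its call site is outside the hunk. The "optional" wording for KEY_AESP in sysconfig.txt would benefit from the same caveat.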
@@ -135,8 +131,14 @@ ${EXCLUDE_SRCNET:+spddelete $SPD_SRC $SPD_SRC any -P out;}
${EXCLUDE_SRCNET:+spddelete $SPD_SRC $SPD_SRC any -P in;}
# ESP
-${KEY_ESP_IN:+add $DST $SRC esp $SPI_ESP_IN ${TUNNEL_MODE:+-m tunnel} -E ${ESP_PROTO_IN:-$ESP_PROTO} $KEY_ESP_IN;}
-${KEY_ESP_OUT:+add $SRC $DST esp $SPI_ESP_OUT ${TUNNEL_MODE:+-m tunnel} -E ${ESP_PROTO_OUT:-$ESP_PROTO} $KEY_ESP_OUT;}
+${KEY_ESP_IN:+add $DST $SRC esp $SPI_ESP_IN ${TUNNEL_MODE:+-m tunnel} \
+-E ${ESP_PROTO_IN:-$ESP_PROTO} $KEY_ESP_IN \
+${KEY_AESP_IN:+-A ${AESP_PROTO_IN:-$AESP_PROTO} $KEY_AESP_IN}
+;}
+${KEY_ESP_OUT:+add $SRC $DST esp $SPI_ESP_OUT ${TUNNEL_MODE:+-m tunnel} \
+-E ${ESP_PROTO_OUT:-$ESP_PROTO} $KEY_ESP_OUT \
+${KEY_AESP_OUT:+-A ${AESP_PROTO_OUT:-$AESP_PROTO} $KEY_AESP_OUT}
+;}
# AH
${KEY_AH_IN:+add $DST $SRC ah $SPI_AH_IN ${TUNNEL_MODE:+-m tunnel} -A ${AH_PROTO_IN:-$AH_PROTO} $KEY_AH_IN;}