Diffstat (limited to 'sysconfig/network-scripts/ifdown-ipsec')
-rwxr-xr-xsysconfig/network-scripts/ifdown-ipsec44
1 files changed, 20 insertions, 24 deletions
diff --git a/sysconfig/network-scripts/ifdown-ipsec b/sysconfig/network-scripts/ifdown-ipsec
index a960144f..7c7de7fa 100755
--- a/sysconfig/network-scripts/ifdown-ipsec
+++ b/sysconfig/network-scripts/ifdown-ipsec
@@ -8,16 +8,21 @@ CONFIG=$1
[ -f "${CONFIG}" ] || CONFIG=ifcfg-${1}
source_config
+if [ -n "$KEY_AH" -o -n "$KEY_ESP" ]; then
+ KEYING=manual
+fi
+
+
if [ -n "$IKE_PSK" ]; then
KEYING=automatic
IKE_METHOD=PSK
fi
-
+
if [ -n "$IKE_CERTFILE" ]; then
KEYING=automatic
IKE_METHOD=X509
fi
-
+
if [ -n "$IKE_PEER_CERTFILE" ]; then
KEYING=automatic
IKE_METHOD=X509
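Review bot: The new `if [ -n "$KEY_AH" -o -n "$KEY_ESP" ]; then` test uses the `-o` operator, which POSIX marks obsolescent and which becomes ambiguous when an operand looks like an operator; the unambiguous spelling is `if [ -n "$KEY_AH" ] || [ -n "$KEY_ESP" ]; then`. The surrounding file already uses `-o` in the later `if [ -n "$SRCNET" -o -n "$DSTNET" ]` check, so if that form is kept for consistency it would still be worth a one-line comment on the new block, e.g. `# Manual keys only set a default; any IKE_* setting below overrides KEYING with "automatic"`, since a config that sets both KEY_* and IKE_* silently ends up automatic. The two consecutive blank lines added after the new block are also one more than the single blank lines the hunk normalizes elsewhere.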
@@ -43,42 +48,33 @@ if [ -n "$SRCNET" -o -n "$DSTNET" ]; then
MODE=tunnel
[ -z "$SRCNET" ] && SRCNET="$SRC/32"
[ -z "$DSTNET" ] && DSTNET="$DST/32"
+ SPD_SRC=$SRCNET
+ SPD_DST=$DSTNET
# If SRCNET is a subnet of DSTNET, exclude SRCNET<->SRCNET communication
if [ "${SRCNET##*/}" -gt "${DSTNET##*/}" ] \
&& [ "$(ipcalc -n "${SRCNET%%/*}/${DSTNET##*/}")" \
= "NETWORK=${DSTNET%%/*}" ]; then
EXCLUDE_SRCNET=yes
fi
+ [ -z "$SRCGW" ] && SRCGW=`ip -o route get to $SRCNET | sed "s|.*src \([^ ]*\).*|\1|"`
+ ip route del to $DSTNET via $SRCGW src $SRCGW
else
- MODE=host
+ MODE=transport
+ SPD_SRC=$SRC
+ SPD_DST=$DST
+ unset EXCLUDE_SRCNET
fi
-if [ "$KEYING" = "manual" ]; then
- setkey -c << EOF
+setkey -c << EOF
${SPI_AH_OUT:+delete $SRC $DST ah $SPI_AH_OUT;}
${SPI_AH_IN:+delete $DST $SRC ah $SPI_AH_IN;}
${SPI_ESP_OUT:+delete $SRC $DST esp $SPI_ESP_OUT;}
${SPI_ESP_IN:+delete $DST $SRC esp $SPI_ESP_IN;}
+spddelete $SPD_SRC $SPD_DST any -P out;
+spddelete $SPD_DST $SPD_SRC any -P in;
+${EXCLUDE_SRCNET:+spddelete $SPD_SRC $SPD_SRC any -P out;}
+${EXCLUDE_SRCNET:+spddelete $SPD_SRC $SPD_SRC any -P in;}
EOF
-fi
-
-if [ "$MODE" = "host" ]; then
- setkey -c << EOF
- spddelete $SRC $DST any -P out;
- spddelete $DST $SRC any -P in;
-EOF
-else
- [ -z "$SRCGW" ] && SRCGW=`ip -o route get to $SRCNET | sed "s|.*src \([^ ]*\).*|\1|"`
- ip route del to $DSTNET via $SRCGW src $SRCGW
-
- /sbin/setkey -c >/dev/null 2>&1 << EOF
- spddelete $SRCNET $DSTNET any -P out;
- spddelete $DSTNET $SRCNET any -P in;
- ${EXCLUDE_SRCNET:+spddelete $SRCNET $SRCNET any -P out;}
- ${EXCLUDE_SRCNET:+spddelete $SRCNET $SRCNET any -P in;}
-EOF
-fi
-
if [ "$KEYING" = "automatic" ]; then
racoontmp=`mktemp /etc/racoon/racoon.XXXXXX`