Diffstat (limited to 'sysconfig')
-rwxr-xr-xsysconfig/network-scripts/ifup-ipsec58
1 files changed, 34 insertions, 24 deletions
diff --git a/sysconfig/network-scripts/ifup-ipsec b/sysconfig/network-scripts/ifup-ipsec
index 0314f71a..c4e2974c 100755
--- a/sysconfig/network-scripts/ifup-ipsec
+++ b/sysconfig/network-scripts/ifup-ipsec
@@ -22,7 +22,8 @@
#
# _IN and _OUT specifiers are for using different keys or protocols for inccoming
# and outgoing packets. If neither _IN or _OUT variants are set for protocols or
-# keys, the same will be used for both.
+# keys, the same will be used for both. Hexadecimal keys need to be prefixed with
+# "0x".
#
# Automatic keying:
#
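Review bot: The added sentence tells the reader that hexadecimal keys need a "0x" prefix but not what happens to keys without one; the handle_keys function introduced further down wraps such values in literal double quotes, presumably so the key-management tool reads them as ASCII strings rather than hex. Stating that here keeps the user-facing documentation in step with the code, e.g. `# Keys without a "0x" prefix are treated as ASCII strings and are quoted automatically.` appended after the new line.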
@@ -36,6 +37,28 @@
# IKE_DNSSEC = retrieve peer public certs from DNS
# (otherwise uses certificate information sent over IKE)
+handle_keys() {
+ if [ -z "$KEY_AH_IN" -a -n "$KEY_AH" ]; then
+ KEY_AH_IN=$KEY_AH
+ fi
+
+ if [ -z "$KEY_AH_OUT" -a -n "$KEY_AH" ]; then
+ KEY_AH_OUT=$KEY_AH
+ fi
+
+ if [ -z "$KEY_ESP_IN" -a -n "$KEY_ESP" ]; then
+ KEY_ESP_IN=$KEY_ESP
+ fi
+
+ if [ -z "$KEY_ESP_OUT" -a -n "$KEY_ESP" ]; then
+ KEY_ESP_OUT=$KEY_ESP
+ fi
+
+ [ "$KEY_AH_IN" = "${KEY_AH_IN##0x}" ] && KEY_AH_IN=\"$KEY_AH_IN\"
+ [ "$KEY_AH_OUT" = "${KEY_AH_OUT##0x}" ] && KEY_AH_OUT=\"$KEY_AH_OUT\"
+ [ "$KEY_ESP_IN" = "${KEY_ESP_IN##0x}" ] && KEY_ESP_IN=\"$KEY_ESP_IN\"
+ [ "$KEY_ESP_OUT" = "${KEY_ESP_OUT##0x}" ] && KEY_ESP_OUT=\"$KEY_ESP_OUT\"
+}
. /etc/init.d/functions
cd /etc/sysconfig/network-scripts
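Review bot: The quoting step on the last four lines of handle_keys also fires for an unset key: when only KEY_ESP is configured, `[ "$KEY_AH_IN" = "${KEY_AH_IN##0x}" ]` is true for the empty string, so KEY_AH_IN becomes the two-character value `""` and is no longer empty. The `${KEY_AH_IN:+add …}` and `${KEY_AH_OUT:+ah/…/require}` expansions in the two later hunks then emit an AH SA with an empty key (and, it appears, no SPI) plus a policy requiring AH for a configuration that asked for ESP only. Guard each line on the value being set, `[ -n "$KEY_AH_IN" -a "$KEY_AH_IN" = "${KEY_AH_IN##0x}" ] && KEY_AH_IN=\"$KEY_AH_IN\"`, and the same for KEY_AH_OUT, KEY_ESP_IN and KEY_ESP_OUT. A key value containing a double quote or semicolon is passed into the generated key-management script unchecked; that is the same trust boundary as the sourced ifcfg file, but a one-line comment saying so above the function would make the assumption explicit.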
@@ -45,25 +68,12 @@ CONFIG=$1
[ -f "${CONFIG}" ] || CONFIG=ifcfg-${1}
source_config
+handle_keys
+
if [ -n "$KEY_AH" -o -n "$KEY_ESP" ]; then
KEYING=manual
fi
-if [ -z "$KEY_AH_IN" -a -n "$KEY_AH" ]; then
- KEY_AH_IN=$KEY_AH
-fi
-
-if [ -z "$KEY_AH_OUT" -a -n "$KEY_AH" ]; then
- KEY_AH_OUT=$KEY_AH
-fi
-
-if [ -z "$KEY_ESP_IN" -a -n "$KEY_ESP" ]; then
- KEY_ESP_IN=$KEY_ESP
-fi
-
-if [ -z "$KEY_ESP_OUT" -a -n "$KEY_ESP" ]; then
- KEY_ESP_OUT=$KEY_ESP
-fi
if [ -n "$IKE_PSK" ]; then
KEYING=automatic
@@ -116,12 +126,12 @@ spddelete $SRC $DST any -P out;
spddelete $DST $SRC any -P in;
# ESP
-${KEY_ESP_IN:+add $DST $SRC esp $SPI_ESP_IN -E ${ESP_PROTO_IN:-$ESP_PROTO} $(echo '"')$KEY_ESP_IN$(echo '"');}
-${KEY_ESP_OUT:+add $SRC $DST esp $SPI_ESP_OUT -E ${ESP_PROTO_OUT:-$ESP_PROTO} $(echo '"')$KEY_ESP_OUT$(echo '"');}
+${KEY_ESP_IN:+add $DST $SRC esp $SPI_ESP_IN -E ${ESP_PROTO_IN:-$ESP_PROTO} $KEY_ESP_IN;}
+${KEY_ESP_OUT:+add $SRC $DST esp $SPI_ESP_OUT -E ${ESP_PROTO_OUT:-$ESP_PROTO} $KEY_ESP_OUT;}
# AH
-${KEY_AH_IN:+add $DST $SRC ah $SPI_AH_IN -A ${AH_PROTO_IN:-$AH_PROTO} $(echo '"')$KEY_AH_IN$(echo '"');}
-${KEY_AH_OUT:+add $SRC $DST ah $SPI_AH_OUT -A ${AH_PROTO_OUT:-$AH_PROTO} $(echo '"')$KEY_AH_OUT$(echo '"');}
+${KEY_AH_IN:+add $DST $SRC ah $SPI_AH_IN -A ${AH_PROTO_IN:-$AH_PROTO} $KEY_AH_IN;}
+${KEY_AH_OUT:+add $SRC $DST ah $SPI_AH_OUT -A ${AH_PROTO_OUT:-$AH_PROTO} $KEY_AH_OUT;}
spdadd $SRC $DST any -P out ipsec
${KEY_ESP_OUT:+esp/transport//require}
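Review bot: The form of $KEY_ESP_IN and the other key variables on the new lines is now implicit: each is either a bare 0x… hex string or a value that handle_keys has already wrapped in literal double quotes, and nothing at this point says so. A comment above the `# ESP` marker, `# keys are pre-quoted by handle_keys: hex keys stay bare, other keys arrive wrapped in "..."`, would keep a later reader from re-adding the quoting that this commit removes. The same note applies to the tunnel-mode block in the following hunk. The enclosing script body begins and ends outside this hunk.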
@@ -149,12 +159,12 @@ spddelete $SRCNET $DSTNET any -P out;
spddelete $DSTNET $SRCNET any -P in;
# ESP
-${KEY_ESP_IN:+add $DST $SRC esp $SPI_ESP_IN -m tunnel -E ${ESP_PROTO_IN:-$ESP_PROTO} $(echo '"')$KEY_ESP_IN$(echo '"');}
-${KEY_ESP_OUT:+add $SRC $DST esp $SPI_ESP_OUT -m tunnel -E ${ESP_PROTO_OUT:-$ESP_PROTO} $(echo '"')$KEY_ESP_OUT$(echo '"');}
+${KEY_ESP_IN:+add $DST $SRC esp $SPI_ESP_IN -m tunnel -E ${ESP_PROTO_IN:-$ESP_PROTO} $KEY_ESP_IN;}
+${KEY_ESP_OUT:+add $SRC $DST esp $SPI_ESP_OUT -m tunnel -E ${ESP_PROTO_OUT:-$ESP_PROTO} $KEY_ESP_OUT;}
# AH
-${KEY_AH_IN:+add $DST $SRC ah $SPI_AH_IN -m tunnel -A ${AH_PROTO_IN:-$AH_PROTO} $(echo '"')$KEY_AH_IN$(echo '"');}
-${KEY_AH_OUT:+add $SRC $DST ah $SPI_AH_OUT -m tunnel -A ${AH_PROTO_OUT:-$AH_PROTO} $(echo '"')$KEY_AH_OUT$(echo '"');}
+${KEY_AH_IN:+add $DST $SRC ah $SPI_AH_IN -m tunnel -A ${AH_PROTO_IN:-$AH_PROTO} $KEY_AH_IN;}
+${KEY_AH_OUT:+add $SRC $DST ah $SPI_AH_OUT -m tunnel -A ${AH_PROTO_OUT:-$AH_PROTO} $KEY_AH_OUT;}
spdadd $SRCNET $DSTNET any -P out ipsec
${KEY_ESP_OUT:+esp/tunnel/$SRC-$DST/require}