From e404916e033ff354844fe7ac92fd395247d46cc4 Mon Sep 17 00:00:00 2001
From: Bill Nottingham
Date: Thu, 9 Aug 2007 15:10:46 +0000
Subject: add support for overriding IKE dh group (#251506, )
---
 sysconfig/network-scripts/ifup-ipsec | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
(limited to 'sysconfig/network-scripts/ifup-ipsec')
diff --git a/sysconfig/network-scripts/ifup-ipsec b/sysconfig/network-scripts/ifup-ipsec
index fc650daf..caef52d0 100755
--- a/sysconfig/network-scripts/ifup-ipsec
+++ b/sysconfig/network-scripts/ifup-ipsec
@@ -102,6 +102,7 @@ if [ "$KEYING" = "manual" ]; then
 [ -n "$KEY_ESP_IN" ] && SPD_ESP_IN=yes
 [ -n "$KEY_ESP_OUT" ] && SPD_ESP_OUT=yes
 else
+ [ -z "$IKE_DHGROUP" ] && IKE_DH=2
 [ -z "$AH_PROTO" ] && AH_PROTO=sha1
 [ -z "$ESP_PROTO" ] && ESP_PROTO=3des
@@ -187,7 +188,7 @@ EOF
 encryption_algorithm $ESP_PROTO;
 hash_algorithm $AH_PROTO;
 authentication_method pre_shared_key;
- dh_group 2 ;
+ dh_group $IKE_DHGROUP;
 }
 }
 EOF
@@ -209,7 +210,7 @@ EOF
 encryption_algorithm $ESP_PROTO;
 hash_algorithm $AH_PROTO;
 authentication_method rsasig;
- dh_group 2;
+ dh_group $IKE_DHGROUP;
 }
 }
 EOF
@@ -221,7 +222,7 @@ EOF
 encryption_algorithm $ESP_PROTO;
 hash_algorithm $AH_PROTO;
 authentication_method gssapi_krb;
- dh_group 2 ;
+ dh_group $IKE_DHGROUP;
 }
 }
 EOF
--
cgit v1.2.1
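Review bot: The default added in the first hunk is assigned to the wrong name: `[ -z "$IKE_DHGROUP" ] && IKE_DH=2` sets `IKE_DH`, while the three racoon heredocs in the later hunks expand `$IKE_DHGROUP`. With the variable unset in the interface configuration, those heredocs would emit `dh_group ;` where they used to emit `dh_group 2`, so existing setups lose their DH group and racoon presumably rejects the generated proposal. The line should read `[ -z "$IKE_DHGROUP" ] && IKE_DHGROUP=2`. The enclosing `if`/`else` starts and ends outside the hunk.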
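Review bot: `$IKE_DHGROUP` is expanded into the generated racoon proposal without any check, in the pre_shared_key heredoc and again in the rsasig and gssapi_krb heredocs of the next two hunks, so a typo or stray character in the ifcfg value lands verbatim in the IKE configuration. A guard placed before the heredocs, for example `case "$IKE_DHGROUP" in *[!A-Za-z0-9]*) echo "invalid IKE_DHGROUP: $IKE_DHGROUP" >&2; exit 1;; esac`, would fail early instead; the exact error path should follow what the script does elsewhere, which is not visible here. A comment next to the default would also help, such as `# 2 = 1024-bit MODP; set IKE_DHGROUP in the ifcfg file to select a larger group`, because the override is the only way to raise the phase 1 group strength. Each heredoc opens outside its hunk.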