#!/bin/sh -x
#
# ifup-ipsec
#
# Brings up ipsec interfaces
#
# Configuration parameters
#
#     SRC = source address. Not required.
#     DST = destination address
#     SRCNET = source net (for tunneling)
#     DSTNET = destination network (for tunneling)
#
#   Manual keying:
#
#     AH_PROTO{_IN,_OUT} = protocol to use for AH (defaults to HMAC-MD5)
#     ESP_PROTO{_IN,_OUT} = protocol to use for ESP (defaults to 3DES)
#     KEY_AH{_IN,_OUT} = AH key
#     KEY_ESP{_IN,_OUT} = ESP key
#     SPI_{EH,AH_{IN,OUT}} = SPIs to use
#
#   _IN and _OUT specifiers are for using different keys or protocols for inccoming
#   and outgoing packets. If neither _IN or _OUT variants are set, the same keys
#   or protocols will be used for both.
#
#   Automatic keying:
#
#     IKE_METHOD=PSK|X509|RSA|GSSAPI
#         PSK = preshared keys (shared secret)
#         X509 = X.509 certificates
#         RSA = RSA host keys in DNS (not yet implemented)
#         GSSAPI = GSSAPI authentication
#     IKE_PSK = preshared key for this connection
#     IKE_CERTFILE = our certificate file name for X509 IKE
#       IKE_PEER_CERTFILE = peer public cert filename for X509 IKE
#       IKE_DNSSEC = retrieve peer public certs from DNS
#     (otherwise uses certificate information sent over IKE)
#     IKE_RSA_KEY = RSA key for RSA IKE
#

. /etc/init.d/functions
cd /etc/sysconfig/network-scripts
. network-functions

CONFIG=$1
[ -f "${CONFIG}" ] || CONFIG=ifcfg-${1}
source_config

if [ -n "$KEY_AH" -o -n "$KEY_ESP" ]; then
  KEYING=manual
fi

if [ -z "$KEY_AH_IN" -a -n "$KEY_AH" ]; then
  KEY_AH_IN=$KEY_AH
fi

if [ -z "$KEY_AH_OUT" -a -n "$KEY_AH" ]; then
  KEY_AH_OUT=$KEY_AH
fi

if [ -z "$KEY_ESP_IN" -a -n "$KEY_ESP" ]; then
  KEY_ESP_IN=$KEY_ESP
fi

if [ -z "$KEY_ESP_OUT" -a -n "$KEY_ESP" ]; then
  KEY_ESP_OUT=$KEY_ESP
fi

if [ -n "$IKE_PSK" ]; then
  KEYING=automatic
  IKE_METHOD=PSK
fi

if [ -n "$IKE_CERTFILE" ]; then
  KEYING=automatic
  IKE_METHOD=X509
fi

if [ -n "$IKE_PEER_CERTFILE" ]; then
  KEYING=automatic
  IKE_METHOD=X509
fi

if [ -n "$IKE_DNSSEC" ]; then
  KEYING=automatic
  IKE_METHOD=X509
fi


if [ -n "$RSA_KEY" ]; then
  KEYING=automatic
  IKE_METHOD=RSA
fi

if [ -n "$SRCNET" -o -n "$DSTNET" ]; then
  MODE=tunnel
else
  MODE=host
fi

[ -z "$KEYING" ] && KEYING=manual

# Get source address
if [ -z "$SRC" ]; then
    SRC=`ip -o route get to $DST | sed "s|.*src \([^ ]*\).*|\1|"`
fi


if [ "$KEYING" = "manual" ]; then
    
    [ -z "$AH_PROTO" ] && AH_PROTO=hmac-md5
    [ -z "$ESP_PROTO" ] && ESP_PROTO=3des-cbc
    
    if [ "$MODE" = "host" ]; then
    
        setkey -c << EOF
delete $SRC $DST ah $SPI_AH_OUT;
delete $DST $SRC ah $SPI_AH_IN;
delete $SRC $DST esp $SPI_ESP_OUT;
delete $DST $SRC esp $SPI_ESP_IN;
spddelete $SRC $DST any -P out;
spddelete $DST $SRC any -P in;

# ESP
${KEY_ESP_IN:+add $DST $SRC esp $SPI_ESP_IN -E ${ESP_PROTO_IN:-$ESP_PROTO} $(echo '"')$KEY_ESP_IN$(echo '"');}
${KEY_ESP_OUT:+add $SRC $DST esp $SPI_ESP_OUT -E ${ESP_PROTO_OUT:-$ESP_PROTO} $(echo '"')$KEY_ESP_OUT$(echo '"');}

# AH
${KEY_AH_IN:+add $DST $SRC ah $SPI_AH_IN -A ${AH_PROTO_IN:-$AH_PROTO} $(echo '"')$KEY_AH_IN$(echo '"');}
${KEY_AH_OUT:+add $SRC $DST ah $SPI_AH_OUT -A ${AH_PROTO_OUT:-$AH_PROTO} $(echo '"')$KEY_AH_OUT$(echo '"');}

spdadd $SRC $DST any -P out ipsec
            ${KEY_ESP_OUT:+esp/transport//require}
            ${KEY_AH_OUT:+ah/transport//require}
	    ;
		      
spdadd $DST $SRC any -P in ipsec
	    ${KEY_ESP_IN:+esp/transport//require}
	    ${KEY_AH_IN:+ah/transport//require}
	    ;
EOF
    else
      [ -n "$SRCNET" ] && SRCNET="$SRC/32"
      [ -n "$DSTNET" ] && DSTNET="$DST/32"
      
      /sbin/setkey -c << EOF
delete $SRC $DST ah $SPI_AH_OUT;
delete $DST $SRC ah $SPI_AH_IN;
delete $SRC $DST esp $SPI_ESP_OUT;
delete $DST $SRC esp $SPI_ESP_IN;
spddelete $SRCNET $DSTNET any -P out;
spddelete $DSTNET $SRCNET any -P in;

# ESP
${KEY_ESP_IN:+add $DST $SRC esp $SPI_ESP_IN -m tunnel -E ${ESP_PROTO_IN:-$ESP_PROTO} $(echo '"')$KEY_ESP_IN$(echo '"');}
${KEY_ESP_OUT:+add $SRC $DST esp $SPI_ESP_OUT -m tunnel -E ${ESP_PROTO_OUT:-$ESP_PROTO} $(echo '"')$KEY_ESP_OUT$(echo '"');}

# AH
${KEY_AH_IN:+add $DST $SRC ah $SPI_AH_IN -m tunnel -A ${AH_PROTO_IN:-$AH_PROTO} $(echo '"')$KEY_AH_IN$(echo '"');}
${KEY_AH_OUT:+add $SRC $DST ah $SPI_AH_OUT -m tunnel -A ${AH_PROTO_OUT:-$AH_PROTO} $(echo '"')$KEY_AH_OUT$(echo '"');}

spdadd $SRCNET $DSTNET any -P out ipsec
            ${KEY_ESP_OUT:+esp/tunnel/$SRC-$DEST/require}
            ${KEY_AH_OUT:+ah/tunnel/$SRC-$DEST/require}
	    ;
		      
spdadd $DSTNET $SRCNET any -P in ipsec
	    ${KEY_ESP_IN:+esp/tunnel/$DEST-$SRC/require}
	    ${KEY_AH_IN:+ah/tunnel/$DEST-$SRC/require}
	    ;
EOF
    fi
fi

if [ "$KEYING" = "automatic" ]; then
    [ -z "$AH_PROTO" ] && AH_PROTO=md5
    [ -z "$ESP_PROTO" ] && ESP_PROTO=3des
    
    if [ "$MODE" = "host" ]; then
      /sbin/setkey -c << EOF
spddelete $SRC $DST any -P out;
spddelete $DST $SRC any -P in;

spdadd $SRC $DST any -P out ipsec
	    esp/transport//require
	    ah/transport//require
	    ;
		      
spdadd $DST $SRC any -P in ipsec
	    esp/transport//require
	    ah/transport//require
	    ;
EOF
    else
      [ -n "$SRCNET" ] && SRCNET="$SRC/32"
      [ -n "$DSTNET" ] && DSTNET="$DST/32"
      
      /sbin/setkey -c << EOF
spddelete $SRCNET $DSTNET any -P out;
spddelete $DSTNET $SRCNET any -P in;

spdadd $SRCNET $DSTNET any -P out ipsec
	    esp/tunnel/$SRC-$DEST/require
	    ah/tunnel/$SRC-$DEST/require
	    ;
		      
spdadd $DSTNET $SRCNET any -P in ipsec
	    esp/tunnel/$DEST-$SRC/require
	    ah/tunnel/$DEST-$SRC/require
	    ;
EOF
    fi
    if [ "$IKE_METHOD" = "PSK" ]; then
       tmpfile=`mktemp /etc/racoon/psk.XXXXXX`
       grep -v "^$DST" /etc/racoon/psk.txt > $tmpfile
       echo "$DST  $IKE_PSK" >> $tmpfile
       mv -f $tmpfile /etc/racoon/psk.txt
    fi
    if [ ! -f /etc/racoon/$DST.conf -o /etc/racoon/$DST.conf -ot $1 ] ; then
        cat > /etc/racoon/$DST.conf << EOF
remote $DST
{
	exchange_mode aggressive, main;
EOF
        case "$IKE_METHOD" in
           PSK)
	      cat >> /etc/racoon/$DST.conf << EOF
	my_identifier address;
	proposal {
	        encryption_algorithm $ESP_PROTO;
		hash_algorithm $AH_PROTO;
		authentication_method pre_shared_key;
		dh_group 2 ;
	}
}
EOF
              ;;
           X509)
	      cat >> /etc/racoon/$DST.conf << EOF
	my_identifier asn1dn;
	peers_identifier asn1dn;
	certificate_type x509 "$IKE_CERTFILE.public" "$IKE_CERTFILE.private";
EOF
	      if [ -n "$IKE_DNSSEC" ]; then
	          echo "        peers_certfile dnssec;" >> /etc/racoon/$DST.conf
	      fi
	      if [ -n "$IKE_PEER_CERTFILE" ]; then
	          echo "        peers_certfile $IKE_PEER_CERTFILE;" >> /etc/racoon/$DST.conf
	      fi
	      cat >> /etc/racoon/$DST.conf << EOF
        proposal {
		encryption_algorithm $ESP_PROTO;
		hash_algorithm $AH_PROTO;
		authentication_method rsasig;
		dh_group 2;
	}
}
EOF
              ;;
           RSA)
	      # not supported yet, only in freeswan
              ;;
	   GSSAPI)
	      cat >> /etc/racoon/$DST.conf << EOF
	my_identifier address;
	proposal {
	        encryption_algorithm $ESP_PROTO;
		hash_algorithm $AH_PROTO;
		authentication_method gssapi_krb;
		dh_group 2 ;
	}
}
EOF
         esac
	 racoontmp=`mktemp /etc/racoon/racoon.XXXXXX`
	 grep -v "^include /etc/racoon/$DST.conf" /etc/racoon/racoon.conf >> $racoontmp
	 echo "include /etc/racoon/$DST.conf" >> $racoontmp
	 mv -f $racoontmp /etc/racoon/racoon.conf
	 pidof -x /usr/sbin/racoon > /dev/null 2>&1 && killall -HUP /usr/sbin/racoon
    fi
    pidof -x /usr/sbin/racoon || /usr/sbin/racoon
fi