Context Navigation

← Previous Revision
Latest Revision
Next Revision →
Annotate
Revision Log

ifup-ipsec @ 2576

Revision 2576, 7.0 KB checked in by daisuke, 13 years ago (diff)
tagging as initscripts-8.91.0

Line
1	#!/bin/sh
2	#
3	# ifup-ipsec
4	#
5	# Brings up ipsec interfaces
6
7	handle_keys() {
8	[ -z "$KEY_AH_IN" -a -n "$KEY_AH" ] && KEY_AH_IN=$KEY_AH
9	[ -z "$KEY_AH_OUT" -a -n "$KEY_AH" ] && KEY_AH_OUT=$KEY_AH
10	[ -z "$KEY_ESP_IN" -a -n "$KEY_ESP" ] && KEY_ESP_IN=$KEY_ESP
11	[ -z "$KEY_ESP_OUT" -a -n "$KEY_ESP" ] && KEY_ESP_OUT=$KEY_ESP
12	[ -z "$KEY_AESP_IN" -a -n "$KEY_AESP" ] && KEY_AESP_IN=$KEY_AESP
13	[ -z "$KEY_AESP_OUT" -a -n "$KEY_AESP" ] && KEY_AESP_OUT=$KEY_AESP
14
15	[ -n "$KEY_AH_IN" -a "$KEY_AH_IN" = "${KEY_AH_IN##0x}" ] \
16	&& KEY_AH_IN=\"$KEY_AH_IN\"
17	[ -n "$KEY_AH_OUT" -a "$KEY_AH_OUT" = "${KEY_AH_OUT##0x}" ] \
18	&& KEY_AH_OUT=\"$KEY_AH_OUT\"
19	[ -n "$KEY_ESP_IN" -a "$KEY_ESP_IN" = "${KEY_ESP_IN##0x}" ] \
20	&& KEY_ESP_IN=\"$KEY_ESP_IN\"
21	[ -n "$KEY_ESP_OUT" -a "$KEY_ESP_OUT" = "${KEY_ESP_OUT##0x}" ] \
22	&& KEY_ESP_OUT=\"$KEY_ESP_OUT\"
23	[ -n "$KEY_AESP_IN" -a "$KEY_AESP_IN" = "${KEY_AESP_IN##0x}" ] \
24	&& KEY_AESP_IN=\"$KEY_AESP_IN\"
25	[ -n "$KEY_AESP_OUT" -a "$KEY_AESP_OUT" = "${KEY_AESP_OUT##0x}" ] \
26	&& KEY_AESP_OUT=\"$KEY_AESP_OUT\"
27	}
28
29	. /etc/init.d/functions
30	cd /etc/sysconfig/network-scripts
31	. /etc/sysconfig/network-scripts/network-functions
32
33	CONFIG=$1
34	[ -f "${CONFIG}" ] \|\| CONFIG=ifcfg-${1}
35	source_config
36
37	handle_keys
38
39	if [ -n "$KEY_AH" -o -n "$KEY_ESP" ]; then
40	KEYING=manual
41	fi
42
43
44	if [ -n "$IKE_PSK" ]; then
45	KEYING=automatic
46	IKE_METHOD=PSK
47	fi
48
49	if [ -n "$IKE_CERTFILE" ]; then
50	KEYING=automatic
51	IKE_METHOD=X509
52	fi
53
54	if [ -n "$IKE_PEER_CERTFILE" ]; then
55	KEYING=automatic
56	IKE_METHOD=X509
57	fi
58
59	if [ -n "$IKE_DNSSEC" ]; then
60	KEYING=automatic
61	IKE_METHOD=X509
62	fi
63
64	[ -n "$IKE_METHOD" ] && KEYING=automatic
65	[ -z "$KEYING" ] && KEYING=manual
66
67	if [ -z "$SRC" ]; then
68	SRC=`ip -o route get to $DST \| sed "s\|.src $[^ ]$.*\|\1\|"`
69	fi
70
71	if [ -n "$SRCNET" -o -n "$DSTNET" ]; then
72	TUNNEL_MODE=yes
73	MODE=tunnel
74	[ -z "$SRCNET" ] && SRCNET="$SRC/32"
75	[ -z "$DSTNET" ] && DSTNET="$DST/32"
76	SPD_SRC=$SRCNET
77	SPD_DST=$DSTNET
78	# If SRCNET is a subnet of DSTNET, exclude SRCNET<->SRCNET communication
79	if [ "${SRCNET##/}" -gt "${DSTNET##/}" ] \
80	&& [ "$(ipcalc -n "${SRCNET%%/}/${DSTNET##/}")" \
81	= "NETWORK=${DSTNET%%/*}" ]; then
82	EXCLUDE_SRCNET=yes
83	fi
84	[ -z "$SRCGW" ] && SRCGW=`ip -o route get to $SRCNET \| sed "s\|.src $[^ ]$.*\|\1\|"`
85	ip route add to $DSTNET via $SRCGW src $SRCGW
86	else
87	unset TUNNEL_MODE
88	MODE=transport
89	SPD_SRC=$SRC
90	SPD_DST=$DST
91	unset EXCLUDE_SRCNET
92	fi
93
94	unset SPD_AH_IN SPD_AH_OUT SPD_ESP_IN SPD_ESP_OUT
95	if [ "$KEYING" = "manual" ]; then
96	[ -z "$AH_PROTO" ] && AH_PROTO=hmac-sha1
97	[ -z "$ESP_PROTO" ] && ESP_PROTO=3des-cbc
98	[ -z "$AESP_PROTO" ] && AESP_PROTO=hmac-sha1
99
100	[ -n "$KEY_AH_IN" ] && SPD_AH_IN=yes
101	[ -n "$KEY_AH_OUT" ] && SPD_AH_OUT=yes
102	[ -n "$KEY_ESP_IN" ] && SPD_ESP_IN=yes
103	[ -n "$KEY_ESP_OUT" ] && SPD_ESP_OUT=yes
104	else
105	[ -z "$IKE_DHGROUP" ] && IKE_DHGROUP=2
106	[ -z "$AH_PROTO" ] && AH_PROTO=sha1
107	[ -z "$ESP_PROTO" ] && ESP_PROTO=3des
108
109	SPD_AH_IN=yes
110	SPD_AH_OUT=yes
111	SPD_ESP_IN=yes
112	SPD_ESP_OUT=yes
113	fi
114
115	if [ "$AH_PROTO" = "none" ]; then
116	unset SPI_AH_IN SPI_AH_OUT KEY_AH_IN KEY_AH_OUT SPD_AH_IN SPD_AH_OUT
117	AH_PROTO=sha1 # To silence racoon
118	fi
119	if [ "$ESP_PROTO" = "none" ]; then
120	unset SPI_ESP_IN SPI_ESP_OUT KEY_ESP_IN KEY_ESP_OUT SPD_ESP_IN SPD_ESP_OUT
121	ESP_PROTO=3des # To silence racoon
122	fi
123
124	/sbin/setkey -c >/dev/null 2>&1 << EOF
125	${SPI_AH_OUT:+delete $SRC $DST ah $SPI_AH_OUT;}
126	${SPI_AH_IN:+delete $DST $SRC ah $SPI_AH_IN;}
127	${SPI_ESP_OUT:+delete $SRC $DST esp $SPI_ESP_OUT;}
128	${SPI_ESP_IN:+delete $DST $SRC esp $SPI_ESP_IN;}
129	spddelete $SPD_SRC $SPD_DST any -P out;
130	spddelete $SPD_DST $SPD_SRC any -P in;
131	${EXCLUDE_SRCNET:+spddelete $SPD_SRC $SPD_SRC any -P out;}
132	${EXCLUDE_SRCNET:+spddelete $SPD_SRC $SPD_SRC any -P in;}
133
134	# ESP
135	${KEY_ESP_IN:+add $DST $SRC esp $SPI_ESP_IN ${TUNNEL_MODE:+-m tunnel} \
136	-E ${ESP_PROTO_IN:-$ESP_PROTO} $KEY_ESP_IN \
137	${KEY_AESP_IN:+-A ${AESP_PROTO_IN:-$AESP_PROTO} $KEY_AESP_IN}
138	;}
139	${KEY_ESP_OUT:+add $SRC $DST esp $SPI_ESP_OUT ${TUNNEL_MODE:+-m tunnel} \
140	-E ${ESP_PROTO_OUT:-$ESP_PROTO} $KEY_ESP_OUT \
141	${KEY_AESP_OUT:+-A ${AESP_PROTO_OUT:-$AESP_PROTO} $KEY_AESP_OUT}
142	;}
143
144	# AH
145	${KEY_AH_IN:+add $DST $SRC ah $SPI_AH_IN ${TUNNEL_MODE:+-m tunnel} -A ${AH_PROTO_IN:-$AH_PROTO} $KEY_AH_IN;}
146	${KEY_AH_OUT:+add $SRC $DST ah $SPI_AH_OUT ${TUNNEL_MODE:+-m tunnel} -A ${AH_PROTO_OUT:-$AH_PROTO} $KEY_AH_OUT;}
147
148	${EXCLUDE_SRCNET:+spdadd $SPD_SRC $SPD_SRC any -P out none;}
149	${EXCLUDE_SRCNET:+spdadd $SPD_SRC $SPD_SRC any -P in none;}
150
151	spdadd $SPD_SRC $SPD_DST any -P out ipsec
152	${SPD_ESP_OUT:+esp/$MODE/${TUNNEL_MODE:+$SRC-$DST}/require}
153	${SPD_AH_OUT:+ah/$MODE/${TUNNEL_MODE:+$SRC-$DST}/require}
154	;
155
156	spdadd $SPD_DST $SPD_SRC any -P in ipsec
157	${SPD_ESP_IN:+esp/$MODE/${TUNNEL_MODE:+$DST-$SRC}/require}
158	${SPD_AH_IN:+ah/$MODE/${TUNNEL_MODE:+$DST-$SRC}/require}
159	;
160	EOF
161
162	if [ "$KEYING" = "automatic" -a -n "$IKE_METHOD" ]; then
163	if [ "$IKE_METHOD" = "PSK" ]; then
164	MYID=address
165	if [ -n "$MYID_TYPE" ]; then
166	case "$MYID_TYPE" in
167	fqdn)
168	MYID="$MYID_TYPE \"$MYID_VALUE\""
169	;;
170	esac
171	fi
172	tmpfile=`mktemp /etc/racoon/psk.XXXXXX`
173	grep -v "^$DST " /etc/racoon/psk.txt > $tmpfile
174	echo "$DST $IKE_PSK" >> $tmpfile
175	mv -f $tmpfile /etc/racoon/psk.txt
176	fi
177	if [ ! -f /etc/racoon/$DST.conf -o /etc/racoon/$DST.conf -ot $1 ] ; then
178	cat > /etc/racoon/$DST.conf << EOF
179	remote $DST
180	{
181	exchange_mode aggressive, main;
182	EOF
183	case "$IKE_METHOD" in
184	PSK)
185	cat >> /etc/racoon/$DST.conf << EOF
186	my_identifier $MYID;
187	proposal {
188	encryption_algorithm $ESP_PROTO;
189	hash_algorithm $AH_PROTO;
190	authentication_method pre_shared_key;
191	dh_group $IKE_DHGROUP;
192	}
193	}
194	EOF
195	;;
196	X509)
197	cat >> /etc/racoon/$DST.conf << EOF
198	my_identifier asn1dn;
199	peers_identifier asn1dn;
200	certificate_type x509 "$IKE_CERTFILE.public" "$IKE_CERTFILE.private";
201	EOF
202	if [ -n "$IKE_DNSSEC" ]; then
203	echo " peers_certfile dnssec;" >> /etc/racoon/$DST.conf
204	fi
205	if [ -n "$IKE_PEER_CERTFILE" ]; then
206	echo " peers_certfile x509 \"$IKE_PEER_CERTFILE.public\";" >> /etc/racoon/$DST.conf
207	fi
208	cat >> /etc/racoon/$DST.conf << EOF
209	proposal {
210	encryption_algorithm $ESP_PROTO;
211	hash_algorithm $AH_PROTO;
212	authentication_method rsasig;
213	dh_group $IKE_DHGROUP;
214	}
215	}
216	EOF
217	;;
218	GSSAPI)
219	cat >> /etc/racoon/$DST.conf << EOF
220	my_identifier address;
221	proposal {
222	encryption_algorithm $ESP_PROTO;
223	hash_algorithm $AH_PROTO;
224	authentication_method gssapi_krb;
225	dh_group $IKE_DHGROUP;
226	}
227	}
228	EOF
229	esac
230	fi
231	racoontmp=`mktemp /etc/racoon/racoon.XXXXXX`
232	grep -v "^include \"/etc/racoon/$DST.conf\";" /etc/racoon/racoon.conf >> $racoontmp
233	echo "include \"/etc/racoon/$DST.conf\";" >> $racoontmp
234	mv -f $racoontmp /etc/racoon/racoon.conf
235	fi
236	if [ "$KEYING" = "automatic" ]; then
237	if ! pidof -x /usr/sbin/racoon > /dev/null 2>&1 ; then
238	/usr/sbin/racoon
239	elif [ -n "$IKE_METHOD" ]; then
240	killall -HUP /usr/sbin/racoon
241	fi
242	fi

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: projects/initscripts/tags/initscripts-8.91.0/sysconfig/network-scripts/ifup-ipsec @ 2576

Download in other formats: