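#!/bin/bash
# ifdown-ipsec: tear down the IPsec state that the matching ifup script set up
# for one ifcfg-* configuration: the SAs (when their SPIs are known), the SPD
# policies, the tunnel route, and the peer's include line in racoon.conf.
# Finally hands the interface to ifdown-post.
#
# Usage: ifdown-ipsec <config-name-or-path>
#
# Reads (after source_config has loaded the ifcfg file): DST, SRC, SRCNET,
# DSTNET, SRCGW, KEY_AH, KEY_ESP, IKE_PSK, IKE_CERTFILE, IKE_PEER_CERTFILE,
# IKE_DNSSEC, RSA_KEY, IKE_METHOD, KEYING, SPI_AH_IN/OUT, SPI_ESP_IN/OUT.
# These values are expanded unquoted into setkey(8) directives below, so the
# ifcfg file is treated as trusted (root-owned) system configuration.

# Fixed PATH: ip/setkey/ipcalc/racoon helpers are taken from system dirs only,
# never from the caller's environment.
PATH=/sbin:/usr/sbin/:/bin:/usr/bin

# source_config (from network-functions) resolves CONFIG relative to this
# directory, so a failed cd must not be silently ignored.
cd /etc/sysconfig/network-scripts || exit 1
. /etc/sysconfig/network-scripts/network-functions

CONFIG=$1
[ -f "${CONFIG}" ] || CONFIG=ifcfg-${1}
source_config

if [[ -z "$DST" ]]; then
  echo "$0: DST is not set in ${CONFIG}; cannot determine the IPsec peer" >&2
  exit 1
fi

# Derive the keying mode from whichever key material the config provides.
# Checks are ordered so that later ones override earlier ones; the three X509
# triggers (IKE_CERTFILE, IKE_PEER_CERTFILE, IKE_DNSSEC) set identical values
# and are therefore tested together.
if [[ -n "$KEY_AH" || -n "$KEY_ESP" ]]; then
  KEYING=manual
fi
if [[ -n "$IKE_PSK" ]]; then
  KEYING=automatic
  IKE_METHOD=PSK
fi
if [[ -n "$IKE_CERTFILE" || -n "$IKE_PEER_CERTFILE" || -n "$IKE_DNSSEC" ]]; then
  KEYING=automatic
  IKE_METHOD=X509
fi
if [[ -n "$RSA_KEY" ]]; then
  KEYING=automatic
  IKE_METHOD=RSA
fi
[[ -n "$IKE_METHOD" ]] && KEYING=automatic
[[ -z "$KEYING" ]] && KEYING=manual

# Local endpoint: when the config does not name one, take the "src" field of
# the route the kernel would use to reach DST.
if [[ -z "$SRC" ]]; then
  SRC=$(ip -o route get to "$DST" | sed "s|.*src \([^ ]*\).*|\1|")
fi

# MODE is kept for parity with the setup script; this script does not read it.
if [[ -n "$SRCNET" || -n "$DSTNET" ]]; then
  MODE=tunnel
  [[ -z "$SRCNET" ]] && SRCNET="$SRC/32"
  [[ -z "$DSTNET" ]] && DSTNET="$DST/32"
  SPD_SRC=$SRCNET
  SPD_DST=$DSTNET
  # If SRCNET is a subnet of DSTNET, a separate SRCNET<->SRCNET policy pair
  # exists alongside the tunnel policy; flag it so it is deleted below too.
  if [[ "${SRCNET##*/}" -gt "${DSTNET##*/}" ]] \
     && [[ "$(ipcalc -n "${SRCNET%%/*}/${DSTNET##*/}")" = "NETWORK=${DSTNET%%/*}" ]]; then
    EXCLUDE_SRCNET=yes
  fi
  [[ -z "$SRCGW" ]] && SRCGW=$(ip -o route get to "$SRCNET" | sed "s|.*src \([^ ]*\).*|\1|")
  ip route del to "$DSTNET" via "$SRCGW" src "$SRCGW"
else
  MODE=transport
  SPD_SRC=$SRC
  SPD_DST=$DST
  unset EXCLUDE_SRCNET
fi

# Delete SAs only when their SPIs are configured (the ${VAR:+...} expansions
# emit nothing otherwise), then drop the SPD entries in both directions.
setkey -c << EOF
${SPI_AH_OUT:+delete $SRC $DST ah $SPI_AH_OUT;}
${SPI_AH_IN:+delete $DST $SRC ah $SPI_AH_IN;}
${SPI_ESP_OUT:+delete $SRC $DST esp $SPI_ESP_OUT;}
${SPI_ESP_IN:+delete $DST $SRC esp $SPI_ESP_IN;}
spddelete $SPD_SRC $SPD_DST any -P out;
spddelete $SPD_DST $SPD_SRC any -P in;
${EXCLUDE_SRCNET:+spddelete $SPD_SRC $SPD_SRC any -P out;}
${EXCLUDE_SRCNET:+spddelete $SPD_SRC $SPD_SRC any -P in;}
EOF

if [[ "$KEYING" = "automatic" && -n "$IKE_METHOD" ]]; then
  # Remove this peer's include line from racoon.conf. The rewrite goes to a
  # mktemp file in the same directory and is moved into place atomically, and
  # racoon.conf is only replaced when grep actually produced the new content
  # (grep exits 1 when no line remains, which is not an error; 2 is).
  # The dots in DST are regex metacharacters, so they are escaped first; the
  # unquoted expansion is deliberate so that '\\.' yields a literal '\.'.
  dst_re=${DST//./\\.}
  include_re="^include \"/etc/racoon/${dst_re}\.conf\";"
  if racoontmp=$(mktemp /etc/racoon/racoon.XXXXXX); then
    grep -v -- "$include_re" /etc/racoon/racoon.conf > "$racoontmp"
    grep_rv=$?
    if [[ $grep_rv -le 1 ]]; then
      # Resulting mode is mktemp's 0600 default, as with the previous rewrite.
      mv -f -- "$racoontmp" /etc/racoon/racoon.conf
    else
      rm -f -- "$racoontmp"
      echo "$0: could not rewrite /etc/racoon/racoon.conf; leaving it unchanged" >&2
    fi
  else
    echo "$0: mktemp failed in /etc/racoon; leaving racoon.conf unchanged" >&2
  fi
  # Ask a running racoon to reload its configuration.
  pidof -x /usr/sbin/racoon > /dev/null 2>&1 && killall -HUP /usr/sbin/racoon
fi

/etc/sysconfig/network-scripts/ifdown-post "$CONFIG"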