#!/bin/sh
#
# ifup-ipsec
#
# Brings up ipsec interfaces

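#######################################
# Normalise the manual-keying variables read from the ifcfg file.
#
# Two passes over the AH, ESP and AESP (ESP authentication) keys:
#   1. a direction-less KEY_AH / KEY_ESP / KEY_AESP value is copied into
#      the per-direction *_IN / *_OUT variable when that one is empty;
#   2. every non-empty per-direction key that does not start with "0x" is
#      wrapped in literal double quotes, which is how the setkey(8)
#      heredoc further down expects an ASCII (non-hex) key to be written.
# Globals:   KEY_AH, KEY_ESP, KEY_AESP (read)
#            KEY_{AH,ESP,AESP}_{IN,OUT} (read and written)
# Returns:   always 0
#######################################
handle_keys() {
  # Pass 1: fall back to the direction-less key.  Two separate tests are
  # used instead of "-a", which is obsolescent in POSIX test(1) and
  # ambiguous when an operand looks like an operator.
  [ -z "$KEY_AH_IN" ] && [ -n "$KEY_AH" ] && KEY_AH_IN=$KEY_AH
  [ -z "$KEY_AH_OUT" ] && [ -n "$KEY_AH" ] && KEY_AH_OUT=$KEY_AH
  [ -z "$KEY_ESP_IN" ] && [ -n "$KEY_ESP" ] && KEY_ESP_IN=$KEY_ESP
  [ -z "$KEY_ESP_OUT" ] && [ -n "$KEY_ESP" ] && KEY_ESP_OUT=$KEY_ESP
  [ -z "$KEY_AESP_IN" ] && [ -n "$KEY_AESP" ] && KEY_AESP_IN=$KEY_AESP
  [ -z "$KEY_AESP_OUT" ] && [ -n "$KEY_AESP" ] && KEY_AESP_OUT=$KEY_AESP

  # Pass 2: quote ASCII keys; "0x..." keys are handed to setkey as they
  # are.  "${var##0x}" strips a leading 0x, so equality with the original
  # value means there was no such prefix.
  if [ -n "$KEY_AH_IN" ] && [ "$KEY_AH_IN" = "${KEY_AH_IN##0x}" ]; then
    KEY_AH_IN=\"$KEY_AH_IN\"
  fi
  if [ -n "$KEY_AH_OUT" ] && [ "$KEY_AH_OUT" = "${KEY_AH_OUT##0x}" ]; then
    KEY_AH_OUT=\"$KEY_AH_OUT\"
  fi
  if [ -n "$KEY_ESP_IN" ] && [ "$KEY_ESP_IN" = "${KEY_ESP_IN##0x}" ]; then
    KEY_ESP_IN=\"$KEY_ESP_IN\"
  fi
  if [ -n "$KEY_ESP_OUT" ] && [ "$KEY_ESP_OUT" = "${KEY_ESP_OUT##0x}" ]; then
    KEY_ESP_OUT=\"$KEY_ESP_OUT\"
  fi
  if [ -n "$KEY_AESP_IN" ] && [ "$KEY_AESP_IN" = "${KEY_AESP_IN##0x}" ]; then
    KEY_AESP_IN=\"$KEY_AESP_IN\"
  fi
  if [ -n "$KEY_AESP_OUT" ] && [ "$KEY_AESP_OUT" = "${KEY_AESP_OUT##0x}" ]; then
    KEY_AESP_OUT=\"$KEY_AESP_OUT\"
  fi
  # Explicit status: the last test above would otherwise leak a non-zero
  # status out of the function when it simply did not apply.
  return 0
}
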
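# Pull in the common init and network helpers; source_config below is
# provided by network-functions.  The cd is required because the ifcfg-*
# fallback name is resolved relative to this directory, so a failure to
# get there must not be silently ignored.
. /etc/init.d/functions
cd /etc/sysconfig/network-scripts || exit 1
. /etc/sysconfig/network-scripts/network-functions

# The single argument is either a config file path or a device name that
# is mapped to ifcfg-<name> in the directory cd'ed into above.
if [ -z "$1" ]; then
  printf 'usage: %s <ifcfg-file|device>\n' "${0##*/}" >&2
  exit 1
fi
CONFIG=$1
[ -f "${CONFIG}" ] || CONFIG=ifcfg-${1}
source_config

# Every setkey rule and the racoon per-peer file below are keyed on the
# peer address; without it they would be generated with an empty field.
if [ -z "$DST" ]; then
  printf '%s: DST is not set in %s\n' "${0##*/}" "${CONFIG}" >&2
  exit 1
fi

handle_keys
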
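# Decide between manual keying (static keys fed to setkey) and automatic
# keying (IKE negotiated by racoon), and which IKE authentication method
# applies.  Later tests deliberately override earlier ones: an X509-related
# setting wins over IKE_PSK, and any IKE_* setting wins over static KEY_*
# material.  Whatever is not clearly automatic ends up as manual.
if [ -n "$KEY_AH" ] || [ -n "$KEY_ESP" ]; then
  KEYING=manual
fi

if [ -n "$IKE_PSK" ]; then
  KEYING=automatic
  IKE_METHOD=PSK
fi

# Any of the three certificate-related settings selects X509.
if [ -n "$IKE_CERTFILE" ] || [ -n "$IKE_PEER_CERTFILE" ] || [ -n "$IKE_DNSSEC" ]; then
  KEYING=automatic
  IKE_METHOD=X509
fi

# IKE_METHOD may also be given directly in the ifcfg file (e.g. GSSAPI,
# which nothing above derives on its own).
[ -n "$IKE_METHOD" ] && KEYING=automatic
[ -z "$KEYING" ] && KEYING=manual
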
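# Local endpoint: when the ifcfg file does not name SRC, take the source
# address the kernel would use to reach DST.
if [ -z "$SRC" ]; then
  SRC=$(ip -o route get to "$DST" | sed "s|.*src \([^ ]*\).*|\1|")
fi

# Tunnel mode is selected by giving at least one of SRCNET/DSTNET; the
# missing side defaults to the endpoint itself as a /32.  Transport mode
# protects only the SRC<->DST pair itself.
if [ -n "$SRCNET" ] || [ -n "$DSTNET" ]; then
  TUNNEL_MODE=yes
  MODE=tunnel
  [ -z "$SRCNET" ] && SRCNET="$SRC/32"
  [ -z "$DSTNET" ] && DSTNET="$DST/32"
  SPD_SRC=$SRCNET
  SPD_DST=$DSTNET
  # If SRCNET is a subnet of DSTNET (longer prefix, and SRCNET's address
  # masked with DSTNET's prefix length yields DSTNET's network), exclude
  # SRCNET<->SRCNET communication from the policy so that local traffic is
  # not forced through the tunnel.
  if [ "${SRCNET##*/}" -gt "${DSTNET##*/}" ] \
    && [ "$(ipcalc -n "${SRCNET%%/*}/${DSTNET##*/}")" \
      = "NETWORK=${DSTNET%%/*}" ]; then
    EXCLUDE_SRCNET=yes
  fi
  [ -z "$SRCGW" ] && SRCGW=$(ip -o route get to "$SRCNET" | sed "s|.*src \([^ ]*\).*|\1|")
  # NOTE(review): a failure here (presumably a route that already exists on
  # a re-run) is reported by ip but does not stop the script — confirm that
  # is the intended behaviour.
  ip route add to "$DSTNET" via "$SRCGW" src "$SRCGW"
else
  unset TUNNEL_MODE
  MODE=transport
  SPD_SRC=$SRC
  SPD_DST=$DST
  unset EXCLUDE_SRCNET
fi
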
# Start from a clean slate so that only the directions which actually have
# key material (manual) or are negotiated by IKE (automatic) get a policy.
unset SPD_AH_IN SPD_AH_OUT SPD_ESP_IN SPD_ESP_OUT

case "$KEYING" in
  manual)
    # Defaults use setkey's algorithm spellings.  NOTE(review): 3des-cbc
    # and hmac-sha1 are legacy choices kept for compatibility; set
    # ESP_PROTO/AH_PROTO explicitly in the ifcfg file to pick something
    # stronger that setkey supports.
    : "${AH_PROTO:=hmac-sha1}"
    : "${ESP_PROTO:=3des-cbc}"
    : "${AESP_PROTO:=hmac-sha1}"
    # A direction is protected only when a key exists for it.
    [ -n "$KEY_AH_IN" ] && SPD_AH_IN=yes
    [ -n "$KEY_AH_OUT" ] && SPD_AH_OUT=yes
    [ -n "$KEY_ESP_IN" ] && SPD_ESP_IN=yes
    [ -n "$KEY_ESP_OUT" ] && SPD_ESP_OUT=yes
    ;;
  *)
    # IKE: these defaults are interpolated into the racoon proposal below,
    # hence racoon's spellings (3des, sha1) and a DH group default.
    : "${IKE_DHGROUP:=2}"
    : "${AH_PROTO:=sha1}"
    : "${ESP_PROTO:=3des}"
    SPD_AH_IN=yes
    SPD_AH_OUT=yes
    SPD_ESP_IN=yes
    SPD_ESP_OUT=yes
    ;;
esac

# "none" disables a protocol entirely: drop its SPIs, keys and policies.
# The protocol variable is then reset to a valid name because it is still
# interpolated into the racoon proposal further down.
if [ "$AH_PROTO" = "none" ]; then
  unset SPI_AH_IN SPI_AH_OUT KEY_AH_IN KEY_AH_OUT SPD_AH_IN SPD_AH_OUT
  AH_PROTO=sha1 # To silence racoon
fi
if [ "$ESP_PROTO" = "none" ]; then
  unset SPI_ESP_IN SPI_ESP_OUT KEY_ESP_IN KEY_ESP_OUT SPD_ESP_IN SPD_ESP_OUT
  ESP_PROTO=3des # To silence racoon
fi

# Program the kernel SAD/SPD through setkey(8).  The here-document is
# unquoted, so each ${VAR:+...} expands to its clause only when VAR is
# non-empty; an absent SPI, key or policy flag simply yields a blank line.
# Order matters: any stale SAs and policies for this pair are deleted
# first, then the ESP and AH SAs are added (plus the "none" exclusion for
# SRCNET<->SRCNET traffic when EXCLUDE_SRCNET is set), and finally the
# require policies for both directions.
# NOTE(review): stdout and stderr are discarded, presumably because the
# leading delete/spddelete lines fail when nothing was installed yet.  The
# same redirect also hides a failed add/spdadd, i.e. a policy that was
# never installed; consider checking setkey's exit status or keeping its
# stderr.
/sbin/setkey -c >/dev/null 2>&1 << EOF
${SPI_AH_OUT:+delete $SRC $DST ah $SPI_AH_OUT;}
${SPI_AH_IN:+delete $DST $SRC ah $SPI_AH_IN;}
${SPI_ESP_OUT:+delete $SRC $DST esp $SPI_ESP_OUT;}
${SPI_ESP_IN:+delete $DST $SRC esp $SPI_ESP_IN;}
spddelete $SPD_SRC $SPD_DST any -P out;
spddelete $SPD_DST $SPD_SRC any -P in;
${EXCLUDE_SRCNET:+spddelete $SPD_SRC $SPD_SRC any -P out;}
${EXCLUDE_SRCNET:+spddelete $SPD_SRC $SPD_SRC any -P in;}

# ESP
${KEY_ESP_IN:+add $DST $SRC esp $SPI_ESP_IN ${TUNNEL_MODE:+-m tunnel} \
-E ${ESP_PROTO_IN:-$ESP_PROTO} $KEY_ESP_IN \
${KEY_AESP_IN:+-A ${AESP_PROTO_IN:-$AESP_PROTO} $KEY_AESP_IN}
;}
${KEY_ESP_OUT:+add $SRC $DST esp $SPI_ESP_OUT ${TUNNEL_MODE:+-m tunnel} \
-E ${ESP_PROTO_OUT:-$ESP_PROTO} $KEY_ESP_OUT \
${KEY_AESP_OUT:+-A ${AESP_PROTO_OUT:-$AESP_PROTO} $KEY_AESP_OUT}
;}

# AH
${KEY_AH_IN:+add $DST $SRC ah $SPI_AH_IN ${TUNNEL_MODE:+-m tunnel} -A ${AH_PROTO_IN:-$AH_PROTO} $KEY_AH_IN;}
${KEY_AH_OUT:+add $SRC $DST ah $SPI_AH_OUT ${TUNNEL_MODE:+-m tunnel} -A ${AH_PROTO_OUT:-$AH_PROTO} $KEY_AH_OUT;}

${EXCLUDE_SRCNET:+spdadd $SPD_SRC $SPD_SRC any -P out none;}
${EXCLUDE_SRCNET:+spdadd $SPD_SRC $SPD_SRC any -P in none;}

spdadd $SPD_SRC $SPD_DST any -P out ipsec
${SPD_ESP_OUT:+esp/$MODE/${TUNNEL_MODE:+$SRC-$DST}/require}
${SPD_AH_OUT:+ah/$MODE/${TUNNEL_MODE:+$SRC-$DST}/require}
;

spdadd $SPD_DST $SPD_SRC any -P in ipsec
${SPD_ESP_IN:+esp/$MODE/${TUNNEL_MODE:+$DST-$SRC}/require}
${SPD_AH_IN:+ah/$MODE/${TUNNEL_MODE:+$DST-$SRC}/require}
;
EOF

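# Automatic keying: register the pre-shared key when PSK is used, write
# the per-peer racoon configuration, and make racoon.conf include it.
if [ "$KEYING" = "automatic" ] && [ -n "$IKE_METHOD" ]; then
  racoon_conf=/etc/racoon/$DST.conf

  if [ "$IKE_METHOD" = "PSK" ]; then
    # Identify ourselves by address unless the ifcfg file asks for an
    # fqdn-style identifier, which racoon wants as a quoted string.
    MYID=address
    if [ -n "$MYID_TYPE" ]; then
      case "$MYID_TYPE" in
        *fqdn*)
          MYID="$MYID_TYPE \"$MYID_VALUE\""
          ;;
      esac
    fi
    # Replace any existing psk.txt entry for DST with the current key.
    # The temp file is created by mktemp (mode 0600) and renamed over
    # psk.txt, so the secret is never exposed with wider permissions —
    # presumably also what racoon expects for psk.txt; confirm.  awk -v
    # compares the identifier field literally; the previous grep pattern
    # treated DST as a regular expression.
    # NOTE(review): IKE_PSK is read from the ifcfg file, so that file must
    # not be readable by other users either.
    tmpfile=$(mktemp /etc/racoon/psk.XXXXXX) || {
      printf '%s: cannot create a temporary file in /etc/racoon\n' "${0##*/}" >&2
      exit 1
    }
    awk -v dst="$DST" '$1 != dst' /etc/racoon/psk.txt > "$tmpfile"
    printf '%s %s\n' "$DST" "$IKE_PSK" >> "$tmpfile"
    mv -f "$tmpfile" /etc/racoon/psk.txt
  fi

  # (Re)generate the peer file when it is missing or older than the ifcfg
  # file it is derived from.  The comparison uses CONFIG (as resolved
  # above) rather than the raw $1: with a device name as argument, $1 is
  # not a file, "-ot" is always false and the peer file was never
  # refreshed after the ifcfg file changed.
  if [ ! -f "$racoon_conf" ] || [ "$racoon_conf" -ot "$CONFIG" ]; then
    # NOTE(review): "aggressive, main" lets the peer choose aggressive
    # mode; with pre_shared_key authentication that mode is widely
    # regarded as weak (identity and PSK-derived hash are observable on
    # the wire).  Prefer main mode only where the peer supports it.
    cat > "$racoon_conf" << EOF
remote $DST
{
exchange_mode aggressive, main;
EOF
    case "$IKE_METHOD" in
      PSK)
        cat >> "$racoon_conf" << EOF
my_identifier $MYID;
proposal {
encryption_algorithm $ESP_PROTO;
hash_algorithm $AH_PROTO;
authentication_method pre_shared_key;
dh_group $IKE_DHGROUP;
}
}
EOF
        ;;
      X509)
        cat >> "$racoon_conf" << EOF
my_identifier asn1dn;
peers_identifier asn1dn;
certificate_type x509 "$IKE_CERTFILE.public" "$IKE_CERTFILE.private";
EOF
        # Peer certificate: either looked up via DNSSEC or a local file.
        if [ -n "$IKE_DNSSEC" ]; then
          printf '%s\n' " peers_certfile dnssec;" >> "$racoon_conf"
        fi
        if [ -n "$IKE_PEER_CERTFILE" ]; then
          printf '%s\n' " peers_certfile x509 \"$IKE_PEER_CERTFILE.public\";" >> "$racoon_conf"
        fi
        cat >> "$racoon_conf" << EOF
proposal {
encryption_algorithm $ESP_PROTO;
hash_algorithm $AH_PROTO;
authentication_method rsasig;
dh_group $IKE_DHGROUP;
}
}
EOF
        ;;
      GSSAPI)
        cat >> "$racoon_conf" << EOF
my_identifier address;
proposal {
encryption_algorithm $ESP_PROTO;
hash_algorithm $AH_PROTO;
authentication_method gssapi_krb;
dh_group $IKE_DHGROUP;
}
}
EOF
        ;;
      *)
        # An unknown method would leave the "remote" block unclosed and
        # break racoon's parse of the whole configuration; fail instead.
        printf '%s: unsupported IKE_METHOD "%s" in %s\n' "${0##*/}" "$IKE_METHOD" "${CONFIG}" >&2
        rm -f "$racoon_conf"
        exit 1
        ;;
    esac
  fi

  # Make racoon.conf include the peer file exactly once: drop any line that
  # already starts with this include (literal prefix match, not a regex)
  # and append a fresh one, again via a mktemp file renamed into place.
  include_line="include \"$racoon_conf\";"
  racoontmp=$(mktemp /etc/racoon/racoon.XXXXXX) || {
    printf '%s: cannot create a temporary file in /etc/racoon\n' "${0##*/}" >&2
    exit 1
  }
  awk -v inc="$include_line" 'index($0, inc) != 1' /etc/racoon/racoon.conf > "$racoontmp"
  printf '%s\n' "$include_line" >> "$racoontmp"
  mv -f "$racoontmp" /etc/racoon/racoon.conf
fi
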
# Automatic keying needs a running racoon.  Start one if none is running;
# otherwise, when a per-peer configuration was (re)written above (that
# block runs only with IKE_METHOD set), ask the running instance to reload
# with SIGHUP.
if [ "$KEYING" = "automatic" ]; then
  if pidof -x /usr/sbin/racoon >/dev/null 2>&1; then
    if [ -n "$IKE_METHOD" ]; then
      killall -HUP /usr/sbin/racoon
    fi
  else
    /usr/sbin/racoon
  fi
fi