#!/bin/sh
#
# ifup-ipsec
#
# Brings up IPsec interfaces

# handle_keys - normalise the manual-keying key variables.
#
# Each per-direction key (KEY_AH_IN/OUT, KEY_ESP_IN/OUT, KEY_AESP_IN/OUT)
# falls back to the shared KEY_AH / KEY_ESP / KEY_AESP value when it is
# not set.  A resulting key without a 0x prefix is taken to be an ASCII
# key and is wrapped in literal double quotes for setkey; hexadecimal
# (0x...) keys are passed through untouched.
#
# Globals read:    KEY_AH KEY_ESP KEY_AESP
# Globals written: KEY_AH_IN KEY_AH_OUT KEY_ESP_IN KEY_ESP_OUT
#                  KEY_AESP_IN KEY_AESP_OUT
handle_keys() {
  # Per-direction keys default to the shared key of the same protocol.
  : "${KEY_AH_IN:=$KEY_AH}"
  : "${KEY_AH_OUT:=$KEY_AH}"
  : "${KEY_ESP_IN:=$KEY_ESP}"
  : "${KEY_ESP_OUT:=$KEY_ESP}"
  : "${KEY_AESP_IN:=$KEY_AESP}"
  : "${KEY_AESP_OUT:=$KEY_AESP}"

  # Quote ASCII keys for setkey; empty and 0x-prefixed keys are left as-is.
  case "$KEY_AH_IN" in
    ''|0x*) ;;
    *) KEY_AH_IN="\"$KEY_AH_IN\"" ;;
  esac
  case "$KEY_AH_OUT" in
    ''|0x*) ;;
    *) KEY_AH_OUT="\"$KEY_AH_OUT\"" ;;
  esac
  case "$KEY_ESP_IN" in
    ''|0x*) ;;
    *) KEY_ESP_IN="\"$KEY_ESP_IN\"" ;;
  esac
  case "$KEY_ESP_OUT" in
    ''|0x*) ;;
    *) KEY_ESP_OUT="\"$KEY_ESP_OUT\"" ;;
  esac
  case "$KEY_AESP_IN" in
    ''|0x*) ;;
    *) KEY_AESP_IN="\"$KEY_AESP_IN\"" ;;
  esac
  case "$KEY_AESP_OUT" in
    ''|0x*) ;;
    *) KEY_AESP_OUT="\"$KEY_AESP_OUT\"" ;;
  esac
}

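# Pull in the shared initscripts helpers (source_config comes from
# network-functions).  The ifcfg lookup below is relative to the
# network-scripts directory, so refuse to continue if we cannot get there:
# otherwise "ifcfg-$1" would be sourced from whatever the caller's cwd is.
. /etc/init.d/functions
cd /etc/sysconfig/network-scripts || {
  echo "ifup-ipsec: cannot cd to /etc/sysconfig/network-scripts" >&2
  exit 1
}
. /etc/sysconfig/network-scripts/network-functions

# $1 is either a path to an ifcfg file or a device name; in the latter
# case use ifcfg-<device> from the network-scripts directory.
CONFIG=$1
[ -f "${CONFIG}" ] || CONFIG=ifcfg-${1}
source_config

# Fill in per-direction manual keys and quote ASCII keys for setkey.
handle_keys
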
# Decide between manual keying (static SAs installed with setkey) and
# automatic keying (racoon/IKE), and which IKE authentication method to
# use.  Later settings win: any X.509-related variable overrides IKE_PSK.
# IKE_METHOD may also be given directly by the ifcfg file (the GSSAPI
# case below relies on this); a set IKE_METHOD always means automatic.
if [ -n "$KEY_AH" ] || [ -n "$KEY_ESP" ]; then
  KEYING=manual
fi

if [ -n "$IKE_PSK" ]; then
  KEYING=automatic
  IKE_METHOD=PSK
fi

if [ -n "$IKE_CERTFILE" ] || [ -n "$IKE_PEER_CERTFILE" ] || [ -n "$IKE_DNSSEC" ]; then
  KEYING=automatic
  IKE_METHOD=X509
fi

[ -n "$IKE_METHOD" ] && KEYING=automatic
# Nothing selected automatic keying: fall back to manual.
: "${KEYING:=manual}"

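# Without an explicit SRC, use the source address the kernel would pick
# to reach DST.  DST is mandatory: with it unset the route lookup fails
# and SRC would silently become whatever the error output parsed to.
if [ -z "$DST" ]; then
  echo "ifup-ipsec: DST is not set in $CONFIG" >&2
  exit 1
fi
if [ -z "$SRC" ]; then
  SRC=$(ip -o route get to "$DST" | sed "s|.*src \([^ ]*\).*|\1|")
fi

if [ -n "$SRCNET" ] || [ -n "$DSTNET" ]; then
  # Tunnel mode: protect whole networks.  A missing side defaults to the
  # corresponding host address as a /32.
  TUNNEL_MODE=yes
  MODE=tunnel
  [ -z "$SRCNET" ] && SRCNET="$SRC/32"
  [ -z "$DSTNET" ] && DSTNET="$DST/32"
  SPD_SRC=$SRCNET
  SPD_DST=$DSTNET
  # If SRCNET is a subnet of DSTNET, exclude SRCNET<->SRCNET communication
  # from the IPsec policy (handled by the "none" spdadd entries later on).
  if [ "${SRCNET##*/}" -gt "${DSTNET##*/}" ] \
     && [ "$(ipcalc -n "${SRCNET%%/*}/${DSTNET##*/}")" \
          = "NETWORK=${DSTNET%%/*}" ]; then
    EXCLUDE_SRCNET=yes
  fi
  # Gateway for the remote network: the local address used to reach SRCNET.
  [ -z "$SRCGW" ] && SRCGW=$(ip -o route get to "$SRCNET" | sed "s|.*src \([^ ]*\).*|\1|")
  # Best effort: this typically fails with "File exists" when the route is
  # already present (e.g. on a re-run), so its status is deliberately not checked.
  ip route add to "$DSTNET" via "$SRCGW" src "$SRCGW"
else
  # Transport mode: host to host.
  unset TUNNEL_MODE
  MODE=transport
  SPD_SRC=$SRC
  SPD_DST=$DST
  unset EXCLUDE_SRCNET
fi
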
# Work out which SAs the security policy must require and fill in
# algorithm defaults.  Manual keying uses setkey's algorithm names and
# only requires a protocol/direction for which a key was supplied;
# automatic keying uses racoon's names and requires both directions of
# both protocols.
#
# NOTE: the defaults (3DES, HMAC-SHA1, DH group 2 = 1024-bit MODP) date
# from the era of this script and are weak by current standards; set
# AH_PROTO, ESP_PROTO, AESP_PROTO and IKE_DHGROUP explicitly to stronger
# algorithms supported by the peer rather than relying on them.
unset SPD_AH_IN SPD_AH_OUT SPD_ESP_IN SPD_ESP_OUT
case "$KEYING" in
  manual)
    : "${AH_PROTO:=hmac-sha1}"
    : "${ESP_PROTO:=3des-cbc}"
    : "${AESP_PROTO:=hmac-sha1}"

    [ -n "$KEY_AH_IN" ] && SPD_AH_IN=yes
    [ -n "$KEY_AH_OUT" ] && SPD_AH_OUT=yes
    [ -n "$KEY_ESP_IN" ] && SPD_ESP_IN=yes
    [ -n "$KEY_ESP_OUT" ] && SPD_ESP_OUT=yes
    ;;
  *)
    : "${IKE_DHGROUP:=2}"
    : "${AH_PROTO:=sha1}"
    : "${ESP_PROTO:=3des}"

    SPD_AH_IN=yes
    SPD_AH_OUT=yes
    SPD_ESP_IN=yes
    SPD_ESP_OUT=yes
    ;;
esac

# "none" disables a protocol entirely: drop its SPIs, keys and policy
# requirements, and substitute a valid algorithm name so racoon does not
# complain about the proposal.
if [ "$AH_PROTO" = "none" ]; then
  unset SPI_AH_IN SPI_AH_OUT KEY_AH_IN KEY_AH_OUT SPD_AH_IN SPD_AH_OUT
  AH_PROTO=sha1
fi
if [ "$ESP_PROTO" = "none" ]; then
  unset SPI_ESP_IN SPI_ESP_OUT KEY_ESP_IN KEY_ESP_OUT SPD_ESP_IN SPD_ESP_OUT
  ESP_PROTO=3des
fi

# Install the SAs and security policies with setkey(8).
#
# The leading delete/spddelete lines clear any previous state for this
# address pair; on a first run they fail harmlessly, which is why all
# output is discarded.  The downside is that a failing spdadd is silent
# too, and without a "require" policy traffic to DST is sent in the
# clear -- after bringing the interface up, confirm the expected policies
# are present with "setkey -DP".
#
# The "add" lines create SAs from the configured SPIs/keys and are only
# emitted when the corresponding KEY_* is set (normally manual keying;
# ESP is optionally authenticated with KEY_AESP_*).  With automatic
# keying only the policies are installed and racoon negotiates the SAs.
# In tunnel mode the outer addresses are SRC-DST, and when EXCLUDE_SRCNET
# is set SRCNET<->SRCNET traffic is exempted with explicit "none" policies.
/sbin/setkey -c >/dev/null 2>&1 << EOF
${SPI_AH_OUT:+delete $SRC $DST ah $SPI_AH_OUT;}
${SPI_AH_IN:+delete $DST $SRC ah $SPI_AH_IN;}
${SPI_ESP_OUT:+delete $SRC $DST esp $SPI_ESP_OUT;}
${SPI_ESP_IN:+delete $DST $SRC esp $SPI_ESP_IN;}
spddelete $SPD_SRC $SPD_DST any -P out;
spddelete $SPD_DST $SPD_SRC any -P in;
${EXCLUDE_SRCNET:+spddelete $SPD_SRC $SPD_SRC any -P out;}
${EXCLUDE_SRCNET:+spddelete $SPD_SRC $SPD_SRC any -P in;}

# ESP
${KEY_ESP_IN:+add $DST $SRC esp $SPI_ESP_IN ${TUNNEL_MODE:+-m tunnel} \
-E ${ESP_PROTO_IN:-$ESP_PROTO} $KEY_ESP_IN \
${KEY_AESP_IN:+-A ${AESP_PROTO_IN:-$AESP_PROTO} $KEY_AESP_IN}
;}
${KEY_ESP_OUT:+add $SRC $DST esp $SPI_ESP_OUT ${TUNNEL_MODE:+-m tunnel} \
-E ${ESP_PROTO_OUT:-$ESP_PROTO} $KEY_ESP_OUT \
${KEY_AESP_OUT:+-A ${AESP_PROTO_OUT:-$AESP_PROTO} $KEY_AESP_OUT}
;}

# AH
${KEY_AH_IN:+add $DST $SRC ah $SPI_AH_IN ${TUNNEL_MODE:+-m tunnel} -A ${AH_PROTO_IN:-$AH_PROTO} $KEY_AH_IN;}
${KEY_AH_OUT:+add $SRC $DST ah $SPI_AH_OUT ${TUNNEL_MODE:+-m tunnel} -A ${AH_PROTO_OUT:-$AH_PROTO} $KEY_AH_OUT;}

${EXCLUDE_SRCNET:+spdadd $SPD_SRC $SPD_SRC any -P out none;}
${EXCLUDE_SRCNET:+spdadd $SPD_SRC $SPD_SRC any -P in none;}

spdadd $SPD_SRC $SPD_DST any -P out ipsec
${SPD_ESP_OUT:+esp/$MODE/${TUNNEL_MODE:+$SRC-$DST}/require}
${SPD_AH_OUT:+ah/$MODE/${TUNNEL_MODE:+$SRC-$DST}/require}
;

spdadd $SPD_DST $SPD_SRC any -P in ipsec
${SPD_ESP_IN:+esp/$MODE/${TUNNEL_MODE:+$DST-$SRC}/require}
${SPD_AH_IN:+ah/$MODE/${TUNNEL_MODE:+$DST-$SRC}/require}
;
EOF

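# Automatic keying: maintain racoon's pre-shared keys, the per-peer racoon
# config and its include line in racoon.conf.  Files are built in mktemp(1)
# temporaries inside /etc/racoon (created mode 0600) and moved into place.
if [ "$KEYING" = "automatic" ] && [ -n "$IKE_METHOD" ]; then
  if [ "$IKE_METHOD" = "PSK" ]; then
    # Identify ourselves by address unless the config asks for an FQDN-type id.
    MYID=address
    if [ -n "$MYID_TYPE" ]; then
      case "$MYID_TYPE" in
        *fqdn*)
          MYID="$MYID_TYPE \"$MYID_VALUE\""
          ;;
      esac
    fi
    # Replace any existing entry for DST in psk.txt.  The first field is
    # matched exactly; the previous regex ("^$DST ") treated the dots in
    # DST as wildcards.  printf is used because sh's echo may interpret
    # backslashes in the key.  Without a temp file we cannot publish the
    # key and IKE cannot succeed, so stop here.
    tmpfile=$(mktemp /etc/racoon/psk.XXXXXX) || exit 1
    awk -v dst="$DST" '$1 != dst' /etc/racoon/psk.txt > "$tmpfile"
    printf '%s %s\n' "$DST" "$IKE_PSK" >> "$tmpfile"
    mv -f "$tmpfile" /etc/racoon/psk.txt
  fi
  # (Re)generate the peer config when it is missing or older than the ifcfg
  # file.  The comparison must use CONFIG: when ifup-ipsec is invoked with a
  # device name, $1 is not a file, "-ot $1" is never true and a changed
  # ifcfg file would never be picked up.
  if [ ! -f "/etc/racoon/$DST.conf" ] || [ "/etc/racoon/$DST.conf" -ot "$CONFIG" ]; then
    # NOTE: aggressive mode is offered first.  With pre-shared keys, IKEv1
    # aggressive mode exposes the PSK to offline guessing; prefer "main"
    # alone wherever the peer supports it.
    cat > "/etc/racoon/$DST.conf" << EOF
remote $DST
{
    exchange_mode aggressive, main;
EOF
    case "$IKE_METHOD" in
      PSK)
        cat >> "/etc/racoon/$DST.conf" << EOF
    my_identifier $MYID;
    proposal {
        encryption_algorithm $ESP_PROTO;
        hash_algorithm $AH_PROTO;
        authentication_method pre_shared_key;
        dh_group $IKE_DHGROUP;
    }
}
EOF
        ;;
      X509)
        # NOTE(review): IKE_CERTFILE is assumed to be set whenever X509 is
        # selected; with only IKE_PEER_CERTFILE or IKE_DNSSEC given this
        # writes certificate_type x509 ".public" ".private" -- confirm.
        cat >> "/etc/racoon/$DST.conf" << EOF
    my_identifier asn1dn;
    peers_identifier asn1dn;
    certificate_type x509 "$IKE_CERTFILE.public" "$IKE_CERTFILE.private";
EOF
        if [ -n "$IKE_DNSSEC" ]; then
          echo " peers_certfile dnssec;" >> "/etc/racoon/$DST.conf"
        fi
        if [ -n "$IKE_PEER_CERTFILE" ]; then
          echo " peers_certfile x509 \"$IKE_PEER_CERTFILE.public\";" >> "/etc/racoon/$DST.conf"
        fi
        cat >> "/etc/racoon/$DST.conf" << EOF
    proposal {
        encryption_algorithm $ESP_PROTO;
        hash_algorithm $AH_PROTO;
        authentication_method rsasig;
        dh_group $IKE_DHGROUP;
    }
}
EOF
        ;;
      GSSAPI)
        cat >> "/etc/racoon/$DST.conf" << EOF
    my_identifier address;
    proposal {
        encryption_algorithm $ESP_PROTO;
        hash_algorithm $AH_PROTO;
        authentication_method gssapi_krb;
        dh_group $IKE_DHGROUP;
    }
}
EOF
        ;;
    esac
  fi
  # Make racoon.conf include the peer config exactly once.
  racoontmp=$(mktemp /etc/racoon/racoon.XXXXXX) || exit 1
  grep -v "^include \"/etc/racoon/$DST.conf\";" /etc/racoon/racoon.conf >> "$racoontmp"
  printf 'include "/etc/racoon/%s.conf";\n' "$DST" >> "$racoontmp"
  mv -f "$racoontmp" /etc/racoon/racoon.conf
fi
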
# With automatic keying make sure racoon is running.  If it already is and
# this peer uses IKE, send it a HUP so it re-reads the updated configuration.
if [ "$KEYING" = "automatic" ]; then
  if pidof -x /usr/sbin/racoon > /dev/null 2>&1; then
    if [ -n "$IKE_METHOD" ]; then
      killall -HUP /usr/sbin/racoon
    fi
  else
    /usr/sbin/racoon
  fi
fi