parent
15a9b61bbd
commit
c3521420dc
17 changed files with 1468 additions and 0 deletions
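--- a/package/strongswan/Makefile
+++ b/package/strongswan/Makefile
@@ -0,0 +1,96 @@
+#
+# Copyright (C) 2006 OpenWrt.org
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+# $Id: Makefile $
+
+include $(TOPDIR)/rules.mk
+include $(INCLUDE_DIR)/kernel.mk
+
+PKG_NAME:=strongswan
+PKG_VERSION:=2.8.2
+PKG_RELEASE:=1
+
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
+PKG_SOURCE_URL:=http://download.strongswan.org/
+PKG_MD5SUM:=57427f5b48123851a73b10d78dd4f8d6
+PKG_CAT:=bzcat
+
+PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
+PKG_INSTALL_DIR:=$(PKG_BUILD_DIR)/ipkg-install
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/strongswan/Default
+TITLE:=strongSwan
+DESCRIPTION:=\
+strongSwan is an IPsec implementation for Linux.
+URL:=http://www.strongswan.org/
+endef
+
+define Package/strongswan
+$(call Package/strongswan/Default)
+SECTION:=net
+CATEGORY:=Network
+DEPENDS:=+kmod-strongswan +libgmp @LINUX_2_4
+TITLE+= (daemon)
+DESCRIPTION+=\\\
+\\\
+This package contains the strongSwan user-land daemon.
+URL:=http://www.strongswan.org/
+endef
+
+define KernelPackage/strongswan
+SUBMENU:=Network Support
+$(call Package/strongswan/Default)
+TITLE+= (kernel module)
+DESCRIPTION+=\\\
+\\\
+This package contains the strongSwan kernel module.
+VERSION:=$(LINUX_VERSION)+$(PKG_VERSION)-$(BOARD)-$(PKG_RELEASE)
+FILES:=$(PKG_BUILD_DIR)/linux/net/ipsec/ipsec.$(LINUX_KMOD_SUFFIX)
+AUTOLOAD:=$(call AutoLoad,50,ipsec)
+endef
+
+PKG_MAKE_OPTS:= \
+LINUX_RELEASE="$(LINUX_RELEASE)" \
+KERNELSRC="$(LINUX_DIR)" \
+ARCH="$(LINUX_KARCH)" \
+CROSS_COMPILE="$(TARGET_CROSS)" \
+USERCOMPILE="$(TARGET_CFLAGS) -I./linux/include -I$(STAGING_DIR)/usr/include -L$(STAGING_DIR)/usr/lib" \
+IPSECDIR="/usr/lib/ipsec" \
+INC_USRLOCAL="/usr" \
+
+define Build/Compile
+$(MAKE) -C $(PKG_BUILD_DIR) \
+$(TARGET_CONFIGURE_OPTS) \
+$(PKG_MAKE_OPTS) \
+LDFLAGS="-L$(STAGING_DIR)/usr/lib -L$(STAGING_DIR)/lib" \
+DESTDIR="$(PKG_INSTALL_DIR)" \
+programs module install
+endef
+
+define Package/strongswan/install
+$(CP) $(PKG_INSTALL_DIR)/* $(1)
+$(INSTALL_DIR) $(1)/etc/init.d
+$(INSTALL_DIR) $(1)/etc/config
+$(INSTALL_DIR) $(1)/etc/cron.tick
+$(INSTALL_DIR) $(1)/etc/hotplug.d/iface
+$(INSTALL_DIR) $(1)/etc/hotplug.d/button
+$(INSTALL_BIN) ./files/ipsec.init $(1)/etc/init.d/ipsec
+$(INSTALL_BIN) ./files/ipsec.cron $(1)/etc/cron.tick/ipsec-wakeup
+$(INSTALL_BIN) ./files/ipsec.iface $(1)/etc/hotplug.d/iface/65-ipsec
+$(INSTALL_BIN) ./files/ipsec.button $(1)/etc/hotplug.d/button/65-ipsec
+$(INSTALL_DATA) ./files/ipsec.config $(1)/etc/config/ipsec
+$(INSTALL_DATA) ./files/ipsec.conf $(1)/etc/ipsec.conf
+rm -rf $(1)/usr/share
+rm -rf $(1)/usr/man
+rm -rf $(1)/var
+rm -rf $(1)/etc/rc.d
+find $(1) -name \*.old | xargs rm -rf
+endef
+
+$(eval $(call BuildPackage,strongswan))
+$(eval $(call KernelPackage,strongswan))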
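Review bot: `INC_USRLOCAL="/usr" \` leaves the PKG_MAKE_OPTS assignment with a dangling continuation, so it is only the blank line after it that terminates the value and any line later inserted directly beneath would silently become part of the option list; drop the trailing backslash on that last entry. `find $(1) -name \*.old | xargs rm -rf` hands unquoted paths to xargs and, when no `.old` file exists, GNU xargs still runs `rm -rf` with no operands, whose non-zero exit fails the install recipe; `find $(1) -name '*.old' -exec rm -f {} \;` avoids both. The recipe lines inside the define blocks appear here without leading tabs, which is presumably a rendering artefact of this page rather than the committed file.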
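--- a/package/strongswan/files/ipsec.button
+++ b/package/strongswan/files/ipsec.button
@@ -0,0 +1,34 @@
+#!/bin/sh
+
+# snarf the code that loads the config values
+# since we also load the functions, might as well save the shell calls
+. /etc/init.d/ipsec
+
+[ -n "$IPSEC_RESET_BUTTON" -a "$BUTTON" = "$IPSEC_RESET_BUTTON" ] || exit
+
+if [ ! -e /var/run/pluto.pid ] ; then
+
+[ "$ACTION" = "pressed" ] && start
+
+else
+
+if [ "$ACTION" = "pressed" ] ; then
+
+stop
+
+elif [ "$ACTION" = "released" ] ; then
+
+while [ -e /var/run/pluto.pid ] ; do
+sleep 1
+done
+
+while ps auxww | grep ipsec | grep -v grep ; do
+sleep 1
+done
+
+start
+
+fi
+
+fi
+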
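Review bot: The wait loop `while ps auxww | grep ipsec | grep -v grep ; do` matches any process whose command line merely contains the word ipsec — `/etc/init.d/ipsec`, the `ipsec-wakeup` cron job and, depending on how the hotplug handler is invoked, this script itself — so the released action can spin forever before it ever calls start. The init script's own cleanup matches the daemon binaries by path with `/\/ipsec\//`; mirroring that here, `while ps auxww | grep '/ipsec/' | grep -v grep ; do`, pins the loop to the programs installed under `/usr/lib/ipsec`. Note also that sourcing `/etc/init.d/ipsec` pulls in start() and stop(), which `exit` on their failure paths, so a failed start terminates whatever shell sourced this handler instead of returning to it.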
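--- a/package/strongswan/files/ipsec.conf
+++ b/package/strongswan/files/ipsec.conf
@@ -0,0 +1,34 @@
+
+version 2.0
+
+config setup
+interfaces=%defaultroute
+nat_traversal=yes # required on both ends
+uniqueids=yes # makes sense on client, not server
+hidetos=no
+
+conn %default
+authby=rsasig
+keyingtries=3
+keyexchange=ike
+left=%defaultroute
+leftrsasigkey=%cert
+rightrsasigkey=%cert
+dpdtimeout=30 # keepalive must arrive within
+dpddelay=5 # secs before keepalives start
+compress=no # breaks double nat installations
+pfs=yes
+
+conn sample
+leftca=%same
+leftcert=my.certificate.crt
+leftsourceip=192.168.10.1
+leftsubnet=192.168.10.0/24
+right=my.vpn.concentrator.net.
+rightca=%same
+rightid="C=??, ST=??, O=??, OU=??, CN=my.vpn.concentrator.net, E=root@concentrator.net"
+rightsourceip=192.168.11.1
+rightsubnet=192.168.11.0/24
+dpdaction=hold
+auto=start
+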
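Review bot: `conn sample` is a placeholder (`leftcert=my.certificate.crt`, `right=my.vpn.concentrator.net.`, a `rightid` made of `??` fields) yet carries `auto=start`, and the Makefile installs this file verbatim as `/etc/ipsec.conf` while the init script only checks that the file exists before starting pluto. An unconfigured router will therefore try on every boot to negotiate with a peer that does not exist, logging failures, and with `dpdaction=hold` the connection stays in HOLD where the wakeup cron job keeps re-initiating it. Ship the template with `auto=ignore` (or `auto=add`) and a comment above it such as `# placeholder: rename, fill in certificate and peer, then set auto=start`.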
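--- a/package/strongswan/files/ipsec.config
+++ b/package/strongswan/files/ipsec.config
@@ -0,0 +1,21 @@
+
+# Configure button/light behavior here.
+config device
+option reset_button ses
+option status_start ses_orange
+option status_valid ses_white
+
+# iptables setup for traffic to/from this host
+config filter
+option rule_in input_rule
+option dest_in ACCEPT
+option rule_out output_rule
+option dest_out ACCEPT
+
+# iptables setup for traffic to/from another host
+config forward
+option rule_in forwarding_rule
+option dest_in forwarding_vpn_in
+option rule_out forwarding_rule
+option dest_out forwarding_vpn_out
+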
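Review bot: `option dest_in ACCEPT` and `option dest_out ACCEPT` under `config filter` make the per-tunnel rules that _updown inserts into input_rule/output_rule jump straight to ACCEPT, so every host on a peer's subnet can reach any service listening on the router itself; the _updown man page in this same commit says distributions will usually want something narrower. The `config forward` section already points at dedicated chains (forwarding_vpn_in/forwarding_vpn_out) that the firewall script can populate, and the filter section deserves the same shape. At minimum document the consequence in the file: `# ACCEPT admits the whole remote subnet to local services; point dest_in at a restrictive chain if this router exposes anything beyond the tunnel`.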
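--- a/package/strongswan/files/ipsec.cron
+++ b/package/strongswan/files/ipsec.cron
@@ -0,0 +1,2 @@
+#!/bin/sh
+/usr/sbin/ipsec wakeup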
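--- a/package/strongswan/files/ipsec.iface
+++ b/package/strongswan/files/ipsec.iface
@@ -0,0 +1,8 @@
+NAME=ipsec
+CTLFILE="/var/run/pluto.ctl"
+
+[ "$ACTION" = "ifup" -a "$INTERFACE" = "wan" ] || exit
+
+[ -e "$CTLFILE" ] || exit
+
+/etc/init.d/ipsec restart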
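Review bot: `NAME=ipsec` is assigned and never read in this handler, which looks like a leftover from an rc.common-style script; drop it or use it on the restart line. The interface name `wan` and the control-socket path are hard-coded with no explanation, so a one-line header such as `# restart pluto when the WAN interface comes up and a daemon is already running (control socket present)` would tell the next maintainer why both guards exist. The `$CTLFILE` guard means an ifup that fires before the init script has started the daemon is ignored, which is presumably intended since START=65 covers that case.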
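--- a/package/strongswan/files/ipsec.init
+++ b/package/strongswan/files/ipsec.init
@@ -0,0 +1,101 @@
+#!/bin/sh /etc/rc.common
+
+START=65
+
+config_cb() {
+local cfg="$CONFIG_SECTION"
+local cfgt
+config_get cfgt "$cfg" TYPE
+
+case "$cfgt" in
+device)
+config_get IPSEC_RESET_BUTTON $cfg reset_button
+config_get IPSEC_STATUS_LED_START $cfg status_start
+config_get IPSEC_STATUS_LED_VALID $cfg status_valid
+;;
+filter)
+config_get IPSEC_UPDOWN_RULE_IN $cfg rule_in
+config_get IPSEC_UPDOWN_DEST_IN $cfg dest_in
+config_get IPSEC_UPDOWN_RULE_OUT $cfg rule_out
+config_get IPSEC_UPDOWN_DEST_OUT $cfg dest_out
+;;
+forward)
+config_get IPSEC_UPDOWN_FWD_RULE_IN $cfg rule_in
+config_get IPSEC_UPDOWN_FWD_DEST_IN $cfg dest_in
+config_get IPSEC_UPDOWN_FWD_RULE_OUT $cfg rule_out
+config_get IPSEC_UPDOWN_FWD_DEST_OUT $cfg dest_out
+;;
+*)
+;;
+esac
+}
+
+config_load ipsec
+
+export IPSEC_RESET_BUTTON
+export IPSEC_STATUS_LED_START
+export IPSEC_STATUS_LED_VALID
+
+export IPSEC_UPDOWN_RULE_IN
+export IPSEC_UPDOWN_DEST_IN
+export IPSEC_UPDOWN_RULE_OUT
+export IPSEC_UPDOWN_DEST_OUT
+
+export IPSEC_UPDOWN_FWD_RULE_IN
+export IPSEC_UPDOWN_FWD_DEST_IN
+export IPSEC_UPDOWN_FWD_RULE_OUT
+export IPSEC_UPDOWN_FWD_DEST_OUT
+
+
+start() {
+
+[ -f /etc/ipsec.conf ] || exit
+[ -e /var/run/starter.pid ] && exit
+
+/usr/sbin/ipsec _showstatus start
+
+# stuff the dnsmasq cache in case dns is on our own subnet
+for peer in `grep left= /etc/ipsec.conf | \
+cut -f 1 -d% | cut -f 2 -d=` ; do
+ping -c 1 $peer > /dev/null 2>&1
+done
+
+/usr/sbin/ipsec start || exit
+
+# work around broken routing behavior:
+# a route to the local wan segment will appear
+# the need was removed in the patched _updown script
+
+while ! route -n | grep -q ipsec ; do sleep 1 ; done
+
+defint=`route -n | awk '/^0.0.0.0/{print $8}'`
+defnet=`route -n | grep $defint | awk '!/^0.0.0.0/{print $1}'`
+dnmask=`route -n | grep $defint | awk '!/^0.0.0.0/{print $3}'`
+tundev=`route -n | grep $defnet | awk '/ipsec/{print $8}'`
+
+route del -net $defnet netmask $dnmask dev $tundev
+}
+
+
+stop() {
+
+/usr/sbin/ipsec stop 2> /dev/null
+
+# wait until the shutdown actually happens
+while [ -e /var/run/starter.pid ] ; do
+if [ -d /proc/`cat /var/run/starter.pid` ] ; then
+sleep 1
+else
+rm /var/run/starter.pid
+fi
+done
+
+# kill any lingering processes
+while ps auxww | grep -q ipsec | grep -v init.d; do
+kill `ps auxww | grep -v init.d | awk '/\/ipsec\//{print $1}'` 2> /dev/null
+sleep 1
+done
+
+ipsec _showstatus stop
+}
+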
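Review bot: In stop(), `while ps auxww | grep -q ipsec | grep -v init.d; do` never iterates: `grep -q` exits on its first match and writes nothing, so the trailing `grep -v init.d` always sees empty input and returns non-zero, leaving the "kill any lingering processes" loop as dead code; reorder it to `while ps auxww | grep -v init.d | grep -q '/ipsec/'; do`, which is the same path pattern the awk on the next line already uses. In start(), `while ! route -n | grep -q ipsec ; do sleep 1 ; done` has no bound, so a tunnel that never comes up leaves the boot sequence (START=65) stuck inside this script, and the comment just above says the workaround it guards is no longer needed, so either remove the block or cap the wait. The dnsmasq warm-up `grep left= /etc/ipsec.conf` also matches leftcert=, leftsubnet= and leftsourceip=, handing ping a certificate filename and a CIDR while the peer hostname on right= is never resolved — presumably `right=` was intended. Finally, `exit` inside start()/stop() terminates whichever shell sourced this file (the button hotplug handler does), where `return 1` would hand control back.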
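--- a/package/strongswan/patches/100-ar-fixes.patch
+++ b/package/strongswan/patches/100-ar-fixes.patch
@@ -0,0 +1,76 @@
+diff -ruN strongswan-2.8.1-orig/lib/libcrypto/libaes/Makefile strongswan-2.8.1/lib/libcrypto/libaes/Makefile
+--- strongswan-2.8.1-orig/lib/libcrypto/libaes/Makefile 2004-03-22 16:53:16.000000000 -0500
++++ strongswan-2.8.1/lib/libcrypto/libaes/Makefile 2007-01-17 00:48:52.260789653 -0500
+@@ -25,10 +25,8 @@
+
+$(BLIB): $(LIBOBJ)
+/bin/rm -f $(BLIB)
+- ar cr $(BLIB) $(LIBOBJ)
+- -if test -s /bin/ranlib; then /bin/ranlib $(BLIB); \
+- else if test -s /usr/bin/ranlib; then /usr/bin/ranlib $(BLIB); \
+- else exit 0; fi; fi
++ $(AR) cr $(BLIB) $(LIBOBJ)
++ $(RANLIB) $(BLIB)
+
+testx: test_main_mac.o $(BLIB)
+$(CC) -o $@ $^
+diff -ruN strongswan-2.8.1-orig/lib/libcrypto/libblowfish/Makefile strongswan-2.8.1/lib/libcrypto/libblowfish/Makefile
+--- strongswan-2.8.1-orig/lib/libcrypto/libblowfish/Makefile 2004-03-22 16:53:16.000000000 -0500
++++ strongswan-2.8.1/lib/libcrypto/libblowfish/Makefile 2007-01-17 01:40:41.716879761 -0500
+@@ -58,7 +58,7 @@
+lib: $(LIB)
+
+$(LIB): $(LIBOBJ)
+- $(AR) $(LIB) $(LIBOBJ)
++ $(AR) -r $(LIB) $(LIBOBJ)
+$(RANLIB) $(LIB)
+
+# elf
+diff -ruN strongswan-2.8.1-orig/lib/libcrypto/libserpent/Makefile strongswan-2.8.1/lib/libcrypto/libserpent/Makefile
+--- strongswan-2.8.1-orig/lib/libcrypto/libserpent/Makefile 2004-03-22 16:53:16.000000000 -0500
++++ strongswan-2.8.1/lib/libcrypto/libserpent/Makefile 2007-01-17 00:50:37.692571031 -0500
+@@ -8,10 +8,8 @@
+
+$(BLIB): $(LIBOBJ)
+/bin/rm -f $(BLIB)
+- ar cr $(BLIB) $(LIBOBJ)
+- -if test -s /bin/ranlib; then /bin/ranlib $(BLIB); \
+- else if test -s /usr/bin/ranlib; then /usr/bin/ranlib $(BLIB); \
+- else exit 0; fi; fi
++ $(AR) cr $(BLIB) $(LIBOBJ)
++ $(RANLIB) $(BLIB)
+
+test: test_main.o $(BLIB)
+$(CC) -o $@ $^
+diff -ruN strongswan-2.8.1-orig/lib/libcrypto/libsha2/Makefile strongswan-2.8.1/lib/libcrypto/libsha2/Makefile
+--- strongswan-2.8.1-orig/lib/libcrypto/libsha2/Makefile 2004-03-22 16:53:16.000000000 -0500
++++ strongswan-2.8.1/lib/libcrypto/libsha2/Makefile 2007-01-17 00:50:46.050791555 -0500
+@@ -9,10 +9,8 @@
+
+$(BLIB): $(LIBOBJ)
+/bin/rm -f $(BLIB)
+- ar cr $(BLIB) $(LIBOBJ)
+- -if test -s /bin/ranlib; then /bin/ranlib $(BLIB); \
+- else if test -s /usr/bin/ranlib; then /usr/bin/ranlib $(BLIB); \
+- else exit 0; fi; fi
++ $(AR) cr $(BLIB) $(LIBOBJ)
++ $(RANLIB) $(BLIB)
+
+test: test_main.o $(BLIB)
+$(CC) -o $@ $^
+diff -ruN strongswan-2.8.1-orig/lib/libcrypto/libtwofish/Makefile strongswan-2.8.1/lib/libcrypto/libtwofish/Makefile
+--- strongswan-2.8.1-orig/lib/libcrypto/libtwofish/Makefile 2004-03-22 16:53:17.000000000 -0500
++++ strongswan-2.8.1/lib/libcrypto/libtwofish/Makefile 2007-01-17 00:50:53.533988997 -0500
+@@ -9,10 +9,8 @@
+
+$(BLIB): $(LIBOBJ)
+/bin/rm -f $(BLIB)
+- ar cr $(BLIB) $(LIBOBJ)
+- -if test -s /bin/ranlib; then /bin/ranlib $(BLIB); \
+- else if test -s /usr/bin/ranlib; then /usr/bin/ranlib $(BLIB); \
+- else exit 0; fi; fi
++ $(AR) cr $(BLIB) $(LIBOBJ)
++ $(RANLIB) $(BLIB)
+
+test: test_main.o $(BLIB)
+$(CC) -o $@ $^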
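Review bot: Every header in this patch references `strongswan-2.8.1-orig` / `strongswan-2.8.1`, while the package Makefile sets `PKG_VERSION:=2.8.2` and the 200-/210- patches are diffed against 2.8.2 trees; `patch -p1` strips the prefix so it still applies, but the drift invites stale-offset fuzz on the next version bump and misleads anyone re-diffing, so regenerate 100-, 110-, 120- and 130- against the 2.8.2 source. The libblowfish hunk uses `$(AR) -r $(LIB) $(LIBOBJ)` while the four other libraries use `$(AR) cr`; without `c` some ar implementations warn about creating the archive, so `+ $(AR) cr $(LIB) $(LIBOBJ)` would keep all five consistent.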
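--- a/package/strongswan/patches/110-make-ipsec.patch
+++ b/package/strongswan/patches/110-make-ipsec.patch
@@ -0,0 +1,10 @@
+diff -ruN strongswan-2.8.1-orig/programs/ipsec/Makefile strongswan-2.8.1/programs/ipsec/Makefile
+--- strongswan-2.8.1-orig/programs/ipsec/Makefile 2006-02-10 06:27:31.000000000 -0500
++++ strongswan-2.8.1/programs/ipsec/Makefile 2007-01-17 02:46:06.027124968 -0500
+@@ -24,5 +24,5 @@
+include ../Makefile.program
+
+install:: ipsec
+- @$(INSTALL) $(INSTBINFLAGS) ipsec $(RCDIR)/ipsec
++ @$(INSTALL) $(INSTBINFLAGS) -D ipsec $(RCDIR)/ipsec
+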
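--- a/package/strongswan/patches/120-make-pluto.patch
+++ b/package/strongswan/patches/120-make-pluto.patch
@@ -0,0 +1,12 @@
+diff -ruN strongswan-2.8.1-orig/programs/pluto/alg/Makefile strongswan-2.8.1/programs/pluto/alg/Makefile
+--- strongswan-2.8.1-orig/programs/pluto/alg/Makefile 2004-06-23 00:45:20.000000000 -0400
++++ strongswan-2.8.1/programs/pluto/alg/Makefile 2007-01-17 00:19:58.249033414 -0500
+@@ -20,7 +20,7 @@
+include Config.ike_alg
+
+LIBCRYPTO:=../../../lib/libcrypto
+-ALLFLAGS=$(CPPFLAGS) $(CFLAGS) -I .. -I- -I ../../../linux/include -I $(LIBCRYPTO)
++ALLFLAGS=$(CPPFLAGS) $(CFLAGS) -I .. -I- -I ../../../linux/include -I $(LIBCRYPTO) $(USERCOMPILE)
+LIBALG := libalg.o
+
+all : $(LIBALG)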
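--- a/package/strongswan/patches/130-make-starter.patch
+++ b/package/strongswan/patches/130-make-starter.patch
@@ -0,0 +1,20 @@
+diff -ruN strongswan-2.8.1-orig/programs/starter/Makefile strongswan-2.8.1/programs/starter/Makefile
+--- strongswan-2.8.1-orig/programs/starter/Makefile 2006-02-17 14:34:02.000000000 -0500
++++ strongswan-2.8.1/programs/starter/Makefile 2007-01-17 16:15:30.740490094 -0500
+@@ -16,7 +16,6 @@
+FREESWANSRCDIR?=$(shell cd ../..; pwd)
+include ${FREESWANSRCDIR}/Makefile.inc
+
+-LD=$(CC)
+RM=rm
+LEX=flex
+BISON=bison
+@@ -59,7 +58,7 @@
+all: starter
+
+starter: $(OBJS) $(FREESWANLIB)
+- $(LD) $(LDFLAGS) -o starter $(OBJS) $(LIBS)
++ $(CC) $(LDFLAGS) -o starter $(OBJS) $(LIBS)
+
+lex.yy.c: parser.tab.c parser.l parser.y parser.h
+$(LEX) parser.l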
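--- a/package/strongswan/patches/200-wakeup-showstatus.patch
+++ b/package/strongswan/patches/200-wakeup-showstatus.patch
@@ -0,0 +1,227 @@
+diff -ruN strongswan-2.8.2-orig/programs/Makefile strongswan-2.8.2/programs/Makefile
+--- strongswan-2.8.2-orig/programs/Makefile 2006-08-28 07:12:36.000000000 -0400
++++ strongswan-2.8.2/programs/Makefile 2007-02-05 00:27:47.214280563 -0500
+@@ -22,7 +22,7 @@
+SUBDIRS+=_realsetup _secretcensor _startklips _updown _updown_espmark
+SUBDIRS+=auto barf ipsec look manual ranbits secrets starter
+SUBDIRS+=rsasigkey send-pr setup showdefaults showhostkey calcgoo mailkey
+-SUBDIRS+=ikeping examples openac scepclient
++SUBDIRS+=ikeping examples openac scepclient _showstatus wakeup
+
+ifeq ($(USE_LWRES),true)
+SUBDIRS+=lwdnsq
+diff -ruN strongswan-2.8.2-orig/programs/_showstatus/Makefile strongswan-2.8.2/programs/_showstatus/Makefile
+--- strongswan-2.8.2-orig/programs/_showstatus/Makefile 1969-12-31 19:00:00.000000000 -0500
++++ strongswan-2.8.2/programs/_showstatus/Makefile 2007-02-05 00:31:11.380714322 -0500
+@@ -0,0 +1,22 @@
++# Makefile for miscelaneous programs
++# Copyright (C) 2002 Michael Richardson <mcr@freeswan.org>
++#
++# This program is free software; you can redistribute it and/or modify it
++# under the terms of the GNU General Public License as published by the
++# Free Software Foundation; either version 2 of the License, or (at your
++# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
++#
++# This program is distributed in the hope that it will be useful, but
++# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
++# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++# for more details.
++#
++# RCSID $Id: Makefile,v 1.3 2006/04/17 06:48:49 as Exp $
++
++FREESWANSRCDIR=../..
++include ${FREESWANSRCDIR}/Makefile.inc
++
++PROGRAM=_showstatus
++PROGRAMDIR=${LIBDIR}
++
++include ../Makefile.program
+diff -ruN strongswan-2.8.2-orig/programs/_showstatus/_showstatus.8 strongswan-2.8.2/programs/_showstatus/_showstatus.8
+--- strongswan-2.8.2-orig/programs/_showstatus/_showstatus.8 1969-12-31 19:00:00.000000000 -0500
++++ strongswan-2.8.2/programs/_showstatus/_showstatus.8 2007-02-05 00:36:00.650410824 -0500
+@@ -0,0 +1,23 @@
++.TH _showstatus 8 "03 Feb 2007"
++.\"
++.\" RCSID $Id: _showstatus.8
++.\"
++.SH NAME
++ipsec _showstatus \- give state feedback via led or other method
++.SH SYNOPSIS
++.I _showstatus
++is invoked by _updown to trigger led's, or other distribution
++or platform specific behavior. Presently, the SES button is
++supported as a status light on OpenWRT platforms. The button
++is configurable by environment variable:
++-B IPSEC_STATUS_LED_START
++defaults to ses_orange, and
++-B IPSEC_STATUS_LED_VALID
++defaults to ses_white.
++.SH "SEE ALSO"
++ipsec(8), ipsec_updown(8).
++.SH HISTORY
++Man page written for the Linux strongSwan project <http://www.strongswan.org/>
++by Kevin Cody Jr. Original manpage for _updown by Michael Richardson.
++Original program written by Henry Spencer. Extended for the Linux strongSwan
++project <http://www.strongswan.org/> by Andreas Steffen.
+diff -ruN strongswan-2.8.2-orig/programs/_showstatus/_showstatus.in strongswan-2.8.2/programs/_showstatus/_showstatus.in
+--- strongswan-2.8.2-orig/programs/_showstatus/_showstatus.in 1969-12-31 19:00:00.000000000 -0500
++++ strongswan-2.8.2/programs/_showstatus/_showstatus.in 2007-02-05 00:55:56.563116192 -0500
+@@ -0,0 +1,70 @@
++#! /bin/sh
++#
++# Copyright (C) 2007 Kevin Cody Jr. <kcody@vegaresearch.com>
++#
++# This program is free software; you can redistribute it and/or modify it
++# under the terms of the GNU General Public License as published by the
++# Free Software Foundation; either version 2 of the License, or (at your
++# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
++#
++# This program is distributed in the hope that it will be useful, but
++# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
++# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++# for more details.
++#
++# RCSID $Id: _showstatus.in
++
++
++LED_START=$IPSEC_STATUS_LED_START
++LED_VALID=$IPSEC_STATUS_LED_VALID
++
++[ -z "$LED_START" ] && LED_START="ses_orange"
++[ -z "$LED_VALID" ] && LED_VALID="ses_white"
++
++
++setled() {
++ led=$1
++ st=$2
++
++ [ -n "$led" -a -n "$st" ] || return
++
++ if [ -w "/proc/diag/led/$led" ] ; then
++ echo "$st" > "/proc/diag/led/$led"
++ fi
++
++ # integrate other led control methods here
++
++}
++
++
++case "$1" in
++ 'start')
++ [ -n "$LED_VALID" ] && setled "$LED_START" 1
++ [ -z "$LED_VALID" ] && setled "$LED_START" f
++ setled "$LED_VALID" 0
++ ;;
++ 'stop')
++ setled "$LED_START" 0
++ setled "$LED_VALID" 0
++ ;;
++ 'valid')
++ setled "$LED_VALID" 1
++ ;;
++ 'invalid')
++ setled "$LED_VALID" 0
++ ;;
++ 'up')
++ [ -n "$LED_VALID" ] && setled "$LED_START" 0
++ [ -z "$LED_VALID" ] && setled "$LED_START" 1
++ setled "$LED_VALID" 1
++ ;;
++ 'down')
++ [ -n "$LED_VALID" ] && setled "$LED_START" 1
++ [ -z "$LED_VALID" ] && setled "$LED_START" f
++ setled "$LED_VALID" f
++ ;;
++ *)
++ echo "$0: unknown status $status" >&2
++ ;;
++esac
++
+diff -ruN strongswan-2.8.2-orig/programs/wakeup/Makefile strongswan-2.8.2/programs/wakeup/Makefile
+--- strongswan-2.8.2-orig/programs/wakeup/Makefile 1969-12-31 19:00:00.000000000 -0500
++++ strongswan-2.8.2/programs/wakeup/Makefile 2007-02-05 00:28:03.960726309 -0500
+@@ -0,0 +1,22 @@
++# Makefile for miscelaneous programs
++# Copyright (C) 2002 Michael Richardson <mcr@freeswan.org>
++#
++# This program is free software; you can redistribute it and/or modify it
++# under the terms of the GNU General Public License as published by the
++# Free Software Foundation; either version 2 of the License, or (at your
++# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
++#
++# This program is distributed in the hope that it will be useful, but
++# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
++# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++# for more details.
++#
++# RCSID $Id: Makefile,v 1.3 2006/04/17 06:48:49 as Exp $
++
++FREESWANSRCDIR=../..
++include ${FREESWANSRCDIR}/Makefile.inc
++
++PROGRAM=wakeup
++PROGRAMDIR=${LIBDIR}
++
++include ../Makefile.program
+diff -ruN strongswan-2.8.2-orig/programs/wakeup/wakeup.8 strongswan-2.8.2/programs/wakeup/wakeup.8
+--- strongswan-2.8.2-orig/programs/wakeup/wakeup.8 1969-12-31 19:00:00.000000000 -0500
++++ strongswan-2.8.2/programs/wakeup/wakeup.8 2007-02-05 00:36:34.029298760 -0500
+@@ -0,0 +1,16 @@
++.TH wakeup 8 "03 Feb 2007"
++.\"
++.\" RCSID $Id: wakeup.8
++.\"
++.SH NAME
++ipsec wakeup \- stalled and down connection detection
++.SH SYNOPSIS
++.I wakeup
++is invoked by cron and checks ipsec status, whacking as necessary.
++.SH "SEE ALSO"
++ipsec(8), ipsec_whack(8).
++.SH HISTORY
++Man page written for the Linux strongSwan project <http://www.strongswan.org/>
++by Kevin Cody Jr. Original manpage for _updown by Michael Richardson.
++Original program written by Henry Spencer. Extended for the Linux strongSwan
++project <http://www.strongswan.org/> by Andreas Steffen.
+diff -ruN strongswan-2.8.2-orig/programs/wakeup/wakeup.in strongswan-2.8.2/programs/wakeup/wakeup.in
+--- strongswan-2.8.2-orig/programs/wakeup/wakeup.in 1969-12-31 19:00:00.000000000 -0500
++++ strongswan-2.8.2/programs/wakeup/wakeup.in 2007-02-05 00:28:03.961726336 -0500
+@@ -0,0 +1,38 @@
++#! /bin/sh
++# wakeup script
++#
++# Copyright (C) 2007 Kevin Cody Jr. <kcody@vegaresearch.com>
++#
++# This program is free software; you can redistribute it and/or modify it
++# under the terms of the GNU General Public License as published by the
++# Free Software Foundation; either version 2 of the License, or (at your
++# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
++#
++# This program is distributed in the hope that it will be useful, but
++# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
++# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++# for more details.
++#
++
++# only applicable when ipsec is running
++[ -e /var/run/pluto.pid ] || exit
++
++# loop through any erouted tunnels in the HOLD state
++for f in `ipsec status | awk '/erouted HOLD/{ print $2 }' | cut -f1 -d\: | cut -f2 -d\"` ; do
++
++ # only whack if no pending events at all exists
++ ipsec status | grep STATE | grep -q $f ||
++ ipsec whack --name $f --initiate --asynchronous
++
++done
++
++# loop through any tunnels that don't quite exist
++for f in `ipsec status | awk '/prospective erouted/{ print $2 }' | cut -f1 -d: | grep -v \# | cut -f2 -d\"` ; do
++
++ ipsec status | grep STATE_QUICK | grep -q $f || {
++ ipsec status | grep STATE_MAIN | grep -q $f && ipsec down $f
++ ipsec up $f
++ }
++
++done
++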
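Review bot: In `_showstatus.in` the fallthrough case prints `$status`, a variable that is never assigned anywhere in the script, so the diagnostic always reads "unknown status" with the offending argument missing; it should be `echo "$0: unknown status $1" >&2`. The `[ -z "$LED_VALID" ] && setled "$LED_START" f` lines in the start, up and down cases are unreachable because `[ -z "$LED_VALID" ] && LED_VALID="ses_white"` earlier guarantees the variable is non-empty, so either the default or the flashing branches should go. In `wakeup.in`, `grep -q $f` (three occurrences) treats the connection name as an unanchored regex, so a name that is a prefix of another, or contains a dot, is reported as having a state it does not have; `grep -qw -- "$f"` and quoting `"$f"` in the `ipsec whack`, `up` and `down` calls would make the checks exact.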
660
package/strongswan/patches/210-updown.patch
Normal file
660
package/strongswan/patches/210-updown.patch
Normal file
|
@ -0,0 +1,660 @@
|
||||||
|
diff -ruN strongswan-2.8.2-orig/programs/_updown/_updown.8 strongswan-2.8.2/programs/_updown/_updown.8
|
||||||
|
--- strongswan-2.8.2-orig/programs/_updown/_updown.8 2006-04-17 02:48:49.000000000 -0400
|
||||||
|
+++ strongswan-2.8.2/programs/_updown/_updown.8 2007-02-05 02:13:05.252612099 -0500
|
||||||
|
@@ -8,8 +8,23 @@
|
||||||
|
.I _updown
|
||||||
|
is invoked by pluto when it has brought up a new connection. This script
|
||||||
|
is used to insert the appropriate routing entries for IPsec operation.
|
||||||
|
-It can also be used to insert and delete dynamic iptables firewall rules.
|
||||||
|
-The interface to the script is documented in the pluto man page.
|
||||||
|
+It also inserts and deletes dynamic iptables firewall rules. IMPORTANT!
|
||||||
|
+By default, it will ACCEPT as appropriate on the INPUT, OUTPUT, FORWARD
|
||||||
|
+tables. Most distributions will want to change that to provide more
|
||||||
|
+flexibility in their firewall configuration.
|
||||||
|
+The script looks for the environment variables
|
||||||
|
+.B IPSEC_UPDOWN_RULE_IN
|
||||||
|
+for the iptables table it should insert into,
|
||||||
|
+.B IPSEC_UPDOWN_DEST_IN
|
||||||
|
+for where the rule should -j jump to,
|
||||||
|
+.B IPSEC_UPDOWN_RULE_OUT
|
||||||
|
+.B IPSEC_UPDOWN_DEST_OUT
|
||||||
|
+for the same on outgoing packets, and
|
||||||
|
+.B IPSEC_UPDOWN_FWD_RULE_IN
|
||||||
|
+.B IPSEC_UPDOWN_FWD_DEST_IN
|
||||||
|
+.B IPSEC_UPDOWN_FWD_RULE_OUT
|
||||||
|
+.B IPSEC_UPDOWN_FWD_DEST_OUT
|
||||||
|
+respectively for packets being forwarded to/from the local networks.
|
||||||
|
.SH "SEE ALSO"
|
||||||
|
ipsec(8), ipsec_pluto(8).
|
||||||
|
.SH HISTORY
|
||||||
|
diff -ruN strongswan-2.8.2-orig/programs/_updown/_updown.in strongswan-2.8.2/programs/_updown/_updown.in
|
||||||
|
--- strongswan-2.8.2-orig/programs/_updown/_updown.in 2006-04-17 11:06:29.000000000 -0400
|
||||||
|
+++ strongswan-2.8.2/programs/_updown/_updown.in 2007-02-05 02:08:24.969100428 -0500
|
||||||
|
@@ -5,6 +5,7 @@
|
||||||
|
# Copyright (C) 2003-2004 Tuomo Soini
|
||||||
|
# Copyright (C) 2002-2004 Michael Richardson
|
||||||
|
# Copyright (C) 2005-2006 Andreas Steffen <andreas.steffen@strongswan.org>
|
||||||
|
+# Copyright (C) 2007 Kevin Cody Jr <kcody@vegaresearch.com>
|
||||||
|
#
|
||||||
|
# This program is free software; you can redistribute it and/or modify it
|
||||||
|
# under the terms of the GNU General Public License as published by the
|
||||||
|
@@ -118,20 +119,61 @@
|
||||||
|
# restricted on the peer side.
|
||||||
|
#
|
||||||
|
|
||||||
|
-# uncomment to log VPN connections
|
||||||
|
-VPN_LOGGING=1
|
||||||
|
-#
|
||||||
|
+# set to /bin/true to silence log messages
|
||||||
|
+LOGGER=logger
|
||||||
|
+
|
||||||
|
# tag put in front of each log entry:
|
||||||
|
TAG=vpn
|
||||||
|
-#
|
||||||
|
+
|
||||||
|
# syslog facility and priority used:
|
||||||
|
-FAC_PRIO=local0.notice
|
||||||
|
-#
|
||||||
|
-# to create a special vpn logging file, put the following line into
|
||||||
|
-# the syslog configuration file /etc/syslog.conf:
|
||||||
|
-#
|
||||||
|
-# local0.notice -/var/log/vpn
|
||||||
|
-#
|
||||||
|
+FAC_PRIO=authpriv.info
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
|
||||||
|
+if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ] ; then
|
||||||
|
+ IPSEC_POLICY_IN=""
|
||||||
|
+ IPSEC_POLICY_OUT=""
|
||||||
|
+else
|
||||||
|
+ IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
|
||||||
|
+ IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
|
||||||
|
+ IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
|
||||||
|
+fi
|
||||||
|
+
|
||||||
|
+# are there port numbers?
|
||||||
|
+if [ "$PLUTO_MY_PORT" != 0 ] ; then
|
||||||
|
+ S_MY_PORT="--sport $PLUTO_MY_PORT"
|
||||||
|
+ D_MY_PORT="--dport $PLUTO_MY_PORT"
|
||||||
|
+fi
|
||||||
|
+
|
||||||
|
+if [ "$PLUTO_PEER_PORT" != 0 ] ; then
|
||||||
|
+ S_PEER_PORT="--sport $PLUTO_PEER_PORT"
|
||||||
|
+ D_PEER_PORT="--dport $PLUTO_PEER_PORT"
|
||||||
|
+fi
|
||||||
|
+
|
||||||
|
+# import firewall behavior
|
||||||
|
+IPT_RULE_IN=$IPSEC_UPDOWN_RULE_IN
|
||||||
|
+IPT_DEST_IN=$IPSEC_UPDOWN_DEST_IN
|
||||||
|
+IPT_RULE_OUT=$IPSEC_UPDOWN_RULE_OUT
|
||||||
|
+IPT_DEST_OUT=$IPSEC_UPDOWN_DEST_OUT
|
||||||
|
+
|
||||||
|
+# import forwarding behavior
|
||||||
|
+FWD_RULE_IN=$IPSEC_UPDOWN_FWD_RULE_IN
|
||||||
|
+FWD_DEST_IN=$IPSEC_UPDOWN_FWD_DEST_IN
|
||||||
|
+FWD_RULE_OUT=$IPSEC_UPDOWN_FWD_RULE_OUT
|
||||||
|
+FWD_DEST_OUT=$IPSEC_UPDOWN_FWD_DEST_OUT
|
||||||
|
+
|
||||||
|
+# default firewall behavior
|
||||||
|
+[ -z "$IPT_RULE_IN" ] && IPT_RULE_IN=INPUT
|
||||||
|
+[ -z "$IPT_DEST_IN" ] && IPT_DEST_IN=ACCEPT
|
||||||
|
+[ -z "$IPT_RULE_OUT" ] && IPT_RULE_OUT=OUTPUT
|
||||||
|
+[ -z "$IPT_DEST_OUT" ] && IPT_DEST_OUT=ACCEPT
|
||||||
|
+
|
||||||
|
+# default forwarding behavior
|
||||||
|
+[ -z "$FWD_RULE_IN" ] && FWD_RULE_IN=FORWARD
|
||||||
|
+[ -z "$FWD_DEST_IN" ] && FWD_DEST_IN=ACCEPT
|
||||||
|
+[ -z "$FWD_RULE_OUT" ] && FWD_RULE_OUT=FORWARD
|
||||||
|
+[ -z "$FWD_DEST_OUT" ] && FWD_DEST_OUT=ACCEPT
|
||||||
|
+
|
||||||
|
|
||||||
|
# check interface version
|
||||||
|
case "$PLUTO_VERSION" in
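Review bot: The port guards `if [ "$PLUTO_MY_PORT" != 0 ] ; then` and `if [ "$PLUTO_PEER_PORT" != 0 ] ; then` treat an unset or empty variable as a port, so `S_MY_PORT` would become `--sport ` with no value and the iptables calls built from it further down would most likely fail on a missing argument. The lines are moved rather than new, but this hunk now makes them the single place that shapes the port arguments, so test for a value as well: `if [ -n "$PLUTO_MY_PORT" -a "$PLUTO_MY_PORT" != 0 ] ; then` (and likewise for the peer port). The same hunk copies `IPSEC_UPDOWN_*` straight from the environment into iptables chain and target arguments; a comment above `# import firewall behavior` stating that these are trusted, administrator-set values (and what happens when they are unset) would help the next reader.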
|
||||||
|
@@ -150,8 +192,6 @@
|
||||||
|
case "$1:$*" in
|
||||||
|
':') # no parameters
|
||||||
|
;;
|
||||||
|
-iptables:iptables) # due to (left/right)firewall; for default script only
|
||||||
|
- ;;
|
||||||
|
custom:*) # custom parameters (see above CAUTION comment)
|
||||||
|
;;
|
||||||
|
*) echo "$0: unknown parameters \`$*'" >&2
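Review bot: Dropping the `iptables:iptables)` arm means an invocation carrying the `iptables` parameter, which the removed comment says comes from (left/right)firewall, now lands in the `*)` unknown-parameters arm; if that arm still exits (its body is outside the hunk), the per-connection firewall rules will never be installed for those connections. The `up-host:*)`/`down-host:*)` patterns added later in the file suggest the parameter is meant to be tolerated, so keep an accepting arm such as `iptables:iptables) ;;` with a comment that the rules are now always managed by upfirewall/downfirewall.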
|
||||||
|
@@ -159,345 +199,307 @@
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
|
||||||
|
+
|
||||||
|
# utility functions for route manipulation
|
||||||
|
# Meddling with this stuff should not be necessary and requires great care.
|
||||||
|
+
|
||||||
|
uproute() {
|
||||||
|
doroute add
|
||||||
|
ip route flush cache
|
||||||
|
}
|
||||||
|
+
|
||||||
|
downroute() {
|
||||||
|
doroute delete
|
||||||
|
ip route flush cache
|
||||||
|
}
|
||||||
|
|
||||||
|
+upfirewall() {
|
||||||
|
+ in_rule=$1
|
||||||
|
+ in_dest=$2
|
||||||
|
+ out_rule=$3
|
||||||
|
+ out_dest=$4
|
||||||
|
+
|
||||||
|
+ [ -n "$in_rule" -a -n "$in_dest" ] && \
|
||||||
|
+ iptables -I $in_rule 1 \
|
||||||
|
+ -i $PLUTO_INTERFACE \
|
||||||
|
+ -p $PLUTO_MY_PROTOCOL \
|
||||||
|
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
|
||||||
|
+ -d $PLUTO_MY_CLIENT $D_MY_PORT \
|
||||||
|
+ $IPSEC_POLICY_IN \
|
||||||
|
+ -j $in_dest
|
||||||
|
+
|
||||||
|
+ [ -n "$out_rule" -a -n "$out_dest" ] && \
|
||||||
|
+ iptables -I $out_rule 1 \
|
||||||
|
+ -o $PLUTO_INTERFACE \
|
||||||
|
+ -p $PLUTO_PEER_PROTOCOL \
|
||||||
|
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
|
||||||
|
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
|
||||||
|
+ $IPSEC_POLICY_OUT \
|
||||||
|
+ -j $out_dest
|
||||||
|
+
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+downfirewall() {
|
||||||
|
+ in_rule=$1
|
||||||
|
+ in_dest=$2
|
||||||
|
+ out_rule=$3
|
||||||
|
+ out_dest=$4
|
||||||
|
+
|
||||||
|
+ [ -n "$in_rule" -a -n "$in_dest" ] && \
|
||||||
|
+ iptables -D $in_rule \
|
||||||
|
+ -i $PLUTO_INTERFACE \
|
||||||
|
+ -p $PLUTO_MY_PROTOCOL \
|
||||||
|
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
|
||||||
|
+ -d $PLUTO_MY_CLIENT $D_MY_PORT \
|
||||||
|
+ $IPSEC_POLICY_IN \
|
||||||
|
+ -j $in_dest
|
||||||
|
+
|
||||||
|
+ [ -n "$out_rule" -a -n "$out_dest" ] && \
|
||||||
|
+ iptables -D $out_rule \
|
||||||
|
+ -o $PLUTO_INTERFACE \
|
||||||
|
+ -p $PLUTO_PEER_PROTOCOL \
|
||||||
|
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
|
||||||
|
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
|
||||||
|
+ $IPSEC_POLICY_OUT \
|
||||||
|
+ -j $out_dest
|
||||||
|
+
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
addsource() {
|
||||||
|
st=0
|
||||||
|
- if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
|
||||||
|
- then
|
||||||
|
+
|
||||||
|
+ if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local ; then
|
||||||
|
+
|
||||||
|
it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
|
||||||
|
oops="`eval $it 2>&1`"
|
||||||
|
st=$?
|
||||||
|
- if test " $oops" = " " -a " $st" != " 0"
|
||||||
|
- then
|
||||||
|
+
|
||||||
|
+ if [ " $oops" = " " -a " $st" != " 0" ] ; then
|
||||||
|
oops="silent error, exit status $st"
|
||||||
|
fi
|
||||||
|
- if test " $oops" != " " -o " $st" != " 0"
|
||||||
|
- then
|
||||||
|
+
|
||||||
|
+ if [ " $oops" != " " -o " $st" != " 0" ] ; then
|
||||||
|
echo "$0: addsource \`$it' failed ($oops)" >&2
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
+
|
||||||
|
return $st
|
||||||
|
}
|
||||||
|
|
||||||
|
doroute() {
|
||||||
|
st=0
|
||||||
|
parms="$PLUTO_PEER_CLIENT"
|
||||||
|
+ parms2="dev $PLUTO_INTERFACE"
|
||||||
|
|
||||||
|
- parms2=
|
||||||
|
- if [ -n "$PLUTO_NEXT_HOP" ]
|
||||||
|
- then
|
||||||
|
- parms2="via $PLUTO_NEXT_HOP"
|
||||||
|
- fi
|
||||||
|
- parms2="$parms2 dev $PLUTO_INTERFACE"
|
||||||
|
-
|
||||||
|
- if [ -z "$PLUTO_MY_SOURCEIP" ]
|
||||||
|
- then
|
||||||
|
- if [ -f /etc/sysconfig/defaultsource ]
|
||||||
|
- then
|
||||||
|
- . /etc/sysconfig/defaultsource
|
||||||
|
- fi
|
||||||
|
+ if [ -z "$PLUTO_MY_SOURCEIP" ] ; then
|
||||||
|
|
||||||
|
- if [ -f /etc/conf.d/defaultsource ]
|
||||||
|
- then
|
||||||
|
- . /etc/conf.d/defaultsource
|
||||||
|
- fi
|
||||||
|
+ [ -f /etc/sysconfig/defaultsource ] && \
|
||||||
|
+ . /etc/sysconfig/defaultsource
|
||||||
|
+
|
||||||
|
+ [ -f /etc/conf.d/defaultsource ] && \
|
||||||
|
+ . /etc/conf.d/defaultsource
|
||||||
|
+
|
||||||
|
+ [ -n "$DEFAULTSOURCE" ] && \
|
||||||
|
+ PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
|
||||||
|
|
||||||
|
- if [ -n "$DEFAULTSOURCE" ]
|
||||||
|
- then
|
||||||
|
- PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
|
||||||
|
- fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
parms3=
|
||||||
|
- if test "$1" = "add" -a -n "$PLUTO_MY_SOURCEIP"
|
||||||
|
- then
|
||||||
|
+ if [ "$1" = "add" -a -n "$PLUTO_MY_SOURCEIP" ] ; then
|
||||||
|
addsource
|
||||||
|
parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*}"
|
||||||
|
fi
|
||||||
|
|
||||||
|
- case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
|
||||||
|
- "0.0.0.0/0.0.0.0")
|
||||||
|
+ if [ "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" = \
|
||||||
|
+ "0.0.0.0/0.0.0.0" ] ; then
|
||||||
|
# opportunistic encryption work around
|
||||||
|
# need to provide route that eclipses default, without
|
||||||
|
# replacing it.
|
||||||
|
- it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
|
||||||
|
- ip route $1 128.0.0.0/1 $parms2 $parms3"
|
||||||
|
- ;;
|
||||||
|
- *) it="ip route $1 $parms $parms2 $parms3"
|
||||||
|
- ;;
|
||||||
|
- esac
|
||||||
|
+ it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
|
||||||
|
+ ip route $1 128.0.0.0/1 $parms2 $parms3"
|
||||||
|
+ else
|
||||||
|
+ it="ip route $1 $parms $parms2 $parms3"
|
||||||
|
+ fi
|
||||||
|
+
|
||||||
|
oops="`eval $it 2>&1`"
|
||||||
|
st=$?
|
||||||
|
- if test " $oops" = " " -a " $st" != " 0"
|
||||||
|
- then
|
||||||
|
- oops="silent error, exit status $st"
|
||||||
|
- fi
|
||||||
|
- if test " $oops" != " " -o " $st" != " 0"
|
||||||
|
- then
|
||||||
|
- echo "$0: doroute \`$it' failed ($oops)" >&2
|
||||||
|
+
|
||||||
|
+ if [ " $oops" = " " -a " $st" != " 0" ] ; then
|
||||||
|
+ oops="silent error, exit status $st"
|
||||||
|
fi
|
||||||
|
+
|
||||||
|
+ if [ " $oops" != " " -o " $st" != " 0" ] ; then
|
||||||
|
+ echo "$0: doroute \`$it' failed ($oops)" >&2
|
||||||
|
+ fi
|
||||||
|
+
|
||||||
|
return $st
|
||||||
|
}
|
||||||
|
-
|
||||||
|
-# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
|
||||||
|
-if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
|
||||||
|
-then
|
||||||
|
- IPSEC_POLICY_IN=""
|
||||||
|
- IPSEC_POLICY_OUT=""
|
||||||
|
-else
|
||||||
|
- IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
|
||||||
|
- IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
|
||||||
|
- IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
|
||||||
|
-fi
|
||||||
|
|
||||||
|
-# are there port numbers?
|
||||||
|
-if [ "$PLUTO_MY_PORT" != 0 ]
|
||||||
|
-then
|
||||||
|
- S_MY_PORT="--sport $PLUTO_MY_PORT"
|
||||||
|
- D_MY_PORT="--dport $PLUTO_MY_PORT"
|
||||||
|
-fi
|
||||||
|
-if [ "$PLUTO_PEER_PORT" != 0 ]
|
||||||
|
-then
|
||||||
|
- S_PEER_PORT="--sport $PLUTO_PEER_PORT"
|
||||||
|
- D_PEER_PORT="--dport $PLUTO_PEER_PORT"
|
||||||
|
-fi
|
||||||
|
+dologentry() {
|
||||||
|
+ action=$1
|
||||||
|
+
|
||||||
|
+ if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ] ; then
|
||||||
|
+ rem="$PLUTO_PEER"
|
||||||
|
+ else
|
||||||
|
+ rem="$PLUTO_PEER_CLIENT == $PLUTO_PEER"
|
||||||
|
+ fi
|
||||||
|
+
|
||||||
|
+ if [ "$PLUTO_MY_CLIENT" == "$PLUTO_ME/32" ] ; then
|
||||||
|
+ loc="$PLUTO_ME"
|
||||||
|
+ else
|
||||||
|
+ loc="$PLUTO_ME == $PLUTO_MY_CLIENT"
|
||||||
|
+ fi
|
||||||
|
+
|
||||||
|
+ $LOGGER -t $TAG -p $FAC_PRIO "$action $rem -- $loc ($PLUTO_PEER_ID)"
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
|
||||||
|
# the big choice
|
||||||
|
+
|
||||||
|
case "$PLUTO_VERB:$1" in
|
||||||
|
prepare-host:*|prepare-client:*)
|
||||||
|
# delete possibly-existing route (preliminary to adding a route)
|
||||||
|
- case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
|
||||||
|
- "0.0.0.0/0.0.0.0")
|
||||||
|
- # need to provide route that eclipses default, without
|
||||||
|
+
|
||||||
|
+ if [ "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" = \
|
||||||
|
+ "0.0.0.0/0.0.0.0" ] ; then
|
||||||
|
+ # need to remove the route that eclipses default, without
|
||||||
|
# replacing it.
|
||||||
|
- parms1="0.0.0.0/1"
|
||||||
|
- parms2="128.0.0.0/1"
|
||||||
|
- it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
|
||||||
|
- oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
|
||||||
|
- ;;
|
||||||
|
- *)
|
||||||
|
- parms="$PLUTO_PEER_CLIENT"
|
||||||
|
- it="ip route delete $parms 2>&1"
|
||||||
|
- oops="`ip route delete $parms 2>&1`"
|
||||||
|
- ;;
|
||||||
|
- esac
|
||||||
|
- status="$?"
|
||||||
|
- if test " $oops" = " " -a " $status" != " 0"
|
||||||
|
- then
|
||||||
|
- oops="silent error, exit status $status"
|
||||||
|
+ it="( ip route delete 0.0.0.0/1 ;
|
||||||
|
+ ip route delete 128.0.0.0/1 )"
|
||||||
|
+ else
|
||||||
|
+ it="ip route delete $PLUTO_PEER_CLIENT"
|
||||||
|
+ fi
|
||||||
|
+
|
||||||
|
+ oops="`$it 2>&1`"
|
||||||
|
+ st="$?"
|
||||||
|
+
|
||||||
|
+ if [ " $oops" = " " -a " $st" != " 0" ] ; then
|
||||||
|
+ oops="silent error, exit status $st"
|
||||||
|
fi
|
||||||
|
+
|
||||||
|
case "$oops" in
|
||||||
|
*'RTNETLINK answers: No such process'*)
|
||||||
|
# This is what route (currently -- not documented!) gives
|
||||||
|
# for "could not find such a route".
|
||||||
|
oops=
|
||||||
|
- status=0
|
||||||
|
+ st=0
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
- if test " $oops" != " " -o " $status" != " 0"
|
||||||
|
- then
|
||||||
|
+
|
||||||
|
+ if [ " $oops" != " " -o " $st" != " 0" ] ; then
|
||||||
|
echo "$0: \`$it' failed ($oops)" >&2
|
||||||
|
fi
|
||||||
|
- exit $status
|
||||||
|
+
|
||||||
|
+ exit $st
|
||||||
|
+
|
||||||
|
;;
|
||||||
|
route-host:*|route-client:*)
|
||||||
|
# connection to me or my client subnet being routed
|
||||||
|
+
|
||||||
|
+ ipsec _showstatus valid
|
||||||
|
uproute
|
||||||
|
+
|
||||||
|
;;
|
||||||
|
unroute-host:*|unroute-client:*)
|
||||||
|
# connection to me or my client subnet being unrouted
|
||||||
|
+
|
||||||
|
+ ipsec _showstatus invalid
|
||||||
|
downroute
|
||||||
|
+
|
||||||
|
;;
|
||||||
|
-up-host:)
|
||||||
|
+up-host:*)
|
||||||
|
# connection to me coming up
|
||||||
|
- # If you are doing a custom version, firewall commands go here.
|
||||||
|
+
|
||||||
|
+ ipsec _showstatus up
|
||||||
|
+ upfirewall $IPT_RULE_IN $IPT_DEST_IN $IPT_RULE_OUT $OUT_DEST_OUT
|
||||||
|
+ dologentry "VPN-UP"
|
||||||
|
+
|
||||||
|
;;
|
||||||
|
-down-host:)
|
||||||
|
+down-host:*)
|
||||||
|
# connection to me going down
|
||||||
|
- # If you are doing a custom version, firewall commands go here.
|
||||||
|
- ;;
|
||||||
|
-up-client:)
|
||||||
|
- # connection to my client subnet coming up
|
||||||
|
- # If you are doing a custom version, firewall commands go here.
|
||||||
|
- ;;
|
||||||
|
-down-client:)
|
||||||
|
- # connection to my client subnet going down
|
||||||
|
- # If you are doing a custom version, firewall commands go here.
|
||||||
|
+
|
||||||
|
+ ipsec _showstatus down
|
||||||
|
+ downfirewall $IPT_RULE_IN $IPT_DEST_IN $IPT_RULE_OUT $OUT_DEST_OUT
|
||||||
|
+ dologentry "VPN-DN"
|
||||||
|
+
|
||||||
|
;;
|
||||||
|
-up-host:iptables)
|
||||||
|
- # connection to me, with (left/right)firewall=yes, coming up
|
||||||
|
- # This is used only by the default updown script, not by your custom
|
||||||
|
- # ones, so do not mess with it; see CAUTION comment up at top.
|
||||||
|
- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
|
||||||
|
- -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
|
||||||
|
- -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
|
||||||
|
- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
|
||||||
|
- -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
|
||||||
|
- -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
|
||||||
|
- #
|
||||||
|
- # log IPsec host connection setup
|
||||||
|
- if [ $VPN_LOGGING ]
|
||||||
|
- then
|
||||||
|
- if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
|
||||||
|
- then
|
||||||
|
- logger -t $TAG -p $FAC_PRIO \
|
||||||
|
- "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME"
|
||||||
|
- else
|
||||||
|
- logger -t $TAG -p $FAC_PRIO \
|
||||||
|
- "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
|
||||||
|
- fi
|
||||||
|
- fi
|
||||||
|
- ;;
|
||||||
|
-down-host:iptables)
|
||||||
|
- # connection to me, with (left/right)firewall=yes, going down
|
||||||
|
- # This is used only by the default updown script, not by your custom
|
||||||
|
- # ones, so do not mess with it; see CAUTION comment up at top.
|
||||||
|
- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
|
||||||
|
- -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
|
||||||
|
- -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
|
||||||
|
- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
|
||||||
|
- -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
|
||||||
|
- -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
|
||||||
|
- #
|
||||||
|
- # log IPsec host connection teardown
|
||||||
|
- if [ $VPN_LOGGING ]
|
||||||
|
- then
|
||||||
|
- if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
|
||||||
|
- then
|
||||||
|
- logger -t $TAG -p $FAC_PRIO -- \
|
||||||
|
- "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME"
|
||||||
|
- else
|
||||||
|
- logger -t $TAG -p $FAC_PRIO -- \
|
||||||
|
- "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
|
||||||
|
- fi
|
||||||
|
- fi
|
||||||
|
- ;;
|
||||||
|
-up-client:iptables)
|
||||||
|
- # connection to client subnet, with (left/right)firewall=yes, coming up
|
||||||
|
- # This is used only by the default updown script, not by your custom
|
||||||
|
- # ones, so do not mess with it; see CAUTION comment up at top.
|
||||||
|
- if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
|
||||||
|
- then
|
||||||
|
- iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
|
||||||
|
- -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
|
||||||
|
- -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT \
|
||||||
|
- $IPSEC_POLICY_OUT -j ACCEPT
|
||||||
|
- iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
|
||||||
|
- -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
|
||||||
|
- -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \
|
||||||
|
- $IPSEC_POLICY_IN -j ACCEPT
|
||||||
|
+up-client:*)
|
||||||
|
+ # connection to client subnet coming up
|
||||||
|
+
|
||||||
|
+ ipsec _showstatus up
|
||||||
|
+
|
||||||
|
+ if [ "$PLUTO_MY_CLIENT" != "$PLUTO_ME/32" -a \
|
||||||
|
+ "$PLUTO_MY_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] ; then
|
||||||
|
+ upfirewall $FWD_RULE_IN $FWD_DEST_IN $FWD_RULE_OUT $FWD_DEST_OUT
|
||||||
|
fi
|
||||||
|
- #
|
||||||
|
+
|
||||||
|
# a virtual IP requires an INPUT and OUTPUT rule on the host
|
||||||
|
# or sometimes host access via the internal IP is needed
|
||||||
|
- if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
|
||||||
|
- then
|
||||||
|
- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
|
||||||
|
- -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
|
||||||
|
- -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \
|
||||||
|
- $IPSEC_POLICY_IN -j ACCEPT
|
||||||
|
- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
|
||||||
|
- -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
|
||||||
|
- -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT \
|
||||||
|
- $IPSEC_POLICY_OUT -j ACCEPT
|
||||||
|
- fi
|
||||||
|
- #
|
||||||
|
- # log IPsec client connection setup
|
||||||
|
- if [ $VPN_LOGGING ]
|
||||||
|
- then
|
||||||
|
- if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
|
||||||
|
- then
|
||||||
|
- logger -t $TAG -p $FAC_PRIO \
|
||||||
|
- "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
|
||||||
|
- else
|
||||||
|
- logger -t $TAG -p $FAC_PRIO \
|
||||||
|
- "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
|
||||||
|
- fi
|
||||||
|
- fi
|
||||||
|
- ;;
|
||||||
|
-down-client:iptables)
|
||||||
|
- # connection to client subnet, with (left/right)firewall=yes, going down
|
||||||
|
- # This is used only by the default updown script, not by your custom
|
||||||
|
- # ones, so do not mess with it; see CAUTION comment up at top.
|
||||||
|
- if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
|
||||||
|
- then
|
||||||
|
- iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
|
||||||
|
- -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
|
||||||
|
- -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT \
|
||||||
|
- $IPSEC_POLICY_OUT -j ACCEPT
|
||||||
|
- iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
|
||||||
|
- -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
|
||||||
|
- -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \
|
||||||
|
- $IPSEC_POLICY_IN -j ACCEPT
|
||||||
|
+ if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] ; then
|
||||||
|
+ upfirewall $IPT_RULE_IN $IPT_DEST_IN $IPT_RULE_OUT $OUT_DEST_OUT
|
||||||
|
+ fi
|
||||||
|
+
|
||||||
|
+ dologentry "VPN-UP"
|
||||||
|
+
|
||||||
|
+ ;;
|
||||||
|
+down-client:*)
|
||||||
|
+ # connection to client subnet going down
|
||||||
|
+
|
||||||
|
+ ipsec _showstatus down
|
||||||
|
+
|
||||||
|
+ if [ "$PLUTO_MY_CLIENT" != "$PLUTO_ME/32" -a \
|
||||||
|
+ "$PLUTO_MY_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] ; then
|
||||||
|
+ downfirewall $FWD_RULE_IN $FWD_DEST_IN $FWD_RULE_OUT $FWD_DEST_OUT
|
||||||
|
fi
|
||||||
|
- #
|
||||||
|
+
|
||||||
|
# a virtual IP requires an INPUT and OUTPUT rule on the host
|
||||||
|
# or sometimes host access via the internal IP is needed
|
||||||
|
- if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
|
||||||
|
- then
|
||||||
|
- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
|
||||||
|
- -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
|
||||||
|
- -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \
|
||||||
|
- $IPSEC_POLICY_IN -j ACCEPT
|
||||||
|
- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
|
||||||
|
- -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
|
||||||
|
- -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT \
|
||||||
|
- $IPSEC_POLICY_OUT -j ACCEPT
|
||||||
|
- fi
|
||||||
|
- #
|
||||||
|
- # log IPsec client connection teardown
|
||||||
|
- if [ $VPN_LOGGING ]
|
||||||
|
- then
|
||||||
|
- if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
|
||||||
|
- then
|
||||||
|
- logger -t $TAG -p $FAC_PRIO -- \
|
||||||
|
- "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
|
||||||
|
- else
|
||||||
|
- logger -t $TAG -p $FAC_PRIO -- \
|
||||||
|
- "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
|
||||||
|
- fi
|
||||||
|
+ if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] ; then
|
||||||
|
+ downfirewall $IPT_RULE_IN $IPT_DEST_IN $IPT_RULE_OUT $OUT_DEST_OUT
|
||||||
|
fi
|
||||||
|
+
|
||||||
|
+ dologentry "VPN-DN"
|
||||||
|
+
|
||||||
|
;;
|
||||||
|
-#
|
||||||
|
-# IPv6
|
||||||
|
-#
|
||||||
|
prepare-host-v6:*|prepare-client-v6:*)
|
||||||
|
+
|
||||||
|
;;
|
||||||
|
route-host-v6:*|route-client-v6:*)
|
||||||
|
# connection to me or my client subnet being routed
|
||||||
|
+
|
||||||
|
#uproute_v6
|
||||||
|
+
|
||||||
|
;;
|
||||||
|
unroute-host-v6:*|unroute-client-v6:*)
|
||||||
|
# connection to me or my client subnet being unrouted
|
||||||
|
+
|
||||||
|
#downroute_v6
|
||||||
|
+
|
||||||
|
;;
|
||||||
|
up-host-v6:*)
|
||||||
|
# connection to me coming up
|
||||||
|
# If you are doing a custom version, firewall commands go here.
|
||||||
|
+
|
||||||
|
;;
|
||||||
|
down-host-v6:*)
|
||||||
|
# connection to me going down
|
||||||
|
# If you are doing a custom version, firewall commands go here.
|
||||||
|
+
|
||||||
|
;;
|
||||||
|
up-client-v6:)
|
||||||
|
# connection to my client subnet coming up
|
||||||
|
# If you are doing a custom version, firewall commands go here.
|
||||||
|
+
|
||||||
|
;;
|
||||||
|
down-client-v6:)
|
||||||
|
# connection to my client subnet going down
|
||||||
|
# If you are doing a custom version, firewall commands go here.
|
||||||
|
+
|
||||||
|
;;
|
||||||
|
-*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
|
||||||
|
+*)
|
||||||
|
+ echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
|
||||||
|
exit 1
|
||||||
|
+
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
+
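Review bot: The four calls of the form `upfirewall $IPT_RULE_IN $IPT_DEST_IN $IPT_RULE_OUT $OUT_DEST_OUT` (two upfirewall, two downfirewall) reference `$OUT_DEST_OUT`, which is never set; the variable defined earlier is `IPT_DEST_OUT`. Because upfirewall guards on `[ -n "$out_rule" -a -n "$out_dest" ]`, the empty fourth argument silently skips the OUTPUT rule, so only the INPUT rule is ever inserted or deleted for host and virtual-IP connections; the fix is `$IPT_DEST_OUT` in all four places. In the prepare-host branch, `oops="`$it 2>&1`"` expands `$it` without `eval`, so the default-route form `it="( ip route delete 0.0.0.0/1 ; ip route delete 128.0.0.0/1 )"` tries to run a command named `(` instead of the two deletes; doroute above uses `oops="`eval $it 2>&1`"` and this branch should too. The `==` inside dologentry's `[ ... ]` tests is a bashism carried over from the old code and is not accepted by every POSIX `sh`; `=` is equivalent and portable.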
|
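--- /dev/null
+++ b/package/strongswan/patches/300-openwrt.patch
@@ -0,0 +1,24 @@
+diff -ruN strongswan-2.8.1-orig/Makefile.inc strongswan-2.8.1/Makefile.inc
+--- strongswan-2.8.1-orig/Makefile.inc 2007-01-11 16:42:11.000000000 -0500
++++ strongswan-2.8.1/Makefile.inc 2007-01-17 02:42:25.961297797 -0500
+@@ -123,7 +123,7 @@
+# With a non-null DESTDIR, INC_RCDEFAULT will be used unless one of the
+# INC_RCDIRS directories has been pre-created under DESTDIR.
+INC_RCDIRS=/etc/rc.d/init.d /etc/rc.d /etc/init.d /sbin/init.d
+-INC_RCDEFAULT=/etc/rc.d/init.d
++INC_RCDEFAULT=/etc/init.d
+
+# RCDIR is where boot/shutdown scripts go; FINALRCDIR is where they think
+# will finally be (so utils/Makefile can create a symlink in BINDIR to the
+diff -ruN strongswan-2.8.1-orig/programs/showhostkey/showhostkey.in strongswan-2.8.1/programs/showhostkey/showhostkey.in
+--- strongswan-2.8.1-orig/programs/showhostkey/showhostkey.in 2004-03-15 15:35:31.000000000 -0500
++++ strongswan-2.8.1/programs/showhostkey/showhostkey.in 2007-01-17 00:02:35.433150839 -0500
+@@ -62,7 +62,7 @@
+exit 1
+fi
+
+-host="`hostname --fqdn`"
++host="`cat /proc/sys/kernel/hostname`"
+
+awk ' BEGIN {
+inkey = 0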
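--- /dev/null
+++ b/package/strongswan/patches/310-make-ipsec-alg.patch
@@ -0,0 +1,18 @@
+diff -ruN strongswan-2.8.1-orig/linux/net/ipsec/alg/Makefile.alg_cryptoapi strongswan-2.8.1/linux/net/ipsec/alg/Makefile.alg_cryptoapi
+--- strongswan-2.8.1-orig/linux/net/ipsec/alg/Makefile.alg_cryptoapi 2004-03-22 16:53:19.000000000 -0500
++++ strongswan-2.8.1/linux/net/ipsec/alg/Makefile.alg_cryptoapi 2007-01-17 02:28:26.835241726 -0500
+@@ -1,10 +1,10 @@
+MOD_CRYPTOAPI := ipsec_cryptoapi.o
+
+ifneq ($(wildcard $(TOPDIR)/include/linux/crypto.h),)
+-ALG_MODULES += $(MOD_CRYPTOAPI)
+-obj-$(CONFIG_IPSEC_ALG_CRYPTOAPI) += $(MOD_CRYPTOAPI)
+-static_init-func-$(CONFIG_IPSEC_ALG_CRYPTOAPI)+= ipsec_cryptoapi_init
+-alg_obj-$(CONFIG_IPSEC_ALG_CRYPTOAPI) += ipsec_alg_cryptoapi.o
++#ALG_MODULES += $(MOD_CRYPTOAPI)
++#obj-$(CONFIG_IPSEC_ALG_CRYPTOAPI) += $(MOD_CRYPTOAPI)
++#static_init-func-$(CONFIG_IPSEC_ALG_CRYPTOAPI)+= ipsec_cryptoapi_init
++#alg_obj-$(CONFIG_IPSEC_ALG_CRYPTOAPI) += ipsec_alg_cryptoapi.o
+else
+$(warning "Linux CryptoAPI (2.4.22+ or 2.6.x) not found, not building ipsec_cryptoapi.o")
+endif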
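--- /dev/null
+++ b/package/strongswan/patches/320-no-modprobe.patch
@@ -0,0 +1,105 @@
+diff -ruN strongswan-2.8.1-orig/programs/starter/klips.c strongswan-2.8.1/programs/starter/klips.c
+--- strongswan-2.8.1-orig/programs/starter/klips.c 2006-02-15 13:33:57.000000000 -0500
++++ strongswan-2.8.1/programs/starter/klips.c 2007-01-16 23:57:19.107972109 -0500
+@@ -44,7 +44,7 @@
+unsetenv("MODPATH");
+unsetenv("MODULECONF");
+system("depmod -a >/dev/null 2>&1");
+- system("modprobe -qv ipsec");
++ system("insmod -qv ipsec");
+}
+if (stat(PROC_IPSECVERSION, &stb) == 0)
+{
+@@ -62,11 +62,11 @@
+/* make sure that all available crypto algorithms are loaded */
+if (stat(PROC_MODULES, &stb) == 0)
+{
+- system("modprobe -qv ipsec_aes");
+- system("modprobe -qv ipsec_serpent");
+- system("modprobe -qv ipsec_twofish");
+- system("modprobe -qv ipsec_blowfish");
+- system("modprobe -qv ipsec_sha2");
++ system("insmod -qv ipsec_aes");
++ system("insmod -qv ipsec_serpent");
++ system("insmod -qv ipsec_twofish");
++ system("insmod -qv ipsec_blowfish");
++ system("insmod -qv ipsec_sha2");
+}
+
+starter_klips_clear();
+diff -ruN strongswan-2.8.1-orig/programs/starter/netkey.c strongswan-2.8.1/programs/starter/netkey.c
+--- strongswan-2.8.1-orig/programs/starter/netkey.c 2006-02-15 13:33:57.000000000 -0500
++++ strongswan-2.8.1/programs/starter/netkey.c 2007-01-16 23:57:28.094204186 -0500
+@@ -36,7 +36,7 @@
+/* af_key module makes the netkey proc interface visible */
+if (stat(PROC_MODULES, &stb) == 0)
+{
+- system("modprobe -qv af_key");
++ system("insmod -qv af_key");
+}
+
+/* now test again */
+@@ -52,11 +52,11 @@
+/* make sure that all required IPsec modules are loaded */
+if (stat(PROC_MODULES, &stb) == 0)
+{
+- system("modprobe -qv ah4");
+- system("modprobe -qv esp4");
+- system("modprobe -qv ipcomp");
+- system("modprobe -qv xfrm4_tunnel");
+- system("modprobe -qv xfrm_user");
++ system("insmod -qv ah4");
++ system("insmod -qv esp4");
++ system("insmod -qv ipcomp");
++ system("insmod -qv xfrm4_tunnel");
++ system("insmod -qv xfrm_user");
+}
+
+DBG(DBG_CONTROL,
+diff -ruN strongswan-2.8.1-orig/programs/_startklips/_startklips.in strongswan-2.8.1/programs/_startklips/_startklips.in
+--- strongswan-2.8.1-orig/programs/_startklips/_startklips.in 2005-05-06 18:11:33.000000000 -0400
++++ strongswan-2.8.1/programs/_startklips/_startklips.in 2007-01-17 00:04:11.189627735 -0500
+@@ -249,7 +249,7 @@
+
+if test ! -f $ipsecversion && test ! -f $netkey
+then
+- modprobe -v af_key
++ insmod -v af_key
+fi
+
+if test -f $netkey
+@@ -257,11 +257,11 @@
+klips=false
+if test -f $modules
+then
+- modprobe -qv ah4
+- modprobe -qv esp4
+- modprobe -qv ipcomp
+- modprobe -qv xfrm4_tunnel
+- modprobe -qv xfrm_user
++ insmod -qv ah4
++ insmod -qv esp4
++ insmod -qv ipcomp
++ insmod -qv xfrm4_tunnel
++ insmod -qv xfrm_user
+fi
+fi
+
+@@ -272,7 +272,7 @@
+setmodule
+unset MODPATH MODULECONF # no user overrides!
+depmod -a >/dev/null 2>&1
+- modprobe -v ipsec
++ insmod -v ipsec
+fi
+if test ! -f $ipsecversion
+then
+@@ -288,7 +288,7 @@
+do
+if test -f $moduleinstplace/alg/ipsec_$alg.o
+then
+- modprobe ipsec_$alg
++ insmod ipsec_$alg
+fi
+done
+fi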
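Review bot: Swapping `modprobe` for `insmod` leaves the `depmod -a` calls untouched (`system("depmod -a >/dev/null 2>&1");` in klips.c and `depmod -a >/dev/null 2>&1` in _startklips.in), yet insmod does not consult the dependency database depmod produces, so that work is now dead and any module these depend on must already be loaded in the right order; a comment stating why insmod is preferred on this target would help the next maintainer. The `-qv` options are kept on every insmod call and none of the `system()` return values are checked, so an insmod that rejects those options would fail silently for every module; it is worth confirming the target's insmod accepts them. Whether dependency ordering actually bites here cannot be told from these hunks alone.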
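--- /dev/null
+++ b/package/strongswan/patches/350-make-programs.patch
@@ -0,0 +1,20 @@
+diff -ruN strongswan-2.8.2-orig/programs/Makefile strongswan-2.8.2/programs/Makefile
+--- strongswan-2.8.2-orig/programs/Makefile 2006-08-28 07:12:36.000000000 -0400
++++ strongswan-2.8.2/programs/Makefile 2007-02-04 01:24:18.751598552 -0500
+@@ -17,12 +17,10 @@
+FREESWANSRCDIR=..
+include ${FREESWANSRCDIR}/Makefile.inc
+
+-SUBDIRS=spi eroute spigrp tncfg klipsdebug pf_key proc pluto
+-SUBDIRS+=_confread _copyright _include _keycensor _plutoload _plutorun
+-SUBDIRS+=_realsetup _secretcensor _startklips _updown _updown_espmark
+-SUBDIRS+=auto barf ipsec look manual ranbits secrets starter
+-SUBDIRS+=rsasigkey send-pr setup showdefaults showhostkey calcgoo mailkey
+-SUBDIRS+=ikeping examples openac scepclient _showstatus wakeup
++SUBDIRS=_copyright _updown _showstatus wakeup examples
++SUBDIRS+=barf calcgoo eroute ikeping klipsdebug look mailkey manual
++SUBDIRS+=openac pf_key pluto proc ranbits rsasigkey scepclient secrets
++SUBDIRS+=showdefaults showhostkey spi spigrp starter tncfg ipsec
+
+ifeq ($(USE_LWRES),true)
+SUBDIRS+=lwdnsq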
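Review bot: The new SUBDIRS list drops `_startklips` (along with `_confread`, `_plutoload`, `_plutorun`, `_realsetup`, `auto`, `setup` and several others), but the 320-no-modprobe patch in this same commit edits `programs/_startklips/_startklips.in`; if that program is no longer built, those hunks have no effect and should either be dropped or `_startklips` re-added to the list. A one-line comment above `SUBDIRS=` naming the helpers intentionally left out for this target would keep a future version bump from re-adding them by accident.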