From ec8ba320d17653ac619a284dd6dd62e104531270 Mon Sep 17 00:00:00 2001 From: Bob Gilligan Date: Mon, 6 Apr 2009 16:38:48 -0700 Subject: Bugfix 2387: Don't list interfaces in ipsec config file. The "interfaces=..." entry in the /etc/ipsec.conf file needs to list the actual interfaces we are using only if the underlying kernel IPsec support is provided by KLIPS. In our case, we are using NETKEY, so we don't need to list our interfaces there. Not listing them makes ipsec startup a bit more robust. --- scripts/vpn-config.pl | 45 +++++++++++++++++++++++++++++---------------- 1 file changed, 29 insertions(+), 16 deletions(-) diff --git a/scripts/vpn-config.pl b/scripts/vpn-config.pl index bff9005..b6cecaa 100755 --- a/scripts/vpn-config.pl +++ b/scripts/vpn-config.pl @@ -54,6 +54,10 @@ my $error = 0; my $genout; my $genout_secrets; +# Set $using_klips to 1 if kernel IPsec support is provided by KLIPS. +# Set it to 0 us using NETKEY. +my $using_klips = 0; + $genout .= "# generated by $0\n\n"; $genout_secrets .= "# generated by $0\n\n"; 
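Review bot: The comment added above the new `$using_klips` declaration has a typo — `# Set it to 0 us using NETKEY.` should read `# Set it to 0 if using NETKEY.`. Because the value is a hard-coded constant rather than something detected from the running kernel, the comment should also make clear it is a static assumption about our kernel: a host that loads KLIPS instead would silently get `interfaces="%none"` from the branch below and attach no interfaces, with no error from this script. If the target kernels expose a distinguishing marker (KLIPS, as far as I recall, provides a `/proc/net/ipsec_version` entry that NETKEY does not), deriving the flag from that at startup would be more robust than the constant. Suggested wording: `# Set $using_klips to 1 if kernel IPsec support is provided by KLIPS, or to 0 if it is provided by NETKEY. This is a fixed assumption about our kernel, not detected at run time.`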
@@ -224,25 +228,34 @@ if ($vcVPN->exists('ipsec')) { $error = 1; print STDERR "VPN configuration error. No IPSEC interfaces specified.\n"; } else { - $genout .= "\tinterfaces=\""; - my $counter = 0; - foreach my $interface (@interfaces) { - if (!(-d "/sys/class/net/$interface")) { - next; - } - if ($counter > 0) { - $genout .= ' '; + # We need to generate an "interfaces=..." entry in the setup section + # only if the underlying IPsec kernel code we are using is KLIPS. + # If we are using NETKEY, the "interfaces=..." entry is essentially + # not used, though we do need to include the line and the keyword + # "%none" to keep the IPsec setup code from defaulting the entry. + if ($using_klips) { + $genout .= "\tinterfaces=\""; + my $counter = 0; + foreach my $interface (@interfaces) { + if (!(-d "/sys/class/net/$interface")) { + next; + } + if ($counter > 0) { + $genout .= ' '; + } + $genout .= "ipsec$counter=$interface"; + ++$counter; } - $genout .= "ipsec$counter=$interface"; - ++$counter; - } - if (hasLocalWildcard($vcVPN, 0)) { - if ($counter > 0) { - $genout .= ' '; + if (hasLocalWildcard($vcVPN, 0)) { + if ($counter > 0) { + $genout .= ' '; + } + $genout .= '%defaultroute'; } - $genout .= '%defaultroute'; + $genout .= "\"\n"; + } else { + $genout .= "\tinterfaces=\"%none\"\n"; } - $genout .= "\"\n"; } # -- cgit v1.2.3
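Review bot: On the branch actually taken with `$using_klips = 0`, the new code never validates the configured `@interfaces` — the `-d "/sys/class/net/$interface"` check now lives only inside `if ($using_klips)`, so a misspelled or nonexistent interface name is accepted silently, whereas the old code at least dropped it from the emitted list. The `No IPSEC interfaces specified` error a few lines up only catches the empty-list case. I would hoist an existence check above the `if ($using_klips)` and warn on STDERR for each missing interface (the KLIPS branch can keep its `next`), so operators still get feedback on NETKEY. The enclosing `if ($vcVPN->exists('ipsec'))` starts before this hunk.
```perl
    } else {
        # Report configured interfaces that do not exist on this system;
        # on NETKEY nothing else in this block looks at the list.
        foreach my $interface (@interfaces) {
            if (!(-d "/sys/class/net/$interface")) {
                print STDERR "Warning: IPsec interface $interface not found.\n";
            }
        }
        # … unchanged: explanatory comment and if ($using_klips) { … } else { … } …
```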