Import initial strongswan 2.7.0 version into SVN.

author: Rene Mayrhofer <rene@mayrhofer.eu.org> 2006-05-22 05:12:18 +0000
committer: Rene Mayrhofer <rene@mayrhofer.eu.org> 2006-05-22 05:12:18 +0000
commit: aa0f5b38aec14428b4b80e06f90ff781f8bca5f1 (patch)
tree: 95f3d0c8cb0d59d88900dbbd72110d7ab6e15b2a /testing/hosts/dave
parent: 7c383bc22113b23718be89fe18eeb251942d7356 (diff)
download: vyos-strongswan-aa0f5b38aec14428b4b80e06f90ff781f8bca5f1.tar.gz
vyos-strongswan-aa0f5b38aec14428b4b80e06f90ff781f8bca5f1.zip
10 files changed, 817 insertions, 0 deletions
diff --git a/testing/hosts/dave/etc/conf.d/hostname b/testing/hosts/dave/etc/conf.d/hostname
new file mode 100644
index 000000000..c3fabf331
--- /dev/null
+++ b/testing/hosts/dave/etc/conf.d/hostname
@@ -0,0 +1 @@
+HOSTNAME=dave
diff --git a/testing/hosts/dave/etc/conf.d/net b/testing/hosts/dave/etc/conf.d/net
new file mode 100644
index 000000000..db3753fb0
--- /dev/null
+++ b/testing/hosts/dave/etc/conf.d/net
@@ -0,0 +1,10 @@
+# /etc/conf.d/net:
+
+# This is basically the ifconfig argument without the ifconfig $iface
+#
+iface_lo="127.0.0.1 netmask 255.0.0.0"
+iface_eth0="PH_IP_DAVE broadcast 192.168.0.255 netmask 255.255.255.0"
+
+# For setting the default gateway
+#
+gateway="eth0/192.168.0.254"
diff --git a/testing/hosts/dave/etc/init.d/iptables b/testing/hosts/dave/etc/init.d/iptables
new file mode 100755
index 000000000..cd7ba23ff
--- /dev/null
+++ b/testing/hosts/dave/etc/init.d/iptables
@@ -0,0 +1,73 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+	before net
+	need logger
+}
+
+start() {
+	ebegin "Starting firewall"
+
+	# default policy is DROP
+	/sbin/iptables -P INPUT DROP
+	/sbin/iptables -P OUTPUT DROP
+	/sbin/iptables -P FORWARD DROP
+
+	# allow esp
+	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+	# allow IKE
+	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+	# allow crl fetch from winnetou
+	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+	# allow ssh
+	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
+	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+	
+			if [ $a == nat ]; then
+				/sbin/iptables -t nat -P PREROUTING ACCEPT
+				/sbin/iptables -t nat -P POSTROUTING ACCEPT
+				/sbin/iptables -t nat -P OUTPUT ACCEPT
+			elif [ $a == mangle ]; then
+				/sbin/iptables -t mangle -P PREROUTING ACCEPT
+				/sbin/iptables -t mangle -P INPUT ACCEPT
+				/sbin/iptables -t mangle -P FORWARD ACCEPT
+				/sbin/iptables -t mangle -P OUTPUT ACCEPT
+				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
+			elif [ $a == filter ]; then
+				/sbin/iptables -t filter -P INPUT ACCEPT
+				/sbin/iptables -t filter -P FORWARD ACCEPT
+				/sbin/iptables -t filter -P OUTPUT ACCEPT
+			fi
+		done
+	eend $?
+}
+
+reload() {
+	ebegin "Flushing firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+		done;
+        eend $?
+	start
+}
+
diff --git a/testing/hosts/dave/etc/init.d/net.eth0 b/testing/hosts/dave/etc/init.d/net.eth0
new file mode 100755
index 000000000..fa1200242
--- /dev/null
+++ b/testing/hosts/dave/etc/init.d/net.eth0
@@ -0,0 +1,314 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Technologies, Inc.
+# Distributed under the terms of the GNU General Public License v2
+
+#NB: Config is in /etc/conf.d/net
+
+if [[ -n $NET_DEBUG ]]; then
+	set -x
+	devnull=/dev/stderr
+else
+	devnull=/dev/null
+fi
+
+# For pcmcia users. note that pcmcia must be added to the same
+# runlevel as the net.* script that needs it.
+depend() {
+	use hotplug pcmcia
+}
+
+checkconfig() {
+	if [[ -z "${ifconfig_IFACE}" ]]; then
+		eerror "Please make sure that /etc/conf.d/net has \$ifconfig_$IFACE set"
+		eerror "(or \$iface_$IFACE for old-style configuration)"
+		return 1
+	fi
+	if [[ -n "${vlans_IFACE}" && ! -x /sbin/vconfig ]]; then
+		eerror "For VLAN (802.1q) support, emerge net-misc/vconfig"
+		return 1
+	fi
+}
+
+# Fix bug 50039 (init.d/net.eth0 localization)
+# Some other commands in this script might need to be wrapped, but
+# we'll get them one-by-one.  Note that LC_ALL trumps LC_anything_else
+# according to locale(7)
+ifconfig() {
+	LC_ALL=C /sbin/ifconfig "$@"
+}
+
+# setup_vars: setup variables based on $1 and content of /etc/conf.d/net
+# The following variables are set, which should be declared local by
+# the calling routine.
+#	status_IFACE			(up or '')
+#	vlans_IFACE				(space-separated list)
+#	ifconfig_IFACE			(array of ifconfig lines, replaces iface_IFACE)
+#	dhcpcd_IFACE			(command-line args for dhcpcd)
+#	routes_IFACE			(array of route lines)
+#	inet6_IFACE				(array of inet6 lines)
+#	ifconfig_fallback_IFACE	(fallback ifconfig if dhcp fails)
+setup_vars() {
+	local i iface="${1//\./_}"
+
+	status_IFACE="$(ifconfig ${1} 2>${devnull} | gawk '$1 == "UP" {print "up"}')"
+	eval vlans_IFACE=\"\$\{iface_${iface}_vlans\}\"
+	eval ifconfig_IFACE=( \"\$\{ifconfig_$iface\[@\]\}\" )
+	eval dhcpcd_IFACE=\"\$\{dhcpcd_$iface\}\"
+	eval routes_IFACE=( \"\$\{routes_$iface\[@\]\}\" )
+	eval inet6_IFACE=( \"\$\{inet6_$iface\[@\]\}\" )
+	eval ifconfig_fallback_IFACE=( \"\$\{ifconfig_fallback_$iface\[@\]\}\" )
+
+	# BACKWARD COMPATIBILITY: populate the ifconfig_IFACE array
+	# if iface_IFACE is set (fex. iface_eth0 instead of ifconfig_eth0)
+	eval local iface_IFACE=\"\$\{iface_$iface\}\"
+	if [[ -n ${iface_IFACE} && -z ${ifconfig_IFACE} ]]; then
+		# Make sure these get evaluated as arrays
+		local -a aliases broadcasts netmasks
+
+		# Start with the primary interface
+		ifconfig_IFACE=( "${iface_IFACE}" )
+
+		# ..then add aliases
+		eval aliases=( \$\{alias_$iface\} )
+		eval broadcasts=( \$\{broadcast_$iface\} )
+		eval netmasks=( \$\{netmask_$iface\} )
+		for ((i = 0; i < ${#aliases[@]}; i = i + 1)); do
+			ifconfig_IFACE[i+1]="${aliases[i]} ${broadcasts[i]:+broadcast ${broadcasts[i]}} ${netmasks[i]:+netmask ${netmasks[i]}}"
+		done
+	fi
+
+	# BACKWARD COMPATIBILITY: check for space-separated inet6 addresses
+	if [[ ${#inet6_IFACE[@]} == 1 && ${inet6_IFACE} == *' '* ]]; then
+		inet6_IFACE=( ${inet6_IFACE} )
+	fi
+}
+
+iface_start() {
+	local IFACE=${1} i x retval
+	checkconfig || return 1
+
+	if [[ ${ifconfig_IFACE} != dhcp ]]; then
+		# Show the address, but catch if this interface will be inet6 only
+		i=${ifconfig_IFACE%% *}
+		if [[ ${i} == *.*.*.* ]]; then
+			ebegin "Bringing ${IFACE} up (${i})"
+		else
+			ebegin "Bringing ${IFACE} up"
+		fi
+		# ifconfig does not always return failure ..
+		ifconfig ${IFACE} ${ifconfig_IFACE} >${devnull} && \
+		ifconfig ${IFACE} up &>${devnull}
+		eend $? || return $?
+	else
+		# Check that eth0 was not brought up by the kernel ...
+		if [[ ${status_IFACE} == up ]]; then
+			einfo "Keeping kernel configuration for ${IFACE}"
+		else
+			ebegin "Bringing ${IFACE} up via DHCP"
+			/sbin/dhcpcd ${dhcpcd_IFACE} ${IFACE}
+			retval=$?
+			eend $retval
+			if [[ $retval == 0 ]]; then
+				# DHCP succeeded, show address retrieved
+				i=$(ifconfig ${IFACE} | grep -m1 -o 'inet addr:[^ ]*' | 
+					cut -d: -f2)
+				[[ -n ${i} ]] && einfo "  ${IFACE} received address ${i}"
+			elif [[ -n "${ifconfig_fallback_IFACE}" ]]; then
+				# DHCP failed, try fallback.
+				# Show the address, but catch if this interface will be inet6 only
+				i=${ifconfig_fallback_IFACE%% *}
+				if [[ ${i} == *.*.*.* ]]; then
+					ebegin "Using fallback configuration (${i}) for ${IFACE}"
+				else
+					ebegin "Using fallback configuration for ${IFACE}"
+				fi
+				ifconfig ${IFACE} ${ifconfig_fallback_IFACE} >${devnull} && \
+				ifconfig ${IFACE} up &>${devnull}
+				eend $? || return $?
+			else
+				return $retval
+			fi
+		fi
+	fi
+
+	if [[ ${#ifconfig_IFACE[@]} -gt 1 ]]; then
+		einfo "  Adding aliases"
+		for ((i = 1; i < ${#ifconfig_IFACE[@]}; i = i + 1)); do
+			ebegin "    ${IFACE}:${i} (${ifconfig_IFACE[i]%% *})"
+			ifconfig ${IFACE}:${i} ${ifconfig_IFACE[i]}
+			eend $?
+		done
+	fi
+
+	if [[ -n ${inet6_IFACE} ]]; then
+		einfo "  Adding inet6 addresses"
+		for ((i = 0; i < ${#inet6_IFACE[@]}; i = i + 1)); do
+			ebegin "    ${IFACE} inet6 add ${inet6_IFACE[i]}"
+			ifconfig ${IFACE} inet6 add ${inet6_IFACE[i]} >${devnull}
+			eend $?
+		done
+	fi
+
+	# Set static routes
+	if [[ -n ${routes_IFACE} ]]; then
+		einfo "  Adding routes"
+		for ((i = 0; i < ${#routes_IFACE[@]}; i = i + 1)); do
+			ebegin "    ${routes_IFACE[i]}"
+			/sbin/route add ${routes_IFACE[i]}
+			eend $?
+		done
+	fi
+
+	# Set default route if applicable to this interface
+	if [[ ${gateway} == ${IFACE}/* ]]; then
+		local ogw=$(/bin/netstat -rn | awk '$1 == "0.0.0.0" {print $2}')
+		local gw=${gateway#*/}
+		if [[ ${ogw} != ${gw} ]]; then
+			ebegin "  Setting default gateway ($gw)"
+
+			# First delete any existing route if it was setup by kernel...
+			/sbin/route del default dev ${IFACE} &>${devnull}
+
+			# Second delete old gateway if it was set...
+			/sbin/route del default gw ${ogw} &>${devnull}
+
+			# Third add our new default gateway
+			/sbin/route add default gw ${gw} >${devnull}
+			eend $? || {
+				true # need to have some command in here
+				# Note: This originally called stop, which is obviously
+				# wrong since it's calling with a local version of IFACE.
+				# The below code works correctly to abort configuration of
+				# the interface, but is commented because we're assuming
+				# that default route failure should not cause the interface
+				# to be unconfigured.
+				#local error=$?
+				#ewarn "Aborting configuration of ${IFACE}"
+				#iface_stop ${IFACE}
+				#return ${error}
+			}
+		fi
+	fi
+
+	# Enabling rp_filter causes wacky packets to be auto-dropped by
+	# the kernel.  Note that we only do this if it is not set via
+	# /etc/sysctl.conf ...
+	if [[ -e /proc/sys/net/ipv4/conf/${IFACE}/rp_filter && \
+			-z "$(grep -s '^[^#]*rp_filter' /etc/sysctl.conf)" ]]; then
+		echo -n 1 > /proc/sys/net/ipv4/conf/${IFACE}/rp_filter
+	fi
+}
+
+# iface_stop: bring down an interface.  Don't trust information in
+# /etc/conf.d/net since the configuration might have changed since
+# iface_start ran.  Instead query for current configuration and bring
+# down the interface.
+iface_stop() {
+	local IFACE=${1} i x aliases inet6 count
+
+	# Try to do a simple down (no aliases, no inet6, no dhcp)
+	aliases="$(ifconfig | grep -o "^$IFACE:[0-9]*" | tac)"
+	inet6="$(ifconfig ${IFACE} | awk '$1 == "inet6" {print $2}')"
+	if [[ -z ${aliases} && -z ${inet6} && ! -e /var/run/dhcpcd-${IFACE}.pid ]]; then
+		ebegin "Bringing ${IFACE} down"
+		ifconfig ${IFACE} down &>/dev/null
+		eend 0
+		return 0
+	fi
+
+	einfo "Bringing ${IFACE} down"
+
+	# Stop aliases before primary interface.
+	# Note this must be done in reverse order, since ifconfig eth0:1 
+	# will remove eth0:2, etc.  It might be sufficient to simply remove 
+	# the base interface but we're being safe here.
+	for i in ${aliases} ${IFACE}; do
+
+		# Delete all the inet6 addresses for this interface
+		inet6="$(ifconfig ${i} | awk '$1 == "inet6" {print $3}')"
+		if [[ -n ${inet6} ]]; then
+			einfo "  Removing inet6 addresses"
+			for x in ${inet6}; do 
+				ebegin "    ${IFACE} inet6 del ${x}"
+				ifconfig ${i} inet6 del ${x}
+				eend $?
+			done
+		fi
+
+		# Stop DHCP (should be N/A for aliases)
+		# Don't trust current configuration... investigate ourselves
+		if /sbin/dhcpcd -z ${i} &>${devnull}; then
+			ebegin "  Releasing DHCP lease for ${IFACE}"
+			for ((count = 0; count < 9; count = count + 1)); do
+				/sbin/dhcpcd -z ${i} &>${devnull} || break
+				sleep 1
+			done
+			[[ ${count} -lt 9 ]]
+			eend $? "Timed out"
+		fi
+		ebegin "  Stopping ${i}"
+		ifconfig ${i} down &>${devnull}
+		eend 0
+	done
+
+	return 0
+}
+
+start() {
+	# These variables are set by setup_vars
+	local status_IFACE vlans_IFACE dhcpcd_IFACE 
+	local -a ifconfig_IFACE routes_IFACE inet6_IFACE
+
+	# Call user-defined preup function if it exists
+	if [[ $(type -t preup) == function ]]; then
+		einfo "Running preup function"
+		preup ${IFACE} || {
+			eerror "preup ${IFACE} failed"
+			return 1
+		}
+	fi
+
+	# Start the primary interface and aliases
+	setup_vars ${IFACE}
+	iface_start ${IFACE} || return 1
+
+	# Start vlans
+	local vlan
+	for vlan in ${vlans_IFACE}; do
+		/sbin/vconfig add ${IFACE} ${vlan} >${devnull}
+		setup_vars ${IFACE}.${vlan}
+		iface_start ${IFACE}.${vlan}
+	done
+
+	# Call user-defined postup function if it exists
+	if [[ $(type -t postup) == function ]]; then
+		einfo "Running postup function"
+		postup ${IFACE}
+	fi
+}
+
+stop() {
+	# Call user-defined predown function if it exists
+	if [[ $(type -t predown) == function ]]; then
+		einfo "Running predown function"
+		predown ${IFACE}
+	fi
+
+	# Don't depend on setup_vars since configuration might have changed.
+	# Investigate current configuration instead.
+	local vlan
+	for vlan in $(ifconfig | grep -o "^${IFACE}\.[^ ]*"); do
+		iface_stop ${vlan}
+		/sbin/vconfig rem ${vlan} >${devnull}
+	done
+
+	iface_stop ${IFACE} || return 1  # always succeeds, btw
+
+	# Call user-defined postdown function if it exists
+	if [[ $(type -t postdown) == function ]]; then
+		einfo "Running postdown function"
+		postdown ${IFACE}
+	fi
+}
+
+# vim:ts=4
diff --git a/testing/hosts/dave/etc/ipsec.conf b/testing/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..76623491c
--- /dev/null
+++ b/testing/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version	2.0	# conforms to second version of ipsec.conf specification
+
+config setup
+	plutodebug=control
+	crlcheckinterval=180
+	strictcrlpolicy=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+
+conn home
+	left=PH_IP_DAVE
+	leftcert=daveCert.pem
+	leftid=dave@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add
diff --git a/testing/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem
new file mode 100644
index 000000000..0de3b268d
--- /dev/null
+++ b/testing/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDtTCCAp2gAwIBAgIBADANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTA0MDkxMDExMDE0NVoXDTE0MDkwODExMDE0NVowRTELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9u
+Z1N3YW4gUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL/y
+X2LqPVZuWLPIeknK86xhz6ljd3NNhC2z+P1uoCP3sBMuZiZQEjFzhnKcbXxCeo2f
+FnvhOOjrrisSuVkzuu82oxXD3fIkzuS7m9V4E10EZzgmKWIf+WuNRfbgAuUINmLc
+4YGAXBQLPyzpP4Ou48hhz/YQo58Bics6PHy5v34qCVROIXDvqhj91P8g+pS+F21/
+7P+CH2jRcVIEHZtG8M/PweTPQ95dPzpYd2Ov6SZ/U7EWmbMmT8VcUYn1aChxFmy5
+gweVBWlkH6MP+1DeE0/tL5c87xo5KCeGK8Tdqpe7sBRC4pPEEHDQciTUvkeuJ1Pr
+K+1LwdqRxo7HgMRiDw8CAwEAAaOBrzCBrDAPBgNVHRMBAf8EBTADAQH/MAsGA1Ud
+DwQEAwIBBjAdBgNVHQ4EFgQUXafdcAZRMn7ntm2zteXgYOouTe8wbQYDVR0jBGYw
+ZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYD
+VQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3Qg
+Q0GCAQAwDQYJKoZIhvcNAQEEBQADggEBAJrXTj5gWS37myHHhii9drYwkMFyDHS/
+lHU8rW/drcnHdus507+qUhNr9SiEAHg4Ywj895UDvT0a1sFaw44QyEa/94iKA8/n
++g5kS1IrKvWu3wu8UI3EgzChgHV3cncQlQWbK+FI9Y3Ax1O1np1r+wLptoWpKKKE
+UxsYcxP9K4Nbyeon0AIHOajUheiL3t6aRc3m0o7VU7Do6S2r+He+1Zq/nRUfFeTy
+0Atebkn8tmUpPSKWaXkmwpVNrjZ1Qu9umAU+dtJyhzL2zmnyhPC4VqpsKCOp7imy
+gKZvUIKPm1zyf4T+yjwxwkiX2xVseoM3aKswb1EoZFelHwndU7u0GQ8=
+-----END CERTIFICATE-----
diff --git a/testing/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/hosts/dave/etc/ipsec.d/certs/daveCert.pem
new file mode 100644
index 000000000..abd1554e5
--- /dev/null
+++ b/testing/hosts/dave/etc/ipsec.d/certs/daveCert.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEIjCCAwqgAwIBAgIBCDANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTA0MDkxMDExMjY1MVoXDTA5MDkwOTExMjY1MVowWzELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xEzARBgNVBAsTCkFjY291
+bnRpbmcxHDAaBgNVBAMUE2RhdmVAc3Ryb25nc3dhbi5vcmcwggEiMA0GCSqGSIb3
+DQEBAQUAA4IBDwAwggEKAoIBAQDGbCmUY6inir71/6RWebegcLUTmDSxRqpRONDx
+2IRUEuES5EKc7qsjRz45XoqjiywCQRjYW33fUEEY6r7fnHk70CyUnWeZyr7v4D/2
+LjBN3smDE6/ZZrzxPx+xphlUigYOF/vt4gUiW1dOZ5rcnxG9+eNrSL6gWNNg1iuE
+RflSTbmHV6TVmGU2PGddKGZ6XfqWfdA+6iOi2+oyqw6aH4u4hfXhJyMROEOhLdAF
+UvzU9UizEXSqsmEOSodS9vypVJRYTbZcx70e9Q7g2MghHvtQY6mVgBzAwakDBCt/
+98lAlKDeXXOQqPcqAZSc2VjG8gEmkr1dum8wsJw8C2liKGRFAgMBAAGjggEFMIIB
+ATAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQU3pC10RxsZDx0UNNq
++Ihsoxk4+3IwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQD
+ExJzdHJvbmdTd2FuIFJvb3QgQ0GCAQAwHgYDVR0RBBcwFYETZGF2ZUBzdHJvbmdz
+d2FuLm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4u
+b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBBAUAA4IBAQAnotcnOE0tJDLy
+8Vh1+naT2zrxx9UxfMIeFljwhDqRiHXSLDAbCOnAWoqj8C9riuZwW7UImIIQ9JT9
+Gdktt4bbIcG25rGMC3uqP71CfaAz/SwIZZ2vm8Jt2ZzzSMHsE5qbjDIRAZnq6giR
+P2s6PVsMPSpvH34sRbE0UoWJSdtBZJP5bb+T4hc9gfmbyTewwMnjh09KkGJqVxKV
+UC/1z1U9zb3X1Gc9y+zI67/D46wM6KdRINaqPdK26aYRFM+/DLoTfFk07dsyz7lt
+0C+/ityQOvpfjVlZ/OepT92eWno4FuNRJuUP5/gYiHvSsjZbazqG02qGhJ6VgtGT
+5qILUTmI
+-----END CERTIFICATE-----
diff --git a/testing/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/hosts/dave/etc/ipsec.d/private/daveKey.pem
new file mode 100644
index 000000000..1cbaa183f
--- /dev/null
+++ b/testing/hosts/dave/etc/ipsec.d/private/daveKey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAxmwplGOop4q+9f+kVnm3oHC1E5g0sUaqUTjQ8diEVBLhEuRC
+nO6rI0c+OV6Ko4ssAkEY2Ft931BBGOq+35x5O9AslJ1nmcq+7+A/9i4wTd7JgxOv
+2Wa88T8fsaYZVIoGDhf77eIFIltXTmea3J8Rvfnja0i+oFjTYNYrhEX5Uk25h1ek
+1ZhlNjxnXShmel36ln3QPuojotvqMqsOmh+LuIX14ScjEThDoS3QBVL81PVIsxF0
+qrJhDkqHUvb8qVSUWE22XMe9HvUO4NjIIR77UGOplYAcwMGpAwQrf/fJQJSg3l1z
+kKj3KgGUnNlYxvIBJpK9XbpvMLCcPAtpYihkRQIDAQABAoIBAQCQP7nKotjNVFSX
+Sg4Sv9H61XUOlaxY5GKVQZTE/P7WkBMIROEYbXoE35og4tYvJtILoX+KapkLa7Cn
+iKDSt1J7ZU/DitryNy6v/HsDYXjEY55jqEBC8CmTyKwl3fa0OtNEE7OWsKXC4FyM
+J02x7gJb9fqa1/udXnXtBEYGl0g1x/vDmuhLgKyq6eliTm/orAyjGK2KfRxu06eS
+YUZObr25wC7yDLHCBsWHGNVC7ZyxQoxcPOu9WNwlWYu92ZJMdf3+rIgZSeXxCn3U
+3CWAC9tL1HnKC/twbyWEc2Gy0lZaQSgTJzaRtKOlqBTc5Szb4l1ibmyeAA7NanXK
+wnUYfiZRAoGBAOWW0+4lzZhWOxK/cYwM5+eoI66MhPECFVK2sL8iC34BKGFRCrSd
+YS/nugWiAu30knIBrw8z9BN0gYEfiE/EZyP5TbjtabKDN28xQa1+bw9Sr+5g5TcR
+HFvZRkJWSYGoIuVO22eXUh+1hwx3KZP/UX6pwkrc2dxQLxNk0mo/BexPAoGBAN0/
+geik9GNIjbKwSPLvIIwcmO4TZja2RJy9NCTJOrJZFpCII6HvOiO0eYx3+So+KblG
+n4AUxrhi4jq1/mAA+VUt4B9ywKH8xzGwhno78dJ1lvydpuzXSTHOEgsWh9Kme05P
+syt/t1C0ZkWqOKsBGk1f7dU9IOWuOkpVUbbMX10rAoGBALp0S5lUyiu1nDQVljmP
+IadZPeE77ZttfbO2+sO++mZSumCOWItmZM9q+gApGwf1YBmGlI1cPBSwwZwD58gg
+UUM97IkLBpQbTKHY9uXXkIp5NLf7qSuXkdhmFFE7kmbiDbT83eK7Wc62tf7Bp9qx
+t5WOeGQkCCqMVC8D6n6uwDixAoGABV4jErfdzgLWnT01p98xVPTkqPIDitRFOeBF
+QZc4O1d5+quy4ZziNjeMs2G9w86aSIp0GDFo2NRdVLtRnpande+U/m5UShnN42C7
+AoAtz8NWlG5mvFxExFaRjX9QcEXlu/KnECkbE3Qs/wewNEXkk3f+VywSfkAJ3f/P
+6bVvot0CgYBA1B9SXYhclR3KNZJPRuTn9OQ/TqLmcCMN62dIhPW4WZo2ixZH3YdS
+PE/bYmYfZUPt7MnOSNSnuLKineIf1Dipz0gjuSyFGAs5DE+N+8GWYo00n+0e3TLL
+pcBj4nOdIVPTZ31IFeVbi06dCYmzLPAGDeLe1M1Z7fakNky1Wv+Sdg==
+-----END RSA PRIVATE KEY-----
diff --git a/testing/hosts/dave/etc/ipsec.secrets b/testing/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..3fa796491
--- /dev/null
+++ b/testing/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,7 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA daveKey.pem
+
+
+
+
diff --git a/testing/hosts/dave/etc/runlevels/default/net.eth0 b/testing/hosts/dave/etc/runlevels/default/net.eth0
new file mode 100755
index 000000000..fa1200242
--- /dev/null
+++ b/testing/hosts/dave/etc/runlevels/default/net.eth0
@@ -0,0 +1,314 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Technologies, Inc.
+# Distributed under the terms of the GNU General Public License v2
+
+#NB: Config is in /etc/conf.d/net
+
+if [[ -n $NET_DEBUG ]]; then
+	set -x
+	devnull=/dev/stderr
+else
+	devnull=/dev/null
+fi
+
+# For pcmcia users. note that pcmcia must be added to the same
+# runlevel as the net.* script that needs it.
+depend() {
+	use hotplug pcmcia
+}
+
+checkconfig() {
+	if [[ -z "${ifconfig_IFACE}" ]]; then
+		eerror "Please make sure that /etc/conf.d/net has \$ifconfig_$IFACE set"
+		eerror "(or \$iface_$IFACE for old-style configuration)"
+		return 1
+	fi
+	if [[ -n "${vlans_IFACE}" && ! -x /sbin/vconfig ]]; then
+		eerror "For VLAN (802.1q) support, emerge net-misc/vconfig"
+		return 1
+	fi
+}
+
+# Fix bug 50039 (init.d/net.eth0 localization)
+# Some other commands in this script might need to be wrapped, but
+# we'll get them one-by-one.  Note that LC_ALL trumps LC_anything_else
+# according to locale(7)
+ifconfig() {
+	LC_ALL=C /sbin/ifconfig "$@"
+}
+
+# setup_vars: setup variables based on $1 and content of /etc/conf.d/net
+# The following variables are set, which should be declared local by
+# the calling routine.
+#	status_IFACE			(up or '')
+#	vlans_IFACE				(space-separated list)
+#	ifconfig_IFACE			(array of ifconfig lines, replaces iface_IFACE)
+#	dhcpcd_IFACE			(command-line args for dhcpcd)
+#	routes_IFACE			(array of route lines)
+#	inet6_IFACE				(array of inet6 lines)
+#	ifconfig_fallback_IFACE	(fallback ifconfig if dhcp fails)
+setup_vars() {
+	local i iface="${1//\./_}"
+
+	status_IFACE="$(ifconfig ${1} 2>${devnull} | gawk '$1 == "UP" {print "up"}')"
+	eval vlans_IFACE=\"\$\{iface_${iface}_vlans\}\"
+	eval ifconfig_IFACE=( \"\$\{ifconfig_$iface\[@\]\}\" )
+	eval dhcpcd_IFACE=\"\$\{dhcpcd_$iface\}\"
+	eval routes_IFACE=( \"\$\{routes_$iface\[@\]\}\" )
+	eval inet6_IFACE=( \"\$\{inet6_$iface\[@\]\}\" )
+	eval ifconfig_fallback_IFACE=( \"\$\{ifconfig_fallback_$iface\[@\]\}\" )
+
+	# BACKWARD COMPATIBILITY: populate the ifconfig_IFACE array
+	# if iface_IFACE is set (fex. iface_eth0 instead of ifconfig_eth0)
+	eval local iface_IFACE=\"\$\{iface_$iface\}\"
+	if [[ -n ${iface_IFACE} && -z ${ifconfig_IFACE} ]]; then
+		# Make sure these get evaluated as arrays
+		local -a aliases broadcasts netmasks
+
+		# Start with the primary interface
+		ifconfig_IFACE=( "${iface_IFACE}" )
+
+		# ..then add aliases
+		eval aliases=( \$\{alias_$iface\} )
+		eval broadcasts=( \$\{broadcast_$iface\} )
+		eval netmasks=( \$\{netmask_$iface\} )
+		for ((i = 0; i < ${#aliases[@]}; i = i + 1)); do
+			ifconfig_IFACE[i+1]="${aliases[i]} ${broadcasts[i]:+broadcast ${broadcasts[i]}} ${netmasks[i]:+netmask ${netmasks[i]}}"
+		done
+	fi
+
+	# BACKWARD COMPATIBILITY: check for space-separated inet6 addresses
+	if [[ ${#inet6_IFACE[@]} == 1 && ${inet6_IFACE} == *' '* ]]; then
+		inet6_IFACE=( ${inet6_IFACE} )
+	fi
+}
+
+iface_start() {
+	local IFACE=${1} i x retval
+	checkconfig || return 1
+
+	if [[ ${ifconfig_IFACE} != dhcp ]]; then
+		# Show the address, but catch if this interface will be inet6 only
+		i=${ifconfig_IFACE%% *}
+		if [[ ${i} == *.*.*.* ]]; then
+			ebegin "Bringing ${IFACE} up (${i})"
+		else
+			ebegin "Bringing ${IFACE} up"
+		fi
+		# ifconfig does not always return failure ..
+		ifconfig ${IFACE} ${ifconfig_IFACE} >${devnull} && \
+		ifconfig ${IFACE} up &>${devnull}
+		eend $? || return $?
+	else
+		# Check that eth0 was not brought up by the kernel ...
+		if [[ ${status_IFACE} == up ]]; then
+			einfo "Keeping kernel configuration for ${IFACE}"
+		else
+			ebegin "Bringing ${IFACE} up via DHCP"
+			/sbin/dhcpcd ${dhcpcd_IFACE} ${IFACE}
+			retval=$?
+			eend $retval
+			if [[ $retval == 0 ]]; then
+				# DHCP succeeded, show address retrieved
+				i=$(ifconfig ${IFACE} | grep -m1 -o 'inet addr:[^ ]*' | 
+					cut -d: -f2)
+				[[ -n ${i} ]] && einfo "  ${IFACE} received address ${i}"
+			elif [[ -n "${ifconfig_fallback_IFACE}" ]]; then
+				# DHCP failed, try fallback.
+				# Show the address, but catch if this interface will be inet6 only
+				i=${ifconfig_fallback_IFACE%% *}
+				if [[ ${i} == *.*.*.* ]]; then
+					ebegin "Using fallback configuration (${i}) for ${IFACE}"
+				else
+					ebegin "Using fallback configuration for ${IFACE}"
+				fi
+				ifconfig ${IFACE} ${ifconfig_fallback_IFACE} >${devnull} && \
+				ifconfig ${IFACE} up &>${devnull}
+				eend $? || return $?
+			else
+				return $retval
+			fi
+		fi
+	fi
+
+	if [[ ${#ifconfig_IFACE[@]} -gt 1 ]]; then
+		einfo "  Adding aliases"
+		for ((i = 1; i < ${#ifconfig_IFACE[@]}; i = i + 1)); do
+			ebegin "    ${IFACE}:${i} (${ifconfig_IFACE[i]%% *})"
+			ifconfig ${IFACE}:${i} ${ifconfig_IFACE[i]}
+			eend $?
+		done
+	fi
+
+	if [[ -n ${inet6_IFACE} ]]; then
+		einfo "  Adding inet6 addresses"
+		for ((i = 0; i < ${#inet6_IFACE[@]}; i = i + 1)); do
+			ebegin "    ${IFACE} inet6 add ${inet6_IFACE[i]}"
+			ifconfig ${IFACE} inet6 add ${inet6_IFACE[i]} >${devnull}
+			eend $?
+		done
+	fi
+
+	# Set static routes
+	if [[ -n ${routes_IFACE} ]]; then
+		einfo "  Adding routes"
+		for ((i = 0; i < ${#routes_IFACE[@]}; i = i + 1)); do
+			ebegin "    ${routes_IFACE[i]}"
+			/sbin/route add ${routes_IFACE[i]}
+			eend $?
+		done
+	fi
+
+	# Set default route if applicable to this interface
+	if [[ ${gateway} == ${IFACE}/* ]]; then
+		local ogw=$(/bin/netstat -rn | awk '$1 == "0.0.0.0" {print $2}')
+		local gw=${gateway#*/}
+		if [[ ${ogw} != ${gw} ]]; then
+			ebegin "  Setting default gateway ($gw)"
+
+			# First delete any existing route if it was setup by kernel...
+			/sbin/route del default dev ${IFACE} &>${devnull}
+
+			# Second delete old gateway if it was set...
+			/sbin/route del default gw ${ogw} &>${devnull}
+
+			# Third add our new default gateway
+			/sbin/route add default gw ${gw} >${devnull}
+			eend $? || {
+				true # need to have some command in here
+				# Note: This originally called stop, which is obviously
+				# wrong since it's calling with a local version of IFACE.
+				# The below code works correctly to abort configuration of
+				# the interface, but is commented because we're assuming
+				# that default route failure should not cause the interface
+				# to be unconfigured.
+				#local error=$?
+				#ewarn "Aborting configuration of ${IFACE}"
+				#iface_stop ${IFACE}
+				#return ${error}
+			}
+		fi
+	fi
+
+	# Enabling rp_filter causes wacky packets to be auto-dropped by
+	# the kernel.  Note that we only do this if it is not set via
+	# /etc/sysctl.conf ...
+	if [[ -e /proc/sys/net/ipv4/conf/${IFACE}/rp_filter && \
+			-z "$(grep -s '^[^#]*rp_filter' /etc/sysctl.conf)" ]]; then
+		echo -n 1 > /proc/sys/net/ipv4/conf/${IFACE}/rp_filter
+	fi
+}
+
+# iface_stop: bring down an interface.  Don't trust information in
+# /etc/conf.d/net since the configuration might have changed since
+# iface_start ran.  Instead query for current configuration and bring
+# down the interface.
+iface_stop() {
+	local IFACE=${1} i x aliases inet6 count
+
+	# Try to do a simple down (no aliases, no inet6, no dhcp)
+	aliases="$(ifconfig | grep -o "^$IFACE:[0-9]*" | tac)"
+	inet6="$(ifconfig ${IFACE} | awk '$1 == "inet6" {print $2}')"
+	if [[ -z ${aliases} && -z ${inet6} && ! -e /var/run/dhcpcd-${IFACE}.pid ]]; then
+		ebegin "Bringing ${IFACE} down"
+		ifconfig ${IFACE} down &>/dev/null
+		eend 0
+		return 0
+	fi
+
+	einfo "Bringing ${IFACE} down"
+
+	# Stop aliases before primary interface.
+	# Note this must be done in reverse order, since ifconfig eth0:1 
+	# will remove eth0:2, etc.  It might be sufficient to simply remove 
+	# the base interface but we're being safe here.
+	for i in ${aliases} ${IFACE}; do
+
+		# Delete all the inet6 addresses for this interface
+		inet6="$(ifconfig ${i} | awk '$1 == "inet6" {print $3}')"
+		if [[ -n ${inet6} ]]; then
+			einfo "  Removing inet6 addresses"
+			for x in ${inet6}; do 
+				ebegin "    ${IFACE} inet6 del ${x}"
+				ifconfig ${i} inet6 del ${x}
+				eend $?
+			done
+		fi
+
+		# Stop DHCP (should be N/A for aliases)
+		# Don't trust current configuration... investigate ourselves
+		if /sbin/dhcpcd -z ${i} &>${devnull}; then
+			ebegin "  Releasing DHCP lease for ${IFACE}"
+			for ((count = 0; count < 9; count = count + 1)); do
+				/sbin/dhcpcd -z ${i} &>${devnull} || break
+				sleep 1
+			done
+			[[ ${count} -lt 9 ]]
+			eend $? "Timed out"
+		fi
+		ebegin "  Stopping ${i}"
+		ifconfig ${i} down &>${devnull}
+		eend 0
+	done
+
+	return 0
+}
+
+start() {
+	# These variables are set by setup_vars
+	local status_IFACE vlans_IFACE dhcpcd_IFACE 
+	local -a ifconfig_IFACE routes_IFACE inet6_IFACE
+
+	# Call user-defined preup function if it exists
+	if [[ $(type -t preup) == function ]]; then
+		einfo "Running preup function"
+		preup ${IFACE} || {
+			eerror "preup ${IFACE} failed"
+			return 1
+		}
+	fi
+
+	# Start the primary interface and aliases
+	setup_vars ${IFACE}
+	iface_start ${IFACE} || return 1
+
+	# Start vlans
+	local vlan
+	for vlan in ${vlans_IFACE}; do
+		/sbin/vconfig add ${IFACE} ${vlan} >${devnull}
+		setup_vars ${IFACE}.${vlan}
+		iface_start ${IFACE}.${vlan}
+	done
+
+	# Call user-defined postup function if it exists
+	if [[ $(type -t postup) == function ]]; then
+		einfo "Running postup function"
+		postup ${IFACE}
+	fi
+}
+
+stop() {
+	# Call user-defined predown function if it exists
+	if [[ $(type -t predown) == function ]]; then
+		einfo "Running predown function"
+		predown ${IFACE}
+	fi
+
+	# Don't depend on setup_vars since configuration might have changed.
+	# Investigate current configuration instead.
+	local vlan
+	for vlan in $(ifconfig | grep -o "^${IFACE}\.[^ ]*"); do
+		iface_stop ${vlan}
+		/sbin/vconfig rem ${vlan} >${devnull}
+	done
+
+	iface_stop ${IFACE} || return 1  # always succeeds, btw
+
+	# Call user-defined postdown function if it exists
+	if [[ $(type -t postdown) == function ]]; then
+		einfo "Running postdown function"
+		postdown ${IFACE}
+	fi
+}
+
+# vim:ts=4
author	Rene Mayrhofer <rene@mayrhofer.eu.org>	2006-05-22 05:12:18 +0000
committer	Rene Mayrhofer <rene@mayrhofer.eu.org>	2006-05-22 05:12:18 +0000
commit	aa0f5b38aec14428b4b80e06f90ff781f8bca5f1 (patch)
tree	95f3d0c8cb0d59d88900dbbd72110d7ab6e15b2a /testing/hosts/dave
parent	7c383bc22113b23718be89fe18eeb251942d7356 (diff)
download	vyos-strongswan-aa0f5b38aec14428b4b80e06f90ff781f8bca5f1.tar.gz vyos-strongswan-aa0f5b38aec14428b4b80e06f90ff781f8bca5f1.zip