Diffstat (limited to 'programs/ipsec')
-rw-r--r-- | programs/ipsec/.cvsignore | 1 | ||||
-rw-r--r-- | programs/ipsec/Makefile | 28 | ||||
-rw-r--r-- | programs/ipsec/distro.txt | 1 | ||||
-rw-r--r-- | programs/ipsec/ipsec.8 | 336 | ||||
-rwxr-xr-x | programs/ipsec/ipsec.in | 244 |
5 files changed, 610 insertions, 0 deletions
diff --git a/programs/ipsec/.cvsignore b/programs/ipsec/.cvsignore
new file mode 100644
index 000000000..70025a7f8
--- /dev/null
+++ b/programs/ipsec/.cvsignore
@@ -0,0 +1 @@
+ipsec
diff --git a/programs/ipsec/Makefile b/programs/ipsec/Makefile
new file mode 100644
index 000000000..fdff3728a
--- /dev/null
+++ b/programs/ipsec/Makefile
@@ -0,0 +1,28 @@
+# Makefile for miscelaneous programs
+# Copyright (C) 2002 Michael Richardson <mcr@freeswan.org>
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# for more details.
+#
+# RCSID $Id: Makefile,v 1.2 2006/02/10 11:27:31 as Exp $
+
+FREESWANSRCDIR=../..
+include ${FREESWANSRCDIR}/Makefile.inc
+
+PROGRAM=ipsec
+PROGRAMDIR=${SBINDIR}
+MANPROGPREFIX:=./
+LIBFILES:=$(wildcard distro.txt)
+
+include ../Makefile.program
+
+install:: ipsec
+@$(INSTALL) $(INSTBINFLAGS) ipsec $(RCDIR)/ipsec
+
diff --git a/programs/ipsec/distro.txt b/programs/ipsec/distro.txt
new file mode 100644
index 000000000..80f4192a4
--- /dev/null
+++ b/programs/ipsec/distro.txt
@@ -0,0 +1 @@
+distributed by Andreas Steffen <andreas.steffen@strongswan.org>
diff --git a/programs/ipsec/ipsec.8 b/programs/ipsec/ipsec.8
new file mode 100644
index 000000000..823289372
--- /dev/null
+++ b/programs/ipsec/ipsec.8
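Review bot: The `install::` recipe copies the script to `$(RCDIR)/ipsec` without checking that `RCDIR` has a value, so a build whose `Makefile.inc` (not part of this diff) leaves it unset installs the file as `/ipsec`, and `$(INSTALL)` will not object. A guard such as `$(if $(strip $(RCDIR)),,$(error RCDIR is not set))` at the top of the rule, or at least `test -n "$(RCDIR)"` before the copy, turns that into a loud failure. `install` is also not declared `.PHONY` here, so a file of that name in the directory would mask the rule; `../Makefile.program` may already declare it, which is worth confirming rather than duplicating.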
@@ -0,0 +1,336 @@
+.TH IPSEC 8 "9 February 2006"
+.\" RCSID $Id: ipsec.8,v 1.3 2006/02/09 19:47:38 as Exp $
+.SH NAME
+ipsec \- invoke IPsec utilities
+.SH SYNOPSIS
+.B ipsec
+command [ argument ...]
+.sp
+.B ipsec start|update|reload|restart|stop
+.sp
+.B ipsec up|down|route|unroute
+\fIconnectionname\fP
+.sp
+.B ipsec status|statusall
+[
+\fIconnectionname\fP
+]
+.sp
+.B ipsec listalgs|listpubkeys|listcerts
+[
+.B \-\-utc
+]
+.br
+.B ipsec listcacerts|listaacerts|listocspcerts
+[
+.B \-\-utc
+]
+.br
+.B ipsec listacerts|listgroups|listcainfos
+[
+.B \-\-utc
+]
+.br
+.B ipsec listcrls|listocsp|listcards|listall
+[
+.B \-\-utc
+]
+.sp
+.B ipsec rereadsecrets|rereadgroups
+.br
+.B ipsec rereadcacerts|rereadaacerts|rereadocspcerts
+.br
+.B ipsec rereadacerts|rereadcrls|rereadall
+.sp
+.B ipsec purgeocsp
+.sp
+.B ipsec
+[
+.B \-\-help
+] [
+.B \-\-version
+] [
+.B \-\-versioncode
+] [
+.B \-\-copyright
+]
+.br
+.B ipsec
+[
+.B \-\-directory
+] [
+.B \-\-confdir
+]
+.SH DESCRIPTION
+.I Ipsec
+invokes any of several utilities involved in controlling the IPsec
+encryption/authentication system,
+running the specified
+.I command
+with the specified
+.IR argument s
+as if it had been invoked directly.
+This largely eliminates possible name collisions with other software,
+and also permits some centralized services.
+.PP
+The commands
+.BR start ,
+.BR update ,
+.BR reload ,
+.BR restart ,
+and
+.BR stop
+are built-in and are used to control the
+.BR "ipsec starter"
+utility, an extremely fast replacement for the traditional
+.BR ipsec
+.BR setup
+script.
+.PP
+The commands
+.BR up,
+.BR down,
+.BR route,
+.BR unroute,
+.BR status,
+.BR statusall,
+.BR listalgs,
+.BR listpubkeys,
+.BR listcerts,
+.BR listcacerts,
+.BR listaacerts,
+.BR listocspcerts,
+.BR listacerts,
+.BR listgroups,
+.BR listcainfos,
+.BR listcrls,
+.BR listocsp,
+.BR listcards,
+.BR listall,
+.BR rereadsecrets,
+.BR rereadgroups,
+.BR rereadcacerts,
+.BR rereadaacerts,
+.BR rereadocspcerts,
+.BR rereadacerts,
+.BR rereadcrls,
+and
+.BR rereadall
+are also built-in and completely replace the corresponding
+.BR "ipsec auto"
+\-\-\fIoperation\fP"
+commands. Communication with the pluto daemon happens via the
+.BR "ipsec whack"
+socket interface.
+.PP
+In particular,
+.I ipsec
+supplies the invoked
+.I command
+with a suitable PATH environment variable,
+and also provides IPSEC_DIR,
+IPSEC_CONFS, and IPSEC_VERSION environment variables,
+containing respectively
+the full pathname of the directory where the IPsec utilities are stored,
+the full pathname of the directory where the configuration files live,
+and the IPsec version number.
+.PP
+.B "ipsec start"
+calls
+.BR "ipsec starter"
+which in turn starts \fIpluto\fR.
+.PP
+.B "ipsec update"
+sends a \fIHUP\fR signal to
+.BR "ipsec starter"
+which in turn determines any changes in \fIipsec.conf\fR
+and updates the configuration on the running \fIpluto\fR daemon, correspondingly.
+.PP
+.B "ipsec reload"
+sends a \fIUSR1\fR signal to
+.BR "ipsec starter"
+which in turn reloads the whole configuration on the running \fIpluto\fR daemon
+based on the actual \fIipsec.conf\fR.
+.PP
+.B "ipsec restart"
+executes
+.B "ipsec stop"
+followed by
+.BR "ipsec start".
+.PP
+.B "ipsec stop"
+stops \fIipsec\fR by sending a \fITERM\fR signal to
+.BR "ipsec starter".
+.PP
+.B "ipsec up"
+\fIname\fP tells the \fIpluto\fP daemon to start up connection \fIname\fP.
+.PP
+.B "ipsec down"
+\fIname\fP tells the \fIpluto\fP daemon to take down connection \fIname\fP.
+.PP
+.B "ipsec route"
+\fIname\fP tells the \fIpluto\fP daemon to install a route for connection
+\fIname\fP.
+.PP
+.B "ipsec unroute"
+\fIname\fP tells the \fIpluto\fP daemon to take down the route for connection
+\fIname\fP.
+.PP
+.B "ipsec status"
+[ \fIname\fP ] gives concise status information either on connection
+\fIname\fP or if the \fIname\fP argument is lacking, on all connections.
+.PP
+.B "ipsec statusall"
+[ \fIname\fP ] gives detailed status information either on connection
+\fIname\fP or if the \fIname\fP argument is lacking, on all connections.
+.PP
+.B "ipsec listalgs"
+returns a list all supported IKE encryption and hash algorithms, the available
+Diffie-Hellman groups, as well as all supported ESP encryption and authentication
+algorithms.
+.PP
+.B "ipsec listpubkeys"
+returns a list of RSA public keys that were either loaded in raw key format
+or extracted from X.509 and|or OpenPGP certificates.
+.PP
+.B "ipsec listcerts"
+returns a list of X.509 and|or OpenPGP certificates that were loaded locally
+by the \fIpluto\fP daemon.
+.PP
+.B "ipsec listcacerts"
+returns a list of X.509 Certification Authority (CA) certificates that were
+loaded locally by the \fIpluto\fP daemon from the \fI/etc/ipsec.d/cacerts/\fP
+directory or received in PKCS#7-wrapped certificate payloads via the IKE
+protocol.
+.PP
+.B "ipsec listaacerts"
+returns a list of X.509 Authorization Authority (AA) certificates that were
+loaded locally by the \fIpluto\fP daemon from the \fI/etc/ipsec.d/aacerts/\fP
+directory.
+.PP
+.B "ipsec listocspcerts"
+returns a list of X.509 OCSP Signer certificates that were either loaded
+locally by the \fIpluto\fP daemon from the \fI/etc/ipsec.d/ocspcerts/\fP
+directory or were sent by an OCSP server.
+.PP
+.B "ipsec listacerts"
+returns a list of X.509 Attribute certificates that were loaded locally by
+the \fIpluto\fP daemon from the \fI/etc/ipsec.d/acerts/\fP directory.
+.PP
+.B "ipsec listgroups"
+returns a list of groups that are used to define user authorization profiles.
+.PP
+.B "ipsec listcainfos"
+returns certification authority information (CRL distribution points, OCSP URIs,
+LDAP servers) that were defined by
+.BR ca
+sections in \fIipsec.conf\fP.
+.PP
+.B "ipsec listcrls"
+returns a list of Certificate Revocation Lists (CRLs).
+.PP
+.B "ipsec listocsp"
+returns revocation information fetched from OCSP servers.
+.PP
+.B "ipsec listcards"
+returns a list of certificates residing on smartcards.
+.PP
+.B "ipsec listall"
+returns all information generated by the list commands above. Each list command
+can be called with the
+\-\-url
+option which displays all dates in UTC instead of local time.
+.PP
+.B "ipsec rereadsecrets"
+flushes and rereads all secrets defined in \fIipsec.conf\fP.
+.PP
+.B "ipsec rereadcacerts"
+reads all certificate files contained in the \fI/etc/ipsec.d/cacerts\fP
+directory and adds them to \fIpluto\fP's list of Certification Authority (CA) certificates.
+.PP
+.B "ipsec rereadaacerts"
+reads all certificate files contained in the \fI/etc/ipsec.d/aacerts\fP
+directory and adds them to \fIpluto\fP's list of Authorization Authority (AA) certificates.
+.PP
+.B "ipsec rereadocspcerts"
+reads all certificate files contained in the \fI/etc/ipsec.d/ocspcerts/\fP
+directory and adds them to \fIpluto\fP's list of OCSP signer certificates.
+.PP
+.B "ipsec rereadacerts"
+operation reads all certificate files contained in the \fI/etc/ipsec.d/acerts/\fP
+directory and adds them to \fIpluto\fP's list of attribute certificates.
+.PP
+.B "ipsec rereadcrls"
+reads all Certificate Revocation Lists (CRLs) contained in the
+\fI/etc/ipsec.d/crls/\fP directory and adds them to \fIpluto\fP's list of CRLs.
+.PP
+.B "ipsec rereadall"
+is equivalent to the execution of \fBrereadsecrets\fP,
+\fBrereadcacerts\fP, \fBrereadaacerts\fP, \fBrereadocspcerts\fP,
+\fBrereadacerts\fP, and \fBrereadcrls\fP.
+.PP
+.B "ipsec \-\-help"
+lists the available commands.
+Most have their own manual pages, e.g.
+.IR ipsec_auto (8)
+for
+.IR auto .
+.PP
+.B "ipsec \-\-version"
+outputs version information about Linux strongSwan.
+A version code of the form ``U\fIxxx\fR/K\fIyyy\fR''
+indicates that the user-level utilities are version \fIxxx\fR
+but the kernel portion appears to be version \fIyyy\fR
+(this form is used only if the two disagree).
+.PP
+.B "ipsec \-\-versioncode"
+outputs \fIjust\fR the version code,
+with none of
+.BR \-\-version 's
+supporting information,
+for use by scripts.
+.PP
+.B "ipsec \-\-copyright"
+supplies boring copyright details.
+.PP
+.B "ipsec \-\-directory"
+reports where
+.I ipsec
+thinks the IPsec utilities are stored.
+.PP
+.B "ipsec \-\-confdir"
+reports where
+.I ipsec
+thinks the IPsec configuration files are stored.
+.SH FILES
+/usr/local/lib/ipsec usual utilities directory
+.SH ENVIRONMENT
+.PP
+The following environment variables control where strongSwan finds its
+components.
+The
+.B ipsec
+command sets them if they are not already set.
+.nf
+.na
+IPSEC_EXECDIR directory containing published commands
+IPSEC_LIBDIR directory containing internal executables
+IPSEC_SBINDIR directory containing \fBipsec\fP command
+IPSEC_CONFS directory containing configuration files
+.ad
+.fi
+.SH SEE ALSO
+.hy 0
+.na
+ipsec.conf(5), ipsec.secrets(5),
+ipsec_barf(8),
+.ad
+.hy
+.PP
+.SH HISTORY
+Written for Linux FreeS/WAN
+<http://www.freeswan.org>
+by Henry Spencer.
+Updated and extended for Linux strongSwan
+<http://www.strongswan.org>
+by Andreas Steffen.
diff --git a/programs/ipsec/ipsec.in b/programs/ipsec/ipsec.in
new file mode 100755
index 000000000..0616561d8
--- /dev/null
+++ b/programs/ipsec/ipsec.in
@@ -0,0 +1,244 @@
+#! /bin/sh
+# prefix command to run stuff from our programs directory
+# Copyright (C) 1998-2002 Henry Spencer.
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# for more details.
+#
+# RCSID $Id: ipsec.in,v 1.13 2006/03/09 20:09:33 as Exp $
+
+IPSEC_NAME=strongSwan
+
+# where the private directory and the config files are
+IPSEC_EXECDIR="${IPSEC_EXECDIR-@IPSEC_EXECDIR@}"
+IPSEC_LIBDIR="${IPSEC_LIBDIR-@IPSEC_LIBDIR@}"
+IPSEC_SBINDIR="${IPSEC_SBINDIR-@IPSEC_SBINDIR@}"
+IPSEC_CONFS="${IPSEC_CONFS-@IPSEC_CONFS@}"
+
+IPSEC_DIR="$IPSEC_LIBDIR"
+export IPSEC_DIR IPSEC_CONFS IPSEC_LIBDIR IPSEC_EXECDIR
+
+IPSEC_STARTER_PID="/var/run/starter.pid"
+
+# standardize PATH, and export it for everything else's benefit
+PATH="${IPSEC_SBINDIR}":/sbin:/usr/sbin:/usr/local/bin:/bin:/usr/bin
+export PATH
+
+# things not to be listed in --help command list
+DONTMENTION='^(ipsec|_.*|.*\.old|.*~)$'
+
+# version numbering (details filled in by build)
+# Possibly should call a C program to invoke the version_code() function
+# instead, but for performance's sake, we inline it here (and only here).
+version="xxx"
+
+# export the version information
+IPSEC_VERSION="$version"
+export IPSEC_VERSION
+
+# function for the funky user/kernel version stuff
+fixversion() {
+ if test -f /proc/net/ipsec_version
+ then
+ stack=" (KLIPS)"
+ kv="`awk '{print $NF}' /proc/net/ipsec_version`"
+ else
+ if test -f /proc/net/pfkey
+ then
+ stack=" (native)"
+ kv="`uname -r`"
+ else
+ kv="(no kernel code presently loaded)"
+ fi
+ fi
+ if test " $kv" != " $version"
+ then
+ version="U$version/K$kv"
+ fi
+ version="$version$stack"
+}
+
+case "$1" in
+'')
+ echo "Usage: ipsec command argument ..."
+ echo "Use --help for list of commands, or see ipsec(8) manual page"
+ echo "or the $IPSEC_NAME documentation for names of the common ones."
+ echo "Most have their own manual pages, e.g. ipsec_auto(8)."
+ echo "See <http://www.strongswan.org> for more general info."
+ exit 0
+ ;;
+--help)
+ echo "Usage: ipsec command argument ..."
+ echo "where command is one of:"
+ echo " start|restart arguments..."
+ echo " update|reload|stop"
+ echo " up|down|route|unroute <connectionname>"
+ echo " status|statusall [<connectionname>]"
+ echo " ready"
+ echo " listalgs|listpubkeys|listcerts [--utc]"
+ echo " listcacerts|listaacerts|listocspcerts [--utc]"
+ echo " listacerts|listgroups|listcainfos [--utc]"
+ echo " listcrls|listocsp|listcards|listall [--utc]"
+ echo " rereadsecrets|rereadgroups"
+ echo " rereadcacerts|rereadaacerts|rereadocspcerts"
+ echo " rereadacerts|rereadcrls|rereadall"
+ echo " purgeocsp"
+ echo " scencrypt|scdecrypt <value> [--inbase <base>] [--outbase <base>] [--keyid <id>]"
+ echo " barf"
+ echo " openac"
+ echo " pluto"
+ echo " scepclient"
+ echo " secrets"
+ echo " starter"
+ echo " version"
+ echo " whack"
+ echo
+ echo "Some of these functions have their own manual pages, e.g. ipsec_scepclient(8)."
+ exit 0
+ ;;
+--versioncode)
+ fixversion
+ echo "$version"
+ exit 0
+ ;;
+--copyright)
+ set _copyright
+ # and fall through, invoking "ipsec _copyright"
+ ;;
+--directory)
+ echo "$IPSEC_DIR"
+ exit 0
+ ;;
+--confdir)
+ echo "$IPSEC_CONFS"
+ exit 0
+ ;;
+down)
+ shift
+ $IPSEC_EXECDIR/whack --name "$1" --terminate
+ exit 0
+ ;;
+listalgs|listpubkeys|listcerts|listcacerts|\
+listaacerts|listocspcerts|listacerts|listgroups|\
+listcainfos|listcrls|listocsp|listcards|\
+listall|purgeocsp|rereadsecrets|rereadgroups|\
+rereadcacerts|rereadaacerts|rereadocspcerts|\
+rereadacerts|rereadcrls|rereadall)
+ op="$1"
+ shift
+ $IPSEC_EXECDIR/whack "$@" "--$op"
+ exit 0
+ ;;
+ready)
+ shift
+ $IPSEC_EXECDIR/whack --listen
+ exit 0
+ ;;
+reload)
+ if test -e $IPSEC_STARTER_PID
+ then
+ echo "Reloading strongSwan IPsec configuration..." >&2
+ kill -s USR1 `cat $IPSEC_STARTER_PID`
+ else
+ echo "ipsec starter is not running" >&2
+ fi
+ exit 0
+ ;;
+restart)
+ $IPSEC_SBINDIR/ipsec stop
+ sleep 2
+ shift
+ $IPSEC_SBINDIR/ipsec start "$@"
+ exit 0
+ ;;
+route|unroute)
+ op="$1"
+ shift
+ $IPSEC_EXECDIR/whack --name "$1" "--$op"
+ exit 0
+ ;;
+scencrypt|scdecrypt)
+ op="$1"
+ shift
+ $IPSEC_EXECDIR/whack "--$op" "$@"
+ exit 0
+ ;;
+start)
+ shift
+ exec $IPSEC_EXECDIR/starter "$@"
+ ;;
+status|statusall)
+ op="$1"
+ shift
+ if test $# -eq 0
+ then
+ $IPSEC_EXECDIR/whack "--$op"
+ else
+ $IPSEC_EXECDIR/whack --name "$1" "--$op"
+ fi
+ exit 0
+ ;;
+stop)
+ if test -e $IPSEC_STARTER_PID
+ then
+ echo "Stopping strongSwan IPsec..." >&2
+ kill `cat $IPSEC_STARTER_PID`
+ else
+ echo "ipsec starter is not running" >&2
+ fi
+ exit 0
+ ;;
+up)
+ shift
+ $IPSEC_EXECDIR/whack --name "$1" --initiate
+ exit 0
+ ;;
+update)
+ if test -e $IPSEC_STARTER_PID
+ then
+ echo "Updating strongSwan IPsec configuration..." >&2
+ kill -s HUP `cat $IPSEC_STARTER_PID`
+ else
+ echo "ipsec starter is not running" >&2
+ fi
+ exit 0
+ ;;
+version|--version)
+ fixversion
+ echo "Linux $IPSEC_NAME $version"
+ echo "See \`ipsec --copyright' for copyright information."
+ if [ -f $IPSEC_LIBDIR/distro.txt ]
+ then
+ cat $IPSEC_LIBDIR/distro.txt
+ fi
+ exit 0
+ ;;
+--*)
+ echo "$0: unknown option \`$1' (perhaps command name was omitted?)" >&2
+ exit 1
+ ;;
+esac
+
+cmd="$1"
+shift
+
+path="$IPSEC_EXECDIR/$cmd"
+
+if test ! -x "$path"
+then
+ path="$IPSEC_LIBDIR/$cmd"
+ if test ! -x "$path"
+ then
+ echo "$0: unknown IPsec command \`$cmd' (\`ipsec --help' for list)" >&2
+ exit 1
+ fi
+fi
+
+exec $path "$@" |
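Review bot: The `stop`, `reload` and `update` branches hand whatever `cat $IPSEC_STARTER_PID` returns straight to `kill` without checking that it is a single positive integer, so a truncated, stale or tampered `/var/run/starter.pid` makes root signal the wrong target (`1` would deliver TERM to init, any other number to whichever process happens to own it). Read the file once and validate it before signalling, e.g. `pid=$(cat "$IPSEC_STARTER_PID")`, `case "$pid" in ''|*[!0-9]*) echo "bad pid file $IPSEC_STARTER_PID" >&2; exit 1;; esac`, then `kill "$pid"` (and likewise for the `-s HUP` / `-s USR1` variants). Separately, the fall-through dispatch builds `path="$IPSEC_EXECDIR/$cmd"` from an unvalidated command word, so `ipsec ../../bin/sh` execs a binary outside the utilities directory; that only becomes a privilege boundary where `ipsec` is delegated to non-root users (a sudoers entry, say), but a `case "$cmd" in */*) exit 1;; esac` before the lookup closes it cheaply. The `exit 0` after every `whack` invocation also discards whack's exit status, so callers of `ipsec up` or `ipsec status` cannot detect failure from the return code.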