From aa0f5b38aec14428b4b80e06f90ff781f8bca5f1 Mon Sep 17 00:00:00 2001 
From: Rene Mayrhofer Date: Mon, 22 May 2006 05:12:18 +0000 Subject: Import initial strongswan 2.7.0 version into SVN. --- programs/Makefile | 46 + programs/Makefile.program | 150 + programs/_confread/.cvsignore | 7 + programs/_confread/Makefile | 27 + programs/_confread/README.conf.V2 | 103 + programs/_confread/_confread.8 | 28 + programs/_confread/_confread.in | 520 +++ programs/_confread/block.in | 8 + programs/_confread/clear-or-private.in | 8 + programs/_confread/clear.in | 7 + programs/_confread/ipsec.conf.5 | 1286 ++++++ programs/_confread/ipsec.conf.in | 44 + programs/_confread/private-or-clear.in | 14 + programs/_confread/private.in | 6 + programs/_confread/randomize | 28 + programs/_copyright/.cvsignore | 1 + programs/_copyright/Makefile | 44 + programs/_copyright/_copyright.8 | 32 + programs/_copyright/_copyright.c | 69 + programs/_include/.cvsignore | 1 + programs/_include/Makefile | 43 + programs/_include/_include.8 | 35 + programs/_include/_include.in | 102 + programs/_keycensor/.cvsignore | 1 + programs/_keycensor/Makefile | 43 + programs/_keycensor/_keycensor.8 | 33 + programs/_keycensor/_keycensor.in | 52 + programs/_plutoload/.cvsignore | 1 + programs/_plutoload/Makefile | 43 + programs/_plutoload/_plutoload.8 | 33 + programs/_plutoload/_plutoload.in | 164 + programs/_plutorun/.cvsignore | 1 + programs/_plutorun/Makefile | 43 + programs/_plutorun/_plutorun.8 | 37 + programs/_plutorun/_plutorun.in | 281 ++ programs/_realsetup/.cvsignore | 1 + programs/_realsetup/Makefile | 43 + programs/_realsetup/_realsetup.8 | 36 + programs/_realsetup/_realsetup.in | 456 +++ programs/_secretcensor/.cvsignore | 1 + programs/_secretcensor/Makefile | 43 + programs/_secretcensor/_secretcensor.8 | 34 + programs/_secretcensor/_secretcensor.in | 75 + programs/_startklips/.cvsignore | 1 + programs/_startklips/Makefile | 43 + programs/_startklips/_startklips.8 | 33 + programs/_startklips/_startklips.in | 367 ++ programs/_updown/.cvsignore | 2 + programs/_updown/Makefile | 
22 + programs/_updown/_updown.8 | 19 + programs/_updown/_updown.in | 503 +++ programs/_updown_espmark/Makefile | 22 + programs/_updown_espmark/_updown_espmark.8 | 18 + programs/_updown_espmark/_updown_espmark.in | 452 +++ programs/auto/.cvsignore | 1 + programs/auto/Makefile | 21 + programs/auto/auto.8 | 481 +++ programs/auto/auto.in | 660 +++ programs/barf/.cvsignore | 1 + programs/barf/Makefile | 38 + programs/barf/barf.8 | 84 + programs/barf/barf.in | 296 ++ programs/calcgoo/.cvsignore | 1 + programs/calcgoo/Makefile | 41 + programs/calcgoo/calcgoo.8 | 31 + programs/calcgoo/calcgoo.in | 43 + programs/eroute/.cvsignore | 1 + programs/eroute/Makefile | 52 + programs/eroute/eroute.5 | 272 ++ programs/eroute/eroute.8 | 354 ++ programs/eroute/eroute.c | 1044 +++++ programs/examples/Makefile | 22 + programs/examples/oe.conf.in | 68 + programs/ikeping/.cvsignore | 1 + programs/ikeping/Makefile | 57 + programs/ikeping/ikeping.8 | 71 + programs/ikeping/ikeping.c | 483 +++ programs/ipsec/.cvsignore | 1 + programs/ipsec/Makefile | 28 + programs/ipsec/distro.txt | 1 + programs/ipsec/ipsec.8 | 336 ++ programs/ipsec/ipsec.in | 244 ++ programs/klipsdebug/.cvsignore | 1 + programs/klipsdebug/Makefile | 80 + programs/klipsdebug/klipsdebug.5 | 138 + programs/klipsdebug/klipsdebug.8 | 164 + programs/klipsdebug/klipsdebug.c | 436 ++ programs/look/.cvsignore | 1 + programs/look/Makefile | 38 + programs/look/look.8 | 45 + programs/look/look.in | 87 + programs/lwdnsq/.cvsignore | 4 + programs/lwdnsq/CONTRACT.txt | 106 + programs/lwdnsq/Makefile | 96 + programs/lwdnsq/cmds.c | 351 ++ programs/lwdnsq/lookup.c | 632 +++ programs/lwdnsq/lwdnsq.8 | 250 ++ programs/lwdnsq/lwdnsq.c | 506 +++ programs/lwdnsq/lwdnsq.h | 121 + programs/lwdnsq/lwdnsq.xml.in | 446 ++ programs/lwdnsq/states.fig | 66 + programs/lwdnsq/states.png | Bin 0 -> 6756 bytes programs/mailkey/.cvsignore | 1 + programs/mailkey/Makefile | 41 + programs/mailkey/mailkey.8 | 47 + programs/mailkey/mailkey.in | 241 ++ 
programs/manual/.cvsignore | 1 + programs/manual/Makefile | 38 + programs/manual/manual.8 | 267 ++ programs/manual/manual.in | 637 +++ programs/openac/Makefile | 154 + programs/openac/build.c | 242 ++ programs/openac/build.h | 47 + programs/openac/loglite.c | 295 ++ programs/openac/openac.8 | 180 + programs/openac/openac.c | 438 ++ programs/pf_key/.cvsignore | 1 + programs/pf_key/Makefile | 49 + programs/pf_key/pf_key.5 | 122 + programs/pf_key/pf_key.8 | 73 + programs/pf_key/pf_key.c | 353 ++ programs/pluto/.cvsignore | 3 + programs/pluto/Makefile | 1090 +++++ programs/pluto/PLUTO-CONVENTIONS | 127 + programs/pluto/TODO | 129 + programs/pluto/ac.c | 1018 +++++ programs/pluto/ac.h | 103 + programs/pluto/adns.c | 615 +++ programs/pluto/adns.h | 75 + programs/pluto/alg/Config.ike_alg | 9 + programs/pluto/alg/Makefile | 93 + programs/pluto/alg/Makefile.ike_alg_aes | 14 + programs/pluto/alg/Makefile.ike_alg_blowfish | 13 + programs/pluto/alg/Makefile.ike_alg_serpent | 13 + programs/pluto/alg/Makefile.ike_alg_sha2 | 13 + programs/pluto/alg/Makefile.ike_alg_twofish | 13 + programs/pluto/alg/ike_alg_aes.c | 68 + programs/pluto/alg/ike_alg_blowfish.c | 52 + programs/pluto/alg/ike_alg_serpent.c | 70 + programs/pluto/alg/ike_alg_sha2.c | 61 + programs/pluto/alg/ike_alg_twofish.c | 85 + programs/pluto/alg_info.c | 1197 ++++++ programs/pluto/alg_info.h | 85 + programs/pluto/asn1.c | 770 ++++ programs/pluto/asn1.h | 141 + programs/pluto/ca.c | 694 ++++ programs/pluto/ca.h | 70 + programs/pluto/certs.c | 287 ++ programs/pluto/certs.h | 80 + programs/pluto/connections.c | 4431 ++++++++++++++++++++ programs/pluto/connections.h | 375 ++ programs/pluto/constants.c | 1271 ++++++ programs/pluto/constants.h | 1184 ++++++ programs/pluto/cookie.c | 67 + programs/pluto/cookie.h | 24 + programs/pluto/crl.c | 763 ++++ programs/pluto/crl.h | 87 + programs/pluto/crypto.c | 261 ++ programs/pluto/crypto.h | 107 + programs/pluto/db_ops.c | 439 ++ programs/pluto/db_ops.h | 56 + 
programs/pluto/defs.c | 374 ++ programs/pluto/defs.h | 145 + programs/pluto/demux.c | 2411 +++++++++++ programs/pluto/demux.h | 100 + programs/pluto/dnskey.c | 1962 +++++++++ programs/pluto/dnskey.h | 84 + programs/pluto/dsa.c | 476 +++ programs/pluto/dsa.h | 32 + programs/pluto/elgamal.c | 613 +++ programs/pluto/elgamal.h | 35 + programs/pluto/fetch.c | 1081 +++++ programs/pluto/fetch.h | 79 + programs/pluto/foodgroups.c | 462 +++ programs/pluto/foodgroups.h | 24 + programs/pluto/gcryptfix.c | 283 ++ programs/pluto/gcryptfix.h | 111 + programs/pluto/id.c | 509 +++ programs/pluto/id.h | 67 + programs/pluto/ike_alg.c | 459 +++ programs/pluto/ike_alg.h | 73 + programs/pluto/ipsec.secrets.5 | 175 + programs/pluto/ipsec_doi.c | 5649 ++++++++++++++++++++++++++ programs/pluto/ipsec_doi.h | 104 + programs/pluto/kameipsec.h | 47 + programs/pluto/kernel.c | 2997 ++++++++++++++ programs/pluto/kernel.h | 200 + programs/pluto/kernel_alg.c | 775 ++++ programs/pluto/kernel_alg.h | 46 + programs/pluto/kernel_netlink.c | 1221 ++++++ programs/pluto/kernel_netlink.h | 20 + programs/pluto/kernel_noklips.c | 126 + programs/pluto/kernel_noklips.h | 19 + programs/pluto/kernel_pfkey.c | 938 +++++ programs/pluto/kernel_pfkey.h | 23 + programs/pluto/keys.c | 1404 +++++++ programs/pluto/keys.h | 110 + programs/pluto/lex.c | 213 + programs/pluto/lex.h | 52 + programs/pluto/linux26/netlink.h | 90 + programs/pluto/linux26/rtnetlink.h | 562 +++ programs/pluto/linux26/xfrm.h | 233 ++ programs/pluto/log.c | 843 ++++ programs/pluto/log.h | 236 ++ programs/pluto/md2.c | 237 ++ programs/pluto/md2.h | 72 + programs/pluto/md5.c | 385 ++ programs/pluto/md5.h | 75 + programs/pluto/modecfg.c | 798 ++++ programs/pluto/modecfg.h | 33 + programs/pluto/mp_defs.c | 70 + programs/pluto/mp_defs.h | 36 + programs/pluto/nat_traversal.c | 869 ++++ programs/pluto/nat_traversal.h | 154 + programs/pluto/ocsp.c | 1568 +++++++ programs/pluto/ocsp.h | 85 + programs/pluto/oid.c | 197 + programs/pluto/oid.h | 75 + 
programs/pluto/oid.pl | 123 + programs/pluto/oid.txt | 184 + programs/pluto/packet.c | 1244 ++++++ programs/pluto/packet.h | 655 +++ programs/pluto/pem.c | 463 +++ programs/pluto/pem.h | 18 + programs/pluto/pgp.c | 647 +++ programs/pluto/pgp.h | 54 + programs/pluto/pkcs1.c | 635 +++ programs/pluto/pkcs1.h | 88 + programs/pluto/pkcs7.c | 862 ++++ programs/pluto/pkcs7.h | 51 + programs/pluto/pluto-style.el | 4 + programs/pluto/pluto.8 | 1649 ++++++++ programs/pluto/plutomain.c | 696 ++++ programs/pluto/primegen.c | 593 +++ programs/pluto/rcv_info.c | 308 ++ programs/pluto/rcv_info.h | 18 + programs/pluto/rcv_whack.c | 655 +++ programs/pluto/rcv_whack.h | 17 + programs/pluto/rnd.c | 250 ++ programs/pluto/rnd.h | 21 + programs/pluto/routing.txt | 331 ++ programs/pluto/rsaref/pkcs11.h | 299 ++ programs/pluto/rsaref/pkcs11f.h | 912 +++++ programs/pluto/rsaref/pkcs11t.h | 1685 ++++++++ programs/pluto/rsaref/unix.h | 24 + programs/pluto/server.c | 1064 +++++ programs/pluto/server.h | 60 + programs/pluto/sha1.c | 193 + programs/pluto/sha1.h | 16 + programs/pluto/smallprime.c | 122 + programs/pluto/smartcard.c | 1956 +++++++++ programs/pluto/smartcard.h | 100 + programs/pluto/spdb.c | 2402 +++++++++++ programs/pluto/spdb.h | 113 + programs/pluto/state.c | 1007 +++++ programs/pluto/state.h | 269 ++ programs/pluto/timer.c | 537 +++ programs/pluto/timer.h | 34 + programs/pluto/vendor.c | 493 +++ programs/pluto/vendor.h | 107 + programs/pluto/virtual.c | 338 ++ programs/pluto/virtual.h | 31 + programs/pluto/whack.c | 1911 +++++++++ programs/pluto/whack.h | 318 ++ programs/pluto/x509.c | 2241 ++++++++++ programs/pluto/x509.h | 138 + programs/proc/Makefile | 51 + programs/proc/trap_count.5 | 35 + programs/proc/trap_sendcount.5 | 33 + programs/proc/version.5 | 54 + programs/ranbits/.cvsignore | 1 + programs/ranbits/Makefile | 39 + programs/ranbits/ranbits.8 | 77 + programs/ranbits/ranbits.c | 146 + programs/rsasigkey/.cvsignore | 1 + programs/rsasigkey/Makefile | 39 + 
programs/rsasigkey/rsasigkey.8 | 259 ++ programs/rsasigkey/rsasigkey.c | 573 +++ programs/scepclient/Makefile | 184 + programs/scepclient/pkcs10.c | 220 + programs/scepclient/pkcs10.h | 57 + programs/scepclient/rsakey.c | 349 ++ programs/scepclient/rsakey.h | 31 + programs/scepclient/scep.c | 598 +++ programs/scepclient/scep.h | 93 + programs/scepclient/scepclient.8 | 288 ++ programs/scepclient/scepclient.c | 1036 +++++ programs/secrets/Makefile | 38 + programs/secrets/secrets.8 | 20 + programs/secrets/secrets.in | 18 + programs/send-pr/.cvsignore | 1 + programs/send-pr/Makefile | 39 + programs/send-pr/ipsec_pr.template | 54 + programs/send-pr/send-pr.8 | 291 ++ programs/send-pr/send-pr.in | 643 +++ programs/setup/.cvsignore | 1 + programs/setup/Makefile | 22 + programs/setup/setup.8 | 142 + programs/setup/setup.in | 162 + programs/showdefaults/.cvsignore | 1 + programs/showdefaults/Makefile | 38 + programs/showdefaults/showdefaults.8 | 34 + programs/showdefaults/showdefaults.in | 33 + programs/showhostkey/.cvsignore | 1 + programs/showhostkey/Makefile | 38 + programs/showhostkey/showhostkey.8 | 168 + programs/showhostkey/showhostkey.in | 180 + programs/showpolicy/.cvsignore | 1 + programs/showpolicy/Makefile | 38 + programs/showpolicy/showpolicy.8 | 41 + programs/showpolicy/showpolicy.c | 251 ++ programs/spi/.cvsignore | 1 + programs/spi/Makefile | 69 + programs/spi/spi.5 | 213 + programs/spi/spi.8 | 525 +++ programs/spi/spi.c | 1689 ++++++++ programs/spigrp/.cvsignore | 1 + programs/spigrp/Makefile | 52 + programs/spigrp/spigrp.5 | 116 + programs/spigrp/spigrp.8 | 174 + programs/spigrp/spigrp.c | 491 +++ programs/starter/Makefile | 182 + programs/starter/README | 104 + programs/starter/args.c | 620 +++ programs/starter/args.h | 34 + programs/starter/cmp.c | 105 + programs/starter/cmp.h | 29 + programs/starter/confread.c | 861 ++++ programs/starter/confread.h | 199 + programs/starter/exec.c | 54 + programs/starter/exec.h | 23 + programs/starter/files.h | 47 + 
programs/starter/interfaces.c | 595 +++ programs/starter/interfaces.h | 41 + programs/starter/invokepluto.c | 286 ++ programs/starter/invokepluto.h | 28 + programs/starter/keywords.c | 235 ++ programs/starter/keywords.h | 164 + programs/starter/keywords.txt | 105 + programs/starter/klips.c | 134 + programs/starter/klips.h | 26 + programs/starter/lex.yy.c | 1966 +++++++++ programs/starter/netkey.c | 85 + programs/starter/netkey.h | 24 + programs/starter/parser.h | 57 + programs/starter/parser.l | 190 + programs/starter/parser.output | 351 ++ programs/starter/parser.tab.c | 1666 ++++++++ programs/starter/parser.tab.h | 72 + programs/starter/parser.y | 283 ++ programs/starter/starter.8 | 0 programs/starter/starter.c | 571 +++ programs/starter/starterwhack.c | 371 ++ programs/starter/starterwhack.h | 32 + programs/tncfg/.cvsignore | 1 + programs/tncfg/Makefile | 52 + programs/tncfg/tncfg.5 | 109 + programs/tncfg/tncfg.8 | 113 + programs/tncfg/tncfg.c | 393 ++ 359 files changed, 109104 insertions(+) create mode 100644 programs/Makefile create mode 100644 programs/Makefile.program create mode 100644 programs/_confread/.cvsignore create mode 100644 programs/_confread/Makefile create mode 100644 programs/_confread/README.conf.V2 create mode 100644 programs/_confread/_confread.8 create mode 100755 programs/_confread/_confread.in create mode 100644 programs/_confread/block.in create mode 100644 programs/_confread/clear-or-private.in create mode 100644 programs/_confread/clear.in create mode 100644 programs/_confread/ipsec.conf.5 create mode 100644 programs/_confread/ipsec.conf.in create mode 100644 programs/_confread/private-or-clear.in create mode 100644 programs/_confread/private.in create mode 100755 programs/_confread/randomize create mode 100644 programs/_copyright/.cvsignore create mode 100644 programs/_copyright/Makefile create mode 100644 programs/_copyright/_copyright.8 create mode 100644 programs/_copyright/_copyright.c create mode 100644 
programs/_include/.cvsignore create mode 100644 programs/_include/Makefile create mode 100644 programs/_include/_include.8 create mode 100755 programs/_include/_include.in create mode 100644 programs/_keycensor/.cvsignore create mode 100644 programs/_keycensor/Makefile create mode 100644 programs/_keycensor/_keycensor.8 create mode 100755 programs/_keycensor/_keycensor.in create mode 100644 programs/_plutoload/.cvsignore create mode 100644 programs/_plutoload/Makefile create mode 100644 programs/_plutoload/_plutoload.8 create mode 100755 programs/_plutoload/_plutoload.in create mode 100644 programs/_plutorun/.cvsignore create mode 100644 programs/_plutorun/Makefile create mode 100644 programs/_plutorun/_plutorun.8 create mode 100755 programs/_plutorun/_plutorun.in create mode 100644 programs/_realsetup/.cvsignore create mode 100644 programs/_realsetup/Makefile create mode 100644 programs/_realsetup/_realsetup.8 create mode 100755 programs/_realsetup/_realsetup.in create mode 100644 programs/_secretcensor/.cvsignore create mode 100644 programs/_secretcensor/Makefile create mode 100644 programs/_secretcensor/_secretcensor.8 create mode 100755 programs/_secretcensor/_secretcensor.in create mode 100644 programs/_startklips/.cvsignore create mode 100644 programs/_startklips/Makefile create mode 100644 programs/_startklips/_startklips.8 create mode 100755 programs/_startklips/_startklips.in create mode 100644 programs/_updown/.cvsignore create mode 100644 programs/_updown/Makefile create mode 100644 programs/_updown/_updown.8 create mode 100755 programs/_updown/_updown.in create mode 100644 programs/_updown_espmark/Makefile create mode 100644 programs/_updown_espmark/_updown_espmark.8 create mode 100644 programs/_updown_espmark/_updown_espmark.in create mode 100644 programs/auto/.cvsignore create mode 100644 programs/auto/Makefile create mode 100644 programs/auto/auto.8 create mode 100755 programs/auto/auto.in create mode 100644 programs/barf/.cvsignore create mode 
100644 programs/barf/Makefile create mode 100644 programs/barf/barf.8 create mode 100755 programs/barf/barf.in create mode 100644 programs/calcgoo/.cvsignore create mode 100644 programs/calcgoo/Makefile create mode 100644 programs/calcgoo/calcgoo.8 create mode 100644 programs/calcgoo/calcgoo.in create mode 100644 programs/eroute/.cvsignore create mode 100644 programs/eroute/Makefile create mode 100644 programs/eroute/eroute.5 create mode 100644 programs/eroute/eroute.8 create mode 100644 programs/eroute/eroute.c create mode 100644 programs/examples/Makefile create mode 100644 programs/examples/oe.conf.in create mode 100644 programs/ikeping/.cvsignore create mode 100644 programs/ikeping/Makefile create mode 100644 programs/ikeping/ikeping.8 create mode 100644 programs/ikeping/ikeping.c create mode 100644 programs/ipsec/.cvsignore create mode 100644 programs/ipsec/Makefile create mode 100644 programs/ipsec/distro.txt create mode 100644 programs/ipsec/ipsec.8 create mode 100755 programs/ipsec/ipsec.in create mode 100644 programs/klipsdebug/.cvsignore create mode 100644 programs/klipsdebug/Makefile create mode 100644 programs/klipsdebug/klipsdebug.5 create mode 100644 programs/klipsdebug/klipsdebug.8 create mode 100644 programs/klipsdebug/klipsdebug.c create mode 100644 programs/look/.cvsignore create mode 100644 programs/look/Makefile create mode 100644 programs/look/look.8 create mode 100755 programs/look/look.in create mode 100644 programs/lwdnsq/.cvsignore create mode 100644 programs/lwdnsq/CONTRACT.txt create mode 100644 programs/lwdnsq/Makefile create mode 100644 programs/lwdnsq/cmds.c create mode 100644 programs/lwdnsq/lookup.c create mode 100644 programs/lwdnsq/lwdnsq.8 create mode 100644 programs/lwdnsq/lwdnsq.c create mode 100644 programs/lwdnsq/lwdnsq.h create mode 100644 programs/lwdnsq/lwdnsq.xml.in create mode 100644 programs/lwdnsq/states.fig create mode 100644 programs/lwdnsq/states.png create mode 100644 programs/mailkey/.cvsignore create mode 100644 
programs/mailkey/Makefile create mode 100644 programs/mailkey/mailkey.8 create mode 100755 programs/mailkey/mailkey.in create mode 100644 programs/manual/.cvsignore create mode 100644 programs/manual/Makefile create mode 100644 programs/manual/manual.8 create mode 100755 programs/manual/manual.in create mode 100644 programs/openac/Makefile create mode 100644 programs/openac/build.c create mode 100644 programs/openac/build.h create mode 100644 programs/openac/loglite.c create mode 100644 programs/openac/openac.8 create mode 100755 programs/openac/openac.c create mode 100644 programs/pf_key/.cvsignore create mode 100644 programs/pf_key/Makefile create mode 100644 programs/pf_key/pf_key.5 create mode 100644 programs/pf_key/pf_key.8 create mode 100644 programs/pf_key/pf_key.c create mode 100644 programs/pluto/.cvsignore create mode 100644 programs/pluto/Makefile create mode 100644 programs/pluto/PLUTO-CONVENTIONS create mode 100644 programs/pluto/TODO create mode 100644 programs/pluto/ac.c create mode 100644 programs/pluto/ac.h create mode 100644 programs/pluto/adns.c create mode 100644 programs/pluto/adns.h create mode 100644 programs/pluto/alg/Config.ike_alg create mode 100644 programs/pluto/alg/Makefile create mode 100644 programs/pluto/alg/Makefile.ike_alg_aes create mode 100644 programs/pluto/alg/Makefile.ike_alg_blowfish create mode 100644 programs/pluto/alg/Makefile.ike_alg_serpent create mode 100644 programs/pluto/alg/Makefile.ike_alg_sha2 create mode 100644 programs/pluto/alg/Makefile.ike_alg_twofish create mode 100644 programs/pluto/alg/ike_alg_aes.c create mode 100644 programs/pluto/alg/ike_alg_blowfish.c create mode 100644 programs/pluto/alg/ike_alg_serpent.c create mode 100644 programs/pluto/alg/ike_alg_sha2.c create mode 100644 programs/pluto/alg/ike_alg_twofish.c create mode 100644 programs/pluto/alg_info.c create mode 100644 programs/pluto/alg_info.h create mode 100644 programs/pluto/asn1.c create mode 100644 programs/pluto/asn1.h create mode 100644 
programs/pluto/ca.c create mode 100644 programs/pluto/ca.h create mode 100644 programs/pluto/certs.c create mode 100644 programs/pluto/certs.h create mode 100644 programs/pluto/connections.c create mode 100644 programs/pluto/connections.h create mode 100644 programs/pluto/constants.c create mode 100644 programs/pluto/constants.h create mode 100644 programs/pluto/cookie.c create mode 100644 programs/pluto/cookie.h create mode 100644 programs/pluto/crl.c create mode 100644 programs/pluto/crl.h create mode 100644 programs/pluto/crypto.c create mode 100644 programs/pluto/crypto.h create mode 100644 programs/pluto/db_ops.c create mode 100644 programs/pluto/db_ops.h create mode 100644 programs/pluto/defs.c create mode 100644 programs/pluto/defs.h create mode 100644 programs/pluto/demux.c create mode 100644 programs/pluto/demux.h create mode 100644 programs/pluto/dnskey.c create mode 100644 programs/pluto/dnskey.h create mode 100644 programs/pluto/dsa.c create mode 100644 programs/pluto/dsa.h create mode 100644 programs/pluto/elgamal.c create mode 100644 programs/pluto/elgamal.h create mode 100644 programs/pluto/fetch.c create mode 100644 programs/pluto/fetch.h create mode 100644 programs/pluto/foodgroups.c create mode 100644 programs/pluto/foodgroups.h create mode 100644 programs/pluto/gcryptfix.c create mode 100644 programs/pluto/gcryptfix.h create mode 100644 programs/pluto/id.c create mode 100644 programs/pluto/id.h create mode 100644 programs/pluto/ike_alg.c create mode 100644 programs/pluto/ike_alg.h create mode 100644 programs/pluto/ipsec.secrets.5 create mode 100644 programs/pluto/ipsec_doi.c create mode 100644 programs/pluto/ipsec_doi.h create mode 100644 programs/pluto/kameipsec.h create mode 100644 programs/pluto/kernel.c create mode 100644 programs/pluto/kernel.h create mode 100644 programs/pluto/kernel_alg.c create mode 100644 programs/pluto/kernel_alg.h create mode 100644 programs/pluto/kernel_netlink.c create mode 100644 programs/pluto/kernel_netlink.h 
create mode 100644 programs/pluto/kernel_noklips.c create mode 100644 programs/pluto/kernel_noklips.h create mode 100644 programs/pluto/kernel_pfkey.c create mode 100644 programs/pluto/kernel_pfkey.h create mode 100644 programs/pluto/keys.c create mode 100644 programs/pluto/keys.h create mode 100644 programs/pluto/lex.c create mode 100644 programs/pluto/lex.h create mode 100644 programs/pluto/linux26/netlink.h create mode 100644 programs/pluto/linux26/rtnetlink.h create mode 100644 programs/pluto/linux26/xfrm.h create mode 100644 programs/pluto/log.c create mode 100644 programs/pluto/log.h create mode 100644 programs/pluto/md2.c create mode 100644 programs/pluto/md2.h create mode 100644 programs/pluto/md5.c create mode 100644 programs/pluto/md5.h create mode 100644 programs/pluto/modecfg.c create mode 100644 programs/pluto/modecfg.h create mode 100644 programs/pluto/mp_defs.c create mode 100644 programs/pluto/mp_defs.h create mode 100644 programs/pluto/nat_traversal.c create mode 100644 programs/pluto/nat_traversal.h create mode 100644 programs/pluto/ocsp.c create mode 100644 programs/pluto/ocsp.h create mode 100644 programs/pluto/oid.c create mode 100644 programs/pluto/oid.h create mode 100644 programs/pluto/oid.pl create mode 100644 programs/pluto/oid.txt create mode 100644 programs/pluto/packet.c create mode 100644 programs/pluto/packet.h create mode 100644 programs/pluto/pem.c create mode 100644 programs/pluto/pem.h create mode 100644 programs/pluto/pgp.c create mode 100644 programs/pluto/pgp.h create mode 100644 programs/pluto/pkcs1.c create mode 100644 programs/pluto/pkcs1.h create mode 100644 programs/pluto/pkcs7.c create mode 100644 programs/pluto/pkcs7.h create mode 100644 programs/pluto/pluto-style.el create mode 100644 programs/pluto/pluto.8 create mode 100644 programs/pluto/plutomain.c create mode 100644 programs/pluto/primegen.c create mode 100644 programs/pluto/rcv_info.c create mode 100644 programs/pluto/rcv_info.h create mode 100644 
programs/pluto/rcv_whack.c create mode 100644 programs/pluto/rcv_whack.h create mode 100644 programs/pluto/rnd.c create mode 100644 programs/pluto/rnd.h create mode 100644 programs/pluto/routing.txt create mode 100644 programs/pluto/rsaref/pkcs11.h create mode 100644 programs/pluto/rsaref/pkcs11f.h create mode 100644 programs/pluto/rsaref/pkcs11t.h create mode 100644 programs/pluto/rsaref/unix.h create mode 100644 programs/pluto/server.c create mode 100644 programs/pluto/server.h create mode 100644 programs/pluto/sha1.c create mode 100644 programs/pluto/sha1.h create mode 100644 programs/pluto/smallprime.c create mode 100644 programs/pluto/smartcard.c create mode 100644 programs/pluto/smartcard.h create mode 100644 programs/pluto/spdb.c create mode 100644 programs/pluto/spdb.h create mode 100644 programs/pluto/state.c create mode 100644 programs/pluto/state.h create mode 100644 programs/pluto/timer.c create mode 100644 programs/pluto/timer.h create mode 100644 programs/pluto/vendor.c create mode 100644 programs/pluto/vendor.h create mode 100644 programs/pluto/virtual.c create mode 100644 programs/pluto/virtual.h create mode 100644 programs/pluto/whack.c create mode 100644 programs/pluto/whack.h create mode 100644 programs/pluto/x509.c create mode 100644 programs/pluto/x509.h create mode 100644 programs/proc/Makefile create mode 100644 programs/proc/trap_count.5 create mode 100644 programs/proc/trap_sendcount.5 create mode 100644 programs/proc/version.5 create mode 100644 programs/ranbits/.cvsignore create mode 100644 programs/ranbits/Makefile create mode 100644 programs/ranbits/ranbits.8 create mode 100644 programs/ranbits/ranbits.c create mode 100644 programs/rsasigkey/.cvsignore create mode 100644 programs/rsasigkey/Makefile create mode 100644 programs/rsasigkey/rsasigkey.8 create mode 100644 programs/rsasigkey/rsasigkey.c create mode 100644 programs/scepclient/Makefile create mode 100644 programs/scepclient/pkcs10.c create mode 100644 
programs/scepclient/pkcs10.h create mode 100644 programs/scepclient/rsakey.c create mode 100644 programs/scepclient/rsakey.h create mode 100644 programs/scepclient/scep.c create mode 100644 programs/scepclient/scep.h create mode 100644 programs/scepclient/scepclient.8 create mode 100644 programs/scepclient/scepclient.c create mode 100644 programs/secrets/Makefile create mode 100644 programs/secrets/secrets.8 create mode 100644 programs/secrets/secrets.in create mode 100644 programs/send-pr/.cvsignore create mode 100644 programs/send-pr/Makefile create mode 100644 programs/send-pr/ipsec_pr.template create mode 100644 programs/send-pr/send-pr.8 create mode 100755 programs/send-pr/send-pr.in create mode 100644 programs/setup/.cvsignore create mode 100644 programs/setup/Makefile create mode 100644 programs/setup/setup.8 create mode 100755 programs/setup/setup.in create mode 100644 programs/showdefaults/.cvsignore create mode 100644 programs/showdefaults/Makefile create mode 100644 programs/showdefaults/showdefaults.8 create mode 100755 programs/showdefaults/showdefaults.in create mode 100644 programs/showhostkey/.cvsignore create mode 100644 programs/showhostkey/Makefile create mode 100644 programs/showhostkey/showhostkey.8 create mode 100755 programs/showhostkey/showhostkey.in create mode 100644 programs/showpolicy/.cvsignore create mode 100644 programs/showpolicy/Makefile create mode 100644 programs/showpolicy/showpolicy.8 create mode 100644 programs/showpolicy/showpolicy.c create mode 100644 programs/spi/.cvsignore create mode 100644 programs/spi/Makefile create mode 100644 programs/spi/spi.5 create mode 100644 programs/spi/spi.8 create mode 100644 programs/spi/spi.c create mode 100644 programs/spigrp/.cvsignore create mode 100644 programs/spigrp/Makefile create mode 100644 programs/spigrp/spigrp.5 create mode 100644 programs/spigrp/spigrp.8 create mode 100644 programs/spigrp/spigrp.c create mode 100644 programs/starter/Makefile create mode 100644 
programs/starter/README
create mode 100644 programs/starter/args.c
create mode 100644 programs/starter/args.h
create mode 100644 programs/starter/cmp.c
create mode 100644 programs/starter/cmp.h
create mode 100644 programs/starter/confread.c
create mode 100644 programs/starter/confread.h
create mode 100644 programs/starter/exec.c
create mode 100644 programs/starter/exec.h
create mode 100644 programs/starter/files.h
create mode 100644 programs/starter/interfaces.c
create mode 100644 programs/starter/interfaces.h
create mode 100644 programs/starter/invokepluto.c
create mode 100644 programs/starter/invokepluto.h
create mode 100644 programs/starter/keywords.c
create mode 100644 programs/starter/keywords.h
create mode 100644 programs/starter/keywords.txt
create mode 100644 programs/starter/klips.c
create mode 100644 programs/starter/klips.h
create mode 100644 programs/starter/lex.yy.c
create mode 100644 programs/starter/netkey.c
create mode 100644 programs/starter/netkey.h
create mode 100644 programs/starter/parser.h
create mode 100644 programs/starter/parser.l
create mode 100644 programs/starter/parser.output
create mode 100644 programs/starter/parser.tab.c
create mode 100644 programs/starter/parser.tab.h
create mode 100644 programs/starter/parser.y
create mode 100644 programs/starter/starter.8
create mode 100644 programs/starter/starter.c
create mode 100644 programs/starter/starterwhack.c
create mode 100644 programs/starter/starterwhack.h
create mode 100644 programs/tncfg/.cvsignore
create mode 100644 programs/tncfg/Makefile
create mode 100644 programs/tncfg/tncfg.5
create mode 100644 programs/tncfg/tncfg.8
create mode 100644 programs/tncfg/tncfg.c
(limited to 'programs')
diff --git a/programs/Makefile b/programs/Makefile
new file mode 100644
index 000000000..03c9d582a
--- /dev/null
+++ b/programs/Makefile
@@ -0,0 +1,46 @@
+# Makefile for the KLIPS interface utilities
+# Copyright (C) 1998, 1999 Henry Spencer.
+# Copyright (C) 1999, 2000, 2001 Richard Guy Briggs
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version. See .
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# for more details.
+#
+# RCSID $Id: Makefile,v 1.8 2006/04/17 11:04:45 as Exp $
+
+FREESWANSRCDIR=..
+include ${FREESWANSRCDIR}/Makefile.inc
+
+SUBDIRS=spi eroute spigrp tncfg klipsdebug pf_key proc pluto
+SUBDIRS+=_confread _copyright _include _keycensor _plutoload _plutorun
+SUBDIRS+=_realsetup _secretcensor _startklips _updown _updown_espmark
+SUBDIRS+=auto barf ipsec look manual ranbits secrets starter
+SUBDIRS+=rsasigkey send-pr setup showdefaults showhostkey calcgoo mailkey
+SUBDIRS+=ikeping examples openac scepclient
+
+ifeq ($(USE_LWRES),true)
+SUBDIRS+=lwdnsq
+endif
+
+ifeq ($(USE_IPSECPOLICY),true)
+SUBDIRS+=showpolicy
+endif
+
+def:
+ @echo "Please read doc/intro.html or INSTALL before running make"
+ @false
+
+# programs
+
+cleanall distclean mostlyclean realclean install programs checkprograms check clean spotless install_file_list:
+ @for d in $(SUBDIRS) ; \
+ do \
+ (cd $$d && $(MAKE) FREESWANSRCDIR=$(FREESWANSRCDIR)/.. $@ ) || exit 1;\
+ done; \
+
diff --git a/programs/Makefile.program b/programs/Makefile.program
new file mode 100644
index 000000000..6868c258a
--- /dev/null
+++ b/programs/Makefile.program
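Review bot: The recipe of the multi-target rule at the end of the file finishes with `done; \`, a line continuation whose next line is the blank line that closes the hunk, so the final shell command is terminated only by that empty line and anything appended to the file later silently becomes part of the same command; ending the recipe with `done` (no trailing backslash) keeps the `|| exit 1` fail-fast behaviour and removes the hazard. The recipe indentation shows here as single spaces, presumably tabs in the original, which this rendering cannot confirm. `def:` as the first target deliberately makes a bare `make` fail with a pointer to the documentation; a one-line comment above it, `# default target: refuse to build until the docs have been read`, would make that intent visible to the next maintainer.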
@@ -0,0 +1,150 @@
+
+include ${FREESWANSRCDIR}/Makefile.ver
+
+CFLAGS+=$(USERCOMPILE) -I${KLIPSINC}
+
+CFLAGS+= -Wall
+#CFLAGS+= -Wconversion
+#CFLAGS+= -Wmissing-prototypes
+CFLAGS+= -Wpointer-arith
+CFLAGS+= -Wcast-qual
+#CFLAGS+= -Wmissing-declarations
+CFLAGS+= -Wstrict-prototypes
+#CFLAGS+= -pedantic
+#CFLAGS+= -W
+#CFLAGS+= -Wwrite-strings
+CFLAGS+= -Wbad-function-cast
+
+# die if there are any warnings
+ifndef WERROR
+WERROR:= -Werror
+endif
+
+#CFLAGS+= ${WERROR}
+
+ifneq ($(LD_LIBRARY_PATH),)
+LDFLAGS=-L$(LD_LIBRARY_PATH)
+endif
+
+MANDIR8=$(MANTREE)/man8
+MANDIR5=$(MANTREE)/man5
+
+ifndef PROGRAMDIR
+PROGRAMDIR=${LIBEXECDIR}
+endif
+
+ifndef MANPROGPREFIX
+MANPROGPREFIX=ipsec_
+endif
+
+ifndef CONFDSUBDIR
+CONFDSUBDIR=.
+endif
+
+all: $(PROGRAM)
+
+programs: all
+
+ifneq ($(PROGRAM),check)
+check: $(PROGRAM)
+endif
+
+
+ifneq ($(NOINSTALL),true)
+
+install:: $(PROGRAM) $(CONFFILES) $(EXTRA8MAN) $(EXTRA5MAN) $(EXTRA5PROC) $(LIBFILES) $(CONFDFILES)
+ @mkdir -p $(PROGRAMDIR) $(MANDIR8) $(MANDIR5) $(LIBDIR) $(CONFDIR) $(CONFDDIR) $(CONFDDIR)/$(CONFDSUBDIR) $(EXAMPLECONFDIR)
+ @if [ -n "$(PROGRAM)" ]; then $(INSTALL) $(INSTBINFLAGS) $(PROGRAM) $(PROGRAMDIR); fi
+ @$(foreach f, $(addsuffix .8, $(PROGRAM)), \
+ $(INSTALL) $(INSTMANFLAGS) $f $(MANDIR8)/$(MANPROGPREFIX)$f || exit 1; \
+ )
+ @$(foreach f, $(EXTRA8MAN), \
+ $(INSTALL) $(INSTMANFLAGS) $f $(MANDIR8)/ipsec_$f || exit 1; \
+ )
+ @$(foreach f, $(EXTRA5MAN), \
+ $(INSTALL) $(INSTMANFLAGS) $f $(MANDIR5)/$f || exit 1 ;\
+ )
+ @$(foreach f, $(EXTRA5PROC), \
+ $(INSTALL) $(INSTMANFLAGS) $f $(MANDIR5)/ipsec_$f || exit 1 ;\
+ )
+ @$(foreach f, $(LIBFILES), \
+ $(INSTALL) $(INSTCONFFLAGS) $f $(LIBDIR)/$f || exit 1 ;\
+ )
+ @$(foreach f, $(CONFFILES), \
+ if [ ! -f $(CONFDIR)/$f ]; then $(INSTALL) $(INSTCONFFLAGS) $f $(CONFDIR)/$f || exit 1; fi;\
+ $(INSTALL) $(INSTCONFFLAGS) $f $(EXAMPLECONFDIR)/$f-sample || exit 1; \
+ )
+ @$(foreach f, $(CONFDFILES), \
+ if [ ! -f $(CONFDDIR)/$(CONFDSUBDIR)/$f ]; then $(INSTALL) $(INSTCONFFLAGS) $f $(CONFDDIR)/$(CONFDSUBDIR)/$f || exit 1; fi;\
+ )
+
+install_file_list::
+ @if [ -n "$(PROGRAM)" ]; then echo $(PROGRAMDIR)/$(PROGRAM); fi
+ @$(foreach f, $(addsuffix .8, $(PROGRAM)), \
+ echo $(MANDIR8)/${MANPROGPREFIX}$f; \
+ )
+ @$(foreach f, $(EXTRA8MAN), \
+ echo $(MANDIR8)/ipsec_$f; \
+ )
+ @$(foreach f, $(EXTRA5MAN), \
+ echo $(MANDIR5)/$f;\
+ )
+ @$(foreach f, $(EXTRA5PROC), \
+ echo $(MANDIR5)/ipsec_$f; \
+ )
+ @$(foreach f, $(LIBFILES), \
+ echo $(LIBDIR)/$f;\
+ )
+ @$(foreach f, $(CONFFILES), \
+ echo $(CONFDIR)/$f;\
+ echo $(EXAMPLECONFDIR)/$f-sample;\
+ )
+ @$(foreach f, $(CONFDFILES), \
+ echo $(CONFDDIR)/${CONFDSUBDIR}/$f;\
+ )
+
+endif
+
+# cancel the rule that compiles directly
+%: %.c
+
+%: %.o $(OBJS)
+ $(CC) $(CFLAGS) -o $@ $@.o ${OBJS} $(LDFLAGS) $(LIBS)
+
+%: %.in ${FREESWANSRCDIR}/Makefile.inc ${FREESWANSRCDIR}/Makefile.ver
+ cat $< | sed -e "s/xxx/$(IPSECVERSION)/" \
+ -e "s:@IPSEC_DIR@:$(FINALBINDIR):" \
+ -e "s:@IPSEC_EXECDIR@:$(FINALLIBEXECDIR):" \
+ -e "s:@IPSEC_SBINDIR@:$(FINALSBINDIR):" \
+ -e "s:@IPSEC_LIBDIR@:$(FINALLIBDIR):" \
+ -e "s:@FINALCONFDIR@:$(FINALCONFDIR):" \
+ -e "s:@EXAMPLECONFDIR@:$(EXAMPLECONFDIR):" \
+ -e "s:@FINALDOCDIR@:$(FINALDOCDIR):" \
+ -e "s:@FINALEXAMPLECONFDIR@:$(FINALEXAMPLECONFDIR):" \
+ -e "s:@MODULE_GOO_LIST@:$(MODULE_GOO_LIST):" \
+ -e "s:@IPSEC_CONFS@:$(FINALCONFDIR):" \
+ -e "s:@IPSEC_CONFDDIR@:$(FINALCONFDDIR):" \
+ -e "s:@USE_IPROUTE2@:$(USE_IPROUTE2):" \
+ -e "s:@IPSEC_FIREWALLTYPE@:$(IPSEC_FIREWALLTYPE):" \
+ | cat >$@
+ if [ -x $< ]; then chmod +x $@; fi
+ if [ "${PROGRAM}.in" = $< ]; then chmod +x $@; fi
+
+cleanall: clean
+
+distclean: clean
+
+mostlyclean: clean
+
+realclean: clean
+
+clean::
+ifneq ($(strip $(PROGRAM)),)
+ @if [ -r $(PROGRAM).in ]; then rm -f $(PROGRAM); fi
+ @if [ -r $(PROGRAM).c ]; then rm -f $(PROGRAM); fi
+ @if [ -n "$(OBJS)" ]; then rm -f $(PROGRAM); fi
+endif
+ @rm -f *.o
+
+checkprograms:
+
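Review bot: `LDFLAGS=-L$(LD_LIBRARY_PATH)` in the block near the top hands the whole value of LD_LIBRARY_PATH to the linker as a single `-L` directory, which is wrong as soon as the variable is a colon-separated list (its usual form), and the plain `=` replaces any LDFLAGS inherited from the environment instead of extending it; a run-time loader path is not a link-time search path, so the rule should be dropped, or at least written as `LDFLAGS+=$(addprefix -L,$(subst :, ,$(LD_LIBRARY_PATH)))`. The comment `# die if there are any warnings` above the WERROR block is stale, because its only use, `#CFLAGS+= ${WERROR}`, is commented out; either enable it or reword the comment. The `%: %.in` rule uses `:` as the sed delimiter while substituting installation directories, so the recipe breaks if any of those paths contains a colon; a delimiter that is unlikely to appear in a path is safer.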
diff --git a/programs/_confread/.cvsignore b/programs/_confread/.cvsignore
new file mode 100644
index 000000000..405492384
--- /dev/null
+++ b/programs/_confread/.cvsignore
@@ -0,0 +1,7 @@
+_confread
+ipsec.conf
+block
+clear
+private
+clear-or-private
+private-or-clear
diff --git a/programs/_confread/Makefile b/programs/_confread/Makefile
new file mode 100644
index 000000000..1bdc9a3f0
--- /dev/null
+++ b/programs/_confread/Makefile
@@ -0,0 +1,27 @@
+# Makefile for miscelaneous programs
+# Copyright (C) 2002 Michael Richardson
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version. See .
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# for more details.
+#
+# RCSID $Id: Makefile,v 1.2 2004/03/31 19:23:00 as Exp $
+
+FREESWANSRCDIR=../..
+include ${FREESWANSRCDIR}/Makefile.inc
+
+PROGRAM=_confread
+PROGRAMDIR=${LIBDIR}
+EXTRA5MAN=ipsec.conf.5
+CONFFILES=ipsec.conf
+
+CONFDSUBDIR=policies
+CONFDFILES=clear clear-or-private private-or-clear private block
+
+include ../Makefile.program
diff --git a/programs/_confread/README.conf.V2 b/programs/_confread/README.conf.V2
new file mode 100644
index 000000000..244e245c5
--- /dev/null
+++ b/programs/_confread/README.conf.V2
@@ -0,0 +1,103 @@ +Subject: [Design] changes to ipsec.conf +# RCSID $Id: README.conf.V2,v 1.1 2004/03/15 20:35:27 as Exp $ + +We are changing ipsec.conf for the 2.0 series of FreeS/WAN. + +OE is enabled by default. This is accomplished by automatically +defining a conn "OEself" UNLESS the sysadmin defines one with the same +name: + +conn OEself + # authby=rsasig # default + left=%defaultroute + leftrsasigkey=%dnsondemand # default + right=%opportunistic + rightrsasigkey=%dnsondemand # default + keyingtries=3 + ikelifetime=1h + keylife=1h # default + rekey=no + # disablearrivalcheck=no # default + auto=route + +This will only work if %defaultroute works. +The leftid will be the resulting IP address (won't work if +you haven't filled in the reverse DNS entry). +Unlike other conns, nothing in this implicit conn is changed by conn %default. + +We'd like a better name. A conn name starting with % cannot be +defined by the sysadmin, so that is out. Names that haven't grabbed +us: OEhost, OElocalhost, OEthishost, OEforself, OE4self. + +There is no requirement to have /etc/ipsec.conf. If you do, the first +significant line (non-blank, non-comment) must be (not indented): +version 2.0 +This signifies that the file was intended for FreeS/WAN version 2.0. + + +The following table shows most changes. "-" means that the option +doesn't exist. "Recent Boilerplate" shows the effect of the "conn +%default" in the automatically installed /etc/ipsec.conf (not +installed if you already had one). 
+ +Option Old Default Recent Boilerplate New Default +====== =========== ================== =========== + +config setup: +interfaces "" %defaultroute %defaultroute +plutoload "" %search - [same as %search] +plutostart "" %search - [same as %search] +uniqueids no yes yes +rp_filter - - 0 +plutowait yes yes no +dump no no - [use dumpdir] +plutobackgroundload ignored ignored - +no_eroute_pass no no - [use packetdefault] + +conn %default: +keyingtries 3 0 %forever [0 means this] +disablearrivalcheck yes no no +authby secret rsasig rsasig +leftrsasigkey "" %dnsondemand %dnsondemand +rightrsasigkey "" %dnsondemand %dnsondemand +lifetime ==keylife ==keylife - [use keylife] +rekeystart ==rekeymargin ==rekeymargin - [use rekeymargin] +rekeytries ==keyingtries ==keyingtries - [use keyingtries] + +====== =========== ================== =========== +Option Old Default Recent Boilerplate New Default + + +The auto= mechanism has been extended to support manual conns. If you +specify auto=manual in a conn, an "ipsec manual" will be performed on +it at startup (ipsec setup start). + + +There is a new config setup option "rp_filter". It controls + /proc/sys/net/ipv4/conf/PHYS/rp_filter +for each PHYSical IP interface used by FreeS/WAN. Settings are: + %unchanged do not touch (but warn if wrong) + 0 set to 0; default; means: no filtering + 1 set to 1; means: loose filter + 2 set to 1; means: strict filter +0 is often necessary for FreeS/WAN to function. Some folks +want other settings. Shutting down FreeS/WAN does not restore +the original value. + +Currently ikelife defaults to 1 hour and keylife defaults to 8 hours. +There have been some rumblings that these are the wrong defaults, but +it isn't clear what would be best. Perhaps both should be closer. +Any thoughts of what these should be? Any Road Warrior or OE conn +should probably have carefully thought-out values explicitly +specified. The settings don't matter much for VPN connections. 
+ +keyingtries=%forever is the new improved notation for keyingtries=0. +Eventually the 0 notation will be eliminated. + +Some options can now be set to %none to signify no setting. Otherwise +there would be no way for the user to override a default setting: + leftrsasigkey, rightrsasigkey [added in 1.98] + interfaces + +Hugh Redelmeier +hugh@mimosa.com voice: +1 416 482-8253 diff --git a/programs/_confread/_confread.8 b/programs/_confread/_confread.8 new file mode 100644 index 000000000..20d92a002 --- /dev/null +++ b/programs/_confread/_confread.8 @@ -0,0 +1,28 @@ +.TH _CONFREAD 8 "25 Apr 2002" +.\" +.\" RCSID $Id: _confread.8,v 1.1 2004/03/15 20:35:27 as Exp $ +.\" +.SH NAME +ipsec _confread \- internal routing to parse config file +.SH DESCRIPTION +.I _confread +is an internal script used for parsing /etc/ipsec.conf into a canonical format. +.SH "SEE ALSO" +ipsec(8), ipsec_conf(8) +.SH HISTORY +Man page written for the Linux FreeS/WAN project +by Michael Richardson. Program written by Henry Spencer. +.\" +.\" $Log: _confread.8,v $ +.\" Revision 1.1 2004/03/15 20:35:27 as +.\" added files from freeswan-2.04-x509-1.5.3 +.\" +.\" Revision 1.3 2002/09/16 01:28:43 dhr +.\" +.\" typo +.\" +.\" Revision 1.2 2002/04/29 22:39:31 mcr +.\" added basic man page for all internal commands. +.\" +.\" +.\" diff --git a/programs/_confread/_confread.in b/programs/_confread/_confread.in new file mode 100755 index 000000000..4561af9fe --- /dev/null +++ b/programs/_confread/_confread.in 
@@ -0,0 +1,520 @@
+#!/bin/sh
+# configuration-file reader utility
+# Copyright (C) 1999-2002 Henry Spencer.
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version. See .
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# for more details.
+#
+# RCSID $Id: _confread.in,v 1.15 2006/04/20 04:42:12 as Exp $
+#
+# Extract configuration info from /etc/ipsec.conf, repackage as assignments
+# to shell variables or tab-delimited fields. Success or failure is reported
+# inline, as extra data, due to the vagaries of shell backquote handling.
+# In the absence of --varprefix, output is tab-separated fields, like:
+# = sectionname
+# : parameter value
+# ! status (empty for success, else complaint)
+# In the presence of (say) "--varprefix IPSEC", output is like:
+# IPSEC_confreadsection="sectionname"
+# IPSECparameter="value"
+# IPSEC_confreadstatus="status" (same empty/complaint convention)
+#
+# The "--search parametername" option inverts the search: instead of
+# yielding the parameters of the specified name(s), it yields the names
+# of sections with parameter having (one of) the
+# specified value(s). In this case, --varprefix output is a list of
+# names in the _confreadnames variable. Search values with
+# white space in them are currently not handled properly.
+#
+# Typical usage:
+# eval `ipsec _confread --varprefix IPSEC --type config setup`
+# if test " $IPSEC_confreadstatus" != " "
+# then
+# echo "$0: $IPSEC_confreadstatus -- aborting" 2>&1
+# exit 1
+# fi
+
+# absent default config file treated as empty
+config=${IPSEC_CONFS-@FINALCONFDIR@}/ipsec.conf
+if test ! -f "$config" ; then config=/dev/null ; fi
+
+include=yes
+type=conn
+fieldfmt=yes
+prefix=
+search=
+export=0
+version=
+optional=0
+me="ipsec _confread"
+
+for dummy
+do
+ case "$1" in
+ --config) config="$2" ; shift ;;
+ --noinclude) include= ;;
+ --type) type="$2" ; shift ;;
+ --varprefix) fieldfmt=
+ prefix="$2"
+ shift ;;
+ --export) export=1 ;;
+ --search) search="$2" ; shift ;;
+ --version) echo "$me $IPSEC_VERSION" ; exit 0 ;;
+ --optional) optional=1 ;;
+ --) shift ; break ;;
+ -*) echo "$0: unknown option \`$1'" >&2 ; exit 2 ;;
+ *) break ;;
+ esac
+ shift
+done
+
+if test "$include"
+then
+ ipsec _include --inband $config
+else
+ cat $config
+fi |
+awk 'BEGIN {
+ type = "'"$type"'"
+ names = "'"$*"'"
+ prefix = "'"$prefix"'"
+ export = "'"$export"'"
+ optional = 0 + '"$optional"'
+ myid = "'"$IPSECmyid"'"
+ search = "'"$search"'"
+ searching = 0
+ if (search != "") {
+ searching = 1
+ searchpat = search "[ \t]*=[ \t]*"
+ }
+ fieldfmt = 0
+ if ("'"$fieldfmt"'" == "yes")
+ fieldfmt = 1
+ including = 0
+ if ("'"$include"'" == "yes")
+ including = 1
+ filename = "'"$config"'"
+ lineno = 0
+ originalfilename = filename
+ if (fieldfmt)
+ bq = eq = "\""
+ else
+ bq = eq = "\\\""
+ failed = 0
+ insection = 0
+ wrongtype = 0
+ indefault = 0
+ outputting = 0
+ sawnondefault = 0
+ OFS = "\t"
+ o_status = "!"
+ o_parm = ":"
+ o_section = "="
+ o_names = "%"
+ o_end = "."
+ n = split(names, na, " ")
+ if (n == 0)
+ fail("no section names supplied")
+ for (i = 1; i <= n; i++) {
+ if (na[i] in wanted)
+ fail("section " bq na[i] eq " requested more than once")
+ wanted[na[i]] = 1
+ pending[na[i]] = 1
+ if (!searching && na[i] !~ /^[a-zA-Z][a-zA-Z0-9._-]*$/)
+ fail("invalid section name " bq na[i] eq)
+ }
+
+ good = "also alsoflip type auto authby _plutodevel"
+ left = " left leftsubnet leftnexthop leftfirewall lefthostaccess leftupdown"
+ akey = " keyexchange auth pfs keylife rekey rekeymargin rekeyfuzz"
+ akey = akey " dpdaction dpddelay dpdtimeout"
+ akey = akey " pfsgroup compress"
+ akey = akey " keyingtries ikelifetime disablearrivalcheck failureshunt ike"
+ mkey = " spibase spi esp espenckey espauthkey espreplay_window"
+ left = left " leftespenckey leftespauthkey leftahkey"
+ left = left " leftespspi leftahspi leftid leftrsasigkey leftrsasigkey2"
+ left = left " leftsendcert leftcert leftca leftsubnetwithin leftprotoport"
+ left = left " leftgroups leftsourceip"
+ mkey = mkey " ah ahkey ahreplay_window"
+ right = left
+ gsub(/left/, "right", right)
+ n = split(good left right akey mkey, g)
+ for (i = 1; i <= n; i++)
+ goodnames["conn:" g[i]] = 1
+
+ good = "also interfaces forwardcontrol myid"
+ good = good " syslog klipsdebug plutodebug plutoopts plutostderrlog"
+ good = good " plutorestartoncrash"
+ good = good " dumpdir manualstart pluto"
+ good = good " plutowait prepluto postpluto"
+ good = good " fragicmp hidetos rp_filter uniqueids"
+ good = good " overridemtu pkcs11module pkcs11keepstate pkcs11proxy"
+ good = good " nocrsend strictcrlpolicy crlcheckinterval cachecrls"
+ good = good " nat_traversal keep_alive force_keepalive"
+ good = good " disable_port_floating virtual_private"
+
+ n = split(good, g)
+ for (i = 1; i <= n; i++)
+ goodnames["config:" g[i]] = 1
+
+ good = "auto cacert ldaphost ldapbase crluri crluri2 ocspuri"
+ good = good " strictcrlpolicy"
+
+ n = split(good, g)
+ for (i = 1; i <= n; i++)
+ goodnames["ca:" g[i]] = 1
+
+ goodtypes["conn"] = 1
+ goodtypes["config"] = 1
+ goodtypes["ca"] = 1
+
+ badchars = ""
+ for (i = 1; i < 32; i++)
+ badchars = badchars sprintf("%c", i)
+ for (i = 127; i < 128+32; i++)
+ badchars = badchars sprintf("%c", i)
+ badchar = "[" badchars "]"
+
+ # if searching, seen is set of sectionnames which match
+ # if not searching, seen is set of parameter names found
+ seen[""] = ""
+ defaults[""] = ""
+ usesdefault[""] = ""
+ orientation = 1
+}
+
+
+
+function output(code, v1, v2) {
+ if (code == o_parm) {
+ if (v2 == "") # suppress empty parameters
+ return
+ if (privatename(v1)) # and private ones
+ return
+ if (v2 ~ badchar)
+ fail("parameter value " bq v2 eq " contains unprintable character")
+ }
+
+ if (fieldfmt) {
+ print code, v1, v2
+ return
+ }
+
+ if (code == o_status) {
+ v2 = v1
+ v1 = "_confreadstatus"
+ } else if (code == o_section) {
+ v2 = v1
+ v1 = "_confreadsection"
+ } else if (code == o_names) {
+ v2 = v1
+ v1 = "_confreadnames"
+ } else if (code != o_parm)
+ return # currently no variable version of o_end
+
+ print prefix v1 "=\"" v2 "\""
+ if (export)
+ print "export " prefix v1
+}
+function searchfound(sectionname, n, i, reflist) {
+ # a hit in x is a hit in everybody who refers to x too
+ n = split(refsto[sectionname], reflist, ";")
+ for (i = 1; i <= n; i++)
+ if (reflist[i] in seen)
+ fail("duplicated parameter " bq search eq)
+ else
+ seen[reflist[i]] = 1
+ seen[sectionname] = 1
+}
+function fail(msg) {
+ output(o_status, ("(" filename ", line " lineno ") " msg))
+ failed = 1
+ while ((getline junk) > 0)
+ continue
+ exit
+}
+function badname(n) {
+ if ((type ":" n) in goodnames)
+ return 0
+ if (privatename(n))
+ return 0
+ return 1
+}
+function privatename(n) {
+ if (n ~ /^[xX][-_]/)
+ return 1
+ return 0
+}
+function orient(n) {
+ if (orientation == -1) {
+ if (n ~ /left/)
+ gsub(/left/, "right", n)
+ else if (n ~ /right/)
+ gsub(/right/, "left", n)
+ }
+ return n
+}
+# in searching, referencing is transitive: xyz->from->to
+function chainref(from, to, i, reflist, listnum) {
+ if (from in refsto) {
+ listnum = split(refsto[from], reflist, ";")
+ for (i = 1; i <= listnum; i++)
+ chainref(reflist[i], to)
+ }
+ if (to in refsto)
+ refsto[to] = refsto[to] ";" from
+ else
+ refsto[to] = from
+}
+
+# start of rules
+
+{
+ lineno++
+ # lineno is now the number of this line
+
+ # we must remember indentation because comment stripping loses it
+ exdented = $0 !~ /^[ \t]/
+ sub(/^[ \t]+/, "") # get rid of leading white space
+ sub(/[ \t]+$/, "") # get rid of trailing white space
+}
+including && $0 ~ /^#[<>:]/ {
+ # _include control line
+ if ($1 ~ /^#[<>]$/) {
+ filename = $2
+ lineno = $3 - 1
+ } else if ($0 ~ /^#:/) {
+ msg = substr($0, 3)
+ gsub(/"/, "\\\"", msg)
+ fail(msg)
+ }
+ next
+}
+exdented {
+ # any non-leading-white-space line is a section end
+ ### but not the end of relevant stuff, might be also= sections later
+ ###if (insection && !indefault && !searching && outputting)
+ ### output(o_end)
+ insection = 0
+ wrongtype = 0
+ indefault = 0
+ outputting = 0
+}
+/[ \t]#/ {
+ # strip trailing comments including the leading whitespace
+ # tricky because we must respect quotes
+ q = 0
+ for (i = 1; i <= NF; i++) {
+ if ($i ~ /^#/ && q % 2 == 0) {
+ NF = i - 1;
+ break
+ }
+ # using $i in gsub loses whitespace?!?
+ junk = $i
+ q += gsub(/"/, "&", junk)
+ }
+}
+$0 == "" || $0 ~ /^#/ {
+ # empty lines and comments are ignored
+ next
+}
+exdented && NF != 2 {
+ # bad section header
+ fail("section header " bq $0 eq " has wrong number of fields (" NF ")")
+}
+exdented && $1 == "version" {
+ version = $2 + 0
+ if (version < 2.0 || 2.0 < version)
+ fail("we only support version 2.0 ipsec.conf files, not " bq version eq)
+ next
+}
+version == "" {
+ fail("we only support version 2 ipsec.conf files")
+}
+exdented && !($1 in goodtypes) {
+ # unknown section type
+ fail("section type " bq $1 eq " not recognized")
+}
+exdented && $1 != type {
+ # section header, but not of the type we want
+ insection = 1
+ wrongtype = 1
+ next
+}
+extented {
+ # type fits
+ wrongtype = 0
+}
+exdented && $1 == "config" && $2 != "setup" {
+ fail("unknown config section " bq $2 eq)
+}
+exdented && $2 != "%default" {
+ # non-default section header of our type
+ sawnondefault = 1
+}
+exdented && searching && $2 != "%default" {
+ # section header, during search
+ insection = 1
+ sectionname = $2
+ usesdefault[sectionname] = 1 # tentatively
+ next
+}
+exdented && !searching && $2 in wanted {
+ # one of our wanted section headers
+ if (!($2 in pending))
+ fail("duplicate " type " section " bq $2 eq)
+ delete pending[$2]
+ tag = bq type " " $2 eq
+ outputting = 1
+ insection = 1
+ orientation = wanted[$2]
+ output(o_section, $2)
+ next
+}
+exdented && $2 == "%default" {
+ # relevant default section header
+ if (sawnondefault)
+ fail(bq $1 " %default" eq " sections must precede non-default ones")
+ tag = bq type " " $2 eq
+ indefault = 1
+ next
+}
+exdented {
+ # section header, but not one we want
+ insection = 1
+ next
+}
+!insection && !indefault {
+ # starts with white space but not in a section... oops
+ fail("parameter is not within a section")
+}
+!wrongtype && searching && $0 ~ searchpat {
+ # search found the right parameter name
+ match($0, searchpat)
+ rest = substr($0, RLENGTH+1)
+ if (rest ~ /^".*"$/)
+ rest = substr(rest, 2, length(rest)-2)
+ if (!indefault) {
+ if (!usesdefault[sectionname])
+ fail("duplicated parameter " bq search eq)
+ usesdefault[sectionname] = 0
+ } else if (search in defaults)
+ fail("duplicated parameter " bq search eq)
+ if (rest in wanted) { # a hit
+ if (indefault)
+ defaults[search] = rest
+ else
+ searchfound(sectionname)
+ } else {
+ # rather a kludge, but must check this somewhere
+ if (search == "auto" && rest !~ /^(add|route|start|ignore|manual)$/)
+ fail("illegal auto value " bq rest eq)
+ }
+ next
+}
+!searching && !outputting && !indefault {
+ # uninteresting line
+ next
+}
+$0 ~ /"/ && $0 !~ /^[^=]+=[ \t]*"[^"]*"$/ {
+ if (!searching)
+ fail("mismatched quotes in parameter value")
+ else
+ gsub(/"/, "", $0)
+}
+$0 !~ /^[a-zA-Z_][a-zA-Z0-9_-]*[ \t]*=/ {
+ if (searching)
+ next # just ignore it
+ fail("syntax error or illegal parameter name")
+}
+{
+ sub(/[ \t]*=[ \t]*/, "=") # get rid of white space around =
+}
+$0 ~ /^(also|alsoflip)=/ {
+ v = orientation
+ if ($0 ~ /^alsoflip/)
+ v = -v;
+ if (indefault)
+ fail("%default section may not contain " bq "also" eq " or " bq "alsoflip" eq " parameter")
+ sub(/^(also|alsoflip)=/, "")
+ if ($0 !~ /^[a-zA-Z][a-zA-Z0-9._-]*$/)
+ fail("invalid section name " bq $0 eq)
+ if (!searching) {
+ if ($0 in wanted)
+ fail("section " bq $0 eq " requested more than once")
+ wanted[$0] = v
+ pending[$0] = 1
+ } else
+ chainref(sectionname, $0)
+ next
+}
+!outputting && !indefault {
+ # uninteresting line even for a search
+ next
+}
+{
+ equal = match($0, /[=]/)
+ name = substr($0, 1, equal-1)
+ if (badname(name))
+ fail("unknown parameter name " bq name eq)
+ value = substr($0, equal+1)
+ if (value ~ /^"/)
+ value = substr(value, 2, length(value)-2)
+ else if (value ~ /[ \t]/)
+ fail("white space within non-quoted parameter " bq name eq)
+}
+indefault {
+ if (name in defaults)
+ fail("duplicated default parameter " bq name eq)
+ defaults[name] = value
+ next
+}
+{
+ name = orient(name)
+ if (name in seen)
+ fail("duplicated parameter " bq name eq)
+ seen[name] = 1
+ output(o_parm, name, value)
+}
+END {
+ if (failed)
+ exit 1
+
+ filename = originalfilename
+ unseen = ""
+ for (i in pending)
+ unseen = unseen " " i
+ if (!optional && !searching && unseen != "")
+ fail("did not find " type " section(s) " bq substr(unseen, 2) eq)
+ if (!searching) {
+ for (name in defaults)
+ if (!(name in seen))
+ output(o_parm, name, defaults[name])
+ } else {
+ if (defaults[search] in wanted)
+ for (name in usesdefault)
+ if (usesdefault[name])
+ seen[name] = 1
+ delete seen[""]
+ if (fieldfmt)
+ for (name in seen)
+ output(o_section, name)
+ else {
+ outlist = ""
+ for (name in seen)
+ if (outlist == "")
+ outlist = name
+ else
+ outlist = outlist " " name
+ output(o_names, outlist)
+ }
+ }
+ output(o_status, "")
+}'
diff --git a/programs/_confread/block.in b/programs/_confread/block.in
new file mode 100644
index 000000000..e3a4b2dd5
--- /dev/null
+++ b/programs/_confread/block.in
@@ -0,0 +1,8 @@
+# This file defines the set of CIDRs (network/mask-length) to which
+# communication should never be allowed.
+#
+# See @FINALDOCDIR@/policygroups.html for details.
+#
+# $Id: block.in,v 1.1 2004/03/15 20:35:27 as Exp $
+#
+
diff --git a/programs/_confread/clear-or-private.in b/programs/_confread/clear-or-private.in
new file mode 100644
index 000000000..800093d94
--- /dev/null
+++ b/programs/_confread/clear-or-private.in
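Review bot: The rule `extented {` between `exdented && $1 != type {` and `exdented && $1 == "config" && $2 != "setup" {` names a variable that is never assigned, so the rule never fires; it is evidently a typo for `exdented {`, and is only harmless because the earlier `exdented {` rule already clears `wrongtype`, so either correct the name or delete the rule. The shell values `$type`, `$*`, `$prefix`, `$search` and `$config` are spliced into the awk program text with `"'"$var"'"`, so a section name or `--config` path containing a quote breaks or alters the program; passing them as `awk -v type="$type" -v names="$*" ...` variables avoids that, and the `cat $config` fallback should quote its argument. In `--varprefix` mode `output()` prints `prefix v1 "=\"" v2 "\""` for the caller's `eval` (see the usage comment at the top of the file), but the `badchar` check only rejects control characters, so `$`, backquote and backslash in a parameter value are still interpreted by the consuming shell; `output()` should backslash-escape those three characters or treat them like unprintable ones.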
@@ -0,0 +1,8 @@
+# This file defines the set of CIDRs (network/mask-length) to which
+# we will communicate in the clear, or, if the other side initiates IPSEC,
+# using encryption. This behaviour is also called "Opportunistic Responder".
+#
+# See @FINALDOCDIR@/policygroups.html for details.
+#
+# $Id: clear-or-private.in,v 1.1 2004/03/15 20:35:27 as Exp $
+#
diff --git a/programs/_confread/clear.in b/programs/_confread/clear.in
new file mode 100644
index 000000000..46e63388e
--- /dev/null
+++ b/programs/_confread/clear.in
@@ -0,0 +1,7 @@
+# This file defines the set of CIDRs (network/mask-length) to which
+# communication should always be in the clear.
+#
+# See @FINALDOCDIR@/policygroups.html for details.
+#
+# $Id: clear.in,v 1.1 2004/03/15 20:35:27 as Exp $
+#
diff --git a/programs/_confread/ipsec.conf.5 b/programs/_confread/ipsec.conf.5
new file mode 100644
index 000000000..af6fae6bd
--- /dev/null
+++ b/programs/_confread/ipsec.conf.5
@@ -0,0 +1,1286 @@ +.TH IPSEC.CONF 5 "20 Jan 2006" +.\" RCSID $Id: ipsec.conf.5,v 1.2 2006/01/22 15:33:46 as Exp $ +.SH NAME +ipsec.conf \- IPsec configuration and connections +.SH DESCRIPTION +The optional +.I ipsec.conf +file +specifies most configuration and control information for the +strongSwan IPsec subsystem. +(The major exception is secrets for authentication; +see +.IR ipsec.secrets (5).) +Its contents are not security-sensitive +.I unless +manual keying is being done for more than just testing, +in which case the encryption/authentication keys in the +descriptions for the manually-keyed connections are very sensitive +(and those connection descriptions +are probably best kept in a separate file, +via the include facility described below). +.PP +The file is a text file, consisting of one or more +.IR sections . +White space followed by +.B # +followed by anything to the end of the line +is a comment and is ignored, +as are empty lines which are not within a section. +.PP +A line which contains +.B include +and a file name, separated by white space, +is replaced by the contents of that file, +preceded and followed by empty lines. +If the file name is not a full pathname, +it is considered to be relative to the directory containing the +including file. +Such inclusions can be nested. +Only a single filename may be supplied, and it may not contain white space, +but it may include shell wildcards (see +.IR sh (1)); +for example: +.PP +.B include +.B "ipsec.*.conf" +.PP +The intention of the include facility is mostly to permit keeping +information on connections, or sets of connections, +separate from the main configuration file. +This permits such connection descriptions to be changed, +copied to the other security gateways involved, etc., +without having to constantly extract them from the configuration +file and then insert them back into it. +Note also the +.B also +parameter (described below) which permits splitting a single logical +section (e.g. 
a connection description) into several actual sections. +.PP +The first significant line of the file must specify the version +of this specification that it conforms to: +.PP +\fBversion 2\fP +.PP +A section +begins with a line of the form: +.PP +.I type +.I name +.PP +where +.I type +indicates what type of section follows, and +.I name +is an arbitrary name which distinguishes the section from others +of the same type. +(Names must start with a letter and may contain only +letters, digits, periods, underscores, and hyphens.) +All subsequent non-empty lines +which begin with white space are part of the section; +comments within a section must begin with white space too. +There may be only one section of a given type with a given name. +.PP +Lines within the section are generally of the form +.PP +\ \ \ \ \ \fIparameter\fB=\fIvalue\fR +.PP +(note the mandatory preceding white space). +There can be white space on either side of the +.BR = . +Parameter names follow the same syntax as section names, +and are specific to a section type. +Unless otherwise explicitly specified, +no parameter name may appear more than once in a section. +.PP +An empty +.I value +stands for the system default value (if any) of the parameter, +i.e. it is roughly equivalent to omitting the parameter line entirely. +A +.I value +may contain white space only if the entire +.I value +is enclosed in double quotes (\fB"\fR); +a +.I value +cannot itself contain a double quote, +nor may it be continued across more than one line. +.PP +Numeric values are specified to be either an ``integer'' +(a sequence of digits) or a ``decimal number'' +(sequence of digits optionally followed by `.' and another sequence of digits). +.PP +There is currently one parameter which is available in any type of +section: +.TP +.B also +the value is a section name; +the parameters of that section are appended to this section, +as if they had been written as part of it. 
+The specified section must exist, must follow the current one, +and must have the same section type. +(Nesting is permitted, +and there may be more than one +.B also +in a single section, +although it is forbidden to append the same section more than once.) +This allows, for example, keeping the encryption keys +for a connection in a separate file +from the rest of the description, by using both an +.B also +parameter and an +.B include +line. +.PP +Parameter names beginning with +.B x- +(or +.BR X- , +or +.BR x_ , +or +.BR X_ ) +are reserved for user extensions and will never be assigned meanings +by IPsec. +Parameters with such names must still observe the syntax rules +(limits on characters used in the name; +no white space in a non-quoted value; +no newlines or double quotes within the value). +All other as-yet-unused parameter names are reserved for future IPsec +improvements. +.PP +A section with name +.B %default +specifies defaults for sections of the same type. +For each parameter in it, +any section of that type which does not have a parameter of the same name +gets a copy of the one from the +.B %default +section. +There may be multiple +.B %default +sections of a given type, +but only one default may be supplied for any specific parameter name, +and all +.B %default +sections of a given type must precede all non-\c +.B %default +sections of that type. +.B %default +sections may not contain the +.B also +parameter. +.PP +Currently there are three types of sections: +a +.B config +section specifies general configuration information for IPsec, a +.B conn +section specifies an IPsec connection, while a +.B ca +section specifies special properties a certification authority. +.SH "CONN SECTIONS" +A +.B conn +section contains a +.IR "connection specification" , +defining a network connection to be made using IPsec. +The name given is arbitrary, and is used to identify the connection to +.IR ipsec_auto (8) +and +.IR ipsec_manual (8). 
+Here's a simple example: +.PP +.ne 10 +.nf +.ft B +.ta 1c +conn snt + left=10.11.11.1 + leftsubnet=10.0.1.0/24 + leftnexthop=172.16.55.66 + right=192.168.22.1 + rightsubnet=10.0.2.0/24 + rightnexthop=172.16.88.99 + keyingtries=%forever +.ft +.fi +.PP +A note on terminology... +In automatic keying, there are two kinds of communications going on: +transmission of user IP packets, and gateway-to-gateway negotiations for +keying, rekeying, and general control. +The data path (a set of ``IPsec SAs'') used for user packets is herein +referred to as the ``connection''; +the path used for negotiations (built with ``ISAKMP SAs'') is referred to as +the ``keying channel''. +.PP +To avoid trivial editing of the configuration file to suit it to each system +involved in a connection, +connection specifications are written in terms of +.I left +and +.I right +participants, +rather than in terms of local and remote. +Which participant is considered +.I left +or +.I right +is arbitrary; +IPsec figures out which one it is being run on based on internal information. +This permits using identical connection specifications on both ends. +There are cases where there is no symmetry; a good convention is to +use +.I left +for the local side and +.I right +for the remote side (the first letters are a good mnemonic). +.PP +Many of the parameters relate to one participant or the other; +only the ones for +.I left +are listed here, but every parameter whose name begins with +.B left +has a +.B right +counterpart, +whose description is the same but with +.B left +and +.B right +reversed. +.PP +Parameters are optional unless marked ``(required)''; +a parameter required for manual keying need not be included for +a connection which will use only automatic keying, and vice versa. +.SS "CONN PARAMETERS: GENERAL" +The following parameters are relevant to both automatic and manual keying. 
+Unless otherwise noted,
+for a connection to work,
+in general it is necessary for the two ends to agree exactly
+on the values of these parameters.
+.TP 14
+.B type
+the type of the connection; currently the accepted values
+are
+.B tunnel
+(the default)
+signifying a host-to-host, host-to-subnet, or subnet-to-subnet tunnel;
+.BR transport ,
+signifying host-to-host transport mode;
+.BR passthrough ,
+signifying that no IPsec processing should be done at all;
+.BR drop ,
+signifying that packets should be discarded; and
+.BR reject ,
+signifying that packets should be discarded and a diagnostic ICMP returned.
+.TP
+.B left
+(required)
+the IP address of the left participant's public-network interface,
+in any form accepted by
+.IR ipsec_ttoaddr (3)
+or one of several magic values.
+If it is
+.BR %defaultroute ,
+and
+the
+.B config
+.B setup
+section's,
+.B interfaces
+specification contains
+.BR %defaultroute,
+.B left
+will be filled in automatically with the local address
+of the default-route interface (as determined at IPsec startup time);
+this also overrides any value supplied for
+.BR leftnexthop .
+(Either
+.B left
+or
+.B right
+may be
+.BR %defaultroute ,
+but not both.)
+The value
+.B %any
+signifies an address to be filled in (by automatic keying) during
+negotiation.
+The value
+.B %opportunistic
+signifies that both
+.B left
+and
+.B leftnexthop
+are to be filled in (by automatic keying) from DNS data for
+.BR left 's
+client.
+The values
+.B %group
+and
+.B %opportunisticgroup
+makes this a policy group conn: one that will be instantiated
+into a regular or opportunistic conn for each CIDR block listed in the
+policy group file with the same name as the conn.
+.TP
+.B leftsubnet
+private subnet behind the left participant, expressed as
+\fInetwork\fB/\fInetmask\fR
+(actually, any form acceptable to
+.IR ipsec_ttosubnet (3));
+if omitted, essentially assumed to be \fIleft\fB/32\fR,
+signifying that the left end of the connection goes to the left participant only
+.TP
+.B leftnexthop
+next-hop gateway IP address for the left participant's connection
+to the public network;
+defaults to
+.B %direct
+(meaning
+.IR right ).
+If the value is to be overridden by the
+.B left=%defaultroute
+method (see above),
+an explicit value must
+.I not
+be given.
+If that method is not being used,
+but
+.B leftnexthop
+is
+.BR %defaultroute ,
+and
+.B interfaces=%defaultroute
+is used in the
+.B config
+.B setup
+section,
+the next-hop gateway address of the default-route interface
+will be used.
+The magic value
+.B %direct
+signifies a value to be filled in (by automatic keying)
+with the peer's address.
+Relevant only locally, other end need not agree on it.
+.TP
+.B leftupdown
+what ``updown'' script to run to adjust routing and/or firewalling
+when the status of the connection
+changes (default
+.BR "ipsec _updown" ).
+May include positional parameters separated by white space
+(although this requires enclosing the whole string in quotes);
+including shell metacharacters is unwise.
+See
+.IR ipsec_pluto (8)
+for details.
+Relevant only locally, other end need not agree on it.
+.TP
+.B leftfirewall
+whether the left participant is doing forwarding-firewalling
+(including masquerading) for traffic from \fIleftsubnet\fR,
+which should be turned off (for traffic to the other subnet)
+once the connection is established;
+acceptable values are
+.B yes
+and (the default)
+.BR no .
+May not be used in the same connection description with
+.BR leftupdown .
+Implemented as a parameter to the default
+.I updown
+script.
+See notes below.
+Relevant only locally, other end need not agree on it.
+.PP
+If one or both security gateways are doing forwarding firewalling
+(possibly including masquerading),
+and this is specified using the firewall parameters,
+tunnels established with IPsec are exempted from it
+so that packets can flow unchanged through the tunnels.
+(This means that all subnets connected in this manner must have
+distinct, non-overlapping subnet address blocks.)
+This is done by the default
+.I updown
+script (see
+.IR ipsec_pluto (8)).
+.PP
+The implementation of this makes certain assumptions about firewall setup,
+notably the use of the old
+.I ipfwadm
+interface to the firewall.
+In situations calling for more control,
+it may be preferable for the user to supply his own
+.I updown
+script,
+which makes the appropriate adjustments for his system.
+.SS "CONN PARAMETERS: AUTOMATIC KEYING"
+The following parameters are relevant only to automatic keying,
+and are ignored in manual keying.
+Unless otherwise noted,
+for a connection to work,
+in general it is necessary for the two ends to agree exactly
+on the values of these parameters.
+.TP 14
+.B auto
+what operation, if any, should be done automatically at IPsec startup;
+currently-accepted values are
+.B add
+(signifying an
+.B ipsec auto
+.BR \-\-add ),
+.B route
+(signifying that plus an
+.B ipsec auto
+.BR \-\-route ),
+.B start
+(signifying that plus an
+.B ipsec auto
+.BR \-\-up ),
+.B manual
+(signifying an
+.B ipsec
+.B manual
+.BR \-\-up ),
+and
+.B ignore
+(also the default) (signifying no automatic startup operation).
+See the
+.B config
+.B setup
+discussion below.
+Relevant only locally, other end need not agree on it
+(but in general, for an intended-to-be-permanent connection,
+both ends should use
+.B auto=start
+to ensure that any reboot causes immediate renegotiation).
+.TP
+.B auth
+whether authentication should be done as part of
+ESP encryption, or separately using the AH protocol;
+acceptable values are
+.B esp
+(the default) and
+.BR ah .
+.TP
+.B authby
+how the two security gateways should authenticate each other;
+acceptable values are
+.B secret
+for shared secrets,
+.B rsasig
+for RSA digital signatures (the default),
+.B secret|rsasig
+for either, and
+.B never
+if negotiation is never to be attempted or accepted (useful for shunt-only conns).
+Digital signatures are superior in every way to shared secrets.
+.TP
+.B compress
+whether IPComp compression of content is proposed on the connection
+(link-level compression does not work on encrypted data,
+so to be effective, compression must be done \fIbefore\fR encryption);
+acceptable values are
+.B yes
+and
+.B no
+(the default).
+The two ends need not agree.
+A value of
+.B yes
+causes IPsec to propose both compressed and uncompressed,
+and prefer compressed.
+A value of
+.B no
+prevents IPsec from proposing compression;
+a proposal to compress will still be accepted.
+.TP
+.B disablearrivalcheck
+whether KLIPS's normal tunnel-exit check
+(that a packet emerging from a tunnel has plausible addresses in its header)
+should be disabled;
+acceptable values are
+.B yes
+and
+.B no
+(the default).
+Tunnel-exit checks improve security and do not break any normal configuration.
+Relevant only locally, other end need not agree on it.
+.TP
+.B dpdaction
+controls the use of the Dead Peer Detection protocol (DPD, RFC 3706) where
+R_U_THERE IKE notification messages are periodically sent in order to check the
+liveliness of the IPsec peer. The default is..
+.B none
+which disables the active sending of R_U_THERE notifications.
+Nevertheless pluto will always send the DPD Vendor ID during connection set up
+in order to signal the readiness to act passively as a responder if the peer
+wants to use DPD. The values
+.B clear
+and
+.B hold
+both activate DPD. If no activity is detected, all connections with a dead peer
+are stopped and unrouted (
+.B clear
+) or put in the hold state (
+.B hold
+).
+.TP
+.B dpddelay
+defines the period time interval with which R_U_THERE messages are sent to the peer.
+.TP
+.B dpdtimeout
+defines the timeout interval, after which all connections to a peer are deleted
+in case of inactivity.
+.TP
+.B failureshunt
+what to do with packets when negotiation fails.
+The default is
+.BR none :
+no shunt;
+.BR passthrough ,
+.BR drop ,
+and
+.B reject
+have the obvious meanings.
+.TP
+.B ikelifetime
+how long the keying channel of a connection (buzzphrase: ``ISAKMP SA'')
+should last before being renegotiated;
+acceptable values as for
+.B keyexchange
+method of key exchange;
+the default and currently the only accepted value is
+.B ike
+.TP
+.B keylife
+(default set by
+.IR ipsec_pluto (8),
+currently
+.BR 3h ,
+maximum
+.BR 24h ).
+The two-ends-disagree case is similar to that of
+.BR keylife .
+.TP
+.B keyingtries
+how many attempts (a whole number or \fB%forever\fP) should be made to
+negotiate a connection, or a replacement for one, before giving up
+(default
+.BR %forever ).
+The value \fB%forever\fP
+means ``never give up'' (obsolete: this can be written \fB0\fP).
+Relevant only locally, other end need not agree on it.
+.TP
+.B keylife
+how long a particular instance of a connection
+(a set of encryption/authentication keys for user packets) should last,
+from successful negotiation to expiry;
+acceptable values are an integer optionally followed by
+.BR s
+(a time in seconds)
+or a decimal number followed by
+.BR m ,
+.BR h ,
+or
+.B d
+(a time
+in minutes, hours, or days respectively)
+(default
+.BR 1h ,
+maximum
+.BR 24h ).
+Normally, the connection is renegotiated (via the keying channel)
+before it expires.
+The two ends need not exactly agree on
+.BR keylife ,
+although if they do not,
+there will be some clutter of superseded connections on the end
+which thinks the lifetime is longer.
+.TP
+.B leftca
+the distinguished name of a certificate authority which is required to
+lie in the trust path going from the left participant's certificate up
+to the root certification authority.
+.TP
+.B leftcert
+the path to the left participant's X.509 certificate. The file can be coded either in
+PEM or DER format. OpenPGP certificates are supported as well.
+Both absolute paths or paths relative to
+.B /etc/ipsec.d/certs
+are accepted. By default
+.B leftcert
+sets
+.B leftid
+to the distinguished name of the certificate's subject and
+.B leftca
+to the distinguished name of the certificate's issuer.
+The left participant's ID can be overriden by specifying a
+.B leftid
+value which must be certified by the certificate, though.
+.TP
+.B leftgroups
+a comma separated list of group names. If the
+.B leftgroups
+parameter is present then the peer must be a member of at least one
+of the groups defined by the parameter. Group membership must be certified
+by a valid attribute certificate stored in \fI/etc/ipsec.d/acerts\fP thas has been
+issued to the peer by a trusted Authorization Authority stored in
+\fI/etc/ipsec.d/aacerts\fP.
+.TP
+.B leftid
+how
+the left participant
+should be identified for authentication;
+defaults to
+.BR left .
+Can be an IP address (in any
+.IR ipsec_ttoaddr (3)
+syntax)
+or a fully-qualified domain name preceded by
+.B @
+(which is used as a literal string and not resolved).
+The magic value
+.B %myid
+stands for the current setting of \fImyid\fP.
+This is set in \fBconfig setup\fP or by \fIipsec_whack\fP(8)), or, if not set,
+it is the IP address in \fB%defaultroute\fP (if that is supported by a TXT record in its reverse domain), or otherwise
+it is the system's hostname (if that is supported by a TXT record in its forward domain), or otherwise it is undefined.
+.TP
+.B leftrsasigkey
+the left participant's
+public key for RSA signature authentication,
+in RFC 2537 format using
+.IR ipsec_ttodata (3)
+encoding.
+The magic value
+.B %none
+means the same as not specifying a value (useful to override a default).
+The value
+.B %cert
+(the default)
+means that the key is extracted from a certificate.
+The value
+.B %dnsondemand
+means the key is to be fetched from DNS at the time it is needed.
+The value
+.B %dnsonload
+means the key is to be fetched from DNS at the time
+the connection description is read from
+.IR ipsec.conf ;
+currently this will be treated as
+.B %none
+if
+.B right=%any
+or
+.BR right=%opportunistic .
+The value
+.B %dns
+is currently treated as
+.B %dnsonload
+but will change to
+.B %dnsondemand
+in the future.
+The identity used for the left participant
+must be a specific host, not
+.B %any
+or another magic value.
+.B Caution:
+if two connection descriptions
+specify different public keys for the same
+.BR leftid ,
+confusion and madness will ensue.
+.TP
+.B leftrsasigkey2
+if present, a second public key.
+Either key can authenticate the signature, allowing for key rollover.
+.TP
+.B leftsourceip
+.TP
+.B leftsubnetwithin
+.TP
+.B pfs
+whether Perfect Forward Secrecy of keys is desired on the connection's
+keying channel
+(with PFS, penetration of the key-exchange protocol
+does not compromise keys negotiated earlier);
+acceptable values are
+.B yes
+(the default)
+and
+.BR no .
+.TP
+.B rekey
+whether a connection should be renegotiated when it is about to expire;
+acceptable values are
+.B yes
+(the default)
+and
+.BR no .
+The two ends need not agree,
+but while a value of
+.B no
+prevents Pluto from requesting renegotiation,
+it does not prevent responding to renegotiation requested from the other end,
+so
+.B no
+will be largely ineffective unless both ends agree on it.
+.TP
+.B rekeyfuzz
+maximum percentage by which
+.B rekeymargin
+should be randomly increased to randomize rekeying intervals
+(important for hosts with many connections);
+acceptable values are an integer,
+which may exceed 100,
+followed by a `%'
+(default set by
+.IR ipsec_pluto (8),
+currently
+.BR 100% ).
+The value of
+.BR rekeymargin ,
+after this random increase,
+must not exceed
+.BR keylife .
+The value
+.B 0%
+will suppress time randomization.
+Relevant only locally, other end need not agree on it.
+.TP
+.B rekeymargin
+how long before connection expiry or keying-channel expiry
+should attempts to
+negotiate a replacement
+begin; acceptable values as for
+.B keylife
+(default
+.BR 9m ).
+Relevant only locally, other end need not agree on it.
+.SS "CONN PARAMETERS: MANUAL KEYING"
+The following parameters are relevant only to manual keying,
+and are ignored in automatic keying.
+Unless otherwise noted,
+for a connection to work,
+in general it is necessary for the two ends to agree exactly
+on the values of these parameters.
+A manually-keyed
+connection must specify at least one of AH or ESP.
+.TP 14
+.B spi
+(this or
+.B spibase
+required for manual keying)
+the SPI number to be used for the connection (see
+.IR ipsec_manual (8));
+must be of the form \fB0x\fIhex\fB\fR,
+where
+.I hex
+is one or more hexadecimal digits
+(note, it will generally be necessary to make
+.I spi
+at least
+.B 0x100
+to be acceptable to KLIPS,
+and use of SPIs in the range
+.BR 0x100 - 0xfff
+is recommended)
+.TP 14
+.B spibase
+(this or
+.B spi
+required for manual keying)
+the base number for the SPIs to be used for the connection (see
+.IR ipsec_manual (8));
+must be of the form \fB0x\fIhex\fB0\fR,
+where
+.I hex
+is one or more hexadecimal digits
+(note, it will generally be necessary to make
+.I spibase
+at least
+.B 0x100
+for the resulting SPIs
+to be acceptable to KLIPS,
+and use of numbers in the range
+.BR 0x100 - 0xff0
+is recommended)
+.TP
+.B esp
+ESP encryption/authentication algorithm to be used
+for the connection, e.g.
+.B 3des-md5-96
+(must be suitable as a value of
+.IR ipsec_spi (8)'s
+.B \-\-esp
+option);
+default is not to use ESP
+.TP
+.B espenckey
+ESP encryption key
+(must be suitable as a value of
+.IR ipsec_spi (8)'s
+.B \-\-enckey
+option)
+(may be specified separately for each direction using
+.B leftespenckey
+(leftward SA)
+and
+.B rightespenckey
+parameters)
+.TP
+.B espauthkey
+ESP authentication key
+(must be suitable as a value of
+.IR ipsec_spi (8)'s
+.B \-\-authkey
+option)
+(may be specified separately for each direction using
+.B leftespauthkey
+(leftward SA)
+and
+.B rightespauthkey
+parameters)
+.TP
+.B espreplay_window
+ESP replay-window setting,
+an integer from
+.B 0
+(the
+.IR ipsec_manual
+default, which turns off replay protection) to
+.BR 64 ;
+relevant only if ESP authentication is being used
+.TP
+.B leftespspi
+SPI to be used for the leftward ESP SA, overriding
+automatic assignment using
+.B spi
+or
+.BR spibase ;
+typically a hexadecimal number beginning with
+.B 0x
+.TP
+.B ah
+AH authentication algorithm to be used
+for the connection, e.g.
+.B hmac-md5-96
+(must be suitable as a value of
+.IR ipsec_spi (8)'s
+.B \-\-ah
+option);
+default is not to use AH
+.TP
+.B ahkey
+(required if
+.B ah
+is present) AH authentication key
+(must be suitable as a value of
+.IR ipsec_spi (8)'s
+.B \-\-authkey
+option)
+(may be specified separately for each direction using
+.B leftahkey
+(leftward SA)
+and
+.B rightahkey
+parameters)
+.TP
+.B ahreplay_window
+AH replay-window setting,
+an integer from
+.B 0
+(the
+.I ipsec_manual
+default, which turns off replay protection) to
+.B 64
+.TP
+.B leftahspi
+SPI to be used for the leftward AH SA, overriding
+automatic assignment using
+.B spi
+or
+.BR spibase ;
+typically a hexadecimal number beginning with
+.B 0x
+.SH "CA SECTIONS"
+This are optional sections that can be used to assign special
+parameters to a Certification Authority (CA).
+.TP 10
+.B auto
+currently can have either the value
+.B ignore
+or
+.B add
+.
+.TP
+.B cacert
+defines a path to the CA certificate either relative to
+\fI/etc/ipsec.d/cacerts\fP or as an absolute path.
+.TP
+.B crluri
+defines a CRL distribution point (ldap, http, or file URI)
+.TP
+.B crluri2
+defines an alternative CRL distribution point (ldap, http, or file URI)
+.TP
+.B ldaphost
+defines an ldap host.
+.TP
+.B ocspuri
+defines an OCSP URI.
+.SH "CONFIG SECTIONS"
+At present, the only
+.B config
+section known to the IPsec software is the one named
+.BR setup ,
+which contains information used when the software is being started
+(see
+.IR ipsec_setup (8)).
+Here's an example:
+.PP
+.ne 8
+.nf
+.ft B
+.ta 1c
+config setup
+ interfaces="ipsec0=eth1 ipsec1=ppp0"
+ klipsdebug=none
+ plutodebug=all
+ manualstart=
+.ft
+.fi
+.PP
+Parameters are optional unless marked ``(required)''.
+The currently-accepted
+.I parameter
+names in a
+.B config
+.B setup
+section are:
+.TP 14
+.B myid
+the identity to be used for
+.BR %myid .
+.B %myid
+is used in the implicit policy group conns and can be used as
+an identity in explicit conns.
+If unspecified,
+.B %myid
+is set to the IP address in \fB%defaultroute\fP (if that is supported by a TXT record in its reverse domain), or otherwise
+the system's hostname (if that is supported by a TXT record in its forward domain), or otherwise it is undefined.
+An explicit value generally starts with ``\fB@\fP''.
+.TP
+.B interfaces
+virtual and physical interfaces for IPsec to use:
+a single
+\fIvirtual\fB=\fIphysical\fR pair, a (quoted!) list of pairs separated
+by white space, or
+.BR %none .
+One of the pairs may be written as
+.BR %defaultroute ,
+which means: find the interface \fId\fR that the default route points to,
+and then act as if the value was ``\fBipsec0=\fId\fR''.
+.B %defaultroute
+is the default;
+.B %none
+must be used to denote no interfaces.
+If
+.B %defaultroute
+is used (implicitly or explicitly)
+information about the default route and its interface is noted for
+use by
+.IR ipsec_manual (8)
+and
+.IR ipsec_auto (8).)
+.TP
+.B forwardcontrol
+whether
+.I setup
+should turn IP forwarding on
+(if it's not already on) as IPsec is started,
+and turn it off again (if it was off) as IPsec is stopped;
+acceptable values are
+.B yes
+and (the default)
+.BR no .
+For this to have full effect, forwarding must be
+disabled before the hardware interfaces are brought
+up (e.g.,
+.B "net.ipv4.ip_forward\ =\ 0"
+in Red Hat 6.x
+.IR /etc/sysctl.conf ),
+because IPsec doesn't get control early enough to do that.
+.TP
+.B rp_filter
+whether and how
+.I setup
+should adjust the reverse path filtering mechanism for the
+physical devices to be used.
+Values are \fB%unchanged\fP (to leave it alone)
+or \fB0\fP, \fB1\fP, \fB2\fP (values to set it to).
+\fI/proc/sys/net/ipv4/conf/PHYS/rp_filter\fP
+is badly documented; it must be \fB0\fP in many cases
+for ipsec to function.
+The default value for the parameter is \fB0\fP.
+.TP
+.B syslog
+the
+.IR syslog (2)
+``facility'' name and priority to use for
+startup/shutdown log messages,
+default
+.BR daemon.error .
+.TP
+.B klipsdebug
+how much KLIPS debugging output should be logged.
+An empty value,
+or the magic value
+.BR none ,
+means no debugging output (the default).
+The magic value
+.B all
+means full output.
+Otherwise only the specified types of output
+(a quoted list, names separated by white space) are enabled;
+for details on available debugging types, see
+.IR ipsec_klipsdebug (8).
+.TP
+.B plutodebug
+how much Pluto debugging output should be logged.
+An empty value,
+or the magic value
+.BR none ,
+means no debugging output (the default).
+The magic value
+.B all
+means full output.
+Otherwise only the specified types of output
+(a quoted list, names without the
+.B \-\-debug\-
+prefix,
+separated by white space) are enabled;
+for details on available debugging types, see
+.IR ipsec_pluto (8).
+.TP
+.B plutoopts
+additional options to pass to pluto upon startup. See
+.IR ipsec_pluto (8).
+.TP
+.B plutostderrlog
+do not use syslog, but rather log to stderr, and direct stderr to the
+argument file.
+.TP
+.B dumpdir
+in what directory should things started by
+.I setup
+(notably the Pluto daemon) be allowed to
+dump core?
+The empty value (the default) means they are not
+allowed to.
+.TP
+.B manualstart
+which manually-keyed connections to set up at startup
+(empty, a name, or a quoted list of names separated by white space);
+see
+.IR ipsec_manual (8).
+Default is none.
+.TP
+.B pluto
+whether to start Pluto or not;
+Values are
+.B yes
+(the default)
+or
+.B no
+(useful only in special circumstances).
+.TP
+.B plutowait
+should Pluto wait for each
+negotiation attempt that is part of startup to
+finish before proceeding with the next?
+Values are
+.B yes
+or
+.BR no
+(the default).
+.TP
+.B prepluto
+shell command to run before starting Pluto
+(e.g., to decrypt an encrypted copy of the
+.I ipsec.secrets
+file).
+It's run in a very simple way;
+complexities like I/O redirection are best hidden within a script.
+Any output is redirected for logging,
+so running interactive commands is difficult unless they use
+.I /dev/tty
+or equivalent for their interaction.
+Default is none.
+.TP
+.B postpluto
+shell command to run after starting Pluto
+(e.g., to remove a decrypted copy of the
+.I ipsec.secrets
+file).
+It's run in a very simple way;
+complexities like I/O redirection are best hidden within a script.
+Any output is redirected for logging,
+so running interactive commands is difficult unless they use
+.I /dev/tty
+or equivalent for their interaction.
+Default is none.
+.TP
+.B fragicmp
+whether a tunnel's need to fragment a packet should be reported
+back with an ICMP message,
+in an attempt to make the sender lower his PMTU estimate;
+acceptable values are
+.B yes
+(the default)
+and
+.BR no .
+.TP
+.B hidetos
+whether a tunnel packet's TOS field should be set to
+.B 0
+rather than copied from the user packet inside;
+acceptable values are
+.B yes
+(the default)
+and
+.BR no .
+.TP
+.B uniqueids
+whether a particular participant ID should be kept unique,
+with any new (automatically keyed)
+connection using an ID from a different IP address
+deemed to replace all old ones using that ID;
+acceptable values are
+.B yes
+(the default)
+and
+.BR no .
+Participant IDs normally \fIare\fR unique,
+so a new (automatically-keyed) connection using the same ID is
+almost invariably intended to replace an old one.
+.TP
+.B overridemtu
+value that the MTU of the ipsec\fIn\fR interface(s) should be set to,
+overriding IPsec's (large) default.
+This parameter is needed only in special situations.
+.TP
+.B nat_traversal
+.TP
+.B crlcheckinterval
+.TP
+.B strictcrlpolicy
+.TP
+.B pkcs11module
+.TP
+.B pkcs11keepstate
+
+.SH CHOOSING A CONNECTION
+.PP
+When choosing a connection to apply to an outbound packet caught with a
+.BR %trap,
+the system prefers the one with the most specific eroute that
+includes the packet's source and destination IP addresses.
+Source subnets are examined before destination subnets.
+For initiating, only routed connections are considered. For responding,
+unrouted but added connections are considered.
+.PP
+When choosing a connection to use to respond to a negotiation which
+doesn't match an ordinary conn, an opportunistic connection
+may be instantiated. Eventually, its instance will be /32 -> /32, but
+for earlier stages of the negotiation, there will not be enough
+information about the client subnets to complete the instantiation.
+.SH FILES
+.nf
+/etc/ipsec.conf
+/etc/ipsec.d/cacerts
+/etc/ipsec.d/certs
+/etc/ipsec.d/crls
+/etc/ipsec.d/aacerts
+/etc/ipsec.d/acerts
+
+.SH SEE ALSO
+ipsec(8), ipsec_ttoaddr(8), ipsec_auto(8), ipsec_manual(8), ipsec_rsasigkey(8)
+.SH HISTORY
+Written for the FreeS/WAN project
+
+by Henry Spencer. Extended for the strongSwan project
+
+by Andreas Steffen.
+.SH BUGS
+.PP
+When
+.B type
+or
+.B failureshunt
+is set to
+.B drop
+or
+.BR reject,
+strongSwan blocks outbound packets using eroutes, but assumes inbound
+blocking is handled by the firewall. strongSwan offers firewall hooks
+via an ``updown'' script. However, the default
+.B ipsec _updown
+provides no help in controlling a modern firewall.
+.PP
+Including attributes of the keying channel
+(authentication methods,
+.BR ikelifetime ,
+etc.)
+as an attribute of a connection,
+rather than of a participant pair, is dubious and incurs limitations.
+.PP
+.IR Ipsec_manual
+is not nearly as generous about the syntax of subnets,
+addresses, etc. as the usual strongSwan user interfaces.
+Four-component dotted-decimal must be used for all addresses.
+It
+.I is
+smart enough to translate bit-count netmasks to dotted-decimal form.
+.PP
+It would be good to have a line-continuation syntax,
+especially for the very long lines involved in
+RSA signature keys.
+.PP
+The ability to specify different identities,
+.BR authby ,
+and public keys for different automatic-keyed connections
+between the same participants is misleading;
+this doesn't work dependably because the identity of the participants
+is not known early enough.
+This is especially awkward for the ``Road Warrior'' case,
+where the remote IP address is specified as
+.BR 0.0.0.0 ,
+and that is considered to be the ``participant'' for such connections.
+.PP
+In principle it might be necessary to control MTU on an
+interface-by-interface basis,
+rather than with the single global override that
+.B overridemtu
+provides.
+.PP
+A number of features which \fIcould\fR be implemented in
+both manual and automatic keying
+actually are not yet implemented for manual keying.
+This is unlikely to be fixed any time soon.
+.PP
+If conns are to be added before DNS is available,
+\fBleft=\fP\fIFQDN\fP,
+\fBleftnextop=\fP\fIFQDN\fP,
+and
+.B leftrsasigkey=%dnsonload
+will fail.
+.IR ipsec_pluto (8)
+does not actually use the public key for our side of a conn but it
+isn't generally known at a add-time which side is ours (Road Warrior
+and Opportunistic conns are currently exceptions).
+.PP
+The \fBmyid\fP option does not affect explicit \fB ipsec auto \-\-add\fP or \fBipsec auto \-\-replace\fP commands for implicit conns.
diff --git a/programs/_confread/ipsec.conf.in b/programs/_confread/ipsec.conf.in
new file mode 100644
index 000000000..296986459
--- /dev/null
+++ b/programs/_confread/ipsec.conf.in
@@ -0,0 +1,44 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+# RCSID $Id: ipsec.conf.in,v 1.7 2006/01/31 13:09:10 as Exp $
+
+# Manual: ipsec.conf.5
+# Help: http://www.strongswan.org/docs/readme.htm
+
+version 2.0 # conforms to second version of ipsec.conf specification
+
+# basic configuration
+
+config setup
+ # Debug-logging controls: "none" for (almost) none, "all" for lots.
+ # plutodebug=all
+ # crlcheckinterval=600
+ # strictcrlpolicy=yes
+ # cachecrls=yes
+ # nat_traversal=yes
+
+# Uncomment to activate Opportunistic Encryption (OE)
+# include /etc/ipsec.d/examples/oe.conf
+
+# Add connections here.
+
+# Sample VPN connections
+
+#conn sample-self-signed
+# left=%defaultroute
+# leftsubnet=10.1.0.0/16
+# leftcert=selfCert.der
+# leftsendcert=never
+# right=192.168.0.2
+# rightsubnet=10.2.0.0/16
+# rightcert=peerCert.der
+# auto=start
+
+#conn sample-with-ca-cert
+# left=%defaultroute
+# leftsubnet=10.1.0.0/16
+# leftcert=myCert.pem
+# right=192.168.0.2
+# rightsubnet=10.2.0.0/16
+# rightid="C=CH, O=Linux strongSwan CN=peer name"
+# auto=start
diff --git a/programs/_confread/private-or-clear.in b/programs/_confread/private-or-clear.in
new file mode 100644
index 000000000..c66b1d29f
--- /dev/null
+++ b/programs/_confread/private-or-clear.in
@@ -0,0 +1,14 @@
+# This file defines the set of CIDRs (network/mask-length) to which
+# communication should be private, if possible, but in the clear otherwise.
+#
+# If the target has a TXT (later IPSECKEY) record that specifies
+# authentication material, we will require private (i.e. encrypted)
+# communications. If no such record is found, communications will be
+# in the clear.
+#
+# See @FINALDOCDIR@/policygroups.html for details.
+#
+# $Id: private-or-clear.in,v 1.1 2004/03/15 20:35:27 as Exp $
+#
+
+0.0.0.0/0
diff --git a/programs/_confread/private.in b/programs/_confread/private.in
new file mode 100644
index 000000000..9d4bd6c67
--- /dev/null
+++ b/programs/_confread/private.in
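Review bot: The `rightid="C=CH, O=Linux strongSwan CN=peer name"` line in the sample-with-ca-cert conn looks like it is missing the comma between the O and CN attributes, so the organisation value would presumably be read as `Linux strongSwan CN=peer name` and the configured identity would not match a certificate subject written as three attributes; `rightid="C=CH, O=Linux strongSwan, CN=peer name"` is most likely what was intended. The template also uses `leftsendcert=never` and `cachecrls=yes`, neither of which has an entry in the ipsec.conf.5 page added by this same commit, so a short description of each in the conn and config setup parameter lists would keep the template and the manual in step. The `# strictcrlpolicy=yes` line is the only place a reader meets that option, since its manual entry is an empty `.TP` heading; a one-line comment here stating what the commented-out value changes relative to the default would help the reader decide whether to enable it.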
@@ -0,0 +1,6 @@
+# This file defines the set of CIDRs (network/mask-length) to which
+# communication should always be private (i.e. encrypted).
+# See @FINALDOCDIR@/policygroups.html for details.
+#
+# $Id: private.in,v 1.1 2004/03/15 20:35:27 as Exp $
+#
diff --git a/programs/_confread/randomize b/programs/_confread/randomize
new file mode 100755
index 000000000..26d80a8f3
--- /dev/null
+++ b/programs/_confread/randomize
@@ -0,0 +1,28 @@
+#! /bin/sh
+# internal utility for putting random keys into sample configuration file
+# Copyright (C) 1998, 1999 Henry Spencer.
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version. See .
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# for more details.
+#
+# RCSID $Id: randomize,v 1.1 2004/03/15 20:35:27 as Exp $
+
+awk '/`[0-9]+`/ {
+ match($0, /`[0-9]+`/)
+ n = substr($0, RSTART+1, RLENGTH-2)
+ cmd = "./ranbits --quick " n
+ cmd | getline key
+ cmd | getline eof
+ close(cmd)
+ sub(/`[0-9]+`/, key, $0)
+ print
+ next
+}
+{ print }' $*
diff --git a/programs/_copyright/.cvsignore b/programs/_copyright/.cvsignore
new file mode 100644
index 000000000..23ebcb381
--- /dev/null
+++ b/programs/_copyright/.cvsignore
@@ -0,0 +1 @@
+_copyright
diff --git a/programs/_copyright/Makefile b/programs/_copyright/Makefile
new file mode 100644
index 000000000..52c594b68
--- /dev/null
+++ b/programs/_copyright/Makefile
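Review bot: The result of `cmd | getline key` in the randomize script is never checked, so if `./ranbits --quick` cannot be started (it is a relative path resolved against the caller's working directory, not the script's own location) `key` stays empty and the `sub()` on the next lines quietly replaces the placeholder with nothing, leaving a sample configuration with a blank key; `if ((cmd | getline key) <= 0) { print "randomize: ranbits failed" > "/dev/stderr"; exit 1 }` would turn that into a hard failure. The unquoted `$*` on the last line word-splits and glob-expands the file arguments, so `{ print }' "$@"` is the safer form. A one-line comment above the awk program saying that the backquoted number is the requested key length in bits passed to ranbits would save the next reader a lookup, if that is indeed what the argument means.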
@@ -0,0 +1,44 @@
+# Makefile for miscelaneous programs
+# Copyright (C) 2002 Michael Richardson
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version. See .
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# for more details.
+#
+# RCSID $Id: Makefile,v 1.1 2004/03/15 20:35:27 as Exp $
+
+FREESWANSRCDIR=../..
+include ${FREESWANSRCDIR}/Makefile.inc
+
+PROGRAM=_copyright
+PROGRAMDIR=${LIBDIR}
+LIBS=${FREESWANLIB}
+
+include ../Makefile.program
+
+#
+# $Log: Makefile,v $
+# Revision 1.1 2004/03/15 20:35:27 as
+# added files from freeswan-2.04-x509-1.5.3
+#
+# Revision 1.3 2002/08/02 16:01:07 mcr
+# moved user visible programs to $PREFIX/libexec, while moving
+# private files to $PREFIX/lib.
+#
+# Revision 1.2 2002/06/02 22:02:14 mcr
+# changed TOPDIR->FREESWANSRCDIR in all Makefiles.
+# (note that linux/net/ipsec/Makefile uses TOPDIR because this is the
+# kernel sense.)
+#
+# Revision 1.1 2002/04/24 07:55:32 mcr
+# #include patches and Makefiles for post-reorg compilation.
+#
+#
+#
+
diff --git a/programs/_copyright/_copyright.8 b/programs/_copyright/_copyright.8
new file mode 100644
index 000000000..87e4adc98
--- /dev/null
+++ b/programs/_copyright/_copyright.8
@@ -0,0 +1,32 @@ +.TH _COPYRIGHT 8 "25 Apr 2002" +.\" +.\" RCSID $Id: _copyright.8,v 1.1 2004/03/15 20:35:27 as Exp $ +.\" +.SH NAME +ipsec _copyright \- prints FreeSWAN copyright +.SH DESCRIPTION +.I _copyright +outputs the FreeSWAN copyright, and version numbers for "ipsec --copyright" +.SH "SEE ALSO" +ipsec(8) +.SH HISTORY +Man page written for the Linux FreeS/WAN project + +by Michael Richardson. Program written by Henry Spencer. +.\" +.\" $Log: _copyright.8,v $ +.\" Revision 1.1 2004/03/15 20:35:27 as +.\" added files from freeswan-2.04-x509-1.5.3 +.\" +.\" Revision 1.2 2002/04/29 22:39:31 mcr +.\" added basic man page for all internal commands. +.\" +.\" Revision 1.1 2002/04/26 01:21:43 mcr +.\" while tracking down a missing (not installed) /etc/ipsec.conf, +.\" MCR has decided that it is not okay for each program subdir to have +.\" some subset (determined with -f) of possible files. +.\" Each subdir that defines $PROGRAM, MUST have a PROGRAM.8 file as well as a PROGRAM file. +.\" Optional PROGRAM.5 files have been added to the makefiles. +.\" +.\" +.\" diff --git a/programs/_copyright/_copyright.c b/programs/_copyright/_copyright.c new file mode 100644 index 000000000..0fb360f40 --- /dev/null +++ b/programs/_copyright/_copyright.c 
@@ -0,0 +1,69 @@
+/*
+ * copyright reporter
+ * (just avoids having the info in more than one place in the source)
+ * Copyright (C) 2001 Henry Spencer.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: _copyright.c,v 1.1 2004/03/15 20:35:27 as Exp $
+ */
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+char usage[] = "Usage: ipsec _copyright";
+struct option opts[] = {
+ {"help", 0, NULL, 'h',},
+ {"version", 0, NULL, 'v',},
+ {0, 0, NULL, 0, },
+};
+
+char me[] = "ipsec _copyright"; /* for messages */
+
+int
+main(int argc, char *argv[])
+{
+ int opt;
+ extern int optind;
+ int errflg = 0;
+ const char *version = ipsec_version_code();
+ const char **notice = ipsec_copyright_notice();
+ const char **co;
+
+ while ((opt = getopt_long(argc, argv, "", opts, NULL)) != EOF)
+ switch (opt) {
+ case 'h': /* help */
+ printf("%s\n", usage);
+ exit(0);
+ break;
+ case 'v': /* version */
+ printf("%s %s\n", me, version);
+ exit(0);
+ break;
+ case '?':
+ default:
+ errflg = 1;
+ break;
+ }
+ if (errflg || optind != argc) {
+ fprintf(stderr, "%s\n", usage);
+ exit(2);
+ }
+
+ for (co = notice; *co != NULL; co++)
+ printf("%s\n", *co);
+ exit(0);
+}
diff --git a/programs/_include/.cvsignore b/programs/_include/.cvsignore
new file mode 100644
index 000000000..ab6204115
--- /dev/null
+++ b/programs/_include/.cvsignore
@@ -0,0 +1 @@
+_include
diff --git a/programs/_include/Makefile b/programs/_include/Makefile
new file mode 100644
index 000000000..6b5f11682
--- /dev/null
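Review bot: The option loop `while ((opt = getopt_long(argc, argv, "", opts, NULL)) != EOF)` tests against the stdio constant `EOF`, but getopt_long signals the end of options by returning -1; the two happen to coincide on common libcs, yet `EOF` is only guaranteed to be some negative integer, so `!= -1` is the contract and should be written as such. The `extern int optind;` inside `main` duplicates a declaration the getopt header already provides (the `#include` targets are not visible in this rendering, so this is inferred) and can go. The `break;` after each `exit(0);` is unreachable, and `usage`, `me` and `opts` are written-once file-scope objects that would read better as `static const`.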
+++ b/programs/_include/Makefile @@ -0,0 +1,43 @@ +# Makefile for miscelaneous programs +# Copyright (C) 2002 Michael Richardson +# +# This program is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 2 of the License, or (at your +# option) any later version. See . +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +# for more details. +# +# RCSID $Id: Makefile,v 1.1 2004/03/15 20:35:27 as Exp $ + +FREESWANSRCDIR=../.. +include ${FREESWANSRCDIR}/Makefile.inc + +PROGRAM=_include +PROGRAMDIR=${LIBDIR} + +include ../Makefile.program + +# +# $Log: Makefile,v $ +# Revision 1.1 2004/03/15 20:35:27 as +# added files from freeswan-2.04-x509-1.5.3 +# +# Revision 1.3 2002/08/02 16:01:11 mcr +# moved user visible programs to $PREFIX/libexec, while moving +# private files to $PREFIX/lib. +# +# Revision 1.2 2002/06/02 22:02:14 mcr +# changed TOPDIR->FREESWANSRCDIR in all Makefiles. +# (note that linux/net/ipsec/Makefile uses TOPDIR because this is the +# kernel sense.) +# +# Revision 1.1 2002/04/24 07:55:32 mcr +# #include patches and Makefiles for post-reorg compilation. +# +# +# + diff --git a/programs/_include/_include.8 b/programs/_include/_include.8 new file mode 100644 index 000000000..56ffa0723 --- /dev/null +++ b/programs/_include/_include.8 
@@ -0,0 +1,35 @@ +.TH _INCLUDE 8 "25 Apr 2002" +.\" +.\" RCSID $Id: _include.8,v 1.1 2004/03/15 20:35:27 as Exp $ +.\" +.SH NAME +ipsec _include \- internal script to process config files +.SH DESCRIPTION +.I _include +is used by +.I _confread +to process +.B include +directives in /etc/ipsec.conf. +.SH "SEE ALSO" +ipsec(8), ipsec__confread(8) +.SH HISTORY +Man page written for the Linux FreeS/WAN project +by Michael Richardson. Program written by Henry Spencer. +.\" +.\" $Log: _include.8,v $ +.\" Revision 1.1 2004/03/15 20:35:27 as +.\" added files from freeswan-2.04-x509-1.5.3 +.\" +.\" Revision 1.2 2002/04/29 22:39:31 mcr +.\" added basic man page for all internal commands. +.\" +.\" Revision 1.1 2002/04/26 01:21:43 mcr +.\" while tracking down a missing (not installed) /etc/ipsec.conf, +.\" MCR has decided that it is not okay for each program subdir to have +.\" some subset (determined with -f) of possible files. +.\" Each subdir that defines $PROGRAM, MUST have a PROGRAM.8 file as well as a PROGRAM file. +.\" Optional PROGRAM.5 files have been added to the makefiles. +.\" +.\" +.\" diff --git a/programs/_include/_include.in b/programs/_include/_include.in new file mode 100755 index 000000000..10a8a49e4 --- /dev/null +++ b/programs/_include/_include.in 
@@ -0,0 +1,102 @@ +#! /bin/sh +# implements nested file inclusion for control files, including wildcarding +# Copyright (C) 1998, 1999 Henry Spencer. +# +# This program is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 2 of the License, or (at your +# option) any later version. See . +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +# for more details. +# +# RCSID $Id: _include.in,v 1.2 2004/03/15 21:03:06 as Exp $ +# +# Output includes marker lines for file changes: +# "#< filename lineno" signals entry into that file +# "#> filename lineno" signals return to that file +# The lineno is the line number of the *next* line. +# +# Errors are reported with a "#:message" line rather than on stderr. +# +# Lines which look like marker and report lines are never passed through. + +IPSEC_NAME="strongSwan" + +usage="Usage: $0 file ..." +me="ipsec _include" + +for dummy +do + case "$1" in + --inband) ;; # back compatibility + --help) echo "$usage" ; exit 0 ;; + --version) echo "$me $IPSEC_VERSION" ; exit 0 ;; + --) shift ; break ;; + -*) echo "$0: unknown option \`$1'" >&2 ; exit 2 ;; + *) break ;; + esac + shift +done + +case $# in +0) echo "$usage" >&2 ; exit 2 ;; +esac + +for f +do + if test ! -r "$f" + then + if test ! "$f" = "/etc/ipsec.conf" + then + echo "#:cannot open configuration file \'$f\'" + if test "$f" = "/etc/ipsec.secrets" + then + echo "#:Your secrets file will be created when you start $IPSEC_NAME for the first time." 
+ fi + exit 1 + else + exit 1 + fi + fi +done + +awk 'BEGIN { + wasfile = "" +} +FNR == 1 { + print "" + print "#<", FILENAME, 1 + lineno = 0 + wasfile = FILENAME +} +{ + lineno++ + # lineno is now the number of this line +} +/^#[<>:]/ { + next +} +/^include[ \t]+/ { + orig = $0 + sub(/[ \t]+#.*$/, "") + if (NF != 2) { + msg = "(" FILENAME ", line " lineno ")" + msg = msg " include syntax error in \"" orig "\"" + print "#:" msg + exit 1 + } + newfile = $2 + if (newfile !~ /^\// && FILENAME ~ /\//) { + prefix = FILENAME + sub("[^/]+$", "", prefix) + newfile = prefix newfile + } + system("ipsec _include " newfile) + print "" + print "#>", FILENAME, lineno + 1 + next +} +{ print }' $* diff --git a/programs/_keycensor/.cvsignore b/programs/_keycensor/.cvsignore new file mode 100644 index 000000000..97d0bb2bf --- /dev/null +++ b/programs/_keycensor/.cvsignore @@ -0,0 +1 @@ +_keycensor diff --git a/programs/_keycensor/Makefile b/programs/_keycensor/Makefile new file mode 100644 index 000000000..bc495328f --- /dev/null +++ b/programs/_keycensor/Makefile 
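Review bot: The `include` rule re-spawns `ipsec _include` through `system()` with no depth or cycle guard, so a file that includes itself, or two files that include each other, recurses until the process or descriptor limit is hit and the failure arrives as a flood of errors rather than the single in-band `#:` line the header promises. A depth counter passed through the environment is enough: before the `system()` call, `if (ENVIRON["IPSEC_INCLUDE_DEPTH"] + 0 > 10) { print "#:include nesting too deep in " FILENAME; exit 1 }`, and then `system("IPSEC_INCLUDE_DEPTH=" (ENVIRON["IPSEC_INCLUDE_DEPTH"] + 1) " ipsec _include " newfile)` (variable name constructed). Because `newfile` is spliced into that command unquoted, the shell expands not only the wildcards the header intends but any other metacharacters in the directive, so this script must only ever be pointed at root-owned configuration; a comment saying so next to the `system()` call would spare the next maintainer the question.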
@@ -0,0 +1,43 @@ +# Makefile for miscelaneous programs +# Copyright (C) 2002 Michael Richardson +# +# This program is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 2 of the License, or (at your +# option) any later version. See . +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +# for more details. +# +# RCSID $Id: Makefile,v 1.1 2004/03/15 20:35:27 as Exp $ + +FREESWANSRCDIR=../.. +include ${FREESWANSRCDIR}/Makefile.inc + +PROGRAM=_keycensor +PROGRAMDIR=${LIBDIR} + +include ../Makefile.program + +# +# $Log: Makefile,v $ +# Revision 1.1 2004/03/15 20:35:27 as +# added files from freeswan-2.04-x509-1.5.3 +# +# Revision 1.3 2002/08/02 16:01:15 mcr +# moved user visible programs to $PREFIX/libexec, while moving +# private files to $PREFIX/lib. +# +# Revision 1.2 2002/06/02 22:02:14 mcr +# changed TOPDIR->FREESWANSRCDIR in all Makefiles. +# (note that linux/net/ipsec/Makefile uses TOPDIR because this is the +# kernel sense.) +# +# Revision 1.1 2002/04/24 07:55:32 mcr +# #include patches and Makefiles for post-reorg compilation. +# +# +# + diff --git a/programs/_keycensor/_keycensor.8 b/programs/_keycensor/_keycensor.8 new file mode 100644 index 000000000..89a97a9f9 --- /dev/null +++ b/programs/_keycensor/_keycensor.8 
@@ -0,0 +1,33 @@ +.TH _KEYCENSOR 8 "25 Apr 2002" +.\" +.\" RCSID $Id: _keycensor.8,v 1.1 2004/03/15 20:35:27 as Exp $ +.\" +.SH NAME +ipsec _keycensor \- internal routine to remove sensitive information +.SH DESCRIPTION +.I _keycensor +is used by +.B ipsec barf +to process the /etc/ipsec.secrets file, removing private key info. +.SH "SEE ALSO" +ipsec(8), ipsec_barf(8) +.SH HISTORY +Man page written for the Linux FreeS/WAN project +by Michael Richardson. Original program by Henry Spencer. +.\" +.\" $Log: _keycensor.8,v $ +.\" Revision 1.1 2004/03/15 20:35:27 as +.\" added files from freeswan-2.04-x509-1.5.3 +.\" +.\" Revision 1.2 2002/04/29 22:39:31 mcr +.\" added basic man page for all internal commands. +.\" +.\" Revision 1.1 2002/04/26 01:21:43 mcr +.\" while tracking down a missing (not installed) /etc/ipsec.conf, +.\" MCR has decided that it is not okay for each program subdir to have +.\" some subset (determined with -f) of possible files. +.\" Each subdir that defines $PROGRAM, MUST have a PROGRAM.8 file as well as a PROGRAM file. +.\" Optional PROGRAM.5 files have been added to the makefiles. +.\" +.\" +.\" diff --git a/programs/_keycensor/_keycensor.in b/programs/_keycensor/_keycensor.in new file mode 100755 index 000000000..7d6f257e5 --- /dev/null +++ b/programs/_keycensor/_keycensor.in 
@@ -0,0 +1,52 @@ +#! /bin/sh +# implements key censoring for barf +# Copyright (C) 1999, 2002 Henry Spencer. +# +# This program is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 2 of the License, or (at your +# option) any later version. See . +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +# for more details. +# +# RCSID $Id: _keycensor.in,v 1.1 2004/03/15 20:35:27 as Exp $ + +usage="Usage: $0 [file ...]" +me="ipsec _keycensor" + +for dummy +do + case "$1" in + --help) echo "$usage" ; exit 0 ;; + --version) echo "$me $IPSEC_VERSION" ; exit 0 ;; + --) shift ; break ;; + -*) echo "$0: unknown option \`$1'" >&2 ; exit 2 ;; + *) break ;; + esac + shift +done + +awk ' /(sig|enc|auth)key[ \t]*=[ \t]*[^%]/ { + i = match($0, /key[ \t]*=[ \t]*/) + i += RLENGTH + cold = substr($0, 1, i-1) + hot = substr($0, i) + sub(/[ \t]+(#.*)?$/, "", hot) + q = "'"'"'" # single quote + if (hot ~ q) + cooled = "[cannot be condensed]" + else if (hot ~ /^0s/) + cooled = "[keyid " substr(hot, 3, 9) "]" + else { + run = "echo " q hot q " | md5sum" + run | getline + close(run) + cooled = "[sums to " substr($1, 1, 4) "...]" + } + print cold cooled + next + } + { print }' $* diff --git a/programs/_plutoload/.cvsignore b/programs/_plutoload/.cvsignore new file mode 100644 index 000000000..cbcf7e699 --- /dev/null +++ b/programs/_plutoload/.cvsignore @@ -0,0 +1 @@ +_plutoload diff --git a/programs/_plutoload/Makefile b/programs/_plutoload/Makefile new file mode 100644 index 000000000..af9ffee18 --- /dev/null +++ b/programs/_plutoload/Makefile 
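Review bot: In the fallback branch, `run = "echo " q hot q " | md5sum"` places the raw key value — the very thing this script exists to keep out of a barf report — on a shell command line, where it is visible to `ps`, process accounting and any shell tracing for as long as `md5sum` runs; the single-quote test above only stops the value from breaking out of the quoting, it does nothing about this exposure. Since the fingerprint only serves to tell keys apart in a report, the cheapest fix is to drop it and print a fixed `[key withheld]`; if a fingerprint is wanted, the value should reach the digest command on stdin (a gawk coprocess via `|&`, if gawk can be assumed) rather than in argv. `echo` also treats a leading `-n`/`-e` or backslash sequences differently across shells, so the four-character prefix is not even a stable identifier between hosts; `printf '%s'` would be predictable if the fingerprint is kept.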
@@ -0,0 +1,43 @@ +# Makefile for miscelaneous programs +# Copyright (C) 2002 Michael Richardson +# +# This program is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 2 of the License, or (at your +# option) any later version. See . +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +# for more details. +# +# RCSID $Id: Makefile,v 1.1 2004/03/15 20:35:27 as Exp $ + +FREESWANSRCDIR=../.. +include ${FREESWANSRCDIR}/Makefile.inc + +PROGRAM=_plutoload +PROGRAMDIR=${LIBDIR} + +include ../Makefile.program + +# +# $Log: Makefile,v $ +# Revision 1.1 2004/03/15 20:35:27 as +# added files from freeswan-2.04-x509-1.5.3 +# +# Revision 1.3 2002/08/02 16:01:19 mcr +# moved user visible programs to $PREFIX/libexec, while moving +# private files to $PREFIX/lib. +# +# Revision 1.2 2002/06/02 22:02:14 mcr +# changed TOPDIR->FREESWANSRCDIR in all Makefiles. +# (note that linux/net/ipsec/Makefile uses TOPDIR because this is the +# kernel sense.) +# +# Revision 1.1 2002/04/24 07:55:32 mcr +# #include patches and Makefiles for post-reorg compilation. +# +# +# + diff --git a/programs/_plutoload/_plutoload.8 b/programs/_plutoload/_plutoload.8 new file mode 100644 index 000000000..ba421b6c3 --- /dev/null +++ b/programs/_plutoload/_plutoload.8 
@@ -0,0 +1,33 @@ +.TH _PLUTOLOAD 8 "25 Apr 2002" +.\" +.\" RCSID $Id: _plutoload.8,v 1.1 2004/03/15 20:35:27 as Exp $ +.\" +.SH NAME +ipsec _plutoload \- internal script to start pluto +.SH DESCRIPTION +.I _plutoload +is called by +.B _plutorun +to actually start the pluto executable. +.SH "SEE ALSO" +ipsec(8), ipsec_setup(8), ipsec__realsetup(8), ipsec__plutorun(8) +.SH HISTORY +Man page written for the Linux FreeS/WAN project +by Michael Richardson. Original program by Henry Spencer. +.\" +.\" $Log: _plutoload.8,v $ +.\" Revision 1.1 2004/03/15 20:35:27 as +.\" added files from freeswan-2.04-x509-1.5.3 +.\" +.\" Revision 1.2 2002/04/29 22:39:31 mcr +.\" added basic man page for all internal commands. +.\" +.\" Revision 1.1 2002/04/26 01:21:43 mcr +.\" while tracking down a missing (not installed) /etc/ipsec.conf, +.\" MCR has decided that it is not okay for each program subdir to have +.\" some subset (determined with -f) of possible files. +.\" Each subdir that defines $PROGRAM, MUST have a PROGRAM.8 file as well as a PROGRAM file. +.\" Optional PROGRAM.5 files have been added to the makefiles. +.\" +.\" +.\" diff --git a/programs/_plutoload/_plutoload.in b/programs/_plutoload/_plutoload.in new file mode 100755 index 000000000..73841197d --- /dev/null +++ b/programs/_plutoload/_plutoload.in 
@@ -0,0 +1,164 @@ +#!/bin/sh +# Pluto database-loading script +# Copyright (C) 1998, 1999, 2001 Henry Spencer. +# +# This program is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 2 of the License, or (at your +# option) any later version. See . +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +# for more details. +# +# RCSID $Id: _plutoload.in,v 1.2 2004/03/31 16:15:10 as Exp $ +# +# exit status is 13 for protocol violation, that of Pluto otherwise + +me='ipsec _plutoload' # for messages + +for dummy +do + case "$1" in + --load) plutoload="$2" ; shift ;; + --start) plutostart="$2" ; shift ;; + --wait) plutowait="$2" ; shift ;; + --post) postpluto="$2" ; shift ;; + --) shift ; break ;; + -*) echo "$me: unknown option \`$1'" >&2 ; exit 2 ;; + *) break ;; + esac + shift +done + +# load ca information +eval `ipsec _confread --varprefix PLUTO --type ca --search auto add start` +if test " $PLUTO_confreadstatus" != " " +then + echo "auto=add/start search: $PLUTO_confreadstatus" + echo "unable to determine what ca information to add -- adding none" + caload= +else + caload="$PLUTO_confreadnames" +fi + +# searches, if needed +# the way the searches were done ensures plutoload >= plutoroute >= plutostart + +# search for things to "ipsec auto --add": auto in "add" "route" "start" +eval `ipsec _confread --varprefix PLUTO --search auto add route start` +if test " $PLUTO_confreadstatus" != " " +then + echo "auto=add/route/start search: $PLUTO_confreadstatus" + echo "unable to determine what conns to add -- adding none" + plutoload= +else + plutoload="$PLUTO_confreadnames" +fi + +# search for things to "ipsec auto --route": auto in "route" "start" +eval `ipsec _confread 
--varprefix PLUTO --search auto route start` +if test " $PLUTO_confreadstatus" != " " +then + echo "auto=route/start search: $PLUTO_confreadstatus" + echo "unable to determine what conns to route -- routing none" + plutoroute= +else + plutoroute="$PLUTO_confreadnames" +fi + +# search for things to "ipsec auto --up": auto in "start" +eval `ipsec _confread --varprefix PLUTO --search auto start` +if test " $PLUTO_confreadstatus" != " " +then + echo "auto=start search: $PLUTO_confreadstatus" + echo "unable to determine what conns to start -- starting none" + plutostart= +else + plutostart="$PLUTO_confreadnames" +fi + +# await Pluto's readiness (not likely to be an issue, but...) +eofed=y +while read saying +do + case "$saying" in + 'Pluto initialized') eofed= ; break ;; # NOTE BREAK OUT + *) echo "pluto unexpectedly said \`$saying'" ;; + esac +done +if test "$eofed" +then + echo "pluto died unexpectedly!?!" + exit 13 +fi + +# ca database load +for tu in $caload +do + ipsec auto --type ca --add $tu || + echo "...could not add ca \"$tu\"" +done + +# conn database load +for tu in $plutoload +do + ipsec auto --add $tu || + echo "...could not add conn \"$tu\"" +done + +# enable listening +ipsec auto --ready + +# execute any post-startup cleanup +if test " $postpluto" != " " +then + $postpluto + st=$? 
+ if test " $st" -ne 0 + then + echo "...postpluto command exited with status $st" + fi +fi + +# quickly establish routing +for tu in $plutoroute +do + ipsec auto --route $tu || + echo "...could not route conn \"$tu\"" +done + +# tunnel initiation, which may take a while +async= +if test " $plutowait" = " no" +then + async="--asynchronous" +fi +for tu in $plutostart +do + ipsec auto --up $async $tu || + echo "...could not start conn \"$tu\"" +done + +# report any further utterances, and watch for exit status +eofed=y +while read saying +do + case "$saying" in + exit) eofed= ; break ;; # NOTE BREAK OUT + *) echo "pluto unexpectedly says \`$saying'" ;; + esac +done +if test "$eofed" +then + echo "pluto died without exit status!?!" + exit 13 +fi +if read status +then + exit $status +else + echo "pluto yielded no exit status!?!" + exit 13 +fi diff --git a/programs/_plutorun/.cvsignore b/programs/_plutorun/.cvsignore new file mode 100644 index 000000000..13e0ae1a1 --- /dev/null +++ b/programs/_plutorun/.cvsignore @@ -0,0 +1 @@ +_plutorun diff --git a/programs/_plutorun/Makefile b/programs/_plutorun/Makefile new file mode 100644 index 000000000..b0928797c --- /dev/null +++ b/programs/_plutorun/Makefile 
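Review bot: The readiness loop near the top of this hunk treats every line other than `Pluto initialized` as an unexpected utterance, including the `exit` marker and the status line that `_plutorun` writes when pluto terminates early; a pluto that dies during startup (bad option, unreadable secrets file) therefore ends in `pluto died unexpectedly!?!` with status 13, which `_plutorun` then reports as `internal failure in pluto scripts` and refuses to restart, while the real exit status was only echoed as a stray line. Recognising the marker in the first loop as well — `exit) read status; echo "pluto exited during startup with status $status"; exit ${status:-13} ;;` — lets the caller see the real cause and apply its normal restart policy. The `if test " $st" -ne 0` checks here and in `_plutorun.in` mix the string-padding idiom with an integer comparison; `test "$st" -ne 0` is what is meant, and the leading space only works because the shell's `test` happens to tolerate it.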
@@ -0,0 +1,43 @@ +# Makefile for miscelaneous programs +# Copyright (C) 2002 Michael Richardson +# +# This program is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 2 of the License, or (at your +# option) any later version. See . +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +# for more details. +# +# RCSID $Id: Makefile,v 1.1 2004/03/15 20:35:27 as Exp $ + +FREESWANSRCDIR=../.. +include ${FREESWANSRCDIR}/Makefile.inc + +PROGRAM=_plutorun +PROGRAMDIR=${LIBDIR} + +include ../Makefile.program + +# +# $Log: Makefile,v $ +# Revision 1.1 2004/03/15 20:35:27 as +# added files from freeswan-2.04-x509-1.5.3 +# +# Revision 1.3 2002/08/02 16:01:26 mcr +# moved user visible programs to $PREFIX/libexec, while moving +# private files to $PREFIX/lib. +# +# Revision 1.2 2002/06/02 22:02:14 mcr +# changed TOPDIR->FREESWANSRCDIR in all Makefiles. +# (note that linux/net/ipsec/Makefile uses TOPDIR because this is the +# kernel sense.) +# +# Revision 1.1 2002/04/24 07:55:32 mcr +# #include patches and Makefiles for post-reorg compilation. +# +# +# + diff --git a/programs/_plutorun/_plutorun.8 b/programs/_plutorun/_plutorun.8 new file mode 100644 index 000000000..9de6927dc --- /dev/null +++ b/programs/_plutorun/_plutorun.8 
@@ -0,0 +1,37 @@ +.TH _PLUTORUN 8 "25 Apr 2002" +.\" +.\" RCSID $Id: _plutorun.8,v 1.1 2004/03/15 20:35:27 as Exp $ +.\" +.SH NAME +ipsec _plutorun \- internal script to start pluto +.SH DESCRIPTION +.I _plutorun +is called by +.B _realsetup +to configure and bring up +.B ipsec_pluto(8). +It calls +.B _plutoload +to invoke pluto, and watches to makes sure that pluto is restarted if it fails. +.SH "SEE ALSO" +ipsec(8), ipsec_setup(8), ipsec__realsetup(8), ipsec__plutoload(8), ipsec_pluto(8). +.SH HISTORY +Man page written for the Linux FreeS/WAN project +by Michael Richardson. Original program written by Henry Spencer. +.\" +.\" $Log: _plutorun.8,v $ +.\" Revision 1.1 2004/03/15 20:35:27 as +.\" added files from freeswan-2.04-x509-1.5.3 +.\" +.\" Revision 1.2 2002/04/29 22:39:31 mcr +.\" added basic man page for all internal commands. +.\" +.\" Revision 1.1 2002/04/26 01:21:43 mcr +.\" while tracking down a missing (not installed) /etc/ipsec.conf, +.\" MCR has decided that it is not okay for each program subdir to have +.\" some subset (determined with -f) of possible files. +.\" Each subdir that defines $PROGRAM, MUST have a PROGRAM.8 file as well as a PROGRAM file. +.\" Optional PROGRAM.5 files have been added to the makefiles. +.\" +.\" +.\" diff --git a/programs/_plutorun/_plutorun.in b/programs/_plutorun/_plutorun.in new file mode 100755 index 000000000..b02afeefb --- /dev/null +++ b/programs/_plutorun/_plutorun.in 
@@ -0,0 +1,281 @@ +#!/bin/sh +# Pluto control daemon +# Copyright (C) 1998, 1999, 2001 Henry Spencer. +# +# This program is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 2 of the License, or (at your +# option) any later version. See . +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +# for more details. +# +# RCSID $Id: _plutorun.in,v 1.9 2005/10/16 13:28:15 as Exp $ + +me='ipsec _plutorun' # for messages + +info=/var/run/ipsec.info + +popts= +stderrlog= +plutorestartoncrash=true + +wherelog=daemon.error +pidfile=/var/run/pluto.pid +verb="Starting" +for dummy +do + case "$1" in + --re) verb="Restarting" ;; + --plutorestartoncrash) plutorestartoncrash="$2"; shift ;; + --debug) plutodebug="$2" ; shift ;; + --uniqueids) uniqueids="$2" ; shift ;; + --nat_traversal) nat_traversal="$2" ; shift ;; + --keep_alive) keep_alive="$2" ; shift ;; + --force_keepalive) force_keepalive="$2" ; shift ;; + --disable_port_floating) disable_port_floating="$2" ; shift ;; + --virtual_private) virtual_private="$2" ; shift ;; + --nocrsend) nocrsend="$2" ; shift ;; + --strictcrlpolicy) strictcrlpolicy="$2" ; shift ;; + --crlcheckinterval) crlcheckinterval="$2"; shift ;; + --cachecrls) cachecrls="$2" ; shift ;; + --pkcs11module) pkcs11module="$2"; shift ;; + --pkcs11keepstate) pkcs11keepstate="$2"; shift ;; + --pkcs11proxy) pkcs11proxy="$2"; shift ;; + --dump) dumpdir="$2" ; shift ;; + --opts) popts="$2" ; shift ;; + --stderrlog) stderrlog="$2" ; shift ;; + --wait) plutowait="$2" ; shift ;; + --pre) prepluto="$2" ; shift ;; + --post) postpluto="$2" ; shift ;; + --log) wherelog="$2" ; shift ;; + --pid) pidfile="$2" ; shift ;; + --) shift ; break ;; + -*) echo "$me: unknown option \`$1'" >&2 ; 
exit 2 ;; + *) break ;; + esac + shift +done + +# initially we are in the foreground, with parent looking after logging + +# precautions +if test -f $pidfile +then + echo "pluto appears to be running already (\`$pidfile' exists), will not start another" + exit 1 +fi +if test ! -e /dev/urandom +then + echo "cannot start Pluto, system lacks \`/dev/urandom'!?!" + exit 1 +fi + +# sort out options +for d in $plutodebug +do + popts="$popts --debug-$d" +done +case "$uniqueids" in +yes) popts="$popts --uniqueids" ;; +no|'') ;; +*) echo "unknown uniqueids value (not yes/no) \`$IPSECuniqueids'" ;; +esac +case "$nocrsend" in +yes) popts="$popts --nocrsend" ;; +no|'') ;; +*) echo "unknown nocrsend value (not yes/no) \`$IPSECnocrsend'" ;; +esac +case "$strictcrlpolicy" in +yes) popts="$popts --strictcrlpolicy" ;; +no|'') ;; +*) echo "unknown strictcrlpolicy value (not yes/no) \`$IPSECstrictcrlpolicy'" ;; +esac +case "$cachecrls" in +yes) popts="$popts --cachecrls" ;; +no|'') ;; +*) echo "unknown cachecrls value (not yes/no) \`$IPSECcachecrls'" ;; +esac +case "$nat_traversal" in +yes) popts="$popts --nat_traversal" ;; +no|'') ;; +*) echo "unknown nat_traversal value (not yes/no) \`$IPSECnat_traversal'" ;; +esac +[ -n "$keep_alive" ] && popts="$popts --keep_alive $keep_alive" +case "$force_keepalive" in +yes) popts="$popts --force_keepalive" ;; +no|'') ;; +*) echo "unknown force_keepalive value (not yes/no) \`$IPSECforce_keepalive'" ;; +esac +case "$disable_port_floating" in +yes) popts="$popts --disable_port_floating" ;; +no|'') ;; +*) echo "unknown disable_port_floating (not yes/no) \`$disable_port_floating'" ;; +esac +case "$pkcs11keepstate" in +yes) popts="$popts --pkcs11keepstate" ;; +no|'') ;; +*) echo "unknown pkcs11keepstate value (not yes/no) \`$IPSECpkcs11keepstate'" ;; +esac +case "$pkcs11proxy" in +yes) popts="$popts --pkcs11proxy" ;; +no|'') ;; +*) echo "unknown pkcs11proxy value (not yes/no) \`$IPSECpkcs11proxy'" ;; +esac + +[ -n "$virtual_private" ] && 
popts="$popts --virtual_private $virtual_private" + +# add crl check interval +if test ${crlcheckinterval:-0} -gt 0 +then + popts="$popts --crlcheckinterval $crlcheckinterval" +fi + +if test -n "$pkcs11module" +then + popts="$popts --pkcs11module $pkcs11module" +fi + +if test -n "$stderrlog" +then + popts="$popts --stderrlog 2>>$stderrlog" + + if test -f $stderrlog + then + if test ! -w $stderrlog + then + echo Cannot write to \"$stderrlog\". + exit 1 + fi + else + if test ! -w "`dirname $stderrlog`" + then + echo Cannot write to directory to create \"$stderrlog\". + exit 1 + fi + fi + + echo "Plutorun started on "`date` >$stderrlog +fi + +# set up dump directory +if test " $dumpdir" = " " +then + ulimit -c 0 # preclude core dumps +elif test ! -d "$dumpdir" +then + echo "dumpdir \`$dumpdir' does not exist, ignored" + ulimit -c 0 # preclude core dumps +elif cd $dumpdir # put them where desired +then + ulimit -c unlimited # permit them +else + echo "cannot cd to dumpdir \`$dumpdir', ignored" + ulimit -c 0 # preclude them +fi + +# execute any preliminaries +if test " $prepluto" != " " +then + $prepluto + st=$? + if test " $st" -ne 0 + then + echo "...prepluto command exited with status $st" + fi +fi + +IPSEC_SECRETS=${IPSEC_CONFS}/ipsec.secrets +if test ! -f "${IPSEC_SECRETS}" +then + ( logger -p authpriv.info -t ipsec__plutorun No file ${IPSEC_SECRETS}, generating key. + ipsec scepclient --out pkcs1 --out cert-self --quiet + echo -e "# /etc/ipsec.secrets - strongSwan IPsec secrets file\n" > ${IPSEC_SECRETS} + chmod 600 ${IPSEC_SECRETS} + echo ": RSA myKey.der" >> ${IPSEC_SECRETS} + + # tell pluto to go re-read the file + ipsec auto --rereadsecrets + ) & +fi + +# +# make sure that the isakmp port is open! +# +if test -f /etc/sysconfig/ipchains +then + if egrep -q 500:500 /etc/sysconfig/ipchains + then + : + else + ipchains -I input 1 -p udp -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 500:500 -j ACCEPT + # if it redhat, then save the rules again. 
+ if [ -f /etc/redhat-release ] + then + sh /etc/rc.d/init.d/ipchains save + fi + fi +fi + +# spin off into the background, with our own logging +echo "$verb Pluto subsystem..." | logger -p authpriv.error -t ipsec__plutorun +execdir=${IPSEC_EXECDIR-@IPSEC_EXECDIR@} +libdir=${IPSEC_LIBDIR-@IPSEC_LIBDIR@} +until ( + if test -s $info + then + . $info + export defaultroutephys defaultroutevirt defaultrouteaddr defaultroutenexthop + fi + # eval allows $popts to contain redirection and other magic + eval $execdir/pluto --nofork --secretsfile "$IPSEC_SECRETS" --policygroupsdir "${IPSEC_CONFS}/ipsec.d/policies" $popts + status=$? + echo "exit" + echo $status + ) | $libdir/_plutoload --wait "$plutowait" --post "$postpluto" +do + status=$? + case "$status" in + 13) echo "internal failure in pluto scripts, impossible to carry on" + exit 1 + ;; + 10) echo "pluto apparently already running (?!?), giving up" + exit 1 + ;; + 137) echo "pluto killed by SIGKILL, terminating without restart or unlock" + exit 0 + ;; + 143) echo "pluto killed by SIGTERM, terminating without restart" + # pluto now does its own unlock for this + exit 0 + ;; + *) st=$status + if $plutorestartoncrash + then + : + else + exit 0 + fi + + if test $st -gt 128 + then + st="$st (signal `expr $st - 128`)" + fi + echo "!pluto failure!: exited with error status $st" + echo "restarting IPsec after pause..." + ( + sleep 10 + ipsec setup _autorestart + ) /dev/null 2>&1 & + exit 1 + ###sleep 10 + ###rm -rf $pidfile + #### and go around the loop again + ;; + esac +done &1 | + logger -s -p $wherelog -t ipsec__plutorun >/dev/null 2>/dev/null & + +exit 0 diff --git a/programs/_realsetup/.cvsignore b/programs/_realsetup/.cvsignore new file mode 100644 index 000000000..54941b8a3 --- /dev/null +++ b/programs/_realsetup/.cvsignore @@ -0,0 +1 @@ +_realsetup diff --git a/programs/_realsetup/Makefile b/programs/_realsetup/Makefile new file mode 100644 index 000000000..c339007e0 --- /dev/null +++ b/programs/_realsetup/Makefile 
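Review bot: The secrets-file bootstrap in this hunk creates `${IPSEC_SECRETS}` under the inherited umask and only afterwards runs `chmod 600`, so the file can be group- or world-readable for a moment; it also writes the `: RSA myKey.der` entry whether or not `ipsec scepclient` succeeded, and uses `echo -e`, which a POSIX `/bin/sh` such as dash prints literally. Setting `umask 077` in the subshell, gating the write on scepclient's exit status and using `printf` fixes all three; the rewritten block is below, the rest of the hunk is unchanged. Separately, the `unknown ... value (not yes/no)` messages in the option sort-out interpolate `$IPSECuniqueids`, `$IPSECnocrsend`, `$IPSECstrictcrlpolicy`, `$IPSECcachecrls`, `$IPSECnat_traversal`, `$IPSECforce_keepalive`, `$IPSECpkcs11keepstate` and `$IPSECpkcs11proxy`, none of which is set anywhere in this script, so unless the caller exports them the offending value prints empty — the variables being tested are `$uniqueids` and friends, as the `disable_port_floating` case already does correctly. Note too that `$popts` is assembled from ipsec.conf values and then passed through `eval`, so any shell metacharacters in, say, `pkcs11module` or `virtual_private` are interpreted rather than handed to pluto; building the argument list with `set --` and applying only the `2>>$stderrlog` redirection outside the string would remove the need for `eval` altogether.
```shell
IPSEC_SECRETS=${IPSEC_CONFS}/ipsec.secrets
if test ! -f "${IPSEC_SECRETS}"
then
	(
	# owner-only from the moment the file exists, so there is no chmod window
	umask 077
	logger -p authpriv.info -t ipsec__plutorun "No file ${IPSEC_SECRETS}, generating key."
	if ipsec scepclient --out pkcs1 --out cert-self --quiet
	then
		# printf rather than "echo -e": the latter is not portable to a POSIX /bin/sh
		printf '# /etc/ipsec.secrets - strongSwan IPsec secrets file\n\n: RSA myKey.der\n' > "${IPSEC_SECRETS}"
		# tell pluto to go re-read the file
		ipsec auto --rereadsecrets
	else
		logger -p authpriv.error -t ipsec__plutorun "key generation failed, ${IPSEC_SECRETS} not written"
	fi
	) &
fi
# … unchanged: isakmp port check, pluto start/restart loop …
```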
@@ -0,0 +1,43 @@ +# Makefile for miscelaneous programs +# Copyright (C) 2002 Michael Richardson +# +# This program is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 2 of the License, or (at your +# option) any later version. See . +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +# for more details. +# +# RCSID $Id: Makefile,v 1.1 2004/03/15 20:35:27 as Exp $ + +FREESWANSRCDIR=../.. +include ${FREESWANSRCDIR}/Makefile.inc + +PROGRAM=_realsetup +PROGRAMDIR=${LIBDIR} + +include ../Makefile.program + +# +# $Log: Makefile,v $ +# Revision 1.1 2004/03/15 20:35:27 as +# added files from freeswan-2.04-x509-1.5.3 +# +# Revision 1.3 2002/08/02 16:01:34 mcr +# moved user visible programs to $PREFIX/libexec, while moving +# private files to $PREFIX/lib. +# +# Revision 1.2 2002/06/02 22:02:14 mcr +# changed TOPDIR->FREESWANSRCDIR in all Makefiles. +# (note that linux/net/ipsec/Makefile uses TOPDIR because this is the +# kernel sense.) +# +# Revision 1.1 2002/04/24 07:55:32 mcr +# #include patches and Makefiles for post-reorg compilation. +# +# +# + diff --git a/programs/_realsetup/_realsetup.8 b/programs/_realsetup/_realsetup.8 new file mode 100644 index 000000000..51b647115 --- /dev/null +++ b/programs/_realsetup/_realsetup.8 
@@ -0,0 +1,36 @@
+.TH _REALSETUP 8 "25 Apr 2002"
+.\"
+.\" RCSID $Id: _realsetup.8,v 1.1 2004/03/15 20:35:27 as Exp $
+.\"
+.SH NAME
+ipsec _realsetup \- internal routine to start FreeS/WAN.
+.SH DESCRIPTION
+.I _realsetup
+is called by the system init scripts to start the FreeS/WAN
+system. It starts
+.B KLIPS
+(the kernel component) and
+.B pluto
+(the userspace keying component).
+.SH "SEE ALSO"
+ipsec(8), ipsec__klipsstart(8), ipsec__plutorun(8).
+.SH HISTORY
+Man page written for the Linux FreeS/WAN project
+by Michael Richardson. Original program by Henry Spencer.
+.\"
+.\" $Log: _realsetup.8,v $
+.\" Revision 1.1 2004/03/15 20:35:27 as
+.\" added files from freeswan-2.04-x509-1.5.3
+.\"
+.\" Revision 1.2 2002/04/29 22:39:31 mcr
+.\" added basic man page for all internal commands.
+.\"
+.\" Revision 1.1 2002/04/26 01:21:43 mcr
+.\" while tracking down a missing (not installed) /etc/ipsec.conf,
+.\" MCR has decided that it is not okay for each program subdir to have
+.\" some subset (determined with -f) of possible files.
+.\" Each subdir that defines $PROGRAM, MUST have a PROGRAM.8 file as well as a PROGRAM file.
+.\" Optional PROGRAM.5 files have been added to the makefiles.
+.\"
+.\"
+.\"
diff --git a/programs/_realsetup/_realsetup.in b/programs/_realsetup/_realsetup.in
new file mode 100755
index 000000000..91b6e98d3
--- /dev/null
+++ b/programs/_realsetup/_realsetup.in
@@ -0,0 +1,456 @@ +#!/bin/sh +# IPsec startup and shutdown command +# Copyright (C) 1998, 1999, 2001 Henry Spencer. +# +# This program is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 2 of the License, or (at your +# option) any later version. See . +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +# for more details. +# +# RCSID $Id: _realsetup.in,v 1.10 2005/09/25 21:30:52 as Exp $ + +IPSEC_NAME=strongSwan + +me='ipsec setup' # for messages + +# Misc. paths (some of this should perhaps be overrideable from ipsec.conf). +plutopid=/var/run/pluto.pid +subsyslock=/var/lock/subsys/ipsec +lock=/var/run/ipsec_setup.pid +info=/var/run/ipsec.info +sysflags=/proc/sys/net/ipsec +modules=/proc/modules +ipforward=/proc/sys/net/ipv4/ip_forward +ipsecversion=/proc/net/ipsec_version +kamepfkey=/proc/net/pfkey + +# make sure output of (e.g.) 
ifconfig is in English +unset LANG LANGUAGE LC_ALL LC_MESSAGES + +# check we were called properly +if test " $IPSEC_confreadsection" != " setup" +then + echo "$me: $0 must be called by ipsec_setup" >&2 + exit 1 +fi +# defaults for "config setup" items + +IPSECinterfaces=${IPSECinterfaces:-%defaultroute} + if test " $IPSECinterfaces" = " %none" ; then IPSECinterfaces= ; fi +# IPSECforwardcontrol "no" +# IPSECsyslog "daemon.error" +# IPSECklipsdebug "none" +# IPSECplutodebug "none" +# IPSECdumpdir "" (no dump) +# IPSECmanualstart "" +# IPSECpluto "yes" +IPSECplutowait=${IPSECplutowait:-no} +# IPSECprepluto "" +# IPSECpostpluto "" +# IPSECfragicmp "yes" +# IPSEChidetos "yes" +IPSECrp_filter=${IPSECrp_filter:-0} +IPSECuniqueids=${IPSECuniqueids:-yes} +IPSECcrlcheckinterval=${IPSECcrlcheckinterval:-0} +# IPSECpkcs11module "" +# IPSECoverridemtu "" + +# Shall we trace? +execute="true" +display="false" +for i in $IPSEC_setupflags +do + case "$i" in + "--showonly") execute="false" ; display=true ;; + "--show") display=true ;; + esac +done + +if $display +then + echo " " PATH="$PATH" +fi + +perform() { + if $display + then + echo " " "$*" + fi + + if $execute + then + eval "$*" + fi +} + +# function to set up manually-keyed connections +manualconns() { + if test " $IPSECmanualstart" != " " + then + for tu in $IPSECmanualstart + do + perform ipsec manual --up $tu + done + fi + + # search for things to "ipsec manual --up": auto == "manual" + eval `ipsec _confread --varprefix MANUALSTART --search auto manual` + if test " $MANUALSTART_confreadstatus" != " " + then + echo "auto=manual search: $MANUALSTART_confreadstatus" + echo "unable to determine what conns to manual --up; none done" + elif test " $MANUALSTART_confreadnames" != " " + then + for tu in $MANUALSTART_confreadnames + do + perform ipsec manual --up $tu + done + fi +} + +# for no-stdout logging: +LOGONLY="logger -p $IPSECsyslog -t ipsec_setup" + +# What an ugly string. 
+# Must be a string, not a function, because it is nested +# within another sequence (for plutorun). +# Luckily there are NO substitutions in it. +KILLKLIPS='ifl=` ifconfig | sed -n -e "/^ipsec/s/ .*//p" ` ; + test "X$ifl" != "X" && + for i in $ifl ; + do + ifconfig $i down ; + ipsec tncfg --detach --virtual $i ; + done ; + test -r /proc/net/ipsec_klipsdebug && ipsec klipsdebug --none ; + ipsec eroute --clear ; + ipsec spi --clear ; + for alg in aes serpent twofish blowfish sha2 ; + do + lsmod 2>&1 | grep "^ipsec_$alg" > /dev/null && rmmod ipsec_$alg ; + done ; + lsmod 2>&1 | grep "^ipsec" > /dev/null && rmmod ipsec' + +if test -f $kamepfkey +then + KILLKLIPS=' + if ip xfrm state > /dev/null 2>&1 ; + then + ip xfrm state flush ; + ip xfrm policy flush ; + elif type setkey > /dev/null 2>&1 ; + then + setkey -F ; + setkey -FP ; + fi' +fi + + + +# do it +case "$1" in + start|--start|_autostart) + # First, does it seem to be going already? + perform test ! -f $lock "||" "{" \ + echo "\"$IPSEC_NAME IPsec apparently already running, start aborted\"" ";" \ + exit 1 ";" \ + "}" + + # announcement + # (Warning, changes to this log message may affect barf.) + version="`ipsec --version | awk 'NR == 1 { print $(3) }' | sed -e 's/^U\(.*\)\/K(.*/\1/'`" + case "$1" in + start|--start) perform echo "\"Starting $IPSEC_NAME IPsec $version...\"" ;; + _autostart) perform echo "\"Restarting $IPSEC_NAME IPsec $version...\"" ;; + esac + + # preliminaries + perform rm -f $lock + + for f in /dev/random /dev/urandom + do + perform test -r $f "||" "{" \ + echo "\"...unable to start $IPSEC_NAME IPsec, no $f!\"" ";" \ + exit 1 ";" \ + "}" + done + + # the meaning of $$ at a different runtime is questionable! 
+ perform echo '$$' ">" $lock + perform test -s $lock "||" "{" \ + echo "\"...unable to create $lock, aborting start!\"" ";" \ + rm -f $lock ";" \ + exit 1 ";" \ + "}" + + perform ">" $info + + # here we go + perform ipsec _startklips \ + --info $info \ + --debug "\"$IPSECklipsdebug\"" \ + --omtu "\"$IPSECoverridemtu\"" \ + --fragicmp "\"$IPSECfragicmp\"" \ + --hidetos "\"$IPSEChidetos\"" \ + --rpfilter "\"$IPSECrp_filter\"" \ + --log "\"$IPSECsyslog\"" \ + $IPSECinterfaces "||" \ + "{" rm -f $lock ";" exit 1 ";" "}" + + perform test -f $ipsecversion "||" \ + test -f $kamepfkey "||" "{" \ + echo "\"OOPS, should have aborted! Broken shell!\"" ";" \ + exit 1 ";" \ + "}" + + # misc pre-Pluto setup + + perform test -d `dirname $subsyslock` "&&" touch $subsyslock + + if test " $IPSECforwardcontrol" = " yes" + then + perform grep '"^0"' $ipforward ">" /dev/null "&&" "{" \ + echo "\"enabling IP forwarding:\"" "|" $LOGONLY ";" \ + echo "\"ipforwardingwas=$fw\"" ">>" $info ";" \ + echo 1 ">" $ipforward ";" \ + "}" + fi + manualconns + + plutorestartoncrash="" + case "$IPSECplutorestartoncrash" in + true|[yY]|yes|restart) plutorestartoncrash="--plutorestartoncrash true";; + false|[nN]|no|die) plutorestartoncrash="--plutorestartoncrash false" ;; + esac + + # Pluto + case "$1" in + start|--start) re= ;; + _autostart) re=--re ;; + esac + if test " $IPSECpluto" != " no" + then + perform ipsec _plutorun $re \ + --debug "\"$IPSECplutodebug\"" \ + --uniqueids "\"$IPSECuniqueids\"" \ + --nocrsend "\"$IPSECnocrsend\"" \ + --strictcrlpolicy "\"$IPSECstrictcrlpolicy\"" \ + --cachecrls "\"$IPSECcachecrls\"" \ + --nat_traversal "\"$IPSECnat_traversal\"" \ + --keep_alive "\"$IPSECkeep_alive\"" \ + --force_keepalive "\"$IPSECforce_keepalive\"" \ + --disable_port_floating "\"$IPSECdisable_port_floating\"" \ + --virtual_private "\"$IPSECvirtual_private\"" \ + --crlcheckinterval "\"$IPSECcrlcheckinterval\"" \ + --pkcs11module "\"$IPSECpkcs11module\"" \ + --pkcs11keepstate 
"\"$IPSECpkcs11keepstate\"" \ + --pkcs11proxy "\"$IPSECpkcs11proxy\"" \ + --dump "\"$IPSECdumpdir\"" \ + --opts "\"$IPSECplutoopts\"" \ + --stderrlog "\"$IPSECplutostderrlog\"" \ + --wait "\"$IPSECplutowait\"" \ + --pre "\"$IPSECprepluto\"" \ + --post "\"$IPSECpostpluto\"" \ + --log "\"$IPSECsyslog\"" $plutorestartoncrash \ + --pid "\"$plutopid\"" "||" "{" \ + $KILLKLIPS ";" \ + rm -f $lock ";" \ + exit 1 ";" \ + "}" + fi + + # done! + perform echo "\"...$IPSEC_NAME IPsec started\"" "|" $LOGONLY + ;; + + stop|--stop|_autostop) # _autostop is same as stop + # Shut things down. + perform echo "\"Stopping $IPSEC_NAME IPsec...\"" + perform \ + if test -r $lock ";" \ + then \ + status=0 ";" \ + . $info ";" \ + else \ + echo "\"stop ordered, but IPsec does not appear to be running!\"" ";" \ + echo "\"doing cleanup anyway...\"" ";" \ + status=1 ";" \ + fi + if test " $IPSECforwardcontrol" = " yes" + then + perform test "\"X\$ipforwardingwas\"" = "\"X0\"" "&&" "{" \ + echo "\"disabling IP forwarding:\"" "|" $LOGONLY ";" \ + echo 0 ">" $ipforward ";" \ + "}" + fi + + perform test -f $plutopid "&&" "{" \ + if ps -p '`' cat $plutopid '`' ">" /dev/null ";" \ + then \ + ipsec whack --shutdown "|" grep -v "^002" ";" \ + sleep 1 ";" \ + if test -s $plutopid ";" \ + then \ + echo "\"Attempt to shut Pluto down failed! 
Trying kill:\"" ";" \ + kill '`' cat $plutopid '`' ";" \ + sleep 5 ";" \ + fi ";" \ + else \ + echo "\"Removing orphaned $plutopid:\"" ";" \ + fi ";" \ + rm -f $plutopid ";" \ + "}" + + perform $KILLKLIPS + + perform test -d `dirname $subsyslock` "&&" rm -f $subsyslock + + perform rm -f $info $lock + perform echo "...$IPSEC_NAME IPsec stopped" "|" $LOGONLY + perform exit \$status + ;; + + status|--status) + if test " $IPSEC_setupflags" != " " + then + echo "$me $1 does not support $IPSEC_setupflags" + exit 1 + fi + + if test -f $info + then + hasinfo=yes + fi + + if test -f $lock + then + haslock=yes + fi + + if test -f $subsyslock + then + hassublock=yes + fi + + if test -s $plutopid + then + if ps -p `cat $plutopid` >/dev/null + then + plutokind=normal + elif ps -C pluto >/dev/null + then + plutokind=illicit + fi + elif ps -C pluto >/dev/null + then + plutokind=orphaned + else + plutokind=no + fi + + if test -r /proc/net/ipsec_eroute + then + if test " `wc -l &2 + exit 2 +esac + +exit 0 diff --git a/programs/_secretcensor/.cvsignore b/programs/_secretcensor/.cvsignore new file mode 100644 index 000000000..202d856fe --- /dev/null +++ b/programs/_secretcensor/.cvsignore @@ -0,0 +1 @@ +_secretcensor diff --git a/programs/_secretcensor/Makefile b/programs/_secretcensor/Makefile new file mode 100644 index 000000000..3df15286e --- /dev/null +++ b/programs/_secretcensor/Makefile 
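Review bot: In the forwardcontrol block of the start branch, `echo "\"ipforwardingwas=$fw\"" ">>" $info` records the value of `fw`, which nothing in this hunk assigns, so unless the caller exports it the info file ends up with `ipforwardingwas=` and the stop branch's `test "X$ipforwardingwas" = "X0"` never matches — forwarding that start switched on is never switched back off. Because the guarding `grep '"^0"' $ipforward` has just established that the previous value was 0, the line should simply read `echo "\"ipforwardingwas=0\"" ">>" $info ";" \`. Separately, the already-running check `test ! -f $lock`, the `rm -f $lock` and the later `echo '$$' ">" $lock` are three independent steps, so two concurrent `ipsec setup start` runs can both pass the check; for a root-run init script this is a robustness rather than a security issue, but a comment such as `# NOTE: lock test and creation are not atomic; concurrent starts are not excluded` would make the limitation explicit.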
@@ -0,0 +1,43 @@
+# Makefile for miscelaneous programs
+# Copyright (C) 2002 Michael Richardson
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version. See .
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# for more details.
+#
+# RCSID $Id: Makefile,v 1.1 2004/03/15 20:35:27 as Exp $
+
+FREESWANSRCDIR=../..
+include ${FREESWANSRCDIR}/Makefile.inc
+
+PROGRAM=_secretcensor
+PROGRAMDIR=${LIBDIR}
+
+include ../Makefile.program
+
+#
+# $Log: Makefile,v $
+# Revision 1.1 2004/03/15 20:35:27 as
+# added files from freeswan-2.04-x509-1.5.3
+#
+# Revision 1.3 2002/08/02 16:01:38 mcr
+# moved user visible programs to $PREFIX/libexec, while moving
+# private files to $PREFIX/lib.
+#
+# Revision 1.2 2002/06/02 22:02:14 mcr
+# changed TOPDIR->FREESWANSRCDIR in all Makefiles.
+# (note that linux/net/ipsec/Makefile uses TOPDIR because this is the
+# kernel sense.)
+#
+# Revision 1.1 2002/04/24 07:55:32 mcr
+# #include patches and Makefiles for post-reorg compilation.
+#
+#
+#
+
diff --git a/programs/_secretcensor/_secretcensor.8 b/programs/_secretcensor/_secretcensor.8
new file mode 100644
index 000000000..d502bbd37
--- /dev/null
+++ b/programs/_secretcensor/_secretcensor.8
@@ -0,0 +1,34 @@
+.TH _SECRETCENSOR 8 "25 Apr 2002"
+.\"
+.\" RCSID $Id: _secretcensor.8,v 1.1 2004/03/15 20:35:27 as Exp $
+.\"
+.SH NAME
+ipsec _secretcensor \- internal routing to sanitize files
+.SH DESCRIPTION
+.I _secretcensor
+is called by
+.B ipsec barf
+to process the /etc/ipsec.secrets file to remove the private key components
+from the file prior to revealing the contents.
+.SH "SEE ALSO"
+ipsec(8), ipsec_barf(8).
+.SH HISTORY
+Man page written for the Linux FreeS/WAN project
+by Michael Richardson. Original program by Henry Spencer.
+.\"
+.\" $Log: _secretcensor.8,v $
+.\" Revision 1.1 2004/03/15 20:35:27 as
+.\" added files from freeswan-2.04-x509-1.5.3
+.\"
+.\" Revision 1.2 2002/04/29 22:39:31 mcr
+.\" added basic man page for all internal commands.
+.\"
+.\" Revision 1.1 2002/04/26 01:21:43 mcr
+.\" while tracking down a missing (not installed) /etc/ipsec.conf,
+.\" MCR has decided that it is not okay for each program subdir to have
+.\" some subset (determined with -f) of possible files.
+.\" Each subdir that defines $PROGRAM, MUST have a PROGRAM.8 file as well as a PROGRAM file.
+.\" Optional PROGRAM.5 files have been added to the makefiles.
+.\"
+.\"
+.\"
diff --git a/programs/_secretcensor/_secretcensor.in b/programs/_secretcensor/_secretcensor.in
new file mode 100755
index 000000000..150c13cbc
--- /dev/null
+++ b/programs/_secretcensor/_secretcensor.in
@@ -0,0 +1,75 @@ +#! /bin/sh +# implements secret censoring for barf +# Copyright (C) 1999 Henry Spencer. +# +# This program is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 2 of the License, or (at your +# option) any later version. See . +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +# for more details. +# +# RCSID $Id: _secretcensor.in,v 1.1 2004/03/15 20:35:27 as Exp $ + +usage="Usage: $0 [file ...]" +me="ipsec _secretcensor" + +for dummy +do + case "$1" in + --help) echo "$usage" ; exit 0 ;; + --version) echo "$me $IPSEC_VERSION" ; exit 0 ;; + --) shift ; break ;; + -*) echo "$0: unknown option \`$1'" >&2 ; exit 2 ;; + *) break ;; + esac + shift +done + +awk ' function cool(hot, q, cooled, run) { + # warning: may destroy input line! + q = "'"'"'" # single quote + if (hot ~ q) + return "[cannot be summed]" + if (hot ~ /^0s/) + return "[keyid " substr(hot, 3, 9) "]" + run = "echo " q hot q " | md5sum" + run | getline + close(run) + return "[sums to " substr($1, 1, 4) "...]" + } + /"/ { + i = match($0, /"[^"]+"/) + cold1 = substr($0, 1, i) + cold2 = substr($0, i+RLENGTH-1) + hot = substr($0, i+1, RLENGTH-2) + print cold1 cool(hot) cold2 + next + } + /#pubkey=/ { + i = match($0, /^.*#pubkey=/) + i += RLENGTH-1 + cold = substr($0, 1, i) + hot = substr($0, i+1) + print cold cool(hot) + next + } + /#IN KEY / { + i = match($0, /^.*[ \t][^ \t]/) + i += RLENGTH-2 + cold = substr($0, 1, i) + hot = substr($0, i+1) + print cold cool("0s" hot) + next + } + /^[ \t]+(Modulus|P[a-z]+Exponent|Prime[12]|Exponent[12]|Coefficient):/ { + i = match($0, /^[^:]*:[ \t]*/) + i += RLENGTH-1 + cold = substr($0, 1, i) + print cold "[...]" + next + } + { print }' $* 
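Review bot: The closing `{ print }' $*` passes the file arguments unquoted, so a path containing whitespace is split into several arguments and the wrong files are read; `"$@"` preserves them, i.e. `{ print }' "$@"`. In `cool()`, the fingerprint is produced by running `echo '<secret>' | md5sum` through awk's pipe-getline, which hands the key material to `sh -c` on its command line, where it is briefly readable in the process list by any local user while barf runs; the single-quote check prevents shell injection but not that exposure. Passing the material on stdin rather than argv would avoid it, and until then a comment such as `# NOTE: key material is placed on the shell command line of the md5sum pipe` should flag the trade-off. The four-hex-digit truncation also means `[sums to ...]` is only a loose fingerprint, which is adequate for its purpose but worth stating in the header comment.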
diff --git a/programs/_startklips/.cvsignore b/programs/_startklips/.cvsignore
new file mode 100644
index 000000000..a206fe65f
--- /dev/null
+++ b/programs/_startklips/.cvsignore
@@ -0,0 +1 @@
+_startklips
diff --git a/programs/_startklips/Makefile b/programs/_startklips/Makefile
new file mode 100644
index 000000000..9df701b0e
--- /dev/null
+++ b/programs/_startklips/Makefile
@@ -0,0 +1,43 @@
+# Makefile for miscelaneous programs
+# Copyright (C) 2002 Michael Richardson
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version. See .
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# for more details.
+#
+# RCSID $Id: Makefile,v 1.1 2004/03/15 20:35:27 as Exp $
+
+FREESWANSRCDIR=../..
+include ${FREESWANSRCDIR}/Makefile.inc
+
+PROGRAM=_startklips
+PROGRAMDIR=${LIBDIR}
+
+include ../Makefile.program
+
+#
+# $Log: Makefile,v $
+# Revision 1.1 2004/03/15 20:35:27 as
+# added files from freeswan-2.04-x509-1.5.3
+#
+# Revision 1.3 2002/08/02 16:01:42 mcr
+# moved user visible programs to $PREFIX/libexec, while moving
+# private files to $PREFIX/lib.
+#
+# Revision 1.2 2002/06/02 22:02:14 mcr
+# changed TOPDIR->FREESWANSRCDIR in all Makefiles.
+# (note that linux/net/ipsec/Makefile uses TOPDIR because this is the
+# kernel sense.)
+#
+# Revision 1.1 2002/04/24 07:55:32 mcr
+# #include patches and Makefiles for post-reorg compilation.
+#
+#
+#
+
diff --git a/programs/_startklips/_startklips.8 b/programs/_startklips/_startklips.8
new file mode 100644
index 000000000..066699085
--- /dev/null
+++ b/programs/_startklips/_startklips.8
@@ -0,0 +1,33 @@
+.TH _STARTKLIPS 8 "25 Apr 2002"
+.\"
+.\" RCSID $Id: _startklips.8,v 1.1 2004/03/15 20:35:27 as Exp $
+.\"
+.SH NAME
+ipsec _startklips \- internal script to bring up kernel components
+.SH DESCRIPTION
+.I _startklips
+brings up the FreeS/WAN kernel component. This involves loading any
+required modules, attaching and configuring the ipsecX pseudo-devices and
+attaching the pseudo-devices to the physical devices.
+.SH "SEE ALSO"
+ipsec(8), ipsec_tncfg(8).
+.SH HISTORY
+Man page written for the Linux FreeS/WAN project
+by Michael Richardson. Original program by Henry Spencer.
+.\"
+.\" $Log: _startklips.8,v $
+.\" Revision 1.1 2004/03/15 20:35:27 as
+.\" added files from freeswan-2.04-x509-1.5.3
+.\"
+.\" Revision 1.2 2002/04/29 22:39:31 mcr
+.\" added basic man page for all internal commands.
+.\"
+.\" Revision 1.1 2002/04/26 01:21:43 mcr
+.\" while tracking down a missing (not installed) /etc/ipsec.conf,
+.\" MCR has decided that it is not okay for each program subdir to have
+.\" some subset (determined with -f) of possible files.
+.\" Each subdir that defines $PROGRAM, MUST have a PROGRAM.8 file as well as a PROGRAM file.
+.\" Optional PROGRAM.5 files have been added to the makefiles.
+.\"
+.\"
+.\"
diff --git a/programs/_startklips/_startklips.in b/programs/_startklips/_startklips.in
new file mode 100755
index 000000000..7f85a94de
--- /dev/null
+++ b/programs/_startklips/_startklips.in
@@ -0,0 +1,367 @@ +#!/bin/sh +# KLIPS startup script +# Copyright (C) 1998, 1999, 2001, 2002 Henry Spencer. +# +# This program is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 2 of the License, or (at your +# option) any later version. See . +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +# for more details. +# +# RCSID $Id: _startklips.in,v 1.6 2005/05/06 22:11:33 as Exp $ + +me='ipsec _startklips' # for messages + +# KLIPS-related paths +sysflags=/proc/sys/net/ipsec +modules=/proc/modules +# full rp_filter path is $rpfilter1/interface/$rpfilter2 +rpfilter1=/proc/sys/net/ipv4/conf +rpfilter2=rp_filter +# %unchanged or setting (0, 1, or 2) +rpfiltercontrol=0 +ipsecversion=/proc/net/ipsec_version +moduleplace=/lib/modules/`uname -r`/kernel/net/ipsec +bareversion=`uname -r | sed -e 's/^\(2\.[0-9]\.[1-9][0-9]*-[1-9][0-9]*\(\.[0-9][0-9]*\)*\(\.x\)*\).*$/\1/'` +moduleinstplace=/lib/modules/$bareversion/kernel/net/ipsec +modulename=ipsec.o +klips=true +netkey=/proc/net/pfkey + +info=/dev/null +log=daemon.error +for dummy +do + case "$1" in + --log) log="$2" ; shift ;; + --info) info="$2" ; shift ;; + --debug) debug="$2" ; shift ;; + --omtu) omtu="$2" ; shift ;; + --fragicmp) fragicmp="$2" ; shift ;; + --hidetos) hidetos="$2" ; shift ;; + --rpfilter) rpfiltercontrol="$2" ; shift ;; + --) shift ; break ;; + -*) echo "$me: unknown option \`$1'" >&2 ; exit 2 ;; + *) break ;; + esac + shift +done + + + +# some shell functions, to clarify the actual code + +# set up a system flag based on a variable +# sysflag value shortname default flagname +sysflag() { + case "$1" in + '') v="$3" ;; + *) v="$1" ;; + esac + if test ! 
-f $sysflags/$4 + then + if test " $v" != " $3" + then + echo "cannot do $2=$v, $sysflags/$4 does not exist" + exit 1 + else + return # can't set, but it's the default anyway + fi + fi + case "$v" in + yes|no) ;; + *) echo "unknown (not yes/no) $2 value \`$1'" + exit 1 + ;; + esac + case "$v" in + yes) echo 1 >$sysflags/$4 ;; + no) echo 0 >$sysflags/$4 ;; + esac +} + +# set up a Klips interface +klipsinterface() { + # pull apart the interface spec + virt=`expr $1 : '\([^=]*\)=.*'` + phys=`expr $1 : '[^=]*=\(.*\)'` + case "$virt" in + ipsec[0-9]) ;; + *) echo "invalid interface \`$virt' in \`$1'" ; exit 1 ;; + esac + + # figure out ifconfig for interface + addr= + eval `ifconfig $phys | + awk '$1 == "inet" && $2 ~ /^addr:/ && $NF ~ /^Mask:/ { + gsub(/:/, " ", $0) + print "addr=" $3 + other = $5 + if ($4 == "Bcast") + print "type=broadcast" + else if ($4 == "P-t-P") + print "type=pointopoint" + else if (NF == 5) { + print "type=" + other = "" + } else + print "type=unknown" + print "otheraddr=" other + print "mask=" $NF + }'` + if test " $addr" = " " + then + echo "unable to determine address of \`$phys'" + exit 1 + fi + if test " $type" = " unknown" + then + echo "\`$phys' is of an unknown type" + exit 1 + fi + if test " $omtu" != " " + then + mtu="mtu $omtu" + else + mtu= + fi + echo "KLIPS $virt on $phys $addr/$mask $type $otheraddr $mtu" | logonly + + if $klips + then + # attach the interface and bring it up + ipsec tncfg --attach --virtual $virt --physical $phys + ifconfig $virt inet $addr $type $otheraddr netmask $mask $mtu + fi + + # if %defaultroute, note the facts + if test " $2" != " " + then + ( + echo "defaultroutephys=$phys" + echo "defaultroutevirt=$virt" + echo "defaultrouteaddr=$addr" + if test " $2" != " 0.0.0.0" + then + echo "defaultroutenexthop=$2" + fi + ) >>$info + else + echo '#dr: no default route' >>$info + fi + + # check for rp_filter trouble + checkif $phys # thought to be a problem only on phys +} + +# check an interface for problems 
+checkif() { + $klips || return 0 + rpf=$rpfilter1/$1/$rpfilter2 + if test -f $rpf + then + r="`cat $rpf`" + if test " $r" != " 0" + then + case "$r-$rpfiltercontrol" in + 0-%unchanged|0-0|1-1|2-2) + # happy state + ;; + *-%unchanged) + echo "WARNING: $1 has route filtering turned on; KLIPS may not work ($rpf is $r)" + ;; + [012]-[012]) + echo "WARNING: changing route filtering on $1 (changing $rpf from $r to $rpfiltercontrol)" + echo "$rpfiltercontrol" >$rpf + ;; + [012]-*) + echo "ERROR: unknown rpfilter setting: $rpfiltercontrol" + ;; + *) + echo "ERROR: unknown $rpf value $r" + ;; + esac + fi + fi +} + +# interfaces=%defaultroute: put ipsec0 on top of default route's interface +defaultinterface() { + phys=`netstat -nr | + awk '$1 == "0.0.0.0" && $3 == "0.0.0.0" { print $NF }'` + if test " $phys" = " " + then + echo "no default route, %defaultroute cannot cope!!!" + exit 1 + fi + if test `echo " $phys" | wc -l` -gt 1 + then + echo "multiple default routes, %defaultroute cannot cope!!!" + exit 1 + fi + next=`netstat -nr | + awk '$1 == "0.0.0.0" && $3 == "0.0.0.0" { print $2 }'` + klipsinterface "ipsec0=$phys" $next +} + +# log only to syslog, not to stdout/stderr +logonly() { + logger -p $log -t ipsec_setup +} + +# sort out which module is appropriate, changing it if necessary +setmodule() { + wantgoo="`ipsec calcgoo /proc/ksyms`" + module=$moduleplace/$modulename + if test -f $module + then + goo="`nm -ao $module | ipsec calcgoo`" + if test " $wantgoo" = " $goo" + then + return # looks right + fi + fi + if test -f $moduleinstplace/$wantgoo + then + echo "insmod failed, but found matching template module $wantgoo." + echo "Copying $moduleinstplace/$wantgoo to $module." + rm -f $module + mkdir -p $moduleplace + cp -p $moduleinstplace/$wantgoo $module + # "depmod -a" gets done by caller + fi +} + + + +# main line + +# load module if possible +if test ! -f $ipsecversion && test ! 
-f $netkey +then + # statically compiled KLIPS not found; try to load the module + insmod ipsec +fi + +if test ! -f $ipsecversion && test ! -f $netkey +then + modprobe -v af_key +fi + +if test -f $netkey +then + klips=false + if test -f $modules + then + modprobe -qv ah4 + modprobe -qv esp4 + modprobe -qv ipcomp + modprobe -qv xfrm4_tunnel + modprobe -qv xfrm_user + fi +fi + +if test ! -f $ipsecversion && $klips +then + if test -r $modules # kernel does have modules + then + setmodule + unset MODPATH MODULECONF # no user overrides! + depmod -a >/dev/null 2>&1 + modprobe -v ipsec + fi + if test ! -f $ipsecversion + then + echo "kernel appears to lack KLIPS" + exit 1 + fi +fi + +# load all compiled algo modules +if $klips +then + for alg in aes serpent twofish blowfish sha2 + do + if test -f $moduleinstplace/alg/ipsec_$alg.o + then + modprobe ipsec_$alg + fi + done +fi + +# figure out debugging flags +case "$debug" in +'') debug=none ;; +esac +if test -r /proc/net/ipsec_klipsdebug +then + echo "KLIPS debug \`$debug'" | logonly + case "$debug" in + none) ipsec klipsdebug --none ;; + all) ipsec klipsdebug --all ;; + *) ipsec klipsdebug --none + for d in $debug + do + ipsec klipsdebug --set $d + done + ;; + esac +elif $klips +then + if test " $debug" != " none" + then + echo "klipsdebug=\`$debug' ignored, KLIPS lacks debug facilities" + fi +fi + +# figure out misc. kernel config +if test -d $sysflags +then + sysflag "$fragicmp" "fragicmp" yes icmp + echo 1 >$sysflags/inbound_policy_check # no debate + sysflag no "no_eroute_pass" no no_eroute_pass # obsolete parm + sysflag no "opportunistic" no opportunistic # obsolete parm + sysflag "$hidetos" "hidetos" yes tos +elif $klips +then + echo "WARNING: cannot adjust KLIPS flags, no $sysflags directory!" 
+ # carry on +fi + +if $klips; then + # clear tables out in case dregs have been left over + ipsec eroute --clear + ipsec spi --clear +elif test $netkey +then + if ip xfrm state > /dev/null 2>&1 + then + ip xfrm state flush + ip xfrm policy flush + elif type setkey > /dev/null 2>&1 + then + setkey -F + setkey -FP + else + echo "WARNING: cannot flush state/policy database -- \`$1'" | + logger -s -p $log -t ipsec_setup + fi +fi + +# figure out interfaces +for i +do + case "$i" in + ipsec*=?*) klipsinterface "$i" ;; + %defaultroute) defaultinterface ;; + *) echo "interface \`$i' not understood" + exit 1 + ;; + esac +done + +exit 0 diff --git a/programs/_updown/.cvsignore b/programs/_updown/.cvsignore new file mode 100644 index 000000000..81e2e4f86 --- /dev/null +++ b/programs/_updown/.cvsignore @@ -0,0 +1,2 @@ +_updown +_updown.in diff --git a/programs/_updown/Makefile b/programs/_updown/Makefile new file mode 100644 index 000000000..e0aaab488 --- /dev/null +++ b/programs/_updown/Makefile @@ -0,0 +1,22 @@ +# Makefile for miscelaneous programs +# Copyright (C) 2002 Michael Richardson +# +# This program is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 2 of the License, or (at your +# option) any later version. See . +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +# for more details. +# +# RCSID $Id: Makefile,v 1.3 2006/04/17 06:48:49 as Exp $ + +FREESWANSRCDIR=../.. +include ${FREESWANSRCDIR}/Makefile.inc + +PROGRAM=_updown +PROGRAMDIR=${LIBDIR} + +include ../Makefile.program diff --git a/programs/_updown/_updown.8 b/programs/_updown/_updown.8 new file mode 100644 index 000000000..5107d3694 --- /dev/null +++ b/programs/_updown/_updown.8 
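Review bot: `elif test $netkey` in the table-clearing block tests whether the string `/proc/net/pfkey` is non-empty, which is always true, rather than whether the file exists; the intended check is `elif test -f $netkey`, matching the earlier `if test -f $netkey` that decides `klips=false`. In the current flow `klips` only becomes false after that earlier file test succeeded, so the branch happens to do the right thing, but the condition as written would silently attempt the flush on any system where the `klips` assignment is ever changed. The WARNING in the same block interpolates `\`$1'`, which after the option loop is the first interface argument and has nothing to do with the flush, so the message misleads; `echo "WARNING: cannot flush state/policy database" |` is clearer.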
@@ -0,0 +1,19 @@
+.TH _UPDOWN 8 "27 Apr 2006"
+.\"
+.\" RCSID $Id: _updown.8,v 1.2 2006/04/17 06:48:49 as Exp $
+.\"
+.SH NAME
+ipsec _updown \- route and firewall manipulation script
+.SH SYNOPSIS
+.I _updown
+is invoked by pluto when it has brought up a new connection. This script
+is used to insert the appropriate routing entries for IPsec operation.
+It can also be used to insert and delete dynamic iptables firewall rules.
+The interface to the script is documented in the pluto man page.
+.SH "SEE ALSO"
+ipsec(8), ipsec_pluto(8).
+.SH HISTORY
+Man page written for the Linux FreeS/WAN project
+by Michael Richardson. Original program written by Henry Spencer. Extended
+for the Linux strongSwan project by Andreas
+Steffen.
diff --git a/programs/_updown/_updown.in b/programs/_updown/_updown.in
new file mode 100755
index 000000000..8db74f737
--- /dev/null
+++ b/programs/_updown/_updown.in
@@ -0,0 +1,503 @@ +#! /bin/sh +# iproute2 version, default updown script +# +# Copyright (C) 2003-2004 Nigel Meteringham +# Copyright (C) 2003-2004 Tuomo Soini +# Copyright (C) 2002-2004 Michael Richardson +# Copyright (C) 2005-2006 Andreas Steffen +# +# This program is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 2 of the License, or (at your +# option) any later version. See . +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +# for more details. +# +# RCSID $Id: _updown.in,v 1.2 2006/04/17 15:06:29 as Exp $ + +# CAUTION: Installing a new version of strongSwan will install a new +# copy of this script, wiping out any custom changes you make. If +# you need changes, make a copy of this under another name, and customize +# that, and use the (left/right)updown parameters in ipsec.conf to make +# strongSwan use yours instead of this default one. + +# things that this script gets (from ipsec_pluto(8) man page) +# +# PLUTO_VERSION +# indicates what version of this interface is being +# used. This document describes version 1.1. This +# is upwardly compatible with version 1.0. +# +# PLUTO_VERB +# specifies the name of the operation to be performed +# (prepare-host, prepare-client, up-host, up-client, +# down-host, or down-client). If the address family +# for security gateway to security gateway communica­ +# tions is IPv6, then a suffix of -v6 is added to the +# verb. +# +# PLUTO_CONNECTION +# is the name of the connection for which we are +# routing. +# +# PLUTO_NEXT_HOP +# is the next hop to which packets bound for the peer +# must be sent. +# +# PLUTO_INTERFACE +# is the name of the ipsec interface to be used. 
+# +# PLUTO_REQID +# is the requid of the ESP policy +# +# PLUTO_ME +# is the IP address of our host. +# +# PLUTO_MY_ID +# is the ID of our host. +# +# PLUTO_MY_CLIENT +# is the IP address / count of our client subnet. If +# the client is just the host, this will be the +# host's own IP address / max (where max is 32 for +# IPv4 and 128 for IPv6). +# +# PLUTO_MY_CLIENT_NET +# is the IP address of our client net. If the client +# is just the host, this will be the host's own IP +# address. +# +# PLUTO_MY_CLIENT_MASK +# is the mask for our client net. If the client is +# just the host, this will be 255.255.255.255. +# +# PLUTO_MY_SOURCEIP +# if non-empty, then the source address for the route will be +# set to this IP address. +# +# PLUTO_MY_PROTOCOL +# is the IP protocol that will be transported. +# +# PLUTO_MY_PORT +# is the UDP/TCP port to which the IPsec SA is +# restricted on our side. +# +# PLUTO_PEER +# is the IP address of our peer. +# +# PLUTO_PEER_ID +# is the ID of our peer. +# +# PLUTO_PEER_CA +# is the CA which issued the cert of our peer. +# +# PLUTO_PEER_CLIENT +# is the IP address / count of the peer's client sub­ +# net. If the client is just the peer, this will be +# the peer's own IP address / max (where max is 32 +# for IPv4 and 128 for IPv6). +# +# PLUTO_PEER_CLIENT_NET +# is the IP address of the peer's client net. If the +# client is just the peer, this will be the peer's +# own IP address. +# +# PLUTO_PEER_CLIENT_MASK +# is the mask for the peer's client net. If the +# client is just the peer, this will be +# 255.255.255.255. +# +# PLUTO_PEER_PROTOCOL +# is the IP protocol that will be transported. +# +# PLUTO_PEER_PORT +# is the UDP/TCP port to which the IPsec SA is +# restricted on the peer side. 
+# + +# uncomment to log VPN connections +VPN_LOGGING=1 +# +# tag put in front of each log entry: +TAG=vpn +# +# syslog facility and priority used: +FAC_PRIO=local0.notice +# +# to create a special vpn logging file, put the following line into +# the syslog configuration file /etc/syslog.conf: +# +# local0.notice -/var/log/vpn +# + +# check interface version +case "$PLUTO_VERSION" in +1.[0|1]) # Older Pluto?!? Play it safe, script may be using new features. + echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2 + echo "$0: called by obsolete Pluto?" >&2 + exit 2 + ;; +1.*) ;; +*) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2 + exit 2 + ;; +esac + +# check parameter(s) +case "$1:$*" in +':') # no parameters + ;; +iptables:iptables) # due to (left/right)firewall; for default script only + ;; +custom:*) # custom parameters (see above CAUTION comment) + ;; +*) echo "$0: unknown parameters \`$*'" >&2 + exit 2 + ;; +esac + +# utility functions for route manipulation +# Meddling with this stuff should not be necessary and requires great care. +uproute() { + doroute add + ip route flush cache +} +downroute() { + doroute delete + ip route flush cache +} + +addsource() { + st=0 + if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local + then + it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE" + oops="`eval $it 2>&1`" + st=$? + if test " $oops" = " " -a " $st" != " 0" + then + oops="silent error, exit status $st" + fi + if test " $oops" != " " -o " $st" != " 0" + then + echo "$0: addsource \`$it' failed ($oops)" >&2 + fi + fi + return $st +} + +doroute() { + st=0 + parms="$PLUTO_PEER_CLIENT" + + parms2= + if [ -n "$PLUTO_NEXT_HOP" ] + then + parms2="via $PLUTO_NEXT_HOP" + fi + parms2="$parms2 dev $PLUTO_INTERFACE" + + if [ -z "$PLUTO_MY_SOURCEIP" ] + then + if [ -f /etc/sysconfig/defaultsource ] + then + . /etc/sysconfig/defaultsource + fi + + if [ -f /etc/conf.d/defaultsource ] + then + . 
/etc/conf.d/defaultsource + fi + + if [ -n "$DEFAULTSOURCE" ] + then + PLUTO_MY_SOURCEIP=$DEFAULTSOURCE + fi + fi + + parms3= + if test "$1" = "add" -a -n "$PLUTO_MY_SOURCEIP" + then + addsource + parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*}" + fi + + case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in + "0.0.0.0/0.0.0.0") + # opportunistic encryption work around + # need to provide route that eclipses default, without + # replacing it. + it="ip route $1 0.0.0.0/1 $parms2 $parms3 && + ip route $1 128.0.0.0/1 $parms2 $parms3" + ;; + *) it="ip route $1 $parms $parms2 $parms3" + ;; + esac + oops="`eval $it 2>&1`" + st=$? + if test " $oops" = " " -a " $st" != " 0" + then + oops="silent error, exit status $st" + fi + if test " $oops" != " " -o " $st" != " 0" + then + echo "$0: doroute \`$it' failed ($oops)" >&2 + fi + return $st +} + +# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY +if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ] +then + IPSEC_POLICY_IN="" + IPSEC_POLICY_OUT="" +else + IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID" + IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" + IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" +fi + +# are there port numbers? +if [ "$PLUTO_MY_PORT" != 0 ] +then + S_MY_PORT="--sport $PLUTO_MY_PORT" + D_MY_PORT="--dport $PLUTO_MY_PORT" +fi +if [ "$PLUTO_PEER_PORT" != 0 ] +then + S_PEER_PORT="--sport $PLUTO_PEER_PORT" + D_PEER_PORT="--dport $PLUTO_PEER_PORT" +fi + +# the big choice +case "$PLUTO_VERB:$1" in +prepare-host:*|prepare-client:*) + # delete possibly-existing route (preliminary to adding a route) + case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in + "0.0.0.0/0.0.0.0") + # need to provide route that eclipses default, without + # replacing it. 
+ parms1="0.0.0.0/1" + parms2="128.0.0.0/1" + it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1" + oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`" + ;; + *) + parms="$PLUTO_PEER_CLIENT" + it="ip route delete $parms 2>&1" + oops="`ip route delete $parms 2>&1`" + ;; + esac + status="$?" + if test " $oops" = " " -a " $status" != " 0" + then + oops="silent error, exit status $status" + fi + case "$oops" in + *'RTNETLINK answers: No such process'*) + # This is what route (currently -- not documented!) gives + # for "could not find such a route". + oops= + status=0 + ;; + esac + if test " $oops" != " " -o " $status" != " 0" + then + echo "$0: \`$it' failed ($oops)" >&2 + fi + exit $status + ;; +route-host:*|route-client:*) + # connection to me or my client subnet being routed + uproute + ;; +unroute-host:*|unroute-client:*) + # connection to me or my client subnet being unrouted + downroute + ;; +up-host:) + # connection to me coming up + # If you are doing a custom version, firewall commands go here. + ;; +down-host:) + # connection to me going down + # If you are doing a custom version, firewall commands go here. + ;; +up-client:) + # connection to my client subnet coming up + # If you are doing a custom version, firewall commands go here. + ;; +down-client:) + # connection to my client subnet going down + # If you are doing a custom version, firewall commands go here. + ;; +up-host:iptables) + # connection to me, with (left/right)firewall=yes, coming up + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. 
+ iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \ + -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ + -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT + # + # log IPsec host connection setup + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ] + then + logger -t $TAG -p $FAC_PRIO \ + "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME" + else + logger -t $TAG -p $FAC_PRIO \ + "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" + fi + fi + ;; +down-host:iptables) + # connection to me, with (left/right)firewall=yes, going down + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. + iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \ + -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ + -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT + # + # log IPsec host connection teardown + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ] + then + logger -t $TAG -p $FAC_PRIO -- \ + "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME" + else + logger -t $TAG -p $FAC_PRIO -- \ + "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" + fi + fi + ;; +up-client:iptables) + # connection to client subnet, with (left/right)firewall=yes, coming up + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. 
+ if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] + then + iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT \ + $IPSEC_POLICY_OUT -j ACCEPT + iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \ + $IPSEC_POLICY_IN -j ACCEPT + fi + # + # a virtual IP requires an INPUT and OUTPUT rule on the host + # or sometimes host access via the internal IP is needed + if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] + then + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \ + $IPSEC_POLICY_IN -j ACCEPT + iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT \ + $IPSEC_POLICY_OUT -j ACCEPT + fi + # + # log IPsec client connection setup + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ] + then + logger -t $TAG -p $FAC_PRIO \ + "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + else + logger -t $TAG -p $FAC_PRIO \ + "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + fi + fi + ;; +down-client:iptables) + # connection to client subnet, with (left/right)firewall=yes, going down + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. 
+ if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] + then + iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT \ + $IPSEC_POLICY_OUT -j ACCEPT + iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \ + $IPSEC_POLICY_IN -j ACCEPT + fi + # + # a virtual IP requires an INPUT and OUTPUT rule on the host + # or sometimes host access via the internal IP is needed + if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] + then + iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \ + $IPSEC_POLICY_IN -j ACCEPT + iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT \ + $IPSEC_POLICY_OUT -j ACCEPT + fi + # + # log IPsec client connection teardown + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ] + then + logger -t $TAG -p $FAC_PRIO -- \ + "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + else + logger -t $TAG -p $FAC_PRIO -- \ + "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + fi + fi + ;; +# +# IPv6 +# +prepare-host-v6:*|prepare-client-v6:*) + ;; +route-host-v6:*|route-client-v6:*) + # connection to me or my client subnet being routed + #uproute_v6 + ;; +unroute-host-v6:*|unroute-client-v6:*) + # connection to me or my client subnet being unrouted + #downroute_v6 + ;; +up-host-v6:*) + # connection to me coming up + # If you are doing a custom version, firewall commands go here. 
+ ;;
+down-host-v6:*)
+ # connection to me going down
+ # If you are doing a custom version, firewall commands go here.
+ ;;
+up-client-v6:)
+ # connection to my client subnet coming up
+ # If you are doing a custom version, firewall commands go here.
+ ;;
+down-client-v6:)
+ # connection to my client subnet going down
+ # If you are doing a custom version, firewall commands go here.
+ ;;
+*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
+ exit 1
+ ;;
+esac
diff --git a/programs/_updown_espmark/Makefile b/programs/_updown_espmark/Makefile
new file mode 100644
index 000000000..bd9cd38cb
--- /dev/null
+++ b/programs/_updown_espmark/Makefile
@@ -0,0 +1,22 @@
+# Makefile for miscelaneous programs
+# Copyright (C) 2002 Michael Richardson
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version. See .
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# for more details.
+#
+# RCSID $Id: Makefile,v 1.1 2005/04/07 21:34:19 as Exp $
+
+FREESWANSRCDIR=../..
+include ${FREESWANSRCDIR}/Makefile.inc
+
+PROGRAM=_updown_espmark
+PROGRAMDIR=${LIBDIR}
+
+include ../Makefile.program
diff --git a/programs/_updown_espmark/_updown_espmark.8 b/programs/_updown_espmark/_updown_espmark.8
new file mode 100644
index 000000000..91eaa5cb7
--- /dev/null
+++ b/programs/_updown_espmark/_updown_espmark.8
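Review bot: The VPN_LOGGING branches (up-host:iptables, down-host:iptables, up-client:iptables, down-client:iptables) pass the peer's identity through `` `echo -e $PLUTO_PEER_ID` ``, so the value is subject to backslash-escape interpretation, word splitting and pathname expansion before it reaches syslog; PLUTO_PEER_ID is chosen by the remote peer (authenticated, but not under local control), so to the extent pluto hands it over unescaped this is a log-forgery surface (embedded newlines, or a `*` that expands to file names) even though nothing here is eval'd. Use the variable directly inside the quoted string, e.g. `"+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"`, and apply the same change to the other seven logger calls. The script is `#! /bin/sh` but relies on `[ ... == ... ]` and `echo -e`, neither of which is POSIX; under dash the `==` test fails with "unexpected operator" and the else branch is always taken, and dash's echo prints a literal `-e`, so write `[ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]`. Separately, doroute() sources /etc/sysconfig/defaultsource and /etc/conf.d/defaultsource as root without checking ownership or mode; that is a deliberate hook, but it deserves a comment such as `# executed as root: these files must be root-owned and not group/world-writable` so the trust boundary is explicit.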
@@ -0,0 +1,18 @@
+.TH _UPDOWN_ESPMARK 8 "7 Apr 2005"
+.\"
+.\" RCSID $Id: _updown_espmark.8,v 1.1 2005/04/07 21:34:19 as Exp $
+.\"
+.SH NAME
+ipsec _updown_espmark \- manages routes and firewall rules
+.SH SYNOPSIS
+.I _updown_espmark
+is invoked by pluto when it has brought up a new connection. This script
+is used to insert the appropriate routing and iptables firewall entries for
+IPsec operation. The incoming ESP traffic must be marked by a static rule
+in the mangle table. The default value for the mark is 50.
+The interface to the script is documented in the pluto man page.
+.SH "SEE ALSO"
+ipsec(8), ipsec_pluto(8).
+.SH HISTORY
+Man page written for the Linux strongSwan project
+by Andreas Steffen. Original program written by Henry Spencer.
diff --git a/programs/_updown_espmark/_updown_espmark.in b/programs/_updown_espmark/_updown_espmark.in
new file mode 100644
index 000000000..3627d470d
--- /dev/null
+++ b/programs/_updown_espmark/_updown_espmark.in
@@ -0,0 +1,452 @@ +#! /bin/sh +# iproute2 version, default updown script +# +# Copyright (C) 2003-2004 Nigel Meteringham +# Copyright (C) 2003-2004 Tuomo Soini +# Copyright (C) 2002-2004 Michael Richardson +# Copyright (C) 2005 Andreas Steffen +# +# This program is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 2 of the License, or (at your +# option) any later version. See . +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +# for more details. +# +# RCSID $Id: _updown_espmark.in,v 1.4 2005/09/14 14:33:05 as Exp $ + + + +# CAUTION: Installing a new version of strongSwan will install a new +# copy of this script, wiping out any custom changes you make. If +# you need changes, make a copy of this under another name, and customize +# that, and use the (left/right)updown parameters in ipsec.conf to make +# FreeS/WAN use yours instead of this default one. + +# things that this script gets (from ipsec_pluto(8) man page) +# +# +# PLUTO_VERSION +# indicates what version of this interface is being +# used. This document describes version 1.1. This +# is upwardly compatible with version 1.0. +# +# PLUTO_VERB +# specifies the name of the operation to be performed +# (prepare-host, prepare-client, up-host, up-client, +# down-host, or down-client). If the address family +# for security gateway to security gateway communica­ +# tions is IPv6, then a suffix of -v6 is added to the +# verb. +# +# PLUTO_CONNECTION +# is the name of the connection for which we are +# routing. +# +# PLUTO_NEXT_HOP +# is the next hop to which packets bound for the peer +# must be sent. +# +# PLUTO_INTERFACE +# is the name of the ipsec interface to be used. +# +# PLUTO_ME +# is the IP address of our host. 
+# +# PLUTO_MY_ID +# is the ID of our host. +# +# PLUTO_MY_CLIENT +# is the IP address / count of our client subnet. If +# the client is just the host, this will be the +# host's own IP address / max (where max is 32 for +# IPv4 and 128 for IPv6). +# +# PLUTO_MY_CLIENT_NET +# is the IP address of our client net. If the client +# is just the host, this will be the host's own IP +# address. +# +# PLUTO_MY_CLIENT_MASK +# is the mask for our client net. If the client is +# just the host, this will be 255.255.255.255. +# +# PLUTO_MY_SOURCEIP +# if non-empty, then the source address for the route will be +# set to this IP address. +# +# PLUTO_MY_PROTOCOL +# is the IP protocol that will be transported. +# +# PLUTO_MY_PORT +# is the UDP/TCP port to which the IPsec SA is +# restricted on our side. +# +# PLUTO_PEER +# is the IP address of our peer. +# +# PLUTO_PEER_ID +# is the ID of our peer. +# +# PLUTO_PEER_CA +# is the CA which issued the cert of our peer. +# +# PLUTO_PEER_CLIENT +# is the IP address / count of the peer's client sub­ +# net. If the client is just the peer, this will be +# the peer's own IP address / max (where max is 32 +# for IPv4 and 128 for IPv6). +# +# PLUTO_PEER_CLIENT_NET +# is the IP address of the peer's client net. If the +# client is just the peer, this will be the peer's +# own IP address. +# +# PLUTO_PEER_CLIENT_MASK +# is the mask for the peer's client net. If the +# client is just the peer, this will be +# 255.255.255.255. +# +# PLUTO_PEER_PROTOCOL +# is the IP protocol that will be transported. +# +# PLUTO_PEER_PORT +# is the UDP/TCP port to which the IPsec SA is +# restricted on the peer side. 
+# + +# logging of VPN connections +# +# tag put in front of each log entry: +TAG=vpn +# +# syslog facility and priority used: +FAC_PRIO=local0.notice +# +# to create a special vpn logging file, put the following line into +# the syslog configuration file /etc/syslog.conf: +# +# local0.notice -/var/log/vpn +# + +# check interface version +case "$PLUTO_VERSION" in +1.[0]) # Older Pluto?!? Play it safe, script may be using new features. + echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2 + echo "$0: called by obsolete Pluto?" >&2 + exit 2 + ;; +1.*) ;; +*) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2 + exit 2 + ;; +esac + +# check parameter(s) +case "$1:$*" in +':') # no parameters + ;; +ipfwadm:ipfwadm) # due to (left/right)firewall; for default script only + ;; +custom:*) # custom parameters (see above CAUTION comment) + ;; +*) echo "$0: unknown parameters \`$*'" >&2 + exit 2 + ;; +esac + +# utility functions for route manipulation +# Meddling with this stuff should not be necessary and requires great care. +uproute() { + doroute add + ip route flush cache +} +downroute() { + doroute delete + ip route flush cache +} + +addsource() { + st=0 + if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local + then + it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE" + oops="`eval $it 2>&1`" + st=$? + if test " $oops" = " " -a " $st" != " 0" + then + oops="silent error, exit status $st" + fi + if test " $oops" != " " -o " $st" != " 0" + then + echo "$0: addsource \`$it' failed ($oops)" >&2 + fi + fi + return $st +} + +doroute() { + st=0 + parms="$PLUTO_PEER_CLIENT" + + parms2= + if [ -n "$PLUTO_NEXT_HOP" ] + then + parms2="via $PLUTO_NEXT_HOP" + fi + parms2="$parms2 dev $PLUTO_INTERFACE" + + if [ -z "$PLUTO_MY_SOURCEIP" ] + then + if [ -f /etc/sysconfig/defaultsource ] + then + . /etc/sysconfig/defaultsource + fi + + if [ -f /etc/conf.d/defaultsource ] + then + . 
/etc/conf.d/defaultsource + fi + + if [ -n "$DEFAULTSOURCE" ] + then + PLUTO_MY_SOURCEIP=$DEFAULTSOURCE + fi + fi + + parms3= + if test "$1" = "add" -a -n "$PLUTO_MY_SOURCEIP" + then + addsource + parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*}" + fi + + case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in + "0.0.0.0/0.0.0.0") + # opportunistic encryption work around + # need to provide route that eclipses default, without + # replacing it. + it="ip route $1 0.0.0.0/1 $parms2 $parms3 && + ip route $1 128.0.0.0/1 $parms2 $parms3" + ;; + *) it="ip route $1 $parms $parms2 $parms3" + ;; + esac + oops="`eval $it 2>&1`" + st=$? + if test " $oops" = " " -a " $st" != " 0" + then + oops="silent error, exit status $st" + fi + if test " $oops" != " " -o " $st" != " 0" + then + echo "$0: doroute \`$it' failed ($oops)" >&2 + fi + return $st +} + +# define ESP mark +ESP_MARK=50 + +# add the following static rule to the INPUT chain in the mangle table +# iptables -t mangle -A INPUT -p 50 -j MARK --set-mark 50 + +# NAT traversal via UDP encapsulation is supported with the rule +# iptables -t mangle -A INPUT -p udp --dport 4500 -j MARK --set-mark 50 + +# in the presence of KLIPS and ipsecN interfaces do not use ESP mark rules +if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ] +then + CHECK_MARK="" +else + CHECK_MARK="-m mark --mark $ESP_MARK" +fi + +# are there port numbers? +if [ "$PLUTO_MY_PORT" != 0 ] +then + S_MY_PORT="--sport $PLUTO_MY_PORT" + D_MY_PORT="--dport $PLUTO_MY_PORT" +fi +if [ "$PLUTO_PEER_PORT" != 0 ] +then + S_PEER_PORT="--sport $PLUTO_PEER_PORT" + D_PEER_PORT="--dport $PLUTO_PEER_PORT" +fi + +# the big choice +case "$PLUTO_VERB:$1" in +prepare-host:*|prepare-client:*) + # delete possibly-existing route (preliminary to adding a route) + case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in + "0.0.0.0/0.0.0.0") + # need to provide route that eclipses default, without + # replacing it. 
+ parms1="0.0.0.0/1" + parms2="128.0.0.0/1" + it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1" + oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`" + ;; + *) + parms="$PLUTO_PEER_CLIENT" + it="ip route delete $parms 2>&1" + oops="`ip route delete $parms 2>&1`" + ;; + esac + status="$?" + if test " $oops" = " " -a " $status" != " 0" + then + oops="silent error, exit status $status" + fi + case "$oops" in + *'RTNETLINK answers: No such process'*) + # This is what route (currently -- not documented!) gives + # for "could not find such a route". + oops= + status=0 + ;; + esac + if test " $oops" != " " -o " $status" != " 0" + then + echo "$0: \`$it' failed ($oops)" >&2 + fi + exit $status + ;; +route-host:*|route-client:*) + # connection to me or my client subnet being routed + uproute + ;; +unroute-host:*|unroute-client:*) + # connection to me or my client subnet being unrouted + downroute + ;; +up-host:*) + # connection to me coming up + # If you are doing a custom version, firewall commands go here. + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \ + -d $PLUTO_ME $D_MY_PORT $CHECK_MARK -j ACCEPT + iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_ME $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT + # + if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ] + then + logger -t $TAG -p $FAC_PRIO \ + "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME" + else + logger -t $TAG -p $FAC_PRIO \ + "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" + fi + ;; +down-host:*) + # connection to me going down + # If you are doing a custom version, firewall commands go here. + # connection to me going down + # If you are doing a custom version, firewall commands go here. 
+ iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \ + -d $PLUTO_ME $D_MY_PORT $CHECK_MARK -j ACCEPT + iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_ME $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT + # + if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ] + then + logger -t $TAG -p $FAC_PRIO -- \ + "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME" + else + logger -t $TAG -p $FAC_PRIO -- \ + "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" + fi + ;; +up-client:) + # connection to my client subnet coming up + # If you are doing a custom version, firewall commands go here. + iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT + iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \ + $CHECK_MARK -j ACCEPT + # + if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ] + then + logger -t $TAG -p $FAC_PRIO \ + "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + else + logger -t $TAG -p $FAC_PRIO \ + "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + fi + ;; +down-client:) + # connection to my client subnet going down + # If you are doing a custom version, firewall commands go here. 
+ iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT + iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \ + $CHECK_MARK -j ACCEPT + # + if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ] + then + logger -t $TAG -p $FAC_PRIO -- \ + "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + else + logger -t $TAG -p $FAC_PRIO -- \ + "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + fi + ;; +up-client:ipfwadm) + # connection to client subnet, with (left/right)firewall=yes, coming up + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. + ipfwadm -F -i accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \ + -D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK + ;; +down-client:ipfwadm) + # connection to client subnet, with (left/right)firewall=yes, going down + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. + ipfwadm -F -d accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \ + -D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK + ;; +# +# IPv6 +# +prepare-host-v6:*|prepare-client-v6:*) + ;; +route-host-v6:*|route-client-v6:*) + # connection to me or my client subnet being routed + #uproute_v6 + ;; +unroute-host-v6:*|unroute-client-v6:*) + # connection to me or my client subnet being unrouted + #downroute_v6 + ;; +up-host-v6:*) + # connection to me coming up + # If you are doing a custom version, firewall commands go here. + ;; +down-host-v6:*) + # connection to me going down + # If you are doing a custom version, firewall commands go here. 
+ ;;
+up-client-v6:)
+ # connection to my client subnet coming up
+ # If you are doing a custom version, firewall commands go here.
+ ;;
+down-client-v6:)
+ # connection to my client subnet going down
+ # If you are doing a custom version, firewall commands go here.
+ ;;
+*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
+ exit 1
+ ;;
+esac
diff --git a/programs/auto/.cvsignore b/programs/auto/.cvsignore
new file mode 100644
index 000000000..865faf10c
--- /dev/null
+++ b/programs/auto/.cvsignore
@@ -0,0 +1 @@
+auto
diff --git a/programs/auto/Makefile b/programs/auto/Makefile
new file mode 100644
index 000000000..035dbf708
--- /dev/null
+++ b/programs/auto/Makefile
@@ -0,0 +1,21 @@
+# Makefile for miscelaneous programs
+# Copyright (C) 2002 Michael Richardson
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version. See .
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# for more details.
+#
+# RCSID $Id: Makefile,v 1.2 2006/02/10 11:28:38 as Exp $
+
+FREESWANSRCDIR=../..
+include ${FREESWANSRCDIR}/Makefile.inc
+
+PROGRAM=auto
+
+include ../Makefile.program
diff --git a/programs/auto/auto.8 b/programs/auto/auto.8
new file mode 100644
index 000000000..21b5fd11b
--- /dev/null
+++ b/programs/auto/auto.8
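Review bot: In the up-host:*, down-host:*, up-client: and down-client: branches the iptables exit status is never examined and the trailing logger call becomes the script's exit status, so pluto sees success even when a rule could not be inserted or deleted. This matters most on the down path, because the OUTPUT and FORWARD `-o $PLUTO_INTERFACE` ACCEPT rules carry neither a mark nor a policy qualifier (only the inbound rules get `$CHECK_MARK`), so a `-D` that fails leaves a standing plaintext ACCEPT toward the peer's network after the SA is gone. A minimal fix is to start each branch with `st=0`, append `|| st=1` to every iptables invocation (e.g. `$CHECK_MARK -j ACCEPT || st=1`), and end the branch with `exit $st`, mirroring what the prepare-host branch already does with `exit $status`. Note also that `-m mark --mark $ESP_MARK` only proves the packet was decapsulated from some ESP SA, or arrived on UDP/4500 per the suggested mangle rule, not that it came from this connection's SA as a `--reqid` match would; binding the inner source address to the right peer is therefore left to the kernel's inbound policy check, which deserves a comment next to `ESP_MARK=50`. Finally, the script is `#! /bin/sh` yet uses `[ ... == ... ]` and an unquoted `` `echo -e $PLUTO_PEER_ID` `` on a peer-chosen identity; under dash the comparison always fails, and the escape-interpreting, word-split expansion is a log-injection vector, so prefer `=` and a plain quoted `$PLUTO_PEER_ID` in the logger messages.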
@@ -0,0 +1,481 @@ +.TH IPSEC_AUTO 8 "17 December 2004" +.\" RCSID $Id: auto.8,v 1.6 2004/12/17 22:34:38 as Exp $ +.SH NAME +ipsec auto \- control automatically-keyed IPsec connections +.SH SYNOPSIS +.B ipsec +.B auto +[ +.B \-\-show +] [ +.B \-\-showonly +] [ +.B \-\-asynchronous +] +.br +\ \ \ [ +.B \-\-config +configfile +] [ +.B \-\-verbose +] [ +.B \-\-type conn +] +.br +\ \ \ operation +connection +.sp +.B ipsec +.B auto +[ +.B \-\-show +] [ +.B \-\-showonly +] +.br +\ \ \ [ +.B \-\-config +configfile +] [ +.B \-\-verbose +] +.B \-\-type ca +.br +\ \ \ operation +ca +.sp +.B ipsec +.B auto +[ +.B \-\-show +] [ +.B \-\-showonly +] operation +.SH DESCRIPTION +.I Auto +manipulates automatically-keyed strongSwan IPsec connections, +setting them up and shutting them down +based on the information in the IPsec configuration file. +In the normal usage, +.I connection +is the name of a connection specification in the configuration file; +.I ca +is the name of a Certification Authority (CA) specification in the configuration file; +.I operation +is +.BR \-\-add , +.BR \-\-delete , +.BR \-\-replace , +.BR \-\-up , +.BR \-\-down , +.BR \-\-route , +or +.BR \-\-unroute . +The +.BR \-\-status +and +.BR \-\-statusall +.I operations +may take a +.I connection +name. +The +.BR \-\-ready , +.BR \-\-rereadsecrets , +.BR \-\-rereadgroups , +.BR \-\-rereadcacerts , +.BR \-\-rereadaacerts , +.BR \-\-rereadocspcerts , +.BR \-\-rereadacerts , +.BR \-\-rereadcrls , +.BR \-\-rereadall , +.BR \-\-listalgs , +.BR \-\-listpubkeys , +.BR \-\-listcerts , +.BR \-\-listcacerts , +.BR \-\-listaacerts , +.BR \-\-listocspcerts , +.BR \-\-listacerts , +.BR \-\-listgroups , +.BR \-\-listcainfos , +.BR \-\-listcrls , +.BR \-\-listocsp , +.BR \-\-listcards , +.BR \-\-listall , +and +.BR \-\-purgeocsp +.I operations +do not take a connection name. +.I Auto +generates suitable +commands and feeds them to a shell for execution. 
+.PP +The +.B \-\-add +operation adds a connection or ca specification to the internal database +within +.IR pluto ; +it will fail if +.I pluto +already has a specification by that name. +The +.B \-\-delete +operation deletes a connection or ca specification from +.IR pluto 's +internal database (also tearing down any connections based on it); +it will fail if the specification does not exist. +The +.B \-\-replace +operation is equivalent to +.B \-\-delete +(if there is already a specification by the given name) +followed by +.BR \-\-add , +and is a convenience for updating +.IR pluto 's +internal specification to match an external one. +(Note that a +.B \-\-rereadsecrets +may also be needed.) +The +.B \-\-rereadgroups +operation causes any changes to the policy group files to take effect +(this is currently a synonym for +.BR \-\-ready , +but that may change). +None of the other operations alters the internal database. +.PP +The +.B \-\-up +operation asks +.I pluto +to establish a connection based on an entry in its internal database. +The +.B \-\-down +operation tells +.I pluto +to tear down such a connection. +.PP +Normally, +.I pluto +establishes a route to the destination specified for a connection as +part of the +.B \-\-up +operation. +However, the route and only the route can be established with the +.B \-\-route +operation. +Until and unless an actual connection is established, +this discards any packets sent there, +which may be preferable to having them sent elsewhere based on a more +general route (e.g., a default route). +.PP +Normally, +.IR pluto 's +route to a destination remains in place when a +.B \-\-down +operation is used to take the connection down +(or if connection setup, or later automatic rekeying, fails). +This permits establishing a new connection (perhaps using a +different specification; the route is altered as necessary) +without having a ``window'' in which packets might go elsewhere +based on a more general route. 
+Such a route can be removed using the +.B \-\-unroute +operation +(and is implicitly removed by +.BR \-\-delete ). +.PP +The +.B \-\-ready +operation tells +.I pluto +to listen for connection-setup requests from other hosts. +Doing an +.B \-\-up +operation before doing +.B \-\-ready +on both ends is futile and will not work, +although this is now automated as part of IPsec startup and +should not normally be an issue. +.PP +The +.B \-\-status +operation asks +.I pluto +for current connection status either for all connections +(no connection argument) or a for specified +.I connection +name. For more detailed information use +.B \-\-statusall +\. The output format is ad-hoc and likely to change. +.PP +The +.B \-\-rereadsecrets +operation tells +.I pluto +to re-read the +.I /etc/ipsec.secrets +secret-keys file, +which it normally reads only at startup time. +(This is currently a synonym for +.BR \-\-ready , +but that may change.) +.PP +The +.B \-\-rereadcacerts +operation reads all certificate files contained in the +.IR /etc/ipsec.d/cacerts +directory and adds them to +.IR pluto 's +list of Certification Authority (CA) certificates. +.PP +The +.B \-\-rereadaacerts +operation reads all certificate files contained in the +.IR /etc/ipsec.d/aacerts +directory and adds them to +.IR pluto 's +list of Authorization Authority (AA) certificates. +.PP +The +.B \-\-rereadocspcerts +operation reads all certificate files contained in the +.IR /etc/ipsec.d/ocspcerts +directory and adds them to +.IR pluto 's +list of OCSP signer certificates. +.PP +The +.B \-\-rereadacerts +operation reads all certificate files contained in the +.IR /etc/ipsec.d/acerts +directory and adds them to +.IR pluto 's +list of attribute certificates. +.PP +The +.B \-\-rereadcrls +operation reads all certificate revocation list (CRL) files +contained in the +.IR /etc/ipsec.d/crls +directory and adds them to +.IR pluto 's +list of CRLs. 
+.PP +The +.B \-\-rereadall +operation is equivalent to the execution of +.BR \-\-rereadsecrets , +.BR \-\-rereadcacerts , +.BR \-\-rereadaacerts , +.BR \-\-rereadocspcerts , +.BR \-\-rereadacerts , +and +.BR \-\-rereadcrls . +.PP +The +.B \-\-listalgs +operation lists all registed IKE encryption and hash algorithms, +that are available to +.IR pluto , +as well as the Diffie-Hellman (DH) groups. +.PP +The +.B \-\-listpubkeys +operation lists all RSA public keys either received from peers +via the IKE protocol embedded in authenticated certificate payloads +or loaded locally using the +.BR rightcert \ / +.BR leftcert +or +.BR rightrsasigkey \ / +.BR leftrsasigkey +parameters in +.IR ipsec.conf (5). +.PP +The +.B \-\-listcerts +operation lists all X.509 and OpenPGP certificates loaded locally using the +.BR rightcert +and +.BR leftcert +parameters in +.IR ipsec.conf (5). +.PP +The +.B \-\-listcacerts +operation lists all X.509 CA certificates either loaded locally from the +.IR /etc/ipsec.d/cacerts +directory or received in PKCS#7-wrapped certificate payloads via +the IKE protocol. +.PP +The +.B \-\-listaacerts +operation lists all X.509 AA certificates loaded locally from the +.IR /etc/ipsec.d/aacerts +directory. +.PP +The +.B \-\-listocspcerts +operation lists all OCSP signer certificates either loaded locally from the +.IR /etc/ipsec.d/ocspcerts +directory or received via the Online Certificate Status Protocol +from an OCSP server. +.PP +The +.B \-\-listacerts +operation lists all X.509 attribute certificates loaded locally from the +.IR /etc/ipsec.d/acerts +directory. +.PP +The +.B \-\-listgropus +operation lists all groups that are either used in connection definitions in +.IR ipsec.conf (5) +or are embedded in loaded X.509 attributes certificates. +.PP +The +.B \-\-listcainfos +operation lists the certification authority information specified in the ca +sections of +.IR ipsec.conf (5). 
+.PP +The +.B \-\-listcrls +operation lists all Certificate Revocation Lists (CRLs) either loaded +locally from the +.IR /etc/ipsec.d/crls +directory or fetched dynamically from an HTTP or LDAP server. +.PP +The +.B \-\-listocsp +operation lists the certicates status information fetched from +OCSP servers. +.PP +The +.B \-\-purgeocsp +operation deletes any cached certificate status information and pending +OCSP fetch requests. +.PP +The +.B \-\-listcards +operation lists information about attached smartcards or crypto tokens. +.PP +The +.B \-\-listall +operation is equivalent to the execution of +.BR \-\-listalgs , +.BR \-\-listpubkeys , +.BR \-\-listcerts , +.BR \-\-listcacerts , +.BR \-\-listaacerts , +.BR \-\-listocspcerts , +.BR \-\-listacerts , +.BR \-\-listgroups , +.BR \-\-listcainfos , +.BR \-\-listcrls , +.BR \-\-listocsp , +and +.BR \-\-listcards . +.PP +The +.B \-\-show +option turns on the +.B \-x +option of the shell used to execute the commands, +so each command is shown as it is executed. +.PP +The +.B \-\-showonly +option causes +.I auto +to show the commands it would run, on standard output, +and not run them. +.PP +The +.B \-\-asynchronous +option, applicable only to the +.B up +operation, +tells +.I pluto +to attempt to establish the connection, +but does not delay to report results. +This is especially useful to start multiple connections in parallel +when network links are slow. +.PP +The +.B \-\-verbose +option instructs +.I auto +to pass through all output from +.IR ipsec_whack (8), +including log output that is normally filtered out as uninteresting. +.PP +The +.B \-\-config +option specifies a non-standard location for the IPsec +configuration file (default +.IR /etc/ipsec.conf ). +.PP +See +.IR ipsec.conf (5) +for details of the configuration file. 
+Apart from the basic parameters which specify the endpoints and routing +of a connection (\fBleft\fR +and +.BR right , +plus possibly +.BR leftsubnet , +.BR leftnexthop , +.BR leftfirewall , +their +.B right +equivalents, +and perhaps +.BR type ), +an +.I auto +connection almost certainly needs a +.B keyingtries +parameter (since the +.B keyingtries +default is poorly chosen). +.SH FILES +.ta \w'/var/run/ipsec.info'u+4n +/etc/ipsec.conf default IPSEC configuration file +.br +/var/run/ipsec.info \fB%defaultroute\fR information +.SH SEE ALSO +ipsec.conf(5), ipsec(8), ipsec_pluto(8), ipsec_whack(8), ipsec_manual(8) +.SH HISTORY +Written for the FreeS/WAN project + +by Henry Spencer. +Extended for the strongSwan project + +by Andreas Steffen. +.SH BUGS +Although an +.B \-\-up +operation does connection setup on both ends, +.B \-\-down +tears only one end of the connection down +(although the orphaned end will eventually time out). +.PP +There is no support for +.B passthrough +connections. +.PP +A connection description which uses +.B %defaultroute +for one of its +.B nexthop +parameters but not the other may be falsely +rejected as erroneous in some circumstances. +.PP +The exit status of +.B \-\-showonly +does not always reflect errors discovered during processing of the request. +(This is fine for human inspection, but not so good for use in scripts.) diff --git a/programs/auto/auto.in b/programs/auto/auto.in new file mode 100755 index 000000000..05568f9b5 --- /dev/null +++ b/programs/auto/auto.in 
@@ -0,0 +1,660 @@ +#! /bin/sh +# user interface to automatic keying and Pluto in general +# Copyright (C) 1998, 1999, 2000 Henry Spencer. +# +# This program is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 2 of the License, or (at your +# option) any later version. See . +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +# for more details. +# +# RCSID $Id: auto.in,v 1.17 2006/04/20 04:42:12 as Exp $ + +me='ipsec auto' +usage="Usage: + $me [--showonly] [--asynchronous] --up connectionname + $me [--showonly] [-- type conn|ca] --{add|delete|replace|down} name + $me [--showonly] --{route|unroute} connectionname + $me [--showonly] --ready + $me [--showonly] --{status|statusall} [connectionname] + $me [--showonly] --{rereadsecrets|rereadgroups} + $me [--showonly] --{rereadcacerts|rereadaacerts|rereadocspcerts} + $me [--showonly] --{rereadacerts|rereadcrls|rereadall} + $me [--showonly] [--utc] --{listalgs|listpubkeys|listcerts} + $me [--showonly] [--utc] --{listcacerts|listaacerts|listocspcerts} + $me [--showonly] [--utc] --{listacerts|listgroups|listcainfos} + $me [--showonly] [--utc] --{listcrls|listocsp|listcards|listall} + $me [--showonly] --purgeocsp + + other options: [--config ipsecconfigfile] [--verbose] [--show]" + +showonly= +config= +info=/var/run/ipsec.info +shopts= +noinclude= +async= +logfilter='$1 != "002"' +op= +argc= +utc= +type="conn" +name="--name" + +for dummy +do + case "$1" in + --help) echo "$usage" ; exit 0 ;; + --version) echo "$me $IPSEC_VERSION" ; exit 0 ;; + --show) shopts=-x ;; + --showonly) showonly=yes ;; + --utc) utc="$1" ;; + --config) config="--config $2" ; shift ;; + --noinclude) noinclude=--noinclude ;; + --asynchronous) 
async="--asynchronous" ;; + --verbose) logfilter='1' ;; + --type) type="$2" ; shift ;; + --up|--down|--add|--delete|--replace|--route|--unroute) + if test " $op" != " " + then + echo "$usage" >&2 + exit 2 + fi + op="$1" + argc=1 + if test "$type" = "ca" + then + name="--caname" + case "$op" in + --add|--delete|--replace) ;; + --*) echo "$op option not supported for --type ca"; + exit 3 ;; + esac + fi + ;; + --status|--statusall) + if test " $op" != " " + then + echo "$usage" >&2 + exit 2 + fi + op="$1" + argc=1 + if test $# -eq 1 + then + argc=0; name= + fi + ;; + --ready|--rereadsecrets|--rereadgroups|\ + --rereadcacerts|--rereadaacerts|--rereadocspcerts|\ + --rereadacerts|--rereadcrls|--rereadall|\ + --listalgs|--listpubkeys|--listcerts|\ + --listcacerts|--listaacerts|--listocspcerts|\ + --listacerts|--listgroups|--listcainfos|\ + --listcrls|--listocsp|--listcards|--listall|\ + --purgeocsp) + if test " $op" != " " + then + echo "$usage" >&2 + exit 2 + fi + op="$1" + argc=0 + ;; + --) shift ; break ;; + -*) echo "$me: unknown option \`$1'" >&2 ; exit 2 ;; + *) break ;; + esac + shift +done + +names= +case "$op" in +--*) if test " $argc" -ne $# + then + echo "$usage" >&2 + exit 2 + fi + names="$*" + ;; +*) echo "$usage" >&2 ; exit 2 ;; +esac + + +runit() { + if test "$showonly" + then + cat + else + ( + echo '(' + cat + echo ')' + echo 'echo = $?' 
+ ) | sh $shopts | + awk "/^= / { exit \$2 } $logfilter { print }" + fi +} + +case "$op" in +--ready) echo "ipsec whack --listen" | runit ; exit ;; +--rereadsecrets) echo "ipsec whack --rereadsecrets" | runit ; exit ;; +--rereadgroups) echo "ipsec whack --listen" | runit ; exit ;; +--rereadcacerts) echo "ipsec whack --rereadcacerts" | runit ; exit ;; +--rereadaacerts) echo "ipsec whack --rereadaacerts" | runit ; exit ;; +--rereadocspcerts) echo "ipsec whack --rereadocspcerts" | runit ; exit ;; +--rereadacerts) echo "ipsec whack --rereadacerts" | runit ; exit ;; +--rereadcrls) echo "ipsec whack --rereadcrls" | runit ; exit ;; +--rereadall) echo "ipsec whack --rereadall" | runit ; exit ;; +--listalgs) echo "ipsec whack --listalgs" | runit ; exit ;; +--listpubkeys) echo "ipsec whack $utc --listpubkeys" | runit ; exit ;; +--listcerts) echo "ipsec whack $utc --listcerts" | runit ; exit ;; +--listcacerts) echo "ipsec whack $utc --listcacerts" | runit ; exit ;; +--listaacerts) echo "ipsec whack $utc --listaacerts" | runit ; exit ;; +--listocspcerts) echo "ipsec whack $utc --listocspcerts" | runit ; exit ;; +--listacerts) echo "ipsec whack $utc --listacerts" | runit ; exit ;; +--listgroups) echo "ipsec whack $utc --listgroups" | runit ; exit ;; +--listcainfos) echo "ipsec whack $utc --listcainfos" | runit ; exit ;; +--listcrls) echo "ipsec whack $utc --listcrls" | runit ; exit ;; +--listocsp) echo "ipsec whack $utc --listocsp" | runit ; exit ;; +--listcards) echo "ipsec whack $utc --listcards" | runit ; exit ;; +--listall) echo "ipsec whack $utc --listall" | runit ; exit ;; +--purgeocsp) echo "ipsec whack $utc --purgeocsp" | runit ; exit ;; +--up) echo "ipsec whack $async --name $names --initiate" | runit ; exit ;; +--down) echo "ipsec whack --name $names --terminate" | runit ; exit ;; +--delete) echo "ipsec whack $name $names --delete" | runit ; exit ;; +--route) echo "ipsec whack --name $names --route" | runit ; exit ;; +--unroute) echo "ipsec whack --name $names 
--unroute" | runit ; exit ;; +--status) echo "ipsec whack $name $names --status" | runit ; exit ;; +--statusall) echo "ipsec whack $name $names --statusall" | runit ; exit ;; +esac + +if test -s $info +then + . $info +fi + +ipsec _confread $config $noinclude --type $type $names | +awk -v section="$type" ' BEGIN { + FS = "\t" + op = "'"$op"'" + err = "cat >&2" + draddr = "'"$defaultrouteaddr"'" + drnexthop = "'"$defaultroutenexthop"'" + failed = 0 + s[""] = "" + init() + print "PATH=\"'"$PATH"'\"" + print "export PATH" + flip["left"] = "right" + flip["right"] = "left" + } + function init(n) { + for (n in s) + delete s[n] + name = "" + seensome = 0 + } + $1 == ":" { + s[$2] = $3 + seensome = 1 + next + } + $1 == "!" { + if ($2 != "") + fail($2) + next + } + $1 == "=" { + if (name == "") + name = $2 + next + } + $1 == "." { + if (section == "ca") + output_ca() + else + output() + init() + next + } + { + fail("internal error, unknown type code " v($1)) + } + function fail(m) { + print "ipsec_auto: fatal error in " v(name) ": " m |err + failed = 1 + exit + } + function yesno(k) { + if ((k in s) && s[k] != "yes" && s[k] != "no") + fail("parameter " v(k) " must be \"yes\" or \"no\"") + } + function setdefault(k, val) { + if (!(k in s)) + s[k] = val + } + function was(new, old) { + if (!(new in s) && (old in s)) + s[new] = s[old] + } + function need(k) { + if (!(k in s)) + fail("connection has no " v(k) " parameter specified") + if (s[k] == "") + fail("parameter " v(k) " value must be non-empty") + } + function integer(k) { + if (!(k in s)) + return + if (s[k] !~ /^[0-9]+$/) + fail("parameter " v(k) " value must be integer") + } + function duration(k, n, t) { + if (!(k in s)) + return + t = s[k] + n = substr(t, 1, length(t)-1) + if (t ~ /^[0-9]+$/) + s[k] = t + else if (t ~ /^[0-9]+s$/) + s[k] = n + else if (t ~ /^[0-9]+(\.[0-9]+)?m$/) + s[k] = int(n*60) + else if (t ~ /^[0-9]+(\.[0-9]+)?h$/) + s[k] = int(n*3600) + else if (t ~ /^[0-9]+(\.[0-9]+)?d$/) + s[k] = 
int(n*3600*24) + else + fail("parameter " v(k) " not valid time, must be nnn[smhd]") + } + function nexthopset(dir, val, k) { + k = dir "nexthop" + if (k in s) + fail("non-default value of " k " is being overridden") + if (val != "") + s[k] = val + else if (k in s) + delete s[k] + } + function id(dir, k) { + k = dir "id" + if (!(k in s)) + k = dir + return s[k] + } + function whackkey(dir, which, flag, rk, n) { + if (id(dir) == "%opportunistic") + return + rk = s[dir which] + if (rk == "%dnsondemand") + { + kod="--dnskeyondemand" + return + } + if (rk == "" || rk == "%none" || rk == "%cert" || rk == "0x00") + return + n = "\"\\\"" name "\\\" " dir which"\"" + if (rk == "%dns" || rk == "%dnsonload") + { + if (id(flip[dir]) == "%opportunistic" || s[flip[dir]] == "%any") + return + print "ipsec whack --label", n, flag, + "--keyid", q(id(dir)), "\\" + } + else + { + print "ipsec whack --label", n, flag, + "--keyid", q(id(dir)), + "--pubkeyrsa", q(rk), "\\" + } + print "\t|| exit $?" + } + function q(str) { # quoting for shell + return "\"" str "\"" + } + function qs(k) { # utility abbreviation for q(s[k]) + return q(s[k]) + } + function v(str) { # quoting for human viewing + return "\"" str "\"" + } + function output() { + if (!seensome) + fail("internal error, output called inappropriately") + + setdefault("type", "tunnel") + type_flags = "" + t = s["type"] + if (t == "tunnel") { + # do NOT default subnets to side/32, despite what + # the docs say... 
+ type_flags = "--tunnel" + } else if (t == "transport") { + if ("leftsubnet" in s) + fail("type=transport incompatible with leftsubnet") + if ("rightsubnet" in s) + fail("type=transport incompatible with rightsubnet") + type_flags = "" + } else if (t == "passthrough") { + type_flags = "--pass" + } else if (t == "drop") { + type_flags = "--drop" + } else if (t == "reject") { + type_flags = "--reject" + } else + fail("unknown type " v(t)) + + setdefault("failureshunt", "none") + t = s["failureshunt"] + if (t == "passthrough") + type_flags = type_flags " --failpass"; + else if (t == "drop") + type_flags = type_flags " --faildrop"; + else if (t == "reject") + type_flags = type_flags " --failreject"; + else if (t != "none") + fail("unknown failureshunt value " v(t)) + + need("left") + need("right") + if (s["left"] == "%defaultroute") { + if (s["right"] == "%defaultroute") + fail("left and right cannot both be %defaultroute") + if (draddr == "") + fail("%defaultroute requested but not known") + s["left"] = draddr + nexthopset("left", drnexthop) + } else if (s["right"] == "%defaultroute") { + if (draddr == "") + fail("%defaultroute requested but not known") + s["right"] = draddr + nexthopset("right", drnexthop) + } + + setdefault("keyexchange", "ike") + if (s["keyexchange"] != "ike") + fail("only know how to do keyexchange=ike") + setdefault("auth", "esp") + if (("auth" in s) && s["auth"] != "esp" && s["auth"] != "ah") + fail("only know how to do auth=esp or auth=ah") + yesno("pfs") + + setdefault("pfs", "yes") + duration("dpddelay") + duration("dpdtimeout") + if ("dpdaction" in s) + { + setdefault("dpddelay",30) + setdefault("dpdtimeout",120) + } + yesno("compress") + setdefault("compress", "no") + setdefault("keylife", "1h") + duration("keylife") + yesno("rekey") + setdefault("rekey", "yes") + setdefault("rekeymargin", "9m") + duration("rekeymargin") + setdefault("keyingtries", "%forever") + if (s["keyingtries"] == "%forever") + s["keyingtries"] = 0 + 
integer("keyingtries") + if ("rekeyfuzz" in s) { + if (s["rekeyfuzz"] !~ /%$/) + fail("rekeyfuzz must be nnn%") + r = s["rekeyfuzz"] + s["rekeyfuzz"] = substr(r, 1, length(r)-1) + integer("rekeyfuzz") + } + duration("ikelifetime") + setdefault("disablearrivalcheck", "no") + + setdefault("leftsendcert", "always") + setdefault("rightsendcert", "always") + + setdefault("leftnexthop", "%direct") + setdefault("rightnexthop", "%direct") + if (s["leftnexthop"] == s["left"]) + fail("left and leftnexthop must not be the same") + if (s["rightnexthop"] == s["right"]) + fail("right and rightnexthop must not be the same") + if (s["leftnexthop"] == "%defaultroute") { + if (drnexthop == "") + fail("%defaultroute requested but not known") + s["leftnexthop"] = drnexthop + } + if (s["rightnexthop"] == "%defaultroute") { + if (drnexthop == "") + fail("%defaultroute requested but not known") + s["rightnexthop"] = drnexthop + } + + if ("leftfirewall" in s && "leftupdown" in s) + fail("cannot have both leftfirewall and leftupdown") + if ("rightfirewall" in s && "rightupdown" in s) + fail("cannot have both rightfirewall and rightupdown") + setdefault("leftupdown", "ipsec _updown") + setdefault("rightupdown", "ipsec _updown") + setdefault("lefthostaccess", "no") + setdefault("righthostaccess", "no") + yesno("lefthostaccess") + yesno("righthostaccess") + lha = "" + if (s["lefthostaccess"] == "yes") + lha = "--hostaccess" + rha = "" + if (s["righthostaccess"] == "yes") + rha = "--hostaccess" + setdefault("leftfirewall", "no") + setdefault("rightfirewall", "no") + yesno("leftfirewall") + yesno("rightfirewall") + if (s["leftfirewall"] == "yes") + s["leftupdown"] = s["leftupdown"] " iptables" + if (s["rightfirewall"] == "yes") + s["rightupdown"] = s["rightupdown"] " iptables" + + setdefault("authby", "rsasig") + t = s["authby"] + if (t == "rsasig" || t == "secret|rsasig" || t == "rsasig|secret") { + authtype = "--rsasig" + type_flags = "--encrypt " type_flags + if (!("leftcert" in s)) { + 
setdefault("leftrsasigkey", "%cert") + if (id("left") == "%any" && + !(s["leftrsasigkey"] == "%cert" || + s["leftrsasigkey"] == "0x00") ) + fail("ID " v(id("left")) " cannot have RSA key") + } + if (!("rightcert" in s)) { + setdefault("rightrsasigkey", "%cert") + if (id("right") == "%any" && + !(s["rightrsasigkey"] == "%cert" || + s["rightrsasigkey"] == "0x00") ) + fail("ID " v(id("right")) " cannot have RSA key") + } + if (t != "rsasig") + authtype = authtype " --psk" + } else if (t == "secret") { + authtype = "--psk" + type_flags = "--encrypt " type_flags + } else if (t == "never") { + authtype = "" + } else { + fail("unknown authby value " v(t)) + } + + settings = type_flags + setdefault("ike", "3des-sha,3des-md5") + if (s["ike"] != "") + settings = settings " --ike " qs("ike") + setdefault("esp", "3des") + if (s["esp"] != "") + settings = settings " --esp " qs("esp") + if (s["auth"] == "ah") + settings = settings " --authenticate" + if (s["pfs"] == "yes") { + settings = settings " --pfs" + if (s["pfsgroup"] != "") + settings = settings " --pfsgroup " qs("pfsgroup") + } + + if (s["dpdaction"]) + settings = settings " --dpdaction " qs("dpdaction") + if (s["dpddelay"]) + settings = settings " --dpddelay " qs("dpddelay") + if (s["dpdtimeout"]) + settings = settings " --dpdtimeout " qs("dpdtimeout") + + if (s["compress"] == "yes") + settings = settings " --compress" + if (op == "--replace") + settings = settings " --delete" + if ("ikelifetime" in s) + settings = settings " --ikelifetime " qs("ikelifetime") + if (s["disablearrivalcheck"] == "yes") + settings = settings " --disablearrivalcheck" + settings = settings " " authtype + + lc = "" + rc = "" + if ("leftsubnet" in s) + lc = "--client " qs("leftsubnet") + if ("rightsubnet" in s) + rc = "--client " qs("rightsubnet") + if ("leftsubnetwithin" in s) + lc = lc " --clientwithin " qs("leftsubnetwithin") + if ("rightsubnetwithin" in s) + rc = rc " --clientwithin " qs("rightsubnetwithin") + lp = "" + rp = "" + if 
("leftprotoport" in s) + lp = "--clientprotoport " qs("leftprotoport") + if ("rightprotoport" in s) + rp = "--clientprotoport " qs("rightprotoport") + lud = "--updown " qs("leftupdown") + rud = "--updown " qs("rightupdown") + + lid = "" + if ("leftid" in s) + lid = "--id " qs("leftid") + rid = "" + if ("rightid" in s) + rid = "--id " qs("rightid") + lsip = "" + if ("leftsourceip" in s) + lsip = "--srcip " qs("leftsourceip") + rsip = "" + if ("rightsourceip" in s) + rsip = "--srcip " qs("rightsourceip") + lscert = "" + if ("leftsendcert" in s) + lscert = "--sendcert " qs("leftsendcert") + rscert = "" + if ("rightsendcert" in s) + rscert = "--sendcert " qs("rightsendcert") + lcert = "" + if ("leftcert" in s) + lcert = "--cert " qs("leftcert") + rcert = "" + if ("rightcert" in s) + rcert = "--cert " qs("rightcert") + lca = "" + if ("leftca" in s) + lca = "--ca " qs("leftca") + rca = "" + if ("rightca" in s) + rca = "--ca " qs("rightca") + lgr = "" + if ("leftgroups" in s) + lgr = "--groups " qs("leftgroups") + rgr = "" + if ("rightgroups" in s) + rgr = "--groups " qs("rightgroups") + fuzz = "" + if ("rekeyfuzz" in s) + fuzz = "--rekeyfuzz " qs("rekeyfuzz") + rk = "" + if (s["rekey"] == "no") + rk = "--dontrekey" + pd = "" + if ("_plutodevel" in s) + pd = "--plutodevel " s["_plutodevel"] # not qs() + + lkod = "" + rkod = "" + if (authtype != "--psk") { + kod = "" + whackkey("left", "rsasigkey", "") + whackkey("left", "rsasigkey2", "--addkey") + lkod = kod + kod = "" + whackkey("right", "rsasigkey", "") + whackkey("right", "rsasigkey2", "--addkey") + rkod = kod + } + print "ipsec whack --name", name, settings, "\\" + print "\t--host", qs("left"), lc, lp, "--nexthop", + qs("leftnexthop"), lud, lha, lid, lkod, lscert, lcert, lca, lsip, lgr, "\\" + print "\t--to", "--host", qs("right"), rc, rp, "--nexthop", + qs("rightnexthop"), rud, rha, rid, rkod, rscert, rcert, rca, rsip, rgr, "\\" + print "\t--ipseclifetime", qs("keylife"), + "--rekeymargin", qs("rekeymargin"), "\\" + 
print "\t--keyingtries", qs("keyingtries"), fuzz, rk, pd, "\\" + print "\t|| exit $?" + } + function output_ca() { + if (!seensome) + fail("internal error, output called inappropriately") + settings = "" + if (op == "--replace") + settings = "--delete" + cacert = "" + if ("cacert" in s) + cacert = "--cacert " qs("cacert") + ldaphost = "" + if ("ldaphost" in s) + ldaphost = "--ldaphost " qs("ldaphost") + ldapbase = "" + if ("ldapbase" in s) + ldapbase = "--ldapbase " qs("ldapbase") + crluri = "" + if ("crluri" in s) + crluri = "--crluri " qs("crluri") + crluri2 = "" + if ("crluri2" in s) + crluri2 = "--crluri2 " qs("crluri2") + ocspuri = "" + if ("ocspuri" in s) + ocspuri = "--ocspuri " qs("ocspuri") + yesno("strictcrlpolicy") + setdefault("strictcrlpolicy", "no") + if (s["strictcrlpolicy"] == "yes") + settings = settings " --strictcrlpolicy" + yesno("cachecrls") + setdefault("cachecrls", "no") + if (s["cachecrls"] == "yes") + settings = settings " --cachecrls" + + print "ipsec whack --caname", name, settings, cacert, ldaphost, ldapbase, + crluri, crluri2, ocspuri, "\\" + print "\t|| exit $?" + } + END { + if (failed) { + print "# fatal error discovered, force failure using \"false\" command" + print "false" + exit 1 # just on general principles + } + if (seensome) { + if (section == "ca") + output_ca() + else + output() + } + }' | runit diff --git a/programs/barf/.cvsignore b/programs/barf/.cvsignore new file mode 100644 index 000000000..bca77a6ee --- /dev/null +++ b/programs/barf/.cvsignore @@ -0,0 +1 @@ +barf diff --git a/programs/barf/Makefile b/programs/barf/Makefile new file mode 100644 index 000000000..6a20d4ee2 --- /dev/null +++ b/programs/barf/Makefile 
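Review bot: `q()` (the `function q(str)` helper in the awk program) wraps a configuration value in double quotes without escaping anything, yet the generated text is executed by `sh` through `runit`; a value containing `"`, `$`, a backquote or a backslash — reaching `q()` via `qs("leftid")`, `qs("leftsubnet")`, `qs("ike")`, `qs("cacert")`, `q(rk)` in `whackkey()` and every other `qs()` call — would terminate the quoting early and be interpreted by the shell instead of being handed to `ipsec whack`. None of these parameters has a legitimate use for those characters, so the cheapest fix is to reject them before quoting, at the top of `q()`: `if (str ~ /["$`\\]/)` followed by `fail("parameter value " v(str) " contains shell metacharacters")`. `name` is printed unquoted in both `output()` and `output_ca()` and deserves the same check. Two smaller points: the `--type ca` rejection in the option loop writes to stdout while every other usage error goes to `>&2`, and the usage text reads `[-- type conn|ca]` where the option is spelled `--type`.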
@@ -0,0 +1,38 @@
+# Makefile for miscelaneous programs
+# Copyright (C) 2002 Michael Richardson
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version. See .
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# for more details.
+#
+# RCSID $Id: Makefile,v 1.1 2004/03/15 20:35:27 as Exp $
+
+FREESWANSRCDIR=../..
+include ${FREESWANSRCDIR}/Makefile.inc
+
+PROGRAM=barf
+
+include ../Makefile.program
+
+#
+# $Log: Makefile,v $
+# Revision 1.1 2004/03/15 20:35:27 as
+# added files from freeswan-2.04-x509-1.5.3
+#
+# Revision 1.2 2002/06/02 22:02:14 mcr
+# changed TOPDIR->FREESWANSRCDIR in all Makefiles.
+# (note that linux/net/ipsec/Makefile uses TOPDIR because this is the
+# kernel sense.)
+#
+# Revision 1.1 2002/04/24 07:55:32 mcr
+# #include patches and Makefiles for post-reorg compilation.
+#
+#
+#
+
diff --git a/programs/barf/barf.8 b/programs/barf/barf.8
new file mode 100644
index 000000000..e692a4e5f
--- /dev/null
+++ b/programs/barf/barf.8
@@ -0,0 +1,84 @@ +.TH IPSEC_BARF 8 "17 March 2002" +.\" RCSID $Id: barf.8,v 1.1 2004/03/15 20:35:27 as Exp $ +.SH NAME +ipsec barf \- spew out collected IPsec debugging information +.SH SYNOPSIS +.B ipsec +.B barf +[ +.B \-\-short +] +.sp +.SH DESCRIPTION +.I Barf +outputs (on standard output) a collection of debugging information +(contents of files, selections from logs, etc.) +related to the IPsec encryption/authentication system. +It is primarily a convenience for remote debugging, +a single command which packages up (and labels) all information +that might be relevant to diagnosing a problem in IPsec. +.PP +.PP +The +.B \-\-short +option limits the length of +the log portion of +.IR barf 's +output, which can otherwise be extremely voluminous +if debug logging is turned on. +.PP +.I Barf +censors its output, +replacing keys +and secrets with brief checksums to avoid revealing sensitive information. +.PP +Beware that the output of both commands is aimed at humans, +not programs, +and the output format is subject to change without warning. +.PP +.I Barf +has to figure out which files in +.I /var/log +contain the IPsec log messages. +It looks for KLIPS and general log messages first in +.IR messages +and +.IR syslog , +and for Pluto messages first in +.IR secure , +.IR auth.log , +and +.IR debug . +In both cases, +if it does not find what it is looking for in one of those ``likely'' places, +it will resort to a brute-force search of most (non-compressed) files in +.IR /var/log . +.SH FILES +.nf +/proc/net/* +/var/log/* +/etc/ipsec.conf +/etc/ipsec.secrets +.fi +.SH HISTORY +Written for the Linux FreeS/WAN project + +by Henry Spencer. +.SH BUGS +.I Barf +uses heuristics to try to pick relevant material out of the logs, +and relevant messages +which are not labelled with any of the tags that +.I barf +looks for will be lost. +We think we've eliminated the last such case, but one never knows... 
+.PP +Finding +.I updown +scripts (so they can be included in output) is, in general, difficult. +.I Barf +uses a very simple heuristic that is easily fooled. +.PP +The brute-force search for the right log files can get expensive on +systems with a lot of clutter in +.IR /var/log . diff --git a/programs/barf/barf.in b/programs/barf/barf.in new file mode 100755 index 000000000..99cc3546c --- /dev/null +++ b/programs/barf/barf.in 
@@ -0,0 +1,296 @@ +#! /bin/sh +# dump assorted information of use in debugging +# Copyright (C) 1998, 1999 Henry Spencer. +# +# This program is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 2 of the License, or (at your +# option) any later version. See . +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +# for more details. +# +# RCSID $Id: barf.in,v 1.4 2004/09/23 21:08:23 as Exp $ + +IPSEC_NAME="strongSwan" + +KERNSRC=${KERNSRC-/usr/src/linux} +LOGS=${LOGS-/var/log} +CONFS=${IPSEC_CONFS-/etc} +CONFDDIR=${IPSEC_CONFDDIR-/etc/ipsec.d} +me="ipsec barf" + +# kludge to produce no barf output mentioning policygroups if none are present. +# This will not catch ".file" policygroups. +PREPOLICIES=${CONFDDIR}/policies +if [ `ls $PREPOLICIES 2> /dev/null | wc -l` -ne 0 ] +then + POLICIES=$PREPOLICIES +fi + +# message patterns that start relevant parts of logs +fstart="Starting $IPSEC_NAME" +pstart='Starting Pluto subsystem' + +case "$1" in +--help) echo "Usage: ipsec barf" ; exit 0 ;; +--version) echo "$me $IPSEC_VERSION" ; exit 0 ;; +esac + +# make sure output is in English +unset LANG LANGUAGE LC_ALL LC_MESSAGES + +# log-location guesser, results in $findlog_file and $findlog_startline +# Fine point: startline is the *last* line containing "string", or +# failing that, the *first* line containing "fallbackstring". +findlog() { # findlog string fallbackstring possiblefile ... 
+ s="$1" + shift + t="$1" + shift + # try the suggested files first + for f in $* + do + if test -r $LOGS/$f -a -f $LOGS/$f && egrep -q "$s" $LOGS/$f + then + # aha, this one has it + findlog_file=$LOGS/$f + findlog_startline=`egrep -n "$s" $LOGS/$f | + sed -n '$s/:.*//p'` + return 0 + fi + done + for f in $* + do + if test -r $LOGS/$f -a -f $LOGS/$f && egrep -q "$t" $LOGS/$f + then + # aha, this one has it + findlog_file=$LOGS/$f + findlog_startline=`egrep -n "$t" $LOGS/$f | + sed -n '1s/:.*//p'` + return 0 + fi + done + # nope, resort to a search, newest first, of uncompressed logs + for f in `ls -t $LOGS | egrep -v '^mail' | egrep -v '\.(gz|Z)$'` + do + if test -r $LOGS/$f -a ! -d $LOGS/$f && egrep -q "$s" $LOGS/$f + then + # found it + findlog_file=$LOGS/$f + findlog_startline=`egrep -n "$s" $LOGS/$f | + sed -n '$s/:.*//p'` + return 0 + fi + done + for f in `ls -t $LOGS | egrep -v '^mail' | egrep -v '\.(gz|Z)$'` + do + if test -r $LOGS/$f -a -f $LOGS/$f && egrep -q "$t" $LOGS/$f + then + # found it + findlog_file=$LOGS/$f + findlog_startline=`egrep -n "$t" $LOGS/$f | + sed -n '1s/:.*//p'` + return 0 + fi + done +# echo "$0: unable to find $LOGS/$1 or local equivalent" >&2 + findlog_file=/dev/null + findlog_startline=1 # arbitrary +} + +# try to guess where logs are +findlog "$fstart" "klips" messages syslog +if test " $findlog_file" = " /dev/null" +then +echo "Unable to find KLIPS messages, typically found in /var/log/messages or equivalent. You may need to run $IPSEC_NAME for the first time; alternatively, your log files have been emptied (ie, logwatch) or we do not understand your logging configuration." +fi +klog=$findlog_file +kline=$findlog_startline + +findlog "$pstart" "Pluto" secure auth.log debug +if test " $findlog_file" = " /dev/null" +then +echo "Unable to find Pluto messages, typically found in /var/log/secure or equivalent. 
You may need to run $IPSEC_NAME for the first time; alternatively, your log files have been emptied (ie, logwatch) or we do not understand your logging configuration." +fi +plog=$findlog_file +pline=$findlog_startline + +# /lib/modules examiner +modulegoo() { + set +x + for d in `ls /lib/modules` + do + if test -d /lib/modules/$d + then + f=/lib/modules/$d/$1 + if test -f $f + then + nm -g $f | egrep "$2" + else + echo + fi | sed "s;^;$d: ;" + fi + done + set -x +} + +# advanced shell deviousness to get dividers into output +_________________________() { + $2 # something to do nothing and not echo anything +} + +exec 2>&1 # stderr on stdout, so errors go into main output + +hostname ; date +set -x +_________________________ version +ipsec --version +_________________________ proc/version +cat /proc/version +_________________________ proc/net/ipsec_eroute +sort -sg +3 /proc/net/ipsec_eroute || cat /proc/net/ipsec_eroute +_________________________ netstat-rn +netstat -nr +_________________________ proc/net/ipsec_spi +cat /proc/net/ipsec_spi +_________________________ proc/net/ipsec_spigrp +cat /proc/net/ipsec_spigrp +_________________________ proc/net/ipsec_tncfg +cat /proc/net/ipsec_tncfg +_________________________ proc/net/pf_key +cat /proc/net/pf_key +_________________________ proc/net/pf_key-star +( cd /proc/net && egrep '^' pf_key_* ) +_________________________ proc/sys/net/ipsec-star +( cd /proc/sys/net/ipsec && egrep '^' * ) +_________________________ ipsec/statusall +ipsec auto --statusall +_________________________ ifconfig-a +ifconfig -a +_________________________ mii-tool +if [ -x /sbin/mii-tool ] +then + /sbin/mii-tool -v +elif [ -x /usr/sbin/mii-tool ] +then + /usr/sbin/mii-tool -v +else + mii-tool -v +fi +_________________________ ipsec/directory +ipsec --directory +_________________________ hostname/fqdn +hostname --fqdn +_________________________ hostname/ipaddress +hostname --ip-address +_________________________ uptime +uptime 
+_________________________ ps +# -i ppid picks up the header +ps alxwf | egrep -i 'ppid|pluto|ipsec|klips' +_________________________ ipsec/showdefaults +ipsec showdefaults +_________________________ ipsec/conf +ipsec _include $CONFS/ipsec.conf | ipsec _keycensor +_________________________ ipsec/secrets +ipsec _include $CONFS/ipsec.secrets | ipsec _secretcensor +_________________________ ipsec/listall +ipsec auto --listall +if [ $POLICIES ] +then + for policy in $POLICIES/*; do base=`basename $policy`; + _________________________ ipsec/policies/$base + cat $policy + done +fi +_________________________ ipsec/ls-libdir +ls -l ${IPSEC_LIBDIR-/usr/local/lib/ipsec} +_________________________ ipsec/ls-execdir +ls -l ${IPSEC_EXECDIR-/usr/local/libexec/ipsec} +_________________________ ipsec/updowns +for f in `ls ${IPSEC_EXECDIR-/usr/local/libexec/ipsec} | egrep updown` +do + cat ${IPSEC_EXECDIR-/usr/local/libexec/ipsec}/$f +done +_________________________ proc/net/dev +cat /proc/net/dev +_________________________ proc/net/route +cat /proc/net/route +_________________________ proc/sys/net/ipv4/ip_forward +cat /proc/sys/net/ipv4/ip_forward +_________________________ proc/sys/net/ipv4/conf/star-rp_filter +( cd /proc/sys/net/ipv4/conf && egrep '^' */rp_filter ) +_________________________ uname-a +uname -a +_________________________ redhat-release +if test -r /etc/redhat-release +then + cat /etc/redhat-release +fi +_________________________ proc/net/ipsec_version +cat /proc/net/ipsec_version +_________________________ iptables/list +iptables -L -v -n +_________________________ ipchains/list +ipchains -L -v -n +_________________________ ipfwadm/forward +ipfwadm -F -l -n -e +_________________________ ipfwadm/input +ipfwadm -I -l -n -e +_________________________ ipfwadm/output +ipfwadm -O -l -n -e +_________________________ iptables/nat +iptables -t nat -L -v -n +_________________________ ipchains/masq +ipchains -M -L -v -n +_________________________ ipfwadm/masq +ipfwadm -M -l 
-n -e +_________________________ iptables/mangle +iptables -t mangle -L -v -n +_________________________ proc/modules +cat /proc/modules +_________________________ proc/meminfo +cat /proc/meminfo +_________________________ dev/ipsec-ls +ls -l /dev/ipsec* +_________________________ proc/net/ipsec-ls +ls -l /proc/net/ipsec_* +_________________________ usr/src/linux/.config +if test -f $KERNSRC/.config +then + egrep 'IP|NETLINK' $KERNSRC/.config +fi +_________________________ etc/syslog.conf +cat /etc/syslog.conf +_________________________ etc/resolv.conf +cat /etc/resolv.conf +_________________________ lib/modules-ls +ls -ltr /lib/modules +_________________________ proc/ksyms-netif_rx +egrep netif_rx /proc/ksyms +_________________________ lib/modules-netif_rx +modulegoo kernel/net/ipv4/ipip.o netif_rx +_________________________ kern.debug +if test -f $LOGS/kern.debug +then + tail -100 $LOGS/kern.debug +fi +_________________________ klog +sed -n $kline,'$'p $klog | + egrep -i 'ipsec|klips|pluto' | + case "$1" in + --short) tail -500 ;; + *) cat ;; + esac +_________________________ plog +sed -n $pline,'$'p $plog | + egrep -i 'pluto' | + case "$1" in + --short) tail -500 ;; + *) cat ;; + esac +_________________________ date +date diff --git a/programs/calcgoo/.cvsignore b/programs/calcgoo/.cvsignore new file mode 100644 index 000000000..b4aa748b7 --- /dev/null +++ b/programs/calcgoo/.cvsignore @@ -0,0 +1 @@ +calcgoo diff --git a/programs/calcgoo/Makefile b/programs/calcgoo/Makefile new file mode 100644 index 000000000..8e3cae9ea --- /dev/null +++ b/programs/calcgoo/Makefile 
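Review bot: `findlog` expands `$LOGS/$f` and `$*` unquoted in every `test`/`egrep` call, so a log directory or file name containing whitespace or glob characters breaks the `-r`/`-f` checks and can hand `egrep` a different path than the one that was tested; quoting them, e.g. `for f in "$@"` and `if test -r "$LOGS/$f" && test -f "$LOGS/$f" && egrep -q "$s" "$LOGS/$f"`, also drops the non-portable `test -a` binary operator. The same unquoted expansions appear in the two `ls -t $LOGS` fallback loops and in `if [ $POLICIES ]`, which should read `if [ -n "$POLICIES" ]`. Because `exec 2>&1` and `set -x` are in effect, every traced command line and error message lands in the report that is meant to be handed to someone else, so the `ipsec/secrets` section relies entirely on the `ipsec _secretcensor` pipe; a comment above that line such as `# secrets are only ever emitted through _secretcensor; keep this pipeline intact` would make that dependency explicit to the next editor.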
@@ -0,0 +1,41 @@
+# Makefile for miscelaneous programs
+# Copyright (C) 2002 Michael Richardson
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version. See .
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# for more details.
+#
+# RCSID $Id: Makefile,v 1.1 2004/03/15 20:35:27 as Exp $
+
+FREESWANSRCDIR=../..
+include ${FREESWANSRCDIR}/Makefile.inc
+
+PROGRAM=calcgoo
+
+include ../Makefile.program
+
+#
+# $Log: Makefile,v $
+# Revision 1.1 2004/03/15 20:35:27 as
+# added files from freeswan-2.04-x509-1.5.3
+#
+# Revision 1.1 2002/06/10 04:27:25 mcr
+# calcgoo program processes kernel symbol list and generates a
+# composite value by xor'ing the programmed symbol.
+#
+# Revision 1.1 2002/06/10 00:19:44 mcr
+# rename "ipsec check" to "ipsec verify"
+#
+# Revision 1.1 2002/06/08 17:01:25 mcr
+# added new program "ipsec check" to do rudamentary testing
+# on a newly installed system to see if it is OE ready.
+#
+#
+#
+
diff --git a/programs/calcgoo/calcgoo.8 b/programs/calcgoo/calcgoo.8
new file mode 100644
index 000000000..ceb576e41
--- /dev/null
+++ b/programs/calcgoo/calcgoo.8
@@ -0,0 +1,31 @@ +.TH IPSEC_CALCGOO 8 "8 June 2002" +.\" RCSID $Id: calcgoo.8,v 1.1 2004/03/15 20:35:27 as Exp $ +.SH NAME +ipsec calcgoo \- calculate hex value for matching modules and kernels +.SH SYNOPSIS +.B ipsec +.B calcgoo +.SH DESCRIPTION +.I calcgoo +accepts the output of +.B nm -ao +or +.B /proc/ksyms +and extracts a release dependant list of symbols from it. The symbols +are processed to extract the values assigned during the MODVERSIONS +process. This process makes sure that Linux modules are only loaded +on matching kernels. +.P +This routine is used to find an appropriate module to match the currently +running kernel by _startklips. +.SH FILES +.nf +/proc/ksyms +.fi +.SH "SEE ALSO" +ipsec__startklips(8), genksyms(8) +.SH HISTORY +Written for the Linux FreeS/WAN project + +by Michael Richardson. +.SH BUGS diff --git a/programs/calcgoo/calcgoo.in b/programs/calcgoo/calcgoo.in new file mode 100644 index 000000000..0d383d173 --- /dev/null +++ b/programs/calcgoo/calcgoo.in @@ -0,0 +1,43 @@ +#!/usr/bin/perl + +$MODULE_GOO_LIST="@MODULE_GOO_LIST@"; + +@goo = split(/\s+/,$MODULE_GOO_LIST); + +$sep="("; +$goore=" "; + +#print "GOO: ",join('|',@goo),"\n"; + +foreach $sym (@goo) { + $goore=${goore}.${sep}.${sym}; + $sep="|"; +} +$goore=${goore}.")_R(smp_){0,1}([0-9A-F]{8})"; + +#print "GOORE: $goore\n"; + +while(<>) { + chomp; + if(/$goore/io) { + $sym=$1; + $goosym=$3; + $bingoo=hex($goosym); + if($2 eq "smp_") { + $bingoo++; + } + #print STDERR "Processing $goosym (from $_)\n"; + $bingoo{$sym}=$bingoo; + } +} +$wholegoo=0; +foreach $sym (keys %bingoo) { + $wholegoo=$wholegoo ^ $bingoo{$sym}; +} +print sprintf("%08x", $wholegoo)."\n"; + +# Local variables:: +# mode: perl +# End variables:: + + diff --git a/programs/eroute/.cvsignore b/programs/eroute/.cvsignore new file mode 100644 index 000000000..133c4b456 --- /dev/null +++ b/programs/eroute/.cvsignore @@ -0,0 +1 @@ +eroute 
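Review bot: The symbol names substituted from `@MODULE_GOO_LIST@` are concatenated into `$goore` verbatim, so a name containing a regex metacharacter (`.`, `+`, `(`) alters the alternation instead of matching literally; build it with `$goore=${goore}.${sep}.quotemeta($sym);`. `$sym` is reused both as the `foreach` variable and as the capture holder (`$sym=$1;`), and the scalar `$bingoo` and the hash `%bingoo` share a name, which makes the accumulation harder to follow than it needs to be; renaming the capture (for example `$found`) and adding `use strict; use warnings;` with `my` declarations would tidy this without changing the output. A short header comment stating that the printed value is the XOR of the MODVERSIONS values captured for the listed symbols, incremented by one when the `smp_` prefix is present, would tell the `_startklips` caller what it is comparing.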
diff --git a/programs/eroute/Makefile b/programs/eroute/Makefile
new file mode 100644
index 000000000..6d8f68033
--- /dev/null
+++ b/programs/eroute/Makefile
@@ -0,0 +1,52 @@
+# Makefile for the KLIPS interface utilities
+# Copyright (C) 1998, 1999 Henry Spencer.
+# Copyright (C) 1999, 2000, 2001 Richard Guy Briggs
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version. See .
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# for more details.
+#
+# RCSID $Id: Makefile,v 1.1 2004/03/15 20:35:27 as Exp $
+
+FREESWANSRCDIR=../..
+include ${FREESWANSRCDIR}/Makefile.inc
+
+PROGRAM:=eroute
+EXTRA5PROC=eroute.5
+
+LIBS:=${FREESWANLIB}
+
+include ../Makefile.program
+
+#
+# $Log: Makefile,v $
+# Revision 1.1 2004/03/15 20:35:27 as
+# added files from freeswan-2.04-x509-1.5.3
+#
+# Revision 1.4 2002/06/03 20:25:31 mcr
+# man page for files actually existant in /proc/net changed back to
+# ipsec_foo via new EXTRA5PROC process.
+#
+# Revision 1.3 2002/06/02 22:02:14 mcr
+# changed TOPDIR->FREESWANSRCDIR in all Makefiles.
+# (note that linux/net/ipsec/Makefile uses TOPDIR because this is the
+# kernel sense.)
+#
+# Revision 1.2 2002/04/26 01:21:26 mcr
+# while tracking down a missing (not installed) /etc/ipsec.conf,
+# MCR has decided that it is not okay for each program subdir to have
+# some subset (determined with -f) of possible files.
+# Each subdir that defines $PROGRAM, MUST have a PROGRAM.8 file as well as a PROGRAM file.
+# Optional PROGRAM.5 files have been added to the makefiles.
+#
+# Revision 1.1 2002/04/24 07:55:32 mcr
+# #include patches and Makefiles for post-reorg compilation.
+#
+#
+#
diff --git a/programs/eroute/eroute.5 b/programs/eroute/eroute.5 new file mode 100644 index 000000000..52b3f4d25 --- /dev/null +++ b/programs/eroute/eroute.5 
@@ -0,0 +1,272 @@ +.TH IPSEC_EROUTE 5 "20 Sep 2001" +.\" +.\" RCSID $Id: eroute.5,v 1.1 2004/03/15 20:35:27 as Exp $ +.\" +.SH NAME +ipsec_eroute \- list of existing eroutes +.SH SYNOPSIS +.B ipsec +.B eroute +.PP +.B cat +.B /proc/net/ipsec_eroute +.SH DESCRIPTION +.I /proc/net/ipsec_eroute +lists the IPSEC extended routing tables, +which control what (if any) processing is applied +to non-encrypted packets arriving for IPSEC processing and forwarding. +At this point it is a read-only file. +.PP +A table entry consists of: +.IP + 3 +packet count, +.IP + +source address with mask and source port (0 if all ports or not applicable) +.IP + +a '->' separator for visual and automated parsing between src and dst +.IP + +destination address with mask and destination port (0 if all ports or +not applicable) +.IP + +a '=>' separator for visual and automated parsing between selection +criteria and SAID to use +.IP + +SAID (Security Association IDentifier), comprised of: +.IP + 6 +protocol +(\fIproto\fR), +.IP + +address family +(\fIaf\fR), +where '.' stands for IPv4 and ':' for IPv6 +.IP + +Security Parameters Index +(\fISPI\fR), +.IP + +effective destination +(\fIedst\fR), +where the packet should be forwarded after processing +(normally the other security gateway) +together indicate which Security Association should be used to process +the packet, +.IP + 3 +a ':' separating the SAID from the transport protocol (0 if all protocols) +.IP + +source identity text string with no whitespace, in parens, +.IP + +destination identity text string with no whitespace, in parens +.PP +Addresses are written as IPv4 dotted quads or IPv6 coloned hex, +protocol is one of "ah", "esp", "comp" or "tun" +and +SPIs are prefixed hexadecimal numbers where the prefix '.' is for IPv4 and the prefix ':' is for IPv6 +. +.PP +SAIDs are written as "protoafSPI@edst". 
There are also 5 +"magic" SAIDs which have special meaning: +.IP + 3 +.B %drop +means that matches are to be dropped +.IP + +.B %reject +means that matches are to be dropped and an ICMP returned, if +possible to inform +.IP + +.B %trap +means that matches are to trigger an ACQUIRE message to the Key +Management daemon(s) and a hold eroute will be put in place to +prevent subsequent packets also triggering ACQUIRE messages. +.IP + +.B %hold +means that matches are to stored until the eroute is replaced or +until that eroute gets reaped +.IP + +.B %pass +means that matches are to allowed to pass without IPSEC processing +.br +.ne 5 +.SH EXAMPLES +.LP +.B "1867 172.31.252.0/24:0 -> 0.0.0.0/0:0 => tun0x130@192.168.43.1:0 " +.br +.B " () ()" +.LP +means that 1,867 packets have been sent to an +.BR eroute +that has been set up to protect traffic between the subnet +.BR 172.31.252.0 +with a subnet mask of +.BR 24 +bits and the default address/mask represented by an address of +.BR 0.0.0.0 +with a subnet mask of +.BR 0 +bits using the local machine as a security gateway on this end of the +tunnel and the machine +.BR 192.168.43.1 +on the other end of the tunnel with a Security Association IDentifier of +.BR tun0x130@192.168.43.1 +which means that it is a tunnel mode connection (4, IPPROTO_IPIP) with a +Security Parameters Index of +.BR 130 +in hexadecimal with no identies defined for either end. +.LP +.B "746 192.168.2.110/32:0 -> 192.168.2.120/32:25 => esp0x130@192.168.2.120:6 " +.br +.B " () ()" +.LP +means that 746 packets have been sent to an +.BR eroute +that has been set up to protect traffic sent from any port on the host +.BR 192.168.2.110 +to the SMTP (TCP, port 25) port on the host +.BR 192.168.2.120 +with a Security Association IDentifier of +.BR tun0x130@192.168.2.120 +which means that it is a transport mode connection with a +Security Parameters Index of +.BR 130 +in hexadecimal with no identies defined for either end. 
+.LP +.B 125 3049:1::/64 -> 0:0/0 => tun:130@3058:4::5 () () +.LP +means that 125 packets have been sent to an +.BR eroute +that has been set up to protect traffic between the subnet +.BR 3049:1:: +with a subnet mask of +.BR 64 +bits and the default address/mask represented by an address of +.BR 0:0 +with a subnet mask of +.BR 0 +bits using the local machine as a security gateway on this end of the +tunnel and the machine +.BR 3058:4::5 +on the other end of the tunnel with a Security Association IDentifier of +.BR tun:130@3058:4::5 +which means that it is a tunnel mode connection with a +Security Parameters Index of +.BR 130 +in hexadecimal with no identies defined for either end. +.LP +.B 42 192.168.6.0/24:0 -> 192.168.7.0/24:0 => %passthrough +.LP +means that 42 packets have been sent to an +.BR eroute +that has been set up to pass the traffic from the subnet +.BR 192.168.6.0 +with a subnet mask of +.BR 24 +bits and to subnet +.BR 192.168.7.0 +with a subnet mask of +.BR 24 +bits without any IPSEC processing with no identies defined for either end. +.LP +.B 2112 192.168.8.55/32:0 -> 192.168.9.47/24:0 => %hold (east) () +.LP +means that 2112 packets have been sent to an +.BR eroute +that has been set up to hold the traffic from the host +.BR 192.168.8.55 +and to host +.BR 192.168.9.47 +until a key exchange from a Key Management daemon +succeeds and puts in an SA or fails and puts in a pass +or drop eroute depending on the default configuration with the local client +defined as "east" and no identy defined for the remote end. 
+.LP +.B "2001 192.168.2.110/32:0 -> 192.168.2.120/32:0 => " +.br +.B " esp0xe6de@192.168.2.120:0 () ()" +.LP +means that 2001 packets have been sent to an +.BR eroute +that has been set up to protect traffic between the host +.BR 192.168.2.110 +and the host +.BR 192.168.2.120 +using +.BR 192.168.2.110 +as a security gateway on this end of the +connection and the machine +.BR 192.168.2.120 +on the other end of the connection with a Security Association IDentifier of +.BR esp0xe6de@192.168.2.120 +which means that it is a transport mode connection with a Security +Parameters Index of +.BR e6de +in hexadecimal using Encapsuation Security Payload protocol (50, +IPPROTO_ESP) with no identies defined for either end. +.LP +.B "1984 3049:1::110/128 -> 3049:1::120/128 => " +.br +.B " ah:f5ed@3049:1::120 () ()" +.LP +means that 1984 packets have been sent to an +.BR eroute +that has been set up to authenticate traffic between the host +.BR 3049:1::110 +and the host +.BR 3049:1::120 +using +.BR 3049:1::110 +as a security gateway on this end of the +connection and the machine +.BR 3049:1::120 +on the other end of the connection with a Security Association IDentifier of +.BR ah:f5ed@3049:1::120 +which means that it is a transport mode connection with a Security +Parameters Index of +.BR f5ed +in hexadecimal using Authentication Header protocol (51, +IPPROTO_AH) with no identies defined for either end. +.SH FILES +/proc/net/ipsec_eroute, /usr/local/bin/ipsec +.SH "SEE ALSO" +ipsec(8), ipsec_manual(8), ipsec_tncfg(5), ipsec_spi(5), +ipsec_spigrp(5), ipsec_klipsdebug(5), ipsec_eroute(8), ipsec_version(5), +ipsec_pf_key(5) +.SH HISTORY +Written for the Linux FreeS/WAN project + +by Richard Guy Briggs. 
+.\" +.\" $Log: eroute.5,v $ +.\" Revision 1.1 2004/03/15 20:35:27 as +.\" added files from freeswan-2.04-x509-1.5.3 +.\" +.\" Revision 1.9 2002/04/24 07:35:38 mcr +.\" Moved from ./klips/utils/eroute.5,v +.\" +.\" Revision 1.8 2001/09/20 15:33:13 rgb +.\" PF_KEYv2 ident extension output documentation. +.\" +.\" Revision 1.7 2001/05/29 05:15:31 rgb +.\" Added packet count field at beginning of line. +.\" +.\" Revision 1.6 2001/02/26 19:58:32 rgb +.\" Put SAID elements in order they appear in SAID. +.\" Implement magic SAs %drop, %reject, %trap, %hold, %pass as part +.\" of the new SPD and to support opportunistic. +.\" +.\" Revision 1.5 2000/09/17 18:56:48 rgb +.\" Added IPCOMP support. +.\" +.\" Revision 1.4 2000/09/13 15:54:31 rgb +.\" Added Gerhard's ipv6 updates. +.\" +.\" Revision 1.3 2000/06/30 18:21:55 rgb +.\" Update SEE ALSO sections to include ipsec_version(5) and ipsec_pf_key(5) +.\" and correct FILES sections to no longer refer to /dev/ipsec which has +.\" been removed since PF_KEY does not use it. +.\" +.\" Revision 1.2 2000/06/28 12:44:11 henry +.\" format touchup +.\" +.\" Revision 1.1 2000/06/28 05:43:00 rgb +.\" Added manpages for all 5 klips utils. +.\" +.\" +.\" diff --git a/programs/eroute/eroute.8 b/programs/eroute/eroute.8 new file mode 100644 index 000000000..d9449632b --- /dev/null +++ b/programs/eroute/eroute.8 
@@ -0,0 +1,354 @@ +.TH IPSEC_EROUTE 8 "21 Jun 2000" +.\" +.\" RCSID $Id: eroute.8,v 1.1 2004/03/15 20:35:27 as Exp $ +.\" +.SH NAME +ipsec eroute \- manipulate IPSEC extended routing tables +.SH SYNOPSIS +.B ipsec +.B eroute +.PP +.B ipsec +.B eroute +.B \-\-add +.B \-\-eraf (inet | inet6) +.B \-\-src +src/srcmaskbits|srcmask +.B \-\-dst +dst/dstmaskbits|dstmask +[ +.B \-\-transport\-proto +transport-protocol +] +[ +.B \-\-src\-port +source-port +] +[ +.B \-\-dst\-port +dest-port +] + +.PP +.B ipsec +.B eroute +.B \-\-replace +.B \-\-eraf (inet | inet6) +.B \-\-src +src/srcmaskbits|srcmask +.B \-\-dst +dst/dstmaskbits|dstmask +[ +.B \-\-transport\-proto +transport-protocol +] +[ +.B \-\-src\-port +source-port +] +[ +.B \-\-dst\-port +dest-port +] + +.PP +.B ipsec +.B eroute +.B \-\-del +.B \-\-eraf (inet | inet6) +.B \-\-src +src/srcmaskbits|srcmask +.B \-\-dst +dst/dstmaskbits|dstmask +[ +.B \-\-transport\-proto +transport-protocol +] +[ +.B \-\-src\-port +source-port +] +[ +.B \-\-dst\-port +dest-port +] +.PP +.B ipsec +.B eroute +.B \-\-clear +.PP +.B ipsec +.B eroute +.B \-\-help +.PP +.B ipsec +.B eroute +.B \-\-version +.PP +Where is +.B \-\-af +(inet | inet6) +.B \-\-edst +edst +.B \-\-spi +spi +.B \-\-proto +proto +OR +.B \-\-said +said +OR +.B \-\-said +.B (%passthrough | %passthrough4 | %passthrough6 | %drop | %reject | %trap | %hold | %pass ) +.SH DESCRIPTION +.I Eroute +manages the IPSEC extended routing tables, +which control what (if any) processing is applied +to non-encrypted packets arriving for IPSEC processing and forwarding. +The form with no additional arguments lists the contents of +/proc/net/ipsec_eroute. +The +.B \-\-add +form adds a table entry, the +.B \-\-replace +form replaces a table entry, while the +.B \-\-del +form deletes one. The +.B \-\-clear +form deletes the entire table. +.PP +A table entry consists of: +.IP + 3 +source and destination addresses, +with masks, source and destination ports and protocol +for selection of packets. 
The source and destination ports are only +legal if the transport protocol is +.BR TCP +or +.BR UDP. +A port can be specified as either decimal, hexadecimal (leading 0x), +octal (leading 0) or a name listed in the first column of /etc/services. +A transport protocol can be specified as either decimal, hexadecimal +(leading 0x), octal (leading 0) or a name listed in the first column +of /etc/protocols. If a transport protocol or port is not specified +then it defaults to 0 which means all protocols or all ports +respectively. +.IP + +Security Association IDentifier, comprised of: +.IP + 6 +protocol +(\fIproto\fR), indicating (together with the +effective destination and the security parameters index) +which Security Association should be used to process the packet +.IP + +address family +(\fIaf\fR), +.IP + +Security Parameters Index +(\fIspi\fR), indicating (together with the +effective destination and protocol) +which Security Association should be used to process the packet +(must be larger than or equal to 0x100) +.IP + +effective destination +(\fIedst\fR), +where the packet should be forwarded after processing +(normally the other security gateway) +.IP + 3 +OR +.IP + 6 +SAID +(\fIsaid\fR), indicating +which Security Association should be used to process the packet +.PP +Addresses are written as IPv4 dotted quads or IPv6 coloned hex, +protocol is one of "ah", "esp", "comp" or "tun" and SPIs are +prefixed hexadecimal numbers where '.' represents IPv4 and ':' +stands for IPv6. +.PP +SAIDs are written as "protoafSPI@address". There are also 5 +"magic" SAIDs which have special meaning: +.IP + 3 +.B %drop +means that matches are to be dropped +.IP + +.B %reject +means that matches are to be dropped and an ICMP returned, if +possible to inform +.IP + +.B %trap +means that matches are to trigger an ACQUIRE message to the Key +Management daemon(s) and a hold eroute will be put in place to +prevent subsequent packets also triggering ACQUIRE messages. 
+.IP + +.B %hold +means that matches are to stored until the eroute is replaced or +until that eroute gets reaped +.IP + +.B %pass +means that matches are to allowed to pass without IPSEC processing +.PP +The format of /proc/net/ipsec_eroute is listed in ipsec_eroute(5). +.br +.ne 5 +.SH EXAMPLES +.LP +.B "ipsec eroute \-\-add \-\-eraf inet \-\-src 192.168.0.1/32 \e" +.br +.B " \-\-dst 192.168.2.0/24 \-\-af inet \-\-edst 192.168.0.2 \e" +.br +.B " \-\-spi 0x135 \-\-proto tun" +.LP +sets up an +.BR eroute +on a Security Gateway to protect traffic between the host +.BR 192.168.0.1 +and the subnet +.BR 192.168.2.0 +with +.BR 24 +bits of subnet mask via Security Gateway +.BR 192.168.0.2 +using the Security Association with address +.BR 192.168.0.2 , +Security Parameters Index +.BR 0x135 +and protocol +.BR tun +(50, IPPROTO_ESP). +.LP +.B "ipsec eroute \-\-add \-\-eraf inet6 \-\-src 3049:1::1/128 \e" +.br +.B " \-\-dst 3049:2::/64 \-\-af inet6 \-\-edst 3049:1::2 \e" +.br +.B " \-\-spi 0x145 \-\-proto tun" +.LP +sets up an +.BR eroute +on a Security Gateway to protect traffic between the host +.BR 3049:1::1 +and the subnet +.BR 3049:2:: +with +.BR 64 +bits of subnet mask via Security Gateway +.BR 3049:1::2 +using the Security Association with address +.BR 3049:1::2 , +Security Parameters Index +.BR 0x145 +and protocol +.BR tun +(50, IPPROTO_ESP). 
+.LP +.B "ipsec eroute \-\-replace \-\-eraf inet \-\-src company.com/24 \e" +.br +.B " \-\-dst ftp.ngo.org/32 \-\-said tun.135@gw.ngo.org" +.LP +replaces an +.BR eroute +on a Security Gateway to protect traffic between the subnet +.BR company.com +with +.BR 24 +bits of subnet mask and the host +.BR ftp.ngo.org +via Security Gateway +.BR gw.ngo.org +using the Security Association with Security Association ID +.BR tun0x135@gw.ngo.org +.LP +.B "ipsec eroute \-\-del \-\-eraf inet \-\-src company.com/24 \e" +.br +.B " \-\-dst www.ietf.org/32 \-\-said %passthrough4" +.LP +deletes an +.BR eroute +on a Security Gateway that allowed traffic between the subnet +.BR company.com +with +.BR 24 +bits of subnet mask and the host +.BR www.ietf.org +to pass in the clear, unprocessed. +.LP +.B "ipsec eroute \-\-add \-\-eraf inet \-\-src company.com/24 \e" +.br +.B " \-\-dst mail.ngo.org/32 \-\-transport-proto 6 \e" +.br +.B " \-\-dst\-port 110 \-\-said tun.135@mail.ngo.org" +.LP +sets up an +.BR eroute +on on a Security Gateway to protect only TCP traffic on port 110 +(pop3) between the subnet +.BR company.com +with +.BR 24 +bits of subnet mask and the host +.BR ftp.ngo.org +via Security Gateway +.BR mail.ngo.org +using the Security Association with Security Association ID +.BR tun0x135@mail.ngo.org. +Note that any other traffic bound for +.BR mail.ngo.org +that is routed via the ipsec device will be dropped. If you wish to +allow other traffic to pass through then you must add a %pass rule. +For example the following rule when combined with the above will +ensure that POP3 messages read from +.BR mail.ngo.org +will be encrypted but all other traffic to/from +.BR mail.ngo.org +will be in clear text. 
+.LP +.B "ipsec eroute \-\-add \-\-eraf inet \-\-src company.com/24 \e" +.br +.B " \-\-dst mail.ngo.org/32 \-\-said %pass" +.br +.LP +.SH FILES +/proc/net/ipsec_eroute, /usr/local/bin/ipsec +.SH "SEE ALSO" +ipsec(8), ipsec_manual(8), ipsec_tncfg(8), ipsec_spi(8), +ipsec_spigrp(8), ipsec_klipsdebug(8), ipsec_eroute(5) +.SH HISTORY +Written for the Linux FreeS/WAN project + +by Richard Guy Briggs. +.\" +.\" $Log: eroute.8,v $ +.\" Revision 1.1 2004/03/15 20:35:27 as +.\" added files from freeswan-2.04-x509-1.5.3 +.\" +.\" Revision 1.25 2002/04/24 07:35:38 mcr +.\" Moved from ./klips/utils/eroute.8,v +.\" +.\" Revision 1.24 2001/02/26 19:58:49 rgb +.\" Added a comment on the restriction of spi > 0x100. +.\" Implement magic SAs %drop, %reject, %trap, %hold, %pass as part +.\" of the new SPD and to support opportunistic. +.\" +.\" Revision 1.23 2000/09/17 18:56:48 rgb +.\" Added IPCOMP support. +.\" +.\" Revision 1.22 2000/09/13 15:54:31 rgb +.\" Added Gerhard's ipv6 updates. +.\" +.\" Revision 1.21 2000/06/30 18:21:55 rgb +.\" Update SEE ALSO sections to include ipsec_version(5) and ipsec_pf_key(5) +.\" and correct FILES sections to no longer refer to /dev/ipsec which has +.\" been removed since PF_KEY does not use it. +.\" +.\" Revision 1.20 2000/06/21 16:54:57 rgb +.\" Added 'no additional args' text for listing contents of +.\" /proc/net/ipsec_* files. +.\" +.\" Revision 1.19 1999/07/19 18:47:24 henry +.\" fix slightly-misformed comments +.\" +.\" Revision 1.18 1999/04/06 04:54:37 rgb +.\" Fix/Add RCSID Id: and Log: bits to make PHMDs happy. This includes +.\" patch shell fixes. +.\" +.\" diff --git a/programs/eroute/eroute.c b/programs/eroute/eroute.c new file mode 100644 index 000000000..d1b2bff0a --- /dev/null +++ b/programs/eroute/eroute.c 
@@ -0,0 +1,1044 @@
+/*
+ * manipulate eroutes
+ * Copyright (C) 1996 John Ioannidis.
+ * Copyright (C) 1997, 1998, 1999, 2000, 2001 Richard Guy Briggs.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+char eroute_c_version[] = "RCSID $Id: eroute.c,v 1.3 2005/02/24 20:03:46 as Exp $";
+
+
+#include
+#include /* new */
+#include
+#include
+#include /* system(), strtoul() */
+
+#include
+#include
+#include
+#include
+#include
+#include
+
+
+#include
+#include
+#if 0
+#include /* CONFIG_IPSEC_PFKEYv2 */
+#endif
+/* permanently turn it on since netlink support has been disabled */
+
+#include
+#include
+#include
+
+#include "freeswan/radij.h"
+#include "freeswan/ipsec_encap.h"
+
+#include
+#include
+
+char *program_name;
+char me[] = "ipsec eroute";
+extern char *optarg;
+extern int optind, opterr, optopt;
+char *eroute_af_opt, *said_af_opt, *edst_opt, *spi_opt, *proto_opt, *said_opt, *dst_opt, *src_opt;
+char *transport_proto_opt, *src_port_opt, *dst_port_opt;
+int action_type = 0;
+
+int pfkey_sock;
+fd_set pfkey_socks;
+uint32_t pfkey_seq = 0;
+
+#define EMT_IFADDR 1 /* set enc if addr */
+#define EMT_SETSPI 2 /* Set SPI properties */
+#define EMT_DELSPI 3 /* Delete an SPI */
+#define EMT_GRPSPIS 4 /* Group SPIs (output order) */
+#define EMT_SETEROUTE 5 /* set an extended route */
+#define EMT_DELEROUTE 6 /* del an extended route */
+#define EMT_TESTROUTE 7 /* try to find route, print to console */
+#define EMT_SETDEBUG 8 /* set debug level if active */
+#define EMT_UNGRPSPIS 9 /* UnGroup SPIs
(output order) */
+#define EMT_CLREROUTE 10 /* clear the extended route table */
+#define EMT_CLRSPIS 11 /* clear the spi table */
+#define EMT_REPLACEROUTE 12 /* set an extended route */
+#define EMT_GETDEBUG 13 /* get debug level if active */
+#define EMT_INEROUTE 14 /* set incoming policy for IPIP on a chain */
+
+static void
+add_port(int af, ip_address * addr, short port)
+{
+ switch (af)
+ {
+ case AF_INET:
+ addr->u.v4.sin_port = port;
+ break;
+ case AF_INET6:
+ addr->u.v6.sin6_port = port;
+ break;
+ }
+}
+
+static void
+usage(char* arg)
+{
+ fprintf(stdout, "usage: %s --{add,addin,replace} --eraf --src /| --dst /| [ --transport-proto ] [ --src-port ] [ --dst-port ] \n", arg);
+ fprintf(stdout, " where is '--af --edst --spi --proto '\n");
+ fprintf(stdout, " OR '--said '\n");
+ fprintf(stdout, " OR '--said <%%passthrough | %%passthrough4 | %%passthrough6 | %%drop | %%reject | %%trap | %%hold | %%pass>'.\n");
+ fprintf(stdout, " %s --del --eraf --src /| --dst /| [ --transport-proto ] [ --src-port ] [ --dst-port ]\n", arg);
+ fprintf(stdout, " %s --clear\n", arg);
+ fprintf(stdout, " %s --help\n", arg);
+ fprintf(stdout, " %s --version\n", arg);
+ fprintf(stdout, " %s\n", arg);
+ fprintf(stdout, " [ --debug ] is optional to any %s command.\n", arg);
+ fprintf(stdout, " [ --label
