From aa0f5b38aec14428b4b80e06f90ff781f8bca5f1 Mon Sep 17 00:00:00 2001 From: Rene Mayrhofer Date: Mon, 22 May 2006 05:12:18 +0000 Subject: Import initial strongswan 2.7.0 version into SVN. --- testing/hosts/bob/etc/conf.d/hostname | 1 + testing/hosts/bob/etc/conf.d/net | 10 + testing/hosts/bob/etc/init.d/iptables | 74 +++++ testing/hosts/bob/etc/init.d/net.eth0 | 314 +++++++++++++++++++++ testing/hosts/bob/etc/ipsec.conf | 24 ++ .../bob/etc/ipsec.d/cacerts/strongswanCert.pem | 22 ++ testing/hosts/bob/etc/ipsec.d/certs/bobCert.pem | 25 ++ testing/hosts/bob/etc/ipsec.d/private/bobKey.pem | 27 ++ testing/hosts/bob/etc/ipsec.secrets | 8 + testing/hosts/bob/etc/runlevels/default/net.eth0 | 314 +++++++++++++++++++++ 10 files changed, 819 insertions(+) create mode 100644 testing/hosts/bob/etc/conf.d/hostname create mode 100644 testing/hosts/bob/etc/conf.d/net create mode 100755 testing/hosts/bob/etc/init.d/iptables create mode 100755 testing/hosts/bob/etc/init.d/net.eth0 create mode 100755 testing/hosts/bob/etc/ipsec.conf create mode 100644 testing/hosts/bob/etc/ipsec.d/cacerts/strongswanCert.pem create mode 100644 testing/hosts/bob/etc/ipsec.d/certs/bobCert.pem create mode 100644 testing/hosts/bob/etc/ipsec.d/private/bobKey.pem create mode 100644 testing/hosts/bob/etc/ipsec.secrets create mode 100755 testing/hosts/bob/etc/runlevels/default/net.eth0 (limited to 'testing/hosts/bob') diff --git a/testing/hosts/bob/etc/conf.d/hostname b/testing/hosts/bob/etc/conf.d/hostname new file mode 100644 index 000000000..bbf5a2ea6 --- /dev/null +++ b/testing/hosts/bob/etc/conf.d/hostname @@ -0,0 +1 @@ +HOSTNAME=bob diff --git a/testing/hosts/bob/etc/conf.d/net b/testing/hosts/bob/etc/conf.d/net new file mode 100644 index 000000000..09133acad --- /dev/null +++ b/testing/hosts/bob/etc/conf.d/net @@ -0,0 +1,10 @@ +# /etc/conf.d/net: + +# This is basically the ifconfig argument without the ifconfig $iface +# +iface_lo="127.0.0.1 netmask 255.0.0.0" +iface_eth0="PH_IP_BOB broadcast 10.2.255.255 netmask 255.255.0.0" + +# For setting the default gateway +# +gateway="eth0/PH_IP1_SUN" diff --git a/testing/hosts/bob/etc/init.d/iptables b/testing/hosts/bob/etc/init.d/iptables new file mode 100755 index 000000000..7b8756b81 --- /dev/null +++ b/testing/hosts/bob/etc/init.d/iptables @@ -0,0 +1,74 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +opts="start stop reload" + +depend() { + before net + need logger +} + +start() { + ebegin "Starting firewall" + + # default policy is DROP + /sbin/iptables -P INPUT DROP + /sbin/iptables -P OUTPUT DROP + /sbin/iptables -P FORWARD DROP + + # allow IKE + iptables -A INPUT -i eth0 -p udp --dport 500 -j ACCEPT + iptables -A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT + + # allow NAT-T + iptables -A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT + iptables -A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT + + + # allow crl fetch from winnetou + iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT + iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + + # allow ssh + iptables -A INPUT -p tcp --dport 22 -j ACCEPT + iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT + + eend $? +} + +stop() { + ebegin "Stopping firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + + if [ $a == nat ]; then + /sbin/iptables -t nat -P PREROUTING ACCEPT + /sbin/iptables -t nat -P POSTROUTING ACCEPT + /sbin/iptables -t nat -P OUTPUT ACCEPT + elif [ $a == mangle ]; then + /sbin/iptables -t mangle -P PREROUTING ACCEPT + /sbin/iptables -t mangle -P INPUT ACCEPT + /sbin/iptables -t mangle -P FORWARD ACCEPT + /sbin/iptables -t mangle -P OUTPUT ACCEPT + /sbin/iptables -t mangle -P POSTROUTING ACCEPT + elif [ $a == filter ]; then + /sbin/iptables -t filter -P INPUT ACCEPT + /sbin/iptables -t filter -P FORWARD ACCEPT + /sbin/iptables -t filter -P OUTPUT ACCEPT + fi + done + eend $? +} + +reload() { + ebegin "Flushing firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + done; + eend $? + start +} + diff --git a/testing/hosts/bob/etc/init.d/net.eth0 b/testing/hosts/bob/etc/init.d/net.eth0 new file mode 100755 index 000000000..fa1200242 --- /dev/null +++ b/testing/hosts/bob/etc/init.d/net.eth0 @@ -0,0 +1,314 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Technologies, Inc. +# Distributed under the terms of the GNU General Public License v2 + +#NB: Config is in /etc/conf.d/net + +if [[ -n $NET_DEBUG ]]; then + set -x + devnull=/dev/stderr +else + devnull=/dev/null +fi + +# For pcmcia users. note that pcmcia must be added to the same +# runlevel as the net.* script that needs it. +depend() { + use hotplug pcmcia +} + +checkconfig() { + if [[ -z "${ifconfig_IFACE}" ]]; then + eerror "Please make sure that /etc/conf.d/net has \$ifconfig_$IFACE set" + eerror "(or \$iface_$IFACE for old-style configuration)" + return 1 + fi + if [[ -n "${vlans_IFACE}" && ! -x /sbin/vconfig ]]; then + eerror "For VLAN (802.1q) support, emerge net-misc/vconfig" + return 1 + fi +} + +# Fix bug 50039 (init.d/net.eth0 localization) +# Some other commands in this script might need to be wrapped, but +# we'll get them one-by-one. Note that LC_ALL trumps LC_anything_else +# according to locale(7) +ifconfig() { + LC_ALL=C /sbin/ifconfig "$@" +} + +# setup_vars: setup variables based on $1 and content of /etc/conf.d/net +# The following variables are set, which should be declared local by +# the calling routine. +# status_IFACE (up or '') +# vlans_IFACE (space-separated list) +# ifconfig_IFACE (array of ifconfig lines, replaces iface_IFACE) +# dhcpcd_IFACE (command-line args for dhcpcd) +# routes_IFACE (array of route lines) +# inet6_IFACE (array of inet6 lines) +# ifconfig_fallback_IFACE (fallback ifconfig if dhcp fails) +setup_vars() { + local i iface="${1//\./_}" + + status_IFACE="$(ifconfig ${1} 2>${devnull} | gawk '$1 == "UP" {print "up"}')" + eval vlans_IFACE=\"\$\{iface_${iface}_vlans\}\" + eval ifconfig_IFACE=( \"\$\{ifconfig_$iface\[@\]\}\" ) + eval dhcpcd_IFACE=\"\$\{dhcpcd_$iface\}\" + eval routes_IFACE=( \"\$\{routes_$iface\[@\]\}\" ) + eval inet6_IFACE=( \"\$\{inet6_$iface\[@\]\}\" ) + eval ifconfig_fallback_IFACE=( \"\$\{ifconfig_fallback_$iface\[@\]\}\" ) + + # BACKWARD COMPATIBILITY: populate the ifconfig_IFACE array + # if iface_IFACE is set (fex. iface_eth0 instead of ifconfig_eth0) + eval local iface_IFACE=\"\$\{iface_$iface\}\" + if [[ -n ${iface_IFACE} && -z ${ifconfig_IFACE} ]]; then + # Make sure these get evaluated as arrays + local -a aliases broadcasts netmasks + + # Start with the primary interface + ifconfig_IFACE=( "${iface_IFACE}" ) + + # ..then add aliases + eval aliases=( \$\{alias_$iface\} ) + eval broadcasts=( \$\{broadcast_$iface\} ) + eval netmasks=( \$\{netmask_$iface\} ) + for ((i = 0; i < ${#aliases[@]}; i = i + 1)); do + ifconfig_IFACE[i+1]="${aliases[i]} ${broadcasts[i]:+broadcast ${broadcasts[i]}} ${netmasks[i]:+netmask ${netmasks[i]}}" + done + fi + + # BACKWARD COMPATIBILITY: check for space-separated inet6 addresses + if [[ ${#inet6_IFACE[@]} == 1 && ${inet6_IFACE} == *' '* ]]; then + inet6_IFACE=( ${inet6_IFACE} ) + fi +} + +iface_start() { + local IFACE=${1} i x retval + checkconfig || return 1 + + if [[ ${ifconfig_IFACE} != dhcp ]]; then + # Show the address, but catch if this interface will be inet6 only + i=${ifconfig_IFACE%% *} + if [[ ${i} == *.*.*.* ]]; then + ebegin "Bringing ${IFACE} up (${i})" + else + ebegin "Bringing ${IFACE} up" + fi + # ifconfig does not always return failure .. + ifconfig ${IFACE} ${ifconfig_IFACE} >${devnull} && \ + ifconfig ${IFACE} up &>${devnull} + eend $? || return $? + else + # Check that eth0 was not brought up by the kernel ... + if [[ ${status_IFACE} == up ]]; then + einfo "Keeping kernel configuration for ${IFACE}" + else + ebegin "Bringing ${IFACE} up via DHCP" + /sbin/dhcpcd ${dhcpcd_IFACE} ${IFACE} + retval=$? + eend $retval + if [[ $retval == 0 ]]; then + # DHCP succeeded, show address retrieved + i=$(ifconfig ${IFACE} | grep -m1 -o 'inet addr:[^ ]*' | + cut -d: -f2) + [[ -n ${i} ]] && einfo " ${IFACE} received address ${i}" + elif [[ -n "${ifconfig_fallback_IFACE}" ]]; then + # DHCP failed, try fallback. + # Show the address, but catch if this interface will be inet6 only + i=${ifconfig_fallback_IFACE%% *} + if [[ ${i} == *.*.*.* ]]; then + ebegin "Using fallback configuration (${i}) for ${IFACE}" + else + ebegin "Using fallback configuration for ${IFACE}" + fi + ifconfig ${IFACE} ${ifconfig_fallback_IFACE} >${devnull} && \ + ifconfig ${IFACE} up &>${devnull} + eend $? || return $? + else + return $retval + fi + fi + fi + + if [[ ${#ifconfig_IFACE[@]} -gt 1 ]]; then + einfo " Adding aliases" + for ((i = 1; i < ${#ifconfig_IFACE[@]}; i = i + 1)); do + ebegin " ${IFACE}:${i} (${ifconfig_IFACE[i]%% *})" + ifconfig ${IFACE}:${i} ${ifconfig_IFACE[i]} + eend $? + done + fi + + if [[ -n ${inet6_IFACE} ]]; then + einfo " Adding inet6 addresses" + for ((i = 0; i < ${#inet6_IFACE[@]}; i = i + 1)); do + ebegin " ${IFACE} inet6 add ${inet6_IFACE[i]}" + ifconfig ${IFACE} inet6 add ${inet6_IFACE[i]} >${devnull} + eend $? + done + fi + + # Set static routes + if [[ -n ${routes_IFACE} ]]; then + einfo " Adding routes" + for ((i = 0; i < ${#routes_IFACE[@]}; i = i + 1)); do + ebegin " ${routes_IFACE[i]}" + /sbin/route add ${routes_IFACE[i]} + eend $? + done + fi + + # Set default route if applicable to this interface + if [[ ${gateway} == ${IFACE}/* ]]; then + local ogw=$(/bin/netstat -rn | awk '$1 == "0.0.0.0" {print $2}') + local gw=${gateway#*/} + if [[ ${ogw} != ${gw} ]]; then + ebegin " Setting default gateway ($gw)" + + # First delete any existing route if it was setup by kernel... + /sbin/route del default dev ${IFACE} &>${devnull} + + # Second delete old gateway if it was set... + /sbin/route del default gw ${ogw} &>${devnull} + + # Third add our new default gateway + /sbin/route add default gw ${gw} >${devnull} + eend $? || { + true # need to have some command in here + # Note: This originally called stop, which is obviously + # wrong since it's calling with a local version of IFACE. + # The below code works correctly to abort configuration of + # the interface, but is commented because we're assuming + # that default route failure should not cause the interface + # to be unconfigured. + #local error=$? + #ewarn "Aborting configuration of ${IFACE}" + #iface_stop ${IFACE} + #return ${error} + } + fi + fi + + # Enabling rp_filter causes wacky packets to be auto-dropped by + # the kernel. Note that we only do this if it is not set via + # /etc/sysctl.conf ... + if [[ -e /proc/sys/net/ipv4/conf/${IFACE}/rp_filter && \ + -z "$(grep -s '^[^#]*rp_filter' /etc/sysctl.conf)" ]]; then + echo -n 1 > /proc/sys/net/ipv4/conf/${IFACE}/rp_filter + fi +} + +# iface_stop: bring down an interface. Don't trust information in +# /etc/conf.d/net since the configuration might have changed since +# iface_start ran. Instead query for current configuration and bring +# down the interface. +iface_stop() { + local IFACE=${1} i x aliases inet6 count + + # Try to do a simple down (no aliases, no inet6, no dhcp) + aliases="$(ifconfig | grep -o "^$IFACE:[0-9]*" | tac)" + inet6="$(ifconfig ${IFACE} | awk '$1 == "inet6" {print $2}')" + if [[ -z ${aliases} && -z ${inet6} && ! -e /var/run/dhcpcd-${IFACE}.pid ]]; then + ebegin "Bringing ${IFACE} down" + ifconfig ${IFACE} down &>/dev/null + eend 0 + return 0 + fi + + einfo "Bringing ${IFACE} down" + + # Stop aliases before primary interface. + # Note this must be done in reverse order, since ifconfig eth0:1 + # will remove eth0:2, etc. It might be sufficient to simply remove + # the base interface but we're being safe here. + for i in ${aliases} ${IFACE}; do + + # Delete all the inet6 addresses for this interface + inet6="$(ifconfig ${i} | awk '$1 == "inet6" {print $3}')" + if [[ -n ${inet6} ]]; then + einfo " Removing inet6 addresses" + for x in ${inet6}; do + ebegin " ${IFACE} inet6 del ${x}" + ifconfig ${i} inet6 del ${x} + eend $? + done + fi + + # Stop DHCP (should be N/A for aliases) + # Don't trust current configuration... investigate ourselves + if /sbin/dhcpcd -z ${i} &>${devnull}; then + ebegin " Releasing DHCP lease for ${IFACE}" + for ((count = 0; count < 9; count = count + 1)); do + /sbin/dhcpcd -z ${i} &>${devnull} || break + sleep 1 + done + [[ ${count} -lt 9 ]] + eend $? "Timed out" + fi + ebegin " Stopping ${i}" + ifconfig ${i} down &>${devnull} + eend 0 + done + + return 0 +} + +start() { + # These variables are set by setup_vars + local status_IFACE vlans_IFACE dhcpcd_IFACE + local -a ifconfig_IFACE routes_IFACE inet6_IFACE + + # Call user-defined preup function if it exists + if [[ $(type -t preup) == function ]]; then + einfo "Running preup function" + preup ${IFACE} || { + eerror "preup ${IFACE} failed" + return 1 + } + fi + + # Start the primary interface and aliases + setup_vars ${IFACE} + iface_start ${IFACE} || return 1 + + # Start vlans + local vlan + for vlan in ${vlans_IFACE}; do + /sbin/vconfig add ${IFACE} ${vlan} >${devnull} + setup_vars ${IFACE}.${vlan} + iface_start ${IFACE}.${vlan} + done + + # Call user-defined postup function if it exists + if [[ $(type -t postup) == function ]]; then + einfo "Running postup function" + postup ${IFACE} + fi +} + +stop() { + # Call user-defined predown function if it exists + if [[ $(type -t predown) == function ]]; then + einfo "Running predown function" + predown ${IFACE} + fi + + # Don't depend on setup_vars since configuration might have changed. + # Investigate current configuration instead. + local vlan + for vlan in $(ifconfig | grep -o "^${IFACE}\.[^ ]*"); do + iface_stop ${vlan} + /sbin/vconfig rem ${vlan} >${devnull} + done + + iface_stop ${IFACE} || return 1 # always succeeds, btw + + # Call user-defined postdown function if it exists + if [[ $(type -t postdown) == function ]]; then + einfo "Running postdown function" + postdown ${IFACE} + fi +} + +# vim:ts=4 diff --git a/testing/hosts/bob/etc/ipsec.conf b/testing/hosts/bob/etc/ipsec.conf new file mode 100755 index 000000000..cdef4e042 --- /dev/null +++ b/testing/hosts/bob/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + nat_traversal=yes + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn nat-t + left=%defaultroute + leftcert=bobCert.pem + leftid=bob@strongswan.org + leftfirewall=yes + right=%any + rightsubnetwithin=10.1.0.0/16 + auto=add diff --git a/testing/hosts/bob/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/hosts/bob/etc/ipsec.d/cacerts/strongswanCert.pem new file mode 100644 index 000000000..0de3b268d --- /dev/null +++ b/testing/hosts/bob/etc/ipsec.d/cacerts/strongswanCert.pem @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDtTCCAp2gAwIBAgIBADANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA0MDkxMDExMDE0NVoXDTE0MDkwODExMDE0NVowRTELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9u +Z1N3YW4gUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL/y +X2LqPVZuWLPIeknK86xhz6ljd3NNhC2z+P1uoCP3sBMuZiZQEjFzhnKcbXxCeo2f +FnvhOOjrrisSuVkzuu82oxXD3fIkzuS7m9V4E10EZzgmKWIf+WuNRfbgAuUINmLc +4YGAXBQLPyzpP4Ou48hhz/YQo58Bics6PHy5v34qCVROIXDvqhj91P8g+pS+F21/ +7P+CH2jRcVIEHZtG8M/PweTPQ95dPzpYd2Ov6SZ/U7EWmbMmT8VcUYn1aChxFmy5 +gweVBWlkH6MP+1DeE0/tL5c87xo5KCeGK8Tdqpe7sBRC4pPEEHDQciTUvkeuJ1Pr +K+1LwdqRxo7HgMRiDw8CAwEAAaOBrzCBrDAPBgNVHRMBAf8EBTADAQH/MAsGA1Ud +DwQEAwIBBjAdBgNVHQ4EFgQUXafdcAZRMn7ntm2zteXgYOouTe8wbQYDVR0jBGYw +ZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYD +VQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3Qg +Q0GCAQAwDQYJKoZIhvcNAQEEBQADggEBAJrXTj5gWS37myHHhii9drYwkMFyDHS/ +lHU8rW/drcnHdus507+qUhNr9SiEAHg4Ywj895UDvT0a1sFaw44QyEa/94iKA8/n ++g5kS1IrKvWu3wu8UI3EgzChgHV3cncQlQWbK+FI9Y3Ax1O1np1r+wLptoWpKKKE +UxsYcxP9K4Nbyeon0AIHOajUheiL3t6aRc3m0o7VU7Do6S2r+He+1Zq/nRUfFeTy +0Atebkn8tmUpPSKWaXkmwpVNrjZ1Qu9umAU+dtJyhzL2zmnyhPC4VqpsKCOp7imy +gKZvUIKPm1zyf4T+yjwxwkiX2xVseoM3aKswb1EoZFelHwndU7u0GQ8= +-----END CERTIFICATE----- diff --git a/testing/hosts/bob/etc/ipsec.d/certs/bobCert.pem b/testing/hosts/bob/etc/ipsec.d/certs/bobCert.pem new file mode 100644 index 000000000..199d3eee2 --- /dev/null +++ b/testing/hosts/bob/etc/ipsec.d/certs/bobCert.pem @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEHjCCAwagAwIBAgIBBjANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA0MDkxMDExMjUzNFoXDTA5MDkwOTExMjUzNFowWDELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh +cmNoMRswGQYDVQQDFBJib2JAc3Ryb25nc3dhbi5vcmcwggEiMA0GCSqGSIb3DQEB +AQUAA4IBDwAwggEKAoIBAQDAJaejS3/lJfQHgw0nzvotgSQS8ey/6tvbx7s5RsWY +27x9K5xd44aPrvP2Qpyq34IXRY6uPlIqeUTQN7EKpLrWCxMOT36x5N0Co9J5UWRB +fJC141D+8+1RwJ9/baEIecpCvb0GfDOX0GXN5ltcJk82hZjE4y1yHC1FN7V3zdRg +xmloupPuon+X3bTmyMQ93NKkg48CQGtqtfwQ0MqPiOWu8MBhdztfOyu6aW3EgviF +ithLc02SeNzlpqB3M8GDfX+mr3OVDhhhC2OI+VRlZzz7KxJ13DUR2KkvLZR8Ak4E +5lRjkUnTYd/f3OQYxfjC8idUmj5ojR6Fb0x1tsV/glzXAgMBAAGjggEEMIIBADAJ +BgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQUaLN5EPOkOkVU3J1Ud0sl ++27OOHswbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJ +BgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJz +dHJvbmdTd2FuIFJvb3QgQ0GCAQAwHQYDVR0RBBYwFIESYm9iQHN0cm9uZ3N3YW4u +b3JnMDkGA1UdHwQyMDAwLqAsoCqGKGh0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcv +c3Ryb25nc3dhbi5jcmwwDQYJKoZIhvcNAQEEBQADggEBAIyQLLxdeO8clplzRW9z +TRR3J0zSedvi2XlIZ/XCsv0ZVfoBLLWcDp3QrxNiVZXvXXtzjPsDs+DAveZF9LGq +0tIw1uT3JorbgNNrmWvxBvJoQTtSw4LQBuV7vF27jrposx3Hi5qtUXUDS6wVnDUI +5iORqsrddnoDuMN+Jt7oRcvKfYSNwTV+m0ZAHdB5a/ARWO5UILOrxEA/N72NcDYN +NdAd+bLaB38SbkSbh1xj/AGnrHxdJBF4h4mx4btc9gtBSh+dwBHOsn4TheqJ6bbw +7FlXBowQDCJIswKNhWfnIepQlM1KEzmq5YX43uZO2b7amRaIKqy2vNE7+UNFYBpE +Mto= +-----END CERTIFICATE----- diff --git a/testing/hosts/bob/etc/ipsec.d/private/bobKey.pem b/testing/hosts/bob/etc/ipsec.d/private/bobKey.pem new file mode 100644 index 000000000..42af98bb0 --- /dev/null +++ b/testing/hosts/bob/etc/ipsec.d/private/bobKey.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEAwCWno0t/5SX0B4MNJ876LYEkEvHsv+rb28e7OUbFmNu8fSuc +XeOGj67z9kKcqt+CF0WOrj5SKnlE0DexCqS61gsTDk9+seTdAqPSeVFkQXyQteNQ +/vPtUcCff22hCHnKQr29Bnwzl9BlzeZbXCZPNoWYxOMtchwtRTe1d83UYMZpaLqT +7qJ/l9205sjEPdzSpIOPAkBrarX8ENDKj4jlrvDAYXc7XzsrumltxIL4hYrYS3NN +knjc5aagdzPBg31/pq9zlQ4YYQtjiPlUZWc8+ysSddw1EdipLy2UfAJOBOZUY5FJ +02Hf39zkGMX4wvInVJo+aI0ehW9MdbbFf4Jc1wIDAQABAoIBAGbSP5jUiAYZfzKd +4GZTDfFXz/QLXcN9bFV51ihaRNb9jyn0MmLTpGgzGP3Iu4l8vWKyqB154AI2jqpV +gvnNGOX9Wx8nTwbnD5WgELs24M1iWRXcJLWp1m8PAsrv4WJlueRpIEPeJsWwkSnT +gUQYg/8LEqsZXnJXvanym7sWe/Wkh8i/UyMQJv7zwS+TZ5qeKRfSVo8/9622Ppsh +n+zKFKnTUhiICUHFed4qZWyVR6NVyuzIYjeQy+VmBa5AOzmF549Izg6llwNrvJ8g +DiIKSdtblMrN5OlmTra8LGn2QmlETipRb+4qx+MasbVI8pM1VMMQtBGAJYjhpC51 +rX/RLLECgYEA/Qk9PlUfw2aTA7I6a93pcjhUFTnKFVe9RdrwY7mds5t7dOAPcRBj +5wnIv+OhVszoEo/uOPrgWmBu3ifkmcpPTe4NREFEVA99NOadiJDI/7oAj/Is4c5t +CEb/zHTqKtYMVDrjwhszuPD3m2KNIJ38y4gkkrWT071xQBciztWhvYUCgYEAwmXV +DFoNagTrNhf7Ep5sUek0O3nXPXY/cYKnKhlloUP41ftLbNvZ02qBQ6zqxPHtjGlB +5sPeRQMFbVbmyb+97oa3Mrui1TPiTa5IBPyD36Gg0nFx+xLeXTsy8O8leoFcq02D +1SDSye+fEdj2uYr+f33CIknQHUR4/xkOikgSQasCgYEAzTjOHBzsGw25VLkbmtqr +eIDo6SIqnS7BCsPsTeWAWuhSs9L5kyjI7dxIniEffIfJ/SwQ+NO4XHRz1ugiBv1H +Xpwg1Gfe5BJ/6QTVZaqP6qBPzm+LKUTDt3/l/Uwhk8Zwz2vHx2lKhMei+rpuXbLl +EaoEh5yPHZ87F9Dr4Tbw7AUCgYAjtFpmE2AlWdPtsofdypUwkjmStvUuh7ptWcbk +N5fv/7EDdE1NKDAg4Y3uZSMVmy27PVXqUY1QdZaYl356DaqP1dRuEAJ/UDE/fUQj +DlIWT/Re0pFRwQxwaUAY+oOStZHUsL8G9SliB43a1FO0jm/h8LIoZBBCX+ItUGfY +RBZ+UwKBgCToB2oPwDfrfCkScNozV7GPfcmHTR5bvvpYgRMGyuE1hAwLIWW9V4u9 +1Bp1vCR/C4kiUSBpYsGXLRqJ1GURueQoEbREE4ZvkmNV+t40uX3Fd8/OchAGi934 +0jYmd3dvN4MtF7O02YwpBzuH/wAwdxK0iDbdv+KEZb7TLdL37IN1 +-----END RSA PRIVATE KEY----- diff --git a/testing/hosts/bob/etc/ipsec.secrets b/testing/hosts/bob/etc/ipsec.secrets new file mode 100644 index 000000000..b3a0af048 --- /dev/null +++ b/testing/hosts/bob/etc/ipsec.secrets @@ -0,0 +1,8 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA bobKey.pem + + + + + diff --git a/testing/hosts/bob/etc/runlevels/default/net.eth0 b/testing/hosts/bob/etc/runlevels/default/net.eth0 new file mode 100755 index 000000000..fa1200242 --- /dev/null +++ b/testing/hosts/bob/etc/runlevels/default/net.eth0 @@ -0,0 +1,314 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Technologies, Inc. +# Distributed under the terms of the GNU General Public License v2 + +#NB: Config is in /etc/conf.d/net + +if [[ -n $NET_DEBUG ]]; then + set -x + devnull=/dev/stderr +else + devnull=/dev/null +fi + +# For pcmcia users. note that pcmcia must be added to the same +# runlevel as the net.* script that needs it. +depend() { + use hotplug pcmcia +} + +checkconfig() { + if [[ -z "${ifconfig_IFACE}" ]]; then + eerror "Please make sure that /etc/conf.d/net has \$ifconfig_$IFACE set" + eerror "(or \$iface_$IFACE for old-style configuration)" + return 1 + fi + if [[ -n "${vlans_IFACE}" && ! -x /sbin/vconfig ]]; then + eerror "For VLAN (802.1q) support, emerge net-misc/vconfig" + return 1 + fi +} + +# Fix bug 50039 (init.d/net.eth0 localization) +# Some other commands in this script might need to be wrapped, but +# we'll get them one-by-one. Note that LC_ALL trumps LC_anything_else +# according to locale(7) +ifconfig() { + LC_ALL=C /sbin/ifconfig "$@" +} + +# setup_vars: setup variables based on $1 and content of /etc/conf.d/net +# The following variables are set, which should be declared local by +# the calling routine. +# status_IFACE (up or '') +# vlans_IFACE (space-separated list) +# ifconfig_IFACE (array of ifconfig lines, replaces iface_IFACE) +# dhcpcd_IFACE (command-line args for dhcpcd) +# routes_IFACE (array of route lines) +# inet6_IFACE (array of inet6 lines) +# ifconfig_fallback_IFACE (fallback ifconfig if dhcp fails) +setup_vars() { + local i iface="${1//\./_}" + + status_IFACE="$(ifconfig ${1} 2>${devnull} | gawk '$1 == "UP" {print "up"}')" + eval vlans_IFACE=\"\$\{iface_${iface}_vlans\}\" + eval ifconfig_IFACE=( \"\$\{ifconfig_$iface\[@\]\}\" ) + eval dhcpcd_IFACE=\"\$\{dhcpcd_$iface\}\" + eval routes_IFACE=( \"\$\{routes_$iface\[@\]\}\" ) + eval inet6_IFACE=( \"\$\{inet6_$iface\[@\]\}\" ) + eval ifconfig_fallback_IFACE=( \"\$\{ifconfig_fallback_$iface\[@\]\}\" ) + + # BACKWARD COMPATIBILITY: populate the ifconfig_IFACE array + # if iface_IFACE is set (fex. iface_eth0 instead of ifconfig_eth0) + eval local iface_IFACE=\"\$\{iface_$iface\}\" + if [[ -n ${iface_IFACE} && -z ${ifconfig_IFACE} ]]; then + # Make sure these get evaluated as arrays + local -a aliases broadcasts netmasks + + # Start with the primary interface + ifconfig_IFACE=( "${iface_IFACE}" ) + + # ..then add aliases + eval aliases=( \$\{alias_$iface\} ) + eval broadcasts=( \$\{broadcast_$iface\} ) + eval netmasks=( \$\{netmask_$iface\} ) + for ((i = 0; i < ${#aliases[@]}; i = i + 1)); do + ifconfig_IFACE[i+1]="${aliases[i]} ${broadcasts[i]:+broadcast ${broadcasts[i]}} ${netmasks[i]:+netmask ${netmasks[i]}}" + done + fi + + # BACKWARD COMPATIBILITY: check for space-separated inet6 addresses + if [[ ${#inet6_IFACE[@]} == 1 && ${inet6_IFACE} == *' '* ]]; then + inet6_IFACE=( ${inet6_IFACE} ) + fi +} + +iface_start() { + local IFACE=${1} i x retval + checkconfig || return 1 + + if [[ ${ifconfig_IFACE} != dhcp ]]; then + # Show the address, but catch if this interface will be inet6 only + i=${ifconfig_IFACE%% *} + if [[ ${i} == *.*.*.* ]]; then + ebegin "Bringing ${IFACE} up (${i})" + else + ebegin "Bringing ${IFACE} up" + fi + # ifconfig does not always return failure .. + ifconfig ${IFACE} ${ifconfig_IFACE} >${devnull} && \ + ifconfig ${IFACE} up &>${devnull} + eend $? || return $? + else + # Check that eth0 was not brought up by the kernel ... + if [[ ${status_IFACE} == up ]]; then + einfo "Keeping kernel configuration for ${IFACE}" + else + ebegin "Bringing ${IFACE} up via DHCP" + /sbin/dhcpcd ${dhcpcd_IFACE} ${IFACE} + retval=$? + eend $retval + if [[ $retval == 0 ]]; then + # DHCP succeeded, show address retrieved + i=$(ifconfig ${IFACE} | grep -m1 -o 'inet addr:[^ ]*' | + cut -d: -f2) + [[ -n ${i} ]] && einfo " ${IFACE} received address ${i}" + elif [[ -n "${ifconfig_fallback_IFACE}" ]]; then + # DHCP failed, try fallback. + # Show the address, but catch if this interface will be inet6 only + i=${ifconfig_fallback_IFACE%% *} + if [[ ${i} == *.*.*.* ]]; then + ebegin "Using fallback configuration (${i}) for ${IFACE}" + else + ebegin "Using fallback configuration for ${IFACE}" + fi + ifconfig ${IFACE} ${ifconfig_fallback_IFACE} >${devnull} && \ + ifconfig ${IFACE} up &>${devnull} + eend $? || return $? + else + return $retval + fi + fi + fi + + if [[ ${#ifconfig_IFACE[@]} -gt 1 ]]; then + einfo " Adding aliases" + for ((i = 1; i < ${#ifconfig_IFACE[@]}; i = i + 1)); do + ebegin " ${IFACE}:${i} (${ifconfig_IFACE[i]%% *})" + ifconfig ${IFACE}:${i} ${ifconfig_IFACE[i]} + eend $? + done + fi + + if [[ -n ${inet6_IFACE} ]]; then + einfo " Adding inet6 addresses" + for ((i = 0; i < ${#inet6_IFACE[@]}; i = i + 1)); do + ebegin " ${IFACE} inet6 add ${inet6_IFACE[i]}" + ifconfig ${IFACE} inet6 add ${inet6_IFACE[i]} >${devnull} + eend $? + done + fi + + # Set static routes + if [[ -n ${routes_IFACE} ]]; then + einfo " Adding routes" + for ((i = 0; i < ${#routes_IFACE[@]}; i = i + 1)); do + ebegin " ${routes_IFACE[i]}" + /sbin/route add ${routes_IFACE[i]} + eend $? + done + fi + + # Set default route if applicable to this interface + if [[ ${gateway} == ${IFACE}/* ]]; then + local ogw=$(/bin/netstat -rn | awk '$1 == "0.0.0.0" {print $2}') + local gw=${gateway#*/} + if [[ ${ogw} != ${gw} ]]; then + ebegin " Setting default gateway ($gw)" + + # First delete any existing route if it was setup by kernel... + /sbin/route del default dev ${IFACE} &>${devnull} + + # Second delete old gateway if it was set... + /sbin/route del default gw ${ogw} &>${devnull} + + # Third add our new default gateway + /sbin/route add default gw ${gw} >${devnull} + eend $? || { + true # need to have some command in here + # Note: This originally called stop, which is obviously + # wrong since it's calling with a local version of IFACE. + # The below code works correctly to abort configuration of + # the interface, but is commented because we're assuming + # that default route failure should not cause the interface + # to be unconfigured. + #local error=$? + #ewarn "Aborting configuration of ${IFACE}" + #iface_stop ${IFACE} + #return ${error} + } + fi + fi + + # Enabling rp_filter causes wacky packets to be auto-dropped by + # the kernel. Note that we only do this if it is not set via + # /etc/sysctl.conf ... + if [[ -e /proc/sys/net/ipv4/conf/${IFACE}/rp_filter && \ + -z "$(grep -s '^[^#]*rp_filter' /etc/sysctl.conf)" ]]; then + echo -n 1 > /proc/sys/net/ipv4/conf/${IFACE}/rp_filter + fi +} + +# iface_stop: bring down an interface. Don't trust information in +# /etc/conf.d/net since the configuration might have changed since +# iface_start ran. Instead query for current configuration and bring +# down the interface. +iface_stop() { + local IFACE=${1} i x aliases inet6 count + + # Try to do a simple down (no aliases, no inet6, no dhcp) + aliases="$(ifconfig | grep -o "^$IFACE:[0-9]*" | tac)" + inet6="$(ifconfig ${IFACE} | awk '$1 == "inet6" {print $2}')" + if [[ -z ${aliases} && -z ${inet6} && ! -e /var/run/dhcpcd-${IFACE}.pid ]]; then + ebegin "Bringing ${IFACE} down" + ifconfig ${IFACE} down &>/dev/null + eend 0 + return 0 + fi + + einfo "Bringing ${IFACE} down" + + # Stop aliases before primary interface. + # Note this must be done in reverse order, since ifconfig eth0:1 + # will remove eth0:2, etc. It might be sufficient to simply remove + # the base interface but we're being safe here. + for i in ${aliases} ${IFACE}; do + + # Delete all the inet6 addresses for this interface + inet6="$(ifconfig ${i} | awk '$1 == "inet6" {print $3}')" + if [[ -n ${inet6} ]]; then + einfo " Removing inet6 addresses" + for x in ${inet6}; do + ebegin " ${IFACE} inet6 del ${x}" + ifconfig ${i} inet6 del ${x} + eend $? + done + fi + + # Stop DHCP (should be N/A for aliases) + # Don't trust current configuration... investigate ourselves + if /sbin/dhcpcd -z ${i} &>${devnull}; then + ebegin " Releasing DHCP lease for ${IFACE}" + for ((count = 0; count < 9; count = count + 1)); do + /sbin/dhcpcd -z ${i} &>${devnull} || break + sleep 1 + done + [[ ${count} -lt 9 ]] + eend $? "Timed out" + fi + ebegin " Stopping ${i}" + ifconfig ${i} down &>${devnull} + eend 0 + done + + return 0 +} + +start() { + # These variables are set by setup_vars + local status_IFACE vlans_IFACE dhcpcd_IFACE + local -a ifconfig_IFACE routes_IFACE inet6_IFACE + + # Call user-defined preup function if it exists + if [[ $(type -t preup) == function ]]; then + einfo "Running preup function" + preup ${IFACE} || { + eerror "preup ${IFACE} failed" + return 1 + } + fi + + # Start the primary interface and aliases + setup_vars ${IFACE} + iface_start ${IFACE} || return 1 + + # Start vlans + local vlan + for vlan in ${vlans_IFACE}; do + /sbin/vconfig add ${IFACE} ${vlan} >${devnull} + setup_vars ${IFACE}.${vlan} + iface_start ${IFACE}.${vlan} + done + + # Call user-defined postup function if it exists + if [[ $(type -t postup) == function ]]; then + einfo "Running postup function" + postup ${IFACE} + fi +} + +stop() { + # Call user-defined predown function if it exists + if [[ $(type -t predown) == function ]]; then + einfo "Running predown function" + predown ${IFACE} + fi + + # Don't depend on setup_vars since configuration might have changed. + # Investigate current configuration instead. + local vlan + for vlan in $(ifconfig | grep -o "^${IFACE}\.[^ ]*"); do + iface_stop ${vlan} + /sbin/vconfig rem ${vlan} >${devnull} + done + + iface_stop ${IFACE} || return 1 # always succeeds, btw + + # Call user-defined postdown function if it exists + if [[ $(type -t postdown) == function ]]; then + einfo "Running postdown function" + postdown ${IFACE} + fi +} + +# vim:ts=4 -- cgit v1.2.3