Add strongswan (4.3.6) for testing.
authorArne Fitzenreiter <arne_f@ipfire.org>
Sat, 20 Mar 2010 21:31:43 +0000 (22:31 +0100)
committerArne Fitzenreiter <arne_f@ipfire.org>
Sat, 20 Mar 2010 21:31:43 +0000 (22:31 +0100)
config/rootfiles/common/openswan [deleted file]
config/rootfiles/common/strongswan [new file with mode: 0644]
doc/packages-list.txt
html/cgi-bin/vpnmain.cgi
lfs/strongswan [new file with mode: 0644]
make.sh
src/initscripts/init.d/firewall
src/initscripts/init.d/ipsec
src/misc-progs/ipsecctrl.c
src/patches/strongswan-4.3.6_ipfire.patch [new file with mode: 0644]

diff --git a/config/rootfiles/common/openswan b/config/rootfiles/common/openswan
deleted file mode 100644 (file)
index 4883788..0000000
+++ /dev/null
@@ -1,302 +0,0 @@
-etc/ipsec.conf
-#etc/ipsec.d
-etc/ipsec.d/aacerts
-etc/ipsec.d/cacerts
-etc/ipsec.d/certs
-etc/ipsec.d/crls
-#etc/ipsec.d/examples
-#etc/ipsec.d/examples/hub-spoke.conf
-#etc/ipsec.d/examples/ipv6.conf
-#etc/ipsec.d/examples/l2tp-cert.conf
-#etc/ipsec.d/examples/l2tp-psk.conf
-#etc/ipsec.d/examples/linux-linux.conf
-#etc/ipsec.d/examples/oe-exclude-dns.conf
-#etc/ipsec.d/examples/sysctl.conf
-#etc/ipsec.d/examples/xauth.conf
-etc/ipsec.d/ocspcerts
-etc/ipsec.d/policies
-#etc/ipsec.d/policies/block
-#etc/ipsec.d/policies/clear
-#etc/ipsec.d/policies/clear-or-private
-#etc/ipsec.d/policies/private
-#etc/ipsec.d/policies/private-or-clear
-etc/ipsec.d/private
-etc/ipsec.secrets
-#etc/rc.d/init.d/ipsec.old
-#etc/rc.d/rc0.d/K76ipsec
-#etc/rc.d/rc1.d
-#etc/rc.d/rc1.d/K76ipsec
-#etc/rc.d/rc2.d
-#etc/rc.d/rc2.d/S47ipsec
-#etc/rc.d/rc3.d/S47ipsec
-#etc/rc.d/rc4.d
-#etc/rc.d/rc4.d/S47ipsec
-#etc/rc.d/rc5.d
-#etc/rc.d/rc5.d/S47ipsec
-#etc/rc.d/rc6.d/K76ipsec
-usr/lib/ipsec
-#usr/lib/ipsec/_confread
-#usr/lib/ipsec/_copyright
-#usr/lib/ipsec/_include
-#usr/lib/ipsec/_keycensor
-#usr/lib/ipsec/_plutoload
-#usr/lib/ipsec/_plutorun
-#usr/lib/ipsec/_realsetup
-#usr/lib/ipsec/_secretcensor
-#usr/lib/ipsec/_startklips
-#usr/lib/ipsec/_startnetkey
-#usr/lib/ipsec/_updown
-#usr/lib/ipsec/_updown.klips
-#usr/lib/ipsec/_updown.klips~
-#usr/lib/ipsec/_updown.mast
-#usr/lib/ipsec/_updown.netkey
-usr/libexec/ipsec
-#usr/libexec/ipsec/_pluto_adns
-#usr/libexec/ipsec/addconn
-#usr/libexec/ipsec/auto
-#usr/libexec/ipsec/barf
-#usr/libexec/ipsec/eroute
-#usr/libexec/ipsec/ikeping
-#usr/libexec/ipsec/klipsdebug
-#usr/libexec/ipsec/look
-#usr/libexec/ipsec/newhostkey
-#usr/libexec/ipsec/pf_key
-#usr/libexec/ipsec/pluto
-#usr/libexec/ipsec/ranbits
-#usr/libexec/ipsec/rsasigkey
-#usr/libexec/ipsec/secrets
-#usr/libexec/ipsec/setup
-#usr/libexec/ipsec/showdefaults
-#usr/libexec/ipsec/showhostkey
-#usr/libexec/ipsec/showpolicy
-#usr/libexec/ipsec/spi
-#usr/libexec/ipsec/spigrp
-#usr/libexec/ipsec/tncfg
-#usr/libexec/ipsec/verify
-#usr/libexec/ipsec/whack
-#usr/man/man3/ipsec_addrbytesof.3
-#usr/man/man3/ipsec_addrbytesptr.3
-#usr/man/man3/ipsec_addrcmp.3
-#usr/man/man3/ipsec_addrinsubnet.3
-#usr/man/man3/ipsec_addrlenof.3
-#usr/man/man3/ipsec_addrtoa.3
-#usr/man/man3/ipsec_addrtosubnet.3
-#usr/man/man3/ipsec_addrtot.3
-#usr/man/man3/ipsec_addrtypeof.3
-#usr/man/man3/ipsec_anyaddr.3
-#usr/man/man3/ipsec_atoaddr.3
-#usr/man/man3/ipsec_atoasr.3
-#usr/man/man3/ipsec_atosubnet.3
-#usr/man/man3/ipsec_atoul.3
-#usr/man/man3/ipsec_bitstomask.3
-#usr/man/man3/ipsec_broadcastof.3
-#usr/man/man3/ipsec_copyright_notice.3
-#usr/man/man3/ipsec_goodmask.3
-#usr/man/man3/ipsec_hostof.3
-#usr/man/man3/ipsec_initaddr.3
-#usr/man/man3/ipsec_initsaid.3
-#usr/man/man3/ipsec_initsubnet.3
-#usr/man/man3/ipsec_isanyaddr.3
-#usr/man/man3/ipsec_isloopbackaddr.3
-#usr/man/man3/ipsec_isunspecaddr.3
-#usr/man/man3/ipsec_loopbackaddr.3
-#usr/man/man3/ipsec_maskof.3
-#usr/man/man3/ipsec_masktobits.3
-#usr/man/man3/ipsec_masktocount.3
-#usr/man/man3/ipsec_networkof.3
-#usr/man/man3/ipsec_optionsfrom.3
-#usr/man/man3/ipsec_portof.3
-#usr/man/man3/ipsec_rangetoa.3
-#usr/man/man3/ipsec_rangetosubnet.3
-#usr/man/man3/ipsec_sameaddr.3
-#usr/man/man3/ipsec_sameaddrtype.3
-#usr/man/man3/ipsec_samesaid.3
-#usr/man/man3/ipsec_samesubnet.3
-#usr/man/man3/ipsec_samesubnettype.3
-#usr/man/man3/ipsec_satot.3
-#usr/man/man3/ipsec_setportof.3
-#usr/man/man3/ipsec_sockaddrlenof.3
-#usr/man/man3/ipsec_sockaddrof.3
-#usr/man/man3/ipsec_subnetinsubnet.3
-#usr/man/man3/ipsec_subnetishost.3
-#usr/man/man3/ipsec_subnetof.3
-#usr/man/man3/ipsec_subnettoa.3
-#usr/man/man3/ipsec_subnettot.3
-#usr/man/man3/ipsec_subnettypeof.3
-#usr/man/man3/ipsec_tnatoaddr.3
-#usr/man/man3/ipsec_ttoaddr.3
-#usr/man/man3/ipsec_ttodata.3
-#usr/man/man3/ipsec_ttosa.3
-#usr/man/man3/ipsec_ttosubnet.3
-#usr/man/man3/ipsec_ttoul.3
-#usr/man/man3/ipsec_unspecaddr.3
-#usr/man/man3/ipsec_version.3
-#usr/man/man3/ipsec_version_code.3
-#usr/man/man3/ipsec_version_string.3
-#usr/man/man5/ipsec_eroute.5
-#usr/man/man5/ipsec_klipsdebug.5
-#usr/man/man5/ipsec_showpolicy.8
-#usr/man/man5/ipsec_spi.5
-#usr/man/man5/ipsec_spigrp.5
-#usr/man/man5/ipsec_tncfg.5
-#usr/man/man5/ipsec_trap_count.5
-#usr/man/man5/ipsec_trap_sendcount.5
-#usr/man/man5/ipsec_version.5
-#usr/man/man5/pf_key.5
-#usr/man/man8/ipsec.8
-#usr/man/man8/ipsec__copyright.8
-#usr/man/man8/ipsec__include.8
-#usr/man/man8/ipsec__keycensor.8
-#usr/man/man8/ipsec__plutoload.8
-#usr/man/man8/ipsec__plutorun.8
-#usr/man/man8/ipsec__realsetup.8
-#usr/man/man8/ipsec__secretcensor.8
-#usr/man/man8/ipsec__startklips.8
-#usr/man/man8/ipsec__startnetkey.8
-#usr/man/man8/ipsec__updown.8
-#usr/man/man8/ipsec__updown.klips.8
-#usr/man/man8/ipsec__updown.mast.8
-#usr/man/man8/ipsec__updown.netkey.8
-#usr/man/man8/ipsec_addconn.8
-#usr/man/man8/ipsec_auto.8
-#usr/man/man8/ipsec_barf.8
-#usr/man/man8/ipsec_eroute.8
-#usr/man/man8/ipsec_ikeping.8
-#usr/man/man8/ipsec_klipsdebug.8
-#usr/man/man8/ipsec_look.8
-#usr/man/man8/ipsec_newhostkey.8
-#usr/man/man8/ipsec_pf_key.8
-#usr/man/man8/ipsec_ranbits.8
-#usr/man/man8/ipsec_rsasigkey.8
-#usr/man/man8/ipsec_secrets.8
-#usr/man/man8/ipsec_setup.8
-#usr/man/man8/ipsec_showdefaults.8
-#usr/man/man8/ipsec_showhostkey.8
-#usr/man/man8/ipsec_showpolicy.8
-#usr/man/man8/ipsec_spi.8
-#usr/man/man8/ipsec_spigrp.8
-#usr/man/man8/ipsec_tncfg.8
-#usr/man/man8/ipsec_verify.8
-usr/sbin/ipsec
-#usr/share/doc/openswan
-#usr/share/doc/openswan/index.html
-#usr/share/doc/openswan/ipsec.8.html
-#usr/share/doc/openswan/ipsec.conf-sample
-#usr/share/doc/openswan/ipsec.conf.5.html
-#usr/share/doc/openswan/ipsec.secrets.5.html
-#usr/share/doc/openswan/ipsec__confread.8.html
-#usr/share/doc/openswan/ipsec__copyright.8.html
-#usr/share/doc/openswan/ipsec__include.8.html
-#usr/share/doc/openswan/ipsec__keycensor.8.html
-#usr/share/doc/openswan/ipsec__plutoload.8.html
-#usr/share/doc/openswan/ipsec__plutorun.8.html
-#usr/share/doc/openswan/ipsec__realsetup.8.html
-#usr/share/doc/openswan/ipsec__secretcensor.8.html
-#usr/share/doc/openswan/ipsec__startklips.8.html
-#usr/share/doc/openswan/ipsec__startnetkey.8.html
-#usr/share/doc/openswan/ipsec__updown.8.html
-#usr/share/doc/openswan/ipsec__updown.klips.8.html
-#usr/share/doc/openswan/ipsec__updown.mast.8.html
-#usr/share/doc/openswan/ipsec__updown.netkey.8.html
-#usr/share/doc/openswan/ipsec_addconn.8.html
-#usr/share/doc/openswan/ipsec_addrbytesof.3.html
-#usr/share/doc/openswan/ipsec_addrbytesptr.3.html
-#usr/share/doc/openswan/ipsec_addrcmp.3.html
-#usr/share/doc/openswan/ipsec_addrinsubnet.3.html
-#usr/share/doc/openswan/ipsec_addrlenof.3.html
-#usr/share/doc/openswan/ipsec_addrtoa.3.html
-#usr/share/doc/openswan/ipsec_addrtosubnet.3.html
-#usr/share/doc/openswan/ipsec_addrtot.3.html
-#usr/share/doc/openswan/ipsec_addrtypeof.3.html
-#usr/share/doc/openswan/ipsec_anyaddr.3.html
-#usr/share/doc/openswan/ipsec_atoaddr.3.html
-#usr/share/doc/openswan/ipsec_atoasr.3.html
-#usr/share/doc/openswan/ipsec_atosubnet.3.html
-#usr/share/doc/openswan/ipsec_atoul.3.html
-#usr/share/doc/openswan/ipsec_auto.8.html
-#usr/share/doc/openswan/ipsec_barf.8.html
-#usr/share/doc/openswan/ipsec_bitstomask.3.html
-#usr/share/doc/openswan/ipsec_broadcastof.3.html
-#usr/share/doc/openswan/ipsec_copyright_notice.3.html
-#usr/share/doc/openswan/ipsec_eroute.5.html
-#usr/share/doc/openswan/ipsec_eroute.8.html
-#usr/share/doc/openswan/ipsec_goodmask.3.html
-#usr/share/doc/openswan/ipsec_hostof.3.html
-#usr/share/doc/openswan/ipsec_ikeping.8.html
-#usr/share/doc/openswan/ipsec_initaddr.3.html
-#usr/share/doc/openswan/ipsec_initsaid.3.html
-#usr/share/doc/openswan/ipsec_initsubnet.3.html
-#usr/share/doc/openswan/ipsec_isanyaddr.3.html
-#usr/share/doc/openswan/ipsec_isloopbackaddr.3.html
-#usr/share/doc/openswan/ipsec_isunspecaddr.3.html
-#usr/share/doc/openswan/ipsec_keyblobtoid.3.html
-#usr/share/doc/openswan/ipsec_klipsdebug.5.html
-#usr/share/doc/openswan/ipsec_klipsdebug.8.html
-#usr/share/doc/openswan/ipsec_livetest.8.html
-#usr/share/doc/openswan/ipsec_look.8.html
-#usr/share/doc/openswan/ipsec_loopbackaddr.3.html
-#usr/share/doc/openswan/ipsec_lwdnsq.8.html
-#usr/share/doc/openswan/ipsec_mailkey.8.html
-#usr/share/doc/openswan/ipsec_manual.8.html
-#usr/share/doc/openswan/ipsec_maskof.3.html
-#usr/share/doc/openswan/ipsec_masktobits.3.html
-#usr/share/doc/openswan/ipsec_masktocount.3.html
-#usr/share/doc/openswan/ipsec_networkof.3.html
-#usr/share/doc/openswan/ipsec_newhostkey.8.html
-#usr/share/doc/openswan/ipsec_optionsfrom.3.html
-#usr/share/doc/openswan/ipsec_pf_key.5.html
-#usr/share/doc/openswan/ipsec_pf_key.8.html
-#usr/share/doc/openswan/ipsec_pluto.8.html
-#usr/share/doc/openswan/ipsec_portof.3.html
-#usr/share/doc/openswan/ipsec_prng.3.html
-#usr/share/doc/openswan/ipsec_prng_bytes.3.html
-#usr/share/doc/openswan/ipsec_prng_final.3.html
-#usr/share/doc/openswan/ipsec_prng_init.3.html
-#usr/share/doc/openswan/ipsec_ranbits.8.html
-#usr/share/doc/openswan/ipsec_rangetoa.3.html
-#usr/share/doc/openswan/ipsec_rangetosubnet.3.html
-#usr/share/doc/openswan/ipsec_readwriteconf.8.html
-#usr/share/doc/openswan/ipsec_rsasigkey.8.html
-#usr/share/doc/openswan/ipsec_sameaddr.3.html
-#usr/share/doc/openswan/ipsec_sameaddrtype.3.html
-#usr/share/doc/openswan/ipsec_samesaid.3.html
-#usr/share/doc/openswan/ipsec_samesubnet.3.html
-#usr/share/doc/openswan/ipsec_samesubnettype.3.html
-#usr/share/doc/openswan/ipsec_satot.3.html
-#usr/share/doc/openswan/ipsec_secrets.8.html
-#usr/share/doc/openswan/ipsec_set_policy.3.html
-#usr/share/doc/openswan/ipsec_setportof.3.html
-#usr/share/doc/openswan/ipsec_setup.8.html
-#usr/share/doc/openswan/ipsec_showdefaults.8.html
-#usr/share/doc/openswan/ipsec_showhostkey.8.html
-#usr/share/doc/openswan/ipsec_showpolicy.8.html
-#usr/share/doc/openswan/ipsec_sockaddrlenof.3.html
-#usr/share/doc/openswan/ipsec_sockaddrof.3.html
-#usr/share/doc/openswan/ipsec_spi.5.html
-#usr/share/doc/openswan/ipsec_spi.8.html
-#usr/share/doc/openswan/ipsec_spigrp.5.html
-#usr/share/doc/openswan/ipsec_spigrp.8.html
-#usr/share/doc/openswan/ipsec_strerror.3.html
-#usr/share/doc/openswan/ipsec_subnetinsubnet.3.html
-#usr/share/doc/openswan/ipsec_subnetishost.3.html
-#usr/share/doc/openswan/ipsec_subnetof.3.html
-#usr/share/doc/openswan/ipsec_subnettoa.3.html
-#usr/share/doc/openswan/ipsec_subnettot.3.html
-#usr/share/doc/openswan/ipsec_subnettypeof.3.html
-#usr/share/doc/openswan/ipsec_tnatoaddr.3.html
-#usr/share/doc/openswan/ipsec_tncfg.5.html
-#usr/share/doc/openswan/ipsec_tncfg.8.html
-#usr/share/doc/openswan/ipsec_trap_count.5.html
-#usr/share/doc/openswan/ipsec_trap_sendcount.5.html
-#usr/share/doc/openswan/ipsec_ttoaddr.3.html
-#usr/share/doc/openswan/ipsec_ttodata.3.html
-#usr/share/doc/openswan/ipsec_ttosa.3.html
-#usr/share/doc/openswan/ipsec_ttosubnet.3.html
-#usr/share/doc/openswan/ipsec_ttoul.3.html
-#usr/share/doc/openswan/ipsec_unspecaddr.3.html
-#usr/share/doc/openswan/ipsec_verify.8.html
-#usr/share/doc/openswan/ipsec_version.3.html
-#usr/share/doc/openswan/ipsec_version.5.html
-#usr/share/doc/openswan/ipsec_version_code.3.html
-#usr/share/doc/openswan/ipsec_version_string.3.html
-var/run/pluto
diff --git a/config/rootfiles/common/strongswan b/config/rootfiles/common/strongswan
new file mode 100644 (file)
index 0000000..1130cc5
--- /dev/null
@@ -0,0 +1,123 @@
+etc/ipsec.conf
+#etc/ipsec.d
+etc/ipsec.d/aacerts
+etc/ipsec.d/acerts
+etc/ipsec.d/cacerts
+etc/ipsec.d/certs
+etc/ipsec.d/crls
+etc/ipsec.d/ocspcerts
+etc/ipsec.d/private
+etc/ipsec.d/reqs
+etc/ipsec.secrets
+etc/strongswan.conf
+#usr/lib/libstrongswan.a
+#usr/lib/libstrongswan.la
+usr/lib/libstrongswan.so
+usr/lib/libstrongswan.so.0
+usr/lib/libstrongswan.so.0.0.0
+#usr/libexec/ipsec
+usr/libexec/ipsec/_copyright
+usr/libexec/ipsec/_pluto_adns
+usr/libexec/ipsec/_updown
+usr/libexec/ipsec/_updown_espmark
+usr/libexec/ipsec/charon
+usr/libexec/ipsec/openac
+usr/libexec/ipsec/pki
+#usr/libexec/ipsec/plugins
+#usr/libexec/ipsec/plugins/libstrongswan-aes.a
+#usr/libexec/ipsec/plugins/libstrongswan-aes.la
+usr/libexec/ipsec/plugins/libstrongswan-aes.so
+#usr/libexec/ipsec/plugins/libstrongswan-attr.a
+#usr/libexec/ipsec/plugins/libstrongswan-attr.la
+usr/libexec/ipsec/plugins/libstrongswan-attr.so
+#usr/libexec/ipsec/plugins/libstrongswan-des.a
+#usr/libexec/ipsec/plugins/libstrongswan-des.la
+usr/libexec/ipsec/plugins/libstrongswan-des.so
+#usr/libexec/ipsec/plugins/libstrongswan-dnskey.a
+#usr/libexec/ipsec/plugins/libstrongswan-dnskey.la
+usr/libexec/ipsec/plugins/libstrongswan-dnskey.so
+#usr/libexec/ipsec/plugins/libstrongswan-fips-prf.a
+#usr/libexec/ipsec/plugins/libstrongswan-fips-prf.la
+usr/libexec/ipsec/plugins/libstrongswan-fips-prf.so
+#usr/libexec/ipsec/plugins/libstrongswan-gmp.a
+#usr/libexec/ipsec/plugins/libstrongswan-gmp.la
+usr/libexec/ipsec/plugins/libstrongswan-gmp.so
+#usr/libexec/ipsec/plugins/libstrongswan-hmac.a
+#usr/libexec/ipsec/plugins/libstrongswan-hmac.la
+usr/libexec/ipsec/plugins/libstrongswan-hmac.so
+#usr/libexec/ipsec/plugins/libstrongswan-kernel-netlink.a
+#usr/libexec/ipsec/plugins/libstrongswan-kernel-netlink.la
+usr/libexec/ipsec/plugins/libstrongswan-kernel-netlink.so
+#usr/libexec/ipsec/plugins/libstrongswan-md5.a
+#usr/libexec/ipsec/plugins/libstrongswan-md5.la
+usr/libexec/ipsec/plugins/libstrongswan-md5.so
+#usr/libexec/ipsec/plugins/libstrongswan-pem.a
+#usr/libexec/ipsec/plugins/libstrongswan-pem.la
+usr/libexec/ipsec/plugins/libstrongswan-pem.so
+#usr/libexec/ipsec/plugins/libstrongswan-pgp.a
+#usr/libexec/ipsec/plugins/libstrongswan-pgp.la
+usr/libexec/ipsec/plugins/libstrongswan-pgp.so
+#usr/libexec/ipsec/plugins/libstrongswan-pkcs1.a
+#usr/libexec/ipsec/plugins/libstrongswan-pkcs1.la
+usr/libexec/ipsec/plugins/libstrongswan-pkcs1.so
+#usr/libexec/ipsec/plugins/libstrongswan-pubkey.a
+#usr/libexec/ipsec/plugins/libstrongswan-pubkey.la
+usr/libexec/ipsec/plugins/libstrongswan-pubkey.so
+#usr/libexec/ipsec/plugins/libstrongswan-random.a
+#usr/libexec/ipsec/plugins/libstrongswan-random.la
+usr/libexec/ipsec/plugins/libstrongswan-random.so
+#usr/libexec/ipsec/plugins/libstrongswan-resolve.a
+#usr/libexec/ipsec/plugins/libstrongswan-resolve.la
+usr/libexec/ipsec/plugins/libstrongswan-resolve.so
+#usr/libexec/ipsec/plugins/libstrongswan-sha1.a
+#usr/libexec/ipsec/plugins/libstrongswan-sha1.la
+usr/libexec/ipsec/plugins/libstrongswan-sha1.so
+#usr/libexec/ipsec/plugins/libstrongswan-sha2.a
+#usr/libexec/ipsec/plugins/libstrongswan-sha2.la
+usr/libexec/ipsec/plugins/libstrongswan-sha2.so
+#usr/libexec/ipsec/plugins/libstrongswan-stroke.a
+#usr/libexec/ipsec/plugins/libstrongswan-stroke.la
+usr/libexec/ipsec/plugins/libstrongswan-stroke.so
+#usr/libexec/ipsec/plugins/libstrongswan-updown.a
+#usr/libexec/ipsec/plugins/libstrongswan-updown.la
+usr/libexec/ipsec/plugins/libstrongswan-updown.so
+#usr/libexec/ipsec/plugins/libstrongswan-x509.a
+#usr/libexec/ipsec/plugins/libstrongswan-x509.la
+usr/libexec/ipsec/plugins/libstrongswan-x509.so
+#usr/libexec/ipsec/plugins/libstrongswan-xcbc.a
+#usr/libexec/ipsec/plugins/libstrongswan-xcbc.la
+usr/libexec/ipsec/plugins/libstrongswan-xcbc.so
+usr/libexec/ipsec/pluto
+usr/libexec/ipsec/scepclient
+usr/libexec/ipsec/starter
+usr/libexec/ipsec/stroke
+usr/libexec/ipsec/whack
+usr/sbin/ipsec
+#usr/share/man/man3/anyaddr.3
+#usr/share/man/man3/atoaddr.3
+#usr/share/man/man3/atoasr.3
+#usr/share/man/man3/atosa.3
+#usr/share/man/man3/atoul.3
+#usr/share/man/man3/goodmask.3
+#usr/share/man/man3/initaddr.3
+#usr/share/man/man3/initsubnet.3
+#usr/share/man/man3/keyblobtoid.3
+#usr/share/man/man3/portof.3
+#usr/share/man/man3/prng.3
+#usr/share/man/man3/rangetosubnet.3
+#usr/share/man/man3/sameaddr.3
+#usr/share/man/man3/subnetof.3
+#usr/share/man/man3/ttoaddr.3
+#usr/share/man/man3/ttodata.3
+#usr/share/man/man3/ttosa.3
+#usr/share/man/man3/ttoul.3
+#usr/share/man/man5/ipsec.conf.5
+#usr/share/man/man5/ipsec.secrets.5
+#usr/share/man/man8/_copyright.8
+#usr/share/man/man8/_updown.8
+#usr/share/man/man8/_updown_espmark.8
+#usr/share/man/man8/ipsec.8
+#usr/share/man/man8/openac.8
+#usr/share/man/man8/pluto.8
+#usr/share/man/man8/scepclient.8
+#usr/share/man/man8/starter.8
index eb98dab..1b7287d 100644 (file)
 * foomatic-3.0-20070813
 * freefont-20060126
 * freetype-2.1.10
-* fuse-2.7.4
+* fuse-2.8.3
 * fwhits
 * gawk-3.1.5
 * gcc-4.0.4
 * groff-1.18.1.1
 * grub-0.97
 * guardian-ipfire
-* gutenprint-5.0.2
+* gutenprint-5.2.5
 * gzip-1.3.5
 * hddtemp-0.3-beta14
 * hdparm-8.9
-* hostapd-0.6.9
+* hostapd-0.7.1
 * hplip-2.7.10
 * htop-0.8.1
 * httpd-2.2.15
 * logrotate-3.7.1
 * logwatch-7.3.6
 * lsof-4.78
-* lynis-1.2.6
+* lynis-1.2.9
 * lzo-2.02
 * m4-1.4.4
 * mISDNuser_20090906
 * openmailadmin-1.0.0
 * openssh-5.4p1
 * openssl-0.9.8m
-* openswan-2.6.24
-* openswan-2.6.24-kmod-2.6.32.9-ipfire
-* openswan-2.6.24-kmod-2.6.32.9-ipfire-xen
 * openvpn-2.1_rc20
 * p7zip_4.65
 * pam_mysql-0.7RC1
 * rssdler-0.4.0a
 * rsync-3.0.7
 * rtorrent-0.8.6
-* samba-3.3.10
+* samba-3.5.1
 * sane-1.0.19
 * screen-4.0.3
 * sdparm-1.01
 * squashfs-lzma-cvs20100214
 * squid-2.7.STABLE7
 * squidGuard-1.4.1
-* squidclamav-5.0
+* squidclamav-5.2
 * sshfs-fuse-2.2
-* sslh-1.6i
+* sslh-1.7a
 * streamripper-1.63.5
+* strongswan-4.3.6
 * sudo-1.6.8p12
 * sysfsutils-1.3.0
 * sysklogd-1.5
index d19f22e..9e75c69 100644 (file)
@@ -248,9 +248,9 @@ sub writeipsecfiles {
     foreach my $key (keys %lconfighash) {
        next if ($lconfighash{$key}[0] ne 'on');
         $interfaces .= "%defaultroute "                    if ($interfaces !~ /defaultroute/ && $lconfighash{$key}[26] eq 'RED');
-       $interfaces .= "ipsec1=$netsettings{'GREEN_DEV'} "  if ($interfaces !~ /ipsec1/       && $lconfighash{$key}[26] eq 'GREEN');
-       $interfaces .= "ipsec2=$netsettings{'BLUE_DEV'} "   if ($interfaces !~ /ipsec2/       && $lconfighash{$key}[26] eq 'BLUE');
-       $interfaces .= "ipsec3=$netsettings{'ORANGE_DEV'} " if ($interfaces !~ /ipsec3/       && $lconfighash{$key}[26] eq 'ORANGE');
+       #$interfaces .= "ipsec1=$netsettings{'GREEN_DEV'} "  if ($interfaces !~ /ipsec1/              && $lconfighash{$key}[26] eq 'GREEN');
+       #$interfaces .= "ipsec2=$netsettings{'BLUE_DEV'} "   if ($interfaces !~ /ipsec2/              && $lconfighash{$key}[26] eq 'BLUE');
+       #$interfaces .= "ipsec3=$netsettings{'ORANGE_DEV'} " if ($interfaces !~ /ipsec3/              && $lconfighash{$key}[26] eq 'ORANGE');
     }
     print CONF $interfaces . "\"\n";
 
@@ -264,6 +264,8 @@ sub writeipsecfiles {
     # deprecated in ipsec.conf version 2
     #print CONF "\tplutoload=%search\n";
     #print CONF "\tplutostart=%search\n";
+    #Disable IKEv2 deamon
+    print CONF "\tcharonstart=no\n";
     print CONF "\tuniqueids=yes\n";
     print CONF "\tnat_traversal=yes\n";
     print CONF "\toverridemtu=$lvpnsettings{'VPN_OVERRIDE_MTU'}\n" if ($lvpnsettings{'VPN_OVERRIDE_MTU'} ne '');
@@ -283,7 +285,8 @@ sub writeipsecfiles {
     print CONF "\n\n";
     print CONF "conn %default\n";
     print CONF "\tkeyingtries=0\n";
-    print CONF "\tdisablearrivalcheck=no\n";
+    #strongswan doesn't know this
+    #print CONF "\tdisablearrivalcheck=no\n";
     print CONF "\n";
 
     if (-f "${General::swroot}/certs/hostkey.pem") {
@@ -312,6 +315,7 @@ sub writeipsecfiles {
        print CONF "\tleft=$localside\n";
        print CONF "\tleftnexthop=%defaultroute\n" if ($lconfighash{$key}[26] eq 'RED' && $lvpnsettings{'VPN_IP'} ne '%defaultroute');
        print CONF "\tleftsubnet=$lconfighash{$key}[8]\n";
+       print CONF "\tleftfirewall=yes\n";
 
        print CONF "\tright=$lconfighash{$key}[10]\n";
        if ($lconfighash{$key}[3] eq 'net') {
diff --git a/lfs/strongswan b/lfs/strongswan
new file mode 100644 (file)
index 0000000..29290f9
--- /dev/null
@@ -0,0 +1,98 @@
+###############################################################################
+#                                                                             #
+# IPFire.org - A linux based firewall                                         #
+# Copyright (C) 2010  Michael Tremer & Christian Schmidt                      #
+#                                                                             #
+# This program is free software: you can redistribute it and/or modify        #
+# it under the terms of the GNU General Public License as published by        #
+# the Free Software Foundation, either version 3 of the License, or           #
+# (at your option) any later version.                                         #
+#                                                                             #
+# This program is distributed in the hope that it will be useful,             #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
+# GNU General Public License for more details.                                #
+#                                                                             #
+# You should have received a copy of the GNU General Public License           #
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
+#                                                                             #
+###############################################################################
+
+###############################################################################
+# Definitions
+###############################################################################
+
+include Config
+
+ifeq "$(XEN)" "1"
+       VERSUFIX=ipfire-xen
+else
+       VERSUFIX=ipfire
+endif
+
+VER        = 4.3.6
+
+THISAPP    = strongswan-$(VER)
+DL_FILE    = $(THISAPP).tar.bz2
+DL_FROM    = $(URL_IPFIRE)
+DIR_APP    = $(DIR_SRC)/$(THISAPP)
+TARGET     = $(DIR_INFO)/$(THISAPP)
+
+###############################################################################
+# Top-level Rules
+###############################################################################
+
+objects = $(DL_FILE)
+
+$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
+
+$(DL_FILE)_MD5 = e071f46b6c463ce76900758734e6143e
+
+install : $(TARGET)
+
+check : $(patsubst %,$(DIR_CHK)/%,$(objects))
+
+download :$(patsubst %,$(DIR_DL)/%,$(objects))
+
+md5 : $(subst %,%_MD5,$(objects))
+
+###############################################################################
+# Downloading, checking, md5sum
+###############################################################################
+
+$(patsubst %,$(DIR_CHK)/%,$(objects)) :
+       @$(CHECK)
+
+$(patsubst %,$(DIR_DL)/%,$(objects)) :
+       @$(LOAD)
+
+$(subst %,%_MD5,$(objects)) :
+       @$(MD5)
+
+###############################################################################
+# Installation Details
+###############################################################################
+
+$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
+       @$(PREBUILD)
+       @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar jxf $(DIR_DL)/$(DL_FILE)
+
+       cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-4.3.6_ipfire.patch
+
+       cd $(DIR_APP) && ./configure --prefix="/usr" --sysconfdir="/etc"
+       cd $(DIR_APP) && make $(MAKETUNING)
+       cd $(DIR_APP) && make install
+
+       -rm -rfv /etc/rc*.d/*ipsec
+       cd $(DIR_SRC) && cp src/initscripts/init.d/ipsec /etc/rc.d/init.d/ipsec
+       rm -f /etc/ipsec.conf /etc/ipsec.secrets
+       ln -sf $(CONFIG_ROOT)/vpn/ipsec.conf /etc/ipsec.conf
+       ln -sf $(CONFIG_ROOT)/vpn/ipsec.secrets /etc/ipsec.secrets
+
+       rm -rf /etc/ipsec.d/{cacerts,certs,crls}
+       ln -sf $(CONFIG_ROOT)/ca    /etc/ipsec.d/cacerts
+       ln -sf $(CONFIG_ROOT)/certs /etc/ipsec.d/certs
+       ln -sf $(CONFIG_ROOT)/crls  /etc/ipsec.d/crls
+
+       #@rm -rf $(DIR_APP)
+       @$(POSTBUILD)
diff --git a/make.sh b/make.sh
index 6a7c63a..8d79f1d 100755 (executable)
--- a/make.sh
+++ b/make.sh
@@ -348,7 +348,7 @@ buildipfire() {
   ipfiremake madwifi                   XEN=1
   #ipfiremake alsa                     XEN=1 KMOD=1
   ipfiremake dahdi                     XEN=1 KMOD=1
-  ipfiremake openswan                  XEN=1 KMOD=1
+#  ipfiremake openswan                 XEN=1 KMOD=1
   #ipfiremake mISDN                    XEN=1
   #ipfiremake compat-wireless          XEN=1
   ipfiremake cryptodev                 XEN=1
@@ -359,7 +359,7 @@ buildipfire() {
   ipfiremake madwifi
   ipfiremake alsa                      KMOD=1
   ipfiremake dahdi                     KMOD=1
-  ipfiremake openswan                  KMOD=1
+#  ipfiremake openswan                 KMOD=1
   #ipfiremake mISDN
   #ipfiremake compat-wireless
   ipfiremake cryptodev
@@ -546,7 +546,8 @@ buildipfire() {
   ipfiremake tripwire
   ipfiremake sysstat
   ipfiremake vsftpd
-  ipfiremake openswan
+#  ipfiremake openswan
+  ipfiremake strongswan
   ipfiremake lsof
   ipfiremake centerim
   ipfiremake br2684ctl
index 55ab624..55bc066 100644 (file)
@@ -166,14 +166,17 @@ case "$1" in
        /sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
        
        # trafic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
-       /sbin/iptables -N IPSECVIRTUAL
+       /sbin/iptables -N IPSECINPUT
+       /sbin/iptables -N IPSECFORWARD
+       /sbin/iptables -N IPSECOUTPUT
        /sbin/iptables -N OPENSSLVIRTUAL
-       /sbin/iptables -A INPUT -j IPSECVIRTUAL -m comment --comment "IPSECVIRTUAL INPUT"
+       /sbin/iptables -A INPUT -j IPSECINPUT
        /sbin/iptables -A INPUT -j OPENSSLVIRTUAL -m comment --comment "OPENSSLVIRTUAL INPUT"
-       /sbin/iptables -A FORWARD -j IPSECVIRTUAL -m comment --comment "IPSECVIRTUAL FORWARD"
+       /sbin/iptables -A FORWARD -j IPSECFORWARD
        /sbin/iptables -A FORWARD -j OPENSSLVIRTUAL -m comment --comment "OPENSSLVIRTUAL FORWARD"
-       /sbin/iptables -t nat -N IPSECNAT
-       /sbin/iptables -t nat -A POSTROUTING -j IPSECNAT
+       /sbin/iptables -A OUTPUT -j IPSECOUTPUT
+       #/sbin/iptables -t nat -N IPSECNAT
+       #/sbin/iptables -t nat -A POSTROUTING -j IPSECNAT
 
        # Outgoing Firewall
        /sbin/iptables -A FORWARD -j OUTGOINGFW
@@ -197,10 +200,6 @@ case "$1" in
        /sbin/iptables -N DHCPBLUEINPUT 
        /sbin/iptables -A INPUT -j DHCPBLUEINPUT
 
-       # IPSec
-       /sbin/iptables -N IPSECPHYSICAL
-       /sbin/iptables -A INPUT -j IPSECPHYSICAL
-
        # OPenSSL
        /sbin/iptables -N OPENSSLPHYSICAL
        /sbin/iptables -A INPUT -j OPENSSLPHYSICAL
index e370747..0c62db5 100644 (file)
@@ -1,178 +1,2 @@
 #!/bin/sh
-# IPsec startup and shutdown script
-# Copyright (C) 1998, 1999, 2001  Henry Spencer.
-# Copyright (C) 2002              Michael Richardson <mcr@freeswan.org>
-# 
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
-# 
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: setup.in,v 1.122.6.3 2006/10/26 23:54:32 paul Exp $
-#
-# ipsec         init.d script for starting and stopping
-#               the IPsec security subsystem (KLIPS and Pluto).
-#
-# This script becomes /etc/rc.d/init.d/ipsec (or possibly /etc/init.d/ipsec)
-# and is also accessible as "ipsec setup" (the preferred route for human
-# invocation).
-#
-# The startup and shutdown times are a difficult compromise (in particular,
-# it is almost impossible to reconcile them with the insanely early/late
-# times of NFS filesystem startup/shutdown).  Startup is after startup of
-# syslog and pcmcia support; shutdown is just before shutdown of syslog.
-#
-# chkconfig: 2345 47 76
-# description: IPsec provides encrypted and authenticated communications; \
-# KLIPS is the kernel half of it, Pluto is the user-level management daemon.
-
-me='ipsec setup'               # for messages
-
-# where the private directory and the config files are
-IPSEC_EXECDIR="${IPSEC_EXECDIR-/usr/libexec/ipsec}"
-IPSEC_LIBDIR="${IPSEC_LIBDIR-/usr/lib/ipsec}"
-IPSEC_SBINDIR="${IPSEC_SBINDIR-/usr/sbin}"
-IPSEC_CONFS="${IPSEC_CONFS-/etc}"
-
-if test " $IPSEC_DIR" = " "    # if we were not called by the ipsec command
-then
-    # we must establish a suitable PATH ourselves
-    PATH="${IPSEC_SBINDIR}":/sbin:/usr/sbin:/usr/local/bin:/bin:/usr/bin
-    export PATH
-
-    IPSEC_DIR="$IPSEC_LIBDIR"
-    export IPSEC_DIR IPSEC_CONFS IPSEC_LIBDIR IPSEC_EXECDIR
-fi
-
-# Check that the ipsec command is available.
-found=
-for dir in `echo $PATH | tr ':' ' '`
-do
-       if test -f $dir/ipsec -a -x $dir/ipsec
-       then
-               found=yes
-               break                   # NOTE BREAK OUT
-       fi
-done
-if ! test "$found"
-then
-       echo "cannot find ipsec command -- \`$1' aborted" |
-               logger -s -p daemon.error -t ipsec_setup
-       exit 1
-fi
-
-# accept a few flags
-
-export IPSEC_setupflags
-IPSEC_setupflags=""
-
-config=""
-
-for dummy
-do
-       case "$1" in
-       --showonly|--show)  IPSEC_setupflags="$1" ;;
-       --config)  config="--config $2" ; shift ;;
-       *) break ;;
-       esac
-       shift
-done
-
-
-# Pick up IPsec configuration (until we have done this, successfully, we
-# do not know where errors should go, hence the explicit "daemon.error"s.)
-# Note the "--export", which exports the variables created.
-eval `ipsec _confread $config --optional --varprefix IPSEC --export --type config setup`
-
-if test " $IPSEC_confreadstatus" != " "
-then
-    case $1 in 
-    stop|--stop|_autostop) 
-       echo "$IPSEC_confreadstatus -- \`$1' may not work" |
-               logger -s -p daemon.error -t ipsec_setup;;
-               
-    *) echo "$IPSEC_confreadstatus -- \`$1' aborted" |
-           logger -s -p daemon.error -t ipsec_setup;
-       exit 1;;
-    esac
-fi
-
-IPSEC_confreadsection=${IPSEC_confreadsection:-setup}
-export IPSEC_confreadsection
-
-IPSECsyslog=${IPSECsyslog-daemon.error}
-export IPSECsyslog
-
-# misc setup
-umask 022
-
-mkdir -p /var/run/pluto
-
-
-# do it
-case "$1" in
-  start|--start|stop|--stop|_autostop|_autostart)
-       if test " `id -u`" != " 0"
-       then
-               echo "permission denied (must be superuser)" |
-                       logger -s -p $IPSECsyslog -t ipsec_setup 2>&1
-               exit 1
-       fi
-       tmp=/var/run/pluto/ipsec_setup.st
-       outtmp=/var/run/pluto/ipsec_setup.out
-       (
-               ipsec _realsetup $1
-               echo "$?" >$tmp
-       ) > ${outtmp} 2>&1
-       st=$?
-       if test -f $tmp
-       then
-               st=`cat $tmp`
-               rm -f $tmp
-       fi
-       if [ -f ${outtmp} ]; then
-               cat ${outtmp} | logger -s -p $IPSECsyslog -t ipsec_setup 2>&1
-               rm -f ${outtmp}
-       fi
-       sleep 20 && chown root:nobody  /var/run/pluto -R && chmod 770 /var/run/pluto -R && ln -sf /var/run/pluto/pluto.pid /var/run/pluto.pid 2>&1 &
-       exit $st
-       ;;
-
-  restart|--restart|force-reload)
-       $0 $IPSEC_setupflags stop
-       $0 $IPSEC_setupflags start
-       ;;
-
-  _autorestart)                        # for internal use only
-       $0 $IPSEC_setupflags _autostop
-       $0 $IPSEC_setupflags _autostart
-       ;;
-
-  status|--status)
-       ipsec _realsetup $1
-       exit
-       ;;
-
-  --version)
-       echo "$me $IPSEC_VERSION"
-       exit 0
-       ;;
-
-  --help)
-       echo "Usage: $me [ --showonly ] {--start|--stop|--restart}"
-       echo "       $me --status"
-       exit 0
-       ;;
-
-  *)
-       echo "Usage: $me [ --showonly ] {--start|--stop|--restart}"
-       echo "       $me --status"
-       exit 2
-esac
-
-exit 0
+ipsec $*
index 763b81f..c46bc06 100644 (file)
@@ -44,7 +44,7 @@ void usage() {
 }
 
 void load_modules() {
-        safe_system("/sbin/modprobe ipsec");
+//        safe_system("/sbin/modprobe ipsec");
 }
 
 /*
@@ -55,22 +55,22 @@ void open_physical (char *interface, int nat_traversal_port) {
 
         // GRE ???
         sprintf(str, "/sbin/iptables -A " phystable " -p 47  -i %s -j ACCEPT", interface);
-        safe_system(str);
+//        safe_system(str);
         // ESP
         sprintf(str, "/sbin/iptables -A " phystable " -p 50  -i %s -j ACCEPT", interface);
-        safe_system(str);
+//        safe_system(str);
         // AH
         sprintf(str, "/sbin/iptables -A " phystable " -p 51  -i %s -j ACCEPT", interface);
-        safe_system(str);
+//        safe_system(str);
         // IKE
         sprintf(str, "/sbin/iptables -A " phystable " -p udp -i %s --sport 500 --dport 500 -j ACCEPT", interface);
-        safe_system(str);
+//        safe_system(str);
 
         if (! nat_traversal_port) 
             return;
 
         sprintf(str, "/sbin/iptables -A " phystable " -p udp -i %s --dport %i -j ACCEPT", interface, nat_traversal_port);
-        safe_system(str);
+//        safe_system(str);
 }
 
 /*
@@ -81,14 +81,14 @@ void open_physical (char *interface, int nat_traversal_port) {
 */
 void open_virtual (void) {
         // allow anything from any ipsec to go on all interface, including other ipsec
-        safe_system("/sbin/iptables -A " virtualtable " -i ipsec+ -j ACCEPT");
+//        safe_system("/sbin/iptables -A " virtualtable " -i ipsec+ -j ACCEPT");
         //todo: BOT extension?; allowing ipsec0<<==port-list-filter==>>GREEN ?
 }
 
 void ipsec_norules() {
         /* clear input rules */
-        safe_system("/sbin/iptables -F " phystable);
-        safe_system("/sbin/iptables -F " virtualtable);
+//        safe_system("/sbin/iptables -F " phystable);
+//        safe_system("/sbin/iptables -F " virtualtable);
 
         // unmap red alias ????
 }
@@ -152,7 +152,7 @@ void add_alias_interfaces(char *configtype,
                 {
                         memset(s, 0, STRING_SIZE);
                         snprintf(s, STRING_SIZE-1, "/usr/sbin/ipsec tncfg --attach --virtual ipsec%d --physical %s:%d >/dev/null", offset+alias, redif, alias);
-                        safe_system(s);
+//                        safe_system(s);
                         alias++;
                 }
         }
diff --git a/src/patches/strongswan-4.3.6_ipfire.patch b/src/patches/strongswan-4.3.6_ipfire.patch
new file mode 100644 (file)
index 0000000..69f2aba
--- /dev/null
@@ -0,0 +1,317 @@
+diff -Naur strongswan-4.3.6.org/src/_updown/_updown.in strongswan-4.3.6/src/_updown/_updown.in
+--- strongswan-4.3.6.org/src/_updown/_updown.in        2009-09-27 21:50:42.000000000 +0200
++++ strongswan-4.3.6/src/_updown/_updown.in    2010-03-20 18:44:11.000000000 +0100
+@@ -374,10 +374,10 @@
+       # connection to me, with (left/right)firewall=yes, coming up
+       # This is used only by the default updown script, not by your custom
+       # ones, so do not mess with it; see CAUTION comment up at top.
+-      iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
++      iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+           -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+           -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+-      iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
++      iptables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+           -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+           -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+       #
+@@ -387,10 +387,10 @@
+         if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+         then
+           logger -t $TAG -p $FAC_PRIO \
+-            "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
++            "host+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+         else
+           logger -t $TAG -p $FAC_PRIO \
+-            "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
++            "host+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+         fi
+       fi
+       ;;
+@@ -398,10 +398,10 @@
+       # connection to me, with (left/right)firewall=yes, going down
+       # This is used only by the default updown script, not by your custom
+       # ones, so do not mess with it; see CAUTION comment up at top.
+-      iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
++      iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+           -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+           -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+-      iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
++      iptables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+           -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+           -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+       #
+@@ -411,10 +411,10 @@
+         if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+         then
+           logger -t $TAG -p $FAC_PRIO -- \
+-            "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
++            "host- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+         else
+           logger -t $TAG -p $FAC_PRIO -- \
+-          "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
++          "host- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+         fi
+       fi
+       ;;
+@@ -424,10 +424,10 @@
+       # ones, so do not mess with it; see CAUTION comment up at top.
+       if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+       then
+-        iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
++        iptables -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+             -s $PLUTO_MY_CLIENT $S_MY_PORT \
+             -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+-        iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
++        iptables -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+             -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+             -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+       fi
+@@ -436,10 +436,10 @@
+       # or sometimes host access via the internal IP is needed
+       if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+       then
+-        iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
++        iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+             -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+             -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+-        iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
++        iptables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+             -s $PLUTO_MY_CLIENT $S_MY_PORT \
+             -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+       fi
+@@ -450,12 +450,27 @@
+         if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+         then
+           logger -t $TAG -p $FAC_PRIO \
+-            "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
++            "client+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+         else
+           logger -t $TAG -p $FAC_PRIO \
+-            "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
++            "client+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+         fi
+       fi
++
++      #
++      # Open Firewall for ESP Traffic
++        iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p ESP \
++            -s $PLUTO_PEER $S_PEER_PORT \
++            -d $PLUTO_ME $D_MY_PORT -j ACCEPT
++        iptables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p ESP \
++            -d $PLUTO_PEER $S_PEER_PORT \
++            -s $PLUTO_ME $D_MY_PORT -j ACCEPT
++      if [ $VPN_LOGGING ]
++      then
++          logger -t $TAG -p $FAC_PRIO \
++            "ESP+ $PLUTO_PEER -- $PLUTO_ME"
++      fi
++
+       ;;
+ down-client:iptables)
+       # connection to client subnet, with (left/right)firewall=yes, going down
+@@ -463,11 +478,11 @@
+       # ones, so do not mess with it; see CAUTION comment up at top.
+       if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+       then
+-        iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
++        iptables -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+             -s $PLUTO_MY_CLIENT $S_MY_PORT \
+             -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+                $IPSEC_POLICY_OUT -j ACCEPT
+-        iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
++        iptables -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+             -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+             -d $PLUTO_MY_CLIENT $D_MY_PORT \
+                $IPSEC_POLICY_IN -j ACCEPT
+@@ -477,11 +492,11 @@
+       # or sometimes host access via the internal IP is needed
+       if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+       then
+-        iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
++        iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+             -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+             -d $PLUTO_MY_CLIENT $D_MY_PORT \
+                $IPSEC_POLICY_IN -j ACCEPT
+-        iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
++        iptables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+             -s $PLUTO_MY_CLIENT $S_MY_PORT \
+             -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+                $IPSEC_POLICY_OUT -j ACCEPT
+@@ -493,12 +508,27 @@
+         if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+         then
+           logger -t $TAG -p $FAC_PRIO -- \
+-            "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
++            "client- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+         else
+           logger -t $TAG -p $FAC_PRIO -- \
+-            "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
++            "client- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+         fi
+       fi
++
++      #
++      # Close Firewall for ESP Traffic
++        iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p ESP \
++            -s $PLUTO_PEER $S_PEER_PORT \
++            -d $PLUTO_ME $D_MY_PORT -j ACCEPT
++        iptables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p ESP \
++            -d $PLUTO_PEER $S_PEER_PORT \
++            -s $PLUTO_ME $D_MY_PORT -j ACCEPT
++      if [ $VPN_LOGGING ]
++      then
++          logger -t $TAG -p $FAC_PRIO \
++            "ESP- $PLUTO_PEER -- $PLUTO_ME"
++      fi
++
+       ;;
+ #
+ # IPv6
+@@ -533,10 +563,10 @@
+       # connection to me, with (left/right)firewall=yes, coming up
+       # This is used only by the default updown script, not by your custom
+       # ones, so do not mess with it; see CAUTION comment up at top.
+-      ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
++      ip6tables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+           -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+           -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+-      ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
++      ip6tables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+           -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+           -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+       #
+@@ -557,10 +587,10 @@
+       # connection to me, with (left/right)firewall=yes, going down
+       # This is used only by the default updown script, not by your custom
+       # ones, so do not mess with it; see CAUTION comment up at top.
+-      ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
++      ip6tables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+           -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+           -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+-      ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
++      ip6tables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+           -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+           -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+       #
+@@ -583,10 +613,10 @@
+       # ones, so do not mess with it; see CAUTION comment up at top.
+       if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
+       then
+-        ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
++        ip6tables -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+             -s $PLUTO_MY_CLIENT $S_MY_PORT \
+             -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+-        ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
++        ip6tables -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+             -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+             -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+       fi
+@@ -595,10 +625,10 @@
+       # or sometimes host access via the internal IP is needed
+       if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+       then
+-        ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
++        ip6tables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+             -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+             -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+-        ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
++        ip6tables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+             -s $PLUTO_MY_CLIENT $S_MY_PORT \
+             -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+       fi
+@@ -622,11 +652,11 @@
+       # ones, so do not mess with it; see CAUTION comment up at top.
+       if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
+       then
+-        ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
++        ip6tables -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+             -s $PLUTO_MY_CLIENT $S_MY_PORT \
+             -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+                $IPSEC_POLICY_OUT -j ACCEPT
+-        ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
++        ip6tables -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+             -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+             -d $PLUTO_MY_CLIENT $D_MY_PORT \
+                $IPSEC_POLICY_IN -j ACCEPT
+@@ -636,11 +666,11 @@
+       # or sometimes host access via the internal IP is needed
+       if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+       then
+-        ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
++        ip6tables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+             -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+             -d $PLUTO_MY_CLIENT $D_MY_PORT \
+                $IPSEC_POLICY_IN -j ACCEPT
+-        ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
++        ip6tables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+             -s $PLUTO_MY_CLIENT $S_MY_PORT \
+             -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+                $IPSEC_POLICY_OUT -j ACCEPT
+diff -Naur strongswan-4.3.6.org/src/_updown_espmark/_updown_espmark strongswan-4.3.6/src/_updown_espmark/_updown_espmark
+--- strongswan-4.3.6.org/src/_updown_espmark/_updown_espmark   2009-09-27 21:50:42.000000000 +0200
++++ strongswan-4.3.6/src/_updown_espmark/_updown_espmark       2010-03-15 18:52:28.000000000 +0100
+@@ -247,10 +247,10 @@
+ ESP_MARK=50
+ # add the following static rule to the INPUT chain in the mangle table
+-# iptables -t mangle -A INPUT -p 50 -j MARK --set-mark 50
++# iptables -t mangle -A IPSECINPUT -p 50 -j MARK --set-mark 50
+ # NAT traversal via UDP encapsulation is supported with the rule
+-# iptables -t mangle -A INPUT -p udp --dport 4500 -j MARK --set-mark 50
++# iptables -t mangle -A IPSECINPUT -p udp --dport 4500 -j MARK --set-mark 50
+ # in the presence of KLIPS and ipsecN interfaces do not use ESP mark rules
+ if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
+@@ -325,10 +325,10 @@
+ up-host:*)
+       # connection to me coming up
+       # If you are doing a custom version, firewall commands go here.
+-      iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
++      iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+           -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
+           -d $PLUTO_ME $D_MY_PORT $CHECK_MARK -j ACCEPT
+-      iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
++      iptables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+           -s $PLUTO_ME $S_MY_PORT \
+           -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
+       #
+@@ -346,10 +346,10 @@
+       # If you are doing a custom version, firewall commands go here.
+       # connection to me going down
+       # If you are doing a custom version, firewall commands go here.
+-      iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
++      iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+           -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
+           -d $PLUTO_ME $D_MY_PORT $CHECK_MARK -j ACCEPT
+-      iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
++      iptables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+           -s $PLUTO_ME $S_MY_PORT \
+           -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
+       #
+@@ -365,10 +365,10 @@
+ up-client:)
+       # connection to my client subnet coming up
+       # If you are doing a custom version, firewall commands go here.
+-      iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
++      iptables -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+           -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
+           -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
+-      iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
++      iptables -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+           -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
+           -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \
+              $CHECK_MARK -j ACCEPT
+@@ -385,10 +385,10 @@
+ down-client:)
+       # connection to my client subnet going down
+       # If you are doing a custom version, firewall commands go here.
+-      iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
++      iptables -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+           -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
+           -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
+-      iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
++      iptables -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+           -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
+           -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \
+              $CHECK_MARK -j ACCEPT