+++ /dev/null
-etc/ipsec.conf
-#etc/ipsec.d
-etc/ipsec.d/aacerts
-etc/ipsec.d/cacerts
-etc/ipsec.d/certs
-etc/ipsec.d/crls
-#etc/ipsec.d/examples
-#etc/ipsec.d/examples/hub-spoke.conf
-#etc/ipsec.d/examples/ipv6.conf
-#etc/ipsec.d/examples/l2tp-cert.conf
-#etc/ipsec.d/examples/l2tp-psk.conf
-#etc/ipsec.d/examples/linux-linux.conf
-#etc/ipsec.d/examples/oe-exclude-dns.conf
-#etc/ipsec.d/examples/sysctl.conf
-#etc/ipsec.d/examples/xauth.conf
-etc/ipsec.d/ocspcerts
-etc/ipsec.d/policies
-#etc/ipsec.d/policies/block
-#etc/ipsec.d/policies/clear
-#etc/ipsec.d/policies/clear-or-private
-#etc/ipsec.d/policies/private
-#etc/ipsec.d/policies/private-or-clear
-etc/ipsec.d/private
-etc/ipsec.secrets
-#etc/rc.d/init.d/ipsec.old
-#etc/rc.d/rc0.d/K76ipsec
-#etc/rc.d/rc1.d
-#etc/rc.d/rc1.d/K76ipsec
-#etc/rc.d/rc2.d
-#etc/rc.d/rc2.d/S47ipsec
-#etc/rc.d/rc3.d/S47ipsec
-#etc/rc.d/rc4.d
-#etc/rc.d/rc4.d/S47ipsec
-#etc/rc.d/rc5.d
-#etc/rc.d/rc5.d/S47ipsec
-#etc/rc.d/rc6.d/K76ipsec
-usr/lib/ipsec
-#usr/lib/ipsec/_confread
-#usr/lib/ipsec/_copyright
-#usr/lib/ipsec/_include
-#usr/lib/ipsec/_keycensor
-#usr/lib/ipsec/_plutoload
-#usr/lib/ipsec/_plutorun
-#usr/lib/ipsec/_realsetup
-#usr/lib/ipsec/_secretcensor
-#usr/lib/ipsec/_startklips
-#usr/lib/ipsec/_startnetkey
-#usr/lib/ipsec/_updown
-#usr/lib/ipsec/_updown.klips
-#usr/lib/ipsec/_updown.klips~
-#usr/lib/ipsec/_updown.mast
-#usr/lib/ipsec/_updown.netkey
-usr/libexec/ipsec
-#usr/libexec/ipsec/_pluto_adns
-#usr/libexec/ipsec/addconn
-#usr/libexec/ipsec/auto
-#usr/libexec/ipsec/barf
-#usr/libexec/ipsec/eroute
-#usr/libexec/ipsec/ikeping
-#usr/libexec/ipsec/klipsdebug
-#usr/libexec/ipsec/look
-#usr/libexec/ipsec/newhostkey
-#usr/libexec/ipsec/pf_key
-#usr/libexec/ipsec/pluto
-#usr/libexec/ipsec/ranbits
-#usr/libexec/ipsec/rsasigkey
-#usr/libexec/ipsec/secrets
-#usr/libexec/ipsec/setup
-#usr/libexec/ipsec/showdefaults
-#usr/libexec/ipsec/showhostkey
-#usr/libexec/ipsec/showpolicy
-#usr/libexec/ipsec/spi
-#usr/libexec/ipsec/spigrp
-#usr/libexec/ipsec/tncfg
-#usr/libexec/ipsec/verify
-#usr/libexec/ipsec/whack
-#usr/man/man3/ipsec_addrbytesof.3
-#usr/man/man3/ipsec_addrbytesptr.3
-#usr/man/man3/ipsec_addrcmp.3
-#usr/man/man3/ipsec_addrinsubnet.3
-#usr/man/man3/ipsec_addrlenof.3
-#usr/man/man3/ipsec_addrtoa.3
-#usr/man/man3/ipsec_addrtosubnet.3
-#usr/man/man3/ipsec_addrtot.3
-#usr/man/man3/ipsec_addrtypeof.3
-#usr/man/man3/ipsec_anyaddr.3
-#usr/man/man3/ipsec_atoaddr.3
-#usr/man/man3/ipsec_atoasr.3
-#usr/man/man3/ipsec_atosubnet.3
-#usr/man/man3/ipsec_atoul.3
-#usr/man/man3/ipsec_bitstomask.3
-#usr/man/man3/ipsec_broadcastof.3
-#usr/man/man3/ipsec_copyright_notice.3
-#usr/man/man3/ipsec_goodmask.3
-#usr/man/man3/ipsec_hostof.3
-#usr/man/man3/ipsec_initaddr.3
-#usr/man/man3/ipsec_initsaid.3
-#usr/man/man3/ipsec_initsubnet.3
-#usr/man/man3/ipsec_isanyaddr.3
-#usr/man/man3/ipsec_isloopbackaddr.3
-#usr/man/man3/ipsec_isunspecaddr.3
-#usr/man/man3/ipsec_loopbackaddr.3
-#usr/man/man3/ipsec_maskof.3
-#usr/man/man3/ipsec_masktobits.3
-#usr/man/man3/ipsec_masktocount.3
-#usr/man/man3/ipsec_networkof.3
-#usr/man/man3/ipsec_optionsfrom.3
-#usr/man/man3/ipsec_portof.3
-#usr/man/man3/ipsec_rangetoa.3
-#usr/man/man3/ipsec_rangetosubnet.3
-#usr/man/man3/ipsec_sameaddr.3
-#usr/man/man3/ipsec_sameaddrtype.3
-#usr/man/man3/ipsec_samesaid.3
-#usr/man/man3/ipsec_samesubnet.3
-#usr/man/man3/ipsec_samesubnettype.3
-#usr/man/man3/ipsec_satot.3
-#usr/man/man3/ipsec_setportof.3
-#usr/man/man3/ipsec_sockaddrlenof.3
-#usr/man/man3/ipsec_sockaddrof.3
-#usr/man/man3/ipsec_subnetinsubnet.3
-#usr/man/man3/ipsec_subnetishost.3
-#usr/man/man3/ipsec_subnetof.3
-#usr/man/man3/ipsec_subnettoa.3
-#usr/man/man3/ipsec_subnettot.3
-#usr/man/man3/ipsec_subnettypeof.3
-#usr/man/man3/ipsec_tnatoaddr.3
-#usr/man/man3/ipsec_ttoaddr.3
-#usr/man/man3/ipsec_ttodata.3
-#usr/man/man3/ipsec_ttosa.3
-#usr/man/man3/ipsec_ttosubnet.3
-#usr/man/man3/ipsec_ttoul.3
-#usr/man/man3/ipsec_unspecaddr.3
-#usr/man/man3/ipsec_version.3
-#usr/man/man3/ipsec_version_code.3
-#usr/man/man3/ipsec_version_string.3
-#usr/man/man5/ipsec_eroute.5
-#usr/man/man5/ipsec_klipsdebug.5
-#usr/man/man5/ipsec_showpolicy.8
-#usr/man/man5/ipsec_spi.5
-#usr/man/man5/ipsec_spigrp.5
-#usr/man/man5/ipsec_tncfg.5
-#usr/man/man5/ipsec_trap_count.5
-#usr/man/man5/ipsec_trap_sendcount.5
-#usr/man/man5/ipsec_version.5
-#usr/man/man5/pf_key.5
-#usr/man/man8/ipsec.8
-#usr/man/man8/ipsec__copyright.8
-#usr/man/man8/ipsec__include.8
-#usr/man/man8/ipsec__keycensor.8
-#usr/man/man8/ipsec__plutoload.8
-#usr/man/man8/ipsec__plutorun.8
-#usr/man/man8/ipsec__realsetup.8
-#usr/man/man8/ipsec__secretcensor.8
-#usr/man/man8/ipsec__startklips.8
-#usr/man/man8/ipsec__startnetkey.8
-#usr/man/man8/ipsec__updown.8
-#usr/man/man8/ipsec__updown.klips.8
-#usr/man/man8/ipsec__updown.mast.8
-#usr/man/man8/ipsec__updown.netkey.8
-#usr/man/man8/ipsec_addconn.8
-#usr/man/man8/ipsec_auto.8
-#usr/man/man8/ipsec_barf.8
-#usr/man/man8/ipsec_eroute.8
-#usr/man/man8/ipsec_ikeping.8
-#usr/man/man8/ipsec_klipsdebug.8
-#usr/man/man8/ipsec_look.8
-#usr/man/man8/ipsec_newhostkey.8
-#usr/man/man8/ipsec_pf_key.8
-#usr/man/man8/ipsec_ranbits.8
-#usr/man/man8/ipsec_rsasigkey.8
-#usr/man/man8/ipsec_secrets.8
-#usr/man/man8/ipsec_setup.8
-#usr/man/man8/ipsec_showdefaults.8
-#usr/man/man8/ipsec_showhostkey.8
-#usr/man/man8/ipsec_showpolicy.8
-#usr/man/man8/ipsec_spi.8
-#usr/man/man8/ipsec_spigrp.8
-#usr/man/man8/ipsec_tncfg.8
-#usr/man/man8/ipsec_verify.8
-usr/sbin/ipsec
-#usr/share/doc/openswan
-#usr/share/doc/openswan/index.html
-#usr/share/doc/openswan/ipsec.8.html
-#usr/share/doc/openswan/ipsec.conf-sample
-#usr/share/doc/openswan/ipsec.conf.5.html
-#usr/share/doc/openswan/ipsec.secrets.5.html
-#usr/share/doc/openswan/ipsec__confread.8.html
-#usr/share/doc/openswan/ipsec__copyright.8.html
-#usr/share/doc/openswan/ipsec__include.8.html
-#usr/share/doc/openswan/ipsec__keycensor.8.html
-#usr/share/doc/openswan/ipsec__plutoload.8.html
-#usr/share/doc/openswan/ipsec__plutorun.8.html
-#usr/share/doc/openswan/ipsec__realsetup.8.html
-#usr/share/doc/openswan/ipsec__secretcensor.8.html
-#usr/share/doc/openswan/ipsec__startklips.8.html
-#usr/share/doc/openswan/ipsec__startnetkey.8.html
-#usr/share/doc/openswan/ipsec__updown.8.html
-#usr/share/doc/openswan/ipsec__updown.klips.8.html
-#usr/share/doc/openswan/ipsec__updown.mast.8.html
-#usr/share/doc/openswan/ipsec__updown.netkey.8.html
-#usr/share/doc/openswan/ipsec_addconn.8.html
-#usr/share/doc/openswan/ipsec_addrbytesof.3.html
-#usr/share/doc/openswan/ipsec_addrbytesptr.3.html
-#usr/share/doc/openswan/ipsec_addrcmp.3.html
-#usr/share/doc/openswan/ipsec_addrinsubnet.3.html
-#usr/share/doc/openswan/ipsec_addrlenof.3.html
-#usr/share/doc/openswan/ipsec_addrtoa.3.html
-#usr/share/doc/openswan/ipsec_addrtosubnet.3.html
-#usr/share/doc/openswan/ipsec_addrtot.3.html
-#usr/share/doc/openswan/ipsec_addrtypeof.3.html
-#usr/share/doc/openswan/ipsec_anyaddr.3.html
-#usr/share/doc/openswan/ipsec_atoaddr.3.html
-#usr/share/doc/openswan/ipsec_atoasr.3.html
-#usr/share/doc/openswan/ipsec_atosubnet.3.html
-#usr/share/doc/openswan/ipsec_atoul.3.html
-#usr/share/doc/openswan/ipsec_auto.8.html
-#usr/share/doc/openswan/ipsec_barf.8.html
-#usr/share/doc/openswan/ipsec_bitstomask.3.html
-#usr/share/doc/openswan/ipsec_broadcastof.3.html
-#usr/share/doc/openswan/ipsec_copyright_notice.3.html
-#usr/share/doc/openswan/ipsec_eroute.5.html
-#usr/share/doc/openswan/ipsec_eroute.8.html
-#usr/share/doc/openswan/ipsec_goodmask.3.html
-#usr/share/doc/openswan/ipsec_hostof.3.html
-#usr/share/doc/openswan/ipsec_ikeping.8.html
-#usr/share/doc/openswan/ipsec_initaddr.3.html
-#usr/share/doc/openswan/ipsec_initsaid.3.html
-#usr/share/doc/openswan/ipsec_initsubnet.3.html
-#usr/share/doc/openswan/ipsec_isanyaddr.3.html
-#usr/share/doc/openswan/ipsec_isloopbackaddr.3.html
-#usr/share/doc/openswan/ipsec_isunspecaddr.3.html
-#usr/share/doc/openswan/ipsec_keyblobtoid.3.html
-#usr/share/doc/openswan/ipsec_klipsdebug.5.html
-#usr/share/doc/openswan/ipsec_klipsdebug.8.html
-#usr/share/doc/openswan/ipsec_livetest.8.html
-#usr/share/doc/openswan/ipsec_look.8.html
-#usr/share/doc/openswan/ipsec_loopbackaddr.3.html
-#usr/share/doc/openswan/ipsec_lwdnsq.8.html
-#usr/share/doc/openswan/ipsec_mailkey.8.html
-#usr/share/doc/openswan/ipsec_manual.8.html
-#usr/share/doc/openswan/ipsec_maskof.3.html
-#usr/share/doc/openswan/ipsec_masktobits.3.html
-#usr/share/doc/openswan/ipsec_masktocount.3.html
-#usr/share/doc/openswan/ipsec_networkof.3.html
-#usr/share/doc/openswan/ipsec_newhostkey.8.html
-#usr/share/doc/openswan/ipsec_optionsfrom.3.html
-#usr/share/doc/openswan/ipsec_pf_key.5.html
-#usr/share/doc/openswan/ipsec_pf_key.8.html
-#usr/share/doc/openswan/ipsec_pluto.8.html
-#usr/share/doc/openswan/ipsec_portof.3.html
-#usr/share/doc/openswan/ipsec_prng.3.html
-#usr/share/doc/openswan/ipsec_prng_bytes.3.html
-#usr/share/doc/openswan/ipsec_prng_final.3.html
-#usr/share/doc/openswan/ipsec_prng_init.3.html
-#usr/share/doc/openswan/ipsec_ranbits.8.html
-#usr/share/doc/openswan/ipsec_rangetoa.3.html
-#usr/share/doc/openswan/ipsec_rangetosubnet.3.html
-#usr/share/doc/openswan/ipsec_readwriteconf.8.html
-#usr/share/doc/openswan/ipsec_rsasigkey.8.html
-#usr/share/doc/openswan/ipsec_sameaddr.3.html
-#usr/share/doc/openswan/ipsec_sameaddrtype.3.html
-#usr/share/doc/openswan/ipsec_samesaid.3.html
-#usr/share/doc/openswan/ipsec_samesubnet.3.html
-#usr/share/doc/openswan/ipsec_samesubnettype.3.html
-#usr/share/doc/openswan/ipsec_satot.3.html
-#usr/share/doc/openswan/ipsec_secrets.8.html
-#usr/share/doc/openswan/ipsec_set_policy.3.html
-#usr/share/doc/openswan/ipsec_setportof.3.html
-#usr/share/doc/openswan/ipsec_setup.8.html
-#usr/share/doc/openswan/ipsec_showdefaults.8.html
-#usr/share/doc/openswan/ipsec_showhostkey.8.html
-#usr/share/doc/openswan/ipsec_showpolicy.8.html
-#usr/share/doc/openswan/ipsec_sockaddrlenof.3.html
-#usr/share/doc/openswan/ipsec_sockaddrof.3.html
-#usr/share/doc/openswan/ipsec_spi.5.html
-#usr/share/doc/openswan/ipsec_spi.8.html
-#usr/share/doc/openswan/ipsec_spigrp.5.html
-#usr/share/doc/openswan/ipsec_spigrp.8.html
-#usr/share/doc/openswan/ipsec_strerror.3.html
-#usr/share/doc/openswan/ipsec_subnetinsubnet.3.html
-#usr/share/doc/openswan/ipsec_subnetishost.3.html
-#usr/share/doc/openswan/ipsec_subnetof.3.html
-#usr/share/doc/openswan/ipsec_subnettoa.3.html
-#usr/share/doc/openswan/ipsec_subnettot.3.html
-#usr/share/doc/openswan/ipsec_subnettypeof.3.html
-#usr/share/doc/openswan/ipsec_tnatoaddr.3.html
-#usr/share/doc/openswan/ipsec_tncfg.5.html
-#usr/share/doc/openswan/ipsec_tncfg.8.html
-#usr/share/doc/openswan/ipsec_trap_count.5.html
-#usr/share/doc/openswan/ipsec_trap_sendcount.5.html
-#usr/share/doc/openswan/ipsec_ttoaddr.3.html
-#usr/share/doc/openswan/ipsec_ttodata.3.html
-#usr/share/doc/openswan/ipsec_ttosa.3.html
-#usr/share/doc/openswan/ipsec_ttosubnet.3.html
-#usr/share/doc/openswan/ipsec_ttoul.3.html
-#usr/share/doc/openswan/ipsec_unspecaddr.3.html
-#usr/share/doc/openswan/ipsec_verify.8.html
-#usr/share/doc/openswan/ipsec_version.3.html
-#usr/share/doc/openswan/ipsec_version.5.html
-#usr/share/doc/openswan/ipsec_version_code.3.html
-#usr/share/doc/openswan/ipsec_version_string.3.html
-var/run/pluto
--- /dev/null
+etc/ipsec.conf
+#etc/ipsec.d
+etc/ipsec.d/aacerts
+etc/ipsec.d/acerts
+etc/ipsec.d/cacerts
+etc/ipsec.d/certs
+etc/ipsec.d/crls
+etc/ipsec.d/ocspcerts
+etc/ipsec.d/private
+etc/ipsec.d/reqs
+etc/ipsec.secrets
+etc/strongswan.conf
+#usr/lib/libstrongswan.a
+#usr/lib/libstrongswan.la
+usr/lib/libstrongswan.so
+usr/lib/libstrongswan.so.0
+usr/lib/libstrongswan.so.0.0.0
+#usr/libexec/ipsec
+usr/libexec/ipsec/_copyright
+usr/libexec/ipsec/_pluto_adns
+usr/libexec/ipsec/_updown
+usr/libexec/ipsec/_updown_espmark
+usr/libexec/ipsec/charon
+usr/libexec/ipsec/openac
+usr/libexec/ipsec/pki
+#usr/libexec/ipsec/plugins
+#usr/libexec/ipsec/plugins/libstrongswan-aes.a
+#usr/libexec/ipsec/plugins/libstrongswan-aes.la
+usr/libexec/ipsec/plugins/libstrongswan-aes.so
+#usr/libexec/ipsec/plugins/libstrongswan-attr.a
+#usr/libexec/ipsec/plugins/libstrongswan-attr.la
+usr/libexec/ipsec/plugins/libstrongswan-attr.so
+#usr/libexec/ipsec/plugins/libstrongswan-des.a
+#usr/libexec/ipsec/plugins/libstrongswan-des.la
+usr/libexec/ipsec/plugins/libstrongswan-des.so
+#usr/libexec/ipsec/plugins/libstrongswan-dnskey.a
+#usr/libexec/ipsec/plugins/libstrongswan-dnskey.la
+usr/libexec/ipsec/plugins/libstrongswan-dnskey.so
+#usr/libexec/ipsec/plugins/libstrongswan-fips-prf.a
+#usr/libexec/ipsec/plugins/libstrongswan-fips-prf.la
+usr/libexec/ipsec/plugins/libstrongswan-fips-prf.so
+#usr/libexec/ipsec/plugins/libstrongswan-gmp.a
+#usr/libexec/ipsec/plugins/libstrongswan-gmp.la
+usr/libexec/ipsec/plugins/libstrongswan-gmp.so
+#usr/libexec/ipsec/plugins/libstrongswan-hmac.a
+#usr/libexec/ipsec/plugins/libstrongswan-hmac.la
+usr/libexec/ipsec/plugins/libstrongswan-hmac.so
+#usr/libexec/ipsec/plugins/libstrongswan-kernel-netlink.a
+#usr/libexec/ipsec/plugins/libstrongswan-kernel-netlink.la
+usr/libexec/ipsec/plugins/libstrongswan-kernel-netlink.so
+#usr/libexec/ipsec/plugins/libstrongswan-md5.a
+#usr/libexec/ipsec/plugins/libstrongswan-md5.la
+usr/libexec/ipsec/plugins/libstrongswan-md5.so
+#usr/libexec/ipsec/plugins/libstrongswan-pem.a
+#usr/libexec/ipsec/plugins/libstrongswan-pem.la
+usr/libexec/ipsec/plugins/libstrongswan-pem.so
+#usr/libexec/ipsec/plugins/libstrongswan-pgp.a
+#usr/libexec/ipsec/plugins/libstrongswan-pgp.la
+usr/libexec/ipsec/plugins/libstrongswan-pgp.so
+#usr/libexec/ipsec/plugins/libstrongswan-pkcs1.a
+#usr/libexec/ipsec/plugins/libstrongswan-pkcs1.la
+usr/libexec/ipsec/plugins/libstrongswan-pkcs1.so
+#usr/libexec/ipsec/plugins/libstrongswan-pubkey.a
+#usr/libexec/ipsec/plugins/libstrongswan-pubkey.la
+usr/libexec/ipsec/plugins/libstrongswan-pubkey.so
+#usr/libexec/ipsec/plugins/libstrongswan-random.a
+#usr/libexec/ipsec/plugins/libstrongswan-random.la
+usr/libexec/ipsec/plugins/libstrongswan-random.so
+#usr/libexec/ipsec/plugins/libstrongswan-resolve.a
+#usr/libexec/ipsec/plugins/libstrongswan-resolve.la
+usr/libexec/ipsec/plugins/libstrongswan-resolve.so
+#usr/libexec/ipsec/plugins/libstrongswan-sha1.a
+#usr/libexec/ipsec/plugins/libstrongswan-sha1.la
+usr/libexec/ipsec/plugins/libstrongswan-sha1.so
+#usr/libexec/ipsec/plugins/libstrongswan-sha2.a
+#usr/libexec/ipsec/plugins/libstrongswan-sha2.la
+usr/libexec/ipsec/plugins/libstrongswan-sha2.so
+#usr/libexec/ipsec/plugins/libstrongswan-stroke.a
+#usr/libexec/ipsec/plugins/libstrongswan-stroke.la
+usr/libexec/ipsec/plugins/libstrongswan-stroke.so
+#usr/libexec/ipsec/plugins/libstrongswan-updown.a
+#usr/libexec/ipsec/plugins/libstrongswan-updown.la
+usr/libexec/ipsec/plugins/libstrongswan-updown.so
+#usr/libexec/ipsec/plugins/libstrongswan-x509.a
+#usr/libexec/ipsec/plugins/libstrongswan-x509.la
+usr/libexec/ipsec/plugins/libstrongswan-x509.so
+#usr/libexec/ipsec/plugins/libstrongswan-xcbc.a
+#usr/libexec/ipsec/plugins/libstrongswan-xcbc.la
+usr/libexec/ipsec/plugins/libstrongswan-xcbc.so
+usr/libexec/ipsec/pluto
+usr/libexec/ipsec/scepclient
+usr/libexec/ipsec/starter
+usr/libexec/ipsec/stroke
+usr/libexec/ipsec/whack
+usr/sbin/ipsec
+#usr/share/man/man3/anyaddr.3
+#usr/share/man/man3/atoaddr.3
+#usr/share/man/man3/atoasr.3
+#usr/share/man/man3/atosa.3
+#usr/share/man/man3/atoul.3
+#usr/share/man/man3/goodmask.3
+#usr/share/man/man3/initaddr.3
+#usr/share/man/man3/initsubnet.3
+#usr/share/man/man3/keyblobtoid.3
+#usr/share/man/man3/portof.3
+#usr/share/man/man3/prng.3
+#usr/share/man/man3/rangetosubnet.3
+#usr/share/man/man3/sameaddr.3
+#usr/share/man/man3/subnetof.3
+#usr/share/man/man3/ttoaddr.3
+#usr/share/man/man3/ttodata.3
+#usr/share/man/man3/ttosa.3
+#usr/share/man/man3/ttoul.3
+#usr/share/man/man5/ipsec.conf.5
+#usr/share/man/man5/ipsec.secrets.5
+#usr/share/man/man8/_copyright.8
+#usr/share/man/man8/_updown.8
+#usr/share/man/man8/_updown_espmark.8
+#usr/share/man/man8/ipsec.8
+#usr/share/man/man8/openac.8
+#usr/share/man/man8/pluto.8
+#usr/share/man/man8/scepclient.8
+#usr/share/man/man8/starter.8
* foomatic-3.0-20070813
* freefont-20060126
* freetype-2.1.10
-* fuse-2.7.4
+* fuse-2.8.3
* fwhits
* gawk-3.1.5
* gcc-4.0.4
* groff-1.18.1.1
* grub-0.97
* guardian-ipfire
-* gutenprint-5.0.2
+* gutenprint-5.2.5
* gzip-1.3.5
* hddtemp-0.3-beta14
* hdparm-8.9
-* hostapd-0.6.9
+* hostapd-0.7.1
* hplip-2.7.10
* htop-0.8.1
* httpd-2.2.15
* logrotate-3.7.1
* logwatch-7.3.6
* lsof-4.78
-* lynis-1.2.6
+* lynis-1.2.9
* lzo-2.02
* m4-1.4.4
* mISDNuser_20090906
* openmailadmin-1.0.0
* openssh-5.4p1
* openssl-0.9.8m
-* openswan-2.6.24
-* openswan-2.6.24-kmod-2.6.32.9-ipfire
-* openswan-2.6.24-kmod-2.6.32.9-ipfire-xen
* openvpn-2.1_rc20
* p7zip_4.65
* pam_mysql-0.7RC1
* rssdler-0.4.0a
* rsync-3.0.7
* rtorrent-0.8.6
-* samba-3.3.10
+* samba-3.5.1
* sane-1.0.19
* screen-4.0.3
* sdparm-1.01
* squashfs-lzma-cvs20100214
* squid-2.7.STABLE7
* squidGuard-1.4.1
-* squidclamav-5.0
+* squidclamav-5.2
* sshfs-fuse-2.2
-* sslh-1.6i
+* sslh-1.7a
* streamripper-1.63.5
+* strongswan-4.3.6
* sudo-1.6.8p12
* sysfsutils-1.3.0
* sysklogd-1.5
foreach my $key (keys %lconfighash) {
next if ($lconfighash{$key}[0] ne 'on');
$interfaces .= "%defaultroute " if ($interfaces !~ /defaultroute/ && $lconfighash{$key}[26] eq 'RED');
- $interfaces .= "ipsec1=$netsettings{'GREEN_DEV'} " if ($interfaces !~ /ipsec1/ && $lconfighash{$key}[26] eq 'GREEN');
- $interfaces .= "ipsec2=$netsettings{'BLUE_DEV'} " if ($interfaces !~ /ipsec2/ && $lconfighash{$key}[26] eq 'BLUE');
- $interfaces .= "ipsec3=$netsettings{'ORANGE_DEV'} " if ($interfaces !~ /ipsec3/ && $lconfighash{$key}[26] eq 'ORANGE');
+ #$interfaces .= "ipsec1=$netsettings{'GREEN_DEV'} " if ($interfaces !~ /ipsec1/ && $lconfighash{$key}[26] eq 'GREEN');
+ #$interfaces .= "ipsec2=$netsettings{'BLUE_DEV'} " if ($interfaces !~ /ipsec2/ && $lconfighash{$key}[26] eq 'BLUE');
+ #$interfaces .= "ipsec3=$netsettings{'ORANGE_DEV'} " if ($interfaces !~ /ipsec3/ && $lconfighash{$key}[26] eq 'ORANGE');
}
print CONF $interfaces . "\"\n";
# deprecated in ipsec.conf version 2
#print CONF "\tplutoload=%search\n";
#print CONF "\tplutostart=%search\n";
+ #Disable IKEv2 deamon
+ print CONF "\tcharonstart=no\n";
print CONF "\tuniqueids=yes\n";
print CONF "\tnat_traversal=yes\n";
print CONF "\toverridemtu=$lvpnsettings{'VPN_OVERRIDE_MTU'}\n" if ($lvpnsettings{'VPN_OVERRIDE_MTU'} ne '');
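Review bot: The new comment line reads `#Disable IKEv2 deamon`; it should be `# Disable the IKEv2 daemon (charon); only pluto/IKEv1 is used here` so the intent of `charonstart=no` is clear to the next reader. The three ipsecN interface lines are commented out rather than removed; the KLIPS virtual interfaces they describe do not exist with strongswan on the netkey stack, so leaving them as dead lines only invites someone to re-enable them — delete them, and the same goes for the `#print CONF "\tdisablearrivalcheck=no\n";` pair in the next hunk. The enclosing block that builds `$interfaces` starts outside this hunk.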
print CONF "\n\n";
print CONF "conn %default\n";
print CONF "\tkeyingtries=0\n";
- print CONF "\tdisablearrivalcheck=no\n";
+ #strongswan doesn't know this
+ #print CONF "\tdisablearrivalcheck=no\n";
print CONF "\n";
if (-f "${General::swroot}/certs/hostkey.pem") {
print CONF "\tleft=$localside\n";
print CONF "\tleftnexthop=%defaultroute\n" if ($lconfighash{$key}[26] eq 'RED' && $lvpnsettings{'VPN_IP'} ne '%defaultroute');
print CONF "\tleftsubnet=$lconfighash{$key}[8]\n";
+ print CONF "\tleftfirewall=yes\n";
print CONF "\tright=$lconfighash{$key}[10]\n";
if ($lconfighash{$key}[3] eq 'net') {
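Review bot: `leftfirewall=yes` only works together with the patched `_updown` script shipped in this commit, which inserts its per-connection ACCEPT rules into the `IPSECINPUT`/`IPSECOUTPUT` chains that rc.firewall now creates; if either side is missing, the updown script's iptables calls fail and the tunnel comes up without its firewall holes. That coupling is invisible from this file, so add a comment above the line, e.g. `# leftfirewall=yes: the patched _updown inserts per-connection ACCEPT rules into the IPSECINPUT/IPSECOUTPUT chains created by rc.firewall`. The `conn %default` block this line belongs to continues past the end of the hunk.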
--- /dev/null
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2010 Michael Tremer & Christian Schmidt #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see <http://www.gnu.org/licenses/>. #
+# #
+###############################################################################
+
+###############################################################################
+# Definitions
+###############################################################################
+
+include Config
+
+ifeq "$(XEN)" "1"
+ VERSUFIX=ipfire-xen
+else
+ VERSUFIX=ipfire
+endif
+
+VER = 4.3.6
+
+THISAPP = strongswan-$(VER)
+DL_FILE = $(THISAPP).tar.bz2
+DL_FROM = $(URL_IPFIRE)
+DIR_APP = $(DIR_SRC)/$(THISAPP)
+TARGET = $(DIR_INFO)/$(THISAPP)
+
+###############################################################################
+# Top-level Rules
+###############################################################################
+
+objects = $(DL_FILE)
+
+$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
+
+$(DL_FILE)_MD5 = e071f46b6c463ce76900758734e6143e
+
+install : $(TARGET)
+
+check : $(patsubst %,$(DIR_CHK)/%,$(objects))
+
+download :$(patsubst %,$(DIR_DL)/%,$(objects))
+
+md5 : $(subst %,%_MD5,$(objects))
+
+###############################################################################
+# Downloading, checking, md5sum
+###############################################################################
+
+$(patsubst %,$(DIR_CHK)/%,$(objects)) :
+ @$(CHECK)
+
+$(patsubst %,$(DIR_DL)/%,$(objects)) :
+ @$(LOAD)
+
+$(subst %,%_MD5,$(objects)) :
+ @$(MD5)
+
+###############################################################################
+# Installation Details
+###############################################################################
+
+$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
+ @$(PREBUILD)
+ @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar jxf $(DIR_DL)/$(DL_FILE)
+
+ cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-4.3.6_ipfire.patch
+
+ cd $(DIR_APP) && ./configure --prefix="/usr" --sysconfdir="/etc"
+ cd $(DIR_APP) && make $(MAKETUNING)
+ cd $(DIR_APP) && make install
+
+ -rm -rfv /etc/rc*.d/*ipsec
+ cd $(DIR_SRC) && cp src/initscripts/init.d/ipsec /etc/rc.d/init.d/ipsec
+ rm -f /etc/ipsec.conf /etc/ipsec.secrets
+ ln -sf $(CONFIG_ROOT)/vpn/ipsec.conf /etc/ipsec.conf
+ ln -sf $(CONFIG_ROOT)/vpn/ipsec.secrets /etc/ipsec.secrets
+
+ rm -rf /etc/ipsec.d/{cacerts,certs,crls}
+ ln -sf $(CONFIG_ROOT)/ca /etc/ipsec.d/cacerts
+ ln -sf $(CONFIG_ROOT)/certs /etc/ipsec.d/certs
+ ln -sf $(CONFIG_ROOT)/crls /etc/ipsec.d/crls
+
+ #@rm -rf $(DIR_APP)
+ @$(POSTBUILD)
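Review bot: `rm -rf /etc/ipsec.d/{cacerts,certs,crls}` relies on bash brace expansion; unless the included Config sets SHELL to bash, /bin/sh passes the literal name through, the directories `make install` created survive, and the three `ln -sf` lines that follow then create links inside those directories instead of replacing them. Spell the paths out: `rm -rf /etc/ipsec.d/cacerts /etc/ipsec.d/certs /etc/ipsec.d/crls`. The `VERSUFIX` block at the top is never referenced in this file (nothing here builds a kernel module, and make.sh adds strongswan only to the plain ipfiremake list), so it can go, as can the commented-out `#@rm -rf $(DIR_APP)` recipe line. The nested `make` calls follow the other lfs files, but `$(MAKE)` would pass the jobserver down if `$(MAKETUNING)` carries `-j`.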
ipfiremake madwifi XEN=1
#ipfiremake alsa XEN=1 KMOD=1
ipfiremake dahdi XEN=1 KMOD=1
- ipfiremake openswan XEN=1 KMOD=1
+# ipfiremake openswan XEN=1 KMOD=1
#ipfiremake mISDN XEN=1
#ipfiremake compat-wireless XEN=1
ipfiremake cryptodev XEN=1
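Review bot: The openswan lines are commented out rather than deleted, here and in the two hunks below (after `ipfiremake dahdi KMOD=1` and after `ipfiremake vsftpd`); since the package's lfs file, rootfile and packages-list entries are removed in the same commit, nothing can re-enable them and the dead lines should go. The `# ipfiremake openswan` spelling also differs from the `#ipfiremake mISDN` form used on the neighbouring lines. Adding strongswan only to the plain list (no XEN/KMOD variants) is consistent with the new lfs file building no kernel module.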
ipfiremake madwifi
ipfiremake alsa KMOD=1
ipfiremake dahdi KMOD=1
- ipfiremake openswan KMOD=1
+# ipfiremake openswan KMOD=1
#ipfiremake mISDN
#ipfiremake compat-wireless
ipfiremake cryptodev
ipfiremake tripwire
ipfiremake sysstat
ipfiremake vsftpd
- ipfiremake openswan
+# ipfiremake openswan
+ ipfiremake strongswan
ipfiremake lsof
ipfiremake centerim
ipfiremake br2684ctl
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# trafic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
- /sbin/iptables -N IPSECVIRTUAL
+ /sbin/iptables -N IPSECINPUT
+ /sbin/iptables -N IPSECFORWARD
+ /sbin/iptables -N IPSECOUTPUT
/sbin/iptables -N OPENSSLVIRTUAL
- /sbin/iptables -A INPUT -j IPSECVIRTUAL -m comment --comment "IPSECVIRTUAL INPUT"
+ /sbin/iptables -A INPUT -j IPSECINPUT
/sbin/iptables -A INPUT -j OPENSSLVIRTUAL -m comment --comment "OPENSSLVIRTUAL INPUT"
- /sbin/iptables -A FORWARD -j IPSECVIRTUAL -m comment --comment "IPSECVIRTUAL FORWARD"
+ /sbin/iptables -A FORWARD -j IPSECFORWARD
/sbin/iptables -A FORWARD -j OPENSSLVIRTUAL -m comment --comment "OPENSSLVIRTUAL FORWARD"
- /sbin/iptables -t nat -N IPSECNAT
- /sbin/iptables -t nat -A POSTROUTING -j IPSECNAT
+ /sbin/iptables -A OUTPUT -j IPSECOUTPUT
+ #/sbin/iptables -t nat -N IPSECNAT
+ #/sbin/iptables -t nat -A POSTROUTING -j IPSECNAT
# Outgoing Firewall
/sbin/iptables -A FORWARD -j OUTGOINGFW
/sbin/iptables -N DHCPBLUEINPUT
/sbin/iptables -A INPUT -j DHCPBLUEINPUT
- # IPSec
- /sbin/iptables -N IPSECPHYSICAL
- /sbin/iptables -A INPUT -j IPSECPHYSICAL
-
# OPenSSL
/sbin/iptables -N OPENSSLPHYSICAL
/sbin/iptables -A INPUT -j OPENSSLPHYSICAL
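Review bot: With the `IPSECPHYSICAL` chain removed here and the ESP/AH/IKE accept rules in ipsecctrl.c commented out in the same commit, I cannot see where protocol 50, protocol 51 and UDP 500 (plus the NAT-T port) towards the red interface are still accepted; if nothing else in the tree does that, strongswan will not receive IKE from the outside and an explicit rule set is needed, the new `IPSECINPUT` chain being the natural place. The new jumps also drop the `-m comment --comment` annotation that the adjacent OPENSSLVIRTUAL jumps keep; stay consistent, e.g. `/sbin/iptables -A INPUT -j IPSECINPUT -m comment --comment "IPSECINPUT INPUT"`. The `IPSECNAT` chain is only commented out; if no other script references it any more, delete the two lines instead.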
#!/bin/sh
-# IPsec startup and shutdown script
-# Copyright (C) 1998, 1999, 2001 Henry Spencer.
-# Copyright (C) 2002 Michael Richardson <mcr@freeswan.org>
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: setup.in,v 1.122.6.3 2006/10/26 23:54:32 paul Exp $
-#
-# ipsec init.d script for starting and stopping
-# the IPsec security subsystem (KLIPS and Pluto).
-#
-# This script becomes /etc/rc.d/init.d/ipsec (or possibly /etc/init.d/ipsec)
-# and is also accessible as "ipsec setup" (the preferred route for human
-# invocation).
-#
-# The startup and shutdown times are a difficult compromise (in particular,
-# it is almost impossible to reconcile them with the insanely early/late
-# times of NFS filesystem startup/shutdown). Startup is after startup of
-# syslog and pcmcia support; shutdown is just before shutdown of syslog.
-#
-# chkconfig: 2345 47 76
-# description: IPsec provides encrypted and authenticated communications; \
-# KLIPS is the kernel half of it, Pluto is the user-level management daemon.
-
-me='ipsec setup' # for messages
-
-# where the private directory and the config files are
-IPSEC_EXECDIR="${IPSEC_EXECDIR-/usr/libexec/ipsec}"
-IPSEC_LIBDIR="${IPSEC_LIBDIR-/usr/lib/ipsec}"
-IPSEC_SBINDIR="${IPSEC_SBINDIR-/usr/sbin}"
-IPSEC_CONFS="${IPSEC_CONFS-/etc}"
-
-if test " $IPSEC_DIR" = " " # if we were not called by the ipsec command
-then
- # we must establish a suitable PATH ourselves
- PATH="${IPSEC_SBINDIR}":/sbin:/usr/sbin:/usr/local/bin:/bin:/usr/bin
- export PATH
-
- IPSEC_DIR="$IPSEC_LIBDIR"
- export IPSEC_DIR IPSEC_CONFS IPSEC_LIBDIR IPSEC_EXECDIR
-fi
-
-# Check that the ipsec command is available.
-found=
-for dir in `echo $PATH | tr ':' ' '`
-do
- if test -f $dir/ipsec -a -x $dir/ipsec
- then
- found=yes
- break # NOTE BREAK OUT
- fi
-done
-if ! test "$found"
-then
- echo "cannot find ipsec command -- \`$1' aborted" |
- logger -s -p daemon.error -t ipsec_setup
- exit 1
-fi
-
-# accept a few flags
-
-export IPSEC_setupflags
-IPSEC_setupflags=""
-
-config=""
-
-for dummy
-do
- case "$1" in
- --showonly|--show) IPSEC_setupflags="$1" ;;
- --config) config="--config $2" ; shift ;;
- *) break ;;
- esac
- shift
-done
-
-
-# Pick up IPsec configuration (until we have done this, successfully, we
-# do not know where errors should go, hence the explicit "daemon.error"s.)
-# Note the "--export", which exports the variables created.
-eval `ipsec _confread $config --optional --varprefix IPSEC --export --type config setup`
-
-if test " $IPSEC_confreadstatus" != " "
-then
- case $1 in
- stop|--stop|_autostop)
- echo "$IPSEC_confreadstatus -- \`$1' may not work" |
- logger -s -p daemon.error -t ipsec_setup;;
-
- *) echo "$IPSEC_confreadstatus -- \`$1' aborted" |
- logger -s -p daemon.error -t ipsec_setup;
- exit 1;;
- esac
-fi
-
-IPSEC_confreadsection=${IPSEC_confreadsection:-setup}
-export IPSEC_confreadsection
-
-IPSECsyslog=${IPSECsyslog-daemon.error}
-export IPSECsyslog
-
-# misc setup
-umask 022
-
-mkdir -p /var/run/pluto
-
-
-# do it
-case "$1" in
- start|--start|stop|--stop|_autostop|_autostart)
- if test " `id -u`" != " 0"
- then
- echo "permission denied (must be superuser)" |
- logger -s -p $IPSECsyslog -t ipsec_setup 2>&1
- exit 1
- fi
- tmp=/var/run/pluto/ipsec_setup.st
- outtmp=/var/run/pluto/ipsec_setup.out
- (
- ipsec _realsetup $1
- echo "$?" >$tmp
- ) > ${outtmp} 2>&1
- st=$?
- if test -f $tmp
- then
- st=`cat $tmp`
- rm -f $tmp
- fi
- if [ -f ${outtmp} ]; then
- cat ${outtmp} | logger -s -p $IPSECsyslog -t ipsec_setup 2>&1
- rm -f ${outtmp}
- fi
- sleep 20 && chown root:nobody /var/run/pluto -R && chmod 770 /var/run/pluto -R && ln -sf /var/run/pluto/pluto.pid /var/run/pluto.pid 2>&1 &
- exit $st
- ;;
-
- restart|--restart|force-reload)
- $0 $IPSEC_setupflags stop
- $0 $IPSEC_setupflags start
- ;;
-
- _autorestart) # for internal use only
- $0 $IPSEC_setupflags _autostop
- $0 $IPSEC_setupflags _autostart
- ;;
-
- status|--status)
- ipsec _realsetup $1
- exit
- ;;
-
- --version)
- echo "$me $IPSEC_VERSION"
- exit 0
- ;;
-
- --help)
- echo "Usage: $me [ --showonly ] {--start|--stop|--restart}"
- echo " $me --status"
- exit 0
- ;;
-
- *)
- echo "Usage: $me [ --showonly ] {--start|--stop|--restart}"
- echo " $me --status"
- exit 2
-esac
-
-exit 0
+ipsec $*
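Review bot: `ipsec $*` leaves the arguments unquoted, so any argument containing whitespace or glob characters is re-split by the shell before it reaches strongswan's wrapper; use `exec /usr/sbin/ipsec "$@"` — `"$@"` preserves the argument list, the absolute path (the rootfile installs `usr/sbin/ipsec`) does not depend on whatever PATH the init system hands the script, which is why the removed script set PATH itself, and `exec` hands the pid and exit status straight to the wrapper. The old script also refused to run unless invoked as root and created /var/run/pluto with restricted ownership before starting; whether strongswan's starter takes care of its run directory itself is not visible here and is worth confirming before the stricter checks are dropped.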
}
void load_modules() {
- safe_system("/sbin/modprobe ipsec");
+// safe_system("/sbin/modprobe ipsec");
}
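Review bot: Commenting out each `safe_system` call individually leaves `load_modules` as an empty function and, in the hunks below, leaves the physical-rule function (its head is outside the hunk), `open_virtual`, `ipsec_norules` and the tncfg loop still formatting their command strings while executing nothing. If the KLIPS module load, the `IPSECPHYSICAL`/`IPSECVIRTUAL` rules and `ipsec tncfg` are really gone with openswan, delete the bodies or the functions and their call sites rather than keeping them as `//` lines, so readers do not have to work out which of the chain names still exist after rc.firewall dropped `IPSECPHYSICAL` and renamed `IPSECVIRTUAL`. If the accept rules for ESP, AH and IKE on the red interface are meant to move elsewhere, a one-line comment at the physical-rule function saying where would help, since this file was the only place creating them.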
/*
// GRE ???
sprintf(str, "/sbin/iptables -A " phystable " -p 47 -i %s -j ACCEPT", interface);
- safe_system(str);
+// safe_system(str);
// ESP
sprintf(str, "/sbin/iptables -A " phystable " -p 50 -i %s -j ACCEPT", interface);
- safe_system(str);
+// safe_system(str);
// AH
sprintf(str, "/sbin/iptables -A " phystable " -p 51 -i %s -j ACCEPT", interface);
- safe_system(str);
+// safe_system(str);
// IKE
sprintf(str, "/sbin/iptables -A " phystable " -p udp -i %s --sport 500 --dport 500 -j ACCEPT", interface);
- safe_system(str);
+// safe_system(str);
if (! nat_traversal_port)
return;
sprintf(str, "/sbin/iptables -A " phystable " -p udp -i %s --dport %i -j ACCEPT", interface, nat_traversal_port);
- safe_system(str);
+// safe_system(str);
}
/*
*/
void open_virtual (void) {
// allow anything from any ipsec to go on all interface, including other ipsec
- safe_system("/sbin/iptables -A " virtualtable " -i ipsec+ -j ACCEPT");
+// safe_system("/sbin/iptables -A " virtualtable " -i ipsec+ -j ACCEPT");
//todo: BOT extension?; allowing ipsec0<<==port-list-filter==>>GREEN ?
}
void ipsec_norules() {
/* clear input rules */
- safe_system("/sbin/iptables -F " phystable);
- safe_system("/sbin/iptables -F " virtualtable);
+// safe_system("/sbin/iptables -F " phystable);
+// safe_system("/sbin/iptables -F " virtualtable);
// unmap red alias ????
}
{
memset(s, 0, STRING_SIZE);
snprintf(s, STRING_SIZE-1, "/usr/sbin/ipsec tncfg --attach --virtual ipsec%d --physical %s:%d >/dev/null", offset+alias, redif, alias);
- safe_system(s);
+// safe_system(s);
alias++;
}
}
--- /dev/null
+diff -Naur strongswan-4.3.6.org/src/_updown/_updown.in strongswan-4.3.6/src/_updown/_updown.in
+--- strongswan-4.3.6.org/src/_updown/_updown.in 2009-09-27 21:50:42.000000000 +0200
++++ strongswan-4.3.6/src/_updown/_updown.in 2010-03-20 18:44:11.000000000 +0100
+@@ -374,10 +374,10 @@
+ # connection to me, with (left/right)firewall=yes, coming up
+ # This is used only by the default updown script, not by your custom
+ # ones, so do not mess with it; see CAUTION comment up at top.
+- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
++ iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
++ iptables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ #
+@@ -387,10 +387,10 @@
+ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+ then
+ logger -t $TAG -p $FAC_PRIO \
+- "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
++ "host+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+ else
+ logger -t $TAG -p $FAC_PRIO \
+- "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
++ "host+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+ fi
+ fi
+ ;;
+@@ -398,10 +398,10 @@
+ # connection to me, with (left/right)firewall=yes, going down
+ # This is used only by the default updown script, not by your custom
+ # ones, so do not mess with it; see CAUTION comment up at top.
+- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
++ iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
++ iptables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ #
+@@ -411,10 +411,10 @@
+ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+ then
+ logger -t $TAG -p $FAC_PRIO -- \
+- "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
++ "host- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+ else
+ logger -t $TAG -p $FAC_PRIO -- \
+- "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
++ "host- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+ fi
+ fi
+ ;;
+@@ -424,10 +424,10 @@
+ # ones, so do not mess with it; see CAUTION comment up at top.
+ if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+ then
+- iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
++ iptables -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+- iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
++ iptables -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+ fi
+@@ -436,10 +436,10 @@
+ # or sometimes host access via the internal IP is needed
+ if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+ then
+- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
++ iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
++ iptables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+ fi
+@@ -450,12 +450,27 @@
+ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+ then
+ logger -t $TAG -p $FAC_PRIO \
+- "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
++ "client+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ else
+ logger -t $TAG -p $FAC_PRIO \
+- "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
++ "client+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ fi
+ fi
++
++ #
++ # Open Firewall for ESP Traffic
++ iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p ESP \
++ -s $PLUTO_PEER $S_PEER_PORT \
++ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
++ iptables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p ESP \
++ -d $PLUTO_PEER $S_PEER_PORT \
++ -s $PLUTO_ME $D_MY_PORT -j ACCEPT
++ if [ $VPN_LOGGING ]
++ then
++ logger -t $TAG -p $FAC_PRIO \
++ "ESP+ $PLUTO_PEER -- $PLUTO_ME"
++ fi
++
+ ;;
+ down-client:iptables)
+ # connection to client subnet, with (left/right)firewall=yes, going down
+@@ -463,11 +478,11 @@
+ # ones, so do not mess with it; see CAUTION comment up at top.
+ if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+ then
+- iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
++ iptables -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+ $IPSEC_POLICY_OUT -j ACCEPT
+- iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
++ iptables -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT \
+ $IPSEC_POLICY_IN -j ACCEPT
+@@ -477,11 +492,11 @@
+ # or sometimes host access via the internal IP is needed
+ if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+ then
+- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
++ iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT \
+ $IPSEC_POLICY_IN -j ACCEPT
+- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
++ iptables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+ $IPSEC_POLICY_OUT -j ACCEPT
+@@ -493,12 +508,27 @@
+ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+ then
+ logger -t $TAG -p $FAC_PRIO -- \
+- "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
++ "client- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ else
+ logger -t $TAG -p $FAC_PRIO -- \
+- "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
++ "client- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ fi
+ fi
++
++ #
++ # Close Firewall for ESP Traffic
++ iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p ESP \
++ -s $PLUTO_PEER $S_PEER_PORT \
++ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
++ iptables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p ESP \
++ -d $PLUTO_PEER $S_PEER_PORT \
++ -s $PLUTO_ME $D_MY_PORT -j ACCEPT
++ if [ $VPN_LOGGING ]
++ then
++ logger -t $TAG -p $FAC_PRIO \
++ "ESP- $PLUTO_PEER -- $PLUTO_ME"
++ fi
++
+ ;;
+ #
+ # IPv6
+@@ -533,10 +563,10 @@
+ # connection to me, with (left/right)firewall=yes, coming up
+ # This is used only by the default updown script, not by your custom
+ # ones, so do not mess with it; see CAUTION comment up at top.
+- ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
++ ip6tables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+- ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
++ ip6tables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ #
+@@ -557,10 +587,10 @@
+ # connection to me, with (left/right)firewall=yes, going down
+ # This is used only by the default updown script, not by your custom
+ # ones, so do not mess with it; see CAUTION comment up at top.
+- ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
++ ip6tables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+- ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
++ ip6tables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ #
+@@ -583,10 +613,10 @@
+ # ones, so do not mess with it; see CAUTION comment up at top.
+ if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
+ then
+- ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
++ ip6tables -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+- ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
++ ip6tables -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+ fi
+@@ -595,10 +625,10 @@
+ # or sometimes host access via the internal IP is needed
+ if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+ then
+- ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
++ ip6tables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+- ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
++ ip6tables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+ fi
+@@ -622,11 +652,11 @@
+ # ones, so do not mess with it; see CAUTION comment up at top.
+ if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
+ then
+- ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
++ ip6tables -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+ $IPSEC_POLICY_OUT -j ACCEPT
+- ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
++ ip6tables -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT \
+ $IPSEC_POLICY_IN -j ACCEPT
+@@ -636,11 +666,11 @@
+ # or sometimes host access via the internal IP is needed
+ if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+ then
+- ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
++ ip6tables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT \
+ $IPSEC_POLICY_IN -j ACCEPT
+- ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
++ ip6tables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+ $IPSEC_POLICY_OUT -j ACCEPT
+diff -Naur strongswan-4.3.6.org/src/_updown_espmark/_updown_espmark strongswan-4.3.6/src/_updown_espmark/_updown_espmark
+--- strongswan-4.3.6.org/src/_updown_espmark/_updown_espmark 2009-09-27 21:50:42.000000000 +0200
++++ strongswan-4.3.6/src/_updown_espmark/_updown_espmark 2010-03-15 18:52:28.000000000 +0100
+@@ -247,10 +247,10 @@
+ ESP_MARK=50
+
+ # add the following static rule to the INPUT chain in the mangle table
+-# iptables -t mangle -A INPUT -p 50 -j MARK --set-mark 50
++# iptables -t mangle -A IPSECINPUT -p 50 -j MARK --set-mark 50
+
+ # NAT traversal via UDP encapsulation is supported with the rule
+-# iptables -t mangle -A INPUT -p udp --dport 4500 -j MARK --set-mark 50
++# iptables -t mangle -A IPSECINPUT -p udp --dport 4500 -j MARK --set-mark 50
+
+ # in the presence of KLIPS and ipsecN interfaces do not use ESP mark rules
+ if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
+@@ -325,10 +325,10 @@
+ up-host:*)
+ # connection to me coming up
+ # If you are doing a custom version, firewall commands go here.
+- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
++ iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
+ -d $PLUTO_ME $D_MY_PORT $CHECK_MARK -j ACCEPT
+- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
++ iptables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_ME $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
+ #
+@@ -346,10 +346,10 @@
+ # If you are doing a custom version, firewall commands go here.
+ # connection to me going down
+ # If you are doing a custom version, firewall commands go here.
+- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
++ iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
+ -d $PLUTO_ME $D_MY_PORT $CHECK_MARK -j ACCEPT
+- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
++ iptables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_ME $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
+ #
+@@ -365,10 +365,10 @@
+ up-client:)
+ # connection to my client subnet coming up
+ # If you are doing a custom version, firewall commands go here.
+- iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
++ iptables -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
+- iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
++ iptables -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \
+ $CHECK_MARK -j ACCEPT
+@@ -385,10 +385,10 @@
+ down-client:)
+ # connection to my client subnet going down
+ # If you are doing a custom version, firewall commands go here.
+- iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
++ iptables -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
+- iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
++ iptables -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \
+ $CHECK_MARK -j ACCEPT
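Review bot: The ESP rules added in the up-client:iptables case (`iptables -I IPSECINPUT 1 ... -p ESP -s $PLUTO_PEER $S_PEER_PORT -d $PLUTO_ME $D_MY_PORT -j ACCEPT` and its IPSECOUTPUT twin) append the `$S_PEER_PORT`/`$D_MY_PORT` variables, which elsewhere in this script carry `--sport`/`--dport` options for the TCP/UDP selectors; if they are non-empty iptables rejects port matches on protocol 50, the insert fails silently, and ESP is never opened, while the OUTPUT rule additionally pairs `-d $PLUTO_PEER` with the source-port variable. The ESP/IKE endpoints are `$PLUTO_PEER` and `$PLUTO_ME` only, so the rules should be `iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p esp -s $PLUTO_PEER -d $PLUTO_ME -j ACCEPT` and `iptables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p esp -s $PLUTO_ME -d $PLUTO_PEER -j ACCEPT`, and the matching `-D` lines in down-client:iptables must be changed identically or the rules are never removed. The same rules are missing from up-host:iptables and from UDP-encapsulated (NAT-T, udp/4500) traffic, so presumably those cases are covered elsewhere — worth confirming. Nothing in this patch creates the IPSECINPUT/IPSECOUTPUT/IPSECFORWARD chains or jumps to them from the built-in chains; unless the firewall init script does so before charon starts, every `-I` here fails and the tunnel traffic is filtered by whatever default policy applies. The enclosing patch file continues past the end of this view, so later hunks may address some of this.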