From 6652626c88bca3a3e89126c47d31779740a21732 Mon Sep 17 00:00:00 2001 From: Arne Fitzenreiter Date: Sat, 20 Mar 2010 22:31:43 +0100 Subject: [PATCH] Add strongswan (4.3.6) for testing. --- config/rootfiles/common/openswan | 302 --------------------- config/rootfiles/common/strongswan | 123 +++++++++ doc/packages-list.txt | 18 +- html/cgi-bin/vpnmain.cgi | 12 +- lfs/strongswan | 98 +++++++ make.sh | 7 +- src/initscripts/init.d/firewall | 17 +- src/initscripts/init.d/ipsec | 178 +----------- src/misc-progs/ipsecctrl.c | 20 +- src/patches/strongswan-4.3.6_ipfire.patch | 317 ++++++++++++++++++++++ 10 files changed, 577 insertions(+), 515 deletions(-) delete mode 100644 config/rootfiles/common/openswan create mode 100644 config/rootfiles/common/strongswan create mode 100644 lfs/strongswan create mode 100644 src/patches/strongswan-4.3.6_ipfire.patch diff --git a/config/rootfiles/common/openswan b/config/rootfiles/common/openswan deleted file mode 100644 index 48837884b7..0000000000 --- a/config/rootfiles/common/openswan +++ /dev/null 
@@ -1,302 +0,0 @@ -etc/ipsec.conf -#etc/ipsec.d -etc/ipsec.d/aacerts -etc/ipsec.d/cacerts -etc/ipsec.d/certs -etc/ipsec.d/crls -#etc/ipsec.d/examples -#etc/ipsec.d/examples/hub-spoke.conf -#etc/ipsec.d/examples/ipv6.conf -#etc/ipsec.d/examples/l2tp-cert.conf -#etc/ipsec.d/examples/l2tp-psk.conf -#etc/ipsec.d/examples/linux-linux.conf -#etc/ipsec.d/examples/oe-exclude-dns.conf -#etc/ipsec.d/examples/sysctl.conf -#etc/ipsec.d/examples/xauth.conf -etc/ipsec.d/ocspcerts -etc/ipsec.d/policies -#etc/ipsec.d/policies/block -#etc/ipsec.d/policies/clear -#etc/ipsec.d/policies/clear-or-private -#etc/ipsec.d/policies/private -#etc/ipsec.d/policies/private-or-clear -etc/ipsec.d/private -etc/ipsec.secrets -#etc/rc.d/init.d/ipsec.old -#etc/rc.d/rc0.d/K76ipsec -#etc/rc.d/rc1.d -#etc/rc.d/rc1.d/K76ipsec -#etc/rc.d/rc2.d -#etc/rc.d/rc2.d/S47ipsec -#etc/rc.d/rc3.d/S47ipsec -#etc/rc.d/rc4.d -#etc/rc.d/rc4.d/S47ipsec -#etc/rc.d/rc5.d -#etc/rc.d/rc5.d/S47ipsec -#etc/rc.d/rc6.d/K76ipsec -usr/lib/ipsec -#usr/lib/ipsec/_confread -#usr/lib/ipsec/_copyright -#usr/lib/ipsec/_include -#usr/lib/ipsec/_keycensor -#usr/lib/ipsec/_plutoload -#usr/lib/ipsec/_plutorun -#usr/lib/ipsec/_realsetup -#usr/lib/ipsec/_secretcensor -#usr/lib/ipsec/_startklips -#usr/lib/ipsec/_startnetkey -#usr/lib/ipsec/_updown -#usr/lib/ipsec/_updown.klips -#usr/lib/ipsec/_updown.klips~ -#usr/lib/ipsec/_updown.mast -#usr/lib/ipsec/_updown.netkey -usr/libexec/ipsec -#usr/libexec/ipsec/_pluto_adns -#usr/libexec/ipsec/addconn -#usr/libexec/ipsec/auto -#usr/libexec/ipsec/barf -#usr/libexec/ipsec/eroute -#usr/libexec/ipsec/ikeping -#usr/libexec/ipsec/klipsdebug -#usr/libexec/ipsec/look -#usr/libexec/ipsec/newhostkey -#usr/libexec/ipsec/pf_key -#usr/libexec/ipsec/pluto -#usr/libexec/ipsec/ranbits -#usr/libexec/ipsec/rsasigkey -#usr/libexec/ipsec/secrets -#usr/libexec/ipsec/setup -#usr/libexec/ipsec/showdefaults -#usr/libexec/ipsec/showhostkey -#usr/libexec/ipsec/showpolicy -#usr/libexec/ipsec/spi -#usr/libexec/ipsec/spigrp 
-#usr/libexec/ipsec/tncfg -#usr/libexec/ipsec/verify -#usr/libexec/ipsec/whack -#usr/man/man3/ipsec_addrbytesof.3 -#usr/man/man3/ipsec_addrbytesptr.3 -#usr/man/man3/ipsec_addrcmp.3 -#usr/man/man3/ipsec_addrinsubnet.3 -#usr/man/man3/ipsec_addrlenof.3 -#usr/man/man3/ipsec_addrtoa.3 -#usr/man/man3/ipsec_addrtosubnet.3 -#usr/man/man3/ipsec_addrtot.3 -#usr/man/man3/ipsec_addrtypeof.3 -#usr/man/man3/ipsec_anyaddr.3 -#usr/man/man3/ipsec_atoaddr.3 -#usr/man/man3/ipsec_atoasr.3 -#usr/man/man3/ipsec_atosubnet.3 -#usr/man/man3/ipsec_atoul.3 -#usr/man/man3/ipsec_bitstomask.3 -#usr/man/man3/ipsec_broadcastof.3 -#usr/man/man3/ipsec_copyright_notice.3 -#usr/man/man3/ipsec_goodmask.3 -#usr/man/man3/ipsec_hostof.3 -#usr/man/man3/ipsec_initaddr.3 -#usr/man/man3/ipsec_initsaid.3 -#usr/man/man3/ipsec_initsubnet.3 -#usr/man/man3/ipsec_isanyaddr.3 -#usr/man/man3/ipsec_isloopbackaddr.3 -#usr/man/man3/ipsec_isunspecaddr.3 -#usr/man/man3/ipsec_loopbackaddr.3 -#usr/man/man3/ipsec_maskof.3 -#usr/man/man3/ipsec_masktobits.3 -#usr/man/man3/ipsec_masktocount.3 -#usr/man/man3/ipsec_networkof.3 -#usr/man/man3/ipsec_optionsfrom.3 -#usr/man/man3/ipsec_portof.3 -#usr/man/man3/ipsec_rangetoa.3 -#usr/man/man3/ipsec_rangetosubnet.3 -#usr/man/man3/ipsec_sameaddr.3 -#usr/man/man3/ipsec_sameaddrtype.3 -#usr/man/man3/ipsec_samesaid.3 -#usr/man/man3/ipsec_samesubnet.3 -#usr/man/man3/ipsec_samesubnettype.3 -#usr/man/man3/ipsec_satot.3 -#usr/man/man3/ipsec_setportof.3 -#usr/man/man3/ipsec_sockaddrlenof.3 -#usr/man/man3/ipsec_sockaddrof.3 -#usr/man/man3/ipsec_subnetinsubnet.3 -#usr/man/man3/ipsec_subnetishost.3 -#usr/man/man3/ipsec_subnetof.3 -#usr/man/man3/ipsec_subnettoa.3 -#usr/man/man3/ipsec_subnettot.3 -#usr/man/man3/ipsec_subnettypeof.3 -#usr/man/man3/ipsec_tnatoaddr.3 -#usr/man/man3/ipsec_ttoaddr.3 -#usr/man/man3/ipsec_ttodata.3 -#usr/man/man3/ipsec_ttosa.3 -#usr/man/man3/ipsec_ttosubnet.3 -#usr/man/man3/ipsec_ttoul.3 -#usr/man/man3/ipsec_unspecaddr.3 -#usr/man/man3/ipsec_version.3 
-#usr/man/man3/ipsec_version_code.3 -#usr/man/man3/ipsec_version_string.3 -#usr/man/man5/ipsec_eroute.5 -#usr/man/man5/ipsec_klipsdebug.5 -#usr/man/man5/ipsec_showpolicy.8 -#usr/man/man5/ipsec_spi.5 -#usr/man/man5/ipsec_spigrp.5 -#usr/man/man5/ipsec_tncfg.5 -#usr/man/man5/ipsec_trap_count.5 -#usr/man/man5/ipsec_trap_sendcount.5 -#usr/man/man5/ipsec_version.5 -#usr/man/man5/pf_key.5 -#usr/man/man8/ipsec.8 -#usr/man/man8/ipsec__copyright.8 -#usr/man/man8/ipsec__include.8 -#usr/man/man8/ipsec__keycensor.8 -#usr/man/man8/ipsec__plutoload.8 -#usr/man/man8/ipsec__plutorun.8 -#usr/man/man8/ipsec__realsetup.8 -#usr/man/man8/ipsec__secretcensor.8 -#usr/man/man8/ipsec__startklips.8 -#usr/man/man8/ipsec__startnetkey.8 -#usr/man/man8/ipsec__updown.8 -#usr/man/man8/ipsec__updown.klips.8 -#usr/man/man8/ipsec__updown.mast.8 -#usr/man/man8/ipsec__updown.netkey.8 -#usr/man/man8/ipsec_addconn.8 -#usr/man/man8/ipsec_auto.8 -#usr/man/man8/ipsec_barf.8 -#usr/man/man8/ipsec_eroute.8 -#usr/man/man8/ipsec_ikeping.8 -#usr/man/man8/ipsec_klipsdebug.8 -#usr/man/man8/ipsec_look.8 -#usr/man/man8/ipsec_newhostkey.8 -#usr/man/man8/ipsec_pf_key.8 -#usr/man/man8/ipsec_ranbits.8 -#usr/man/man8/ipsec_rsasigkey.8 -#usr/man/man8/ipsec_secrets.8 -#usr/man/man8/ipsec_setup.8 -#usr/man/man8/ipsec_showdefaults.8 -#usr/man/man8/ipsec_showhostkey.8 -#usr/man/man8/ipsec_showpolicy.8 -#usr/man/man8/ipsec_spi.8 -#usr/man/man8/ipsec_spigrp.8 -#usr/man/man8/ipsec_tncfg.8 -#usr/man/man8/ipsec_verify.8 -usr/sbin/ipsec -#usr/share/doc/openswan -#usr/share/doc/openswan/index.html -#usr/share/doc/openswan/ipsec.8.html -#usr/share/doc/openswan/ipsec.conf-sample -#usr/share/doc/openswan/ipsec.conf.5.html -#usr/share/doc/openswan/ipsec.secrets.5.html -#usr/share/doc/openswan/ipsec__confread.8.html -#usr/share/doc/openswan/ipsec__copyright.8.html -#usr/share/doc/openswan/ipsec__include.8.html -#usr/share/doc/openswan/ipsec__keycensor.8.html -#usr/share/doc/openswan/ipsec__plutoload.8.html 
-#usr/share/doc/openswan/ipsec__plutorun.8.html -#usr/share/doc/openswan/ipsec__realsetup.8.html -#usr/share/doc/openswan/ipsec__secretcensor.8.html -#usr/share/doc/openswan/ipsec__startklips.8.html -#usr/share/doc/openswan/ipsec__startnetkey.8.html -#usr/share/doc/openswan/ipsec__updown.8.html -#usr/share/doc/openswan/ipsec__updown.klips.8.html -#usr/share/doc/openswan/ipsec__updown.mast.8.html -#usr/share/doc/openswan/ipsec__updown.netkey.8.html -#usr/share/doc/openswan/ipsec_addconn.8.html -#usr/share/doc/openswan/ipsec_addrbytesof.3.html -#usr/share/doc/openswan/ipsec_addrbytesptr.3.html -#usr/share/doc/openswan/ipsec_addrcmp.3.html -#usr/share/doc/openswan/ipsec_addrinsubnet.3.html -#usr/share/doc/openswan/ipsec_addrlenof.3.html -#usr/share/doc/openswan/ipsec_addrtoa.3.html -#usr/share/doc/openswan/ipsec_addrtosubnet.3.html -#usr/share/doc/openswan/ipsec_addrtot.3.html -#usr/share/doc/openswan/ipsec_addrtypeof.3.html -#usr/share/doc/openswan/ipsec_anyaddr.3.html -#usr/share/doc/openswan/ipsec_atoaddr.3.html -#usr/share/doc/openswan/ipsec_atoasr.3.html -#usr/share/doc/openswan/ipsec_atosubnet.3.html -#usr/share/doc/openswan/ipsec_atoul.3.html -#usr/share/doc/openswan/ipsec_auto.8.html -#usr/share/doc/openswan/ipsec_barf.8.html -#usr/share/doc/openswan/ipsec_bitstomask.3.html -#usr/share/doc/openswan/ipsec_broadcastof.3.html -#usr/share/doc/openswan/ipsec_copyright_notice.3.html -#usr/share/doc/openswan/ipsec_eroute.5.html -#usr/share/doc/openswan/ipsec_eroute.8.html -#usr/share/doc/openswan/ipsec_goodmask.3.html -#usr/share/doc/openswan/ipsec_hostof.3.html -#usr/share/doc/openswan/ipsec_ikeping.8.html -#usr/share/doc/openswan/ipsec_initaddr.3.html -#usr/share/doc/openswan/ipsec_initsaid.3.html -#usr/share/doc/openswan/ipsec_initsubnet.3.html -#usr/share/doc/openswan/ipsec_isanyaddr.3.html -#usr/share/doc/openswan/ipsec_isloopbackaddr.3.html -#usr/share/doc/openswan/ipsec_isunspecaddr.3.html -#usr/share/doc/openswan/ipsec_keyblobtoid.3.html 
-#usr/share/doc/openswan/ipsec_klipsdebug.5.html -#usr/share/doc/openswan/ipsec_klipsdebug.8.html -#usr/share/doc/openswan/ipsec_livetest.8.html -#usr/share/doc/openswan/ipsec_look.8.html -#usr/share/doc/openswan/ipsec_loopbackaddr.3.html -#usr/share/doc/openswan/ipsec_lwdnsq.8.html -#usr/share/doc/openswan/ipsec_mailkey.8.html -#usr/share/doc/openswan/ipsec_manual.8.html -#usr/share/doc/openswan/ipsec_maskof.3.html -#usr/share/doc/openswan/ipsec_masktobits.3.html -#usr/share/doc/openswan/ipsec_masktocount.3.html -#usr/share/doc/openswan/ipsec_networkof.3.html -#usr/share/doc/openswan/ipsec_newhostkey.8.html -#usr/share/doc/openswan/ipsec_optionsfrom.3.html -#usr/share/doc/openswan/ipsec_pf_key.5.html -#usr/share/doc/openswan/ipsec_pf_key.8.html -#usr/share/doc/openswan/ipsec_pluto.8.html -#usr/share/doc/openswan/ipsec_portof.3.html -#usr/share/doc/openswan/ipsec_prng.3.html -#usr/share/doc/openswan/ipsec_prng_bytes.3.html -#usr/share/doc/openswan/ipsec_prng_final.3.html -#usr/share/doc/openswan/ipsec_prng_init.3.html -#usr/share/doc/openswan/ipsec_ranbits.8.html -#usr/share/doc/openswan/ipsec_rangetoa.3.html -#usr/share/doc/openswan/ipsec_rangetosubnet.3.html -#usr/share/doc/openswan/ipsec_readwriteconf.8.html -#usr/share/doc/openswan/ipsec_rsasigkey.8.html -#usr/share/doc/openswan/ipsec_sameaddr.3.html -#usr/share/doc/openswan/ipsec_sameaddrtype.3.html -#usr/share/doc/openswan/ipsec_samesaid.3.html -#usr/share/doc/openswan/ipsec_samesubnet.3.html -#usr/share/doc/openswan/ipsec_samesubnettype.3.html -#usr/share/doc/openswan/ipsec_satot.3.html -#usr/share/doc/openswan/ipsec_secrets.8.html -#usr/share/doc/openswan/ipsec_set_policy.3.html -#usr/share/doc/openswan/ipsec_setportof.3.html -#usr/share/doc/openswan/ipsec_setup.8.html -#usr/share/doc/openswan/ipsec_showdefaults.8.html -#usr/share/doc/openswan/ipsec_showhostkey.8.html -#usr/share/doc/openswan/ipsec_showpolicy.8.html -#usr/share/doc/openswan/ipsec_sockaddrlenof.3.html 
-#usr/share/doc/openswan/ipsec_sockaddrof.3.html -#usr/share/doc/openswan/ipsec_spi.5.html -#usr/share/doc/openswan/ipsec_spi.8.html -#usr/share/doc/openswan/ipsec_spigrp.5.html -#usr/share/doc/openswan/ipsec_spigrp.8.html -#usr/share/doc/openswan/ipsec_strerror.3.html -#usr/share/doc/openswan/ipsec_subnetinsubnet.3.html -#usr/share/doc/openswan/ipsec_subnetishost.3.html -#usr/share/doc/openswan/ipsec_subnetof.3.html -#usr/share/doc/openswan/ipsec_subnettoa.3.html -#usr/share/doc/openswan/ipsec_subnettot.3.html -#usr/share/doc/openswan/ipsec_subnettypeof.3.html -#usr/share/doc/openswan/ipsec_tnatoaddr.3.html -#usr/share/doc/openswan/ipsec_tncfg.5.html -#usr/share/doc/openswan/ipsec_tncfg.8.html -#usr/share/doc/openswan/ipsec_trap_count.5.html -#usr/share/doc/openswan/ipsec_trap_sendcount.5.html -#usr/share/doc/openswan/ipsec_ttoaddr.3.html -#usr/share/doc/openswan/ipsec_ttodata.3.html -#usr/share/doc/openswan/ipsec_ttosa.3.html -#usr/share/doc/openswan/ipsec_ttosubnet.3.html -#usr/share/doc/openswan/ipsec_ttoul.3.html -#usr/share/doc/openswan/ipsec_unspecaddr.3.html -#usr/share/doc/openswan/ipsec_verify.8.html -#usr/share/doc/openswan/ipsec_version.3.html -#usr/share/doc/openswan/ipsec_version.5.html -#usr/share/doc/openswan/ipsec_version_code.3.html -#usr/share/doc/openswan/ipsec_version_string.3.html -var/run/pluto diff --git a/config/rootfiles/common/strongswan b/config/rootfiles/common/strongswan new file mode 100644 index 0000000000..1130cc5efe --- /dev/null +++ b/config/rootfiles/common/strongswan 
@@ -0,0 +1,123 @@ +etc/ipsec.conf +#etc/ipsec.d +etc/ipsec.d/aacerts +etc/ipsec.d/acerts +etc/ipsec.d/cacerts +etc/ipsec.d/certs +etc/ipsec.d/crls +etc/ipsec.d/ocspcerts +etc/ipsec.d/private +etc/ipsec.d/reqs +etc/ipsec.secrets +etc/strongswan.conf +#usr/lib/libstrongswan.a +#usr/lib/libstrongswan.la +usr/lib/libstrongswan.so +usr/lib/libstrongswan.so.0 +usr/lib/libstrongswan.so.0.0.0 +#usr/libexec/ipsec +usr/libexec/ipsec/_copyright +usr/libexec/ipsec/_pluto_adns +usr/libexec/ipsec/_updown +usr/libexec/ipsec/_updown_espmark +usr/libexec/ipsec/charon +usr/libexec/ipsec/openac +usr/libexec/ipsec/pki +#usr/libexec/ipsec/plugins +#usr/libexec/ipsec/plugins/libstrongswan-aes.a +#usr/libexec/ipsec/plugins/libstrongswan-aes.la +usr/libexec/ipsec/plugins/libstrongswan-aes.so +#usr/libexec/ipsec/plugins/libstrongswan-attr.a +#usr/libexec/ipsec/plugins/libstrongswan-attr.la +usr/libexec/ipsec/plugins/libstrongswan-attr.so +#usr/libexec/ipsec/plugins/libstrongswan-des.a +#usr/libexec/ipsec/plugins/libstrongswan-des.la +usr/libexec/ipsec/plugins/libstrongswan-des.so +#usr/libexec/ipsec/plugins/libstrongswan-dnskey.a +#usr/libexec/ipsec/plugins/libstrongswan-dnskey.la +usr/libexec/ipsec/plugins/libstrongswan-dnskey.so +#usr/libexec/ipsec/plugins/libstrongswan-fips-prf.a +#usr/libexec/ipsec/plugins/libstrongswan-fips-prf.la +usr/libexec/ipsec/plugins/libstrongswan-fips-prf.so +#usr/libexec/ipsec/plugins/libstrongswan-gmp.a +#usr/libexec/ipsec/plugins/libstrongswan-gmp.la +usr/libexec/ipsec/plugins/libstrongswan-gmp.so +#usr/libexec/ipsec/plugins/libstrongswan-hmac.a +#usr/libexec/ipsec/plugins/libstrongswan-hmac.la +usr/libexec/ipsec/plugins/libstrongswan-hmac.so +#usr/libexec/ipsec/plugins/libstrongswan-kernel-netlink.a +#usr/libexec/ipsec/plugins/libstrongswan-kernel-netlink.la +usr/libexec/ipsec/plugins/libstrongswan-kernel-netlink.so +#usr/libexec/ipsec/plugins/libstrongswan-md5.a +#usr/libexec/ipsec/plugins/libstrongswan-md5.la 
+usr/libexec/ipsec/plugins/libstrongswan-md5.so +#usr/libexec/ipsec/plugins/libstrongswan-pem.a +#usr/libexec/ipsec/plugins/libstrongswan-pem.la +usr/libexec/ipsec/plugins/libstrongswan-pem.so +#usr/libexec/ipsec/plugins/libstrongswan-pgp.a +#usr/libexec/ipsec/plugins/libstrongswan-pgp.la +usr/libexec/ipsec/plugins/libstrongswan-pgp.so +#usr/libexec/ipsec/plugins/libstrongswan-pkcs1.a +#usr/libexec/ipsec/plugins/libstrongswan-pkcs1.la +usr/libexec/ipsec/plugins/libstrongswan-pkcs1.so +#usr/libexec/ipsec/plugins/libstrongswan-pubkey.a +#usr/libexec/ipsec/plugins/libstrongswan-pubkey.la +usr/libexec/ipsec/plugins/libstrongswan-pubkey.so +#usr/libexec/ipsec/plugins/libstrongswan-random.a +#usr/libexec/ipsec/plugins/libstrongswan-random.la +usr/libexec/ipsec/plugins/libstrongswan-random.so +#usr/libexec/ipsec/plugins/libstrongswan-resolve.a +#usr/libexec/ipsec/plugins/libstrongswan-resolve.la +usr/libexec/ipsec/plugins/libstrongswan-resolve.so +#usr/libexec/ipsec/plugins/libstrongswan-sha1.a +#usr/libexec/ipsec/plugins/libstrongswan-sha1.la +usr/libexec/ipsec/plugins/libstrongswan-sha1.so +#usr/libexec/ipsec/plugins/libstrongswan-sha2.a +#usr/libexec/ipsec/plugins/libstrongswan-sha2.la +usr/libexec/ipsec/plugins/libstrongswan-sha2.so +#usr/libexec/ipsec/plugins/libstrongswan-stroke.a +#usr/libexec/ipsec/plugins/libstrongswan-stroke.la +usr/libexec/ipsec/plugins/libstrongswan-stroke.so +#usr/libexec/ipsec/plugins/libstrongswan-updown.a +#usr/libexec/ipsec/plugins/libstrongswan-updown.la +usr/libexec/ipsec/plugins/libstrongswan-updown.so +#usr/libexec/ipsec/plugins/libstrongswan-x509.a +#usr/libexec/ipsec/plugins/libstrongswan-x509.la +usr/libexec/ipsec/plugins/libstrongswan-x509.so +#usr/libexec/ipsec/plugins/libstrongswan-xcbc.a +#usr/libexec/ipsec/plugins/libstrongswan-xcbc.la +usr/libexec/ipsec/plugins/libstrongswan-xcbc.so +usr/libexec/ipsec/pluto +usr/libexec/ipsec/scepclient +usr/libexec/ipsec/starter +usr/libexec/ipsec/stroke +usr/libexec/ipsec/whack 
+usr/sbin/ipsec +#usr/share/man/man3/anyaddr.3 +#usr/share/man/man3/atoaddr.3 +#usr/share/man/man3/atoasr.3 +#usr/share/man/man3/atosa.3 +#usr/share/man/man3/atoul.3 +#usr/share/man/man3/goodmask.3 +#usr/share/man/man3/initaddr.3 +#usr/share/man/man3/initsubnet.3 +#usr/share/man/man3/keyblobtoid.3 +#usr/share/man/man3/portof.3 +#usr/share/man/man3/prng.3 +#usr/share/man/man3/rangetosubnet.3 +#usr/share/man/man3/sameaddr.3 +#usr/share/man/man3/subnetof.3 +#usr/share/man/man3/ttoaddr.3 +#usr/share/man/man3/ttodata.3 +#usr/share/man/man3/ttosa.3 +#usr/share/man/man3/ttoul.3 +#usr/share/man/man5/ipsec.conf.5 +#usr/share/man/man5/ipsec.secrets.5 +#usr/share/man/man8/_copyright.8 +#usr/share/man/man8/_updown.8 +#usr/share/man/man8/_updown_espmark.8 +#usr/share/man/man8/ipsec.8 +#usr/share/man/man8/openac.8 +#usr/share/man/man8/pluto.8 +#usr/share/man/man8/scepclient.8 +#usr/share/man/man8/starter.8 diff --git a/doc/packages-list.txt b/doc/packages-list.txt index eb98dabf30..1b7287db2d 100644 --- a/doc/packages-list.txt +++ b/doc/packages-list.txt @@ -110,7 +110,7 @@ * foomatic-3.0-20070813 * freefont-20060126 * freetype-2.1.10 -* fuse-2.7.4 +* fuse-2.8.3 * fwhits * gawk-3.1.5 * gcc-4.0.4 @@ -127,11 +127,11 @@ * groff-1.18.1.1 * grub-0.97 * guardian-ipfire -* gutenprint-5.0.2 +* gutenprint-5.2.5 * gzip-1.3.5 * hddtemp-0.3-beta14 * hdparm-8.9 -* hostapd-0.6.9 +* hostapd-0.7.1 * hplip-2.7.10 * htop-0.8.1 * httpd-2.2.15 @@ -198,7 +198,7 @@ * logrotate-3.7.1 * logwatch-7.3.6 * lsof-4.78 -* lynis-1.2.6 +* lynis-1.2.9 * lzo-2.02 * m4-1.4.4 * mISDNuser_20090906 @@ -251,9 +251,6 @@ * openmailadmin-1.0.0 * openssh-5.4p1 * openssl-0.9.8m -* openswan-2.6.24 -* openswan-2.6.24-kmod-2.6.32.9-ipfire -* openswan-2.6.24-kmod-2.6.32.9-ipfire-xen * openvpn-2.1_rc20 * p7zip_4.65 * pam_mysql-0.7RC1 @@ -282,7 +279,7 @@ * rssdler-0.4.0a * rsync-3.0.7 * rtorrent-0.8.6 -* samba-3.3.10 +* samba-3.5.1 * sane-1.0.19 * screen-4.0.3 * sdparm-1.01 
@@ -300,10 +297,11 @@
 * squashfs-lzma-cvs20100214
 * squid-2.7.STABLE7
 * squidGuard-1.4.1
-* squidclamav-5.0
+* squidclamav-5.2
 * sshfs-fuse-2.2
-* sslh-1.6i
+* sslh-1.7a
 * streamripper-1.63.5
+* strongswan-4.3.6
 * sudo-1.6.8p12
 * sysfsutils-1.3.0
 * sysklogd-1.5
diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
index d19f22e6bc..9e75c69061 100644
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
@@ -248,9 +248,9 @@ sub writeipsecfiles {
 foreach my $key (keys %lconfighash) {
 next if ($lconfighash{$key}[0] ne 'on');
 $interfaces .= "%defaultroute " if ($interfaces !~ /defaultroute/ && $lconfighash{$key}[26] eq 'RED');
- $interfaces .= "ipsec1=$netsettings{'GREEN_DEV'} " if ($interfaces !~ /ipsec1/ && $lconfighash{$key}[26] eq 'GREEN');
- $interfaces .= "ipsec2=$netsettings{'BLUE_DEV'} " if ($interfaces !~ /ipsec2/ && $lconfighash{$key}[26] eq 'BLUE');
- $interfaces .= "ipsec3=$netsettings{'ORANGE_DEV'} " if ($interfaces !~ /ipsec3/ && $lconfighash{$key}[26] eq 'ORANGE');
+ #$interfaces .= "ipsec1=$netsettings{'GREEN_DEV'} " if ($interfaces !~ /ipsec1/ && $lconfighash{$key}[26] eq 'GREEN');
+ #$interfaces .= "ipsec2=$netsettings{'BLUE_DEV'} " if ($interfaces !~ /ipsec2/ && $lconfighash{$key}[26] eq 'BLUE');
+ #$interfaces .= "ipsec3=$netsettings{'ORANGE_DEV'} " if ($interfaces !~ /ipsec3/ && $lconfighash{$key}[26] eq 'ORANGE');
 }
 print CONF $interfaces . "\"\n";
@@ -264,6 +264,8 @@ sub writeipsecfiles {
 # deprecated in ipsec.conf version 2
 #print CONF "\tplutoload=%search\n";
 #print CONF "\tplutostart=%search\n";
+ #Disable IKEv2 deamon
+ print CONF "\tcharonstart=no\n";
 print CONF "\tuniqueids=yes\n";
 print CONF "\tnat_traversal=yes\n";
 print CONF "\toverridemtu=$lvpnsettings{'VPN_OVERRIDE_MTU'}\n" if ($lvpnsettings{'VPN_OVERRIDE_MTU'} ne '');
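Review bot: `charonstart=no` hard-disables the IKEv2 daemon in every generated ipsec.conf, so only pluto (IKEv1) will ever answer, and the only record of why is `#Disable IKEv2 deamon`. Spell out the reason so it is not "fixed" later: `# Only pluto (IKEv1) is used with strongSwan for now; charon (IKEv2) stays off until the firewall/_updown integration has been verified for it`. In the first hunk the three GREEN/BLUE/ORANGE `interfaces=` assignments are kept as commented-out Perl rather than deleted, and the surviving `%defaultroute` branch still emits an empty `interfaces=""` line for non-RED connections; if that option is meaningless for strongSwan's NETKEY stack (which the comment-out suggests), drop the dead lines and only print the option when `$interfaces` is non-empty. writeipsecfiles starts before and continues past these hunks.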
@@ -283,7 +285,8 @@ sub writeipsecfiles {
 print CONF "\n\n";
 print CONF "conn %default\n";
 print CONF "\tkeyingtries=0\n";
- print CONF "\tdisablearrivalcheck=no\n";
+ #strongswan doesn't know this
+ #print CONF "\tdisablearrivalcheck=no\n";
 print CONF "\n";
 if (-f "${General::swroot}/certs/hostkey.pem") {
@@ -312,6 +315,7 @@ sub writeipsecfiles {
 print CONF "\tleft=$localside\n";
 print CONF "\tleftnexthop=%defaultroute\n" if ($lconfighash{$key}[26] eq 'RED' && $lvpnsettings{'VPN_IP'} ne '%defaultroute');
 print CONF "\tleftsubnet=$lconfighash{$key}[8]\n";
+ print CONF "\tleftfirewall=yes\n";
 print CONF "\tright=$lconfighash{$key}[10]\n";
 if ($lconfighash{$key}[3] eq 'net') {
diff --git a/lfs/strongswan b/lfs/strongswan
new file mode 100644
index 0000000000..29290f9b9f
--- /dev/null
+++ b/lfs/strongswan
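Review bot: `leftfirewall=yes` is now emitted for every connection, which hands per-SA ACCEPT rule management to strongSwan's `_updown` script, but nothing at this line says where those rules land; a reader has to discover the patched `_updown` (inserting into `IPSECINPUT`/`IPSECOUTPUT`) and the firewall initscript that creates those chains. Add above the new line: `# leftfirewall=yes: strongSwan's _updown inserts per-SA ACCEPT rules into the IPSECINPUT/IPSECFORWARD/IPSECOUTPUT chains created by /etc/rc.d/init.d/firewall`. `disablearrivalcheck=no` was a security control in the Openswan setup (presumably the anti-spoofing check on tunnel ingress), and it is dropped with only `#strongswan doesn't know this`; state what now provides that check (e.g. kernel XFRM policy matching) or that it was consciously given up. writeipsecfiles starts before and continues past these hunks.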
@@ -0,0 +1,98 @@
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2010 Michael Tremer & Christian Schmidt #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see . #
+# #
+###############################################################################
+###############################################################################
+# Definitions
+###############################################################################
+include Config
+ifeq "$(XEN)" "1"
+ VERSUFIX=ipfire-xen
+else
+ VERSUFIX=ipfire
+endif
+VER = 4.3.6
+THISAPP = strongswan-$(VER)
+DL_FILE = $(THISAPP).tar.bz2
+DL_FROM = $(URL_IPFIRE)
+DIR_APP = $(DIR_SRC)/$(THISAPP)
+TARGET = $(DIR_INFO)/$(THISAPP)
+###############################################################################
+# Top-level Rules
+###############################################################################
+objects = $(DL_FILE)
+$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
+$(DL_FILE)_MD5 = e071f46b6c463ce76900758734e6143e
+install : $(TARGET)
+check : $(patsubst %,$(DIR_CHK)/%,$(objects))
+download :$(patsubst %,$(DIR_DL)/%,$(objects))
+md5 : $(subst %,%_MD5,$(objects))
+###############################################################################
+# Downloading, checking, md5sum
+###############################################################################
+$(patsubst %,$(DIR_CHK)/%,$(objects)) :
+ @$(CHECK)
+$(patsubst %,$(DIR_DL)/%,$(objects)) :
+ @$(LOAD)
+$(subst %,%_MD5,$(objects)) :
+ @$(MD5)
+###############################################################################
+# Installation Details
+###############################################################################
+$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
+ @$(PREBUILD)
+ @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar jxf $(DIR_DL)/$(DL_FILE)
+ cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-4.3.6_ipfire.patch
+ cd $(DIR_APP) && ./configure --prefix="/usr" --sysconfdir="/etc"
+ cd $(DIR_APP) && make $(MAKETUNING)
+ cd $(DIR_APP) && make install
+ -rm -rfv /etc/rc*.d/*ipsec
+ cd $(DIR_SRC) && cp src/initscripts/init.d/ipsec /etc/rc.d/init.d/ipsec
+ rm -f /etc/ipsec.conf /etc/ipsec.secrets
+ ln -sf $(CONFIG_ROOT)/vpn/ipsec.conf /etc/ipsec.conf
+ ln -sf $(CONFIG_ROOT)/vpn/ipsec.secrets /etc/ipsec.secrets
+ rm -rf /etc/ipsec.d/{cacerts,certs,crls}
+ ln -sf $(CONFIG_ROOT)/ca /etc/ipsec.d/cacerts
+ ln -sf $(CONFIG_ROOT)/certs /etc/ipsec.d/certs
+ ln -sf $(CONFIG_ROOT)/crls /etc/ipsec.d/crls
+ #@rm -rf $(DIR_APP)
+ @$(POSTBUILD)
diff --git a/make.sh b/make.sh
index 6a7c63aa0b..8d79f1da0d 100755
--- a/make.sh
+++ b/make.sh
@@ -348,7 +348,7 @@ buildipfire() {
 ipfiremake madwifi XEN=1
 #ipfiremake alsa XEN=1 KMOD=1
 ipfiremake dahdi XEN=1 KMOD=1
- ipfiremake openswan XEN=1 KMOD=1
+# ipfiremake openswan XEN=1 KMOD=1
 #ipfiremake mISDN XEN=1
 #ipfiremake compat-wireless XEN=1
 ipfiremake cryptodev XEN=1
@@ -359,7 +359,7 @@ buildipfire() {
 ipfiremake madwifi
 ipfiremake alsa KMOD=1
 ipfiremake dahdi KMOD=1
- ipfiremake openswan KMOD=1
+# ipfiremake openswan KMOD=1
 #ipfiremake mISDN
 #ipfiremake compat-wireless
 ipfiremake cryptodev
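Review bot: `rm -rf /etc/ipsec.d/{cacerts,certs,crls}` depends on brace expansion, which make's default `/bin/sh` only performs when that shell is bash; if it is not expanded, the three directories created by `make install` survive and the following `ln -sf` lines silently create symlinks *inside* them (`/etc/ipsec.d/cacerts/ca`, …), so strongSwan keeps loading an empty CA/cert/CRL set and never sees IPFire's. Spell the paths out so the recipe does not depend on the shell: `rm -rf /etc/ipsec.d/cacerts /etc/ipsec.d/certs /etc/ipsec.d/crls`. The recipe also points `/etc/ipsec.secrets` at `$(CONFIG_ROOT)/vpn/ipsec.secrets` without asserting owner or mode on that target, and leaves `/etc/ipsec.d/private` as installed; since the secrets file carries PSKs, either add `chmod 600` on the target here or note in a comment that vpnmain.cgi guarantees its permissions. The tarball comes from the IPFire mirror and is checked by MD5 only (repo convention), which does not protect against a tampered mirror — a comment with the upstream SHA-256 or signature to cross-check would be cheap.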
@@ -546,7 +546,8 @@ buildipfire() {
 ipfiremake tripwire
 ipfiremake sysstat
 ipfiremake vsftpd
- ipfiremake openswan
+# ipfiremake openswan
+ ipfiremake strongswan
 ipfiremake lsof
 ipfiremake centerim
 ipfiremake br2684ctl
diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
index 55ab624a71..55bc066aae 100644
--- a/src/initscripts/init.d/firewall
+++ b/src/initscripts/init.d/firewall
@@ -166,14 +166,17 @@ case "$1" in
 /sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
 # trafic from ipsecX/TUN/TAP interfaces, before "-i GREEN_DEV" accept everything
- /sbin/iptables -N IPSECVIRTUAL
+ /sbin/iptables -N IPSECINPUT
+ /sbin/iptables -N IPSECFORWARD
+ /sbin/iptables -N IPSECOUTPUT
 /sbin/iptables -N OPENSSLVIRTUAL
- /sbin/iptables -A INPUT -j IPSECVIRTUAL -m comment --comment "IPSECVIRTUAL INPUT"
+ /sbin/iptables -A INPUT -j IPSECINPUT
 /sbin/iptables -A INPUT -j OPENSSLVIRTUAL -m comment --comment "OPENSSLVIRTUAL INPUT"
- /sbin/iptables -A FORWARD -j IPSECVIRTUAL -m comment --comment "IPSECVIRTUAL FORWARD"
+ /sbin/iptables -A FORWARD -j IPSECFORWARD
 /sbin/iptables -A FORWARD -j OPENSSLVIRTUAL -m comment --comment "OPENSSLVIRTUAL FORWARD"
- /sbin/iptables -t nat -N IPSECNAT
- /sbin/iptables -t nat -A POSTROUTING -j IPSECNAT
+ /sbin/iptables -A OUTPUT -j IPSECOUTPUT
+ #/sbin/iptables -t nat -N IPSECNAT
+ #/sbin/iptables -t nat -A POSTROUTING -j IPSECNAT
 # Outgoing Firewall
 /sbin/iptables -A FORWARD -j OUTGOINGFW
@@ -197,10 +200,6 @@ case "$1" in
 /sbin/iptables -N DHCPBLUEINPUT
 /sbin/iptables -A INPUT -j DHCPBLUEINPUT
- # IPSec
- /sbin/iptables -N IPSECPHYSICAL
- /sbin/iptables -A INPUT -j IPSECPHYSICAL
-
 # OPenSSL
 /sbin/iptables -N OPENSSLPHYSICAL
 /sbin/iptables -A INPUT -j OPENSSLPHYSICAL
diff --git a/src/initscripts/init.d/ipsec b/src/initscripts/init.d/ipsec
index e37074742c..0c62db5037 100644
--- a/src/initscripts/init.d/ipsec
+++ b/src/initscripts/init.d/ipsec
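Review bot: With `IPSECPHYSICAL` deleted in the second hunk and every `open_physical()` rule commented out in ipsecctrl.c in the same commit, nothing visible in this change accepts IKE (udp/500, udp/4500), ESP (proto 50) or AH (proto 51) on RED any more; unless the INPUT policy elsewhere already permits them, peers cannot even begin a negotiation. If that acceptance is meant to live somewhere else now, say so where the new chains are created: `# IKE/ESP/AH on RED are accepted by <...>; IPSECINPUT/IPSECFORWARD/IPSECOUTPUT only hold the per-SA rules inserted by strongSwan's _updown`. The three new jumps also drop the `-m comment` tags the `IPSECVIRTUAL` jumps carried and `OPENSSLVIRTUAL` keeps, so `iptables -L` no longer explains them — keep `-m comment --comment "IPSECINPUT INPUT"` etc. The commented-out `IPSECNAT` lines should be removed or annotated with why POSTROUTING no longer needs an IPsec bypass; with the NETKEY stack a MASQUERADE rule on RED (if one exists) rewrites LAN-to-remote-subnet packets before the XFRM policy is consulted, which is a classic silent tunnel breaker. The `start` case runs past both hunks.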
@@ -1,178 +1,2 @@
 #!/bin/sh
-# IPsec startup and shutdown script
-# Copyright (C) 1998, 1999, 2001 Henry Spencer.
-# Copyright (C) 2002 Michael Richardson
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See .
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: setup.in,v 1.122.6.3 2006/10/26 23:54:32 paul Exp $
-#
-# ipsec init.d script for starting and stopping
-# the IPsec security subsystem (KLIPS and Pluto).
-#
-# This script becomes /etc/rc.d/init.d/ipsec (or possibly /etc/init.d/ipsec)
-# and is also accessible as "ipsec setup" (the preferred route for human
-# invocation).
-#
-# The startup and shutdown times are a difficult compromise (in particular,
-# it is almost impossible to reconcile them with the insanely early/late
-# times of NFS filesystem startup/shutdown). Startup is after startup of
-# syslog and pcmcia support; shutdown is just before shutdown of syslog.
-#
-# chkconfig: 2345 47 76
-# description: IPsec provides encrypted and authenticated communications; \
-# KLIPS is the kernel half of it, Pluto is the user-level management daemon.
-
-me='ipsec setup' # for messages
-
-# where the private directory and the config files are
-IPSEC_EXECDIR="${IPSEC_EXECDIR-/usr/libexec/ipsec}"
-IPSEC_LIBDIR="${IPSEC_LIBDIR-/usr/lib/ipsec}"
-IPSEC_SBINDIR="${IPSEC_SBINDIR-/usr/sbin}"
-IPSEC_CONFS="${IPSEC_CONFS-/etc}"
-
-if test " $IPSEC_DIR" = " " # if we were not called by the ipsec command
-then
- # we must establish a suitable PATH ourselves
- PATH="${IPSEC_SBINDIR}":/sbin:/usr/sbin:/usr/local/bin:/bin:/usr/bin
- export PATH
-
- IPSEC_DIR="$IPSEC_LIBDIR"
- export IPSEC_DIR IPSEC_CONFS IPSEC_LIBDIR IPSEC_EXECDIR
-fi
-
-# Check that the ipsec command is available.
-found=
-for dir in `echo $PATH | tr ':' ' '`
-do
- if test -f $dir/ipsec -a -x $dir/ipsec
- then
- found=yes
- break # NOTE BREAK OUT
- fi
-done
-if ! test "$found"
-then
- echo "cannot find ipsec command -- \`$1' aborted" |
- logger -s -p daemon.error -t ipsec_setup
- exit 1
-fi
-
-# accept a few flags
-
-export IPSEC_setupflags
-IPSEC_setupflags=""
-
-config=""
-
-for dummy
-do
- case "$1" in
- --showonly|--show) IPSEC_setupflags="$1" ;;
- --config) config="--config $2" ; shift ;;
- *) break ;;
- esac
- shift
-done
-
-
-# Pick up IPsec configuration (until we have done this, successfully, we
-# do not know where errors should go, hence the explicit "daemon.error"s.)
-# Note the "--export", which exports the variables created.
-eval `ipsec _confread $config --optional --varprefix IPSEC --export --type config setup`
-
-if test " $IPSEC_confreadstatus" != " "
-then
- case $1 in
- stop|--stop|_autostop)
- echo "$IPSEC_confreadstatus -- \`$1' may not work" |
- logger -s -p daemon.error -t ipsec_setup;;
-
- *) echo "$IPSEC_confreadstatus -- \`$1' aborted" |
- logger -s -p daemon.error -t ipsec_setup;
- exit 1;;
- esac
-fi
-
-IPSEC_confreadsection=${IPSEC_confreadsection:-setup}
-export IPSEC_confreadsection
-
-IPSECsyslog=${IPSECsyslog-daemon.error}
-export IPSECsyslog
-
-# misc setup
-umask 022
-
-mkdir -p /var/run/pluto
-
-
-# do it
-case "$1" in
- start|--start|stop|--stop|_autostop|_autostart)
- if test " `id -u`" != " 0"
- then
- echo "permission denied (must be superuser)" |
- logger -s -p $IPSECsyslog -t ipsec_setup 2>&1
- exit 1
- fi
- tmp=/var/run/pluto/ipsec_setup.st
- outtmp=/var/run/pluto/ipsec_setup.out
- (
- ipsec _realsetup $1
- echo "$?" >$tmp
- ) > ${outtmp} 2>&1
- st=$?
- if test -f $tmp
- then
- st=`cat $tmp`
- rm -f $tmp
- fi
- if [ -f ${outtmp} ]; then
- cat ${outtmp} | logger -s -p $IPSECsyslog -t ipsec_setup 2>&1
- rm -f ${outtmp}
- fi
- sleep 20 && chown root:nobody /var/run/pluto -R && chmod 770 /var/run/pluto -R && ln -sf /var/run/pluto/pluto.pid /var/run/pluto.pid 2>&1 &
- exit $st
- ;;
-
- restart|--restart|force-reload)
- $0 $IPSEC_setupflags stop
- $0 $IPSEC_setupflags start
- ;;
-
- _autorestart) # for internal use only
- $0 $IPSEC_setupflags _autostop
- $0 $IPSEC_setupflags _autostart
- ;;
-
- status|--status)
- ipsec _realsetup $1
- exit
- ;;
-
- --version)
- echo "$me $IPSEC_VERSION"
- exit 0
- ;;
-
- --help)
- echo "Usage: $me [ --showonly ] {--start|--stop|--restart}"
- echo " $me --status"
- exit 0
- ;;
-
- *)
- echo "Usage: $me [ --showonly ] {--start|--stop|--restart}"
- echo " $me --status"
- exit 2
-esac
-
-exit 0
+ipsec $*
diff --git a/src/misc-progs/ipsecctrl.c b/src/misc-progs/ipsecctrl.c
index 763b81f96d..c46bc060ec 100644
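Review bot: `ipsec $*` word-splits and re-globs the arguments and resolves `ipsec` through whatever PATH the rc environment happens to have, whereas the script it replaces set PATH explicitly and checked that the binary exists; from a minimal init PATH `ipsec start` can simply fail with "command not found", and an argument containing a space is mangled. Use the absolute path and preserve the arguments: `exec /usr/sbin/ipsec "$@"`. The old script's root check, `umask 022` and the `/var/run/pluto` handling (`chown root:nobody`, `chmod 770`, the `/var/run/pluto.pid` symlink) disappear with no replacement in this hunk; if `ipsec starter` now creates that directory with safe permissions, a one-line comment saying so would save the next reader a hunt, and whether anything still depends on `/var/run/pluto.pid` needs confirming.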
--- a/src/misc-progs/ipsecctrl.c
+++ b/src/misc-progs/ipsecctrl.c
@@ -44,7 +44,7 @@ void usage() {
 }
 void load_modules() {
- safe_system("/sbin/modprobe ipsec");
+// safe_system("/sbin/modprobe ipsec");
 }
 /*
@@ -55,22 +55,22 @@ void open_physical (char *interface, int nat_traversal_port) {
 // GRE ???
 sprintf(str, "/sbin/iptables -A " phystable " -p 47 -i %s -j ACCEPT", interface);
- safe_system(str);
+// safe_system(str);
 // ESP
 sprintf(str, "/sbin/iptables -A " phystable " -p 50 -i %s -j ACCEPT", interface);
- safe_system(str);
+// safe_system(str);
 // AH
 sprintf(str, "/sbin/iptables -A " phystable " -p 51 -i %s -j ACCEPT", interface);
- safe_system(str);
+// safe_system(str);
 // IKE
 sprintf(str, "/sbin/iptables -A " phystable " -p udp -i %s --sport 500 --dport 500 -j ACCEPT", interface);
- safe_system(str);
+// safe_system(str);
 if (! nat_traversal_port) return;
 sprintf(str, "/sbin/iptables -A " phystable " -p udp -i %s --dport %i -j ACCEPT", interface, nat_traversal_port);
- safe_system(str);
+// safe_system(str);
 }
 /*
@@ -81,14 +81,14 @@ void open_physical (char *interface, int nat_traversal_port) {
 */
 void open_virtual (void) {
 // allow anything from any ipsec to go on all interface, including other ipsec
- safe_system("/sbin/iptables -A " virtualtable " -i ipsec+ -j ACCEPT");
+// safe_system("/sbin/iptables -A " virtualtable " -i ipsec+ -j ACCEPT");
 //todo: BOT extension?; allowing ipsec0<<==port-list-filter==>>GREEN ?
 }
 void ipsec_norules() {
 /* clear input rules */
- safe_system("/sbin/iptables -F " phystable);
- safe_system("/sbin/iptables -F " virtualtable);
+// safe_system("/sbin/iptables -F " phystable);
+// safe_system("/sbin/iptables -F " virtualtable);
 // unmap red alias ????
 }
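Review bot: Commenting out every `safe_system()` call turns `open_physical()`, `open_virtual()` and `ipsec_norules()` into silent no-ops that still format the iptables command strings and still accept `interface`/`nat_traversal_port`, so any caller (and anyone reading `phystable`/`virtualtable`) believes IKE, ESP and AH are being opened on RED when nothing is; either delete the bodies or gate them with an explicit `#if 0 /* strongSwan: per-SA rules come from _updown, chains from the firewall initscript */`. Because `ipsec_norules()` no longer flushes anything, stop/reload now leaves whatever `IPSECINPUT`/`IPSECFORWARD`/`IPSECOUTPUT` have accumulated and presumably relies on `_updown` removing its own rules on the `down` event, which does not happen if pluto is killed — that assumption deserves a comment next to the emptied function. `load_modules()` is likewise emptied although the kernel-netlink plugin listed in the rootfile presumably needs the XFRM/af_key modules present; if they are built into the IPFire kernel, say so in the comment. `open_physical()` starts before its hunk.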
@@ -152,7 +152,7 @@ void add_alias_interfaces(char *configtype,
 {
 memset(s, 0, STRING_SIZE);
 snprintf(s, STRING_SIZE-1, "/usr/sbin/ipsec tncfg --attach --virtual ipsec%d --physical %s:%d >/dev/null", offset+alias, redif, alias);
- safe_system(s);
+// safe_system(s);
 alias++;
 }
 }
diff --git a/src/patches/strongswan-4.3.6_ipfire.patch b/src/patches/strongswan-4.3.6_ipfire.patch
new file mode 100644
index 0000000000..69f2abaebb
--- /dev/null
+++ b/src/patches/strongswan-4.3.6_ipfire.patch
@@ -0,0 +1,317 @@
+diff -Naur strongswan-4.3.6.org/src/_updown/_updown.in strongswan-4.3.6/src/_updown/_updown.in
+--- strongswan-4.3.6.org/src/_updown/_updown.in 2009-09-27 21:50:42.000000000 +0200
++++ strongswan-4.3.6/src/_updown/_updown.in 2010-03-20 18:44:11.000000000 +0100
+@@ -374,10 +374,10 @@
+ # connection to me, with (left/right)firewall=yes, coming up
+ # This is used only by the default updown script, not by your custom
+ # ones, so do not mess with it; see CAUTION comment up at top.
+- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
++ iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
++ iptables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ #
+@@ -387,10 +387,10 @@
+ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+ then
+ logger -t $TAG -p $FAC_PRIO \
+- "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
++ "host+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+ else
+ logger -t $TAG -p $FAC_PRIO \
+- "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
++ "host+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+ fi
+ fi
+ ;;
+@@ -398,10 +398,10 @@
+ # connection to me, with (left/right)firewall=yes, going down
+ # This is used only by the default updown script, not by your custom
+ # ones, so do not mess with it; see CAUTION comment up at top.
+- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
++ iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
++ iptables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ #
+@@ -411,10 +411,10 @@
+ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+ then
+ logger -t $TAG -p $FAC_PRIO -- \
+- "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
++ "host- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+ else
+ logger -t $TAG -p $FAC_PRIO -- \
+- "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
++ "host- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+ fi
+ fi
+ ;;
+@@ -424,10 +424,10 @@
+ # ones, so do not mess with it; see CAUTION comment up at top.
+ if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+ then
+- iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
++ iptables -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+- iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
++ iptables -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+ fi
+@@ -436,10 +436,10 @@
+ # or sometimes host access via the internal IP is needed
+ if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+ then
+- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
++ iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
++ iptables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+ fi
+@@ -450,12 +450,27 @@
+ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+ then
+ logger -t $TAG -p $FAC_PRIO \
+- "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
++ "client+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ else
+ logger -t $TAG -p $FAC_PRIO \
+- "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
++ "client+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ fi
+ fi
++
++ #
++ # Open Firewall for ESP Traffic
++ iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p ESP \
++ -s $PLUTO_PEER $S_PEER_PORT \
++ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
++ iptables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p ESP \
++ -d $PLUTO_PEER $S_PEER_PORT \
++ -s $PLUTO_ME $D_MY_PORT -j ACCEPT
++ if [ $VPN_LOGGING ]
++ then
++ logger -t $TAG -p $FAC_PRIO \
++ "ESP+ $PLUTO_PEER -- $PLUTO_ME"
++ fi
++
+ ;;
+ down-client:iptables)
+ # connection to client subnet, with (left/right)firewall=yes, going down
+@@ -463,11 +478,11 @@
+ # ones, so do not mess with it; see CAUTION comment up at top.
+ if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+ then
+- iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
++ iptables -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+ $IPSEC_POLICY_OUT -j ACCEPT
+- iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
++ iptables -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT \
+ $IPSEC_POLICY_IN -j ACCEPT
+@@ -477,11 +492,11 @@
+ # or sometimes host access via the internal IP is needed
+ if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+ then
+- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
++ iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT \
+ $IPSEC_POLICY_IN -j ACCEPT
+- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
++ iptables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+ $IPSEC_POLICY_OUT -j ACCEPT
+@@ -493,12 +508,27 @@
+ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+ then
+ logger -t $TAG -p $FAC_PRIO -- \
+- "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
++ "client- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ else
+ logger -t $TAG -p $FAC_PRIO -- \
+- "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
++ "client- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ fi
+ fi
++
++ #
++ # Close Firewall for ESP Traffic
++ iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p ESP \
++ -s $PLUTO_PEER $S_PEER_PORT \
++ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
++ iptables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p ESP \
++ -d $PLUTO_PEER $S_PEER_PORT \
++ -s $PLUTO_ME $D_MY_PORT -j ACCEPT
++ if [ $VPN_LOGGING ]
++ then
++ logger -t $TAG -p $FAC_PRIO \
++ "ESP- $PLUTO_PEER -- $PLUTO_ME"
++ fi
++
+ ;;
+ #
+ # IPv6
+@@ -533,10 +563,10 @@
+ # connection to me, with (left/right)firewall=yes, coming up
+ # This is used only by the default updown script, not by your custom
+ # ones, so do not mess with it; see CAUTION comment up at top.
+- ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
++ ip6tables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+- ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
++ ip6tables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ #
+@@ -557,10 +587,10 @@
+ # connection to me, with (left/right)firewall=yes, going down
+ # This is used only by the default updown script, not by your custom
+ # ones, so do not mess with it; see CAUTION comment up at top.
+- ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
++ ip6tables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+- ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
++ ip6tables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ #
+@@ -583,10 +613,10 @@
+ # ones, so do not mess with it; see CAUTION comment up at top.
+ if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
+ then
+- ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
++ ip6tables -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+- ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
++ ip6tables -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+ fi
+@@ -595,10 +625,10 @@
+ # or sometimes host access via the internal IP is needed
+ if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+ then
+- ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
++ ip6tables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+- ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
++ ip6tables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+ fi
+@@ -622,11 +652,11 @@
+ # ones, so do not mess with it; see CAUTION comment up at top.
+ if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
+ then
+- ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
++ ip6tables -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+ $IPSEC_POLICY_OUT -j ACCEPT
+- ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
++ ip6tables -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT \
+ $IPSEC_POLICY_IN -j ACCEPT
+@@ -636,11 +666,11 @@
+ # or sometimes host access via the internal IP is needed
+ if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+ then
+- ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
++ ip6tables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT \
+ $IPSEC_POLICY_IN -j ACCEPT
+- ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
++ ip6tables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+ $IPSEC_POLICY_OUT -j ACCEPT
+diff -Naur strongswan-4.3.6.org/src/_updown_espmark/_updown_espmark strongswan-4.3.6/src/_updown_espmark/_updown_espmark
+--- strongswan-4.3.6.org/src/_updown_espmark/_updown_espmark 2009-09-27 21:50:42.000000000 +0200
++++ strongswan-4.3.6/src/_updown_espmark/_updown_espmark 2010-03-15 18:52:28.000000000 +0100
+@@ -247,10 +247,10 @@
+ ESP_MARK=50
+
+ # add the following static rule to the INPUT chain in the mangle table
+-# iptables -t mangle -A INPUT -p 50 -j MARK --set-mark 50
++# iptables -t mangle -A IPSECINPUT -p 50 -j MARK --set-mark 50
+
+ # NAT traversal via UDP encapsulation is supported with the rule
+-# iptables -t mangle -A INPUT -p udp --dport 4500 -j MARK --set-mark 50
++# iptables -t mangle -A IPSECINPUT -p udp --dport 4500 -j MARK --set-mark 50
+
+ # in the presence of KLIPS and ipsecN interfaces do not use ESP mark rules
+ if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
+@@ -325,10 +325,10 @@
+ up-host:*)
+ # connection to me coming up
+ # If you are doing a custom version, firewall commands go here.
+- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
++ iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
+ -d $PLUTO_ME $D_MY_PORT $CHECK_MARK -j ACCEPT
+- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
++ iptables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_ME $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
+ #
+@@ -346,10 +346,10 @@
+ # If you are doing a custom version, firewall commands go here.
+ # connection to me going down
+ # If you are doing a custom version, firewall commands go here.
+- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
++ iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
+ -d $PLUTO_ME $D_MY_PORT $CHECK_MARK -j ACCEPT
+- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
++ iptables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_ME $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
+ #
+@@ -365,10 +365,10 @@
+ up-client:)
+ # connection to my client subnet coming up
+ # If you are doing a custom version, firewall commands go here.
+- iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
++ iptables -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
+- iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
++ iptables -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \
+ $CHECK_MARK -j ACCEPT
+@@ -385,10 +385,10 @@
+ down-client:)
+ # connection to my client subnet going down
+ # If you are doing a custom version, firewall commands go here.
+- iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
++ iptables -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
+- iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
++ iptables -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \
+ $CHECK_MARK -j ACCEPT
-- 
2.39.2
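Review bot: The newly added ESP rules in the inner `@@ -450,12 +450,27 @@` and `@@ -493,12 +508,27 @@` hunks combine `-p ESP` with `$S_PEER_PORT` and `$D_MY_PORT`, which every surrounding rule uses as port selectors directly after `-s`/`-d` (presumably `--sport`/`--dport` derived from the connection's port selectors); a port match is not valid for protocol ESP, so whenever those variables are non-empty the ACCEPT rule is refused on up and the matching `-D` is refused on down, and the IPSECOUTPUT rule additionally crosses the sides (`-d $PLUTO_PEER $S_PEER_PORT -s $PLUTO_ME $D_MY_PORT`). ESP carries no ports, so the rules should be `iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p ESP -s $PLUTO_PEER -d $PLUTO_ME -j ACCEPT` and `iptables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p ESP -s $PLUTO_ME -d $PLUTO_PEER -j ACCEPT`, with the same two forms after `-D` in the down-client branch. The guard `if [ $VPN_LOGGING ]` should be written `if [ -n "$VPN_LOGGING" ]` so a multi-word value cannot break the test. It is also worth stating in the patch whether the ESP opening is intentionally limited to the client-subnet branches, since the up-host/down-host branches patched above get no ESP rule; the inner hunks are excerpts of the updown script's case statement, whose remainder is outside this file.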