2 # default updown script
4 # Copyright (C) 2003-2004 Nigel Meteringham
5 # Copyright (C) 2003-2004 Tuomo Soini
6 # Copyright (C) 2002-2004 Michael Richardson
7 # Copyright (C) 2005-2007 Andreas Steffen <andreas.steffen@strongswan.org>
9 # This program is free software; you can redistribute it and/or modify it
10 # under the terms of the GNU General Public License as published by the
11 # Free Software Foundation; either version 2 of the License, or (at your
12 # option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
14 # This program is distributed in the hope that it will be useful, but
15 # WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
16 # or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
19 # CAUTION: Installing a new version of strongSwan will install a new
20 # copy of this script, wiping out any custom changes you make. If
21 # you need changes, make a copy of this under another name, and customize
22 # that, and use the (left/right)updown parameters in ipsec.conf to make
23 # strongSwan use yours instead of this default one.
26 # indicates what version of this interface is being
27 # used. This document describes version 1.1. This
28 # is upwardly compatible with version 1.0.
31 # specifies the name of the operation to be performed
32 # (prepare-host, prepare-client, up-host, up-client,
33 # down-host, or down-client). If the address family
34 # for security gateway to security gateway communica-
35 # tions is IPv6, then a suffix of -v6 is added to the
39 # is the name of the connection for which we are
43 # is the name of the ipsec interface to be used.
46 # is the requid of the AH|ESP policy
49 # is the negotiated IPsec protocol, ah|esp
52 # is not empty if IPComp was negotiated
55 # is the unique identifier of the associated IKE_SA
58 # is the IP address of our host.
61 # is the ID of our host.
64 # is the IP address / count of our client subnet. If
65 # the client is just the host, this will be the
66 # host's own IP address / max (where max is 32 for
67 # IPv4 and 128 for IPv6).
70 # PLUTO_MY_SOURCEIP4_$i
71 # PLUTO_MY_SOURCEIP6_$i
72 # contains IPv4/IPv6 virtual IP received from a responder,
73 # $i enumerates from 1 to the number of IP per address family.
74 # PLUTO_MY_SOURCEIP is a legacy variable and equal to the first
75 # virtual IP, IPv4 or IPv6.
78 # is the IP protocol that will be transported.
81 # is the UDP/TCP port to which the IPsec SA is
82 # restricted on our side. For ICMP/ICMPv6 this contains the
83 # message type, and PLUTO_PEER_PORT the message code.
86 # is the IP address of our peer.
89 # is the ID of our peer.
92 # is the IP address / count of the peer's client sub-
93 # net. If the client is just the peer, this will be
94 # the peer's own IP address / max (where max is 32
95 # for IPv4 and 128 for IPv6).
98 # PLUTO_PEER_SOURCEIP4_$i
99 # PLUTO_PEER_SOURCEIP6_$i
100 # contains IPv4/IPv6 virtual IP sent to an initiator,
101 # $i enumerates from 1 to the number of IP per address family.
102 # PLUTO_PEER_SOURCEIP is a legacy variable and equal to the first
103 # virtual IP, IPv4 or IPv6.
105 # PLUTO_PEER_PROTOCOL
106 # is the IP protocol that will be transported.
109 # is the UDP/TCP port to which the IPsec SA is
110 # restricted on the peer side. For ICMP/ICMPv6 this contains the
111 # message code, and PLUTO_MY_PORT the message type.
114 # is an optional user ID employed by the XAUTH protocol
117 # is an optional XFRM mark set on the inbound IPsec SA
120 # is an optional XFRM mark set on the outbound IPsec SA
123 # is an optional XFRM interface ID set on the inbound IPsec SA
126 # is an optional XFRM interface ID set on the outbound IPsec SA
129 # contains the remote UDP port in the case of ESP_IN_UDP
134 # contains IPv4/IPv6 DNS server attribute received from a
135 # responder, $i enumerates from 1 to the number of servers per
139 # define a minimum PATH environment in case it is not set
# Fixed, minimal search path so that the iptables/ip6tables/logger calls
# further down resolve the same way whatever environment the daemon
# invoked us with (@sbindir@ is filled in when this .in template is
# processed).
PATH=/sbin:/bin:/usr/sbin:/usr/bin:@sbindir@
143 # comment to disable logging VPN connections to syslog
146 # tag put in front of each log entry:
149 # syslog facility and priority used:
# syslog facility.priority handed to logger -p for every VPN log entry
FAC_PRIO="local0.notice"
152 # to create a special vpn logging file, put the following line into
153 # the syslog configuration file /etc/syslog.conf:
155 # local0.notice -/var/log/vpn
157 # check interface version
158 case "$PLUTO_VERSION" in
159 1.
[0|
1]) # Older release?!? Play it safe, script may be using new features.
160 echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
161 echo "$0: called by obsolete release?" >&2
165 *) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
174 iptables
:iptables
) # due to (left/right)firewall; for default script only
176 custom
:*) # custom parameters (see above CAUTION comment)
178 *) echo "$0: unknown parameters \`$*'" >&2
# iptables policy match shared by every ACCEPT rule below: it ties the
# rule to traffic covered by the IPsec policy with this protocol
# (ah|esp) and reqid, in the given direction, rather than to the bare
# peer/client addresses.
IPSEC_POLICY="-m policy --pol ipsec --proto ${PLUTO_PROTO} --reqid ${PLUTO_REQID}"
IPSEC_POLICY_IN="${IPSEC_POLICY} --dir in"
IPSEC_POLICY_OUT="${IPSEC_POLICY} --dir out"
187 # use protocol specific options to set ports
188 case "$PLUTO_MY_PROTOCOL" in
190 ICMP_TYPE_OPTION
="--icmp-type"
193 ICMP_TYPE_OPTION
="--icmpv6-type"
# are there port numbers?
# Build the per-side port selectors used by the iptables rules below.
# A port of 0 means "not restricted"; a selector that is not needed is
# left unset so it expands to nothing on the iptables command line.
# For ICMP/ICMPv6 (ICMP_TYPE_OPTION set) PLUTO_MY_PORT carries the
# message type and PLUTO_PEER_PORT the message code.
if [ "$PLUTO_MY_PORT" != 0 ]; then
  if [ -n "$ICMP_TYPE_OPTION" ]; then
    S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
    D_MY_PORT="$S_MY_PORT"
  else
    S_MY_PORT="--sport $PLUTO_MY_PORT"
    D_MY_PORT="--dport $PLUTO_MY_PORT"
  fi
fi
if [ "$PLUTO_PEER_PORT" != 0 ]; then
  if [ -n "$ICMP_TYPE_OPTION" ]; then
    # the syntax is --icmp[v6]-type type[/code], so append the code to
    # the type option built above
    # NOTE(review): an ICMP type of 0 counts as "unrestricted" here, so a
    # non-zero code together with type 0 would yield "/code" on its own —
    # confirm that combination cannot reach this script.
    S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT"
    D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT"
  else
    S_PEER_PORT="--sport $PLUTO_PEER_PORT"
    D_PEER_PORT="--dport $PLUTO_PEER_PORT"
  fi
fi
224 case "$PLUTO_VERB:$1" in
226 # connection to me coming up
227 # If you are doing a custom version, firewall commands go here.
230 # connection to me going down
231 # If you are doing a custom version, firewall commands go here.
234 # connection to my client subnet coming up
235 # If you are doing a custom version, firewall commands go here.
238 # connection to my client subnet going down
239 # If you are doing a custom version, firewall commands go here.
242 # connection to me, with (left/right)firewall=yes, coming up
243 # This is used only by the default updown script, not by your custom
244 # ones, so do not mess with it; see CAUTION comment up at top.
245 iptables
-I INPUT
1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
246 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
247 -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
248 iptables
-I OUTPUT
1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
249 -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
250 -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
252 # allow IPIP traffic because of the implicit SA created by the kernel if
253 # IPComp is used (for small inbound packets that are not compressed)
254 if [ -n "$PLUTO_IPCOMP" ]
256 iptables
-I INPUT
1 -i $PLUTO_INTERFACE -p 4 \
257 -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
260 # log IPsec host connection setup
263 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
265 logger
-t $TAG -p $FAC_PRIO \
266 "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
268 logger
-t $TAG -p $FAC_PRIO \
269 "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
274 # connection to me, with (left/right)firewall=yes, going down
275 # This is used only by the default updown script, not by your custom
276 # ones, so do not mess with it; see CAUTION comment up at top.
277 iptables
-D INPUT
-i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
278 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
279 -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
280 iptables
-D OUTPUT
-o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
281 -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
282 -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
284 # IPIP exception teardown
285 if [ -n "$PLUTO_IPCOMP" ]
287 iptables
-D INPUT
-i $PLUTO_INTERFACE -p 4 \
288 -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
291 # log IPsec host connection teardown
294 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
296 logger
-t $TAG -p $FAC_PRIO -- \
297 "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
299 logger
-t $TAG -p $FAC_PRIO -- \
300 "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
305 # connection to client subnet, with (left/right)firewall=yes, coming up
306 # This is used only by the default updown script, not by your custom
307 # ones, so do not mess with it; see CAUTION comment up at top.
308 if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
310 iptables
-I FORWARD
1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
311 -s $PLUTO_MY_CLIENT $S_MY_PORT \
312 -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
313 iptables
-I FORWARD
1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
314 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
315 -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
318 # a virtual IP requires an INPUT and OUTPUT rule on the host
319 # or sometimes host access via the internal IP is needed
320 if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
322 iptables
-I INPUT
1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
323 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
324 -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
325 iptables
-I OUTPUT
1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
326 -s $PLUTO_MY_CLIENT $S_MY_PORT \
327 -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
330 # allow IPIP traffic because of the implicit SA created by the kernel if
331 # IPComp is used (for small inbound packets that are not compressed).
332 # INPUT is correct here even for forwarded traffic.
333 if [ -n "$PLUTO_IPCOMP" ]
335 iptables
-I INPUT
1 -i $PLUTO_INTERFACE -p 4 \
336 -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
339 # log IPsec client connection setup
342 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
344 logger
-t $TAG -p $FAC_PRIO \
345 "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
347 logger
-t $TAG -p $FAC_PRIO \
348 "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
352 down-client
:iptables
)
353 # connection to client subnet, with (left/right)firewall=yes, going down
354 # This is used only by the default updown script, not by your custom
355 # ones, so do not mess with it; see CAUTION comment up at top.
356 if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
358 iptables
-D FORWARD
-o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
359 -s $PLUTO_MY_CLIENT $S_MY_PORT \
360 -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
361 $IPSEC_POLICY_OUT -j ACCEPT
362 iptables
-D FORWARD
-i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
363 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
364 -d $PLUTO_MY_CLIENT $D_MY_PORT \
365 $IPSEC_POLICY_IN -j ACCEPT
368 # a virtual IP requires an INPUT and OUTPUT rule on the host
369 # or sometimes host access via the internal IP is needed
370 if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
372 iptables
-D INPUT
-i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
373 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
374 -d $PLUTO_MY_CLIENT $D_MY_PORT \
375 $IPSEC_POLICY_IN -j ACCEPT
376 iptables
-D OUTPUT
-o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
377 -s $PLUTO_MY_CLIENT $S_MY_PORT \
378 -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
379 $IPSEC_POLICY_OUT -j ACCEPT
382 # IPIP exception teardown
383 if [ -n "$PLUTO_IPCOMP" ]
385 iptables
-D INPUT
-i $PLUTO_INTERFACE -p 4 \
386 -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
389 # log IPsec client connection teardown
392 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
394 logger
-t $TAG -p $FAC_PRIO -- \
395 "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
397 logger
-t $TAG -p $FAC_PRIO -- \
398 "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
406 # connection to me coming up
407 # If you are doing a custom version, firewall commands go here.
410 # connection to me going down
411 # If you are doing a custom version, firewall commands go here.
414 # connection to my client subnet coming up
415 # If you are doing a custom version, firewall commands go here.
418 # connection to my client subnet going down
419 # If you are doing a custom version, firewall commands go here.
422 # connection to me, with (left/right)firewall=yes, coming up
423 # This is used only by the default updown script, not by your custom
424 # ones, so do not mess with it; see CAUTION comment up at top.
425 ip6tables
-I INPUT
1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
426 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
427 -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
428 ip6tables
-I OUTPUT
1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
429 -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
430 -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
432 # allow IP6IP6 traffic because of the implicit SA created by the kernel if
433 # IPComp is used (for small inbound packets that are not compressed)
434 if [ -n "$PLUTO_IPCOMP" ]
436 ip6tables
-I INPUT
1 -i $PLUTO_INTERFACE -p 41 \
437 -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
440 # log IPsec host connection setup
443 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
445 logger
-t $TAG -p $FAC_PRIO \
446 "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
448 logger
-t $TAG -p $FAC_PRIO \
449 "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
453 down-host-v6
:iptables
)
454 # connection to me, with (left/right)firewall=yes, going down
455 # This is used only by the default updown script, not by your custom
456 # ones, so do not mess with it; see CAUTION comment up at top.
457 ip6tables
-D INPUT
-i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
458 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
459 -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
460 ip6tables
-D OUTPUT
-o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
461 -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
462 -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
464 # IP6IP6 exception teardown
465 if [ -n "$PLUTO_IPCOMP" ]
467 ip6tables
-D INPUT
-i $PLUTO_INTERFACE -p 41 \
468 -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
471 # log IPsec host connection teardown
474 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
476 logger
-t $TAG -p $FAC_PRIO -- \
477 "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
479 logger
-t $TAG -p $FAC_PRIO -- \
480 "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
484 up-client-v6
:iptables
)
485 # connection to client subnet, with (left/right)firewall=yes, coming up
486 # This is used only by the default updown script, not by your custom
487 # ones, so do not mess with it; see CAUTION comment up at top.
488 if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
490 ip6tables
-I FORWARD
1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
491 -s $PLUTO_MY_CLIENT $S_MY_PORT \
492 -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
493 ip6tables
-I FORWARD
1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
494 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
495 -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
498 # a virtual IP requires an INPUT and OUTPUT rule on the host
499 # or sometimes host access via the internal IP is needed
500 if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
502 ip6tables
-I INPUT
1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
503 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
504 -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
505 ip6tables
-I OUTPUT
1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
506 -s $PLUTO_MY_CLIENT $S_MY_PORT \
507 -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
510 # allow IP6IP6 traffic because of the implicit SA created by the kernel if
511 # IPComp is used (for small inbound packets that are not compressed).
512 # INPUT is correct here even for forwarded traffic.
513 if [ -n "$PLUTO_IPCOMP" ]
515 ip6tables
-I INPUT
1 -i $PLUTO_INTERFACE -p 41 \
516 -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
519 # log IPsec client connection setup
522 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
524 logger
-t $TAG -p $FAC_PRIO \
525 "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
527 logger
-t $TAG -p $FAC_PRIO \
528 "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
532 down-client-v6
:iptables
)
533 # connection to client subnet, with (left/right)firewall=yes, going down
534 # This is used only by the default updown script, not by your custom
535 # ones, so do not mess with it; see CAUTION comment up at top.
536 if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
538 ip6tables
-D FORWARD
-o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
539 -s $PLUTO_MY_CLIENT $S_MY_PORT \
540 -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
541 $IPSEC_POLICY_OUT -j ACCEPT
542 ip6tables
-D FORWARD
-i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
543 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
544 -d $PLUTO_MY_CLIENT $D_MY_PORT \
545 $IPSEC_POLICY_IN -j ACCEPT
548 # a virtual IP requires an INPUT and OUTPUT rule on the host
549 # or sometimes host access via the internal IP is needed
550 if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
552 ip6tables
-D INPUT
-i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
553 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
554 -d $PLUTO_MY_CLIENT $D_MY_PORT \
555 $IPSEC_POLICY_IN -j ACCEPT
556 ip6tables
-D OUTPUT
-o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
557 -s $PLUTO_MY_CLIENT $S_MY_PORT \
558 -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
559 $IPSEC_POLICY_OUT -j ACCEPT
562 # IP6IP6 exception teardown
563 if [ -n "$PLUTO_IPCOMP" ]
565 ip6tables
-D INPUT
-i $PLUTO_INTERFACE -p 41 \
566 -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
569 # log IPsec client connection teardown
572 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
574 logger
-t $TAG -p $FAC_PRIO -- \
575 "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
577 logger
-t $TAG -p $FAC_PRIO -- \
578 "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
582 *) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2