rpms/ipsec-tools/devel ipsec-tools-0.7-dupsplit.patch, NONE, 1.1 ipsec-tools-0.7-iface.patch, NONE, 1.1 p1_up_down, NONE, 1.1 racoon.init, NONE, 1.1 ipsec-tools.spec, 1.44, 1.45 racoon.conf, 1.1, 1.2
Steve Conklin (sconklin)
fedora-extras-commits at redhat.com
Thu Sep 20 16:42:39 UTC 2007
Author: sconklin
Update of /cvs/pkgs/rpms/ipsec-tools/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv31062
Modified Files:
ipsec-tools.spec racoon.conf
Added Files:
ipsec-tools-0.7-dupsplit.patch ipsec-tools-0.7-iface.patch
p1_up_down racoon.init
Log Message:
Added patches from Gabriel Somlo
ipsec-tools-0.7-dupsplit.patch:
--- NEW FILE ipsec-tools-0.7-dupsplit.patch ---
diff -NarU5 ipsec-tools-0.7.0-cvs070822.orig/src/racoon/isakmp_unity.c ipsec-tools-0.7.0-cvs070822/src/racoon/isakmp_unity.c
--- ipsec-tools-0.7.0-cvs070822.orig/src/racoon/isakmp_unity.c 2006-10-09 02:17:20.000000000 -0400
+++ ipsec-tools-0.7.0-cvs070822/src/racoon/isakmp_unity.c 2007-08-22 13:07:29.000000000 -0400
@@ -303,36 +303,45 @@
int splitnet_list_add(list, network, count)
struct unity_netentry ** list;
struct unity_network * network;
int *count;
{
- struct unity_netentry * newentry;
+ struct unity_netentry * nentry;
+
+ /*
+ * search for network in current list
+ * to avoid adding duplicates
+ */
+ for (nentry = *list; nentry != NULL; nentry = nentry->next)
+ if (memcmp(&nentry->network, network,
+ sizeof(struct unity_network)) == 0)
+ return 0; /* it's a dupe */
/*
* allocate new netentry and copy
- * new splitnet network data
+ * new splitnet network data
*/
- newentry = (struct unity_netentry *)
+ nentry = (struct unity_netentry *)
racoon_malloc(sizeof(struct unity_netentry));
- if (newentry == NULL)
+ if (nentry == NULL)
return -1;
- memcpy(&newentry->network,network,
+ memcpy(&nentry->network,network,
sizeof(struct unity_network));
- newentry->next = NULL;
+ nentry->next = NULL;
/*
* locate the last netentry in our
* splitnet list and add our entry
*/
if (*list == NULL)
- *list = newentry;
+ *list = nentry;
else {
struct unity_netentry * tmpentry = *list;
while (tmpentry->next != NULL)
tmpentry = tmpentry->next;
- tmpentry->next = newentry;
+ tmpentry->next = nentry;
}
(*count)++;
return 0;
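Review bot: The new duplicate-search loop already visits every node, yet the unchanged tail walk further down (the `while (tmpentry->next != NULL)` loop) traverses the list a second time to append; remembering the last node seen during the search removes that second pass and the `tmpentry` local with it. The `memcmp` compares the whole `struct unity_network`, so if that struct has padding bytes two logically equal networks could still be treated as distinct — the struct definition is not in the hunk, so this is only worth confirming, and a comment at the compare such as `/* byte-wise compare: relies on entries being memcpy'd from the same layout */` would record the assumption. The `for` and `if` bodies at the top of the hunk would read more safely with braces. The function's closing brace is not shown, so its body may continue past the hunk.
```c
	struct unity_netentry *nentry;
	struct unity_netentry *last = NULL;

	/* reject duplicates; remember the tail so no second walk is needed */
	for (nentry = *list; nentry != NULL; last = nentry, nentry = nentry->next) {
		if (memcmp(&nentry->network, network,
			   sizeof(struct unity_network)) == 0)
			return 0;	/* it's a dupe */
	}
	/* … unchanged: allocate nentry, copy *network into it, nentry->next = NULL … */
	if (last == NULL)
		*list = nentry;
	else
		last->next = nentry;
	(*count)++;
	return 0;
```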
ipsec-tools-0.7-iface.patch:
--- NEW FILE ipsec-tools-0.7-iface.patch ---
diff -NarU5 ipsec-tools-0.7.0-cvs070822.orig/src/racoon/isakmp.c ipsec-tools-0.7.0-cvs070822/src/racoon/isakmp.c
--- ipsec-tools-0.7.0-cvs070822.orig/src/racoon/isakmp.c 2007-07-18 08:07:51.000000000 -0400
+++ ipsec-tools-0.7.0-cvs070822/src/racoon/isakmp.c 2007-08-22 13:04:33.000000000 -0400
@@ -1722,10 +1722,24 @@
strerror(errno));
return -1;
}
#endif
+ if (setsockopt(p->sock, SOL_SOCKET,
+#ifdef __linux__
+ SO_REUSEADDR,
+#else
+ SO_REUSEPORT,
+#endif
+ (void *)&yes, sizeof(yes)) < 0) {
+ plog(LLV_ERROR, LOCATION, NULL,
+ "failed to set REUSE flag on %s (%s).\n",
+ saddr2str(p->addr), strerror(errno));
+ close(p->sock);
+ goto err_and_next;
+ }
+
if (setsockopt_bypass(p->sock, p->addr->sa_family) < 0)
goto err_and_next;
if (bind(p->sock, p->addr, sysdep_sa_len(p->addr)) < 0) {
plog(LLV_ERROR, LOCATION, p->addr,
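Review bot: The added setsockopt has no comment saying why address reuse is needed before bind, and on Linux SO_REUSEADDR on a UDP socket is a broader relaxation than BSD's SO_REUSEPORT: a second socket that also sets the option can bind the same address and port. A comment at the call such as `/* allow per-address sockets to coexist with an existing bind on the same port; on Linux only SO_REUSEADDR gives this for UDP */` would state the intent (which I infer from the patch name to be per-interface binding) so the relaxation is not widened later. The `(void *)` cast on `&yes` is unnecessary in C, and `yes` is assumed to be declared earlier in the function since it is not in the hunk. The enclosing function starts and ends outside the hunk, so whether `err_and_next` also closes `p->sock` cannot be checked here; the explicit `close()` before the goto should match whatever the bind-failure path below it does.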
--- NEW FILE p1_up_down ---
#!/bin/bash
#
# manipulate IPSec SA database on behalf of the racoon daemon
# Gabriel Somlo <somlo at cmu edu>, 08/27/2007
#
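#FIXME: read this from, e.g., /etc/sysconfig/racoon
NAT_T="yes"

shopt -s nocasematch
umask 0022
PATH=/bin:/sbin:/usr/bin:/usr/sbin

# with NAT-T the tunnel endpoints in the SPD carry the UDP port as well as
# the address; without it the bare addresses are used
case "${NAT_T}" in
    yes|true|on|enable*|1)
        LOCAL="${LOCAL_ADDR}[${LOCAL_PORT}]"
        REMOTE="${REMOTE_ADDR}[${REMOTE_PORT}]"
        ;;
    *)
        LOCAL="${LOCAL_ADDR}"
        REMOTE="${REMOTE_ADDR}"
        ;;
esac

# gateway and interface of the current default route, as "GW;IF".
# Only the first default route is taken: with several defaults the
# multi-line output would corrupt both values below.
DFLT_RT=$(ip route list | awk '($1 == "default") { print $3 ";" $5; exit }')
DFLT_IF=${DFLT_RT#*;}
DFLT_GW=${DFLT_RT%;*}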
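# convert something like '192.168.123.0/255.255.255.0' into '192.168.123.0/24'
# FIXME: convince racoon folks to return SPLIT_INCLUDE in the latter form ?
#
# Prints the CIDR form on stdout and returns 0.  On unusable input (no '/',
# or ipcalc rejecting the netmask) it prints nothing and returns 1, so the
# caller's 'ip route' command fails instead of receiving 'addr/'.  A value
# that already carries a numeric prefix is echoed unchanged.
to_cidr() {
    local SPEC=$1
    case "${SPEC}" in
        */*) ;;
        *) return 1 ;;
    esac
    local IP_ADDR=${SPEC%/*}
    local NETMASK=${SPEC#*/}
    # already in prefix notation (e.g. 10.0.0.0/8): nothing to convert
    if [[ "${NETMASK}" =~ ^[0-9]{1,2}$ ]]; then
        echo "${IP_ADDR}/${NETMASK}"
        return 0
    fi
    local PREFIX_STR
    # declare and assign separately so ipcalc's exit status is not masked
    PREFIX_STR=$(ipcalc -p "${IP_ADDR}" "${NETMASK}") || return 1
    echo "${IP_ADDR}/${PREFIX_STR#*=}"
}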
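# true when $1 looks like a dotted-quad IPv4 address (syntax only; the
# octets are not range-checked)
is_ipv4() {
    [[ "$1" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]]
}

# Bring the tunnel up: swap in the DNS settings handed over by the peer,
# add the internal address, a host route to the peer via the pre-VPN
# gateway and either the split-include routes or a new default route, then
# install the SPD entries for the ESP tunnel.
# INTERNAL_*, SPLIT_* and DEFAULT_DOMAIN are delivered by the IKE peer
# (mode-cfg), so they are checked before being written to resolv.conf, and
# every expansion passed to 'ip' is quoted so one value can never become
# several command words.
phase1_up() {
    local NS N
    # save the pre-VPN resolver config once so phase1_down can restore it
    [ -f /etc/resolv.conf.prevpn ] || cp /etc/resolv.conf /etc/resolv.conf.prevpn
    {
        echo "# Generated by racoon on $(date)"
        # only a plain domain name may become the search line
        if [[ "${DEFAULT_DOMAIN}" =~ ^[A-Za-z0-9.-]+$ ]]; then
            echo "search ${DEFAULT_DOMAIN}"
        fi
        for NS in ${INTERNAL_DNS4_LIST}; do
            is_ipv4 "${NS}" && echo "nameserver ${NS}"
        done
    } > /etc/resolv.conf
    ip addr add dev "${DFLT_IF}" "${INTERNAL_ADDR4}/32"
    # traffic to the peer itself must keep using the pre-VPN path
    ip route add "${REMOTE_ADDR}" via "${DFLT_GW}" dev "${DFLT_IF}"
    if [ -n "${SPLIT_INCLUDE}" ]; then
        # split tunnelling: only the listed networks are sourced from the
        # internal address and thus matched by the SPD below
        for N in ${SPLIT_INCLUDE}; do
            ip route add "$(to_cidr "${N}")" via "${DFLT_GW}" dev "${DFLT_IF}" \
                src "${INTERNAL_ADDR4}"
        done
    else
        # full tunnelling: local networks stay direct, everything else
        # leaves via a new default route sourced from the internal address
        for N in ${SPLIT_LOCAL}; do
            ip route add "$(to_cidr "${N}")" via "${DFLT_GW}" dev "${DFLT_IF}"
        done
        ip route del default
        ip route add default via "${DFLT_GW}" dev "${DFLT_IF}" src "${INTERNAL_ADDR4}"
    fi
    setkey -c << EOT
spdadd ${INTERNAL_ADDR4}/32[any] 0.0.0.0/0[any] any -P out ipsec
esp/tunnel/${LOCAL}-${REMOTE}/require;
spdadd 0.0.0.0/0[any] ${INTERNAL_ADDR4}[any] any -P in ipsec
esp/tunnel/${REMOTE}-${LOCAL}/require;
EOT
}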
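# Tear the tunnel down in reverse order: restore resolv.conf, drop the
# split or default routes, the host route to the peer and the internal
# address, then remove the SPD entries and the SAs.  Expansions passed to
# 'ip' are quoted so a peer-supplied value is always a single argument.
phase1_down() {
    local N
    [ -f /etc/resolv.conf.prevpn ] && mv /etc/resolv.conf.prevpn /etc/resolv.conf
    if [ -n "${SPLIT_INCLUDE}" ]; then
        for N in ${SPLIT_INCLUDE}; do
            ip route del "$(to_cidr "${N}")"
        done
    else
        for N in ${SPLIT_LOCAL}; do
            ip route del "$(to_cidr "${N}")"
        done
        # put the pre-VPN default route back
        ip route del default
        ip route add default via "${DFLT_GW}" dev "${DFLT_IF}"
    fi
    ip route del "${REMOTE_ADDR}"
    ip addr del dev "${DFLT_IF}" "${INTERNAL_ADDR4}/32"
    setkey -c << EOT
spddelete ${INTERNAL_ADDR4}/32[any] 0.0.0.0/0[any] any -P out ipsec
esp/tunnel/${LOCAL}-${REMOTE}/require;
spddelete 0.0.0.0/0[any] ${INTERNAL_ADDR4}[any] any -P in ipsec
esp/tunnel/${REMOTE}-${LOCAL}/require;
deleteall ${REMOTE_ADDR} ${LOCAL_ADDR} esp;
deleteall ${LOCAL_ADDR} ${REMOTE_ADDR} esp;
# linux won't honor a 'deleteall', so we use flush (bad, but necessary for now)
flush;
EOT
}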
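# trace the environment racoon handed us (ends up in racoon's output)
echo "p1_up_down: $1 starting..."
echo "p1_up_down: LOCAL_ADDR = ${LOCAL_ADDR}"
echo "p1_up_down: LOCAL_PORT = ${LOCAL_PORT}"
echo "p1_up_down: REMOTE_ADDR = ${REMOTE_ADDR}"
echo "p1_up_down: REMOTE_PORT = ${REMOTE_PORT}"
echo "p1_up_down: DFLT_GW = ${DFLT_GW}"
echo "p1_up_down: DFLT_IF = ${DFLT_IF}"
echo "p1_up_down: INTERNAL_ADDR4 = ${INTERNAL_ADDR4}"
echo "p1_up_down: INTERNAL_DNS4 = ${INTERNAL_DNS4}"
echo "p1_up_down: DEFAULT_DOMAIN = ${DEFAULT_DOMAIN}"
echo "p1_up_down: SPLIT_INCLUDE = ${SPLIT_INCLUDE}"
echo "p1_up_down: SPLIT_LOCAL = ${SPLIT_LOCAL}"

# Both values end up as 'ip' and 'setkey' arguments, so require a real
# dotted-quad rather than "contains a digit": INTERNAL_ADDR4 comes from the
# peer, DFLT_GW from the local routing table.
if ! [[ "${INTERNAL_ADDR4}" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]]; then
    echo "p1_up_down: error: invalid INTERNAL_ADDR4."
    exit 1
fi
if ! [[ "${DFLT_GW}" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]]; then
    echo "p1_up_down: error: invalid DFLT_GW."
    exit 2
fi

# racoon invokes us with the phase name as the only argument
case "$1" in
    phase1_up)
        phase1_up
        ;;
    phase1_down)
        phase1_down
        ;;
    *)
        echo "p1_up_down: error: must be called by racoon w. arg=phase1_[up|down]"
        exit 3
        ;;
esac
echo "p1_up_down: $1 completed successfully."
exit 0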
--- NEW FILE racoon.init ---
#!/bin/sh
#
# chkconfig: - 15 85
# description: racoon is an IKE (ISAKMP/Oakley) key management daemon
# processname: racoon
# config: /etc/racoon/racoon.conf
#
# Source function library.
. /etc/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# daemon name, its subsys lock file, and the exit status handed back to init
prog="racoon"
lockfile="/var/lock/subsys/${prog}"
RETVAL=0
# start the daemon; on success record it in the subsys lock file
start() {
    echo -n $"Starting $prog: "
    daemon "${prog}"
    RETVAL=$?
    echo
    if [ "${RETVAL}" -eq 0 ]; then
        touch "${lockfile}"
    fi
    return "${RETVAL}"
}
# stop the daemon; on success drop the subsys lock file
stop() {
    echo -n $"Stopping $prog: "
    killproc "${prog}"
    RETVAL=$?
    if [ "${RETVAL}" -eq 0 ]; then
        rm -f "${lockfile}"
    fi
    echo
    return "${RETVAL}"
}
# report the daemon's status via the functions library
dostatus() {
    status "${prog}"
}
# full restart; RETVAL ends up as start's result
restart() {
    stop
    start
}
# restart only if the daemon was started through this script (lock file present)
condrestart() {
    if [ -e "${lockfile}" ]; then
        restart
    fi
}
# See how we were called.
case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart|reload)
        restart
        ;;
    condrestart)
        condrestart
        ;;
    status)
        dostatus
        ;;
    *)
        echo "Usage: $prog {start|stop|restart|reload|condrestart|status}"
        exit 1
        ;;
esac
exit "${RETVAL}"
Index: ipsec-tools.spec
===================================================================
RCS file: /cvs/pkgs/rpms/ipsec-tools/devel/ipsec-tools.spec,v
retrieving revision 1.44
retrieving revision 1.45
diff -u -r1.44 -r1.45
--- ipsec-tools.spec 29 Aug 2007 04:53:14 -0000 1.44
+++ ipsec-tools.spec 20 Sep 2007 16:42:06 -0000 1.45
@@ -1,21 +1,22 @@
Name: ipsec-tools
Version: 0.7
-Release: 2%{?dist}
+Release: 3%{?dist}
Summary: Tools for configuring and using IPSEC
License: BSD
Group: System Environment/Base
URL: http://ipsec-tools.sourceforge.net/
Source: http://prdownload.sourceforge.net/ipsec-tools/ipsec-tools-%{version}.tar.bz2
-Source1: ipsec.h
-Source2: pfkeyv2.h
-Source3: racoon.conf
-Source4: psk.txt
-Source5: xfrm.h
-Source6: udp.h
+Source1: racoon.conf
+Source2: psk.txt
+Source3: p1_up_down
+Source4: racoon.init
Patch: ipsec-tools-0.7-libs.patch
Patch2: isakmp.c.diff
Patch3: ipsec-tools-0.7-acquires.patch
Patch4: ipsec-tools-0.7-loopback.patch
+# the following three patches were also submitted upstream:
+Patch5: ipsec-tools-0.7-iface.patch
+Patch6: ipsec-tools-0.7-dupsplit.patch
BuildRequires: openssl-devel, krb5-devel, bison, flex, automake, libtool
BuildRequires: libselinux-devel >= 1.30.28-2
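Review bot: The comment above `Patch5` says "the following three patches were also submitted upstream" but only two patch lines follow it; either the count is wrong or a patch declaration is missing from this hunk. Suggest `# the following two patches were also submitted upstream:` unless a third is intended. Renumbering Source1..Source4 is fine as long as every `%{SOURCEn}` reference is updated, which the later hunks appear to do.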
@@ -37,15 +38,15 @@
%patch2 -p1
%patch3 -p1 -b .acquires
%patch4 -p1 -b .loopback
+%patch5 -p1 -b .iface
+%patch6 -p1 -b .dupsplit
-mkdir -p kernel-headers/linux
-cp %{SOURCE1} %{SOURCE2} %{SOURCE5} %{SOURCE6} kernel-headers/linux
./bootstrap
%build
sed -i 's|-Werror||g' configure
CFLAGS="$RPM_OPT_FLAGS" %configure \
- --with-kernel-headers=`pwd`/kernel-headers \
+ --with-kernel-headers=/usr/include \
--sysconfdir=/etc/racoon \
--without-readline \
--enable-adminport \
@@ -70,18 +71,33 @@
$RPM_BUILD_ROOT/%{_includedir} \
$RPM_BUILD_ROOT/%{_mandir}/man3
-install -m 600 %{SOURCE3} \
+install -m 600 %{SOURCE1} \
$RPM_BUILD_ROOT/etc/racoon/racoon.conf
-install -m 600 %{SOURCE4} \
+install -m 600 %{SOURCE2} \
$RPM_BUILD_ROOT/etc/racoon/psk.txt
mv $RPM_BUILD_ROOT%{_sbindir}/setkey $RPM_BUILD_ROOT/sbin
mkdir -m 0700 -p $RPM_BUILD_ROOT/etc/racoon/certs
+mkdir -m 0700 -p $RPM_BUILD_ROOT/etc/racoon/scripts
+install -m 700 %{SOURCE3} \
+ $RPM_BUILD_ROOT/etc/racoon/scripts/p1_up_down
+install -D -m755 %{SOURCE4} $RPM_BUILD_ROOT/%{_initrddir}/racoon
%clean
rm -rf $RPM_BUILD_ROOT
+%post
+if [ $1 = 1 ]; then
+ chkconfig --add racoon
+fi
+
+%preun
+if [ $1 = 0 ]; then
+ service %{name} stop > /dev/null 2>&1
+ /sbin/chkconfig --del racoon
+fi
+
%files
%defattr(-,root,root)
%doc src/racoon/samples/racoon.conf src/racoon/samples/psk.txt
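Review bot: `%post` calls `chkconfig --add racoon` with no path while `%preun` uses `/sbin/chkconfig`, and `service` in `%preun` is also unqualified; scriptlets run with a minimal environment, so both should use `/sbin/chkconfig` and `/sbin/service`. The scriptlets also need `Requires(post): chkconfig` and `Requires(preun): chkconfig, initscripts` unless those are declared in a part of the spec outside these hunks. Installing `p1_up_down` with mode 700 into a 0700 directory is appropriate: the script runs as root on racoon's behalf and handles peer-supplied values.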
@@ -90,13 +106,23 @@
/sbin/*
%{_sbindir}/*
%{_mandir}/man*/*
+%{_sysconfdir}/racoon/scripts/*
+%{_initrddir}/racoon
%dir /etc/racoon
%dir /etc/racoon/certs
+%dir /etc/racoon/scripts
%dir /var/racoon
%config(noreplace) /etc/racoon/psk.txt
%config(noreplace) /etc/racoon/racoon.conf
%changelog
+* Thu Sep 20 2007 Steve Conklin <sconklin at redhat.com> - 0.7-3
+- Applied the following patches from Gabriel Somlo
+- Patches for connecting to Cisco ASA in remote-access (road-warrior) mode
+- Added phase1_up_down mode config script
+- Including our own .h files (ipsec, pfkeyv2, xfrm, udp) no longer necessary
+- Added init script for racoon daemon
+
* Tue Aug 28 2007 Steve Conklin <sconklin at redhat.com> - 0.7-2
- Fixed the loopback patch
Index: racoon.conf
===================================================================
RCS file: /cvs/pkgs/rpms/ipsec-tools/devel/racoon.conf,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- racoon.conf 9 Sep 2004 06:18:45 -0000 1.1
+++ racoon.conf 20 Sep 2007 16:42:06 -0000 1.2
@@ -5,12 +5,31 @@
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
+path script "/etc/racoon/scripts";
sainfo anonymous
{
- pfs_group 2;
+ #pfs_group 2;
lifetime time 1 hour ;
encryption_algorithm 3des, blowfish 448, rijndael ;
authentication_algorithm hmac_sha1, hmac_md5 ;
compression_algorithm deflate ;
}
+
+#remote <IP-of-Cisco-ASA>
+#{
+# exchange_mode main;
+# my_identifier fqdn "host.name.of.vpn.client";
+# certificate_type x509 "client.crt" "client.key";
+# ca_type x509 "ca.crt";
+# mode_cfg on;
+# script "p1_up_down" phase1_up;
+# script "p1_up_down" phase1_down;
+# proposal
+# {
+# encryption_algorithm 3des;
+# hash_algorithm sha1;
+# authentication_method xauth_rsa_client;
+# dh_group 2;
+# }
+#}
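Review bot: Commenting out `pfs_group 2` in `sainfo anonymous` disables perfect forward secrecy for every phase-2 negotiation, not only for the Cisco example added below, and the hunk gives no reason. If it is an interoperability concession, add a comment at the line, e.g. `# pfs_group 2 disabled for peers that do not negotiate PFS; re-enable if your peer supports it`, or keep the default and relax it in a peer-specific sainfo. A short comment on the `script "p1_up_down"` lines noting that the name is resolved relative to the new `path script` directory would help readers of the example.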