From: Florian Fainelli Date: Wed, 28 Feb 2007 13:30:51 +0000 (+0000) Subject: Add strongswan (#1330) X-Git-Tag: reboot~29832 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=c3521420dc2ddd0535690ab6569cd57c4b078035;p=oweals%2Fopenwrt.git Add strongswan (#1330) SVN-Revision: 6429 --- diff --git a/package/strongswan/Makefile b/package/strongswan/Makefile new file mode 100644 index 0000000000..7169635e05 --- /dev/null +++ b/package/strongswan/Makefile 
@@ -0,0 +1,96 @@
+#
+# Copyright (C) 2006 OpenWrt.org
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+# $Id: Makefile $
+
+include $(TOPDIR)/rules.mk
+include $(INCLUDE_DIR)/kernel.mk
+
+PKG_NAME:=strongswan
+PKG_VERSION:=2.8.2
+PKG_RELEASE:=1
+
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
+PKG_SOURCE_URL:=http://download.strongswan.org/
+PKG_MD5SUM:=57427f5b48123851a73b10d78dd4f8d6
+PKG_CAT:=bzcat
+
+PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
+PKG_INSTALL_DIR:=$(PKG_BUILD_DIR)/ipkg-install
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/strongswan/Default
+ TITLE:=strongSwan
+ DESCRIPTION:=\
+ strongSwan is an IPsec implementation for Linux.
+ URL:=http://www.strongswan.org/
+endef
+
+define Package/strongswan
+ $(call Package/strongswan/Default)
+ SECTION:=net
+ CATEGORY:=Network
+ DEPENDS:=+kmod-strongswan +libgmp @LINUX_2_4
+ TITLE+= (daemon)
+ DESCRIPTION+=\\\
+ \\\
+ This package contains the strongSwan user-land daemon.
+ URL:=http://www.strongswan.org/
+endef
+
+define KernelPackage/strongswan
+ SUBMENU:=Network Support
+ $(call Package/strongswan/Default)
+ TITLE+= (kernel module)
+ DESCRIPTION+=\\\
+ \\\
+ This package contains the strongSwan kernel module.
+ VERSION:=$(LINUX_VERSION)+$(PKG_VERSION)-$(BOARD)-$(PKG_RELEASE)
+ FILES:=$(PKG_BUILD_DIR)/linux/net/ipsec/ipsec.$(LINUX_KMOD_SUFFIX)
+ AUTOLOAD:=$(call AutoLoad,50,ipsec)
+endef
+
+PKG_MAKE_OPTS:= \
+ LINUX_RELEASE="$(LINUX_RELEASE)" \
+ KERNELSRC="$(LINUX_DIR)" \
+ ARCH="$(LINUX_KARCH)" \
+ CROSS_COMPILE="$(TARGET_CROSS)" \
+ USERCOMPILE="$(TARGET_CFLAGS) -I./linux/include -I$(STAGING_DIR)/usr/include -L$(STAGING_DIR)/usr/lib" \
+ IPSECDIR="/usr/lib/ipsec" \
+ INC_USRLOCAL="/usr" \
+
+define Build/Compile
+ $(MAKE) -C $(PKG_BUILD_DIR) \
+ $(TARGET_CONFIGURE_OPTS) \
+ $(PKG_MAKE_OPTS) \
+ LDFLAGS="-L$(STAGING_DIR)/usr/lib -L$(STAGING_DIR)/lib" \
+ DESTDIR="$(PKG_INSTALL_DIR)" \
+ programs module install
+endef
+
+define Package/strongswan/install
+ $(CP) $(PKG_INSTALL_DIR)/* $(1)
+ $(INSTALL_DIR) $(1)/etc/init.d
+ $(INSTALL_DIR) $(1)/etc/config
+ $(INSTALL_DIR) $(1)/etc/cron.tick
+ $(INSTALL_DIR) $(1)/etc/hotplug.d/iface
+ $(INSTALL_DIR) $(1)/etc/hotplug.d/button
+ $(INSTALL_BIN) ./files/ipsec.init $(1)/etc/init.d/ipsec
+ $(INSTALL_BIN) ./files/ipsec.cron $(1)/etc/cron.tick/ipsec-wakeup
+ $(INSTALL_BIN) ./files/ipsec.iface $(1)/etc/hotplug.d/iface/65-ipsec
+ $(INSTALL_BIN) ./files/ipsec.button $(1)/etc/hotplug.d/button/65-ipsec
+ $(INSTALL_DATA) ./files/ipsec.config $(1)/etc/config/ipsec
+ $(INSTALL_DATA) ./files/ipsec.conf $(1)/etc/ipsec.conf
+ rm -rf $(1)/usr/share
+ rm -rf $(1)/usr/man
+ rm -rf $(1)/var
+ rm -rf $(1)/etc/rc.d
+ find $(1) -name \*.old | xargs rm -rf
+endef
+
+$(eval $(call BuildPackage,strongswan))
+$(eval $(call KernelPackage,strongswan))
diff --git a/package/strongswan/files/ipsec.button b/package/strongswan/files/ipsec.button
new file mode 100644
index 0000000000..9bd9023560
--- /dev/null
+++ b/package/strongswan/files/ipsec.button
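Review bot: The 100–130 patches carry `strongswan-2.8.1-orig/...` headers while this Makefile builds `PKG_VERSION:=2.8.2`; `-p1` strips the top directory so they still apply, but the headers should be regenerated against 2.8.2 (as the 200/210 patches already are) so a future version bump cannot silently apply stale hunks. The tarball is fetched over plain `http://` and pinned only by `PKG_MD5SUM`; that is the framework's convention here, so the MD5 value is the sole integrity check and must be taken from a trusted copy of the release rather than the same download. In `Package/strongswan/install`, `find $(1) -name \*.old | xargs rm -rf` word-splits paths and uses `-r` where only files are matched; `find $(1) -name '*.old' -exec rm -f {} +` does the same job without either.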
@@ -0,0 +1,34 @@
+#!/bin/sh
+
+# snarf the code that loads the config values
+# since we also load the functions, might as well save the shell calls
+. /etc/init.d/ipsec
+
+[ -n "$IPSEC_RESET_BUTTON" -a "$BUTTON" = "$IPSEC_RESET_BUTTON" ] || exit
+
+if [ ! -e /var/run/pluto.pid ] ; then
+
+ [ "$ACTION" = "pressed" ] && start
+
+else
+
+ if [ "$ACTION" = "pressed" ] ; then
+
+ stop
+
+ elif [ "$ACTION" = "released" ] ; then
+
+ while [ -e /var/run/pluto.pid ] ; do
+ sleep 1
+ done
+
+ while ps auxww | grep ipsec | grep -v grep ; do
+ sleep 1
+ done
+
+ start
+
+ fi
+
+fi
+
diff --git a/package/strongswan/files/ipsec.conf b/package/strongswan/files/ipsec.conf
new file mode 100644
index 0000000000..8f59008831
--- /dev/null
+++ b/package/strongswan/files/ipsec.conf
@@ -0,0 +1,34 @@
+
+version 2.0
+
+config setup
+ interfaces=%defaultroute
+ nat_traversal=yes # required on both ends
+ uniqueids=yes # makes sense on client, not server
+ hidetos=no
+
+conn %default
+ authby=rsasig
+ keyingtries=3
+ keyexchange=ike
+ left=%defaultroute
+ leftrsasigkey=%cert
+ rightrsasigkey=%cert
+ dpdtimeout=30 # keepalive must arrive within
+ dpddelay=5 # secs before keepalives start
+ compress=no # breaks double nat installations
+ pfs=yes
+
+conn sample
+ leftca=%same
+ leftcert=my.certificate.crt
+ leftsourceip=192.168.10.1
+ leftsubnet=192.168.10.0/24
+ right=my.vpn.concentrator.net.
+ rightca=%same
+ rightid="C=??, ST=??, O=??, OU=??, CN=my.vpn.concentrator.net, E=root@concentrator.net"
+ rightsourceip=192.168.11.1
+ rightsubnet=192.168.11.0/24
+ dpdaction=hold
+ auto=start
+
diff --git a/package/strongswan/files/ipsec.config b/package/strongswan/files/ipsec.config
new file mode 100644
index 0000000000..b4865e40b5
--- /dev/null
+++ b/package/strongswan/files/ipsec.config
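Review bot: The `released` branch waits in two unbounded loops — on `/var/run/pluto.pid` and on `ps auxww | grep ipsec | grep -v grep` — inside a hotplug handler, so a daemon that fails to exit, or any unrelated process with `ipsec` in its command line (an operator's `vi /etc/ipsec.conf`, for instance), blocks every later button and iface event. Bound the wait and match the daemon rather than the substring, e.g. `n=0; while [ -e /var/run/pluto.pid ] && [ $n -lt 30 ]; do sleep 1; n=$((n+1)); done` for the first loop and `ps auxww | grep -v grep | grep -q '/usr/lib/ipsec/'` for the second, which mirrors the `/ipsec/` selector the sourced init script's `stop()` uses. If the bound is hit, log it and still fall through to `start` so a stuck daemon is at least reported.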
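Review bot: `conn sample` ships placeholder values (`leftcert=my.certificate.crt`, `right=my.vpn.concentrator.net.`, `rightid="C=??, ..."`) yet is set to `auto=start`, so presumably pluto will try to load a missing certificate and initiate to an unresolvable peer on every boot, filling the log with failures before the operator has configured anything. A shipped template should be inert until edited: `auto=ignore # set to start once leftcert, right and rightid are filled in`. `authby=rsasig` with `%cert` and `pfs=yes` is a sound baseline; consider also pinning explicit `ike=`/`esp=` proposals in `conn %default` so the negotiated cipher suite does not depend on the daemon's compiled-in defaults.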
@@ -0,0 +1,21 @@
+
+# Configure button/light behavior here.
+config device
+ option reset_button ses
+ option status_start ses_orange
+ option status_valid ses_white
+
+# iptables setup for traffic to/from this host
+config filter
+ option rule_in input_rule
+ option dest_in ACCEPT
+ option rule_out output_rule
+ option dest_out ACCEPT
+
+# iptables setup for traffic to/from another host
+config forward
+ option rule_in forwarding_rule
+ option dest_in forwarding_vpn_in
+ option rule_out forwarding_rule
+ option dest_out forwarding_vpn_out
+
diff --git a/package/strongswan/files/ipsec.cron b/package/strongswan/files/ipsec.cron
new file mode 100644
index 0000000000..d8c7dccfa8
--- /dev/null
+++ b/package/strongswan/files/ipsec.cron
@@ -0,0 +1,2 @@
+#!/bin/sh
+/usr/sbin/ipsec wakeup
diff --git a/package/strongswan/files/ipsec.iface b/package/strongswan/files/ipsec.iface
new file mode 100644
index 0000000000..95e0958b84
--- /dev/null
+++ b/package/strongswan/files/ipsec.iface
@@ -0,0 +1,8 @@
+NAME=ipsec
+CTLFILE="/var/run/pluto.ctl"
+
+[ "$ACTION" = "ifup" -a "$INTERFACE" = "wan" ] || exit
+
+[ -e "$CTLFILE" ] || exit
+
+/etc/init.d/ipsec restart
diff --git a/package/strongswan/files/ipsec.init b/package/strongswan/files/ipsec.init
new file mode 100644
index 0000000000..4e8b8a2166
--- /dev/null
+++ b/package/strongswan/files/ipsec.init
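Review bot: `config forward` points `dest_in`/`dest_out` at chains `forwarding_vpn_in` and `forwarding_vpn_out`, but nothing in this commit creates them; unless the firewall configuration happens to define those chains, `iptables -I forwarding_rule 1 ... -j forwarding_vpn_in` fails, the `upfirewall` helper added elsewhere in this commit does not appear to check iptables' exit status, and forwarded tunnel traffic is then governed only by whatever `FORWARD` already allows. Either ship the two chains (an empty user chain simply returns to `forwarding_rule`, a fail-closed default the operator can populate) or state the requirement in this file: `# forwarding_vpn_in/out must exist before ipsec starts; empty chains fall back to FORWARD`. The `filter` section's `ACCEPT` at position 1 of `input_rule` admits every protocol and port from the peer's subnet that matches the IPsec policy; pointing `dest_in` at a dedicated chain narrowed to the services meant to be reachable over the tunnel would follow least privilege.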
@@ -0,0 +1,101 @@
+#!/bin/sh /etc/rc.common
+
+START=65
+
+config_cb() {
+ local cfg="$CONFIG_SECTION"
+ local cfgt
+ config_get cfgt "$cfg" TYPE
+
+ case "$cfgt" in
+ device)
+ config_get IPSEC_RESET_BUTTON $cfg reset_button
+ config_get IPSEC_STATUS_LED_START $cfg status_start
+ config_get IPSEC_STATUS_LED_VALID $cfg status_valid
+ ;;
+ filter)
+ config_get IPSEC_UPDOWN_RULE_IN $cfg rule_in
+ config_get IPSEC_UPDOWN_DEST_IN $cfg dest_in
+ config_get IPSEC_UPDOWN_RULE_OUT $cfg rule_out
+ config_get IPSEC_UPDOWN_DEST_OUT $cfg dest_out
+ ;;
+ forward)
+ config_get IPSEC_UPDOWN_FWD_RULE_IN $cfg rule_in
+ config_get IPSEC_UPDOWN_FWD_DEST_IN $cfg dest_in
+ config_get IPSEC_UPDOWN_FWD_RULE_OUT $cfg rule_out
+ config_get IPSEC_UPDOWN_FWD_DEST_OUT $cfg dest_out
+ ;;
+ *)
+ ;;
+ esac
+}
+
+config_load ipsec
+
+export IPSEC_RESET_BUTTON
+export IPSEC_STATUS_LED_START
+export IPSEC_STATUS_LED_VALID
+
+export IPSEC_UPDOWN_RULE_IN
+export IPSEC_UPDOWN_DEST_IN
+export IPSEC_UPDOWN_RULE_OUT
+export IPSEC_UPDOWN_DEST_OUT
+
+export IPSEC_UPDOWN_FWD_RULE_IN
+export IPSEC_UPDOWN_FWD_DEST_IN
+export IPSEC_UPDOWN_FWD_RULE_OUT
+export IPSEC_UPDOWN_FWD_DEST_OUT
+
+
+start() {
+
+ [ -f /etc/ipsec.conf ] || exit
+ [ -e /var/run/starter.pid ] && exit
+
+ /usr/sbin/ipsec _showstatus start
+
+ # stuff the dnsmasq cache in case dns is on our own subnet
+ for peer in `grep left= /etc/ipsec.conf | \
+ cut -f 1 -d% | cut -f 2 -d=` ; do
+ ping -c 1 $peer > /dev/null 2>&1
+ done
+
+ /usr/sbin/ipsec start || exit
+
+ # work around broken routing behavior:
+ # a route to the local wan segment will appear
+ # the need was removed in the patched _updown script
+
+ while !
route -n | grep -q ipsec ; do sleep 1 ; done
+
+ defint=`route -n | awk '/^0.0.0.0/{print $8}'`
+ defnet=`route -n | grep $defint | awk '!/^0.0.0.0/{print $1}'`
+ dnmask=`route -n | grep $defint | awk '!/^0.0.0.0/{print $3}'`
+ tundev=`route -n | grep $defnet | awk '/ipsec/{print $8}'`
+
+ route del -net $defnet netmask $dnmask dev $tundev
+}
+
+
+stop() {
+
+ /usr/sbin/ipsec stop 2> /dev/null
+
+ # wait until the shutdown actually happens
+ while [ -e /var/run/starter.pid ] ; do
+ if [ -d /proc/`cat /var/run/starter.pid` ] ; then
+ sleep 1
+ else
+ rm /var/run/starter.pid
+ fi
+ done
+
+ # kill any lingering processes
+ while ps auxww | grep -q ipsec | grep -v init.d; do
+ kill `ps auxww | grep -v init.d | awk '/\/ipsec\//{print $1}'` 2> /dev/null
+ sleep 1
+ done
+
+ ipsec _showstatus stop
+}
+
diff --git a/package/strongswan/patches/100-ar-fixes.patch b/package/strongswan/patches/100-ar-fixes.patch
new file mode 100644
index 0000000000..d6ce9f337a
--- /dev/null
+++ b/package/strongswan/patches/100-ar-fixes.patch
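Review bot: In `stop()` the lingering-process loop is dead code: `ps auxww | grep -q ipsec | grep -v init.d` pipes the (empty) output of `grep -q` into `grep -v`, which therefore always exits non-zero, so the `kill` body never runs and orphaned `/usr/lib/ipsec/*` processes survive a stop. Test what the `kill` line itself selects instead: `while [ -n "$(ps auxww | grep -v init.d | awk '/\/ipsec\//{print $1}')" ]; do`, and note that `$1` is the PID only under busybox `ps` (procps `ps aux` prints USER first). `start()` greps `left=` to pre-resolve peers, but in the shipped `ipsec.conf` the remote side is `right=` and `left=%defaultroute` reduces to an empty argument for `ping`; `right=` looks like what was intended. Both functions also wait in unbounded `while` loops, and since `START=65` runs this synchronously at boot a KLIPS interface that never appears would presumably stall the boot sequence; a bounded retry that logs and exits non-zero is safer.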
@@ -0,0 +1,76 @@
+diff -ruN strongswan-2.8.1-orig/lib/libcrypto/libaes/Makefile strongswan-2.8.1/lib/libcrypto/libaes/Makefile
+--- strongswan-2.8.1-orig/lib/libcrypto/libaes/Makefile 2004-03-22 16:53:16.000000000 -0500
++++ strongswan-2.8.1/lib/libcrypto/libaes/Makefile 2007-01-17 00:48:52.260789653 -0500
+@@ -25,10 +25,8 @@
+
+ $(BLIB): $(LIBOBJ)
+ /bin/rm -f $(BLIB)
+- ar cr $(BLIB) $(LIBOBJ)
+- -if test -s /bin/ranlib; then /bin/ranlib $(BLIB); \
+- else if test -s /usr/bin/ranlib; then /usr/bin/ranlib $(BLIB); \
+- else exit 0; fi; fi
++ $(AR) cr $(BLIB) $(LIBOBJ)
++ $(RANLIB) $(BLIB)
+
+ testx: test_main_mac.o $(BLIB)
+ $(CC) -o $@ $^
+diff -ruN strongswan-2.8.1-orig/lib/libcrypto/libblowfish/Makefile strongswan-2.8.1/lib/libcrypto/libblowfish/Makefile
+--- strongswan-2.8.1-orig/lib/libcrypto/libblowfish/Makefile 2004-03-22 16:53:16.000000000 -0500
++++ strongswan-2.8.1/lib/libcrypto/libblowfish/Makefile 2007-01-17 01:40:41.716879761 -0500
+@@ -58,7 +58,7 @@
+ lib: $(LIB)
+
+ $(LIB): $(LIBOBJ)
+- $(AR) $(LIB) $(LIBOBJ)
++ $(AR) -r $(LIB) $(LIBOBJ)
+ $(RANLIB) $(LIB)
+
+ # elf
+diff -ruN strongswan-2.8.1-orig/lib/libcrypto/libserpent/Makefile strongswan-2.8.1/lib/libcrypto/libserpent/Makefile
+--- strongswan-2.8.1-orig/lib/libcrypto/libserpent/Makefile 2004-03-22 16:53:16.000000000 -0500
++++ strongswan-2.8.1/lib/libcrypto/libserpent/Makefile 2007-01-17 00:50:37.692571031 -0500
+@@ -8,10 +8,8 @@
+
+ $(BLIB): $(LIBOBJ)
+ /bin/rm -f $(BLIB)
+- ar cr $(BLIB) $(LIBOBJ)
+- -if test -s /bin/ranlib; then /bin/ranlib $(BLIB); \
+- else if test -s /usr/bin/ranlib; then /usr/bin/ranlib $(BLIB); \
+- else exit 0; fi; fi
++ $(AR) cr $(BLIB) $(LIBOBJ)
++ $(RANLIB) $(BLIB)
+
+ test: test_main.o $(BLIB)
+ $(CC) -o $@ $^
+diff -ruN strongswan-2.8.1-orig/lib/libcrypto/libsha2/Makefile strongswan-2.8.1/lib/libcrypto/libsha2/Makefile
+--- strongswan-2.8.1-orig/lib/libcrypto/libsha2/Makefile 2004-03-22 16:53:16.000000000 -0500
++++ strongswan-2.8.1/lib/libcrypto/libsha2/Makefile
2007-01-17 00:50:46.050791555 -0500
+@@ -9,10 +9,8 @@
+
+ $(BLIB): $(LIBOBJ)
+ /bin/rm -f $(BLIB)
+- ar cr $(BLIB) $(LIBOBJ)
+- -if test -s /bin/ranlib; then /bin/ranlib $(BLIB); \
+- else if test -s /usr/bin/ranlib; then /usr/bin/ranlib $(BLIB); \
+- else exit 0; fi; fi
++ $(AR) cr $(BLIB) $(LIBOBJ)
++ $(RANLIB) $(BLIB)
+
+ test: test_main.o $(BLIB)
+ $(CC) -o $@ $^
+diff -ruN strongswan-2.8.1-orig/lib/libcrypto/libtwofish/Makefile strongswan-2.8.1/lib/libcrypto/libtwofish/Makefile
+--- strongswan-2.8.1-orig/lib/libcrypto/libtwofish/Makefile 2004-03-22 16:53:17.000000000 -0500
++++ strongswan-2.8.1/lib/libcrypto/libtwofish/Makefile 2007-01-17 00:50:53.533988997 -0500
+@@ -9,10 +9,8 @@
+
+ $(BLIB): $(LIBOBJ)
+ /bin/rm -f $(BLIB)
+- ar cr $(BLIB) $(LIBOBJ)
+- -if test -s /bin/ranlib; then /bin/ranlib $(BLIB); \
+- else if test -s /usr/bin/ranlib; then /usr/bin/ranlib $(BLIB); \
+- else exit 0; fi; fi
++ $(AR) cr $(BLIB) $(LIBOBJ)
++ $(RANLIB) $(BLIB)
+
+ test: test_main.o $(BLIB)
+ $(CC) -o $@ $^
diff --git a/package/strongswan/patches/110-make-ipsec.patch b/package/strongswan/patches/110-make-ipsec.patch
new file mode 100644
index 0000000000..861def4118
--- /dev/null
+++ b/package/strongswan/patches/110-make-ipsec.patch
@@ -0,0 +1,10 @@
+diff -ruN strongswan-2.8.1-orig/programs/ipsec/Makefile strongswan-2.8.1/programs/ipsec/Makefile
+--- strongswan-2.8.1-orig/programs/ipsec/Makefile 2006-02-10 06:27:31.000000000 -0500
++++ strongswan-2.8.1/programs/ipsec/Makefile 2007-01-17 02:46:06.027124968 -0500
+@@ -24,5 +24,5 @@
+ include ../Makefile.program
+
+ install:: ipsec
+- @$(INSTALL) $(INSTBINFLAGS) ipsec $(RCDIR)/ipsec
++ @$(INSTALL) $(INSTBINFLAGS) -D ipsec $(RCDIR)/ipsec
+
diff --git a/package/strongswan/patches/120-make-pluto.patch b/package/strongswan/patches/120-make-pluto.patch
new file mode 100644
index 0000000000..890863fa0e
--- /dev/null
+++ b/package/strongswan/patches/120-make-pluto.patch
@@ -0,0 +1,12 @@
+diff -ruN strongswan-2.8.1-orig/programs/pluto/alg/Makefile strongswan-2.8.1/programs/pluto/alg/Makefile
+--- strongswan-2.8.1-orig/programs/pluto/alg/Makefile 2004-06-23 00:45:20.000000000 -0400
++++ strongswan-2.8.1/programs/pluto/alg/Makefile 2007-01-17 00:19:58.249033414 -0500
+@@ -20,7 +20,7 @@
+ include Config.ike_alg
+
+ LIBCRYPTO:=../../../lib/libcrypto
+-ALLFLAGS=$(CPPFLAGS) $(CFLAGS) -I .. -I- -I ../../../linux/include -I $(LIBCRYPTO)
++ALLFLAGS=$(CPPFLAGS) $(CFLAGS) -I .. -I- -I ../../../linux/include -I $(LIBCRYPTO) $(USERCOMPILE)
+ LIBALG := libalg.o
+
+ all : $(LIBALG)
diff --git a/package/strongswan/patches/130-make-starter.patch b/package/strongswan/patches/130-make-starter.patch
new file mode 100644
index 0000000000..9250f01081
--- /dev/null
+++ b/package/strongswan/patches/130-make-starter.patch
@@ -0,0 +1,20 @@
+diff -ruN strongswan-2.8.1-orig/programs/starter/Makefile strongswan-2.8.1/programs/starter/Makefile
+--- strongswan-2.8.1-orig/programs/starter/Makefile 2006-02-17 14:34:02.000000000 -0500
++++ strongswan-2.8.1/programs/starter/Makefile 2007-01-17 16:15:30.740490094 -0500
+@@ -16,7 +16,6 @@
+ FREESWANSRCDIR?=$(shell cd ../..; pwd)
+ include ${FREESWANSRCDIR}/Makefile.inc
+
+-LD=$(CC)
+ RM=rm
+ LEX=flex
+ BISON=bison
+@@ -59,7 +58,7 @@
+ all: starter
+
+ starter: $(OBJS) $(FREESWANLIB)
+- $(LD) $(LDFLAGS) -o starter $(OBJS) $(LIBS)
++ $(CC) $(LDFLAGS) -o starter $(OBJS) $(LIBS)
+
+ lex.yy.c: parser.tab.c parser.l parser.y parser.h
+ $(LEX) parser.l
diff --git a/package/strongswan/patches/200-wakeup-showstatus.patch b/package/strongswan/patches/200-wakeup-showstatus.patch
new file mode 100644
index 0000000000..2722282454
--- /dev/null
+++ b/package/strongswan/patches/200-wakeup-showstatus.patch
@@ -0,0 +1,227 @@ +diff -ruN strongswan-2.8.2-orig/programs/Makefile strongswan-2.8.2/programs/Makefile +--- strongswan-2.8.2-orig/programs/Makefile 2006-08-28 07:12:36.000000000 -0400 ++++ strongswan-2.8.2/programs/Makefile 2007-02-05 00:27:47.214280563 -0500 +@@ -22,7 +22,7 @@ + SUBDIRS+=_realsetup _secretcensor _startklips _updown _updown_espmark + SUBDIRS+=auto barf ipsec look manual ranbits secrets starter + SUBDIRS+=rsasigkey send-pr setup showdefaults showhostkey calcgoo mailkey +-SUBDIRS+=ikeping examples openac scepclient ++SUBDIRS+=ikeping examples openac scepclient _showstatus wakeup + + ifeq ($(USE_LWRES),true) + SUBDIRS+=lwdnsq +diff -ruN strongswan-2.8.2-orig/programs/_showstatus/Makefile strongswan-2.8.2/programs/_showstatus/Makefile +--- strongswan-2.8.2-orig/programs/_showstatus/Makefile 1969-12-31 19:00:00.000000000 -0500 ++++ strongswan-2.8.2/programs/_showstatus/Makefile 2007-02-05 00:31:11.380714322 -0500 +@@ -0,0 +1,22 @@ ++# Makefile for miscelaneous programs ++# Copyright (C) 2002 Michael Richardson ++# ++# This program is free software; you can redistribute it and/or modify it ++# under the terms of the GNU General Public License as published by the ++# Free Software Foundation; either version 2 of the License, or (at your ++# option) any later version. See . ++# ++# This program is distributed in the hope that it will be useful, but ++# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY ++# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++# for more details. ++# ++# RCSID $Id: Makefile,v 1.3 2006/04/17 06:48:49 as Exp $ ++ ++FREESWANSRCDIR=../.. 
++include ${FREESWANSRCDIR}/Makefile.inc ++ ++PROGRAM=_showstatus ++PROGRAMDIR=${LIBDIR} ++ ++include ../Makefile.program +diff -ruN strongswan-2.8.2-orig/programs/_showstatus/_showstatus.8 strongswan-2.8.2/programs/_showstatus/_showstatus.8 +--- strongswan-2.8.2-orig/programs/_showstatus/_showstatus.8 1969-12-31 19:00:00.000000000 -0500 ++++ strongswan-2.8.2/programs/_showstatus/_showstatus.8 2007-02-05 00:36:00.650410824 -0500 +@@ -0,0 +1,23 @@ ++.TH _showstatus 8 "03 Feb 2007" ++.\" ++.\" RCSID $Id: _showstatus.8 ++.\" ++.SH NAME ++ipsec _showstatus \- give state feedback via led or other method ++.SH SYNOPSIS ++.I _showstatus ++is invoked by _updown to trigger led's, or other distribution ++or platform specific behavior. Presently, the SES button is ++supported as a status light on OpenWRT platforms. The button ++is configurable by environment variable: ++-B IPSEC_STATUS_LED_START ++defaults to ses_orange, and ++-B IPSEC_STATUS_LED_VALID ++defaults to ses_white. ++.SH "SEE ALSO" ++ipsec(8), ipsec_updown(8). ++.SH HISTORY ++Man page written for the Linux strongSwan project ++by Kevin Cody Jr. Original manpage for _updown by Michael Richardson. ++Original program written by Henry Spencer. Extended for the Linux strongSwan ++project by Andreas Steffen. +diff -ruN strongswan-2.8.2-orig/programs/_showstatus/_showstatus.in strongswan-2.8.2/programs/_showstatus/_showstatus.in +--- strongswan-2.8.2-orig/programs/_showstatus/_showstatus.in 1969-12-31 19:00:00.000000000 -0500 ++++ strongswan-2.8.2/programs/_showstatus/_showstatus.in 2007-02-05 00:55:56.563116192 -0500 +@@ -0,0 +1,70 @@ ++#! /bin/sh ++# ++# Copyright (C) 2007 Kevin Cody Jr. ++# ++# This program is free software; you can redistribute it and/or modify it ++# under the terms of the GNU General Public License as published by the ++# Free Software Foundation; either version 2 of the License, or (at your ++# option) any later version. See . 
++# ++# This program is distributed in the hope that it will be useful, but ++# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY ++# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++# for more details. ++# ++# RCSID $Id: _showstatus.in ++ ++ ++LED_START=$IPSEC_STATUS_LED_START ++LED_VALID=$IPSEC_STATUS_LED_VALID ++ ++[ -z "$LED_START" ] && LED_START="ses_orange" ++[ -z "$LED_VALID" ] && LED_VALID="ses_white" ++ ++ ++setled() { ++ led=$1 ++ st=$2 ++ ++ [ -n "$led" -a -n "$st" ] || return ++ ++ if [ -w "/proc/diag/led/$led" ] ; then ++ echo "$st" > "/proc/diag/led/$led" ++ fi ++ ++ # integrate other led control methods here ++ ++} ++ ++ ++case "$1" in ++ 'start') ++ [ -n "$LED_VALID" ] && setled "$LED_START" 1 ++ [ -z "$LED_VALID" ] && setled "$LED_START" f ++ setled "$LED_VALID" 0 ++ ;; ++ 'stop') ++ setled "$LED_START" 0 ++ setled "$LED_VALID" 0 ++ ;; ++ 'valid') ++ setled "$LED_VALID" 1 ++ ;; ++ 'invalid') ++ setled "$LED_VALID" 0 ++ ;; ++ 'up') ++ [ -n "$LED_VALID" ] && setled "$LED_START" 0 ++ [ -z "$LED_VALID" ] && setled "$LED_START" 1 ++ setled "$LED_VALID" 1 ++ ;; ++ 'down') ++ [ -n "$LED_VALID" ] && setled "$LED_START" 1 ++ [ -z "$LED_VALID" ] && setled "$LED_START" f ++ setled "$LED_VALID" f ++ ;; ++ *) ++ echo "$0: unknown status $status" >&2 ++ ;; ++esac ++ +diff -ruN strongswan-2.8.2-orig/programs/wakeup/Makefile strongswan-2.8.2/programs/wakeup/Makefile +--- strongswan-2.8.2-orig/programs/wakeup/Makefile 1969-12-31 19:00:00.000000000 -0500 ++++ strongswan-2.8.2/programs/wakeup/Makefile 2007-02-05 00:28:03.960726309 -0500 +@@ -0,0 +1,22 @@ ++# Makefile for miscelaneous programs ++# Copyright (C) 2002 Michael Richardson ++# ++# This program is free software; you can redistribute it and/or modify it ++# under the terms of the GNU General Public License as published by the ++# Free Software Foundation; either version 2 of the License, or (at your ++# option) any later version. See . 
++# ++# This program is distributed in the hope that it will be useful, but ++# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY ++# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++# for more details. ++# ++# RCSID $Id: Makefile,v 1.3 2006/04/17 06:48:49 as Exp $ ++ ++FREESWANSRCDIR=../.. ++include ${FREESWANSRCDIR}/Makefile.inc ++ ++PROGRAM=wakeup ++PROGRAMDIR=${LIBDIR} ++ ++include ../Makefile.program +diff -ruN strongswan-2.8.2-orig/programs/wakeup/wakeup.8 strongswan-2.8.2/programs/wakeup/wakeup.8 +--- strongswan-2.8.2-orig/programs/wakeup/wakeup.8 1969-12-31 19:00:00.000000000 -0500 ++++ strongswan-2.8.2/programs/wakeup/wakeup.8 2007-02-05 00:36:34.029298760 -0500 +@@ -0,0 +1,16 @@ ++.TH wakeup 8 "03 Feb 2007" ++.\" ++.\" RCSID $Id: wakeup.8 ++.\" ++.SH NAME ++ipsec wakeup \- stalled and down connection detection ++.SH SYNOPSIS ++.I wakeup ++is invoked by cron and checks ipsec status, whacking as necessary. ++.SH "SEE ALSO" ++ipsec(8), ipsec_whack(8). ++.SH HISTORY ++Man page written for the Linux strongSwan project ++by Kevin Cody Jr. Original manpage for _updown by Michael Richardson. ++Original program written by Henry Spencer. Extended for the Linux strongSwan ++project by Andreas Steffen. +diff -ruN strongswan-2.8.2-orig/programs/wakeup/wakeup.in strongswan-2.8.2/programs/wakeup/wakeup.in +--- strongswan-2.8.2-orig/programs/wakeup/wakeup.in 1969-12-31 19:00:00.000000000 -0500 ++++ strongswan-2.8.2/programs/wakeup/wakeup.in 2007-02-05 00:28:03.961726336 -0500 +@@ -0,0 +1,38 @@ ++#! /bin/sh ++# wakeup script ++# ++# Copyright (C) 2007 Kevin Cody Jr. ++# ++# This program is free software; you can redistribute it and/or modify it ++# under the terms of the GNU General Public License as published by the ++# Free Software Foundation; either version 2 of the License, or (at your ++# option) any later version. See . 
++# ++# This program is distributed in the hope that it will be useful, but ++# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY ++# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++# for more details. ++# ++ ++# only applicable when ipsec is running ++[ -e /var/run/pluto.pid ] || exit ++ ++# loop through any erouted tunnels in the HOLD state ++for f in `ipsec status | awk '/erouted HOLD/{ print $2 }' | cut -f1 -d\: | cut -f2 -d\"` ; do ++ ++ # only whack if no pending events at all exists ++ ipsec status | grep STATE | grep -q $f || ++ ipsec whack --name $f --initiate --asynchronous ++ ++done ++ ++# loop through any tunnels that don't quite exist ++for f in `ipsec status | awk '/prospective erouted/{ print $2 }' | cut -f1 -d: | grep -v \# | cut -f2 -d\"` ; do ++ ++ ipsec status | grep STATE_QUICK | grep -q $f || { ++ ipsec status | grep STATE_MAIN | grep -q $f && ipsec down $f ++ ipsec up $f ++ } ++ ++done ++ diff --git a/package/strongswan/patches/210-updown.patch b/package/strongswan/patches/210-updown.patch new file mode 100644 index 0000000000..9361f43481 --- /dev/null +++ b/package/strongswan/patches/210-updown.patch 
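Review bot: In `wakeup.in` the connection names pulled from `ipsec status` are reused unquoted as grep patterns (`grep STATE | grep -q $f`, `grep STATE_QUICK | grep -q $f`), which is a substring/regex match — `vpn` counts as active whenever `vpn2` has a state, and a name containing `.` or `[` is misparsed — so stalled tunnels can be skipped or healthy ones bounced by `ipsec down`. Since the script already strips the surrounding double quotes from the names, match them back: `grep STATE | grep -qF "\"$f\""` (and likewise for the `STATE_QUICK`/`STATE_MAIN` checks), and quote `"$f"` in the `whack`/`up`/`down` calls. `_showstatus.in` reports `unknown status $status` but never assigns `status`; that should be `$1`. Its `[ -z "$LED_VALID" ]` arms are also unreachable because `LED_VALID` is defaulted to `ses_white` just above them.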
@@ -0,0 +1,660 @@ +diff -ruN strongswan-2.8.2-orig/programs/_updown/_updown.8 strongswan-2.8.2/programs/_updown/_updown.8 +--- strongswan-2.8.2-orig/programs/_updown/_updown.8 2006-04-17 02:48:49.000000000 -0400 ++++ strongswan-2.8.2/programs/_updown/_updown.8 2007-02-05 02:13:05.252612099 -0500 +@@ -8,8 +8,23 @@ + .I _updown + is invoked by pluto when it has brought up a new connection. This script + is used to insert the appropriate routing entries for IPsec operation. +-It can also be used to insert and delete dynamic iptables firewall rules. +-The interface to the script is documented in the pluto man page. ++It also inserts and deletes dynamic iptables firewall rules. IMPORTANT! ++By default, it will ACCEPT as appropriate on the INPUT, OUTPUT, FORWARD ++tables. Most distributions will want to change that to provide more ++flexibility in their firewall configuration. ++The script looks for the environment variables ++.B IPSEC_UPDOWN_RULE_IN ++for the iptables table it should insert into, ++.B IPSEC_UPDOWN_DEST_IN ++for where the rule should -j jump to, ++.B IPSEC_UPDOWN_RULE_OUT ++.B IPSEC_UPDOWN_DEST_OUT ++for the same on outgoing packets, and ++.B IPSEC_UPDOWN_FWD_RULE_IN ++.B IPSEC_UPDOWN_FWD_DEST_IN ++.B IPSEC_UPDOWN_FWD_RULE_OUT ++.B IPSEC_UPDOWN_FWD_DEST_OUT ++respectively for packets being forwarded to/from the local networks. + .SH "SEE ALSO" + ipsec(8), ipsec_pluto(8). 
+ .SH HISTORY +diff -ruN strongswan-2.8.2-orig/programs/_updown/_updown.in strongswan-2.8.2/programs/_updown/_updown.in +--- strongswan-2.8.2-orig/programs/_updown/_updown.in 2006-04-17 11:06:29.000000000 -0400 ++++ strongswan-2.8.2/programs/_updown/_updown.in 2007-02-05 02:08:24.969100428 -0500 +@@ -5,6 +5,7 @@ + # Copyright (C) 2003-2004 Tuomo Soini + # Copyright (C) 2002-2004 Michael Richardson + # Copyright (C) 2005-2006 Andreas Steffen ++# Copyright (C) 2007 Kevin Cody Jr + # + # This program is free software; you can redistribute it and/or modify it + # under the terms of the GNU General Public License as published by the +@@ -118,20 +119,61 @@ + # restricted on the peer side. + # + +-# uncomment to log VPN connections +-VPN_LOGGING=1 +-# ++# set to /bin/true to silence log messages ++LOGGER=logger ++ + # tag put in front of each log entry: + TAG=vpn +-# ++ + # syslog facility and priority used: +-FAC_PRIO=local0.notice +-# +-# to create a special vpn logging file, put the following line into +-# the syslog configuration file /etc/syslog.conf: +-# +-# local0.notice -/var/log/vpn +-# ++FAC_PRIO=authpriv.info ++ ++ ++# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY ++if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ] ; then ++ IPSEC_POLICY_IN="" ++ IPSEC_POLICY_OUT="" ++else ++ IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID" ++ IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" ++ IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" ++fi ++ ++# are there port numbers? 
++if [ "$PLUTO_MY_PORT" != 0 ] ; then ++ S_MY_PORT="--sport $PLUTO_MY_PORT" ++ D_MY_PORT="--dport $PLUTO_MY_PORT" ++fi ++ ++if [ "$PLUTO_PEER_PORT" != 0 ] ; then ++ S_PEER_PORT="--sport $PLUTO_PEER_PORT" ++ D_PEER_PORT="--dport $PLUTO_PEER_PORT" ++fi ++ ++# import firewall behavior ++IPT_RULE_IN=$IPSEC_UPDOWN_RULE_IN ++IPT_DEST_IN=$IPSEC_UPDOWN_DEST_IN ++IPT_RULE_OUT=$IPSEC_UPDOWN_RULE_OUT ++IPT_DEST_OUT=$IPSEC_UPDOWN_DEST_OUT ++ ++# import forwarding behavior ++FWD_RULE_IN=$IPSEC_UPDOWN_FWD_RULE_IN ++FWD_DEST_IN=$IPSEC_UPDOWN_FWD_DEST_IN ++FWD_RULE_OUT=$IPSEC_UPDOWN_FWD_RULE_OUT ++FWD_DEST_OUT=$IPSEC_UPDOWN_FWD_DEST_OUT ++ ++# default firewall behavior ++[ -z "$IPT_RULE_IN" ] && IPT_RULE_IN=INPUT ++[ -z "$IPT_DEST_IN" ] && IPT_DEST_IN=ACCEPT ++[ -z "$IPT_RULE_OUT" ] && IPT_RULE_OUT=OUTPUT ++[ -z "$IPT_DEST_OUT" ] && IPT_DEST_OUT=ACCEPT ++ ++# default forwarding behavior ++[ -z "$FWD_RULE_IN" ] && FWD_RULE_IN=FORWARD ++[ -z "$FWD_DEST_IN" ] && FWD_DEST_IN=ACCEPT ++[ -z "$FWD_RULE_OUT" ] && FWD_RULE_OUT=FORWARD ++[ -z "$FWD_DEST_OUT" ] && FWD_DEST_OUT=ACCEPT ++ + + # check interface version + case "$PLUTO_VERSION" in +@@ -150,8 +192,6 @@ + case "$1:$*" in + ':') # no parameters + ;; +-iptables:iptables) # due to (left/right)firewall; for default script only +- ;; + custom:*) # custom parameters (see above CAUTION comment) + ;; + *) echo "$0: unknown parameters \`$*'" >&2 +@@ -159,345 +199,307 @@ + ;; + esac + ++ + # utility functions for route manipulation + # Meddling with this stuff should not be necessary and requires great care. 
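Review bot: The new defaults fail open: when none of the `IPSEC_UPDOWN_*` variables reach the script, `IPT_DEST_IN`/`IPT_DEST_OUT`/`FWD_DEST_*` fall back to `ACCEPT` and the rules go in at position 1 of `INPUT`, `OUTPUT` and `FORWARD`, so a pluto started outside the OpenWrt init script (the only thing that exports those variables) silently accepts all traffic matching each tunnel's selectors. A safer default is to leave the `*_DEST_*` values empty when the environment does not supply them — the `[ -n "$in_rule" -a -n "$in_dest" ]` guards in `upfirewall` then insert nothing — and to log through `$LOGGER` that firewall integration is disabled, making ACCEPT an explicit opt-in. The change of `FAC_PRIO` from `local0.notice` to `authpriv.info` is a sensible home for VPN audit events, but it is a behavior change for anyone filtering syslog on `local0` and deserves a line in the man page or commit message.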
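Review bot: Dropping the `iptables:iptables)` arm means a connection that still sets `leftfirewall=yes`/`rightfirewall=yes` — which, per the removed comment, is what makes pluto invoke the script with `iptables` as its argument — now falls through to `*) echo "$0: unknown parameters ..."`, and whatever that arm does after the `echo` (its tail lies outside this hunk) the connection is no longer handled like the rest, even though the new `up-host:*`/`down-host:*` arms accept any argument. Keep tolerating the legacy argument so existing configurations do not break: `':'|iptables:iptables) # no parameters, or legacy (left/right)firewall=yes`. The enclosing `case` statement closes outside this hunk.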
++ + uproute() { + doroute add + ip route flush cache + } ++ + downroute() { + doroute delete + ip route flush cache + } + ++upfirewall() { ++ in_rule=$1 ++ in_dest=$2 ++ out_rule=$3 ++ out_dest=$4 ++ ++ [ -n "$in_rule" -a -n "$in_dest" ] && \ ++ iptables -I $in_rule 1 \ ++ -i $PLUTO_INTERFACE \ ++ -p $PLUTO_MY_PROTOCOL \ ++ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ ++ -d $PLUTO_MY_CLIENT $D_MY_PORT \ ++ $IPSEC_POLICY_IN \ ++ -j $in_dest ++ ++ [ -n "$out_rule" -a -n "$out_dest" ] && \ ++ iptables -I $out_rule 1 \ ++ -o $PLUTO_INTERFACE \ ++ -p $PLUTO_PEER_PROTOCOL \ ++ -s $PLUTO_MY_CLIENT $S_MY_PORT \ ++ -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ ++ $IPSEC_POLICY_OUT \ ++ -j $out_dest ++ ++} ++ ++downfirewall() { ++ in_rule=$1 ++ in_dest=$2 ++ out_rule=$3 ++ out_dest=$4 ++ ++ [ -n "$in_rule" -a -n "$in_dest" ] && \ ++ iptables -D $in_rule \ ++ -i $PLUTO_INTERFACE \ ++ -p $PLUTO_MY_PROTOCOL \ ++ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ ++ -d $PLUTO_MY_CLIENT $D_MY_PORT \ ++ $IPSEC_POLICY_IN \ ++ -j $in_dest ++ ++ [ -n "$out_rule" -a -n "$out_dest" ] && \ ++ iptables -D $out_rule \ ++ -o $PLUTO_INTERFACE \ ++ -p $PLUTO_PEER_PROTOCOL \ ++ -s $PLUTO_MY_CLIENT $S_MY_PORT \ ++ -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ ++ $IPSEC_POLICY_OUT \ ++ -j $out_dest ++ ++} ++ + addsource() { + st=0 +- if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local +- then ++ ++ if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local ; then ++ + it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE" + oops="`eval $it 2>&1`" + st=$? 
+- if test " $oops" = " " -a " $st" != " 0"
+- then
++
++ if [ " $oops" = " " -a " $st" != " 0" ] ; then
+ oops="silent error, exit status $st"
+ fi
+- if test " $oops" != " " -o " $st" != " 0"
+- then
++
++ if [ " $oops" != " " -o " $st" != " 0" ] ; then
+ echo "$0: addsource \`$it' failed ($oops)" >&2
+ fi
+ fi
++
+ return $st
+ }
+
+ doroute() {
+ st=0
+ parms="$PLUTO_PEER_CLIENT"
++ parms2="dev $PLUTO_INTERFACE"
+
+- parms2=
+- if [ -n "$PLUTO_NEXT_HOP" ]
+- then
+- parms2="via $PLUTO_NEXT_HOP"
+- fi
+- parms2="$parms2 dev $PLUTO_INTERFACE"
+-
+- if [ -z "$PLUTO_MY_SOURCEIP" ]
+- then
+- if [ -f /etc/sysconfig/defaultsource ]
+- then
+- . /etc/sysconfig/defaultsource
+- fi
++ if [ -z "$PLUTO_MY_SOURCEIP" ] ; then
+
+- if [ -f /etc/conf.d/defaultsource ]
+- then
+- . /etc/conf.d/defaultsource
+- fi
++ [ -f /etc/sysconfig/defaultsource ] && \
++ . /etc/sysconfig/defaultsource
++
++ [ -f /etc/conf.d/defaultsource ] && \
++ . /etc/conf.d/defaultsource
++
++ [ -n "$DEFAULTSOURCE" ] && \
++ PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
+
+- if [ -n "$DEFAULTSOURCE" ]
+- then
+- PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
+- fi
+ fi
+
+ parms3=
+- if test "$1" = "add" -a -n "$PLUTO_MY_SOURCEIP"
+- then
++ if [ "$1" = "add" -a -n "$PLUTO_MY_SOURCEIP" ] ; then
+ addsource
+ parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*}"
+ fi
+
+- case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+- "0.0.0.0/0.0.0.0")
++ if [ "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" = \
++ "0.0.0.0/0.0.0.0" ] ; then
+ # opportunistic encryption work around
+ # need to provide route that eclipses default, without
+ # replacing it.
+- it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
+- ip route $1 128.0.0.0/1 $parms2 $parms3"
+- ;;
+- *) it="ip route $1 $parms $parms2 $parms3"
+- ;;
+- esac
++ it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
++ ip route $1 128.0.0.0/1 $parms2 $parms3"
++ else
++ it="ip route $1 $parms $parms2 $parms3"
++ fi
++
+ oops="`eval $it 2>&1`"
+ st=$?
+- if test " $oops" = " " -a " $st" != " 0"
+- then
+- oops="silent error, exit status $st"
+- fi
+- if test " $oops" != " " -o " $st" != " 0"
+- then
+- echo "$0: doroute \`$it' failed ($oops)" >&2
++
++ if [ " $oops" = " " -a " $st" != " 0" ] ; then
++ oops="silent error, exit status $st"
+ fi
++
++ if [ " $oops" != " " -o " $st" != " 0" ] ; then
++ echo "$0: doroute \`$it' failed ($oops)" >&2
++ fi
++
+ return $st
+ }
+-
+-# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
+-if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
+-then
+- IPSEC_POLICY_IN=""
+- IPSEC_POLICY_OUT=""
+-else
+- IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
+- IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
+- IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
+-fi
+
+-# are there port numbers?
+-if [ "$PLUTO_MY_PORT" != 0 ]
+-then
+- S_MY_PORT="--sport $PLUTO_MY_PORT"
+- D_MY_PORT="--dport $PLUTO_MY_PORT"
+-fi
+-if [ "$PLUTO_PEER_PORT" != 0 ]
+-then
+- S_PEER_PORT="--sport $PLUTO_PEER_PORT"
+- D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+-fi
++dologentry() {
++ action=$1
++
++ if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ] ; then
++ rem="$PLUTO_PEER"
++ else
++ rem="$PLUTO_PEER_CLIENT == $PLUTO_PEER"
++ fi
++
++ if [ "$PLUTO_MY_CLIENT" == "$PLUTO_ME/32" ] ; then
++ loc="$PLUTO_ME"
++ else
++ loc="$PLUTO_ME == $PLUTO_MY_CLIENT"
++ fi
++
++ $LOGGER -t $TAG -p $FAC_PRIO "$action $rem -- $loc ($PLUTO_PEER_ID)"
++}
++
+
+ # the big choice
++
+ case "$PLUTO_VERB:$1" in
+ prepare-host:*|prepare-client:*)
+ # delete possibly-existing route (preliminary to adding a route)
+- case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+- "0.0.0.0/0.0.0.0")
+- # need to provide route that eclipses default, without
++
++ if [ "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" = \
++ "0.0.0.0/0.0.0.0" ] ; then
++ # need to remove the route that eclipses default, without
+ # replacing it.
+- parms1="0.0.0.0/1"
+- parms2="128.0.0.0/1"
+- it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
+- oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
+- ;;
+- *)
+- parms="$PLUTO_PEER_CLIENT"
+- it="ip route delete $parms 2>&1"
+- oops="`ip route delete $parms 2>&1`"
+- ;;
+- esac
+- status="$?"
+- if test " $oops" = " " -a " $status" != " 0"
+- then
+- oops="silent error, exit status $status"
++ it="( ip route delete 0.0.0.0/1 ;
++ ip route delete 128.0.0.0/1 )"
++ else
++ it="ip route delete $PLUTO_PEER_CLIENT"
++ fi
++
++ oops="`$it 2>&1`"
++ st="$?"
++
++ if [ " $oops" = " " -a " $st" != " 0" ] ; then
++ oops="silent error, exit status $st"
+ fi
++
+ case "$oops" in
+ *'RTNETLINK answers: No such process'*)
+ # This is what route (currently -- not documented!) gives
+ # for "could not find such a route".
+ oops=
+- status=0
++ st=0
+ ;;
+ esac
+- if test " $oops" != " " -o " $status" != " 0"
+- then
++
++ if [ " $oops" != " " -o " $st" != " 0" ] ; then
+ echo "$0: \`$it' failed ($oops)" >&2
+ fi
+- exit $status
++
++ exit $st
++
+ ;;
+ route-host:*|route-client:*)
+ # connection to me or my client subnet being routed
++
++ ipsec _showstatus valid
+ uproute
++
+ ;;
+ unroute-host:*|unroute-client:*)
+ # connection to me or my client subnet being unrouted
++
++ ipsec _showstatus invalid
+ downroute
++
+ ;;
+-up-host:)
++up-host:*)
+ # connection to me coming up
+- # If you are doing a custom version, firewall commands go here.
++
++ ipsec _showstatus up
++ upfirewall $IPT_RULE_IN $IPT_DEST_IN $IPT_RULE_OUT $OUT_DEST_OUT
++ dologentry "VPN-UP"
++
+ ;;
+-down-host:)
++down-host:*)
+ # connection to me going down
+- # If you are doing a custom version, firewall commands go here.
+- ;;
+-up-client:)
+- # connection to my client subnet coming up
+- # If you are doing a custom version, firewall commands go here.
+- ;;
+-down-client:)
+- # connection to my client subnet going down
+- # If you are doing a custom version, firewall commands go here.
++
++ ipsec _showstatus down
++ downfirewall $IPT_RULE_IN $IPT_DEST_IN $IPT_RULE_OUT $OUT_DEST_OUT
++ dologentry "VPN-DN"
++
+ ;;
+-up-host:iptables)
+- # connection to me, with (left/right)firewall=yes, coming up
+- # This is used only by the default updown script, not by your custom
+- # ones, so do not mess with it; see CAUTION comment up at top.
+- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+- -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
+- -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+- -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+- -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
+- #
+- # log IPsec host connection setup
+- if [ $VPN_LOGGING ]
+- then
+- if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
+- then
+- logger -t $TAG -p $FAC_PRIO \
+- "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME"
+- else
+- logger -t $TAG -p $FAC_PRIO \
+- "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+- fi
+- fi
+- ;;
+-down-host:iptables)
+- # connection to me, with (left/right)firewall=yes, going down
+- # This is used only by the default updown script, not by your custom
+- # ones, so do not mess with it; see CAUTION comment up at top.
+- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+- -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
+- -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+- -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+- -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
+- #
+- # log IPsec host connection teardown
+- if [ $VPN_LOGGING ]
+- then
+- if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
+- then
+- logger -t $TAG -p $FAC_PRIO -- \
+- "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME"
+- else
+- logger -t $TAG -p $FAC_PRIO -- \
+- "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+- fi
+- fi
+- ;;
+-up-client:iptables)
+- # connection to client subnet, with (left/right)firewall=yes, coming up
+- # This is used only by the default updown script, not by your custom
+- # ones, so do not mess with it; see CAUTION comment up at top.
+- if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+- then
+- iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+- -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
+- -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT \
+- $IPSEC_POLICY_OUT -j ACCEPT
+- iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+- -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
+- -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \
+- $IPSEC_POLICY_IN -j ACCEPT
++up-client:*)
++ # connection to client subnet coming up
++
++ ipsec _showstatus up
++
++ if [ "$PLUTO_MY_CLIENT" != "$PLUTO_ME/32" -a \
++ "$PLUTO_MY_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] ; then
++ upfirewall $FWD_RULE_IN $FWD_DEST_IN $FWD_RULE_OUT $FWD_DEST_OUT
+ fi
+- #
++
+ # a virtual IP requires an INPUT and OUTPUT rule on the host
+ # or sometimes host access via the internal IP is needed
+- if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+- then
+- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+- -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
+- -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \
+- $IPSEC_POLICY_IN -j ACCEPT
+- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+- -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
+- -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT \
+- $IPSEC_POLICY_OUT -j ACCEPT
+- fi
+- #
+- # log IPsec client connection setup
+- if [ $VPN_LOGGING ]
+- then
+- if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
+- then
+- logger -t $TAG -p $FAC_PRIO \
+- "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+- else
+- logger -t $TAG -p $FAC_PRIO \
+- "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+- fi
+- fi
+- ;;
+-down-client:iptables)
+- # connection to client subnet, with (left/right)firewall=yes, going down
+- # This is used only by the default updown script, not by your custom
+- # ones, so do not mess with it; see CAUTION comment up at top.
+- if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+- then
+- iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+- -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
+- -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT \
+- $IPSEC_POLICY_OUT -j ACCEPT
+- iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+- -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
+- -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \
+- $IPSEC_POLICY_IN -j ACCEPT
++ if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] ; then
++ upfirewall $IPT_RULE_IN $IPT_DEST_IN $IPT_RULE_OUT $OUT_DEST_OUT
++ fi
++
++ dologentry "VPN-UP"
++
++ ;;
++down-client:*)
++ # connection to client subnet going down
++
++ ipsec _showstatus down
++
++ if [ "$PLUTO_MY_CLIENT" != "$PLUTO_ME/32" -a \
++ "$PLUTO_MY_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] ; then
++ downfirewall $FWD_RULE_IN $FWD_DEST_IN $FWD_RULE_OUT $FWD_DEST_OUT
+ fi
+- #
++
+ # a virtual IP requires an INPUT and OUTPUT rule on the host
+ # or sometimes host access via the internal IP is needed
+- if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+- then
+- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+- -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
+- -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \
+- $IPSEC_POLICY_IN -j ACCEPT
+- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+- -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
+- -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT \
+- $IPSEC_POLICY_OUT -j ACCEPT
+- fi
+- #
+- # log IPsec client connection teardown
+- if [ $VPN_LOGGING ]
+- then
+- if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
+- then
+- logger -t $TAG -p $FAC_PRIO -- \
+- "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+- else
+- logger -t $TAG -p $FAC_PRIO -- \
+- "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+- fi
++ if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] ; then
++ downfirewall $IPT_RULE_IN $IPT_DEST_IN $IPT_RULE_OUT $OUT_DEST_OUT
+ fi
++
++ dologentry "VPN-DN"
++
+ ;;
+-#
+-# IPv6
+-#
+ prepare-host-v6:*|prepare-client-v6:*)
++
+ ;;
+ route-host-v6:*|route-client-v6:*)
+ # connection to me or my client subnet being routed
++
+ #uproute_v6
++
+ ;;
+ unroute-host-v6:*|unroute-client-v6:*)
+ # connection to me or my client subnet being unrouted
++
+ #downroute_v6
++
+ ;;
+ up-host-v6:*)
+ # connection to me coming up
+ # If you are doing a custom version, firewall commands go here.
++
+ ;;
+ down-host-v6:*)
+ # connection to me going down
+ # If you are doing a custom version, firewall commands go here.
++
+ ;;
+ up-client-v6:)
+ # connection to my client subnet coming up
+ # If you are doing a custom version, firewall commands go here.
++
+ ;;
+ down-client-v6:)
+ # connection to my client subnet going down
+ # If you are doing a custom version, firewall commands go here.
++
+ ;;
+-*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
++*)
++ echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
+ exit 1
++
+ ;;
+ esac
++
diff --git a/package/strongswan/patches/300-openwrt.patch b/package/strongswan/patches/300-openwrt.patch
new file mode 100644
index 0000000000..7386af56ab
--- /dev/null
+++ b/package/strongswan/patches/300-openwrt.patch
@@ -0,0 +1,24 @@
+diff -ruN strongswan-2.8.1-orig/Makefile.inc strongswan-2.8.1/Makefile.inc
+--- strongswan-2.8.1-orig/Makefile.inc 2007-01-11 16:42:11.000000000 -0500
++++ strongswan-2.8.1/Makefile.inc 2007-01-17 02:42:25.961297797 -0500
+@@ -123,7 +123,7 @@
+ # With a non-null DESTDIR, INC_RCDEFAULT will be used unless one of the
+ # INC_RCDIRS directories has been pre-created under DESTDIR.
+ INC_RCDIRS=/etc/rc.d/init.d /etc/rc.d /etc/init.d /sbin/init.d
+-INC_RCDEFAULT=/etc/rc.d/init.d
++INC_RCDEFAULT=/etc/init.d
+
+ # RCDIR is where boot/shutdown scripts go; FINALRCDIR is where they think
+ # will finally be (so utils/Makefile can create a symlink in BINDIR to the
+diff -ruN strongswan-2.8.1-orig/programs/showhostkey/showhostkey.in strongswan-2.8.1/programs/showhostkey/showhostkey.in
+--- strongswan-2.8.1-orig/programs/showhostkey/showhostkey.in 2004-03-15 15:35:31.000000000 -0500
++++ strongswan-2.8.1/programs/showhostkey/showhostkey.in 2007-01-17 00:02:35.433150839 -0500
+@@ -62,7 +62,7 @@
+ exit 1
+ fi
+
+-host="`hostname --fqdn`"
++host="`cat /proc/sys/kernel/hostname`"
+
+ awk ' BEGIN {
+ inkey = 0
diff --git a/package/strongswan/patches/310-make-ipsec-alg.patch b/package/strongswan/patches/310-make-ipsec-alg.patch
new file mode 100644
index 0000000000..cf4842a935
--- /dev/null
+++ b/package/strongswan/patches/310-make-ipsec-alg.patch
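Review bot: In the showhostkey.in hunk, `cat /proc/sys/kernel/hostname` yields the kernel nodename, not the fully-qualified name the replaced `hostname --fqdn` asked for, so whatever showhostkey later builds from `$host` (the rest of the script is not visible here) may now carry a short, unqualified name. If the only goal was to avoid a long option the target's hostname applet lacks, `hostname -f` may keep the original semantics where the applet supports it; otherwise the trade-off deserves a comment above the assignment, e.g. `# OpenWrt: no hostname --fqdn here; the kernel nodename may be unqualified`. Note also that the command substitution silently expands to an empty string if the /proc read fails, leaving `host` empty for the awk that follows.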
@@ -0,0 +1,18 @@
+diff -ruN strongswan-2.8.1-orig/linux/net/ipsec/alg/Makefile.alg_cryptoapi strongswan-2.8.1/linux/net/ipsec/alg/Makefile.alg_cryptoapi
+--- strongswan-2.8.1-orig/linux/net/ipsec/alg/Makefile.alg_cryptoapi 2004-03-22 16:53:19.000000000 -0500
++++ strongswan-2.8.1/linux/net/ipsec/alg/Makefile.alg_cryptoapi 2007-01-17 02:28:26.835241726 -0500
+@@ -1,10 +1,10 @@
+ MOD_CRYPTOAPI := ipsec_cryptoapi.o
+
+ ifneq ($(wildcard $(TOPDIR)/include/linux/crypto.h),)
+-ALG_MODULES += $(MOD_CRYPTOAPI)
+-obj-$(CONFIG_IPSEC_ALG_CRYPTOAPI) += $(MOD_CRYPTOAPI)
+-static_init-func-$(CONFIG_IPSEC_ALG_CRYPTOAPI)+= ipsec_cryptoapi_init
+-alg_obj-$(CONFIG_IPSEC_ALG_CRYPTOAPI) += ipsec_alg_cryptoapi.o
++#ALG_MODULES += $(MOD_CRYPTOAPI)
++#obj-$(CONFIG_IPSEC_ALG_CRYPTOAPI) += $(MOD_CRYPTOAPI)
++#static_init-func-$(CONFIG_IPSEC_ALG_CRYPTOAPI)+= ipsec_cryptoapi_init
++#alg_obj-$(CONFIG_IPSEC_ALG_CRYPTOAPI) += ipsec_alg_cryptoapi.o
+ else
+ $(warning "Linux CryptoAPI (2.4.22+ or 2.6.x) not found, not building ipsec_cryptoapi.o")
+ endif
diff --git a/package/strongswan/patches/320-no-modprobe.patch b/package/strongswan/patches/320-no-modprobe.patch
new file mode 100644
index 0000000000..cbd720a6a3
--- /dev/null
+++ b/package/strongswan/patches/320-no-modprobe.patch
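Review bot: Commenting out the four assignments leaves the `ifneq` true branch empty while the `else` branch still emits "Linux CryptoAPI ... not found, not building ipsec_cryptoapi.o", so a reader sees detection logic whose positive outcome now does nothing and no statement of why the CryptoAPI glue is disabled on this target. A one-line comment above the block would carry the intent, e.g. `# OpenWrt: ipsec_cryptoapi glue deliberately not built (reason: TODO-fill-in)`, and deleting the four lines instead of commenting them out would avoid leaving dead Make text behind. Since this decides which cipher backends KLIPS can use, the reason is worth recording in the patch rather than only in the commit.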
@@ -0,0 +1,105 @@
+diff -ruN strongswan-2.8.1-orig/programs/starter/klips.c strongswan-2.8.1/programs/starter/klips.c
+--- strongswan-2.8.1-orig/programs/starter/klips.c 2006-02-15 13:33:57.000000000 -0500
++++ strongswan-2.8.1/programs/starter/klips.c 2007-01-16 23:57:19.107972109 -0500
+@@ -44,7 +44,7 @@
+ unsetenv("MODPATH");
+ unsetenv("MODULECONF");
+ system("depmod -a >/dev/null 2>&1");
+- system("modprobe -qv ipsec");
++ system("insmod -qv ipsec");
+ }
+ if (stat(PROC_IPSECVERSION, &stb) == 0)
+ {
+@@ -62,11 +62,11 @@
+ /* make sure that all available crypto algorithms are loaded */
+ if (stat(PROC_MODULES, &stb) == 0)
+ {
+- system("modprobe -qv ipsec_aes");
+- system("modprobe -qv ipsec_serpent");
+- system("modprobe -qv ipsec_twofish");
+- system("modprobe -qv ipsec_blowfish");
+- system("modprobe -qv ipsec_sha2");
++ system("insmod -qv ipsec_aes");
++ system("insmod -qv ipsec_serpent");
++ system("insmod -qv ipsec_twofish");
++ system("insmod -qv ipsec_blowfish");
++ system("insmod -qv ipsec_sha2");
+ }
+
+ starter_klips_clear();
+diff -ruN strongswan-2.8.1-orig/programs/starter/netkey.c strongswan-2.8.1/programs/starter/netkey.c
+--- strongswan-2.8.1-orig/programs/starter/netkey.c 2006-02-15 13:33:57.000000000 -0500
++++ strongswan-2.8.1/programs/starter/netkey.c 2007-01-16 23:57:28.094204186 -0500
+@@ -36,7 +36,7 @@
+ /* af_key module makes the netkey proc interface visible */
+ if (stat(PROC_MODULES, &stb) == 0)
+ {
+- system("modprobe -qv af_key");
++ system("insmod -qv af_key");
+ }
+
+ /* now test again */
+@@ -52,11 +52,11 @@
+ /* make sure that all required IPsec modules are loaded */
+ if (stat(PROC_MODULES, &stb) == 0)
+ {
+- system("modprobe -qv ah4");
+- system("modprobe -qv esp4");
+- system("modprobe -qv ipcomp");
+- system("modprobe -qv xfrm4_tunnel");
+- system("modprobe -qv xfrm_user");
++ system("insmod -qv ah4");
++ system("insmod -qv esp4");
++ system("insmod -qv ipcomp");
++ system("insmod -qv xfrm4_tunnel");
++ system("insmod -qv xfrm_user");
+ }
+
+ DBG(DBG_CONTROL,
+diff -ruN strongswan-2.8.1-orig/programs/_startklips/_startklips.in strongswan-2.8.1/programs/_startklips/_startklips.in
+--- strongswan-2.8.1-orig/programs/_startklips/_startklips.in 2005-05-06 18:11:33.000000000 -0400
++++ strongswan-2.8.1/programs/_startklips/_startklips.in 2007-01-17 00:04:11.189627735 -0500
+@@ -249,7 +249,7 @@
+
+ if test ! -f $ipsecversion && test ! -f $netkey
+ then
+- modprobe -v af_key
++ insmod -v af_key
+ fi
+
+ if test -f $netkey
+@@ -257,11 +257,11 @@
+ klips=false
+ if test -f $modules
+ then
+- modprobe -qv ah4
+- modprobe -qv esp4
+- modprobe -qv ipcomp
+- modprobe -qv xfrm4_tunnel
+- modprobe -qv xfrm_user
++ insmod -qv ah4
++ insmod -qv esp4
++ insmod -qv ipcomp
++ insmod -qv xfrm4_tunnel
++ insmod -qv xfrm_user
+ fi
+ fi
+
+@@ -272,7 +272,7 @@
+ setmodule
+ unset MODPATH MODULECONF # no user overrides!
+ depmod -a >/dev/null 2>&1
+- modprobe -v ipsec
++ insmod -v ipsec
+ fi
+ if test ! -f $ipsecversion
+ then
+@@ -288,7 +288,7 @@
+ do
+ if test -f $moduleinstplace/alg/ipsec_$alg.o
+ then
+- modprobe ipsec_$alg
++ insmod ipsec_$alg
+ fi
+ done
+ fi
diff --git a/package/strongswan/patches/350-make-programs.patch b/package/strongswan/patches/350-make-programs.patch
new file mode 100644
index 0000000000..5c2173b469
--- /dev/null
+++ b/package/strongswan/patches/350-make-programs.patch
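Review bot: Swapping `modprobe` for `insmod` gives up dependency resolution and modules.dep lookup, yet the `system("depmod -a >/dev/null 2>&1");` call before `insmod -qv ipsec` in klips.c and the `depmod -a >/dev/null 2>&1` before `insmod -v ipsec` in _startklips.in are kept, so they now do work nothing consumes; either drop them in the same patch or leave a comment saying why they stay. Whether the target's insmod accepts a bare module name such as `ipsec` rather than a file path, and whether it honours `-q`/`-v`, depends on the busybox build and kernel generation in use, and with `-q` a refused load is silent, so the only evidence of failure is the later `stat(PROC_IPSECVERSION, &stb)` check; a comment above the first replaced call, e.g. `/* OpenWrt: busybox insmod, no dependency resolution; each module must load on its own */`, would record that assumption. If any of ah4, esp4, ipcomp, xfrm4_tunnel or xfrm_user depends on another module on the netkey path, insmod will not pull it in. The same pattern recurs in every hunk of this file, so one comment at the klips.c site is enough.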
@@ -0,0 +1,20 @@
+diff -ruN strongswan-2.8.2-orig/programs/Makefile strongswan-2.8.2/programs/Makefile
+--- strongswan-2.8.2-orig/programs/Makefile 2006-08-28 07:12:36.000000000 -0400
++++ strongswan-2.8.2/programs/Makefile 2007-02-04 01:24:18.751598552 -0500
+@@ -17,12 +17,10 @@
+ FREESWANSRCDIR=..
+ include ${FREESWANSRCDIR}/Makefile.inc
+
+-SUBDIRS=spi eroute spigrp tncfg klipsdebug pf_key proc pluto
+-SUBDIRS+=_confread _copyright _include _keycensor _plutoload _plutorun
+-SUBDIRS+=_realsetup _secretcensor _startklips _updown _updown_espmark
+-SUBDIRS+=auto barf ipsec look manual ranbits secrets starter
+-SUBDIRS+=rsasigkey send-pr setup showdefaults showhostkey calcgoo mailkey
+-SUBDIRS+=ikeping examples openac scepclient _showstatus wakeup
++SUBDIRS=_copyright _updown _showstatus wakeup examples
++SUBDIRS+=barf calcgoo eroute ikeping klipsdebug look mailkey manual
++SUBDIRS+=openac pf_key pluto proc ranbits rsasigkey scepclient secrets
++SUBDIRS+=showdefaults showhostkey spi spigrp starter tncfg ipsec
+
+ ifeq ($(USE_LWRES),true)
+ SUBDIRS+=lwdnsq
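Review bot: `_startklips` is dropped from `SUBDIRS` here, but the 320-no-modprobe.patch hunk that precedes this file still edits `programs/_startklips/_startklips.in`, so that part of it patches a program the build no longer produces; either remove that hunk or note why it is retained. The new list also drops `_keycensor` and `_secretcensor` while keeping `barf`; if `barf` still shells out to those helpers to redact private keys and secrets from its diagnostic dump (not visible in this diff), it will break at run time, which is worth confirming before anyone relies on barf output being safe to share. A comment above the new `SUBDIRS=` line stating the selection rule would document the intent, e.g. `# OpenWrt: starter-only layout; setup/_realsetup/_plutorun/_confread and the censor helpers are not built`.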