Date: 15 Mar 2001 16:22:53 -0000 From: mlea-freebsd-gnats@atomicbluebear.org To: FreeBSD-gnats-submit@freebsd.org Subject: conf/25829: IPSec config in rc.network doesn't allow for IKE key management Message-ID: <20010315162253.4268.qmail@helium.atomicbluebear.org>
>Number: 25829
>Category: conf
>Synopsis: IPSec config in rc.network doesn't allow for IKE key management
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Thu Mar 15 08:30:01 PST 2001
>Closed-Date:
>Last-Modified:
>Originator: Michael Lea
>Release: FreeBSD 4.3-BETA i386
>Organization:
Individual User
>Environment:
System: FreeBSD helium.atomicbluebear.org 4.3-BETA FreeBSD 4.3-BETA #1: Wed Mar 14 10:09:53 CST 2001 mlea@helium.atomicbluebear.org:/usr/obj/usr/src/sys/GLUON i386
>Description:
IPSec keys and security associations must be established before network
services (like NFS) start. If an IKE daemon (like racoon) is being used to
handle security associations and key exchange, it must be started in
rc.network before other network services.
>How-To-Repeat:
>Fix:
This patch modifies /etc/defaults/rc.conf and /etc/rc.network to optionally start an IKE daemon (by default, racoon) immediately after setkey has been run to set the IPSec policies.
--- /usr/src/etc/rc.network Tue Mar 13 23:58:40 2001
+++ /etc/rc.network Thu Mar 15 09:57:58 2001
@@ -435,6 +435,13 @@
if [ -f ${ipsec_file} ]; then
echo ' ipsec: enabled'
setkey -f ${ipsec_file}
+
+ case ${ike_enable} in
+ [Yy][Ee][Ss])
+ echo ' ike: running'
+ ${ike_program} ${ike_flags}
+ ;;
+ esac
else
echo ' ipsec: file not found'
fi
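Review bot: `${ike_program} ${ike_flags}` is executed without checking that the program exists and is executable, and ' ike: running' is printed before the daemon is even started, so a missing binary produces a misleading status line followed by a shell error. The default in the rc.conf hunk is /usr/local/sbin/racoon, a ports-installed path, so this is the common case on a system where ike_enable was set but racoon is not (yet) installed. Suggest mirroring the `ipsec: file not found` branch just below: `if [ -x "${ike_program}" ]; then echo ' ike: running'; ${ike_program} ${ike_flags}; else echo ' ike: program not found'; fi`. A second, related gap: the case statement sits inside `if [ -f ${ipsec_file} ]`, so with ike_enable=YES and no ipsec_file the daemon is silently skipped with no message at all; either move the ike case out of the file check or report that IKE was not started.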
--- /usr/src/etc/defaults/rc.conf Tue Mar 13 23:58:38 2001
+++ /etc/defaults/rc.conf Thu Mar 15 09:56:14 2001
@@ -52,6 +52,9 @@
ip_portrange_last="NO" # Set last dynamically allocated port
ipsec_enable="NO" # Set to YES to run setkey on ipsec_file
ipsec_file="/etc/ipsec.conf" # Name of config file for setkey
+ike_enable="NO" # Set to YES to run an IKE daemon
+ike_program="/usr/local/sbin/racoon" # Which IKE daemon to run
+ike_flags="" # Additional flags to pass to IKE daemon
natd_program="/sbin/natd" # path to natd, if you want a different one.
natd_enable="NO" # Enable natd (if firewall_enable == YES).
natd_interface="fxp0" # Public interface or IPaddress to use.
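Review bot: the comment on ike_program should say that /usr/local/sbin/racoon is not part of the base system but comes from the security/racoon port, since every other path in this block (natd, setkey) is a base-system binary and an administrator reading the defaults file will assume the same here. The ike_enable comment should also state that it only takes effect when ipsec_enable is YES and ipsec_file exists, because that is where the rc.network hunk places the check. Suggested wording: `ike_enable="NO" # Set to YES to run an IKE daemon after setkey (needs ipsec_enable=YES)` and `ike_program="/usr/local/sbin/racoon" # IKE daemon to run (racoon is from ports, not the base system)`.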
>Release-Note:
>Audit-Trail:
>Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010315162253.4268.qmail>
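The hook the patch above adds to rc.network, rewritten here as a standalone POSIX sh function so the start logic can be exercised outside the boot sequence. This is an added example, not the PR's patch or FreeBSD's rc code: the function names yesno and start_ike are the example's own, the exit codes are the example's convention, and the demo at the bottom stands in a non-existent path for the daemon. It keeps rc.network's case-insensitive YES match and adds the two checks a reviewer would ask for: the daemon path must be executable before it is run, and the status line is only printed once the daemon is actually being started.

```sh
#!/bin/sh
# Added example (not from the PR): the IKE start hook as a function with
# an executable check and an honest status line.

# yesno VALUE
# Returns 0 when VALUE is "yes" in any case, 1 otherwise. This is the same
# pattern rc.network uses for its *_enable knobs.
yesno() {
    case "$1" in
    [Yy][Ee][Ss]) return 0 ;;
    *) return 1 ;;
    esac
}

# start_ike ENABLE PROGRAM [FLAGS...]
# Return codes (this example's convention, not rc.network's):
#   0  IKE is disabled, or the daemon was launched and exited 0
#   2  IKE is enabled but PROGRAM is missing or not executable
#   otherwise the daemon's own exit status is passed through
start_ike() {
    _enable=$1
    _prog=$2
    shift 2
    if ! yesno "$_enable"; then
        # Disabled: say nothing, succeed, exactly like the unmodified rc.network.
        return 0
    fi
    if [ ! -x "$_prog" ]; then
        # The patch's hunk would print ' ike: running' and then fail here.
        echo " ike: ${_prog} not found or not executable"
        return 2
    fi
    echo ' ike: starting'
    "$_prog" "$@"
}

# Stand-alone demo, using rc.conf-style variables with the patch's defaults.
# The daemon path is assumed not to exist on the machine running this, so
# the hook reports the problem instead of printing a bogus "running" line.
ike_enable=${ike_enable:-YES}
ike_program=${ike_program:-/usr/local/sbin/racoon}
ike_flags=${ike_flags:-}
start_ike "$ike_enable" "$ike_program" $ike_flags || echo " ike: hook returned $?"
```

The flags are passed unquoted on purpose, matching `${ike_program} ${ike_flags}` in the patch, so that a multi-word ike_flags setting is split into separate arguments.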
