Date: 15 Mar 2001 16:22:53 -0000
From: mlea-freebsd-gnats@atomicbluebear.org
To: FreeBSD-gnats-submit@freebsd.org
Subject: conf/25829: IPSec config in rc.network doesn't allow for IKE key management
Message-ID: <20010315162253.4268.qmail@helium.atomicbluebear.org>
>Number: 25829 >Category: conf >Synopsis: IPSec config in rc.network doesn't allow for IKE key >Confidential: no >Severity: non-critical >Priority: low >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: change-request >Submitter-Id: current-users >Arrival-Date: Thu Mar 15 08:30:01 PST 2001 >Closed-Date: >Last-Modified: >Originator: Michael Lea >Release: FreeBSD 4.3-BETA i386 >Organization: Individual User >Environment: System: FreeBSD helium.atomicbluebear.org 4.3-BETA FreeBSD 4.3-BETA #1: Wed Mar 14 10:09:53 CST 2001 mlea@helium.atomicbluebear.org:/usr/obj/usr/src/sys/GLUON i386 >Description: IPSec keys and security associations must be established before network services (like NFS) start. If an IKE daemon (like racoon) is being used to handle security associations and key exchange, it must be started in rc.network before other network services. >How-To-Repeat: >Fix: This patch modifies /etc/defaults/rc.conf and /etc/rc.network to optionally start an IKE daemon (by default, racoon) immediately after setkey has been run to set the IPSec policies. --- /usr/src/etc/rc.network Tue Mar 13 23:58:40 2001 +++ /etc/rc.network Thu Mar 15 09:57:58 2001 @@ -435,6 +435,13 @@ if [ -f ${ipsec_file} ]; then echo ' ipsec: enabled' setkey -f ${ipsec_file} + + case ${ike_enable} in + [Yy][Ee][Ss]) + echo ' ike: running' + ${ike_program} ${ike_flags} + ;; + esac else echo ' ipsec: file not found' fi --- /usr/src/etc/defaults/rc.conf Tue Mar 13 23:58:38 2001 +++ /etc/defaults/rc.conf Thu Mar 15 09:56:14 2001 
@@ -52,6 +52,9 @@ ip_portrange_last="NO" # Set last dynamically allocated port ipsec_enable="NO" # Set to YES to run setkey on ipsec_file ipsec_file="/etc/ipsec.conf" # Name of config file for setkey +ike_enable="NO" # Set to YES to run an IKE daemon +ike_program="/usr/local/sbin/racoon" # Which IKE daemon to run +ike_flags="" # Additional flags to pass to IKE daemon natd_program="/sbin/natd" # path to natd, if you want a different one. natd_enable="NO" # Enable natd (if firewall_enable == YES). natd_interface="fxp0" # Public interface or IPaddress to use. >Release-Note: >Audit-Trail: >Unformatted: management To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
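Review bot: In the rc.network hunk, the `case ${ike_enable}` block sits inside the `if [ -f ${ipsec_file} ]` branch, so when the policy file is missing the script prints ' ipsec: file not found' and silently never starts the IKE daemon, even with ike_enable=YES; either move the case outside the file test or add a message in the else branch so an operator can see why racoon did not come up. The daemon is also invoked synchronously with no `[ -x ${ike_program} ]` check, so a missing or non-executable ike_program only surfaces as a shell error during boot; a guard like `if [ -x ${ike_program} ]; then ${ike_program} ${ike_flags}; fi` would match how the script treats other optional programs. Note too that starting the daemon here only satisfies the ordering requirement from the description; the security associations themselves are still negotiated asynchronously after racoon starts, so services launched immediately afterwards may briefly have policy but no SA.

Review bot: In the defaults/rc.conf hunk, `ike_program="/usr/local/sbin/racoon"` makes the base-system defaults file point at a ports-installed binary, which is unusual for /etc/defaults/rc.conf; document that expectation in the comment (e.g. "# Path to IKE daemon (racoon from ports)"). The comment on `ike_enable` should also state that it only takes effect when ipsec_enable="YES" and ipsec_file exists, since that is how the rc.network hunk gates it.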