Date:      Sat, 7 Sep 2002 08:01:44 +0200 (CEST)
From:      Volker Stolz <vs@foldr.org>
To:        FreeBSD-gnats-submit@FreeBSD.org
Subject:   conf/42497: rc.network lacks IKE daemon startup
Message-ID:  <200209070601.g8761ib6001240@monster.ikea.net>


>Number:         42497
>Category:       conf
>Synopsis:       rc.network lacks IKE daemon startup
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Sep 06 23:10:00 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator:     Volker Stolz
>Release:        FreeBSD 4.6-STABLE i386
>Organization:
Lehrstuhl für Informatik II
>Environment:
System: FreeBSD monster.ikea.net 4.6-STABLE FreeBSD 4.6-STABLE #19: Sun Aug 11 16:08:23 CEST 2002 root@monster.ikea.net:/usr/obj/usr/src/sys/MONSTER i386
>Description:
IPSEC gets more and more common. Even local LANs tend to use it
because some hosts might want to connect by WLAN. Although the
current rc.network supports static IPSEC configuration through
/etc/ipsec.conf, IKE is not supported. security/racoon and
security/isakmpd offer this functionality, but are not in the
base system.

However, if even local traffic is to be protected by IPSEC,
this especially means that IPSEC has to be fully configured
by the time NFS mounts occur. The current rc-scheme does
not support this. The following patch adds three new variables
to rc.conf and starts an IKE daemon immediately after IPSEC
setup and before NFS mounts.

Other services affected include e.g. ntpdate.
>How-To-Repeat:
Set IPSEC policy to 'require' for the local LAN, enable NFS
mounts in /etc/fstab, boot: The NFS mounts will freeze the
system as it is not yet possible to establish a connection.
The IKE daemon startup in /usr/local/etc/rc.d comes too late
in the boot sequence. 
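The ordering problem described above has two halves: the daemon has to be started early enough, and the mounts must not proceed until the IKE negotiation it performs has actually produced an SA. The following POSIX sh snippet is an added example, not code from the PR or from rc.network: `start_ike` mirrors the intent of the proposed rc.conf variables with the variables quoted, and `wait_for_sa` polls for an SA with a given peer before the boot sequence goes on to NFS. The probe command defaults to `setkey -D` (an assumption about how the SAD is read on this system) but is a parameter so the logic can be exercised without a live IPsec stack; the peer address and demo values are constructed.

```shell
#!/bin/sh
# Added example (not part of the PR). Two building blocks for bringing IKE up
# before NFS mounts: a guarded daemon start and a wait-for-SA loop.

# start_ike: start the daemon named in $ike_program when $ike_enable is YES.
# The variables are quoted so an empty $ike_program cannot collapse the test
# to `[ -x ]`, which is true for any single non-empty word.
start_ike() {
    case ${ike_enable} in
    [Yy][Ee][Ss]) ;;
    *) return 0 ;;                # disabled: nothing to do, not an error
    esac
    if [ -z "${ike_program}" ] || [ ! -x "${ike_program}" ]; then
        echo "start_ike: ike_program '${ike_program}' is not executable" >&2
        return 1
    fi
    echo " ike daemon: ${ike_program} ${ike_flags}"
    # ike_flags is deliberately unquoted: like other *_flags in rc.conf it is
    # a list of words that must split into separate arguments.
    "${ike_program}" ${ike_flags}
}

# wait_for_sa PEER TIMEOUT_SECS [PROBE_CMD]
#   PROBE_CMD prints the current SAD (default: `setkey -D`, assumed here);
#   we look for PEER anywhere in that output. Returns 0 as soon as an SA
#   involving PEER is seen, 1 when TIMEOUT_SECS pass without one.
wait_for_sa() {
    peer=$1
    timeout=${2:-30}
    probe=${3:-"setkey -D"}
    elapsed=0
    while [ "$elapsed" -lt "$timeout" ]; do
        # $probe is unquoted on purpose so "setkey -D" splits into a command
        # and its flag.
        if $probe 2>/dev/null | grep -q -- "$peer"; then
            return 0
        fi
        sleep 1
        elapsed=$((elapsed + 1))
    done
    echo "wait_for_sa: no SA with $peer after ${timeout}s" >&2
    return 1
}

# Demonstration with constructed values and a fake probe, so it runs without
# racoon, isakmpd or a kernel IPsec stack. In rc.network the call would be
# start_ike && wait_for_sa "$nfs_server_ip" 30 before the NFS mounts.
ike_enable=YES
ike_program=/bin/sh
ike_flags="-c true"
start_ike && wait_for_sa 10.0.0.5 3 "echo 10.0.0.5" && echo "ready for NFS mounts"
```

The wait loop is where the real protection against a hung mount comes from: starting the daemon earlier only gives the negotiation a chance to finish in time, and the timeout turns an indefinite freeze into a logged failure the administrator can act on.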
>Fix:
--- /etc/rc.network.orig	Sat Sep  7 07:49:52 2002
+++ /etc/rc.network	Sat Sep  7 07:48:34 2002
@@ -498,6 +498,15 @@
 		;;
 	esac
 
+	case ${ike_enable} in
+	[Yy][Ee][Ss])
+		if [ -x ${ike_program} ]; then
+		    echo ' ike daemon: ' ${ike_program} ${ike_flags}
+		    ${ike_program} ${ike_flags}
+		fi
+		;;
+	esac
+
 	echo -n 'Routing daemons:'
 	case ${router_enable} in
 	[Yy][Ee][Ss])
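Review bot: the test on the `+		if [ -x ${ike_program} ]; then` line leaves `${ike_program}` unquoted, so with `ike_enable=YES` and an empty `ike_program` it collapses to `[ -x ]`, which is true, and the block then tries to run `${ike_flags}` as a command; write it as `if [ -x "${ike_program}" ]; then` and quote the program on the `${ike_program} ${ike_flags}` line as well (leaving `${ike_flags}` unquoted so it still splits into arguments). It is also worth a comment that this only starts the daemon: the SAs the later NFS mounts need are negotiated after this point, so a mount issued before the first exchange completes can still block, which is the symptom the PR sets out to fix.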
--- /etc/defaults/rc.conf.orig	Sat Sep  7 07:23:06 2002
+++ /etc/defaults/rc.conf	Sat Sep  7 07:26:01 2002
@@ -54,6 +54,9 @@
 ip_portrange_last="NO"		# Set last dynamically allocated port
 ipsec_enable="NO"		# Set to YES to run setkey on ipsec_file
 ipsec_file="/etc/ipsec.conf"	# Name of config file for setkey
+ike_enable="NO"			# Enable IKE daemon (usually racoon or isakmpd)
+ike_program="/usr/local/sbin/racoon" # Path to IKE daemon
+ike_flags=""			# Additional flags for IKE daemon
 natd_program="/sbin/natd"	# path to natd, if you want a different one.
 natd_enable="NO"		# Enable natd (if firewall_enable == YES).
 natd_interface=""		# Public interface or IPaddress to use.
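Review bot: the `ike_program` default `/usr/local/sbin/racoon` points into the ports tree, and the description itself notes that neither racoon nor isakmpd is in the base system; the comment on the `ike_enable` line should say so and tell isakmpd users to override `ike_program`, and rc.conf(5) needs matching entries for the three new variables, since this defaults file is the only documentation the patch adds. The comment could also state whether `ike_enable` is meant to require `ipsec_enable=YES`, as nothing in the rc.network hunk ties the two together.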
>Release-Note:
>Audit-Trail:
>Unformatted:

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200209070601.g8761ib6001240>