Date: Sat, 7 Sep 2002 08:01:44 +0200 (CEST)
From: Volker Stolz <vs@foldr.org>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: conf/42497: rc.network lacks IKE daemon startup
Message-ID: <200209070601.g8761ib6001240@monster.ikea.net>
>Number: 42497
>Category: conf
>Synopsis: rc.network lacks IKE daemon startup
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Fri Sep 06 23:10:00 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator: Volker Stolz
>Release: FreeBSD 4.6-STABLE i386
>Organization: Lehrstuhl für Informatik II
>Environment:
System: FreeBSD monster.ikea.net 4.6-STABLE FreeBSD 4.6-STABLE #19: Sun Aug 11 16:08:23 CEST 2002 root@monster.ikea.net:/usr/obj/usr/src/sys/MONSTER i386
>Description:
IPSEC is becoming more and more common. Even local LANs tend to use it, because some hosts might connect over WLAN. Although the current rc.network supports static IPSEC configuration through /etc/ipsec.conf, IKE is not supported. security/racoon and security/isakmpd offer this functionality, but they are not in the base system.

However, if even local traffic is to be protected by IPSEC, IPSEC has to be fully configured by the time NFS mounts occur. The current rc scheme does not support this. The following patch adds three new variables to rc.conf and starts an IKE daemon immediately after IPSEC setup and before NFS mounts. Other services affected include, for example, ntpdate.
>How-To-Repeat:
Set the IPSEC policy to 'require' for the local LAN, enable NFS mounts in /etc/fstab, and boot: the NFS mounts will freeze the system, as it is not yet possible to establish a connection. The IKE daemon startup in /usr/local/etc/rc.d comes too late in the boot sequence.
>Fix:
--- /etc/rc.network.orig Sat Sep 7 07:49:52 2002 +++ /etc/rc.network Sat Sep 7 07:48:34 2002 
@@ -498,6 +498,15 @@ ;; esac + case ${ike_enable} in + [Yy][Ee][Ss]) + if [ -x ${ike_program} ]; then + echo ' ike daemon: ' ${ike_program} ${ike_flags} + ${ike_program} ${ike_flags} + fi + ;; + esac + echo -n 'Routing daemons:' case ${router_enable} in [Yy][Ee][Ss]) --- /etc/defaults/rc.conf.orig Sat Sep 7 07:23:06 2002 +++ /etc/defaults/rc.conf Sat Sep 7 07:26:01 2002 @@ -54,6 +54,9 @@ ip_portrange_last="NO" # Set last dynamically allocated port ipsec_enable="NO" # Set to YES to run setkey on ipsec_file ipsec_file="/etc/ipsec.conf" # Name of config file for setkey +ike_enable="NO" # Enable IKE daemon (usually racoon or isakmpd) +ike_program="/usr/local/sbin/racoon" # Path to IKE daemon +ike_flags="" # Additional flags for IKE daemon natd_program="/sbin/natd" # path to natd, if you want a different one. natd_enable="NO" # Enable natd (if firewall_enable == YES). natd_interface="" # Public interface or IPaddress to use. >Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
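Review bot: in the rc.network hunk, when `ike_enable` is YES but `${ike_program}` is absent or not executable, `if [ -x ${ike_program} ]` silently skips the daemon and boot proceeds straight into the NFS mounts that the description says will hang; add an `else` branch that reports the problem on the console, e.g. `echo "ike daemon: ${ike_program} not found or not executable"`, so a missing ports install is visible instead of manifesting as a frozen mount. Two smaller points: `${ike_program}` is unquoted in both the test and the invocation (quote it; `${ike_flags}` can stay unquoted so it word-splits into separate arguments), and the block keys only on `ike_enable`, so the daemon is started even when `ipsec_enable` is NO and no policy has been loaded by setkey; either test both variables or document that `ike_enable` presumes `ipsec_enable`. Note also that this ordering only guarantees the daemon is listening before the first NFS packet; the SA negotiation itself still happens at mount time, so the mount may still wait on the exchange.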
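Review bot: in the defaults/rc.conf hunk, `ike_program` defaults to `/usr/local/sbin/racoon`, a ports path, inside the base-system defaults file, and the `ike_enable` comment does not say where the daemon comes from; since the description itself states that security/racoon and security/isakmpd are not in the base system, the comment should say the daemon must be installed from one of those ports, and what `ike_enable="YES"` does when the path is missing. The comment style of the neighbouring line, `natd_enable="NO" # Enable natd (if firewall_enable == YES).`, also suggests stating the dependency explicitly, e.g. `# Enable IKE daemon (if ipsec_enable == YES); racoon or isakmpd from ports`.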