From owner-freebsd-bugs Fri Sep 6 23:10:14 2002
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 44C7237B400 for ; Fri, 6 Sep 2002 23:10:07 -0700 (PDT)
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6DFC043E65 for ; Fri, 6 Sep 2002 23:10:06 -0700 (PDT) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.4/8.12.4) with ESMTP id g876A6JU020439 for ; Fri, 6 Sep 2002 23:10:06 -0700 (PDT) (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.12.4/8.12.4/Submit) id g876A6WP020438; Fri, 6 Sep 2002 23:10:06 -0700 (PDT)
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id AA0B037B400 for ; Fri, 6 Sep 2002 23:01:54 -0700 (PDT)
Received: from lambda.foldr.org (lambda.foldr.org [198.78.66.36]) by mx1.FreeBSD.org (Postfix) with ESMTP id C4D7743E42 for ; Fri, 6 Sep 2002 23:01:53 -0700 (PDT) (envelope-from vs@foldr.org)
Received: from theater.dyndns.org (pD9509C8B.dip.t-dialin.net [217.80.156.139]) by lambda.foldr.org (8.12.3/8.11.6) with ESMTP id g8761QgQ007697 (using TLSv1/SSLv3 with cipher EDH-RSA-DES-CBC3-SHA (168 bits) verified OK) for ; Sat, 7 Sep 2002 08:01:29 +0200 (CEST) (envelope-from vs@foldr.org)
Received: from monster.ikea.net (monster.ikea.net [IPv6:3ffe:b80:2de:3:2e0:29ff:fe98:abca]) by theater.dyndns.org (8.12.5/8.12.5) with ESMTP id g8762rV1045608 (version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=OK) for ; Sat, 7 Sep 2002 08:02:54 +0200 (CEST) (envelope-from vs@monster.ikea.net)
Received: (from vs@localhost) by monster.ikea.net (8.12.5/8.12.5/Submit) id g8761ib6001240; Sat, 7 Sep 2002 08:01:44 +0200 (CEST) (envelope-from vs)
Message-Id: <200209070601.g8761ib6001240@monster.ikea.net>
Date: Sat, 7 Sep 2002 08:01:44 +0200 (CEST)
From: Volker Stolz
Reply-To: Volker Stolz
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Subject: conf/42497: rc.network lacks IKE daemon startup
Sender: owner-freebsd-bugs@FreeBSD.ORG

>Number:         42497
>Category:       conf
>Synopsis:       rc.network lacks IKE daemon startup
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Sep 06 23:10:00 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator:     Volker Stolz
>Release:        FreeBSD 4.6-STABLE i386
>Organization:
Lehrstuhl für Informatik II
>Environment:
System: FreeBSD monster.ikea.net 4.6-STABLE FreeBSD 4.6-STABLE #19: Sun Aug 11 16:08:23 CEST 2002 root@monster.ikea.net:/usr/obj/usr/src/sys/MONSTER i386
>Description:
IPSEC gets more and more common. Even local LANs tend to use it because some hosts might want to connect by WLAN. Although the current rc.network supports static IPSEC configuration through /etc/ipsec.conf, IKE is not supported. security/racoon and security/isakmpd offer this functionality, but are not in the base system.

However, if even local traffic is to be protected by IPSEC, this especially means that IPSEC has to be fully configured by the time NFS mounts occur. The current rc scheme does not support this.

The following patch adds three new variables to rc.conf and starts an IKE daemon immediately after IPSEC setup and before NFS mounts. Other services affected include e.g. ntpdate.
>How-To-Repeat:
Set IPSEC policy to 'require' for the local LAN, enable NFS mounts in /etc/fstab, boot: the NFS mounts will freeze the system as it is not yet possible to establish a connection. The IKE daemon startup in /usr/local/etc/rc.d comes too late in the boot sequence.
>Fix:
--- /etc/rc.network.orig Sat Sep 7 07:49:52 2002 +++ /etc/rc.network Sat Sep 7 07:48:34 2002 @@ -498,6 +498,15 @@ ;; esac + case ${ike_enable} in + [Yy][Ee][Ss]) + if [ -x ${ike_program} ]; then + echo ' ike daemon: ' ${ike_program} ${ike_flags} + ${ike_program} ${ike_flags} + fi + ;; + esac + echo -n 'Routing daemons:' case ${router_enable} in [Yy][Ee][Ss]) --- /etc/defaults/rc.conf.orig Sat Sep 7 07:23:06 2002 +++ /etc/defaults/rc.conf Sat Sep 7 07:26:01 2002 @@ -54,6 +54,9 @@ ip_portrange_last="NO" # Set last dynamically allocated port ipsec_enable="NO" # Set to YES to run setkey on ipsec_file ipsec_file="/etc/ipsec.conf" # Name of config file for setkey +ike_enable="NO" # Enable IKE daemon (usually racoon or isakmpd) +ike_program="/usr/local/sbin/racoon" # Path to IKE daemon +ike_flags="" # Additional flags for IKE daemon natd_program="/sbin/natd" # path to natd, if you want a different one. natd_enable="NO" # Enable natd (if firewall_enable == YES). natd_interface="" # Public interface or IPaddress to use.
>Release-Note:
>Audit-Trail:
>Unformatted:
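Review bot: the executable check in the rc.network hunk leaves the variable unquoted: `if [ -x ${ike_program} ]; then` collapses to `[ -x ]` when ike_program is empty, which test(1) treats as a true single-argument test, so the script would go on to run an empty command followed by ${ike_flags}. Quote it as `if [ -x "${ike_program}" ]; then`, and consider whether the block should also depend on ipsec_enable, since the description ties IKE startup to the policy loaded from ipsec_file; when ike_enable is YES but the binary is missing, a message on the console would make the silent skip visible rather than leaving the operator to discover it through the NFS hang the report describes.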
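Review bot: the rc.conf hunk adds ike_enable, ike_program and ike_flags to /etc/defaults/rc.conf but nothing documents them in rc.conf(5); the new knobs should get matching entries there. The default `ike_program="/usr/local/sbin/racoon"` points at a ports-installed binary that, as the description says, is not in the base system, so the comment should say the port has to be installed for the default to work, and the racoon/isakmpd choice in the `ike_enable` comment belongs next to ike_program, which is the knob that actually selects the daemon.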
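As an added example, not code from the PR or from FreeBSD's rc scripts, the following POSIX sh models the three ike_* knobs the report proposes and shows the check a defender wants before an rc script executes an operator-configurable program path. The `[Yy][Ee][Ss]` match is the one rc.network uses; the function names start_ike, is_yes and unquoted_test_on_empty are assumptions of this example. Instead of executing the daemon it prints the command it would run, so the ordering and validation logic can be exercised offline.

```shell
# Added example (not part of the PR or of FreeBSD's rc.network).
# Models the proposed ike_enable / ike_program / ike_flags knobs and
# shows why the program path must be quoted and validated before rc
# hands control to whatever path rc.conf names.

# Case-insensitive YES check, the same pattern rc.network applies to
# its *_enable knobs.
is_yes() {
    case "$1" in
    [Yy][Ee][Ss]) return 0 ;;
    *) return 1 ;;
    esac
}

# start_ike ENABLE PROGRAM FLAGS
# Prints the command line it would run instead of executing it, so the
# function can be tested without a real IKE daemon installed.
# Returns 0 when a daemon would be started, 1 otherwise.
start_ike() {
    ike_enable=$1
    ike_program=$2
    ike_flags=$3

    is_yes "$ike_enable" || return 1

    # Quoting matters here: with an empty ${ike_program} the unquoted
    # form `[ -x ${ike_program} ]` becomes `[ -x ]`, which test(1)
    # evaluates as TRUE, and the caller would then run an empty command.
    # Requiring a non-empty, executable path closes that gap, and the
    # explicit message makes a misconfigured knob visible at boot
    # instead of surfacing later as a hung NFS mount.
    if [ -n "$ike_program" ] && [ -x "$ike_program" ]; then
        echo " ike daemon: $ike_program $ike_flags"
        return 0
    fi
    echo " ike daemon: '$ike_program' is not executable, not started" >&2
    return 1
}

# Demonstrates the pitfall the quoted test above avoids: returns the
# string "true" because `[ -x ]` with one argument is a non-empty-string
# test, not an executable test.
unquoted_test_on_empty() {
    empty=""
    # shellcheck disable=SC2086
    if [ -x $empty ]; then echo true; else echo false; fi
}

# Stand-alone usage: /bin/sh stands in for the daemon path.
start_ike YES /bin/sh -d
start_ike YES "" -d || true
unquoted_test_on_empty
```

Running the block prints the would-be command for the first call, a "not executable" message for the empty path, and `true` for the unquoted test, which is the behaviour the quoted check in start_ike is there to prevent.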