--- ipsec-tools-0.6.6.orig/src/racoon/gssapi.c +++ ipsec-tools-0.6.6/src/racoon/gssapi.c @@ -152,6 +152,7 @@ gssapi_get_default_name(struct ph1handle *iph1, int remote, gss_name_t *service) { char name[NI_MAXHOST]; + char *buf = NULL; struct sockaddr *sa; gss_buffer_desc name_token; OM_uint32 min_stat, maj_stat; @@ -161,8 +162,8 @@ if (getnameinfo(sa, sysdep_sa_len(sa), name, NI_MAXHOST, NULL, 0, 0) != 0) return -1; - name_token.length = asprintf((char **)&name_token.value, - "%s@%s", GSSAPI_DEF_NAME, name); + name_token.length = asprintf(&buf, "%s@%s", GSSAPI_DEF_NAME, name); + name_token.value = buf; maj_stat = gss_import_name(&min_stat, &name_token, GSS_C_NT_HOSTBASED_SERVICE, service); if (GSS_ERROR(maj_stat)) { @@ -288,7 +289,7 @@ if (iph1->approval != NULL && iph1->approval->gssid != NULL) { plog(LLV_DEBUG, LOCATION, NULL, "using provided service '%.*s'\n", - iph1->approval->gssid->l, iph1->approval->gssid->v); + (int) iph1->approval->gssid->l, iph1->approval->gssid->v); name_token.length = iph1->approval->gssid->l; name_token.value = iph1->approval->gssid->v; maj_stat = gss_import_name(&min_stat, &name_token, @@ -466,7 +467,7 @@ *tokens = toks; plog(LLV_DEBUG, LOCATION, NULL, - "%d itokens of length %d\n", gps->gsscnt, (*tokens)->l); + "%d itokens of length %zu\n", gps->gsscnt, (*tokens)->l); return 0; } @@ -547,7 +548,7 @@ return NULL; } - plog(LLV_DEBUG, LOCATION, NULL, "wrapped HASH, ilen %d olen %d\n", + plog(LLV_DEBUG, LOCATION, NULL, "wrapped HASH, ilen %zu olen %zu\n", hash_in->length, hash_out->length); maj_stat = gss_release_buffer(&min_stat, hash_in); 
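Review bot: In the second hunk (`@@ -161`) the return value of asprintf() is still unchecked: on failure it returns -1 and the glibc man page documents the contents of `buf` as undefined, so `name_token.length` becomes (size_t)-1 and `name_token.value` points at whatever `buf` holds before gss_import_name() reads it. Capture the result in an int and leave on the error path the function already uses for getnameinfo(): `int len = asprintf(&buf, "%s@%s", GSSAPI_DEF_NAME, name);` / `if (len < 0) return -1;` / `name_token.length = len; name_token.value = buf;`. Replacing the `(char **)&name_token.value` pun with a real `char *` is the right fix for the type mismatch; whether `buf` is released after gss_import_name() lies outside this hunk, so I could not confirm it. gssapi_get_default_name() continues past the end of the hunk.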
@@ -589,7 +590,7 @@ hashbuf.length = ntohs(iph1->pl_hash->h.len) - sizeof(*iph1->pl_hash); hashbuf.value = (char *)(iph1->pl_hash + 1); - plog(LLV_DEBUG, LOCATION, NULL, "unwrapping HASH of len %d\n", + plog(LLV_DEBUG, LOCATION, NULL, "unwrapping HASH of len %zu\n", hashbuf.length); maj_stat = gss_unwrap(&min_stat, gps->gss_context, hash_in, hash_out, --- ipsec-tools-0.6.6.orig/src/racoon/ipsec_doi.c +++ ipsec-tools-0.6.6/src/racoon/ipsec_doi.c @@ -285,7 +285,7 @@ #ifdef HAVE_GSSAPI if (sa->gssid != NULL) plog(LLV_DEBUG, LOCATION, NULL, "gss id in new sa '%.*s'\n", - sa->gssid->l, sa->gssid->v); + (int) sa->gssid->l, sa->gssid->v); if (iph1-> side == INITIATOR) { if (iph1->rmconf->proposal->gssid != NULL) iph1->gi_i = vdup(iph1->rmconf->proposal->gssid); @@ -303,10 +303,10 @@ } if (iph1->gi_i != NULL) plog(LLV_DEBUG, LOCATION, NULL, "GIi is %.*s\n", - iph1->gi_i->l, iph1->gi_i->v); + (int) iph1->gi_i->l, iph1->gi_i->v); if (iph1->gi_r != NULL) plog(LLV_DEBUG, LOCATION, NULL, "GIr is %.*s\n", - iph1->gi_r->l, iph1->gi_r->v); + (int) iph1->gi_r->l, iph1->gi_r->v); #else iph1->approval = sa; #endif @@ -756,8 +756,8 @@ sa->gssid = vmalloc(len); memcpy(sa->gssid->v, d + 1, len); plog(LLV_DEBUG, LOCATION, NULL, - "received old-style gss id '%.*s' (len %d)\n", - sa->gssid->l, sa->gssid->v, sa->gssid->l); + "received old-style gss id '%.*s' (len %zu)\n", + (int) sa->gssid->l, sa->gssid->v, sa->gssid->l); break; } @@ -811,8 +811,8 @@ sa->gssid->l = (len / 2) - dstleft; plog(LLV_DEBUG, LOCATION, NULL, - "received gss id '%.*s' (len %d)\n", - sa->gssid->l, sa->gssid->v, sa->gssid->l); + "received gss id '%.*s' (len %zu)\n", + (int) sa->gssid->l, sa->gssid->v, sa->gssid->l); break; } #endif /* HAVE_GSSAPI */ 
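Review bot: In the `@@ -756` hunk of ipsec_doi.c the result of `vmalloc(len)` feeds the memcpy() and the new plog() without a NULL check, so an allocation failure while parsing a peer-supplied attribute dereferences a null pointer. Check `sa->gssid` immediately after the vmalloc and leave through the enclosing function's existing error path before the copy; that function's body and its error convention start outside the hunk, so I have not quoted a specific label. The `@@ -811` hunk presumably has the same shape, but its allocation is above the visible lines.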
@@ -2804,8 +2804,8 @@ else attrlen += sa->gssid->l * 2; if (buf) { - plog(LLV_DEBUG, LOCATION, NULL, "gss id attr: len %d, " - "val '%.*s'\n", sa->gssid->l, sa->gssid->l, + plog(LLV_DEBUG, LOCATION, NULL, "gss id attr: len %zu, " + "val '%.*s'\n", sa->gssid->l, (int) sa->gssid->l, sa->gssid->v); if (lcconf->gss_id_enc == LC_GSSENC_LATIN1) { p = isakmp_set_attr_v(p, OAKLEY_ATTR_GSS_ID, --- ipsec-tools-0.6.6.orig/src/racoon/oakley.c +++ ipsec-tools-0.6.6/src/racoon/oakley.c @@ -252,7 +252,7 @@ #ifdef ENABLE_STATS gettimeofday(&end, NULL); - syslog(LOG_NOTICE, "%s(%s%d): %8.6f", __func__, + syslog(LOG_NOTICE, "%s(%s%zd): %8.6f", __func__, s_attr_isakmp_group(dh->type), dh->prime->l << 3, timedelta(&start, &end)); #endif @@ -299,7 +299,7 @@ #ifdef ENABLE_STATS gettimeofday(&end, NULL); - syslog(LOG_NOTICE, "%s(%s%d): %8.6f", __func__, + syslog(LOG_NOTICE, "%s(%s%zd): %8.6f", __func__, s_attr_isakmp_group(dh->type), dh->prime->l << 3, timedelta(&start, &end)); #endif --- ipsec-tools-0.6.6.orig/src/racoon/grabmyaddr.c +++ ipsec-tools-0.6.6/src/racoon/grabmyaddr.c @@ -77,12 +77,17 @@ #ifdef __linux__ #include #include +#include #ifndef HAVE_GETIFADDRS #define HAVE_GETIFADDRS #define NEED_LINUX_GETIFADDRS #endif #endif +#ifndef IFA_RTA +#define IFA_RTA(r) ((struct rtattr*)(((char*)(r)) + NLMSG_ALIGN(sizeof(struct ifaddrmsg)))) +#endif + #ifndef HAVE_GETIFADDRS static unsigned int if_maxindex __P((void)); #endif --- ipsec-tools-0.6.6.orig/src/racoon/algorithm.c +++ ipsec-tools-0.6.6/src/racoon/algorithm.c @@ -394,7 +394,7 @@ #ifdef ENABLE_STATS gettimeofday(&end, NULL); - syslog(LOG_NOTICE, "%s(%s size=%d): %8.6f", __func__, + syslog(LOG_NOTICE, "%s(%s size=%zd): %8.6f", __func__, f->name, buf->l, timedelta(&start, &end)); #endif 
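Review bot: In the oakley.c hunks (`@@ -252` and `@@ -299`) the new `%zd` is paired with `dh->prime->l << 3`, an unsigned size_t value, whereas the rest of this commit (gssapi.c, ipsec_doi.c) switches the same `->l` field to `%zu`; `%zd` is the specifier for ssize_t and -Wformat-signedness flags the mismatch. Use `syslog(LOG_NOTICE, "%s(%s%zu): %8.6f", __func__,` here, and likewise `%zu` for `buf->l` and `key->l << 3` in the algorithm.c hunks (`@@ -394` below, `@@ -506` and `@@ -535` on the next line). The surrounding functions start and end outside these hunks.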
@@ -506,7 +506,7 @@ #ifdef ENABLE_STATS gettimeofday(&end, NULL); - syslog(LOG_NOTICE, "%s(%s klen=%d size=%d): %8.6f", __func__, + syslog(LOG_NOTICE, "%s(%s klen=%zd size=%zd): %8.6f", __func__, f->name, key->l << 3, buf->l, timedelta(&start, &end)); #endif return res; @@ -535,7 +535,7 @@ #ifdef ENABLE_STATS gettimeofday(&end, NULL); - syslog(LOG_NOTICE, "%s(%s klen=%d size=%d): %8.6f", __func__, + syslog(LOG_NOTICE, "%s(%s klen=%zd size=%zd): %8.6f", __func__, f->name, key->l << 3, buf->l, timedelta(&start, &end)); #endif return res; --- ipsec-tools-0.6.6.orig/src/racoon/racoon.conf.5 +++ ipsec-tools-0.6.6/src/racoon/racoon.conf.5 @@ -1096,7 +1096,7 @@ .Sh EXAMPLES The following shows how the remote directive should be configured. .Bd -literal -offset -path pre_shared_key "/usr/local/v6/etc/psk.txt" ; +path pre_shared_key "/etc/racoon/psk.txt" ; remote anonymous { exchange_mode aggressive,main,base; --- ipsec-tools-0.6.6.orig/src/racoon/racoon.8 +++ ipsec-tools-0.6.6/src/racoon/racoon.8 @@ -128,8 +128,8 @@ The command exits with 0 on success, and non-zero on errors. .\" .Sh FILES -.Bl -tag -width /etc/racoon.conf -compact -.It Pa /etc/racoon.conf +.Bl -tag -width /etc/racoon/racoon.conf -compact +.It Pa /etc/racoon/racoon.conf default configuration file. .El .\" --- ipsec-tools-0.6.6.orig/src/libipsec/policy_parse.y +++ ipsec-tools-0.6.6/src/libipsec/policy_parse.y @@ -546,7 +546,7 @@ __ipsec_errcode = EIPSEC_NO_BUFS; return -1; } - pbuf = n; + pbuf = (u_int8_t *) n; p = (struct sadb_x_ipsecrequest *)&pbuf[offset]; p->sadb_x_ipsecrequest_len = reqlen; --- ipsec-tools-0.6.6.orig/config.guess +++ ipsec-tools-0.6.6/config.guess @@ -3,7 +3,7 @@ # Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, # 2000, 2001, 2002, 2003, 2004, 2005 Free Software Foundation, Inc. -timestamp='2005-05-15' +timestamp='2006-02-23' # This file is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by 
@@ -106,7 +106,7 @@ trap "exitcode=\$?; (rm -f \$tmpfiles 2>/dev/null; rmdir \$tmp 2>/dev/null) && exit \$exitcode" 0 ; trap "rm -f \$tmpfiles 2>/dev/null; rmdir \$tmp 2>/dev/null; exit 1" 1 2 13 15 ; : ${TMPDIR=/tmp} ; - { tmp=`(umask 077 && mktemp -d -q "$TMPDIR/cgXXXXXX") 2>/dev/null` && test -n "$tmp" && test -d "$tmp" ; } || + { tmp=`(umask 077 && mktemp -d "$TMPDIR/cgXXXXXX") 2>/dev/null` && test -n "$tmp" && test -d "$tmp" ; } || { test -n "$RANDOM" && tmp=$TMPDIR/cg$$-$RANDOM && (umask 077 && mkdir $tmp) ; } || { tmp=$TMPDIR/cg-$$ && (umask 077 && mkdir $tmp) && echo "Warning: creating insecure temp directory" >&2 ; } || { echo "$me: cannot create a temporary directory in $TMPDIR" >&2 ; exit 1 ; } ; @@ -125,7 +125,7 @@ ;; ,,*) CC_FOR_BUILD=$CC ;; ,*,*) CC_FOR_BUILD=$HOST_CC ;; -esac ;' +esac ; set_cc_for_build= ;' # This is needed to find uname on a Pyramid OSx when run in the BSD universe. # (ghazi@noc.rutgers.edu 1994-08-24) 
@@ -199,48 +199,16 @@ # CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM is used. echo "${machine}-${os}${release}" exit ;; - amd64:OpenBSD:*:*) - echo x86_64-unknown-openbsd${UNAME_RELEASE} - exit ;; - amiga:OpenBSD:*:*) - echo m68k-unknown-openbsd${UNAME_RELEASE} - exit ;; - cats:OpenBSD:*:*) - echo arm-unknown-openbsd${UNAME_RELEASE} - exit ;; - hp300:OpenBSD:*:*) - echo m68k-unknown-openbsd${UNAME_RELEASE} - exit ;; - luna88k:OpenBSD:*:*) - echo m88k-unknown-openbsd${UNAME_RELEASE} - exit ;; - mac68k:OpenBSD:*:*) - echo m68k-unknown-openbsd${UNAME_RELEASE} - exit ;; - macppc:OpenBSD:*:*) - echo powerpc-unknown-openbsd${UNAME_RELEASE} - exit ;; - mvme68k:OpenBSD:*:*) - echo m68k-unknown-openbsd${UNAME_RELEASE} - exit ;; - mvme88k:OpenBSD:*:*) - echo m88k-unknown-openbsd${UNAME_RELEASE} - exit ;; - mvmeppc:OpenBSD:*:*) - echo powerpc-unknown-openbsd${UNAME_RELEASE} - exit ;; - sgi:OpenBSD:*:*) - echo mips64-unknown-openbsd${UNAME_RELEASE} - exit ;; - sun3:OpenBSD:*:*) - echo m68k-unknown-openbsd${UNAME_RELEASE} - exit ;; *:OpenBSD:*:*) - echo ${UNAME_MACHINE}-unknown-openbsd${UNAME_RELEASE} + UNAME_MACHINE_ARCH=`arch | sed 's/OpenBSD.//'` + echo ${UNAME_MACHINE_ARCH}-unknown-openbsd${UNAME_RELEASE} exit ;; *:ekkoBSD:*:*) echo ${UNAME_MACHINE}-unknown-ekkobsd${UNAME_RELEASE} exit ;; + *:SolidBSD:*:*) + echo ${UNAME_MACHINE}-unknown-solidbsd${UNAME_RELEASE} + exit ;; macppc:MirBSD:*:*) echo powerppc-unknown-mirbsd${UNAME_RELEASE} exit ;; @@ -658,8 +626,7 @@ esac if [ ${HP_ARCH} = "hppa2.0w" ] then - # avoid double evaluation of $set_cc_for_build - test -n "$CC_FOR_BUILD" || eval $set_cc_for_build + eval $set_cc_for_build # hppa2.0w-hp-hpux* has a 64-bit kernel and a compiler generating # 32-bit code. hppa64-hp-hpux* has the same kernel and a compiler 
@@ -800,19 +767,34 @@ echo ${UNAME_MACHINE}-unknown-bsdi${UNAME_RELEASE} exit ;; *:FreeBSD:*:*) - echo ${UNAME_MACHINE}-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` + case ${UNAME_MACHINE} in + pc98) + echo i386-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;; + *) + echo ${UNAME_MACHINE}-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;; + esac exit ;; i*:CYGWIN*:*) echo ${UNAME_MACHINE}-pc-cygwin exit ;; - i*:MINGW*:* | i*:windows32*:*) + i*:MINGW*:*) + echo ${UNAME_MACHINE}-pc-mingw32 + exit ;; + i*:MSYS_NT-*:*:*) echo ${UNAME_MACHINE}-pc-mingw32 exit ;; + i*:windows32*:*) + # uname -m includes "-pc" on this system. + echo ${UNAME_MACHINE}-mingw32 + exit ;; i*:PW*:*) echo ${UNAME_MACHINE}-pc-pw32 exit ;; - x86:Interix*:[34]*) - echo i586-pc-interix${UNAME_RELEASE}|sed -e 's/\..*//' + x86:Interix*:[345]*) + echo i586-pc-interix${UNAME_RELEASE} + exit ;; + EM64T:Interix*:[345]*) + echo x86_64-unknown-interix${UNAME_RELEASE} exit ;; [345]86:Windows_95:* | [345]86:Windows_98:* | [345]86:Windows_NT:*) echo i${UNAME_MACHINE}-pc-mks @@ -826,7 +808,7 @@ i*:UWIN*:*) echo ${UNAME_MACHINE}-pc-uwin exit ;; - amd64:CYGWIN*:*:*) + amd64:CYGWIN*:*:* | x86_64:CYGWIN*:*:*) echo x86_64-unknown-cygwin exit ;; p*:CYGWIN*:*) @@ -883,7 +865,11 @@ #endif #endif EOF - eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep ^CPU=` + eval "`$CC_FOR_BUILD -E $dummy.c 2>/dev/null | sed -n ' + /^CPU/{ + s: ::g + p + }'`" test x"${CPU}" != x && { echo "${CPU}-unknown-linux-gnu"; exit; } ;; mips64:Linux:*:*) @@ -902,9 +888,16 @@ #endif #endif EOF - eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep ^CPU=` + eval "`$CC_FOR_BUILD -E $dummy.c 2>/dev/null | sed -n ' + /^CPU/{ + s: ::g + p + }'`" test x"${CPU}" != x && { echo "${CPU}-unknown-linux-gnu"; exit; } ;; + or32:Linux:*:*) + echo or32-unknown-linux-gnu + exit ;; ppc:Linux:*:*) echo powerpc-unknown-linux-gnu exit ;; 
@@ -948,6 +941,9 @@ sparc:Linux:*:* | sparc64:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-gnu exit ;; + vax:Linux:*:*) + echo ${UNAME_MACHINE}-dec-linux-gnu + exit ;; x86_64:Linux:*:*) echo x86_64-unknown-linux-gnu exit ;; @@ -993,7 +989,7 @@ LIBC=gnulibc1 # endif #else - #ifdef __INTEL_COMPILER + #if defined(__INTEL_COMPILER) || defined(__PGI) || defined(__sun) LIBC=gnu #else LIBC=gnuaout @@ -1003,7 +999,11 @@ LIBC=dietlibc #endif EOF - eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep ^LIBC=` + eval "`$CC_FOR_BUILD -E $dummy.c 2>/dev/null | sed -n ' + /^LIBC/{ + s: ::g + p + }'`" test x"${LIBC}" != x && { echo "${UNAME_MACHINE}-pc-linux-${LIBC}" exit @@ -1214,7 +1214,6 @@ *:Darwin:*:*) UNAME_PROCESSOR=`uname -p` || UNAME_PROCESSOR=unknown case $UNAME_PROCESSOR in - *86) UNAME_PROCESSOR=i686 ;; unknown) UNAME_PROCESSOR=powerpc ;; esac echo ${UNAME_PROCESSOR}-apple-darwin${UNAME_RELEASE} @@ -1293,6 +1292,9 @@ i*86:skyos:*:*) echo ${UNAME_MACHINE}-pc-skyos`echo ${UNAME_RELEASE}` | sed -e 's/ .*$//' exit ;; + i*86:rdos:*:*) + echo ${UNAME_MACHINE}-pc-rdos + exit ;; esac #echo '(No uname command or uname output not recognized.)' 1>&2 --- ipsec-tools-0.6.6.orig/config.sub +++ ipsec-tools-0.6.6/config.sub @@ -3,7 +3,7 @@ # Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, # 2000, 2001, 2002, 2003, 2004, 2005 Free Software Foundation, Inc. -timestamp='2005-05-12' +timestamp='2006-02-23' # This file is (in principle) common to ALL GNU software. # The presence of a machine in this file suggests that SOME GNU software 
@@ -119,8 +119,9 @@ # Here we must recognize all the valid KERNEL-OS combinations. maybe_os=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\2/'` case $maybe_os in - nto-qnx* | linux-gnu* | linux-dietlibc | linux-uclibc* | uclinux-uclibc* | uclinux-gnu* | \ - kfreebsd*-gnu* | knetbsd*-gnu* | netbsd*-gnu* | storm-chaos* | os2-emx* | rtmk-nova*) + nto-qnx* | linux-gnu* | linux-dietlibc | linux-newlib* | linux-uclibc* | \ + uclinux-uclibc* | uclinux-gnu* | kfreebsd*-gnu* | knetbsd*-gnu* | netbsd*-gnu* | \ + storm-chaos* | os2-emx* | rtmk-nova*) os=-$maybe_os basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'` ;; @@ -171,6 +172,10 @@ -hiux*) os=-hiuxwe2 ;; + -sco6) + os=-sco5v6 + basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` + ;; -sco5) os=-sco3.2v5 basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` @@ -187,6 +192,10 @@ # Don't forget version if it is 3.2v4 or newer. basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` ;; + -sco5v6*) + # Don't forget version if it is 3.2v4 or newer. + basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` + ;; -sco*) os=-sco3.2v2 basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` @@ -239,7 +248,7 @@ | h8300 | h8500 | hppa | hppa1.[01] | hppa2.0 | hppa2.0[nw] | hppa64 \ | i370 | i860 | i960 | ia64 \ | ip2k | iq2000 \ - | m32r | m32rle | m68000 | m68k | m88k | maxq | mcore \ + | m32r | m32rle | m68000 | m68k | m88k | maxq | mb | microblaze | mcore \ | mips | mipsbe | mipseb | mipsel | mipsle \ | mips16 \ | mips64 | mips64el \ @@ -248,6 +257,7 @@ | mips64vr4100 | mips64vr4100el \ | mips64vr4300 | mips64vr4300el \ | mips64vr5000 | mips64vr5000el \ + | mips64vr5900 | mips64vr5900el \ | mipsisa32 | mipsisa32el \ | mipsisa32r2 | mipsisa32r2el \ | mipsisa64 | mipsisa64el \ 
@@ -256,13 +266,15 @@ | mipsisa64sr71k | mipsisa64sr71kel \ | mipstx39 | mipstx39el \ | mn10200 | mn10300 \ + | mt \ | msp430 \ + | nios | nios2 \ | ns16k | ns32k \ - | openrisc | or32 \ + | or32 \ | pdp10 | pdp11 | pj | pjl \ | powerpc | powerpc64 | powerpc64le | powerpcle | ppcbe \ | pyramid \ - | sh | sh[1234] | sh[23]e | sh[34]eb | shbe | shle | sh[1234]le | sh3ele \ + | sh | sh[1234] | sh[24]a | sh[23]e | sh[34]eb | shbe | shle | sh[1234]le | sh3ele \ | sh64 | sh64le \ | sparc | sparc64 | sparc64b | sparc86x | sparclet | sparclite \ | sparcv8 | sparcv9 | sparcv9b \ @@ -274,6 +286,9 @@ | z8k) basic_machine=$basic_machine-unknown ;; + m32c) + basic_machine=$basic_machine-unknown + ;; m6811 | m68hc11 | m6812 | m68hc12) # Motorola 68HC11/12. basic_machine=$basic_machine-unknown @@ -281,6 +296,9 @@ ;; m88110 | m680[12346]0 | m683?2 | m68360 | m5200 | v70 | w65 | z8k) ;; + ms1) + basic_machine=mt-unknown + ;; # We use `pc' rather than `unknown' # because (1) that's what they normally are, and @@ -322,6 +340,7 @@ | mips64vr4100-* | mips64vr4100el-* \ | mips64vr4300-* | mips64vr4300el-* \ | mips64vr5000-* | mips64vr5000el-* \ + | mips64vr5900-* | mips64vr5900el-* \ | mipsisa32-* | mipsisa32el-* \ | mipsisa32r2-* | mipsisa32r2el-* \ | mipsisa64-* | mipsisa64el-* \ @@ -330,14 +349,16 @@ | mipsisa64sr71k-* | mipsisa64sr71kel-* \ | mipstx39-* | mipstx39el-* \ | mmix-* \ + | mt-* \ | msp430-* \ + | nios-* | nios2-* \ | none-* | np1-* | ns16k-* | ns32k-* \ | orion-* \ | pdp10-* | pdp11-* | pj-* | pjl-* | pn-* | power-* \ | powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* | ppcbe-* \ | pyramid-* \ | romp-* | rs6000-* \ - | sh-* | sh[1234]-* | sh[23]e-* | sh[34]eb-* | shbe-* \ + | sh-* | sh[1234]-* | sh[24]a-* | sh[23]e-* | sh[34]eb-* | shbe-* \ | shle-* | sh[1234]le-* | sh3ele-* | sh64-* | sh64le-* \ | sparc-* | sparc64-* | sparc64b-* | sparc86x-* | sparclet-* \ | sparclite-* \ 
@@ -352,6 +373,8 @@ | ymp-* \ | z8k-*) ;; + m32c-*) + ;; # Recognize the various machine names and aliases which stand # for a CPU type and a company and sometimes even an OS. 386bsd) @@ -687,6 +710,9 @@ basic_machine=i386-pc os=-msdos ;; + ms1-*) + basic_machine=`echo $basic_machine | sed -e 's/ms1-/mt-/'` + ;; mvs) basic_machine=i370-ibm os=-mvs @@ -762,9 +788,8 @@ basic_machine=hppa1.1-oki os=-proelf ;; - or32 | or32-*) + openrisc | openrisc-*) basic_machine=or32-unknown - os=-coff ;; os400) basic_machine=powerpc-ibm @@ -795,6 +820,12 @@ pc532 | pc532-*) basic_machine=ns32k-pc532 ;; + pc98) + basic_machine=i386-pc + ;; + pc98-*) + basic_machine=i386-`echo $basic_machine | sed 's/^[^-]*-//'` + ;; pentium | p5 | k5 | k6 | nexgen | viac3) basic_machine=i586-pc ;; @@ -851,6 +882,10 @@ basic_machine=i586-unknown os=-pw32 ;; + rdos) + basic_machine=i386-pc + os=-rdos + ;; rom68k) basic_machine=m68k-rom68k os=-coff @@ -1090,12 +1125,9 @@ we32k) basic_machine=we32k-att ;; - sh3 | sh4 | sh[34]eb | sh[1234]le | sh[23]ele) + sh[1234] | sh[24]a | sh[34]eb | sh[1234]le | sh[23]ele) basic_machine=sh-unknown ;; - sh64) - basic_machine=sh64-unknown - ;; sparc | sparcv8 | sparcv9 | sparcv9b) basic_machine=sparc-sun ;; 
@@ -1169,20 +1201,23 @@ | -aos* \ | -nindy* | -vxsim* | -vxworks* | -ebmon* | -hms* | -mvs* \ | -clix* | -riscos* | -uniplus* | -iris* | -rtu* | -xenix* \ - | -hiux* | -386bsd* | -knetbsd* | -mirbsd* | -netbsd* | -openbsd* \ + | -hiux* | -386bsd* | -knetbsd* | -mirbsd* | -netbsd* \ + | -openbsd* | -solidbsd* \ | -ekkobsd* | -kfreebsd* | -freebsd* | -riscix* | -lynxos* \ | -bosx* | -nextstep* | -cxux* | -aout* | -elf* | -oabi* \ | -ptx* | -coff* | -ecoff* | -winnt* | -domain* | -vsta* \ | -udi* | -eabi* | -lites* | -ieee* | -go32* | -aux* \ | -chorusos* | -chorusrdb* \ | -cygwin* | -pe* | -psos* | -moss* | -proelf* | -rtems* \ - | -mingw32* | -linux-gnu* | -linux-uclibc* | -uxpv* | -beos* | -mpeix* | -udk* \ + | -mingw32* | -linux-gnu* | -linux-newlib* | -linux-uclibc* \ + | -uxpv* | -beos* | -mpeix* | -udk* \ | -interix* | -uwin* | -mks* | -rhapsody* | -darwin* | -opened* \ | -openstep* | -oskit* | -conix* | -pw32* | -nonstopux* \ | -storm-chaos* | -tops10* | -tenex* | -tops20* | -its* \ | -os2* | -vos* | -palmos* | -uclinux* | -nucleus* \ | -morphos* | -superux* | -rtmk* | -rtmk-nova* | -windiss* \ - | -powermax* | -dnix* | -nx6 | -nx7 | -sei* | -dragonfly* | -skyos*) + | -powermax* | -dnix* | -nx6 | -nx7 | -sei* | -dragonfly* \ + | -skyos* | -haiku* | -rdos*) # Remember, each alternative MUST END IN *, to match a version number. ;; -qnx*) @@ -1200,7 +1235,7 @@ os=`echo $os | sed -e 's|nto|nto-qnx|'` ;; -sim | -es1800* | -hms* | -xray | -os68k* | -none* | -v88r* \ - | -windows* | -osx | -abug | -netware* | -os9* | -beos* \ + | -windows* | -osx | -abug | -netware* | -os9* | -beos* | -haiku* \ | -macos* | -mpw* | -magic* | -mmixware* | -mon960* | -lnews*) ;; -mac*) @@ -1389,6 +1424,9 @@ *-be) os=-beos ;; + *-haiku) + os=-haiku + ;; *-ibm) os=-aix ;; --- ipsec-tools-0.6.6.orig/debian/po/templates.pot +++ ipsec-tools-0.6.6/debian/po/templates.pot 
@@ -0,0 +1,45 @@ +# SOME DESCRIPTIVE TITLE. +# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER +# This file is distributed under the same license as the PACKAGE package. +# FIRST AUTHOR , YEAR. +# +#, fuzzy +msgid "" +msgstr "" +"Project-Id-Version: PACKAGE VERSION\n" +"Report-Msgid-Bugs-To: rganesan@debian.org\n" +"POT-Creation-Date: 2006-07-19 11:36+0000\n" +"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" +"Last-Translator: FULL NAME \n" +"Language-Team: LANGUAGE \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=CHARSET\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Type: select +#. Choices +#: ../racoon.templates:1001 +msgid "direct" +msgstr "" + +#. Type: select +#. Choices +#: ../racoon.templates:1001 +msgid "racoon-tool" +msgstr "" + +#. Type: select +#. Description +#: ../racoon.templates:1002 +msgid "Please select the configuration mode for racoon IKE daemon." +msgstr "" + +#. Type: select +#. Description +#: ../racoon.templates:1002 +msgid "" +"racoon can be configured two ways, either by directly editing /etc/racoon/" +"racoon.conf or using the racoon-tool adminstrative front end. racoon-tool is " +"now deprecated and is only available for backward compatibility. New " +"installations should always use the \"direct\" method." +msgstr "" --- ipsec-tools-0.6.6.orig/debian/po/de.po +++ ipsec-tools-0.6.6/debian/po/de.po 
@@ -0,0 +1,94 @@ +# +# Translators, if you are not familiar with the PO format, gettext +# documentation is worth reading, especially sections dedicated to +# this format, e.g. by running: +# info -n '(gettext)PO Files' +# info -n '(gettext)Header Entry' +# Some information specific to po-debconf are available at +# /usr/share/doc/po-debconf/README-trans +# or http://www.debian.org/intl/l10n/po-debconf/README-trans# +# Developers do not need to manually edit POT or PO files. +# Erik Schanze , 2004. +# +msgid "" +msgstr "" +"Project-Id-Version: ipsec-tools_0.5rc2-1\n" +"Report-Msgid-Bugs-To: rganesan@debian.org\n" +"POT-Creation-Date: 2006-07-19 11:36+0000\n" +"PO-Revision-Date: 2004-08-02 22:17+0200\n" +"Last-Translator: Erik Schanze \n" +"Language-Team: German \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"X-Generator: KBabel 1.3.1\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Type: select +#. Choices +#: ../racoon.templates:1001 +msgid "direct" +msgstr "direkt" + +#. Type: select +#. Choices +#: ../racoon.templates:1001 +msgid "racoon-tool" +msgstr "Racoons Hilfsprogramm" + +#. Type: select +#. Description +#: ../racoon.templates:1002 +msgid "Please select the configuration mode for racoon IKE daemon." +msgstr "Bitte wählen Sie aus, wie Sie den Racoon-IKE-Dienst einrichten wollen." + +#. Type: select +#. Description +#: ../racoon.templates:1002 +msgid "" +"racoon can be configured two ways, either by directly editing /etc/racoon/" +"racoon.conf or using the racoon-tool adminstrative front end. racoon-tool is " +"now deprecated and is only available for backward compatibility. New " +"installations should always use the \"direct\" method." +msgstr "" + +#, fuzzy +#~ msgid "Please select the racoon configuration mode." +#~ msgstr "" +#~ "Bitte wählen Sie aus, wie Sie den Racoon-IKE-Dienst einrichten wollen." + +#~ msgid "Racoon can now be configured two ways." 
+#~ msgstr "Racoon kann auf zwei verschiedene Arten eingerichtet werden." + +#~ msgid "" +#~ "The traditional one (direct), which is for direct editing of /etc/racoon/" +#~ "racoon.conf and setup of the SPD using setkey via a shell script written " +#~ "by the systems administrator. You will have to make sure that the kernel " +#~ "has all required modules loaded or the racoon daemon can exit with a " +#~ "'failed to parse configuration file' error." +#~ msgstr "" +#~ "Der übliche Weg (direkt), die Datei /etc racoon/racoon.conf direkt zu " +#~ "bearbeiten oder das Aufsetzen des SPD über setkey mittels eines Shell-" +#~ "Skripts vom System-Administrator. Sie müssen sicherstellen, dass der " +#~ "Kernel alle erforderlichen Module geladen hat oder racoon endet mit einem " +#~ "Fehler: 'failed to parse configuration file'" + +#~ msgid "" +#~ "The new one is the racoon-tool administration front end which configures " +#~ "both, as well as handling module loading and can handle most common " +#~ "setups. Please read /usr/share/doc/racoon/README.Debian for more " +#~ "details." +#~ msgstr "" +#~ "Der neue Weg ist ein Racoon-Hilfsprogramm, eine Administrations-Hilfe, " +#~ "mit der beides, Handhabung von Modulen und üblicher Einstellungen. Bitte " +#~ "lesen Sie dazu die Datei /usr/share/doc/racoon/README.Debian." + +#~ msgid "" +#~ "Would you like to use the new racoon-tool program to configure VPNs, or " +#~ "the direct editing of /etc/racoon/racoon.conf?" +#~ msgstr "" +#~ "Wollen Sie das neue Hilfsprogramm für die Einrichtung der VPNs benutzen " +#~ "oder die Datei /etc/racoon/racoon.conf direkt ändern?" + +#~ msgid "Please select from either 'direct' or 'racoon-tool'." +#~ msgstr "Bitte wählen Sie'direkt' oder 'Racoons Hilfsprogramm' aus." --- ipsec-tools-0.6.6.orig/debian/po/cs.po +++ ipsec-tools-0.6.6/debian/po/cs.po 
@@ -0,0 +1,56 @@ +# +# Translators, if you are not familiar with the PO format, gettext +# documentation is worth reading, especially sections dedicated to +# this format, e.g. by running: +# info -n '(gettext)PO Files' +# info -n '(gettext)Header Entry' +# +# Some information specific to po-debconf are available at +# /usr/share/doc/po-debconf/README-trans +# or http://www.debian.org/intl/l10n/po-debconf/README-trans +# +# Developers do not need to manually edit POT or PO files. +# +msgid "" +msgstr "" +"Project-Id-Version: ipsec-tools\n" +"Report-Msgid-Bugs-To: rganesan@debian.org\n" +"POT-Creation-Date: 2006-07-19 11:36+0000\n" +"PO-Revision-Date: 2006-05-29 18:21+0200\n" +"Last-Translator: Miroslav Kure \n" +"Language-Team: Czech \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Type: select +#. Choices +#: ../racoon.templates:1001 +msgid "direct" +msgstr "přímo" + +#. Type: select +#. Choices +#: ../racoon.templates:1001 +msgid "racoon-tool" +msgstr "racoon-tool" + +#. Type: select +#. Description +#: ../racoon.templates:1002 +msgid "Please select the configuration mode for racoon IKE daemon." +msgstr "Vyberte způsob nastavení racoon IKE daemona." + +#. Type: select +#. Description +#: ../racoon.templates:1002 +msgid "" +"racoon can be configured two ways, either by directly editing /etc/racoon/" +"racoon.conf or using the racoon-tool adminstrative front end. racoon-tool is " +"now deprecated and is only available for backward compatibility. New " +"installations should always use the \"direct\" method." +msgstr "" +"racoon můžete nastavit dvěma způsoby. Buď přímou úpravou souboru /etc/racoon/" +"racoon.conf, nebo použitím administračního rozhraní racoon-tool. racoon-tool " +"je nyní zastaralý a je poskytován jen pro zachování zpětné kompatibility. U " +"nových instalací byste vždy měli použít \"přímý\" způsob." --- ipsec-tools-0.6.6.orig/debian/po/fr.po +++ ipsec-tools-0.6.6/debian/po/fr.po 
@@ -0,0 +1,63 @@ +# translation of fr.po to French +# +# Translators, if you are not familiar with the PO format, gettext +# documentation is worth reading, especially sections dedicated to +# this format, e.g. by running: +# info -n '(gettext)PO Files' +# info -n '(gettext)Header Entry' +# +# Some information specific to po-debconf are available at +# /usr/share/doc/po-debconf/README-trans +# or http://www.debian.org/intl/l10n/po-debconf/README-trans +# +# Developers do not need to manually edit POT or PO files. +# Remerciements aux relecteurs : +# Jean-Luc Coulon (f5ibh)" +# Christian Perrier +# et Denis Barbier +# Sylvain Archenault , 2005. +# +msgid "" +msgstr "" +"Project-Id-Version: fr\n" +"Report-Msgid-Bugs-To: rganesan@debian.org\n" +"POT-Creation-Date: 2006-07-19 11:36+0000\n" +"PO-Revision-Date: 2006-05-29 14:10+0200\n" +"Last-Translator: Sylvain Archenault \n" +"Language-Team: French >\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=ISO-8859-15\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Type: select +#. Choices +#: ../racoon.templates:1001 +msgid "direct" +msgstr "Modification directe" + +#. Type: select +#. Choices +#: ../racoon.templates:1001 +msgid "racoon-tool" +msgstr "Utilisation de racoon-tool" + +#. Type: select +#. Description +#: ../racoon.templates:1002 +msgid "Please select the configuration mode for racoon IKE daemon." +msgstr "Mode de configuration pour le dmon IKE racoon:" + +#. Type: select +#. Description +#: ../racoon.templates:1002 +msgid "" +"racoon can be configured two ways, either by directly editing /etc/racoon/" +"racoon.conf or using the racoon-tool adminstrative front end. racoon-tool is " +"now deprecated and is only available for backward compatibility. New " +"installations should always use the \"direct\" method." +msgstr "" +"Racoon peut tre configur de deux faons, soit en modifiant directement le " +"fichier /etc/racoon/racoon.conf, soit en utilisant l'outil d'administration " +"racoon-tool. 
Racoon-tool est dsormais obsolte et est seulement disponible " +"pour la rtrocompatibilit. Les nouvelles installations ne doivent utiliser " +"que la mthode directe." --- ipsec-tools-0.6.6.orig/debian/po/ja.po +++ ipsec-tools-0.6.6/debian/po/ja.po 
@@ -0,0 +1,92 @@ +# +# Translators, if you are not familiar with the PO format, gettext +# documentation is worth reading, especially sections dedicated to +# this format, e.g. by running: +# info -n '(gettext)PO Files' +# info -n '(gettext)Header Entry' +# +# Some information specific to po-debconf are available at +# /usr/share/doc/po-debconf/README-trans +# or http://www.debian.org/intl/l10n/po-debconf/README-trans +# +# Developers do not need to manually edit POT or PO files. +# +#, fuzzy +msgid "" +msgstr "" +"Project-Id-Version: ipsec-tools_1 0.5.1-1\n" +"Report-Msgid-Bugs-To: rganesan@debian.org\n" +"POT-Creation-Date: 2006-07-19 11:36+0000\n" +"PO-Revision-Date: 2005-05-19 14:30+0900\n" +"Last-Translator: Atsushi Shimono \n" +"Language-Team: Japanese \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=EUC-JP\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Type: select +#. Choices +#: ../racoon.templates:1001 +msgid "direct" +msgstr "ľ" + +#. Type: select +#. Choices +#: ../racoon.templates:1001 +msgid "racoon-tool" +msgstr "racoon-tool" + +#. Type: select +#. Description +#: ../racoon.templates:1002 +msgid "Please select the configuration mode for racoon IKE daemon." +msgstr "racoon IKE ǡˡ򤷤Ƥ" + +#. Type: select +#. Description +#: ../racoon.templates:1002 +msgid "" +"racoon can be configured two ways, either by directly editing /etc/racoon/" +"racoon.conf or using the racoon-tool adminstrative front end. racoon-tool is " +"now deprecated and is only available for backward compatibility. New " +"installations should always use the \"direct\" method." +msgstr "" + +#, fuzzy +#~ msgid "Please select the racoon configuration mode." +#~ msgstr "racoon IKE ǡˡ򤷤Ƥ" + +#~ msgid "Racoon can now be configured two ways." +#~ msgstr "racoon 2 ĤˡǽǤ" + +#~ msgid "" +#~ "The traditional one (direct), which is for direct editing of /etc/racoon/" +#~ "racoon.conf and setup of the SPD using setkey via a shell script written " +#~ "by the systems administrator. 
You will have to make sure that the kernel " +#~ "has all required modules loaded or the racoon daemon can exit with a " +#~ "'failed to parse configuration file' error." +#~ msgstr "" +#~ "ˡ (ľ) Ǥϡ/etc/racoon/racoon.conf ľԽԤˤ" +#~ "ƽ񤫤줿륹ץȤˤ setkey Ѥ SPD ꤷޤ" +#~ "ɬפƤΥ⥸塼뤬ɤ߹ޤƤʤСracoon ǡ '" +#~ "եβϥ顼' ǽλޤ" + +#~ msgid "" +#~ "The new one is the racoon-tool administration front end which configures " +#~ "both, as well as handling module loading and can handle most common " +#~ "setups. Please read /usr/share/doc/racoon/README.Debian for more " +#~ "details." +#~ msgstr "" +#~ "ˡϡracoon-tool եȥɤǤϡ⥸塼Υɤȡ" +#~ "ŪʥåȥåפξԤޤܺ٤ʾˤĤƤϡ/usr/share/" +#~ "doc/racoon/README.Debian ɤǤ" + +#~ msgid "" +#~ "Would you like to use the new racoon-tool program to configure VPNs, or " +#~ "the direct editing of /etc/racoon/racoon.conf?" +#~ msgstr "" +#~ "VPN ˿ racoon-tool ץѤޤ⤷ϡľ /" +#~ "etc/racoon/racoon.conf Խޤ" + +#~ msgid "Please select from either 'direct' or 'racoon-tool'." +#~ msgstr "'ľ' ⤷ 'racoon-tool' ΤŤ줫򤷤Ƥ" --- ipsec-tools-0.6.6.orig/debian/po/ru.po +++ ipsec-tools-0.6.6/debian/po/ru.po 
@@ -0,0 +1,49 @@ +# Russian translation of ipsec-tools_1:0.6.5-6.po. +# This file is distributed under the same license as the ipsec-tools package. +# Aleksandr Bouksha , 2006.A , 2006. +# +# +msgid "" +msgstr "" +"Project-Id-Version: ipsec-tools 1:0.6.5-6\n" +"Report-Msgid-Bugs-To: rganesan@debian.org\n" +"POT-Creation-Date: 2006-07-19 11:36+0000\n" +"PO-Revision-Date: 2006-06-16 16:00+0600\n" +"Last-Translator: Aleksandr Bouksha \n" +"Language-Team: Russian \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=koi8-r\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Type: select +#. Choices +#: ../racoon.templates:1001 +msgid "direct" +msgstr " " + +#. Type: select +#. Choices +#: ../racoon.templates:1001 +msgid "racoon-tool" +msgstr " racoon-tool" + +#. Type: select +#. Description +#: ../racoon.templates:1002 +msgid "Please select the configuration mode for racoon IKE daemon." +msgstr " rakoon IKE" + +#. Type: select +#. Description +#: ../racoon.templates:1002 +#, fuzzy +msgid "" +"racoon can be configured two ways, either by directly editing /etc/racoon/" +"racoon.conf or using the racoon-tool adminstrative front end. racoon-tool is " +"now deprecated and is only available for backward compatibility. New " +"installations should always use the \"direct\" method." +msgstr "" +"racoon : /etc/init." +"d/racoon.conf racoon-tool.racoon-tool " +" . " +" ." --- ipsec-tools-0.6.6.orig/debian/po/sv.po +++ ipsec-tools-0.6.6/debian/po/sv.po 
@@ -0,0 +1,96 @@ +# Translators, if you are not familiar with the PO format, gettext +# documentation is worth reading, especially sections dedicated to +# this format, e.g. by running: +# info -n '(gettext)PO Files' +# info -n '(gettext)Header Entry' +# Some information specific to po-debconf are available at +# /usr/share/doc/po-debconf/README-trans +# or http://www.debian.org/intl/l10n/po-debconf/README-trans +# Developers do not need to manually edit POT or PO files. +# , fuzzy +# +# +msgid "" +msgstr "" +"Project-Id-Version: ipsec-tools 1:0.6.1-1\n" +"Report-Msgid-Bugs-To: rganesan@debian.org\n" +"POT-Creation-Date: 2006-07-19 11:36+0000\n" +"PO-Revision-Date: 2006-05-30 17:06+0100\n" +"Last-Translator: Daniel Nylander \n" +"Language-Team: Swedish \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=iso-8859-1\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Type: select +#. Choices +#: ../racoon.templates:1001 +msgid "direct" +msgstr "direkt" + +#. Type: select +#. Choices +#: ../racoon.templates:1001 +msgid "racoon-tool" +msgstr "racoon-tool" + +#. Type: select +#. Description +#: ../racoon.templates:1002 +msgid "Please select the configuration mode for racoon IKE daemon." +msgstr "Vlj konfigurationslget fr racoon IKE-demonen." + +#. Type: select +#. Description +#: ../racoon.templates:1002 +msgid "" +"racoon can be configured two ways, either by directly editing /etc/racoon/" +"racoon.conf or using the racoon-tool adminstrative front end. racoon-tool is " +"now deprecated and is only available for backward compatibility. New " +"installations should always use the \"direct\" method." +msgstr "" +"racoon kan konfigureras p tv stt, antingen genom att direkt redigera /etc/" +"racoon/racoon.conf eller genom att anvnda verktyget racoon-tool. racoon-" +"tool r nu frldrat och finns endast tillgngligt fr kompatibilitet bakt. " +"Nya installationer br alltid anvnda metoden \"direkt\"." + +#, fuzzy +#~ msgid "Please select the racoon configuration mode." 
+#~ msgstr "Vlj konfigurationslget fr racoon IKE daemon." + +#~ msgid "Racoon can now be configured two ways." +#~ msgstr "Racoon kan konfigureras p tv stt." + +#~ msgid "" +#~ "The traditional one (direct), which is for direct editing of /etc/racoon/" +#~ "racoon.conf and setup of the SPD using setkey via a shell script written " +#~ "by the systems administrator. You will have to make sure that the kernel " +#~ "has all required modules loaded or the racoon daemon can exit with a " +#~ "'failed to parse configuration file' error." +#~ msgstr "" +#~ "Den traditionella metoden (direkt) som r fr att direkt gra ndringar " +#~ "i /etc/racoon/racoon.conf och stta upp SPD med setkey via shellskript " +#~ "(skrivet av systemadministratren). Du mste kontrollera att kerneln har " +#~ "alla ndvndiga moduler laddade annars kommer racoon daemonen att " +#~ "avslutas med ett 'failed to parse configuration file' fel." + +#~ msgid "" +#~ "The new one is the racoon-tool administration front end which configures " +#~ "both, as well as handling module loading and can handle most common " +#~ "setups. Please read /usr/share/doc/racoon/README.Debian for more " +#~ "details." +#~ msgstr "" +#~ "Det nya r racoon-tools administrationsgrnssnitt som konfigurerar dem " +#~ "bda och som ven hanterar laddning av moduler och kan ven hantera de " +#~ "flesta allmnna instllningar. Vnligen ls /usr/share/doc/racoon/README." +#~ "Debian fr mer information." + +#~ msgid "" +#~ "Would you like to use the new racoon-tool program to configure VPNs, or " +#~ "the direct editing of /etc/racoon/racoon.conf?" +#~ msgstr "" +#~ "Vill du anvnda det nya programmet racoon-tool fr att konfigurera VPN " +#~ "eller direkt ndra /etc/racoon/racoon.conf manuellt?" + +#~ msgid "Please select from either 'direct' or 'racoon-tool'." +#~ msgstr "Vlj mellan antingen 'direkt' eller 'racoon-tool'." --- ipsec-tools-0.6.6.orig/debian/po/vi.po +++ ipsec-tools-0.6.6/debian/po/vi.po 
@@ -0,0 +1,89 @@ +# Vietnamese Translation for ipsec-tools. +# Copyright © 2006 Free Software Foundation, Inc. +# Clytie Siddall , 2005-2006. +# +msgid "" +msgstr "" +"Project-Id-Version: ipsec-tools 1/0.6.5-6\n" +"Report-Msgid-Bugs-To: rganesan@debian.org\n" +"POT-Creation-Date: 2006-07-19 11:36+0000\n" +"PO-Revision-Date: 2006-05-30 22:43+0930\n" +"Last-Translator: Clytie Siddall \n" +"Language-Team: Vietnamese \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=utf-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Plural-Forms: nplurals=1; plural=0\n" + +#. Type: select +#. Choices +#: ../racoon.templates:1001 +msgid "direct" +msgstr "trực tiếp" + +#. Type: select +#. Choices +#: ../racoon.templates:1001 +msgid "racoon-tool" +msgstr "racoon-tool" + +#. Type: select +#. Description +#: ../racoon.templates:1002 +msgid "Please select the configuration mode for racoon IKE daemon." +msgstr "Hãy chọn chế độ cấu hình cho trình nền IKE racoon." + +#. Type: select +#. Description +#: ../racoon.templates:1002 +msgid "" +"racoon can be configured two ways, either by directly editing /etc/racoon/" +"racoon.conf or using the racoon-tool adminstrative front end. racoon-tool is " +"now deprecated and is only available for backward compatibility. New " +"installations should always use the \"direct\" method." +msgstr "" +"Trình racoon có thể được cấu hình bằng hai cách, hoặc bằng cách hiệu chỉnh " +"trực tiếp tập tin , hoặc bằng cách sử dụng tiền " +"tiêu quản lý racoon-tool. Tùy nhiên, racoon-tool lúc bây giờ bị phản đối và " +"sẵn sàng chỉ để tương thích ngược. Việc cài đặt mới luôn luôn nên dùng " +"phương pháp « trực tiếp »." + +#~ msgid "Please select the racoon configuration mode." +#~ msgstr "Hãy chọn chế độ cấu hình racoon." + +#~ msgid "Racoon can now be configured two ways." +#~ msgstr "Hiện thời có thể cấu hình Racoon bằng hai cách." 
+ +#~ msgid "" +#~ "The traditional one (direct), which is for direct editing of /etc/racoon/" +#~ "racoon.conf and setup of the SPD using setkey via a shell script written " +#~ "by the systems administrator. You will have to make sure that the kernel " +#~ "has all required modules loaded or the racoon daemon can exit with a " +#~ "'failed to parse configuration file' error." +#~ msgstr "" +#~ "Cách truyền thống (trực tiếp) dành cho sửa đổi trực tiếp tập tin «/etc/" +#~ "racoon/racoon.conf» và thiết lập SPD dùng setkey thông qua một tập lệnh " +#~ "hệ vỏ do quản trị hệ thống viết. Bạn sẽ phải đảm bảo hạt nhân đá tải mọi " +#~ "mô-đun cần đến: nếu không thì trình nền racoon sẽ thoát với lỗi «failed " +#~ "to parse configuration file» (không phân tách tập tin cấu hình được)." + +#~ msgid "" +#~ "The new one is the racoon-tool administration front end which configures " +#~ "both, as well as handling module loading and can handle most common " +#~ "setups. Please read /usr/share/doc/racoon/README.Debian for more " +#~ "details." +#~ msgstr "" +#~ "Cách mới là tiền tiêu quản lý racoon-tool (công cụ racoon) mà cấu hình cả " +#~ "hai điều, cũng với quản lý tải mô-đun, và có thể quản lý phần lớn cách " +#~ "thiết lập thường. Hãy đọc tập tin « /usr/share/doc/racoon/README.Debian» " +#~ "để tìm chi tiết." + +#~ msgid "" +#~ "Would you like to use the new racoon-tool program to configure VPNs, or " +#~ "the direct editing of /etc/racoon/racoon.conf?" +#~ msgstr "" +#~ "Bạn có muốn sử dụng chương trình racoon-tool mới để cấu hình một số VPN, " +#~ "hoặc để sửa đổi trực tiếp tập tin «/etc/racoon/racoon.conf»." + +#~ msgid "Please select from either 'direct' or 'racoon-tool'." +#~ msgstr "Hãy chọn hoặc «trực tiếp» hay «racoon-tool»." --- ipsec-tools-0.6.6.orig/debian/po/POTFILES.in +++ ipsec-tools-0.6.6/debian/po/POTFILES.in @@ -0,0 +1 @@ +[type: gettext/rfc822deb] racoon.templates --- ipsec-tools-0.6.6.orig/debian/po/pt_BR.po +++ ipsec-tools-0.6.6/debian/po/pt_BR.po 
@@ -0,0 +1,101 @@ +# +# Translators, if you are not familiar with the PO format, gettext +# documentation is worth reading, especially sections dedicated to +# this format, e.g. by running: +# info -n '(gettext)PO Files' +# info -n '(gettext)Header Entry' +# +# Some information specific to po-debconf are available at +# /usr/share/doc/po-debconf/README-trans +# or http://www.debian.org/intl/l10n/po-debconf/README-trans +# +# Developers do not need to manually edit POT or PO files. +# +msgid "" +msgstr "" +"Project-Id-Version: ipsec-tools\n" +"Report-Msgid-Bugs-To: rganesan@debian.org\n" +"POT-Creation-Date: 2006-07-19 11:36+0000\n" +"PO-Revision-Date: 2006-06-10 13:56-0300\n" +"Last-Translator: André Luís Lopes \n" +"Language-Team: Debian-BR Project \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Type: select +#. Choices +#: ../racoon.templates:1001 +msgid "direct" +msgstr "direta" + +#. Type: select +#. Choices +#: ../racoon.templates:1001 +msgid "racoon-tool" +msgstr "racoon-tool" + +#. Type: select +#. Description +#: ../racoon.templates:1002 +msgid "Please select the configuration mode for racoon IKE daemon." +msgstr "Por favor, selecione o modo de configuração para o daemon IKE racoon." + +#. Type: select +#. Description +#: ../racoon.templates:1002 +msgid "" +"racoon can be configured two ways, either by directly editing /etc/racoon/" +"racoon.conf or using the racoon-tool adminstrative front end. racoon-tool is " +"now deprecated and is only available for backward compatibility. New " +"installations should always use the \"direct\" method." +msgstr "" +"O racoon pode ser configurado de duas formas : editando diretamente o " +"arquivo /etc/racoon/racoon.conf ou usando o ferramenta administrativa racoon-" +"tool. A ferramenta racoon-tool ficou obsoleta e está disponível somente para " +"compatibilidade anterior. Novas instalações devem sempre utilizar o método " +"\"direto\"." 
+ +#, fuzzy +#~ msgid "Please select the racoon configuration mode." +#~ msgstr "" +#~ "Por favor, selecione o modo de configuração para o daemon IKE racoon." + +#~ msgid "Racoon can now be configured two ways." +#~ msgstr "O racoon pode agora ser configurado de duas maneiras." + +#~ msgid "" +#~ "The traditional one (direct), which is for direct editing of /etc/racoon/" +#~ "racoon.conf and setup of the SPD using setkey via a shell script written " +#~ "by the systems administrator. You will have to make sure that the kernel " +#~ "has all required modules loaded or the racoon daemon can exit with a " +#~ "'failed to parse configuration file' error." +#~ msgstr "" +#~ "A maneira tradicional (direta) é através da edição direta do arquivo /etc/" +#~ "racoon/racoon.conf e da configuração do SPD usando setkey através de um " +#~ "script shell escrito pelos administradores do sistema. Será necessário se " +#~ "certificar de que o kernel possua todos os módulos requeridos carregados " +#~ "ou o daemon racoon pode finalizar com um erro 'falha ao interpretar " +#~ "arquivo de configuração'." + +#~ msgid "" +#~ "The new one is the racoon-tool administration front end which configures " +#~ "both, as well as handling module loading and can handle most common " +#~ "setups. Please read /usr/share/doc/racoon/README.Debian for more " +#~ "details." +#~ msgstr "" +#~ "A nova maneira é atravpés da interface de administração racoon-tool, a " +#~ "qual configura ambos, bem como gerencia o carregamento de módulos e " +#~ "também pode gerenciar a maioria dos cenários ce configuração comuns. Por " +#~ "favor, leia o arquivo /usr/share/doc/racoon/README.Debian para maiores " +#~ "detalhes." + +#~ msgid "" +#~ "Would you like to use the new racoon-tool program to configure VPNs, or " +#~ "the direct editing of /etc/racoon/racoon.conf?" 
+#~ msgstr ""
+#~ "Você gostaria de usar a ferramenta racoon-tool para configurar VPNs ou "
+#~ "gostaria de editar diretamente o arquivo /etc/racoon/racoon.conf ?"
+
+#~ msgid "Please select from either 'direct' or 'racoon-tool'."
+#~ msgstr "Por favor, selecione uma dentre as opções 'direta' e 'racoon-tool'."
--- ipsec-tools-0.6.6.orig/debian/ipsec-tools.postinst
+++ ipsec-tools-0.6.6/debian/ipsec-tools.postinst
@@ -0,0 +1,43 @@
+#! /bin/sh
+# postinst script for ipsec-tools
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+# * `configure'
+# * `abort-upgrade'
+# * `abort-remove' `in-favour'
+#
+# * `abort-deconfigure' `in-favour'
+# `removing'
+#
+# for details, see http://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+#
+
+case "$1" in
+ configure)
+ if [ -L /etc/rc2.d/S20setkey -o -L /etc/rc0.d/K37setkey ]; then
+ # remove this old entry, we'll add correct one below
+ update-rc.d -f setkey remove > /dev/null || exit 0
+ fi
+ ;;
+
+ abort-upgrade|abort-remove|abort-deconfigure)
+ exit 0
+ ;;
+
+ *)
+ echo "postinst called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+
+
+#DEBHELPER#
+
+exit 0
+
+
--- ipsec-tools-0.6.6.orig/debian/control
+++ ipsec-tools-0.6.6/debian/control
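Review bot: `update-rc.d -f setkey remove > /dev/null || exit 0` in the `configure` branch ends the whole postinst when the removal fails, so the `#DEBHELPER#` section that the comment relies on ("we'll add correct one below") never runs and the package is marked configured with no setkey rc links and no error reported. If the cleanup is best-effort, write `update-rc.d -f setkey remove > /dev/null || true` so the script continues; if it is required, drop the `|| exit 0` and let `set -e` surface the failure.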
@@ -0,0 +1,25 @@ +Source: ipsec-tools +Section: net +Priority: extra +Maintainer: Ubuntu Core Developers +XSBC-Original-Maintainer: Ganesan Rajagopal +Build-Depends: debhelper (>= 4.0.0), flex, bison, libkrb5-dev, libssl-dev (>= 0.9.6), libreadline5-dev, libpam0g-dev +Build-Conflicts: bison++ +Standards-Version: 3.7.2 + +Package: ipsec-tools +Architecture: any +Depends: ${shlibs:Depends}, lsb-base (>= 3.0) +Description: IPsec tools for Linux + IPsec-Tools is a port of the KAME IPsec utilities for Linux. It can be + used with the ipsec implementation in 2.6 and later kernels or with + the 2.4 backport of the ipsec changes. + +Package: racoon +Architecture: any +Provides: ike-server +Depends: ${shlibs:Depends}, debconf (>= 0.2.26) | debconf-2.0, ${perl:Depends} +Description: IPsec IKE keying daemon + racoon is the KAME IKE (ipsec key exchange) server. It can be used with + the Linux ipsec implementation in 2.6 and later kernels or with + the 2.4 backport of the ipsec changes. --- ipsec-tools-0.6.6.orig/debian/racoon.templates +++ ipsec-tools-0.6.6/debian/racoon.templates @@ -0,0 +1,12 @@ +Template: racoon/config_mode +Type: select +__Choices: direct, racoon-tool +# The above choices have to be left as they are as the values are used directly +# in the postinst script. They do not need translation. +# Please explain what they are in any rewritten description. +Default: direct +_Description: Please select the configuration mode for racoon IKE daemon. + racoon can be configured two ways, either by directly editing + /etc/racoon/racoon.conf or using the racoon-tool adminstrative front end. + racoon-tool is now deprecated and is only available for backward + compatibility. New installations should always use the "direct" method. --- ipsec-tools-0.6.6.orig/debian/racoon.conf +++ ipsec-tools-0.6.6/debian/racoon.conf 
@@ -0,0 +1,40 @@
+#
+# NOTE: This file will not be used if you use racoon-tool(8) to manage your
+# IPsec connections. racoon-tool will process racoon-tool.conf(5) and
+# generate a configuration (/var/lib/racoon/racoon.conf) and use it, instead
+# of this file.
+#
+# Simple racoon.conf
+#
+#
+# Please look in /usr/share/doc/racoon/examples for
+# examples that come with the source.
+#
+# Please read racoon.conf(5) for details, and alsoread setkey(8).
+#
+#
+# Also read the Linux IPSEC Howto up at
+# http://www.ipsec-howto.org/t1.html
+#
+
+path pre_shared_key "/etc/racoon/psk.txt";
+path certificate "/etc/racoon/certs";
+
+#remote 172.31.1.1 {
+# exchange_mode main,aggressive;
+# proposal {
+# encryption_algorithm 3des;
+# hash_algorithm sha1;
+# authentication_method pre_shared_key;
+# dh_group modp1024;
+# }
+# generate_policy off;
+#}
+#
+#sainfo address 192.168.203.10[any] any address 192.168.22.0/24[any] any {
+# pfs_group modp768;
+# encryption_algorithm 3des;
+# authentication_algorithm hmac_md5;
+# compression_algorithm deflate;
+#}
+
--- ipsec-tools-0.6.6.orig/debian/racoon.dirs
+++ ipsec-tools-0.6.6/debian/racoon.dirs
@@ -0,0 +1,4 @@
+usr/bin
+usr/sbin
+usr/lib
+
--- ipsec-tools-0.6.6.orig/debian/racoon.docs
+++ ipsec-tools-0.6.6/debian/racoon.docs
@@ -0,0 +1,6 @@
+NEWS
+README
+src/racoon/doc/FAQ
+src/racoon/doc/README.certificate
+
+
--- ipsec-tools-0.6.6.orig/debian/racoon.init
+++ ipsec-tools-0.6.6/debian/racoon.init
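Review bot: The example proposals that administrators are expected to uncomment use `dh_group modp1024;`, `pfs_group modp768;`, `encryption_algorithm 3des;` and `authentication_algorithm hmac_md5;`, all of which are well below current guidance for IKE and IPsec (768/1024-bit MODP groups, MD5, 3DES). Because this file is installed as /etc/racoon/racoon.conf it effectively documents the defaults, so the sample should show stronger choices, e.g. `dh_group modp2048;` and `pfs_group modp2048;` together with `encryption_algorithm aes;` and `authentication_algorithm hmac_sha1;` or better. The sample `exchange_mode main,aggressive;` combined with `authentication_method pre_shared_key;` also advertises aggressive mode with a PSK, which exposes the PSK-derived hash to offline guessing; list `main` only unless aggressive mode is genuinely needed.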
@@ -0,0 +1,93 @@
+#! /bin/sh
+#
+# netscript script to fire up netscript network configuration system
+#
+# Written by Miquel van Smoorenburg .
+# Modified for Debian GNU/Linux
+# by Ian Murdock .
+# Modified from /etc/init.d/skeleton
+# by Matthew Grant
+#
+
+set -e
+
+PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
+TOOL=/usr/sbin/racoon-tool
+DAEMON=/usr/sbin/racoon
+NAME=racoon
+DESC="racoon"
+DEF_CFG="/etc/default/racoon"
+PID_FILE="/var/run/racoon.pid"
+PROC_FILE="/proc/net/pfkey"
+
+test -f $TOOL || exit 0
+test -f $DAEMON || exit 0
+
+CONFIG_MODE="direct"
+RACOON_ARGS=""
+
+[ -f "$DEF_CFG" ] && . $DEF_CFG
+
+if [ ! -d /var/run/racoon ]; then
+ mkdir -p /var/run/racoon
+fi
+
+check_kernel () {
+ local MOD_DIR=/lib/modules/`uname -r`
+ local FOUT
+
+ [ -f "$PROC_FILE" ] && return 0
+ [ ! -d "$MOD_DIR" ] && return 1
+ FOUT=`find $MOD_DIR -name "*af_key*"`
+ [ -z "$FOUT" ] && return 1
+ return 0
+}
+
+if ! check_kernel ; then
+ echo "racoon - IKE keying daemon will not be started as $PROC_FILE is not" 1>&2
+ echo " available or a suitable 2.6 (or 2.4 with IPSEC backport)" 1>&2
+ echo " kernel with af_key.[k]o module is not installed." 1>&2
+ exit 0
+fi
+
+case $CONFIG_MODE in
+ racoon-tool)
+ # /usr/sbin/racoon-tool command complies with Debian Policy so just do this:
+ # NB the following makes lintian happy
+ case "$1" in
+ start|stop|reload|force-reload|restart)
+ $TOOL $*
+ ;;
+ *)
+ $TOOL $*
+ ;;
+ esac
+ ;;
+ *)
+ case "$1" in
+ start)
+ echo -n "Starting IKE (ISAKMP/Oakley) server: racoon"
+ start-stop-daemon --start --quiet --exec /usr/sbin/racoon -- ${RACOON_ARGS}
+ echo "."
+ ;;
+
+ stop)
+ echo -n "Stopping IKE (ISAKMP/Oakley) server: racoon"
+ start-stop-daemon --stop --retry 25 --quiet --oknodo \
+ --pidfile $PID_FILE --name racoon
+ echo "."
+ ;;
+
+ reload|force_reload|restart)
+ $0 stop
+ $0 start
+ ;;
+
+ *)
+ echo "Usage: $0 (start|stop|reload|force-reload|restart)" >&2
+ exit 1
+ esac
+ ;;
+esac
+
+exit 0
--- ipsec-tools-0.6.6.orig/debian/ipsec-tools.setkey.default
+++ ipsec-tools-0.6.6/debian/ipsec-tools.setkey.default
@@ -0,0 +1,2 @@
+# Set to "no" to disable loading ipsec.conf on startup
+# RUN_SETKEY=yes
--- ipsec-tools-0.6.6.orig/debian/rules
+++ ipsec-tools-0.6.6/debian/rules
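Review bot: In the direct-mode `case "$1"` the pattern reads `reload|force_reload|restart)` while the usage message and the racoon-tool branch spell it `force-reload`, so `/etc/init.d/racoon force-reload` (the hyphenated name LSB tooling invokes) falls through to `*)` and exits 1 without restarting the daemon. Change the pattern to `reload|force-reload|restart)`. Separately, the racoon-tool branch forwards every argument with an unquoted `$TOOL $*` in both arms of its inner case, so the explicit action list there does nothing; `$TOOL "$@"` preserves argument boundaries and one arm suffices.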
@@ -0,0 +1,136 @@ +#!/usr/bin/make -f +# -*- makefile -*- +# Sample debian/rules that uses debhelper. +# +# This file was originally written by Joey Hess and Craig Small. +# As a special exception, when this file is copied by dh-make into a +# dh-make output file, you may use that output file without restriction. +# This special exception was added by Craig Small in version 0.37 of dh-make. +# +# Modified to make a template file for a multi-binary package with separated +# build-arch and build-indep targets by Bill Allombert 2001 + +# Uncomment this to turn on verbose mode. +export DH_VERBOSE=1 + +# This has to be exported to make some magic below work. +export DH_OPTIONS + +# These are used for cross-compiling and for saving the configure script +# from having to guess our platform (since we know it already) +DEB_HOST_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE) +DEB_BUILD_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE) + + +CFLAGS = -Wall -g + +ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS))) + CFLAGS += -O0 +else + CFLAGS += -O2 +endif + +config.status: configure + dh_testdir + # Add here commands to configure the package. + CFLAGS="$(CFLAGS)" ./configure --verbose --host=$(DEB_HOST_GNU_TYPE) --build=$(DEB_BUILD_GNU_TYPE) --prefix=/usr --sysconfdir=/etc/racoon --mandir=\$${prefix}/share/man --infodir=\$${prefix}/share/info --localstatedir=/var/run --enable-shared --disable-static --enable-frag --enable-gssapi --enable-hybrid --enable-xauth --enable-dpd --enable-adminport --enable-natt --with-kernel-headers=/usr/include --with-libpam --without-readline + +#Architecture +build: build-arch build-indep + +build-arch: build-arch-stamp +build-arch-stamp: config.status + + # Add here commands to compile the arch part of the package. + #$(MAKE) + touch build-arch-stamp + +build-indep: build-indep-stamp +build-indep-stamp: config.status + + # Add here commands to compile the indep part of the package. 
+ #$(MAKE) doc + touch build-indep-stamp + +clean: + dh_testdir + dh_testroot + rm -f build-arch-stamp build-indep-stamp #CONFIGURE-STAMP# + + # Add here commands to clean up after the build process. + rm -f config.log + -$(MAKE) distclean +ifneq "$(wildcard /usr/share/misc/config.sub)" "" + cp -f /usr/share/misc/config.sub config.sub +endif +ifneq "$(wildcard /usr/share/misc/config.guess)" "" + cp -f /usr/share/misc/config.guess config.guess +endif + + debconf-updatepo + dh_clean + +install: install-indep install-arch +install-indep: + # we have no indep packages + +install-arch: + dh_testdir + dh_testroot + dh_clean -k -s + dh_installdirs -s + + # Add here commands to install the arch part of the package into + # debian/tmp. + $(MAKE) install DESTDIR=$(CURDIR)/debian/racoon + + dh_movefiles -pipsec-tools --sourcedir=debian/racoon \ + usr/sbin/setkey usr/share/man/man8/setkey.8 \ + /usr/lib/libipsec.so.0 /usr/lib/libipsec.so.0.0.0 + rm debian/racoon/usr/lib/*.so debian/racoon/usr/lib/*.la + + mkdir -p debian/racoon/var/lib/racoon + install -m 755 -o root -g root debian/racoon-tool.pl \ + debian/racoon/usr/sbin/racoon-tool + install -D -m 600 -o root -g root src/racoon/samples/psk.txt.sample \ + debian/racoon/etc/racoon/psk.txt + install -m 644 -o root -g root debian/racoon-tool.conf \ + debian/racoon/etc/racoon + install -m 644 -o root -g root debian/racoon.conf \ + debian/racoon/etc/racoon/racoon.conf + mkdir -p debian/ipsec-tools/etc + install -m 755 -o root -g root debian/ipsec-tools.conf \ + debian/ipsec-tools/etc/ipsec-tools.conf + +# Must not depend on anything. This is to be called by +# binary-arch/binary-indep +# in another 'make' thread. +binary-arch: build-arch install-arch + dh_testdir + dh_testroot + dh_installchangelogs ChangeLog + dh_installdocs + dh_installexamples -pracoon src/racoon/samples + dh_installdebconf + dh_installinit -pracoon -- start 40 S . stop 89 1 . + dh_installinit -pipsec-tools --name=setkey --no-start -- \ + start 37 S . 
+ dh_installman -pracoon debian/racoon-tool.8 debian/racoon-tool.conf.5 + dh_link + dh_strip + dh_compress + dh_fixperms + dh_perl + dh_makeshlibs + dh_installdeb + dh_shlibdeps + dh_gencontrol + dh_md5sums + dh_builddeb + +# Build architecture independant packages using the common target. +binary-indep: build-indep install-indep + # we have no architecture independant stuff yet + +binary: binary-arch binary-indep +.PHONY: build clean binary-indep binary-arch binary install install-indep install-arch --- ipsec-tools-0.6.6.orig/debian/ipsec-tools.conf +++ ipsec-tools-0.6.6/debian/ipsec-tools.conf @@ -0,0 +1,20 @@ +#!/usr/sbin/setkey -f + +# NOTE: Do not use this file if you use racoon with racoon-tool +# utility. racoon-tool will setup SAs and SPDs automatically using +# /etc/racoon/racoon-tool.conf configuration. +# + +## Flush the SAD and SPD +# +# flush; +# spdflush; + +## Some sample SPDs for use racoon +# +# spdadd 10.10.100.1 10.10.100.2 any -P out ipsec +# esp/transport//require; +# +# spdadd 10.10.100.2 10.10.100.1 any -P in ipsec +# esp/transport//require; +# --- ipsec-tools-0.6.6.orig/debian/racoon.postinst +++ ipsec-tools-0.6.6/debian/racoon.postinst 
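Review bot: `install -D -m 600 -o root -g root src/racoon/samples/psk.txt.sample debian/racoon/etc/racoon/psk.txt` in install-arch is followed in binary-arch by `dh_fixperms`, which by default applies `go=rX,u+rw` across the whole package tree, so the pre-shared-key file most likely ships as 0644 in the .deb and is world-readable from unpack until the maintainer script chmods it. Exclude it from the normalisation, `dh_fixperms -X psk.txt`, so the mode inside the package is 0600 from the start instead of depending on the postinst.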
@@ -0,0 +1,102 @@
+#! /bin/sh
+# postinst script for racoon
+#
+# see: dh_installdeb(1)
+
+set -e
+
+update_param() {
+ eval old=\"'$'$1\"
+ eval new=\"'$'new_$1\"
+
+ if test "$old" = "$new"; then
+ return
+ fi
+
+ if test -z "$old"; then
+ grep -Eq "^ *$1=" "$INITCONFFILE" || echo "$1=" \
+ >> "$INITCONFFILE"
+ fi
+
+ sed -e "s/^ *$1=.*/$1=\"$new\"/" < $INITCONFFILE > $INITCONFFILE.$$
+ mv -f $INITCONFFILE.$$ $INITCONFFILE
+}
+
+# summary of how this script can be called:
+# * `configure'
+# * `abort-upgrade'
+# * `abort-remove' `in-favour'
+#
+# * `abort-deconfigure' `in-favour'
+# `removing'
+#
+# for details, see http://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+#
+
+case "$1" in
+ configure)
+ if [ -L /etc/rc2.d/S20racoon ]; then
+ # remove this old entry, we'll add correct one below
+ update-rc.d -f racoon remove > /dev/null || exit 0
+ fi
+ ;;
+
+ abort-upgrade|abort-remove|abort-deconfigure)
+ exit 0
+ ;;
+
+ *)
+ echo "postinst called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+
+# Handle debconf
+. /usr/share/debconf/confmodule
+
+INITCONFFILE=/etc/default/racoon
+
+# We generate several files during the postinst, and we don't want
+# them to be readable only by root.
+umask 022
+
+# Generate configuration file if it does not exist, using default values.
+[ -r "${INITCONFFILE}" ] || {
+ echo Generating ${INITCONFFILE}... >&2
+ cat >${INITCONFFILE} <<'EOFMAGICNUMBER1234'
+# Defaults for racoon initscript
+# sourced by /etc/init.d/racoon
+# installed at /etc/default/racoon by the maintainer scripts
+
+#
+# This is a POSIX shell fragment
+#
+
+# Which configuration mode shall we use for racoon?
+# Should be either "direct" (edit racoon.conf by hand)
+# or "racoon-tool" (use this tool to do it).
+# Unknown values are treated as if "direct" was given.
+CONFIG_MODE=""
+# Arguments to pass to racoon (ignored when config mode is racoon-tool)
+RACOON_ARGS=""
+EOFMAGICNUMBER1234
+}
+
+# ------------------------- Debconf questions start ---------------------
+
+db_get racoon/config_mode || true
+new_CONFIG_MODE="${RET}"
+update_param CONFIG_MODE
+db_stop
+
+# ------------------------- Debconf questions end ---------------------
+
+# Fix psk.txt permissions
+[ -f /etc/racoon/psk.txt ] && chmod 0600 /etc/racoon/psk.txt
+
+#DEBHELPER#
+
+exit 0
+
+
--- ipsec-tools-0.6.6.orig/debian/watch
+++ ipsec-tools-0.6.6/debian/watch
@@ -0,0 +1,6 @@
+# Example watch control file for uscan
+# Rename this file to "watch" and then you can run the "uscan" command
+# to check for upstream updates and more.
+# Site Directory Pattern Version Script
+version=2
+unc.dl.sf.net ipsec-tools ipsec-tools-(.*)\.tar\.gz debian uupdate
--- ipsec-tools-0.6.6.orig/debian/racoon.files
+++ ipsec-tools-0.6.6/debian/racoon.files
@@ -0,0 +1,2 @@
+ipsec-tools_0.4999pre5-20041206cvs_i386.deb net optional
+racoon_0.4999pre5-20041206cvs_i386.deb net optional
--- ipsec-tools-0.6.6.orig/debian/racoon.prerm
+++ ipsec-tools-0.6.6/debian/racoon.prerm
@@ -0,0 +1,39 @@
+#! /bin/sh
+# prerm script for ipsec-tools
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+# * `remove'
+# * `upgrade'
+# * `failed-upgrade'
+# * `remove' `in-favour'
+# * `deconfigure' `in-favour'
+# `removing'
+#
+# for details, see http://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+
+case "$1" in
+ remove|upgrade|deconfigure)
+# install-info --quiet --remove /usr/info/ipsec-tools.info.gz
+ ;;
+ failed-upgrade)
+ ;;
+ *)
+ echo "prerm called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
+
+
--- ipsec-tools-0.6.6.orig/debian/changelog
+++ ipsec-tools-0.6.6/debian/changelog
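Review bot: `update_param` splices the debconf answer into /etc/default/racoon with `sed -e "s/^ *$1=.*/$1=\"$new\"/"` and no escaping, and that file is later sourced by the init script as root, so a preseeded or hand-set `racoon/config_mode` containing `/`, `&`, `"` or a newline corrupts the defaults file or injects shell text instead of being rejected. The template fixes the answer to two literal choices (its comment notes the values are used directly by postinst) and the generated defaults file already promises "Unknown values are treated as if "direct" was given", so validate before writing: `case "$new_CONFIG_MODE" in direct|racoon-tool) ;; *) new_CONFIG_MODE=direct ;; esac` immediately after `new_CONFIG_MODE="${RET}"`. The `update-rc.d -f racoon remove > /dev/null || exit 0` in the configure branch likewise skips the debconf handling, the `chmod 0600` of psk.txt and `#DEBHELPER#` when it fails; `|| true` is the safer spelling if the removal is best-effort.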
@@ -0,0 +1,585 @@ +ipsec-tools (1:0.6.6-3ubuntu2) feisty; urgency=low + + * Rebuild for changes in the amd64 toolchain. + * Set Ubuntu maintainer address. + + -- Matthias Klose Mon, 5 Mar 2007 01:19:03 +0000 + +ipsec-tools (1:0.6.6-3ubuntu1) feisty; urgency=low + + * Merge from debian unstable. + - LSB init script. + - debian/racoon.init: Create /var/run/racoon. + * src/racoon/grabmyaddr.c: Define IFA_RTA and #include . + + -- Martin Pitt Fri, 3 Nov 2006 10:15:57 +0100 + +ipsec-tools (1:0.6.6-3) unstable; urgency=low + + * Remove old rc*.d symlinks to fix existing installations. + + -- Ganesan Rajagopal Wed, 19 Jul 2006 19:59:57 +0530 + +ipsec-tools (1:0.6.6-2) unstable; urgency=low + + * Fix typo in enabling PAM. + * Include russian translation. + * Don't flush keys on reboot/shutdown (closes: #340740). + * Start racoon in rcS.d to help VPN configurations (closes: #372665). + + -- Ganesan Rajagopal Wed, 19 Jul 2006 17:10:15 +0530 + +ipsec-tools (1:0.6.6-1ubuntu1) edgy; urgency=low + + * Merge from Debian. Only changes left: + - LSB init script. + - debian/racoon.init: Create /var/run/racoon. + + -- Martin Pitt Fri, 30 Jun 2006 10:21:40 +0200 + +ipsec-tools (1:0.6.6-1) unstable; urgency=low + + * New upstream release. + * Added debconf-updatepo in clean target (closes: #372910). + * Compiled with PAM support (closes: #299806, #371053). + * Fixed typo in racoon.templates and corresponding po files. + * Updated Brazilian Portugese, Vietnamese, Swedish, French and Czech + translations for debconf templates (closes: #370148, #369409). + + -- Ganesan Rajagopal Thu, 15 Jun 2006 17:47:58 +0530 + +ipsec-tools (1:0.6.5-6) unstable; urgency=low + + * Fix regex in racoon-tool.conf man page (closes: #352157). + * Switch to "/sbin/modprobe" instead of "/sbin/insmod" for module loading + in racoon-tool (closes: #298286). + * Apply patch by Teddy Hogeborn to fix as1dn handling + by racoon-tool (closes: #296259). 
+ * Apply patch by Kristjan Räts to make sure + racoon is configured before it's started (closes: #304573). + * Officially deprecate racoon-tool and cleanup debconf template + (closes: #338216). + * Update Standards-Version to 3.7.2 (no packaging changes required). + + -- Ganesan Rajagopal Mon, 29 May 2006 15:43:05 +0530 + +ipsec-tools (1:0.6.5-5) unstable; urgency=low + + * Fix "dereferencing type-punned...." gcc-4.1 FTBFS bug (closes: #361334). + * Include updated French translation (closes: #338642). + * Include swedish debconf translation (closes: #330569). + * Fix racoon-tool tool braindead shutdown delay (closes: #332814). + + -- Ganesan Rajagopal Wed, 17 May 2006 17:03:11 +0530 + +ipsec-tools (1:0.6.5-4ubuntu1) dapper; urgency=low + + * Synchronize to Debian to bring in new upstream version. + - UVF exception approved by Matt Zimmerman. + - New version repairs racoon for road warrior setup (which broke in + earlier Dapper versions, but worked fine in Breezy). Closes: LP#40386 + + -- Martin Pitt Tue, 9 May 2006 11:33:01 +0200 + +ipsec-tools (1:0.6.5-4) unstable; urgency=low + + * Fixed FTBFS on another source file on 64-bit platforms. (closes: #359092). + * Include samples directory in package. + + -- Ganesan Rajagopal Thu, 30 Mar 2006 14:30:45 +0530 + +ipsec-tools (1:0.6.5-3) unstable; urgency=low + + * Fixed FTBFS on 64-bit platforms (closes: #359092). + + -- Ganesan Rajagopal Mon, 27 Mar 2006 17:41:45 +0530 + +ipsec-tools (1:0.6.5-2) unstable; urgency=low + + * Enable GSSAPI/Kerberos 5 support (closes: #352040). + + -- Ganesan Rajagopal Sun, 26 Mar 2006 09:48:51 +0530 + +ipsec-tools (1:0.6.5-1) unstable; urgency=low + + * New upstream release. + * Don't rerun bootstrap because upstream libtool problem is fixed. + + -- Ganesan Rajagopal Tue, 7 Feb 2006 13:40:27 +0530 + +ipsec-tools (1:0.6.4-1ubuntu2) dapper; urgency=low + + * Create /var/run/racoon in the init script. 
+ + -- Scott James Remnant Wed, 19 Apr 2006 14:26:13 +0100 + +ipsec-tools (1:0.6.4-1ubuntu1) dapper; urgency=low + + * Resynchronise with Debian. + + -- Martin Pitt Tue, 7 Feb 2006 11:45:50 +0100 + +ipsec-tools (1:0.6.4-1) unstable; urgency=low + + * New upstream release. + * Apply racoon-tool patch to use modprobe instead of insmod + (closes: #320087). + * Rerun bootstrap because upstream libtool appears to be broken (configure + breaks if g++ is not installed). + + -- Ganesan Rajagopal Tue, 24 Jan 2006 10:20:11 +0530 + +ipsec-tools (1:0.6.3-1) unstable; urgency=low + + * New upstream release with fix for CVE-2005-3732 (closes: #340584). + + -- Ganesan Rajagopal Mon, 28 Nov 2005 11:58:31 +0530 + +ipsec-tools (1:0.6.2-2ubuntu2) dapper; urgency=low + + * Rebuild against openssl 0.9.8. + + -- Martin Pitt Mon, 30 Jan 2006 10:48:21 +0000 + +ipsec-tools (1:0.6.2-2ubuntu1) dapper; urgency=low + + * Resynchronise with Debian. + + -- Tollef Fog Heen Fri, 11 Nov 2005 09:59:03 +0100 + +ipsec-tools (1:0.6.2-2) unstable; urgency=low + + * Fix build breakage with OpenSSL 0.9.8 (closes: #334669). + + -- Ganesan Rajagopal Mon, 31 Oct 2005 11:19:53 +0530 + +ipsec-tools (1:0.6.2-1) unstable; urgency=low + + * New upstream release. + * Update FSF address in copyright. + * Remove bashism in postinst. + + -- Ganesan Rajagopal Tue, 18 Oct 2005 10:30:53 +0530 + +ipsec-tools (1:0.6.1-1) unstable; urgency=low + + * New upstream release + + -- Ganesan Rajagopal Sun, 21 Aug 2005 13:24:15 +0530 + +ipsec-tools (1:0.6-2) unstable; urgency=low + + * Add debconf-2.0 as an alternate for debconf dependency. + * Updated standards version. + * Fixed racoonctl breakage (closes: #320535). + + -- Ganesan Rajagopal Sat, 13 Aug 2005 09:27:43 +0530 + +ipsec-tools (1:0.6-1ubuntu1) breezy; urgency=low + + * LSB init scripts. + + -- LaMont Jones Wed, 28 Sep 2005 18:33:52 -0600 + +ipsec-tools (1:0.6-1) unstable; urgency=low + + * New upstream release. 
+ * Include Vietnamese translation for debconf template (closes: #312031). + * Include Japanese translation for debconf template (closes: #309732). + * Registering /etc/init.d/setkey in rcS.d before ifupdown (closes: #303451). + + -- Ganesan Rajagopal Wed, 29 Jun 2005 10:16:54 +0530 + +ipsec-tools (1:0.5.2-1) unstable; urgency=high + + * New upstream release. This release fixes ph2handle unlink bug + (closes: #307233). + * Urgency high because of fix for security problem with single DES. + * Applied patch from Richard Lucassen to pass options to racoon via + /etc/default/racoon file. + + -- Ganesan Rajagopal Wed, 4 May 2005 13:46:45 +0530 + +ipsec-tools (1:0.5.1-2) unstable; urgency=low + + * Disabled readline support because it introduces a bug in setkey and + confuses a lot of people (closes: #303573). + * Added Build-Conflicts for bison++ (closes: #305974). + + -- Ganesan Rajagopal Mon, 2 May 2005 10:18:04 +0530 + +ipsec-tools (1:0.5.1-1) unstable; urgency=low + + * New upstream release (closes: #305310). + * Removed --enabled-stats while building (closes: #300718). + * Removed --enable-ipv6 while build; this enables IPv6 automatically. + (closes: #304000). + + -- Ganesan Rajagopal Tue, 19 Apr 2005 15:47:29 +0530 + +ipsec-tools (1:0.5-5) unstable; urgency=high + + * Fix ISAKMP Header Parsing DoS bug (closes: #299716). + * Quote URL in README.Debian to avoid confusion (closes: #297179). + + -- Ganesan Rajagopal Wed, 16 Mar 2005 09:31:30 +0530 + +ipsec-tools (1:0.5-4) unstable; urgency=low + + * Fix typo in ipsec-tools.setkey.init (closes: #296912). + + -- Ganesan Rajagopal Sat, 26 Feb 2005 11:39:19 +0530 + +ipsec-tools (1:0.5-3) unstable; urgency=low + + * Renamed ipsec.conf to ipsec-tools.conf to avoid conflict with openswan + (closes: #296079). + * Fix bug in quotes handling for peers_certfile (closes: #296105). 
+ + -- Ganesan Rajagopal Sun, 20 Feb 2005 21:51:41 +0530 + +ipsec-tools (1:0.5-2) unstable; urgency=low + + * Fix compile warnings to avoid build failures on 64-bit platforms. + + -- Ganesan Rajagopal Sat, 19 Feb 2005 10:03:27 +0530 + +ipsec-tools (1:0.5-1) unstable; urgency=low + + * New upstream stable release. + * Forced to introduce epoch because I misunderstood how comparing + version strings works (0.4999 > 0.5). I can't believe I screwed up + this one :-(. + * Added initscript to run setkey on boot (closes: #276970). + * Renamed racoon.init.d to racoon.init as per dh_installinit documentation. + * Added note in README.Debian that racoon-tool may lag behind in features. + * Included racoon.conf samples directory. + * Added note in sample racoon.conf that it will not be used if racoon-tool + is used. + + -- Ganesan Rajagopal Fri, 18 Feb 2005 11:00:23 +0530 + +ipsec-tools (0.4999pre0.5rc2-3) unstable; urgency=low + + * Added libssl-dev to build-deps (closes: #295263). + * Updated racoon-tool.pl to handle certtype for peers_certfile + (closes: #295035). + * Escape quote ('"') characters in racoon-tool.pl to prevent messing up + syntax highlighting in emacs. + + -- Ganesan Rajagopal Thu, 17 Feb 2005 14:34:06 +0530 + +ipsec-tools (0.4999pre0.5rc2-2) unstable; urgency=low + + * Applied patch to support SPD levels and NAT traversl from + Lockenvitz Jan EXT + (closes: #277285). + * Included debconf template Czech translation by + Miroslav Kure (closes: #294779). + + -- Ganesan Rajagopal Mon, 14 Feb 2005 18:27:14 +0530 + +ipsec-tools (0.4999pre0.5rc2-1) unstable; urgency=low + + * New upstream release. + * Redone packaging using debhelper. + * Upstream supports Linux fwd policy (closes: #292850). + * Source address patch applied upstream (closes: #289604). + * Enabled NATT support (closes: #238795). + * Removed empty racoon.conf (closes: #255124). + * Fixed paths in man pages (closes: #276854). 
+ + -- Ganesan Rajagopal Tue, 1 Feb 2005 13:55:37 +0530 + +ipsec-tools (0.3.3-7) unstable; urgency=low + + * Fixed fix memory leak in crypto_openssl.c (closes: #292732). + * French translation already included (closes: #245583). + * Brazilian portugese translation already included (closes: #262550). + * We don't include a debbugs URL anymore (closes: #220089). + + -- Ganesan Rajagopal Tue, 1 Feb 2005 13:48:22 +0530 + +ipsec-tools (0.3.3-6) unstable; urgency=low + + * Taking over as maintainer from Matthew Grant with his approval. + + -- Ganesan Rajagopal Mon, 31 Jan 2005 20:52:43 +0530 + +ipsec-tools (0.3.3-5) unstable; urgency=low + + * Removed unneeded dependency on ed from control file, which I forgot to do. + + -- Matthew Grant Sat, 18 Dec 2004 16:14:10 +1300 + +ipsec-tools (0.3.3-4) unstable; urgency=medium + + * Didn't properly fix Bug #285103. This upload fixes it by adjusting the + config scripts. Priority set to medium to make sure that the 3 RC bugs get + cleared promptly from testing version. Removed use of ed as this tool + is only used in racoon.postint, and is not needed by any package essential + to run a firewall. + + -- Matthew Grant Sat, 18 Dec 2004 11:46:36 +1300 + +ipsec-tools (0.3.3-3) unstable; urgency=low + + * Fix use of 'find' in debian/rules. Thanks to Christian Ospelkaus + for patch. (closes: #285788) + * Fix use of $? after another command execution in if statement at line 2161 + of racoon-tool. Thanks to shonorio@alpargatas.com.br + for analysis. (closes: #285549) + * debian/racoon.init.d: In stop target, pass option --name instead of + --exec to start-stop-daemon to make sure old versions of the daemon + are properly stopped even if a new version is already on disk. + (closes: #285117) (Daniel Kobras ) + * debian/racoon.{config,postinst}: Seed debconf settings from + configuration file, and take care to preserve manual changes. 
+ (closes: #285103) (Daniel Kobras ) + * debian/control: Add ed to racoon's dependencies as it is used in the + postinst script. (Daniel Kobras ) + + -- Matthew Grant Thu, 16 Dec 2004 22:29:48 +1300 + +ipsec-tools (0.3.3-2) unstable; urgency=medium + + * Fix spelling mistake for 'available' in racoon init script. (closes: #249288) + * Fixed URL in README.certificate (closes: #252513) + * Fixed gzipping of under sized files (closes: #279739) + * Added french debconf translation for racoon (closes: #245251) + * Added pt_BR.po Brazilian Portuguese translation for raccon debconf + (closes #262550) + * Added German de.po for raccon debconf (closes: #263055) + * Applied patch from Wilfried Weissmann who + forwarded a fix for "initial_contact" spelling error (closes: #280837) + * Fixed racoon-tool address type parsing bug. Fix forwarded by + Kolja Waschk (closes: #269934) + * Fixed racoon-tool port parsing bug with port numbers more than 3 chars. + Patch from Jeremy Jackson (closes: #260875) + * Fixed parsing of file paths delimited by optional double quotes. + (closes: #257350) + + -- Matthew Grant Fri, 26 Nov 2004 08:34:17 +1300 + +ipsec-tools (0.3.3-1) unstable; urgency=high + + * Security upload. Updated to vesion 0.3.3 which fixes a "authentication + bug in KAME's racoon" in eay_check_x509cert() (Bugtraq + http://seclists.org/lists/bugtraq/2004/Jun/0219.html) (closes: #254663). + * Fix for "racooninit" in racoon-tool.conf. Applied patch submitted by + Teddy Hogeborn . (closes: #249222) + * Stopped patching racoon.conf.5 manpage as the "Japlish" fix is now in the + source tree. + + -- Matthew Grant Thu, 17 Jun 2004 09:05:50 +1200 + +ipsec-tools (0.3.1-4) unstable; urgency=low + + * Fixed autoconf more so that it only gets called by maintainer. This is to + fix the woody backport support. + + -- Matthew Grant Thu, 22 Apr 2004 15:55:45 +1200 + +ipsec-tools (0.3.1-3) unstable; urgency=high + + * Security upload. 
Correct urgency so that it will be accepted into + testing in 2 days because version in testing suffers from CAN-2004-0403 + and CAN-2004-0155. + * New upstrem release. Fixes remote DoS in racoon (CAN-2004-0403) + (closes: #244182). Repeated for sake of BTS. + + -- Matthew Grant Thu, 22 Apr 2004 10:42:49 +1200 + +ipsec-tools (0.3.1-2) unstable; urgency=high + + * Security upload. Correct urgency so that it will be accepted into + testing in 2 days because version in testing suffers from CAN-2004-0403 + and CAN-2004-0155. + * New upstrem release. Fixes remote DoS in racoon (CAN-2004-0403) + (closes: #244182). Repeated for sake of BTS. + + -- Matthew Grant Thu, 22 Apr 2004 10:00:58 +1200 + +ipsec-tools (0.3.1-1) unstable; urgency=high (Fixes remote DoS CAN-2004-0403) + + * New upstrem release. Fixes remote DoS in racoon (CAN-2004-0403) + (closes: #244182) + * Enable shared libraries for libipsec - had been turned off upstream. + * Removed support for GNU readline as there is definitely a licensing + conflist, and it breadks the stdin processing of setkey which is needed + for racoon-tool. + * rpm building Makefile was causing a lot of grief by recursively calling + toplevel makefile. Removed from configure.ac + * Removed autoconf from build targets as rebuilding Makefile.in makes + debian/rules clean target non-idempotent. + * Security release, set urgency to high. + + -- Matthew Grant Thu, 22 Apr 2004 08:42:28 +1200 + +ipsec-tools (0.2.5-2) unstable; urgency=low + + * New upstream release. Fixes the the X509 security authentication bug. + (CAN-2004-0155) Closes: #242327 + * Finally worked out autoconf so that it is dependable. Package needs to + use 2 DIFFERENT versions of autoconf so that it works! + * Fixed some 'Japlish' in the racoon.conf.5 manpage. Closes: #235456 + + -- Matthew Grant Wed, 7 Apr 2004 16:05:34 +1200 + +ipsec-tools (0.2.5-1) unstable; urgency=low + + * Botched upload due to Ctrl-C-ing dupload... 
+ + -- Matthew Grant Wed, 7 Apr 2004 13:18:03 +1200 + +ipsec-tools (0.2.4-3) unstable; urgency=low + + * Fixed start and stop being in the wrong order in legacy init.d target. + Closes: #198755 + * Rearranged racoon maintainer scripts starting and stopping of daemon. + Dropped testing of kernel in postinst - test in init script is enough. + Closes: #233642 + * Reorganised the debconf screens as there was too many of them. + Closes: #240056. Removal of one of the screens - Closes: #240010 + * Installed a README.Debian in the racoon package, describing most + things needed to get racoon starting properly. + * Replaced racoon.conf with a far simpler one to make sure racoon + has a good chance of starting properly. Closes: #209226 + * Made sure packaged is autoconfed correctly. This was causing + trouble when building with set CC, CPP and CFLAGS in environment. + Closes: #229614 + * Set racoon and ipsec-tools priorities to optional, shouldn't be extra. + Closes: #212985 + + -- Matthew Grant Sun, 28 Mar 2004 23:19:16 +1200 + +ipsec-tools (0.2.4-2) unstable; urgency=low + + * Fix problem with do_patch do_unpatch not having execute bits set on + dpkg-source -x causing build failures. Closes: Bug#239668 + * Forgot to mention that upgrade to upstream does this: Closes: Bug#216650 + * Upstream release also Closes: Bug#233642 Closes: Bug#231006, Bug#224960 + * This build also Closes: Bug#230269, lintian checks found it! + + -- Matthew Grant Thu, 25 Mar 2004 22:32:34 +1200 + +ipsec-tools (0.2.4-1) unstable; urgency=low + + * Upload takes over maintainership of ipsec-tools. I have already emailed + Wichert Akkerman , and he has said this is good and OK. + * Converted templates to po-debconf. + * Built support into debian/rules, templates and control files to allow + easy building on woody as well as unstable. + * Rebuilt autoconf and libtool using latest versions in sid. This should + fix ARM compilation problems. + * Ported to sid. 
+ * Included patches and portablilty in debian/rules to make building + on either tons easier. + + -- Matthew Grant Wed, 24 Mar 2004 08:41:14 +1200 + +ipsec-tools (0.2.4-0.mag.4) unstable; urgency=low + + * Set up a quick and dirty patching scheme so that all changes are in + debian directory. Make source tree easier to maintain. + * Make a test build. + + -- Matthew Grant Mon, 22 Mar 2004 02:40:53 +0000 + +ipsec-tools (0.2.4-0.mag.3) unstable; urgency=low + + * Made it generate a .diff file. + + -- Matthew Grant Mon, 22 Mar 2004 01:51:20 +0000 + +ipsec-tools (0.2.4-0.mag.2) unstable; urgency=low + + * Added manpages for racoon-tool(8) and racoon-tool.conf(5) + * Updated copyright file etc. + * Fixed a lot of problems lintian detected. + + -- Matthew Grant Sun, 21 Mar 2004 21:01:07 +0000 + +ipsec-tools (0.2.4-0.mag.1) unstable; urgency=low + + * Fix install so that racoon goes into /usr/sbin. + * Fix restart operation of racoon init script. + * Set up debconf to either select racoon-tool or use direct editing + of the configuration. Default to direct configuration mode. + * Fix dependency generation for racoon package. + * Fix racoon init scripts and posinst script to detect if a suitable + kernel is installed. + + -- Matthew Grant Wed, 17 Mar 2004 00:34:24 +0000 + +ipsec-tools (0.2.4-0.mag.0) unstable; urgency=low + + * Updated to new upstream release. + + -- Matthew Grant Tue, 2 Mar 2004 03:05:17 +0000 + +ipsec-tools (0.2.2-8) unstable; urgency=low + + * Give libtool and auto* the deserved kick in the pants and upgrade them + to newer versions which do not break on ARM. Closes: Bug#221553 + + -- Wichert Akkerman Wed, 19 Nov 2003 13:42:19 +0100 + +ipsec-tools (0.2.2-7) unstable; urgency=low + + * Tell configure that our kernel includes are in /usr/include. 
+ Closes: Bug#221380 + * Stop using debian email address in changelog as well + + -- Wichert Akkerman Tue, 18 Nov 2003 11:13:48 +0100 + +ipsec-tools (0.2.2-6) unstable; urgency=low + + * Build using the new linux-kernel-headers package + * Split out racoon into its own package + + -- Wichert Akkerman Fri, 14 Nov 2003 00:09:21 +0100 + +ipsec-tools (0.2.2-5) unstable; urgency=low + + * Update kernel headers so DES and 3DES work again with current kernels. + + -- Wichert Akkerman Mon, 23 Jun 2003 14:01:40 +0200 + +ipsec-tools (0.2.2-4) unstable; urgency=low + + * Fix logic error in init script which prevented racoon from being + started + * Update link to the PKIX certificate documentation + * Use invoke-rc.d. Note that whoever decided its --query option should + return 104 on an obvious success case should be shot. + * Include GSSAPI copyright. Closes: Bug#192281 + + -- Wichert Akkerman Wed, 14 May 2003 11:21:47 +0200 + +ipsec-tools (0.2.2-3) unstable; urgency=low + + * Add libssl-dev Build-Depend. Closes: Bug#186750 + * Add a Standards-Version. Closes: Bug#186748 + * Update config.{guess,sub} to version from autotools-dev 20030110.1. + Closes: Bug#186587 + * Don't abort if make distclean fails. Closes: Bug#186751 + + -- Wichert Akkerman Sat, 29 Mar 2003 18:16:01 +0100 + +ipsec-tools (0.2.2-2) unstable; urgency=low + + * Add a real description and copyright + * Install all racoon documentation + * Install conffiles + * Fix permissions, compress manpages + * Properly restart and stop racoon on upgrade and removal + + -- Wichert Akkerman Sat, 22 Mar 2003 18:42:03 +0100 + +ipsec-tools (0.2.2-1) unstable; urgency=low + + * First trivial packaging + + -- Wichert Akkerman Sat, 15 Mar 2003 11:53:05 +0100 + --- ipsec-tools-0.6.6.orig/debian/racoon.README.Debian +++ ipsec-tools-0.6.6/debian/racoon.README.Debian 
@@ -0,0 +1,34 @@
+Debian README for racoon
+------------------------
+
+This package requires a 2.6 kernel with IPSEC available, or a 2.4 kernel
+with the new IPSEC backport as in the latest 2.4 kernel source in sid and
+sarge.
+
+Please note that the xfrm_user.o module must be loaded unless statically
+compiled into the kernel so that the /proc/net/pfkey file is available for
+setkey and racoon.
+
+If a suitable kernel is not installed, or /proc/net/pfkey is not available
+racoon will fail to start properly.
+
+You will also have to make sure all required kernel encryption and xfrm
+modules are loaded, or that they are statically linked if using 'direct'
+debconf configuration.
+
+racoon-tool
+-----------
+racoon-tool is now officially deprecated. It used to be the preferred method
+of configuration in older releases (till 0.3.1) but is now deprecated because
+of several reasons; it's debian specific, upstream doesn't like it, it lags
+behind in features when compared to racoon.conf(5). If you're interested in
+using the latest and greatest feature in racoon, use /etc/racoon.conf
+directly.
+
+Further Information
+-------------------
+Further information about the new Linux KAME/racoon IPSEC can be found
+up at http://ipsec-tools.sourceforge.net, and a HOWTO can be found up at
+"http://www.ipsec-howto.org/t1.html".
+
+ -- Ganesan Rajagopal , Mon, 29 May 2006 14:16:56 +0530
--- ipsec-tools-0.6.6.orig/debian/racoon-tool.pl
+++ ipsec-tools-0.6.6/debian/racoon-tool.pl
@@ -0,0 +1,2468 @@ +#!/usr/bin/perl -w +# +# Script for configuring linux 2.6.x IPSEC +# +# Copyright 2004 Matthew Grant, Catalyst IT Ltd, GPL2 +# + +# Loads and unloads all modules needed for IPSEC + +# Writes configuration files for racoon + +# Administers SPD in kernel using setkey program + +# Basically imitates Free S/WAN without all the kludgy garbage... + +# We are only dealing with IP addresses +use integer; + +sub mod_ls (); +sub mod_load ($); +sub mod_unload ($); +sub usage (); +sub mod_start(); +sub mod_stop(); +sub sad_flush(); +sub spd_flush(); +sub parse_config(); +sub ipsec_start(); +sub ipsec_stop(); +sub ipsec_load(); +sub spd_show(); +sub sad_show(); +sub parse_spd(\@\%); +sub conn_dump_list(); +sub peer_dump_list(); +sub global_dump_list(); +sub spd_dump_list(\@\%); +sub prog_warn($$;$); +sub prog_die($;$); +sub match_spd_connection(\@\%); +sub conn_down_handle($); +sub conn_down (\@\%$;$$); +sub conn_list($); +sub log_backend(); +sub conn_up_handle($); +sub conn_menu($); +sub racoon_write_config($$); +sub racoon_configure(;$); +sub peer_get_indexes (\%); +sub conn_reload_handle($); +sub check_if_running (); +sub racoon_start(); +sub racoon_stop(); +sub basename($$); +sub openlog($$$); +sub syslog($$); + +$proc_modules = "/proc/modules"; +$kver = `uname -r`; chomp $kver; +$modpath = "/lib/modules/" . $kver; +$modpath_ipsec = "$modpath/kernel/net/ipv4"; +$modpath_ipsec6 = "$modpath/kernel/net/ipv6"; +$modpath_xfrm = "$modpath/kernel/net/xfrm"; +$modpath_key = "$modpath/kernel/net/key"; +$modpath_crypto = "$modpath/kernel/crypto"; +$modpath_zlib = "$modpath/kernel/lib/zlib_deflate"; +$modext = ( $kver =~ /^2\.6\./ ? 
".ko" : ".o" ); +$progname = basename($0, ""); +$proc_ipv4 = "/proc/sys/net/ipv4"; +$proc_ipv6 = "/proc/sys/net/ipv6"; + +$setkey_cmd = "/usr/sbin/setkey"; +$confdir = "/etc/racoon"; +$vardir = "/var/lib/racoon"; +$conffile = "${confdir}/racoon-tool.conf"; +$less_cmd = "/usr/bin/less"; +$more_cmd = "/bin/more"; +$pager_cmd = ( -x $less_cmd ? $less_cmd : $more_cmd ); +@pager_flags = ( -x $less_cmd ? ( '-MMXEi' ): ()); +# Handle BSD and SYSV ps... +$ps_cmd = ($^O =~ /bsd/i ? "ps axc" : "ps -e"); +$psf_cmd = ($^O =~ /bsd/i ? "ps axw" : "ps -eo pid,cmd"); +$racoon_cmd = "/usr/sbin/racoon"; +%fmt = ( 'normal' => 1, 'brief' => 2, 'comma' => 3 ); +$global_format = $fmt{'normal'}; +local $proc_id = $$; +$racoon_kill_delay = 25; # seconds + +# global settings hash +my $global_proplist = 'path_pre_shared_key|path_certificate|path_racoon_conf|racoon_command|racoon_pid_file|log|listen\[[0-9a-z]\]|complex_bundle'; +my %global = ( + 'path_pre_shared_key' => "$confdir/psk.txt", + 'path_certificate' => "$confdir/certs", + 'path_racoon_conf' => "${vardir}/racoon.conf", + 'racoon_command' => "${racoon_cmd} -f ___path_racoon_conf___", + 'racoon_pid_file' => "/var/run/racoon.pid", + ); + +# Peer related stuff +my $peer_proplist = 'exchange_mode|encryption_algorithm\[[0-9a-z]\]|hash_algorithm\[[0-9a-z]\]|dh_group\[[0-9a-z]\]|authentication_method\[[0-9a-z]\]|remote_template|lifetime|verify_identifier|verify_cert|passive|generate_policy|my_identifier|peers_identifier|certificate_type|peers_certfile|support_mip6|send_cr|send_cert|initial_contact|proposal_check|nat_traversal|nonce_size'; +my %peer_list = ( '%default' => { + 'exchange_mode' => 'main', + 'encryption_algorithm[0]' => '3des', + 'hash_algorithm[0]' => 'sha1', + 'dh_group[0]' => 'modp1024', + 'authentication_method[0]' => 'pre_shared_key', + 'remote_template' => '%default' + }, + '%anonymous' => { + 'passive' => 'on', + 'generate_policy' => 'on' + } ); + +# Connection related stuff +my $conn_proplist = 
'src_range|dst_range|src_ip|dst_ip|upperspec|encap|mode|level|admin_status|spdadd_template|sadadd_template|sainfo_template|pfs_group|lifetime|encryption_algorithm|authentication_algorithm|compression'; +my @conn_required_props = ( 'src_ip', 'dst_ip'); +my %connection_list = ( '%default' => { + 'admin_status' => 'disabled', + 'upperspec' => 'any', + 'encap' => 'esp', + 'level' => 'unique', + 'spdadd_template' => '%default', + 'sadadd_template' => '%default', + 'sainfo_template' => '%default', + 'pfs_group' => 'modp1024', + 'encryption_algorithm' => 'aes,3des', + 'authentication_algorithm' => 'hmac_sha1,hmac_md5' + }, + '%anonymous' => { + 'admin_status' => 'disabled' + } ); + +my %prop_typehash = ( 'connection' => { + 'src_range' => 'range', + 'dst_range' => 'range', + 'src_ip' => 'ip', + 'dst_ip' => 'ip', + 'upperspec' => 'upperspec', + 'encap' => 'encap', + 'level' => 'level', + 'mode' => 'mode', + 'admin_status' => 'boolean', + 'spdadd_template' => 'template_name', + 'sadadd_template' => 'template_name', + 'sainfo_template' => 'template_name', + 'pfs_group' => 'pfs_group', + 'lifetime' => 'lifetime', + 'encryption_algorithm' => 'phase2_encryption', + 'authentication_algorithm' => 'phase2_auth_algorithm', + 'compression' => 'boolean' + }, + 'peer' => { + 'exchange_mode' => 'phase1_exchange_mode', + 'encryption_algorithm' => 'phase1_encryption', + 'hash_algorithm' => 'hash_algorithm', + 'dh_group' => 'dh_group', + 'authentication_method' => 'phase1_auth_method', + 'remote_template' => 'template_name', + 'lifetime' => 'lifetime', + 'verify_identifier' => 'switch', + 'verify_cert' => 'switch', + 'passive' => 'switch', + 'generate_policy' => 'switch', + 'initial_contact' => 'switch', + 'send_cr' => 'switch', + 'send_cert' => 'switch', + 'support_mip6' => 'switch', + 'my_identifier' => 'identifier', + 'peers_identifier' => 'identifier', + 'certificate_type' => 'certificate', + 'peers_certfile' => 'peers_certfile', + 'nonce_size' => 'nonce_size', + 'proposal_check' => 
'proposal_check', + 'nat_traversal' => 'nat_traversal' + }, + 'global' => { + 'racoon_command' => 'shell_command', + 'racoon_pid_file' => 'path_generated_file', + 'path_pre_shared_key' => 'path_conf_file', + 'path_racoon_conf' => 'path_generated_file', + 'path_certificate' => 'path_certificate', + 'log' => 'log', + 'listen' => 'listen', + 'complex_bundle' => 'switch' + } + ); + +my %prop_syntaxhash = ( 'range' => '{ip-address|ip-address/masklen|ip-address[port]|ip-address/masklen[port]}', + 'ip' => '{ip-address} - IPv4 or IPv6', + 'uppserspec' => '{protocol} - number or /etc/protocols or any or icmp6', + 'encap' => '{ah|esp}', + 'mode' => '{tunnel|transport}', + 'boolean' => '{enabled|disabled|true|false|yes|no|up|down|on|off|0|1}', + 'template_name' => '{template-name} - can be %default or ^[-a-zA-Z0-9_]+', + 'level' => '{default|use|require|unique}', + 'phase1_exchange_mode' => '{main|aggressive|base}', + 'phase1_encryption' => '{aes|des|3des|blowfish|cast128}', + 'hash_algorithm' => '{md5|sha1}', + 'dh_group' => '{modp768|modp1024|modp1536|1|2|5}', + 'pfs_group' => '{none|modp768|modp1024|modp1536|1|2|5}', + 'phase1_auth_method' => '{pre_shared_key|rsasig}', + 'switch' => '{on|off}', + 'lifetime' => '{time} {integer} {hour|hours|min|mins|minutes|sec|secs|seconds}', + 'phase2_encryption' => '{aes|des|3des|des_iv64|des_iv32|rc5|rc4|idea|3idea|cast128|blowfish|null_enc|twofish|rijndael}', + 'phase2_auth_algorithm' => '{aes|des|3des|des_iv64|des_iv32|hmac_md5|hmac_sha1|non_auth}', + 'identifier' => '{address [ip-address]|fqdn dns-name|user_fqdn user@dns-name|keyid file-name|asn1dn [asn1-name]}', + 'certificate' => '{x509 cert-file privkey-file}', + 'peers_certfile' => '{x509|plain_rsa|dnssec} {cert-file}', + 'path_conf_file' => '{full-path-file-name}', + 'shell_command' => '{shell-command}', + 'path_generated_file' => '{full-path-file-name}', + 'path_certificate' => '{full-path-dir}', + 'log' => '{notify|debug|debug2}', + 'listen' => '{ip-address} [[port]]', + 
'proposal_check' => '{obey|strict|claim|exact}', + 'nat_traversal' => '{on|off|force}', + 'nonce_size' => '{number} - between 8 and 256' + ); + +my %bool_val = ( 'enabled' => 1, + 'disabled' => 0, + 'true' => 1, + 'false' => 0, + 'yes' => 1, + 'no' => 0, + 'up' => 1, + 'down' => 0, + 'on' => 1, + 'off' => 0, + '0' => 0, + '1' =>1 ); + +# Default templates for spdadd and sadadd defined here +my $sadadd_default = ""; +my $spdadd_default = <<'EOF'; +spdadd ___src_range___ ___dst_range___ ___upperspec___ -P out ipsec + ___encap___/___mode___/___src_ip___-___dst_ip___/___level___; + +spdadd ___dst_range___ ___src_range___ ___upperspec___ -P in ipsec + ___encap___/___mode___/___dst_ip___-___src_ip___/___level___; + +EOF +%spdadd_addons = ( 'ipcomp_in' => 'ipcomp/___mode___/___dst_ip___-___src_ip___/use', + 'ipcomp_out' => 'ipcomp/___mode___/___src_ip___-___dst_ip___/use' + ); + +my $racoon_init_default = <<"EOF"; +path pre_shared_key ___path_pre_shared_key___; +path certificate ___path_certificate___; + +EOF +%init_addons = ('log' => 'log ___log___;', + 'listen' => "listen {\n\tstrict_address;\n}", + 'isakmp' => 'isakmp ___listen___;', + 'complex_bundle' => 'complex_bundle ___complex_bundle___;' + ); + + +my $remote_default = <<'EOF'; +remote ___dst_ip___ { + exchange_mode ___exchange_mode___; +} + +EOF +my $remote_proposal = <<'EOF'; + proposal { + encryption_algorithm ___encryption_algorithm___; + hash_algorithm ___hash_algorithm___; + authentication_method ___authentication_method___; + dh_group ___dh_group___; + } +EOF + +%remote_addons = ( 'verify_identifier' => 'verify_identifier ___verify_identifier___;', + 'verify_cert' => 'verify_cert ___verify_cert___;', + 'passive' => 'passive ___passive___;', + 'generate_policy' => 'generate_policy ___generate_policy___;', + 'my_identifier' => 'my_identifier ___my_identifier___;', + 'peers_identifier' => 'peers_identifier ___peers_identifier___;', + 'peers_certfile' => 'peers_certfile ___peers_certfile___;', + 
'certificate_type' => 'certificate_type ___certificate_type___;', + 'lifetime' => 'lifetime ___lifetime___;', + 'initial_contact' => 'initial_contact ___initial_contact___;', + 'send_cr' => 'send_cr ___send_cr___;', + 'send_cert' => 'send_cert ___send_cert___;', + 'support_mip6' => 'support_mip6 ___support_mip6___;', + 'nonce_size' => 'nonce_size ___nonce_size___;', + 'proposal_check' => 'proposal_check ___proposal_check___;', + 'nat_traversal' => 'nat_traversal ___nat_traversal___;' + ); + +my $sainfo_default = <<'EOF'; +sainfo address ___src_range___ ___upperspec___ address ___dst_range___ ___upperspec___ { + encryption_algorithm ___encryption_algorithm___; + authentication_algorithm ___authentication_algorithm___; + compression_algorithm deflate; +} + +EOF +%sainfo_addons = ( 'pfs_group' => 'pfs_group ___pfs_group___;', + 'lifetime' => 'lifetime ___lifetime___;' + ); + +@modules = (); +@modules_ipsec = ('ah4', 'esp4', 'ipcomp'); +@modules_ipsec6 = ('ah6', 'esp6', 'ipcomp6'); + +# Make stdout and stderr unbuffered +select STDERR; +$| = 1; +select STDOUT; +$| = 1; + +# Make sure we are running as root +if ( $> != 0 ) { + print STDERR "$progname: must be root to run this.\n"; + exit 1; +} + +# 'Open' syslog +openlog ($progname, 'pid', 'daemon'); + +# Handle logging backend if '-l' switch given +log_backend (); + +# See if we are already running... +check_if_running(); + +mod_ls(); + +parse_config(); + +$have_1arg = "vpndown|vpnup|vpnreload|vpnlist|vpnmenu|vdown|vup|vreload|vlist|vmenu"; + +# Process command line... 
+foreach my $i ( 0..$#ARGV ) { + $ARGV[$i] = lc $ARGV[$i]; +} + +SWITCH: { + !defined $ARGV[0] && do { + usage (); + exit 1; + }; + $ARGV[0] =~ /^(${have_1arg})$/ && @ARGV > 2 && do { + usage (); + exit 1; + }; + $ARGV[0] !~ /^(${have_1arg})$/ && @ARGV > 1 && do { + usage (); + exit 1; + }; + + $ARGV[0] =~ /^start$/ && do { + + ipsec_start (); + + last SWITCH; + }; + $ARGV[0] =~ /^stop$/ && do { + + ipsec_stop (); + + last SWITCH; + }; + $ARGV[0] =~ /^reload$/ && do { + + ipsec_load (); + + last SWITCH; + }; + $ARGV[0] =~ /^(restart|force-reload)$/ && do { + + ipsec_stop (); + + @modules = (); + ipsec_start (); + + last SWITCH; + }; + + $ARGV[0] =~ /^(sadshow|saddump|dump)$/ && do { + # Show the SAD + sad_show (); + last SWITCH; + }; + $ARGV[0] =~ /^(spdshow|spddump)$/ && do { + # Show the SPD + spd_show (); + last SWITCH; + }; + + $ARGV[0] =~ /^(sadflush|flush)$/ && do { + + # Flush the SAD + print "Flushing SAD...\n"; + sad_flush (); + print "SAD flushed.\n"; + prog_warn 'info', "manually flushed SAD"; + + last SWITCH; + }; + + $ARGV[0] =~ /^spdflush$/ && do { + + # Flush the SPD + print "Flushing SPD...\n"; + spd_flush (); + print "SPD flushed.\n"; + prog_warn 'info', "manually flushed SPD"; + + last SWITCH; + }; + + $ARGV[0] =~ /^(vpndown|vdown)$/ && do { + + # Go and do it + conn_down_handle ($ARGV[1]); + + last SWITCH; + }; + + $ARGV[0] =~ /^(vpnmenu|vmenu)$/ && do { + + # Go and do it + conn_menu ($ARGV[1]); + + last SWITCH; + }; + + + $ARGV[0] =~ /^(vpnup|vup)$/ && do { + + # Go and do it + conn_up_handle ($ARGV[1]); + + last SWITCH; + }; + + $ARGV[0] =~ /^(vpnreload|vreload)$/ && do { + + # Go and do it + conn_reload_handle ($ARGV[1]); + + last SWITCH; + }; + + $ARGV[0] =~ /^(vpnlist|vlist)$/ && do { + + # Go and do it + conn_list ($ARGV[1]); + + last SWITCH; + }; + + $ARGV[0] =~ /^(racoonstart|rstart)$/ && do { + + # Go and do it + racoon_start(); + + last SWITCH; + }; + + $ARGV[0] =~ /^(racoonstop|rstop)$/ && do { + + # Go and do it + racoon_stop(); + + 
last SWITCH; + }; + + usage (); + exit 1; +}; + +exit 0; + +# Functions start here + +sub usage () { + print STDERR "\n"; + print STDERR " Usage: $progname [-h] sadflush|spdflush|saddump|spddump\n"; + print STDERR " |reload|restart|force-reload|start|stop\n"; + print STDERR " $progname [-h] vpndown|vdown|vpnup|vup\n"; + print STDERR " |vpnreload|vreload connection-name|all\n"; + print STDERR " $progname [-h] vpnlist|vlist [connection-name|all]\n"; + print STDERR " $progname [-h] vpnmenu|vmenu\n"; + print STDERR " $progname [-h] racoonstart|racoonstop|rstart|rstop\n"; + print STDERR "\n"; +}; + +sub basename ($$) { + my $name = shift; + my $ext = shift; + $name =~ s/^.*\/(.*)$/$1/; + $name =~ s/^(.*)${ext}$/$1/; + return $name; +} + +sub openlog ($$$) { + $log{'ident'} = shift; + $log{'logopt'} = shift; + $log{'facility'} = shift; + my $logger; + + $logger = "/usr/bin/logger"; + if ( ! -x $logger ) { + $logger = "/bin/logger"; + } elsif ( ! -x $logger ) { + die "$progname: cannot run $logger.\n"; + } + + $log{'logger'} = $logger; + +} + +sub syslog ($$) { + my $priority = shift; + my $msg = shift; + + system("$log{'logger'}", '-p', "$log{'facility'}.${priority}", '-t', "$log{'ident'}\[${proc_id}\]", "$msg"); +} + +sub check_if_running () { + my @pids = (); + my @procs = grep /\b${progname}$/, (grep ! /^\s*${proc_id}\b/, `$ps_cmd`); + foreach (@procs) { + my @fields = split; + if (!$fields[0]) { + next; + } + push @pids, $fields[0]; + } + + if (@pids) { + print STDERR "$progname: process(es) @pids are already running.\n"; + exit 2; + } +} + +sub racoon_get_pids () { + my @pids = (); + my $cmd = ''; + my $pid_file = $global{'racoon_pid_file'}; + + $cmd = $global{'racoon_command'}; + if ( $cmd =~ m/^(\S+).*$/ ) { + $cmd = $1; + } + + if ( -f $pid_file ) { + if ( ! 
open PID, "$pid_file" ) { + prog_die "cannot open $pid_file - $!"; + } + @pids = ( ); + close PID; + } elsif ( scalar(@pids = grep m#${cmd}[\s\n]#s, (split /^/m, `$psf_cmd`)) ) { + grep { s/^\s*([0-9]+)\s+.*$/$1/; } @pids; + } + + return @pids; +} + + +sub racoon_fill_command ($) { + my $stuff = shift; + foreach my $key (keys %global) { + my $key_reg = $key; + $key_reg =~ s/\[/\\[/g; + $key_reg =~ s/\]/\\]/g; + $stuff =~ s/___${key_reg}___/$global{"$key"}/img; + } + return $stuff; +} + +sub racoon_start () { + my $running; + my @pids = (); + + print "Starting IKE (ISAKMP/Oakley) server: "; + + # see if it is already running + @pids = racoon_get_pids(); + + if ( $running = kill ( '0', @pids ) ) { + prog_warn 'warning', "racoon already running - exiting.", $fmt{'brief'}; + exit 10; + } + + # Start it. + my $stuff = racoon_fill_command ($global{'racoon_command'}); + system "$stuff"; + + # See if it started + @pids = racoon_get_pids(); + $running = @pids; + if ( ! $running ) { + prog_die "racoon did not start."; + } + + print "racoon.\n"; + prog_warn 'info', "racoon started."; +} + +sub racoon_stop () { + my @pids = (); + my $running; + + print "Stopping IKE (ISAKMP/Oakley) server: "; + + # Find PIDs to use + @pids = racoon_get_pids(); + + # see if it is running + $running = kill ('0', @pids ); + if ( ! 
$running ) { + print "not found running.\n"; + return; + } + + # kill -15 it + $running = kill ( 'TERM', @pids ); + + my $delay = $racoon_kill_delay; + # Check if any still running + while ( ($running = kill ( '0', @pids )) && $delay) { + sleep 1; + $delay--; + # see if still running, and loop back to wait upto 25 secs + } + + # kill -9 it + kill ( 'KILL', @pids ); + + print "racoon.\n"; + prog_warn 'info', "racoon stopped."; +} + +sub racoon_configure (;$) { + my $format = shift; + my @pids; + my @new; + my $running = 0; + + # Prepare new config file + racoon_write_config ($global{'path_racoon_conf'}, $format); + + # HUP racoon to reconfigure it + @pids = racoon_get_pids(); + $running = @pids; + + sad_flush(); + kill ( 'HUP', @pids ); + @pids = racoon_get_pids(); + if ($running && @pids < 1 ) { + prog_warn 'err', "reconfiguring racoon failed - racoon died, check system logs.", $format; + return -1; + } elsif ( ! $running && @pids < 1) { + prog_warn 'warning', "racoon not running.", $format; + return 0; + } + return 1; +} + +sub racoon_fill_remote ($) { + my $peer = shift; + my $stuff; + + my $hndl = $peer_list{$peer}; + my $template = $hndl->{'remote_template'}; + $stuff = $remote{$template}; + if ( $template eq '%default' ) { + foreach my $property ( keys %remote_addons ) { + if (defined $hndl->{"$property"}) { + $stuff =~ s/^(\s*remote.*{\s*)$/${1}\n\t${remote_addons{"$property"}}/m; + } + } + my @pindexes = peer_get_indexes ( %$hndl ); + foreach my $ind ( @pindexes ) { + my $to_add = $remote_proposal; + $to_add =~ s/___(\S+)___/___$1\[$ind\]___/gm; + $stuff =~ s/^(\s*remote.*{\s*)$/${1}\n${to_add}/m + } + } + + + foreach my $key (keys %$hndl) { + my $key_reg = $key; + $key_reg =~ s/\[/\\[/g; + $key_reg =~ s/\]/\\]/g; + $stuff =~ s/___${key_reg}___/$$hndl{"$key"}/img; + } + + if ($peer eq '%anonymous' && $template eq '%default' ) { + $stuff =~ s/(remote\s+)\%anonymous/remote anonymous/ + } + + return $stuff; +} + +sub racoon_fill_sainfo ($) { + my $connection = 
shift; + my $stuff; + + my $hndl = $connection_list{$connection}; + my $template = $hndl->{'sainfo_template'}; + $stuff = $sainfo{$template}; + if ( $template eq '%default' ) { + foreach my $property ( keys %sainfo_addons ) { + next if defined $hndl->{'pfs_group'} && $hndl->{'pfs_group'} eq 'none'; + if ( defined $hndl->{"$property"} ) { + $stuff =~ s/^(\s*sainfo.*)$/${1}\n\t${sainfo_addons{"$property"}}/m; + } + } + } + + foreach my $key (keys %$hndl) { + $stuff =~ s/___${key}___/$$hndl{$key}/img; + } + + if ($connection eq '%anonymous' && $template eq '%default' ) { + $stuff =~ s/sainfo.*{/sainfo anonymous {/ + } + + return $stuff; +} + +sub racoon_fill_init () { + my $stuff = $racoon_init; + + foreach my $key ( keys %global ) { + $key =~ s/^(\S+)\[[0-9a-z]\]$/$1/i; + if ( defined $init_addons{"$key"} ) { + $stuff =~ s/^(\s*path certificate.*)$/${1}\n${init_addons{"$key"}}/m; + } + } + my @indexes = peer_get_indexes ( %global ); + foreach my $ind ( @indexes ) { + my $to_add = $init_addons{'isakmp'}; + $to_add =~ s/___(\S+)___/___$1\[$ind\]___/gm; + $stuff =~ s/^(\s*listen.*{\s*)$/${1}\n\t${to_add}/m + } + + foreach my $key (keys %global) { + my $key_reg = $key; + $key_reg =~ s/\[/\\[/g; + $key_reg =~ s/\]/\\]/g; + $stuff =~ s/___${key_reg}___/$global{"$key"}/img; + } + + return $stuff; +} + +sub racoon_write_config ($$) { + my $file = shift; + my $format = shift; + my @spd_list; + my %conn_spd_hash; + my @remote_done = (); + + parse_spd (@spd_list, %conn_spd_hash); + + open (RCF, ">$file") + or prog_die "can't open $file - $!", $format; + + # Pretty print comments... 
+ my $hostname = `/bin/hostname`; + my $date = scalar localtime; + print RCF <<"EOF"; +# +# Racoon configuration for $hostname +# Generated on $date by $progname +# + +EOF + # Print out the racoon header + print RCF "#\n# Global items\n#\n"; + my $stuff = racoon_fill_init(); + print RCF $stuff; + + foreach my $connection ( keys %conn_spd_hash ) { + my $stuff = ''; + my $hndl = $connection_list{$connection}; + + print RCF "#\n# Connection $connection\n#\n"; + # print remote clauses needed... + my $dst_ip = $hndl->{'dst_ip'}; + if ( ! grep { $dst_ip eq $_ } @remote_done ) { + push @remote_done, $dst_ip; + $stuff = racoon_fill_remote($dst_ip); + print RCF $stuff; + } + + # print sainfo clauses needed... + $stuff = racoon_fill_sainfo($connection); + print RCF $stuff; + } + + # Handle anonymous connection + my $hndl = $connection_list{'%anonymous'}; + my $phndl = $peer_list{'%anonymous'}; + + if ( defined $hndl && $hndl + && defined $hndl->{'admin_status'} + && $bool_val{"$hndl->{'admin_status'}"} != 0 + && $hndl->{'makelive'} != 0 + && defined $phndl + && $phndl + && $phndl->{'makelive'} != 0 ) { + my $stuff = ''; + print RCF "#\n# Anonymous connection section\n#\n"; + $stuff = racoon_fill_remote('%anonymous'); + print RCF $stuff; + $stuff = racoon_fill_sainfo('%anonymous'); + print RCF $stuff; + } + + close RCF; +} + +sub log_backend () { +foreach my $arg ( @ARGV ) { + next if $arg ne '-l'; + + my $error = 0; + while ( ) { + chomp; + prog_warn 0, "setkey said: $_"; + $error = 1; + } + + exit $error; +} + + +} + +# List all connections +sub conn_list ($) { + my $connection = shift; + + my $exit_code = 1; + + if ( ! 
defined $connection || $connection eq 'all' ) { + $connection = '.*'; + } + + my @conns = grep /${connection}/, keys(%connection_list); + @conns = grep !/^%default$/, @conns; + open( PAGER, '|-' ) + || exec ("$pager_cmd", @pager_flags); + foreach my $conn ( @conns ) { + print PAGER "$conn\n"; + } + close PAGER or die "$progname: conn_list () - $pager_cmd failed - exit code " . ($? >> 8) . "\n"; + + exit ( scalar(@conns) == 0 ); +} + +# Connection up +sub conn_up_handle ($) { + my $connection = shift; + + if (! defined $connection ) { + usage (); + exit 1; + } + + if ( $connection eq 'all' ) { + # Flush SPD and SAD + ipsec_flush (); + + # Load the SPD + spd_load(); + + # Do dee racoon... + exit 1 if racoon_configure() < 0; + + exit 0; + } + + print "Starting VPN $connection..."; + if ((my $ret = spd_load($connection)) <= 0 ) { + print "not found in configuration\n" if $ret == 0; + print "syntax problem in configuration.\n" if $ret == -1; + print "already in SPD.\n" if $ret == -2; + exit 1; + } + + # Do dee racoon... + exit 1 if racoon_configure($fmt{'brief'}) < 0; + + print "done.\n"; + prog_warn 'info', "$connection started."; + + + exit 0; +} + +# Connection down +sub conn_down_handle ($) { + my $connection = shift; + my @spd_list; + my %conn_spd_hash; + + if ( ! defined $connection ) { + usage (); + exit 1; + } + + if ( $connection eq 'all' ) { + # Flush SPD and SAD + ipsec_flush (); + + # Do dee racoon... + exit 1 if racoon_configure() < 0; + + exit 0; + } + + print "Shutting down VPN $connection..."; + if ( ! grep /^${connection}$/, keys %connection_list) { + print "not found in configuration.\n"; + exit 1; + } + # Read SPD list from kernel... + parse_spd(@spd_list, %conn_spd_hash); + if ( ! 
conn_down (@spd_list, %conn_spd_hash, $connection, 1) ) { + print "not found in SPD.\n"; + exit 0; + } + print "done.\n"; + prog_warn 'info', "$connection shutdown."; + + exit 0 +} + +sub conn_reload_handle ($) { + my $connection = shift; + my @spd_list; + my %conn_spd_hash; + + if ( ! defined $connection ) { + usage (); + exit 1; + } + + if ( $connection eq 'all' ) { + ipsec_load(); + + exit 0; + } + + print "Reloading VPN $connection..."; + if ( ! grep /^${connection}$/, keys %connection_list) { + print "not found in configuration.\n"; + exit 1; + } + # Read SPD list from kernel... + parse_spd(@spd_list, %conn_spd_hash); + if ( ! conn_down (@spd_list, %conn_spd_hash, $connection, 1, 1) ) { + print "not found in SPD, "; + } + + if ((my $ret = spd_load($connection)) <= 0 ) { + print "not found in configuration.\n" if $ret == 0; + print "syntax problem in configuration.\n" if $ret == -1; + print "already in SPD.\n" if $ret == -2; + exit 1; + } + + # Do dee racoon... + exit 1 if racoon_configure($fmt{'brief'}) < 0; + + print "done.\n"; + prog_warn 'info', "$connection reloaded."; + + exit 0; +} + +sub spd_show_header () { + print "Number Connection Name UpperSpec DirN\n"; + print " src_range\n"; + print " dst_range\n"; +} + +sub spd_show_entry ($) { + my $entry = shift; + my $conn_name; + + if (defined $$entry{'connection'}) { + $conn_name = $$entry{'connection'}; + } else { + $conn_name = ''; + } + + printf " %3.1d %-50s %-9s %-3s\n", + $$entry{'index'}, $conn_name, + $$entry{'upperspec'}, $$entry{'direction'}; + print " $$entry{'src_range'}\n"; + print " $$entry{'dst_range'}\n"; +} + +sub spd_show_footer () { + print "\n"; + print "Press for more, or enter number or VPN-name > "; +} + +sub conn_menu ($) { + my $term = shift; + my @spd_list; + my %conn_spd_hash; + + # Initialise the SPD data structure + parse_spd(@spd_list, %conn_spd_hash); + + my ($pos,$rows,$cols,$do_fill) = 0; + $term = '.*' if ! 
defined $term; + my @spd = grep { ( defined $$_{'connection'} && $$_{'connection'} =~ m/${term}/ ) + || $$_{'src_range'} =~ m/${term}/ + || $$_{'dst_range'} =~ m/${term}/ } @spd_list; + + if ( ! @spd ) { + print "No SPD entries found.\n"; + return; + } + +REDRAW: while ($pos < @spd_list) { + # get terminal size + ($rows, $cols) = split ' ', `stty size`; + my $ntoshow = ($rows - 6) / 3; + my $fill = $rows % $ntoshow; + if ( ($pos +$ntoshow) > @spd) { + $fill += 3*($pos + $ntoshow - @spd); + } + # display SPD list + if ( $do_fill ) { + foreach (0..$fill) { print "\n" }; + } + $do_fill = 1; + spd_show_header (); + for ($i=$pos; $i < ($pos + $ntoshow) && $i < @spd; $i++) { + + spd_show_entry ($spd[$i]); + } + spd_show_footer (); + + # wait for keypress + while ( my $chars = ) { + last if $chars =~ /^$/; + $chars = lc $chars; + exit 0 if $chars =~ /^q$/; + chomp $chars; + my @deleted = conn_down(@spd_list, %conn_spd_hash, $chars) if $chars =~ /^[-0-9a-z_]+$/; + if (! @deleted) { + print "$chars does not exist or cannot be deleted.\n"; + } + else { + foreach my $i ( @deleted ) { + @spd = grep { $i != $$_{'index'} } @spd; + $pos -= 1 if $pos > 0; + } + } + if ( ! @spd ) { + print "No selected SPD entries left.\n"; + last REDRAW; + } + sleep 2; + next REDRAW; + } + + $pos += $ntoshow; + } + + +} + +sub conn_down (\@\%$;$$) { + my $spd_list = shift; + my $conn_spd_hash = shift; + my $spd = shift; + my $conn_force = shift; + my $no_racoon = shift; + + my @ret = (); + my @spd_to_del = (); + if ( $conn_force || $spd !~ m/^[0-9]+$/ ) { + # Deal with a connection name + @spd_to_del = keys %$conn_spd_hash; + return @ret if @spd_to_del <= 0; + return @ret if ! grep /^$spd$/, keys %$conn_spd_hash; + @spd_to_del = @{ $conn_spd_hash->{$spd} }; + return @ret if @spd_to_del <= 0; + } + else { + # Handle a connection number + # Check that it exists + return @ret if ! 
grep { $$_{'index'} == $spd } @$spd_list; + + # Follow up any connection name and add that one to + my ($spdentry) = grep { $$_{'index'} == $spd } @$spd_list; + goto GO if ! defined $$spdentry{'connection'}; + $connection = $$spdentry{'connection'}; + goto GO if @{ $conn_spd_hash->{$connection} } <= 0; + push @spd_to_del, @{ $conn_spd_hash->{$connection} }; + } + +GO: + # Delete entries from SPD + open( SETKEY, '|-') + || exec ("$setkey_cmd", '-c'); + + foreach my $spdnum ( @spd_to_del ) { + my ($spdentry) = grep { $$_{'index'} == $spdnum } @$spd_list; + print SETKEY <<"EOF"; +spddelete -n $$spdentry{'src_range'} $$spdentry{'dst_range'} $$spdentry{'upperspec'} -P $$spdentry{'direction'}; +EOF + push @ret, $spdnum; + } + + close SETKEY + or prog_die ("conn_down() - setkey connection deletion failed - exit code ". ($? >> 8) ); + + # Deal with racoon + if ( ! $no_racoon ) { + racoon_configure(); + } + + return @ret; +} + +# Process warning message + +sub prog_warn($$;$) { + my $level = shift; + my $msg = shift; + my $format = shift; + + $format = $global_format if ! $format; + $level = 'warning' if ! 
$level; + $msg =~ s/\t/ /g; + if ( $level ne 'info' ) { + if ( $format == $fmt{'normal'} ) { + print STDERR "$progname: $msg\n" + } elsif ( $format == $fmt{'brief'} ) { + print STDOUT "${msg}\n"; + } elsif ( $format == $fmt{'comma'} ) { + $msg =~ s/\.$//; + print STDOUT "${msg}, "; + } + } + $msg =~ s/%/%%/g; + syslog ($level, "$msg"); +} + +sub prog_die($;$) { + my $msg = shift; + my $format = shift; + prog_warn 'err', $msg, $format; + exit 255; +} + +# Dump read in SPD list +sub spd_dump_list (\@\%) { + my $spd_list = shift; + my $conn_spd_hash = shift; + + for my $spd ( @$spd_list ) { + print "{ "; + for $val ( keys %$spd ) { + print "$val=$spd->{$val} "; + } + print "}\n"; + } + + for my $conn ( keys(%$conn_spd_hash) ) { + print "$conn: @{ $conn_spd_hash->{$conn} }\n"; + } +} + +# Parse SPD to produce SPD list +sub parse_spd (\@\%) { + my $spd_list = shift; + my $conn_spd_hash = shift; + my $src_range; + my $dst_range; + my $upperspec; + my $direction; + my $onespd_flag = 0; + + @$spd_list = (); + + open (SETKEY, '-|') + || exec ($setkey_cmd, '-PD'); + + while (my $line = ) { + # print "$line"; + if ( $line =~ m/^\s*([0-9a-fny\.\:\/\[\]]+)\s+([0-9a-fny\.\:\/\[\]]+)\s+([0-9a-z]+)\s*$/ ){ + $src_range = $1; + $dst_range = $2; + $upperspec = $3; + $onespd_flag = 1 + } + elsif ($onespd_flag > 0) { + $onespd_flag = 0; + $line =~ m/^\s*(in|out)\s+(ipsec|none|discard)\s*$/; + $direction = $1; + push @$spd_list, { 'src_range', $src_range, 'dst_range', $dst_range, + 'upperspec', $upperspec, 'direction', $direction }; + # print "[ src_range=$src_range, dst_range=$dst_range, upperspec=$upperspec, direction=$direction ]\n"; + } + } + + close (SETKEY) + or prog_die "parse_spd() - can't parse SPD - exit code " . ($? >> 8); + + # match the SPD policies to configuration data. 
+ match_spd_connection (@$spd_list, %$conn_spd_hash); + +} + + +sub match_spd_connection (\@\%) { + my $spd_list = shift; + my $conn_spd_hash = shift; + my $index = 0; + + %$conn_spd_hash = (); + + foreach my $spd ( @$spd_list ) { + $spd->{'index'} = $index; + + # Loop over connection list to find connection name + foreach my $connection ( keys %connection_list ) { + next if "$connection" eq '%default'; + next if ! defined $connection_list{$connection}{'src_ip'}; + next if ! defined $connection_list{$connection}{'dst_ip'}; + + # Quick handle - read only + my $conn = $connection_list{$connection}; + + if ( ($spd->{'src_range' } eq $conn->{'src_range'} + && $spd->{'dst_range'} eq $conn->{'dst_range'} + && $spd->{'direction'} eq 'out' + || $spd->{'dst_range'} eq $conn->{'src_range'} + && $spd->{'src_range'} eq $conn->{'dst_range'} + && $spd->{'direction'} eq 'in') + && $spd->{'upperspec'} eq $conn->{'upperspec'} ) { + $spd->{'connection'} = $connection; + push @{ $conn_spd_hash->{$connection} }, $index; + } + } + + $index ++; + } + +} + +# start +sub ipsec_start () { + mod_start (); + ipsec_flush (); + ipsec_load (); + racoon_start(); +} + +# stop +sub ipsec_stop () { + racoon_stop(); + ipsec_flush (); + mod_stop (); +} + +# load +sub ipsec_load () { + print "Loading SAD and SPD...\n"; + sad_init (); + spd_init (); + spd_load(); + print "SAD and SPD loaded.\n"; + prog_warn 'info', "loaded SAD and SPD."; + print "Configuring racoon..."; + exit 1 if racoon_configure($fmt{'brief'}) < 0; + print "done.\n"; + prog_warn 'info', "configured racoon."; + return 1; +} + +# flush +sub ipsec_flush () { + print "Flushing SAD and SPD...\n"; + # Flush the SAD + sad_flush (); + + # Flush the SPD + spd_flush (); + print "SAD and SPD flushed.\n"; + prog_warn 'info', "flushed SAD and SPD."; +} + +# Read configuration +sub parse_config () { + my $line = 0; + my $barf = 0; + my $section = ""; + my $connection = ""; + my $peer = ""; + my $stuff = ""; + + open(CONF, "< $conffile") + || 
prog_die "can't open $conffile - $!"; + + LINE: while () { + $line +=1; + + # Deal with blank lines + if ( m/^\s*$/) { + next LINE; + } + + # Comments + if ( m/^[ \t]*#.*$/ ) { + next LINE; + } + # Comments at the end of lines + if ( m/^([^#]*)#.*$/ ) { + $_ = $1; + } + + chomp; + + if (! m/^[-\"{}()\[\]_;\%\@\w\s.:\/=]+$/) { + prog_warn 0, "bad data in $conffile, line $line:"; + prog_warn 0, $_; + # $barf = 1; + next LINE; + } + + if ( m/^\s*SPDADD\((\%default|[-_a-z0-9]+)\):([\S \t]*)$/i ) { + $name = $1; + $stuff = $2 . "\n"; + if ( defined $spdadd{"$name"} ) { + $spdadd{"$name"} .= $stuff; + } else { + $spdadd{"$name"} = $stuff; + } + next LINE; + } elsif ( m/^\s*SADADD\((\%default|[-_a-z0-9]+)\):([\S \t]*)$/i ) { + $name = $1; + $stuff = $2 . "\n"; + if ( defined $sadadd{"$name"} ) { + $sadadd{"$name" } .= $stuff; + } else { + $sadadd{"$name"} = $stuff; + } + next LINE; + } elsif ( m/^\s*REMOTE\((\%default|[-_a-z0-9]+)\):([\S \t]*)$/i ) { + $name = $1; + $stuff = $2 . "\n"; + if ( defined $remote{"$name"} ) { + $remote{"$name" } .= $stuff; + } else { + $remote{"$name"} = $stuff; + } + next LINE; + + } elsif ( m/^\s*SAINFO\((\%default|[-_a-z0-9]+)\):([\S \t]*)$/i ) { + $name = $1; + $stuff = $2 . "\n"; + if ( defined $sainfo{"$name"} ) { + $sainfo{"$name" } .= $stuff; + } else { + $sainfo{"$name"} = $stuff; + } + next LINE; + + } elsif ( m/^\s*SADINIT:([\S \t]*)$/i ) { + $name = ''; + $stuff = $1 . "\n"; + if ( defined $sadinit ) { + $sadinit .= $stuff; + } else { + $sadinit = $stuff; + } + next LINE; + } elsif ( m/^\s*SPDINIT:([\S \t]*)$/i ) { + $name = ''; + $stuff = $1 . "\n"; + if ( defined $spdinit ) { + $spdinit .= $stuff; + } else { + $spdinit = $stuff; + } + next LINE; + } elsif ( m/^\s*RACOONINIT:([\S \t]*)$/i ) { + $name = ''; + $stuff = $1 . 
"\n"; + if ( defined $racoon_init ) { + $racoon_init .= $stuff; + } else { + $racoon_init = $stuff; + } + next LINE; + + } elsif ( m/^\s*CONNECTION\((\%default|\%anonymous|[-_a-z0-9]+)\):\s*$/i ) { + $section = 'connection'; + $connection = lc $1; + # Make place holder so that error message gets generated + $connection_list{$connection}{'makelive'} = 0; + next LINE; + } + + elsif ( m/^\s*PEER\((\%default|\%anonymous|[a-f0-9:\.]+)\):\s*$/i ) { + $peer = lc $1; + if ( $peer ne '%default' && $peer ne '%anonymous' && ! ip_check_syntax ($peer)) { + prog_warn 0, "unrecognised tag in $conffile, line $line:"; + prog_warn 0, "$_"; + prog_warn 0, "invalid peer name - $peer"; + next LINE; + } + $section = 'peer'; + # Make place holder so that error message gets generated + $peer_list{$peer}{'makelive'} = 0; + next LINE; + } + + elsif ( m/^\s*GLOBAL:\s*$/i ) { + $section = 'global'; + next LINE; + } + + elsif ( $section eq 'connection' && m/^\s*($conn_proplist):\s*(.+)\s*$/i ) { + my $property = lc $1; + my $value = $2; + $value =~ s/^(.*\S)\s*$/$1/; + + if ( ! check_property_syntax($section, $property, $value) ) { + prog_warn 0, "$connection - unrecognised connection property syntax."; + prog_warn 0, "$connection - file $conffile, line $line:"; + prog_warn 0, error_getmsg($section, $property); + prog_warn 0, $_; + $connection_list{$connection}{'syntax_error'} = 1; + next LINE; + } + $value = value_lc($section, $property, $value); + $connection_list{$connection}{$property} = $value; + } elsif ( $section eq 'connection' ) { + prog_warn 0, "$connection - unrecognised tag in $conffile, line $line:"; + prog_warn 0, $_; + prog_warn 0, "$connection - allowed tags are $conn_proplist"; + $connection_list{$connection}{'syntax_error'} = 1; + next LINE; + } + + elsif ( $section eq 'peer' && m/^\s*($peer_proplist):\s*(.+)\s*$/i ) { + my $property = lc $1; + my $value = $2; + $value =~ s/^(.*\S)\s*$/$1/; + + if ( ! 
check_property_syntax($section, $property, $value) ) { + prog_warn 0, "$peer - unrecognised peer property syntax or unreadable file(s)."; + prog_warn 0, "$peer - file $conffile, line $line:"; + prog_warn 0, error_getmsg($section, $property); + prog_warn 0, $_; + $peer_list{$peer}{'syntax_error'} = 1; + next LINE; + } + # $value = value_lc($section, $property, $value); + $peer_list{$peer}{$property} = $value; + } elsif ( $section eq 'peer' ) { + prog_warn 0, "$peer - unrecognised tag in $conffile, line $line:"; + prog_warn 0, $_; + prog_warn 0, "$peer - allowed tags are $peer_proplist"; + $peer_list{$peer}{'syntax_error'} = 1; + next LINE; + } + + elsif ( $section eq 'global' && m /^\s*($global_proplist):\s*(.+)\s*$/i ) { + my $property = lc $1; + my $value = $2; + $value =~ s/^(.*\S)\s*$/$1/; + + if (! check_property_syntax($section, $property, $value)) { + prog_warn 0, "global - unrecognised global property syntax or unreadable file(s)."; + prog_warn 0, "global - file $conffile, line $line:"; + prog_warn 0, error_getmsg($section, $property); + prog_warn 0, $_; + prog_warn 0, "global - allowed tags are $global_proplist"; + $global{'deadly_error'} = 1; + next LINE; + } + $value = value_lc($section, $property, $value); + $global{$property} = $value; + + } elsif ( $section eq 'global' ) { + prog_warn 0, "$global - unrecognised tag in $conffile, line $line:"; + prog_warn 0, $_; + prog_warn 0, "$global - allowed tags are $global_proplist"; + } + + else { + prog_warn 0, "unrecognised tag in $conffile, line $line:"; + prog_warn 0, $_; + next LINE; + } + + } + close (CONF); + + if ( $barf ) { + exit 1; + } + + # apply defaults + $spdadd{'%default'} = $spdadd_default if ( ! defined $spdadd{'%default'} ); + $sadadd{'%default'} = $sadadd_default if ( ! defined $sadadd{'%default'} ); + $remote{'%default'} = $remote_default if ( ! defined $remote{'%default'} ); + $sainfo{'%default'} = $sainfo_default if ( ! 
defined $sainfo{'%default'} ); + $racoon_init = $racoon_init_default if ( ! defined $racoon_init ); + global_fillin_defaults(); + conn_fillin_defaults(); + peer_fillin_defaults(); + peer_check_required(); + conn_check_required(); + global_check_required(); +}; + +# Lower case value function +sub value_lc ($$$) { + my $section = shift; + my $property = shift; + my $value = shift; + + my $ptype = get_proptype($section, $property); + + if ( $ptype eq 'path_conf_file' ) { + $value = $value; + } elsif ( $ptype eq 'path_generated_file' ) { + $value = $value; + } elsif ( $ptype eq 'shell_command' ) { + $value = $value; + } elsif ( $ptype eq 'path_certificate' ) { + $value = $value; + } elsif ( $ptype eq 'certificate' ) { + if ( $value =~ m/^\s*x509\s+(\S+)\s+(\S+)\s*$/i ) { + $value = "x509 $1 $2"; + } + } elsif ( $ptype =~ 'peers_certfile' ) { + if ( $value =~ m/^\s*dnssec\s*$/i ) { + $value = "dnssec"; + } elsif ( $value =~ m/^\s*(plain_rsa|x509)\s+(\S+)\s*$/i ) { + $value = "$1 $2"; + } + } elsif ( $ptype eq 'identity' ) { + if ( $value =~ m/^\s*keyid\s+(\S+)\s*$/i ) { + $value = "keyid $1" + } + } else { + $value = lc $value; + } + return $value; +} + +# Error mesage lookups +sub error_getmsg ($$) { + my $section = shift; + my $property = shift; + my $ptype = get_proptype($section, $property); + + return "$property only takes $prop_syntaxhash{$ptype}"; +} + +#Fill in global defaults +sub global_fillin_defaults () { + foreach $prop ('path_pre_shared_key', 'path_certificate') { + if ( defined $global{$prop} && $global{$prop} =~ m/^"?(\S+)"?$/i ) { + $global{$prop} = "\"${1}\""; + } + } + foreach $prop ('path_racoon_conf', 'racoon_command', 'racoon_pid_file') { + if ( defined $global{$prop} && $global{$prop} =~ m/^"(\S+)"$/i ) { + $global{$prop} = "${1}"; + } + } +} + +sub global_check_required () { + if ( $global{'deadly_error'} ) { + prog_warn 'err', "deadly error in global configuration - exiting."; + exit 10; + } +} + +#Check synax of IP address +sub ip_check_syntax 
($) {
+ my $ip = shift;
+ if ( $ip =~ m/^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$/ ) {
+ return 1 if ( $1 >=0 && $1 <= 255 && $2 >= 0 && $2 <= 255
+ && $3 >= 0 && $3 <= 255 && $4 >= 0 && $4 <= 255 );
+ } elsif ( $ip =~ m/^[0-9a-f]{1,4}:[0-9a-f:]*:[0-9a-f]{0,4}$/i ) {
+ my @dbytes = split /:/, $ip;
+ my $valid = 1;
+ foreach my $v ( @dbytes ) {
+ if ( $v ne '' && $v !~ m/^[0-9a-f]{1,4}$/i && $v < 0 && $v > 0xffff )
+ { $valid = 0; }
+ }
+ return 1 if $valid;
+ }
+ return 0;
+}
+
+
+# Check syntax
+
+sub get_proptype($$) {
+ my $section = shift;
+ my $property = shift;
+ my $ptype;
+
+ if ( $property =~ m/^(.*)\[[0-9a-z]+\]$/ ) {
+ $property = $1;
+ }
+ $ptype = $prop_typehash{$section}{$property};
+
+ return $ptype;
+}
+
+sub check_property_syntax ($$$) {
+ my $section = shift;
+ my $property = shift;
+ my $value = shift;
+ my ($protoname, $protoaliases, $protonumber);
+ my $ptype;
+
+ $ptype = get_proptype($section,$property);
+
+ if ( $ptype eq 'boolean' ) {
+ $value =~ m/^(enabled|disabled|true|false|up|down|on|off|yes|no|0|1)$/i && return 1;
+ } elsif ( $ptype eq 'encap' ) {
+ $value =~ m/^(ah|esp)$/i && return 1;
+ } elsif ( $ptype eq 'mode' ) {
+ $value =~ m/^(transport|tunnel)$/i && return 1;
+ } elsif ( $ptype eq 'template_name' ) {
+ $value =~ m/^(%default|[-a-z0-9_]+)$/i && return 1;
+ } elsif ( $ptype eq 'phase1_exchange_mode' ) {
+ $value =~ m/^((main|aggressive|base),? 
?){1,3}$/i && return 1;
+ } elsif ( $ptype eq 'phase1_encryption' ) {
+ $value =~ m/^(aes|des|3des|blowfish|cast128)$/i && return 1;
+ } elsif ( $ptype eq 'hash_algorithm' ) {
+ $value =~ m/^(md5|sha1)$/i && return 1;
+ } elsif ( $ptype eq 'phase1_auth_method' ) {
+ $value =~ m/^(pre_shared_key|rsasig)$/i && return 1;
+ } elsif ( $ptype eq 'switch' ) {
+ $value =~ m/^(on|off)$/i && return 1;
+ } elsif ( $ptype eq 'lifetime' ) {
+ $value =~ m/^time\s+[0-9]+\s+(hour|hours|min|mins|minutes|sec|secs|seconds)$/i && return 1;
+ } elsif ( $ptype eq 'phase2_encryption' ) {
+ $value =~ m/^((aes|des|3des|des_iv64|des_iv32|rc5|rc4|idea|3idea|cast128|blowfish|null_enc|twofish|rijndael),? ?)+$/i && return 1;
+ } elsif ( $ptype eq 'phase2_auth_algorithm' ) {
+ $value =~ m/^((des|3des|des_iv64|des_iv32|hmac_md5|hmac_sha1|non_auth),? ?)+$/i && return 1;
+ } elsif ( $ptype eq 'dh_group' ) {
+ $value =~ m/^(modp768|modp1024|modp1536|1|2|5)$/i && return 1;
+ } elsif ( $ptype eq 'pfs_group' ) {
+ $value =~ m/^(none|modp768|modp1024|modp1536|1|2|5)$/i && return 1;
+ } elsif ( $ptype eq 'level') {
+ $value =~ m/^(default|use|require|unique)$/i && return 1;
+ } elsif ( $ptype eq 'log') {
+ $value =~ m/^(notify|debug|debug2)$/i && return 1;
+ } elsif ( $ptype eq 'proposal_check' ) {
+ $value =~ m/^(obey|strict|claim|exact)$/i && return 1;
+ } elsif ( $ptype eq 'nat_traversal' ) {
+ $value =~ m/^(on|off|force)$/i && return 1;
+ } elsif ( $ptype =~ 'nonce_size' ) {
+ $value =~ m/^[0-9]{1,3}$/ && $value >= 8 && $value <= 256 && return 1;
+ } elsif ( $ptype eq 'listen' ) {
+ if ( $value =~ m/^[0-9a-f:\.]+$/i ) {
+ return ip_check_syntax( $value );
+ }
+ if ( $value =~ m/^([0-9a-f:\.]+)\s+\[([0-9]{1,5})\]$/i ) {
+ my $ip = $1;
+ my $port = $2;
+ return 0 if ! ip_check_syntax ( $ip );
+ return 0 if $port !~ m/^[0-9]{1,5}$/;
+ return 1;
+ }
+ return 0;
+ } elsif ( $ptype eq 'shell_command' ) {
+ if ( $value =~ m/^"?([\S]+)\s+.*"?$/i ) {
+ if ( ! 
-x $1 ) {
+ prog_warn 'err', "$property - cannot execute $1";
+ return 0;
+ }
+ return 1;
+ }
+ return 0;
+ } elsif ( $ptype eq 'path_conf_file' ) {
+ if ( $value =~ m/^\"?([^\"\s]+)\"?$/i ) {
+ if ( ! -r $1 ) {
+ prog_warn 0, "$property - cannot read file $1";
+ return 0;
+ }
+ return 1;
+ }
+ return 0;
+ } elsif ( $ptype eq 'path_generated_file' ) {
+ if ( $value =~ m/^\"?([^\"\s]+)\"?$/i ) {
+ my $dir = dirname($1);
+ if ( ! defined $dir || $dir == '' ) {
+ prog_warn 0, "$property - directory does not exist";
+ return 0;
+ }
+ if ( ! -r $dir ) {
+ prog_warn 0, "$property - cannot access directory $dir";
+ return 0;
+ }
+ return 1;
+ }
+ return 0;
+ } elsif ( $ptype eq 'path_certificate' ) {
+ if ( $value =~ m/^\"?([^\"\s]+)\"?$/i ) {
+ if ( ! -r $1 ) {
+ prog_warn 0, "$property - cannot read directory $1";
+ return 0;
+ }
+ return 1;
+ }
+ return 0;
+ } elsif ( $ptype eq 'peers_certfile' ){
+ # TODO - do we need do something extra for plain_rsa?
+ $value =~ m/^(dnssec|plain_rsa)$/i && return 1;
+ if ( $value =~ m/^x509\s+\"?([^\"\s]+)\"?\s*$/i ) {
+ if (-r "$global{'path_certificate'}/$1") {
+ return 1;
+ } else {
+ prog_warn 0, "$property - cannot read $global{'path_certificate'}/$1";
+ return 0;
+ }
+ }
+ return 0;
+ } elsif ( $ptype eq 'certificate' ) {
+ if ( $value =~ m/^x509\s+\"?([^\"\s]+)\"?\s+\"?([^\"\s]+)\"?\s*$/i ) {
+ if ( ! -r "$global{'path_certificate'}/$1" ) {
+ prog_warn 0, "$property - cannot read $global{'path_certificate'}/$1";
+ return 0;
+ }
+ if ( ! 
-r "$global{'path_certificate'}/$2" ) {
+ prog_warn 0, "$property - cannot read $global{'path_certificate'}/$2";
+ return 0;
+ }
+ return 1;
+ }
+ return 0;
+ } elsif ( $ptype eq 'identifier' ) {
+ if ( $value =~ m/^address\s*$/i ) {
+ return 1;
+ }
+ if ( $value =~ m/^address\s+([0-9a-f:\.]+)\s*$/i ) {
+ local $ip = $1;
+ return ip_check_syntax($ip);
+ }
+ if ( $value =~ m/^fqdn\s+"?([-a-z0-9\._]+)"?\s*$/i ) {
+ return 1;
+ }
+ if ( $value =~ m/^user_fqdn\s+"?([-a-z0-9\.\@_]+)"?\s*$/i ) {
+ return 1;
+ }
+ if ( $value =~ m/^asn1dn\s+"?([-a-z0-9\.\@_\s\\\/='\[\]]+)"?\s*$/i ) {
+ return 1;
+ }
+ if ( $value =~ m/^asn1dn\s*$/i ) {
+ return 1;
+ }
+ if ( $value =~ m/^keyid\s+\"?(\/[^\"\s]+)\"?$/i ) {
+ if ( -r $1 ) {
+ return 1;
+ } else {
+ prog_warn 0, "$property - cannot read $1";
+ return 0;
+ }
+ }
+ return 0;
+ } elsif ( $ptype eq 'upperspec' ) {
+ if ( ($protoname, $protoaliases, $protonumber )
+ = getprotobyname $value ) {
+ return 1;
+ }
+ $value =~ m/^(any|icmp6)$/i && return 1;
+ if ( $value =~ m/^icmp6[ \t]+([0-9]{1,3})$/i ) {
+ return 1 if ( $1 >= 0 && $1 <= 255 );
+ }
+ if ( $value =~ m/^icmp6[ \t]+([0-9]{1,3}),([0-9]{1,3})$/i ) {
+ return 1 if ( $1 >= 0 && $1 <= 255 && $2 >= 0 && $2 <= 255 );
+ }
+ if ( $value =~ m/[0-9]{1,5}/ && $value > 0 && $value <= 65535 ) {
+ return 1;
+ }
+ return 0
+ } elsif ( $ptype eq 'ip' ) {
+ return ip_check_syntax($value);
+ } elsif ( $ptype eq 'range' ) {
+ my $valid = 1;
+ my ($ip, $mask, $port, $type);
+
+ # make sure we have only 1 slash;
+ return 0 if $value =~ m/^.*\/.*\/.*$/;
+
+ # Split range into address, mask and port
+ if ( $value !~ m/^.*\[(any|[0-9]{1,5})\]$/i ) {
+ $value .= "[any]";
+ }
+ if ( $value =~ m/^(.*)\/([0-9]{1,5})\[(any|[0-9]{1,5})\]$/i ) {
+ $ip = $1;
+ $mask = $2;
+ $port = $3;
+ } elsif ( $value =~ m/^(.*)\[(any|[0-9]{1,5})\]$/i ) {
+ $ip = $1;
+ $mask = 255;
+ $port = $2;
+ } elsif ( $value =~ m/^(.*)$/i ) {
+ $ip = $1;
+ $mask = 255;
+ $port = 'any';
+ } else {
+ return 0;
+ }
+
+ # Work out 
type of IP address
+ if ( $ip =~ m/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$/ ) {
+ $type = 'ipv4';
+ } elsif ( $ip =~ m/^::$|^[0-9a-f]{1,4}:[0-9a-f:]*:[0-9a-f]{0,4}$/i ) {
+ $type = 'ipv6';
+ } else {
+ return 0;
+ }
+
+ # Check IP address
+ if ( ! ip_check_syntax($ip) && $ip ne '::' ) {
+ $valid = 0;
+ }
+
+ # Check mask
+ if ( $mask != 255 ) {
+ if ( $type eq 'ipv4') {
+ $valid = 0 if ( $mask < 0 || $mask > 32 );
+ } else {
+ $valid = 0 if ( $mask < 0 || $mask > 128 );
+ }
+ }
+
+ # Check port
+ if ( $port ne 'any' ) {
+ $valid = 0 if ( $port < 0 || $port > 65535 );
+ }
+
+ return $valid;
+ }
+ else {
+ return 0;
+ }
+ return 0;
+}
+
+# Check for required paarameters for activation
+sub conn_check_required () {
+ foreach my $connection ( keys %connection_list ) {
+ my $makelive = 1;
+ next if $connection eq '%default';
+ if ( $connection ne '%anonymous' ) {
+ foreach my $property ( @conn_required_props ) {
+ $makelive = 0 if ! defined $connection_list{$connection}{$property};
+ }
+ my $dst_ip = $connection_list{$connection}{'dst_ip'};
+ if ( ! defined $dst_ip
+ || ! defined $peer_list{$dst_ip}
+ || ! defined $peer_list{$dst_ip}{'makelive'}
+ || $peer_list{$dst_ip}{'makelive'} == 0 ) {
+ $makelive = 0;
+ }
+ }
+ $makelive = 0 if ( $connection_list{$connection}{'syntax_error'} );
+ if (! $makelive) {
+ prog_warn 0, "$connection - required parameters missing, peer missing or syntax error.";
+ prog_warn 0, "$connection - not activating.";
+ $connection_list{$connection}{'makelive'} = 0;
+ next;
+ }
+ $connection_list{$connection}{'makelive'} = 1;
+ }
+}
+
+# Fill in default missing parameters
+sub conn_fillin_defaults () {
+ foreach my $connection ( keys %connection_list ) {
+ next if $connection eq '%default';
+ foreach my $property ( keys %{ $connection_list{'%default'} } ) {
+ if ( ! defined $connection_list{$connection}{$property} ) {
+ $connection_list{$connection}{$property} = $connection_list{'%default'}{$property};
+ }
+ }
+ next if ! 
defined $connection_list{$connection}{'src_ip'};
+ next if ! defined $connection_list{$connection}{'dst_ip'};
+
+ # Set up default values for range and ID if they do not exist already
+ foreach my $p ( 'src', 'dst' ) {
+ if ( ! defined $connection_list{$connection}{"${p}_range"} ) {
+ $connection_list{$connection}{"${p}_range"}
+ = $connection_list{$connection}{"${p}_ip"};
+ }
+ if ( $connection_list{$connection}{"${p}_range"}
+ !~ m/^.*\[(any|[0-9]{1,5})\]$/ ) {
+ $connection_list{$connection}{"${p}_range"} .= "[any]";
+ }
+ # Remove full length netmasks to avoid confusing things...
+ $connection_list{$connection}{"${p}_range"} =~ s/\/32//;
+ $connection_list{$connection}{"${p}_range"} =~ s/\/128//;
+
+ }
+
+ # Set the mode appropriately if not already set
+ if ( !defined $connection_list{$connection}{'mode'} ) {
+ if ( $connection_list{$connection}{'src_range'}
+ eq $connection_list{$connection}{'src_ip'} . "[any]"
+ && $connection_list{$connection}{'dst_range'}
+ eq $connection_list{$connection}{'dst_ip'} . "[any]" ) {
+ $connection_list{$connection}{'mode'} = 'transport';
+ } else {
+ $connection_list{$connection}{'mode'} = 'tunnel';
+ }
+ }
+
+ }
+}
+
+sub peer_get_indexes (\%) {
+ my $hndl = shift;
+ my %tmp;
+
+ my @keys = keys %$hndl;
+ @keys = grep /^.*\[[0-9]+\]$/, @keys;
+ map { s/^.*\[([0-9]+)\]$/$1/; } @keys;
+ $tmp{$_} = 1 foreach (@keys);
+ @keys = reverse (sort (keys (%tmp)));
+
+ return @keys;
+}
+
+sub peer_fillin_defaults () {
+
+ # Copy default to defined peers
+ my $dhndl = $peer_list{'%default'};
+ foreach my $peer ( keys %peer_list ) {
+ next if $peer eq '%default';
+ my $phndl = $peer_list{$peer};
+
+ foreach my $property ( keys %{ $dhndl } ) {
+ if ( ! defined $phndl->{$property} ) {
+ $phndl->{$property} = $dhndl->{$property};
+ }
+ }
+ }
+
+ foreach my $peer ( keys %peer_list ) {
+ my $phndl = $peer_list{$peer};
+ # Fill in all proposals... 
+ my @pindexes = peer_get_indexes ( %$phndl );
+ foreach my $property ( grep { $_ = $1 if /^(.*)\[[0-9]+\]$/; } keys %$dhndl ) {
+ foreach my $ind ( @pindexes ) {
+ next if $peer eq '%default' && $ind == 0;
+ my $name = "$property" . '[' . "$ind" . "]";
+ my $dname = "$property" . '[0]';
+ if ( ! defined $phndl->{"$name"} ) {
+ $phndl->{"$name"} = $dhndl->{"$dname"}
+ }
+ }
+ }
+
+ }
+
+ # If a peer does not exist, create it from %default
+ my @peers = keys %peer_list;
+ foreach my $connection ( keys %connection_list ) {
+ next if $connection eq '%default';
+ my $conn_hndl = $connection_list{$connection};
+ next if ! defined $conn_hndl->{'dst_ip'};
+ my $ip_addr = $conn_hndl->{'dst_ip'};
+ next if grep { $ip_addr eq $_ } @peers;
+
+ foreach my $element ( keys %{ $peer_list{'%default'} } ) {
+ $peer_list{$ip_addr}{$element} = $peer_list{'%default'}{$element};
+ }
+ }
+
+ # fill in dst_ip property if not already done...
+ foreach my $peer ( keys %peer_list ) {
+ next if $peer eq '%default';
+ $peer_list{$peer}{'dst_ip'} = $peer;
+ }
+
+ # Fix up missing " ...
+ foreach my $peer ( keys %peer_list ) {
+ my $phndl = $peer_list{$peer};
+ foreach my $prop ( 'my_identifier', 'peers_identifier', 'certificate_type', 'peers_certfile') {
+ my $ptype = get_proptype('peer', "$prop");
+ next if ! defined $phndl->{"$prop"};
+ my $value = $phndl->{"$prop"};
+ if ( $ptype eq 'peers_certfile' ){
+ next if $value =~ m/^dnssec$/i;
+ if ( $value =~ m/^(x509|plain_rsa)\s+\"?(\S+)\"?\s*$/i ) {
+ $phndl->{"$prop"} = "$1" . ' "' . "$2" . '"';
+ }
+ } elsif ( $ptype eq 'certificate' ) {
+ if ( $value =~ m/^x509\s+\"?(\S+)\"?\s+\"?(\S+)\"?\s*$/ ) {
+ $phndl->{"$prop"} = "x509 " . '"' . $1 . '" "' . $2 . 
'"';
+ }
+ } elsif ( $ptype eq 'identifier' ) {
+ next if $value =~ m/^address\s*$/i;
+ next if $value =~ m/^asn1dn\s*$/i;
+ if ( $value =~ m/^address\s+([0-9a-f:\.]+)\s*$/i ) {
+ $phndl->{"$prop"} = "address $1";
+ }
+ if ( $value =~ m/^fqdn\s+"?([-a-z0-9\._]+)"?\s*$/i ) {
+ $phndl->{"$prop"} = "fqdn " . '"' . $1 . '"';
+ }
+ if ( $value =~ m/^user_fqdn\s+"?([-a-z0-9\.\@_]+)"?\s*$/i ) {
+ $phndl->{"$prop"} = "user_fqdn " . '"' . $1 . '"';
+ }
+ if ( $value =~ m/^asn1dn\s+"?([-a-z0-9\.\@_\s\\\/='\[\]]+)"?\s*$/i ) {
+ $phndl->{"$prop"} = "asn1dn " . '"' . $1 . '"';
+ }
+ if ( $value =~ m/^keyid\s+"?(\/\S+)"?$/i ) {
+ $phndl->{"$prop"} = "keyid " . '"' . $1 . '"';
+ }
+ }
+ }
+ }
+
+}
+
+sub peer_check_required () {
+
+ # For now, every peer has required values...
+PEER: foreach my $peer ( keys %peer_list ) {
+ my $makelive = 1;
+ next PEER if $peer eq '%default';
+
+ $makelive = 0 if ( $peer_list{$peer}{'syntax_error'} );
+ if (! $makelive) {
+ prog_warn 0, "$peer - required parameters missing or syntax error.";
+ prog_warn 0, "$peer - not activating.";
+ $peer_list{$peer}{'makelive'} = 0;
+ next PEER;
+ }
+
+ $peer_list{$peer}{'makelive'} = 1;
+ }
+}
+
+
+
+# print connection output
+sub global_dump_list () {
+ print "global: ";
+ foreach my $prop ( keys %global ) {
+ print "$prop=$global{$prop} ";
+ }
+ print "\n";
+}
+
+sub peer_dump_list () {
+ foreach my $peer ( keys %peer_list ) {
+ print "$peer: ";
+ foreach my $property ( keys %{ $peer_list{$peer} } ) {
+ print "$property=$peer_list{$peer}{$property} ";
+ }
+ print "\n";
+ }
+}
+
+sub conn_dump_list () {
+ foreach my $connection ( keys %connection_list ) {
+ print "$connection: ";
+ foreach my $property ( keys %{ $connection_list{$connection} } ) {
+ print "$property=$connection_list{$connection}{$property} ";
+ }
+ print "\n";
+ }
+}
+
+# setup the kernel
+sub setkey_start () {
+ # Flush and reinit kernel
+ sadspd_reset();
+
+ # Load all peers
+}
+
+sub setkey_stop () {
+ # Flush kernel
+ spd_flush();
+ 
sad_flush();
+}
+
+# Reset SAD and SPD
+sub spd_reset () {
+ spd_flush ();
+ spd_init ();
+}
+
+sub sad_reset () {
+ sad_flush ();
+ sad_init ();
+}
+
+# Fill in spdadd command
+sub spd_fill_add ($) {
+ my $connection = shift;
+ my $stuff;
+
+ my $hndl = $connection_list{$connection};
+ $stuff = $spdadd{$$hndl{'spdadd_template'}};
+
+ if ($hndl->{'spdadd_template'} eq '%default') {
+ # Do fill in values for compression
+ if (defined $hndl->{'compression'}
+ && $bool_val{"$hndl->{'compression'}"} != 0) {
+ $stuff =~ s/^(\s*spdadd.*out ipsec\s*)$/${1}\n${spdadd_addons{'ipcomp_out'}}/m;
+ $stuff =~ s/^(\s*spdadd.*in ipsec\s*)$/${1}\n${spdadd_addons{'ipcomp_in'}}/m;
+ }
+ }
+
+ foreach my $key (keys %$hndl) {
+ $stuff =~ s/___${key}___/$$hndl{$key}/img;
+ }
+
+
+ return $stuff;
+}
+
+# Load the SPD
+sub spd_load (;$) {
+ my $conn = shift;
+ my $setkey_buffer = '';
+ my @conns = ();
+ my @spd_list;
+ my %conn_spd_hash;
+
+ parse_spd(@spd_list, %conn_spd_hash);
+ if ( defined $conn ) {
+ return 0 if ( ! grep /^${conn}$/, (keys %connection_list) );
+ return -1 if ( ! $connection_list{$conn}{'makelive'} );
+ return -2 if ( grep /^${conn}$/, keys %conn_spd_hash );
+ @conns = ( $conn );
+ } else {
+ @conns = keys %connection_list;
+ }
+
+ open ( SETKEY, '|-' )
+ || exec ("$setkey_cmd -c 2>&1 | $0 -l" );
+ for my $connection ( @conns ) {
+ next if $connection eq '%default';
+ next if $connection eq '%anonymous';
+ next if grep /^${connection}$/, keys %conn_spd_hash;
+ my $hndl = $connection_list{$connection};
+ next if ! $$hndl{'makelive'};
+ next if ! $bool_val{$$hndl{'admin_status'}};
+ my $stuff = spd_fill_add ($connection);
+ $setkey_buffer .= $stuff. "\n";
+ print SETKEY <<"EOF";
+$stuff
+EOF
+ }
+ close SETKEY;
+ my $err = $?;
+ if ( $err ) {
+ my $i = 1;
+ foreach my $line ( split /^/m, $setkey_buffer ) {
+ chomp $line;
+ prog_warn 0, "setkey input: $i $line";
+ $i++;
+ }
+ prog_die "loading SPD failed - exit code " . 
($err >> 8);
+ }
+ return 1;
+}
+
+# Initialise the SPD
+sub spd_init() {
+ open ( SETKEY, '|-' )
+ || exec ($setkey_cmd, '-c');
+ $spdinit = '' if ! defined $spdinit;
+ print SETKEY <<"EOF";
+spdflush;
+$spdinit
+EOF
+
+ close SETKEY or prog_die "initialising SPD failed - exit code " . ($? >> 8);
+ return 1;
+}
+
+# Initialise the SAD
+sub sad_init() {
+ open ( SETKEY, '|-' )
+ || exec ($setkey_cmd, '-c');
+ $sadinit = '' if ! defined $sadinit;
+ print SETKEY <<"EOF";
+$sadinit
+EOF
+
+ close SETKEY or prog_die "initialising SPD failed - exit code " . ($? >> 8);
+ return 1;
+}
+
+
+# Flush the SAD
+sub sad_flush () {
+ setkey_flush('SAD');
+}
+
+# Flush the SPD
+sub spd_flush() {
+ setkey_flush('SPD');
+}
+
+sub setkey_flush ($) {
+ my $table = shift;
+ my $cleanret = 0;
+ my $arg = "";
+
+ if ( $table =~ /SAD/ ) {
+ $arg = "";
+ }
+ elsif ( $table =~ /SPD/ ) {
+ $arg = "-P";
+ } else {
+ prog_die "setkey_flush() - wrong arg $table";
+ }
+
+ open ( SETKEY, '-|' )
+ || exec ("$setkey_cmd $arg -F 2>&1");
+ while ( ) {
+ if ( m/pfkey_open: Address family not supported by protocol/ ) {
+ $cleanret = 1;
+ next;
+ }
+ chomp;
+ prog_warn 0, "setkey said: $_";
+ # print "$_\n";
+ }
+
+ close SETKEY;
+ prog_die ("flushing $table failed - exit code " . ($? >> 8))
+ if ( $? && ! 
$cleanret);
+ return 0
+}
+
+sub spd_show () {
+ setkey_show('SPD');
+}
+
+sub sad_show () {
+ setkey_show('SAD');
+}
+
+sub setkey_show ($) {
+ my $table = shift;
+ my $cleanret = 0;
+ my $arg = "";
+
+ if ( $table =~ /SAD/ ) {
+ $arg = "";
+ }
+ elsif ( $table =~ /SPD/ ) {
+ $arg = "-P";
+ } else {
+ prog_die "setkey_show() - wrong arg $table";
+ }
+
+ system ("$setkey_cmd $arg -D | $pager_cmd @pager_flags");
+
+ return 0
+}
+
+sub mod_start () {
+
+ print "Loading IPSEC/crypto modules...\n";
+
+ # Load cryptographic modules
+ mod_start_crypto ();
+
+ # Load xfrm and af_key
+ mod_load "$modpath_xfrm/xfrm_user${modext}";
+ mod_load "$modpath_key/af_key${modext}";
+
+ # Load IPv4 IPSEC
+ mod_start_ipsec ();
+
+ # Load IPv6 IPSEC
+ mod_start_ipsec6 ();
+
+ print "IPSEC/crypto modules loaded.\n";
+ prog_warn 'info', "loaded IPSEC/crypto modules.";
+
+ return 0;
+}
+
+sub mod_stop () {
+
+ print "Unloading IPSEC/crypto modules...\n";
+
+ # Unload crypto modules
+ mod_stop_crypto ();
+
+ # Unload xfrm and af_key
+ mod_unload "$modpath_xfrm/xfrm_user${modext}";
+ mod_unload "$modpath_key/af_key${modext}";
+
+ # Unload IPv4 IPSEC
+ mod_stop_ipsec ();
+
+ # Unload IPv6 IPSEC
+ mod_stop_ipsec6 ();
+
+ print "IPSEC/crypto modules unloaded.\n";
+ prog_warn 'info', "unloaded IPSEC/crypto modules";
+
+ return 0;
+}
+
+sub mod_start_ipsec6 () {
+
+ return 0 if ! -d $proc_ipv6;
+
+ for my $mod ( @modules_ipsec6 ) {
+ mod_load "${modpath_ipsec6}/${mod}${modext}";
+ }
+
+ return 0;
+}
+
+sub mod_stop_ipsec6 () {
+
+ for my $mod ( @modules_ipsec6 ) {
+ mod_unload $mod;
+ }
+
+ return 0;
+}
+
+
+sub mod_start_ipsec () {
+
+ return 0 if ! -d $proc_ipv4;
+
+ for my $mod ( @modules_ipsec ) {
+ mod_load "${modpath_ipsec}/${mod}${modext}";
+ }
+
+ return 0;
+}
+
+sub mod_stop_ipsec () {
+
+ for my $mod ( @modules_ipsec ) {
+ mod_unload $mod;
+ }
+
+ return 0;
+}
+
+sub mod_start_crypto () {
+ local @modfiles;
+
+ return 0 if ( ! 
-d $modpath_crypto );
+
+ # Load zlib_deflate if present
+ mod_load "$modpath_zlib/zlib_deflate${modext}";
+
+ opendir DIR, $modpath_crypto or prog_die "$modpath_crypto - $!";
+ @modfiles = grep /${modext}$/, readdir DIR;
+ closedir DIR;
+
+ for my $mod ( @modfiles ) {
+ next if ( $mod =~ /tcrypt${modext}$/ );
+ mod_load "$modpath_crypto/$mod";
+ }
+
+ return 0
+}
+
+sub mod_stop_crypto () {
+ local @modfiles;
+
+ return 0 if ( ! -d $modpath_crypto );
+
+ opendir DIR, $modpath_crypto or prog_die "$modpath_crypto - $!";
+ @modfiles = grep /${modext}$/, readdir DIR;
+ closedir DIR;
+ for my $mod ( @modfiles ) {
+ mod_unload $mod;
+ }
+
+ # Unload zlib_deflate if present
+ mod_unload "$modpath_zlib/zlib_deflate${modext}";
+
+ return 0
+}
+
+sub mod_load ($) {
+ local $modtoload = shift;
+ local $modname;
+
+ # Check that kernel supports modules
+ return 1 if ( ! -f $proc_modules );
+
+ return 1 if ( ! -f $modtoload );
+
+ return 1 if ( ! -f "/sbin/modprobe" );
+
+ $modname = basename("$modtoload", "$modext");
+
+ if ( ! grep /^${modname}$/, @modules ) {
+ system ( "/sbin/modprobe $modtoload" );
+ }
+
+ return 0
+
+}
+
+sub mod_unload ($) {
+ my $modname = shift;
+
+ $modname = basename("$modname", "$modext");
+
+ if ( ! grep /^${modname}$/, @modules ) {
+ return 0;
+ }
+
+ system ( "/sbin/modprobe -r $modname > /dev/null 2>&1" );
+
+ return 0;
+}
+
+sub mod_ls () {
+ local $module;
+
+ if (@modules > 0) {
+ return 0
+ }
+
+ # Check that kernel supports modules
+ if ( ! -f $proc_modules ) {
+ return 1;
+ }
+
+ open MOD, "<$proc_modules";
+ while ($module = ) {
+ chomp $module;
+ next if ($module =~ /^Module\s+Size/);
+ $module =~ s/^([a-zA-Z0-9_\-]+)\s+.*$/$1/;
+ push @modules, $module;
+ }
+ close MOD;
+
+ return 0;
+}
+
+
+
--- ipsec-tools-0.6.6.orig/debian/racoon-tool.conf.5
+++ ipsec-tools-0.6.6/debian/racoon-tool.conf.5
@@ -0,0 +1,291 @@
+.TH RACOON-TOOL.CONF 5
+.SH NAME
+racoon-tool.conf \- configuration file for
+.BR racoon-tool (8).
+.SH "DESCRIPTION"
+This manual page documents briefly the
+.BR racoon-tool.conf (5) ,
+configuration file format.
+.PP
+Please consult the
+.BR racoon.conf (5)
+man-page first to better understand what is written about here.
+.SH SYNTAX
+The
+.BR racoon-tool.conf (5)
+file is laid out in sections.
+.PP
+Comments are delimited on the left by `#', and can be on a line by
+themselves, or at the end of a line.
+.PP
+The possible sections are
+.I global,
+.I connection,
+and
+.I peer.
+The possible templates are
+.I spdadd,
+.I spdinit,
+.I sadinit,
+.I sadadd,
+.I remote,
+.I sainfo,
+and
+.I racooninit.
+.PP
+Sections start with
+.I section:
+and then continue with their properties (name terminated by `:' then
+value), and templates ALWAYS have to have each line started with
+.I template:
+Sections and templates can be named, with the name occurring in
+parenthesis between the last character of their type and the final
+colon.
+.SH SECTIONS
+The possible sections are:
+.TP
+.BR global:
+Contains global parameters for the generated
+.BR racoon.conf (5),
+and global settings used by
+.BR racoon-tool (8).
+Available settings are:
+.I path_pre_shared_key,
+.I path_certificate,
+.I path_racoon_conf,
+.I racoon_command,
+.I racoon_pid_file,
+.I log,
+.I listen[[0-9a-z]],
+and
+.I complex_bundle.
+
+Apart from
+.I racoon-command
+and
+.I racoon_pid_file,
+the setting map across to the similar names in
+.BR racoon.conf (5).
+
+The
+.I listen
+directive is a bit different from the man-page and takes multiple
+.I {ip-address} [[port]]
+statements by attaching an index `0-9',`a-z' in square brackets immediately
+before the colon.
+.TP
+.BR connection( "%default|%anonymous|[-_a-z0-9]+" ):
+Connection as described by the complementary SPD entries. Creates
+`sainfo' sections in the generated
+.BR racoon.conf (5),
+and associated SPD entries. 
+
+Directives and values are basically one for
+one with the relevant entries in
+.BR racoon.conf (5).
+
+The `%default' VPN connection fills in entries in other specified
+connections, unless they are otherwise defined within the specific
+connection. The `%anonymous' connection is there for a passive VPN
+server.
+.TP
+.BR peer( "%default|%anonymous|[a-f0-9:\.]+" ):
+Defines the phase 1 attributes associated with a peer. This creates
+`remote' entries in the generated
+.BR racoon.conf (5).
+
+Directives and values are basically one for one with the relevant
+entries in
+.BR racoon.conf (5).
+Different proposals are signified by adding an index `0-9', or `a-z' to
+the
+.I encryption_algorithm,
+.I hash_algorithm,
+.I dh_group,
+and
+.I authentication_method
+entries, within square brackets immediately before the colon.
+
+The `%default' VPN connection fills in entries in other specified
+connections, unless they are otherwise defined within the specific
+connection. The `%anonymous' connection is there for a passive VPN
+server.
+.SH TEMPLATES
+Templates are described briefly here. You will have to look inside the
+.BR racoon-tool (8)
+perl script to see exactly what you can do.
+.TP
+.BR spdinit:
+Portion that can be used to initialise the SPD. Uses setkey syntax.
+See
+.BR setkey (8).
+.TP
+.BR sadinit:
+Portion that can be used to initialise the SAD. Uses setkey syntax.
+See
+.BR setkey (8).
+.TP
+.BR spdadd(%default|[-_a-z0-9]+):
+Template for adding SPD entries. Different templates can be used.
+Keys for replacement are of the form `___setkey_name___', with names
+found in
+.BR setkey (8).
+The built in template is named `%default'.
+.TP
+.BR sadadd(%default|[-_a-z0-9]+):
+Template for adding SAD entries. Different templates can be used.
+Keys for replacement are of the form `___setkey_name___', with names
+found in
+.BR setkey (8).
+The built in template is named `%default'. 
+.TP
+.BR remote(%default|[-_a-z0-9]+):
+Template for adding 'remote' entries to the generated
+.BR racoon.conf(5).
+Different templates can be used. Keys for replacement are
+of the form `___setkey_name___', with names found in
+.BR setkey (8).
+The built in template is named `%default'.
+.TP
+.BR sainfo(%default|[-_a-z0-9]+):
+Template for adding 'sainfo' entries to the generated
+.BR racoon.conf (5).
+Different templates can be used.
+Keys for replacement are of the form `___setkey_name___', with names
+found in
+.BR setkey (8).
+The built in template is named `%default'.
+.TP
+.BR racooninit:
+Template for adding your own section to the start of the generated
+.BR racoon.conf (5).
+
+.SH "EXAMPLES"
+Example of a simple configuration using PSK authentication.
+.PP
+.nf
+#
+# Configuration file for racoon-tool
+#
+# See racoon-tool.conf(5) for details
+#
+
+#
+# Simple PSK - authentication defaults to pre_shared_key
+#
+connection(bacckdoor-doormat):
+ src_range: 192.168.223.1/32
+ dst_range: 192.168.200.0/24
+ src_ip: 172.31.1.1
+ dst_ip: 10.0.0.1
+ admin_status: enabled
+ compression: no
+ lifetime: time 20 min
+ authentication_algorithm: hmac_sha1
+ encryption_algorithm: 3des
+
+peer(10.0.0.1):
+ verify_cert: on
+ passive: off
+ verify_identifier: off
+ lifetime: time 60 min
+ hash_algorithm[0]: sha1
+ encryption_algorithm[0]: 3des
+
+.fi
+.PP
+Example of a complex configuration with multple networks betweenthe
+same endpoints, as well as use of `%default' for common settings. 
+.PP
+.nf
+#
+# Configuration file for racoon-tool
+#
+
+global:
+ log: notify
+
+# default settings to save typing
+peer(%default):
+ certificate_type: x509 blurke-ipsec.crt blurke-ipsec.key
+ my_identifier: fqdn blurke.bar.com
+ lifetime: time 60 min
+ verify_identifier: on
+ verify_cert: on
+ hash_algorithm[0]: sha1
+ encryption_algorithm[0]: 3des
+ authentication_method[0]: rsasig
+
+connection(%default):
+ authentication_algorithm: hmac_sha1
+ encryption_algorithm: 3des
+ src_ip: 172.31.1.1
+ lifetime: time 20 min
+
+# Connection to work
+peer(10.0.0.1):
+ peers_identifier: fqdn blue.sky.com
+
+connection(blurke-blue-sky-work):
+ src_range: 192.168.203.1/32
+ dst_range: 172.16.0.0/24
+ dst_ip: 10.0.0.1
+ admin_status: enabled
+
+# Connection to telehoused servers
+connection(blurke-mail):
+ src_range: 192.168.203.0/24
+ dst_range: 172.20.1.1
+ dst_ip: 10.100.0.1
+ encryption_algorithm: blowfish
+ compression: on
+ admin_status: yes
+
+peer(10.100.0.1):
+ peers_identifier: fqdn mail.bar.com
+
+connection(blurke-web1):
+ src_range: 192.168.203.0/24
+ dst_range: 172.20.1.23
+ dst_ip: 10.100.0.1
+ encryption_algorithm: blowfish
+ admin_status: yes
+
+connection(blurke-web2):
+ src_range: 192.168.203.0/24
+ dst_range: 172.20.1.24
+ dst_ip: 10.100.0.1
+ encryption_algorithm: blowfish
+ admin_status: yes
+
+
+
+# Test connection to Free S/WAN
+connection(blurke-freeswan):
+ src_range: 192.168.203.0/24
+ dst_range: 172.17.100.0/24
+ dst_ip: 172.30.1.1
+ admin_status: yes
+
+peer(172.30.1.1):
+ peers_identifier: fqdn banshee
+.fi
+
+.SH "FILES"
+.TP
+.I /etc/racoon/racoon-tool.conf
+The file that this man page describes.
+.TP
+.I /var/lib/racoon/racoon.conf
+The generated racoon.conf.
+
+.SH "SEE ALSO"
+.BR racoon.conf (5),
+.BR racoon-tool (8),
+.BR racoon (8),
+.BR setkey (8).
+.SH BUGS
+This man page is by no means complete.
+.SH AUTHOR
+This manual page was written by Matthew Grant
+for the Debian GNU/Linux system (but may be used by others). 
--- ipsec-tools-0.6.6.orig/debian/postinst
+++ ipsec-tools-0.6.6/debian/postinst
@@ -0,0 +1,42 @@
+#! /bin/sh
+# postinst script for ipsec-tools
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+# * `configure'
+# * `abort-upgrade'
+# * `abort-remove' `in-favour'
+#
+# * `abort-deconfigure' `in-favour'
+# `removing'
+#
+# for details, see http://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+#
+
+case "$1" in
+ configure)
+
+ ;;
+
+ abort-upgrade|abort-remove|abort-deconfigure)
+
+ ;;
+
+ *)
+ echo "postinst called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
+
+
--- ipsec-tools-0.6.6.orig/debian/compat
+++ ipsec-tools-0.6.6/debian/compat
@@ -0,0 +1 @@
+4
--- ipsec-tools-0.6.6.orig/debian/postrm
+++ ipsec-tools-0.6.6/debian/postrm
@@ -0,0 +1,38 @@
+#! /bin/sh
+# postrm script for ipsec-tools
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+# * `remove'
+# * `purge'
+# * `upgrade'
+# * `failed-upgrade'
+# * `abort-install'
+# * `abort-install'
+# * `abort-upgrade'
+# * `disappear' overwrit>r>
+# for details, see http://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+
+case "$1" in
+ purge|remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
+
+
+ ;;
+
+ *)
+ echo "postrm called with unknown argument \`$1'" >&2
+ exit 1
+
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
--- ipsec-tools-0.6.6.orig/debian/racoon.config
+++ ipsec-tools-0.6.6/debian/racoon.config
@@ -0,0 +1,25 @@
+#!/bin/sh -e
+CONFFILE=/etc/default/racoon
+
+# Source debconf library.
+. /usr/share/debconf/confmodule
+
+CONFIG_MODE=""
+
+if test -e "$CONFFILE"; then
+ . "$CONFFILE"
+
+ # Guard against admin writing silly things into the
+ # config file...
+ if test "$CONFIG_MODE" != "racoon-tool"; then
+ db_set racoon/config_mode "direct"
+ else
+ db_set racoon/config_mode "racoon-tool"
+ fi
+
+fi
+
+# Setup and select the configuration mode
+db_input high racoon/config_mode || true
+db_go
+
--- ipsec-tools-0.6.6.orig/debian/ipsec-tools.setkey.init
+++ ipsec-tools-0.6.6/debian/ipsec-tools.setkey.init
@@ -0,0 +1,52 @@
+#!/bin/sh
+
+PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
+SETKEY=/usr/sbin/setkey
+SETKEY_CONF=/etc/ipsec-tools.conf
+NAME=setkey
+
+test -x $SETKEY -a -f $SETKEY_CONF || exit 0
+
+RUN_SETKEY="yes"
+if [ -f /etc/default/setkey ] ; then
+ . /etc/default/setkey
+fi
+
+if [ $RUN_SETKEY != "yes" ] ; then
+ exit 0
+fi
+
+set -e
+
+. /lib/lsb/init-functions
+
+case "$1" in
+ start)
+ log_begin_msg "Loading IPsec SA/SP database from $SETKEY_CONF: "
+ if $SETKEY -f $SETKEY_CONF; then
+ log_end_msg 0
+ else
+ log_end_msg 1
+ fi
+ ;;
+ stop)
+ log_begin_msg "Flushing IPsec SA/SP database: "
+ if $SETKEY -F -FP; then
+ log_end_msg 0
+ else
+ log_end_msg 1
+ fi
+ ;;
+ restart|force-reload)
+ $0 stop || true
+ sleep 1
+ $0 start
+ ;;
+ *)
+ N=/etc/init.d/$NAME
+ log_success_msg "Usage: $N {start|stop|restart|force-reload}"
+ exit 1
+ ;;
+esac
+
+exit 0
--- ipsec-tools-0.6.6.orig/debian/racoon-tool.8
+++ ipsec-tools-0.6.6/debian/racoon-tool.8
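Review bot: In ipsec-tools.setkey.init the guard `if [ $RUN_SETKEY != "yes" ] ; then` expands `$RUN_SETKEY` unquoted right after `/etc/default/setkey` has been sourced, so a value that is empty or contains whitespace (an easy mistake in that file) turns into a `[` syntax error rather than a clean exit; write it as `if [ "$RUN_SETKEY" != "yes" ] ; then`. The same applies to the `test -x $SETKEY -a -f $SETKEY_CONF || exit 0` line above it, though those two variables are constants set in the script. Note also that the default file is sourced before `set -e` takes effect, so an error inside it is silently ignored rather than reported; that is the usual init-script layout, but worth a one-line comment such as `# sourced before set -e: a broken default file is ignored, not fatal` if that is intended.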
@@ -0,0 +1,143 @@
+.TH RACOON-TOOL 8
+.\" NAME should be all caps, SECTION should be 1-8, maybe w/ subsection
+.\" other parms are allowed: see man(7), man(1)
+.SH NAME
+racoon-tool \- program to manage the
+.BR racoon (8)
+IPSEC IKE daemon.
+.SH SYNOPSIS
+.B racoon-tool
+.I "[-h] reload|restart|force-reload|start|stop"
+.br
+.B racoon-tool
+.I "[-h] sadflush|spdflush|saddump|spddump"
+.br
+.B racoon-tool
+.I "[-h] vpndown|vdown|vpnup|vup connection-name|all"
+.br
+.B racoon-tool
+.I "[-h] vpnreload|vreload connection-name|all"
+.br
+.B racoon-tool
+.I "[-h] vpnlist|vlist [connection-name|all]"
+.br
+.B racoon-tool
+.I "[-h] vpnmenu|vmenu [connection-name-regexp]"
+.br
+.B racoon-tool
+.I "[-h] racoonstart|racoonstop|rstart|rstop"
+.br
+.SH "DESCRIPTION"
+This manual page documents briefly the
+.BR racoon-tool
+command.
+.BR racoon-tool (8)
+is a perl script that can be used to control the
+.BR racoon (8)
+IKE daemon and the SPD database within the kernel via the
+.BR setkey (8)
+command. Various operations that it can do
+are described below.
+.PP
+You can also optionally choose not to use it via reconfiguring the
+.I racoon
+package using
+.BR dpkg-reconfigure (8).
+
+.SH OPTIONS
+A summary of options are included below.
+.TP
+.B \-h
+Show summary of options.
+
+.SH COMMANDS
+.TP
+.B start
+Start
+.BR racoon (8),
+loading any needed modules, configuring the SPD, and generating
+a configuration from
+.I/etc/racoon/racoon-tool.conf.
+.TP
+.B stop
+Stop
+.BR racoon (8)
+unloading any crypto/IPSEC modules, flushing the SAD and SPD.
+.TP
+.B reload
+Regenerate configuration from
+.I/etc/racoon/racoon.conf, HUP
+.BR racoon (8)
+and reinitialise the SPD and SAD.
+.TP
+.B restart|force-reload
+Perform a
+.I stop
+followed by a
+.I start
+.TP
+.B sadflush
+Flush the SAD via
+.BR setkey (8).
+.TP
+.B spdflush
+Flush the SPD via
+.BR setkey (8).
+.TP
+.B saddump|dump
+Dump the SAD to screen via
+.BR setkey (8),
+paginating via your pager. 
+.TP
+.B spddump
+Dump the SPD to screen via
+.BR setkey (8),
+paginating via your pager.
+.TP
+.BR "vpnup|vup" " connection-name|all"
+Bring up the VPN connection(s).
+.TP
+.BR "vpndown|vdown" " connection-name|all"
+Take down the VPN connection(s).
+.TP
+.BR "vpnreload|vreload" " connection-name|all"
+Reload the VPN connection(s).
+.TP
+.BR "vpnlist|vlist" " [connection-name|all]"
+List the known VPN connections in
+.I /etc/racoon/racoon-tool.conf.
+Can be used by a script or administrator to see
+if a VPN connection exists.
+.TP
+.BR "vpnmenu|vmenu" " [connection-name-regexp]"
+Start the VPN menu management mode. This displays the SPD,
+and you can shutdown VPNs from here. Latter on support will
+be added for checking status and reloading the chosen connection.
+.TP
+.B racoonstart|rstart
+Start only the
+.BR racoon (8)
+daemon.
+.TP
+.B racoonstop|rstop
+Stop only the
+.BR racoon (8)
+daemon.
+.SH "FILES"
+.TP
+.I /etc/racoon/racoon-tool.conf
+\- configuration file.
+.TP
+.I /var/lib/racoon/racoon.conf
+\- generated racoon.conf
+.SH "SEE ALSO"
+.BR racoon (8),
+.BR racoon.conf (5),
+.BR setkey (8),
+.BR racoon-tool.conf (5).
+
+.SH AUTHOR
+This manual page was written by Matthew Grant ,
+for the Debian GNU/Linux system (but may be used by others).
+
+\" LocalWords: RACOON
--- ipsec-tools-0.6.6.orig/debian/copyright
+++ ipsec-tools-0.6.6/debian/copyright
@@ -0,0 +1,61 @@
+This is the Debian packaged version of ipsec-tools.
+
+Sources for this package can be found at its homepage at
+http://ipsec-tools.sourceforge.net/ .
+
+The code is copyright 1995, 1996, 1997, 1998, and 1999 by the WIDE Project
+and licensed under the BSD license. On Debian systems a copy of the
+license can be found in /usr/share/common-licenses/BSD .
+
+The GSSAPI code is copyright 2000 Wasabi Systems, Inc and lincensed under
+the following license:
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions
+ are met:
+ 1. Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+ 3. All advertising materials mentioning features or use of this software
+ must display the following acknowledgement:
+ This product includes software developed by Wasabi Systems for
+ Zembu Labs, Inc. http://www.zembu.com/
+ 4. The name of Wasabi Systems, Inc. may not be used to endorse
+ or promote products derived from this software without specific prior
+ written permission.
+
+ THIS SOFTWARE IS PROVIDED BY WASABI SYSTEMS, INC. ``AS IS'' AND
+ ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL WASABI SYSTEMS, INC
+ BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+
+The racoon-tool perl script is:
+
+Copyright Matthew Grant, Catalyst IT Ltd 2004.
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; version 2 dated June, 1991.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+On Debian GNU/Linux systems, the complete text of the GNU General
+Public License can be found in `/usr/share/common-licenses/GPL'.
+
+ A copy of the GNU General Public License is also available at
+ . You may also obtain
+ it by writing to the Free Software Foundation, Inc., 51 Franklin
+ St, Fifth Floor, Boston, MA 02110-1301, USA.
+
--- ipsec-tools-0.6.6.orig/debian/examples/racoon.conf-upstream-install
+++ ipsec-tools-0.6.6/debian/examples/racoon.conf-upstream-install
@@ -0,0 +1,125 @@
+# $KAME: racoon.conf.in,v 1.18 2001/08/16 06:33:40 itojun Exp $
+
+# "path" must be placed before it should be used.
+# You can overwrite which you defined, but it should not use due to confusing.
+path include "/etc/racoon" ;
+#include "remote.conf" ;
+
+# search this file for pre_shared_key with various ID key.
+path pre_shared_key "/etc/racoon/psk.txt" ;
+
+# racoon will look for certificate file in the directory,
+# if the certificate/certificate request payload is received.
+path certificate "/etc/cert" ;
+
+# "log" specifies logging level. It is followed by either "notify", "debug"
+# or "debug2".
+#log debug;
+
+# "padding" defines some parameter of padding. You should not touch these.
+padding
+{
+ maximum_length 20; # maximum padding length.
+ randomize off; # enable randomize length.
+ strict_check off; # enable strict check.
+ exclusive_tail off; # extract last one octet.
+}
+
+# if no listen directive is specified, racoon will listen to all
+# available interface addresses.
+listen
+{
+ #isakmp ::1 [7000];
+ #isakmp 202.249.11.124 [500];
+ #admin [7002]; # administrative's port by kmpstat.
+ #strict_address; # required all addresses must be bound.
+}
+
+# Specification of default various timer.
+timer
+{
+ # These value can be changed per remote node.
+ counter 5; # maximum trying count to send.
+ interval 20 sec; # maximum interval to resend.
+ persend 1; # the number of packets per a send.
+
+ # timer for waiting to complete each phase.
+ phase1 30 sec;
+ phase2 15 sec;
+}
+
+remote anonymous
+{
+ #exchange_mode main,aggressive;
+ exchange_mode aggressive,main;
+ doi ipsec_doi;
+ situation identity_only;
+
+ #my_identifier address;
+ my_identifier user_fqdn "sakane@kame.net";
+ peers_identifier user_fqdn "sakane@kame.net";
+ #certificate_type x509 "mycert" "mypriv";
+
+ nonce_size 16;
+ lifetime time 1 min; # sec,min,hour
+ initial_contact on;
+ support_mip6 on;
+ proposal_check obey; # obey, strict or claim
+
+ proposal {
+ encryption_algorithm 3des;
+ hash_algorithm sha1;
+ authentication_method pre_shared_key ;
+ dh_group 2 ;
+ }
+}
+
+remote ::1 [8000]
+{
+ #exchange_mode main,aggressive;
+ exchange_mode aggressive,main;
+ doi ipsec_doi;
+ situation identity_only;
+
+ my_identifier user_fqdn "sakane@kame.net";
+ peers_identifier user_fqdn "sakane@kame.net";
+ #certificate_type x509 "mycert" "mypriv";
+
+ nonce_size 16;
+ lifetime time 1 min; # sec,min,hour
+
+ proposal {
+ encryption_algorithm 3des;
+ hash_algorithm sha1;
+ authentication_method pre_shared_key ;
+ dh_group 2 ;
+ }
+}
+
+sainfo anonymous
+{
+ pfs_group 1;
+ lifetime time 30 sec;
+ encryption_algorithm 3des ;
+ authentication_algorithm hmac_sha1;
+ compression_algorithm deflate ;
+}
+
+sainfo address 203.178.141.209 any address 203.178.141.218 any
+{
+ pfs_group 1;
+ lifetime time 30 sec;
+ encryption_algorithm des ;
+ authentication_algorithm hmac_md5;
+ compression_algorithm deflate ;
+}
+
+sainfo address ::1 icmp6 address ::1 icmp6
+{
+ pfs_group 1;
+ lifetime time 60 sec;
+ encryption_algorithm 3des, blowfish 448, des ;
+ authentication_algorithm hmac_sha1, hmac_md5 ;
+ compression_algorithm deflate ;
+}
+
--- ipsec-tools-0.6.6.orig/debian/examples/racoon-tool.conf-basic
+++ ipsec-tools-0.6.6/debian/examples/racoon-tool.conf-basic
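Review bot: The example proposes parameters that should not be copied into a live configuration: the second and third `sainfo` blocks list `encryption_algorithm des` and `authentication_algorithm hmac_md5`, all three `sainfo` blocks use `pfs_group 1`, and both `remote` blocks combine `dh_group 2` with `exchange_mode aggressive,main` and `authentication_method pre_shared_key`. Aggressive mode with a pre-shared key sends the identity unprotected and exposes the key-derived hash to offline guessing by a passive observer, and single DES, MD5 and MODP group 1 are well below current recommendations. Since this appears to be the unmodified KAME sample (the `$KAME` header is kept), a comment at the top stating that the file illustrates syntax only, and that `main` mode, `hmac_sha1` and larger `dh_group`/`pfs_group` values should be chosen for deployments, would keep an administrator from treating it as a baseline.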
@@ -0,0 +1,28 @@
+#
+# Configuration file for racoon-tool
+#
+# See racoon-tool.conf(5) for details
+#
+
+#
+# Simple PSK - authentication defaults to pre_shared_key
+#
+connection(bacckdoor-doormat):
+ src_range: 192.168.223.1/32
+ dst_range: 192.168.200.0/24
+ src_ip: 172.31.1.1
+ dst_ip: 10.0.0.1
+ admin_status: enabled
+ compression: no
+ lifetime: time 20 min
+ authentication_algorithm: hmac_sha1
+ encryption_algorithm: 3des
+
+peer(10.0.0.1):
+ verify_cert: on
+ passive: off
+ verify_identifier: off
+ lifetime: time 60 min
+ hash_algorithm[0]: sha1
+ encryption_algorithm[0]: 3des
+
--- ipsec-tools-0.6.6.orig/debian/examples/racoon-tool.conf-complex
+++ ipsec-tools-0.6.6/debian/examples/racoon-tool.conf-complex
@@ -0,0 +1,71 @@
+#
+# Configuration file for racoon-tool
+#
+
+global:
+ log: notify
+
+# default settings to save typing
+peer(%default):
+ certificate_type: x509 blurke-ipsec.crt blurke-ipsec.key
+ my_identifier: fqdn blurke.bar.com
+ lifetime: time 60 min
+ verify_identifier: on
+ verify_cert: on
+ hash_algorithm[0]: sha1
+ encryption_algorithm[0]: 3des
+ authentication_method[0]: rsasig
+
+connection(%default):
+ authentication_algorithm: hmac_sha1
+ encryption_algorithm: 3des
+ src_ip: 172.31.1.1
+ lifetime: time 20 min
+
+# Connection to work
+peer(10.0.0.1):
+ peers_identifier: fqdn blue.sky.com
+
+connection(blurke-blue-sky-work):
+ src_range: 192.168.203.1/32
+ dst_range: 172.16.0.0/24
+ dst_ip: 10.0.0.1
+ admin_status: enabled
+
+# Connection to telehoused servers
+connection(blurke-mail):
+ src_range: 192.168.203.0/24
+ dst_range: 172.20.1.1
+ dst_ip: 10.100.0.1
+ encryption_algorithm: blowfish
+ compression: on
+ admin_status: yes
+
+peer(10.100.0.1):
+ peers_identifier: fqdn mail.bar.com
+
+connection(blurke-web1):
+ src_range: 192.168.203.0/24
+ dst_range: 172.20.1.23
+ dst_ip: 10.100.0.1
+ encryption_algorithm: blowfish
+ admin_status: yes
+
+connection(blurke-web2):
+ src_range: 192.168.203.0/24
+ dst_range: 172.20.1.24
+ dst_ip: 10.100.0.1
+ encryption_algorithm: blowfish
+ admin_status: yes
+
+
+
+# Test connection to Free S/WAN
+connection(blurke-freeswan):
+ src_range: 192.168.203.0/24
+ dst_range: 172.17.100.0/24
+ dst_ip: 172.30.1.1
+ admin_status: yes
+
+peer(172.30.1.1):
+ peers_identifier: fqdn banshee
--- ipsec-tools-0.6.6.orig/debian/racoon.postrm
+++ ipsec-tools-0.6.6/debian/racoon.postrm
@@ -0,0 +1,38 @@
+#! /bin/sh
+# postrm script for ipsec-tools
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+# * `remove'
+# * `purge'
+# * `upgrade'
+# * `failed-upgrade'
+# * `abort-install'
+# * `abort-install'
+# * `abort-upgrade'
+# * `disappear' overwrit>r>
+# for details, see http://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+
+case "$1" in
+ purge|remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
+
+
+ ;;
+
+ *)
+ echo "postrm called with unknown argument \`$1'" >&2
+ exit 1
+
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
--- ipsec-tools-0.6.6.orig/debian/racoon-tool.conf
+++ ipsec-tools-0.6.6/debian/racoon-tool.conf
@@ -0,0 +1,46 @@
+#
+# Configuration file for racoon-tool
+#
+# See racoon-tool.conf(5) for details
+#
+
+# How to control the syslog level
+global:
+ log: notify
+
+#
+# Example of multiple networks to one endpoint
+#
+#connection(bacckdoor-doormat):
+# src_range: 192.168.223.1/32
+# dst_range: 192.168.200.0/24
+# src_ip: 172.31.1.1
+# dst_ip: 10.0.0.1
+# admin_status: enabled
+# compression: no
+# lifetime: time 20 min
+# authentication_algorithm: hmac_sha1,hmac_md5
+# encryption_algorithm: aes,3des
+
+#connection(backdoor-outhouse):
+# src_range: 192.168.223.0/24
+# dst_range: 10.255.255.254
+# src_ip: 172.31.1.1
+# dst_ip: 10.0.0.1
+# admin_status: no
+# lifetime: time 20 min
+# authentication_algorithm: hmac_sha1
+# encryption_algorithm: 3des
+
+
+#peer(10.0.0.1):
+# verify_cert: on
+# passive: off
+# verify_identifier: off
+# lifetime: time 60 min
+# hash_algorithm[0]: sha1
+# encryption_algorithm[0]: 3des
+## my_identifier: fqdn backdoor.foo.bar
+## peers_identifier: fqdn garden-path.foo.bar
+## certificate_type: x509 bLaH.pem PrIv.pem
+
--- ipsec-tools-0.6.6.orig/debian/preinst
+++ ipsec-tools-0.6.6/debian/preinst
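Review bot: The combined `purge|remove|...` arm of the `case` is empty, so purging the package leaves behind the generated `/var/lib/racoon/racoon.conf` that the racoon-tool(8) page added by this same patch lists under FILES, and that file carries the peer and identifier settings derived from `/etc/racoon/racoon-tool.conf`. Debian policy expects purge to remove what the package created at runtime; if the generated file does live at that path, a separate arm before the combined one, `purge) rm -f /var/lib/racoon/racoon.conf ;;`, with `purge|` dropped from the combined pattern, would cover it. The `*)` arm also ends without `;;`, which `sh` tolerates for the last arm but is inconsistent with the preinst script in this patch.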
@@ -0,0 +1,44 @@
+#! /bin/sh
+# preinst script for ipsec-tools
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+# * `install'
+# * `install'
+# * `upgrade'
+# * `abort-upgrade'
+#
+# for details, see http://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+
+case "$1" in
+ install|upgrade)
+# if [ "$1" = "upgrade" ]
+# then
+# start-stop-daemon --stop --quiet --oknodo \
+# --pidfile /var/run/ipsec-tools.pid \
+# --exec /usr/sbin/ipsec-tools 2>/dev/null || true
+# fi
+ ;;
+
+ abort-upgrade)
+ ;;
+
+ *)
+ echo "preinst called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
+
+
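Review bot: The commented-out `start-stop-daemon` block inside the `install|upgrade)` arm is dead template code: it names `/var/run/ipsec-tools.pid` and `/usr/sbin/ipsec-tools`, which do not correspond to the `racoon` daemon the rest of this patch documents (the manual page and postrm both refer to `racoon(8)`), so nothing here actually stops a running daemon before an upgrade. Commented-out code pointing at non-existent paths misleads the next maintainer into assuming that step is handled; either delete the six `#` lines or replace them with a working stop that uses the real daemon's pid file. With the block gone the arm reduces to `install|upgrade)` followed by `;;`, matching the `abort-upgrade)` arm below it.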