From owner-freebsd-bugs Thu Mar 15 8:30:13 2001
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id B69CC37B719 for ; Thu, 15 Mar 2001 08:30:01 -0800 (PST) (envelope-from gnats@FreeBSD.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.11.1/8.11.1) id f2FGU1X36331; Thu, 15 Mar 2001 08:30:01 -0800 (PST) (envelope-from gnats)
Received: from hydrogen.atomicbluebear.org (atomicbluebear.org [64.4.83.19]) by hub.freebsd.org (Postfix) with SMTP id 5AA0237B718 for ; Thu, 15 Mar 2001 08:22:55 -0800 (PST) (envelope-from mlea-freebsd-gnats@atomicbluebear.org)
Received: (qmail 3353 invoked by uid 86); 15 Mar 2001 16:22:53 -0000
Received: from helium.atomicbluebear.org (192.168.0.2) by hydrogen.atomicbluebear.org with QMQP; 15 Mar 2001 16:22:53 -0000
Message-Id: <20010315162253.4268.qmail@helium.atomicbluebear.org>
Date: 15 Mar 2001 16:22:53 -0000
From: mlea-freebsd-gnats@atomicbluebear.org To: FreeBSD-gnats-submit@freebsd.org X-Send-Pr-Version: 3.113 Subject: conf/25829: IPSec config in rc.network doesn't allow for IKE key management Sender: owner-freebsd-bugs@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org >Number: 25829 >Category: conf >Synopsis: IPSec config in rc.network doesn't allow for IKE key >Confidential: no >Severity: non-critical >Priority: low >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: change-request >Submitter-Id: current-users >Arrival-Date: Thu Mar 15 08:30:01 PST 2001 >Closed-Date: >Last-Modified: >Originator: Michael Lea >Release: FreeBSD 4.3-BETA i386 >Organization: Individual User >Environment: System: FreeBSD helium.atomicbluebear.org 4.3-BETA FreeBSD 4.3-BETA #1: Wed Mar 14 10:09:53 CST 2001 mlea@helium.atomicbluebear.org:/usr/obj/usr/src/sys/GLUON i386 >Description: IPSec keys and security associations must be established before network services (like NFS) start. If an IKE daemon (like racoon) is being used to handle security associations and key exchange, it must be started in rc.network before other network services. >How-To-Repeat: >Fix: This patch modifies /etc/defaults/rc.conf and /etc/rc.network to optionally start an IKE daemon (by default, racoon) immediately after setkey has been run to set the IPSec policies. --- /usr/src/etc/rc.network Tue Mar 13 23:58:40 2001 +++ /etc/rc.network Thu Mar 15 09:57:58 2001 @@ -435,6 +435,13 @@ if [ -f ${ipsec_file} ]; then echo ' ipsec: enabled' setkey -f ${ipsec_file} + + case ${ike_enable} in + [Yy][Ee][Ss]) + echo ' ike: running' + ${ike_program} ${ike_flags} + ;; + esac else echo ' ipsec: file not found' fi --- /usr/src/etc/defaults/rc.conf Tue Mar 13 23:58:38 2001 +++ /etc/defaults/rc.conf Thu Mar 15 09:56:14 2001 
@@ -52,6 +52,9 @@ ip_portrange_last="NO" # Set last dynamically allocated port ipsec_enable="NO" # Set to YES to run setkey on ipsec_file ipsec_file="/etc/ipsec.conf" # Name of config file for setkey +ike_enable="NO" # Set to YES to run an IKE daemon +ike_program="/usr/local/sbin/racoon" # Which IKE daemon to run +ike_flags="" # Additional flags to pass to IKE daemon natd_program="/sbin/natd" # path to natd, if you want a different one. natd_enable="NO" # Enable natd (if firewall_enable == YES). natd_interface="fxp0" # Public interface or IPaddress to use. >Release-Note: >Audit-Trail: >Unformatted: management
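Review bot: the rc.network hunk runs `${ike_program} ${ike_flags}` without first checking that the program exists and is executable, so with the default path `/usr/local/sbin/racoon` (a ports location) a host that has `ike_enable="YES"` but no racoon installed prints ' ike: running' and then fails noisily at boot with no security associations ever negotiated. Guard it the way the script treats other optional daemons, e.g. `if [ -x ${ike_program} ]; then ${ike_program} ${ike_flags}; else echo ' ike: program not found'; fi`. Note also that the new `case` sits inside the `if [ -f ${ipsec_file} ]` branch, so when the policy file is missing the daemon is silently skipped and the only message is ' ipsec: file not found'; worth a line of its own so an operator can tell why IKE did not start.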
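Review bot: the rc.conf hunk's comments do not document that `ike_enable` has no effect unless `ipsec_enable="YES"` and `ipsec_file` exists, which is exactly how the rc.network change is wired; suggest `ike_enable="NO" # Set to YES to run an IKE daemon (requires ipsec_enable)` so the dependency is visible where people actually edit it. Since `ike_program` defaults to a path under `/usr/local`, the comment should also say the daemon comes from ports and is not part of the base system.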