1 #!/bin/sh /etc/rc.common
2 # IPsec startup and shutdown script
3 # Copyright (C) 1998, 1999, 2001 Henry Spencer.
4 # Copyright (C) 2002 Michael Richardson <mcr@freeswan.org>
6 # This program is free software; you can redistribute it and/or modify it
7 # under the terms of the GNU General Public License as published by the
8 # Free Software Foundation; either version 2 of the License, or (at your
9 # option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11 # This program is distributed in the hope that it will be useful, but
12 # WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 # or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
17 # ipsec init.d script for starting and stopping
18 # the IPsec security subsystem (KLIPS and Pluto).
20 # This script becomes /etc/rc.d/init.d/ipsec (or possibly /etc/init.d/ipsec)
21 # and is also accessible as "ipsec setup" (the preferred route for human
24 # The startup and shutdown times are a difficult compromise (in particular,
25 # it is almost impossible to reconcile them with the insanely early/late
26 # times of NFS filesystem startup/shutdown). Startup is after startup of
27 # syslog and pcmcia support; shutdown is just before shutdown of syslog.
29 # chkconfig: 2345 47 76
30 # description: IPsec provides encrypted and authenticated communications; \
31 # KLIPS is the kernel half of it, Pluto is the user-level management daemon.
# Extra action line appended to rc.common's usage output; the status
# action itself is implemented by the status handler near the end of this file.
35 EXTRA_HELP=" status Show the status of the service"
37 # Format a list into a delimited string and print it
38 config_list_delimit() {
# Joins the items of a UCI list option with a delimiter and prints the result.
# Arguments: $1 section name, $2 option name, $3 delimiter (default: one space)
# Outputs:   the joined list on stdout (nothing if the list is empty)
# SECTION and OPTION are expected to hold $1 and $2 (those assignments are not
# visible here).
41 local DELIMITER="${3:- }"
# Every item is printed followed by the delimiter, then sed strips the one
# trailing delimiter by character count (${#DELIMITER}); ${3:- } guarantees
# that count is at least 1.  The printf command is handed to
# config_list_foreach as a callback string — presumably each list value is
# appended as a printf argument rather than interpolated into the command;
# verify against the config_list_foreach implementation.
43 config_list_foreach "$SECTION" "$OPTION" "printf \"%s%s\"" "$DELIMITER" | sed "s/.\{${#DELIMITER}\}$//"
46 # Callback for each ipsec configuration section
47 # Converts list options from UCI to ipsec format and writes ipsec section headers
# Invoked once per UCI section with NAME/TYPE of the section being entered
# (the function header and argument assignments are not shown here).  List
# options of the *previous* section are written first, then the header of the
# new section.  CUR_SECTION_NAME/CUR_SECTION_TYPE carry state across calls and
# are also read by option_cb.
54 # Handle list options from previous section
55 if [ "$CUR_SECTION_TYPE" = "ipsec_conn" ] ; then
# ike list joined with ", " and emitted as a quoted value.
56 local IKE="$(config_list_delimit "$CUR_SECTION_NAME" "ike" ", ")"
57 if [ -n "$IKE" ] ; then
58 printf "\tike=\"%s\"\n" "$IKE" >> "$IPSEC_UCI_CONF"
# leftsubnets/rightsubnets: the test choosing between the plural "{ ... }"
# form and the singular leftsubnet=/rightsubnet= form is not shown here —
# presumably it depends on how many subnets the option holds; confirm.
63 config_get "SUBNETS" "$CUR_SECTION_NAME" "leftsubnets"
66 printf "\tleftsubnets={ %s }\n" "$SUBNETS" >> "$IPSEC_UCI_CONF"
69 printf "\tleftsubnet=%s\n" "$SUBNETS" >> "$IPSEC_UCI_CONF"
73 config_get "SUBNETS" "$CUR_SECTION_NAME" "rightsubnets"
76 printf "\trightsubnets={ %s }\n" "$SUBNETS" >> "$IPSEC_UCI_CONF"
79 printf "\trightsubnet=%s\n" "$SUBNETS" >> "$IPSEC_UCI_CONF"
82 elif [ "$CUR_SECTION_TYPE" = "ipsec_config" ] ; then
# virtual_private is joined with "," and written unquoted.
83 local VPRIV="$(config_list_delimit "$CUR_SECTION_NAME" "virtual_private" ",")"
84 if [ -n "$VPRIV" ] ; then
85 printf "\tvirtual_private=%s\n" "$VPRIV" >> "$IPSEC_UCI_CONF"
# Remember the section now being entered for option_cb and for the next call.
89 CUR_SECTION_NAME="$NAME"
90 CUR_SECTION_TYPE="$TYPE"
# "ipsec_config NAME" becomes "config NAME" and "ipsec_conn NAME" becomes
# "conn NAME"; the empty echo separates sections.
# NOTE(review): $NAME is written to the file unescaped; this is fine as long
# as UCI section names are limited to plain identifier characters — confirm.
92 case "$CUR_SECTION_TYPE" in
93 ipsec_config|ipsec_conn)
94 # Handled in option_cb
95 echo >> "$IPSEC_UCI_CONF"
96 echo "${TYPE#ipsec_} $NAME" >> "$IPSEC_UCI_CONF"
99 # Not handled in option_cb
106 # Callback for each ipsec configuration option
107 # Prints each UCI option to $IPSEC_UCI_CONF in ipsec.conf format
# Expects NAME and VALUE for the current option (their assignments are not
# shown here) and CUR_SECTION_TYPE as left by section_cb.  Only options of
# config/conn sections are converted.
112 case "$CUR_SECTION_TYPE" in
113 ipsec_config|ipsec_conn)
114 # Handle option in these sections
117 # Ignore options in all other sections
# List entries arrive as NAME_ITEM<n> plus a NAME_LENGTH counter (see the
# patterns below).  modecfgdns/modecfgwins map onto numbered ipsec.conf
# keys, so the numeric suffix is reused directly; printf %d would warn on a
# non-numeric suffix.
123 modecfgdns_ITEM[0-9]*)
124 printf "\tmodecfgdns%d=%s\n" "${NAME##modecfgdns_ITEM}" "$VALUE" >> "$IPSEC_UCI_CONF"
126 modecfgwins_ITEM[0-9]*)
127 printf "\tmodecfgwins%d=%s\n" "${NAME##modecfgwins_ITEM}" "$VALUE" >> "$IPSEC_UCI_CONF"
# All other lists are joined by section_cb once the section is complete.
129 *_ITEM[0-9]*|*_LENGTH)
130 # Ignore list items and length updates
133 # Ignore non-ipsec.conf parameters
136 # Quote values with characters which require quoting
# Values made only of alphanumerics, "_", "%" and "." are written bare;
# anything else is wrapped in double quotes.
# NOTE(review): a double quote or newline inside $VALUE is not escaped, so
# such a value alters the structure of the generated ipsec.conf instead of
# being carried as data.  A `case "$VALUE" in` pattern test would also avoid
# the echo|grep pipe and echo's special handling of values like "-n".
137 if echo "$VALUE" | grep -q '^[[:alnum:]_%.]*$' ; then
138 printf "\t%s=%s\n" "$NAME" "$VALUE" >> "$IPSEC_UCI_CONF"
140 printf "\t%s=\"%s\"\n" "$NAME" "$VALUE" >> "$IPSEC_UCI_CONF"
148 ipsec_config_convert() {
# Regenerates the ipsec.conf fragment and the secrets file from UCI.
# Both paths default to IPSEC_CONFS (normally /etc) unless overridden in the
# environment; each run truncates and rewrites both files via the header
# writers.
149 IPSEC_UCI_CONF="${IPSEC_UCI_CONF:-${IPSEC_CONFS:-/etc}/ipsec.uci.conf}"
150 ipsec_config_print_header
152 # Conversion for $IPSEC_UCI_CONF handled in section_cb and option_cb
# (the config_load call that drives those callbacks is not shown here)
# Secrets file: certificate, pre-shared-key and XAUTH entries, one block per
# ipsec_secret_* section type.
# NOTE(review): this function never restricts the mode of
# $IPSEC_SEC_UCI_CONF although it will hold plaintext secrets; confirm that
# the header writer or the caller's umask yields an owner-only file.
154 IPSEC_SEC_UCI_CONF="${IPSEC_SEC_UCI_CONF:-${IPSEC_CONFS:-/etc}/ipsec.uci.secrets}"
155 ipsec_config_print_header_secret
156 echo >> "$IPSEC_SEC_UCI_CONF"
157 echo "# Certificate Secrets" >> "$IPSEC_SEC_UCI_CONF"
158 config_foreach "ipsec_config_add_secret_cs" "ipsec_secret_cs"
159 echo >> "$IPSEC_SEC_UCI_CONF"
160 echo "# Shared Secrets" >> "$IPSEC_SEC_UCI_CONF"
161 config_foreach "ipsec_config_add_secret_ss" "ipsec_secret_ss"
162 echo >> "$IPSEC_SEC_UCI_CONF"
163 echo "# XAUTH Secrets" >> "$IPSEC_SEC_UCI_CONF"
164 config_foreach "ipsec_config_add_secret_xs" "ipsec_secret_xs"
167 ipsec_config_print_header() {
# Truncates $IPSEC_UCI_CONF and writes the "generated file" banner.  The
# here-document delimiter is unquoted, so $IPSEC_UCI_CONF is expanded into the
# banner text.  The ENDHEADER terminator and closing brace are not shown here.
168 cat > "$IPSEC_UCI_CONF" <<ENDHEADER
169 # $IPSEC_UCI_CONF - UCI IPsec configuration file
171 # This file is automatically generated by the ipsec init script from
172 # configuration information stored in UCI. DO NOT EDIT THIS FILE BY HAND.
176 ipsec_config_print_header_secret() {
# Truncates $IPSEC_SEC_UCI_CONF and writes its banner (unquoted here-document,
# so the path is expanded).  The terminator and closing brace are not shown.
# NOTE(review): "cat >" creates a missing file with the process umask and
# leaves the mode of an existing file untouched; no umask or chmod appears in
# this block.  Since PSK and XAUTH secrets are appended to this file later,
# confirm it ends up readable by its owner only.
177 cat > "$IPSEC_SEC_UCI_CONF" <<ENDHEADER
178 # $IPSEC_SEC_UCI_CONF - UCI IPsec sensitive configuration file
180 # This file is automatically generated by the ipsec init script from
181 # configuration information stored in UCI. DO NOT EDIT THIS FILE BY HAND.
185 ipsec_config_add_secret_cs() {
# Appends one certificate/RSA key secret line for UCI section $1
# (ipsec_secret_cs) to $IPSEC_SEC_UCI_CONF.  The SECTNAME assignment from $1
# is not shown here.
188 config_get "FILE" "$SECTNAME" "file"
189 config_get "SECRET" "$SECTNAME" "secret"
# A literal %prompt passphrase is passed through unchanged; the body of this
# branch is not shown, so presumably it quotes any other passphrase before
# the echo below writes $SECRET verbatim — confirm.
192 if [ "$SECRET" != "%prompt" ] ; then
196 echo ": RSA $FILE $SECRET" >> "$IPSEC_SEC_UCI_CONF"
199 ipsec_config_add_secret_ss() {
# Appends one pre-shared-key line (<indices> : PSK "<secret>") for UCI
# section $1 (ipsec_secret_ss).  The SECTNAME assignment is not shown here.
202 config_get "INDICES" "$SECTNAME" "indices"
203 config_get "SECRET" "$SECTNAME" "secret"
# NOTE(review): $SECRET is wrapped in double quotes but a '"' inside it is
# not escaped, and plain echo may interpret backslash sequences on some
# shells; printf '%s' plus explicit escaping would write the value verbatim.
205 echo "$INDICES : PSK \"$SECRET\"" >> "$IPSEC_SEC_UCI_CONF"
208 ipsec_config_add_secret_xs() {
# Appends one XAUTH credential line (@<username> : XAUTH "<secret>") for UCI
# section $1 (ipsec_secret_xs).  The SECTNAME assignment is not shown here.
211 config_get "USERNAME" "$SECTNAME" "username"
212 config_get "SECRET" "$SECTNAME" "secret"
# NOTE(review): same caveat as the PSK writer — a '"' in $SECRET is not
# escaped and echo may interpret backslashes, so such values corrupt the
# entry; printf '%s' with escaping would be the robust form.
214 echo "@$USERNAME : XAUTH \"$SECRET\"" >> "$IPSEC_SEC_UCI_CONF"
218 me='ipsec setup' # for messages
220 # where the private directory and the config files are
# ${VAR-default} (no colon) keeps an explicitly empty value, so only an
# unset variable falls back to the built-in location.
221 IPSEC_EXECDIR="${IPSEC_EXECDIR-/usr/libexec/ipsec}"
222 IPSEC_LIBDIR="${IPSEC_LIBDIR-/usr/lib/ipsec}"
223 IPSEC_SBINDIR="${IPSEC_SBINDIR-/usr/sbin}"
224 IPSEC_CONFS="${IPSEC_CONFS-/etc}"
# The leading space in both operands stops test from treating an empty or
# dash-prefixed value as an option.
226 if test " $IPSEC_DIR" = " " # if we were not called by the ipsec command
228 # we must establish a suitable PATH ourselves
# A fixed PATH instead of the inherited one, so the init script does not run
# binaries from whatever PATH its caller had; IPSEC_SBINDIR goes first so the
# lookup below finds the matching ipsec wrapper.
229 PATH="${IPSEC_SBINDIR}":/sbin:/usr/sbin:/usr/local/bin:/bin:/usr/bin
232 IPSEC_DIR="$IPSEC_LIBDIR"
233 export IPSEC_DIR IPSEC_CONFS IPSEC_LIBDIR IPSEC_EXECDIR
236 # Check that the ipsec command is available.
# Walks PATH (split on ':') looking for a regular, executable "ipsec".
# NOTE(review): $PATH and $dir are unquoted and test's binary -a is
# non-portable; `command -v ipsec` would be the usual replacement.  Entries
# with whitespace are unlikely in the PATH fixed above, but that PATH is only
# set when IPSEC_DIR was empty.
238 for dir in `echo $PATH | tr ':' ' '`
240 if test -f $dir/ipsec -a -x $dir/ipsec
243 break # NOTE BREAK OUT
# Reached when no PATH entry held an executable ipsec (the surrounding test
# is not shown here); $1 is the requested action.  logger -s also copies the
# message to stderr.
248 echo "cannot find ipsec command -- \`$1' aborted" |
249 logger -s -p daemon.error -t ipsec_setup
255 export IPSEC_setupflags
# Option handling for the leading arguments (the loop and case header are
# not shown here).  --showonly/--show is remembered so the stop/start
# re-invocations further down can pass it along.
263 --showonly|--show) IPSEC_setupflags="$1" ;;
# NOTE(review): the path is folded into one string that is later expanded
# unquoted (ipsec addconn $config), so a path containing whitespace would be
# split into several arguments.
264 --config) config="--config $2" ; shift ;;
271 # Pick up IPsec configuration (until we have done this, successfully, we
272 # do not know where errors should go, hence the explicit "daemon.error"s.)
273 # Note the "--export", which exports the variables created.
# addconn appears to print the "config setup" section as IPSEC_-prefixed
# shell assignments (--varprefix); the lines that evaluate $variables are not
# shown here.
# NOTE(review): the comment above mentions --export, which this invocation
# does not pass — confirm the variables are exported elsewhere.  If the output
# is eval'd, ipsec.conf contents effectively become shell code, so only a
# root-owned, trusted config file should ever be read here.  $config is
# intentionally unquoted: it is either empty or the two words "--config PATH".
274 variables=`ipsec addconn $config --varprefix IPSEC --configsetup`
# Parse-failure path (the status test itself is not shown).
277 echo "Failed to parse config setup portion of ipsec.conf"
# addconn reports a non-fatal read problem through IPSEC_confreadstatus:
# stop-style actions only warn so a broken config cannot block shutdown;
# every other action aborts.
282 if test " $IPSEC_confreadstatus" != " "
285 stop|--stop|_autostop)
286 echo "$IPSEC_confreadstatus -- \`$1' may not work" |
287 logger -s -p daemon.error -t ipsec_setup;;
289 *) echo "$IPSEC_confreadstatus -- \`$1' aborted" |
290 logger -s -p daemon.error -t ipsec_setup;
# Defaults applied once the config has been read.
295 IPSEC_confreadsection=${IPSEC_confreadsection:-setup}
296 export IPSEC_confreadsection
# Syslog priority for the diagnostics below; kept if already set (presumably
# by the config variables read above).
298 IPSECsyslog=${IPSECsyslog-daemon.error}
# Runtime directory for the state/output files used below.
304 mkdir -p /var/run/pluto
# Dispatch on the requested action (the case header and earlier arms are not
# shown here).
310 start|--start|stop|--stop|_autostop|_autostart)
311 # remove for: @cygwin_START@
312 # portable way for checking for root
# Failure branch of the root check (the test itself is not shown).  Starting
# or stopping KLIPS/Pluto needs root, so refuse early with a logged reason.
316 echo "permission denied (must be superuser)" |
317 logger -s -p $IPSECsyslog -t ipsec_setup 2>&1
320 # remove for: @cygwin_END@
# Status and captured-output files for the real setup step, inside the
# directory created above; the lines that fill them are not shown here.
321 tmp=/var/run/pluto/ipsec_setup.st
322 outtmp=/var/run/pluto/ipsec_setup.out
# Relay any captured output to syslog (and to stderr via -s).
333 if [ -f ${outtmp} ]; then
334 cat ${outtmp} | logger -s -p $IPSECsyslog -t ipsec_setup 2>&1
# restart re-invokes this script twice so each half passes through the
# checks above on its own.  $IPSEC_setupflags is deliberately unquoted: it is
# usually empty and must then contribute no argument at all.
339 restart|--restart|force-reload)
340 $0 $IPSEC_setupflags stop
341 $0 $IPSEC_setupflags start
344 _autorestart) # for internal use only
345 $0 $IPSEC_setupflags _autostop
346 $0 $IPSEC_setupflags _autostart
# Version and usage messages; their case arms are not shown here.
# NOTE(review): the usage text does not mention the status action that
# EXTRA_HELP advertises near the top of the file.
355 echo "$me $IPSEC_VERSION"
360 echo "Usage: $me [ --showonly ] {--start|--stop|--restart}"
366 echo "Usage: $me [ --showonly ] {--start|--stop|--restart}"
# rc.common start action (function header not shown here).
# NOTE(review): script_init and script_command are defined outside this
# excerpt; from the names, script_init presumably regenerates the UCI-derived
# config and secrets files before the upstream action runs — confirm.
373 script_init start "$@"
374 script_command start "$@"
# rc.common stop action (function header not shown here): same init step as
# start, then the upstream stop action.
378 script_init stop "$@"
379 script_command stop "$@"
# rc.common restart action (function header not shown here): one init step,
# then the upstream stop and start actions back to back.
384 script_init stop "$@"
385 script_command stop "$@"
386 script_command start "$@"
# rc.common status action (function header not shown here); delegates to the
# upstream status command, which is reached through the ipsec wrapper.
390 script_init status "$@"
391 ipsec _realsetup status