From: <abe...@us...> - 2012-04-14 22:19:31
Revision: 5513
http://astlinux.svn.sourceforge.net/astlinux/?rev=5513&view=rev
Author: abelbeck
Date: 2012-04-14 22:19:25 +0000 (Sat, 14 Apr 2012)
Log Message:
-----------
ipsec mobile, initial checkin of XAuth support, much thanks to Ingmar
Modified Paths:
--------------
branches/1.0/package/ipsec-tools/ipsec-tools.mk
branches/1.0/package/ipsec-tools/racoon-ipsec
branches/1.0/project/astlinux/target_skeleton/etc/group
branches/1.0/project/astlinux/target_skeleton/etc/gshadow
branches/1.0/project/astlinux/target_skeleton/etc/passwd
branches/1.0/project/astlinux/target_skeleton/etc/shadow
branches/1.0/project/astlinux/target_skeleton/stat/etc/rc.conf
Modified: branches/1.0/package/ipsec-tools/ipsec-tools.mk
===================================================================
--- branches/1.0/package/ipsec-tools/ipsec-tools.mk 2012-04-12 14:44:59 UTC (rev 5512)
+++ branches/1.0/package/ipsec-tools/ipsec-tools.mk 2012-04-14 22:19:25 UTC (rev 5513)
@@ -15,7 +15,7 @@
IPSEC_TOOLS_MAKE_OPT = CFLAGS='$(TARGET_CFLAGS)'
IPSEC_TOOLS_CONF_OPT = \
- --disable-hybrid \
+ --enable-hybrid \
--without-libpam \
--disable-gssapi \
--localstatedir=/var \
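Review bot: `--enable-hybrid` is switched on while `--without-libpam` is kept, so XAuth user verification falls back to racoon's own system password lookup (the `auth_source system;` that the racoon-ipsec change emits); a one-line comment above the option would save the next reader a trip to the configure script, e.g. `# hybrid (XAuth) without PAM: racoon verifies users against /etc/passwd and /etc/shadow directly`. That in turn means the racoon process needs read access to the shadow file at authentication time, which presumably holds because it runs as root — confirm. The option list continues past the end of the hunk.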
Modified: branches/1.0/package/ipsec-tools/racoon-ipsec
===================================================================
--- branches/1.0/package/ipsec-tools/racoon-ipsec 2012-04-12 14:44:59 UTC (rev 5512)
+++ branches/1.0/package/ipsec-tools/racoon-ipsec 2012-04-14 22:19:25 UTC (rev 5513)
@@ -241,7 +241,7 @@
gen_ipsecmobile()
{
- local auth IFS
+ local auth method IFS
p1_encrypt="$IPSECM_P1_CYPHER"
p1_hash="$IPSECM_P1_HASH"
@@ -266,6 +266,19 @@
fi
done
+ if [ "$IPSECM_AUTH_METHOD" = "xauth_rsa_server" ]; then
+ method="xauth_rsa_server"
+ IFS=' '
+ for name in IPSECM_XAUTH_POOLBASE IPSECM_XAUTH_POOLMASK IPSECM_XAUTH_POOLSIZE; do
+ if [ -z "${!name}" ]; then
+ bad_config "Empty (required) field '$name' in IPsec configuration!"
+ return 1
+ fi
+ done
+ else
+ method="rsasig"
+ fi
+
if ! sanity_check_options; then
return 1
fi
@@ -274,8 +287,12 @@
auth="$(get_rsa_auth_config "$rsa_path" "$rsa_cert" "$rsa_key" "$rsa_ca")"
- (mobile_remote "$do_nat" "$p1_encrypt" "$p1_hash" "$p1_dhgrp" "$p1_lifetime" "$auth") >> /tmp/etc/racoon.conf
+ (mobile_remote "$do_nat" "$p1_encrypt" "$p1_hash" "$p1_dhgrp" "$p1_lifetime" "$method" "$auth") >> /tmp/etc/racoon.conf
+ if [ "$method" = "xauth_rsa_server" ]; then
+ (mobile_xauth) >> /tmp/etc/racoon.conf
+ fi
+
(mobile_sainfo "$p2_encrypt" "$p2_auth" "$p2_pfsgrp" "$p2_lifetime") >> /tmp/etc/racoon.conf
}
@@ -314,8 +331,8 @@
{
echo "
remote anonymous {
- exchange_mode main;${6:+
-$6}
+ exchange_mode main;${7:+
+$7}
nat_traversal $1;
passive on;
generate_policy on;
@@ -326,13 +343,40 @@
proposal {
encryption_algorithm $2;
hash_algorithm $3;
- authentication_method rsasig;
+ authentication_method $6;
dh_group $4;${5:+
lifetime time $5 sec;}
}
}"
}
+mobile_xauth()
+{
+ local arg IFS
+
+ echo "
+mode_cfg {
+ auth_source system;
+ conf_source local;
+ pool_size $IPSECM_XAUTH_POOLSIZE;
+ network4 $IPSECM_XAUTH_POOLBASE;
+ netmask4 $IPSECM_XAUTH_POOLMASK;"
+ for arg in $IPSECM_XAUTH_DNS; do
+ echo " dns4 $arg;"
+ done
+ for arg in $IPSECM_XAUTH_WINS; do
+ echo " wins4 $arg;"
+ done
+ if [ -n "$IPSECM_XAUTH_DOMAIN" -a -n "$IPSECM_XAUTH_DNS" ]; then
+ echo " default_domain \"$IPSECM_XAUTH_DOMAIN\";"
+ echo " split_dns \"$IPSECM_XAUTH_DOMAIN\";"
+ fi
+ if [ "$IPSECM_XAUTH_SAVE_PASSWD" = "yes" ]; then
+ echo " save_passwd on;"
+ fi
+ echo "}"
+}
+
mobile_sainfo()
{
echo "
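Review bot: The `mode_cfg` block emitted by mobile_xauth uses `auth_source system;` with no group restriction, so any local account that has a usable password in /etc/shadow, root included, is an acceptable XAuth login; the `ipsec` group this same commit adds in etc/group looks intended for exactly that, so add `group_source system;` and `auth_groups "ipsec";` right after `auth_source system;` and state in rc.conf that XAuth users must be members of that group. In gen_ipsecmobile the three pool variables are only checked for emptiness and then written verbatim into racoon.conf, so a malformed base address or mask shows up as a racoon parse failure at start instead of through bad_config; a dotted-quad check in the same loop would keep the failure at configuration time. The `${!name}` indirection in that loop is bash-only and unsupported by ash, which is fine only if this script already depends on it elsewhere — the hunk does not show that. The `[ -n "$IPSECM_XAUTH_DOMAIN" -a -n "$IPSECM_XAUTH_DNS" ]` test is better written as `[ -n "$IPSECM_XAUTH_DOMAIN" ] && [ -n "$IPSECM_XAUTH_DNS" ]`, since `-a` is deprecated and ambiguous. gen_ipsecmobile's body begins before the first hunk and mobile_sainfo is cut off at the end of the section.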
Modified: branches/1.0/project/astlinux/target_skeleton/etc/group
===================================================================
--- branches/1.0/project/astlinux/target_skeleton/etc/group 2012-04-12 14:44:59 UTC (rev 5512)
+++ branches/1.0/project/astlinux/target_skeleton/etc/group 2012-04-14 22:19:25 UTC (rev 5513)
@@ -12,5 +12,6 @@
audio:x:29:
video:x:44:
users:x:100:
+ipsec:x:901:
zabbix:x:906:
nobody:x:65535:
Modified: branches/1.0/project/astlinux/target_skeleton/etc/gshadow
===================================================================
--- branches/1.0/project/astlinux/target_skeleton/etc/gshadow 2012-04-12 14:44:59 UTC (rev 5512)
+++ branches/1.0/project/astlinux/target_skeleton/etc/gshadow 2012-04-14 22:19:25 UTC (rev 5513)
@@ -1,3 +1,4 @@
root:*::
users:*::
ftp:*::
+ipsec:!::
Modified: branches/1.0/project/astlinux/target_skeleton/etc/passwd
===================================================================
--- branches/1.0/project/astlinux/target_skeleton/etc/passwd 2012-04-12 14:44:59 UTC (rev 5512)
+++ branches/1.0/project/astlinux/target_skeleton/etc/passwd 2012-04-14 22:19:25 UTC (rev 5513)
@@ -1,5 +1,6 @@
root:x:0:0:root:/root:/bin/sh
sshd:x:22:22:sshd:/dev/null:/bin/false
ftp:x:21:21:ftp user:/home/ftp:/bin/false
+ipsec:x:901:901:IPsec XAuth:/dev/null:/bin/false
zabbix:x:906:906:Zabbix User:/dev/null:/bin/false
nobody:x:1000:1000:no one:/dev/null:/bin/false
Modified: branches/1.0/project/astlinux/target_skeleton/etc/shadow
===================================================================
--- branches/1.0/project/astlinux/target_skeleton/etc/shadow 2012-04-12 14:44:59 UTC (rev 5512)
+++ branches/1.0/project/astlinux/target_skeleton/etc/shadow 2012-04-14 22:19:25 UTC (rev 5513)
@@ -1,5 +1,6 @@
root:$1$$axJeFIpwicqOTwFpuoUAs1:12215:0:99999:7:::
sshd:!:0:0:99999:7:::
ftp:!:0:0:99999:7:::
-zabbix:!:0:99999:7:::
-nobody:!:0:99999:7:::
+ipsec:!:0:0:99999:7:::
+zabbix:!:0:0:99999:7:::
+nobody:!:0:0:99999:7:::
Modified: branches/1.0/project/astlinux/target_skeleton/stat/etc/rc.conf
===================================================================
--- branches/1.0/project/astlinux/target_skeleton/stat/etc/rc.conf 2012-04-12 14:44:59 UTC (rev 5512)
+++ branches/1.0/project/astlinux/target_skeleton/stat/etc/rc.conf 2012-04-14 22:19:25 UTC (rev 5513)
@@ -570,6 +570,7 @@
#"
##
## Phase 1 - Authentication
+#IPSECM_AUTH_METHOD="rsasig" # "rsasig" or "xauth_rsa_server", defaults to "rsasig"
#IPSECM_P1_CYPHER="aes 128" # "aes 128" or "aes 192" or "aes 256" or "3des" or "blowfish"
#IPSECM_P1_HASH="sha1" # "md5" or "sha1" or "sha256"
#IPSECM_P1_DHGROUP="modp1024" # "modp768" (1) or "modp1024" (2) or "modp1536" (5)
@@ -581,6 +582,18 @@
#IPSECM_P2_PFSGROUP="modp1024" # "modp768" (1) or "modp1024" (2) or "modp1536" (5) or "none"
#IPSECM_P2_LIFETIME="3600" # seconds (if undefined 3600 is used)
##
+## IPSECM_XAUTH_* only used if IPSECM_AUTH_METHOD="xauth_rsa_server"
+#IPSECM_XAUTH_POOLBASE="192.168.101.222" # Base IPv4 address
+#IPSECM_XAUTH_POOLMASK="255.255.255.0" # Base IPv4 mask
+#IPSECM_XAUTH_POOLSIZE="8" # "4", "8", "16"
+#IPSECM_XAUTH_DNS="" # space separated list of DNS server(s) pushed to client
+#IPSECM_XAUTH_WINS="" # space separated list of local MS WINS servers, rarely needed
+#IPSECM_XAUTH_DOMAIN="" # Default DNS domain pushed to client
+#IPSECM_XAUTH_SAVE_PASSWD="no" # "no" or "yes", defaults to "no"
+##
+#IPSECM_CERT_KEYSIZE="1024" # "1024" or "2048", defaults to "1024"
+#IPSECM_CERT_DNSNAME="" # DNS name (or IP address) of public interface, required by iOS devices
+##
## PPTP VPN Server - VPN above must include "pptp"
##
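Review bot: The documented default for `IPSECM_CERT_KEYSIZE` is 1024-bit RSA, which is already below current key-length recommendations; once the code that applies it (not part of this diff) agrees, the shipped comment should read `#IPSECM_CERT_KEYSIZE="2048" # "1024" or "2048", defaults to "2048"`. The `IPSECM_XAUTH_SAVE_PASSWD` comment says only "no" or "yes" without saying what "yes" does; `# "no" or "yes", allow clients to cache the XAuth password, defaults to "no"` tells the administrator what they are enabling. "Base IPv4 mask" on the `IPSECM_XAUTH_POOLMASK` line is ambiguous next to "Base IPv4 address"; `# IPv4 netmask of the client address pool` is clearer.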