[ipsec-tools] prefer the main IKE exchange mode (#475337)
Tomáš Mráz
tmraz at fedoraproject.org
Thu Jan 26 14:44:55 UTC 2012
commit cbda27b7ce7abdf051918f837701b7dbf931ae48
Author: Tomas Mraz <tmraz at fedoraproject.org>
Date: Thu Jan 26 15:44:51 2012 +0100
prefer the main IKE exchange mode (#475337)
- allow specification of additional parameters for the ifup-ipsec (#784859)
- convert the init script to systemd unit (#662714)
ifup-ipsec | 11 +++++-
ipsec-tools.spec | 44 ++++++++++++++++++-----
racoon.init | 100 ------------------------------------------------------
racoon.service | 10 +++++
4 files changed, 54 insertions(+), 111 deletions(-)
---
diff --git a/ifup-ipsec b/ifup-ipsec
index f3da7d4..ef93b96 100755
--- a/ifup-ipsec
+++ b/ifup-ipsec
@@ -215,8 +215,14 @@ if [ "$KEYING" = "automatic" -a -n "$IKE_METHOD" ]; then
cat > /etc/racoon/$DST.conf << EOF
remote $DST
{
- exchange_mode aggressive, main;
+ exchange_mode ${IKE_MODE:-main, aggressive};
EOF
+ if [ -n "$DPD_DELAY" ]; then
+ echo " dpd_delay $DPD_DELAY;" >> /etc/racoon/$DST.conf
+ fi
+ if [ -n "$NAT_TRAVERSAL" ]; then
+ echo " nat_traversal $NAT_TRAVERSAL;" >> /etc/racoon/$DST.conf
+ fi
case "$IKE_METHOD" in
PSK)
cat >> /etc/racoon/$DST.conf << EOF
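Review bot: The new default on the `exchange_mode` line still lists `aggressive`, and racoon accepts every listed mode when it acts as responder, so a peer can still negotiate aggressive mode against this host. With `IKE_METHOD=PSK` that matters because aggressive mode exposes a hash derived from the pre-shared key to offline guessing. Consider defaulting to main only, `exchange_mode ${IKE_MODE:-main};`, and letting sites that need aggressive mode opt in through `IKE_MODE`. `DPD_DELAY` and `NAT_TRAVERSAL` are also written into the config unchecked; a short `case` accepting only digits and `on`/`off`/`force` respectively would stop a typo in the ifcfg file from producing a malformed racoon config. The enclosing `if` block starts before this hunk and continues after it.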
@@ -242,6 +248,9 @@ EOF
if [ -n "$IKE_PEER_CERTFILE" ]; then
echo " peers_certfile x509 \"$IKE_PEER_CERTFILE.public\";" >> /etc/racoon/$DST.conf
fi
+ if [ -n "$IKE_CA_CERTFILE" ]; then
+ echo " ca_type x509 \"$IKE_CA_CERTFILE.public\";" >> /etc/racoon/$DST.conf
+ fi
cat >> /etc/racoon/$DST.conf << EOF
proposal {
encryption_algorithm $IKE_ENC;
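Review bot: `IKE_CA_CERTFILE` gets `.public` appended on the `ca_type x509` line, which copies the peer-certificate convention just above but is not obvious for a CA file, and nothing in the hunk documents it. A comment above the test would help, for example `# IKE_CA_CERTFILE: CA certificate file name without the .public suffix`. Checking that the file exists before emitting the line would also surface a missing CA certificate at ifup time rather than inside racoon. The certificate directory is not visible in this hunk, so the path to test needs confirming against the racoon configuration.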
diff --git a/ipsec-tools.spec b/ipsec-tools.spec
index cc2cd8a..8921084 100644
--- a/ipsec-tools.spec
+++ b/ipsec-tools.spec
@@ -1,6 +1,6 @@
Name: ipsec-tools
Version: 0.8.0
-Release: 3%{?dist}
+Release: 4%{?dist}
Summary: Tools for configuring and using IPSEC
License: BSD
Group: System Environment/Base
@@ -9,7 +9,7 @@ Source: ftp://ftp.netbsd.org/pub/NetBSD/misc/ipsec-tools/0.8/ipsec-tools-%{versi
Source1: racoon.conf
Source2: psk.txt
Source3: p1_up_down
-Source4: racoon.init
+Source4: racoon.service
Source5: racoon.pam
Source6: ifup-ipsec
Source7: ifdown-ipsec
@@ -36,12 +36,16 @@ BuildRequires: openssl-devel, krb5-devel, bison, flex, flex-static
BuildRequires: automake, libtool
BuildRequires: libselinux-devel >= 1.30.28-2, pam-devel
BuildRequires: audit-libs-devel >= 1.3.1
+BuildRequires: systemd-units
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
Requires: pam, initscripts
Requires(post): chkconfig
-Requires(preun): chkconfig, initscripts
+Requires(post): systemd-units
+Requires(preun): systemd-units
+Requires(postun): systemd-units
+Requires(post): systemd-sysv
%global racoonconfdir %{_sysconfdir}/racoon
@@ -105,7 +109,7 @@ mkdir -m 0700 -p $RPM_BUILD_ROOT%{racoonconfdir}/certs
mkdir -m 0700 -p $RPM_BUILD_ROOT%{racoonconfdir}/scripts
install -m 700 %{SOURCE3} \
$RPM_BUILD_ROOT%{racoonconfdir}/scripts/p1_up_down
-install -D -m755 %{SOURCE4} $RPM_BUILD_ROOT%{_initrddir}/racoon
+install -D -m755 %{SOURCE4} $RPM_BUILD_ROOT%{_unitdir}/racoon
install -D -m644 %{SOURCE5} $RPM_BUILD_ROOT%{_sysconfdir}/pam.d/racoon
mkdir -m 0755 -p $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/network-scripts
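Review bot: The unit is installed as `%{_unitdir}/racoon`, but the `%files` hunk later in this patch lists `%{_unitdir}/racoon.service`. The build would therefore either fail on the missing file or ship a unit under a name systemd does not treat as a service. Mode 755 is carried over from the init script, although unit files are read rather than executed. Suggested line: `install -D -m644 %{SOURCE4} $RPM_BUILD_ROOT%{_unitdir}/racoon.service`.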
@@ -115,16 +119,31 @@ install -p -m755 %{SOURCE6} %{SOURCE7} $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/n
rm -rf $RPM_BUILD_ROOT
%post
-if [ $1 = 1 ]; then
- chkconfig --add racoon
+if [ $1 -eq 1 ] ; then
+ /bin/systemctl daemon-reload >/dev/null 2>&1 || :
fi
%preun
-if [ $1 = 0 ]; then
- service racoon stop > /dev/null 2>&1
- /sbin/chkconfig --del racoon
+if [ $1 -eq 0 ] ; then
+ /bin/systemctl --no-reload disable racoon.service > /dev/null 2>&1 || :
+ /bin/systemctl stop racoon.service > /dev/null 2>&1 || :
fi
+%postun
+/bin/systemctl daemon-reload >/dev/null 2>&1 || :
+if [ $1 -ge 1 ] ; then
+ /bin/systemctl try-restart racoon.service >/dev/null 2>&1 || :
+fi
+
+%triggerun -- racoon < 0.8.0-4
+# Save the current service runlevel info
+# User must manually run systemd-sysv-convert --apply racoon
+# to migrate them to systemd targets
+/usr/bin/systemd-sysv-convert --save racoon >/dev/null 2>&1 ||:
+
+# Run these because the SysV package being removed won't do them
+/sbin/chkconfig --del racoon >/dev/null 2>&1 || :
+
%files
%defattr(-,root,root,-)
%doc src/racoon/samples/racoon.conf src/racoon/samples/psk.txt
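Review bot: `%triggerun -- racoon < 0.8.0-4` names a package `racoon`, but the spec header shows `Name: ipsec-tools` and no `racoon` subpackage is visible in this diff, so the trigger presumably never fires on upgrade. In that case the SysV runlevel state is not saved and the old chkconfig entry is not removed, so an IKE daemon that was enabled before the upgrade may end up disabled under systemd without notice. Suggested: `%triggerun -- ipsec-tools < 0.8.0-4`. It may also be worth adding `/bin/systemctl try-restart racoon.service >/dev/null 2>&1 || :` to the trigger so a daemon running at upgrade time is restarted under systemd.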
@@ -133,7 +152,7 @@ fi
/sbin/*
%{_sbindir}/*
%{_mandir}/man*/*
-%{_initrddir}/racoon
+%{_unitdir}/racoon.service
%dir %{racoonconfdir}
%{racoonconfdir}/scripts/*
%dir %{racoonconfdir}/certs
@@ -146,6 +165,11 @@ fi
%{_sysconfdir}/sysconfig/network-scripts/ifdown-ipsec
%changelog
+* Thu Jan 26 2012 Tomas Mraz <tmraz at redhat.com> - 0.8.0-4
+- prefer the main IKE exchange mode (#475337)
+- allow specification of additional parameters for the ifup-ipsec (#784859)
+- convert the init script to systemd unit (#662714)
+
* Fri Jan 13 2012 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 0.8.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
diff --git a/racoon.service b/racoon.service
new file mode 100644
index 0000000..792cfd3
--- /dev/null
+++ b/racoon.service
@@ -0,0 +1,10 @@
+[Unit]
+Description=Racoon IKEv1 key management daemon for IPSEC
+After=syslog.target network.target
+
+[Service]
+Type=forking
+ExecStart=/usr/sbin/racoon
+
+[Install]
+WantedBy=multi-user.target
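Review bot: `Type=forking` is set without a `PIDFile=`, so systemd has to guess the main racoon process after the fork, which makes stop and failure detection less reliable for the IKE daemon. Either add `PIDFile=` pointing at the pid file racoon writes (likely `/var/run/racoon.pid` unless `path pidfile` overrides it; confirm against the shipped racoon.conf), or run in the foreground with `Type=simple` and `ExecStart=/usr/sbin/racoon -F`. A `Restart=on-failure` line would also bring key management back if the daemon dies, since existing SAs cannot be rekeyed without it.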