[ipsec-tools] prefer the main IKE exchange mode (#475337)

Tomáš Mráz tmraz at fedoraproject.org
Thu Jan 26 14:44:55 UTC 2012


commit cbda27b7ce7abdf051918f837701b7dbf931ae48
Author: Tomas Mraz <tmraz at fedoraproject.org>
Date:   Thu Jan 26 15:44:51 2012 +0100

    prefer the main IKE exchange mode (#475337)
    
    - allow specification of additional parameters for the ifup-ipsec (#784859)
    - convert the init script to systemd unit (#662714)

 ifup-ipsec       |   11 +++++-
 ipsec-tools.spec |   44 ++++++++++++++++++-----
 racoon.init      |  100 ------------------------------------------------------
 racoon.service   |   10 +++++
 4 files changed, 54 insertions(+), 111 deletions(-)
---
diff --git a/ifup-ipsec b/ifup-ipsec
index f3da7d4..ef93b96 100755
--- a/ifup-ipsec
+++ b/ifup-ipsec
@@ -215,8 +215,14 @@ if [ "$KEYING" = "automatic" -a -n "$IKE_METHOD" ]; then
         cat > /etc/racoon/$DST.conf << EOF
 remote $DST
 {
-	exchange_mode aggressive, main;
+	exchange_mode ${IKE_MODE:-main, aggressive};
 EOF
+	if [ -n "$DPD_DELAY" ]; then
+	    echo "        dpd_delay $DPD_DELAY;" >> /etc/racoon/$DST.conf
+	fi
+	if [ -n "$NAT_TRAVERSAL" ]; then
+	    echo "        nat_traversal $NAT_TRAVERSAL;" >> /etc/racoon/$DST.conf
+	fi
         case "$IKE_METHOD" in
            PSK)
 	      cat >> /etc/racoon/$DST.conf << EOF
@@ -242,6 +248,9 @@ EOF
 	      if [ -n "$IKE_PEER_CERTFILE" ]; then
 	          echo "        peers_certfile x509 \"$IKE_PEER_CERTFILE.public\";" >> /etc/racoon/$DST.conf
 	      fi
+	      if [ -n "$IKE_CA_CERTFILE" ]; then
+	          echo "        ca_type x509 \"$IKE_CA_CERTFILE.public\";" >> /etc/racoon/$DST.conf
+	      fi
 	      cat >> /etc/racoon/$DST.conf << EOF
         proposal {
 	        encryption_algorithm $IKE_ENC;
diff --git a/ipsec-tools.spec b/ipsec-tools.spec
index cc2cd8a..8921084 100644
--- a/ipsec-tools.spec
+++ b/ipsec-tools.spec
@@ -1,6 +1,6 @@
 Name: ipsec-tools
 Version: 0.8.0
-Release: 3%{?dist}
+Release: 4%{?dist}
 Summary: Tools for configuring and using IPSEC
 License: BSD
 Group: System Environment/Base
@@ -9,7 +9,7 @@ Source: ftp://ftp.netbsd.org/pub/NetBSD/misc/ipsec-tools/0.8/ipsec-tools-%{versi
 Source1: racoon.conf
 Source2: psk.txt
 Source3: p1_up_down
-Source4: racoon.init
+Source4: racoon.service
 Source5: racoon.pam
 Source6: ifup-ipsec
 Source7: ifdown-ipsec
@@ -36,12 +36,16 @@ BuildRequires: openssl-devel, krb5-devel, bison, flex, flex-static
 BuildRequires: automake, libtool
 BuildRequires: libselinux-devel >= 1.30.28-2, pam-devel
 BuildRequires: audit-libs-devel >= 1.3.1
+BuildRequires: systemd-units
 
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
 Requires: pam, initscripts
 Requires(post): chkconfig
-Requires(preun): chkconfig, initscripts
+Requires(post): systemd-units
+Requires(preun): systemd-units
+Requires(postun): systemd-units
+Requires(post): systemd-sysv
 
 %global racoonconfdir %{_sysconfdir}/racoon
 
@@ -105,7 +109,7 @@ mkdir -m 0700 -p $RPM_BUILD_ROOT%{racoonconfdir}/certs
 mkdir -m 0700 -p $RPM_BUILD_ROOT%{racoonconfdir}/scripts
 install -m 700 %{SOURCE3} \
   $RPM_BUILD_ROOT%{racoonconfdir}/scripts/p1_up_down
-install -D -m755 %{SOURCE4} $RPM_BUILD_ROOT%{_initrddir}/racoon
+install -D -m755 %{SOURCE4} $RPM_BUILD_ROOT%{_unitdir}/racoon
 install -D -m644 %{SOURCE5} $RPM_BUILD_ROOT%{_sysconfdir}/pam.d/racoon
 
 mkdir -m 0755 -p $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/network-scripts
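Review bot: The unit is installed as `%{_unitdir}/racoon`, but the %files hunk further down lists `%{_unitdir}/racoon.service`, so the build fails on an unpackaged or missing file until the two agree; the install line should read `install -D -m644 %{SOURCE4} $RPM_BUILD_ROOT%{_unitdir}/racoon.service`. Mode 755 was inherited from the init script install; a unit file is data and is conventionally 0644.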
@@ -115,16 +119,31 @@ install -p -m755 %{SOURCE6} %{SOURCE7} $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/n
 rm -rf $RPM_BUILD_ROOT
 
 %post
-if [ $1 = 1 ]; then
-        chkconfig --add racoon
+if [ $1 -eq 1 ] ; then 
+        /bin/systemctl daemon-reload >/dev/null 2>&1 || :
 fi
 
 %preun
-if [ $1 = 0 ]; then
-        service racoon stop > /dev/null 2>&1
-        /sbin/chkconfig --del racoon
+if [ $1 -eq 0 ] ; then
+        /bin/systemctl --no-reload disable racoon.service > /dev/null 2>&1 || :
+        /bin/systemctl stop racoon.service > /dev/null 2>&1 || :
 fi
 
+%postun
+/bin/systemctl daemon-reload >/dev/null 2>&1 || :
+if [ $1 -ge 1 ] ; then
+        /bin/systemctl try-restart racoon.service >/dev/null 2>&1 || :
+fi
+
+%triggerun -- racoon < 0.8.0-4
+# Save the current service runlevel info
+# User must manually run systemd-sysv-convert --apply racoon
+# to migrate them to systemd targets
+/usr/bin/systemd-sysv-convert --save racoon >/dev/null 2>&1 ||:
+
+# Run these because the SysV package being removed won't do them
+/sbin/chkconfig --del racoon >/dev/null 2>&1 || :
+
 %files
 %defattr(-,root,root,-)
 %doc src/racoon/samples/racoon.conf src/racoon/samples/psk.txt
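Review bot: `%triggerun -- racoon < 0.8.0-4` names a package called racoon, but this package is ipsec-tools (see Name: at the top of the spec), so the trigger never fires on upgrade and neither the systemd-sysv-convert save nor `chkconfig --del racoon` is ever run; it should be `%triggerun -- ipsec-tools < 0.8.0-4`. Without the trigger the old package's %preun only removes the service when `$1 = 0`, so an upgrade leaves the SysV rc symlinks for racoon in place beside the new unit. The remaining scriptlets match the usual systemd template, with `|| :` keeping a failed systemctl call from aborting the transaction.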
@@ -133,7 +152,7 @@ fi
 /sbin/*
 %{_sbindir}/*
 %{_mandir}/man*/*
-%{_initrddir}/racoon
+%{_unitdir}/racoon.service
 %dir %{racoonconfdir}
 %{racoonconfdir}/scripts/*
 %dir %{racoonconfdir}/certs
@@ -146,6 +165,11 @@ fi
 %{_sysconfdir}/sysconfig/network-scripts/ifdown-ipsec
 
 %changelog
+* Thu Jan 26 2012 Tomas Mraz <tmraz at redhat.com> - 0.8.0-4
+- prefer the main IKE exchange mode (#475337)
+- allow specification of additional parameters for the ifup-ipsec (#784859)
+- convert the init script to systemd unit (#662714)
+
 * Fri Jan 13 2012 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 0.8.0-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
 
diff --git a/racoon.service b/racoon.service
new file mode 100644
index 0000000..792cfd3
--- /dev/null
+++ b/racoon.service
@@ -0,0 +1,10 @@
+[Unit]
+Description=Racoon IKEv1 key management daemon for IPSEC
+After=syslog.target network.target
+
+[Service]
+Type=forking
+ExecStart=/usr/sbin/racoon
+
+[Install]
+WantedBy=multi-user.target
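Review bot: `Type=forking` is used without `PIDFile=`, so systemd has to guess racoon's main process once the parent exits, and stop/try-restart from the spec scriptlets may act on the wrong one; if racoon writes a pid file (I believe its default is /var/run/racoon.pid, but confirm against this build's configure options), add `PIDFile=/var/run/racoon.pid`. `After=syslog.target` should no longer be needed with journal-based logging and can be dropped, leaving `After=network.target`.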

