From mlea-freebsd-gnats@atomicbluebear.org  Thu Mar 15 08:22:56 2001
Return-Path: <mlea-freebsd-gnats@atomicbluebear.org>
Received: from hydrogen.atomicbluebear.org (atomicbluebear.org [64.4.83.19])
	by hub.freebsd.org (Postfix) with SMTP id 5AA0237B718
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 15 Mar 2001 08:22:55 -0800 (PST)
	(envelope-from mlea-freebsd-gnats@atomicbluebear.org)
Received: (qmail 3353 invoked by uid 86); 15 Mar 2001 16:22:53 -0000
Received: from helium.atomicbluebear.org (192.168.0.2)
  by hydrogen.atomicbluebear.org with QMQP; 15 Mar 2001 16:22:53 -0000
Message-Id: <20010315162253.4268.qmail@helium.atomicbluebear.org>
Date: 15 Mar 2001 16:22:53 -0000
From: mlea-freebsd-gnats@atomicbluebear.org
To: FreeBSD-gnats-submit@freebsd.org
Subject: IPSec config in rc.network doesn't allow for IKE key management
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         25829
>Category:       conf
>Synopsis:       IPSec config in rc.network doesn't allow for IKE key management
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    dougb
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Thu Mar 15 08:30:01 PST 2001
>Closed-Date:    Wed Feb 22 02:13:04 GMT 2006
>Last-Modified:  Wed Feb 22 02:13:04 GMT 2006
>Originator:     Michael Lea
>Release:        FreeBSD 4.3-BETA i386
>Organization:
Individual User
>Environment:
System: FreeBSD helium.atomicbluebear.org 4.3-BETA FreeBSD 4.3-BETA #1: Wed Mar 14 10:09:53 CST 2001 mlea@helium.atomicbluebear.org:/usr/obj/usr/src/sys/GLUON i386


>Description:
IPSec keys and security associations must be established before network
services (like NFS) start. If an IKE daemon (like racoon) is being used to
handle security associations and key exchange, it must be started in
rc.network before other network services.

>How-To-Repeat:

>Fix:

This patch modifies /etc/defaults/rc.conf and /etc/rc.network to optionally
start an IKE daemon (by default, racoon) immediately after setkey has been
run to set the IPSec policies.

--- /usr/src/etc/rc.network	Tue Mar 13 23:58:40 2001
+++ /etc/rc.network	Thu Mar 15 09:57:58 2001
@@ -435,6 +435,13 @@
 		if [ -f ${ipsec_file} ]; then
 		    echo ' ipsec: enabled'
 		    setkey -f ${ipsec_file}
+
+		    case ${ike_enable} in
+		    [Yy][Ee][Ss])
+			echo ' ike: running'
+			${ike_program} ${ike_flags}
+			;;
+		    esac
 		else
 		    echo ' ipsec: file not found'
 		fi
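Review bot: the new case block invokes `${ike_program} ${ike_flags}` with no check that the program exists and is executable, and because it sits inside the `[ -f ${ipsec_file} ]` test, setting ike_enable=YES without an ipsec_file silently skips the daemon with only the existing ' ipsec: file not found' message. Suggest guarding the call, e.g. `if [ -x ${ike_program} ]; then ${ike_program} ${ike_flags}; else echo ' ike: program not found'; fi`, and consider moving the IKE start out of the setkey file test so that file-based policies and daemon-based keying can be enabled independently. Note also that the script simply runs the command and continues; nothing here waits for the daemon to be ready or for any SA to exist before the later network services are started.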
--- /usr/src/etc/defaults/rc.conf	Tue Mar 13 23:58:38 2001
+++ /etc/defaults/rc.conf	Thu Mar 15 09:56:14 2001
@@ -52,6 +52,9 @@
 ip_portrange_last="NO"		# Set last dynamically allocated port
 ipsec_enable="NO"		# Set to YES to run setkey on ipsec_file
 ipsec_file="/etc/ipsec.conf"	# Name of config file for setkey
+ike_enable="NO"			# Set to YES to run an IKE daemon
+ike_program="/usr/local/sbin/racoon" # Which IKE daemon to run
+ike_flags=""			# Additional flags to pass to IKE daemon
 natd_program="/sbin/natd"	# path to natd, if you want a different one.
 natd_enable="NO"                # Enable natd (if firewall_enable == YES).
 natd_interface="fxp0"           # Public interface or IPaddress to use.
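Review bot: the default `ike_program="/usr/local/sbin/racoon"` points at a binary installed from a port rather than from the base system, and the comment does not say so; suggest stating the dependency in the comment (e.g. `# Which IKE daemon to run (racoon port)`) and documenting the three new knobs in rc.conf(5) next to ipsec_enable and ipsec_file. Minor style point: the comment on the `ike_program` line is separated by a single space while the surrounding lines align comments with tabs.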
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: dougb 
State-Changed-When: Wed Feb 22 02:12:17 UTC 2006 
State-Changed-Why:  

This report has been overtaken by events in 5.x and beyond. 

Thanks for your interest in making FreeBSD better. 

Doug 


Responsible-Changed-From-To: freebsd-bugs->dougb 
Responsible-Changed-By: dougb 
Responsible-Changed-When: Wed Feb 22 02:12:17 UTC 2006 
Responsible-Changed-Why:  

I closed this PR. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=25829 
