From vs@foldr.org  Fri Sep  6 23:01:54 2002
Return-Path: <vs@foldr.org>
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id AA0B037B400
	for <FreeBSD-gnats-submit@freebsd.org>; Fri,  6 Sep 2002 23:01:54 -0700 (PDT)
Received: from lambda.foldr.org (lambda.foldr.org [198.78.66.36])
	by mx1.FreeBSD.org (Postfix) with ESMTP id C4D7743E42
	for <FreeBSD-gnats-submit@freebsd.org>; Fri,  6 Sep 2002 23:01:53 -0700 (PDT)
	(envelope-from vs@foldr.org)
Received: from theater.dyndns.org (pD9509C8B.dip.t-dialin.net [217.80.156.139])
	by lambda.foldr.org (8.12.3/8.11.6) with ESMTP id g8761QgQ007697
	(using TLSv1/SSLv3 with cipher EDH-RSA-DES-CBC3-SHA (168 bits) verified OK)
	for <FreeBSD-gnats-submit@freebsd.org>; Sat, 7 Sep 2002 08:01:29 +0200 (CEST)
	(envelope-from vs@foldr.org)
Received: from monster.ikea.net (monster.ikea.net [IPv6:3ffe:b80:2de:3:2e0:29ff:fe98:abca])
	by theater.dyndns.org (8.12.5/8.12.5) with ESMTP id g8762rV1045608
	(version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=OK)
	for <FreeBSD-gnats-submit@freebsd.org>; Sat, 7 Sep 2002 08:02:54 +0200 (CEST)
	(envelope-from vs@monster.ikea.net)
Received: (from vs@localhost)
	by monster.ikea.net (8.12.5/8.12.5/Submit) id g8761ib6001240;
	Sat, 7 Sep 2002 08:01:44 +0200 (CEST)
	(envelope-from vs)
Message-Id: <200209070601.g8761ib6001240@monster.ikea.net>
Date: Sat, 7 Sep 2002 08:01:44 +0200 (CEST)
From: Volker Stolz <vs@foldr.org>
Reply-To: Volker Stolz <vs@foldr.org>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: rc.network lacks IKE daemon startup
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         42497
>Category:       conf
>Synopsis:       rc.network lacks IKE daemon startup
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    bms
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Sep 06 23:10:00 PDT 2002
>Closed-Date:    Fri Nov 28 09:29:58 PST 2003
>Last-Modified:  Fri Nov 28 09:29:58 PST 2003
>Originator:     Volker Stolz
>Release:        FreeBSD 4.6-STABLE i386
>Organization:
Lehrstuhl für Informatik II
>Environment:
System: FreeBSD monster.ikea.net 4.6-STABLE FreeBSD 4.6-STABLE #19: Sun Aug 11 16:08:23 CEST 2002 root@monster.ikea.net:/usr/obj/usr/src/sys/MONSTER i386
>Description:
IPSEC gets more and more common. Even local LANs tend to use it
because some hosts might want to connect by WLAN. Although the
current rc.network supports static IPSEC configuration through
/etc/ipsec.conf, IKE is not supported. security/racoon and
security/isakmpd offer this functionality, but are not in the
base system.

However, if even local traffic is to be protected by IPSEC,
this especially means that IPSEC has to be fully configured
by the time NFS mounts occur. The current rc-scheme does
not support this. The following patch adds three new variables
to rc.conf and starts an IKE daemon immediately after IPSEC
setup and before NFS mounts.

Other services affected include e.g. ntpdate.
>How-To-Repeat:
Set IPSEC policy to 'require' for the local LAN, enable NFS
mounts in /etc/fstab, boot: The NFS mounts will freeze the
system as it is not yet possible to establish a connection.
The IKE daemon startup in /usr/local/etc/rc.d comes too late
in the boot sequence. 
>Fix:
--- /etc/rc.network.orig	Sat Sep  7 07:49:52 2002
+++ /etc/rc.network	Sat Sep  7 07:48:34 2002
@@ -498,6 +498,15 @@
 		;;
 	esac
 
+	case ${ike_enable} in
+	[Yy][Ee][Ss])
+		if [ -x ${ike_program} ]; then
+		    echo ' ike daemon: ' ${ike_program} ${ike_flags}
+		    ${ike_program} ${ike_flags}
+		fi
+		;;
+	esac
+
 	echo -n 'Routing daemons:'
 	case ${router_enable} in
 	[Yy][Ee][Ss])
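Review bot: the test `if [ -x ${ike_program} ]; then` leaves the variable unquoted, so with `ike_enable=YES` and an empty `ike_program` it degenerates to `[ -x ]`, which succeeds, and the next line then executes whatever is in `${ike_flags}` on its own; quote it as `if [ -x "${ike_program}" ]; then` so an empty or unset path fails the check. A second point on the same hunk: the daemon is launched and the script moves straight on to the routing daemons, so nothing here waits for the IKE daemon to finish reading its configuration before the later NFS mounts run; the ordering problem in the description is narrowed, not closed, and an explicit readiness wait (or at least a note in the comment that negotiation still happens on demand) would make that clear to whoever reads this block.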
--- /etc/defaults/rc.conf.orig	Sat Sep  7 07:23:06 2002
+++ /etc/defaults/rc.conf	Sat Sep  7 07:26:01 2002
@@ -54,6 +54,9 @@
 ip_portrange_last="NO"		# Set last dynamically allocated port
 ipsec_enable="NO"		# Set to YES to run setkey on ipsec_file
 ipsec_file="/etc/ipsec.conf"	# Name of config file for setkey
+ike_enable="NO"			# Enable IKE daemon (usually racoon or isakmpd)
+ike_program="/usr/local/sbin/racoon" # Path to IKE daemon
+ike_flags=""			# Additional flags for IKE daemon
 natd_program="/sbin/natd"	# path to natd, if you want a different one.
 natd_enable="NO"		# Enable natd (if firewall_enable == YES).
 natd_interface=""		# Public interface or IPaddress to use.
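Review bot: `ike_program="/usr/local/sbin/racoon"` makes a default in /etc/defaults/rc.conf point at a ports binary, and the `ike_enable` comment says "racoon or isakmpd" even though isakmpd is installed at a different path and takes different flags, so switching daemons means changing `ike_program` and `ike_flags` together; say so in the comment and phrase it like its neighbours, e.g. `ike_enable="NO"   # Set to YES to start an IKE daemon (see ike_program)`. The patch also leaves rc.conf(5) untouched, and every variable in this file is documented there, so the three new variables need entries in the manual page before this is committed.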
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->bms 
Responsible-Changed-By: bms 
Responsible-Changed-When: Tue 25 Nov 2003 09:10:33 PST 
Responsible-Changed-Why:  
I'm in hoover up network PRs mode. I'll look into this. 

We do this for routed and mrouted already, as well as providing for the use 
of setkey(8) at boot time; I see no reason why this can't be committed as-is. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=42497 
State-Changed-From-To: open->patched 
State-Changed-By: bms 
State-Changed-When: Thu 27 Nov 2003 01:52:01 PST 
State-Changed-Why:  
Committed to RELENG_4 with some fixups, thanks. 
This will be closed when crossported to -CURRENT. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=42497 
State-Changed-From-To: patched->closed 
State-Changed-By: bms 
State-Changed-When: Fri 28 Nov 2003 09:29:48 PST 
State-Changed-Why:  
Committed. thanks! 

http://www.freebsd.org/cgi/query-pr.cgi?pr=42497 
>Unformatted:
