#!/bin/sh # IPsec startup and shutdown script # ### BEGIN INIT INFO # Provides: ipsec # Required-Start: $network $remote_fs $syslog $named # Required-Stop: $syslog $remote_fs # Default-Start: # Default-Stop: 0 1 6 # Short-Description: Start Openswan IPsec at boot time # Description: Enable automatic key management for IPsec (KLIPS and NETKEY) ### END INIT INFO # ### see https://bugzilla.redhat.com/show_bug.cgi?id=636572 ### Debian and Fedora interpret the LSB differently ### Default-Start: 2 3 4 5 # # Copyright (C) 1998, 1999, 2001 Henry Spencer. # Copyright (C) 2002 Michael Richardson <mcr@freeswan.org> # Copyright (C) 2006 Michael Richardson <mcr@xelerance.com> # Copyright (C) 2008 Michael Richardson <mcr@sandelman.ca> # # This program is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by the # Free Software Foundation; either version 2 of the License, or (at your # option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. # # This program is distributed in the hope that it will be useful, but # WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY # or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License # for more details. # # # ipsec init.d script for starting and stopping # the IPsec security subsystem (KLIPS and Pluto). # # This script becomes /etc/rc.d/init.d/ipsec (or possibly /etc/init.d/ipsec) # and is also accessible as "ipsec setup" (the preferred route for human # invocation). # # The startup and shutdown times are a difficult compromise (in particular, # it is almost impossible to reconcile them with the insanely early/late # times of NFS filesystem startup/shutdown). Startup is after startup of # syslog and pcmcia support; shutdown is just before shutdown of syslog. # # chkconfig: - 47 76 # description: IPsec provides encrypted and authenticated communications; \ # KLIPS is the kernel half of it, Pluto is the user-level management daemon. test $IPSEC_INIT_SCRIPT_DEBUG && set -v -x prog='ipsec setup' # for messages # where the private directory and the config files are IPSEC_EXECDIR="${IPSEC_EXECDIR-/usr/lib/ipsec}" IPSEC_LIBDIR="${IPSEC_LIBDIR-/usr/lib/ipsec}" IPSEC_SBINDIR="${IPSEC_SBINDIR-/usr/sbin}" IPSEC_CONFS="${IPSEC_CONFS-/etc/openswan}" if [ `id -u` -ne 0 ] then echo "permission denied (must be superuser)" | logger -s -p daemon.error -t ipsec_setup 2>&1 exit 4 fi if test " $IPSEC_DIR" = " " # if we were not called by the ipsec command then # we must establish a suitable PATH ourselves PATH="${IPSEC_SBINDIR}":/sbin:/usr/sbin:/usr/local/bin:/bin:/usr/bin export PATH IPSEC_DIR="$IPSEC_LIBDIR" export IPSEC_DIR IPSEC_CONFS IPSEC_LIBDIR IPSEC_EXECDIR fi # Does not make any sense at all to continue without the main binary # But before we can quit we should check if we are on a Debian based # system as their policy demands a graceful exit code test -f /etc/debian_version && BINARY_ERROR=0 || BINARY_ERROR=5 test -x $IPSEC_SBINDIR/ipsec || exit $BINARY_ERROR # misc setup umask 022 mkdir -p /var/run/pluto chmod 700 /var/run/pluto RETVAL=0 verify_config() { test -f $IPSEC_CONFS/ipsec.conf || exit 6 config_error=`ipsec addconn --checkconfig 2>&1` RETVAL=$? if [ $RETVAL != 0 ] then echo "failed to start openswan IKE daemon - the following error occured:" echo $config_error exit $RETVAL fi } start() { verify_config # Pick up IPsec configuration (until we have done this, successfully, we # do not know where errors should go, hence the explicit "daemon.error"s.) # Note the "--export", which exports the variables created. variables=`ipsec addconn $IPSEC_CONFS/ipsec.conf --varprefix IPSEC --configsetup` eval $variables IPSEC_confreadsection=${IPSEC_confreadsection:-setup} export IPSEC_confreadsection IPSECsyslog=${IPSECsyslog:-daemon.error} export IPSECsyslog # remove for: @cygwin_END@ ( ipsec _realsetup start RETVAL=$? ) 2>&1 | logger -s -p $IPSECsyslog -t ipsec_setup 2>&1 return $RETVAL } stop() { IPSECsyslog=${IPSECsyslog:-daemon.error} export IPSECsyslog ( ipsec _realsetup stop RETVAL=$? ) 2>&1 | logger -s -p $IPSECsyslog -t ipsec_setup 2>&1 return $RETVAL } restart() { verify_config stop start } condrestart() { verify_config ipsec _realsetup status || exit 0 restart } status() { ipsec _realsetup status RETVAL=$? return $RETVAL } version() { ipsec version RETVAL=$? return $RETVAL } # do it case "$1" in start|--start) start ;; stop|--stop) stop ;; restart|--restart) restart ;; reload|force-reload) restart ;; condrestart|try-restart) condrestart ;; status|--status) status ;; version) version ;; *) echo "Usage: $prog {start|stop|restart|reload|force-reload|condrestart|try-restart|status|version}" RETVAL=2 esac exit $RETVAL