Kernels 2.5/2.6 have a built-in IPsec stack. To use the new IPsec stack, we'll need the ipsec-tools (an alternative would be isakmpd from OpenBSD, but it doesn't compile well), which contain the IKE daemon racoon (KAME) and the SAD tool setkey. Since racoon doesn't like any CFLAGS or HOST settings, I had to unset them, but I don't think that will cause any performance impact, since the real IPsec stuff is handled in the kernel. I tested both racoon and setkey on x86; no problem establishing a tunnel (tested AES, 3DES and Blowfish) and host-to-host. But it should definitely be marked testing until 2.6.0 becomes stable.
Created attachment 16211 [details] ipsec-tools-0.2.2 ebuild
Hello, I wrote an isakmpd ebuild: http://bugs.gentoo.org/show_bug.cgi?id=27278 And I also wrote an ebuild for ipsec-tools (I didn't know yours already existed). I wrote an init script for racoon; I don't know if you'll find this useful. I attached them so you can check them.
Created attachment 16624 [details] My version of the ebuild. You can get the install part of the init.d and conf.d files from it.
Created attachment 16626 [details] racoon for /etc/conf.d
Created attachment 16627 [details] racoon file for /etc/init.d
Looks OK, but the init script is quite useless without a way to call setkey and load the corresponding policy. Without that, racoon won't start properly.
I did a new version of the init.d that calls setkey before starting racoon; tell me what you think about it.
Created attachment 16764 [details] racoon.conf.d
Created attachment 16766 [details] racoon.init.d
Looks good, no complaints from my side :)
I would submit that the ebuild for ipsec-tools should also include a sample pre-shared key file and also provide security checks for that file on the system. The PSK file that's referenced with the path command in racoon.conf needs to exist and be mode 400 for proper operation. Basically I've made the following proposed changes:
* Added RACOON_PSK_FILE in /etc/conf.d/racoon
* Added a security and sanity check for the file in /etc/init.d/racoon
* Included a sample PSK file
If you specify /etc/racoon/psk.txt by default in the provided conf.d file and everything's commented out, then you have no problems with default configurations that don't use PSK, and you provide a valuable security check for people who aren't aware of the security needs for this file. Just a thought....
Created attachment 18182 [details] Sample pre-shared key config file
Created attachment 18183 [details] Sample pre-shared key config file
Created attachment 18184 [details] Altered init.d script for racoon that checks for psk security.
Created attachment 18185 [details] Alternate conf.d/racoon config file that includes a PSK location.
Why isn't it in the portage tree yet? It works fine for me; I use it with x509 certs to connect to a freeswan server.
that's a good question. let me see about getting this added...
In the ipsec family... Why not add this one too: http://bugs.gentoo.org/show_bug.cgi?id=27278
Created attachment 21547 [details] setkey.conf for tunnel mode. This is from my setkey.conf, used with x509 certs. I also want to add the following to the racoon init script in the stop section:
--begin--
flush;
spdflush;
-- end --
Created attachment 21548 [details] racoon.conf for tunnel mode (x509 certs). I use this config to connect to an ipsec-freeswan gateway (yyy.yyy.yyy.yyy). My own IP is xxx.xxx.xxx.xxx (also in setkey.conf).
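The two init-script points raised in this thread (the PSK file check proposed with attachments 18184/18185, and the `flush; spdflush;` in the stop section suggested above) can be written as plain sh functions. The following is an added example, not any of the attachments or the ebuild's own script; the variable names, the default paths, `pkill` for stopping the daemon, and the `test -O` ownership check (supported by bash and dash, not strictly POSIX) are assumptions. The permission check rejects any group or world bits, so it accepts mode 400 as the thread recommends (and 600, which racoon can also read).

```shell
#!/bin/sh
# Added example, not the init script attached to this bug: the checks a
# racoon init script needs, as plain sh functions. The variable names,
# the default paths and the use of pkill are assumptions.

RACOON_CONF="${RACOON_CONF:-/etc/racoon/racoon.conf}"
RACOON_PSK_FILE="${RACOON_PSK_FILE:-/etc/racoon/psk.txt}"
SETKEY_CONF="${SETKEY_CONF:-/etc/ipsec.conf}"

# check_psk_file FILE
# Succeeds only if FILE is a regular file, owned by the user running this
# script, with no group or world permission bits (mode 400, or 600).
# Prints the reason for failure on stderr.
check_psk_file() {
    f=$1
    if [ ! -f "$f" ]; then
        echo "PSK file $f does not exist or is not a regular file" >&2
        return 1
    fi
    if [ ! -O "$f" ]; then
        echo "PSK file $f is not owned by $(id -un)" >&2
        return 1
    fi
    # The first field of 'ls -l' is the mode string (e.g. -r--------);
    # characters 5-10 are the group and other bits.
    perms=$(ls -ld "$f" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "PSK file $f is group or world accessible; chmod 400 it" >&2
        return 1
    fi
    return 0
}

# psk_in_use CONF
# Succeeds if CONF has an uncommented 'path pre_shared_key' directive, so
# the file check is only enforced for configurations that use PSK.
psk_in_use() {
    grep -Eq '^[[:space:]]*path[[:space:]]+pre_shared_key' "$1" 2>/dev/null
}

racoon_start() {
    if psk_in_use "$RACOON_CONF"; then
        check_psk_file "$RACOON_PSK_FILE" || return 1
    fi
    # Load the security policy first: racoon has nothing to negotiate
    # for until setkey has installed the SPD entries.
    setkey -f "$SETKEY_CONF" || return 1
    racoon -f "$RACOON_CONF"
}

racoon_stop() {
    pkill -x racoon
    # Remove the SAs and policies racoon and setkey installed, so no
    # stale tunnel state survives the daemon.
    printf 'flush;\nspdflush;\n' | setkey -c
}

case $1 in
    start) racoon_start ;;
    stop)  racoon_stop ;;
esac
```

Run it as `sh racoon.sh start` or `sh racoon.sh stop`. Gating the file check on `psk_in_use` is what makes the default conf.d setting harmless for certificate-only setups: the check fires only when racoon.conf actually points at a pre-shared key file.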
Hm, what is the reason why ipsec-tools doesn't go into the portage tree?
If a developer adds an ebuild, he is ultimately responsible for its upkeep, so devs tend not to add stuff they don't use, because they may be unable to maintain it properly. When I get some more people added to the team, I'm going to try to get all these utils (this one and others) added and kept up to date. Thanks for all the hard work on this; hopefully it won't be too much longer.
Can somebody stick this into a tarball, as there seem to be too many attachments, so I can commit it into Portage?
Created attachment 22224 [details] Tarball containing ipsec-tools/*
Here we go... The tarball basically contains:
- the slightly altered ebuild (id=16211) by Fridtjof Busse. The changes were:
  * reverted from econf back to configure due to python being a CPU pig when using econf (it failed here after running configure for more than five minutes).
  * DEPENDs on "virtual/glibc". I'm not quite sure whether ipsec-tools depends on openssl, too.
  * Install the setkey.conf by Georg Müller (id=21547) as /etc/ipsec.conf.sample
- the unaltered initscript (id=18184) and conf.d file (id=18185) by Jason McCormick
TODO:
- Test :-)
- Patch the manpages racoon.8 and racoon.conf.5 to use "/etc" instead of "/usr/local/v6/etc"
- ChangeLog
- Something else?
The ebuild works fine on my gateway at home and correctly negotiates an IPsec connection to my iBook, so I assume it will do what it should.
This looks good to me. I'd still recommend putting in a sample pre-shared key, because I think a lot of people using the VPN are going to be using PSK. As long as it's commented out of ipsec.conf, it doesn't really affect anything.
There already are sample configs for racoon (a racoon.conf and a psk.txt) installed by the ipsec-tools makefile itself:
dir /etc/racoon
obj /etc/racoon/racoon.conf 36215d029879a12920fef5bf6254b97b 1071417749
obj /etc/racoon/psk.txt.dist f42a2efd32941ff33e88b0dea1731ddd 1071417749
obj /etc/racoon/racoon.conf.dist 36215d029879a12920fef5bf6254b97b 1071417749
obj /etc/racoon/psk.txt f42a2efd32941ff33e88b0dea1731ddd 1071417749
Hmm, perhaps we should patch the makefile to install the .dist versions only?
Now in portage in `net-firewall'. Thanks a lot to everybody involved; sorry for the long wait and grief!