ipsec

ipsec

#!/bin/sh
# IPsec startup and shutdown script
#
### BEGIN INIT INFO
# Provides:          ipsec
# Required-Start:    $network $remote_fs $syslog $named
# Required-Stop:     $syslog $remote_fs
# Default-Start:
# Default-Stop:      0 1 6
# Short-Description: Start Openswan IPsec at boot time
# Description:       Enable automatic key management for IPsec (KLIPS and NETKEY)
### END INIT INFO
#
### see https://bugzilla.redhat.com/show_bug.cgi?id=636572
### Debian and Fedora interpret the LSB differently
### Default-Start:     2 3 4 5
#
# Copyright (C) 1998, 1999, 2001  Henry Spencer.
# Copyright (C) 2002              Michael Richardson <[email protected]>
# Copyright (C) 2006              Michael Richardson <[email protected]>
# Copyright (C) 2008              Michael Richardson <[email protected]>
# 
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2 of the License, or (at your
# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
# 
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
# for more details.
#
#
# ipsec         init.d script for starting and stopping
#               the IPsec security subsystem (KLIPS and Pluto).
#
# This script becomes /etc/rc.d/init.d/ipsec (or possibly /etc/init.d/ipsec)
# and is also accessible as "ipsec setup" (the preferred route for human
# invocation).
#
# The startup and shutdown times are a difficult compromise (in particular,
# it is almost impossible to reconcile them with the insanely early/late
# times of NFS filesystem startup/shutdown).  Startup is after startup of
# syslog and pcmcia support; shutdown is just before shutdown of syslog.
#
# chkconfig: - 47 76
# description: IPsec provides encrypted and authenticated communications; \
# KLIPS is the kernel half of it, Pluto is the user-level management daemon.

test $IPSEC_INIT_SCRIPT_DEBUG && set -v -x

prog='ipsec setup'		# for messages

# where the private directory and the config files are
IPSEC_EXECDIR="${IPSEC_EXECDIR-/usr/local/libexec/ipsec}"
IPSEC_LIBDIR="${IPSEC_LIBDIR-/usr/local/lib/ipsec}"
IPSEC_SBINDIR="${IPSEC_SBINDIR-/usr/local/sbin}"
IPSEC_CONFS="${IPSEC_CONFS-/etc}"

if [ `id -u` -ne 0 ]
then
    echo "permission denied (must be superuser)" |
      logger -s -p daemon.error -t ipsec_setup 2>&1
    exit 4
fi

if test " $IPSEC_DIR" = " "	# if we were not called by the ipsec command
then
    # we must establish a suitable PATH ourselves
    PATH="${IPSEC_SBINDIR}":/sbin:/usr/sbin:/usr/local/bin:/bin:/usr/bin
    export PATH

    IPSEC_DIR="$IPSEC_LIBDIR"
    export IPSEC_DIR IPSEC_CONFS IPSEC_LIBDIR IPSEC_EXECDIR
fi

# Does not make any sense at all to continue without the main binary
# But before we can quit we should check if we are on a Debian based
# system as their policy demands a graceful exit code
test -f /etc/debian_version && BINARY_ERROR=0 || BINARY_ERROR=5
test -x $IPSEC_SBINDIR/ipsec || exit $BINARY_ERROR

# This is so we can get PLUTO_* env variables - the service/systemctl
# commands won't pass the entire environment along.
if [ -f /etc/sysconfig/ipsec ]; then
     . /etc/sysconfig/ipsec
elif [ -f /etc/default/ipsec ]; then
     . /etc/default/ipsec
fi

# misc setup
umask 022

mkdir -p /var/run/pluto
chmod 700 /var/run/pluto

RETVAL=0

verify_config() {
    test -f $IPSEC_CONFS/ipsec.conf || exit 6

    config_error=`ipsec addconn --checkconfig 2>&1`
    RETVAL=$?
    if [ $RETVAL != 0 ]
    then
        echo "failed to start openswan IKE daemon - the following error occured:"
        echo $config_error
        exit $RETVAL
    fi
}

start() {
    verify_config

    # Pick up IPsec configuration (until we have done this, successfully, we
    # do not know where errors should go, hence the explicit "daemon.error"s.)
    # Note the "--export", which exports the variables created.
    variables=`ipsec addconn $IPSEC_CONFS/ipsec.conf --varprefix IPSEC --configsetup`
    eval $variables
    
    IPSEC_confreadsection=${IPSEC_confreadsection:-setup}
    export IPSEC_confreadsection

    IPSECsyslog=${IPSECsyslog:-daemon.error}
    export IPSECsyslog

    # remove for: @cygwin_END@
    (
    ipsec _realsetup start
    RETVAL=$? 
    ) 2>&1 | logger -s -p $IPSECsyslog -t ipsec_setup 2>&1  
    return $RETVAL
}


stop() {
    IPSECsyslog=${IPSECsyslog:-daemon.error}
    export IPSECsyslog
    (
    ipsec _realsetup stop
    RETVAL=$? 
    ) 2>&1 | logger -s -p $IPSECsyslog -t ipsec_setup 2>&1  
    return $RETVAL
}

restart() {
    verify_config
    stop
    start
}

condrestart() {
    verify_config
    ipsec _realsetup status || exit 0
    restart
}

status() {
    ipsec _realsetup status
    RETVAL=$?	
    return $RETVAL
}

version() {
    ipsec version
    RETVAL=$?
    return $RETVAL
}


# do it
case "$1" in
    start|--start)
         start
         ;;
    stop|--stop)
         stop
         ;;
    restart|--restart)
         restart
 	 ;;
    reload|force-reload)
         restart
 	 ;;
    condrestart|try-restart)
         condrestart
         ;;
    status|--status)
         status
         ;;
    version)
         version
         ;;
    *)
         echo "Usage: $prog {start|stop|restart|reload|force-reload|condrestart|try-restart|status|version}"
         RETVAL=2
esac
 	
exit $RETVAL