hey, news: ipsec is one giant mess. unless someone has ze magic recipe for those two connections being able to live in one ipsec.conf that i might have missed (despite help), i declare it impossible to have both in one due to the default peer conflict - both connections have an (implicit or not) "any" peer since the remote endpoints are dynamic IPs.
# tion / henning home ike passive esp from $networks to $tion_net \ srcid somehost.bsws.de dstid otherhost.bulabula.org ike passive esp from $self to $tion_net \ srcid somehost.bsws.de dstid otherhost.bulabula.org # Android L2TP/IPsec PSK ike passive esp transport \ proto udp from $self to any port 1701 \ main auth "hmac-sha" enc "3des" group modp1024 \ quick auth "hmac-sha" enc "aes" \ psk "XXXXXXXXXXXX" so i splitted that in two ipsec.conf (with $self using different IPs of course), have two isakmpd.conf files which only contain Listen-on statements and start the second with a galore of cmd line options. now all missing is ipsecctl being able to talk to the second, which this patch adds. rc.local excerpt: echo -n "l2tp-ipsec" /sbin/isakmpd -Kv -i /var/run/isakmpd2.pid -f /var/run/isakmpd2.fifo \ -c /etc/isakmpd/isakmpd.conf /sbin/ipsecctl -f /etc/ipsec-l2tp.conf -i /var/run/isakmpd2.fifo I think ipsecctl should have an option for the path to the fifo no matter what, last not least because isakmpd has. Index: ike.c =================================================================== RCS file: /cvs/src/sbin/ipsecctl/ike.c,v retrieving revision 1.69 diff -u -p -r1.69 ike.c --- ike.c 15 Oct 2010 12:11:10 -0000 1.69 +++ ike.c 7 Nov 2011 18:59:37 -0000 @@ -45,15 +45,13 @@ static int ike_delete_config(struct ipse static void ike_setup_ids(struct ipsec_rule *); int ike_print_config(struct ipsec_rule *, int); -int ike_ipsec_establish(int, struct ipsec_rule *); +int ike_ipsec_establish(int, struct ipsec_rule *, const char *); #define SET "C set " #define ADD "C add " #define DELETE "C rms " #define RMV "C rmv " -#define ISAKMPD_FIFO "/var/run/isakmpd.fifo" - #define CONF_DFLT_DYNAMIC_DPD_CHECK_INTERVAL 5 #define CONF_DFLT_DYNAMIC_CHECK_INTERVAL 30 
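Review bot: Dropping `#define ISAKMPD_FIFO` here leaves the default path as a bare literal in ipsecctl.c (`char *isakmpd_fifo = "/var/run/isakmpd.fifo";` in the later hunk), so nothing else — the man page text, a usage() message — can name the default. Keeping the macro in ipsecctl.h, which presumably both files already include for the shared prototype, and initializing from it, `const char *isakmpd_fifo = ISAKMPD_FIFO;`, keeps a single definition of the default. The new `const char *` parameter on the prototype is undocumented; a short comment beside the declaration, `/* last arg: path to isakmpd's control FIFO */`, would say what callers are expected to pass. The hunk header counts 15 old lines but only 13 are visible, so a couple of trailing context lines appear to have been lost in this listing.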
@@ -707,20 +705,20 @@ ike_print_config(struct ipsec_rule *r, i } int -ike_ipsec_establish(int action, struct ipsec_rule *r) +ike_ipsec_establish(int action, struct ipsec_rule *r, const char *fifo) { struct stat sb; FILE *fdp; int fd, ret = 0; - if ((fd = open(ISAKMPD_FIFO, O_WRONLY)) == -1) - err(1, "ike_ipsec_establish: open(%s)", ISAKMPD_FIFO); + if ((fd = open(fifo, O_WRONLY)) == -1) + err(1, "ike_ipsec_establish: open(%s)", fifo); if (fstat(fd, &sb) == -1) - err(1, "ike_ipsec_establish: fstat(%s)", ISAKMPD_FIFO); + err(1, "ike_ipsec_establish: fstat(%s)", fifo); if (!S_ISFIFO(sb.st_mode)) - errx(1, "ike_ipsec_establish: %s not a fifo", ISAKMPD_FIFO); + errx(1, "ike_ipsec_establish: %s not a fifo", fifo); if ((fdp = fdopen(fd, "w")) == NULL) - err(1, "ike_ipsec_establish: fdopen(%s)", ISAKMPD_FIFO); + err(1, "ike_ipsec_establish: fdopen(%s)", fifo); switch (action) { case ACTION_ADD: Index: ipsecctl.8 =================================================================== RCS file: /cvs/src/sbin/ipsecctl/ipsecctl.8,v retrieving revision 1.25 diff -u -p -r1.25 ipsecctl.8 --- ipsecctl.8 31 May 2007 19:19:44 -0000 1.25 +++ ipsecctl.8 7 Nov 2011 18:59:37 -0000 @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: May 31 2007 $ +.Dd $Mdocdate$ .Dt IPSECCTL 8 .Os .Sh NAME @@ -67,6 +67,11 @@ option flushes the SPD and the SAD. .It Fl f Ar file Load the rules contained in .Ar file . +.It Fl i Ar fifo +The +.Fl i +option specifies the FIFO used to talk to +.Xr isakmpd 8 . .It Fl k Show secret keying material when printing the active SAD entries. .It Fl m Index: ipsecctl.c =================================================================== RCS file: /cvs/src/sbin/ipsecctl/ipsecctl.c,v retrieving revision 1.73 diff -u -p -r1.73 ipsecctl.c --- ipsecctl.c 27 Jan 2009 15:32:08 -0000 1.73 +++ ipsecctl.c 7 Nov 2011 18:59:37 -0000 
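Review bot: With `fifo` now supplied from the command line, the open()/fstat()/S_ISFIFO() sequence at the top of ike_ipsec_establish is the only validation of the operator-chosen path, and open(O_WRONLY) on a FIFO blocks until a reader exists, so an -i path whose isakmpd is not running makes ipsecctl hang silently instead of failing. That behaviour predates the change, but the new option makes it easier to hit; if a fast failure is preferred, opening with `O_WRONLY|O_NONBLOCK` turns the no-reader case into an ENXIO error from open(), after which the flag can be cleared with fcntl(F_SETFL) before the fdopen() — worth confirming against the remainder of the function, which continues past the hunk. Checking the opened descriptor with fstat rather than the path with stat is the right order, since it leaves no window between the check and the use. The new parameter deserves a comment on the definition, e.g. `/* fifo: path to isakmpd's control FIFO; must exist and be a FIFO, verified on the opened fd */`.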
@@ -63,6 +63,7 @@ static int unmask(struct ipsec_addr *, int sacompare(const void *, const void *); const char *showopt; +char *isakmpd_fifo = "/var/run/isakmpd.fifo"; int first_title = 1; @@ -162,7 +163,8 @@ ipsecctl_commit(int action, struct ipsec TAILQ_FOREACH(rp, &ipsec->rule_queue, rule_entry) { if (rp->type & RULE_IKE) { - if (ike_ipsec_establish(action, rp) == -1) { + if (ike_ipsec_establish(action, rp, isakmpd_fifo) == + -1) { warnx("failed to %s ike rule %d", action == ACTION_DELETE ? "delete" : "add", rp->nr); @@ -639,7 +641,7 @@ main(int argc, char *argv[]) if (argc < 2) usage(); - while ((ch = getopt(argc, argv, "D:df:Fkmnvs:")) != -1) { + while ((ch = getopt(argc, argv, "D:df:Fi:kmnvs:")) != -1) { switch (ch) { case 'D': if (cmdline_symset(optarg) < 0) @@ -657,6 +659,10 @@ main(int argc, char *argv[]) case 'F': opts |= IPSECCTL_OPT_FLUSH; + break; + + case 'i': + isakmpd_fifo = optarg; break; case 'k': Index: ipsecctl.h =================================================================== RCS file: /cvs/src/sbin/ipsecctl/ipsecctl.h,v retrieving revision 1.61 diff -u -p -r1.61 ipsecctl.h --- ipsecctl.h 6 Oct 2010 22:19:20 -0000 1.61 +++ ipsecctl.h 7 Nov 2011 18:59:37 -0000 @@ -233,7 +233,7 @@ void ipsecctl_free_rule(struct ipsec_rul void ipsecctl_get_rules(struct ipsecctl *); void ipsecctl_print_rule(struct ipsec_rule *, int); int ike_print_config(struct ipsec_rule *, int); -int ike_ipsec_establish(int, struct ipsec_rule *); +int ike_ipsec_establish(int, struct ipsec_rule *, const char *); void set_ipmask(struct ipsec_addr_wrap *, u_int8_t); #endif /* _IPSECCTL_H_ */
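Review bot: `char *isakmpd_fifo = "/var/run/isakmpd.fifo";` in the first ipsecctl.c hunk declares a mutable pointer to a string literal, while every consumer in these hunks (the new `const char *` parameter of ike_ipsec_establish, and the `isakmpd_fifo = optarg;` assignment in `case 'i':`) needs read access only; `const char *isakmpd_fifo = "/var/run/isakmpd.fifo";` matches the neighbouring `const char *showopt;` and turns an accidental write through it, which would be undefined behaviour, into a compile error. As far as the hunks show the variable is used only within ipsecctl.c, so it could also be `static` unless another file references it. The getopt hunk adds `i:` to the option string, but no hunk touches usage(); if usage() prints the option list, `-i fifo` presumably belongs there as well — usage() lies outside the hunks shown, so please confirm.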