#!/bin/sh # IPsec startup and shutdown script # ### BEGIN INIT INFO # Provides: ipsec # Required-Start: $network $remote_fs $syslog $named # Required-Stop: $syslog $remote_fs # Default-Start: 2 3 4 5 # Default-Stop: 0 1 6 # Short-Description: Start Openswan IPsec at boot time # Description: Enable automatic key management for IPsec (KLIPS and NETKEY) ### END INIT INFO # # Copyright (C) 1998, 1999, 2001 Henry Spencer. # Copyright (C) 2002 Michael Richardson <mcr@freeswan.org> # Copyright (C) 2006 Michael Richardson <mcr@xelerance.com> # Copyright (C) 2008 Michael Richardson <mcr@sandelman.ca> # # This program is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by the # Free Software Foundation; either version 2 of the License, or (at your # option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. # # This program is distributed in the hope that it will be useful, but # WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY # or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License # for more details. # # # ipsec init.d script for starting and stopping # the IPsec security subsystem (KLIPS and Pluto). # # This script becomes /etc/rc.d/init.d/ipsec (or possibly /etc/init.d/ipsec) # and is also accessible as "ipsec setup" (the preferred route for human # invocation). # # The startup and shutdown times are a difficult compromise (in particular, # it is almost impossible to reconcile them with the insanely early/late # times of NFS filesystem startup/shutdown). Startup is after startup of # syslog and pcmcia support; shutdown is just before shutdown of syslog. # # chkconfig: - 47 76 # description: IPsec provides encrypted and authenticated communications; \ # KLIPS is the kernel half of it, Pluto is the user-level management daemon. prog='ipsec setup' # for messages # where the private directory and the config files are IPSEC_EXECDIR="${IPSEC_EXECDIR-/usr/lib/ipsec}" IPSEC_LIBDIR="${IPSEC_LIBDIR-/usr/lib/ipsec}" IPSEC_SBINDIR="${IPSEC_SBINDIR-/usr/sbin}" IPSEC_CONFS="${IPSEC_CONFS-/etc/openswan}" if [ `id -u` -ne 0 ] then echo "permission denied (must be superuser)" | logger -s -p daemon.error -t ipsec_setup 2>&1 exit 4 fi if test " $IPSEC_DIR" = " " # if we were not called by the ipsec command then # we must establish a suitable PATH ourselves PATH="${IPSEC_SBINDIR}":/sbin:/usr/sbin:/usr/local/bin:/bin:/usr/bin export PATH IPSEC_DIR="$IPSEC_LIBDIR" export IPSEC_DIR IPSEC_CONFS IPSEC_LIBDIR IPSEC_EXECDIR fi # misc setup umask 022 mkdir -p /var/run/pluto RETVAL=0 start() { test -x $IPSEC_SBINDIR/ipsec || exit 5 test -f /etc/ipsec.conf || exit 6 # Pick up IPsec configuration (until we have done this, successfully, we # do not know where errors should go, hence the explicit "daemon.error"s.) # Note the "--export", which exports the variables created. variables=`ipsec addconn /etc/ipsec.conf --varprefix IPSEC --configsetup` eval $variables if [ $? != 0 ] then echo "Failed to parse config setup portion of ipsec.conf" exit $? fi IPSEC_confreadsection=${IPSEC_confreadsection:-setup} export IPSEC_confreadsection IPSECsyslog=${IPSECsyslog:-daemon.error} export IPSECsyslog # remove for: @cygwin_END@ ( ipsec _realsetup start RETVAL=$? ) 2>&1 | logger -s -p $IPSECsyslog -t ipsec_setup 2>&1 return $RETVAL } stop() { IPSECsyslog=${IPSECsyslog:-daemon.error} export IPSECsyslog ( ipsec _realsetup stop RETVAL=$? ) 2>&1 | logger -s -p $IPSECsyslog -t ipsec_setup 2>&1 return $RETVAL } restart() { stop start } condrestart() { test -x $IPSEC_SBINDIR/ipsec || exit 5 ipsec _realsetup status || exit 0 restart } status() { test -x $IPSEC_SBINDIR/ipsec || exit 5 ipsec _realsetup status RETVAL=$? return $RETVAL } version() { ipsec version RETVAL=$? return $RETVAL } # do it case "$1" in start|--start) start ;; stop|--stop) stop ;; restart|--restart) restart ;; reload|force-reload) restart ;; condrestart|try-restart) condrestart ;; status|--status) status ;; version) version ;; *) echo "Usage: $prog {start|stop|restart|reload|force-reload|condrestart|try-restart|status|version}" RETVAL=2 esac exit $RETVAL