2 # IPsec startup and shutdown command
3 # Copyright (C) 1998, 1999, 2001 Henry Spencer.
5 # This program is free software; you can redistribute it and/or modify it
6 # under the terms of the GNU General Public License as published by the
7 # Free Software Foundation; either version 2 of the License, or (at your
8 # option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 # This program is distributed in the hope that it will be useful, but
11 # WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 # or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 # RCSID $Id: _realsetup,v 1.7.2.2 2002/04/11 01:19:05 mcr Exp $
# Prefix used on our own diagnostics (e.g. "$me: must be called by ipsec_setup").
me='ipsec setup'

# Fixed runtime paths.  None of these are taken from ipsec.conf; some of
# them could reasonably be made overridable there later.
#
# Pluto's PID file plus this script's own lock and info files, all under
# /var/run.  The lock is removed again with rm -f when a start fails, so
# finding it present-but-empty is a known, tolerated state.
plutopid='/var/run/pluto.pid'
lock='/var/run/ipsec_setup.pid'
info='/var/run/ipsec.info'
# Subsystem lock; its directory may not exist, which callers check first.
subsyslock='/var/lock/subsys/ipsec'
# Kernel control nodes: the /proc/sys tree of the in-kernel ipsec (KLIPS)
# code, the IPv4 forwarding switch that start/stop may flip, and the
# version node used to tell whether KLIPS is present.
sysflags='/proc/sys/net/ipsec'
ipforward='/proc/sys/net/ipv4/ip_forward'
ipsecversion='/proc/net/ipsec_version'

# We parse the text output of tools such as ifconfig, so strip every
# locale override inherited from the caller to keep that output English.
unset LANG
unset LANGUAGE
unset LC_ALL
unset LC_MESSAGES
32 # check we were called properly
33 if test " $IPSEC_confreadsection" != " setup"
35 echo "$me: must be called by ipsec_setup" >&2
41 # function to set up manually-keyed connections
43 if test " $IPSECmanualstart" != " "
45 for tu in $IPSECmanualstart
52 # function for no-stdout logging
54 logger -p $IPSECsyslog -t ipsec_setup
58 for i in `ifconfig | awk '/^ipsec/ { print $1 }'`
61 ipsec tncfg --detach --virtual $i
64 if test -r /proc/net/ipsec_klipsdebug
66 ipsec klipsdebug --none
70 i=`lsmod 2>&1 | awk '$1 == "ipsec" { print $1 }'`
71 if test " $i" = " ipsec"
78 # misc. backward compatibility
79 if test " $IPSECdump" = " yes" -a " $IPSECdumpdir" = " "
83 if test " $IPSECpacketdefault" = " "
85 case "$IPSECno_eroute_pass" in
86 ''|no) IPSECpacketdefault=drop ;;
87 yes) IPSECpacketdefault=pass ;;
88 *) echo "unknown (not yes/no) no_eroute_pass value \`$IPSECno_eroute_pass'"
89 IPSECpacketdefault=drop
98 start|--start|_autostart)
99 # First, does it seem to be running already?
102 echo "FreeS/WAN IPsec apparently already running, start aborted"
107 # (Warning, changes to this log message may affect barf.)
108 version="`ipsec --version | awk 'NR == 1 { print $NF }'`"
110 start|--start) echo "Starting FreeS/WAN IPsec $version..." ;;
111 _autostart) echo "Restarting FreeS/WAN IPsec $version..." ;;
116 if test ! -r /dev/random
118 echo "...unable to start FreeS/WAN IPsec, no /dev/random!"
121 if test ! -r /dev/urandom
123 echo "...unable to start FreeS/WAN IPsec, no /dev/urandom!"
129 echo "...unable to create $lock, aborting start!"
130 rm -f $lock # might be there but empty
136 ipsec _startklips --info $info --debug "$IPSECklipsdebug" \
137 --omtu "$IPSECoverridemtu" --fragicmp "$IPSECfragicmp" \
138 --hidetos "$IPSEChidetos" --default "$IPSECpacketdefault" \
139 --log "$IPSECsyslog" $IPSECinterfaces || (rm -f $lock; exit 1)
141 # misc pre-Pluto setup
142 if test -d `dirname $subsyslock`
147 if test " $IPSECforwardcontrol" = " yes" -a " $fw" = " 0"
149 echo "enabling IP forwarding:" | logonly
150 echo "ipforwardingwas=$fw" >>$info
157 start|--start) re= ;;
158 _autostart) re=--re ;;
160 if test " $IPSECpluto" != " no"
162 if ipsec _plutorun $re --debug "$IPSECplutodebug" \
163 --uniqueids "$IPSECuniqueids" \
164 --nocrsend "$IPSECnocrsend" \
165 --nat_traversal "$IPSECnat_traversal" \
166 --keep_alive "$IPSECkeep_alive" \
167 --force_keepalive "$IPSECforce_keepalive" \
168 --disable_port_floating "$IPSECdisable_port_floating" \
169 --virtual_private "$IPSECvirtual_private" \
170 --dump "$IPSECdumpdir" --load "$IPSECplutoload" \
171 --start "$IPSECplutostart" --wait "$IPSECplutowait" \
172 --pre "$IPSECprepluto" --post "$IPSECpostpluto" \
173 --log "$IPSECsyslog" --pid "$plutopid"
184 echo "...FreeS/WAN IPsec started" | logonly
187 stop|--stop|_autostop) # _autostop is same as stop
189 echo "Stopping FreeS/WAN IPsec..."
195 echo "stop ordered, but IPsec does not appear to be running!"
196 echo "doing cleanup anyway..."
199 if test " $IPSECforwardcontrol" = " yes" -a " $ipforwardingwas" = " 0"
201 echo "disabling IP forwarding:" | logonly
204 if test ! -f $plutopid
207 elif test ! -s $plutopid
209 echo "Removing empty $plutopid -- pluto still running?"
211 elif ps -p `cat $plutopid` >/dev/null # process exists
213 ipsec whack --shutdown | awk '$1 != "002"'
214 sleep 1 # general paranoia
217 echo "Attempt to shut Pluto down failed! Trying kill:"
221 rm -f $plutopid # harmless if already gone
223 echo "Removing orphaned $plutopid:"
229 if test -d `dirname $subsyslock`
234 echo "...FreeS/WAN IPsec stopped" | logonly
247 if test -f $subsyslock
254 if ps -p `cat $plutopid` >/dev/null
257 elif ps -C pluto >/dev/null
261 elif ps -C pluto >/dev/null
268 if test -r /proc/net/ipsec_eroute
270 if test " `wc -l </proc/net/ipsec_eroute`" -gt 0
276 if test -r $ipsecversion
279 elif test -r $modules
289 # there might not be a subsystem lock dir; ignore that case
290 if test "$plutokind" = "normal" -a "$klips" = "yes" -a "$hasinfo"
292 echo "pluto pid `cat $plutopid`"
296 if test "$plutokind" != "normal"
298 echo "$plutokind Pluto running!"
302 echo "$info file missing!"
305 maybe) echo "KLIPS module is not loaded!" ;;
306 none) echo "no KLIPS in kernel!" ;;
310 echo "some eroutes exist"
315 if test ! "$hassublock" -a ! "$hasinfo" -a "$plutokind" = "no" \
321 if test "$hassublock"
323 echo "has subsystem lock ($subsyslock)!"
327 echo "has $info file!"
329 if test "$plutokind" != "normal"
331 echo "$plutokind Pluto is running!"
335 echo "some eroutes exist!"
342 echo "$me $IPSEC_VERSION"
347 echo "Usage: $me {--start|--stop|--restart|--status}"
352 echo "Usage: $me {--start|--stop|--restart|--status}" >&2