rpms/openswan/F-9 openswan-2.6.16-examples.patch, NONE, 1.1 openswan-2.6.16-initscript-correction.patch, NONE, 1.1

avesh agarwal avesh at fedoraproject.org
Tue Nov 25 21:20:16 UTC 2008


Author: avesh

Update of /cvs/pkgs/rpms/openswan/F-9
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv31123

Added Files:
	openswan-2.6.16-examples.patch 
	openswan-2.6.16-initscript-correction.patch 
Log Message:
* Thu Oct 30 2008 Avesh Agarwal <avagarwa at redhat.com> - 2.6.18-1
- Addressed some issues related to bugzilla 447419
- Added xmlto and bind-devel to BuildRequires 
- Removed the patch openswan-2.6-noxmlto.patch
- Removed the command "rm -rf programs/readwriteconf" from the spec file
  as readwriteconf is used with "make check" for debugging purposes.
- Removed USE_LWRES=false from the spec file as it has been 
  obsolete in upstream (using bind-devel instead)	
- modified default ipsec.conf to address rhbz#463931
- added initscript patch to prevent openswan service start by default


openswan-2.6.16-examples.patch:

--- NEW FILE openswan-2.6.16-examples.patch ---
diff -urN openswan-2.6.16.orig/doc/example-configs/l2tp-cert.conf openswan-2.6.16/doc/example-configs/l2tp-cert.conf
--- openswan-2.6.16.orig/doc/example-configs/l2tp-cert.conf	1969-12-31 19:00:00.000000000 -0500
+++ openswan-2.6.16/doc/example-configs/l2tp-cert.conf	2008-09-09 16:23:29.000000000 -0400
@@ -0,0 +1,38 @@
+conn l2tp-X.509
+	#
+	# Configuration for one user with any type of IPsec/L2TP client
+	# including the updated Windows 2000/XP (MS KB Q818043), but
+	# excluding the non-updated Windows 2000/XP.
+	#
+	#
+	# Use a certificate. Disable Perfect Forward Secrecy.
+	#
+	authby=rsasig
+	pfs=no
+	auto=add
+	# we cannot rekey for %any, let client rekey
+	rekey=no
+	# Set ikelifetime and keylife to same defaults windows has
+	ikelifetime=8h
+	keylife=1h
+	# l2tp-over-ipsec is transport mode
+	# See http://bugs.xelerance.com/view.php?id=466
+	type=transport
+	#
+	left=%defaultroute
+	# or you can use: left=YourIPAddress
+	leftrsasigkey=%cert
+	leftcert=/etc/ipsec.d/certs/YourGatewayCertHere.pem
+	leftprotoport=17/1701
+	#
+	# The remote user.
+	#
+	right=%any
+	rightca=%same
+	rightrsasigkey=%cert
+	# Using the magic port of "0" means "any one single port". This is
+	# a work around required for Apple OSX clients that use a randomly
+	# high port, but propose "0" instead of their port.
+	rightprotoport=17/0
+	rightsubnet=vhost:%priv,%no
+
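Review bot: `rightca=%same` combined with `right=%any` and no `rightid` means every certificate issued by the same CA as `leftcert` is accepted as a valid L2TP user, and the header comment does not say so. A decommissioned client whose certificate was never revoked can still authenticate, so revocation checking has to be enabled in the `config setup` section, which this example does not show. Suggest extending the comment above `rightca=%same` with `# Any certificate signed by the CA of leftcert is accepted as a client; restrict further with rightid= and make sure CRL checking is enabled in config setup.` The `pfs=no` comment gives the Windows-compatibility reason but should also state the consequence: without PFS every IPsec SA of the session derives its keys from the single phase-1 exchange, so compromise of that phase-1 key material exposes all of them.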
diff -urN openswan-2.6.16.orig/doc/example-configs/l2tp-psk.conf openswan-2.6.16/doc/example-configs/l2tp-psk.conf
--- openswan-2.6.16.orig/doc/example-configs/l2tp-psk.conf	1969-12-31 19:00:00.000000000 -0500
+++ openswan-2.6.16/doc/example-configs/l2tp-psk.conf	2008-09-09 16:23:29.000000000 -0400
@@ -0,0 +1,43 @@
+conn L2TP-PSK-NAT
+	rightsubnet=vhost:%priv
+	also=L2TP-PSK-noNAT
+
+conn L2TP-PSK-noNAT
+	#
+	# Configuration for one user with any type of IPsec/L2TP client
+	# including the updated Windows 2000/XP (MS KB Q818043), but
+	# excluding the non-updated Windows 2000/XP.
+	#
+	#
+	# Use a Preshared Key. Disable Perfect Forward Secrecy.
+	#
+	# PreSharedSecret needs to be specified in /etc/ipsec.secrets as
+	# YourIPAddress	 %any: "sharedsecret"
+	authby=secret
+	pfs=no
+	auto=add
+	keyingtries=3
+	# we cannot rekey for %any, let client rekey
+	rekey=no
+	# Set ikelifetime and keylife to same defaults windows has
+	ikelifetime=8h
+	keylife=1h
+	# l2tp-over-ipsec is transport mode
+	type=transport
+	#
+	left=%defaultroute
+	# or you can use: left=YourIPAddress
+	#
+	# For updated Windows 2000/XP clients,
+	# to support old clients as well, use leftprotoport=17/%any
+	leftprotoport=17/1701
+	#
+	# The remote user.
+	#
+	right=%any
+	# Using the magic port of "0" means "any one single port". This is
+	# a work around required for Apple OSX clients that use a randomly
+	# high port, but propose "0" instead of their port.
+	rightprotoport=17/0
+
+
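Review bot: The `%any` pre-shared key described in the comment (`YourIPAddress %any: "sharedsecret"`) is one group secret shared by every client, and the comment should say so: any client holding it can impersonate the gateway to the other clients, and removing or losing a single client requires rotating the secret on the gateway and on all remaining clients. Suggest appending `# NOTE: with right=%any every client shares this one secret; rotate it whenever a client is removed, and keep ipsec.secrets readable by root only.` to the comment block above `authby=secret`. Also `keyingtries=3` appears here but not in the otherwise parallel `l2tp-cert.conf` example in this patch; either value is fine, but the two examples should agree or the difference should be commented.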
diff -urN openswan-2.6.16.orig/doc/example-configs/linux-linux.conf openswan-2.6.16/doc/example-configs/linux-linux.conf
--- openswan-2.6.16.orig/doc/example-configs/linux-linux.conf	1969-12-31 19:00:00.000000000 -0500
+++ openswan-2.6.16/doc/example-configs/linux-linux.conf	2008-09-09 16:23:29.000000000 -0400
@@ -0,0 +1,19 @@
+conn linux-to-linux
+	#
+	# Simple use raw RSA keys
+	# After starting openswan, run: ipsec showhostkey --left (or --right)
+	# and fill in the connection similarly to the example below.
+	#
+	left=1.2.3.4
+	# optional
+	# leftsubnet=10.0.1.0/24
+	leftid=@bofh.xelerance.com
+	leftrsasigkey=0sAQPWTXt8DDlEhTZJ91ngNMxTSyuos6JZxXQmtRcwUl6ppUCcuuWvjXrF/qiz6eiL1LMlpGJyG1oVhtFhTaFJl7ZkF/4J1B9LCFzYxvYI97AnLuC0op5pVAZ1SZx29+aRjeMcKC4zbZ6dMMjUdn9H1gqG9rpE0MBEFNSVLEu9U8rtlz14RfxQAQ9ePj64HnGLfgJlDB0VYhKEIcRihy72bvjZ4eoX16S1EY1FgnHyrveZPxRi8sgn6Q19RytEzSmUAlGjvMDhNfenq6WCSYMeqgj0jFSArTNBQmR2QBkUG6NSOXfb+18c6jDPicGmbmWfoRx/PUJo46WiRF4RRmsxnFpbHpklILFzEJ+/k6qHVAekpVfp
+	# The remote user.
+	#
+	right=5.6.7.8
+	rightid=@tla.xelerance.com
+	# optional
+	# rightsubnet=10.0.2.0/24
+	rightrsasigkey=0sAQNxf6caKULJklYZycuo66Ko0U+iHaJUDr0QZHnG4MJ9IRNYi5H6kPxcwKIXkg+OGo+NeUyyWDEc+ox27BFYViAHQNEyBRLZu0kyE681h+cHm7lfCSy0AOEBSCyZF3aGcL8GWxVhtimpJQ4tNxXZg7tLX5sfYw8mZnUBjkHvyccIred/q3cNWbDlq2WU4TL+NBb5FnxXi9Hk/SRV7sMe56fvZuXkcJu4e2C7uocltzzF1b0BZx7yeXwHjzqAWnW/UA54fbSTvzgnrpSC+FMuhWTI1EdxcqGaOFIjGWWGV2nxg/QaPU9i8vpwFwrEEdCJTiqlbYYNudblg4vYthnVNez0/RkfZHfhAaHdbJRSaQzOu88h
+	auto=start
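Review bot: The literal `leftrsasigkey`/`rightrsasigkey` values, together with the `@bofh.xelerance.com`/`@tla.xelerance.com` IDs, look like real keys rather than obvious placeholders, and the comment only says to fill in the connection "similarly to the example". A user who pastes this file and replaces just one side keeps a peer public key whose private half belongs to whoever generated the example, so that party could authenticate as the peer. Suggest making the comment explicit: `# REPLACE both rsasigkey values (and both ids) with the output of 'ipsec showhostkey' on each host; never keep the example keys.` Since this is the only example using `auto=start`, a one-line comment that the tunnel is brought up unattended at startup would also help.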
diff -urN openswan-2.6.16.orig/doc/example-configs/oe-exclude-dns.conf openswan-2.6.16/doc/example-configs/oe-exclude-dns.conf
--- openswan-2.6.16.orig/doc/example-configs/oe-exclude-dns.conf	1969-12-31 19:00:00.000000000 -0500
+++ openswan-2.6.16/doc/example-configs/oe-exclude-dns.conf	2008-09-09 16:23:29.000000000 -0400
@@ -0,0 +1,9 @@
+conn let-my-dns-go
+        left=%defaultroute
+        leftnexthop=%defaultroute
+        leftprotoport=17/%any
+        right=0.0.0.0
+        rightsubnet=0.0.0.0/0
+        rightprotoport=17/53
+        type=passthrough
+        auto=route
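Review bot: The `let-my-dns-go` conn is the only example in this patch with no explanatory comment. Reading `rightprotoport=17/53`, `rightsubnet=0.0.0.0/0`, `type=passthrough` and `auto=route`, it installs a bypass policy for all outbound UDP/53 traffic to any destination, presumably so resolver queries are not held up by Opportunistic Encryption; TCP/53 is not covered. Suggest a header comment: `# Passthrough policy: exempt all outbound UDP/53 (DNS) traffic from OE so name lookups never depend on an IPsec SA. Does not cover TCP/53.` This file is also indented with spaces while the other examples use tabs.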
diff -urN openswan-2.6.16.orig/doc/example-configs/sysctl.conf openswan-2.6.16/doc/example-configs/sysctl.conf
--- openswan-2.6.16.orig/doc/example-configs/sysctl.conf	1969-12-31 19:00:00.000000000 -0500
+++ openswan-2.6.16/doc/example-configs/sysctl.conf	2008-09-09 16:23:29.000000000 -0400
@@ -0,0 +1,23 @@
+
+# example entries for /etc/sysctl.conf
+# forwarding is needed for subnet or l2tp connections
+net.ipv4.ip_forward = 1
+
+# rp_filter is stupid and cannot deal decrypted packets "appearing out of
+# nowhere"
+net.ipv4.conf.default.rp_filter = 0
+
+# when using 1 interface for two networks, and in some other cases with
+# NETKEY, the kernel thinks it can be clever but breaks things.
+net.ipv4.conf.all.send_redirects = 0
+net.ipv4.conf.default.send_redirects = 0
+net.ipv4.icmp_ignore_bogus_error_responses = 1
+net.ipv4.conf.all.log_martians = 0
+net.ipv4.conf.default.log_martians = 0
+
+# these are non-ipsec specific security policies you should use
+net.ipv4.conf.default.accept_source_route = 0
+net.ipv4.conf.all.accept_redirects = 0
+net.ipv4.conf.default.accept_redirects = 0
+
+
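Review bot: The "non-ipsec specific security policies" block sets `net.ipv4.conf.default.accept_source_route = 0` but, unlike the `accept_redirects` pair right below it, has no `all` counterpart; `conf.default.*` only seeds interfaces created after the sysctl is applied, so interfaces already up keep their current value. Add `net.ipv4.conf.all.accept_source_route = 0`. The same asymmetry applies to `rp_filter`, where only `default` is cleared: how the `all` and per-interface values combine is kernel-version dependent, so anyone who needs rp_filter off for NETKEY should clear `net.ipv4.conf.all.rp_filter` as well, and the comment should say so. Finally, `log_martians = 0` removes a useful spoofing indicator; the comment should make clear this is a trade-off to avoid noise from decrypted packets, not a hardening setting.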
diff -urN openswan-2.6.16.orig/doc/example-configs/xauth.conf openswan-2.6.16/doc/example-configs/xauth.conf
--- openswan-2.6.16.orig/doc/example-configs/xauth.conf	1969-12-31 19:00:00.000000000 -0500
+++ openswan-2.6.16/doc/example-configs/xauth.conf	2008-09-09 16:23:29.000000000 -0400
@@ -0,0 +1,34 @@
+conn xauthserver
+	#
+	left=1.2.3.4
+	leftcert=/etc/ipsec.d/certs/xauthserver.pem
+	leftxauthserver=yes
+	leftmodecfgserver=yes
+	#
+	right=%any
+	rightxauthclient=yes
+	rightmodecfgclient=yes
+	#
+	auto=add
+	rekey=yes
+	modecfgpull=yes
+	modecfgdns1=1.2.3.4
+	modecfgdns2=5.6.7.8
+	modecfgwins1=1.2.3.4
+	modecfgwins2=5.6.7.8
+
+conn xauthclient	
+	#
+	left=1.2.3.4
+	leftxauthserver=yes
+	leftmodecfgserver=yes
+	#
+	right=%defaultroute
+	rightxauthclient=yes
+	rightmodecfgclient=yes
+	#
+	auto=add
+	# you probably can not rekey, it requires xauth password, and openswan does not
+	# cache it for you. Other clients might cache it and rekey to an openswan server
+	rekey=no
+	modecfgpull=yes
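Review bot: The `xauthserver` conn supplies `leftcert` but, unlike `l2tp-cert.conf` in the same patch, sets neither `rightrsasigkey=%cert` nor `rightca=%same`/`rightid` for the `right=%any` peer, so which client certificates are accepted is left to defaults and is not documented. If client certificate authentication is intended, add `rightrsasigkey=%cert` and `rightca=%same` with a comment; if XAUTH credentials are the only client authentication, say so in a comment. The `xauthclient` conn likewise gives no hint of how the client verifies the gateway (no `leftid` or certificate reference), so a reader cannot tell from the example how the server identity is pinned; a comment is needed there too. Also the `conn xauthclient` line carries a trailing tab.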

openswan-2.6.16-initscript-correction.patch:

--- NEW FILE openswan-2.6.16-initscript-correction.patch ---
diff -ur openswan-2.6.16.orig/programs/setup/setup.in openswan-2.6.16/programs/setup/setup.in
--- openswan-2.6.16.orig/programs/setup/setup.in	2008-09-09 16:22:47.000000000 -0400
+++ openswan-2.6.16/programs/setup/setup.in	2008-09-10 15:02:33.000000000 -0400
@@ -26,7 +26,7 @@
 # times of NFS filesystem startup/shutdown).  Startup is after startup of
 # syslog and pcmcia support; shutdown is just before shutdown of syslog.
 #
-# chkconfig: 2345 47 76
+# chkconfig: - 47 76
 # description: IPsec provides encrypted and authenticated communications; \
 # KLIPS is the kernel half of it, Pluto is the user-level management daemon.
 
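Review bot: The change to `# chkconfig: - 47 76` registers the service as off by default, but the header comment above it still only documents start/stop ordering and gives no hint that ipsec must now be enabled explicitly after installation. Add a line after the chkconfig line such as `# Not enabled by default: run 'chkconfig ipsec on' once /etc/ipsec.conf and /etc/ipsec.secrets are configured.` Note that chkconfig reads this header only when the service is registered (`chkconfig --add`), so this change alone presumably does not alter the state of systems where ipsec was already enabled; that would be handled by the spec file's scriptlets, which are outside this patch.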



