rpms/openswan/F-9 openswan-2.6.16-examples.patch, NONE, 1.1 openswan-2.6.16-initscript-correction.patch, NONE, 1.1
avesh agarwal
avesh at fedoraproject.org
Tue Nov 25 21:20:16 UTC 2008
Author: avesh
Update of /cvs/pkgs/rpms/openswan/F-9
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv31123
Added Files:
openswan-2.6.16-examples.patch
openswan-2.6.16-initscript-correction.patch
Log Message:
* Thu Oct 30 2008 Avesh Agarwal <avagarwa at redhat.com> - 2.6.18-1
- Addressed some issues related to bugzilla 447419
- Added xmlto and bind-devel to BuildRequires
- Removed the patch openswan-2.6-noxmlto.patch
- Removed the command "rm -rf programs/readwriteconf" from the spec file
as readwriteconf is used with "make check" for debugging purposes.
- Removed USE_LWRES=false from the spec file as it has been
obsolete in upstream (using bind-devel instead)
- modified default ipsec.conf to address rhbz#463931
- added initscript patch to prevent openswan service start by default
openswan-2.6.16-examples.patch:
--- NEW FILE openswan-2.6.16-examples.patch ---
diff -urN openswan-2.6.16.orig/doc/example-configs/l2tp-cert.conf openswan-2.6.16/doc/example-configs/l2tp-cert.conf
--- openswan-2.6.16.orig/doc/example-configs/l2tp-cert.conf 1969-12-31 19:00:00.000000000 -0500
+++ openswan-2.6.16/doc/example-configs/l2tp-cert.conf 2008-09-09 16:23:29.000000000 -0400
@@ -0,0 +1,38 @@
+conn l2tp-X.509
+ #
+ # Configuration for one user with any type of IPsec/L2TP client
+ # including the updated Windows 2000/XP (MS KB Q818043), but
+ # excluding the non-updated Windows 2000/XP.
+ #
+ #
+ # Use a certificate. Disable Perfect Forward Secrecy.
+ #
+ authby=rsasig
+ pfs=no
+ auto=add
+ # we cannot rekey for %any, let client rekey
+ rekey=no
+ # Set ikelifetime and keylife to same defaults windows has
+ ikelifetime=8h
+ keylife=1h
+ # l2tp-over-ipsec is transport mode
+ # See http://bugs.xelerance.com/view.php?id=466
+ type=transport
+ #
+ left=%defaultroute
+ # or you can use: left=YourIPAddress
+ leftrsasigkey=%cert
+ leftcert=/etc/ipsec.d/certs/YourGatewayCertHere.pem
+ leftprotoport=17/1701
+ #
+ # The remote user.
+ #
+ right=%any
+ rightca=%same
+ rightrsasigkey=%cert
+ # Using the magic port of "0" means "any one single port". This is
+ # a work around required for Apple OSX clients that use a randomly
+ # high port, but propose "0" instead of their port.
+ rightprotoport=17/0
+ rightsubnet=vhost:%priv,%no
+
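Review bot: `pfs=no` is added with a comment that only restates the setting ("Disable Perfect Forward Secrecy") and not why, and the same line recurs in the l2tp-psk.conf hunk below; since these example files are copied into /etc/ipsec.conf largely verbatim, the reason and the trade-off belong next to the line. The surrounding comments suggest it is there for interoperability with the Windows 2000/XP clients named above, so a comment such as `# pfs=no is a client-interoperability concession (see the Windows clients above); set pfs=yes if all your clients support PFS` would stop readers from inheriting the weaker setting when they do not need it. The same note applies to the l2tp-psk.conf hunk.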
diff -urN openswan-2.6.16.orig/doc/example-configs/l2tp-psk.conf openswan-2.6.16/doc/example-configs/l2tp-psk.conf
--- openswan-2.6.16.orig/doc/example-configs/l2tp-psk.conf 1969-12-31 19:00:00.000000000 -0500
+++ openswan-2.6.16/doc/example-configs/l2tp-psk.conf 2008-09-09 16:23:29.000000000 -0400
@@ -0,0 +1,43 @@
+conn L2TP-PSK-NAT
+ rightsubnet=vhost:%priv
+ also=L2TP-PSK-noNAT
+
+conn L2TP-PSK-noNAT
+ #
+ # Configuration for one user with any type of IPsec/L2TP client
+ # including the updated Windows 2000/XP (MS KB Q818043), but
+ # excluding the non-updated Windows 2000/XP.
+ #
+ #
+ # Use a Preshared Key. Disable Perfect Forward Secrecy.
+ #
+ # PreSharedSecret needs to be specified in /etc/ipsec.secrets as
+ # YourIPAddress %any: "sharedsecret"
+ authby=secret
+ pfs=no
+ auto=add
+ keyingtries=3
+ # we cannot rekey for %any, let client rekey
+ rekey=no
+ # Set ikelifetime and keylife to same defaults windows has
+ ikelifetime=8h
+ keylife=1h
+ # l2tp-over-ipsec is transport mode
+ type=transport
+ #
+ left=%defaultroute
+ # or you can use: left=YourIPAddress
+ #
+ # For updated Windows 2000/XP clients,
+ # to support old clients as well, use leftprotoport=17/%any
+ leftprotoport=17/1701
+ #
+ # The remote user.
+ #
+ right=%any
+ # Using the magic port of "0" means "any one single port". This is
+ # a work around required for Apple OSX clients that use a randomly
+ # high port, but propose "0" instead of their port.
+ rightprotoport=17/0
+
+
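Review bot: `authby=secret` together with `right=%any` means the single entry shown in the comment (`YourIPAddress %any: "sharedsecret"`) is one pre-shared key known to every roaming client, so its confidentiality is only as good as the least-trusted client and a compromised client cannot be revoked without rotating the secret for everyone; the example does not say so. Suggest extending the existing comment with `# Note: one PSK is shared by all %any clients and cannot be revoked per client; prefer the certificate-based l2tp-cert.conf example for more than a few users`. Everything else in the hunk (keyingtries, lifetimes, transport mode) is consistent with the l2tp-cert.conf example.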
diff -urN openswan-2.6.16.orig/doc/example-configs/linux-linux.conf openswan-2.6.16/doc/example-configs/linux-linux.conf
--- openswan-2.6.16.orig/doc/example-configs/linux-linux.conf 1969-12-31 19:00:00.000000000 -0500
+++ openswan-2.6.16/doc/example-configs/linux-linux.conf 2008-09-09 16:23:29.000000000 -0400
@@ -0,0 +1,19 @@
+conn linux-to-linux
+ #
+ # Simple use raw RSA keys
+ # After starting openswan, run: ipsec showhostkey --left (or --right)
+ # and fill in the connection similarly to the example below.
+ #
+ left=1.2.3.4
+ # optional
+ # leftsubnet=10.0.1.0/24
+ leftid=@bofh.xelerance.com
+ leftrsasigkey=0sAQPWTXt8DDlEhTZJ91ngNMxTSyuos6JZxXQmtRcwUl6ppUCcuuWvjXrF/qiz6eiL1LMlpGJyG1oVhtFhTaFJl7ZkF/4J1B9LCFzYxvYI97AnLuC0op5pVAZ1SZx29+aRjeMcKC4zbZ6dMMjUdn9H1gqG9rpE0MBEFNSVLEu9U8rtlz14RfxQAQ9ePj64HnGLfgJlDB0VYhKEIcRihy72bvjZ4eoX16S1EY1FgnHyrveZPxRi8sgn6Q19RytEzSmUAlGjvMDhNfenq6WCSYMeqgj0jFSArTNBQmR2QBkUG6NSOXfb+18c6jDPicGmbmWfoRx/PUJo46WiRF4RRmsxnFpbHpklILFzEJ+/k6qHVAekpVfp
+ # The remote user.
+ #
+ right=5.6.7.8
+ rightid=@tla.xelerance.com
+ # optional
+ # rightsubnet=10.0.2.0/24
+ rightrsasigkey=0sAQNxf6caKULJklYZycuo66Ko0U+iHaJUDr0QZHnG4MJ9IRNYi5H6kPxcwKIXkg+OGo+NeUyyWDEc+ox27BFYViAHQNEyBRLZu0kyE681h+cHm7lfCSy0AOEBSCyZF3aGcL8GWxVhtimpJQ4tNxXZg7tLX5sfYw8mZnUBjkHvyccIred/q3cNWbDlq2WU4TL+NBb5FnxXi9Hk/SRV7sMe56fvZuXkcJu4e2C7uocltzzF1b0BZx7yeXwHjzqAWnW/UA54fbSTvzgnrpSC+FMuhWTI1EdxcqGaOFIjGWWGV2nxg/QaPU9i8vpwFwrEEdCJTiqlbYYNudblg4vYthnVNez0/RkfZHfhAaHdbJRSaQzOu88h
+ auto=start
diff -urN openswan-2.6.16.orig/doc/example-configs/oe-exclude-dns.conf openswan-2.6.16/doc/example-configs/oe-exclude-dns.conf
--- openswan-2.6.16.orig/doc/example-configs/oe-exclude-dns.conf 1969-12-31 19:00:00.000000000 -0500
+++ openswan-2.6.16/doc/example-configs/oe-exclude-dns.conf 2008-09-09 16:23:29.000000000 -0400
@@ -0,0 +1,9 @@
+conn let-my-dns-go
+ left=%defaultroute
+ leftnexthop=%defaultroute
+ leftprotoport=17/%any
+ right=0.0.0.0
+ rightsubnet=0.0.0.0/0
+ rightprotoport=17/53
+ type=passthrough
+ auto=route
diff -urN openswan-2.6.16.orig/doc/example-configs/sysctl.conf openswan-2.6.16/doc/example-configs/sysctl.conf
--- openswan-2.6.16.orig/doc/example-configs/sysctl.conf 1969-12-31 19:00:00.000000000 -0500
+++ openswan-2.6.16/doc/example-configs/sysctl.conf 2008-09-09 16:23:29.000000000 -0400
@@ -0,0 +1,23 @@
+
+# example entries for /etc/sysctl.conf
+# forwarding is needed for subnet or l2tp connections
+net.ipv4.ip_forward = 1
+
+# rp_filter is stupid and cannot deal decrypted packets "appearing out of
+# nowhere"
+net.ipv4.conf.default.rp_filter = 0
+
+# when using 1 interface for two networks, and in some other cases with
+# NETKEY, the kernel thinks it can be clever but breaks things.
+net.ipv4.conf.all.send_redirects = 0
+net.ipv4.conf.default.send_redirects = 0
+net.ipv4.icmp_ignore_bogus_error_responses = 1
+net.ipv4.conf.all.log_martians = 0
+net.ipv4.conf.default.log_martians = 0
+
+# these are non-ipsec specific security policies you should use
+net.ipv4.conf.default.accept_source_route = 0
+net.ipv4.conf.all.accept_redirects = 0
+net.ipv4.conf.default.accept_redirects = 0
+
+
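Review bot: `net.ipv4.conf.default.accept_source_route = 0` has no `all` counterpart, while the `send_redirects`, `accept_redirects` and `log_martians` entries in this hunk set both `all` and `default`; as far as I recall the `default.*` keys only seed interfaces created after the setting is applied, so interfaces already up may keep their previous source-routing behaviour. Adding `net.ipv4.conf.all.accept_source_route = 0` keeps it consistent with the other entries. The `net.ipv4.conf.default.rp_filter = 0` line removes the kernel's reverse-path spoofing check for new interfaces; the comment explains the IPsec reason, but a line like `# disabling rp_filter removes reverse-path anti-spoofing; scope it to the IPsec interface if your setup allows` would make the trade-off visible to readers copying this file into /etc/sysctl.conf.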
diff -urN openswan-2.6.16.orig/doc/example-configs/xauth.conf openswan-2.6.16/doc/example-configs/xauth.conf
--- openswan-2.6.16.orig/doc/example-configs/xauth.conf 1969-12-31 19:00:00.000000000 -0500
+++ openswan-2.6.16/doc/example-configs/xauth.conf 2008-09-09 16:23:29.000000000 -0400
@@ -0,0 +1,34 @@
+conn xauthserver
+ #
+ left=1.2.3.4
+ leftcert=/etc/ipsec.d/certs/xauthserver.pem
+ leftxauthserver=yes
+ leftmodecfgserver=yes
+ #
+ right=%any
+ rightxauthclient=yes
+ rightmodecfgclient=yes
+ #
+ auto=add
+ rekey=yes
+ modecfgpull=yes
+ modecfgdns1=1.2.3.4
+ modecfgdns2=5.6.7.8
+ modecfgwins1=1.2.3.4
+ modecfgwins2=5.6.7.8
+
+conn xauthclient
+ #
+ left=1.2.3.4
+ leftxauthserver=yes
+ leftmodecfgserver=yes
+ #
+ right=%defaultroute
+ rightxauthclient=yes
+ rightmodecfgclient=yes
+ #
+ auto=add
+ # you probably can not rekey, it requires xauth password, and openswan does not
+ # cache it for you. Other clients might cache it and rekey to an openswan server
+ rekey=no
+ modecfgpull=yes
openswan-2.6.16-initscript-correction.patch:
--- NEW FILE openswan-2.6.16-initscript-correction.patch ---
diff -ur openswan-2.6.16.orig/programs/setup/setup.in openswan-2.6.16/programs/setup/setup.in
--- openswan-2.6.16.orig/programs/setup/setup.in 2008-09-09 16:22:47.000000000 -0400
+++ openswan-2.6.16/programs/setup/setup.in 2008-09-10 15:02:33.000000000 -0400
@@ -26,7 +26,7 @@
# times of NFS filesystem startup/shutdown). Startup is after startup of
# syslog and pcmcia support; shutdown is just before shutdown of syslog.
#
-# chkconfig: 2345 47 76
+# chkconfig: - 47 76
# description: IPsec provides encrypted and authenticated communications; \
# KLIPS is the kernel half of it, Pluto is the user-level management daemon.
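Review bot: The new `# chkconfig: - 47 76` line leaves the service enabled in no runlevel, but the comment block around it (the context lines about startup after syslog and pcmcia, which starts before the hunk) still reads as a description of automatic startup ordering, so someone reading the installed initscript would not see that the service now has to be enabled explicitly. A one-line addition next to it, `# Not enabled in any runlevel by default; enable with "chkconfig <service> on" after configuring /etc/ipsec.conf`, would carry the intent stated in the changelog ("prevent openswan service start by default") into the file itself. The start/stop priorities 47/76 are unchanged, so ordering relative to syslog is unaffected by this change.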