diff -ruN smeserver-libreswan-0.5.old/createlinks smeserver-libreswan-0.5/createlinks --- smeserver-libreswan-0.5.old/createlinks 2016-02-17 14:19:42.000000000 +0100 +++ smeserver-libreswan-0.5/createlinks 2016-03-22 18:26:42.624000613 +0100 @@ -12,6 +12,7 @@ /etc/ipsec.secrets /etc/ipsec.d/ipsec.conf /etc/ipsec.d/ipsec.secrets + /etc/rc.d/init.d/masq )) { templates2events("$_", qw( diff -ruN smeserver-libreswan-0.5.old/root/etc/e-smith/events/actions/ipsec-update smeserver-libreswan-0.5/root/etc/e-smith/events/actions/ipsec-update --- smeserver-libreswan-0.5.old/root/etc/e-smith/events/actions/ipsec-update 2016-02-17 14:19:42.000000000 +0100 +++ smeserver-libreswan-0.5/root/etc/e-smith/events/actions/ipsec-update 2016-03-22 18:26:42.623000615 +0100 @@ -43,7 +43,7 @@ if ( $configDB->get_prop( $dbKey, 'status' ) eq 'disabled' ) { # Do we check if it is already stopped ? - # For now we stop it regradless + # For now we stop it regardless print "Ipsec Information - ipsec disabled - Stopping ipsec \n"; 
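Review bot: Adding `/etc/rc.d/init.d/masq` to the templates2events list only re-expands the firewall template on those events; unless the same events also adjust or restart the masq service (not visible in this hunk), the POSTROUTING and ESP rules emitted by the 40AllowIPsec, 56AllowESP and 90adjustESP fragments will not be loaded until something else restarts the firewall. Worth confirming the event list also carries a masq service-adjust entry, or adding one alongside this line. The enclosing `for` loop and its event list start and end outside the hunk.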
@@ -264,16 +264,11 @@ or die("Ipsec Error - A problem occurred with sysctl: $?"); system("/sbin/sysctl -w net.ipv4.conf.default.send_redirects=0") == 0 or die("Ipsec Error - A problem occurred with sysctl: $?"); - - # I don;t beleive these are required - # system("/sbin/sysctl -w net.ipv4.conf.default.accept_redirects=0") == 0 - # or die("Ipsec Error - A problem occurred with sysctl: $?"); - # system("/sbin/sysctl -w net.ipv4.conf.all.accept_redirects=0") == 0 - # or die("Ipsec Error - A problem occurred with sysctl: $?"); - # system("/sbin/sysctl -w net.ipv4.conf.eth0.accept_redirects=0") == 0 - # or die("Ipsec Error - A problem occurred with sysctl: $?"); - # system("/sbin/sysctl -w net.ipv4.conf.eth1.accept_redirects=0") == 0 - # or die("Ipsec Error - A problem occurred with sysctl: $?"); + + system("/sbin/sysctl -w net.ipv4.conf.all.accept_redirects=0") == 0 + or die("Ipsec Error - A problem occurred with sysctl: $?"); + system("/sbin/sysctl -w net.ipv4.conf.default.accept_redirects=0") == 0 + or die("Ipsec Error - A problem occurred with sysctl: $?"); system("/sbin/sysctl -w net.ipv4.conf.default.rp_filter=0") == 0 or die("Ipsec Error - A problem occurred with sysctl: $?"); diff -ruN smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/ipsec.conf/10Setup smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/ipsec.conf/10Setup --- smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/ipsec.conf/10Setup 2016-02-17 14:19:42.000000000 +0100 +++ smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/ipsec.conf/10Setup 2016-03-22 18:26:42.624000613 +0100 @@ -30,7 +30,7 @@ $OUT .= " protostack=netkey\n"; $OUT .= " #plutodebug=none\n"; $OUT .= " #klipsdebug=none\n"; - $OUT .= " plutostderrlog=/var/log/pluto.log\n"; + $OUT .= " plutostderrlog=/var/log/pluto/pluto.log\n"; $OUT .= " dumpdir=/var/run/pluto/\n"; $OUT .= " nat_traversal=yes\n"; 
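Review bot: The `die` messages on the two new accept_redirects calls report `$?`, which is the raw wait status rather than the sysctl exit code; `$? >> 8` gives the value an operator can actually interpret, and the same applies to the neighbouring sysctl lines. A why-comment would also help a future maintainer, e.g. `# Refuse ICMP redirects so a peer cannot steer routing for tunnelled traffic`. This commit also adds a sysctl.conf template that is presumably meant to persist the same keys, so the runtime list here and the persisted file should be kept in step. The enclosing block starts and ends outside the hunk.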
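Review bot: Pointing `plutostderrlog` at `/var/log/pluto/pluto.log` assumes the `/var/log/pluto/` directory exists before pluto starts, and nothing in this diff creates it; unless the package spec or an action does so (not visible here), pluto will fail to open its stderr log. The matching logrotate template is updated, but its `missingok` would silently hide that failure. The surrounding template code starts outside the hunk.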
@@ -66,7 +66,7 @@ chop($virtual_private); $OUT .= "$virtual_private\n"; $OUT .= "\n"; - $OUT .= "include /etc/ipsec.d/*.conf\n"; + $OUT .= "include /etc/ipsec.d/ipsec.conf\n"; # End else } diff -ruN smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/logrotate.d/pluto/00pluto smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/logrotate.d/pluto/00pluto --- smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/logrotate.d/pluto/00pluto 2016-02-17 14:19:42.000000000 +0100 +++ smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/logrotate.d/pluto/00pluto 2016-03-22 18:26:42.623000615 +0100 @@ -1,4 +1,4 @@ -/var/log/pluto.log \{ +/var/log/pluto/pluto.log \{ missingok notifempty compress diff -ruN smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/rc.d/init.d/masq/40AllowIPsec smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/rc.d/init.d/masq/40AllowIPsec --- smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/rc.d/init.d/masq/40AllowIPsec 2016-03-22 18:26:25.223000613 +0100 +++ smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/rc.d/init.d/masq/40AllowIPsec 2016-03-22 18:26:42.624000613 +0100 
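Review bot: Narrowing `include /etc/ipsec.d/*.conf` to the single templated `ipsec.conf` silently stops loading any hand-placed connection files in `/etc/ipsec.d/`; if that is the intent, say so next to the line, e.g. `# Only the templated file is included; drop-in *.conf files in /etc/ipsec.d are deliberately ignored`. Otherwise an administrator who relied on the glob loses their tunnels without any error. The enclosing `else` block starts outside the hunk.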
@@ -1,9 +1,16 @@ +# Required PostRouting for VPN + { - my $ipsec_access = $ipsec{access} || ''; + my $ipsec_status = $ipsec{status} || ''; + +# print "Ipsec Information - 40AllowIpsec - $ipsec_status\n"; - if ( $ipsec_access eq 'public' ) { + if ( $ipsec_status eq 'enabled' ) { $OUT .= " # Do not NAT VPN traffic\n"; - $OUT .= -" /sbin/iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT\n"; + $OUT .= " /sbin/iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT\n"; + } + + else { + $OUT .= " # 40AllowIPsec VPN POSTROUTING disabled\n"; } } diff -ruN smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/rc.d/init.d/masq/56AllowESP smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/rc.d/init.d/masq/56AllowESP --- smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/rc.d/init.d/masq/56AllowESP 2016-03-22 18:26:25.223000613 +0100 +++ smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/rc.d/init.d/masq/56AllowESP 2016-03-22 18:26:42.623000615 +0100 
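Review bot: The gate changes from `$ipsec{access} eq 'public'` to `$ipsec{status} eq 'enabled'`, so the `access` property is no longer consulted here, nor in the 56AllowESP and 90adjustESP fragments changed in this commit; if `access` is still a settable property it should either still be honoured or be documented as obsolete in a comment, because enabling ipsec now opens these rules unconditionally. The commented-out debug `# print "Ipsec Information - 40AllowIpsec - $ipsec_status\n";` (and its twins in the other two fragments) should be dropped rather than shipped. Note that `# Required PostRouting for VPN` sits outside the braces, so it is emitted verbatim into the generated masq script; harmless as a shell comment, but it should be intentional.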
@@ -1,14 +1,18 @@ # based on /etc/e-smith/templates/etc/rc.d/init.d/masq/55AllowGRE { -my $ipsec_access = $ipsec{access} || ''; + my $ipsec_status = $ipsec{status} || ''; -if ($ipsec_access eq 'public') { +# print "Ipsec Information - 56AllowESP - $ipsec_status\n"; - $OUT .= " /sbin/iptables --new-chain esp-in\n"; - $OUT .= " /sbin/iptables --append INPUT -p ESP -j esp-in\n"; - $OUT .= " /sbin/iptables --append INPUT -p ESP -j denylog\n"; - $OUT .= " /sbin/iptables --append esp-in \! -d \$OUTERNET -j denylog\n"; - $OUT .= " /sbin/iptables --append esp-in -j denylog\n"; - } + if ( $ipsec_status eq 'enabled' ) { + $OUT .= " /sbin/iptables --new-chain esp-in\n"; + $OUT .= " /sbin/iptables --append INPUT -p ESP -j esp-in\n"; + $OUT .= " /sbin/iptables --append INPUT -p ESP -j denylog\n"; + $OUT .= " /sbin/iptables --append esp-in \! -d \$OUTERNET -j denylog\n"; + $OUT .= " /sbin/iptables --append esp-in -j denylog\n"; + } + else { + $OUT .= " # 56AllowESP disabled\n"; + } } diff -ruN smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustESP smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustESP --- smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustESP 2016-03-22 18:26:25.241000615 +0100 +++ smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustESP 2016-03-22 18:26:42.623000615 +0100 
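Review bot: `" /sbin/iptables --append esp-in \! -d \$OUTERNET -j denylog\n"` uses `\!` inside a double-quoted string, which is an unrecognised escape (it passes through as `!` but warns under `use warnings`), while the 90adjustESP fragment in this same commit writes the equivalent rule as plain `! -d \$OUTERNET`; use the unescaped `!` here for consistency. A one-line comment stating that `esp-in` is created with exactly two rules so that 90adjustESP can `--replace` rule 2 would document the ordering dependency between the two fragments.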
@@ -1,12 +1,16 @@ # based on /etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustGRE + { - my $ipsec_access = $ipsec{access} || ''; - my $ipsec_status = $ipsec{status}; - if ( $ipsec_access eq 'public' ) { - - my $target = ( $ipsec_status eq 'enabled' ) ? "ACCEPT" : "denylog"; + my $ipsec_status = $ipsec{status} || ''; + +# print "Ipsec Information - 90AdjustESP - $ipsec_status\n"; + if ( $ipsec_status eq 'enabled' ) { + my $target = ( $ipsec_status eq 'enabled' ) ? "ACCEPT" : "denylog"; $OUT .= " /sbin/iptables --replace esp-in 1 ! -d \$OUTERNET -j denylog\n"; $OUT .= " /sbin/iptables --replace esp-in 2 -j $target\n"; } + else { + $OUT .= " # 90adjustESP disabled\n"; + } } diff -ruN smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/sysctl.conf/z-ipsec-modifications smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/sysctl.conf/z-ipsec-modifications --- smeserver-libreswan-0.5.old/root/etc/e-smith/templates/etc/sysctl.conf/z-ipsec-modifications 1970-01-01 01:00:00.000000000 +0100 +++ smeserver-libreswan-0.5/root/etc/e-smith/templates/etc/sysctl.conf/z-ipsec-modifications 2016-03-22 18:26:42.624000613 +0100 @@ -0,0 +1,29 @@ +{ +# Set up sysctl.conf for ipsec +# need a check on release version as v8 needs +# net.core.xfrm_larval_drop = 1 +# $configDB->get_prop( 'sysconfig', 'ReleaseVersion' ) eq 'v8/v9' + +use strict; +use warnings; +use esmith::ConfigDB; + +my $configDB = esmith::ConfigDB->open or die("can't open Config DB"); + + if ( $configDB->get_prop( 'ipsec', 'status' ) eq 'enabled' ) { + + $OUT .= <
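Review bot: `my $target = ( $ipsec_status eq 'enabled' ) ? "ACCEPT" : "denylog";` now sits inside `if ( $ipsec_status eq 'enabled' )`, so it always evaluates to `"ACCEPT"` and the `denylog` arm is dead; write `$OUT .= " /sbin/iptables --replace esp-in 2 -j ACCEPT\n";` and drop `$target`. This fragment also relies on 56AllowESP having created `esp-in` with two rules under the same `status` check, and `--replace` will fail at masq start if that chain layout changes, so a short comment naming the dependency would help the next maintainer.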