Add strongswan (#1330)

SVN-Revision: 6429

package/strongswan/Makefile

@@ -0,0 +1,96 @@
+# 
+# Copyright (C) 2006 OpenWrt.org
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+# $Id: Makefile $
+
+include $(TOPDIR)/rules.mk
+include $(INCLUDE_DIR)/kernel.mk
+
+PKG_NAME:=strongswan
+PKG_VERSION:=2.8.2
+PKG_RELEASE:=1
+
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
+PKG_SOURCE_URL:=http://download.strongswan.org/
+PKG_MD5SUM:=57427f5b48123851a73b10d78dd4f8d6
+PKG_CAT:=bzcat
+
+PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
+PKG_INSTALL_DIR:=$(PKG_BUILD_DIR)/ipkg-install
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/strongswan/Default
+  TITLE:=strongSwan
+  DESCRIPTION:=\
+	strongSwan is an IPsec implementation for Linux.
+  URL:=http://www.strongswan.org/
+endef
+
+define Package/strongswan
+  $(call Package/strongswan/Default)
+  SECTION:=net
+  CATEGORY:=Network
+  DEPENDS:=+kmod-strongswan +libgmp @LINUX_2_4
+  TITLE+= (daemon)
+  DESCRIPTION+=\\\
+	\\\
+	This package contains the strongSwan user-land daemon.
+  URL:=http://www.strongswan.org/
+endef
+
+define KernelPackage/strongswan
+  SUBMENU:=Network Support
+  $(call Package/strongswan/Default)
+  TITLE+= (kernel module)
+  DESCRIPTION+=\\\
+	\\\
+	This package contains the strongSwan kernel module.
+  VERSION:=$(LINUX_VERSION)+$(PKG_VERSION)-$(BOARD)-$(PKG_RELEASE)
+  FILES:=$(PKG_BUILD_DIR)/linux/net/ipsec/ipsec.$(LINUX_KMOD_SUFFIX)
+  AUTOLOAD:=$(call AutoLoad,50,ipsec)
+endef
+
+PKG_MAKE_OPTS:= \
+		LINUX_RELEASE="$(LINUX_RELEASE)" \
+		KERNELSRC="$(LINUX_DIR)" \
+		ARCH="$(LINUX_KARCH)" \
+		CROSS_COMPILE="$(TARGET_CROSS)" \
+		USERCOMPILE="$(TARGET_CFLAGS) -I./linux/include -I$(STAGING_DIR)/usr/include -L$(STAGING_DIR)/usr/lib" \
+		IPSECDIR="/usr/lib/ipsec" \
+		INC_USRLOCAL="/usr" \
+
+define Build/Compile
+	$(MAKE) -C $(PKG_BUILD_DIR) \
+		$(TARGET_CONFIGURE_OPTS) \
+		$(PKG_MAKE_OPTS) \
+		LDFLAGS="-L$(STAGING_DIR)/usr/lib -L$(STAGING_DIR)/lib" \
+		DESTDIR="$(PKG_INSTALL_DIR)" \
+		programs module install
+endef
+
+define Package/strongswan/install
+	$(CP) $(PKG_INSTALL_DIR)/* $(1)
+	$(INSTALL_DIR) $(1)/etc/init.d
+	$(INSTALL_DIR) $(1)/etc/config
+	$(INSTALL_DIR) $(1)/etc/cron.tick
+	$(INSTALL_DIR) $(1)/etc/hotplug.d/iface
+	$(INSTALL_DIR) $(1)/etc/hotplug.d/button
+	$(INSTALL_BIN) ./files/ipsec.init   $(1)/etc/init.d/ipsec
+	$(INSTALL_BIN) ./files/ipsec.cron   $(1)/etc/cron.tick/ipsec-wakeup
+	$(INSTALL_BIN) ./files/ipsec.iface  $(1)/etc/hotplug.d/iface/65-ipsec
+	$(INSTALL_BIN) ./files/ipsec.button $(1)/etc/hotplug.d/button/65-ipsec
+	$(INSTALL_DATA) ./files/ipsec.config $(1)/etc/config/ipsec
+	$(INSTALL_DATA) ./files/ipsec.conf $(1)/etc/ipsec.conf
+	rm -rf $(1)/usr/share
+	rm -rf $(1)/usr/man
+	rm -rf $(1)/var
+	rm -rf $(1)/etc/rc.d
+	find $(1) -name \*.old | xargs rm -rf
+endef
+
+$(eval $(call BuildPackage,strongswan))
+$(eval $(call KernelPackage,strongswan))

package/strongswan/files/ipsec.button

@@ -0,0 +1,34 @@
+#!/bin/sh
+
+# snarf the code that loads the config values
+# since we also load the functions, might as well save the shell calls
+. /etc/init.d/ipsec
+
+[ -n "$IPSEC_RESET_BUTTON" -a "$BUTTON" = "$IPSEC_RESET_BUTTON" ] || exit
+
+if [ ! -e /var/run/pluto.pid ] ; then
+
+	[ "$ACTION" = "pressed" ] && start
+	
+else
+
+	if   [ "$ACTION" = "pressed"  ] ; then
+	
+		stop 
+		
+	elif [ "$ACTION" = "released" ] ; then
+
+		while [ -e /var/run/pluto.pid ] ; do
+			sleep 1
+		done
+
+		while ps auxww | grep ipsec | grep -v grep ; do
+			sleep 1
+		done
+
+		start
+		
+	fi
+	
+fi
+

package/strongswan/files/ipsec.conf

@@ -0,0 +1,34 @@
+
+version 2.0
+
+config setup
+        interfaces=%defaultroute
+        nat_traversal=yes		# required on both ends
+        uniqueids=yes			# makes sense on client, not server
+        hidetos=no
+
+conn %default
+        authby=rsasig
+        keyingtries=3
+        keyexchange=ike
+        left=%defaultroute
+        leftrsasigkey=%cert
+        rightrsasigkey=%cert
+        dpdtimeout=30			# keepalive must arrive within
+        dpddelay=5			# secs before keepalives start
+        compress=no			# breaks double nat installations
+        pfs=yes
+
+conn sample
+        leftca=%same
+        leftcert=my.certificate.crt
+        leftsourceip=192.168.10.1
+        leftsubnet=192.168.10.0/24
+        right=my.vpn.concentrator.net.
+        rightca=%same
+        rightid="C=??, ST=??, O=??, OU=??, CN=my.vpn.concentrator.net, [email protected]"
+        rightsourceip=192.168.11.1
+        rightsubnet=192.168.11.0/24
+        dpdaction=hold
+        auto=start
+

package/strongswan/files/ipsec.config

@@ -0,0 +1,21 @@
+
+# Configure button/light behavior here.
+config device
+	option reset_button	ses
+	option status_start	ses_orange
+	option status_valid	ses_white
+
+# iptables setup for traffic to/from this host
+config filter
+	option rule_in		input_rule
+	option dest_in		ACCEPT
+	option rule_out		output_rule
+	option dest_out		ACCEPT
+
+# iptables setup for traffic to/from another host
+config forward
+	option rule_in		forwarding_rule
+	option dest_in		forwarding_vpn_in
+	option rule_out		forwarding_rule
+	option dest_out		forwarding_vpn_out
+

package/strongswan/files/ipsec.cron

@@ -0,0 +1,2 @@
+#!/bin/sh
+/usr/sbin/ipsec wakeup

package/strongswan/files/ipsec.iface

@@ -0,0 +1,8 @@
+NAME=ipsec
+CTLFILE="/var/run/pluto.ctl"
+
+[ "$ACTION" = "ifup" -a "$INTERFACE" = "wan" ] || exit
+
+[ -e "$CTLFILE" ] || exit
+
+/etc/init.d/ipsec restart

package/strongswan/files/ipsec.init

@@ -0,0 +1,101 @@
+#!/bin/sh /etc/rc.common
+
+START=65
+
+config_cb() {
+	local cfg="$CONFIG_SECTION"
+	local cfgt
+	config_get cfgt "$cfg" TYPE
+
+	case "$cfgt" in
+		device)
+			config_get IPSEC_RESET_BUTTON		$cfg reset_button
+			config_get IPSEC_STATUS_LED_START	$cfg status_start
+			config_get IPSEC_STATUS_LED_VALID	$cfg status_valid
+			;;
+		filter)
+			config_get IPSEC_UPDOWN_RULE_IN		$cfg rule_in
+			config_get IPSEC_UPDOWN_DEST_IN		$cfg dest_in
+			config_get IPSEC_UPDOWN_RULE_OUT	$cfg rule_out
+			config_get IPSEC_UPDOWN_DEST_OUT	$cfg dest_out
+			;;
+		forward)
+			config_get IPSEC_UPDOWN_FWD_RULE_IN	$cfg rule_in
+			config_get IPSEC_UPDOWN_FWD_DEST_IN	$cfg dest_in
+			config_get IPSEC_UPDOWN_FWD_RULE_OUT	$cfg rule_out
+			config_get IPSEC_UPDOWN_FWD_DEST_OUT	$cfg dest_out
+			;;
+		*)
+			;;
+	esac
+}
+
+config_load ipsec
+
+export IPSEC_RESET_BUTTON
+export IPSEC_STATUS_LED_START
+export IPSEC_STATUS_LED_VALID
+
+export IPSEC_UPDOWN_RULE_IN
+export IPSEC_UPDOWN_DEST_IN
+export IPSEC_UPDOWN_RULE_OUT
+export IPSEC_UPDOWN_DEST_OUT
+
+export IPSEC_UPDOWN_FWD_RULE_IN
+export IPSEC_UPDOWN_FWD_DEST_IN
+export IPSEC_UPDOWN_FWD_RULE_OUT
+export IPSEC_UPDOWN_FWD_DEST_OUT
+
+
+start() {
+
+	[ -f /etc/ipsec.conf      ] || exit
+	[ -e /var/run/starter.pid ] && exit
+
+	/usr/sbin/ipsec _showstatus start
+	
+	# stuff the dnsmasq cache in case dns is on our own subnet
+	for peer in `grep left= /etc/ipsec.conf | \
+				cut -f 1 -d% | cut -f 2 -d=` ; do
+		ping -c 1 $peer > /dev/null 2>&1
+	done
+	
+	/usr/sbin/ipsec start || exit
+	
+	# work around broken routing behavior:
+	# a route to the local wan segment will appear
+	# the need was removed in the patched _updown script
+
+	while ! route -n | grep -q ipsec ; do sleep 1 ; done
+
+	defint=`route -n | awk '/^0.0.0.0/{print $8}'`
+	defnet=`route -n | grep $defint | awk  '!/^0.0.0.0/{print $1}'`
+	dnmask=`route -n | grep $defint | awk  '!/^0.0.0.0/{print $3}'`
+	tundev=`route -n | grep $defnet | awk '/ipsec/{print $8}'`
+	
+	route del -net $defnet netmask $dnmask dev $tundev
+}
+
+
+stop() {
+
+	/usr/sbin/ipsec stop 2> /dev/null
+
+	# wait until the shutdown actually happens
+	while [ -e /var/run/starter.pid ] ; do
+		if [ -d /proc/`cat /var/run/starter.pid` ] ; then
+			sleep 1
+		else
+			rm /var/run/starter.pid
+		fi
+	done
+
+	# kill any lingering processes
+	while ps auxww | grep -q ipsec | grep -v init.d; do
+		kill `ps auxww | grep -v init.d | awk '/\/ipsec\//{print $1}'` 2> /dev/null
+		sleep 1
+	done
+
+ 	ipsec _showstatus stop
+}
+

package/strongswan/patches/100-ar-fixes.patch

@@ -0,0 +1,76 @@
+diff -ruN strongswan-2.8.1-orig/lib/libcrypto/libaes/Makefile strongswan-2.8.1/lib/libcrypto/libaes/Makefile
+--- strongswan-2.8.1-orig/lib/libcrypto/libaes/Makefile	2004-03-22 16:53:16.000000000 -0500
++++ strongswan-2.8.1/lib/libcrypto/libaes/Makefile	2007-01-17 00:48:52.260789653 -0500
+@@ -25,10 +25,8 @@
+ 
+ $(BLIB): $(LIBOBJ)
+ 	/bin/rm -f $(BLIB)
+-	ar cr $(BLIB) $(LIBOBJ)
+-	-if test -s /bin/ranlib; then /bin/ranlib $(BLIB); \
+-	else if test -s /usr/bin/ranlib; then /usr/bin/ranlib $(BLIB); \
+-	else exit 0; fi; fi
++	$(AR) cr $(BLIB) $(LIBOBJ)
++	$(RANLIB) $(BLIB)
+ 
+ testx: test_main_mac.o $(BLIB)
+ 	$(CC) -o $@ $^ 
+diff -ruN strongswan-2.8.1-orig/lib/libcrypto/libblowfish/Makefile strongswan-2.8.1/lib/libcrypto/libblowfish/Makefile
+--- strongswan-2.8.1-orig/lib/libcrypto/libblowfish/Makefile	2004-03-22 16:53:16.000000000 -0500
++++ strongswan-2.8.1/lib/libcrypto/libblowfish/Makefile	2007-01-17 01:40:41.716879761 -0500
+@@ -58,7 +58,7 @@
+ lib:	$(LIB)
+ 
+ $(LIB):	$(LIBOBJ)
+-	$(AR) $(LIB) $(LIBOBJ)
++	$(AR) -r $(LIB) $(LIBOBJ)
+ 	$(RANLIB) $(LIB)
+ 
+ # elf
+diff -ruN strongswan-2.8.1-orig/lib/libcrypto/libserpent/Makefile strongswan-2.8.1/lib/libcrypto/libserpent/Makefile
+--- strongswan-2.8.1-orig/lib/libcrypto/libserpent/Makefile	2004-03-22 16:53:16.000000000 -0500
++++ strongswan-2.8.1/lib/libcrypto/libserpent/Makefile	2007-01-17 00:50:37.692571031 -0500
+@@ -8,10 +8,8 @@
+ 
+ $(BLIB): $(LIBOBJ)
+ 	/bin/rm -f $(BLIB)
+-	ar cr $(BLIB) $(LIBOBJ)
+-	-if test -s /bin/ranlib; then /bin/ranlib $(BLIB); \
+-	else if test -s /usr/bin/ranlib; then /usr/bin/ranlib $(BLIB); \
+-	else exit 0; fi; fi
++	$(AR) cr $(BLIB) $(LIBOBJ)
++	$(RANLIB) $(BLIB)
+ 
+ test: test_main.o $(BLIB)
+ 	$(CC) -o $@ $^ 
+diff -ruN strongswan-2.8.1-orig/lib/libcrypto/libsha2/Makefile strongswan-2.8.1/lib/libcrypto/libsha2/Makefile
+--- strongswan-2.8.1-orig/lib/libcrypto/libsha2/Makefile	2004-03-22 16:53:16.000000000 -0500
++++ strongswan-2.8.1/lib/libcrypto/libsha2/Makefile	2007-01-17 00:50:46.050791555 -0500
+@@ -9,10 +9,8 @@
+ 
+ $(BLIB): $(LIBOBJ)
+ 	/bin/rm -f $(BLIB)
+-	ar cr $(BLIB) $(LIBOBJ)
+-	-if test -s /bin/ranlib; then /bin/ranlib $(BLIB); \
+-	else if test -s /usr/bin/ranlib; then /usr/bin/ranlib $(BLIB); \
+-	else exit 0; fi; fi
++	$(AR) cr $(BLIB) $(LIBOBJ)
++	$(RANLIB) $(BLIB)
+ 
+ test: test_main.o $(BLIB)
+ 	$(CC) -o $@ $^ 
+diff -ruN strongswan-2.8.1-orig/lib/libcrypto/libtwofish/Makefile strongswan-2.8.1/lib/libcrypto/libtwofish/Makefile
+--- strongswan-2.8.1-orig/lib/libcrypto/libtwofish/Makefile	2004-03-22 16:53:17.000000000 -0500
++++ strongswan-2.8.1/lib/libcrypto/libtwofish/Makefile	2007-01-17 00:50:53.533988997 -0500
+@@ -9,10 +9,8 @@
+ 
+ $(BLIB): $(LIBOBJ)
+ 	/bin/rm -f $(BLIB)
+-	ar cr $(BLIB) $(LIBOBJ)
+-	-if test -s /bin/ranlib; then /bin/ranlib $(BLIB); \
+-	else if test -s /usr/bin/ranlib; then /usr/bin/ranlib $(BLIB); \
+-	else exit 0; fi; fi
++	$(AR) cr $(BLIB) $(LIBOBJ)
++	$(RANLIB) $(BLIB)
+ 
+ test: test_main.o $(BLIB)
+ 	$(CC) -o $@ $^ 

package/strongswan/patches/110-make-ipsec.patch

@@ -0,0 +1,10 @@
+diff -ruN strongswan-2.8.1-orig/programs/ipsec/Makefile strongswan-2.8.1/programs/ipsec/Makefile
+--- strongswan-2.8.1-orig/programs/ipsec/Makefile	2006-02-10 06:27:31.000000000 -0500
++++ strongswan-2.8.1/programs/ipsec/Makefile	2007-01-17 02:46:06.027124968 -0500
+@@ -24,5 +24,5 @@
+ include ../Makefile.program
+ 
+ install:: ipsec
+-	@$(INSTALL) $(INSTBINFLAGS) ipsec $(RCDIR)/ipsec
++	@$(INSTALL) $(INSTBINFLAGS) -D ipsec $(RCDIR)/ipsec
+ 

package/strongswan/patches/120-make-pluto.patch

@@ -0,0 +1,12 @@
+diff -ruN strongswan-2.8.1-orig/programs/pluto/alg/Makefile strongswan-2.8.1/programs/pluto/alg/Makefile
+--- strongswan-2.8.1-orig/programs/pluto/alg/Makefile	2004-06-23 00:45:20.000000000 -0400
++++ strongswan-2.8.1/programs/pluto/alg/Makefile	2007-01-17 00:19:58.249033414 -0500
+@@ -20,7 +20,7 @@
+ include Config.ike_alg
+ 
+ LIBCRYPTO:=../../../lib/libcrypto
+-ALLFLAGS=$(CPPFLAGS) $(CFLAGS) -I .. -I-  -I ../../../linux/include -I $(LIBCRYPTO)
++ALLFLAGS=$(CPPFLAGS) $(CFLAGS) -I .. -I-  -I ../../../linux/include -I $(LIBCRYPTO) $(USERCOMPILE)
+ LIBALG := libalg.o
+ 
+ all : $(LIBALG)

package/strongswan/patches/130-make-starter.patch

@@ -0,0 +1,20 @@
+diff -ruN strongswan-2.8.1-orig/programs/starter/Makefile strongswan-2.8.1/programs/starter/Makefile
+--- strongswan-2.8.1-orig/programs/starter/Makefile	2006-02-17 14:34:02.000000000 -0500
++++ strongswan-2.8.1/programs/starter/Makefile	2007-01-17 16:15:30.740490094 -0500
+@@ -16,7 +16,6 @@
+ FREESWANSRCDIR?=$(shell cd ../..; pwd)
+ include ${FREESWANSRCDIR}/Makefile.inc
+ 
+-LD=$(CC)
+ RM=rm
+ LEX=flex
+ BISON=bison
+@@ -59,7 +58,7 @@
+ all:	starter
+ 
+ starter:	$(OBJS) $(FREESWANLIB)
+-		$(LD) $(LDFLAGS) -o starter $(OBJS) $(LIBS)
++		$(CC) $(LDFLAGS) -o starter $(OBJS) $(LIBS)
+ 
+ lex.yy.c:	parser.tab.c parser.l parser.y parser.h
+ 		$(LEX) parser.l

package/strongswan/patches/200-wakeup-showstatus.patch

@@ -0,0 +1,227 @@
+diff -ruN strongswan-2.8.2-orig/programs/Makefile strongswan-2.8.2/programs/Makefile
+--- strongswan-2.8.2-orig/programs/Makefile	2006-08-28 07:12:36.000000000 -0400
++++ strongswan-2.8.2/programs/Makefile	2007-02-05 00:27:47.214280563 -0500
+@@ -22,7 +22,7 @@
+ SUBDIRS+=_realsetup _secretcensor _startklips _updown _updown_espmark
+ SUBDIRS+=auto barf ipsec look manual ranbits secrets starter
+ SUBDIRS+=rsasigkey send-pr setup showdefaults showhostkey calcgoo mailkey
+-SUBDIRS+=ikeping examples openac scepclient
++SUBDIRS+=ikeping examples openac scepclient _showstatus wakeup
+ 
+ ifeq ($(USE_LWRES),true)
+ SUBDIRS+=lwdnsq
+diff -ruN strongswan-2.8.2-orig/programs/_showstatus/Makefile strongswan-2.8.2/programs/_showstatus/Makefile
+--- strongswan-2.8.2-orig/programs/_showstatus/Makefile	1969-12-31 19:00:00.000000000 -0500
++++ strongswan-2.8.2/programs/_showstatus/Makefile	2007-02-05 00:31:11.380714322 -0500
+@@ -0,0 +1,22 @@
++# Makefile for miscelaneous programs
++# Copyright (C) 2002  Michael Richardson	<[email protected]>
++# 
++# This program is free software; you can redistribute it and/or modify it
++# under the terms of the GNU General Public License as published by the
++# Free Software Foundation; either version 2 of the License, or (at your
++# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
++# 
++# This program is distributed in the hope that it will be useful, but
++# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
++# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
++# for more details.
++#
++# RCSID $Id: Makefile,v 1.3 2006/04/17 06:48:49 as Exp $
++
++FREESWANSRCDIR=../..
++include ${FREESWANSRCDIR}/Makefile.inc
++
++PROGRAM=_showstatus
++PROGRAMDIR=${LIBDIR}
++
++include ../Makefile.program
+diff -ruN strongswan-2.8.2-orig/programs/_showstatus/_showstatus.8 strongswan-2.8.2/programs/_showstatus/_showstatus.8
+--- strongswan-2.8.2-orig/programs/_showstatus/_showstatus.8	1969-12-31 19:00:00.000000000 -0500
++++ strongswan-2.8.2/programs/_showstatus/_showstatus.8	2007-02-05 00:36:00.650410824 -0500
+@@ -0,0 +1,23 @@
++.TH _showstatus 8 "03 Feb 2007"
++.\"
++.\" RCSID $Id: _showstatus.8
++.\"
++.SH NAME
++ipsec _showstatus \- give state feedback via led or other method
++.SH SYNOPSIS
++.I _showstatus
++is invoked by _updown to trigger led's, or other distribution
++or platform specific behavior. Presently, the SES button is
++supported as a status light on OpenWRT platforms. The button
++is configurable by environment variable:
++-B IPSEC_STATUS_LED_START
++defaults to ses_orange, and
++-B IPSEC_STATUS_LED_VALID
++defaults to ses_white.
++.SH "SEE ALSO"
++ipsec(8), ipsec_updown(8).
++.SH HISTORY
++Man page written for the Linux strongSwan project <http://www.strongswan.org/>
++by Kevin Cody Jr. Original manpage for _updown by Michael Richardson.
++Original program written by Henry Spencer. Extended for the Linux strongSwan
++project <http://www.strongswan.org/> by Andreas Steffen.
+diff -ruN strongswan-2.8.2-orig/programs/_showstatus/_showstatus.in strongswan-2.8.2/programs/_showstatus/_showstatus.in
+--- strongswan-2.8.2-orig/programs/_showstatus/_showstatus.in	1969-12-31 19:00:00.000000000 -0500
++++ strongswan-2.8.2/programs/_showstatus/_showstatus.in	2007-02-05 00:55:56.563116192 -0500
+@@ -0,0 +1,70 @@
++#! /bin/sh
++#
++# Copyright (C) 2007 Kevin Cody Jr. <[email protected]>
++# 
++# This program is free software; you can redistribute it and/or modify it
++# under the terms of the GNU General Public License as published by the
++# Free Software Foundation; either version 2 of the License, or (at your
++# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
++# 
++# This program is distributed in the hope that it will be useful, but
++# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
++# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
++# for more details.
++#
++# RCSID $Id: _showstatus.in
++
++
++LED_START=$IPSEC_STATUS_LED_START
++LED_VALID=$IPSEC_STATUS_LED_VALID
++
++[ -z "$LED_START" ] && LED_START="ses_orange"
++[ -z "$LED_VALID" ] && LED_VALID="ses_white"
++
++
++setled() {
++	led=$1
++	st=$2
++
++	[ -n "$led" -a -n "$st" ] || return
++	
++	if [ -w "/proc/diag/led/$led" ] ; then
++		echo "$st" > "/proc/diag/led/$led"
++	fi
++
++	# integrate other led control methods here
++
++}
++
++
++case "$1" in
++	'start')
++		[ -n "$LED_VALID" ] && setled "$LED_START" 1
++		[ -z "$LED_VALID" ] && setled "$LED_START" f
++		setled "$LED_VALID" 0
++		;;
++	'stop')
++		setled "$LED_START" 0
++		setled "$LED_VALID" 0
++		;;
++	'valid')
++		setled "$LED_VALID" 1
++		;;
++	'invalid')
++		setled "$LED_VALID" 0
++		;;
++	'up')
++		[ -n "$LED_VALID" ] && setled "$LED_START" 0
++		[ -z "$LED_VALID" ] && setled "$LED_START" 1
++		setled "$LED_VALID" 1
++		;;
++	'down')
++		[ -n "$LED_VALID" ] && setled "$LED_START" 1
++		[ -z "$LED_VALID" ] && setled "$LED_START" f
++		setled "$LED_VALID" f
++		;;
++	*)
++		echo "$0: unknown status $status" >&2
++		;;
++esac
++
+diff -ruN strongswan-2.8.2-orig/programs/wakeup/Makefile strongswan-2.8.2/programs/wakeup/Makefile
+--- strongswan-2.8.2-orig/programs/wakeup/Makefile	1969-12-31 19:00:00.000000000 -0500
++++ strongswan-2.8.2/programs/wakeup/Makefile	2007-02-05 00:28:03.960726309 -0500
+@@ -0,0 +1,22 @@
++# Makefile for miscelaneous programs
++# Copyright (C) 2002  Michael Richardson	<[email protected]>
++# 
++# This program is free software; you can redistribute it and/or modify it
++# under the terms of the GNU General Public License as published by the
++# Free Software Foundation; either version 2 of the License, or (at your
++# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
++# 
++# This program is distributed in the hope that it will be useful, but
++# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
++# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
++# for more details.
++#
++# RCSID $Id: Makefile,v 1.3 2006/04/17 06:48:49 as Exp $
++
++FREESWANSRCDIR=../..
++include ${FREESWANSRCDIR}/Makefile.inc
++
++PROGRAM=wakeup
++PROGRAMDIR=${LIBDIR}
++
++include ../Makefile.program
+diff -ruN strongswan-2.8.2-orig/programs/wakeup/wakeup.8 strongswan-2.8.2/programs/wakeup/wakeup.8
+--- strongswan-2.8.2-orig/programs/wakeup/wakeup.8	1969-12-31 19:00:00.000000000 -0500
++++ strongswan-2.8.2/programs/wakeup/wakeup.8	2007-02-05 00:36:34.029298760 -0500
+@@ -0,0 +1,16 @@
++.TH wakeup 8 "03 Feb 2007"
++.\"
++.\" RCSID $Id: wakeup.8
++.\"
++.SH NAME
++ipsec wakeup \- stalled and down connection detection
++.SH SYNOPSIS
++.I wakeup
++is invoked by cron and checks ipsec status, whacking as necessary.
++.SH "SEE ALSO"
++ipsec(8), ipsec_whack(8).
++.SH HISTORY
++Man page written for the Linux strongSwan project <http://www.strongswan.org/>
++by Kevin Cody Jr. Original manpage for _updown by Michael Richardson.
++Original program written by Henry Spencer. Extended for the Linux strongSwan
++project <http://www.strongswan.org/> by Andreas Steffen.
+diff -ruN strongswan-2.8.2-orig/programs/wakeup/wakeup.in strongswan-2.8.2/programs/wakeup/wakeup.in
+--- strongswan-2.8.2-orig/programs/wakeup/wakeup.in	1969-12-31 19:00:00.000000000 -0500
++++ strongswan-2.8.2/programs/wakeup/wakeup.in	2007-02-05 00:28:03.961726336 -0500
+@@ -0,0 +1,38 @@
++#! /bin/sh
++# wakeup script
++#
++# Copyright (C) 2007 Kevin Cody Jr. <[email protected]>
++# 
++# This program is free software; you can redistribute it and/or modify it
++# under the terms of the GNU General Public License as published by the
++# Free Software Foundation; either version 2 of the License, or (at your
++# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
++# 
++# This program is distributed in the hope that it will be useful, but
++# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
++# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
++# for more details.
++#
++
++# only applicable when ipsec is running
++[ -e /var/run/pluto.pid ] || exit
++
++# loop through any erouted tunnels in the HOLD state
++for f in  `ipsec status | awk '/erouted HOLD/{ print $2 }' | cut -f1 -d\: | cut -f2 -d\"` ; do
++
++        # only whack if no pending events at all exists
++        ipsec status | grep STATE | grep -q $f ||
++                ipsec whack --name $f --initiate --asynchronous
++
++done
++
++# loop through any tunnels that don't quite exist
++for f in `ipsec status | awk '/prospective erouted/{ print $2 }' | cut -f1 -d: | grep -v \# | cut -f2 -d\"` ; do
++
++        ipsec status | grep STATE_QUICK | grep -q $f || {
++                ipsec status | grep STATE_MAIN | grep -q $f && ipsec down $f
++                ipsec up $f
++        }
++
++done
++

package/strongswan/patches/210-updown.patch

@@ -0,0 +1,660 @@
+diff -ruN strongswan-2.8.2-orig/programs/_updown/_updown.8 strongswan-2.8.2/programs/_updown/_updown.8
+--- strongswan-2.8.2-orig/programs/_updown/_updown.8	2006-04-17 02:48:49.000000000 -0400
++++ strongswan-2.8.2/programs/_updown/_updown.8	2007-02-05 02:13:05.252612099 -0500
+@@ -8,8 +8,23 @@
+ .I _updown
+ is invoked by pluto when it has brought up a new connection. This script
+ is used to insert the appropriate routing entries for IPsec operation.
+-It can also be used to insert and delete dynamic iptables firewall rules.
+-The interface to the script is documented in the pluto man page.
++It also inserts and deletes dynamic iptables firewall rules. IMPORTANT!
++By default, it will ACCEPT as appropriate on the INPUT, OUTPUT, FORWARD
++tables. Most distributions will want to change that to provide more
++flexibility in their firewall configuration.
++The script looks for the environment variables
++.B IPSEC_UPDOWN_RULE_IN
++for the iptables table it should insert into,
++.B IPSEC_UPDOWN_DEST_IN
++for where the rule should -j jump to,
++.B IPSEC_UPDOWN_RULE_OUT
++.B IPSEC_UPDOWN_DEST_OUT
++for the same on outgoing packets, and
++.B IPSEC_UPDOWN_FWD_RULE_IN
++.B IPSEC_UPDOWN_FWD_DEST_IN
++.B IPSEC_UPDOWN_FWD_RULE_OUT
++.B IPSEC_UPDOWN_FWD_DEST_OUT
++respectively for packets being forwarded to/from the local networks.
+ .SH "SEE ALSO"
+ ipsec(8), ipsec_pluto(8).
+ .SH HISTORY
+diff -ruN strongswan-2.8.2-orig/programs/_updown/_updown.in strongswan-2.8.2/programs/_updown/_updown.in
+--- strongswan-2.8.2-orig/programs/_updown/_updown.in	2006-04-17 11:06:29.000000000 -0400
++++ strongswan-2.8.2/programs/_updown/_updown.in	2007-02-05 02:08:24.969100428 -0500
+@@ -5,6 +5,7 @@
+ # Copyright (C) 2003-2004 Tuomo Soini
+ # Copyright (C) 2002-2004 Michael Richardson
+ # Copyright (C) 2005-2006 Andreas Steffen <[email protected]>
++# Copyright (C) 2007 Kevin Cody Jr <[email protected]>
+ # 
+ # This program is free software; you can redistribute it and/or modify it
+ # under the terms of the GNU General Public License as published by the
+@@ -118,20 +119,61 @@
+ #              restricted on the peer side.
+ #
+ 
+-# uncomment to log VPN connections
+-VPN_LOGGING=1
+-#
++# set to /bin/true to silence log messages
++LOGGER=logger
++
+ # tag put in front of each log entry:
+ TAG=vpn
+-#
++
+ # syslog facility and priority used:
+-FAC_PRIO=local0.notice
+-#
+-# to create a special vpn logging file, put the following line into
+-# the syslog configuration file /etc/syslog.conf:
+-#
+-# local0.notice                   -/var/log/vpn
+-#
++FAC_PRIO=authpriv.info
++
++
++# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY 
++if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ] ; then
++	IPSEC_POLICY_IN=""
++	IPSEC_POLICY_OUT=""
++else
++	IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
++	IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
++	IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
++fi
++
++# are there port numbers?
++if [ "$PLUTO_MY_PORT" != 0 ] ; then
++	S_MY_PORT="--sport $PLUTO_MY_PORT"
++	D_MY_PORT="--dport $PLUTO_MY_PORT"
++fi
++
++if [ "$PLUTO_PEER_PORT" != 0 ] ; then
++	S_PEER_PORT="--sport $PLUTO_PEER_PORT"
++	D_PEER_PORT="--dport $PLUTO_PEER_PORT"
++fi
++
++# import firewall behavior
++IPT_RULE_IN=$IPSEC_UPDOWN_RULE_IN
++IPT_DEST_IN=$IPSEC_UPDOWN_DEST_IN
++IPT_RULE_OUT=$IPSEC_UPDOWN_RULE_OUT
++IPT_DEST_OUT=$IPSEC_UPDOWN_DEST_OUT
++
++# import forwarding behavior
++FWD_RULE_IN=$IPSEC_UPDOWN_FWD_RULE_IN
++FWD_DEST_IN=$IPSEC_UPDOWN_FWD_DEST_IN
++FWD_RULE_OUT=$IPSEC_UPDOWN_FWD_RULE_OUT
++FWD_DEST_OUT=$IPSEC_UPDOWN_FWD_DEST_OUT
++
++# default firewall behavior
++[ -z "$IPT_RULE_IN"  ] && IPT_RULE_IN=INPUT
++[ -z "$IPT_DEST_IN"  ] && IPT_DEST_IN=ACCEPT
++[ -z "$IPT_RULE_OUT" ] && IPT_RULE_OUT=OUTPUT
++[ -z "$IPT_DEST_OUT" ] && IPT_DEST_OUT=ACCEPT
++
++# default forwarding behavior
++[ -z "$FWD_RULE_IN"  ] && FWD_RULE_IN=FORWARD
++[ -z "$FWD_DEST_IN"  ] && FWD_DEST_IN=ACCEPT
++[ -z "$FWD_RULE_OUT" ] && FWD_RULE_OUT=FORWARD
++[ -z "$FWD_DEST_OUT" ] && FWD_DEST_OUT=ACCEPT
++
+ 
+ # check interface version
+ case "$PLUTO_VERSION" in
+@@ -150,8 +192,6 @@
+ case "$1:$*" in
+ ':')			# no parameters
+ 	;;
+-iptables:iptables)	# due to (left/right)firewall; for default script only
+-	;;
+ custom:*)		# custom parameters (see above CAUTION comment)
+ 	;;
+ *)	echo "$0: unknown parameters \`$*'" >&2
+@@ -159,345 +199,307 @@
+ 	;;
+ esac
+ 
++
+ # utility functions for route manipulation
+ # Meddling with this stuff should not be necessary and requires great care.
++
+ uproute() {
+ 	doroute add
+ 	ip route flush cache
+ }
++
+ downroute() {
+ 	doroute delete
+ 	ip route flush cache
+ }
+ 
++upfirewall() {
++	in_rule=$1
++	in_dest=$2
++	out_rule=$3
++	out_dest=$4
++
++	[ -n "$in_rule" -a -n "$in_dest" ] &&		\
++	iptables -I $in_rule 1				\
++		-i $PLUTO_INTERFACE			\
++		-p $PLUTO_MY_PROTOCOL			\
++		-s $PLUTO_PEER_CLIENT	$S_PEER_PORT	\
++		-d $PLUTO_MY_CLIENT	$D_MY_PORT	\
++		$IPSEC_POLICY_IN			\
++		-j $in_dest
++
++	[ -n "$out_rule" -a -n "$out_dest" ] &&		\
++	iptables -I $out_rule 1				\
++		-o $PLUTO_INTERFACE			\
++		-p $PLUTO_PEER_PROTOCOL			\
++		-s $PLUTO_MY_CLIENT	$S_MY_PORT	\
++		-d $PLUTO_PEER_CLIENT	$D_PEER_PORT	\
++		$IPSEC_POLICY_OUT			\
++		-j $out_dest
++
++}
++
++downfirewall() {
++	in_rule=$1
++	in_dest=$2
++	out_rule=$3
++	out_dest=$4
++
++	[ -n "$in_rule" -a -n "$in_dest" ] &&		\
++	iptables -D $in_rule				\
++		-i $PLUTO_INTERFACE			\
++		-p $PLUTO_MY_PROTOCOL			\
++		-s $PLUTO_PEER_CLIENT	$S_PEER_PORT	\
++		-d $PLUTO_MY_CLIENT	$D_MY_PORT	\
++		$IPSEC_POLICY_IN			\
++		-j $in_dest
++
++	[ -n "$out_rule" -a -n "$out_dest" ] &&		\
++	iptables -D $out_rule				\
++		-o $PLUTO_INTERFACE			\
++		-p $PLUTO_PEER_PROTOCOL			\
++		-s $PLUTO_MY_CLIENT	$S_MY_PORT	\
++		-d $PLUTO_PEER_CLIENT	$D_PEER_PORT	\
++		$IPSEC_POLICY_OUT			\
++		-j $out_dest
++
++}
++
+ addsource() {
+ 	st=0
+-	if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
+-	then
++
++	if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local ; then
++
+ 	    it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
+ 	    oops="`eval $it 2>&1`"
+ 	    st=$?
+-	    if test " $oops" = " " -a " $st" != " 0"
+-	    then
++
++	    if [ " $oops"  = " " -a " $st" != " 0" ] ; then
+ 		oops="silent error, exit status $st"
+ 	    fi
+-	    if test " $oops" != " " -o " $st" != " 0"
+-	    then
++
++	    if [ " $oops" != " " -o " $st" != " 0" ] ; then
+ 		echo "$0: addsource \`$it' failed ($oops)" >&2
+ 	    fi
+ 	fi
++
+ 	return $st
+ }
+ 
+ doroute() {
+ 	st=0
+ 	parms="$PLUTO_PEER_CLIENT"
++	parms2="dev $PLUTO_INTERFACE"
+ 
+-	parms2=
+-	if [ -n "$PLUTO_NEXT_HOP" ]
+-	then
+-	   parms2="via $PLUTO_NEXT_HOP"
+-	fi
+-	parms2="$parms2 dev $PLUTO_INTERFACE"
+-
+-	if [ -z "$PLUTO_MY_SOURCEIP" ]
+-	then
+-	    if [ -f /etc/sysconfig/defaultsource ]
+-	    then
+-		. /etc/sysconfig/defaultsource
+-	    fi
++	if [ -z "$PLUTO_MY_SOURCEIP" ] ; then
+ 
+-	    if [ -f /etc/conf.d/defaultsource ]
+-	    then
+-		. /etc/conf.d/defaultsource
+-	    fi
++		[ -f /etc/sysconfig/defaultsource ] && \
++			. /etc/sysconfig/defaultsource
++
++		[ -f /etc/conf.d/defaultsource ] && \
++			. /etc/conf.d/defaultsource
++
++	    	[ -n "$DEFAULTSOURCE" ]	&& \
++			PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
+ 
+-	    if [ -n "$DEFAULTSOURCE" ]
+-	    then
+-		PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
+-	    fi
+         fi
+ 
+ 	parms3=
+-	if test "$1" = "add" -a -n "$PLUTO_MY_SOURCEIP"
+-	then
++	if [ "$1" = "add" -a -n "$PLUTO_MY_SOURCEIP" ] ; then
+ 	    addsource
+ 	    parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*}"
+ 	fi
+ 
+-	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+-	"0.0.0.0/0.0.0.0")
++	if [ "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" = \
++						"0.0.0.0/0.0.0.0" ] ; then
+ 		# opportunistic encryption work around
+ 		# need to provide route that eclipses default, without 
+ 		# replacing it.
+-		it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
+-			ip route $1 128.0.0.0/1 $parms2 $parms3"
+-		;;
+-	*)	it="ip route $1 $parms $parms2 $parms3"
+-		;;
+-	esac
++		it="ip route $1   0.0.0.0/1 $parms2 $parms3 &&
++		    ip route $1 128.0.0.0/1 $parms2 $parms3"
++	else
++		it="ip route $1 $parms $parms2 $parms3"
++	fi
++
+ 	oops="`eval $it 2>&1`"
+ 	st=$?
+-	if test " $oops" = " " -a " $st" != " 0"
+-	then
+-	    oops="silent error, exit status $st"
+-	fi
+-	if test " $oops" != " " -o " $st" != " 0"
+-	then
+-	    echo "$0: doroute \`$it' failed ($oops)" >&2
++
++	if [ " $oops" = " " -a " $st" != " 0" ] ; then
++		oops="silent error, exit status $st"
+ 	fi
++
++	if [ " $oops" != " " -o " $st" != " 0" ] ; then
++		echo "$0: doroute \`$it' failed ($oops)" >&2
++	fi
++
+ 	return $st
+ }
+- 
+-# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY 
+-if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
+-then
+-	IPSEC_POLICY_IN=""
+-	IPSEC_POLICY_OUT=""
+-else
+-	IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
+-	IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
+-	IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
+-fi
+ 
+-# are there port numbers?
+-if [ "$PLUTO_MY_PORT" != 0 ]
+-then
+-	S_MY_PORT="--sport $PLUTO_MY_PORT"
+-	D_MY_PORT="--dport $PLUTO_MY_PORT"
+-fi
+-if [ "$PLUTO_PEER_PORT" != 0 ]
+-then
+-	S_PEER_PORT="--sport $PLUTO_PEER_PORT"
+-	D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+-fi
++dologentry() {
++	action=$1
++
++	if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ] ; then
++		rem="$PLUTO_PEER"
++	else
++		rem="$PLUTO_PEER_CLIENT == $PLUTO_PEER"
++	fi
++
++	if [ "$PLUTO_MY_CLIENT" == "$PLUTO_ME/32" ] ; then
++		loc="$PLUTO_ME"
++	else
++		loc="$PLUTO_ME == $PLUTO_MY_CLIENT"
++	fi
++
++	$LOGGER -t $TAG -p $FAC_PRIO "$action $rem -- $loc ($PLUTO_PEER_ID)"
++}
++
+ 
+ # the big choice
++
+ case "$PLUTO_VERB:$1" in
+ prepare-host:*|prepare-client:*)
+ 	# delete possibly-existing route (preliminary to adding a route)
+-	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+-	"0.0.0.0/0.0.0.0")
+-		# need to provide route that eclipses default, without 
++
++	if [ "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" = \
++						"0.0.0.0/0.0.0.0" ] ; then
++		# need to remove the route that eclipses default, without 
+ 		# replacing it.
+-		parms1="0.0.0.0/1"
+-		parms2="128.0.0.0/1"
+-		it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
+-		oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
+-		;;
+-	*)
+-		parms="$PLUTO_PEER_CLIENT"
+-		it="ip route delete $parms 2>&1"
+-		oops="`ip route delete $parms 2>&1`"
+-		;;
+-	esac
+-	status="$?"
+-	if test " $oops" = " " -a " $status" != " 0"
+-	then
+-		oops="silent error, exit status $status"
++		it="( ip route delete   0.0.0.0/1 ;
++		      ip route delete 128.0.0.0/1 )"
++	else
++		it="ip route delete $PLUTO_PEER_CLIENT"
++	fi
++
++	oops="`$it 2>&1`"
++	st="$?"
++
++	if [ " $oops" = " " -a " $st" != " 0" ] ; then
++		oops="silent error, exit status $st"
+ 	fi
++
+ 	case "$oops" in
+ 	*'RTNETLINK answers: No such process'*)	
+ 		# This is what route (currently -- not documented!) gives
+ 		# for "could not find such a route".
+ 		oops=
+-		status=0
++		st=0
+ 		;;
+ 	esac
+-	if test " $oops" != " " -o " $status" != " 0"
+-	then
++
++	if [ " $oops" != " " -o " $st" != " 0" ] ; then
+ 		echo "$0: \`$it' failed ($oops)" >&2
+ 	fi
+-	exit $status
++
++	exit $st
++
+ 	;;
+ route-host:*|route-client:*)
+ 	# connection to me or my client subnet being routed
++
++	ipsec _showstatus valid
+ 	uproute
++
+ 	;;
+ unroute-host:*|unroute-client:*)
+ 	# connection to me or my client subnet being unrouted
++
++	ipsec _showstatus invalid
+ 	downroute
++
+ 	;;
+-up-host:)
++up-host:*)
+ 	# connection to me coming up
+-	# If you are doing a custom version, firewall commands go here.
++
++	ipsec _showstatus up
++	upfirewall $IPT_RULE_IN $IPT_DEST_IN $IPT_RULE_OUT $OUT_DEST_OUT
++	dologentry "VPN-UP"
++
+ 	;;
+-down-host:)
++down-host:*)
+ 	# connection to me going down
+-	# If you are doing a custom version, firewall commands go here.
+-	;;
+-up-client:)
+-	# connection to my client subnet coming up
+-	# If you are doing a custom version, firewall commands go here.
+-	;;
+-down-client:)
+-	# connection to my client subnet going down
+-	# If you are doing a custom version, firewall commands go here.
++
++	ipsec _showstatus down
++	downfirewall $IPT_RULE_IN $IPT_DEST_IN $IPT_RULE_OUT $OUT_DEST_OUT
++	dologentry "VPN-DN"
++
+ 	;;
+-up-host:iptables)
+-	# connection to me, with (left/right)firewall=yes, coming up
+-	# This is used only by the default updown script, not by your custom
+-	# ones, so do not mess with it; see CAUTION comment up at top.
+-	iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+-	    -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
+-	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+-	iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+-	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+-	    -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
+-	#
+-	# log IPsec host connection setup
+-	if [ $VPN_LOGGING ]
+-	then
+-	  if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
+-	  then
+-	    logger -t $TAG -p $FAC_PRIO \
+-	      "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME"
+-	  else
+-	    logger -t $TAG -p $FAC_PRIO \
+-	      "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+-	  fi
+-	fi	
+-	;;
+-down-host:iptables)
+-	# connection to me, with (left/right)firewall=yes, going down
+-	# This is used only by the default updown script, not by your custom
+-	# ones, so do not mess with it; see CAUTION comment up at top.
+-	iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+-	    -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
+-	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+-	iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+-	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+-	    -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
+-	#
+-	# log IPsec host connection teardown
+-	if [ $VPN_LOGGING ]
+-	then
+-	  if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
+-	  then
+-	    logger -t $TAG -p $FAC_PRIO -- \
+-	      "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME"
+-	  else
+-	    logger -t $TAG -p $FAC_PRIO -- \
+-	    "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+-	  fi
+-	fi
+-	;;
+-up-client:iptables)
+-	# connection to client subnet, with (left/right)firewall=yes, coming up
+-	# This is used only by the default updown script, not by your custom
+-	# ones, so do not mess with it; see CAUTION comment up at top.
+-	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+-	then
+-	  iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+-	      -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
+-	      -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT \
+-	         $IPSEC_POLICY_OUT -j ACCEPT
+-	  iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+-	      -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
+-	      -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \
+-	         $IPSEC_POLICY_IN -j ACCEPT
++up-client:*)
++	# connection to client subnet coming up
++
++	ipsec _showstatus up
++
++	if [ "$PLUTO_MY_CLIENT" != "$PLUTO_ME/32" -a \
++	     "$PLUTO_MY_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] ; then
++		upfirewall $FWD_RULE_IN $FWD_DEST_IN $FWD_RULE_OUT $FWD_DEST_OUT
+ 	fi
+-	#
++
+ 	# a virtual IP requires an INPUT and OUTPUT rule on the host
+ 	# or sometimes host access via the internal IP is needed
+-	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+-	then
+-	  iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+-	      -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
+-	      -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \
+-	         $IPSEC_POLICY_IN -j ACCEPT
+-	  iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+-	      -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
+-	      -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT \
+-	         $IPSEC_POLICY_OUT -j ACCEPT
+-	fi
+-	#
+-	# log IPsec client connection setup
+-	if [ $VPN_LOGGING ]
+-	then
+-	  if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
+-	  then
+-	    logger -t $TAG -p $FAC_PRIO \
+-	      "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+-	  else
+-	    logger -t $TAG -p $FAC_PRIO \
+-	      "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+-	  fi
+-	fi
+-	;;
+-down-client:iptables)
+-	# connection to client subnet, with (left/right)firewall=yes, going down
+-	# This is used only by the default updown script, not by your custom
+-	# ones, so do not mess with it; see CAUTION comment up at top.
+-	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+-	then
+-	  iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+-	      -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
+-	      -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT \
+-	         $IPSEC_POLICY_OUT -j ACCEPT
+-	  iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+-	      -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
+-	      -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \
+-	         $IPSEC_POLICY_IN -j ACCEPT
++	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] ; then
++		upfirewall $IPT_RULE_IN $IPT_DEST_IN $IPT_RULE_OUT $OUT_DEST_OUT
++	fi
++
++	dologentry "VPN-UP"
++
++	;;
++down-client:*)
++	# connection to client subnet going down
++
++	ipsec _showstatus down
++
++	if [ "$PLUTO_MY_CLIENT" != "$PLUTO_ME/32" -a \
++	     "$PLUTO_MY_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] ; then
++		downfirewall $FWD_RULE_IN $FWD_DEST_IN $FWD_RULE_OUT $FWD_DEST_OUT
+ 	fi
+-	#
++
+ 	# a virtual IP requires an INPUT and OUTPUT rule on the host
+ 	# or sometimes host access via the internal IP is needed
+-	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+-	then
+-	  iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+-	      -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
+-	      -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \
+-	         $IPSEC_POLICY_IN -j ACCEPT
+-	  iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+-	      -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
+-	      -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT \
+-	         $IPSEC_POLICY_OUT -j ACCEPT
+-	fi
+-	#
+-	# log IPsec client connection teardown
+-	if [ $VPN_LOGGING ]
+-	then
+-	  if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
+-	  then
+-	    logger -t $TAG -p $FAC_PRIO -- \
+-	      "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+-	  else
+-	    logger -t $TAG -p $FAC_PRIO -- \
+-	      "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+-	  fi
++	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] ; then
++		downfirewall $IPT_RULE_IN $IPT_DEST_IN $IPT_RULE_OUT $OUT_DEST_OUT
+ 	fi
++
++	dologentry "VPN-DN"
++
+ 	;;
+-#
+-# IPv6
+-#
+ prepare-host-v6:*|prepare-client-v6:*)
++
+ 	;;
+ route-host-v6:*|route-client-v6:*)
+ 	# connection to me or my client subnet being routed
++
+ 	#uproute_v6
++
+ 	;;
+ unroute-host-v6:*|unroute-client-v6:*)
+ 	# connection to me or my client subnet being unrouted
++
+ 	#downroute_v6
++
+ 	;;
+ up-host-v6:*)
+ 	# connection to me coming up
+ 	# If you are doing a custom version, firewall commands go here.
++
+ 	;;
+ down-host-v6:*)
+ 	# connection to me going down
+ 	# If you are doing a custom version, firewall commands go here.
++
+ 	;;
+ up-client-v6:)
+ 	# connection to my client subnet coming up
+ 	# If you are doing a custom version, firewall commands go here.
++
+ 	;;
+ down-client-v6:)
+ 	# connection to my client subnet going down
+ 	# If you are doing a custom version, firewall commands go here.
++
+ 	;;
+-*)	echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
++*)
++	echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
+ 	exit 1
++
+ 	;;
+ esac
++

package/strongswan/patches/300-openwrt.patch

@@ -0,0 +1,24 @@
+diff -ruN strongswan-2.8.1-orig/Makefile.inc strongswan-2.8.1/Makefile.inc
+--- strongswan-2.8.1-orig/Makefile.inc	2007-01-11 16:42:11.000000000 -0500
++++ strongswan-2.8.1/Makefile.inc	2007-01-17 02:42:25.961297797 -0500
+@@ -123,7 +123,7 @@
+ # With a non-null DESTDIR, INC_RCDEFAULT will be used unless one of the
+ # INC_RCDIRS directories has been pre-created under DESTDIR.
+ INC_RCDIRS=/etc/rc.d/init.d /etc/rc.d /etc/init.d /sbin/init.d
+-INC_RCDEFAULT=/etc/rc.d/init.d
++INC_RCDEFAULT=/etc/init.d
+ 
+ # RCDIR is where boot/shutdown scripts go; FINALRCDIR is where they think
+ # will finally be (so utils/Makefile can create a symlink in BINDIR to the
+diff -ruN strongswan-2.8.1-orig/programs/showhostkey/showhostkey.in strongswan-2.8.1/programs/showhostkey/showhostkey.in
+--- strongswan-2.8.1-orig/programs/showhostkey/showhostkey.in	2004-03-15 15:35:31.000000000 -0500
++++ strongswan-2.8.1/programs/showhostkey/showhostkey.in	2007-01-17 00:02:35.433150839 -0500
+@@ -62,7 +62,7 @@
+ 	exit 1
+ fi
+ 
+-host="`hostname --fqdn`"
++host="`cat /proc/sys/kernel/hostname`"
+ 
+ awk '	BEGIN {
+ 		inkey = 0

package/strongswan/patches/310-make-ipsec-alg.patch

@@ -0,0 +1,18 @@
+diff -ruN strongswan-2.8.1-orig/linux/net/ipsec/alg/Makefile.alg_cryptoapi strongswan-2.8.1/linux/net/ipsec/alg/Makefile.alg_cryptoapi
+--- strongswan-2.8.1-orig/linux/net/ipsec/alg/Makefile.alg_cryptoapi	2004-03-22 16:53:19.000000000 -0500
++++ strongswan-2.8.1/linux/net/ipsec/alg/Makefile.alg_cryptoapi	2007-01-17 02:28:26.835241726 -0500
+@@ -1,10 +1,10 @@
+ MOD_CRYPTOAPI := ipsec_cryptoapi.o
+ 
+ ifneq ($(wildcard $(TOPDIR)/include/linux/crypto.h),)
+-ALG_MODULES += $(MOD_CRYPTOAPI)
+-obj-$(CONFIG_IPSEC_ALG_CRYPTOAPI) += $(MOD_CRYPTOAPI)
+-static_init-func-$(CONFIG_IPSEC_ALG_CRYPTOAPI)+= ipsec_cryptoapi_init
+-alg_obj-$(CONFIG_IPSEC_ALG_CRYPTOAPI) += ipsec_alg_cryptoapi.o
++#ALG_MODULES += $(MOD_CRYPTOAPI)
++#obj-$(CONFIG_IPSEC_ALG_CRYPTOAPI) += $(MOD_CRYPTOAPI)
++#static_init-func-$(CONFIG_IPSEC_ALG_CRYPTOAPI)+= ipsec_cryptoapi_init
++#alg_obj-$(CONFIG_IPSEC_ALG_CRYPTOAPI) += ipsec_alg_cryptoapi.o
+ else
+ $(warning "Linux CryptoAPI (2.4.22+ or 2.6.x) not found, not building ipsec_cryptoapi.o")
+ endif

package/strongswan/patches/320-no-modprobe.patch

@@ -0,0 +1,105 @@
+diff -ruN strongswan-2.8.1-orig/programs/starter/klips.c strongswan-2.8.1/programs/starter/klips.c
+--- strongswan-2.8.1-orig/programs/starter/klips.c	2006-02-15 13:33:57.000000000 -0500
++++ strongswan-2.8.1/programs/starter/klips.c	2007-01-16 23:57:19.107972109 -0500
+@@ -44,7 +44,7 @@
+ 	    unsetenv("MODPATH");
+ 	    unsetenv("MODULECONF");
+ 	    system("depmod -a >/dev/null 2>&1");
+-	    system("modprobe -qv ipsec");
++	    system("insmod -qv ipsec");
+ 	}
+ 	if (stat(PROC_IPSECVERSION, &stb) == 0)
+ 	{
+@@ -62,11 +62,11 @@
+     /* make sure that all available crypto algorithms are loaded */
+     if (stat(PROC_MODULES, &stb) == 0)
+     {
+-	system("modprobe -qv ipsec_aes");
+-	system("modprobe -qv ipsec_serpent");
+-	system("modprobe -qv ipsec_twofish");
+-	system("modprobe -qv ipsec_blowfish");
+-	system("modprobe -qv ipsec_sha2");
++	system("insmod -qv ipsec_aes");
++	system("insmod -qv ipsec_serpent");
++	system("insmod -qv ipsec_twofish");
++	system("insmod -qv ipsec_blowfish");
++	system("insmod -qv ipsec_sha2");
+     }
+ 
+     starter_klips_clear();
+diff -ruN strongswan-2.8.1-orig/programs/starter/netkey.c strongswan-2.8.1/programs/starter/netkey.c
+--- strongswan-2.8.1-orig/programs/starter/netkey.c	2006-02-15 13:33:57.000000000 -0500
++++ strongswan-2.8.1/programs/starter/netkey.c	2007-01-16 23:57:28.094204186 -0500
+@@ -36,7 +36,7 @@
+ 	/* af_key module makes the netkey proc interface visible */
+ 	if (stat(PROC_MODULES, &stb) == 0)
+ 	{
+-	    system("modprobe -qv af_key");
++	    system("insmod -qv af_key");
+ 	}
+ 
+ 	/* now test again */
+@@ -52,11 +52,11 @@
+     /* make sure that all required IPsec modules are loaded */
+     if (stat(PROC_MODULES, &stb) == 0)
+     {
+-	system("modprobe -qv ah4");
+-	system("modprobe -qv esp4");
+-	system("modprobe -qv ipcomp");
+-	system("modprobe -qv xfrm4_tunnel");
+-	system("modprobe -qv xfrm_user");
++	system("insmod -qv ah4");
++	system("insmod -qv esp4");
++	system("insmod -qv ipcomp");
++	system("insmod -qv xfrm4_tunnel");
++	system("insmod -qv xfrm_user");
+     }
+ 
+     DBG(DBG_CONTROL,
+diff -ruN strongswan-2.8.1-orig/programs/_startklips/_startklips.in strongswan-2.8.1/programs/_startklips/_startklips.in
+--- strongswan-2.8.1-orig/programs/_startklips/_startklips.in	2005-05-06 18:11:33.000000000 -0400
++++ strongswan-2.8.1/programs/_startklips/_startklips.in	2007-01-17 00:04:11.189627735 -0500
+@@ -249,7 +249,7 @@
+ 
+ if test ! -f $ipsecversion && test ! -f $netkey
+ then
+-	modprobe -v af_key
++	insmod -v af_key
+ fi
+ 
+ if test -f $netkey
+@@ -257,11 +257,11 @@
+ 	klips=false
+ 	if test -f $modules
+ 	then
+-		modprobe -qv ah4
+-		modprobe -qv esp4
+-		modprobe -qv ipcomp
+-		modprobe -qv xfrm4_tunnel
+-		modprobe -qv xfrm_user
++		insmod -qv ah4
++		insmod -qv esp4
++		insmod -qv ipcomp
++		insmod -qv xfrm4_tunnel
++		insmod -qv xfrm_user
+ 	fi
+ fi
+ 
+@@ -272,7 +272,7 @@
+                 setmodule
+                 unset MODPATH MODULECONF        # no user overrides!
+                 depmod -a >/dev/null 2>&1
+-                modprobe -v ipsec
++                insmod -v ipsec
+         fi
+         if test ! -f $ipsecversion
+         then
+@@ -288,7 +288,7 @@
+ 	do
+ 		if test -f $moduleinstplace/alg/ipsec_$alg.o
+ 		then
+-			modprobe ipsec_$alg
++			insmod ipsec_$alg
+ 		fi
+ 	done
+ fi

package/strongswan/patches/350-make-programs.patch

@@ -0,0 +1,20 @@
+diff -ruN strongswan-2.8.2-orig/programs/Makefile strongswan-2.8.2/programs/Makefile
+--- strongswan-2.8.2-orig/programs/Makefile	2006-08-28 07:12:36.000000000 -0400
++++ strongswan-2.8.2/programs/Makefile	2007-02-04 01:24:18.751598552 -0500
+@@ -17,12 +17,10 @@
+ FREESWANSRCDIR=..
+ include ${FREESWANSRCDIR}/Makefile.inc
+ 
+-SUBDIRS=spi eroute spigrp tncfg klipsdebug pf_key proc pluto 
+-SUBDIRS+=_confread _copyright _include _keycensor _plutoload _plutorun
+-SUBDIRS+=_realsetup _secretcensor _startklips _updown _updown_espmark
+-SUBDIRS+=auto barf ipsec look manual ranbits secrets starter
+-SUBDIRS+=rsasigkey send-pr setup showdefaults showhostkey calcgoo mailkey
+-SUBDIRS+=ikeping examples openac scepclient _showstatus wakeup
++SUBDIRS=_copyright _updown _showstatus wakeup examples
++SUBDIRS+=barf calcgoo eroute ikeping klipsdebug look mailkey manual
++SUBDIRS+=openac pf_key pluto proc ranbits rsasigkey scepclient secrets
++SUBDIRS+=showdefaults showhostkey spi spigrp starter tncfg ipsec
+ 
+ ifeq ($(USE_LWRES),true)
+ SUBDIRS+=lwdnsq