Patch to make ipsec peers reachable from the ipfire.

config/rootfiles/core/34/filelists/files

@@ -17,3 +17,4 @@ var/ipfire/langs/list
 var/ipfire/outgoing/bin/outgoingfw.pl
 var/ipfire/snort/oinkmaster.conf
 usr/local/sbin/setup
+usr/lib/ipsec/_updown

doc/packages-list.txt

@@ -36,17 +36,17 @@
 * Unix-Syslog-0.100
 * XML-Parser-2.34
 * alsa-lib-1.0.21a
-* alsa-lib-1.0.21a-kmod-2.6.27.41-ipfire
+* alsa-lib-1.0.21a-kmod-2.6.27.42-ipfire
 * amavisd-new-2.5.2
 * apcupsd-3.14.4
 * applejuice-0.31
 * arping-2.05
 * as86-0.16.17
 * asterisk-1.4.26.3
-* atl1c-kmod-2.6.27.41-ipfire
-* atl1c-kmod-2.6.27.41-ipfire-xen
-* atl2-2.0.5-kmod-2.6.27.41-ipfire
-* atl2-2.0.5-kmod-2.6.27.41-ipfire-xen
+* atl1c-kmod-2.6.27.42-ipfire
+* atl1c-kmod-2.6.27.42-ipfire-xen
+* atl2-2.0.5-kmod-2.6.27.42-ipfire
+* atl2-2.0.5-kmod-2.6.27.42-ipfire-xen
 * autoconf-2.59
 * automake-1.9.6
 * backup-ipfire
@@ -71,8 +71,8 @@
 * clamav-0.95.3
 * cmake-2.4.8
 * collectd-4.5.3
-* compat-wireless-2.6.32-rc7-kmod-2.6.27.41-ipfire
-* compat-wireless-2.6.32-rc7-kmod-2.6.27.41-ipfire-xen
+* compat-wireless-2.6.32.2-kmod-2.6.27.42-ipfire
+* compat-wireless-2.6.32.2-kmod-2.6.27.42-ipfire-xen
 * coreutils-5.96
 * cpio-2.6
 * cpufrequtils-005
@@ -81,8 +81,8 @@
 * cyrus-imapd-2.2.12
 * cyrus-sasl-2.1.21
 * dahdi-2.2.0.2
-* dahdi-2.2.0.2-kmod-2.6.27.41-ipfire
-* dahdi-2.2.0.2-kmod-2.6.27.41-ipfire-xen
+* dahdi-2.2.0.2-kmod-2.6.27.42-ipfire
+* dahdi-2.2.0.2-kmod-2.6.27.42-ipfire-xen
 * db-4.4.20
 * dbus-1.0.3
 * dhcp-3.1.0
@@ -90,8 +90,8 @@
 * diffutils-2.8.1
 * dnsmasq-2.45
 * dosfstools-2.11
-* e1000e-1.0.2.5-kmod-2.6.27.41-ipfire
-* e1000e-1.0.2.5-kmod-2.6.27.41-ipfire-xen
+* e1000e-1.0.2.5-kmod-2.6.27.42-ipfire
+* e1000e-1.0.2.5-kmod-2.6.27.42-ipfire-xen
 * e2fsprogs-1.39
 * ebtables-v2.0.8-2
 * ed-0.2
@@ -137,8 +137,8 @@
 * hdparm-8.9
 * hostapd-0.6.9
 * hplip-2.7.10
-* hso-1.9-kmod-2.6.27.41-ipfire
-* hso-1.9-kmod-2.6.27.41-ipfire-xen
+* hso-1.9-kmod-2.6.27.42-ipfire
+* hso-1.9-kmod-2.6.27.42-ipfire-xen
 * htop-0.8.1
 * httpd-2.2.11
 * hwdata
@@ -162,10 +162,10 @@
 * jpegsrc.v6b
 * kbd-1.12
 * klibc-1.5.14
-* kqemu-1.4.0pre1-kmod-2.6.27.41-ipfire
-* kqemu-1.4.0pre1-kmod-2.6.27.41-ipfire-xen
+* kqemu-1.4.0pre1-kmod-2.6.27.42-ipfire
+* kqemu-1.4.0pre1-kmod-2.6.27.42-ipfire-xen
 * kudzu-1.2.64
-* kvm-kmod-2.6.31.5-kmod-2.6.27.41-ipfire
+* kvm-kmod-2.6.31.5-kmod-2.6.27.42-ipfire
 * l7-protocols-2009-05-10
 * lame-3.97
 * lcd4linux-0.10.1-RC2
@@ -195,8 +195,8 @@
 * libwww-perl-5.803
 * libxml2-2.6.26
 * libxslt-1.1.17
-* linux-2.6.27.41-ipfire
-* linux-2.6.27.41-ipfire-xen
+* linux-2.6.27.42-ipfire
+* linux-2.6.27.42-ipfire-xen
 * linux-atm-2.4.1
 * linux-libc-headers-2.6.12.0
 * lm_sensors-3.0.3
@@ -206,11 +206,11 @@
 * lynis-1.2.6
 * lzo-2.02
 * m4-1.4.4
-* mISDN.git-9bf7deaa4b8829ab8fbccb34529a17aab2ddea93-kmod-2.6.27.41-ipfire
-* mISDN.git-9bf7deaa4b8829ab8fbccb34529a17aab2ddea93-kmod-2.6.27.41-ipfire-xen
+* mISDN.git-9bf7deaa4b8829ab8fbccb34529a17aab2ddea93-kmod-2.6.27.42-ipfire
+* mISDN.git-9bf7deaa4b8829ab8fbccb34529a17aab2ddea93-kmod-2.6.27.42-ipfire-xen
 * mISDNuser.git-54928dec57bc846f2c2186f3640e69a053cd3641
-* madwifi-hal-0.10.5.6-r4031-20090529-kmod-2.6.27.41-ipfire
-* madwifi-hal-0.10.5.6-r4031-20090529-kmod-2.6.27.41-ipfire-xen
+* madwifi-hal-0.10.5.6-r4031-20090529-kmod-2.6.27.42-ipfire
+* madwifi-hal-0.10.5.6-r4031-20090529-kmod-2.6.27.42-ipfire-xen
 * make-3.81
 * man-db-2.4.3
 * man-pages-2.34
@@ -258,8 +258,8 @@
 * openssh-5.2p1
 * openssl-0.9.8k
 * openswan-2.6.23
-* openswan-2.6.23-kmod-2.6.27.41-ipfire
-* openswan-2.6.23-kmod-2.6.27.41-ipfire-xen
+* openswan-2.6.23-kmod-2.6.27.42-ipfire
+* openswan-2.6.23-kmod-2.6.27.42-ipfire-xen
 * openvpn-2.1_rc20
 * p7zip_4.65
 * pam_mysql-0.7RC1
@@ -280,12 +280,12 @@
 * procps-3.2.6
 * psmisc-22.2
 * qemu-0.11.0
-* r8101-kmod-2.6.27.41-ipfire
-* r8101-kmod-2.6.27.41-ipfire-xen
-* r8168-8.014.00-kmod-2.6.27.41-ipfire
-* r8168-8.014.00-kmod-2.6.27.41-ipfire-xen
-* r8169-6.011.00-kmod-2.6.27.41-ipfire
-* r8169-6.011.00-kmod-2.6.27.41-ipfire-xen
+* r8101-kmod-2.6.27.42-ipfire
+* r8101-kmod-2.6.27.42-ipfire-xen
+* r8168-8.014.00-kmod-2.6.27.42-ipfire
+* r8168-8.014.00-kmod-2.6.27.42-ipfire-xen
+* r8169-6.011.00-kmod-2.6.27.42-ipfire
+* r8169-6.011.00-kmod-2.6.27.42-ipfire-xen
 * readline-5.1
 * reiser4progs-1.0.5
 * reiserfsprogs-3.6.19
@@ -341,8 +341,8 @@
 * usb_modeswitch-1.0.5
 * usbutils-0.72
 * util-linux-2.12r
-* v4l-dvb-aba823ecaea6-kmod-2.6.27.41-ipfire
-* v4l-dvb-aba823ecaea6-kmod-2.6.27.41-ipfire-xen
+* v4l-dvb-aba823ecaea6-kmod-2.6.27.42-ipfire
+* v4l-dvb-aba823ecaea6-kmod-2.6.27.42-ipfire-xen
 * vdr-1.6.0
 * vdradmin-am-3.6.4
 * vim-7.0

lfs/openswan

@@ -115,6 +115,7 @@ else
 	
 	cd /usr/lib/ipsec && patch -Np0 < $(DIR_SRC)/src/patches/openswan-2.6.16-startklips-1.patch
 	cd /usr/lib/ipsec && patch -Np0 < $(DIR_SRC)/src/patches/openswan-2.6.16-updown.klips-1.patch
+	cd /usr/lib/ipsec && patch -Np0 < $(DIR_SRC)/src/patches/openswan-2.6.23-updown-add_ipfire-snat.patch
 	cd /etc/ipsec.d/policies && patch -Np0 < $(DIR_SRC)/src/patches/openswan-2.6.16-clear-1.patch
 endif	
 	#@rm -rf $(DIR_APP)

src/patches/openswan-2.6.23-updown-add_ipfire-snat.patch

@@ -0,0 +1,24 @@
+--- /usr/lib/ipsec/_updown	2009-10-08 01:43:58.000000000 +0200
++++ /usr/lib/ipsec/_updown	2009-12-20 23:13:24.000000000 +0100
+@@ -128,6 +128,21 @@
+     2.*) ;;
+ esac
+ 
++# add/remove rules to reach vpn-peers from ipfire
++src=$(/sbin/ip route|grep $PLUTO_MY_CLIENT|(read net key_dev dev key_proto key_kernel key_scope key_link key_src src; echo $src))
++
++case "$PLUTO_VERB" in
++"route-client")
++   logger -t "ipsec_updown" "iptables -t nat -A CUSTOMPOSTROUTING -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src"
++   /sbin/iptables -t nat -A CUSTOMPOSTROUTING -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
++   ;;
++
++"unroute-client")
++   logger -t "ipsec_updown" "iptables -t nat -D CUSTOMPOSTROUTING -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src"
++   /sbin/iptables -t nat -D CUSTOMPOSTROUTING -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src
++   ;;
++esac
++
+ if [ -x /usr/lib/ipsec/_updown.${PLUTO_STACK} ]
+ then
+ 	exec /usr/lib/ipsec/_updown.${PLUTO_STACK} $*