#!/bin/sh

# PROVIDE: iked
# REQUIRE: LOGIN
# KEYWORD: shutdown
#
# Add these lines to /etc/rc.conf.local or /etc/rc.conf
# to enable this service:
#
# iked_enable (bool):	Set to NO by default.
#			Set it to YES to enable iked.
# iked_ramdisk (bool):	Set to NO by default. See below.
#
# When iked_ramdisk is set to YES, the rc.d script will make sure
# all directories exist, but will not generate a key pair if none
# exists.  The daemon is not started when the key pair or config
# files are missing.  It is assumed the ramdisk is not populated
# completely.  When iked_ramdisk is NO, key pairs are created as
# needed and the daemon is started unconditionally.

# Pull in the rc.d framework (load_rc_config, checkyesno, run_rc_command).
. /etc/rc.subr

# Service identity used by rc.subr: $name selects the rc.conf variables
# and $rcvar is the knob that enables the service.
name=iked
desc="IKEv2 daemon"
rcvar=iked_enable

# Read the iked_* settings from rc.conf; the defaults below only apply
# to values not set there.
load_rc_config $name

# Defaults.  NOTE(review): ':=' also replaces an empty iked_enable,
# while '=' leaves an empty iked_ramdisk as-is (checkyesno may then
# warn about it) - presumably unintentional, confirm before changing.
: ${iked_enable:=NO}
: ${iked_ramdisk=NO}

# %%PREFIX%% is substituted by the ports framework at install time.
command=%%PREFIX%%/sbin/iked
# Run iked_precmd (below) before the daemon is started.
start_precmd=iked_precmd

# Configuration file and key material.  The private key lives under
# private/, which iked_precmd keeps at mode 700 in ramdisk mode.
iked_config=%%PREFIX%%/etc/iked.conf
iked_rootdir=%%PREFIX%%/etc/iked
iked_privkey=${iked_rootdir}/private/local.key
iked_pubkey=${iked_rootdir}/local.pub

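#
# iked_precmd -- start_precmd hook, run by run_rc_command before iked.
#
# Globals:	iked_ramdisk, iked_rootdir, iked_privkey, iked_pubkey,
#		iked_config (all read)
# Returns:	0 when iked may be started, 1 otherwise.  A non-zero
#		status makes rc.subr skip the start (unless rc_force is
#		set), which replaces the former hard exit.
#
# In ramdisk mode only the directory hierarchy is ensured; otherwise a
# 2048-bit RSA key pair is generated when no private key exists yet.
#
iked_precmd()
{
	local D

	if checkyesno iked_ramdisk; then
		# Make sure we have our directory hierarchy.  No keys are
		# generated here; the ramdisk is expected to be populated
		# by other means (see the header comment).
		for D in ca certs crls export private pubkeys \
		    pubkeys/fqdn pubkeys/ipv4 pubkeys/ipv6 pubkeys/ufqdn; do
			mkdir -p "${iked_rootdir}/${D}" || return 1
		done
		chmod 700 "${iked_rootdir}/private" || return 1
	else
		# Create a key pair if not already present.
		if test ! -f "$iked_privkey"; then
			# Generate the private key under umask 077 so it is
			# never world-readable, not even between creation and
			# the chmod below.  The subshell keeps the umask from
			# leaking into the daemon's environment.  A failed run
			# must not leave a truncated key behind, or the next
			# start would skip generation and use it.
			if ! ( umask 077 &&
			    /usr/bin/openssl genrsa -out "$iked_privkey" 2048 ); then
				rm -f -- "$iked_privkey"
				return 1
			fi
			/bin/chmod 600 "$iked_privkey" || return 1
			/usr/bin/openssl rsa -out "$iked_pubkey" \
			    -in "$iked_privkey" -pubout || return 1
		fi
	fi

	# We must have a private key and a configuration file.
	# Don't start iked when those are missing.
	if test ! -f "$iked_privkey" || test ! -f "$iked_config"; then
		# Be quiet about it; it must be intentional.
		return 1
	fi
	return 0
}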

run_rc_command "$1"