Index: head/GIDs
===================================================================
--- head/GIDs
+++ head/GIDs
@@ -104,7 +104,7 @@
 _ypldap:*:160:
 solr:*:161:
 octoprint:*:162:
-# free: 163
+_iked:*:163:
 # free: 164
 # free: 165
 # free: 166
Index: head/UIDs
===================================================================
--- head/UIDs
+++ head/UIDs
@@ -109,7 +109,7 @@
 _ypldap:*:160:160::0:0:YP Ldap unprivileged user:/var/empty:/usr/sbin/nologin
 solr:*:161:161::0:0:Apache Solr System:/var/db/solr:/usr/sbin/nologin
 octoprint:*:162:162::0:0:OctoPrint Daemon:/usr/local/octoprint:/usr/sbin/nologin
-# free: 163
+_iked:*:163:163::0:0:IKEv2 Daemon:/var/empty:/usr/sbin/nologin
 # free: 164
 # free: 165
 # free: 166
Index: head/security/Makefile
===================================================================
--- head/security/Makefile
+++ head/security/Makefile
@@ -417,6 +417,7 @@
 SUBDIR += openconnect
 SUBDIR += opencryptoki
 SUBDIR += openct
+ SUBDIR += openiked
 SUBDIR += opensaml2
 SUBDIR += opensc
 SUBDIR += openscep
Index: head/security/openiked/Makefile
===================================================================
--- head/security/openiked/Makefile
+++ head/security/openiked/Makefile
@@ -0,0 +1,32 @@
+# $FreeBSD$
+
+PORTNAME= openiked
+PORTVERSION= 1.0
+CATEGORIES= security net ipv6
+
+MAINTAINER= marcel@FreeBSD.org
+COMMENT= IKEv2 daemon
+
+LICENSE= ISCL
+
+LIB_DEPENDS= libevent.so:devel/libevent2
+
+USE_GITHUB= yes
+GH_ACCOUNT= xcllnt
+
+USE_RC_SUBR= iked
+USERS= _iked
+GROUPS= _iked
+
+USES= autoreconf libtool ssl
+GNU_CONFIGURE= yes
+INSTALL_TARGET= install-strip
+CONFIGURE_ARGS= --with-libevent-dir=${PREFIX}
+
+post-install:
+ ${MV} ${STAGEDIR}/etc/ssl/ikeca.cnf \
+ ${STAGEDIR}${PREFIX}/etc/ikeca.cnf.sample
+ ${MV} ${STAGEDIR}${PREFIX}/etc/iked.conf \
+ ${STAGEDIR}${PREFIX}/etc/iked.conf.sample
+
+.include
Index: head/security/openiked/distinfo
===================================================================
--- head/security/openiked/distinfo
+++ head/security/openiked/distinfo
@@ -0,0 +1,3 @@
+TIMESTAMP = 1477960722
+SHA256 (xcllnt-openiked-1.0_GH0.tar.gz) = 675835edb34ebbfa096eb5e16014ec3a3ba25a3b9468ca7fa063ebaf81e3cb02
+SIZE (xcllnt-openiked-1.0_GH0.tar.gz) = 224063
Index: head/security/openiked/files/iked.in
===================================================================
--- head/security/openiked/files/iked.in
+++ head/security/openiked/files/iked.in
@@ -0,0 +1,70 @@
+#!/bin/sh
+
+# $FreeBSD$
+#
+# PROVIDE: iked
+# REQUIRE: LOGIN
+# KEYWORD: shutdown
+#
+# Add these lines to /etc/rc.conf.local or /etc/rc.conf
+# to enable this service:
+#
+# iked_enable (bool): Set to NO by default.
+ Set it to YES to enable iked.
+# iked_ramdisk (bool): Set to NO by default. See below.
+#
+# When iked_ramdisk is set to YES, the rc.d script will make sure
+# all directories exist, but will not generate a key pair if none
+# exists. The daemon is not started when the key pair no config
+# files are missing. It is assumed the ramdisk is not populated
+# completely. When iked_ramdisk is NO, key pairs are created as
+# needed and thr daemon is started unconditionally.
+
+. /etc/rc.subr
+
+name=iked
+desc="IKEv2 daemon"
+rcvar=iked_enable
+
+load_rc_config $name
+
+: ${iked_enable:=NO}
+: ${iked_ramdisk=NO}
+
+command=%%PREFIX%%/sbin/iked
+start_precmd=iked_precmd
+
+iked_config=%%PREFIX%%/etc/iked.conf
+iked_rootdir=%%PREFIX%%/etc/iked
+iked_privkey=${iked_rootdir}/private/local.key
+iked_pubkey=${iked_rootdir}/local.pub
+
+iked_precmd()
+{
+
+ if checkyesno iked_ramdisk; then
+ # Make sure we have our directory hierarchy.
+ for D in ca certs crls export private pubkeys \
+ pubkeys/fqdn pubkeys/ipv4 pubkeys/ipv6 pubkeys/ufqdn; do
+ mkdir -p %%PREFIX%%/etc/iked/$D
+ done
+ chmod 700 %%PREFIX%%/etc/iked/private
+ else
+ # Create a key pair if not already present.
+ if test ! -f $iked_privkey; then
+ /usr/bin/openssl genrsa -out $iked_privkey 2048
+ /bin/chmod 600 $iked_privkey
+ /usr/bin/openssl rsa -out $iked_pubkey \
+ -in $iked_privkey -pubout
+ fi
+ fi
+
+ # We must have a private key and a configuration file.
+ # Don't start iked when those are missing.
+ if test ! \( -f $iked_privkey -a -f $iked_config \); then
+ # Be quiet about it; it must be intentional.
+ exit 1
+ fi
+}
+
+run_rc_command "$1"
Index: head/security/openiked/pkg-descr
===================================================================
--- head/security/openiked/pkg-descr
+++ head/security/openiked/pkg-descr
@@ -0,0 +1,9 @@
+OpenIKED is a lean Internet Key Exchange (IKEv2) daemon which performs
+mutual authentication and which establishes and maintains IPsec VPN
+flows and security associations (SAs) between the two peers.
+
+This version of OpenIKED is derived from OpenIKED's iked, but changed
+to support transport mode IPSec and lazy creation of associations,
+among many other improvements.
+
+WWW: https://github.com/xcllnt/openiked
Index: head/security/openiked/pkg-plist
===================================================================
--- head/security/openiked/pkg-plist
+++ head/security/openiked/pkg-plist
@@ -0,0 +1,15 @@
+@sample etc/ikeca.cnf.sample
+@sample etc/iked.conf.sample
+man/man5/iked.conf.5.gz
+man/man8/ikectl.8.gz
+man/man8/iked.8.gz
+sbin/ikectl
+sbin/iked
+@dir etc/iked/ca
+@dir etc/iked/certs
+@dir etc/iked/crls
+@dir(,,700) etc/iked/private
+@dir etc/iked/pubkeys/fqdn
+@dir etc/iked/pubkeys/ipv4
+@dir etc/iked/pubkeys/ipv6
+@dir etc/iked/pubkeys/ufqdn
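Review bot: In iked_precmd the non-ramdisk branch creates the private key with `/usr/bin/openssl genrsa -out $iked_privkey 2048` and only afterwards runs `/bin/chmod 600`, so the key briefly exists with the umask-default mode unless openssl(1) itself restricts it (not verified here); generating it under a restrictive umask removes that dependency: `(umask 077; /usr/bin/openssl genrsa -out $iked_privkey 2048)`. The final guard ends with `exit 1`, which leaves the whole rc script instead of returning to run_rc_command, so the normal precmd-failure path (including rc_force/forcestart handling) is bypassed; `return 1` is the rc.subr convention. Together with the "Be quiet" comment this means a missing key or config makes `service iked start` fail with no output at all, so a `warn "$iked_privkey or $iked_config missing, not starting"` before returning would save an admin a diagnosis step. Smaller points: the ramdisk branch hard-codes `%%PREFIX%%/etc/iked` although `iked_rootdir` already holds that path, and the header comment has two typos ("key pair no config" → "key pair or config", "thr daemon" → "the daemon").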
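Review bot: `@sample etc/iked.conf.sample` installs the sample and the working copy it creates with the default file mode, while the key directory further down is correctly restricted with `@dir(,,700) etc/iked/private`; an iked.conf can carry pre-shared keys, so it deserves the same treatment: `@sample(,,0600) etc/iked.conf.sample`. The key pair the rc script generates at run time (`etc/iked/local.pub`, `etc/iked/private/local.key`) is absent from the plist, which is right for site-specific material, but a `@comment` line saying so would make it clear that those files surviving `pkg delete` is intended rather than an omission.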