On Mon 2008.03.31 at 10:06 -0400, Okan Demirmen wrote:
> it seems an update to security/vpnc has been tossed around for a while
> now. so, i chose the latest one (from Thomas Schoeller, with comments
> from others) and have been running with it for about 2 months now.
> confirmed it works on i386 and amd64; my sparc64 is not currently in a
> net-location to test functionality, but it compiles.
>
> - update to 0.5.1
> - adds a sample split vpn script
>
> one thing i did take out was the work-around for amd64 (-O0). i'm
> unsure why that was in there, for i have vpnc running on amd64 without
> it. can someone provide the failure details?
>
> final comments, oks?
i've only gotten one response, that sparc64 works (thanks!). other vpnc
users out there?
> Index: Makefile
> ===================================================================
> RCS file: /cvs/ports/security/vpnc/Makefile,v
> retrieving revision 1.12
> diff -u -p -r1.12 Makefile
> --- Makefile 15 Sep 2007 23:30:01 -0000 1.12
> +++ Makefile 31 Mar 2008 13:58:49 -0000
> @@ -2,8 +2,7 @@
>
> COMMENT= client for Cisco 3000 VPN concentrators
>
> -DISTNAME= vpnc-0.3.3
> -PKGNAME= ${DISTNAME}p1
> +DISTNAME= vpnc-0.5.1
> CATEGORIES= security net
>
> HOMEPAGE= http://www.unix-ag.uni-kl.de/~massar/vpnc/
> @@ -25,6 +24,7 @@ NO_REGRESS= Yes
> do-configure:
> @perl -pi -e "s,/etc,${SYSCONFDIR},g" ${WRKSRC}/{README,config.c}
> @sed -e "s,%%PREFIX%%,${PREFIX},g" ${FILESDIR}/vpnc.sh >
> ${WRKBUILD}/vpnc.sh
> + @sed -e "s,%%PREFIX%%,${PREFIX},g" ${FILESDIR}/split.sh >
> ${WRKBUILD}/split.sh
>
> do-install:
> ${INSTALL_PROGRAM} ${WRKBUILD}/vpnc ${PREFIX}/sbin
> @@ -33,6 +33,7 @@ do-install:
> ${INSTALL_DATA_DIR} ${PREFIX}/share/examples/vpnc
> ${INSTALL_DATA} ${WRKBUILD}/vpnc.conf ${PREFIX}/share/examples/vpnc
> ${INSTALL_DATA} ${WRKBUILD}/vpnc-script ${PREFIX}/share/examples/vpnc
> + ${INSTALL_DATA} ${WRKBUILD}/split.sh ${PREFIX}/share/examples/vpnc
> ${INSTALL_DATA} ${WRKBUILD}/vpnc.sh ${PREFIX}/share/examples/vpnc
> ${INSTALL_MAN} ${WRKBUILD}/vpnc.8 ${PREFIX}/man/man8
>
> Index: distinfo
> ===================================================================
> RCS file: /cvs/ports/security/vpnc/distinfo,v
> retrieving revision 1.6
> diff -u -p -r1.6 distinfo
> --- distinfo 5 Apr 2007 17:26:10 -0000 1.6
> +++ distinfo 31 Mar 2008 13:58:49 -0000
> @@ -1,5 +1,5 @@
> -MD5 (vpnc-0.3.3.tar.gz) = 51GM/yEyb+frl5W2DCWuag==
> -RMD160 (vpnc-0.3.3.tar.gz) = /8sin7jKwY+NbeoOZ/iM7EIPMdo=
> -SHA1 (vpnc-0.3.3.tar.gz) = lVWeHFsfS8eNwaC5+V4aLWWoTAo=
> -SHA256 (vpnc-0.3.3.tar.gz) = vkqOh7BEy5k0nnHmh5RGc53VN9veE+mexhgX7WdgW9c=
> -SIZE (vpnc-0.3.3.tar.gz) = 59939
> +MD5 (vpnc-0.5.1.tar.gz) = eo6U2+lPOaT9ibcuASX2bw==
> +RMD160 (vpnc-0.5.1.tar.gz) = dt1aOji9IQnPjh+62F4nYuhImDI=
> +SHA1 (vpnc-0.5.1.tar.gz) = 78cdugOqQJRa815LB02Z+SL/f/0=
> +SHA256 (vpnc-0.5.1.tar.gz) = 9jZgvQILvmo56OtnrWDFTXGQRsYZimg0Nx0JiUf5ou0=
> +SIZE (vpnc-0.5.1.tar.gz) = 91496
> Index: files/split.sh
> ===================================================================
> RCS file: files/split.sh
> diff -N files/split.sh
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ files/split.sh 31 Mar 2008 13:58:49 -0000
> @@ -0,0 +1,19 @@
> +#!/bin/sh
> +
> +# this effectively disables changes to /etc/resolv.conf
> +INTERNAL_IP4_DNS=
> +
> +# This sets up split networking regardless
> +# of the concentrators specifications.
> +# You can add as many routes as you want,
> +# but you must set the counter $CISCO_SPLIT_INC
> +# accordingly
> +CISCO_SPLIT_INC=1
> +CISCO_SPLIT_INC_0_ADDR=10.0.0.0
> +CISCO_SPLIT_INC_0_MASK=255.255.0.0
> +CISCO_SPLIT_INC_0_MASKLEN=16
> +CISCO_SPLIT_INC_0_PROTOCOL=0
> +CISCO_SPLIT_INC_0_SPORT=0
> +CISCO_SPLIT_INC_0_DPORT=0
> +
> +. /etc/vpnc/vpnc-script
> Index: patches/patch-Makefile
> ===================================================================
> RCS file: /cvs/ports/security/vpnc/patches/patch-Makefile,v
> retrieving revision 1.3
> diff -u -p -r1.3 patch-Makefile
> --- patches/patch-Makefile 11 Nov 2005 19:38:07 -0000 1.3
> +++ patches/patch-Makefile 31 Mar 2008 13:58:49 -0000
> @@ -1,16 +1,18 @@
> $OpenBSD: patch-Makefile,v 1.3 2005/11/11 19:38:07 sturm Exp $
> ---- Makefile.orig Sun May 1 22:30:35 2005
> -+++ Makefile Fri Nov 4 00:03:54 2005
> -@@ -22,9 +22,9 @@ ETCDIR=/etc/vpnc
> - SBINDIR=$(PREFIX)/sbin
> - MANDIR=$(PREFIX)/share/man
> +--- Makefile.orig Thu Sep 6 16:05:15 2007
> ++++ Makefile Wed Sep 19 06:05:20 2007
> +@@ -49,12 +49,9 @@ RELEASE_VERSION := $(shell cat VERSION)
> + #OPENSSL_GPL_VIOLATION = -DOPENSSL_GPL_VIOLATION
> + #OPENSSLLIBS = -lcrypto
>
> -CC=gcc
> --CFLAGS=-W -Wall -O -g '-DVERSION="$(shell cat VERSION)"' $(shell
> libgcrypt-config --cflags)
> --LDFLAGS=-g $(shell libgcrypt-config --libs)
> -+CC?=gcc
> -+CFLAGS+=-W -Wall '-DVERSION="$(shell cat VERSION)"' $(shell
> libgcrypt-config --cflags)
> -+LDFLAGS+=$(shell libgcrypt-config --libs)
> +-CFLAGS ?= -O3 -g
> +-CFLAGS += -W -Wall -Wmissing-declarations -Wwrite-strings
> +-CFLAGS += $(shell libgcrypt-config --cflags)
> ++CC ?= gcc
> ++CFLAGS += -W -Wall '-DVERSION="$(shell cat VERSION)"' $(shell
> libgcrypt-config --cflags)
> + CPPFLAGS += -DVERSION=\"$(VERSION)\" $(OPENSSL_GPL_VIOLATION)
> +-LDFLAGS ?= -g
> + LDFLAGS += $(shell libgcrypt-config --libs) $(OPENSSLLIBS)
>
> - ifeq ($(shell uname -s), Linux)
> - SYSDEP=sysdep-linux.o
> + ifeq ($(shell uname -s), SunOS)
> Index: patches/patch-tunip_c
> ===================================================================
> RCS file: patches/patch-tunip_c
> diff -N patches/patch-tunip_c
> --- patches/patch-tunip_c 11 Nov 2005 19:38:07 -0000 1.3
> +++ /dev/null 1 Jan 1970 00:00:00 -0000
> @@ -1,21 +0,0 @@
> -$OpenBSD: patch-tunip_c,v 1.3 2005/11/11 19:38:07 sturm Exp $
> ---- tunip.c.orig Thu May 5 12:25:00 2005
> -+++ tunip.c Fri Nov 4 00:09:30 2005
> -@@ -436,7 +436,7 @@ int update_sa_addr(struct sa_desc *p)
> - if (new_addr.sin_addr.s_addr != p->source.sin_addr.s_addr) {
> - char addr1[16];
> - p->source.sin_addr = new_addr.sin_addr;
> -- strcpy(addr1, inet_ntoa(p->dest.sin_addr));
> -+ strlcpy(addr1, inet_ntoa(p->dest.sin_addr), sizeof(addr1));
> - syslog(LOG_NOTICE,
> - "local address for %s is %s", addr1,
> inet_ntoa(p->source.sin_addr));
> - return 1;
> -@@ -844,7 +844,7 @@ static void vpnc_main_loop(struct peer_d
> - || from.sin_addr.s_addr !=
> peer->remote_sa->dest.sin_addr.s_addr) {
> - /* remote end changed address */
> - char addr1[16];
> -- strcpy(addr1,
> inet_ntoa(peer->remote_sa->dest.sin_addr));
> -+ strlcpy(addr1,
> inet_ntoa(peer->remote_sa->dest.sin_addr), sizeof(addr1));
> - syslog(LOG_NOTICE,
> - "spi %u: remote address changed from %s
> to %s",
> - peer->remote_sa->spi, addr1,
> inet_ntoa(from.sin_addr));
> Index: patches/patch-vpnc-script
> ===================================================================
> RCS file: /cvs/ports/security/vpnc/patches/patch-vpnc-script,v
> retrieving revision 1.1
> diff -u -p -r1.1 patch-vpnc-script
> --- patches/patch-vpnc-script 11 Nov 2005 19:38:07 -0000 1.1
> +++ patches/patch-vpnc-script 31 Mar 2008 13:58:49 -0000
> @@ -1,64 +1,26 @@
> $OpenBSD: patch-vpnc-script,v 1.1 2005/11/11 19:38:07 sturm Exp $
> ---- vpnc-script.orig Thu Nov 3 23:39:23 2005
> -+++ vpnc-script Thu Nov 3 23:51:02 2005
> -@@ -70,7 +70,7 @@ do_ifconfig() {
> - ifconfig "$TUNDEV" inet "$INTERNAL_IP4_ADDRESS" $ifconfig_syntax_ptp
> "$INTERNAL_IP4_ADDRESS" netmask 255.255.255.255 mtu 1412 up
> - }
> +--- vpnc-script.orig Thu Sep 6 22:05:15 2007
> ++++ vpnc-script Thu Sep 13 21:53:21 2007
> +@@ -108,7 +108,7 @@ destroy_tun_device() {
> +
> + # =========== route handling ====================================
>
> -if [ -n "$IPROUTE" ]; then
> +if [ -x "$IPROUTE" ]; then
> fix_ip_get_output () {
> - sed 's/cache//;s/metric[0-9]\+ [0-9]\+//g'
> - }
> -@@ -117,7 +117,11 @@ if [ -n "$IPROUTE" ]; then
> + sed 's/cache//;s/metric \?[0-9]\+ [0-9]\+//g;s/hoplimit
> [0-9]\+//g'
> }
> - else
> - get_default_gw() {
> -- netstat -r -n | grep '^0.0.0.0' | awk '{print $2}'
> -+ if [ "$OS" = "OpenBSD" ]; then
> -+ netstat -r -n | grep '^default' | awk '{print $2}'
> -+ else
> -+ netstat -r -n | grep '^0.0.0.0' | awk '{print $2}'
> -+ fi
> - }
> -
> - set_vpngateway_route() {
> -@@ -215,15 +219,21 @@ do_connect() {
> - echo "$CISCO_BANNER" | while read LINE ; do echo "|" "$LINE" ;
> done
> - echo
> - fi
> --
> -+
> -+ if [ ! -d /var/run/vpnc ]; then
> -+ mkdir /var/run/vpnc || exit $?
> -+ fi
> -+
> - do_ifconfig
> - set_vpngateway_route
> - if [ -n "$CISCO_SPLIT_INC" ]; then
> -- for ((i = 0 ; i < CISCO_SPLIT_INC ; i++ )) ; do
> -+ i=0
> -+ while [ $i -lt $CISCO_SPLIT_INC ]; do
> - eval NETWORK="\${CISCO_SPLIT_INC_${i}_ADDR}"
> - eval NETMASK="\${CISCO_SPLIT_INC_${i}_MASK}"
> - eval NETMASKLEN="\${CISCO_SPLIT_INC_${i}_MASKLEN}"
> - set_network_route "$NETWORK" "$NETMASK" "$NETMASKLEN"
> -+ i=`expr $i + 1`
> - done
> - for i in $INTERNAL_IP4_DNS ; do
> - set_network_route "$i" "255.255.255.255" "32"
> -@@ -239,11 +249,13 @@ do_connect() {
> -
> - do_disconnect() {
> - if [ -n "$CISCO_SPLIT_INC" ]; then
> -- for ((i = 0 ; i < CISCO_SPLIT_INC ; i++ )) ; do
> -+ i=0
> -+ while [ $i -lt $CISCO_SPLIT_INC ]; do
> - eval NETWORK="\${CISCO_SPLIT_INC_${i}_ADDR}"
> - eval NETMASK="\${CISCO_SPLIT_INC_${i}_MASK}"
> - eval NETMASKLEN="\${CISCO_SPLIT_INC_${i}_MASKLEN}"
> - del_network_route "$NETWORK" "$NETMASK" "$NETMASKLEN"
> -+ i=`expr $i + 1`
> - done
> - for i in $INTERNAL_IP4_DNS ; do
> - del_network_route "$i" "255.255.255.255" "32"
> +@@ -195,6 +195,13 @@ else # use route command
> + case "$OS" in
> + Linux|NetBSD) # and probably others...
> + # routes are deleted automatically on device shutdown
> ++ return
> ++ ;;
> ++ OpenBSD)
> ++ # delete only routes that are present
> ++ if [ `route -n get $1|grep $2|wc -l` -ne 0 ]; then
> ++ route $route_syntax_del -net "$NETWORK"
> $route_syntax_netmask "$NETMASK" $route_syntax_gw "$INTERNAL_IP4_ADDRESS"
> ++ fi
> + return
> + ;;
> + esac
> Index: patches/patch-vpnc_c
> ===================================================================
> RCS file: /cvs/ports/security/vpnc/patches/patch-vpnc_c,v
> retrieving revision 1.2
> diff -u -p -r1.2 patch-vpnc_c
> --- patches/patch-vpnc_c 11 Nov 2005 19:38:07 -0000 1.2
> +++ patches/patch-vpnc_c 31 Mar 2008 13:58:49 -0000
> @@ -1,7 +1,7 @@
> $OpenBSD: patch-vpnc_c,v 1.2 2005/11/11 19:38:07 sturm Exp $
> ---- vpnc.c.orig Fri Nov 4 00:09:49 2005
> -+++ vpnc.c Fri Nov 4 00:11:03 2005
> -@@ -196,10 +196,11 @@ static void addenv(const void *name, con
> +--- vpnc.c.orig Mon Sep 10 15:39:48 2007
> ++++ vpnc.c Wed Sep 12 16:47:27 2007
> +@@ -159,10 +159,11 @@ static void addenv(const void *name, const char *value
>
> oldval = getenv(name);
> if (oldval != NULL) {
> Index: patches/patch-vpnc_conf
> ===================================================================
> RCS file: patches/patch-vpnc_conf
> diff -N patches/patch-vpnc_conf
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-vpnc_conf 31 Mar 2008 13:58:49 -0000
> @@ -0,0 +1,10 @@
> +$OpenBSD$
> +--- vpnc.conf.orig Thu Sep 13 22:40:00 2007
> ++++ vpnc.conf Thu Sep 13 22:39:04 2007
> +@@ -4,3 +4,6 @@ IPSec secret <group-psk>
> + IKE Authmode hybrid
> + Xauth username <username>
> + Xauth password <password>
> ++
> ++# run script to manipulate dns and routing settings
> ++#Script /etc/vpnc/split.sh
> Index: pkg/PLIST
> ===================================================================
> RCS file: /cvs/ports/security/vpnc/pkg/PLIST,v
> retrieving revision 1.5
> diff -u -p -r1.5 PLIST
> --- pkg/PLIST 29 Jun 2006 17:26:15 -0000 1.5
> +++ pkg/PLIST 31 Mar 2008 13:58:49 -0000
> @@ -5,6 +5,10 @@ share/doc/vpnc/
> share/doc/vpnc/README
> share/examples/vpnc/
> @sample ${SYSCONFDIR}/vpnc/
> +share/examples/vpnc/split.sh
> [EMAIL PROTECTED] 0755
> [EMAIL PROTECTED] ${SYSCONFDIR}/vpnc/split.sh
> [EMAIL PROTECTED]
> share/examples/vpnc/vpnc-script
> @mode 0755
> @sample ${SYSCONFDIR}/vpnc/vpnc-script
>
