#!/bin/sh # PROVIDE: iked # REQUIRE: LOGIN # KEYWORD: shutdown # # Add these lines to /etc/rc.conf.local or /etc/rc.conf # to enable this service: # # iked_enable (bool): Set to NO by default. # Set it to YES to enable iked. # iked_ramdisk (bool): Set to NO by default. See below. # # When iked_ramdisk is set to YES, the rc.d script will make sure # all directories exist, but will not generate a key pair if none # exists. The daemon is not started when the key pair no config # files are missing. It is assumed the ramdisk is not populated # completely. When iked_ramdisk is NO, key pairs are created as # needed and thr daemon is started unconditionally. . /etc/rc.subr name=iked desc="IKEv2 daemon" rcvar=iked_enable load_rc_config $name : ${iked_enable:=NO} : ${iked_ramdisk=NO} command=%%PREFIX%%/sbin/iked start_precmd=iked_precmd iked_config=%%PREFIX%%/etc/iked.conf iked_rootdir=%%PREFIX%%/etc/iked iked_privkey=${iked_rootdir}/private/local.key iked_pubkey=${iked_rootdir}/local.pub iked_precmd() { if checkyesno iked_ramdisk; then # Make sure we have our directory hierarchy. for D in ca certs crls export private pubkeys \ pubkeys/fqdn pubkeys/ipv4 pubkeys/ipv6 pubkeys/ufqdn; do mkdir -p %%PREFIX%%/etc/iked/$D done chmod 700 %%PREFIX%%/etc/iked/private else # Create a key pair if not already present. if test ! -f $iked_privkey; then /usr/bin/openssl genrsa -out $iked_privkey 2048 /bin/chmod 600 $iked_privkey /usr/bin/openssl rsa -out $iked_pubkey \ -in $iked_privkey -pubout fi fi # We must have a private key and a configuration file. # Don't start iked when those are missing. if test ! \( -f $iked_privkey -a -f $iked_config \); then # Be quiet about it; it must be intentional. exit 1 fi } run_rc_command "$1"