summaryrefslogtreecommitdiffstats
path: root/package/strongswan
diff options
context:
space:
mode:
authorflorian <florian@3c298f89-4303-0410-b956-a3cf2f4a3e73>2007-02-28 13:30:51 +0000
committerflorian <florian@3c298f89-4303-0410-b956-a3cf2f4a3e73>2007-02-28 13:30:51 +0000
commitdceafb31b9e065bdf5197b1b85b0f94933e88fa7 (patch)
tree9651a517795b0064548993905ffe2979e28fdd7a /package/strongswan
parent5af0df16d07fbff270ccd6e4bb1cbd2f2d869c83 (diff)
Add strongswan (#1330)
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@6429 3c298f89-4303-0410-b956-a3cf2f4a3e73
Diffstat (limited to 'package/strongswan')
-rw-r--r--package/strongswan/Makefile96
-rw-r--r--package/strongswan/files/ipsec.button34
-rw-r--r--package/strongswan/files/ipsec.conf34
-rw-r--r--package/strongswan/files/ipsec.config21
-rw-r--r--package/strongswan/files/ipsec.cron2
-rw-r--r--package/strongswan/files/ipsec.iface8
-rw-r--r--package/strongswan/files/ipsec.init101
-rw-r--r--package/strongswan/patches/100-ar-fixes.patch76
-rw-r--r--package/strongswan/patches/110-make-ipsec.patch10
-rw-r--r--package/strongswan/patches/120-make-pluto.patch12
-rw-r--r--package/strongswan/patches/130-make-starter.patch20
-rw-r--r--package/strongswan/patches/200-wakeup-showstatus.patch227
-rw-r--r--package/strongswan/patches/210-updown.patch660
-rw-r--r--package/strongswan/patches/300-openwrt.patch24
-rw-r--r--package/strongswan/patches/310-make-ipsec-alg.patch18
-rw-r--r--package/strongswan/patches/320-no-modprobe.patch105
-rw-r--r--package/strongswan/patches/350-make-programs.patch20
17 files changed, 1468 insertions, 0 deletions
diff --git a/package/strongswan/Makefile b/package/strongswan/Makefile
new file mode 100644
index 000000000..7169635e0
--- /dev/null
+++ b/package/strongswan/Makefile
@@ -0,0 +1,96 @@
+#
+# Copyright (C) 2006 OpenWrt.org
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+# $Id: Makefile $
+
+include $(TOPDIR)/rules.mk
+include $(INCLUDE_DIR)/kernel.mk
+
+PKG_NAME:=strongswan
+PKG_VERSION:=2.8.2
+PKG_RELEASE:=1
+
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
+PKG_SOURCE_URL:=http://download.strongswan.org/
+PKG_MD5SUM:=57427f5b48123851a73b10d78dd4f8d6
+PKG_CAT:=bzcat
+
+PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
+PKG_INSTALL_DIR:=$(PKG_BUILD_DIR)/ipkg-install
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/strongswan/Default
+ TITLE:=strongSwan
+ DESCRIPTION:=\
+ strongSwan is an IPsec implementation for Linux.
+ URL:=http://www.strongswan.org/
+endef
+
+define Package/strongswan
+ $(call Package/strongswan/Default)
+ SECTION:=net
+ CATEGORY:=Network
+ DEPENDS:=+kmod-strongswan +libgmp @LINUX_2_4
+ TITLE+= (daemon)
+ DESCRIPTION+=\\\
+ \\\
+ This package contains the strongSwan user-land daemon.
+ URL:=http://www.strongswan.org/
+endef
+
+define KernelPackage/strongswan
+ SUBMENU:=Network Support
+ $(call Package/strongswan/Default)
+ TITLE+= (kernel module)
+ DESCRIPTION+=\\\
+ \\\
+ This package contains the strongSwan kernel module.
+ VERSION:=$(LINUX_VERSION)+$(PKG_VERSION)-$(BOARD)-$(PKG_RELEASE)
+ FILES:=$(PKG_BUILD_DIR)/linux/net/ipsec/ipsec.$(LINUX_KMOD_SUFFIX)
+ AUTOLOAD:=$(call AutoLoad,50,ipsec)
+endef
+
+PKG_MAKE_OPTS:= \
+ LINUX_RELEASE="$(LINUX_RELEASE)" \
+ KERNELSRC="$(LINUX_DIR)" \
+ ARCH="$(LINUX_KARCH)" \
+ CROSS_COMPILE="$(TARGET_CROSS)" \
+ USERCOMPILE="$(TARGET_CFLAGS) -I./linux/include -I$(STAGING_DIR)/usr/include -L$(STAGING_DIR)/usr/lib" \
+ IPSECDIR="/usr/lib/ipsec" \
+ INC_USRLOCAL="/usr" \
+
+define Build/Compile
+ $(MAKE) -C $(PKG_BUILD_DIR) \
+ $(TARGET_CONFIGURE_OPTS) \
+ $(PKG_MAKE_OPTS) \
+ LDFLAGS="-L$(STAGING_DIR)/usr/lib -L$(STAGING_DIR)/lib" \
+ DESTDIR="$(PKG_INSTALL_DIR)" \
+ programs module install
+endef
+
+define Package/strongswan/install
+ $(CP) $(PKG_INSTALL_DIR)/* $(1)
+ $(INSTALL_DIR) $(1)/etc/init.d
+ $(INSTALL_DIR) $(1)/etc/config
+ $(INSTALL_DIR) $(1)/etc/cron.tick
+ $(INSTALL_DIR) $(1)/etc/hotplug.d/iface
+ $(INSTALL_DIR) $(1)/etc/hotplug.d/button
+ $(INSTALL_BIN) ./files/ipsec.init $(1)/etc/init.d/ipsec
+ $(INSTALL_BIN) ./files/ipsec.cron $(1)/etc/cron.tick/ipsec-wakeup
+ $(INSTALL_BIN) ./files/ipsec.iface $(1)/etc/hotplug.d/iface/65-ipsec
+ $(INSTALL_BIN) ./files/ipsec.button $(1)/etc/hotplug.d/button/65-ipsec
+ $(INSTALL_DATA) ./files/ipsec.config $(1)/etc/config/ipsec
+ $(INSTALL_DATA) ./files/ipsec.conf $(1)/etc/ipsec.conf
+ rm -rf $(1)/usr/share
+ rm -rf $(1)/usr/man
+ rm -rf $(1)/var
+ rm -rf $(1)/etc/rc.d
+ find $(1) -name \*.old | xargs rm -rf
+endef
+
+$(eval $(call BuildPackage,strongswan))
+$(eval $(call KernelPackage,strongswan))
diff --git a/package/strongswan/files/ipsec.button b/package/strongswan/files/ipsec.button
new file mode 100644
index 000000000..9bd902356
--- /dev/null
+++ b/package/strongswan/files/ipsec.button
@@ -0,0 +1,34 @@
+#!/bin/sh
+
+# snarf the code that loads the config values
+# since we also load the functions, might as well save the shell calls
+. /etc/init.d/ipsec
+
+[ -n "$IPSEC_RESET_BUTTON" -a "$BUTTON" = "$IPSEC_RESET_BUTTON" ] || exit
+
+if [ ! -e /var/run/pluto.pid ] ; then
+
+ [ "$ACTION" = "pressed" ] && start
+
+else
+
+ if [ "$ACTION" = "pressed" ] ; then
+
+ stop
+
+ elif [ "$ACTION" = "released" ] ; then
+
+ while [ -e /var/run/pluto.pid ] ; do
+ sleep 1
+ done
+
+ while ps auxww | grep ipsec | grep -v grep ; do
+ sleep 1
+ done
+
+ start
+
+ fi
+
+fi
+
diff --git a/package/strongswan/files/ipsec.conf b/package/strongswan/files/ipsec.conf
new file mode 100644
index 000000000..8f5900883
--- /dev/null
+++ b/package/strongswan/files/ipsec.conf
@@ -0,0 +1,34 @@
+
+version 2.0
+
+config setup
+ interfaces=%defaultroute
+ nat_traversal=yes # required on both ends
+ uniqueids=yes # makes sense on client, not server
+ hidetos=no
+
+conn %default
+ authby=rsasig
+ keyingtries=3
+ keyexchange=ike
+ left=%defaultroute
+ leftrsasigkey=%cert
+ rightrsasigkey=%cert
+ dpdtimeout=30 # keepalive must arrive within
+ dpddelay=5 # secs before keepalives start
+ compress=no # breaks double nat installations
+ pfs=yes
+
+conn sample
+ leftca=%same
+ leftcert=my.certificate.crt
+ leftsourceip=192.168.10.1
+ leftsubnet=192.168.10.0/24
+ right=my.vpn.concentrator.net.
+ rightca=%same
+ rightid="C=??, ST=??, O=??, OU=??, CN=my.vpn.concentrator.net, E=root@concentrator.net"
+ rightsourceip=192.168.11.1
+ rightsubnet=192.168.11.0/24
+ dpdaction=hold
+ auto=start
+
diff --git a/package/strongswan/files/ipsec.config b/package/strongswan/files/ipsec.config
new file mode 100644
index 000000000..b4865e40b
--- /dev/null
+++ b/package/strongswan/files/ipsec.config
@@ -0,0 +1,21 @@
+
+# Configure button/light behavior here.
+config device
+ option reset_button ses
+ option status_start ses_orange
+ option status_valid ses_white
+
+# iptables setup for traffic to/from this host
+config filter
+ option rule_in input_rule
+ option dest_in ACCEPT
+ option rule_out output_rule
+ option dest_out ACCEPT
+
+# iptables setup for traffic to/from another host
+config forward
+ option rule_in forwarding_rule
+ option dest_in forwarding_vpn_in
+ option rule_out forwarding_rule
+ option dest_out forwarding_vpn_out
+
diff --git a/package/strongswan/files/ipsec.cron b/package/strongswan/files/ipsec.cron
new file mode 100644
index 000000000..d8c7dccfa
--- /dev/null
+++ b/package/strongswan/files/ipsec.cron
@@ -0,0 +1,2 @@
+#!/bin/sh
+/usr/sbin/ipsec wakeup
diff --git a/package/strongswan/files/ipsec.iface b/package/strongswan/files/ipsec.iface
new file mode 100644
index 000000000..95e0958b8
--- /dev/null
+++ b/package/strongswan/files/ipsec.iface
@@ -0,0 +1,8 @@
+NAME=ipsec
+CTLFILE="/var/run/pluto.ctl"
+
+[ "$ACTION" = "ifup" -a "$INTERFACE" = "wan" ] || exit
+
+[ -e "$CTLFILE" ] || exit
+
+/etc/init.d/ipsec restart
diff --git a/package/strongswan/files/ipsec.init b/package/strongswan/files/ipsec.init
new file mode 100644
index 000000000..4e8b8a216
--- /dev/null
+++ b/package/strongswan/files/ipsec.init
@@ -0,0 +1,101 @@
+#!/bin/sh /etc/rc.common
+
+START=65
+
+config_cb() {
+ local cfg="$CONFIG_SECTION"
+ local cfgt
+ config_get cfgt "$cfg" TYPE
+
+ case "$cfgt" in
+ device)
+ config_get IPSEC_RESET_BUTTON $cfg reset_button
+ config_get IPSEC_STATUS_LED_START $cfg status_start
+ config_get IPSEC_STATUS_LED_VALID $cfg status_valid
+ ;;
+ filter)
+ config_get IPSEC_UPDOWN_RULE_IN $cfg rule_in
+ config_get IPSEC_UPDOWN_DEST_IN $cfg dest_in
+ config_get IPSEC_UPDOWN_RULE_OUT $cfg rule_out
+ config_get IPSEC_UPDOWN_DEST_OUT $cfg dest_out
+ ;;
+ forward)
+ config_get IPSEC_UPDOWN_FWD_RULE_IN $cfg rule_in
+ config_get IPSEC_UPDOWN_FWD_DEST_IN $cfg dest_in
+ config_get IPSEC_UPDOWN_FWD_RULE_OUT $cfg rule_out
+ config_get IPSEC_UPDOWN_FWD_DEST_OUT $cfg dest_out
+ ;;
+ *)
+ ;;
+ esac
+}
+
+config_load ipsec
+
+export IPSEC_RESET_BUTTON
+export IPSEC_STATUS_LED_START
+export IPSEC_STATUS_LED_VALID
+
+export IPSEC_UPDOWN_RULE_IN
+export IPSEC_UPDOWN_DEST_IN
+export IPSEC_UPDOWN_RULE_OUT
+export IPSEC_UPDOWN_DEST_OUT
+
+export IPSEC_UPDOWN_FWD_RULE_IN
+export IPSEC_UPDOWN_FWD_DEST_IN
+export IPSEC_UPDOWN_FWD_RULE_OUT
+export IPSEC_UPDOWN_FWD_DEST_OUT
+
+
+start() {
+
+ [ -f /etc/ipsec.conf ] || exit
+ [ -e /var/run/starter.pid ] && exit
+
+ /usr/sbin/ipsec _showstatus start
+
+ # stuff the dnsmasq cache in case dns is on our own subnet
+ for peer in `grep left= /etc/ipsec.conf | \
+ cut -f 1 -d% | cut -f 2 -d=` ; do
+ ping -c 1 $peer > /dev/null 2>&1
+ done
+
+ /usr/sbin/ipsec start || exit
+
+ # work around broken routing behavior:
+ # a route to the local wan segment will appear
+ # the need was removed in the patched _updown script
+
+ while ! route -n | grep -q ipsec ; do sleep 1 ; done
+
+ defint=`route -n | awk '/^0.0.0.0/{print $8}'`
+ defnet=`route -n | grep $defint | awk '!/^0.0.0.0/{print $1}'`
+ dnmask=`route -n | grep $defint | awk '!/^0.0.0.0/{print $3}'`
+ tundev=`route -n | grep $defnet | awk '/ipsec/{print $8}'`
+
+ route del -net $defnet netmask $dnmask dev $tundev
+}
+
+
+stop() {
+
+ /usr/sbin/ipsec stop 2> /dev/null
+
+ # wait until the shutdown actually happens
+ while [ -e /var/run/starter.pid ] ; do
+ if [ -d /proc/`cat /var/run/starter.pid` ] ; then
+ sleep 1
+ else
+ rm /var/run/starter.pid
+ fi
+ done
+
+ # kill any lingering processes
+ while ps auxww | grep -q ipsec | grep -v init.d; do
+ kill `ps auxww | grep -v init.d | awk '/\/ipsec\//{print $1}'` 2> /dev/null
+ sleep 1
+ done
+
+ ipsec _showstatus stop
+}
+
diff --git a/package/strongswan/patches/100-ar-fixes.patch b/package/strongswan/patches/100-ar-fixes.patch
new file mode 100644
index 000000000..d6ce9f337
--- /dev/null
+++ b/package/strongswan/patches/100-ar-fixes.patch
@@ -0,0 +1,76 @@
+diff -ruN strongswan-2.8.1-orig/lib/libcrypto/libaes/Makefile strongswan-2.8.1/lib/libcrypto/libaes/Makefile
+--- strongswan-2.8.1-orig/lib/libcrypto/libaes/Makefile 2004-03-22 16:53:16.000000000 -0500
++++ strongswan-2.8.1/lib/libcrypto/libaes/Makefile 2007-01-17 00:48:52.260789653 -0500
+@@ -25,10 +25,8 @@
+
+ $(BLIB): $(LIBOBJ)
+ /bin/rm -f $(BLIB)
+- ar cr $(BLIB) $(LIBOBJ)
+- -if test -s /bin/ranlib; then /bin/ranlib $(BLIB); \
+- else if test -s /usr/bin/ranlib; then /usr/bin/ranlib $(BLIB); \
+- else exit 0; fi; fi
++ $(AR) cr $(BLIB) $(LIBOBJ)
++ $(RANLIB) $(BLIB)
+
+ testx: test_main_mac.o $(BLIB)
+ $(CC) -o $@ $^
+diff -ruN strongswan-2.8.1-orig/lib/libcrypto/libblowfish/Makefile strongswan-2.8.1/lib/libcrypto/libblowfish/Makefile
+--- strongswan-2.8.1-orig/lib/libcrypto/libblowfish/Makefile 2004-03-22 16:53:16.000000000 -0500
++++ strongswan-2.8.1/lib/libcrypto/libblowfish/Makefile 2007-01-17 01:40:41.716879761 -0500
+@@ -58,7 +58,7 @@
+ lib: $(LIB)
+
+ $(LIB): $(LIBOBJ)
+- $(AR) $(LIB) $(LIBOBJ)
++ $(AR) -r $(LIB) $(LIBOBJ)
+ $(RANLIB) $(LIB)
+
+ # elf
+diff -ruN strongswan-2.8.1-orig/lib/libcrypto/libserpent/Makefile strongswan-2.8.1/lib/libcrypto/libserpent/Makefile
+--- strongswan-2.8.1-orig/lib/libcrypto/libserpent/Makefile 2004-03-22 16:53:16.000000000 -0500
++++ strongswan-2.8.1/lib/libcrypto/libserpent/Makefile 2007-01-17 00:50:37.692571031 -0500
+@@ -8,10 +8,8 @@
+
+ $(BLIB): $(LIBOBJ)
+ /bin/rm -f $(BLIB)
+- ar cr $(BLIB) $(LIBOBJ)
+- -if test -s /bin/ranlib; then /bin/ranlib $(BLIB); \
+- else if test -s /usr/bin/ranlib; then /usr/bin/ranlib $(BLIB); \
+- else exit 0; fi; fi
++ $(AR) cr $(BLIB) $(LIBOBJ)
++ $(RANLIB) $(BLIB)
+
+ test: test_main.o $(BLIB)
+ $(CC) -o $@ $^
+diff -ruN strongswan-2.8.1-orig/lib/libcrypto/libsha2/Makefile strongswan-2.8.1/lib/libcrypto/libsha2/Makefile
+--- strongswan-2.8.1-orig/lib/libcrypto/libsha2/Makefile 2004-03-22 16:53:16.000000000 -0500
++++ strongswan-2.8.1/lib/libcrypto/libsha2/Makefile 2007-01-17 00:50:46.050791555 -0500
+@@ -9,10 +9,8 @@
+
+ $(BLIB): $(LIBOBJ)
+ /bin/rm -f $(BLIB)
+- ar cr $(BLIB) $(LIBOBJ)
+- -if test -s /bin/ranlib; then /bin/ranlib $(BLIB); \
+- else if test -s /usr/bin/ranlib; then /usr/bin/ranlib $(BLIB); \
+- else exit 0; fi; fi
++ $(AR) cr $(BLIB) $(LIBOBJ)
++ $(RANLIB) $(BLIB)
+
+ test: test_main.o $(BLIB)
+ $(CC) -o $@ $^
+diff -ruN strongswan-2.8.1-orig/lib/libcrypto/libtwofish/Makefile strongswan-2.8.1/lib/libcrypto/libtwofish/Makefile
+--- strongswan-2.8.1-orig/lib/libcrypto/libtwofish/Makefile 2004-03-22 16:53:17.000000000 -0500
++++ strongswan-2.8.1/lib/libcrypto/libtwofish/Makefile 2007-01-17 00:50:53.533988997 -0500
+@@ -9,10 +9,8 @@
+
+ $(BLIB): $(LIBOBJ)
+ /bin/rm -f $(BLIB)
+- ar cr $(BLIB) $(LIBOBJ)
+- -if test -s /bin/ranlib; then /bin/ranlib $(BLIB); \
+- else if test -s /usr/bin/ranlib; then /usr/bin/ranlib $(BLIB); \
+- else exit 0; fi; fi
++ $(AR) cr $(BLIB) $(LIBOBJ)
++ $(RANLIB) $(BLIB)
+
+ test: test_main.o $(BLIB)
+ $(CC) -o $@ $^
diff --git a/package/strongswan/patches/110-make-ipsec.patch b/package/strongswan/patches/110-make-ipsec.patch
new file mode 100644
index 000000000..861def411
--- /dev/null
+++ b/package/strongswan/patches/110-make-ipsec.patch
@@ -0,0 +1,10 @@
+diff -ruN strongswan-2.8.1-orig/programs/ipsec/Makefile strongswan-2.8.1/programs/ipsec/Makefile
+--- strongswan-2.8.1-orig/programs/ipsec/Makefile 2006-02-10 06:27:31.000000000 -0500
++++ strongswan-2.8.1/programs/ipsec/Makefile 2007-01-17 02:46:06.027124968 -0500
+@@ -24,5 +24,5 @@
+ include ../Makefile.program
+
+ install:: ipsec
+- @$(INSTALL) $(INSTBINFLAGS) ipsec $(RCDIR)/ipsec
++ @$(INSTALL) $(INSTBINFLAGS) -D ipsec $(RCDIR)/ipsec
+
diff --git a/package/strongswan/patches/120-make-pluto.patch b/package/strongswan/patches/120-make-pluto.patch
new file mode 100644
index 000000000..890863fa0
--- /dev/null
+++ b/package/strongswan/patches/120-make-pluto.patch
@@ -0,0 +1,12 @@
+diff -ruN strongswan-2.8.1-orig/programs/pluto/alg/Makefile strongswan-2.8.1/programs/pluto/alg/Makefile
+--- strongswan-2.8.1-orig/programs/pluto/alg/Makefile 2004-06-23 00:45:20.000000000 -0400
++++ strongswan-2.8.1/programs/pluto/alg/Makefile 2007-01-17 00:19:58.249033414 -0500
+@@ -20,7 +20,7 @@
+ include Config.ike_alg
+
+ LIBCRYPTO:=../../../lib/libcrypto
+-ALLFLAGS=$(CPPFLAGS) $(CFLAGS) -I .. -I- -I ../../../linux/include -I $(LIBCRYPTO)
++ALLFLAGS=$(CPPFLAGS) $(CFLAGS) -I .. -I- -I ../../../linux/include -I $(LIBCRYPTO) $(USERCOMPILE)
+ LIBALG := libalg.o
+
+ all : $(LIBALG)
diff --git a/package/strongswan/patches/130-make-starter.patch b/package/strongswan/patches/130-make-starter.patch
new file mode 100644
index 000000000..9250f0108
--- /dev/null
+++ b/package/strongswan/patches/130-make-starter.patch
@@ -0,0 +1,20 @@
+diff -ruN strongswan-2.8.1-orig/programs/starter/Makefile strongswan-2.8.1/programs/starter/Makefile
+--- strongswan-2.8.1-orig/programs/starter/Makefile 2006-02-17 14:34:02.000000000 -0500
++++ strongswan-2.8.1/programs/starter/Makefile 2007-01-17 16:15:30.740490094 -0500
+@@ -16,7 +16,6 @@
+ FREESWANSRCDIR?=$(shell cd ../..; pwd)
+ include ${FREESWANSRCDIR}/Makefile.inc
+
+-LD=$(CC)
+ RM=rm
+ LEX=flex
+ BISON=bison
+@@ -59,7 +58,7 @@
+ all: starter
+
+ starter: $(OBJS) $(FREESWANLIB)
+- $(LD) $(LDFLAGS) -o starter $(OBJS) $(LIBS)
++ $(CC) $(LDFLAGS) -o starter $(OBJS) $(LIBS)
+
+ lex.yy.c: parser.tab.c parser.l parser.y parser.h
+ $(LEX) parser.l
diff --git a/package/strongswan/patches/200-wakeup-showstatus.patch b/package/strongswan/patches/200-wakeup-showstatus.patch
new file mode 100644
index 000000000..272228245
--- /dev/null
+++ b/package/strongswan/patches/200-wakeup-showstatus.patch
@@ -0,0 +1,227 @@
+diff -ruN strongswan-2.8.2-orig/programs/Makefile strongswan-2.8.2/programs/Makefile
+--- strongswan-2.8.2-orig/programs/Makefile 2006-08-28 07:12:36.000000000 -0400
++++ strongswan-2.8.2/programs/Makefile 2007-02-05 00:27:47.214280563 -0500
+@@ -22,7 +22,7 @@
+ SUBDIRS+=_realsetup _secretcensor _startklips _updown _updown_espmark
+ SUBDIRS+=auto barf ipsec look manual ranbits secrets starter
+ SUBDIRS+=rsasigkey send-pr setup showdefaults showhostkey calcgoo mailkey
+-SUBDIRS+=ikeping examples openac scepclient
++SUBDIRS+=ikeping examples openac scepclient _showstatus wakeup
+
+ ifeq ($(USE_LWRES),true)
+ SUBDIRS+=lwdnsq
+diff -ruN strongswan-2.8.2-orig/programs/_showstatus/Makefile strongswan-2.8.2/programs/_showstatus/Makefile
+--- strongswan-2.8.2-orig/programs/_showstatus/Makefile 1969-12-31 19:00:00.000000000 -0500
++++ strongswan-2.8.2/programs/_showstatus/Makefile 2007-02-05 00:31:11.380714322 -0500
+@@ -0,0 +1,22 @@
++# Makefile for miscelaneous programs
++# Copyright (C) 2002 Michael Richardson <mcr@freeswan.org>
++#
++# This program is free software; you can redistribute it and/or modify it
++# under the terms of the GNU General Public License as published by the
++# Free Software Foundation; either version 2 of the License, or (at your
++# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
++#
++# This program is distributed in the hope that it will be useful, but
++# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
++# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++# for more details.
++#
++# RCSID $Id: Makefile,v 1.3 2006/04/17 06:48:49 as Exp $
++
++FREESWANSRCDIR=../..
++include ${FREESWANSRCDIR}/Makefile.inc
++
++PROGRAM=_showstatus
++PROGRAMDIR=${LIBDIR}
++
++include ../Makefile.program
+diff -ruN strongswan-2.8.2-orig/programs/_showstatus/_showstatus.8 strongswan-2.8.2/programs/_showstatus/_showstatus.8
+--- strongswan-2.8.2-orig/programs/_showstatus/_showstatus.8 1969-12-31 19:00:00.000000000 -0500
++++ strongswan-2.8.2/programs/_showstatus/_showstatus.8 2007-02-05 00:36:00.650410824 -0500
+@@ -0,0 +1,23 @@
++.TH _showstatus 8 "03 Feb 2007"
++.\"
++.\" RCSID $Id: _showstatus.8
++.\"
++.SH NAME
++ipsec _showstatus \- give state feedback via led or other method
++.SH SYNOPSIS
++.I _showstatus
++is invoked by _updown to trigger led's, or other distribution
++or platform specific behavior. Presently, the SES button is
++supported as a status light on OpenWRT platforms. The button
++is configurable by environment variable:
++-B IPSEC_STATUS_LED_START
++defaults to ses_orange, and
++-B IPSEC_STATUS_LED_VALID
++defaults to ses_white.
++.SH "SEE ALSO"
++ipsec(8), ipsec_updown(8).
++.SH HISTORY
++Man page written for the Linux strongSwan project <http://www.strongswan.org/>
++by Kevin Cody Jr. Original manpage for _updown by Michael Richardson.
++Original program written by Henry Spencer. Extended for the Linux strongSwan
++project <http://www.strongswan.org/> by Andreas Steffen.
+diff -ruN strongswan-2.8.2-orig/programs/_showstatus/_showstatus.in strongswan-2.8.2/programs/_showstatus/_showstatus.in
+--- strongswan-2.8.2-orig/programs/_showstatus/_showstatus.in 1969-12-31 19:00:00.000000000 -0500
++++ strongswan-2.8.2/programs/_showstatus/_showstatus.in 2007-02-05 00:55:56.563116192 -0500
+@@ -0,0 +1,70 @@
++#! /bin/sh
++#
++# Copyright (C) 2007 Kevin Cody Jr. <kcody@vegaresearch.com>
++#
++# This program is free software; you can redistribute it and/or modify it
++# under the terms of the GNU General Public License as published by the
++# Free Software Foundation; either version 2 of the License, or (at your
++# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
++#
++# This program is distributed in the hope that it will be useful, but
++# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
++# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++# for more details.
++#
++# RCSID $Id: _showstatus.in
++
++
++LED_START=$IPSEC_STATUS_LED_START
++LED_VALID=$IPSEC_STATUS_LED_VALID
++
++[ -z "$LED_START" ] && LED_START="ses_orange"
++[ -z "$LED_VALID" ] && LED_VALID="ses_white"
++
++
++setled() {
++ led=$1
++ st=$2
++
++ [ -n "$led" -a -n "$st" ] || return
++
++ if [ -w "/proc/diag/led/$led" ] ; then
++ echo "$st" > "/proc/diag/led/$led"
++ fi
++
++ # integrate other led control methods here
++
++}
++
++
++case "$1" in
++ 'start')
++ [ -n "$LED_VALID" ] && setled "$LED_START" 1
++ [ -z "$LED_VALID" ] && setled "$LED_START" f
++ setled "$LED_VALID" 0
++ ;;
++ 'stop')
++ setled "$LED_START" 0
++ setled "$LED_VALID" 0
++ ;;
++ 'valid')
++ setled "$LED_VALID" 1
++ ;;
++ 'invalid')
++ setled "$LED_VALID" 0
++ ;;
++ 'up')
++ [ -n "$LED_VALID" ] && setled "$LED_START" 0
++ [ -z "$LED_VALID" ] && setled "$LED_START" 1
++ setled "$LED_VALID" 1
++ ;;
++ 'down')
++ [ -n "$LED_VALID" ] && setled "$LED_START" 1
++ [ -z "$LED_VALID" ] && setled "$LED_START" f
++ setled "$LED_VALID" f
++ ;;
++ *)
++ echo "$0: unknown status $status" >&2
++ ;;
++esac
++
+diff -ruN strongswan-2.8.2-orig/programs/wakeup/Makefile strongswan-2.8.2/programs/wakeup/Makefile
+--- strongswan-2.8.2-orig/programs/wakeup/Makefile 1969-12-31 19:00:00.000000000 -0500
++++ strongswan-2.8.2/programs/wakeup/Makefile 2007-02-05 00:28:03.960726309 -0500
+@@ -0,0 +1,22 @@
++# Makefile for miscelaneous programs
++# Copyright (C) 2002 Michael Richardson <mcr@freeswan.org>
++#
++# This program is free software; you can redistribute it and/or modify it
++# under the terms of the GNU General Public License as published by the
++# Free Software Foundation; either version 2 of the License, or (at your
++# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
++#
++# This program is distributed in the hope that it will be useful, but
++# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
++# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++# for more details.
++#
++# RCSID $Id: Makefile,v 1.3 2006/04/17 06:48:49 as Exp $
++
++FREESWANSRCDIR=../..
++include ${FREESWANSRCDIR}/Makefile.inc
++
++PROGRAM=wakeup
++PROGRAMDIR=${LIBDIR}
++
++include ../Makefile.program
+diff -ruN strongswan-2.8.2-orig/programs/wakeup/wakeup.8 strongswan-2.8.2/programs/wakeup/wakeup.8
+--- strongswan-2.8.2-orig/programs/wakeup/wakeup.8 1969-12-31 19:00:00.000000000 -0500
++++ strongswan-2.8.2/programs/wakeup/wakeup.8 2007-02-05 00:36:34.029298760 -0500
+@@ -0,0 +1,16 @@
++.TH wakeup 8 "03 Feb 2007"
++.\"
++.\" RCSID $Id: wakeup.8
++.\"
++.SH NAME
++ipsec wakeup \- stalled and down connection detection
++.SH SYNOPSIS
++.I wakeup
++is invoked by cron and checks ipsec status, whacking as necessary.
++.SH "SEE ALSO"
++ipsec(8), ipsec_whack(8).
++.SH HISTORY
++Man page written for the Linux strongSwan project <http://www.strongswan.org/>
++by Kevin Cody Jr. Original manpage for _updown by Michael Richardson.
++Original program written by Henry Spencer. Extended for the Linux strongSwan
++project <http://www.strongswan.org/> by Andreas Steffen.
+diff -ruN strongswan-2.8.2-orig/programs/wakeup/wakeup.in strongswan-2.8.2/programs/wakeup/wakeup.in
+--- strongswan-2.8.2-orig/programs/wakeup/wakeup.in 1969-12-31 19:00:00.000000000 -0500
++++ strongswan-2.8.2/programs/wakeup/wakeup.in 2007-02-05 00:28:03.961726336 -0500
+@@ -0,0 +1,38 @@
++#! /bin/sh
++# wakeup script
++#
++# Copyright (C) 2007 Kevin Cody Jr. <kcody@vegaresearch.com>
++#
++# This program is free software; you can redistribute it and/or modify it
++# under the terms of the GNU General Public License as published by the
++# Free Software Foundation; either version 2 of the License, or (at your
++# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
++#
++# This program is distributed in the hope that it will be useful, but
++# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
++# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++# for more details.
++#
++
++# only applicable when ipsec is running
++[ -e /var/run/pluto.pid ] || exit
++
++# loop through any erouted tunnels in the HOLD state
++for f in `ipsec status | awk '/erouted HOLD/{ print $2 }' | cut -f1 -d\: | cut -f2 -d\"` ; do
++
++ # only whack if no pending events at all exists
++ ipsec status | grep STATE | grep -q $f ||
++ ipsec whack --name $f --initiate --asynchronous
++
++done
++
++# loop through any tunnels that don't quite exist
++for f in `ipsec status | awk '/prospective erouted/{ print $2 }' | cut -f1 -d: | grep -v \# | cut -f2 -d\"` ; do
++
++ ipsec status | grep STATE_QUICK | grep -q $f || {
++ ipsec status | grep STATE_MAIN | grep -q $f && ipsec down $f
++ ipsec up $f
++ }
++
++done
++
diff --git a/package/strongswan/patches/210-updown.patch b/package/strongswan/patches/210-updown.patch
new file mode 100644
index 000000000..9361f4348
--- /dev/null
+++ b/package/strongswan/patches/210-updown.patch
@@ -0,0 +1,660 @@
+diff -ruN strongswan-2.8.2-orig/programs/_updown/_updown.8 strongswan-2.8.2/programs/_updown/_updown.8
+--- strongswan-2.8.2-orig/programs/_updown/_updown.8 2006-04-17 02:48:49.000000000 -0400
++++ strongswan-2.8.2/programs/_updown/_updown.8 2007-02-05 02:13:05.252612099 -0500
+@@ -8,8 +8,23 @@
+ .I _updown
+ is invoked by pluto when it has brought up a new connection. This script
+ is used to insert the appropriate routing entries for IPsec operation.
+-It can also be used to insert and delete dynamic iptables firewall rules.
+-The interface to the script is documented in the pluto man page.
++It also inserts and deletes dynamic iptables firewall rules. IMPORTANT!
++By default, it will ACCEPT as appropriate on the INPUT, OUTPUT, FORWARD
++tables. Most distributions will want to change that to provide more
++flexibility in their firewall configuration.
++The script looks for the environment variables
++.B IPSEC_UPDOWN_RULE_IN
++for the iptables table it should insert into,
++.B IPSEC_UPDOWN_DEST_IN
++for where the rule should -j jump to,
++.B IPSEC_UPDOWN_RULE_OUT
++.B IPSEC_UPDOWN_DEST_OUT
++for the same on outgoing packets, and
++.B IPSEC_UPDOWN_FWD_RULE_IN
++.B IPSEC_UPDOWN_FWD_DEST_IN
++.B IPSEC_UPDOWN_FWD_RULE_OUT
++.B IPSEC_UPDOWN_FWD_DEST_OUT
++respectively for packets being forwarded to/from the local networks.
+ .SH "SEE ALSO"
+ ipsec(8), ipsec_pluto(8).
+ .SH HISTORY
+diff -ruN strongswan-2.8.2-orig/programs/_updown/_updown.in strongswan-2.8.2/programs/_updown/_updown.in
+--- strongswan-2.8.2-orig/programs/_updown/_updown.in 2006-04-17 11:06:29.000000000 -0400
++++ strongswan-2.8.2/programs/_updown/_updown.in 2007-02-05 02:08:24.969100428 -0500
+@@ -5,6 +5,7 @@
+ # Copyright (C) 2003-2004 Tuomo Soini
+ # Copyright (C) 2002-2004 Michael Richardson
+ # Copyright (C) 2005-2006 Andreas Steffen <andreas.steffen@strongswan.org>
++# Copyright (C) 2007 Kevin Cody Jr <kcody@vegaresearch.com>
+ #
+ # This program is free software; you can redistribute it and/or modify it
+ # under the terms of the GNU General Public License as published by the
+@@ -118,20 +119,61 @@
+ # restricted on the peer side.
+ #
+
+-# uncomment to log VPN connections
+-VPN_LOGGING=1
+-#
++# set to /bin/true to silence log messages
++LOGGER=logger
++
+ # tag put in front of each log entry:
+ TAG=vpn
+-#
++
+ # syslog facility and priority used:
+-FAC_PRIO=local0.notice
+-#
+-# to create a special vpn logging file, put the following line into
+-# the syslog configuration file /etc/syslog.conf:
+-#
+-# local0.notice -/var/log/vpn
+-#
++FAC_PRIO=authpriv.info
++
++
++# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
++if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ] ; then
++ IPSEC_POLICY_IN=""
++ IPSEC_POLICY_OUT=""
++else
++ IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
++ IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
++ IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
++fi
++
++# are there port numbers?
++if [ "$PLUTO_MY_PORT" != 0 ] ; then
++ S_MY_PORT="--sport $PLUTO_MY_PORT"
++ D_MY_PORT="--dport $PLUTO_MY_PORT"
++fi
++
++if [ "$PLUTO_PEER_PORT" != 0 ] ; then
++ S_PEER_PORT="--sport $PLUTO_PEER_PORT"
++ D_PEER_PORT="--dport $PLUTO_PEER_PORT"
++fi
++
++# import firewall behavior
++IPT_RULE_IN=$IPSEC_UPDOWN_RULE_IN
++IPT_DEST_IN=$IPSEC_UPDOWN_DEST_IN
++IPT_RULE_OUT=$IPSEC_UPDOWN_RULE_OUT
++IPT_DEST_OUT=$IPSEC_UPDOWN_DEST_OUT
++
++# import forwarding behavior
++FWD_RULE_IN=$IPSEC_UPDOWN_FWD_RULE_IN
++FWD_DEST_IN=$IPSEC_UPDOWN_FWD_DEST_IN
++FWD_RULE_OUT=$IPSEC_UPDOWN_FWD_RULE_OUT
++FWD_DEST_OUT=$IPSEC_UPDOWN_FWD_DEST_OUT
++
++# default firewall behavior
++[ -z "$IPT_RULE_IN" ] && IPT_RULE_IN=INPUT
++[ -z "$IPT_DEST_IN" ] && IPT_DEST_IN=ACCEPT
++[ -z "$IPT_RULE_OUT" ] && IPT_RULE_OUT=OUTPUT
++[ -z "$IPT_DEST_OUT" ] && IPT_DEST_OUT=ACCEPT
++
++# default forwarding behavior
++[ -z "$FWD_RULE_IN" ] && FWD_RULE_IN=FORWARD
++[ -z "$FWD_DEST_IN" ] && FWD_DEST_IN=ACCEPT
++[ -z "$FWD_RULE_OUT" ] && FWD_RULE_OUT=FORWARD
++[ -z "$FWD_DEST_OUT" ] && FWD_DEST_OUT=ACCEPT
++
+
+ # check interface version
+ case "$PLUTO_VERSION" in
+@@ -150,8 +192,6 @@
+ case "$1:$*" in
+ ':') # no parameters
+ ;;
+-iptables:iptables) # due to (left/right)firewall; for default script only
+- ;;
+ custom:*) # custom parameters (see above CAUTION comment)
+ ;;
+ *) echo "$0: unknown parameters \`$*'" >&2
+@@ -159,345 +199,307 @@
+ ;;
+ esac
+
++
+ # utility functions for route manipulation
+ # Meddling with this stuff should not be necessary and requires great care.
++
+ uproute() {
+ doroute add
+ ip route flush cache
+ }
++
+ downroute() {
+ doroute delete
+ ip route flush cache
+ }
+
++upfirewall() {
++ in_rule=$1
++ in_dest=$2
++ out_rule=$3
++ out_dest=$4
++
++ [ -n "$in_rule" -a -n "$in_dest" ] && \
++ iptables -I $in_rule 1 \
++ -i $PLUTO_INTERFACE \
++ -p $PLUTO_MY_PROTOCOL \
++ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
++ -d $PLUTO_MY_CLIENT $D_MY_PORT \
++ $IPSEC_POLICY_IN \
++ -j $in_dest
++
++ [ -n "$out_rule" -a -n "$out_dest" ] && \
++ iptables -I $out_rule 1 \
++ -o $PLUTO_INTERFACE \
++ -p $PLUTO_PEER_PROTOCOL \
++ -s $PLUTO_MY_CLIENT $S_MY_PORT \
++ -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
++ $IPSEC_POLICY_OUT \
++ -j $out_dest
++
++}
++
++downfirewall() {
++ in_rule=$1
++ in_dest=$2
++ out_rule=$3
++ out_dest=$4
++
++ [ -n "$in_rule" -a -n "$in_dest" ] && \
++ iptables -D $in_rule \
++ -i $PLUTO_INTERFACE \
++ -p $PLUTO_MY_PROTOCOL \
++ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
++ -d $PLUTO_MY_CLIENT $D_MY_PORT \
++ $IPSEC_POLICY_IN \
++ -j $in_dest
++
++ [ -n "$out_rule" -a -n "$out_dest" ] && \
++ iptables -D $out_rule \
++ -o $PLUTO_INTERFACE \
++ -p $PLUTO_PEER_PROTOCOL \
++ -s $PLUTO_MY_CLIENT $S_MY_PORT \
++ -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
++ $IPSEC_POLICY_OUT \
++ -j $out_dest
++
++}
++
+ addsource() {
+ st=0
+- if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
+- then
++
++ if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local ; then
++
+ it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
+ oops="`eval $it 2>&1`"
+ st=$?
+- if test " $oops" = " " -a " $st" != " 0"
+- then
++
++ if [ " $oops" = " " -a " $st" != " 0" ] ; then
+ oops="silent error, exit status $st"
+ fi
+- if test " $oops" != " " -o " $st" != " 0"
+- then
++
++ if [ " $oops" != " " -o " $st" != " 0" ] ; then
+ echo "$0: addsource \`$it' failed ($oops)" >&2
+ fi
+ fi
++
+ return $st
+ }
+
+ doroute() {
+ st=0
+ parms="$PLUTO_PEER_CLIENT"
++ parms2="dev $PLUTO_INTERFACE"
+
+- parms2=
+- if [ -n "$PLUTO_NEXT_HOP" ]
+- then
+- parms2="via $PLUTO_NEXT_HOP"
+- fi
+- parms2="$parms2 dev $PLUTO_INTERFACE"
+-
+- if [ -z "$PLUTO_MY_SOURCEIP" ]
+- then
+- if [ -f /etc/sysconfig/defaultsource ]
+- then
+- . /etc/sysconfig/defaultsource
+- fi
++ if [ -z "$PLUTO_MY_SOURCEIP" ] ; then
+
+- if [ -f /etc/conf.d/defaultsource ]
+- then
+- . /etc/conf.d/defaultsource
+- fi
++ [ -f /etc/sysconfig/defaultsource ] && \
++ . /etc/sysconfig/defaultsource
++
++ [ -f /etc/conf.d/defaultsource ] && \
++ . /etc/conf.d/defaultsource
++
++ [ -n "$DEFAULTSOURCE" ] && \
++ PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
+
+- if [ -n "$DEFAULTSOURCE" ]
+- then
+- PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
+- fi
+ fi
+
+ parms3=
+- if test "$1" = "add" -a -n "$PLUTO_MY_SOURCEIP"
+- then
++ if [ "$1" = "add" -a -n "$PLUTO_MY_SOURCEIP" ] ; then
+ addsource
+ parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*}"
+ fi
+
+- case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+- "0.0.0.0/0.0.0.0")
++ if [ "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" = \
++ "0.0.0.0/0.0.0.0" ] ; then
+ # opportunistic encryption work around
+ # need to provide route that eclipses default, without
+ # replacing it.
+- it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
+- ip route $1 128.0.0.0/1 $parms2 $parms3"
+- ;;
+- *) it="ip route $1 $parms $parms2 $parms3"
+- ;;
+- esac
++ it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
++ ip route $1 128.0.0.0/1 $parms2 $parms3"
++ else
++ it="ip route $1 $parms $parms2 $parms3"
++ fi
++
+ oops="`eval $it 2>&1`"
+ st=$?
+- if test " $oops" = " " -a " $st" != " 0"
+- then
+- oops="silent error, exit status $st"
+- fi
+- if test " $oops" != " " -o " $st" != " 0"
+- then
+- echo "$0: doroute \`$it' failed ($oops)" >&2
++
++ if [ " $oops" = " " -a " $st" != " 0" ] ; then
++ oops="silent error, exit status $st"
+ fi
++
++ if [ " $oops" != " " -o " $st" != " 0" ] ; then
++ echo "$0: doroute \`$it' failed ($oops)" >&2
++ fi
++
+ return $st
+ }
+-
+-# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
+-if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
+-then
+- IPSEC_POLICY_IN=""
+- IPSEC_POLICY_OUT=""
+-else
+- IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
+- IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
+- IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
+-fi
+
+-# are there port numbers?
+-if [ "$PLUTO_MY_PORT" != 0 ]
+-then
+- S_MY_PORT="--sport $PLUTO_MY_PORT"
+- D_MY_PORT="--dport $PLUTO_MY_PORT"
+-fi
+-if [ "$PLUTO_PEER_PORT" != 0 ]
+-then
+- S_PEER_PORT="--sport $PLUTO_PEER_PORT"
+- D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+-fi
++dologentry() {
++ action=$1
++
++ if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ] ; then
++ rem="$PLUTO_PEER"
++ else
++ rem="$PLUTO_PEER_CLIENT == $PLUTO_PEER"
++ fi
++
++ if [ "$PLUTO_MY_CLIENT" == "$PLUTO_ME/32" ] ; then
++ loc="$PLUTO_ME"
++ else
++ loc="$PLUTO_ME == $PLUTO_MY_CLIENT"
++ fi
++
++ $LOGGER -t $TAG -p $FAC_PRIO "$action $rem -- $loc ($PLUTO_PEER_ID)"
++}
++
+
+ # the big choice
++
+ case "$PLUTO_VERB:$1" in
+ prepare-host:*|prepare-client:*)
+ # delete possibly-existing route (preliminary to adding a route)
+- case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+- "0.0.0.0/0.0.0.0")
+- # need to provide route that eclipses default, without
++
++ if [ "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" = \
++ "0.0.0.0/0.0.0.0" ] ; then
++ # need to remove the route that eclipses default, without
+ # replacing it.
+- parms1="0.0.0.0/1"
+- parms2="128.0.0.0/1"
+- it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
+- oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
+- ;;
+- *)
+- parms="$PLUTO_PEER_CLIENT"
+- it="ip route delete $parms 2>&1"
+- oops="`ip route delete $parms 2>&1`"
+- ;;
+- esac
+- status="$?"
+- if test " $oops" = " " -a " $status" != " 0"
+- then
+- oops="silent error, exit status $status"
++ it="( ip route delete 0.0.0.0/1 ;
++ ip route delete 128.0.0.0/1 )"
++ else
++ it="ip route delete $PLUTO_PEER_CLIENT"
++ fi
++
++ oops="`$it 2>&1`"
++ st="$?"
++
++ if [ " $oops" = " " -a " $st" != " 0" ] ; then
++ oops="silent error, exit status $st"
+ fi
++
+ case "$oops" in
+ *'RTNETLINK answers: No such process'*)
+ # This is what route (currently -- not documented!) gives
+ # for "could not find such a route".
+ oops=
+- status=0
++ st=0
+ ;;
+ esac
+- if test " $oops" != " " -o " $status" != " 0"
+- then
++
++ if [ " $oops" != " " -o " $st" != " 0" ] ; then
+ echo "$0: \`$it' failed ($oops)" >&2
+ fi
+- exit $status
++
++ exit $st
++
+ ;;
+ route-host:*|route-client:*)
+ # connection to me or my client subnet being routed
++
++ ipsec _showstatus valid
+ uproute
++
+ ;;
+ unroute-host:*|unroute-client:*)
+ # connection to me or my client subnet being unrouted
++
++ ipsec _showstatus invalid
+ downroute
++
+ ;;
+-up-host:)
++up-host:*)
+ # connection to me coming up
+- # If you are doing a custom version, firewall commands go here.
++
++ ipsec _showstatus up
++ upfirewall $IPT_RULE_IN $IPT_DEST_IN $IPT_RULE_OUT $OUT_DEST_OUT
++ dologentry "VPN-UP"
++
+ ;;
+-down-host:)
++down-host:*)
+ # connection to me going down
+- # If you are doing a custom version, firewall commands go here.
+- ;;
+-up-client:)
+- # connection to my client subnet coming up
+- # If you are doing a custom version, firewall commands go here.
+- ;;
+-down-client:)
+- # connection to my client subnet going down
+- # If you are doing a custom version, firewall commands go here.
++
++ ipsec _showstatus down
++ downfirewall $IPT_RULE_IN $IPT_DEST_IN $IPT_RULE_OUT $OUT_DEST_OUT
++ dologentry "VPN-DN"
++
+ ;;
+-up-host:iptables)
+- # connection to me, with (left/right)firewall=yes, coming up
+- # This is used only by the default updown script, not by your custom
+- # ones, so do not mess with it; see CAUTION comment up at top.
+- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+- -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
+- -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+- -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+- -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
+- #
+- # log IPsec host connection setup
+- if [ $VPN_LOGGING ]
+- then
+- if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
+- then
+- logger -t $TAG -p $FAC_PRIO \
+- "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME"
+- else
+- logger -t $TAG -p $FAC_PRIO \
+- "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+- fi
+- fi
+- ;;
+-down-host:iptables)
+- # connection to me, with (left/right)firewall=yes, going down
+- # This is used only by the default updown script, not by your custom
+- # ones, so do not mess with it; see CAUTION comment up at top.
+- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+- -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
+- -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+- -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+- -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
+- #
+- # log IPsec host connection teardown
+- if [ $VPN_LOGGING ]
+- then
+- if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
+- then
+- logger -t $TAG -p $FAC_PRIO -- \
+- "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME"
+- else
+- logger -t $TAG -p $FAC_PRIO -- \
+- "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+- fi
+- fi
+- ;;
+-up-client:iptables)
+- # connection to client subnet, with (left/right)firewall=yes, coming up
+- # This is used only by the default updown script, not by your custom
+- # ones, so do not mess with it; see CAUTION comment up at top.
+- if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+- then
+- iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+- -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
+- -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT \
+- $IPSEC_POLICY_OUT -j ACCEPT
+- iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+- -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
+- -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \
+- $IPSEC_POLICY_IN -j ACCEPT
++up-client:*)
++ # connection to client subnet coming up
++
++ ipsec _showstatus up
++
++ if [ "$PLUTO_MY_CLIENT" != "$PLUTO_ME/32" -a \
++ "$PLUTO_MY_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] ; then
++ upfirewall $FWD_RULE_IN $FWD_DEST_IN $FWD_RULE_OUT $FWD_DEST_OUT
+ fi
+- #
++
+ # a virtual IP requires an INPUT and OUTPUT rule on the host
+ # or sometimes host access via the internal IP is needed
+- if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+- then
+- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+- -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
+- -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \
+- $IPSEC_POLICY_IN -j ACCEPT
+- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+- -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
+- -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT \
+- $IPSEC_POLICY_OUT -j ACCEPT
+- fi
+- #
+- # log IPsec client connection setup
+- if [ $VPN_LOGGING ]
+- then
+- if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
+- then
+- logger -t $TAG -p $FAC_PRIO \
+- "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+- else
+- logger -t $TAG -p $FAC_PRIO \
+- "+ `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+- fi
+- fi
+- ;;
+-down-client:iptables)
+- # connection to client subnet, with (left/right)firewall=yes, going down
+- # This is used only by the default updown script, not by your custom
+- # ones, so do not mess with it; see CAUTION comment up at top.
+- if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+- then
+- iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+- -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
+- -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT \
+- $IPSEC_POLICY_OUT -j ACCEPT
+- iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+- -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
+- -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \
+- $IPSEC_POLICY_IN -j ACCEPT
++ if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] ; then
++ upfirewall $IPT_RULE_IN $IPT_DEST_IN $IPT_RULE_OUT $OUT_DEST_OUT
++ fi
++
++ dologentry "VPN-UP"
++
++ ;;
++down-client:*)
++ # connection to client subnet going down
++
++ ipsec _showstatus down
++
++ if [ "$PLUTO_MY_CLIENT" != "$PLUTO_ME/32" -a \
++ "$PLUTO_MY_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] ; then
++ downfirewall $FWD_RULE_IN $FWD_DEST_IN $FWD_RULE_OUT $FWD_DEST_OUT
+ fi
+- #
++
+ # a virtual IP requires an INPUT and OUTPUT rule on the host
+ # or sometimes host access via the internal IP is needed
+- if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+- then
+- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+- -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
+- -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \
+- $IPSEC_POLICY_IN -j ACCEPT
+- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+- -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
+- -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT \
+- $IPSEC_POLICY_OUT -j ACCEPT
+- fi
+- #
+- # log IPsec client connection teardown
+- if [ $VPN_LOGGING ]
+- then
+- if [ "$PLUTO_PEER_CLIENT" == "$PLUTO_PEER/32" ]
+- then
+- logger -t $TAG -p $FAC_PRIO -- \
+- "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+- else
+- logger -t $TAG -p $FAC_PRIO -- \
+- "- `echo -e $PLUTO_PEER_ID` $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+- fi
++ if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] ; then
++ downfirewall $IPT_RULE_IN $IPT_DEST_IN $IPT_RULE_OUT $OUT_DEST_OUT
+ fi
++
++ dologentry "VPN-DN"
++
+ ;;
+-#
+-# IPv6
+-#
+ prepare-host-v6:*|prepare-client-v6:*)
++
+ ;;
+ route-host-v6:*|route-client-v6:*)
+ # connection to me or my client subnet being routed
++
+ #uproute_v6
++
+ ;;
+ unroute-host-v6:*|unroute-client-v6:*)
+ # connection to me or my client subnet being unrouted
++
+ #downroute_v6
++
+ ;;
+ up-host-v6:*)
+ # connection to me coming up
+ # If you are doing a custom version, firewall commands go here.
++
+ ;;
+ down-host-v6:*)
+ # connection to me going down
+ # If you are doing a custom version, firewall commands go here.
++
+ ;;
+ up-client-v6:)
+ # connection to my client subnet coming up
+ # If you are doing a custom version, firewall commands go here.
++
+ ;;
+ down-client-v6:)
+ # connection to my client subnet going down
+ # If you are doing a custom version, firewall commands go here.
++
+ ;;
+-*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
++*)
++ echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
+ exit 1
++
+ ;;
+ esac
++
diff --git a/package/strongswan/patches/300-openwrt.patch b/package/strongswan/patches/300-openwrt.patch
new file mode 100644
index 000000000..7386af56a
--- /dev/null
+++ b/package/strongswan/patches/300-openwrt.patch
@@ -0,0 +1,24 @@
+diff -ruN strongswan-2.8.1-orig/Makefile.inc strongswan-2.8.1/Makefile.inc
+--- strongswan-2.8.1-orig/Makefile.inc 2007-01-11 16:42:11.000000000 -0500
++++ strongswan-2.8.1/Makefile.inc 2007-01-17 02:42:25.961297797 -0500
+@@ -123,7 +123,7 @@
+ # With a non-null DESTDIR, INC_RCDEFAULT will be used unless one of the
+ # INC_RCDIRS directories has been pre-created under DESTDIR.
+ INC_RCDIRS=/etc/rc.d/init.d /etc/rc.d /etc/init.d /sbin/init.d
+-INC_RCDEFAULT=/etc/rc.d/init.d
++INC_RCDEFAULT=/etc/init.d
+
+ # RCDIR is where boot/shutdown scripts go; FINALRCDIR is where they think
+ # will finally be (so utils/Makefile can create a symlink in BINDIR to the
+diff -ruN strongswan-2.8.1-orig/programs/showhostkey/showhostkey.in strongswan-2.8.1/programs/showhostkey/showhostkey.in
+--- strongswan-2.8.1-orig/programs/showhostkey/showhostkey.in 2004-03-15 15:35:31.000000000 -0500
++++ strongswan-2.8.1/programs/showhostkey/showhostkey.in 2007-01-17 00:02:35.433150839 -0500
+@@ -62,7 +62,7 @@
+ exit 1
+ fi
+
+-host="`hostname --fqdn`"
++host="`cat /proc/sys/kernel/hostname`"
+
+ awk ' BEGIN {
+ inkey = 0
diff --git a/package/strongswan/patches/310-make-ipsec-alg.patch b/package/strongswan/patches/310-make-ipsec-alg.patch
new file mode 100644
index 000000000..cf4842a93
--- /dev/null
+++ b/package/strongswan/patches/310-make-ipsec-alg.patch
@@ -0,0 +1,18 @@
+diff -ruN strongswan-2.8.1-orig/linux/net/ipsec/alg/Makefile.alg_cryptoapi strongswan-2.8.1/linux/net/ipsec/alg/Makefile.alg_cryptoapi
+--- strongswan-2.8.1-orig/linux/net/ipsec/alg/Makefile.alg_cryptoapi 2004-03-22 16:53:19.000000000 -0500
++++ strongswan-2.8.1/linux/net/ipsec/alg/Makefile.alg_cryptoapi 2007-01-17 02:28:26.835241726 -0500
+@@ -1,10 +1,10 @@
+ MOD_CRYPTOAPI := ipsec_cryptoapi.o
+
+ ifneq ($(wildcard $(TOPDIR)/include/linux/crypto.h),)
+-ALG_MODULES += $(MOD_CRYPTOAPI)
+-obj-$(CONFIG_IPSEC_ALG_CRYPTOAPI) += $(MOD_CRYPTOAPI)
+-static_init-func-$(CONFIG_IPSEC_ALG_CRYPTOAPI)+= ipsec_cryptoapi_init
+-alg_obj-$(CONFIG_IPSEC_ALG_CRYPTOAPI) += ipsec_alg_cryptoapi.o
++#ALG_MODULES += $(MOD_CRYPTOAPI)
++#obj-$(CONFIG_IPSEC_ALG_CRYPTOAPI) += $(MOD_CRYPTOAPI)
++#static_init-func-$(CONFIG_IPSEC_ALG_CRYPTOAPI)+= ipsec_cryptoapi_init
++#alg_obj-$(CONFIG_IPSEC_ALG_CRYPTOAPI) += ipsec_alg_cryptoapi.o
+ else
+ $(warning "Linux CryptoAPI (2.4.22+ or 2.6.x) not found, not building ipsec_cryptoapi.o")
+ endif
diff --git a/package/strongswan/patches/320-no-modprobe.patch b/package/strongswan/patches/320-no-modprobe.patch
new file mode 100644
index 000000000..cbd720a6a
--- /dev/null
+++ b/package/strongswan/patches/320-no-modprobe.patch
@@ -0,0 +1,105 @@
+diff -ruN strongswan-2.8.1-orig/programs/starter/klips.c strongswan-2.8.1/programs/starter/klips.c
+--- strongswan-2.8.1-orig/programs/starter/klips.c 2006-02-15 13:33:57.000000000 -0500
++++ strongswan-2.8.1/programs/starter/klips.c 2007-01-16 23:57:19.107972109 -0500
+@@ -44,7 +44,7 @@
+ unsetenv("MODPATH");
+ unsetenv("MODULECONF");
+ system("depmod -a >/dev/null 2>&1");
+- system("modprobe -qv ipsec");
++ system("insmod -qv ipsec");
+ }
+ if (stat(PROC_IPSECVERSION, &stb) == 0)
+ {
+@@ -62,11 +62,11 @@
+ /* make sure that all available crypto algorithms are loaded */
+ if (stat(PROC_MODULES, &stb) == 0)
+ {
+- system("modprobe -qv ipsec_aes");
+- system("modprobe -qv ipsec_serpent");
+- system("modprobe -qv ipsec_twofish");
+- system("modprobe -qv ipsec_blowfish");
+- system("modprobe -qv ipsec_sha2");
++ system("insmod -qv ipsec_aes");
++ system("insmod -qv ipsec_serpent");
++ system("insmod -qv ipsec_twofish");
++ system("insmod -qv ipsec_blowfish");
++ system("insmod -qv ipsec_sha2");
+ }
+
+ starter_klips_clear();
+diff -ruN strongswan-2.8.1-orig/programs/starter/netkey.c strongswan-2.8.1/programs/starter/netkey.c
+--- strongswan-2.8.1-orig/programs/starter/netkey.c 2006-02-15 13:33:57.000000000 -0500
++++ strongswan-2.8.1/programs/starter/netkey.c 2007-01-16 23:57:28.094204186 -0500
+@@ -36,7 +36,7 @@
+ /* af_key module makes the netkey proc interface visible */
+ if (stat(PROC_MODULES, &stb) == 0)
+ {
+- system("modprobe -qv af_key");
++ system("insmod -qv af_key");
+ }
+
+ /* now test again */
+@@ -52,11 +52,11 @@
+ /* make sure that all required IPsec modules are loaded */
+ if (stat(PROC_MODULES, &stb) == 0)
+ {
+- system("modprobe -qv ah4");
+- system("modprobe -qv esp4");
+- system("modprobe -qv ipcomp");
+- system("modprobe -qv xfrm4_tunnel");
+- system("modprobe -qv xfrm_user");
++ system("insmod -qv ah4");
++ system("insmod -qv esp4");
++ system("insmod -qv ipcomp");
++ system("insmod -qv xfrm4_tunnel");
++ system("insmod -qv xfrm_user");
+ }
+
+ DBG(DBG_CONTROL,
+diff -ruN strongswan-2.8.1-orig/programs/_startklips/_startklips.in strongswan-2.8.1/programs/_startklips/_startklips.in
+--- strongswan-2.8.1-orig/programs/_startklips/_startklips.in 2005-05-06 18:11:33.000000000 -0400
++++ strongswan-2.8.1/programs/_startklips/_startklips.in 2007-01-17 00:04:11.189627735 -0500
+@@ -249,7 +249,7 @@
+
+ if test ! -f $ipsecversion && test ! -f $netkey
+ then
+- modprobe -v af_key
++ insmod -v af_key
+ fi
+
+ if test -f $netkey
+@@ -257,11 +257,11 @@
+ klips=false
+ if test -f $modules
+ then
+- modprobe -qv ah4
+- modprobe -qv esp4
+- modprobe -qv ipcomp
+- modprobe -qv xfrm4_tunnel
+- modprobe -qv xfrm_user
++ insmod -qv ah4
++ insmod -qv esp4
++ insmod -qv ipcomp
++ insmod -qv xfrm4_tunnel
++ insmod -qv xfrm_user
+ fi
+ fi
+
+@@ -272,7 +272,7 @@
+ setmodule
+ unset MODPATH MODULECONF # no user overrides!
+ depmod -a >/dev/null 2>&1
+- modprobe -v ipsec
++ insmod -v ipsec
+ fi
+ if test ! -f $ipsecversion
+ then
+@@ -288,7 +288,7 @@
+ do
+ if test -f $moduleinstplace/alg/ipsec_$alg.o
+ then
+- modprobe ipsec_$alg
++ insmod ipsec_$alg
+ fi
+ done
+ fi
diff --git a/package/strongswan/patches/350-make-programs.patch b/package/strongswan/patches/350-make-programs.patch
new file mode 100644
index 000000000..5c2173b46
--- /dev/null
+++ b/package/strongswan/patches/350-make-programs.patch
@@ -0,0 +1,20 @@
+diff -ruN strongswan-2.8.2-orig/programs/Makefile strongswan-2.8.2/programs/Makefile
+--- strongswan-2.8.2-orig/programs/Makefile 2006-08-28 07:12:36.000000000 -0400
++++ strongswan-2.8.2/programs/Makefile 2007-02-04 01:24:18.751598552 -0500
+@@ -17,12 +17,10 @@
+ FREESWANSRCDIR=..
+ include ${FREESWANSRCDIR}/Makefile.inc
+
+-SUBDIRS=spi eroute spigrp tncfg klipsdebug pf_key proc pluto
+-SUBDIRS+=_confread _copyright _include _keycensor _plutoload _plutorun
+-SUBDIRS+=_realsetup _secretcensor _startklips _updown _updown_espmark
+-SUBDIRS+=auto barf ipsec look manual ranbits secrets starter
+-SUBDIRS+=rsasigkey send-pr setup showdefaults showhostkey calcgoo mailkey
+-SUBDIRS+=ikeping examples openac scepclient _showstatus wakeup
++SUBDIRS=_copyright _updown _showstatus wakeup examples
++SUBDIRS+=barf calcgoo eroute ikeping klipsdebug look mailkey manual
++SUBDIRS+=openac pf_key pluto proc ranbits rsasigkey scepclient secrets
++SUBDIRS+=showdefaults showhostkey spi spigrp starter tncfg ipsec
+
+ ifeq ($(USE_LWRES),true)
+ SUBDIRS+=lwdnsq