ipsec-tools 0.8.0_3 security =15

KAME racoon IKE daemon, ipsec-tools version
Maintained by: vanhu@netasq.com
Port Added: 05 Sep 2005 14:14:25
License: not specified in port

---

---

racoon speaks IKE (ISAKMP/Oakley) key management protocol, to
establish security association with other hosts.

This is the IPSec-tools version of racoon.

Enchancements:
- Support of NAT-T and IKE fragmentation.
- Support of many authentication algorithms.
- Tons of bugfixes.

Known issues:
- Non-threaded implementation.  Simultaneous key negotiation performance
  should be improved.
- Cannot negotiate keys for per-socket policy.
- Cryptic configuration syntax - blame IPsec specification too...
- Needs more documentation.

Design choice, not a bug:
- racoon negotiate IPsec keys only.  It does not negotiate policy.  Policy must
  be configured into the kernel separately from racoon.  If you want to
  support roaming clients, you may need to have a mechanism to put policy
  for the roaming client after phase 1 finishes.

WWW: http://ipsec-tools.sourceforge.net/

CVSWeb : Sources : Main Web Site : Distfiles Availability : PortsMon

---

NOTE: FreshPorts displays only required dependencies information. Optional dependencies are not covered.
Required To Build: devel/libtool
There are no ports dependent upon this port

---

To install the port: cd /usr/ports/security/ipsec-tools/ && make install clean
To add the package: pkg_add -r ipsec-tools

---

Configuration Options

===> The following configuration options are available for ipsec-tools-0.8.0_3:
     DEBUG=on (default) "enable Debug support"
     IPV6=on (default) "enable IPV6 support"
     ADMINPORT=off (default) "enable Admin port"
     STATS=off (default) "enable Statistics logging function"
     DPD=on (default) "enable Dead Peer Detection"
     NATT=on (default) "enable NAT-Traversal (kernel-patch required)"
     NATTF=off (default) "require NAT-Traversal (fail without kernel-patch)"
     FRAG=on (default) "enable IKE fragmentation payload support"
     HYBRID=on (default) "enable Hybrid, Xauth and Mode-cfg support"
     PAM=off (default) "enable PAM authentication (Xauth server)"
     RADIUS=off (default) "enable Radius authentication (Xauth server)"
     LDAP=off (default) "enable LDAP authentication (Xauth server)"
     GSSAPI=off (default) "enable GSS-API authentication"
     SAUNSPEC=off (default) "enable Unspecified SA mode"
     RC5=off (default) "enable RC5 encryption (patented)"
     IDEA=off (default) "enable IDEA encryption (patented)"
===> Use 'make config' to modify these settings

---

Master Sites:

http://heanet.dl.sourceforge.net/project/ipsec-tools/ipsec-tools/0.8.0/

http://sunet.dl.sourceforge.net/project/ipsec-tools/ipsec-tools/0.8.0/

http://iweb.dl.sourceforge.net/project/ipsec-tools/ipsec-tools/0.8.0/

http://switch.dl.sourceforge.net/project/ipsec-tools/ipsec-tools/0.8.0/

http://surfnet.dl.sourceforge.net/project/ipsec-tools/ipsec-tools/0.8.0/

http://kent.dl.sourceforge.net/project/ipsec-tools/ipsec-tools/0.8.0/

http://freefr.dl.sourceforge.net/project/ipsec-tools/ipsec-tools/0.8.0/

http://voxel.dl.sourceforge.net/project/ipsec-tools/ipsec-tools/0.8.0/

http://jaist.dl.sourceforge.net/project/ipsec-tools/ipsec-tools/0.8.0/

http://osdn.dl.sourceforge.net/project/ipsec-tools/ipsec-tools/0.8.0/

http://nchc.dl.sourceforge.net/project/ipsec-tools/ipsec-tools/0.8.0/

http://ncu.dl.sourceforge.net/project/ipsec-tools/ipsec-tools/0.8.0/

http://transact.dl.sourceforge.net/project/ipsec-tools/ipsec-tools/0.8.0/

http://softlayer.dl.sourceforge.net/project/ipsec-tools/ipsec-tools/0.8.0/

http://internode.dl.sourceforge.net/project/ipsec-tools/ipsec-tools/0.8.0/

http://ufpr.dl.sourceforge.net/project/ipsec-tools/ipsec-tools/0.8.0/

http://waix.dl.sourceforge.net/project/ipsec-tools/ipsec-tools/0.8.0/

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/

Apply utmp patch from ${FILESDIR} (not files) if OSVERSION <  900007

Spotted by: Jason Hellenthal <jhell at DataIX.net>
Approved by:    crees,rene (mentors,implicit)

In the rc.d scripts, change assignments to rcvar to use the
literal name_enable wherever possible, and ${name}_enable
when it's not, to prepare for the demise of set_rcvar().

In cases where I had to hand-edit unusual instances also
modify formatting slightly to be more uniform (and in
some cases, correct). This includes adding some $FreeBSD$
tags, and most importantly moving rcvar= to right after
name= so it's clear that one is derived from the other.

Fix the rc.d script to avoid unconditional code execution,
and various other cleanups.

- Fix startup script rc.d/racoon.
- Bump portrevision.

PR:             ports/148605
Submitted by:   John Hein <jhein@symmetricom.com>
Approved by:    maho (mentor) and vanhu@netasq.com (maintainer)

- update to 0.8.0

PR:             ports/155883
Submitted by:   vanhu (maintainer)

Sync to new bsd.autotools.mk

Begin the process of deprecating sysutils/rc_subr by
s#. %%RC_SUBR%%#. /etc/rc.subr#

- Mark BROKEN on HEAD: fails to build with new utmpx

Reported by:    pointyhat

- Update to 0.7.3

PR:             137966
Submitted by:   VANHULLEBUS Yvan <vanhu@netasq.com> (maintainer)

-Repocopy devel/libtool15 -> libtool22 and libltdl15 -> libltdl22.
-Update libtool and libltdl to 2.2.6a.
-Remove devel/libtool15 and devel/libltdl15.
-Fix ports build with libtool22/libltdl22.
-Bump ports that depend on libltdl22 due to shared library version change.
-Explain what to do update in the UPDATING.

It has been tested with GNOME2, XFCE4, KDE3, KDE4 and other many wm/desktop
and applications in the runtime.

With help:      marcus and kwm
Pointyhat-exp:  a few times by pav
Tested by:      pgollucci, "Romain Tartière" <romain@blogreen.org>, and
                a few MarcusCom CVS users. Also, I might have missed a few.
Repocopy by:    marcus
Approved by:    portmgr

Fix a few "bad example" problems in the rc.d scripts that have been
propogated by copy and paste.

1. Primarily the "empty variable" default assignment, which is mostly
${name}_flags="", but fix a few others as well.
2. Where they are not already documented, add the existence of the _flags
(or other deleted empties) option to the comments, and in some cases add
comments from scratch.
3. Replace things that look like:
prefix=%%PREFIX%%
command=${prefix}/sbin/foo
to just use %%PREFIX%%. In many cases the $prefix variable is only used
once, and in some cases it is not used at all.
4. In a few cases remove ${name}_flags from command_args
5. Remove a long-stale comment about putting the port's rc.d script in
/etc/rc.d (which is no longer necessary).

No PORTREVISION bumps because all of these changes are noops.

- Update to 0.7.2. This release fixes a remote DoS bug with IKE
  fragmentation reassembly.

PR:             ports/133922
Submitted by:   VANHULLEBUS Yvan <vanhu@netasq.com> (maintainer)

Update CONFIGURE_ARGS for how we pass CONFIGURE_TARGET to configure script.
Specifically, newer autoconf (> 2.13) has different semantic of the
configure target. In short, one should use --build=CONFIGURE_TARGET
instead of CONFIGURE_TARGET directly. Otherwise, you will get a warning
and the old semantic may be removed in later autoconf releases.

To workaround this issue, many ports hack the CONFIGURE_TARGET variable
so that it contains the ``--build='' prefix.

To solve this issue, under the fact that some ports still have
configure script generated by the old autoconf, we use runtime detection
in the do-configure target so that the proper argument can be used.

Changes to Mk/*:
 - Add runtime detection magic in bsd.port.mk

Add an WITH_LDAP option
enable hybrid, xauth and mode-cfg per default

PR:             125748
Submitted by:   Matthew Grooms
Approved by:    vanhu (maintainer)

- Update to 0.7.1

PR:             ports/125957
Submitted by:   VANHULLEBUS Yvan <vanhu@netasq.com> (maintainer)

Fix build on 7.x when RC5 support is enabled.

PR:             103084, 122187
Submitted by:   Dmitry A Grigorovich
Approved by:    maintainer

- Fix: Have the racoon startup script [optionally] create its required dirs.

PR:             ports/117128
Submitted by:   John Hein <jhein@timing.com>
Approved by:    VANHULLEBUS Yvan <vanhu@netasq.com> (maintainer)

Remove always-false/true conditions based on OSVERSION 500000

Update to 0.7

PR:             115978
Submitted by:   VANHULLEBUS Yvan <vanhu@netasq.com>

- Remove the DESTDIR modifications from individual ports as we have a new,
  fully chrooted DESTDIR, which does not need such any more.

Sponsored by:   Google Summer of Code 2007
Approved by:    portmgr (pav)

- Revert changes to patch-configure. It was slipped in when committing
  fix for gcc 4.x

Noticed by:   sat
Approved by:  maintainer (implicit)

- Fix build with gcc 4.x
- While I'm here, remove extra empty line in distinfo

PR:            ports/113383
Submitted by:  rafan
Approved by:   VANHULLEBUS Yvan <yvan.vanhullebus at netasq.com> (maintainer)

- Version 0.6.7 of ipsec-tools is out, which fixes an easy to exploit
  Denial of Service (CVE-2007-1841).

PR:             ports/111319
Submitted by:   maintainer (VANHULLEBUS Yvan)
Security:       CVE-2007-1841

Use libtool port instead of included version to avoid objformat a.out botch

- An option to force NATT functionality
- Sneak in master sites beautification and use_ldconfig
  while I'm here

PR:             ports/105488
Submitted by:   bz
Approved by:    VANHULLEBUS Yvan <yvan.vanhullebus@netasq.com> (maintainer)

- There should be only one site in the WWW line and kame is obsolete anyway

- Add patch for people having trouble compiling OpenSSL bits

PR:             ports/97442
Submitted by:   Dmitry Andrianov <dimas@dataart.com>
Approved by:    VANHULLEBUS Yvan <yvan.vanhullebus@netasq.com> (maintainer)

- Update to 0.6.6

PR:             ports/98902
Submitted by:   VANHULLEBUS Yvan <vanhu@netasq.com> (maintainer)

Makefile:
- introduce OPTIONS to enable/disable features
- add more features to the OPTION dialog
- choose reasonable defaults for OPTIONS (disabled patented stuff)
- remove usesless WRKSRC line
- move LDFLAGS to the place where it is necessary
- extend CONFIGURE_ARGS to set the directory for the adminport socket
  * Note: racoonctl is useless without adminport enabled
  * create the socket dir in post-install
- bump PORTREVISION that users notice the changes
- finally: remove one item from the TODO list on top of the Makefile ;)

pkg-descr:
- shortened by one line to please portlint

Conversion to a single libtool environment.

Approved by:    portmgr (kris)

Remove the FreeBSD KEYWORD from all rc.d scripts where it appears.
We have not checked for this KEYWORD for a long time now, so this
is a complete noop, and thus no PORTREVISION bump. Removing it at
this point is mostly for pedantic reasons, and partly to avoid
perpetuating this anachronism by copy and paste to future scripts.

- Update to 0.6.5

Submitted by:   VANHULLEBUS Yvan <vanhu@netasq.com> (maintainer)
PR:             ports/92838

Change facility from daemon to security, because daemon.info goes to
devnull by default

PR:             ports/91047
Submitted by:   PR: Brian Candler <B.Candler@pobox.com>, patch: VANHULLEBUS Yvan
<vanhu@netasq.com> (maintainer)
Approved by:    garga (mentor)

Replace ugly "@unexec rmdir %D... 2>/dev/null || true" with @dirrmtry

Approved by:    krion@
PR:             ports/88711 (related)

ports/security/ipsec-tools enables itself at startup

        ports/security/ipsec-tools rc.d script defaults to 'enabled'

        It also installs its own versions of setkey and libipsec.so
        which seems redundant as they are part of the base system
        and should be used in preference.

Submitted by:   Vivek Khera <vivek@khera.org>
PR:             ports/91317

Update to 0.6.4

PR:             90326
Submitted by:   maintainer

- Change the location of racoon configuration files to /usr/local/etc/racoon,
  bringing it in line with the old security/racoon port and the handbook [1]
- Make use of USE_RC_SUBR instead of home-grown substitution and install
- Prevent installation of some intermediate sample configuration files

PR:             ports/89273 [1]
Submitted by:   Angelo Turetta <aturetta@bestunion.it> [1]
Approved by:    VANHULLEBUS Yvan <vanhu@netasq.com> (maintainer)

- Update to 0.6.3. It fixes some crashes,
  including potential DoS in aggressive mode.
- Add SHA256

PR:             ports/89365
Submitted by:   ANHULLEBUS Yvan (maintainer)

Mass-conversion to the USE_AUTOTOOLS New World Order.  The code present
in bsd.autotools.mk essentially makes this a no-op given that all the
old variables set a USE_AUTOTOOLS_COMPAT variable, which is parsed in
exactly the same way as USE_AUTOTOOLS itself.

Moreover, USE_AUTOTOOLS has already been extensively tested by the GNOME
team -- all GNOME 2.12.x ports use it.

Preliminary documentation can be found at:
        http://people.FreeBSD.org/~ade/autotools.txt

which is in the process of being SGMLized before introduction into the
Porters Handbook.

Light blue touch-paper.  Run.

Update to 0.6.2

PR:             88042
Submitted by:   VANHULLEBUS Yvan <yvan.vanhullebus@netasq.com> (maintainer)

Update to 0.6.1

Submitted by:   Yvan Vanhullebus (maintainer)

Add IPSec tools port - the new "official" version of racoon,
is the only one which is maintained and have lots of new features.

PR:             85544
Submitted by:   VANHULLEBUS Yvan <vanhu@netasq.com>
Approved by:    perky (mentor)

12 vulnerabilities affecting 31 ports have been reported in the past 14 days

^* - modified, not new

All vulnerabilities