#!/bin/sh
  
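# Refuse to run without a racoon configuration: there is nothing to supervise.
if [ -f /etc/racoon/racoon.conf ]; then
    logger "IPsec: racoon needs to be started"
else
    logger "IPsec: racoon no config"
    exit 1
fi

# Pre-shared keys must not be readable by other users. A failed chmod (for
# example a missing psk.txt) used to pass silently; log it so the cause of a
# later authentication failure is visible in the system log.
chmod 0600 /etc/racoon/psk.txt || logger "IPsec: cannot set mode 0600 on /etc/racoon/psk.txt"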

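#######################################
# Bring up ISAKMP (phase 1) for every configured peer that has no SA yet.
# Peers are the third field of "peers_identifier address <ip>;" lines in
# /etc/racoon/racoon.conf. The list is streamed straight into the loop: the
# previous version staged it in the fixed path /tmp/racoonctl.conf, which a
# local user could pre-create (symlink) or replace between the write and the
# read while this script, running as root, used it.
# Globals:   none
# Arguments: none
# Outputs:   log lines via logger
# Returns:   status of the last pipeline
#######################################
start_phase1()
{
    # One awk pass replaces cat | grep | awk | sed: print field 3 with the
    # trailing ';' stripped.
    awk '/peers_identifier address/ { sub(/;$/, "", $3); print $3 }' /etc/racoon/racoon.conf |
    while IFS= read -r peer_ip; do
        # An empty value would otherwise become an empty grep pattern.
        [ -n "$peer_ip" ] || continue
        # -F: the address is a literal, not a regex (an unescaped '.' matches
        # any character); "--" keeps a value starting with '-' from being
        # parsed as an option. NOTE(review): this is still a substring match,
        # so 10.0.0.1 also matches 10.0.0.10, as in the original - confirm
        # against the show-sa output format before tightening it.
        phase1_up=$(/usr/sbin/racoonctl -l show-sa isakmp | grep -c -F -- "$peer_ip")
        if [ "$phase1_up" -eq 0 ]; then
            policy_count=$(/usr/sbin/setkey -DP | grep -c -F -- "$peer_ip")
            logger "IPsec: start phase 1 for $peer_ip, number of policies:$policy_count"
            /usr/sbin/racoonctl vpn-connect "$peer_ip"
        fi
    done
}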

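#######################################
# Supervision loop: every 360 s, restart racoon if its process is gone, then
# make sure phase 1 is up for every configured peer.
# Globals:   none
# Arguments: ignored
# Outputs:   log lines via logger
# Returns:   never returns
#######################################
main()
{
    while true; do
        # "[r]acoon" keeps grep's own command line out of the count, so the
        # value is the number of racoon daemons. The old "-le 1" test relied on
        # grep always appearing in ps and restarted racoon whenever it did not.
        count_racoon=$(ps auxww | grep -c "[r]acoon -f /etc/racoon/racoon.conf")
        if [ "$count_racoon" -eq 0 ]; then
            # No live daemon was found; remove any leftover racoon processes.
            busybox killall -9 racoon

            logger "IPsec: racoon error, restarting"
            /usr/sbin/racoon -f /etc/racoon/racoon.conf || logger "IPsec: racoon failed to start"

            # Flush old SA's and SP's
            /usr/sbin/racoonctl flush-sa ipsec
            /usr/sbin/racoonctl flush-sa isakmp

            # Give time for the peer to init connections first.
            # Time to detect old SA's and SP's
            sleep 360
        fi

        # As a last resort start phase 1 if it isn't started, broken DPD or peer is passive.
        start_phase1

        sleep 360
    done
}

main "$@"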

