| version 1.16, 2002/12/04 15:03:56 |
version 1.17, 2002/12/05 12:50:03 |
|
|
| # v0.81 / 26Jul98 |
# v0.81 / 26Jul98 |
| # |
# |
| # Modifications and cleanup by H. Olsson <ho@openbsd.org>, 28Aug99 |
# Modifications and cleanup by H. Olsson <ho@openbsd.org>, 28Aug99 |
| |
# and Markus Friedl <markus@openbsd.org> |
| # |
# |
| # rc.vpn -- configure IPsec in tunnel mode for a mesh of N local and |
# rc.vpn -- configure IPsec in tunnel mode for a mesh of N local and |
| # M remote networks. (N x M mesh) |
# M remote networks. (N x M mesh) |
|
|
| GW_LOCAL=192.168.254.254 |
GW_LOCAL=192.168.254.254 |
| GW_REMOTE=192.168.1.2 |
GW_REMOTE=192.168.1.2 |
| |
|
| # Local and remote networks, numbered |
# Local and remote networks |
| LOCAL_NET_0="192.168.254.0/24" |
LOCAL_NETWORKS="192.168.254.0/24 192.168.253.0/24" |
| LOCAL_NET_1="192.168.253.0/24" |
REMOTE_NETWORKS="192.168.1.0/24 192.168.2.0/24" |
| REMOTE_NET_0="192.168.1.0/24" |
|
| REMOTE_NET_1="192.168.2.0/24" |
|
| |
|
| # Optional, use for manual keying only |
# Optional, use for manual keying only |
| # Crypto options and keys, note that key/iv lengths need to correspond |
# Crypto options and keys, note that key/iv lengths need to correspond |
|
|
| |
|
| abort=0 |
abort=0 |
| if [ `/usr/sbin/sysctl -n net.inet.esp.enable` == 0 ]; then |
if [ `/usr/sbin/sysctl -n net.inet.esp.enable` == 0 ]; then |
| echo "$0: variable 'net.inet.esp.enable' (IPsec ESP protocol)" |
echo "$0: variable 'net.inet.esp.enable=0' (IPsec ESP protocol)" |
| abort=1 |
abort=1 |
| fi |
fi |
| if [ `/usr/sbin/sysctl -n net.inet.ip.forwarding` == 0 ]; then |
if [ `/usr/sbin/sysctl -n net.inet.ip.forwarding` == 0 ]; then |
| echo "$0: variable 'net.inet.ip.forwarding' (IP forwarding/routing)" |
echo "$0: variable 'net.inet.ip.forwarding=0' (IP forwarding/routing)" |
| abort=1 |
abort=1 |
| fi |
fi |
| if [ ${abort} = 1 ]; then |
if [ ${abort} = 1 ]; then |
|
|
| # Setup the Flows, aka SPD |
# Setup the Flows, aka SPD |
| # |
# |
| |
|
| FLOW="$DEBUG $ipsecadm flow -proto esp -src $GW_LOCAL -dst $GW_REMOTE" |
# add the gateways |
| FLOWIN="$FLOW -in -require -addr" |
LOCAL_NETWORKS="${GW_LOCAL}/32 ${LOCAL_NETWORKS}" |
| FLOWOUT="$FLOW -out -require -addr" |
REMOTE_NETWORKS="${GW_REMOTE}/32 ${REMOTE_NETWORKS}" |
| |
|
| # local gateway to remote gateway |
FLOW="$DEBUG ${ipsecadm} flow -proto esp -src ${GW_LOCAL} -dst ${GW_REMOTE} -require" |
| |
|
| $FLOWOUT ${GW_LOCAL}/32 ${GW_REMOTE}/32 |
|
| $FLOWIN ${GW_REMOTE}/32 ${GW_LOCAL}/32 |
|
| |
|
| # each local net to each remote net |
# each local net to each remote net |
| |
for local_net in ${LOCAL_NETWORKS}; do |
| localcount=0 |
for remote_net in ${REMOTE_NETWORKS}; do |
| while true; do |
$FLOW -out -addr $local_net $remote_net |
| local_net=`eval "echo \\\$LOCAL_NET_${localcount}"` |
$FLOW -in -addr $remote_net $local_net |
| if [ "x${local_net}" == "x" ]; then |
|
| break; |
|
| fi |
|
| remotecount=0 |
|
| while true; do |
|
| remote_net=`eval "echo \\\$REMOTE_NET_${remotecount}"` |
|
| if [ "x${remote_net}" == "x" ]; then |
|
| break; |
|
| fi |
|
| $FLOWOUT $local_net $remote_net |
|
| $FLOWIN $remote_net $local_net |
|
| remotecount=$(($remotecount + 1)) |
|
| done |
done |
| localcount=$(($localcount + 1)) |
|
| done |
done |
| |
|
| exit 0 |
exit 0 |
![[BACK]](/icons/back.gif){kind=icon}
Return to rc.vpn CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / share / ipsec