1.1 ! provos 1: #!/bin/sh
! 2:
! 3: #
! 4: # rc.vpn -- configure IPSec in tunnel mode for M x N networks
! 5: #
! 6: # Richard Reiner, Ph.D., FSC Internet Corp.
! 7: # rreiner@fscinternet.com
! 8: # v0.81 / 26Jul98
! 9: #
! 10:
# Announce ourselves on the console.  The leading space presumably joins a
# list of service names that the caller prints on one line -- keep it.
printf '%s\n' ' VPN'
! 12:
! 13:
! 14: #############################################################################
! 15: #
! 16: # Configurable parameters
! 17: #
! 18:
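# Should all the commands executed be printed when the script runs?
# N.B. setting this to "YES" prints the ESP keys and IV on the console
# (and into whatever captures the boot output) every time the system
# boots, so the default is "NO"; switch it on only while debugging.
VPN_DO_ECHO_COMMANDS="NO"

# My interfaces: the one facing the protected network and the one facing
# the tunnel partner.  Each needs an /etc/hostname.IFACE file, which is
# read below to find our addresses.
VPN_MY_INT_IFACE="ep0"
VPN_MY_EXT_IFACE="ep1"

# External IP of my tunnel partner
VPN_PEER_EXT_IP="207.253.158.194"

# The internal IP(s) and mask(s) on the other end of the tunnel -- add as
# many sets as necessary, numbered from 0 upwards without gaps (the loops
# below stop at the first VPN_PEER_INT_IP_n that is unset or empty).
VPN_PEER_INT_IP_0="192.139.247.253"
VPN_PEER_INT_MASK_0="255.255.255.0"

# IP(s) and mask(s) for *additional* subnets on *our* end of the tunnel
# (the first one is automagically determined below) -- add as many sets
# as necessary, numbered from *1* upwards without gaps, or comment out if
# not needed.
VPN_MY_INT_IP_1="192.139.241.1"
VPN_MY_INT_MASK_1="255.255.255.0"
VPN_MY_INT_IP_2="192.139.243.1"
VPN_MY_INT_MASK_2="255.255.255.0"

# Crypto options and keys.
#
# The values shipped here are examples, not secrets: generate your own
# from a cryptographic random source (e.g. /dev/urandom) before use, and
# give the same set to the tunnel partner, who configures the mirror
# image (its SPI_OUT is our SPI_IN and vice versa).  Keys are hex-encoded
# bytes: 16 hex digits (8 bytes) for the DES key and IV, 40 hex digits
# (20 bytes) for the SHA-1 HMAC key.  The SA setup below uses the same
# material for both directions of the tunnel.  Because this file holds
# the keys it should be readable by root only.  Single DES is a weak
# cipher; prefer a stronger one if your ipsecadm(8) supports it.
VPN_ENC="des"
VPN_AUTH="sha1"
VPN_SPI_OUT="1000"
VPN_SPI_IN="1001"
VPN_KEY="2ea140ac3911cb27"
VPN_AUTHKEY="176cc284bc1631afbd1468fbe976fa729fcb4321"
VPN_IV="c4b279f1a9bcd849"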
! 52:
! 53:
! 54:
! 55: #############################################################################
! 56: ############# #############
! 57: ############# -- NO CHANGES SHOULD BE NEEDED BELOW THIS LINE -- #############
! 58: ############# #############
! 59: #############################################################################
! 60:
! 61:
! 62:
! 63: #############################################################################
! 64: #
! 65: # Derived (automagically found) parameters
! 66: #
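# Hostnames for each of our interfaces, then their addresses and masks.
#
# /etc/hostname.IFACE is expected to hold an "inet NAME MASK ..." line as
# described in hostname.if(5); NAME is looked up in /etc/hosts unless it
# is already a dotted-quad address.  Anything that cannot be determined
# is left empty and reported on stderr.

# vpn_ifcfg_field IFACE N -- print field N of the first "inet" line of
# /etc/hostname.IFACE; empty if the file or the line is missing.
vpn_ifcfg_field () {
    awk -v n="$2" '$1 == "inet" { print $n; exit }' "/etc/hostname.$1" 2>/dev/null
}

# vpn_hosts_lookup NAME [FILE] -- print the address on the first
# non-comment line of FILE (default /etc/hosts) whose hostname or alias is
# exactly NAME.  Exact-field matching avoids the substring hits a plain
# grep gives (e.g. "gw" matching "gw-backup" or a commented-out entry),
# and an empty NAME matches nothing instead of every line.
vpn_hosts_lookup () {
    awk -v h="$1" '
        $1 ~ /^#/ || h == "" { next }
        { for (i = 2; i <= NF; i++) if ($i == h) { print $1; exit } }
    ' "${2:-/etc/hosts}" 2>/dev/null
}

# vpn_resolve NAME [FILE] -- NAME itself when it is already a dotted-quad
# address, otherwise the result of vpn_hosts_lookup NAME FILE.
vpn_resolve () {
    case "$1" in
        "" | *[!0-9.]*) vpn_hosts_lookup "$1" "${2:-/etc/hosts}" ;;
        *)              echo "$1" ;;
    esac
}

VPN_MY_EXT_NAME=$(vpn_ifcfg_field "$VPN_MY_EXT_IFACE" 2)
VPN_MY_INT_NAME=$(vpn_ifcfg_field "$VPN_MY_INT_IFACE" 2)

# Our internal IP and mask (extra subnets, if any, are configured above)
VPN_MY_INT_IP_0=$(vpn_resolve "$VPN_MY_INT_NAME")
VPN_MY_INT_MASK_0=$(vpn_ifcfg_field "$VPN_MY_INT_IFACE" 3)

# Our external IP and mask.  The mask is read from the *external*
# interface's file; an earlier version read the internal one by mistake.
VPN_MY_EXT_IP=$(vpn_resolve "$VPN_MY_EXT_NAME")
VPN_MY_EXT_MASK=$(vpn_ifcfg_field "$VPN_MY_EXT_IFACE" 3)

# Say so if the values the SA and flow commands depend on are missing;
# the commands themselves are what fails in that case.
for _v in VPN_MY_INT_IP_0 VPN_MY_INT_MASK_0 VPN_MY_EXT_IP; do
    eval _val=\$$_v
    [ -n "$_val" ] || echo "rc.vpn: could not determine $_v" >&2
done
unset _v _val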
! 78:
! 79:
! 80: #############################################################################
! 81: #
! 82: # Pseudo-constants
! 83: #
# Full path of the IPsec administration tool.  Commands below refer to it
# as $ipsecadm so an explicit path is used at boot time instead of PATH.
ipsecadm="/sbin/ipsecadm"
! 85:
! 86:
! 87: #############################################################################
! 88: #
! 89: # Function definitions
! 90: #
# eval_and_echo CMD... -- run the command line given as arguments, first
# printing it when VPN_DO_ECHO_COMMANDS is "YES".  The arguments are joined
# with single spaces and handed to eval, so they may contain shell syntax;
# only ever pass text built from this file's own configuration.  Note the
# echoed line contains any keys on the command line, and the keys are in
# any case visible in the process argument list while ipsecadm runs.
# Returns the exit status of the evaluated command.
eval_and_echo () {
    case "$VPN_DO_ECHO_COMMANDS" in
        YES) echo "$*" ;;
    esac
    eval "$*"
}
! 97:
! 98:
! 99: #############################################################################
! 100: #
! 101: # Executable setup statements
! 102: #
! 103:
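# Create the SAs, one per direction.  Both are keyed from VPN_KEY,
# VPN_AUTHKEY and VPN_IV; VPN_KEY_IN, VPN_AUTHKEY_IN and VPN_IV_IN may be
# set in the configurable section to key the inbound SA separately
# (they default to the outbound values, so existing configurations are
# unaffected).
#
# Refuse to continue if anything essential is unknown: with no SAs and
# no flows installed, traffic for the far subnets may follow the normal
# routes in the clear, so it is safer to stop and complain here than to
# let each ipsecadm call fail on its own.  (If this file is sourced
# rather than executed, the exit ends the caller as well.)
for _v in VPN_MY_EXT_IP VPN_PEER_EXT_IP VPN_SPI_OUT VPN_SPI_IN VPN_KEY VPN_AUTHKEY VPN_IV; do
    eval _val=\$$_v
    if [ -z "$_val" ]; then
        echo "rc.vpn: $_v is empty; not configuring the VPN" >&2
        exit 1
    fi
done
unset _v _val

eval_and_echo "$ipsecadm new esp -src $VPN_MY_EXT_IP -dst $VPN_PEER_EXT_IP -tunnel $VPN_MY_EXT_IP $VPN_PEER_EXT_IP -spi $VPN_SPI_OUT -enc $VPN_ENC -auth $VPN_AUTH -iv $VPN_IV -key $VPN_KEY -authkey $VPN_AUTHKEY"

eval_and_echo "$ipsecadm new esp -src $VPN_PEER_EXT_IP -dst $VPN_MY_EXT_IP -tunnel $VPN_PEER_EXT_IP $VPN_MY_EXT_IP -spi $VPN_SPI_IN -enc $VPN_ENC -auth $VPN_AUTH -iv ${VPN_IV_IN:-$VPN_IV} -key ${VPN_KEY_IN:-$VPN_KEY} -authkey ${VPN_AUTHKEY_IN:-$VPN_AUTHKEY}"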
! 108:
! 109:
! 110: #
! 111: # Create IPSec routes
! 112: #
! 113:
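# Route between the two external IPs.  Invoked through $ipsecadm like the
# other commands in this file; the bare "ipsecadm" used here before relied
# on PATH, which need not contain /sbin when this runs at boot.
eval_and_echo "$ipsecadm flow -dst $VPN_PEER_EXT_IP -spi $VPN_SPI_OUT -addr $VPN_MY_EXT_IP 255.255.255.255 $VPN_PEER_EXT_IP 255.255.255.255 -local"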
! 116:
# Flows from each of our internal subnets (VPN_MY_INT_IP_0 found above plus
# any VPN_MY_INT_IP_n configured) to each internal subnet on the far side.
# Each counter walks its numbered variables until the first one that is
# unset or empty; indirection is via eval because this is plain sh.
mycount=0
eval next_my_ip=\$VPN_MY_INT_IP_${mycount} next_my_mask=\$VPN_MY_INT_MASK_${mycount}
while [ -n "${next_my_ip}" ]; do

    peercount=0
    eval next_peer_ip=\$VPN_PEER_INT_IP_${peercount} next_peer_mask=\$VPN_PEER_INT_MASK_${peercount}
    while [ -n "${next_peer_ip}" ]; do
        # set an IPSec route for this pair of networks
        eval_and_echo "$ipsecadm flow -dst $VPN_PEER_EXT_IP -spi $VPN_SPI_OUT -addr $next_my_ip $next_my_mask $next_peer_ip $next_peer_mask"
        peercount=$((peercount + 1))
        eval next_peer_ip=\$VPN_PEER_INT_IP_${peercount} next_peer_mask=\$VPN_PEER_INT_MASK_${peercount}
    done

    mycount=$((mycount + 1))
    eval next_my_ip=\$VPN_MY_INT_IP_${mycount} next_my_mask=\$VPN_MY_INT_MASK_${mycount}
done
! 143:
! 144:
# Flows from our external IP to each remote internal subnet (marked -local
# like the gateway-to-gateway flow above).  Walks VPN_PEER_INT_IP_n from 0
# until the first unset or empty one.
peercount=0
eval next_peer_ip=\$VPN_PEER_INT_IP_${peercount} next_peer_mask=\$VPN_PEER_INT_MASK_${peercount}
while [ -n "${next_peer_ip}" ]; do
    eval_and_echo "$ipsecadm flow -dst $VPN_PEER_EXT_IP -spi $VPN_SPI_OUT -addr $VPN_MY_EXT_IP 255.255.255.255 $next_peer_ip $next_peer_mask -local"
    peercount=$((peercount + 1))
    eval next_peer_ip=\$VPN_PEER_INT_IP_${peercount} next_peer_mask=\$VPN_PEER_INT_MASK_${peercount}
done
! 160:
! 161:
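# Flows from each of our internal subnets to the remote external IP.
# Walks VPN_MY_INT_IP_n from 0 until the first unset or empty one.  The
# command line is passed as one quoted string like every other call in
# this file; it used to be passed unquoted, which only worked because
# eval_and_echo re-joins its arguments with spaces.
mycount=0
while :
do
    eval next_my_ip=\$VPN_MY_INT_IP_${mycount}
    eval next_my_mask=\$VPN_MY_INT_MASK_${mycount}
    if [ -n "${next_my_ip}" ]; then
        eval_and_echo "$ipsecadm flow -dst $VPN_PEER_EXT_IP -spi $VPN_SPI_OUT -addr $next_my_ip $next_my_mask $VPN_PEER_EXT_IP 255.255.255.255"
        mycount=$((mycount + 1))
    else
        break
    fi
done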
! 175:
! 176:
! 177: