Annotation of src/share/ipsec/rc.vpn, Revision 1.10
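#!/bin/sh
#
# $OpenBSD: rc.vpn,v 1.9 2000/01/13 05:19:10 angelos Exp $
#
# Richard Reiner, Ph.D., FSC Internet Corp.
# rreiner@fscinternet.com
# v0.81 / 26Jul98
#
# Modifications and cleanup by H. Olsson <ho@openbsd.org>, 28Aug99
#
# rc.vpn -- configure IPSec in tunnel mode for a mesh of N local and
# M remote networks. (N x M mesh)
#
# For this to work, you will need to have these enabled (in /etc/sysctl.conf):
# 'sysctl -w net.inet.ip.forwarding=1' (IP packet routing)
# 'sysctl -w net.inet.esp.enable=1' (IPsec ESP protocol)

# XXX The configuration parameters should be moved to another file.

# Uncomment to debug (and not execute) commands
#DEBUG=echo

# Gateway addresses
GW_LOCAL=192.168.254.254
GW_PEER=192.168.1.2

# Local and remote networks, numbered from 0 without gaps, syntax
# <network>/<mask>.  The first unset (or empty) variable ends each list.
LOCAL_NET_0=192.168.254.0/255.255.255.0
LOCAL_NET_1=192.168.253.0/255.255.255.0
REMOTE_NET_0=192.168.1.0/255.255.255.0
REMOTE_NET_1=192.168.2.0/255.255.255.0

# Crypto options and keys, note that key/iv lengths need to correspond
# to the selected encryption and authentication algorithms.
ENC=3des
AUTH=sha1
SPI_OUT=1000
SPI_IN=1001
# ipsecadm reads the SA key material from these files.  They must exist
# and should be readable by root only; both are checked before any SA
# is created.
KEYFILE=/etc/esp-enc-key
AUTHKEYFILE=/etc/esp-auth-key

#############################################################################
############# -- NO CHANGES SHOULD BE NEEDED BELOW THIS LINE -- #############
#############################################################################

ipsecadm=/sbin/ipsecadm
sysctl=/usr/sbin/sysctl
# Mask used for the single-host (gateway) endpoints of the flows.
HOSTMASK=255.255.255.255

# vpn_abort MESSAGE: print the message and stop.  The exit status is kept
# at 0, as the original script did, so a failed VPN setup does not
# interrupt the rest of the rc sequence.
vpn_abort() {
	echo " VPN: $1 Aborting VPN setup."
	exit 0
}

# run_ipsecadm ARGS...: run ipsecadm (or only echo it when DEBUG is set)
# and abort on failure instead of silently continuing with a half
# configured tunnel, which could leave traffic without protection.
run_ipsecadm() {
	$DEBUG $ipsecadm "$@" || vpn_abort "'$ipsecadm $1' failed."
}

# check_sysctl MIB DESCRIPTION: complain and set abort=1 unless MIB is 1.
# The sysctl output is quoted so a failing sysctl (empty output) is
# treated as "not enabled" rather than becoming a shell syntax error.
check_sysctl() {
	if [ "$($sysctl -n $1 2>/dev/null)" != 1 ]; then
		echo " VPN: variable '$1' ($2)"
		abort=1
	fi
}

# check_keyfile FILE: the key file must be readable, and a key readable
# by group or others has to be considered compromised, so refuse to use it.
check_keyfile() {
	if [ ! -r "$1" ]; then
		echo " VPN: key file '$1' is missing or unreadable."
		abort=1
	elif [ -n "$(find "$1" -prune \( -perm -g+r -o -perm -o+r \) \
	    2>/dev/null)" ]; then
		echo " VPN: key file '$1' is readable by group or others."
		abort=1
	fi
}

# split_net VAR: read the variable named VAR (e.g. LOCAL_NET_0) and put
# its network and mask into $net and $mask.  Both are empty when VAR is
# unset or empty, which ends a numbered list.  A value without a '/' is
# a misconfiguration: it would previously have been handed to ipsecadm
# with a 0x0 mask, i.e. a flow matching every address, so it is rejected.
split_net() {
	eval net=\${$1}
	case $net in
	'')
		mask=
		;;
	*/*)
		mask=${net#*/}
		net=${net%%/*}
		;;
	*)
		vpn_abort "'$1=$net' is not of the form <network>/<mask>."
		;;
	esac
}

# add_flows SRC_NET SRC_MASK DST_NET DST_MASK: create the egress flow from
# the local side (SRC) to the remote side (DST) on the outbound SA, and the
# matching ingress flow on the inbound SA.
add_flows() {
	run_ipsecadm flow -proto esp -dst $GW_PEER -spi $SPI_OUT \
	    -addr "$1" "$2" "$3" "$4"
	run_ipsecadm flow -proto esp -dst $GW_LOCAL -spi $SPI_IN -ingress \
	    -addr "$3" "$4" "$1" "$2"
}

#
# Sanity, be verbose about errors.
# XXX In a 1 x M mesh, ip.forwarding may not be strictly necessary.
#

abort=0
check_sysctl net.inet.esp.enable "IPsec ESP protocol"
check_sysctl net.inet.ip.forwarding "IP forwarding/routing"
if [ ${abort} = 1 ]; then
	vpn_abort "must be enabled in /etc/sysctl.conf."
fi

abort=0
check_keyfile "$KEYFILE"
check_keyfile "$AUTHKEYFILE"
if [ ${abort} = 1 ]; then
	vpn_abort "key files must be present and readable by root only."
fi

[ -z "${DEBUG}" ] && echo " VPN "

#
# Setup the SAs
#

run_ipsecadm new esp -src $GW_LOCAL -dst $GW_PEER \
    -forcetunnel -spi $SPI_OUT -enc $ENC -auth $AUTH \
    -keyfile $KEYFILE -authkeyfile $AUTHKEYFILE

run_ipsecadm new esp -src $GW_PEER -dst $GW_LOCAL \
    -forcetunnel -spi $SPI_IN -enc $ENC -auth $AUTH \
    -keyfile $KEYFILE -authkeyfile $AUTHKEYFILE

#
# Create the flows
#

# Gateway to gateway (both egress and ingress flows)
add_flows $GW_LOCAL $HOSTMASK $GW_PEER $HOSTMASK

# Flows from each local to each remote subnet, and vice versa for
# ACL entries
mycount=0
while :; do
	split_net LOCAL_NET_${mycount}
	[ -n "$net" ] || break
	local_net=$net
	local_mask=$mask
	peercount=0
	while :; do
		split_net REMOTE_NET_${peercount}
		[ -n "$net" ] || break
		add_flows $local_net $local_mask $net $mask
		peercount=$((peercount + 1))
	done
	mycount=$((mycount + 1))
done

# XXX Stuff below is mainly for testing, may be removed later.

# Flows from local gw to each remote subnet, and vice versa
peercount=0
while :; do
	split_net REMOTE_NET_${peercount}
	[ -n "$net" ] || break
	add_flows $GW_LOCAL $HOSTMASK $net $mask
	peercount=$((peercount + 1))
done

# Flows from local subnets to the remote gw and vice versa
mycount=0
while :; do
	split_net LOCAL_NET_${mycount}
	[ -n "$net" ] || break
	add_flows $net $mask $GW_PEER $HOSTMASK
	mycount=$((mycount + 1))
done

exit 0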