
Annotation of src/share/ipsec/rc.vpn, Revision 1.12

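#!/bin/sh

#
#    $OpenBSD: rc.vpn,v 1.11 2000/09/19 03:35:08 angelos Exp $
#
# Richard Reiner, Ph.D., FSC Internet Corp.
# rreiner@fscinternet.com
# v0.81 / 26Jul98
#
# Modifications and cleanup by H. Olsson <ho@openbsd.org>, 28Aug99
#
# rc.vpn -- configure IPSec in tunnel mode for a mesh of N local and
#           M remote networks. (N x M mesh)
#
# For this to work, you will need to have these enabled (in /etc/sysctl.conf):
#   'sysctl -w net.inet.ip.forwarding=1'   (IP packet routing)
#   'sysctl -w net.inet.esp.enable=1'      (IPsec ESP protocol)

# XXX The configuration parameters should be moved to another file.

# Uncomment to debug (and not execute) commands
#DEBUG=echo

# Gateway addresses
GW_LOCAL=192.168.254.254
GW_PEER=192.168.1.2

# Local and remote networks, numbered consecutively from 0, syntax
# <network>/<mask>.  The loops below stop at the first unset variable,
# so leave no gaps in the numbering.
LOCAL_NET_0=192.168.254.0/255.255.255.0
LOCAL_NET_1=192.168.253.0/255.255.255.0
REMOTE_NET_0=192.168.1.0/255.255.255.0
REMOTE_NET_1=192.168.2.0/255.255.255.0

# Crypto options and keys, note that key/iv lengths need to correspond
# to the selected encryption and authentication algorithms.
# The key files hold the raw secrets shared with the peer; they should be
# readable by root only.
ENC=3des
AUTH=sha1
SPI_OUT=1000
SPI_IN=1001
KEYFILE=/etc/esp-enc-key
AUTHKEYFILE=/etc/esp-auth-key

#############################################################################
############# -- NO CHANGES SHOULD BE NEEDED BELOW THIS LINE -- #############
#############################################################################

ipsecadm=/sbin/ipsecadm
sysctl=/usr/sbin/sysctl

#
# split_net VARNAME -- split the "<network>/<mask>" value held in the
# shell variable VARNAME into the globals net and mask.  An unset or
# empty variable yields net=0x0, which the loops below use as the
# end-of-list marker.
#
split_net() {
    eval network=\$$1
    # "set --" keeps a value starting with "-" from being taken as an option.
    set -- `echo $network | sed 's%/% %g'` 0x0 0x0
    net=$1
    mask=$2
}

#
# Sanity, be verbose about errors.
# XXX In a 1 x M mesh, ip.forwarding may not be strictly necessary.
#
# Anything other than "1" (including an empty string from a failed sysctl
# lookup) counts as disabled.
#

abort=0
if [ "`${sysctl} -n net.inet.esp.enable`" != 1 ]; then
    echo " VPN: variable 'net.inet.esp.enable' (IPsec ESP protocol)"
    abort=1
fi
if [ "`${sysctl} -n net.inet.ip.forwarding`" != 1 ]; then
    echo " VPN: variable 'net.inet.ip.forwarding' (IP forwarding/routing)"
    abort=1
fi
if [ ${abort} = 1 ]; then
    echo " VPN: must be enabled in /etc/sysctl.conf. Aborting VPN setup."
    # Exit 0 so that a misconfigured VPN does not fail the rest of rc.
    exit 0
fi

[ -z "${DEBUG}" ] && echo " VPN "

#
# Setup the SAs (one per direction; every flow below is bound to them
# through SPI_OUT / SPI_IN)
#

$DEBUG $ipsecadm new esp -src $GW_LOCAL -dst $GW_PEER \
    -forcetunnel -spi $SPI_OUT -enc $ENC -auth $AUTH \
    -keyfile $KEYFILE -authkeyfile $AUTHKEYFILE

$DEBUG $ipsecadm new esp -src $GW_PEER -dst $GW_LOCAL \
    -forcetunnel -spi $SPI_IN -enc $ENC -auth $AUTH \
    -keyfile $KEYFILE -authkeyfile $AUTHKEYFILE

#
# Create the flows
#

# Gateway to gateway (both egress and ingress flows)
$DEBUG $ipsecadm flow -proto esp -src $GW_LOCAL -dst $GW_PEER -spi $SPI_OUT \
    -addr $GW_LOCAL 255.255.255.255 $GW_PEER 255.255.255.255 -out -require
$DEBUG $ipsecadm flow -proto esp -src $GW_LOCAL -dst $GW_PEER -spi $SPI_IN \
    -addr $GW_PEER 255.255.255.255 $GW_LOCAL 255.255.255.255 -in -require

# Flows from each local to each remote subnet, and vice versa for
# ACL entries
mycount=0
while :
do
    split_net LOCAL_NET_${mycount}
    local_net=$net
    local_mask=$mask
    if [ "${local_net}" = "0x0" ]; then
        break
    fi
    peercount=0
    while :
    do
        split_net REMOTE_NET_${peercount}
        remote_net=$net
        remote_mask=$mask
        if [ "${remote_net}" = "0x0" ]; then
            break
        fi
        $DEBUG $ipsecadm flow \
            -proto esp -src $GW_LOCAL -dst $GW_PEER -spi $SPI_OUT \
            -addr $local_net $local_mask $remote_net $remote_mask \
            -out -require

        $DEBUG $ipsecadm flow \
            -proto esp -src $GW_LOCAL -dst $GW_PEER -spi $SPI_IN \
            -in -require \
            -addr $remote_net $remote_mask $local_net $local_mask
        peercount=$(($peercount + 1))
    done
    mycount=$(($mycount + 1))
done

# XXX Stuff below is mainly for testing, may be removed later.

# Flows from local gw to each remote subnet, and vice versa
# Every option line is continued with a trailing backslash so that -addr
# stays part of the ipsecadm command instead of running as a command of
# its own.  -src is given on both flows, as in the other flow commands.
peercount=0
while :
do
    split_net REMOTE_NET_${peercount}
    remote_net=$net
    remote_mask=$mask
    if [ "${remote_net}" = "0x0" ]; then
        break
    fi
    $DEBUG $ipsecadm flow \
        -proto esp -src $GW_LOCAL -dst $GW_PEER -spi $SPI_OUT -out -require \
        -addr $GW_LOCAL 255.255.255.255 $remote_net $remote_mask

    $DEBUG $ipsecadm flow \
        -proto esp -src $GW_LOCAL -dst $GW_PEER -spi $SPI_IN -in -require \
        -addr $remote_net $remote_mask $GW_LOCAL 255.255.255.255
    peercount=$(($peercount + 1))
done

# Flows from local subnets to the remote gw and vice versa
mycount=0
while :
do
    split_net LOCAL_NET_${mycount}
    local_net=$net
    local_mask=$mask
    if [ "${local_net}" = "0x0" ]; then
        break
    fi
    $DEBUG $ipsecadm flow \
        -proto esp -src $GW_LOCAL -dst $GW_PEER -spi $SPI_OUT -out -require \
        -addr $local_net $local_mask $GW_PEER 255.255.255.255

    $DEBUG $ipsecadm flow \
        -proto esp -src $GW_LOCAL -dst $GW_PEER -spi $SPI_IN -in -require \
        -addr $GW_PEER 255.255.255.255 $local_net $local_mask
    mycount=$(($mycount + 1))
done

exit 0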