Annotation of src/share/ipsec/rc.vpn, Revision 1.12
1.1 provos 1: #!/bin/sh
2:
3: #
1.12 ! angelos 4: # $OpenBSD: rc.vpn,v 1.11 2000/09/19 03:35:08 angelos Exp $
1.1 provos 5: #
6: # Richard Reiner, Ph.D., FSC Internet Corp.
7: # rreiner@fscinternet.com
8: # v0.81 / 26Jul98
9: #
1.3 ho 10: # Modifications and cleanup by H. Olsson <ho@openbsd.org>, 28Aug99
1.1 provos 11: #
# rc.vpn -- configure IPsec (ESP) in tunnel mode for a mesh of N local and
# M remote networks (N x M mesh) between this gateway and a single peer
# gateway, using static keys set up with ipsecadm(8).
1.1 provos 14: #
# For this to work, you will need to have these enabled (in /etc/sysctl.conf);
# the script checks both and aborts without installing anything if either is off:
# 'sysctl -w net.inet.ip.forwarding=1' (IP packet routing)
# 'sysctl -w net.inet.esp.enable=1' (IPsec ESP protocol)
18:
19: # XXX The configuration parameters should be moved to another file.
20:
# Uncomment to print the ipsecadm commands instead of executing them
22: #DEBUG=echo
23:
# Gateway addresses: the two tunnel endpoints.  They become the outer
# -src/-dst addresses of the SAs created below.
GW_LOCAL=192.168.254.254
GW_PEER=192.168.1.2

# Local and remote networks, numbered consecutively from 0, syntax
# <network>/<mask> with a dotted-quad mask.  The loops below stop at the
# first index that is not set, so the numbering must have no gaps.
LOCAL_NET_0=192.168.254.0/255.255.255.0
LOCAL_NET_1=192.168.253.0/255.255.255.0
REMOTE_NET_0=192.168.1.0/255.255.255.0
REMOTE_NET_1=192.168.2.0/255.255.255.0

# Crypto options and keys, note that key/iv lengths need to correspond
# to the selected encryption and authentication algorithms.
# These are static, manually configured keys: nothing in this script ever
# rekeys, and the same two key files are loaded into both the inbound and
# the outbound SA.  Keep the key files owned by root with mode 0600 --
# anyone who can read them can decrypt and forge the tunnel traffic.
# NOTE(review): the peer presumably has to be configured as the mirror
# image (its outbound SPI/keys are our SPI_IN) -- verify against the peer.
ENC=3des
AUTH=sha1
SPI_OUT=1000
SPI_IN=1001
KEYFILE=/etc/esp-enc-key
AUTHKEYFILE=/etc/esp-auth-key
1.1 provos 42:
43: #############################################################################
44: ############# -- NO CHANGES SHOULD BE NEEDED BELOW THIS LINE -- #############
45: #############################################################################
46:
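ipsecadm=/sbin/ipsecadm
sysctl=/usr/sbin/sysctl

#
# Sanity, be verbose about errors.  Every failing check is reported before
# we give up, so the admin sees the complete list at once.
# XXX In a 1 x M mesh, ip.forwarding may not be strictly necessary.
#
# Aborting installs no SAs and no flows at all.  The flows below are what
# keeps traffic to the remote networks from leaving unprotected (-require),
# so after an abort any existing route to those networks carries cleartext.
#

abort=0

# The sysctls must read exactly "1"; an unset or unreadable value counts as
# disabled instead of being accepted by accident.
if [ "`$sysctl -n net.inet.esp.enable`" != 1 ]; then
	echo " VPN: variable 'net.inet.esp.enable' (IPsec ESP protocol)"
	abort=1
fi
if [ "`$sysctl -n net.inet.ip.forwarding`" != 1 ]; then
	echo " VPN: variable 'net.inet.ip.forwarding' (IP forwarding/routing)"
	abort=1
fi
if [ ${abort} = 1 ]; then
	echo " VPN: must be enabled in /etc/sysctl.conf. Aborting VPN setup."
	# Exit status stays 0 as before; the messages above are the diagnostic.
	exit 0
fi

# The ESP keys are only as secret as the files holding them: refuse to
# bring up the tunnel if a key file is missing or if group/other have any
# access to it.  Mode bits are read from ls(1) (-L follows a symlink to the
# real file) since stat(1) is not assumed to exist.
for keyfile in "$KEYFILE" "$AUTHKEYFILE"; do
	if [ ! -f "$keyfile" ]; then
		echo " VPN: key file '$keyfile' does not exist."
		abort=1
		continue
	fi
	# Characters 5-10 of the ls -l mode field are the group and other bits.
	mode=`ls -ldL "$keyfile" | cut -c5-10`
	case "$mode" in
	*[rwx]*)
		echo " VPN: key file '$keyfile' is accessible by group/other;" \
		    "make it owned by root with mode 0600."
		abort=1
		;;
	esac
done
if [ ${abort} = 1 ]; then
	echo " VPN: Aborting VPN setup."
	exit 0
fi

# Print the section banner only when commands are really executed.
[ -z "${DEBUG}" ] && echo " VPN "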
1.1 provos 69:
#
# Setup the SAs: one ESP tunnel-mode SA per direction.  Both are loaded
# with the same encryption and authentication key files.
#

# new_sa SRC DST SPI -- create one ESP SA in tunnel mode from SRC to DST
# with the configured algorithms and key files.
new_sa() {
	$DEBUG $ipsecadm new esp -src "$1" -dst "$2" -forcetunnel -spi "$3" \
	    -enc "$ENC" -auth "$AUTH" \
	    -keyfile "$KEYFILE" -authkeyfile "$AUTHKEYFILE"
}

new_sa "$GW_LOCAL" "$GW_PEER" "$SPI_OUT"	# outbound SA: us -> peer
new_sa "$GW_PEER" "$GW_LOCAL" "$SPI_IN"		# inbound SA: peer -> us
1.1 provos 81:
82: #
1.3 ho 83: # Create the flows
1.1 provos 84: #
85:
# Gateway to gateway (both egress and ingress flows).  Host masks pin the
# selectors to exactly the two endpoint addresses.
# NOTE(review): both flows name the SA as -src $GW_LOCAL -dst $GW_PEER even
# though the inbound SA was created with the addresses reversed; every flow
# in this file does the same -- verify against ipsecadm(8).
hostmask=255.255.255.255
gw_sa="-proto esp -src $GW_LOCAL -dst $GW_PEER"
$DEBUG $ipsecadm flow $gw_sa -spi $SPI_OUT \
    -addr $GW_LOCAL $hostmask $GW_PEER $hostmask -out -require
$DEBUG $ipsecadm flow $gw_sa -spi $SPI_IN \
    -addr $GW_PEER $hostmask $GW_LOCAL $hostmask -in -require
1.1 provos 91:
# Flows from each local to each remote subnet, and vice versa for
# ACL entries: one -out and one -in flow per (local, remote) pair.

# net_parts VALUE -- split "<network>/<mask>" into $net and $mask.  An
# empty VALUE (unset LOCAL_NET_n / REMOTE_NET_n) or a missing mask yields
# "0x0", which is what ends the loops below.
net_parts() {
	set -- `echo $1 | sed 's%/% %g'` 0x0 0x0
	net=$1
	mask=$2
}

mycount=0
while :
do
	eval network=\$LOCAL_NET_${mycount}
	net_parts "$network"
	[ "$net" = "0x0" ] && break
	local_net=$net
	local_mask=$mask

	peercount=0
	while :
	do
		eval network=\$REMOTE_NET_${peercount}
		net_parts "$network"
		[ "$net" = "0x0" ] && break
		remote_net=$net
		remote_mask=$mask

		# Egress: local subnet -> remote subnet over the outbound SA.
		$DEBUG $ipsecadm flow \
		    -proto esp -src $GW_LOCAL -dst $GW_PEER -spi $SPI_OUT \
		    -addr $local_net $local_mask $remote_net $remote_mask \
		    -out -require

		# Ingress: remote subnet -> local subnet over the inbound SA.
		$DEBUG $ipsecadm flow \
		    -proto esp -src $GW_LOCAL -dst $GW_PEER -spi $SPI_IN \
		    -in -require \
		    -addr $remote_net $remote_mask $local_net $local_mask

		peercount=$(($peercount + 1))
	done
	mycount=$(($mycount + 1))
done
129:
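# XXX Stuff below is mainly for testing, may be removed later.

# Flows from local gw to each remote subnet, and vice versa, so that the
# gateway's own address can talk to the remote networks through the tunnel.
peercount=0
while :
do
	eval network=\$REMOTE_NET_${peercount}
	set -- `echo $network | sed 's%/% %g'` 0x0 0x0
	remote_net=$1
	remote_mask=$2
	# The first unset REMOTE_NET_<n> ends the loop.
	[ "${remote_net}" = "0x0" ] && break

	# -src/-dst name the SA the same way as every other flow in this file.
	$DEBUG $ipsecadm flow \
	    -proto esp -dst $GW_PEER -spi $SPI_OUT -out -require \
	    -src $GW_LOCAL \
	    -addr $GW_LOCAL 255.255.255.255 $remote_net $remote_mask

	# Every option must be part of the one ipsecadm command: without the
	# line continuation after -src, "-addr ..." ran as a shell command of
	# its own and the flow was requested without its address selector.
	$DEBUG $ipsecadm flow \
	    -proto esp -dst $GW_PEER -spi $SPI_IN -in -require \
	    -src $GW_LOCAL \
	    -addr $remote_net $remote_mask $GW_LOCAL 255.255.255.255

	peercount=$(($peercount + 1))
done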
154:
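# Flows from local subnets to the remote gw and vice versa, so that hosts
# on each local network can talk to the peer gateway's own address.
mycount=0
while :
do
	eval network=\$LOCAL_NET_${mycount}
	set -- `echo $network | sed 's%/% %g'` 0x0 0x0
	local_net=$1
	local_mask=$2
	# The first unset LOCAL_NET_<n> ends the loop.
	[ "${local_net}" = "0x0" ] && break

	$DEBUG $ipsecadm flow \
	    -proto esp -dst $GW_PEER -spi $SPI_OUT -out -require \
	    -src $GW_LOCAL \
	    -addr $local_net $local_mask $GW_PEER 255.255.255.255

	# Every option must be part of the one ipsecadm command: without the
	# line continuation after -src, "-addr ..." ran as a shell command of
	# its own and the flow was requested without its address selector.
	$DEBUG $ipsecadm flow \
	    -proto esp -dst $GW_PEER -spi $SPI_IN -in -require \
	    -src $GW_LOCAL \
	    -addr $GW_PEER 255.255.255.255 $local_net $local_mask

	mycount=$(($mycount + 1))
done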
1.3 ho 178:
179: exit 0