Annotation of src/share/ipsec/rc.vpn, Revision 1.14
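#!/bin/sh

#
# $OpenBSD: rc.vpn,v 1.13 2000/09/27 04:36:55 angelos Exp $
#
# Richard Reiner, Ph.D., FSC Internet Corp.
# rreiner@fscinternet.com
# v0.81 / 26Jul98
#
# Modifications and cleanup by H. Olsson <ho@openbsd.org>, 28Aug99
#
# rc.vpn -- configure IPSec in tunnel mode for a mesh of N local and
# M remote networks. (N x M mesh)
#
# For this to work, you will need to have these enabled (in /etc/sysctl.conf):
# 'sysctl -w net.inet.ip.forwarding=1' (IP packet routing)
# 'sysctl -w net.inet.esp.enable=1' (IPsec ESP protocol)

# XXX The configuration parameters should be moved to another file.

# Uncomment to debug (and not execute) commands
#DEBUG=echo

# Gateway addresses
GW_LOCAL=192.168.254.254
GW_PEER=192.168.1.2

# Local and remote networks, numbered consecutively from 0, syntax
# <network>/<mask>.  The first missing number terminates each list.
LOCAL_NET_0=192.168.254.0/255.255.255.0
LOCAL_NET_1=192.168.253.0/255.255.255.0
REMOTE_NET_0=192.168.1.0/255.255.255.0
REMOTE_NET_1=192.168.2.0/255.255.255.0

# Crypto options and keys, note that key/iv lengths need to correspond
# to the selected encryption and authentication algorithms.
# Both SAs (outbound and inbound) below are keyed from the same two files;
# distinct key material per direction is preferable where the peer allows it.
ENC=3des
AUTH=sha1
SPI_OUT=1000
SPI_IN=1001
KEYFILE=/etc/esp-enc-key
AUTHKEYFILE=/etc/esp-auth-key

#############################################################################
############# -- NO CHANGES SHOULD BE NEEDED BELOW THIS LINE -- #############
#############################################################################

ipsecadm=/sbin/ipsecadm
# Netmask used when a flow endpoint is a single gateway address.
HOSTMASK=255.255.255.255

#
# Helpers
#

# sysctl_enabled <mib>
# Succeeds iff the MIB reads as a non-zero value.  An empty read (sysctl
# failure) counts as disabled, so the setup aborts instead of continuing
# with an unknown kernel state.
sysctl_enabled() {
	_val=`/usr/sbin/sysctl -n $1`
	[ -n "$_val" ] && [ "$_val" != 0 ]
}

# split_net <network>/<mask>
# Prints "<network> <mask>".  An empty argument (an unset *_NET_n variable,
# i.e. the end of a list) prints the sentinel "0x0 0x0".
split_net() {
	set -- `echo "$1" | sed 's%/% %g'` 0x0 0x0
	echo "$1 $2"
}

# add_flows <src-net> <src-mask> <dst-net> <dst-mask>
# Creates the pair of ESP flows through the local/peer gateway SAs that
# protects traffic from src to dst (-out) and the reverse direction (-in).
add_flows() {
	$DEBUG $ipsecadm flow -proto esp -src $GW_LOCAL -dst $GW_PEER \
	    -addr $1 $2 $3 $4 -out -require
	$DEBUG $ipsecadm flow -proto esp -src $GW_LOCAL -dst $GW_PEER \
	    -addr $3 $4 $1 $2 -in -require
}

#
# Sanity, be verbose about errors.
# XXX In a 1 x M mesh, ip.forwarding may not be strictly necessary.
#

abort=0
if ! sysctl_enabled net.inet.esp.enable; then
	echo " VPN: 'net.inet.esp.enable' (IPsec ESP protocol) must be enabled in /etc/sysctl.conf."
	abort=1
fi
if ! sysctl_enabled net.inet.ip.forwarding; then
	echo " VPN: 'net.inet.ip.forwarding' (IP forwarding/routing) must be enabled in /etc/sysctl.conf."
	abort=1
fi

# Key material must be present (the SAs cannot be created otherwise) and
# should not be readable by group/other.  Skipped in DEBUG mode, where
# ipsecadm is only echoed and not actually run.
if [ -z "${DEBUG}" ]; then
	for f in $KEYFILE $AUTHKEYFILE; do
		if [ ! -r "$f" ]; then
			echo " VPN: key file '$f' is missing or unreadable."
			abort=1
		else
			# Warn rather than abort, so a permissions slip is
			# visible at boot time without leaving the VPN down.
			perms=`ls -ld "$f"`
			case "$perms" in
			-??????---*) ;;
			*) echo " VPN: warning: key file '$f' is readable by group/other." ;;
			esac
		fi
	done
fi

if [ ${abort} = 1 ]; then
	echo " VPN: Aborting VPN setup."
	exit 0
fi

[ -z "${DEBUG}" ] && echo " VPN "

#
# Setup the SAs
#

$DEBUG $ipsecadm new esp -src $GW_LOCAL -dst $GW_PEER \
    -forcetunnel -spi $SPI_OUT -enc $ENC -auth $AUTH \
    -keyfile $KEYFILE -authkeyfile $AUTHKEYFILE

$DEBUG $ipsecadm new esp -src $GW_PEER -dst $GW_LOCAL \
    -forcetunnel -spi $SPI_IN -enc $ENC -auth $AUTH \
    -keyfile $KEYFILE -authkeyfile $AUTHKEYFILE

#
# Create the flows
#

# Gateway to gateway (both egress and ingress flows)
add_flows $GW_LOCAL $HOSTMASK $GW_PEER $HOSTMASK

# Flows from each local to each remote subnet, and vice versa for
# ACL entries
mycount=0
while :
do
	eval network=\$LOCAL_NET_${mycount}
	set -- `split_net "$network"`
	local_net=$1
	local_mask=$2
	[ "${local_net}" = "0x0" ] && break
	peercount=0
	while :
	do
		eval network=\$REMOTE_NET_${peercount}
		set -- `split_net "$network"`
		remote_net=$1
		remote_mask=$2
		[ "${remote_net}" = "0x0" ] && break
		add_flows $local_net $local_mask $remote_net $remote_mask
		peercount=$(($peercount + 1))
	done
	mycount=$(($mycount + 1))
done

# XXX Stuff below is mainly for testing, may be removed later.

# Flows from local gw to each remote subnet, and vice versa
peercount=0
while :
do
	eval network=\$REMOTE_NET_${peercount}
	set -- `split_net "$network"`
	remote_net=$1
	remote_mask=$2
	[ "${remote_net}" = "0x0" ] && break
	add_flows $GW_LOCAL $HOSTMASK $remote_net $remote_mask
	peercount=$(($peercount + 1))
done

# Flows from local subnets to the remote gw and vice versa
mycount=0
while :
do
	eval network=\$LOCAL_NET_${mycount}
	set -- `split_net "$network"`
	local_net=$1
	local_mask=$2
	[ "${local_net}" = "0x0" ] && break
	add_flows $local_net $local_mask $GW_PEER $HOSTMASK
	mycount=$(($mycount + 1))
done

exit 0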