Annotation of src/share/ipsec/rc.vpn, Revision 1.16
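#!/bin/sh
# $OpenBSD: rc.vpn,v 1.15 2001/06/27 03:32:56 angelos Exp $
#
# Richard Reiner, Ph.D., FSC Internet Corp.
# rreiner@fscinternet.com
# v0.81 / 26Jul98
#
# Modifications and cleanup by H. Olsson <ho@openbsd.org>, 28Aug99
#
# rc.vpn -- configure IPsec in tunnel mode for a mesh of N local and
# M remote networks. (N x M mesh)
#
# For this to work, you will need to have these enabled (in /etc/sysctl.conf):
# 'sysctl -w net.inet.ip.forwarding=1' (IP packet routing)
# 'sysctl -w net.inet.esp.enable=1' (IPsec ESP protocol)

# XXX The configuration parameters should be moved to another file.

# Uncomment to debug (and not execute) commands.  When DEBUG is set,
# every ipsecadm invocation below is prefixed with it (so it is echoed
# rather than run) and the sanity checks report but do not exit.
#DEBUG=echo

# Gateway addresses
GW_LOCAL=192.168.254.254
GW_REMOTE=192.168.1.2

# Local and remote networks, numbered from 0 without gaps: the loops
# below stop at the first LOCAL_NET_n / REMOTE_NET_n that is unset.
LOCAL_NET_0="192.168.254.0/24"
LOCAL_NET_1="192.168.253.0/24"
REMOTE_NET_0="192.168.1.0/24"
REMOTE_NET_1="192.168.2.0/24"

# Optional, use for manual keying only (leave ENC empty to skip the
# manual SAs and only install the flows).
# Crypto options and keys, note that key/iv lengths need to correspond
# to the selected encryption and authentication algorithms.
# The key files hold the raw SA keys and should be readable by root only.
ENC=3des
AUTH=sha1
SPI_OUT=1000
SPI_IN=1001
KEYFILE=/etc/esp-enc-key
AUTHKEYFILE=/etc/esp-auth-key

#############################################################################
############# -- NO CHANGES SHOULD BE NEEDED BELOW THIS LINE -- #############
#############################################################################

ipsecadm=/sbin/ipsecadm

#
# Sanity, be verbose about errors.
# XXX In a 1 x M mesh, ip.forwarding may not be strictly necessary.
#
# The sysctl output is captured into a variable and defaulted to 0 so
# that a failed/empty sysctl read counts as "disabled" instead of
# producing a malformed test expression.
# NOTE(review): the script exits 0 even when it aborts, so a caller
# cannot tell from the exit status that no tunnel was set up -- confirm
# whether the rc caller could cope with a non-zero status.
#

abort=0
esp_enable=`/usr/sbin/sysctl -n net.inet.esp.enable 2>/dev/null`
if [ "${esp_enable:-0}" = 0 ]; then
	echo "$0: variable 'net.inet.esp.enable' (IPsec ESP protocol)"
	abort=1
fi
ip_forwarding=`/usr/sbin/sysctl -n net.inet.ip.forwarding 2>/dev/null`
if [ "${ip_forwarding:-0}" = 0 ]; then
	echo "$0: variable 'net.inet.ip.forwarding' (IP forwarding/routing)"
	abort=1
fi
if [ ${abort} = 1 ]; then
	echo "$0: must be enabled in /etc/sysctl.conf. Aborting VPN setup."
	[ -z "${DEBUG}" ] && exit 0
fi

# With manual keying, check the key files *before* flushing: aborting
# after the flush would leave the gateway with no SAs at all.
if [ -n "$ENC" ]; then
	for keyfile in "$KEYFILE" "$AUTHKEYFILE"; do
		if [ ! -r "$keyfile" ]; then
			echo "$0: key file '$keyfile' is missing or unreadable. Aborting VPN setup."
			[ -z "${DEBUG}" ] && exit 0
		fi
	done
fi

# Start from a clean SAD/SPD; everything installed below is recreated.
$DEBUG $ipsecadm flush

#
# Setup the manual SAs (one per direction, SPI_OUT outbound, SPI_IN inbound)
#

if [ -n "$ENC" ]; then
	$DEBUG $ipsecadm new esp -src $GW_LOCAL -dst $GW_REMOTE \
		-forcetunnel -spi $SPI_OUT -enc $ENC -auth $AUTH \
		-keyfile $KEYFILE -authkeyfile $AUTHKEYFILE

	$DEBUG $ipsecadm new esp -src $GW_REMOTE -dst $GW_LOCAL \
		-forcetunnel -spi $SPI_IN -enc $ENC -auth $AUTH \
		-keyfile $KEYFILE -authkeyfile $AUTHKEYFILE
fi

#
# Setup the Flows, aka SPD
#
# FLOW/FLOWIN/FLOWOUT are command prefixes and are deliberately expanded
# unquoted so that the shell splits them into words.
#

FLOW="$DEBUG $ipsecadm flow -proto esp -src $GW_LOCAL -dst $GW_REMOTE"
FLOWIN="$FLOW -in -require -addr"
FLOWOUT="$FLOW -out -require -addr"

# local gateway to remote gateway

$FLOWOUT ${GW_LOCAL}/32 ${GW_REMOTE}/32
$FLOWIN ${GW_REMOTE}/32 ${GW_LOCAL}/32

# each local net to each remote net
#
# Indirect lookup of LOCAL_NET_n / REMOTE_NET_n by number; the eval
# assigns directly (no echo, so no word splitting of the value).

localcount=0
while :; do
	eval "local_net=\${LOCAL_NET_${localcount}}"
	[ -n "${local_net}" ] || break
	remotecount=0
	while :; do
		eval "remote_net=\${REMOTE_NET_${remotecount}}"
		[ -n "${remote_net}" ] || break
		$FLOWOUT "$local_net" "$remote_net"
		$FLOWIN "$remote_net" "$local_net"
		remotecount=$((remotecount + 1))
	done
	localcount=$((localcount + 1))
done

exit 0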