
Annotation of src/share/ipsec/rc.vpn, Revision 1.17

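#!/bin/sh
#      $OpenBSD: rc.vpn,v 1.16 2002/12/04 15:03:56 markus Exp $
#
# Richard Reiner, Ph.D., FSC Internet Corp.
# rreiner@fscinternet.com
# v0.81 / 26Jul98
#
# Modifications and cleanup by H. Olsson <ho@openbsd.org>, 28Aug99
# and Markus Friedl <markus@openbsd.org>
#
# rc.vpn -- configure IPsec in tunnel mode for a mesh of N local and
#           M remote networks. (N x M mesh)
#
# The script runs in three stages:
#   1. sanity checks (sysctls and, for manual keying, the key files);
#      nothing is modified if these fail, unless DEBUG is set;
#   2. flush the existing SAs and install one manual ESP SA per direction;
#   3. install the IPsec flows (SPD) for every local/remote network pair,
#      plus the gateway addresses themselves.
#
# For this to work, you will need to have these enabled (in /etc/sysctl.conf):
#   'sysctl -w net.inet.ip.forwarding=1'   (IP packet routing)
#   'sysctl -w net.inet.esp.enable=1'      (IPsec ESP protocol)

# XXX The configuration parameters should be moved to another file.

# Uncomment to debug (and not execute) commands.  Note that with DEBUG
# set the sanity checks only report problems; they do not stop the run.
#DEBUG=echo

# Gateway addresses
GW_LOCAL=192.168.254.254
GW_REMOTE=192.168.1.2

# Local and remote networks (whitespace separated CIDR prefixes)
LOCAL_NETWORKS="192.168.254.0/24 192.168.253.0/24"
REMOTE_NETWORKS="192.168.1.0/24 192.168.2.0/24"

# Optional, use for manual keying only; leave ENC empty to skip the
# manual SAs entirely.
# Crypto options and keys, note that key/iv lengths need to correspond
# to the selected encryption and authentication algorithms.
# The key files hold long-lived secrets: keep them readable by root only
# and do not distribute them together with this script.
ENC=3des
AUTH=sha1
SPI_OUT=1000
SPI_IN=1001
KEYFILE=/etc/esp-enc-key
AUTHKEYFILE=/etc/esp-auth-key

#############################################################################
############# -- NO CHANGES SHOULD BE NEEDED BELOW THIS LINE -- #############
#############################################################################

ipsecadm=/sbin/ipsecadm
sysctl=/usr/sbin/sysctl

#
# Sanity, be verbose about errors.
# XXX In a 1 x M mesh, ip.forwarding may not be strictly necessary.
#
# The sysctl output is quoted so that an empty result (e.g. a failed
# read) yields a well-formed test instead of a shell syntax error, and
# '=' rather than '==' is the POSIX test(1) string comparison.
#

abort=0
if [ "`${sysctl} -n net.inet.esp.enable`" = 0 ]; then
	echo "$0: variable 'net.inet.esp.enable=0' (IPsec ESP protocol)"
	abort=1
fi
if [ "`${sysctl} -n net.inet.ip.forwarding`" = 0 ]; then
	echo "$0: variable 'net.inet.ip.forwarding=0' (IP forwarding/routing)"
	abort=1
fi
if [ ${abort} = 1 ]; then
	echo "$0: must be enabled in /etc/sysctl.conf. Aborting VPN setup."
	# NOTE(review): the abort exits 0, so a caller that inspects the
	# status cannot tell that no VPN was configured; kept as-is because
	# the original behaves this way and the invoker is not visible here.
	[ -z "${DEBUG}" ] && exit 0
fi

# Manual keying only: verify the key material is present *before* the
# flush below, so a misconfiguration does not remove the existing SAs
# and flows and then fail to install new ones.
if [ "$ENC" ]; then
	for keyfile in "${KEYFILE}" "${AUTHKEYFILE}"; do
		if [ ! -r "${keyfile}" ]; then
			echo "$0: key file '${keyfile}' missing or unreadable. Aborting VPN setup."
			[ -z "${DEBUG}" ] && exit 0
		fi
	done
fi

# Flushes all existing SAs (and their flows), not only those created by
# this script.
$DEBUG $ipsecadm flush

#
# Setup the manual SAs
#
# One SA per direction: SPI_OUT for local -> remote, SPI_IN for
# remote -> local.  Both use the same keys and algorithms.
#

if [ "$ENC" ]; then
	$DEBUG $ipsecadm new esp -src $GW_LOCAL -dst $GW_REMOTE \
		-forcetunnel -spi $SPI_OUT -enc $ENC -auth $AUTH \
		-keyfile $KEYFILE -authkeyfile $AUTHKEYFILE

	$DEBUG $ipsecadm new esp -src $GW_REMOTE -dst $GW_LOCAL \
		-forcetunnel -spi $SPI_IN -enc $ENC -auth $AUTH \
		-keyfile $KEYFILE -authkeyfile $AUTHKEYFILE
fi

#
# Setup the Flows, aka SPD
#

# add the gateways, so gateway-to-gateway traffic is protected as well
LOCAL_NETWORKS="${GW_LOCAL}/32 ${LOCAL_NETWORKS}"
REMOTE_NETWORKS="${GW_REMOTE}/32 ${REMOTE_NETWORKS}"

# Common prefix for every flow: ESP between the two gateways.  '-require'
# makes matching traffic require IPsec, so it is not sent in the clear
# when no SA is available.
FLOW="$DEBUG ${ipsecadm} flow -proto esp -src ${GW_LOCAL} -dst ${GW_REMOTE} -require"

# each local net to each remote net, in both directions (N x M x 2 flows)
for local_net in ${LOCAL_NETWORKS}; do
	for remote_net in ${REMOTE_NETWORKS}; do
		$FLOW -out -addr $local_net  $remote_net
		$FLOW -in  -addr $remote_net $local_net
	done
done

exit 0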