Annotation of src/share/ipsec/rc.vpn, Revision 1.17
1.1 provos 1: #!/bin/sh
1.17 ! markus 2: # $OpenBSD: rc.vpn,v 1.16 2002/12/04 15:03:56 markus Exp $
1.1 provos 3: #
4: # Richard Reiner, Ph.D., FSC Internet Corp.
5: # rreiner@fscinternet.com
6: # v0.81 / 26Jul98
7: #
1.3 ho 8: # Modifications and cleanup by H. Olsson <ho@openbsd.org>, 28Aug99
1.17 ! markus 9: # and Markus Friedl <markus@openbsd.org>
1.1 provos 10: #
1.15 angelos 11: # rc.vpn -- configure IPsec in tunnel mode for a mesh of N local and
1.3 ho 12: # M remote networks. (N x M mesh)
1.1 provos 13: #
1.4 ho 14: # For this to work, you will need to have these enabled (in /etc/sysctl.conf):
1.3 ho 15: # 'sysctl -w net.inet.ip.forwarding=1' (IP packet routing)
16: # 'sysctl -w net.inet.esp.enable=1' (IPsec ESP protocol)
17:
18: # XXX The configuration parameters should be moved to another file.
19:
20: # Uncomment to debug (and not execute) commands
21: #DEBUG=echo
22:
23: # Gateway adresses
24: GW_LOCAL=192.168.254.254
1.16 markus 25: GW_REMOTE=192.168.1.2
1.3 ho 26:
1.17 ! markus 27: # Local and remote networks
! 28: LOCAL_NETWORKS="192.168.254.0/24 192.168.253.0/24"
! 29: REMOTE_NETWORKS="192.168.1.0/24 192.168.2.0/24"
1.3 ho 30:
1.16 markus 31: # Optional, use for manual keying only
1.3 ho 32: # Crypto options and keys, note that key/iv lengths need to correspond
33: # to the selected encryption and authentication algorithms.
1.10 angelos 34: ENC=3des
1.3 ho 35: AUTH=sha1
36: SPI_OUT=1000
37: SPI_IN=1001
1.10 angelos 38: KEYFILE=/etc/esp-enc-key
39: AUTHKEYFILE=/etc/esp-auth-key
1.1 provos 40:
41: #############################################################################
42: ############# -- NO CHANGES SHOULD BE NEEDED BELOW THIS LINE -- #############
43: #############################################################################
44:
1.3 ho 45: ipsecadm=/sbin/ipsecadm
1.1 provos 46:
47: #
1.3 ho 48: # Sanity, be verbose about errors.
49: # XXX In a 1 x M mesh, ip.forwarding may not be strictly necessary.
1.1 provos 50: #
51:
1.3 ho 52: abort=0
53: if [ `/usr/sbin/sysctl -n net.inet.esp.enable` == 0 ]; then
1.17 ! markus 54: echo "$0: variable 'net.inet.esp.enable=0' (IPsec ESP protocol)"
1.16 markus 55: abort=1
1.3 ho 56: fi
57: if [ `/usr/sbin/sysctl -n net.inet.ip.forwarding` == 0 ]; then
1.17 ! markus 58: echo "$0: variable 'net.inet.ip.forwarding=0' (IP forwarding/routing)"
1.16 markus 59: abort=1
1.3 ho 60: fi
61: if [ ${abort} = 1 ]; then
1.16 markus 62: echo "$0: must be enabled in /etc/sysctl.conf. Aborting VPN setup."
63: [ ! -n "${DEBUG}" ] && exit 0
1.3 ho 64: fi
1.1 provos 65:
1.16 markus 66: $DEBUG $ipsecadm flush
67:
68: #
69: # Setup the manual SAs
70: #
71:
72: if [ "$ENC" ]; then
73: $DEBUG $ipsecadm new esp -src $GW_LOCAL -dst $GW_REMOTE \
74: -forcetunnel -spi $SPI_OUT -enc $ENC -auth $AUTH \
75: -keyfile $KEYFILE -authkeyfile $AUTHKEYFILE
76:
77: $DEBUG $ipsecadm new esp -src $GW_REMOTE -dst $GW_LOCAL \
78: -forcetunnel -spi $SPI_IN -enc $ENC -auth $AUTH \
79: -keyfile $KEYFILE -authkeyfile $AUTHKEYFILE
80: fi
1.1 provos 81:
82: #
1.16 markus 83: # Setup the Flows, aka SPD
1.1 provos 84: #
85:
1.17 ! markus 86: # add the gateways
! 87: LOCAL_NETWORKS="${GW_LOCAL}/32 ${LOCAL_NETWORKS}"
! 88: REMOTE_NETWORKS="${GW_REMOTE}/32 ${REMOTE_NETWORKS}"
1.16 markus 89:
1.17 ! markus 90: FLOW="$DEBUG ${ipsecadm} flow -proto esp -src ${GW_LOCAL} -dst ${GW_REMOTE} -require"
1.16 markus 91:
92: # each local net to each remote net
1.17 ! markus 93: for local_net in ${LOCAL_NETWORKS}; do
! 94: for remote_net in ${REMOTE_NETWORKS}; do
! 95: $FLOW -out -addr $local_net $remote_net
! 96: $FLOW -in -addr $remote_net $local_net
1.1 provos 97: done
98: done
1.3 ho 99:
100: exit 0