Annotation of src/share/ipsec/rc.vpn, Revision 1.20
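#!/bin/sh
# $OpenBSD: rc.vpn,v 1.19 2003/03/09 06:08:28 david Exp $
#
# Richard Reiner, Ph.D., FSC Internet Corp.
# rreiner@fscinternet.com
# v0.81 / 26Jul98
#
# Modifications and cleanup by H. Olsson <ho@openbsd.org>, 28Aug99
# and Markus Friedl <markus@openbsd.org>
#
# rc.vpn -- configure IPsec in tunnel mode for a mesh of N local and
# M remote networks. (N x M mesh)
#
# For this to work, you will need to have these enabled (in /etc/sysctl.conf,
# or at runtime with 'sysctl -w'):
#   net.inet.ip.forwarding=1	(IP packet routing)
#   net.inet.esp.enable=1	(IPsec ESP protocol)

# XXX The configuration parameters should be moved to another file.

# As shipped, DEBUG is set, so every ipsecadm command below is only printed
# (via echo) and NOT executed.  Comment out the next line to actually
# configure IPsec.
DEBUG=echo

# Gateway addresses
GW_LOCAL=192.168.254.254
GW_REMOTE=192.168.1.2

# Local and remote networks
LOCAL_NETWORKS="192.168.254.0/24 192.168.253.0/24"
REMOTE_NETWORKS="192.168.1.0/24 192.168.2.0/24"

# Optional, use for manual keying only; leave ENC empty to skip the manual
# SA setup below.
# Crypto options and keys, note that key/iv lengths need to correspond
# to the selected encryption and authentication algorithms.
# The keys are handed to ipsecadm as files (-keyfile/-authkeyfile) rather
# than on the command line, so they never appear in process listings;
# keep the files readable by root only.
ENC=3des
AUTH=sha1
SPI_OUT=1000
SPI_IN=1001
KEYFILE=/etc/esp-enc-key
AUTHKEYFILE=/etc/esp-auth-key

#############################################################################
############# -- NO CHANGES SHOULD BE NEEDED BELOW THIS LINE -- #############
#############################################################################

ipsecadm=/sbin/ipsecadm

#
# Sanity, be verbose about errors.  Every check runs before the existing
# IPsec state is flushed, so a misconfiguration does not leave the host
# with its current SAs torn down and nothing in their place.
# XXX In a 1 x M mesh, ip.forwarding may not be strictly necessary.
#

abort=0
# Quoted command substitution: an empty sysctl result must not turn the
# test into a syntax error.  '=' is the portable test(1) operator.
if [ "$(/usr/sbin/sysctl -n net.inet.esp.enable)" = 0 ]; then
	echo "$0: variable 'net.inet.esp.enable=0' (IPsec ESP protocol)"
	abort=1
fi
if [ "$(/usr/sbin/sysctl -n net.inet.ip.forwarding)" = 0 ]; then
	echo "$0: variable 'net.inet.ip.forwarding=0' (IP forwarding/routing)"
	abort=1
fi
if [ "${abort}" = 1 ]; then
	echo "$0: must be enabled in /etc/sysctl.conf. Aborting VPN setup."
	# In debug mode keep going and just print the commands.
	# NOTE(review): the zero exit status on abort is kept from the
	# original; confirm callers do not expect a non-zero status here.
	[ -z "${DEBUG}" ] && exit 0
fi

# Manual keying needs both key files; verify them before touching the
# kernel, otherwise 'ipsecadm new esp' would fail after the flush.
if [ -n "${ENC}" ]; then
	for keyfile in "${KEYFILE}" "${AUTHKEYFILE}"; do
		if [ ! -r "${keyfile}" ]; then
			echo "$0: key file '${keyfile}' is missing or unreadable. Aborting VPN setup."
			[ -z "${DEBUG}" ] && exit 0
		fi
	done
fi

# Start from a clean slate: drop the existing IPsec state.
$DEBUG $ipsecadm flush

#
# Setup the manual SAs (only when ENC is set; otherwise the SAs are
# expected to be established by other means)
#

if [ -n "${ENC}" ]; then
	# outbound SA: local gateway -> remote gateway
	$DEBUG $ipsecadm new esp -src $GW_LOCAL -dst $GW_REMOTE \
	    -forcetunnel -spi $SPI_OUT -enc $ENC -auth $AUTH \
	    -keyfile $KEYFILE -authkeyfile $AUTHKEYFILE

	# inbound SA: remote gateway -> local gateway
	$DEBUG $ipsecadm new esp -src $GW_REMOTE -dst $GW_LOCAL \
	    -forcetunnel -spi $SPI_IN -enc $ENC -auth $AUTH \
	    -keyfile $KEYFILE -authkeyfile $AUTHKEYFILE
fi

#
# Setup the Flows, aka SPD
#

# add the gateways themselves to the mesh, so traffic between the two
# gateway hosts is protected as well
LOCAL_NETWORKS="${GW_LOCAL}/32 ${LOCAL_NETWORKS}"
REMOTE_NETWORKS="${GW_REMOTE}/32 ${REMOTE_NETWORKS}"
# but allow ESP in the clear between the gateways: the encapsulated
# packets themselves must be exempt, or the tunnel could never carry them
BYPASS="$DEBUG ${ipsecadm} flow -transport esp -src ${GW_LOCAL} -dst ${GW_REMOTE} -bypass"
$BYPASS -out -addr ${GW_LOCAL}/32 ${GW_REMOTE}/32
$BYPASS -in -addr ${GW_REMOTE}/32 ${GW_LOCAL}/32

# -require: traffic matching these flows must use IPsec, it is never
# sent or accepted in the clear
FLOW="$DEBUG ${ipsecadm} flow -proto esp -src ${GW_LOCAL} -dst ${GW_REMOTE} -require"

# each local net to each remote net, one flow per direction
# (the variables are intentionally unquoted so the lists word-split)
for local_net in ${LOCAL_NETWORKS}; do
	for remote_net in ${REMOTE_NETWORKS}; do
		$FLOW -out -addr $local_net $remote_net
		$FLOW -in -addr $remote_net $local_net
	done
done

exit 0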