Annotation of src/share/ipsec/rc.vpn, Revision 1.3
1.1 provos 1: #!/bin/sh
2:
3: #
1.3 ! ho 4: # $OpenBSD$
1.1 provos 5: #
6: # Richard Reiner, Ph.D., FSC Internet Corp.
7: # rreiner@fscinternet.com
8: # v0.81 / 26Jul98
9: #
1.3 ! ho 10: # Modifications and cleanup by H. Olsson <ho@openbsd.org>, 28Aug99
1.1 provos 11: #
1.3 ! ho 12: # rc.vpn -- configure IPSec in tunnel mode for a mesh of N local and
! 13: # M remote networks. (N x M mesh)
1.1 provos 14: #
1.3 ! ho 15: # For this to work, you will need to have these enabled (in /etc/sysct.conf):
! 16: # 'sysctl -w net.inet.ip.forwarding=1' (IP packet routing)
! 17: # 'sysctl -w net.inet.esp.enable=1' (IPsec ESP protocol)
! 18:
! 19: # XXX The configuration parameters (especially the keys, which are secrets) should be moved to a separate file that only root can read.
! 20:
# Uncomment to debug (and not execute) commands.  With DEBUG=echo every
# ipsecadm(8) invocation below is printed instead of run.
#DEBUG=echo

# Gateway addresses: our own tunnel endpoint and the remote peer.
GW_LOCAL=192.168.254.254
GW_PEER=192.168.1.2

# Local and remote networks, numbered, syntax <network>:<mask>
# Numbering must be contiguous from 0: the loops below stop at the first
# LOCAL_NET_n / REMOTE_NET_n that is unset (or has no network part).
LOCAL_NET_0=192.168.254.0:0xffffff00
LOCAL_NET_1=192.168.253.0:0xffffff00
REMOTE_NET_0=192.168.1.0:0xffffff00
REMOTE_NET_1=192.168.2.0:0xffffff00

# Crypto options and keys, note that key/iv lengths need to correspond
# to the selected encryption and authentication algorithms.
#
# SECURITY NOTES (review):
#  - The values below are published example keys.  Anyone who can read
#    this file (it ships in the source tree) has them; generate fresh
#    random keys for every deployment and never deploy these.
#  - KEY and AUTHKEY are passed to *both* SAs set up below; the inbound
#    and outbound SA differ only in SPI and in src/dst direction.  Keys
#    are static: nothing in this script rekeys.
#  - Because this file holds the secrets it must not be world-readable.
#  - ENC=des selects single DES (56-bit key; KEY below is 8 bytes).  It
#    is considered weak; prefer a stronger cipher that this ipsecadm
#    supports, and change the KEY (and IV) length to match.
ENC=des
AUTH=sha1
SPI_OUT=1000
SPI_IN=1001
KEY=2ea140ac3911cb27
AUTHKEY=176cc284bc1631afbd1468fbe976fa729fcb4321
# IV is set here but is not passed to any ipsecadm call in this script.
IV=c4b279f1a9bcd849
1.1 provos 43:
44: #############################################################################
45: ############# -- NO CHANGES SHOULD BE NEEDED BELOW THIS LINE -- #############
46: #############################################################################
47:
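# Absolute path: this is an rc-style script and must not rely on PATH.
ipsecadm=/sbin/ipsecadm

#
# Sanity, be verbose about errors.
# XXX In a 1 x M mesh, ip.forwarding may not be strictly necessary.
#
# Each sysctl must read exactly "1".  Anything else -- "0", or an empty
# string because sysctl(8) failed or the OID is unknown -- is treated as
# "not enabled", so the check fails closed.  The command substitutions
# are quoted so an empty result cannot turn into a malformed test that
# silently evaluates false (which is what the unquoted `... == 0` did),
# and POSIX '=' is used instead of the non-portable '=='.
#

abort=0
if [ "`/usr/sbin/sysctl -n net.inet.esp.enable`" != 1 ]; then
	echo " VPN: variable 'net.inet.esp.enable' (IPsec ESP protocol)"
	abort=1
fi
if [ "`/usr/sbin/sysctl -n net.inet.ip.forwarding`" != 1 ]; then
	echo " VPN: variable 'net.inet.ip.forwarding' (IP forwarding/routing)"
	abort=1
fi
if [ "${abort}" = 1 ]; then
	echo " VPN: must be enabled in /etc/sysctl.conf. Aborting VPN setup."
	# NOTE(review): exits 0 even though setup was aborted, so a caller
	# cannot tell from the status that no VPN was configured; only the
	# messages above say so.  Left as-is to not change boot behaviour.
	exit 0
fi

# Announce ourselves, unless we are only echoing the commands.
[ -z "${DEBUG}" ] && echo " VPN "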
1.1 provos 70:
#
# Setup the SAs
#
# One ESP SA per direction, both with -forcetunnel (tunnel mode, as the
# header says).  The two SAs use the same KEY and AUTHKEY and differ only
# in SPI and in which gateway is -src/-dst.  Presumably the peer has to be
# configured with the mirror image (its outbound SPI is our SPI_IN) --
# verify against the peer's setup.  Keys are static: nothing in this
# script rekeys them.
#

# Outbound SA (us -> peer), SPI_OUT.
$DEBUG $ipsecadm new esp -src $GW_LOCAL -dst $GW_PEER \
-forcetunnel -spi $SPI_OUT -enc $ENC -auth $AUTH \
-key $KEY -authkey $AUTHKEY

# Inbound SA (peer -> us), SPI_IN, same keys.
$DEBUG $ipsecadm new esp -src $GW_PEER -dst $GW_LOCAL \
-forcetunnel -spi $SPI_IN -enc $ENC -auth $AUTH \
-key $KEY -authkey $AUTHKEY
1.1 provos 82:
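#
# Create the flows
#

# Gateway to gateway
# Invoke ipsecadm through $ipsecadm (absolute path) like every other call
# in this script; the original used a bare "ipsecadm" here, which made
# this one flow depend on PATH when run from the boot scripts.
# NOTE(review): the source side is 0.0.0.0/0xffffffff, the same form the
# "local gw -> remote subnet" flows further down use; presumably this is
# how this ipsecadm matches traffic originated by the gateway itself --
# confirm against ipsecadm(8).
$DEBUG $ipsecadm flow -proto esp -dst $GW_PEER -spi $SPI_OUT \
	-addr 0.0.0.0 0xffffffff $GW_PEER 0xffffffff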
1.1 provos 90:
# Flows from each local, to each remote, subnet

# split_net VALUE
#	Parse one "<network>:<mask>" entry into net_addr and net_mask.  Any
#	missing field (in particular an unset LOCAL_NET_n / REMOTE_NET_n)
#	comes out as "0x0", which the loops below use as their end-of-list
#	sentinel.
split_net() {
	set `echo $1 | sed 's/:/ /g'` 0x0 0x0
	net_addr=$1
	net_mask=$2
}

# The index variables are only ever integers produced by $((...)), so the
# eval that builds the variable name from them cannot be influenced by
# the network strings themselves.
mycount=0
while :
do
	eval network=\$LOCAL_NET_${mycount}
	split_net "$network"
	[ "${net_addr}" = "0x0" ] && break
	local_net=${net_addr}
	local_mask=${net_mask}

	peercount=0
	while :
	do
		eval network=\$REMOTE_NET_${peercount}
		split_net "$network"
		[ "${net_addr}" = "0x0" ] && break
		$DEBUG $ipsecadm flow \
			-proto esp -dst $GW_PEER -spi $SPI_OUT \
			-addr $local_net $local_mask ${net_addr} ${net_mask}
		peercount=$((peercount + 1))
	done
	mycount=$((mycount + 1))
done

# XXX Stuff below is mainly for testing, may be removed later.

# Flows from local gw to each remote subnet
peercount=0
while :
do
	eval network=\$REMOTE_NET_${peercount}
	split_net "$network"
	[ "${net_addr}" = "0x0" ] && break
	$DEBUG $ipsecadm flow \
		-proto esp -dst $GW_PEER -spi $SPI_OUT \
		-addr 0.0.0.0 0xffffffff ${net_addr} ${net_mask}
	peercount=$((peercount + 1))
done

# Flows from local subnets to the remote gw
mycount=0
while :
do
	eval network=\$LOCAL_NET_${mycount}
	split_net "$network"
	[ "${net_addr}" = "0x0" ] && break
	$DEBUG $ipsecadm flow \
		-proto esp -dst $GW_PEER -spi $SPI_OUT \
		-addr ${net_addr} ${net_mask} $GW_PEER 0xffffffff
	mycount=$((mycount + 1))
done

exit 0