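#!/bin/sh

#
# $OpenBSD: rc.vpn,v 1.7 1999/12/14 19:59:39 ho Exp $
#
# Richard Reiner, Ph.D., FSC Internet Corp.
# rreiner@fscinternet.com
# v0.81 / 26Jul98
#
# Modifications and cleanup by H. Olsson <ho@openbsd.org>, 28Aug99
#
# rc.vpn -- configure IPSec in tunnel mode for a mesh of N local and
# M remote networks. (N x M mesh)
#
# For this to work, you will need to have these enabled (in /etc/sysctl.conf):
# 'sysctl -w net.inet.ip.forwarding=1' (IP packet routing)
# 'sysctl -w net.inet.esp.enable=1' (IPsec ESP protocol)

# XXX The configuration parameters should be moved to another file.
# Until they are, this script holds the SA keys in clear text and must
# only be readable by root.

# Uncomment to debug (and not execute) commands
#DEBUG=echo

# Gateway addresses
GW_LOCAL=192.168.254.254
GW_PEER=192.168.1.2

# Local and remote networks, numbered from 0 without gaps, syntax
# <network>/<mask>.  The first unset LOCAL_NET_n / REMOTE_NET_n ends the
# respective list; an entry without a mask aborts the whole setup.
LOCAL_NET_0=192.168.254.0/255.255.255.0
LOCAL_NET_1=192.168.253.0/255.255.255.0
REMOTE_NET_0=192.168.1.0/255.255.255.0
REMOTE_NET_1=192.168.2.0/255.255.255.0

# Crypto options and keys, note that key/iv lengths need to correspond
# to the selected encryption and authentication algorithms.
# NOTE: these are sample values.  Single DES is weak; prefer a stronger
# cipher such as 3des, generate fresh random keys, and avoid using the
# same KEY/AUTHKEY for both directions of the tunnel (both SAs below
# share them).  IV is defined here but is not handed to ipsecadm.
ENC=des
AUTH=sha1
SPI_OUT=1000
SPI_IN=1001
KEY=2ea140ac3911cb27
AUTHKEY=176cc284bc1631afbd1468fbe976fa729fcb4321
IV=c4b279f1a9bcd849

#############################################################################
############# -- NO CHANGES SHOULD BE NEEDED BELOW THIS LINE -- #############
#############################################################################

ipsecadm=/sbin/ipsecadm
sysctl=/usr/sbin/sysctl

# vpn_abort MSG -- report why the VPN cannot be set up and stop.  Exits 0
# (as the original sanity check did) so the rest of the boot still runs.
vpn_abort() {
	echo " VPN: $*"
	exit 0
}

# sysctl_enabled MIB -- true when the kernel variable MIB reads 1.  A
# variable that cannot be read counts as disabled (fail closed); the old
# unquoted "== 0" test broke on empty output and did not abort.
sysctl_enabled() {
	[ "`${sysctl} -n $1 2>/dev/null`" = 1 ]
}

# split_net VAR -- parse the <network>/<mask> held in variable VAR into
# the globals net and mask.  Returns false when VAR is unset or empty
# (end of list).  A missing mask aborts instead of being passed on: the
# old code substituted 0x0, which would make the flow match far more
# traffic than the administrator intended.
split_net() {
	_var=$1
	eval _spec=\$$_var
	[ -n "${_spec}" ] || return 1
	set -- `echo $_spec | sed 's%/% %g'`
	net=$1
	mask=$2
	if [ -z "${net}" -o -z "${mask}" ]; then
		vpn_abort "$_var='${_spec}' is not <network>/<mask>. Aborting VPN setup."
	fi
	return 0
}

# new_sa SRC DST SPI -- install the tunnel-mode ESP SA from SRC to DST.
new_sa() {
	$DEBUG $ipsecadm new esp -src $1 -dst $2 \
	    -forcetunnel -spi $3 -enc $ENC -auth $AUTH \
	    -key $KEY -authkey $AUTHKEY
}

# flow NET MASK PEERNET PEERMASK -- send traffic from NET/MASK to
# PEERNET/PEERMASK through the outgoing SA towards GW_PEER.
flow() {
	$DEBUG $ipsecadm flow -proto esp -dst $GW_PEER -spi $SPI_OUT \
	    -addr $1 $2 $3 $4
}

#
# Sanity, be verbose about errors.
# XXX In a 1 x M mesh, ip.forwarding may not be strictly necessary.
#

abort=0
if ! sysctl_enabled net.inet.esp.enable; then
	echo " VPN: variable 'net.inet.esp.enable' (IPsec ESP protocol)"
	abort=1
fi
if ! sysctl_enabled net.inet.ip.forwarding; then
	echo " VPN: variable 'net.inet.ip.forwarding' (IP forwarding/routing)"
	abort=1
fi
if [ ${abort} = 1 ]; then
	vpn_abort "must be enabled in /etc/sysctl.conf. Aborting VPN setup."
fi

# Check both network lists before touching the kernel, so that a typo
# does not leave SAs behind without their matching flows.
n=0; while split_net LOCAL_NET_${n}; do n=$((n + 1)); done
n=0; while split_net REMOTE_NET_${n}; do n=$((n + 1)); done

[ -z "${DEBUG}" ] && echo " VPN "

#
# Setup the SAs
#

new_sa $GW_LOCAL $GW_PEER $SPI_OUT
new_sa $GW_PEER $GW_LOCAL $SPI_IN

#
# Create the flows
#

# Gateway to gateway
flow $GW_LOCAL 255.255.255.255 $GW_PEER 255.255.255.255

# Flows from each local, to each remote, subnet.  The inner split_net
# overwrites net/mask, hence the copies taken for the local side.
mycount=0
while split_net LOCAL_NET_${mycount}
do
	local_net=$net
	local_mask=$mask
	peercount=0
	while split_net REMOTE_NET_${peercount}
	do
		flow $local_net $local_mask $net $mask
		peercount=$((peercount + 1))
	done
	mycount=$((mycount + 1))
done

# XXX Stuff below is mainly for testing, may be removed later.

# Flows from local gw to each remote subnet
peercount=0
while split_net REMOTE_NET_${peercount}
do
	flow $GW_LOCAL 255.255.255.255 $net $mask
	peercount=$((peercount + 1))
done

# Flows from local subnets to the remote gw
mycount=0
while split_net LOCAL_NET_${mycount}
do
	flow $net $mask $GW_PEER 255.255.255.255
	mycount=$((mycount + 1))
done

exit 0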