
File: [local] / src / share / ipsec / Attic / rc.vpn (download)

Revision 1.12, Wed Sep 27 04:11:21 2000 UTC (23 years, 8 months ago) by angelos
Branch: MAIN
Changes since 1.11: +11 -7 lines

Fix example, add -src.

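#!/bin/sh

#
#    $OpenBSD: rc.vpn,v 1.12 2000/09/27 04:11:21 angelos Exp $
#
# Richard Reiner, Ph.D., FSC Internet Corp.
# rreiner@fscinternet.com
# v0.81 / 26Jul98
#
# Modifications and cleanup by H. Olsson <ho@openbsd.org>, 28Aug99
#
# rc.vpn -- configure IPSec in tunnel mode for a mesh of N local and
#           M remote networks. (N x M mesh)
#
# For this to work, you will need to have these enabled (in /etc/sysctl.conf):
#   'sysctl -w net.inet.ip.forwarding=1'   (IP packet routing)
#   'sysctl -w net.inet.esp.enable=1'      (IPsec ESP protocol)
#
# What the script does: it installs two manually keyed ESP SAs between the
# gateways (one per direction), then one egress/ingress flow pair for every
# (local, remote) network pair.  Manual keying means the material in
# KEYFILE/AUTHKEYFILE stays in use until this script is run again with new
# keys -- there is no automatic rekeying here.

# XXX The configuration parameters should be moved to another file.

# Uncomment to debug (and not execute) commands
#DEBUG=echo

# Gateway addresses
GW_LOCAL=192.168.254.254
GW_PEER=192.168.1.2

# Local and remote networks, numbered from 0 without gaps, syntax
# <network>/<mask>.  The first missing number ends each list.
LOCAL_NET_0=192.168.254.0/255.255.255.0
LOCAL_NET_1=192.168.253.0/255.255.255.0
REMOTE_NET_0=192.168.1.0/255.255.255.0
REMOTE_NET_1=192.168.2.0/255.255.255.0

# Crypto options and keys, note that key/iv lengths need to correspond
# to the selected encryption and authentication algorithms.
# The key files contain the raw ESP keys; keep them owned by root with
# mode 0600, as anyone who can read them can decrypt or forge tunnel traffic.
ENC=3des
AUTH=sha1
SPI_OUT=1000
SPI_IN=1001
KEYFILE=/etc/esp-enc-key
AUTHKEYFILE=/etc/esp-auth-key

#############################################################################
############# -- NO CHANGES SHOULD BE NEEDED BELOW THIS LINE -- #############
#############################################################################

ipsecadm=/sbin/ipsecadm
sysctl=/usr/sbin/sysctl

#
# Helpers
#

# nth_net PREFIX N -- print the value of the variable PREFIX_N (for example
# LOCAL_NET_2), or an empty line when that variable is unset or empty.
# eval is only ever fed names built from the fixed prefixes below and an
# integer counter, never from external input.
nth_net() {
	eval "printf '%s\n' \"\${${1}_${2}}\""
}

# check_nets PREFIX -- verify that every PREFIX_0, PREFIX_1, ... entry has
# the form <network>/<mask>.  Returns 1 if any entry is malformed.  This is
# done before anything is installed so that a bad entry cannot turn into a
# flow with a missing or bogus mask.
check_nets() {
	i=0
	bad=0
	while :; do
		network=$(nth_net "$1" "${i}")
		[ -n "${network}" ] || break
		case ${network} in
		*/*)
			;;
		*)
			echo " VPN: ${1}_${i}='${network}' is not of the form <network>/<mask>"
			bad=1
			;;
		esac
		i=$((i + 1))
	done
	return ${bad}
}

# add_flow_pair NET MASK PEER_NET PEER_MASK -- install the egress flow from
# NET/MASK to PEER_NET/PEER_MASK on the outbound SA (SPI_OUT) and the matching
# ingress flow from PEER_NET/PEER_MASK to NET/MASK on the inbound SA (SPI_IN).
# Both flows are -require, so matching packets must go through the SA.
add_flow_pair() {
	$DEBUG $ipsecadm flow -proto esp -src "$GW_LOCAL" -dst "$GW_PEER" \
	    -spi "$SPI_OUT" -addr "$1" "$2" "$3" "$4" -out -require
	$DEBUG $ipsecadm flow -proto esp -src "$GW_LOCAL" -dst "$GW_PEER" \
	    -spi "$SPI_IN" -addr "$3" "$4" "$1" "$2" -in -require
}

#
# Sanity, be verbose about errors.
# XXX In a 1 x M mesh, ip.forwarding may not be strictly necessary.
#

abort=0
# An empty result (sysctl missing or failing) counts as "not enabled"
# rather than being silently accepted.
esp_enable=$(${sysctl} -n net.inet.esp.enable)
if [ "${esp_enable:-0}" = 0 ]; then
	echo " VPN: variable 'net.inet.esp.enable' (IPsec ESP protocol)"
	abort=1
fi
ip_forwarding=$(${sysctl} -n net.inet.ip.forwarding)
if [ "${ip_forwarding:-0}" = 0 ]; then
	echo " VPN: variable 'net.inet.ip.forwarding' (IP forwarding/routing)"
	abort=1
fi
if [ "${abort}" = 1 ]; then
	echo " VPN: must be enabled in /etc/sysctl.conf. Aborting VPN setup."
	# exit 0 on purpose: the rest of the rc sequence should still run.
	exit 0
fi

# Configuration checks: key material and network lists.  The key files are
# only required when the ipsecadm commands really execute (not under DEBUG).
if [ -z "${DEBUG}" ]; then
	for f in "${KEYFILE}" "${AUTHKEYFILE}"; do
		if [ ! -r "${f}" ]; then
			echo " VPN: key file '${f}' is missing or not readable."
			abort=1
		fi
	done
fi
check_nets LOCAL_NET || abort=1
check_nets REMOTE_NET || abort=1
if [ "${abort}" = 1 ]; then
	echo " VPN: configuration error. Aborting VPN setup."
	exit 0
fi

[ -z "${DEBUG}" ] && echo " VPN "

#
# Setup the SAs (one per direction, manually keyed)
#

$DEBUG $ipsecadm new esp -src "$GW_LOCAL" -dst "$GW_PEER" \
    -forcetunnel -spi "$SPI_OUT" -enc "$ENC" -auth "$AUTH" \
    -keyfile "$KEYFILE" -authkeyfile "$AUTHKEYFILE"

$DEBUG $ipsecadm new esp -src "$GW_PEER" -dst "$GW_LOCAL" \
    -forcetunnel -spi "$SPI_IN" -enc "$ENC" -auth "$AUTH" \
    -keyfile "$KEYFILE" -authkeyfile "$AUTHKEYFILE"

#
# Create the flows
#

# Gateway to gateway (both egress and ingress flows)
add_flow_pair "$GW_LOCAL" 255.255.255.255 "$GW_PEER" 255.255.255.255

# Flows from each local to each remote subnet, and vice versa for
# ACL entries
mycount=0
while :; do
	network=$(nth_net LOCAL_NET "${mycount}")
	[ -n "${network}" ] || break
	local_net=${network%/*}
	local_mask=${network#*/}
	peercount=0
	while :; do
		network=$(nth_net REMOTE_NET "${peercount}")
		[ -n "${network}" ] || break
		add_flow_pair "${local_net}" "${local_mask}" \
		    "${network%/*}" "${network#*/}"
		peercount=$((peercount + 1))
	done
	mycount=$((mycount + 1))
done

# XXX Stuff below is mainly for testing, may be removed later.

# Flows from local gw to each remote subnet, and vice versa
peercount=0
while :; do
	network=$(nth_net REMOTE_NET "${peercount}")
	[ -n "${network}" ] || break
	add_flow_pair "$GW_LOCAL" 255.255.255.255 "${network%/*}" "${network#*/}"
	peercount=$((peercount + 1))
done

# Flows from local subnets to the remote gw and vice versa
mycount=0
while :; do
	network=$(nth_net LOCAL_NET "${mycount}")
	[ -n "${network}" ] || break
	add_flow_pair "${network%/*}" "${network#*/}" "$GW_PEER" 255.255.255.255
	mycount=$((mycount + 1))
done

exit 0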