Revision 1.16, Wed Dec 4 15:03:56 2002 UTC (21 years, 6 months ago) by markus
Branch: MAIN
Changes since 1.15: +56 -119 lines
general cleanup, including:
removal of extra flows for gateway to network; make manual keying
optional, allows 'acquire' with isakmpd; no need for sed;
add ipsecadm flush; ok ho@
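#!/bin/sh
# $OpenBSD: rc.vpn,v 1.16 2002/12/04 15:03:56 markus Exp $
#
# Richard Reiner, Ph.D., FSC Internet Corp.
# rreiner@fscinternet.com
# v0.81 / 26Jul98
#
# Modifications and cleanup by H. Olsson <ho@openbsd.org>, 28Aug99
#
# rc.vpn -- configure IPsec in tunnel mode for a mesh of N local and
# M remote networks. (N x M mesh)
#
# For this to work, you will need to have these enabled (in /etc/sysctl.conf):
# 'sysctl -w net.inet.ip.forwarding=1' (IP packet routing)
# 'sysctl -w net.inet.esp.enable=1' (IPsec ESP protocol)
#
# Run as root. Set DEBUG=echo to print the ipsecadm commands instead of
# executing them.
# XXX The configuration parameters should be moved to another file.

# Uncomment to debug (and not execute) commands
#DEBUG=echo

# Gateway addresses
GW_LOCAL=192.168.254.254
GW_REMOTE=192.168.1.2

# Local and remote networks, numbered consecutively from 0; the first
# unset LOCAL_NET_n / REMOTE_NET_n ends the respective list.
LOCAL_NET_0="192.168.254.0/24"
LOCAL_NET_1="192.168.253.0/24"
REMOTE_NET_0="192.168.1.0/24"
REMOTE_NET_1="192.168.2.0/24"

# Optional, use for manual keying only. Leave ENC empty to skip the manual
# SAs and let isakmpd negotiate them instead.
# Crypto options and keys, note that key/iv lengths need to correspond
# to the selected encryption and authentication algorithms.
# Both directions are keyed from the same two files; keep them readable by
# root only.
ENC=3des
AUTH=sha1
SPI_OUT=1000
SPI_IN=1001
KEYFILE=/etc/esp-enc-key
AUTHKEYFILE=/etc/esp-auth-key

#############################################################################
############# -- NO CHANGES SHOULD BE NEEDED BELOW THIS LINE -- #############
#############################################################################

ipsecadm=/sbin/ipsecadm
sysctl=/usr/sbin/sysctl

# Print a diagnostic, prefixed with the script name, on stderr.
warn() {
	echo "$0: $*" >&2
}

# Run ipsecadm with the given arguments, or only echo the command line when
# DEBUG is set. $DEBUG is deliberately left unquoted so that an empty value
# vanishes instead of becoming an empty (and unrunnable) first word.
run_ipsecadm() {
	$DEBUG "$ipsecadm" "$@"
}

# Print the value of an integer sysctl. An unreadable, missing or empty
# value is reported as 0 (disabled) so the sanity checks below fail closed
# rather than tripping over an empty test operand.
sysctl_value() {
	_v=$("$sysctl" -n "$1" 2>/dev/null)
	echo "${_v:-0}"
}

# Add one SPD entry: $1 is the direction ('-in' or '-out'), $2 and $3 the
# source and destination address/prefix. Every flow is bound to the
# gateway-to-gateway ESP SA and marked -require, so matching traffic is
# only passed under IPsec (see ipsecadm(8)).
flow() {
	run_ipsecadm flow -proto esp -src "$GW_LOCAL" -dst "$GW_REMOTE" \
	    "$1" -require -addr "$2" "$3"
}

# Install the outbound and the mirrored inbound flow for one pair of
# networks: $1 is on the local side, $2 on the remote side.
flow_pair() {
	flow -out "$1" "$2"
	flow -in "$2" "$1"
}

#
# Sanity, be verbose about errors.
# XXX In a 1 x M mesh, ip.forwarding may not be strictly necessary.
#
abort=0
if [ "$(sysctl_value net.inet.esp.enable)" = 0 ]; then
	warn "variable 'net.inet.esp.enable' (IPsec ESP protocol)"
	abort=1
fi
if [ "$(sysctl_value net.inet.ip.forwarding)" = 0 ]; then
	warn "variable 'net.inet.ip.forwarding' (IP forwarding/routing)"
	abort=1
fi
if [ "$abort" = 1 ]; then
	warn "must be enabled in /etc/sysctl.conf. Aborting VPN setup."
	# Only a debug run (DEBUG set) continues past a failed check.
	[ -n "$DEBUG" ] || exit 0
fi

# Start from an empty SAD/SPD so entries left over from an earlier run do
# not sit next to the ones installed below.
run_ipsecadm flush

#
# Setup the manual SAs (skipped entirely when ENC is empty).
#
if [ -n "$ENC" ]; then
	# Missing key files are reported here for clarity, but setup carries
	# on: the -require flows installed below still block the traffic
	# rather than letting it through in the clear when the SAs are absent.
	for f in "$KEYFILE" "$AUTHKEYFILE"; do
		[ -r "$f" ] || warn "key file '$f' is not readable"
	done
	run_ipsecadm new esp -src "$GW_LOCAL" -dst "$GW_REMOTE" \
	    -forcetunnel -spi "$SPI_OUT" -enc "$ENC" -auth "$AUTH" \
	    -keyfile "$KEYFILE" -authkeyfile "$AUTHKEYFILE"
	run_ipsecadm new esp -src "$GW_REMOTE" -dst "$GW_LOCAL" \
	    -forcetunnel -spi "$SPI_IN" -enc "$ENC" -auth "$AUTH" \
	    -keyfile "$KEYFILE" -authkeyfile "$AUTHKEYFILE"
fi

#
# Setup the Flows, aka SPD
#
# local gateway to remote gateway
flow_pair "${GW_LOCAL}/32" "${GW_REMOTE}/32"

# each local net to each remote net
localcount=0
while :; do
	# LOCAL_NET_n is looked up by constructed name; the counter is a
	# plain integer, so the eval never sees anything but digits.
	eval "local_net=\${LOCAL_NET_${localcount}}"
	[ -n "$local_net" ] || break
	remotecount=0
	while :; do
		eval "remote_net=\${REMOTE_NET_${remotecount}}"
		[ -n "$remote_net" ] || break
		flow_pair "$local_net" "$remote_net"
		remotecount=$((remotecount + 1))
	done
	localcount=$((localcount + 1))
done

exit 0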