Update script.
#!/bin/sh
#
# rc.vpn -- configure IPSec in tunnel mode for M x N networks
#
# Richard Reiner, Ph.D., FSC Internet Corp.
# rreiner@fscinternet.com
# v0.81 / 26Jul98
#
echo ' VPN'
#############################################################################
#
# Configurable parameters
#
# Echo every command before it runs?  Anything other than "YES" is treated
# as no.  N.B. with "YES" the ipsecadm lines, keys included, are printed on
# the console while the system boots, so whoever is at the console sees
# them.
VPN_DO_ECHO_COMMANDS='YES'
# Our interfaces: internal (towards the protected subnets) and external
# (towards the tunnel partner)
VPN_MY_INT_IFACE='ep0'
VPN_MY_EXT_IFACE='ep1'
# External IP of the tunnel partner
VPN_PEER_EXT_IP='207.253.158.194'
# Internal subnets behind the partner -- one IP/mask pair per subnet,
# numbered from 0 upwards without gaps (the loops below stop at the first
# number that is unset or empty)
VPN_PEER_INT_IP_0='192.139.247.253'
VPN_PEER_INT_MASK_0='255.255.255.0'
# *Additional* subnets on our side.  Pair 0 is derived from the internal
# interface's hostname.if file further down, so these are numbered from
# *1* upwards; comment them out if there are none.
VPN_MY_INT_IP_1='192.139.241.1'
VPN_MY_INT_MASK_1='255.255.255.0'
VPN_MY_INT_IP_2='192.139.243.1'
VPN_MY_INT_MASK_2='255.255.255.0'
# Crypto options and keys.  The values shipped here are examples; use your
# own.  Because the keys live in this file it should be readable by root
# only.  They are static, both directions of the tunnel share VPN_KEY and
# VPN_AUTHKEY, and VPN_IV is not referenced by the ipsecadm commands below.
VPN_ENC='des'
VPN_AUTH='sha1'
VPN_SPI_OUT='1000'
VPN_SPI_IN='1001'
VPN_KEY='2ea140ac3911cb27'
VPN_AUTHKEY='176cc284bc1631afbd1468fbe976fa729fcb4321'
VPN_IV='c4b279f1a9bcd849'
#############################################################################
############# #############
############# -- NO CHANGES SHOULD BE NEEDED BELOW THIS LINE -- #############
############# #############
#############################################################################
#############################################################################
#
# Derived (automagically found) parameters
#
# Hostnames for each of our interfaces
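# Print space-separated field $2 (1-based) of every line of file $1.
# Used on hostname.if files, whose first line reads
# "inet <hostname> <netmask> ...".
vpn_file_field () {
  cut -d" " -f"$2" < "$1"
}
# Print the address of the first non-comment line of file $2 (default
# /etc/hosts) that carries $1 as one of its names.  Matches whole fields,
# so "gw" no longer matches "gw2", and handles tab-separated lines, which
# the earlier unanchored grep | cut -d" " did not.  Prints nothing when
# $1 is empty or not found.
vpn_hosts_addr () {
  awk -v h="$1" '$1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == h) { print $1; exit } }' "${2:-/etc/hosts}"
}
VPN_MY_EXT_NAME=$(vpn_file_field "/etc/hostname.$VPN_MY_EXT_IFACE" 2)
VPN_MY_INT_NAME=$(vpn_file_field "/etc/hostname.$VPN_MY_INT_IFACE" 2)
# Our internal IP and mask (extra subnets, if any, are configured above)
VPN_MY_INT_IP_0=$(vpn_hosts_addr "$VPN_MY_INT_NAME")
VPN_MY_INT_MASK_0=$(vpn_file_field "/etc/hostname.$VPN_MY_INT_IFACE" 3)
# Our external IP and mask.  The mask is read from the *external*
# interface's file; the earlier revision read the internal one.
VPN_MY_EXT_IP=$(vpn_hosts_addr "$VPN_MY_EXT_NAME")
VPN_MY_EXT_MASK=$(vpn_file_field "/etc/hostname.$VPN_MY_EXT_IFACE" 3)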
#############################################################################
#
# Pseudo-constants
#
# Full path to the tool, so the script does not depend on PATH at boot
ipsecadm='/sbin/ipsecadm'
#############################################################################
#
# Function definitions
#
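#############################################################################
# Optionally print a command line, then run it.
# Globals:   VPN_DO_ECHO_COMMANDS (read)
# Arguments: the command line, either as one string or as separate words;
#            they are joined with single spaces
# Outputs:   the joined command line on stdout when VPN_DO_ECHO_COMMANDS is
#            exactly "YES" (key material included, if the line has any),
#            followed by whatever the command itself prints
# Returns:   the exit status of the evaluated command
# NOTE: eval re-parses the joined string as shell code, so every value
# expanded into it must be operator-controlled and free of shell
# metacharacters.  The values in this script come from its own
# configuration section and from files under /etc.
#############################################################################
eval_and_echo () {
  if [ "$VPN_DO_ECHO_COMMANDS" = "YES" ]; then
    # printf rather than echo: echo's treatment of backslashes and of a
    # leading "-" differs between /bin/sh implementations
    printf '%s\n' "$*"
  fi
  eval "$*"
}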
#############################################################################
#
# Executable setup statements
#
# Create the SAs
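# Create the SAs: one ESP SA per direction, forced into tunnel mode.  Both
# directions use the same VPN_KEY/VPN_AUTHKEY.  The keys are handed to
# ipsecadm on its command line, where they are visible to other local
# users through ps(1) for as long as it runs; if the installed ipsecadm
# can read keys from a file, prefer that (see ipsecadm(8)).
eval_and_echo "$ipsecadm new esp -src $VPN_MY_EXT_IP -dst $VPN_PEER_EXT_IP -forcetunnel -spi $VPN_SPI_OUT -enc $VPN_ENC -auth $VPN_AUTH -key $VPN_KEY -authkey $VPN_AUTHKEY"
eval_and_echo "$ipsecadm new esp -src $VPN_PEER_EXT_IP -dst $VPN_MY_EXT_IP -forcetunnel -spi $VPN_SPI_IN -enc $VPN_ENC -auth $VPN_AUTH -key $VPN_KEY -authkey $VPN_AUTHKEY"
#
# Create IPSec routes
#
# Route between the two external IPs.  Invoked through $ipsecadm (the full
# path set above), like every other command here, rather than a bare
# "ipsecadm" that depends on PATH at boot time.
eval_and_echo "$ipsecadm flow -proto esp -dst $VPN_PEER_EXT_IP -spi $VPN_SPI_OUT -addr $VPN_MY_EXT_IP 255.255.255.255 $VPN_PEER_EXT_IP 255.255.255.255 -local"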
# Routes from each internal subnet, to each internal subnet on the far side
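#############################################################################
# Routes from each internal subnet, to each internal subnet on the far side.
# Walks VPN_MY_INT_IP_<n>/VPN_MY_INT_MASK_<n> from n = 0 and, for each,
# VPN_PEER_INT_IP_<m>/VPN_PEER_INT_MASK_<m> from m = 0, stopping at the
# first unset or empty IP in either series, and installs one ESP flow per
# pair.
# Globals:   VPN_MY_INT_*, VPN_PEER_INT_*, VPN_PEER_EXT_IP, VPN_SPI_OUT,
#            ipsecadm (read); mycount, peercount, next_my_ip, next_my_mask,
#            next_peer_ip, next_peer_mask (written -- after the call
#            mycount/peercount hold the number of entries found and
#            next_my_ip/next_peer_ip are empty, as with the earlier loop)
# Outputs:   whatever eval_and_echo prints
#############################################################################
vpn_flows_int_to_int () {
  mycount=0
  while :; do
    # indirect lookup: the variable name is built from the counter, which
    # is only ever a decimal number, so the eval sees no other input
    eval next_my_ip=\$VPN_MY_INT_IP_${mycount}
    eval next_my_mask=\$VPN_MY_INT_MASK_${mycount}
    [ -n "${next_my_ip}" ] || break
    peercount=0
    while :; do
      eval next_peer_ip=\$VPN_PEER_INT_IP_${peercount}
      eval next_peer_mask=\$VPN_PEER_INT_MASK_${peercount}
      [ -n "${next_peer_ip}" ] || break
      # set an IPSec route for this pair of networks
      eval_and_echo "$ipsecadm flow -proto esp -dst $VPN_PEER_EXT_IP -spi $VPN_SPI_OUT -addr $next_my_ip $next_my_mask $next_peer_ip $next_peer_mask"
      # shell arithmetic instead of forking expr(1) per iteration
      peercount=$((peercount + 1))
    done
    mycount=$((mycount + 1))
  done
}
vpn_flows_int_to_int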
# Routes to each remote internal subnet
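#############################################################################
# Routes to each remote internal subnet.
# Walks VPN_PEER_INT_IP_<n>/VPN_PEER_INT_MASK_<n> from n = 0 until the
# first unset or empty IP and installs, for each, a flow from our external
# IP to that subnet.
# Globals:   VPN_PEER_INT_*, VPN_PEER_EXT_IP, VPN_MY_EXT_IP, VPN_SPI_OUT,
#            ipsecadm (read); peercount, next_peer_ip, next_peer_mask
#            (written -- peercount ends at the number of entries found and
#            next_peer_ip empty, as with the earlier loop)
# Outputs:   whatever eval_and_echo prints
#############################################################################
vpn_flows_ext_to_peer_int () {
  peercount=0
  while :; do
    # indirect lookup; the counter is only ever a decimal number
    eval next_peer_ip=\$VPN_PEER_INT_IP_${peercount}
    eval next_peer_mask=\$VPN_PEER_INT_MASK_${peercount}
    [ -n "${next_peer_ip}" ] || break
    # Route from my ext IP to each remote internal subnet
    eval_and_echo "$ipsecadm flow -proto esp -dst $VPN_PEER_EXT_IP -spi $VPN_SPI_OUT -addr $VPN_MY_EXT_IP 255.255.255.255 $next_peer_ip $next_peer_mask -local"
    # shell arithmetic instead of forking expr(1) per iteration
    peercount=$((peercount + 1))
  done
}
vpn_flows_ext_to_peer_int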
# Routes from each of my internal subnets to the remote external IP
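#############################################################################
# Routes from each of my internal subnets to the remote external IP.
# Walks VPN_MY_INT_IP_<n>/VPN_MY_INT_MASK_<n> from n = 0 until the first
# unset or empty IP and installs one flow per subnet.
# Globals:   VPN_MY_INT_*, VPN_PEER_EXT_IP, VPN_SPI_OUT, ipsecadm (read);
#            mycount, next_my_ip, next_my_mask (written -- mycount ends at
#            the number of entries found and next_my_ip empty, as with the
#            earlier loop)
# Outputs:   whatever eval_and_echo prints
#############################################################################
vpn_flows_int_to_peer_ext () {
  mycount=0
  while :; do
    # indirect lookup; the counter is only ever a decimal number
    eval next_my_ip=\$VPN_MY_INT_IP_${mycount}
    eval next_my_mask=\$VPN_MY_INT_MASK_${mycount}
    [ -n "${next_my_ip}" ] || break
    # The command string is quoted like every other eval_and_echo call, so
    # it reaches eval as one joined string rather than split words
    eval_and_echo "$ipsecadm flow -proto esp -dst $VPN_PEER_EXT_IP -spi $VPN_SPI_OUT -addr $next_my_ip $next_my_mask $VPN_PEER_EXT_IP 255.255.255.255"
    # shell arithmetic instead of forking expr(1) per iteration
    mycount=$((mycount + 1))
  done
}
vpn_flows_int_to_peer_ext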