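#!/bin/sh
# $OpenBSD: rc.vpn,v 1.16 2002/12/04 15:03:56 markus Exp $
#
# Richard Reiner, Ph.D., FSC Internet Corp.
# rreiner@fscinternet.com
# v0.81 / 26Jul98
#
# Modifications and cleanup by H. Olsson , 28Aug99
#
# rc.vpn -- configure IPsec in tunnel mode for a mesh of N local and
# M remote networks. (N x M mesh)
#
# For this to work, you will need to have these enabled (in /etc/sysctl.conf):
#   'sysctl -w net.inet.ip.forwarding=1' (IP packet routing)
#   'sysctl -w net.inet.esp.enable=1'    (IPsec ESP protocol)
#
# Exit status: always 0 (an rc script must not abort the boot sequence);
# configuration problems are reported on stdout instead.

# XXX The configuration parameters should be moved to another file.

# Uncomment to debug (and not execute) commands
#DEBUG=echo

# Gateway addresses
GW_LOCAL=192.168.254.254
GW_REMOTE=192.168.1.2

# Local and remote networks, numbered consecutively from 0; the first
# missing (unset or empty) index ends the list.
LOCAL_NET_0="192.168.254.0/24"
LOCAL_NET_1="192.168.253.0/24"
REMOTE_NET_0="192.168.1.0/24"
REMOTE_NET_1="192.168.2.0/24"

# Optional, use for manual keying only
# Crypto options and keys, note that key/iv lengths need to correspond
# to the selected encryption and authentication algorithms.
# Manual keying means static keys and fixed SPIs with no rekeying; keep
# the key files readable by root only. They are handed to ipsecadm by
# path (-keyfile/-authkeyfile), so the key bytes do not appear on the
# command line.
ENC=3des
AUTH=sha1
SPI_OUT=1000
SPI_IN=1001
KEYFILE=/etc/esp-enc-key
AUTHKEYFILE=/etc/esp-auth-key

#############################################################################
############# -- NO CHANGES SHOULD BE NEEDED BELOW THIS LINE -- #############
#############################################################################

ipsecadm=/sbin/ipsecadm

#
# Sanity, be verbose about errors.
# XXX In a 1 x M mesh, ip.forwarding may not be strictly necessary.
#
# The sysctl output is quoted so that a sysctl that prints nothing
# (unknown MIB, failed exec) yields an empty string instead of a
# malformed test expression; '=' rather than '==' keeps this POSIX sh.
#
abort=0
if [ "$(/usr/sbin/sysctl -n net.inet.esp.enable)" = 0 ]; then
	echo "$0: variable 'net.inet.esp.enable' (IPsec ESP protocol)"
	abort=1
fi
if [ "$(/usr/sbin/sysctl -n net.inet.ip.forwarding)" = 0 ]; then
	echo "$0: variable 'net.inet.ip.forwarding' (IP forwarding/routing)"
	abort=1
fi
if [ "${abort}" = 1 ]; then
	echo "$0: must be enabled in /etc/sysctl.conf. Aborting VPN setup."
	# In debug mode keep going so the would-be commands are still printed.
	[ -z "${DEBUG}" ] && exit 0
fi

$DEBUG $ipsecadm flush

#
# Setup the manual SAs
#
if [ -n "$ENC" ]; then
	$DEBUG $ipsecadm new esp -src "$GW_LOCAL" -dst "$GW_REMOTE" \
	    -forcetunnel -spi "$SPI_OUT" -enc "$ENC" -auth "$AUTH" \
	    -keyfile "$KEYFILE" -authkeyfile "$AUTHKEYFILE"
	$DEBUG $ipsecadm new esp -src "$GW_REMOTE" -dst "$GW_LOCAL" \
	    -forcetunnel -spi "$SPI_IN" -enc "$ENC" -auth "$AUTH" \
	    -keyfile "$KEYFILE" -authkeyfile "$AUTHKEYFILE"
fi

#
# Setup the Flows, aka SPD
#
# FLOW/FLOWIN/FLOWOUT are command prefixes kept in plain strings (sh has
# no arrays); they are expanded unquoted on purpose so that they
# word-split back into a command line.
#
FLOW="$DEBUG $ipsecadm flow -proto esp -src $GW_LOCAL -dst $GW_REMOTE"
FLOWIN="$FLOW -in -require -addr"
FLOWOUT="$FLOW -out -require -addr"

# local gateway to remote gateway
# shellcheck disable=SC2086
$FLOWOUT "${GW_LOCAL}/32" "${GW_REMOTE}/32"
# shellcheck disable=SC2086
$FLOWIN "${GW_REMOTE}/32" "${GW_LOCAL}/32"

# each local net to each remote net; the loops stop at the first
# LOCAL_NET_n / REMOTE_NET_n that is unset or empty.
localcount=0
while true; do
	# Indirect lookup. The evaluated text is built only from the
	# constant variable prefix and an integer counter, never from
	# external input, so eval is safe here.
	eval "local_net=\${LOCAL_NET_${localcount}}"
	if [ -z "${local_net}" ]; then break; fi
	remotecount=0
	while true; do
		eval "remote_net=\${REMOTE_NET_${remotecount}}"
		if [ -z "${remote_net}" ]; then break; fi
		# shellcheck disable=SC2086
		$FLOWOUT "$local_net" "$remote_net"
		# shellcheck disable=SC2086
		$FLOWIN "$remote_net" "$local_net"
		remotecount=$((remotecount + 1))
	done
	localcount=$((localcount + 1))
done

exit 0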