authorNiels Provos <provos@cvs.openbsd.org>1998-07-30 08:14:39 +0000
committerNiels Provos <provos@cvs.openbsd.org>1998-07-30 08:14:39 +0000
commit78194b8d1ab41b6f00eba281ef9d90f67ab59309 (patch)
treef8c131bb0d1891c03a28d6202ffbad087f331039
parentabcd8213828520013c8a306bce86c7d5b64963c1 (diff)
Add a script to configure static VPNs in a NxM fashion, provided by
Richard Reiner <rreiner@fscinternet.com> (Canada) - the script requires -current.
-rw-r--r--share/ipsec/Makefile4
-rw-r--r--share/ipsec/rc.vpn177
2 files changed, 179 insertions, 2 deletions
diff --git a/share/ipsec/Makefile b/share/ipsec/Makefile
index 1a53b8beba2..b725427fb23 100644
--- a/share/ipsec/Makefile
+++ b/share/ipsec/Makefile
@@ -1,7 +1,7 @@
#
-# $OpenBSD: Makefile,v 1.2 1997/10/09 14:17:23 deraadt Exp $
+# $OpenBSD: Makefile,v 1.3 1998/07/30 08:14:36 provos Exp $
#
-FILES= *.conf *.startup
+FILES= *.conf *.startup rc.vpn
NOOBJ= noobj
all clean cleandir depend lint tags:
diff --git a/share/ipsec/rc.vpn b/share/ipsec/rc.vpn
new file mode 100644
index 00000000000..03ec509e01b
--- /dev/null
+++ b/share/ipsec/rc.vpn
@@ -0,0 +1,177 @@
+#!/bin/sh
+
+#
+# rc.vpn -- configure IPSec in tunnel mode for M x N networks
+#
+# Richard Reiner, Ph.D., FSC Internet Corp.
+# rreiner@fscinternet.com
+# v0.81 / 26Jul98
+#
+
+echo ' VPN'
+
+
+#############################################################################
+#
+# Configurable parameters
+#
+
+# Should all the commands executed be printed when the script runs?
+# N.B. setting this to "YES" may reveal your keys to persons present
+# at the console when your system boots.
+VPN_DO_ECHO_COMMANDS="YES"
+
+# My interfaces
+VPN_MY_INT_IFACE="ep0"
+VPN_MY_EXT_IFACE="ep1"
+
+# External IP of my tunnel partner
+VPN_PEER_EXT_IP="207.253.158.194"
+
+# The internal IP(s) and mask(s) on the other end of the tunnel -- add as
+# many sets as necessary, numbered from 0 upwards.
+VPN_PEER_INT_IP_0="192.139.247.253"
+VPN_PEER_INT_MASK_0="255.255.255.0"
+
+# IP(s) and mask(s) for *additional* subnets on *our* end of the tunnel
+# (the first one is automagically determined below) -- add as many sets
+# as necessary, numbered from *1* upwards, or comment out if not needed.
+VPN_MY_INT_IP_1="192.139.241.1"
+VPN_MY_INT_MASK_1="255.255.255.0"
+VPN_MY_INT_IP_2="192.139.243.1"
+VPN_MY_INT_MASK_2="255.255.255.0"
+
+# Crypto options and keys
+VPN_ENC="des"
+VPN_AUTH="sha1"
+VPN_SPI_OUT="1000"
+VPN_SPI_IN="1001"
+VPN_KEY="2ea140ac3911cb27"
+VPN_AUTHKEY="176cc284bc1631afbd1468fbe976fa729fcb4321"
+VPN_IV="c4b279f1a9bcd849"
+
+
+
+#############################################################################
+############# #############
+############# -- NO CHANGES SHOULD BE NEEDED BELOW THIS LINE -- #############
+############# #############
+#############################################################################
+
+
+
+#############################################################################
+#
+# Derived (automagically found) parameters
+#
+# Hostnames for ech of our interfaces
+VPN_MY_EXT_NAME=`cut -d" " -f2 < /etc/hostname.$VPN_MY_EXT_IFACE`
+VPN_MY_INT_NAME=`cut -d" " -f2 < /etc/hostname.$VPN_MY_INT_IFACE`
+
+# Our internal IP and mask (extra subnets, if any, are configured above)
+VPN_MY_INT_IP_0=`grep $VPN_MY_INT_NAME < /etc/hosts | cut -d" " -f1`
+VPN_MY_INT_MASK_0=`cut -d" " -f3 < /etc/hostname.$VPN_MY_INT_IFACE`
+
+# Our external IP and mask
+VPN_MY_EXT_IP=`grep $VPN_MY_EXT_NAME < /etc/hosts | cut -d" " -f1`
+VPN_MY_EXT_MASK=`cut -d" " -f3 < /etc/hostname.$VPN_MY_INT_IFACE`
+
+
+#############################################################################
+#
+# Pseudo-constants
+#
+ipsecadm=/sbin/ipsecadm
+
+
+#############################################################################
+#
+# Function definitions
+#
+eval_and_echo () {
+ if [ "$VPN_DO_ECHO_COMMANDS" = "YES" ]; then
+ echo "$*"
+ fi
+ eval "$*"
+}
+
+
+#############################################################################
+#
+# Executable setup statements
+#
+
+# Create the SAs
+eval_and_echo "$ipsecadm new esp -src $VPN_MY_EXT_IP -dst $VPN_PEER_EXT_IP -tunnel $VPN_MY_EXT_IP $VPN_PEER_EXT_IP -spi $VPN_SPI_OUT -enc $VPN_ENC -auth $VPN_AUTH -iv $VPN_IV -key $VPN_KEY -authkey $VPN_AUTHKEY"
+
+eval_and_echo "$ipsecadm new esp -src $VPN_PEER_EXT_IP -dst $VPN_MY_EXT_IP -tunnel $VPN_PEER_EXT_IP $VPN_MY_EXT_IP -spi $VPN_SPI_IN -enc $VPN_ENC -auth $VPN_AUTH -iv $VPN_IV -key $VPN_KEY -authkey $VPN_AUTHKEY"
+
+
+#
+# Create IPSec routes
+#
+
+# Route between the two external IPs
+eval_and_echo "ipsecadm flow -dst $VPN_PEER_EXT_IP -spi $VPN_SPI_OUT -addr $VPN_MY_EXT_IP 255.255.255.255 $VPN_PEER_EXT_IP 255.255.255.255 -local"
+
+# Routes from each internal subnet, to each internal subnet on the far side
+mycount=0
+while :
+do
+ eval next_my_ip=\$VPN_MY_INT_IP_${mycount}
+ eval next_my_mask=\$VPN_MY_INT_MASK_${mycount}
+ if [ -n "${next_my_ip}" ]; then
+
+ peercount=0
+ while :
+ do
+ eval next_peer_ip=\$VPN_PEER_INT_IP_${peercount}
+ eval next_peer_mask=\$VPN_PEER_INT_MASK_${peercount}
+ if [ -n "${next_peer_ip}" ]; then
+ # set an IPSec route for this pair of networks
+ eval_and_echo "$ipsecadm flow -dst $VPN_PEER_EXT_IP -spi $VPN_SPI_OUT -addr $next_my_ip $next_my_mask $next_peer_ip $next_peer_mask"
+ peercount=`expr ${peercount} + 1`
+ else
+ break;
+ fi
+ done
+ mycount=`expr ${mycount} + 1`
+ else
+ break;
+ fi
+done
+
+
+# Routes to each remote internal subnet
+peercount=0
+while :
+do
+ eval next_peer_ip=\$VPN_PEER_INT_IP_${peercount}
+ eval next_peer_mask=\$VPN_PEER_INT_MASK_${peercount}
+ if [ -n "${next_peer_ip}" ]; then
+
+ # Route from my ext IP to each remote internal subnet
+ eval_and_echo "$ipsecadm flow -dst $VPN_PEER_EXT_IP -spi $VPN_SPI_OUT -addr $VPN_MY_EXT_IP 255.255.255.255 $next_peer_ip $next_peer_mask -local"
+ peercount=`expr ${peercount} + 1`
+ else
+ break;
+ fi
+done
+
+
+# Routes from each of my internal subnets to the remote external IP
+mycount=0
+while :
+do
+ eval next_my_ip=\$VPN_MY_INT_IP_${mycount}
+ eval next_my_mask=\$VPN_MY_INT_MASK_${mycount}
+ if [ -n "${next_my_ip}" ]; then
+ eval_and_echo $ipsecadm flow -dst $VPN_PEER_EXT_IP -spi $VPN_SPI_OUT -addr $next_my_ip $next_my_mask $VPN_PEER_EXT_IP 255.255.255.255
+ mycount=`expr ${mycount} + 1`
+ else
+ break;
+ fi
+done
+
+
+
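Review bot: VPN_MY_EXT_MASK at the end of the derived-parameters section is read from the internal interface's hostname file, so the external mask is wrong whenever the two interfaces differ; the line should be ``VPN_MY_EXT_MASK=`cut -d" " -f3 < /etc/hostname.$VPN_MY_EXT_IFACE` ``. VPN_DO_ECHO_COMMANDS ships as "YES" although the comment directly above it warns that this prints the ESP and auth keys on the console at boot, so the shipped default should be `VPN_DO_ECHO_COMMANDS="NO"`. Both SAs created with `ipsecadm new esp` are handed the same VPN_KEY, VPN_AUTHKEY and VPN_IV, so the inbound and outbound directions share one key set; separate per-direction key (and IV) parameters would avoid that reuse. The hostname lookups `grep $VPN_MY_INT_NAME < /etc/hosts` and the matching external one are unanchored, so a name that is a prefix of another hosts entry yields several addresses and a malformed ipsecadm command line; anchoring the match (e.g. `grep -w`) makes that fail visibly instead. The flow command for the two external IPs invokes bare `ipsecadm` rather than `$ipsecadm`, unlike every other invocation in the file.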