-rw-r--r-- | share/ipsec/rc.vpn | 214 |
1 files changed, 100 insertions, 114 deletions
diff --git a/share/ipsec/rc.vpn b/share/ipsec/rc.vpn
index 7dc22c5d0a7..dca773d0d21 100644
--- a/share/ipsec/rc.vpn
+++ b/share/ipsec/rc.vpn
@@ -1,174 +1,160 @@ #!/bin/sh # -# rc.vpn -- configure IPSec in tunnel mode for M x N networks +# $OpenBSD: rc.vpn,v 1.3 1999/08/28 12:10:37 ho Exp $ # # Richard Reiner, Ph.D., FSC Internet Corp. # rreiner@fscinternet.com # v0.81 / 26Jul98 # - -echo ' VPN' - - -############################################################################# +# Modifications and cleanup by H. Olsson <ho@openbsd.org>, 28Aug99 # -# Configurable parameters +# rc.vpn -- configure IPSec in tunnel mode for a mesh of N local and +# M remote networks. (N x M mesh) # - -# Should all the commands executed be printed when the script runs? -# N.B. setting this to "YES" may reveal your keys to persons present -# at the console when your system boots. -VPN_DO_ECHO_COMMANDS="YES" - -# My interfaces -VPN_MY_INT_IFACE="ep0" -VPN_MY_EXT_IFACE="ep1" - -# External IP of my tunnel partner -VPN_PEER_EXT_IP="207.253.158.194" - -# The internal IP(s) and mask(s) on the other end of the tunnel -- add as -# many sets as necessary, numbered from 0 upwards. -VPN_PEER_INT_IP_0="192.139.247.253" -VPN_PEER_INT_MASK_0="255.255.255.0" - -# IP(s) and mask(s) for *additional* subnets on *our* end of the tunnel -# (the first one is automagically determined below) -- add as many sets -# as necessary, numbered from *1* upwards, or comment out if not needed. -VPN_MY_INT_IP_1="192.139.241.1" -VPN_MY_INT_MASK_1="255.255.255.0" -VPN_MY_INT_IP_2="192.139.243.1" -VPN_MY_INT_MASK_2="255.255.255.0" - -# Crypto options and keys -VPN_ENC="des" -VPN_AUTH="sha1" -VPN_SPI_OUT="1000" -VPN_SPI_IN="1001" -VPN_KEY="2ea140ac3911cb27" -VPN_AUTHKEY="176cc284bc1631afbd1468fbe976fa729fcb4321" -VPN_IV="c4b279f1a9bcd849" - - +# For this to work, you will need to have these enabled (in /etc/sysct.conf): +# 'sysctl -w net.inet.ip.forwarding=1' (IP packet routing) +# 'sysctl -w net.inet.esp.enable=1' (IPsec ESP protocol) + +# XXX The configuration parameters should be moved to another file. 
+ +# Uncomment to debug (and not execute) commands +#DEBUG=echo + +# Gateway adresses +GW_LOCAL=192.168.254.254 +GW_PEER=192.168.1.2 + +# Local and remote networks, numbered, syntax <network>:<mask> +LOCAL_NET_0=192.168.254.0:0xffffff00 +LOCAL_NET_1=192.168.253.0:0xffffff00 +REMOTE_NET_0=192.168.1.0:0xffffff00 +REMOTE_NET_1=192.168.2.0:0xffffff00 + +# Crypto options and keys, note that key/iv lengths need to correspond +# to the selected encryption and authentication algorithms. +ENC=des +AUTH=sha1 +SPI_OUT=1000 +SPI_IN=1001 +KEY=2ea140ac3911cb27 +AUTHKEY=176cc284bc1631afbd1468fbe976fa729fcb4321 +IV=c4b279f1a9bcd849 ############################################################################# -############# ############# ############# -- NO CHANGES SHOULD BE NEEDED BELOW THIS LINE -- ############# -############# ############# -############################################################################# - - - ############################################################################# -# -# Derived (automagically found) parameters -# -# Hostnames for ech of our interfaces -VPN_MY_EXT_NAME=`cut -d" " -f2 < /etc/hostname.$VPN_MY_EXT_IFACE` -VPN_MY_INT_NAME=`cut -d" " -f2 < /etc/hostname.$VPN_MY_INT_IFACE` - -# Our internal IP and mask (extra subnets, if any, are configured above) -VPN_MY_INT_IP_0=`grep $VPN_MY_INT_NAME < /etc/hosts | cut -d" " -f1` -VPN_MY_INT_MASK_0=`cut -d" " -f3 < /etc/hostname.$VPN_MY_INT_IFACE` - -# Our external IP and mask -VPN_MY_EXT_IP=`grep $VPN_MY_EXT_NAME < /etc/hosts | cut -d" " -f1` -VPN_MY_EXT_MASK=`cut -d" " -f3 < /etc/hostname.$VPN_MY_INT_IFACE` - -############################################################################# -# -# Pseudo-constants -# ipsecadm=/sbin/ipsecadm - -############################################################################# # -# Function definitions +# Sanity, be verbose about errors. +# XXX In a 1 x M mesh, ip.forwarding may not be strictly necessary. 
# -eval_and_echo () { - if [ "$VPN_DO_ECHO_COMMANDS" = "YES" ]; then - echo "$*" - fi - eval "$*" -} +abort=0 +if [ `/usr/sbin/sysctl -n net.inet.esp.enable` == 0 ]; then + echo " VPN: variable 'net.inet.esp.enable' (IPsec ESP protocol)" + abort=1 +fi +if [ `/usr/sbin/sysctl -n net.inet.ip.forwarding` == 0 ]; then + echo " VPN: variable 'net.inet.ip.forwarding' (IP forwarding/routing)" + abort=1 +fi +if [ ${abort} = 1 ]; then + echo " VPN: must be enabled in /etc/sysctl.conf. Aborting VPN setup." + exit 0 +fi + +[ ! -n "${DEBUG}" ] && echo " VPN " -############################################################################# # -# Executable setup statements +# Setup the SAs # -# Create the SAs -eval_and_echo "$ipsecadm new esp -src $VPN_MY_EXT_IP -dst $VPN_PEER_EXT_IP -forcetunnel -spi $VPN_SPI_OUT -enc $VPN_ENC -auth $VPN_AUTH -key $VPN_KEY -authkey $VPN_AUTHKEY" - -eval_and_echo "$ipsecadm new esp -src $VPN_PEER_EXT_IP -dst $VPN_MY_EXT_IP -forcetunnel -spi $VPN_SPI_IN -enc $VPN_ENC -auth $VPN_AUTH -key $VPN_KEY -authkey $VPN_AUTHKEY" +$DEBUG $ipsecadm new esp -src $GW_LOCAL -dst $GW_PEER \ + -forcetunnel -spi $SPI_OUT -enc $ENC -auth $AUTH \ + -key $KEY -authkey $AUTHKEY +$DEBUG $ipsecadm new esp -src $GW_PEER -dst $GW_LOCAL \ + -forcetunnel -spi $SPI_IN -enc $ENC -auth $AUTH \ + -key $KEY -authkey $AUTHKEY # -# Create IPSec routes +# Create the flows # -# Route between the two external IPs -eval_and_echo "ipsecadm flow -proto esp -dst $VPN_PEER_EXT_IP -spi $VPN_SPI_OUT -addr $VPN_MY_EXT_IP 255.255.255.255 $VPN_PEER_EXT_IP 255.255.255.255 -local" +# Gateway to gateway +$DEBUG ipsecadm flow -proto esp -dst $GW_PEER -spi $SPI_OUT \ + -addr 0.0.0.0 0xffffffff $GW_PEER 0xffffffff -# Routes from each internal subnet, to each internal subnet on the far side +# Flows from each local, to each remote, subnet mycount=0 while : do - eval next_my_ip=\$VPN_MY_INT_IP_${mycount} - eval next_my_mask=\$VPN_MY_INT_MASK_${mycount} - if [ -n "${next_my_ip}" ]; then - + eval 
network=\$LOCAL_NET_${mycount} + set `echo $network | sed 's/:/ /g'` 0x0 0x0 + local_net=$1 + local_mask=$2 + if [ "${local_net}" != "0x0" ]; then peercount=0 while : do - eval next_peer_ip=\$VPN_PEER_INT_IP_${peercount} - eval next_peer_mask=\$VPN_PEER_INT_MASK_${peercount} - if [ -n "${next_peer_ip}" ]; then - # set an IPSec route for this pair of networks - eval_and_echo "$ipsecadm flow -proto esp -dst $VPN_PEER_EXT_IP -spi $VPN_SPI_OUT -addr $next_my_ip $next_my_mask $next_peer_ip $next_peer_mask" - peercount=`expr ${peercount} + 1` + eval network=\$REMOTE_NET_${peercount} + set `echo $network | sed 's/:/ /g'` 0x0 0x0 + remote_net=$1 + remote_mask=$2 + if [ "${remote_net}" != "0x0" ]; then + $DEBUG $ipsecadm flow \ + -proto esp -dst $GW_PEER -spi $SPI_OUT \ + -addr $local_net $local_mask $remote_net $remote_mask + peercount=$(($peercount + 1)) else - break; + break; fi done - mycount=`expr ${mycount} + 1` + mycount=$(($mycount + 1)) else break; fi done +# XXX Stuff below is mainly for testing, may be removed later. 
-# Routes to each remote internal subnet +# Flows from local gw to each remote subnet peercount=0 while : do - eval next_peer_ip=\$VPN_PEER_INT_IP_${peercount} - eval next_peer_mask=\$VPN_PEER_INT_MASK_${peercount} - if [ -n "${next_peer_ip}" ]; then - - # Route from my ext IP to each remote internal subnet - eval_and_echo "$ipsecadm flow -proto esp -dst $VPN_PEER_EXT_IP -spi $VPN_SPI_OUT -addr $VPN_MY_EXT_IP 255.255.255.255 $next_peer_ip $next_peer_mask -local" - peercount=`expr ${peercount} + 1` + eval network=\$REMOTE_NET_${peercount} + set `echo $network | sed 's/:/ /g'` 0x0 0x0 + remote_net=$1 + remote_mask=$2 + if [ "${remote_net}" != "0x0" ]; then + $DEBUG $ipsecadm flow \ + -proto esp -dst $GW_PEER -spi $SPI_OUT \ + -addr 0.0.0.0 0xffffffff $remote_net $remote_mask + peercount=$(($peercount + 1)) else break; fi done - -# Routes from each of my internal subnets to the remote external IP +# Flows from local subnets to the remote gw mycount=0 while : do - eval next_my_ip=\$VPN_MY_INT_IP_${mycount} - eval next_my_mask=\$VPN_MY_INT_MASK_${mycount} - if [ -n "${next_my_ip}" ]; then - eval_and_echo $ipsecadm flow -proto esp -dst $VPN_PEER_EXT_IP -spi $VPN_SPI_OUT -addr $next_my_ip $next_my_mask $VPN_PEER_EXT_IP 255.255.255.255 - mycount=`expr ${mycount} + 1` + eval network=\$LOCAL_NET_${mycount} + set `echo $network | sed 's/:/ /g'` 0x0 0x0 + local_net=$1 + local_mask=$2 + if [ "${local_net}" != "0x0" ]; then + $DEBUG $ipsecadm flow \ + -proto esp -dst $GW_PEER -spi $SPI_OUT \ + -addr $local_net $local_mask $GW_PEER 0xffffffff + mycount=$(($mycount + 1)) else break; fi done + +exit 0 |
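Review bot: The new `#DEBUG=echo` switch prints every ipsecadm command line, including `$KEY` and `$AUTHKEY`, to the console, but the caveat the removed `VPN_DO_ECHO_COMMANDS` block carried ("may reveal your keys to persons present at the console") was dropped with it; restore it next to the switch, e.g. `# Uncomment to debug (and not execute) commands -- NOTE: this echoes KEY and AUTHKEY to the console`. Since the static ESP keys still live in the script itself (the diffstat shows the file as mode -rw-r--r--) the existing `XXX` about moving the parameters to another file could also say that file must not be world-readable. Separately, the two sanity checks use `==` inside `[ ]` under `#!/bin/sh`, which is not POSIX test syntax; `=` behaves the same on every sh, so `if [ \`/usr/sbin/sysctl -n net.inet.esp.enable\` = 0 ]; then` is the portable form. `IV=c4b279f1a9bcd849` is assigned but no `ipsecadm new esp` line passes it, so either it should be dropped or the comment above it should say it is unused.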