Diffstat (limited to 'sbin/ipsec')
-rw-r--r-- | sbin/ipsec/ipsecadm/ipsecadm.1 | 8 | ||||
-rw-r--r-- | sbin/ipsec/ipsecadm/ipsecadm.c | 30 | ||||
-rw-r--r-- | sbin/ipsec/ipsecadm/xf_ah_new.c | 9 | ||||
-rw-r--r-- | sbin/ipsec/ipsecadm/xf_ah_old.c | 7 | ||||
-rw-r--r-- | sbin/ipsec/ipsecadm/xf_esp_new.c | 9 | ||||
-rw-r--r-- | sbin/ipsec/ipsecadm/xf_esp_old.c | 7 |
6 files changed, 48 insertions, 22 deletions
diff --git a/sbin/ipsec/ipsecadm/ipsecadm.1 b/sbin/ipsec/ipsecadm/ipsecadm.1 index 6bd0fda59cf..f7c1d704792 100644 --- a/sbin/ipsec/ipsecadm/ipsecadm.1 +++ b/sbin/ipsec/ipsecadm/ipsecadm.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ipsecadm.1,v 1.1 1997/08/26 17:19:06 provos Exp $ +.\" $OpenBSD: ipsecadm.1,v 1.2 1997/09/23 21:40:59 angelos Exp $ .\" Copyright 1997 Niels Provos <provos@physnet.uni-hamburg.de> .\" All rights reserved. .\" @@ -60,6 +60,7 @@ modifiers are: .Fl dst , .Fl src , .Fl spi , +.Fl tunnel , .Fl enc , .Fl auth , .Fl iv @@ -71,6 +72,7 @@ encryption algorithmns can be applied. Allowed modifiers are: .Fl dst , .Fl src , .Fl spi , +.Fl tunnel , .Fl enc , .Fl iv and @@ -82,6 +84,7 @@ are: .Fl dst , .Fl src , .Fl spi , +.Fl tunnel , .Fl auth , and .Fl key . @@ -91,6 +94,7 @@ hashes will be used for authentication. Allowed modifiers are: .Fl dst , .Fl src , .Fl spi , +.Fl tunnel , .Fl auth , and .Fl key . @@ -121,6 +125,8 @@ The source IP address for the SPI. The destination IP address for the SPI. .It spi The unique Security Parameter Index (SPI). +.It tunnel +The source and destination IP addresses for the external IP header. .It enc The encryption algorithm to be used with the SPI. Possible values are: diff --git a/sbin/ipsec/ipsecadm/ipsecadm.c b/sbin/ipsec/ipsecadm/ipsecadm.c index 7d63744a716..084b7c05911 100644 --- a/sbin/ipsec/ipsecadm/ipsecadm.c +++ b/sbin/ipsec/ipsecadm/ipsecadm.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ipsecadm.c,v 1.7 1997/08/26 17:19:06 provos Exp $ */ +/* $OpenBSD: ipsecadm.c,v 1.8 1997/09/23 21:40:59 angelos Exp $ */ /* * The author of this code is John Ioannidis, ji@tla.org, * (except when noted otherwise). 
@@ -73,11 +73,13 @@ typedef struct { } transform; int xf_esp_new __P((struct in_addr, struct in_addr, u_int32_t, int, int, - u_char *, u_char *)); + u_char *, u_char *, struct in_addr, struct in_addr)); int xf_esp_old __P((struct in_addr, struct in_addr, u_int32_t, int, u_char *, - u_char *)); -int xf_ah_new __P((struct in_addr, struct in_addr, u_int32_t, int, u_char *)); -int xf_ah_old __P((struct in_addr, struct in_addr, u_int32_t, int, u_char *)); + u_char *, struct in_addr, struct in_addr)); +int xf_ah_new __P((struct in_addr, struct in_addr, u_int32_t, int, u_char *, + struct in_addr, struct in_addr)); +int xf_ah_old __P((struct in_addr, struct in_addr, u_int32_t, int, u_char *, + struct in_addr, struct in_addr)); int xf_delspi __P((struct in_addr, u_int32_t, int, int)); int xf_grp __P((struct in_addr, u_int32_t, int, struct in_addr, u_int32_t, int)); @@ -126,6 +128,7 @@ usage() "\t\t-enc <alg>\t encryption algorithm\n" "\t\t-auth <alg>\t authentication algorithm\n" "\t\t-src <ip>\t source address to be used\n" + "\t\t-tunnel <ip> <ip> tunneling addresses\n" "\t\t-dst <ip>\t destination address to be used\n" "\t\t-spi <val>\t SPI to be used\n" "\t\t-key <val>\t key material to be used\n" @@ -147,10 +150,10 @@ main(argc, argv) int proto = IPPROTO_ESP, proto2 = IPPROTO_AH; int chain = 0; u_int32_t spi = 0, spi2 = 0; - struct in_addr src, dst, dst2; + struct in_addr src, dst, dst2, osrc, odst; u_char *ivp = NULL, *keyp = NULL; - src.s_addr = dst.s_addr = dst2.s_addr = 0; + osrc.s_addr = odst.s_addr = src.s_addr = dst.s_addr = dst2.s_addr = 0; if (argc < 2) { usage(); @@ -232,6 +235,11 @@ main(argc, argv) } else if (!strcmp(argv[i]+1, "src") && i+1 < argc) { src.s_addr = inet_addr(argv[i+1]); i++; + } else if (!strcmp(argv[i]+1, "tunnel") && i+2 < argc) { + osrc.s_addr = inet_addr(argv[i+1]); + i++; + odst.s_addr = inet_addr(argv[i+1]); + i++; } else if (!strcmp(argv[i]+1, "dst") && i+1 < argc) { dst.s_addr = inet_addr(argv[i+1]); i++; 
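Review bot: The four widened prototypes at the top of ipsecadm.c are maintained by hand, separately from the K&R-style definitions in xf_esp_new.c, xf_esp_old.c, xf_ah_new.c and xf_ah_old.c, so nothing makes the compiler compare the two. Each call now ends in two adjacent pairs of `struct in_addr`, so a swapped or missing argument would compile cleanly and install an SA with the wrong inner or outer addresses. If no shared header already exists (none is visible in this diff), move these declarations into one that both ipsecadm.c and the xf_*.c files include. Until then, a comment such as `/* keep in sync with the definitions in xf_*.c: (src, dst, ..., osrc, odst) */` above the block would help.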
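Review bot: The new usage line `-tunnel <ip> <ip>` does not say which address is which, although the parser added later in this file takes the first as the outer source (`osrc`) and the second as the outer destination (`odst`). An operator who reverses them gets an SA whose external header is swapped, and nothing on the command line flags that. I would spell the order out, for example `"\t\t-tunnel <src> <dst> outer (tunnel) header addresses\n"`, which also matches the wording added to ipsecadm.1.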
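Review bot: Both addresses in the new `-tunnel` branch are stored straight from `inet_addr()` with no validity check, so a mistyped address becomes the all-ones value and is passed on as a tunnel endpoint. `inet_addr()` reports failure in-band as `INADDR_NONE`, which cannot be told apart from 255.255.255.255; `inet_aton()` returns an explicit status instead. I would write `if (!inet_aton(argv[i+1], &osrc) || !inet_aton(argv[i+2], &odst)) { usage(); exit(1); }` followed by `i += 2;`. The neighbouring `-src` and `-dst` branches have the same gap and could be tightened in the same pass. When fewer than two arguments follow `-tunnel`, the `i+2 < argc` guard makes this branch fall through to whatever later `else` handles unknown options; that code is outside the hunk, so confirm it rejects the option rather than ignoring it.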
@@ -298,16 +306,16 @@ main(argc, argv) if (isencauth(mode)) { switch(mode) { case ESP_NEW: - xf_esp_new(src, dst, spi, enc, auth, ivp, keyp); + xf_esp_new(src, dst, spi, enc, auth, ivp, keyp, osrc, odst); break; case ESP_OLD: - xf_esp_old(src, dst, spi, enc, ivp, keyp); + xf_esp_old(src, dst, spi, enc, ivp, keyp, osrc, odst); break; case AH_NEW: - xf_ah_new(src, dst, spi, auth, keyp); + xf_ah_new(src, dst, spi, auth, keyp, osrc, odst); break; case AH_OLD: - xf_ah_old(src, dst, spi, auth, keyp); + xf_ah_old(src, dst, spi, auth, keyp, osrc, odst); break; } } else { diff --git a/sbin/ipsec/ipsecadm/xf_ah_new.c b/sbin/ipsec/ipsecadm/xf_ah_new.c index fb0acb1a589..55c21e59653 100644 --- a/sbin/ipsec/ipsecadm/xf_ah_new.c +++ b/sbin/ipsec/ipsecadm/xf_ah_new.c @@ -1,4 +1,4 @@ -/* $OpenBSD: xf_ah_new.c,v 1.1 1997/08/26 12:04:36 provos Exp $ */ +/* $OpenBSD: xf_ah_new.c,v 1.2 1997/09/23 21:41:00 angelos Exp $ */ /* * The author of this code is John Ioannidis, ji@tla.org, * (except when noted otherwise). @@ -58,11 +58,12 @@ int xf_set __P(( struct encap_msghdr *)); int x2i __P((char *)); int -xf_ah_new(src, dst, spi, auth, keyp) +xf_ah_new(src, dst, spi, auth, keyp, osrc, odst) struct in_addr src, dst; u_int32_t spi; int auth; u_char *keyp; +struct in_addr osrc, odst; { int klen, i; @@ -79,13 +80,15 @@ u_char *keyp; em->em_spi = spi; em->em_src = src; em->em_dst = dst; + em->em_osrc = osrc; + em->em_odst = odst; em->em_alg = XF_NEW_AH; em->em_sproto = IPPROTO_AH; xd = (struct ah_new_xencap *)(em->em_dat); xd->amx_hash_algorithm = auth; - xd->amx_wnd = 32; + xd->amx_wnd = -1; /* Manual setup -- no sequence number */ xd->amx_keylen = klen; bzero(xd->amx_key, klen); diff --git a/sbin/ipsec/ipsecadm/xf_ah_old.c b/sbin/ipsec/ipsecadm/xf_ah_old.c index d519fe348ea..bd58587e486 100644 --- a/sbin/ipsec/ipsecadm/xf_ah_old.c +++ b/sbin/ipsec/ipsecadm/xf_ah_old.c 
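Review bot: All four call sites in this switch still discard the `int` returned by `xf_esp_new`, `xf_esp_old`, `xf_ah_new` and `xf_ah_old`, so a failure reported by those functions cannot affect the exit status from these lines. What the return value encodes is not visible in this diff, so treat this as something to confirm. If it does signal that the SA was not installed, a script that runs ipsecadm and then assumes traffic is protected would carry on regardless. Capturing the result, e.g. `rc = xf_esp_new(src, dst, spi, enc, auth, ivp, keyp, osrc, odst);`, and testing it after the switch would close that gap; the switch also has no `default:` for an unexpected `mode`. The body of `main` continues outside the hunk.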
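Review bot: The `-1` now stored in `xd->amx_wnd` is a bare sentinel whose meaning is carried only by the trailing comment, and the same applies to `xd->edx_wnd = -1` in xf_esp_new.c. The field's type is not visible here; if it is unsigned, the stored value is the type's maximum, and the kernel side must test for exactly that representation. A constant shared with the kernel header would make the contract explicit. Failing that, a fuller comment would do, e.g. `/* -1: replay window disabled; a manually keyed SA has no negotiated sequence-number state */`. Going by the comment, SAs created through ipsecadm no longer get replay protection, where the old code requested a 32-packet window. That is a reasonable choice for manual keying, but ipsecadm.1 should say so, so operators know what they are giving up.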
@@ -1,4 +1,4 @@ -/* $OpenBSD: xf_ah_old.c,v 1.1 1997/08/26 12:04:37 provos Exp $ */ +/* $OpenBSD: xf_ah_old.c,v 1.2 1997/09/23 21:41:00 angelos Exp $ */ /* * The author of this code is John Ioannidis, ji@tla.org, * (except when noted otherwise). @@ -58,11 +58,12 @@ int xf_set __P(( struct encap_msghdr *)); int x2i __P((char *)); int -xf_ah_old(src, dst, spi, auth, keyp) +xf_ah_old(src, dst, spi, auth, keyp, osrc, odst) struct in_addr src, dst; u_int32_t spi; int auth; u_char *keyp; +struct in_addr osrc, odst; { int klen, i; @@ -79,6 +80,8 @@ u_char *keyp; em->em_spi = spi; em->em_src = src; em->em_dst = dst; + em->em_osrc = osrc; + em->em_odst = odst; em->em_alg = XF_OLD_AH; em->em_sproto = IPPROTO_AH; diff --git a/sbin/ipsec/ipsecadm/xf_esp_new.c b/sbin/ipsec/ipsecadm/xf_esp_new.c index 76eab053137..af7a05b83c7 100644 --- a/sbin/ipsec/ipsecadm/xf_esp_new.c +++ b/sbin/ipsec/ipsecadm/xf_esp_new.c @@ -1,4 +1,4 @@ -/* $OpenBSD: xf_esp_new.c,v 1.1 1997/08/26 12:04:43 provos Exp $ */ +/* $OpenBSD: xf_esp_new.c,v 1.2 1997/09/23 21:41:01 angelos Exp $ */ /* * The author of this code is John Ioannidis, ji@tla.org, * (except when noted otherwise). @@ -58,11 +58,12 @@ int xf_set __P(( struct encap_msghdr *)); int x2i __P((char *)); int -xf_esp_new(src, dst, spi, enc, auth, ivp, keyp) +xf_esp_new(src, dst, spi, enc, auth, ivp, keyp, osrc, odst) struct in_addr src, dst; u_int32_t spi; int enc, auth; u_char *ivp, *keyp; +struct in_addr osrc, odst; { int i, klen, ivlen; @@ -80,6 +81,8 @@ u_char *ivp, *keyp; em->em_spi = spi; em->em_src = src; em->em_dst = dst; + em->em_osrc = osrc; + em->em_odst = odst; em->em_alg = XF_NEW_ESP; em->em_sproto = IPPROTO_ESP; @@ -89,7 +92,7 @@ u_char *ivp, *keyp; xd->edx_hash_algorithm = auth; xd->edx_ivlen = ivlen; xd->edx_keylen = klen; - xd->edx_wnd = 32; + xd->edx_wnd = -1; /* Manual keying -- no seq */ xd->edx_flags = auth ? ESP_NEW_FLAG_AUTH : 0; for (i = 0; i < ivlen; i++) 
diff --git a/sbin/ipsec/ipsecadm/xf_esp_old.c b/sbin/ipsec/ipsecadm/xf_esp_old.c index 98e2ad8b719..ec1ac975dcc 100644 --- a/sbin/ipsec/ipsecadm/xf_esp_old.c +++ b/sbin/ipsec/ipsecadm/xf_esp_old.c @@ -1,4 +1,4 @@ -/* $OpenBSD: xf_esp_old.c,v 1.1 1997/08/26 12:04:44 provos Exp $ */ +/* $OpenBSD: xf_esp_old.c,v 1.2 1997/09/23 21:41:01 angelos Exp $ */ /* * The author of this code is John Ioannidis, ji@tla.org, * (except when noted otherwise). @@ -58,11 +58,12 @@ int xf_set __P(( struct encap_msghdr *)); int x2i __P((char *)); int -xf_esp_old(src, dst, spi, enc, ivp, keyp) +xf_esp_old(src, dst, spi, enc, ivp, keyp, osrc, odst) struct in_addr src, dst; u_int32_t spi; int enc; u_char *ivp, *keyp; +struct in_addr osrc, odst; { int i, ivlen, klen; @@ -80,6 +81,8 @@ u_char *ivp, *keyp; em->em_spi = spi; em->em_src = src; em->em_dst = dst; + em->em_osrc = osrc; + em->em_odst = odst; em->em_alg = XF_OLD_ESP; em->em_sproto = IPPROTO_ESP; |