#!/bin/sh # # $OpenBSD: rc.vpn,v 1.10 2000/04/22 01:57:17 angelos Exp $ # # Richard Reiner, Ph.D., FSC Internet Corp. # rreiner@fscinternet.com # v0.81 / 26Jul98 # # Modifications and cleanup by H. Olsson , 28Aug99 # # rc.vpn -- configure IPSec in tunnel mode for a mesh of N local and # M remote networks. (N x M mesh) # # For this to work, you will need to have these enabled (in /etc/sysctl.conf): # 'sysctl -w net.inet.ip.forwarding=1' (IP packet routing) # 'sysctl -w net.inet.esp.enable=1' (IPsec ESP protocol) # XXX The configuration parameters should be moved to another file. # Uncomment to debug (and not execute) commands #DEBUG=echo # Gateway adresses GW_LOCAL=192.168.254.254 GW_PEER=192.168.1.2 # Local and remote networks, numbered, syntax / LOCAL_NET_0=192.168.254.0/255.255.255.0 LOCAL_NET_1=192.168.253.0/255.255.255.0 REMOTE_NET_0=192.168.1.0/255.255.255.0 REMOTE_NET_1=192.168.2.0/255.255.255.0 # Crypto options and keys, note that key/iv lengths need to correspond # to the selected encryption and authentication algorithms. ENC=3des AUTH=sha1 SPI_OUT=1000 SPI_IN=1001 KEYFILE=/etc/esp-enc-key AUTHKEYFILE=/etc/esp-auth-key ############################################################################# ############# -- NO CHANGES SHOULD BE NEEDED BELOW THIS LINE -- ############# ############################################################################# ipsecadm=/sbin/ipsecadm # # Sanity, be verbose about errors. # XXX In a 1 x M mesh, ip.forwarding may not be strictly necessary. # abort=0 if [ `/usr/sbin/sysctl -n net.inet.esp.enable` == 0 ]; then echo " VPN: variable 'net.inet.esp.enable' (IPsec ESP protocol)" abort=1 fi if [ `/usr/sbin/sysctl -n net.inet.ip.forwarding` == 0 ]; then echo " VPN: variable 'net.inet.ip.forwarding' (IP forwarding/routing)" abort=1 fi if [ ${abort} = 1 ]; then echo " VPN: must be enabled in /etc/sysctl.conf. Aborting VPN setup." exit 0 fi [ ! -n "${DEBUG}" ] && echo " VPN " # # Setup the SAs # $DEBUG $ipsecadm new esp -src $GW_LOCAL -dst $GW_PEER \ -forcetunnel -spi $SPI_OUT -enc $ENC -auth $AUTH \ -keyfile $KEYFILE -authkeyfile $AUTHKEYFILE $DEBUG $ipsecadm new esp -src $GW_PEER -dst $GW_LOCAL \ -forcetunnel -spi $SPI_IN -enc $ENC -auth $AUTH \ -keyfile $KEYFILE -authkeyfile $AUTHKEYFILE # # Create the flows # # Gateway to gateway (both egress and ingress flows) $DEBUG $ipsecadm flow -proto esp -dst $GW_PEER -spi $SPI_OUT \ -addr $GW_LOCAL 255.255.255.255 $GW_PEER 255.255.255.255 $DEBUG $ipsecadm flow -proto esp -dst $GW_LOCAL -spi $SPI_IN \ -addr $GW_PEER 255.255.255.255 $GW_LOCAL 255.255.255.255 -ingress # Flows from each local to each remote subnet, and vice versa for # ACL entries mycount=0 while : do eval network=\$LOCAL_NET_${mycount} set `echo $network | sed 's%/% %g'` 0x0 0x0 local_net=$1 local_mask=$2 if [ "${local_net}" != "0x0" ]; then peercount=0 while : do eval network=\$REMOTE_NET_${peercount} set `echo $network | sed 's%/% %g'` 0x0 0x0 remote_net=$1 remote_mask=$2 if [ "${remote_net}" != "0x0" ]; then $DEBUG $ipsecadm flow \ -proto esp -dst $GW_PEER -spi $SPI_OUT \ -addr $local_net $local_mask $remote_net $remote_mask $DEBUG $ipsecadm flow \ -proto esp -dst $GW_LOCAL -spi $SPI_IN -ingress \ -addr $remote_net $remote_mask $local_net $local_mask peercount=$(($peercount + 1)) else break; fi done mycount=$(($mycount + 1)) else break; fi done # XXX Stuff below is mainly for testing, may be removed later. # Flows from local gw to each remote subnet, and vice versa peercount=0 while : do eval network=\$REMOTE_NET_${peercount} set `echo $network | sed 's%/% %g'` 0x0 0x0 remote_net=$1 remote_mask=$2 if [ "${remote_net}" != "0x0" ]; then $DEBUG $ipsecadm flow \ -proto esp -dst $GW_PEER -spi $SPI_OUT \ -addr $GW_LOCAL 255.255.255.255 $remote_net $remote_mask $DEBUG $ipsecadm flow \ -proto esp -dst $GW_LOCAL -spi $SPI_IN -ingress\ -addr $remote_net $remote_mask $GW_LOCAL 255.255.255.255 peercount=$(($peercount + 1)) else break; fi done # Flows from local subnets to the remote gw and vice versa mycount=0 while : do eval network=\$LOCAL_NET_${mycount} set `echo $network | sed 's%/% %g'` 0x0 0x0 local_net=$1 local_mask=$2 if [ "${local_net}" != "0x0" ]; then $DEBUG $ipsecadm flow \ -proto esp -dst $GW_PEER -spi $SPI_OUT \ -addr $local_net $local_mask $GW_PEER 255.255.255.255 $DEBUG $ipsecadm flow \ -proto esp -dst $GW_LOCAL -spi $SPI_IN -ingress\ -addr $GW_PEER 255.255.255.255 $local_net $local_mask mycount=$(($mycount + 1)) else break; fi done exit 0