#!/bin/sh
#	$OpenBSD: singlehost-setup.sh,v 1.5 2003/08/18 09:41:40 markus Exp $
#	$EOM: singlehost-setup.sh,v 1.3 2000/11/23 12:24:43 niklas Exp $

# A script to test single-host VPNs

# For the 'pf' variable
# rc.conf supplies the 'pf' (YES/NO) setting, and presumably 'pf_rules',
# both consulted when the ruleset is loaded and again in cleanup.
. /etc/rc.conf

# Default tool paths: pf control utility and the IKE daemon under test.
PFCTL=/sbin/pfctl ISAKMPD=/sbin/isakmpd

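#
# do_routes add|delete
#   Apply the given route(8) verb to the three test networks, each pointed
#   at the loopback alias configured for it.  route(8) chatter on stdout is
#   silenced; errors still reach stderr.  The verb is quoted so an empty or
#   odd argument cannot word-split into extra route(8) options.
# Returns: 1 when no verb was given, otherwise the status of the last route(8).
#
do_routes()
{
    if [ -z "$1" ]; then
	echo "do_routes: missing route verb (add or delete)" >&2
	return 1
    fi
    /sbin/route "$1" -net 192.168.11.0/24 192.168.11.1 -iface >/dev/null
    /sbin/route "$1" -net 192.168.12.0/24 192.168.12.1 -iface >/dev/null
    /sbin/route "$1" -net 10.1.0.0/16     10.1.0.11    -iface >/dev/null
}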

# Called on script exit
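# Called on script exit and from the signal trap: restore the pf ruleset,
# hand the config files back to the login user, ask both daemons to quit
# and tear down the test routes.  Reads 'pf' and 'pf_rules' (rc.conf) and
# PFCTL (defined above).
cleanup () {
    if [ "x${pf}" = "xYES" ] && [ -f "${pf_rules}" ]; then
	${PFCTL} -R -f "${pf_rules}"
    else
	# pf was not enabled before this script ran, so switch it off again.
	${PFCTL} -qd
    fi

    # 'id -p' prints a 'login' line only when the login name differs from
    # the effective user (e.g. after su); otherwise fall back to the 'uid'
    # line so chown gets a real owner instead of taking the first file
    # name as one.  A dedicated variable avoids clobbering $USER.
    owner=$(id -p | grep '^login' | cut -f2)
    [ -n "$owner" ] || owner=$(id -p | grep '^uid' | cut -f2)
    if [ -n "$owner" ]; then
	chown "$owner" singlehost-east.conf singlehost-west.conf policy
    else
	echo "cleanup: cannot determine an owner for the config files" >&2
    fi
    chmod 644   singlehost-east.conf singlehost-west.conf policy

    # Ask each daemon to quit through its control FIFO.  NOTE: opening a
    # FIFO for writing can block until a reader appears, so a daemon that
    # died after creating its FIFO would stall this step.
    [ -p east.fifo ] && echo "Q" >> east.fifo
    [ -p west.fifo ] && echo "Q" >> west.fifo
    rm -f east.fifo west.fifo

    do_routes delete
}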

# Start by initializing interfaces
# Bring up one loopback alias per test endpoint (two /24 tunnel endpoints
# and two hosts in the 10.1/16 network), then add the routes that steer
# the test networks over them.
while read -r ifn addr mask; do
    /sbin/ifconfig "$ifn" "$addr" netmask "$mask" up
done <<EOF
lo2 192.168.11.1 0xffffff00
lo3 192.168.12.1 0xffffff00
lo4 10.1.0.11 0xffff0000
lo5 10.1.0.12 0xffff0000
EOF
do_routes add

# Add rules
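# Load the test ruleset: only ESP (proto 50) and traffic sourced from the
# tunnel endpoint networks may leave lo2/lo3; everything else out of them
# is blocked, so a plaintext leak shows up as a failed ping.  If pf was
# already enabled with a ruleset, append that ruleset (minus its scrub and
# translation lines, presumably because pf requires those ahead of filter
# rules); otherwise enable pf now and let cleanup disable it again.
(
    cat <<EOF
pass out quick on lo2 proto 50 all
pass out quick on lo2 from 192.168.11.0/24 to any
pass out quick on lo3 proto 50 all
pass out quick on lo3 from 192.168.12.0/24 to any
block out on lo2 all
block out on lo3 all
EOF
    if [ "x${pf}" = "xYES" ] && [ -f "${pf_rules}" ]; then
	grep -E -v '^(scrub|rdr|binat|nat)' -- "${pf_rules}"
    else
	# stdout is the pipe to pfctl, so any chatter here must be dropped.
	${PFCTL} -qe >/dev/null
    fi
) | ${PFCTL} -R -f -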

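# From here on a signal must undo the interface, route and pf changes made
# above.  Note the trap does not cover a plain exit, so error paths below
# call cleanup explicitly.
trap cleanup 1 2 3 15

# The configuration files need proper owners and modes: owned by the user
# running the daemons and unreadable by others.  Abort instead of running
# chown with an empty owner, which would take the first file name as one.
# A dedicated variable avoids clobbering $USER for the daemons started later.
owner=$(id -p | grep '^uid' | cut -f2)
if [ -z "$owner" ]; then
    echo "cannot determine the current user; aborting" >&2
    cleanup
    exit 1
fi
chown "$owner" singlehost-east.conf singlehost-west.conf policy
chmod 600   singlehost-east.conf singlehost-west.conf policy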

# Start the daemons
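# Start the daemons, one per endpoint, each with its own control FIFO.
# Extra script arguments are passed through to both.  A non-zero status
# from the launch means the daemon did not start, so abort through cleanup
# rather than report a meaningless ping result.
rm -f east.fifo west.fifo
for side in east west; do
    if ! ${ISAKMPD} -c "singlehost-${side}.conf" -f "${side}.fifo" "$@"; then
	echo "failed to start isakmpd for ${side}" >&2
	cleanup
	exit 1
    fi
done

# Give them some time to negotiate their stuff...
SECS=3
echo "Waiting $SECS seconds..."
sleep "$SECS"
echo "Running 'ping', using the tunnel..."
# Probe from the east endpoint address to the west one; with the block
# rules loaded above, replies only arrive if the tunnel carries them.
ping -I 192.168.11.1 -c 5 192.168.12.1
rc=$?

cleanup
# Report the ping outcome, not cleanup's status, as the test result.
exit "$rc"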