#!/bin/sh
# $OpenBSD: singlehost-setup.sh,v 1.5 2003/08/18 09:41:40 markus Exp $
# $EOM: singlehost-setup.sh,v 1.3 2000/11/23 12:24:43 niklas Exp $
# A script to test single-host VPNs
# Pull in the pf settings from rc.conf (the 'pf' and 'pf_rules' variables)
. /etc/rc.conf
# Default tool locations
PFCTL="/sbin/pfctl"
ISAKMPD="/sbin/isakmpd"
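# Add or delete the routes the test tunnel relies on.
# Arguments: $1 - route(8) command, "add" or "delete"
# Outputs:   route(8) stdout is discarded; its diagnostics stay on stderr
# Returns:   1 for any other command (no route is touched), otherwise the
#            status of the last route(8) call
do_routes()
{
  case "$1" in
  add|delete)
    ;;
  *)
    echo "do_routes: expected 'add' or 'delete', got '$1'" >&2
    return 1
    ;;
  esac
  /sbin/route "$1" -net 192.168.11.0/24 192.168.11.1 -iface >/dev/null
  /sbin/route "$1" -net 192.168.12.0/24 192.168.12.1 -iface >/dev/null
  /sbin/route "$1" -net 10.1.0.0/16 10.1.0.11 -iface >/dev/null
}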
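# Undo everything the script set up: the pf ruleset, the ownership and
# modes of the configuration files, the daemons (told to quit through
# their fifos), the fifos themselves and the routes.
# Globals:   pf, pf_rules (from /etc/rc.conf), PFCTL
# Outputs:   nothing of its own; tool diagnostics go to stderr
# Called on script exit and from the signal trap.
cleanup () {
  if [ "x${pf}" = "xYES" ] && [ -f "${pf_rules}" ]; then
    # pf is enabled from rc.conf: put the system ruleset back
    ${PFCTL} -R -f "${pf_rules}"
  else
    # pf was only enabled for this test: disable it again
    ${PFCTL} -qd
  fi
  # Hand the configuration back to the login user, world-readable again.
  # id -p prints a "login" line only when the login name differs from the
  # uid's name (e.g. after su(1)); fall back to the "uid" line so chown is
  # never run with an empty owner.
  owner=$(id -p | grep '^login' | cut -f2)
  [ -n "${owner}" ] || owner=$(id -p | grep '^uid' | cut -f2)
  chown "${owner}" singlehost-east.conf singlehost-west.conf policy
  chmod 644 singlehost-east.conf singlehost-west.conf policy
  # Ask each daemon to quit through its command fifo, if it is still there.
  # NOTE(review): opening a fifo for writing normally blocks until a reader
  # shows up, so this may hang if a daemon has already died -- confirm and
  # consider guarding it.
  [ -p east.fifo ] && echo "Q" >> east.fifo
  [ -p west.fifo ] && echo "Q" >> west.fifo
  rm -f east.fifo west.fifo
  do_routes delete
}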
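# Arrange for cleanup on HUP, INT, QUIT and TERM before any system state is
# changed, so an interrupted run does not leave interfaces, routes or pf
# rules behind.  The normal exit path calls cleanup explicitly at the end.
trap cleanup 1 2 3 15
# Start by initializing the loopback interfaces the test runs over
/sbin/ifconfig lo2 192.168.11.1 netmask 0xffffff00 up
/sbin/ifconfig lo3 192.168.12.1 netmask 0xffffff00 up
/sbin/ifconfig lo4 10.1.0.11 netmask 0xffff0000 up
/sbin/ifconfig lo5 10.1.0.12 netmask 0xffff0000 up
# ... and by adding the required routes
do_routes add
# Load the filter rules: only ESP (proto 50) and traffic from the tunnel
# networks may leave lo2/lo3, everything else out of them is blocked.  When
# pf is enabled from rc.conf the system ruleset is appended, minus its
# scrub/rdr/binat/nat lines; otherwise pf is enabled just for this test.
(
cat <<EOF
pass out quick on lo2 proto 50 all
pass out quick on lo2 from 192.168.11.0/24 to any
pass out quick on lo3 proto 50 all
pass out quick on lo3 from 192.168.12.0/24 to any
block out on lo2 all
block out on lo3 all
EOF
if [ "x${pf}" = "xYES" ] && [ -f "${pf_rules}" ]; then
  grep -E -v '^(scrub|rdr|binat|nat)' "${pf_rules}"
else
  ${PFCTL} -qe >/dev/null
fi
) | ${PFCTL} -R -f -
# The configuration files need proper owners and modes while the daemons
# run: owned by the uid we run as and not readable by anyone else; cleanup
# hands them back to the login user afterwards.  NOTE(review): presumably
# isakmpd rejects group/world-accessible configuration -- confirm.
owner=$(id -p | grep '^uid' | cut -f2)
chown "${owner}" singlehost-east.conf singlehost-west.conf policy
chmod 600 singlehost-east.conf singlehost-west.conf policy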
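# Start the daemons, each driven through its own command fifo.  A non-zero
# status means a daemon never got going (nothing is learned here about
# failures after it detached); bail out, cleaning up, rather than ping a
# tunnel that cannot exist.
rm -f east.fifo west.fifo
${ISAKMPD} -c singlehost-east.conf -f east.fifo "$@" ||
  { echo "isakmpd (east) failed to start" >&2; cleanup; exit 1; }
${ISAKMPD} -c singlehost-west.conf -f west.fifo "$@" ||
  { echo "isakmpd (west) failed to start" >&2; cleanup; exit 1; }
# Give them some time to negotiate...
SECS=3
echo "Waiting $SECS seconds..."
sleep "$SECS"
echo "Running 'ping', using the tunnel..."
ping -I 192.168.11.1 -c 5 192.168.12.1
# ping's status is the test result; keep it across cleanup so the caller
# can see whether the tunnel actually carried traffic
status=$?
cleanup
exit "$status"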