summaryrefslogtreecommitdiff
path: root/share/ipsec/rc.vpn
blob: 7e18ffe58792fff17f72f004e5d3985a9d88febb (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
#!/bin/sh
#	$OpenBSD: rc.vpn,v 1.18 2003/01/20 12:25:45 markus Exp $
#
# Richard Reiner, Ph.D., FSC Internet Corp.
# rreiner@fscinternet.com
# v0.81 / 26Jul98
#
# Modifications and cleanup by H. Olsson <ho@openbsd.org>, 28Aug99
# and Markus Friedl <markus@openbsd.org>
#
# rc.vpn -- configure IPsec in tunnel mode for a mesh of N local and
#           M remote networks. (N x M mesh)
#
# For this to work, you will need to have these enabled (in /etc/sysctl.conf):
#   'sysctl -w net.inet.ip.forwarding=1'   (IP packet routing)
#   'sysctl -w net.inet.esp.enable=1'      (IPsec ESP protocol)

# XXX The configuration parameters should be moved to another file.

# Uncomment to debug (and not execute) commands
DEBUG=echo

# Gateway adresses
GW_LOCAL=192.168.254.254
GW_REMOTE=192.168.1.2

# Local and remote networks
LOCAL_NETWORKS="192.168.254.0/24 192.168.253.0/24"
REMOTE_NETWORKS="192.168.1.0/24 192.168.2.0/24"

# Optional, use for manual keying only
# Crypto options and keys, note that key/iv lengths need to correspond
# to the selected encryption and authentication algorithms.
ENC=3des
AUTH=sha1
SPI_OUT=1000
SPI_IN=1001
KEYFILE=/etc/esp-enc-key
AUTHKEYFILE=/etc/esp-auth-key

#############################################################################
############# -- NO CHANGES SHOULD BE NEEDED BELOW THIS LINE -- #############
#############################################################################

ipsecadm=/sbin/ipsecadm

#
# Sanity, be verbose about errors.
# XXX In a 1 x M mesh, ip.forwarding may not be strictly necessary.
#

abort=0
if [ `/usr/sbin/sysctl -n net.inet.esp.enable` == 0 ]; then
	echo "$0: variable 'net.inet.esp.enable=0' (IPsec ESP protocol)"
	abort=1
fi
if [ `/usr/sbin/sysctl -n net.inet.ip.forwarding` == 0 ]; then
	echo "$0: variable 'net.inet.ip.forwarding=0' (IP forwarding/routing)"
	abort=1
fi
if [ ${abort} = 1 ]; then
	echo "$0: must be enabled in /etc/sysctl.conf. Aborting VPN setup." 
	[ ! -n "${DEBUG}" ] && exit 0
fi

$DEBUG $ipsecadm flush

#
# Setup the manual SAs
#

if [ "$ENC" ]; then
	$DEBUG $ipsecadm new esp -src $GW_LOCAL -dst $GW_REMOTE \
		-forcetunnel -spi $SPI_OUT -enc $ENC -auth $AUTH \
		-keyfile $KEYFILE -authkeyfile $AUTHKEYFILE

	$DEBUG $ipsecadm new esp -src $GW_REMOTE -dst $GW_LOCAL \
		-forcetunnel -spi $SPI_IN -enc $ENC -auth $AUTH \
		-keyfile $KEYFILE -authkeyfile $AUTHKEYFILE
fi

#
# Setup the Flows, aka SPD
#

# add the gateways
LOCAL_NETWORKS="${GW_LOCAL}/32 ${LOCAL_NETWORKS}"
REMOTE_NETWORKS="${GW_REMOTE}/32 ${REMOTE_NETWORKS}"
# but allow ESP in the clear
BYPASS="$DEBUG ${ipsecadm} flow -transport esp -src ${GW_LOCAL} -dst ${GW_REMOTE} -bypass"
$BYPASS -out -addr ${GW_LOCAL}/32  ${GW_REMOTE}/32
$BYPASS -in  -addr ${GW_REMOTE}/32 ${GW_LOCAL}/32

FLOW="$DEBUG ${ipsecadm} flow -proto esp -src ${GW_LOCAL} -dst ${GW_REMOTE} -require"

# each local net to each remote net
for local_net in ${LOCAL_NETWORKS}; do
	for remote_net in ${REMOTE_NETWORKS}; do
		$FLOW -out -addr $local_net  $remote_net
		$FLOW -in  -addr $remote_net $local_net
	done
done

exit 0