summaryrefslogtreecommitdiff
path: root/share/ipsec/rc.vpn
blob: 30ed6b9153a3cf6a769dc29d7b5e21e00e217975 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
#!/bin/sh

#
#    $OpenBSD: rc.vpn,v 1.10 2000/04/22 01:57:17 angelos Exp $
#
# Richard Reiner, Ph.D., FSC Internet Corp.
# rreiner@fscinternet.com
# v0.81 / 26Jul98
#
# Modifications and cleanup by H. Olsson <ho@openbsd.org>, 28Aug99
#
# rc.vpn -- configure IPSec in tunnel mode for a mesh of N local and
#           M remote networks. (N x M mesh)
#
# For this to work, you will need to have these enabled (in /etc/sysctl.conf):
#   'sysctl -w net.inet.ip.forwarding=1'   (IP packet routing)
#   'sysctl -w net.inet.esp.enable=1'      (IPsec ESP protocol)

# XXX The configuration parameters should be moved to another file.

# Uncomment to debug (and not execute) commands
#DEBUG=echo

# Gateway adresses
GW_LOCAL=192.168.254.254
GW_PEER=192.168.1.2

# Local and remote networks, numbered, syntax <network>/<mask>
LOCAL_NET_0=192.168.254.0/255.255.255.0
LOCAL_NET_1=192.168.253.0/255.255.255.0
REMOTE_NET_0=192.168.1.0/255.255.255.0
REMOTE_NET_1=192.168.2.0/255.255.255.0

# Crypto options and keys, note that key/iv lengths need to correspond
# to the selected encryption and authentication algorithms.
ENC=3des
AUTH=sha1
SPI_OUT=1000
SPI_IN=1001
KEYFILE=/etc/esp-enc-key
AUTHKEYFILE=/etc/esp-auth-key

#############################################################################
############# -- NO CHANGES SHOULD BE NEEDED BELOW THIS LINE -- #############
#############################################################################

ipsecadm=/sbin/ipsecadm

#
# Sanity, be verbose about errors.
# XXX In a 1 x M mesh, ip.forwarding may not be strictly necessary.
#

abort=0
if [ `/usr/sbin/sysctl -n net.inet.esp.enable` == 0 ]; then
    echo " VPN: variable 'net.inet.esp.enable' (IPsec ESP protocol)"
    abort=1
fi
if [ `/usr/sbin/sysctl -n net.inet.ip.forwarding` == 0 ]; then
    echo " VPN: variable 'net.inet.ip.forwarding' (IP forwarding/routing)"
    abort=1
fi
if [ ${abort} = 1 ]; then
    echo " VPN: must be enabled in /etc/sysctl.conf. Aborting VPN setup." 
    exit 0
fi

[ ! -n "${DEBUG}" ] && echo " VPN "

#
# Setup the SAs
#

$DEBUG $ipsecadm new esp -src $GW_LOCAL -dst $GW_PEER \
    -forcetunnel -spi $SPI_OUT -enc $ENC -auth $AUTH \
    -keyfile $KEYFILE -authkeyfile $AUTHKEYFILE

$DEBUG $ipsecadm new esp -src $GW_PEER -dst $GW_LOCAL \
    -forcetunnel -spi $SPI_IN -enc $ENC -auth $AUTH \
    -keyfile $KEYFILE -authkeyfile $AUTHKEYFILE

#
# Create the flows
#

# Gateway to gateway (both egress and ingress flows)
$DEBUG $ipsecadm flow -proto esp -dst $GW_PEER -spi $SPI_OUT \
    -addr $GW_LOCAL 255.255.255.255 $GW_PEER 255.255.255.255
$DEBUG $ipsecadm flow -proto esp -dst $GW_LOCAL -spi $SPI_IN \
    -addr $GW_PEER 255.255.255.255 $GW_LOCAL 255.255.255.255 -ingress

# Flows from each local to each remote subnet, and vice versa for
# ACL entries
mycount=0
while :
do
    eval network=\$LOCAL_NET_${mycount}
    set `echo $network | sed 's%/% %g'` 0x0 0x0
    local_net=$1
    local_mask=$2
    if [ "${local_net}" != "0x0" ]; then
	peercount=0
	while :
	do
	    eval network=\$REMOTE_NET_${peercount}
	    set `echo $network | sed 's%/% %g'` 0x0 0x0
	    remote_net=$1
	    remote_mask=$2
	    if [ "${remote_net}" != "0x0" ]; then
		$DEBUG $ipsecadm flow \
		    -proto esp -dst $GW_PEER -spi $SPI_OUT \
		    -addr $local_net $local_mask $remote_net $remote_mask

		$DEBUG $ipsecadm flow \
		    -proto esp -dst $GW_LOCAL -spi $SPI_IN -ingress \
		    -addr $remote_net $remote_mask $local_net $local_mask
		peercount=$(($peercount + 1))
	    else
		break;
	    fi
	done
	mycount=$(($mycount + 1))
    else
	break;
    fi
done

# XXX Stuff below is mainly for testing, may be removed later.

# Flows from local gw to each remote subnet, and vice versa
peercount=0
while :
do
    eval network=\$REMOTE_NET_${peercount}
    set `echo $network | sed 's%/% %g'` 0x0 0x0
    remote_net=$1
    remote_mask=$2
    if [ "${remote_net}" != "0x0" ]; then
	$DEBUG $ipsecadm flow \
	    -proto esp -dst $GW_PEER -spi $SPI_OUT \
	    -addr $GW_LOCAL 255.255.255.255 $remote_net $remote_mask

	$DEBUG $ipsecadm flow \
	    -proto esp -dst $GW_LOCAL -spi $SPI_IN -ingress\
	    -addr $remote_net $remote_mask $GW_LOCAL 255.255.255.255 
	peercount=$(($peercount + 1))
    else
	break;
    fi
done

# Flows from local subnets to the remote gw and vice versa
mycount=0
while :
do
    eval network=\$LOCAL_NET_${mycount}
    set `echo $network | sed 's%/% %g'` 0x0 0x0
    local_net=$1
    local_mask=$2
    if [ "${local_net}" != "0x0" ]; then
	$DEBUG $ipsecadm flow \
	    -proto esp -dst $GW_PEER -spi $SPI_OUT \
	    -addr $local_net $local_mask $GW_PEER 255.255.255.255

	$DEBUG $ipsecadm flow \
	    -proto esp -dst $GW_LOCAL -spi $SPI_IN -ingress\
	    -addr $GW_PEER 255.255.255.255 $local_net $local_mask 
	mycount=$(($mycount + 1))
    else
	break;
    fi
done

exit 0