authorBill Nottingham <notting@redhat.com>2003-07-01 06:46:19 +0000
committerBill Nottingham <notting@redhat.com>2003-07-01 06:46:19 +0000
commit96916cdd2cf4031dff4be16cc22d8e034d7735ec (patch)
tree3bcee2e7dc103bf06faa359711a7415984a26aa5 /sysconfig/network-scripts/ifup-ipsec
parente16932e092fb64e788f465d6c0d683c893a2bec0 (diff)
initial stuff. may not work. may not even parse.
Diffstat (limited to 'sysconfig/network-scripts/ifup-ipsec')
-rwxr-xr-xsysconfig/network-scripts/ifup-ipsec112
1 files changed, 112 insertions, 0 deletions
diff --git a/sysconfig/network-scripts/ifup-ipsec b/sysconfig/network-scripts/ifup-ipsec
new file mode 100755
index 00000000..0d882e74
--- /dev/null
+++ b/sysconfig/network-scripts/ifup-ipsec
@@ -0,0 +1,112 @@
+#!/bin/sh
+#
+# ifup-ipsec
+#
+# Brings up ipsec interfaces
+#
+# Configuration parameters
+#
+# Manual keying:
+#
+# SRC = source address. Not required.
+# DST = destination address
+# SRCNET = source net (for tunneling)
+# DSTNET = destination network (for tunneling)
+# AH_PROTO = protocol to use for AH (defaults to HMAC-MD5)
+# ESP_PROTO = protocol to use for ESP (defaults to 3DES)
+# KEY_AH = AH key
+# KEY_ESP = ESP key
+# SPI[1..4] = SPIs to use
+#
+#
+
+if [ -n "$KEY_AH" -o -n "$KEY_ESP" ]; then
+ KEYING=manual
+fi
+
+if [ -n "$IKE_PSK" ]; then
+ KEYING=automatic
+ IKE_METHOD=PSK
+fi
+
+if [ -n "$CERT_NAME" ]; then
+ KEYING=automatic
+ IKE_METHOD=X509
+fi
+
+if [ -n "$RSA_KEY" ]; then
+ KEYING=automatic
+ IKE_METHOD=RSA
+fi
+
+if [ -n "$SRCNET" -o -n "$DSTNET" ]; then
+ MODE=tunnel
+else
+ MODE=host
+fi
+
+if [ "$KEYING" = "manual" ]; then
+ # Get source address
+ if [ -n "$SRC" ]; then
+ SRC=`ip -o route get to $DST | sed "s|.*src \([^ ]*\).*|\1|"`
+ fi
+
+ [ -z "$AH_PROTO" ] && AH_PROTO=hmac-md5
+ [ -z "$ESP_PROTO" ] && ESP_PROTO=3des-cbc
+
+ if [ "$MODE" = "host" ]; then
+
+ /sbin/setkey -c << EOF
+deleteall $SRC $DST ah;
+deleteall $DST $SRC ah;
+deleteall $SRC $DST esp;
+deleteall $DST $SRC esp;
+spddelete $SRC $DST any -P out;
+spddelete $DST $SRC any -P in;
+
+# ESP
+add $DST $SRC esp $SPI3 -E $ESP_PROTO $KEY_ESP;
+add $SRC $DST esp $SPI4 -E $ESP_PROTO $KEY_ESP;
+
+# AH
+add $DST $SRC ah $SPI1 -A $AH_PROTO $KEY_AH;
+add $SRC $DST ah $SPI2 -A $AH_PROTO $KEY_AH;
+
+spdadd $SRC $DST any -P out ipsec
+ esp/transport//require
+ ah/transport//require;
+
+spdadd $DST $SRC any -P in ipsec
+ esp/transport//require
+ ah/transport//require;
+EOF
+ else
+ [ -n "$SRCNET" ] && SRCNET="$SRC/32"
+ [ -n "$DSTNET" ] && DSTNET="$DST/32"
+
+ /sbin/setkey -c << EOF
+deleteall $SRC $DST ah;
+deleteall $DST $SRC ah;
+deleteall $SRC $DST esp;
+deleteall $DST $SRC esp;
+spddelete $SRCNET $DSTNET any -P out;
+spddelete $DSTNET $SRCNET any -P in;
+
+# ESP
+add $DST $SRC esp $SPI3 -m tunnel -E $ESP_PROTO $KEY_ESP;
+add $SRC $DST esp $SPI4 -m tunnel -E $ESP_PROTO $KEY_ESP;
+
+# AH
+add $DST $SRC ah $SPI1 -m tunnel -A $AH_PROTO $KEY_AH;
+add $SRC $DST ah $SPI2 -m tunnel -A $AH_PROTO $KEY_AH;
+
+spdadd $SRCNET $DSTNET any -P out ipsec
+ esp/tunnel/$SRC-$DEST/require
+ ah/tunnel/$SRC-$DEST/require;
+
+spdadd $DSTNET $SRCNET any -P in ipsec
+ esp/tunnel/$DEST-$SRC/require
+ ah/tunnel/$DEST-$SRC/require;
+EOF
+ fi
+fi
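Review bot: The source-address detection at `if [ -n "$SRC" ]; then` is inverted — it runs `ip route get` only when SRC is already configured and leaves SRC empty otherwise, so in the common case every `deleteall`/`add`/`spddelete` line in both here-docs loses its source operand; it should read `if [ -z "$SRC" ]; then`. The tunnel branch has the same inversion: `[ -n "$SRCNET" ] && SRCNET="$SRC/32"` and `[ -n "$DSTNET" ] && DSTNET="$DST/32"` overwrite networks the user did configure and never supply the /32 default when they are absent, so both should test `-z`. The tunnel `spdadd` policies also expand `$DEST`, which is never assigned anywhere in the script (the header and every other line use `DST`), so the endpoint field becomes `$SRC-` and setkey will reject the policy; the four `esp/tunnel`/`ah/tunnel` lines should use `$DST`. Since `$DST` is interpolated unquoted into the `ip -o route get to $DST` command and the here-docs, a short comment noting that the ifcfg values are trusted configuration, not user input, would make that expectation explicit for later maintainers.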