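#!/bin/sh
#
# ifup-ipsec
#
# Brings up ipsec interfaces
#
# Configuration parameters
#
# Manual keying:
#
# SRC = source address. Not required; when unset it is derived from the
#       route towards DST.
# DST = destination address (required for manual keying)
# SRCNET = source net (for tunneling); defaults to SRC/32
# DSTNET = destination network (for tunneling); defaults to DST/32
# AH_PROTO = protocol to use for AH (defaults to HMAC-MD5)
# ESP_PROTO = protocol to use for ESP (defaults to 3DES)
# KEY_AH = AH key; KEY_AH_IN / KEY_AH_OUT override it per direction
# KEY_ESP = ESP key; KEY_ESP_IN / KEY_ESP_OUT override it per direction
# SPI[1..4] = SPIs to use: SPI1/SPI2 for AH in/out, SPI3/SPI4 for ESP in/out
#
# The hmac-md5 / 3des-cbc defaults are only kept for compatibility with
# existing configurations; new configurations should set AH_PROTO and
# ESP_PROTO explicitly.
#
# Keys and SPIs reach setkey through a here-document on stdin, not through
# the command line, so they are not exposed in process listings.
#
# Automatic keying (IKE_PSK, CERT_NAME, RSA_KEY) is only classified below
# (KEYING=automatic, IKE_METHOD=...); nothing in this script acts on it.
#

# Any manual key selects manual keying.  The automatic-keying checks below
# run later and therefore take precedence when both kinds are configured.
if [ -n "$KEY_AH" ] || [ -n "$KEY_ESP" ]; then
  KEYING=manual
fi

# A single KEY_AH / KEY_ESP applies to both directions unless a
# direction-specific key was given.
if [ -z "$KEY_AH_IN" ] && [ -n "$KEY_AH" ]; then
  KEY_AH_IN=$KEY_AH
fi
if [ -z "$KEY_AH_OUT" ] && [ -n "$KEY_AH" ]; then
  KEY_AH_OUT=$KEY_AH
fi
if [ -z "$KEY_ESP_IN" ] && [ -n "$KEY_ESP" ]; then
  KEY_ESP_IN=$KEY_ESP
fi
if [ -z "$KEY_ESP_OUT" ] && [ -n "$KEY_ESP" ]; then
  KEY_ESP_OUT=$KEY_ESP
fi

# Order matters: when several are set, the last one wins (RSA over X509
# over PSK), as in the original.
if [ -n "$IKE_PSK" ]; then
  KEYING=automatic
  IKE_METHOD=PSK
fi
if [ -n "$CERT_NAME" ]; then
  KEYING=automatic
  IKE_METHOD=X509
fi
if [ -n "$RSA_KEY" ]; then
  KEYING=automatic
  IKE_METHOD=RSA
fi

# Either network parameter requests tunnel mode; otherwise host (transport).
if [ -n "$SRCNET" ] || [ -n "$DSTNET" ]; then
  MODE=tunnel
else
  MODE=host
fi

if [ "$KEYING" = "manual" ]; then
  # Without a destination neither the route lookup nor the setkey
  # configuration below can be meaningful, so refuse early.
  if [ -z "$DST" ]; then
    printf 'ifup-ipsec: DST must be set for manual keying\n' >&2
    exit 1
  fi

  # Derive the source address from the route towards DST when it was not
  # configured (the original tested -n here and so never filled it in).
  if [ -z "$SRC" ]; then
    SRC=$(ip -o route get to "$DST" | sed 's|.*src \([^ ]*\).*|\1|')
  fi

  : "${AH_PROTO:=hmac-md5}"
  : "${ESP_PROTO:=3des-cbc}"

  if [ "$MODE" = "host" ]; then
    # Transport mode: flush any previous SAs/policies for this pair, then
    # install only the SAs and policy entries for which a key exists.
    /sbin/setkey -c << EOF
deleteall $SRC $DST ah;
deleteall $DST $SRC ah;
deleteall $SRC $DST esp;
deleteall $DST $SRC esp;
spddelete $SRC $DST any -P out;
spddelete $DST $SRC any -P in;
# ESP
${KEY_ESP_IN:+add $DST $SRC esp $SPI3 -E $ESP_PROTO $KEY_ESP_IN;}
${KEY_ESP_OUT:+add $SRC $DST esp $SPI4 -E $ESP_PROTO $KEY_ESP_OUT;}
# AH
${KEY_AH_IN:+add $DST $SRC ah $SPI1 -A $AH_PROTO $KEY_AH_IN;}
${KEY_AH_OUT:+add $SRC $DST ah $SPI2 -A $AH_PROTO $KEY_AH_OUT;}
spdadd $SRC $DST any -P out ipsec
${KEY_ESP_OUT:+esp/transport//require}
${KEY_AH_OUT:+ah/transport//require}
;
spdadd $DST $SRC any -P in ipsec
${KEY_ESP_IN:+esp/transport//require}
${KEY_AH_IN:+ah/transport//require}
;
EOF
  else
    # Tunnel mode: the side without an explicit network is the host itself
    # (the original tested -n here and clobbered a configured net instead).
    [ -z "$SRCNET" ] && SRCNET="$SRC/32"
    [ -z "$DSTNET" ] && DSTNET="$DST/32"
    # Tunnel endpoints are SRC/DST; the original used an undefined $DEST
    # in the policy lines, which produced an empty endpoint.
    /sbin/setkey -c << EOF
deleteall $SRC $DST ah;
deleteall $DST $SRC ah;
deleteall $SRC $DST esp;
deleteall $DST $SRC esp;
spddelete $SRCNET $DSTNET any -P out;
spddelete $DSTNET $SRCNET any -P in;
# ESP
${KEY_ESP_IN:+add $DST $SRC esp $SPI3 -m tunnel -E $ESP_PROTO $KEY_ESP_IN;}
${KEY_ESP_OUT:+add $SRC $DST esp $SPI4 -m tunnel -E $ESP_PROTO $KEY_ESP_OUT;}
# AH
${KEY_AH_IN:+add $DST $SRC ah $SPI1 -m tunnel -A $AH_PROTO $KEY_AH_IN;}
${KEY_AH_OUT:+add $SRC $DST ah $SPI2 -m tunnel -A $AH_PROTO $KEY_AH_OUT;}
spdadd $SRCNET $DSTNET any -P out ipsec
${KEY_ESP_OUT:+esp/tunnel/$SRC-$DST/require}
${KEY_AH_OUT:+ah/tunnel/$SRC-$DST/require}
;
spdadd $DSTNET $SRCNET any -P in ipsec
${KEY_ESP_IN:+esp/tunnel/$DST-$SRC/require}
${KEY_AH_IN:+ah/tunnel/$DST-$SRC/require}
;
EOF
  fi
fi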