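#!/usr/bin/perl -w
#
# _azure, 2000
#
# Helps configure ipsecadm startup scripts for a manually keyed,
# 2-network IPSEC bridge with blowfish encryption and ingress
# filtering.  This script is designed for OpenBSD 2.8.  Earlier
# versions or different operating systems may require tweaking.
#
# WARNING: This script does not filter for non-IP traffic.
# See brconfig(8) for information on filtering at bridge level.
#
######################################################################

use strict;
use warnings;

# Every value the user types is embedded unquoted in the generated
# shell scripts and used to build file paths, so each answer is checked
# against an anchored pattern before it is accepted.
my $RE_PATH  = qr{\A[\w./-]+\z};            # key directory location
my $RE_NAME  = qr{\A[\w.-]+\z};             # alias, IPv4 address or hostname
my $RE_IFACE = qr{\A[a-z]+\d+\z};           # e.g. xl0
my $RE_SPI   = qr{\A(?:0x[0-9a-fA-F]+|\d+)\z};

# Command that emits 20 random bytes as hex digits.  It is a fixed
# string: nothing supplied by the user is ever interpolated into it,
# and the destination file is written by Perl rather than the shell.
my $KEYGEN_CMD = q{openssl rand 20 | hexdump -e '20/1 "%02x"'};

# Print $label as a prompt, read one line from STDIN and return it
# without its trailing newline.  Re-asks until the answer matches $re;
# dies if standard input is exhausted.
sub prompt {
    my ($label, $re) = @_;
    while (1) {
        print "\n$label: ";
        my $answer = <STDIN>;
        die "\nUnexpected end of input.\n" unless defined $answer;
        chomp $answer;
        return $answer if $answer =~ $re;
        print "\nInvalid value, please try again.\n";
    }
}

# Create (or truncate) $path and write $content to it.  Dies on any
# I/O failure; close() is checked because buffered write errors only
# surface there.
sub write_file {
    my ($path, $content) = @_;
    open my $fh, '>', $path or die "open $path: $!\n";
    print {$fh} $content or die "write $path: $!\n";
    close $fh or die "close $path: $!\n";
    return;
}

# Run the key generator and store its hex output in $path.  Dies if the
# pipeline fails or does not produce hex digits (e.g. openssl missing,
# which would otherwise leave an empty key file behind).
sub generate_key {
    my ($path) = @_;
    my $hex = qx{$KEYGEN_CMD};
    die "key generation failed: exit status $?\n" if $? != 0;
    die "key generation produced no usable output\n"
        unless defined $hex && $hex =~ /\A[0-9a-fA-F]+\s*\z/;
    write_file($path, $hex);
    return;
}

# Return the br-ipsec script text for one gateway.  %arg keys:
#   local_if     private-side interface on this gateway (added to bridge0)
#   local_addr   internet address of this gateway
#   local_spi    SPI of the SA carrying this gateway's outbound traffic
#   remote_addr  internet address of the other gateway
#   remote_spi   SPI of the SA carrying the other gateway's outbound traffic
#   key, authkey paths of the shared ESP key files (same path on both ends)
# Both gateways install the same pair of SAs; only the bridge member,
# the flow direction and the dstsa/srcsa binding differ.
sub bridge_script {
    my %arg = @_;
    my @cmd = (
        # add interfaces to the bridge
        "brconfig bridge0 add enc1 add $arg{local_if}",
        # block IP multicasts
        "brconfig bridge0 link1",
        # setup SAs
        "ipsecadm new esp -spi $arg{local_spi} -dst $arg{remote_addr} -src $arg{local_addr} -enc blf -auth sha1 -keyfile $arg{key} -authkeyfile $arg{authkey}",
        "ipsecadm new esp -spi $arg{remote_spi} -dst $arg{local_addr} -src $arg{remote_addr} -enc blf -auth sha1 -keyfile $arg{key} -authkeyfile $arg{authkey}",
        # setup flow
        "ipsecadm flow -dst $arg{remote_addr} -in -transport etherip -require -addr $arg{local_addr} 255.255.255.255 $arg{remote_addr} 255.255.255.255",
        # associate ENC with SAs
        "ifconfig enc1 dstsa $arg{remote_addr}/$arg{local_spi}/esp",
        "ifconfig enc1 srcsa $arg{local_addr}/$arg{remote_spi}/esp",
        # bring up interfaces and bridge
        "ifconfig enc1 up",
        "brconfig bridge0 up",
    );
    # one blank line between commands, as the original scripts had
    return join '', map { "\n$_\n" } @cmd;
}

# The key directory holds secret material: make everything we create
# readable by the owner only.
umask 077;

# print intro stuff
print " \n";
print "\n############################################################################\n";
print "\nThis program will construct a set of scripts to initialize an IPSEC";
print "\nbridge between two remote network interfaces. Blowfish will be used";
print "\nby default for encryption.\n";
print "\nYou will be asked to define:\n\n- one alias name \n- one internet address \n- one private interface\n- one SPI\n";
print "\nfor each gateway.\n";
print " \n";

# take the user data we will use to setup the vpn
print " \n";
my $rootdir   = prompt("Enter the location where you will store your key directories", $RE_PATH);
my $aliasa    = prompt("Enter an alias name for Gateway A", $RE_NAME);
my $interneta = prompt("Enter the internet address for Gateway A", $RE_NAME);
my $inta      = prompt("Enter the interface name for the private side of Gateway A (i.e., xl0)", $RE_IFACE);
my $spia      = prompt("Enter a SPI for Gateway A (i.e., 4242)", $RE_SPI);
my $aliasb    = prompt("Enter an alias name for Gateway B", $RE_NAME);
my $internetb = prompt("Enter the internet address for Gateway B", $RE_NAME);
my $intb      = prompt("Enter the interface name for the private side of Gateway B (i.e., xl0)", $RE_IFACE);
my $spib      = prompt("Enter a SPI for Gateway B (i.e., 4243)", $RE_SPI);
print " \n";

# set some more variables
my $vpn     = "$rootdir/keys.$aliasa-$aliasb";
my $key     = "$vpn/ipsec.key";
my $authkey = "$vpn/ipsec.authkey";

# let's go -- refuse to reuse an existing directory so keys that may
# already be deployed are never silently overwritten
mkdir $vpn, 0700 or die "mkdir $vpn: $!\n";

# do the actual work
# generate keys for the vpn
generate_key($key);
generate_key($authkey);

# write the br-ipsec script for Gateway A
write_file(
    "$vpn/br-ipsec.a",
    bridge_script(
        local_if    => $inta,
        local_addr  => $interneta,
        local_spi   => $spia,
        remote_addr => $internetb,
        remote_spi  => $spib,
        key         => $key,
        authkey     => $authkey,
    ),
);

# write the br-ipsec script for Gateway B
write_file(
    "$vpn/br-ipsec.b",
    bridge_script(
        local_if    => $intb,
        local_addr  => $internetb,
        local_spi   => $spib,
        remote_addr => $interneta,
        remote_spi  => $spia,
        key         => $key,
        authkey     => $authkey,
    ),
);

# be polite
print "\n##########################################################################\n";
print "\n_Finished_.";
print "\nDon't forget to set your sysctl and firewall rules.\n";
print "\n\n##########################################################################\n";
print "\n\nCopy the contents of $vpn to $vpn on \nGateway A and execute $vpn/br-ipsec.a.";
print "\n\nCopy the contents of $vpn to $vpn on \nGateway B and execute $vpn/br-ipsec.b.\n";
print "\n\nYou should now be able to pass traffic between the two private networks.\n\n\n";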