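#!/usr/bin/perl -w
#
# _azure, 2000
#
# Helps configure ipsecadm startup scripts for a manually keyed,
# 2-network vpn with blowfish encryption and ingress filtering.
# This script is designed for OpenBSD 2.8. Earlier versions or
# different operating systems may require tweaking.
#
# Reviewed revision:
#   - every answer is validated and re-assigned from a regex capture
#     before it becomes part of a path, a file name or a generated
#     script (the go-ipsec files are run by /bin/sh on the gateways, so
#     an unquoted path containing shell metacharacters would break or
#     alter them);
#   - no shell is used here at all: the key directory comes from the
#     mkdir builtin, the key material from a list-form pipe open of
#     openssl(1) (needs perl 5.8+), and every file is created O_EXCL
#     under umask 077 because it holds, or names, the SA secrets;
#   - both go-ipsec scripts are rendered from one template, so the two
#     flow sets mirror each other exactly (the hand-written original had
#     "-src $privateb" on two of gateway B's inbound flows while every
#     other flow used the gateway's internet address -- confirm against
#     ipsecadm(8) if that was intentional).
######################################################################

use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);

# Netmasks used by the recipe: the gateway addresses are single hosts,
# the private networks behind them are /24s.
use constant HOST_MASK => '255.255.255.255';
use constant NET_MASK  => '255.255.255.0';
use constant KEY_BYTES => 20;      # "openssl rand 20", as in the original

# print intro stuff
sub _intro {
    print " \n";
    print "\n############################################################################\n";
    print "\nThis program will help you configure an ipsec/esp vpn between";
    print "\ntwo gateways. Blowfish will be used by default for encryption.\n";
    print "\nYou will be asked to define:\n\n- one alias name \n- one private address \n- one internet address\n";
    print "\nfor each gateway.\n";
    print " \n";
    return;
}

# Print $prompt and return the next line of STDIN, chomped.  Dies on EOF
# so a truncated session cannot continue with undefined values.
sub _ask {
    my ($prompt) = @_;
    print "\n$prompt";
    my $answer = <STDIN>;
    die "\nunexpected end of input\n" unless defined $answer;
    chomp $answer;
    return $answer;
}

# Keep asking until the answer matches $re (anchored by the caller);
# return its first capture group, i.e. a fresh copy of exactly what was
# validated (this also untaints it under -T).  $what names the expected
# value in the retry message.
sub _ask_valid {
    my ($prompt, $re, $what) = @_;
    while (1) {
        my $answer = _ask($prompt);
        return $1 if $answer =~ $re;
        print "\n'$answer' is not a valid $what, try again.\n";
    }
}

# Like _ask_valid, for a dotted-quad IPv4 address with octets 0..255.
sub _ask_ipv4 {
    my ($prompt) = @_;
    while (1) {
        my $answer = _ask($prompt);
        if ($answer =~ /\A((?:\d{1,3}\.){3}\d{1,3})\z/) {
            my $addr = $1;
            return $addr unless grep { $_ > 255 } split /\./, $addr;
        }
        print "\n'$answer' is not a dotted-quad IPv4 address, try again.\n";
    }
}

# take the user data we will use to setup the vpn
#
# Returns a hash: rootdir, aliasa, interneta, privatea, spia, aliasb,
# internetb, privateb, spib -- the same nine values the original read.
sub _read_config {
    # The root directory and the two aliases end up in file names that
    # are written unquoted into the generated sh scripts, so only plain
    # path characters are accepted and the root must be absolute (the
    # closing instructions tell the user to recreate that exact path on
    # both gateways).  SPIs go straight onto the ipsecadm(8) command
    # line; decimal or 0x-hex is accepted here, the tool's own parsing
    # is authoritative.
    my $re_path = qr{\A(/[\w./-]*)\z};
    my $re_name = qr/\A([\w.-]+)\z/;
    my $re_spi  = qr/\A(\d+|0x[0-9A-Fa-f]+)\z/;

    print " \n";
    my %cfg;
    $cfg{rootdir}   = _ask_valid("Enter the location where you will store your key directories: ",
                                 $re_path, 'absolute path (letters, digits, . _ - / only)');
    $cfg{aliasa}    = _ask_valid("Enter an alias name for Gateway A: ",
                                 $re_name, 'alias (letters, digits, . _ - only)');
    $cfg{interneta} = _ask_ipv4("Enter the internet address for Gateway A: ");
    $cfg{privatea}  = _ask_ipv4("Enter the private network for Gateway A (i.e., 192.168.0.0): ");
    $cfg{spia}      = _ask_valid("Enter a SPI for Gateway A (i.e., 1000): ", $re_spi, 'SPI');
    $cfg{aliasb}    = _ask_valid("Enter an alias name for Gateway B: ",
                                 $re_name, 'alias (letters, digits, . _ - only)');
    $cfg{internetb} = _ask_ipv4("Enter the internet address for Gateway B: ");
    $cfg{privateb}  = _ask_ipv4("Enter the private network for Gateway B (i.e., 192.168.1.0): ");
    $cfg{spib}      = _ask_valid("Enter a SPI for Gateway B (i.e., 1001): ", $re_spi, 'SPI');
    print " \n";
    return %cfg;
}

# KEY_BYTES random bytes from openssl(1), returned as 2*KEY_BYTES hex
# digits with no trailing newline -- the same layout the original got
# from "openssl rand 20 | hexdump -e '20/1 \"%02x\"'".
sub _random_hex {
    my $want = KEY_BYTES;
    # List-form pipe open: no shell, nothing interpolated.
    open my $rnd, '-|', 'openssl', 'rand', $want
        or die "cannot run openssl rand: $!\n";
    binmode $rnd;
    my $raw = do { local $/; <$rnd> };
    $raw = '' unless defined $raw;
    close $rnd or die "openssl rand failed (exit status $?)\n";
    # A failed exec in the child only shows up as short output.
    die "openssl rand returned " . length($raw) . " bytes, expected $want\n"
        if length($raw) != $want;
    return unpack 'H*', $raw;
}

# Create $path with permission $mode holding $contents.  O_EXCL: if the
# path already exists (say, an earlier run for the same alias pair) die
# rather than overwrite keys that may already be deployed on a gateway.
sub _write_new_file {
    my ($path, $contents, $mode) = @_;
    sysopen my $fh, $path, O_WRONLY | O_CREAT | O_EXCL, $mode
        or die "cannot create $path: $!\n";
    print {$fh} $contents or die "write $path: $!\n";
    close $fh or die "close $path: $!\n";
    return;
}

# One "ipsecadm flow" line; $dir is '-out' or '-in'.
sub _flow {
    my ($local_inet, $remote_inet, $dir, $from, $from_mask, $to, $to_mask) = @_;
    return "ipsecadm flow -dst $remote_inet -proto esp -addr $from $from_mask $to $to_mask -require $dir -src $local_inet";
}

# Text of one gateway's go-ipsec script.  %p holds local_inet,
# local_priv, remote_inet, remote_priv (this gateway's and the peer's
# addresses) and sa, an array ref of the "ipsecadm new esp" lines,
# which are identical on both ends.  The flows are the four outbound
# host/net combinations local->remote and their four inbound mirrors.
sub _go_ipsec_script {
    my (%p) = @_;
    my @pairs = (
        [ $p{local_inet}, HOST_MASK, $p{remote_inet}, HOST_MASK ],
        [ $p{local_priv}, NET_MASK,  $p{remote_priv}, NET_MASK  ],
        [ $p{local_inet}, HOST_MASK, $p{remote_priv}, NET_MASK  ],
        [ $p{local_priv}, NET_MASK,  $p{remote_inet}, HOST_MASK ],
    );
    my @ends  = @p{qw(local_inet remote_inet)};
    my @lines = @{ $p{sa} };
    push @lines, map { _flow(@ends, '-out', @{$_}) } @pairs;
    push @lines, map { _flow(@ends, '-in', @{$_}[2, 3, 0, 1]) } @pairs;
    # A shebang is added so "execute $vpn/go-ipsec.x" works as instructed;
    # the blank line between commands matches the original output.
    return join '', "#!/bin/sh\n", map { "\n$_\n" } @lines;
}

# be polite
sub _outro {
    my ($vpn) = @_;
    print "\n##########################################################################\n";
    print "\n_Finished_.";
    print "\nDon't forget to set your sysctl and firewall rules.\n";
    print "\n\n##########################################################################\n";
    print "\n\nCopy the contents of $vpn to $vpn on \nGateway A and execute $vpn/go-ipsec.a.";
    print "\n\nCopy the contents of $vpn to $vpn on \nGateway B and execute $vpn/go-ipsec.b.\n";
    print "\n\nYou should now be able to pass traffic between the two private networks.\n\n\n";
    return;
}

# Entry point: ask, make the key directory, generate the two keys,
# write both go-ipsec scripts, print the closing instructions.
# Returns the process exit status (0); any failure dies.
sub main {
    _intro();
    my %c = _read_config();

    # set some more variables
    my $vpn     = "$c{rootdir}/keys.$c{aliasa}-$c{aliasb}";
    my $key     = "$vpn/ipsec.key";
    my $authkey = "$vpn/ipsec.authkey";

    # Everything created below is secret material, or names it:
    # owner-only.  The key files are what authenticates the peers, so
    # they have to reach the other gateway over a trusted channel.
    umask 077;
    mkdir $vpn, 0700 or die "cannot create $vpn: $!\n";

    # generate keys for the vpn
    _write_new_file($key,     _random_hex(), 0600);
    _write_new_file($authkey, _random_hex(), 0600);

    # The two SAs are installed identically on both gateways; only the
    # flows differ between the scripts.  Blowfish/SHA1 as in the recipe.
    my @sa = (
        "ipsecadm new esp -src $c{internetb} -dst $c{interneta} -forcetunnel -spi $c{spia} -enc blf -auth sha1 -keyfile $key -authkeyfile $authkey",
        "ipsecadm new esp -src $c{interneta} -dst $c{internetb} -forcetunnel -spi $c{spib} -enc blf -auth sha1 -keyfile $key -authkeyfile $authkey",
    );

    # write the go-ipsec script for Gateway A
    _write_new_file(
        "$vpn/go-ipsec.a",
        _go_ipsec_script(
            local_inet  => $c{interneta}, local_priv  => $c{privatea},
            remote_inet => $c{internetb}, remote_priv => $c{privateb},
            sa          => \@sa,
        ),
        0700,
    );

    # write the go-ipsec script for Gateway B: same template, roles swapped
    _write_new_file(
        "$vpn/go-ipsec.b",
        _go_ipsec_script(
            local_inet  => $c{internetb}, local_priv  => $c{privateb},
            remote_inet => $c{interneta}, remote_priv => $c{privatea},
            sa          => \@sa,
        ),
        0700,
    );

    _outro($vpn);
    return 0;
}

exit main() unless caller;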