Date: Mon, 18 Aug 2003 17:09:54 +0200 (CEST)
From: Christian Kratzer <ck@cksoft.de>
To: The Anarcat <anarcat@anarcat.ath.cx>
Cc: security@freebsd.org
Subject: Re: dynamic IPSEC: Holy grail sighted
Message-ID: <20030818164456.O9493@majakka.cksoft.de>
In-Reply-To: <20030818140805.GB518@inso.ath.cx>
References: <200308110011.58180.kent.hauser@verizon.net> <200308152329.17393.kent.hauser@verizon.net> <20030818140805.GB518@inso.ath.cx>
Hi,

On Mon, 18 Aug 2003, The Anarcat wrote:
> I don't think some of the attachments you intended to send (racoon.conf?
> perl script?) got through the list.
>
> I would be very interested to read those, if you don't mind sharing
> them...

We run the following scripts:

1. run lookup-peers.sh from cron every 3 minutes to resolve the peers
   listed in /usr/local/etc/peers.in

2. diff the results against the results of the previous run and run
   update-ipsec.sh if they changed, to generate a new ipsec.conf from
   ipsec.conf.m4 using the m4 macro processor (yes, we use m4 for just
   about everything ;-) )

3. update-ipsec.sh installs the new policy but purposely keeps the
   already handshaked associations in place so as not to hang
   connections unnecessarily

You also need something else to update your dyndns setup. This is left
as an exercise to the reader.

The following scripts are freshly pasted out of our live setup and
somewhat obfuscated, so there might still be something missing.
Especially the ipsec.conf.m4 will need adapting to your setup and to
the specific host in question.

Greetings
Christian

--- peers.in ---
peera  peera.yourfavourite-dyndns-provider.com
peerb  peerb.yourfavourite-dyndns-provider.com
peerc  peerc.yourfavourite-dyndns-provider.com
--- peers.in ---

--- lookup-peers.sh ----
#!/bin/sh
# Resolve the dyndns names listed in peers.in and write them out as m4
# defines.  If the result differs from the previous run, regenerate and
# load the IPsec policy.

SRC=/usr/local/etc/peers.in
DST=/tmp/peers.m4
TMP=/tmp/peers.tmp
DYNINT=tun0

AWK=/usr/bin/awk
IFCONFIG=/sbin/ifconfig
HOST=/usr/local/bin/host

if [ -f $TMP ]; then
	rm $TMP
fi

# our own (dynamic) address on the uplink interface
MYIP=`$IFCONFIG $DYNINT | $AWK '/inet /{ print $2 }'`
if [ -z "$MYIP" ]; then
	# no address on the interface yet; an empty MYIP would yield an
	# unusable policy, so do nothing this round
	exit 1
fi
echo "define(\`MYIP',\`$MYIP')dnl" >> $TMP

# one define per peer; only the first address is used.  A name that does
# not resolve within 3 seconds gets no define and is left undefined in
# the generated ipsec.conf.
while read name host; do
	addr=`$HOST -W 3 $host | $AWK '/address/{ print $4; exit }'`
	if [ -n "$addr" ]; then
		echo "define(\`$name',\`$addr')dnl" >> $TMP
	fi
done < $SRC

if [ ! -f $DST ]; then
	touch $DST
fi

diff $DST $TMP 2> /dev/null > /dev/null
if [ $? -ne 0 ]; then
	# ip addresses of peers changed
	mv $TMP $DST
	# trigger actions here
	/usr/local/libexec/update-ipsec.sh
fi
--- lookup-peers.sh ----

--- update-ipsec.sh ---
#!/bin/sh
# Expand the policy template with the peer defines written by
# lookup-peers.sh (passed to m4 first so the macros are known when the
# template is read) and load the result.  The generated file begins with
# spdflush, which only clears the policy database; the SAs that have
# already been negotiated stay in place.
/usr/bin/m4 /tmp/peers.m4 /etc/ipsec.conf.m4 > /etc/ipsec.conf
/usr/sbin/setkey -f /etc/ipsec.conf
--- update-ipsec.sh ---

--- ipsec.conf.m4 --- (on host1, i.e. peera)
dnl MYIP, peerb and peerc are defined in /tmp/peers.m4 by lookup-peers.sh;
dnl the macro names must match the first column of peers.in.
define(`SRCNET1',`192.168.1.0/24')dnl
define(`DSTNET2',`192.168.2.0/24')dnl
define(`DSTNET3',`192.168.3.0/24')dnl
# flush policy (SPD only; no "flush;" here, so existing SAs survive)
spdflush;

# vpn tunnel from peera to peerb
spdadd SRCNET1 DSTNET2 any -P out ipsec esp/tunnel/MYIP-peerb/require ;
spdadd DSTNET2 SRCNET1 any -P in  ipsec esp/tunnel/peerb-MYIP/require ;

# vpn tunnel from peera to peerc
spdadd SRCNET1 DSTNET3 any -P out ipsec esp/tunnel/MYIP-peerc/require ;
spdadd DSTNET3 SRCNET1 any -P in  ipsec esp/tunnel/peerc-MYIP/require ;
--- ipsec.conf.m4 ---

Greetings
Christian
-- 
CK Software GmbH                    Christian Kratzer, Schwarzwaldstr. 31, 71131 Jettingen
Email: ck@cksoft.de                 Phone: +49 7452 889-135
Open Software Solutions, Network Security     Fax: +49 7452 889-136
FreeBSD spoken here!
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030818164456.O9493>
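An added example, not part of Christian's scripts or of any FreeBSD tool: a POSIX sh/awk policy renderer that fails closed. With the scripts above, a peer whose lookup times out is simply left out of peers.m4, so the template expands to the literal macro name; setkey rejects that line, and because spdflush comes first in the file, the old policy may already be gone by the time the error is hit, leaving the SPD empty. An empty SPD means traffic that should have been tunnelled goes out in the clear, whereas a policy at level require would have dropped it while no SA exists. The renderer below refuses to produce any output when a placeholder is unresolved and replaces the installed file atomically only on success. It uses its own @name@ placeholder scheme rather than m4 so it runs with nothing but sh and awk; the function names, the "name address" peer table and the addresses (RFC 5737 ranges) are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original message.  Render a setkey policy
# from a peer address table, but only if every peer resolved, so a DNS
# hiccup can never install a file with an unexpanded peer name.
# Placeholder scheme is @name@ (this example's own, not m4).
# Addresses are constructed sample data from the RFC 5737 ranges.

# Sample result of a successful lookup run: "name address" per line.
PEERS_OK='MYIP 198.51.100.1
peerb 203.0.113.2
peerc 203.0.113.3'

# Same run, but peerc failed to resolve and was skipped.
PEERS_MISSING='MYIP 198.51.100.1
peerb 203.0.113.2'

# Policy template; each @name@ is replaced by that peer's address.
TEMPLATE='spdflush;
spdadd 192.168.1.0/24 192.168.2.0/24 any -P out ipsec esp/tunnel/@MYIP@-@peerb@/require;
spdadd 192.168.2.0/24 192.168.1.0/24 any -P in ipsec esp/tunnel/@peerb@-@MYIP@/require;
spdadd 192.168.1.0/24 192.168.3.0/24 any -P out ipsec esp/tunnel/@MYIP@-@peerc@/require;
spdadd 192.168.3.0/24 192.168.1.0/24 any -P in ipsec esp/tunnel/@peerc@-@MYIP@/require;'

# render_policy PEERS TEMPLATE
# Prints the expanded policy on stdout.  If any placeholder has no
# address, prints nothing on stdout, names the peer on stderr, returns 1.
render_policy() {
    printf '%s\n' "$2" | awk -v peers="$1" '
    BEGIN {
        n = split(peers, lines, "\n")
        for (i = 1; i <= n; i++)
            if (split(lines[i], f, " ") == 2) addr[f[1]] = f[2]
    }
    {
        line = $0
        while (match(line, /@[A-Za-z0-9_]+@/)) {
            name = substr(line, RSTART + 1, RLENGTH - 2)
            if (!(name in addr)) { missing = name; exit }
            line = substr(line, 1, RSTART - 1) addr[name] substr(line, RSTART + RLENGTH)
        }
        out = out line "\n"
    }
    END {
        if (missing != "") {
            printf "unresolved peer: %s\n", missing > "/dev/stderr"
            exit 1
        }
        printf "%s", out
    }'
}

# install_policy PEERS TEMPLATE DEST
# Renders into a temporary file next to DEST and renames it into place,
# so DEST is always either the old or the complete new policy.  Returns 1
# and leaves DEST untouched when rendering fails.
install_policy() {
    tmp="$3.tmp.$$"
    if render_policy "$1" "$2" > "$tmp"; then
        mv "$tmp" "$3"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Demonstration with the constructed data: the first call renders, the
# second is refused and reports the missing peer on stderr.
render_policy "$PEERS_OK" "$TEMPLATE" > /dev/null && echo "complete peer table: policy rendered"
render_policy "$PEERS_MISSING" "$TEMPLATE" > /dev/null || echo "incomplete peer table: nothing installed"
```

In a cron job the loader would be chained behind the install so it runs only on success, e.g. `install_policy "$(cat /tmp/peers.txt)" "$(cat /etc/ipsec.conf.tmpl)" /etc/ipsec.conf && /usr/sbin/setkey -f /etc/ipsec.conf` (paths hypothetical). A peer that stays unresolved then leaves the previously loaded policy in force, where its require entries keep dropping, rather than forwarding, the traffic for the unreachable site.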