Date:      Mon, 18 Aug 2003 17:09:54 +0200 (CEST)
From:      Christian Kratzer <ck@cksoft.de>
To:        The Anarcat <anarcat@anarcat.ath.cx>
Cc:        security@freebsd.org
Subject:   Re: dynamic IPSEC: Holy grail sighted
Message-ID:  <20030818164456.O9493@majakka.cksoft.de>
In-Reply-To: <20030818140805.GB518@inso.ath.cx>
References:  <200308110011.58180.kent.hauser@verizon.net> <200308152329.17393.kent.hauser@verizon.net> <20030818140805.GB518@inso.ath.cx>

Hi,

On Mon, 18 Aug 2003, The Anarcat wrote:
> I don't some of the attachments you intended to send (raccoon.conf?
> perl script?) didn't get through the list.
>
> I would be very interested to read those, if you don't mind sharing
> them...

We run the following scripts:

1. run lookup-peers.sh from cron every 3 minutes to resolve the peers
   listed in /usr/local/etc/peers.in

2. diff the results against the results of the previous run and run update-ipsec.sh
   if changed to generate a new ipsec.conf from ipsec.conf.m4 using the m4 macro
   processor (yes, we use m4 for just about everything ;-) )

3. update-ipsec.sh installs the new policy but purposely keeps the
   already handshaked associations in place so as not to hang connections
   unnecessarily

You also need something else to update your dyndns setup.
This is left as an exercise to the reader.

The following scripts are freshly pasted out of our live setup and
somewhat obfuscated so there might still be something missing.

Especially the ipsec.conf.m4 will need adapting to your setup and to
the specific host in question.

Greetings
Christian

--- peers.in ---
peera	peera.yourfavourite-dyndns-provider.com
peerb	peerb.yourfavourite-dyndns-provider.com
peerc	peerc.yourfavourite-dyndns-provider.com
--- peers.in ---

--- lookup-peers.sh ----
#!/bin/sh
# run from cron every few minutes: resolve the dyndns names listed in
# peers.in, write them out as m4 definitions and regenerate the policy
# only when an address actually changed

SRC=/usr/local/etc/peers.in
DST=/tmp/peers.m4
TMP=/tmp/peers.tmp
DYNINT=tun0
AWK=/usr/bin/awk
IFCONFIG=/sbin/ifconfig
HOST=/usr/local/bin/host

if [ -f $TMP ]; then
        rm $TMP
fi

# our own (dynamic) address on the outside interface
MYIP=`$IFCONFIG $DYNINT | $AWK '/inet /{ print $2 }'`
echo "define(\`MYIP',\`$MYIP')dnl" >> $TMP

# one "name hostname" pair per line; -W 3 bounds each lookup to 3 seconds
while read name host; do
        addr=`$HOST -W 3 $host | $AWK '/address/{ print $4 }'`
        if [ -n "$addr" ]; then
                echo "define(\`$name',\`$addr')dnl" >> $TMP
        fi
        # note: a failed lookup leaves the peer undefined, so its macro
        # stays unexpanded in ipsec.conf and setkey rejects the file
done < $SRC

if [ ! -f $DST ]; then
        touch $DST
fi

diff $DST $TMP 2> /dev/null > /dev/null
if [ $? -ne 0 ]; then
        # ip addresses of peers changed
        mv $TMP $DST

        # trigger actions here
        /usr/local/libexec/update-ipsec.sh
fi
--- lookup-peers.sh ----

--- update-ipsec.sh ---
#!/bin/sh
# peers.m4 (written by lookup-peers.sh) must precede the template so its
# define()s are in effect; the one-liner as posted omitted it
/usr/bin/m4 /tmp/peers.m4 /etc/ipsec.conf.m4 > /etc/ipsec.conf
# spdflush only replaces the policy; negotiated SAs are left alone
/usr/sbin/setkey -f /etc/ipsec.conf
--- update-ipsec.sh ---

--- ipsec.conf.m4 --- (on host1)
dnl the peer macros (peerb, peerc) and MYIP come from /tmp/peers.m4 and
dnl must match the first column of peers.in
define(`SRCNET1',`192.168.1.0/24')dnl
define(`DSTNET2',`192.168.2.0/24')dnl
define(`DSTNET3',`192.168.3.0/24')dnl

# flush policy (SPD only; the SAD is untouched)
spdflush;

# vpn tunnel from this host to peerb

spdadd  SRCNET1 DSTNET2 any
        -P out ipsec esp/tunnel/MYIP-peerb/require ;

spdadd  DSTNET2 SRCNET1 any
        -P in ipsec esp/tunnel/peerb-MYIP/require ;

# vpn tunnel from this host to peerc

spdadd  SRCNET1 DSTNET3 any
        -P out ipsec esp/tunnel/MYIP-peerc/require ;

spdadd  DSTNET3 SRCNET1 any
        -P in ipsec esp/tunnel/peerc-MYIP/require ;

--- ipsec.conf.m4 ---

Greetings
Christian

--
CK Software GmbH
Christian Kratzer,         Schwarzwaldstr. 31, 71131 Jettingen
Email: ck@cksoft.de
Phone: +49 7452 889-135    Open Software Solutions, Network Security
Fax:   +49 7452 889-136    FreeBSD spoken here!
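Added example, not part of the message above and not the author's scripts: a Python model of the same lookup / diff / regenerate cycle that handles the failure mode the shell version leaves open. A peer whose dyndns lookup fails keeps its last known address instead of silently losing its m4 definition, and a policy that would still reference an undefined peer is refused rather than handed to setkey. Everything in it is constructed: the peer names, host names, addresses, the injectable resolver standing in for host(1), and my_ip passed in where the script reads ifconfig.

```python
"""Model of the lookup-peers.sh / update-ipsec.sh cycle with fail-closed handling.

Added example, not the scripts from the mail.  The resolver is injected so the
code runs offline; peer names, host names and addresses are constructed.
"""
import ipaddress
import re

# Constructed stand-in for /usr/local/etc/peers.in: "<macro name> <dyndns host>" per line.
PEERS_IN = """\
peerb   peerb.dyndns.example
peerc   peerc.dyndns.example
"""

# Constructed stand-in for ipsec.conf.m4 with the networks already expanded; the
# tunnel endpoints are macro names that must be replaced with addresses.
POLICY_TEMPLATE = """\
spdflush;
spdadd 192.168.1.0/24 192.168.2.0/24 any -P out ipsec esp/tunnel/MYIP-peerb/require;
spdadd 192.168.2.0/24 192.168.1.0/24 any -P in  ipsec esp/tunnel/peerb-MYIP/require;
spdadd 192.168.1.0/24 192.168.3.0/24 any -P out ipsec esp/tunnel/MYIP-peerc/require;
spdadd 192.168.3.0/24 192.168.1.0/24 any -P in  ipsec esp/tunnel/peerc-MYIP/require;
"""

# Matches the "/tunnel/<src>-<dst>/" part of an esp/tunnel spec when both ends are names.
_TUNNEL = re.compile(r"/tunnel/([A-Za-z_][A-Za-z0-9_]*)-([A-Za-z_][A-Za-z0-9_]*)/")


def parse_peers(text):
    """peers.in -> {macro name: hostname}; blank lines and '#' comments are skipped."""
    peers = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, host = line.split()  # exactly two fields, like 'read name host'
            peers[name] = host
    return peers


def resolve_peers(peers, resolver, previous):
    """Return (defs, stale).  defs maps macro name -> IPv4 address string.

    resolver(host) returns an address string or raises OSError.  A failed or
    non-address answer does not drop the macro (the shell script does, leaving
    e.g. 'peerb' unexpanded in ipsec.conf); the last known address from the
    previous run is kept and the name is listed in stale for monitoring.
    """
    defs, stale = {}, []
    for name, host in peers.items():
        try:
            addr = str(ipaddress.IPv4Address(resolver(host)))
        except (OSError, ValueError):
            addr = previous.get(name)
            stale.append(name)
        if addr is not None:
            defs[name] = addr
    return defs, stale


def m4_defines(defs):
    """Render defs the way lookup-peers.sh writes /tmp/peers.m4."""
    return "".join("define(`%s',`%s')dnl\n" % kv for kv in sorted(defs.items()))


def render_policy(template, defs):
    """Expand tunnel endpoints; refuse to produce a policy with an undefined peer."""
    missing = set()

    def expand(match):
        ends = []
        for name in match.groups():
            if name not in defs:
                missing.add(name)
            ends.append(defs.get(name, name))
        return "/tunnel/%s-%s/" % tuple(ends)

    policy = _TUNNEL.sub(expand, template)
    if missing:
        raise ValueError("undefined peer macro(s): " + ", ".join(sorted(missing)))
    return policy


def run_cycle(peers_text, template, resolver, previous_defs, my_ip):
    """One cron tick.  Returns (defs, stale, policy); policy is None when nothing
    changed since the previous run, mirroring the diff check in lookup-peers.sh.
    my_ip stands in for the ifconfig lookup of the dynamic interface."""
    defs, stale = resolve_peers(parse_peers(peers_text), resolver, previous_defs)
    defs["MYIP"] = my_ip
    if defs == previous_defs:
        return defs, stale, None
    return defs, stale, render_policy(template, defs)


if __name__ == "__main__":
    table = {"peerb.dyndns.example": "203.0.113.20", "peerc.dyndns.example": "203.0.113.30"}

    def resolver(host):  # constructed resolver standing in for host(1)
        if host not in table:
            raise OSError("lookup failed for " + host)
        return table[host]

    defs, stale, policy = run_cycle(PEERS_IN, POLICY_TEMPLATE, resolver, {}, "198.51.100.1")
    print(m4_defines(defs) + policy)
    del table["peerc.dyndns.example"]  # peerc's dyndns record disappears
    defs, stale, policy = run_cycle(PEERS_IN, POLICY_TEMPLATE, resolver, defs, "198.51.100.1")
    print("stale: %s, reload needed: %s" % (stale, policy is not None))
```

The stale list is the piece worth wiring into monitoring: a peer that stays stale for more than a few cycles means its dyndns record is gone or the resolver is being interfered with, and the tunnel is being held up only by a remembered address.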