| #!/bin/sh |
| |
| ################################################################################ |
| ## ## |
| ## Copyright (c) International Business Machines Corp., 2005 ## |
| ## ## |
| ## This program is free software; you can redistribute it and#or modify ## |
| ## it under the terms of the GNU General Public License as published by ## |
| ## the Free Software Foundation; either version 2 of the License, or ## |
| ## (at your option) any later version. ## |
| ## ## |
| ## This program is distributed in the hope that it will be useful, but ## |
| ## WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY ## |
| ## or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ## |
| ## for more details. ## |
| ## ## |
| ## You should have received a copy of the GNU General Public License ## |
| ## along with this program; if not, write to the Free Software ## |
| ## Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA ## |
| ## ## |
| ## ## |
| ################################################################################ |
| # |
| # File: |
| # output_ipsec_conf |
| # |
| # Description: |
| # Output IPsec configuration |
| # |
| # Author: |
| # Mitsuru Chinen <mitch@jp.ibm.com> |
| # |
| # Exit Value: |
| # 0: Exit normally |
| # >0: Exit abnormally |
| # |
| # History: |
| # Oct 19 2005 - Created (Mitsuru Chinen) |
| # |
| #----------------------------------------------------------------------- |
| #Uncomment line below for debug output. |
| $trace_logic |
| |
| # Encryption algorithm |
| EALGO="3des-cbc" |
| EALGO_KEY="_I_want_to_have_chicken_" |
| |
| # Authentication algorithm |
| AALGO="hmac-sha1" |
| AALGO_KEY="beef_fish_pork_salad" |
| |
| # Compression algorithm |
| CALGO="deflate" |
| |
| |
| #----------------------------------------------------------------------- |
| # |
| # Function: usage |
| # |
| # Description: |
| # Print the usage of this script, then exit |
| # |
| #----------------------------------------------------------------------- |
| usage(){ |
| cat << EOD >&2 |
| output_ipsec_conf flush |
| Flush the SAD and SPD entries. |
| |
| output_ipsec_conf target protocol mode first_spi src_addr dst_addr |
| target: target of the configuration file ( src / dst ) |
| protocol: ah / esp / ipcomp |
| mode: transport / tunnel |
| first_spi: the first spi value |
| src_addr: source IP address |
| dst_addr: destination IP address |
| EOD |
| |
| exit 1 |
| } |
| |
| |
| |
| #----------------------------------------------------------------------- |
| # |
| # Main |
| # |
| # |
| |
| # When argument is `flush', flush the SAD and SPD |
| if [ x$1 = x"flush" ]; then |
| echo "spdflush ;" |
| echo "flush ;" |
| exit 0 |
| fi |
| |
| # source/destination IP addresses |
| if [ $# -ne 6 ]; then |
| usage |
| fi |
| target=$1 |
| protocol=$2 |
| mode=$3 |
| first_spi=$4 |
| src_ipaddr=$5 |
| dst_ipaddr=$6 |
| |
| # Algorithm options for each protocol |
| case $protocol in |
| ah) |
| algo_line="-A $AALGO \"$AALGO_KEY\"" |
| ;; |
| esp) |
| algo_line="-E $EALGO \"$EALGO_KEY\" -A $AALGO \"$AALGO_KEY\"" |
| ;; |
| ipcomp) |
| algo_line="-C $CALGO" |
| ;; |
| *) |
| usage |
| ;; |
| esac |
| |
| # Write lines for adding an SAD entry |
| cat << EOD |
| add $src_ipaddr $dst_ipaddr $protocol $first_spi |
| -m $mode |
| $algo_line ; |
| |
| add $dst_ipaddr $src_ipaddr $protocol `expr $first_spi + 1` |
| -m $mode |
| $algo_line ; |
| |
| EOD |
| |
| # Write lines for adding an SPD entry |
| case $target in |
| src) |
| direct1=out |
| direct2=in |
| ;; |
| dst) |
| direct1=in |
| direct2=out |
| ;; |
| *) |
| usage |
| ;; |
| esac |
| |
| case $mode in |
| transport) |
| cat << EOD |
| spdadd $src_ipaddr $dst_ipaddr any |
| -P $direct1 ipsec $protocol/transport//use ; |
| |
| spdadd $dst_ipaddr $src_ipaddr any |
| -P $direct2 ipsec $protocol/transport//use ; |
| EOD |
| ;; |
| |
| tunnel) |
| cat << EOD |
| spdadd $src_ipaddr $dst_ipaddr any |
| -P $direct1 ipsec $protocol/tunnel/${src_ipaddr}-${dst_ipaddr}/use ; |
| |
| spdadd $dst_ipaddr $src_ipaddr any |
| -P $direct2 ipsec $protocol/tunnel/${dst_ipaddr}-${src_ipaddr}/use ; |
| EOD |
| ;; |
| esac |
| |
| exit 0 |