#!/bin/sh ################################################################################ ## ## ## Copyright (c) International Business Machines Corp., 2005 ## ## ## ## This program is free software; you can redistribute it and#or modify ## ## it under the terms of the GNU General Public License as published by ## ## the Free Software Foundation; either version 2 of the License, or ## ## (at your option) any later version. ## ## ## ## This program is distributed in the hope that it will be useful, but ## ## WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY ## ## or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ## ## for more details. ## ## ## ## You should have received a copy of the GNU General Public License ## ## along with this program; if not, write to the Free Software ## ## Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA ## ## ## ## ## ################################################################################ # # File: # output_ipsec_conf # # Description: # Output IPsec configuration # # Author: # Mitsuru Chinen # # Exit Value: # 0: Exit normally # >0: Exit abnormally # # History: # Oct 19 2005 - Created (Mitsuru Chinen) # #----------------------------------------------------------------------- #Uncomment line below for debug output. $trace_logic # Encryption algorithm EALGO="3des-cbc" EALGO_KEY="_I_want_to_have_chicken_" # Authentication algorithm AALGO="hmac-sha1" AALGO_KEY="beef_fish_pork_salad" # Compression algorithm CALGO="deflate" #----------------------------------------------------------------------- # # Function: usage # # Description: # Print the usage of this script, then exit # #----------------------------------------------------------------------- usage(){ cat << EOD >&2 output_ipsec_conf flush Flush the SAD and SPD entries. output_ipsec_conf target protocol mode first_spi src_addr dst_addr target: target of the configuration file ( src / dst ) protocol: ah / esp / ipcomp mode: transport / tunnel first_spi: the first spi value src_addr: source IP address dst_addr: destination IP address EOD exit 1 } #----------------------------------------------------------------------- # # Main # # # When argument is `flush', flush the SAD and SPD if [ x$1 = x"flush" ]; then echo "spdflush ;" echo "flush ;" exit 0 fi # source/destination IP addresses if [ $# -ne 6 ]; then usage fi target=$1 protocol=$2 mode=$3 first_spi=$4 src_ipaddr=$5 dst_ipaddr=$6 # Algorithm options for each protocol case $protocol in ah) algo_line="-A $AALGO \"$AALGO_KEY\"" ;; esp) algo_line="-E $EALGO \"$EALGO_KEY\" -A $AALGO \"$AALGO_KEY\"" ;; ipcomp) algo_line="-C $CALGO" ;; *) usage ;; esac # Write lines for adding an SAD entry cat << EOD add $src_ipaddr $dst_ipaddr $protocol $first_spi -m $mode $algo_line ; add $dst_ipaddr $src_ipaddr $protocol `expr $first_spi + 1` -m $mode $algo_line ; EOD # Write lines for adding an SPD entry case $target in src) direct1=out direct2=in ;; dst) direct1=in direct2=out ;; *) usage ;; esac case $mode in transport) cat << EOD spdadd $src_ipaddr $dst_ipaddr any -P $direct1 ipsec $protocol/transport//use ; spdadd $dst_ipaddr $src_ipaddr any -P $direct2 ipsec $protocol/transport//use ; EOD ;; tunnel) cat << EOD spdadd $src_ipaddr $dst_ipaddr any -P $direct1 ipsec $protocol/tunnel/${src_ipaddr}-${dst_ipaddr}/use ; spdadd $dst_ipaddr $src_ipaddr any -P $direct2 ipsec $protocol/tunnel/${dst_ipaddr}-${src_ipaddr}/use ; EOD ;; esac exit 0