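#!/bin/sh

#
# sa-down.sh local configuration for a new SA
#
# Undoes what the matching sa-up.sh did for an IPsec SA: restores the
# saved resolv.conf, removes the internal (tunnel) address from the
# default-route interface, drops the routes that pointed at the tunnel,
# re-installs the original default route and finally deletes the SAs and
# SPD entries from the kernel with setkey(8).
#
# Inputs are environment variables handed to us by the IKE daemon
# (presumably racoon): LOCAL_ADDR/LOCAL_PORT, REMOTE_ADDR/REMOTE_PORT,
# INTERNAL_ADDR4 and INTERNAL_DNS4.  The INTERNAL_* values come from the
# peer, so they are treated as untrusted: every value is validated before
# it is handed to ifconfig/route or spliced into the setkey script at the
# bottom.  Without that check a ';' or newline inside one of them would be
# read by setkey as further commands, executed as root.  The old test
# ("contains a digit") did not prevent this and also allowed word-splitting
# of unquoted values into extra command arguments.
#
# Exit status: 0 when there is nothing to tear down (empty INTERNAL_ADDR4
# or no default gateway found), 1 when a required value is malformed.
#

PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin

# is_ipv4 ADDR: succeed only for a dotted quad of exactly four octets,
# each 0-255 and at most three digits.  Plain POSIX sh (no regex): a
# character-class check with case, then split on '.' and range-check.
is_ipv4() {
	case $1 in
	''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
	esac
	_save_ifs=$IFS
	IFS=.
	set -- $1
	IFS=$_save_ifs
	[ $# -eq 4 ] || return 1
	for _octet in "$@"; do
		[ ${#_octet} -le 3 ] && [ "$_octet" -le 255 ] || return 1
	done
	return 0
}

# is_addr_literal ADDR: succeed for a non-empty string made only of the
# characters that can appear in an IP address literal.  Used for the IKE
# endpoints, which are not forced to be v4 here in case the IKE exchange
# itself runs over v6; the point is to exclude whitespace, ';', '/' and
# '[' before the value is embedded in the setkey script.
is_addr_literal() {
	case $1 in
	''|*[!0-9A-Fa-f.:]*) return 1 ;;
	*) return 0 ;;
	esac
}

# is_port PORT: succeed for a non-empty, all-digit string.
is_port() {
	case $1 in
	''|*[!0-9]*) return 1 ;;
	*) return 0 ;;
	esac
}

# die MSG...: report on stderr and fail the script.
die() {
	printf 'sa-down.sh: %s\n' "$*" >&2
	exit 1
}

OS=$(uname -s)

# Recover the (pre-tunnel) default gateway from the routing table.  The
# table layout differs per OS; on any other system DEFAULT_GW is left as
# whatever the environment carries.  Only the first default route is
# taken so a second one cannot turn the value into a multi-word string.
# NOTE(review): this depends on netstat(1); Linux hosts that ship only
# iproute2 will end up with an empty DEFAULT_GW and exit early -- confirm
# on the target machines.
case $OS in
NetBSD)
	DEFAULT_GW=$(netstat -rn | awk '($1 == "default"){print $2; exit}')
	;;
Linux)
	DEFAULT_GW=$(netstat -rn | awk '($1 == "0.0.0.0"){print $2; exit}')
	;;
esac

# Diagnostic dump of everything we were handed (stdout, as before).
printf '%s\n' "$*"
printf 'LOCAL_ADDR = %s\n' "$LOCAL_ADDR"
printf 'LOCAL_PORT = %s\n' "$LOCAL_PORT"
printf 'REMOTE_ADDR = %s\n' "$REMOTE_ADDR"
printf 'REMOTE_PORT = %s\n' "$REMOTE_PORT"
printf 'DEFAULT_GW = %s\n' "$DEFAULT_GW"
printf 'INTERNAL_ADDR4 = %s\n' "$INTERNAL_ADDR4"
printf 'INTERNAL_DNS4 = %s\n' "$INTERNAL_DNS4"

# Nothing to tear down without an internal address or a default gateway:
# leave quietly, as before.  A value that is present but malformed is a
# hard error -- we must not feed it to route/ifconfig/setkey.  All checks
# run before anything on the system is touched.
[ -n "$INTERNAL_ADDR4" ] || exit 0
[ -n "$DEFAULT_GW" ] || exit 0
is_ipv4 "$INTERNAL_ADDR4" || die "INTERNAL_ADDR4 is not an IPv4 address: $INTERNAL_ADDR4"
is_ipv4 "$DEFAULT_GW" || die "DEFAULT_GW is not an IPv4 address: $DEFAULT_GW"
is_addr_literal "$LOCAL_ADDR" || die "LOCAL_ADDR is missing or malformed: $LOCAL_ADDR"
is_addr_literal "$REMOTE_ADDR" || die "REMOTE_ADDR is missing or malformed: $REMOTE_ADDR"
# Ports are only spliced into the NAT-T endpoint form below; drop these
# two checks if you switch to the non NAT-T form.
is_port "$LOCAL_PORT" || die "LOCAL_PORT is not numeric: $LOCAL_PORT"
is_port "$REMOTE_PORT" || die "REMOTE_PORT is not numeric: $REMOTE_PORT"

# Put back the resolver configuration that was saved as
# /etc/resolv.conf.bak (presumably by sa-up.sh before it pointed DNS at
# INTERNAL_DNS4).  NOTE(review): cp follows a symlinked resolv.conf and
# writes through it -- check this is what you want on resolvconf/
# systemd-resolved hosts.
if [ -f /etc/resolv.conf.bak ]; then
	cp /etc/resolv.conf.bak /etc/resolv.conf
fi

case $OS in
NetBSD)
	# Interface of the current default route carries the tunnel alias.
	iface=$(netstat -rn | awk '($1 == "default"){print $7; exit}')
	if [ -n "$iface" ]; then
		ifconfig "$iface" delete "$INTERNAL_ADDR4"
	else
		printf 'sa-down.sh: no default-route interface found; %s left configured\n' "$INTERNAL_ADDR4" >&2
	fi
	route delete default
	route delete "$REMOTE_ADDR"
	# Re-add the default route with the physical address as source.
	route add default "$DEFAULT_GW" -ifa "$LOCAL_ADDR"
	;;
Linux)
	# Read the interface before the default route is deleted, since the
	# route line it is taken from disappears afterwards.
	iface=$(netstat -rn | awk '($1 == "0.0.0.0"){print $8; exit}')
	route delete default
	route delete "$REMOTE_ADDR"
	if [ -n "$iface" ]; then
		ifconfig "${iface}:1" del "$INTERNAL_ADDR4"
	else
		printf 'sa-down.sh: no default-route interface found; %s left configured\n' "$INTERNAL_ADDR4" >&2
	fi
	route add default gw "$DEFAULT_GW"

	#
	# XXX This is a workaround because Linux seems to ignore
	# the deleteall commands below. This is bad because it flushes
	# every SA in the SAD -- including SAs of unrelated tunnels on this
	# host -- instead of flushing only the ones for this peer.
	# Someone using Linux please fix it
	#
	setkey -F
	;;
esac

# Endpoint spelling for the SPD entries: NAT-T form (address[port]).
LOCAL="${LOCAL_ADDR}[${LOCAL_PORT}]"
REMOTE="${REMOTE_ADDR}[${REMOTE_PORT}]"

# Use this for a non NAT-T setup
#LOCAL="${LOCAL_ADDR}"
#REMOTE="${REMOTE_ADDR}"

# Every value expanded in this here-document passed the checks above, so
# none of them can carry a ';' or newline that setkey would treat as an
# additional command.
setkey -c <<EOF
deleteall ${REMOTE_ADDR} ${LOCAL_ADDR} esp;
deleteall ${LOCAL_ADDR} ${REMOTE_ADDR} esp;
spddelete ${INTERNAL_ADDR4}/32[any] 0.0.0.0/0[any] any
	-P out ipsec esp/tunnel/${LOCAL}-${REMOTE}/require;
spddelete 0.0.0.0/0[any] ${INTERNAL_ADDR4}[any] any
	-P in ipsec esp/tunnel/${REMOTE}-${LOCAL}/require;
EOF
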