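#!/bin/sh
#
# sa-down.sh -- local cleanup when an SA goes down
#
# Meant to be run as a hook by the IKE daemon (racoon) when the tunnel's
# SA is torn down; it undoes what the matching sa-up.sh did.  All inputs
# arrive in the environment:
#
#   LOCAL_ADDR / LOCAL_PORT     our IKE endpoint
#   REMOTE_ADDR / REMOTE_PORT   the peer's IKE endpoint
#   INTERNAL_ADDR4              tunnel-internal address assigned to us
#   INTERNAL_NETMASK4           tunnel-internal netmask (printed only)
#   INTERNAL_DNS4               tunnel-internal DNS server (printed only)
#
# The script runs with the daemon's privileges (normally root) and splices
# these values into route(8)/ifconfig(8) argument lists and into a setkey(8)
# configuration.  The INTERNAL_* values presumably originate from the peer's
# side of the negotiation (mode-config), so they are validated, not merely
# checked for "contains a digit", before anything is executed.
#
# Exit status is 0 in every case, including when the inputs are unusable,
# so that the daemon does not treat a skipped cleanup as a hook failure.
#

PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin

# warn MESSAGE... -- diagnostic to stderr, prefixed with the script name.
warn() {
  printf '%s: %s\n' "${0##*/}" "$*" >&2
}

# is_dotted_numeric VALUE
#   Succeeds only when VALUE is non-empty and consists solely of digits and
#   dots.  Whitespace, ';', '/', '[', '-' etc. would change the meaning of
#   the generated route/ifconfig/setkey commands, so they are rejected here.
is_dotted_numeric() {
  case "$1" in
  '' | *[!0-9.]*) return 1 ;;
  esac
  return 0
}

# is_safe_token VALUE
#   Succeeds when VALUE (possibly empty) contains nothing outside the
#   character set of an IPv4/IPv6 literal, a scope id or a port number.
#   Used for the endpoint values, which may legitimately be absent in the
#   environment and are therefore not required to be present.
is_safe_token() {
  case "$1" in
  *[!0-9A-Za-z.:%_-]*) return 1 ;;
  esac
  return 0
}

OS=$(uname -s)

# Current default gateway, read numerically from the routing table.  Only
# the two platforms below are handled; elsewhere DEFAULT_GW stays empty and
# the script stops before touching routes or SAs.  NOTE(review): this reads
# the table while the tunnel is still configured, so it relies on sa-up.sh
# having kept the same gateway address -- confirm against sa-up.sh.
case "$OS" in
NetBSD)
  DEFAULT_GW=$(netstat -finet -rn | awk '($1 == "default"){print $2; exit}')
  ;;
Linux)
  DEFAULT_GW=$(netstat --inet -rn | awk '($1 == "0.0.0.0"){print $2; exit}')
  ;;
esac

# Dump of the inputs, for whoever collects the hook's stdout.
echo "$@"
echo "LOCAL_ADDR = ${LOCAL_ADDR}"
echo "LOCAL_PORT = ${LOCAL_PORT}"
echo "REMOTE_ADDR = ${REMOTE_ADDR}"
echo "REMOTE_PORT = ${REMOTE_PORT}"
echo "DEFAULT_GW = ${DEFAULT_GW}"
echo "INTERNAL_NETMASK4 = ${INTERNAL_NETMASK4}"
echo "INTERNAL_ADDR4 = ${INTERNAL_ADDR4}"
echo "INTERNAL_DNS4 = ${INTERNAL_DNS4}"

# Nothing to clean up (or nothing we are willing to act on) unless the
# values below are present and plainly numeric.
is_dotted_numeric "${INTERNAL_ADDR4}" || { warn "INTERNAL_ADDR4 missing or not numeric, skipping"; exit 0; }
is_dotted_numeric "${INTERNAL_NETMASK4}" || { warn "INTERNAL_NETMASK4 missing or not numeric, skipping"; exit 0; }
is_dotted_numeric "${DEFAULT_GW}" || { warn "DEFAULT_GW missing or not numeric, skipping"; exit 0; }

# Belt and braces for the endpoint values that go into the setkey script
# and the route commands: refuse anything with shell or setkey metacharacters.
for v in LOCAL_ADDR REMOTE_ADDR LOCAL_PORT REMOTE_PORT; do
  eval "val=\${$v}"
  is_safe_token "${val}" || { warn "$v contains unexpected characters, skipping"; exit 0; }
done

# Put back the resolver configuration saved by sa-up.sh, if any.
if [ -f /etc/resolv.conf.bak ]; then
  rm -f /etc/resolv.conf
  mv /etc/resolv.conf.bak /etc/resolv.conf
fi

case "$OS" in
NetBSD)
  # Interface currently carrying the default route (netstat -rn column 7),
  # read before the route is deleted.
  ifname=$(netstat -finet -rn | awk '($1 == "default"){print $7; exit}')
  route delete default
  route delete "${REMOTE_ADDR}"
  ifconfig "${ifname}" delete "${INTERNAL_ADDR4}"
  route add default "${DEFAULT_GW}" -ifa "${LOCAL_ADDR}"
  ;;
Linux)
  # Same idea; on Linux the interface is column 8 and the tunnel address
  # lives on an alias (:1) of that interface.
  ifname=$(netstat --inet -rn | awk '($1 == "0.0.0.0"){print $8; exit}')
  route delete default
  route delete "${REMOTE_ADDR}"
  ifconfig "${ifname}:1" del "${INTERNAL_ADDR4}"
  route add default gw "${DEFAULT_GW}"

  #
  # XXX Workaround: the deleteall directives further down are reportedly
  # ignored on Linux, so the entire SAD is flushed instead.  This is too
  # broad -- it also tears down SAs that belong to other tunnels on this
  # host, not only the one going down.  Someone using Linux please fix it.
  #
  setkey -F
  ;;
esac

# Endpoints in setkey syntax.  Port 500 means plain IKE; anything else is
# taken to be NAT-T, where the UDP ports are part of the tunnel spec.
LOCAL="${LOCAL_ADDR}"
REMOTE="${REMOTE_ADDR}"
if [ "x${LOCAL_PORT}" != "x500" ]; then
  LOCAL="${LOCAL}[${LOCAL_PORT}]"
  REMOTE="${REMOTE}[${REMOTE_PORT}]"
fi

# Remove both ESP SAs and the two SPD entries installed for this tunnel.
setkey -c <<EOF
deleteall ${REMOTE_ADDR} ${LOCAL_ADDR} esp;
deleteall ${LOCAL_ADDR} ${REMOTE_ADDR} esp;
spddelete ${INTERNAL_ADDR4}/32[any] 0.0.0.0/0[any] any
    -P out ipsec esp/tunnel/${LOCAL}-${REMOTE}/require;
spddelete 0.0.0.0/0[any] ${INTERNAL_ADDR4}[any] any
    -P in ipsec esp/tunnel/${REMOTE}-${LOCAL}/require;
EOF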