dynamic IPSEC: Holy grail sighted
Christian Kratzer
ck at cksoft.de
Mon Aug 18 08:10:03 PDT 2003
Hi,
On Mon, 18 Aug 2003, The Anarcat wrote:
> I don't some of the attachments you intended to send (raccoon.conf?
> perl script?) didn't get through the list.
>
> I would be very interested to read those, if you don't mind sharing
> them...
we run the following scripts:
1. run lookup-peers.sh from cron every 3 minutes to resolve the peers
listed in /usr/local/etc/peers.in
2. diff the results to the results of the previous run and run update-ipsec.sh
if changed to generate a new ipsec.conf from ipsec.conf.m4 using the m4 macro
processor (yes, we use m4 for just about everything ;-) )
3. update-ipsec.sh installs the new policy but purposely keeps the
already handshaked associations in place so as not to hang connections
unnecessarily
you also need something else to update your dyndns setup.
This is left as an exercise to the reader.
The following scripts are freshly pasted out of our live setup and
somewhat obfuscated so there might still be something missing.
Especially the ipsec.conf.m4 will need adapting to your setup and to
the specific host in question.
Greetings
Christian
--- peers.in ---
peera peera.yourfavourite-dyndns-provider.com
peerb peerb.yourfavourite-dyndns-provider.com
peerc peerc.yourfavourite-dyndns-provider.com
--- peers.in ---
--- lookup-peers.sh ----
#!/bin/sh
# Resolve the dynamic-DNS names in peers.in and write them out as m4
# definitions; re-generate the IPsec policy only when something changed.
SRC=/usr/local/etc/peers.in
DST=/tmp/peers.m4
TMP=/tmp/peers.tmp
DYNINT=tun0
AWK=/usr/bin/awk
IFCONFIG=/sbin/ifconfig
HOST=/usr/local/bin/host
# NB: these files live in the world-writable /tmp; a root-owned directory
# (e.g. /var/db) is the safer place for files that end up feeding setkey.
if [ -f $TMP ]; then
    rm $TMP
fi
# our own (dynamic) address, taken from the tunnel interface
MYIP=`$IFCONFIG $DYNINT | $AWK '/inet /{ print $2 }'`
echo "define(\`MYIP',\`$MYIP')dnl" >> $TMP
# one define(`name',`addr')dnl line per peer; only the first A record is
# used (the "has IPv6 address" lines would otherwise yield "address" as $4).
# A peer whose lookup fails is simply left out of this run.
while read name host; do
    addr=`$HOST -W 3 $host | $AWK '/ has address /{ print $4; exit }'`
    if [ -n "$addr" ]; then
        echo "define(\`$name',\`$addr')dnl" >> $TMP
    fi
done < $SRC
if [ ! -f $DST ]; then
    touch $DST
fi
diff $DST $TMP 2> /dev/null > /dev/null
if [ $? -ne 0 ]; then
    # ip addresses of peers changed
    mv $TMP $DST
    # trigger actions here
    /usr/local/libexec/update-ipsec.sh
fi
--- lookup-peers.sh ----
--- update-ipsec.sh ---
#!/bin/sh
# Expand the policy template with the peer addresses from lookup-peers.sh.
# peers.m4 has to be read before the template so that its define()s
# (MYIP and the peer names) are known when the template is expanded.
/usr/bin/m4 /tmp/peers.m4 /etc/ipsec.conf.m4 > /etc/ipsec.conf
# Load the new policy. The template starts with spdflush (SPD only); the
# SAD is not touched, so already negotiated associations survive the reload.
/usr/sbin/setkey -f /etc/ipsec.conf
--- update-ipsec.sh ---
--- ipsec.conf.m4 --- (on host1)
# MYIP and the peer names are define()d in peers.m4, which update-ipsec.sh
# feeds to m4 ahead of this file; the peer names used below must match the
# first column of peers.in.
define(`SRCNET1',`192.168.1.0/24')dnl
define(`DSTNET2',`192.168.2.0/24')dnl
define(`DSTNET3',`192.168.3.0/24')dnl
# flush policy (SPD only, existing SAs stay in place)
spdflush;
# vpn tunnel from host1 to peerb
spdadd SRCNET1 DSTNET2 any
    -P out ipsec esp/tunnel/MYIP-peerb/require ;
spdadd DSTNET2 SRCNET1 any
    -P in ipsec esp/tunnel/peerb-MYIP/require ;
# vpn tunnel from host1 to peerc
spdadd SRCNET1 DSTNET3 any
    -P out ipsec esp/tunnel/MYIP-peerc/require ;
spdadd DSTNET3 SRCNET1 any
    -P in ipsec esp/tunnel/peerc-MYIP/require ;
--- ipsec.conf.m4 ---
Greetings
Christian
--
CK Software GmbH
Christian Kratzer, Schwarzwaldstr. 31, 71131 Jettingen
Email: ck at cksoft.de
Phone: +49 7452 889-135 Open Software Solutions, Network Security
Fax: +49 7452 889-136 FreeBSD spoken here!
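Added example (not from Christian's setup or the original post): a variant of the peer-lookup step that keeps the address recorded in the previous peers.m4 when a DNS lookup fails, so a transient resolver error does not silently drop that peer's policy on the next reload. The function names, the RESOLVER hook and the sample inputs are assumptions; the peers.in and peers.m4 formats are the ones shown in the post.

```shell
#!/bin/sh
# Added example, not part of the original setup: emit the peer define()s for
# peers.m4, falling back to the address from the previous peers.m4 when a
# lookup fails.  The function names and the RESOLVER hook are assumptions;
# the file formats are those of the post.

# resolve_dns HOSTNAME: first IPv4 address, nothing on failure (uses the net)
resolve_dns() {
    host -W 3 "$1" 2>/dev/null | awk '/ has address /{ print $4; exit }'
}

# previous_addr NAME PREV_M4: address recorded for NAME in the old peers.m4
# (lines look like  define(`peera',`192.0.2.10')dnl  -> split on ` and ')
previous_addr() {
    awk -v n="$1" -v "FS=[\`']" '$2 == n { print $4; exit }' "$2" 2>/dev/null || :
}

# gen_peer_defs PEERS_IN PREV_M4: print one define line per peer to stdout.
# Returns 1 if some peer has neither a fresh nor a previously known address
# (that peer is omitted; a caller should then skip the setkey reload).
gen_peer_defs() {
    rc=0
    while read -r name hostname; do
        case $name in ''|\#*) continue ;; esac        # blank line or comment
        addr=$("${RESOLVER:-resolve_dns}" "$hostname")
        if [ -z "$addr" ]; then
            addr=$(previous_addr "$name" "$2")
            [ -n "$addr" ] && echo "$name: lookup failed, keeping $addr" >&2
        fi
        if [ -z "$addr" ]; then
            echo "$name: no address known, peer omitted" >&2
            rc=1
            continue
        fi
        echo "define(\`$name',\`$addr')dnl"
    done < "$1"
    return $rc
}
```

The MYIP line is still produced as in lookup-peers.sh; only the per-peer part changes.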