2 # user interface to manual keying
3 # Copyright (C) 1998, 1999 Henry Spencer.
5 # This program is free software; you can redistribute it and/or modify it
6 # under the terms of the GNU General Public License as published by the
7 # Free Software Foundation; either version 2 of the License, or (at your
8 # option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 # This program is distributed in the hope that it will be useful, but
11 # WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 # or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 # RCSID $Id: manual.in,v 1.1 2004/03/15 20:35:28 as Exp $
19 $me [--showonly] --{up|down|route|unroute} name
20 $me [--showonly] --{up|down|route|unroute} --union partname ...
22 other options: [--config ipsecconfigfile] [--other] [--show]
23 [--iam ipaddress@interface]"
25 # make sure outputs of (e.g.) ifconfig are in English
26 unset LANG LANGUAGE LC_ALL LC_MESSAGES
30 info
=/var
/run
/ipsec.info
41 --help) echo "$usage" ; exit 0 ;;
42 --version) echo "$me $IPSEC_VERSION" ; exit 0 ;;
44 --showonly) showonly
=yes ;;
47 --config) config
="--config $2" ; shift ;;
48 --noinclude) noinclude
=--noinclude ;;
49 --iam) interfs
="$2" ; shift ;;
50 --up|
--down|
--route|
--unroute)
59 -*) echo "$me: unknown option \`$1'" >&2 ; exit 2 ;;
65 case "$op$#:$union" in
66 [01]:*) echo "$usage" >&2 ; exit 2 ;;
67 2:0) echo "$me: warning: obsolete command syntax used" >&2
79 *) echo "$usage" >&2 ; exit 2 ;;
83 # --union obsolete-syntax case, op is last argument
84 echo "$me: warning: obsolete command syntax used" >&2
95 --up|
--down|
--route|
--unroute) ;;
96 *) echo "$usage" >&2 ; exit 2 ;;
100 '') interfs
="`ifconfig |
101 awk ' /^ipsec/ { interf = $1 ; next }
102 /^[^ \t]/ { interf = "" ; next }
116 ipsec _confread
$config $noinclude $names |
124 interfs = "'"$interfs"'"
125 ni = split(interfs, terfs, " ")
127 fail("no IPsec-enabled interfaces found")
128 for (i = 1; i <= ni; i++) {
129 nc = split(terfs[i], cpts, "@")
131 fail("internal error on " terfs[i])
132 interface[cpts[1]] = cpts[2]
134 draddr = "'"$defaultrouteaddr"'"
135 drnexthop = "'"$defaultroutenexthop"'"
140 maskbits[0] = "0.0.0.0"
141 maskbits[1] = "128.0.0.0"
142 maskbits[2] = "192.0.0.0"
143 maskbits[3] = "224.0.0.0"
144 maskbits[4] = "240.0.0.0"
145 maskbits[5] = "248.0.0.0"
146 maskbits[6] = "252.0.0.0"
147 maskbits[7] = "254.0.0.0"
148 maskbits[8] = "255.0.0.0"
149 maskbits[9] = "255.128.0.0"
150 maskbits[10] = "255.192.0.0"
151 maskbits[11] = "255.224.0.0"
152 maskbits[12] = "255.240.0.0"
153 maskbits[13] = "255.248.0.0"
154 maskbits[14] = "255.252.0.0"
155 maskbits[15] = "255.254.0.0"
156 maskbits[16] = "255.255.0.0"
157 maskbits[17] = "255.255.128.0"
158 maskbits[18] = "255.255.192.0"
159 maskbits[19] = "255.255.224.0"
160 maskbits[20] = "255.255.240.0"
161 maskbits[21] = "255.255.248.0"
162 maskbits[22] = "255.255.252.0"
163 maskbits[23] = "255.255.254.0"
164 maskbits[24] = "255.255.255.0"
165 maskbits[25] = "255.255.255.128"
166 maskbits[26] = "255.255.255.192"
167 maskbits[27] = "255.255.255.224"
168 maskbits[28] = "255.255.255.240"
169 maskbits[29] = "255.255.255.248"
170 maskbits[30] = "255.255.255.252"
171 maskbits[31] = "255.255.255.254"
172 maskbits[32] = "255.255.255.255"
183 fail("internal error, unknown type code \"" $1 "\"")
190 print myname ": fatal error in " q(names) ": " m |err
194 function swap(k, t, l, r) {
197 if ((l in s) && (r in s)) {
201 } else if (l in s) { # but not r
204 } else if (r in s) { # but not l
210 if ((k in s) && s[k] != "yes" && s[k] != "no")
211 fail("parameter \"" k "\" must be \"yes\" or \"no\"")
213 function default(k, v) {
219 fail("connection has no \"" k "\" parameter specified")
221 fail("parameter \"" k "\" value must be non-empty")
223 function integer(k) {
226 if (s[k] !~ /^[0-9]+$/)
227 fail("parameter \"" k "\" value must be integer")
229 function nexthopset(dir, val, k) {
232 fail("non-default value of " k " is being overridden")
238 function leftward( t) {
246 function rightward( t) {
254 function netfix(dir, n, t) {
259 fail(dir "subnet=" n " has no mask specified")
260 t = split(n, netfixarray, "/")
262 fail("bad syntax in " dir "subnet=" n)
263 s[dir "net"] = netfixarray[1]
264 s[dir "mask"] = mask(netfixarray[2])
269 if (!(m in maskbits))
270 fail("unknown mask syntax \"" m "\"")
273 function bidir(name, l, r) {
276 if (!(l in s) && (name in s))
278 if (!(r in s) && (name in s))
280 if ((l in s) != (r in s))
281 fail("must give both or neither \"" l "\" and \"" \
284 function espspi(src, dest, spi, dir) {
287 dir = (dest == me) ? "left" : "right"
288 print "ipsec spi --label", q(names), "--af inet",
289 "--said", ("esp" spi "@" dest), "\\"
290 print "\t--esp", s["esp"], "--src", src, "\\"
291 if ((dir "espauthkey") in s)
292 print "\t--authkey", s[dir "espauthkey"], "\\"
293 if ("espreplay_window" in s)
294 print "\t--replay_window", s["espreplay_window"], "\\"
295 if ((dir "espenckey") in s)
296 print "\t--enckey", s[dir "espenckey"], "&&"
300 function ahspi(src, dest, spi, dir) {
303 dir = (dest == me) ? "left" : "right"
304 if (!((dir "ahkey") in s))
305 fail("AH specified but no ahkey= given")
306 print "ipsec spi --label", q(names), "--af inet",
307 "--said", ("ah" spi "@" dest), "\\"
308 print "\t--ah", s["ah"], "--src", src, "\\"
309 if ("ahreplay_window" in s)
310 print "\t--replay_window", s["ahreplay_window"], "\\"
311 print "\t--authkey", s[dir "ahkey"], "&&"
313 # issue a suitable invocation of updown command
314 function updown(verb, suffix, cmd) {
315 if ("leftupdown" in s) {
316 cmd = s["leftupdown"]
317 if (s["leftfirewall"] == "yes")
318 fail("cannot specify both updown and firewall")
320 cmd = "ipsec _updown"
321 if (s["leftfirewall"] == "yes")
324 print "PLUTO_VERB=" verb verbsuf " " cmd " " suffix
330 default("type", "tunnel")
333 if (type == "transport") {
334 if ("leftsubnet" in s)
335 fail("type=transport incompatible with leftsubnet")
336 if ("rightsubnet" in s)
337 fail("type=transport incompatible with rightsubnet")
338 } else if (type == "passthrough") {
341 } else if (type == "drop" || type == "reject") {
344 } else if (type != "tunnel")
345 fail("only know how to do types tunnel/transport/passthrough")
347 if (("ah" in s) || ("esp" in s))
348 fail(type " connection may not specify AH or ESP")
350 if (!("ah" in s) && !("esp" in s))
351 fail("neither AH nor ESP specified for connection")
356 if (s["left"] == "%defaultroute") {
357 if (s["right"] == "%defaultroute")
358 fail("left and right cannot both be %defaultroute")
360 fail("%defaultroute requested but not known")
362 nexthopset("left", drnexthop)
363 } else if (s["right"] == "%defaultroute") {
365 fail("%defaultroute requested but not known")
367 nexthopset("right", drnexthop)
370 leftsub = ("leftsubnet" in s) ? 1 : 0
371 default("leftsubnet", s["left"] "/32")
372 rightsub = ("rightsubnet" in s) ? 1 : 0
373 default("rightsubnet", s["right"] "/32")
374 default("leftfirewall", "no")
375 default("rightfirewall", "no")
376 yesno("leftfirewall")
377 yesno("rightfirewall")
378 integer("espreplay_window")
379 if (("espreplay_window" in s) && s["espreplay_window"] == 0)
380 delete s["espreplay_window"]
381 integer("ahreplay_window")
382 if (("ahreplay_window" in s) && s["ahreplay_window"] == 0)
383 delete s["ahreplay_window"]
387 default("leftnexthop", s["right"])
388 default("rightnexthop", s["left"])
389 if (s["leftnexthop"] == s["left"])
390 fail("left and leftnexthop must not be the same")
391 if (s["rightnexthop"] == s["right"])
392 fail("right and rightnexthop must not be the same")
397 if ("spi" in s && "spibase" in s)
398 fail("cannot specify both spi and spibase")
400 if ("spibase" in s) {
402 if (b !~ /^0x[0-9a-fA-F]+0$/)
403 fail("bad syntax in spibase -- must be 0x...0")
404 spibase = substr(b, 1, length(b)-1)
407 if (s["spi"] !~ /^0x[0-9a-fA-F]+$/)
408 fail("bad syntax in spi -- must be 0x...")
416 for (addr in interface) {
417 if (addr == s["left"] || addr == s["right"]) {
419 fail("ambiguous: could be on \"" iface \
420 "\" or \"" interface[addr] "\"")
422 iface = interface[addr]
426 fail("cannot find interface for " s["left"] " or " s["right"])
430 else if (s["right"] == me)
433 havesubnet = leftsubnet
434 if (s["right"] == me) {
435 swap("") # swaps "left" and "right"
450 havesubnet = rightsubnet
454 if (s["leftnexthop"] == "%defaultroute") {
456 fail("%defaultroute requested but not known")
457 s["leftnexthop"] = drnexthop
461 if (type == "tunnel") {
466 if (s["rightespspi"] != "")
467 espi = s["rightespspi"]
469 if (s["leftespspi"] != "")
470 respi = s["leftespspi"]
479 if (s["rightahspi"] != "")
480 aspi = s["rightahspi"]
481 if (s["leftahspi"] != "")
482 raspi = s["leftahspi"]
484 routeid = "-net " s["rightnet"] " netmask " s["rightmask"]
485 if (s["rightmask"] == "255.255.255.255")
486 routeid = "-host " s["rightnet"]
488 print "PATH=\"'"$PATH"'\""
490 print "PLUTO_VERSION=1.1"
491 verbsuf = (havesubnet) ? "-client" : "-host"
492 print "PLUTO_CONNECTION=" q(names)
493 print "PLUTO_NEXT_HOP=" s["leftnexthop"]
494 print "PLUTO_INTERFACE=" iface
496 print "PLUTO_MY_CLIENT=" s["leftsubnet"]
497 print "PLUTO_MY_CLIENT_NET=" s["leftnet"]
498 print "PLUTO_MY_CLIENT_MASK=" s["leftmask"]
499 print "PLUTO_PEER=" him
500 print "PLUTO_PEER_CLIENT=" s["rightsubnet"]
501 print "PLUTO_PEER_CLIENT_NET=" s["rightnet"]
502 print "PLUTO_PEER_CLIENT_MASK=" s["rightmask"]
503 print "export PLUTO_VERSION PLUTO_CONNECTION PLUTO_NEXT_HOP"
504 print "export PLUTO_INTERFACE PLUTO_ME PLUTO_MY_CLIENT"
505 print "export PLUTO_MY_CLIENT_NET PLUTO_MY_CLIENT_MASK PLUTO_PEER"
506 print "export PLUTO_PEER_CLIENT PLUTO_PEER_CLIENT_NET"
507 print "export PLUTO_PEER_CLIENT_MASK"
511 # first, the outbound SAs
512 if (type == "tunnel") {
513 print "ipsec spi --label", q(names), "--af inet",
514 "--said", ("tun" tspi "@" him), "\\"
515 print "\t--ip4", "--src", me, "--dst", him, "&&"
517 espspi(me, him, espi)
521 printf "ipsec spigrp --label %s --said ", q(names)
522 if (type == "tunnel")
523 printf "tun%s@%s ", tspi, him
525 printf "esp%s@%s ", espi, him
527 printf "ah%s@%s ", aspi, him
531 if (type == "tunnel") {
532 print "ipsec spi --label", q(names), "--af inet",
533 "--said", ("tun" intspi "@" me), "\\"
534 print "\t--ip4", "--src", him, "--dst", me, "&&"
536 espspi(him, me, respi)
537 ahspi(him, me, raspi)
540 printf "ipsec spigrp --label %s --said ", q(names)
541 if (type == "tunnel")
542 printf "tun%s@%s ", intspi, me
544 printf "esp%s@%s ", respi, me
546 printf "ah%s@%s ", raspi, me
549 # with the SAs in place, eroute to them
550 print "ipsec eroute --label", q(names),
551 "--eraf inet --replace", "\\"
553 if (type == "tunnel")
555 else if (("esp" in s))
561 print "\t--src", s["leftsubnet"], "--dst", s["rightsubnet"],
563 # with the eroute in place, NOW we can route to it
564 #print "{ route del", routeid, "2>/dev/null ; true ; } &&"
565 updown("prepare", "&&")
566 #print "route add", routeid, "dev", iface, "gw",
567 # s["leftnexthop"], "&&"
568 updown("route", "&&")
569 # and with all processing in place, we can penetrate firewall
570 #if (s["leftfirewall"] == "yes") {
571 # print "ipfwadm -F -i accept -b -S", s["leftsubnet"],
572 # "-D", s["rightsubnet"], "&&"
577 } else if (op == "--route") {
578 #print "{ route del", routeid, "2>/dev/null ; true ; } &&"
579 updown("prepare", "&&")
580 #print "route add", routeid, "dev", iface, "gw",
584 } else if (op == "--unroute") {
585 #print "route del", routeid, "dev", iface, "gw",
592 # now do "down", unconditionally, since the desired output for "up"
593 # is { up && up && up && true } || { down ; down ; down }
594 # tear things down in fairly strict reverse order
595 #if (s["leftfirewall"] == "yes")
596 # print "ipfwadm -F -d accept -b -S", s["leftsubnet"],
597 # "-D", s["rightsubnet"]
599 #print "route del", routeid, "dev", iface, "gw", s["leftnexthop"]
600 print "# do not delete route"
601 print "ipsec eroute --label", q(names), "--eraf inet --del", "\\"
602 print "\t--src", s["leftsubnet"], "--dst", s["rightsubnet"]
604 # print "ipsec spi --label", q(names), "--af inet", "--del",
605 # "--said", ("ah" raspi "@" me)
608 # print "ipsec spi --label", q(names), "--af inet", "--del",
609 # "--said", ("esp" respi "@" me)
612 if (type == "tunnel")
614 else if (("esp" in s))
618 print "ipsec spi --label", q(names), "--af inet", "--del",
619 "--said", (p tspi "@" him),
621 print "ipsec spi --label", q(names), "--af inet", "--del",
622 "--said", (p intspi "@" me),
627 print "} 2>/dev/null"