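#!/bin/sh
# pipsecd2ipsectools - helper for migrating from pipsecd to ipsec-tools
# Copyright ©2011 Agence universitaire de la Francophonie
# http://www.auf.org/
# License: GNU General Public License, version 3
# Author: Progfou <jean-christophe.andre@auf.org>
# Created: 2011-02-15
# Updated: 2011-02-16
#
# Reads /etc/pipsecd/startup (one "ifconfig ipsecN ..." line per tunnel,
# giving the remote address and netmask) and /etc/pipsecd/pipsecd.conf
# ("sa" and "if" lines) and writes an equivalent setkey(8) configuration
# for ipsec-tools to stdout: the SPD entries, the manual "esp-old" SAs with
# the keys carried over unchanged, and the matching "ip route" command as
# a comment above each tunnel.
#
# Environment: LOCALGW, LOCALIP and LOCALNET override the site defaults
# assigned below.
#
# The output embeds the raw ESP/AH keys in clear text: redirect it to a
# file readable by root only (e.g. run the script under "umask 077").
# The algorithms it emits (esp-old, hmac-md5, ...) are inherited from the
# pipsecd configuration, not a recommendation for new tunnels.

set -eu

LOCALGW="${LOCALGW:-210.245.61.206}"
LOCALIP="${LOCALIP:-10.230.0.254}"
LOCALNET="${LOCALNET:-10.230.0.0/20}"

STARTUP=/etc/pipsecd/startup
CONF=/etc/pipsecd/pipsecd.conf

# Fail early with a clear message rather than letting awk/sed complain
# about a missing file after part of the output has already been written.
for f in "$STARTUP" "$CONF"; do
  if [ ! -r "$f" ]; then
    printf '%s: cannot read %s\n' "${0##*/}" "$f" >&2
    exit 1
  fi
done

cat << __EOF__

# REMARQUES :
# - l'ordre des règles spdadd est important et doit correspondre à l'ordre
# des routes les plus précises vers les routes les plus générales

# ne pas utiliser IPsec en réseau local

spdadd $LOCALNET $LOCALNET any -P out none ;
spdadd $LOCALNET $LOCALNET any -P in none ;

__EOF__

(
  # Pre-processing of the network list in /etc/pipsecd/startup: emit one
  # "remotenet <suffix> <network>/<prefix>" line per "ifconfig" line.
  # Expected field layout: $2 interface name, $5 remote address, $7 netmask.
  awk '
  /^ifconfig / {
    # interface name minus its 5-character prefix (ipsec0 -> 0); the same
    # suffix is what the "if" lines of pipsecd.conf are keyed on
    IF = substr($2, 6)
    split($5, N, "[.]")
    split($7, M, "[.]")
    # network address = address AND mask, octet by octet: for a contiguous
    # mask octet m the host part of the octet is the remainder modulo
    # (256 - m).  Replaces the earlier /24 truncation.
    for (i = 1; i <= 4; i++) {
      NET[i] = N[i] - N[i] % (256 - M[i])
    }
    REMOTENET = NET[1] "." NET[2] "." NET[3] "." NET[4]
    # prefix length = 32 - log2(number of host addresses); a /32 mask has
    # no host addresses and would take log(0), so it is special-cased
    HOSTS = 256^4 - (M[1]*256^3 + M[2]*256^2 + M[3]*256 + M[4])
    REMOTECIDR = (HOSTS <= 1) ? 32 : 32 - int(log(HOSTS)/log(2) + 0.5)
    printf("remotenet %s %s/%s\n", IF, REMOTENET, REMOTECIDR)
  }
  ' "$STARTUP"
  # Then the contents of /etc/pipsecd/pipsecd.conf, with "key = value"
  # normalised to "key=value" on non-comment lines so that awk fields line up.
  sed -e '/^[^#]/s/ *= */=/g' "$CONF"
) | awk -v LOCALGW="$LOCALGW" -v LOCALIP="$LOCALIP" -v LOCALNET="$LOCALNET" '
  # remote network per interface suffix, produced by the first awk above
  /^remotenet / {
    IF = $2; REMOTENET[IF] = $3
    # debug: printf("# IF=%s REMOTENET=%s\n", IF, REMOTENET[IF])
  }
  # the last comment seen is replayed above the tunnel it precedes
  /^#/ {
    LASTCOMMENT = $0
  }
  # "sa spi=.. enc=.. ekey=.. auth=.. akey=.. [dest=..]": a dest field marks
  # the outbound SA, otherwise it is the inbound one.  ipsec-tools spells
  # algorithm names with "-" where pipsecd used "_", and setkey knows
  # hmac-md5-96 as plain hmac-md5.
  /^sa / {
    SPI = substr($3, 5)
    ENC = substr($4, 5); EKEY = substr($5, 6); gsub("_", "-", ENC)
    AUTH = substr($6, 6); AKEY = substr($7, 6); gsub("_", "-", AUTH)
    if (AUTH == "hmac-md5-96") { AUTH = "hmac-md5" }
    if ($8 != "") {
      OSPI = SPI; OENC = ENC; OEKEY = EKEY; OAUTH = AUTH; OAKEY = AKEY
      REMOTEGW = substr($8, 6)
    } else {
      ISPI = SPI; IENC = ENC; IEKEY = EKEY; IAUTH = AUTH; IAKEY = AKEY
    }
  }
  # "if <suffix> ...": emit the tunnel using the SAs seen just before it.
  # NOTE(review): this assumes both "sa" lines precede their "if" line in
  # pipsecd.conf; otherwise the values of the previous tunnel are reused.
  # The per-interface SPI fields ($3/$4) are not needed, the SPIs come
  # from the "sa" lines.
  /^if / {
    IF = $2
    IPROUTE = "ip route add " REMOTENET[IF] " via " LOCALGW " src " LOCALIP
    printf("%s\n#%s\n\n", LASTCOMMENT, IPROUTE)
    printf("spdadd %s %s any -P out ipsec\n", LOCALNET, REMOTENET[IF])
    printf(" esp/tunnel/%s-%s/require ;\n", LOCALGW, REMOTEGW)
    printf("spdadd %s %s any -P in ipsec\n", REMOTENET[IF], LOCALNET)
    printf(" esp/tunnel/%s-%s/require ;\n\n", REMOTEGW, LOCALGW)
    printf("add %s %s esp-old %s -m tunnel\n", LOCALGW, REMOTEGW, OSPI)
    printf(" -E %s 0x%s\n -A %s 0x%s ;\n", OENC, OEKEY, OAUTH, OAKEY)
    printf("add %s %s esp-old %s -m tunnel\n", REMOTEGW, LOCALGW, ISPI)
    printf(" -E %s 0x%s\n -A %s 0x%s ;\n\n", IENC, IEKEY, IAUTH, IAKEY)
    EMPTYLINE = 0
  }
  # collapse runs of blank input lines into a single blank output line
  /^[ ]*$/ {
    if (EMPTYLINE != 1) { print ""; EMPTYLINE = 1 }
  }
'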