projets / progfou.git / blame
| Commit | Line | Data |
|---|---|---|
| d3bafc0a P |
1 | #!/bin/sh |
| 2 | # pipsecd2ipsectools - outil d'aide à la migration de pipsecd vers ipsec-tools | |
| 3 | # Copyright ©2011 Agence universitaire de la Francophonie | |
| 4 | # http://www.auf.org/ | |
| 5 | # Licence : GNU General Public License, version 3 | |
| 6 | # Auteur : Progfou <jean-christophe.andre@auf.org> | |
| 7 | # Création : 2011-02-15 | |
| 8 | # Mise à jour : 2011-02-16 | |
| 9 | LOCALGW="210.245.61.206" | |
| 10 | LOCALIP="10.230.0.254" | |
| 11 | LOCALNET="10.230.0.0/20" | |
| 12 | ||
| 13 | cat << __EOF__ | |
| 14 | ||
| 15 | # REMARQUES : | |
| 16 | # - l'ordre des règles spdadd est important et doit correspondre à l'ordre | |
| 17 | # des routes les plus précises vers les routes les plus générales | |
| 18 | ||
| 19 | # ne pas utiliser IPsec en réseau local | |
| 20 | ||
| 21 | spdadd $LOCALNET $LOCALNET any -P out none ; | |
| 22 | spdadd $LOCALNET $LOCALNET any -P in none ; | |
| 23 | ||
| 24 | __EOF__ | |
| 25 | ||
| 26 | ( | |
| 27 | # pré-traitement de la liste des réseaux dans /etc/pipsecd/startup | |
| 28 | awk ' | |
| 29 | /^ifconfig / { | |
| 30 | IF=substr($2,6) | |
| 31 | REMOTENET=$5; split(REMOTENET,N,"\.") | |
| 32 | REMOTEMASK=$7; split(REMOTEMASK,M,"\.") | |
| 33 | REMOTENET=N[1]"."N[2]"."N[3]".0" # incorrect mais plus simple pour le moment | |
| 34 | REMOTECIDR=32-log(256^4-(M[1]*256^3+M[2]*256^2+M[3]*256+M[4]))/log(2) | |
| 35 | printf("remotenet %s %s\n", IF, REMOTENET"/"REMOTECIDR) | |
| 36 | } | |
| 37 | ' /etc/pipsecd/startup | |
| 38 | # envoi du contenu de /etc/pipsecd/pipsecd.conf | |
| 39 | sed -e '/^[^#]/s/ *= */=/g' /etc/pipsecd/pipsecd.conf | |
| 40 | ) | awk -v LOCALGW="$LOCALGW" -v LOCALIP="$LOCALIP" -v LOCALNET="$LOCALNET" ' | |
| 41 | /^remotenet / { | |
| 42 | IF=$2; REMOTENET[IF]=$3 | |
| 43 | #printf("# IF=%s REMOTENET=%s\n", IF, REMOTENET[IF]) | |
| 44 | } | |
| 45 | /^#/ { | |
| 46 | LASTCOMMENT=$0 | |
| 47 | } | |
| 48 | /^sa / { | |
| 49 | SPI=substr($3,5) | |
| 50 | ENC=substr($4,5); EKEY=substr($5,6); gsub("_","-",ENC) | |
| 51 | AUTH=substr($6,6); AKEY=substr($7,6); gsub("_","-",AUTH) | |
| 52 | if (AUTH=="hmac-md5-96") { AUTH="hmac-md5" } | |
| 53 | if ($8 != "") { | |
| 54 | OSPI=SPI; OENC=ENC; OEKEY=EKEY; OAUTH=AUTH; OAKEY=AKEY | |
| 55 | REMOTEGW=substr($8,6) | |
| 56 | } else { | |
| 57 | ISPI=SPI; IENC=ENC; IEKEY=EKEY; IAUTH=AUTH; IAKEY=AKEY | |
| 58 | } | |
| 59 | } | |
| 60 | /^if / { | |
| 61 | IF=$2; LSPI=substr($3,10); RSPI=substr($4,11) | |
| 62 | IPROUTE="ip route add "REMOTENET[IF]" via "LOCALGW" src "LOCALIP | |
| 63 | printf("%s\n#%s\n\n", LASTCOMMENT, IPROUTE) | |
| 64 | printf("spdadd %s %s any -P out ipsec\n", LOCALNET, REMOTENET[IF]) | |
| 65 | printf(" esp/tunnel/%s-%s/require ;\n", LOCALGW, REMOTEGW) | |
| 66 | printf("spdadd %s %s any -P in ipsec\n", REMOTENET[IF], LOCALNET) | |
| 67 | printf(" esp/tunnel/%s-%s/require ;\n\n", REMOTEGW, LOCALGW) | |
| 68 | printf("add %s %s esp-old %s -m tunnel\n", LOCALGW, REMOTEGW, OSPI) | |
| 69 | printf(" -E %s 0x%s\n -A %s 0x%s ;\n", OENC, OEKEY, OAUTH, OAKEY) | |
| 70 | printf("add %s %s esp-old %s -m tunnel\n", REMOTEGW, LOCALGW, ISPI) | |
| 71 | printf(" -E %s 0x%s\n -A %s 0x%s ;\n\n", IENC, IEKEY, IAUTH, IAKEY) | |
| 72 | EMPTYLINE=0 | |
| 73 | } | |
| 74 | /^[ ]*$/ { | |
| 75 | if (EMPTYLINE!=1) { print ""; EMPTYLINE=1 } | |
| 76 | } | |
| 77 | ' |