From d3bafc0a20398158ffb9ad0f9edcfe1d86fbec35 Mon Sep 17 00:00:00 2001
From: Progfou
Date: Wed, 16 Feb 2011 17:21:56 +0700
Subject: [PATCH] =?utf8?q?Outil=20d'aide=20=C3=A0=20la=20migration=20de=20pi?=
 =?utf8?q?psecd=20vers=20ipsec-tools.?=
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

---
 sysadmin/pipsecd2ipsectools | 77 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 77 insertions(+)
 create mode 100755 sysadmin/pipsecd2ipsectools

diff --git a/sysadmin/pipsecd2ipsectools b/sysadmin/pipsecd2ipsectools
new file mode 100755
index 0000000..4ad48eb
--- /dev/null
+++ b/sysadmin/pipsecd2ipsectools
@@ -0,0 +1,77 @@
+#!/bin/sh
+# pipsecd2ipsectools - outil d'aide à la migration de pipsecd vers ipsec-tools
+# Copyright ©2011 Agence universitaire de la Francophonie
+# http://www.auf.org/
+# Licence : GNU General Public License, version 3
+# Auteur : Progfou
+# Création : 2011-02-15
+# Mise à jour : 2011-02-16
+LOCALGW="210.245.61.206"
+LOCALIP="10.230.0.254"
+LOCALNET="10.230.0.0/20"
+
+cat << __EOF__
+
+# REMARQUES :
+# - l'ordre des règles spdadd est important et doit correspondre à l'ordre
+# des routes les plus précises vers les routes les plus générales
+
+# ne pas utiliser IPsec en réseau local
+
+spdadd $LOCALNET $LOCALNET any -P out none ;
+spdadd $LOCALNET $LOCALNET any -P in none ;
+
+__EOF__
+
+(
+# pré-traitement de la liste des réseaux dans /etc/pipsecd/startup
+awk '
+/^ifconfig / {
+ IF=substr($2,6)
+ REMOTENET=$5; split(REMOTENET,N,"\.")
+ REMOTEMASK=$7; split(REMOTEMASK,M,"\.")
+ REMOTENET=N[1]"."N[2]"."N[3]".0" # incorrect mais plus simple pour le moment
+ REMOTECIDR=32-log(256^4-(M[1]*256^3+M[2]*256^2+M[3]*256+M[4]))/log(2)
+ printf("remotenet %s %s\n", IF, REMOTENET"/"REMOTECIDR)
+}
+' /etc/pipsecd/startup
+# envoi du contenu de /etc/pipsecd/pipsecd.conf
+sed -e '/^[^#]/s/ *= */=/g' /etc/pipsecd/pipsecd.conf
+) | awk -v LOCALGW="$LOCALGW" -v LOCALIP="$LOCALIP" -v LOCALNET="$LOCALNET" '
+/^remotenet / {
+ IF=$2; REMOTENET[IF]=$3
+ #printf("# IF=%s REMOTENET=%s\n", IF, REMOTENET[IF])
+}
+/^#/ {
+ LASTCOMMENT=$0
+}
+/^sa / {
+ SPI=substr($3,5)
+ ENC=substr($4,5); EKEY=substr($5,6); gsub("_","-",ENC)
+ AUTH=substr($6,6); AKEY=substr($7,6); gsub("_","-",AUTH)
+ if (AUTH=="hmac-md5-96") { AUTH="hmac-md5" }
+ if ($8 != "") {
+ OSPI=SPI; OENC=ENC; OEKEY=EKEY; OAUTH=AUTH; OAKEY=AKEY
+ REMOTEGW=substr($8,6)
+ } else {
+ ISPI=SPI; IENC=ENC; IEKEY=EKEY; IAUTH=AUTH; IAKEY=AKEY
+ }
+}
+/^if / {
+ IF=$2; LSPI=substr($3,10); RSPI=substr($4,11)
+ IPROUTE="ip route add "REMOTENET[IF]" via "LOCALGW" src "LOCALIP
+ printf("%s\n#%s\n\n", LASTCOMMENT, IPROUTE)
+ printf("spdadd %s %s any -P out ipsec\n", LOCALNET, REMOTENET[IF])
+ printf(" esp/tunnel/%s-%s/require ;\n", LOCALGW, REMOTEGW)
+ printf("spdadd %s %s any -P in ipsec\n", REMOTENET[IF], LOCALNET)
+ printf(" esp/tunnel/%s-%s/require ;\n\n", REMOTEGW, LOCALGW)
+ printf("add %s %s esp-old %s -m tunnel\n", LOCALGW, REMOTEGW, OSPI)
+ printf(" -E %s 0x%s\n -A %s 0x%s ;\n", OENC, OEKEY, OAUTH, OAKEY)
+ printf("add %s %s esp-old %s -m tunnel\n", REMOTEGW, LOCALGW, ISPI)
+ printf(" -E %s 0x%s\n -A %s 0x%s ;\n\n", IENC, IEKEY, IAUTH, IAKEY)
+ EMPTYLINE=0
+}
+/^[ ]*$/ {
+ if (EMPTYLINE!=1) { print ""; EMPTYLINE=1 }
+}
+'
-- 
1.7.10.4
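Review bot: In the `/^if /` rule of the second awk program, `REMOTENET[IF]` is used without checking that an `ifconfig` line for that interface was actually seen in /etc/pipsecd/startup; when it was not, the generated `spdadd` lines have an empty selector and setkey rejects the whole policy file, so the rule should start with `if (!(IF in REMOTENET)) { printf("# WARNING: no network known for interface %s\n", IF); next }`, and `REMOTEGW`, `OSPI` and `ISPI` deserve the same treatment when the `sa` entries of a tunnel are incomplete. Separately, the `/^ifconfig /` rule zeroes only the last octet (its own comment calls this incorrect) while `REMOTECIDR` is computed from the real mask, so whenever the address or mask is not on a /24 boundary the `spdadd ... require` selectors and the suggested `ip route` do not describe the real remote prefix, and destinations outside the selector match no policy at all and would, as far as I can tell, leave the host without IPsec. Masking each octet against the netmask, `for (i=1;i<=4;i++) O[i]=N[i]-N[i]%(256-M[i])` followed by `REMOTENET=O[1]"."O[2]"."O[3]"."O[4]`, yields the correct network address for any contiguous mask and removes the need for the "incorrect" comment. Finally, the output contains the ESP encryption and authentication keys of every SA in clear, which the file header does not mention; a line such as `# NOTE: the output contains SA keys, redirect it only to a root-owned file with mode 0600` in the header would tell whoever runs the tool how to handle the result.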