#!/bin/sh

################################################################################
##                                                                            ##
## Copyright (c) International Business Machines  Corp., 2005                 ##
##                                                                            ##
## This program is free software;  you can redistribute it and/or modify      ##
## it under the terms of the GNU General Public License as published by       ##
## the Free Software Foundation; either version 2 of the License, or          ##
## (at your option) any later version.                                        ##
##                                                                            ##
## This program is distributed in the hope that it will be useful, but        ##
## WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY ##
## or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License   ##
## for more details.                                                          ##
##                                                                            ##
## You should have received a copy of the GNU General Public License          ##
## along with this program;  if not, write to the Free Software               ##
## Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA    ##
##                                                                            ##
##                                                                            ##
################################################################################
#
# File:
#   output_ipsec_conf
#
# Description:
#   Output IPsec configuration
#
# Author:
#   Mitsuru Chinen <mitch@jp.ibm.com>
#
# Exit Value:
#    0: Exit normally
#   >0: Exit abnormally
#
# History:
#   Oct 19 2005 - Created (Mitsuru Chinen)
#
#-----------------------------------------------------------------------
# Debug hook: this line expands to nothing unless the caller has set
# trace_logic (typically to a tracing command such as "set -x").
$trace_logic

# Algorithms and keys that are written verbatim into the generated
# configuration. The key strings are literal constants of this script.
EALGO=3des-cbc                        # encryption algorithm
EALGO_KEY=_I_want_to_have_chicken_    # encryption key

AALGO=hmac-sha1                       # authentication algorithm
AALGO_KEY=beef_fish_pork_salad        # authentication key

CALGO=deflate                         # compression algorithm


#-----------------------------------------------------------------------
#
# Function: usage
#
# Description:
#   Print the usage of this script, then exit
#
#-----------------------------------------------------------------------
usage() {
    # Help text goes to stderr so it never mixes with the generated
    # configuration on stdout. The quoted delimiter keeps the text
    # literal (it contains no expansions).
    cat >&2 <<'EOD'
output_ipsec_conf flush
    Flush the SAD and SPD entries.

output_ipsec_conf target protocol mode first_spi src_addr dst_addr
    target: target of the configuration file ( src / dst )
    protocol: ah / esp / ipcomp
    mode: transport / tunnel
    first_spi: the first spi value
    src_addr: source IP address
    dst_addr: destination IP address
EOD
    # Always an error exit: usage is only printed on bad invocation.
    exit 1
}



#-----------------------------------------------------------------------
#
# Main
#
#

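# When the argument is `flush', emit the commands that flush the SAD and
# SPD, then stop. Quoting $1 keeps the test well-formed for any value.
if [ "x$1" = x"flush" ]; then
    echo "spdflush ;"
    echo "flush ;"
    exit 0
fi

# Every other invocation needs exactly six positional arguments.
if [ $# -ne 6 ]; then
    usage
fi
target=$1
protocol=$2
mode=$3
first_spi=$4
src_ipaddr=$5
dst_ipaddr=$6

# Validate all arguments before writing anything, so a bad invocation
# never leaves a partially written configuration on stdout.

# first_spi is incremented below, so it must be a non-negative decimal
# integer; anything else would yield an empty or broken SPI field.
case $first_spi in
    ''|*[!0-9]*)
    usage
    ;;
esac

# Algorithm options for each protocol
case $protocol in
    ah)
    algo_line="-A $AALGO \"$AALGO_KEY\""
    ;;
    esp)
    algo_line="-E $EALGO \"$EALGO_KEY\" -A $AALGO \"$AALGO_KEY\""
    ;;
    ipcomp)
    algo_line="-C $CALGO"
    ;;
    *)
    usage
    ;;
esac

# Policy directions for each target (src: out then in; dst: in then out)
case $target in
    src)
    direct1=out
    direct2=in
    ;;
    dst)
    direct1=in
    direct2=out
    ;;
    *)
    usage
    ;;
esac

# Policy strings for each mode. An unknown mode is rejected here instead
# of silently producing a configuration with no SPD entries.
case $mode in
    transport)
    policy1="$protocol/transport//use"
    policy2="$protocol/transport//use"
    ;;
    tunnel)
    policy1="$protocol/tunnel/${src_ipaddr}-${dst_ipaddr}/use"
    policy2="$protocol/tunnel/${dst_ipaddr}-${src_ipaddr}/use"
    ;;
    *)
    usage
    ;;
esac

# The reverse-direction SA uses the next SPI. expr is kept (rather than
# $(( ))) so a value with leading zeros stays decimal, as it always has.
second_spi=$(expr "$first_spi" + 1)

# Write lines for adding an SAD entry in each direction
cat << EOD
add $src_ipaddr $dst_ipaddr $protocol $first_spi
    -m $mode
    $algo_line ;

add $dst_ipaddr $src_ipaddr $protocol $second_spi
    -m $mode
    $algo_line ;

EOD

# Write lines for adding an SPD entry in each direction
cat << EOD
spdadd $src_ipaddr $dst_ipaddr any
    -P $direct1 ipsec $policy1 ;

spdadd $dst_ipaddr $src_ipaddr any
    -P $direct2 ipsec $policy2 ;
EOD

exit 0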