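#!/bin/sh
#
# Bring up a gif-based IPsec tunnel to a single peer and run racoon
# (security/ipsec-tools) as the IKE daemon in the foreground.
#
# Usage: run as root on the local endpoint.  The peer needs the mirrored
# configuration (local/remote addresses swapped) and the same pre-shared key.
#
# Environment:
#   RACOON_PSK  pre-shared key written to RACOON_PSK_FILE.  It defaults to
#               the original placeholder for backward compatibility; set it
#               to a real key before use.
#
# -x is enabled with `set` rather than in the shebang so it survives
# `sh ./script`; it is suspended around the pre-shared key handling so the
# key never appears in the trace output on stderr.
set -eu
set -x

# Print a message to stderr and exit non-zero.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# command -v is the portable replacement for which(1).
command -v racoon >/dev/null 2>&1 \
  || die "You have to install security/ipsec-tools from ports collection!"

IPSEC_REM_INT="10.10.1.1"       # remote gif inner address
IPSEC_REM_NET="10.10.1.0/24"    # remote protected network
IPSEC_REM_EXT="192.168.10.1"    # remote tunnel / IKE endpoint
IPSEC_LOC_INT="172.24.0.1"      # local gif inner address
IPSEC_LOC_NET="172.24.0.0/24"   # local protected network
IPSEC_LOC_EXT="192.168.10.10"   # local tunnel / IKE endpoint
RACOON_PSK_FILE="/etc/racoon_psk.txt"
RACOON_CONFIG_FILE="/etc/racoon.conf"
SETKEY_CONF="/etc/setkey.conf"
GIF="gif0"

# The key comes from the environment instead of being hard-coded in the
# script; tracing is off so the assignment is not echoed.
set +x
RACOON_PSK="${RACOON_PSK:-mysecretkey}"
set -x

# `ifconfig create` fails when the interface already exists, so only create
# it when absent; this makes re-running after a partial run safe.
ifconfig "$GIF" >/dev/null 2>&1 || ifconfig "$GIF" create
ifconfig "$GIF" "$IPSEC_LOC_INT" "$IPSEC_REM_INT"
ifconfig "$GIF" tunnel "$IPSEC_LOC_EXT" "$IPSEC_REM_EXT"
# `route add` refuses an existing route; fall back to updating it.
route add "$IPSEC_REM_NET" "$IPSEC_REM_INT" \
  || route change "$IPSEC_REM_NET" "$IPSEC_REM_INT"

# Phase 1 / phase 2 proposals below use legacy algorithms (3des, md5,
# hmac_md5, dh_group 2).  They are kept because the peer must offer the same
# proposal; when both ends can be changed, prefer aes / sha256 / dh_group 14.
cat <<EOF > "$RACOON_CONFIG_FILE"
path pre_shared_key "$RACOON_PSK_FILE";
log debug;

padding # options are not to be changed
{
	maximum_length 20;
	randomize off;
	strict_check off;
	exclusive_tail off;
}

listen # address [port] that racoon will listen on
{
	isakmp $IPSEC_LOC_EXT [500];
}

remote $IPSEC_REM_EXT [500]
{
	exchange_mode main;
	my_identifier address $IPSEC_LOC_EXT;
	peers_identifier address $IPSEC_REM_EXT;
	proposal_check obey;

	proposal {
		encryption_algorithm 3des;
		hash_algorithm md5;
		authentication_method pre_shared_key;
		lifetime time 3600 sec;
		dh_group 2;
	}
}

sainfo (address $IPSEC_LOC_NET any address $IPSEC_REM_NET any)
{
	pfs_group 2;
	lifetime time 28800 sec;
	encryption_algorithm 3des;
	authentication_algorithm hmac_md5;
	compression_algorithm deflate;
}
EOF

# Create the key file with restrictive permissions from the start (umask in a
# subshell) instead of tightening them afterwards, so it is never readable by
# other users even briefly; a stale file is removed first because `>` would
# keep its old mode.  The chmod remains as a belt-and-braces fix-up.
set +x
rm -f -- "$RACOON_PSK_FILE"
( umask 077; printf '%s %s\n' "$IPSEC_REM_EXT" "$RACOON_PSK" > "$RACOON_PSK_FILE" )
chmod 600 "$RACOON_PSK_FILE"
set -x

# NOTE: the `use` policy level lets matching traffic leave in the clear when
# no SA is available; `require` would drop it instead.  Switch to `require`
# once the peer is known to be reliably reachable.
cat <<EOF > "$SETKEY_CONF"
flush;
spdflush;
spdadd $IPSEC_LOC_NET $IPSEC_REM_NET any -P out ipsec esp/tunnel/$IPSEC_LOC_EXT-$IPSEC_REM_EXT/use;
spdadd $IPSEC_REM_NET $IPSEC_LOC_NET any -P in ipsec esp/tunnel/$IPSEC_REM_EXT-$IPSEC_LOC_EXT/use;
EOF

# Load the policies from the file just written (same path as SETKEY_CONF),
# then run racoon in the foreground (-F) with the generated configuration.
setkey -f "$SETKEY_CONF"
racoon -F -f "$RACOON_CONFIG_FILE"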