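#!/bin/sh
#
# Bring up a gif(4) tunnel to a remote site and protect it with IPsec
# (ESP, tunnel mode) negotiated by racoon(8): configures the gif
# interface and route, generates racoon.conf, the pre-shared-key file
# and setkey.conf, loads the SPD with setkey(8) and runs racoon in the
# foreground.
#
# Requirements: security/ipsec-tools (racoon) installed, run as root.
# Environment:  RACOON_PSK  - the pre-shared key (see the placeholder
#                             default below).
# The addresses and networks are site-specific; edit them before use.
# Run as `sh -x thisscript` if you need a trace of the commands issued
# (a `-x` in the shebang is lost when the script is run as `sh script`).
set -eu

# Print a message to stderr and abort.
die() { printf '%s\n' "$*" >&2; exit 1; }

# `command -v` is the portable "is it installed" check (which(1) is not).
command -v racoon >/dev/null 2>&1 \
  || die "You have to install security/ipsec-tools from ports collection!"

# Inner (tunnel) endpoints and the networks routed through the tunnel.
IPSEC_REM_INT="10.10.1.1"
IPSEC_REM_NET="10.10.1.0/24"
IPSEC_LOC_INT="172.24.0.1"
IPSEC_LOC_NET="172.24.0.0/24"
# Outer endpoints: the public addresses the ESP packets travel between.
IPSEC_REM_EXT="192.168.10.1"
IPSEC_LOC_EXT="192.168.10.10"

RACOON_PSK_FILE="/etc/racoon_psk.txt"
RACOON_CONFIG_FILE="/etc/racoon.conf"
SETKEY_CONF="/etc/setkey.conf"
GIF="gif0"

# Pre-shared key shared with the peer.  The default is a PLACEHOLDER so the
# script keeps working unchanged; supply a real key via the environment
# (RACOON_PSK=... sh thisscript) rather than editing a secret into this file.
RACOON_PSK="${RACOON_PSK:-mysecretkey}"

# Every file created below is created 0600.  In particular the PSK file must
# never be readable by other users, not even between creation and a later
# chmod, so the mode is restricted at creation time via umask.
umask 077

# A previous run may have left the interface behind; `create` fails then.
ifconfig "$GIF" >/dev/null 2>&1 || ifconfig "$GIF" create
ifconfig "$GIF" "$IPSEC_LOC_INT" "$IPSEC_REM_INT"
ifconfig "$GIF" tunnel "$IPSEC_LOC_EXT" "$IPSEC_REM_EXT"
# On a re-run the route is usually already in the table; report but go on.
route add "$IPSEC_REM_NET" "$IPSEC_REM_INT" \
  || printf 'warning: route add %s failed (already present?)\n' \
       "$IPSEC_REM_NET" >&2

cat > "$RACOON_CONFIG_FILE" <<EOF
path pre_shared_key "$RACOON_PSK_FILE";
# 'debug' is very chatty; lower it (e.g. to 'notify') once the tunnel works.
log debug;

padding # options are not to be changed
{
	maximum_length 20;
	randomize off;
	strict_check off;
	exclusive_tail off;
}

listen # address [port] that racoon will listen on
{
	isakmp $IPSEC_LOC_EXT [500];
}

remote $IPSEC_REM_EXT [500]
{
	exchange_mode main;
	my_identifier address $IPSEC_LOC_EXT;
	peers_identifier address $IPSEC_REM_EXT;
	proposal_check obey;

	# Phase 1.  3des/md5 are legacy choices kept for compatibility with the
	# existing peer; both sides must offer a matching proposal.
	proposal {
		encryption_algorithm 3des;
		hash_algorithm md5;
		authentication_method pre_shared_key;
		lifetime time 3600 sec;
		dh_group 2;
	}
}

# Phase 2, for the traffic selected by the setkey policy below.
sainfo (address $IPSEC_LOC_NET any address $IPSEC_REM_NET any)
{
	pfs_group 2;
	lifetime time 28800 sec;
	encryption_algorithm 3des;
	authentication_algorithm hmac_md5;
	compression_algorithm deflate;
}
EOF

# Format: <peer address> <key>.  Created 0600 thanks to the umask above.
cat > "$RACOON_PSK_FILE" <<EOF
$IPSEC_REM_EXT $RACOON_PSK
EOF
# umask only governs new files; an older, wider-mode file is tightened here.
chmod 600 "$RACOON_PSK_FILE"

# Security policy.  Note the 'use' level: packets are sent in the clear while
# no SA exists yet; change it to 'require' if traffic must never leave the
# tunnel unprotected (racoon then negotiates before anything passes).
cat > "$SETKEY_CONF" <<EOF
flush;
spdflush;
spdadd $IPSEC_LOC_NET $IPSEC_REM_NET any -P out ipsec esp/tunnel/$IPSEC_LOC_EXT-$IPSEC_REM_EXT/use;
spdadd $IPSEC_REM_NET $IPSEC_LOC_NET any -P in ipsec esp/tunnel/$IPSEC_REM_EXT-$IPSEC_LOC_EXT/use;
EOF

setkey -f "$SETKEY_CONF" || die "setkey failed to load $SETKEY_CONF"
# Foreground racoon is the script's purpose; exec so no idle shell lingers.
exec racoon -F -f "$RACOON_CONFIG_FILE"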