From owner-freebsd-questions@FreeBSD.ORG Mon Aug 18 08:10:03 2003
Date: Mon, 18 Aug 2003 17:09:54 +0200 (CEST)
From: Christian Kratzer <ck@cksoft.de>
To: The Anarcat
cc: Kent Hauser, questions@freebsd.org, security@freebsd.org
Subject: Re: dynamic IPSEC: Holy grail sighted
In-Reply-To: <20030818140805.GB518@inso.ath.cx>
Message-ID: <20030818164456.O9493@majakka.cksoft.de>
References: <200308110011.58180.kent.hauser@verizon.net> <200308152329.17393.kent.hauser@verizon.net> <20030818140805.GB518@inso.ath.cx>

Hi,

On Mon, 18 Aug 2003, The Anarcat wrote:
> I don't some of the attachments you intended to send (raccoon.conf?
> perl script?) didn't get through the list.
>
> I would be very interested to read those, if you don't mind sharing
> them...

we run the following scripts:

1. run lookup-peers.sh from cron every 3 minutes to resolve the peers
   listed in /usr/local/etc/peers.in
2. diff the results against the results of the previous run and run
   update-ipsec.sh if they changed, to generate a new ipsec.conf from
   ipsec.conf.m4 using the m4 macro processor ( yes we use m4 for just
   about everything ;-) )
3. update-ipsec.sh installs the new policy but purposely keeps the
   already handshaked associations in place so as not to hang
   connections unnecessarily

you also need something else to update your dyndns setup. This is left
as an exercise to the reader.

The following scripts are freshly pasted out of our live setup and
somewhat obfuscated so there might still be something missing.
Especially the ipsec.conf.m4 will need adapting to your setup and to
the specific host in question.

Greetings
Christian

--- peers.in ---
hosta hosta.yourfavourite-dyndns-provider.com
hostb hostb.yourfavourite-dyndns-provider.com
hostc hostc.yourfavourite-dyndns-provider.com
--- peers.in ---

--- lookup-peers.sh ----
#!/bin/sh
SRC=/usr/local/etc/peers.in
DST=/tmp/peers.m4
TMP=/tmp/peers.tmp
DYNINT=tun0
AWK=/usr/bin/awk
IFCONFIG=/sbin/ifconfig
HOST=/usr/local/bin/host

# start from an empty scratch file every run
if [ -f $TMP ]; then
    rm $TMP
fi

# our own (dynamic) address, taken from the tunnel interface
MYIP=`$IFCONFIG $DYNINT | $AWK '/inet /{ print $2 }'`
echo "define(\`MYIP',\`$MYIP')dnl" >> $TMP

# one m4 define per peer that resolved; unresolved peers are left out
while read name host; do
    addr=`$HOST -W 3 $host | $AWK '/address/{ print $4 }'`
    if [ -n "$addr" ]; then
        echo "define(\`$name',\`$addr')dnl" >> $TMP
    fi
done < $SRC

if [ ! -f $DST ]; then
    touch $DST
fi

# only act when the set of addresses differs from the previous run
diff $DST $TMP 2> /dev/null > /dev/null
if [ $? -ne 0 ]; then
    # ip addresses of peers changed
    mv $TMP $DST
    # trigger actions here
    /usr/local/libexec/update-ipsec.sh
fi
--- lookup-peers.sh ----

--- update-ipsec.sh ---
#!/bin/sh
# expand the peer defines written by lookup-peers.sh into the policy
/usr/bin/m4 /tmp/peers.m4 /etc/ipsec.conf.m4 > /etc/ipsec.conf
# only the SPD is replaced; the SAD is untouched so existing SAs survive
/usr/sbin/setkey -f /etc/ipsec.conf
--- update-ipsec.sh ---

--- ipsec.conf.m4 --- (on hosta)
define(`SRCNET1',`192.168.1.0/24')
define(`DSTNET2',`192.168.2.0/24')
define(`DSTNET3',`192.168.3.0/24')

# flush policy
spdflush;

# vpn tunnel from hosta to hostb
spdadd SRCNET1 DSTNET2 any -P out ipsec esp/tunnel/MYIP-hostb/require ;
spdadd DSTNET2 SRCNET1 any -P in ipsec esp/tunnel/hostb-MYIP/require ;

# vpn tunnel from hosta to hostc
spdadd SRCNET1 DSTNET3 any -P out ipsec esp/tunnel/MYIP-hostc/require ;
spdadd DSTNET3 SRCNET1 any -P in ipsec esp/tunnel/hostc-MYIP/require ;
--- ipsec.conf.m4 ---

Greetings
Christian

--
CK Software GmbH              Christian Kratzer, Schwarzwaldstr. 31, 71131 Jettingen
Email: ck@cksoft.de           Phone: +49 7452 889-135
Open Software Solutions, Network Security    Fax: +49 7452 889-136
FreeBSD spoken here!
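The resolve-then-render loop above, as an added example in Python that is not the poster's scripts: it parses the define(...) lines lookup-peers.sh writes, renders the same spdadd pair per tunnel that ipsec.conf.m4 produces, and refuses to render at all when a peer did not resolve instead of letting an unexpanded macro name reach setkey. The tunnel table, peer names and addresses are constructed stand-ins.

```python
"""Added example: render the setkey SPD from resolved dyndns peers.
Mirrors lookup-peers.sh + ipsec.conf.m4 from the post; not the poster's
code.  Peer names, networks and addresses below are constructed."""
import ipaddress
import re

# Tunnel table in the shape of ipsec.conf.m4 on hosta:
# (local net, remote net, peer macro name).
TUNNELS = [
    ("192.168.1.0/24", "192.168.2.0/24", "hostb"),
    ("192.168.1.0/24", "192.168.3.0/24", "hostc"),
]
# Constructed stand-in for /tmp/peers.m4 as lookup-peers.sh writes it.
SAMPLE_PEERS_M4 = (
    "define(`MYIP',`192.0.2.10')dnl\n"
    "define(`hostb',`203.0.113.7')dnl\n"
    "define(`hostc',`198.51.100.9')dnl\n"
)
# Same file after hostc's lookup timed out: the script simply omits it.
SAMPLE_PARTIAL = SAMPLE_PEERS_M4.replace("define(`hostc',`198.51.100.9')dnl\n", "")

DEFINE_RE = re.compile(r"define\(`(\w+)',`([^']*)'\)dnl")

class UnresolvedPeer(Exception):
    """A peer the policy needs has no usable address this run."""

def parse_peers_m4(text):
    """Return {macro name: address} from define(`name',`addr')dnl lines."""
    return {m.group(1): m.group(2) for m in DEFINE_RE.finditer(text)}

def _addr(defs, name):
    """Fetch a peer address, failing loudly instead of passing junk to setkey."""
    value = defs.get(name)
    if not value:
        # m4 would leave the bare macro name in ipsec.conf, e.g. "MYIP-hostc".
        raise UnresolvedPeer(name)
    ipaddress.ip_address(value)  # ValueError on anything that is not an IP
    return value

def render_policy(defs, tunnels=TUNNELS):
    """Build the ipsec.conf text that peers.m4 + ipsec.conf.m4 would yield."""
    myip = _addr(defs, "MYIP")
    lines = ["spdflush;"]
    for local, remote, peer in tunnels:
        addr = _addr(defs, peer)
        lines.append(f"spdadd {local} {remote} any -P out ipsec esp/tunnel/{myip}-{addr}/require;")
        lines.append(f"spdadd {remote} {local} any -P in ipsec esp/tunnel/{addr}-{myip}/require;")
    return "\n".join(lines) + "\n"
```

A caller keeps the previously installed policy whenever render_policy raises, which is the behaviour the cron job above gets only by accident when diff sees no change.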