From owner-freebsd-security Fri Dec  1 21:04:51 2000
Delivered-To: freebsd-security@freebsd.org
Received: from public.bta.net.cn (public.bta.net.cn [202.96.0.97]) by hub.freebsd.org (Postfix) with SMTP id 82CD937B400 for ; Fri, 1 Dec 2000 21:04:46 -0800 (PST)
Received: from netrinsics.com([202.106.5.60]) by public.bta.net.cn(JetMail 2.5.3.0) with SMTP id jm33a28963f; Sat, 2 Dec 2000 05:04:08 -0000
Received: (from robinson@localhost) by netrinsics.com (8.11.1/8.11.1) id eB256OP08066 for freebsd-security@freebsd.org; Sat, 2 Dec 2000 13:06:24 +0800 (+0800) (envelope-from robinson)
Date: Sat, 2 Dec 2000 13:06:24 +0800 (+0800)
From: Michael Robinson
Message-Id: <200012020506.eB256OP08066@netrinsics.com>
To: freebsd-security@freebsd.org
Subject: Dialup access and KAME IPSEC
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

A while ago I posted on the problem of creating dialup VPNs with KAME IPSEC
(because KAME has no facility to update SPD entries with dynamic IP
addresses).  I heard from several other people with the same problem.  I
finally had to hack together a fix, and I thought I should share it.  It's
ugly but it works.

There are two python scripts, "secmon" and "secping".  The "secmon" script
sits on a port on the dedicated gateway waiting for a "ping" from the
"secping" script, and when it gets one, updates the SPD entries
accordingly.  The "secping" script is run from /etc/ppp/ppp.linkup on the
dialup gateway before pipsecd (caveat: pipsecd will not work with a kernel
that has IPSEC enabled).  There are rudimentary security features to
discourage DoS attacks (port and password checking).

These versions of the scripts are for my own requirements (a remote office
with a /23 subnet).  The scripts are not intended to be plug-and-play, but
they should be trivial to hand-customize to meet other requirements.  It
would also be trivial to port these scripts to perl, for people who don't
install python.
	-Michael Robinson

----------- Cut Here --------------
#!/usr/local/bin/python
#
# secmon script to update KAME IPSEC SPD entries for dialup VPNs
#
from socket import socket, AF_INET, SOCK_DGRAM
from popen2 import popen2

# change this config string to match your VPN configuration
#
# %(address)s is replaced with the source address of the "ping" sent by
# secping, i.e. the dialup gateway's current dynamic address.  The
# spddelete lines remove the SPD entries installed for the previous
# address before the new ones are added.
config_base = """
spddelete 172.16.0.0/12 172.16.0.16 any -P out;
spddelete 172.16.0.16 172.16.0.0/12 any -P in;
spddelete 172.16.0.0/12 172.16.4.0/23 any -P out;
spddelete 172.16.4.0/23 172.16.0.0/12 any -P in;
add 216.136.204.21 %(address)s esp 1010 -lh 36000 -ls 3600 -E blowfish-cbc 0xdeadbeefdeadbeefdeadbeefdeadbeef ;
add %(address)s 216.136.204.21 esp 1010 -lh 36000 -ls 3600 -E blowfish-cbc 0xdeadbeefdeadbeefdeadbeefdeadbeef ;
spdadd 172.16.0.0/12 172.16.0.16 any -P out ipsec esp/tunnel/216.136.204.21-%(address)s/require ;
spdadd 172.16.0.16 172.16.0.0/12 any -P in ipsec esp/tunnel/%(address)s-216.136.204.21/require ;
spdadd 172.16.0.0/12 172.16.4.0/23 any -P out ipsec esp/tunnel/216.136.204.21-%(address)s/require ;
spdadd 172.16.4.0/23 172.16.0.0/12 any -P in ipsec esp/tunnel/%(address)s-216.136.204.21/require ;
"""
# end config string

# listen on the dedicated gateway's public address only
s = socket(AF_INET, SOCK_DGRAM)
s.bind(("216.136.204.21", 4884))

while 1:
    (data, address) = s.recvfrom(1500)
    # "password" and source port check; the datagram's source address
    # becomes the remote tunnel endpoint
    if data == "Open Sesame" and address[1] == 4884:
        print "good ping: %s" % address[0]
        config = config_base % {"address": address[0]}
        # feed the generated commands to setkey on its stdin
        (stdout, stdin) = popen2("/usr/sbin/setkey -c")
        stdin.write(config)
        stdin.close()
        print stdout.read()
        s.sendto("OK", address)
    else:
        print "bad ping: %s" % address[0]
        s.sendto("BAD", address)
----------- Cut Here --------------
#!/usr/local/bin/python
#
# secping script to trigger secmon SPD update
# place in /etc/ppp/ppp.linkup
#
from socket import socket, AF_INET, SOCK_DGRAM
from select import select

s = socket(AF_INET, SOCK_DGRAM)
# bind to the source port that secmon checks for
s.bind(("0.0.0.0", 4884))
s.sendto("Open Sesame", ("216.136.204.21", 4884))

# don't hang ppp.linkup forever if the gateway does not answer
(ready, w, x) = select([s], [], [], 10)
if ready:
    (data, address) = s.recvfrom(1500)
else:
    (data, address) = ("", ("", 0))

if data == "OK" and address[0] == "216.136.204.21" and address[1] == 4884:
    print "good reply"
else:
    print "bad reply"

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
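The trigger exchange in the posted scripts rests on a cleartext password and a fixed source port, so any host that can send or replay a datagram to port 4884 with a spoofed source can make secmon install SPD entries pointing the tunnel at an address of the sender's choosing. The following is an added example, not part of Michael Robinson's scripts, showing the same secping/secmon exchange with the request authenticated: the ping carries a random nonce, a timestamp and the claimed address under an HMAC-SHA256 tag, and the gateway accepts it only if the tag verifies, the timestamp is inside a short window, the nonce has not been seen, and the claimed address equals the UDP source. It assumes a secret shared out of band between the two gateways, a constructed datagram layout, documentation addresses (203.0.113.1 for the dedicated gateway, 198.51.100.0/24 and 203.0.113.10 for dialup addresses) in place of the real ones, and Python 3. The setkey template is a shortened stand-in for the posted config_base; the returned address is what a real secmon would substitute into the full one.

```python
#!/usr/bin/env python3
"""Authenticated secping/secmon exchange (added example, not the posted scripts).

Constructed datagram format, one UDP packet each way:
  ping  = MAGIC | nonce[16] | timestamp[4, big-endian] | addr[4] | tag[32]
  tag   = HMAC-SHA256(secret, MAGIC | nonce | timestamp | addr)
  reply = b"OK" or b"BAD"
The secret is assumed to be shared out of band between both gateways.
"""
import hashlib
import hmac
import ipaddress
import os
import struct
import time

MAGIC = b"SP1"          # constructed protocol tag
NONCE_LEN = 16
TAG_LEN = 32            # SHA-256 output length
PING_LEN = len(MAGIC) + NONCE_LEN + 4 + 4 + TAG_LEN   # 59 bytes
REPLAY_WINDOW = 60      # seconds of clock skew / replay tolerated


def _signed_part(nonce, ts, addr):
    """Bytes covered by the MAC: header, nonce, timestamp and claimed address."""
    return MAGIC + nonce + struct.pack(">I", ts) + ipaddress.IPv4Address(addr).packed


def build_ping(secret, addr, nonce=None, now=None):
    """secping side: build an authenticated trigger claiming 'addr' as our address."""
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    ts = int(time.time()) if now is None else int(now)
    body = _signed_part(nonce, ts, addr)
    return body + hmac.new(secret, body, hashlib.sha256).digest()


class PingVerifier:
    """secmon side: accept a ping only if it is unforged, fresh and from the address it claims."""

    def __init__(self, secret, window=REPLAY_WINDOW):
        self.secret = secret
        self.window = window
        self.seen = {}      # nonce -> timestamp, pruned as entries age out

    def verify(self, data, peer_addr, now=None):
        """Return the authenticated dialup address, or None if the ping is rejected."""
        now = int(time.time()) if now is None else int(now)
        if len(data) != PING_LEN or not data.startswith(MAGIC):
            return None
        body, tag = data[:-TAG_LEN], data[-TAG_LEN:]
        expected = hmac.new(self.secret, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):       # constant-time compare
            return None
        off = len(MAGIC)
        nonce = body[off:off + NONCE_LEN]
        ts, = struct.unpack(">I", body[off + NONCE_LEN:off + NONCE_LEN + 4])
        addr = str(ipaddress.IPv4Address(body[off + NONCE_LEN + 4:]))
        if abs(now - ts) > self.window:                  # stale or old replay
            return None
        if addr != peer_addr:                            # claimed address must be the UDP source
            return None
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        if nonce in self.seen:                           # replay inside the window
            return None
        self.seen[nonce] = ts
        return addr


def handle_datagram(verifier, data, peer, now=None):
    """Map one received datagram (data, (host, port)) to (reply, dialup address or None)."""
    addr = verifier.verify(data, peer[0], now)
    return (b"OK", addr) if addr else (b"BAD", None)


# Constructed, shortened setkey fragment in the style of the posted config_base.
GATEWAY = "203.0.113.1"   # documentation address standing in for the real gateway
SETKEY_TEMPLATE = (
    "spddelete 172.16.0.0/12 172.16.4.0/23 any -P out;\n"
    "spdadd 172.16.0.0/12 172.16.4.0/23 any -P out ipsec "
    "esp/tunnel/%(gateway)s-%(address)s/require;\n"
)


def render_setkey(address, template=SETKEY_TEMPLATE, gateway=GATEWAY):
    """Fill the template only with a value that parses as an IPv4 address."""
    return template % {"gateway": gateway, "address": str(ipaddress.IPv4Address(address))}


if __name__ == "__main__":
    # Local demonstration without sockets: a good ping, then its replay.
    secret = b"constructed-shared-secret"
    v = PingVerifier(secret)
    ping = build_ping(secret, "198.51.100.7")
    print(handle_datagram(v, ping, ("198.51.100.7", 4884)))   # (b'OK', '198.51.100.7')
    print(handle_datagram(v, ping, ("198.51.100.7", 4884)))   # (b'BAD', None)
```

In a deployment, secmon's loop would call handle_datagram on each recvfrom() result, run render_setkey on the returned address through setkey -c, and send the reply; secping would send build_ping() with its new interface address and wait, with a timeout, for b"OK". The address check matters even with the MAC: without it, a captured ping from a previous dialup session could be replayed from anywhere once its nonce had aged out of the cache, so the timestamp window bounds how long nonces must be remembered.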