Date:      Sat, 2 Dec 2000 13:06:24 +0800 (+0800)
From:      Michael Robinson <robinson@netrinsics.com>
To:        freebsd-security@freebsd.org
Subject:   Dialup access and KAME IPSEC
Message-ID:  <200012020506.eB256OP08066@netrinsics.com>

A while ago I posted on the problem of creating dialup VPNs with KAME IPSEC
(because KAME has no facility to update SPD entries with dynamic IP addresses).
I heard from several other people with the same problem.  I finally had to
hack together a fix, and I thought I should share it.

It's ugly but it works.  There are two python scripts, "secmon" and "secping".
The "secmon" script sits on a port on the dedicated gateway waiting for a
"ping" from the "secping" script, and when it gets one, updates the SPD
entries accordingly.  The "secping" script is run from /etc/ppp/ppp.linkup
on the dialup gateway before pipsecd (caveat: pipsecd will not work with a 
kernel that has IPSEC enabled).  There are rudimentary security features to
discourage DoS attacks (port and password checking).

These versions of the scripts are for my own requirements (a remote office
with a /23 subnet).  The scripts are not intended to be plug and play, but
they should be trivial to hand customize to meet other requirements.

It would also be trivial to port these scripts to perl, for people who don't
install python.

	-Michael Robinson

----------- Cut Here --------------
#!/usr/local/bin/python
#
# secmon script to update KAME IPSEC SPD entries for dialup VPNs
# (Python 2: uses print statements and the popen2 module)
#
from socket import socket, AF_INET, SOCK_DGRAM
from popen2 import popen2

# change this config string to match your VPN configuration;
# %(address)s is replaced with the dialup gateway's current public address
config_base = """
spddelete 172.16.0.0/12 172.16.0.16 any -P out;
spddelete 172.16.0.16 172.16.0.0/12 any -P in;
spddelete 172.16.0.0/12 172.16.4.0/23 any -P out;
spddelete 172.16.4.0/23 172.16.0.0/12 any -P in;

add 216.136.204.21 %(address)s
    esp 1010
    -lh 36000 -ls 3600
    -E blowfish-cbc 0xdeadbeefdeadbeefdeadbeefdeadbeef ;
add %(address)s 216.136.204.21
    esp 1010
    -lh 36000 -ls 3600
    -E blowfish-cbc 0xdeadbeefdeadbeefdeadbeefdeadbeef ;

spdadd 172.16.0.0/12 172.16.0.16 any
    -P out ipsec
    esp/tunnel/216.136.204.21-%(address)s/require ;
spdadd 172.16.0.16 172.16.0.0/12 any
    -P in ipsec
    esp/tunnel/%(address)s-216.136.204.21/require ;
spdadd 172.16.0.0/12 172.16.4.0/23 any
    -P out ipsec
    esp/tunnel/216.136.204.21-%(address)s/require ;
spdadd 172.16.4.0/23 172.16.0.0/12 any
    -P in ipsec
    esp/tunnel/%(address)s-216.136.204.21/require ;
"""
# end config string

# listen on the fixed gateway address for pings from secping
s = socket(AF_INET, SOCK_DGRAM)
s.bind(("216.136.204.21", 4884))
while 1:
    (data, address) = s.recvfrom(1500)
    # accept only the shared password, and only when sent from source port 4884
    if data == "Open Sesame" and address[1] == 4884:
        print "good ping: %s" % address[0]
        config = config_base % {"address": address[0]}

        # feed the generated SAD/SPD commands to setkey(8) on its stdin
        (stdout, stdin) = popen2("/usr/sbin/setkey -c")
        stdin.write(config)
        stdin.close()
        print stdout.read()

        s.sendto("OK", address)
    else:
        print "bad ping: %s" % address[0]
        s.sendto("BAD", address)
----------- Cut Here --------------
#!/usr/local/bin/python
#
# secping script to trigger secmon SPD update
# place in /etc/ppp/ppp.linkup
#
from socket import socket, AF_INET, SOCK_DGRAM

# bind to port 4884 so the ping leaves from the source port secmon expects
s = socket(AF_INET, SOCK_DGRAM)
s.bind(("0.0.0.0", 4884))
s.sendto("Open Sesame", ("216.136.204.21", 4884))
# wait for secmon's reply and check that it really came from the gateway
(data, address) = s.recvfrom(1500)
if data == "OK" and address[0] == "216.136.204.21" and address[1] == 4884:
    print "good reply"
else:
    print "bad reply"
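The "password and port checking" above sends a fixed cleartext token over UDP, so anyone who can observe or guess it can make secmon rewrite the SPD for a source address of their choosing. The following is an added example, not code from Michael's post, of an authenticated trigger that secmon could verify in place of the `data == "Open Sesame"` test: the ping carries a timestamp, a random nonce and an HMAC-SHA256 tag under a shared secret, so a captured datagram is rejected outside a short time window and cannot be replayed inside it. The secret, the 30 second window and the message layout are assumptions.

```python
import hashlib
import hmac
import os
import struct
import time

# constructed shared secret for the example; in practice load it from a root-only file
SECRET = b"constructed-example-secret"
WINDOW = 30          # seconds of clock skew tolerated between the two gateways
MAGIC = b"Open Sesame"
TS_LEN, NONCE_LEN, TAG_LEN = 8, 16, 32


def make_ping(secret, now=None, nonce=None):
    """Build an authenticated ping: timestamp || nonce || HMAC-SHA256(secret, MAGIC || timestamp || nonce)."""
    ts = int(time.time() if now is None else now)
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    body = struct.pack("!Q", ts) + nonce
    tag = hmac.new(secret, MAGIC + body, hashlib.sha256).digest()
    return body + tag


def verify_ping(secret, data, seen, now=None):
    """Accept a ping only if its tag verifies, it is within WINDOW seconds and its nonce is unused.

    `seen` maps accepted nonces to their timestamps; entries older than WINDOW are
    pruned on every call so the replay table stays bounded.
    """
    if len(data) != TS_LEN + NONCE_LEN + TAG_LEN:
        return False
    body, tag = data[:TS_LEN + NONCE_LEN], data[TS_LEN + NONCE_LEN:]
    expected = hmac.new(secret, MAGIC + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return False
    ts = struct.unpack("!Q", body[:TS_LEN])[0]
    nonce = body[TS_LEN:]
    current = int(time.time() if now is None else now)
    if abs(current - ts) > WINDOW:               # stale or far-future timestamp
        return False
    for old in [n for n, t in seen.items() if current - t > WINDOW]:
        del seen[old]
    if nonce in seen:                            # replay of a captured datagram
        return False
    seen[nonce] = ts
    return True
```

secping would send `make_ping(SECRET)` instead of the fixed string, and secmon would keep one `seen` dict for the life of the process and call `verify_ping(SECRET, data, seen)` before touching setkey; the source address is still taken from the datagram, so the secret is what stops a third party from redirecting the tunnel.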
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200012020506.eB256OP08066>