Re: dynamic IPSEC: Holy grail sighted

From: Christian Kratzer (ck-lists_at_cksoft.de)
Date: 08/18/03

    Date: Mon, 18 Aug 2003 17:16:10 +0200 (CEST)
    To: freebsd-security@freebsd.org

    Date: Mon, 18 Aug 2003 17:09:54 +0200 (CEST)
    From: Christian Kratzer <ck@cksoft.de>
    To: The Anarcat <anarcat@anarcat.ath.cx>
    Cc: Kent Hauser <kent.hauser@verizon.net>, security@freebsd.org,
         questions@freebsd.org
    Subject: Re: dynamic IPSEC: Holy grail sighted

    Hi,

    On Mon, 18 Aug 2003, The Anarcat wrote:
    > I don't some of the attachments you intended to send (raccoon.conf?
    > perl script?) didn't get through the list.
    >
    > I would be very interested to read those, if you don't mind sharing
    > them...

    we run the following scripts

    1. run lookup-peers.sh from cron every 3 minutes to resolve the peers
       listed in /usr/local/etc/peers.in

    2. diff the results to the results of the previous run and run update-ipsec.sh
       if changed to generate a new ipsec.conf from ipsec.conf.m4 using the m4 macro
       processor ( yes we use m4 for just about everything ;-) )

    3. update-ipsec.sh installs the new policy but purposely keeps the
       already handshaked associations in place so as not to hang connections
       unnecessarily

    you also need something else to update your dyndns setup.
    This is left as an exercise to the reader.

    The following scripts are freshly pasted out of our live setup and
    somewhat obfuscated so there might still be something missing.

    Especially the ipsec.conf.m4 will need adapting to your setup and to
    the specific host in question.

    Greetings
    Christian

    --- peers.in ---
    peera peera.yourfavourite-dyndns-provider.com
    peerb peerb.yourfavourite-dyndns-provider.com
    peerc peerc.yourfavourite-dyndns-provider.com
    --- peers.in ---

    --- lookup-peers.sh ----
    #!/bin/sh
    # Resolve the dyndns names of our IPsec peers and emit them as m4 defines.
    # Run from cron; only triggers update-ipsec.sh when an address changed.

    SRC=/usr/local/etc/peers.in
    DST=/tmp/peers.m4
    TMP=/tmp/peers.tmp
    DYNINT=tun0
    AWK=/usr/bin/awk
    IFCONFIG=/sbin/ifconfig
    HOST=/usr/local/bin/host

    if [ -f $TMP ]; then
            rm $TMP
    fi

    # our own (dynamic) address on the uplink interface
    MYIP=`$IFCONFIG $DYNINT | $AWK '/inet /{ print $2 }'`
    echo "define(\`MYIP',\`$MYIP')dnl" >> $TMP

    # one line per peer in peers.in: <m4 macro name> <dyndns hostname>
    # match "has address" so an IPv6 "has IPv6 address" answer is not picked up
    while read name host; do
            addr=`$HOST -W 3 $host | $AWK '/has address/{ print $4 }'`
            if [ -n "$addr" ]; then
                    echo "define(\`$name',\`$addr')dnl" >> $TMP
            fi
    done < $SRC

    if [ ! -f $DST ]; then
            touch $DST
    fi

    diff $DST $TMP 2> /dev/null > /dev/null
    if [ $? -ne 0 ]; then
            # ip addresses of peers changed
            mv $TMP $DST

            # trigger actions here
            /usr/local/libexec/update-ipsec.sh
    fi
    --- lookup-peers.sh ----

    --- update-ipsec.sh ---
    #!/bin/sh
    # expand the peer defines from /tmp/peers.m4 into a fresh ipsec.conf
    /usr/bin/m4 < /etc/ipsec.conf.m4 > /etc/ipsec.conf
    # load the new policy; spdflush only clears the SPD, existing SAs survive
    /usr/sbin/setkey -f /etc/ipsec.conf
    --- update-ipsec.sh ---

    --- ipsec.conf.m4 --- (on host1)
    define(`SRCNET1',`192.168.1.0/24')
    define(`DSTNET2',`192.168.2.0/24')
    define(`DSTNET3',`192.168.3.0/24')

    # flush policy
    spdflush;

    # vpn tunnel from hosta to hostb

    spdadd SRCNET1 DSTNET2 any
            -P out ipsec esp/tunnel/MYIP-hostb/require ;

    spdadd DSTNET2 SRCNET1 any
            -P in ipsec esp/tunnel/hostb-MYIP/require ;

    # vpn tunnel from hosta to hostc

    spdadd SRCNET1 DSTNET3 any
            -P out ipsec esp/tunnel/MYIP-hostc/require ;

    spdadd DSTNET3 SRCNET1 any
            -P in ipsec esp/tunnel/hostc-MYIP/require ;

    --- ipsec.conf.m4 ---

    Greetings
    Christian

    --
    CK Software GmbH
    Christian Kratzer,         Schwarzwaldstr. 31, 71131 Jettingen
    Email: ck@cksoft.de
    Phone: +49 7452 889-135    Open Software Solutions, Network Security
    Fax:   +49 7452 889-136    FreeBSD spoken here!
    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
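
The peer-resolution step of lookup-peers.sh, rewritten as an added example (not from the post above) so that only a well-formed IPv4 literal ever reaches the generated m4 file, since whatever is emitted there ends up verbatim in the setkey policy. The resolver is a stub returning constructed `host`-style output so the script runs offline; `resolve_peer`, the `PEERS` list and the addresses are assumptions, and the third peer is a deliberately failed lookup.

```shell
#!/bin/sh
# Constructed peer list in the peers.in format: <macro-name> <dyndns-name>.
PEERS='peera peera.example.invalid
peerb peerb.example.invalid
peerc peerc.example.invalid'

# Stand-in for `host -W 3 $name` with constructed answers. peerc is a
# failed lookup, as happens when a dyndns entry lapses.
resolve_peer() {
    case "$1" in
        peera.*) echo "peera.example.invalid has address 203.0.113.10" ;;
        peerb.*) echo "peerb.example.invalid has address 198.51.100.7" ;;
        *)       echo "Host $1 not found: 3(NXDOMAIN)"; return 1 ;;
    esac
}

# Accept only a dotted quad with each octet in 0..255. An error line, an
# IPv6 answer or a CNAME line would otherwise be installed as a "peer"
# address or break the policy file, so anything else is rejected.
is_ipv4() {
    echo "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# Emit one m4 define per usable peer. Peers that do not resolve cleanly are
# skipped, as in the original script, which leaves their macro undefined
# and so keeps them out of the policy rather than pointing it anywhere.
gen_defines() {
    echo "$PEERS" | while read -r name dnsname; do
        addr=$(resolve_peer "$dnsname" | awk '/has address/ { print $4 }')
        if [ -n "$addr" ] && is_ipv4 "$addr"; then
            echo "define(\`$name',\`$addr')dnl"
        else
            echo "skipping $name: no usable IPv4 address for $dnsname" >&2
        fi
    done
}

gen_defines
```

Note that a compromised dyndns record only steers the policy at a wrong address; with authenticated IKE the SA will not come up, so the failure mode is loss of the tunnel, which the skipped-peer message makes visible in cron mail.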
    
