author | root <root@samizdat> | 2021-09-29 00:36:13 -0400 |
---|---|---|
committer | root <root@samizdat> | 2021-09-29 01:10:46 -0400 |
commit | f0580823e871ff0d92c2186df66cc1b89b49800e (patch) | |
tree | 9f2b65d6239f5d4da4310be9bf1be9bb30877f84 | |
parent | df813656daa428d4bd631aa722bee575bd9d7321 (diff) |
-rw-r--r-- | andy.brief.conf | 28 | ||||
-rw-r--r-- | andy.conf | 5 | ||||
-rw-r--r-- | ipsec.conf.empty | 5 | ||||
-rw-r--r-- | keycopy.sh | 53 |
4 files changed, 83 insertions, 8 deletions
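--- /dev/null
+++ b/andy.brief.conf
@@ -0,0 +1,28 @@
+connections {
+andy {
+remote_addrs = 68.48.18.140
+vips = ::
+local1 {
+pubkeys = ssh_host_rsa_key.pub
+auth = pubkey
+id = dd6c:fbfd:eeb8:4709
+}
+remote1 {
+id = "68.48.18.140"
+pubkeys = andy.pub
+auth = pubkey
+}
+children {
+child1 {
+remote_ts = 0::0/0
+mode = tunnel
+dpd_action = restart
+}
+}
+}
+}
+secrets {
+private1 {
+file = ssh_host_rsa_key
+}
+}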
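Review bot: `dpd_action = restart` in child1 has no effect on its own, because dead-peer detection in swanctl is driven by the connection-level `dpd_delay`, whose default of 0s disables it (worth confirming against the installed strongSwan version). If the intent is to recover the tunnel after the peer goes silent, add a sample such as `dpd_delay = 30s` under `andy {` next to `remote_addrs`. Separately, `pubkeys = ssh_host_rsa_key.pub` together with `secrets { private1 { file = ssh_host_rsa_key } }` reuses the SSH host key as the IKE identity key; a one-line comment stating that this cross-protocol reuse is deliberate would help the next maintainer, since a compromise of either service now affects both.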
@@ -22,7 +22,7 @@ connections { | |||
22 | # version = 0 | 22 | # version = 0 |
23 | 23 | ||
24 | # Local address(es) to use for IKE communication, comma separated. | 24 | # Local address(es) to use for IKE communication, comma separated. |
25 | local_addrs = %any | 25 | # local_addrs = %any |
26 | 26 | ||
27 | # Remote address(es) to use for IKE communication, comma separated. | 27 | # Remote address(es) to use for IKE communication, comma separated. |
28 | remote_addrs = 68.48.18.140 | 28 | remote_addrs = 68.48.18.140 |
@@ -180,6 +180,7 @@ connections { | |||
180 | 180 | ||
181 | # IKE identity to expect for authentication round. | 181 | # IKE identity to expect for authentication round. |
182 | #id = %any | 182 | #id = %any |
183 | id = "68.48.18.140" | ||
183 | 184 | ||
184 | # Identity to use as peer identity during EAP authentication. | 185 | # Identity to use as peer identity during EAP authentication. |
185 | # eap_id = id | 186 | # eap_id = id |
@@ -267,7 +268,7 @@ connections { | |||
267 | # sha256_96 = no | 268 | # sha256_96 = no |
268 | 269 | ||
269 | # Local traffic selectors to include in CHILD_SA. | 270 | # Local traffic selectors to include in CHILD_SA. |
270 | local_ts = dynamic | 271 | # local_ts = dynamic |
271 | 272 | ||
272 | # Remote selectors to include in CHILD_SA. | 273 | # Remote selectors to include in CHILD_SA. |
273 | remote_ts = 0::0/0 | 274 | remote_ts = 0::0/0 |
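--- /dev/null
+++ b/ipsec.conf.empty
@@ -0,0 +1,5 @@
+# basic configuration
+
+config setup
+# strictcrlpolicy=yes
+# uniqueids = no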
@@ -4,12 +4,53 @@ n=andy | |||
4 | 4 | ||
5 | key_basename=ssh_host_rsa_key | 5 | key_basename=ssh_host_rsa_key |
6 | input_key=/etc/ssh/$key_basename | 6 | input_key=/etc/ssh/$key_basename |
7 | openssl rsa -in "$input_key" -outform DER > /etc/swanctl/private/"$key_basename" | ||
8 | openssl rsa -in "$input_key" -pubout -outform DER > /etc/swanctl/pubkey/"$key_basename".pub | ||
9 | 7 | ||
10 | t=$(mktemp) | 8 | keycopy() |
11 | ssh-keyscan -trsa "$h" | while read hh rest; do [ "$h" = "$hh" ] && printf '%s\n' "$rest"; done | 9 | { |
10 | openssl rsa -in "$input_key" -outform DER > /etc/swanctl/private/"$key_basename" | ||
11 | openssl rsa -in "$input_key" -pubout -outform DER > /etc/swanctl/pubkey/"$key_basename".pub | ||
12 | 12 | ||
13 | ssh-keygen -e -f rsa.scan.edit -m PEM | openssl rsa -RSAPublicKey_in -outform DER > /etc/swanctl/pubkey/"$n".pub | 13 | t=$(mktemp) |
14 | ssh-keyscan -trsa "$h" | while read hh rest; do [ "$h" = "$hh" ] && printf '%s\n' "$rest"; done | ||
15 | |||
16 | ssh-keygen -e -f rsa.scan.edit -m PEM | openssl rsa -RSAPublicKey_in -outform DER > /etc/swanctl/pubkey/"$n".pub | ||
17 | |||
18 | ls -l /etc/swanctl/private/"$key_basename" /etc/swanctl/pubkey/"$key_basename".pub /etc/swanctl/pubkey/"$n".pub | ||
19 | } | ||
20 | |||
21 | nocomments() | ||
22 | { | ||
23 | sed 's/#.*//; /^ *$/d' | ||
24 | } | ||
25 | |||
26 | |||
27 | test_old_config() | ||
28 | { | ||
29 | ipsec stop | ||
30 | rm -f /etc/swanctl/conf.d/andy.conf | ||
31 | cp ipsec.conf /etc/ | ||
32 | nocomments < ipsec.conf | ||
33 | ipsec start | ||
34 | sleep 2 | ||
35 | ipsec listpubkeys | ||
36 | ipsec up andy | ||
37 | ipsec stop | ||
38 | } | ||
39 | |||
40 | test_new_config() | ||
41 | { | ||
42 | ipsec stop | ||
43 | cp -T ipsec.conf.empty /etc/ipsec.conf | ||
44 | cp andy.conf /etc/swanctl/conf.d/ | ||
45 | nocomments < andy.conf | ||
46 | ipsec start | ||
47 | sleep 2 | ||
48 | swanctl -c | ||
49 | ipsec listpubkeys | ||
50 | ipsec up andy | ||
51 | ipsec stop | ||
52 | } | ||
53 | |||
54 | test_old_config | ||
55 | test_new_config | ||
14 | 56 | ||
15 | ls -l /etc/swanctl/private/"$key_basename" /etc/swanctl/pubkey/"$key_basename".pub /etc/swanctl/pubkey/"$n".pub | ||
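Review bot: The two `openssl rsa ... > /etc/swanctl/private/"$key_basename"` redirects inside keycopy() create the converted private key with whatever mode the caller's umask yields, so the DER copy of the SSH host key can end up group- or world-readable under /etc/swanctl/private; put `umask 077` as the first line of keycopy() (or wrap the two openssl calls in `( umask 077; ... )`) so the copy is created 0600, as the original key in /etc/ssh normally is. In the same function `t=$(mktemp)` is assigned but never used or removed, and the `ssh-keyscan` loop only prints the peer key to stdout while the following `ssh-keygen -e -f rsa.scan.edit` reads a file the script never writes, so keycopy() appears to depend on a manual copy-and-edit step between the two; a comment saying so, or redirecting the loop's output into `rsa.scan.edit`, would make that explicit. Because the peer key is obtained from an unauthenticated `ssh-keyscan` of "$h", it should be checked against a fingerprint obtained out of band before it is installed as `/etc/swanctl/pubkey/"$n".pub`, otherwise whatever key answered on the network becomes the trusted IKE peer. `$h` is set outside this hunk, presumably in the first three lines of the script.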