From f0580823e871ff0d92c2186df66cc1b89b49800e Mon Sep 17 00:00:00 2001
From: root
Date: Wed, 29 Sep 2021 00:36:13 -0400
Subject: VICI style config works
---
 andy.brief.conf | 28 ++++++++++++++++++++++++++++
 andy.conf | 5 +++--
 ipsec.conf.empty | 5 +++++
 keycopy.sh | 53 +++++++++++++++++++++++++++++++++++++++++++++++------
 4 files changed, 83 insertions(+), 8 deletions(-)
 create mode 100644 andy.brief.conf
 create mode 100644 ipsec.conf.empty
diff --git a/andy.brief.conf b/andy.brief.conf
new file mode 100644
index 0000000..977a546
--- /dev/null
+++ b/andy.brief.conf
@@ -0,0 +1,28 @@
+connections {
+ andy {
+ remote_addrs = 68.48.18.140
+ vips = ::
+ local1 {
+ pubkeys = ssh_host_rsa_key.pub
+ auth = pubkey
+ id = dd6c:fbfd:eeb8:4709
+ }
+ remote1 {
+ id = "68.48.18.140"
+ pubkeys = andy.pub
+ auth = pubkey
+ }
+ children {
+ child1 {
+ remote_ts = 0::0/0
+ mode = tunnel
+ dpd_action = restart
+ }
+ }
+ }
+}
+secrets {
+ private1 {
+ file = ssh_host_rsa_key
+ }
+}
diff --git a/andy.conf b/andy.conf
index 39f2337..ea5e71a 100644
--- a/andy.conf
+++ b/andy.conf
@@ -22,7 +22,7 @@ connections {
 # version = 0
 # Local address(es) to use for IKE communication, comma separated.
- local_addrs = %any
+ # local_addrs = %any
 # Remote address(es) to use for IKE communication, comma separated.
 remote_addrs = 68.48.18.140
@@ -180,6 +180,7 @@ connections {
 # IKE identity to expect for authentication round.
 #id = %any
+ id = "68.48.18.140"
 # Identity to use as peer identity during EAP authentication.
 # eap_id = id
@@ -267,7 +268,7 @@ connections {
 # sha256_96 = no
 # Local traffic selectors to include in CHILD_SA.
- local_ts = dynamic
+ # local_ts = dynamic
 # Remote selectors to include in CHILD_SA.
 remote_ts = 0::0/0
diff --git a/ipsec.conf.empty b/ipsec.conf.empty
new file mode 100644
index 0000000..ff9cca2
--- /dev/null
+++ b/ipsec.conf.empty
@@ -0,0 +1,5 @@
+# basic configuration
+
+config setup
+ # strictcrlpolicy=yes
+ # uniqueids = no
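Review bot: `local1` authenticates with `ssh_host_rsa_key.pub` and `secrets.private1` loads `ssh_host_rsa_key`, so the IKE identity is signed with the same RSA key the host uses for SSH; reusing one private key across two protocols means a compromise or misuse on either side exposes both, and it ties the VPN's trust to a copy of the SSH host key that keycopy.sh places under `/etc/swanctl/private`. Consider a dedicated key for the tunnel, or at least record the reuse in a comment above `local1`, e.g. `# NOTE: SSH host key deliberately reused as IKE key; rotate both together`. `remote1` pins the peer to `andy.pub`, which keycopy.sh appears to derive from an `ssh-keyscan` result, so that file is only as trustworthy as the scan and its fingerprint should be verified out of band before it becomes the peer's IKE credential. This connection is also named `andy` like the one in andy.conf; if both files were loaded from conf.d the two definitions would collide, though which one is installed seems to be decided by the test functions in keycopy.sh rather than by this file.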
diff --git a/keycopy.sh b/keycopy.sh
index 29f8423..f9ebbb9 100644
--- a/keycopy.sh
+++ b/keycopy.sh
@@ -4,12 +4,53 @@ n=andy
 key_basename=ssh_host_rsa_key
 input_key=/etc/ssh/$key_basename
-openssl rsa -in "$input_key" -outform DER > /etc/swanctl/private/"$key_basename"
-openssl rsa -in "$input_key" -pubout -outform DER > /etc/swanctl/pubkey/"$key_basename".pub
-t=$(mktemp)
-ssh-keyscan -trsa "$h" | while read hh rest; do [ "$h" = "$hh" ] && printf '%s\n' "$rest"; done
+keycopy()
+{
+ openssl rsa -in "$input_key" -outform DER > /etc/swanctl/private/"$key_basename"
+ openssl rsa -in "$input_key" -pubout -outform DER > /etc/swanctl/pubkey/"$key_basename".pub
-ssh-keygen -e -f rsa.scan.edit -m PEM | openssl rsa -RSAPublicKey_in -outform DER > /etc/swanctl/pubkey/"$n".pub
+ t=$(mktemp)
+ ssh-keyscan -trsa "$h" | while read hh rest; do [ "$h" = "$hh" ] && printf '%s\n' "$rest"; done
+
+ ssh-keygen -e -f rsa.scan.edit -m PEM | openssl rsa -RSAPublicKey_in -outform DER > /etc/swanctl/pubkey/"$n".pub
+
+ ls -l /etc/swanctl/private/"$key_basename" /etc/swanctl/pubkey/"$key_basename".pub /etc/swanctl/pubkey/"$n".pub
+}
+
+nocomments()
+{
+ sed 's/#.*//; /^ *$/d'
+}
+
+
+test_old_config()
+{
+ ipsec stop
+ rm -f /etc/swanctl/conf.d/andy.conf
+ cp ipsec.conf /etc/
+ nocomments < ipsec.conf
+ ipsec start
+ sleep 2
+ ipsec listpubkeys
+ ipsec up andy
+ ipsec stop
+}
+
+test_new_config()
+{
+ ipsec stop
+ cp -T ipsec.conf.empty /etc/ipsec.conf
+ cp andy.conf /etc/swanctl/conf.d/
+ nocomments < andy.conf
+ ipsec start
+ sleep 2
+ swanctl -c
+ ipsec listpubkeys
+ ipsec up andy
+ ipsec stop
+}
+
+test_old_config
+test_new_config
-ls -l /etc/swanctl/private/"$key_basename" /etc/swanctl/pubkey/"$key_basename".pub /etc/swanctl/pubkey/"$n".pub
--
cgit v1.2.3
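Review bot: In `keycopy` the temp file from `t=$(mktemp)` is never written to or removed, and the `ssh-keyscan` loop only prints the matching key to stdout, so the following `ssh-keygen -e -f rsa.scan.edit` reads a file nothing in this hunk creates (and `$h` is not assigned in the hunk; it may be set above line 4). If the scan is meant to feed the conversion, redirect it into the temp file and read from that, e.g. `… done > "$t"`, then `ssh-keygen -e -f "$t" -m PEM | …`, with `trap 'rm -f -- "$t"' EXIT` for cleanup, and use `read -r hh rest` so backslashes in the scan line are not interpreted. The private key is written with `openssl rsa … > /etc/swanctl/private/…` under whatever umask the caller has, so a `umask 077` at the start of the function (or `install -m 600` into place) keeps it from being created world-readable. Because `ssh-keyscan` returns whatever key answers on the network, the key that ends up as `/etc/swanctl/pubkey/"$n".pub` should be checked against an out-of-band fingerprint before it is trusted for IKE authentication. Finally, `keycopy` is now defined but never called, while `test_old_config` and `test_new_config` run at the bottom; if skipping the key copy is intentional, a one-line comment saying so would save the next reader from wondering whether the call was lost in the move.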