authorroot <root@samizdat>2021-09-28 23:31:38 -0400
committerroot <root@samizdat>2021-09-28 23:31:38 -0400
commita1880f4ff17c1224f4f56bb78d5b161483de61e7 (patch)
treec993f4d2f8351f8205982a5e6c1862cac9d69faa
parent7189cefd81bbdb1d0caf0dad887c7cc0d8181089 (diff)
more
-rw-r--r--andy.conf579
-rw-r--r--gai.conf65
-rw-r--r--keycopy.sh15
3 files changed, 659 insertions, 0 deletions
diff --git a/andy.conf b/andy.conf
new file mode 100644
index 0000000..39f2337
--- /dev/null
+++ b/andy.conf
@@ -0,0 +1,579 @@
1# conn andy
2# type=tunnel
3# auto=add
4#
5# left=%any
6# leftsourceip=%config
7# leftsigkey="ssh:0sAAAAB3NzaC1yc2EAAAADAQABAAABAQC8b9n1/1p5HposHmP1xbrKCOP+3PSnaycQvIbcB3ugYBFgTfUoVZ0c6pUzpw8uR93iQ/mSyeEvjaUDctBASg67jxyeSU78p9qJ/y/Eg2uBiMNx1fUljVryqXCbQRebjtVWNjIhr99qowzYrV+ztTNpQ2oI/VhQ9C+cbDLKySoR5L8wrkSPqvYH4oZJtyKQmv7lN3/MKFONZlTo1RMw2+4214uaQJF1dcwW3erHh15SpqoQ7LidqNH2Q6SInzVdJbZtQSWjFM29m4nQMv55g6VlUK8NfcGJuIKghO0urZvYQpdeBe05Lr/y/n3wqJb97Eh5hzQc9Jx5kKQZeueHWEkz"
8# leftid=dd6c:fbfd:eeb8:4709
9# right=%any
10# right=68.48.18.140
11# #rightsubnet=2601:401:8200:2d4c::1/64
12# rightsubnet=0::0/0
13# rightsigkey="ssh:0sAAAAB3NzaC1yc2EAAAADAQABAAABAQD0v/20UNR7vpib9amq1xMrJSiyIWXjpiHq1O2BIrzZ2nuilSxn1dYVhelUTR2siDKAxoo3sX0GDWayMekHtzPr1DBXQ/eu9PNhp9Q0QvkgRSay9HggelpGukxP8N72kbthggmCkWufaM/OoDOVHBYngJFbrwOwhDKJyL+q8f3u1LFOErRxVJ7f7/C1o+NLkWXayfwOK8kk4Hc9tcy1MXk5jLx927evsyOYXV2Lbzf9qwXSV6MjUlFDhqhW/v2IOBCxXG7GhpoHTmpdtv0JxDLnc5zYBxgleiS74DmC5GKU5EgU63e7FNnPSvVnYO+S3mO+Y4PwNv4BYnKSpSGe/0tt"
14
15# Section defining IKE connection configurations.
16connections {
17
18 # Section for an IKE connection named andy.
19 andy {
20
21 # IKE major version to use for connection.
22 # version = 0
23
24 # Local address(es) to use for IKE communication, comma separated.
25 local_addrs = %any
26
27 # Remote address(es) to use for IKE communication, comma separated.
28 remote_addrs = 68.48.18.140
29
30 # Local UDP port for IKE communication.
31 # local_port = 500
32
33 # Remote UDP port for IKE communication.
34 # remote_port = 500
35
36 # Comma separated proposals to accept for IKE.
37 # proposals = default
38
39 # Virtual IPs to request in configuration payload / Mode Config.
40 vips = ::
41
42 # Use Aggressive Mode in IKEv1.
43 # aggressive = no
44
45 # Set the Mode Config mode to use.
46 # pull = yes
47
48 # Differentiated Services Field Codepoint to set on outgoing IKE packets
49 # (six binary digits).
50 # dscp = 000000
51
52 # Enforce UDP encapsulation by faking NAT-D payloads.
53 # encap = no
54
55 # Enables MOBIKE on IKEv2 connections.
56 # mobike = yes
57
58 # Interval of liveness checks (DPD).
59 # dpd_delay = 0s
60
61 # Timeout for DPD checks (IKEV1 only).
62 # dpd_timeout = 0s
63
64 # Use IKE UDP datagram fragmentation (yes, accept, no or force).
65 # fragmentation = yes
66
67 # Use childless IKE_SA initiation (allow, force or never).
68 # childless = allow
69
70 # Send certificate requests payloads (yes or no).
71 # send_certreq = yes
72
73 # Send certificate payloads (always, never or ifasked).
74 # send_cert = ifasked
75
76 # String identifying the Postquantum Preshared Key (PPK) to be used.
77 # ppk_id =
78
79 # Whether a Postquantum Preshared Key (PPK) is required for this
80 # connection.
81 # ppk_required = no
82
83 # Number of retransmission sequences to perform during initial connect.
84 # keyingtries = 1
85
86 # Connection uniqueness policy (never, no, keep or replace).
87 # unique = no
88
89 # Time to schedule IKE reauthentication.
90 # reauth_time = 0s
91
92 # Time to schedule IKE rekeying.
93 # rekey_time = 4h
94
95 # Hard IKE_SA lifetime if rekey/reauth does not complete, as time.
96 # over_time = 10% of rekey_time/reauth_time
97
98 # Range of random time to subtract from rekey/reauth times.
99 # rand_time = over_time
100
101 # Comma separated list of named IP pools.
102 # pools =
103
104 # Default inbound XFRM interface ID for children.
105 # if_id_in = 0
106
107 # Default outbound XFRM interface ID for children.
108 # if_id_out = 0
109
110 # Whether this connection is a mediation connection.
111 # mediation = no
112
113 # The name of the connection to mediate this connection through.
114 # mediated_by =
115
116 # Identity under which the peer is registered at the mediation server.
117 # mediation_peer =
118
119 # Section for a local authentication round.
120 local1 {
121
122 # Optional numeric identifier by which authentication rounds are
123 # sorted. If not specified rounds are ordered by their position in
124 # the config file/VICI message.
125 # round = 0
126
127 # Comma separated list of certificate candidates to use for
128 # authentication.
129 # certs =
130
131 # Section for a certificate candidate to use for authentication.
132 # cert<suffix> =
133
134 # Comma separated list of raw public key candidates to use for
135 # authentication.
136 pubkeys = ssh_host_rsa_key.pub
137
138 # Authentication to perform locally (pubkey, psk, xauth[-backend] or
139 # eap[-method]).
140 auth = pubkey
141
142 # IKE identity to use for authentication round.
143 id = dd6c:fbfd:eeb8:4709
144
145 # Client EAP-Identity to use in EAP-Identity exchange and the EAP
146 # method.
147 # eap_id = id
148
149 # Server side EAP-Identity to expect in the EAP method.
150 # aaa_id = remote-id
151
152 # Client XAuth username used in the XAuth exchange.
153 # xauth_id = id
154
155 # cert<suffix> {
156
157 # Absolute path to the certificate to load.
158 # file =
159
160 # Hex-encoded CKA_ID of the certificate on a token.
161 # handle =
162
163 # Optional slot number of the token that stores the certificate.
164 # slot =
165
166 # Optional PKCS#11 module name.
167 # module =
168
169 # }
170
171 }
172
173 # Section for a remote authentication round.
174 remote1 {
175
176 # Optional numeric identifier by which authentication rounds are
177 # sorted. If not specified rounds are ordered by their position in
178 # the config file/VICI message.
179 # round = 0
180
181 # IKE identity to expect for authentication round.
182 #id = %any
183
184 # Identity to use as peer identity during EAP authentication.
185 # eap_id = id
186
187 # Authorization group memberships to require.
188 # groups =
189
190 # Certificate policy OIDs the peer's certificate must have.
191 # cert_policy =
192
193 # Comma separated list of certificate to accept for authentication.
194 # certs =
195
196 # Section for a certificate to accept for authentication.
197 # cert<suffix> =
198
199 # Comma separated list of CA certificates to accept for
200 # authentication.
201 # cacerts =
202
203 # Section for a CA certificate to accept for authentication.
204 # cacert<suffix> =
205
206 # Identity in CA certificate to accept for authentication.
207 # ca_id =
208
209 # Comma separated list of raw public keys to accept for
210 # authentication.
211 pubkeys = andy.pub
212
213 # Certificate revocation policy, (strict, ifuri or relaxed).
214 # revocation = relaxed
215
216 # Authentication to expect from remote (pubkey, psk, xauth[-backend]
217 # or eap[-method]).
218 auth = pubkey
219
220 # cert<suffix> {
221
222 # Absolute path to the certificate to load.
223 # file =
224
225 # Hex-encoded CKA_ID of the certificate on a token.
226 # handle =
227
228 # Optional slot number of the token that stores the certificate.
229 # slot =
230
231 # Optional PKCS#11 module name.
232 # module =
233
234 # }
235
236 # cacert<suffix> {
237
238 # Absolute path to the certificate to load.
239 # file =
240
241 # Hex-encoded CKA_ID of the CA certificate on a token.
242 # handle =
243
244 # Optional slot number of the token that stores the CA
245 # certificate.
246 # slot =
247
248 # Optional PKCS#11 module name.
249 # module =
250
251 # }
252
253 }
254
255 children {
256
257 # CHILD_SA configuration sub-section.
258 child1 {
259
260 # AH proposals to offer for the CHILD_SA.
261 # ah_proposals =
262
263 # ESP proposals to offer for the CHILD_SA.
264 # esp_proposals = default
265
266 # Use incorrect 96-bit truncation for HMAC-SHA-256.
267 # sha256_96 = no
268
269 # Local traffic selectors to include in CHILD_SA.
270 local_ts = dynamic
271
272 # Remote selectors to include in CHILD_SA.
273 remote_ts = 0::0/0
274
275 # Time to schedule CHILD_SA rekeying.
276 # rekey_time = 1h
277
278 # Maximum lifetime before CHILD_SA gets closed, as time.
279 # life_time = rekey_time + 10%
280
281 # Range of random time to subtract from rekey_time.
282 # rand_time = life_time - rekey_time
283
284 # Number of bytes processed before initiating CHILD_SA rekeying.
285 # rekey_bytes = 0
286
287 # Maximum bytes processed before CHILD_SA gets closed.
288 # life_bytes = rekey_bytes + 10%
289
290 # Range of random bytes to subtract from rekey_bytes.
291 # rand_bytes = life_bytes - rekey_bytes
292
293 # Number of packets processed before initiating CHILD_SA
294 # rekeying.
295 # rekey_packets = 0
296
297 # Maximum number of packets processed before CHILD_SA gets
298 # closed.
299 # life_packets = rekey_packets + 10%
300
301 # Range of random packets to subtract from packets_bytes.
302 # rand_packets = life_packets - rekey_packets
303
304 # Updown script to invoke on CHILD_SA up and down events.
305 # updown =
306
307 # Hostaccess variable to pass to updown script.
308 # hostaccess = no
309
310 # IPsec Mode to establish (tunnel, transport, transport_proxy,
311 # beet, pass or drop).
312 mode = tunnel
313
314 # Whether to install IPsec policies or not.
315 # policies = yes
316
317 # Whether to install outbound FWD IPsec policies or not.
318 # policies_fwd_out = no
319
320 # Action to perform on DPD timeout (clear, trap or restart).
321 dpd_action = restart
322
323 # Enable IPComp compression before encryption.
324 # ipcomp = no
325
326 # Timeout before closing CHILD_SA after inactivity.
327 # inactivity = 0s
328
329 # Fixed reqid to use for this CHILD_SA.
330 # reqid = 0
331
332 # Optional fixed priority for IPsec policies.
333 # priority = 0
334
335 # Optional interface name to restrict IPsec policies.
336 # interface =
337
338 # Netfilter mark and mask for input traffic.
339 # mark_in = 0/0x00000000
340
341 # Whether to set *mark_in* on the inbound SA.
342 # mark_in_sa = no
343
344 # Netfilter mark and mask for output traffic.
345 # mark_out = 0/0x00000000
346
347 # Netfilter mark applied to packets after the inbound IPsec SA
348 # processed them.
349 # set_mark_in = 0/0x00000000
350
351 # Netfilter mark applied to packets after the outbound IPsec SA
352 # processed them.
353 # set_mark_out = 0/0x00000000
354
355 # Inbound XFRM interface ID.
356 # if_id_in = 0
357
358 # Outbound XFRM interface ID.
359 # if_id_out = 0
360
361 # Traffic Flow Confidentiality padding.
362 # tfc_padding = 0
363
364 # IPsec replay window to configure for this CHILD_SA.
365 # replay_window = 32
366
367 # Enable hardware offload for this CHILD_SA, if supported by the
368 # IPsec implementation.
369 # hw_offload = no
370
371 # Whether to copy the DF bit to the outer IPv4 header in tunnel
372 # mode.
373 # copy_df = yes
374
375 # Whether to copy the ECN header field to/from the outer IP
376 # header in tunnel mode.
377 # copy_ecn = yes
378
379 # Whether to copy the DSCP header field to/from the outer IP
380 # header in tunnel mode.
381 # copy_dscp = out
382
383 # Action to perform after loading the configuration (none, trap,
384 # start).
385 # start_action = none
386
387 # Action to perform after a CHILD_SA gets closed (none, trap,
388 # start).
389 # close_action = none
390
391 }
392
393 }
394
395 }
396
397}
398
399# Section defining secrets for IKE/EAP/XAuth authentication and private key
400# decryption.
401secrets {
402
403 # EAP secret section for a specific secret.
404 # eap<suffix> {
405
406 # Value of the EAP/XAuth secret.
407 # secret =
408
409 # Identity the EAP/XAuth secret belongs to.
410 # id<suffix> =
411
412 # }
413
414 # XAuth secret section for a specific secret.
415 # xauth<suffix> {
416
417 # }
418
419 # NTLM secret section for a specific secret.
420 # ntlm<suffix> {
421
422 # Value of the NTLM secret.
423 # secret =
424
425 # Identity the NTLM secret belongs to.
426 # id<suffix> =
427
428 # }
429
430 # IKE preshared secret section for a specific secret.
431 # ike<suffix> {
432
433 # Value of the IKE preshared secret.
434 # secret =
435
436 # IKE identity the IKE preshared secret belongs to.
437 # id<suffix> =
438
439 # }
440
441 # Postquantum Preshared Key (PPK) section for a specific secret.
442 # ppk<suffix> {
443
444 # Value of the PPK.
445 # secret =
446
447 # PPK identity the PPK belongs to.
448 # id<suffix> =
449
450 # }
451
452 # Private key decryption passphrase for a key in the private folder.
453 private1 {
454
455 # File name in the private folder for which this passphrase should be
456 # used.
457 file = ssh_host_rsa_key
458
459 # Value of decryption passphrase for private key.
460 # secret =
461
462 }
463
464 # Private key decryption passphrase for a key in the rsa folder.
465 # rsa<suffix> {
466
467 # File name in the rsa folder for which this passphrase should be used.
468 # file =
469
470 # Value of decryption passphrase for RSA key.
471 # secret =
472
473 # }
474
475 # Private key decryption passphrase for a key in the ecdsa folder.
476 # ecdsa<suffix> {
477
478 # File name in the ecdsa folder for which this passphrase should be
479 # used.
480 # file =
481
482 # Value of decryption passphrase for ECDSA key.
483 # secret =
484
485 # }
486
487 # Private key decryption passphrase for a key in the pkcs8 folder.
488 # pkcs8<suffix> {
489
490 # File name in the pkcs8 folder for which this passphrase should be
491 # used.
492 # file =
493
494 # Value of decryption passphrase for PKCS#8 key.
495 # secret =
496
497 # }
498
499 # PKCS#12 decryption passphrase for a container in the pkcs12 folder.
500 # pkcs12<suffix> {
501
502 # File name in the pkcs12 folder for which this passphrase should be
503 # used.
504 # file =
505
506 # Value of decryption passphrase for PKCS#12 container.
507 # secret =
508
509 # }
510
511 # Definition for a private key that's stored on a token/smartcard.
512 # token<suffix> {
513
514 # Hex-encoded CKA_ID of the private key on the token.
515 # handle =
516
517 # Optional slot number to access the token.
518 # slot =
519
520 # Optional PKCS#11 module name to access the token.
521 # module =
522
523 # Optional PIN required to access the key on the token. If none is
524 # provided the user is prompted during an interactive --load-creds call.
525 # pin =
526
527 # }
528
529}
530
531# Section defining named pools.
532# pools {
533
534 # Section defining a single pool with a unique name.
535 # <name> {
536
537 # Addresses allocated in pool.
538 # addrs =
539
540 # Comma separated list of additional attributes from type <attr>.
541 # <attr> =
542
543 # }
544
545# }
546
547# Section defining attributes of certification authorities.
548# authorities {
549
550 # Section defining a certification authority with a unique name.
551 # <name> {
552
553 # CA certificate belonging to the certification authority.
554 # cacert =
555
556 # Absolute path to the certificate to load.
557 # file =
558
559 # Hex-encoded CKA_ID of the CA certificate on a token.
560 # handle =
561
562 # Optional slot number of the token that stores the CA certificate.
563 # slot =
564
565 # Optional PKCS#11 module name.
566 # module =
567
568 # Comma-separated list of CRL distribution points.
569 # crl_uris =
570
571 # Comma-separated list of OCSP URIs.
572 # ocsp_uris =
573
574 # Defines the base URI for the Hash and URL feature supported by IKEv2.
575 # cert_uri_base =
576
577 # }
578
579# }
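Review bot: `dpd_action = restart` in child1 is never exercised proactively as written, because `dpd_delay` in the `andy` block stays at its commented default of `0s`, which disables liveness checks; a vanished peer is then only noticed when some other exchange on the established IKE_SA (the 4h rekey, for instance) times out, so set the two together, e.g. `dpd_delay = 30s`. The private key named in `secrets.private1` is the SSH host key that keycopy.sh in this commit copies into /etc/swanctl/private, so one RSA key now signs both SSH host authentication and IKEv2 AUTH payloads; cross-protocol key reuse widens the blast radius of a compromise of either copy, and a dedicated IKE key would be the safer choice. That `private1` section also carries no `secret =`, and per its own comment it only supplies a decryption passphrase for a key the private folder loads anyway, so it is inert and can be dropped or given the passphrase it is meant to hold. The ipsec.conf-style stanza at the top is dead archaeology (it even carries two `right=` lines) and should be deleted or replaced by a one-line note naming the peer this configuration is for.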
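diff --git a/gai.conf b/gai.conf
new file mode 100644
index 0000000..1a1770b
--- /dev/null
+++ b/gai.conf
@@ -0,0 +1,65 @@
+# Configuration for getaddrinfo(3).
+#
+# So far only configuration for the destination address sorting is needed.
+# RFC 3484 governs the sorting. But the RFC also says that system
+# administrators should be able to overwrite the defaults. This can be
+# achieved here.
+#
+# All lines have an initial identifier specifying the option followed by
+# up to two values. Information specified in this file replaces the
+# default information. Complete absence of data of one kind causes the
+# appropriate default information to be used. The supported commands include:
+#
+# reload <yes|no>
+# If set to yes, each getaddrinfo(3) call will check whether this file
+# changed and if necessary reload. This option should not really be
+# used. There are possible runtime problems. The default is no.
+#
+# label <mask> <value>
+# Add another rule to the RFC 3484 label table. See section 2.1 in
+# RFC 3484. The default is:
+#
+#label ::1/128 0
+#label ::/0 1
+#label 2002::/16 2
+#label ::/96 3
+#label ::ffff:0:0/96 4
+#label fec0::/10 5
+#label fc00::/7 6
+#label 2001:0::/32 7
+#
+# This default differs from the tables given in RFC 3484 by handling
+# (now obsolete) site-local IPv6 addresses and Unique Local Addresses.
+# The reason for this difference is that these addresses are never
+# NATed while IPv4 site-local addresses most probably are. Given
+# the precedence of IPv6 over IPv4 (see below) on machines having only
+# site-local IPv4 and IPv6 addresses a lookup for a global address would
+# see the IPv6 be preferred. The result is a long delay because the
+# site-local IPv6 addresses cannot be used while the IPv4 address is
+# (at least for the foreseeable future) NATed. We also treat Teredo
+# tunnels special.
+#
+# precedence <mask> <value>
+# Add another rule to the RFC 3484 precedence table. See section 2.1
+# and 10.3 in RFC 3484. The default is:
+#
+precedence ::1/128 50
+precedence ::/0 40
+precedence 2002::/16 30
+precedence ::/96 20
+#precedence ::ffff:0:0/96 10
+#
+# For sites which prefer IPv4 connections change the last line to
+#
+precedence ::ffff:0:0/96 100
+
+#
+# scopev4 <mask> <value>
+# Add another rule to the RFC 6724 scope table for IPv4 addresses.
+# By default the scope IDs described in section 3.2 in RFC 6724 are
+# used. Changing these defaults should hardly ever be necessary.
+# The defaults are equivalent to:
+#
+#scopev4 ::ffff:169.254.0.0/112 2
+#scopev4 ::ffff:127.0.0.0/104 2
+#scopev4 ::ffff:0.0.0.0/96 14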
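Review bot: The comment above `precedence ::ffff:0:0/96 100` now misdescribes what is active: it still reads as the stock instruction `For sites which prefer IPv4 connections change the last line to`, while the line it refers to (`#precedence ::ffff:0:0/96 10`) is left commented and the four defaults above it are uncommented without explanation. Uncommenting those four is in fact required, since the header says any data given here replaces the whole default table, so the intent deserves one line of its own, e.g. `# Local policy: prefer IPv4 for dual-stack names; the four default entries above must stay active because any precedence entry replaces the entire table.` Note the interplay with andy.conf in the same commit, whose CHILD_SA carries all IPv6 (`remote_ts = 0::0/0`) through the tunnel: with this file every dual-stack destination is reached over IPv4 outside that tunnel, which is fine if the tunnel only provides IPv6 reachability but defeats it if it was meant as the default egress path, so it is worth stating which one is intended.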
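diff --git a/keycopy.sh b/keycopy.sh
new file mode 100644
index 0000000..29f8423
--- /dev/null
+++ b/keycopy.sh
@@ -0,0 +1,15 @@
+#!/bin/sh
+h=marble.tj5tzswz7isfavggdjsiwxdjswrg6tadlzuf3j3q.ed25519.cryptonomic.net
+n=andy
+
+key_basename=ssh_host_rsa_key
+input_key=/etc/ssh/$key_basename
+openssl rsa -in "$input_key" -outform DER > /etc/swanctl/private/"$key_basename"
+openssl rsa -in "$input_key" -pubout -outform DER > /etc/swanctl/pubkey/"$key_basename".pub
+
+t=$(mktemp)
+ssh-keyscan -trsa "$h" | while read hh rest; do [ "$h" = "$hh" ] && printf '%s\n' "$rest"; done
+
+ssh-keygen -e -f rsa.scan.edit -m PEM | openssl rsa -RSAPublicKey_in -outform DER > /etc/swanctl/pubkey/"$n".pub
+
+ls -l /etc/swanctl/private/"$key_basename" /etc/swanctl/pubkey/"$key_basename".pub /etc/swanctl/pubkey/"$n".pub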
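Review bot: The scanned peer key never reaches the conversion step: the `ssh-keyscan` loop only prints the key to stdout, `t=$(mktemp)` is created and never used, and `ssh-keygen -e -f rsa.scan.edit` reads a file nothing in the script writes, so the `andy.pub` line either fails or converts whatever stale file happens to be in the working directory. Two further points matter for a script that installs a private key: the DER copy is written with a bare `>` redirect, so its mode follows the caller's umask instead of being forced to 0600, and without `set -e` a failing `openssl rsa` leaves a truncated key file in place. The peer key is also taken on trust from a live `ssh-keyscan`, which makes the IKE trust anchor only as strong as the network path at scan time; the hostname appears to embed an ed25519 fingerprint, but that cannot vouch for the RSA key this script fetches, so the fingerprint should be checked out-of-band (or taken from known_hosts/SSHFP) before it becomes `andy.pub`. The sketch below wires the scan into the temp file, prints the fingerprint for that check, and fixes the permission and error-handling issues.
```shell
#!/bin/sh
set -eu
# Private key material must never be created world-readable.
umask 077
# … unchanged: h, n, key_basename, input_key …
openssl rsa -in "$input_key" -outform DER > /etc/swanctl/private/"$key_basename"
openssl rsa -in "$input_key" -pubout -outform DER > /etc/swanctl/pubkey/"$key_basename".pub

t=$(mktemp)
trap 'rm -f "$t"' EXIT
ssh-keyscan -t rsa "$h" | while read -r hh rest; do
    if [ "$h" = "$hh" ]; then printf '%s\n' "$rest"; fi
done > "$t"
[ -s "$t" ] || { echo "no RSA host key scanned for $h" >&2; exit 1; }
# Confirm this fingerprint out-of-band before trusting the key as the IKE peer.
ssh-keygen -lf "$t"
ssh-keygen -e -f "$t" -m PEM | openssl rsa -RSAPublicKey_in -outform DER > /etc/swanctl/pubkey/"$n".pub
chmod 644 /etc/swanctl/pubkey/"$key_basename".pub /etc/swanctl/pubkey/"$n".pub
# … unchanged: final ls -l …
```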