-rw-r--r--andy.brief.conf28
-rw-r--r--andy.conf5
-rw-r--r--ipsec.conf.empty5
-rw-r--r--keycopy.sh53
4 files changed, 83 insertions, 8 deletions
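--- /dev/null
+++ b/andy.brief.conf
@@ -0,0 +1,28 @@
+connections {
+ andy {
+ remote_addrs = 68.48.18.140
+ vips = ::
+ local1 {
+ pubkeys = ssh_host_rsa_key.pub
+ auth = pubkey
+ id = dd6c:fbfd:eeb8:4709
+ }
+ remote1 {
+ id = "68.48.18.140"
+ pubkeys = andy.pub
+ auth = pubkey
+ }
+ children {
+ child1 {
+ remote_ts = 0::0/0
+ mode = tunnel
+ dpd_action = restart
+ }
+ }
+ }
+}
+secrets {
+ private1 {
+ file = ssh_host_rsa_key
+ }
+}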
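Review bot: The new brief config carries no comment saying how it relates to andy.conf, and nothing in this commit installs it — keycopy.sh's `test_new_config` copies only andy.conf into /etc/swanctl/conf.d/ — so a reader cannot tell whether it is a reference copy or an alternative that has to be kept in sync with the full file. A one-line header such as `# Minimal form of andy.conf (same peer, keys and selectors); not installed by keycopy.sh` would make that explicit. The peer is authenticated solely by the raw key in andy.pub bound to `id = "68.48.18.140"` in the `remote1` block, so trust in that file is the whole of peer authentication; a comment on `pubkeys = andy.pub` stating where the key was obtained and that its fingerprint was checked would document the assumption the config rests on.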
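--- a/andy.conf
+++ b/andy.conf
@@ -22,7 +22,7 @@ connections {
  # version = 0
 
  # Local address(es) to use for IKE communication, comma separated.
- local_addrs = %any
+ # local_addrs = %any
 
  # Remote address(es) to use for IKE communication, comma separated.
  remote_addrs = 68.48.18.140
@@ -180,6 +180,7 @@ connections {
 
  # IKE identity to expect for authentication round.
  #id = %any
+ id = "68.48.18.140"
 
  # Identity to use as peer identity during EAP authentication.
  # eap_id = id
@@ -267,7 +268,7 @@ connections {
  # sha256_96 = no
 
  # Local traffic selectors to include in CHILD_SA.
- local_ts = dynamic
+ # local_ts = dynamic
 
  # Remote selectors to include in CHILD_SA.
  remote_ts = 0::0/0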
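--- /dev/null
+++ b/ipsec.conf.empty
@@ -0,0 +1,5 @@
+# basic configuration
+
+config setup
+ # strictcrlpolicy=yes
+ # uniqueids = no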
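--- a/keycopy.sh
+++ b/keycopy.sh
@@ -4,12 +4,53 @@ n=andy
 
 key_basename=ssh_host_rsa_key
 input_key=/etc/ssh/$key_basename
-openssl rsa -in "$input_key" -outform DER > /etc/swanctl/private/"$key_basename"
-openssl rsa -in "$input_key" -pubout -outform DER > /etc/swanctl/pubkey/"$key_basename".pub
 
-t=$(mktemp)
-ssh-keyscan -trsa "$h" | while read hh rest; do [ "$h" = "$hh" ] && printf '%s\n' "$rest"; done
+keycopy()
+{
+ openssl rsa -in "$input_key" -outform DER > /etc/swanctl/private/"$key_basename"
+ openssl rsa -in "$input_key" -pubout -outform DER > /etc/swanctl/pubkey/"$key_basename".pub
 
-ssh-keygen -e -f rsa.scan.edit -m PEM | openssl rsa -RSAPublicKey_in -outform DER > /etc/swanctl/pubkey/"$n".pub
+ t=$(mktemp)
+ ssh-keyscan -trsa "$h" | while read hh rest; do [ "$h" = "$hh" ] && printf '%s\n' "$rest"; done
+
+ ssh-keygen -e -f rsa.scan.edit -m PEM | openssl rsa -RSAPublicKey_in -outform DER > /etc/swanctl/pubkey/"$n".pub
+
+ ls -l /etc/swanctl/private/"$key_basename" /etc/swanctl/pubkey/"$key_basename".pub /etc/swanctl/pubkey/"$n".pub
+}
+
+nocomments()
+{
+ sed 's/#.*//; /^ *$/d'
+}
+
+
+test_old_config()
+{
+ ipsec stop
+ rm -f /etc/swanctl/conf.d/andy.conf
+ cp ipsec.conf /etc/
+ nocomments < ipsec.conf
+ ipsec start
+ sleep 2
+ ipsec listpubkeys
+ ipsec up andy
+ ipsec stop
+}
+
+test_new_config()
+{
+ ipsec stop
+ cp -T ipsec.conf.empty /etc/ipsec.conf
+ cp andy.conf /etc/swanctl/conf.d/
+ nocomments < andy.conf
+ ipsec start
+ sleep 2
+ swanctl -c
+ ipsec listpubkeys
+ ipsec up andy
+ ipsec stop
+}
+
+test_old_config
+test_new_config
 
-ls -l /etc/swanctl/private/"$key_basename" /etc/swanctl/pubkey/"$key_basename".pub /etc/swanctl/pubkey/"$n".pub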
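Review bot: `keycopy` is defined at new lines 8–19 but nothing in the hunk calls it — the trailer at lines 54–55 runs only `test_old_config` and `test_new_config` — so a fresh run of the script no longer regenerates the DER keys the tests depend on; if that is intended, add a `keycopy` call ahead of `test_old_config` or a comment stating that the keys are assumed to be present. Inside `keycopy`, `t=$(mktemp)` creates a file that is never read or removed, and the `ssh-keyscan` pipeline only prints the matched key to stdout, so `rsa.scan.edit` on line 16 still has to be prepared by hand (the first three lines of the file, where `$h` and `$n` are presumably set, are outside the hunk). Because the peer key comes from `ssh-keyscan` over the network, its fingerprint should be checked out-of-band before it is converted into `"$n".pub`, and `read hh rest` should become `read -r hh rest` so backslashes in the scanned line are not interpreted. The private-key redirect on line 10 creates the DER file under the caller's current umask; a `umask 077` at the top of `keycopy` would keep it from being group- or world-readable wherever the directory permissions alone do not cover that.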