From a1880f4ff17c1224f4f56bb78d5b161483de61e7 Mon Sep 17 00:00:00 2001
From: root
Date: Tue, 28 Sep 2021 23:31:38 -0400
Subject: more

---
 andy.conf | 579 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 gai.conf | 65 +++++++
 keycopy.sh | 15 ++
 3 files changed, 659 insertions(+)
 create mode 100644 andy.conf
 create mode 100644 gai.conf
 create mode 100644 keycopy.sh

diff --git a/andy.conf b/andy.conf
new file mode 100644
index 0000000..39f2337
--- /dev/null
+++ b/andy.conf
@@ -0,0 +1,579 @@
+# conn andy
+# type=tunnel
+# auto=add
+#
+# left=%any
+# leftsourceip=%config
+# leftsigkey="ssh:0sAAAAB3NzaC1yc2EAAAADAQABAAABAQC8b9n1/1p5HposHmP1xbrKCOP+3PSnaycQvIbcB3ugYBFgTfUoVZ0c6pUzpw8uR93iQ/mSyeEvjaUDctBASg67jxyeSU78p9qJ/y/Eg2uBiMNx1fUljVryqXCbQRebjtVWNjIhr99qowzYrV+ztTNpQ2oI/VhQ9C+cbDLKySoR5L8wrkSPqvYH4oZJtyKQmv7lN3/MKFONZlTo1RMw2+4214uaQJF1dcwW3erHh15SpqoQ7LidqNH2Q6SInzVdJbZtQSWjFM29m4nQMv55g6VlUK8NfcGJuIKghO0urZvYQpdeBe05Lr/y/n3wqJb97Eh5hzQc9Jx5kKQZeueHWEkz"
+# leftid=dd6c:fbfd:eeb8:4709
+# right=%any
+# right=68.48.18.140
+# #rightsubnet=2601:401:8200:2d4c::1/64
+# rightsubnet=0::0/0
+# rightsigkey="ssh:0sAAAAB3NzaC1yc2EAAAADAQABAAABAQD0v/20UNR7vpib9amq1xMrJSiyIWXjpiHq1O2BIrzZ2nuilSxn1dYVhelUTR2siDKAxoo3sX0GDWayMekHtzPr1DBXQ/eu9PNhp9Q0QvkgRSay9HggelpGukxP8N72kbthggmCkWufaM/OoDOVHBYngJFbrwOwhDKJyL+q8f3u1LFOErRxVJ7f7/C1o+NLkWXayfwOK8kk4Hc9tcy1MXk5jLx927evsyOYXV2Lbzf9qwXSV6MjUlFDhqhW/v2IOBCxXG7GhpoHTmpdtv0JxDLnc5zYBxgleiS74DmC5GKU5EgU63e7FNnPSvVnYO+S3mO+Y4PwNv4BYnKSpSGe/0tt"
+
+# Section defining IKE connection configurations.
+connections {
+
+ # Section for an IKE connection named andy.
+ andy {
+
+ # IKE major version to use for connection.
+ # version = 0
+
+ # Local address(es) to use for IKE communication, comma separated.
+ local_addrs = %any
+
+ # Remote address(es) to use for IKE communication, comma separated.
+ remote_addrs = 68.48.18.140
+
+ # Local UDP port for IKE communication.
+ # local_port = 500
+
+ # Remote UDP port for IKE communication.
+ # remote_port = 500
+
+ # Comma separated proposals to accept for IKE.
+ # proposals = default
+
+ # Virtual IPs to request in configuration payload / Mode Config.
+ vips = ::
+
+ # Use Aggressive Mode in IKEv1.
+ # aggressive = no
+
+ # Set the Mode Config mode to use.
+ # pull = yes
+
+ # Differentiated Services Field Codepoint to set on outgoing IKE packets
+ # (six binary digits).
+ # dscp = 000000
+
+ # Enforce UDP encapsulation by faking NAT-D payloads.
+ # encap = no
+
+ # Enables MOBIKE on IKEv2 connections.
+ # mobike = yes
+
+ # Interval of liveness checks (DPD).
+ # dpd_delay = 0s
+
+ # Timeout for DPD checks (IKEV1 only).
+ # dpd_timeout = 0s
+
+ # Use IKE UDP datagram fragmentation (yes, accept, no or force).
+ # fragmentation = yes
+
+ # Use childless IKE_SA initiation (allow, force or never).
+ # childless = allow
+
+ # Send certificate requests payloads (yes or no).
+ # send_certreq = yes
+
+ # Send certificate payloads (always, never or ifasked).
+ # send_cert = ifasked
+
+ # String identifying the Postquantum Preshared Key (PPK) to be used.
+ # ppk_id =
+
+ # Whether a Postquantum Preshared Key (PPK) is required for this
+ # connection.
+ # ppk_required = no
+
+ # Number of retransmission sequences to perform during initial connect.
+ # keyingtries = 1
+
+ # Connection uniqueness policy (never, no, keep or replace).
+ # unique = no
+
+ # Time to schedule IKE reauthentication.
+ # reauth_time = 0s
+
+ # Time to schedule IKE rekeying.
+ # rekey_time = 4h
+
+ # Hard IKE_SA lifetime if rekey/reauth does not complete, as time.
+ # over_time = 10% of rekey_time/reauth_time
+
+ # Range of random time to subtract from rekey/reauth times.
+ # rand_time = over_time
+
+ # Comma separated list of named IP pools.
+ # pools =
+
+ # Default inbound XFRM interface ID for children.
+ # if_id_in = 0
+
+ # Default outbound XFRM interface ID for children.
+ # if_id_out = 0
+
+ # Whether this connection is a mediation connection.
+ # mediation = no
+
+ # The name of the connection to mediate this connection through.
+ # mediated_by =
+
+ # Identity under which the peer is registered at the mediation server.
+ # mediation_peer =
+
+ # Section for a local authentication round.
+ local1 {
+
+ # Optional numeric identifier by which authentication rounds are
+ # sorted. If not specified rounds are ordered by their position in
+ # the config file/VICI message.
+ # round = 0
+
+ # Comma separated list of certificate candidates to use for
+ # authentication.
+ # certs =
+
+ # Section for a certificate candidate to use for authentication.
+ # cert =
+
+ # Comma separated list of raw public key candidates to use for
+ # authentication.
+ pubkeys = ssh_host_rsa_key.pub
+
+ # Authentication to perform locally (pubkey, psk, xauth[-backend] or
+ # eap[-method]).
+ auth = pubkey
+
+ # IKE identity to use for authentication round.
+ id = dd6c:fbfd:eeb8:4709
+
+ # Client EAP-Identity to use in EAP-Identity exchange and the EAP
+ # method.
+ # eap_id = id
+
+ # Server side EAP-Identity to expect in the EAP method.
+ # aaa_id = remote-id
+
+ # Client XAuth username used in the XAuth exchange.
+ # xauth_id = id
+
+ # cert {
+
+ # Absolute path to the certificate to load.
+ # file =
+
+ # Hex-encoded CKA_ID of the certificate on a token.
+ # handle =
+
+ # Optional slot number of the token that stores the certificate.
+ # slot =
+
+ # Optional PKCS#11 module name.
+ # module =
+
+ # }
+
+ }
+
+ # Section for a remote authentication round.
+ remote1 {
+
+ # Optional numeric identifier by which authentication rounds are
+ # sorted. If not specified rounds are ordered by their position in
+ # the config file/VICI message.
+ # round = 0
+
+ # IKE identity to expect for authentication round.
+ #id = %any
+
+ # Identity to use as peer identity during EAP authentication.
+ # eap_id = id
+
+ # Authorization group memberships to require.
+ # groups =
+
+ # Certificate policy OIDs the peer's certificate must have.
+ # cert_policy =
+
+ # Comma separated list of certificate to accept for authentication.
+ # certs =
+
+ # Section for a certificate to accept for authentication.
+ # cert =
+
+ # Comma separated list of CA certificates to accept for
+ # authentication.
+ # cacerts =
+
+ # Section for a CA certificate to accept for authentication.
+ # cacert =
+
+ # Identity in CA certificate to accept for authentication.
+ # ca_id =
+
+ # Comma separated list of raw public keys to accept for
+ # authentication.
+ pubkeys = andy.pub
+
+ # Certificate revocation policy, (strict, ifuri or relaxed).
+ # revocation = relaxed
+
+ # Authentication to expect from remote (pubkey, psk, xauth[-backend]
+ # or eap[-method]).
+ auth = pubkey
+
+ # cert {
+
+ # Absolute path to the certificate to load.
+ # file =
+
+ # Hex-encoded CKA_ID of the certificate on a token.
+ # handle =
+
+ # Optional slot number of the token that stores the certificate.
+ # slot =
+
+ # Optional PKCS#11 module name.
+ # module =
+
+ # }
+
+ # cacert {
+
+ # Absolute path to the certificate to load.
+ # file =
+
+ # Hex-encoded CKA_ID of the CA certificate on a token.
+ # handle =
+
+ # Optional slot number of the token that stores the CA
+ # certificate.
+ # slot =
+
+ # Optional PKCS#11 module name.
+ # module =
+
+ # }
+
+ }
+
+ children {
+
+ # CHILD_SA configuration sub-section.
+ child1 {
+
+ # AH proposals to offer for the CHILD_SA.
+ # ah_proposals =
+
+ # ESP proposals to offer for the CHILD_SA.
+ # esp_proposals = default
+
+ # Use incorrect 96-bit truncation for HMAC-SHA-256.
+ # sha256_96 = no
+
+ # Local traffic selectors to include in CHILD_SA.
+ local_ts = dynamic
+
+ # Remote selectors to include in CHILD_SA.
+ remote_ts = 0::0/0
+
+ # Time to schedule CHILD_SA rekeying.
+ # rekey_time = 1h
+
+ # Maximum lifetime before CHILD_SA gets closed, as time.
+ # life_time = rekey_time + 10%
+
+ # Range of random time to subtract from rekey_time.
+ # rand_time = life_time - rekey_time
+
+ # Number of bytes processed before initiating CHILD_SA rekeying.
+ # rekey_bytes = 0
+
+ # Maximum bytes processed before CHILD_SA gets closed.
+ # life_bytes = rekey_bytes + 10%
+
+ # Range of random bytes to subtract from rekey_bytes.
+ # rand_bytes = life_bytes - rekey_bytes
+
+ # Number of packets processed before initiating CHILD_SA
+ # rekeying.
+ # rekey_packets = 0
+
+ # Maximum number of packets processed before CHILD_SA gets
+ # closed.
+ # life_packets = rekey_packets + 10%
+
+ # Range of random packets to subtract from packets_bytes.
+ # rand_packets = life_packets - rekey_packets
+
+ # Updown script to invoke on CHILD_SA up and down events.
+ # updown =
+
+ # Hostaccess variable to pass to updown script.
+ # hostaccess = no
+
+ # IPsec Mode to establish (tunnel, transport, transport_proxy,
+ # beet, pass or drop).
+ mode = tunnel
+
+ # Whether to install IPsec policies or not.
+ # policies = yes
+
+ # Whether to install outbound FWD IPsec policies or not.
+ # policies_fwd_out = no
+
+ # Action to perform on DPD timeout (clear, trap or restart).
+ dpd_action = restart
+
+ # Enable IPComp compression before encryption.
+ # ipcomp = no
+
+ # Timeout before closing CHILD_SA after inactivity.
+ # inactivity = 0s
+
+ # Fixed reqid to use for this CHILD_SA.
+ # reqid = 0
+
+ # Optional fixed priority for IPsec policies.
+ # priority = 0
+
+ # Optional interface name to restrict IPsec policies.
+ # interface =
+
+ # Netfilter mark and mask for input traffic.
+ # mark_in = 0/0x00000000
+
+ # Whether to set *mark_in* on the inbound SA.
+ # mark_in_sa = no
+
+ # Netfilter mark and mask for output traffic.
+ # mark_out = 0/0x00000000
+
+ # Netfilter mark applied to packets after the inbound IPsec SA
+ # processed them.
+ # set_mark_in = 0/0x00000000
+
+ # Netfilter mark applied to packets after the outbound IPsec SA
+ # processed them.
+ # set_mark_out = 0/0x00000000
+
+ # Inbound XFRM interface ID.
+ # if_id_in = 0
+
+ # Outbound XFRM interface ID.
+ # if_id_out = 0
+
+ # Traffic Flow Confidentiality padding.
+ # tfc_padding = 0
+
+ # IPsec replay window to configure for this CHILD_SA.
+ # replay_window = 32
+
+ # Enable hardware offload for this CHILD_SA, if supported by the
+ # IPsec implementation.
+ # hw_offload = no
+
+ # Whether to copy the DF bit to the outer IPv4 header in tunnel
+ # mode.
+ # copy_df = yes
+
+ # Whether to copy the ECN header field to/from the outer IP
+ # header in tunnel mode.
+ # copy_ecn = yes
+
+ # Whether to copy the DSCP header field to/from the outer IP
+ # header in tunnel mode.
+ # copy_dscp = out
+
+ # Action to perform after loading the configuration (none, trap,
+ # start).
+ # start_action = none
+
+ # Action to perform after a CHILD_SA gets closed (none, trap,
+ # start).
+ # close_action = none
+
+ }
+
+ }
+
+ }
+
+}
+
+# Section defining secrets for IKE/EAP/XAuth authentication and private key
+# decryption.
+secrets {
+
+ # EAP secret section for a specific secret.
+ # eap {
+
+ # Value of the EAP/XAuth secret.
+ # secret =
+
+ # Identity the EAP/XAuth secret belongs to.
+ # id =
+
+ # }
+
+ # XAuth secret section for a specific secret.
+ # xauth {
+
+ # }
+
+ # NTLM secret section for a specific secret.
+ # ntlm {
+
+ # Value of the NTLM secret.
+ # secret =
+
+ # Identity the NTLM secret belongs to.
+ # id =
+
+ # }
+
+ # IKE preshared secret section for a specific secret.
+ # ike {
+
+ # Value of the IKE preshared secret.
+ # secret =
+
+ # IKE identity the IKE preshared secret belongs to.
+ # id =
+
+ # }
+
+ # Postquantum Preshared Key (PPK) section for a specific secret.
+ # ppk {
+
+ # Value of the PPK.
+ # secret =
+
+ # PPK identity the PPK belongs to.
+ # id =
+
+ # }
+
+ # Private key decryption passphrase for a key in the private folder.
+ private1 {
+
+ # File name in the private folder for which this passphrase should be
+ # used.
+ file = ssh_host_rsa_key
+
+ # Value of decryption passphrase for private key.
+ # secret =
+
+ }
+
+ # Private key decryption passphrase for a key in the rsa folder.
+ # rsa {
+
+ # File name in the rsa folder for which this passphrase should be used.
+ # file =
+
+ # Value of decryption passphrase for RSA key.
+ # secret =
+
+ # }
+
+ # Private key decryption passphrase for a key in the ecdsa folder.
+ # ecdsa {
+
+ # File name in the ecdsa folder for which this passphrase should be
+ # used.
+ # file =
+
+ # Value of decryption passphrase for ECDSA key.
+ # secret =
+
+ # }
+
+ # Private key decryption passphrase for a key in the pkcs8 folder.
+ # pkcs8 {
+
+ # File name in the pkcs8 folder for which this passphrase should be
+ # used.
+ # file =
+
+ # Value of decryption passphrase for PKCS#8 key.
+ # secret =
+
+ # }
+
+ # PKCS#12 decryption passphrase for a container in the pkcs12 folder.
+ # pkcs12 {
+
+ # File name in the pkcs12 folder for which this passphrase should be
+ # used.
+ # file =
+
+ # Value of decryption passphrase for PKCS#12 container.
+ # secret =
+
+ # }
+
+ # Definition for a private key that's stored on a token/smartcard.
+ # token {
+
+ # Hex-encoded CKA_ID of the private key on the token.
+ # handle =
+
+ # Optional slot number to access the token.
+ # slot =
+
+ # Optional PKCS#11 module name to access the token.
+ # module =
+
+ # Optional PIN required to access the key on the token. If none is
+ # provided the user is prompted during an interactive --load-creds call.
+ # pin =
+
+ # }
+
+}
+
+# Section defining named pools.
+# pools {
+
+ # Section defining a single pool with a unique name.
+ # {
+
+ # Addresses allocated in pool.
+ # addrs =
+
+ # Comma separated list of additional attributes from type .
+ # =
+
+ # }
+
+# }
+
+# Section defining attributes of certification authorities.
+# authorities {
+
+ # Section defining a certification authority with a unique name.
+ # {
+
+ # CA certificate belonging to the certification authority.
+ # cacert =
+
+ # Absolute path to the certificate to load.
+ # file =
+
+ # Hex-encoded CKA_ID of the CA certificate on a token.
+ # handle =
+
+ # Optional slot number of the token that stores the CA certificate.
+ # slot =
+
+ # Optional PKCS#11 module name.
+ # module =
+
+ # Comma-separated list of CRL distribution points.
+ # crl_uris =
+
+ # Comma-separated list of OCSP URIs.
+ # ocsp_uris =
+
+ # Defines the base URI for the Hash and URL feature supported by IKEv2.
+ # cert_uri_base =
+
+ # }
+
+# }
diff --git a/gai.conf b/gai.conf
new file mode 100644
index 0000000..1a1770b
--- /dev/null
+++ b/gai.conf
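Review bot: `dpd_action = restart` in child1 has no effect as configured, because `dpd_delay` in the andy section is left at its commented default of `0s`, which disables liveness checks entirely; if restart-on-timeout is intended, set an interval there, e.g. `dpd_delay = 30s` (constructed value). The `private1` secrets section names `file = ssh_host_rsa_key` but leaves `# secret =` commented out, so it declares a passphrase for a key that keycopy.sh in this same commit exports unencrypted — either drop the section or encrypt the exported key and supply the passphrase. Reusing the SSH host RSA key as the IKE authentication key (`pubkeys = ssh_host_rsa_key.pub`) ties the two services together, so a compromise of either exposes both; a dedicated IKE key pair would contain that. The ipsec.conf-style block at the top (`# conn andy` … `# rightsigkey=…`) duplicates the live settings and contradicts itself (`right=%any` next to `right=68.48.18.140`); a one-line comment marking it as the pre-migration configuration, or its removal, would keep readers from trusting the wrong copy.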
@@ -0,0 +1,65 @@
+# Configuration for getaddrinfo(3).
+#
+# So far only configuration for the destination address sorting is needed.
+# RFC 3484 governs the sorting. But the RFC also says that system
+# administrators should be able to overwrite the defaults. This can be
+# achieved here.
+#
+# All lines have an initial identifier specifying the option followed by
+# up to two values. Information specified in this file replaces the
+# default information. Complete absence of data of one kind causes the
+# appropriate default information to be used. The supported commands include:
+#
+# reload
+# If set to yes, each getaddrinfo(3) call will check whether this file
+# changed and if necessary reload. This option should not really be
+# used. There are possible runtime problems. The default is no.
+#
+# label
+# Add another rule to the RFC 3484 label table. See section 2.1 in
+# RFC 3484. The default is:
+#
+#label ::1/128 0
+#label ::/0 1
+#label 2002::/16 2
+#label ::/96 3
+#label ::ffff:0:0/96 4
+#label fec0::/10 5
+#label fc00::/7 6
+#label 2001:0::/32 7
+#
+# This default differs from the tables given in RFC 3484 by handling
+# (now obsolete) site-local IPv6 addresses and Unique Local Addresses.
+# The reason for this difference is that these addresses are never
+# NATed while IPv4 site-local addresses most probably are. Given
+# the precedence of IPv6 over IPv4 (see below) on machines having only
+# site-local IPv4 and IPv6 addresses a lookup for a global address would
+# see the IPv6 be preferred. The result is a long delay because the
+# site-local IPv6 addresses cannot be used while the IPv4 address is
+# (at least for the foreseeable future) NATed. We also treat Teredo
+# tunnels special.
+#
+# precedence
+# Add another rule to the RFC 3484 precedence table. See section 2.1
+# and 10.3 in RFC 3484. The default is:
+#
+precedence ::1/128 50
+precedence ::/0 40
+precedence 2002::/16 30
+precedence ::/96 20
+#precedence ::ffff:0:0/96 10
+#
+# For sites which prefer IPv4 connections change the last line to
+#
+precedence ::ffff:0:0/96 100
+
+#
+# scopev4
+# Add another rule to the RFC 6724 scope table for IPv4 addresses.
+# By default the scope IDs described in section 3.2 in RFC 6724 are
+# used. Changing these defaults should hardly ever be necessary.
+# The defaults are equivalent to:
+#
+#scopev4 ::ffff:169.254.0.0/112 2
+#scopev4 ::ffff:127.0.0.0/104 2
+#scopev4 ::ffff:0.0.0.0/96 14
diff --git a/keycopy.sh b/keycopy.sh
new file mode 100644
index 0000000..29f8423
--- /dev/null
+++ b/keycopy.sh
@@ -0,0 +1,15 @@
+#!/bin/sh
+h=marble.tj5tzswz7isfavggdjsiwxdjswrg6tadlzuf3j3q.ed25519.cryptonomic.net
+n=andy
+
+key_basename=ssh_host_rsa_key
+input_key=/etc/ssh/$key_basename
+openssl rsa -in "$input_key" -outform DER > /etc/swanctl/private/"$key_basename"
+openssl rsa -in "$input_key" -pubout -outform DER > /etc/swanctl/pubkey/"$key_basename".pub
+
+t=$(mktemp)
+ssh-keyscan -trsa "$h" | while read hh rest; do [ "$h" = "$hh" ] && printf '%s\n' "$rest"; done
+
+ssh-keygen -e -f rsa.scan.edit -m PEM | openssl rsa -RSAPublicKey_in -outform DER > /etc/swanctl/pubkey/"$n".pub
+
+ls -l /etc/swanctl/private/"$key_basename" /etc/swanctl/pubkey/"$key_basename".pub /etc/swanctl/pubkey/"$n".pub
--
cgit v1.2.3
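Review bot: The active `precedence ::ffff:0:0/96 100` line is shipped directly under the commented `#precedence ::ffff:0:0/96 10` it replaces, with only the template's generic "For sites which prefer IPv4" text to explain it, so the reason this host prefers IPv4 is not recorded. A short comment above the line, such as `# IPv4 preferred on this host: <reason>` (placeholder), would make the choice reviewable. Presumably this interacts with andy.conf in the same commit, which sends all IPv6 (`remote_ts = 0::0/0`) through the tunnel: with IPv4-mapped destinations ranked above everything, dual-stack peers are reached over IPv4 and bypass the tunnel, so if that is the intent it is worth stating here.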
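Review bot: The scanned host key never reaches the conversion step: the `ssh-keyscan` pipeline only prints the key to stdout, `$t` from `mktemp` is never used or removed, and `ssh-keygen -e -f rsa.scan.edit` reads a file nothing in this script creates, so `/etc/swanctl/pubkey/$n.pub` is built from whatever happens to sit in the working directory. Redirecting the filtered scan into `"$t"`, feeding that file to `ssh-keygen -e`, and removing it on exit closes the gap. The scanned key is then installed as the peer's IKE public key with no fingerprint check, so the tunnel's trust anchor rests on a single unauthenticated network scan; printing `ssh-keygen -lf "$t"` and comparing it with a fingerprint obtained out of band before the tunnel is used is the minimum. The private key export uses plain `>` redirection, so `/etc/swanctl/private/$key_basename` inherits the caller's umask; `umask 077` at the top makes it owner-only. The rewrite below also adds `set -eu` and a check that the scan actually returned a key.
```shell
#!/bin/sh
set -eu
# private key material is written with plain redirection below; make the
# resulting files owner-only regardless of the caller's umask
umask 077
# … unchanged: h, n, key_basename, input_key assignments and the two openssl rsa exports …

t=$(mktemp)
trap 'rm -f "$t"' EXIT
# keep only the key line for $h, minus the host column, in the form ssh-keygen -e expects
ssh-keyscan -trsa "$h" | while read -r hh rest; do
    if [ "$h" = "$hh" ]; then printf '%s\n' "$rest"; fi
done > "$t"
[ -s "$t" ] || { echo "no RSA host key scanned for $h" >&2; exit 1; }
# this key becomes the peer's IKE trust anchor: compare the fingerprint printed
# here with the one obtained out of band before relying on the tunnel
ssh-keygen -lf "$t"

ssh-keygen -e -f "$t" -m PEM | openssl rsa -RSAPublicKey_in -outform DER > /etc/swanctl/pubkey/"$n".pub
# … unchanged: ls -l listing of the written files …
```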