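#!/bin/sh
#
# sa-up.sh local configuration for a new SA
#
# Run by racoon once a phase 1 SA is up.  Everything it needs arrives in the
# environment: LOCAL_ADDR/LOCAL_PORT (our side), REMOTE_ADDR/REMOTE_PORT
# (the peer) and INTERNAL_ADDR4/INTERNAL_NETMASK4/INTERNAL_DNS4, the values
# the peer handed out for the tunnel.  The INTERNAL_* values are chosen by
# the remote end and end up in /etc/resolv.conf, in ifconfig/route arguments
# and in the setkey policy, so each one is checked for a dotted-quad shape
# before any of that happens and every expansion is quoted.
#
# Supports NetBSD and Linux.  On Linux the legacy net-tools commands
# (netstat, ifconfig, route) must be available.
#
# Exit status: 0 when the SA was configured or there was nothing to
# configure (an INTERNAL_* value missing), 1 when a supplied value is
# malformed and was refused.
#
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin

OS=$(uname -s)

# is_ipv4 VALUE -- succeed iff VALUE has the shape of a dotted quad a.b.c.d.
# Octet range is not checked; the point is to reject anything that is not a
# plain address (whitespace, option-looking strings, setkey syntax).
is_ipv4() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# is_port VALUE -- succeed iff VALUE is a non-empty run of digits.
is_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  return 0
}

# require_ipv4 NAME VALUE -- exit 0 (nothing to configure) when VALUE is
# empty, exit 1 with a diagnostic when it is set but not an IPv4 address.
require_ipv4() {
  if [ -z "$2" ]; then
    printf '%s: %s not set, nothing to do\n' "$0" "$1" >&2
    exit 0
  fi
  if ! is_ipv4 "$2"; then
    printf '%s: %s=%s is not an IPv4 address, refusing to use it\n' \
      "$0" "$1" "$2" >&2
    exit 1
  fi
}

# default_gw -- print the current IPv4 default gateway (nothing if unknown
# or on an unsupported OS).
default_gw() {
  case "$OS" in
    NetBSD) netstat -finet -rn | awk '($1 == "default"){print $2; exit}' ;;
    Linux)  netstat --inet -rn | awk '($1 == "0.0.0.0"){print $2; exit}' ;;
  esac
}

# default_if -- print the interface carrying the IPv4 default route
# (nothing if unknown or on an unsupported OS).
default_if() {
  case "$OS" in
    NetBSD) netstat -finet -rn | awk '($1 == "default"){print $7; exit}' ;;
    Linux)  netstat --inet -rn | awk '($1 == "0.0.0.0"){print $8; exit}' ;;
  esac
}

DEFAULT_GW=$(default_gw)

# Log what we were handed; racoon collects stdout.
printf '%s\n' "$*"
printf 'LOCAL_ADDR = %s\n' "${LOCAL_ADDR}"
printf 'LOCAL_PORT = %s\n' "${LOCAL_PORT}"
printf 'REMOTE_ADDR = %s\n' "${REMOTE_ADDR}"
printf 'REMOTE_PORT = %s\n' "${REMOTE_PORT}"
printf 'DEFAULT_GW = %s\n' "${DEFAULT_GW}"
printf 'INTERNAL_ADDR4 = %s\n' "${INTERNAL_ADDR4}"
printf 'INTERNAL_NETMASK4 = %s\n' "${INTERNAL_NETMASK4}"
printf 'INTERNAL_DNS4 = %s\n' "${INTERNAL_DNS4}"

# All of these are interpolated into privileged commands below; none of
# them may be anything but a plain IPv4 address.
require_ipv4 INTERNAL_ADDR4 "${INTERNAL_ADDR4}"
require_ipv4 INTERNAL_NETMASK4 "${INTERNAL_NETMASK4}"
require_ipv4 DEFAULT_GW "${DEFAULT_GW}"
require_ipv4 REMOTE_ADDR "${REMOTE_ADDR}"

# Point the resolver at the DNS server the peer supplied.  The previous file
# is kept as resolv.conf.bak.  When no usable server was supplied the file is
# left alone rather than replaced with one that has no nameserver at all.
if is_ipv4 "${INTERNAL_DNS4}"; then
  mv /etc/resolv.conf /etc/resolv.conf.bak
  ( umask 022
    {
      printf '# Generated by racoon on %s\n' "$(date)"
      printf 'nameserver %s\n' "${INTERNAL_DNS4}"
    } > /etc/resolv.conf )
else
  printf '%s: INTERNAL_DNS4=%s is not usable, leaving /etc/resolv.conf alone\n' \
    "$0" "${INTERNAL_DNS4}" >&2
fi

# Put the tunnel address on the interface that carries the default route,
# then send everything through the tunnel except the peer itself, which is
# still reached through the original gateway.
ifname=$(default_if)
case "$OS" in
NetBSD)
  ifconfig "${ifname}" alias "${INTERNAL_ADDR4}" netmask "${INTERNAL_NETMASK4}"
  route delete default
  route add default "${DEFAULT_GW}" -ifa "${INTERNAL_ADDR4}"
  route add "${REMOTE_ADDR}" "${DEFAULT_GW}"
  ;;
Linux)
  ifconfig "${ifname}:1" "${INTERNAL_ADDR4}"
  route delete default
  route add "${REMOTE_ADDR}" gw "${DEFAULT_GW}" dev "${ifname}"
  route add default gw "${DEFAULT_GW}" dev "${ifname}:1"
  ;;
esac

LOCAL="${LOCAL_ADDR}"
REMOTE="${REMOTE_ADDR}"
if [ "x${LOCAL_PORT}" != "x500" ]; then
  # NAT-T setup: the SA endpoints are the UDP-encapsulation ports, which
  # setkey expects written as addr[port].
  if ! is_port "${LOCAL_PORT}" || ! is_port "${REMOTE_PORT}"; then
    printf '%s: NAT-T ports LOCAL_PORT=%s REMOTE_PORT=%s are not numeric\n' \
      "$0" "${LOCAL_PORT}" "${REMOTE_PORT}" >&2
    exit 1
  fi
  LOCAL="${LOCAL}[${LOCAL_PORT}]"
  REMOTE="${REMOTE}[${REMOTE_PORT}]"
fi

# Tunnel-mode policies: everything from the tunnel address out, and
# everything to it in.
setkey -c <<EOF
spdadd ${INTERNAL_ADDR4}/32[any] 0.0.0.0/0[any] any
  -P out ipsec esp/tunnel/${LOCAL}-${REMOTE}/require;
spdadd 0.0.0.0/0[any] ${INTERNAL_ADDR4}[any] any
  -P in ipsec esp/tunnel/${REMOTE}-${LOCAL}/require;
EOF

#
# XXX This is a workaround for Linux forward policies problem.
# Someone familiar with forward policies please fix this properly.
#
case "$OS" in
Linux)
  setkey -c <<EOF
spddelete 0.0.0.0/0[any] ${INTERNAL_ADDR4}[any] any
  -P fwd ipsec esp/tunnel/${REMOTE}-${LOCAL}/require;
EOF
  ;;
esac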