scottk/wlan-lanforge-scripts
1
0
Fork 0
mirror of https://github.com/Telecominfraproject/wlan-lanforge-scripts.git synced 2025-11-03 12:18:00 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
aa553915c103de41bf931f776a6caaafae61372f
wlan-lanforge-scripts/setup-concentrator.sh
Jed Reynolds 5ef27f558a adds scp of config files to station
2019-09-06 13:44:08 -07:00

359 lines
8.9 KiB
Bash
Executable File
Raw Blame History

#!/bin/bash
set -x
set -e
[ -f /root/strongswan-config ] && . /root/strongswan-config ||:
ETC=${ETC:=/etc/strongswan}
SWAND="$ETC/strongswan.d"
IPSECD="$ETC/ipsec.d"
SWANC="$ETC/swanctl"
NOWSEC=`date +%s`
SWAN_LIBX=${SWAN_LIBX:=/usr/libexec/strongswan}
[ -d $SWAN_LIBX ] || {
echo "SWAN_LIBX $SWAN_LIBX not found. Plese set SWAN_LIBX in /root/strongswan-config"
exit 1
}
export LD_LIBRARY_PATH="$SWAN_LIBX:$LD_LIBRARY_PATH"
WAN_IF=${WAN_IF:=eth1}
WAN_IP=${WAN_IP:=10.1.99.1}
WAN_CONCENTRATOR_IP=${WAN_CONCENTRATOR_IP:=10.1.99.1}
XIF_IP=${XIF_IP:=10.9.99.1}
function initialize_vrf() {
local WANDEV=$WAN_IF
local VRFID=$1
local VRFDEV=vrf$VRFID
local XFRMDEV=xfrm$VRFID
# do you need this?
#sysctl -w net.ipv4.ip_forward=1
#sysctl -w net.ipv4.conf.all.rp_filter=0
# setup vrf
ip link add $VRFDEV type vrf table $VRFID
ip link set dev $VRFDEV up
ip route add unreachable default metric 4278198272 vrf $VRFDEV
# create tunnel device
ip li del $XFRMDEV >/dev/null 2>&1
$SWAN_LIBX/xfrmi -n $XFRMDEV -i $VRFID -d $WANDEV
ip li set dev $XFRMDEV up
ip li set dev $XFRMDEV master $VRFDEV
ip add add 169.254.24.201/32 dev $XFRMDEV scope link
ip ro add default dev $XFRMDEV vrf $VRFDEV
ip -6 ro add default dev $XFRMDEV vrf $VRFDEV
}
function initialize_fake_client_netns() {
local VRFID=$1
sysctl net.ipv4.conf.all.rp_filter=0
sysctl net.ipv4.conf.default.rp_filter=0
ip netns add ts-vrf-${VRFID}
ip netns exec ts-vrf-${VRFID} ip li set dev lo up
ip li del ts-vrf-${VRFID}a
ip link add ts-vrf-${VRFID}a type veth peer name ts-vrf-${VRFID}b netns ts-vrf-${VRFID}
ip netns exec ts-vrf-${VRFID} ip link set dev ts-vrf-${VRFID}b up
ip netns exec ts-vrf-${VRFID} ip add add dev ts-vrf-${VRFID}b 10.0.201.2/24
ip netns exec ts-vrf-${VRFID} ip ro add default via 10.0.201.1
ip li set dev ts-vrf-${VRFID}a up
ip li set dev ts-vrf-${VRFID}a master vrf${VRFID}
ip add add 10.0.201.1/24 dev ts-vrf-${VRFID}a
}
function initialize() {
[ -d "$SWANC/peers-available" ] || mkdir "$SWANC/peers-available"
[ -d "$SWANC/peers-enabled" ] || mkdir "$SWANC/peers-enabled"
[ -f "$SWANC/secrets.conf" ] || touch "$SWANC/secrets.conf"
systemctl enable strongswan
systemctl daemon-reload
systemct start strongswan || {
journalctl -xe
}
}
function vrf_ping() {
local vrfid=$1
ip netns exec ts-vrf-$vrfid ping 10.0.201.2
}
function backup_keys() {
if [ -f $SWANC/secrets.conf ]; then
cp $SWANC/secrets.conf $SWANC/.secrets.conf.$NOWSEC
fi
}
function deactivate_peer() {
[ -e "$SWANC/peers-enabled/${1}.conf" ] || {
if [ -e "$SWANC/peers-available/${1}.conf" ]; then
echo "Peer $1 deactivated."
else
echo "No peer config at $SWANC/peers-available/${1}.conf"
fi
exit 0
}
echo -n "Deactivating $1..."
rm "$SWANC/peers-enabled/${1}.conf"
swanctl --load-all
echo "done"
}
function activate_peer() {
[ -f "$SWANC/peers-available/${1}.conf" ] || {
echo "No peer config at $SWANC/peers-available/${1}.conf"
exit 1
}
if [ -e "$SWANC/peers-enabled/${1}.conf" ]; then
echo "Peer $1 actiated."
else
echo -n "Activating $1..."
ln -s" $SWANC/peers-available/${1}.conf" "$SWANC/peers-enabled/"
swanctl --load-all
echo "done"
fi
}
function create_concentrator_peer() {
if [ -f "$SWANC/peers-available/${1}.conf" ]; then
echo "Peer $1 config already exists."
return;
fi
cat > "$SWANC/peers-available/${1}.conf" <<EOF
$1 {
local_addrs = %any
remote_addrs = %any
unique = replace
local {
auth = psk
id = @${1}-slave.loc # identifier, use VRF ID
}
remote {
auth = psk
id = @${1}-master.loc # remote id, use VRF ID
}
children {
${1}_sa {
local_ts = 0.0.0.0/0, ::/0
remote_ts = 0.0.0.0/0, ::/0
if_id_out = 1 # xfrm interface id, use VRF ID
if_id_in = 1 # xfrm interface id, use VRF ID
start_action = trap
life_time = 1h
rekey_time = 55m
esp_proposals = aes256gcm128-modp3072 # good for Intel HW
dpd_action = trap
}
}
keyingtries = 0
dpd_delay = 30
version = 2
mobike = yes
rekey_time = 23h
over_time = 1h
proposals = aes256-sha256-modp3072
}
EOF
}
function create_station_peer() {
if [ -f "$SWANC/peers-available/${1}.conf-remote" ]; then
echo "Peer $1 remote config already exists."
echo "Remove $SWANC/peers-available/${1}.conf-remote to continue."
exit 1;
fi
cat > "$SWANC/peers-available/${1}.conf-remote" <<EOF
$1 {
local_addrs = %any # use any local ip to connect to remote
remote_addrs = $WAN_CONCENTRATOR_IP
unique = replace
local {
auth = psk
id = @${1}-master.loc # identifier, use VRF ID
}
remote {
auth = psk
id = @${1}-slave.loc # remote id, use VRF ID
}
children {
${1}_sa {
local_ts = 0.0.0.0/0, ::/0
remote_ts = 0.0.0.0/0, ::/0
if_id_out = 1 # xfrm interface id, use VRF ID
if_id_in = 1 # xfrm interface id, use VRF ID
start_action = trap
life_time = 1h
rekey_time = 55m
esp_proposals = aes256gcm128-modp3072 # good for Intel HW
dpd_action = trap
}
}
keyingtries = 0
dpd_delay = 30
version = 2
mobike = yes
rekey_time = 23h
over_time = 1h
proposals = aes256-sha256-modp3072
}
EOF
}
function create_concentrator_key() {
[ -f "$SWANC/secrets.conf" ] || {
echo "$SWANC/secrets.conf not found!"
exit 1
}
backup_keys
k=`dd if=/dev/urandom bs=20 count=1 | base64`
cat >> "$SWANC/secrets.conf" <<EOF
ike-${1}-master {
id = ${1}-master.loc # use remote id specified in tunnel config
secret = "$k"
}
EOF
echo "created $1 key"
}
function create_station_key() {
[ -f "$SWANC/secrets.conf" ] || {
echo "$SWANC/secrets.conf not found!"
exit 1
}
backup_keys
local conc_keys=(`egrep -B4 "^ike-${1}-master \{" $SWANC/secrets.conf`)
local lines=()
local foundit=0
local line
for line in "${conc_keys[@]}"; do
echo "LINE $line"
[[ $line = *-master.loc ]] && {
line=${line/master.loc/slave.loc}
} ||:
lines+=($line)
done
for line in "${lines}"; do
echo "$line"
done > $SWANC/${1}-secrets.conf-remote
echo "created $SWANC/${1}-secrets.conf-remote"
}
function get_vrf_for_if() {
local ifmaster=`ip -o li show $1 | egrep -o '(master \S+)'`
[[ x$ifmaster = x ]] && echo "No master found for $1"
echo ${ifmaster#master }
}
function enable_ipsec_if() {
vrfnum=$(get_vrf_for_if $WAN_IF)
xif="xfrm${vrfnum}"
$SWAN_LIBX/xfrmi -n $xif -i ${vrfnum} -d $WAN_IF ||:
ip link set dev $xif up ||:
ip link set dev $xif master vrf${vrfnum} ||:
ip address add $XIF_IP/32 dev $xif scope link ||:
ip route add default dev $xif vrf $vrfnum ||:
ip route add 10.0.0.0/8 dev $xif vrf $vrfnum ||:
}
function check_arg() {
if [ ! -f "$SWANC/secrets.conf" ] ; then
echo "$SWANC/secrets.conf not found. Suggest running $0 -i, bye."
exit 1
fi
[[ z$1 != z ]] || {
echo "Please give me a peer name, bye."
exit 1
}
}
function activate_all() {
local f
for f in $SWANC/*.conf; do
echo "CONF $f"
f=`basename $f`
[[ $f = secrets.conf ]] && continue ||:
[[ $f = swanctl.conf ]] && continue ||:
[[ $f = *.conf ]] && f=${f%.conf}
echo "f now $f"
activate_peer $f
done
}
function copy_config() {
local vrf=`get_vrf_for_if $WAN_IF`
ip vrf exec $vrf scp $WAN_IP:$SWANC/${1}-secrets.conf-remote $SWANC/${1}-secrets.conf
ip vrf exec $vrf scp $WAN_IP:$SWANC/peers-available/${1}.conf-remote $SWANC/peers-available/${1}.conf
}
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# M A I N
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
while getopts "a:c:d:f:p:v:behi" arg; do
case $arg in
a)
check_arg $OPTARG
echo "Activating $OPTARG"
activate_peer $OPTARG
;;
b)
enable_ipsec_if $WAN_IF
;;
c)
check_arg $OPTARG
echo "Creating $OPTARG"
create_concentrator_peer $OPTARG
create_station_peer $OPTARG
create_concentrator_key $OPTARG
create_station_key $OPTARG
;;
d)
check_arg $OPTARG
echo "Deactivating $OPTARG"
deactivate_peer $OPTARG
;;
e)
activate_all
;;
f)
check_arg $OPTARG
copy_config $OPTARG
;;
h)
cat <<EOF
$0 -i : initialize /etc/strongswan directories
-b : enable ipsec transform interface on [$WAN_IF]
-c peer : create_station_peer then create_station_key
-a peer : activate peer
-d peer : deactivate peer
-e : activate all peers
-f peer : copy config files from $WAN_IF:/etc/strongswan/swanctl/\$peer.conf-remote
-p : print peers
-v intf : get vrf for interface
-h : help
EOF
;;
i)
initialize
echo "Initialized."
exit 0;
;;
p)
#echo " print peers"
strongswan list
;;
v)
check_arg $OPTARG
get_vrf_for_if $OPTARG
;;
*) echo "Unknown option: $arg"
esac
done
Reference in New Issue View Git Blame Copy Permalink