auto.in

This a good VPN source

		} else if (t == "passthrough") {
			type_flags = "--pass"
		} else if (t == "drop") {
			type_flags = "--drop"
		} else if (t == "reject") {
			type_flags = "--reject"
		} else
			fail("unknown type " v(t))

		default("failureshunt", "none")
		t = s["failureshunt"]
		if (t == "passthrough")
			type_flags = type_flags " --failpass";
		else if (t == "drop")
			type_flags = type_flags " --faildrop";
		else if (t == "reject")
			type_flags = type_flags " --failreject";
		else if (t != "none")
			fail("unknown failureshunt value " v(t))

		need("left")
		need("right")
		if (s["left"] == "%defaultroute") {
			if (s["right"] == "%defaultroute")
				fail("left and right cannot both be %defaultroute")
			if (draddr == "")
				fail("%defaultroute requested but not known")
			s["left"] = draddr
			nexthopset("left", drnexthop)
		} else if (s["right"] == "%defaultroute") {
			if (draddr == "")
				fail("%defaultroute requested but not known")
			s["right"] = draddr
			nexthopset("right", drnexthop)
		}

		default("keyexchange", "ike")
		if (s["keyexchange"] != "ike")
			fail("only know how to do keyexchange=ike")
		default("auth", "esp")
		if (("auth" in s) && s["auth"] != "esp" && s["auth"] != "ah")
			fail("only know how to do auth=esp or auth=ah")

		yesno("pfs")
		default("pfs", "yes")

 		yesno("aggrmode")
 		default("aggrmode", "no")

                duration("dpddelay")
                duration("dpdtimeout")
                if(("dpddelay" in s) && !("dpdtimeout" in s))
                        default("dpdtimeout",120)
                if(!("dpddelay" in s) && ("dpdtimeout" in s))
                        default("dpddelay",30)
                default("dpdaction","hold")

		yesno("forceencaps")
		default("forceencaps", "no")
		yesno("xauth")
		default("xauth", "no")
		yesno("xauthserver")
		default("xauthserver", "no")
		yesno("xauthclient")
		default("xauthclient", "no")
		yesno("modecfgserver")
		default("modecfgserver", "no")
		yesno("modecfgclient")
		default("modecfgclient", "no")

		yesno("modecfgpull")
		default("modecfgpull", "no")

		yesno("compress")
		default("compress", "no")
		default("keylife", "8h")
		duration("keylife")
		yesno("rekey")
		default("rekey", "yes")
		default("rekeymargin", "9m")
		duration("rekeymargin")
		default("keyingtries", "%forever")
		if (s["keyingtries"] == "%forever")
			s["keyingtries"] = 0
		integer("keyingtries")
		if ("rekeyfuzz" in s) {
			if (s["rekeyfuzz"] !~ /%$/)
				fail("rekeyfuzz must be nnn%")
			r = s["rekeyfuzz"]
			s["rekeyfuzz"] = substr(r, 1, length(r)-1)
			integer("rekeyfuzz")
		}
		duration("ikelifetime")
		default("disablearrivalcheck", "no")

		default("leftsendcert", "always")
		default("rightsendcert", "always")

		default("leftnexthop", "%direct")
		default("rightnexthop", "%direct")
		if (s["leftnexthop"] == s["left"])
			fail("left and leftnexthop must not be the same")
		if (s["rightnexthop"] == s["right"])
			fail("right and rightnexthop must not be the same")
		if (s["leftnexthop"] == "%defaultroute") {
			if (drnexthop == "")
				fail("%defaultroute requested but not known")
			s["leftnexthop"] = drnexthop
		}
		if (s["rightnexthop"] == "%defaultroute") {
			if (drnexthop == "")
				fail("%defaultroute requested but not known")
			s["rightnexthop"] = drnexthop
		}

		default("leftupdown", "ipsec _updown")
		default("rightupdown", "ipsec _updown")
		default("authby", "rsasig")
		t = s["authby"]
		if (t == "rsasig" || t == "secret|rsasig" || t == "rsasig|secret") {
			authtype = "--rsasig"
			type_flags = "--encrypt " type_flags
			if (!("leftcert" in s)) {
				default("leftrsasigkey", "%dnsondemand")
				if (id("left") == "%any" &&
				    !(s["leftrsasigkey"] == "%cert" ||
				      s["leftrsasigkey"] == "0x00") )
					fail("ID " v(id("left")) " cannot have RSA key")
			}
			if (!("rightcert" in s)) {
				default("rightrsasigkey", "%dnsondemand")
				if (id("right") == "%any" &&
				    !(s["rightrsasigkey"] == "%cert" ||
				      s["rightrsasigkey"] == "0x00") )
					fail("ID " v(id("right")) " cannot have RSA key")
			}
			if (t != "rsasig")
				authtype = authtype " --psk"
 		} else if (t == "secret") {
			authtype = "--psk"
			type_flags = "--encrypt " type_flags
		} else if (t == "never") {
			authtype = ""
		} else {
			fail("unknown authby value " v(t))
		}

		settings = type_flags

                # BEGIN IPv6
                default("connaddrfamily", "ipv4")
                if (s["connaddrfamily"] == "ipv6") {
                        settings = settings " --ipv6"
                } else if (s["connaddrfamily"] != "ipv4") {
                        fail("unknown connaddrfamily value " s["connaddrfamily"])
                }
                # END IPv6

		if (s["ike"] != "")
			settings = settings " --ike " qs("ike")
		if (s["esp"] != "")
			settings = settings " --esp " qs("esp")

		if (s["auth"] == "ah")
			settings = settings " --authenticate"
		if (s["pfs"] == "yes") {
			settings = settings " --pfs"
			if (s["pfsgroup"] != "")
				settings = settings " --pfsgroup " qs("pfsgroup")
		}
 		if (s["aggrmode"] == "yes")
 			settings = settings " --aggrmode"

		if (s["forceencaps"] == "yes")
			settings = settings " --forceencaps"

		if (s["modecfgpull"] == "yes")
			settings = settings " --modecfgpull"

		if (s["compress"] == "yes")
			settings = settings " --compress"

                if (s["dpddelay"])
                        settings = settings " --dpddelay " qs("dpddelay")
                if (s["dpdtimeout"])
                        settings = settings " --dpdtimeout " qs("dpdtimeout")
                if (s["dpdaction"])
                        settings = settings " --dpdaction " qs("dpdaction")

		if (op == "--replace")
			settings = settings " --delete"
		if ("ikelifetime" in s)
			settings = settings " --ikelifetime " qs("ikelifetime")
		if (s["disablearrivalcheck"] == "yes")
			settings = settings " --disablearrivalcheck"
		settings = settings " " authtype

		lc = ""
		rc = ""
		if ("leftsubnet" in s)
			lc = "--client " qs("leftsubnet")
		if ("rightsubnet" in s)
			rc = "--client " qs("rightsubnet")
		if ("leftsubnetwithin" in s)
			lc = lc " --clientwithin " qs("leftsubnetwithin")
		if ("rightsubnetwithin" in s)
			rc = rc " --clientwithin " qs("rightsubnetwithin")
		lp = ""
		rp = ""
		if ("leftprotoport" in s)
			lp = "--clientprotoport " qs("leftprotoport")
		if ("rightprotoport" in s)
			rp = "--clientprotoport " qs("rightprotoport")
		lud = "--updown " qs("leftupdown")
		rud = "--updown " qs("rightupdown")
		lid = ""
		if ("leftid" in s)
			lid = "--id " qs("leftid")
		rid = ""
		if ("rightid" in s)
			rid = "--id " qs("rightid")

		lsip = ""
		if ("leftsourceip" in s)
		        lsip= "--srcip " qs("leftsourceip")

		rsip = ""
                if ("rightsourceip" in s)
                        rsip= "--srcip " qs("rightsourceip")

		if ("leftxauthserver" in s)
			lxauth = "--xauthserver" 
		if ("leftxauthclient" in s)
			lxauth = "--xauthclient" 

		if ("rightxauthserver" in s)
			rxauth = "--xauthserver" 
		if ("rightxauthclient" in s)
			rxauth = "--xauthclient" 

		if ("leftmodecfgserver" in s)
			lmodecfg = "--modecfgserver" 
		if ("leftmodecfgclient" in s)
			lmodecfg = "--modecfgclient" 

		if ("rightmodecfgserver" in s)
			rmodecfg = "--modecfgserver" 
		if ("rightmodecfgclient" in s)
			rmodecfg = "--modecfgclient" 

		if ("leftsendcert" in s)
			lscert = "--sendcert " qs("leftsendcert")
		if ("rightsendcert" in s)
			rscert = "--sendcert " qs("rightsendcert")

		lcert = ""
		if ("leftcert" in s)
			lcert = "--cert " qs("leftcert")
		rcert = ""
		if ("rightcert" in s)
			rcert = "--cert " qs("rightcert")

		lcerttype=""
		if ("leftcerttype" in s) {
		        lcerttype = "--certtype " qs("leftcerttype")
                }
		rcerttype=""
		if ("rightcerttype" in s) {
		        rcerttype = "--certtype " qs("rightcerttype")
                }
                        

		lca = ""
		if ("leftca" in s)
			lca = "--ca " qs("leftca")
		rca = ""
		if ("rightca" in s)
			rca = "--ca " qs("rightca")
                lgr = ""
                if ("leftgroups" in s)
                        lgr = "--groups " qs("leftgroups")
                rgr = ""
                if ("rightgroups" in s)
                        rgr = "--groups " qs("rightgroups")
		fuzz = ""
		if ("rekeyfuzz" in s)
			fuzz = "--rekeyfuzz " qs("rekeyfuzz")
		rk = ""
		if (s["rekey"] == "no")
			rk = "--dontrekey"
		pd = ""
		if ("_plutodevel" in s)
			pd = "--plutodevel " s["_plutodevel"]	# not qs()

		lkod = ""
		rkod = ""
		if (authtype != "--psk") {
			kod = ""
			whackkey("left", "rsasigkey", "")
			whackkey("left", "rsasigkey2", "--addkey")
			lkod = kod
			kod = ""
			whackkey("right", "rsasigkey", "")
			whackkey("right", "rsasigkey2", "--addkey")
			rkod = kod
		}
		print "ipsec whack --name", name, settings, "\\"
		print "\t--host", qs("left"), lc, lp, "--nexthop",
			qs("leftnexthop"), lud, lid, lkod, lcert, lscert, lcerttype,
			lca, lxauth, lmodecfg, lsip, lgr, "\\"
		print "\t--to", "--host", qs("right"), rc, rp, "--nexthop",
			qs("rightnexthop"), rud, rid, rkod, rcert,rscert, rcerttype,
			rca, rxauth, rmodecfg, rsip, rgr, "\\"
		print "\t--ipseclifetime", qs("keylife"),
			"--rekeymargin", qs("rekeymargin"), "\\"
		print "\t--keyingtries", qs("keyingtries"), fuzz, rk, pd, "\\"
		print "\t|| exit $?"
	}
	END {
		if (failed) {
			print "# fatal error discovered, force failure using \"false\" command"
			print "false"
			exit 1		# just on general principles
		}
		if (seensome)
			output()
	}' | runit