manual.in

ipsec vpn

#! /bin/sh
# user interface to manual keying
# Copyright (C) 1998, 1999  Henry Spencer.
# 
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2 of the License, or (at your
# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
# 
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
# for more details.
#
# RCSID $Id: manual.in,v 1.84.2.2 2006/02/15 04:05:05 paul Exp $

me='ipsec manual'
usage="Usage:
  $me [--showonly] --{up|down|route|unroute} name
  $me [--showonly] --{up|down|route|unroute} --union partname ... 

  other options: [--config ipsecconfigfile] [--other] [--show]
			[--iam ipaddress@interface]"

# make sure outputs of (e.g.) ifconfig are in English
unset LANG LANGUAGE LC_ALL LC_MESSAGES

showonly=
config=
info=/var/run/pluto/ipsec.info
shopts=
other=0
union=0
noinclude=
interfs=
op=

for dummy
do
	case "$1" in
	--help)		echo "$usage" ; exit 0	;;
	--version)	echo "$me $IPSEC_VERSION" ; exit 0	;;
	--show)		shopts=-x		;;
	--showonly)	showonly=yes		;;
	--other)	other=1			;;
	--union)	union=1			;;
	--config)	config="--config $2" ; shift	;;
	--noinclude)	noinclude=--noinclude	;;
	--iam)		interfs="$2" ; shift	;;
	--up|--down|--route|--unroute)
			if test " $op" != " "
			then
				echo "$usage" >&2
				exit 2
			fi
			op="$1"
			;;
	--)		shift ; break		;;
	-*)		echo "$me: unknown option \`$1'" >&2 ; exit 2	;;
	*)		break			;;
	esac
	shift
done

case "$op$#:$union" in
[01]:*)		echo "$usage" >&2 ; exit 2	;;
2:0)		echo "$me: warning: obsolete command syntax used" >&2
		op="--$2"
		names="$1"
		;;
[0-9]*:1)	;;
--*)		if test $# -eq 0
		then
			echo "$usage" >&2
			exit 2
		fi
		names="$*"
		;;
*)		echo "$usage" >&2 ; exit 2	;;
esac
if test " $op" = " "
then
	# --union obsolete-syntax case, op is last argument
	echo "$me: warning: obsolete command syntax used" >&2
	names=
	prev=
	for arg
	do
		names="$names $prev"
		prev="$arg"
	done
	op="--$prev"
fi
case "$op" in
--up|--down|--route|--unroute)		;;
*)	echo "$usage" >&2 ; exit 2	;;
esac

case "$interfs" in
'')	interfs="`ifconfig |
		awk '	/^ipsec/ { interf = $1 ; next }
			/^[^ \t]/ { interf = "" ; next }
			/^[ \t]*inet addr/ {
				sub(/:/, " ", $0)
				if (interf != "") {
					printf "%s%s@%s", spacesep, $3, interf
					spacesep=" "
				}
			}'`"

	;;
esac

if test -s $info
then
	. $info
fi

ipsec _confread $config $noinclude $names |
awk '	BEGIN {
		FS = "\t"
		myname = "'"$me"'"
		err = "cat >&2"
		op = "'"$op"'"
		other = '"$other"'
		names = "'"$names"'"
		interfs = "'"$interfs"'"
		ni = split(interfs, terfs, " ")
		if (ni == 0)
			fail("no IPsec-enabled interfaces found")
		for (i = 1; i <= ni; i++) {
			nc = split(terfs[i], cpts, "@")
			if (nc != 2)
				fail("internal error on " terfs[i])
			interface[cpts[1]] = cpts[2]
		}
		draddr = "'"$defaultrouteaddr"'"
		drnexthop = "'"$defaultroutenexthop"'"
		s[""] = ""
		nlspi = 0
		nrspi = 0
		failed = 0
		maskbits[0] = "0.0.0.0"
		maskbits[1] = "128.0.0.0"
		maskbits[2] = "192.0.0.0"
		maskbits[3] = "224.0.0.0"
		maskbits[4] = "240.0.0.0"
		maskbits[5] = "248.0.0.0"
		maskbits[6] = "252.0.0.0"
		maskbits[7] = "254.0.0.0"
		maskbits[8] = "255.0.0.0"
		maskbits[9] = "255.128.0.0"
		maskbits[10] = "255.192.0.0"
		maskbits[11] = "255.224.0.0"
		maskbits[12] = "255.240.0.0"
		maskbits[13] = "255.248.0.0"
		maskbits[14] = "255.252.0.0"
		maskbits[15] = "255.254.0.0"
		maskbits[16] = "255.255.0.0"
		maskbits[17] = "255.255.128.0"
		maskbits[18] = "255.255.192.0"
		maskbits[19] = "255.255.224.0"
		maskbits[20] = "255.255.240.0"
		maskbits[21] = "255.255.248.0"
		maskbits[22] = "255.255.252.0"
		maskbits[23] = "255.255.254.0"
		maskbits[24] = "255.255.255.0"
		maskbits[25] = "255.255.255.128"
		maskbits[26] = "255.255.255.192"
		maskbits[27] = "255.255.255.224"
		maskbits[28] = "255.255.255.240"
		maskbits[29] = "255.255.255.248"
		maskbits[30] = "255.255.255.252"
		maskbits[31] = "255.255.255.254"
		maskbits[32] = "255.255.255.255"
	}
	$1 == "=" {
		next
	}
	$1 == "!" {
		if ($2 != "")
			fail($2)
		next
	}
	$1 != ":" {
		fail("internal error, unknown type code \"" $1 "\"")
	}
	{ s[$2] = $3 }
	function q(s) {
		return "\"" s "\""
	}
	function fail(m) {
		print myname ": fatal error in " q(names) ": " m   |err
		failed = 1
		exit
	}
	function swap(k,   t, l, r) {
		l = "left" k
		r = "right" k
		if ((l in s) && (r in s)) {
			t = s[l]
			s[l] = s[r]
			s[r] = t
		} else if (l in s) {	# but not r
			s[r] = s[l]
			delete s[l]
		} else if (r in s) {	# but not l
			s[l] = s[r]
			delete s[r]
		}
	}
	function yesno(k) {
		if ((k in s) && s[k] != "yes" && s[k] != "no")
			fail("parameter \"" k "\" must be \"yes\" or \"no\"")
	}
	function set_os_default(k, v) {
		if (!(k in s))
			s[k] = v
	}
	function need(k) {
		if (!(k in s))
			fail("connection has no \"" k "\" parameter specified")
		if (s[k] == "")
			fail("parameter \"" k "\" value must be non-empty")
	}
	function integer(k) {
		if (!(k in s))
			return
		if (s[k] !~ /^[0-9]+$/)
			fail("parameter \"" k "\" value must be integer")
	}
	function nexthopset(dir, val,   k) {
		k = dir "nexthop"
		if (k in s)
			fail("non-default value of " k " is being overridden")
		if (val != "")
			s[k] = val
		else if (k in s)
			delete s[k]
	}
	function leftward(   t) {
		nlspi++
		if ("spi" in s)
			return s["spi"]
		t = spibase spil
		spil += 2
		return t
	}
	function rightward(   t) {
		nrspi++
		if ("spi" in s)
			return s["spi"]
		t = spibase spir
		spir += 2
		return t
	}
	function netfix(dir,   n, t) {
		n = s[dir "subnet"]
		if (n == "%default")
			n = "0.0.0.0/0"
		if (n !~ /\//)
			fail(dir "subnet=" n " has no mask specified")
		t = split(n, netfixarray, "/")
		if (t != 2)
			fail("bad syntax in " dir "subnet=" n)
		s[dir "net"] = netfixarray[1]
		s[dir "mask"] = mask(netfixarray[2])
	}
	function mask(m) {
		if (m ~ /\./)
			return m
		if (!(m in maskbits))
			fail("unknown mask syntax \"" m "\"")
		return maskbits[m]
	}
	function bidir(name,   l, r) {
		l = "left" name
		r = "right" name
		if (!(l in s) && (name in s))
			s[l] = s[name]
		if (!(r in s) && (name in s))
			s[r] = s[name]
		if ((l in s) != (r in s))
			fail("must give both or neither \"" l "\" and \"" \
									r "\"")
	}
	function espspi(src, dest, spi,   dir) {
		if (!("esp" in s))
			return
		dir = (dest == me) ? "left" : "right"
		print "ipsec spi --label", q(names), "--af inet",
			"--said", ("esp" spi "@" dest), "\\"
		print "\t--esp", s["esp"], "--src", src, "\\"
		if ((dir "espauthkey") in s)
			print "\t--authkey", s[dir "espauthkey"], "\\"
		if ("espreplay_window" in s)
			print "\t--replay_window", s["espreplay_window"], "\\"
		if ((dir "espenckey") in s)
			print "\t--enckey", s[dir "espenckey"], "&&"
		else
			print "\t&&"
	}
	function ahspi(src, dest, spi,   dir) {
		if (!("ah" in s))
			return
		dir = (dest == me) ? "left" : "right"
		if (!((dir "ahkey") in s))
			fail("AH specified but no ahkey= given")
		print "ipsec spi --label", q(names), "--af inet",
			"--said", ("ah" spi "@" dest), "\\"
		print "\t--ah", s["ah"], "--src", src, "\\"
		if ("ahreplay_window" in s)
			print "\t--replay_window", s["ahreplay_window"], "\\"
		print "\t--authkey", s[dir "ahkey"], "&&"
	}
	# issue a suitable invocation of updown command
	function updown(verb, suffix,   cmd) {