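#!/bin/sh
#
# Skeleton "updown" script for pluto (see ipsec_pluto(8)).
#
# pluto runs this script for every routing / IPsec SA event and passes all
# parameters through the environment (the variables documented below);
# PLUTO_VERB selects the operation.  Every case arm at the bottom is
# intentionally empty: add the routing or firewall commands your deployment
# needs to the matching arm.
#
# Notes for whoever fills in the arms:
#   - Several values (PLUTO_PEER_ID, PLUTO_PEER_CA, PLUTO_PEER_BANNER,
#     PLUTO_PEER_DNS_INFO, PLUTO_PEER_DOMAIN_INFO, PLUTO_USERNAME) are
#     supplied by the remote peer.  Always double-quote them, never pass
#     them to eval or use them as a printf format string, and validate
#     them before writing them into resolv.conf, firewall rules or logs.
#   - The script runs with the privileges of the pluto daemon that invokes
#     it, so keep the arms small and pass variables only as arguments to
#     fixed command lines.
#   - A non-zero exit status is reported back to pluto as a failed
#     updown call for that event.
#
# Things that this script gets (from ipsec_pluto(8) man page)
#
# PLUTO_VERB
#       specifies the name of the operation to be performed
#       (prepare-host, prepare-client, route-host, route-client,
#       unroute-host, unroute-client, up-host, up-client,
#       down-host, or down-client; the case statement below has an
#       arm for each). If the address family for security gateway
#       to security gateway communications is IPv6, then a suffix
#       of -v6 is added to the verb.
#
# PLUTO_CONNECTION
#       is the name of the connection for which we are
#       routing.
#
# PLUTO_CONNECTION_TYPE
#       is type of the connection, "tunnel" or "transport".
#
# PLUTO_CONN_POLICY
#       the policy of the connection, as in:
#       RSASIG+ENCRYPT+TUNNEL+PFS+DONTREKEY+OPPORTUNISTIC
#       +failureDROP+lKOD+rKOD
#
# CAT=YES
#       if client address translation inside IPsec stack is enabled
#
# PLUTO_NEXT_HOP
#       is the next hop to which packets bound for the peer
#       must be sent.
#
# PLUTO_INTERFACE
#       is the name of the real interface used by encrypted traffic and IKE traffic
#
# PLUTO_ME
#       is the IP address of our host.
#
# PLUTO_MY_ID
#       is our ID.
#
# PLUTO_METRIC
#       is the metric to set for the route
#
# PLUTO_MTU
#       is the mtu to set for the route
#
# PLUTO_ADD_TIME
#       Time the IPsec SA was added to the kernel
#
# PLUTO_MOBIKE_EVENT
#       whether the connection is undergoing MOBIKE migration
#
# PLUTO_MY_CLIENT
#       is the IP address / count of our client subnet. If
#       the client is just the host, this will be the
#       host's own IP address / mask (where max is 32 for
#       IPv4 and 128 for IPv6).
#
# PLUTO_MY_CLIENT_NET
#       is the IP address of our client net. If the client
#       is just the host, this will be the host's own IP
#       address.
#
# PLUTO_MY_CLIENT_MASK
#       is the mask for our client net. If the client is
#       just the host, this will be 255.255.255.255.
#
# PLUTO_MY_SOURCEIP
#       if non-empty, then the source address for the route will be
#       set to this IP address.
#
# PLUTO_MY_PROTOCOL
#       is the protocol for this connection. Useful for
#       firewalling.
#
# PLUTO_MY_PORT
#       is the port. Useful for firewalling.
#
# PLUTO_PEER
#       is the IP address of our peer.
#
# PLUTO_PEER_ID
#       is the ID of our peer.
#
# PLUTO_PEER_CLIENT
#       is the IP address / count of the peer's client subnet.
#       If the client is just the peer, this will be
#       the peer's own IP address / mask (where max is 32
#       for IPv4 and 128 for IPv6).
#
# PLUTO_PEER_CLIENT_NET
#       is the IP address of the peer's client net. If the
#       client is just the peer, this will be the peer's
#       own IP address.
#
# PLUTO_PEER_CLIENT_MASK
#       is the mask for the peer's client net. If the
#       client is just the peer, this will be
#       255.255.255.255.
#
# PLUTO_PEER_PROTOCOL
#       is the protocol set for remote end with port
#       selector.
#
# PLUTO_PEER_PORT
#       is the peer's port. Useful for firewalling.
#
# PLUTO_PEER_CA
#       is the DN of the peer's CA that signed its certificate
#
# PLUTO_CFG_CLIENT=0|1
#       is MODECFG or IKEv2 Config client.
#
# PLUTO_CFG_SERVER=0|1
#       is MODECFG or IKEv2 Config server.
#
# PLUTO_PEER_DNS_INFO
#       The peer's supplied DNS information (IKEv1 and IKEv2)
#
# PLUTO_PEER_DOMAIN_INFO
#       The peer's supplied domain list for local resolving (IKEv2 only)
#
# PLUTO_PEER_BANNER
#       is the peer's provided banner
#
# PLUTO_NM_CONFIGURED=0|1
#       is NetworkManager used for resolv.conf update
#
# PLUTO_CONN_ADDRFAMILY
#       is the family type, "ipv4" or "ipv6"
#
# PLUTO_CONN_KIND
#       is the "kind" of connection (CK_PERMANENT, CK_INSTANCE, etc)
#
# PLUTO_STACK
#       is the local IPsec kernel stack used, eg XFRM, BSDKAME, NOSTACK
#
# PLUTO_IS_PEER_CISCO=0|1
#       remote server type is cisco. Add support for cisco extensions
#       when used with xauth.
#
# PLUTO_SA_REQID
#       When using KAME or XFRM, the IPsec SA reqid base value.
#       ESP/AH out is base, ESP/AH in = base + 1
#       IPCOMP is base + 2 plus for inbound + 1
#
# PLUTO_XFRMI_FWMARK
#       use outgoing mark
#
# PLUTO_SA_TYPE
#       The type of IPsec SA (ESP or AH)
#
# PLUTO_USERNAME
#       The username (XAUTH or GSSAPI) that was authenticated (if any)
#       for this SA
#
# PLUTO_VIRT_INTERFACE
#       is the name of ipsec interface used by clear traffic in/out
#
# INTERFACE_IP
#       The IP to configure / expect on the interface? Currently is never set
#
# PLUTO_XFRM_ROUTE
#       if an XFRM (ipsec-device) has been specified, value will be "yes"
#
# XAUTH_FAILED
#       If xauthfail=soft this will be set to 1 if XAUTH authentication
#       failed. If xauthfail=hard, the updown scripts never run.
#
# CONNMARK
#       If mark= is set on the connection, this variable will be
#       set with the value. It can be used for iptables or VTI.
#
# CONNMARK_IN
#       the incoming mark to use
#
# CONNMARK_OUT
#       the outgoing mark to use
#
# VTI_IFACE=iface
#       Name of VTI interface to create
#
# VTI_ROUTING=yes|no
#       Whether or not to perform ip rule and ip route commands
#       covering the IPsec SA address ranges to route those packets
#       into the VTI_IFACE interface. This should be enabled unless
#       the IPsec SA covers 0.0.0.0/0 <-> 0.0.0.0/0
#
# VTI_SHARED=yes|no
#       Whether or not more conns (or instances) share a VTI device.
#       If not shared, the VTI device is deleted when tunnel goes down.
#
# VTI_IP
#       The IP to configure on the VTI device
#
# SPI_IN / SPI_OUT
#       The inbound and outbound SPIs of the connection.
#
# PLUTO_INBYTES
#       total bytes received
#
# PLUTO_OUTBYTES
#       total bytes sent
#
# NFLOG
#       is the nflog group to use

# Dispatch on the verb.  Known verbs are deliberately no-ops in this
# skeleton; fill in the arm you need.  Plain /bin/sh syntax only — no
# bashisms, since the shebang is #!/bin/sh.
case "${PLUTO_VERB}" in
prepare-host|prepare-host-v6) ;;
prepare-client|prepare-client-v6) ;;
route-host|route-host-v6) ;;
unroute-host|unroute-host-v6) ;;
route-client|route-client-v6) ;;
unroute-client|unroute-client-v6) ;;
up-host|up-host-v6) ;;
down-host|down-host-v6) ;;
up-client|up-client-v6) ;;
down-client|down-client-v6) ;;
*)
	# Unknown or unset verb: fail loudly rather than exit 0 silently, so
	# a misconfiguration, a manual invocation without PLUTO_VERB, or a
	# verb introduced by a newer pluto is noticed instead of ignored.
	# The verb is passed as a %s argument, never as the format string.
	printf '%s: unknown PLUTO_VERB "%s"\n' "$0" "${PLUTO_VERB}" >&2
	exit 1
	;;
esac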