Replacement for IKE stack using /bin/sh and ssh. Use at your own risk.
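#!/bin/sh
# Install a pair of manually keyed ESP SAs (one per direction) between this
# host and a remote host: setkey is driven over ssh on the far side and
# directly on the local side. Fresh keys are drawn from /dev/urandom on every
# run; the SPI is cached per remote address under $spi_cache_dir so a re-run
# replaces the previous SA pair instead of leaving stale entries behind.
#
# Usage: ${0##*/} [<remote_user>@]<remote_ip>
#
# Environment (all optional):
#   remote_user    ssh login on the remote host (default: root)
#   key_type       setkey -E algorithm (default: aes-ctr)
#   key_len        hex digits per key (default: 72 = 288 bits, the
#                  256-bit-key-plus-nonce size setkey expects for aes-ctr)
#   spi_cache_dir  directory holding the per-peer SPI file
#                  (default: $HOME/.cache/spi)
#   my_ip, spi, key1, key2, spi_cache
#                  override the values derived below
#
# Keys are handed to setkey on stdin (here-documents), never on argv, so they
# do not show up in process listings on either host.
# Only SAs are installed; SPD rules must be configured separately.
set -e

die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Print $1 random lowercase hex digits from /dev/urandom.
rand_hex() {
  tr -dc 0-9a-f < /dev/urandom | fold -w "$1" | head -1
}

remote_ip="$1"
: "${remote_user:=root}"
: "${key_type:=aes-ctr}"
: "${key_len:=$((288*2/8))}"
: "${spi_cache_dir:=$HOME/.cache/spi}"

test -n "$remote_ip" || {
cat >&2 <<EOF
Usage: ${0##*/} [<remote_user>@]<remote_ip>
WARNING: This tool does not change SPD rules.
To make use of IPSEC you need to define them, too.
EOF
exit 1
}

# A user@host argument overrides $remote_user.
case "$remote_ip" in
  *@*) remote_user="${remote_ip%@*}"; remote_ip="${remote_ip#*@}" ;;
esac

# setkey needs root on both ends; escalate only where we are not root already.
case "$remote_user" in root) ;; *) remote_sudo="sudo";; esac
test "x$(id -u)" = "x0" || local_sudo="sudo"

# Local address on the route towards the peer. It has to be the same address
# the peer sees as the ssh client in its SSH_CONNECTION, so this will not
# work across NAT. `ip r get` needs an address, not a hostname; without the
# check an empty my_ip would produce malformed setkey commands below.
: "${my_ip:=$(ip r get "$remote_ip" | grep -o 'src [^[:space:]]*' | cut -f2 -d" ")}"
test -n "$my_ip" || die "cannot determine local address for route to $remote_ip (is it an IP address?)"
: "${spi_cache:=$spi_cache_dir/$remote_ip}"

# One fresh key per direction.
: "${key1:=0x$(rand_hex "$key_len")}"
: "${key2:=0x$(rand_hex "$key_len")}"

# SPI: reuse the cached one for this peer, else create and cache a new one.
# `read` fails on a file without a trailing newline, so the emptiness check
# after it is what actually validates the cached value.
test -n "$spi" || {
if test -e "$spi_cache"; then
  IFS= read -r spi < "$spi_cache" || :
else
  spi="0x$(rand_hex 8)"
  mkdir -p "${spi_cache%/*}"
  echo "$spi" >"$spi_cache"
fi
}
test -n "$spi" || die "empty SPI read from $spi_cache"

# Remote side first (under set -e a failing ssh leaves the local SAD
# untouched). ${d} stands for a literal '$' that must survive local
# expansion and be evaluated by the remote shell. The remote script:
#   - takes its own and our address from SSH_CONNECTION
#     (client_ip client_port server_ip server_port),
#   - scans `setkey -D` for any existing SA carrying our SPI and emits a
#     matching `delete` for it,
#   - then adds the two SAs with the same keys we install locally.
d='$'
ssh "$remote_user@$remote_ip" sh <<EOS
read src_ip src_port dst_ip dst_port <<EOL
${d}SSH_CONNECTION
EOL
$remote_sudo setkey -c <<EOK
${d}($remote_sudo setkey -D | while read a b c d; do case "${d}c" in spi=*"($spi)") echo "delete ${d}src ${d}dst esp $spi;";;*) src="${d}a" dst="${d}b";;esac;done)
add ${d}src_ip ${d}dst_ip esp $spi -E $key_type $key1;
add ${d}dst_ip ${d}src_ip esp $spi -E $key_type $key2;
EOK
EOS

# Local side: drop any ESP SA for this pair in either direction, then install
# the mirror image of what the remote just added (key1 outbound, key2 inbound).
$local_sudo setkey -c <<EOK
deleteall $my_ip $remote_ip esp;
add $my_ip $remote_ip esp $spi -E $key_type $key1;
deleteall $remote_ip $my_ip esp;
add $remote_ip $my_ip esp $spi -E $key_type $key2;
EOK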