Replacement for an IKE stack, using /bin/sh and ssh. Use at your own risk.
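#!/bin/sh
# Manual ESP keying over ssh: generates fresh random keys plus a per-peer
# cached SPI, then installs a matching pair of ESP SAs on this host and on
# the remote host with setkey(8). Nothing here touches the SPD, so traffic
# is only protected once matching policy rules exist on both ends.
#
# Usage: [<remote_user>@]<remote_ip>
# Environment (all optional):
#   remote_user    ssh login on the remote host (default: root; any other
#                  login runs setkey through sudo there)
#   key_type       setkey encryption algorithm (default: aes-ctr)
#   key_len        key material length in hex digits (default: 72 = 288 bits)
#   spi_cache_dir  where the per-peer SPI is remembered (default: ~/.cache/spi)
#   spi            SPI to use instead of the cached/generated one
#   key1 / key2    explicit keys (0x-prefixed hex) for local->remote and
#                  remote->local respectively
#   my_ip          local address to use instead of the one `ip route get`
#                  selects for the peer
#
# Security notes: the keys reach the peer only on the ssh session's stdin
# (never as command-line arguments), so they are exactly as confidential as
# that ssh connection and the remote shell's stdin. Do not run this with
# `sh -x`, which would print them. Keys are static until the script is
# re-run; there is no rekeying or replay-window management beyond what the
# kernel does for a manually keyed SA.
set -e

remote_ip="$1"
: ${remote_user:=root}
: ${key_type:=aes-ctr}
# 288 bits of key material as hex digits (setkey's largest aes-ctr size;
# see setkey(8) for the sizes it accepts).
: ${key_len:=$((288*2/8))}
: ${spi_cache_dir:=$HOME/.cache/spi}

test -n "$remote_ip" || {
  cat >&2 <<EOF
Usage: ${0##*/} [<remote_user>@]<remote_ip>
WARNING: This tool does not change SPD rules.
To make use of IPSEC you need to define them, too.
EOF
  exit 1
}

# A user@host argument overrides $remote_user.
case "$remote_ip" in
  *@*) remote_user="${remote_ip%@*}"; remote_ip="${remote_ip#*@}" ;;
esac

# setkey needs root on both ends; go through sudo wherever we are not root.
case "$remote_user" in root) ;; *) remote_sudo="sudo";; esac
test "x$(id -u)" = "x0" || local_sudo="sudo"

# Local address the kernel would use to reach the peer. An empty value
# would otherwise silently produce malformed setkey commands below.
: ${my_ip:=$(ip r get "$remote_ip" | grep -o 'src [^[:space:]]*' | cut -f2 -d" ")}
test -n "$my_ip" || {
  echo "${0##*/}: cannot determine local address for $remote_ip" >&2
  exit 1
}
: ${spi_cache:=$spi_cache_dir/$remote_ip}

# random_hex N: print N random lowercase hex digits drawn from /dev/urandom.
random_hex() {
  tr -dc 0-9a-f < /dev/urandom | fold -w "$1" | head -1
}

# One key per direction: key1 local->remote, key2 remote->local.
: ${key1:=0x$(random_hex "$key_len")}
: ${key2:=0x$(random_hex "$key_len")}

# The SPI is remembered per peer so that a re-run replaces the previous SAs
# on the remote (which deletes by SPI) instead of leaving them behind. If
# this cache is lost, stale SAs with the old SPI remain on the remote.
test -n "$spi" || {
  if test -e "$spi_cache"; then
    read -r spi < "$spi_cache"
  else
    spi="0x$(random_hex 8)"
    mkdir -p "${spi_cache%/*}"
    echo "$spi" > "$spi_cache"
  fi
}
test -n "$spi" || {
  echo "${0##*/}: no SPI available (is $spi_cache empty?)" >&2
  exit 1
}

# Remote side. The whole EOS heredoc is expanded locally before it is sent;
# $d is a literal '$' so that the expansions written as ${d}name happen on
# the remote shell instead. The remote takes both addresses from its own
# SSH_CONNECTION (client ip, client port, server ip, server port), so
# src_ip is this host as the remote sees it; with NAT in between that will
# not equal $my_ip and the SA pairs will not match.
# The ${d}(...) substitution scans `setkey -D`: a "src dst" line precedes
# the line carrying "spi=N(0xhex)", so any SA already using our SPI is
# deleted before the two new ones are added.
d='$'
ssh "$remote_user@$remote_ip" sh <<EOS
read src_ip src_port dst_ip dst_port <<EOL
${d}SSH_CONNECTION
EOL
$remote_sudo setkey -c <<EOK
${d}($remote_sudo setkey -D | while read a b c d; do case "${d}c" in spi=*"($spi)") echo "delete ${d}src ${d}dst esp $spi;";;*) src="${d}a" dst="${d}b";;esac;done)
add ${d}src_ip ${d}dst_ip esp $spi -E $key_type $key1;
add ${d}dst_ip ${d}src_ip esp $spi -E $key_type $key2;
EOK
EOS

# Local side: flush every ESP SA between the two addresses, then install
# the same pair the remote now has (key1 outbound, key2 inbound).
$local_sudo setkey -c <<EOK
deleteall $my_ip $remote_ip esp;
add $my_ip $remote_ip esp $spi -E $key_type $key1;
deleteall $remote_ip $my_ip esp;
add $remote_ip $my_ip esp $spi -E $key_type $key2;
EOK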