#!/usr/bin/perl -w
#
# _azure, 2000
#
# Helps configure ipsecadm(8) startup scripts for a manually keyed,
# two-network VPN using ESP with Blowfish encryption and HMAC-SHA1,
# plus ingress filtering (inbound traffic for the protected address
# pairs is only accepted if it arrived through the tunnel).  The private
# networks are assumed to be /24s.  This script was written for
# OpenBSD 2.8; earlier releases or other operating systems may need
# adjustment, and later OpenBSD releases replaced ipsecadm altogether.
# Manually keyed SAs are never rekeyed and the same key material is used
# in both directions, so treat this as a reference for the mechanics
# rather than a hardened deployment tool.
#
######################################################################

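use strict;
use warnings;

# ---------------------------------------------------------------------------
# Helpers.
#
# Every answer typed below ends up in a file name, in a shell script that an
# administrator will run as root on both gateways, and (in the original
# version of this script) inside backquoted shell commands.  Each value is
# therefore checked against an anchored pattern before it is used, and this
# script no longer spawns a shell at all.
# ---------------------------------------------------------------------------

my $HOST_MASK = '255.255.255.255';   # a single gateway address
my $NET_MASK  = '255.255.255.0';     # the private networks are hard-coded as /24s
my $KEY_BYTES = 20;                  # 160-bit ESP key and 160-bit HMAC-SHA1 key, as before

my $ALIAS_RE = qr/\A[A-Za-z0-9][A-Za-z0-9._-]*\z/;   # becomes part of a directory name
my $PATH_RE  = qr{\A/[A-Za-z0-9._/-]*\z};            # absolute, no whitespace or shell metacharacters
# ipsecadm(8) SPI.  Hex digits with an optional 0x prefix are accepted here;
# whether the tool reads a bare "1000" as decimal or hex depends on the
# release -- TODO confirm against ipsecadm(8) before picking values that must
# match a peer configured by other means.
my $SPI_RE   = qr/\A(?:0x)?[0-9A-Fa-f]{1,8}\z/;

# Print $prompt, read one line from STDIN and return it without the newline.
# Dies on EOF instead of carrying on with undef as the original did.
sub ask {
    my ($prompt) = @_;
    print $prompt;
    my $answer = <STDIN>;
    die "\nUnexpected end of input.\n" unless defined $answer;
    chomp $answer;
    return $answer;
}

# Like ask(), but dies with a message naming $what unless $check->($answer)
# is true.
sub ask_checked {
    my ($prompt, $check, $what) = @_;
    my $answer = ask($prompt);
    die "\nInvalid $what: '$answer'\n" unless $check->($answer);
    return $answer;
}

# True for a dotted-quad IPv4 address whose octets are all in 0..255.
sub is_ipv4 {
    my ($addr) = @_;
    return 0 unless $addr =~ /\A(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\z/;
    for my $octet ($1, $2, $3, $4) {
        return 0 if $octet > 255;
    }
    return 1;
}

# True for an IPv4 address that is a /24 network address (last octet 0),
# since that is the only mask the generated flows use.
sub is_slash24_network {
    my ($addr) = @_;
    return is_ipv4($addr) && $addr =~ /\.0\z/ ? 1 : 0;
}

# Return $nbytes of kernel randomness as lower-case hex with no trailing
# newline (the same format the original produced with openssl|hexdump).
# Reading /dev/urandom directly avoids the shell and the external tools;
# assumes /dev/urandom exists, which it does on OpenBSD and most Unix-likes.
sub random_hex {
    my ($nbytes) = @_;
    open my $rand, '<', '/dev/urandom' or die "cannot open /dev/urandom: $!\n";
    binmode $rand;
    my $bytes = '';
    my $got = read $rand, $bytes, $nbytes;
    close $rand;
    die "short read from /dev/urandom\n" unless defined $got && $got == $nbytes;
    return unpack 'H*', $bytes;
}

# Write $content to $path, failing loudly on any error.  Permissions come from
# the umask set before the key directory is created.
sub write_file {
    my ($path, $content) = @_;
    open my $fh, '>', $path or die "cannot write $path: $!\n";
    print {$fh} $content or die "write to $path failed: $!\n";
    close $fh or die "close of $path failed: $!\n";
    return;
}

# Build the ipsecadm script run on the gateway whose internet address is
# $local (serving $local_net), peering with $remote (serving $remote_net).
# $spi_in is the SPI of the SA whose destination is $local, $spi_out the one
# whose destination is $remote.  Both SAs are keyed from the same two files.
# Flows are installed for gateway<->gateway, net<->net and each
# gateway<->far-net pair, outbound (-out) and inbound (-in), all -require.
# -src is the local gateway address on every flow; the original script had
# -src set to the private network on two of Gateway B's inbound flows, which
# disagreed with every other flow it wrote and looks like a typo.
sub ipsecadm_script {
    my ($local, $local_net, $remote, $remote_net, $spi_in, $spi_out, $keyfile, $authkeyfile) = @_;

    my @lines = (
        "#!/bin/sh",
        "# Generated ipsecadm setup: this gateway is $local, the peer is $remote.",
        "# Run as root once the sysctl and firewall settings are in place.",
        "",
        "# One SA per direction; both use the shared key files.",
        "ipsecadm new esp -src $remote -dst $local -forcetunnel -spi $spi_in -enc blf -auth sha1 -keyfile $keyfile -authkeyfile $authkeyfile",
        "ipsecadm new esp -src $local -dst $remote -forcetunnel -spi $spi_out -enc blf -auth sha1 -keyfile $keyfile -authkeyfile $authkeyfile",
        "",
    );

    my @pairs = (
        [ $local,     $HOST_MASK, $remote,     $HOST_MASK ],   # gateway <-> gateway
        [ $local_net, $NET_MASK,  $remote_net, $NET_MASK  ],   # near net <-> far net
        [ $local,     $HOST_MASK, $remote_net, $NET_MASK  ],   # this gateway <-> far net
        [ $local_net, $NET_MASK,  $remote,     $HOST_MASK ],   # near net <-> far gateway
    );
    my (@out, @in);
    for my $pair (@pairs) {
        my ($near, $near_mask, $far, $far_mask) = @$pair;
        push @out, "ipsecadm flow -dst $remote -proto esp -addr $near $near_mask $far $far_mask -require -out -src $local";
        push @in,  "ipsecadm flow -dst $remote -proto esp -addr $far $far_mask $near $near_mask -require -in -src $local";
    }

    push @lines,
        "# Outbound traffic for these address pairs must go through the ESP tunnel.",
        @out,
        "",
        "# Inbound traffic for them is only accepted if it arrived through the tunnel (ingress filtering).",
        @in;

    return join("\n", @lines) . "\n";
}

# ---------------------------------------------------------------------------
# Intro.
# ---------------------------------------------------------------------------
print " \n";
print "\n############################################################################\n";
print "\nThis program will help you configure an ipsec/esp vpn between";
print "\ntwo gateways.  Blowfish will be used by default for encryption.\n";
print "\nYou will be asked to define:\n\n- one alias name \n- one private address \n- one internet address\n- one SPI\n";
print "\nfor each gateway.\n";
print " \n";

# ---------------------------------------------------------------------------
# Gather and validate the parameters.
# ---------------------------------------------------------------------------
print " \n";
my $rootdir = ask("\nEnter the location where you will store your key directories: ");
die "\nKey directory root must be an absolute path containing only [A-Za-z0-9._/-]: '$rootdir'\n"
    unless $rootdir =~ $PATH_RE;
die "\n$rootdir is not an existing directory.\n" unless -d $rootdir;

my $aliasa    = ask_checked("\nEnter an alias name for Gateway A: ",
                            sub { $_[0] =~ $ALIAS_RE }, 'alias name');
my $interneta = ask_checked("\nEnter the internet address for Gateway A: ",
                            \&is_ipv4, 'IPv4 address');
my $privatea  = ask_checked("\nEnter the private network for Gateway A (i.e., 192.168.0.0): ",
                            \&is_slash24_network, '/24 network address');
my $spia      = ask_checked("\nEnter a SPI for Gateway A (i.e., 1000): ",
                            sub { $_[0] =~ $SPI_RE }, 'SPI');
my $aliasb    = ask_checked("\nEnter an alias name for Gateway B: ",
                            sub { $_[0] =~ $ALIAS_RE }, 'alias name');
my $internetb = ask_checked("\nEnter the internet address for Gateway B: ",
                            \&is_ipv4, 'IPv4 address');
my $privateb  = ask_checked("\nEnter the private network for Gateway B (i.e., 192.168.1.0): ",
                            \&is_slash24_network, '/24 network address');
my $spib      = ask_checked("\nEnter a SPI for Gateway B (i.e., 1001): ",
                            sub { $_[0] =~ $SPI_RE }, 'SPI');
print " \n";

# ---------------------------------------------------------------------------
# Key directory and key material.
# ---------------------------------------------------------------------------
my $vpn     = "$rootdir/keys.$aliasa-$aliasb";
my $key     = "$vpn/ipsec.key";
my $authkey = "$vpn/ipsec.authkey";

umask 077;   # nothing created from here on is group- or world-readable
# The original ignored mkdir failures and would silently overwrite the keys
# of an existing VPN directory; refuse instead.
mkdir $vpn, 0700
    or die "\ncannot create $vpn: $!\n(refusing to write new keys into an existing directory)\n";

# NOTE(review): as in the original, both SAs (one per direction) are keyed
# from this single pair of files.  Independent per-direction keys would be
# stronger but would change the layout both gateways expect.
write_file($key,     random_hex($KEY_BYTES));
write_file($authkey, random_hex($KEY_BYTES));

# ---------------------------------------------------------------------------
# The go-ipsec scripts, one per gateway, generated from the same template so
# the two sides cannot drift apart.
# ---------------------------------------------------------------------------
write_file("$vpn/go-ipsec.a",
    ipsecadm_script($interneta, $privatea, $internetb, $privateb, $spia, $spib, $key, $authkey));
write_file("$vpn/go-ipsec.b",
    ipsecadm_script($internetb, $privateb, $interneta, $privatea, $spib, $spia, $key, $authkey));

# ---------------------------------------------------------------------------
# Be polite.
# ---------------------------------------------------------------------------
print "\n##########################################################################\n";
print "\n_Finished_.";
print "\nDon't forget to set your sysctl and firewall rules.\n";
print "\n\n##########################################################################\n";
print "\n\nCopy the contents of $vpn to $vpn on \nGateway A and execute $vpn/go-ipsec.a.";
print "\n\nCopy the contents of $vpn to $vpn on \nGateway B and execute $vpn/go-ipsec.b.\n";
print "\n\nYou should now be able to pass traffic between the two private networks.\n\n\n";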