1 /* $OpenBSD: ike.c,v 1.73 2012/07/10 13:58:33 lteo Exp $ */ 2 /* 3 * Copyright (c) 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org> 4 * 5 * Permission to use, copy, modify, and distribute this software for any 6 * purpose with or without fee is hereby granted, provided that the above 7 * copyright notice and this permission notice appear in all copies. 8 * 9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16 */ 17 18 #include <sys/types.h> 19 #include <sys/socket.h> 20 #include <sys/stat.h> 21 #include <sys/queue.h> 22 #include <netinet/in.h> 23 #include <netdb.h> 24 #include <arpa/inet.h> 25 26 #include <err.h> 27 #include <fcntl.h> 28 #include <stdio.h> 29 #include <stdlib.h> 30 #include <string.h> 31 #include <unistd.h> 32 33 #include "ipsecctl.h" 34 35 static void ike_section_general(struct ipsec_rule *, FILE *); 36 static void ike_section_peer(struct ipsec_rule *, FILE *); 37 static void ike_section_ids(struct ipsec_rule *, FILE *); 38 static void ike_section_ipsec(struct ipsec_rule *, FILE *); 39 static int ike_section_p1(struct ipsec_rule *, FILE *); 40 static int ike_section_p2(struct ipsec_rule *, FILE *); 41 static void ike_section_p2ids(struct ipsec_rule *, FILE *); 42 static int ike_connect(struct ipsec_rule *, FILE *); 43 static int ike_gen_config(struct ipsec_rule *, FILE *); 44 static int ike_delete_config(struct ipsec_rule *, FILE *); 45 static void ike_setup_ids(struct ipsec_rule *); 46 47 int ike_print_config(struct ipsec_rule *, int); 48 int ike_ipsec_establish(int, struct ipsec_rule *, const char *); 49 50 #define SET "C set " 51 #define ADD "C add " 52 #define DELETE "C rms " 53 #define RMV "C rmv " 54 55 #define CONF_DFLT_DYNAMIC_DPD_CHECK_INTERVAL 5 56 #define CONF_DFLT_DYNAMIC_CHECK_INTERVAL 30 57 58 char *ike_id_types[] = { 59 "", "", "IPV4_ADDR", "IPV6_ADDR", "FQDN", "USER_FQDN" 60 }; 61 62 static void 63 ike_section_general(struct ipsec_rule *r, FILE *fd) 64 { 65 if (r->ikemode == IKE_DYNAMIC) { 66 fprintf(fd, SET "[General]:Check-interval=%d force\n", 67 CONF_DFLT_DYNAMIC_CHECK_INTERVAL); 68 fprintf(fd, SET "[General]:DPD-check-interval=%d force\n", 69 CONF_DFLT_DYNAMIC_DPD_CHECK_INTERVAL); 70 } 71 if (r->p1life && r->p1life->lt_seconds != -1) 72 fprintf(fd, SET "[General]:Default-phase-1-lifetime=%d force\n", 73 r->p1life->lt_seconds); 74 if (r->p2life && r->p2life->lt_seconds != -1) 75 fprintf(fd, SET "[General]:Default-phase-2-lifetime=%d force\n", 76 r->p2life->lt_seconds); 77 } 78 79 static void 80 ike_section_peer(struct ipsec_rule *r, FILE *fd) 81 { 82 if (r->peer) 83 fprintf(fd, SET "[Phase 1]:%s=%s force\n", r->peer->name, 84 r->p1name); 85 else 86 fprintf(fd, SET "[Phase 1]:Default=%s force\n", r->p1name); 87 fprintf(fd, SET "[%s]:Phase=1 force\n", r->p1name); 88 if (r->peer) 89 fprintf(fd, SET "[%s]:Address=%s force\n", r->p1name, 90 r->peer->name); 91 if (r->local) 92 fprintf(fd, SET "[%s]:Local-address=%s force\n", r->p1name, 93 r->local->name); 94 if (r->ikeauth->type == IKE_AUTH_PSK) 95 fprintf(fd, SET "[%s]:Authentication=%s force\n", r->p1name, 96 r->ikeauth->string); 97 } 98 99 static void 100 ike_section_ids(struct ipsec_rule *r, FILE *fd) 101 { 102 char myname[MAXHOSTNAMELEN]; 103 104 if (r->auth == NULL) 105 return; 106 107 if (r->ikemode == IKE_DYNAMIC && r->auth->srcid == NULL) { 108 if (gethostname(myname, sizeof(myname)) == -1) 109 err(1, "ike_section_ids: gethostname"); 110 if ((r->auth->srcid = strdup(myname)) == NULL) 111 err(1, "ike_section_ids: strdup"); 112 r->auth->srcid_type = ID_FQDN; 113 } 114 if (r->auth->srcid) { 115 fprintf(fd, SET "[%s]:ID=id-%s force\n", r->p1name, 116 r->auth->srcid); 117 fprintf(fd, SET "[id-%s]:ID-type=%s force\n", r->auth->srcid, 118 ike_id_types[r->auth->srcid_type]); 119 if (r->auth->srcid_type == ID_IPV4 || 120 r->auth->srcid_type == ID_IPV6) 121 fprintf(fd, SET "[id-%s]:Address=%s force\n", 122 r->auth->srcid, r->auth->srcid); 123 else 124 fprintf(fd, SET "[id-%s]:Name=%s force\n", 125 r->auth->srcid, r->auth->srcid); 126 } 127 if (r->auth->dstid) { 128 fprintf(fd, SET "[%s]:Remote-ID=id-%s force\n", r->p1name, 129 r->auth->dstid); 130 fprintf(fd, SET "[id-%s]:ID-type=%s force\n", r->auth->dstid, 131 ike_id_types[r->auth->dstid_type]); 132 if (r->auth->dstid_type == ID_IPV4 || 133 r->auth->dstid_type == ID_IPV6) 134 fprintf(fd, SET "[id-%s]:Address=%s force\n", 135 r->auth->dstid, r->auth->dstid); 136 else 137 fprintf(fd, SET "[id-%s]:Name=%s force\n", 138 r->auth->dstid, r->auth->dstid); 139 } 140 } 141 142 static void 143 ike_section_ipsec(struct ipsec_rule *r, FILE *fd) 144 { 145 fprintf(fd, SET "[%s]:Phase=2 force\n", r->p2name); 146 fprintf(fd, SET "[%s]:ISAKMP-peer=%s force\n", r->p2name, r->p1name); 147 fprintf(fd, SET "[%s]:Configuration=phase2-%s force\n", r->p2name, 148 r->p2name); 149 fprintf(fd, SET "[%s]:Local-ID=%s force\n", r->p2name, r->p2lid); 150 if (r->p2nid) 151 fprintf(fd, SET "[%s]:NAT-ID=%s force\n", r->p2name, r->p2nid); 152 fprintf(fd, SET "[%s]:Remote-ID=%s force\n", r->p2name, r->p2rid); 153 154 if (r->tag) 155 fprintf(fd, SET "[%s]:PF-Tag=%s force\n", r->p2name, r->tag); 156 } 157 158 static int 159 ike_section_p2(struct ipsec_rule *r, FILE *fd) 160 { 161 char *exchange_type, *sprefix; 162 int needauth = 1; 163 164 switch (r->p2ie) { 165 case IKE_QM: 166 exchange_type = "QUICK_MODE"; 167 sprefix = "QM"; 168 break; 169 default: 170 warnx("illegal phase 2 ike mode %d", r->p2ie); 171 return (-1); 172 } 173 174 fprintf(fd, SET "[phase2-%s]:EXCHANGE_TYPE=%s force\n", r->p2name, 175 exchange_type); 176 fprintf(fd, SET "[phase2-%s]:Suites=%s-", r->p2name, sprefix); 177 178 switch (r->satype) { 179 case IPSEC_ESP: 180 fprintf(fd, "ESP"); 181 break; 182 case IPSEC_AH: 183 fprintf(fd, "AH"); 184 break; 185 default: 186 warnx("illegal satype %d", r->satype); 187 return (-1); 188 } 189 fprintf(fd, "-"); 190 191 switch (r->tmode) { 192 case IPSEC_TUNNEL: 193 break; 194 case IPSEC_TRANSPORT: 195 fprintf(fd, "TRP-"); 196 break; 197 default: 198 warnx("illegal encapsulation mode %d", r->tmode); 199 return (-1); 200 } 201 202 if (r->p2xfs && r->p2xfs->encxf) { 203 if (r->satype == IPSEC_ESP) { 204 switch (r->p2xfs->encxf->id) { 205 case ENCXF_3DES_CBC: 206 fprintf(fd, "3DES"); 207 break; 208 case ENCXF_DES_CBC: 209 fprintf(fd, "DES"); 210 break; 211 case ENCXF_AES: 212 fprintf(fd, "AES"); 213 break; 214 case ENCXF_AES_128: 215 fprintf(fd, "AES-128"); 216 break; 217 case ENCXF_AES_192: 218 fprintf(fd, "AES-192"); 219 break; 220 case ENCXF_AES_256: 221 fprintf(fd, "AES-256"); 222 break; 223 case ENCXF_AESCTR: 224 fprintf(fd, "AESCTR"); 225 break; 226 case ENCXF_AES_128_CTR: 227 fprintf(fd, "AESCTR-128"); 228 break; 229 case ENCXF_AES_192_CTR: 230 fprintf(fd, "AESCTR-192"); 231 break; 232 case ENCXF_AES_256_CTR: 233 fprintf(fd, "AESCTR-256"); 234 break; 235 case ENCXF_AES_128_GCM: 236 fprintf(fd, "AESGCM-128"); 237 needauth = 0; 238 break; 239 case ENCXF_AES_192_GCM: 240 fprintf(fd, "AESGCM-192"); 241 needauth = 0; 242 break; 243 case ENCXF_AES_256_GCM: 244 fprintf(fd, "AESGCM-256"); 245 needauth = 0; 246 break; 247 case ENCXF_AES_128_GMAC: 248 fprintf(fd, "AESGMAC-128"); 249 needauth = 0; 250 break; 251 case ENCXF_AES_192_GMAC: 252 fprintf(fd, "AESGMAC-192"); 253 needauth = 0; 254 break; 255 case ENCXF_AES_256_GMAC: 256 fprintf(fd, "AESGMAC-256"); 257 needauth = 0; 258 break; 259 case ENCXF_BLOWFISH: 260 fprintf(fd, "BLF"); 261 break; 262 case ENCXF_CAST128: 263 fprintf(fd, "CAST"); 264 break; 265 case ENCXF_NULL: 266 fprintf(fd, "NULL"); 267 needauth = 0; 268 break; 269 default: 270 warnx("illegal transform %s", 271 r->p2xfs->encxf->name); 272 return (-1); 273 } 274 fprintf(fd, "-"); 275 } else { 276 warnx("illegal transform %s", r->p2xfs->encxf->name); 277 return (-1); 278 } 279 } else if (r->satype == IPSEC_ESP) 280 fprintf(fd, "AES-"); 281 282 if (r->p2xfs && r->p2xfs->authxf) { 283 switch (r->p2xfs->authxf->id) { 284 case AUTHXF_HMAC_MD5: 285 fprintf(fd, "MD5"); 286 break; 287 case AUTHXF_HMAC_SHA1: 288 fprintf(fd, "SHA"); 289 break; 290 case AUTHXF_HMAC_RIPEMD160: 291 fprintf(fd, "RIPEMD"); 292 break; 293 case AUTHXF_HMAC_SHA2_256: 294 fprintf(fd, "SHA2-256"); 295 break; 296 case AUTHXF_HMAC_SHA2_384: 297 fprintf(fd, "SHA2-384"); 298 break; 299 case AUTHXF_HMAC_SHA2_512: 300 fprintf(fd, "SHA2-512"); 301 break; 302 default: 303 warnx("illegal transform %s", r->p2xfs->authxf->name); 304 return (-1); 305 } 306 fprintf(fd, "-"); 307 } else if (needauth) 308 fprintf(fd, "SHA2-256-"); 309 310 if (r->p2xfs && r->p2xfs->groupxf) { 311 switch (r->p2xfs->groupxf->id) { 312 case GROUPXF_NONE: 313 break; 314 case GROUPXF_768: 315 fprintf(fd, "PFS-GRP1-"); 316 break; 317 case GROUPXF_1024: 318 fprintf(fd, "PFS-GRP2-"); 319 break; 320 case GROUPXF_1536: 321 fprintf(fd, "PFS-GRP5-"); 322 break; 323 case GROUPXF_2048: 324 fprintf(fd, "PFS-GRP14-"); 325 break; 326 case GROUPXF_3072: 327 fprintf(fd, "PFS-GRP15-"); 328 break; 329 case GROUPXF_4096: 330 fprintf(fd, "PFS-GRP16-"); 331 break; 332 case GROUPXF_6144: 333 fprintf(fd, "PFS-GRP17-"); 334 break; 335 case GROUPXF_8192: 336 fprintf(fd, "PFS-GRP18-"); 337 break; 338 default: 339 warnx("illegal group %s", r->p2xfs->groupxf->name); 340 return (-1); 341 }; 342 } else 343 fprintf(fd, "PFS-"); 344 fprintf(fd, "SUITE force\n"); 345 346 return (0); 347 } 348 349 static int 350 ike_section_p1(struct ipsec_rule *r, FILE *fd) 351 { 352 char *exchange_type; 353 354 switch (r->p1ie) { 355 case IKE_MM: 356 exchange_type = "ID_PROT"; 357 break; 358 case IKE_AM: 359 exchange_type = "AGGRESSIVE"; 360 break; 361 default: 362 warnx("illegal phase 1 ike mode %d", r->p1ie); 363 return (-1); 364 } 365 366 fprintf(fd, SET "[%s]:Configuration=phase1-%s force\n", r->p1name, 367 r->p1name); 368 fprintf(fd, SET "[phase1-%s]:EXCHANGE_TYPE=%s force\n", r->p1name, 369 exchange_type); 370 fprintf(fd, ADD "[phase1-%s]:Transforms=", r->p1name); 371 372 if (r->p1xfs && r->p1xfs->encxf) { 373 switch (r->p1xfs->encxf->id) { 374 case ENCXF_3DES_CBC: 375 fprintf(fd, "3DES"); 376 break; 377 case ENCXF_DES_CBC: 378 fprintf(fd, "DES"); 379 break; 380 case ENCXF_AES: 381 fprintf(fd, "AES"); 382 break; 383 case ENCXF_AES_128: 384 fprintf(fd, "AES-128"); 385 break; 386 case ENCXF_AES_192: 387 fprintf(fd, "AES-192"); 388 break; 389 case ENCXF_AES_256: 390 fprintf(fd, "AES-256"); 391 break; 392 case ENCXF_BLOWFISH: 393 fprintf(fd, "BLF"); 394 break; 395 case ENCXF_CAST128: 396 fprintf(fd, "CAST"); 397 break; 398 default: 399 warnx("illegal transform %s", r->p1xfs->encxf->name); 400 return (-1); 401 } 402 } else 403 fprintf(fd, "AES"); 404 fprintf(fd, "-"); 405 406 if (r->p1xfs && r->p1xfs->authxf) { 407 switch (r->p1xfs->authxf->id) { 408 case AUTHXF_HMAC_MD5: 409 fprintf(fd, "MD5"); 410 break; 411 case AUTHXF_HMAC_SHA1: 412 fprintf(fd, "SHA"); 413 break; 414 case AUTHXF_HMAC_SHA2_256: 415 fprintf(fd, "SHA2-256"); 416 break; 417 case AUTHXF_HMAC_SHA2_384: 418 fprintf(fd, "SHA2-384"); 419 break; 420 case AUTHXF_HMAC_SHA2_512: 421 fprintf(fd, "SHA2-512"); 422 break; 423 default: 424 warnx("illegal transform %s", r->p1xfs->authxf->name); 425 return (-1); 426 } 427 } else 428 fprintf(fd, "SHA"); 429 430 if (r->p1xfs && r->p1xfs->groupxf) { 431 switch (r->p1xfs->groupxf->id) { 432 case GROUPXF_768: 433 fprintf(fd, "-GRP1"); 434 break; 435 case GROUPXF_1024: 436 fprintf(fd, "-GRP2"); 437 break; 438 case GROUPXF_1536: 439 fprintf(fd, "-GRP5"); 440 break; 441 case GROUPXF_2048: 442 fprintf(fd, "-GRP14"); 443 break; 444 case GROUPXF_3072: 445 fprintf(fd, "-GRP15"); 446 break; 447 case GROUPXF_4096: 448 fprintf(fd, "-GRP16"); 449 break; 450 case GROUPXF_6144: 451 fprintf(fd, "-GRP17"); 452 break; 453 case GROUPXF_8192: 454 fprintf(fd, "-GRP18"); 455 break; 456 default: 457 warnx("illegal group %s", r->p1xfs->groupxf->name); 458 return (-1); 459 }; 460 } 461 462 if (r->ikeauth->type == IKE_AUTH_RSA) 463 fprintf(fd, "-RSA_SIG"); 464 fprintf(fd, " force\n"); 465 466 return (0); 467 } 468 469 static void 470 ike_section_p2ids_net(struct ipsec_addr *iamask, sa_family_t af, char *name, 471 char *p2xid, FILE *fd) 472 { 473 char mask[NI_MAXHOST], *network, *p; 474 struct sockaddr_storage sas; 475 struct sockaddr *sa = (struct sockaddr *)&sas; 476 477 bzero(&sas, sizeof(struct sockaddr_storage)); 478 bzero(mask, sizeof(mask)); 479 sa->sa_family = af; 480 switch (af) { 481 case AF_INET: 482 sa->sa_len = sizeof(struct sockaddr_in); 483 bcopy(&iamask->ipa, 484 &((struct sockaddr_in *)(sa))->sin_addr, 485 sizeof(struct in6_addr)); 486 break; 487 case AF_INET6: 488 sa->sa_len = sizeof(struct sockaddr_in6); 489 bcopy(&iamask->ipa, 490 &((struct sockaddr_in6 *)(sa))->sin6_addr, 491 sizeof(struct in6_addr)); 492 break; 493 } 494 if (getnameinfo(sa, sa->sa_len, mask, sizeof(mask), NULL, 0, 495 NI_NUMERICHOST)) 496 errx(1, "could not get a numeric mask"); 497 498 if ((network = strdup(name)) == NULL) 499 err(1, "ike_section_p2ids: strdup"); 500 if ((p = strrchr(network, '/')) != NULL) 501 *p = '\0'; 502 503 fprintf(fd, SET "[%s]:ID-type=IPV%d_ADDR_SUBNET force\n", 504 p2xid, ((af == AF_INET) ? 4 : 6)); 505 fprintf(fd, SET "[%s]:Network=%s force\n", p2xid, network); 506 fprintf(fd, SET "[%s]:Netmask=%s force\n", p2xid, mask); 507 508 free(network); 509 } 510 511 static void 512 ike_section_p2ids(struct ipsec_rule *r, FILE *fd) 513 { 514 char *p; 515 struct ipsec_addr_wrap *src = r->src; 516 struct ipsec_addr_wrap *dst = r->dst; 517 518 if (src->netaddress) { 519 ike_section_p2ids_net(&src->mask, src->af, src->name, 520 r->p2lid, fd); 521 } else { 522 fprintf(fd, SET "[%s]:ID-type=IPV%d_ADDR force\n", 523 r->p2lid, ((src->af == AF_INET) ? 4 : 6)); 524 if ((p = strrchr(src->name, '/')) != NULL) 525 *p = '\0'; 526 fprintf(fd, SET "[%s]:Address=%s force\n", r->p2lid, 527 src->name); 528 } 529 530 if (src->srcnat && src->srcnat->netaddress) { 531 ike_section_p2ids_net(&src->srcnat->mask, src->af, src->srcnat->name, 532 r->p2nid, fd); 533 } else if (src->srcnat) { 534 fprintf(fd, SET "[%s]:ID-type=IPV%d_ADDR force\n", 535 r->p2nid, ((src->af == AF_INET) ? 4 : 6)); 536 if ((p = strrchr(src->srcnat->name, '/')) != NULL) 537 *p = '\0'; 538 fprintf(fd, SET "[%s]:Address=%s force\n", r->p2nid, 539 src->srcnat->name); 540 } 541 542 if (dst->netaddress) { 543 ike_section_p2ids_net(&dst->mask, dst->af, dst->name, 544 r->p2rid, fd); 545 } else { 546 fprintf(fd, SET "[%s]:ID-type=IPV%d_ADDR force\n", 547 r->p2rid, ((dst->af == AF_INET) ? 4 : 6)); 548 if ((p = strrchr(dst->name, '/')) != NULL) 549 *p = '\0'; 550 fprintf(fd, SET "[%s]:Address=%s force\n", r->p2rid, 551 dst->name); 552 } 553 if (r->proto) { 554 fprintf(fd, SET "[%s]:Protocol=%d force\n", 555 r->p2lid, r->proto); 556 fprintf(fd, SET "[%s]:Protocol=%d force\n", 557 r->p2rid, r->proto); 558 } 559 if (r->sport) 560 fprintf(fd, SET "[%s]:Port=%d force\n", r->p2lid, 561 ntohs(r->sport)); 562 if (r->dport) 563 fprintf(fd, SET "[%s]:Port=%d force\n", r->p2rid, 564 ntohs(r->dport)); 565 } 566 567 static int 568 ike_connect(struct ipsec_rule *r, FILE *fd) 569 { 570 switch (r->ikemode) { 571 case IKE_ACTIVE: 572 case IKE_DYNAMIC: 573 fprintf(fd, ADD "[Phase 2]:Connections=%s\n", r->p2name); 574 break; 575 case IKE_PASSIVE: 576 fprintf(fd, ADD "[Phase 2]:Passive-Connections=%s\n", 577 r->p2name); 578 break; 579 default: 580 return (-1); 581 } 582 return (0); 583 } 584 585 static int 586 ike_gen_config(struct ipsec_rule *r, FILE *fd) 587 { 588 ike_setup_ids(r); 589 ike_section_general(r, fd); 590 ike_section_peer(r, fd); 591 if (ike_section_p1(r, fd) == -1) { 592 return (-1); 593 } 594 ike_section_ids(r, fd); 595 ike_section_ipsec(r, fd); 596 if (ike_section_p2(r, fd) == -1) { 597 return (-1); 598 } 599 ike_section_p2ids(r, fd); 600 601 if (ike_connect(r, fd) == -1) 602 return (-1); 603 return (0); 604 } 605 606 static int 607 ike_delete_config(struct ipsec_rule *r, FILE *fd) 608 { 609 ike_setup_ids(r); 610 #if 0 611 switch (r->ikemode) { 612 case IKE_ACTIVE: 613 case IKE_DYNAMIC: 614 fprintf(fd, "t %s\n", r->p2name); 615 break; 616 case IKE_PASSIVE: 617 fprintf(fd, DELETE "[Phase 2]\n"); 618 fprintf(fd, "t %s\n", r->p2name); 619 break; 620 default: 621 return (-1); 622 } 623 624 if (r->peer) { 625 fprintf(fd, DELETE "[%s]\n", r->p1name); 626 fprintf(fd, DELETE "[phase1-%s]\n", r->p1name); 627 } 628 if (r->auth) { 629 if (r->auth->srcid) 630 fprintf(fd, DELETE "[%s-ID]\n", r->auth->srcid); 631 if (r->auth->dstid) 632 fprintf(fd, DELETE "[%s-ID]\n", r->auth->dstid); 633 } 634 fprintf(fd, DELETE "[%s]\n", r->p2name); 635 fprintf(fd, DELETE "[phase2-%s]\n", r->p2name); 636 fprintf(fd, DELETE "[%s]\n", r->p2lid); 637 fprintf(fd, DELETE "[%s]\n", r->p2rid); 638 #else 639 fprintf(fd, "t %s\n", r->p2name); 640 switch (r->ikemode) { 641 case IKE_ACTIVE: 642 case IKE_DYNAMIC: 643 fprintf(fd, RMV "[Phase 2]:Connections=%s\n", r->p2name); 644 break; 645 case IKE_PASSIVE: 646 fprintf(fd, RMV "[Phase 2]:Passive-Connections=%s\n", 647 r->p2name); 648 break; 649 default: 650 return (-1); 651 } 652 fprintf(fd, DELETE "[%s]\n", r->p2name); 653 fprintf(fd, DELETE "[phase2-%s]\n", r->p2name); 654 #endif 655 656 return (0); 657 } 658 659 static void 660 ike_setup_ids(struct ipsec_rule *r) 661 { 662 char sproto[10], ssport[10], sdport[10]; 663 664 /* phase 1 name is peer and local address */ 665 if (r->peer) { 666 if (r->local) { 667 /* peer-dstaddr-local-srcaddr */ 668 if (asprintf(&r->p1name, "peer-%s-local-%s", 669 r->peer->name, r->local->name) == -1) 670 err(1, "ike_setup_ids"); 671 } else 672 /* peer-dstaddr */ 673 if (asprintf(&r->p1name, "peer-%s", 674 r->peer->name) == -1) 675 err(1, "ike_setup_ids"); 676 } else 677 if ((r->p1name = strdup("peer-default")) == NULL) 678 err(1, "ike_setup_ids"); 679 680 /* Phase 2 name is from and to network, protocol, port*/ 681 sproto[0] = ssport[0] = sdport[0] = 0; 682 if (r->proto) 683 snprintf(sproto, sizeof sproto, "=%u", r->proto); 684 if (r->sport) 685 snprintf(ssport, sizeof ssport, ":%u", ntohs(r->sport)); 686 if (r->dport) 687 snprintf(sdport, sizeof sdport, ":%u", ntohs(r->dport)); 688 /* from-network/masklen=proto:port */ 689 if (asprintf(&r->p2lid, "from-%s%s%s", r->src->name, sproto, ssport) 690 == -1) 691 err(1, "ike_setup_ids"); 692 /* to-network/masklen=proto:port */ 693 if (asprintf(&r->p2rid, "to-%s%s%s", r->dst->name, sproto, sdport) 694 == -1) 695 err(1, "ike_setup_ids"); 696 /* from-network/masklen=proto:port-to-network/masklen=proto:port */ 697 if (asprintf(&r->p2name, "%s-%s", r->p2lid , r->p2rid) == -1) 698 err(1, "ike_setup_ids"); 699 /* nat-network/masklen=proto:port */ 700 if (r->src->srcnat && r->src->srcnat->name) { 701 if (asprintf(&r->p2nid, "nat-%s%s%s", r->src->srcnat->name, sproto, 702 ssport) == -1) 703 err(1, "ike_setup_ids"); 704 } 705 } 706 707 int 708 ike_print_config(struct ipsec_rule *r, int opts) 709 { 710 if (opts & IPSECCTL_OPT_DELETE) 711 return (ike_delete_config(r, stdout)); 712 else 713 return (ike_gen_config(r, stdout)); 714 } 715 716 int 717 ike_ipsec_establish(int action, struct ipsec_rule *r, const char *fifo) 718 { 719 struct stat sb; 720 FILE *fdp; 721 int fd, ret = 0; 722 723 if ((fd = open(fifo, O_WRONLY)) == -1) 724 err(1, "ike_ipsec_establish: open(%s)", fifo); 725 if (fstat(fd, &sb) == -1) 726 err(1, "ike_ipsec_establish: fstat(%s)", fifo); 727 if (!S_ISFIFO(sb.st_mode)) 728 errx(1, "ike_ipsec_establish: %s not a fifo", fifo); 729 if ((fdp = fdopen(fd, "w")) == NULL) 730 err(1, "ike_ipsec_establish: fdopen(%s)", fifo); 731 732 switch (action) { 733 case ACTION_ADD: 734 ret = ike_gen_config(r, fdp); 735 break; 736 case ACTION_DELETE: 737 ret = ike_delete_config(r, fdp); 738 break; 739 default: 740 ret = -1; 741 } 742 743 fclose(fdp); 744 return (ret); 745 } 746