1 /* $OpenBSD: ike.c,v 1.78 2013/08/25 23:15:20 mikeb Exp $ */ 2 /* 3 * Copyright (c) 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org> 4 * 5 * Permission to use, copy, modify, and distribute this software for any 6 * purpose with or without fee is hereby granted, provided that the above 7 * copyright notice and this permission notice appear in all copies. 8 * 9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16 */ 17 18 #include <sys/types.h> 19 #include <sys/socket.h> 20 #include <sys/stat.h> 21 #include <sys/queue.h> 22 #include <netinet/in.h> 23 #include <netdb.h> 24 #include <arpa/inet.h> 25 26 #include <err.h> 27 #include <fcntl.h> 28 #include <stdio.h> 29 #include <stdlib.h> 30 #include <string.h> 31 #include <unistd.h> 32 33 #include "ipsecctl.h" 34 35 static void ike_section_general(struct ipsec_rule *, FILE *); 36 static void ike_section_peer(struct ipsec_rule *, FILE *); 37 static void ike_section_ids(struct ipsec_rule *, FILE *); 38 static void ike_section_ipsec(struct ipsec_rule *, FILE *); 39 static int ike_section_p1(struct ipsec_rule *, FILE *); 40 static int ike_section_p2(struct ipsec_rule *, FILE *); 41 static void ike_section_p2ids(struct ipsec_rule *, FILE *); 42 static int ike_connect(struct ipsec_rule *, FILE *); 43 static int ike_gen_config(struct ipsec_rule *, FILE *); 44 static int ike_delete_config(struct ipsec_rule *, FILE *); 45 static void ike_setup_ids(struct ipsec_rule *); 46 47 int ike_print_config(struct ipsec_rule *, int); 48 int ike_ipsec_establish(int, struct ipsec_rule *, const char *); 49 50 #define SET "C set " 51 #define ADD "C add " 52 #define DELETE "C rms " 53 #define RMV "C rmv " 54 55 #define CONF_DFLT_DYNAMIC_DPD_CHECK_INTERVAL 5 56 #define CONF_DFLT_DYNAMIC_CHECK_INTERVAL 30 57 58 char *ike_id_types[] = { 59 "", "", "IPV4_ADDR", "IPV6_ADDR", "FQDN", "USER_FQDN" 60 }; 61 62 static void 63 ike_section_general(struct ipsec_rule *r, FILE *fd) 64 { 65 if (r->ikemode == IKE_DYNAMIC) { 66 fprintf(fd, SET "[General]:Check-interval=%d force\n", 67 CONF_DFLT_DYNAMIC_CHECK_INTERVAL); 68 fprintf(fd, SET "[General]:DPD-check-interval=%d force\n", 69 CONF_DFLT_DYNAMIC_DPD_CHECK_INTERVAL); 70 } 71 } 72 73 static void 74 ike_section_peer(struct ipsec_rule *r, FILE *fd) 75 { 76 if (r->peer) 77 fprintf(fd, SET "[Phase 1]:%s=%s force\n", r->peer->name, 78 r->p1name); 79 else 80 fprintf(fd, SET "[Phase 1]:Default=%s force\n", r->p1name); 81 fprintf(fd, SET "[%s]:Phase=1 force\n", r->p1name); 82 if (r->peer) 83 fprintf(fd, SET "[%s]:Address=%s force\n", r->p1name, 84 r->peer->name); 85 if (r->local) 86 fprintf(fd, SET "[%s]:Local-address=%s force\n", r->p1name, 87 r->local->name); 88 if (r->ikeauth->type == IKE_AUTH_PSK) 89 fprintf(fd, SET "[%s]:Authentication=%s force\n", r->p1name, 90 r->ikeauth->string); 91 } 92 93 static void 94 ike_section_ids(struct ipsec_rule *r, FILE *fd) 95 { 96 char myname[MAXHOSTNAMELEN]; 97 98 if (r->auth == NULL) 99 return; 100 101 if (r->ikemode == IKE_DYNAMIC && r->auth->srcid == NULL) { 102 if (gethostname(myname, sizeof(myname)) == -1) 103 err(1, "ike_section_ids: gethostname"); 104 if ((r->auth->srcid = strdup(myname)) == NULL) 105 err(1, "ike_section_ids: strdup"); 106 r->auth->srcid_type = ID_FQDN; 107 } 108 if (r->auth->srcid) { 109 fprintf(fd, SET "[%s]:ID=id-%s force\n", r->p1name, 110 r->auth->srcid); 111 fprintf(fd, SET "[id-%s]:ID-type=%s force\n", r->auth->srcid, 112 ike_id_types[r->auth->srcid_type]); 113 if (r->auth->srcid_type == ID_IPV4 || 114 r->auth->srcid_type == ID_IPV6) 115 fprintf(fd, SET "[id-%s]:Address=%s force\n", 116 r->auth->srcid, r->auth->srcid); 117 else 118 fprintf(fd, SET "[id-%s]:Name=%s force\n", 119 r->auth->srcid, r->auth->srcid); 120 } 121 if (r->auth->dstid) { 122 fprintf(fd, SET "[%s]:Remote-ID=id-%s force\n", r->p1name, 123 r->auth->dstid); 124 fprintf(fd, SET "[id-%s]:ID-type=%s force\n", r->auth->dstid, 125 ike_id_types[r->auth->dstid_type]); 126 if (r->auth->dstid_type == ID_IPV4 || 127 r->auth->dstid_type == ID_IPV6) 128 fprintf(fd, SET "[id-%s]:Address=%s force\n", 129 r->auth->dstid, r->auth->dstid); 130 else 131 fprintf(fd, SET "[id-%s]:Name=%s force\n", 132 r->auth->dstid, r->auth->dstid); 133 } 134 } 135 136 static void 137 ike_section_ipsec(struct ipsec_rule *r, FILE *fd) 138 { 139 fprintf(fd, SET "[%s]:Phase=2 force\n", r->p2name); 140 fprintf(fd, SET "[%s]:ISAKMP-peer=%s force\n", r->p2name, r->p1name); 141 fprintf(fd, SET "[%s]:Configuration=phase2-%s force\n", r->p2name, 142 r->p2name); 143 fprintf(fd, SET "[%s]:Local-ID=%s force\n", r->p2name, r->p2lid); 144 if (r->p2nid) 145 fprintf(fd, SET "[%s]:NAT-ID=%s force\n", r->p2name, r->p2nid); 146 fprintf(fd, SET "[%s]:Remote-ID=%s force\n", r->p2name, r->p2rid); 147 148 if (r->tag) 149 fprintf(fd, SET "[%s]:PF-Tag=%s force\n", r->p2name, r->tag); 150 } 151 152 static int 153 ike_section_p2(struct ipsec_rule *r, FILE *fd) 154 { 155 char *exchange_type, *key_length, *transform, *p; 156 char *enc_alg, *auth_alg, *group_desc, *encap; 157 int needauth = 1; 158 int num_print = 0; 159 160 switch (r->p2ie) { 161 case IKE_QM: 162 exchange_type = "QUICK_MODE"; 163 break; 164 default: 165 warnx("illegal phase 2 ike mode %d", r->p2ie); 166 return (-1); 167 } 168 169 fprintf(fd, SET "[phase2-%s]:EXCHANGE_TYPE=%s force\n", r->p2name, 170 exchange_type); 171 fprintf(fd, SET "[phase2-%s]:Suites=phase2-suite-%s force\n", r->p2name, 172 r->p2name); 173 174 fprintf(fd, SET "[phase2-suite-%s]:Protocols=phase2-protocol-%s " 175 "force\n", r->p2name, r->p2name); 176 177 fprintf(fd, SET "[phase2-protocol-%s]:PROTOCOL_ID=", r->p2name); 178 179 switch (r->satype) { 180 case IPSEC_ESP: 181 fprintf(fd, "IPSEC_ESP"); 182 break; 183 case IPSEC_AH: 184 fprintf(fd, "IPSEC_AH"); 185 break; 186 default: 187 warnx("illegal satype %d", r->satype); 188 return (-1); 189 } 190 fprintf(fd, " force\n"); 191 192 key_length = NULL; 193 enc_alg = NULL; 194 if (r->p2xfs && r->p2xfs->encxf) { 195 if (r->satype == IPSEC_ESP) { 196 switch (r->p2xfs->encxf->id) { 197 case ENCXF_3DES_CBC: 198 enc_alg = "3DES"; 199 break; 200 case ENCXF_DES_CBC: 201 enc_alg = "DES"; 202 break; 203 case ENCXF_AES: 204 enc_alg = "AES"; 205 key_length = "128,128:256"; 206 break; 207 case ENCXF_AES_128: 208 enc_alg = "AES"; 209 key_length = "128,128:128"; 210 break; 211 case ENCXF_AES_192: 212 enc_alg = "AES"; 213 key_length = "192,192:192"; 214 break; 215 case ENCXF_AES_256: 216 enc_alg = "AES"; 217 key_length = "256,256:256"; 218 break; 219 case ENCXF_AESCTR: 220 enc_alg = "AES_CTR"; 221 key_length = "128,128:128"; 222 break; 223 case ENCXF_AES_128_CTR: 224 enc_alg = "AES_CTR"; 225 key_length = "128,128:128"; 226 break; 227 case ENCXF_AES_192_CTR: 228 enc_alg = "AES_CTR"; 229 key_length = "192,192:192"; 230 break; 231 case ENCXF_AES_256_CTR: 232 enc_alg = "AES_CTR"; 233 key_length = "256,256:256"; 234 break; 235 case ENCXF_AES_128_GCM: 236 enc_alg = "AES_GCM_16"; 237 key_length = "128,128:128"; 238 needauth = 0; 239 break; 240 case ENCXF_AES_192_GCM: 241 enc_alg = "AES_GCM_16"; 242 key_length = "192,192:192"; 243 needauth = 0; 244 break; 245 case ENCXF_AES_256_GCM: 246 enc_alg = "AES_GCM_16"; 247 key_length = "256,256:256"; 248 needauth = 0; 249 break; 250 case ENCXF_AES_128_GMAC: 251 enc_alg = "AES_GMAC"; 252 key_length = "128,128:128"; 253 needauth = 0; 254 break; 255 case ENCXF_AES_192_GMAC: 256 enc_alg = "AES_GMAC"; 257 key_length = "192,192:192"; 258 needauth = 0; 259 break; 260 case ENCXF_AES_256_GMAC: 261 enc_alg = "AES_GMAC"; 262 key_length = "256,256:256"; 263 needauth = 0; 264 break; 265 case ENCXF_BLOWFISH: 266 enc_alg = "BLOWFISH"; 267 key_length = "128,96:192"; 268 break; 269 case ENCXF_CAST128: 270 enc_alg = "CAST"; 271 break; 272 case ENCXF_NULL: 273 enc_alg = "NULL"; 274 needauth = 0; 275 break; 276 default: 277 warnx("illegal transform %s", 278 r->p2xfs->encxf->name); 279 return (-1); 280 } 281 } else { 282 warnx("illegal transform %s", r->p2xfs->encxf->name); 283 return (-1); 284 } 285 } else if (r->satype == IPSEC_ESP) { 286 enc_alg = "AES"; 287 key_length = "128,128:256"; 288 } 289 290 switch (r->tmode) { 291 case IPSEC_TUNNEL: 292 encap = "TUNNEL"; 293 break; 294 case IPSEC_TRANSPORT: 295 encap = "TRANSPORT"; 296 break; 297 default: 298 warnx("illegal encapsulation mode %d", r->tmode); 299 return (-1); 300 } 301 302 auth_alg = NULL; 303 if (r->p2xfs && r->p2xfs->authxf) { 304 switch (r->p2xfs->authxf->id) { 305 case AUTHXF_HMAC_MD5: 306 auth_alg = "MD5"; 307 break; 308 case AUTHXF_HMAC_SHA1: 309 auth_alg = "SHA"; 310 break; 311 case AUTHXF_HMAC_RIPEMD160: 312 auth_alg = "RIPEMD"; 313 break; 314 case AUTHXF_HMAC_SHA2_256: 315 auth_alg = "SHA2_256"; 316 break; 317 case AUTHXF_HMAC_SHA2_384: 318 auth_alg = "SHA2_384"; 319 break; 320 case AUTHXF_HMAC_SHA2_512: 321 auth_alg = "SHA2_512"; 322 break; 323 default: 324 warnx("illegal transform %s", r->p2xfs->authxf->name); 325 return (-1); 326 } 327 } else if (needauth) 328 auth_alg = "SHA2_256"; 329 330 group_desc = NULL; 331 if (r->p2xfs && r->p2xfs->groupxf) { 332 switch (r->p2xfs->groupxf->id) { 333 case GROUPXF_NONE: 334 break; 335 case GROUPXF_768: 336 group_desc = "MODP_768"; 337 break; 338 case GROUPXF_1024: 339 group_desc = "MODP_1024"; 340 break; 341 case GROUPXF_1536: 342 group_desc = "MODP_1536"; 343 break; 344 case GROUPXF_2048: 345 group_desc = "MODP_2048"; 346 break; 347 case GROUPXF_3072: 348 group_desc = "MODP_3072"; 349 break; 350 case GROUPXF_4096: 351 group_desc = "MODP_4096"; 352 break; 353 case GROUPXF_6144: 354 group_desc = "MODP_6144"; 355 break; 356 case GROUPXF_8192: 357 group_desc = "MODP_8192"; 358 break; 359 default: 360 warnx("illegal group %s", r->p2xfs->groupxf->name); 361 return (-1); 362 } 363 } else 364 group_desc = "MODP_1024"; 365 366 /* the transform name must not include "," */ 367 if (key_length && (p = strchr(key_length, ',')) != NULL) 368 num_print = p - key_length; 369 /* 370 * create a unique transform name, otherwise we cannot have 371 * multiple transforms per p2name. 372 */ 373 if (asprintf(&transform, "phase2-transform-%s-%s%.*s-%s-%s-%s", 374 r->p2name, 375 enc_alg ? enc_alg : "NONE", 376 num_print, key_length ? key_length : "", 377 auth_alg ? auth_alg : "NONE", 378 group_desc ? group_desc : "NONE", 379 encap) == -1) 380 errx(1, "asprintf phase2-transform"); 381 382 fprintf(fd, SET "[phase2-protocol-%s]:Transforms=%s force\n", 383 r->p2name, transform); 384 385 fprintf(fd, SET "[%s]:TRANSFORM_ID=%s force\n", transform, 386 r->satype == IPSEC_AH ? auth_alg : enc_alg); 387 if (key_length) 388 fprintf(fd, SET "[%s]:KEY_LENGTH=%s force\n", transform, 389 key_length); 390 fprintf(fd, SET "[%s]:ENCAPSULATION_MODE=%s force\n", transform, encap); 391 if (auth_alg) 392 fprintf(fd, SET "[%s]:AUTHENTICATION_ALGORITHM=HMAC_%s force\n", 393 transform, auth_alg); 394 if (group_desc) 395 fprintf(fd, SET "[%s]:GROUP_DESCRIPTION=%s force\n", transform, 396 group_desc); 397 398 if (r->p2life && r->p2life->lt_seconds != -1) { 399 fprintf(fd, SET "[%s]:Life=%s-life force\n", 400 transform, transform); 401 fprintf(fd, SET "[%s-life]:LIFE_TYPE=SECONDS force\n", 402 transform); 403 fprintf(fd, SET "[%s-life]:LIFE_DURATION=%d force\n", 404 transform, r->p2life->lt_seconds); 405 } else 406 fprintf(fd, SET "[%s]:Life=LIFE_QUICK_MODE force\n", 407 transform); 408 409 free(transform); 410 return (0); 411 } 412 413 static int 414 ike_section_p1(struct ipsec_rule *r, FILE *fd) 415 { 416 char *exchange_type, *key_length, *transform, *p; 417 char *enc_alg, *auth_alg, *group_desc, *auth_method; 418 int num_print = 0; 419 420 switch (r->p1ie) { 421 case IKE_MM: 422 exchange_type = "ID_PROT"; 423 break; 424 case IKE_AM: 425 exchange_type = "AGGRESSIVE"; 426 break; 427 default: 428 warnx("illegal phase 1 ike mode %d", r->p1ie); 429 return (-1); 430 } 431 432 fprintf(fd, SET "[%s]:Configuration=phase1-%s force\n", r->p1name, 433 r->p1name); 434 fprintf(fd, SET "[phase1-%s]:EXCHANGE_TYPE=%s force\n", r->p1name, 435 exchange_type); 436 437 key_length = NULL; 438 if (r->p1xfs && r->p1xfs->encxf) { 439 switch (r->p1xfs->encxf->id) { 440 case ENCXF_3DES_CBC: 441 enc_alg = "3DES"; 442 break; 443 case ENCXF_DES_CBC: 444 enc_alg = "DES"; 445 break; 446 case ENCXF_AES: 447 enc_alg = "AES"; 448 key_length = "128,128:256"; 449 break; 450 case ENCXF_AES_128: 451 enc_alg = "AES"; 452 key_length = "128,128:128"; 453 break; 454 case ENCXF_AES_192: 455 enc_alg = "AES"; 456 key_length = "192,192:192"; 457 break; 458 case ENCXF_AES_256: 459 enc_alg = "AES"; 460 key_length = "256,256:256"; 461 break; 462 case ENCXF_BLOWFISH: 463 enc_alg = "BLOWFISH"; 464 key_length = "128,96:192"; 465 break; 466 case ENCXF_CAST128: 467 enc_alg = "CAST"; 468 break; 469 default: 470 warnx("illegal transform %s", r->p1xfs->encxf->name); 471 return (-1); 472 } 473 } else { 474 enc_alg = "AES"; 475 key_length = "128,128:256"; 476 } 477 478 if (r->p1xfs && r->p1xfs->authxf) { 479 switch (r->p1xfs->authxf->id) { 480 case AUTHXF_HMAC_MD5: 481 auth_alg = "MD5"; 482 break; 483 case AUTHXF_HMAC_SHA1: 484 auth_alg = "SHA"; 485 break; 486 case AUTHXF_HMAC_SHA2_256: 487 auth_alg = "SHA2_256"; 488 break; 489 case AUTHXF_HMAC_SHA2_384: 490 auth_alg = "SHA2_384"; 491 break; 492 case AUTHXF_HMAC_SHA2_512: 493 auth_alg = "SHA2_512"; 494 break; 495 default: 496 warnx("illegal transform %s", r->p1xfs->authxf->name); 497 return (-1); 498 } 499 } else 500 auth_alg = "SHA"; 501 502 if (r->p1xfs && r->p1xfs->groupxf) { 503 switch (r->p1xfs->groupxf->id) { 504 case GROUPXF_768: 505 group_desc = "MODP_768"; 506 break; 507 case GROUPXF_1024: 508 group_desc = "MODP_1024"; 509 break; 510 case GROUPXF_1536: 511 group_desc = "MODP_1536"; 512 break; 513 case GROUPXF_2048: 514 group_desc = "MODP_2048"; 515 break; 516 case GROUPXF_3072: 517 group_desc = "MODP_3072"; 518 break; 519 case GROUPXF_4096: 520 group_desc = "MODP_4096"; 521 break; 522 case GROUPXF_6144: 523 group_desc = "MODP_6144"; 524 break; 525 case GROUPXF_8192: 526 group_desc = "MODP_8192"; 527 break; 528 default: 529 warnx("illegal group %s", r->p1xfs->groupxf->name); 530 return (-1); 531 }; 532 } else 533 group_desc = "MODP_1024"; 534 535 switch (r->ikeauth->type) { 536 case IKE_AUTH_PSK: 537 auth_method = "PRE_SHARED"; 538 break; 539 case IKE_AUTH_RSA: 540 auth_method = "RSA_SIG"; 541 break; 542 default: 543 warnx("illegal authentication method %u", r->ikeauth->type); 544 return (-1); 545 } 546 547 /* the transform name must not include "," */ 548 if (key_length && (p = strchr(key_length, ',')) != NULL) 549 num_print = p - key_length; 550 /* create unique name for transform, see also ike_section_p2() */ 551 if (asprintf(&transform, "phase1-transform-%s-%s-%s-%s%.*s-%s", 552 r->p1name, auth_method, auth_alg, enc_alg, 553 num_print, key_length ? key_length : "", 554 group_desc) == -1) 555 errx(1, "asprintf phase1-transform"); 556 557 fprintf(fd, ADD "[phase1-%s]:Transforms=%s force\n", r->p1name, 558 transform); 559 fprintf(fd, SET "[%s]:AUTHENTICATION_METHOD=%s force\n", transform, 560 auth_method); 561 fprintf(fd, SET "[%s]:HASH_ALGORITHM=%s force\n", transform, auth_alg); 562 fprintf(fd, SET "[%s]:ENCRYPTION_ALGORITHM=%s_CBC force\n", transform, 563 enc_alg); 564 if (key_length) 565 fprintf(fd, SET "[%s]:KEY_LENGTH=%s force\n", transform, 566 key_length); 567 fprintf(fd, SET "[%s]:GROUP_DESCRIPTION=%s force\n", transform, 568 group_desc); 569 570 if (r->p1life && r->p1life->lt_seconds != -1) { 571 fprintf(fd, SET "[%s]:Life=%s-life force\n", 572 transform, transform); 573 fprintf(fd, SET "[%s-life]:LIFE_TYPE=SECONDS force\n", 574 transform); 575 fprintf(fd, SET "[%s-life]:LIFE_DURATION=%d force\n", 576 transform, r->p1life->lt_seconds); 577 } else 578 fprintf(fd, SET "[%s]:Life=LIFE_MAIN_MODE force\n", transform); 579 580 free(transform); 581 return (0); 582 } 583 584 static void 585 ike_section_p2ids_net(struct ipsec_addr *iamask, sa_family_t af, char *name, 586 char *p2xid, FILE *fd) 587 { 588 char mask[NI_MAXHOST], *network, *p; 589 struct sockaddr_storage sas; 590 struct sockaddr *sa = (struct sockaddr *)&sas; 591 592 bzero(&sas, sizeof(struct sockaddr_storage)); 593 bzero(mask, sizeof(mask)); 594 sa->sa_family = af; 595 switch (af) { 596 case AF_INET: 597 sa->sa_len = sizeof(struct sockaddr_in); 598 bcopy(&iamask->ipa, 599 &((struct sockaddr_in *)(sa))->sin_addr, 600 sizeof(struct in6_addr)); 601 break; 602 case AF_INET6: 603 sa->sa_len = sizeof(struct sockaddr_in6); 604 bcopy(&iamask->ipa, 605 &((struct sockaddr_in6 *)(sa))->sin6_addr, 606 sizeof(struct in6_addr)); 607 break; 608 } 609 if (getnameinfo(sa, sa->sa_len, mask, sizeof(mask), NULL, 0, 610 NI_NUMERICHOST)) 611 errx(1, "could not get a numeric mask"); 612 613 if ((network = strdup(name)) == NULL) 614 err(1, "ike_section_p2ids: strdup"); 615 if ((p = strrchr(network, '/')) != NULL) 616 *p = '\0'; 617 618 fprintf(fd, SET "[%s]:ID-type=IPV%d_ADDR_SUBNET force\n", 619 p2xid, ((af == AF_INET) ? 4 : 6)); 620 fprintf(fd, SET "[%s]:Network=%s force\n", p2xid, network); 621 fprintf(fd, SET "[%s]:Netmask=%s force\n", p2xid, mask); 622 623 free(network); 624 } 625 626 static void 627 ike_section_p2ids(struct ipsec_rule *r, FILE *fd) 628 { 629 char *p; 630 struct ipsec_addr_wrap *src = r->src; 631 struct ipsec_addr_wrap *dst = r->dst; 632 633 if (src->netaddress) { 634 ike_section_p2ids_net(&src->mask, src->af, src->name, 635 r->p2lid, fd); 636 } else { 637 fprintf(fd, SET "[%s]:ID-type=IPV%d_ADDR force\n", 638 r->p2lid, ((src->af == AF_INET) ? 4 : 6)); 639 if ((p = strrchr(src->name, '/')) != NULL) 640 *p = '\0'; 641 fprintf(fd, SET "[%s]:Address=%s force\n", r->p2lid, 642 src->name); 643 } 644 645 if (src->srcnat && src->srcnat->netaddress) { 646 ike_section_p2ids_net(&src->srcnat->mask, src->af, src->srcnat->name, 647 r->p2nid, fd); 648 } else if (src->srcnat) { 649 fprintf(fd, SET "[%s]:ID-type=IPV%d_ADDR force\n", 650 r->p2nid, ((src->af == AF_INET) ? 4 : 6)); 651 if ((p = strrchr(src->srcnat->name, '/')) != NULL) 652 *p = '\0'; 653 fprintf(fd, SET "[%s]:Address=%s force\n", r->p2nid, 654 src->srcnat->name); 655 } 656 657 if (dst->netaddress) { 658 ike_section_p2ids_net(&dst->mask, dst->af, dst->name, 659 r->p2rid, fd); 660 } else { 661 fprintf(fd, SET "[%s]:ID-type=IPV%d_ADDR force\n", 662 r->p2rid, ((dst->af == AF_INET) ? 4 : 6)); 663 if ((p = strrchr(dst->name, '/')) != NULL) 664 *p = '\0'; 665 fprintf(fd, SET "[%s]:Address=%s force\n", r->p2rid, 666 dst->name); 667 } 668 if (r->proto) { 669 fprintf(fd, SET "[%s]:Protocol=%d force\n", 670 r->p2lid, r->proto); 671 fprintf(fd, SET "[%s]:Protocol=%d force\n", 672 r->p2rid, r->proto); 673 } 674 if (r->sport) 675 fprintf(fd, SET "[%s]:Port=%d force\n", r->p2lid, 676 ntohs(r->sport)); 677 if (r->dport) 678 fprintf(fd, SET "[%s]:Port=%d force\n", r->p2rid, 679 ntohs(r->dport)); 680 } 681 682 static int 683 ike_connect(struct ipsec_rule *r, FILE *fd) 684 { 685 switch (r->ikemode) { 686 case IKE_ACTIVE: 687 case IKE_DYNAMIC: 688 fprintf(fd, ADD "[Phase 2]:Connections=%s\n", r->p2name); 689 break; 690 case IKE_PASSIVE: 691 fprintf(fd, ADD "[Phase 2]:Passive-Connections=%s\n", 692 r->p2name); 693 break; 694 default: 695 return (-1); 696 } 697 return (0); 698 } 699 700 static int 701 ike_gen_config(struct ipsec_rule *r, FILE *fd) 702 { 703 ike_setup_ids(r); 704 ike_section_general(r, fd); 705 ike_section_peer(r, fd); 706 if (ike_section_p1(r, fd) == -1) { 707 return (-1); 708 } 709 ike_section_ids(r, fd); 710 ike_section_ipsec(r, fd); 711 if (ike_section_p2(r, fd) == -1) { 712 return (-1); 713 } 714 ike_section_p2ids(r, fd); 715 716 if (ike_connect(r, fd) == -1) 717 return (-1); 718 return (0); 719 } 720 721 static int 722 ike_delete_config(struct ipsec_rule *r, FILE *fd) 723 { 724 ike_setup_ids(r); 725 #if 0 726 switch (r->ikemode) { 727 case IKE_ACTIVE: 728 case IKE_DYNAMIC: 729 fprintf(fd, "t %s\n", r->p2name); 730 break; 731 case IKE_PASSIVE: 732 fprintf(fd, DELETE "[Phase 2]\n"); 733 fprintf(fd, "t %s\n", r->p2name); 734 break; 735 default: 736 return (-1); 737 } 738 739 if (r->peer) { 740 fprintf(fd, DELETE "[%s]\n", r->p1name); 741 fprintf(fd, DELETE "[phase1-%s]\n", r->p1name); 742 } 743 if (r->auth) { 744 if (r->auth->srcid) 745 fprintf(fd, DELETE "[%s-ID]\n", r->auth->srcid); 746 if (r->auth->dstid) 747 fprintf(fd, DELETE "[%s-ID]\n", r->auth->dstid); 748 } 749 fprintf(fd, DELETE "[%s]\n", r->p2name); 750 fprintf(fd, DELETE "[phase2-%s]\n", r->p2name); 751 fprintf(fd, DELETE "[%s]\n", r->p2lid); 752 fprintf(fd, DELETE "[%s]\n", r->p2rid); 753 #else 754 fprintf(fd, "t %s\n", r->p2name); 755 switch (r->ikemode) { 756 case IKE_ACTIVE: 757 case IKE_DYNAMIC: 758 fprintf(fd, RMV "[Phase 2]:Connections=%s\n", r->p2name); 759 break; 760 case IKE_PASSIVE: 761 fprintf(fd, RMV "[Phase 2]:Passive-Connections=%s\n", 762 r->p2name); 763 break; 764 default: 765 return (-1); 766 } 767 fprintf(fd, DELETE "[%s]\n", r->p2name); 768 fprintf(fd, DELETE "[phase2-%s]\n", r->p2name); 769 #endif 770 771 return (0); 772 } 773 774 static void 775 ike_setup_ids(struct ipsec_rule *r) 776 { 777 char sproto[10], ssport[10], sdport[10]; 778 779 /* phase 1 name is peer and local address */ 780 if (r->peer) { 781 if (r->local) { 782 /* peer-dstaddr-local-srcaddr */ 783 if (asprintf(&r->p1name, "peer-%s-local-%s", 784 r->peer->name, r->local->name) == -1) 785 err(1, "ike_setup_ids"); 786 } else 787 /* peer-dstaddr */ 788 if (asprintf(&r->p1name, "peer-%s", 789 r->peer->name) == -1) 790 err(1, "ike_setup_ids"); 791 } else 792 if ((r->p1name = strdup("peer-default")) == NULL) 793 err(1, "ike_setup_ids"); 794 795 /* Phase 2 name is from and to network, protocol, port*/ 796 sproto[0] = ssport[0] = sdport[0] = 0; 797 if (r->proto) 798 snprintf(sproto, sizeof sproto, "=%u", r->proto); 799 if (r->sport) 800 snprintf(ssport, sizeof ssport, ":%u", ntohs(r->sport)); 801 if (r->dport) 802 snprintf(sdport, sizeof sdport, ":%u", ntohs(r->dport)); 803 /* from-network/masklen=proto:port */ 804 if (asprintf(&r->p2lid, "from-%s%s%s", r->src->name, sproto, ssport) 805 == -1) 806 err(1, "ike_setup_ids"); 807 /* to-network/masklen=proto:port */ 808 if (asprintf(&r->p2rid, "to-%s%s%s", r->dst->name, sproto, sdport) 809 == -1) 810 err(1, "ike_setup_ids"); 811 /* from-network/masklen=proto:port-to-network/masklen=proto:port */ 812 if (asprintf(&r->p2name, "%s-%s", r->p2lid , r->p2rid) == -1) 813 err(1, "ike_setup_ids"); 814 /* nat-network/masklen=proto:port */ 815 if (r->src->srcnat && r->src->srcnat->name) { 816 if (asprintf(&r->p2nid, "nat-%s%s%s", r->src->srcnat->name, sproto, 817 ssport) == -1) 818 err(1, "ike_setup_ids"); 819 } 820 } 821 822 int 823 ike_print_config(struct ipsec_rule *r, int opts) 824 { 825 if (opts & IPSECCTL_OPT_DELETE) 826 return (ike_delete_config(r, stdout)); 827 else 828 return (ike_gen_config(r, stdout)); 829 } 830 831 int 832 ike_ipsec_establish(int action, struct ipsec_rule *r, const char *fifo) 833 { 834 struct stat sb; 835 FILE *fdp; 836 int fd, ret = 0; 837 838 if ((fd = open(fifo, O_WRONLY)) == -1) 839 err(1, "ike_ipsec_establish: open(%s)", fifo); 840 if (fstat(fd, &sb) == -1) 841 err(1, "ike_ipsec_establish: fstat(%s)", fifo); 842 if (!S_ISFIFO(sb.st_mode)) 843 errx(1, "ike_ipsec_establish: %s not a fifo", fifo); 844 if ((fdp = fdopen(fd, "w")) == NULL) 845 err(1, "ike_ipsec_establish: fdopen(%s)", fifo); 846 847 switch (action) { 848 case ACTION_ADD: 849 ret = ike_gen_config(r, fdp); 850 break; 851 case ACTION_DELETE: 852 ret = ike_delete_config(r, fdp); 853 break; 854 default: 855 ret = -1; 856 } 857 858 fclose(fdp); 859 return (ret); 860 } 861