Subject: Re: Using IKE with one fixed end and one dynamic end
To: Darren Reed <darrenr@reed.wattle.id.au>
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
List: tech-net
Date: 10/30/2001 12:54:10
>>>>> "Darren" == Darren Reed <darrenr@reed.wattle.id.au> writes:
Darren> Hi, Does anyone have any suggestions on how to configure IKE
Darren> (racoon) for access to a LAN from cable internet (DHCP) ? Can
Darren> you assume you know nothing about the remote IP address ?
Darren> Particularly, what should the SPDs look like.
You'll either have to use RSA keys (which I've not yet determined how
to do) or use psk with aggressive mode.
Server side:
Make sure that you have "generate_policy on;" on the "remote anonymous"
definition.
Client side:
You'll want to generate the SA from your dhcp script. I use the following,
which I hook into /etc/dhclient-exit-hooks.
% cat /etc/dhclient-exit-hooks
echo
echo Exit hooks
# gotip: wait until the boot has finished, then run the per-address scripts
# for the address dhclient just handed us ($new_ip_address is set by dhclient).
# Runs in the background, so the pid recorded below is the parent script's ($$).
gotip() {
    echo $$ >/var/run/dhclient-exit-hooks.pid
    while [ ! -f /var/run/bootdone ]
    do
        sleep 5
    done
    if [ "x$new_ip_address" != x ] ; then
        # take "$new_ip_address" and look for scripts to run
        # in /etc/dhclient/when-conf and /etc/dhclient/when-notconf
        if [ -f /etc/dhclient/when-conf/$new_ip_address ]
        then
            echo Running /etc/dhclient/when-conf/$new_ip_address
            sh /etc/dhclient/when-conf/$new_ip_address $new_ip_address
        fi
        # every when-notconf script except the one named after the new address
        # (-F -x: compare the file name literally and as a whole, not as a regex)
        /bin/ls /etc/dhclient/when-notconf | grep -v -F -x "$new_ip_address" | while read conf
        do
            echo Running /etc/dhclient/when-notconf/$conf
            sh /etc/dhclient/when-notconf/$conf $new_ip_address
        done
    fi
}
case $reason in
BOUND|REBOOT) gotip & ;;
esac
% cat /etc/dhclient/when-notconf/A.B.C.20
#!/bin/sh
# Runs whenever the new address is not A.B.C.20: do nothing for the fixed
# address or for a private 192.168.x.x lease, otherwise bring up the tunnel.
case $1 in
    A.B.C.20) ;;
    192.168.*.*) ;;
    *)  sh /etc/racoon/ipsec-istari.sh $1
        sh /etc/configstf $1;;
esac
% cat /etc/racoon/ipsec-istari.sh
#!/bin/sh
PATH=/usr/sbin:/sbin:$PATH export PATH
set -x
myip=$1                         # our current (DHCP-assigned) outer address
if [ -z "$myip" ]
then
    exit 0
fi
# host route to the peer via the cable gateway, with a reduced MTU that
# leaves room for the ESP tunnel overhead
route delete -host A.B.C.30
route add -host A.B.C.30 -ifa A.B.C.20 -mtu 1400 A.B.C.65
echo MYIP: "]$myip["
ifconfig -a
# SPD entries: A.B.C.20 <-> A.B.C.30 traffic is tunnelled between our dynamic
# address and the fixed end A.B.C.18; keep a copy of what was loaded.
(
    echo "spdadd A.B.C.20/32 A.B.C.30/32 any -P out ipsec esp/tunnel/${myip}-A.B.C.18/require;"
    echo "spdadd A.B.C.30/32 A.B.C.20/32 any -P in ipsec esp/tunnel/A.B.C.18-${myip}/require;"
) | tee /var/run/spd.istari.boot | setkey -c
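A worked example added here by the editor; it is not code from Michael's post nor from racoon or NetBSD. It does the same job as ipsec-istari.sh above (turn the DHCP-assigned address into a pair of setkey SPD entries) with two additions a practitioner would want: the address is validated before it is spliced into a setkey command line, and the policies installed for the previous lease are deleted so they do not pile up in the SPD. The addresses are constructed placeholders standing in for the post's A.B.C.x hosts (192.0.2.30/32 plays A.B.C.30, 192.0.2.18 plays A.B.C.18); the function names and the state file path are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): generate, and optionally load,
# the setkey SPD entries for a client whose own address comes from DHCP.
# Constructed placeholders for the A.B.C.x hosts in the post:
REMOTE="192.0.2.30/32"              # the peer we talk to through the tunnel (A.B.C.30 role)
GW_PUB="192.0.2.18"                 # fixed public address of the other end (A.B.C.18 role)
STATE="${STATE:-/var/run/spd.dynamic.boot}"   # assumed path: last policy + last address

# is_ipv4 ADDR: succeed only for a bare dotted quad with octets 0-255.
# dhclient hands the hook $new_ip_address and it ends up inside a setkey
# script, so anything that is not a plain address is rejected here.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    (
        IFS=.
        set -- $1
        [ $# -eq 4 ] || exit 1
        for octet in "$@"; do
            [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || exit 1
        done
    )
}

# spd_config NEWIP [OLDIP]: print the setkey script for NEWIP. When OLDIP
# (the address of the previous lease) is given and differs, its policies are
# removed first so stale entries do not remain in the SPD.
spd_config() {
    new=$1; old=${2:-}
    is_ipv4 "$new" || { echo "spd_config: refusing address '$new'" >&2; return 1; }
    if [ -n "$old" ] && [ "$old" != "$new" ]; then
        is_ipv4 "$old" || { echo "spd_config: refusing old address '$old'" >&2; return 1; }
        printf 'spddelete %s/32 %s any -P out;\n' "$old" "$REMOTE"
        printf 'spddelete %s %s/32 any -P in;\n' "$REMOTE" "$old"
    fi
    printf 'spdadd %s/32 %s any -P out ipsec esp/tunnel/%s-%s/require;\n' "$new" "$REMOTE" "$new" "$GW_PUB"
    printf 'spdadd %s %s/32 any -P in ipsec esp/tunnel/%s-%s/require;\n' "$REMOTE" "$new" "$GW_PUB" "$new"
}

# apply_spd NEWIP: build the policy, remember the address for the next lease
# and feed the script to setkey -c when it is installed (else keep the file).
apply_spd() {
    old=""
    [ -f "$STATE.addr" ] && old=$(cat "$STATE.addr")
    conf=$(spd_config "$1" "$old") || return 1
    printf '%s\n' "$conf" > "$STATE"
    printf '%s\n' "$1" > "$STATE.addr"
    if command -v setkey >/dev/null 2>&1; then
        printf '%s\n' "$conf" | setkey -c
    else
        echo "setkey not found; policy written to $STATE only" >&2
    fi
}

# From a dhclient exit hook this is invoked as: sh thisscript "$new_ip_address"
case "${1:-}" in
    '') ;;                       # no address given: only define the functions
    *)  apply_spd "$1" ;;
esac
```

Dropped in place of /etc/racoon/ipsec-istari.sh it is called from the when-notconf script with the new address as its argument. The spddelete form follows setkey(8) (src_range dst_range upperspec -P direction); deleting only the previous lease's two entries, rather than an spdflush, leaves any other policies on the host untouched.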