1 /* $OpenBSD: ike.c,v 1.69 2010/10/15 12:11:10 mikeb Exp $ */ 2 /* 3 * Copyright (c) 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org> 4 * 5 * Permission to use, copy, modify, and distribute this software for any 6 * purpose with or without fee is hereby granted, provided that the above 7 * copyright notice and this permission notice appear in all copies. 8 * 9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16 */ 17 18 #include <sys/types.h> 19 #include <sys/socket.h> 20 #include <sys/stat.h> 21 #include <sys/queue.h> 22 #include <netinet/in.h> 23 #include <netdb.h> 24 #include <arpa/inet.h> 25 26 #include <err.h> 27 #include <fcntl.h> 28 #include <stdio.h> 29 #include <stdlib.h> 30 #include <string.h> 31 #include <unistd.h> 32 33 #include "ipsecctl.h" 34 35 static void ike_section_general(struct ipsec_rule *, FILE *); 36 static void ike_section_peer(struct ipsec_rule *, FILE *); 37 static void ike_section_ids(struct ipsec_rule *, FILE *); 38 static void ike_section_ipsec(struct ipsec_rule *, FILE *); 39 static int ike_section_p1(struct ipsec_rule *, FILE *); 40 static int ike_section_p2(struct ipsec_rule *, FILE *); 41 static void ike_section_p2ids(struct ipsec_rule *, FILE *); 42 static int ike_connect(struct ipsec_rule *, FILE *); 43 static int ike_gen_config(struct ipsec_rule *, FILE *); 44 static int ike_delete_config(struct ipsec_rule *, FILE *); 45 static void ike_setup_ids(struct ipsec_rule *); 46 47 int ike_print_config(struct ipsec_rule *, int); 48 int ike_ipsec_establish(int, struct ipsec_rule *); 49 50 #define SET "C set " 51 #define ADD "C add " 52 #define DELETE "C rms " 53 #define RMV "C rmv " 54 55 #define ISAKMPD_FIFO "/var/run/isakmpd.fifo" 56 57 #define CONF_DFLT_DYNAMIC_DPD_CHECK_INTERVAL 5 58 #define CONF_DFLT_DYNAMIC_CHECK_INTERVAL 30 59 60 char *ike_id_types[] = { 61 "", "", "IPV4_ADDR", "IPV6_ADDR", "FQDN", "USER_FQDN" 62 }; 63 64 static void 65 ike_section_general(struct ipsec_rule *r, FILE *fd) 66 { 67 if (r->ikemode == IKE_DYNAMIC) { 68 fprintf(fd, SET "[General]:Check-interval=%d force\n", 69 CONF_DFLT_DYNAMIC_CHECK_INTERVAL); 70 fprintf(fd, SET "[General]:DPD-check-interval=%d force\n", 71 CONF_DFLT_DYNAMIC_DPD_CHECK_INTERVAL); 72 } 73 if (r->p1life && r->p1life->lifetime != -1) 74 fprintf(fd, SET "[General]:Default-phase-1-lifetime=%d force\n", 75 r->p1life->lifetime); 76 if (r->p2life && r->p2life->lifetime != -1) 77 fprintf(fd, SET "[General]:Default-phase-2-lifetime=%d force\n", 78 r->p2life->lifetime); 79 } 80 81 static void 82 ike_section_peer(struct ipsec_rule *r, FILE *fd) 83 { 84 if (r->peer) 85 fprintf(fd, SET "[Phase 1]:%s=%s force\n", r->peer->name, 86 r->p1name); 87 else 88 fprintf(fd, SET "[Phase 1]:Default=%s force\n", r->p1name); 89 fprintf(fd, SET "[%s]:Phase=1 force\n", r->p1name); 90 if (r->peer) 91 fprintf(fd, SET "[%s]:Address=%s force\n", r->p1name, 92 r->peer->name); 93 if (r->local) 94 fprintf(fd, SET "[%s]:Local-address=%s force\n", r->p1name, 95 r->local->name); 96 if (r->ikeauth->type == IKE_AUTH_PSK) 97 fprintf(fd, SET "[%s]:Authentication=%s force\n", r->p1name, 98 r->ikeauth->string); 99 } 100 101 static void 102 ike_section_ids(struct ipsec_rule *r, FILE *fd) 103 { 104 char myname[MAXHOSTNAMELEN]; 105 106 if (r->auth == NULL) 107 return; 108 109 if (r->ikemode == IKE_DYNAMIC && r->auth->srcid == NULL) { 110 if (gethostname(myname, sizeof(myname)) == -1) 111 err(1, "ike_section_ids: gethostname"); 112 if ((r->auth->srcid = strdup(myname)) == NULL) 113 err(1, "ike_section_ids: strdup"); 114 r->auth->srcid_type = ID_FQDN; 115 } 116 if (r->auth->srcid) { 117 fprintf(fd, SET "[%s]:ID=id-%s force\n", r->p1name, 118 r->auth->srcid); 119 fprintf(fd, SET "[id-%s]:ID-type=%s force\n", r->auth->srcid, 120 ike_id_types[r->auth->srcid_type]); 121 if (r->auth->srcid_type == ID_IPV4 || 122 r->auth->srcid_type == ID_IPV6) 123 fprintf(fd, SET "[id-%s]:Address=%s force\n", 124 r->auth->srcid, r->auth->srcid); 125 else 126 fprintf(fd, SET "[id-%s]:Name=%s force\n", 127 r->auth->srcid, r->auth->srcid); 128 } 129 if (r->auth->dstid) { 130 fprintf(fd, SET "[%s]:Remote-ID=id-%s force\n", r->p1name, 131 r->auth->dstid); 132 fprintf(fd, SET "[id-%s]:ID-type=%s force\n", r->auth->dstid, 133 ike_id_types[r->auth->dstid_type]); 134 if (r->auth->dstid_type == ID_IPV4 || 135 r->auth->dstid_type == ID_IPV6) 136 fprintf(fd, SET "[id-%s]:Address=%s force\n", 137 r->auth->dstid, r->auth->dstid); 138 else 139 fprintf(fd, SET "[id-%s]:Name=%s force\n", 140 r->auth->dstid, r->auth->dstid); 141 } 142 } 143 144 static void 145 ike_section_ipsec(struct ipsec_rule *r, FILE *fd) 146 { 147 fprintf(fd, SET "[%s]:Phase=2 force\n", r->p2name); 148 fprintf(fd, SET "[%s]:ISAKMP-peer=%s force\n", r->p2name, r->p1name); 149 fprintf(fd, SET "[%s]:Configuration=phase2-%s force\n", r->p2name, 150 r->p2name); 151 fprintf(fd, SET "[%s]:Local-ID=%s force\n", r->p2name, r->p2lid); 152 if (r->p2nid) 153 fprintf(fd, SET "[%s]:NAT-ID=%s force\n", r->p2name, r->p2nid); 154 fprintf(fd, SET "[%s]:Remote-ID=%s force\n", r->p2name, r->p2rid); 155 156 if (r->tag) 157 fprintf(fd, SET "[%s]:PF-Tag=%s force\n", r->p2name, r->tag); 158 } 159 160 static int 161 ike_section_p2(struct ipsec_rule *r, FILE *fd) 162 { 163 char *exchange_type, *sprefix; 164 int needauth = 1; 165 166 switch (r->p2ie) { 167 case IKE_QM: 168 exchange_type = "QUICK_MODE"; 169 sprefix = "QM"; 170 break; 171 default: 172 warnx("illegal phase 2 ike mode %d", r->p2ie); 173 return (-1); 174 } 175 176 fprintf(fd, SET "[phase2-%s]:EXCHANGE_TYPE=%s force\n", r->p2name, 177 exchange_type); 178 fprintf(fd, SET "[phase2-%s]:Suites=%s-", r->p2name, sprefix); 179 180 switch (r->satype) { 181 case IPSEC_ESP: 182 fprintf(fd, "ESP"); 183 break; 184 case IPSEC_AH: 185 fprintf(fd, "AH"); 186 break; 187 default: 188 warnx("illegal satype %d", r->satype); 189 return (-1); 190 } 191 fprintf(fd, "-"); 192 193 switch (r->tmode) { 194 case IPSEC_TUNNEL: 195 break; 196 case IPSEC_TRANSPORT: 197 fprintf(fd, "TRP-"); 198 break; 199 default: 200 warnx("illegal encapsulation mode %d", r->tmode); 201 return (-1); 202 } 203 204 if (r->p2xfs && r->p2xfs->encxf) { 205 if (r->satype == IPSEC_ESP) { 206 switch (r->p2xfs->encxf->id) { 207 case ENCXF_3DES_CBC: 208 fprintf(fd, "3DES"); 209 break; 210 case ENCXF_DES_CBC: 211 fprintf(fd, "DES"); 212 break; 213 case ENCXF_AES: 214 fprintf(fd, "AES"); 215 break; 216 case ENCXF_AES_128: 217 fprintf(fd, "AES-128"); 218 break; 219 case ENCXF_AES_192: 220 fprintf(fd, "AES-192"); 221 break; 222 case ENCXF_AES_256: 223 fprintf(fd, "AES-256"); 224 break; 225 case ENCXF_AESCTR: 226 fprintf(fd, "AESCTR"); 227 break; 228 case ENCXF_AES_128_GCM: 229 fprintf(fd, "AESGCM-128"); 230 needauth = 0; 231 break; 232 case ENCXF_AES_192_GCM: 233 fprintf(fd, "AESGCM-192"); 234 needauth = 0; 235 break; 236 case ENCXF_AES_256_GCM: 237 fprintf(fd, "AESGCM-256"); 238 needauth = 0; 239 break; 240 case ENCXF_AES_128_GMAC: 241 fprintf(fd, "AESGMAC-128"); 242 needauth = 0; 243 break; 244 case ENCXF_AES_192_GMAC: 245 fprintf(fd, "AESGMAC-192"); 246 needauth = 0; 247 break; 248 case ENCXF_AES_256_GMAC: 249 fprintf(fd, "AESGMAC-256"); 250 needauth = 0; 251 break; 252 case ENCXF_BLOWFISH: 253 fprintf(fd, "BLF"); 254 break; 255 case ENCXF_CAST128: 256 fprintf(fd, "CAST"); 257 break; 258 case ENCXF_NULL: 259 fprintf(fd, "NULL"); 260 needauth = 0; 261 break; 262 default: 263 warnx("illegal transform %s", 264 r->p2xfs->encxf->name); 265 return (-1); 266 } 267 fprintf(fd, "-"); 268 } else { 269 warnx("illegal transform %s", r->p2xfs->encxf->name); 270 return (-1); 271 } 272 } else if (r->satype == IPSEC_ESP) 273 fprintf(fd, "AES-"); 274 275 if (r->p2xfs && r->p2xfs->authxf) { 276 switch (r->p2xfs->authxf->id) { 277 case AUTHXF_HMAC_MD5: 278 fprintf(fd, "MD5"); 279 break; 280 case AUTHXF_HMAC_SHA1: 281 fprintf(fd, "SHA"); 282 break; 283 case AUTHXF_HMAC_RIPEMD160: 284 fprintf(fd, "RIPEMD"); 285 break; 286 case AUTHXF_HMAC_SHA2_256: 287 fprintf(fd, "SHA2-256"); 288 break; 289 case AUTHXF_HMAC_SHA2_384: 290 fprintf(fd, "SHA2-384"); 291 break; 292 case AUTHXF_HMAC_SHA2_512: 293 fprintf(fd, "SHA2-512"); 294 break; 295 default: 296 warnx("illegal transform %s", r->p2xfs->authxf->name); 297 return (-1); 298 } 299 fprintf(fd, "-"); 300 } else if (needauth) 301 fprintf(fd, "SHA2-256-"); 302 303 if (r->p2xfs && r->p2xfs->groupxf) { 304 switch (r->p2xfs->groupxf->id) { 305 case GROUPXF_NONE: 306 break; 307 case GROUPXF_768: 308 fprintf(fd, "PFS-GRP1-"); 309 break; 310 case GROUPXF_1024: 311 fprintf(fd, "PFS-GRP2-"); 312 break; 313 case GROUPXF_1536: 314 fprintf(fd, "PFS-GRP5-"); 315 break; 316 case GROUPXF_2048: 317 fprintf(fd, "PFS-GRP14-"); 318 break; 319 case GROUPXF_3072: 320 fprintf(fd, "PFS-GRP15-"); 321 break; 322 case GROUPXF_4096: 323 fprintf(fd, "PFS-GRP16-"); 324 break; 325 case GROUPXF_6144: 326 fprintf(fd, "PFS-GRP17-"); 327 break; 328 case GROUPXF_8192: 329 fprintf(fd, "PFS-GRP18-"); 330 break; 331 default: 332 warnx("illegal group %s", r->p2xfs->groupxf->name); 333 return (-1); 334 }; 335 } else 336 fprintf(fd, "PFS-"); 337 fprintf(fd, "SUITE force\n"); 338 339 return (0); 340 } 341 342 static int 343 ike_section_p1(struct ipsec_rule *r, FILE *fd) 344 { 345 char *exchange_type; 346 347 switch (r->p1ie) { 348 case IKE_MM: 349 exchange_type = "ID_PROT"; 350 break; 351 case IKE_AM: 352 exchange_type = "AGGRESSIVE"; 353 break; 354 default: 355 warnx("illegal phase 2 ike mode %d", r->p1ie); 356 return (-1); 357 } 358 359 fprintf(fd, SET "[%s]:Configuration=phase1-%s force\n", r->p1name, 360 r->p1name); 361 fprintf(fd, SET "[phase1-%s]:EXCHANGE_TYPE=%s force\n", r->p1name, 362 exchange_type); 363 fprintf(fd, ADD "[phase1-%s]:Transforms=", r->p1name); 364 365 if (r->p1xfs && r->p1xfs->encxf) { 366 switch (r->p1xfs->encxf->id) { 367 case ENCXF_3DES_CBC: 368 fprintf(fd, "3DES"); 369 break; 370 case ENCXF_DES_CBC: 371 fprintf(fd, "DES"); 372 break; 373 case ENCXF_AES: 374 fprintf(fd, "AES"); 375 break; 376 case ENCXF_AES_128: 377 fprintf(fd, "AES-128"); 378 break; 379 case ENCXF_AES_192: 380 fprintf(fd, "AES-192"); 381 break; 382 case ENCXF_AES_256: 383 fprintf(fd, "AES-256"); 384 break; 385 case ENCXF_BLOWFISH: 386 fprintf(fd, "BLF"); 387 break; 388 case ENCXF_CAST128: 389 fprintf(fd, "CAST"); 390 break; 391 default: 392 warnx("illegal transform %s", r->p1xfs->encxf->name); 393 return (-1); 394 } 395 } else 396 fprintf(fd, "AES"); 397 fprintf(fd, "-"); 398 399 if (r->p1xfs && r->p1xfs->authxf) { 400 switch (r->p1xfs->authxf->id) { 401 case AUTHXF_HMAC_MD5: 402 fprintf(fd, "MD5"); 403 break; 404 case AUTHXF_HMAC_SHA1: 405 fprintf(fd, "SHA"); 406 break; 407 case AUTHXF_HMAC_SHA2_256: 408 fprintf(fd, "SHA2-256"); 409 break; 410 case AUTHXF_HMAC_SHA2_384: 411 fprintf(fd, "SHA2-384"); 412 break; 413 case AUTHXF_HMAC_SHA2_512: 414 fprintf(fd, "SHA2-512"); 415 break; 416 default: 417 warnx("illegal transform %s", r->p1xfs->authxf->name); 418 return (-1); 419 } 420 } else 421 fprintf(fd, "SHA"); 422 423 if (r->p1xfs && r->p1xfs->groupxf) { 424 switch (r->p1xfs->groupxf->id) { 425 case GROUPXF_768: 426 fprintf(fd, "-GRP1"); 427 break; 428 case GROUPXF_1024: 429 fprintf(fd, "-GRP2"); 430 break; 431 case GROUPXF_1536: 432 fprintf(fd, "-GRP5"); 433 break; 434 case GROUPXF_2048: 435 fprintf(fd, "-GRP14"); 436 break; 437 case GROUPXF_3072: 438 fprintf(fd, "-GRP15"); 439 break; 440 case GROUPXF_4096: 441 fprintf(fd, "-GRP16"); 442 break; 443 case GROUPXF_6144: 444 fprintf(fd, "-GRP17"); 445 break; 446 case GROUPXF_8192: 447 fprintf(fd, "-GRP18"); 448 break; 449 default: 450 warnx("illegal group %s", r->p1xfs->groupxf->name); 451 return (-1); 452 }; 453 } 454 455 if (r->ikeauth->type == IKE_AUTH_RSA) 456 fprintf(fd, "-RSA_SIG"); 457 fprintf(fd, " force\n"); 458 459 return (0); 460 } 461 462 static void 463 ike_section_p2ids_net(struct ipsec_addr *iamask, sa_family_t af, char *name, 464 char *p2xid, FILE *fd) 465 { 466 char mask[NI_MAXHOST], *network, *p; 467 struct sockaddr_storage sas; 468 struct sockaddr *sa = (struct sockaddr *)&sas; 469 470 bzero(&sas, sizeof(struct sockaddr_storage)); 471 bzero(mask, sizeof(mask)); 472 sa->sa_family = af; 473 switch (af) { 474 case AF_INET: 475 sa->sa_len = sizeof(struct sockaddr_in); 476 bcopy(&iamask->ipa, 477 &((struct sockaddr_in *)(sa))->sin_addr, 478 sizeof(struct in6_addr)); 479 break; 480 case AF_INET6: 481 sa->sa_len = sizeof(struct sockaddr_in6); 482 bcopy(&iamask->ipa, 483 &((struct sockaddr_in6 *)(sa))->sin6_addr, 484 sizeof(struct in6_addr)); 485 break; 486 } 487 if (getnameinfo(sa, sa->sa_len, mask, sizeof(mask), NULL, 0, 488 NI_NUMERICHOST)) 489 errx(1, "could not get a numeric mask"); 490 491 if ((network = strdup(name)) == NULL) 492 err(1, "ike_section_p2ids: strdup"); 493 if ((p = strrchr(network, '/')) != NULL) 494 *p = '\0'; 495 496 fprintf(fd, SET "[%s]:ID-type=IPV%d_ADDR_SUBNET force\n", 497 p2xid, ((af == AF_INET) ? 4 : 6)); 498 fprintf(fd, SET "[%s]:Network=%s force\n", p2xid, network); 499 fprintf(fd, SET "[%s]:Netmask=%s force\n", p2xid, mask); 500 501 free(network); 502 } 503 504 static void 505 ike_section_p2ids(struct ipsec_rule *r, FILE *fd) 506 { 507 char *p; 508 struct ipsec_addr_wrap *src = r->src; 509 struct ipsec_addr_wrap *dst = r->dst; 510 511 if (src->netaddress) { 512 ike_section_p2ids_net(&src->mask, src->af, src->name, 513 r->p2lid, fd); 514 } else { 515 fprintf(fd, SET "[%s]:ID-type=IPV%d_ADDR force\n", 516 r->p2lid, ((src->af == AF_INET) ? 4 : 6)); 517 if ((p = strrchr(src->name, '/')) != NULL) 518 *p = '\0'; 519 fprintf(fd, SET "[%s]:Address=%s force\n", r->p2lid, 520 src->name); 521 } 522 523 if (src->srcnat && src->srcnat->netaddress) { 524 ike_section_p2ids_net(&src->srcnat->mask, src->af, src->srcnat->name, 525 r->p2nid, fd); 526 } else if (src->srcnat) { 527 fprintf(fd, SET "[%s]:ID-type=IPV%d_ADDR force\n", 528 r->p2nid, ((src->af == AF_INET) ? 4 : 6)); 529 if ((p = strrchr(src->srcnat->name, '/')) != NULL) 530 *p = '\0'; 531 fprintf(fd, SET "[%s]:Address=%s force\n", r->p2nid, 532 src->srcnat->name); 533 } 534 535 if (dst->netaddress) { 536 ike_section_p2ids_net(&dst->mask, dst->af, dst->name, 537 r->p2rid, fd); 538 } else { 539 fprintf(fd, SET "[%s]:ID-type=IPV%d_ADDR force\n", 540 r->p2rid, ((dst->af == AF_INET) ? 4 : 6)); 541 if ((p = strrchr(dst->name, '/')) != NULL) 542 *p = '\0'; 543 fprintf(fd, SET "[%s]:Address=%s force\n", r->p2rid, 544 dst->name); 545 } 546 if (r->proto) { 547 fprintf(fd, SET "[%s]:Protocol=%d force\n", 548 r->p2lid, r->proto); 549 fprintf(fd, SET "[%s]:Protocol=%d force\n", 550 r->p2rid, r->proto); 551 } 552 if (r->sport) 553 fprintf(fd, SET "[%s]:Port=%d force\n", r->p2lid, 554 ntohs(r->sport)); 555 if (r->dport) 556 fprintf(fd, SET "[%s]:Port=%d force\n", r->p2rid, 557 ntohs(r->dport)); 558 } 559 560 static int 561 ike_connect(struct ipsec_rule *r, FILE *fd) 562 { 563 switch (r->ikemode) { 564 case IKE_ACTIVE: 565 case IKE_DYNAMIC: 566 fprintf(fd, ADD "[Phase 2]:Connections=%s\n", r->p2name); 567 break; 568 case IKE_PASSIVE: 569 fprintf(fd, ADD "[Phase 2]:Passive-Connections=%s\n", 570 r->p2name); 571 break; 572 default: 573 return (-1); 574 } 575 return (0); 576 } 577 578 static int 579 ike_gen_config(struct ipsec_rule *r, FILE *fd) 580 { 581 ike_setup_ids(r); 582 ike_section_general(r, fd); 583 ike_section_peer(r, fd); 584 if (ike_section_p1(r, fd) == -1) { 585 return (-1); 586 } 587 ike_section_ids(r, fd); 588 ike_section_ipsec(r, fd); 589 if (ike_section_p2(r, fd) == -1) { 590 return (-1); 591 } 592 ike_section_p2ids(r, fd); 593 594 if (ike_connect(r, fd) == -1) 595 return (-1); 596 return (0); 597 } 598 599 static int 600 ike_delete_config(struct ipsec_rule *r, FILE *fd) 601 { 602 ike_setup_ids(r); 603 #if 0 604 switch (r->ikemode) { 605 case IKE_ACTIVE: 606 case IKE_DYNAMIC: 607 fprintf(fd, "t %s\n", r->p2name); 608 break; 609 case IKE_PASSIVE: 610 fprintf(fd, DELETE "[Phase 2]\n"); 611 fprintf(fd, "t %s\n", r->p2name); 612 break; 613 default: 614 return (-1); 615 } 616 617 if (r->peer) { 618 fprintf(fd, DELETE "[%s]\n", r->p1name); 619 fprintf(fd, DELETE "[phase1-%s]\n", r->p1name); 620 } 621 if (r->auth) { 622 if (r->auth->srcid) 623 fprintf(fd, DELETE "[%s-ID]\n", r->auth->srcid); 624 if (r->auth->dstid) 625 fprintf(fd, DELETE "[%s-ID]\n", r->auth->dstid); 626 } 627 fprintf(fd, DELETE "[%s]\n", r->p2name); 628 fprintf(fd, DELETE "[phase2-%s]\n", r->p2name); 629 fprintf(fd, DELETE "[%s]\n", r->p2lid); 630 fprintf(fd, DELETE "[%s]\n", r->p2rid); 631 #else 632 fprintf(fd, "t %s\n", r->p2name); 633 switch (r->ikemode) { 634 case IKE_ACTIVE: 635 case IKE_DYNAMIC: 636 fprintf(fd, RMV "[Phase 2]:Connections=%s\n", r->p2name); 637 break; 638 case IKE_PASSIVE: 639 fprintf(fd, RMV "[Phase 2]:Passive-Connections=%s\n", 640 r->p2name); 641 break; 642 default: 643 return (-1); 644 } 645 fprintf(fd, DELETE "[%s]\n", r->p2name); 646 fprintf(fd, DELETE "[phase2-%s]\n", r->p2name); 647 #endif 648 649 return (0); 650 } 651 652 static void 653 ike_setup_ids(struct ipsec_rule *r) 654 { 655 char sproto[10], ssport[10], sdport[10]; 656 657 /* phase 1 name is peer and local address */ 658 if (r->peer) { 659 if (r->local) { 660 /* peer-dstaddr-local-srcaddr */ 661 if (asprintf(&r->p1name, "peer-%s-local-%s", 662 r->peer->name, r->local->name) == -1) 663 err(1, "ike_setup_ids"); 664 } else 665 /* peer-dstaddr */ 666 if (asprintf(&r->p1name, "peer-%s", 667 r->peer->name) == -1) 668 err(1, "ike_setup_ids"); 669 } else 670 if ((r->p1name = strdup("peer-default")) == NULL) 671 err(1, "ike_setup_ids"); 672 673 /* Phase 2 name is from and to network, protocol, port*/ 674 sproto[0] = ssport[0] = sdport[0] = 0; 675 if (r->proto) 676 snprintf(sproto, sizeof sproto, "=%u", r->proto); 677 if (r->sport) 678 snprintf(ssport, sizeof ssport, ":%u", ntohs(r->sport)); 679 if (r->dport) 680 snprintf(sdport, sizeof sdport, ":%u", ntohs(r->dport)); 681 /* from-network/masklen=proto:port */ 682 if (asprintf(&r->p2lid, "from-%s%s%s", r->src->name, sproto, ssport) 683 == -1) 684 err(1, "ike_setup_ids"); 685 /* to-network/masklen=proto:port */ 686 if (asprintf(&r->p2rid, "to-%s%s%s", r->dst->name, sproto, sdport) 687 == -1) 688 err(1, "ike_setup_ids"); 689 /* from-network/masklen=proto:port-to-network/masklen=proto:port */ 690 if (asprintf(&r->p2name, "%s-%s", r->p2lid , r->p2rid) == -1) 691 err(1, "ike_setup_ids"); 692 /* nat-network/masklen=proto:port */ 693 if (r->src->srcnat && r->src->srcnat->name) { 694 if (asprintf(&r->p2nid, "nat-%s%s%s", r->src->srcnat->name, sproto, 695 ssport) == -1) 696 err(1, "ike_setup_ids"); 697 } 698 } 699 700 int 701 ike_print_config(struct ipsec_rule *r, int opts) 702 { 703 if (opts & IPSECCTL_OPT_DELETE) 704 return (ike_delete_config(r, stdout)); 705 else 706 return (ike_gen_config(r, stdout)); 707 } 708 709 int 710 ike_ipsec_establish(int action, struct ipsec_rule *r) 711 { 712 struct stat sb; 713 FILE *fdp; 714 int fd, ret = 0; 715 716 if ((fd = open(ISAKMPD_FIFO, O_WRONLY)) == -1) 717 err(1, "ike_ipsec_establish: open(%s)", ISAKMPD_FIFO); 718 if (fstat(fd, &sb) == -1) 719 err(1, "ike_ipsec_establish: fstat(%s)", ISAKMPD_FIFO); 720 if (!S_ISFIFO(sb.st_mode)) 721 errx(1, "ike_ipsec_establish: %s not a fifo", ISAKMPD_FIFO); 722 if ((fdp = fdopen(fd, "w")) == NULL) 723 err(1, "ike_ipsec_establish: fdopen(%s)", ISAKMPD_FIFO); 724 725 switch (action) { 726 case ACTION_ADD: 727 ret = ike_gen_config(r, fdp); 728 break; 729 case ACTION_DELETE: 730 ret = ike_delete_config(r, fdp); 731 break; 732 default: 733 ret = -1; 734 } 735 736 fclose(fdp); 737 return (ret); 738 } 739