authorMark Bryars <mark@darkskiez.co.uk>2012-05-04 22:19:13 +0100
committerMark Bryars <mark@darkskiez.co.uk>2012-05-04 22:19:13 +0100
commite756c7948078bd5109c5b8a0f252851efc4532d6 (patch)
tree39c4c6d660d7c377989e1adc1492ec198cdaa084 /etc
Imported Upstream version 0.13
Diffstat (limited to 'etc')
-rw-r--r--etc/Makefile5
-rwxr-xr-xetc/opennhrp-script38
-rwxr-xr-xetc/opennhrp-script.cert71
-rw-r--r--etc/opennhrp.conf9
-rwxr-xr-xetc/racoon-ph1dead.sh3
-rwxr-xr-xetc/racoon-ph1down.sh6
6 files changed, 132 insertions, 0 deletions
diff --git a/etc/Makefile b/etc/Makefile
new file mode 100644
index 0000000..d9fdd8b
--- /dev/null
+++ b/etc/Makefile
@@ -0,0 +1,5 @@
+ETCFILES := opennhrp.conf opennhrp-script racoon-ph1down.sh racoon-ph1dead.sh
+
+install:
+ $(INSTALLDIR) $(DESTDIR)$(CONFDIR)
+ $(INSTALL) $(addprefix $(src)/,$(ETCFILES)) $(DESTDIR)$(CONFDIR)
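Review bot: Every file in ETCFILES goes through the same `$(INSTALL)` call with no explicit mode, so opennhrp.conf — the file that carries the `cisco-authentication secret` line — ends up with whatever default mode the install tool applies (typically 0755, i.e. world-readable), while only the three scripts actually need an execute bit. Splitting the recipe lets each class get the mode it needs: `$(INSTALL) -m 600 $(src)/opennhrp.conf $(DESTDIR)$(CONFDIR)` and `$(INSTALL) -m 755 $(addprefix $(src)/,opennhrp-script racoon-ph1down.sh racoon-ph1dead.sh) $(DESTDIR)$(CONFDIR)`. `$(INSTALL)` and `$(INSTALLDIR)` are defined outside this file, so if they already pass a mode this is moot. Two smaller points: the recipe unconditionally overwrites a locally edited opennhrp.conf on every `make install`, and `install` is not declared `.PHONY`, so a file named `install` in this directory would silently disable it.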
diff --git a/etc/opennhrp-script b/etc/opennhrp-script
new file mode 100755
index 0000000..8d5e2d3
--- /dev/null
+++ b/etc/opennhrp-script
@@ -0,0 +1,38 @@
+#!/bin/sh
+
+case $1 in
+interface-up)
+ ip route flush proto 42 dev $NHRP_INTERFACE
+ ip neigh flush dev $NHRP_INTERFACE
+ ;;
+peer-register)
+ ;;
+peer-up)
+ if [ -n "$NHRP_DESTMTU" ]; then
+ ARGS=`ip route get $NHRP_DESTNBMA from $NHRP_SRCNBMA | head -1`
+ ip route add $ARGS proto 42 mtu $NHRP_DESTMTU
+ fi
+ echo "Create link from $NHRP_SRCADDR ($NHRP_SRCNBMA) to $NHRP_DESTADDR ($NHRP_DESTNBMA)"
+ racoonctl establish-sa -w isakmp inet $NHRP_SRCNBMA $NHRP_DESTNBMA || exit 1
+ racoonctl establish-sa -w esp inet $NHRP_SRCNBMA $NHRP_DESTNBMA gre || exit 1
+ ;;
+peer-down)
+ echo "Delete link from $NHRP_SRCADDR ($NHRP_SRCNBMA) to $NHRP_DESTADDR ($NHRP_DESTNBMA)"
+ if [ "$NHRP_PEER_DOWN_REASON" != "lower-down" ]; then
+ racoonctl delete-sa isakmp inet $NHRP_SRCNBMA $NHRP_DESTNBMA
+ fi
+ ip route del $NHRP_DESTNBMA src $NHRP_SRCNBMA proto 42
+ ;;
+route-up)
+ echo "Route $NHRP_DESTADDR/$NHRP_DESTPREFIX is up"
+ ip route replace $NHRP_DESTADDR/$NHRP_DESTPREFIX proto 42 via $NHRP_NEXTHOP dev $NHRP_INTERFACE
+ ip route flush cache
+ ;;
+route-down)
+ echo "Route $NHRP_DESTADDR/$NHRP_DESTPREFIX is down"
+ ip route del $NHRP_DESTADDR/$NHRP_DESTPREFIX proto 42
+ ip route flush cache
+ ;;
+esac
+
+exit 0
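Review bot: All the NHRP_* values are expanded unquoted into `ip` and `racoonctl` command lines (`$NHRP_INTERFACE`, `$NHRP_DESTNBMA`, `$NHRP_NEXTHOP`, …); they are handed to the script by opennhrp from addresses it learned from peers, so the script should not rely on each being a single well-formed word — quote them, e.g. `ip neigh flush dev "$NHRP_INTERFACE"` and `racoonctl establish-sa -w isakmp inet "$NHRP_SRCNBMA" "$NHRP_DESTNBMA" || exit 1`. The one deliberate exception is `$ARGS` in peer-up, which must stay unquoted so the `ip route get` line splits into words; that line deserves a comment such as `# assumes the first line of 'ip route get' is '<dst> via <gw> dev <if> src <src>' with no trailing tokens — TODO confirm for the iproute2 in use`, because iproute2 versions that append extra words to that line would make the `ip route add` fail. Minor: peer-down runs `ip route del $NHRP_DESTNBMA …` unconditionally although the route is only added when NHRP_DESTMTU is set, so it logs a harmless error in the common case; mirroring the `[ -n "$NHRP_DESTMTU" ]` guard there keeps the logs clean.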
diff --git a/etc/opennhrp-script.cert b/etc/opennhrp-script.cert
new file mode 100755
index 0000000..d013511
--- /dev/null
+++ b/etc/opennhrp-script.cert
@@ -0,0 +1,71 @@
+#!/bin/sh
+#
+# This version of the script check the X509 certificate used to authenticate
+# the IPsec connection. It parses a special format subject field, and verifies
+# the claimed GRE is bound to that certificate, before allowing NHRP
+# registration or direct tunnel to succeed.
+#
+# It also reconfigure BGP filters according to certificate contents. This is
+# only useful for hub nodes.
+#
+# Example of certificate:
+# subjectAltName: DirName:/OU=GRE=192.168.1.1/NET=10.1.0.0/16
+
+case $1 in
+interface-up)
+ ip route flush proto 42 dev $NHRP_INTERFACE
+ ip neigh flush dev $NHRP_INTERFACE
+ ;;
+peer-register)
+ (
+ flock -x 200
+
+ CERT=`racoonctl get-cert inet $NHRP_SRCNBMA $NHRP_DESTNBMA | openssl x509 -inform der -text -noout | egrep -o "/OU=[^/]*(/[0-9]+)?" | cut -b 5-`
+ if [ -z "`echo "$CERT" | grep "^GRE=$NHRP_DESTADDR"`" ]; then
+ echo "ERROR: IP $NHRP_DESTADDR at $NHRP_DESTNBMA NOT verified"
+ exit 1
+ fi
+
+ AS=`echo "$CERT" | grep "^AS=" | cut -b 4-`
+ vtysh -d bgpd -c "configure terminal" \
+ -c "router bgp $MY_AS" \
+ -c "neighbor $NHRP_DESTADDR remote-as $AS" \
+ -c "neighbor $NHRP_DESTADDR peer-group leaf" \
+ -c "neighbor $NHRP_DESTADDR prefix-list net-$AS-in in"
+
+ SEQ=5
+ (echo "$CERT" | grep "^NET=" | cut -b 5-) | while read NET; do
+ vtysh -d bgpd -c "configure terminal" \
+ -c "ip prefix-list net-$AS-in seq $SEQ permit $NET"
+ SEQ=$(($SEQ+5)
+ done
+ ) 200>/var/lock/opennhrp-script.lock
+ ;;
+peer-up)
+ echo "Create link from $NHRP_SRCADDR ($NHRP_SRCNBMA) to $NHRP_DESTADDR ($NHRP_DESTNBMA)"
+ racoonctl establish-sa -w isakmp inet $NHRP_SRCNBMA $NHRP_DESTNBMA || exit 1
+ racoonctl establish-sa -w esp inet $NHRP_SRCNBMA $NHRP_DESTNBMA gre || exit 1
+
+ CERT=`racoonctl get-cert inet $NHRP_SRCNBMA $NHRP_DESTNBMA | openssl x509 -inform der -text -noout | egrep -o "/OU=[^/]*(/[0-9]+)?" | cut -b 5-`
+ if [ -z "`echo "$CERT" | grep "^GRE=$NHRP_DESTADDR"`" ]; then
+ echo "ERROR: IP $NHRP_DESTADDR at $NHRP_DESTNBMA NOT verified"
+ exit 1
+ fi
+ ;;
+peer-down)
+ echo "Delete link from $NHRP_SRCADDR ($NHRP_SRCNBMA) to $NHRP_DESTADDR ($NHRP_DESTNBMA)"
+ racoonctl delete-sa isakmp inet $NHRP_SRCNBMA $NHRP_DESTNBMA
+ ;;
+route-up)
+ echo "Route $NHRP_DESTADDR/$NHRP_DESTPREFIX is up"
+ ip route replace $NHRP_DESTADDR/$NHRP_DESTPREFIX proto 42 via $NHRP_NEXTHOP dev $NHRP_INTERFACE
+ ip route flush cache
+ ;;
+route-down)
+ echo "Route $NHRP_DESTADDR/$NHRP_DESTPREFIX is down"
+ ip route del $NHRP_DESTADDR/$NHRP_DESTPREFIX proto 42
+ ip route flush cache
+ ;;
+esac
+
+exit 0
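Review bot: The verification failure in peer-register never reaches opennhrp: the `exit 1` on the "NOT verified" path only leaves the `( … ) 200>/var/lock/…` subshell, whose exit status is discarded, and the script then falls through to the final `exit 0` — so if the daemon gates registration on the script's status (peer-up evidently assumes it does, with its `|| exit 1`), a peer whose certificate does not carry its GRE address is still registered; `) 200>/var/lock/opennhrp-script.lock || exit 1` closes that. The check itself is also looser than intended: `grep "^GRE=$NHRP_DESTADDR"` has no end anchor and treats the address as a regex, so a claim of 10.1.1.1 is satisfied by a certificate bound to `GRE=10.1.1.10`; `grep -qFx "GRE=$NHRP_DESTADDR"` is the exact-line match wanted, in both peer-register and peer-up. `SEQ=$(($SEQ+5)` is unbalanced and, as far as I can tell, makes sh reject the whole script as shipped. Finally `$AS` is lifted from the certificate and interpolated into vtysh commands without checking it is a non-empty number, which leaves bgpd with half-applied `remote-as` and prefix-list names like `net--in` when the attribute is missing; `$MY_AS` is not set in this file and is presumably exported by the caller.
```shell
peer-register)
	(
	flock -x 200

	# … unchanged: CERT extraction via racoonctl get-cert / openssl …
	# -F -x: the claimed GRE address must equal a whole OU line, not merely prefix-match it
	if ! echo "$CERT" | grep -qFx "GRE=$NHRP_DESTADDR"; then
		echo "ERROR: IP $NHRP_DESTADDR at $NHRP_DESTNBMA NOT verified"
		exit 1
	fi

	AS=`echo "$CERT" | grep "^AS=" | cut -b 4-`
	# only a non-empty, all-digit AS from the certificate may reach bgpd
	case "$AS" in
	''|*[!0-9]*)
		echo "ERROR: no usable AS= attribute in certificate for $NHRP_DESTADDR"
		exit 1
		;;
	esac
	# … unchanged: vtysh neighbor configuration …
	SEQ=5
	(echo "$CERT" | grep "^NET=" | cut -b 5-) | while read NET; do
		# … unchanged: vtysh prefix-list entry …
		SEQ=$(($SEQ+5))
	done
	# without this the subshell's failure is dropped and the script exits 0
	) 200>/var/lock/opennhrp-script.lock || exit 1
	;;
```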
diff --git a/etc/opennhrp.conf b/etc/opennhrp.conf
new file mode 100644
index 0000000..6451cb0
--- /dev/null
+++ b/etc/opennhrp.conf
@@ -0,0 +1,9 @@
+interface gre1
+ map 10.255.255.1/24 192.168.200.1 register
+ cisco-authentication secret
+ shortcut
+ redirect
+ non-caching
+
+interface lo
+ shortcut-destination
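Review bot: This file is installed as live configuration by etc/Makefile (it is listed in ETCFILES), yet it ships with the placeholder shared key `cisco-authentication secret` and a hard-coded `map 10.255.255.1/24 192.168.200.1 register` to an example hub, with nothing marking either as a value to replace. A header comment would stop an unedited copy being run in earnest: `# Example configuration: replace the hub mapping and the cisco-authentication key before use.` followed by `# The key is a shared secret; keep this file readable by root only.` Whether opennhrp treats an unedited key as an error is not visible here, so the comment is the minimum; shipping the file as opennhrp.conf.example instead would be the stronger fix.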
diff --git a/etc/racoon-ph1dead.sh b/etc/racoon-ph1dead.sh
new file mode 100755
index 0000000..942e4c2
--- /dev/null
+++ b/etc/racoon-ph1dead.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+opennhrpctl cache lowerdown nbma $REMOTE_ADDR local-nbma $LOCAL_ADDR
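Review bot: `$REMOTE_ADDR` and `$LOCAL_ADDR` are passed to opennhrpctl unquoted and without checking that they are set, so if racoon ever invokes this hook with either empty the command degrades to `opennhrpctl cache lowerdown nbma local-nbma <addr>` with shifted arguments instead of failing cleanly. Guard and quote: `[ -n "$REMOTE_ADDR" ] && [ -n "$LOCAL_ADDR" ] || exit 1` followed by `opennhrpctl cache lowerdown nbma "$REMOTE_ADDR" local-nbma "$LOCAL_ADDR"`. Whether racoon guarantees both variables on this hook is not something the diff shows.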
diff --git a/etc/racoon-ph1down.sh b/etc/racoon-ph1down.sh
new file mode 100755
index 0000000..c98d985
--- /dev/null
+++ b/etc/racoon-ph1down.sh
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+# Purge opennhrp entries only if this was the last ISAKMP phase1
+if [ -z "`racoonctl -ll show-sa isakmp | grep "$LOCAL_ADDR\.[0-9]* * $REMOTE_ADDR\.[0-9]* "`" ]; then
+ opennhrpctl cache purge nbma $REMOTE_ADDR local-nbma $LOCAL_ADDR
+fi
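Review bot: The `show-sa` match is unanchored and the dots in `$LOCAL_ADDR` / `$REMOTE_ADDR` are live regex metacharacters, so with LOCAL_ADDR=10.1.1.1 a surviving phase-1 whose line contains `110.1.1.1.500` also counts as "still up" and the NHRP cache for this peer is never purged. Escaping the dots and requiring the local address to start at the line beginning or after a non-address character fixes that without assuming a column layout the diff does not show; `grep -q` also reads better than the `[ -z "`…`" ]` capture. Note the purge also runs when `racoonctl` itself fails, since its output is then empty — that is the safe direction, but worth a comment: `# an empty or failed racoonctl listing counts as "no SA left" and purges`.
```shell
# escape the dots so the addresses match literally, not as regex wildcards
L=$(printf '%s' "$LOCAL_ADDR" | sed 's/\./\\./g')
R=$(printf '%s' "$REMOTE_ADDR" | sed 's/\./\\./g')
# an empty or failed racoonctl listing counts as "no SA left" and purges
if ! racoonctl -ll show-sa isakmp | grep -qE "(^|[^0-9.])$L\.[0-9]* +$R\.[0-9]* "; then
	opennhrpctl cache purge nbma "$REMOTE_ADDR" local-nbma "$LOCAL_ADDR"
fi
```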