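#! /bin/bash
# SPDX-License-Identifier: BSD-3-Clause
#
# Configuration definitions for the ipsec-secgw test harness, using the
# aesni_mb crypto vdev. Sourced by the test runner; it provides two
# functions that write an ipsec-secgw configuration file.
#
# Environment read by this file:
#   CRYPTO_DEV        - EAL crypto vdev argument (defaults below)
#   SGW_CFG_FILE      - path of the config file to (over)write; required
#   LOCAL_IPV4/REMOTE_IPV4, LOCAL_IPV6/REMOTE_IPV6
#                     - tunnel endpoint addresses
#   LOCAL_MAC/REMOTE_MAC
#                     - neighbour MAC addresses for port 1 / port 0
#   SGW_CFG_XPRM_IN/SGW_CFG_XPRM_OUT
#                     - extra SA parameters appended by config_secgw only
#
# Key material: every SA below uses the same constant de:ad:be:ef... cipher
# and auth keys. They are fixed test vectors for this harness, not secrets.

CRYPTO_DEV=${CRYPTO_DEV:-'--vdev="crypto_aesni_mb0"'}

#######################################
# Generate the cfg file for ipsec-secgw: IPv4 traffic is protected by
# SA 7 (ipv4-tunnel) and IPv6 traffic by SA 9 (ipv6-tunnel).
# Globals:   SGW_CFG_FILE (written), address/MAC/XPRM variables (read)
# Outputs:   echoes the generated file to stdout
# Returns:   non-zero (and exits a non-interactive shell) when
#            SGW_CFG_FILE is unset or empty
#######################################
config_secgw()
{
	# Without this guard an empty target gives "ambiguous redirect" and the
	# trailing cat would then block on stdin.
	: "${SGW_CFG_FILE:?SGW_CFG_FILE must name the ipsec-secgw config file}"
	# The here-doc is unquoted, so the ${...} references are expanded and
	# each "\<newline>" pair is removed: every rule is emitted on one line.
	cat <<EOF > "${SGW_CFG_FILE}"
#sp in IPv4 rules
sp ipv4 in esp protect 7 pri 2 src ${REMOTE_IPV4}/32 dst ${LOCAL_IPV4}/32 \
sport 0:65535 dport 0:65535
sp ipv4 in esp bypass pri 1 sport 0:65535 dport 0:65535

#SP out IPv4 rules
sp ipv4 out esp protect 7 pri 2 src ${LOCAL_IPV4}/32 dst ${REMOTE_IPV4}/32 \
sport 0:65535 dport 0:65535
sp ipv4 out esp bypass pri 1 sport 0:65535 dport 0:65535

#sp in IPv6 rules
sp ipv6 in esp protect 9 pri 2 src ${REMOTE_IPV6}/128 dst ${LOCAL_IPV6}/128 \
sport 0:65535 dport 0:65535
sp ipv6 in esp bypass pri 1 sport 0:65535 dport 0:65535

#SP out IPv6 rules
sp ipv6 out esp protect 9 pri 2 src ${LOCAL_IPV6}/128 dst ${REMOTE_IPV6}/128 \
sport 0:65535 dport 0:65535
sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535

#SA in rules
sa in 7 cipher_algo aes-128-cbc \
cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
auth_algo sha1-hmac \
auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
mode ipv4-tunnel src ${REMOTE_IPV4} dst ${LOCAL_IPV4} ${SGW_CFG_XPRM_IN}

sa in 9 cipher_algo aes-128-cbc \
cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
auth_algo sha1-hmac \
auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
mode ipv6-tunnel src ${REMOTE_IPV6} dst ${LOCAL_IPV6} ${SGW_CFG_XPRM_IN}

#SA out rules
sa out 7 cipher_algo aes-128-cbc \
cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
auth_algo sha1-hmac \
auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
mode ipv4-tunnel src ${LOCAL_IPV4} dst ${REMOTE_IPV4} ${SGW_CFG_XPRM_OUT}

sa out 9 cipher_algo aes-128-cbc \
cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
auth_algo sha1-hmac \
auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
mode ipv6-tunnel src ${LOCAL_IPV6} dst ${REMOTE_IPV6} ${SGW_CFG_XPRM_OUT}

#Routing rules
rt ipv4 dst ${REMOTE_IPV4}/32 port 0
rt ipv4 dst ${LOCAL_IPV4}/32 port 1

rt ipv6 dst ${REMOTE_IPV6}/128 port 0
rt ipv6 dst ${LOCAL_IPV6}/128 port 1

#neighbours
neigh port 0 ${REMOTE_MAC}
neigh port 1 ${LOCAL_MAC}
EOF

	cat -- "${SGW_CFG_FILE}"
}

#######################################
# Generate the "mixed" cfg file for ipsec-secgw: the IPv4 SP rules point
# at SA 6, which is an ipv6-tunnel SA, and the IPv6 SP rules at SA 8,
# which is an ipv4-tunnel SA. No SGW_CFG_XPRM_* parameters are appended.
# Globals:   SGW_CFG_FILE (written), address/MAC variables (read)
# Outputs:   echoes the generated file to stdout
# Returns:   non-zero (and exits a non-interactive shell) when
#            SGW_CFG_FILE is unset or empty
#######################################
config_secgw_mixed()
{
	: "${SGW_CFG_FILE:?SGW_CFG_FILE must name the ipsec-secgw config file}"
	# Unquoted here-doc: variables expand and "\<newline>" joins lines.
	cat <<EOF > "${SGW_CFG_FILE}"
#sp in IPv4 rules
sp ipv4 in esp protect 6 pri 2 src ${REMOTE_IPV4}/32 dst ${LOCAL_IPV4}/32 \
sport 0:65535 dport 0:65535
sp ipv4 in esp bypass pri 1 sport 0:65535 dport 0:65535

#SP out IPv4 rules
sp ipv4 out esp protect 6 pri 2 src ${LOCAL_IPV4}/32 dst ${REMOTE_IPV4}/32 \
sport 0:65535 dport 0:65535
sp ipv4 out esp bypass pri 1 sport 0:65535 dport 0:65535

#sp in IPv6 rules
sp ipv6 in esp protect 8 pri 2 src ${REMOTE_IPV6}/128 dst ${LOCAL_IPV6}/128 \
sport 0:65535 dport 0:65535
sp ipv6 in esp bypass pri 1 sport 0:65535 dport 0:65535

#SP out IPv6 rules
sp ipv6 out esp protect 8 pri 2 src ${LOCAL_IPV6}/128 dst ${REMOTE_IPV6}/128 \
sport 0:65535 dport 0:65535
sp ipv6 out esp bypass pri 1 sport 0:65535 dport 0:65535

#SA in rules
sa in 8 cipher_algo aes-128-cbc \
cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
auth_algo sha1-hmac \
auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
mode ipv4-tunnel src ${REMOTE_IPV4} dst ${LOCAL_IPV4}

sa in 6 cipher_algo aes-128-cbc \
cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
auth_algo sha1-hmac \
auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
mode ipv6-tunnel src ${REMOTE_IPV6} dst ${LOCAL_IPV6}

#SA out rules
sa out 8 cipher_algo aes-128-cbc \
cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
auth_algo sha1-hmac \
auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
mode ipv4-tunnel src ${LOCAL_IPV4} dst ${REMOTE_IPV4}

sa out 6 cipher_algo aes-128-cbc \
cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
auth_algo sha1-hmac \
auth_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
mode ipv6-tunnel src ${LOCAL_IPV6} dst ${REMOTE_IPV6}

#Routing rules
rt ipv4 dst ${REMOTE_IPV4}/32 port 0
rt ipv4 dst ${LOCAL_IPV4}/32 port 1

rt ipv6 dst ${REMOTE_IPV6}/128 port 0
rt ipv6 dst ${LOCAL_IPV6}/128 port 1

#neighbours
neigh port 0 ${REMOTE_MAC}
neigh port 1 ${LOCAL_MAC}
EOF

	cat -- "${SGW_CFG_FILE}"
}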