cloud-foundation-fabric/docker-images/strongswan/ipsec-vti.sh


#!/bin/bash
# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# originally published at
# https://cloud.google.com/community/tutorials/using-cloud-vpn-with-strongswan
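set -o nounset
set -o errexit
set -o pipefail

# Print a diagnostic to stderr and exit non-zero so strongSwan records the
# updown failure instead of silently continuing with a half-configured VTI.
die() {
  printf 'ipsec-vti: %s\n' "$*" >&2
  exit 1
}

# strongSwan invokes this script as the leftupdown hook, e.g.
#   leftupdown="/path/ipsec-vti.sh <tunnel-id> <vti-remote-addr> <vti-local-addr>"
# and supplies the PLUTO_* variables in the environment. Check the positional
# arguments up front so a misconfigured conn fails with a readable message
# rather than an "unbound variable" error from nounset.
(( $# >= 3 )) || die "usage: ${0##*/} <tunnel-id> <vti-remote-addr> <vti-local-addr>"

# Resolve ip(8) once. command -v is the portable lookup; fail early if absent.
IP=$(command -v ip) || die "ip(8) not found in PATH"
readonly IP

# PLUTO_MARK_OUT / PLUTO_MARK_IN arrive as "<mark>/<mask>"; only the mark part
# is used as the VTI okey/ikey. Parameter expansion extracts it without the
# word-splitting an unquoted array assignment would rely on.
VTI_OKEY=${PLUTO_MARK_OUT%%/*}
VTI_IKEY=${PLUTO_MARK_IN%%/*}
[[ -n "${VTI_OKEY}" && -n "${VTI_IKEY}" ]] || die "PLUTO_MARK_OUT/PLUTO_MARK_IN must be set (mark/mask)"

VTI_TUNNEL_ID=${1}
VTI_REMOTE=${2}
VTI_LOCAL=${3}
LOCAL_IF="${PLUTO_INTERFACE}"
VTI_IF="vti${VTI_TUNNEL_ID}"
# GCP's MTU is 1460
readonly GCP_MTU="1460"
# ipsec overhead is 73 bytes, we need to compute new mtu.
VTI_MTU=$((GCP_MTU-73))

# sudo is a no-op when strongSwan runs the hook as root (the usual case) and is
# kept for setups where the daemon has dropped privileges. Every expansion is
# quoted: the values come from the conn configuration and the peer negotiation,
# so they must never be subject to word-splitting or globbing.
case "${PLUTO_VERB}" in
  up-client)
    sudo "${IP}" link add "${VTI_IF}" type vti \
      local "${PLUTO_ME}" remote "${PLUTO_PEER}" \
      okey "${VTI_OKEY}" ikey "${VTI_IKEY}"
    sudo "${IP}" addr add "${VTI_LOCAL}" remote "${VTI_REMOTE}" dev "${VTI_IF}"
    sudo "${IP}" link set "${VTI_IF}" up mtu "${VTI_MTU}"
    # Disable IPsec policy checks on the VTI: traffic is selected by routing
    # it onto the interface (see the route added below), not by the SPD.
    sudo /sbin/sysctl -w "net.ipv4.conf.${VTI_IF}.disable_policy=1"
    # Prefer loose reverse-path validation (rp_filter=2) so asymmetrically
    # routed return traffic over the tunnel is not dropped; only if the kernel
    # rejects loose mode fall back to disabling validation (rp_filter=0), which
    # removes the anti-spoofing check on this interface entirely. Both attempts
    # need the same privileges, hence sudo on the fallback as well.
    sudo /sbin/sysctl -w "net.ipv4.conf.${VTI_IF}.rp_filter=2" \
      || sudo /sbin/sysctl -w "net.ipv4.conf.${VTI_IF}.rp_filter=0"
    # If you want to use the VTI for policy-based traffic you have to take care
    # of routing yourself (e.g. with a dedicated routing table). For a specific
    # remote traffic selector, route it over the VTI; a 0.0.0.0/0 selector is
    # deliberately not installed so the host's default route is left alone.
    if [[ "${PLUTO_PEER_CLIENT}" != "0.0.0.0/0" ]]; then
      sudo "${IP}" route add "${PLUTO_PEER_CLIENT}" dev "${VTI_IF}"
    fi
    ;;
  down-client)
    # Deleting the device also drops the route(s) bound to it.
    sudo "${IP}" tunnel del "${VTI_IF}"
    ;;
  *)
    # Other PLUTO_VERB values (up-host, down-host, ...) need no VTI handling.
    ;;
esac

# The sysctls below apply on every invocation, regardless of PLUTO_VERB.
# Enable IPv4 forwarding so traffic from the local network can transit the tunnel.
sudo /sbin/sysctl -w net.ipv4.ip_forward=1
# Disable IPsec transformation and policy lookup on the local (non-tunnel)
# interface; encryption only happens on the VTI.
# NOTE: if LOCAL_IF contains a dot (e.g. a VLAN sub-interface such as eth0.100)
# the dotted sysctl key is ambiguous; use the slash-separated form
# "net/ipv4/conf/${LOCAL_IF}/..." in that case.
sudo /sbin/sysctl -w "net.ipv4.conf.${LOCAL_IF}.disable_xfrm=1"
sudo /sbin/sysctl -w "net.ipv4.conf.${LOCAL_IF}.disable_policy=1"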