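#!/bin/bash
# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# originally published at
# https://cloud.google.com/community/tutorials/using-cloud-vpn-with-strongswan
#
# strongSwan updown helper: creates or removes a VTI (virtual tunnel
# interface) for a Cloud VPN tunnel when the IKE daemon reports the
# tunnel coming up or going down.
#
# Usage (from the strongSwan updown/leftupdown setting):
#   <this script> <tunnel-id> <vti-remote-addr> <vti-local-addr>
#
# Environment, supplied by strongSwan: PLUTO_VERB, PLUTO_INTERFACE,
# PLUTO_ME, PLUTO_PEER, PLUTO_PEER_CLIENT, PLUTO_MARK_OUT, PLUTO_MARK_IN.
# PLUTO_PEER and PLUTO_PEER_CLIENT reflect what was negotiated with the
# remote side, so every expansion below is quoted: a value containing
# whitespace or glob characters must stay a single argument to ip(8) and
# sysctl(8) rather than being split into extra ones.

set -o nounset
set -o errexit
set -o pipefail

# Locate ip(8); under errexit a missing binary aborts the script here.
IP=$(command -v ip) || { printf '%s\n' "ip(8) not found in PATH" >&2; exit 1; }

# PLUTO_MARK_OUT / PLUTO_MARK_IN are "<mark>/<mask>"; only the mark part is
# passed to ip as okey/ikey, so strip everything from the first '/' on.
VTI_OKEY=${PLUTO_MARK_OUT%%/*}
VTI_IKEY=${PLUTO_MARK_IN%%/*}
: "${VTI_OKEY:?PLUTO_MARK_OUT is empty; a mark is required for the VTI}"
: "${VTI_IKEY:?PLUTO_MARK_IN is empty; a mark is required for the VTI}"

# Positional arguments come from the strongSwan configuration, not from
# the peer.  ':?' gives a usable error instead of a bare nounset failure.
VTI_TUNNEL_ID=${1:?usage: $0 <tunnel-id> <vti-remote-addr> <vti-local-addr>}
VTI_REMOTE=${2:?usage: $0 <tunnel-id> <vti-remote-addr> <vti-local-addr>}
VTI_LOCAL=${3:?usage: $0 <tunnel-id> <vti-remote-addr> <vti-local-addr>}

LOCAL_IF=${PLUTO_INTERFACE}
VTI_IF="vti${VTI_TUNNEL_ID}"

# GCP's MTU is 1460; the IPsec encapsulation overhead is 73 bytes, so the
# tunnel interface gets the difference.
readonly GCP_MTU=1460
readonly IPSEC_OVERHEAD=73
VTI_MTU=$((GCP_MTU - IPSEC_OVERHEAD))

#######################################
# Create and configure the VTI for a tunnel that just came up.
# Globals:   IP, VTI_IF, VTI_LOCAL, VTI_REMOTE, VTI_MTU, VTI_OKEY, VTI_IKEY,
#            PLUTO_ME, PLUTO_PEER, PLUTO_PEER_CLIENT (all read)
# Returns:   0 on success; under errexit any failing ip/sysctl aborts
#            the script (e.g. when the interface already exists).
#######################################
vti_up() {
  sudo "${IP}" link add "${VTI_IF}" type vti \
    local "${PLUTO_ME}" remote "${PLUTO_PEER}" \
    okey "${VTI_OKEY}" ikey "${VTI_IKEY}"
  sudo "${IP}" addr add "${VTI_LOCAL}" remote "${VTI_REMOTE}" dev "${VTI_IF}"
  sudo "${IP}" link set "${VTI_IF}" up mtu "${VTI_MTU}"

  # Disable IPsec policy lookups on the VTI itself.
  sudo /sbin/sysctl -w "net.ipv4.conf.${VTI_IF}.disable_policy=1"

  # Enable loose reverse-path validation if possible; otherwise disable
  # validation.  The fallback also runs under sudo (the original did not,
  # so it could fail for the wrong reason when the script is not root).
  sudo /sbin/sysctl -w "net.ipv4.conf.${VTI_IF}.rp_filter=2" \
    || sudo /sbin/sysctl -w "net.ipv4.conf.${VTI_IF}.rp_filter=0"

  # Route the negotiated remote subnet through the VTI.  A 0.0.0.0/0
  # selector is skipped on purpose (it would install a default route);
  # in that case routing is left to the operator.
  if [[ "${PLUTO_PEER_CLIENT}" != "0.0.0.0/0" ]]; then
    sudo "${IP}" route add "${PLUTO_PEER_CLIENT}" dev "${VTI_IF}"
  fi
}

#######################################
# Remove the VTI for a tunnel that went down.
# Globals:   IP, VTI_IF (read)
# Returns:   0 on success; a failing ip aborts the script under errexit.
#######################################
vti_down() {
  sudo "${IP}" tunnel del "${VTI_IF}"
}

case "${PLUTO_VERB}" in
  up-client)
    vti_up
    ;;
  down-client)
    vti_down
    ;;
esac

# The settings below are applied for every verb, not only up/down-client.

# Enable IPv4 forwarding
sudo /sbin/sysctl -w net.ipv4.ip_forward=1

# Disable IPsec transform and policy processing on the local interface.
sudo /sbin/sysctl -w "net.ipv4.conf.${LOCAL_IF}.disable_xfrm=1"
sudo /sbin/sysctl -w "net.ipv4.conf.${LOCAL_IF}.disable_policy=1"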