This is TikiWiki v1.9.9 -Sirius- © 2002–2007 by the Tiki community Mon 06 of Sep, 2010 [00:46 UTC]
Template Files

All of the template files can be downloaded from the file gallery. The file gallery contains individual files and a zip file with everything.

/etc/dnscheck.awk
Restart Dynamic DNS peer VPN tunnel if the peer's IP address changes. This AWK script is called from /etc/dyntunnels. Cron runs /etc/dyntunnels every 10 minutes.

This script is key to the Dynamic part of the SOHO VPN project. awk runs the main rule of /etc/dnscheck.awk once for every row of /tmp/olddnstable.txt (one "fqdn ipaddr" pair per peer, saved by the previous run). For each peer it does a fresh lookup and restarts that peer's VPN tunnel when the current IP address does not match the one from 10 minutes ago.
   
#Restart Dynamic DNS Peer VPN tunnel if the peer's IP
#address changes.
#Compare a DNS lookup from x minutes ago (one "fqdn ipaddr" row per
#peer in /tmp/olddnstable.txt) to the current value.
#Restart the tunnel if the current lookup does not match
#the saved lookup.
#awk script, run as: awk -f /etc/dnscheck.awk /tmp/olddnstable.txt
BEGIN {
    # This router's name; connections are named net-<us>--net-<peer>
    cmd = "/usr/sbin/nvram get wan_hostname"
    cmd | getline hostname
    close(cmd)
}

{
    fqdn   = $1
    ipaddr = $2
    split(fqdn, fqdna, ".")

    # Fresh lookup of the peer. The original used $fqdn here, which awk
    # evaluates as field $0 (the whole row); dynlookup2 only reads its
    # first argument, so it worked by accident.
    cmd = "/etc/dynlookup2 " fqdn
    cmd | getline newipaddr
    close(cmd)

    conn = "net-" hostname "--net-" fqdna[1]
    print " "
    if ( newipaddr == "" )
    {
        # Lookup failed: leave the existing tunnel up rather than tear it down
        print "Lookup failed, tunnel left alone"
    }
    else if ( ipaddr != newipaddr )
    {
        # String comparison, not the original regex match (!~): with a regex,
        # an old address 10.1.1.10 contains a new address 10.1.1.1 as a
        # substring and the change would be missed.
        print "IPAddress Changed"
        print conn
        #Restart Tunnel
        creplace = "/usr/sbin/ipsec auto --replace " conn
        cadd     = "/usr/sbin/ipsec auto --add " conn
        cupp     = "/usr/sbin/ipsec auto --up " conn
        print creplace
        print cadd
        print cupp
        system(creplace)
        system(cadd)
        system(cupp)
    }
    else
    {
        print "IP Address is the SAME"
    }
    print "hostname: " hostname " fqdn: " fqdn " ipaddr: -" ipaddr "- newipaddr: -" newipaddr "-"
    print "fqdna1: " fqdna[1]
    print "conn name: " conn
}

/etc/dnsmasq.conf
DHCP and DNS configuration file.
Notice that filterwin2k is commented out since we are using Windows OS with Active Directory.
#filter what we send upstream
#domain-needed # Never forward plain names (without a dot or domain part)
#bogus-priv # Never forward addresses in the non-routed address spaces.
#filterwin2k #filter useless windows-originated DNS requests
localise-queries

# Forward DNS requests for internal domains to
# internal DNS servers.
server=/location-a.com/192.168.10.10
server=/location-b.com/192.168.20.10
# Empty domain: unqualified names (no domain part) also go to location-a
server=//192.168.10.10

# allow /etc/hosts and dhcp lookups via *.lan
# local=/lan/
domain=location-a.com
expand-hosts
no-negcache
resolv-file=/tmp/resolv.conf.auto

# enable dhcp (start,end,netmask,leasetime)
dhcp-authoritative
dhcp-range=192.168.224.100,192.168.224.120,255.255.255.128,12h
dhcp-leasefile=/tmp/dhcp.leases

## Location-A DHCP Options
dhcp-option=2,-18000
dhcp-option=4,172.17.10.19
dhcp-option=42,172.17.10.19
dhcp-option=44,172.17.10.10
dhcp-option=46,0x8
dhcp-option=66,"172.17.10.19"
dhcp-option=150,172.17.10.19


# use /etc/ethers for static hosts; same format as --dhcp-host
# <hwaddr> <ipaddr>
read-ethers

# other useful options:
# default route(s): dhcp-option=3,192.168.1.1,192.168.1.2
# dns server(s): dhcp-option=6,192.168.1.1,192.168.1.2

/etc/dnspeers.conf
List of DNS peers participating in the full-mesh SOHO VPN. This list contains all locations except for the home office at location-a and location-b. The /etc/dynlookup script uses this list to create the /tmp/dnstable.txt file. The /etc/dynlookup script is called from the /etc/dyninit.awk script. The /etc/dyninit.awk script is called from /etc/init.d/S55dnstable at startup and, via /etc/dyntunnels, once every ten minutes from /etc/crontabs/root.

soho-user-a.dyndns.info
soho-user-b.dyndns.info
soho-user-c.dyndns.info
soho-user-d.dyndns.info
soho-user-e.dyndns.info
soho-user-f.dyndns.info
soho-user-g.dyndns.info
soho-user-h.dyndns.info
soho-user-i.dyndns.info
soho-user-j.dyndns.info
soho-user-k.dyndns.info
soho-user-l.dyndns.info
soho-user-m.dyndns.info
soho-user-n.dyndns.info
soho-user-o.dyndns.info
soho-user-p.dyndns.info
soho-user-q.dyndns.info
soho-user-r.dyndns.info
soho-user-s.dyndns.info
soho-user-t.dyndns.info
soho-user-u.dyndns.info
soho-user-v.dyndns.info
soho-user-w.dyndns.info
soho-user-x.dyndns.info
soho-user-y.dyndns.info
soho-user-z.dyndns.info
soho-user-aa.dyndns.info
soho-user-ba.dyndns.info
soho-user-ca.dyndns.info
soho-user-da.dyndns.info
soho-user-ea.dyndns.info
soho-user-fa.dyndns.info

/etc/dyninit.awk
Create /tmp/dnstable.txt. /etc/dynlookup reads the domain names in the /etc/dnspeers.conf file and writes the domain names and corresponding IP addresses to the /tmp/dnstable.txt file.

/etc/dyninit.awk first moves any existing /tmp/dnstable.txt to /tmp/olddnstable.txt, then runs /etc/dynlookup once for every row in /etc/dnspeers.conf (awk's main rule runs once per input row).
# Build IP Lookup table
# awk script, run as: awk -f /etc/dyninit.awk /etc/dnspeers.conf
BEGIN {
    # Keep the previous table as /tmp/olddnstable.txt; /etc/dnscheck.awk
    # compares fresh lookups against it
    dnstable = "test -r /tmp/dnstable.txt"

    if ( system(dnstable) == 0 )
    {
        movednstable = "mv /tmp/dnstable.txt /tmp/olddnstable.txt"
        system(movednstable)
    }
}

# One peer FQDN per input row: dynlookup appends "fqdn ipaddr" to /tmp/dnstable.txt
{
    lookup = "/etc/dynlookup " $1
    system(lookup)
}

/etc/dynlookup
This script is called from /etc/dyninit.awk once for every row in /etc/dnspeers.conf. This script builds the /tmp/dnstable.txt file. The /tmp/dnstable.txt file is moved to /tmp/olddnstable.txt after 10 minutes. The values in /tmp/olddnstable.txt are compared to the current values to determine if a peer SOHO VPN router's IP address has changed.

Cron runs the /etc/dyntunnels script every ten minutes. The /etc/dyntunnels script runs the /etc/dnscheck.awk script against every row in the /tmp/olddnstable.txt file. The /etc/dnscheck.awk script resets individual VPN tunnels when the current IP address is different from the IP address in /tmp/olddnstable.txt. Note that dnscheck.awk does not read the freshly written /tmp/dnstable.txt; it calls /etc/dynlookup2 for a second lookup of each peer and compares that answer with the saved row, so every cycle resolves each peer name twice.
#!/bin/sh
# Lookup DynDNS Peers and save the results to a file
# Used by the /etc/dyninit.awk script; $1 is the peer FQDN
# nslookup prints the resolver's own address (127.0.0.1 on the router)
# on the first "Address:" line, so that line is dropped
ipaddr=`nslookup "$1" | grep "Address:" | awk '{ print $2 }' | sed /127.0.0.1/d`
echo "$1" $ipaddr >> /tmp/dnstable.txt

/etc/dynlookup2
This script is used by the /etc/dnscheck.awk script to lookup the current IP address.
#!/bin/sh
# Lookup DynDNS Peers
# Used by the /etc/dnscheck.awk script; $1 is the peer FQDN
# Same pipeline as /etc/dynlookup, printed instead of appended to the table
newipaddr=`nslookup "$1" | grep "Address:" | awk '{ print $2 }' | sed /127.0.0.1/d`
echo $newipaddr

/etc/dyntunnels
This script monitors Dynamic DNS Peers for IP Changes. This script runs once every 10 minutes and calls the awk scripts that do most of the work to implement a full mesh VPN among the SOHO VPN peer routers.
#!/bin/sh
#Monitor Dynamic DNS Peers for IP Changes
#Restart Individual Dynamic DNS Peer VPN Tunnels
#when a peer's IP address changes.
#
#Run this script from cron every 5 to 10 minutes.
#
# Turn on White SES LED while the lookups run
echo "1" > /proc/diag/led/ses_white
# Save the previous table as /tmp/olddnstable.txt and build a new one
awk -f /etc/dyninit.awk /etc/dnspeers.conf
# Compare fresh lookups against the saved table; restart changed tunnels
awk -f /etc/dnscheck.awk /tmp/olddnstable.txt
# Turn off White SES LED
echo "0" > /proc/diag/led/ses_white
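The dyninit.awk, dynlookup, dynlookup2 and dnscheck.awk steps above, put together as one POSIX shell script. This is an added example, not one of the project's files: it keeps the same table files, connection naming and ipsec commands, but skips a peer whose fresh lookup failed or returned something that is not an IPv4 address instead of restarting its tunnel, and compares addresses as strings rather than with awk's regex match (the `!~` in dnscheck.awk happens to treat an empty answer as "unchanged", but also misses a change from 10.1.1.10 to 10.1.1.1 because the new address is a substring of the old one). The peer names and addresses in the demo are constructed; `lookup_peer` uses the nslookup pipeline from /etc/dynlookup2 and needs the network, and `run_cycle` is a hypothetical name for the network-using equivalent of /etc/dyntunnels.

```shell
#!/bin/sh
# Added example, not a project file: the dyntunnels cycle in plain shell.
# DRY_RUN=1 prints the ipsec commands instead of running them.

# valid_ipv4 ADDR : succeed only for a dotted quad with octets 0-255
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# conn_name HOSTNAME FQDN : connection name as dnscheck.awk builds it,
# net-<wan_hostname>--net-<first label of the peer FQDN>
conn_name() {
    printf 'net-%s--net-%s\n' "$1" "${2%%.*}"
}

# lookup_peer FQDN : fresh lookup, same pipeline as /etc/dynlookup2, but
# keeping only the first answer (a name with several A records would
# otherwise never compare equal to the single saved address)
lookup_peer() {
    nslookup "$1" | grep "Address:" | awk '{ print $2 }' | sed /127.0.0.1/d | head -n 1
}

# changed_peers HOSTNAME OLDTABLE NEWTABLE : print the connection name of
# every peer whose address in NEWTABLE is a valid IPv4 address that differs
# from the one in OLDTABLE (both files hold "fqdn ipaddr" rows)
changed_peers() {
    host=$1
    old=$2
    new=$3
    while read -r fqdn oldip; do
        case "$fqdn" in ''|\#*) continue ;; esac
        newip=$(awk -v f="$fqdn" '$1 == f { print $2; exit }' "$new")
        if ! valid_ipv4 "$newip"; then
            printf '%s: no usable answer (%s), tunnel left alone\n' "$fqdn" "$newip" >&2
            continue
        fi
        if [ "$newip" != "$oldip" ]; then
            conn_name "$host" "$fqdn"
        fi
    done < "$old"
}

# restart_tunnel CONN : the same three ipsec commands dnscheck.awk runs
restart_tunnel() {
    for sub in --replace --add --up; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            printf '/usr/sbin/ipsec auto %s %s\n' "$sub" "$1"
        else
            /usr/sbin/ipsec auto "$sub" "$1"
        fi
    done
}

# run_cycle HOSTNAME PEERSFILE : one dyntunnels pass over the network,
# keeping /tmp/dnstable.txt and /tmp/olddnstable.txt like the originals
run_cycle() {
    [ -r /tmp/dnstable.txt ] && mv /tmp/dnstable.txt /tmp/olddnstable.txt
    : > /tmp/dnstable.txt
    while read -r fqdn; do
        case "$fqdn" in ''|\#*) continue ;; esac
        printf '%s %s\n' "$fqdn" "$(lookup_peer "$fqdn")" >> /tmp/dnstable.txt
    done < "$2"
    [ -r /tmp/olddnstable.txt ] || return 0
    changed_peers "$1" /tmp/olddnstable.txt /tmp/dnstable.txt | while read -r conn; do
        restart_tunnel "$conn"
    done
}

# Offline demo with constructed tables: peer b moved, peer c's lookup
# returned nothing, peer a is unchanged. Only b's tunnel is restarted.
demo() {
    dir=$(mktemp -d)
    printf '%s\n' \
        'soho-user-a.dyndns.info 203.0.113.10' \
        'soho-user-b.dyndns.info 203.0.113.20' \
        'soho-user-c.dyndns.info 203.0.113.30' > "$dir/old"
    printf '%s\n' \
        'soho-user-a.dyndns.info 203.0.113.10' \
        'soho-user-b.dyndns.info 198.51.100.7' \
        'soho-user-c.dyndns.info' > "$dir/new"
    changed_peers soho-user-home "$dir/old" "$dir/new"
    rm -rf "$dir"
}

DRY_RUN=1
demo | while read -r conn; do restart_tunnel "$conn"; done
```

The validity check matters because the lookup result decides whether a tunnel is torn down: a resolver that answers with garbage, or no answer at all, should not be able to knock a working tunnel offline every ten minutes. Note that the shell scripts on this page run the ipsec commands as root with the peer name taken from /etc/dnspeers.conf; that file is local and trusted, but the DNS answer itself is never passed to a shell, and this version keeps it that way.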


/etc/qos.conf
QoS User Configuration File.

The key to getting QoS working on OpenWRT is testing. Test the bandwidth at each location using a utility at DSLReports.com or similar sites. Enter conservative results in the UPLOAD= and DOWNLOAD= lines.

Take a look at DSCP_EXPR=. You may want to configure your IP Phone to mark traffic with DSCP. Keep in mind that the egress DSCP rules trust whatever DSCP value a LAN host sets, so any device on the LAN can claim express priority by marking its own packets; classifying by address is the more conservative choice.

DHCP reservations can be used with IP_EXPR (e.g. IP_EXPR="192.168.1.10", as in the comment block below) to give your IP phone a fixed address and a higher priority.

#####################################################
##
## User configuration of the QoS script
##
## At a minimum, set the DOWNLOAD and UPLOAD variables below. Setting these
## slightly slower than the actual line speeds is critical to good QoS
## performance. With download and upload speeds set too high, the traffic queues
## in the modem (upload) and on the ISP side (download) will quickly fill up. As
## these queues can be very long --on the order of several seconds-- filling
## them will prohibit any meaningful traffic shaping.
##
## The default configuration, with the proper upload and download speeds set,
## should be adequate for most situations to separate out low-priority peer-to
## -peer traffic (eMule, Bittorrent, etc.) from interactive traffic such as web
## browsing and SSH sessions.
##
## The configuration can be refined by modifying the settings below. As an
## example, consider including support for VoIP. This may be accomplished by
## adding the IP address of a VoIP adapter to the IP_EXPR variable (e.g.
## IP_EXPR="192.168.1.10"). Doing so will elevate the status of traffic to and
## from the VoIP box to 'express'.
##
## In general, the configuration of the QoS script requires the setting of
## several variables. Most variables expect a space separated list of elements
## (ports, IP addresses, protocols). Adding an element to a list will, based on
## the variable name, either promote a certain connection to 'express' (highest
## priority) or 'priority' status, or demote it to 'bulk' status. The default
## status for all traffic is 'normal'. An example of setting a configuration
## variable to classify traffic is the statement
##
## TCP_PRIO="80 443"
##
## Including this line in the configuration will ensure that all TCP traffic to
## the listed ports (in this particular case for the http and https protocols)
## will be treated as 'priority' traffic.
##
## Another example (from the default configuration) is:
##
## TCP_BULK="1024: 21"
##
## which adds port 21 (the port used for ftp) and all ports 1024 and up to the
## list of destination ports for 'bulk' traffic. The result is that ftp
## downloads get a low priority, as does traffic to non-reserved ports (mostly
## peer-to-peer protocols). The notation '1024:' indicates a port range, in this
## case including all ports 1024 and higher. Another example of a port range is
## ':10' which means all ports from 0 to 10. A range from 10 to 20 is denoted as
## '10:20'.
##
## It is important to note that some variables take precedence over others. This
## becomes significant in cases where the same traffic is identified by
## different rules. An example is adding a UDP game port above 1024 to the
## express list. In the default configuration, all high ports (1024:) are
## included in the UDP_BULK variable. Without knowing the order of the rules, it
## is not possible to determine what the status of traffic to the game port will
## be. It turns out, the traffic will be classified as express, since UDP_EXPR
## takes precedence over UDP_BULK.
##
## The order of the variables is (lowest precedence first): L7_BULK, L7_PRIO,
## L7_EXPR, IPP2P_BULK, IPP2P_PRIO, IPP2P_EXPR, TCP_BULK, UDP_BULK, TCP_PRIO,
## UDP_PRIO, TCP_EXPR, UDP_EXPR, TOS_BULK, TOS_PRIO, TOS_EXPR, DSCP_BULK,
## DSCP_PRIO, DSCP_EXPR, IP_BULK, IP_PRIO, IP_EXPR
##
##################################################################

# Download speed in kilobits per second
# Set 5% - 10% lower than *measured* line speed (set to zero to disable)
#
# Tested 4849 kbps on Comcast Cable Internet; 85% of that is 4121 kbps
DOWNLOAD=4095

# Upload speed in kilobits per second
# Set 5% - 10% lower than *measured* line speed (set to zero to disable)
#
# Tested 365 kbps on Comcast Cable Internet; 85% of that is 310 kbps
UPLOAD=325

# Bulk, prio and express Layer 7 protocol matches
L7_BULK=""
L7_PRIO=""
L7_EXPR=""

# IPP2P protocol matches
# Default 'ipp2p' includes all well-known peer-to-peer protocols
IPP2P_BULK="ipp2p"
IPP2P_PRIO=""
IPP2P_EXPR=""

# Destination ports for classifying 'bulk' traffic
TCP_BULK="1024: 21"
UDP_BULK="1024:"

# Destination ports for classifying 'priority' traffic
# This setting may help with Unisun
TCP_PRIO="22 23"
UDP_PRIO=""

# Destination ports for classifying 'express' traffic
TCP_EXPR="53 5900:5901"
UDP_EXPR="53"

# ToS (Type of Service) matches (egress only)
#TOS_BULK="0x02"
#TOS_PRIO=""
#TOS_EXPR="0x10"

# DSCP (Differentiated Services Code Point) matches (egress only)
# Any LAN host can set its own DSCP, so this trusts the sender
DSCP_BULK=""
DSCP_PRIO=""
DSCP_EXPR="46"

# LAN IP addresses for 'bulk', 'priority' and 'express' traffic
# IP address can include a port number or range, such as 192.168.1.1:80 or
# 192.168.1.1:5900:5910. To include all ports, specify the IP address only.
IP_BULK=""
IP_PRIO=""
IP_EXPR=""

# Define custom QoS interface. Defaults to wan interface.
#QOS_IF=ipsec0
#QOS_IF=br0
QOS_IF=ipsec0

# Enable 'small UDP packets get priority' feature.
# Sets the maximum length for priority UDP packets.
# Wireshark measured 278 bytes for the ESP packets
#UDP_LENGTH=256

# Set to 1 to enable logging of packets to syslog
DEBUG=0
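As an added example (not part of qos.conf or the qos-script), here is the port-list precedence described in the comment block above, reproduced in shell so the class a packet would get can be checked before reloading QoS with `ifdown wan && ifup wan`. The lists copy the defaults from this qos.conf, with a hypothetical UDP game port 27015 added to UDP_EXPR to reproduce the case the comment discusses; the range syntax is the one the comment documents.

```shell
#!/bin/sh
# Added example, not project code: port-list classification as 20-qos
# installs it, for checking a qos.conf change offline.

# Defaults from this page's qos.conf; 27015 is a hypothetical game port
TCP_BULK="1024: 21"
UDP_BULK="1024:"
TCP_PRIO="22 23"
UDP_PRIO=""
TCP_EXPR="53 5900:5901"
UDP_EXPR="53 27015"

# port_matches PORT SPEC : SPEC is a single port or an iptables range
# "a:b", ":b" (0..b) or "a:" (a..65535)
port_matches() {
    case "$2" in
        *:*)
            lo=${2%%:*}
            hi=${2#*:}
            [ "${lo:-0}" -le "$1" ] && [ "$1" -le "${hi:-65535}" ]
            ;;
        *)
            [ "$1" -eq "$2" ]
            ;;
    esac
}

# port_in_list PORT "LIST" : succeed if any element of the list matches
port_in_list() {
    for spec in $2; do
        port_matches "$1" "$spec" && return 0
    done
    return 1
}

# classify PROTO DPORT : print EXPR, PRIO, BULK or NORMAL (PROTO is TCP or
# UDP). 20-qos appends the port rules to mark_chain in the order EXPR, PRIO,
# BULK and guards each with "-m mark --mark 0", so the first matching list
# wins; testing the lists in that order reproduces the precedence.
classify() {
    proto=$1
    port=$2
    for cls in EXPR PRIO BULK; do
        eval "list=\$${proto}_${cls}"
        if port_in_list "$port" "$list"; then
            echo "$cls"
            return 0
        fi
    done
    echo NORMAL
}

# show_classes PROTO "PORTS" : one line per port, for reviewing a change
show_classes() {
    for p in $2; do
        printf '%s/%s -> %s\n' "$1" "$p" "$(classify "$1" "$p")"
    done
}

show_classes TCP "21 22 53 80 5900 40000"
show_classes UDP "53 27015 40000"
```

Only the port lists are modelled here. In /etc/hotplug.d/iface/20-qos the IP_*, TOS_* and DSCP_* rules are appended to the ingress and egress chains before the call to mark_chain, and mark_chain starts by restoring a saved CONNMARK, so an address, TOS or DSCP match, or a mark saved earlier on the same connection, beats every port list; the ICMP, small-UDP and ACK rules at the end of the chains carry no `--mark 0` guard and override everything before them.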

/etc/TZ
Set the time zone.

EST5EDT

/etc/updatecrls
Download new CRLs from the web servers at location-a and location-b.

There is a scheduled task on the web server that converts the Check Point CRLs into a format that can be used by Openswan. The download is plain HTTP; that is acceptable for integrity because a CRL carries the CA's signature, which Openswan verifies, but it gives no protection against an on-path attacker serving a stale CRL or blocking the download, so a failed transfer should not overwrite the CRL already in place.
#!/bin/sh
#Download new CRLs
# Fetch to a temporary name and only move into place when wget succeeds,
# so a failed download does not leave a truncated CRL for Openswan to reject
CRLDIR=/etc/ipsec.d/crls
fetch() {
    wget "$1" -O "$CRLDIR/$2.tmp" && mv "$CRLDIR/$2.tmp" "$CRLDIR/$2"
}
fetch http://12.10.20.6:8080/location-a/ICA_CRL0.pem location-a.ICA_CRL0.pem
fetch http://12.10.20.6:8080/location-a/ICA_CRL1.pem location-a.ICA_CRL1.pem
fetch http://12.11.22.6:8080/location-b/ICA_CRL0.pem location-b.ICA_CRL0.pem
fetch http://12.11.22.6:8080/location-b/ICA_CRL1.pem location-b.ICA_CRL1.pem

/etc/crontabs/root
Crontab runs scheduled tasks in Linux. /etc/dyntunnels is set to run every 10 minutes. /etc/updatecrls is set to run every night at 00:30. ipsec-restart.sh runs every night (02:00 on this router); the time is chosen per router based on its IP address so that only one SOHO VPN peer router restarts at a time.
*/10 * * * * /etc/dyntunnels
30 0 * * * /etc/updatecrls
0 2 * * * /etc/ipsec.d/scripts/ipsec-restart.sh

/etc/hotplug.d/iface/10-ez-ipupdate
The last line of the script runs newlease4ipsec.sh on every interface hotplug event (not only WAN ifup); that script restarts all IPsec tunnels if the WAN IP address changed, which is what happens when DHCP assigns the router a new address.
#!/bin/sh
. /etc/functions.sh
NAME=ez-ipupdate
CONFIG=/etc/$NAME.conf
COMMAND=/usr/sbin/$NAME
# Push the new WAN address to the dynamic DNS provider, in the background
[ "$ACTION" = "ifup" -a "$INTERFACE" = "wan" ] && {
    [ -x $COMMAND ] && [ -r $CONFIG ] && {
        IFNAME=$(nvram get ${INTERFACE}_ifname)
        $COMMAND -c $CONFIG -i $IFNAME 2>&1 | logger -t $NAME
    } &
}
# Runs on every hotplug event; newlease4ipsec.sh itself checks whether the
# WAN address changed before restarting the tunnels
/etc/ipsec.d/scripts/newlease4ipsec.sh

/etc/hotplug.d/iface/20-qos
This script manages QoS and should not normally be changed. (I don't remember what I changed on this so I'll have to compare this to the original and then update the documentation.)
#!/bin/sh

# qos-script v1.05

## Please modify user configuration in /etc/qos.conf
## To start QoS without reboot, use "ifdown wan && ifup wan"

# User configuration
[ -f /etc/qos.conf ] && . /etc/qos.conf

# Defaults for settings qos.conf may leave unset (UDP_LENGTH is commented
# out there), so the numeric tests below do not fail on an empty string
: "${DEBUG:=0}" "${UDP_LENGTH:=0}" "${UPLOAD:=0}" "${DOWNLOAD:=0}"

# If no interface defined, use WAN interface
[ "$QOS_IF" ] || QOS_IF=$(nvram get wan_ifname)

# Get the LAN interface name
LAN_IF=$(nvram get lan_ifname)

# Get the LAN IP Address
LAN_IPADDR=$(nvram get lan_ipaddr)
# Host whose packets get DSCP 0x2e: the LAN address with a "0" appended,
# e.g. 192.168.1.1 becomes 192.168.1.10 (string concatenation, not arithmetic)
LAN_DSCP="${LAN_IPADDR}0"

# Find out interface of hotplug event
HOTPLUG_IF=$(nvram get ${INTERFACE}_ifname)

# Script can be activated by hotplug event on qos interface or passing "qosstart" in $INTERFACE
if [ "$ACTION" = "ifup" -a \( "$HOTPLUG_IF" = "$QOS_IF" -o "$INTERFACE" = "qosstart" \) ]; then

    # Length of burst buffers in ms (must be larger than kernel jiffy of 10ms)
    DBURST_D=10
    DBURST_U=10

    MTU=1600

    # Minimum class rate as percentage of full line rate
    MIN_RATE=10

    # The following packages are required for the modules:
    # kmod-sched
    # kmod-ipt-conntrack
    # iptables-mod-conntrack
    # kmod-ipt-ipopt
    # iptables-mod-ipopt
    # kmod-ipt-extra
    # iptables-mod-extra
    # ip
    # kmod-imq
    # iptables-mod-imq
    # kmod-ipt-filter
    # iptables-mod-filter

    insmod cls_fw >&- 2>&-
    insmod sch_htb >&- 2>&-
    insmod sch_sfq >&- 2>&-
    insmod ipt_CONNMARK >&- 2>&-
    insmod ipt_length >&- 2>&-
    insmod imq numdevs=1 >&- 2>&-
    insmod ipt_IMQ >&- 2>&-
    insmod ipt_ipp2p >&- 2>&-
    insmod ipt_layer7 >&- 2>&-
    insmod ipt_tos >&- 2>&-
    insmod ipt_TOS >&- 2>&-
    insmod ipt_dscp >&- 2>&-
    insmod ipt_DSCP >&- 2>&-
    insmod sch_red >&- 2>&-

    # To enable logging (requires iptables-mod-extra package)
    [ "$DEBUG" -eq 1 ] && insmod ipt_LOG >&- 2>&-

    iptables -t mangle -F
    iptables -t mangle -X

    # Set up the InterMediate Queuing device (IMQ)
    ip link set imq0 up

    # Remove queuing disciplines from all interfaces
    sed -n 's/ *\(.*\):.*/\1/p' /proc/net/dev | while read INTERFACE; do
        tc qdisc del dev $INTERFACE root >&- 2>&-
    done

    [ $UPLOAD -ne 0 ] && {
        # Calculate buffer lengths in bytes
        BURST_U=$(($DBURST_U*$UPLOAD/8))

        # Make sure burst buffer size is at least MTU
        [ $BURST_U -lt $((1*$MTU)) ] && BURST_U=$((1*$MTU))

        # Calculate r2q for htb discipline
        RTOQ_U=$(($MIN_RATE*$UPLOAD*10/(8*$MTU)))
        [ $RTOQ_U -gt 20 ] && RTOQ_U=20
        [ $RTOQ_U -eq 0 ] && RTOQ_U=1

        # Attach egress queuing discipline to QoS interface
        tc qdisc add dev $QOS_IF root handle 1: htb default 40 r2q $RTOQ_U
        tc class add dev $QOS_IF parent 1: classid 1:1 htb rate ${UPLOAD}kbit ceil ${UPLOAD}kbit burst $(($BURST_U*3)) cburst $(($BURST_U*3)) mtu $MTU
        tc class add dev $QOS_IF parent 1:1 classid 1:10 htb rate $(($UPLOAD*5/10))kbit ceil ${UPLOAD}kbit burst $(($BURST_U*1)) cburst $(($BURST_U*1)) prio 1 mtu $MTU
        tc class add dev $QOS_IF parent 1:1 classid 1:20 htb rate $(($UPLOAD*2/10))kbit ceil ${UPLOAD}kbit burst $(($BURST_U*1)) cburst $(($BURST_U*1)) prio 2 mtu $MTU
        tc class add dev $QOS_IF parent 1:1 classid 1:30 htb rate $(($UPLOAD*2/10))kbit ceil ${UPLOAD}kbit burst $(($BURST_U*1)) cburst $(($BURST_U*1)) prio 3 mtu $MTU
        tc class add dev $QOS_IF parent 1:1 classid 1:40 htb rate $(($UPLOAD*1/10))kbit ceil ${UPLOAD}kbit burst $(($BURST_U*1)) cburst $(($BURST_U*1)) prio 4 mtu $MTU

        tc qdisc add dev $QOS_IF parent 1:10 sfq quantum $MTU perturb 10
        tc qdisc add dev $QOS_IF parent 1:20 sfq quantum $MTU perturb 10
        tc qdisc add dev $QOS_IF parent 1:30 sfq quantum $MTU perturb 10
        tc qdisc add dev $QOS_IF parent 1:40 sfq quantum $MTU perturb 10

        tc filter add dev $QOS_IF parent 1: prio 1 protocol ip handle 1 fw flowid 1:10
        tc filter add dev $QOS_IF parent 1: prio 2 protocol ip handle 2 fw flowid 1:20
        tc filter add dev $QOS_IF parent 1: prio 3 protocol ip handle 3 fw flowid 1:30
        tc filter add dev $QOS_IF parent 1: prio 4 protocol ip handle 4 fw flowid 1:40
    }

    [ $DOWNLOAD -ne 0 ] && {
        # Calculate buffer lengths in bytes
        BURST_D=$(($DBURST_D*$DOWNLOAD/8))

        # Make sure burst buffer size is at least MTU
        [ $BURST_D -lt $((1*$MTU)) ] && BURST_D=$((1*$MTU))

        # Calculate r2q for htb discipline
        RTOQ_D=$(($MIN_RATE*$DOWNLOAD*10/(8*$MTU)))
        [ $RTOQ_D -gt 20 ] && RTOQ_D=20
        [ $RTOQ_D -eq 0 ] && RTOQ_D=1

        # Attach ingress queuing discipline to IMQ interface
        # htb qdisc without default: all unmarked (mark 0) packages pass unlimited
        # htb with non-existing default: unmarked packages get dropped
        tc qdisc add dev imq0 root handle 1: htb default 40 r2q $RTOQ_D
        tc class add dev imq0 parent 1: classid 1:1 htb rate ${DOWNLOAD}kbit ceil ${DOWNLOAD}kbit burst $((BURST_D*3)) cburst $((BURST_D*3)) mtu $MTU
        tc class add dev imq0 parent 1:1 classid 1:10 htb rate $(($DOWNLOAD*5/10))kbit ceil ${DOWNLOAD}kbit burst $((BURST_D*1)) cburst $((BURST_D*1)) prio 1 mtu $MTU
        tc class add dev imq0 parent 1:1 classid 1:20 htb rate $(($DOWNLOAD*2/10))kbit ceil ${DOWNLOAD}kbit burst $((BURST_D*1)) cburst $((BURST_D*1)) prio 2 mtu $MTU
        tc class add dev imq0 parent 1:1 classid 1:30 htb rate $(($DOWNLOAD*2/10))kbit ceil ${DOWNLOAD}kbit burst $((BURST_D*1)) cburst $((BURST_D*1)) prio 3 mtu $MTU
        tc class add dev imq0 parent 1:1 classid 1:40 htb rate $(($DOWNLOAD*1/10))kbit ceil $(($DOWNLOAD*3/4))kbit burst $((BURST_D*1)) cburst $((BURST_D*1)) prio 4 mtu $MTU

        tc qdisc add dev imq0 parent 1:10 red limit $((40*$MTU)) min $((5*$MTU)) max $((20*$MTU)) avpkt $(($MTU*6/10)) burst 16 probability 0.015
        tc qdisc add dev imq0 parent 1:20 red limit $((40*$MTU)) min $((5*$MTU)) max $((20*$MTU)) avpkt $(($MTU*6/10)) burst 16 probability 0.015
        tc qdisc add dev imq0 parent 1:30 red limit $((40*$MTU)) min $((5*$MTU)) max $((20*$MTU)) avpkt $(($MTU*6/10)) burst 16 probability 0.015
        tc qdisc add dev imq0 parent 1:40 red limit $((40*$MTU)) min $((5*$MTU)) max $((20*$MTU)) avpkt $(($MTU*6/10)) burst 16 probability 0.015

        tc filter add dev imq0 parent 1: prio 1 protocol ip handle 1 fw flowid 1:10
        tc filter add dev imq0 parent 1: prio 2 protocol ip handle 2 fw flowid 1:20
        tc filter add dev imq0 parent 1: prio 3 protocol ip handle 3 fw flowid 1:30
        tc filter add dev imq0 parent 1: prio 4 protocol ip handle 4 fw flowid 1:40
    }

    iptables -t mangle -N mark_chain
    iptables -t mangle -N egress_chain
    iptables -t mangle -N ingress_chain

    # Mark ICMP Packets with DSCP
    iptables -t mangle -A PREROUTING -p ICMP -i $LAN_IF -j DSCP --set-dscp 0x2e

    # Mark packets from a specific IP Address with DSCP
    iptables -t mangle -A PREROUTING -s $LAN_DSCP -j DSCP --set-dscp 0x2e

    # Extra DSCP Marks
    iptables -t mangle -A PREROUTING -p tcp --dport 5900 -j DSCP --set-dscp 0x2e
    iptables -t mangle -A PREROUTING -p tcp --dport 5901 -j DSCP --set-dscp 0x2e

    # Set up egress marking chain
    iptables -t mangle -A POSTROUTING -o $QOS_IF -j egress_chain

    # Mark ingress in FORWARD and INPUT chains to make sure any DNAT (virt. server) is taken into account
    # Mark ingress in FORWARD chain for LAN and send through the IMQ device
    iptables -t mangle -A FORWARD -i $QOS_IF -j ingress_chain
    iptables -t mangle -A FORWARD -i $QOS_IF -j IMQ --todev 0

    # Mark ingress in INPUT chain for this router and send through the IMQ device
    iptables -t mangle -A INPUT -i $QOS_IF -j ingress_chain
    iptables -t mangle -A INPUT -i $QOS_IF -j IMQ --todev 0

    #################################### FUNCTION DEFINITIONS #################################
    mark_addr_in()
    {
        # Set up ingress rules based on ip_address[:port[:range]]
        # $1 is a list of ip:port elements
        # $2 is the priority

        for ADDR in $1; do
            IP_PART=`echo $ADDR | sed -n 's/\([^:]*\):.*/\1/p'`
            if [ "$IP_PART" ]; then
                PORT_PART=`echo $ADDR | sed -n 's/[^:]*:\(.*\)/\1/p'`
                iptables -t mangle -A ingress_chain -d $IP_PART -p tcp --dport $PORT_PART -j MARK --set-mark $2
                iptables -t mangle -A ingress_chain -d $IP_PART -p udp --dport $PORT_PART -j MARK --set-mark $2
            else
                iptables -t mangle -A ingress_chain -d $ADDR -j MARK --set-mark $2
            fi
        done
    }

    mark_addr_out()
    {
        # Set up egress rules based on ip_address[:port[:range]]
        # $1 is a list of ip:port elements
        # $2 is the priority

        for ADDR in $1; do
            IP_PART=`echo $ADDR | sed -n 's/\([^:]*\):.*/\1/p'`
            if [ "$IP_PART" ]; then
                PORT_PART=`echo $ADDR | sed -n 's/[^:]*:\(.*\)/\1/p'`
                iptables -t mangle -A egress_chain -s $IP_PART -p tcp --dport $PORT_PART -j MARK --set-mark $2
                iptables -t mangle -A egress_chain -s $IP_PART -p udp --dport $PORT_PART -j MARK --set-mark $2
            else
                iptables -t mangle -A egress_chain -s $ADDR -j MARK --set-mark $2
            fi
        done
    }
    ##########################################################################

    ###################################### MARK CHAIN ########################
    # Restore any saved connection mark if not already marked
    iptables -t mangle -A mark_chain -m mark --mark 0 -j CONNMARK --restore-mark

    # Every rule below is guarded by "--mark 0", so the first match wins:
    # express before priority before bulk, ports before ipp2p before layer7
    # Mark expr packets based on port numbers and protocol
    for PORT in $UDP_EXPR; do
        iptables -t mangle -A mark_chain -m mark --mark 0 -p udp --dport $PORT -j MARK --set-mark 1
    done
    for PORT in $TCP_EXPR; do
        iptables -t mangle -A mark_chain -m mark --mark 0 -p tcp --dport $PORT -j MARK --set-mark 1
    done

    # Mark prio packets based on port numbers and protocol
    for PORT in $UDP_PRIO; do
        iptables -t mangle -A mark_chain -m mark --mark 0 -p udp --dport $PORT -j MARK --set-mark 2
    done
    for PORT in $TCP_PRIO; do
        iptables -t mangle -A mark_chain -m mark --mark 0 -p tcp --dport $PORT -j MARK --set-mark 2
    done

    # Mark bulk packets based on port numbers and protocol
    for PORT in $UDP_BULK; do
        iptables -t mangle -A mark_chain -m mark --mark 0 -p udp --dport $PORT -j MARK --set-mark 4
    done
    for PORT in $TCP_BULK; do
        iptables -t mangle -A mark_chain -m mark --mark 0 -p tcp --dport $PORT -j MARK --set-mark 4
    done

    # Mark expr packets based on ipp2p match
    ALL_PROTOS=""
    for PROTO in $IPP2P_EXPR; do
        ALL_PROTOS="${ALL_PROTOS}--$PROTO "
    done
    [ "$ALL_PROTOS" ] && iptables -t mangle -A mark_chain -m mark --mark 0 -m ipp2p $ALL_PROTOS -j MARK --set-mark 1

    # Mark prio packets based on ipp2p match
    ALL_PROTOS=""
    for PROTO in $IPP2P_PRIO; do
        ALL_PROTOS="${ALL_PROTOS}--$PROTO "
    done
    [ "$ALL_PROTOS" ] && iptables -t mangle -A mark_chain -m mark --mark 0 -m ipp2p $ALL_PROTOS -j MARK --set-mark 2

    # Mark bulk packets based on ipp2p match
    ALL_PROTOS=""
    for PROTO in $IPP2P_BULK; do
        ALL_PROTOS="${ALL_PROTOS}--$PROTO "
    done
    [ "$ALL_PROTOS" ] && iptables -t mangle -A mark_chain -m mark --mark 0 -m ipp2p $ALL_PROTOS -j MARK --set-mark 4

    # Mark expr packets based on layer7 match
    for PROTO in $L7_EXPR; do
        iptables -t mangle -A mark_chain -m mark --mark 0 -m layer7 --l7proto $PROTO -j MARK --set-mark 1
    done

    # Mark prio packets based on layer7 match
    for PROTO in $L7_PRIO; do
        iptables -t mangle -A mark_chain -m mark --mark 0 -m layer7 --l7proto $PROTO -j MARK --set-mark 2
    done

    # Mark bulk packets based on layer7 match
    for PROTO in $L7_BULK; do
        iptables -t mangle -A mark_chain -m mark --mark 0 -m layer7 --l7proto $PROTO -j MARK --set-mark 4
    done

    # Default is normal priority (to make sure every packet on WAN interface gets marked)
    iptables -t mangle -A mark_chain -m mark --mark 0 -j MARK --set-mark 3

    # Save mark onto connection
    iptables -t mangle -A mark_chain -j CONNMARK --save-mark

    # ICMP gets high priority (impress friends)
    # No "--mark 0" guard from here on: these override the classes above
    iptables -t mangle -A mark_chain -p icmp -j MARK --set-mark 1
    iptables -t mangle -A mark_chain -p ipv6-icmp -j MARK --set-mark 1

    # Small UDP packets (most likely games) get high priority
    [ "$UDP_LENGTH" -gt 0 ] && iptables -t mangle -A mark_chain -p udp -m length --length :$UDP_LENGTH -j MARK --set-mark 1
    ###############################################################################

    ###################################### INGRESS CHAIN ##########################
    # Mark bulk packets based on destination LAN ip address and port number
    mark_addr_in "$IP_BULK" 4

    # Mark prio packets based on destination LAN ip address and port number
    mark_addr_in "$IP_PRIO" 2

    # Mark expr packets based on destination LAN ip address and port number
    mark_addr_in "$IP_EXPR" 1

    # Call mark_chain
    iptables -t mangle -A ingress_chain -j mark_chain
    ###########################################################################

    ######################################## EGRESS CHAIN ######################
    # Mark bulk packets based on tos match (egress only)
    for PROTO in $TOS_BULK; do
        iptables -t mangle -A egress_chain -m tos --tos $PROTO -j MARK --set-mark 4
    done

    # Mark prio packets based on tos match (egress only)
    for PROTO in $TOS_PRIO; do
        iptables -t mangle -A egress_chain -m tos --tos $PROTO -j MARK --set-mark 2
    done

    # Mark expr packets based on tos match (egress only)
    for PROTO in $TOS_EXPR; do
        iptables -t mangle -A egress_chain -m tos --tos $PROTO -j MARK --set-mark 1
    done

    # Mark bulk packets based on dscp match (egress only)
    for PROTO in $DSCP_BULK; do
        iptables -t mangle -A egress_chain -m dscp --dscp $PROTO -j MARK --set-mark 4
    done

    # Mark prio packets based on dscp match (egress only)
    for PROTO in $DSCP_PRIO; do
        iptables -t mangle -A egress_chain -m dscp --dscp $PROTO -j MARK --set-mark 2
    done

    # Mark expr packets based on dscp match (egress only)
    for PROTO in $DSCP_EXPR; do
        iptables -t mangle -A egress_chain -m dscp --dscp $PROTO -j MARK --set-mark 1
    done

    # Mark bulk packets based on source LAN ip address and port number
    mark_addr_out "$IP_BULK" 4

    # Mark prio packets based on source LAN ip address and port number
    mark_addr_out "$IP_PRIO" 2

    # Mark expr packets based on source LAN ip address and port number
    mark_addr_out "$IP_EXPR" 1

    # Call mark_chain
    iptables -t mangle -A egress_chain -j mark_chain

    # Make sure ACK packets get priority (to avoid upload speed limiting our download speed)
    iptables -t mangle -A egress_chain -p tcp -m length --length :128 --tcp-flags SYN,RST,ACK ACK -j MARK --set-mark 1
    ################################################################################

    [ "$DEBUG" -eq 1 ] && iptables -t mangle -A egress_chain -m mark --mark 0 -j LOG --log-prefix egress_0::
    [ "$DEBUG" -eq 1 ] && iptables -t mangle -A egress_chain -m mark --mark 0 -j ACCEPT
    [ "$DEBUG" -eq 1 ] && iptables -t mangle -A egress_chain -m mark --mark 1 -j LOG --log-prefix egress_1::
    [ "$DEBUG" -eq 1 ] && iptables -t mangle -A egress_chain -m mark --mark 1 -j ACCEPT
    [ "$DEBUG" -eq 1 ] && iptables -t mangle -A egress_chain -m mark --mark 2 -j LOG --log-prefix egress_2::
    [ "$DEBUG" -eq 1 ] && iptables -t mangle -A egress_chain -m mark --mark 2 -j ACCEPT
    [ "$DEBUG" -eq 1 ] && iptables -t mangle -A egress_chain -m mark --mark 3 -j LOG --log-prefix egress_3::
    [ "$DEBUG" -eq 1 ] && iptables -t mangle -A egress_chain -m mark --mark 3 -j ACCEPT
    [ "$DEBUG" -eq 1 ] && iptables -t mangle -A egress_chain -m mark --mark 4 -j LOG --log-prefix egress_4::
    [ "$DEBUG" -eq 1 ] && iptables -t mangle -A egress_chain -m mark --mark 4 -j ACCEPT
    [ "$DEBUG" -eq 1 ] && iptables -t mangle -A egress_chain -j LOG --log-prefix egress_other::

    [ "$DEBUG" -eq 1 ] && iptables -t mangle -A ingress_chain -m mark --mark 0 -j LOG --log-prefix ingress_0::
    [ "$DEBUG" -eq 1 ] && iptables -t mangle -A ingress_chain -m mark --mark 0 -j ACCEPT
    [ "$DEBUG" -eq 1 ] && iptables -t mangle -A ingress_chain -m mark --mark 1 -j LOG --log-prefix ingress_1::
    [ "$DEBUG" -eq 1 ] && iptables -t mangle -A ingress_chain -m mark --mark 1 -j ACCEPT
    [ "$DEBUG" -eq 1 ] && iptables -t mangle -A ingress_chain -m mark --mark 2 -j LOG --log-prefix ingress_2::
    [ "$DEBUG" -eq 1 ] && iptables -t mangle -A ingress_chain -m mark --mark 2 -j ACCEPT
    [ "$DEBUG" -eq 1 ] && iptables -t mangle -A ingress_chain -m mark --mark 3 -j LOG --log-prefix ingress_3::
    [ "$DEBUG" -eq 1 ] && iptables -t mangle -A ingress_chain -m mark --mark 3 -j ACCEPT
    [ "$DEBUG" -eq 1 ] && iptables -t mangle -A ingress_chain -m mark --mark 4 -j LOG --log-prefix ingress_4::
    [ "$DEBUG" -eq 1 ] && iptables -t mangle -A ingress_chain -m mark --mark 4 -j ACCEPT
    [ "$DEBUG" -eq 1 ] && iptables -t mangle -A ingress_chain -j LOG --log-prefix ingress_other::

fi
exit 0

/etc/init.d/S10boot
Added a line to turn on the Orange LED behind the SES button.
#!/bin/sh
[ -f /proc/jffs2_bbc ] && echo "S" > /proc/jffs2_bbc

mkdir -p /var/run
mkdir -p /var/log
touch /var/log/wtmp
touch /var/log/lastlog

# Load every module listed in /etc/modules and /etc/modules.d/* (non-comment lines)
sed 's/^[^#]/insmod &/' /etc/modules /etc/modules.d/* 2>&-|ash

ifconfig lo 127.0.0.1 up
ifconfig eth0 promisc

# configure the switch based on nvram
[ -d /proc/switch/eth0 ] && {
    for nr in $(seq 0 15); do
        vp="$(nvram get vlan${nr}ports)"
        [ -z "$vp" -o -z "$(nvram get vlan${nr}hwname)" ] || {
            echo "$vp" > /proc/switch/eth0/vlan/$nr/ports
        }
    done
}

HOSTNAME=$(nvram get wan_hostname)
HOSTNAME=${HOSTNAME%%.*}
echo ${HOSTNAME:=OpenWrt}>/proc/sys/kernel/hostname

vconfig set_name_type VLAN_PLUS_VID_NO_PAD

# Turn on Orange SES LED to indicate boot start
echo "1" > /proc/diag/led/ses_orange

/etc/init.d/S51setdate
This script downloads a text file containing the current date and time from a web server at location-a and sets the clock from it, in case rdate fails. The VPN certificates need the date and approximate time set: the clock only has to fall inside the certificates' validity period, and the VPN will fail if the date is set to a point before the certificates were created. Note that the file is fetched over plain HTTP, so the time it supplies is unauthenticated; it is only a fallback to get the clock into the certificates' validity window.
#!/bin/sh
# Download and set the date in case rdate does not work.
sleep 15
cd /tmp
wget http://12.10.20.6/date/strDate.txt
# strDate.txt must hold the date in the form the router's date command
# accepts (busybox: MMDDhhmm[[CC]YY][.ss]); its contents are passed to date as-is.
date=`cat /tmp/strDate.txt`
date $date

/etc/init.d/S52rdate
Set the date and time with rdate. Note that rdate speaks the RFC 868 time protocol (TCP port 37), not NTP. Be warned: rdate is flaky.
#!/bin/sh
# Added a second server as a backup.
# The time must be set for the VPN to work.
sleep 10
rm -f /tmp/rdate1
rm -f /tmp/rdate2
/usr/sbin/rdate time.nist.gov > /tmp/rdate1
# NOTE: this "backup" queries the same host as the line above;
# point it at a different time server to get a real fallback.
/usr/sbin/rdate time.nist.gov > /tmp/rdate2

/etc/init.d/S55dnstable
Launch the AWK script that creates the /tmp/dnstable.txt file from the /etc/dnspeers.conf file.
#!/bin/sh
#
# Build the initial dnstable based on the /etc/dnspeers.conf file.
# dyninit.awk is referenced by a relative path, so this only works when the
# current directory contains it (it is also run from hotplug); use an absolute path.
awk -f dyninit.awk /etc/dnspeers.conf

/etc/init.d/S65qos
Make sure QoS gets started. Normally QoS would start on its own.
#!/bin/sh
# QoS is normally started from hotplug
# The ipsec0 interface is not available when hotplug starts QoS
/usr/bin/qos-start

/etc/init.d/S99done
Added a line to turn off the orange SES light. The orange SES light turns on when the router reaches S10boot and then turns off when the router reaches S99done. It can take a WRT54GL router several minutes to run the startup scripts and then several more minutes to bring up the VPN tunnels.
#!/bin/sh
. /etc/functions.sh

sysctl -p >&-

# automagically run firstboot
[ "$(nvram get no_root_swap)" != 1 ] && {
    [ -d /tmp/root ] && {
        lock /tmp/.switch2jffs
        firstboot switch2jffs
        lock -u /tmp/.switch2jffs
    }
}

# set leds to normal state
set_state done
# Turn off Orange SES LED to indicate boot finish
echo "0" > /proc/diag/led/ses_orange

/etc/ipsec.d/scripts/newlease4ipsec.sh
This script restarts all IPSec tunnels when the WAN IP address changes. Openswan does not know when the WAN IP address changes: the ipsec0 interface retains the old IP address after DHCP assigns a new one. This script is launched when the OS detects an IP address change, from the 10-ez-ipupdate script, which is in turn launched from the /etc/hotplug.d/iface directory.

This script needs to be updated to select the correct WAN interface automatically instead of always using vlan1. For example, the WAN interface on the WRTSL54GS router is eth0 instead of vlan1.
#!/bin/sh
sleep 4
YDATE=`date +%Y`
IPSEC=`which ipsec`
IFCONFIG=`which ifconfig`
GREP=`which grep`
CAT=`which cat`
CUT=`which cut`
# WAN interface is hard-coded as vlan1 (WRT54GL); see the note above.
IP=`$IFCONFIG vlan1 |$GREP "inet addr" |$CUT -f 2 -d ":" |$CUT -f 1 -d " "`
IPTUNNEL=`$IFCONFIG ipsec0 |$GREP "inet addr"|$CUT -f 2 -d ":" |$CUT -f 1 -d " "`
# Minutes since boot
UPMINS=$((`cut -f1 -d' ' /proc/uptime | cut -f1 -d.` / 60))
UPWAIT=10
echo $UPMINS:$UPWAIT
if [ $UPMINS -gt $UPWAIT ]
then
    if [ $YDATE -lt 2007 ]
    then
        echo "Set Date and Time"
        /etc/init.d/S51setdate
    fi
    if [ ! -e /tmp/dnstable.txt ]
    then
        echo "Create new dnstable"
        /etc/init.d/S55dnstable
    fi
    # Both sides quoted: an empty value (interface down, no address yet)
    # must read as a mismatch, not as a shell syntax error.
    if [ "$IP" != "$IPTUNNEL" ]
    then
        echo "IPSec restart required -- different IP Addresses"
        $IPSEC setup --stop
        $IPSEC setup --start
    else
        echo "IPSec OK -- same IP addresses"
    fi
else
    echo "Fresh reboot -- Let S60ipsec start IPSec"
fi

/etc/ipsec.d/scripts/ipsec-restart.sh
This script restarts IPSec once a day. The tunnels can get "out of synch" when a peer's IP address change is not handled properly by /etc/dnscheck.awk. Running the startup scripts during an Internet outage (the DSL modem is unplugged while the router is plugged in) is one way to get the tunnels out of synch.
#!/bin/sh
# Restart IPSec

# Start a fresh log file for this run
rm -f /tmp/ipsec-restart.txt

echo Daily IPSec Restart >> /tmp/ipsec-restart.txt
echo Date: `date` >> /tmp/ipsec-restart.txt
/etc/init.d/S60ipsec --restart
echo IPSec Restart Complete >> /tmp/ipsec-restart.txt

/etc/ipsec.conf
This is the main Openswan configuration file.

This configuration file contains general settings as well as configuration for tunnels to location-a, a branch office connected to location-a, and location-b.

This file contains the VPN configuration for gateways that are not considered peers. Non-peers include Check Point gateways, Cisco gateways, and any network connected to either location-a or location-b through VPN routing.

The VPN configuration for Linksys routers running Openswan is contained in /etc/dyndns.info.peers.conf.

The following values might not be configured correctly. I remember experimenting with different values. You might have better luck using values that exactly match the Check Point gateway settings.

  • ikelifetime=1340m
  • keylife=3500s
  • keyingtries=%forever

The cipher settings in conn %default (ike=3des-md5-modp1024, esp=aes128-md5, pfs=no) are weak by current standards: MD5-based integrity, 3DES, a 1024-bit DH group and no perfect forward secrecy. Raise them wherever the peer gateway supports stronger settings.

strictcrlpolicy=yes can be changed to no if the CRLs are not being updated, at the cost of accepting certificates whose revocation status cannot be checked.

Check Point does auto-summarization on subnets by default. Let's assume location-a has two subnets behind their Check Point gateway. Subnet A is 172.17.10.0/24. Subnet B is 172.17.11.0/24. The correct Openswan configuration will be leftsubnet=172.17.10.0/23. Check Point has at least one KB article about this.
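To check a summary before putting it into leftsubnet, the following added example (not code from the original page) computes the smallest prefix covering a list of subnets and reports whether that prefix covers exactly those subnets or drags extra address space into the tunnel selector. It is POSIX sh, so it also runs on the router's busybox shell. The subnets are the page's own example; the function names are this example's.

```shell
#!/bin/sh
# Added example: summary-route check for Check Point auto-summarization.
# Input CIDRs below are the page's example subnets; nothing else is assumed.

# Dotted-quad IPv4 -> 32-bit integer.
ip2int() {
    _a=${1%%.*}; _r=${1#*.}
    _b=${_r%%.*}; _r=${_r#*.}
    _c=${_r%%.*}; _d=${_r#*.}
    echo $(( (_a << 24) | (_b << 16) | (_c << 8) | _d ))
}

# 32-bit integer -> dotted quad.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Netmask (as integer) for a prefix length 0..32.
mask_of() {
    echo $(( (0xffffffff << (32 - $1)) & 0xffffffff ))
}

# Network address (as integer) of "a.b.c.d/len".
net_of() {
    echo $(( $(ip2int "${1%/*}") & $(mask_of "${1#*/}") ))
}

# Succeeds if the summary (first CIDR) fully contains the subnet (second CIDR).
cidr_contains() {
    _sl=${1#*/}; _nl=${2#*/}
    [ "$_nl" -ge "$_sl" ] || return 1
    [ $(( $(ip2int "${2%/*}") & $(mask_of "$_sl") )) -eq "$(net_of "$1")" ]
}

# Smallest single prefix covering every CIDR given as argument; prints "a.b.c.d/len".
# Starts at the first argument's prefix length and shortens it until all fit.
summarize() {
    _len=${1#*/}
    _start=$(net_of "$1")
    while :; do
        _base=$(( _start & $(mask_of "$_len") ))
        _ok=1
        for _cidr in "$@"; do
            cidr_contains "$(int2ip "$_base")/$_len" "$_cidr" || { _ok=0; break; }
        done
        [ "$_ok" -eq 1 ] && break
        [ "$_len" -gt 0 ] || break
        _len=$(( _len - 1 ))
    done
    echo "$(int2ip "$_base")/$_len"
}

# Succeeds if the summary covers exactly the listed (non-overlapping) subnets,
# i.e. the tunnel selector does not pull in address space nobody asked for.
summary_is_exact() {
    _sum=${1#*/}; shift
    _total=0
    for _cidr in "$@"; do
        _total=$(( _total + (1 << (32 - ${_cidr#*/})) ))
    done
    [ "$_total" -eq $(( 1 << (32 - _sum) )) ]
}

# Worked run with the page's example: subnet A and subnet B behind location-a.
s=$(summarize 172.17.10.0/24 172.17.11.0/24)
echo "leftsubnet=$s"                                   # 172.17.10.0/23
summary_is_exact "$s" 172.17.10.0/24 172.17.11.0/24 && echo "exact summary" || echo "$s covers extra space"
# A non-adjacent pair only summarizes with slack: the covering prefix is a /21.
s2=$(summarize 172.17.10.0/24 172.17.12.0/24)
summary_is_exact "$s2" 172.17.10.0/24 172.17.12.0/24 && echo "exact summary" || echo "$s2 covers extra space"
```

When the check reports extra space, either list the subnets as separate conn sections (as the page does with the `-net` sections) or accept that the gateway will also claim the extra range.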

# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.15.2.4 2006/07/11 16:17:53 paul Exp $

# This file: /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5


version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
    # plutodebug / klipsdebug = "all", "none" or a combination from below:
    # "raw crypt parsing emitting control klips pfkey natt x509 private"
    # eg:
    # plutodebug="control parsing"
    #
    # Only enable klipsdebug=all if you are a developer
    #
    # NAT-TRAVERSAL support, see README.NAT-Traversal
    nat_traversal=yes
    # virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    #
    # enable this if you see "failed to find any available worker"
    nhelpers=0
    # Copy DSCP Mark to Encrypted packets
    hidetos=no
    # Require updated CRL's
    strictcrlpolicy=yes


# Add connections here

conn %default
    type=tunnel
    keyexchange=ike
    auth=esp
    auto=start
    authby=rsasig
    # Optional specify encryption/hash methods for phase 1 & 2
    ike=3des-md5-modp1024
    esp=aes128-md5
    # Disable Perfect Forward Secrecy
    pfs=no
    # Optional enable compression (if working)
    compress=no
    ikelifetime=1340m
    keylife=3500s
    keyingtries=%forever

include /etc/dyndns.info.peers.conf

conn net-soho-user-m--locationb-net
    also=net-soho-user-m--locationb
    leftsubnet=172.17.20.0/23

conn net-soho-user-m--locationb
    # Left side is Check Point
    left=12.11.22.5
    leftnexthop=12.11.22.1
    leftid=12.11.22.5
    leftcert=location-b/locationb.pem
    leftrsasigkey=%cert
    # Right side is Openswan
    right=soho-user-m.dyndns.info
    rightid=@soho-user-m.dyndns.info
    rightcert=location-b/soho-user-m.dyndns.info.pem
    rightrsasigkey=%cert
    rightsubnet=192.168.236.0/24
    rightsourceip=192.168.236.1   # Required for DNS forwarding

conn net-soho-user-m--locationa-net
    also=net-soho-user-m--locationa
    leftsubnet=172.17.10.0/23

# Connect to Location-A, Branch-A through Location-A's GW using VPN Routing
conn net-soho-user-m--locationa2locationabrancha-net
    also=net-soho-user-m--locationa
    leftsubnet=172.17.12.0/23

conn net-soho-user-m--locationa
    # Left side is Check Point
    left=12.10.20.5
    leftnexthop=12.10.20.1
    leftid=12.10.20.5
    # NOTE: this names location-b's gateway certificate for the location-a
    # gateway; check it is the intended file before relying on it.
    leftcert=location-b/locationb.pem
    leftrsasigkey=%cert
    # Right side is Openswan
    right=soho-user-m.dyndns.info
    rightid=@soho-user-m.dyndns.info
    rightcert=location-a/soho-user-m.dyndns.info.pem
    rightrsasigkey=%cert
    rightsubnet=192.168.236.0/24
    rightsourceip=192.168.236.1   # Required for DNS forwarding

# Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf

/etc/ipsec.secrets
Openswan secrets file. It names the RSA private keys (and their passphrases) for the location-a and location-b certificates. Because it holds the key passphrases in clear text, the file must be readable by root only.
# Define RSA keys (paths are relative to /etc/ipsec.d/private)
: RSA location-b/soho-user-m.dyndns.info.key "password"
: RSA location-a/soho-user-m.dyndns.info.key "password"

/etc/ez-ipupdate.conf
ez-ipupdate configuration file. This file contains the account information and settings used to push IP address changes to www.dyndns.org. Since the DynDNS credentials are stored in clear text, keep the file readable by root only.
service-type=dyndns
user=your-username:your-password
host=soho-user-m.dyndns.info
# interface=vlan1
quiet

# Do not change the lines below
cache-file=/tmp/ez-ipupdate.cache
pid-file=/var/run/ez-ipupdate.pid

/etc/firewall.user
IPTables configuration file.

There are several important modifications to this file.

  • Open port 22 to the WAN
  • Allow the WAN to accept the IPSec ESP protocol.
  • Allow the WAN to accept ISAKMP (udp port 500)
  • Allow all traffic between location-a's (or location-b's) LAN and the SOHO VPN Router's LAN.

Note that ipsec.conf sets nat_traversal=yes but only udp port 500 and ESP are opened below; if the router is ever placed behind a NAT device, udp port 4500 (NAT-T) must be accepted as well.
#!/bin/sh
. /etc/functions.sh

WAN=$(nvram get wan_ifname)
LAN=$(nvram get lan_ifname)

iptables -F input_rule
iptables -F output_rule
iptables -F forwarding_rule
iptables -t nat -F prerouting_rule
iptables -t nat -F postrouting_rule

### BIG FAT DISCLAIMER
## The "-i $WAN" is used to match packets that come in via the $WAN interface.
## it WILL NOT MATCH packets sent from the $WAN ip address -- you won't be able
## to see the effects from within the LAN.

### Open port to WAN
## -- This allows port 22 to be answered by (dropbear on) the router
iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 22 -j ACCEPT
iptables -A input_rule -i $WAN -p tcp --dport 22 -j ACCEPT

### Port forwarding
## -- This forwards port 8080 on the WAN to port 80 on 192.168.1.2
# iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 8080 -j DNAT --to 192.168.1.2:80
# iptables -A forwarding_rule -i $WAN -p tcp --dport 80 -d 192.168.1.2 -j ACCEPT

## Forward udp 5100 for Yahoo Webcam
iptables -t nat -A prerouting_rule -i $WAN -p udp --dport 5100 -j DNAT --to 192.168.140.242:5100
iptables -A forwarding_rule -i $WAN -p udp --dport 5100 -d 192.168.140.242 -j ACCEPT


# Forward 5900 and 5500 for VNC and reverse VNC
#iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 5900 -j DNAT --to 192.168.67.217:5900
#iptables -A forwarding_rule -i $WAN -p tcp --dport 5900 -d 192.168.67.217 -j ACCEPT
#iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 5500 -j DNAT --to 192.168.67.217:5500
#iptables -A forwarding_rule -i $WAN -p tcp --dport 5500 -d 192.168.67.217 -j ACCEPT

### DMZ
## -- Connections to ports not handled above will be forwarded to 192.168.1.2
# iptables -t nat -A prerouting_rule -i $WAN -j DNAT --to 192.168.1.2
# iptables -A forwarding_rule -i $WAN -d 192.168.1.2 -j ACCEPT

# Modified by Kevin Palmer from this point forward.
#
# IPTables options explained:
# -A = Append a new rule to a chain
# -j ACCEPT = Jump to the ACCEPT target
# -t nat = Operate on the nat table instead of the default filter table
#
# View IP Tables Status:
# iptables --list          # List filter rules
# iptables --list -t nat   # List NAT rules

iptables -A input_rule -p esp -i $WAN -j ACCEPT              # Allow IPSec ESP
iptables -A input_rule -p udp --dport 500 -i $WAN -j ACCEPT  # Allow ISAKMP

# Send traffic to specified destination without NAT?
# Doesn't this happen even without the rule?
iptables -t nat -A postrouting_rule -d 192.168.140.0/24 -j ACCEPT
iptables -t nat -A postrouting_rule -d 192.168.132.0/24 -j ACCEPT

# Allow any traffic between road warrior LAN and central LAN
iptables -A forwarding_rule -i $LAN -o ipsec0 -j ACCEPT
iptables -A forwarding_rule -i ipsec0 -o $LAN -j ACCEPT


# Marking packets with rules in firewall.user is not working yet.
#
# Mark ICMP Packets DSCP value EF (Expedited Forwarding)
# EF Diffserv hexadecimal: 0xb8
# EF DSCP hexadecimal: 0x2e
# EF DSCP decimal: 46

#iptables -t mangle -A PREROUTING -p ICMP -i $LAN -j DSCP --set-dscp 0x2e

# Mark all packets from a specific IP address DSCP EF
# Use /etc/ethers to create a DHCP reservation for your IP Phone
# if necessary.
#iptables -t mangle -A PREROUTING -s 192.168.139.10 -j DSCP --set-dscp 0x2e

/etc/dyndns.info.peers.conf
This is an include file for /etc/ipsec.conf. It contains the configuration for all of the peer-to-peer VPN tunnels and is designed as a template that can easily be customised using search and replace.
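Search-and-replace on a template invites drift (a peer's hostname updated but its subnet not, or a conn name that no longer follows the scheme). The following is an added example, not code from the original page, that generates the per-peer conn sections from a short "hostname subnet" table using the page's local-side values (soho-user-m.dyndns.info, 192.168.236.0/24, certificates under location-a) and the net-<local>--net-<peer> naming used by the first sections of the file. The table format, the function names and the duplicate-subnet check are this example's own choices.

```shell
#!/bin/sh
# Added example: generate /etc/dyndns.info.peers.conf from a peer table.
# Local-side values are the page's; the table format is this example's.

LOCAL_HOST=soho-user-m.dyndns.info
LOCAL_SUBNET=192.168.236.0/24
LOCAL_SOURCEIP=192.168.236.1
CERT_DIR=location-a

# Print one conn section for a peer. Arguments: peer FQDN, peer subnet.
peer_conn() {
    _lshort=${LOCAL_HOST%%.*}
    _pshort=${1%%.*}
    cat <<EOF
conn net-${_lshort}--net-${_pshort}
    # Left side is OpenSwan on Linksys
    left=${LOCAL_HOST}
    leftnexthop=%defaultroute
    leftcert=${CERT_DIR}/${LOCAL_HOST}.pem
    leftid=@${LOCAL_HOST}
    leftrsasigkey=%cert
    leftsubnet=${LOCAL_SUBNET}
    leftsourceip=${LOCAL_SOURCEIP}   # Required for DNS forwarding
    # Right side is Openswan
    right=$1
    rightcert=${CERT_DIR}/$1.pem
    rightid=@$1
    rightrsasigkey=%cert
    rightsubnet=$2

EOF
}

# Read "fqdn subnet" lines from stdin (blank lines and # comments skipped) and
# emit the whole include file on stdout. A peer whose subnet equals the local
# LAN or a subnet already used is rejected: two tunnels with the same selector
# would be ambiguous, and a peer claiming our own LAN would black-hole it.
gen_peers_conf() {
    _seen=" $LOCAL_SUBNET "
    echo "# Connections to Linksys/OpenWRT/OpenSWAN peers"
    echo "# generated for $LOCAL_HOST"
    echo
    while read -r _fqdn _subnet _rest; do
        case "$_fqdn" in ''|'#'*) continue ;; esac
        [ -n "$_subnet" ] || { echo "missing subnet for $_fqdn" >&2; return 1; }
        case "$_seen" in
            *" $_subnet "*) echo "duplicate subnet $_subnet for $_fqdn" >&2; return 1 ;;
        esac
        _seen="$_seen$_subnet "
        peer_conn "$_fqdn" "$_subnet"
    done
}

# Constructed peer table: the first three peers listed on the page.
PEERS='soho-user-a.dyndns.info 192.168.224.0/24
soho-user-b.dyndns.info 192.168.225.0/24
soho-user-c.dyndns.info 192.168.226.0/24'

# Number of conn sections the table produces (quick sanity check).
count_conns() {
    printf '%s\n' "$PEERS" | gen_peers_conf | grep -c '^conn '
}

printf '%s\n' "$PEERS" | gen_peers_conf
```

Redirect the output to /etc/dyndns.info.peers.conf and run `ipsec auto --rereadall` (or the daily restart script) to load it; the generator exits non-zero and writes nothing further if the table is inconsistent.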

# Connections to Linksys/OpenWRT/OpenSWAN peers
# SOHO User-M
# soho-user-m.dyndns.info


conn net-soho-user-m--net-soho-user-a
    # Left side is OpenSwan on Linksys
    left=soho-user-m.dyndns.info
    leftnexthop=%defaultroute
    leftcert=location-a/soho-user-m.dyndns.info.pem
    leftid=@soho-user-m.dyndns.info
    leftrsasigkey=%cert
    leftsubnet=192.168.236.0/24
    leftsourceip=192.168.236.1   # Required for DNS forwarding
    # Right side is Openswan
    right=soho-user-a.dyndns.info
    rightcert=location-a/soho-user-a.dyndns.info.pem
    rightid=@soho-user-a.dyndns.info
    rightrsasigkey=%cert
    rightsubnet=192.168.224.0/24

conn net-soho-user-m--net-soho-user-b
    # Left side is OpenSwan on Linksys
    left=soho-user-m.dyndns.info
    leftnexthop=%defaultroute
    leftcert=location-a/soho-user-m.dyndns.info.pem
    leftid=@soho-user-m.dyndns.info
    leftrsasigkey=%cert
    leftsubnet=192.168.236.0/24
    leftsourceip=192.168.236.1   # Required for DNS forwarding
    # Right side is Openswan
    right=soho-user-b.dyndns.info
    rightcert=location-a/soho-user-b.dyndns.info.pem
    rightid=@soho-user-b.dyndns.info
    rightrsasigkey=%cert
    rightsubnet=192.168.225.0/24

conn net-soho-user-m--net-soho-user-c
    # Left side is OpenSwan on Linksys
    left=soho-user-m.dyndns.info
    leftnexthop=%defaultroute
    leftcert=location-a/soho-user-m.dyndns.info.pem
    leftid=@soho-user-m.dyndns.info
    leftrsasigkey=%cert
    leftsubnet=192.168.236.0/24
    leftsourceip=192.168.236.1   # Required for DNS forwarding
    # Right side is Openswan
    right=soho-user-c.dyndns.info
    rightcert=location-a/soho-user-c.dyndns.info.pem
    rightid=@soho-user-c.dyndns.info
    rightrsasigkey=%cert
    rightsubnet=192.168.226.0/24

conn net-soho-user-m--net-soho-user-d
    # Left side is OpenSwan on Linksys
    left=soho-user-m.dyndns.info
    leftnexthop=%defaultroute
    leftcert=location-a/soho-user-m.dyndns.info.pem
    leftid=@soho-user-m.dyndns.info
    leftrsasigkey=%cert
    leftsubnet=192.168.236.0/24
    leftsourceip=192.168.236.1   # Required for DNS forwarding
    # Right side is Openswan
    right=soho-user-d.dyndns.info
    rightcert=location-a/soho-user-d.dyndns.info.pem
    rightid=@soho-user-d.dyndns.info
    rightrsasigkey=%cert
    rightsubnet=192.168.227.0/24

conn net-soho-user-m--net-soho-user-e
    # Left side is OpenSwan on Linksys
    left=soho-user-m.dyndns.info
    leftnexthop=%defaultroute
    leftcert=location-a/soho-user-m.dyndns.info.pem
    leftid=@soho-user-m.dyndns.info
    leftrsasigkey=%cert
    leftsubnet=192.168.236.0/24
    leftsourceip=192.168.236.1   # Required for DNS forwarding
    # Right side is Openswan
    right=soho-user-e.dyndns.info
    rightcert=location-a/soho-user-e.dyndns.info.pem
    rightid=@soho-user-e.dyndns.info
    rightrsasigkey=%cert
    rightsubnet=192.168.228.0/24

conn net-soho-user-m--net-soho-user-f
    # Left side is OpenSwan on Linksys
    left=soho-user-m.dyndns.info
    leftnexthop=%defaultroute
    leftcert=location-a/soho-user-m.dyndns.info.pem
    leftid=@soho-user-m.dyndns.info
    leftrsasigkey=%cert
    leftsubnet=192.168.236.0/24
    leftsourceip=192.168.236.1   # Required for DNS forwarding
    # Right side is Openswan
    right=soho-user-f.dyndns.info
    rightcert=location-a/soho-user-f.dyndns.info.pem
    rightid=@soho-user-f.dyndns.info
    rightrsasigkey=%cert
    rightsubnet=192.168.229.0/24

conn net-soho-user-m--net-soho-user-g
    # Left side is OpenSwan on Linksys
    left=soho-user-m.dyndns.info
    leftnexthop=%defaultroute
    leftcert=location-a/soho-user-m.dyndns.info.pem
    leftid=@soho-user-m.dyndns.info
    leftrsasigkey=%cert
    leftsubnet=192.168.236.0/24
    leftsourceip=192.168.236.1   # Required for DNS forwarding
    # Right side is Openswan
    right=soho-user-g.dyndns.info
    rightcert=location-a/soho-user-g.dyndns.info.pem
    rightid=@soho-user-g.dyndns.info
    rightrsasigkey=%cert
    rightsubnet=192.168.230.0/24

conn net-soho-user-m--net-soho-user-h
    # Left side is OpenSwan on Linksys
    left=soho-user-m.dyndns.info
    leftnexthop=%defaultroute
    leftcert=location-a/soho-user-m.dyndns.info.pem
    leftid=@soho-user-m.dyndns.info
    leftrsasigkey=%cert
    leftsubnet=192.168.236.0/24
    leftsourceip=192.168.236.1   # Required for DNS forwarding
    # Right side is Openswan
    right=soho-user-h.dyndns.info
    rightcert=location-a/soho-user-h.dyndns.info.pem
    rightid=@soho-user-h.dyndns.info
    rightrsasigkey=%cert
    rightsubnet=192.168.231.0/24

conn net-soho-user-m--net-soho-user-i
    # Left side is OpenSwan on Linksys
    left=soho-user-m.dyndns.info
    leftnexthop=%defaultroute
    leftcert=location-a/soho-user-m.dyndns.info.pem
    leftid=@soho-user-m.dyndns.info
    leftrsasigkey=%cert
    leftsubnet=192.168.236.0/24
    leftsourceip=192.168.236.1   # Required for DNS forwarding
    # Right side is Openswan
    right=soho-user-i.dyndns.info
    rightcert=location-a/soho-user-i.dyndns.info.pem
    rightid=@soho-user-i.dyndns.info
    rightrsasigkey=%cert
    rightsubnet=192.168.232.0/24

conn net-soho-user-m--net-soho-user-j
    # Left side is OpenSwan on Linksys
    left=soho-user-m.dyndns.info
    leftnexthop=%defaultroute
    leftcert=location-a/soho-user-m.dyndns.info.pem
    leftid=@soho-user-m.dyndns.info
    leftrsasigkey=%cert
    leftsubnet=192.168.236.0/24
    leftsourceip=192.168.236.1   # Required for DNS forwarding
    # Right side is Openswan
    right=soho-user-j.dyndns.info
    rightcert=location-a/soho-user-j.dyndns.info.pem
    rightid=@soho-user-j.dyndns.info
    rightrsasigkey=%cert
    rightsubnet=192.168.233.0/24

conn net-soho-user-m--net-soho-user-k
    # Left side is OpenSwan on Linksys
    left=soho-user-m.dyndns.info
    leftnexthop=%defaultroute
    leftcert=location-a/soho-user-m.dyndns.info.pem
    leftid=@soho-user-m.dyndns.info
    leftrsasigkey=%cert
    leftsubnet=192.168.236.0/24
    leftsourceip=192.168.236.1   # Required for DNS forwarding
    # Right side is Openswan
    right=soho-user-k.dyndns.info
    rightcert=location-a/soho-user-k.dyndns.info.pem
    rightid=@soho-user-k.dyndns.info
    rightrsasigkey=%cert
    rightsubnet=192.168.234.0/24

conn net-soho-user-m--net-soho-user-l
    # Left side is OpenSwan on Linksys
    left=soho-user-m.dyndns.info
    leftnexthop=%defaultroute
    leftcert=location-a/soho-user-m.dyndns.info.pem
    leftid=@soho-user-m.dyndns.info
    leftrsasigkey=%cert
    leftsubnet=192.168.236.0/24
    leftsourceip=192.168.236.1   # Required for DNS forwarding
    # Right side is Openswan
    right=soho-user-l.dyndns.info
    rightcert=location-a/soho-user-l.dyndns.info.pem
    rightid=@soho-user-l.dyndns.info
    rightrsasigkey=%cert
    rightsubnet=192.168.235.0/24

#conn net-soho-user-m--net-soho-user-m
#    # Left side is OpenSwan on Linksys
#    left=soho-user-m.dyndns.info
#    leftnexthop=%defaultroute
#    leftcert=location-a/soho-user-m.dyndns.info.pem
#    leftid=@soho-user-m.dyndns.info
#    leftrsasigkey=%cert
#    leftsubnet=192.168.236.0/24
#    leftsourceip=192.168.236.1   # Required for DNS forwarding
#    # Right side is Openswan
#    right=soho-user-m.dyndns.info
#    rightcert=location-a/soho-user-m.dyndns.info.pem
#    rightid=@soho-user-m.dyndns.info
#    rightrsasigkey=%cert
#    rightsubnet=192.168.236.0/24

conn net-soho-user-m--soho-user-n
    # Left side is OpenSwan on Linksys
    left=soho-user-m.dyndns.info
    leftnexthop=%defaultroute
    leftcert=location-a/soho-user-m.dyndns.info.pem
    leftid=@soho-user-m.dyndns.info
    leftrsasigkey=%cert
    leftsubnet=192.168.236.0/24
    leftsourceip=192.168.236.1   # Required for DNS forwarding
    # Right side is Openswan
    right=soho-user-n.dyndns.info
    rightcert=location-a/soho-user-n.dyndns.info.pem
    rightid=@soho-user-n.dyndns.info
    rightrsasigkey=%cert
    rightsubnet=192.168.237.0/24

# Un Comment this section if Location-A, Branch-A is using OpenSwan instead of CheckPoint
#
#conn net-soho-user-m--soho-user-o
#    # Left side is OpenSwan on Linksys
#    left=soho-user-m.dyndns.info
#    leftnexthop=%defaultroute
#    leftcert=location-a/soho-user-m.dyndns.info.pem
#    leftid=@soho-user-m.dyndns.info
#    leftrsasigkey=%cert
#    leftsubnet=192.168.236.0/24
#    leftsourceip=192.168.236.1   # Required for DNS forwarding
#    # Right side is Openswan
#    right=soho-user-o.dyndns.info
#    rightcert=location-a/soho-user-o.dyndns.info.pem
#    rightid=@soho-user-o.dyndns.info
#    rightrsasigkey=%cert
#    rightsubnet=172.17.12.0/23

conn net-soho-user-m--soho-user-p
    # Left side is OpenSwan on Linksys
    left=soho-user-m.dyndns.info
    leftnexthop=%defaultroute
    leftcert=location-a/soho-user-m.dyndns.info.pem
    leftid=@soho-user-m.dyndns.info
    leftrsasigkey=%cert
    leftsubnet=192.168.236.0/24
    leftsourceip=192.168.236.1   # Required for DNS forwarding
    # Right side is Openswan
    right=soho-user-p.dyndns.info
    rightcert=location-a/soho-user-p.dyndns.info.pem
    rightid=@soho-user-p.dyndns.info
    rightrsasigkey=%cert
    rightsubnet=192.168.239.0/24

conn net-soho-user-m--soho-user-q
    # Left side is OpenSwan on Linksys
    left=soho-user-m.dyndns.info
    leftnexthop=%defaultroute
    leftcert=location-a/soho-user-m.dyndns.info.pem
    leftid=@soho-user-m.dyndns.info
    leftrsasigkey=%cert
    leftsubnet=192.168.236.0/24
    leftsourceip=192.168.236.1   # Required for DNS forwarding
    # Right side is Openswan
    right=soho-user-q.dyndns.info
    rightcert=location-a/soho-user-q.dyndns.info.pem
    rightid=@soho-user-q.dyndns.info
    rightrsasigkey=%cert
    rightsubnet=192.168.240.0/24

conn net-soho-user-m--soho-user-r
    # Left side is OpenSwan on Linksys
    left=soho-user-m.dyndns.info
    leftnexthop=%defaultroute
    leftcert=location-a/soho-user-m.dyndns.info.pem
    leftid=@soho-user-m.dyndns.info
    leftrsasigkey=%cert
    leftsubnet=192.168.236.0/24
    leftsourceip=192.168.236.1   # Required for DNS forwarding
    # Right side is Openswan
    right=soho-user-r.dyndns.info
    rightcert=location-a/soho-user-r.dyndns.info.pem
    rightid=@soho-user-r.dyndns.info
    rightrsasigkey=%cert
    rightsubnet=192.168.241.0/24

conn net-soho-user-m--soho-user-s
    # Left side is OpenSwan on Linksys
    left=soho-user-m.dyndns.info
    leftnexthop=%defaultroute
    leftcert=location-a/soho-user-m.dyndns.info.pem
    leftid=@soho-user-m.dyndns.info
    leftrsasigkey=%cert
    leftsubnet=192.168.236.0/24
    leftsourceip=192.168.236.1   # Required for DNS forwarding
    # Right side is Openswan
    right=soho-user-s.dyndns.info
    rightcert=location-a/soho-user-s.dyndns.info.pem
    rightid=@soho-user-s.dyndns.info
    rightrsasigkey=%cert
    rightsubnet=192.168.242.0/24

conn net-soho-user-m--soho-user-t
    # Left side is OpenSwan on Linksys
    left=soho-user-m.dyndns.info
    leftnexthop=%defaultroute
    leftcert=location-a/soho-user-m.dyndns.info.pem
    leftid=@soho-user-m.dyndns.info
    leftrsasigkey=%cert
    leftsubnet=192.168.236.0/24
    leftsourceip=192.168.236.1   # Required for DNS forwarding
    # Right side is Openswan
    right=soho-user-t.dyndns.info
    rightcert=location-a/soho-user-t.dyndns.info.pem
    rightid=@soho-user-t.dyndns.info
    rightrsasigkey=%cert
    rightsubnet=192.168.243.0/24

conn net-soho-user-m--soho-user-u
    # Left side is OpenSwan on Linksys
    left=soho-user-m.dyndns.info
    leftnexthop=%defaultroute
    leftcert=location-a/soho-user-m.dyndns.info.pem
    leftid=@soho-user-m.dyndns.info
    leftrsasigkey=%cert
    leftsubnet=192.168.236.0/24
    leftsourceip=192.168.236.1   # Required for DNS forwarding
    # Right side is Openswan
    right=soho-user-u.dyndns.info
    rightcert=location-a/soho-user-u.dyndns.info.pem
    rightid=@soho-user-u.dyndns.info
    rightrsasigkey=%cert
    rightsubnet=192.168.244.0/24

conn net-soho-user-m--soho-user-v
    # Left side is OpenSwan on Linksys
    left=soho-user-m.dyndns.info
    leftnexthop=%defaultroute
    leftcert=location-a/soho-user-m.dyndns.info.pem
    leftid=@soho-user-m.dyndns.info
    leftrsasigkey=%cert
    leftsubnet=192.168.236.0/24
    leftsourceip=192.168.236.1   # Required for DNS forwarding
    # Right side is Openswan
    right=soho-user-v.dyndns.info
    rightcert=location-a/soho-user-v.dyndns.info.pem
    rightid=@soho-user-v.dyndns.info
    rightrsasigkey=%cert
    rightsubnet=192.168.245.0/24

conn net-soho-user-m--soho-user-w
    # Left side is OpenSwan on Linksys
    left=soho-user-m.dyndns.info
    leftnexthop=%defaultroute
    leftcert=location-a/soho-user-m.dyndns.info.pem
    leftid=@soho-user-m.dyndns.info
    leftrsasigkey=%cert
    leftsubnet=192.168.236.0/24
    leftsourceip=192.168.236.1   # Required for DNS forwarding
    # Right side is Openswan
    right=soho-user-w.dyndns.info
    rightcert=location-a/soho-user-w.dyndns.info.pem
    rightid=@soho-user-w.dyndns.info
    rightrsasigkey=%cert
    rightsubnet=192.168.246.0/24

conn net-soho-user-m--soho-user-x
    # Left side is OpenSwan on Linksys
    left=soho-user-m.dyndns.info
    leftnexthop=%defaultroute
    leftcert=location-a/soho-user-m.dyndns.info.pem
    leftid=@soho-user-m.dyndns.info
    leftrsasigkey=%cert
    leftsubnet=192.168.236.0/24
    leftsourceip=192.168.236.1   # Required for DNS forwarding
    # Right side is Openswan
    right=soho-user-x.dyndns.info
    rightcert=location-a/soho-user-x.dyndns.info.pem
    rightid=@soho-user-x.dyndns.info
    rightrsasigkey=%cert
    rightsubnet=192.168.247.0/24

conn net-soho-user-m--soho-user-y
    # Left side is OpenSwan on Linksys
    left=soho-user-m.dyndns.info
    leftnexthop=%defaultroute
    leftcert=location-a/soho-user-m.dyndns.info.pem
    leftid=@soho-user-m.dyndns.info
    leftrsasigkey=%cert
    leftsubnet=192.168.236.0/24
    leftsourceip=192.168.236.1   # Required for DNS forwarding
    # Right side is Openswan
    right=soho-user-y.dyndns.info
    rightcert=location-a/soho-user-y.dyndns.info.pem
    rightid=@soho-user-y.dyndns.info
    rightrsasigkey=%cert
    rightsubnet=192.168.248.0/24

conn net-soho-user-m--soho-user-z
    # Left side is OpenSwan on Linksys
    left=soho-user-m.dyndns.info
    leftnexthop=%defaultroute
    leftcert=location-a/soho-user-m.dyndns.info.pem
    leftid=@soho-user-m.dyndns.info
    leftrsasigkey=%cert
    leftsubnet=192.168.236.0/24
    leftsourceip=192.168.236.1   # Required for DNS forwarding
    # Right side is Openswan
    right=soho-user-z.dyndns.info
    rightcert=location-a/soho-user-z.dyndns.info.pem
    rightid=@soho-user-z.dyndns.info
    rightrsasigkey=%cert
    rightsubnet=192.168.249.0/24

conn net-soho-user-m--soho-user-aa
    # Left side is OpenSwan on Linksys
    left=soho-user-m.dyndns.info
    leftnexthop=%defaultroute
    leftcert=location-a/soho-user-m.dyndns.info.pem
    leftid=@soho-user-m.dyndns.info
    leftrsasigkey=%cert
    leftsubnet=192.168.236.0/24
    leftsourceip=192.168.236.1   # Required for DNS forwarding
    # Right side is Openswan
    right=soho-user-aa.dyndns.info
    rightcert=location-a/soho-user-aa.dyndns.info.pem
    rightid=@soho-user-aa.dyndns.info
    rightrsasigkey=%cert
    rightsubnet=192.168.250.0/24

conn net-soho-user-m--soho-user-ba
    # Left side is OpenSwan on Linksys
    left=soho-user-m.dyndns.info
    leftnexthop=%defaultroute

Created by: system last modification: Monday 21 of January, 2008 [19:16:56 UTC] by admin

