Pastebin launched a little side project called VERYVIRAL.com, check it out ;-) Want more features on Pastebin? Sign Up, it's FREE!
Guest

Untitled

By: a guest on Apr 2nd, 2012  |  syntax: None  |  size: 5.46 KB  |  views: 31  |  expires: Never
download  |  raw  |  embed  |  report abuse  |  print
Text below is selected. Please press Ctrl+C to copy to your clipboard. (⌘+C on Mac)
  1. README file for ras.py
  2. ======================
  3.  
  4. What is it?
  5. -----------
  6. This script connects you to an IPsec RAS service.
  7.  
  8. Assumptions: The FreeS/WAN or openswan /etc/ipsec.conf and
  9. /etc/ipsec.secrets config files are configured correctly and
  10. contain the descriptions of the connections and the needed secrets.
  11. The connections should be configured to be added, NOT started
  12. on /etc/init.d/ipsec start, i.e. auto=add in ipsec.conf.
  13. The script assumes that we are the left side of the connection.
  14.  Note: It might work for people with auto=start, but I haven't
  15.  tested this. Nor have I tested without private virtual IP.
  16.  
  17. This script should be executed setuid root.
  18. It is configured by /etc/ras.config (or another cfg file specified)
  19. which has the .ini file syntax as described below.
  20.  
  21. Configuration /etc/ras.config
  22. -----------------------------
  23. Lines that start with '#' are considered comments and disregarded.
  24.  
  25. The [global] section has the following keys (all optional!):
  26.  pinginterval: How many seconds to wait between pings (default: 15).
  27.  pingtimeout: How long (s) to wait for our peer to answer (default: 5).
  28.  pingfail: How many subsequent pings need to fail to make the script
  29.         assume that the connectivity is down (default: 6).
  30.  failholdoff: How long to sleep before trying to reconnect (def: 150).
  31.  maxconnect: How many seconds we may be connected in total
  32.         (default: empty => infinite).
  33.  virtip: virtual IP of your end of the IPsec connection
  34.         (default: empty => no virtual IP is used).
  35.  netdev: name of the NIC that's used to send out IPsec traffic
  36.         (default: empty => ipsec0 for KLIPS, netdev of defaultroute otherwise).
  37.  gateway: set to an empty string or 'via IP' to explicitly set routing GW
  38.         (default: if no netdev is specified take defroute gw, otherwise '').
  39.  authhost: Machine to telnet to for the opie auth session
  40.         (default: none => skip opie auth session).
  41.  authretry: How many times to try auth session if telnet times out.
  42.         0 means infinity (default: 3).
  43.  logname: username to log in as into authhost
  44.         (default: user running the script).
  45.  
  46. Expert options are:
  47.  ipseccmd: Let's you override the command to control ipsec tunnels
  48.         with --up/--down/--status conn.name (default: /usr/sbin/ipsec auto)
  49.  ipsecinit: Let's you the command to call the ipsec init script
  50.         (default: /etc/init.d/ipsec)
  51.  ipsecconfread: Let's you override how to read FreeSWAN's ipsec.conf
  52.         (default: cat /etc/ipsec.conf)
  53.  ipcmd: The iproute2 command (default: /sbin/ip)
  54.  routeraw: How to get raw routing table (default: cat /proc/net/route)
  55.  netdevexist: How to determine existence of a network device
  56.         (default: test -e /proc/sys/net/ipv4/conf/)
  57. The most common use for these expoert options is to prefix commands with
  58. ssh -t to remote control another machine who handles the tunnels. This
  59. can be more easily achieved by specifying
  60.  cmdprefix: Let's you prefix the commands ipseccmd, ipsecinit,
  61.         ipsecconfread, ipcmd, routeraw, and netdevexist.
  62.         Note that individual settings are not prefixed automatically.
  63.  
  64. The global section is mandatory, but it can be empty if the
  65. defaults all work for you.  
  66.  
  67. There are additional sections where the section name does specify
  68. the name of the IPsec connection as given in ipsec.conf.
  69. The following entries per section are supported:
  70. route: The route that should be set, should be equal to the
  71.         other side's subnet, e.g. 10.0.0.0/8 (optional).
  72.         The route is taken from rightsubnet in ipsec.conf, but can be
  73.         overriden here.
  74.         The special word 'AUTO' here prevents ras.py to affect your routes
  75.         but assumes that the ipcseccmd has taken care of it.
  76. pinghost: Machine to periodically send ping commands to (optional).
  77.  
  78. mtu: MTU for the route (optional, default 1428).
  79.  
  80. Multiple connections can be specified this way.
  81. The script starts and stops them all.
  82.  
  83. Usage
  84. -----
  85. The script is verbose about success or failure, the return codes
  86. roughly match the ones from LSB init scripts.
  87.  
  88. The program can be run in daemon mode, in which case it forks
  89. a background process; subsequent calls of this program will connect
  90. to the daemon by sending it signals.
  91. The signals SIGTERM/SIGINT/SIGQUIT terminate the process/daemon,
  92. the signal  SIGUSR1 makes it log status information, and
  93. the signal  SIGUSR2 makes it close the connections, reread the config
  94. file and reconnect. SIGHUP reacts like SIGUSR2 in daemon mode, and
  95. like SIGTERM in foreground mode.
  96.  
  97. Usage: ras.py [options] action [cfg file]
  98.  options: -v (verbose), -q (quiet),
  99.         -d (daemonize), -D (Direct) -a (alreadyauthenticated)
  100.  action: (start|up|status|help|stop|down|
  101.          try-restart|condrestart|restart|reload|force-reload|probe)
  102.  
  103. Example configs
  104. ---------------
  105. 1. Minimal config
  106. [global]
  107. # Nothing needed
  108.  
  109. [myself-mycompany]
  110. # Nothing needed
  111.  
  112. 2. Remote control another machine (router), ping
  113. [global]
  114. cmdprefix: ssh root@router
  115. #telnetcmd: ssh -t root@router /usr/bin/telnet
  116.  
  117. [myself-mycompany1]
  118. #route: 10.0.0.0/14
  119. pinghost: 10.0.0.1
  120. #pingfail: 6
  121.  
  122. [myself-mycompany2]
  123. pinghost: 10.4.0.1
  124. #route: 10.4.0.0/14
  125.  
  126. 3. With opie preauthentication and explicit virtual IP setting
  127.    and route override
  128. [global]
  129. authhost: ipsec-router-external-ip.company.com
  130. virtip: 10.240.0.12
  131. #logname: user
  132.  
  133. [myself-mycompany]
  134. route: 10.0.0.0/9
  135. pinghost: 10.0.0.1
  136.  
  137. You must have the connections myself-mycompany(1/2) configured
  138. in /etc/ipsec.conf.