README file for ras.py======================What is it?-----------This

1. README file for ras.py
2. ======================
3.  
4. What is it?
5. -----------
6. This script connects you to an IPsec RAS service.
7.  
8. Assumptions: The FreeS/WAN or openswan /etc/ipsec.conf and
9. /etc/ipsec.secrets config files are configured correctly and
10. contain the descriptions of the connections and the needed secrets.
11. The connections should be configured to be added, NOT started
12. on /etc/init.d/ipsec start, i.e. auto=add in ipsec.conf.
13. The script assumes that we are the left side of the connection.
14. Note: It might work for people with auto=start, but I haven't
15. tested this. Nor have I tested without private virtual IP.
16.  
17. This script should be executed setuid root.
18. It is configured by /etc/ras.config (or another cfg file specified)
19. which has the .ini file syntax as described below.
20.  
21. Configuration /etc/ras.config
22. -----------------------------
23. Lines that start with '#' are considered comments and disregarded.
24.  
25. The [global] section has the following keys (all optional!):
26. pinginterval: How many seconds to wait between pings (default: 15).
27. pingtimeout: How long (s) to wait for our peer to answer (default: 5).
28. pingfail: How many subsequent pings need to fail to make the script
29. assume that the connectivity is down (default: 6).
30. failholdoff: How long to sleep before trying to reconnect (def: 150).
31. maxconnect: How many seconds we may be connected in total
32. (default: empty => infinite).
33. virtip: virtual IP of your end of the IPsec connection
34. (default: empty => no virtual IP is used).
35. netdev: name of the NIC that's used to send out IPsec traffic
36. (default: empty => ipsec0 for KLIPS, netdev of defaultroute otherwise).
37. gateway: set to an empty string or 'via IP' to explicitly set routing GW
38. (default: if no netdev is specified take defroute gw, otherwise '').
39. authhost: Machine to telnet to for the opie auth session
40. (default: none => skip opie auth session).
41. authretry: How many times to try auth session if telnet times out.
42. 0 means infinity (default: 3).
43. logname: username to log in as into authhost
44. (default: user running the script).
45.  
46. Expert options are:
47. ipseccmd: Let's you override the command to control ipsec tunnels
48. with --up/--down/--status conn.name (default: /usr/sbin/ipsec auto)
49. ipsecinit: Let's you the command to call the ipsec init script
50. (default: /etc/init.d/ipsec)
51. ipsecconfread: Let's you override how to read FreeSWAN's ipsec.conf
52. (default: cat /etc/ipsec.conf)
53. ipcmd: The iproute2 command (default: /sbin/ip)
54. routeraw: How to get raw routing table (default: cat /proc/net/route)
55. netdevexist: How to determine existence of a network device
56. (default: test -e /proc/sys/net/ipv4/conf/)
57. The most common use for these expoert options is to prefix commands with
58. ssh -t to remote control another machine who handles the tunnels. This
59. can be more easily achieved by specifying
60. cmdprefix: Let's you prefix the commands ipseccmd, ipsecinit,
61. ipsecconfread, ipcmd, routeraw, and netdevexist.
62. Note that individual settings are not prefixed automatically.
63.  
64. The global section is mandatory, but it can be empty if the
65. defaults all work for you.
66.  
67. There are additional sections where the section name does specify
68. the name of the IPsec connection as given in ipsec.conf.
69. The following entries per section are supported:
70. route: The route that should be set, should be equal to the
71. other side's subnet, e.g. 10.0.0.0/8 (optional).
72. The route is taken from rightsubnet in ipsec.conf, but can be
73. overriden here.
74. The special word 'AUTO' here prevents ras.py to affect your routes
75. but assumes that the ipcseccmd has taken care of it.
76. pinghost: Machine to periodically send ping commands to (optional).
77.  
78. mtu: MTU for the route (optional, default 1428).
79.  
80. Multiple connections can be specified this way.
81. The script starts and stops them all.
82.  
83. Usage
84. -----
85. The script is verbose about success or failure, the return codes
86. roughly match the ones from LSB init scripts.
87.  
88. The program can be run in daemon mode, in which case it forks
89. a background process; subsequent calls of this program will connect
90. to the daemon by sending it signals.
91. The signals SIGTERM/SIGINT/SIGQUIT terminate the process/daemon,
92. the signal SIGUSR1 makes it log status information, and
93. the signal SIGUSR2 makes it close the connections, reread the config
94. file and reconnect. SIGHUP reacts like SIGUSR2 in daemon mode, and
95. like SIGTERM in foreground mode.
96.  
97. Usage: ras.py [options] action [cfg file]
98. options: -v (verbose), -q (quiet),
99. -d (daemonize), -D (Direct) -a (alreadyauthenticated)
100. action: (start|up|status|help|stop|down|
101. try-restart|condrestart|restart|reload|force-reload|probe)
102.  
103. Example configs
104. ---------------
105. 1. Minimal config
106. [global]
107. # Nothing needed
108.  
109. [myself-mycompany]
110. # Nothing needed
111.  
112. 2. Remote control another machine (router), ping
113. [global]
114. cmdprefix: ssh root@router
115. #telnetcmd: ssh -t root@router /usr/bin/telnet
116.  
117. [myself-mycompany1]
118. #route: 10.0.0.0/14
119. pinghost: 10.0.0.1
120. #pingfail: 6
121.  
122. [myself-mycompany2]
123. pinghost: 10.4.0.1
124. #route: 10.4.0.0/14
125.  
126. 3. With opie preauthentication and explicit virtual IP setting
127. and route override
128. [global]
129. authhost: ipsec-router-external-ip.company.com
130. virtip: 10.240.0.12
131. #logname: user
132.  
133. [myself-mycompany]
134. route: 10.0.0.0/9
135. pinghost: 10.0.0.1
136.  
137. You must have the connections myself-mycompany(1/2) configured
138. in /etc/ipsec.conf.