andre/scripts-conlxsyslog03
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

init

Browse Source
This commit is contained in:
conetadm
2024-11-14 21:11:06 +01:00
commit 5718e70f15
657 changed files with 9401652 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

375
conetadm/vpn-config/vpn-config.pl Normal file
View File

@@ -0,0 +1,375 @@
#!/bin/perl
$outside{'asa-frankfurt'} = "outside";
$outside{'asa-hosting'} = "outside";
$outside{'asa-vwd-1'} = "TG-TRANS";
$outside{'asa-admin-1'} = "outside";
$outside{'asa-voeb-1'} = "outside_Versatel";
$cryptomap{'asa-frankfurt'} = "CONET-Solutions_vpnmap";
$cryptomap{'asa-hosting'} = "outside_map3";
$cryptomap{'asa-vwd-1'} = "TG-TRANS_map0";
$cryptomap{'asa-admin-1'} = "outside_map1";
$cryptomap{'asa-voeb-1'} = "outside_Versatel_map2";
print "\n\nSite 2 Site Konfig erstellen\n\n";
uber ("Allgemeine Angaben");
$kunde = eingabe ("Kundenname");
$nr = eingabe ("Nummer (meist 1, da nur 1 Tunnel je Kunde)");
$peers = eingabe ("Anzahl Peers (1,2)");
if ($peers == 1 || $peers == 2) {
$peer1 = eingabe("Peer 1");
$psk1 = eingabe("PSK 1");
if ($peers == 2) {
$peer2 = eingabe("Peer 2");
$psk2 = eingabe("PSK 2");
}
} else {
ende("Nur 1 oder 2 erlaubt.", 1);
}
$asa = eingabe ("ASA Hostname");
if ($outside{$asa} eq "") {
ende ("Kein externes Interface gefunden.", 1);
}
ausgabe ("outside", $outside{$asa});
if ($outside{$asa} eq "") {
ende ("Keine crypto map gefunden.", 1);
}
ausgabe ("crypto map", $cryptomap{$asa});
$cmd = "/home/rancid/bin/clogin -f /home/rancid/.cloginrc -u \$SSHUSER -p \$SSHPASS -c 'sh run | i crypto map $cryptomap{$asa}' $asa | grep -v 'sh run' | grep -v ' interface ' | grep -o 'crypto map .* [0-9]*' | awk '{print \$4}' | sort -n | uniq | tr -d '\r' | tr '\n' ' '";
$str = `$cmd`;
ausgabe("Verwendete crypto map Nummern", $str);
@used=split " ", $str;
for ($i = 1 ; $i++ ; $i <= 2000) {
$match=0;
foreach (@used) {
if ($_ == $i) {
$match=1;
}
}
$cmnr = $i;
last if not $match;
}
ausgabe ("Verwende crypto map Nummer", $cmnr);
$inside = eingabe ("LAN Interface");
uber ("Phase 1");
$ike = eingabe ("IKE Version (1,2)");
if ($ike == 1 || $ike == 2) {
$ike = "ikev" . $ike;
} else {
ende("Nur 1 oder 2 erlaubt.", 1);
}
$newpol = eingabe ("Neue Policy anlegen (1) oder bestehende verwenden (2)");
if ($newpol == 1) {
$cmd = "/home/rancid/bin/clogin -f /home/rancid/.cloginrc -u \$SSHUSER -p \$SSHPASS -c 'sh run | i $ike policy' $asa | grep -v 'sh run' | grep -o 'crypto .* policy [0-9]*' | awk '{print \$4}' | sort -n | uniq | tr '\n' ' '";
$str = `$cmd`;
ausgabe ("Diese Policynummern existieren", $str);
@used=split " ", $str;
for ($i = 1 ; $i++ ; $i <= 2000) {
$match=0;
foreach (@used) {
if ($_ == $i) {
$match=1;
}
}
$pnr = $i;
last if not $match;
}
ausgabe ("Verwende Policy Nummer", $pnr);
#$pnr = eingabe ("Neue Policy Nummer eingeben");
$p1dh = eingabe ("DH Group (bspw 5, 14, 19, 20, 21)");
$p1life = eingabe ("Lifetime in Sekunden 3600(1h), 28800(8h), 86400(24h)");
$p1enc = eingabe ("Encryption (aes, aes-192, aes-256)");
$p1hash = eingabe ("Hash (sha, sha256, sha384, sha512)");
} elsif ($newpol == 2) {
; # nicht zu tun hier
} else {
ende ("Nur 1 oder 2 erlaubt", 1);
}
uber ("Phase 2");
$p2lifekb = eingabe ("Lifetime in Kilobytes (default 4608000, unlimited)");
$p2life = eingabe ("Lifetim in Sekunden (default 28800)");
$pfs = eingabe ("PFS verwenden (1) oder nicht (2)");
if ($pfs == 1) {
$pfsdh = eingabe ("DH Group (bspw 5, 14, 19, 20, 21)");
} elsif ($pfs == 2) {
; # nicht zu tun hier
} else {
ende ("Nur 1 oder 2 erlaubt", 1);
}
$tsprop = "IPSec Proposal"; # ikev2
if ($ike eq "ikev1") { $tsprop = "Transform-Set"}
$cmd = "/home/rancid/bin/clogin -f /home/rancid/.cloginrc -u \$SSHUSER -p \$SSHPASS -c 'sh run | i crypto ipsec $ike ipsec-proposal' $asa | grep -v 'sh run' | grep 'ipsec-proposal' | awk '{print \$5}' | sort -n | uniq | tr -d '\\r' | tr '\\n' ' '"; # ikev2
if ($ike eq "ikev1") {
$cmd = "/home/rancid/bin/clogin -f /home/rancid/.cloginrc -u \$SSHUSER -p \$SSHPASS -c 'sh run | i crypto ipsec $ike transform-set' $asa | grep -v 'sh run' | grep 'transform-set' | awk '{print \$5}' | sort -n | uniq | tr -d '\\r' | tr '\\n' ' '";
} #ikev1
$str = `$cmd`;
ausgabe ("Diese $tsprop existieren", $str);
$newprop = eingabe ("Neues $tsprop (1) oder bestehendes (2)");
if ($newprop == 1) {
$tspropname = eingabe ("Name für neues $tsprop");
if ($ike eq "ikev2") {
$p2enc = eingabe ("Encryption (aes-192, aes-256, aes-gcm-192, aes-gcm-256, aes-gmac-192, aes-gmac-256)");
$p2hash = eingabe ("Hash (sha-256, sha-384, sha-512)");
} else {
$p2enc = eingabe ("Encryption (esp-aes-192, esp-aes-256)");
$p2hash = eingabe ("Hash (esp-sha-hmac)");
}
} elsif ($newprop == 2) {
$tspropname = eingabe ("Welches $tsprop verwenden");
} else {
ende ("Nur 1 oder 2 erlaubt", 1);
}
uber ("Keepalive");
$keepalive = eingabe ("Keepalive verwenden (1) oder nicht (2)");
if ($keepalive == 1) {
$retry = eingabe ("Retry Intervall");
$threshold = eingabe ("Threshold");
} elsif ($keepalive == 2) {
; # nicht zu tun hier
} else {
ende ("Nur 1 oder 2 erlaubt", 1);
}
printf "
! Konfiguration Start
";
# objekte
printf "
! Netzwerkobjekte
object network _CS_NO_%s_Lokal_net1
subnet 192.168.1.0 255.255.255.0
object-group network _CS_NG_%s_Lokal
network-object object _CS_NO_%s_Lokal_net1
object network _CS_NO_%s_Remote_net1
subnet 192.168.2.0 255.255.255.0
object-group network _CS_NG_%s_Remote
network-object object _CS_NO_%s_Remote_net1
", $kunde, $kunde, $kunde, $kunde, $kunde, $kunde;
printf "
! nat excemption
nat (%s,%s) source static _CS_NG_%s_Lokal _CS_NG_%s_Lokal destination static _CS_NG_%s_Remote _CS_NG_%s_Remote no-proxy-arp route-lookup
", $inside, $outside{$asa}, $kunde, $kunde, $kunde, $kunde;
# ike policy
if ($newpol == 1) {
print "
! Neue Policy";
if ($ike eq "ikev1") {
printf "
crypto ikev1 policy $pnr
authentication pre-share
encryption $p1enc
hash $p1hash
group $p1dh
lifetime $p1life
";
}
if ($ike eq "ikev2") {
printf "
crypto ikev2 policy $pnr
encryption $p1enc
integrity $p1hash
group $p1dh
prf $p1hash
lifetime $p1life
";
}
} else {
printf "
! Bestehende %s Policies verwenden
", ($ike eq 'ikev1')? 'IKEv1':'IKEv2';
}
# group policy 1 und 2
printf "
! Group %s
group-policy %s_GroupPolicy_Tunnel-%s_Peer-1 internal
group-policy %s_GroupPolicy_Tunnel-%s_Peer-1 attributes
vpn-tunnel-protocol %s
", ($peers == 1)? 'Policy':'Policies', $kunde, $nr, $kunde, $nr, $ike;
printf "group-policy %s_GroupPolicy_Tunnel-%s_Peer-2 internal
group-policy %s_GroupPolicy_Tunnel-%s_Peer-2 attributes
vpn-tunnel-protocol %s
", $kunde, $nr, $kunde, $nr, $ike if ($peers == 2");
# tunnel group
if ($ike eq "ikev1") { # ikev1
printf "
! Tunnel %s
tunnel-group %s type ipsec-l2l
tunnel-group %s general-attributes
default-group-policy %s_GroupPolicy_Tunnel-%s_Peer-1
tunnel-group %s ipsec-attributes
ikev1 pre-shared-key %s
", ($peers == 1)? 'Group':'Groups', $peer1, $peer1, $kunde, $nr, $peer1, $psk1;
printf "isakmp keepalive threshold %s retry %s
", $threshold, $retry if ($pfs == 1); # pfs an 1. tunnel?
printf "
tunnel-group %s type ipsec-l2l
tunnel-group %s general-attributes
default-group-policy %s_GroupPolicy_Tunnel-%s_Peer-2
tunnel-group %s ipsec-attributes
ikev1 pre-shared-key %s
", $peer2, $peer2, $kunde, $nr, $peer2, $psk2 if ($peers == 2); # 2. tunnel?
printf "isakmp keepalive threshold %s retry %s
", $threshold, $retry if ($peers ==2 and $pfs == 1); # pfs an 2. tunnel?
} else { #ikev2
printf "
! Tunnel %s
tunnel-group %s type ipsec-l2l
tunnel-group %s general-attributes
default-group-policy %s_GroupPolicy_Tunnel-%s_Peer-1
tunnel-group %s ipsec-attributes
ikev2 remote-authentication pre-shared-key %s
ikev2 local-authentication pre-shared-key %s
", ($peers == 1)? 'Group':'Groups', $peer1, $peer1, $kunde, $nr, $peer1, $psk1, $psk1;
printf "isakmp keepalive threshold %s retry %s
", $threshold, $retry if ($pfs == 1); # pfs an 1. tunnel?
printf "
tunnel-group %s type ipsec-l2l
tunnel-group %s general-attributes
default-group-policy %s_GroupPolicy_Tunnel-%s_Peer-2
tunnel-group %s ipsec-attributes
ikev2 remote-authentication pre-shared-key %s
ikev2 local-authentication pre-shared-key %s
", $peer2, $peer2, $kunde, $nr, $peer2, $psk2, $psk2 if ($peers == 2); # 2. tunnel?
printf "isakmp keepalive threshold %s retry %s
", $threshold, $retry if ($peers == 2 and $pfs == 1); # pfs an 2. tunnel?
}
print "\n";
printf "
! Crypto map ACL
access-list %s_CryptoMap_Tunnel-%s extended permit ip object-group _CS_NG_%s_Lokal object-group _CS_NG_%s_Remote
", $kunde, $nr, $kunde, $kunde;
printf "
! Crypto map
";
printf "crypto map %s %s match address %s_CryptoMap_Tunnel-%s
", $cryptomap{$asa}, $cmnr, $kunde, $nr;
printf "crypto map %s %s set pfs group%s
", $cryptomap{$asa}, $cmnr, $pfsdh if ($pfs == 1);
printf "crypto map %s %s set peer %s %s
", $cryptomap{$asa}, $cmnr, $peer1, $peer2;
printf "crypto map %s %s set ikev1 transform-set %s
", $cryptomap{$asa}, $cmnr, $tspropname;
printf "crypto map %s %s set security-association lifetime seconds %s
", $cryptomap{$asa}, $cmnr, $p2life;
printf "crypto map %s %s set security-association lifetime kilobytes %s
", $cryptomap{$asa}, $cmnr, $p2lifekb;
printf "
! Konfiguration Ende
! Rollback Konfiguration Start";
printf "
clear configure crypto map %s %s
clear config tunnel-group %s", $cryptomap{$asa}, $cmnr, $peer1;
printf "
clear config tunnel-group %s", $peer2 if ($peers == 2);
printf "
clear config group-policy %s_GroupPolicy_Tunnel-%s_Peer-1", $kunde, $nr;
printf "
clear config group-policy %s_GroupPolicy_Tunnel-%s_Peer-2", $kunde, $nr if ($peers == 2);
printf "
clear configure access-list %s_CryptoMap_Tunnel-%s
! Rollback Konfiguration Ende
", $kunde, $nr;
ende ("", 0);
sub eingabe {
printf "%-60s : ", $_[0];
$_ = <STDIN>; chomp;
return $_;
}
sub ausgabe {
printf "%-60s : %s\n", $_[0], $_[1];
}
sub uber {
printf "\n=== %s === \n", $_[0];
}
sub ende {
print "\n$_[0]\nBye\n\n";
exit $_[1];
}