[Openswan Users] about "ipsec eroute"
Marco Berizzi
pupilla at hotmail.com
Tue Dec 11 03:39:23 EST 2007
Paul Wouters wrote:
> On Mon, 10 Dec 2007, kelvin wrote:
>
> > hello everyone:
> > how to get ipsec eroute working when i use netkey? o
>
> You don't. You use 'ip xfrm state' and 'ip xfrm policy'.
>
> Documentation on those commands is scarce.
Try this. I replaced the 'look' file shipped with
openswan with this script, so when I run 'ipsec look'
I get similar output.
It is a slightly modified version of Ken's eroute.pl.
You also need to compile setkey, from ipsec-tools.
#!/usr/bin/perl
#
# (c) Xelerance <ken at xelerance.com>
#
# I whipped this up in 15 minutes after switching my laptop to 2.6
# so it's ugly, and could use some major improvement. setkey output is
# ugly to parse
use strict;
use warnings;

# State carried across the lines of one 'setkey -PD' policy entry
my ($src, $dst, $any, $dummy, $proto, $type, $net1, $net2);
my ($remotegw, $local, $temp, $spidstr, $seqstr, $pidstr, $tmp);
my $tunnel = "";
my $spi    = "";
my $dir    = "";

open(SETKEY, "setkey -PD|") or die "cannot run setkey: $!";
while (<SETKEY>) {
    # "src[any] dst[any] any" header line of a policy entry
    if (m/any/) {
        ($dst, $src, $any) = split(" ", $_);
        $src =~ s/\[any\]//g;
        $dst =~ s/\[any\]//g;
    }
    # "in ipsec" / "out ipsec" / "fwd ipsec" direction line
    if (m/ipsec/) {
        ($dir, $dummy) = split(" ", $_);
    }
    # "esp/tunnel/gw1-gw2/unique..." request line: pick out the two gateways
    if (m/ipcomp.*use/ || m/ipcomp.*unique/ || m/esp\/tunnel.*unique/) {
        ($proto, $type, $tunnel, $dummy) = split("/", $_);
        ($net1, $net2) = split("-", $tunnel);
        if ($dir eq "out") {
            $remotegw = $net2;
            $local    = $net1;
            $temp = $src;
            $src  = $dst;
            $dst  = $temp;
        }
        if ($dir eq "in") {
            $remotegw = $net1;
            $local    = $net2;
        }
        if ($dir eq "fwd") {
            $remotegw = $net1;
            $local    = $net2;
        }
    }
    # "spid=N seq=N pid=N" line closes the entry: print one eroute-style line
    if (m/spid/) {
        ($spidstr, $seqstr, $pidstr) = split(" ", $_);
        ($tmp, $spi) = split("=", $spidstr);
        if ($spi ne "" && $tunnel ne "") {
            # bare host addresses get a /32 mask, as eroute printed them
            $src .= "/32" unless $src =~ m/\//;
            $dst .= "/32" unless $dst =~ m/\//;
            printf("%3s %-18s -> %-18s => tun0x%s@%s\n",
                   $dir, $src, $dst, $spi, $remotegw);
            # Reset
            $tunnel = "";
            $spi    = "";
            $dir    = "";
        }
    }
}
close(SETKEY);
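As an added example (not from this thread or from Openswan), the same eroute-style listing built from the two commands Paul points to, 'ip xfrm policy' and 'ip xfrm state', joined on the template gateways and reqid so the SPI shown is the real SA's. The command output embedded below is constructed, and the parser assumes the iproute2 layout of a top-level "src ... dst ..." header followed by indented dir/tmpl/spi lines.

```python
import re

# Constructed sample output of 'ip xfrm policy' / 'ip xfrm state' for one tunnel
# 10.0.0.0/24 <-> 10.0.1.0/24 between gateways 192.168.1.1 and 192.168.1.2.
POLICY_SAMPLE = """\
src 10.0.0.0/24 dst 10.0.1.0/24
    dir out priority 2344 ptype main
    tmpl src 192.168.1.1 dst 192.168.1.2
        proto esp reqid 16385 mode tunnel
src 10.0.1.0/24 dst 10.0.0.0/24
    dir in priority 2344 ptype main
    tmpl src 192.168.1.2 dst 192.168.1.1
        proto esp reqid 16385 mode tunnel
"""
STATE_SAMPLE = """\
src 192.168.1.1 dst 192.168.1.2
    proto esp spi 0x0000a1b2 reqid 16385 mode tunnel
src 192.168.1.2 dst 192.168.1.1
    proto esp spi 0x0000c3d4 reqid 16385 mode tunnel
"""

def _entries(text):
    # one chunk per top-level "src ... dst ..." header (continuation lines are indented)
    return [e for e in re.split(r"(?m)^(?=src )", text) if e.strip()]

def parse_states(text):
    # (outer src, outer dst, reqid) -> SPI for every ESP/AH SA in 'ip xfrm state'
    sas = {}
    for entry in _entries(text):
        hdr = re.match(r"src (\S+) dst (\S+)", entry)
        sa = re.search(r"proto (?:esp|ah) spi 0x([0-9a-fA-F]+) reqid (\d+)", entry)
        if hdr and sa:
            sas[(hdr.group(1), hdr.group(2), sa.group(2))] = sa.group(1)
    return sas

def eroute_lines(policy_text, state_text):
    # render tunnel policies in the old "dir src -> dst => tun0xSPI@gw" layout
    sas = parse_states(state_text)
    lines = []
    for entry in _entries(policy_text):
        hdr = re.match(r"src (\S+) dst (\S+)", entry)
        direction = re.search(r"\bdir (\w+)", entry)
        tmpl = re.search(r"tmpl src (\S+) dst (\S+)", entry)
        reqid = re.search(r"\breqid (\d+)", entry)
        if not (hdr and direction and tmpl and reqid):
            continue  # no template: a plain allow/drop policy, not a tunnel
        gw_src, gw_dst = tmpl.groups()
        remotegw = gw_dst if direction.group(1) == "out" else gw_src  # in/fwd: peer is tmpl src
        spi = sas.get((gw_src, gw_dst, reqid.group(1)))
        target = "tun0x%s@%s" % (spi, remotegw) if spi else "no SA yet@%s" % remotegw
        lines.append("%3s %-18s -> %-18s => %s" % (direction.group(1), hdr.group(1), hdr.group(2), target))
    return lines
```

A policy whose SA has not been negotiated yet (present in 'ip xfrm policy' but absent from 'ip xfrm state') is shown as "no SA yet" instead of a tunnel number.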