Adding a new VPN connection

Aaron Burke aburke at nullplusone.net
Sun Dec 17 04:17:49 PST 2006


SNIP
> In a FreeBSD router (5.4-stable), there are currently 50 IPSEC VPN
> connections running with 50 remote sites, now I need to add one more (new)
> vpn to it without resetting the existing VPN connection. Therefore I have
> created a script (new-vpn.sh):
>
> #!/bin/sh
>
> # Tunnel to kgportsmith
> /sbin/ifconfig gif108 destroy
> /sbin/ifconfig gif108 create
> /sbin/ifconfig gif108 tunnel 10.152.34.74 10.154.3.74
> /sbin/ifconfig gif108 inet 10.1.1.1 10.1.1.33 netmask 255.255.255.0
> /sbin/route delete 10.1.33.1/24
> /sbin/route delete 172.17.33.0/24
> /sbin/route add 10.1.33.1/24 10.1.1.33
> /sbin/route add 172.17.33.0/24 10.1.1.33
I love the gif interface, you may want to possibly increase the default
TTL on each gif connection. The default MTU is 1280. My gif tunnels
have an MTU of 1472. 1474 requires fragmentation.

>
> setkey -c << EOF
>
> # Setup policies with kgportsmith
> spdadd 10.152.34.74 10.154.3.74 any -P out ipsec esp/tunnel/10.152.34.74-10.154.3.74/require ;
> spdadd 10.154.3.74 10.152.34.74 any -P in  ipsec esp/tunnel/10.154.3.74-10.152.34.74/require ;
> add 10.152.34.74 10.154.3.74 esp 2797 -m tunnel -E blowfish-cbc 0x11205611340CCEA4C816670A4A8DD2A67403F46A08169850DC0B8E2989C3C2094CEF174297ECCF39644B6C4E28D5A3BD4C0861DD7094E398 -A hmac-sha1 0x2C49F538BAF74917311382F7EE42CC43FBDBDA4B ;
> add 10.154.3.74 10.152.34.74 esp 4074 -m tunnel -E blowfish-cbc 0x82A7C78A8C1F8B0DF8EE75F4BEEA5A26D987C6237D43ED98EF3E2A18D2B7F2C94674E1E4B1FAFE645CCB2C18603646E20EB925B06AEC4F6B -A hmac-sha1 0xCE1D85113D11D43C061E499CFFECCD81D50A3530 ;
>
> EOF
>
> ### END OF SCRIPT ###
I don't see any reference to "spdflush;" or "flush;", therefore you should
be fine.

> Will this script (especially the command setkey -c) erase (reset) the
> existing VPN connection and security keys? If it does, I will lose the
> connection with all other sites.
I don't see any flush commands, therefore the existing keys should be fine.

SNIP

-- Aaron
aburke at nullplusone.net
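The whole question above turns on one detail: a setkey(8) script only disturbs the 50 existing tunnels if it contains a "flush;" or "spdflush;" directive, which /etc/ipsec.conf-style files usually start with. The following shell script is an added example, not code from the thread or from FreeBSD: it scans a setkey script for those directives (ignoring comments) and refuses to hand it to setkey if one is present, so an additive per-peer script like new-vpn.sh cannot accidentally turn into a full reset. It assumes a setkey that accepts -f FILE; the SETKEY variable is an assumption used to substitute a stand-in binary (true) when no IPsec tooling is available, and the SPIs and keys in the constructed sample files are placeholders, not usable material.

```shell
#!/bin/sh
# Added example (not from the thread): only let a setkey(8) script through
# when it is purely additive, so existing SAs/SPs are never flushed.
# Assumption: setkey accepts "-f FILE"; SETKEY may override the binary path.

# setkey_has_flush FILE
# Exit status 0 if FILE contains a "flush;" or "spdflush;" directive outside
# a '#' comment, 1 otherwise.
setkey_has_flush() {
    sed 's/#.*$//' "$1" |
        grep -Eq '(^|[[:space:];])(spdflush|flush)[[:space:]]*;'
}

# apply_additive FILE
# Hands FILE to setkey only when it is additive; returns 2 and applies
# nothing if a flush directive is present.
apply_additive() {
    if setkey_has_flush "$1"; then
        echo "refusing $1: contains flush/spdflush, would drop existing SAs" >&2
        return 2
    fi
    "${SETKEY:-/sbin/setkey}" -f "$1"
}

# Constructed sample inputs (placeholder SPIs and keys, not real material).
samples=$(mktemp -d)
cat > "$samples/additive.conf" <<'EOF'
# policies and an SA for one new peer; only add/spdadd, nothing removed
spdadd 10.152.34.74 10.154.3.74 any -P out ipsec esp/tunnel/10.152.34.74-10.154.3.74/require ;
spdadd 10.154.3.74 10.152.34.74 any -P in ipsec esp/tunnel/10.154.3.74-10.152.34.74/require ;
add 10.152.34.74 10.154.3.74 esp 0x1000 -m tunnel -E blowfish-cbc 0x0123456789abcdef -A hmac-sha1 0x0123456789abcdef0123456789abcdef01234567 ;
EOF
cat > "$samples/reset.conf" <<'EOF'
# a typical /etc/ipsec.conf-style file that starts by clearing everything
flush;
spdflush;
spdadd 10.152.34.74 10.154.3.74 any -P out ipsec esp/tunnel/10.152.34.74-10.154.3.74/require ;
EOF

# Stand-alone demonstration: SETKEY=true stands in for /sbin/setkey so this
# runs on a machine without IPsec tooling. First call is applied, second is
# refused with status 2.
SETKEY=true apply_additive "$samples/additive.conf" && echo "additive.conf: applied"
SETKEY=true apply_additive "$samples/reset.conf" || echo "reset.conf: refused (status $?)"
```

Run it in place of a bare "setkey -c" or "setkey -f" when adding a peer to a router that already carries live tunnels; the check costs nothing and catches the one mistake that would reset all 50 connections. Since the SPIs and keys in the quoted new-vpn.sh have appeared on a public list, they should be treated as disclosed and regenerated before that script is used.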
