README v1.0
gencryptolists.pl v1.2 (c) Tor Houghton (torh@bogus.net) 1-Jul-2005
Keywords: Cisco IOS PIX IPSec Access Control List Generator
What is gencryptolists?
-----------------------
In short, it's a Perl program which generates access control lists (ACLs) for
use with the Cisco IOS IPSec implementation.
Anyone who has worked with Cisco's implementation of IPSec on the IOS platform
(and indeed on the PIX platform) will understand what sort of a configuration
nightmare this can be - especially in an environment with a large number of
peers and networks.
10.0.0.0/24  - A --- B - 172.16.0.0/24
10.12.0.0/24    \   /    172.16.32.0/24
                 \ /
                  C
                  |
             192.168.0.0/24
             192.168.16.0/24
For the example network above, a fully meshed network with only 3 peers that
have 2 networks each will need the following ACL configuration in order for
communications to take place between them (assuming that devices on all
networks need the ability to communicate with each other):
For the router on site A:
ip access-list extended CRYPTO-SITE-A
! from site-a to site-b
permit ip 10.0.0.0 0.0.0.255 172.16.0.0 0.0.0.255
permit ip 10.0.0.0 0.0.0.255 172.16.32.0 0.0.0.255
permit ip 10.12.0.0 0.0.0.255 172.16.0.0 0.0.0.255
permit ip 10.12.0.0 0.0.0.255 172.16.32.0 0.0.0.255
! from site-a to site-c
permit ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255
permit ip 10.0.0.0 0.0.0.255 192.168.16.0 0.0.0.255
permit ip 10.12.0.0 0.0.0.255 192.168.0.0 0.0.0.255
permit ip 10.12.0.0 0.0.0.255 192.168.16.0 0.0.0.255
For the router on site B:
ip access-list extended CRYPTO-SITE-B
! from site-b to site-a
permit ip 172.16.0.0 0.0.0.255 10.0.0.0 0.0.0.255
permit ip 172.16.0.0 0.0.0.255 10.12.0.0 0.0.0.255
permit ip 172.16.32.0 0.0.0.255 10.0.0.0 0.0.0.255
permit ip 172.16.32.0 0.0.0.255 10.12.0.0 0.0.0.255
! from site-b to site-c
permit ip 172.16.0.0 0.0.0.255 192.168.0.0 0.0.0.255
permit ip 172.16.0.0 0.0.0.255 192.168.16.0 0.0.0.255
permit ip 172.16.32.0 0.0.0.255 192.168.0.0 0.0.0.255
permit ip 172.16.32.0 0.0.0.255 192.168.16.0 0.0.0.255
For the router on site C:
ip access-list extended CRYPTO-SITE-C
! from site-c to site-a
permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.0.255
permit ip 192.168.0.0 0.0.0.255 10.12.0.0 0.0.0.255
permit ip 192.168.16.0 0.0.0.255 10.0.0.0 0.0.0.255
permit ip 192.168.16.0 0.0.0.255 10.12.0.0 0.0.0.255
! from site-c to site-b
permit ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.0.255
permit ip 192.168.0.0 0.0.0.255 172.16.32.0 0.0.0.255
permit ip 192.168.16.0 0.0.0.255 172.16.0.0 0.0.0.255
permit ip 192.168.16.0 0.0.0.255 172.16.32.0 0.0.0.255
This configuration uses the IOS notion of network masks (the inverse mask). I
seem to recall that the PIX uses the "regular" way of denoting network
masks. I'll correct myself[*] if I am wrong in the next version of this
documentation!
As you can see, quite a few ACL entries are required for even a small IPSec
network. Each site requires the "reverse" access list of the other peer too,
which adds another level of complexity.
I'd say that this grows exponentially, but that's not quite true (it
certainly feels like it does however, if you do this by hand!).
[*] Or you can! :-)
How do I use it?
----------------
After you've designed your IPSec topology (having a good idea what each node's
internal address ranges are is a good starting point), create your
configuration file(s). Gencryptolists supports the two main types of network
topologies, hub-and-spoke ("star") and fully meshed ("mesh").
The hub-and-spoke network is usually chosen when the networking requirement
states that many (2 or more) regional offices need to talk to a central location
such as a data centre. I.e. the regional offices are not allowed or required to
talk to each other, but they all need access to central data sources.
The configuration file for this topology uses the following structure:
HUB hub-site-name {
    PEER ip.address                          ; this is optional, not supported in v1.2
    [+|-] hub.network.address hub.network.mask
    ...
    SPOKE spoke-site-name {
        PEER ip.address                      ; optional, not supported yet
        [+|-] spoke.network.address spoke.network.mask
        ...
    }
    SPOKE spoke-site2-name {
        ...
    }
}
Look at the example file "domains-hubspoke.cfg" for an actual example.
The special characters ";" and "#" may be used as comments. Anything entered
after these characters will be ignored.
The "HUB" and "SPOKE" keywords denote whether a site is the hub or a spoke
in the network. Only one hub site may exist in any configuration
file, and each site name must be unique. Refer to the example file for site
name ideas.
The "PEER" keyword is not currently used, but will be in future versions.
Plus ("+") and minus ("-") are used to control which addresses should be passed
to the cryptomap.
Generate your lists by invoking the program with the "-c" flag (the configuration
file; if omitted, the default file "./domains.cfg" is used) and the "-t" flag
(the topology; if omitted, "mesh" is generated by default).
The program writes each site's ACL configuration to file (or only prints them
to STDOUT if the switch "-d" is used).
e.g.
./gencryptolists.pl -c myconfig.txt -t mesh
./gencryptolists.pl -c myconfig.txt -d -t mesh
./gencryptolists.pl -c mystarconfig.txt -t star
./gencryptolists.pl -h
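The following is an added illustration, not the gencryptolists.pl source: a
Python sketch that reads a configuration in the HUB/SPOKE structure described
above and emits the crypto ACLs for both topologies, reproducing the site A
listing from the "What is gencryptolists?" section. The sample configuration is
constructed for this example. Assumptions not stated in the README: a "-" line
excludes that prefix from the generated entries, and "PEER" lines are parsed but
ignored (the README says the keyword is unused in v1.2). Masks are converted to
the IOS inverse (wildcard) form.

```python
"""Added example (not the gencryptolists.pl code): parse a HUB/SPOKE
configuration in the README's format and emit IOS crypto ACLs for either a
full mesh or a hub-and-spoke topology."""
import ipaddress
import re

# Constructed sample configuration following the README's structure.
# Assumption: "-" marks a prefix that must not be tunnelled; PEER is ignored.
SAMPLE_CFG = """
HUB A {                          ; site A is the hub in star mode
    PEER 198.51.100.1            ; optional, not supported yet
    + 10.0.0.0 255.255.255.0
    + 10.12.0.0 255.255.255.0
    - 10.99.0.0 255.255.255.0    # management range, never tunnelled
    SPOKE B {
        + 172.16.0.0 255.255.255.0
        + 172.16.32.0 255.255.255.0
    }
    SPOKE C {
        + 192.168.0.0 255.255.255.0
        + 192.168.16.0 255.255.255.0
    }
}
"""


def parse_config(text):
    """Return (hub_name, {site: [IPv4Network, ...]}) from the README's format."""
    sites, hub, stack = {}, None, []
    for raw in text.splitlines():
        line = re.split(r"[;#]", raw, 1)[0].strip()   # ";" and "#" start comments
        if not line:
            continue
        m = re.match(r"^(HUB|SPOKE)\s+(\S+)\s*\{$", line)
        if m:
            role, name = m.groups()
            if name in sites:
                raise ValueError(f"duplicate site name {name}")
            if role == "HUB":
                if hub is not None:
                    raise ValueError("only one HUB per configuration file")
                hub = name
            sites[name] = []
            stack.append(name)
        elif line == "}":
            stack.pop()
        elif line.startswith("PEER"):
            continue                                   # documented as unused in v1.2
        else:
            m = re.match(r"^([+-])\s+(\S+)\s+(\S+)$", line)
            if not m or not stack:
                raise ValueError(f"cannot parse line: {raw!r}")
            sign, addr, mask = m.groups()
            if sign == "+":                            # "-" prefixes are excluded
                sites[stack[-1]].append(ipaddress.ip_network(f"{addr}/{mask}"))
    if stack:
        raise ValueError("unbalanced braces")
    return hub, sites


def wildcard(net):
    """IOS extended ACLs take the inverse mask: 255.255.255.0 -> 0.0.0.255."""
    return str(net.hostmask)


def permit_lines(src_nets, dst_nets):
    """One permit entry per (source, destination) network pair."""
    return [f" permit ip {s.network_address} {wildcard(s)} "
            f"{d.network_address} {wildcard(d)}"
            for s in src_nets for d in dst_nets]


def generate(hub, sites, topology="mesh"):
    """Return {site: [ACL lines]}; 'mesh' pairs every site with every other,
    'star' pairs the hub with each spoke and each spoke only with the hub."""
    acls = {}
    for site, nets in sites.items():
        if topology == "mesh":
            peers = [p for p in sites if p != site]
        elif topology == "star":
            peers = [p for p in sites if p != hub] if site == hub else [hub]
        else:
            raise ValueError(f"unknown topology {topology}")
        lines = [f"ip access-list extended CRYPTO-SITE-{site}"]
        for peer in peers:
            lines.append(f" ! from site-{site.lower()} to site-{peer.lower()}")
            lines.extend(permit_lines(nets, sites[peer]))
        acls[site] = lines
    return acls


if __name__ == "__main__":
    hub, sites = parse_config(SAMPLE_CFG)
    for topo in ("mesh", "star"):
        print(f"### topology: {topo}")
        for lines in generate(hub, sites, topo).values():
            print("\n".join(lines), "\n")
```

In mesh mode the three generated lists contain the same 24 permit entries as
the hand-written listing above; in star mode the spokes B and C receive only
their four entries towards the hub's networks, which is the reduction the
hub-and-spoke design buys you.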
Pitfalls (and possible bugs)
----------------------------
When creating hub-and-spoke networks, it is important to understand that ONE
configuration file must be used per design. A configuration file with more than
one HUB will produce nonsensical access control list configuration.
Your version of IOS must support so-called "named" access lists. I think this
is fairly standard these days.
What are the future plans?
--------------------------
To allow the configuration file to be used for sitewide IPSec configurations,
including shared keys. A PIX specific version will probably be required too.
Where can I find updates or get help?
-------------------------------------
At the moment, your best bet is to email me (torh@bogus.net) or look for
examples and updates at http://www.bogus.net/~torh/gencryptolists/ and
http://www.bogus.net/~torh/files/gencryptolists.tar.gz.
What type of licence is it released under?
------------------------------------------
This version (1.2) is released under the GPLv2 licence, find it at
http://www.gnu.org/.
If this code helps you do your work in any way, I'd appreciate hearing about
it.