README v1.0
gencryptolists.pl v1.2
(c) Tor Houghton (torh@bogus.net) 1-Jul-2005

Keywords: Cisco IOS PIX IPSec Access Control List Generator


What is gencryptolists?
-----------------------

In short, it's a Perl program which generates access control lists (ACLs)
for use with the Cisco IOS IPSec implementation.

Anyone who has worked with Cisco's implementation of IPSec on the IOS
platform (and indeed on the PIX platform) will understand what sort of a
configuration nightmare this can be - especially in an environment with a
large number of peers and networks.

     10.0.0.0/24 - A --- B - 172.16.0.0/24
    10.12.0.0/24    \   /    172.16.32.0/24
                     \ /
                      C
                      |
               192.168.0.0/24
               192.168.16.0/24

For the example network above, a fully meshed network with only 3 peers
that have 2 networks each will need the following ACL configuration in
order for communications to take place between them (assuming that devices
on all networks need the ability to communicate with each other):

For the router on site A:

  ip access-list extended CRYPTO-SITE-A
   ! from site-a to site-b
   permit ip 10.0.0.0 0.0.0.255 172.16.0.0 0.0.0.255
   permit ip 10.0.0.0 0.0.0.255 172.16.32.0 0.0.0.255
   permit ip 10.12.0.0 0.0.0.255 172.16.0.0 0.0.0.255
   permit ip 10.12.0.0 0.0.0.255 172.16.32.0 0.0.0.255
   ! from site-a to site-c
   permit ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255
   permit ip 10.0.0.0 0.0.0.255 192.168.16.0 0.0.0.255
   permit ip 10.12.0.0 0.0.0.255 192.168.0.0 0.0.0.255
   permit ip 10.12.0.0 0.0.0.255 192.168.16.0 0.0.0.255

For the router on site B:

  ip access-list extended CRYPTO-SITE-B
   ! from site-b to site-a
   permit ip 172.16.0.0 0.0.0.255 10.0.0.0 0.0.0.255
   permit ip 172.16.0.0 0.0.0.255 10.12.0.0 0.0.0.255
   permit ip 172.16.32.0 0.0.0.255 10.0.0.0 0.0.0.255
   permit ip 172.16.32.0 0.0.0.255 10.12.0.0 0.0.0.255
   ! from site-b to site-c
   permit ip 172.16.0.0 0.0.0.255 192.168.0.0 0.0.0.255
   permit ip 172.16.0.0 0.0.0.255 192.168.16.0 0.0.0.255
   permit ip 172.16.32.0 0.0.0.255 192.168.0.0 0.0.0.255
   permit ip 172.16.32.0 0.0.0.255 192.168.16.0 0.0.0.255

For the router on site C:

  ip access-list extended CRYPTO-SITE-C
   ! from site-c to site-a
   permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.0.255
   permit ip 192.168.0.0 0.0.0.255 10.12.0.0 0.0.0.255
   permit ip 192.168.16.0 0.0.0.255 10.0.0.0 0.0.0.255
   permit ip 192.168.16.0 0.0.0.255 10.12.0.0 0.0.0.255
   ! from site-c to site-b
   permit ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.0.255
   permit ip 192.168.0.0 0.0.0.255 172.16.32.0 0.0.0.255
   permit ip 192.168.16.0 0.0.0.255 172.16.0.0 0.0.0.255
   permit ip 192.168.16.0 0.0.0.255 172.16.32.0 0.0.0.255

This configuration uses the IOS notion of network masks (the inverse
mask). I seem to recall that the PIX uses the "regular" way of denoting
network masks. I'll correct myself[*] if I am wrong in the next version of
this documentation!

As you can see, quite a few ACL entries are required for even a small
IPSec network. Each site requires the "reverse" access list of the other
peer too, which adds another level of complexity. I'd say that this grows
exponentially, but that's not quite true (it certainly feels like it does,
however, if you do this by hand!).

[*] Or you can! :-)


How do I use it?
----------------

After you've designed your IPSec topology (having a good idea what each
node's internal address ranges are is a good starting point), create your
configuration file(s).

Gencryptolists supports the two main types of network topologies,
hub-and-spoke ("star") and fully meshed ("mesh"). The hub-and-spoke
network is usually chosen when the networking requirement states that many
(2 or more) region offices need to talk to a central location such as a
data centre, i.e. the region offices are not allowed or required to talk
to each other, but they all need access to central data sources.
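The following is an added example in Python, not part of gencryptolists.pl, showing the two
generation rules the tool automates: for a mesh it reproduces the site A/B/C lists given
above (each site's entries being the reverse of its peers'), and for a star it parses a
small configuration written in the HUB/SPOKE structure described in the next section and
emits only spoke-to-hub entries. The "datacentre"/"region-1"/"region-2" configuration is
constructed here; treating an unsigned network entry as "+" is this parser's assumption,
and PEER lines are skipped because v1.2 does not use them.

```python
import ipaddress, re

def wildcard(net):
    """IOS ACL entries take the inverse (wildcard) mask: 255.255.255.0 -> 0.0.0.255."""
    n = ipaddress.ip_network(net, strict=False)  # accepts 10.0.0.0/24 or 10.0.0.0/255.255.255.0
    return f"{n.network_address} {n.hostmask}"

def site_acl(name, peers):
    """peers: [(local_nets, remote_name, remote_nets)]; one permit per local x remote pair."""
    lines = [f"ip access-list extended CRYPTO-{name.upper()}"]
    for local, rname, remote in peers:
        lines.append(f" ! from {name} to {rname}")
        lines += [f" permit ip {wildcard(s)} {wildcard(d)}" for s in local for d in remote]
    return lines

def gen_acls(sites, hub=None):
    """Mesh (hub=None): every pair of sites; star: only the pairs that include the hub."""
    return {a: site_acl(a, [(sites[a], b, sites[b]) for b in sites
                            if b != a and hub in (None, a, b)]) for a in sites}

def parse_star(text):
    """Parse 'HUB name { nets ... SPOKE name { nets ... } }' (the README's structure).
    ';' and '#' start comments, '-' keeps a network out of the map, PEER lines are ignored."""
    hub, sites, stack = None, {}, []
    for raw in text.splitlines():
        line = re.split(r"[;#]", raw)[0].strip()
        if line == "}":
            stack.pop()
        elif m := re.match(r"(HUB|SPOKE)\s+(\S+)\s*\{", line):
            stack.append(m.group(2))
            sites[m.group(2)] = []
            hub = m.group(2) if m.group(1) == "HUB" else hub
        elif m := re.match(r"([+-])?\s*([\d.]+)\s+([\d.]+)$", line):
            if m.group(1) != "-":
                sites[stack[-1]].append(f"{m.group(2)}/{m.group(3)}")
    return hub, sites

MESH_SITES = {"site-a": ["10.0.0.0/24", "10.12.0.0/24"],  # the README's example network
              "site-b": ["172.16.0.0/24", "172.16.32.0/24"],
              "site-c": ["192.168.0.0/24", "192.168.16.0/24"]}
STAR_CFG = """HUB datacentre {           ; constructed config in the README's structure
  + 10.0.0.0 255.255.255.0
  SPOKE region-1 {
    + 172.16.0.0 255.255.255.0
    - 172.16.32.0 255.255.255.0  # minus: kept out of the crypto map
  }
  SPOKE region-2 {
    192.168.0.0 255.255.255.0    ; no sign: this parser treats it as '+'
  }
}"""
```

gen_acls(MESH_SITES) returns the mesh lists keyed by site name, and gen_acls(sites, hub)
on the result of hub, sites = parse_star(STAR_CFG) returns the star lists; each value is
the list of IOS lines for one router.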
The configuration file for this topology uses the following structure:

  HUB hub-site-name {
    PEER ip.address            ; this is optional, not supported in v1.2
    [+|-] hub.network.address hub.network.mask
    ...
    SPOKE spoke-site-name {
      PEER ip.address          ; optional, not supported yet
      [+|-] spoke.network.address spoke.network.mask
      ...
    }
    SPOKE spoke-site2-name {
      ...
    }
  }

Look at the example file "domains-hubspoke.cfg" for an actual example.

The special characters ";" and "#" may be used as comments. Anything
entered after these characters will be ignored.

The "HUB" and "SPOKE" keywords denote that the site is the hub and a spoke
in the network respectively. Only one hub site may exist in any
configuration file, and each site name must be unique. Refer to the
example file for site name ideas.

The "PEER" keyword is not currently used, but will be in future versions.

Plus ("+") and minus ("-") are used to control which addresses should be
passed to the crypto map.

Generate your lists by invoking the program with the "-c" flag (the
configuration file; if omitted, the default file "./domains.cfg" is used)
and the "-t" flag (the topology, "mesh" or "star"; if omitted, "mesh" is
generated by default). The program writes each site's ACL configuration
to file (or only prints them to STDOUT if the switch "-d" is used). E.g.

  ./gencryptolists.pl -c myconfig.txt -t mesh
  ./gencryptolists.pl -c myconfig.txt -d -t mesh
  ./gencryptolists.pl -c mystarconfig.txt -t star
  ./gencryptolists.pl -h


Pitfalls (and possible bugs)
----------------------------

When creating hub-and-spoke networks, it is important to understand that
ONE configuration file must be used per design. A configuration file with
more than one HUB will produce nonsensical access control list
configuration.

Your version of IOS must support so-called "named" access lists. I think
this is fairly standard these days.


What are the future plans?
--------------------------

To allow the configuration file to be used for sitewide IPSec
configurations, including shared keys.
A PIX-specific version will probably be required too.


Where can I find updates or get help?
-------------------------------------

At the moment, your best bet is to email me (torh@bogus.net) or look for
examples and updates at

  http://www.bogus.net/~torh/gencryptolists/
  http://www.bogus.net/~torh/files/gencryptolists.tar.gz


What type of licence is it released under?
------------------------------------------

This version (1.2) is released under the GPLv2 licence; find it at
http://www.gnu.org/.

If this code helps you do your work in any way, I'd appreciate hearing
about it.