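#!/bin/perl
# Interactive generator for a Cisco ASA site-to-site (ipsec-l2l) tunnel
# configuration plus a matching rollback snippet.
#
# All answers are read from STDIN; the finished CLI snippet is printed to
# STDOUT.  The snippet contains the pre-shared keys in clear text, so treat
# the output (and any terminal log of this session) as sensitive.  The PSK
# prompt is not masked by this script.
#
# Free crypto-map sequence numbers, IKE policy numbers and the existing
# transform-sets / IPsec proposals are read from the live ASA through
# RANCID's clogin.  clogin is invoked with -u $SSHUSER -p $SSHPASS expanded
# by the shell, so the password is visible in the process list while the
# command runs; .cloginrc (already passed with -f) is the safer place for it.
#
# Only values taken from the fixed tables below or validated against an
# allow-list are interpolated into the shell command.
#
# The local/remote network objects are emitted with fixed 192.168.1.0/24 and
# 192.168.2.0/24 subnets; these look like placeholders and have to be edited
# before the snippet is pushed to the ASA.  The rollback block does not
# remove the network objects or the NAT exemption.
use strict;
use warnings;

# clogin invocation shared by every lookup against the ASA.  "\$SSHUSER" and
# "\$SSHPASS" are deliberately left for the shell to expand.
my $CLOGIN = "/home/rancid/bin/clogin -f /home/rancid/.cloginrc -u \$SSHUSER -p \$SSHPASS";

# Name of the external (Internet-facing) interface per ASA host.
my %outside = (
    'asa-frankfurt' => 'outside',
    'asa-hosting'   => 'outside',
    'asa-vwd-1'     => 'TG-TRANS',
    'asa-admin-1'   => 'outside',
    'asa-voeb-1'    => 'outside_Versatel',
);

# Name of the crypto map bound to that interface, per ASA host.
my %cryptomap = (
    'asa-frankfurt' => 'CONET-Solutions_vpnmap',
    'asa-hosting'   => 'outside_map3',
    'asa-vwd-1'     => 'TG-TRANS_map0',
    'asa-admin-1'   => 'outside_map1',
    'asa-voeb-1'    => 'outside_Versatel_map2',
);

# Largest sequence/policy number that will be probed when looking for a
# free one.
my $MAX_NR = 2000;

print "\n\nSite 2 Site Konfig erstellen\n\n";

# ---------------------------------------------------------------- general
uber("Allgemeine Angaben");

my $kunde = eingabe("Kundenname");
# $kunde becomes part of object, ACL and group-policy names; anything
# outside this set would produce an unparseable ASA snippet.
ende("Kundenname darf nur A-Z, a-z, 0-9, _ und - enthalten.", 1)
    unless $kunde =~ /\A[A-Za-z0-9_-]+\z/;

my $nr = eingabe("Nummer (meist 1, da nur 1 Tunnel je Kunde)");
ende("Nummer muss eine Zahl sein.", 1) unless $nr =~ /\A\d+\z/;

my $peers = eingabe("Anzahl Peers (1,2)");
ende("Nur 1 oder 2 erlaubt.", 1) unless $peers =~ /\A[12]\z/;

my ($peer1, $psk1, $peer2, $psk2) = ('', '', '', '');
$peer1 = eingabe("Peer 1");
$psk1  = eingabe("PSK 1");
if ($peers == 2) {
    $peer2 = eingabe("Peer 2");
    $psk2  = eingabe("PSK 2");
}
# Peers become tunnel-group names and PSKs are emitted as a single CLI
# token: empty values or whitespace would silently break the snippet.
for my $wert ($peer1, $psk1, ($peers == 2 ? ($peer2, $psk2) : ())) {
    ende("Peer und PSK duerfen nicht leer sein und keine Leerzeichen enthalten.", 1)
        if $wert eq '' || $wert =~ /\s/;
}

my $asa = eingabe("ASA Hostname");
# The hash lookup doubles as the allow-list for the shell commands below:
# only a host that appears in both tables gets any further.
ende("Kein externes Interface gefunden.", 1)
    unless defined $outside{$asa} && $outside{$asa} ne '';
ausgabe("outside", $outside{$asa});
ende("Keine crypto map gefunden.", 1)
    unless defined $cryptomap{$asa} && $cryptomap{$asa} ne '';
ausgabe("crypto map", $cryptomap{$asa});

# Sequence numbers already used in this crypto map (one per line on the ASA,
# flattened to a space separated list).
my $cmd = "$CLOGIN -c 'sh run | i crypto map $cryptomap{$asa}' $asa | grep -v 'sh run' | grep -v ' interface ' | grep -o 'crypto map .* [0-9]*' | awk '{print \$4}' | sort -n | uniq | tr -d '\r' | tr '\n' ' '";
my $str = `$cmd`;
ausgabe("Verwendete crypto map Nummern", $str);
my $cmnr = freie_nummer($MAX_NR, split(' ', $str));
ausgabe("Verwende crypto map Nummer", $cmnr);

my $inside = eingabe("LAN Interface");
ende("LAN Interface darf nicht leer sein und keine Leerzeichen enthalten.", 1)
    if $inside eq '' || $inside =~ /\s/;

# ---------------------------------------------------------------- phase 1
uber("Phase 1");

my $ike = eingabe("IKE Version (1,2)");
ende("Nur 1 oder 2 erlaubt.", 1) unless $ike =~ /\A[12]\z/;
$ike = "ikev$ike";    # "ikev1" / "ikev2", as used in ASA keywords

my $newpol = eingabe("Neue Policy anlegen (1) oder bestehende verwenden (2)");
ende("Nur 1 oder 2 erlaubt", 1) unless $newpol =~ /\A[12]\z/;

my ($pnr, $p1dh, $p1life, $p1enc, $p1hash) = ('', '', '', '', '');
if ($newpol == 1) {
    # Existing IKE policy numbers for the chosen IKE version.
    $cmd = "$CLOGIN -c 'sh run | i $ike policy' $asa | grep -v 'sh run' | grep -o 'crypto .* policy [0-9]*' | awk '{print \$4}' | sort -n | uniq | tr '\n' ' '";
    $str = `$cmd`;
    ausgabe("Diese Policynummern existieren", $str);
    $pnr = freie_nummer($MAX_NR, split(' ', $str));
    ausgabe("Verwende Policy Nummer", $pnr);

    $p1dh   = eingabe("DH Group (bspw 5, 14, 19, 20, 21)");
    $p1life = eingabe("Lifetime in Sekunden 3600(1h), 28800(8h), 86400(24h)");
    $p1enc  = eingabe("Encryption (aes, aes-192, aes-256)");
    $p1hash = eingabe("Hash (sha, sha256, sha384, sha512)");
}

# ---------------------------------------------------------------- phase 2
uber("Phase 2");

my $p2lifekb = eingabe("Lifetime in Kilobytes (default 4608000, unlimited)");
my $p2life   = eingabe("Lifetime in Sekunden (default 28800)");

my $pfs = eingabe("PFS verwenden (1) oder nicht (2)");
ende("Nur 1 oder 2 erlaubt", 1) unless $pfs =~ /\A[12]\z/;
my $pfsdh = ($pfs == 1) ? eingabe("DH Group (bspw 5, 14, 19, 20, 21)") : '';

# IKEv1 uses transform-sets, IKEv2 uses IPsec proposals; both the wording
# of the prompts and the lookup command follow that.
my $tsprop;
if ($ike eq 'ikev1') {
    $tsprop = "Transform-Set";
    $cmd = "$CLOGIN -c 'sh run | i crypto ipsec $ike transform-set' $asa | grep -v 'sh run' | grep 'transform-set' | awk '{print \$5}' | sort -n | uniq | tr -d '\\r' | tr '\\n' ' '";
}
else {
    $tsprop = "IPSec Proposal";
    $cmd = "$CLOGIN -c 'sh run | i crypto ipsec $ike ipsec-proposal' $asa | grep -v 'sh run' | grep 'ipsec-proposal' | awk '{print \$5}' | sort -n | uniq | tr -d '\\r' | tr '\\n' ' '";
}
$str = `$cmd`;
ausgabe("Diese $tsprop existieren", $str);

my $newprop = eingabe("Neues $tsprop (1) oder bestehendes (2)");
ende("Nur 1 oder 2 erlaubt", 1) unless $newprop =~ /\A[12]\z/;

my ($tspropname, $p2enc, $p2hash) = ('', '', '');
if ($newprop == 1) {
    $tspropname = eingabe("Name für neues $tsprop");
    if ($ike eq 'ikev2') {
        $p2enc  = eingabe("Encryption (aes-192, aes-256, aes-gcm-192, aes-gcm-256, aes-gmac-192, aes-gmac-256)");
        $p2hash = eingabe("Hash (sha-256, sha-384, sha-512)");
    }
    else {
        $p2enc  = eingabe("Encryption (esp-aes-192, esp-aes-256)");
        $p2hash = eingabe("Hash (esp-sha-hmac)");
    }
}
else {
    $tspropname = eingabe("Welches $tsprop verwenden");
}
ende("$tsprop Name darf nicht leer sein und keine Leerzeichen enthalten.", 1)
    if $tspropname eq '' || $tspropname =~ /\s/;

# -------------------------------------------------------------- keepalive
uber("Keepalive");

my $keepalive = eingabe("Keepalive verwenden (1) oder nicht (2)");
ende("Nur 1 oder 2 erlaubt", 1) unless $keepalive =~ /\A[12]\z/;
my ($retry, $threshold) = ('', '');
if ($keepalive == 1) {
    $retry     = eingabe("Retry Intervall");
    $threshold = eingabe("Threshold");
}

# ================================================================= output
my $cm  = $cryptomap{$asa};
my $acl = "${kunde}_CryptoMap_Tunnel-${nr}";
my $gp1 = "${kunde}_GroupPolicy_Tunnel-${nr}_Peer-1";
my $gp2 = "${kunde}_GroupPolicy_Tunnel-${nr}_Peer-2";

print "\n!\n! Konfiguration Start\n";

# Network objects: the subnets are fixed placeholders (see header comment).
print <<"END";
!
! Netzwerkobjekte
object network _CS_NO_${kunde}_Lokal_net1
 subnet 192.168.1.0 255.255.255.0
object-group network _CS_NG_${kunde}_Lokal
 network-object object _CS_NO_${kunde}_Lokal_net1
object network _CS_NO_${kunde}_Remote_net1
 subnet 192.168.2.0 255.255.255.0
object-group network _CS_NG_${kunde}_Remote
 network-object object _CS_NO_${kunde}_Remote_net1
!
! nat exemption
nat ($inside,$outside{$asa}) source static _CS_NG_${kunde}_Lokal _CS_NG_${kunde}_Lokal destination static _CS_NG_${kunde}_Remote _CS_NG_${kunde}_Remote no-proxy-arp route-lookup
END

# IKE policy (phase 1)
if ($newpol == 1) {
    print "!\n! Neue Policy\n";
    if ($ike eq 'ikev1') {
        print <<"END";
crypto ikev1 policy $pnr
 authentication pre-share
 encryption $p1enc
 hash $p1hash
 group $p1dh
 lifetime $p1life
END
    }
    else {
        print <<"END";
crypto ikev2 policy $pnr
 encryption $p1enc
 integrity $p1hash
 group $p1dh
 prf $p1hash
 lifetime $p1life
END
    }
}
else {
    printf "!\n! Bestehende %s Policies verwenden\n", ($ike eq 'ikev1') ? 'IKEv1' : 'IKEv2';
}

# Transform-set / IPsec proposal (phase 2).  The crypto map below references
# $tspropname, so a newly named one has to be defined as well.
if ($newprop == 1) {
    print "!\n! Neues $tsprop\n";
    if ($ike eq 'ikev1') {
        print "crypto ipsec ikev1 transform-set $tspropname $p2enc $p2hash\n";
    }
    else {
        # NOTE(review): for the aes-gcm/aes-gmac choices the ASA expects
        # "protocol esp integrity null" instead of a SHA variant; confirm
        # against the target release before pushing.
        print <<"END";
crypto ipsec ikev2 ipsec-proposal $tspropname
 protocol esp encryption $p2enc
 protocol esp integrity $p2hash
END
    }
}

# Group policies, one per peer
printf "!\n! Group %s\n", ($peers == 1) ? 'Policy' : 'Policies';
group_policy($gp1, $ike);
group_policy($gp2, $ike) if $peers == 2;

# Tunnel groups, one per peer
printf "!\n! Tunnel %s\n", ($peers == 1) ? 'Group' : 'Groups';
tunnel_group($peer1, $psk1, $gp1, $ike, $keepalive, $threshold, $retry);
tunnel_group($peer2, $psk2, $gp2, $ike, $keepalive, $threshold, $retry) if $peers == 2;

# Crypto map entry
print "!\n! Crypto map ACL\n";
print "access-list $acl extended permit ip object-group _CS_NG_${kunde}_Lokal object-group _CS_NG_${kunde}_Remote\n";
print "!\n! Crypto map\n";
print "crypto map $cm $cmnr match address $acl\n";
print "crypto map $cm $cmnr set pfs group$pfsdh\n" if $pfs == 1;
print "crypto map $cm $cmnr set peer " . join(' ', ($peers == 2) ? ($peer1, $peer2) : ($peer1)) . "\n";
# The proposal keyword has to match the IKE version of the tunnel.
if ($ike eq 'ikev1') {
    print "crypto map $cm $cmnr set ikev1 transform-set $tspropname\n";
}
else {
    print "crypto map $cm $cmnr set ikev2 ipsec-proposal $tspropname\n";
}
print "crypto map $cm $cmnr set security-association lifetime seconds $p2life\n";
print "crypto map $cm $cmnr set security-association lifetime kilobytes $p2lifekb\n";

# Rollback: undo in reverse dependency order (map entry first, then the
# objects it references).  Network objects and NAT are not rolled back.
print <<"END";
!
! Konfiguration Ende
!
! Rollback Konfiguration Start
clear configure crypto map $cm $cmnr
clear config tunnel-group $peer1
END
print "clear config tunnel-group $peer2\n" if $peers == 2;
print "clear config group-policy $gp1\n";
print "clear config group-policy $gp2\n" if $peers == 2;
print "clear configure access-list $acl\n";
if ($newprop == 1) {
    if ($ike eq 'ikev1') {
        print "no crypto ipsec ikev1 transform-set $tspropname $p2enc $p2hash\n";
    }
    else {
        print "no crypto ipsec ikev2 ipsec-proposal $tspropname\n";
    }
}
print "!\n! Rollback Konfiguration Ende\n";

ende("", 0);

# ================================================================ helpers

# Lowest integer in 1..$max that does not occur in @used (1 when nothing is
# used).  Aborts the script when the whole range is taken instead of
# running forever.
sub freie_nummer {
    my ($max, @used) = @_;
    my %belegt = map { $_ => 1 } @used;
    for my $i (1 .. $max) {
        return $i unless $belegt{$i};
    }
    ende("Keine freie Nummer bis $max gefunden.", 1);
}

# Emits an internal group-policy $name that allows tunnel protocol $ike.
sub group_policy {
    my ($name, $ike) = @_;
    print <<"END";
group-policy $name internal
group-policy $name attributes
 vpn-tunnel-protocol $ike
END
}

# Emits the tunnel-group for $peer, bound to group-policy $gp, with the PSK
# for the chosen IKE version.  The keepalive line depends on the keepalive
# answer only (not on the PFS answer).
sub tunnel_group {
    my ($peer, $psk, $gp, $ike, $keepalive, $threshold, $retry) = @_;
    print "tunnel-group $peer type ipsec-l2l\n";
    print "tunnel-group $peer general-attributes\n";
    print " default-group-policy $gp\n";
    print "tunnel-group $peer ipsec-attributes\n";
    if ($ike eq 'ikev1') {
        print " ikev1 pre-shared-key $psk\n";
    }
    else {
        print " ikev2 remote-authentication pre-shared-key $psk\n";
        print " ikev2 local-authentication pre-shared-key $psk\n";
    }
    print " isakmp keepalive threshold $threshold retry $retry\n" if $keepalive == 1;
}

# Prompts with $_[0] and returns one line from STDIN without its newline.
# Aborts on EOF instead of continuing with an undefined answer.
sub eingabe {
    my ($prompt) = @_;
    printf "%-60s : ", $prompt;
    my $zeile = <STDIN>;
    ende("Eingabe abgebrochen (EOF).", 1) unless defined $zeile;
    chomp $zeile;
    return $zeile;
}

# Prints a label/value pair aligned with the prompts.
sub ausgabe {
    my ($label, $wert) = @_;
    printf "%-60s : %s\n", $label, $wert;
}

# Prints a section heading.
sub uber {
    my ($titel) = @_;
    printf "\n=== %s === \n", $titel;
}

# Prints $_[0] and exits with status $_[1].
sub ende {
    my ($meldung, $status) = @_;
    print "\n$meldung\nBye\n\n";
    exit $status;
}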