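#!/bin/bash
#
# applyvpn.sh — build a FortiGate IPsec + BGP configuration for an AWS
# Site-to-Site VPN from CloudFormation stack output, save it to
# $HOME/fortigate-vpn_output, and push it to the FortiGate over SSH.
#
# Requires: an authenticated aws CLI, GNU grep (-P), awk, ssh, and the EC2
# key pair named in the fortigate-vpn stack present as ~/.ssh/<key>.pem.
#
# Security notes:
#   * The generated file contains the IPsec pre-shared keys. It is created
#     with mode 0600 (umask 077 + chmod) and should be deleted once applied.
#   * SSH host keys are accepted on first contact (accept-new) and verified on
#     every later run. The previous StrictHostKeyChecking=no also accepted a
#     *changed* key, i.e. it would push the PSKs to whoever answers at $host.
#   * Every AWS call is made once and every extracted value is checked to be
#     non-empty before anything is sent to the firewall, so a failed lookup
#     can no longer produce a half-filled config (empty psksecret/remote-gw).
set -euo pipefail
umask 077   # files created by this script are private to the caller

die() { printf 'applyvpn: %s\n' "$*" >&2; exit 1; }

# Print a CloudFormation stack's describe-stacks output in text form.
# Arguments: $1 - stack name
cf_stack_text() {
  aws cloudformation describe-stacks --stack-name "$1" --output text
}

# Print column $3 of every line of $1 matching regex $2. Column numbers are
# the ones the original script used; they depend on how the stack templates
# describe their outputs, so keep them in sync with the templates.
# Arguments: $1 - text from cf_stack_text, $2 - awk regex, $3 - column number
cf_field() {
  awk -v pat="$2" -v col="$3" '$0 ~ pat { print $col }' <<<"$1"
}

# Print the n-th (1-based) text value of <tag>…</tag> found in $1, the JSON
# output of describe-vpn-connections. The customer-gateway XML arrives as one
# JSON-escaped string, so a single grep -o pass over that line yields every
# occurrence in document order and awk picks the wanted one. No match prints
# nothing (validated by the caller) rather than aborting under set -e.
# Arguments: $1 - JSON text, $2 - XML tag name, $3 - occurrence index
xml_nth() {
  { grep -oPm1 "(?<=<$2>)[^<]+" <<<"$1" || true; } | awk -v n="$3" 'NR == n'
}

# --- Gather inputs from CloudFormation (one describe-stacks call per stack) ---
fortigate_stack=$(cf_stack_text fortigate-vpn)
vpc_stack=$(cf_stack_text vpc-vpn)

key=$(cf_field "$fortigate_stack" myKeyPair 3)
lgw=$(cf_field "$fortigate_stack" MyInstanceOutsideIp 3)
host=$(cf_field "$fortigate_stack" OutsideEIP 4)
port2=$(cf_field "$fortigate_stack" MyInstanceInsideIp 3)
vpnid=$(cf_field "$vpc_stack" VPNID 3)
instance=$(cf_field "$vpc_stack" InstancesPublicIp 3)
output01="$HOME/fortigate-vpn_output"

[[ -n "$vpnid" ]] || die "VPNID not found in the vpc-vpn stack output"

# --- Gather tunnel parameters from the VPN connection (one call) ---
# --output json is forced: the index-based parsing in xml_nth only works when
# the whole customer-gateway XML is a single JSON-escaped line, which a
# text/table default output format would break.
vpn_json=$(aws ec2 describe-vpn-connections --output json \
  --filters "Name=vpn-connection-id,Values=$vpnid")

# Indexes are those of the original script: <ip_address> 1-4 belong to tunnel 1
# and 5-8 to tunnel 2 (our outside, our inside, AWS outside, AWS inside);
# <asn> is ours then AWS's; <pre_shared_key> is tunnel 1 then tunnel 2.
# NOTE(review): this follows the customer-gateway configuration layout the
# script was written against — re-check if AWS changes that document.
locip01=$(xml_nth "$vpn_json" ip_address 2)
remgw01=$(xml_nth "$vpn_json" ip_address 3)
remip01=$(xml_nth "$vpn_json" ip_address 4)
locip02=$(xml_nth "$vpn_json" ip_address 6)
remgw02=$(xml_nth "$vpn_json" ip_address 7)
remip02=$(xml_nth "$vpn_json" ip_address 8)
secret01=$(xml_nth "$vpn_json" pre_shared_key 1)
secret02=$(xml_nth "$vpn_json" pre_shared_key 2)
localasn=$(xml_nth "$vpn_json" asn 1)
remoteasn=$(xml_nth "$vpn_json" asn 2)

# Refuse to push a half-filled configuration: an empty psksecret, remote-gw
# or local-gw would leave a broken (or wrongly peered) tunnel on the firewall.
for v in key lgw host port2 vpnid instance locip01 remgw01 remip01 \
         locip02 remgw02 remip02 secret01 secret02 localasn remoteasn; do
  [[ -n "${!v}" ]] || die "could not determine '$v' from AWS output; nothing applied"
done

keyfile="$HOME/.ssh/${key}.pem"
[[ -r "$keyfile" ]] || die "SSH key $keyfile is not readable (it must match the key pair used in the fortigate-vpn stack)"

# --- Write the FortiGate CLI script ---
# The heredoc keeps the double quotes around object names; the previous
# echo "..." form dropped them because each inner quote ended the string
# (FortiOS accepts both spellings).
# NOTE(review): aes128-sha1 with DH group 2 (1024-bit MODP) is weak by current
# standards; if the AWS tunnel options permit it, prefer aes256-sha256 and
# dhgrp 14 or higher on both ends. The two firewall policies below are
# any/any/ALL in both directions — fine for a lab, tighten for production.
cat > "$output01" <<EOF
config vpn ipsec phase1-interface
edit "vpn-0"
set interface "port1"
set local-gw $lgw
set keylife 28800
set peertype any
set proposal aes128-sha1
set dpd on-idle
set dhgrp 2
set remote-gw $remgw01
set psksecret $secret01
set dpd-retryinterval 10
next
edit "vpn-1"
set interface "port1"
set local-gw $lgw
set keylife 28800
set peertype any
set proposal aes128-sha1
set dpd on-idle
set dhgrp 2
set remote-gw $remgw02
set psksecret $secret02
set dpd-retryinterval 10
next
end
config vpn ipsec phase2-interface
edit "vpn-0"
set phase1name "vpn-0"
set proposal aes128-sha1
set dhgrp 2
set keylifeseconds 3600
next
edit "vpn-1"
set phase1name "vpn-1"
set proposal aes128-sha1
set dhgrp 2
set keylifeseconds 3600
next
end
config system interface
edit "vpn-0"
set vdom "root"
set ip $locip01 255.255.255.255
set allowaccess ping
set type tunnel
set tcp-mss 1379
set remote-ip $remip01 255.255.255.255
set interface "port1"
next
edit "vpn-1"
set vdom "root"
set ip $locip02 255.255.255.255
set allowaccess ping
set type tunnel
set tcp-mss 1379
set remote-ip $remip02 255.255.255.255
set interface "port1"
next
end
config system zone
edit "VPN"
set interface "vpn-0" "vpn-1"
next
end
config router bgp
set as $localasn
set router-id $lgw
config neighbor
edit "$remip01"
set description "vpn_0"
set remote-as $remoteasn
next
edit "$remip02"
set description "vpn_1"
set remote-as $remoteasn
next
end
config network
edit 1
set prefix 192.168.0.0 255.255.0.0
next
end
end
config firewall policy
edit 0
set srcintf "VPN"
set dstintf "port2"
set srcaddr all
set dstaddr all
set action accept
set schedule always
set service ALL
next
edit 0
set srcintf "port2"
set dstintf "VPN"
set srcaddr all
set dstaddr all
set action accept
set schedule always
set service ALL
next
end
EOF
# umask only governs newly created files; a pre-existing output file keeps
# its old mode, so fix it explicitly — it now holds the PSKs.
chmod 600 "$output01"

cat <<EOF

The following files were created:
1. $output01  (contains the IPsec pre-shared keys — delete it once applied)
Now applying the commands...

EOF

# --- Apply over SSH ---
# accept-new trusts the host key on first contact and rejects a changed key
# afterwards (OpenSSH >= 7.6). Do not fall back to "no": that would push the
# PSKs to any host that answers at $host.
if ! ssh -o StrictHostKeyChecking=accept-new -T -i "$keyfile" "admin@${host}" < "$output01"; then
  printf 'applyvpn: warning: ssh to %s exited non-zero; check the output above\n' "$host" >&2
fi

cat <<EOF

VPN Config added. Check output above in case of errors.
Now login to test instance and confirm you can ping the inside IP of the firewall
ssh -o StrictHostKeyChecking=accept-new -i $keyfile ec2-user@$instance
ping $port2

EOF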