afonso/core-extra
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity
core-extra/gui/configs/sample9-vpn.imn
tgoff0 8562b2bfdc gui: Update the sample9-vpn.imn example.
2015-05-22 00:55:58 +00:00

1015 lines
36 KiB
Text
Raw Blame History

comments {
Sample scenario showing VPNClient and VPNServer service configuration.
This topology features an OpenVPN client and server for virtual private
networking. The client can access the private 10.0.6.0/24 network via the VPN
server. First wait until routing converges in the center routers (try using the
Adjacency Widget and wait for blue lines, meaning full adjacencies), then open
a shell on the vpnclient and try pinging the private address of the vpnserver:
vpnclient> ping 10.0.6.1
You can also access the other 10.0.6.* hosts behind the server. Try running
tcpudmp on one of the center routers, e.g. the n2 eth1/10.0.5.2 interface, and
you'll see UDP packets with TLS encrypted data instead of ICMP packets.
Keys are included as extra files in the VPNClient and VPNServer service
configuration.
}
node n1 {
type router
model router
network-config {
hostname n1
!
interface eth2
ip address 10.0.4.2/24
ipv6 address 2001:4::2/64
!
interface eth1
ip address 10.0.2.1/24
ipv6 address 2001:2::1/64
!
interface eth0
ip address 10.0.0.1/24
ipv6 address 2001:0::1/64
!
}
canvas c1
iconcoords {297.0 236.0}
labelcoords {297.0 264.0}
interface-peer {eth0 n6}
interface-peer {eth1 n2}
interface-peer {eth2 n3}
}
node n2 {
type router
model router
network-config {
hostname n2
!
interface eth1
ip address 10.0.5.2/24
ipv6 address 2001:5::2/64
!
interface eth0
ip address 10.0.2.2/24
ipv6 address 2001:2::2/64
!
}
canvas c1
iconcoords {298.0 432.0}
labelcoords {298.0 460.0}
interface-peer {eth0 n1}
interface-peer {eth1 n4}
}
node n3 {
type router
model router
network-config {
hostname n3
!
interface eth1
ip address 10.0.4.1/24
ipv6 address 2001:4::1/64
!
interface eth0
ip address 10.0.3.1/24
ipv6 address 2001:3::1/64
!
}
canvas c1
iconcoords {573.0 233.0}
labelcoords {573.0 261.0}
interface-peer {eth0 n4}
interface-peer {eth1 n1}
}
node n4 {
type router
model router
network-config {
hostname n4
!
interface eth2
ip address 10.0.5.1/24
ipv6 address 2001:5::1/64
!
interface eth1
ip address 10.0.3.2/24
ipv6 address 2001:3::2/64
!
interface eth0
ip address 10.0.1.1/24
ipv6 address 2001:1::1/64
!
}
canvas c1
iconcoords {574.0 429.0}
labelcoords {574.0 457.0}
interface-peer {eth0 n5}
interface-peer {eth1 n3}
interface-peer {eth2 n2}
}
node n5 {
type router
model host
network-config {
hostname vpnserver
!
interface eth1
ipv6 address 2001:6::10/64
ip address 10.0.6.1/24
!
interface eth0
ip address 10.0.1.10/24
ipv6 address 2001:1::10/64
!
}
canvas c1
iconcoords {726.0 511.0}
labelcoords {726.0 543.0}
interface-peer {eth0 n4}
interface-peer {eth1 n7}
custom-config {
custom-config-id service:VPNServer:vpnserver.pem
custom-command vpnserver.pem
config {
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=WA, O=core-dev/emailAddress=root@localhost
Validity
Not Before: May 19 02:09:57 2015 GMT
Not After : Apr 25 02:09:57 2115 GMT
Subject: C=US, ST=WA, O=core-dev, CN=vpnserver/emailAddress=root@localhost
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:d2:88:b2:9b:32:ac:38:ca:45:e0:6b:db:1c:92:
5d:9a:42:23:df:64:a0:3b:c2:c4:f2:3a:75:bb:d6:
54:12:61:6e:aa:ac:0f:a6:2e:d9:3b:63:dc:3d:48:
02:f1:36:c8:97:d3:ef:24:6f:7f:dd:b7:9a:9d:6d:
c1:c9:e2:11:49:1c:e0:67:d6:b0:b7:62:84:9a:f8:
c3:af:4f:f7:77:29:74:01:81:47:49:84:d6:1c:0c:
36:41:42:a2:3e:92:28:83:50:7a:9c:fd:f3:66:7c:
f8:d9:c7:f6:63:d2:59:d2:fd:9a:a4:9b:75:a6:16:
ec:37:de:05:dd:05:a2:31:65:79:66:eb:b3:82:41:
af:b9:e8:4a:bc:02:d6:a1:68:49:6c:09:e1:c5:9f:
3e:cf:52:76:d9:63:65:7a:a5:34:75:ee:ce:a3:c6:
92:f3:0d:2f:7f:b0:b4:12:fe:44:5f:77:10:25:98:
b2:45:af:69:c8:9b:13:fc:f9:de:c6:be:b5:cf:62:
06:01:32:71:d5:84:1d:14:b9:28:46:80:f6:98:35:
12:e4:c8:e4:7a:94:e5:99:a3:6b:34:de:be:33:fe:
63:21:a3:cc:c4:64:15:49:e0:9d:57:84:b9:11:e5:
05:79:ba:22:6e:e4:24:b0:64:f0:54:13:1a:f4:73:
8a:ff
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Server
Netscape Comment:
OpenSSL Generated Server Certificate
X509v3 Subject Key Identifier:
A5:A6:80:4D:3C:CD:E2:FE:AD:32:FD:9D:B2:7C:B6:00:76:16:C0:41
X509v3 Authority Key Identifier:
keyid:DB:D2:9C:8D:22:D9:D7:E2:38:A0:8D:6C:3B:BE:33:CE:8D:2A:BE:C8
DirName:/C=US/ST=WA/O=core-dev/emailAddress=root@localhost
serial:CE:78:96:91:DB:9B:84:FD
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Key Usage:
Digital Signature, Key Encipherment
Signature Algorithm: sha256WithRSAEncryption
3b:40:af:3a:c0:95:10:bc:d4:63:4a:1b:0f:9d:af:9c:27:29:
34:c9:80:dc:c2:2d:72:40:0e:50:15:fe:b4:87:bc:59:56:de:
81:96:1f:4f:ec:1a:44:ce:23:ba:69:b1:f5:ed:4b:1a:22:cf:
16:17:29:f9:bb:69:12:3c:42:87:09:48:26:a2:b3:88:40:3e:
3c:06:92:e1:65:6e:c0:62:50:55:08:5d:a0:4b:3a:0f:ff:9d:
65:91:b9:bf:d3:69:b9:ac:27:83:2c:fd:5a:bd:58:d3:75:a0:
70:e6:21:e9:f0:0d:19:a6:5f:2b:2d:1f:c9:fb:72:73:06:40:
32:5a:f8:81:30:59:b7:cb:3a:a7:3e:6f:af:4c:4b:57:eb:4a:
d8:24:65:13:c3:86:fd:35:d3:6d:a0:3a:4b:63:40:9e:b4:98:
e0:a2:c7:f2:71:42:d5:08:72:95:fd:df:8f:05:e9:68:a8:f8:
13:db:e6:0a:ec:c2:df:29:65:33:52:57:52:e5:7e:1d:09:2c:
56:0b:cc:d3:2d:dd:46:72:f0:cb:8b:2d:53:c4:d3:9d:63:a6:
6e:9f:dd:1a:7c:b2:87:d1:9e:4e:a0:b2:36:85:4a:5e:89:f9:
01:82:94:3d:3a:86:17:84:48:d4:0c:c4:25:25:54:3f:d7:65:
6b:85:c2:44:b3:6a:f5:74:69:f4:be:b2:13:68:a0:99:82:88:
07:23:8e:a3:67:e0:88:07:fe:fd:ba:85:f8:8a:1f:ac:1e:7d:
ac:1e:f9:d1:3d:a8:fd:d9:91:9e:b2:3d:4f:f1:b4:80:9e:0b:
aa:bb:44:6a:20:08:68:a4:45:0e:21:21:4d:d1:5f:ab:a8:96:
5a:29:e1:0f:9a:ff:a4:58:c6:80:15:51:98:ac:3c:23:4e:9e:
8f:a2:34:c1:f6:4c:26:f0:33:8d:db:15:b9:30:03:a7:b3:17:
31:9f:9a:5a:e7:a1:10:5e:61:57:04:bf:9a:6f:ec:87:15:4e:
33:2a:0c:e4:4a:b0:66:ab:04:7a:32:4d:66:44:af:d9:ad:41:
a9:b1:05:c4:7d:2a:ba:2b:bb:c9:1e:5a:ff:cd:e0:e3:54:39:
b6:be:e2:70:6c:db:e6:71:dc:27:7e:ef:e9:11:1f:cb:fa:cd:
e1:57:a9:b9:ba:d6:69:fc:c0:d7:57:b0:51:4d:c4:2a:2f:1b:
99:fc:b7:65:11:99:fe:0b:58:4e:11:aa:06:c6:e1:53:20:c7:
56:0a:de:a6:65:c1:a6:41:e1:7b:1d:d7:17:45:b0:e4:66:50:
26:d8:85:c3:c3:93:2d:df:b0:35:6d:29:9a:6b:cc:cc:75:de:
cf:72:37:8b:2d:24:b2:45
-----BEGIN CERTIFICATE-----
MIIFQTCCAymgAwIBAgIBATANBgkqhkiG9w0BAQsFADBMMQswCQYDVQQGEwJVUzEL
MAkGA1UECBMCV0ExETAPBgNVBAoTCGNvcmUtZGV2MR0wGwYJKoZIhvcNAQkBFg5y
b290QGxvY2FsaG9zdDAgFw0xNTA1MTkwMjA5NTdaGA8yMTE1MDQyNTAyMDk1N1ow
YDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAldBMREwDwYDVQQKEwhjb3JlLWRldjES
MBAGA1UEAxMJdnBuc2VydmVyMR0wGwYJKoZIhvcNAQkBFg5yb290QGxvY2FsaG9z
dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANKIspsyrDjKReBr2xyS
XZpCI99koDvCxPI6dbvWVBJhbqqsD6Yu2Ttj3D1IAvE2yJfT7yRvf923mp1twcni
EUkc4GfWsLdihJr4w69P93cpdAGBR0mE1hwMNkFCoj6SKINQepz982Z8+NnH9mPS
WdL9mqSbdaYW7DfeBd0FojFleWbrs4JBr7noSrwC1qFoSWwJ4cWfPs9SdtljZXql
NHXuzqPGkvMNL3+wtBL+RF93ECWYskWvacibE/z53sa+tc9iBgEycdWEHRS5KEaA
9pg1EuTI5HqU5ZmjazTevjP+YyGjzMRkFUngnVeEuRHlBXm6Im7kJLBk8FQTGvRz
iv8CAwEAAaOCARYwggESMAkGA1UdEwQCMAAwEQYJYIZIAYb4QgEBBAQDAgZAMDMG
CWCGSAGG+EIBDQQmFiRPcGVuU1NMIEdlbmVyYXRlZCBTZXJ2ZXIgQ2VydGlmaWNh
dGUwHQYDVR0OBBYEFKWmgE08zeL+rTL9nbJ8tgB2FsBBMHwGA1UdIwR1MHOAFNvS
nI0i2dfiOKCNbDu+M86NKr7IoVCkTjBMMQswCQYDVQQGEwJVUzELMAkGA1UECBMC
V0ExETAPBgNVBAoTCGNvcmUtZGV2MR0wGwYJKoZIhvcNAQkBFg5yb290QGxvY2Fs
aG9zdIIJAM54lpHbm4T9MBMGA1UdJQQMMAoGCCsGAQUFBwMBMAsGA1UdDwQEAwIF
oDANBgkqhkiG9w0BAQsFAAOCAgEAO0CvOsCVELzUY0obD52vnCcpNMmA3MItckAO
UBX+tIe8WVbegZYfT+waRM4jummx9e1LGiLPFhcp+btpEjxChwlIJqKziEA+PAaS
4WVuwGJQVQhdoEs6D/+dZZG5v9Npuawngyz9Wr1Y03WgcOYh6fANGaZfKy0fyfty
cwZAMlr4gTBZt8s6pz5vr0xLV+tK2CRlE8OG/TXTbaA6S2NAnrSY4KLH8nFC1Qhy
lf3fjwXpaKj4E9vmCuzC3yllM1JXUuV+HQksVgvM0y3dRnLwy4stU8TTnWOmbp/d
Gnyyh9GeTqCyNoVKXon5AYKUPTqGF4RI1AzEJSVUP9dla4XCRLNq9XRp9L6yE2ig
mYKIByOOo2fgiAf+/bqF+IofrB59rB750T2o/dmRnrI9T/G0gJ4LqrtEaiAIaKRF
DiEhTdFfq6iWWinhD5r/pFjGgBVRmKw8I06ej6I0wfZMJvAzjdsVuTADp7MXMZ+a
WuehEF5hVwS/mm/shxVOMyoM5EqwZqsEejJNZkSv2a1BqbEFxH0quiu7yR5a/83g
41Q5tr7icGzb5nHcJ37v6REfy/rN4VepubrWafzA11ewUU3EKi8bmfy3ZRGZ/gtY
ThGqBsbhUyDHVgrepmXBpkHhex3XF0Ww5GZQJtiFw8OTLd+wNW0pmmvMzHXez3I3
iy0kskU=
-----END CERTIFICATE-----
}
}
custom-config {
custom-config-id service:VPNServer:vpnserver.key
custom-command vpnserver.key
config {
-----BEGIN PRIVATE KEY-----
MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDSiLKbMqw4ykXg
a9sckl2aQiPfZKA7wsTyOnW71lQSYW6qrA+mLtk7Y9w9SALxNsiX0+8kb3/dt5qd
bcHJ4hFJHOBn1rC3YoSa+MOvT/d3KXQBgUdJhNYcDDZBQqI+kiiDUHqc/fNmfPjZ
x/Zj0lnS/Zqkm3WmFuw33gXdBaIxZXlm67OCQa+56Eq8AtahaElsCeHFnz7PUnbZ
Y2V6pTR17s6jxpLzDS9/sLQS/kRfdxAlmLJFr2nImxP8+d7GvrXPYgYBMnHVhB0U
uShGgPaYNRLkyOR6lOWZo2s03r4z/mMho8zEZBVJ4J1XhLkR5QV5uiJu5CSwZPBU
Exr0c4r/AgMBAAECggEATaktMUC09NHwisNedSCstI13TB2DWegT3EKiUWLTamBU
gVKtByE68sR4ZoacxzvtLMx555fVtATZXP8yv/TLaYvkX4l7cHo/7iabkJzP7T32
U+PLVxxQGtKKZPJehPRHS4ExaZ3n3kN1TGiNw+7BQapZFCVgdZ75DfaxdQFx/gQD
4htDr7SZL/jG1Sn08Cf7DRQ9U0rISecmm9nG9LV1LXMfnbdWTwvmm/z0a6wjDZ4n
Byfd5jOOI4cpgetHhAQCH+ksComY0GBf21MOsfQT/NzfuW/KFGag992Yub8tBUFa
AG+SlaNZBiLAPYfMegjCxR1jZeUCthlB2kdzYKcmyQKBgQD4lgbktGO/VKjnKnGD
SR8oJT82HvkfB16M/pSlTNOTmAAbbY9yMNj/zKPJDOhxHLhFxmXqVnvs70Ye+pfT
3o3v0NkAfdIhzNzqbFlUA15QqELhrXHaTtpU3/nyw+/lQhoiEof9yj9vuGBy4iDf
GdP1R8G7OWqJIDXwZd3s99XujQKBgQDY0CPvCe1j43wfG8MjI/bLeDWmxjGaLWJu
IKbMepEbqcaz9x+25Ey3E35DYtfLjeAQ+qRc5T4Cj6L9iG/mS89/ShPGj91xyFzQ
qoZf4lGB0/A80aTgmDiF4FxHFzWpXKaJPS1gTfWZ9Qs7r0LP8Uwni9dhO8LGPNAr
9Ky3jaHyuwKBgQDxml74yZpoyw+eHVJWFyuBCTJ2l4Po9HCg+I3gWtsICCOShNl2
UqOVen91WGZSCWfP6RQEvimUDrpIQaZu9U9eVc2S/LbOwx2zebsYPG3eVqsqTDjr
xNfOxiFYIbd3Ste7ZedmcrtVCg4zmjP4olGvgx53qUYyIGxMSbV4KyhxwQKBgQCQ
ba7SSLGrrdl8O5k1Knr3tb8/tp1KUFtWc0fJxQgu/lzQe5nT0qdL+Z9NsmWAQqV1
ihG9lDRHrnlsHNw19GBoMeeUiTeB2XACzOWwr+mN66oISbtkpeJZREkUTmC/zmld
2LQGiEhIY9U00B5YuSv62AwEyLOKLO6bqWT47U9piwKBgQDm2+ufGU+ZBr0qpyCf
TiZFngJ1fGK0tyVrERm1y83vWzbqaW9nX5hJilqYDB3jpHARvbY56+jWVSm4ADwG
dlqEpmPHBgDRYBkdLUl50TN5vINcXQCGlA0zOHAueAUESyL5nLnO7NsK/McSRDd5
XonR43XumudHzs3R6BwBTKv1gw==
-----END PRIVATE KEY-----
}
}
custom-config {
custom-config-id service:VPNServer:vpnserver.sh
custom-command vpnserver.sh
config {
#!/bin/sh
# custom VPN Server Configuration for service (security.py)
# -------- CUSTOMIZATION REQUIRED --------
#
# The VPNServer service sets up the OpenVPN server for building VPN tunnels
# that allow access via TUN/TAP device to private networks.
#
# note that the IPForward and DefaultRoute services should be enabled
# directory containing the certificate and key described below, in addition to
# a CA certificate and DH key
certdir=$SESSION_DIR/certs
keydir=$PWD
# the name used for a "$keyname.pem" certificate and "$keyname.key" private key.
keyname=vpnserver
# the VPN subnet address from which the client VPN IP (for the TUN/TAP)
# will be allocated
vpnsubnet=10.0.200.0
# public IP address of this vpn server (same as VPNClient vpnserver= setting)
vpnserver=10.0.1.10
# optional list of private subnets reachable behind this VPN server
# each subnet and next hop is separated by a space
# "<subnet1>,<nexthop1> <subnet2>,<nexthop2> ..."
privatenets="10.0.6.0,10.0.1.10"
# optional list of VPN clients, for statically assigning IP addresses to
# clients; also, an optional client subnet can be specified for adding static
# routes via the client
# Note: VPN addresses x.x.x.0-3 are reserved
# "<keyname>,<vpnIP>,<subnetIP> <keyname>,<vpnIP>,<subnetIP> ..."
#vpnclients="client1KeyFilename,10.0.200.5,10.0.0.0 client2KeyFilename,,"
vpnclients=""
# NOTE: you may need to enable the StaticRoutes service on nodes within the
# private subnet, in order to have routes back to the client.
# /sbin/ip ro add <vpnsubnet>/24 via <vpnServerRemoteInterface>
# /sbin/ip ro add <vpnClientSubnet>/24 via <vpnServerRemoteInterface>
# -------- END CUSTOMIZATION --------
echo > $PWD/vpnserver.log
rm -f -r $PWD/ccd
# validate key and certification files
check-key-file() {
if [ ! -e $1 ]; then
echo "ERROR: missing certification or key file: $1" >> $PWD/vpnserver.log
fi
}
check-key-file $keydir/$keyname.key
check-key-file $keydir/$keyname.pem
check-key-file $certdir/ca-cert.pem
check-key-file $certdir/dh2048.pem
# validate configuration IP addresses
checkip=0
if [ "$(dpkg -l | grep sipcalc)" = "" ]; then
echo "WARNING: ip validation disabled because package sipcalc not installed\
" >> $PWD/vpnserver.log
checkip=1
else
if [ "$(sipcalc "$vpnsubnet" "$vpnserver" | grep ERR)" != "" ]; then
echo "ERROR: invalid vpn subnet or server address \
$vpnsubnet or $vpnserver " >> $PWD/vpnserver.log
fi
fi
# create client vpn ip pool file
(
cat << EOF
EOF
)> $PWD/ippool.txt
# create server.conf file
(
cat << EOF
# openvpn server config
local $vpnserver
server $vpnsubnet 255.255.255.0
push redirect-gateway def1
EOF
)> $PWD/server.conf
# add routes to VPN server private subnets, and push these routes to clients
for privatenet in $privatenets; do
if [ $privatenet != "" ]; then
net=${privatenet%%,*}
nexthop=${privatenet##*,}
if [ $checkip = "0" ] &&
[ "$(sipcalc "$net" "$nexthop" | grep ERR)" != "" ]; then
echo "ERROR: invalid vpn server private net address \
$net or $nexthop " >> $PWD/vpnserver.log
fi
echo push route $net 255.255.255.0 >> $PWD/server.conf
fi
done
# allow subnet through this VPN, one route for each client subnet
for client in $vpnclients; do
if [ $client != "" ]; then
cSubnetIP=${client##*,}
cVpnIP=${client#*,}
cVpnIP=${cVpnIP%%,*}
cKeyFilename=${client%%,*}
if [ "$cSubnetIP" != "" ]; then
if [ $checkip = "0" ] &&
[ "$(sipcalc "$cSubnetIP" "$cVpnIP" | grep ERR)" != "" ]; then
echo "ERROR: invalid vpn client and subnet address \
$cSubnetIP or $cVpnIP " >> $PWD/vpnserver.log
fi
echo route $cSubnetIP 255.255.255.0 >> $PWD/server.conf
if ! test -d $PWD/ccd; then
mkdir -p $PWD/ccd
echo client-config-dir $PWD/ccd >> $PWD/server.conf
fi
if test -e $PWD/ccd/$cKeyFilename; then
echo iroute $cSubnetIP 255.255.255.0 >> $PWD/ccd/$cKeyFilename
else
echo iroute $cSubnetIP 255.255.255.0 > $PWD/ccd/$cKeyFilename
fi
fi
if [ "$cVpnIP" != "" ]; then
echo $cKeyFilename,$cVpnIP >> $PWD/ippool.txt
fi
fi
done
(
cat << EOF
keepalive 10 120
ca $certdir/ca-cert.pem
cert $keydir/$keyname.pem
key $keydir/$keyname.key
dh $certdir/dh2048.pem
cipher AES-256-CBC
status /var/log/openvpn-status.log
log /var/log/openvpn-server.log
ifconfig-pool-linear
ifconfig-pool-persist $PWD/ippool.txt
port 1194
proto udp
dev tun
verb 4
daemon
EOF
)>> $PWD/server.conf
# start vpn server
openvpn --config server.conf
}
}
custom-config {
custom-config-id service:VPNServer
custom-command VPNServer
config {
('vpnserver.sh', 'vpnserver.key', 'vpnserver.pem', )
50
('bash vpnserver.sh', )
('killall openvpn', )
('pidof openvpn', )
}
}
services {IPForward DefaultRoute SSH VPNServer}
}
node n6 {
type router
model PC
network-config {
hostname vpnclient
!
interface eth0
ip address 10.0.0.20/24
ipv6 address 2001:0::20/64
!
}
canvas c1
iconcoords {120.0 133.0}
labelcoords {120.0 165.0}
interface-peer {eth0 n1}
custom-config {
custom-config-id service:VPNClient:vpnclient.key
custom-command vpnclient.key
config {
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC6T+1XG/EQX8pj
vGSq5QMS6G8sqozjDPInZz8hSukeJCueE9Ib/nbg9wXLST6fAVA/VsY4eGXZzQNB
vl6BxVXjjj/UkY4R+RXchKjg85fq+I37uZnzUL3S2jIalswB4LsLSGusBbTTfe8v
0rMCPVUzojMSXhkOVJs1gzusmdNnqEg7TZ+W4Ov12jzACbRdGMA572sXvnXRPhdR
BI4CSfrsPRueWPO317oLDCECMrxzza9y65UFS3oPFvf2s6oR7FlAIEq0Z1YUQayx
LDH0kE1ZjhLxBmaqNO7hD0gCjYYX8XSHOpiq045N+OGmKcI3Th8ZsGkXKMMyQ1yN
a1c2PuehAgMBAAECggEAVVqYmPesEJxR1C9SzxfruJXTmNrpgHtF1NdwDIiNE8nu
UZUzBLAnNhj1BpSfo6iuYtYWKXi+8HEDtPLJyRnmp0Fb7L5iH8nFQilkVOpEBtmn
8lKtPNMYo6him9vJynJyPlEHQt+6X8mp8nbMm5INnoIIc7m4MOCB2poslH5EY4/j
/WTohzXVdx3nhYAJ5v5uVi/i6jeNHfY+6sj6pBKDq82OrfxgjrtABRj3/K5UcVd0
UBsaqXXObHxSvJkHFOSxK+qhVivuT3svZZlaYaleRB1oDmMx3uRNvtxdkhVz5zZY
zeEddu5/BQzHPpIwKR/HScpFes92fiQ639bJxIzGAQKBgQDtNoE7V2CVpvMVgTsX
3WsqjTZZOnH8jWfWrOMPgRWmDWSA7P7SNSL7dCIftqdMv3pPxCoYVzH7Skp18HGD
8EVRqrBUupfj7NXOWlG624qtlilWQsNwPkpjXWciQQapdAhEX+T+1/d5UrVR/mY9
gP4M6rnT87ShcPPi/Otvr/B6SQKBgQDJEWj0wR5GyCfDA0L8ez3OzAwkiWB3K+8b
usc0Cs/+ZFOjQd4Qxahoo6lL8G17TaIcSvdrULaWsQ/oeJ40M2xzsdlwrrtr6ueL
7q/mqsJeGLIN0h0I0i6DTUYWwzTR5CXCox967FZV46FQ8Jof3c7fsXCNUajHzcUh
zxqp+AdCmQKBgHeV5bqTxzZKrvtlZfQXBOKzw/VhuHs4kmOwTtvPGKnY0JUKZUB1
10fq+RUB0P+o/DFgVFRnCOSFRFqGt8NrCpcsNK7STqZyDCt2bwODkDsIm5hIGhzo
2jmTqd2j6Ibe3xgRO/GZ0MHSB2TpmoNhFzJN1xbaInLM7ba+CLcKfHI5AoGBAIaS
b3O4uSHYnrwnt7KybXi2Gr5tb7HzJrKhfOf5AKKb1VqkIBOLpx55wzp/LVdka0aS
aixaNgp/cU0/RWtcq453jzeayvf8nYKLexFgYnyF/M3BPguEWPsqQenENtrv3tH5
SX2FJnePxY0dq5n+Y5JV+SWsbNFliDYLniX6SimpAoGAR9ABECd9DMnhgi+WkhZs
55YBE8P8jFuSUASBIKVmke60nDn4oot0YD74kykb6TxasGXX5lC1vCje/olNBIGM
y687YmrudDfXWxEUwlHMoec5wrHDGIGCnBRAlt4whDoCREH1H+fp/9BgAThcjv58
NyNDfW+vGpDlkbwFvyhc4pY=
-----END PRIVATE KEY-----
}
}
custom-config {
custom-config-id service:VPNClient:vpnclient.pem
custom-command vpnclient.pem
config {
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 2 (0x2)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=WA, O=core-dev/emailAddress=root@localhost
Validity
Not Before: May 19 02:09:57 2015 GMT
Not After : Apr 25 02:09:57 2115 GMT
Subject: C=US, ST=WA, O=core-dev, CN=vpnclient/emailAddress=root@localhost
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:ba:4f:ed:57:1b:f1:10:5f:ca:63:bc:64:aa:e5:
03:12:e8:6f:2c:aa:8c:e3:0c:f2:27:67:3f:21:4a:
e9:1e:24:2b:9e:13:d2:1b:fe:76:e0:f7:05:cb:49:
3e:9f:01:50:3f:56:c6:38:78:65:d9:cd:03:41:be:
5e:81:c5:55:e3:8e:3f:d4:91:8e:11:f9:15:dc:84:
a8:e0:f3:97:ea:f8:8d:fb:b9:99:f3:50:bd:d2:da:
32:1a:96:cc:01:e0:bb:0b:48:6b:ac:05:b4:d3:7d:
ef:2f:d2:b3:02:3d:55:33:a2:33:12:5e:19:0e:54:
9b:35:83:3b:ac:99:d3:67:a8:48:3b:4d:9f:96:e0:
eb:f5:da:3c:c0:09:b4:5d:18:c0:39:ef:6b:17:be:
75:d1:3e:17:51:04:8e:02:49:fa:ec:3d:1b:9e:58:
f3:b7:d7:ba:0b:0c:21:02:32:bc:73:cd:af:72:eb:
95:05:4b:7a:0f:16:f7:f6:b3:aa:11:ec:59:40:20:
4a:b4:67:56:14:41:ac:b1:2c:31:f4:90:4d:59:8e:
12:f1:06:66:aa:34:ee:e1:0f:48:02:8d:86:17:f1:
74:87:3a:98:aa:d3:8e:4d:f8:e1:a6:29:c2:37:4e:
1f:19:b0:69:17:28:c3:32:43:5c:8d:6b:57:36:3e:
e7:a1
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Key Identifier:
55:33:21:40:42:B6:63:7F:EA:A5:20:FA:18:21:C7:27:5B:6F:65:68
X509v3 Authority Key Identifier:
keyid:DB:D2:9C:8D:22:D9:D7:E2:38:A0:8D:6C:3B:BE:33:CE:8D:2A:BE:C8
DirName:/C=US/ST=WA/O=core-dev/emailAddress=root@localhost
serial:CE:78:96:91:DB:9B:84:FD
Signature Algorithm: sha256WithRSAEncryption
33:e5:aa:b3:19:63:ce:24:c7:ee:2f:11:18:5b:7b:1d:6b:4c:
71:2d:0b:ea:6f:9b:5e:43:11:45:50:a6:00:fc:19:11:50:46:
6a:d8:1d:38:eb:9f:3a:81:09:6e:dc:ae:b3:df:71:85:e2:16:
7e:b8:bf:4c:ec:36:97:ae:58:a6:d9:d1:64:47:cf:8b:e8:0e:
8c:41:2e:c3:a7:32:ef:a0:90:c2:5c:e5:6f:aa:03:ca:15:7f:
fb:ef:42:b1:22:28:47:fe:0a:df:58:b5:88:5b:a6:15:f8:13:
3f:7e:19:da:ec:3f:63:72:0b:e5:c6:94:9f:53:1c:99:60:48:
25:b5:b4:60:9a:4a:94:ab:68:be:5a:08:67:4c:c8:b5:7e:12:
32:2c:e9:e7:fb:d1:a2:40:a8:e6:68:0e:37:a1:48:99:17:b6:
40:f6:50:0a:f7:16:d1:90:e6:8a:3e:b0:c7:21:aa:9a:b9:79:
6a:69:5c:25:9b:4b:29:b7:0e:13:80:ea:e8:5c:6d:95:cd:5c:
69:de:20:69:d7:df:20:ec:6f:7b:9f:1d:61:c2:d1:59:6f:1e:
0a:45:01:f6:25:02:e5:be:fb:91:a9:82:08:c8:42:2a:3e:2c:
75:bb:4e:9c:0a:b6:07:24:52:e5:4f:f5:81:45:7b:77:ca:19:
38:56:7f:17:63:5e:1f:a4:be:03:7d:d3:48:fc:e9:43:5c:2b:
b1:d5:da:44:c0:0c:56:23:4a:7d:bf:c0:ac:c6:9c:93:6d:69:
9a:b9:02:3e:aa:1b:27:3e:b1:c8:6a:39:96:09:1d:c0:08:c8:
1c:a4:82:ea:d2:72:e7:e1:47:66:7f:76:ac:d5:8c:99:59:02:
25:ee:ec:ad:76:65:0f:8a:ba:5f:a7:33:ef:8e:34:71:d2:f5:
3c:63:b0:c4:b2:65:c2:55:2d:35:d7:13:04:9c:87:d2:76:6b:
af:37:ba:58:d2:63:e0:fb:9c:a4:3a:97:e4:e6:79:0f:ca:d4:
07:8c:39:80:4d:5e:d4:09:3a:09:1f:16:1a:58:c0:96:58:19:
e8:f7:56:bc:bd:fd:23:f4:4b:93:eb:a4:f2:22:7d:7c:d2:f3:
6b:5a:13:24:a6:b8:1a:33:0c:fa:cd:77:36:12:c8:c6:ac:e9:
0f:29:1a:4f:c3:3c:92:53:8c:af:80:04:ac:9b:2a:73:af:a8:
0f:ef:7d:9f:5e:7c:52:d3:03:2e:19:6f:25:b0:f7:17:ef:c9:
37:b9:50:ad:60:b0:c7:d9:ba:8f:9e:93:27:ba:52:27:70:b8:
ae:2b:9a:f7:33:2a:fd:a6:51:f5:e2:42:1a:e9:e6:08:5e:62:
75:e9:b2:1b:ca:ce:cd:d1
-----BEGIN CERTIFICATE-----
MIIE1TCCAr2gAwIBAgIBAjANBgkqhkiG9w0BAQsFADBMMQswCQYDVQQGEwJVUzEL
MAkGA1UECBMCV0ExETAPBgNVBAoTCGNvcmUtZGV2MR0wGwYJKoZIhvcNAQkBFg5y
b290QGxvY2FsaG9zdDAgFw0xNTA1MTkwMjA5NTdaGA8yMTE1MDQyNTAyMDk1N1ow
YDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAldBMREwDwYDVQQKEwhjb3JlLWRldjES
MBAGA1UEAxMJdnBuY2xpZW50MR0wGwYJKoZIhvcNAQkBFg5yb290QGxvY2FsaG9z
dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALpP7Vcb8RBfymO8ZKrl
AxLobyyqjOMM8idnPyFK6R4kK54T0hv+duD3BctJPp8BUD9Wxjh4ZdnNA0G+XoHF
VeOOP9SRjhH5FdyEqODzl+r4jfu5mfNQvdLaMhqWzAHguwtIa6wFtNN97y/SswI9
VTOiMxJeGQ5UmzWDO6yZ02eoSDtNn5bg6/XaPMAJtF0YwDnvaxe+ddE+F1EEjgJJ
+uw9G55Y87fXugsMIQIyvHPNr3LrlQVLeg8W9/azqhHsWUAgSrRnVhRBrLEsMfSQ
TVmOEvEGZqo07uEPSAKNhhfxdIc6mKrTjk344aYpwjdOHxmwaRcowzJDXI1rVzY+
56ECAwEAAaOBqzCBqDAJBgNVHRMEAjAAMB0GA1UdDgQWBBRVMyFAQrZjf+qlIPoY
IccnW29laDB8BgNVHSMEdTBzgBTb0pyNItnX4jigjWw7vjPOjSq+yKFQpE4wTDEL
MAkGA1UEBhMCVVMxCzAJBgNVBAgTAldBMREwDwYDVQQKEwhjb3JlLWRldjEdMBsG
CSqGSIb3DQEJARYOcm9vdEBsb2NhbGhvc3SCCQDOeJaR25uE/TANBgkqhkiG9w0B
AQsFAAOCAgEAM+WqsxljziTH7i8RGFt7HWtMcS0L6m+bXkMRRVCmAPwZEVBGatgd
OOufOoEJbtyus99xheIWfri/TOw2l65YptnRZEfPi+gOjEEuw6cy76CQwlzlb6oD
yhV/++9CsSIoR/4K31i1iFumFfgTP34Z2uw/Y3IL5caUn1McmWBIJbW0YJpKlKto
vloIZ0zItX4SMizp5/vRokCo5mgON6FImRe2QPZQCvcW0ZDmij6wxyGqmrl5amlc
JZtLKbcOE4Dq6Fxtlc1cad4gadffIOxve58dYcLRWW8eCkUB9iUC5b77kamCCMhC
Kj4sdbtOnAq2ByRS5U/1gUV7d8oZOFZ/F2NeH6S+A33TSPzpQ1wrsdXaRMAMViNK
fb/ArMack21pmrkCPqobJz6xyGo5lgkdwAjIHKSC6tJy5+FHZn92rNWMmVkCJe7s
rXZlD4q6X6cz7440cdL1PGOwxLJlwlUtNdcTBJyH0nZrrze6WNJj4PucpDqX5OZ5
D8rUB4w5gE1e1Ak6CR8WGljAllgZ6PdWvL39I/RLk+uk8iJ9fNLza1oTJKa4GjMM
+s13NhLIxqzpDykaT8M8klOMr4AErJsqc6+oD+99n158UtMDLhlvJbD3F+/JN7lQ
rWCwx9m6j56TJ7pSJ3C4riua9zMq/aZR9eJCGunmCF5idemyG8rOzdE=
-----END CERTIFICATE-----
}
}
custom-config {
custom-config-id service:VPNClient:vpnclient.sh
custom-command vpnclient.sh
config {
#!/bin/sh
# custom VPN Client configuration for service (security.py)
# -------- CUSTOMIZATION REQUIRED --------
#
# The VPNClient service builds a VPN tunnel to the specified VPN server using
# OpenVPN software and a virtual TUN/TAP device.
# directory containing the certificate and key described below
certdir=$SESSION_DIR/certs
keydir=$PWD
# the name used for a "$keyname.pem" certificate and "$keyname.key" private key.
keyname=vpnclient
# the public IP address of the VPN server this client should connect with
vpnserver="10.0.1.10"
# optional next hop for adding a static route to reach the VPN server
nexthop=""
# --------- END CUSTOMIZATION --------
# validate addresses
if [ "$(dpkg -l | grep sipcalc)" = "" ]; then
echo "WARNING: ip validation disabled because package sipcalc not installed
" > $PWD/vpnclient.log
else
if [ "$(sipcalc "$vpnserver" "$nexthop" | grep ERR)" != "" ]; then
echo "ERROR: invalide address $vpnserver or $nexthop \
" > $PWD/vpnclient.log
fi
fi
# validate key and certification files
check-key-file() {
if [ ! -e $1 ]; then
echo "ERROR: missing certification or key file: $1" >> $PWD/vpnserver.log
fi
}
check-key-file $keydir/$keyname.key
check-key-file $keydir/$keyname.pem
check-key-file $certdir/ca-cert.pem
check-key-file $certdir/dh2048.pem
# if necessary, add a static route for reaching the VPN server IP via the IF
vpnservernet=${vpnserver%.*}.0/24
if [ "$nexthop" != "" ]; then
/sbin/ip route add $vpnservernet via $nexthop
fi
# create openvpn client.conf
(
cat << EOF
client
dev tun
proto udp
remote $vpnserver 1194
nobind
ca $certdir/ca-cert.pem
cert $keydir/$keyname.pem
key $keydir/$keyname.key
dh $certdir/dh2048.pem
cipher AES-256-CBC
log /var/log/openvpn-client.log
verb 4
daemon
EOF
) > client.conf
openvpn --config client.conf
}
}
custom-config {
custom-config-id service:VPNClient
custom-command VPNClient
config {
('vpnclient.sh', 'vpnclient.pem', 'vpnclient.key', )
60
('bash vpnclient.sh', )
('killall openvpn', )
('pidof openvpn', )
}
}
services {DefaultRoute VPNClient}
}
node n7 {
type lanswitch
network-config {
hostname n7
!
}
canvas c1
iconcoords {824.0 458.0}
labelcoords {824.0 482.0}
interface-peer {e0 n5}
interface-peer {e1 n8}
interface-peer {e2 n9}
interface-peer {e3 n10}
}
node n8 {
type router
model PC
network-config {
hostname n8
!
interface eth0
ip address 10.0.6.20/24
ipv6 address 2001:6::20/64
!
}
canvas c1
iconcoords {801.0 264.0}
labelcoords {801.0 296.0}
interface-peer {eth0 n7}
}
node n9 {
type router
model PC
network-config {
hostname n9
!
interface eth0
ip address 10.0.6.21/24
ipv6 address 2001:6::21/64
!
}
canvas c1
iconcoords {885.0 305.0}
labelcoords {885.0 337.0}
interface-peer {eth0 n7}
}
node n10 {
type router
model PC
network-config {
hostname n10
!
interface eth0
ip address 10.0.6.22/24
ipv6 address 2001:6::22/64
!
}
canvas c1
iconcoords {954.0 353.0}
labelcoords {954.0 385.0}
interface-peer {eth0 n7}
}
link l1 {
nodes {n6 n1}
bandwidth 0
}
link l2 {
nodes {n4 n5}
bandwidth 0
}
link l3 {
nodes {n1 n2}
bandwidth 0
}
link l4 {
nodes {n3 n4}
bandwidth 0
}
link l5 {
nodes {n3 n1}
bandwidth 0
}
link l6 {
nodes {n4 n2}
bandwidth 0
}
link l7 {
nodes {n5 n7}
bandwidth 0
}
link l8 {
nodes {n8 n7}
bandwidth 0
}
link l9 {
nodes {n9 n7}
bandwidth 0
}
link l10 {
nodes {n10 n7}
bandwidth 0
}
annotation a1 {
iconcoords {661.0 187.0 997.0 579.0}
type rectangle
label {private network}
labelcolor black
fontfamily {Arial}
fontsize 12
color #e9e9fe
width 0
border black
rad 25
effects {bold}
canvas c1
}
canvas c1 {
name {Canvas1}
}
hook 3:instantiation_hook.sh {
#!/bin/sh
# session hook script; write commands here to execute on the host at the
# specified state
CERT_DIR=$SESSION_DIR/certs
mkdir $CERT_DIR
cat > $CERT_DIR/dh2048.pem <<EOF
-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEAr4EyM7+wOHR5bZsHIGDEfrGLAKcLpt3Mfx2ZeyBVqjIfdFVjYHlu
6RtsmyjLCACeyaf9fGW6LcsHzuBIBLXIFEKLWOTjf5BS1Zs7xL/zB8JZhQOhG9FD
lPxCFpVAsfHii4RW/CJeEbNemrPWpzvelyrj2xcvTVo34U7mkNjZkkVkDba6RZWG
gAPCDc7cpGrjB59ggFiVDssBY2WJXUH380om6eMUiOICdibLs3H01YDboNeK/RlS
yV0V1QDPIwZWMq2enHPu1Gb70r43Y4+ttK3CCI1dNgBmYsc5nzOLEz5zmgkgNkx1
pCGJcYvfp9oQFkdWwv2ALv+Q4pDLpnw1KwIBAg==
-----END DH PARAMETERS-----
EOF
cat > $CERT_DIR/ca-cert.pem <<EOF
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 14877806922217260285 (0xce789691db9b84fd)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=WA, O=core-dev/emailAddress=root@localhost
Validity
Not Before: May 19 02:09:57 2015 GMT
Not After : Apr 25 02:09:57 2115 GMT
Subject: C=US, ST=WA, O=core-dev/emailAddress=root@localhost
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:bc:0a:6e:71:01:f7:e4:7d:4b:88:94:08:46:28:
9d:ee:f1:9d:10:b1:a2:9d:42:ab:71:f1:e1:bc:16:
a7:b8:6e:d6:30:e6:f3:b0:c0:b7:a9:8b:86:f3:13:
25:95:89:00:48:29:b7:83:f7:db:27:1d:b8:0a:bc:
b2:e3:a8:c7:4a:e6:89:6e:04:6d:fb:db:2e:de:48:
6a:4b:3b:82:2a:19:21:c6:8c:ab:7d:13:3e:79:93:
64:66:c0:85:82:be:af:76:e0:c8:f2:7f:67:62:25:
bb:d5:cc:e2:f0:f0:14:3a:9f:1e:62:d2:8b:df:72:
e0:bf:01:b9:28:da:8d:4e:f9:f2:94:7f:20:1c:cd:
8d:07:a0:b1:e9:47:a9:57:57:c0:75:29:d1:f9:11:
61:55:20:34:9f:5a:1d:01:d8:4a:53:44:08:f7:2d:
bc:0e:75:29:bb:94:be:47:17:65:bf:50:88:85:c7:
3b:12:bd:46:34:12:41:e5:55:b4:5b:59:67:8b:d9:
53:7d:2f:dc:34:78:b1:f9:b0:3c:e8:fe:fe:65:43:
6b:e4:00:06:e3:df:d8:0a:06:62:7c:6a:e4:68:e6:
68:88:98:49:59:c3:41:76:f1:fe:d7:0a:6d:a4:f4:
4d:0a:cb:2a:94:a9:b2:4b:b5:fb:10:bb:7d:31:83:
a2:42:e0:77:27:72:25:0e:55:19:c2:76:22:cd:ed:
9c:8e:8f:49:35:d2:ea:a1:5d:65:be:93:8b:e7:06:
d5:a0:51:d3:ad:c0:8b:81:64:89:81:e2:c0:6e:d6:
85:07:3c:22:8d:0b:c1:70:5f:c5:1d:62:03:3a:d3:
4b:f5:5d:83:15:fe:08:86:d1:c7:2a:a2:62:73:fb:
9e:f4:2f:cb:dd:55:1b:05:16:2c:0b:2b:b4:f2:78:
f5:59:f6:5a:34:62:6c:b8:f1:d4:b8:24:fe:b8:91:
99:ad:27:fc:52:05:60:45:11:dc:b0:63:b5:4e:3f:
c7:19:c4:93:a1:06:5f:b2:52:51:4e:17:b5:9a:49:
08:03:c0:0b:2f:10:8c:17:fb:76:e8:00:6f:f1:5f:
2b:c6:50:26:df:35:aa:f7:ba:67:65:10:43:b6:96:
1a:e7:42:22:a0:f3:67:00:74:6c:66:5e:61:ab:76:
f6:2e:98:a8:b5:03:eb:0b:c5:9c:ad:23:e8:b3:3a:
23:11:c1:28:58:88:a7:a8:ef:1c:69:0e:3a:37:29:
92:43:fb:64:5f:88:0c:ff:ee:76:55:51:55:0d:79:
89:63:a6:fd:33:d0:fc:34:d2:8c:fa:52:0b:f1:7f:
71:e1:e7:be:7e:31:d5:d9:3a:b7:2b:74:fe:d2:77:
28:22:19
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
DB:D2:9C:8D:22:D9:D7:E2:38:A0:8D:6C:3B:BE:33:CE:8D:2A:BE:C8
X509v3 Authority Key Identifier:
keyid:DB:D2:9C:8D:22:D9:D7:E2:38:A0:8D:6C:3B:BE:33:CE:8D:2A:BE:C8
DirName:/C=US/ST=WA/O=core-dev/emailAddress=root@localhost
serial:CE:78:96:91:DB:9B:84:FD
X509v3 Basic Constraints:
CA:TRUE
X509v3 Key Usage:
Certificate Sign, CRL Sign
Signature Algorithm: sha256WithRSAEncryption
9b:3e:53:96:8e:70:3d:b0:cb:95:11:e2:96:19:14:b4:39:80:
8f:55:6e:e5:51:3d:b3:a3:67:f5:58:a0:a4:11:86:99:38:22:
a2:64:27:8b:9b:e4:e4:12:1d:ca:74:23:24:a7:5d:7c:0d:9e:
6c:03:87:33:8f:63:98:12:f5:ce:29:6e:ff:26:fd:c9:e3:60:
35:21:41:1f:da:07:8c:3b:28:cf:34:d3:61:50:90:fe:3e:67:
a4:0d:77:6b:d2:f8:b4:72:3e:bf:b8:59:a0:dc:b6:cf:04:49:
47:da:dc:b1:2f:13:d2:6b:2d:c5:af:cc:e5:d1:68:ae:f4:b9:
7a:33:18:f3:6f:2a:d7:be:48:41:b3:30:e1:0a:f6:eb:c7:18:
ec:5f:0f:ee:a0:11:0e:0a:79:80:7e:2d:cb:9f:3e:e2:46:85:
c8:4a:97:5a:18:19:b9:1d:1d:2c:69:32:eb:c1:d1:06:98:e9:
fc:75:69:11:4b:28:2a:1c:c5:0d:91:2c:1f:40:79:f5:82:9e:
6f:16:d8:00:5e:c4:ec:e0:3f:34:25:9f:53:74:61:75:ea:03:
2f:2a:79:2f:cc:db:63:60:44:b1:e3:07:a3:30:37:83:77:b8:
03:f6:05:fd:89:b7:c7:f9:f9:d6:48:f1:29:52:c2:51:aa:9b:
ae:3d:e8:5f:17:a6:93:94:e5:18:06:02:fd:01:50:17:00:26:
27:e8:93:bc:09:a4:b6:47:ce:37:8b:d0:3d:0c:03:9c:a9:30:
80:12:64:84:ec:bd:7f:72:82:84:58:29:0d:26:dc:cc:da:c4:
d4:f5:2b:6a:75:a0:6e:88:f1:10:67:63:55:b3:24:f9:a7:4f:
92:94:65:5f:10:69:84:1a:26:e0:a9:d6:75:93:17:16:c4:1b:
49:71:c4:3c:0d:a1:27:92:bd:9a:7e:5b:71:96:b6:20:55:3b:
63:0c:7b:75:13:36:a4:bf:df:f7:5d:44:13:f2:89:12:0e:4a:
52:a5:7f:3e:6f:d5:2e:65:8e:20:07:94:0d:4e:cd:1c:a9:4f:
be:20:67:3c:b0:f9:15:84:62:1c:5f:09:9e:c4:78:95:4b:a8:
4d:24:e8:22:b0:bd:57:d7:00:ea:37:97:3e:35:02:89:51:fe:
13:d2:1c:e9:86:48:40:82:e1:ed:2f:fa:9c:6a:99:9e:82:9c:
15:b8:e1:ba:1e:0f:a6:bb:d2:23:4e:07:94:d6:99:b9:4b:36:
5b:f6:87:91:42:17:5e:7e:57:b0:e5:9a:d1:00:4d:f6:e0:f2:
af:02:c7:bf:0b:0d:3a:5f:02:e9:ff:c7:ca:7b:43:47:05:aa:
9c:4b:8f:7d:cb:e0:79:96
-----BEGIN CERTIFICATE-----
MIIF2TCCA8GgAwIBAgIJAM54lpHbm4T9MA0GCSqGSIb3DQEBCwUAMEwxCzAJBgNV
BAYTAlVTMQswCQYDVQQIEwJXQTERMA8GA1UEChMIY29yZS1kZXYxHTAbBgkqhkiG
9w0BCQEWDnJvb3RAbG9jYWxob3N0MCAXDTE1MDUxOTAyMDk1N1oYDzIxMTUwNDI1
MDIwOTU3WjBMMQswCQYDVQQGEwJVUzELMAkGA1UECBMCV0ExETAPBgNVBAoTCGNv
cmUtZGV2MR0wGwYJKoZIhvcNAQkBFg5yb290QGxvY2FsaG9zdDCCAiIwDQYJKoZI
hvcNAQEBBQADggIPADCCAgoCggIBALwKbnEB9+R9S4iUCEYone7xnRCxop1Cq3Hx
4bwWp7hu1jDm87DAt6mLhvMTJZWJAEgpt4P32ycduAq8suOox0rmiW4EbfvbLt5I
aks7gioZIcaMq30TPnmTZGbAhYK+r3bgyPJ/Z2Ilu9XM4vDwFDqfHmLSi99y4L8B
uSjajU758pR/IBzNjQegselHqVdXwHUp0fkRYVUgNJ9aHQHYSlNECPctvA51KbuU
vkcXZb9QiIXHOxK9RjQSQeVVtFtZZ4vZU30v3DR4sfmwPOj+/mVDa+QABuPf2AoG
Ynxq5GjmaIiYSVnDQXbx/tcKbaT0TQrLKpSpsku1+xC7fTGDokLgdydyJQ5VGcJ2
Is3tnI6PSTXS6qFdZb6Ti+cG1aBR063Ai4FkiYHiwG7WhQc8Io0LwXBfxR1iAzrT
S/VdgxX+CIbRxyqiYnP7nvQvy91VGwUWLAsrtPJ49Vn2WjRibLjx1Lgk/riRma0n
/FIFYEUR3LBjtU4/xxnEk6EGX7JSUU4XtZpJCAPACy8QjBf7dugAb/FfK8ZQJt81
qve6Z2UQQ7aWGudCIqDzZwB0bGZeYat29i6YqLUD6wvFnK0j6LM6IxHBKFiIp6jv
HGkOOjcpkkP7ZF+IDP/udlVRVQ15iWOm/TPQ/DTSjPpSC/F/ceHnvn4x1dk6tyt0
/tJ3KCIZAgMBAAGjgbswgbgwHQYDVR0OBBYEFNvSnI0i2dfiOKCNbDu+M86NKr7I
MHwGA1UdIwR1MHOAFNvSnI0i2dfiOKCNbDu+M86NKr7IoVCkTjBMMQswCQYDVQQG
EwJVUzELMAkGA1UECBMCV0ExETAPBgNVBAoTCGNvcmUtZGV2MR0wGwYJKoZIhvcN
AQkBFg5yb290QGxvY2FsaG9zdIIJAM54lpHbm4T9MAwGA1UdEwQFMAMBAf8wCwYD
VR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUAA4ICAQCbPlOWjnA9sMuVEeKWGRS0OYCP
VW7lUT2zo2f1WKCkEYaZOCKiZCeLm+TkEh3KdCMkp118DZ5sA4czj2OYEvXOKW7/
Jv3J42A1IUEf2geMOyjPNNNhUJD+PmekDXdr0vi0cj6/uFmg3LbPBElH2tyxLxPS
ay3Fr8zl0Wiu9Ll6MxjzbyrXvkhBszDhCvbrxxjsXw/uoBEOCnmAfi3Lnz7iRoXI
SpdaGBm5HR0saTLrwdEGmOn8dWkRSygqHMUNkSwfQHn1gp5vFtgAXsTs4D80JZ9T
dGF16gMvKnkvzNtjYESx4wejMDeDd7gD9gX9ibfH+fnWSPEpUsJRqpuuPehfF6aT
lOUYBgL9AVAXACYn6JO8CaS2R843i9A9DAOcqTCAEmSE7L1/coKEWCkNJtzM2sTU
9StqdaBuiPEQZ2NVsyT5p0+SlGVfEGmEGibgqdZ1kxcWxBtJccQ8DaEnkr2afltx
lrYgVTtjDHt1Ezakv9/3XUQT8okSDkpSpX8+b9UuZY4gB5QNTs0cqU++IGc8sPkV
hGIcXwmexHiVS6hNJOgisL1X1wDqN5c+NQKJUf4T0hzphkhAguHtL/qcapmegpwV
uOG6Hg+mu9IjTgeU1pm5SzZb9oeRQhdeflew5ZrRAE324PKvAse/Cw06XwLp/8fK
e0NHBaqcS499y+B5lg==
-----END CERTIFICATE-----
EOF
}
option global {
interface_names no
ip_addresses yes
ipv6_addresses no
node_labels yes
link_labels yes
ipsec_configs yes
exec_errors yes
show_api no
background_images no
annotations yes
grid yes
traffic_start 0
}
Reference in a new issue View git blame Copy permalink