dynamic-router-config

#!/bin/bash -
#===============================================================================
#
#          FILE: dynamic-router-config
#
#         USAGE: ./dynamic-router-config vpn-XXXXXX.txt
#
#   DESCRIPTION: Generate Mikrotik ipsec config to connect to AWS VPC
#
#       OPTIONS:
#  REQUIREMENTS:
#          BUGS: ---
#         NOTES: Based on same purpose script from Mate-Laszlo Lang <mate@smartup.io> available in https://github.com/smartupio/aws-vpn-mikrotik
#        AUTHOR: Fernando Augusto Medeiros Silva (fams), fams@linuxplace.com.br
#  ORGANIZATION: Linuxplace
#       CREATED: 21/09/2016 16:24
#      REVISION:  0.1
#===============================================================================

#set -o nounset                              # Treat unset variables as an error

set -e

AWS_GENERIC_CONFIG_FILE=$1

if [ x == x$AWS_GENERIC_CONFIG_FILE ];
then
  echo "You should provide an AWS generated config file"
  exit 1
fi

VPN_CONNECTION_ID=$(grep 'Your\ VPN\ Connection\ ID.*:' $1 | sed 's/.*: \(.*\)$/\1/')
read -a VPN_CONNECTION_ID <<< $VPN_CONNECTION_ID

AWS_ADDRESSES_TO_USE=$(grep --color -A2 'Address' $1 | sed 's/.*:\ \(.*\)$/\1/' | grep '^[0-9].*$' | sed 's/^\(.*\)\/.*$/\1/')
read -a AWS_ADDRESSES_TO_USE <<< $AWS_ADDRESSES_TO_USE

AWS_SECRETS_TO_USE=$(grep 'Pre-Shared\ Key.*:' $1 | sed 's/.*: \(.*\)$/\1/')
read -a AWS_SECRETS_TO_USE <<< $AWS_SECRETS_TO_USE

AWS_CUSTOMER_ASN_TO_USE=$(grep 'Customer.*Gateway.*ASN'  $1  |awk -F: '{print $2}'| sed -e 's/[\t\  ]//g')
read -a AWS_CUSTOMER_ASN_TO_USE <<< $AWS_CUSTOMER_ASN_TO_USE

AWS_VIRTUAL_GATEWAY_ASN_TO_USE=$(grep 'Virtual.*Private.*Gateway.*ASN'  $1 |awk -F: '{print $2}'| sed -e 's/[\t\  ]//g')
read -a AWS_VIRTUAL_GATEWAY_ASN_TO_USE <<< $AWS_VIRTUAL_GATEWAY_ASN_TO_USE


# Tunnel 1 details
AWS_TUNNEL1_PUBLIC_ADDR="${AWS_ADDRESSES_TO_USE[1]}"
AWS_TUNNEL1_INSIDE_CUSTOMER_GATEWAY_ADDR="${AWS_ADDRESSES_TO_USE[2]}"
AWS_TUNNEL1_INSIDE_VIRTUAL_GATEWAY_ADDR="${AWS_ADDRESSES_TO_USE[3]}"
AWS_TUNNEL1_INSIDE_NETWORK=$(echo $AWS_TUNNEL1_INSIDE_VIRTUAL_GATEWAY_ADDR | sed 's/\(^.*\..*\..*\.\).*$/\10/')
AWS_TUNNEL1_SHARED_SECRET="${AWS_SECRETS_TO_USE[0]}"

AWS_TUNNEL1_CUSTOMER_ASN="${AWS_CUSTOMER_ASN_TO_USE[0]}"
AWS_TUNNEL1_VIRTUAL_GATEWAY_ASN="${AWS_VIRTUAL_GATEWAY_ASN_TO_USE[0]}"

# Tunnel 2 details
AWS_TUNNEL2_PUBLIC_ADDR="${AWS_ADDRESSES_TO_USE[7]}"
AWS_TUNNEL2_INSIDE_CUSTOMER_GATEWAY_ADDR="${AWS_ADDRESSES_TO_USE[8]}"
AWS_TUNNEL2_INSIDE_VIRTUAL_GATEWAY_ADDR="${AWS_ADDRESSES_TO_USE[9]}"
AWS_TUNNEL2_INSIDE_NETWORK=$(echo $AWS_TUNNEL2_INSIDE_VIRTUAL_GATEWAY_ADDR | sed 's/\(^.*\..*\..*\.\).*$/\10/')
AWS_TUNNEL2_SHARED_SECRET="${AWS_SECRETS_TO_USE[1]}"

AWS_TUNNEL2_CUSTOMER_ASN="${AWS_CUSTOMER_ASN_TO_USE[1]}"
AWS_TUNNEL2_VIRTUAL_GATEWAY_ASN="${AWS_VIRTUAL_GATEWAY_ASN_TO_USE[1]}"

# Home Network Configuration
CUSTOMER_PUBLIC_ADDR="${AWS_ADDRESSES_TO_USE[0]}"

# Network Detail
DEFAULT_LOCAL_NET="192.168.0.0/24"
echo -n "Type in local network CIDR (Enter to use guessed $DEFAULT_LOCAL_NET): "
read LOCAL_NET
if [ x == x$LOCAL_NET ];
then
  LOCAL_NET=$DEFAULT_LOCAL_NET
fi

DEFAULT_LOCAL_INTERFACE="ether1-local"
echo -n "Type in local MKT interface (Enter to use guessed $DEFAULT_LOCAL_INTERFACE): "
read LOCAL_INTERFACE
if [ x == x$LOCAL_INTERFACE ];
then
  LOCAL_INTERFACE=$DEFAULT_LOCAL_INTERFACE
fi

DEFAULT_PUBLIC_INTERFACE="ether2-internet"
echo -n "Type in PUBLIC MKT interface (Enter to use guessed $DEFAULT_PUBLIC_INTERFACE): "
read PUBLIC_INTERFACE
if [ x == x$PUBLIC_INTERFACE ];
then
  PUBLIC_INTERFACE=$DEFAULT_PUBLIC_INTERFACE
fi


# VPC Details
echo -n "Type in your VPC CIDR [10.0.0.0/16]):"
read VPC_NET
if [ x == x$VPC_NET ];
then
  VPC_NET="10.0.0.0/16"
fi

echo
echo "Your configuration will be created by using the following values"
echo "Your public adddress: $CUSTOMER_PUBLIC_ADDR"
echo "Your local network CIDR: $LOCAL_NET"
echo "Your VPC's CIDR: $VPC_NET"
echo

echo "AWS Tunnel #1 - Public Address: $AWS_TUNNEL1_PUBLIC_ADDR"
echo "AWS Tunnel #1 - Inside Customer Gateway Address: $AWS_TUNNEL1_INSIDE_CUSTOMER_GATEWAY_ADDR"
echo "AWS Tunnel #1 - Inside Virtual Gateway Address: $AWS_TUNNEL1_INSIDE_VIRTUAL_GATEWAY_ADDR"
echo "AWS Tunnel #1 - Secret: $AWS_TUNNEL1_SHARED_SECRET"
echo "AWS Tunnel #1 - Customer ASN: $AWS_TUNNEL1_CUSTOMER_ASN"
echo "AWS Tunnel #1 - Virtual Gateway ASN: $AWS_TUNNEL1_VIRTUAL_GATEWAY_ASN"
echo

echo "AWS Tunnel #2 - Public Address: $AWS_TUNNEL2_PUBLIC_ADDR"
echo "AWS Tunnel #2 - Inside Customer Gateway Address: $AWS_TUNNEL2_INSIDE_CUSTOMER_GATEWAY_ADDR"
echo "AWS Tunnel #2 - Inside Virtual Gateway Address: $AWS_TUNNEL2_INSIDE_VIRTUAL_GATEWAY_ADDR"
echo "AWS Tunnel #2 - Secret: $AWS_TUNNEL2_SHARED_SECRET"
echo "AWS Tunnel #2 - Customer ASN: $AWS_TUNNEL2_CUSTOMER_ASN"
echo "AWS Tunnel #2 - Virtual Gateway ASN: $AWS_TUNNEL2_VIRTUAL_GATEWAY_ASN"
echo

echo -n "Is this correct(y/n)? "
read CONFIRM
if [ xy != x$CONFIRM ];
then
  echo "You backed out. Exiting."
  exit 0
fi

echo -n "Generate the config file in [./mikrotik-aws-config]:"
read CONFIG_FILE_PATH
if [ x == x$CONFIG_FILE_PATH ];
then
  CONFIG_FILE_PATH="mikrotik-aws-config"
fi
cat >$CONFIG_FILE_PATH <<EOF
/ip addr
  add address=$AWS_TUNNEL1_INSIDE_CUSTOMER_GATEWAY_ADDR/30 interface=$PUBLIC_INTERFACE comment="awsvpc1-$VPN_CONNECTION_ID"
  add address=$AWS_TUNNEL2_INSIDE_CUSTOMER_GATEWAY_ADDR/30 interface=$PUBLIC_INTERFACE comment="awsvpc2-$VPN_CONNECTION_ID"

/ip ipsec proposal
  add auth-algorithms=sha1 comment="AWS PROPOSAL" enc-algorithms=aes-128-cbc lifetime=01:00:00 name=aws pfs-group=modp1024

/ip ipsec policy
  add src-address=0.0.0.0/0  src-port=any dst-address=$VPC_NET dst-port=any  protocol=all action=encrypt level=require   ipsec-protocols=esp  tunnel=yes sa-src-address=$CUSTOMER_PUBLIC_ADDR sa-dst-address=$AWS_TUNNEL1_PUBLIC_ADDR  proposal=aws

  add src-address=0.0.0.0/0  src-port=any dst-address=$VPC_NET dst-port=any  protocol=all action=encrypt level=require    ipsec-protocols=esp  tunnel=yes sa-src-address=$CUSTOMER_PUBLIC_ADDR sa-dst-address=$AWS_TUNNEL2_PUBLIC_ADDR proposal=aws

  add src-address=0.0.0.0/0  src-port=any dst-address=$AWS_TUNNEL1_INSIDE_VIRTUAL_GATEWAY_ADDR/32 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp  tunnel=yes sa-src-address=$CUSTOMER_PUBLIC_ADDR sa-dst-address=$AWS_TUNNEL1_PUBLIC_ADDR  proposal=aws

  add src-address=0.0.0.0/0  src-port=any dst-address=$AWS_TUNNEL2_INSIDE_VIRTUAL_GATEWAY_ADDR/32 dst-port=any  protocol=all action=encrypt level=require ipsec-protocols=esp  tunnel=yes sa-src-address=$CUSTOMER_PUBLIC_ADDR sa-dst-address=$AWS_TUNNEL2_PUBLIC_ADDR  proposal=aws

/ip ipsec profile
  add name="aws" hash-algorithm=sha1 enc-algorithm=aes-128 dh-group=modp1024 lifetime=8h proposal-check=obey nat-traversal=yes dpd-interval=10s dpd-maximum-failures=3

/ip ipsec peer
  add name=awsvpc1-$VPN_CONNECTION_ID address=$AWS_TUNNEL1_PUBLIC_ADDR/32 local-address=$CUSTOMER_PUBLIC_ADDR profile=aws passive=no port=500 exchange-mode=main send-initial-contact=yes 

  add name=awsvpc2-$VPN_CONNECTION_ID address=$AWS_TUNNEL2_PUBLIC_ADDR/32 local-address=$CUSTOMER_PUBLIC_ADDR profile=aws passive=no port=500 exchange-mode=main send-initial-contact=yes

/ip ipsec identity
  add peer=awsvpc1-$VPN_CONNECTION_ID auth-method=pre-shared-key secret="$AWS_TUNNEL1_SHARED_SECRET" generate-policy=no 
  
  add peer=awsvpc2-$VPN_CONNECTION_ID auth-method=pre-shared-key secret="$AWS_TUNNEL2_SHARED_SECRET" generate-policy=no  

/ip firewall filter
  add chain=input action=accept protocol=ipsec-esp src-address=$AWS_TUNNEL1_PUBLIC_ADDR dst-address=$CUSTOMER_PUBLIC_ADDR in-interface=$PUBLIC_INTERFACE \
  place-before=1

  add chain=input action=accept protocol=udp src-address=$AWS_TUNNEL2_PUBLIC_ADDR dst-address=$CUSTOMER_PUBLIC_ADDR in-interface=$PUBLIC_INTERFACE src-port=500  dst-port=500 \
  place-before=1

  add chain=input action=accept protocol=ipsec-esp src-address=$AWS_TUNNEL1_PUBLIC_ADDR dst-address=$CUSTOMER_PUBLIC_ADDR in-interface=$PUBLIC_INTERFACE \
  place-before=1

  add chain=input action=accept protocol=udp src-address=$AWS_TUNNEL2_PUBLIC_ADDR dst-address=$CUSTOMER_PUBLIC_ADDR in-interface=$PUBLIC_INTERFACE src-port=500 dst-port=500 \
  place-before=1

  add chain=input action=accept protocol=tcp src-address=$AWS_TUNNEL1_INSIDE_VIRTUAL_GATEWAY_ADDR dst-address=$AWS_TUNNEL1_INSIDE_CUSTOMER_GATEWAY_ADDR dst-port=179 \
  place-before=1

  add chain=input action=accept protocol=tcp src-address=$AWS_TUNNEL2_INSIDE_VIRTUAL_GATEWAY_ADDR dst-address=$AWS_TUNNEL2_INSIDE_CUSTOMER_GATEWAY_ADDR dst-port=179\
  place-before=1

  add chain=forward action=accept src-address=$VPC_NET in-interface=$PUBLIC_INTERFACE
  add chain=forward action=accept dst-address=$VPC_NET in-interface=$LOCAL_INTERFACE
/ip firewall nat
  add chain=srcnat action=src-nat to-addresses=$LOCAL_NET dst-address=$VPC_NET place-before=0
  add chain=dstnat action=accept src-address=$VPC_NET in-interface=$PUBLIC_INTERFACE place-before=0

/routing bgp instance
  set default disabled=yes
  add as=$AWS_TUNNEL1_CUSTOMER_ASN client-to-client-reflection=no name=vgw-1 redistribute-static=yes router-id=$AWS_TUNNEL1_INSIDE_CUSTOMER_GATEWAY_ADDR
  add as=$AWS_TUNNEL2_CUSTOMER_ASN client-to-client-reflection=no name=vgw-2 redistribute-static=yes router-id=$AWS_TUNNEL2_INSIDE_CUSTOMER_GATEWAY_ADDR

/routing bgp network
  add network=$LOCAL_NET

/routing bgp peer
  add hold-time=30s instance=vgw-1 name=awsvpc1-$VPN_CONNECTION_ID remote-address=$AWS_TUNNEL1_INSIDE_VIRTUAL_GATEWAY_ADDR remote-as=$AWS_TUNNEL1_VIRTUAL_GATEWAY_ASN route-reflect=yes ttl=default update-source=$AWS_TUNNEL1_INSIDE_CUSTOMER_GATEWAY_ADDR
  add hold-time=30s instance=vgw-2 name=awsvpc2-$VPN_CONNECTION_ID remote-address=$AWS_TUNNEL2_INSIDE_VIRTUAL_GATEWAY_ADDR remote-as=$AWS_TUNNEL2_VIRTUAL_GATEWAY_ASN route-reflect=yes ttl=default update-source=$AWS_TUNNEL2_INSIDE_CUSTOMER_GATEWAY_ADDR
EOF