Extract VPN Concentrator information

From Internetworkpro


Introduction

The Perl script below takes an unencrypted Cisco VPN 3000 Concentrator configuration file and extracts all relevant group and user data. This is helpful if you plan to migrate locally stored user and group information from a VPN concentrator to a PIX/ASA.

The output goes to STDOUT as semicolon-separated CSV: one heading line with the attribute numbers and their meanings, then one line per user or group. Since the input is unencrypted, the output contains attribute 2 (Password) in the clear, so treat the result with the same care as the configuration file itself. An example of how to emit native PIX/ASA configuration instead is shown, commented out, at the end of the script.

User and Group attributes are arranged in the form:

[user <user index>.<attribute number a>]
value=<attribute a value>
[user <user index>.<attribute number b>]
value=<attribute b value>

There seems to be no obvious distinction between users and groups in the config file (at least I haven't found a key for it); both are listed in [user] sections.

Because only users have a group assigned, attribute 25 (Group) can serve as the key to tell users from groups: if a [user <user index>.25] section exists and contains a non-empty value, it is almost certain that <user index> is a real user definition. Every other index is treated as a group.
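The following is an added example in Python (not the page's Perl script) that walks through the layout and the attribute-25 rule on a constructed three-record config: a group, a user that belongs to it, and a record whose attribute 25 is present but empty, which the rule above keeps out of the user set. It also renders the ASA username stanza in the style of the commented-out block at the end of the script. The sample names and values are made up, and the assumption that a non-empty Group Lock (4129) value means "lock the user to its group" is mine.

```python
import re
from collections import defaultdict

# Constructed sample (not a real export): three [user N.M] records in the
# layout shown above. Index 1 is a group, index 2 a user in that group, and
# index 3 has an attribute 25 whose value is empty. CRLF line endings, as the
# concentrator writes them.
SAMPLE_CONFIG = (
    "[user 1.1]\r\nvalue=remote-staff\r\n"
    "[user 1.4098]\r\nvalue=3\r\n"
    "[user 1.28]\r\nvalue=30\r\n"
    "[user 2.1]\r\nvalue=alice\r\n"
    "[user 2.2]\r\nvalue=s3cret\r\n"
    "[user 2.8]\r\nvalue=10.1.1.50\r\n"
    "[user 2.9]\r\nvalue=255.255.255.255\r\n"
    "[user 2.25]\r\nvalue=remote-staff\r\n"
    "[user 2.4112]\r\nvalue=1\r\n"
    "[user 2.4129]\r\nvalue=\r\n"
    "[user 3.1]\r\nvalue=bob\r\n"
    "[user 3.25]\r\nvalue=\r\n"
)

SECTION_RE = re.compile(r"^\[user (\d+)\.(\d+)\]$")
VALUE_RE = re.compile(r"^value=(.*)$")


def parse_user_sections(text):
    """Map {user index: {attribute number: value}} from [user N.M] / value= pairs.

    Works with CRLF or LF endings. A header that is not directly followed by a
    value= line is dropped, and a value= line with nothing after '=' is kept as
    the empty string so the caller can tell "present but empty" from "absent".
    """
    records = defaultdict(dict)
    pending = None                       # (index, attribute) of the last header seen
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = SECTION_RE.match(line)
            pending = (int(m.group(1)), int(m.group(2))) if m else None
            continue
        v = VALUE_RE.match(line)
        if pending and v:
            idx, attr = pending
            records[idx][attr] = v.group(1)
            pending = None
    return dict(records)


def split_users_and_groups(records):
    """Apply the attribute-25 rule: a non-empty Group value marks a user record."""
    users, groups = {}, {}
    for idx, attrs in records.items():
        (users if attrs.get(25, "") != "" else groups)[idx] = attrs
    return users, groups


def asa_username_config(attrs):
    """Render one ASA 'username' stanza from a user record (attribute numbers
    as in the table in the script below). The output carries the cleartext
    password, exactly as the concentrator stored it."""
    name = attrs[1]
    out = [
        f"username {name} password {attrs[2]}",
        f"username {name} attributes",
        f" vpn-group-policy {attrs[25]}",
    ]
    if 8 in attrs and 9 in attrs:
        out.append(f" vpn-framed-ip-address {attrs[8]} {attrs[9]}")
    if 4098 in attrs:
        out.append(f" vpn-simultaneous-logins {attrs[4098]}")
    if 28 in attrs:
        out.append(f" vpn-idle-timeout {attrs[28]}")
    if 27 in attrs:
        out.append(f" vpn-session-timeout {attrs[27]}")
    # Assumption: a non-empty Group Lock (4129) value means "lock the user to its group".
    if attrs.get(4129, "") != "":
        out.append(f" group-lock value {attrs[25]}")
    if attrs.get(4112) == "1":
        out.append(" password-storage enable")
    out.append("!")
    return "\n".join(out)


if __name__ == "__main__":
    users, groups = split_users_and_groups(parse_user_sections(SAMPLE_CONFIG))
    print("groups:", sorted(a[1] for a in groups.values()))
    for attrs in users.values():
        print(asa_username_config(attrs))
```

Note that record 3 ("bob") lands among the groups even though it has an attribute 25, because the value is empty; if your export contains such records, inspect them by hand before deciding whether they are half-configured users or groups.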

#!/usr/bin/perl
# convert VPN user and group attributes from Cisco VPN 3000 Concentrator to PIX/ASA

use strict;
use warnings;

if (@ARGV != 1) {
        print("Config file not specified\n");
        print("usage: $0 <config file>\n");
        die("exiting now!\n");
}

open(my $config, '<', $ARGV[0]) or die("Cannot open config file $ARGV[0]: $!\n");

my %conf;

# read through config file
my ($user, $key);
while (my $line = <$config>) {

        chomp $line;
        $line =~ s/\r$//;                 # accept CRLF as well as LF line endings

        # a section header: remember user index and attribute number of a
        # [user <user index>.<attribute number>] header, forget anything else
        if ($line =~ m/^\[/) {
                ($user, $key) = ($line =~ m/^\[user ([0-9]+)\.([0-9]+)\]$/);
                next;
        }

        # the attribute value follows on the next line as "value=<attribute value>";
        # only accept it directly after a [user ...] header
        if (defined $user and $line =~ m/^value=(.*)$/) {
                my $val = $1;
                $val = "EMPTY" if $val eq "";
                $conf{$user}{$key} = $val;
                ($user, $key) = (undef, undef);
        }

}

close($config);

my %meaning = (
                1 => "Name",
                2 => "Password",
                8 => "IP",
                9 => "Mask",
                11 => "Filter",
                22 => "default route",
                25 => "Group",
                27 => "Maximum connect time",
                28 => "Idle Timeout",
                4098 => "Simultaneous Logins",
                4099 => "Minimum Password Length",
                4100 => "allow alphabetic-only passwords",
                4101 => "primary DNS",
                4102 => "secondary DNS",
                4103 => "primary WINS",
                4104 => "secondary WINS",
                4105 => "SEP Card Assignment",
                4106 => "SEP Priority",
                4107 => "Tunneling Protocols",
                4108 => "IPSec SA",
                4109 => "Authentication",
                4112 => "Password Storage",
                4113 => "use client specified address",
                4123 => "Split Tunnel Network List",
                4124 => "DNS name",
                4126 => "Tunnel type",
                4127 => "Mode Config",
                4129 => "Group Lock",
                # 4129 => "IPSec over UDP",   # was listed a second time under 4129; a duplicate
                #                             # hash key is silently overwritten, and the real
                #                             # attribute number for this entry is not known here
                4130 => "UDP port",
);

# mark attributes seen in the file but missing from the table as UNKNOWN,
# so heading and rows keep the same columns
foreach my $ke ( sort keys %conf ) {
        foreach my $val ( sort keys %{ $conf{$ke} } ) {
                $meaning{$val} = "UNKNOWN" unless exists $meaning{$val};
        }
}

# print used attributes (heading output), in numeric attribute order
foreach my $val ( sort { $a <=> $b } keys %meaning ) {
        print "$val:$meaning{$val};";
}

print "\n";

# print each user/group with its configured values, ";" separated,
# in the same column order as the heading
foreach my $ke ( sort { $a <=> $b } keys %conf ) {
        foreach my $val ( sort { $a <=> $b } keys %meaning ) {
                if (exists $conf{$ke}{$val}) {
                        print "$conf{$ke}{$val};";
                } else {
                        print "n/a;";
                }
        }
        print "\n";

}

# generate and print out ASA user configuration
# (commented out; remove the leading "#" on each line to enable it)

#foreach my $ke ( sort { $a <=> $b } keys %conf ) {
#
#       # only users have a non-empty Group value (attribute 25) assigned
#       if (exists $conf{$ke}{25} and $conf{$ke}{25} ne "EMPTY") {
#
#               print "username $conf{$ke}{1} password $conf{$ke}{2}\n";
#               print "username $conf{$ke}{1} attributes\n";
#               print "\tvpn-group-policy $conf{$ke}{25}\n";
#               print "\tvpn-framed-ip-address $conf{$ke}{8} $conf{$ke}{9}\n" if exists $conf{$ke}{8} and exists $conf{$ke}{9};
#               print "\tvpn-simultaneous-logins $conf{$ke}{4098}\n"    if exists $conf{$ke}{4098};
#               print "\tvpn-idle-timeout $conf{$ke}{28}\n"             if exists $conf{$ke}{28};
#               print "\tvpn-session-timeout $conf{$ke}{27}\n"          if exists $conf{$ke}{27};
#               # the ASA username attribute is "group-lock value <tunnel-group>";
#               # emit it only when the record carries a Group Lock (4129) attribute
#               print "\tgroup-lock value $conf{$ke}{25}\n"             if exists $conf{$ke}{4129};
#               # Password Storage (4112) is a flag; compare as a string, the value may be "EMPTY"
#               print "\tpassword-storage enable\n"                     if exists $conf{$ke}{4112} and $conf{$ke}{4112} eq "1";
#
#               print "!\n";
#       }
#}