diff --git a/data/templates/ipsec/interfaces_use.conf.tmpl b/data/templates/ipsec/interfaces_use.conf.tmpl
index 3d285b9be..a77102396 100644
--- a/data/templates/ipsec/interfaces_use.conf.tmpl
+++ b/data/templates/ipsec/interfaces_use.conf.tmpl
@@ -1,6 +1,5 @@
-{%  if ipsec_interfaces is defined and 'interface' in ipsec_interfaces %}
-{%      set interfaces = ipsec_interfaces['interface'] %}
+{%  if interface is defined %}
 charon {
-    interfaces_use = {{ ', '.join(interfaces) if interfaces is not string else interfaces }}
+    interfaces_use = {{ ', '.join(interface) }}
 }
 {%  endif %}
\ No newline at end of file
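Review bot: The new `interfaces_use` line calls `', '.join(interface)` unconditionally, so if `interface` ever reaches the template as a plain string rather than a list, the join would split the name into single characters and charon would receive a meaningless interface list. The removed line guarded against this with its `is not string` test, and whether the caller now always passes a list for this multi-value leaf is not visible in this diff. Because this setting limits which interfaces the IKE daemon uses, I would keep the guard: `interfaces_use = {{ interface if interface is string else ', '.join(interface) }}`. A short template comment such as `{# no interface configured: charon block omitted, strongSwan default (all interfaces) applies #}` would also document the fallback.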
diff --git a/interface-definitions/vpn_ipsec.xml.in b/interface-definitions/vpn_ipsec.xml.in
index 8399cf7f4..9dbebdc0f 100644
--- a/interface-definitions/vpn_ipsec.xml.in
+++ b/interface-definitions/vpn_ipsec.xml.in
@@ -1,1094 +1,1088 @@
 <?xml version="1.0"?>
 <interfaceDefinition>
   <node name="vpn">
     <properties>
       <help>Virtual Private Network (VPN)</help>
     </properties>
     <children>
       <node name="ipsec" owner="${vyos_conf_scripts_dir}/vpn_ipsec.py">
         <properties>
           <help>VPN IP security (IPsec) parameters</help>
           <priority>901</priority>
         </properties>
         <children>
           <leafNode name="auto-update">
             <properties>
               <help>Set auto-update interval for IPsec daemon</help>
               <valueHelp>
                 <format>u32:30-65535</format>
                 <description>Auto-update interval (s)</description>
               </valueHelp>
               <constraint>
                 <validator name="numeric" argument="--range 30-65535"/>
               </constraint>
             </properties>
           </leafNode>
           <leafNode name="disable-uniqreqids">
             <properties>
               <help>Option to disable requirement for unique IDs in the Security Database</help>
               <valueless/>
             </properties>
           </leafNode>
           <tagNode name="esp-group">
             <properties>
               <help>Name of Encapsulating Security Payload (ESP) group</help>
             </properties>
             <children>
               <leafNode name="compression">
                 <properties>
                   <help>ESP compression</help>
                   <completionHelp>
                     <list>disable enable</list>
                   </completionHelp>
                   <valueHelp>
                     <format>disable</format>
                     <description>Disable ESP compression (default)</description>
                   </valueHelp>
                   <valueHelp>
                     <format>enable</format>
                     <description>Enable ESP compression</description>
                   </valueHelp>
                   <constraint>
                     <regex>^(disable|enable)$</regex>
                   </constraint>
                 </properties>
+                <defaultValue>disable</defaultValue>
               </leafNode>
               <leafNode name="lifetime">
                 <properties>
                   <help>ESP lifetime</help>
                   <valueHelp>
                     <format>u32:30-86400</format>
                     <description>ESP lifetime in seconds (default 3600)</description>
                   </valueHelp>
                   <constraint>
                     <validator name="numeric" argument="--range 30-86400"/>
                   </constraint>
                 </properties>
                 <defaultValue>3600</defaultValue>
               </leafNode>
               <leafNode name="mode">
                 <properties>
                   <help>ESP mode</help>
                   <completionHelp>
                     <list>tunnel transport</list>
                   </completionHelp>
                   <valueHelp>
                     <format>tunnel</format>
                     <description>Tunnel mode (default)</description>
                   </valueHelp>
                   <valueHelp>
                     <format>transport</format>
                     <description>Transport mode</description>
                   </valueHelp>
                   <constraint>
                     <regex>^(tunnel|transport)$</regex>
                   </constraint>
                 </properties>
                 <defaultValue>tunnel</defaultValue>
               </leafNode>
               <leafNode name="pfs">
                 <properties>
                   <help>ESP Perfect Forward Secrecy</help>
                   <completionHelp>
                     <list>enable dh-group1 dh-group2 dh-group5 dh-group14 dh-group15 dh-group16 dh-group17 dh-group18 dh-group19 dh-group20 dh-group21 dh-group22 dh-group23 dh-group24 dh-group25 dh-group26 dh-group27 dh-group28 dh-group29 dh-group30 dh-group31 dh-group32 disable</list>
                   </completionHelp>
                   <valueHelp>
                     <format>enable</format>
                     <description>Use Diffie-Hellman group 2 (modp1024) - default</description>
                   </valueHelp>
                   <valueHelp>
                     <format>dh-group1</format>
                     <description>Use Diffie-Hellman group 1 (modp768)</description>
                   </valueHelp>
                   <valueHelp>
                     <format>dh-group2</format>
                     <description>Use Diffie-Hellman group 2 (modp1024)</description>
                   </valueHelp>
                   <valueHelp>
                     <format>dh-group5</format>
                     <description>Use Diffie-Hellman group 5 (modp1536)</description>
                   </valueHelp>
                   <valueHelp>
                     <format>dh-group14</format>
                     <description>Use Diffie-Hellman group 14 (modp2048)</description>
                   </valueHelp>
                   <valueHelp>
                     <format>dh-group15</format>
                     <description>Use Diffie-Hellman group 15 (modp3072)</description>
                   </valueHelp>
                   <valueHelp>
                     <format>dh-group16</format>
                     <description>Use Diffie-Hellman group 16 (modp4096)</description>
                   </valueHelp>
                   <valueHelp>
                     <format>dh-group17</format>
                     <description>Use Diffie-Hellman group 17 (modp6144)</description>
                   </valueHelp>
                   <valueHelp>
                     <format>dh-group18</format>
                     <description>Use Diffie-Hellman group 18 (modp8192)</description>
                   </valueHelp>
                   <valueHelp>
                     <format>dh-group19</format>
                     <description>Use Diffie-Hellman group 19 (ecp256)</description>
                   </valueHelp>
                   <valueHelp>
                     <format>dh-group20</format>
                     <description>Use Diffie-Hellman group 20 (ecp384)</description>
                   </valueHelp>
                   <valueHelp>
                     <format>dh-group21</format>
                     <description>Use Diffie-Hellman group 21 (ecp521)</description>
                   </valueHelp>
                   <valueHelp>
                     <format>dh-group22</format>
                     <description>Use Diffie-Hellman group 22 (modp1024s160)</description>
                   </valueHelp>
                   <valueHelp>
                     <format>dh-group23</format>
                     <description>Use Diffie-Hellman group 23 (modp2048s224)</description>
                   </valueHelp>
                   <valueHelp>
                     <format>dh-group24</format>
                     <description>Use Diffie-Hellman group 24 (modp2048s256)</description>
                   </valueHelp>
                   <valueHelp>
                     <format>dh-group25</format>
                     <description>Use Diffie-Hellman group 25 (ecp192)</description>
                   </valueHelp>
                   <valueHelp>
                     <format>dh-group26</format>
                     <description>Use Diffie-Hellman group 26 (ecp224)</description>
                   </valueHelp>
                   <valueHelp>
                     <format>dh-group27</format>
                     <description>Use Diffie-Hellman group 27 (ecp224bp)</description>
                   </valueHelp>
                   <valueHelp>
                     <format>dh-group28</format>
                     <description>Use Diffie-Hellman group 28 (ecp256bp)</description>
                   </valueHelp>
                   <valueHelp>
                     <format>dh-group29</format>
                     <description>Use Diffie-Hellman group 29 (ecp384bp)</description>
                   </valueHelp>
                   <valueHelp>
                     <format>dh-group30</format>
                     <description>Use Diffie-Hellman group 30 (ecp512bp)</description>
                   </valueHelp>
                   <valueHelp>
                     <format>dh-group31</format>
                     <description>Use Diffie-Hellman group 31 (curve25519)</description>
                   </valueHelp>
                   <valueHelp>
                     <format>dh-group32</format>
                     <description>Use Diffie-Hellman group 32 (curve448)</description>
                   </valueHelp>
                   <valueHelp>
                     <format>disable</format>
                     <description>Disable PFS</description>
                   </valueHelp>
                   <constraint>
                     <regex>^(enable|dh-group1|dh-group2|dh-group5|dh-group14|dh-group15|dh-group16|dh-group17|dh-group18|dh-group19|dh-group20|dh-group21|dh-group22|dh-group23|dh-group24|dh-group25|dh-group26|dh-group27|dh-group28|dh-group29|dh-group30|dh-group31|dh-group32|disable)$</regex>
                   </constraint>
                 </properties>
                 <defaultValue>enable</defaultValue>
               </leafNode>
               <tagNode name="proposal">
                 <properties>
                   <help>ESP-group proposal [REQUIRED]</help>
                   <valueHelp>
                     <format>u32:1-65535</format>
                     <description>ESP-group proposal number</description>
                   </valueHelp>
                 </properties>
                 <children>
                   #include <include/vpn-ipsec-encryption.xml.i>
                   #include <include/vpn-ipsec-hash.xml.i>
                 </children>
               </tagNode>
             </children>
           </tagNode>
           <tagNode name="ike-group">
             <properties>
               <help>Name of Internet Key Exchange (IKE) group</help>
             </properties>
             <children>
               <leafNode name="close-action">
                 <properties>
                   <help>close-action_help</help>
                   <completionHelp>
                     <list>none hold clear restart</list>
                   </completionHelp>
                   <valueHelp>
                     <format>none</format>
                     <description>Set action to none (default)</description>
                   </valueHelp>
                   <valueHelp>
                     <format>hold</format>
                     <description>Set action to hold</description>
                   </valueHelp>
                   <valueHelp>
                     <format>clear</format>
                     <description>Set action to clear</description>
                   </valueHelp>
                   <valueHelp>
                     <format>restart</format>
                     <description>Set action to restart</description>
                   </valueHelp>
                   <constraint>
                     <regex>^(none|hold|clear|restart)$</regex>
                   </constraint>
                 </properties>
               </leafNode>
               <node name="dead-peer-detection">
                 <properties>
                   <help>Dead Peer Detection (DPD)</help>
                 </properties>
                 <children>
                   <leafNode name="action">
                     <properties>
                       <help>Keep-alive failure action</help>
                       <completionHelp>
                         <list>hold clear restart</list>
                       </completionHelp>
                       <valueHelp>
                         <format>hold</format>
                         <description>Set action to hold (default)</description>
                       </valueHelp>
                       <valueHelp>
                         <format>clear</format>
                         <description>Set action to clear</description>
                       </valueHelp>
                       <valueHelp>
                         <format>restart</format>
                         <description>Set action to restart</description>
                       </valueHelp>
                       <constraint>
                         <regex>^(hold|clear|restart)$</regex>
                       </constraint>
                     </properties>
                   </leafNode>
                   <leafNode name="interval">
                     <properties>
                       <help>Keep-alive interval</help>
                       <valueHelp>
                         <format>u32:2-86400</format>
                         <description>Keep-alive interval in seconds (default 30)</description>
                       </valueHelp>
                       <constraint>
                         <validator name="numeric" argument="--range 2-86400"/>
                       </constraint>
                     </properties>
                   </leafNode>
                   <leafNode name="timeout">
                     <properties>
                       <help>Dead-Peer-Detection keep-alive timeout (IKEv1 only)</help>
                       <valueHelp>
                         <format>u32:2-86400</format>
                         <description>Keep-alive timeout in seconds (default 120)</description>
                       </valueHelp>
                       <constraint>
                         <validator name="numeric" argument="--range 2-86400"/>
                       </constraint>
                     </properties>
                   </leafNode>
                 </children>
               </node>
               <leafNode name="ikev2-reauth">
                 <properties>
                   <help>ikev2-reauth_help</help>
                   <completionHelp>
                     <list>yes no</list>
                   </completionHelp>
                   <valueHelp>
                     <format>yes</format>
                     <description>Enable remote host re-authentication during an IKE rekey. Currently broken due to a strongswan bug</description>
                   </valueHelp>
                   <valueHelp>
                     <format>no</format>
                     <description>Disable remote host re-authenticaton during an IKE rekey. (Default)</description>
                   </valueHelp>
                   <constraint>
                     <regex>^(yes|no)$</regex>
                   </constraint>
                 </properties>
               </leafNode>
               <leafNode name="key-exchange">
                 <properties>
                   <help>Key Exchange Version</help>
                   <completionHelp>
                     <list>ikev1 ikev2</list>
                   </completionHelp>
                   <valueHelp>
                     <format>ikev1</format>
                     <description>Use IKEv1 for Key Exchange [DEFAULT]</description>
                   </valueHelp>
                   <valueHelp>
                     <format>ikev2</format>
                     <description>Use IKEv2 for Key Exchange</description>
                   </valueHelp>
                   <constraint>
                     <regex>^(ikev1|ikev2)$</regex>
                   </constraint>
                 </properties>
               </leafNode>
               <leafNode name="lifetime">
                 <properties>
                   <help>IKE lifetime</help>
                   <valueHelp>
                     <format>u32:30-86400</format>
                     <description>IKE lifetime in seconds (default 28800)</description>
                   </valueHelp>
                   <constraint>
                     <validator name="numeric" argument="--range 30-86400"/>
                   </constraint>
                 </properties>
                 <defaultValue>28800</defaultValue>
               </leafNode>
               <leafNode name="mobike">
                 <properties>
                   <help>Enable MOBIKE Support. MOBIKE is only available for IKEv2.</help>
                   <completionHelp>
                     <list>enable disable</list>
                   </completionHelp>
                   <valueHelp>
                     <format>enable</format>
                     <description>Enable MOBIKE (default for IKEv2)</description>
                   </valueHelp>
                   <valueHelp>
                     <format>disable</format>
                     <description>Disable MOBIKE</description>
                   </valueHelp>
                   <constraint>
                     <regex>^(enable|disable)$</regex>
                   </constraint>
                 </properties>
               </leafNode>
               <leafNode name="mode">
                 <properties>
                   <help>IKEv1 Phase 1 Mode Selection</help>
                   <completionHelp>
                     <list>main aggressive</list>
                   </completionHelp>
                   <valueHelp>
                     <format>main</format>
                     <description>Use Main mode for Key Exchanges in the IKEv1 Protocol (Recommended Default)</description>
                   </valueHelp>
                   <valueHelp>
                     <format>aggressive</format>
                     <description>Use Aggressive mode for Key Exchanges in the IKEv1 protocol - We do not recommend users to use aggressive mode as it is much more insecure compared to Main mode.</description>
                   </valueHelp>
                   <constraint>
                     <regex>^(main|aggressive)$</regex>
                   </constraint>
                 </properties>
               </leafNode>
               <tagNode name="proposal">
                 <properties>
                   <help>proposal_help</help>
                   <valueHelp>
                     <format>u32:1-65535</format>
                     <description>IKE-group proposal</description>
                   </valueHelp>
                 </properties>
                 <children>
                   <leafNode name="dh-group">
                     <defaultValue>2</defaultValue>
                     <properties>
                       <help>dh-grouphelp</help>
                       <completionHelp>
                         <list>1 2 5 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32</list>
                       </completionHelp>
                       <valueHelp>
                         <format>1</format>
                         <description>Diffie-Hellman group 1 (modp768)</description>
                       </valueHelp>
                       <valueHelp>
                         <format>2</format>
                         <description>Diffie-Hellman group 2 (modp1024)</description>
                       </valueHelp>
                       <valueHelp>
                         <format>5</format>
                         <description>Diffie-Hellman group 5 (modp1536)</description>
                       </valueHelp>
                       <valueHelp>
                         <format>14</format>
                         <description>Diffie-Hellman group 14 (modp2048)</description>
                       </valueHelp>
                       <valueHelp>
                         <format>15</format>
                         <description>Diffie-Hellman group 15 (modp3072)</description>
                       </valueHelp>
                       <valueHelp>
                         <format>16</format>
                         <description>Diffie-Hellman group 16 (modp4096)</description>
                       </valueHelp>
                       <valueHelp>
                         <format>17</format>
                         <description>Diffie-Hellman group 17 (modp6144)</description>
                       </valueHelp>
                       <valueHelp>
                         <format>18</format>
                         <description>Diffie-Hellman group 18 (modp8192)</description>
                       </valueHelp>
                       <valueHelp>
                         <format>19</format>
                         <description>Diffie-Hellman group 19 (ecp256)</description>
                       </valueHelp>
                       <valueHelp>
                         <format>20</format>
                         <description>Diffie-Hellman group 20 (ecp384)</description>
                       </valueHelp>
                       <valueHelp>
                         <format>21</format>
                         <description>Diffie-Hellman group 21 (ecp521)</description>
                       </valueHelp>
                       <valueHelp>
                         <format>22</format>
                         <description>Diffie-Hellman group 22 (modp1024s160)</description>
                       </valueHelp>
                       <valueHelp>
                         <format>23</format>
                         <description>Diffie-Hellman group 23 (modp2048s224)</description>
                       </valueHelp>
                       <valueHelp>
                         <format>24</format>
                         <description>Diffie-Hellman group 24 (modp2048s256)</description>
                       </valueHelp>
                       <valueHelp>
                         <format>25</format>
                         <description>Diffie-Hellman group 25 (ecp192)</description>
                       </valueHelp>
                       <valueHelp>
                         <format>26</format>
                         <description>Diffie-Hellman group 26 (ecp224)</description>
                       </valueHelp>
                       <valueHelp>
                         <format>27</format>
                         <description>Diffie-Hellman group 27 (ecp224bp)</description>
                       </valueHelp>
                       <valueHelp>
                         <format>28</format>
                         <description>Diffie-Hellman group 28 (ecp256bp)</description>
                       </valueHelp>
                       <valueHelp>
                         <format>29</format>
                         <description>Diffie-Hellman group 29 (ecp384bp)</description>
                       </valueHelp>
                       <valueHelp>
                         <format>30</format>
                         <description>Diffie-Hellman group 30 (ecp512bp)</description>
                       </valueHelp>
                       <valueHelp>
                         <format>31</format>
                         <description>Diffie-Hellman group 31 (curve25519)</description>
                       </valueHelp>
                       <valueHelp>
                         <format>32</format>
                         <description>Diffie-Hellman group 32 (curve448)</description>
                       </valueHelp>
                       <constraint>
                         <regex>^(1|2|5|14|15|16|17|18|19|20|21|22|23|24|25|26|27|28|29|30|31|32)$</regex>
                       </constraint>
                     </properties>
                   </leafNode>
                   #include <include/vpn-ipsec-encryption.xml.i>
                   #include <include/vpn-ipsec-hash.xml.i>
                 </children>
               </tagNode>
             </children>
           </tagNode>
           <leafNode name="include-ipsec-conf">
             <properties>
               <help>Sets to include an additional configuration directive file for strongSwan. Use an absolute path to specify the included file</help>
             </properties>
           </leafNode>
           <leafNode name="include-ipsec-secrets">
             <properties>
               <help>Sets to include an additional secrets file for strongSwan. Use an absolute path to specify the included file.</help>
             </properties>
           </leafNode>
-          <node name="ipsec-interfaces">
+          <leafNode name="interface">
             <properties>
-              <help>Interface to use for VPN [REQUIRED]</help>
+              <help>Onterface used for IPsec communication</help>
+              <completionHelp>
+                <script>${vyos_completion_dir}/list_interfaces.py</script>
+              </completionHelp>
+              <multi/>
             </properties>
-            <children>
-              <leafNode name="interface">
-                <properties>
-                  <help>IPsec interface [REQUIRED]</help>
-                  <completionHelp>
-                    <script>${vyos_completion_dir}/list_interfaces.py</script>
-                  </completionHelp>
-                  <multi/>
-                </properties>
-              </leafNode>
-            </children>
-          </node>
+          </leafNode>
           <node name="log">
             <properties>
               <help>IPsec logging</help>
             </properties>
             <children>
               <leafNode name="level">
                 <properties>
                   <help>strongSwan Logger Level</help>
                   <valueHelp>
                     <format>u32:0</format>
                     <description>Very basic auditing logs e.g. SA up/SA down (default)</description>
                   </valueHelp>
                   <valueHelp>
                     <format>u32:1</format>
                     <description>Generic control flow with errors, a good default to see whats going on</description>
                   </valueHelp>
                   <valueHelp>
                     <format>u32:2</format>
                     <description>More detailed debugging control flow</description>
                   </valueHelp>
                   <constraint>
                     <validator name="numeric" argument="--range 0-2"/>
                   </constraint>
                 </properties>
                 <defaultValue>0</defaultValue>
               </leafNode>
               <leafNode name="subsystem">
                 <properties>
                   <help>Subsystem in the daemon the log comes from</help>
                   <completionHelp>
                     <list>dmn mgr ike chd job cfg knl net asn enc lib esp tls tnc imc imv pts any</list>
                   </completionHelp>
                   <valueHelp>
                     <format>dmn</format>
                     <description>Main daemon setup/cleanup/signal handling</description>
                   </valueHelp>
                   <valueHelp>
                     <format>mgr</format>
                     <description>IKE_SA manager, handling synchronization for IKE_SA access</description>
                   </valueHelp>
                   <valueHelp>
                     <format>ike</format>
                     <description>IKE_SA/ISAKMP SA</description>
                   </valueHelp>
                   <valueHelp>
                     <format>chd</format>
                     <description>CHILD_SA/IPsec SA</description>
                   </valueHelp>
                   <valueHelp>
                     <format>job</format>
                     <description>Jobs queuing/processing and thread pool management</description>
                   </valueHelp>
                   <valueHelp>
                     <format>cfg</format>
                     <description>Configuration management and plugins</description>
                   </valueHelp>
                   <valueHelp>
                     <format>knl</format>
                     <description>IPsec/Networking kernel interface</description>
                   </valueHelp>
                   <valueHelp>
                     <format>net</format>
                     <description>IKE network communication</description>
                   </valueHelp>
                   <valueHelp>
                     <format>asn</format>
                     <description>Low-level encoding/decoding (ASN.1, X.509 etc.)</description>
                   </valueHelp>
                   <valueHelp>
                     <format>enc</format>
                     <description>Packet encoding/decoding encryption/decryption operations</description>
                   </valueHelp>
                   <valueHelp>
                     <format>lib</format>
                     <description>libstrongswan library messages</description>
                   </valueHelp>
                   <valueHelp>
                     <format>esp</format>
                     <description>libipsec library messages</description>
                   </valueHelp>
                   <valueHelp>
                     <format>tls</format>
                     <description> libtls library messages</description>
                   </valueHelp>
                   <valueHelp>
                     <format>tnc</format>
                     <description>Trusted Network Connect</description>
                   </valueHelp>
                   <valueHelp>
                     <format>imc</format>
                     <description>Integrity Measurement Collector</description>
                   </valueHelp>
                   <valueHelp>
                     <format>imv</format>
                     <description>Integrity Measurement Verifier</description>
                   </valueHelp>
                   <valueHelp>
                     <format>pts</format>
                     <description> Platform Trust Service</description>
                   </valueHelp>
                   <valueHelp>
                     <format>any</format>
                     <description>Any subsystem</description>
                   </valueHelp>
                   <constraint>
                     <regex>^(dmn|mgr|ike|chd|job|cfg|knl|net|asn|enc|lib|esp|tls|tnc|imc|imv|pts|any)$</regex>
                   </constraint>
                   <multi/>
                 </properties>
               </leafNode>
             </children>
           </node>
           <node name="options">
             <properties>
               <help>Global IPsec settings</help>
             </properties>
             <children>
               <leafNode name="disable-route-autoinstall">
                 <properties>
                   <help>Do not automatically install routes to remote networks</help>
                   <valueless/>
                 </properties>
               </leafNode>
               <node name="remote-access">
                 <properties>
                   <help>remote-access global options</help>
                 </properties>
                 <children>
                   <node name="dhcp-pool">
                     <properties>
                       <help>DHCP pool options for remote-access</help>
                     </properties>
                     <children>
                       <leafNode name="interface">
                         <properties>
                           <help>Interface with DHCP server to use</help>
                           <completionHelp>
                             <script>${vyos_completion_dir}/list_interfaces.py</script>
                           </completionHelp>
                         </properties>
                       </leafNode>
                       <leafNode name="server">
                         <properties>
                           <help>DHCP server address</help>
                           <valueHelp>
                             <format>ipv4</format>
                             <description>IPv4 address of the DHCP server</description>
                           </valueHelp>
                         </properties>
                       </leafNode>
                     </children>
                   </node>
                 </children>
               </node>
             </children>
           </node>
           <tagNode name="profile">
             <properties>
               <help>VPN IPSec Profile</help>
             </properties>
             <children>
               #include <include/generic-disable-node.xml.i>
               <node name="authentication">
                 <properties>
                   <help>Authentication [REQUIRED]</help>
                 </properties>
                 <children>
                   <leafNode name="mode">
                     <properties>
                       <help>Authentication mode</help>
                       <completionHelp>
                         <list>pre-shared-secret</list>
                       </completionHelp>
                       <valueHelp>
                         <format>pre-shared-secret</format>
                         <description>Use pre shared secret key</description>
                       </valueHelp>
                     </properties>
                   </leafNode>
                   #include <include/ipsec/authentication-pre-shared-secret.xml.i>
                 </children>
               </node>
               <node name="bind">
                 <properties>
                   <help>DMVPN crypto configuration</help>
                 </properties>
                 <children>
                   <leafNode name="tunnel">
                     <properties>
                       <help>Tunnel interface associated with this configuration profile</help>
                       <completionHelp>
                         <path>interfaces tunnel</path>
                       </completionHelp>
                       <valueHelp>
                         <format>txt</format>
                         <description>Associated interface to this configuration profile</description>
                       </valueHelp>
                       <multi/>
                     </properties>
                   </leafNode>
                 </children>
               </node>
               #include <include/ipsec/esp-group.xml.i>
               #include <include/ipsec/ike-group.xml.i>
             </children>
           </tagNode>
           <tagNode name="remote-access">
             <properties>
               <help>Remote access IKEv2 VPN </help>
             </properties>
             <children>
               <node name="authentication">
                 <properties>
                   <help>Authentication for remote access</help>
                 </properties>
                 <children>
                   #include <include/ipsec/authentication-id.xml.i>
                   #include <include/ipsec/authentication-x509.xml.i>
                   <leafNode name="client-mode">
                     <properties>
                       <help>Client authentication mode</help>
                       <completionHelp>
                         <list>eap-tls eap-mschapv2</list>
                       </completionHelp>
                       <valueHelp>
                         <format>eap-tls</format>
                         <description>EAP-TLS</description>
                       </valueHelp>
                       <valueHelp>
                         <format>eap-mschapv2</format>
                         <description>EAP-MSCHAPv2</description>
                       </valueHelp>
                       <constraint>
                         <regex>^(eap-tls|eap-mschapv2)$</regex>
                       </constraint>
                     </properties>
                     <defaultValue>eap-mschapv2</defaultValue>
                   </leafNode>
                   <node name="local-users">
                     <properties>
                       <help>Local user authentication for PPPoE server</help>
                     </properties>
                     <children>
                       <tagNode name="username">
                         <properties>
                           <help>User name for authentication</help>
                         </properties>
                         <children>
                           #include <include/generic-disable-node.xml.i>
                           <leafNode name="password">
                             <properties>
                               <help>Password for authentication</help>
                             </properties>
                           </leafNode>
                         </children>
                       </tagNode>
                     </children>
                   </node>
                   <leafNode name="server-mode">
                     <properties>
                       <help>Server authentication mode</help>
                       <completionHelp>
                         <list>pre-shared-secret x509</list>
                       </completionHelp>
                       <valueHelp>
                         <format>pre-shared-secret</format>
                         <description>pre-shared-secret_description</description>
                       </valueHelp>
                       <valueHelp>
                         <format>x509</format>
                         <description>x509_description</description>
                       </valueHelp>
                       <constraint>
                         <regex>^(pre-shared-secret|x509)$</regex>
                       </constraint>
                     </properties>
                     <defaultValue>x509</defaultValue>
                   </leafNode>
                   #include <include/ipsec/authentication-pre-shared-secret.xml.i>
                 </children>
               </node>
               #include <include/generic-description.xml.i>
               #include <include/generic-disable-node.xml.i>
               #include <include/ipsec/esp-group.xml.i>
               #include <include/ipsec/ike-group.xml.i>
               #include <include/ipsec/local-address.xml.i>
               #include <include/ipsec/local-traffic-selector.xml.i>
               <node name="pool">
                 <properties>
                   <help>IP address pool for remote-access users</help>
                 </properties>
                 <children>
                   <leafNode name="dhcp-enable">
                     <properties>
                       <help>Enable DHCP pool for clients on this connection</help>
                       <valueless/>
                     </properties>
                   </leafNode>
                   <leafNode name="exclude">
                     <properties>
                       <help>Local IPv4 or IPv6 pool prefix exclusions</help>
                       <valueHelp>
                         <format>ipv4</format>
                         <description>Local IPv4 pool prefix exclusion</description>
                       </valueHelp>
                       <valueHelp>
                         <format>ipv6</format>
                         <description>Local IPv6 pool prefix exclusion</description>
                       </valueHelp>
                       <constraint>
                         <validator name="ipv4-prefix"/>
                         <validator name="ipv6-prefix"/>
                       </constraint>
                       <multi/>
                     </properties>
                   </leafNode>
                   <leafNode name="prefix">
                     <properties>
                       <help>Local IPv4 or IPv6 pool prefix</help>
                       <valueHelp>
                         <format>ipv4</format>
                         <description>Local IPv4 pool prefix</description>
                       </valueHelp>
                       <valueHelp>
                         <format>ipv6</format>
                         <description>Local IPv6 pool prefix</description>
                       </valueHelp>
                       <constraint>
                         <validator name="ipv4-prefix"/>
                         <validator name="ipv6-prefix"/>
                       </constraint>
                     </properties>
                   </leafNode>
                   <!-- Include Accel-PPP definition here, maybe time for a rename? -->
                   #include <include/accel-ppp/name-server.xml.i>
                 </children>
               </node>
               <leafNode name="timeout">
                 <properties>
                   <help>Timeout to close connection if no data is transmitted</help>
                   <valueHelp>
                     <format>u32:10-86400</format>
                     <description>Timeout in seconds (default 28800)</description>
                   </valueHelp>
                   <constraint>
                     <validator name="numeric" argument="--range 10-86400"/>
                   </constraint>
                 </properties>
                 <defaultValue>28800</defaultValue>
               </leafNode>
             </children>
           </tagNode>
           <node name="site-to-site">
             <properties>
               <help>Site-to-site VPN</help>
             </properties>
             <children>
               <tagNode name="peer">
                 <properties>
                   <help>VPN peer</help>
                   <valueHelp>
                     <format>ipv4</format>
                     <description>IPv4 address of the peer</description>
                   </valueHelp>
                   <valueHelp>
                     <format>ipv6</format>
                     <description>IPv6 address of the peer</description>
                   </valueHelp>
                   <valueHelp>
                     <format>txt</format>
                     <description>Hostname of the peer</description>
                   </valueHelp>
                   <valueHelp>
                     <format>&lt;@text&gt;</format>
                     <description>ID of the peer</description>
                   </valueHelp>
                 </properties>
                 <children>
                   #include <include/generic-disable-node.xml.i>
                   <node name="authentication">
                     <properties>
                       <help>Peer authentication [REQUIRED]</help>
                     </properties>
                     <children>
                       #include <include/ipsec/authentication-id.xml.i>
                       #include <include/ipsec/authentication-rsa.xml.i>
                       #include <include/ipsec/authentication-x509.xml.i>
                       <leafNode name="mode">
                         <properties>
                           <help>Authentication mode</help>
                           <completionHelp>
                             <list>pre-shared-secret rsa x509</list>
                           </completionHelp>
                           <valueHelp>
                             <format>pre-shared-secret</format>
                             <description>pre-shared-secret_description</description>
                           </valueHelp>
                           <valueHelp>
                             <format>rsa</format>
                             <description>rsa_description</description>
                           </valueHelp>
                           <valueHelp>
                             <format>x509</format>
                             <description>x509_description</description>
                           </valueHelp>
                           <constraint>
                             <regex>^(pre-shared-secret|rsa|x509)$</regex>
                           </constraint>
                         </properties>
                       </leafNode>
                       #include <include/ipsec/authentication-pre-shared-secret.xml.i>
                       <leafNode name="remote-id">
                         <properties>
                           <help>ID for remote authentication</help>
                           <valueHelp>
                             <format>txt</format>
                             <description>ID used for peer authentication</description>
                           </valueHelp>
                         </properties>
                       </leafNode>
                       <leafNode name="use-x509-id">
                         <properties>
                           <help>Use certificate common name as ID</help>
                           <valueless/>
                         </properties>
                       </leafNode>
                     </children>
                   </node>
                   <leafNode name="connection-type">
                     <properties>
                       <help>Connection type</help>
                       <completionHelp>
                         <list>initiate respond</list>
                       </completionHelp>
                       <valueHelp>
                         <format>initiate</format>
                         <description>initiate_description</description>
                       </valueHelp>
                       <valueHelp>
                         <format>respond</format>
                         <description>respond_description</description>
                       </valueHelp>
                       <constraint>
                         <regex>^(initiate|respond)$</regex>
                       </constraint>
                     </properties>
                   </leafNode>
                   <leafNode name="default-esp-group">
                     <properties>
                       <help>Defult ESP group name</help>
                       <completionHelp>
                         <path>vpn ipsec esp-group</path>
                       </completionHelp>
                     </properties>
                   </leafNode>
                   #include <include/generic-description.xml.i>
                   #include <include/dhcp-interface.xml.i>
                   <leafNode name="force-encapsulation">
                     <properties>
                       <help>Force UDP Encapsulation for ESP Payloads</help>
                       <completionHelp>
                         <list>enable disable</list>
                       </completionHelp>
                       <valueHelp>
                         <format>enable</format>
                         <description>This endpoint will force UDP encapsulation for this peer</description>
                       </valueHelp>
                       <valueHelp>
                         <format>disable</format>
                         <description>This endpoint will not force UDP encapsulation for this peer</description>
                       </valueHelp>
                       <constraint>
                         <regex>^(enable|disable)$</regex>
                       </constraint>
                     </properties>
                   </leafNode>
                   #include <include/ipsec/ike-group.xml.i>
                   <leafNode name="ikev2-reauth">
                     <properties>
                       <help>Re-authentication of the remote peer during an IKE re-key.  IKEv2 option only</help>
                       <completionHelp>
                         <list>yes no inherit</list>
                       </completionHelp>
                       <valueHelp>
                         <format>yes</format>
                         <description>Enable remote host re-autentication during an IKE re-key. Currently broken due to a strong swan bug</description>
                       </valueHelp>
                       <valueHelp>
                         <format>no</format>
                         <description>Disable remote host re-authenticaton during an IKE re-key.</description>
                       </valueHelp>
                       <valueHelp>
                         <format>inherit</format>
                         <description>Inherit the reauth configuration form your IKE-group (Default)</description>
                       </valueHelp>
                       <constraint>
                         <regex>^(yes|no|inherit)$</regex>
                       </constraint>
                     </properties>
                   </leafNode>
                   #include <include/ipsec/local-address.xml.i>
                   <tagNode name="tunnel">
                     <properties>
                       <help>Peer tunnel [REQUIRED]</help>
                       <valueHelp>
                         <format>u32</format>
                         <description>Peer tunnel [REQUIRED]</description>
                       </valueHelp>
                     </properties>
                     <children>
                       #include <include/generic-disable-node.xml.i>
                       #include <include/ipsec/esp-group.xml.i>
                       #include <include/ipsec/local-traffic-selector.xml.i>
                       #include <include/ip-protocol.xml.i>
                       <node name="remote">
                         <properties>
                           <help>Remote parameters for interesting traffic</help>
                         </properties>
                         <children>
                           #include <include/port-number.xml.i>
                           <leafNode name="prefix">
                             <properties>
                               <help>Remote IPv4 or IPv6 prefix</help>
                               <valueHelp>
                                 <format>ipv4</format>
                                 <description>Remote IPv4 prefix</description>
                               </valueHelp>
                               <valueHelp>
                                 <format>ipv6</format>
                                 <description>Remote IPv6 prefix</description>
                               </valueHelp>
                               <constraint>
                                 <validator name="ipv4-prefix"/>
                                 <validator name="ipv6-prefix"/>
                               </constraint>
                               <multi/>
                             </properties>
                           </leafNode>
                         </children>
                       </node>
                     </children>
                   </tagNode>
                   <node name="vti">
                     <properties>
                       <help>Virtual tunnel interface [REQUIRED]</help>
                     </properties>
                     <children>
                       <leafNode name="bind">
                         <properties>
                           <help>VTI tunnel interface associated with this configuration</help>
                           <completionHelp>
                             <path>interfaces vti</path>
                           </completionHelp>
                         </properties>
                       </leafNode>
                       #include <include/ipsec/esp-group.xml.i>
                     </children>
                   </node>
                 </children>
               </tagNode>
             </children>
           </node>
         </children>
       </node>
     </children>
   </node>
 </interfaceDefinition>
diff --git a/smoketest/scripts/cli/test_protocols_nhrp.py b/smoketest/scripts/cli/test_protocols_nhrp.py
index 8389e42e9..aa0ac268d 100755
--- a/smoketest/scripts/cli/test_protocols_nhrp.py
+++ b/smoketest/scripts/cli/test_protocols_nhrp.py
@@ -1,97 +1,97 @@
 #!/usr/bin/env python3
 #
 # Copyright (C) 2021 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
 # published by the Free Software Foundation.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 import unittest
 
 from base_vyostest_shim import VyOSUnitTestSHIM
 
 from vyos.util import call, process_named_running, read_file
 
 tunnel_path = ['interfaces', 'tunnel']
 nhrp_path = ['protocols', 'nhrp']
 vpn_path = ['vpn', 'ipsec']
 
 class TestProtocolsNHRP(VyOSUnitTestSHIM.TestCase):
     def tearDown(self):
         self.cli_delete(nhrp_path)
         self.cli_delete(tunnel_path)
         self.cli_commit()
 
     def test_config(self):
         self.cli_delete(nhrp_path)
         self.cli_delete(tunnel_path)
 
         # Tunnel
         self.cli_set(tunnel_path + ["tun100", "address", "172.16.253.134/29"])
         self.cli_set(tunnel_path + ["tun100", "encapsulation", "gre"])
         self.cli_set(tunnel_path + ["tun100", "source-address", "192.0.2.1"])
         self.cli_set(tunnel_path + ["tun100", "multicast", "enable"])
         self.cli_set(tunnel_path + ["tun100", "parameters", "ip", "key", "1"])
 
         # NHRP
         self.cli_set(nhrp_path + ["tunnel", "tun100", "cisco-authentication", "secret"])
         self.cli_set(nhrp_path + ["tunnel", "tun100", "holding-time", "300"])
         self.cli_set(nhrp_path + ["tunnel", "tun100", "multicast", "dynamic"])
         self.cli_set(nhrp_path + ["tunnel", "tun100", "redirect"])
         self.cli_set(nhrp_path + ["tunnel", "tun100", "shortcut"])
 
         # IKE/ESP Groups
         self.cli_set(vpn_path + ["esp-group", "ESP-HUB", "compression", "disable"])
         self.cli_set(vpn_path + ["esp-group", "ESP-HUB", "lifetime", "1800"])
         self.cli_set(vpn_path + ["esp-group", "ESP-HUB", "mode", "transport"])
         self.cli_set(vpn_path + ["esp-group", "ESP-HUB", "pfs", "dh-group2"])
         self.cli_set(vpn_path + ["esp-group", "ESP-HUB", "proposal", "1", "encryption", "aes256"])
         self.cli_set(vpn_path + ["esp-group", "ESP-HUB", "proposal", "1", "hash", "sha1"])
         self.cli_set(vpn_path + ["esp-group", "ESP-HUB", "proposal", "2", "encryption", "3des"])
         self.cli_set(vpn_path + ["esp-group", "ESP-HUB", "proposal", "2", "hash", "md5"])
         self.cli_set(vpn_path + ["ike-group", "IKE-HUB", "ikev2-reauth", "no"])
         self.cli_set(vpn_path + ["ike-group", "IKE-HUB", "key-exchange", "ikev1"])
         self.cli_set(vpn_path + ["ike-group", "IKE-HUB", "lifetime", "3600"])
         self.cli_set(vpn_path + ["ike-group", "IKE-HUB", "proposal", "1", "dh-group", "2"])
         self.cli_set(vpn_path + ["ike-group", "IKE-HUB", "proposal", "1", "encryption", "aes256"])
         self.cli_set(vpn_path + ["ike-group", "IKE-HUB", "proposal", "1", "hash", "sha1"])
         self.cli_set(vpn_path + ["ike-group", "IKE-HUB", "proposal", "2", "dh-group", "2"])
         self.cli_set(vpn_path + ["ike-group", "IKE-HUB", "proposal", "2", "encryption", "aes128"])
         self.cli_set(vpn_path + ["ike-group", "IKE-HUB", "proposal", "2", "hash", "sha1"])
 
         # Profile - Not doing full DMVPN checks here, just want to verify the profile name in the output
-        self.cli_set(vpn_path + ["ipsec-interfaces", "interface", "eth0"])
+        self.cli_set(vpn_path + ["interface", "eth0"])
         self.cli_set(vpn_path + ["profile", "NHRPVPN", "authentication", "mode", "pre-shared-secret"])
         self.cli_set(vpn_path + ["profile", "NHRPVPN", "authentication", "pre-shared-secret", "secret"])
         self.cli_set(vpn_path + ["profile", "NHRPVPN", "bind", "tunnel", "tun100"])
         self.cli_set(vpn_path + ["profile", "NHRPVPN", "esp-group", "ESP-HUB"])
         self.cli_set(vpn_path + ["profile", "NHRPVPN", "ike-group", "IKE-HUB"])
 
         self.cli_commit()
 
         opennhrp_lines = [
             'interface tun100 #hub NHRPVPN',
             'cisco-authentication secret',
             'holding-time 300',
             'shortcut',
             'multicast dynamic',
             'redirect'
         ]
 
         tmp_opennhrp_conf = read_file('/run/opennhrp/opennhrp.conf')
 
         for line in opennhrp_lines:
             self.assertIn(line, tmp_opennhrp_conf)
 
         self.assertTrue(process_named_running('opennhrp'))
 
 if __name__ == '__main__':
     unittest.main(verbosity=2)
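Review bot: The `vpn ipsec` settings this test creates, including the renamed `interface eth0` entry, are never cleaned up: `tearDown` deletes only `nhrp_path` and `tunnel_path`, and `test_config` begins by clearing the same two paths. The IKE/ESP groups, the `NHRPVPN` profile and its pre-shared secret therefore stay in the running configuration for whichever smoketest runs next. The profile's `bind tunnel tun100` would also point at a tunnel the teardown has just removed, which may cause the teardown commit itself to be rejected. Adding `self.cli_delete(vpn_path)` as the first line of `tearDown`, and next to the two deletes at the top of `test_config`, keeps the test self-contained.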
diff --git a/smoketest/scripts/cli/test_vpn_ipsec.py b/smoketest/scripts/cli/test_vpn_ipsec.py
index fda8b74b1..a34387dc9 100755
--- a/smoketest/scripts/cli/test_vpn_ipsec.py
+++ b/smoketest/scripts/cli/test_vpn_ipsec.py
@@ -1,377 +1,377 @@
 #!/usr/bin/env python3
 #
 # Copyright (C) 2021 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
 # published by the Free Software Foundation.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 import os
 import unittest
 
 from base_vyostest_shim import VyOSUnitTestSHIM
 from vyos.util import call
 from vyos.util import process_named_running
 from vyos.util import read_file
 
 ethernet_path = ['interfaces', 'ethernet']
 tunnel_path = ['interfaces', 'tunnel']
 vti_path = ['interfaces', 'vti']
 nhrp_path = ['protocols', 'nhrp']
 base_path = ['vpn', 'ipsec']
 
 dhcp_waiting_file = '/tmp/ipsec_dhcp_waiting'
 swanctl_file = '/etc/swanctl/swanctl.conf'
 
 peer_ip = '203.0.113.45'
 interface = 'eth1'
 vif = '100'
 esp_group = 'MyESPGroup'
 ike_group = 'MyIKEGroup'
 secret = 'MYSECRETKEY'
 
 ca_pem = """
 MIIDSzCCAjOgAwIBAgIUQHK+ZgTUYZksvXY2/MyW+Jiels4wDQYJKoZIhvcNAQEL
 BQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMjEwNjE0MTk0NTI3WhcNMzEw
 NjEyMTk0NTI3WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcN
 AQEBBQADggEPADCCAQoCggEBAKCAzpatA8yywXhGunWD//6Qg9EMJMb+7didNr10
 DuYPPGyTOXwG4Xicbr0FJ6cNkWg4wj3ZXEqqBzgS1Z9u78yuYPt5LE9eM8Wtawp7
 qIUCMTlSu4uD3/4A3c1xfHDpTOEl1BDvxMtQxQZcMNQVUG5ZMdcWQvqvQG6F7Nak
 +jgkaQ+Gyhwq++KVTEHJsA6+POuD0uaqAJv3tLGrRf4y4zdOn4thuTQ9swIBjKW6
 ci78Dk0F4u24YYV2BHKsPEPIyCQxKSRrMvqVWWljX9HmNsGawyEhLvW34aphj0aD
 JL/n1kWm+DnGyM+Rp6pXQz5y3xAnmKeYziaQNnvHoQi+gY0CAwEAAaOBkDCBjTAd
 BgNVHQ4EFgQUy43jkjE+CORrxeddqofQztZ9UxYwUQYDVR0jBEowSIAUy43jkjE+
 CORrxeddqofQztZ9UxahGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghRAcr5m
 BNRhmSy9djb8zJb4mJ6WzjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkq
 hkiG9w0BAQsFAAOCAQEALHdd1JXq6EUF9dSUijPLEiDVwn2TTIBIxvQqFzpWDDHg
 EWLzRJESyNUbIiwuUGwvqcVki0TmQcFR9XwmcDFDotlXz9OQISBlCW+Twuf4/XAL
 11njH8qXSaWF/wPbF35NOPhV5xOOCZ6K7Vilp3tK6LeOWvz2AUtwiVE1prNV3cIA
 B2ham0JASS0HIkfrcjpZNcx4NlSBaFf4MK5A11p13zPqMqzdEqn6n8fbYEADfVzy
 TfdqX1dPVc9zaM8uwyh5VyYBMDV7DoL384ZHJZYLENK/pT4kbl+sM/Cnhvyu0UCe
 RVqJGQtCdChZpDAVkzJRQYw3/FR8Mj+M+8GrgOrJ0w==
 """
 
 peer_cert = """
 MIIDZjCCAk6gAwIBAgIRAKHpoE0rTcB/YXhnFpeckngwDQYJKoZIhvcNAQELBQAw
 FjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMjEwNjE0MjAwNDQ3WhcNMjQwNTI5
 MjAwNDQ3WjAQMQ4wDAYDVQQDDAVwZWVyMTCCASIwDQYJKoZIhvcNAQEBBQADggEP
 ADCCAQoCggEBALNwjDC1Lj2ojfCi1TESsyD0MLuqUVLTBZaXCXFtQdB/Aw3b3eBc
 J8+FUYQ6xMplmklXcjJEyXSMvqENpLX6xEDNWWvqTf22eEWt36QTfBeyFyDKtXnm
 4Y+ufXAHl3sLtyZN/7q+Xl4ubYvtAHVRLYzkXAtj1tVdaYEZQy8x/F3ZFFUsCfxR
 RqJBKTxcENP8STpIz9X8dS9iif9SBA42C0eHqMWv1tYW1IHO9gQxYFS3cvoPDPlD
 AJ3ihu5x3fO892S7FtZLVN/GsN1TKRKL217eVPyW0+QcnUwbrXWc7fnmm1btXVmh
 9YKPdtX8WnEeOtMCVZGKqdydnI3iAqvPmd0CAwEAAaOBtDCBsTAJBgNVHRMEAjAA
 MB0GA1UdDgQWBBQGsAPY4cHnTNUv7l+l8OYRSqcX8jBRBgNVHSMESjBIgBTLjeOS
 MT4I5GvF512qh9DO1n1TFqEapBgwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0GCFEBy
 vmYE1GGZLL12NvzMlviYnpbOMBMGA1UdJQQMMAoGCCsGAQUFBwMBMAsGA1UdDwQE
 AwIFoDAQBgNVHREECTAHggVwZWVyMTANBgkqhkiG9w0BAQsFAAOCAQEAdJr+11eG
 FvChxu/LkwsXe2V+OZzGRq+hmQlaK3kG/AyI5hVA/IVHJkDe281wbBNKBWYxeSMn
 lAKbwuhPluO99oldzY9ZVkSiRmLh3r27wy/y+1plvoNxyTN7644Hvtk/8P/LV67R
 amXvVgkhpvIQSBfgifXzqUs+BV/x7TSeN3isxNOB8FP6imODsw8lF0Ir1Ze34emr
 TMNo5wNR5xp2dUa9OkzjRpgpifh20zM3UeVOixIPoq78IDjT0aZP8Lve2/g4Ccc6
 RHNF31r/2UL8rZfQRUAMijVdAvIINCk0kRBhNcr9MCi3czmmgiXXMGwLWLvSkfnE
 W06wKX1lpPSptg==
 """
 
 peer_key = """
 MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQCzcIwwtS49qI3w
 otUxErMg9DC7qlFS0wWWlwlxbUHQfwMN293gXCfPhVGEOsTKZZpJV3IyRMl0jL6h
 DaS1+sRAzVlr6k39tnhFrd+kE3wXshcgyrV55uGPrn1wB5d7C7cmTf+6vl5eLm2L
 7QB1US2M5FwLY9bVXWmBGUMvMfxd2RRVLAn8UUaiQSk8XBDT/Ek6SM/V/HUvYon/
 UgQONgtHh6jFr9bWFtSBzvYEMWBUt3L6Dwz5QwCd4obucd3zvPdkuxbWS1TfxrDd
 UykSi9te3lT8ltPkHJ1MG611nO355ptW7V1ZofWCj3bV/FpxHjrTAlWRiqncnZyN
 4gKrz5ndAgMBAAECggEACvAya4mv3uxWcrPKYSptpvWbvuTb/juE3LAqUDLDz0ze
 x8p+VP3pI1pSJMhcVKYq6IufF3df/G3T9Qda4gj+S6D48X4f8PZdkInP1zWk2+Ds
 TgBtXZf4agTN+rVLw6FsMbaRfzW5lO4pmV0CKSSgrTUCc2NLpkgCdW8vzEG0y5ek
 15uBOyvuydWM4CFgZT/cUvnu4UtPFL1vaTdD4Lw0FfZq4iS8SWsGbbMoTPKkJRlS
 k9oMEOvhA1WIfSgiG0FyaidoNEormB6J1SKVo27P8SOYu2etiFdF9SJUYg9cBzM3
 z3HcAsXeSh2kpc8Fc2yOS6zI5AsC0Len2SQmKQD8YQKBgQDlgg5cZV5AY2Ji6b+T
 nTHjna7dg/kzUOYs0AmK9DHHziZJ2SKucJlB9smynPLjY/MQbKcNWQ1Cad+olDNP
 Ts4lLhs4kbITkmgPQME3it1fGstHy/sGcF0m+YRsSxfwt5bxLXH86+d067C0XMhg
 URMgGv9ZBTe/P1LuhIUTEjYzlQKBgQDIJvl7sSXHRRB0k7NU/uV3Tut3NTqIzXiz
 pq9hMyF+3aIqaA7kdjIIJczv1grVYz+RUdX3Gu1FyHMl8ynoEz5NNWsbe+Ay/moa
 ztijak3UH3M+d6WsxSRehdYl6DaMstHwWfKZvWNJCGyl7ckz9gGjc3DY/qYqZDrx
 p3LlZsY7KQKBgQCj3ur2GgLkIpI7Yf9CHPlkNlCHJhYnB9pxoNFPf/CTY6R/EiTr
 PMaRDO8TM3FR3ynMTmgw5abMBuCFc9v3AqO6dGNHTvBBfUYDrg7H48UQhQckaocA
 H/bDP2HIGQ4s+Ek0R2ieWKpZF3iCL8V60CjBwcUVAN6/FS3X1JNX/KbqyQKBgQDA
 8dlk5PN/MlPXnZ6t2/7G0bxpsVVZFYI65P+CGvE6RFuUt7VLhalbc10pAtR0unVI
 GHTD/iAnOkHOnqeSQiK3+TvkRbluTxVn/GiYt9yJFTxaRqrebzlNKYW0CzOy1JtP
 MNaOYCS6/bUHC7//KDKSJ7HsbScwDGlKFVrMTBPiaQKBgQCjkIJDZ4pC3er7QiC3
 RXWPyxIG5iTjn4fizphaBt6+pkBAlBh0V6inmleAWa5DJSpgU4jQv4mZsAQs6ctq
 usmoy47ke8pTXPHgQ8ZUwsfM4IztqOm+w0X6mSZi6HdJCnMdxCZBBpO225UvonSR
 rgiyCHemtMepq57Pl1Nmj49eEA==
 """
 
 class TestVPNIPsec(VyOSUnitTestSHIM.TestCase):
     def setUp(self):
-        self.cli_set(base_path + ['ipsec-interfaces', 'interface', f'{interface}.{vif}'])
+        self.cli_set(base_path + ['interface', f'{interface}.{vif}'])
 
         # Set IKE/ESP Groups
         self.cli_set(base_path + ['esp-group', esp_group, 'proposal', '1', 'encryption', 'aes128'])
         self.cli_set(base_path + ['esp-group', esp_group, 'proposal', '1', 'hash', 'sha1'])
         self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '1', 'dh-group', '2'])
         self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '1', 'encryption', 'aes128'])
         self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '1', 'hash', 'sha1'])
 
     def tearDown(self):
         # Check for running process
         self.assertTrue(process_named_running('charon'))
 
         self.cli_delete(base_path)
         self.cli_delete(nhrp_path)
         self.cli_delete(tunnel_path)
         self.cli_delete(vti_path)
         self.cli_delete(ethernet_path)
         self.cli_commit()
 
         # Check for no longer running process
         self.assertFalse(process_named_running('charon'))
 
     def test_01_dhcp_fail_handling(self):
         # Interface for dhcp-interface
         self.cli_set(ethernet_path + [interface, 'vif', vif, 'address', 'dhcp']) # Use VLAN to avoid getting IP from qemu dhcp server
 
         # Site to site
         peer_base_path = base_path + ['site-to-site', 'peer', peer_ip]
         self.cli_set(peer_base_path + ['authentication', 'mode', 'pre-shared-secret'])
         self.cli_set(peer_base_path + ['authentication', 'pre-shared-secret', secret])
         self.cli_set(peer_base_path + ['ike-group', ike_group])
         self.cli_set(peer_base_path + ['default-esp-group', esp_group])
         self.cli_set(peer_base_path + ['dhcp-interface', f'{interface}.{vif}'])
         self.cli_set(peer_base_path + ['tunnel', '1', 'protocol', 'gre'])
 
         self.cli_commit()
 
         self.assertTrue(os.path.exists(dhcp_waiting_file))
 
         dhcp_waiting = read_file(dhcp_waiting_file)
         self.assertIn(f'{interface}.{vif}', dhcp_waiting) # Ensure dhcp-failed interface was added for dhclient hook
 
     def test_02_site_to_site(self):
         self.cli_set(base_path + ['ike-group', ike_group, 'key-exchange', 'ikev2'])
 
         # Site to site
         local_address = '192.0.2.10'
         peer_base_path = base_path + ['site-to-site', 'peer', peer_ip]
 
         self.cli_set(peer_base_path + ['authentication', 'mode', 'pre-shared-secret'])
         self.cli_set(peer_base_path + ['authentication', 'pre-shared-secret', secret])
         self.cli_set(peer_base_path + ['ike-group', ike_group])
         self.cli_set(peer_base_path + ['default-esp-group', esp_group])
         self.cli_set(peer_base_path + ['local-address', local_address])
         self.cli_set(peer_base_path + ['tunnel', '1', 'protocol', 'tcp'])
         self.cli_set(peer_base_path + ['tunnel', '1', 'local', 'prefix', '172.16.10.0/24'])
         self.cli_set(peer_base_path + ['tunnel', '1', 'local', 'prefix', '172.16.11.0/24'])
         self.cli_set(peer_base_path + ['tunnel', '1', 'local', 'port', '443'])
         self.cli_set(peer_base_path + ['tunnel', '1', 'remote', 'prefix', '172.17.10.0/24'])
         self.cli_set(peer_base_path + ['tunnel', '1', 'remote', 'prefix', '172.17.11.0/24'])
         self.cli_set(peer_base_path + ['tunnel', '1', 'remote', 'port', '443'])
 
         self.cli_commit()
 
         # Verify strongSwan configuration
         swanctl_conf = read_file(swanctl_file)
         swanctl_conf_lines = [
             f'version = 2',
             f'auth = psk',
             f'proposals = aes128-sha1-modp1024',
             f'esp_proposals = aes128-sha1-modp1024',
             f'local_addrs = {local_address} # dhcp:no',
             f'remote_addrs = {peer_ip}',
             f'mode = tunnel',
             f'local_ts = 172.16.10.0/24[tcp/443],172.16.11.0/24[tcp/443]',
             f'remote_ts = 172.17.10.0/24[tcp/443],172.17.11.0/24[tcp/443]'
         ]
         for line in swanctl_conf_lines:
             self.assertIn(line, swanctl_conf)
 
         swanctl_secrets_lines = [
             f'id-local = {local_address} # dhcp:no',
             f'id-remote = {peer_ip}',
             f'secret = "{secret}"'
         ]
         for line in swanctl_secrets_lines:
             self.assertIn(line, swanctl_conf)
 
 
     def test_03_site_to_site_vti(self):
         local_address = '192.0.2.10'
         vti = 'vti10'
         # VTI interface
         self.cli_set(vti_path + [vti, 'address', '10.1.1.1/24'])
         self.cli_set(base_path + ['ike-group', ike_group, 'key-exchange', 'ikev2'])
 
         # Site to site
         peer_base_path = base_path + ['site-to-site', 'peer', peer_ip]
         self.cli_set(peer_base_path + ['authentication', 'mode', 'pre-shared-secret'])
         self.cli_set(peer_base_path + ['authentication', 'pre-shared-secret', secret])
         self.cli_set(peer_base_path + ['ike-group', ike_group])
         self.cli_set(peer_base_path + ['default-esp-group', esp_group])
         self.cli_set(peer_base_path + ['local-address', local_address])
         self.cli_set(peer_base_path + ['tunnel', '1', 'local', 'prefix', '172.16.10.0/24'])
         self.cli_set(peer_base_path + ['tunnel', '1', 'local', 'prefix', '172.16.11.0/24'])
         self.cli_set(peer_base_path + ['tunnel', '1', 'remote', 'prefix', '172.17.10.0/24'])
         self.cli_set(peer_base_path + ['tunnel', '1', 'remote', 'prefix', '172.17.11.0/24'])
         self.cli_set(peer_base_path + ['vti', 'bind', vti])
         self.cli_set(peer_base_path + ['vti', 'esp-group', esp_group])
 
         self.cli_commit()
 
         swanctl_conf = read_file(swanctl_file)
         swanctl_conf_lines = [
             f'version = 2',
             f'auth = psk',
             f'proposals = aes128-sha1-modp1024',
             f'esp_proposals = aes128-sha1-modp1024',
             f'local_addrs = {local_address} # dhcp:no',
             f'remote_addrs = {peer_ip}',
             f'mode = tunnel',
             f'local_ts = 172.16.10.0/24,172.16.11.0/24',
             f'remote_ts = 172.17.10.0/24,172.17.11.0/24',
             f'if_id_in = {vti.lstrip("vti")}', # will be 10 for vti10
             f'if_id_out = {vti.lstrip("vti")}',
             f'updown = "/etc/ipsec.d/vti-up-down {vti} no"'
         ]
         for line in swanctl_conf_lines:
             self.assertIn(line, swanctl_conf)
 
         swanctl_secrets_lines = [
             f'id-local = {local_address} # dhcp:no',
             f'id-remote = {peer_ip}',
             f'secret = "{secret}"'
         ]
         for line in swanctl_secrets_lines:
             self.assertIn(line, swanctl_conf)
 
 
     def test_04_dmvpn(self):
         tunnel_if = 'tun100'
         nhrp_secret = 'secret'
 
         # Tunnel
         self.cli_set(tunnel_path + [tunnel_if, 'address', '172.16.253.134/29'])
         self.cli_set(tunnel_path + [tunnel_if, 'encapsulation', 'gre'])
         self.cli_set(tunnel_path + [tunnel_if, 'source-address', '192.0.2.1'])
         self.cli_set(tunnel_path + [tunnel_if, 'multicast', 'enable'])
         self.cli_set(tunnel_path + [tunnel_if, 'parameters', 'ip', 'key', '1'])
 
         # NHRP
         self.cli_set(nhrp_path + ['tunnel', tunnel_if, 'cisco-authentication', nhrp_secret])
         self.cli_set(nhrp_path + ['tunnel', tunnel_if, 'holding-time', '300'])
         self.cli_set(nhrp_path + ['tunnel', tunnel_if, 'multicast', 'dynamic'])
         self.cli_set(nhrp_path + ['tunnel', tunnel_if, 'redirect'])
         self.cli_set(nhrp_path + ['tunnel', tunnel_if, 'shortcut'])
 
         # IKE/ESP Groups
         self.cli_set(base_path + ['esp-group', esp_group, 'compression', 'disable'])
         self.cli_set(base_path + ['esp-group', esp_group, 'lifetime', '1800'])
         self.cli_set(base_path + ['esp-group', esp_group, 'mode', 'transport'])
         self.cli_set(base_path + ['esp-group', esp_group, 'pfs', 'dh-group2'])
         self.cli_set(base_path + ['esp-group', esp_group, 'proposal', '2', 'encryption', 'aes256'])
         self.cli_set(base_path + ['esp-group', esp_group, 'proposal', '2', 'hash', 'sha1'])
         self.cli_set(base_path + ['esp-group', esp_group, 'proposal', '3', 'encryption', '3des'])
         self.cli_set(base_path + ['esp-group', esp_group, 'proposal', '3', 'hash', 'md5'])
 
         self.cli_set(base_path + ['ike-group', ike_group, 'ikev2-reauth', 'no'])
         self.cli_set(base_path + ['ike-group', ike_group, 'key-exchange', 'ikev1'])
         self.cli_set(base_path + ['ike-group', ike_group, 'lifetime', '3600'])
         self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '2', 'dh-group', '2'])
         self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '2', 'encryption', 'aes256'])
         self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '2', 'hash', 'sha1'])
 
         # Profile
         self.cli_set(base_path + ['profile', 'NHRPVPN', 'authentication', 'mode', 'pre-shared-secret'])
         self.cli_set(base_path + ['profile', 'NHRPVPN', 'authentication', 'pre-shared-secret', nhrp_secret])
         self.cli_set(base_path + ['profile', 'NHRPVPN', 'bind', 'tunnel', tunnel_if])
         self.cli_set(base_path + ['profile', 'NHRPVPN', 'esp-group', esp_group])
         self.cli_set(base_path + ['profile', 'NHRPVPN', 'ike-group', ike_group])
 
         self.cli_commit()
 
         swanctl_conf = read_file(swanctl_file)
         swanctl_lines = [
             f'proposals = aes128-sha1-modp1024,aes256-sha1-modp1024',
             f'version = 1',
             f'rekey_time = 3600s',
             f'esp_proposals = aes128-sha1-modp1024,aes256-sha1-modp1024,3des-md5-modp1024',
             f'local_ts = dynamic[gre]',
             f'remote_ts = dynamic[gre]',
             f'mode = transport',
             f'secret = {nhrp_secret}'
         ]
         for line in swanctl_lines:
             self.assertIn(line, swanctl_conf)
 
     def test_05_x509_site2site(self):
         # Enable PKI
         peer_name = 'peer1'
         ca_name = 'MyVyOS-CA'
         self.cli_set(['pki', 'ca', ca_name, 'certificate', ca_pem.replace('\n','')])
         self.cli_set(['pki', 'certificate', peer_name, 'certificate', peer_cert.replace('\n','')])
         self.cli_set(['pki', 'certificate', peer_name, 'private', 'key', peer_key.replace('\n','')])
 
         vti = 'vti20'
         self.cli_set(vti_path + [vti, 'address', '192.168.0.1/31'])
 
         peer_ip = '172.18.254.202'
         local_address = '172.18.254.201'
         peer_base_path = base_path + ['site-to-site', 'peer', peer_ip]
 
         self.cli_set(peer_base_path + ['authentication', 'id', peer_name])
         self.cli_set(peer_base_path + ['authentication', 'mode', 'x509'])
         self.cli_set(peer_base_path + ['authentication', 'remote-id', 'peer2'])
         self.cli_set(peer_base_path + ['authentication', 'x509', 'ca-certificate', ca_name])
         self.cli_set(peer_base_path + ['authentication', 'x509', 'certificate', peer_name])
         self.cli_set(peer_base_path + ['connection-type', 'initiate'])
         self.cli_set(peer_base_path + ['ike-group', ike_group])
         self.cli_set(peer_base_path + ['ikev2-reauth', 'inherit'])
         self.cli_set(peer_base_path + ['local-address', local_address])
         self.cli_set(peer_base_path + ['vti', 'bind', vti])
         self.cli_set(peer_base_path + ['vti', 'esp-group', esp_group])
 
         self.cli_commit()
 
         swanctl_conf = read_file(swanctl_file)
         tmp = peer_ip.replace('.', '-')
         swanctl_lines = [
             f'peer_{tmp}',
             f'version = 0', # key-exchange not set - defaulting to 0 for ikev1 and ikev2
             f'send_cert = always',
             f'mobike = yes',
             f'keyingtries = 0',
             f'id = "{peer_name}"',
             f'auth = pubkey',
             f'certs = {peer_name}.pem',
             f'proposals = aes128-sha1-modp1024',
             f'esp_proposals = aes128-sha1-modp1024',
             f'local_addrs = {local_address} # dhcp:no',
             f'remote_addrs = {peer_ip}',
             f'local_ts = 0.0.0.0/0,::/0',
             f'remote_ts = 0.0.0.0/0,::/0',
             f'updown = "/etc/ipsec.d/vti-up-down {vti} no"',
             f'if_id_in = {vti.lstrip("vti")}', # will be 10 for vti10
             f'if_id_out = {vti.lstrip("vti")}',
             f'ipcomp = no',
             f'mode = tunnel',
             f'start_action = start',
         ]
         for line in swanctl_lines:
             self.assertIn(line, swanctl_conf)
 
         swanctl_secrets_lines = [
             f'peer_{tmp}',
             f'file = {peer_name}.pem',
         ]
         for line in swanctl_secrets_lines:
             self.assertIn(line, swanctl_conf)
 
 if __name__ == '__main__':
     unittest.main(verbosity=2)
diff --git a/src/conf_mode/vpn_ipsec.py b/src/conf_mode/vpn_ipsec.py
deleted file mode 100755
index 645108a8f..000000000
--- a/src/conf_mode/vpn_ipsec.py
+++ /dev/null
@@ -1,531 +0,0 @@
-#!/usr/bin/env python3
-#
-# Copyright (C) 2021 VyOS maintainers and contributors
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 or later as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-import ipaddress
-import os
-
-from sys import exit
-from time import sleep
-from time import time
-
-from vyos.config import Config
-from vyos.configdict import leaf_node_changed
-from vyos.configverify import verify_interface_exists
-from vyos.configdict import dict_merge
-from vyos.ifconfig import Interface
-from vyos.pki import encode_public_key
-from vyos.pki import load_private_key
-from vyos.pki import wrap_certificate
-from vyos.pki import wrap_crl
-from vyos.pki import wrap_public_key
-from vyos.pki import wrap_private_key
-from vyos.template import ip_from_cidr
-from vyos.template import render
-from vyos.validate import is_ipv6_link_local
-from vyos.util import call
-from vyos.util import dict_search_args
-from vyos.util import run
-from vyos.xml import defaults
-from vyos import ConfigError
-from vyos import airbag
-airbag.enable()
-
-dhcp_wait_attempts = 2
-dhcp_wait_sleep = 1
-
-swanctl_dir    = '/etc/swanctl'
-ipsec_conf     = '/etc/ipsec.conf'
-ipsec_secrets  = '/etc/ipsec.secrets'
-charon_conf = '/etc/strongswan.d/charon.conf'
-charon_dhcp_conf = '/etc/strongswan.d/charon/dhcp.conf'
-interface_conf = '/etc/strongswan.d/interfaces_use.conf'
-swanctl_conf   = f'{swanctl_dir}/swanctl.conf'
-
-default_install_routes = 'yes'
-
-vici_socket = '/var/run/charon.vici'
-
-CERT_PATH = f'{swanctl_dir}/x509/'
-PUBKEY_PATH = f'{swanctl_dir}/pubkey/'
-KEY_PATH  = f'{swanctl_dir}/private/'
-CA_PATH   = f'{swanctl_dir}/x509ca/'
-CRL_PATH  = f'{swanctl_dir}/x509crl/'
-
-DHCP_BASE = '/var/lib/dhcp/dhclient'
-DHCP_HOOK_IFLIST = '/tmp/ipsec_dhcp_waiting'
-
-def get_config(config=None):
-    if config:
-        conf = config
-    else:
-        conf = Config()
-    base = ['vpn', 'ipsec']
-    l2tp_base = ['vpn', 'l2tp', 'remote-access', 'ipsec-settings']
-    if not conf.exists(base):
-        return None
-
-    # retrieve common dictionary keys
-    ipsec = conf.get_config_dict(base, key_mangling=('-', '_'),
-                                 get_first_key=True, no_tag_node_value_mangle=True)
-
-    # We have gathered the dict representation of the CLI, but there are default
-    # options which we need to update into the dictionary retrived.
-    default_values = defaults(base)
-    # XXX: T2665: we must safely remove default values for tag nodes, those are
-    # added in a more fine grained way later on
-    del default_values['esp_group']
-    del default_values['ike_group']
-    del default_values['remote_access']
-    ipsec = dict_merge(default_values, ipsec)
-
-    if 'esp_group' in ipsec:
-        default_values = defaults(base + ['esp-group'])
-        for group in ipsec['esp_group']:
-            ipsec['esp_group'][group] = dict_merge(default_values,
-                                                   ipsec['esp_group'][group])
-    if 'ike_group' in ipsec:
-        default_values = defaults(base + ['ike-group'])
-        for group in ipsec['ike_group']:
-            ipsec['ike_group'][group] = dict_merge(default_values,
-                                                   ipsec['ike_group'][group])
-    if 'remote_access' in ipsec:
-        default_values = defaults(base + ['remote-access'])
-        for rw in ipsec['remote_access']:
-            ipsec['remote_access'][rw] = dict_merge(default_values,
-                                                    ipsec['remote_access'][rw])
-
-    ipsec['dhcp_no_address'] = {}
-    ipsec['install_routes'] = 'no' if conf.exists(base + ["options", "disable-route-autoinstall"]) else default_install_routes
-    ipsec['interface_change'] = leaf_node_changed(conf, base + ['ipsec-interfaces',
-                                                                'interface'])
-    ipsec['nhrp_exists'] = conf.exists(['protocols', 'nhrp', 'tunnel'])
-    ipsec['pki'] = conf.get_config_dict(['pki'], key_mangling=('-', '_'),
-                                             get_first_key=True,
-                                             no_tag_node_value_mangle=True)
-
-    ipsec['l2tp'] = conf.get_config_dict(l2tp_base, key_mangling=('-', '_'),
-                                             get_first_key=True,
-                                             no_tag_node_value_mangle=True)
-    if ipsec['l2tp']:
-        l2tp_defaults = defaults(l2tp_base)
-        ipsec['l2tp'] = dict_merge(l2tp_defaults, ipsec['l2tp'])
-        ipsec['l2tp_outside_address'] = conf.return_value(['vpn', 'l2tp', 'remote-access', 'outside-address'])
-        ipsec['l2tp_ike_default'] = 'aes256-sha1-modp1024,3des-sha1-modp1024,3des-sha1-modp1024'
-        ipsec['l2tp_esp_default'] = 'aes256-sha1,3des-sha1'
-
-    return ipsec
-
-def get_dhcp_address(iface):
-    addresses = Interface(iface).get_addr()
-    if not addresses:
-        return None
-    for address in addresses:
-        if not is_ipv6_link_local(address):
-            return ip_from_cidr(address)
-    return None
-
-def verify_pki_x509(pki, x509_conf):
-    if not pki or 'ca' not in pki or 'certificate' not in pki:
-        raise ConfigError(f'PKI is not configured')
-
-    ca_cert_name = x509_conf['ca_certificate']
-    cert_name = x509_conf['certificate']
-
-    if not dict_search_args(pki, 'ca', ca_cert_name, 'certificate'):
-        raise ConfigError(f'Missing CA certificate on specified PKI CA certificate "{ca_cert_name}"')
-
-    if not dict_search_args(pki, 'certificate', cert_name, 'certificate'):
-        raise ConfigError(f'Missing certificate on specified PKI certificate "{cert_name}"')
-
-    if not dict_search_args(pki, 'certificate', cert_name, 'private', 'key'):
-        raise ConfigError(f'Missing private key on specified PKI certificate "{cert_name}"')
-
-    return True
-
-def verify_pki_rsa(pki, rsa_conf):
-    if not pki or 'key_pair' not in pki:
-        raise ConfigError(f'PKI is not configured')
-
-    local_key = rsa_conf['local_key']
-    remote_key = rsa_conf['remote_key']
-
-    if not dict_search_args(pki, 'key_pair', local_key, 'private', 'key'):
-        raise ConfigError(f'Missing private key on specified local-key "{local_key}"')
-
-    if not dict_search_args(pki, 'key_pair', remote_key, 'public', 'key'):
-        raise ConfigError(f'Missing public key on specified remote-key "{remote_key}"')
-
-    return True
-
-def verify(ipsec):
-    if not ipsec:
-        return None
-
-    if 'ipsec_interfaces' in ipsec and 'interface' in ipsec['ipsec_interfaces']:
-        interfaces = ipsec['ipsec_interfaces']['interface']
-        if isinstance(interfaces, str):
-            interfaces = [interfaces]
-
-        for ifname in interfaces:
-            verify_interface_exists(ifname)
-
-    if ipsec['l2tp']:
-        if 'esp_group' in ipsec['l2tp']:
-            if 'esp_group' not in ipsec or ipsec['l2tp']['esp_group'] not in ipsec['esp_group']:
-                raise ConfigError(f"Invalid esp-group on L2TP remote-access config")
-
-        if 'ike_group' in ipsec['l2tp']:
-            if 'ike_group' not in ipsec or ipsec['l2tp']['ike_group'] not in ipsec['ike_group']:
-                raise ConfigError(f"Invalid ike-group on L2TP remote-access config")
-
-        if 'authentication' not in ipsec['l2tp']:
-            raise ConfigError(f'Missing authentication settings on L2TP remote-access config')
-
-        if 'mode' not in ipsec['l2tp']['authentication']:
-            raise ConfigError(f'Missing authentication mode on L2TP remote-access config')
-
-        if not ipsec['l2tp_outside_address']:
-            raise ConfigError(f'Missing outside-address on L2TP remote-access config')
-
-        if ipsec['l2tp']['authentication']['mode'] == 'pre-shared-secret':
-            if 'pre_shared_secret' not in ipsec['l2tp']['authentication']:
-                raise ConfigError(f'Missing pre shared secret on L2TP remote-access config')
-
-        if ipsec['l2tp']['authentication']['mode'] == 'x509':
-            if 'x509' not in ipsec['l2tp']['authentication']:
-                raise ConfigError(f'Missing x509 settings on L2TP remote-access config')
-
-            x509 = ipsec['l2tp']['authentication']['x509']
-
-            if 'ca_certificate' not in x509 or 'certificate' not in x509:
-                raise ConfigError(f'Missing x509 certificates on L2TP remote-access config')
-
-            verify_pki_x509(ipsec['pki'], x509)
-
-    if 'profile' in ipsec:
-        for profile, profile_conf in ipsec['profile'].items():
-            if 'esp_group' in profile_conf:
-                if 'esp_group' not in ipsec or profile_conf['esp_group'] not in ipsec['esp_group']:
-                    raise ConfigError(f"Invalid esp-group on {profile} profile")
-            else:
-                raise ConfigError(f"Missing esp-group on {profile} profile")
-
-            if 'ike_group' in profile_conf:
-                if 'ike_group' not in ipsec or profile_conf['ike_group'] not in ipsec['ike_group']:
-                    raise ConfigError(f"Invalid ike-group on {profile} profile")
-            else:
-                raise ConfigError(f"Missing ike-group on {profile} profile")
-
-            if 'authentication' not in profile_conf:
-                raise ConfigError(f"Missing authentication on {profile} profile")
-
-    if 'remote_access' in ipsec:
-        for name, ra_conf in ipsec['remote_access'].items():
-            if 'esp_group' in ra_conf:
-                if 'esp_group' not in ipsec or ra_conf['esp_group'] not in ipsec['esp_group']:
-                    raise ConfigError(f"Invalid esp-group on {name} remote-access config")
-            else:
-                raise ConfigError(f"Missing esp-group on {name} remote-access config")
-
-            if 'ike_group' in ra_conf:
-                if 'ike_group' not in ipsec or ra_conf['ike_group'] not in ipsec['ike_group']:
-                    raise ConfigError(f"Invalid ike-group on {name} remote-access config")
-            else:
-                raise ConfigError(f"Missing ike-group on {name} remote-access config")
-
-            if 'authentication' not in ra_conf:
-                raise ConfigError(f"Missing authentication on {name} remote-access config")
-
-            if ra_conf['authentication']['server_mode'] == 'x509':
-                if 'x509' not in ra_conf['authentication']:
-                    raise ConfigError(f"Missing x509 settings on {name} remote-access config")
-
-                x509 = ra_conf['authentication']['x509']
-
-                if 'ca_certificate' not in x509 or 'certificate' not in x509:
-                    raise ConfigError(f"Missing x509 certificates on {name} remote-access config")
-
-                verify_pki_x509(ipsec['pki'], x509)
-            elif ra_conf['authentication']['server_mode'] == 'pre-shared-secret':
-                if 'pre_shared_secret' not in ra_conf['authentication']:
-                    raise ConfigError(f"Missing pre-shared-key on {name} remote-access config")
-
-    if 'site_to_site' in ipsec and 'peer' in ipsec['site_to_site']:
-        for peer, peer_conf in ipsec['site_to_site']['peer'].items():
-            has_default_esp = False
-            if 'default_esp_group' in peer_conf:
-                has_default_esp = True
-                if 'esp_group' not in ipsec or peer_conf['default_esp_group'] not in ipsec['esp_group']:
-                    raise ConfigError(f"Invalid esp-group on site-to-site peer {peer}")
-
-            if 'ike_group' in peer_conf:
-                if 'ike_group' not in ipsec or peer_conf['ike_group'] not in ipsec['ike_group']:
-                    raise ConfigError(f"Invalid ike-group on site-to-site peer {peer}")
-            else:
-                raise ConfigError(f"Missing ike-group on site-to-site peer {peer}")
-
-            if 'authentication' not in peer_conf or 'mode' not in peer_conf['authentication']:
-                raise ConfigError(f"Missing authentication on site-to-site peer {peer}")
-
-            if peer_conf['authentication']['mode'] == 'x509':
-                if 'x509' not in peer_conf['authentication']:
-                    raise ConfigError(f"Missing x509 settings on site-to-site peer {peer}")
-
-                x509 = peer_conf['authentication']['x509']
-
-                if 'ca_certificate' not in x509 or 'certificate' not in x509:
-                    raise ConfigError(f"Missing x509 certificates on site-to-site peer {peer}")
-
-                verify_pki_x509(ipsec['pki'], x509)
-            elif peer_conf['authentication']['mode'] == 'rsa':
-                if 'rsa' not in peer_conf['authentication']:
-                    raise ConfigError(f"Missing RSA settings on site-to-site peer {peer}")
-
-                rsa = peer_conf['authentication']['rsa']
-
-                if 'local_key' not in rsa:
-                    raise ConfigError(f"Missing RSA local-key on site-to-site peer {peer}")
-
-                if 'remote_key' not in rsa:
-                    raise ConfigError(f"Missing RSA remote-key on site-to-site peer {peer}")
-
-                verify_pki_rsa(ipsec['pki'], rsa)
-
-            if 'local_address' not in peer_conf and 'dhcp_interface' not in peer_conf:
-                raise ConfigError(f"Missing local-address or dhcp-interface on site-to-site peer {peer}")
-
-            if 'dhcp_interface' in peer_conf:
-                dhcp_interface = peer_conf['dhcp_interface']
-
-                verify_interface_exists(dhcp_interface)
-
-                if not os.path.exists(f'{DHCP_BASE}_{dhcp_interface}.conf'):
-                    raise ConfigError(f"Invalid dhcp-interface on site-to-site peer {peer}")
-
-                address = get_dhcp_address(dhcp_interface)
-                count = 0
-                while not address and count < dhcp_wait_attempts:
-                    address = get_dhcp_address(dhcp_interface)
-                    count += 1
-                    sleep(dhcp_wait_sleep)
-
-                if not address:
-                    ipsec['dhcp_no_address'][peer] = dhcp_interface
-                    print(f"Failed to get address from dhcp-interface on site-to-site peer {peer} -- skipped")
-                    continue
-
-            if 'vti' in peer_conf:
-                if 'local_address' in peer_conf and 'dhcp_interface' in peer_conf:
-                    raise ConfigError(f"A single local-address or dhcp-interface is required when using VTI on site-to-site peer {peer}")
-
-                if 'bind' in peer_conf['vti']:
-                    vti_interface = peer_conf['vti']['bind']
-                    if not os.path.exists(f'/sys/class/net/{vti_interface}'):
-                        raise ConfigError(f'VTI interface {vti_interface} for site-to-site peer {peer} does not exist!')
-
-            if 'vti' not in peer_conf and 'tunnel' not in peer_conf:
-                raise ConfigError(f"No VTI or tunnel specified on site-to-site peer {peer}")
-
-            if 'tunnel' in peer_conf:
-                for tunnel, tunnel_conf in peer_conf['tunnel'].items():
-                    if 'esp_group' not in tunnel_conf and not has_default_esp:
-                        raise ConfigError(f"Missing esp-group on tunnel {tunnel} for site-to-site peer {peer}")
-
-                    esp_group_name = tunnel_conf['esp_group'] if 'esp_group' in tunnel_conf else peer_conf['default_esp_group']
-
-                    if esp_group_name not in ipsec['esp_group']:
-                        raise ConfigError(f"Invalid esp-group on tunnel {tunnel} for site-to-site peer {peer}")
-
-                    esp_group = ipsec['esp_group'][esp_group_name]
-
-                    if 'mode' in esp_group and esp_group['mode'] == 'transport':
-                        if 'protocol' in tunnel_conf and ((peer in ['any', '0.0.0.0']) or ('local_address' not in peer_conf or peer_conf['local_address'] in ['any', '0.0.0.0'])):
-                            raise ConfigError(f"Fixed local-address or peer required when a protocol is defined with ESP transport mode on tunnel {tunnel} for site-to-site peer {peer}")
-
-                        if ('local' in tunnel_conf and 'prefix' in tunnel_conf['local']) or ('remote' in tunnel_conf and 'prefix' in tunnel_conf['remote']):
-                            raise ConfigError(f"Local/remote prefix cannot be used with ESP transport mode on tunnel {tunnel} for site-to-site peer {peer}")
-
-def cleanup_pki_files():
-    for path in [CERT_PATH, CA_PATH, CRL_PATH, KEY_PATH, PUBKEY_PATH]:
-        if not os.path.exists(path):
-            continue
-        for file in os.listdir(path):
-            file_path = os.path.join(path, file)
-            if os.path.isfile(file_path):
-                os.unlink(file_path)
-
-def generate_pki_files_x509(pki, x509_conf):
-    ca_cert_name = x509_conf['ca_certificate']
-    ca_cert_data = dict_search_args(pki, 'ca', ca_cert_name, 'certificate')
-    ca_cert_crls = dict_search_args(pki, 'ca', ca_cert_name, 'crl') or []
-    crl_index = 1
-
-    cert_name = x509_conf['certificate']
-    cert_data = dict_search_args(pki, 'certificate', cert_name, 'certificate')
-    key_data = dict_search_args(pki, 'certificate', cert_name, 'private', 'key')
-    protected = 'passphrase' in x509_conf
-
-    with open(os.path.join(CA_PATH, f'{ca_cert_name}.pem'), 'w') as f:
-        f.write(wrap_certificate(ca_cert_data))
-
-    for crl in ca_cert_crls:
-        with open(os.path.join(CRL_PATH, f'{ca_cert_name}_{crl_index}.pem'), 'w') as f:
-            f.write(wrap_crl(crl))
-        crl_index += 1
-
-    with open(os.path.join(CERT_PATH, f'{cert_name}.pem'), 'w') as f:
-        f.write(wrap_certificate(cert_data))
-
-    with open(os.path.join(KEY_PATH, f'x509_{cert_name}.pem'), 'w') as f:
-        f.write(wrap_private_key(key_data, protected))
-
-def generate_pki_files_rsa(pki, rsa_conf):
-    local_key_name = rsa_conf['local_key']
-    local_key_data = dict_search_args(pki, 'key_pair', local_key_name, 'private', 'key')
-    protected = 'passphrase' in rsa_conf
-    remote_key_name = rsa_conf['remote_key']
-    remote_key_data = dict_search_args(pki, 'key_pair', remote_key_name, 'public', 'key')
-
-    local_key = load_private_key(local_key_data, rsa_conf['passphrase'] if protected else None)
-
-    with open(os.path.join(KEY_PATH, f'rsa_{local_key_name}.pem'), 'w') as f:
-        f.write(wrap_private_key(local_key_data, protected))
-
-    with open(os.path.join(PUBKEY_PATH, f'{local_key_name}.pem'), 'w') as f:
-        f.write(encode_public_key(local_key.public_key()))
-
-    with open(os.path.join(PUBKEY_PATH, f'{remote_key_name}.pem'), 'w') as f:
-        f.write(wrap_public_key(remote_key_data))
-
-def generate(ipsec):
-    cleanup_pki_files()
-
-    if not ipsec:
-        for config_file in [ipsec_conf, ipsec_secrets, charon_dhcp_conf, interface_conf, swanctl_conf]:
-            if os.path.isfile(config_file):
-                os.unlink(config_file)
-        render(charon_conf, 'ipsec/charon.tmpl', {'install_routes': default_install_routes})
-        return
-
-    if ipsec['dhcp_no_address']:
-        with open(DHCP_HOOK_IFLIST, 'w') as f:
-            f.write(" ".join(ipsec['dhcp_no_address'].values()))
-
-    for path in [swanctl_dir, CERT_PATH, CA_PATH, CRL_PATH, PUBKEY_PATH]:
-        if not os.path.exists(path):
-            os.mkdir(path, mode=0o755)
-
-    if not os.path.exists(KEY_PATH):
-        os.mkdir(KEY_PATH, mode=0o700)
-
-    if ipsec['l2tp']:
-        if 'authentication' in ipsec['l2tp'] and 'x509' in ipsec['l2tp']['authentication']:
-            generate_pki_files_x509(ipsec['pki'], ipsec['l2tp']['authentication']['x509'])
-
-    if 'remote_access' in ipsec:
-        for rw, rw_conf in ipsec['remote_access'].items():
-            if 'authentication' in rw_conf and 'x509' in rw_conf['authentication']:
-                generate_pki_files_x509(ipsec['pki'], rw_conf['authentication']['x509'])
-
-    if 'site_to_site' in ipsec and 'peer' in ipsec['site_to_site']:
-        for peer, peer_conf in ipsec['site_to_site']['peer'].items():
-            if peer in ipsec['dhcp_no_address']:
-                continue
-
-            if peer_conf['authentication']['mode'] == 'x509':
-                generate_pki_files_x509(ipsec['pki'], peer_conf['authentication']['x509'])
-            elif peer_conf['authentication']['mode'] == 'rsa':
-                generate_pki_files_rsa(ipsec['pki'], peer_conf['authentication']['rsa'])
-
-            local_ip = ''
-            if 'local_address' in peer_conf:
-                local_ip = peer_conf['local_address']
-            elif 'dhcp_interface' in peer_conf:
-                local_ip = get_dhcp_address(peer_conf['dhcp_interface'])
-
-            ipsec['site_to_site']['peer'][peer]['local_address'] = local_ip
-
-            if 'tunnel' in peer_conf:
-                for tunnel, tunnel_conf in peer_conf['tunnel'].items():
-                    local_prefixes = dict_search_args(tunnel_conf, 'local', 'prefix')
-                    remote_prefixes = dict_search_args(tunnel_conf, 'remote', 'prefix')
-
-                    if not local_prefixes or not remote_prefixes:
-                        continue
-
-                    passthrough = []
-
-                    for local_prefix in local_prefixes:
-                        for remote_prefix in remote_prefixes:
-                            local_net = ipaddress.ip_network(local_prefix)
-                            remote_net = ipaddress.ip_network(remote_prefix)
-                            if local_net.overlaps(remote_net):
-                                passthrough.append(local_prefix)
-
-                    ipsec['site_to_site']['peer'][peer]['tunnel'][tunnel]['passthrough'] = passthrough
-
-
-    render(ipsec_conf, 'ipsec/ipsec.conf.tmpl', ipsec)
-    render(ipsec_secrets, 'ipsec/ipsec.secrets.tmpl', ipsec)
-    render(charon_conf, 'ipsec/charon.tmpl', ipsec)
-    render(charon_dhcp_conf, 'ipsec/charon/dhcp.conf.tmpl', ipsec)
-    render(interface_conf, 'ipsec/interfaces_use.conf.tmpl', ipsec)
-    render(swanctl_conf, 'ipsec/swanctl.conf.tmpl', ipsec)
-
-def resync_nhrp(ipsec):
-    if ipsec and not ipsec['nhrp_exists']:
-        return
-
-    tmp = run('/usr/libexec/vyos/conf_mode/protocols_nhrp.py')
-    if tmp > 0:
-        print('ERROR: failed to reapply NHRP settings!')
-
-def wait_for_vici_socket(timeout=5, sleep_interval=0.1):
-    start_time = time()
-    test_command = f'sudo socat -u OPEN:/dev/null UNIX-CONNECT:{vici_socket}'
-    while True:
-        if (start_time + timeout) < time():
-            return None
-        result = run(test_command)
-        if result == 0:
-            return True
-        sleep(sleep_interval)
-
-def apply(ipsec):
-    if not ipsec:
-        call('sudo ipsec stop')
-    else:
-        args = ''
-        if 'auto_update' in ipsec:
-            args = '--auto-update ' + ipsec['auto_update']
-        call(f'sudo ipsec restart {args}')
-        call('sudo ipsec rereadall')
-        call('sudo ipsec reload')
-
-        if wait_for_vici_socket():
-            call('sudo swanctl -q')
-
-    resync_nhrp(ipsec)
-
-if __name__ == '__main__':
-    try:
-        ipsec = get_config()
-        verify(ipsec)
-        generate(ipsec)
-        apply(ipsec)
-    except ConfigError as e:
-        print(e)
-        exit(1)
diff --git a/src/migration-scripts/ipsec/5-to-6 b/src/migration-scripts/ipsec/5-to-6
index ba5ce0fca..76ee9ecba 100755
--- a/src/migration-scripts/ipsec/5-to-6
+++ b/src/migration-scripts/ipsec/5-to-6
@@ -1,82 +1,88 @@
 #!/usr/bin/env python3
 #
 # Copyright (C) 2021 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
 # published by the Free Software Foundation.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 # Remove deprecated strongSwan options from VyOS CLI
 # - vpn ipsec nat-traversal enable
 # - vpn ipsec nat-networks allowed-network
 
 from sys import argv
 from sys import exit
 
 from vyos.configtree import ConfigTree
 
 if (len(argv) < 1):
     print("Must specify file name!")
     exit(1)
 
 file_name = argv[1]
 
 with open(file_name, 'r') as f:
     config_file = f.read()
 
 base = ['vpn', 'ipsec']
 config = ConfigTree(config_file)
 
 if not config.exists(base):
     # Nothing to do
     exit(0)
 
 # Delete CLI nodes whose config options got removed by strongSwan
 for cli_node in ['nat-traversal', 'nat-networks']:
     if config.exists(base + [cli_node]):
         config.delete(base + [cli_node])
 
 # Remove options only valid in Openswan
 if config.exists(base + ['site-to-site', 'peer']):
     for peer in config.list_nodes(base + ['site-to-site', 'peer']):
         if not config.exists(base + ['site-to-site', 'peer', peer, 'tunnel']):
             continue
         for tunnel in config.list_nodes(base + ['site-to-site', 'peer', peer, 'tunnel']):
             # allow-public-networks - Sets a value in ipsec.conf that was only ever valid in Openswan on kernel 2.6
             nat_networks = base + ['site-to-site', 'peer', peer, 'tunnel', tunnel, 'allow-nat-networks']
             if config.exists(nat_networks):
                 config.delete(nat_networks)
 
             # allow-nat-networks - Also sets a value only valid in Openswan
             public_networks = base + ['site-to-site', 'peer', peer, 'tunnel', tunnel, 'allow-public-networks']
             if config.exists(public_networks):
                 config.delete(public_networks)
 
 # Rename "logging log-level" and "logging log-modes" to something more human friendly
 log = base + ['logging']
 if config.exists(log):
     config.rename(log, 'log')
     log = base + ['log']
 
 log_level = log + ['log-level']
 if config.exists(log_level):
     config.rename(log_level, 'level')
 
 log_mode = log + ['log-modes']
 if config.exists(log_mode):
     config.rename(log_mode, 'subsystem')
 
+# Rename "ipsec-interfaces interface" to "interface"
+base_interfaces = base + ['ipsec-interfaces', 'interface']
+if config.exists(base_interfaces):
+    config.copy(base_interfaces, base + ['interface'])
+    config.delete(base_interfaces)
+
 try:
     with open(file_name, 'w') as f:
         f.write(config.to_string())
 except OSError as e:
     print(f'Failed to save the modified config: {e}')
     exit(1)
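Review bot: The added rename block deletes only the leaf path `ipsec-interfaces interface`, so after the copy the now-empty parent node `vpn ipsec ipsec-interfaces` is still written back to the migrated config. Deleting the parent instead, `config.delete(base + ['ipsec-interfaces'])`, removes it. A config that holds `ipsec-interfaces` without an `interface` child is also left untouched, because the `config.exists(base_interfaces)` guard skips it. If the updated CLI definition no longer declares `ipsec-interfaces` (the template in this commit reads `interface` directly, which suggests so), the leftover node may fail validation when the config loads. That is worth checking, because this setting is what restricts charon to the listed interfaces via `interfaces_use`.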