diff --git a/data/templates/ipsec/charon.tmpl b/data/templates/ipsec/charon.tmpl
index 4d710921e..7e2936c0f 100644
--- a/data/templates/ipsec/charon.tmpl
+++ b/data/templates/ipsec/charon.tmpl
@@ -1,342 +1,341 @@
# Options for the charon IKE daemon.
charon {
# Accept unencrypted ID and HASH payloads in IKEv1 Main Mode.
- # accept_unencrypted_mainmode_messages = no
+ accept_unencrypted_mainmode_messages = {{ accept_unencrypted_mainmode_messages }}
# Maximum number of half-open IKE_SAs for a single peer IP.
# block_threshold = 5
# Whether Certicate Revocation Lists (CRLs) fetched via HTTP or LDAP should
# be saved under a unique file name derived from the public key of the
# Certification Authority (CA) to /etc/ipsec.d/crls (stroke) or
# /etc/swanctl/x509crl (vici), respectively.
# cache_crls = no
# Whether relations in validated certificate chains should be cached in
# memory.
# cert_cache = yes
# Send Cisco Unity vendor ID payload (IKEv1 only).
- # cisco_unity = no
+ cisco_unity = {{ cisco_unity }}
# Close the IKE_SA if setup of the CHILD_SA along with IKE_AUTH failed.
# close_ike_on_child_failure = no
# Number of half-open IKE_SAs that activate the cookie mechanism.
# cookie_threshold = 10
# Delete CHILD_SAs right after they got successfully rekeyed (IKEv1 only).
# delete_rekeyed = no
# Use ANSI X9.42 DH exponent size or optimum size matched to cryptographic
# strength.
# dh_exponent_ansi_x9_42 = yes
# Use RTLD_NOW with dlopen when loading plugins and IMV/IMCs to reveal
# missing symbols immediately.
# dlopen_use_rtld_now = no
# DNS server assigned to peer via configuration payload (CP).
# dns1 =
# DNS server assigned to peer via configuration payload (CP).
# dns2 =
# Enable Denial of Service protection using cookies and aggressiveness
# checks.
# dos_protection = yes
# Compliance with the errata for RFC 4753.
# ecp_x_coordinate_only = yes
# Free objects during authentication (might conflict with plugins).
# flush_auth_cfg = no
# Whether to follow IKEv2 redirects (RFC 5685).
# follow_redirects = yes
# Maximum size (complete IP datagram size in bytes) of a sent IKE fragment
# when using proprietary IKEv1 or standardized IKEv2 fragmentation, defaults
# to 1280 (use 0 for address family specific default values, which uses a
# lower value for IPv4). If specified this limit is used for both IPv4 and
# IPv6.
# fragment_size = 1280
# Name of the group the daemon changes to after startup.
# group =
# Timeout in seconds for connecting IKE_SAs (also see IKE_SA_INIT DROPPING).
# half_open_timeout = 30
# Enable hash and URL support.
# hash_and_url = no
# Allow IKEv1 Aggressive Mode with pre-shared keys as responder.
# i_dont_care_about_security_and_use_aggressive_mode_psk = no
# Whether to ignore the traffic selectors from the kernel's acquire events
# for IKEv2 connections (they are not used for IKEv1).
# ignore_acquire_ts = no
# A space-separated list of routing tables to be excluded from route
# lookups.
# ignore_routing_tables =
# Maximum number of IKE_SAs that can be established at the same time before
# new connection attempts are blocked.
# ikesa_limit = 0
# Number of exclusively locked segments in the hash table.
- # ikesa_table_segments = 1
+ ikesa_table_segments = {{ ikesa_sa_segments }}
# Size of the IKE_SA hash table.
- # ikesa_table_size = 1
+ ikesa_table_size = {{ ikesa_sa_table_size }}
# Whether to close IKE_SA if the only CHILD_SA closed due to inactivity.
# inactivity_close_ike = no
# Limit new connections based on the current number of half open IKE_SAs,
# see IKE_SA_INIT DROPPING in strongswan.conf(5).
# init_limit_half_open = 0
# Limit new connections based on the number of queued jobs.
# init_limit_job_load = 0
# Causes charon daemon to ignore IKE initiation requests.
# initiator_only = no
# Install routes into a separate routing table for established IPsec
# tunnels.
install_routes = {{ install_routes }}
# Install virtual IP addresses.
- # install_virtual_ip = yes
+ install_virtual_ip = {{ install_virtual_ip }}
# The name of the interface on which virtual IP addresses should be
# installed.
# install_virtual_ip_on =
# Check daemon, libstrongswan and plugin integrity at startup.
# integrity_test = no
# A comma-separated list of network interfaces that should be ignored, if
# interfaces_use is specified this option has no effect.
# interfaces_ignore =
# A comma-separated list of network interfaces that should be used by
# charon. All other interfaces are ignored.
# interfaces_use =
# NAT keep alive interval.
# keep_alive = 20s
# Plugins to load in the IKE daemon charon.
# load =
# Determine plugins to load via each plugin's load option.
# load_modular = no
# Initiate IKEv2 reauthentication with a make-before-break scheme.
# make_before_break = no
# Maximum number of IKEv1 phase 2 exchanges per IKE_SA to keep state about
# and track concurrently.
# max_ikev1_exchanges = 3
# Maximum packet size accepted by charon.
# max_packet = 10000
# Enable multiple authentication exchanges (RFC 4739).
# multiple_authentication = yes
# WINS servers assigned to peer via configuration payload (CP).
# nbns1 =
# WINS servers assigned to peer via configuration payload (CP).
# nbns2 =
# UDP port used locally. If set to 0 a random port will be allocated.
# port = 500
# UDP port used locally in case of NAT-T. If set to 0 a random port will be
# allocated. Has to be different from charon.port, otherwise a random port
# will be allocated.
# port_nat_t = 4500
# Prefer locally configured proposals for IKE/IPsec over supplied ones as
# responder (disabling this can avoid keying retries due to
# INVALID_KE_PAYLOAD notifies).
# prefer_configured_proposals = yes
# By default public IPv6 addresses are preferred over temporary ones (RFC
# 4941), to make connections more stable. Enable this option to reverse
# this.
# prefer_temporary_addrs = no
# Process RTM_NEWROUTE and RTM_DELROUTE events.
# process_route = yes
# Delay in ms for receiving packets, to simulate larger RTT.
# receive_delay = 0
# Delay request messages.
# receive_delay_request = yes
# Delay response messages.
# receive_delay_response = yes
# Specific IKEv2 message type to delay, 0 for any.
# receive_delay_type = 0
# Size of the AH/ESP replay window, in packets.
# replay_window = 32
# Base to use for calculating exponential back off, see IKEv2 RETRANSMISSION
# in strongswan.conf(5).
# retransmit_base = 1.8
# Timeout in seconds before sending first retransmit.
# retransmit_timeout = 4.0
# Number of times to retransmit a packet before giving up.
# retransmit_tries = 5
# Interval in seconds to use when retrying to initiate an IKE_SA (e.g. if
# DNS resolution failed), 0 to disable retries.
# retry_initiate_interval = 0
# Initiate CHILD_SA within existing IKE_SAs (always enabled for IKEv1).
# reuse_ikesa = yes
# Numerical routing table to install routes to.
# routing_table =
# Priority of the routing table.
# routing_table_prio =
# Delay in ms for sending packets, to simulate larger RTT.
# send_delay = 0
# Delay request messages.
# send_delay_request = yes
# Delay response messages.
# send_delay_response = yes
# Specific IKEv2 message type to delay, 0 for any.
# send_delay_type = 0
# Send strongSwan vendor ID payload
- # send_vendor_id = no
+ send_vendor_id = {{ strongSwan_id }}
# Whether to enable Signature Authentication as per RFC 7427.
# signature_authentication = yes
# Whether to enable constraints against IKEv2 signature schemes.
# signature_authentication_constraints = yes
# Number of worker threads in charon.
# threads = 16
# Name of the user the daemon changes to after startup.
# user =
crypto_test {
# Benchmark crypto algorithms and order them by efficiency.
# bench = no
# Buffer size used for crypto benchmark.
# bench_size = 1024
# Number of iterations to test each algorithm.
# bench_time = 50
# Test crypto algorithms during registration (requires test vectors
# provided by the test-vectors plugin).
# on_add = no
# Test crypto algorithms on each crypto primitive instantiation.
# on_create = no
# Strictly require at least one test vector to enable an algorithm.
# required = no
# Whether to test RNG with TRUE quality; requires a lot of entropy.
# rng_true = no
}
host_resolver {
# Maximum number of concurrent resolver threads (they are terminated if
# unused).
# max_threads = 3
# Minimum number of resolver threads to keep around.
# min_threads = 0
}
leak_detective {
# Includes source file names and line numbers in leak detective output.
# detailed = yes
# Threshold in bytes for leaks to be reported (0 to report all).
# usage_threshold = 10240
# Threshold in number of allocations for leaks to be reported (0 to
# report all).
# usage_threshold_count = 0
}
processor {
# Section to configure the number of reserved threads per priority class
# see JOB PRIORITY MANAGEMENT in strongswan.conf(5).
priority_threads {
}
}
# Section containing a list of scripts (name = path) that are executed when
# the daemon is started.
start-scripts {
}
# Section containing a list of scripts (name = path) that are executed when
# the daemon is terminated.
stop-scripts {
}
tls {
# List of TLS encryption ciphers.
# cipher =
# List of TLS key exchange methods.
# key_exchange =
# List of TLS MAC algorithms.
# mac =
# List of TLS cipher suites.
# suites =
}
x509 {
# Discard certificates with unsupported or unknown critical extensions.
# enforce_critical = yes
}
}
-
diff --git a/interface-definitions/ipsec-settings.xml b/interface-definitions/ipsec-settings.xml
index bc54baa27..520c6aab2 100644
--- a/interface-definitions/ipsec-settings.xml
+++ b/interface-definitions/ipsec-settings.xml
@@ -1,24 +1,66 @@
<?xml version="1.0"?>
<interfaceDefinition>
<node name="vpn">
<children>
<node name="ipsec">
<children>
<node name="options" owner="${vyos_conf_scripts_dir}/ipsec-settings.py">
<properties>
<help>Global IPsec settings</help>
</properties>
<children>
+ <leafNode name="unencrypted-mainmode">
+ <properties>
+ <help>Accept unencrypted ID and Hash messages from legacy devices</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ <leafNode name="ikesa-sa-segments">
+ <properties>
+ <help>The number of segments to breakup the IKE_SA hash table into</help>
+ <constraint>
+ <validator name="numeric" argument="--positive"/>
+ </constraint>
+ <constraintErrorMessage>must be positive integer</constraintErrorMessage>
+ </properties>
+ </leafNode>
+ <leafNode name="ikesa-sa-table-size">
+ <properties>
+ <help>Size of the IKE_SA hash table</help>
+ <constraint>
+ <validator name="numeric" argument="--positive"/>
+ </constraint>
+ <constraintErrorMessage>table size must be positive integer</constraintErrorMessage>
+ </properties>
+ </leafNode>
<leafNode name="disable-route-autoinstall">
<properties>
<valueless/>
<help>Do not automatically install routes to remote networks</help>
</properties>
</leafNode>
+ <leafNode name="disable-virtual-ip-autoinstall">
+ <properties>
+ <valueless/>
+ <help>Do not automatically install virtual ip addresses to outbound interface</help>
+ </properties>
+ </leafNode>
+ <leafNode name="cisco-unity">
+ <properties>
+ <valueless/>
+ <help>Send Cisco Unity vendor ID payload (IKEv1 only)</help>
+ </properties>
+ </leafNode>
+ <leafNode name="strongSwan-id">
+ <properties>
+ <valueless/>
+ <help>Send strongSwan vendor ID payload</help>
+ </properties>
+ </leafNode>
</children>
</node>
</children>
</node>
</children>
</node>
</interfaceDefinition>
diff --git a/src/conf_mode/ipsec-settings.py b/src/conf_mode/ipsec-settings.py
index 921f20491..d1b288ea1 100755
--- a/src/conf_mode/ipsec-settings.py
+++ b/src/conf_mode/ipsec-settings.py
@@ -1,67 +1,93 @@
#!/usr/bin/env python3
#
# Copyright (C) 2018 VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
#
import os
import jinja2
import vyos.config
import vyos.defaults
from vyos import ConfigError
charon_conf_file = "/etc/strongswan.d/charon.conf"
def get_config():
config = vyos.config.Config()
- data = {"install_routes": "yes"}
+ data = {
+ "accept_unencrypted_mainmode_messages": "no",
+ "ikesa_sa_segments": "1",
+ "ikesa_sa_table_size": "1",
+ "install_routes": "yes",
+ "install_virtual_ip": "yes",
+ "cisco_unity": "no",
+ "strongSwan_id": "no"
+ }
+
+ if config.exists("vpn ipsec options unencrypted-mainmode"):
+ data["accept_unencrypted_mainmode_messages"] = "yes"
if config.exists("vpn ipsec options disable-route-autoinstall"):
data["install_routes"] = "no"
+ if config.exists("vpn ipsec options disable-virtual-ip-autoinstall"):
+ data["install_virtual_ip"] = "no"
+
+ if config.exists("vpn ipsec options cisco-unity"):
+ data["cisco_unity"] = "yes"
+
+ if config.exists("vpn ipsec options strongSwan-id"):
+ data["strongSwan_id"] = "yes"
+
+ if config.exists("vpn ipsec options ikesa-sa-table-size"):
+ data["ikesa_sa_table_size"] = config.return_value("vpn ipsec options ikesa-sa-table-size")
+
+ if config.exists("vpn ipsec options ikesa-sa-segments"):
+ data["ikesa_sa_segments"] = config.return_value("vpn ipsec options ikesa-sa-segments")
+
return data
def verify(data):
pass
def generate(data):
tmpl_path = os.path.join(vyos.defaults.directories["data"], "templates", "ipsec")
fs_loader = jinja2.FileSystemLoader(tmpl_path)
env = jinja2.Environment(loader=fs_loader)
charon_conf_tmpl = env.get_template("charon.tmpl")
charon_conf = charon_conf_tmpl.render(data)
with open(charon_conf_file, 'w') as f:
f.write(charon_conf)
def apply(data):
# Do nothing
# StrongSWAN should only be restarted when actual tunnels are configured
pass
if __name__ == '__main__':
try:
c = get_config()
verify(c)
generate(c)
apply(c)
except ConfigError as e:
print(e)
sys.exit(1)