diff --git a/data/templates/ipsec/swanctl/peer.j2 b/data/templates/ipsec/swanctl/peer.j2
index 58f0199fa..f38691884 100644
--- a/data/templates/ipsec/swanctl/peer.j2
+++ b/data/templates/ipsec/swanctl/peer.j2
@@ -1,166 +1,166 @@
{% macro conn(peer, peer_conf, ike_group, esp_group) %}
{% set name = peer.replace("@", "") | dot_colon_to_dash %}
{# peer needs to reference the global IKE configuration for certain values #}
{% set ike = ike_group[peer_conf.ike_group] %}
{{ name }} {
proposals = {{ ike | get_esp_ike_cipher | join(',') }}
version = {{ ike.key_exchange[4:] if ike.key_exchange is vyos_defined else "0" }}
{% if peer_conf.virtual_address is vyos_defined %}
vips = {{ peer_conf.virtual_address | join(', ') }}
{% endif %}
- local_addrs = {{ peer_conf.local_address if peer_conf.local_address != 'any' else '%any' }} # dhcp:{{ peer_conf.dhcp_interface if 'dhcp_interface' in peer_conf else 'no' }}
+ local_addrs = {{ peer_conf.local_address if peer_conf.local_address != 'any' else '%any' }} # dhcp:{{ peer_conf.dhcp_interface if 'dhcp_interface' in peer_conf else 'no' }} reset:{{ name }}
remote_addrs = {{ peer_conf.remote_address | join(",") if peer_conf.remote_address is vyos_defined and 'any' not in peer_conf.remote_address else '%any' }}
{% if peer_conf.authentication.mode is vyos_defined('x509') %}
send_cert = always
{% endif %}
{% if ike.dead_peer_detection is vyos_defined %}
dpd_timeout = {{ ike.dead_peer_detection.timeout }}
dpd_delay = {{ ike.dead_peer_detection.interval }}
{% endif %}
{% if ike.key_exchange is vyos_defined('ikev1') and ike.mode is vyos_defined('aggressive') %}
aggressive = yes
{% endif %}
rekey_time = {{ ike.lifetime }}s
mobike = {{ "no" if ike.disable_mobike is defined else "yes" }}
{% if peer[0:1] == '@' %}
keyingtries = 0
reauth_time = 0
{% elif peer_conf.connection_type is not vyos_defined or peer_conf.connection_type is vyos_defined('initiate') %}
keyingtries = 0
{% elif peer_conf.connection_type is vyos_defined('respond') %}
keyingtries = 1
{% endif %}
{% if peer_conf.force_udp_encapsulation is vyos_defined %}
encap = yes
{% endif %}
local {
{% if peer_conf.authentication.local_id is vyos_defined %}
id = "{{ peer_conf.authentication.local_id }}"
{% endif %}
auth = {{ 'psk' if peer_conf.authentication.mode == 'pre-shared-secret' else 'pubkey' }}
{% if peer_conf.authentication.mode == 'x509' %}
certs = {{ peer_conf.authentication.x509.certificate }}.pem
{% elif peer_conf.authentication.mode == 'rsa' %}
pubkeys = {{ peer_conf.authentication.rsa.local_key }}.pem
{% endif %}
}
remote {
id = "{{ peer_conf.authentication.remote_id }}"
auth = {{ 'psk' if peer_conf.authentication.mode == 'pre-shared-secret' else 'pubkey' }}
{% if peer_conf.authentication.mode == 'rsa' %}
pubkeys = {{ peer_conf.authentication.rsa.remote_key }}.pem
{% endif %}
}
children {
{% if peer_conf.vti.bind is vyos_defined and peer_conf.tunnel is not vyos_defined %}
{% set vti_esp = esp_group[ peer_conf.vti.esp_group ] if peer_conf.vti.esp_group is vyos_defined else esp_group[ peer_conf.default_esp_group ] %}
{{ name }}-vti {
esp_proposals = {{ vti_esp | get_esp_ike_cipher(ike) | join(',') }}
{% if vti_esp.life_bytes is vyos_defined %}
life_bytes = {{ vti_esp.life_bytes }}
{% endif %}
{% if vti_esp.life_packets is vyos_defined %}
life_packets = {{ vti_esp.life_packets }}
{% endif %}
life_time = {{ vti_esp.lifetime }}s
local_ts = 0.0.0.0/0,::/0
remote_ts = 0.0.0.0/0,::/0
updown = "/etc/ipsec.d/vti-up-down {{ peer_conf.vti.bind }}"
{# The key defaults to 0 and will match any policies which similarly do not have a lookup key configuration. #}
{# Thus we simply shift the key by one to also support a vti0 interface #}
{% set if_id = peer_conf.vti.bind | replace('vti', '') | int + 1 %}
if_id_in = {{ if_id }}
if_id_out = {{ if_id }}
ipcomp = {{ 'yes' if vti_esp.compression is vyos_defined else 'no' }}
mode = {{ vti_esp.mode }}
{% if peer[0:1] == '@' %}
start_action = none
{% elif peer_conf.connection_type is not vyos_defined or peer_conf.connection_type is vyos_defined('initiate') %}
start_action = start
{% elif peer_conf.connection_type is vyos_defined('respond') %}
start_action = trap
{% elif peer_conf.connection_type is vyos_defined('none') %}
start_action = none
{% endif %}
{% if ike.dead_peer_detection is vyos_defined %}
dpd_action = {{ ike.dead_peer_detection.action }}
{% endif %}
close_action = {{ ike.close_action }}
{% if peer_conf.replay_window is vyos_defined %}
replay_window = {{ peer_conf.replay_window }}
{% endif %}
}
{% elif peer_conf.tunnel is vyos_defined %}
{% for tunnel_id, tunnel_conf in peer_conf.tunnel.items() if tunnel_conf.disable is not defined %}
{% set tunnel_esp_name = tunnel_conf.esp_group if tunnel_conf.esp_group is vyos_defined else peer_conf.default_esp_group %}
{% set tunnel_esp = esp_group[tunnel_esp_name] %}
{% set proto = tunnel_conf.protocol if tunnel_conf.protocol is vyos_defined else '' %}
{% set local_port = tunnel_conf.local.port if tunnel_conf.local.port is vyos_defined else '' %}
{% set local_suffix = '[{0}/{1}]'.format(proto, local_port) if proto or local_port else '' %}
{% set remote_port = tunnel_conf.remote.port if tunnel_conf.remote.port is vyos_defined else '' %}
{% set remote_suffix = '[{0}/{1}]'.format(proto, remote_port) if proto or remote_port else '' %}
{{ name }}-tunnel-{{ tunnel_id }} {
esp_proposals = {{ tunnel_esp | get_esp_ike_cipher(ike) | join(',') }}
{% if tunnel_esp.life_bytes is vyos_defined %}
life_bytes = {{ tunnel_esp.life_bytes }}
{% endif %}
{% if tunnel_esp.life_packets is vyos_defined %}
life_packets = {{ tunnel_esp.life_packets }}
{% endif %}
life_time = {{ tunnel_esp.lifetime }}s
{% if tunnel_esp.mode is not defined or tunnel_esp.mode == 'tunnel' %}
{% if tunnel_conf.local.prefix is vyos_defined %}
{% set local_prefix = tunnel_conf.local.prefix if 'any' not in tunnel_conf.local.prefix else ['0.0.0.0/0', '::/0'] %}
local_ts = {{ local_prefix | join(local_suffix + ",") }}{{ local_suffix }}
{% endif %}
{% if tunnel_conf.remote.prefix is vyos_defined %}
{% set remote_prefix = tunnel_conf.remote.prefix if 'any' not in tunnel_conf.remote.prefix else ['0.0.0.0/0', '::/0'] %}
remote_ts = {{ remote_prefix | join(remote_suffix + ",") }}{{ remote_suffix }}
{% endif %}
{% if tunnel_conf.priority is vyos_defined %}
priority = {{ tunnel_conf.priority }}
{% endif %}
{% elif tunnel_esp.mode == 'transport' %}
local_ts = {{ peer_conf.local_address }}{{ local_suffix }}
remote_ts = {{ peer_conf.remote_address | join(",") }}{{ remote_suffix }}
{% endif %}
ipcomp = {{ 'yes' if tunnel_esp.compression is vyos_defined else 'no' }}
mode = {{ tunnel_esp.mode }}
{% if peer[0:1] == '@' %}
start_action = none
{% elif peer_conf.connection_type is not vyos_defined or peer_conf.connection_type is vyos_defined('initiate') %}
start_action = start
{% elif peer_conf.connection_type is vyos_defined('respond') %}
start_action = trap
{% elif peer_conf.connection_type is vyos_defined('none') %}
start_action = none
{% endif %}
{% if ike.dead_peer_detection is vyos_defined %}
dpd_action = {{ ike.dead_peer_detection.action }}
{% endif %}
close_action = {{ ike.close_action }}
{% if peer_conf.replay_window is vyos_defined %}
replay_window = {{ peer_conf.replay_window }}
{% endif %}
{% if peer_conf.vti.bind is vyos_defined %}
{# The key defaults to 0 and will match any policies which similarly do not have a lookup key configuration. #}
{# Thus we simply shift the key by one to also support a vti0 interface #}
{% set if_id = peer_conf.vti.bind | replace('vti', '') | int + 1 %}
updown = "/etc/ipsec.d/vti-up-down {{ peer_conf.vti.bind }}"
if_id_in = {{ if_id }}
if_id_out = {{ if_id }}
{% endif %}
}
{% if tunnel_conf.passthrough is vyos_defined %}
{{ name }}-tunnel-{{ tunnel_id }}-passthrough {
local_ts = {{ tunnel_conf.passthrough | join(",") }}
remote_ts = {{ tunnel_conf.passthrough | join(",") }}
start_action = trap
mode = pass
}
{% endif %}
{% endfor %}
{% endif %}
}
}
{% endmacro %}
diff --git a/data/templates/ipsec/swanctl/remote_access.j2 b/data/templates/ipsec/swanctl/remote_access.j2
index af7f2994e..d1d6d2478 100644
--- a/data/templates/ipsec/swanctl/remote_access.j2
+++ b/data/templates/ipsec/swanctl/remote_access.j2
@@ -1,56 +1,56 @@
{% macro conn(name, rw_conf, ike_group, esp_group) %}
{# peer needs to reference the global IKE configuration for certain values #}
{% set ike = ike_group[rw_conf.ike_group] %}
{% set esp = esp_group[rw_conf.esp_group] %}
ra-{{ name }} {
remote_addrs = %any
- local_addrs = {{ rw_conf.local_address if rw_conf.local_address is not vyos_defined('any') else '%any' }} # dhcp:{{ rw_conf.dhcp_interface if rw_conf.dhcp_interface is vyos_defined else 'no' }}
+ local_addrs = {{ rw_conf.local_address if rw_conf.local_address is not vyos_defined('any') else '%any' }} # dhcp:{{ rw_conf.dhcp_interface if rw_conf.dhcp_interface is vyos_defined else 'no' }} reset:ra-{{ name }}
proposals = {{ ike_group[rw_conf.ike_group] | get_esp_ike_cipher | join(',') }}
version = {{ ike.key_exchange[4:] if ike.key_exchange is vyos_defined else "0" }}
send_certreq = no
rekey_time = {{ ike.lifetime }}s
keyingtries = 0
{% if rw_conf.unique is vyos_defined %}
unique = {{ rw_conf.unique }}
{% endif %}
{% if rw_conf.pool is vyos_defined %}
pools = {{ rw_conf.pool | join(',') }}
{% endif %}
local {
{% if rw_conf.authentication.local_id is vyos_defined and rw_conf.authentication.use_x509_id is not vyos_defined %}
{# please use " quotes - else Apple iOS goes crazy #}
id = "{{ rw_conf.authentication.local_id }}"
{% endif %}
{% if rw_conf.authentication.server_mode == 'x509' %}
auth = pubkey
certs = {{ rw_conf.authentication.x509.certificate }}.pem
{% elif rw_conf.authentication.server_mode == 'pre-shared-secret' %}
auth = psk
{% endif %}
}
remote {
{% if rw_conf.authentication.client_mode == 'x509' %}
auth = pubkey
{% elif rw_conf.authentication.client_mode.startswith("eap") %}
auth = {{ rw_conf.authentication.client_mode }}
eap_id = %any
{% endif %}
}
children {
ikev2-vpn {
esp_proposals = {{ esp | get_esp_ike_cipher(ike) | join(',') }}
rekey_time = {{ esp.lifetime }}s
rand_time = 540s
dpd_action = clear
inactivity = {{ rw_conf.timeout }}
{% if rw_conf.replay_window is vyos_defined %}
replay_window = {{ rw_conf.replay_window }}
{% endif %}
{% set local_prefix = rw_conf.local.prefix if rw_conf.local.prefix is vyos_defined else ['0.0.0.0/0', '::/0'] %}
{% set local_port = rw_conf.local.port if rw_conf.local.port is vyos_defined else '' %}
{% set local_suffix = '[%any/{1}]'.format(local_port) if local_port else '' %}
local_ts = {{ local_prefix | join(local_suffix + ",") }}{{ local_suffix }}
}
}
}
{% endmacro %}
diff --git a/src/etc/dhcp/dhclient-exit-hooks.d/99-ipsec-dhclient-hook b/src/etc/dhcp/dhclient-exit-hooks.d/99-ipsec-dhclient-hook
index e6edc1ac3..4dc52c6db 100755
--- a/src/etc/dhcp/dhclient-exit-hooks.d/99-ipsec-dhclient-hook
+++ b/src/etc/dhcp/dhclient-exit-hooks.d/99-ipsec-dhclient-hook
@@ -1,82 +1,73 @@
#!/bin/bash
#
# Copyright (C) 2021 VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
if [ "$reason" == "REBOOT" ] || [ "$reason" == "EXPIRE" ]; then
return 0
fi
DHCP_HOOK_IFLIST="/tmp/ipsec_dhcp_waiting"
if [ -f $DHCP_HOOK_IFLIST ] && [ "$reason" == "BOUND" ]; then
if grep -qw $interface $DHCP_HOOK_IFLIST; then
sudo rm $DHCP_HOOK_IFLIST
sudo /usr/libexec/vyos/conf_mode/vpn_ipsec.py
return 0
fi
fi
if [ "$old_ip_address" == "$new_ip_address" ] && [ "$reason" == "BOUND" ]; then
return 0
fi
python3 - <<PYEND
import os
import re
from vyos.utils.process import call
from vyos.utils.process import cmd
from vyos.utils.file import read_file
from vyos.utils.file import write_file
SWANCTL_CONF="/etc/swanctl/swanctl.conf"
-def ipsec_down(ip_address):
- # This prevents the need to restart ipsec and kill all active connections, only the stale connection is closed
- status = cmd('sudo ipsec statusall')
- connection_name = None
- for line in status.split("\n"):
- if line.find(ip_address) > 0:
- regex_match = re.search(r'(peer_[^:\[]+)', line)
- if regex_match:
- connection_name = regex_match[1]
- break
- if connection_name:
- call(f'sudo ipsec down {connection_name}')
-
if __name__ == '__main__':
interface = os.getenv('interface')
new_ip = os.getenv('new_ip_address')
old_ip = os.getenv('old_ip_address')
if os.path.exists(SWANCTL_CONF):
- conf_lines = read_file(SWANCTL_CONF)
+ conf_lines = read_file(SWANCTL_CONF).split("\n")
found = False
+ reset_conns = set()
to_match = f'# dhcp:{interface}'
for i, line in enumerate(conf_lines):
if line.find(to_match) > 0:
conf_lines[i] = line.replace(old_ip, new_ip)
found = True
+ regex_match = re.search(r'#.* reset:([-_a-zA-Z0-9|@]+)', line)
+ if regex_match:
+ connection_name = regex_match[1]
+ reset_conns.add(connection_name)
if found:
- write_file(SWANCTL_CONF, conf_lines)
- ipsec_down(old_ip)
- call('sudo ipsec rereadall')
- call('sudo ipsec reload')
+ write_file(SWANCTL_CONF, "\n".join(conf_lines))
+ for connection_name in reset_conns:
+ call(f'sudo swanctl -t -i {connection_name}')
call('sudo swanctl -q')
exit(0)
PYEND