diff --git a/data/templates/zabbix-agent/zabbix-agent.conf.j2 b/data/templates/zabbix-agent/zabbix-agent.conf.j2
index e6dcef872..b8df2d177 100644
--- a/data/templates/zabbix-agent/zabbix-agent.conf.j2
+++ b/data/templates/zabbix-agent/zabbix-agent.conf.j2
@@ -1,77 +1,90 @@
# Generated by ${vyos_conf_scripts_dir}/service_monitoring_zabbix-agent.py
PidFile=/run/zabbix/zabbix_agent2.pid
LogFile=/var/log/zabbix/zabbix_agent2.log
ControlSocket=/run/zabbix/agent.sock
{% if log is vyos_defined %}
{% if log.size is vyos_defined %}
### Option: LogFileSize
# Maximum size of log file in MB.
# 0 - disable automatic log rotation.
#
# Range: 0-1024
LogFileSize={{ log.size }}
{% endif %}
{% if log.remote_commands is vyos_defined %}
LogRemoteCommands=1
{% endif %}
{% if log.debug_level is vyos_defined %}
{% set mapping = {
'basic': 0,
'critical': 1,
'error': 2,
'warning': 3,
'debug': 4,
'extended-debug': 5
} %}
DebugLevel={{ mapping[log.debug_level] }}
{% endif %}
{% endif %}
{% if server is vyos_defined %}
Server={{ server | bracketize_ipv6 | join(',') }}
{% endif %}
{% if server_active is vyos_defined %}
{% set servers = [] %}
{% for key, value in server_active.items() %}
{% if value.port %}
{% set serv_item = key | bracketize_ipv6 + ':' + value.port %}
{% set _ = servers.append(serv_item) %}
{% else %}
{% set _ = servers.append(key | bracketize_ipv6) %}
{% endif %}
{% endfor %}
ServerActive={{ servers | join(',') }}
{% endif %}
{% if host_name is vyos_defined %}
Hostname={{ host_name }}
{% endif %}
{% if port is vyos_defined %}
ListenPort={{ port }}
{% endif %}
{% if listen_address is vyos_defined %}
ListenIP={{ listen_address | join(',') }}
{% endif %}
{% if limits is vyos_defined %}
{% if limits.buffer_flush_interval is vyos_defined %}
BufferSend={{ limits.buffer_flush_interval }}
{% endif %}
{% if limits.buffer_size is vyos_defined %}
BufferSize={{ limits.buffer_size }}
{% endif %}
{% endif %}
{% if directory is vyos_defined %}
### Option: Include
# You may include individual files or all files in a directory in the configuration file.
Include={{ directory }}/*.conf
{% endif %}
{% if timeout is vyos_defined %}
Timeout={{ timeout }}
{% endif %}
+{% if authentication is vyos_defined and authentication.mode is vyos_defined %}
+{% if authentication.mode == "pre-shared-secret" %}
+TLSConnect=psk
+TLSAccept=psk
+{% endif %}
+{% if authentication.psk.secret is vyos_defined %}
+TLSPSKFile={{ service_psk_file }}
+{% endif %}
+{% if authentication.psk.id is vyos_defined %}
+TLSPSKIdentity={{ authentication.psk.id }}
+{% endif %}
+{% endif %}
+
diff --git a/interface-definitions/include/auth-mode-pre-shared-secret.xml.i b/interface-definitions/include/auth-mode-pre-shared-secret.xml.i
new file mode 100644
index 000000000..cf1003917
--- /dev/null
+++ b/interface-definitions/include/auth-mode-pre-shared-secret.xml.i
@@ -0,0 +1,14 @@
+<!-- include start from auth-mode-pre-shared-secret.xml.i -->
+<leafNode name="mode">
+ <properties>
+ <help>Authentication mode</help>
+ <completionHelp>
+ <list>pre-shared-secret</list>
+ </completionHelp>
+ <valueHelp>
+ <format>pre-shared-secret</format>
+ <description>Use a pre-shared secret key</description>
+ </valueHelp>
+ </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/auth-psk-id.xml.i b/interface-definitions/include/auth-psk-id.xml.i
new file mode 100644
index 000000000..ab2451045
--- /dev/null
+++ b/interface-definitions/include/auth-psk-id.xml.i
@@ -0,0 +1,11 @@
+<!-- include start from auth-psk-id.xml.i -->
+<leafNode name="id">
+ <properties>
+ <help>ID for authentication</help>
+ <valueHelp>
+ <format>txt</format>
+ <description>ID used for authentication</description>
+ </valueHelp>
+ </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/auth-psk-secret.xml.i b/interface-definitions/include/auth-psk-secret.xml.i
new file mode 100644
index 000000000..24257dcab
--- /dev/null
+++ b/interface-definitions/include/auth-psk-secret.xml.i
@@ -0,0 +1,15 @@
+<!-- include start from auth-psk-secret.xml.i -->
+<leafNode name="secret">
+ <properties>
+ <help>pre-shared secret key</help>
+ <valueHelp>
+ <format>txt</format>
+ <description>16byte pre-shared-secret key (32 character hexadecimal key)</description>
+ </valueHelp>
+ <constraint>
+ <validator name="psk-secret"/>
+ </constraint>
+ <constraintErrorMessage>Pre-Shared-Keys must be at leas 16 bytes long, which implies at least 32 characterss</constraintErrorMessage>
+ </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/stunnel/psk.xml.i b/interface-definitions/include/stunnel/psk.xml.i
index db11a93d3..a8226c866 100644
--- a/interface-definitions/include/stunnel/psk.xml.i
+++ b/interface-definitions/include/stunnel/psk.xml.i
@@ -1,30 +1,11 @@
<!-- include start from stunnel/psk.xml.i -->
<tagNode name="psk">
<properties>
<help>Pre-shared key name</help>
</properties>
<children>
- <leafNode name="id">
- <properties>
- <help>ID for authentication</help>
- <valueHelp>
- <format>txt</format>
- <description>ID used for authentication</description>
- </valueHelp>
- </properties>
- </leafNode>
- <leafNode name="secret">
- <properties>
- <help>pre-shared secret key</help>
- <valueHelp>
- <format>txt</format>
- <description>pre-shared secret key are required to be at least 16 bytes long, which implies at least 32 characters for hexadecimal key</description>
- </valueHelp>
- <constraint>
- <validator name="psk-secret"/>
- </constraint>
- </properties>
- </leafNode>
+ #include <include/auth-psk-id.xml.i>
+ #include <include/auth-psk-secret.xml.i>
</children>
</tagNode>
<!-- include end -->
diff --git a/interface-definitions/service_monitoring_zabbix-agent.xml.in b/interface-definitions/service_monitoring_zabbix-agent.xml.in
index e44b31312..122e61e8b 100644
--- a/interface-definitions/service_monitoring_zabbix-agent.xml.in
+++ b/interface-definitions/service_monitoring_zabbix-agent.xml.in
@@ -1,195 +1,212 @@
<?xml version="1.0"?>
<interfaceDefinition>
<node name="service">
<children>
<node name="monitoring">
<children>
<node name="zabbix-agent" owner="${vyos_conf_scripts_dir}/service_monitoring_zabbix-agent.py">
<properties>
<help>Zabbix-agent settings</help>
<priority>1280</priority>
</properties>
<children>
+ <node name="authentication">
+ <properties>
+ <help>Authentication</help>
+ </properties>
+ <children>
+ #include <include/auth-mode-pre-shared-secret.xml.i>
+ <node name="psk">
+ <properties>
+ <help>Pre-shared key</help>
+ </properties>
+ <children>
+ #include <include/auth-psk-id.xml.i>
+ #include <include/auth-psk-secret.xml.i>
+ </children>
+ </node>
+ </children>
+ </node>
<leafNode name="directory">
<properties>
<help>Folder containing individual Zabbix-agent configuration files</help>
<constraint>
<validator name="file-path" argument="--directory"/>
</constraint>
</properties>
</leafNode>
<leafNode name="host-name">
<properties>
<help>Zabbix agent hostname</help>
<constraint>
#include <include/constraint/host-name.xml.i>
</constraint>
<constraintErrorMessage>Host-name must be alphanumeric and can contain hyphens</constraintErrorMessage>
</properties>
</leafNode>
<node name="limits">
<properties>
<help>Limit settings</help>
</properties>
<children>
<leafNode name="buffer-flush-interval">
<properties>
<help>Do not keep data longer than N seconds in buffer</help>
<valueHelp>
<format>u32:1-3600</format>
<description>Seconds</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 1-3600"/>
</constraint>
<constraintErrorMessage>buffer-flush-interval must be between 1 and 3600 seconds</constraintErrorMessage>
</properties>
<defaultValue>5</defaultValue>
</leafNode>
<leafNode name="buffer-size">
<properties>
<help>Maximum number of values in a memory buffer</help>
<valueHelp>
<format>u32:2-65535</format>
<description>Maximum number of values in a memory buffer</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 2-65535"/>
</constraint>
<constraintErrorMessage>Buffer-size must be between 2 and 65535</constraintErrorMessage>
</properties>
<defaultValue>100</defaultValue>
</leafNode>
</children>
</node>
<node name="log">
<properties>
<help>Log settings</help>
</properties>
<children>
<leafNode name="debug-level">
<properties>
<help>Debug level</help>
<completionHelp>
<list>basic critical error warning debug extended-debug</list>
</completionHelp>
<valueHelp>
<format>basic</format>
<description>Basic information</description>
</valueHelp>
<valueHelp>
<format>critical</format>
<description>Critical information</description>
</valueHelp>
<valueHelp>
<format>error</format>
<description>Error information</description>
</valueHelp>
<valueHelp>
<format>warning</format>
<description>Warnings</description>
</valueHelp>
<valueHelp>
<format>debug</format>
<description>Debug information</description>
</valueHelp>
<valueHelp>
<format>extended-debug</format>
<description>Extended debug information</description>
</valueHelp>
<constraint>
<regex>(basic|critical|error|warning|debug|extended-debug)</regex>
</constraint>
</properties>
<defaultValue>warning</defaultValue>
</leafNode>
<leafNode name="remote-commands">
<properties>
<help>Enable logging of executed shell commands as warnings</help>
<valueless/>
</properties>
</leafNode>
<leafNode name="size">
<properties>
<help>Log file size in megabytes</help>
<valueHelp>
<format>u32:0-1024</format>
<description>Megabytes</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 0-1024"/>
</constraint>
<constraintErrorMessage>Size must be between 0 and 1024 Megabytes</constraintErrorMessage>
</properties>
<defaultValue>0</defaultValue>
</leafNode>
</children>
</node>
#include <include/listen-address.xml.i>
<leafNode name="listen-address">
<defaultValue>0.0.0.0</defaultValue>
</leafNode>
#include <include/port-number.xml.i>
<leafNode name="port">
<defaultValue>10050</defaultValue>
</leafNode>
<leafNode name="server">
<properties>
<help>Remote server to connect to</help>
<valueHelp>
<format>ipv4</format>
<description>Server IPv4 address</description>
</valueHelp>
<valueHelp>
<format>ipv6</format>
<description>Server IPv6 address</description>
</valueHelp>
<valueHelp>
<format>hostname</format>
<description>Server hostname/FQDN</description>
</valueHelp>
<multi/>
</properties>
</leafNode>
<tagNode name="server-active">
<properties>
<help>Remote server address to get active checks from</help>
<valueHelp>
<format>ipv4</format>
<description>Server IPv4 address</description>
</valueHelp>
<valueHelp>
<format>ipv6</format>
<description>Server IPv6 address</description>
</valueHelp>
<valueHelp>
<format>hostname</format>
<description>Server hostname/FQDN</description>
</valueHelp>
</properties>
<children>
#include <include/port-number.xml.i>
</children>
</tagNode>
<leafNode name="timeout">
<properties>
<help>Item processing timeout in seconds</help>
<valueHelp>
<format>u32:1-30</format>
<description>Item processing timeout</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 1-30"/>
</constraint>
<constraintErrorMessage>Timeout must be between 1 and 30 seconds</constraintErrorMessage>
</properties>
<defaultValue>3</defaultValue>
</leafNode>
#include <include/interface/vrf.xml.i>
</children>
</node>
</children>
</node>
</children>
</node>
</interfaceDefinition>
diff --git a/interface-definitions/vpn_ipsec.xml.in b/interface-definitions/vpn_ipsec.xml.in
index 5540021e2..0cf526fad 100644
--- a/interface-definitions/vpn_ipsec.xml.in
+++ b/interface-definitions/vpn_ipsec.xml.in
@@ -1,1268 +1,1257 @@
<?xml version="1.0"?>
<interfaceDefinition>
<node name="vpn">
<properties>
<help>Virtual Private Network (VPN)</help>
</properties>
<children>
<node name="ipsec" owner="${vyos_conf_scripts_dir}/vpn_ipsec.py">
<properties>
<help>VPN IP security (IPsec) parameters</help>
<priority>901</priority>
</properties>
<children>
<node name="authentication">
<properties>
<help>Authentication</help>
</properties>
<children>
<tagNode name="psk">
<properties>
<help>Pre-shared key name</help>
</properties>
<children>
#include <include/dhcp-interface-multi.xml.i>
<leafNode name="id">
<properties>
<help>ID for authentication</help>
<valueHelp>
<format>txt</format>
<description>ID used for authentication</description>
</valueHelp>
<multi/>
</properties>
</leafNode>
<leafNode name="secret">
<properties>
<help>IKE pre-shared secret key</help>
<valueHelp>
<format>txt</format>
<description>IKE pre-shared secret key</description>
</valueHelp>
</properties>
</leafNode>
<leafNode name="secret-type">
<properties>
<help>Secret type</help>
<completionHelp>
<list>base64 plaintext</list>
</completionHelp>
<constraint>
<regex>(base64|plaintext)</regex>
</constraint>
</properties>
<defaultValue>plaintext</defaultValue>
</leafNode>
</children>
</tagNode>
</children>
</node>
<leafNode name="disable-uniqreqids">
<properties>
<help>Disable requirement for unique IDs in the Security Database</help>
<valueless/>
</properties>
</leafNode>
<tagNode name="esp-group">
<properties>
<help>Encapsulating Security Payload (ESP) group name</help>
</properties>
<children>
<leafNode name="compression">
<properties>
<help>Enable ESP compression</help>
<valueless/>
</properties>
</leafNode>
<leafNode name="lifetime">
<properties>
<help>Security Association time to expire</help>
<valueHelp>
<format>u32:30-86400</format>
<description>SA lifetime in seconds</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 30-86400"/>
</constraint>
</properties>
<defaultValue>3600</defaultValue>
</leafNode>
<leafNode name="life-bytes">
<properties>
<help>Security Association byte count to expire</help>
<valueHelp>
<format>u32:1024-26843545600000</format>
<description>SA life in bytes</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 1024-26843545600000"/>
</constraint>
</properties>
</leafNode>
<leafNode name="life-packets">
<properties>
<help>Security Association packet count to expire</help>
<valueHelp>
<format>u32:1000-26843545600000</format>
<description>SA life in packets</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 1000-26843545600000"/>
</constraint>
</properties>
</leafNode>
<leafNode name="disable-rekey">
<properties>
<help>Do not locally initiate a re-key of the SA, remote peer must re-key before expiration</help>
<valueless/>
</properties>
</leafNode>
<leafNode name="mode">
<properties>
<help>ESP mode</help>
<completionHelp>
<list>tunnel transport</list>
</completionHelp>
<valueHelp>
<format>tunnel</format>
<description>Tunnel mode</description>
</valueHelp>
<valueHelp>
<format>transport</format>
<description>Transport mode</description>
</valueHelp>
<constraint>
<regex>(tunnel|transport)</regex>
</constraint>
</properties>
<defaultValue>tunnel</defaultValue>
</leafNode>
<leafNode name="pfs">
<properties>
<help>ESP Perfect Forward Secrecy</help>
<completionHelp>
<list>enable dh-group1 dh-group2 dh-group5 dh-group14 dh-group15 dh-group16 dh-group17 dh-group18 dh-group19 dh-group20 dh-group21 dh-group22 dh-group23 dh-group24 dh-group25 dh-group26 dh-group27 dh-group28 dh-group29 dh-group30 dh-group31 dh-group32 disable</list>
</completionHelp>
<valueHelp>
<format>enable</format>
<description>Inherit Diffie-Hellman group from the IKE group</description>
</valueHelp>
<valueHelp>
<format>dh-group1</format>
<description>Use Diffie-Hellman group 1 (modp768)</description>
</valueHelp>
<valueHelp>
<format>dh-group2</format>
<description>Use Diffie-Hellman group 2 (modp1024)</description>
</valueHelp>
<valueHelp>
<format>dh-group5</format>
<description>Use Diffie-Hellman group 5 (modp1536)</description>
</valueHelp>
<valueHelp>
<format>dh-group14</format>
<description>Use Diffie-Hellman group 14 (modp2048)</description>
</valueHelp>
<valueHelp>
<format>dh-group15</format>
<description>Use Diffie-Hellman group 15 (modp3072)</description>
</valueHelp>
<valueHelp>
<format>dh-group16</format>
<description>Use Diffie-Hellman group 16 (modp4096)</description>
</valueHelp>
<valueHelp>
<format>dh-group17</format>
<description>Use Diffie-Hellman group 17 (modp6144)</description>
</valueHelp>
<valueHelp>
<format>dh-group18</format>
<description>Use Diffie-Hellman group 18 (modp8192)</description>
</valueHelp>
<valueHelp>
<format>dh-group19</format>
<description>Use Diffie-Hellman group 19 (ecp256)</description>
</valueHelp>
<valueHelp>
<format>dh-group20</format>
<description>Use Diffie-Hellman group 20 (ecp384)</description>
</valueHelp>
<valueHelp>
<format>dh-group21</format>
<description>Use Diffie-Hellman group 21 (ecp521)</description>
</valueHelp>
<valueHelp>
<format>dh-group22</format>
<description>Use Diffie-Hellman group 22 (modp1024s160)</description>
</valueHelp>
<valueHelp>
<format>dh-group23</format>
<description>Use Diffie-Hellman group 23 (modp2048s224)</description>
</valueHelp>
<valueHelp>
<format>dh-group24</format>
<description>Use Diffie-Hellman group 24 (modp2048s256)</description>
</valueHelp>
<valueHelp>
<format>dh-group25</format>
<description>Use Diffie-Hellman group 25 (ecp192)</description>
</valueHelp>
<valueHelp>
<format>dh-group26</format>
<description>Use Diffie-Hellman group 26 (ecp224)</description>
</valueHelp>
<valueHelp>
<format>dh-group27</format>
<description>Use Diffie-Hellman group 27 (ecp224bp)</description>
</valueHelp>
<valueHelp>
<format>dh-group28</format>
<description>Use Diffie-Hellman group 28 (ecp256bp)</description>
</valueHelp>
<valueHelp>
<format>dh-group29</format>
<description>Use Diffie-Hellman group 29 (ecp384bp)</description>
</valueHelp>
<valueHelp>
<format>dh-group30</format>
<description>Use Diffie-Hellman group 30 (ecp512bp)</description>
</valueHelp>
<valueHelp>
<format>dh-group31</format>
<description>Use Diffie-Hellman group 31 (curve25519)</description>
</valueHelp>
<valueHelp>
<format>dh-group32</format>
<description>Use Diffie-Hellman group 32 (curve448)</description>
</valueHelp>
<valueHelp>
<format>disable</format>
<description>Disable PFS</description>
</valueHelp>
<constraint>
<regex>(enable|dh-group1|dh-group2|dh-group5|dh-group14|dh-group15|dh-group16|dh-group17|dh-group18|dh-group19|dh-group20|dh-group21|dh-group22|dh-group23|dh-group24|dh-group25|dh-group26|dh-group27|dh-group28|dh-group29|dh-group30|dh-group31|dh-group32|disable)</regex>
</constraint>
</properties>
<defaultValue>enable</defaultValue>
</leafNode>
<tagNode name="proposal">
<properties>
<help>ESP group proposal</help>
<valueHelp>
<format>u32:1-65535</format>
<description>ESP group proposal number</description>
</valueHelp>
</properties>
<children>
#include <include/vpn-ipsec-encryption.xml.i>
#include <include/vpn-ipsec-hash.xml.i>
</children>
</tagNode>
</children>
</tagNode>
<tagNode name="ike-group">
<properties>
<help>Internet Key Exchange (IKE) group name</help>
</properties>
<children>
<leafNode name="close-action">
<properties>
<help>Action to take if a child SA is unexpectedly closed</help>
<completionHelp>
<list>none trap start</list>
</completionHelp>
<valueHelp>
<format>none</format>
<description>Do nothing</description>
</valueHelp>
<valueHelp>
<format>trap</format>
<description>Attempt to re-negotiate when matching traffic is seen</description>
</valueHelp>
<valueHelp>
<format>start</format>
<description>Attempt to re-negotiate the connection immediately</description>
</valueHelp>
<constraint>
<regex>(none|trap|start)</regex>
</constraint>
</properties>
<defaultValue>none</defaultValue>
</leafNode>
<node name="dead-peer-detection">
<properties>
<help>Dead Peer Detection (DPD)</help>
</properties>
<children>
<leafNode name="action">
<properties>
<help>Keep-alive failure action</help>
<completionHelp>
<list>trap clear restart</list>
</completionHelp>
<valueHelp>
<format>trap</format>
<description>Attempt to re-negotiate the connection when matching traffic is seen</description>
</valueHelp>
<valueHelp>
<format>clear</format>
<description>Remove the connection immediately</description>
</valueHelp>
<valueHelp>
<format>restart</format>
<description>Attempt to re-negotiate the connection immediately</description>
</valueHelp>
<constraint>
<regex>(trap|clear|restart)</regex>
</constraint>
</properties>
<defaultValue>clear</defaultValue>
</leafNode>
<leafNode name="interval">
<properties>
<help>Keep-alive interval</help>
<valueHelp>
<format>u32:2-86400</format>
<description>Keep-alive interval in seconds</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 2-86400"/>
</constraint>
</properties>
<defaultValue>30</defaultValue>
</leafNode>
<leafNode name="timeout">
<properties>
<help>Dead Peer Detection keep-alive timeout (IKEv1 only)</help>
<valueHelp>
<format>u32:2-86400</format>
<description>Keep-alive timeout in seconds</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 2-86400"/>
</constraint>
</properties>
<defaultValue>120</defaultValue>
</leafNode>
</children>
</node>
<leafNode name="ikev2-reauth">
<properties>
<help>Re-authentication of the remote peer during an IKE re-key (IKEv2 only)</help>
<valueless/>
</properties>
</leafNode>
<leafNode name="key-exchange">
<properties>
<help>IKE version</help>
<completionHelp>
<list>ikev1 ikev2</list>
</completionHelp>
<valueHelp>
<format>ikev1</format>
<description>Use IKEv1 for key exchange</description>
</valueHelp>
<valueHelp>
<format>ikev2</format>
<description>Use IKEv2 for key exchange</description>
</valueHelp>
<constraint>
<regex>(ikev1|ikev2)</regex>
</constraint>
</properties>
</leafNode>
<leafNode name="lifetime">
<properties>
<help>IKE lifetime</help>
<valueHelp>
<format>u32:0-86400</format>
<description>IKE lifetime in seconds</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 0-86400"/>
</constraint>
</properties>
<defaultValue>28800</defaultValue>
</leafNode>
<leafNode name="disable-mobike">
<properties>
<help>Disable MOBIKE Support (IKEv2 only)</help>
<valueless/>
</properties>
</leafNode>
<leafNode name="mode">
<properties>
<help>IKEv1 phase 1 mode</help>
<completionHelp>
<list>main aggressive</list>
</completionHelp>
<valueHelp>
<format>main</format>
<description>Use the main mode (recommended)</description>
</valueHelp>
<valueHelp>
<format>aggressive</format>
<description>Use the aggressive mode (insecure, not recommended)</description>
</valueHelp>
<constraint>
<regex>(main|aggressive)</regex>
</constraint>
</properties>
<defaultValue>main</defaultValue>
</leafNode>
<tagNode name="proposal">
<properties>
<help>IKE proposal</help>
<valueHelp>
<format>u32:1-65535</format>
<description>IKE group proposal</description>
</valueHelp>
</properties>
<children>
<leafNode name="dh-group">
<properties>
<help>dh-grouphelp</help>
<completionHelp>
<list>1 2 5 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32</list>
</completionHelp>
<valueHelp>
<format>1</format>
<description>Diffie-Hellman group 1 (modp768)</description>
</valueHelp>
<valueHelp>
<format>2</format>
<description>Diffie-Hellman group 2 (modp1024)</description>
</valueHelp>
<valueHelp>
<format>5</format>
<description>Diffie-Hellman group 5 (modp1536)</description>
</valueHelp>
<valueHelp>
<format>14</format>
<description>Diffie-Hellman group 14 (modp2048)</description>
</valueHelp>
<valueHelp>
<format>15</format>
<description>Diffie-Hellman group 15 (modp3072)</description>
</valueHelp>
<valueHelp>
<format>16</format>
<description>Diffie-Hellman group 16 (modp4096)</description>
</valueHelp>
<valueHelp>
<format>17</format>
<description>Diffie-Hellman group 17 (modp6144)</description>
</valueHelp>
<valueHelp>
<format>18</format>
<description>Diffie-Hellman group 18 (modp8192)</description>
</valueHelp>
<valueHelp>
<format>19</format>
<description>Diffie-Hellman group 19 (ecp256)</description>
</valueHelp>
<valueHelp>
<format>20</format>
<description>Diffie-Hellman group 20 (ecp384)</description>
</valueHelp>
<valueHelp>
<format>21</format>
<description>Diffie-Hellman group 21 (ecp521)</description>
</valueHelp>
<valueHelp>
<format>22</format>
<description>Diffie-Hellman group 22 (modp1024s160)</description>
</valueHelp>
<valueHelp>
<format>23</format>
<description>Diffie-Hellman group 23 (modp2048s224)</description>
</valueHelp>
<valueHelp>
<format>24</format>
<description>Diffie-Hellman group 24 (modp2048s256)</description>
</valueHelp>
<valueHelp>
<format>25</format>
<description>Diffie-Hellman group 25 (ecp192)</description>
</valueHelp>
<valueHelp>
<format>26</format>
<description>Diffie-Hellman group 26 (ecp224)</description>
</valueHelp>
<valueHelp>
<format>27</format>
<description>Diffie-Hellman group 27 (ecp224bp)</description>
</valueHelp>
<valueHelp>
<format>28</format>
<description>Diffie-Hellman group 28 (ecp256bp)</description>
</valueHelp>
<valueHelp>
<format>29</format>
<description>Diffie-Hellman group 29 (ecp384bp)</description>
</valueHelp>
<valueHelp>
<format>30</format>
<description>Diffie-Hellman group 30 (ecp512bp)</description>
</valueHelp>
<valueHelp>
<format>31</format>
<description>Diffie-Hellman group 31 (curve25519)</description>
</valueHelp>
<valueHelp>
<format>32</format>
<description>Diffie-Hellman group 32 (curve448)</description>
</valueHelp>
<constraint>
<regex>(1|2|5|14|15|16|17|18|19|20|21|22|23|24|25|26|27|28|29|30|31|32)</regex>
</constraint>
</properties>
<defaultValue>2</defaultValue>
</leafNode>
<leafNode name="prf">
<properties>
<help>Pseudo-Random Functions</help>
<completionHelp>
<list>prfmd5 prfsha1 prfaesxcbc prfaescmac prfsha256 prfsha384 prfsha512</list>
</completionHelp>
<valueHelp>
<format>prfmd5</format>
<description>MD5 PRF</description>
</valueHelp>
<valueHelp>
<format>prfsha1</format>
<description>SHA1 PRF</description>
</valueHelp>
<valueHelp>
<format>prfaesxcbc</format>
<description>AES XCBC PRF</description>
</valueHelp>
<valueHelp>
<format>prfaescmac</format>
<description>AES CMAC PRF</description>
</valueHelp>
<valueHelp>
<format>prfsha256</format>
<description>SHA2_256 PRF</description>
</valueHelp>
<valueHelp>
<format>prfsha384</format>
<description>SHA2_384 PRF</description>
</valueHelp>
<valueHelp>
<format>prfsha512</format>
<description>SHA2_512 PRF</description>
</valueHelp>
<constraint>
<regex>(prfmd5|prfsha1|prfaesxcbc|prfaescmac|prfsha256|prfsha384|prfsha512)</regex>
</constraint>
</properties>
</leafNode>
#include <include/vpn-ipsec-encryption.xml.i>
#include <include/vpn-ipsec-hash.xml.i>
</children>
</tagNode>
</children>
</tagNode>
#include <include/generic-interface-multi.xml.i>
<node name="log">
<properties>
<help>IPsec logging</help>
</properties>
<children>
<leafNode name="level">
<properties>
<help>Global IPsec logging Level</help>
<valueHelp>
<format>0</format>
<description>Very basic auditing logs (e.g., SA up/SA down)</description>
</valueHelp>
<valueHelp>
<format>1</format>
<description>Generic control flow with errors, a good default to see whats going on</description>
</valueHelp>
<valueHelp>
<format>2</format>
<description>More detailed debugging control flow</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 0-2"/>
</constraint>
</properties>
<defaultValue>0</defaultValue>
</leafNode>
<leafNode name="subsystem">
<properties>
<help>Subsystem logging levels</help>
<completionHelp>
<list>dmn mgr ike chd job cfg knl net asn enc lib esp tls tnc imc imv pts any</list>
</completionHelp>
<valueHelp>
<format>dmn</format>
<description>Main daemon setup/cleanup/signal handling</description>
</valueHelp>
<valueHelp>
<format>mgr</format>
<description>IKE_SA manager, handling synchronization for IKE_SA access</description>
</valueHelp>
<valueHelp>
<format>ike</format>
<description>IKE_SA/ISAKMP SA</description>
</valueHelp>
<valueHelp>
<format>chd</format>
<description>CHILD_SA/IPsec SA</description>
</valueHelp>
<valueHelp>
<format>job</format>
<description>Jobs queuing/processing and thread pool management</description>
</valueHelp>
<valueHelp>
<format>cfg</format>
<description>Configuration management and plugins</description>
</valueHelp>
<valueHelp>
<format>knl</format>
<description>IPsec/Networking kernel interface</description>
</valueHelp>
<valueHelp>
<format>net</format>
<description>IKE network communication</description>
</valueHelp>
<valueHelp>
<format>asn</format>
<description>Low-level encoding/decoding (ASN.1, X.509 etc.)</description>
</valueHelp>
<valueHelp>
<format>enc</format>
<description>Packet encoding/decoding encryption/decryption operations</description>
</valueHelp>
<valueHelp>
<format>lib</format>
<description>libstrongswan library messages</description>
</valueHelp>
<valueHelp>
<format>esp</format>
<description>libipsec library messages</description>
</valueHelp>
<valueHelp>
<format>tls</format>
<description> libtls library messages</description>
</valueHelp>
<valueHelp>
<format>tnc</format>
<description>Trusted Network Connect</description>
</valueHelp>
<valueHelp>
<format>imc</format>
<description>Integrity Measurement Collector</description>
</valueHelp>
<valueHelp>
<format>imv</format>
<description>Integrity Measurement Verifier</description>
</valueHelp>
<valueHelp>
<format>pts</format>
<description> Platform Trust Service</description>
</valueHelp>
<valueHelp>
<format>any</format>
<description>Any subsystem</description>
</valueHelp>
<constraint>
<regex>(dmn|mgr|ike|chd|job|cfg|knl|net|asn|enc|lib|esp|tls|tnc|imc|imv|pts|any)</regex>
</constraint>
<multi/>
</properties>
</leafNode>
</children>
</node>
<node name="options">
<properties>
<help>Global IPsec settings</help>
</properties>
<children>
<leafNode name="disable-route-autoinstall">
<properties>
<help>Do not automatically install routes to remote networks</help>
<valueless/>
</properties>
</leafNode>
<leafNode name="flexvpn">
<properties>
<help>Allow FlexVPN vendor ID payload (IKEv2 only)</help>
<valueless/>
</properties>
</leafNode>
#include <include/generic-interface.xml.i>
<leafNode name="virtual-ip">
<properties>
<help>Allow install virtual-ip addresses</help>
<valueless/>
</properties>
</leafNode>
</children>
</node>
<tagNode name="profile">
<properties>
<help>VPN IPsec profile</help>
<valueHelp>
<format>txt</format>
<description>Profile name</description>
</valueHelp>
<constraint>
<regex>[a-zA-Z][0-9a-zA-Z_-]+</regex>
</constraint>
<constraintErrorMessage>Profile name must be alphanumeric and can contain hyphen(s) and underscore(s)</constraintErrorMessage>
</properties>
<children>
#include <include/generic-disable-node.xml.i>
<node name="authentication">
<properties>
<help>Authentication</help>
</properties>
<children>
- <leafNode name="mode">
- <properties>
- <help>Authentication mode</help>
- <completionHelp>
- <list>pre-shared-secret</list>
- </completionHelp>
- <valueHelp>
- <format>pre-shared-secret</format>
- <description>Use a pre-shared secret key</description>
- </valueHelp>
- </properties>
- </leafNode>
+ #include <include/auth-mode-pre-shared-secret.xml.i>
#include <include/ipsec/authentication-pre-shared-secret.xml.i>
</children>
</node>
<node name="bind">
<properties>
<help>DMVPN tunnel configuration</help>
</properties>
<children>
<leafNode name="tunnel">
<properties>
<help>Tunnel interface associated with this profile</help>
<completionHelp>
<path>interfaces tunnel</path>
</completionHelp>
<valueHelp>
<format>txt</format>
<description>Associated interface to this profile</description>
</valueHelp>
<multi/>
</properties>
</leafNode>
</children>
</node>
#include <include/ipsec/esp-group.xml.i>
#include <include/ipsec/ike-group.xml.i>
</children>
</tagNode>
<node name="remote-access">
<properties>
<help>IKEv2 remote access VPN</help>
</properties>
<children>
<tagNode name="connection">
<properties>
<help>IKEv2 VPN connection name</help>
<valueHelp>
<format>txt</format>
<description>Connection name</description>
</valueHelp>
<constraint>
<regex>[a-zA-Z][0-9a-zA-Z_-]+</regex>
</constraint>
<constraintErrorMessage>Profile name must be alphanumeric and can contain hyphen(s) and underscore(s)</constraintErrorMessage>
</properties>
<children>
<node name="authentication">
<properties>
<help>Authentication for remote access</help>
</properties>
<children>
#include <include/ipsec/authentication-id.xml.i>
#include <include/ipsec/authentication-x509.xml.i>
<leafNode name="eap-id">
<properties>
<help>Remote EAP ID for client authentication</help>
<valueHelp>
<format>txt</format>
<description>Remote EAP ID for client authentication</description>
</valueHelp>
<completionHelp>
<list>any</list>
</completionHelp>
<valueHelp>
<format>any</format>
<description>Allow any EAP ID</description>
</valueHelp>
<constraint>
<regex>[[:ascii:]]{1,64}</regex>
</constraint>
</properties>
<defaultValue>any</defaultValue>
</leafNode>
<leafNode name="client-mode">
<properties>
<help>Client authentication mode</help>
<completionHelp>
<list>x509 eap-tls eap-mschapv2 eap-radius</list>
</completionHelp>
<valueHelp>
<format>x509</format>
<description>Use IPsec x.509 certificate authentication</description>
</valueHelp>
<valueHelp>
<format>eap-tls</format>
<description>Use EAP-TLS authentication</description>
</valueHelp>
<valueHelp>
<format>eap-mschapv2</format>
<description>Use EAP-MSCHAPv2 authentication</description>
</valueHelp>
<valueHelp>
<format>eap-radius</format>
<description>Use EAP-RADIUS authentication</description>
</valueHelp>
<constraint>
<regex>(x509|eap-tls|eap-mschapv2|eap-radius)</regex>
</constraint>
</properties>
<defaultValue>eap-mschapv2</defaultValue>
</leafNode>
#include <include/auth-local-users.xml.i>
<leafNode name="server-mode">
<properties>
<help>Server authentication mode</help>
<completionHelp>
<list>pre-shared-secret x509</list>
</completionHelp>
<valueHelp>
<format>pre-shared-secret</format>
<description>Use a pre-shared secret key</description>
</valueHelp>
<valueHelp>
<format>x509</format>
<description>Use x.509 certificate</description>
</valueHelp>
<constraint>
<regex>(pre-shared-secret|x509)</regex>
</constraint>
</properties>
<defaultValue>x509</defaultValue>
</leafNode>
#include <include/ipsec/authentication-pre-shared-secret.xml.i>
</children>
</node>
#include <include/generic-description.xml.i>
#include <include/generic-disable-node.xml.i>
#include <include/ipsec/esp-group.xml.i>
#include <include/ipsec/ike-group.xml.i>
#include <include/ipsec/local-address.xml.i>
#include <include/dhcp-interface.xml.i>
#include <include/ipsec/local-traffic-selector.xml.i>
#include <include/ipsec/replay-window.xml.i>
#include <include/ipsec/bind.xml.i>
<leafNode name="timeout">
<properties>
<help>Timeout to close connection if no data is transmitted</help>
<valueHelp>
<format>u32:0</format>
<description>Disable inactivity checks</description>
</valueHelp>
<valueHelp>
<format>u32:1-86400</format>
<description>Timeout in seconds</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 0-86400"/>
</constraint>
</properties>
<defaultValue>28800</defaultValue>
</leafNode>
<leafNode name="pool">
<properties>
<help>IP address pool</help>
<completionHelp>
<path>vpn ipsec remote-access pool</path>
<list>dhcp radius</list>
</completionHelp>
<valueHelp>
<format>txt</format>
<description>Predefined IP pool name</description>
</valueHelp>
<valueHelp>
<format>dhcp</format>
<description>Forward requests for virtual IP addresses to a DHCP server</description>
</valueHelp>
<valueHelp>
<format>radius</format>
<description>Forward requests for virtual IP addresses to a RADIUS server</description>
</valueHelp>
<multi/>
</properties>
</leafNode>
<leafNode name="unique">
<properties>
<help>Connection uniqueness enforcement policy</help>
<completionHelp>
<list>never keep replace</list>
</completionHelp>
<valueHelp>
<format>never</format>
<description>Never enforce connection uniqueness</description>
</valueHelp>
<valueHelp>
<format>keep</format>
<description>Reject new connection attempts if the same user already has an active connection</description>
</valueHelp>
<valueHelp>
<format>replace</format>
<description>Delete any existing connection if a new one for the same user gets established</description>
</valueHelp>
<constraint>
<regex>(never|keep|replace)</regex>
</constraint>
</properties>
</leafNode>
</children>
</tagNode>
<node name="dhcp">
<properties>
<help>DHCP pool options for remote access</help>
</properties>
<children>
#include <include/generic-interface.xml.i>
<leafNode name="server">
<properties>
<help>DHCP server address</help>
<valueHelp>
<format>ipv4</format>
<description>DHCP server IPv4 address</description>
</valueHelp>
<constraint>
<validator name="ipv4-address"/>
</constraint>
</properties>
</leafNode>
</children>
</node>
<tagNode name="pool">
<properties>
<help>IP address pool for remote access users</help>
</properties>
<children>
<leafNode name="exclude">
<properties>
<help>Local IPv4 or IPv6 pool prefix exclusions</help>
<valueHelp>
<format>ipv4net</format>
<description>Local IPv4 pool prefix exclusion</description>
</valueHelp>
<valueHelp>
<format>ipv6net</format>
<description>Local IPv6 pool prefix exclusion</description>
</valueHelp>
<constraint>
<validator name="ipv4-prefix"/>
<validator name="ipv6-prefix"/>
</constraint>
<multi/>
</properties>
</leafNode>
<leafNode name="prefix">
<properties>
<help>Local IPv4 or IPv6 pool prefix</help>
<valueHelp>
<format>ipv4net</format>
<description>Local IPv4 pool prefix</description>
</valueHelp>
<valueHelp>
<format>ipv6net</format>
<description>Local IPv6 pool prefix</description>
</valueHelp>
<constraint>
<validator name="ipv4-prefix"/>
<validator name="ipv6-prefix"/>
</constraint>
</properties>
</leafNode>
<node name="range">
<properties>
<help>Local IPv4 or IPv6 pool range</help>
</properties>
<children>
<leafNode name="start">
<properties>
<help>First IP address for local pool range</help>
<valueHelp>
<format>ipv4</format>
<description>IPv4 start address of pool</description>
</valueHelp>
<valueHelp>
<format>ipv6</format>
<description>IPv6 start address of pool</description>
</valueHelp>
<constraint>
<validator name="ip-address"/>
</constraint>
</properties>
</leafNode>
<leafNode name="stop">
<properties>
<help>Last IP address for local pool range</help>
<valueHelp>
<format>ipv4</format>
<description>IPv4 end address of pool</description>
</valueHelp>
<valueHelp>
<format>ipv6</format>
<description>IPv6 end address of pool</description>
</valueHelp>
<constraint>
<validator name="ip-address"/>
</constraint>
</properties>
</leafNode>
</children>
</node>
#include <include/name-server-ipv4-ipv6.xml.i>
</children>
</tagNode>
#include <include/radius-auth-server-ipv4.xml.i>
<node name="radius">
<children>
#include <include/radius-nas-identifier.xml.i>
#include <include/radius-timeout.xml.i>
<tagNode name="server">
<children>
#include <include/accel-ppp/radius-additions-disable-accounting.xml.i>
</children>
</tagNode>
</children>
</node>
</children>
</node>
<node name="site-to-site">
<properties>
<help>Site-to-site VPN</help>
</properties>
<children>
<tagNode name="peer">
<properties>
<help>Connection name of the peer</help>
<valueHelp>
<format>txt</format>
<description>Connection name of the peer</description>
</valueHelp>
<constraint>
<regex>[-_a-zA-Z0-9|@]+</regex>
</constraint>
<constraintErrorMessage>Peer connection name must be alphanumeric and can contain hyphen and underscores</constraintErrorMessage>
</properties>
<children>
#include <include/generic-disable-node.xml.i>
<node name="authentication">
<properties>
<help>Peer authentication</help>
</properties>
<children>
#include <include/ipsec/authentication-id.xml.i>
#include <include/ipsec/authentication-rsa.xml.i>
#include <include/ipsec/authentication-x509.xml.i>
<leafNode name="mode">
<properties>
<help>Authentication mode</help>
<completionHelp>
<list>pre-shared-secret rsa x509</list>
</completionHelp>
<valueHelp>
<format>pre-shared-secret</format>
<description>Use pre-shared secret key</description>
</valueHelp>
<valueHelp>
<format>rsa</format>
<description>Use RSA key</description>
</valueHelp>
<valueHelp>
<format>x509</format>
<description>Use x.509 certificate</description>
</valueHelp>
<constraint>
<regex>(pre-shared-secret|rsa|x509)</regex>
</constraint>
</properties>
</leafNode>
<leafNode name="remote-id">
<properties>
<help>ID for remote authentication</help>
<valueHelp>
<format>txt</format>
<description>ID used for peer authentication</description>
</valueHelp>
</properties>
<defaultValue>%any</defaultValue>
</leafNode>
<leafNode name="use-x509-id">
<properties>
<help>Use certificate common name as ID</help>
<valueless/>
</properties>
</leafNode>
</children>
</node>
<leafNode name="connection-type">
<properties>
<help>Connection type</help>
<completionHelp>
<list>initiate respond none</list>
</completionHelp>
<valueHelp>
<format>initiate</format>
<description>Bring the connection up immediately</description>
</valueHelp>
<valueHelp>
<format>respond</format>
<description>Wait for the peer to initiate the connection</description>
</valueHelp>
<valueHelp>
<format>none</format>
<description>Load the connection only</description>
</valueHelp>
<constraint>
<regex>(initiate|respond|none)</regex>
</constraint>
</properties>
</leafNode>
<leafNode name="default-esp-group">
<properties>
<help>Defult ESP group name</help>
<completionHelp>
<path>vpn ipsec esp-group</path>
</completionHelp>
</properties>
</leafNode>
#include <include/generic-description.xml.i>
#include <include/dhcp-interface.xml.i>
<leafNode name="force-udp-encapsulation">
<properties>
<help>Force UDP encapsulation</help>
<valueless/>
</properties>
</leafNode>
#include <include/ipsec/ike-group.xml.i>
<leafNode name="ikev2-reauth">
<properties>
<help>Re-authentication of the remote peer during an IKE re-key (IKEv2 only)</help>
<completionHelp>
<list>yes no inherit</list>
</completionHelp>
<valueHelp>
<format>yes</format>
<description>Enable remote host re-autentication during an IKE re-key. Currently broken due to a strong swan bug</description>
</valueHelp>
<valueHelp>
<format>no</format>
<description>Disable remote host re-authenticaton during an IKE re-key.</description>
</valueHelp>
<valueHelp>
<format>inherit</format>
<description>Inherit the reauth configuration form your IKE-group</description>
</valueHelp>
<constraint>
<regex>(yes|no|inherit)</regex>
</constraint>
</properties>
</leafNode>
#include <include/ipsec/local-address.xml.i>
#include <include/ipsec/remote-address.xml.i>
#include <include/ipsec/replay-window.xml.i>
<tagNode name="tunnel">
<properties>
<help>Peer tunnel</help>
<valueHelp>
<format>u32</format>
<description>Peer tunnel</description>
</valueHelp>
</properties>
<children>
#include <include/generic-disable-node.xml.i>
#include <include/ipsec/esp-group.xml.i>
#include <include/ipsec/local-traffic-selector.xml.i>
#include <include/ip-protocol.xml.i>
<leafNode name="priority">
<properties>
<help>Priority for IPsec policy (lowest value more preferable)</help>
<valueHelp>
<format>u32:1-100</format>
<description>Priority for IPsec policy (lowest value more preferable)</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 1-100"/>
</constraint>
</properties>
</leafNode>
<node name="remote">
<properties>
<help>Match remote addresses</help>
</properties>
<children>
#include <include/port-number.xml.i>
<leafNode name="prefix">
<properties>
<help>Remote IPv4 or IPv6 prefix</help>
<valueHelp>
<format>ipv4net</format>
<description>Remote IPv4 prefix</description>
</valueHelp>
<valueHelp>
<format>ipv6net</format>
<description>Remote IPv6 prefix</description>
</valueHelp>
<constraint>
<validator name="ipv4-prefix"/>
<validator name="ipv6-prefix"/>
</constraint>
<multi/>
</properties>
</leafNode>
</children>
</node>
</children>
</tagNode>
<leafNode name="virtual-address">
<properties>
<help>Initiator request virtual-address from peer</help>
<valueHelp>
<format>ipv4</format>
<description>Request IPv4 address from peer</description>
</valueHelp>
<valueHelp>
<format>ipv6</format>
<description>Request IPv6 address from peer</description>
</valueHelp>
<multi/>
</properties>
</leafNode>
<node name="vti">
<properties>
<help>Virtual tunnel interface</help>
</properties>
<children>
#include <include/ipsec/bind.xml.i>
#include <include/ipsec/esp-group.xml.i>
</children>
</node>
</children>
</tagNode>
</children>
</node>
</children>
</node>
</children>
</node>
</interfaceDefinition>
diff --git a/op-mode-definitions/generate-psk.xml.in b/op-mode-definitions/generate-psk.xml.in
new file mode 100644
index 000000000..69963f5be
--- /dev/null
+++ b/op-mode-definitions/generate-psk.xml.in
@@ -0,0 +1,28 @@
+<?xml version="1.0"?>
+<interfaceDefinition>
+ <node name="generate">
+ <children>
+ <node name="psk">
+ <properties>
+ <help>Generate PSK key</help>
+ </properties>
+ <children>
+ <node name="random">
+ <properties>
+ <help>Generate random hex PSK key</help>
+ </properties>
+ <command>${vyos_op_scripts_dir}/generate_psk.py</command>
+ <children>
+ <tagNode name="size">
+ <properties>
+ <help>Key size in bytes</help>
+ </properties>
+ <command>${vyos_op_scripts_dir}/generate_psk.py --hex_size "$5"</command>
+ </tagNode>
+ </children>
+ </node>
+ </children>
+ </node>
+ </children>
+ </node>
+</interfaceDefinition>
diff --git a/smoketest/scripts/cli/test_service_monitoring_zabbix-agent.py b/smoketest/scripts/cli/test_service_monitoring_zabbix-agent.py
index a60dae0a0..522f9df0f 100755
--- a/smoketest/scripts/cli/test_service_monitoring_zabbix-agent.py
+++ b/smoketest/scripts/cli/test_service_monitoring_zabbix-agent.py
@@ -1,87 +1,108 @@
#!/usr/bin/env python3
#
# Copyright (C) 2023-2024 VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import unittest
from base_vyostest_shim import VyOSUnitTestSHIM
from vyos.utils.process import process_named_running
from vyos.utils.file import read_file
PROCESS_NAME = 'zabbix_agent2'
ZABBIX_AGENT_CONF = '/run/zabbix/zabbix-agent2.conf'
+ZABBIX_PSK_FILE = f'/run/zabbix/zabbix-agent2.psk'
base_path = ['service', 'monitoring', 'zabbix-agent']
class TestZabbixAgent(VyOSUnitTestSHIM.TestCase):
def tearDown(self):
# Check for running process
self.assertTrue(process_named_running(PROCESS_NAME))
self.cli_delete(base_path)
self.cli_commit()
# Process must be terminated after deleting the config
self.assertFalse(process_named_running(PROCESS_NAME))
def test_01_zabbix_agent(self):
directory = '/tmp'
buffer_send = '8'
buffer_size = '120'
log_level = {'warning': '3'}
log_size = '1'
servers = ['192.0.2.1', '2001:db8::1']
servers_active = {'192.0.2.5': {'port': '10051'}, '2001:db8::123': {'port': '10052'}}
port = '10050'
timeout = '5'
listen_ip = '0.0.0.0'
hostname = 'r-vyos'
self.cli_set(base_path + ['directory', directory])
self.cli_set(base_path + ['limits', 'buffer-flush-interval', buffer_send])
self.cli_set(base_path + ['limits', 'buffer-size', buffer_size])
self.cli_set(base_path + ['log', 'debug-level', next(iter(log_level))])
self.cli_set(base_path + ['log', 'size', log_size])
for server in servers:
self.cli_set(base_path + ['server', server])
for server_active, server_config in servers_active.items():
self.cli_set(base_path + ['server-active', server_active, 'port', server_config['port']])
self.cli_set(base_path + ['timeout', timeout])
self.cli_set(base_path + ['host-name', hostname])
# commit changes
self.cli_commit()
config = read_file(ZABBIX_AGENT_CONF)
self.assertIn(f'LogFileSize={log_size}', config)
self.assertIn(f'DebugLevel={log_level.get("warning")}', config)
self.assertIn(f'Server={",".join(sorted(servers))}', config)
tmp = 'ServerActive=192.0.2.5:10051,[2001:db8::123]:10052'
self.assertIn(tmp, config)
self.assertIn(f'ListenPort={port}', config)
self.assertIn(f'ListenIP={listen_ip}', config)
self.assertIn(f'BufferSend={buffer_send}', config)
self.assertIn(f'BufferSize={buffer_size}', config)
self.assertIn(f'Include={directory}/*.conf', config)
self.assertIn(f'Timeout={timeout}', config)
self.assertIn(f'Hostname={hostname}', config)
+ def test_02_zabbix_agent_psk_auth(self):
+ secret = '8703ce4cb3f51279acba895e1421d69d8a7e2a18546d013d564ad87ac3957f29'
+ self.cli_set(base_path + ['server', '127.0.0.1'])
+ self.cli_set(base_path + ['authentication', 'mode', 'pre-shared-secret'])
+ self.cli_set(base_path + ['authentication', 'psk', 'id', 'smoke_test'])
+ self.cli_set(base_path + ['authentication', 'psk', 'secret', secret])
+ self.cli_commit()
+
+ config = read_file(ZABBIX_AGENT_CONF)
+ self.assertIn('TLSConnect=psk', config)
+ self.assertIn('TLSAccept=psk', config)
+ self.assertIn('TLSPSKIdentity=smoke_test', config)
+ self.assertIn(f'TLSPSKFile={ZABBIX_PSK_FILE}', config)
+ self.assertEqual(secret, read_file(ZABBIX_PSK_FILE))
+
+ secret = '8703ce4cb3f51279acba895e1421d69d8a7e2a18546d013d564ad87ac3957f88'
+ self.cli_set(base_path + ['authentication', 'psk', 'secret', secret])
+ self.cli_commit()
+ self.assertEqual(secret, read_file(ZABBIX_PSK_FILE))
+
if __name__ == '__main__':
unittest.main(verbosity=2)
diff --git a/src/conf_mode/service_monitoring_zabbix-agent.py b/src/conf_mode/service_monitoring_zabbix-agent.py
index 98d8a32ca..f17146a8d 100755
--- a/src/conf_mode/service_monitoring_zabbix-agent.py
+++ b/src/conf_mode/service_monitoring_zabbix-agent.py
@@ -1,98 +1,119 @@
#!/usr/bin/env python3
#
# Copyright (C) 2023 VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import os
from vyos.config import Config
from vyos.template import render
+from vyos.utils.dict import dict_search
+from vyos.utils.file import write_file
from vyos.utils.process import call
from vyos import ConfigError
from vyos import airbag
airbag.enable()
service_name = 'zabbix-agent2'
service_conf = f'/run/zabbix/{service_name}.conf'
+service_psk_file = f'/run/zabbix/{service_name}.psk'
systemd_override = r'/run/systemd/system/zabbix-agent2.service.d/10-override.conf'
def get_config(config=None):
if config:
conf = config
else:
conf = Config()
base = ['service', 'monitoring', 'zabbix-agent']
if not conf.exists(base):
return None
config = conf.get_config_dict(base, key_mangling=('-', '_'),
get_first_key=True,
no_tag_node_value_mangle=True,
with_recursive_defaults=True)
# Cut the / from the end, /tmp/ => /tmp
if 'directory' in config and config['directory'].endswith('/'):
config['directory'] = config['directory'][:-1]
+ config['service_psk_file'] = service_psk_file
+
return config
def verify(config):
# bail out early - looks like removal from running config
if config is None:
return
if 'server' not in config:
raise ConfigError('Server is required!')
+ if 'authentication' in config and dict_search("authentication.mode",
+ config) == 'pre_shared_secret':
+ if 'id' not in config['authentication']['psk']:
+ raise ConfigError(
+ 'PSK identity is required for pre-shared-secret authentication mode')
+
+ if 'secret' not in config['authentication']['psk']:
+ raise ConfigError(
+ 'PSK secret is required for pre-shared-secret authentication mode')
+
def generate(config):
# bail out early - looks like removal from running config
if config is None:
# Remove old config and return
- config_files = [service_conf, systemd_override]
+ config_files = [service_conf, systemd_override, service_psk_file]
for file in config_files:
if os.path.isfile(file):
os.unlink(file)
return None
+ if not dict_search("authentication.psk.secret", config):
+ if os.path.isfile(service_psk_file):
+ os.unlink(service_psk_file)
+ else:
+ write_file(service_psk_file, config["authentication"]["psk"]["secret"])
+
# Write configuration file
render(service_conf, 'zabbix-agent/zabbix-agent.conf.j2', config)
render(systemd_override, 'zabbix-agent/10-override.conf.j2', config)
return None
def apply(config):
call('systemctl daemon-reload')
if config:
call(f'systemctl restart {service_name}.service')
else:
call(f'systemctl stop {service_name}.service')
if __name__ == '__main__':
try:
c = get_config()
verify(c)
generate(c)
apply(c)
except ConfigError as e:
print(e)
exit(1)
diff --git a/src/op_mode/generate_psk.py b/src/op_mode/generate_psk.py
new file mode 100644
index 000000000..d51293712
--- /dev/null
+++ b/src/op_mode/generate_psk.py
@@ -0,0 +1,45 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2024 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+import argparse
+
+from vyos.utils.process import cmd
+
+
+def validate_hex_size(value):
+ """Validate that the hex_size is between 32 and 512."""
+ try:
+ value = int(value)
+ except ValueError:
+ raise argparse.ArgumentTypeError("hex_size must be integer.")
+
+ if value < 32 or value > 512:
+ raise argparse.ArgumentTypeError("hex_size must be between 32 and 512.")
+ return value
+
+
+if __name__ == '__main__':
+ parser = argparse.ArgumentParser()
+ parser.add_argument(
+ "--hex_size",
+ type=validate_hex_size,
+ help='PKS value size in hex format. Default is 32 bytes.',
+ default=32,
+
+ required=False,
+ )
+ args = parser.parse_args()
+
+ print(cmd(f'openssl rand -hex {args.hex_size}'))
\ No newline at end of file