VyOS command definitions, scripts, and utilities (mirror of https://github.com/marekm72/vyos-1x.git) https://git.amelek.net/marekm72/vyos-1x.git/atom?h=1.4.0-epa2 2024-02-03T20:05:04+00:00 2024-02-03T20:05:04+00:00 Christian Breunig christian@breunig.cc 2024-02-02T19:44:29+00:00 urn:sha1:4edc0611ec0ab39147c136d769a9e8a0f50847e6 The replay_window for child SA will always be 32 (hence enabled). Add a CLI node to explicitly change this. * set vpn ipsec site-to-site peer <name> replay-window <0-2040> (cherry picked from commit 4d943d8fbf1253154897179b0e3ea2d93b898197) 2024-01-17T17:38:11+00:00 aapostoliuk a.apostoliuk@vyos.io 2024-01-17T15:46:38+00:00 urn:sha1:e6713a7e861dbe3ec8af1761f1c0a3d1ad725cac Changed the value from 'hold' to 'trap' in the 'close-action' option in the IKE group. Changed the value from 'restart' to 'start' in the 'close-action' option in the IKE group. (cherry picked from commit 8870fabf1b4358618fca7db459515106653214b5) 2024-01-16T15:46:28+00:00 aapostoliuk a.apostoliuk@vyos.io 2024-01-16T14:26:26+00:00 urn:sha1:3e35719a272956a16171e889e5dc0c8a3b47977e Renamed DPD action value from 'hold' to 'trap' (cherry picked from commit 9f4aee5778eefa0a17d4795430d50e4a046e88b0) 2023-12-30T21:58:26+00:00 Lucas Christian lucas@lucasec.com 2023-12-29T06:07:07+00:00 urn:sha1:6cfcef98b8a8fbfa107ecfbb741cfb268ea8340f (cherry picked from commit 656934e85cee799dba5b495d143f6be445ac22d5) 2023-02-15T11:57:25+00:00 sarthurdev 965089+sarthurdev@users.noreply.github.com 2023-02-15T11:57:25+00:00 urn:sha1:45b16864b11ea49087ce4a279e2c0e741a97c0ee Not supported with swanctl 2023-01-26T11:28:03+00:00 Viacheslav Hletenko v.gletenko@vyos.io 2023-01-17T11:04:08+00:00 urn:sha1:7ae0b404ad9fdefa856c7e450b224b47d854a4eb Rewrite strongswan IPsec authentication to reflect structure from swanctl.conf The most important change is that more than one local/remote ID in the same auth entry should be allowed replace: 'ipsec site-to-site peer <tag> authentication pre-shared-secret xxx' => 'ipsec authentication psk <tag> secret xxx' set vpn ipsec authentication psk <tag> id '192.0.2.1' set vpn ipsec authentication psk <tag> id '192.0.2.2' set vpn ipsec authentication psk <tag> secret 'xxx' set vpn ipsec site-to-site peer <tag> authentication local-id '192.0.2.1' set vpn ipsec site-to-site peer <tag> authentication mode 'pre-shared-secret' set vpn ipsec site-to-site peer <tag> authentication remote-id '192.0.2.2' Add template filter for Jinja2 'generate_uuid4' 2023-01-12T17:47:53+00:00 Viacheslav Hletenko v.gletenko@vyos.io 2023-01-12T13:00:05+00:00 urn:sha1:01386606982352de7eb51f55acc11c6a58ed4cef If IPsec "peer <tag> authentication remote-id" is not set it should be "%any" by default https://docs.strongswan.org/docs/5.9/swanctl/swanctlConf.html#_connections_conn_remote Set XML default value in use it in the python vpn_ipsec.py script 2022-11-21T18:42:41+00:00 Viacheslav Hletenko v.gletenko@vyos.io 2022-11-21T18:42:41+00:00 urn:sha1:2ac4a8a5fed9db471b7ffac0f54e6741c6f87834 Remote TS for transport mode GRE must be remote-address and not peer name 2022-10-31T14:10:39+00:00 Christian Poessinger christian@poessinger.com 2022-10-31T14:09:58+00:00 urn:sha1:22c3dcbb01d731f0dab0ffefa2e5a0be7009baf1 This enabled users to also use 2FA/MFA authentication with a radius backend as there is enough time to enter the second factor. 2022-09-28T17:35:48+00:00 Christian Poessinger christian@poessinger.com 2022-09-28T17:33:40+00:00 urn:sha1:d5e84fab2e66fb4452516e3a5adc00c6ed772de1 Commit bd4588827b ("ipsec: T4118: Change vpn ipsec syntax for IKE ESP and peer") changed the CLI syntax of ipsec. This resulted in a node not renamed in the op-mode generator when generating IKEv2 IPSec iOS configuration profiles.