VyOS command definitions, scripts, and utilities (mirror of https://github.com/marekm72/vyos-1x.git) https://git.amelek.net/marekm72/vyos-1x.git/atom?h=sagitta 2024-08-01T05:52:33+00:00 2024-08-01T05:52:33+00:00 Lucas Christian lucas@lucasec.com 2024-07-30T06:22:05+00:00 urn:sha1:ca12e0bc07ea31d1a6515c0352ae732cfc3674be (cherry picked from commit e97d86e619e134f4dfda06efb7df4a3296d17b95) 2024-07-22T10:28:04+00:00 Lucas Christian lucas@lucasec.com 2024-07-21T02:29:14+00:00 urn:sha1:4d82c1862172bea03c9be7482b8ed3bbddf5b395 Also adds support for life_bytes, life_packets, and DPD for remote-access connections. Changes behavior of remote-access esp-group lifetime setting to have parity with site-to-site connections. (cherry picked from commit fd5d7ff0b4fd69b248ecb29c6ec1f3cf844c41cf) 2024-06-10T08:28:55+00:00 Christian Breunig christian@breunig.cc 2024-06-09T12:39:45+00:00 urn:sha1:4485aa56a8bc5e37a1ecc7caaab10eeb354c76ab In e6fe6e50a5c ("op-mode: ipsec: T6407: fix profile generation") we fixed support for multiple CAs when dealing with the generation of Apple IOS profiles. This commit extends support to properly include the common name of the server certificate issuer and all it's paren't CAs. A list of parent CAs is automatically generated from the "PKI" subsystem content and embedded into the resulting profile. (cherry picked from commit d65f43589612c30dfaa5ce30aca5b8b48bf73211) 2024-05-30T14:36:40+00:00 Christian Breunig christian@breunig.cc 2024-05-30T09:20:56+00:00 urn:sha1:55ae2ca0b17fa1d4cd19563289466c5e8dbbcf84 Commit 952b1656f51 ("ipsec: T5606: T5871: Use multi node for CA certificates") added support for multiple CA certificates which broke the OP mode command to generate the IPSec profiles as it did not expect a list and was rather working on a string. Now multiple CAs can be rendered into the Apple IOS profile. (cherry picked from commit e6fe6e50a5c817e18c453e7bc42bb2e1c4b17671) 2024-04-22T05:00:34+00:00 Alex W embezzle.dev@proton.me 2024-04-21T20:59:56+00:00 urn:sha1:162a0f0d746f7789a676332ec04dba65fefd6d4e (cherry picked from commit 78ea623df20b44309cc6ac9848ed18e97fc4ed03) 2024-04-12T09:13:38+00:00 Lucas Christian lucas@lucasec.com 2023-12-29T06:08:36+00:00 urn:sha1:7100a5797bce50678be6bb001d4d847b26ff9eca (cherry picked from commit ecc83562b4d756cc50910561a3f52ec260aeb478) 2024-03-28T16:09:40+00:00 Lucas Christian lucas@lucasec.com 2024-03-10T18:39:19+00:00 urn:sha1:71fe258f6a4dfc0ead8f8ee46821f9dd965d141a (cherry picked from commit 679b78356cbda4de15f96a7f22d4a98037dbeea4) 2024-03-28T16:09:39+00:00 Lucas Christian lucas@lucasec.com 2024-02-09T06:04:16+00:00 urn:sha1:781807e732da80b967019649cd79d4721e19f26d (cherry picked from commit cd8ef21f280f726955f537132e3fab2bcb3c286f) 2024-03-28T16:09:39+00:00 Lucas Christian lucas@lucasec.com 2023-12-29T06:11:26+00:00 urn:sha1:5a722cf8491436b0091c8fd5522e8c1074569ef1 (cherry picked from commit f7834324d3d9edd7e161e7f2f3868452997c9c81) 2024-02-03T20:05:04+00:00 Christian Breunig christian@breunig.cc 2024-02-02T19:44:29+00:00 urn:sha1:4edc0611ec0ab39147c136d769a9e8a0f50847e6 The replay_window for child SA will always be 32 (hence enabled). Add a CLI node to explicitly change this. * set vpn ipsec site-to-site peer <name> replay-window <0-2040> (cherry picked from commit 4d943d8fbf1253154897179b0e3ea2d93b898197)