summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorChristian Poessinger <christian@poessinger.com>2021-09-02 17:52:11 +0200
committerGitHub <noreply@github.com>2021-09-02 17:52:11 +0200
commit059855e57db620da72161ce1cadd86e4f577a2f8 (patch)
tree8acc9caea1054ba8ba95b2c31eb16cde93572c8d
parentaa7d7beea87c37ce5717ed89c0aba4388f0c3673 (diff)
parent8d47a10b472b595661cd97f2b0b837ebf03f3ffd (diff)
downloadvyos-1x-059855e57db620da72161ce1cadd86e4f577a2f8.tar.gz
vyos-1x-059855e57db620da72161ce1cadd86e4f577a2f8.zip
Merge pull request #990 from sever-sever/T3093
nipsec: T3093: Delete temporarily generated code
-rw-r--r--Makefile2
-rw-r--r--interface-definitions/vpn_ipsec.xml.in1167
-rwxr-xr-xsrc/conf_mode/vpn_ipsec.py67
3 files changed, 0 insertions, 1236 deletions
diff --git a/Makefile b/Makefile
index ce7b18e65..83020d59e 100644
--- a/Makefile
+++ b/Makefile
@@ -45,8 +45,6 @@ interface_definitions: $(config_xml_obj)
rm -f $(TMPL_DIR)/policy/node.def
rm -f $(TMPL_DIR)/system/node.def
rm -f $(TMPL_DIR)/vpn/node.def
- rm -f $(TMPL_DIR)/vpn/ipsec/node.def
- rm -rf $(TMPL_DIR)/vpn/nipsec
# XXX: T3781: migrate back to old iptables NAT implementation as we can not use nft
# which requires Kernel 5.10 for proper prefix translation support. Kernel 5.10
diff --git a/interface-definitions/vpn_ipsec.xml.in b/interface-definitions/vpn_ipsec.xml.in
deleted file mode 100644
index 426d7e71c..000000000
--- a/interface-definitions/vpn_ipsec.xml.in
+++ /dev/null
@@ -1,1167 +0,0 @@
-<?xml version="1.0"?>
-<interfaceDefinition>
- <node name="vpn">
- <children>
- <node name="nipsec" owner="${vyos_conf_scripts_dir}/vpn_ipsec.py">
- <properties>
- <help>VPN IP security (IPsec) parameters</help>
- </properties>
- <children>
- <leafNode name="auto-update">
- <properties>
- <help>Set auto-update interval for IPsec daemon</help>
- <valueHelp>
- <format>u32:30-65535</format>
- <description>Auto-update interval (s)</description>
- </valueHelp>
- <constraint>
- <validator name="numeric" argument="--range 30-65535"/>
- </constraint>
- </properties>
- </leafNode>
- <leafNode name="disable-uniqreqids">
- <properties>
- <help>Option to disable requirement for unique IDs in the Security Database</help>
- <valueless/>
- </properties>
- </leafNode>
- <tagNode name="esp-group">
- <properties>
- <help>Name of Encapsulating Security Payload (ESP) group</help>
- </properties>
- <children>
- <leafNode name="compression">
- <properties>
- <help>ESP compression</help>
- <completionHelp>
- <list>disable enable</list>
- </completionHelp>
- <valueHelp>
- <format>disable</format>
- <description>Disable ESP compression (default)</description>
- </valueHelp>
- <valueHelp>
- <format>enable</format>
- <description>Enable ESP compression</description>
- </valueHelp>
- <constraint>
- <regex>^(disable|enable)$</regex>
- </constraint>
- </properties>
- </leafNode>
- <leafNode name="lifetime">
- <properties>
- <help>ESP lifetime</help>
- <valueHelp>
- <format>u32:30-86400</format>
- <description>ESP lifetime in seconds (default 3600)</description>
- </valueHelp>
- <constraint>
- <validator name="numeric" argument="--range 30-86400"/>
- </constraint>
- </properties>
- </leafNode>
- <leafNode name="mode">
- <properties>
- <help>ESP mode</help>
- <completionHelp>
- <list>tunnel transport</list>
- </completionHelp>
- <valueHelp>
- <format>tunnel</format>
- <description>Tunnel mode (default)</description>
- </valueHelp>
- <valueHelp>
- <format>transport</format>
- <description>Transport mode</description>
- </valueHelp>
- <constraint>
- <regex>^(tunnel|transport)$</regex>
- </constraint>
- </properties>
- </leafNode>
- <leafNode name="pfs">
- <properties>
- <help>ESP Perfect Forward Secrecy</help>
- <completionHelp>
- <list>enable dh-group1 dh-group2 dh-group5 dh-group14 dh-group15 dh-group16 dh-group17 dh-group18 dh-group19 dh-group20 dh-group21 dh-group22 dh-group23 dh-group24 dh-group25 dh-group26 dh-group27 dh-group28 dh-group29 dh-group30 dh-group31 dh-group32 disable</list>
- </completionHelp>
- <valueHelp>
- <format>enable</format>
- <description>Enable PFS. Use ike-groups dh-group (default)</description>
- </valueHelp>
- <valueHelp>
- <format>dh-group1</format>
- <description>Enable PFS. Use Diffie-Hellman group 1 (modp768)</description>
- </valueHelp>
- <valueHelp>
- <format>dh-group2</format>
- <description>Enable PFS. Use Diffie-Hellman group 2 (modp1024)</description>
- </valueHelp>
- <valueHelp>
- <format>dh-group5</format>
- <description>Enable PFS. Use Diffie-Hellman group 5 (modp1536)</description>
- </valueHelp>
- <valueHelp>
- <format>dh-group14</format>
- <description>Enable PFS. Use Diffie-Hellman group 14 (modp2048)</description>
- </valueHelp>
- <valueHelp>
- <format>dh-group15</format>
- <description>Enable PFS. Use Diffie-Hellman group 15 (modp3072)</description>
- </valueHelp>
- <valueHelp>
- <format>dh-group16</format>
- <description>Enable PFS. Use Diffie-Hellman group 16 (modp4096)</description>
- </valueHelp>
- <valueHelp>
- <format>dh-group17</format>
- <description>Enable PFS. Use Diffie-Hellman group 17 (modp6144)</description>
- </valueHelp>
- <valueHelp>
- <format>dh-group18</format>
- <description>Enable PFS. Use Diffie-Hellman group 18 (modp8192)</description>
- </valueHelp>
- <valueHelp>
- <format>dh-group19</format>
- <description>Enable PFS. Use Diffie-Hellman group 19 (ecp256)</description>
- </valueHelp>
- <valueHelp>
- <format>dh-group20</format>
- <description>Enable PFS. Use Diffie-Hellman group 20 (ecp384)</description>
- </valueHelp>
- <valueHelp>
- <format>dh-group21</format>
- <description>Enable PFS. Use Diffie-Hellman group 21 (ecp521)</description>
- </valueHelp>
- <valueHelp>
- <format>dh-group22</format>
- <description>Enable PFS. Use Diffie-Hellman group 22 (modp1024s160)</description>
- </valueHelp>
- <valueHelp>
- <format>dh-group23</format>
- <description>Enable PFS. Use Diffie-Hellman group 23 (modp2048s224)</description>
- </valueHelp>
- <valueHelp>
- <format>dh-group24</format>
- <description>Enable PFS. Use Diffie-Hellman group 24 (modp2048s256)</description>
- </valueHelp>
- <valueHelp>
- <format>dh-group25</format>
- <description>Enable PFS. Use Diffie-Hellman group 25 (ecp192)</description>
- </valueHelp>
- <valueHelp>
- <format>dh-group26</format>
- <description>Enable PFS. Use Diffie-Hellman group 26 (ecp224)</description>
- </valueHelp>
- <valueHelp>
- <format>dh-group27</format>
- <description>Enable PFS. Use Diffie-Hellman group 27 (ecp224bp)</description>
- </valueHelp>
- <valueHelp>
- <format>dh-group28</format>
- <description>Enable PFS. Use Diffie-Hellman group 28 (ecp256bp)</description>
- </valueHelp>
- <valueHelp>
- <format>dh-group29</format>
- <description>Enable PFS. Use Diffie-Hellman group 29 (ecp384bp)</description>
- </valueHelp>
- <valueHelp>
- <format>dh-group30</format>
- <description>Enable PFS. Use Diffie-Hellman group 30 (ecp512bp)</description>
- </valueHelp>
- <valueHelp>
- <format>dh-group31</format>
- <description>Enable PFS. Use Diffie-Hellman group 31 (curve25519)</description>
- </valueHelp>
- <valueHelp>
- <format>dh-group32</format>
- <description>Enable PFS. Use Diffie-Hellman group 32 (curve448)</description>
- </valueHelp>
- <valueHelp>
- <format>disable</format>
- <description>Disable PFS</description>
- </valueHelp>
- <constraint>
- <regex>^(enable|dh-group1|dh-group2|dh-group5|dh-group14|dh-group15|dh-group16|dh-group17|dh-group18|dh-group19|dh-group20|dh-group21|dh-group22|dh-group23|dh-group24|dh-group25|dh-group26|dh-group27|dh-group28|dh-group29|dh-group30|dh-group31|dh-group32|disable)$</regex>
- </constraint>
- </properties>
- </leafNode>
- <tagNode name="proposal">
- <properties>
- <help>ESP-group proposal [REQUIRED]</help>
- <valueHelp>
- <format>u32:1-65535</format>
- <description>ESP-group proposal number</description>
- </valueHelp>
- </properties>
- <children>
- #include <include/vpn-ipsec-encryption.xml.i>
- #include <include/vpn-ipsec-hash.xml.i>
- </children>
- </tagNode>
- </children>
- </tagNode>
- <tagNode name="ike-group">
- <properties>
- <help>Name of Internet Key Exchange (IKE) group</help>
- </properties>
- <children>
- <leafNode name="close-action">
- <properties>
- <help>close-action_help</help>
- <completionHelp>
- <list>none hold clear restart</list>
- </completionHelp>
- <valueHelp>
- <format>none</format>
- <description>Set action to none (default)</description>
- </valueHelp>
- <valueHelp>
- <format>hold</format>
- <description>Set action to hold</description>
- </valueHelp>
- <valueHelp>
- <format>clear</format>
- <description>Set action to clear</description>
- </valueHelp>
- <valueHelp>
- <format>restart</format>
- <description>Set action to restart</description>
- </valueHelp>
- <constraint>
- <regex>^(none|hold|clear|restart)$</regex>
- </constraint>
- </properties>
- </leafNode>
- <node name="dead-peer-detection">
- <properties>
- <help>Dead Peer Detection (DPD)</help>
- </properties>
- <children>
- <leafNode name="action">
- <properties>
- <help>Keep-alive failure action</help>
- <completionHelp>
- <list>hold clear restart</list>
- </completionHelp>
- <valueHelp>
- <format>hold</format>
- <description>Set action to hold (default)</description>
- </valueHelp>
- <valueHelp>
- <format>clear</format>
- <description>Set action to clear</description>
- </valueHelp>
- <valueHelp>
- <format>restart</format>
- <description>Set action to restart</description>
- </valueHelp>
- <constraint>
- <regex>^(hold|clear|restart)$</regex>
- </constraint>
- </properties>
- </leafNode>
- <leafNode name="interval">
- <properties>
- <help>Keep-alive interval</help>
- <valueHelp>
- <format>u32:2-86400</format>
- <description>Keep-alive interval in seconds (default 30)</description>
- </valueHelp>
- <constraint>
- <validator name="numeric" argument="--range 2-86400"/>
- </constraint>
- </properties>
- </leafNode>
- <leafNode name="timeout">
- <properties>
- <help>Dead-Peer-Detection keep-alive timeout (IKEv1 only)</help>
- <valueHelp>
- <format>u32:2-86400</format>
- <description>Keep-alive timeout in seconds (default 120)</description>
- </valueHelp>
- <constraint>
- <validator name="numeric" argument="--range 2-86400"/>
- </constraint>
- </properties>
- </leafNode>
- </children>
- </node>
- <leafNode name="ikev2-reauth">
- <properties>
- <help>ikev2-reauth_help</help>
- <completionHelp>
- <list>yes no</list>
- </completionHelp>
- <valueHelp>
- <format>yes</format>
- <description>Enable remote host re-autentication during an IKE rekey. Currently broken due to a strong swan bug</description>
- </valueHelp>
- <valueHelp>
- <format>no</format>
- <description>Disable remote host re-authenticaton during an IKE rekey. (Default)</description>
- </valueHelp>
- <constraint>
- <regex>^(yes|no)$</regex>
- </constraint>
- </properties>
- </leafNode>
- <leafNode name="key-exchange">
- <properties>
- <help>Key Exchange Version</help>
- <completionHelp>
- <list>ikev1 ikev2</list>
- </completionHelp>
- <valueHelp>
- <format>ikev1</format>
- <description>Use IKEv1 for Key Exchange [DEFAULT]</description>
- </valueHelp>
- <valueHelp>
- <format>ikev2</format>
- <description>Use IKEv2 for Key Exchange</description>
- </valueHelp>
- <constraint>
- <regex>^(ikev1|ikev2)$</regex>
- </constraint>
- </properties>
- </leafNode>
- <leafNode name="lifetime">
- <properties>
- <help>IKE lifetime</help>
- <valueHelp>
- <format>u32:30-86400</format>
- <description>IKE lifetime in seconds (default 28800)</description>
- </valueHelp>
- <constraint>
- <validator name="numeric" argument="--range 30-86400"/>
- </constraint>
- </properties>
- </leafNode>
- <leafNode name="mobike">
- <properties>
- <help>Enable MOBIKE Support. MOBIKE is only available for IKEv2.</help>
- <completionHelp>
- <list>enable disable</list>
- </completionHelp>
- <valueHelp>
- <format>enable</format>
- <description>Enable MOBIKE (default for IKEv2)</description>
- </valueHelp>
- <valueHelp>
- <format>disable</format>
- <description>Disable MOBIKE</description>
- </valueHelp>
- <constraint>
- <regex>^(enable|disable)$</regex>
- </constraint>
- </properties>
- </leafNode>
- <leafNode name="mode">
- <properties>
- <help>IKEv1 Phase 1 Mode Selection</help>
- <completionHelp>
- <list>main aggressive</list>
- </completionHelp>
- <valueHelp>
- <format>main</format>
- <description>Use Main mode for Key Exchanges in the IKEv1 Protocol (Recommended Default)</description>
- </valueHelp>
- <valueHelp>
- <format>aggressive</format>
- <description>Use Aggressive mode for Key Exchanges in the IKEv1 protocol - We do not recommend users to use aggressive mode as it is much more insecure compared to Main mode.</description>
- </valueHelp>
- <constraint>
- <regex>^(main|aggressive)$</regex>
- </constraint>
- </properties>
- </leafNode>
- <tagNode name="proposal">
- <properties>
- <help>proposal_help</help>
- <valueHelp>
- <format>u32:1-65535</format>
- <description>IKE-group proposal</description>
- </valueHelp>
- </properties>
- <children>
- <leafNode name="dh-group">
- <properties>
- <help>dh-grouphelp</help>
- <completionHelp>
- <list>1 2 5 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32</list>
- </completionHelp>
- <valueHelp>
- <format>1</format>
- <description>Diffie-Hellman group 1 (modp768)</description>
- </valueHelp>
- <valueHelp>
- <format>2</format>
- <description>Diffie-Hellman group 2 (modp1024)</description>
- </valueHelp>
- <valueHelp>
- <format>5</format>
- <description>Diffie-Hellman group 5 (modp1536)</description>
- </valueHelp>
- <valueHelp>
- <format>14</format>
- <description>Diffie-Hellman group 14 (modp2048)</description>
- </valueHelp>
- <valueHelp>
- <format>15</format>
- <description>Diffie-Hellman group 15 (modp3072)</description>
- </valueHelp>
- <valueHelp>
- <format>16</format>
- <description>Diffie-Hellman group 16 (modp4096)</description>
- </valueHelp>
- <valueHelp>
- <format>17</format>
- <description>Diffie-Hellman group 17 (modp6144)</description>
- </valueHelp>
- <valueHelp>
- <format>18</format>
- <description>Diffie-Hellman group 18 (modp8192)</description>
- </valueHelp>
- <valueHelp>
- <format>19</format>
- <description>Diffie-Hellman group 19 (ecp256)</description>
- </valueHelp>
- <valueHelp>
- <format>20</format>
- <description>Diffie-Hellman group 20 (ecp384)</description>
- </valueHelp>
- <valueHelp>
- <format>21</format>
- <description>Diffie-Hellman group 21 (ecp521)</description>
- </valueHelp>
- <valueHelp>
- <format>22</format>
- <description>Diffie-Hellman group 22 (modp1024s160)</description>
- </valueHelp>
- <valueHelp>
- <format>23</format>
- <description>Diffie-Hellman group 23 (modp2048s224)</description>
- </valueHelp>
- <valueHelp>
- <format>24</format>
- <description>Diffie-Hellman group 24 (modp2048s256)</description>
- </valueHelp>
- <valueHelp>
- <format>25</format>
- <description>Diffie-Hellman group 25 (ecp192)</description>
- </valueHelp>
- <valueHelp>
- <format>26</format>
- <description>Diffie-Hellman group 26 (ecp224)</description>
- </valueHelp>
- <valueHelp>
- <format>27</format>
- <description>Diffie-Hellman group 27 (ecp224bp)</description>
- </valueHelp>
- <valueHelp>
- <format>28</format>
- <description>Diffie-Hellman group 28 (ecp256bp)</description>
- </valueHelp>
- <valueHelp>
- <format>29</format>
- <description>Diffie-Hellman group 29 (ecp384bp)</description>
- </valueHelp>
- <valueHelp>
- <format>30</format>
- <description>Diffie-Hellman group 30 (ecp512bp)</description>
- </valueHelp>
- <valueHelp>
- <format>31</format>
- <description>Diffie-Hellman group 31 (curve25519)</description>
- </valueHelp>
- <valueHelp>
- <format>32</format>
- <description>Diffie-Hellman group 32 (curve448)</description>
- </valueHelp>
- <constraint>
- <regex>^(1|2|5|14|15|16|17|18|19|20|21|22|23|24|25|26|27|28|29|30|31|32)$</regex>
- </constraint>
- </properties>
- </leafNode>
- #include <include/vpn-ipsec-encryption.xml.i>
- #include <include/vpn-ipsec-hash.xml.i>
- </children>
- </tagNode>
- </children>
- </tagNode>
- <leafNode name="include-ipsec-conf">
- <properties>
- <help>Sets to include an additional configuration directive file for strongSwan. Use an absolute path to specify the included file</help>
- </properties>
- </leafNode>
- <leafNode name="include-ipsec-secrets">
- <properties>
- <help>Sets to include an additional secrets file for strongSwan. Use an absolute path to specify the included file.</help>
- </properties>
- </leafNode>
- <node name="ipsec-interfaces">
- <properties>
- <help>Interface to use for VPN [REQUIRED]</help>
- </properties>
- <children>
- <leafNode name="interface">
- <properties>
- <help>IPsec interface [REQUIRED]</help>
- <completionHelp>
- <script>${vyos_completion_dir}/list_interfaces.py</script>
- </completionHelp>
- <multi/>
- </properties>
- </leafNode>
- </children>
- </node>
- <node name="logging">
- <properties>
- <help>IPsec logging</help>
- </properties>
- <children>
- <leafNode name="log-level">
- <properties>
- <help>strongSwan Logger Level</help>
- <valueHelp>
- <format>u32:0-2</format>
- <description>Logger Verbosity Level (default 0)</description>
- </valueHelp>
- <constraint>
- <validator name="numeric" argument="--range 0-2"/>
- </constraint>
- </properties>
- </leafNode>
- <leafNode name="log-modes">
- <properties>
- <help>Log mode. To see what each log mode exactly does, please refer to the strongSwan documentation</help>
- <completionHelp>
- <list>dmn mgr ike chd job cfg knl net asn enc lib esp tls tnc imc imv pts any</list>
- </completionHelp>
- <valueHelp>
- <format>dmn</format>
- <description>Debug log option for strongSwan</description>
- </valueHelp>
- <valueHelp>
- <format>mgr</format>
- <description>Debug log option for strongSwan</description>
- </valueHelp>
- <valueHelp>
- <format>ike</format>
- <description>Debug log option for strongSwan</description>
- </valueHelp>
- <valueHelp>
- <format>chd</format>
- <description>Debug log option for strongSwan</description>
- </valueHelp>
- <valueHelp>
- <format>job</format>
- <description>Debug log option for strongSwan</description>
- </valueHelp>
- <valueHelp>
- <format>cfg</format>
- <description>Debug log option for strongSwan</description>
- </valueHelp>
- <valueHelp>
- <format>knl</format>
- <description>Debug log option for strongSwan</description>
- </valueHelp>
- <valueHelp>
- <format>net</format>
- <description>Debug log option for strongSwan</description>
- </valueHelp>
- <valueHelp>
- <format>asn</format>
- <description>Debug log option for strongSwan</description>
- </valueHelp>
- <valueHelp>
- <format>enc</format>
- <description>Debug log option for strongSwan</description>
- </valueHelp>
- <valueHelp>
- <format>lib</format>
- <description>Debug log option for strongSwan</description>
- </valueHelp>
- <valueHelp>
- <format>esp</format>
- <description>Debug log option for strongSwan</description>
- </valueHelp>
- <valueHelp>
- <format>tls</format>
- <description>Debug log option for strongSwan</description>
- </valueHelp>
- <valueHelp>
- <format>tnc</format>
- <description>Debug log option for strongSwan</description>
- </valueHelp>
- <valueHelp>
- <format>imc</format>
- <description>Debug log option for strongSwan</description>
- </valueHelp>
- <valueHelp>
- <format>imv</format>
- <description>Debug log option for strongSwan</description>
- </valueHelp>
- <valueHelp>
- <format>pts</format>
- <description>Debug log option for strongSwan</description>
- </valueHelp>
- <valueHelp>
- <format>any</format>
- <description>Debug log option for strongSwan</description>
- </valueHelp>
- <constraint>
- <regex>^(dmn|mgr|ike|chd|job|cfg|knl|net|asn|enc|lib|esp|tls|tnc|imc|imv|pts|any)$</regex>
- </constraint>
- <multi/>
- </properties>
- </leafNode>
- </children>
- </node>
- <node name="nat-networks">
- <properties>
- <help>Network Address Translation (NAT) networks</help>
- </properties>
- <children>
- <tagNode name="allowed-network">
- <properties>
- <help>NAT networks to allow</help>
- <valueHelp>
- <format>ipv4net</format>
- <description>NAT networks to allow</description>
- </valueHelp>
- <constraint>
- <validator name="ip-prefix"/>
- </constraint>
- </properties>
- <children>
- <leafNode name="exclude">
- <properties>
- <help>NAT networks to exclude from allowed-networks</help>
- <valueHelp>
- <format>ipv4net</format>
- <description>NAT networks to exclude from allowed-networks</description>
- </valueHelp>
- <constraint>
- <validator name="ip-prefix"/>
- </constraint>
- <multi/>
- </properties>
- </leafNode>
- </children>
- </tagNode>
- </children>
- </node>
- <leafNode name="nat-traversal">
- <properties>
- <help>Network Address Translation (NAT) traversal</help>
- <completionHelp>
- <list>disable enable</list>
- </completionHelp>
- <valueHelp>
- <format>disable</format>
- <description>Disable NAT-T</description>
- </valueHelp>
- <valueHelp>
- <format>enable</format>
- <description>Enable NAT-T</description>
- </valueHelp>
- <constraint>
- <regex>^(disable|enable)$</regex>
- </constraint>
- </properties>
- </leafNode>
- <node name="options">
- <properties>
- <help>Global IPsec settings</help>
- </properties>
- <children>
- <leafNode name="disable-route-autoinstall">
- <properties>
- <help>Do not automatically install routes to remote networks</help>
- <valueless/>
- </properties>
- </leafNode>
- </children>
- </node>
- <tagNode name="profile">
- <properties>
- <help>VPN IPSec Profile</help>
- </properties>
- <children>
- <node name="authentication">
- <properties>
- <help>Authentication [REQUIRED]</help>
- </properties>
- <children>
- <node name="mode">
- <properties>
- <help>Authentication mode</help>
- </properties>
- <children>
- <leafNode name="pre-shared-secret">
- <properties>
- <help>Use pre-shared secret key</help>
- <valueless/>
- </properties>
- </leafNode>
- </children>
- </node>
- <leafNode name="pre-shared-secret">
- <properties>
- <help>Pre-shared secret key</help>
- <valueHelp>
- <format>txt</format>
- <description>Pre-shared secret key</description>
- </valueHelp>
- </properties>
- </leafNode>
- </children>
- </node>
- <node name="bind">
- <properties>
- <help>DMVPN crypto configuration</help>
- </properties>
- <children>
- <leafNode name="bind_child">
- <properties>
- <help>bind_child_help</help>
- <valueless/>
- </properties>
- </leafNode>
- </children>
- </node>
- <leafNode name="esp-group">
- <properties>
- <help>Esp group name [REQUIRED]</help>
- <completionHelp>
- <path>vpn ipsec esp-group</path>
- </completionHelp>
- </properties>
- </leafNode>
- <leafNode name="ike-group">
- <properties>
- <help>Ike group name [REQUIRED]</help>
- <completionHelp>
- <path>vpn ipsec ike-group</path>
- </completionHelp>
- </properties>
- </leafNode>
- </children>
- </tagNode>
- <node name="site-to-site">
- <properties>
- <help>Site to site VPN</help>
- </properties>
- <children>
- <tagNode name="peer">
- <properties>
- <help>VPN peer</help>
- <valueHelp>
- <format>ipv4</format>
- <description>IPv4 address of the peer</description>
- </valueHelp>
- <valueHelp>
- <format>ipv6</format>
- <description>IPv6 address of the peer</description>
- </valueHelp>
- <valueHelp>
- <format>txt</format>
- <description>Hostname of the peer</description>
- </valueHelp>
- <valueHelp>
- <format>&lt;@text&gt;</format>
- <description>ID of the peer</description>
- </valueHelp>
- </properties>
- <children>
- <node name="authentication">
- <properties>
- <help>Peer authentication [REQUIRED]</help>
- </properties>
- <children>
- <leafNode name="id">
- <properties>
- <help>ID for peer authentication</help>
- <valueHelp>
- <format>txt</format>
- <description>ID used for peer authentication</description>
- </valueHelp>
- </properties>
- </leafNode>
- <leafNode name="mode">
- <properties>
- <help>Authentication mode</help>
- <completionHelp>
- <list>pre-shared-secret rsa x509</list>
- </completionHelp>
- <valueHelp>
- <format>pre-shared-secret</format>
- <description>pre-shared-secret_description</description>
- </valueHelp>
- <valueHelp>
- <format>rsa</format>
- <description>rsa_description</description>
- </valueHelp>
- <valueHelp>
- <format>x509</format>
- <description>x509_description</description>
- </valueHelp>
- <constraint>
- <regex>^(pre-shared-secret|rsa|x509)$</regex>
- </constraint>
- </properties>
- </leafNode>
- <leafNode name="pre-shared-secret">
- <properties>
- <help>Pre-shared secret key</help>
- <valueHelp>
- <format>txt</format>
- <description>Pre-shared secret key</description>
- </valueHelp>
- </properties>
- </leafNode>
- <leafNode name="remote-id">
- <properties>
- <help>ID for remote authentication</help>
- <valueHelp>
- <format>txt</format>
- <description>ID used for peer authentication</description>
- </valueHelp>
- </properties>
- </leafNode>
- <leafNode name="rsa-key-name">
- <properties>
- <help>RSA key name</help>
- </properties>
- </leafNode>
- <leafNode name="use-x509-id">
- <properties>
- <help>Use certificate common name as ID</help>
- <valueless/>
- </properties>
- </leafNode>
- <node name="x509">
- <properties>
- <help>X.509 certificate</help>
- </properties>
- <children>
- #include <include/certificate.xml.i>
- #include <include/certificate-ca.xml.i>
- <leafNode name="crl-file">
- <properties>
- <help>File containing the X.509 Certificate Revocation List (CRL)</help>
- <valueHelp>
- <format>txt</format>
- <description>File in /config/auth</description>
- </valueHelp>
- </properties>
- </leafNode>
- <node name="key">
- <properties>
- <help>Key file and password to open it</help>
- </properties>
- <children>
- <leafNode name="file">
- <properties>
- <help>File containing the private key for the X.509 certificate for this host</help>
- <valueHelp>
- <format>txt</format>
- <description>File in /config/auth</description>
- </valueHelp>
- </properties>
- </leafNode>
- <leafNode name="password">
- <properties>
- <help>Password that protects the private key</help>
- <valueHelp>
- <format>txt</format>
- <description>Password that protects the private key</description>
- </valueHelp>
- </properties>
- </leafNode>
- </children>
- </node>
- </children>
- </node>
- </children>
- </node>
- <leafNode name="connection-type">
- <properties>
- <help>Connection type</help>
- <completionHelp>
- <list>initiate respond</list>
- </completionHelp>
- <valueHelp>
- <format>initiate</format>
- <description>initiate_description</description>
- </valueHelp>
- <valueHelp>
- <format>respond</format>
- <description>respond_description</description>
- </valueHelp>
- <constraint>
- <regex>^(initiate|respond)$</regex>
- </constraint>
- </properties>
- </leafNode>
- <leafNode name="default-esp-group">
- <properties>
- <help>Defult ESP group name</help>
- </properties>
- </leafNode>
- <leafNode name="description">
- <properties>
- <help>VPN peer description</help>
- <valueless/>
- </properties>
- </leafNode>
- <leafNode name="dhcp-interface">
- <properties>
- <help>DHCP interface to listen on</help>
- <valueless/>
- </properties>
- </leafNode>
- <leafNode name="force-encapsulation">
- <properties>
- <help>Force UDP Encapsulation for ESP Payloads</help>
- <completionHelp>
- <list>enable disable</list>
- </completionHelp>
- <valueHelp>
- <format>enable</format>
- <description>This endpoint will force UDP encapsulation for this peer</description>
- </valueHelp>
- <valueHelp>
- <format>disable</format>
- <description>This endpoint will not force UDP encapsulation for this peer</description>
- </valueHelp>
- <constraint>
- <regex>^(enable|disable)$</regex>
- </constraint>
- </properties>
- </leafNode>
- <leafNode name="ike-group">
- <properties>
- <help>Internet Key Exchange (IKE) group name [REQUIRED]</help>
- <completionHelp>
- <path>vpn ipsec ike-group</path>
- </completionHelp>
- </properties>
- </leafNode>
- <leafNode name="ikev2-reauth">
- <properties>
- <help>Re-authentication of the remote peer during an IKE re-key. IKEv2 option only</help>
- <completionHelp>
- <list>yes no inherit</list>
- </completionHelp>
- <valueHelp>
- <format>yes</format>
- <description>Enable remote host re-autentication during an IKE re-key. Currently broken due to a strong swan bug</description>
- </valueHelp>
- <valueHelp>
- <format>no</format>
- <description>Disable remote host re-authenticaton during an IKE re-key.</description>
- </valueHelp>
- <valueHelp>
- <format>inherit</format>
- <description>Inherit the reauth configuration form your IKE-group (Default)</description>
- </valueHelp>
- <constraint>
- <regex>^(yes|no|inherit)$</regex>
- </constraint>
- </properties>
- </leafNode>
- <leafNode name="local-address">
- <properties>
- <help>IPv4 or IPv6 address of a local interface to use for VPN</help>
- <completionHelp>
- <list>any</list>
- </completionHelp>
- <valueHelp>
- <format>ipv4</format>
- <description>IPv4 address of a local interface for VPN</description>
- </valueHelp>
- <valueHelp>
- <format>ipv6</format>
- <description>IPv6 address of a local interface for VPN</description>
- </valueHelp>
- <valueHelp>
- <format>any</format>
- <description>Allow any IPv4 address present on the system to be used for VPN</description>
- </valueHelp>
- <constraint>
- <validator name="ipv4-address"/>
- <validator name="ipv6-address"/>
- <regex>^(any)$</regex>
- </constraint>
- </properties>
- </leafNode>
- <tagNode name="tunnel">
- <properties>
- <help>Peer tunnel [REQUIRED]</help>
- <valueHelp>
- <format>u32</format>
- <description>Peer tunnel [REQUIRED]</description>
- </valueHelp>
- </properties>
- <children>
- <leafNode name="allow-nat-networks">
- <properties>
- <help>Option to allow NAT networks</help>
- <completionHelp>
- <list>enable disable</list>
- </completionHelp>
- <valueHelp>
- <format>enable</format>
- <description>Enable NAT networks</description>
- </valueHelp>
- <valueHelp>
- <format>disable</format>
- <description>Disable NAT networks (default)</description>
- </valueHelp>
- <constraint>
- <regex>^(enable|disable)$</regex>
- </constraint>
- </properties>
- </leafNode>
- <leafNode name="allow-public-networks">
- <properties>
- <help>Option to allow public networks</help>
- <completionHelp>
- <list>enable disable</list>
- </completionHelp>
- <valueHelp>
- <format>enable</format>
- <description>Enable public networks</description>
- </valueHelp>
- <valueHelp>
- <format>disable</format>
- <description>Disable public networks (default)</description>
- </valueHelp>
- <constraint>
- <regex>^(enable|disable)$</regex>
- </constraint>
- </properties>
- </leafNode>
- #include <include/generic-disable-node.xml.i>
- <leafNode name="esp-group">
- <properties>
- <help>ESP group name</help>
- <completionHelp>
- <path>vpn ipsec esp-group</path>
- </completionHelp>
- </properties>
- </leafNode>
- <node name="local">
- <properties>
- <help>Local parameters for interesting traffic</help>
- </properties>
- <children>
- <leafNode name="port">
- <properties>
- <help>Any TCP or UDP port</help>
- <valueHelp>
- <format>port name</format>
- <description>Named port (any name in /etc/services, e.g., http)</description>
- </valueHelp>
- <valueHelp>
- <format>u32:1-65535</format>
- <description>Numbered port</description>
- </valueHelp>
- </properties>
- </leafNode>
- <leafNode name="prefix">
- <properties>
- <help>Local IPv4 or IPv6 prefix</help>
- <valueHelp>
- <format>ipv4</format>
- <description>Local IPv4 prefix</description>
- </valueHelp>
- <valueHelp>
- <format>ipv6</format>
- <description>Local IPv6 prefix</description>
- </valueHelp>
- <constraint>
- <validator name="ipv4-prefix"/>
- <validator name="ipv6-prefix"/>
- </constraint>
- </properties>
- </leafNode>
- </children>
- </node>
- <leafNode name="protocol">
- <properties>
- <help>Protocol to encrypt</help>
- <valueless/>
- </properties>
- </leafNode>
- <node name="remote">
- <properties>
- <help>Remote parameters for interesting traffic</help>
- </properties>
- <children>
- <leafNode name="port">
- <properties>
- <help>Any TCP or UDP port</help>
- <valueHelp>
- <format>port name</format>
- <description>Named port (any name in /etc/services, e.g., http)</description>
- </valueHelp>
- <valueHelp>
- <format>u32:1-65535</format>
- <description>Numbered port</description>
- </valueHelp>
- </properties>
- </leafNode>
- <leafNode name="prefix">
- <properties>
- <help>Remote IPv4 or IPv6 prefix</help>
- <valueHelp>
- <format>ipv4</format>
- <description>Remote IPv4 prefix</description>
- </valueHelp>
- <valueHelp>
- <format>ipv6</format>
- <description>Remote IPv6 prefix</description>
- </valueHelp>
- <constraint>
- <validator name="ipv4-prefix"/>
- <validator name="ipv6-prefix"/>
- </constraint>
- </properties>
- </leafNode>
- </children>
- </node>
- </children>
- </tagNode>
- <node name="vti">
- <properties>
- <help>Virtual tunnel interface [REQUIRED]</help>
- </properties>
- <children>
- <leafNode name="bind">
- <properties>
- <help>VTI tunnel interface associated with this configuration [REQUIRED]</help>
- </properties>
- </leafNode>
- <leafNode name="esp-group">
- <properties>
- <help>ESP group name [REQUIRED]</help>
- <completionHelp>
- <path>vpn ipsec esp-group</path>
- </completionHelp>
- </properties>
- </leafNode>
- </children>
- </node>
- </children>
- </tagNode>
- </children>
- </node>
- </children>
- </node>
- </children>
- </node>
-</interfaceDefinition>
diff --git a/src/conf_mode/vpn_ipsec.py b/src/conf_mode/vpn_ipsec.py
deleted file mode 100755
index 969266c30..000000000
--- a/src/conf_mode/vpn_ipsec.py
+++ /dev/null
@@ -1,67 +0,0 @@
-#!/usr/bin/env python3
-#
-# Copyright (C) 2020 VyOS maintainers and contributors
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 or later as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see <http://www.gnu.org/licenses/>.
-
-import os
-
-from sys import exit
-
-from vyos.config import Config
-from vyos.template import render
-from vyos.util import call
-from vyos.util import dict_search
-from vyos import ConfigError
-from vyos import airbag
-from pprint import pprint
-airbag.enable()
-
-def get_config(config=None):
- if config:
- conf = config
- else:
- conf = Config()
- base = ['vpn', 'nipsec']
- if not conf.exists(base):
- return None
-
- # retrieve common dictionary keys
- ipsec = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True)
- return ipsec
-
-def verify(ipsec):
- if not ipsec:
- return None
-
-def generate(ipsec):
- if not ipsec:
- return None
-
- return ipsec
-
-def apply(ipsec):
- if not ipsec:
- return None
-
- pprint(ipsec)
-
-if __name__ == '__main__':
- try:
- c = get_config()
- verify(c)
- generate(c)
- apply(c)
- except ConfigError as e:
- print(e)
- exit(1)