diff options
author | Christian Poessinger <christian@poessinger.com> | 2021-09-02 17:52:11 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-09-02 17:52:11 +0200 |
commit | 059855e57db620da72161ce1cadd86e4f577a2f8 (patch) | |
tree | 8acc9caea1054ba8ba95b2c31eb16cde93572c8d | |
parent | aa7d7beea87c37ce5717ed89c0aba4388f0c3673 (diff) | |
parent | 8d47a10b472b595661cd97f2b0b837ebf03f3ffd (diff) | |
download | vyos-1x-059855e57db620da72161ce1cadd86e4f577a2f8.tar.gz vyos-1x-059855e57db620da72161ce1cadd86e4f577a2f8.zip |
Merge pull request #990 from sever-sever/T3093
nipsec: T3093: Delete temporarily generated code
-rw-r--r-- | Makefile | 2 | ||||
-rw-r--r-- | interface-definitions/vpn_ipsec.xml.in | 1167 | ||||
-rwxr-xr-x | src/conf_mode/vpn_ipsec.py | 67 |
3 files changed, 0 insertions, 1236 deletions
@@ -45,8 +45,6 @@ interface_definitions: $(config_xml_obj) rm -f $(TMPL_DIR)/policy/node.def rm -f $(TMPL_DIR)/system/node.def rm -f $(TMPL_DIR)/vpn/node.def - rm -f $(TMPL_DIR)/vpn/ipsec/node.def - rm -rf $(TMPL_DIR)/vpn/nipsec # XXX: T3781: migrate back to old iptables NAT implementation as we can not use nft # which requires Kernel 5.10 for proper prefix translation support. Kernel 5.10 diff --git a/interface-definitions/vpn_ipsec.xml.in b/interface-definitions/vpn_ipsec.xml.in deleted file mode 100644 index 426d7e71c..000000000 --- a/interface-definitions/vpn_ipsec.xml.in +++ /dev/null @@ -1,1167 +0,0 @@ -<?xml version="1.0"?> -<interfaceDefinition> - <node name="vpn"> - <children> - <node name="nipsec" owner="${vyos_conf_scripts_dir}/vpn_ipsec.py"> - <properties> - <help>VPN IP security (IPsec) parameters</help> - </properties> - <children> - <leafNode name="auto-update"> - <properties> - <help>Set auto-update interval for IPsec daemon</help> - <valueHelp> - <format>u32:30-65535</format> - <description>Auto-update interval (s)</description> - </valueHelp> - <constraint> - <validator name="numeric" argument="--range 30-65535"/> - </constraint> - </properties> - </leafNode> - <leafNode name="disable-uniqreqids"> - <properties> - <help>Option to disable requirement for unique IDs in the Security Database</help> - <valueless/> - </properties> - </leafNode> - <tagNode name="esp-group"> - <properties> - <help>Name of Encapsulating Security Payload (ESP) group</help> - </properties> - <children> - <leafNode name="compression"> - <properties> - <help>ESP compression</help> - <completionHelp> - <list>disable enable</list> - </completionHelp> - <valueHelp> - <format>disable</format> - <description>Disable ESP compression (default)</description> - </valueHelp> - <valueHelp> - <format>enable</format> - <description>Enable ESP compression</description> - </valueHelp> - <constraint> - <regex>^(disable|enable)$</regex> - </constraint> - </properties> - </leafNode> - <leafNode name="lifetime"> - <properties> - <help>ESP lifetime</help> - <valueHelp> - <format>u32:30-86400</format> - <description>ESP lifetime in seconds (default 3600)</description> - </valueHelp> - <constraint> - <validator name="numeric" argument="--range 30-86400"/> - </constraint> - </properties> - </leafNode> - <leafNode name="mode"> - <properties> - <help>ESP mode</help> - <completionHelp> - <list>tunnel transport</list> - </completionHelp> - <valueHelp> - <format>tunnel</format> - <description>Tunnel mode (default)</description> - </valueHelp> - <valueHelp> - <format>transport</format> - <description>Transport mode</description> - </valueHelp> - <constraint> - <regex>^(tunnel|transport)$</regex> - </constraint> - </properties> - </leafNode> - <leafNode name="pfs"> - <properties> - <help>ESP Perfect Forward Secrecy</help> - <completionHelp> - <list>enable dh-group1 dh-group2 dh-group5 dh-group14 dh-group15 dh-group16 dh-group17 dh-group18 dh-group19 dh-group20 dh-group21 dh-group22 dh-group23 dh-group24 dh-group25 dh-group26 dh-group27 dh-group28 dh-group29 dh-group30 dh-group31 dh-group32 disable</list> - </completionHelp> - <valueHelp> - <format>enable</format> - <description>Enable PFS. Use ike-groups dh-group (default)</description> - </valueHelp> - <valueHelp> - <format>dh-group1</format> - <description>Enable PFS. Use Diffie-Hellman group 1 (modp768)</description> - </valueHelp> - <valueHelp> - <format>dh-group2</format> - <description>Enable PFS. Use Diffie-Hellman group 2 (modp1024)</description> - </valueHelp> - <valueHelp> - <format>dh-group5</format> - <description>Enable PFS. Use Diffie-Hellman group 5 (modp1536)</description> - </valueHelp> - <valueHelp> - <format>dh-group14</format> - <description>Enable PFS. Use Diffie-Hellman group 14 (modp2048)</description> - </valueHelp> - <valueHelp> - <format>dh-group15</format> - <description>Enable PFS. Use Diffie-Hellman group 15 (modp3072)</description> - </valueHelp> - <valueHelp> - <format>dh-group16</format> - <description>Enable PFS. Use Diffie-Hellman group 16 (modp4096)</description> - </valueHelp> - <valueHelp> - <format>dh-group17</format> - <description>Enable PFS. Use Diffie-Hellman group 17 (modp6144)</description> - </valueHelp> - <valueHelp> - <format>dh-group18</format> - <description>Enable PFS. Use Diffie-Hellman group 18 (modp8192)</description> - </valueHelp> - <valueHelp> - <format>dh-group19</format> - <description>Enable PFS. Use Diffie-Hellman group 19 (ecp256)</description> - </valueHelp> - <valueHelp> - <format>dh-group20</format> - <description>Enable PFS. Use Diffie-Hellman group 20 (ecp384)</description> - </valueHelp> - <valueHelp> - <format>dh-group21</format> - <description>Enable PFS. Use Diffie-Hellman group 21 (ecp521)</description> - </valueHelp> - <valueHelp> - <format>dh-group22</format> - <description>Enable PFS. Use Diffie-Hellman group 22 (modp1024s160)</description> - </valueHelp> - <valueHelp> - <format>dh-group23</format> - <description>Enable PFS. Use Diffie-Hellman group 23 (modp2048s224)</description> - </valueHelp> - <valueHelp> - <format>dh-group24</format> - <description>Enable PFS. Use Diffie-Hellman group 24 (modp2048s256)</description> - </valueHelp> - <valueHelp> - <format>dh-group25</format> - <description>Enable PFS. Use Diffie-Hellman group 25 (ecp192)</description> - </valueHelp> - <valueHelp> - <format>dh-group26</format> - <description>Enable PFS. Use Diffie-Hellman group 26 (ecp224)</description> - </valueHelp> - <valueHelp> - <format>dh-group27</format> - <description>Enable PFS. Use Diffie-Hellman group 27 (ecp224bp)</description> - </valueHelp> - <valueHelp> - <format>dh-group28</format> - <description>Enable PFS. Use Diffie-Hellman group 28 (ecp256bp)</description> - </valueHelp> - <valueHelp> - <format>dh-group29</format> - <description>Enable PFS. Use Diffie-Hellman group 29 (ecp384bp)</description> - </valueHelp> - <valueHelp> - <format>dh-group30</format> - <description>Enable PFS. Use Diffie-Hellman group 30 (ecp512bp)</description> - </valueHelp> - <valueHelp> - <format>dh-group31</format> - <description>Enable PFS. Use Diffie-Hellman group 31 (curve25519)</description> - </valueHelp> - <valueHelp> - <format>dh-group32</format> - <description>Enable PFS. Use Diffie-Hellman group 32 (curve448)</description> - </valueHelp> - <valueHelp> - <format>disable</format> - <description>Disable PFS</description> - </valueHelp> - <constraint> - <regex>^(enable|dh-group1|dh-group2|dh-group5|dh-group14|dh-group15|dh-group16|dh-group17|dh-group18|dh-group19|dh-group20|dh-group21|dh-group22|dh-group23|dh-group24|dh-group25|dh-group26|dh-group27|dh-group28|dh-group29|dh-group30|dh-group31|dh-group32|disable)$</regex> - </constraint> - </properties> - </leafNode> - <tagNode name="proposal"> - <properties> - <help>ESP-group proposal [REQUIRED]</help> - <valueHelp> - <format>u32:1-65535</format> - <description>ESP-group proposal number</description> - </valueHelp> - </properties> - <children> - #include <include/vpn-ipsec-encryption.xml.i> - #include <include/vpn-ipsec-hash.xml.i> - </children> - </tagNode> - </children> - </tagNode> - <tagNode name="ike-group"> - <properties> - <help>Name of Internet Key Exchange (IKE) group</help> - </properties> - <children> - <leafNode name="close-action"> - <properties> - <help>close-action_help</help> - <completionHelp> - <list>none hold clear restart</list> - </completionHelp> - <valueHelp> - <format>none</format> - <description>Set action to none (default)</description> - </valueHelp> - <valueHelp> - <format>hold</format> - <description>Set action to hold</description> - </valueHelp> - <valueHelp> - <format>clear</format> - <description>Set action to clear</description> - </valueHelp> - <valueHelp> - <format>restart</format> - <description>Set action to restart</description> - </valueHelp> - <constraint> - <regex>^(none|hold|clear|restart)$</regex> - </constraint> - </properties> - </leafNode> - <node name="dead-peer-detection"> - <properties> - <help>Dead Peer Detection (DPD)</help> - </properties> - <children> - <leafNode name="action"> - <properties> - <help>Keep-alive failure action</help> - <completionHelp> - <list>hold clear restart</list> - </completionHelp> - <valueHelp> - <format>hold</format> - <description>Set action to hold (default)</description> - </valueHelp> - <valueHelp> - <format>clear</format> - <description>Set action to clear</description> - </valueHelp> - <valueHelp> - <format>restart</format> - <description>Set action to restart</description> - </valueHelp> - <constraint> - <regex>^(hold|clear|restart)$</regex> - </constraint> - </properties> - </leafNode> - <leafNode name="interval"> - <properties> - <help>Keep-alive interval</help> - <valueHelp> - <format>u32:2-86400</format> - <description>Keep-alive interval in seconds (default 30)</description> - </valueHelp> - <constraint> - <validator name="numeric" argument="--range 2-86400"/> - </constraint> - </properties> - </leafNode> - <leafNode name="timeout"> - <properties> - <help>Dead-Peer-Detection keep-alive timeout (IKEv1 only)</help> - <valueHelp> - <format>u32:2-86400</format> - <description>Keep-alive timeout in seconds (default 120)</description> - </valueHelp> - <constraint> - <validator name="numeric" argument="--range 2-86400"/> - </constraint> - </properties> - </leafNode> - </children> - </node> - <leafNode name="ikev2-reauth"> - <properties> - <help>ikev2-reauth_help</help> - <completionHelp> - <list>yes no</list> - </completionHelp> - <valueHelp> - <format>yes</format> - <description>Enable remote host re-autentication during an IKE rekey. Currently broken due to a strong swan bug</description> - </valueHelp> - <valueHelp> - <format>no</format> - <description>Disable remote host re-authenticaton during an IKE rekey. (Default)</description> - </valueHelp> - <constraint> - <regex>^(yes|no)$</regex> - </constraint> - </properties> - </leafNode> - <leafNode name="key-exchange"> - <properties> - <help>Key Exchange Version</help> - <completionHelp> - <list>ikev1 ikev2</list> - </completionHelp> - <valueHelp> - <format>ikev1</format> - <description>Use IKEv1 for Key Exchange [DEFAULT]</description> - </valueHelp> - <valueHelp> - <format>ikev2</format> - <description>Use IKEv2 for Key Exchange</description> - </valueHelp> - <constraint> - <regex>^(ikev1|ikev2)$</regex> - </constraint> - </properties> - </leafNode> - <leafNode name="lifetime"> - <properties> - <help>IKE lifetime</help> - <valueHelp> - <format>u32:30-86400</format> - <description>IKE lifetime in seconds (default 28800)</description> - </valueHelp> - <constraint> - <validator name="numeric" argument="--range 30-86400"/> - </constraint> - </properties> - </leafNode> - <leafNode name="mobike"> - <properties> - <help>Enable MOBIKE Support. MOBIKE is only available for IKEv2.</help> - <completionHelp> - <list>enable disable</list> - </completionHelp> - <valueHelp> - <format>enable</format> - <description>Enable MOBIKE (default for IKEv2)</description> - </valueHelp> - <valueHelp> - <format>disable</format> - <description>Disable MOBIKE</description> - </valueHelp> - <constraint> - <regex>^(enable|disable)$</regex> - </constraint> - </properties> - </leafNode> - <leafNode name="mode"> - <properties> - <help>IKEv1 Phase 1 Mode Selection</help> - <completionHelp> - <list>main aggressive</list> - </completionHelp> - <valueHelp> - <format>main</format> - <description>Use Main mode for Key Exchanges in the IKEv1 Protocol (Recommended Default)</description> - </valueHelp> - <valueHelp> - <format>aggressive</format> - <description>Use Aggressive mode for Key Exchanges in the IKEv1 protocol - We do not recommend users to use aggressive mode as it is much more insecure compared to Main mode.</description> - </valueHelp> - <constraint> - <regex>^(main|aggressive)$</regex> - </constraint> - </properties> - </leafNode> - <tagNode name="proposal"> - <properties> - <help>proposal_help</help> - <valueHelp> - <format>u32:1-65535</format> - <description>IKE-group proposal</description> - </valueHelp> - </properties> - <children> - <leafNode name="dh-group"> - <properties> - <help>dh-grouphelp</help> - <completionHelp> - <list>1 2 5 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32</list> - </completionHelp> - <valueHelp> - <format>1</format> - <description>Diffie-Hellman group 1 (modp768)</description> - </valueHelp> - <valueHelp> - <format>2</format> - <description>Diffie-Hellman group 2 (modp1024)</description> - </valueHelp> - <valueHelp> - <format>5</format> - <description>Diffie-Hellman group 5 (modp1536)</description> - </valueHelp> - <valueHelp> - <format>14</format> - <description>Diffie-Hellman group 14 (modp2048)</description> - </valueHelp> - <valueHelp> - <format>15</format> - <description>Diffie-Hellman group 15 (modp3072)</description> - </valueHelp> - <valueHelp> - <format>16</format> - <description>Diffie-Hellman group 16 (modp4096)</description> - </valueHelp> - <valueHelp> - <format>17</format> - <description>Diffie-Hellman group 17 (modp6144)</description> - </valueHelp> - <valueHelp> - <format>18</format> - <description>Diffie-Hellman group 18 (modp8192)</description> - </valueHelp> - <valueHelp> - <format>19</format> - <description>Diffie-Hellman group 19 (ecp256)</description> - </valueHelp> - <valueHelp> - <format>20</format> - <description>Diffie-Hellman group 20 (ecp384)</description> - </valueHelp> - <valueHelp> - <format>21</format> - <description>Diffie-Hellman group 21 (ecp521)</description> - </valueHelp> - <valueHelp> - <format>22</format> - <description>Diffie-Hellman group 22 (modp1024s160)</description> - </valueHelp> - <valueHelp> - <format>23</format> - <description>Diffie-Hellman group 23 (modp2048s224)</description> - </valueHelp> - <valueHelp> - <format>24</format> - <description>Diffie-Hellman group 24 (modp2048s256)</description> - </valueHelp> - <valueHelp> - <format>25</format> - <description>Diffie-Hellman group 25 (ecp192)</description> - </valueHelp> - <valueHelp> - <format>26</format> - <description>Diffie-Hellman group 26 (ecp224)</description> - </valueHelp> - <valueHelp> - <format>27</format> - <description>Diffie-Hellman group 27 (ecp224bp)</description> - </valueHelp> - <valueHelp> - <format>28</format> - <description>Diffie-Hellman group 28 (ecp256bp)</description> - </valueHelp> - <valueHelp> - <format>29</format> - <description>Diffie-Hellman group 29 (ecp384bp)</description> - </valueHelp> - <valueHelp> - <format>30</format> - <description>Diffie-Hellman group 30 (ecp512bp)</description> - </valueHelp> - <valueHelp> - <format>31</format> - <description>Diffie-Hellman group 31 (curve25519)</description> - </valueHelp> - <valueHelp> - <format>32</format> - <description>Diffie-Hellman group 32 (curve448)</description> - </valueHelp> - <constraint> - <regex>^(1|2|5|14|15|16|17|18|19|20|21|22|23|24|25|26|27|28|29|30|31|32)$</regex> - </constraint> - </properties> - </leafNode> - #include <include/vpn-ipsec-encryption.xml.i> - #include <include/vpn-ipsec-hash.xml.i> - </children> - </tagNode> - </children> - </tagNode> - <leafNode name="include-ipsec-conf"> - <properties> - <help>Sets to include an additional configuration directive file for strongSwan. Use an absolute path to specify the included file</help> - </properties> - </leafNode> - <leafNode name="include-ipsec-secrets"> - <properties> - <help>Sets to include an additional secrets file for strongSwan. Use an absolute path to specify the included file.</help> - </properties> - </leafNode> - <node name="ipsec-interfaces"> - <properties> - <help>Interface to use for VPN [REQUIRED]</help> - </properties> - <children> - <leafNode name="interface"> - <properties> - <help>IPsec interface [REQUIRED]</help> - <completionHelp> - <script>${vyos_completion_dir}/list_interfaces.py</script> - </completionHelp> - <multi/> - </properties> - </leafNode> - </children> - </node> - <node name="logging"> - <properties> - <help>IPsec logging</help> - </properties> - <children> - <leafNode name="log-level"> - <properties> - <help>strongSwan Logger Level</help> - <valueHelp> - <format>u32:0-2</format> - <description>Logger Verbosity Level (default 0)</description> - </valueHelp> - <constraint> - <validator name="numeric" argument="--range 0-2"/> - </constraint> - </properties> - </leafNode> - <leafNode name="log-modes"> - <properties> - <help>Log mode. To see what each log mode exactly does, please refer to the strongSwan documentation</help> - <completionHelp> - <list>dmn mgr ike chd job cfg knl net asn enc lib esp tls tnc imc imv pts any</list> - </completionHelp> - <valueHelp> - <format>dmn</format> - <description>Debug log option for strongSwan</description> - </valueHelp> - <valueHelp> - <format>mgr</format> - <description>Debug log option for strongSwan</description> - </valueHelp> - <valueHelp> - <format>ike</format> - <description>Debug log option for strongSwan</description> - </valueHelp> - <valueHelp> - <format>chd</format> - <description>Debug log option for strongSwan</description> - </valueHelp> - <valueHelp> - <format>job</format> - <description>Debug log option for strongSwan</description> - </valueHelp> - <valueHelp> - <format>cfg</format> - <description>Debug log option for strongSwan</description> - </valueHelp> - <valueHelp> - <format>knl</format> - <description>Debug log option for strongSwan</description> - </valueHelp> - <valueHelp> - <format>net</format> - <description>Debug log option for strongSwan</description> - </valueHelp> - <valueHelp> - <format>asn</format> - <description>Debug log option for strongSwan</description> - </valueHelp> - <valueHelp> - <format>enc</format> - <description>Debug log option for strongSwan</description> - </valueHelp> - <valueHelp> - <format>lib</format> - <description>Debug log option for strongSwan</description> - </valueHelp> - <valueHelp> - <format>esp</format> - <description>Debug log option for strongSwan</description> - </valueHelp> - <valueHelp> - <format>tls</format> - <description>Debug log option for strongSwan</description> - </valueHelp> - <valueHelp> - <format>tnc</format> - <description>Debug log option for strongSwan</description> - </valueHelp> - <valueHelp> - <format>imc</format> - <description>Debug log option for strongSwan</description> - </valueHelp> - <valueHelp> - <format>imv</format> - <description>Debug log option for strongSwan</description> - </valueHelp> - <valueHelp> - <format>pts</format> - <description>Debug log option for strongSwan</description> - </valueHelp> - <valueHelp> - <format>any</format> - <description>Debug log option for strongSwan</description> - </valueHelp> - <constraint> - <regex>^(dmn|mgr|ike|chd|job|cfg|knl|net|asn|enc|lib|esp|tls|tnc|imc|imv|pts|any)$</regex> - </constraint> - <multi/> - </properties> - </leafNode> - </children> - </node> - <node name="nat-networks"> - <properties> - <help>Network Address Translation (NAT) networks</help> - </properties> - <children> - <tagNode name="allowed-network"> - <properties> - <help>NAT networks to allow</help> - <valueHelp> - <format>ipv4net</format> - <description>NAT networks to allow</description> - </valueHelp> - <constraint> - <validator name="ip-prefix"/> - </constraint> - </properties> - <children> - <leafNode name="exclude"> - <properties> - <help>NAT networks to exclude from allowed-networks</help> - <valueHelp> - <format>ipv4net</format> - <description>NAT networks to exclude from allowed-networks</description> - </valueHelp> - <constraint> - <validator name="ip-prefix"/> - </constraint> - <multi/> - </properties> - </leafNode> - </children> - </tagNode> - </children> - </node> - <leafNode name="nat-traversal"> - <properties> - <help>Network Address Translation (NAT) traversal</help> - <completionHelp> - <list>disable enable</list> - </completionHelp> - <valueHelp> - <format>disable</format> - <description>Disable NAT-T</description> - </valueHelp> - <valueHelp> - <format>enable</format> - <description>Enable NAT-T</description> - </valueHelp> - <constraint> - <regex>^(disable|enable)$</regex> - </constraint> - </properties> - </leafNode> - <node name="options"> - <properties> - <help>Global IPsec settings</help> - </properties> - <children> - <leafNode name="disable-route-autoinstall"> - <properties> - <help>Do not automatically install routes to remote networks</help> - <valueless/> - </properties> - </leafNode> - </children> - </node> - <tagNode name="profile"> - <properties> - <help>VPN IPSec Profile</help> - </properties> - <children> - <node name="authentication"> - <properties> - <help>Authentication [REQUIRED]</help> - </properties> - <children> - <node name="mode"> - <properties> - <help>Authentication mode</help> - </properties> - <children> - <leafNode name="pre-shared-secret"> - <properties> - <help>Use pre-shared secret key</help> - <valueless/> - </properties> - </leafNode> - </children> - </node> - <leafNode name="pre-shared-secret"> - <properties> - <help>Pre-shared secret key</help> - <valueHelp> - <format>txt</format> - <description>Pre-shared secret key</description> - </valueHelp> - </properties> - </leafNode> - </children> - </node> - <node name="bind"> - <properties> - <help>DMVPN crypto configuration</help> - </properties> - <children> - <leafNode name="bind_child"> - <properties> - <help>bind_child_help</help> - <valueless/> - </properties> - </leafNode> - </children> - </node> - <leafNode name="esp-group"> - <properties> - <help>Esp group name [REQUIRED]</help> - <completionHelp> - <path>vpn ipsec esp-group</path> - </completionHelp> - </properties> - </leafNode> - <leafNode name="ike-group"> - <properties> - <help>Ike group name [REQUIRED]</help> - <completionHelp> - <path>vpn ipsec ike-group</path> - </completionHelp> - </properties> - </leafNode> - </children> - </tagNode> - <node name="site-to-site"> - <properties> - <help>Site to site VPN</help> - </properties> - <children> - <tagNode name="peer"> - <properties> - <help>VPN peer</help> - <valueHelp> - <format>ipv4</format> - <description>IPv4 address of the peer</description> - </valueHelp> - <valueHelp> - <format>ipv6</format> - <description>IPv6 address of the peer</description> - </valueHelp> - <valueHelp> - <format>txt</format> - <description>Hostname of the peer</description> - </valueHelp> - <valueHelp> - <format><@text></format> - <description>ID of the peer</description> - </valueHelp> - </properties> - <children> - <node name="authentication"> - <properties> - <help>Peer authentication [REQUIRED]</help> - </properties> - <children> - <leafNode name="id"> - <properties> - <help>ID for peer authentication</help> - <valueHelp> - <format>txt</format> - <description>ID used for peer authentication</description> - </valueHelp> - </properties> - </leafNode> - <leafNode name="mode"> - <properties> - <help>Authentication mode</help> - <completionHelp> - <list>pre-shared-secret rsa x509</list> - </completionHelp> - <valueHelp> - <format>pre-shared-secret</format> - <description>pre-shared-secret_description</description> - </valueHelp> - <valueHelp> - <format>rsa</format> - <description>rsa_description</description> - </valueHelp> - <valueHelp> - <format>x509</format> - <description>x509_description</description> - </valueHelp> - <constraint> - <regex>^(pre-shared-secret|rsa|x509)$</regex> - </constraint> - </properties> - </leafNode> - <leafNode name="pre-shared-secret"> - <properties> - <help>Pre-shared secret key</help> - <valueHelp> - <format>txt</format> - <description>Pre-shared secret key</description> - </valueHelp> - </properties> - </leafNode> - <leafNode name="remote-id"> - <properties> - <help>ID for remote authentication</help> - <valueHelp> - <format>txt</format> - <description>ID used for peer authentication</description> - </valueHelp> - </properties> - </leafNode> - <leafNode name="rsa-key-name"> - <properties> - <help>RSA key name</help> - </properties> - </leafNode> - <leafNode name="use-x509-id"> - <properties> - <help>Use certificate common name as ID</help> - <valueless/> - </properties> - </leafNode> - <node name="x509"> - <properties> - <help>X.509 certificate</help> - </properties> - <children> - #include <include/certificate.xml.i> - #include <include/certificate-ca.xml.i> - <leafNode name="crl-file"> - <properties> - <help>File containing the X.509 Certificate Revocation List (CRL)</help> - <valueHelp> - <format>txt</format> - <description>File in /config/auth</description> - </valueHelp> - </properties> - </leafNode> - <node name="key"> - <properties> - <help>Key file and password to open it</help> - </properties> - <children> - <leafNode name="file"> - <properties> - <help>File containing the private key for the X.509 certificate for this host</help> - <valueHelp> - <format>txt</format> - <description>File in /config/auth</description> - </valueHelp> - </properties> - </leafNode> - <leafNode name="password"> - <properties> - <help>Password that protects the private key</help> - <valueHelp> - <format>txt</format> - <description>Password that protects the private key</description> - </valueHelp> - </properties> - </leafNode> - </children> - </node> - </children> - </node> - </children> - </node> - <leafNode name="connection-type"> - <properties> - <help>Connection type</help> - <completionHelp> - <list>initiate respond</list> - </completionHelp> - <valueHelp> - <format>initiate</format> - <description>initiate_description</description> - </valueHelp> - <valueHelp> - <format>respond</format> - <description>respond_description</description> - </valueHelp> - <constraint> - <regex>^(initiate|respond)$</regex> - </constraint> - </properties> - </leafNode> - <leafNode name="default-esp-group"> - <properties> - <help>Defult ESP group name</help> - </properties> - </leafNode> - <leafNode name="description"> - <properties> - <help>VPN peer description</help> - <valueless/> - </properties> - </leafNode> - <leafNode name="dhcp-interface"> - <properties> - <help>DHCP interface to listen on</help> - <valueless/> - </properties> - </leafNode> - <leafNode name="force-encapsulation"> - <properties> - <help>Force UDP Encapsulation for ESP Payloads</help> - <completionHelp> - <list>enable disable</list> - </completionHelp> - <valueHelp> - <format>enable</format> - <description>This endpoint will force UDP encapsulation for this peer</description> - </valueHelp> - <valueHelp> - <format>disable</format> - <description>This endpoint will not force UDP encapsulation for this peer</description> - </valueHelp> - <constraint> - <regex>^(enable|disable)$</regex> - </constraint> - </properties> - </leafNode> - <leafNode name="ike-group"> - <properties> - <help>Internet Key Exchange (IKE) group name [REQUIRED]</help> - <completionHelp> - <path>vpn ipsec ike-group</path> - </completionHelp> - </properties> - </leafNode> - <leafNode name="ikev2-reauth"> - <properties> - <help>Re-authentication of the remote peer during an IKE re-key. IKEv2 option only</help> - <completionHelp> - <list>yes no inherit</list> - </completionHelp> - <valueHelp> - <format>yes</format> - <description>Enable remote host re-autentication during an IKE re-key. Currently broken due to a strong swan bug</description> - </valueHelp> - <valueHelp> - <format>no</format> - <description>Disable remote host re-authenticaton during an IKE re-key.</description> - </valueHelp> - <valueHelp> - <format>inherit</format> - <description>Inherit the reauth configuration form your IKE-group (Default)</description> - </valueHelp> - <constraint> - <regex>^(yes|no|inherit)$</regex> - </constraint> - </properties> - </leafNode> - <leafNode name="local-address"> - <properties> - <help>IPv4 or IPv6 address of a local interface to use for VPN</help> - <completionHelp> - <list>any</list> - </completionHelp> - <valueHelp> - <format>ipv4</format> - <description>IPv4 address of a local interface for VPN</description> - </valueHelp> - <valueHelp> - <format>ipv6</format> - <description>IPv6 address of a local interface for VPN</description> - </valueHelp> - <valueHelp> - <format>any</format> - <description>Allow any IPv4 address present on the system to be used for VPN</description> - </valueHelp> - <constraint> - <validator name="ipv4-address"/> - <validator name="ipv6-address"/> - <regex>^(any)$</regex> - </constraint> - </properties> - </leafNode> - <tagNode name="tunnel"> - <properties> - <help>Peer tunnel [REQUIRED]</help> - <valueHelp> - <format>u32</format> - <description>Peer tunnel [REQUIRED]</description> - </valueHelp> - </properties> - <children> - <leafNode name="allow-nat-networks"> - <properties> - <help>Option to allow NAT networks</help> - <completionHelp> - <list>enable disable</list> - </completionHelp> - <valueHelp> - <format>enable</format> - <description>Enable NAT networks</description> - </valueHelp> - <valueHelp> - <format>disable</format> - <description>Disable NAT networks (default)</description> - </valueHelp> - <constraint> - <regex>^(enable|disable)$</regex> - </constraint> - </properties> - </leafNode> - <leafNode name="allow-public-networks"> - <properties> - <help>Option to allow public networks</help> - <completionHelp> - <list>enable disable</list> - </completionHelp> - <valueHelp> - <format>enable</format> - <description>Enable public networks</description> - </valueHelp> - <valueHelp> - <format>disable</format> - <description>Disable public networks (default)</description> - </valueHelp> - <constraint> - <regex>^(enable|disable)$</regex> - </constraint> - </properties> - </leafNode> - #include <include/generic-disable-node.xml.i> - <leafNode name="esp-group"> - <properties> - <help>ESP group name</help> - <completionHelp> - <path>vpn ipsec esp-group</path> - </completionHelp> - </properties> - </leafNode> - <node name="local"> - <properties> - <help>Local parameters for interesting traffic</help> - </properties> - <children> - <leafNode name="port"> - <properties> - <help>Any TCP or UDP port</help> - <valueHelp> - <format>port name</format> - <description>Named port (any name in /etc/services, e.g., http)</description> - </valueHelp> - <valueHelp> - <format>u32:1-65535</format> - <description>Numbered port</description> - </valueHelp> - </properties> - </leafNode> - <leafNode name="prefix"> - <properties> - <help>Local IPv4 or IPv6 prefix</help> - <valueHelp> - <format>ipv4</format> - <description>Local IPv4 prefix</description> - </valueHelp> - <valueHelp> - <format>ipv6</format> - <description>Local IPv6 prefix</description> - </valueHelp> - <constraint> - <validator name="ipv4-prefix"/> - <validator name="ipv6-prefix"/> - </constraint> - </properties> - </leafNode> - </children> - </node> - <leafNode name="protocol"> - <properties> - <help>Protocol to encrypt</help> - <valueless/> - </properties> - </leafNode> - <node name="remote"> - <properties> - <help>Remote parameters for interesting traffic</help> - </properties> - <children> - <leafNode name="port"> - <properties> - <help>Any TCP or UDP port</help> - <valueHelp> - <format>port name</format> - <description>Named port (any name in /etc/services, e.g., http)</description> - </valueHelp> - <valueHelp> - <format>u32:1-65535</format> - <description>Numbered port</description> - </valueHelp> - </properties> - </leafNode> - <leafNode name="prefix"> - <properties> - <help>Remote IPv4 or IPv6 prefix</help> - <valueHelp> - <format>ipv4</format> - <description>Remote IPv4 prefix</description> - </valueHelp> - <valueHelp> - <format>ipv6</format> - <description>Remote IPv6 prefix</description> - </valueHelp> - <constraint> - <validator name="ipv4-prefix"/> - <validator name="ipv6-prefix"/> - </constraint> - </properties> - </leafNode> - </children> - </node> - </children> - </tagNode> - <node name="vti"> - <properties> - <help>Virtual tunnel interface [REQUIRED]</help> - </properties> - <children> - <leafNode name="bind"> - <properties> - <help>VTI tunnel interface associated with this configuration [REQUIRED]</help> - </properties> - </leafNode> - <leafNode name="esp-group"> - <properties> - <help>ESP group name [REQUIRED]</help> - <completionHelp> - <path>vpn ipsec esp-group</path> - </completionHelp> - </properties> - </leafNode> - </children> - </node> - </children> - </tagNode> - </children> - </node> - </children> - </node> - </children> - </node> -</interfaceDefinition> diff --git a/src/conf_mode/vpn_ipsec.py b/src/conf_mode/vpn_ipsec.py deleted file mode 100755 index 969266c30..000000000 --- a/src/conf_mode/vpn_ipsec.py +++ /dev/null @@ -1,67 +0,0 @@ -#!/usr/bin/env python3 -# -# Copyright (C) 2020 VyOS maintainers and contributors -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 or later as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see <http://www.gnu.org/licenses/>. - -import os - -from sys import exit - -from vyos.config import Config -from vyos.template import render -from vyos.util import call -from vyos.util import dict_search -from vyos import ConfigError -from vyos import airbag -from pprint import pprint -airbag.enable() - -def get_config(config=None): - if config: - conf = config - else: - conf = Config() - base = ['vpn', 'nipsec'] - if not conf.exists(base): - return None - - # retrieve common dictionary keys - ipsec = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True) - return ipsec - -def verify(ipsec): - if not ipsec: - return None - -def generate(ipsec): - if not ipsec: - return None - - return ipsec - -def apply(ipsec): - if not ipsec: - return None - - pprint(ipsec) - -if __name__ == '__main__': - try: - c = get_config() - verify(c) - generate(c) - apply(c) - except ConfigError as e: - print(e) - exit(1) |