authorNataliia Solomko <natalirs1985@gmail.com>2024-10-02 16:18:32 +0300
committerNataliia Solomko <natalirs1985@gmail.com>2024-10-02 17:13:31 +0300
commit34bbc3be98d20b7ce704cc498f070e70bf8f0213 (patch)
tree4e4f7a7f38234e155283f490cb8dcda1a1365bf5 /src
parent6b7159f2927f004320c77043d0c819a6b660806d (diff)
ipsec: T6101: Add validation for proposal option used in IKE group
Diffstat (limited to 'src')
-rwxr-xr-xsrc/conf_mode/vpn_ipsec.py13
1 files changed, 13 insertions, 0 deletions
diff --git a/src/conf_mode/vpn_ipsec.py b/src/conf_mode/vpn_ipsec.py
index ca0c3657f..e22b7550c 100755
--- a/src/conf_mode/vpn_ipsec.py
+++ b/src/conf_mode/vpn_ipsec.py
@@ -214,6 +214,19 @@ def verify(ipsec):
else:
verify_interface_exists(ipsec, interface)
+ # need to use a pseudo-random function (PRF) with an authenticated encryption algorithm.
+ # If a hash algorithm is defined then it will be mapped to an equivalent PRF
+ if 'ike_group' in ipsec:
+ for _, ike_config in ipsec['ike_group'].items():
+ for proposal, proposal_config in ike_config.get('proposal', {}).items():
+ if 'encryption' in proposal_config and 'prf' not in proposal_config:
+ # list of hash algorithms that cannot be mapped to an equivalent PRF
+ algs = ['aes128gmac', 'aes192gmac', 'aes256gmac', 'sha256_96']
+ if 'hash' in proposal_config and proposal_config['hash'] in algs:
+ raise ConfigError(
+ f"A PRF algorithm is mandatory in IKE proposal {proposal}"
+ )
+
if 'l2tp' in ipsec:
if 'esp_group' in ipsec['l2tp']:
if 'esp_group' not in ipsec or ipsec['l2tp']['esp_group'] not in ipsec['esp_group']: