Age | Commit message (Collapse) | Author |
|
|
|
openvpn: T56: remove strict checks for tls cert-file and key-file
|
|
This makes the tls cert-file and key-file optional and allows for more
advanced configurations via "openvpn-option", such as pkcs11 or pkcs12
options.
|
|
|
|
Previously during migration if one had used interface routes, the VRF based
ones got not migrated.
The following "old" VyOS 1.3 configuration did not get migrated:
set protocols static interface-route 10.20.0.0/24 next-hop-interface eth2 next-hop-vrf 'blue'
set protocols static interface-route 10.30.0.0/24 next-hop-interface br10 next-hop-vrf 'red'
set protocols vrf blue static interface-route 10.0.0.0/24 next-hop-interface eth1 next-hop-vrf 'default'
set protocols vrf red static interface-route 10.0.0.0/24 next-hop-interface eth1 next-hop-vrf 'default'
set vrf name blue table '3000'
set vrf name mgmt table '1000'
set vrf name red table '2000'
It must get migrated to:
set protocols static route 10.20.0.0/24 interface eth2 vrf 'blue'
set protocols static route 10.30.0.0/24 interface br10 vrf 'red'
set vrf name blue protocols static route 10.0.0.0/24 interface eth1 vrf 'default'
set vrf name blue table '3000'
set vrf name mgmt table '1000'
set vrf name red protocols static route 10.0.0.0/24 interface eth1 vrf 'default'
set vrf name red table '2000'
|
|
|
|
|
|
Commit a5cd877a0a ("ipsec: T2816: Migrate ipsec-settings.xml.in and charon.conf
to vpn_ipsec.py") unfortunately removed the dictionary definition for "data"
which is required when running the l2tp handler script.
|
|
|
|
|
|
bridge: op-mode: T3667: Moving VLANs and modifying XML errors
|
|
|
|
|
|
bridge: op-mode: T3667: Fix command line errors
|
|
|
|
op-mode: brctl: T3667: Using bridge command structure instead of brctl
|
|
|
|
When waiting for processes that don't take long,
we need add an inotify watcher _before_ starting that process.
The pre-hook arguments allows the user to pass a () -> () anonymous function
to be called before adding a watch.
|
|
|
|
pki: T3642: Migrate rsa-keys to PKI configuration
|
|
|
|
pki: ipsec: T3642: T1210: T2816: Add SANs to generated certificates, more IPSec remote-access features and fixes
|
|
Also adds check for the charon socket instead of an arbitrary sleep()
|
|
- Adds client/server authentication methods.
- Adds basic verification to remote-access.
- Adds DHCP pool and options to remote-access.
- Cleanup unused PKI files.
|
|
|
|
vyos.util method `dict_search_args` to allow for dot characters in keys.
|
|
|
|
pki: T3642: Add standard extensions to generated certificates
|
|
|
|
Keep the vyos.util function clean and not pull in the rest of the world
when importing it.
|
|
ipsec: T1210: T1251: IKEv2 road-warrior support
|
|
|
|
|
|
Used by both site2site and remote-access/road-warrior VPN connections.
|
|
|
|
|
|
|
|
|
|
|
|
A certificate "type" can be auto derived from the certificate itself.
|
|
set vpn ipsec esp-group ESP-RW compression 'disable'
set vpn ipsec esp-group ESP-RW lifetime '3600'
set vpn ipsec esp-group ESP-RW pfs 'disable'
set vpn ipsec esp-group ESP-RW proposal 10 encryption 'aes256'
set vpn ipsec esp-group ESP-RW proposal 10 hash 'sha256'
set vpn ipsec esp-group ESP-RW proposal 20 encryption 'aes256'
set vpn ipsec esp-group ESP-RW proposal 20 hash 'sha1'
set vpn ipsec ike-group IKE-RW key-exchange 'ikev2'
set vpn ipsec ike-group IKE-RW lifetime '10800'
set vpn ipsec ike-group IKE-RW mobike 'enable'
set vpn ipsec ike-group IKE-RW proposal 10 dh-group '2'
set vpn ipsec ike-group IKE-RW proposal 10 encryption 'aes256'
set vpn ipsec ike-group IKE-RW proposal 10 hash 'sha1'
set vpn ipsec ike-group IKE-RW proposal 20 dh-group '2'
set vpn ipsec ike-group IKE-RW proposal 20 encryption 'aes128'
set vpn ipsec ike-group IKE-RW proposal 20 hash 'sha1'
set vpn ipsec ipsec-interfaces interface 'dum0'
set vpn ipsec remote-access rw authentication id 'vyos'
set vpn ipsec remote-access rw authentication local-users username vyos password vyos
set vpn ipsec remote-access rw authentication x509 ca-certificate 'peer_172-18-254-202'
set vpn ipsec remote-access rw authentication x509 certificate 'peer_172-18-254-202'
set vpn ipsec remote-access rw description 'asdf'
set vpn ipsec remote-access rw esp-group 'ESP-RW'
set vpn ipsec remote-access rw ike-group 'IKE-RW'
|
|
Commit 32fab6c7c ("ipsec: T2816: provide esp and ike-group XML building block")
by accident added an IKEv2 road-warrior configuration to swanctl template.
The config blog was never activate as the CLI nodes are still missing. Still
unclean :(.
|
|
ipsec: T2816: Remove legacy vyatta code that references Openswan
|
|
|
|
This reverts commit fb1802111155b52c9d63a079e18127de76033678.
|
|
pki: T3642: Fix for correct method on encoding certificate request
|
|
|
|
|
|
|
|
|