Age | Commit message (Collapse) | Author |
|
|
|
|
|
Peer name must not contain dots and colons, otherwise
swanct can't generate correct configuration for swanctl.conf
This is used in connection names and child SA names
Add filter 'dot_colon_to_dash' which replace dots and colons
|
|
Remote access IP pools can now be defined at a global level and referenced
in IPSec remote-access connections. To defined a pool use:
set vpn ipsec remote-access pool global-ipv4 name-server '172.16.1.1'
set vpn ipsec remote-access pool global-ipv4 prefix '192.168.0.0/24'
set vpn ipsec remote-access pool global-ipv6 name-server '2001:db8::1'
set vpn ipsec remote-access pool global-ipv6 prefix '2001:db8:1000::/64'
A connection can then reference the pool:
set vpn ipsec remote-access connection foo pool 'global-ipv4'
set vpn ipsec remote-access connection foo pool 'global-ipv6'
|
|
... this enables a dual-stack IKEv2 VPN deployment.
|
|
update to use PKI.
|
|
|
|
- Adds client/server authentication methods.
- Adds basic verification to remote-access.
- Adds DHCP pool and options to remote-access.
- Cleanup unused PKI files.
|
|
|
|
|
|
set vpn ipsec esp-group ESP-RW compression 'disable'
set vpn ipsec esp-group ESP-RW lifetime '3600'
set vpn ipsec esp-group ESP-RW pfs 'disable'
set vpn ipsec esp-group ESP-RW proposal 10 encryption 'aes256'
set vpn ipsec esp-group ESP-RW proposal 10 hash 'sha256'
set vpn ipsec esp-group ESP-RW proposal 20 encryption 'aes256'
set vpn ipsec esp-group ESP-RW proposal 20 hash 'sha1'
set vpn ipsec ike-group IKE-RW key-exchange 'ikev2'
set vpn ipsec ike-group IKE-RW lifetime '10800'
set vpn ipsec ike-group IKE-RW mobike 'enable'
set vpn ipsec ike-group IKE-RW proposal 10 dh-group '2'
set vpn ipsec ike-group IKE-RW proposal 10 encryption 'aes256'
set vpn ipsec ike-group IKE-RW proposal 10 hash 'sha1'
set vpn ipsec ike-group IKE-RW proposal 20 dh-group '2'
set vpn ipsec ike-group IKE-RW proposal 20 encryption 'aes128'
set vpn ipsec ike-group IKE-RW proposal 20 hash 'sha1'
set vpn ipsec ipsec-interfaces interface 'dum0'
set vpn ipsec remote-access rw authentication id 'vyos'
set vpn ipsec remote-access rw authentication local-users username vyos password vyos
set vpn ipsec remote-access rw authentication x509 ca-certificate 'peer_172-18-254-202'
set vpn ipsec remote-access rw authentication x509 certificate 'peer_172-18-254-202'
set vpn ipsec remote-access rw description 'asdf'
set vpn ipsec remote-access rw esp-group 'ESP-RW'
set vpn ipsec remote-access rw ike-group 'IKE-RW'
|
|
Commit 32fab6c7c ("ipsec: T2816: provide esp and ike-group XML building block")
by accident added an IKEv2 road-warrior configuration to swanctl template.
The config blog was never activate as the CLI nodes are still missing. Still
unclean :(.
|
|
|
|
Commit 2d79a500 ("ipsec: T2816: add Jinja2 converter for ESP/IKE groups to
string") added a Jinja2 helper function which can be used to transform VyOS CLI
ESP and IKE key proposals into a strongSwan compatible string cipher.
This commit changes the IPSec implementation to make use of this new Jinja2
filter fubction/Python helper. This is required base work for better automated
tests (smoketests) but also for an IKEv2 road-warrior setup.
|
|
* use indent = 2
* prefer 'if foo.bar is defined' over 'if "bar" in foo'
|
|
* 'pki_ipsec' of https://github.com/sarthurdev/vyos-1x:
pki: ipsec: T3642: Update migration script to account for file permission issues
pki: ipsec: T3642: Migrate IPSec to use PKI configuration
pki: T3642: New PKI config and management
|
|
|
|
XFRM interfaces are similar to VTI devices in their basic functionality but
offer several advantages:
* No tunnel endpoint addresses have to be configured on the interfaces.
Compared to VTIs, which are layer 3 tunnel devices with mandatory endpoints,
this resolves issues with wildcard addresses (only one VTI with wildcard
endpoints is supported), avoids a 1:1 mapping between SAs and interfaces, and
easily allows SAs with multiple peers to share the same interface.
* Because there are no endpoint addresses, IPv4 and IPv6 SAs are supported on
the same interface (VTI devices only support one address family).
* IPsec modes other than tunnel are supported (VTI devices only support
tunnel mode).
* No awkward configuration via GRE keys and XFRM marks. Instead, a new identifier
(XFRM interface ID) links policies and SAs with XFRM interfaces.
|
|
selectors, and selectors with VTI.
|
|
|
|
|