summaryrefslogtreecommitdiff
path: root/interface-definitions/vpn_ipsec.xml.in
AgeCommit message (Collapse)Author
2021-07-25ipsec: T1210: add RADIUS authentication for remote-access IKEv2 VPNChristian Poessinger
set vpn ipsec remote-access connection rw authentication client-mode 'eap-radius' set vpn ipsec remote-access connection rw authentication id '192.0.2.1' set vpn ipsec remote-access connection rw authentication server-mode 'x509' set vpn ipsec remote-access connection rw authentication x509 ca-certificate 'CAcert_Class_3_Root' set vpn ipsec remote-access connection rw authentication x509 certificate 'vyos' set vpn ipsec remote-access connection rw esp-group 'ESP-RW' set vpn ipsec remote-access connection rw ike-group 'IKE-RW' set vpn ipsec remote-access connection rw local-address '192.0.2.1' set vpn ipsec remote-access connection rw pool 'ra-rw-ipv4' set vpn ipsec remote-access connection rw unique 'never' set vpn ipsec remote-access pool ra-rw-ipv4 name-server '192.0.2.2' set vpn ipsec remote-access pool ra-rw-ipv4 prefix '192.168.22.0/24' set vpn ipsec remote-access radius nas-identifier 'fooo' set vpn ipsec remote-access radius server 172.16.100.10 key 'secret'
2021-07-25ipsec: T1210: move DHCP server configuration unter remote-access nodeChristian Poessinger
As this is only related to remote-access, keeping it under "options" simply feels wrong.
2021-07-22ipsec: T2816: remove "auto-update" CLI optionChristian Poessinger
Update/refresh of DNS records is now handled internally by Strongswan.
2021-07-22xml: add building block for "local-users"Christian Poessinger
2021-07-19ipsec: T1210: add "unique" option to specify how to handle multiple connectionsChristian Poessinger
Connection uniqueness policy to enforce. To avoid multiple connections from the same user, a uniqueness policy can be enforced. * never: never enforce such a policy, even if a peer included INITIAL_CONTACT notification * keep: reject new connection attempts if the same user already has an active connection * replace: delete any existing connection if a new one for the same user gets established To compare connections for uniqueness, the remote IKE identity is used. If EAP or XAuth authentication is involved, the EAP-Identity or XAuth username is used to enforce the uniqueness policy instead.
2021-07-19ipsec: T1210: split out pool from remote-access configurationChristian Poessinger
Remote access IP pools can now be defined at a global level and referenced in IPSec remote-access connections. To defined a pool use: set vpn ipsec remote-access pool global-ipv4 name-server '172.16.1.1' set vpn ipsec remote-access pool global-ipv4 prefix '192.168.0.0/24' set vpn ipsec remote-access pool global-ipv6 name-server '2001:db8::1' set vpn ipsec remote-access pool global-ipv6 prefix '2001:db8:1000::/64' A connection can then reference the pool: set vpn ipsec remote-access connection foo pool 'global-ipv4' set vpn ipsec remote-access connection foo pool 'global-ipv6'
2021-07-18ipsec: T1210: remote-access pools can not hold both IPv4 and IPv6 prefixesChristian Poessinger
... this enables a dual-stack IKEv2 VPN deployment.
2021-07-17ipsec: T2816: migrate "ipsec interfaces" to "interface"Christian Poessinger
2021-07-17xml: provide common "pre-shared-secret" include blockChristian Poessinger
2021-07-17xml: provide common "dhcp-interface" include blockChristian Poessinger
2021-07-07pki: T3642: Migrate rsa-keys to PKI configurationsarthurdev
2021-07-05ipsec: T1210: T1251: Add more features to remote-access connectionssarthurdev
- Adds client/server authentication methods. - Adds basic verification to remote-access. - Adds DHCP pool and options to remote-access. - Cleanup unused PKI files.
2021-07-04ipsec: T2816: add completion helper for tunnel interfacesChristian Poessinger
2021-07-04ipsec: T1210: T1251: add "local" traffic-selector include definitionChristian Poessinger
Used by both site2site and remote-access/road-warrior VPN connections.
2021-07-04ipsec: T1210: T1251: add remote-access "name-server" definition to pool configChristian Poessinger
2021-07-04ipsec: T2816: add completion helper for VTI interfacesChristian Poessinger
2021-07-04ipsec: T2816: add include definition for ipsec local-addressChristian Poessinger
2021-07-04ipsec: T2816: use common building block/include for port definitionChristian Poessinger
2021-07-04ipsec: T1210: T1251: extend ra config with address pools/traffic selectorssarthurdev
2021-07-04ipsec: T1210: T1251: IKEv2 road-warrior supportChristian Poessinger
set vpn ipsec esp-group ESP-RW compression 'disable' set vpn ipsec esp-group ESP-RW lifetime '3600' set vpn ipsec esp-group ESP-RW pfs 'disable' set vpn ipsec esp-group ESP-RW proposal 10 encryption 'aes256' set vpn ipsec esp-group ESP-RW proposal 10 hash 'sha256' set vpn ipsec esp-group ESP-RW proposal 20 encryption 'aes256' set vpn ipsec esp-group ESP-RW proposal 20 hash 'sha1' set vpn ipsec ike-group IKE-RW key-exchange 'ikev2' set vpn ipsec ike-group IKE-RW lifetime '10800' set vpn ipsec ike-group IKE-RW mobike 'enable' set vpn ipsec ike-group IKE-RW proposal 10 dh-group '2' set vpn ipsec ike-group IKE-RW proposal 10 encryption 'aes256' set vpn ipsec ike-group IKE-RW proposal 10 hash 'sha1' set vpn ipsec ike-group IKE-RW proposal 20 dh-group '2' set vpn ipsec ike-group IKE-RW proposal 20 encryption 'aes128' set vpn ipsec ike-group IKE-RW proposal 20 hash 'sha1' set vpn ipsec ipsec-interfaces interface 'dum0' set vpn ipsec remote-access rw authentication id 'vyos' set vpn ipsec remote-access rw authentication local-users username vyos password vyos set vpn ipsec remote-access rw authentication x509 ca-certificate 'peer_172-18-254-202' set vpn ipsec remote-access rw authentication x509 certificate 'peer_172-18-254-202' set vpn ipsec remote-access rw description 'asdf' set vpn ipsec remote-access rw esp-group 'ESP-RW' set vpn ipsec remote-access rw ike-group 'IKE-RW'
2021-07-03ipsec: T2816: provide x509 certificate base auth building blocksChristian Poessinger
2021-07-03ipsec: T2816: provide esp and ike-group XML building blockChristian Poessinger
2021-07-03ipsec: T2816: rework log options for debuggingChristian Poessinger
Renamed CLI from "logging log-modes" to "log subsystem" and "logging log-level" to "log level". THat is more human firendly.
2021-07-03ipsec: T2816: remove default values from Jinja2 template and place them in XMLChristian Poessinger
VyOS has a known to work mechanism in supplying CLI default values into the Python configuration scripts. This commit removes hardcoded default values from the Jinja2 template and places them into the appropriate XML definitions. The big advantage is that the default value itself and the corresponding help string are located in the exact same file.
2021-07-03ipsec: T2816: rework IKE and ESP key assignmentChristian Poessinger
Commit 2d79a500 ("ipsec: T2816: add Jinja2 converter for ESP/IKE groups to string") added a Jinja2 helper function which can be used to transform VyOS CLI ESP and IKE key proposals into a strongSwan compatible string cipher. This commit changes the IPSec implementation to make use of this new Jinja2 filter fubction/Python helper. This is required base work for better automated tests (smoketests) but also for an IKEv2 road-warrior setup.
2021-07-02xml: provide building block for a generic description nodeChristian Poessinger
2021-06-29pki: ipsec: T3642: Migrate IPSec to use PKI configurationsarthurdev
2021-06-15ipsec: T2816: T645: T3613: Migrated IPsec to swanctl, includes multiple ↵sarthurdev
selectors, and selectors with VTI.
2021-06-12ipsec: T57: Support disable on peer, tunnel, dmvpn profilesarthurdev
2021-06-06ipsec: T3588: remove CLI options deprecated by strongSwanChristian Poessinger
- set vpn ipsec nat-traversal - set vpn ipsec nat-networks allowed-network
2021-06-05ipsec: T3093: drop superfluous top level priorityChristian Poessinger
2021-05-28ipsec: T2816: IPSec python rework, includes DMVPN and VTI supportSimon
2021-01-07xml: include: provide generic include for disable nodeChristian Poessinger
2020-12-29xml: T1466: provide common includes for SSL certificate CLI nodesChristian Poessinger
Gather all SSL certificate, ca and key nodes into a single representation of XML which can be #included into the XML definitions of the CLI interface to be rendered.
2020-12-27xml: fix valueHelp format stringsChristian Poessinger
A pre-defined list of common format strings to be used inside the <format> node of <valueHelp> is available from [1]. Adjust all currently in use <format> nodes to re-use the predefined strings over writing them on their own by even encapsulating the <> signs as &lt; and &gt;. [1]: https://github.com/vyos/vyatta-cfg/blob/5aec1a0429f2f/etc/bash_completion.d/vyatta-cfg#L515-L566
2020-12-12xml: use "u32:" keyword when identifying port rangesChristian Poessinger
This will render the completion help more nicely.
2020-12-01vpn: ipsec: T3093: add XML for vpn ipsec conf-modeViacheslav Hletenko