Age | Commit message (Collapse) | Author |
|
T4916: Rewrite IPsec peer authentication and psk migration
|
|
Some older VyOS 1.3 installations seem to use zero-length description fields.
Do not break them!
|
|
|
|
Adds CLI configuration options to configure RADIUS accounting for OpenConnect VPN sessions. This functionality cannot be used outside of the RADIUS OpenConnect VPN authentication mode
|
|
Rewrite strongswan IPsec authentication to reflect structure
from swanctl.conf
The most important change is that more than one local/remote ID in the
same auth entry should be allowed
replace: 'ipsec site-to-site peer <tag> authentication pre-shared-secret xxx'
=> 'ipsec authentication psk <tag> secret xxx'
set vpn ipsec authentication psk <tag> id '192.0.2.1'
set vpn ipsec authentication psk <tag> id '192.0.2.2'
set vpn ipsec authentication psk <tag> secret 'xxx'
set vpn ipsec site-to-site peer <tag> authentication local-id '192.0.2.1'
set vpn ipsec site-to-site peer <tag> authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer <tag> authentication remote-id '192.0.2.2'
Add template filter for Jinja2 'generate_uuid4'
|
|
|
|
T1297: VRRP: add garp options to vrrp
|
|
|
|
CLI expects ipv4net/ipv6net but the help strings only suggested it should be
ipv4/ipv6. This has been corrected.
|
|
Some ISPs seem to use the host-uniq flag to authenticate client equipment.
Add CLI option in VyOS to allow specification of the host-uniq flag.
set interfaces pppoe pppoeN host-uniq <value>
|
|
Whenever a container is used and a folder is mounted, this happenes as
read-write which is the default in Docker/Podman - so is the default in VyOS.
A new option is added "set container name foo volume mode <ro|rw>" to specify
explicitly if rw (default) or ro should be used for this mounted folder.
|
|
config-mgmt: T4942: rewrite vyatta-config-mgmt to Python/XML
|
|
|
|
|
|
|
|
|
|
ipsec: T4925: Added PRF into IKE group
|
|
T4857: SNMP: Implement FRR SNMP Recomendations
|
|
|
|
warning message
|
|
Added the possibility to configure Pseudo-Random Functions (PRF)
in IKE group
set vpn ipsec ike-group <Ike-grp> proposal <number> prf <PRF>
|
|
|
|
* Move CLI from "system ntp" -> "service ntp"
* Drop NTP server option preempt as not supported by chrony
|
|
If IPsec "peer <tag> authentication remote-id" is not set
it should be "%any" by default
https://docs.strongswan.org/docs/5.9/swanctl/swanctlConf.html#_connections_conn_remote
Set XML default value in use it in the python vpn_ipsec.py script
|
|
No need to have two distinct include blocks as one superseeds the other. Also
this makes the entire behavior of "description" CLI node simpler.
|
|
|
|
|
|
T4883: add a description field for routing tables
|
|
|
|
|
|
|
|
T4904: keepalived virtual-server allow multiple ports with fwmark
|
|
|
|
Allow multiple ports for high-availability virtual-server
The current implementation allows balance only one "virtual" address
and port between between several "real servers"
Allow matching "fwmark" to set traffic which should be balanced
Allow to set port 0 (all traffic) if we use "fwmark"
Add health-check script
set high-availability virtual-server 203.0.113.1 fwmark '111'
set high-availability virtual-server 203.0.113.1 real-server 192.0.2.11 health-check script '/bin/true'
set high-availability virtual-server 203.0.113.1 real-server 192.0.2.11 port '0'
|
|
T4893: Add ppp-options ipv6-interface-id for L2TP
|
|
Set fq-codel as the default queuing discipline for the shaper traffic-policy if
queue-type has not been configured.
fq-codel has been the default qdisc for OpenWRT as well as systemd (and thus
various linux distributions) for a decent while now. It has proven itself to be
a highly effective qdisc for fighting bufferbloat whilst maintaining high link
utilization. The combination of HTB + fq-codel has also seen wide deployment
in cases when additional traffic classification and/or rate/burst management
is required.
This change will allow the configuration of a shaper traffic-policy with
suitable defaults, saving the pain of having to specify fq-codel as a
queue-type for every class.
|
|
|
|
|
|
|
|
Add ppp-options IPv6 interface id for vpn L2TP
- fixed or random interface identifier for IPv6
- peer interface identifier for IPv6
- whether to accept peer’s interface identifier
set vpn l2tp remote-access ppp-options ipv6-accept-peer-intf-id
set vpn l2tp remote-access ppp-options ipv6-intf-id 'random'
set vpn l2tp remote-access ppp-options ipv6-peer-intf-id 'calling-sid'
|
|
I use dummy interfaces in a VRF as source-interfaces for VXLAN in order to force VXLAN send underlay UDP traffic through the VRF where the dummy interface resides.
However dummy interface has no mtu option so it always gets an MTU of 1500. This will cause an error when the mtu of dummy is not large enough for the VXLAN traffic.
Adding this option in the config template will solve this.
|
|
|
|
Instead of hardcoding the default protocol as TCP in the Python script we shall
use the XML based defaultValue approach instead. This also automatically exports
the default to the CLI completion helper.
|
|
Move PPPoE-server ppp-options XML ipv6-intf-id to 'include'
section accel-ppp
It allows to use the same code for different accel-ppp services
|
|
|
|
|
|
move from vfs to overlay driver
The following pre iage upgrade script must be executed to have containers after
the reboot:
for pod in $(cli-shell-api listActiveNodes container name); do
systemctl stop vyos-container-${pod//\'}.service
done
sed -i 's/vfs/overlay/g' /etc/containers/storage.conf /usr/share/vyos/templates/container/storage.conf.j2
rm -rf /usr/lib/live/mount/persistence/container/storage/libpod
for pod in $(cli-shell-api listActiveNodes container name); do
image=$(cli-shell-api returnActiveValue container name ${pod//\'} image)
podman image pull $image
systemctl start vyos-container-${pod//\'}.service
done
for dir in vfs vfs-containers vfs-images vfs-layers; do
rm -rf /usr/lib/live/mount/persistence/container/storage/$dir
done
|
|
|
|
T4832: dhcp: Add IPv6-only dhcp option support (RFC 8925)
|
|
T4780: Firewall: add firewall groups in firewall. Extend matching cri…
|