Age | Commit message (Collapse) | Author |
|
* 'pki_ipsec' of https://github.com/sarthurdev/vyos-1x:
pki: ipsec: T3642: Update migration script to account for file permission issues
pki: ipsec: T3642: Migrate IPSec to use PKI configuration
pki: T3642: New PKI config and management
|
|
Commit a6b526fd982 ("ipsec: T3643: us vyos.util.copy_file() over raw UNIX cp
command") used a new helper to copy the x509 certificate files, but it also
added a bug where the certificate key file was copied to the wrong location.
This has been fixed and the corect path is used again.
|
|
|
|
XFRM interfaces are similar to VTI devices in their basic functionality but
offer several advantages:
* No tunnel endpoint addresses have to be configured on the interfaces.
Compared to VTIs, which are layer 3 tunnel devices with mandatory endpoints,
this resolves issues with wildcard addresses (only one VTI with wildcard
endpoints is supported), avoids a 1:1 mapping between SAs and interfaces, and
easily allows SAs with multiple peers to share the same interface.
* Because there are no endpoint addresses, IPv4 and IPv6 SAs are supported on
the same interface (VTI devices only support one address family).
* IPsec modes other than tunnel are supported (VTI devices only support
tunnel mode).
* No awkward configuration via GRE keys and XFRM marks. Instead, a new identifier
(XFRM interface ID) links policies and SAs with XFRM interfaces.
|
|
|
|
|
|
This reverts commit 95bbbb8bed92a60a320ff255c8b8656145f3c540.
|
|
This is the completion of commit 50a742b5 ("IPSec: T3643: Fix path for
swanctl.conf file") that moves the generated swanctl file from non-volatile to
a volatile (tmpfs backed) storage like we do for all out configuration files.
Thus it is ensured after a reboot or service deprecation there are no accidential
leftovers from previous configurations stored on the system.
|
|
selectors, and selectors with VTI.
|
|
|
|
dhcp-interface
|
|
nhrp: T3599: Migrate NHRP to XML/Python
|
|
|
|
|
|
|
|
|
|
We do not need to query the actual configuration if the VTI peer is configured
or not. This can be done in a much more simples way by just checking if the
desired interface exists on the running system.
This is safe to do as the VTI priority is less then IPSec.
|
|
|
|
|
|
|
|
|
|
|