Age | Commit message | Author |
|
Commit 2d79a500 ("ipsec: T2816: add Jinja2 converter for ESP/IKE groups to
string") added a Jinja2 helper function which can be used to transform VyOS CLI
ESP and IKE key proposals into a strongSwan compatible string cipher.
This commit changes the IPSec implementation to make use of this new Jinja2
filter function/Python helper. This is required base work for better automated
tests (smoketests) but also for an IKEv2 road-warrior setup.
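For the conversion the commit describes, here is an added example (not code from vyos-1x, and not the project's actual filter) of a helper that turns a VyOS-style proposal tree into the cipher string strongSwan expects. The DH-group table, the function name and the assumed `sha256` PRF default are assumptions made here; the two caveats it encodes (an IKE proposal needs a DH group, and AEAD ciphers take no separate integrity algorithm in ESP but still need a PRF in IKE) are strongSwan's own rules.

```python
"""Turn VyOS-style ESP/IKE proposal trees into strongSwan cipher strings.

Added example; not code from vyos-1x. The mapping table, the default PRF
and the function name are assumptions made here for illustration.
"""
from typing import Optional

# IANA DH group number -> strongSwan keyword (assumed subset of the groups
# strongSwan understands; extend as needed).
DH_GROUPS = {
    "2": "modp1024", "5": "modp1536", "14": "modp2048", "15": "modp3072",
    "16": "modp4096", "17": "modp6144", "18": "modp8192",
    "19": "ecp256", "20": "ecp384", "21": "ecp521", "31": "curve25519",
}


def is_aead(encryption: str) -> bool:
    """AEAD ciphers carry their own integrity; strongSwan rejects an explicit
    integrity algorithm next to them in an ESP proposal."""
    return any(tag in encryption for tag in ("gcm", "ccm", "chacha20poly1305"))


def proposal_to_string(proposals: dict, *, ike: bool,
                       pfs_group: Optional[str] = None) -> str:
    """proposals: {"10": {"encryption": "aes256", "hash": "sha256",
                          "dh-group": "14"}, ...}  (CLI proposal number -> attrs)
    ike=True  -> IKE proposal string; every proposal must carry a dh-group
    ike=False -> ESP proposal string; pfs_group, if given, is the DH group
                 appended to every proposal (the ESP group's "pfs" setting)
    """
    parts = []
    for number in sorted(proposals, key=int):
        attrs = proposals[number]
        enc = attrs.get("encryption")
        if not enc:
            raise ValueError(f"proposal {number}: encryption is required")
        tokens = [enc]

        if is_aead(enc):
            if ike:
                # IKE with an AEAD cipher still needs a PRF; derive it from the
                # configured hash, defaulting to sha256 (assumed default).
                tokens.append("prf" + attrs.get("hash", "sha256"))
            # ESP + AEAD: no integrity token at all
        else:
            if "hash" not in attrs:
                raise ValueError(f"proposal {number}: hash is required for {enc}")
            tokens.append(attrs["hash"])

        group = attrs.get("dh-group") if ike else pfs_group
        if group is not None:
            if group not in DH_GROUPS:
                raise ValueError(f"proposal {number}: unknown DH group {group}")
            tokens.append(DH_GROUPS[group])
        elif ike:
            raise ValueError(f"proposal {number}: IKE proposals need a dh-group")

        parts.append("-".join(tokens))
    return ",".join(parts)


# To expose it as a Jinja2 filter, register it on the template environment,
# e.g. env.filters["proposal_to_string"] = proposal_to_string (filter name is
# an assumption) and write {{ ike.proposal | proposal_to_string(ike=True) }}.
```

Proposals are emitted in CLI number order, so the operator's preference order survives into the comma-separated list that strongSwan negotiates from.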
|
Remove python3-crypto dependency.
|
The IPSec certificate handling is now done by storing the CA key inside the
running configuration.
|
* 'pki_ipsec' of https://github.com/sarthurdev/vyos-1x:
pki: ipsec: T3642: Update migration script to account for file permission issues
pki: ipsec: T3642: Migrate IPSec to use PKI configuration
pki: T3642: New PKI config and management
|
Commit a6b526fd982 ("ipsec: T3643: us vyos.util.copy_file() over raw UNIX cp
command") used a new helper to copy the x509 certificate files, but it also
added a bug where the certificate key file was copied to the wrong location.
This has been fixed and the correct path is used again.
|
XFRM interfaces are similar to VTI devices in their basic functionality but
offer several advantages:
* No tunnel endpoint addresses have to be configured on the interfaces.
Compared to VTIs, which are layer 3 tunnel devices with mandatory endpoints,
this resolves issues with wildcard addresses (only one VTI with wildcard
endpoints is supported), avoids a 1:1 mapping between SAs and interfaces, and
easily allows SAs with multiple peers to share the same interface.
* Because there are no endpoint addresses, IPv4 and IPv6 SAs are supported on
the same interface (VTI devices only support one address family).
* IPsec modes other than tunnel are supported (VTI devices only support
tunnel mode).
* No awkward configuration via GRE keys and XFRM marks. Instead, a new identifier
(XFRM interface ID) links policies and SAs with XFRM interfaces.
|
The "v6only" CLI tree was not taken into account during validation.
vyos@vyos:~$ show configuration commands | grep bgp
set protocols bgp local-as '200'
set protocols bgp neighbor eth0.204 address-family ipv6-unicast
set protocols bgp neighbor eth0.204 interface v6only remote-as '100'
vyos@vyos:~$ show bgp ipv6 sum
IPv6 Unicast Summary:
BGP router identifier 172.18.254.201, local AS number 200 vrf-id 0
BGP table version 0
RIB entries 0, using 0 bytes of memory
Peers 1, using 21 KiB of memory
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd PfxSnt
eth0.204 4 100 99 99 0 0 0 01:35:07 0 0
Total number of neighbors 1
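The commit says the `v6only` subtree was skipped during validation. As an added example (not vyos-1x code), here is a neighbor check that looks for `remote-as` at every depth the CLI above allows, so a neighbor configured only as `interface v6only remote-as` passes while one with no `remote-as` anywhere is reported. The dict layout mirrors the `set` paths in the commit message; the function names and the peer-group handling are assumptions made here.

```python
"""Validate that every BGP neighbor has a remote-as, including the unnumbered
"interface" and "interface v6only" forms.

Added example; not vyos-1x code. The dict layout mirrors the CLI paths in
the commit message; function names are assumptions."""
from typing import Optional


def _search_depths(node: dict):
    """The three places the CLI lets remote-as / peer-group live:
       neighbor X <key>, neighbor X interface <key>,
       neighbor X interface v6only <key>  (the tree that was missed)"""
    iface = node.get("interface", {})
    return (node, iface, iface.get("v6only", {}))


def neighbor_remote_as(node: dict) -> Optional[str]:
    for sub in _search_depths(node):
        if "remote-as" in sub:
            return sub["remote-as"]
    return None


def neighbor_peer_group(node: dict) -> Optional[str]:
    for sub in _search_depths(node):
        if "peer-group" in sub:
            return sub["peer-group"]
    return None


def verify_bgp_neighbors(bgp: dict) -> list:
    """Return a list of error strings; an empty list means the neighbors are valid."""
    errors = []
    peer_groups = bgp.get("peer-group", {})
    for name, node in bgp.get("neighbor", {}).items():
        if neighbor_remote_as(node):
            continue
        pg = neighbor_peer_group(node)
        if pg is not None:
            if pg not in peer_groups:
                errors.append(f'neighbor {name}: peer-group "{pg}" does not exist')
                continue
            if neighbor_remote_as(peer_groups[pg]):
                continue
        errors.append(f'neighbor {name}: remote-as missing (not set directly, under '
                      f'"interface", under "interface v6only", or via a peer-group)')
    return errors


# Constructed config mirroring the "show configuration commands" output above.
SAMPLE_BGP = {
    "local-as": "200",
    "neighbor": {
        "eth0.204": {
            "address-family": {"ipv6-unicast": {}},
            "interface": {"v6only": {"remote-as": "100"}},
        }
    },
}

if __name__ == "__main__":
    print(verify_bgp_neighbors(SAMPLE_BGP) or "ok")
```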
|
This reverts commit 95bbbb8bed92a60a320ff255c8b8656145f3c540.
|
This is the completion of commit 50a742b5 ("IPSec: T3643: Fix path for
swanctl.conf file") that moves the generated swanctl file from non-volatile to
a volatile (tmpfs backed) storage like we do for all our configuration files.
Thus it is ensured after a reboot or service deprecation there are no accidental
leftovers from previous configurations stored on the system.
|
mdns: vrrp: T3635: Add ability to use mDNS repeater with VRRP
|
Because of a typo, change from `bind_to_all` to `bind-to-all`.
Refer to: interface-definitions/vrf.xml.in
|
selectors, and selectors with VTI.
|
(cherry picked from commit 1eb6aee88f411127175fdab031d896af1e1adbc3)
|
Some APNs require a username/password. Add CLI nodes (matching the PPPoE
syntax) for client authentication.
One APN would be the IPv4/IPv6 APN from Deutsche Telekom (Germany)
APN Name: Telekom Internet IPv6
APN: internet.v6.telekom
Username: telekom
Password: tm
(cherry picked from commit c667a45a8fb06cb76c907348c4f1e3ec708b6e03)
|
A validator is missing checking that if authentication is used on a PPPoE
interface, both username and password are set.
(cherry picked from commit 0361c3ac449f183476f7aee31439417d9f7f8012)
|
dhcp-interface
|
Fix for containers and networks names with hyphen in names.
We shouldn't mangle tagNode values.
|
nhrp: T3599: Migrate NHRP to XML/Python
|
ipsec: T2816: Fix typo from refactor
|
(cherry picked from commit 95cc2e4b4c11414cc71749af12abb575e96e5bd4)
|
Some application layer gateway (ALG) modules can be disabled during runtime
if required.
|
We do not need to query the actual configuration if the VTI peer is configured
or not. This can be done in a much simpler way by just checking if the
desired interface exists on the running system.
This is safe to do as the VTI priority is less than IPSec.
|
No need to call .keys() on a dict when searching for a key. Also drop the
unused "import os" call.
|
set service dhcp-server shared-network-name NET01 authoritative
set service dhcp-server shared-network-name NET01 subnet 10.0.0.0/24 default-router '10.0.0.1'
set service dhcp-server shared-network-name NET01 subnet 10.0.0.0/24 lease '86400'
set service dhcp-server shared-network-name NET01 subnet 10.0.0.0/24 range RNG01 start '10.0.0.60'
set service dhcp-server shared-network-name NET01 subnet 10.0.0.0/24 range RNG01 stop '10.0.0.70'
set service dhcp-server shared-network-name NET01 subnet 10.0.0.0/24 range RNG02 start '10.0.0.55'
set service dhcp-server shared-network-name NET01 subnet 10.0.0.0/24 range RNG02 stop '10.0.0.65'
Will result in a dhcpd.conf:
shared-network NET01 {
    authoritative;
    subnet 10.0.0.0 netmask 255.255.255.0 {
        option routers 10.0.0.1;
        default-lease-time 86400;
        max-lease-time 86400;
        range 10.0.0.60 10.0.0.70;
        range 10.0.0.55 10.0.0.65;
    }
    on commit {
        set shared-networkname = "NET01";
    }
}
This is not allowed by ISC DHCPd:
dhcpd[3307]: /run/dhcp-server/dhcpd.conf line 25: lease 10.0.0.63 is declared twice!
dhcpd[3307]: range 10.0.0.55 10.0.0.65;
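The failure above only surfaces when dhcpd parses the generated file, which is too late for a commit to be rejected cleanly. As an added example (not vyos-1x code), here is a range validator that catches the overlap at commit time, and also rejects ranges that fall outside the subnet, run backwards, or lack a start/stop. It generalises to any number of ranges, including a range nested entirely inside another; the dict layout follows the CLI paths in the commit message and the function names are assumptions made here.

```python
"""Reject overlapping DHCP ranges inside one subnet before dhcpd is handed a
config it would refuse ("lease ... is declared twice!").

Added example; not vyos-1x code. The dict layout follows the CLI paths in
the commit message; function names are assumptions."""
import ipaddress


def parse_range(name: str, rng: dict, subnet) -> tuple:
    """Return (start, stop) as ip_address objects, or raise ValueError when the
    range is malformed or falls outside the subnet."""
    try:
        start = ipaddress.ip_address(rng["start"])
        stop = ipaddress.ip_address(rng["stop"])
    except KeyError as missing:
        raise ValueError(f'range "{name}": {missing.args[0]} address missing') from None
    if {start.version, stop.version} != {subnet.version}:
        raise ValueError(f'range "{name}": address family does not match subnet {subnet}')
    if start not in subnet or stop not in subnet:
        raise ValueError(f'range "{name}": {start}-{stop} lies outside subnet {subnet}')
    if stop < start:
        raise ValueError(f'range "{name}": stop {stop} is before start {start}')
    return start, stop


def verify_ranges(subnet_cidr: str, ranges: dict) -> list:
    """ranges: {"RNG01": {"start": "10.0.0.60", "stop": "10.0.0.70"}, ...}
    Returns a list of error strings; an empty list means dhcpd will accept them."""
    subnet = ipaddress.ip_network(subnet_cidr, strict=False)
    errors, parsed = [], []
    for name, rng in ranges.items():
        try:
            parsed.append((name,) + parse_range(name, rng, subnet))
        except ValueError as err:
            errors.append(str(err))

    # Sort by start and remember the range reaching furthest so far: a range
    # overlaps some earlier one exactly when it starts at or before that
    # furthest stop. This also catches a range nested inside a larger one,
    # which a plain adjacent-pair comparison would miss.
    parsed.sort(key=lambda item: item[1])
    furthest = None
    for name, start, stop in parsed:
        if furthest is not None and start <= furthest[2]:
            errors.append(f'range "{name}" ({start}-{stop}) overlaps range '
                          f'"{furthest[0]}" ({furthest[1]}-{furthest[2]}) in subnet {subnet}')
        if furthest is None or stop > furthest[2]:
            furthest = (name, start, stop)
    return errors


# Constructed from the CLI in the commit message: RNG02 starts inside RNG01.
SAMPLE_RANGES = {
    "RNG01": {"start": "10.0.0.60", "stop": "10.0.0.70"},
    "RNG02": {"start": "10.0.0.55", "stop": "10.0.0.65"},
}

if __name__ == "__main__":
    for line in verify_ranges("10.0.0.0/24", SAMPLE_RANGES):
        print(line)
```

Because the checks run on the parsed CLI tree rather than on dhcpd's output, the same function covers IPv6 subnets without change.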
|
* t3579-conntrack:
conntrack: T3535: add conntrack-sync supported vyos-configd services
conntrack: T3579: initial implementation with XML and Python
|
Add XML for configuration mode firewall. Used for future rewriting it to Python style.
|