From ecdc9b1f0bf47b762669d8600aaddc5cfa5ed206 Mon Sep 17 00:00:00 2001 From: aapostoliuk Date: Thu, 16 Mar 2023 12:33:18 +0200 Subject: ipsec: T5043: Rewritten and fixed 'reset vpn' commands 1. Rewritten CLI of 'reset vpn' commands. 2. Created 'reset vpn ipsec remote-access' commands to reset RA IKEv2 session. 3. Created 'reset vpn ipsec site-to-site all' command to reset all configured IPSec site-to-site peers sessions. 4. Rewritten 'reset vpn l2t|pptp|sstp' commands to new opmode style. --- data/op-mode-standardized.json | 1 + op-mode-definitions/reset-vpn.xml.in | 120 +++++++++++++++++------------------ op-mode-definitions/vpn-ipsec.xml.in | 97 +++++++++++++++++++--------- src/op_mode/ipsec.py | 81 ++++++++++++++++++++--- src/op_mode/reset_vpn.py | 75 ++++++++++------------ 5 files changed, 230 insertions(+), 144 deletions(-) diff --git a/data/op-mode-standardized.json b/data/op-mode-standardized.json index 3b2599790..c7c67198e 100644 --- a/data/op-mode-standardized.json +++ b/data/op-mode-standardized.json @@ -17,6 +17,7 @@ "nhrp.py", "openconnect.py", "openvpn.py", +"reset_vpn.py", "route.py", "system.py", "ipsec.py", diff --git a/op-mode-definitions/reset-vpn.xml.in b/op-mode-definitions/reset-vpn.xml.in index 94ee1c7df..8de95d1cc 100644 --- a/op-mode-definitions/reset-vpn.xml.in +++ b/op-mode-definitions/reset-vpn.xml.in @@ -7,82 +7,78 @@ Reset Virtual Private Network (VPN) information - + - Reset remote access VPN connections + Reset L2TP server VPN sessions - Terminate all users current remote access VPN session(s) + Reset all L2TP server VPN sessions - - - - Terminate specified users current remote access VPN session(s) with specified protocol - - - - - Terminate all users current remote access VPN session(s) with L2TP protocol - - sudo ${vyos_op_scripts_dir}/reset_vpn.py --username="all_users" --protocol="l2tp" - - - - Terminate all users current remote access VPN session(s) with PPTP protocol - - sudo ${vyos_op_scripts_dir}/reset_vpn.py --username="all_users" --protocol="pptp" - - - - Terminate all users current remote access VPN session(s) with SSTP protocol - - sudo ${vyos_op_scripts_dir}/reset_vpn.py --username="all_users" --protocol="sstp" - - - - - sudo ${vyos_op_scripts_dir}/reset_vpn.py --username="all_users" + sudo ${vyos_op_scripts_dir}/reset_vpn.py reset_conn --protocol="l2tp" - Terminate a remote access VPN interface + Reset specified interface on L2TP VPN server - sudo ${vyos_op_scripts_dir}/reset_vpn.py --interface="$5" + sudo ${vyos_op_scripts_dir}/reset_vpn.py reset_conn --protocol="l2tp" --interface="$5" - Terminate specified users current remote access VPN session(s) + Reset specified user on L2TP VPN server - - - - Terminate specified users current remote access VPN session(s) with specified protocol - - - - - Terminate all users current remote access VPN session(s) with L2TP protocol - - sudo ${vyos_op_scripts_dir}/reset_vpn.py --username="$5" --protocol="l2tp" - - - - Terminate all users current remote access VPN session(s) with PPTP protocol - - sudo ${vyos_op_scripts_dir}/reset_vpn.py --username="$5" --protocol="pptp" - - - - Terminate all users current remote access VPN session(s) with SSTP protocol - - sudo ${vyos_op_scripts_dir}/reset_vpn.py --username="$5" --protocol="sstp" - - - - - sudo ${vyos_op_scripts_dir}/reset_vpn.py --username="$5" + sudo ${vyos_op_scripts_dir}/reset_vpn.py reset_conn --protocol="l2tp" --username="$5" + + + + + + Reset PPTP server VPN sessions + + + + + Reset all PPTP server VPN sessions + + sudo ${vyos_op_scripts_dir}/reset_vpn.py reset_conn --protocol="pptp" + + + + Reset specified interface on PPTP VPN server + + sudo ${vyos_op_scripts_dir}/reset_vpn.py reset_conn --protocol="pptp" --interface="$5" + + + + Reset specified user on PPTP VPN server + + sudo ${vyos_op_scripts_dir}/reset_vpn.py reset_conn --protocol="pptp" --username="$5" + + + + + + Reset SSTP server VPN sessions + + + + + Reset all SSTP server VPN sessions + + sudo ${vyos_op_scripts_dir}/reset_vpn.py reset_conn --protocol="sstp" + + + + Reset specified interface on SSTP VPN server + + sudo ${vyos_op_scripts_dir}/reset_vpn.py reset_conn --protocol="sstp" --interface="$5" + + + + Reset specified user on SSTP VPN server + + sudo ${vyos_op_scripts_dir}/reset_vpn.py reset_conn --protocol="sstp" --username="$5" diff --git a/op-mode-definitions/vpn-ipsec.xml.in b/op-mode-definitions/vpn-ipsec.xml.in index ee006a2d5..5baaec7ce 100644 --- a/op-mode-definitions/vpn-ipsec.xml.in +++ b/op-mode-definitions/vpn-ipsec.xml.in @@ -7,49 +7,88 @@ Reset Virtual Private Network (VPN) information - + - Reset all tunnels for given peer - - vpn ipsec site-to-site peer - + Reset IPSec VPN sessions - + - Reset a specific tunnel for given peer + Reset all tunnels for given DMVPN profile - vpn ipsec site-to-site peer ${COMP_WORDS[3]} tunnel + vpn ipsec profile - sudo ${vyos_op_scripts_dir}/ipsec.py reset_peer --peer="$4" --tunnel="$6" + + + + Reset a specific tunnel for given DMVPN profile + + sudo ${vyos_op_scripts_dir}/vpn_ipsec.py --action="reset-profile" --name="$6" --tunnel="$8" + + + sudo ${vyos_op_scripts_dir}/vpn_ipsec.py --action="reset-profile" --name="$6" --tunnel="all" - + - Reset the VTI tunnel for given peer + Reset remote access IPSec VPN connections - sudo ${vyos_op_scripts_dir}/ipsec.py reset_peer --peer="$4" --tunnel="vti" + + + + Reset all users current remote access IPSec VPN sessions + + sudo ${vyos_op_scripts_dir}/ipsec.py reset_ra + + + + Reset specified user current remote access IPsec VPN session(s) + + sudo ${vyos_op_scripts_dir}/ipsec.py reset_ra --user="$6" + + - - sudo ${vyos_op_scripts_dir}/ipsec.py reset_peer --peer="$4" - - - - Reset all tunnels for given DMVPN profile - - vpn ipsec profile - - - - + - Reset a specific tunnel for given DMVPN profile + Reset site-to-site IPSec VPN connections - sudo ${vyos_op_scripts_dir}/vpn_ipsec.py --action="reset-profile" --name="$4" --tunnel="$6" - + + + + Reset all site-to-site IPSec VPN sessions + + sudo ${vyos_op_scripts_dir}/ipsec.py reset_all_peers + + + + Reset all tunnels for given peer + + vpn ipsec site-to-site peer + + + + + + Reset a specific tunnel for given peer + + vpn ipsec site-to-site peer ${COMP_WORDS[5]} tunnel + + + sudo ${vyos_op_scripts_dir}/ipsec.py reset_peer --peer="$6" --tunnel="$8" + + + + Reset the VTI tunnel for given peer + + sudo ${vyos_op_scripts_dir}/ipsec.py reset_peer --peer="$6" --tunnel="vti" + + + sudo ${vyos_op_scripts_dir}/ipsec.py reset_peer --peer="$6" + + + - sudo ${vyos_op_scripts_dir}/vpn_ipsec.py --action="reset-profile" --name="$4" --tunnel="all" - + diff --git a/src/op_mode/ipsec.py b/src/op_mode/ipsec.py index 8e76f4cc0..6acde08ea 100755 --- a/src/op_mode/ipsec.py +++ b/src/op_mode/ipsec.py @@ -13,7 +13,6 @@ # # You should have received a copy of the GNU General Public License # along with this program. If not, see . - import re import sys import typing @@ -24,6 +23,7 @@ from tabulate import tabulate from vyos.util import convert_data from vyos.util import seconds_to_human +from vyos.configquery import ConfigTreeQuery import vyos.opmode import vyos.ipsec @@ -401,30 +401,91 @@ def _get_childsa_id_list(ike_sas: list) -> list: return list_childsa_id +def _get_all_sitetosite_peers_name_list() -> list: + """ + Return site-to-site peers configuration + :return: site-to-site peers configuration + :rtype: list + """ + conf: ConfigTreeQuery = ConfigTreeQuery() + config_path = ['vpn', 'ipsec', 'site-to-site', 'peer'] + peers_config = conf.get_config_dict(config_path, key_mangling=('-', '_'), + get_first_key=True, + no_tag_node_value_mangle=True) + peers_list: list = [] + for name in peers_config: + peers_list.append(name) + return peers_list + + def reset_peer(peer: str, tunnel: typing.Optional[str] = None): # Convert tunnel to Strongwan format of CHILD_SA + tunnel_sw = None if tunnel: if tunnel.isnumeric(): - tunnel = f'{peer}-tunnel-{tunnel}' + tunnel_sw = f'{peer}-tunnel-{tunnel}' elif tunnel == 'vti': - tunnel = f'{peer}-vti' + tunnel_sw = f'{peer}-vti' try: - sa_list: list = vyos.ipsec.get_vici_sas_by_name(peer, tunnel) - + sa_list: list = vyos.ipsec.get_vici_sas_by_name(peer, tunnel_sw) if not sa_list: - raise vyos.opmode.IncorrectValue('Peer not found, aborting') + raise vyos.opmode.IncorrectValue( + f'Peer\'s {peer} SA(s) not found, aborting') if tunnel and sa_list: childsa_id_list: list = _get_childsa_id_list(sa_list) if not childsa_id_list: raise vyos.opmode.IncorrectValue( - 'Peer or tunnel(s) not found, aborting') - vyos.ipsec.terminate_vici_by_name(peer, tunnel) - print('Peer reset result: success') + f'Peer {peer} tunnel {tunnel} SA(s) not found, aborting') + vyos.ipsec.terminate_vici_by_name(peer, tunnel_sw) + print(f'Peer {peer} reset result: success') except (vyos.ipsec.ViciInitiateError) as err: raise vyos.opmode.UnconfiguredSubsystem(err) - except (vyos.ipsec.ViciInitiateError) as err: + except (vyos.ipsec.ViciCommandError) as err: raise vyos.opmode.IncorrectValue(err) +def reset_all_peers(): + sitetosite_list = _get_all_sitetosite_peers_name_list() + if sitetosite_list: + for peer_name in sitetosite_list: + try: + reset_peer(peer_name) + except (vyos.opmode.IncorrectValue) as err: + print(err) + print('Peers reset result: success') + else: + raise vyos.opmode.UnconfiguredSubsystem( + 'VPN IPSec site-to-site is not configured, aborting') + +def _get_ra_session_list_by_username(username: typing.Optional[str] = None): + """ + Return list of remote-access IKE_SAs uniqueids + :param username: + :type username: + :return: + :rtype: + """ + list_sa_id = [] + sa_list = vyos.ipsec.get_vici_sas() + for sa_val in sa_list: + for sa in sa_val.values(): + if 'remote-eap-id' in sa: + if username: + if username == sa['remote-eap-id'].decode(): + list_sa_id.append(sa['uniqueid'].decode()) + else: + list_sa_id.append(sa['uniqueid'].decode()) + return list_sa_id + + +def reset_ra(username: typing.Optional[str] = None): + #Reset remote-access ipsec sessions + if username: + list_sa_id = _get_ra_session_list_by_username(username) + else: + list_sa_id = _get_ra_session_list_by_username() + if list_sa_id: + vyos.ipsec.terminate_vici_ikeid_list(list_sa_id) + def show_sa(raw: bool): sa_data = _get_raw_data_sas() diff --git a/src/op_mode/reset_vpn.py b/src/op_mode/reset_vpn.py index 3a0ad941c..46195d6cd 100755 --- a/src/op_mode/reset_vpn.py +++ b/src/op_mode/reset_vpn.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # -# Copyright (C) 2019 VyOS maintainers and contributors +# Copyright (C) 2022-2023 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as @@ -13,60 +13,49 @@ # # You should have received a copy of the GNU General Public License # along with this program. If not, see . - import sys -import argparse +import typing from vyos.util import run +import vyos.opmode + cmd_dict = { - 'cmd_base' : '/usr/bin/accel-cmd -p {} terminate {} {}', - 'vpn_types' : { - 'pptp' : 2003, - 'l2tp' : 2004, - 'sstp' : 2005 + 'cmd_base': '/usr/bin/accel-cmd -p {} terminate {} {}', + 'vpn_types': { + 'pptp': 2003, + 'l2tp': 2004, + 'sstp': 2005 } } -def terminate_sessions(username='', interface='', protocol=''): - # Reset vpn connections by username +def reset_conn(protocol: str, username: typing.Optional[str] = None, + interface: typing.Optional[str] = None): if protocol in cmd_dict['vpn_types']: - if username == "all_users": - run(cmd_dict['cmd_base'].format(cmd_dict['vpn_types'][protocol], 'all', '')) - else: - run(cmd_dict['cmd_base'].format(cmd_dict['vpn_types'][protocol], 'username', username)) - - # Reset vpn connections by ifname - elif interface: - for proto in cmd_dict['vpn_types']: - run(cmd_dict['cmd_base'].format(cmd_dict['vpn_types'][proto], 'if', interface)) - - elif username: - # Reset all vpn connections - if username == "all_users": - for proto in cmd_dict['vpn_types']: - run(cmd_dict['cmd_base'].format(cmd_dict['vpn_types'][proto], 'all', '')) + # Reset by Interface + if interface: + run(cmd_dict['cmd_base'].format(cmd_dict['vpn_types'][protocol], + 'if', interface)) + return + # Reset by username + if username: + run(cmd_dict['cmd_base'].format(cmd_dict['vpn_types'][protocol], + 'username', username)) + # Reset all else: - for proto in cmd_dict['vpn_types']: - run(cmd_dict['cmd_base'].format(cmd_dict['vpn_types'][proto], 'username', username)) - -def main(): - #parese args - parser = argparse.ArgumentParser() - parser.add_argument('--username', help='Terminate by username (all_users used for disconnect all users)', required=False) - parser.add_argument('--interface', help='Terminate by interface', required=False) - parser.add_argument('--protocol', help='Set protocol (pptp|l2tp|sstp)', required=False) - args = parser.parse_args() - - if args.username or args.interface: - terminate_sessions(username=args.username, interface=args.interface, protocol=args.protocol) + run(cmd_dict['cmd_base'].format(cmd_dict['vpn_types'][protocol], + 'all', + '')) else: - print("Param --username or --interface required") - sys.exit(1) - - terminate_sessions() + vyos.opmode.IncorrectValue('Unknown VPN Protocol, aborting') if __name__ == '__main__': - main() + try: + res = vyos.opmode.run(sys.modules[__name__]) + if res: + print(res) + except (ValueError, vyos.opmode.Error) as e: + print(e) + sys.exit(1) -- cgit v1.2.3