From b2bf1592189fb9298f2a68272418a132a73f37bf Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Sat, 3 Jul 2021 15:52:26 +0200 Subject: ipsec: T1210: T1251: IKEv2 road-warrior support set vpn ipsec esp-group ESP-RW compression 'disable' set vpn ipsec esp-group ESP-RW lifetime '3600' set vpn ipsec esp-group ESP-RW pfs 'disable' set vpn ipsec esp-group ESP-RW proposal 10 encryption 'aes256' set vpn ipsec esp-group ESP-RW proposal 10 hash 'sha256' set vpn ipsec esp-group ESP-RW proposal 20 encryption 'aes256' set vpn ipsec esp-group ESP-RW proposal 20 hash 'sha1' set vpn ipsec ike-group IKE-RW key-exchange 'ikev2' set vpn ipsec ike-group IKE-RW lifetime '10800' set vpn ipsec ike-group IKE-RW mobike 'enable' set vpn ipsec ike-group IKE-RW proposal 10 dh-group '2' set vpn ipsec ike-group IKE-RW proposal 10 encryption 'aes256' set vpn ipsec ike-group IKE-RW proposal 10 hash 'sha1' set vpn ipsec ike-group IKE-RW proposal 20 dh-group '2' set vpn ipsec ike-group IKE-RW proposal 20 encryption 'aes128' set vpn ipsec ike-group IKE-RW proposal 20 hash 'sha1' set vpn ipsec ipsec-interfaces interface 'dum0' set vpn ipsec remote-access rw authentication id 'vyos' set vpn ipsec remote-access rw authentication local-users username vyos password vyos set vpn ipsec remote-access rw authentication x509 ca-certificate 'peer_172-18-254-202' set vpn ipsec remote-access rw authentication x509 certificate 'peer_172-18-254-202' set vpn ipsec remote-access rw description 'asdf' set vpn ipsec remote-access rw esp-group 'ESP-RW' set vpn ipsec remote-access rw ike-group 'IKE-RW' --- data/templates/ipsec/swanctl.conf.tmpl | 18 ++++++++++++ data/templates/ipsec/swanctl/remote_access.tmpl | 37 +++++++++++++++++++++++++ 2 files changed, 55 insertions(+) create mode 100644 data/templates/ipsec/swanctl/remote_access.tmpl (limited to 'data') diff --git a/data/templates/ipsec/swanctl.conf.tmpl b/data/templates/ipsec/swanctl.conf.tmpl index cafe52e78..15c035688 100644 
--- a/data/templates/ipsec/swanctl.conf.tmpl +++ b/data/templates/ipsec/swanctl.conf.tmpl @@ -1,6 +1,7 @@ ### Autogenerated by vpn_ipsec.py ### {% import 'ipsec/swanctl/profile.tmpl' as profile_tmpl %} {% import 'ipsec/swanctl/peer.tmpl' as peer_tmpl %} +{% import 'ipsec/swanctl/remote_access.tmpl' as remote_access_tmpl %} connections { {% if profile is defined %} @@ -13,6 +14,11 @@ connections { {{ peer_tmpl.conn(peer, peer_conf, ike_group, esp_group) }} {% endfor %} {% endif %} +{% if remote_access is defined and remote_access is not none %} +{% for rw, rw_conf in remote_access.items() if rw_conf.disable is not defined %} +{{ remote_access_tmpl.conn(rw, rw_conf, ike_group, esp_group) }} +{% endfor %} +{% endif %} } secrets { @@ -60,5 +66,17 @@ secrets { {% endif %} {% endfor %} {% endif %} +{% if remote_access is defined %} +{% for ra, ra_conf in remote_access.items() if remote_access is defined %} +{% if ra_conf.authentication is defined and ra_conf.authentication.local_users is defined and ra_conf.authentication.local_users.username is defined %} +{% for user, user_conf in ra_conf.authentication.local_users.username.items() if user_conf.disable is not defined %} + eap-{{ ra }}-{{ user }} { + secret = "{{ user_conf.password }}" + id-{{ ra }}-{{ user }} = "{{ user }}" + } +{% endfor %} +{% endif %} +{% endfor %} +{% endif %} } diff --git a/data/templates/ipsec/swanctl/remote_access.tmpl b/data/templates/ipsec/swanctl/remote_access.tmpl new file mode 100644 index 000000000..89f6e343e --- /dev/null +++ b/data/templates/ipsec/swanctl/remote_access.tmpl 
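Review bot: The new secrets loop writes the EAP credentials of every remote-access instance even when that instance is disabled, whereas the connections loop added earlier in this file skips `rw_conf.disable`; the filter `{% for ra, ra_conf in remote_access.items() if remote_access is defined %}` is a no-op and should read `if ra_conf.disable is not defined` so that disabling an instance also retires its users' secrets. Note also that swanctl `eap` secrets are global and selected by the EAP identity, not bound to the `ra-<name>` connection, so the `eap-{{ ra }}-{{ user }}` naming does not scope a user to one instance; a comment such as `{# eap secrets are global in strongSwan: a user listed here can authenticate to any ra-* connection #}` would stop a reader assuming otherwise. Finally `secret = "{{ user_conf.password }}"` is emitted unescaped, so a password containing a double quote will most likely corrupt the generated file; escape it in the template or reject such values in the validator (not visible in this diff).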
@@ -0,0 +1,37 @@
+{% macro conn(name, rw_conf, ike_group, esp_group) %}
+{# peer needs to reference the global IKE configuration for certain values #}
+{% set ike = ike_group[rw_conf.ike_group] %}
+{% set esp = esp_group[rw_conf.esp_group] %}
+ ra-{{ name }} {
+ remote_addrs = %any
+ local_addrs = %any
+ proposals = {{ ike_group[rw_conf.ike_group] | get_esp_ike_cipher | join(',') }}
+ version = {{ ike.key_exchange[4:] if ike is defined and ike.key_exchange is defined else "0" }}
+ send_certreq = no
+ rekey_time = {{ ike.lifetime }}s
+ keyingtries = 0
+ local {
+ auth = pubkey
+{% if rw_conf.authentication is defined and rw_conf.authentication.id is defined and rw_conf.authentication.use_x509_id is not defined %}
+ id = "{{ rw_conf.authentication.id }}"
+{% endif %}
+{% if rw_conf.authentication is defined and rw_conf.authentication.x509 is defined and rw_conf.authentication.x509.certificate is defined %}
+ certs = {{ rw_conf.authentication.x509.certificate }}.pem
+{% endif %}
+ }
+ remote {
+ auth = eap-mschapv2
+ id = %any
+ eap_id = %any
+ }
+ children {
+ ikev2-vpn {
+ esp_proposals = {{ esp | get_esp_ike_cipher | join(',') }}
+ rekey_time = {{ esp.lifetime }}s
+ rand_time = 540s
+ local_ts = 0.0.0.0/0
+ dpd_action = clear
+ }
+ }
+ }
+{% endmacro %}
-- cgit v1.2.3
From 79f1c891f3ae72fae3028f114e652225a082d9ef Mon Sep 17 00:00:00 2001
From: sarthurdev <965089+sarthurdev@users.noreply.github.com>
Date: Sun, 4 Jul 2021 17:17:54 +0200
Subject: ipsec: T1210: T1251: extend ra config with address pools/traffic selectors
---
data/templates/ipsec/swanctl.conf.tmpl | 14 +++
data/templates/ipsec/swanctl/remote_access.tmpl | 9 +-
interface-definitions/vpn_ipsec.xml.in | 126 ++++++++++++++++++++++++
3 files changed, 146 insertions(+), 3 deletions(-)
(limited to 'data')
diff --git a/data/templates/ipsec/swanctl.conf.tmpl b/data/templates/ipsec/swanctl.conf.tmpl
index 15c035688..03f1e9942 100644
--- a/data/templates/ipsec/swanctl.conf.tmpl
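Review bot: `version = {{ ... else "0" }}` falls back to "any IKE version" when the ike-group has no `key_exchange`, yet the remote side is authenticated with `auth = eap-mschapv2`, which strongSwan supports only on IKEv2, so an IKEv1 client would match this connection and fail at authentication instead of being rejected up front. Since the whole remote-access design here (EAP, pools) is IKEv2-only, pin it with `version = 2` and reject an ike-group set to ikev1 in the verify step (outside this diff). `rekey_time = {{ ike.lifetime }}s` and `rekey_time = {{ esp.lifetime }}s` are rendered unguarded and would emit `rekey_time = s` if a group carries no lifetime; that is harmless only if the CLI supplies a default, which this diff does not show. Minor: `proposals = {{ ike_group[rw_conf.ike_group] | ... }}` repeats the lookup already bound to `ike` two lines above; `proposals = {{ ike | get_esp_ike_cipher | join(',') }}` mirrors the `esp_proposals` line.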
+++ b/data/templates/ipsec/swanctl.conf.tmpl @@ -21,6 +21,20 @@ connections { {% endif %} } +pools { +{% if remote_access is defined %} +{% for ra, ra_conf in remote_access.items() if remote_access is defined %} + ra-{{ ra }} { + addrs = {{ ra_conf.pool.prefix }} + dns = {{ ra_conf.pool.dns_server | join(",") }} +{% if ra_conf.pool.exclude is defined %} + split_exclude = {{ ra_conf.pool.exclude | join(",") }} +{% endif %} + } +{% endfor %} +{% endif %} +} + secrets { {% if profile is defined %} {% for name, profile_conf in profile.items() if profile_conf.disable is not defined and profile_conf.bind is defined and profile_conf.bind.tunnel is defined %} diff --git a/data/templates/ipsec/swanctl/remote_access.tmpl b/data/templates/ipsec/swanctl/remote_access.tmpl index 89f6e343e..004aace2e 100644 --- a/data/templates/ipsec/swanctl/remote_access.tmpl +++ b/data/templates/ipsec/swanctl/remote_access.tmpl @@ -4,12 +4,13 @@ {% set esp = esp_group[rw_conf.esp_group] %} ra-{{ name }} { remote_addrs = %any - local_addrs = %any + local_addrs = {{ rw_conf.local_address if rw_conf.local_address is defined else '%any' }} proposals = {{ ike_group[rw_conf.ike_group] | get_esp_ike_cipher | join(',') }} version = {{ ike.key_exchange[4:] if ike is defined and ike.key_exchange is defined else "0" }} send_certreq = no rekey_time = {{ ike.lifetime }}s keyingtries = 0 + pools = ra-{{ name }} local { auth = pubkey {% if rw_conf.authentication is defined and rw_conf.authentication.id is defined and rw_conf.authentication.use_x509_id is not defined %} @@ -21,7 +22,6 @@ } remote { auth = eap-mschapv2 - id = %any eap_id = %any } children { 
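Review bot: The `pools { ra-{{ ra }} { addrs = {{ ra_conf.pool.prefix }} ... } }` section is generated for every remote-access instance without checking that `ra_conf.pool` exists or that the instance is enabled, so an instance with no pool renders `addrs =` and an empty `dns =`, and the connection side still references the pool by name; guard the body with `{% if ra_conf.pool is defined and ra_conf.pool.prefix is defined %}` and apply the same `disable` filter the connections loop uses. Separately, `split_exclude` is, as far as I recall, a Cisco Unity attribute that strongSwan hands to IKEv1/Unity clients as a routing hint and that IKEv2 clients ignore, so mapping `pool exclude` (described in this commit's XML as "pool prefix exclusions") to it neither removes addresses from the assignable range nor restricts what an IKEv2 peer may reach. If excluding traffic is the intent, it belongs in the child's `local_ts`; either way the help text should say what the option actually does.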
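Review bot: `local_addrs = {{ rw_conf.local_address if rw_conf.local_address is defined else '%any' }}` passes the configured value through verbatim, but the XML added in this same commit accepts the literal keyword `any` (regex `^(any)$`), which would render `local_addrs = any`; that is not the `%any` wildcard and would presumably be resolved as a hostname. Map the keyword: `local_addrs = {{ '%any' if rw_conf.local_address is not defined or rw_conf.local_address == 'any' else rw_conf.local_address }}`. The new `pools = ra-{{ name }}` line is likewise unconditional and should only be emitted when the instance actually has a pool configured.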
@@ -29,8 +29,11 @@ esp_proposals = {{ esp | get_esp_ike_cipher | join(',') }} rekey_time = {{ esp.lifetime }}s rand_time = 540s - local_ts = 0.0.0.0/0 dpd_action = clear +{% set local_prefix = rw_conf.local_network.prefix if rw_conf.local_network is defined and rw_conf.local_network.prefix is defined else ['0.0.0.0/0', '::/0'] %} +{% set local_port = rw_conf.local_network.port if rw_conf.local_network is defined and rw_conf.local_network.port is defined else '' %} +{% set local_suffix = '[%any/{1}]'.format(local_port) if local_port else '' %} + local_ts = {{ local_prefix | join(local_suffix + ",") }}{{ local_suffix }} } } } diff --git a/interface-definitions/vpn_ipsec.xml.in b/interface-definitions/vpn_ipsec.xml.in index ef3b05e29..a9444ecc5 100644 --- a/interface-definitions/vpn_ipsec.xml.in +++ b/interface-definitions/vpn_ipsec.xml.in @@ -743,6 +743,132 @@ #include #include #include + + + IPv4 or IPv6 address of a local interface to use for VPN + + any + + + ipv4 + IPv4 address of a local interface for VPN + + + ipv6 + IPv6 address of a local interface for VPN + + + any + Allow any IPv4 address present on the system to be used for VPN + + + + + ^(any)$ + + + + + + Local traffic selectors + + + + + Any TCP or UDP port + + port name + Named port (any name in /etc/services, e.g., http) + + + u32:1-65535 + Numbered port + + + + + + Local IPv4 or IPv6 prefix + + ipv4 + Local IPv4 prefix + + + ipv6 + Local IPv6 prefix + + + + + + + + + + + + + IP address pool for remote-access users + + + + + Local IPv4 or IPv6 pool prefix exclusions + + ipv4 + Local IPv4 pool prefix exclusion + + + ipv6 + Local IPv6 pool prefix exclusion + + + + + + + + + + + Local IPv4 or IPv6 pool prefix + + ipv4 + Local IPv4 pool prefix + + + ipv6 + Local IPv6 pool prefix + + + + + + + + + + IPv4 or IPv6 DNS addresses for pool + + any + + + ipv4 + IPv4 DNS address for pool + + + ipv6 + IPv6 DNS address for pool + + + + + + + + + + Timeout to close connection if no data is transmitted -- cgit v1.2.3 
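Review bot: `'[%any/{1}]'.format(local_port)` raises `IndexError: Replacement index 1 out of range` whenever a port is configured, because `format()` receives a single positional argument (index 0), so every remote-access instance with a local port fails to render. Use `'[%any/{0}]'.format(local_port)` (or `'[%any/' ~ local_port ~ ']'`). The fallback `['0.0.0.0/0', '::/0']` when no prefix is set gives road-warrior clients a traffic selector covering everything reachable through the gateway; that is a defensible full-tunnel default, but it deserves a comment such as `{# no prefix configured: offer a full tunnel (all IPv4 and IPv6) #}` so operators know narrowing requires an explicit prefix. The enclosing `children { ikev2-vpn { ... } }` block starts outside this hunk.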
From c8bf1deec9ce169f74049423ba21f6ef1360a3df Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Sun, 4 Jul 2021 20:57:15 +0200 Subject: ipsec: T1210: T1251: add remote-access "name-server" definition to pool config --- data/templates/ipsec/swanctl.conf.tmpl | 2 +- interface-definitions/vpn_ipsec.xml.in | 23 ++--------------------- 2 files changed, 3 insertions(+), 22 deletions(-) (limited to 'data') diff --git a/data/templates/ipsec/swanctl.conf.tmpl b/data/templates/ipsec/swanctl.conf.tmpl index 03f1e9942..0eda8479a 100644 --- a/data/templates/ipsec/swanctl.conf.tmpl +++ b/data/templates/ipsec/swanctl.conf.tmpl @@ -26,7 +26,7 @@ pools { {% for ra, ra_conf in remote_access.items() if remote_access is defined %} ra-{{ ra }} { addrs = {{ ra_conf.pool.prefix }} - dns = {{ ra_conf.pool.dns_server | join(",") }} + dns = {{ ra_conf.pool.name_server | join(",") }} {% if ra_conf.pool.exclude is defined %} split_exclude = {{ ra_conf.pool.exclude | join(",") }} {% endif %} diff --git a/interface-definitions/vpn_ipsec.xml.in b/interface-definitions/vpn_ipsec.xml.in index bc802b39e..75fd6a92f 100644 --- a/interface-definitions/vpn_ipsec.xml.in +++ b/interface-definitions/vpn_ipsec.xml.in @@ -810,27 +810,8 @@ - - - IPv4 or IPv6 DNS addresses for pool - - any - - - ipv4 - IPv4 DNS address for pool - - - ipv6 - IPv6 DNS address for pool - - - - - - - - + + #include -- cgit v1.2.3 From 1c727bd25ef28fb729f66072f026be560978853d Mon Sep 17 00:00:00 2001 
From: Christian Poessinger
Date: Sun, 4 Jul 2021 21:02:54 +0200
Subject: ipsec: T1210: T1251: add "local" traffic-selector include definition
Used by both site2site and remote-access/road-warrior VPN connections.
---
data/templates/ipsec/swanctl/remote_access.tmpl | 4 +-
.../include/ipsec/local-traffic-selector.xml.i | 28 +++++++++++
interface-definitions/vpn_ipsec.xml.in | 54 +---------------------
3 files changed, 32 insertions(+), 54 deletions(-)
create mode 100644 interface-definitions/include/ipsec/local-traffic-selector.xml.i
(limited to 'data')
diff --git a/data/templates/ipsec/swanctl/remote_access.tmpl b/data/templates/ipsec/swanctl/remote_access.tmpl
index 004aace2e..a3a1cf0b2 100644
--- a/data/templates/ipsec/swanctl/remote_access.tmpl
+++ b/data/templates/ipsec/swanctl/remote_access.tmpl
@@ -30,8 +30,8 @@
 rekey_time = {{ esp.lifetime }}s
 rand_time = 540s
 dpd_action = clear
-{% set local_prefix = rw_conf.local_network.prefix if rw_conf.local_network is defined and rw_conf.local_network.prefix is defined else ['0.0.0.0/0', '::/0'] %}
-{% set local_port = rw_conf.local_network.port if rw_conf.local_network is defined and rw_conf.local_network.port is defined else '' %}
+{% set local_prefix = rw_conf.local.prefix if rw_conf.local is defined and rw_conf.local.prefix is defined else ['0.0.0.0/0', '::/0'] %}
+{% set local_port = rw_conf.local.port if rw_conf.local is defined and rw_conf.local.port is defined else '' %}
 {% set local_suffix = '[%any/{1}]'.format(local_port) if local_port else '' %}
 local_ts = {{ local_prefix | join(local_suffix + ",") }}{{ local_suffix }}
 }
diff --git a/interface-definitions/include/ipsec/local-traffic-selector.xml.i b/interface-definitions/include/ipsec/local-traffic-selector.xml.i
new file mode 100644
index 000000000..d30a6d11a
--- /dev/null
+++ b/interface-definitions/include/ipsec/local-traffic-selector.xml.i
@@ -0,0 +1,28 @@ + + + + Local parameters for interesting traffic + + + #include + + + Local IPv4 or IPv6 prefix + + ipv4 + Local IPv4 prefix + + + ipv6 + Local IPv6 prefix + + + + + + + + + + + diff --git a/interface-definitions/vpn_ipsec.xml.in b/interface-definitions/vpn_ipsec.xml.in index 75fd6a92f..187bb1154 100644 --- a/interface-definitions/vpn_ipsec.xml.in +++ b/interface-definitions/vpn_ipsec.xml.in @@ -744,32 +744,7 @@ #include #include #include - - - Local traffic selectors - - - #include - - - Local IPv4 or IPv6 prefix - - ipv4 - Local IPv4 prefix - - - ipv6 - Local IPv6 prefix - - - - - - - - - - + #include IP address pool for remote-access users @@ -1008,32 +983,7 @@ #include #include - - - Local parameters for interesting traffic - - - #include - - - Local IPv4 or IPv6 prefix - - ipv4 - Local IPv4 prefix - - - ipv6 - Local IPv6 prefix - - - - - - - - - - + #include #include -- cgit v1.2.3