From 4ef110fd2c501b718344c72d495ad7e16d2bd465 Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Sat, 30 Dec 2023 23:25:20 +0100 Subject: T5474: establish common file name pattern for XML conf mode commands We will use _ as CLI level divider. The XML definition filename and also the Python helper should match the CLI node. Example: set interfaces ethernet -> interfaces_ethernet.xml.in set interfaces bond -> interfaces_bond.xml.in set service dhcp-server -> service_dhcp-server-xml.in --- interface-definitions/vpn_ipsec.xml.in | 1194 ++++++++++++++++++++++++++++++++ 1 file changed, 1194 insertions(+) create mode 100644 interface-definitions/vpn_ipsec.xml.in (limited to 'interface-definitions/vpn_ipsec.xml.in') diff --git a/interface-definitions/vpn_ipsec.xml.in b/interface-definitions/vpn_ipsec.xml.in new file mode 100644 index 000000000..1847401b5 --- /dev/null +++ b/interface-definitions/vpn_ipsec.xml.in @@ -0,0 +1,1194 @@ + + + + + Virtual Private Network (VPN) + + + + + VPN IP security (IPsec) parameters + 901 + + + + + Authentication + + + + + Pre-shared key name + + + #include + + + ID for authentication + + txt + ID used for authentication + + + + + + + IKE pre-shared secret key + + txt + IKE pre-shared secret key + + + + + + + + + + Disable requirement for unique IDs in the Security Database + + + + + + Encapsulating Security Payload (ESP) group name + + + + + Enable ESP compression + + + + + + Security Association time to expire + + u32:30-86400 + SA lifetime in seconds + + + + + + 3600 + + + + Security Association byte count to expire + + u32:1024-26843545600000 + SA life in bytes + + + + + + + + + Security Association packet count to expire + + u32:1000-26843545600000 + SA life in packets + + + + + + + + + ESP mode + + tunnel transport + + + tunnel + Tunnel mode + + + transport + Transport mode + + + (tunnel|transport) + + + tunnel + + + + ESP Perfect Forward Secrecy + + enable dh-group1 dh-group2 dh-group5 dh-group14 dh-group15 dh-group16 dh-group17 dh-group18 dh-group19 dh-group20 dh-group21 dh-group22 dh-group23 dh-group24 dh-group25 dh-group26 dh-group27 dh-group28 dh-group29 dh-group30 dh-group31 dh-group32 disable + + + enable + Inherit Diffie-Hellman group from the IKE group + + + dh-group1 + Use Diffie-Hellman group 1 (modp768) + + + dh-group2 + Use Diffie-Hellman group 2 (modp1024) + + + dh-group5 + Use Diffie-Hellman group 5 (modp1536) + + + dh-group14 + Use Diffie-Hellman group 14 (modp2048) + + + dh-group15 + Use Diffie-Hellman group 15 (modp3072) + + + dh-group16 + Use Diffie-Hellman group 16 (modp4096) + + + dh-group17 + Use Diffie-Hellman group 17 (modp6144) + + + dh-group18 + Use Diffie-Hellman group 18 (modp8192) + + + dh-group19 + Use Diffie-Hellman group 19 (ecp256) + + + dh-group20 + Use Diffie-Hellman group 20 (ecp384) + + + dh-group21 + Use Diffie-Hellman group 21 (ecp521) + + + dh-group22 + Use Diffie-Hellman group 22 (modp1024s160) + + + dh-group23 + Use Diffie-Hellman group 23 (modp2048s224) + + + dh-group24 + Use Diffie-Hellman group 24 (modp2048s256) + + + dh-group25 + Use Diffie-Hellman group 25 (ecp192) + + + dh-group26 + Use Diffie-Hellman group 26 (ecp224) + + + dh-group27 + Use Diffie-Hellman group 27 (ecp224bp) + + + dh-group28 + Use Diffie-Hellman group 28 (ecp256bp) + + + dh-group29 + Use Diffie-Hellman group 29 (ecp384bp) + + + dh-group30 + Use Diffie-Hellman group 30 (ecp512bp) + + + dh-group31 + Use Diffie-Hellman group 31 (curve25519) + + + dh-group32 + Use Diffie-Hellman group 32 (curve448) + + + disable + Disable PFS + + + (enable|dh-group1|dh-group2|dh-group5|dh-group14|dh-group15|dh-group16|dh-group17|dh-group18|dh-group19|dh-group20|dh-group21|dh-group22|dh-group23|dh-group24|dh-group25|dh-group26|dh-group27|dh-group28|dh-group29|dh-group30|dh-group31|dh-group32|disable) + + + enable + + + + ESP group proposal + + u32:1-65535 + ESP group proposal number + + + + #include + #include + + + + + + + Internet Key Exchange (IKE) group name + + + + + Action to take if a child SA is unexpectedly closed + + none hold restart + + + none + Do nothing + + + hold + Attempt to re-negotiate when matching traffic is seen + + + restart + Attempt to re-negotiate the connection immediately + + + (none|hold|restart) + + + none + + + + Dead Peer Detection (DPD) + + + + + Keep-alive failure action + + hold clear restart + + + hold + Attempt to re-negotiate the connection when matching traffic is seen + + + clear + Remove the connection immediately + + + restart + Attempt to re-negotiate the connection immediately + + + (hold|clear|restart) + + + clear + + + + Keep-alive interval + + u32:2-86400 + Keep-alive interval in seconds + + + + + + 30 + + + + Dead Peer Detection keep-alive timeout (IKEv1 only) + + u32:2-86400 + Keep-alive timeout in seconds + + + + + + 120 + + + + + + Re-authentication of the remote peer during an IKE re-key (IKEv2 only) + + + + + + IKE version + + ikev1 ikev2 + + + ikev1 + Use IKEv1 for key exchange + + + ikev2 + Use IKEv2 for key exchange + + + (ikev1|ikev2) + + + + + + IKE lifetime + + u32:0-86400 + IKE lifetime in seconds + + + + + + 28800 + + + + Disable MOBIKE Support (IKEv2 only) + + + + + + IKEv1 phase 1 mode + + main aggressive + + + main + Use the main mode (recommended) + + + aggressive + Use the aggressive mode (insecure, not recommended) + + + (main|aggressive) + + + main + + + + IKE proposal + + u32:1-65535 + IKE group proposal + + + + + + dh-grouphelp + + 1 2 5 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 + + + 1 + Diffie-Hellman group 1 (modp768) + + + 2 + Diffie-Hellman group 2 (modp1024) + + + 5 + Diffie-Hellman group 5 (modp1536) + + + 14 + Diffie-Hellman group 14 (modp2048) + + + 15 + Diffie-Hellman group 15 (modp3072) + + + 16 + Diffie-Hellman group 16 (modp4096) + + + 17 + Diffie-Hellman group 17 (modp6144) + + + 18 + Diffie-Hellman group 18 (modp8192) + + + 19 + Diffie-Hellman group 19 (ecp256) + + + 20 + Diffie-Hellman group 20 (ecp384) + + + 21 + Diffie-Hellman group 21 (ecp521) + + + 22 + Diffie-Hellman group 22 (modp1024s160) + + + 23 + Diffie-Hellman group 23 (modp2048s224) + + + 24 + Diffie-Hellman group 24 (modp2048s256) + + + 25 + Diffie-Hellman group 25 (ecp192) + + + 26 + Diffie-Hellman group 26 (ecp224) + + + 27 + Diffie-Hellman group 27 (ecp224bp) + + + 28 + Diffie-Hellman group 28 (ecp256bp) + + + 29 + Diffie-Hellman group 29 (ecp384bp) + + + 30 + Diffie-Hellman group 30 (ecp512bp) + + + 31 + Diffie-Hellman group 31 (curve25519) + + + 32 + Diffie-Hellman group 32 (curve448) + + + (1|2|5|14|15|16|17|18|19|20|21|22|23|24|25|26|27|28|29|30|31|32) + + + 2 + + + + Pseudo-Random Functions + + prfmd5 prfsha1 prfaesxcbc prfaescmac prfsha256 prfsha384 prfsha512 + + + prfmd5 + MD5 PRF + + + prfsha1 + SHA1 PRF + + + prfaesxcbc + AES XCBC PRF + + + prfaescmac + AES CMAC PRF + + + prfsha256 + SHA2_256 PRF + + + prfsha384 + SHA2_384 PRF + + + prfsha512 + SHA2_512 PRF + + + (prfmd5|prfsha1|prfaesxcbc|prfaescmac|prfsha256|prfsha384|prfsha512) + + + + #include + #include + + + + + #include + + + IPsec logging + + + + + Global IPsec logging Level + + 0 + Very basic auditing logs (e.g., SA up/SA down) + + + 1 + Generic control flow with errors, a good default to see whats going on + + + 2 + More detailed debugging control flow + + + + + + 0 + + + + Subsystem logging levels + + dmn mgr ike chd job cfg knl net asn enc lib esp tls tnc imc imv pts any + + + dmn + Main daemon setup/cleanup/signal handling + + + mgr + IKE_SA manager, handling synchronization for IKE_SA access + + + ike + IKE_SA/ISAKMP SA + + + chd + CHILD_SA/IPsec SA + + + job + Jobs queuing/processing and thread pool management + + + cfg + Configuration management and plugins + + + knl + IPsec/Networking kernel interface + + + net + IKE network communication + + + asn + Low-level encoding/decoding (ASN.1, X.509 etc.) + + + enc + Packet encoding/decoding encryption/decryption operations + + + lib + libstrongswan library messages + + + esp + libipsec library messages + + + tls + libtls library messages + + + tnc + Trusted Network Connect + + + imc + Integrity Measurement Collector + + + imv + Integrity Measurement Verifier + + + pts + Platform Trust Service + + + any + Any subsystem + + + (dmn|mgr|ike|chd|job|cfg|knl|net|asn|enc|lib|esp|tls|tnc|imc|imv|pts|any) + + + + + + + + + Global IPsec settings + + + + + Do not automatically install routes to remote networks + + + + + + Allow FlexVPN vendor ID payload (IKEv2 only) + + + + #include + + + Allow install virtual-ip addresses + + + + + + + + VPN IPsec profile + + txt + Profile name + + + [a-zA-Z][0-9a-zA-Z_-]+ + + Profile name must be alphanumeric and can contain hyphen(s) and underscore(s) + + + #include + + + Authentication + + + + + Authentication mode + + pre-shared-secret + + + pre-shared-secret + Use a pre-shared secret key + + + + #include + + + + + DMVPN tunnel configuration + + + + + Tunnel interface associated with this profile + + interfaces tunnel + + + txt + Associated interface to this profile + + + + + + + #include + #include + + + + + IKEv2 remote access VPN + + + + + IKEv2 VPN connection name + + txt + Connection name + + + [a-zA-Z][0-9a-zA-Z_-]+ + + Profile name must be alphanumeric and can contain hyphen(s) and underscore(s) + + + + + Authentication for remote access + + + #include + #include + + + Client authentication mode + + x509 eap-tls eap-mschapv2 eap-radius + + + x509 + Use IPsec x.509 certificate authentication + + + eap-tls + Use EAP-TLS authentication + + + eap-mschapv2 + Use EAP-MSCHAPv2 authentication + + + eap-radius + Use EAP-RADIUS authentication + + + (x509|eap-tls|eap-mschapv2|eap-radius) + + + eap-mschapv2 + + #include + + + Server authentication mode + + pre-shared-secret x509 + + + pre-shared-secret + Use a pre-shared secret key + + + x509 + Use x.509 certificate + + + (pre-shared-secret|x509) + + + x509 + + #include + + + #include + #include + #include + #include + #include + #include + + + Timeout to close connection if no data is transmitted + + u32:0 + Disable inactivity checks + + + u32:1-86400 + Timeout in seconds + + + + + + 28800 + + + + IP address pool + + vpn ipsec remote-access pool + dhcp radius + + + txt + Predefined IP pool name + + + dhcp + Forward requests for virtual IP addresses to a DHCP server + + + radius + Forward requests for virtual IP addresses to a RADIUS server + + + + + + + Connection uniqueness enforcement policy + + never keep replace + + + never + Never enforce connection uniqueness + + + keep + Reject new connection attempts if the same user already has an active connection + + + replace + Delete any existing connection if a new one for the same user gets established + + + (never|keep|replace) + + + + + + + + DHCP pool options for remote access + + + #include + + + DHCP server address + + ipv4 + DHCP server IPv4 address + + + + + + + + + + + IP address pool for remote access users + + + + + Local IPv4 or IPv6 pool prefix exclusions + + ipv4net + Local IPv4 pool prefix exclusion + + + ipv6net + Local IPv6 pool prefix exclusion + + + + + + + + + + + Local IPv4 or IPv6 pool prefix + + ipv4net + Local IPv4 pool prefix + + + ipv6net + Local IPv6 pool prefix + + + + + + + + #include + + + #include + + + #include + #include + + + #include + + + + + + + + + Site-to-site VPN + + + + + Connection name of the peer + + txt + Connection name of the peer + + + [-_a-zA-Z0-9|@]+ + + Peer connection name must be alphanumeric and can contain hyphen and underscores + + + #include + + + Peer authentication + + + #include + #include + #include + + + Authentication mode + + pre-shared-secret rsa x509 + + + pre-shared-secret + Use pre-shared secret key + + + rsa + Use RSA key + + + x509 + Use x.509 certificate + + + (pre-shared-secret|rsa|x509) + + + + + + ID for remote authentication + + txt + ID used for peer authentication + + + %any + + + + Use certificate common name as ID + + + + + + + + Connection type + + initiate respond none + + + initiate + Bring the connection up immediately + + + respond + Wait for the peer to initiate the connection + + + none + Load the connection only + + + (initiate|respond|none) + + + + + + Defult ESP group name + + vpn ipsec esp-group + + + + #include + #include + + + Force UDP encapsulation + + + + #include + + + Re-authentication of the remote peer during an IKE re-key (IKEv2 only) + + yes no inherit + + + yes + Enable remote host re-autentication during an IKE re-key. Currently broken due to a strong swan bug + + + no + Disable remote host re-authenticaton during an IKE re-key. + + + inherit + Inherit the reauth configuration form your IKE-group + + + (yes|no|inherit) + + + + #include + #include + + + Peer tunnel + + u32 + Peer tunnel + + + + #include + #include + #include + #include + + + Priority for IPsec policy (lowest value more preferable) + + u32:1-100 + Priority for IPsec policy (lowest value more preferable) + + + + + + + + + Match remote addresses + + + #include + + + Remote IPv4 or IPv6 prefix + + ipv4net + Remote IPv4 prefix + + + ipv6net + Remote IPv6 prefix + + + + + + + + + + + + + + + Initiator request virtual-address from peer + + ipv4 + Request IPv4 address from peer + + + ipv6 + Request IPv6 address from peer + + + + + + + Virtual tunnel interface + + + + + VTI tunnel interface associated with this configuration + + interfaces vti + + + + #include + + + + + + + + + + + -- cgit v1.2.3