From bd4588827b563022ce5fb98b1345b787b9194176 Mon Sep 17 00:00:00 2001
From: Viacheslav Hletenko <v.gletenko@vyos.io>
Date: Wed, 10 Aug 2022 19:51:48 +0000
Subject: ipsec: T4118: Change vpn ipsec syntax for IKE ESP and peer

Migration and Change boolean nodes "enable/disable" to
disable-xxxx, enable-xxxx and just xxx for VPN IPsec
configurations

  - IKE changes:
      - replace 'ipsec ike-group <tag> mobike disable'
             => 'ipsec ike-group <tag> disable-mobike'
      - replace 'ipsec ike-group <tag> ikev2-reauth yes|no'
             => 'ipsec ike-group <tag> ikev2-reauth'
  - ESP changes:
      - replace 'ipsec esp-group <tag> compression enable'
             => 'ipsec esp-group <tag> compression'
  - PEER changes:
      - replace: 'peer <tag> id xxx'
              => 'peer <tag> local-id xxx'
      - replace: 'peer <tag> force-encapsulation enable'
              => 'peer <tag> force-udp-encapsulation'
      - add option: 'peer <tag> remote-address x.x.x.x'

Add 'peer <name> remote-address <name>' via migration script
---
 .../include/ipsec/authentication-id.xml.i          |  6 +-
 .../include/ipsec/remote-address.xml.i             | 30 +++++++
 .../include/version/ipsec-version.xml.i            |  2 +-
 interface-definitions/vpn-ipsec.xml.in             | 93 ++++------------------
 4 files changed, 50 insertions(+), 81 deletions(-)
 create mode 100644 interface-definitions/include/ipsec/remote-address.xml.i

(limited to 'interface-definitions')

diff --git a/interface-definitions/include/ipsec/authentication-id.xml.i b/interface-definitions/include/ipsec/authentication-id.xml.i
index 4967782ec..4e0b848c3 100644
--- a/interface-definitions/include/ipsec/authentication-id.xml.i
+++ b/interface-definitions/include/ipsec/authentication-id.xml.i
@@ -1,10 +1,10 @@
 <!-- include start from ipsec/authentication-id.xml.i -->
-<leafNode name="id">
+<leafNode name="local-id">
   <properties>
-    <help>ID for peer authentication</help>
+    <help>Local ID for peer authentication</help>
     <valueHelp>
       <format>txt</format>
-      <description>ID used for peer authentication</description>
+      <description>Local ID used for peer authentication</description>
     </valueHelp>
   </properties>
 </leafNode>
diff --git a/interface-definitions/include/ipsec/remote-address.xml.i b/interface-definitions/include/ipsec/remote-address.xml.i
new file mode 100644
index 000000000..ba96290d0
--- /dev/null
+++ b/interface-definitions/include/ipsec/remote-address.xml.i
@@ -0,0 +1,30 @@
+<!-- include start from ipsec/remote-address.xml.i -->
+<leafNode name="remote-address">
+  <properties>
+    <help>IPv4 or IPv6 address of the remote peer</help>
+    <valueHelp>
+      <format>ipv4</format>
+      <description>IPv4 address of the remote peer</description>
+    </valueHelp>
+    <valueHelp>
+      <format>ipv6</format>
+      <description>IPv6 address of the remote peer</description>
+    </valueHelp>
+    <valueHelp>
+      <format>hostname</format>
+      <description>Fully qualified domain name of the remote peer</description>
+    </valueHelp>
+    <valueHelp>
+      <format>any</format>
+      <description>Allow any IP address of the remote peer</description>
+    </valueHelp>
+    <constraint>
+      <validator name="ipv4-address"/>
+      <validator name="ipv6-address"/>
+      <validator name="fqdn"/>
+      <regex>(any)</regex>
+    </constraint>
+    <multi/>
+  </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/version/ipsec-version.xml.i b/interface-definitions/include/version/ipsec-version.xml.i
index 59295cc91..1c978e8e6 100644
--- a/interface-definitions/include/version/ipsec-version.xml.i
+++ b/interface-definitions/include/version/ipsec-version.xml.i
@@ -1,3 +1,3 @@
 <!-- include start from include/version/ipsec-version.xml.i -->
-<syntaxVersion component='ipsec' version='9'></syntaxVersion>
+<syntaxVersion component='ipsec' version='10'></syntaxVersion>
 <!-- include end -->
diff --git a/interface-definitions/vpn-ipsec.xml.in b/interface-definitions/vpn-ipsec.xml.in
index d36fbb024..5887a349f 100644
--- a/interface-definitions/vpn-ipsec.xml.in
+++ b/interface-definitions/vpn-ipsec.xml.in
@@ -24,23 +24,9 @@
             <children>
               <leafNode name="compression">
                 <properties>
-                  <help>ESP compression</help>
-                  <completionHelp>
-                    <list>disable enable</list>
-                  </completionHelp>
-                  <valueHelp>
-                    <format>disable</format>
-                    <description>Disable ESP compression</description>
-                  </valueHelp>
-                  <valueHelp>
-                    <format>enable</format>
-                    <description>Enable ESP compression</description>
-                  </valueHelp>
-                  <constraint>
-                    <regex>(disable|enable)</regex>
-                  </constraint>
+                  <help>Enable ESP compression</help>
+                  <valueless/>
                 </properties>
-                <defaultValue>disable</defaultValue>
               </leafNode>
               <leafNode name="lifetime">
                 <properties>
@@ -309,20 +295,7 @@
               <leafNode name="ikev2-reauth">
                 <properties>
                   <help>Re-authentication of the remote peer during an IKE re-key (IKEv2 only)</help>
-                  <completionHelp>
-                    <list>yes no</list>
-                  </completionHelp>
-                  <valueHelp>
-                    <format>yes</format>
-                    <description>Enable remote host re-authentication during an IKE rekey (currently broken due to a strongswan bug)</description>
-                  </valueHelp>
-                  <valueHelp>
-                    <format>no</format>
-                    <description>Disable remote host re-authenticaton during an IKE rekey</description>
-                  </valueHelp>
-                  <constraint>
-                    <regex>(yes|no)</regex>
-                  </constraint>
+                  <valueless/>
                 </properties>
               </leafNode>
               <leafNode name="key-exchange">
@@ -357,25 +330,11 @@
                 </properties>
                 <defaultValue>28800</defaultValue>
               </leafNode>
-              <leafNode name="mobike">
+              <leafNode name="disable-mobike">
                 <properties>
-                  <help>Enable MOBIKE Support (IKEv2 only)</help>
-                  <completionHelp>
-                    <list>enable disable</list>
-                  </completionHelp>
-                  <valueHelp>
-                    <format>enable</format>
-                    <description>Enable MOBIKE</description>
-                  </valueHelp>
-                  <valueHelp>
-                    <format>disable</format>
-                    <description>Disable MOBIKE</description>
-                  </valueHelp>
-                  <constraint>
-                    <regex>(enable|disable)</regex>
-                  </constraint>
+                  <help>Disable MOBIKE Support (IKEv2 only)</help>
+                  <valueless/>
                 </properties>
-                <defaultValue>enable</defaultValue>
               </leafNode>
               <leafNode name="mode">
                 <properties>
@@ -929,23 +888,15 @@
             <children>
               <tagNode name="peer">
                 <properties>
-                  <help>VPN peer</help>
-                  <valueHelp>
-                    <format>ipv4</format>
-                    <description>IPv4 address of the peer</description>
-                  </valueHelp>
-                  <valueHelp>
-                    <format>ipv6</format>
-                    <description>IPv6 address of the peer</description>
-                  </valueHelp>
+                  <help>Connection name of the peer</help>
                   <valueHelp>
                     <format>txt</format>
-                    <description>Hostname of the peer</description>
-                  </valueHelp>
-                  <valueHelp>
-                    <format>&lt;@text&gt;</format>
-                    <description>ID of the peer</description>
+                    <description>Connection name of the peer</description>
                   </valueHelp>
+                  <constraint>
+                    <regex>[-_a-zA-Z0-9|@]+</regex>
+                  </constraint>
+                  <constraintErrorMessage>Peer connection name must be alphanumeric and can contain hyphen and underscores</constraintErrorMessage>
                 </properties>
                 <children>
                   #include <include/generic-disable-node.xml.i>
@@ -1031,23 +982,10 @@
                   </leafNode>
                   #include <include/generic-description.xml.i>
                   #include <include/dhcp-interface.xml.i>
-                  <leafNode name="force-encapsulation">
+                  <leafNode name="force-udp-encapsulation">
                     <properties>
-                      <help>Force UDP Encapsulation for ESP payloads</help>
-                      <completionHelp>
-                        <list>enable disable</list>
-                      </completionHelp>
-                      <valueHelp>
-                        <format>enable</format>
-                        <description>Force UDP encapsulation</description>
-                      </valueHelp>
-                      <valueHelp>
-                        <format>disable</format>
-                        <description>Do not force UDP encapsulation</description>
-                      </valueHelp>
-                      <constraint>
-                        <regex>(enable|disable)</regex>
-                      </constraint>
+                      <help>Force UDP encapsulation</help>
+                      <valueless/>
                     </properties>
                   </leafNode>
                   #include <include/ipsec/ike-group.xml.i>
@@ -1075,6 +1013,7 @@
                     </properties>
                   </leafNode>
                   #include <include/ipsec/local-address.xml.i>
+                  #include <include/ipsec/remote-address.xml.i>
                   <tagNode name="tunnel">
                     <properties>
                       <help>Peer tunnel</help>
-- 
cgit v1.2.3