From b2bf1592189fb9298f2a68272418a132a73f37bf Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Sat, 3 Jul 2021 15:52:26 +0200 Subject: ipsec: T1210: T1251: IKEv2 road-warrior support set vpn ipsec esp-group ESP-RW compression 'disable' set vpn ipsec esp-group ESP-RW lifetime '3600' set vpn ipsec esp-group ESP-RW pfs 'disable' set vpn ipsec esp-group ESP-RW proposal 10 encryption 'aes256' set vpn ipsec esp-group ESP-RW proposal 10 hash 'sha256' set vpn ipsec esp-group ESP-RW proposal 20 encryption 'aes256' set vpn ipsec esp-group ESP-RW proposal 20 hash 'sha1' set vpn ipsec ike-group IKE-RW key-exchange 'ikev2' set vpn ipsec ike-group IKE-RW lifetime '10800' set vpn ipsec ike-group IKE-RW mobike 'enable' set vpn ipsec ike-group IKE-RW proposal 10 dh-group '2' set vpn ipsec ike-group IKE-RW proposal 10 encryption 'aes256' set vpn ipsec ike-group IKE-RW proposal 10 hash 'sha1' set vpn ipsec ike-group IKE-RW proposal 20 dh-group '2' set vpn ipsec ike-group IKE-RW proposal 20 encryption 'aes128' set vpn ipsec ike-group IKE-RW proposal 20 hash 'sha1' set vpn ipsec ipsec-interfaces interface 'dum0' set vpn ipsec remote-access rw authentication id 'vyos' set vpn ipsec remote-access rw authentication local-users username vyos password vyos set vpn ipsec remote-access rw authentication x509 ca-certificate 'peer_172-18-254-202' set vpn ipsec remote-access rw authentication x509 certificate 'peer_172-18-254-202' set vpn ipsec remote-access rw description 'asdf' set vpn ipsec remote-access rw esp-group 'ESP-RW' set vpn ipsec remote-access rw ike-group 'IKE-RW' --- interface-definitions/vpn_ipsec.xml.in | 53 ++++++++++++++++++++++++++++++++++ 1 file changed, 53 insertions(+) (limited to 'interface-definitions') diff --git a/interface-definitions/vpn_ipsec.xml.in b/interface-definitions/vpn_ipsec.xml.in index ff60bb82f..ef3b05e29 100644 --- a/interface-definitions/vpn_ipsec.xml.in +++ b/interface-definitions/vpn_ipsec.xml.in 
@@ -705,6 +705,59 @@ #include + + + Remote access IKEv2 VPN + + + + + Authentication for remote access + + + #include + #include + + + Local user authentication for PPPoE server + + + + + User name for authentication + + + #include + + + Password for authentication + + + + + + + + + #include + #include + #include + #include + + + Timeout to close connection if no data is transmitted + + u32:10-86400 + Timeout in seconds (default 28800) + + + + + + 28800 + + + Site-to-site VPN -- cgit v1.2.3 From 79f1c891f3ae72fae3028f114e652225a082d9ef Mon Sep 17 00:00:00 2001 From: sarthurdev <965089+sarthurdev@users.noreply.github.com> Date: Sun, 4 Jul 2021 17:17:54 +0200 Subject: ipsec: T1210: T1251: extend ra config with address pools/traffic selectors --- data/templates/ipsec/swanctl.conf.tmpl | 14 +++ data/templates/ipsec/swanctl/remote_access.tmpl | 9 +- interface-definitions/vpn_ipsec.xml.in | 126 ++++++++++++++++++++++++ 3 files changed, 146 insertions(+), 3 deletions(-) (limited to 'interface-definitions') diff --git a/data/templates/ipsec/swanctl.conf.tmpl b/data/templates/ipsec/swanctl.conf.tmpl index 15c035688..03f1e9942 100644 --- a/data/templates/ipsec/swanctl.conf.tmpl +++ b/data/templates/ipsec/swanctl.conf.tmpl @@ -21,6 +21,20 @@ connections { {% endif %} } +pools { +{% if remote_access is defined %} +{% for ra, ra_conf in remote_access.items() if remote_access is defined %} + ra-{{ ra }} { + addrs = {{ ra_conf.pool.prefix }} + dns = {{ ra_conf.pool.dns_server | join(",") }} +{% if ra_conf.pool.exclude is defined %} + split_exclude = {{ ra_conf.pool.exclude | join(",") }} +{% endif %} + } +{% endfor %} +{% endif %} +} + secrets { {% if profile is defined %} {% for name, profile_conf in profile.items() if profile_conf.disable is not defined and profile_conf.bind is defined and profile_conf.bind.tunnel is defined %} diff --git a/data/templates/ipsec/swanctl/remote_access.tmpl b/data/templates/ipsec/swanctl/remote_access.tmpl index 89f6e343e..004aace2e 100644 
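Review bot: The help text for the local-users node under remote-access authentication reads `Local user authentication for PPPoE server`, which was carried over from the PPPoE definition and names the wrong service; it should read `Local user authentication for remote access VPN`. The sibling strings in this hunk (`Authentication for remote access`, `User name for authentication`, `Password for authentication`) already use service-neutral wording, so this is the only one that misleads a user reading the CLI help.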
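Review bot: The new `pools` block dereferences `ra_conf.pool.prefix` and `ra_conf.pool.dns_server` for every remote-access entry without checking that a pool (or its DNS list) is configured, unlike the `split_exclude` line right below it, which is guarded; a remote-access connection without a pool fails to render on the undefined attribute, and a pool without DNS servers renders an empty `dns =`. Filter the loop with `{% for ra, ra_conf in remote_access.items() if ra_conf.pool is defined %}` (the `if remote_access is defined` on the loop is already covered by the enclosing `{% if %}`) and wrap the DNS line in `{% if ra_conf.pool.dns_server is defined %}` … `{% endif %}`. The unconditional `pools = ra-{{ name }}` added to remote_access.tmpl in this same commit, and the `name_server` rename of the DNS line two commits later, need the matching guard, since a connection that references a pool which was never emitted is unlikely to load.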
--- a/data/templates/ipsec/swanctl/remote_access.tmpl
+++ b/data/templates/ipsec/swanctl/remote_access.tmpl
@@ -4,12 +4,13 @@
 {% set esp = esp_group[rw_conf.esp_group] %}
 ra-{{ name }} {
 remote_addrs = %any
- local_addrs = %any
+ local_addrs = {{ rw_conf.local_address if rw_conf.local_address is defined else '%any' }}
 proposals = {{ ike_group[rw_conf.ike_group] | get_esp_ike_cipher | join(',') }}
 version = {{ ike.key_exchange[4:] if ike is defined and ike.key_exchange is defined else "0" }}
 send_certreq = no
 rekey_time = {{ ike.lifetime }}s
 keyingtries = 0
+ pools = ra-{{ name }}
 local {
 auth = pubkey
 {% if rw_conf.authentication is defined and rw_conf.authentication.id is defined and rw_conf.authentication.use_x509_id is not defined %}
@@ -21,7 +22,6 @@
 }
 remote {
 auth = eap-mschapv2
- id = %any
 eap_id = %any
 }
 children {
@@ -29,8 +29,11 @@
 esp_proposals = {{ esp | get_esp_ike_cipher | join(',') }}
 rekey_time = {{ esp.lifetime }}s
 rand_time = 540s
- local_ts = 0.0.0.0/0
 dpd_action = clear
+{% set local_prefix = rw_conf.local_network.prefix if rw_conf.local_network is defined and rw_conf.local_network.prefix is defined else ['0.0.0.0/0', '::/0'] %}
+{% set local_port = rw_conf.local_network.port if rw_conf.local_network is defined and rw_conf.local_network.port is defined else '' %}
+{% set local_suffix = '[%any/{1}]'.format(local_port) if local_port else '' %}
+ local_ts = {{ local_prefix | join(local_suffix + ",") }}{{ local_suffix }}
 }
 }
 }
diff --git a/interface-definitions/vpn_ipsec.xml.in b/interface-definitions/vpn_ipsec.xml.in
index ef3b05e29..a9444ecc5 100644
--- a/interface-definitions/vpn_ipsec.xml.in
+++ b/interface-definitions/vpn_ipsec.xml.in
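Review bot: `'[%any/{1}]'.format(local_port)` in the third hunk uses positional index 1 but passes only one argument, so str.format raises IndexError at render time as soon as a local port is configured; the unconfigured case never evaluates it, which is why the default `0.0.0.0/0,::/0` path still works. Change it to `{% set local_suffix = '[%any/{0}]'.format(local_port) if local_port else '' %}`. The same line survives unchanged as context in the later `rw_conf.local` rename of this template, so that commit does not fix it either. The `children` block these lines sit in opens outside this hunk.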
@@ -743,6 +743,132 @@ #include #include #include + + + IPv4 or IPv6 address of a local interface to use for VPN + + any + + + ipv4 + IPv4 address of a local interface for VPN + + + ipv6 + IPv6 address of a local interface for VPN + + + any + Allow any IPv4 address present on the system to be used for VPN + + + + + ^(any)$ + + + + + + Local traffic selectors + + + + + Any TCP or UDP port + + port name + Named port (any name in /etc/services, e.g., http) + + + u32:1-65535 + Numbered port + + + + + + Local IPv4 or IPv6 prefix + + ipv4 + Local IPv4 prefix + + + ipv6 + Local IPv6 prefix + + + + + + + + + + + + + IP address pool for remote-access users + + + + + Local IPv4 or IPv6 pool prefix exclusions + + ipv4 + Local IPv4 pool prefix exclusion + + + ipv6 + Local IPv6 pool prefix exclusion + + + + + + + + + + + Local IPv4 or IPv6 pool prefix + + ipv4 + Local IPv4 pool prefix + + + ipv6 + Local IPv6 pool prefix + + + + + + + + + + IPv4 or IPv6 DNS addresses for pool + + any + + + ipv4 + IPv4 DNS address for pool + + + ipv6 + IPv6 DNS address for pool + + + + + + + + + + Timeout to close connection if no data is transmitted -- cgit v1.2.3 From a89554bae49d000daf3fb8deaf4af428c76d1ee9 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Sun, 4 Jul 2021 20:52:01 +0200 Subject: ipsec: T2816: use common building block/include for port definition --- interface-definitions/vpn_ipsec.xml.in | 42 +++------------------------------- 1 file changed, 3 insertions(+), 39 deletions(-) (limited to 'interface-definitions') diff --git a/interface-definitions/vpn_ipsec.xml.in b/interface-definitions/vpn_ipsec.xml.in index a9444ecc5..31ec3e744 100644 --- a/interface-definitions/vpn_ipsec.xml.in +++ b/interface-definitions/vpn_ipsec.xml.in @@ -773,19 +773,7 @@ Local traffic selectors - - - Any TCP or UDP port - - port name - Named port (any name in /etc/services, e.g., http) - - - u32:1-65535 - Numbered port - - - + #include Local IPv4 or IPv6 prefix 
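Review bot: The `Local IPv4 or IPv6 prefix` help under the local traffic selectors does not say what happens when no prefix is set, while remote_access.tmpl in this same commit falls back to `['0.0.0.0/0', '::/0']`, i.e. the gateway offers all traffic to every road-warrior client unless an operator narrows it. A default that wide is worth stating in the CLI help: `Local IPv4 or IPv6 prefix (default: 0.0.0.0/0 and ::/0, all traffic)`. The same help text is moved verbatim into local-traffic-selector.xml.i later in this series and should carry the same wording there.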
@@ -1092,19 +1080,7 @@ Local parameters for interesting traffic - - - Any TCP or UDP port - - port name - Named port (any name in /etc/services, e.g., http) - - - u32:1-65535 - Numbered port - - - + #include Local IPv4 or IPv6 prefix @@ -1131,19 +1107,7 @@ Remote parameters for interesting traffic - - - Any TCP or UDP port - - port name - Named port (any name in /etc/services, e.g., http) - - - u32:1-65535 - Numbered port - - - + #include Remote IPv4 or IPv6 prefix -- cgit v1.2.3 From 3851818b7a2691f8cf016c4d15071cef8d235041 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Sun, 4 Jul 2021 20:52:36 +0200 Subject: ipsec: T2816: add include definition for ipsec local-address --- .../include/ipsec/local-address.xml.i | 27 +++++++++++ interface-definitions/vpn_ipsec.xml.in | 52 +--------------------- 2 files changed, 29 insertions(+), 50 deletions(-) create mode 100644 interface-definitions/include/ipsec/local-address.xml.i (limited to 'interface-definitions') diff --git a/interface-definitions/include/ipsec/local-address.xml.i b/interface-definitions/include/ipsec/local-address.xml.i new file mode 100644 index 000000000..2de6ecb1f --- /dev/null +++ b/interface-definitions/include/ipsec/local-address.xml.i @@ -0,0 +1,27 @@ + + + + IPv4 or IPv6 address of a local interface to use for VPN + + any + + + ipv4 + IPv4 address of a local interface for VPN + + + ipv6 + IPv6 address of a local interface for VPN + + + any + Allow any IPv4 address present on the system to be used for VPN + + + + + ^(any)$ + + + + diff --git a/interface-definitions/vpn_ipsec.xml.in b/interface-definitions/vpn_ipsec.xml.in index 31ec3e744..157d5ba59 100644 --- a/interface-definitions/vpn_ipsec.xml.in +++ b/interface-definitions/vpn_ipsec.xml.in 
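Review bot: The new local-address include accepts the literal value `any` (the `^(any)$` pattern), but remote_access.tmpl earlier in this series renders `local_addrs = {{ rw_conf.local_address if rw_conf.local_address is defined else '%any' }}`, so selecting `any` writes `local_addrs = any` into swanctl.conf rather than the `%any` wildcard; strongSwan will presumably try to resolve that as a host name. Extend the template condition to `rw_conf.local_address if rw_conf.local_address is defined and rw_conf.local_address != 'any' else '%any'` so the value defined here is mapped the way the fallback already is. The valueHelp `Allow any IPv4 address present on the system to be used for VPN` should also read `IPv4 or IPv6`, since the same leaf validates both address families.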
@@ -743,31 +743,7 @@ #include #include #include - - - IPv4 or IPv6 address of a local interface to use for VPN - - any - - - ipv4 - IPv4 address of a local interface for VPN - - - ipv6 - IPv6 address of a local interface for VPN - - - any - Allow any IPv4 address present on the system to be used for VPN - - - - - ^(any)$ - - - + #include Local traffic selectors @@ -1039,31 +1015,7 @@ - - - IPv4 or IPv6 address of a local interface to use for VPN - - any - - - ipv4 - IPv4 address of a local interface for VPN - - - ipv6 - IPv6 address of a local interface for VPN - - - any - Allow any IPv4 address present on the system to be used for VPN - - - - - ^(any)$ - - - + #include Peer tunnel [REQUIRED] -- cgit v1.2.3 From b16827699604b3aa1f222c76a4cf80e9011974aa Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Sun, 4 Jul 2021 20:52:42 +0200 Subject: ipsec: T2816: add completion helper for VTI interfaces --- interface-definitions/vpn_ipsec.xml.in | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'interface-definitions') diff --git a/interface-definitions/vpn_ipsec.xml.in b/interface-definitions/vpn_ipsec.xml.in index 157d5ba59..bc802b39e 100644 --- a/interface-definitions/vpn_ipsec.xml.in +++ b/interface-definitions/vpn_ipsec.xml.in @@ -1089,7 +1089,10 @@ - VTI tunnel interface associated with this configuration [REQUIRED] + VTI tunnel interface associated with this configuration + + interfaces vti + #include -- cgit v1.2.3 From c8bf1deec9ce169f74049423ba21f6ef1360a3df Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Sun, 4 Jul 2021 20:57:15 +0200 Subject: ipsec: T1210: T1251: add remote-access "name-server" definition to pool config --- data/templates/ipsec/swanctl.conf.tmpl | 2 +- interface-definitions/vpn_ipsec.xml.in | 23 ++--------------------- 2 files changed, 3 insertions(+), 22 deletions(-) (limited to 'interface-definitions') 
diff --git a/data/templates/ipsec/swanctl.conf.tmpl b/data/templates/ipsec/swanctl.conf.tmpl index 03f1e9942..0eda8479a 100644 --- a/data/templates/ipsec/swanctl.conf.tmpl +++ b/data/templates/ipsec/swanctl.conf.tmpl @@ -26,7 +26,7 @@ pools { {% for ra, ra_conf in remote_access.items() if remote_access is defined %} ra-{{ ra }} { addrs = {{ ra_conf.pool.prefix }} - dns = {{ ra_conf.pool.dns_server | join(",") }} + dns = {{ ra_conf.pool.name_server | join(",") }} {% if ra_conf.pool.exclude is defined %} split_exclude = {{ ra_conf.pool.exclude | join(",") }} {% endif %} diff --git a/interface-definitions/vpn_ipsec.xml.in b/interface-definitions/vpn_ipsec.xml.in index bc802b39e..75fd6a92f 100644 --- a/interface-definitions/vpn_ipsec.xml.in +++ b/interface-definitions/vpn_ipsec.xml.in @@ -810,27 +810,8 @@ - - - IPv4 or IPv6 DNS addresses for pool - - any - - - ipv4 - IPv4 DNS address for pool - - - ipv6 - IPv6 DNS address for pool - - - - - - - - + + #include -- cgit v1.2.3 From 1c727bd25ef28fb729f66072f026be560978853d Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Sun, 4 Jul 2021 21:02:54 +0200 Subject: ipsec: T1210: T1251: add "local" traffic-selector include definition Used by both site2site and remote-access/road-warrior VPN connections. --- data/templates/ipsec/swanctl/remote_access.tmpl | 4 +- .../include/ipsec/local-traffic-selector.xml.i | 28 +++++++++++ interface-definitions/vpn_ipsec.xml.in | 54 +--------------------- 3 files changed, 32 insertions(+), 54 deletions(-) create mode 100644 interface-definitions/include/ipsec/local-traffic-selector.xml.i (limited to 'interface-definitions') diff --git a/data/templates/ipsec/swanctl/remote_access.tmpl b/data/templates/ipsec/swanctl/remote_access.tmpl index 004aace2e..a3a1cf0b2 100644 --- a/data/templates/ipsec/swanctl/remote_access.tmpl +++ b/data/templates/ipsec/swanctl/remote_access.tmpl 
@@ -30,8 +30,8 @@ rekey_time = {{ esp.lifetime }}s rand_time = 540s dpd_action = clear -{% set local_prefix = rw_conf.local_network.prefix if rw_conf.local_network is defined and rw_conf.local_network.prefix is defined else ['0.0.0.0/0', '::/0'] %} -{% set local_port = rw_conf.local_network.port if rw_conf.local_network is defined and rw_conf.local_network.port is defined else '' %} +{% set local_prefix = rw_conf.local.prefix if rw_conf.local is defined and rw_conf.local.prefix is defined else ['0.0.0.0/0', '::/0'] %} +{% set local_port = rw_conf.local.port if rw_conf.local is defined and rw_conf.local.port is defined else '' %} {% set local_suffix = '[%any/{1}]'.format(local_port) if local_port else '' %} local_ts = {{ local_prefix | join(local_suffix + ",") }}{{ local_suffix }} } diff --git a/interface-definitions/include/ipsec/local-traffic-selector.xml.i b/interface-definitions/include/ipsec/local-traffic-selector.xml.i new file mode 100644 index 000000000..d30a6d11a --- /dev/null +++ b/interface-definitions/include/ipsec/local-traffic-selector.xml.i @@ -0,0 +1,28 @@ + + + + Local parameters for interesting traffic + + + #include + + + Local IPv4 or IPv6 prefix + + ipv4 + Local IPv4 prefix + + + ipv6 + Local IPv6 prefix + + + + + + + + + + + diff --git a/interface-definitions/vpn_ipsec.xml.in b/interface-definitions/vpn_ipsec.xml.in index 75fd6a92f..187bb1154 100644 --- a/interface-definitions/vpn_ipsec.xml.in +++ b/interface-definitions/vpn_ipsec.xml.in @@ -744,32 +744,7 @@ #include #include #include - - - Local traffic selectors - - - #include - - - Local IPv4 or IPv6 prefix - - ipv4 - Local IPv4 prefix - - - ipv6 - Local IPv6 prefix - - - - - - - - - - + #include IP address pool for remote-access users @@ -1008,32 +983,7 @@ #include #include - - - Local parameters for interesting traffic - - - #include - - - Local IPv4 or IPv6 prefix - - ipv4 - Local IPv4 prefix - - - ipv6 - Local IPv6 prefix - - - - - - - - - - + #include #include -- cgit v1.2.3 
From 40c6a0402511383d1fa1ddb8aca9d11765720471 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Sun, 4 Jul 2021 21:19:22 +0200 Subject: ipsec: T2816: add completion helper for tunnel interfaces --- interface-definitions/vpn_ipsec.xml.in | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'interface-definitions') diff --git a/interface-definitions/vpn_ipsec.xml.in b/interface-definitions/vpn_ipsec.xml.in index 187bb1154..f6b18d1d5 100644 --- a/interface-definitions/vpn_ipsec.xml.in +++ b/interface-definitions/vpn_ipsec.xml.in @@ -692,9 +692,12 @@ Tunnel interface associated with this configuration profile + + interfaces tunnel + txt - Tunnel interface associated with this configuration profile + Associated interface to this configuration profile -- cgit v1.2.3