From 9471a9bac452c2c5600ef5d91dd842c8e084e8d6 Mon Sep 17 00:00:00 2001
From: Christian Poessinger <christian@poessinger.com>
Date: Thu, 26 Aug 2021 18:17:31 +0200
Subject: ipsec: T1210: support road-warrior IP assignment via RADIUS
 Framed-IP-Address

Extended CLI command: "set vpn ipsec remote-access connection rw pool" with a
"radius" option.
---
 src/conf_mode/vpn_ipsec.py | 24 +++++++++++++++++++-----
 1 file changed, 19 insertions(+), 5 deletions(-)

(limited to 'src/conf_mode/vpn_ipsec.py')

diff --git a/src/conf_mode/vpn_ipsec.py b/src/conf_mode/vpn_ipsec.py
index d3065fc47..ff6090e22 100755
--- a/src/conf_mode/vpn_ipsec.py
+++ b/src/conf_mode/vpn_ipsec.py
@@ -286,20 +286,34 @@ def verify(ipsec):
                     if 'pre_shared_secret' not in ra_conf['authentication']:
                         raise ConfigError(f"Missing pre-shared-key on {name} remote-access config")
 
+                if 'client_mode' not in ra_conf['authentication']:
+                    raise ConfigError('Client authentication method is required!')
 
-                if 'client_mode' in ra_conf['authentication']:
-                    if ra_conf['authentication']['client_mode'] == 'eap-radius':
-                        if 'radius' not in ipsec['remote_access'] or 'server' not in ipsec['remote_access']['radius'] or len(ipsec['remote_access']['radius']['server']) == 0:
-                            raise ConfigError('RADIUS authentication requires at least one server')
+                if dict_search('authentication.client_mode', ra_conf) == 'eap-radius':
+                    if dict_search('remote_access.radius.server', ipsec) == None:
+                        raise ConfigError('RADIUS authentication requires at least one server')
 
                 if 'pool' in ra_conf:
+                    if {'dhcp', 'radius'} <= set(ra_conf['pool']):
+                        raise ConfigError(f'Can not use both DHCP and RADIUS for address allocation '\
+                                          f'at the same time for "{name}"!')
+
                     if 'dhcp' in ra_conf['pool'] and len(ra_conf['pool']) > 1:
-                        raise ConfigError(f'Can not use both DHCP and a predefined address pool for "{name}"!')
+                        raise ConfigError(f'Can not use DHCP and a predefined address pool for "{name}"!')
+
+                    if 'radius' in ra_conf['pool'] and len(ra_conf['pool']) > 1:
+                        raise ConfigError(f'Can not use RADIUS and a predefined address pool for "{name}"!')
 
                     for pool in ra_conf['pool']:
                         if pool == 'dhcp':
                             if dict_search('remote_access.dhcp.server', ipsec) == None:
                                 raise ConfigError('IPSec DHCP server is not configured!')
+                        elif pool == 'radius':
+                            if dict_search('remote_access.radius.server', ipsec) == None:
+                                raise ConfigError('IPSec RADIUS server is not configured!')
+
+                            if dict_search('authentication.client_mode', ra_conf) != 'eap-radius':
+                                raise ConfigError('RADIUS IP pool requires eap-radius client authentication!')
 
                         elif 'pool' not in ipsec['remote_access'] or pool not in ipsec['remote_access']['pool']:
                             raise ConfigError(f'Requested pool "{pool}" does not exist!')
-- 
cgit v1.2.3


From 3e85333ae7c53fc8b2ceae1d1788e795fd92c939 Mon Sep 17 00:00:00 2001
From: Christian Poessinger <christian@poessinger.com>
Date: Wed, 15 Sep 2021 19:14:37 +0200
Subject: ipsec: T3830: "authentication id|use-x509-id" are mutually exclusive

Manually set peer id and use-x509-id are mutually exclusive!
---
 data/templates/ipsec/swanctl/peer.tmpl | 2 +-
 src/conf_mode/vpn_ipsec.py             | 3 +++
 2 files changed, 4 insertions(+), 1 deletion(-)

(limited to 'src/conf_mode/vpn_ipsec.py')

diff --git a/data/templates/ipsec/swanctl/peer.tmpl b/data/templates/ipsec/swanctl/peer.tmpl
index 5d69b3d66..98c09436c 100644
--- a/data/templates/ipsec/swanctl/peer.tmpl
+++ b/data/templates/ipsec/swanctl/peer.tmpl
@@ -31,7 +31,7 @@
         encap = yes
 {%   endif %}
         local {
-{%   if peer_conf.authentication is defined and peer_conf.authentication.id is defined and peer_conf.authentication.use_x509_id is not defined %}
+{%   if peer_conf.authentication is defined and peer_conf.authentication.id is defined and peer_conf.authentication.id is not none %}
             id = "{{ peer_conf.authentication.id }}"
 {%   endif %}
             auth = {{ 'psk' if peer_conf.authentication.mode == 'pre-shared-secret' else 'pubkey' }}
diff --git a/src/conf_mode/vpn_ipsec.py b/src/conf_mode/vpn_ipsec.py
index ff6090e22..99b82ca2d 100755
--- a/src/conf_mode/vpn_ipsec.py
+++ b/src/conf_mode/vpn_ipsec.py
@@ -362,6 +362,9 @@ def verify(ipsec):
             if 'authentication' not in peer_conf or 'mode' not in peer_conf['authentication']:
                 raise ConfigError(f"Missing authentication on site-to-site peer {peer}")
 
+            if {'id', 'use_x509_id'} <= set(peer_conf['authentication']):
+                raise ConfigError(f"Manually set peer id and use-x509-id are mutually exclusive!")
+
             if peer_conf['authentication']['mode'] == 'x509':
                 if 'x509' not in peer_conf['authentication']:
                     raise ConfigError(f"Missing x509 settings on site-to-site peer {peer}")
-- 
cgit v1.2.3