From bd4588827b563022ce5fb98b1345b787b9194176 Mon Sep 17 00:00:00 2001
From: Viacheslav Hletenko
Date: Wed, 10 Aug 2022 19:51:48 +0000
Subject: ipsec: T4118: Change vpn ipsec syntax for IKE ESP and peer

Migration and Change boolean nodes "enable/disable" to disable-xxxx, enable-xxxx and just xxx for VPN IPsec configurations
- IKE changes:
- replace 'ipsec ike-group mobike disable' => 'ipsec ike-group disable-mobike'
- replace 'ipsec ike-group ikev2-reauth yes|no' => 'ipsec ike-group ikev2-reauth'
- ESP changes:
- replace 'ipsec esp-group compression enable' => 'ipsec esp-group compression'
- PEER changes:
- replace: 'peer id xxx' => 'peer local-id xxx'
- replace: 'peer force-encapsulation enable' => 'peer force-udp-encapsulation'
- add option: 'peer remote-address x.x.x.x'
Add 'peer remote-address ' via migration script
---
 src/conf_mode/vpn_ipsec.py | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

(limited to 'src/conf_mode/vpn_ipsec.py')

diff --git a/src/conf_mode/vpn_ipsec.py b/src/conf_mode/vpn_ipsec.py
index bad9cfbd8..c0fe3ae5d 100755
--- a/src/conf_mode/vpn_ipsec.py
+++ b/src/conf_mode/vpn_ipsec.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2021 VyOS maintainers and contributors
+# Copyright (C) 2021-2022 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -16,6 +16,7 @@
 import ipaddress
 import os
+import re
 from sys import exit
 from time import sleep
@@ -348,6 +349,14 @@ def verify(ipsec):
 if 'site_to_site' in ipsec and 'peer' in ipsec['site_to_site']:
 for peer, peer_conf in ipsec['site_to_site']['peer'].items():
 has_default_esp = False
+ # Peer name it is swanctl connection name and shouldn't contain dots or colons, T4118
+ if bool(re.search(':|\.', peer)):
+ raise ConfigError(f'Incorrect peer name "{peer}" '
+ f'Peer name can contain alpha-numeric letters, hyphen and underscore')
+
+ if 'remote_address' not in peer_conf:
+ print(f'You should set correct remote-address "peer {peer} remote-address x.x.x.x"\n')
+
 if 'default_esp_group' in peer_conf:
 has_default_esp = True
 if 'esp_group' not in ipsec or peer_conf['default_esp_group'] not in ipsec['esp_group']:
-- 
cgit v1.2.3
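Review bot: The new peer-name check only rejects ':' and '.', while the ConfigError text right below it promises an allow-list of alphanumerics, hyphen and underscore; since the comment says the peer name becomes the swanctl connection name written into generated configuration, enforcing that allow-list with a fullmatch closes the gap and also keeps out whitespace, quotes and braces that would presumably break or alter the rendered swanctl.conf. The pattern `':|\.'` is additionally a non-raw string with an invalid `\.` escape, which recent Python versions warn about, and the `bool()` wrapper is redundant. Suggest replacing the condition with `if not re.fullmatch(r'[A-Za-z0-9_-]+', peer):` and adjusting the comment to `# Peer name becomes the swanctl connection name; restrict it to [A-Za-z0-9_-], T4118`. The missing remote-address case only prints a hint rather than raising, which is fine if the migration script is relied on to populate it, but worth a one-line comment saying so. verify() begins before this hunk and continues past it.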