veeos-1x.git/data/templates/ipsec, branch current VyOS command definitions, scripts, and utilities (mirror of https://github.com/vyos-contrib/veeos-1x.git) https://git.amelek.net/vyos-contrib/veeos-1x.git/atom?h=current 2025-04-17T09:45:46+00:00 T7343: IPsec add traffic-selector handling for VTI interfaces 2025-04-17T09:45:46+00:00 Viacheslav Hletenko v.gletenko@vyos.io 2025-04-12T08:45:16+00:00 urn:sha1:41ba7fc5c7edbaca6ff149818aa5689b3ac3c097 Allow to set traffic-selector for VTI interfaces We can set several local and remote IPv4 and IPv6 prefixes ``` set vpn ipsec site-to-site peer P1 vti traffic-selector local prefix 0.0.0.0/0 set vpn ipsec site-to-site peer P1 vti traffic-selector local prefix :/0 set vpn ipsec site-to-site peer P1 vti traffic-selector remote prefix 192.0.2.0/24 ``` T7290: Fix VPN IPsec log level processing 2025-04-02T11:51:49+00:00 Viacheslav Hletenko v.gletenko@vyos.io 2025-04-02T11:00:30+00:00 urn:sha1:453c5e6dc90f3dc15d697884625195abd445b8ab Fix the IPsec log level option processing set vpn ipsec log level '2' Render Jinja2 template to generate correct log for IPsec for the file /etc/strongswan.d/charon-systemd.conf ipsec: T7225: fix dynamic generation of IKE DiffieHellmanGroup in iOS profile 2025-03-06T21:53:05+00:00 Christian Breunig christian@breunig.cc 2025-03-06T21:53:05+00:00 urn:sha1:c31df5a5b5c1d1dfee063fe63a610c8bf71271f0 Commit e97d86e ("T6617: T6618: vpn ipsec remote-access: fix profile generators") added a bug when working with DiffieHellmanGroup, it started becoming a boolead and no longer referencing the DH groups itself. This has been fixed. ipsec: T7225: iOS18+ always requires ExtendedAuthEnabled to be set 2025-03-06T21:52:31+00:00 Christian Breunig christian@breunig.cc 2025-03-06T21:52:31+00:00 urn:sha1:117e9edef844492ff5fd608036a4fecede337f45 If this is unset, loading the iOS VPN profile will error out on the device giving: Profile Installation Failed configuration is invalid: Missing identity My first assumption was an empty string in LocalIdentifier for IKE, but turned out only adding this flag solved it. This was made optional in commit e97d86e ("T6617: T6618: vpn ipsec remote-access: fix profile generators") but got reverted now. ipsec: T7225: "generate ipsec profile ios-remote-access" throws UndefinedError 2025-03-06T15:35:08+00:00 Christian Breunig christian@breunig.cc 2025-03-06T15:35:08+00:00 urn:sha1:c3a7fdc5cc75949361915db73fbac107ee53edd9 Calling "generate ipsec profile ios-remote-access rw remote ipsec.vyos.net name VYOS-NET profile VYOS" in op-mode causes File "/usr/share/vyos/templates/ipsec/ios_profile.j2", line 58, in top-level template code {% if authentication.client_mode.startswith("eap") %} ^^^^^^^^^^^^^^^^^^^^^^^^^ jinja2.exceptions.UndefinedError: 'dict object' has no attribute 'client_mode' nhrp: T2326: NHRP migration to FRR 2025-01-09T16:24:15+00:00 aapostoliuk a.apostoliuk@vyos.io 2024-08-09T15:08:56+00:00 urn:sha1:5e8307bf3a7f816193ca9da8cb290d57bbb375f2 NHRP migration to FRR T264: IPsec add base64 encoded secret-type feature 2024-11-21T13:34:51+00:00 Viacheslav Hletenko v.gletenko@vyos.io 2024-11-19T17:44:58+00:00 urn:sha1:5c7647bcc242d4b26cd9afdde1f084ef93916727 Add the ability to configure base64 encoded passwords for VPN IPSec site-to-site peers authentication psk PSK secret 'xxxxx==' authentication psk PSK secret-type <base64|plaintext> Merge pull request #3221 from lucasec/t5873 2024-08-01T11:08:36+00:00 Christian Breunig christian@breunig.cc 2024-08-01T11:08:36+00:00 urn:sha1:962ead698e191ff413aaa1585270dfed48100547 T5873: ipsec remote access VPN: support VTI interfaces. T6617: T6618: vpn ipsec remote-access: fix profile generators 2024-07-30T07:16:59+00:00 Lucas Christian lucas@lucasec.com 2024-07-30T06:22:05+00:00 urn:sha1:e97d86e619e134f4dfda06efb7df4a3296d17b95 T5873: vpn ipsec remote-access: improve child ESP session naming 2024-07-27T01:26:30+00:00 Lucas Christian lucas@lucasec.com 2024-07-07T10:19:02+00:00 urn:sha1:50cf1746d3ab5e3666a3e502c67d7d853ae7f932