| Age | Commit message (Collapse) | Author |
|---|
|
Commit e97d86e ("T6617: T6618: vpn ipsec remote-access: fix profile generators")
added a bug when working with DiffieHellmanGroup, it started becoming a boolead
and no longer referencing the DH groups itself.
This has been fixed.
|
|
If this is unset, loading the iOS VPN profile will error out on the device
giving:
Profile Installation Failed
configuration is invalid:
Missing identity
My first assumption was an empty string in LocalIdentifier for IKE, but turned
out only adding this flag solved it.
This was made optional in commit e97d86e ("T6617: T6618: vpn ipsec
remote-access: fix profile generators") but got reverted now.
|
|
Calling "generate ipsec profile ios-remote-access rw remote ipsec.vyos.net name
VYOS-NET profile VYOS" in op-mode causes
File "/usr/share/vyos/templates/ipsec/ios_profile.j2", line 58, in top-level template code
{% if authentication.client_mode.startswith("eap") %}
^^^^^^^^^^^^^^^^^^^^^^^^^
jinja2.exceptions.UndefinedError: 'dict object' has no attribute 'client_mode'
|
|
|
|
generation
In e6fe6e50a5c ("op-mode: ipsec: T6407: fix profile generation") we fixed
support for multiple CAs when dealing with the generation of Apple IOS profiles.
This commit extends support to properly include the common name of the server
certificate issuer and all it's paren't CAs. A list of parent CAs is
automatically generated from the "PKI" subsystem content and embedded into the
resulting profile.
|
|
Commit 952b1656f51 ("ipsec: T5606: T5871: Use multi node for CA certificates")
added support for multiple CA certificates which broke the OP mode command
to generate the IPSec profiles as it did not expect a list and was rather
working on a string.
Now multiple CAs can be rendered into the Apple IOS profile.
|
|
Commit bd4588827b ("ipsec: T4118: Change vpn ipsec syntax for IKE ESP and peer")
changed the CLI syntax of ipsec. This resulted in a node not renamed in the
op-mode generator when generating IKEv2 IPSec iOS configuration profiles.
|
|
|
