-rw-r--r-- | debian/changelog | 59 | ||||
-rwxr-xr-x | debian/rules | 2 | ||||
-rwxr-xr-x | scripts/vpn-config.pl | 24 | ||||
-rw-r--r-- | templates/vpn/ipsec/site-to-site/peer/node.tag/authentication/use-x509-id/node.def | 1 |
4 files changed, 83 insertions, 3 deletions
diff --git a/debian/changelog b/debian/changelog
index 65b08ae..113c0a4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,62 @@
+vyatta-cfg-vpn (0.12.105+vyos2+lithium17) unstable; urgency=low
+
+ [ Alex Harpin ]
+ * vyatta-cfg-vpn: validate local address for vti based vpn connections
+
+ -- Alex Harpin <development@landsofshadow.co.uk> Sun, 28 Jun 2015 13:44:16 +0100
+
+vyatta-cfg-vpn (0.12.105+vyos2+lithium16) unstable; urgency=low
+
+ [ Alex Harpin ]
+ * vyatta-cfg-vpn: validate peer address for vti based vpn connections
+
+ -- Alex Harpin <development@landsofshadow.co.uk> Fri, 26 Jun 2015 07:51:33 +0100
+
+vyatta-cfg-vpn (0.12.105+vyos2+lithium15) unstable; urgency=low
+
+ [ Alex Harpin ]
+ * vyatta-cfg-vpn: formatting changes for style consistency
+ * vyatta-cfg-vpn: further tidy up of vyatta-vti-config.pl
+ * vyatta-cfg-vpn: vti interfaces remain link down after ipsec sa renewal
+
+ -- Alex Harpin <development@landsofshadow.co.uk> Thu, 18 Jun 2015 07:44:43 +0100
+
+vyatta-cfg-vpn (0.12.105+vyos2+lithium14) unstable; urgency=low
+
+ * vyatta-cfg-vpn: update dh_gencontrol with new development build flag
+
+ -- Alex Harpin <development@landsofshadow.co.uk> Tue, 16 Jun 2015 19:35:00 +0100
+
+vyatta-cfg-vpn (0.12.105+vyos2+lithium13) unstable; urgency=low
+
+ * Bug #504: add an option for pulling IPsec local id from the cert.
+
+ -- Daniil Baturin <daniil@baturin.org> Sun, 14 Jun 2015 01:53:07 +0200
+
+vyatta-cfg-vpn (0.12.105+vyos2+lithium12) unstable; urgency=low
+
+ * Bug #469: add options for AES-128/256-GCM mode.
+
+ -- Daniil Baturin <daniil@baturin.org> Mon, 04 May 2015 00:37:05 +0200
+
+vyatta-cfg-vpn (0.12.105+vyos2+lithium11) unstable; urgency=low
+
+ [ Kim Hagen ]
+ * Move execution of nhrp script to "end" of ipsec config
+
+ [ Alex Harpin ]
+
+ -- Alex Harpin <development@landsofshadow.co.uk> Thu, 02 Apr 2015 21:53:48 +0100
+
+vyatta-cfg-vpn (0.12.105+vyos2+lithium10) unstable; urgency=low
+
+ [ Kim Hagen ]
+ * Bug #367 - DMVPN Testing, but I do not see ESP traffic.
+
+ [ Alex Harpin ]
+
+ -- Alex Harpin <development@landsofshadow.co.uk> Mon, 09 Feb 2015 22:23:51 +0000
+
 vyatta-cfg-vpn (0.12.105+vyos2+lithium9) unstable; urgency=low
 
 * Remove @ from the id/remote-id help string. It was never required.
diff --git a/debian/rules b/debian/rules
index dde505a..c787477 100755
--- a/debian/rules
+++ b/debian/rules
@@ -88,7 +88,7 @@ binary-arch: build install
 dh_compress
 dh_fixperms
 dh_installdeb
- if [ -f "../.VYATTA_DEV_BUILD" ]; then \
+ if [ -f "../.VYOS_DEV_BUILD" ]; then \
 dh_gencontrol -- -v999.dev; \
 else \
 dh_gencontrol; \
diff --git a/scripts/vpn-config.pl b/scripts/vpn-config.pl
index 3f953b3..4267564 100755
--- a/scripts/vpn-config.pl
+++ b/scripts/vpn-config.pl
@@ -371,7 +371,22 @@ if ($vcVPN->exists('ipsec')) {
 $dhcp_if = $dhcp_if + 1;
 $lip = get_dhcp_addr($dhcp_iface, $peer);
 }
- my $authid =$vcVPN->returnValue("ipsec site-to-site peer $peer authentication id");
+
+ # Get the local ID
+ my $authid = undef;
+ my $authidfromcert = undef;
+ if ($vcVPN->exists("ipsec site-to-site peer $peer authentication use-x509-id")) {
+ if ($vcVPN->exists("ipsec site-to-site peer $peer authentication id")) {
+ vpn_die(["vpn", "ipsec", "site-to-site", "peer", $peer], "Manually set peer id and use-x509-id are mutually exclusive");
+ }
+ else {
+ $authidfromcert = 1;
+ }
+ }
+ else {
+ $authid =$vcVPN->returnValue("ipsec site-to-site peer $peer authentication id");
+ }
+
 my $authremoteid = $vcVPN->returnValue("ipsec site-to-site peer $peer authentication remote-id");
 if ((!defined($lip) || $lip eq "") && (!defined($dhcp_iface) || $dhcp_iface eq "")) {
 vpn_die(["vpn","ipsec","site-to-site","peer",$peer,"local-address"],"$vpn_cfg_err No local-address specified for peer \"$peer\"\n");
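Review bot: The new `use-x509-id` branch only checks that `id` is not also set; it never checks that the peer actually authenticates with a certificate, so a peer in pre-shared-secret mode with `use-x509-id` set passes commit validation and (per the second hunk) is emitted with `leftid=%fromcert` and no certificate to take an identity from, surfacing as an IPsec load failure instead of a commit error. Alongside the new mutual-exclusion check, reject the option unless the peer's authentication mode is x509, e.g. `vpn_die(["vpn","ipsec","site-to-site","peer",$peer,"authentication"], "use-x509-id requires x509 authentication");`, keyed on whatever this script already reads for the peer's authentication mode (not visible in this hunk). The enclosing `if ($vcVPN->exists('ipsec'))` block and the per-peer loop both start and end outside the hunk.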
@@ -483,7 +498,12 @@ if ($vcVPN->exists('ipsec')) {
 }
 else {
 $genout .= "\tleft=$lip\n";
 }
- $genout .= "\tleftid=\"$authid\"\n" if defined $authid;
+ if (defined($authidfromcert)) {
+ $genout .= "\tleftid=%fromcert\n";
+ }
+ else {
+ $genout .= "\tleftid=\"$authid\"\n" if defined $authid;
+ }
 }
 # @SM Todo: must have explicit settings for VTI.
diff --git a/templates/vpn/ipsec/site-to-site/peer/node.tag/authentication/use-x509-id/node.def b/templates/vpn/ipsec/site-to-site/peer/node.tag/authentication/use-x509-id/node.def
new file mode 100644
index 0000000..95a90c1
--- /dev/null
+++ b/templates/vpn/ipsec/site-to-site/peer/node.tag/authentication/use-x509-id/node.def
@@ -0,0 +1 @@
+help: Use certificate common name as ID
|
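Review bot: On the new side, the retained `$genout .= "\tleftid=\"$authid\"\n" if defined $authid;` still interpolates the user-configured `id` value into the generated ipsec.conf inside double quotes with no escaping; unless the `id` node's syntax check (not visible here) forbids `"` and newlines, a crafted value could close the quoted leftid and append further conn settings. Consider rejecting such characters at validation time instead of relying on the template, e.g. `vpn_die(["vpn","ipsec","site-to-site","peer",$peer,"authentication","id"], "id must not contain quotes or newlines") if defined($authid) && $authid =~ /["\r\n]/;`. The `%fromcert` branch is safe in that respect since it emits a fixed string. The enclosing block and the per-peer loop start and end outside the hunk.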
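Review bot: The help text `help: Use certificate common name as ID` may not match what the script emits: the vpn-config.pl hunk writes `leftid=%fromcert`, which in strongSwan takes the identity from the certificate's full subject DN rather than only its CN — confirm against the IPsec backend in use and, if so, reword to `help: Use certificate subject DN as local ID`. Since this node carries only a `help:` line and no constraint, the mutual exclusion with `authentication id` is enforced solely in vpn-config.pl at commit time, which is worth mentioning in the help text so operators are not surprised by the commit-time error.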