10 files changed, 260 insertions, 204 deletions
diff --git a/lib/Vyatta/VPN/Util.pm b/lib/Vyatta/VPN/Util.pm
index f7dc320..606178a 100755
--- a/lib/Vyatta/VPN/Util.pm
+++ b/lib/Vyatta/VPN/Util.pm
@@ -27,17 +27,21 @@ use strict;
 use warnings;
 our @EXPORT = qw(rsa_get_local_key_file LOCAL_KEY_FILE_DEFAULT rsa_get_local_pubkey
- is_vpn_running vpn_debug enableICMP is_tcp_udp get_protocols conv_protocol);
+ rsa_convert_pubkey_pem is_vpn_running vpn_debug enableICMP is_tcp_udp
+ get_protocols conv_protocol);
 use base qw(Exporter);
 use Vyatta::Config;
+use Crypt::OpenSSL::RSA;
+use MIME::Base64;
+use File::Copy;
 use POSIX qw(strftime);
 use constant LOCAL_KEY_FILE_DEFAULT => '/opt/vyatta/etc/config/ipsec.d/rsa-keys/localhost.key';
 sub is_vpn_running {
- return ( -e '/var/run/pluto.ctl');
+ return ( -e '/var/run/charon.ctl');
 }
 sub get_protocols {
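Review bot: The next hunk calls `Crypt::OpenSSL::Bignum->new_from_hex` and `->new_from_bin` directly, but this dependency block only adds `use Crypt::OpenSSL::RSA;`; unless that module happens to load Bignum itself (I would not rely on it), add `use Crypt::OpenSSL::Bignum;` here so the legacy-key conversion path does not fail at runtime with an undefined-method error. `is_vpn_running` now keys on `/var/run/charon.ctl`; a one-line comment such as `# strongSwan 5 charon control socket (pluto.ctl belonged to the removed pluto daemon)` would record why the probe changed, since callers elsewhere in the file decide whether to start or reload the daemon on it.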
@@ -110,15 +114,57 @@ sub rsa_get_local_pubkey {
 my @raw_data=<$dat>;
 close($dat);
+ # PEM encoded private key
+ my $rsa = Crypt::OpenSSL::RSA->new_private_key(join("", @raw_data));
+ if (defined $rsa) {
+ my ($n, $e) = $rsa->get_key_parameters();
+ my $eb = $e->to_bin();
+ return "0s" . encode_base64(pack("C", length($eb)) . $eb . $n->to_bin(), '');
+ }
+
+ # legacy private key format
 foreach my $line (@raw_data) {
 my $file_pubkey;
 if (($file_pubkey) = ($line =~ m/\s+\#pubkey=(\S+)/)) {
+ # Found a legacy private key; convert to PEM for strongSwan 5.2.x
+ my $key = join("", @raw_data);
+ $key =~ /^\s+Modulus:\s+0x([0-9a-fA-F]+)$/m;
+ my $n = Crypt::OpenSSL::Bignum->new_from_hex($1);
+ $key =~ /^\s+PublicExponent:\s+0x([0-9a-fA-F]+)$/m;
+ my $e = Crypt::OpenSSL::Bignum->new_from_hex($1);
+ $key =~ /^\s+PrivateExponent:\s+0x([0-9a-fA-F]+)$/m;
+ my $d = Crypt::OpenSSL::Bignum->new_from_hex($1);
+ $key =~ /^\s+Prime1:\s+0x([0-9a-fA-F]+)$/m;
+ my $p = Crypt::OpenSSL::Bignum->new_from_hex($1);
+ $key =~ /^\s+Prime2:\s+0x([0-9a-fA-F]+)$/m;
+ my $q = Crypt::OpenSSL::Bignum->new_from_hex($1);
+
+ my $rsa = Crypt::OpenSSL::RSA->new_key_from_parameters($n, $e, $d, $p, $q);
+ if (defined $rsa) {
+ # write out PEM formatted key
+ move("$file", "$file.bak");
+ open(my $priv, '>', "$file")
+ or return 0;
+ chmod 0600, $file;
+ print {$priv} $rsa->get_private_key_string();
+ close($priv);
+ }
 return $file_pubkey;
 }
 }
 return 0;
 }
+sub rsa_convert_pubkey_pem {
+ my $key = shift;
+ my $decoded = decode_base64(substr($key, 2));
+ my $len = unpack("C", substr($decoded, 0, 1));
+ my $e = Crypt::OpenSSL::Bignum->new_from_bin(substr($decoded, 1, $len));
+ my $n = Crypt::OpenSSL::Bignum->new_from_bin(substr($decoded, 1 + $len));
+ my $rsa = Crypt::OpenSSL::RSA->new_key_from_parameters($n, $e);
+ return $rsa->get_public_key_x509_string();
+}
+
 sub vpn_debug {
 my $timestamp = strftime("%Y%m%d-%H:%M.%S", localtime);
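Review bot: `Crypt::OpenSSL::RSA->new_private_key` croaks on input it cannot parse rather than returning undef (as far as I recall of that module), so `if (defined $rsa)` is never false and a legacy-format key file dies on that line instead of reaching the fallback parser below; wrap the call in `eval { }`. In the legacy branch the five `$key =~ /.../m` matches are never checked, so a missing field feeds the previous `$1` into `new_from_hex` and a wrong key is assembled silently. The rewrite below also creates the converted key with `umask 077` instead of `chmod 0600` after `open` (otherwise the file briefly exists at default permissions), checks `move`, `print` and `close`, and restores the `.bak` copy when the write fails so the original key is never left truncated. `rsa_convert_pubkey_pem` assumes a `0s` prefix via `substr($key, 2)` and `new_key_from_parameters` croaks on malformed data; a `return unless $key =~ /\A0s/;` guard plus an `eval` would let `write_config` report a bad configured key instead of dying mid-write. rsa_get_local_pubkey begins outside the hunk.
```perl
    # PEM encoded private key.  new_private_key() croaks rather than returning
    # undef on non-PEM input, so trap it or a legacy key file never reaches the
    # fallback parser below.
    my $rsa = eval { Crypt::OpenSSL::RSA->new_private_key(join("", @raw_data)) };
    if (defined $rsa) {
        my ($n, $e) = $rsa->get_key_parameters();
        my $eb = $e->to_bin();
        return "0s" . encode_base64(pack("C", length($eb)) . $eb . $n->to_bin(), '');
    }

    # legacy private key format
    foreach my $line (@raw_data) {
        my $file_pubkey;
        if (($file_pubkey) = ($line =~ m/\s+\#pubkey=(\S+)/)) {
            # Found a legacy private key; convert to PEM for strongSwan 5.2.x
            my $key = join("", @raw_data);
            my %bn;
            for my $field (qw(Modulus PublicExponent PrivateExponent Prime1 Prime2)) {
                # A missing field must fail visibly, not reuse the previous $1.
                my ($hex) = ($key =~ /^\s+$field:\s+0x([0-9a-fA-F]+)$/m);
                return 0 unless defined $hex;
                $bn{$field} = Crypt::OpenSSL::Bignum->new_from_hex($hex);
            }
            my $legacy = eval {
                Crypt::OpenSSL::RSA->new_key_from_parameters(
                    @bn{qw(Modulus PublicExponent PrivateExponent Prime1 Prime2)});
            };
            if (defined $legacy) {
                # Write out the PEM formatted key: create it 0600 from the start
                # and put the backup back if the write does not complete.
                move($file, "$file.bak") or return 0;
                my $old_umask = umask 077;
                my $ok = open(my $priv, '>', $file);
                umask $old_umask;
                if ($ok) {
                    $ok = print {$priv} $legacy->get_private_key_string();
                    $ok = close($priv) && $ok;
                }
                if (!$ok) {
                    move("$file.bak", $file);
                    return 0;
                }
            }
            return $file_pubkey;
        }
    }
    return 0;
```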
diff --git a/scripts/vpn-config.pl b/scripts/vpn-config.pl index 635c416..b913783 100755 --- a/scripts/vpn-config.pl +++ b/scripts/vpn-config.pl @@ -37,7 +37,6 @@ use Vyatta::TypeChecker; use Vyatta::VPN::Util; use Getopt::Long; use Vyatta::Misc; -use NetAddr::IP; use Vyatta::VPN::vtiIntf; my $config_file; @@ -60,6 +59,7 @@ my $dhcp_if = 0; my $genout; my $genout_secrets; my %key_file_list; +my %public_keys; # Set $using_klips to 1 if kernel IPsec support is provided by KLIPS. # Set it to 0 us using NETKEY. @@ -212,12 +212,9 @@ if ($vcVPN->exists('ipsec')) { } # - # Version 2 + # Configuration of system wide options # - $genout .= "version 2.0\n"; - $genout .= "\n"; $genout .= "config setup\n"; - $genout .= "\tcharonstart=yes\n"; # # Interfaces @@ -308,26 +305,6 @@ if ($vcVPN->exists('ipsec')) { $genout .= "\"\n"; } - # - # log-mode - # - my @logmodes = $vcVPN->returnValues('ipsec logging log-modes'); - if (@logmodes > 0) { - my $debugmode = ''; - foreach my $mode (@logmodes) { - if ($mode eq "all") { - $debugmode = "all"; - last; - } - if ($debugmode eq '') { - $debugmode = "$mode"; - } else { - $debugmode .= " $mode"; - } - } - $genout .= "\tplutodebug=\"$debugmode\"\n"; - } - # Set plutoopts: # Disable uniqreqids? # @@ -336,15 +313,6 @@ if ($vcVPN->exists('ipsec')) { } # - # Disable implicit connections - # - foreach my $conn (qw/clear clear-or-private private-or-clear private block packetdefault/){ - $genout .= "\n"; - $genout .= "conn $conn\n"; - $genout .= "\tauto=ignore\n"; - } - - # # Default keyengine is ikev1 # $genout .= "\n"; 
@@ -517,16 +485,6 @@ if ($vcVPN->exists('ipsec')) { $lip = get_dhcp_addr($dhcp_iface); } - # -> leftsourceip is the internal source IP to use in a tunnel - # -> we use leftsourceip to add a route to the rightsubnet - # only when rightsubnet is defined and is not 0.0.0.0/0. we do not - # want to add a vpn route for everything i.e. rightsubnet = 0.0.0.0/0 - # -> if leftsubnet is defined and is not 0.0.0.0/0; we try and find - # an interface on the system that has an IP address lying within - # the leftsubnet and use that as leftsourceip. if leftsubnet is not - # defined or is 0.0.0.0/0 then we use local-address as leftsourceip. - my $leftsourceip = undef; - # # Assign left and right to local and remote interfaces # @@ -537,11 +495,8 @@ if ($vcVPN->exists('ipsec')) { "for peer \"$peer\" $tunKeyword.\n"); } $genout .= "\tleft=%defaultroute\n"; - - # no need for leftsourceip as a defaultroute is must for this to work } else { $genout .= "\tleft=$lip\n"; - $leftsourceip = "\tleftsourceip=$lip\n"; } if (defined($authidfromcert)) { $genout .= "\tleftid=%fromcert\n"; @@ -597,19 +552,6 @@ if ($vcVPN->exists('ipsec')) { if (defined($leftsubnet)) { $genout .= "\tleftsubnet=$leftsubnet\n"; - if (!($leftsubnet eq '0.0.0.0/0')) { - my $localsubnet_object = new NetAddr::IP($leftsubnet); - - # leftsourceip should now be an IP on system lying within the leftsubnet - my @system_ips = Vyatta::Misc::getIP(undef, '4'); - foreach my $system_ip (@system_ips) { - my $systemip_object = new NetAddr::IP($system_ip); - if (CheckIfAddressInsideNetwork($systemip_object, $localsubnet_object)){ - my $sourceip = $systemip_object->addr(); - $leftsourceip = "\tleftsourceip=$sourceip\n"; - } - } - } } my $remotesubnet = $vcVPN->returnValue("ipsec site-to-site peer $peer $tunKeyword remote prefix"); 
@@ -667,21 +609,8 @@ if ($vcVPN->exists('ipsec')) { } if (defined($rightsubnet)) { $genout .= "\trightsubnet=$rightsubnet\n"; - - # not adding vpn route if remote prefix is 0.0.0.0/0 - # user should add a route [default/static] manually - $leftsourceip = undef if $rightsubnet eq '0.0.0.0/0'; - if ($rightsubnet =~ /vhost:%priv/) { - - # can't add route when rightsubnet is not specific - $leftsourceip = undef; - } - } else { - $leftsourceip =undef; # no need for vpn route if rightsubnet not defined } - $genout .= $leftsourceip if defined $leftsourceip; - # # Protocol/port # @@ -784,39 +713,12 @@ if ($vcVPN->exists('ipsec')) { if (defined($encryption) && defined($hash)) { $genout .= "$encryption-$hash"; if (defined($dh_group)) { - if ($dh_group eq '2') { - $genout .= '-modp1024'; - } elsif ($dh_group eq '5') { - $genout .= '-modp1536'; - } elsif ($dh_group eq '14') { - $genout .= '-modp2048'; - } elsif ($dh_group eq '15') { - $genout .= '-modp3072'; - } elsif ($dh_group eq '16') { - $genout .= '-modp4096'; - } elsif ($dh_group eq '17') { - $genout .= '-modp6144'; - } elsif ($dh_group eq '18') { - $genout .= '-modp8192'; - } elsif ($dh_group eq '19') { - $genout .= '-ecp256'; - } elsif ($dh_group eq '20') { - $genout .= '-ecp384'; - } elsif ($dh_group eq '21') { - $genout .= '-ecp521'; - } elsif ($dh_group eq '22') { - $genout .= '-modp1024s160'; - } elsif ($dh_group eq '23') { - $genout .= '-modp2048s224'; - } elsif ($dh_group eq '24') { - $genout .= '-modp2048s256'; - } elsif ($dh_group eq '25') { - $genout .= '-ecp192'; - } elsif ($dh_group eq '26') { - $genout .= '-ecp224'; - } elsif ($dh_group ne '') { + my $cipher_out = get_dh_cipher_result($dh_group); + if ($cipher_out eq 'unknown') { vpn_die(["vpn","ipsec","site-to-site","peer",$peer,"tunnel", $tunnel],"$vpn_cfg_err Invalid 'dh-group' $dh_group specified for ". "peer \"$peer\" $tunKeyword. Only 2, 5, or 14 through 26 accepted.\n"); + } else { + $genout .= "-$cipher_out"; } } } 
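Review bot: The `@@ -784` hunk changes behaviour for an empty `dh-group`: the old chain ended in `elsif ($dh_group ne '')`, so a defined-but-empty value added no suffix, whereas `get_dh_cipher_result('')` returns `unknown` and now reaches `vpn_die`. If that tightening is intended it deserves a comment on the `my $cipher_out` line; otherwise keep the old tolerance with `if (defined($dh_group) && $dh_group ne '')`. The error text `Only 2, 5, or 14 through 26 accepted` still matches the table in `get_dh_cipher_result`, so it can stay. The enclosing proposal loop starts and ends outside the hunk.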
@@ -875,6 +777,21 @@ if ($vcVPN->exists('ipsec')) { } } + # + # Allow the user to specify aggressive mode for IKEv1 connections + # + my $aggressive_mode = $vcVPN->returnValue("ipsec ike-group $ike_group mode"); + + if (defined($aggressive_mode)) { + if (defined($key_exchange) && $key_exchange eq 'ikev2') { + vpn_die(["vpn","ipsec","ike-group", $ike_group, "mode"], "$vpn_cfg_err Selection of Main/Aggressive modes is only valid for IKEv1 configurations"); + } + if ($aggressive_mode eq 'aggressive') { + $genout .= "\taggressive=yes\n"; + } else { + $genout .= "\taggressive=no\n"; + } + } my $t_ikelifetime =$vcVPN->returnValue("ipsec ike-group $ike_group lifetime"); if (defined($t_ikelifetime) && $t_ikelifetime ne '') { $ikelifetime = $t_ikelifetime; @@ -895,6 +812,19 @@ if ($vcVPN->exists('ipsec')) { $genout .= "\tdpdtimeout=$dpd_timeout" . "s\n"; $genout .= "\tdpdaction=$dpd_action\n"; } + + # + # Allow the user for force UDP encapsulation for the ESP + # payload. + # + my $forceencaps = $vcVPN->returnValue("ipsec site-to-site peer $peer force-encapsulation"); + if (defined($forceencaps)) { + if ($forceencaps eq 'enable') { + $genout .= "\tforceencaps=yes\n"; + } else { + $genout .= "\tforceencaps=no\n"; + } + } } # @@ -912,10 +842,11 @@ if ($vcVPN->exists('ipsec')) { foreach my $esp_proposal (@esp_proposals) { # - # Get encryption, hash + # Get encryption, hash and PFS group settings # my $encryption = $vcVPN->returnValue("ipsec esp-group $esp_group proposal $esp_proposal encryption"); my $hash = $vcVPN->returnValue("ipsec esp-group $esp_group proposal $esp_proposal hash"); + my $pfs = $vcVPN->returnValue("ipsec esp-group $esp_group pfs"); # # Write separator if not first proposal 
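Review bot: In the `@@ -875` hunk the `vpn_die` message for the IKEv2/mode conflict lacks the trailing `\n` that every other `vpn_die` text in this file carries, so its output runs into the next line; append `\n` to `...only valid for IKEv1 configurations`. The template added by this commit describes aggressive mode as much weaker than main mode (the aggressive exchange sends identities and authentication data before the channel is protected), so it would be worth a `vpn_debug` warning here when `aggressive` is selected, and a comment on the `$key_exchange` check such as `# mode is an IKEv1-only knob; charon ignores aggressive= for IKEv2` to explain the rejection. The `@@ -895` `forceencaps` hunk reads cleanly. The ike-group block that both hunks sit in starts and ends outside the hunk.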
@@ -925,12 +856,26 @@ if ($vcVPN->exists('ipsec')) { } else { $genout .= ","; } + if (defined($pfs)) { + if ($pfs eq 'enable') { + # Get the first IKE group's dh-group and use that as our PFS setting + my $default_pfs = $vcVPN->returnValue("ipsec ike-group $ike_group proposal 1 dh-group"); + $pfs = get_dh_cipher_result($default_pfs); + } elsif ($pfs eq 'disable') { + undef $pfs; + } else { + $pfs = get_dh_cipher_result($pfs); + } + } # # Write values # if (defined($encryption) && defined($hash)) { $genout .= "$encryption-$hash"; + if (defined($pfs)) { + $genout .= "-$pfs"; + } } } $genout .= "!\n"; 
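Review bot: `get_dh_cipher_result` returns the string `unknown` for anything it cannot map, and this hunk appends it unchecked, so `pfs enable` on an ike-group whose proposal 1 has no `dh-group` (undef) or an unexpected `pfs` value yields an ESP proposal like `aes128-sha1-unknown` that charon rejects at load time, well after the commit succeeded; the IKE hunk in this same commit already calls `vpn_die` for that condition, so mirror it here. Because `pfs enable` is an explicit request for forward secrecy, an unresolved group should fail the commit rather than quietly drop the group suffix. `$pfs` is also re-read inside the per-proposal loop although it is an esp-group property; hoisting the `returnValue` above the loop avoids repeating the lookup. The proposal loop starts and ends outside the hunk.
```perl
                if (defined($pfs)) {
                    if ($pfs eq 'enable') {
                        # Get the first IKE group's dh-group and use that as our PFS setting.
                        # An unset dh-group must not silently turn PFS off.
                        my $default_pfs = $vcVPN->returnValue("ipsec ike-group $ike_group proposal 1 dh-group");
                        $pfs = defined($default_pfs) ? get_dh_cipher_result($default_pfs) : 'unknown';
                    } elsif ($pfs eq 'disable') {
                        undef $pfs;
                    } else {
                        $pfs = get_dh_cipher_result($pfs);
                    }
                    if (defined($pfs) && $pfs eq 'unknown') {
                        vpn_die(["vpn","ipsec","esp-group",$esp_group,"pfs"],
                                "$vpn_cfg_err Unable to resolve a DH group for pfs in esp-group \"$esp_group\".\n");
                    }
                }
                # … unchanged: write values …
```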
@@ -975,63 +920,6 @@ if ($vcVPN->exists('ipsec')) { $genout .= "\ttype=$espmode\n"; # - # Perfect Forward Secrecy - # - my $pfs = $vcVPN->returnValue("ipsec esp-group $esp_group pfs"); - if (defined($pfs)) { - if ($pfs eq 'enable') { - $genout .= "\tpfs=yes\n"; - } elsif ($pfs eq 'dh-group2') { - $genout .= "\tpfs=yes\n"; - $genout .= "\tpfsgroup=modp1024\n"; - } elsif ($pfs eq 'dh-group5') { - $genout .= "\tpfs=yes\n"; - $genout .= "\tpfsgroup=modp1536\n"; - } elsif ($pfs eq 'dh-group14') { - $genout .= "\tpfs=yes\n"; - $genout .= "\tpfsgroup=modp2048\n"; - } elsif ($pfs eq 'dh-group15') { - $genout .= "\tpfs=yes\n"; - $genout .= "\tpfsgroup=modp3072\n"; - } elsif ($pfs eq 'dh-group16') { - $genout .= "\tpfs=yes\n"; - $genout .= "\tpfsgroup=modp4096\n"; - } elsif ($pfs eq 'dh-group17') { - $genout .= "\tpfs=yes\n"; - $genout .= "\tpfsgroup=modp6144\n"; - } elsif ($pfs eq 'dh-group18') { - $genout .= "\tpfs=yes\n"; - $genout .= "\tpfsgroup=modp8192\n"; - } elsif ($pfs eq 'dh-group19') { - $genout .= "\tpfs=yes\n"; - $genout .= "\tpfsgroup=ecp256\n"; - } elsif ($pfs eq 'dh-group20') { - $genout .= "\tpfs=yes\n"; - $genout .= "\tpfsgroup=ecp384\n"; - } elsif ($pfs eq 'dh-group21') { - $genout .= "\tpfs=yes\n"; - $genout .= "\tpfsgroup=ecp521\n"; - } elsif ($pfs eq 'dh-group22') { - $genout .= "\tpfs=yes\n"; - $genout .= "\tpfsgroup=modp1024s160\n"; - } elsif ($pfs eq 'dh-group23') { - $genout .= "\tpfs=yes\n"; - $genout .= "\tpfsgroup=modp2048s224\n"; - } elsif ($pfs eq 'dh-group24') { - $genout .= "\tpfs=yes\n"; - $genout .= "\tpfsgroup=modp2048s256\n"; - } elsif ($pfs eq 'dh-group25') { - $genout .= "\tpfs=yes\n"; - $genout .= "\tpfsgroup=ecp192\n"; - } elsif ($pfs eq 'dh-group26') { - $genout .= "\tpfs=yes\n"; - $genout .= "\tpfsgroup=ecp224\n"; - } else { - $genout .= "\tpfs=no\n"; - } - } - - # # Compression # my $compression =$vcVPN->returnValue("ipsec esp-group $esp_group compression"); 
@@ -1143,7 +1031,10 @@ if ($vcVPN->exists('ipsec')) { vpn_die(["vpn","ipsec","site-to-site","peer",$peer,"authentication"],"$vpn_cfg_err Unable to determine local public key from local key". " file \"$local_key_file\" for peer \"$peer\".\n"); } else { - $genout .= "\tleftrsasigkey=\"$local_key\"\n"; + if (!defined($public_keys{localhost})) { + $public_keys{localhost} = $local_key; + $genout .= "\tleftsigkey=localhost.pub\n"; + } } my $rsa_key_name = $vcVPN->returnValue("ipsec site-to-site peer $peer authentication rsa-key-name"); @@ -1156,13 +1047,16 @@ if ($vcVPN->exists('ipsec')) { vpn_die(["vpn","ipsec","site-to-site","peer",$peer,"authentication"],"$vpn_cfg_err No remote key configured for rsa key name ". "\"$rsa_key_name\" that is specified for peer \"$peer\".\n"); } else { - $genout .= "\trightrsasigkey=\"$remote_key\"\n"; + if (!defined($public_keys{$rsa_key_name})) { + $public_keys{$rsa_key_name} = $remote_key; + $genout .= "\trightsigkey=$rsa_key_name.pub\n"; + } } } # Prevent duplicate includes for rsa keys. if (!defined($key_file_list{$local_key_file})) { $key_file_list{$local_key_file} = 1; - $genout_secrets .= "include $local_key_file\n"; + $genout_secrets .= ": RSA $local_key_file\n"; } } else { vpn_die(["vpn","ipsec","site-to-site","peer",$peer,"authentication"],"$vpn_cfg_err Unknown authentication mode \"$auth_mode\" for peer ". 
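Review bot: `$genout .= "\tleftsigkey=localhost.pub\n"` sits inside `if (!defined($public_keys{localhost}))`, so only the first rsa-authenticated conn gets a `leftsigkey` line and every later conn is written without one; the same applies to `rightsigkey` in the `@@ -1156` hunk whenever two tunnels share an `rsa-key-name`. The dedup should guard only the hash insert: `$public_keys{localhost} = $local_key unless defined $public_keys{localhost};` followed unconditionally by the `$genout .=` line (and likewise for `$rsa_key_name`). `$rsa_key_name` is a configuration string that later becomes a path component under `/etc/ipsec.d/certs/` in `write_config`; if the template does not already restrict it, validate it here with an anchored character-class match before it enters `%public_keys`. The peer loop starts and ends outside the hunk.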
@@ -1240,6 +1134,24 @@ if ($vcVPN->exists('ipsec')) { } } } + + # + # Include a custom configuration file + # + my $custom_include = $vcVPN->returnValue("ipsec include-ipsec-conf"); + my $custom_secrets = $vcVPN->returnValue("ipsec include-ipsec-secrets"); + if (defined($custom_include)) { + if ( ! -e $custom_include ) { + vpn_die(["vpn","ipsec","include-ipsec-conf"],"$vpn_cfg_err The specified file for inclusion inside ipsec.conf does not exist."); + } + $genout .= "\ninclude $custom_include\n"; + } + if (defined($custom_secrets)) { + if ( ! -e $custom_secrets) { + vpn_die(["vpn","ipsec","include-ipsec-secrets"],"$vpn_cfg_err The specified file for inclusion inside ipsec.secrets does not exist."); + } + $genout_secrets .= "\ninclude $custom_secrets\n"; + } if (-e '/etc/dmvpn.conf') { $genout .= "\ninclude /etc/dmvpn.conf\n"; } @@ -1279,13 +1191,13 @@ if ( $vcVPN->isDeleted('.') if (!enableICMP('1')) { vpn_die(["vpn","ipsec"],"VPN commit error. Unable to re-enable ICMP redirects.\n"); } - write_config($genout, $config_file, $genout_secrets, $secrets_file, $dhcp_if); + write_config($genout, $config_file, $genout_secrets, $secrets_file, $dhcp_if, %public_keys); } else { if (!enableICMP('0')) { vpn_die(["vpn","ipsec"],"VPN commit error. Unable to disable ICMP redirects.\n"); } - write_config($genout, $config_file, $genout_secrets, $secrets_file, $dhcp_if); + write_config($genout, $config_file, $genout_secrets, $secrets_file, $dhcp_if, %public_keys); # Assumming that if there was a local IP missmatch and clustering is enabled, # then the clustering scripts will take care of starting the VPN daemon. 
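Review bot: The existence checks in the `@@ -1240` hunk use `-e`, which also passes for a directory or a socket; `-f $custom_include` and `-f $custom_secrets` match what strongSwan's `include` can actually read, and the two `vpn_die` messages lack the trailing `\n` used elsewhere in the file. Both paths are copied verbatim into files the daemon reads with its own privileges, which is acceptable for operator-owned configuration, but a comment stating the trust assumption (`# operator-supplied absolute path; strongSwan reads it as the daemon user`) would make that explicit. Passing `%public_keys` flattened as the trailing argument in the `@@ -1279` hunk only works because it is the last parameter; that deserves a comment on the `write_config` signature. The enclosing `if ($vcVPN->exists('ipsec'))` block starts outside the hunk.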
@@ -1308,8 +1220,31 @@ if ( $vcVPN->isDeleted('.') print "Re-starting IPsec daemon to deactivate auto-update...\n"; vpn_exec('ipsec restart >&/dev/null', 're-starting ipsec'); }else { + + # Grab the list of old peers and tunnels + my @tunnel_cfg_new = $vcVPN->listNodes('ipsec site-to-site peer'); + my @tunnel_cfg_old = $vcVPN->listOrigNodes('ipsec site-to-site peer'); + my @old_tunnels; + my %seen; + @seen{@tunnel_cfg_new} = (); + + # Find the old tunnels in previous configuration + foreach my $tunnel (@tunnel_cfg_old) { + push (@old_tunnels, $tunnel) unless exists $seen{$tunnel}; + } + + # Issue an ipsec down on the old tunnel since charon doesn't clean up + # connections removed from ipsec.conf + foreach my $old_peer (@old_tunnels) { + my @tunnels = $vcVPN->listOrigNodes("ipsec site-to-site peer $old_peer tunnel"); + foreach my $tunnel (@tunnels) + { + vpn_exec("ipsec down peer-$old_peer-tunnel-$tunnel", "Cleaning up site-to-site peer $old_peer at tunnel $tunnel"); + } + } + vpn_exec('ipsec rereadall >&/dev/null', 're-read secrets and certs'); - vpn_exec('ipsec update >&/dev/null', 'update changes to ipsec.conf'); + vpn_exec('ipsec reload >&/dev/null', 'reload changes to ipsec.conf'); } } else { if (!defined($update_interval)) { 
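Review bot: The cleanup in this hunk only tears down peers that disappeared entirely (`@old_tunnels` is the set difference of peer names), so a tunnel deleted from a peer that still exists is never given `ipsec down` and, per the hunk's own comment, charon keeps it alive. Iterating the old tunnel list of every old peer and downing each `peer-$peer-tunnel-$tunnel` that is absent from `listNodes("ipsec site-to-site peer $peer tunnel")` covers both cases, as below. `$old_peer` and `$tunnel` are configuration node names interpolated into a command string handed to `vpn_exec`; if `vpn_exec` runs through a shell (the `>&/dev/null` redirections elsewhere suggest it does), confine them with an anchored match before interpolation or give `vpn_exec` a list-form variant. The enclosing `if`/`else` starts outside the hunk.
```perl
            # Issue an ipsec down on every tunnel that is no longer configured,
            # whether its peer was removed or only the tunnel was, since charon
            # does not clean up connections removed from ipsec.conf.
            foreach my $old_peer (@tunnel_cfg_old) {
                my %still_there;
                if (exists $seen{$old_peer}) {
                    @still_there{ $vcVPN->listNodes("ipsec site-to-site peer $old_peer tunnel") } = ();
                }
                foreach my $tunnel ($vcVPN->listOrigNodes("ipsec site-to-site peer $old_peer tunnel")) {
                    next if exists $still_there{$tunnel};
                    vpn_exec("ipsec down peer-$old_peer-tunnel-$tunnel", "Cleaning up site-to-site peer $old_peer at tunnel $tunnel");
                }
            }
            # … unchanged: rereadall / reload …
```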
@@ -1318,6 +1253,24 @@ if ( $vcVPN->isDeleted('.')
 vpn_exec('ipsec start --auto-update '.$update_interval.' >&/dev/null','start ipsec with auto-update $update_interval');
 }
 }
+
+ # Activate any debugging options by
+ # calling ipsec stroke loglevel <source> <level>
+ my @logmodes = $vcVPN->returnValues('ipsec logging log-modes');
+ my @oldmodes = $vcVPN->returnOrigValues('ipsec logging log-modes');
+ my $charonloglevel = $vcVPN->returnValue('ipsec logging log-level');
+ # Clean up any logging modes if present
+ if (@oldmodes > 0) {
+ foreach my $mode (@oldmodes) {
+ vpn_exec("ipsec stroke loglevel $mode 0", "Deactivating log source $mode");
+ }
+ }
+ # Finally activate our new logger configuration
+ if (@logmodes > 0) {
+ foreach my $mode (@logmodes) {
+ vpn_exec("ipsec stroke loglevel $mode $charonloglevel", "Stroking log source $mode to loglevel $charonloglevel");
+ }
+ }
 }
 }
@@ -1333,7 +1286,7 @@ sub vpn_die {
 }
 sub write_config {
- my ($genout, $config_file, $genout_secrets, $secrets_file, $dhcp_if) = @_;
+ my ($genout, $config_file, $genout_secrets, $secrets_file, $dhcp_if, %public_keys) = @_;
 open my $output_config, '>', $config_file or die "Can't open $config_file: $!";
@@ -1354,6 +1307,14 @@ sub write_config {
 print ${output_secrets} $genout_secrets;
 close $output_secrets;
 dhcp_hook($dhcp_if);
+
+ for my $name (keys %public_keys) {
+ my $output_path = "/etc/ipsec.d/certs/$name.pub";
+ open my $output_file, '>', $output_path
+ or die "Can't open $output_path: $!";
+ print ${output_file} rsa_convert_pubkey_pem($public_keys{$name});
+ close $output_file;
+ }
 }
 sub vpn_exec {
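Review bot: In the `@@ -1354` hunk `$name` comes straight from `%public_keys` (the configured `rsa-key-name` values) and is interpolated into `/etc/ipsec.d/certs/$name.pub`, so a name containing a path separator or `..` would write outside the certs directory; reject anything that does not match an anchored `[A-Za-z0-9._-]+` before opening the file. `print` and `close` are unchecked and `rsa_convert_pubkey_pem` runs after `ipsec.conf` and `ipsec.secrets` have already been rewritten, so a malformed key dies leaving both config files referencing a `.pub` that was never written; convert first, then write, and check each step. Public key files for names removed from the configuration are never deleted, which leaves stale key material in the certs directory. In the `@@ -1318` hunk `$charonloglevel` is interpolated without a defined check; a `vpn_die` when it is undefined would avoid issuing `loglevel $mode ` with an empty level should the template default ever be absent.
```perl
    for my $name (sort keys %public_keys) {
        # Key names become path components; keep them inside the certs dir.
        die "Invalid rsa key name '$name'\n"
            unless $name =~ /\A[A-Za-z0-9._-]+\z/ && $name !~ /\A\.+\z/;
        my $output_path = "/etc/ipsec.d/certs/$name.pub";
        # Convert before touching the filesystem so a bad key fails cleanly.
        my $pem = rsa_convert_pubkey_pem($public_keys{$name});
        open my $output_file, '>', $output_path
            or die "Can't open $output_path: $!";
        print {$output_file} $pem or die "Can't write $output_path: $!";
        close $output_file or die "Can't close $output_path: $!";
    }
```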
@@ -1462,26 +1423,6 @@ sub hasLocalWildcard {
 return 0;
 }
-sub CheckIfAddressInsideNetwork {
- my ($address, $naipNetwork) = @_;
-
- if (!defined($address) || !defined($naipNetwork)) {
- return 0;
- }
-
- my $naipSM = new NetAddr::IP($address);
- if (defined($naipSM)) {
- my $subnetIA = $naipSM->network()->addr();
- my $naipIA = new NetAddr::IP($subnetIA, $naipSM->masklen());
-
- if (defined($naipIA) && $naipNetwork->within($naipIA)) {
- return 1;
- }
- }
-
- return 0;
-}
-
 sub get_x509 {
 my $peer = pop(@_);
@@ -1574,4 +1515,43 @@ EOS
 close $dhcp_hook;
 }
+sub get_dh_cipher_result {
+ my ($cipher) = @_;
+ my $ciph_out;
+ if ($cipher eq '2' || $cipher eq 'dh-group2') {
+ $ciph_out = 'modp1024';
+ } elsif ($cipher eq '5' || $cipher eq 'dh-group5') {
+ $ciph_out = 'modp1536';
+ } elsif ($cipher eq '14' || $cipher eq 'dh-group14') {
+ $ciph_out = 'modp2048';
+ } elsif ($cipher eq '15' || $cipher eq 'dh-group15') {
+ $ciph_out = 'modp3072';
+ } elsif ($cipher eq '16' || $cipher eq 'dh-group16') {
+ $ciph_out = 'modp4096';
+ } elsif ($cipher eq '17' || $cipher eq 'dh-group17') {
+ $ciph_out = 'modp6144';
+ } elsif ($cipher eq '18' || $cipher eq 'dh-group18') {
+ $ciph_out = 'modp8192';
+ } elsif ($cipher eq '19' || $cipher eq 'dh-group19') {
+ $ciph_out = 'ecp256';
+ } elsif ($cipher eq '20' || $cipher eq 'dh-group20') {
+ $ciph_out = 'ecp384';
+ } elsif ($cipher eq '21' || $cipher eq 'dh-group21') {
+ $ciph_out = 'ecp521';
+ } elsif ($cipher eq '22' || $cipher eq 'dh-group22') {
+ $ciph_out = 'modp1024s160';
+ } elsif ($cipher eq '23' || $cipher eq 'dh-group23') {
+ $ciph_out = 'modp2048s224';
+ } elsif ($cipher eq '24' || $cipher eq 'dh-group24') {
+ $ciph_out = 'modp2048s256';
+ } elsif ($cipher eq '25' || $cipher eq 'dh-group25') {
+ $ciph_out = 'ecp192';
+ } elsif ($cipher eq '26' || $cipher eq 'dh-group26') {
+ $ciph_out = 'ecp224';
+ } else {
+ $ciph_out = 'unknown';
+ }
+ return $ciph_out;
+}
+
 # end of file
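Review bot: `get_dh_cipher_result` in the `@@ -1574` hunk compares `$cipher` with `eq` fifteen times without a defined check, so an undef argument (which the esp-group `pfs enable` path in this commit can pass when the ike-group has no `dh-group`) raises an uninitialized-value warning before it returns `unknown`. A lookup table keyed on the group number, with the legacy `dh-group` prefix stripped first, is shorter, warns nothing, and makes adding a group a one-line change. It also wants a header comment, as in the rewrite below, since both the IKE and ESP paths now depend on its `unknown` sentinel.
```perl
sub get_dh_cipher_result {
    my ($cipher) = @_;
    # Map a dh-group value (IANA group number, or the legacy "dh-groupN"
    # spelling used by the esp-group pfs option) to its strongSwan proposal
    # keyword; anything unmapped yields 'unknown' for the callers to reject.
    my %keyword_of = (
        2  => 'modp1024',     5  => 'modp1536',     14 => 'modp2048',
        15 => 'modp3072',     16 => 'modp4096',     17 => 'modp6144',
        18 => 'modp8192',     19 => 'ecp256',       20 => 'ecp384',
        21 => 'ecp521',       22 => 'modp1024s160', 23 => 'modp2048s224',
        24 => 'modp2048s256', 25 => 'ecp192',       26 => 'ecp224',
    );
    return 'unknown' unless defined $cipher;
    (my $group = $cipher) =~ s/\Adh-group//;
    return exists $keyword_of{$group} ? $keyword_of{$group} : 'unknown';
}
```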
diff --git a/templates/vpn/ipsec/esp-group/node.tag/proposal/node.tag/encryption/node.def b/templates/vpn/ipsec/esp-group/node.tag/proposal/node.tag/encryption/node.def
index 0e8fd2d..ba66828 100644
--- a/templates/vpn/ipsec/esp-group/node.tag/proposal/node.tag/encryption/node.def
+++ b/templates/vpn/ipsec/esp-group/node.tag/proposal/node.tag/encryption/node.def
@@ -1,10 +1,10 @@
 help: Encryption algorithm
 type: txt
 default: "aes128"
-syntax:expression: $VAR(@) in "aes128", "aes256", "3des"; "must be aes128, or aes256, or 3des"
-syntax:expression: $VAR(@) in "aes128", "aes256", "3des", "aes128gcm128", "aes256gcm128"; "must be aes128, or aes128gcm128, or aes256, or aes256gcm128, or 3des"
+syntax:expression: $VAR(@) in "aes128", "aes256", "aes128gcm128", "aes256gcm128", "3des", "chacha20poly1305"; "must be aes128, aes256, 3des, or chacha20poly1305"
 val_help: aes128; AES-128 encryption (default)
 val_help: aes256; AES-256 encryption
 val_help: aes128gcm128; AES-128 encryption with Galois Counter Mode 128-bit
 val_help: aes256gcm128; AES-256 encryption with Galois Counter Mode 128-bit
 val_help: 3des; 3DES encryption
+val_help: chacha20poly1305; ChaCha20-Poly1305 encryption
diff --git a/templates/vpn/ipsec/ike-group/node.tag/mode/node.def b/templates/vpn/ipsec/ike-group/node.tag/mode/node.def
new file mode 100644
index 0000000..2b67dad
--- /dev/null
+++ b/templates/vpn/ipsec/ike-group/node.tag/mode/node.def
@@ -0,0 +1,5 @@
+help: IKEv1 Phase 1 Mode Selection
+type: txt
+syntax:expression: $VAR(@) in "main", "aggressive"; "must be main or aggressive"
+val_help: main; Use Main mode for Key Exchanges in the IKEv1 Protocol (Recommended Default)
+val_help: aggressive; Use Aggressive mode for Key Exchanges in the IKEv1 protocol - We do not recommend users to use aggressive mode as it is much more insecure compared to Main mode.
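Review bot: The new `syntax:expression` message says `must be aes128, aes256, 3des, or chacha20poly1305` while the accepted list also contains `aes128gcm128` and `aes256gcm128`, so an operator who mistypes a GCM value is told it is not allowed at all; list all six values in the message. The identical hunk for `templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/encryption/node.def` has the same omission. `3des` remains selectable in both files, which is fine for interoperability, but marking it in its `val_help` line as a legacy choice (`val_help: 3des; 3DES encryption (legacy, prefer AES)`) steers operators away from it.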
diff --git a/templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/encryption/node.def b/templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/encryption/node.def index 0e8fd2d..ba66828 100644 --- a/templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/encryption/node.def +++ b/templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/encryption/node.def @@ -1,10 +1,10 @@ help: Encryption algorithm type: txt default: "aes128" -syntax:expression: $VAR(@) in "aes128", "aes256", "3des"; "must be aes128, or aes256, or 3des" -syntax:expression: $VAR(@) in "aes128", "aes256", "3des", "aes128gcm128", "aes256gcm128"; "must be aes128, or aes128gcm128, or aes256, or aes256gcm128, or 3des" +syntax:expression: $VAR(@) in "aes128", "aes256", "aes128gcm128", "aes256gcm128", "3des", "chacha20poly1305"; "must be aes128, aes256, 3des, or chacha20poly1305" val_help: aes128; AES-128 encryption (default) val_help: aes256; AES-256 encryption val_help: aes128gcm128; AES-128 encryption with Galois Counter Mode 128-bit val_help: aes256gcm128; AES-256 encryption with Galois Counter Mode 128-bit val_help: 3des; 3DES encryption +val_help: chacha20poly1305; ChaCha20-Poly1305 encryption diff --git a/templates/vpn/ipsec/include-ipsec-conf/node.def b/templates/vpn/ipsec/include-ipsec-conf/node.def new file mode 100644 index 0000000..fc82a45 --- /dev/null +++ b/templates/vpn/ipsec/include-ipsec-conf/node.def @@ -0,0 +1,2 @@ +type: txt +help: Sets to include an additional configuration directive file for strongSwan. Use an absolute path to specify the included file. diff --git a/templates/vpn/ipsec/include-ipsec-secrets/node.def b/templates/vpn/ipsec/include-ipsec-secrets/node.def new file mode 100644 index 0000000..37b73e1 --- /dev/null +++ b/templates/vpn/ipsec/include-ipsec-secrets/node.def @@ -0,0 +1,2 @@ +type: txt +help: Sets to include an additional secrets file for strongSwan. Use an absolute path to specify the included file. 
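Review bot: The new `include-ipsec-conf` and `include-ipsec-secrets` nodes tell the operator to use an absolute path but nothing enforces it, and `vpn-config.pl` only checks that the path exists, so a relative value is resolved wherever the daemon happens to look. If the template engine supports it, a `syntax:expression` anchored on a leading `/` with a message such as `"must be an absolute path"` would reject that at commit time. The help text for both would also benefit from stating that the included file is read with the IPsec daemon's privileges and must be writable only by the administrator, since the secrets include in particular can carry key material.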
diff --git a/templates/vpn/ipsec/logging/log-level/node.def b/templates/vpn/ipsec/logging/log-level/node.def
new file mode 100644
index 0000000..54cf698
--- /dev/null
+++ b/templates/vpn/ipsec/logging/log-level/node.def
@@ -0,0 +1,5 @@
+help: strongSwan Logger Level
+type: u32
+default: 1
+syntax:expression: ($VAR(@) >= 0 && $VAR(@) <= 2) ; "must be between levels 0-2"
+val_help: u32:0-2; Logger Verbosity Level (default 0)
diff --git a/templates/vpn/ipsec/logging/log-modes/node.def b/templates/vpn/ipsec/logging/log-modes/node.def
index f0dd9f4..5662a4e 100644
--- a/templates/vpn/ipsec/logging/log-modes/node.def
+++ b/templates/vpn/ipsec/logging/log-modes/node.def
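Review bot: `default: 1` and the `val_help` text `(default 0)` in the new `log-level/node.def` contradict each other; make the help line read `(default 1)` or change the default, whichever is intended. Capping the level at 2 keeps out the higher strongSwan levels that can write sensitive data to the log; if that is the reason for the limit, a comment line in the template saying so would stop a later change from quietly raising it.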
@@ -1,11 +1,21 @@ multi: -help: Log mode +help: Log mode. To see what each log mode exactly does, please refer to the strongSwan documentation type: txt -syntax:expression: $VAR(@) in "raw", "crypt", "parsing", "emitting", "control", "all", "private" ; "must be one of the following: raw, crypt, parsing, emitting, control, all, private" -val_help: raw; Debug log option for pluto -val_help: crypt; Debug log option for pluto -val_help: parsing; Debug log option for pluto -val_help: emitting; Debug log option for pluto -val_help: control; Debug log option for pluto -val_help: all; Debug log option for pluto -val_help: private; Debug log option for pluto +syntax:expression: $VAR(@) in "dmn", "mgr", "ike", "chd", "job", "cfg", "knl", "net", "asn", "enc", "lib", "esp", "tls", "tnc", "imc", "imv", "pts" ; "must be one of the following: dmn, mgr, ike, chd, job, cfg, knl, net, asn, enc, lib, esp, tls, tnc, imc, imv, pts" +val_help: dmn; Debug log option for strongSwan +val_help: mgr; Debug log option for strongSwan +val_help: ike; Debug log option for strongSwan +val_help: chd; Debug log option for strongSwan +val_help: job; Debug log option for strongSwan +val_help: cfg; Debug log option for strongSwan +val_help: knl; Debug log option for strongSwan +val_help: net; Debug log option for strongSwan +val_help: asn; Debug log option for strongSwan +val_help: enc; Debug log option for strongSwan +val_help: lib; Debug log option for strongSwan +val_help: esp; Debug log option for strongSwan +val_help: tls; Debug log option for strongSwan +val_help: tnc; Debug log option for strongSwan +val_help: imc; Debug log option for strongSwan +val_help: imv; Debug log option for strongSwan +val_help: pts; Debug log option for strongSwan diff --git a/templates/vpn/ipsec/site-to-site/peer/node.tag/force-encapsulation/node.def b/templates/vpn/ipsec/site-to-site/peer/node.tag/force-encapsulation/node.def new file mode 100644 index 0000000..bc71729 --- /dev/null 
+++ b/templates/vpn/ipsec/site-to-site/peer/node.tag/force-encapsulation/node.def @@ -0,0 +1,6 @@ +help: Force UDP Encapsulation for ESP Payloads +type: txt +syntax:expression: $VAR(@) in "enable", "disable"; "Must be enable or disable" +val_help: enable; This endpoint will force UDP encapsulation for this peer +val_help: disable; This endpoint will not force UDP encapsulation for this peer + |