summaryrefslogtreecommitdiff
path: root/scripts
AgeCommit message (Collapse)Author
2020-01-20T1780 Adding IPSec IKE close-actionDmitriyEshenko
2019-03-14Fixes T1298 use vti tunnel with ipsec and dhcp.Kim
* make dhcp interface work for vti interfaces * clean up code, loger timeout use python api * change vti tunnel ip on new dhcp lease * only change ip on up and do not get non dhcp ip * fix error in function, include up-host and down-host
2019-01-21fix typo in dead-pear-detectionKim
2019-01-15fix typoKim Hagen
2019-01-15do not display connection header when there are no tunnels createdKim Hagen
2019-01-11Reference IPsec profile name in DMPN connection names for op mode.Daniil Baturin
2018-12-06Fix: T1048: [IPSec] Protocol all does not work in IPSec Tunnelhagbard
2018-11-13T1006: replace the is_valid_address.pl script with ipaddrcheck.Daniil Baturin
2018-08-08T767: cleanup vpn-config.pl - removal of KLIPSChristian Poessinger
Two IPsec kernel stacks are currently available: KLIPS and NETKEY. The Linux kernel NETKEY code is a rewrite from scratch of the KAME IPsec code. The KAME Project was a group effort of six companies in Japan to provide a free IPv6 and IPsec (for both IPv4 and IPv6) protocol stack implementation for variants of the BSD UNIX computer operating system. KLIPS is not a part of the Linux kernel. When using KLIPS, you must apply a patch to the kernel to support NAT-T. When using NETKEY, NAT-T support is already inside the kernel, and there is no need to patch the kernel. [1] KLIPS part has been removed as we always used the NETKEY path in the Perl script. [1]: https://www.linuxjournal.com/article/9916
2018-08-08T767: remove IPSEC deprecated keyword 'interfaces'Christian Poessinger
'interfaces' option no longer available in StrongSWAN as of their Wiki [1]. [1]: https://wiki.strongswan.org/projects/strongswan/wiki/ConfigSetupSection
2018-08-05T628: delete the default route from the StrongSWAN table (220 hardcoded) for ↵Daniil Baturin
VTI connections
2017-10-31T126: charon listening on ALL interfaces(correct sorting)Taniadz
2017-10-27T126: charon listening on ALL interfaces(add ipsec restart)Taniadz
2017-10-25T126: charon listening on ALL interfaces( fix the style issues)Taniadz
2017-10-24T126: charon listening on ALL interfacesTaniadz
2017-03-23Fix VTI interface configuration to set both ikey and okeySylvain Munaut
Without this, the outgoing traffic is marked and encrypted but incoming traffic isn't properly forwarded to the VTI and just gets dropped. Partially Fixes T137 Signed-off-by: Sylvain Munaut <s.munaut@whatever-company.com>
2016-03-23load swanctl configuration on ipsec startUnicronNL
2016-03-16use 'dh-group' for first ike proposalUnicronNL
enable config for dead peer detection
2016-03-08add secret from config to swanctl.confUnicronNL
2016-02-24First version of new dmvpn script rewrite.Kim Hagen
2016-02-24remove reference to dmvpn.secrets and chang dmvpn.conf to swanctl.confKim Hagen
2016-02-11Merge branch 'lithium-strongswan5' of ↵Daniil Baturin
https://github.com/TriJetScud/vyatta-cfg-vpn into current
2016-02-11Revert "Remove charonstart an interfaces from ipsec.conf file, they are ↵Kim Hagen
depricated." This reverts commit fbddff7f2b6b485c93b5d3cf4d60a75f84c3a2b6.
2016-02-11Revert "Set default pfs and ike dh group. (required by strongswan charon)"Kim Hagen
This reverts commit 8353f0f8fc746c69d6006e5bba9baf45afe16385.
2016-02-11Set default pfs and ike dh group. (required by strongswan charon)Kim Hagen
2016-02-11Remove charonstart an interfaces from ipsec.conf file, they are depricated.Kim Hagen
2016-02-09Use dhcp instead of dhcp3.Kim Hagen
2016-01-29vyatta-cfg-vpn: Properly implement force-encapsulation and fix descriptionsJeff Leung
2015-12-06Merge branch 'lithium' into lithium-strongswan5Jeff Leung
Conflicts: templates/vpn/ipsec/esp-group/node.tag/proposal/node.tag/encryption/node.def templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/encryption/node.def Get the GCM and ChaCha20+Poly1305 ciphers to play nice with each other
2015-12-05vyatta-cfg-vpn: validate peer address for vti based vpn connectionsAlex Harpin
Validate the peer address used for VTI based VPN connections to ensure only either an IPv4 or IPv6 address is used. Currently VTIs can only accept these for peer addresses, other values will fail with extraneous error messages, trap these earlier in the configuation commit process for now. Bug #359 http://bugzilla.vyos.net/show_bug.cgi?id=359
2015-12-05vyatta-cfg-vpn: validate local address for vti based vpn connectionsAlex Harpin
Validate the local address used for VTI based VPN connections to ensure only either an IPv4 or IPv6 address is used. Currently VTIs can only accept these for local addresses, other values will fail with extraneous error messages, trap these earlier in the configuation commit process for now. Bug #213 http://bugzilla.vyos.net/show_bug.cgi?id=213
2015-12-05vyatta-cfg-vpn: vti interfaces remain link down after ipsec sa renewalAlex Harpin
VTI interfaces can remain link down after IPSec SA expiry and renewal, leaving the actual IPSec tunnel up and active but the route relating to this VTI interface absent from the routing table; with the end result of no traffic passing through it without manual intervention. Earlier fixes for this issue in both bug #183 and bug #291 fixed one issue but introduced another, this commit fixes both scenarios. Bug #568 http://bugzilla.vyos.net/show_bug.cgi?id=568
2015-12-05vyatta-cfg-vpn: further tidy up of vyatta-vti-config.plAlex Harpin
Remove old comments and other minor tidying up / rearranging of scripts/vyatta-vti-config.pl
2015-12-05vyatta-cfg-vpn: formatting changes for style consistencyAlex Harpin
Perltidy run on scripts/vyatta-vti-config.pl to have consistent identation levels and style throughout.
2015-11-04Whitespace fixesJeff Leung
2015-11-04Allow the user to include a custom ipsec.secrets file.Jeff Leung
This may be useful for scenarios where a user prefers to use an ECDSA key or implement an xauth IPSec RA server without having to code for the VyOS/EdgeOS platform.
2015-11-04Actually implement custom ipsec.conf filesJeff Leung
2015-06-26vyatta-cfg-vpn: validate local address for vti based vpn connectionsAlex Harpin
Validate the local address used for VTI based VPN connections to ensure only either an IPv4 or IPv6 address is used. Currently VTIs can only accept these for local addresses, other values will fail with extraneous error messages, trap these earlier in the configuation commit process for now. Bug #213 http://bugzilla.vyos.net/show_bug.cgi?id=213
2015-06-22vyatta-cfg-vpn: validate peer address for vti based vpn connectionsAlex Harpin
Validate the peer address used for VTI based VPN connections to ensure only either an IPv4 or IPv6 address is used. Currently VTIs can only accept these for peer addresses, other values will fail with extraneous error messages, trap these earlier in the configuation commit process for now. Bug #359 http://bugzilla.vyos.net/show_bug.cgi?id=359
2015-06-18vyatta-cfg-vpn: vti interfaces remain link down after ipsec sa renewalAlex Harpin
VTI interfaces can remain link down after IPSec SA expiry and renewal, leaving the actual IPSec tunnel up and active but the route relating to this VTI interface absent from the routing table; with the end result of no traffic passing through it without manual intervention. Earlier fixes for this issue in both bug #183 and bug #291 fixed one issue but introduced another, this commit fixes both scenarios. Bug #568 http://bugzilla.vyos.net/show_bug.cgi?id=568
2015-06-17vyatta-cfg-vpn: further tidy up of vyatta-vti-config.plAlex Harpin
Remove old comments and other minor tidying up / rearranging of scripts/vyatta-vti-config.pl
2015-06-17vyatta-cfg-vpn: formatting changes for style consistencyAlex Harpin
Perltidy run on scripts/vyatta-vti-config.pl to have consistent identation levels and style throughout.
2015-06-14Bug #504: add an option for pulling IPsec local id from the cert.Daniil Baturin
2015-03-02Fix ipsec.secrets generation for PEM-formatted RSA key.Ryan Riske
2015-03-01Add support for RSA keys with strongSwan 5.2.xRyan Riske
strongSwan 5.2.x no longer recognizes keys in RFC 3110 format inlined in ipsec.conf and ipsec.secrets. We need to convert the local private key and peer public keys to PEM format, without changing the config templates or user-visible key formats. This patch will require the Debian packages 'libcrypt-openssl-bignum-perl' and 'libcrypt-openssl-rsa-perl' to be added to the system.
2015-02-13Remove the automatic generation of implicit connectionsJeff Leung
Since charon's existence, generating them is redundant and as a matter of fact causes issues with establishing multiple IKEv1 IPSec tunnels to the same peer.
2015-02-10Allow the user to force UDP encapsulation for a named peerJeff Leung
This might help with strongSwan traversing through firewalls that filter proto 51, but not UDP traffic.
2015-02-09Removing generation of leftsourceip= parameter in ipsec.confJeff Leung
As confirmed by Thermi in the strongSwan IRC channel inside freenode, this parameter should not have been generated for a S2S VPN setup. If leftsourceip= is specified on both ends in an IKEv1 S2S VPN tunnel, both ends will have charon hanging on MODE_CONFIG. This is because both ends are trying to ask an IP from the remote end which doesn't exist.
2015-02-08Slightly alter aggressive mode selection logicJeff Leung
If the user defines main mode, the config script will always enable aggressive mode. Fix the logic to correctly disable aggressive mode when main mode is asked for in IKEv1 connections.
2015-02-07Remove the code that generates our ipsec logger at runtimeJeff Leung
Since we're invoking the logger at runtime, there's really no point on keeping this codeblock
generated by cgit v1.2.3 (git 2.39.1) at 2025-09-07 02:38:15 +0000