From d72efb828bd9bb88a6fb6d219b2b1cb88406507e Mon Sep 17 00:00:00 2001 From: Jeff Leung Date: Tue, 27 Jan 2015 00:09:01 -0800 Subject: Removing charonstart from the config setup section In preperation of moving towards the strongSwan 5.x series, we are removing the legacy charonstart=yes parameter in ipsec.conf. Since strongSwan 5.0.0 pluto has been removed from the codebase and charon is now the main daemon that handles IKEv1 and IKEv2 connections. --- scripts/vpn-config.pl | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/scripts/vpn-config.pl b/scripts/vpn-config.pl index 1a3943a..5edd148 100755 --- a/scripts/vpn-config.pl +++ b/scripts/vpn-config.pl @@ -212,12 +212,9 @@ if ($vcVPN->exists('ipsec')) { } # - # Version 2 + # Configuration of system wide options # - $genout .= "version 2.0\n"; - $genout .= "\n"; $genout .= "config setup\n"; - $genout .= "\tcharonstart=yes\n"; # # Interfaces -- cgit v1.2.3 From c3240731283eb3128bf5654b3e4ffb1ae81a0718 Mon Sep 17 00:00:00 2001 From: Jeff Leung Date: Tue, 27 Jan 2015 00:23:43 -0800 Subject: Add get_dh_cipher_result submodule By adding this submodule we can reduce the amount of code we need to maintain by having a single submodule that takes in a Diffie-Hellman group number and translates it to what strongSwan expects. --- scripts/vpn-config.pl | 39 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) diff --git a/scripts/vpn-config.pl b/scripts/vpn-config.pl index 5edd148..bffe9a1 100755 --- a/scripts/vpn-config.pl +++ b/scripts/vpn-config.pl 
@@ -1551,4 +1551,43 @@ EOS close $dhcp_hook; } +sub get_dh_cipher_result { + my ($cipher) = @_; + my $ciph_out; + if ($cipher eq '2' || $cipher eq 'dh-group2') { + $ciph_out = 'modp1024'; + } elsif ($cipher eq '5' || $cipher eq 'dh-group5') { + $ciph_out = 'modp1536'; + } elsif ($cipher eq '14' || $cipher eq 'dh-group14') { + $ciph_out = 'modp2048'; + } elsif ($cipher eq '15' || $cipher eq 'dh-group15') { + $ciph_out = 'modp3072'; + } elsif ($cipher eq '16' || $cipher eq 'dh-group16') { + $ciph_out = 'modp4096'; + } elsif ($cipher eq '17' || $cipher eq 'dh-group17') { + $ciph_out = 'modp6144'; + } elsif ($cipher eq '18' || $cipher eq 'dh-group18') { + $ciph_out = 'modp8192'; + } elsif ($cipher eq '19' || $cipher eq 'dh-group19') { + $ciph_out = 'ecp256'; + } elsif ($cipher eq '20' || $cipher eq 'dh-group20') { + $ciph_out = 'ecp384'; + } elsif ($cipher eq '21' || $cipher eq 'dh-group21') { + $ciph_out = 'ecp521'; + } elsif ($cipher eq '22' || $cipher eq 'dh-group22') { + $ciph_out = 'modp1024s160'; + } elsif ($cipher eq '23' || $cipher eq 'dh-group23') { + $ciph_out = 'modp2048s224'; + } elsif ($cipher eq '24' || $cipher eq 'dh-group24') { + $ciph_out = 'modp2048s256'; + } elsif ($cipher eq '25' || $cipher eq 'dh-group25') { + $ciph_out = 'ecp192'; + } elsif ($cipher eq '26' || $cipher eq 'dh-group26') { + $ciph_out = 'ecp224'; + } else { + $ciph_out = 'unknown'; + } + return $ciph_out; +} + # end of file -- cgit v1.2.3 From 9587a7eb06ecef9610260657d98736d8286feab0 Mon Sep 17 00:00:00 2001 
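Review bot: get_dh_cipher_result compares `$cipher` with `eq` without a definedness guard, so an undefined argument (a later commit in this series passes the result of a `returnValue` lookup straight in) raises an uninitialized-value warning where warnings are enabled and only then falls through to 'unknown'; add `return 'unknown' unless defined $cipher;` as the first statement. The fifteen-branch elsif chain restates one table twice (numeric and `dh-groupN` spellings); a hash keyed on the group number with the prefix stripped once is shorter and makes adding a group a one-line change, as sketched below. The string 'unknown' is the only failure signal, so every caller has to compare against it explicitly; a comment on the sub such as `# Map a dh-group number or 'dh-groupN' name to the strongSwan proposal token; 'unknown' if unmapped` would make that contract visible.
```perl
# dh-group number -> strongSwan proposal token (IKEv1/IKEv2 DH group names)
my %dh_token_of = (
    2  => 'modp1024',     5  => 'modp1536',     14 => 'modp2048',
    15 => 'modp3072',     16 => 'modp4096',     17 => 'modp6144',
    18 => 'modp8192',     19 => 'ecp256',       20 => 'ecp384',
    21 => 'ecp521',       22 => 'modp1024s160', 23 => 'modp2048s224',
    24 => 'modp2048s256', 25 => 'ecp192',       26 => 'ecp224',
);

sub get_dh_cipher_result {
    my ($cipher) = @_;
    return 'unknown' unless defined $cipher;
    (my $group = $cipher) =~ s/^dh-group//;
    return exists $dh_token_of{$group} ? $dh_token_of{$group} : 'unknown';
}
```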
From: Jeff Leung Date: Tue, 27 Jan 2015 00:27:28 -0800 Subject: Have the IKE parameter parser to use our new get_dh_cipher_result submodule The IKE parameter parser now uses the new get_dh_cipher_result submodule instead of the old if/else/elseif logic that was hardcoded to the parser. This should help ease developers adding new Diffie-Hellman groups if there are any in the future. --- scripts/vpn-config.pl | 35 ++++------------------------------- 1 file changed, 4 insertions(+), 31 deletions(-) diff --git a/scripts/vpn-config.pl b/scripts/vpn-config.pl index bffe9a1..8227d90 100755 --- a/scripts/vpn-config.pl +++ b/scripts/vpn-config.pl 
@@ -761,39 +761,12 @@ if ($vcVPN->exists('ipsec')) { if (defined($encryption) && defined($hash)) { $genout .= "$encryption-$hash"; if (defined($dh_group)) { - if ($dh_group eq '2') { - $genout .= '-modp1024'; - } elsif ($dh_group eq '5') { - $genout .= '-modp1536'; - } elsif ($dh_group eq '14') { - $genout .= '-modp2048'; - } elsif ($dh_group eq '15') { - $genout .= '-modp3072'; - } elsif ($dh_group eq '16') { - $genout .= '-modp4096'; - } elsif ($dh_group eq '17') { - $genout .= '-modp6144'; - } elsif ($dh_group eq '18') { - $genout .= '-modp8192'; - } elsif ($dh_group eq '19') { - $genout .= '-ecp256'; - } elsif ($dh_group eq '20') { - $genout .= '-ecp384'; - } elsif ($dh_group eq '21') { - $genout .= '-ecp521'; - } elsif ($dh_group eq '22') { - $genout .= '-modp1024s160'; - } elsif ($dh_group eq '23') { - $genout .= '-modp2048s224'; - } elsif ($dh_group eq '24') { - $genout .= '-modp2048s256'; - } elsif ($dh_group eq '25') { - $genout .= '-ecp192'; - } elsif ($dh_group eq '26') { - $genout .= '-ecp224'; - } elsif ($dh_group ne '') { + my $cipher_out = get_dh_cipher_result($dh_group); + if ($cipher_out eq 'unknown') { vpn_die(["vpn","ipsec","site-to-site","peer",$peer,"tunnel", $tunnel],"$vpn_cfg_err Invalid 'dh-group' $dh_group specified for ". "peer \"$peer\" $tunKeyword. Only 2, 5, or 14 through 26 accepted.\n"); + } else { + $genout .= "-$cipher_out"; } } } -- cgit v1.2.3 From d1618604bde40ae38ba3b587e655f16948212917 Mon Sep 17 00:00:00 2001 From: Jeff Leung Date: Tue, 27 Jan 2015 00:45:15 -0800 Subject: Generate PFS group settings alongside with our ESP settings Since strongSwan 5.0.0, defining the PFS group settings has moved in the esp= parameter. If PFS is simply enabled, it will use the first IKE proposal's dh-group as the PFS group. --- scripts/vpn-config.pl | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/scripts/vpn-config.pl b/scripts/vpn-config.pl index 8227d90..dfc9e97 100755 --- a/scripts/vpn-config.pl 
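Review bot: The old chain tolerated an empty `dh-group` through the `$dh_group ne ''` guard, while the new code passes '' to get_dh_cipher_result, gets 'unknown' back and calls vpn_die, so an empty value that used to be skipped silently now aborts the commit; that is arguably the better behaviour, but it is a change the commit message does not mention and should state. If vpn_die does not return (not visible here), the `else` is redundant and the block reads more plainly as `if ($cipher_out eq 'unknown') { vpn_die(...); }` followed by an unconditional `$genout .= "-$cipher_out";`. The enclosing proposal loop starts and ends outside the hunk.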
+++ b/scripts/vpn-config.pl @@ -862,10 +862,11 @@ if ($vcVPN->exists('ipsec')) { foreach my $esp_proposal (@esp_proposals) { # - # Get encryption, hash + # Get encryption, hash and PFS group settings # my $encryption = $vcVPN->returnValue("ipsec esp-group $esp_group proposal $esp_proposal encryption"); my $hash = $vcVPN->returnValue("ipsec esp-group $esp_group proposal $esp_proposal hash"); + my $pfs = $vcVPN->returnValue("ipsec esp-group $esp_group pfs"); # # Write separator if not first proposal @@ -875,12 +876,26 @@ if ($vcVPN->exists('ipsec')) { } else { $genout .= ","; } + if (defined($pfs)) { + if ($pfs eq 'enable') { + # Get the first IKE group's dh-group and use that as our PFS setting + my $default_pfs = $vcVPN->returnValue("ipsec ike-group $ike_group proposal 1 dh-group"); + $pfs = get_dh_cipher_result($default_pfs); + } elsif ($pfs eq 'disable') { + undef $pfs; + } else { + $pfs = get_dh_cipher_result($pfs); + } + } # # Write values # if (defined($encryption) && defined($hash)) { $genout .= "$encryption-$hash"; + if (defined($pfs)) { + $genout .= "-$pfs"; + } } } $genout .= "!\n"; -- cgit v1.2.3 From 9d20c1dc27d91e362e79221dd773dd9418d5af99 Mon Sep 17 00:00:00 2001 From: Jeff Leung Date: Tue, 27 Jan 2015 00:51:46 -0800 Subject: Removing pfs and pfsgroup parameter generation In strongSwan 5.0.0 and later series, pfs= and pfsgroup= parameters have now been removed. --- scripts/vpn-config.pl | 57 --------------------------------------------------- 1 file changed, 57 deletions(-) diff --git a/scripts/vpn-config.pl b/scripts/vpn-config.pl index dfc9e97..725f945 100755 --- a/scripts/vpn-config.pl +++ b/scripts/vpn-config.pl 
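Review bot: In the second hunk `$pfs` is only tested with `defined`, so when the configured value or the ike-group's `proposal 1 dh-group` is not mappable, get_dh_cipher_result's 'unknown' sentinel is appended verbatim and the esp= proposal becomes something like `aes256-sha1-unknown`, which charon would then have to reject at load time instead of the commit failing; mirror the IKE path and die, e.g. `if (defined($pfs) && $pfs eq 'unknown') { vpn_die(["vpn","ipsec","esp-group",$esp_group,"pfs"], "$vpn_cfg_err Invalid 'pfs' setting for esp-group \"$esp_group\".\n"); }`. The `enable` branch assumes the ike-group has a proposal numbered 1; if `$default_pfs` comes back undefined the same sentinel results, so that case deserves its own message naming the ike-group. `$pfs` is a per-esp-group setting but is read and resolved again for every proposal inside the loop; hoisting the lookup and the resolution above `foreach my $esp_proposal` avoids the repetition. Whether `$ike_group` is the group bound to this peer at this point is not visible in the hunk and is worth confirming.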
@@ -939,63 +939,6 @@ if ($vcVPN->exists('ipsec')) { } $genout .= "\ttype=$espmode\n"; - # - # Perfect Forward Secrecy - # - my $pfs = $vcVPN->returnValue("ipsec esp-group $esp_group pfs"); - if (defined($pfs)) { - if ($pfs eq 'enable') { - $genout .= "\tpfs=yes\n"; - } elsif ($pfs eq 'dh-group2') { - $genout .= "\tpfs=yes\n"; - $genout .= "\tpfsgroup=modp1024\n"; - } elsif ($pfs eq 'dh-group5') { - $genout .= "\tpfs=yes\n"; - $genout .= "\tpfsgroup=modp1536\n"; - } elsif ($pfs eq 'dh-group14') { - $genout .= "\tpfs=yes\n"; - $genout .= "\tpfsgroup=modp2048\n"; - } elsif ($pfs eq 'dh-group15') { - $genout .= "\tpfs=yes\n"; - $genout .= "\tpfsgroup=modp3072\n"; - } elsif ($pfs eq 'dh-group16') { - $genout .= "\tpfs=yes\n"; - $genout .= "\tpfsgroup=modp4096\n"; - } elsif ($pfs eq 'dh-group17') { - $genout .= "\tpfs=yes\n"; - $genout .= "\tpfsgroup=modp6144\n"; - } elsif ($pfs eq 'dh-group18') { - $genout .= "\tpfs=yes\n"; - $genout .= "\tpfsgroup=modp8192\n"; - } elsif ($pfs eq 'dh-group19') { - $genout .= "\tpfs=yes\n"; - $genout .= "\tpfsgroup=ecp256\n"; - } elsif ($pfs eq 'dh-group20') { - $genout .= "\tpfs=yes\n"; - $genout .= "\tpfsgroup=ecp384\n"; - } elsif ($pfs eq 'dh-group21') { - $genout .= "\tpfs=yes\n"; - $genout .= "\tpfsgroup=ecp521\n"; - } elsif ($pfs eq 'dh-group22') { - $genout .= "\tpfs=yes\n"; - $genout .= "\tpfsgroup=modp1024s160\n"; - } elsif ($pfs eq 'dh-group23') { - $genout .= "\tpfs=yes\n"; - $genout .= "\tpfsgroup=modp2048s224\n"; - } elsif ($pfs eq 'dh-group24') { - $genout .= "\tpfs=yes\n"; - $genout .= "\tpfsgroup=modp2048s256\n"; - } elsif ($pfs eq 'dh-group25') { - $genout .= "\tpfs=yes\n"; - $genout .= "\tpfsgroup=ecp192\n"; - } elsif ($pfs eq 'dh-group26') { - $genout .= "\tpfs=yes\n"; - $genout .= "\tpfsgroup=ecp224\n"; - } else { - $genout .= "\tpfs=no\n"; - } - } - # # Compression # -- cgit v1.2.3 From de318d8d25427a27c80206c16dc36c0021dfca2c Mon Sep 17 00:00:00 2001 
From: Jeff Leung Date: Sat, 31 Jan 2015 07:37:43 +0000 Subject: Allow users to specify aggressive mode for IKEv1 key exchanges Although strongly not recommended by the developers of strongSwan, sometimes remote VPN gateways requires this because of interop reasons or a network admin who doesn't have an idea on why aggressive mode is bad. --- scripts/vpn-config.pl | 12 ++++++++++++ templates/vpn/ipsec/ike-group/node.tag/mode/node.def | 6 ++++++ 2 files changed, 18 insertions(+) create mode 100644 templates/vpn/ipsec/ike-group/node.tag/mode/node.def diff --git a/scripts/vpn-config.pl b/scripts/vpn-config.pl index 725f945..b974a5a 100755 --- a/scripts/vpn-config.pl +++ b/scripts/vpn-config.pl @@ -825,6 +825,18 @@ if ($vcVPN->exists('ipsec')) { } } + # + # Allow the user to specify aggressive mode for IKEv1 connections + # + my $aggressive_mode = $vcVPN->returnValue("ipsec ike-group $ike_group mode"); + + if (defined($aggressive_mode)) { + if (defined($key_exchange) && $key_exchange eq 'ikev2') { + vpn_die(["vpn","ipsec","ike-group", $ike_group, "mode"], "$vpn_cfg_err Selection of Main/Aggressive modes is only valid for IKEv1 configurations"); + } else { + $genout .= "\taggressive=yes\n"; + } + } my $t_ikelifetime =$vcVPN->returnValue("ipsec ike-group $ike_group lifetime"); if (defined($t_ikelifetime) && $t_ikelifetime ne '') { $ikelifetime = $t_ikelifetime; diff --git a/templates/vpn/ipsec/ike-group/node.tag/mode/node.def b/templates/vpn/ipsec/ike-group/node.tag/mode/node.def new file mode 100644 index 0000000..f302d3d --- /dev/null +++ b/templates/vpn/ipsec/ike-group/node.tag/mode/node.def 
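Review bot: The new block writes `aggressive=yes` for every defined `mode` value that survives the IKEv2 check, so `mode main` — the template's recommended default — enables aggressive mode instead of disabling it; compare explicitly, `if ($aggressive_mode eq 'aggressive') { $genout .= "\taggressive=yes\n"; } else { $genout .= "\taggressive=no\n"; }`. Because IKEv1 aggressive mode with pre-shared-key authentication lets any peer that can initiate to the gateway obtain a value derived from the PSK that can be guessed offline, it would help operators if the script also emitted a commit-time warning when a peer using this ike-group authenticates with a pre-shared secret, rather than relying on the template help text alone. The vpn_die message here lacks the trailing `\n` that the other vpn_die calls in this file carry; harmless, but inconsistent. The enclosing ike-group block starts and ends outside the hunk.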
@@ -0,0 +1,6 @@ +help: IKEv1 Phase 1 Mode Selection +type: txt +default: "main" +syntax:expression: $VAR(@) in "main", "aggressive"; "must be main or aggressive" +val_help: main; Use Main mode for Key Exchanges in the IKEv1 Protocol (Recommended Default) +val_help: ikev2; Use Aggressive mode for Key Exchanges in the IKEv1 protocol - We do not recommend users to use aggressive mode as it is much more insecure compared to Main mode. -- cgit v1.2.3 From a64d08fe6cfbc6275c2682fbe92d4856334deec2 Mon Sep 17 00:00:00 2001 From: Jeff Leung Date: Thu, 5 Feb 2015 06:26:36 +0000 Subject: Allow users to specify a custom file to be included with ipsec.conf --- scripts/vpn-config.pl | 10 ++++++++++ templates/vpn/ipsec/include-ipsec-conf/node.def | 2 ++ 2 files changed, 12 insertions(+) create mode 100644 templates/vpn/ipsec/include-ipsec-conf/node.def diff --git a/scripts/vpn-config.pl b/scripts/vpn-config.pl index b974a5a..7dd18f1 100755 --- a/scripts/vpn-config.pl +++ b/scripts/vpn-config.pl @@ -1160,6 +1160,16 @@ if ($vcVPN->exists('ipsec')) { } } } + + # + # Include a custom configuration file + # + my $custom_include = $vcVPN->returnValue("ipsec include-ipsec-conf"); + if (defined($custom_include)) { + if ( ! -e $custom_include ) { + vpn_die(["vpn","ipsec","include-ipsec-conf"],"$vpn_cfg_err The specified file for inclusion inside ipsec.conf does not exist."); + } + } if (-e '/etc/dmvpn.conf') { $genout .= "\ninclude /etc/dmvpn.conf\n"; } diff --git a/templates/vpn/ipsec/include-ipsec-conf/node.def b/templates/vpn/ipsec/include-ipsec-conf/node.def new file mode 100644 index 0000000..fc82a45 --- /dev/null +++ b/templates/vpn/ipsec/include-ipsec-conf/node.def @@ -0,0 +1,2 @@ +type: txt +help: Sets to include an additional configuration directive file for strongSwan. Use an absolute path to specify the included file. -- cgit v1.2.3 From cb76ae8fbdffa0c8dee28b95867776955806f025 Mon Sep 17 00:00:00 2001 
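Review bot: Nothing in this hunk emits an `include` directive for `$custom_include`, so the new node is validated and then ignored: the only include written to `$genout` is the pre-existing `/etc/dmvpn.conf` one, and the diffstat shows no other change to vpn-config.pl in this commit, so the feature named in the subject is not wired up unless another part of the script does it. Because the value is spliced into ipsec.conf as-is, it should also be constrained to what the node help promises — an absolute, whitespace-free path to a readable regular file — since `-e` accepts directories and a value containing a newline would turn into additional configuration lines. A version that does both is below; the enclosing `if ($vcVPN->exists('ipsec'))` block starts and ends outside the hunk.
```perl
    my $custom_include = $vcVPN->returnValue("ipsec include-ipsec-conf");
    if (defined($custom_include)) {
        # Only an absolute, whitespace-free path to a readable regular file is
        # spliced into ipsec.conf; anything else could alter the generated config.
        if ($custom_include !~ m{\A/\S+\z} || ! -f $custom_include || ! -r $custom_include) {
            vpn_die(["vpn","ipsec","include-ipsec-conf"],"$vpn_cfg_err The file for inclusion inside ipsec.conf must be an absolute path to a readable file.");
        }
        $genout .= "\ninclude $custom_include\n";
    }
    # … unchanged: /etc/dmvpn.conf include …
```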
From: Jeff Leung Date: Thu, 5 Feb 2015 08:03:09 +0000 Subject: Update ipsec logging log-modes to point towards charon's loggers log-modes now expose charon's keywords instead of pluto's keywords. Refer to the strongSwan's manual to see what each specific logger does. --- scripts/vpn-config.pl | 18 ++++++++--------- templates/vpn/ipsec/logging/log-level/node.def | 5 +++++ templates/vpn/ipsec/logging/log-modes/node.def | 28 +++++++++++++++++--------- 3 files changed, 33 insertions(+), 18 deletions(-) create mode 100644 templates/vpn/ipsec/logging/log-level/node.def diff --git a/scripts/vpn-config.pl b/scripts/vpn-config.pl index 7dd18f1..89af400 100755 --- a/scripts/vpn-config.pl +++ b/scripts/vpn-config.pl @@ -306,23 +306,23 @@ if ($vcVPN->exists('ipsec')) { } # - # log-mode + # charon log-mode # my @logmodes = $vcVPN->returnValues('ipsec logging log-modes'); + my $charonloglevel = $vcVPN->returnValue('ipsec logging log-level'); if (@logmodes > 0) { my $debugmode = ''; + my $first_debug_mode = 1; + $genout .= "\tcharondebug=\""; foreach my $mode (@logmodes) { - if ($mode eq "all") { - $debugmode = "all"; - last; - } - if ($debugmode eq '') { - $debugmode = "$mode"; + if ($first_debug_mode) { + $first_debug_mode = 0; } else { - $debugmode .= " $mode"; + $genout .= ", "; } + $genout .= "$mode $charonloglevel"; } - $genout .= "\tplutodebug=\"$debugmode\"\n"; + $genout .= "\"\n"; } # Set plutoopts: diff --git a/templates/vpn/ipsec/logging/log-level/node.def b/templates/vpn/ipsec/logging/log-level/node.def new file mode 100644 index 0000000..54cf698 --- /dev/null +++ b/templates/vpn/ipsec/logging/log-level/node.def @@ -0,0 +1,5 @@ +help: strongSwan Logger Level +type: u32 +default: 1 +syntax:expression: ($VAR(@) >= 0 && $VAR(@) <= 2) ; "must be between levels 0-2" +val_help: u32:0-2; Logger Verbosity Level (default 0) diff --git a/templates/vpn/ipsec/logging/log-modes/node.def b/templates/vpn/ipsec/logging/log-modes/node.def index f0dd9f4..5662a4e 100644 
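Review bot: The new log-level template declares `default: 1` but its val_help text says "(default 0)", so the CLI help contradicts the value that is actually applied; align one with the other, e.g. `val_help: u32:0-2; Logger Verbosity Level (default 1)`. The 0-2 ceiling in the syntax expression is worth keeping: strongSwan's higher levels dump raw packets and, at the top level, keying material into the log, which a configuration node should not be able to switch on casually — a short sentence in the help explaining the limit would stop someone raising it later.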
--- a/templates/vpn/ipsec/logging/log-modes/node.def +++ b/templates/vpn/ipsec/logging/log-modes/node.def @@ -1,11 +1,21 @@ multi: -help: Log mode +help: Log mode. To see what each log mode exactly does, please refer to the strongSwan documentation type: txt -syntax:expression: $VAR(@) in "raw", "crypt", "parsing", "emitting", "control", "all", "private" ; "must be one of the following: raw, crypt, parsing, emitting, control, all, private" -val_help: raw; Debug log option for pluto -val_help: crypt; Debug log option for pluto -val_help: parsing; Debug log option for pluto -val_help: emitting; Debug log option for pluto -val_help: control; Debug log option for pluto -val_help: all; Debug log option for pluto -val_help: private; Debug log option for pluto +syntax:expression: $VAR(@) in "dmn", "mgr", "ike", "chd", "job", "cfg", "knl", "net", "asn", "enc", "lib", "esp", "tls", "tnc", "imc", "imv", "pts" ; "must be one of the following: dmn, mgr, ike, chd, job, cfg, knl, net, asn, enc, lib, esp, tls, tnc, imc, imv, pts" +val_help: dmn; Debug log option for strongSwan +val_help: mgr; Debug log option for strongSwan +val_help: ike; Debug log option for strongSwan +val_help: chd; Debug log option for strongSwan +val_help: job; Debug log option for strongSwan +val_help: cfg; Debug log option for strongSwan +val_help: knl; Debug log option for strongSwan +val_help: net; Debug log option for strongSwan +val_help: asn; Debug log option for strongSwan +val_help: enc; Debug log option for strongSwan +val_help: lib; Debug log option for strongSwan +val_help: esp; Debug log option for strongSwan +val_help: tls; Debug log option for strongSwan +val_help: tnc; Debug log option for strongSwan +val_help: imc; Debug log option for strongSwan +val_help: imv; Debug log option for strongSwan +val_help: pts; Debug log option for strongSwan -- cgit v1.2.3 From 91f54b8d8ca8565371006beb38e978c726192188 Mon Sep 17 00:00:00 2001 
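Review bot: All seventeen val_help entries carry the identical text "Debug log option for strongSwan", so the `?` help gives the operator no way to tell the modes apart; each line should name its subsystem as strongSwan documents them, e.g. `val_help: ike; IKE_SA processing`, `val_help: chd; CHILD_SA processing`, `val_help: knl; Kernel interface`, `val_help: net; IKE network communication`, `val_help: cfg; Configuration management`, `val_help: enc; Packet encoding and decoding`. With that done the `help:` line can shrink back to a short label instead of deferring to external documentation.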
From: Jeff Leung Date: Fri, 6 Feb 2015 04:58:00 +0000 Subject: Use ipsec reload instead of update For some odd reason doing an ipsec update does not make charon pick up any newly created tunnels. However doing an ipsec reload updates all newly created tunnels correctly. --- scripts/vpn-config.pl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/vpn-config.pl b/scripts/vpn-config.pl index 89af400..c0c2084 100755 --- a/scripts/vpn-config.pl +++ b/scripts/vpn-config.pl @@ -1239,7 +1239,7 @@ if ( $vcVPN->isDeleted('.') vpn_exec('ipsec restart >&/dev/null', 're-starting ipsec'); }else { vpn_exec('ipsec rereadall >&/dev/null', 're-read secrets and certs'); - vpn_exec('ipsec update >&/dev/null', 'update changes to ipsec.conf'); + vpn_exec('ipsec reload >&/dev/null', 'reload changes to ipsec.conf'); } } else { if (!defined($update_interval)) { -- cgit v1.2.3 From 82c41cedf5a295ebd2ad28700c4c9a5c9b5a91d3 Mon Sep 17 00:00:00 2001 From: Jeff Leung Date: Sat, 7 Feb 2015 03:53:20 +0000 Subject: Remove the default value in ipsec ike-group $name mode Setting this to a default value breaks ikev2 configurations since aggressive mode is only applicable for ikev1 tunnels --- templates/vpn/ipsec/ike-group/node.tag/mode/node.def | 1 - 1 file changed, 1 deletion(-) diff --git a/templates/vpn/ipsec/ike-group/node.tag/mode/node.def b/templates/vpn/ipsec/ike-group/node.tag/mode/node.def index f302d3d..fad935f 100644 --- a/templates/vpn/ipsec/ike-group/node.tag/mode/node.def +++ b/templates/vpn/ipsec/ike-group/node.tag/mode/node.def 
@@ -1,6 +1,5 @@ help: IKEv1 Phase 1 Mode Selection type: txt -default: "main" syntax:expression: $VAR(@) in "main", "aggressive"; "must be main or aggressive" val_help: main; Use Main mode for Key Exchanges in the IKEv1 Protocol (Recommended Default) val_help: ikev2; Use Aggressive mode for Key Exchanges in the IKEv1 protocol - We do not recommend users to use aggressive mode as it is much more insecure compared to Main mode. -- cgit v1.2.3 From 29666fa797d4cd62fbfc7fb9f8532f36196e78cc Mon Sep 17 00:00:00 2001 From: Jeff Leung Date: Sat, 7 Feb 2015 06:32:31 +0000 Subject: Update references from pluto.ctl to charon.ctl This needs to be updated or VPN configurations won't be properly handled on subsequent updates. --- lib/Vyatta/VPN/Util.pm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/Vyatta/VPN/Util.pm b/lib/Vyatta/VPN/Util.pm index f7dc320..a40cc90 100755 --- a/lib/Vyatta/VPN/Util.pm +++ b/lib/Vyatta/VPN/Util.pm @@ -37,7 +37,7 @@ use constant LOCAL_KEY_FILE_DEFAULT => '/opt/vyatta/etc/config/ipsec.d/rsa-keys/localhost.key'; sub is_vpn_running { - return ( -e '/var/run/pluto.ctl'); + return ( -e '/var/run/charon.ctl'); } sub get_protocols { -- cgit v1.2.3 From 8852024ad3e33f30c893d02c31031393080ab816 Mon Sep 17 00:00:00 2001 From: Jeff Leung Date: Sat, 7 Feb 2015 06:35:24 +0000 Subject: Properly clean up site-to-site tunnels on removal strongSwan's charon by design maintains all established connections regardless, even if the connection's profile has been deleted from ipsec.conf. This change will grab a list of old tunnels from the old configuration and clean up old tunnels that are not present in the new configuration. --- scripts/vpn-config.pl | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/scripts/vpn-config.pl b/scripts/vpn-config.pl index c0c2084..614e163 100755 --- a/scripts/vpn-config.pl +++ b/scripts/vpn-config.pl 
@@ -1238,6 +1238,29 @@ if ( $vcVPN->isDeleted('.') print "Re-starting IPsec daemon to deactivate auto-update...\n"; vpn_exec('ipsec restart >&/dev/null', 're-starting ipsec'); }else { + + # Grab the list of old peers and tunnels + my @tunnel_cfg_new = $vcVPN->listNodes('ipsec site-to-site peer'); + my @tunnel_cfg_old = $vcVPN->listOrigNodes('ipsec site-to-site peer'); + my @old_tunnels; + my %seen; + @seen{@tunnel_cfg_new} = (); + + # Find the old tunnels in previous configuration + foreach my $tunnel (@tunnel_cfg_old) { + push (@old_tunnels, $tunnel) unless exists $seen{$tunnel}; + } + + # Issue an ipsec down on the old tunnel since charon doesn't clean up + # connections removed from ipsec.conf + foreach my $old_peer (@old_tunnels) { + my @tunnels = $vcVPN->listOrigNodes("ipsec site-to-site peer $old_peer tunnel"); + foreach my $tunnel (@tunnels) + { + vpn_exec("ipsec down peer-$old_peer-tunnel-$tunnel", "Cleaning up site-to-site peer $old_peer at tunnel $tunnel"); + } + } + vpn_exec('ipsec rereadall >&/dev/null', 're-read secrets and certs'); vpn_exec('ipsec reload >&/dev/null', 'reload changes to ipsec.conf'); } -- cgit v1.2.3 From 0e4aed338c5a72b93931f7e16afae4246347be6a Mon Sep 17 00:00:00 2001 From: Jeff Leung Date: Sat, 7 Feb 2015 20:11:27 +0000 Subject: Configure the ipsec debug logger at runtime Instead of configuring the ipsec logger at config time, configure it at runtime. The codeblock that generated the logger will be removed in a subsequent commit --- scripts/vpn-config.pl | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/scripts/vpn-config.pl b/scripts/vpn-config.pl index 614e163..15a437b 100755 --- a/scripts/vpn-config.pl +++ b/scripts/vpn-config.pl 
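Review bot: The cleanup only considers peers that disappeared entirely (`@tunnel_cfg_old` minus `@tunnel_cfg_new`), so a tunnel removed from a peer that still exists is never brought down and, per the commit's own description of charon's behaviour, stays established; the old/new comparison needs to be made per peer at the tunnel level, as below. The connection name `peer-$old_peer-tunnel-$tunnel` is built from configuration node names and handed to vpn_exec as one string; if vpn_exec runs its argument through a shell, a peer name containing shell metacharacters would be interpreted, so either pass a list or constrain the name before interpolating it — whether vpn_exec uses a shell is not visible here. The brace placement of the inner `foreach my $tunnel (@tunnels)` differs from the rest of the file. The enclosing else branch starts outside the hunk.
```perl
    # Bring down every peer/tunnel present in the old configuration but
    # absent from the new one (charon keeps connections dropped from ipsec.conf).
    foreach my $old_peer ($vcVPN->listOrigNodes('ipsec site-to-site peer')) {
        my %still_configured;
        @still_configured{ $vcVPN->listNodes("ipsec site-to-site peer $old_peer tunnel") } = ();
        foreach my $tunnel ($vcVPN->listOrigNodes("ipsec site-to-site peer $old_peer tunnel")) {
            next if exists $still_configured{$tunnel};
            vpn_exec("ipsec down peer-$old_peer-tunnel-$tunnel",
                     "Cleaning up site-to-site peer $old_peer at tunnel $tunnel");
        }
    }
    # … unchanged: rereadall / reload …
```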
@@ -1271,6 +1271,24 @@ if ( $vcVPN->isDeleted('.') vpn_exec('ipsec start --auto-update '.$update_interval.' >&/dev/null','start ipsec with auto-update $update_interval'); } } + + # Activate any debugging options by + # calling ipsec stroke loglevel + my @logmodes = $vcVPN->returnValues('ipsec logging log-modes'); + my @oldmodes = $vcVPN->returnOrigValues('ipsec logging log-modes'); + my $charonloglevel = $vcVPN->returnValue('ipsec logging log-level'); + # Clean up any logging modes if present + if (@oldmodes > 0) { + foreach my $mode (@oldmodes) { + vpn_exec("ipsec stroke loglevel $mode 0", "Deactivating log source $mode"); + } + } + # Finally activate our new logger configuration + if (@logmodes > 0) { + foreach my $mode (@logmodes) { + vpn_exec("ipsec stroke loglevel $mode $charonloglevel", "Stroking log source $mode to loglevel $charonloglevel"); + } + } } } -- cgit v1.2.3 From 3a343f34372c4d2a920758161b864d74c685f570 Mon Sep 17 00:00:00 2001 From: Jeff Leung Date: Sat, 7 Feb 2015 20:13:35 +0000 Subject: Remove the code that generates our ipsec logger at runtime Since we're invoking the logger at runtime, there's really no point on keeping this codeblock --- scripts/vpn-config.pl | 20 -------------------- 1 file changed, 20 deletions(-) diff --git a/scripts/vpn-config.pl b/scripts/vpn-config.pl index 15a437b..613f40f 100755 --- a/scripts/vpn-config.pl +++ b/scripts/vpn-config.pl @@ -305,26 +305,6 @@ if ($vcVPN->exists('ipsec')) { $genout .= "\"\n"; } - # - # charon log-mode - # - my @logmodes = $vcVPN->returnValues('ipsec logging log-modes'); - my $charonloglevel = $vcVPN->returnValue('ipsec logging log-level'); - if (@logmodes > 0) { - my $debugmode = ''; - my $first_debug_mode = 1; - $genout .= "\tcharondebug=\""; - foreach my $mode (@logmodes) { - if ($first_debug_mode) { - $first_debug_mode = 0; - } else { - $genout .= ", "; - } - $genout .= "$mode $charonloglevel"; - } - $genout .= "\"\n"; - } - # Set plutoopts: # Disable uniqreqids? # -- cgit v1.2.3 
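Review bot: `$charonloglevel` is interpolated into `ipsec stroke loglevel $mode $charonloglevel` without a definedness check, so if `log-level` is unset and `returnValue` does not hand back the template default, the command is issued with an empty level (plus an uninitialized-value warning where warnings are enabled); resolve it once, `my $charonloglevel = $vcVPN->returnValue('ipsec logging log-level'); $charonloglevel = 1 unless defined $charonloglevel;`, mirroring the template's default. The block also runs right after the `ipsec start` branch; if charon is not yet accepting stroke messages at that moment the loglevel calls fail silently, which deserves a comment or a short retry. Resetting the old modes to 0 before raising the new ones is right, but the comment should say that 0 is strongSwan's basic auditing level rather than "off", so nobody later removes the reset as redundant. The enclosing block starts outside the hunk.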
From 832208422595261e1044890c18c16998a9aaf421 Mon Sep 17 00:00:00 2001 From: Jeff Leung Date: Sun, 8 Feb 2015 07:21:25 +0000 Subject: Correct typo'd aggressive option Originally we meant aggressive, not ikev2 --- templates/vpn/ipsec/ike-group/node.tag/mode/node.def | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/vpn/ipsec/ike-group/node.tag/mode/node.def b/templates/vpn/ipsec/ike-group/node.tag/mode/node.def index fad935f..2b67dad 100644 --- a/templates/vpn/ipsec/ike-group/node.tag/mode/node.def +++ b/templates/vpn/ipsec/ike-group/node.tag/mode/node.def @@ -2,4 +2,4 @@ help: IKEv1 Phase 1 Mode Selection type: txt syntax:expression: $VAR(@) in "main", "aggressive"; "must be main or aggressive" val_help: main; Use Main mode for Key Exchanges in the IKEv1 Protocol (Recommended Default) -val_help: ikev2; Use Aggressive mode for Key Exchanges in the IKEv1 protocol - We do not recommend users to use aggressive mode as it is much more insecure compared to Main mode. +val_help: aggressive; Use Aggressive mode for Key Exchanges in the IKEv1 protocol - We do not recommend users to use aggressive mode as it is much more insecure compared to Main mode. -- cgit v1.2.3 From 6b652b14199b748089f50bc417b7866300cd0a2f Mon Sep 17 00:00:00 2001 From: Jeff Leung Date: Sun, 8 Feb 2015 08:12:09 +0000 Subject: Slightly alter aggressive mode selection logic If the user defines main mode, the config script will always enable aggressive mode. Fix the logic to correctly disable aggressive mode when main mode is asked for in IKEv1 connections. --- scripts/vpn-config.pl | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/scripts/vpn-config.pl b/scripts/vpn-config.pl index 613f40f..41e2a35 100755 --- a/scripts/vpn-config.pl +++ b/scripts/vpn-config.pl 
@@ -813,8 +813,11 @@ if ($vcVPN->exists('ipsec')) { if (defined($aggressive_mode)) { if (defined($key_exchange) && $key_exchange eq 'ikev2') { vpn_die(["vpn","ipsec","ike-group", $ike_group, "mode"], "$vpn_cfg_err Selection of Main/Aggressive modes is only valid for IKEv1 configurations"); - } else { + } + if ($aggressive_mode eq 'aggressive') { $genout .= "\taggressive=yes\n"; + } else { + $genout .= "\taggressive=no\n"; } } my $t_ikelifetime =$vcVPN->returnValue("ipsec ike-group $ike_group lifetime"); -- cgit v1.2.3 From a69985d6853537d296027be5d2d1c44d73fbeccc Mon Sep 17 00:00:00 2001 From: Jeff Leung Date: Mon, 9 Feb 2015 07:30:14 +0000 Subject: Removing generation of leftsourceip= parameter in ipsec.conf As confirmed by Thermi in the strongSwan IRC channel inside freenode, this parameter should not have been generated for a S2S VPN setup. If leftsourceip= is specified on both ends in an IKEv1 S2S VPN tunnel, both ends will have charon hanging on MODE_CONFIG. This is because both ends are trying to ask an IP from the remote end which doesn't exist. --- scripts/vpn-config.pl | 60 --------------------------------------------------- 1 file changed, 60 deletions(-) diff --git a/scripts/vpn-config.pl b/scripts/vpn-config.pl index 41e2a35..ca685bd 100755 --- a/scripts/vpn-config.pl +++ b/scripts/vpn-config.pl @@ -37,7 +37,6 @@ use Vyatta::TypeChecker; use Vyatta::VPN::Util; use Getopt::Long; use Vyatta::Misc; -use NetAddr::IP; use Vyatta::VPN::vtiIntf; my $config_file; 
@@ -479,16 +478,6 @@ if ($vcVPN->exists('ipsec')) { $lip = get_dhcp_addr($dhcp_iface); } - # -> leftsourceip is the internal source IP to use in a tunnel - # -> we use leftsourceip to add a route to the rightsubnet - # only when rightsubnet is defined and is not 0.0.0.0/0. we do not - # want to add a vpn route for everything i.e. rightsubnet = 0.0.0.0/0 - # -> if leftsubnet is defined and is not 0.0.0.0/0; we try and find - # an interface on the system that has an IP address lying within - # the leftsubnet and use that as leftsourceip. if leftsubnet is not - # defined or is 0.0.0.0/0 then we use local-address as leftsourceip. - my $leftsourceip = undef; - # # Assign left and right to local and remote interfaces # @@ -499,11 +488,8 @@ if ($vcVPN->exists('ipsec')) { "for peer \"$peer\" $tunKeyword.\n"); } $genout .= "\tleft=%defaultroute\n"; - - # no need for leftsourceip as a defaultroute is must for this to work } else { $genout .= "\tleft=$lip\n"; - $leftsourceip = "\tleftsourceip=$lip\n"; } $genout .= "\tleftid=\"$authid\"\n" if defined $authid; } @@ -554,19 +540,6 @@ if ($vcVPN->exists('ipsec')) { if (defined($leftsubnet)) { $genout .= "\tleftsubnet=$leftsubnet\n"; - if (!($leftsubnet eq '0.0.0.0/0')) { - my $localsubnet_object = new NetAddr::IP($leftsubnet); - - # leftsourceip should now be an IP on system lying within the leftsubnet - my @system_ips = Vyatta::Misc::getIP(undef, '4'); - foreach my $system_ip (@system_ips) { - my $systemip_object = new NetAddr::IP($system_ip); - if (CheckIfAddressInsideNetwork($systemip_object, $localsubnet_object)){ - my $sourceip = $systemip_object->addr(); - $leftsourceip = "\tleftsourceip=$sourceip\n"; - } - } - } } my $remotesubnet = $vcVPN->returnValue("ipsec site-to-site peer $peer $tunKeyword remote prefix"); 
@@ -624,21 +597,8 @@ if ($vcVPN->exists('ipsec')) { } if (defined($rightsubnet)) { $genout .= "\trightsubnet=$rightsubnet\n"; - - # not adding vpn route if remote prefix is 0.0.0.0/0 - # user should add a route [default/static] manually - $leftsourceip = undef if $rightsubnet eq '0.0.0.0/0'; - if ($rightsubnet =~ /vhost:%priv/) { - - # can't add route when rightsubnet is not specific - $leftsourceip = undef; - } - } else { - $leftsourceip =undef; # no need for vpn route if rightsubnet not defined } - $genout .= $leftsourceip if defined $leftsourceip; - # # Protocol/port # @@ -1416,26 +1376,6 @@ sub hasLocalWildcard { return 0; } -sub CheckIfAddressInsideNetwork { - my ($address, $naipNetwork) = @_; - - if (!defined($address) || !defined($naipNetwork)) { - return 0; - } - - my $naipSM = new NetAddr::IP($address); - if (defined($naipSM)) { - my $subnetIA = $naipSM->network()->addr(); - my $naipIA = new NetAddr::IP($subnetIA, $naipSM->masklen()); - - if (defined($naipIA) && $naipNetwork->within($naipIA)) { - return 1; - } - } - - return 0; -} - sub get_x509 { my $peer = pop(@_); -- cgit v1.2.3 From c6864b6ca7c18ab4ec248186e1310e46b7a97676 Mon Sep 17 00:00:00 2001 From: Jeff Leung Date: Tue, 10 Feb 2015 01:05:30 +0000 Subject: Allow the user to force UDP encapsulation for a named peer This might help with strongSwan traversing through firewalls that filter proto 51, but not UDP traffic. --- scripts/vpn-config.pl | 13 +++++++++++++ .../site-to-site/peer/node.tag/force-encapsulation/node.def | 6 ++++++ 2 files changed, 19 insertions(+) create mode 100644 templates/vpn/ipsec/site-to-site/peer/node.tag/force-encapsulation/node.def diff --git a/scripts/vpn-config.pl b/scripts/vpn-config.pl index ca685bd..0d5a63b 100755 --- a/scripts/vpn-config.pl +++ b/scripts/vpn-config.pl 
@@ -800,6 +800,19 @@ if ($vcVPN->exists('ipsec')) { $genout .= "\tdpdtimeout=$dpd_timeout" . "s\n"; $genout .= "\tdpdaction=$dpd_action\n"; } + + # + # Allow the user for force UDP encapsulation for the ESP + # payload. + # + my $forceencaps = $vcVPN->returnValue("ipsec site-to-site $peer force-encapsulation"); + if (defined($forceencaps)) { + if ($forceencaps eq 'enable') { + $genout .= "\tforceencaps=yes\n"; + } else { + $genout .= "\tforceencaps=no\n"; + } + } } # diff --git a/templates/vpn/ipsec/site-to-site/peer/node.tag/force-encapsulation/node.def b/templates/vpn/ipsec/site-to-site/peer/node.tag/force-encapsulation/node.def new file mode 100644 index 0000000..0015add --- /dev/null +++ b/templates/vpn/ipsec/site-to-site/peer/node.tag/force-encapsulation/node.def @@ -0,0 +1,6 @@ +help: Force UDP Encapsulation for ESP Payloads +type: txt +syntax:expression: $VAR(@) in "enable", "disable"; "Must be enable or disable" +val_help: enable; This endpoint will not force UDP encapsulation for this peer +val_help: disable; This endpoint will force UDP encapsulation for this peer + -- cgit v1.2.3 From 7d94dd6e4d32eef9cea4a4f7270b0ea0d895dd12 Mon Sep 17 00:00:00 2001 From: Jeff Leung Date: Fri, 13 Feb 2015 19:25:54 +0000 Subject: Remove the automatic generation of implicit connections Since charon's existence, generating them is redundant and as a matter of fact causes issues with establishing multiple IKEv1 IPSec tunnels to the same peer. --- scripts/vpn-config.pl | 9 --------- 1 file changed, 9 deletions(-) diff --git a/scripts/vpn-config.pl b/scripts/vpn-config.pl index 0d5a63b..dd5da34 100755 --- a/scripts/vpn-config.pl +++ b/scripts/vpn-config.pl 
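Review bot: The lookup path `ipsec site-to-site $peer force-encapsulation` omits the `peer` keyword that every other site-to-site lookup in this file uses (`ipsec site-to-site peer $peer ...`) and that the new template path `templates/vpn/ipsec/site-to-site/peer/node.tag/force-encapsulation/node.def` implies, so `returnValue` never finds the node, `$forceencaps` stays undefined and the option is silently a no-op; change it to `my $forceencaps = $vcVPN->returnValue("ipsec site-to-site peer $peer force-encapsulation");`. The comment typo `Allow the user for force` should read `Allow the user to force`. The enclosing block starts and ends outside the hunk; confirm `$peer` is in scope at this point.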
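Review bot: The two val_help lines are inverted relative to the code: the script emits `forceencaps=yes` for `enable`, yet the help says `enable` will not force UDP encapsulation and `disable` will; swap them to `val_help: enable; This endpoint will force UDP encapsulation for this peer` and `val_help: disable; This endpoint will not force UDP encapsulation for this peer`. The commit message motivates the option with firewalls that filter "proto 51"; ESP is IP protocol 50 (51 is AH), so the help could state the purpose precisely as carrying ESP inside UDP/4500 when protocol 50 is blocked. The trailing added blank line at the end of the new file can go.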
@@ -311,15 +311,6 @@ if ($vcVPN->exists('ipsec')) { $genout .= "\tdisableuniqreqids=yes\n"; } - # - # Disable implicit connections - # - foreach my $conn (qw/clear clear-or-private private-or-clear private block packetdefault/){ - $genout .= "\n"; - $genout .= "conn $conn\n"; - $genout .= "\tauto=ignore\n"; - } - # # Default keyengine is ikev1 # -- cgit v1.2.3 From 7c6c1e2073207612a2d819471bc680564c945cc7 Mon Sep 17 00:00:00 2001 From: Ryan Riske Date: Sun, 1 Mar 2015 20:23:07 -0600 Subject: Add support for RSA keys with strongSwan 5.2.x strongSwan 5.2.x no longer recognizes keys in RFC 3110 format inlined in ipsec.conf and ipsec.secrets. We need to convert the local private key and peer public keys to PEM format, without changing the config templates or user-visible key formats. This patch will require the Debian packages 'libcrypt-openssl-bignum-perl' and 'libcrypt-openssl-rsa-perl' to be added to the system. --- lib/Vyatta/VPN/Util.pm | 48 +++++++++++++++++++++++++++++++++++++++++++++++- scripts/vpn-config.pl | 25 ++++++++++++++++++++----- 2 files changed, 67 insertions(+), 6 deletions(-) diff --git a/lib/Vyatta/VPN/Util.pm b/lib/Vyatta/VPN/Util.pm index a40cc90..65877b0 100755 --- a/lib/Vyatta/VPN/Util.pm +++ b/lib/Vyatta/VPN/Util.pm @@ -27,10 +27,14 @@ use strict; use warnings; our @EXPORT = qw(rsa_get_local_key_file LOCAL_KEY_FILE_DEFAULT rsa_get_local_pubkey - is_vpn_running vpn_debug enableICMP is_tcp_udp get_protocols conv_protocol); + rsa_convert_pubkey_pem is_vpn_running vpn_debug enableICMP is_tcp_udp + get_protocols conv_protocol); use base qw(Exporter); use Vyatta::Config; +use Crypt::OpenSSL::RSA; +use MIME::Base64; +use File::Copy; use POSIX qw(strftime); use constant LOCAL_KEY_FILE_DEFAULT 
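Review bot: `Crypt::OpenSSL::Bignum` is called directly (`new_from_hex`, `new_from_bin`) in the hunk that follows, but only `Crypt::OpenSSL::RSA` is added to the import list here; unless Crypt::OpenSSL::RSA happens to load it, add `use Crypt::OpenSSL::Bignum;` beside it. The commit message says the package now needs libcrypt-openssl-bignum-perl and libcrypt-openssl-rsa-perl, yet debian/control is not in the diffstat, so its Depends line should be updated in the same change.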
@@ -110,15 +114,57 @@ sub rsa_get_local_pubkey { my @raw_data=<$dat>; close($dat); + # PEM encoded private key + my $rsa = Crypt::OpenSSL::RSA->new_private_key(join("", @raw_data)); + if (defined $rsa) { + my ($n, $e) = $rsa->get_key_parameters(); + my $eb = $e->to_bin(); + return "0s" . encode_base64(pack("C", length($eb)) . $eb . $n->to_bin(), ''); + } + + # legacy private key format foreach my $line (@raw_data) { my $file_pubkey; if (($file_pubkey) = ($line =~ m/\s+\#pubkey=(\S+)/)) { + # Found a legacy private key; convert to PEM for strongSwan 5.2.x + my $key = join("", @raw_data); + $key =~ /^\s+Modulus:\s+0x([0-9a-fA-F]+)$/m; + my $n = Crypt::OpenSSL::Bignum->new_from_hex($1); + $key =~ /^\s+PublicExponent:\s+0x([0-9a-fA-F]+)$/m; + my $e = Crypt::OpenSSL::Bignum->new_from_hex($1); + $key =~ /^\s+PrivateExponent:\s+0x([0-9a-fA-F]+)$/m; + my $d = Crypt::OpenSSL::Bignum->new_from_hex($1); + $key =~ /^\s+Prime1:\s+0x([0-9a-fA-F]+)$/m; + my $p = Crypt::OpenSSL::Bignum->new_from_hex($1); + $key =~ /^\s+Prime2:\s+0x([0-9a-fA-F]+)$/m; + my $q = Crypt::OpenSSL::Bignum->new_from_hex($1); + + my $rsa = Crypt::OpenSSL::RSA->new_key_from_parameters($n, $e, $d, $p, $q); + if (defined $rsa) { + # write out PEM formatted key + move("$file", "$file.bak"); + open(my $priv, '>', "$file") + or return 0; + chmod 0600, $file; + print {$priv} $rsa->get_private_key_string(); + close($priv); + } return $file_pubkey; } } return 0; } +sub rsa_convert_pubkey_pem { + my $key = shift; + my $decoded = decode_base64($key); + my $len = unpack("C", substr($decoded, 0, 1)); + my $e = Crypt::OpenSSL::Bignum->new_from_bin(substr($decoded, 1, $len)); + my $n = Crypt::OpenSSL::Bignum->new_from_bin(substr($decoded, 1 + $len)); + my $rsa = Crypt::OpenSSL::RSA->new_key_from_parameters($n, $e); + return $rsa->get_public_key_x509_string(); +} + sub vpn_debug { my $timestamp = strftime("%Y%m%d-%H:%M.%S", localtime); 
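Review bot: In the legacy branch of rsa_get_local_pubkey none of the five `$key =~ /^\s+Modulus:…/m;` matches is tested, and on a miss `$1` still holds the previous match's capture, so a legacy key file with an unexpected field yields a PEM key built from the wrong parameters instead of an error; write each as `my ($n_hex) = $key =~ m{^\s+Modulus:\s+0x([0-9a-fA-F]+)$}m or return 0;` (likewise for e, d, p and q) before calling `new_from_hex`. The converted private key is created with `open(..., '>', ...)` and only afterwards `chmod 0600`, so it briefly exists with umask-default permissions, and the unchecked `close($priv)` means a short write goes unnoticed; `sysopen(my $priv, $file, O_WRONLY|O_CREAT|O_TRUNC, 0600)` with the constants from core Fcntl, plus `close($priv) or return 0;`, closes both gaps. The `.bak` left by `move` keeps the plaintext legacy private key on disk indefinitely, which should at least be stated in a comment. rsa_get_local_pubkey starts outside the hunk.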
diff --git a/scripts/vpn-config.pl b/scripts/vpn-config.pl index dd5da34..c7e227c 100755 --- a/scripts/vpn-config.pl +++ b/scripts/vpn-config.pl @@ -59,6 +59,7 @@ my $dhcp_if = 0; my $genout; my $genout_secrets; my %key_file_list; +my %public_keys; # Set $using_klips to 1 if kernel IPsec support is provided by KLIPS. # Set it to 0 us using NETKEY. @@ -1010,7 +1011,10 @@ if ($vcVPN->exists('ipsec')) { vpn_die(["vpn","ipsec","site-to-site","peer",$peer,"authentication"],"$vpn_cfg_err Unable to determine local public key from local key". " file \"$local_key_file\" for peer \"$peer\".\n"); } else { - $genout .= "\tleftrsasigkey=\"$local_key\"\n"; + if (!defined($public_keys{localhost})) { + $public_keys{localhost} = $local_key; + $genout .= "\tleftsigkey=localhost.pub\n"; + } } my $rsa_key_name = $vcVPN->returnValue("ipsec site-to-site peer $peer authentication rsa-key-name"); @@ -1023,7 +1027,10 @@ if ($vcVPN->exists('ipsec')) { vpn_die(["vpn","ipsec","site-to-site","peer",$peer,"authentication"],"$vpn_cfg_err No remote key configured for rsa key name ". "\"$rsa_key_name\" that is specified for peer \"$peer\".\n"); } else { - $genout .= "\trightrsasigkey=\"$remote_key\"\n"; + if (!defined($public_keys{$rsa_key_name})) { + $public_keys{$rsa_key_name} = $remote_key; + $genout .= "\trightsigkey=$rsa_key_name.pub\n"; + } } } # Prevent duplicate includes for rsa keys. 
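Review bot: The `if (!defined($public_keys{localhost}))` guard now emits `leftsigkey=localhost.pub` only for the first peer that uses RSA, and the matching guard on `$rsa_key_name` drops `rightsigkey=` for any later peer that reuses a key name, whereas the replaced lines wrote leftrsasigkey/rightrsasigkey into every conn; unless a `conn %default` outside this hunk supplies them, those later peers end up with no signing key configured. Record the key once but always emit the line: `$public_keys{localhost} = $local_key unless defined $public_keys{localhost};` followed by `$genout .= "\tleftsigkey=localhost.pub\n";`, and the same shape for `$public_keys{$rsa_key_name}`. The peer loop these hunks sit in starts and ends outside the hunk.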
@@ -1156,13 +1163,13 @@ if ( $vcVPN->isDeleted('.') if (!enableICMP('1')) { vpn_die(["vpn","ipsec"],"VPN commit error. Unable to re-enable ICMP redirects.\n"); } - write_config($genout, $config_file, $genout_secrets, $secrets_file, $dhcp_if); + write_config($genout, $config_file, $genout_secrets, $secrets_file, $dhcp_if, %public_keys); } else { if (!enableICMP('0')) { vpn_die(["vpn","ipsec"],"VPN commit error. Unable to disable ICMP redirects.\n"); } - write_config($genout, $config_file, $genout_secrets, $secrets_file, $dhcp_if); + write_config($genout, $config_file, $genout_secrets, $secrets_file, $dhcp_if, %public_keys); # Assumming that if there was a local IP missmatch and clustering is enabled, # then the clustering scripts will take care of starting the VPN daemon. @@ -1251,7 +1258,7 @@ sub vpn_die { } sub write_config { - my ($genout, $config_file, $genout_secrets, $secrets_file, $dhcp_if) = @_; + my ($genout, $config_file, $genout_secrets, $secrets_file, $dhcp_if, %public_keys) = @_; open my $output_config, '>', $config_file or die "Can't open $config_file: $!"; @@ -1272,6 +1279,14 @@ sub write_config { print ${output_secrets} $genout_secrets; close $output_secrets; dhcp_hook($dhcp_if); + + for my $name (keys %public_keys) { + my $output_path = "/etc/ipsec.d/certs/$name.pub"; + open my $output_file, '>', $output_path + or die "Can't open $output_path: $!"; + print ${output_file} rsa_convert_pubkey_pem($public_keys{$name}); + close $output_file; + } } sub vpn_exec { -- cgit v1.2.3 From 57d284aded5003468dee946f906bf88f09a79d5a Mon Sep 17 00:00:00 2001 From: Ryan Riske Date: Sun, 1 Mar 2015 21:28:00 -0600 Subject: Exclude '0s' from public key string input in rsa_convert_pubkey_pem --- lib/Vyatta/VPN/Util.pm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/Vyatta/VPN/Util.pm b/lib/Vyatta/VPN/Util.pm index 65877b0..606178a 100755 --- a/lib/Vyatta/VPN/Util.pm +++ b/lib/Vyatta/VPN/Util.pm 
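Review bot: The loop added to write_config builds `/etc/ipsec.d/certs/$name.pub` straight from the configured rsa-key-name, so a name containing `/` escapes the certs directory and the reserved name `localhost` collides with the local key's entry; reject such names where the name is read, e.g. `vpn_die(["vpn","ipsec","site-to-site","peer",$peer,"authentication"],"$vpn_cfg_err rsa-key-name \"$rsa_key_name\" may only contain letters, digits, '.', '_' and '-'.\n") unless $rsa_key_name =~ /\A[A-Za-z0-9._-]+\z/ && $rsa_key_name ne 'localhost';` (that check belongs in the peer loop of the earlier hunk). `close $output_file` is also unchecked, so a short write of a public key passes silently; `close $output_file or die "Can't write $output_path: $!";` matches the handling of the open. `.pub` files for key names since removed from the configuration are never deleted, which deserves either a comment or a cleanup of the directory before the loop.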
@@ -157,7 +157,7 @@ sub rsa_get_local_pubkey { sub rsa_convert_pubkey_pem { my $key = shift; - my $decoded = decode_base64($key); + my $decoded = decode_base64(substr($key, 2)); my $len = unpack("C", substr($decoded, 0, 1)); my $e = Crypt::OpenSSL::Bignum->new_from_bin(substr($decoded, 1, $len)); my $n = Crypt::OpenSSL::Bignum->new_from_bin(substr($decoded, 1 + $len)); -- cgit v1.2.3 From 6656e3ae1a2e9a1b4bb7d8eecf320f840b6837c2 Mon Sep 17 00:00:00 2001 From: Ryan Riske Date: Mon, 2 Mar 2015 13:26:19 -0600 Subject: Fix ipsec.secrets generation for PEM-formatted RSA key. --- scripts/vpn-config.pl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/vpn-config.pl b/scripts/vpn-config.pl index c7e227c..23d97d7 100755 --- a/scripts/vpn-config.pl +++ b/scripts/vpn-config.pl @@ -1036,7 +1036,7 @@ if ($vcVPN->exists('ipsec')) { # Prevent duplicate includes for rsa keys. if (!defined($key_file_list{$local_key_file})) { $key_file_list{$local_key_file} = 1; - $genout_secrets .= "include $local_key_file\n"; + $genout_secrets .= ": RSA $local_key_file\n"; } } else { vpn_die(["vpn","ipsec","site-to-site","peer",$peer,"authentication"],"$vpn_cfg_err Unknown authentication mode \"$auth_mode\" for peer ". -- cgit v1.2.3 From 8aa86bf3a045c51bae264a5716dd3d9c1063411e Mon Sep 17 00:00:00 2001 From: Jeff Leung Date: Wed, 4 Nov 2015 21:38:56 -0800 Subject: Actually implement custom ipsec.conf files --- scripts/vpn-config.pl | 1 + 1 file changed, 1 insertion(+) diff --git a/scripts/vpn-config.pl b/scripts/vpn-config.pl index 23d97d7..dd14446 100755 --- a/scripts/vpn-config.pl +++ b/scripts/vpn-config.pl @@ -1123,6 +1123,7 @@ if ($vcVPN->exists('ipsec')) { if ( ! -e $custom_include ) { vpn_die(["vpn","ipsec","include-ipsec-conf"],"$vpn_cfg_err The specified file for inclusion inside ipsec.conf does not exist."); } + $genout .= "\ninclude $custom_include"; } if (-e '/etc/dmvpn.conf') { $genout .= "\ninclude /etc/dmvpn.conf\n"; -- cgit v1.2.3 
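Review bot: `substr($key, 2)` strips the `0s` prefix without checking it is present; for a remote key entered in the configuration without the prefix the first two base64 characters are silently discarded and a wrong modulus is produced. Make the prefix a requirement rather than an assumption: `die "RSA public key must start with 0s\n" unless $key =~ s/\A0s//;` followed by `my $decoded = decode_base64($key);`. The length decoding on the next line also handles only RFC 3110's one-byte exponent-length form; when the first byte is zero the length is carried in the following two bytes, which this code would read as a zero-length exponent.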
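Review bot: The `-e` test on `$custom_include` accepts directories and unreadable files, which the daemon's `include` will then reject at load time with a less helpful message; `if ( ! -f $custom_include || ! -r $custom_include )` states what is actually required. The same applies to the include-ipsec-secrets check added by the following commit. The enclosing `if ($vcVPN->exists('ipsec'))` block starts and ends outside the hunk.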
From bb0034b11cbb5797e5a3e820fd7c9416964f91eb Mon Sep 17 00:00:00 2001 From: Jeff Leung Date: Wed, 4 Nov 2015 21:43:44 -0800 Subject: Allow the user to include a custom ipsec.secrets file. This may be useful for scenarios where a user prefers to use an ECDSA key or implement an xauth IPSec RA server without having to code for the VyOS/EdgeOS platform. --- scripts/vpn-config.pl | 7 +++++++ templates/vpn/ipsec/include-ipsec-secrets/node.def | 2 ++ 2 files changed, 9 insertions(+) create mode 100644 templates/vpn/ipsec/include-ipsec-secrets/node.def diff --git a/scripts/vpn-config.pl b/scripts/vpn-config.pl index dd14446..a238d20 100755 --- a/scripts/vpn-config.pl +++ b/scripts/vpn-config.pl @@ -1119,12 +1119,19 @@ if ($vcVPN->exists('ipsec')) { # Include a custom configuration file # my $custom_include = $vcVPN->returnValue("ipsec include-ipsec-conf"); + my $custom_secrets = $vcVPN->returnValue("ipsec include-ipsec-secrets"); if (defined($custom_include)) { if ( ! -e $custom_include ) { vpn_die(["vpn","ipsec","include-ipsec-conf"],"$vpn_cfg_err The specified file for inclusion inside ipsec.conf does not exist."); } $genout .= "\ninclude $custom_include"; } + if (defined($custom_secrets)) { + if ( ! -e $custom_secrets) { + vpn_die(["vpn","ipsec","include-ipsec-secrets"],"$vpn_cfg_err The specified file for inclusion inside ipsec.secrets does not exist."); + } + $genout_secrets .= "\ninclude $custom_secrets\n"; + } if (-e '/etc/dmvpn.conf') { $genout .= "\ninclude /etc/dmvpn.conf\n"; } diff --git a/templates/vpn/ipsec/include-ipsec-secrets/node.def b/templates/vpn/ipsec/include-ipsec-secrets/node.def new file mode 100644 index 0000000..37b73e1 --- /dev/null +++ b/templates/vpn/ipsec/include-ipsec-secrets/node.def @@ -0,0 +1,2 @@ +type: txt +help: Sets to include an additional secrets file for strongSwan. Use an absolute path to specify the included file. -- cgit v1.2.3 From f179c69fcfd84d4889aec93bf87fdb265106f29e Mon Sep 17 00:00:00 2001 
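Review bot: A secrets file pulled in by `include` holds private keys or pre-shared keys, yet the new check only verifies that it exists, so a group- or world-readable file is accepted silently. Add a mode check beside the existence test, e.g. `vpn_die(["vpn","ipsec","include-ipsec-secrets"],"$vpn_cfg_err The included secrets file must not be group or world readable.\n") if ((stat $custom_secrets)[2] & 0077);`. The surrounding block starts and ends outside the hunk.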
From: Jeff Leung Date: Wed, 4 Nov 2015 21:46:58 -0800 Subject: Whitespace fixes --- scripts/vpn-config.pl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/vpn-config.pl b/scripts/vpn-config.pl index a238d20..bb7b667 100755 --- a/scripts/vpn-config.pl +++ b/scripts/vpn-config.pl @@ -1124,7 +1124,7 @@ if ($vcVPN->exists('ipsec')) { if ( ! -e $custom_include ) { vpn_die(["vpn","ipsec","include-ipsec-conf"],"$vpn_cfg_err The specified file for inclusion inside ipsec.conf does not exist."); } - $genout .= "\ninclude $custom_include"; + $genout .= "\ninclude $custom_include\n"; } if (defined($custom_secrets)) { if ( ! -e $custom_secrets) { -- cgit v1.2.3 From e35a282eef077d8cc91e8e5fd7b7a1dcf91750c4 Mon Sep 17 00:00:00 2001 From: Jeff Leung Date: Fri, 4 Dec 2015 23:49:35 -0500 Subject: Add ChaCha20 Poly1305 cipher as an available cipher for IKE exchanges. Starting with strongSwan 5.3.3, chacha20poly1305 is a supported cipher for IKE and ESP configurations with an IKEv2 configuration. --- .../vpn/ipsec/esp-group/node.tag/proposal/node.tag/encryption/node.def | 3 ++- .../vpn/ipsec/ike-group/node.tag/proposal/node.tag/encryption/node.def | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/templates/vpn/ipsec/esp-group/node.tag/proposal/node.tag/encryption/node.def b/templates/vpn/ipsec/esp-group/node.tag/proposal/node.tag/encryption/node.def index 1c02803..05aa407 100644 --- a/templates/vpn/ipsec/esp-group/node.tag/proposal/node.tag/encryption/node.def +++ b/templates/vpn/ipsec/esp-group/node.tag/proposal/node.tag/encryption/node.def 
@@ -1,7 +1,8 @@ help: Encryption algorithm type: txt default: "aes128" -syntax:expression: $VAR(@) in "aes128", "aes256", "3des"; "must be aes128, or aes256, or 3des" +syntax:expression: $VAR(@) in "aes128", "aes256", "3des", "chacha20poly1305"; "must be aes128, aes256, 3des, or chacha20poly1305" val_help: aes128; AES-128 encryption (default) val_help: aes256; AES-256 encryption val_help: 3des; 3DES encryption +val_help: chacha20poly1305; ChaCha20-Poly1305 encryption diff --git a/templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/encryption/node.def b/templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/encryption/node.def index 1c02803..05aa407 100644 --- a/templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/encryption/node.def +++ b/templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/encryption/node.def @@ -1,7 +1,8 @@ help: Encryption algorithm type: txt default: "aes128" -syntax:expression: $VAR(@) in "aes128", "aes256", "3des"; "must be aes128, or aes256, or 3des" +syntax:expression: $VAR(@) in "aes128", "aes256", "3des", "chacha20poly1305"; "must be aes128, aes256, 3des, or chacha20poly1305" val_help: aes128; AES-128 encryption (default) val_help: aes256; AES-256 encryption val_help: 3des; 3DES encryption +val_help: chacha20poly1305; ChaCha20-Poly1305 encryption -- cgit v1.2.3 From c9484a3906157a059b02c7619df4617ab8e2dee1 Mon Sep 17 00:00:00 2001 From: Kim Hagen Date: Mon, 16 Feb 2015 08:34:18 +0100 Subject: Move execution of nhrp script to "end" of ipsec config so it executes on all changes made to the ipsec config --- templates/vpn/ipsec/profile/node.tag/bind/tunnel/node.def | 4 ---- templates/vpn/node.def | 1 + 2 files changed, 1 insertion(+), 4 deletions(-) diff --git a/templates/vpn/ipsec/profile/node.tag/bind/tunnel/node.def b/templates/vpn/ipsec/profile/node.tag/bind/tunnel/node.def index cf3568b..a04f8cb 100644 --- a/templates/vpn/ipsec/profile/node.tag/bind/tunnel/node.def 
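Review bot: The commit message limits chacha20poly1305 to IKEv2 configurations, but neither the new `val_help` line nor the syntax error message says so, so an IKEv1 ike-group will accept the value and presumably fail only when the daemon rejects the proposal. Either say it in the help text, `val_help: chacha20poly1305; ChaCha20-Poly1305 encryption (IKEv2 only)`, or add a commit:expression tied to the group's key-exchange setting. The same wording applies to the esp-group template in the preceding hunk.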
+++ b/templates/vpn/ipsec/profile/node.tag/bind/tunnel/node.def @@ -8,7 +8,3 @@ commit:expression: $VAR(../../ike-group/) != ""; "Must configure ike-group" commit:expression: $VAR(../../authentication/) != ""; "Must configure authentication" commit:expression: (`cli-shell-api returnValue interfaces tunnel $VAR(@) encapsulation` == "gre" && \ `cli-shell-api returnValue interfaces tunnel $VAR(@) remote-ip` == ""); "Must be mgre tunnel" - -end: - - sudo /opt/vyatta/sbin/vyos-update-nhrp.pl --set_ipsec diff --git a/templates/vpn/node.def b/templates/vpn/node.def index c504aaa..7c6b56a 100644 --- a/templates/vpn/node.def +++ b/templates/vpn/node.def @@ -5,6 +5,7 @@ end:sudo /opt/vyatta/sbin/vyatta-vti-config.pl || exit 1 --config_file='/etc/dmvpn.conf' \ --secrets_file='/etc/dmvpn.secrets' \ --init_script='/etc/init.d/ipsec' || exit 1 + sudo /opt/vyatta/sbin/vyos-update-nhrp.pl --set_ipsec || exit 1 sudo /opt/vyatta/sbin/vpn-config.pl \ --config_file='/etc/ipsec.conf' \ --secrets_file='/etc/ipsec.secrets' \ -- cgit v1.2.3 From fcab32f8c5cc416829dc054a41e578eae45951fa Mon Sep 17 00:00:00 2001 From: Daniil Baturin Date: Mon, 4 May 2015 00:35:54 +0200 Subject: Bug #469: add options for AES-128/256-GCM mode. --- .../ipsec/esp-group/node.tag/proposal/node.tag/encryption/node.def | 4 +++- .../ipsec/ike-group/node.tag/proposal/node.tag/encryption/node.def | 4 +++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/templates/vpn/ipsec/esp-group/node.tag/proposal/node.tag/encryption/node.def b/templates/vpn/ipsec/esp-group/node.tag/proposal/node.tag/encryption/node.def index 05aa407..ba66828 100644 --- a/templates/vpn/ipsec/esp-group/node.tag/proposal/node.tag/encryption/node.def +++ b/templates/vpn/ipsec/esp-group/node.tag/proposal/node.tag/encryption/node.def 
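Review bot: The nhrp update now runs before `vpn-config.pl` has regenerated `/etc/ipsec.conf`, so if `vyos-update-nhrp.pl` reads that file or restarts the daemon it acts on the previous commit's state; if it only produces input that vpn-config.pl later includes, the order is right but undocumented. A one-line comment above the call stating which it is, e.g. `# must run before vpn-config.pl: it regenerates the file vpn-config.pl includes`, would keep a future reorder from breaking it. `|| exit 1` also makes the whole VPN commit fail when this script fails, which the removed `end:` hook in the tunnel template did not do.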
@@ -1,8 +1,10 @@ help: Encryption algorithm type: txt default: "aes128" -syntax:expression: $VAR(@) in "aes128", "aes256", "3des", "chacha20poly1305"; "must be aes128, aes256, 3des, or chacha20poly1305" +syntax:expression: $VAR(@) in "aes128", "aes256", "aes128gcm128", "aes256gcm128", "3des", "chacha20poly1305"; "must be aes128, aes256, 3des, or chacha20poly1305" val_help: aes128; AES-128 encryption (default) val_help: aes256; AES-256 encryption +val_help: aes128gcm128; AES-128 encryption with Galois Counter Mode 128-bit +val_help: aes256gcm128; AES-256 encryption with Galois Counter Mode 128-bit val_help: 3des; 3DES encryption val_help: chacha20poly1305; ChaCha20-Poly1305 encryption diff --git a/templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/encryption/node.def b/templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/encryption/node.def index 05aa407..ba66828 100644 --- a/templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/encryption/node.def +++ b/templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/encryption/node.def @@ -1,8 +1,10 @@ help: Encryption algorithm type: txt default: "aes128" -syntax:expression: $VAR(@) in "aes128", "aes256", "3des", "chacha20poly1305"; "must be aes128, aes256, 3des, or chacha20poly1305" +syntax:expression: $VAR(@) in "aes128", "aes256", "aes128gcm128", "aes256gcm128", "3des", "chacha20poly1305"; "must be aes128, aes256, 3des, or chacha20poly1305" val_help: aes128; AES-128 encryption (default) val_help: aes256; AES-256 encryption +val_help: aes128gcm128; AES-128 encryption with Galois Counter Mode 128-bit +val_help: aes256gcm128; AES-256 encryption with Galois Counter Mode 128-bit val_help: 3des; 3DES encryption val_help: chacha20poly1305; ChaCha20-Poly1305 encryption -- cgit v1.2.3 From 133cf61f7abee867dc6b7007c077254ec8ba1443 Mon Sep 17 00:00:00 2001 
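Review bot: The syntax:expression gains `aes128gcm128` and `aes256gcm128` but its error message still reads `"must be aes128, aes256, 3des, or chacha20poly1305"`, so a user who mistypes one of the new values is told they are not permitted at all; the message should be `"must be aes128, aes256, aes128gcm128, aes256gcm128, 3des, or chacha20poly1305"`. The ike-group hunk that follows has the identical omission.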
From: Alex Harpin Date: Wed, 17 Jun 2015 07:37:18 +0100 Subject: vyatta-cfg-vpn: formatting changes for style consistency Perltidy run on scripts/vyatta-vti-config.pl to have consistent identation levels and style throughout. --- scripts/vyatta-vti-config.pl | 229 ++++++++++++++++++++++--------------------- 1 file changed, 115 insertions(+), 114 deletions(-) diff --git a/scripts/vyatta-vti-config.pl b/scripts/vyatta-vti-config.pl index ba2cbcc..758418a 100755 --- a/scripts/vyatta-vti-config.pl +++ b/scripts/vyatta-vti-config.pl @@ -37,7 +37,6 @@ use lib "/opt/vyatta/share/perl5"; use Getopt::Long; use Vyatta::VPN::vtiIntf; - my $vti_cfg_err = "VPN VTI configuration error:"; my $gencmds = ""; my $result = 0; @@ -53,16 +52,17 @@ GetOptions( "checkref" => \$checkref, ); - # # --updown intfName --action=[up|down] # if ($updown ne '') { - if (!(defined $intfName) || $intfName eq '' ) { + if (!(defined $intfName) || $intfName eq '') { + # invalid exit -1; } - if (!(defined $action) || $action eq '' ) { + if (!(defined $action) || $action eq '') { + # invalid exit -1; } @@ -74,8 +74,9 @@ if ($updown ne '') { # --checkref --intf= # Return 1 if the interface reference exits. # -if ($checkref ne '' ) { - if (!(defined $intfName) || $intfName eq '' ) { +if ($checkref ne '') { + if (!(defined $intfName) || $intfName eq '') { + # invalid exit -1; } 
@@ -98,129 +99,128 @@ my $vcVPN = new Vyatta::Config(); $vcVPN->setLevel('vpn'); $vcIntf->setLevel('interfaces'); -if (!$vcVPN->exists('ipsec') ) { +if (!$vcVPN->exists('ipsec')) { cleanupVtiNotConfigured(); $result = execGenCmds(); exit $result; } -if (!$vcVPN->exists('ipsec site-to-site') ) { +if (!$vcVPN->exists('ipsec site-to-site')) { cleanupVtiNotConfigured(); $result = execGenCmds(); exit $result; } - my %binds = (); - my %vtiVpns = (); - my @peers = $vcVPN->listNodes('ipsec site-to-site peer'); - foreach my $peer (@peers) { - if (! $vcVPN->exists("ipsec site-to-site peer $peer vti")) { - next; - } - # - # we have the vti configured. - # - my $mark; - my $lip = $vcVPN->returnValue("ipsec site-to-site peer $peer local-address"); - my $tunName = $vcVPN->returnValue("ipsec site-to-site peer $peer vti bind"); - my $change = 0; - - # Check local address is valid. - if (!defined($lip)) { - print STDERR "$vti_cfg_err local-address not defined.\n"; - exit -1; - } +my %binds = (); +my %vtiVpns = (); +my @peers = $vcVPN->listNodes('ipsec site-to-site peer'); +foreach my $peer (@peers) { + if (!$vcVPN->exists("ipsec site-to-site peer $peer vti")) { + next; + } + # + # we have the vti configured. + # + my $mark; + my $lip = $vcVPN->returnValue("ipsec site-to-site peer $peer local-address"); + my $tunName = $vcVPN->returnValue("ipsec site-to-site peer $peer vti bind"); + my $change = 0; + + # Check local address is valid. + if (!defined($lip)) { + print STDERR "$vti_cfg_err local-address not defined.\n"; + exit -1; + } - if ($lip eq "" || $lip eq "0.0.0.0") { - print STDERR "$vti_cfg_err Invalid local-address \"$lip\".\n"; - exit -1; - } - # Check tunName is valid. - if (!defined($tunName) || $tunName eq "" || ! 
$vcIntf->exists("vti $tunName") ) { - if (defined($tunName)) { - vti_die(["vpn","ipsec","site-to-site","peer",$peer,"vti","bind"], - "Invalid tunnel name vti \"$tunName\".\n"); - } else { - vti_die(["vpn","ipsec","site-to-site","peer",$peer,"vti","bind"], - "tunnel name is empty.\n"); - } - } - $vtiVpns{ $tunName } = 1; + if ($lip eq "" || $lip eq "0.0.0.0") { + print STDERR "$vti_cfg_err Invalid local-address \"$lip\".\n"; + exit -1; + } - if (exists $binds{ $tunName }) { - vti_die(["vpn","ipsec","site-to-site","peer",$peer,"vti","bind"], - "vti bind $tunName already used.\n"); + # Check tunName is valid. + if (!defined($tunName) || $tunName eq "" || !$vcIntf->exists("vti $tunName")) { + if (defined($tunName)) { + vti_die(["vpn","ipsec","site-to-site","peer",$peer,"vti","bind"],"Invalid tunnel name vti \"$tunName\".\n"); } else { - $binds{ $tunName } = 1; + vti_die(["vpn","ipsec","site-to-site","peer",$peer,"vti","bind"],"tunnel name is empty.\n"); } + } + $vtiVpns{$tunName} = 1; - $gencmds .= "# For peer $peer local $lip, $tunName.\n"; - # - # Get the tunnel parameters. - # - # ip address's - my @tunIPs = $vcIntf->returnValues("vti $tunName address"); - # mtu - my $mtu = $vcIntf->returnValue("vti $tunName mtu"); - if (!defined($mtu) || $mtu eq "") { - $mtu = 1500; - } - #my $exists = `ls -l /sys/class/net/$tunName &> /dev/null`; - - # description. - my $description = $vcIntf->returnValue("vti $tunName description"); - - # Check if the tunnel exists already: by tunnel addresses. - my $vtiPresent = vtiIntf::isVtinamepresent($peer, $lip); - if (defined($vtiPresent) && !($vtiPresent eq "")) { - if ($vtiPresent ne $tunName) { - # Binding changed. 
- my $currMark = vtiIntf::isVtimarkpresent($peer, $lip); - $gencmds .= "sudo /sbin/ip link delete $vtiPresent type vti &> /dev/null\n"; - vtiIntf::deleteVtibyname($vtiPresent); - $change = 1; - } - } + if (exists $binds{$tunName}) { + vti_die(["vpn","ipsec","site-to-site","peer",$peer,"vti","bind"],"vti bind $tunName already used.\n"); + } else { + $binds{$tunName} = 1; + } - my $existingMark = vtiIntf::isVtimarkpresent($peer, $lip); - if (defined($existingMark) && !($existingMark eq "")) { - $mark = $existingMark; - } else { - $mark = vtiIntf::allocVtiMark(); - if ($mark == 0) { - vti_die(["vpn","ipsec","site-to-site","peer",$peer,"vti"], - "vti failed to create (not able to allocate a mark)\n"); - } + $gencmds .= "# For peer $peer local $lip, $tunName.\n"; + # + # Get the tunnel parameters. + # + # ip address's + my @tunIPs = $vcIntf->returnValues("vti $tunName address"); + + # mtu + my $mtu = $vcIntf->returnValue("vti $tunName mtu"); + if (!defined($mtu) || $mtu eq "") { + $mtu = 1500; + } + + #my $exists = `ls -l /sys/class/net/$tunName &> /dev/null`; + + # description. + my $description = $vcIntf->returnValue("vti $tunName description"); + + # Check if the tunnel exists already: by tunnel addresses. + my $vtiPresent = vtiIntf::isVtinamepresent($peer, $lip); + if (defined($vtiPresent) && !($vtiPresent eq "")) { + if ($vtiPresent ne $tunName) { + + # Binding changed. 
+ my $currMark = vtiIntf::isVtimarkpresent($peer, $lip); + $gencmds .= "sudo /sbin/ip link delete $vtiPresent type vti &> /dev/null\n"; + vtiIntf::deleteVtibyname($vtiPresent); $change = 1; } + } - vtiIntf::deleteVtinamepresent($peer, $lip); - vtiIntf::deleteVtibyname($tunName); - if ($change eq 0) { - next; + my $existingMark = vtiIntf::isVtimarkpresent($peer, $lip); + if (defined($existingMark) && !($existingMark eq "")) { + $mark = $existingMark; + } else { + $mark = vtiIntf::allocVtiMark(); + if ($mark == 0) { + vti_die(["vpn","ipsec","site-to-site","peer",$peer,"vti"],"vti failed to create (not able to allocate a mark)\n"); } + $change = 1; + } - # - # Set the configuration into the output string. - # - # By default we delete the tunnel... - my $genmark = $mark; - $gencmds .= "sudo /sbin/ip link delete $tunName type vti &> /dev/null\n"; - $gencmds .= "sudo /sbin/ip link add $tunName type vti local $lip remote $peer okey $genmark\n"; - foreach my $tunIP (@tunIPs) { - $gencmds .= "sudo /sbin/ip addr add $tunIP dev $tunName\n"; - } - $gencmds .= "sudo /sbin/ip link set $tunName mtu $mtu\n"; + vtiIntf::deleteVtinamepresent($peer, $lip); + vtiIntf::deleteVtibyname($tunName); + if ($change eq 0) { + next; + } - if (defined($description)) { - $gencmds .= "if [ -d /sys/class/net/$tunName ] ; then\n\tsudo echo \"$description\" > /sys/class/net/$tunName/ifalias\nfi\n"; - } + # + # Set the configuration into the output string. + # + # By default we delete the tunnel... 
+ my $genmark = $mark; + $gencmds .= "sudo /sbin/ip link delete $tunName type vti &> /dev/null\n"; + $gencmds .= "sudo /sbin/ip link add $tunName type vti local $lip remote $peer okey $genmark\n"; + foreach my $tunIP (@tunIPs) { + $gencmds .= "sudo /sbin/ip addr add $tunIP dev $tunName\n"; } + $gencmds .= "sudo /sbin/ip link set $tunName mtu $mtu\n"; - cleanupVtiNotConfigured(); - checkUnrefIntfVti($vcIntf, %vtiVpns); - $result = execGenCmds(); - exit $result; + if (defined($description)) { + $gencmds .= "if [ -d /sys/class/net/$tunName ] ; then\n\tsudo echo \"$description\" > /sys/class/net/$tunName/ifalias\nfi\n"; + } +} +cleanupVtiNotConfigured(); +checkUnrefIntfVti($vcIntf, %vtiVpns); +$result = execGenCmds(); +exit $result; # # Handle VTI tunnel state based on input from strongswan and configuration. @@ -231,7 +231,7 @@ sub vti_handle_updown { my $vcIntf = new Vyatta::Config(); $vcIntf->setLevel('interfaces'); my $disabled = $vcIntf->existsOrig("vti $intfName disabled"); - if (!defined($disabled) || ! $disabled) { + if (!defined($disabled) || !$disabled) { system("sudo /sbin/ip link set $intfName $action\n"); } } @@ -246,10 +246,10 @@ sub vti_check_reference { return 0; } foreach my $peer (@peers) { - if (! $vcVPN->exists("peer $peer vti")) { + if (!$vcVPN->exists("peer $peer vti")) { next; } - if ( $vcVPN->exists("peer $peer vti bind $intfName")) { + if ($vcVPN->exists("peer $peer vti bind $intfName")) { return 1; } } 
@@ -257,18 +257,19 @@ sub vti_check_reference { } sub cleanupVtiNotConfigured { + # for all remaining entries in the Vtinamepresent hash # remove them from the system. my $localVtiNames = vtiIntf::getVtiNames(); my $localVtibyNames = vtiIntf::getVtibyNames(); - while (my ($tunKey, $presentVtiName) = each(%$localVtiNames) ) { + while (my ($tunKey, $presentVtiName) = each(%$localVtiNames)) { my ($remote, $local) = vtiIntf::extractRemoteLocal($tunKey); my $existingMark = vtiIntf::isVtimarkpresent($remote, $local); $gencmds .= "# For peer $remote local $local.\n"; vtiIntf::freeVtiMark($existingMark); } for my $name (keys %$localVtibyNames) { - $gencmds .= "#For tunnel name $name.\n"; + $gencmds .= "#For tunnel name $name.\n"; $gencmds .= "sudo /sbin/ip link delete $name type vti &> /dev/null\n"; } } @@ -290,9 +291,9 @@ sub execGenCmds { } sub vti_die { - my (@path,$msg) = @_; - Vyatta::Config::outputError(@path, $msg); - exit 1; + my (@path,$msg) = @_; + Vyatta::Config::outputError(@path, $msg); + exit 1; } # @@ -306,7 +307,7 @@ sub checkUnrefIntfVti { my @vtiIntfs = $vcIntf->listNodes("vti"); foreach my $tunName (@vtiIntfs) { - if ( ! exists($vtiVpns{ $tunName }) ) { + if (!exists($vtiVpns{$tunName})) { print STDOUT "Warning: [interface vti $tunName] defined but not used under VPN configuration\n"; } } -- cgit v1.2.3 From 013fd2ac5dc2cd426d85e850496bb826cb483109 Mon Sep 17 00:00:00 2001 From: Alex Harpin Date: Wed, 17 Jun 2015 23:59:04 +0100 Subject: vyatta-cfg-vpn: further tidy up of vyatta-vti-config.pl Remove old comments and other minor tidying up / rearranging of scripts/vyatta-vti-config.pl --- scripts/vyatta-vti-config.pl | 12 ++---------- 1 file changed, 2 insertions(+), 10 deletions(-) diff --git a/scripts/vyatta-vti-config.pl b/scripts/vyatta-vti-config.pl index 758418a..980724c 100755 --- a/scripts/vyatta-vti-config.pl +++ b/scripts/vyatta-vti-config.pl 
@@ -36,6 +36,7 @@ use lib "/opt/vyatta/share/perl5"; use Getopt::Long; use Vyatta::VPN::vtiIntf; +use Vyatta::Config; my $vti_cfg_err = "VPN VTI configuration error:"; my $gencmds = ""; @@ -57,12 +58,10 @@ GetOptions( # if ($updown ne '') { if (!(defined $intfName) || $intfName eq '') { - # invalid exit -1; } if (!(defined $action) || $action eq '') { - # invalid exit -1; } @@ -76,7 +75,6 @@ if ($updown ne '') { # if ($checkref ne '') { if (!(defined $intfName) || $intfName eq '') { - # invalid exit -1; } @@ -84,16 +82,14 @@ if ($checkref ne '') { exit $rval; } -### +# # Following code is to configure the vti. # - vtiIntf::discoverVtiIntfs(); # # Prepare Vyatta::Config object # -use Vyatta::Config; my $vcIntf = new Vyatta::Config(); my $vcVPN = new Vyatta::Config(); $vcVPN->setLevel('vpn'); @@ -165,8 +161,6 @@ foreach my $peer (@peers) { $mtu = 1500; } - #my $exists = `ls -l /sys/class/net/$tunName &> /dev/null`; - # description. my $description = $vcIntf->returnValue("vti $tunName description"); @@ -227,7 +221,6 @@ exit $result; # sub vti_handle_updown { my ($intfName, $action) = @_; - use Vyatta::Config; my $vcIntf = new Vyatta::Config(); $vcIntf->setLevel('interfaces'); my $disabled = $vcIntf->existsOrig("vti $intfName disabled"); @@ -238,7 +231,6 @@ sub vti_handle_updown { sub vti_check_reference { my ($intfName) = @_; - use Vyatta::Config; my $vcVPN = new Vyatta::Config(); $vcVPN->setLevel('vpn ipsec site-to-site'); my @peers = $vcVPN->listNodes('peer'); -- cgit v1.2.3 From 9254caf8bd4d8dfc0e76f1eb5958e6ebcdf1032d Mon Sep 17 00:00:00 2001 
From: Alex Harpin Date: Thu, 18 Jun 2015 07:42:01 +0100 Subject: vyatta-cfg-vpn: vti interfaces remain link down after ipsec sa renewal VTI interfaces can remain link down after IPSec SA expiry and renewal, leaving the actual IPSec tunnel up and active but the route relating to this VTI interface absent from the routing table; with the end result of no traffic passing through it without manual intervention. Earlier fixes for this issue in both bug #183 and bug #291 fixed one issue but introduced another, this commit fixes both scenarios. Bug #568 http://bugzilla.vyos.net/show_bug.cgi?id=568 --- scripts/vti-up-down | 2 +- scripts/vyatta-vti-config.pl | 7 ++++++- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/scripts/vti-up-down b/scripts/vti-up-down index 60fc191..378cb6e 100755 --- a/scripts/vti-up-down +++ b/scripts/vti-up-down @@ -5,7 +5,7 @@ source /etc/default/vyatta source /etc/default/locale case "$PLUTO_VERB" in -route-client) +route-client | up-client) /opt/vyatta/sbin/vyatta-vti-config.pl --updown --intf=$1 --action=up ;; down-client) diff --git a/scripts/vyatta-vti-config.pl b/scripts/vyatta-vti-config.pl index 980724c..23bead1 100755 --- a/scripts/vyatta-vti-config.pl +++ b/scripts/vyatta-vti-config.pl @@ -37,6 +37,7 @@ use lib "/opt/vyatta/share/perl5"; use Getopt::Long; use Vyatta::VPN::vtiIntf; use Vyatta::Config; +use Vyatta::Misc; my $vti_cfg_err = "VPN VTI configuration error:"; my $gencmds = ""; @@ -225,7 +226,11 @@ sub vti_handle_updown { $vcIntf->setLevel('interfaces'); my $disabled = $vcIntf->existsOrig("vti $intfName disabled"); if (!defined($disabled) || !$disabled) { - system("sudo /sbin/ip link set $intfName $action\n"); + my $vtiInterface = new Vyatta::Interface($intfName); + my $state = $vtiInterface->up(); + if (!($state && ($action eq "up"))) { + system("sudo /sbin/ip link set $intfName $action\n"); + } } } -- cgit v1.2.3 From 33140773880aa3f4a94426c35c667096259d9c3d Mon Sep 17 00:00:00 2001 
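Review bot: `new Vyatta::Interface($intfName)` relies on a class this file never loads; the line added at the top brings in `Vyatta::Misc`, not `Vyatta::Interface`, so unless Vyatta::Misc happens to load it, add `use Vyatta::Interface;`. If the constructor returns undef for an interface it does not know, `->up()` then dies inside the updown hook; guarding it and dropping the indirect-object syntax gives `my $vtiInterface = Vyatta::Interface->new($intfName);` / `my $already_up = defined $vtiInterface && $vtiInterface->up();` / `if (!($already_up && $action eq 'up')) {`. Since `$intfName` and `$action` arrive on the command line, the `system` call inside the guard would also be safer in list form, `system('sudo', '/sbin/ip', 'link', 'set', $intfName, $action)`.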
From: Alex Harpin Date: Fri, 26 Jun 2015 17:11:52 +0100 Subject: vyatta-cfg-vpn: validate local address for vti based vpn connections Validate the local address used for VTI based VPN connections to ensure only either an IPv4 or IPv6 address is used. Currently VTIs can only accept these for local addresses, other values will fail with extraneous error messages, trap these earlier in the configuation commit process for now. Bug #213 http://bugzilla.vyos.net/show_bug.cgi?id=213 --- scripts/vyatta-vti-config.pl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/vyatta-vti-config.pl b/scripts/vyatta-vti-config.pl index 23bead1..042ef3b 100755 --- a/scripts/vyatta-vti-config.pl +++ b/scripts/vyatta-vti-config.pl @@ -128,8 +128,8 @@ foreach my $peer (@peers) { exit -1; } - if ($lip eq "" || $lip eq "0.0.0.0") { - print STDERR "$vti_cfg_err Invalid local-address \"$lip\".\n"; + if (!(validateType('ipv4', $lip, 'quiet') || validateType('ipv6', $lip, 'quiet')) || ($lip eq '0.0.0.0')) { + print STDERR "$vti_cfg_err Invalid local-address \"$lip\", an ip address must be specified for VTIs.\n"; exit -1; } -- cgit v1.2.3 From 209d0ae7650cb76a18feedaf75052eb03036c184 Mon Sep 17 00:00:00 2001 From: Alex Harpin Date: Mon, 22 Jun 2015 08:03:30 +0100 Subject: vyatta-cfg-vpn: validate peer address for vti based vpn connections Validate the peer address used for VTI based VPN connections to ensure only either an IPv4 or IPv6 address is used. Currently VTIs can only accept these for peer addresses, other values will fail with extraneous error messages, trap these earlier in the configuation commit process for now. Bug #359 http://bugzilla.vyos.net/show_bug.cgi?id=359 --- scripts/vpn-config.pl | 2 +- scripts/vyatta-vti-config.pl | 6 ++++++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/scripts/vpn-config.pl b/scripts/vpn-config.pl index bb7b667..3f953b3 100755 --- a/scripts/vpn-config.pl +++ b/scripts/vpn-config.pl 
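Review bot: `validateType` is called but nothing in this file imports it: the previous commit added `use Vyatta::Misc;` and the next one adds `use Vyatta::TypeChecker;`, which suggests the function is not reachable at this commit unless Vyatta::Misc re-exports it; the `use` should land together with the first call. The check also rejects the IPv4 wildcard `0.0.0.0` but not its IPv6 counterpart `::`; if a VTI cannot be bound to `::` either, `|| ($lip eq '::')` belongs beside it. The peer loop enclosing this check starts and ends outside the hunk.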
@@ -509,7 +509,7 @@ if ($vcVPN->exists('ipsec')) { or $any_peer == 1) { if ($isVti) { - vpn_die(["vpn","ipsec","site-to-site","peer",$peer],"$vpn_cfg_err The \"$peer\" is invalid ". "ip address must be specified for $tunKeyword.\n"); + vpn_die(["vpn","ipsec","site-to-site","peer",$peer],"$vpn_cfg_err The peer \"$peer\" is invalid, an ip address must be specified for $tunKeyword.\n"); } $right = '%any'; $any_peer = 1; diff --git a/scripts/vyatta-vti-config.pl b/scripts/vyatta-vti-config.pl index 042ef3b..fbfad64 100755 --- a/scripts/vyatta-vti-config.pl +++ b/scripts/vyatta-vti-config.pl @@ -38,6 +38,7 @@ use Getopt::Long; use Vyatta::VPN::vtiIntf; use Vyatta::Config; use Vyatta::Misc; +use Vyatta::TypeChecker; my $vti_cfg_err = "VPN VTI configuration error:"; my $gencmds = ""; @@ -114,6 +115,11 @@ foreach my $peer (@peers) { if (!$vcVPN->exists("ipsec site-to-site peer $peer vti")) { next; } + + if (!(validateType('ipv4', $peer, 'quiet') || validateType('ipv6', $peer, 'quiet')) || ($peer eq '0.0.0.0')) { + vti_die(["vpn","ipsec","site-to-site","peer",$peer],"$vti_cfg_err The peer \"$peer\" is invalid, an ip address must be specified for VTIs.\n"); + } + # # we have the vti configured. # -- cgit v1.2.3 From cf093a78ecae246c52be0ad39ac894013aa2adfd Mon Sep 17 00:00:00 2001 From: Thomas Jepp Date: Wed, 16 Dec 2015 22:19:17 +0000 Subject: Fix build depends. --- debian/control | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/control b/debian/control index cdc5e36..5605529 100644 --- a/debian/control +++ b/debian/control @@ -2,7 +2,7 @@ Source: vyatta-cfg-vpn Section: contrib/net Priority: extra Maintainer: VyOS Package Maintainers -Build-Depends: debhelper (>= 5), autotools-dev, libnfnetlink-dev +Build-Depends: debhelper (>= 5), autotools-dev, libnfnetlink-dev, autoconf, automake, cpio Standards-Version: 3.7.2 Package: vyatta-cfg-vpn -- cgit v1.2.3 From d6bb593aa88a8ffbd4eeb46e1e96b4a6dcb3fb16 Mon Sep 17 00:00:00 2001 
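Review bot: The peer check added to vyatta-vti-config.pl repeats the local-address condition from the previous commit token for token, so both sites should share one helper, e.g. `sub _is_unicast_ip { my ($addr) = @_; return (validateType('ipv4', $addr, 'quiet') || validateType('ipv6', $addr, 'quiet')) && $addr ne '0.0.0.0'; }` with the call site reduced to `vti_die([...], "...") unless _is_unicast_ip($peer);`. A single helper is also the one place to add `::` should the IPv6 unspecified address need rejecting as well. The `use Vyatta::TypeChecker;` added in the same commit is what resolves `validateType` for the earlier local-address check too; the `foreach my $peer (@peers)` loop around the new lines is outside the hunk.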
From: Kim Hagen Date: Sun, 24 Jan 2016 15:05:05 -0500 Subject: 0.12.105+vyos2+current1 --- debian/changelog | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/debian/changelog b/debian/changelog index 113c0a4..79226e1 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,12 @@ +vyatta-cfg-vpn (0.12.105+vyos2+current1) unstable; urgency=medium + + [ Thomas Jepp ] + * Fix build depends. + + [ Kim Hagen ] + + -- Kim Hagen Sun, 24 Jan 2016 15:04:53 -0500 + vyatta-cfg-vpn (0.12.105+vyos2+lithium17) unstable; urgency=low [ Alex Harpin ] -- cgit v1.2.3 From 28cb3d1d5b62595f3c033b85029132fec11b3c2d Mon Sep 17 00:00:00 2001 From: Daniil Baturin Date: Mon, 25 Jan 2016 14:14:16 +0100 Subject: Remove dependency on vyatta-ipsec for migration to upstream strongswan. Update standards version and description. --- debian/control | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/debian/control b/debian/control index 5605529..605e073 100644 --- a/debian/control +++ b/debian/control @@ -3,14 +3,14 @@ Section: contrib/net Priority: extra Maintainer: VyOS Package Maintainers Build-Depends: debhelper (>= 5), autotools-dev, libnfnetlink-dev, autoconf, automake, cpio -Standards-Version: 3.7.2 +Standards-Version: 3.9.1 Package: vyatta-cfg-vpn Architecture: any Depends: perl, vyatta-cfg (>= 0.15.33), vyatta-bash | bash (>= 3.1), - vyatta-ipsec, + strongswan (>= 5.2), libc6 (>= 2.7-6) -Description: VyOS VPN configuration templates/scripts - VyOS VPN configuration templates and scripts. +Description: VyOS IPsec VPN configuration templates/scripts + VyOS IPsec VPN configuration templates and scripts. -- cgit v1.2.3 From b558c886bf89e0fdf88ee991dc88d45f3b8dc95d Mon Sep 17 00:00:00 2001 From: Daniil Baturin Date: Mon, 25 Jan 2016 14:15:24 +0100 Subject: 0.12.105+vyos2+current2 --- debian/changelog | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/debian/changelog b/debian/changelog index 79226e1..a0dcfed 100644 --- a/debian/changelog 
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+vyatta-cfg-vpn (0.12.105+vyos2+current2) unstable; urgency=low
+
+ * Remove dependency on vyatta-ipsec for migration to upstream
+ strongswan.
+
+ -- Daniil Baturin Mon, 25 Jan 2016 14:15:24 +0100
+
 vyatta-cfg-vpn (0.12.105+vyos2+current1) unstable; urgency=medium
 [ Thomas Jepp ]
-- cgit v1.2.3
From 5ee99ec9d5cca8c13804964eee23ce0b15578edf Mon Sep 17 00:00:00 2001 From: Jeff Leung Date: Fri, 29 Jan 2016 18:43:45 -0500 Subject: vyatta-cfg-vpn: Properly implement force-encapsulation and fix descriptions
---
 scripts/vpn-config.pl | 2 +-
 .../vpn/ipsec/site-to-site/peer/node.tag/force-encapsulation/node.def | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/scripts/vpn-config.pl b/scripts/vpn-config.pl
index 4267564..6a9063f 100755
--- a/scripts/vpn-config.pl
+++ b/scripts/vpn-config.pl
@@ -817,7 +817,7 @@ if ($vcVPN->exists('ipsec')) {
 # Allow the user for force UDP encapsulation for the ESP
 # payload.
 #
- my $forceencaps = $vcVPN->returnValue("ipsec site-to-site $peer force-encapsulation");
+ my $forceencaps = $vcVPN->returnValue("ipsec site-to-site peer $peer force-encapsulation");
 if (defined($forceencaps)) {
 if ($forceencaps eq 'enable') {
 $genout .= "\tforceencaps=yes\n";
diff --git a/templates/vpn/ipsec/site-to-site/peer/node.tag/force-encapsulation/node.def b/templates/vpn/ipsec/site-to-site/peer/node.tag/force-encapsulation/node.def
index 0015add..bc71729 100644
--- a/templates/vpn/ipsec/site-to-site/peer/node.tag/force-encapsulation/node.def
+++ b/templates/vpn/ipsec/site-to-site/peer/node.tag/force-encapsulation/node.def
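Review bot: The corrected node path in the force-encapsulation hunk deserves a why-comment, since the old `ipsec site-to-site $peer force-encapsulation` never named an existing node and the `defined` guard below then silently skipped the option instead of failing: `# path is "site-to-site peer <peer> force-encapsulation"; without "peer" returnValue yields undef and the option is silently ignored`. That returnValue returns undef for a missing node is inferred from the guard, not shown here. The `if (defined($forceencaps))` block continues past the end of the hunk.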
@@ -1,6 +1,6 @@ help: Force UDP Encapsulation for ESP Payloads type: txt syntax:expression: $VAR(@) in "enable", "disable"; "Must be enable or disable" -val_help: enable; This endpoint will not force UDP encapsulation for this peer -val_help: disable; This endpoint will force UDP encapsulation for this peer +val_help: enable; This endpoint will force UDP encapsulation for this peer +val_help: disable; This endpoint will not force UDP encapsulation for this peer -- cgit v1.2.3 From bbd5b2a113cb64c872142b236b35c650804271eb Mon Sep 17 00:00:00 2001 From: Kim Hagen Date: Tue, 9 Feb 2016 04:10:31 -0500 Subject: Use dhcp instead of dhcp3. --- Makefile.am | 4 ++-- scripts/vpn-config.pl | 2 +- .../vpn/ipsec/site-to-site/peer/node.tag/dhcp-interface/node.def | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/Makefile.am b/Makefile.am index 7ae1717..ff81363 100644 --- a/Makefile.am +++ b/Makefile.am @@ -31,9 +31,9 @@ install-exec-hook: cd templates; $(cpiop) $(DESTDIR)$(cfgdir) mkdir -p $(DESTDIR)/etc/ppp/ip-up.d mkdir -p $(DESTDIR)/etc/ppp/ip-down.d - mkdir -p $(DESTDIR)/etc/dhcp3/dhclient-exit-hooks.d/ + mkdir -p $(DESTDIR)/etc/dhcp/dhclient-exit-hooks.d/ mkdir -p $(DESTDIR)/usr/lib/ipsec/ cp scripts/vpn-ppp-up $(DESTDIR)/etc/ppp/ip-up.d/ cp scripts/vpn-ppp-down $(DESTDIR)/etc/ppp/ip-down.d/ - cp scripts/ipsecd-dhclient-hook $(DESTDIR)/etc/dhcp3/dhclient-exit-hooks.d/ipsecd + cp scripts/ipsecd-dhclient-hook $(DESTDIR)/etc/dhcp/dhclient-exit-hooks.d/ipsecd cp scripts/vti-up-down $(DESTDIR)/usr/lib/ipsec/ diff --git a/scripts/vpn-config.pl b/scripts/vpn-config.pl index 7d0289c..635c416 100755 --- a/scripts/vpn-config.pl +++ b/scripts/vpn-config.pl 
@@ -1567,7 +1567,7 @@ sub dhcp_hook {
 /opt/vyatta/bin/sudo-users/vyatta-ipsec-dhcp.pl --interface=\"\$interface\" --new_ip=\"\$new_ip_address\" --reason=\"\$reason\" --old_ip=\"\$old_ip_address\"
 EOS
 }
- my $hook = "/etc/dhcp3/dhclient-exit-hooks.d/ipsecd";
+ my $hook = "/etc/dhcp/dhclient-exit-hooks.d/ipsecd";
 open my $dhcp_hook, '>', $hook or die "cannot open $hook";
 print ${dhcp_hook} $str;
diff --git a/templates/vpn/ipsec/site-to-site/peer/node.tag/dhcp-interface/node.def b/templates/vpn/ipsec/site-to-site/peer/node.tag/dhcp-interface/node.def
index a25e076..026b175 100644
--- a/templates/vpn/ipsec/site-to-site/peer/node.tag/dhcp-interface/node.def
+++ b/templates/vpn/ipsec/site-to-site/peer/node.tag/dhcp-interface/node.def
@@ -2,6 +2,6 @@ type: txt
 help: DHCP interface to listen on
 allowed: local -a array ;
- array=( /var/lib/dhcp3/eth* /var/lib/dhcp3/br* /var/lib/dhcp3/bond* ) ;
+ array=( /var/lib/dhcp/eth* /var/lib/dhcp/br* /var/lib/dhcp/bond* ) ;
 echo -n ${array[@]##*/}
-- cgit v1.2.3
From fbddff7f2b6b485c93b5d3cf4d60a75f84c3a2b6 Mon Sep 17 00:00:00 2001 From: Kim Hagen Date: Thu, 11 Feb 2016 05:28:37 -0500 Subject: Remove charonstart an interfaces from ipsec.conf file, they are depricated.
---
 scripts/vpn-config.pl | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/scripts/vpn-config.pl b/scripts/vpn-config.pl
index 635c416..5c00e08 100755
--- a/scripts/vpn-config.pl
+++ b/scripts/vpn-config.pl
@@ -217,7 +217,6 @@ if ($vcVPN->exists('ipsec')) {
 $genout .= "version 2.0\n";
 $genout .= "\n";
 $genout .= "config setup\n";
- $genout .= "\tcharonstart=yes\n";
 #
 # Interfaces
@@ -233,7 +232,6 @@ if ($vcVPN->exists('ipsec')) {
 # not used, though we do need to include the line and the keyword
 # "%none" to keep the IPsec setup code from defaulting the entry.
 if ($using_klips) {
- $genout .= "\tinterfaces=\"";
 my $counter = 0;
 foreach my $interface (@interfaces) {
 if (!(-d "/sys/class/net/$interface")) {
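Review bot: The `@@ -233` hunk removes `$genout .= "\tinterfaces=\"";` but the `@@ -264` hunk on the next line still appends the interface names and `'%defaultroute"'`, so when `$using_klips` is true the generated ipsec.conf receives a bare list of interfaces followed by an unmatched double quote. Either delete the whole `if ($using_klips) { … }` branch (the counter loop and the `%defaultroute` append) together with the keyword, or keep the opener; the same point applies to the `@@ -264` hunk. Whether `$using_klips` can still be true after the move to charon is not visible here, and the enclosing `if ($vcVPN->exists('ipsec'))` block lies outside both hunks.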
@@ -264,8 +262,6 @@ if ($vcVPN->exists('ipsec')) { ++$counter; } $genout .= '%defaultroute"'; - } else { - $genout .= 'interfaces="%none"'; } $genout .= "\n"; } -- cgit v1.2.3 From 8353f0f8fc746c69d6006e5bba9baf45afe16385 Mon Sep 17 00:00:00 2001 From: Kim Hagen Date: Thu, 11 Feb 2016 08:54:39 -0500 Subject: Set default pfs and ike dh group. (required by strongswan charon) --- scripts/vpn-config.pl | 95 +++++++++------------- .../vpn/ipsec/esp-group/node.tag/pfs/node.def | 7 +- .../node.tag/proposal/node.tag/dh-group/node.def | 5 +- 3 files changed, 44 insertions(+), 63 deletions(-) diff --git a/scripts/vpn-config.pl b/scripts/vpn-config.pl index 5c00e08..5502156 100755 --- a/scripts/vpn-config.pl +++ b/scripts/vpn-config.pl @@ -928,6 +928,44 @@ if ($vcVPN->exists('ipsec')) { if (defined($encryption) && defined($hash)) { $genout .= "$encryption-$hash"; } + + # + # Perfect Forward Secrecy + # + my $pfs = $vcVPN->returnValue("ipsec esp-group $esp_group pfs"); + if (defined($pfs)) { + if ($pfs eq 'dh-group2') { + $genout .= "-modp1024"; + } elsif ($pfs eq 'dh-group5') { + $genout .= "-modp1536"; + } elsif ($pfs eq 'dh-group14') { + $genout .= "-modp2048"; + } elsif ($pfs eq 'dh-group15') { + $genout .= "-modp3072"; + } elsif ($pfs eq 'dh-group16') { + $genout .= "-modp4096"; + } elsif ($pfs eq 'dh-group17') { + $genout .= "-modp6144"; + } elsif ($pfs eq 'dh-group18') { + $genout .= "-modp8192"; + } elsif ($pfs eq 'dh-group19') { + $genout .= "-ecp256"; + } elsif ($pfs eq 'dh-group20') { + $genout .= "-ecp384"; + } elsif ($pfs eq 'dh-group21') { + $genout .= "-ecp521"; + } elsif ($pfs eq 'dh-group22') { + $genout .= "-modp1024s160"; + } elsif ($pfs eq 'dh-group23') { + $genout .= "-modp2048s224"; + } elsif ($pfs eq 'dh-group24') { + $genout .= "-modp2048s256"; + } elsif ($pfs eq 'dh-group25') { + $genout .= "-ecp192"; + } elsif ($pfs eq 'dh-group26') { + $genout .= "-ecp224"; + } + } } $genout .= "!\n"; 
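Review bot: The new PFS suffix is appended after the `if (defined($encryption) && defined($hash))` guard has closed, so a proposal missing either value now yields a string such as `-modp2048` with no cipher in front of it; move the block inside that guard, or skip it when nothing was emitted. The fifteen-arm if/elsif chain is a lookup table and reads better as one: `my %dh_name_of = ('dh-group2' => 'modp1024', 'dh-group5' => 'modp1536', …);` followed by `$genout .= "-$dh_name_of{$pfs}" if exists $dh_name_of{$pfs};`, which also keeps the group names in a single place. `disable` and any unrecognised value fall through silently; an explicit `elsif ($pfs eq 'disable')` arm with a comment, or a `vpn_die` for unknown values, would make that intent visible. The proposal loop the block sits in starts before the hunk.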
@@ -970,63 +1008,6 @@ if ($vcVPN->exists('ipsec')) { } $genout .= "\ttype=$espmode\n"; - # - # Perfect Forward Secrecy - # - my $pfs = $vcVPN->returnValue("ipsec esp-group $esp_group pfs"); - if (defined($pfs)) { - if ($pfs eq 'enable') { - $genout .= "\tpfs=yes\n"; - } elsif ($pfs eq 'dh-group2') { - $genout .= "\tpfs=yes\n"; - $genout .= "\tpfsgroup=modp1024\n"; - } elsif ($pfs eq 'dh-group5') { - $genout .= "\tpfs=yes\n"; - $genout .= "\tpfsgroup=modp1536\n"; - } elsif ($pfs eq 'dh-group14') { - $genout .= "\tpfs=yes\n"; - $genout .= "\tpfsgroup=modp2048\n"; - } elsif ($pfs eq 'dh-group15') { - $genout .= "\tpfs=yes\n"; - $genout .= "\tpfsgroup=modp3072\n"; - } elsif ($pfs eq 'dh-group16') { - $genout .= "\tpfs=yes\n"; - $genout .= "\tpfsgroup=modp4096\n"; - } elsif ($pfs eq 'dh-group17') { - $genout .= "\tpfs=yes\n"; - $genout .= "\tpfsgroup=modp6144\n"; - } elsif ($pfs eq 'dh-group18') { - $genout .= "\tpfs=yes\n"; - $genout .= "\tpfsgroup=modp8192\n"; - } elsif ($pfs eq 'dh-group19') { - $genout .= "\tpfs=yes\n"; - $genout .= "\tpfsgroup=ecp256\n"; - } elsif ($pfs eq 'dh-group20') { - $genout .= "\tpfs=yes\n"; - $genout .= "\tpfsgroup=ecp384\n"; - } elsif ($pfs eq 'dh-group21') { - $genout .= "\tpfs=yes\n"; - $genout .= "\tpfsgroup=ecp521\n"; - } elsif ($pfs eq 'dh-group22') { - $genout .= "\tpfs=yes\n"; - $genout .= "\tpfsgroup=modp1024s160\n"; - } elsif ($pfs eq 'dh-group23') { - $genout .= "\tpfs=yes\n"; - $genout .= "\tpfsgroup=modp2048s224\n"; - } elsif ($pfs eq 'dh-group24') { - $genout .= "\tpfs=yes\n"; - $genout .= "\tpfsgroup=modp2048s256\n"; - } elsif ($pfs eq 'dh-group25') { - $genout .= "\tpfs=yes\n"; - $genout .= "\tpfsgroup=ecp192\n"; - } elsif ($pfs eq 'dh-group26') { - $genout .= "\tpfs=yes\n"; - $genout .= "\tpfsgroup=ecp224\n"; - } else { - $genout .= "\tpfs=no\n"; - } - } - # # Compression # diff --git a/templates/vpn/ipsec/esp-group/node.tag/pfs/node.def b/templates/vpn/ipsec/esp-group/node.tag/pfs/node.def index 59a46ec..cda2169 100644 
--- a/templates/vpn/ipsec/esp-group/node.tag/pfs/node.def +++ b/templates/vpn/ipsec/esp-group/node.tag/pfs/node.def @@ -1,11 +1,10 @@ help: ESP Perfect Forward Secrecy type: txt -default: "enable" -syntax:expression: $VAR(@) in "enable", "disable", "dh-group2", "dh-group5", "dh-group14", "dh-group15", "dh-group16", "dh-group17", "dh-group18", "dh-group19", "dh-group20", "dh-group21", "dh-group22", "dh-group23", "dh-group24", "dh-group25", "dh-group26"; "must be enable, disable, dh-group2, dh-group5, dh-group14, dh-group15, dh-group16, dh-group17, dh-group18, dh-group19, dh-group20, dh-group21, dh-group22, dh-group23, dh-group24, dh-group25 or dh-group26" -val_help: enable; Enable PFS. Use ike-group's dh-group (default) +default: "dh-group14" +syntax:expression: $VAR(@) in "disable", "dh-group2", "dh-group5", "dh-group14", "dh-group15", "dh-group16", "dh-group17", "dh-group18", "dh-group19", "dh-group20", "dh-group21", "dh-group22", "dh-group23", "dh-group24", "dh-group25", "dh-group26"; "must be enable, disable, dh-group2, dh-group5, dh-group14, dh-group15, dh-group16, dh-group17, dh-group18, dh-group19, dh-group20, dh-group21, dh-group22, dh-group23, dh-group24, dh-group25 or dh-group26" val_help: dh-group2; Enable PFS. Use Diffie-Hellman group 2 (modp1024) val_help: dh-group5; Enable PFS. Use Diffie-Hellman group 5 (modp1536) -val_help: dh-group14; Enable PFS. Use Diffie-Hellman group 14 (modp2048) +val_help: dh-group14; Enable PFS. Use Diffie-Hellman group 14 (modp2048) (default) val_help: dh-group15; Enable PFS. Use Diffie-Hellman group 15 (modp3072) val_help: dh-group16; Enable PFS. Use Diffie-Hellman group 16 (modp4096) val_help: dh-group17; Enable PFS. Use Diffie-Hellman group 17 (modp6144) diff --git a/templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/dh-group/node.def b/templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/dh-group/node.def index 307dc09..3ff5646 100644 
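Review bot: The new `syntax:expression` drops `enable` from the accepted values, but the error text on the same line still reads `must be enable, disable, dh-group2, …`, so a user who enters `enable` is told it is a valid choice; trim the message to match the list. Removing `enable` also means configurations saved with the previous default `pfs enable` will fail validation on upgrade unless a migration rewrites them to the new default `dh-group14`, and no migration is visible in this commit.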
--- a/templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/dh-group/node.def +++ b/templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/dh-group/node.def @@ -1,9 +1,10 @@ -help: Diffie-Hellman (DH) key exchange group +help: Diffie-Hellman (DH) key exchange group [REQUIRED] type: u32 +default: 14 syntax:expression: ($VAR(@) == 2 || $VAR(@) == 5 || ($VAR(@) >= 14 && $VAR(@) <= 26)); "must be 2, 5 or 14 through 26" val_help: 2; DH group 2 (modp1024) val_help: 5; DH group 5 (modp1536) -val_help: 14; DH group 14 (modp2048) +val_help: 14; DH group 14 (modp2048) (default) val_help: 15; DH group 15 (modp3072) val_help: 16; DH group 16 (modp4096) val_help: 17; DH group 17 (modp6144) -- cgit v1.2.3 From 849551db87c42494d7c44fd463aebba003ba978e Mon Sep 17 00:00:00 2001 From: Kim Hagen Date: Thu, 11 Feb 2016 12:17:34 -0500 Subject: Revert "Set default pfs and ike dh group. (required by strongswan charon)" This reverts commit 8353f0f8fc746c69d6006e5bba9baf45afe16385. --- scripts/vpn-config.pl | 95 +++++++++++++--------- .../vpn/ipsec/esp-group/node.tag/pfs/node.def | 7 +- .../node.tag/proposal/node.tag/dh-group/node.def | 5 +- 3 files changed, 63 insertions(+), 44 deletions(-) diff --git a/scripts/vpn-config.pl b/scripts/vpn-config.pl index 5502156..5c00e08 100755 --- a/scripts/vpn-config.pl +++ b/scripts/vpn-config.pl 
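Review bot: `help: Diffie-Hellman (DH) key exchange group [REQUIRED]` contradicts the `default: 14` added two lines below it: a node with a default can never be missing, so one of the two should go. If the point is that charon refuses a proposal without a DH group, the default already guarantees one; `help: Diffie-Hellman (DH) key exchange group (default 14)` would say so without the misleading tag.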
@@ -928,44 +928,6 @@ if ($vcVPN->exists('ipsec')) { if (defined($encryption) && defined($hash)) { $genout .= "$encryption-$hash"; } - - # - # Perfect Forward Secrecy - # - my $pfs = $vcVPN->returnValue("ipsec esp-group $esp_group pfs"); - if (defined($pfs)) { - if ($pfs eq 'dh-group2') { - $genout .= "-modp1024"; - } elsif ($pfs eq 'dh-group5') { - $genout .= "-modp1536"; - } elsif ($pfs eq 'dh-group14') { - $genout .= "-modp2048"; - } elsif ($pfs eq 'dh-group15') { - $genout .= "-modp3072"; - } elsif ($pfs eq 'dh-group16') { - $genout .= "-modp4096"; - } elsif ($pfs eq 'dh-group17') { - $genout .= "-modp6144"; - } elsif ($pfs eq 'dh-group18') { - $genout .= "-modp8192"; - } elsif ($pfs eq 'dh-group19') { - $genout .= "-ecp256"; - } elsif ($pfs eq 'dh-group20') { - $genout .= "-ecp384"; - } elsif ($pfs eq 'dh-group21') { - $genout .= "-ecp521"; - } elsif ($pfs eq 'dh-group22') { - $genout .= "-modp1024s160"; - } elsif ($pfs eq 'dh-group23') { - $genout .= "-modp2048s224"; - } elsif ($pfs eq 'dh-group24') { - $genout .= "-modp2048s256"; - } elsif ($pfs eq 'dh-group25') { - $genout .= "-ecp192"; - } elsif ($pfs eq 'dh-group26') { - $genout .= "-ecp224"; - } - } } $genout .= "!\n"; 
@@ -1008,6 +970,63 @@ if ($vcVPN->exists('ipsec')) { } $genout .= "\ttype=$espmode\n"; + # + # Perfect Forward Secrecy + # + my $pfs = $vcVPN->returnValue("ipsec esp-group $esp_group pfs"); + if (defined($pfs)) { + if ($pfs eq 'enable') { + $genout .= "\tpfs=yes\n"; + } elsif ($pfs eq 'dh-group2') { + $genout .= "\tpfs=yes\n"; + $genout .= "\tpfsgroup=modp1024\n"; + } elsif ($pfs eq 'dh-group5') { + $genout .= "\tpfs=yes\n"; + $genout .= "\tpfsgroup=modp1536\n"; + } elsif ($pfs eq 'dh-group14') { + $genout .= "\tpfs=yes\n"; + $genout .= "\tpfsgroup=modp2048\n"; + } elsif ($pfs eq 'dh-group15') { + $genout .= "\tpfs=yes\n"; + $genout .= "\tpfsgroup=modp3072\n"; + } elsif ($pfs eq 'dh-group16') { + $genout .= "\tpfs=yes\n"; + $genout .= "\tpfsgroup=modp4096\n"; + } elsif ($pfs eq 'dh-group17') { + $genout .= "\tpfs=yes\n"; + $genout .= "\tpfsgroup=modp6144\n"; + } elsif ($pfs eq 'dh-group18') { + $genout .= "\tpfs=yes\n"; + $genout .= "\tpfsgroup=modp8192\n"; + } elsif ($pfs eq 'dh-group19') { + $genout .= "\tpfs=yes\n"; + $genout .= "\tpfsgroup=ecp256\n"; + } elsif ($pfs eq 'dh-group20') { + $genout .= "\tpfs=yes\n"; + $genout .= "\tpfsgroup=ecp384\n"; + } elsif ($pfs eq 'dh-group21') { + $genout .= "\tpfs=yes\n"; + $genout .= "\tpfsgroup=ecp521\n"; + } elsif ($pfs eq 'dh-group22') { + $genout .= "\tpfs=yes\n"; + $genout .= "\tpfsgroup=modp1024s160\n"; + } elsif ($pfs eq 'dh-group23') { + $genout .= "\tpfs=yes\n"; + $genout .= "\tpfsgroup=modp2048s224\n"; + } elsif ($pfs eq 'dh-group24') { + $genout .= "\tpfs=yes\n"; + $genout .= "\tpfsgroup=modp2048s256\n"; + } elsif ($pfs eq 'dh-group25') { + $genout .= "\tpfs=yes\n"; + $genout .= "\tpfsgroup=ecp192\n"; + } elsif ($pfs eq 'dh-group26') { + $genout .= "\tpfs=yes\n"; + $genout .= "\tpfsgroup=ecp224\n"; + } else { + $genout .= "\tpfs=no\n"; + } + } + # # Compression # diff --git a/templates/vpn/ipsec/esp-group/node.tag/pfs/node.def b/templates/vpn/ipsec/esp-group/node.tag/pfs/node.def index cda2169..59a46ec 100644 
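Review bot: The restored block emits `pfs=yes` and `pfsgroup=modpNNNN`, which are the legacy pluto keywords; strongSwan 5's ipsec.conf treats `pfsgroup` as deprecated in favour of naming the group inside the `esp=` proposal, so after this revert charon may quietly ignore the configured group. If the revert is a stop-gap, a `# TODO: charon ignores pfsgroup=; the group belongs in the esp= proposal string` comment at the top of the block keeps that visible for the next attempt. The `else` arm writing `pfs=no` also catches the template's `disable` and any unknown value, which matches the previous behaviour.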
--- a/templates/vpn/ipsec/esp-group/node.tag/pfs/node.def +++ b/templates/vpn/ipsec/esp-group/node.tag/pfs/node.def @@ -1,10 +1,11 @@ help: ESP Perfect Forward Secrecy type: txt -default: "dh-group14" -syntax:expression: $VAR(@) in "disable", "dh-group2", "dh-group5", "dh-group14", "dh-group15", "dh-group16", "dh-group17", "dh-group18", "dh-group19", "dh-group20", "dh-group21", "dh-group22", "dh-group23", "dh-group24", "dh-group25", "dh-group26"; "must be enable, disable, dh-group2, dh-group5, dh-group14, dh-group15, dh-group16, dh-group17, dh-group18, dh-group19, dh-group20, dh-group21, dh-group22, dh-group23, dh-group24, dh-group25 or dh-group26" +default: "enable" +syntax:expression: $VAR(@) in "enable", "disable", "dh-group2", "dh-group5", "dh-group14", "dh-group15", "dh-group16", "dh-group17", "dh-group18", "dh-group19", "dh-group20", "dh-group21", "dh-group22", "dh-group23", "dh-group24", "dh-group25", "dh-group26"; "must be enable, disable, dh-group2, dh-group5, dh-group14, dh-group15, dh-group16, dh-group17, dh-group18, dh-group19, dh-group20, dh-group21, dh-group22, dh-group23, dh-group24, dh-group25 or dh-group26" +val_help: enable; Enable PFS. Use ike-group's dh-group (default) val_help: dh-group2; Enable PFS. Use Diffie-Hellman group 2 (modp1024) val_help: dh-group5; Enable PFS. Use Diffie-Hellman group 5 (modp1536) -val_help: dh-group14; Enable PFS. Use Diffie-Hellman group 14 (modp2048) (default) +val_help: dh-group14; Enable PFS. Use Diffie-Hellman group 14 (modp2048) val_help: dh-group15; Enable PFS. Use Diffie-Hellman group 15 (modp3072) val_help: dh-group16; Enable PFS. Use Diffie-Hellman group 16 (modp4096) val_help: dh-group17; Enable PFS. Use Diffie-Hellman group 17 (modp6144) diff --git a/templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/dh-group/node.def b/templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/dh-group/node.def index 3ff5646..307dc09 100644 
--- a/templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/dh-group/node.def +++ b/templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/dh-group/node.def @@ -1,10 +1,9 @@ -help: Diffie-Hellman (DH) key exchange group [REQUIRED] +help: Diffie-Hellman (DH) key exchange group type: u32 -default: 14 syntax:expression: ($VAR(@) == 2 || $VAR(@) == 5 || ($VAR(@) >= 14 && $VAR(@) <= 26)); "must be 2, 5 or 14 through 26" val_help: 2; DH group 2 (modp1024) val_help: 5; DH group 5 (modp1536) -val_help: 14; DH group 14 (modp2048) (default) +val_help: 14; DH group 14 (modp2048) val_help: 15; DH group 15 (modp3072) val_help: 16; DH group 16 (modp4096) val_help: 17; DH group 17 (modp6144) -- cgit v1.2.3 From 2cda998101aa8d83ab92e9d3d1abddf672ac2c2d Mon Sep 17 00:00:00 2001 From: Kim Hagen Date: Thu, 11 Feb 2016 12:17:51 -0500 Subject: Revert "Remove charonstart an interfaces from ipsec.conf file, they are depricated." This reverts commit fbddff7f2b6b485c93b5d3cf4d60a75f84c3a2b6. --- scripts/vpn-config.pl | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/scripts/vpn-config.pl b/scripts/vpn-config.pl index 5c00e08..635c416 100755 --- a/scripts/vpn-config.pl +++ b/scripts/vpn-config.pl @@ -217,6 +217,7 @@ if ($vcVPN->exists('ipsec')) { $genout .= "version 2.0\n"; $genout .= "\n"; $genout .= "config setup\n"; + $genout .= "\tcharonstart=yes\n"; # # Interfaces @@ -232,6 +233,7 @@ if ($vcVPN->exists('ipsec')) { # not used, though we do need to include the line and the keyword # "%none" to keep the IPsec setup code from defaulting the entry. if ($using_klips) { + $genout .= "\tinterfaces=\""; my $counter = 0; foreach my $interface (@interfaces) { if (!(-d "/sys/class/net/$interface")) { @@ -262,6 +264,8 @@ if ($vcVPN->exists('ipsec')) { ++$counter; } $genout .= '%defaultroute"'; + } else { + $genout .= 'interfaces="%none"'; } $genout .= "\n"; } -- cgit v1.2.3 From 38ddb04edcf5d9a87edd7047ff3f2bce9bf0ba24 Mon Sep 17 00:00:00 2001 
From: Daniil Baturin Date: Thu, 11 Feb 2016 12:34:31 -0500 Subject: Update the changelog.
---
 debian/changelog | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index a0dcfed..ff0149b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+vyatta-cfg-vpn (0.12.105+vyos2+current3) unstable; urgency=medium
+
+ * Merge StrongSWAN 5.x compatibility changes from Jeff Leung
+
+ -- Thu, 11 Feb 2016 12:31:57 -0500
+
 vyatta-cfg-vpn (0.12.105+vyos2+current2) unstable; urgency=low
 * Remove dependency on vyatta-ipsec for migration to upstream
-- cgit v1.2.3
From e6bde39b75eca1f4b30b7d4fa3c6eb9dd0100775 Mon Sep 17 00:00:00 2001 From: Kim Hagen Date: Tue, 23 Feb 2016 03:59:49 -0500 Subject: Update vpn check file from "charon.ctl" to "charon.pid".
---
 lib/Vyatta/VPN/Util.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/Vyatta/VPN/Util.pm b/lib/Vyatta/VPN/Util.pm
index 606178a..315651e 100755
--- a/lib/Vyatta/VPN/Util.pm
+++ b/lib/Vyatta/VPN/Util.pm
@@ -41,7 +41,7 @@ use constant LOCAL_KEY_FILE_DEFAULT => '/opt/vyatta/etc/config/ipsec.d/rsa-keys/localhost.key';
 sub is_vpn_running {
- return ( -e '/var/run/charon.ctl');
+ return ( -e '/var/run/charon.pid');
 }
 sub get_protocols {
-- cgit v1.2.3
From 9118f812de63247b4d4ee9e4262d040090697bea Mon Sep 17 00:00:00 2001 From: Kim Hagen Date: Wed, 24 Feb 2016 07:46:58 -0500 Subject: remove reference to dmvpn.secrets and chang dmvpn.conf to swanctl.conf
---
 scripts/vpn-config.pl | 16 +++++-----------
 templates/vpn/node.def | 3 +--
 2 files changed, 6 insertions(+), 13 deletions(-)
diff --git a/scripts/vpn-config.pl b/scripts/vpn-config.pl
index b913783..75d0e91 100755
--- a/scripts/vpn-config.pl
+++ b/scripts/vpn-config.pl
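Review bot: `-e '/var/run/charon.pid'` reports the daemon as running whenever the pid file exists, and a pid file outlives a crashed or killed charon until something removes it, so callers gated on is_vpn_running will act on a dead daemon; the removed `charon.ctl` socket check shared that weakness, so this is not a regression but it is the moment to fix it. Read the pid from the file and probe it with `kill 0`, treating EPERM as "alive", as sketched below. Whether this module always runs with enough privilege to probe charon's pid is not visible here.
```perl
sub is_vpn_running {
    # A pid file can outlive a crashed daemon; confirm the recorded pid is alive.
    my $pidfile = '/var/run/charon.pid';
    open my $fh, '<', $pidfile or return 0;
    my $line = <$fh>;
    close $fh;
    return 0 unless defined $line && $line =~ m{\A\s*(\d+)\s*\z};
    my $pid = $1;
    # kill 0 probes without signalling; EPERM still means the process exists.
    return (kill(0, $pid) || $!{EPERM}) ? 1 : 0;
}
```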
@@ -1146,17 +1146,11 @@ if ($vcVPN->exists('ipsec')) {
 }
 $genout .= "\ninclude $custom_include\n";
 }
- if (defined($custom_secrets)) {
- if ( ! -e $custom_secrets) {
- vpn_die(["vpn","ipsec","include-ipsec-secrets"],"$vpn_cfg_err The specified file for inclusion inside ipsec.secrets does not exist.");
- }
- $genout_secrets .= "\ninclude $custom_secrets\n";
- }
- if (-e '/etc/dmvpn.conf') {
- $genout .= "\ninclude /etc/dmvpn.conf\n";
- }
- if (-e '/etc/dmvpn.secrets') {
- $genout_secrets .= "\ninclude /etc/dmvpn.secrets\n";
+ if (defined($custom_secrets)) {
+ if ( ! -e $custom_secrets) {
+ vpn_die(["vpn","ipsec","include-ipsec-secrets"],"$vpn_cfg_err The specified file for inclusion inside ipsec.secrets does not exist.");
+ }
+ $genout_secrets .= "\ninclude $custom_secrets\n";
 } } else {
diff --git a/templates/vpn/node.def b/templates/vpn/node.def
index 7c6b56a..ae2d6a9 100644
--- a/templates/vpn/node.def
+++ b/templates/vpn/node.def
@@ -2,8 +2,7 @@ priority: 900
 help: Virtual Private Network (VPN)
 end:sudo /opt/vyatta/sbin/vyatta-vti-config.pl || exit 1
 sudo /opt/vyatta/sbin/dmvpn-config.pl \
- --config_file='/etc/dmvpn.conf' \
- --secrets_file='/etc/dmvpn.secrets' \
+ --config_file='/etc/swanctl/swanctl.conf' \
+ --init_script='/etc/init.d/ipsec' || exit 1
 sudo /opt/vyatta/sbin/vyos-update-nhrp.pl --set_ipsec || exit 1
 sudo /opt/vyatta/sbin/vpn-config.pl \
-- cgit v1.2.3
From 984030a79c415ac5d4041db1bd638b86946871fd Mon Sep 17 00:00:00 2001 From: Kim Hagen Date: Wed, 24 Feb 2016 08:00:55 -0500 Subject: First version of new dmvpn script rewrite.
---
 scripts/dmvpn-config.pl | 1058 ++++++++++++++++++++---------------------
 1 file changed, 459 insertions(+), 599 deletions(-)
diff --git a/scripts/dmvpn-config.pl b/scripts/dmvpn-config.pl
index 8a8c1ff..3bea3ec 100755
--- a/scripts/dmvpn-config.pl
+++ b/scripts/dmvpn-config.pl
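Review bot: The re-indented `include-ipsec-secrets` block still validates the operator-supplied path with `-e`, which is true for directories and unreadable files and then passes the path into ipsec.secrets verbatim; `if ( ! -f $custom_secrets || ! -r _ )` fails earlier with a message that actually describes the problem. The same hunk keeps writing `$genout_secrets`, while the node.def hunk drops only `--secrets_file` from dmvpn-config.pl, so vpn-config.pl's own secrets output is presumably still handled elsewhere. Pointing `--config_file` at `/etc/swanctl/swanctl.conf` makes the generated output replace the distribution's main swanctl file rather than a dedicated include; if that is intended, a comment in the template saying so would save the next reader a search.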
@@ -21,36 +21,24 @@ use NetAddr::IP; use Vyatta::VPN::vtiIntf; my $config_file; -my $secrets_file; my $init_script; my $tunnel_context; my $tun_id; GetOptions( "config_file=s" => \$config_file, - "secrets_file=s" => \$secrets_file, "init_script=s" => \$init_script, "tunnel_context" => \$tunnel_context, "tun_id=s" => \$tun_id ); -my $CA_CERT_PATH = '/etc/ipsec.d/cacerts'; -my $CRL_PATH = '/etc/ipsec.d/crls'; -my $SERVER_CERT_PATH = '/etc/ipsec.d/certs'; -my $SERVER_KEY_PATH = '/etc/ipsec.d/private'; + my $LOGFILE = '/var/log/vyatta/ipsec.log'; my $vpn_cfg_err = "VPN configuration error:"; -my $clustering_ip = 0; -my $dhcp_if = 0; my $genout; -my $genout_secrets; my $dh_disable; -# Set $using_klips to 1 if kernel IPsec support is provided by KLIPS. -# Set it to 0 if using NETKEY. -my $using_klips = 0; - -$genout .= "# generated by $0\n\n"; -$genout_secrets .= "# generated by $0\n\n"; +$genout .= "# generated by $0\n\n"; +$genout .= "connections {\n"; # # Prepare Vyatta::Config object 
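Review bot: `$genout .= "connections {\n";` opens the swanctl block at file scope, before the `exit 0` paths of the change-detection code in the next hunk, while the matching closing brace has to be emitted somewhere after the profile loop beyond this hunk; emitting opener and closer from one place (or wrapping the whole connections section in a sub) would make the generated structure easier to check. `my $dh_disable;` survives the clean-up but nothing in this hunk reads it, so drop it if the rewrite no longer uses it. The removal of `--secrets_file` matches the template change in the previous commit; everything after `# Prepare Vyatta::Config object` is outside the hunk.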
@@ -64,528 +52,370 @@ $vcVPN->setLevel('vpn'); # if it has not then exit my $ipsecstatus = $vcVPN->isChanged('ipsec'); if ( $ipsecstatus && $tunnel_context ) { - - # no sence to do same update twice, will be done via vpn context - exit 0; + # no sence to do same update twice, will be done via vpn context + exit 0; } if ( !$ipsecstatus ) { - my $tun_ip_changed = 0; - my @tuns = $vc->listNodes('interfaces tunnel'); - my @profs = $vcVPN->listNodes('ipsec profile'); - foreach my $prof (@profs) { - my @tuns = $vcVPN->listNodes("ipsec profile $prof bind tunnel"); - foreach my $tun (@tuns) { - my $lip_old = - $vc->returnOrigValue("interfaces tunnel $tun local-ip"); - my $lip_new = $vc->returnValue("interfaces tunnel $tun local-ip"); - if ( !( "$lip_old" eq "$lip_new" ) ) { - if ($tun_ip_changed) { - - # tunnel $tun_id is not the last tunnel with updated local-ip, so skip + my $tun_ip_changed = 0; + my @tuns = $vc->listNodes('interfaces tunnel'); + my @profs = $vcVPN->listNodes('ipsec profile'); + foreach my $prof (@profs) { + my @tuns = $vcVPN->listNodes("ipsec profile $prof bind tunnel"); + foreach my $tun (@tuns) { + my $lip_old = $vc->returnOrigValue("interfaces tunnel $tun local-ip"); + my $lip_new = $vc->returnValue("interfaces tunnel $tun local-ip"); + if ( !( "$lip_old" eq "$lip_new" ) ) { + if ($tun_ip_changed) { + # tunnel $tun_id is not the last tunnel with updated local-ip, so skip exit 0; - } - if ( "$tun" eq "$tun_id" ) { - $tun_ip_changed = 1; - } - } - } - } - if ( !$tun_ip_changed ) { - exit 0; - } + } + if ( "$tun" eq "$tun_id" ) { + $tun_ip_changed = 1; + } + } + } + } + if ( !$tun_ip_changed ) { + exit 0; + } } if ( $vcVPN->exists('ipsec') ) { - - # - # Connection configurations - # - my @profiles = $vcVPN->listNodes('ipsec profile'); - my $prev_profile = ""; - foreach my $profile (@profiles) { - my $profile_ike_group = - $vcVPN->returnValue("ipsec profile $profile ike-group"); - if ( !defined($profile_ike_group) || $profile_ike_group eq '' ) { - 
vpn_die( - [ "vpn", "ipsec", "profile", $profile, "ike-group" ], -"$vpn_cfg_err No IKE group specified for profile \"$profile\".\n" - ); - } - elsif ( !$vcVPN->exists("ipsec ike-group $profile_ike_group") ) { - vpn_die( - [ "vpn", "ipsec", "profile", $profile, "ike-group" ], -"$vpn_cfg_err The IKE group \"$profile_ike_group\" specified for profile " - . "\"$profile\" has not been configured.\n" - ); - } - - my $authid = - $vcVPN->returnValue("ipsec profile $profile authentication id"); - - # - # ESP group - # - my $profile_esp_group = - $vcVPN->returnValue("ipsec profile $profile esp-group"); - if ( !defined($profile_esp_group) || $profile_esp_group eq '' ) { - vpn_die( - [ "vpn", "ipsec", "profile", $profile, "esp-group" ], -"$vpn_cfg_err No ESP group specified for profile \"$profile\".\n" - ); - } - elsif ( !$vcVPN->exists("ipsec esp-group $profile_esp_group") ) { - vpn_die( - [ "vpn", "ipsec", "profile", $profile, "esp-group" ], - "$vpn_cfg_err The ESP group \"$profile_esp_group\" specified " - . 
"for profile \"$profile\" has not been configured.\n" - ); - } - - # - # Authentication mode - # - # - # Write shared secrets to ipsec.secrets - # - my $auth_mode = - $vcVPN->returnValue("ipsec profile $profile authentication mode"); - my $psk = ''; - if ( !defined($auth_mode) || $auth_mode eq '' ) { - vpn_die( - [ "vpn", "ipsec", "profile", $profile, "authentication" ], -"$vpn_cfg_err No authentication mode for profile \"$profile\" specified.\n" - ); - } - elsif ( defined($auth_mode) && ( $auth_mode eq 'pre-shared-secret' ) ) { - $psk = $vcVPN->returnValue( - "ipsec profile $profile authentication pre-shared-secret"); - my $orig_psk = $vcVPN->returnOrigValue( - "ipsec profile $profile authentication pre-shared-secret"); - $orig_psk = "" if ( !defined($orig_psk) ); - if ( $psk ne $orig_psk && $orig_psk ne "" ) { - print -"WARNING: The pre-shared-secret will not be updated until the next re-keying interval\n"; - print "To force the key change use: 'reset vpn ipsec-peer'\n"; - } - if ( !defined($psk) || $psk eq '' ) { - vpn_die( - [ "vpn", "ipsec", "profile", $profile, "authentication" ], -"$vpn_cfg_err No 'pre-shared-secret' specified for profile \"$profile\"" - . " while 'pre-shared-secret' authentication mode is specified.\n" - ); - } - } - else { - vpn_die( - [ "vpn", "ipsec", "profile", $profile, "authentication" ], -"$vpn_cfg_err Unknown/unsupported authentication mode \"$auth_mode\" for profile " - . 
"\"$profile\" specified.\n" - ); - } - - my @tunnels = $vcVPN->listNodes("ipsec profile $profile bind tunnel"); - - foreach my $tunnel (@tunnels) { - - # - # Check whether this tunnel is already in some profile - # - foreach my $prof (@profiles) { - if ( $prof != $profile ) { - if ( - $vcVPN->exists( - "ipsec profile $prof bind tunnel $tunnel") - ) + # + # Connection configurations + # + my @profiles = $vcVPN->listNodes('ipsec profile'); + my $prev_profile = ""; + foreach my $profile (@profiles) { + my $profile_ike_group = $vcVPN->returnValue("ipsec profile $profile ike-group"); + if ( !defined($profile_ike_group) || $profile_ike_group eq '' ) { + vpn_die([ "vpn", "ipsec", "profile", $profile, "ike-group" ], + "$vpn_cfg_err No IKE group specified for profile \"$profile\".\n"); + } + elsif ( !$vcVPN->exists("ipsec ike-group $profile_ike_group") ) { + vpn_die([ "vpn", "ipsec", "profile", $profile, "ike-group" ], + "$vpn_cfg_err The IKE group \"$profile_ike_group\" specified for profile " + . "\"$profile\" has not been configured.\n"); + } + + my $authid = $vcVPN->returnValue("ipsec profile $profile authentication id"); + + # + # ESP group + # + my $profile_esp_group = $vcVPN->returnValue("ipsec profile $profile esp-group"); + if ( !defined($profile_esp_group) || $profile_esp_group eq '' ) { + vpn_die([ "vpn", "ipsec", "profile", $profile, "esp-group" ], + "$vpn_cfg_err No ESP group specified for profile \"$profile\".\n"); + } + elsif ( !$vcVPN->exists("ipsec esp-group $profile_esp_group") ) { + vpn_die([ "vpn", "ipsec", "profile", $profile, "esp-group" ], + "$vpn_cfg_err The ESP group \"$profile_esp_group\" specified " + . 
"for profile \"$profile\" has not been configured.\n"); + } + + # + # Authentication mode + # + # + # Write shared secrets to ipsec.secrets + # + my $auth_mode = $vcVPN->returnValue("ipsec profile $profile authentication mode"); + my $psk = ''; + if ( !defined($auth_mode) || $auth_mode eq '' ) { + vpn_die([ "vpn", "ipsec", "profile", $profile, "authentication" ], + "$vpn_cfg_err No authentication mode for profile \"$profile\" specified.\n"); + } + elsif ( defined($auth_mode) && ( $auth_mode eq 'pre-shared-secret' ) ) { + $psk = $vcVPN->returnValue("ipsec profile $profile authentication pre-shared-secret"); + my $orig_psk = $vcVPN->returnOrigValue("ipsec profile $profile authentication pre-shared-secret"); + $orig_psk = "" if ( !defined($orig_psk) ); + if ( $psk ne $orig_psk && $orig_psk ne "" ) { + print "WARNING: The pre-shared-secret will not be updated until the next re-keying interval\n"; + print "To force the key change use: 'reset vpn ipsec-peer'\n"; + } + if ( !defined($psk) || $psk eq '' ) { + vpn_die([ "vpn", "ipsec", "profile", $profile, "authentication" ], + "$vpn_cfg_err No 'pre-shared-secret' specified for profile \"$profile\"" + . " while 'pre-shared-secret' authentication mode is specified.\n"); + } + } + else { + vpn_die([ "vpn", "ipsec", "profile", $profile, "authentication" ], + "$vpn_cfg_err Unknown/unsupported authentication mode \"$auth_mode\" for profile " + . "\"$profile\" specified.\n"); + } + + my @tunnels = $vcVPN->listNodes("ipsec profile $profile bind tunnel"); + + foreach my $tunnel (@tunnels) { + # + # Check whether this tunnel is already in some profile + # + foreach my $prof (@profiles) { + if ( $prof != $profile ) { + if ($vcVPN->exists("ipsec profile $prof bind tunnel $tunnel")) { - vpn_die( - [ - "vpn", "ipsec", "profile", $profile, - "bind", "tunnel", $tunnel - ], -"$vpn_cfg_err Tunnel \"$tunnel\" is already configured in profile \"$prof\"." - ); - } - } - } - - my $needs_passthrough = 'false'; - my $tunKeyword = 'tunnel ' . 
"$tunnel"; - - my $conn_head = "conn vpnprof-tunnel-$tunnel\n"; - $genout .= $conn_head; - - my $lip = $vc->returnValue("interfaces tunnel $tunnel local-ip"); - my $leftsourceip = undef; - - $genout .= "\tleft=$lip\n"; - $leftsourceip = "\tleftsourceip=$lip\n"; - $genout .= "\tleftid=$authid\n" if defined $authid; - - my $right = '%any'; - my $any_peer = 1; - - $genout .= "\tright=$right\n"; - if ($any_peer) { - $genout .= "\trekey=no\n"; - } - - # - # Protocol/port - # - my $protocol = "gre"; - my $lprotoport = ''; - if ( defined($protocol) ) { - $lprotoport .= $protocol; - } - if ( not( $lprotoport eq '' ) ) { - $genout .= "\tleftprotoport=$lprotoport\n"; - } - - my $rprotoport = ''; - if ( defined($protocol) ) { - $rprotoport .= $protocol; - } - if ( not( $rprotoport eq '' ) ) { - $genout .= "\trightprotoport=$rprotoport\n"; - } - - # - # Write IKE configuration from group - # - my $ikelifetime = IKELIFETIME_DEFAULT; - $genout .= "\tike="; - my $ike_group = - $vcVPN->returnValue("ipsec profile $profile ike-group"); - if ( defined($ike_group) && $ike_group ne '' ) { - my @ike_proposals = - $vcVPN->listNodes("ipsec ike-group $ike_group proposal"); - - my $first_ike_proposal = 1; - foreach my $ike_proposal (@ike_proposals) { - - # - # Get encryption, hash & Diffie-Hellman key size - # - my $encryption = $vcVPN->returnValue( -"ipsec ike-group $ike_group proposal $ike_proposal encryption" - ); - my $hash = $vcVPN->returnValue( - "ipsec ike-group $ike_group proposal $ike_proposal hash" - ); - my $dh_group = $vcVPN->returnValue( -"ipsec ike-group $ike_group proposal $ike_proposal dh-group" - ); - - if ( defined($dh_group) ) { - $dh_disable = 1; - } - - # - # Write separator if not first proposal - # - if ($first_ike_proposal) { - $first_ike_proposal = 0; - } - else { - $genout .= ","; - } - - # - # Write values - # - if ( defined($encryption) && defined($hash) ) { - $genout .= "$encryption-$hash"; - if ( defined($dh_group) ) { - if ($dh_group eq '2') { - $genout .= 
'-modp1024'; - } elsif ($dh_group eq '5') { - $genout .= '-modp1536'; - } elsif ($dh_group eq '14') { - $genout .= '-modp2048'; - } elsif ($dh_group eq '15') { - $genout .= '-modp3072'; - } elsif ($dh_group eq '16') { - $genout .= '-modp4096'; - } elsif ($dh_group eq '17') { - $genout .= '-modp6144'; - } elsif ($dh_group eq '18') { - $genout .= '-modp8192'; - } elsif ($dh_group eq '19') { - $genout .= '-ecp256'; - } elsif ($dh_group eq '20') { - $genout .= '-ecp384'; - } elsif ($dh_group eq '21') { - $genout .= '-ecp521'; - } elsif ($dh_group eq '22') { - $genout .= '-modp1024s160'; - } elsif ($dh_group eq '23') { - $genout .= '-modp2048s224'; - } elsif ($dh_group eq '24') { - $genout .= '-modp2048s256'; - } elsif ($dh_group eq '25') { - $genout .= '-ecp192'; - } elsif ($dh_group eq '26') { - $genout .= '-ecp224'; - } - elsif ( $dh_group ne '' ) { - vpn_die(["vpn","ipsec","profile", $profile,"bind","tunnel", $tunnel],"$vpn_cfg_err Invalid 'dh-group' $dh_group specified in ". - "profile \"$profile\" for $tunKeyword. Only 2, 5, or 14 through 26 accepted.\n"); - } - } - } - } - - #why we always set strict mode? - $genout .= "!\n"; - - my $t_ikelifetime = - $vcVPN->returnValue("ipsec ike-group $ike_group lifetime"); - if ( defined($t_ikelifetime) && $t_ikelifetime ne '' ) { - $ikelifetime = $t_ikelifetime; - } - $genout .= "\tikelifetime=$ikelifetime" . "s\n"; - - # - # Check for Dead Peer Detection DPD - # - my $dpd_interval = $vcVPN->returnValue( - "ipsec ike-group $ike_group dead-peer-detection interval"); - my $dpd_timeout = $vcVPN->returnValue( - "ipsec ike-group $ike_group dead-peer-detection timeout"); - my $dpd_action = $vcVPN->returnValue( - "ipsec ike-group $ike_group dead-peer-detection action"); - if ( defined($dpd_interval) - && defined($dpd_timeout) - && defined($dpd_action) ) - { - $genout .= "\tdpddelay=$dpd_interval" . "s\n"; - $genout .= "\tdpdtimeout=$dpd_timeout" . 
"s\n"; - $genout .= "\tdpdaction=$dpd_action\n"; - } - } - - # - # Write ESP configuration from group - # - my $esplifetime = ESPLIFETIME_DEFAULT; - $genout .= "\tesp="; - my $esp_group = - $vcVPN->returnValue("ipsec profile $profile esp-group"); - if ( defined($esp_group) && $esp_group ne '' ) { - my @esp_proposals = - $vcVPN->listNodes("ipsec esp-group $esp_group proposal"); - my $first_esp_proposal = 1; - foreach my $esp_proposal (@esp_proposals) { - - # - # Get encryption, hash - # - my $encryption = $vcVPN->returnValue( -"ipsec esp-group $esp_group proposal $esp_proposal encryption" - ); - my $hash = $vcVPN->returnValue( - "ipsec esp-group $esp_group proposal $esp_proposal hash" - ); - - # - # Write separator if not first proposal - # - if ($first_esp_proposal) { - $first_esp_proposal = 0; - } - else { - $genout .= ","; - } - - # - # Write values - # - if ( defined($encryption) && defined($hash) ) { + vpn_die(["vpn", "ipsec", "profile", $profile,"bind", "tunnel", $tunnel], + "$vpn_cfg_err Tunnel \"$tunnel\" is already configured in profile \"$prof\"."); + } + } + } + + my $needs_passthrough = 'false'; + my $tunKeyword = 'tunnel ' . 
"$tunnel"; + + my $conn_head = "\tvpnprof-dmvpn-$tunnel {\n"; + $genout .= $conn_head; + + my $lip = $vc->returnValue("interfaces tunnel $tunnel local-ip"); + my $leftsourceip = undef; + + # + # Write IKE configuration from group + # + my $ikelifetime = IKELIFETIME_DEFAULT; + $genout .= "\t\tproposals = "; + my $ike_group = $vcVPN->returnValue("ipsec profile $profile ike-group"); + if ( defined($ike_group) && $ike_group ne '' ) { + my @ike_proposals = $vcVPN->listNodes("ipsec ike-group $ike_group proposal"); + my $first_ike_proposal = 1; + foreach my $ike_proposal (@ike_proposals) { + # + # Get encryption, hash & Diffie-Hellman key size + # + my $encryption = $vcVPN->returnValue("ipsec ike-group $ike_group proposal $ike_proposal encryption"); + my $hash = $vcVPN->returnValue("ipsec ike-group $ike_group proposal $ike_proposal hash"); + my $dh_group = $vcVPN->returnValue("ipsec ike-group $ike_group proposal $ike_proposal dh-group"); + + if ( defined($dh_group) ) { + $dh_disable = 1; + } + + # + # Write separator if not first proposal + # + if ($first_ike_proposal) { + $first_ike_proposal = 0; + } + else { + $genout .= ","; + } + + # + # Write values + # + if ( defined($encryption) && defined($hash) ) { $genout .= "$encryption-$hash"; - } - } - $genout .= "!\n"; - - my $t_esplifetime = - $vcVPN->returnValue("ipsec esp-group $esp_group lifetime"); - if ( defined($t_esplifetime) && $t_esplifetime ne '' ) { - $esplifetime = $t_esplifetime; - } - $genout .= "\tkeylife=$esplifetime" . "s\n"; - - my $lower_lifetime = $ikelifetime; - if ( $esplifetime < $ikelifetime ) { - $lower_lifetime = $esplifetime; - } - - # - # The lifetime values need to be greater than: - # rekeymargin*(100+rekeyfuzz)/100 - # - my $rekeymargin = REKEYMARGIN_DEFAULT; - if ( $lower_lifetime <= ( 2 * $rekeymargin ) ) { - $rekeymargin = int( $lower_lifetime / 2 ) - 1; - } - $genout .= "\trekeymargin=$rekeymargin" . 
"s\n"; - - # - # Mode (tunnel or transport) - # - my $espmode = - $vcVPN->returnValue("ipsec esp-group $esp_group mode"); - if ( !defined($espmode) || $espmode eq '' ) { - $espmode = "tunnel"; - } - $genout .= "\ttype=$espmode\n"; - - # - # Perfect Forward Secrecy - # - my $pfs = $vcVPN->returnValue("ipsec esp-group $esp_group pfs"); - if (defined($pfs)) { - if ( $pfs eq 'enable' && defined($dh_disable) ) { - $genout .= "\tpfs=yes\n"; - } elsif ($pfs eq 'dh-group2') { - $genout .= "\tpfs=yes\n"; - $genout .= "\tpfsgroup=modp1024\n"; - } elsif ($pfs eq 'dh-group5') { - $genout .= "\tpfs=yes\n"; - $genout .= "\tpfsgroup=modp1536\n"; - } elsif ($pfs eq 'dh-group14') { - $genout .= "\tpfs=yes\n"; - $genout .= "\tpfsgroup=modp2048\n"; - } elsif ($pfs eq 'dh-group15') { - $genout .= "\tpfs=yes\n"; - $genout .= "\tpfsgroup=modp3072\n"; - } elsif ($pfs eq 'dh-group16') { - $genout .= "\tpfs=yes\n"; - $genout .= "\tpfsgroup=modp4096\n"; - } elsif ($pfs eq 'dh-group17') { - $genout .= "\tpfs=yes\n"; - $genout .= "\tpfsgroup=modp6144\n"; - } elsif ($pfs eq 'dh-group18') { - $genout .= "\tpfs=yes\n"; - $genout .= "\tpfsgroup=modp8192\n"; - } elsif ($pfs eq 'dh-group19') { - $genout .= "\tpfs=yes\n"; - $genout .= "\tpfsgroup=ecp256\n"; - } elsif ($pfs eq 'dh-group20') { - $genout .= "\tpfs=yes\n"; - $genout .= "\tpfsgroup=ecp384\n"; - } elsif ($pfs eq 'dh-group21') { - $genout .= "\tpfs=yes\n"; - $genout .= "\tpfsgroup=ecp521\n"; - } elsif ($pfs eq 'dh-group22') { - $genout .= "\tpfs=yes\n"; - $genout .= "\tpfsgroup=modp1024s160\n"; - } elsif ($pfs eq 'dh-group23') { - $genout .= "\tpfs=yes\n"; - $genout .= "\tpfsgroup=modp2048s224\n"; - } elsif ($pfs eq 'dh-group24') { - $genout .= "\tpfs=yes\n"; - $genout .= "\tpfsgroup=modp2048s256\n"; - } elsif ($pfs eq 'dh-group25') { - $genout .= "\tpfs=yes\n"; - $genout .= "\tpfsgroup=ecp192\n"; - } elsif ($pfs eq 'dh-group26') { - $genout .= "\tpfs=yes\n"; - $genout .= "\tpfsgroup=ecp224\n"; - } else { - $genout .= "\tpfs=no\n"; - } - } 
- - # - # Compression - # - my $compression = - $vcVPN->returnValue("ipsec esp-group $esp_group compression"); - if ( defined($compression) ) { - if ( $compression eq 'enable' ) { - $genout .= "\tcompress=yes\n"; - } - else { - $genout .= "\tcompress=no\n"; - } - } - } - - # - # Authentication - # - $right = '%any'; - if ( not( $prev_profile eq $profile ) ) { - $genout_secrets .= "\n$lip $right "; - if ( defined($authid) ) { - $genout_secrets .= "$authid "; - } - $genout_secrets .= ": PSK \"$psk\" "; - } - $prev_profile = $profile; - if ( defined($auth_mode) && ( $auth_mode eq 'pre-shared-secret' ) ) - { - $genout .= "\tauthby=secret\n"; - } - - # - # Start automatically - # - if ($any_peer) { - $genout .= "\tauto=add\n"; - $genout .= "\tkeyingtries=%forever\n"; - } - else { - $genout .= "\tauto=start\n"; - } - $genout .= "#$conn_head"; # to identify end of connection definition - # used by clear vpn op-mode command - } - } - + if ( defined($dh_group) ) { + my $cipher_out = get_dh_cipher_result($dh_group); + if ($cipher_out eq 'unknown') { + vpn_die(["vpn","ipsec","profile", $profile,"bind","tunnel", $tunnel],"$vpn_cfg_err Invalid 'dh-group' $dh_group specified in ". + "profile \"$profile\" for $tunKeyword. Only 2, 5, or 14 through 26 accepted.\n"); + } else { + $genout .= "-$cipher_out"; + } + } + } + } + + #why we always set strict mode? + $genout .= "\n"; + + my $t_ikelifetime = $vcVPN->returnValue("ipsec ike-group $ike_group lifetime"); + if ( defined($t_ikelifetime) && $t_ikelifetime ne '' ) { + $ikelifetime = $t_ikelifetime; + } + $genout .= "\t\treauth_time = $ikelifetime" . 
"s\n"; + + # + # Check for Dead Peer Detection DPD + # + my $dpd_interval = $vcVPN->returnValue("ipsec ike-group $ike_group dead-peer-detection interval"); + my $dpd_timeout = $vcVPN->returnValue("ipsec ike-group $ike_group dead-peer-detection timeout"); + my $dpd_action = $vcVPN->returnValue("ipsec ike-group $ike_group dead-peer-detection action"); + if ( defined($dpd_interval) && defined($dpd_timeout) && defined($dpd_action) ) { + $genout .= "\tdpddelay=$dpd_interval" . "s\n"; + $genout .= "\tdpdtimeout=$dpd_timeout" . "s\n"; + $genout .= "\tdpdaction=$dpd_action\n"; + } + } + + $genout .= "\t\tkeyingtries = 0\n"; + + # + # Authentication + # + $genout .="\t\tlocal {\n"; + if ( defined($auth_mode) && ( $auth_mode eq 'pre-shared-secret' ) ) { + $genout .= "\t\t\tauth = psk\n"; + } + $genout .="\t\t}\n"; + $genout .="\t\tremote {\n"; + if ( defined($auth_mode) && ( $auth_mode eq 'pre-shared-secret' ) ) { + $genout .= "\t\t\tauth = psk\n"; + } + $genout .="\t\t}\n"; + + # + # Write ESP configuration from group + # + $genout .="\t\tchildren {\n"; + $genout .="\t\t\tdmvpn {\n"; + my $esplifetime = ESPLIFETIME_DEFAULT; + $genout .= "\t\t\t\tesp_proposals = "; + my $esp_group = $vcVPN->returnValue("ipsec profile $profile esp-group"); + if ( defined($esp_group) && $esp_group ne '' ) { + my @esp_proposals = $vcVPN->listNodes("ipsec esp-group $esp_group proposal"); + my $first_esp_proposal = 1; + foreach my $esp_proposal (@esp_proposals) { + # + # Get encryption, hash + # + my $encryption = $vcVPN->returnValue("ipsec esp-group $esp_group proposal $esp_proposal encryption"); + my $hash = $vcVPN->returnValue("ipsec esp-group $esp_group proposal $esp_proposal hash"); + my $pfs = $vcVPN->returnValue("ipsec esp-group $esp_group pfs"); + + # + # Write separator if not first proposal + # + if ($first_esp_proposal) { + $first_esp_proposal = 0; + } + else { + $genout .= ","; + } + if (defined($pfs)) { + if ($pfs eq 'enable') { + # Get the first IKE group's dh-group and use that as 
our PFS setting + my $default_pfs = $vcVPN->returnValue("ipsec ike-group $ike_group proposal 1 dh-group"); + $pfs = get_dh_cipher_result($default_pfs); + } elsif ($pfs eq 'disable') { + undef $pfs; + } else { + $pfs = get_dh_cipher_result($pfs); + } + } + + # + # Write values + # + if ( defined($encryption) && defined($hash) ) { + $genout .= "$encryption-$hash"; + if (defined($pfs)) { + $genout .= "-$pfs"; + } + } + } + $genout .= "\n"; + + my $t_esplifetime = $vcVPN->returnValue("ipsec esp-group $esp_group lifetime"); + if ( defined($t_esplifetime) && $t_esplifetime ne '' ) { + $esplifetime = $t_esplifetime; + } + $genout .= "\t\t\t\trekey_time=$esplifetime" . "s\n"; + + my $lower_lifetime = $ikelifetime; + if ( $esplifetime < $ikelifetime ) { + $lower_lifetime = $esplifetime; + } + + # + # The lifetime values need to be greater than: + # rekeymargin*(100+rekeyfuzz)/100 + # + my $rekeymargin = REKEYMARGIN_DEFAULT; + if ( $lower_lifetime <= ( 2 * $rekeymargin ) ) { + $rekeymargin = int( $lower_lifetime / 2 ) - 1; + } + $genout .= "\t\t\t\trand_time=$rekeymargin" . 
"s\n"; + + # + # Protocol/port + # + my $protocol = "gre"; + my $lprotoport = ''; + if ( defined($protocol) ) { + $lprotoport .= $protocol; + } + if ( not( $lprotoport eq '' ) ) { + $genout .= "\t\t\t\tlocal_ts = dynamic[$lprotoport]\n"; + } + + my $rprotoport = ''; + if ( defined($protocol) ) { + $rprotoport .= $protocol; + } + if ( not( $rprotoport eq '' ) ) { + $genout .= "\t\t\t\tremote_ts = dynamic[$rprotoport]\n"; + } + + # + # Mode (tunnel or transport) + # + my $espmode = $vcVPN->returnValue("ipsec esp-group $esp_group mode"); + if ( !defined($espmode) || $espmode eq '' ) { + $espmode = "transport"; + } + $genout .= "\t\t\t\tmode = $espmode\n"; + + # + # Compression + # + my $compression = $vcVPN->returnValue("ipsec esp-group $esp_group compression"); + if ( defined($compression) ) { + if ( $compression eq 'enable' ) { + $genout .= "\t\t\t\tipcomp=yes\n"; + } + } + } + + $genout .= "\t\t\t}\n"; + $genout .= "\t\t}\n"; + $genout .= "\t}\n"; # to identify end of connection definition + # used by clear vpn op-mode command + } + } + $genout .= "}\n"; + $genout .= "secrets {\n"; + $genout .= "\tike-dmvpn {\n"; + $genout .= "\t\tsecret = 0sFpZAZqEN6Ti9sqt4ZP5EWcqx\n"; + $genout .= "\t}\n"; + $genout .= "}\n"; } else { - - # - # remove any previous config lines, so that when "clear vpn ipsec-process" - # is called it won't find the vyatta keyword and therefore will not try - # to start the ipsec process. - # - $genout = ''; - $genout .= "# No VPN configuration exists.\n"; - $genout_secrets .= "# No VPN configuration exists.\n"; + # + # remove any previous config lines, so that when "clear vpn ipsec-process" + # is called it won't find the vyatta keyword and therefore will not try + # to start the ipsec process. 
+ # + $genout = ''; + $genout .= "# No VPN configuration exists.\n"; } -if ( - !( - defined($config_file) - && ( $config_file ne '' ) - && defined($secrets_file) - && ( $secrets_file ne '' ) - ) - ) -{ - print "Regular config file output would be:\n\n$genout\n\n"; - print "Secrets config file output would be:\n\n$genout_secrets\n\n"; - exit(0); +if (!(defined($config_file) && ( $config_file ne '' ))) { + print "Regular config file output would be:\n\n$genout\n\n"; + exit(0); } -write_config( $genout, $config_file, $genout_secrets, $secrets_file ); +write_config( $genout, $config_file); my $update_interval = $vcVPN->returnValue("ipsec auto-update"); my $update_interval_orig = $vcVPN->returnOrigValue("ipsec auto-update"); $update_interval_orig = 0 if !defined($update_interval_orig); if ( is_vpn_running() ) { - vpn_exec( 'ipsec rereadall >&/dev/null', 're-read secrets and certs' ); - vpn_exec( 'ipsec update >&/dev/null', 'update changes to ipsec.conf' ); + vpn_exec( 'ipsec rereadall >&/dev/null', 're-read secrets and certs' ); + vpn_exec( 'ipsec reload >&/dev/null', 'reload changes to ipsec.conf' ); + vpn_exec( 'swanctl -q >&/dev/null', 'reload changes to swanctl.conf' ); } else { - if ( !defined($update_interval) ) { - vpn_exec( 'ipsec start >&/dev/null', 'start ipsec' ); - } - else { - vpn_exec( - 'ipsec start --auto-update ' . $update_interval . ' >&/dev/null', - 'start ipsec with auto-update $update_interval' ); - } + if ( !defined($update_interval) ) { + vpn_exec( 'ipsec start >&/dev/null', 'start ipsec' ); + } + else { + vpn_exec( + 'ipsec start --auto-update ' . $update_interval . ' >&/dev/null', + 'start ipsec with auto-update $update_interval' ); + } } # 
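Review bot: The `secrets { ike-dmvpn { secret = 0sFpZAZqEN6Ti9sqt4ZP5EWcqx } }` block appended at the end of the `if ( $vcVPN->exists('ipsec') )` branch hard-codes a single pre-shared key into every swanctl.conf this script writes, while the `$psk` that the profile loop reads and validates from `authentication pre-shared-secret` is never emitted anywhere (the removed code wrote it to ipsec.secrets as `$lip $right $authid : PSK "$psk"`). Anyone who has read this source can therefore authenticate as a DMVPN peer to any router built from it; a later commit in this log is titled "add secret from config to swanctl.conf", but this hunk ships the constant. Collect the per-profile secret inside the loop, where `$psk` is in scope, and emit it after `connections { … }` closes, as sketched below. Separately, the DPD lines still emit ipsec.conf keywords (`\tdpddelay=`, `\tdpdtimeout=`, `\tdpdaction=`) inside the swanctl connection block; I believe swanctl expects `dpd_delay`/`dpd_timeout` in the connection and `dpd_action` in the child, so as written DPD is most likely rejected or ignored when the file is loaded. `$lip` is also computed but no `local_addrs = $lip` is written, so the connection is no longer bound to the tunnel's local address the way the old `left=$lip` was.
```perl
my $secrets_out = '';
# … unchanged: profile loop, IKE/ESP group checks, pre-shared-secret validation …
            $secrets_out .= "\tike-dmvpn-$profile {\n";
            $secrets_out .= "\t\tsecret = \"$psk\"\n";
            $secrets_out .= "\t}\n";
# … unchanged: tunnel loop, closing of connections { … } …
    $genout .= "secrets {\n";
    $genout .= $secrets_out;
    $genout .= "}\n";
```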
@@ -594,101 +424,131 @@ else { exit 0; sub vpn_die { - my ( @path, $msg ) = @_; - Vyatta::Config::outputError( @path, $msg ); - exit 1; + my ( @path, $msg ) = @_; + Vyatta::Config::outputError( @path, $msg ); + exit 1; } sub write_config { - my ( $genout, $config_file, $genout_secrets, $secrets_file ) = @_; - - open my $output_config, '>', $config_file - or die "Can't open $config_file: $!"; - print ${output_config} $genout; - close $output_config; + my ( $genout, $config_file) = @_; - open my $output_secrets, '>', $secrets_file - or die "Can't open $secrets_file: $!"; - print ${output_secrets} $genout_secrets; - close $output_secrets; + open my $output_config, '>', $config_file + or die "Can't open $config_file: $!"; + print ${output_config} $genout; + close $output_config; } sub vpn_exec { - my ( $command, $desc ) = @_; - - open my $logf, '>>', $LOGFILE - or die "Can't open $LOGFILE: $!"; - - use POSIX; - my $timestamp = strftime( "%Y-%m-%d %H:%M.%S", localtime ); - - print ${logf} "$timestamp\nExecuting: $command\nDescription: $desc\n"; - - my $cmd_out = qx($command); - my $rval = ( $? >> 8 ); - print ${logf} "Output:\n$cmd_out\n---\n"; - print ${logf} "Return code: $rval\n"; - if ($rval) { - if ( $command =~ /^ipsec.*--asynchronous$/ - && ( $rval == 104 || $rval == 29 ) ) - { - print ${logf} "OK when bringing up VPN connection\n"; - } - else { - - # - # We use to consider the commit failed if we got a error - # from the call to ipsec, but this causes the configuration - # to not get included in the running config. Now that - # we support dynamic interface/address (e.g. dhcp, pppoe) - # we want a valid config to get committed even if the - # interface doesn't exist yet. That way we can use - # "clear vpn ipsec-process" to bring up the tunnel once - # the interface is instantiated. For pppoe we will add - # a script to /etc/ppp/ip-up.d to bring up the vpn - # tunnel. - # - print ${logf} - "VPN commit error. 
Unable to $desc, received error code $?\n"; - - # - # code 768 is for a syntax error in the secrets file - # this happens when a dhcp interface is configured - # but no address is assigned yet. - # only the line that has the syntax error is not loaded - # So we can safely ignore this error since our code generates - # secrets file. - # - if ( $? ne '768' ) { - print "Warning: unable to [$desc], received error code $?\n"; - print "$cmd_out\n"; - } - } - } - print ${logf} "---\n\n"; - close $logf; + my ( $command, $desc ) = @_; + + open my $logf, '>>', $LOGFILE + or die "Can't open $LOGFILE: $!"; + + use POSIX; + my $timestamp = strftime( "%Y-%m-%d %H:%M.%S", localtime ); + + print ${logf} "$timestamp\nExecuting: $command\nDescription: $desc\n"; + + my $cmd_out = qx($command); + my $rval = ( $? >> 8 ); + print ${logf} "Output:\n$cmd_out\n---\n"; + print ${logf} "Return code: $rval\n"; + if ($rval) { + if ( $command =~ /^ipsec.*--asynchronous$/ && ( $rval == 104 || $rval == 29 ) ) { + print ${logf} "OK when bringing up VPN connection\n"; + } + else { + # + # We use to consider the commit failed if we got a error + # from the call to ipsec, but this causes the configuration + # to not get included in the running config. Now that + # we support dynamic interface/address (e.g. dhcp, pppoe) + # we want a valid config to get committed even if the + # interface doesn't exist yet. That way we can use + # "clear vpn ipsec-process" to bring up the tunnel once + # the interface is instantiated. For pppoe we will add + # a script to /etc/ppp/ip-up.d to bring up the vpn + # tunnel. + # + print ${logf} "VPN commit error. Unable to $desc, received error code $?\n"; + + # + # code 768 is for a syntax error in the secrets file + # this happens when a dhcp interface is configured + # but no address is assigned yet. + # only the line that has the syntax error is not loaded + # So we can safely ignore this error since our code generates + # secrets file. + # + if ( $? 
ne '768' ) { + print "Warning: unable to [$desc], received error code $?\n"; + print "$cmd_out\n"; + } + } + } + print ${logf} "---\n\n"; + close $logf; } sub printTree { - my ( $vc, $path, $depth ) = @_; - - my @children = $vc->listNodes($path); - foreach my $child (@children) { - print ' ' x $depth; - print $child . "\n"; - printTree( $vc, "$path $child", $depth + 1 ); - } + my ( $vc, $path, $depth ) = @_; + + my @children = $vc->listNodes($path); + foreach my $child (@children) { + print ' ' x $depth; + print $child . "\n"; + printTree( $vc, "$path $child", $depth + 1 ); + } } sub printTreeOrig { - my ( $vc, $path, $depth ) = @_; - - my @children = $vc->listOrigNodes($path); - foreach my $child (@children) { - print ' ' x $depth; - print $child . "\n"; - printTreeOrig( $vc, "$path $child", $depth + 1 ); - } + my ( $vc, $path, $depth ) = @_; + + my @children = $vc->listOrigNodes($path); + foreach my $child (@children) { + print ' ' x $depth; + print $child . "\n"; + printTreeOrig( $vc, "$path $child", $depth + 1 ); + } +} + +sub get_dh_cipher_result { + my ($cipher) = @_; + my $ciph_out; + if ($cipher eq '2' || $cipher eq 'dh-group2') { + $ciph_out = 'modp1024'; + } elsif ($cipher eq '5' || $cipher eq 'dh-group5') { + $ciph_out = 'modp1536'; + } elsif ($cipher eq '14' || $cipher eq 'dh-group14') { + $ciph_out = 'modp2048'; + } elsif ($cipher eq '15' || $cipher eq 'dh-group15') { + $ciph_out = 'modp3072'; + } elsif ($cipher eq '16' || $cipher eq 'dh-group16') { + $ciph_out = 'modp4096'; + } elsif ($cipher eq '17' || $cipher eq 'dh-group17') { + $ciph_out = 'modp6144'; + } elsif ($cipher eq '18' || $cipher eq 'dh-group18') { + $ciph_out = 'modp8192'; + } elsif ($cipher eq '19' || $cipher eq 'dh-group19') { + $ciph_out = 'ecp256'; + } elsif ($cipher eq '20' || $cipher eq 'dh-group20') { + $ciph_out = 'ecp384'; + } elsif ($cipher eq '21' || $cipher eq 'dh-group21') { + $ciph_out = 'ecp521'; + } elsif ($cipher eq '22' || $cipher eq 'dh-group22') { + $ciph_out = 
'modp1024s160'; + } elsif ($cipher eq '23' || $cipher eq 'dh-group23') { + $ciph_out = 'modp2048s224'; + } elsif ($cipher eq '24' || $cipher eq 'dh-group24') { + $ciph_out = 'modp2048s256'; + } elsif ($cipher eq '25' || $cipher eq 'dh-group25') { + $ciph_out = 'ecp192'; + } elsif ($cipher eq '26' || $cipher eq 'dh-group26') { + $ciph_out = 'ecp224'; + } else { + $ciph_out = 'unknown'; + } + return $ciph_out; } # end of file -- cgit v1.2.3 From c27d2596db3acd27b8beaded9502cc48afb20c27 Mon Sep 17 00:00:00 2001 From: Kim Hagen Date: Thu, 25 Feb 2016 06:24:54 -0500 Subject: add libcrypt-openssl-rsa-perl dependency --- debian/control | 1 + 1 file changed, 1 insertion(+) diff --git a/debian/control b/debian/control index 605e073..91189e4 100644 --- a/debian/control +++ b/debian/control @@ -11,6 +11,7 @@ Depends: perl, vyatta-cfg (>= 0.15.33), vyatta-bash | bash (>= 3.1), strongswan (>= 5.2), + libcrypt-openssl-rsa-perl, libc6 (>= 2.7-6) Description: VyOS IPsec VPN configuration templates/scripts VyOS IPsec VPN configuration templates and scripts. -- cgit v1.2.3 From ce7363f43a0eedfd42c5df5753ded95f648f0108 Mon Sep 17 00:00:00 2001 From: Kim Hagen Date: Mon, 7 Mar 2016 03:40:54 -0500 Subject: add dependencies needed for dmvpn configuration --- debian/control | 2 ++ 1 file changed, 2 insertions(+) diff --git a/debian/control b/debian/control index 91189e4..81860fb 100644 --- a/debian/control +++ b/debian/control @@ -11,6 +11,8 @@ Depends: perl, vyatta-cfg (>= 0.15.33), vyatta-bash | bash (>= 3.1), strongswan (>= 5.2), + strongswan-libvici (>= 5.2), + strongswan-swanctl (>= 5.2), libcrypt-openssl-rsa-perl, libc6 (>= 2.7-6) Description: VyOS IPsec VPN configuration templates/scripts -- cgit v1.2.3 From b5deaca6cebe4ea23f818e2db9447071a6531c0c Mon Sep 17 00:00:00 2001 
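Review bot: `write_config` now writes the swanctl.conf that, per the earlier hunk of this commit, carries the IKE pre-shared secret, yet it still creates the file with a plain `open my $output_config, '>', $config_file` under whatever umask the commit process has and never checks `close`; ipsec.secrets was the file conventionally kept at mode 0600, swanctl.conf generally is not. Wrap the open with `my $old_umask = umask 077;` and `umask $old_umask;` (or `chmod 0600, $config_file` right after the open), and replace the bare close with `close $output_config or die "Can't write $config_file: $!";` so a short write is not committed silently. The comment in `vpn_exec` stating that return code 768 is "a syntax error in the secrets file ... our code generates secrets file" is now stale, since this script no longer generates a secrets file, so the `$? ne '768'` carve-out that suppresses the warning deserves re-evaluation. The new `get_dh_cipher_result` is a verbatim copy of the one added to vpn-config.pl earlier in this log; moving it into a shared module (Vyatta::VPN::Util is already imported by vpn-config.pl, if that is the right home) would keep the two group tables from drifting.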
From: UnicronNL
Date: Tue, 8 Mar 2016 15:10:21 +0100
Subject: add secret from config to swanctl.conf

---
 scripts/dmvpn-config.pl | 77 ++++++++++++++++++++++++++++++-------------------
 1 file changed, 48 insertions(+), 29 deletions(-)

diff --git a/scripts/dmvpn-config.pl b/scripts/dmvpn-config.pl
index 3bea3ec..5eaa41b 100755
--- a/scripts/dmvpn-config.pl
+++ b/scripts/dmvpn-config.pl
@@ -97,8 +97,6 @@ if ( $vcVPN->exists('ipsec') ) {
 . "\"$profile\" has not been configured.\n");
 }
 
-my $authid = $vcVPN->returnValue("ipsec profile $profile authentication id");
-
 #
 # ESP group
 #
@@ -114,39 +112,46 @@ if ( $vcVPN->exists('ipsec') ) { } # - # Authentication mode - # - # - # Write shared secrets to ipsec.secrets - # + # Authentication mode + # + # + # Write shared secrets to ipsec.secrets + # my $auth_mode = $vcVPN->returnValue("ipsec profile $profile authentication mode"); my $psk = ''; if ( !defined($auth_mode) || $auth_mode eq '' ) { - vpn_die([ "vpn", "ipsec", "profile", $profile, "authentication" ], - "$vpn_cfg_err No authentication mode for profile \"$profile\" specified.\n"); + vpn_die( + [ "vpn", "ipsec", "profile", $profile, "authentication" ], + "$vpn_cfg_err No authentication mode for profile \"$profile\" specified.\n" + ); } elsif ( defined($auth_mode) && ( $auth_mode eq 'pre-shared-secret' ) ) { - $psk = $vcVPN->returnValue("ipsec profile $profile authentication pre-shared-secret"); - my $orig_psk = $vcVPN->returnOrigValue("ipsec profile $profile authentication pre-shared-secret"); + $psk = $vcVPN->returnValue( + "ipsec profile $profile authentication pre-shared-secret"); + my $orig_psk = $vcVPN->returnOrigValue( + "ipsec profile $profile authentication pre-shared-secret"); $orig_psk = "" if ( !defined($orig_psk) ); if ( $psk ne $orig_psk && $orig_psk ne "" ) { print "WARNING: The pre-shared-secret will not be updated until the next re-keying interval\n"; print "To force the key change use: 'reset vpn ipsec-peer'\n"; } if ( !defined($psk) || $psk eq '' ) { - vpn_die([ "vpn", "ipsec", "profile", $profile, "authentication" ], - "$vpn_cfg_err No 'pre-shared-secret' specified for profile \"$profile\"" - . " while 'pre-shared-secret' authentication mode is specified.\n"); + vpn_die( + [ "vpn", "ipsec", "profile", $profile, "authentication" ], + "$vpn_cfg_err No 'pre-shared-secret' specified for profile \"$profile\"" + . 
" while 'pre-shared-secret' authentication mode is specified.\n" + ); } } else { - vpn_die([ "vpn", "ipsec", "profile", $profile, "authentication" ], - "$vpn_cfg_err Unknown/unsupported authentication mode \"$auth_mode\" for profile " - . "\"$profile\" specified.\n"); + vpn_die( + [ "vpn", "ipsec", "profile", $profile, "authentication" ], + "$vpn_cfg_err Unknown/unsupported authentication mode \"$auth_mode\" for profile " + . "\"$profile\" specified.\n" + ); } my @tunnels = $vcVPN->listNodes("ipsec profile $profile bind tunnel"); - foreach my $tunnel (@tunnels) { # # Check whether this tunnel is already in some profile @@ -231,9 +236,9 @@ if ( $vcVPN->exists('ipsec') ) { # Check for Dead Peer Detection DPD # my $dpd_interval = $vcVPN->returnValue("ipsec ike-group $ike_group dead-peer-detection interval"); - my $dpd_timeout = $vcVPN->returnValue("ipsec ike-group $ike_group dead-peer-detection timeout"); - my $dpd_action = $vcVPN->returnValue("ipsec ike-group $ike_group dead-peer-detection action"); - if ( defined($dpd_interval) && defined($dpd_timeout) && defined($dpd_action) ) { + my $dpd_timeout = $vcVPN->returnValue("ipsec ike-group $ike_group dead-peer-detection timeout"); + my $dpd_action = $vcVPN->returnValue("ipsec ike-group $ike_group dead-peer-detection action"); + if ( defined($dpd_interval) && defined($dpd_timeout) && defined($dpd_action) ) { $genout .= "\tdpddelay=$dpd_interval" . "s\n"; $genout .= "\tdpdtimeout=$dpd_timeout" . "s\n"; $genout .= "\tdpdaction=$dpd_action\n"; 
@@ -374,13 +379,28 @@ if ( $vcVPN->exists('ipsec') ) { $genout .= "\t}\n"; # to identify end of connection definition # used by clear vpn op-mode command } + $genout .= "}\n"; + $genout .= "secrets {\n"; + my @tunnels = $vcVPN->listNodes("ipsec profile $profile bind tunnel"); + foreach my $tunnel (@tunnels) { + # + # Check whether this tunnel is already in some profile + # + foreach my $prof (@profiles) { + if ( $prof != $profile ) { + if ($vcVPN->exists("ipsec profile $prof bind tunnel $tunnel")){ + vpn_die(["vpn", "ipsec", "profile", $profile,"bind", "tunnel", $tunnel], + "$vpn_cfg_err Tunnel \"$tunnel\" is already configured in profile \"$prof\"."); + } + } + } + my $ike_id = "\tike-dmvpn-$tunnel {\n"; + $genout .= $ike_id; + $genout .= "\t\tsecret = $psk\n"; + $genout .= "\t}\n"; + } + $genout .= "}\n"; } - $genout .= "}\n"; - $genout .= "secrets {\n"; - $genout .= "\tike-dmvpn {\n"; - $genout .= "\t\tsecret = 0sFpZAZqEN6Ti9sqt4ZP5EWcqx\n"; - $genout .= "\t}\n"; - $genout .= "}\n"; } else { # @@ -533,7 +553,7 @@ sub get_dh_cipher_result { $ciph_out = 'ecp256'; } elsif ($cipher eq '20' || $cipher eq 'dh-group20') { $ciph_out = 'ecp384'; - } elsif ($cipher eq '21' || $cipher eq 'dh-group21') { + } elsif ($cipher eq '21' || $cipher eq 'dh-group21') { $ciph_out = 'ecp521'; } elsif ($cipher eq '22' || $cipher eq 'dh-group22') { $ciph_out = 'modp1024s160'; @@ -550,5 +570,4 @@ sub get_dh_cipher_result { } return $ciph_out; } - # end of file -- cgit v1.2.3 From 82b5e5a3763affe18d77f707f614ccc56d0c84d6 Mon Sep 17 00:00:00 2001 From: UnicronNL Date: Wed, 16 Mar 2016 11:02:26 +0100 Subject: use 'dh-group' for first ike proposal enable config for dead peer detection --- scripts/dmvpn-config.pl | 111 +++++++++++++++++++++++++++++++++++++----------- 1 file changed, 86 insertions(+), 25 deletions(-) diff --git a/scripts/dmvpn-config.pl b/scripts/dmvpn-config.pl index 5eaa41b..5052211 100755 --- a/scripts/dmvpn-config.pl +++ b/scripts/dmvpn-config.pl 
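Review bot: The duplicate-binding check in the new `secrets` loop compares profile names with `!=`, a numeric comparison; for non-numeric profile names both sides evaluate to 0, so `$prof != $profile` is never true, the `vpn_die` for a tunnel bound in two profiles cannot fire, and `use warnings` reports "isn't numeric" on every iteration. Use `if ( $prof ne $profile ) {`. The same tunnel loop already runs earlier in the file (hunk at -114), so this copy could be reduced to the `ike-dmvpn-$tunnel { secret = ... }` emission. Replacing the committed literal secret with the configured PSK is the right change; writing it as `$genout .= "\t\tsecret = \"$psk\"\n";` would keep a PSK containing spaces or `#` from breaking the swanctl.conf syntax, provided the targeted strongSwan version's config parser accepts quoted values. The enclosing `if` and profile loop begin outside the hunk.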
@@ -112,11 +112,11 @@ if ( $vcVPN->exists('ipsec') ) { } # - # Authentication mode - # - # - # Write shared secrets to ipsec.secrets - # + # Authentication mode + # + # + # Write shared secrets to ipsec.secrets + # my $auth_mode = $vcVPN->returnValue("ipsec profile $profile authentication mode"); my $psk = ''; if ( !defined($auth_mode) || $auth_mode eq '' ) { @@ -125,11 +125,9 @@ if ( $vcVPN->exists('ipsec') ) { "$vpn_cfg_err No authentication mode for profile \"$profile\" specified.\n" ); } - elsif ( defined($auth_mode) && ( $auth_mode eq 'pre-shared-secret' ) ) { - $psk = $vcVPN->returnValue( - "ipsec profile $profile authentication pre-shared-secret"); - my $orig_psk = $vcVPN->returnOrigValue( - "ipsec profile $profile authentication pre-shared-secret"); + elsif ( defined($auth_mode) && ( $auth_mode eq 'pre-shared-secret' ) ) { + $psk = $vcVPN->returnValue("ipsec profile $profile authentication pre-shared-secret"); + my $orig_psk = $vcVPN->returnOrigValue("ipsec profile $profile authentication pre-shared-secret"); $orig_psk = "" if ( !defined($orig_psk) ); if ( $psk ne $orig_psk && $orig_psk ne "" ) { print "WARNING: The pre-shared-secret will not be updated until the next re-keying interval\n"; @@ -158,7 +156,7 @@ if ( $vcVPN->exists('ipsec') ) { # foreach my $prof (@profiles) { if ( $prof != $profile ) { - if ($vcVPN->exists("ipsec profile $prof bind tunnel $tunnel")) + if ( $vcVPN->exists("ipsec profile $prof bind tunnel $tunnel") ) { vpn_die(["vpn", "ipsec", "profile", $profile,"bind", "tunnel", $tunnel], "$vpn_cfg_err Tunnel \"$tunnel\" is already configured in profile \"$prof\"."); 
@@ -200,6 +198,10 @@ if ( $vcVPN->exists('ipsec') ) { # Write separator if not first proposal # if ($first_ike_proposal) { + if ( !defined($dh_group) ) { + vpn_die(["vpn","ipsec","profile", $profile,"bind","tunnel", $tunnel],"$vpn_cfg_err 'dh-group' must be specified in ". + "ike-group \"$ike_group\" proposal \"$ike_proposal\" dh-group. \n"); + } $first_ike_proposal = 0; } else { @@ -210,7 +212,7 @@ if ( $vcVPN->exists('ipsec') ) { # Write values # if ( defined($encryption) && defined($hash) ) { - $genout .= "$encryption-$hash"; + $genout .= "$encryption-$hash"; if ( defined($dh_group) ) { my $cipher_out = get_dh_cipher_result($dh_group); if ($cipher_out eq 'unknown') { 
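Review bot: The new `vpn_die` for a missing dh-group reports the error at `vpn ipsec profile $profile bind tunnel $tunnel`, but the node that is actually missing is `ike-group $ike_group proposal $ike_proposal dh-group`; passing `["vpn","ipsec","ike-group",$ike_group,"proposal",$ike_proposal,"dh-group"]` points the operator at the node they must set (the PFS check added at -294 has the same mismatch). The message also carries a stray space before `\n`. Since only the first proposal is checked, a one-line comment such as `# only the first proposal is required to specify dh-group` records the intent. The enclosing proposal loop starts outside the hunk.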
@@ -222,15 +224,59 @@ if ( $vcVPN->exists('ipsec') ) { } } } - - #why we always set strict mode? $genout .= "\n"; + + # + # Get IKE version setting + # + my $key_exchange = $vcVPN->returnValue("ipsec ike-group $ike_group key-exchange"); + if ( defined($key_exchange) ) { + if ( $key_exchange eq 'ikev1' ) { + $genout .= "\t\tversion = 1\n"; + } + if ( $key_exchange eq 'ikev2' ) { + $genout .= "\t\tversion = 2\n"; + } + }else { + $genout .= "\t\tversion = 0\n"; + } + # + # Get ikev2-reauth configuration + # Check IKE Lifetime + # + my $ikev2_group_reauth = $vcVPN->returnValue("ipsec ike-group $ike_group ikev2-reauth"); my $t_ikelifetime = $vcVPN->returnValue("ipsec ike-group $ike_group lifetime"); if ( defined($t_ikelifetime) && $t_ikelifetime ne '' ) { $ikelifetime = $t_ikelifetime; } - $genout .= "\t\treauth_time = $ikelifetime" . "s\n"; + if ( defined($ikev2_group_reauth) ) { + if ( $ikev2_group_reauth eq 'yes' && defined($ikelifetime) ) { + $genout .= "\t\treauth_time = $ikelifetime" . "s\n"; + }else { + $genout .= "\t\trekey_time = $ikelifetime" . "s\n"; + } + } else { + $genout .= "\t\trekey_time = $ikelifetime" . "s\n"; + } + + # + # Allow the user to disable MOBIKE for IKEv2 connections + # + my $mob_ike = $vcVPN->returnValue("ipsec ike-group $ike_group mobike"); + + if (defined($mob_ike)) { + if (defined($key_exchange) && $key_exchange eq 'ikev2') { + if ($mob_ike eq 'enable') { + $genout .= "\t\tmobike = yes"; + } + if ($mob_ike eq 'disable') { + $genout .= "\t\tmobike = no"; + } + }else { + $genout .= "\t\tmobike = no"; + } + } # # Check for Dead Peer Detection DPD 
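Review bot: The three `mobike` assignments are appended without a trailing newline (`$genout .= "\t\tmobike = yes";` and both `mobike = no` lines), so the next emitted key — the `dpd_delay` line from the following section — is glued onto the same line of the generated swanctl.conf and the connection will not parse as intended; write `$genout .= "\t\tmobike = yes\n";` and likewise for the other two. If `version = 0` in the fallback branch is meant to let strongSwan accept either IKE version, say so in a comment rather than leaving a bare 0. `}else {` appears three times in this hunk while the surrounding code uses `} else {`. The enclosing connection block starts and ends outside the hunk.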
@@ -238,10 +284,9 @@ if ( $vcVPN->exists('ipsec') ) { my $dpd_interval = $vcVPN->returnValue("ipsec ike-group $ike_group dead-peer-detection interval"); my $dpd_timeout = $vcVPN->returnValue("ipsec ike-group $ike_group dead-peer-detection timeout"); my $dpd_action = $vcVPN->returnValue("ipsec ike-group $ike_group dead-peer-detection action"); - if ( defined($dpd_interval) && defined($dpd_timeout) && defined($dpd_action) ) { - $genout .= "\tdpddelay=$dpd_interval" . "s\n"; - $genout .= "\tdpdtimeout=$dpd_timeout" . "s\n"; - $genout .= "\tdpdaction=$dpd_action\n"; + if ( defined($dpd_interval) && defined($dpd_timeout) && defined($dpd_action) ) { + $genout .= "\t\tdpd_delay = $dpd_interval" . "s\n"; + $genout .= "\t\tdpd_timeou = $dpd_timeout" . "s\n"; } } @@ -294,6 +339,10 @@ if ( $vcVPN->exists('ipsec') ) { # Get the first IKE group's dh-group and use that as our PFS setting my $default_pfs = $vcVPN->returnValue("ipsec ike-group $ike_group proposal 1 dh-group"); $pfs = get_dh_cipher_result($default_pfs); + if ( !defined($default_pfs) && $pfs eq 'unknown' ) { + vpn_die(["vpn","ipsec","profile", $profile,"bind","tunnel", $tunnel],"$vpn_cfg_err 'pfs enabled' needs 'dh-group' specified in ". + "ike-group \"$ike_group\" proposal 1 dh-group. \n"); + } } elsif ($pfs eq 'disable') { undef $pfs; } else { 
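Review bot: The DPD timeout key is misspelled: `$genout .= "\t\tdpd_timeou = $dpd_timeout" . "s\n";` emits `dpd_timeou`, which strongSwan does not recognise, so the configured timeout is silently ignored; it should be `$genout .= "\t\tdpd_timeout = $dpd_timeout" . "s\n";`. Dropping `dpdaction` here is consistent with the child-level `dpd_action` added at -362, and a comment `# dpd_action belongs to the child section, see below` would keep it from being re-added. In the PFS hunk at -294, `get_dh_cipher_result($default_pfs)` runs before the `!defined($default_pfs)` test, so an undefined value reaches the `eq` comparisons in that helper and triggers uninitialised-value warnings; test `defined` first and skip the call. Both hunks sit inside blocks that begin outside this view.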
@@ -317,23 +366,23 @@ if ( $vcVPN->exists('ipsec') ) { if ( defined($t_esplifetime) && $t_esplifetime ne '' ) { $esplifetime = $t_esplifetime; } - $genout .= "\t\t\t\trekey_time=$esplifetime" . "s\n"; + $genout .= "\t\t\t\trekey_time = $esplifetime" . "s\n"; my $lower_lifetime = $ikelifetime; if ( $esplifetime < $ikelifetime ) { $lower_lifetime = $esplifetime; } - + # # The lifetime values need to be greater than: # rekeymargin*(100+rekeyfuzz)/100 # my $rekeymargin = REKEYMARGIN_DEFAULT; - if ( $lower_lifetime <= ( 2 * $rekeymargin ) ) { - $rekeymargin = int( $lower_lifetime / 2 ) - 1; + if ($lower_lifetime <= (2 * $rekeymargin)) { + $rekeymargin = int($lower_lifetime / 2) - 1; } - $genout .= "\t\t\t\trand_time=$rekeymargin" . "s\n"; - + $genout .= "\t\t\t\trand_time = $rekeymargin" . "s\n"; + # # Protocol/port # @@ -362,6 +411,18 @@ if ( $vcVPN->exists('ipsec') ) { $espmode = "transport"; } $genout .= "\t\t\t\tmode = $espmode\n"; + + # + # Check for Dead Peer Detection DPD + # + my $dpd_interval = $vcVPN->returnValue("ipsec ike-group $ike_group dead-peer-detection interval"); + my $dpd_timeout = $vcVPN->returnValue("ipsec ike-group $ike_group dead-peer-detection timeout"); + my $dpd_action = $vcVPN->returnValue("ipsec ike-group $ike_group dead-peer-detection action"); + if ( defined($dpd_interval) && defined($dpd_timeout) && defined($dpd_action) ) { + + $genout .= "\t\t\t\tdpd_action = $dpd_action\n"; + } + # # Compression -- cgit v1.2.3 From 7308178f1b9925064b728a53d79bbdcaef6eaf20 Mon Sep 17 00:00:00 2001 From: UnicronNL Date: Wed, 23 Mar 2016 13:10:43 +0100 Subject: load swanctl configuration on ipsec start --- scripts/dmvpn-config.pl | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/scripts/dmvpn-config.pl b/scripts/dmvpn-config.pl index 5052211..6fa180d 100755 --- a/scripts/dmvpn-config.pl +++ b/scripts/dmvpn-config.pl 
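Review bot: In the child-section DPD block only `$dpd_action` is written, yet `$dpd_interval` and `$dpd_timeout` are fetched again and required to be defined, so the two extra `returnValue` calls are dead reads; either gate on `defined($dpd_action)` alone, or add `# delay/timeout are emitted in the connection section; only the action is child-level` to explain why all three are still required, and remove the blank line inside the `if`. If these `my` declarations share a scope with the same-named ones in the connection section, `use warnings` will report the redeclaration. The enclosing child block starts outside the hunk.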
@@ -491,11 +491,35 @@ if ( is_vpn_running() ) { else { if ( !defined($update_interval) ) { vpn_exec( 'ipsec start >&/dev/null', 'start ipsec' ); + my $counter = 10; + while($counter > 0){ + if (-e "/var/run/charon.pid") { + vpn_exec( 'swanctl -q >&/dev/null', 'reload changes to swanctl.conf' ); + last; + } + $counter--; + sleep(1); + if($counter == 0){ + vpn_die("$vpn_cfg_err Ipsec is not running."); + } + } } else { vpn_exec( 'ipsec start --auto-update ' . $update_interval . ' >&/dev/null', 'start ipsec with auto-update $update_interval' ); + my $counter = 10; + while($counter > 0){ + if (-e "/var/run/charon.pid") { + vpn_exec( 'swanctl -q >&/dev/null', 'reload changes to swanctl.conf' ); + last; + } + $counter--; + sleep(1); + if($counter == 0){ + vpn_die("$vpn_cfg_err Ipsec is not running."); + } + } } } -- cgit v1.2.3 From 0ff779958f9c8951bb7e3e866ca52bc70b470fa9 Mon Sep 17 00:00:00 2001 From: Paul Gear Date: Thu, 2 Mar 2017 22:26:34 +1000 Subject: Add missingok to logrotate for ipsec If this is not present, it causes hourly messages in /var/log/messages like this: Mar 2 19:17:01 vyos /USR/SBIN/CRON[9140]: (root) CMD ( cd / && run-parts --report /etc/cron.hourly) Mar 2 19:17:01 vyos /USR/SBIN/CRON[9138]: (CRON) error (grandchild #9140 failed with exit status 1) Mar 2 19:17:01 vyos /USR/SBIN/CRON[9138]: (CRON) info (No MTA installed, discarding output) This is because cron wants to produce output like the following when ipsec.log is not present: /etc/cron.hourly/vyatta-logrotate-hourly: error: stat of /var/log/vyatta/ipsec.log failed: No such file or directory run-parts: /etc/cron.hourly/vyatta-logrotate-hourly exited with return code 1 --- etc/logrotate.d/vyatta-ipsec-logs | 1 + 1 file changed, 1 insertion(+) diff --git a/etc/logrotate.d/vyatta-ipsec-logs b/etc/logrotate.d/vyatta-ipsec-logs index fe3c83d..bc4caa5 100644 --- a/etc/logrotate.d/vyatta-ipsec-logs +++ b/etc/logrotate.d/vyatta-ipsec-logs 
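Review bot: The ten-second wait for `/var/run/charon.pid` followed by `swanctl -q` is pasted twice, once per `ipsec start` branch, and both copies call `vpn_die` with a single string while every other call in this file passes a config-path arrayref first (`vpn_die([...], "...")`), so the error path likely misbehaves if `vpn_die` indexes its arguments. Move the loop into a helper and call it once from each branch. Presence of the pid file only shows the daemon process exists, not that its control socket is ready to accept `swanctl -q`; if `vpn_exec` does not fail hard on a non-zero exit, the load can be skipped silently, so its result deserves a check. The enclosing `else` branch begins outside the hunk.
```perl
# … unchanged: vpn_exec( 'ipsec start >&/dev/null', 'start ipsec' ); …
wait_for_charon_and_load(10);
# … unchanged: else branch with 'ipsec start --auto-update' …
wait_for_charon_and_load(10);

# Poll for the charon pid file for up to $tries seconds, then load
# swanctl.conf; report through vpn_die if the daemon never appears.
sub wait_for_charon_and_load {
    my ($tries) = @_;
    while ( $tries-- > 0 ) {
        if ( -e "/var/run/charon.pid" ) {
            vpn_exec( 'swanctl -q >&/dev/null', 'reload changes to swanctl.conf' );
            return;
        }
        sleep(1);
    }
    vpn_die( [ "vpn", "ipsec" ], "$vpn_cfg_err Ipsec is not running." );
}
```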
@@ -1,5 +1,6 @@ /var/log/vyatta/ipsec.log { + missingok nocompress size 1M rotate 2 -- cgit v1.2.3 From 4e78db594120375843a981eae43d87edc873177a Mon Sep 17 00:00:00 2001 From: Sylvain Munaut Date: Thu, 23 Mar 2017 22:16:18 +0100 Subject: Fix VTI interface configuration to set both ikey and okey Without this, the outgoing traffic is marked and encrypted but incoming traffic isn't properly forwarded to the VTI and just gets dropped. Partially Fixes T137 Signed-off-by: Sylvain Munaut --- lib/Vyatta/VPN/vtiIntf.pm | 2 +- scripts/vyatta-vti-config.pl | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/lib/Vyatta/VPN/vtiIntf.pm b/lib/Vyatta/VPN/vtiIntf.pm index daec058..4e52fff 100755 --- a/lib/Vyatta/VPN/vtiIntf.pm +++ b/lib/Vyatta/VPN/vtiIntf.pm @@ -70,7 +70,7 @@ sub parseVtiTun { if ($tunop =~ m/local ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)/) { $local = $1; } - if ($tunop =~ m/okey ([0-9\.]+)/) { + if ($tunop =~ m/key ([0-9\.]+)/) { $mark = $1; } return($remote, $local, $tunName, $mark); diff --git a/scripts/vyatta-vti-config.pl b/scripts/vyatta-vti-config.pl index fbfad64..81abf97 100755 --- a/scripts/vyatta-vti-config.pl +++ b/scripts/vyatta-vti-config.pl @@ -25,7 +25,7 @@ # # For each VTI tunnel (vpn ipsec site-to-site peer ip-address sti); find the vti tunnel, local address, mark. # Find the corresponding tunnel (interfaces vti vtiXXX), tunnel address, disable, mtu -# if not configured: ip tunnel add vtiXXX mode esp local $local remote $remote i_key $mark +# if not configured: ip tunnel add vtiXXX mode esp local $local remote $remote ikey $mark okey $mark # if (mtu): configure mtu # if (tunnel-addres): configur ip link vtiXXX address # if (!disable): enable the interface. 
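Review bot: `m/key ([0-9\.]+)/` in `parseVtiTun` is now unanchored at the front, so it matches the first of `ikey`/`okey` in the tunnel listing and also any other token ending in `key`. That is only safe because the companion change in vyatta-vti-config.pl sets both keys to the same mark; make the intent explicit with `m/\b[io]key ([0-9\.]+)/` and a comment `# ikey and okey are always set to the same mark, so either one yields it`. `parseVtiTun` begins outside the hunk.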
@@ -207,7 +207,7 @@ foreach my $peer (@peers) { # By default we delete the tunnel... my $genmark = $mark; $gencmds .= "sudo /sbin/ip link delete $tunName type vti &> /dev/null\n"; - $gencmds .= "sudo /sbin/ip link add $tunName type vti local $lip remote $peer okey $genmark\n"; + $gencmds .= "sudo /sbin/ip link add $tunName type vti local $lip remote $peer okey $genmark ikey $genmark\n"; foreach my $tunIP (@tunIPs) { $gencmds .= "sudo /sbin/ip addr add $tunIP dev $tunName\n"; } -- cgit v1.2.3 From ff15bdcdeda459bb7cf5de450d02ea2cee53041c Mon Sep 17 00:00:00 2001 From: Daniil Baturin Date: Fri, 13 Oct 2017 01:35:59 +0200 Subject: T423: use listNodes rather than listActiveNodes to enable completion for uncommited IKE and ESP groups. --- .../vpn/ipsec/site-to-site/peer/node.tag/default-esp-group/node.def | 2 +- templates/vpn/ipsec/site-to-site/peer/node.tag/ike-group/node.def | 2 +- .../ipsec/site-to-site/peer/node.tag/tunnel/node.tag/esp-group/node.def | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/templates/vpn/ipsec/site-to-site/peer/node.tag/default-esp-group/node.def b/templates/vpn/ipsec/site-to-site/peer/node.tag/default-esp-group/node.def index f754c32..d389bab 100644 --- a/templates/vpn/ipsec/site-to-site/peer/node.tag/default-esp-group/node.def +++ b/templates/vpn/ipsec/site-to-site/peer/node.tag/default-esp-group/node.def @@ -1,4 +1,4 @@ help: Defult ESP group name type: txt -allowed: cli-shell-api listActiveNodes vpn ipsec esp-group +allowed: cli-shell-api listNodes vpn ipsec esp-group diff --git a/templates/vpn/ipsec/site-to-site/peer/node.tag/ike-group/node.def b/templates/vpn/ipsec/site-to-site/peer/node.tag/ike-group/node.def index 343f1fb..146805c 100644 --- a/templates/vpn/ipsec/site-to-site/peer/node.tag/ike-group/node.def +++ b/templates/vpn/ipsec/site-to-site/peer/node.tag/ike-group/node.def 
@@ -1,3 +1,3 @@ help: Internet Key Exchange (IKE) group name [REQUIRED] type: txt -allowed: cli-shell-api listActiveNodes vpn ipsec ike-group +allowed: cli-shell-api listNodes vpn ipsec ike-group diff --git a/templates/vpn/ipsec/site-to-site/peer/node.tag/tunnel/node.tag/esp-group/node.def b/templates/vpn/ipsec/site-to-site/peer/node.tag/tunnel/node.tag/esp-group/node.def index d773b96..16300c5 100644 --- a/templates/vpn/ipsec/site-to-site/peer/node.tag/tunnel/node.tag/esp-group/node.def +++ b/templates/vpn/ipsec/site-to-site/peer/node.tag/tunnel/node.tag/esp-group/node.def @@ -1,3 +1,3 @@ help: ESP group name type: txt -allowed: cli-shell-api listActiveNodes vpn ipsec esp-group +allowed: cli-shell-api listNodes vpn ipsec esp-group -- cgit v1.2.3 From 60960c1c891d99d2fe10aa0daa5367e31833cb25 Mon Sep 17 00:00:00 2001 From: Taniadz Date: Tue, 24 Oct 2017 11:48:36 +0300 Subject: T126: charon listening on ALL interfaces --- scripts/vpn-config.pl | 51 ++++++++++++++++++++++++++++++++++++--------------- 1 file changed, 36 insertions(+), 15 deletions(-) diff --git a/scripts/vpn-config.pl b/scripts/vpn-config.pl index 75d0e91..c1348ed 100755 --- a/scripts/vpn-config.pl +++ b/scripts/vpn-config.pl @@ -52,12 +52,14 @@ my $CRL_PATH = '/etc/ipsec.d/crls'; my $SERVER_CERT_PATH = '/etc/ipsec.d/certs'; my $SERVER_KEY_PATH = '/etc/ipsec.d/private'; my $LOGFILE = '/var/log/vyatta/ipsec.log'; +my $STRONGSWAN = '/etc/strongswan.d/interfaces_use.conf'; my $vpn_cfg_err = "VPN configuration error:"; my $clustering_ip = 0; my $dhcp_if = 0; my $genout; my $genout_secrets; +my $interfaces_use; my %key_file_list; my %public_keys; @@ -67,6 +69,7 @@ my $using_klips = 0; $genout .= "# generated by $0\n\n"; $genout_secrets .= "# generated by $0\n\n"; +$interfaces_use .= "# generated by $0\n\n"; # # Prepare Vyatta::Config object 
@@ -215,15 +218,23 @@ if ($vcVPN->exists('ipsec')) { # Configuration of system wide options # $genout .= "config setup\n"; + $interfaces_use .= "charon {\n\t"; # # Interfaces # my @interfaces = $vcVPN->returnValues('ipsec ipsec-interfaces interface'); - if (@interfaces == 0) { - #*THIS CHECK'S ALSO USED BY OP-MODE CMNDS TO CHECK IF IPSEC IS CONFIGURED*# - vpn_die(["vpn", "ipsec","ipsec-interfaces"],"$vpn_cfg_err No IPSEC interfaces specified.\n"); - } else { + if (scalar(@interfaces) > 0) { + + $interfaces_use .= "interfaces_use = "; + foreach my $interface (@interfaces) { + if (!(-d "/sys/class/net/$interface")) { + next; + } + $interfaces_use .= "$interface, "; + } + $interfaces_use .= "\n}"; + # We need to generate an "interfaces=..." entry in the setup section # only if the underlying IPsec kernel code we are using is KLIPS. # If we are using NETKEY, the "interfaces=..." entry is essentially @@ -249,7 +260,8 @@ if ($vcVPN->exists('ipsec')) { $genout .= '%defaultroute'; } $genout .= "\"\n"; - } else { + } + else { my $counter = 0; $genout .= "\t"; if (hasLocalWildcard($vcVPN, 0)) { @@ -261,11 +273,14 @@ if ($vcVPN->exists('ipsec')) { ++$counter; } $genout .= '%defaultroute"'; - } else { + } + else { $genout .= 'interfaces="%none"'; } $genout .= "\n"; + } + } # @@ -785,7 +800,7 @@ if ($vcVPN->exists('ipsec')) { if (defined($aggressive_mode)) { if (defined($key_exchange) && $key_exchange eq 'ikev2') { vpn_die(["vpn","ipsec","ike-group", $ike_group, "mode"], "$vpn_cfg_err Selection of Main/Aggressive modes is only valid for IKEv1 configurations"); - } + } if ($aggressive_mode eq 'aggressive') { $genout .= "\taggressive=yes\n"; } else { @@ -812,7 +827,7 @@ if ($vcVPN->exists('ipsec')) { $genout .= "\tdpdtimeout=$dpd_timeout" . "s\n"; $genout .= "\tdpdaction=$dpd_action\n"; } - + # # Allow the user for force UDP encapsulation for the ESP # payload. @@ -1134,7 +1149,7 @@ if ($vcVPN->exists('ipsec')) { } } } - + # # Include a custom configuration file # 
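Review bot: `$interfaces_use .= "charon {\n\t";` is appended unconditionally, but the closing `"\n}"` is only appended inside `if (scalar(@interfaces) > 0)`, so with no `ipsec-interfaces` configured the generated `/etc/strongswan.d/interfaces_use.conf` is an unterminated `charon {` block. The list itself is built with `.= "$interface, "`, leaving a trailing `, ` before the newline; collect the interfaces that pass the `-d "/sys/class/net/$interface"` test into an array and emit `join(', ', @present)`. Removing the `vpn_die` on an empty interface list changes behaviour that the deleted comment says op-mode commands rely on, so that dependency needs a replacement or a note in the commit message. A non-existent interface is also skipped silently; a warning naming it would help the operator. The enclosing `if ($vcVPN->exists('ipsec'))` block begins outside the hunk.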
@@ -1147,7 +1162,7 @@ if ($vcVPN->exists('ipsec')) { $genout .= "\ninclude $custom_include\n"; } if (defined($custom_secrets)) { - if ( ! -e $custom_secrets) { + if ( ! -e $custom_secrets) { vpn_die(["vpn","ipsec","include-ipsec-secrets"],"$vpn_cfg_err The specified file for inclusion inside ipsec.secrets does not exist."); } $genout_secrets .= "\ninclude $custom_secrets\n"; @@ -1185,13 +1200,13 @@ if ( $vcVPN->isDeleted('.') if (!enableICMP('1')) { vpn_die(["vpn","ipsec"],"VPN commit error. Unable to re-enable ICMP redirects.\n"); } - write_config($genout, $config_file, $genout_secrets, $secrets_file, $dhcp_if, %public_keys); + write_config($genout, $interfaces_use, $STRONGSWAN, $config_file, $genout_secrets, $secrets_file, $dhcp_if, %public_keys); } else { if (!enableICMP('0')) { vpn_die(["vpn","ipsec"],"VPN commit error. Unable to disable ICMP redirects.\n"); } - write_config($genout, $config_file, $genout_secrets, $secrets_file, $dhcp_if, %public_keys); + write_config($genout, $interfaces_use, $STRONGSWAN, $config_file, $genout_secrets, $secrets_file, $dhcp_if, %public_keys); # Assumming that if there was a local IP missmatch and clustering is enabled, # then the clustering scripts will take care of starting the VPN daemon. @@ -1226,7 +1241,7 @@ if ( $vcVPN->isDeleted('.') foreach my $tunnel (@tunnel_cfg_old) { push (@old_tunnels, $tunnel) unless exists $seen{$tunnel}; } - + # Issue an ipsec down on the old tunnel since charon doesn't clean up # connections removed from ipsec.conf foreach my $old_peer (@old_tunnels) { @@ -1247,7 +1262,7 @@ if ( $vcVPN->isDeleted('.') vpn_exec('ipsec start --auto-update '.$update_interval.' >&/dev/null','start ipsec with auto-update $update_interval'); } } - + # Activate any debugging options by # calling ipsec stroke loglevel my @logmodes = $vcVPN->returnValues('ipsec logging log-modes'); 
@@ -1280,13 +1295,19 @@ sub vpn_die { } sub write_config { - my ($genout, $config_file, $genout_secrets, $secrets_file, $dhcp_if, %public_keys) = @_; + my ($genout, $interfaces_use, $STRONGSWAN, $config_file, $genout_secrets, $secrets_file, $dhcp_if, %public_keys) = @_; open my $output_config, '>', $config_file or die "Can't open $config_file: $!"; print ${output_config} $genout; close $output_config; + + open my $strong_config, '>', $STRONGSWAN + or die "Can't open $STRONGSWAN: $!"; + print ${strong_config} $interfaces_use; + close $strong_config; + my @lines = split("\n", $genout_secrets); my @any = grep(/%any/, @lines); if (scalar(@any) > 0) { -- cgit v1.2.3 From 55d30fb7a0cf3e794cacef8210590297c37373c2 Mon Sep 17 00:00:00 2001 From: Taniadz Date: Wed, 25 Oct 2017 14:42:41 +0300 Subject: T126: charon listening on ALL interfaces( fix the style issues) --- scripts/vpn-config.pl | 22 ++++++++++++---------- 1 file changed, 12 insertions(+), 10 deletions(-) diff --git a/scripts/vpn-config.pl b/scripts/vpn-config.pl index c1348ed..b6f3b5d 100755 --- a/scripts/vpn-config.pl +++ b/scripts/vpn-config.pl @@ -52,7 +52,7 @@ my $CRL_PATH = '/etc/ipsec.d/crls'; my $SERVER_CERT_PATH = '/etc/ipsec.d/certs'; my $SERVER_KEY_PATH = '/etc/ipsec.d/private'; my $LOGFILE = '/var/log/vyatta/ipsec.log'; -my $STRONGSWAN = '/etc/strongswan.d/interfaces_use.conf'; +my $STRONGSWAN_INTF_CONFIG = '/etc/strongswan.d/interfaces_use.conf'; my $vpn_cfg_err = "VPN configuration error:"; my $clustering_ip = 0; @@ -218,7 +218,7 @@ if ($vcVPN->exists('ipsec')) { # Configuration of system wide options # $genout .= "config setup\n"; - $interfaces_use .= "charon {\n\t"; + # # Interfaces 
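Review bot: `close $strong_config;` is unchecked, so a failed flush to `$STRONGSWAN` (read-only or full filesystem) passes silently and charon can start with a truncated `interfaces_use` setting; use `close $strong_config or die "Can't close $STRONGSWAN: $!";` (the pre-existing `close $output_config` has the same gap). The new `open` is split across two lines while the `$config_file` open a few lines up is on one; match one style. Passing `$STRONGSWAN` through `write_config`'s argument list shadows the file-scoped `my $STRONGSWAN` added at -52 with a same-named parameter; either read the file-scoped variable directly or name the parameter differently. The tail of `write_config` lies outside the hunk.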
@@ -226,10 +226,10 @@ if ($vcVPN->exists('ipsec')) { my @interfaces = $vcVPN->returnValues('ipsec ipsec-interfaces interface'); if (scalar(@interfaces) > 0) { - $interfaces_use .= "interfaces_use = "; + $interfaces_use .= "charon {\n\tinterfaces_use = "; foreach my $interface (@interfaces) { if (!(-d "/sys/class/net/$interface")) { - next; + print "Warning: unable to configure non-existent interface\n"; } $interfaces_use .= "$interface, "; } @@ -281,8 +281,10 @@ if ($vcVPN->exists('ipsec')) { } - } + } else { + $interfaces_use .= ""; + } # # NAT traversal # @@ -1200,13 +1202,13 @@ if ( $vcVPN->isDeleted('.') if (!enableICMP('1')) { vpn_die(["vpn","ipsec"],"VPN commit error. Unable to re-enable ICMP redirects.\n"); } - write_config($genout, $interfaces_use, $STRONGSWAN, $config_file, $genout_secrets, $secrets_file, $dhcp_if, %public_keys); + write_config($genout, $interfaces_use, $STRONGSWAN_INTF_CONFIG, $config_file, $genout_secrets, $secrets_file, $dhcp_if, %public_keys); } else { if (!enableICMP('0')) { vpn_die(["vpn","ipsec"],"VPN commit error. Unable to disable ICMP redirects.\n"); } - write_config($genout, $interfaces_use, $STRONGSWAN, $config_file, $genout_secrets, $secrets_file, $dhcp_if, %public_keys); + write_config($genout, $interfaces_use, $STRONGSWAN_INTF_CONFIG, $config_file, $genout_secrets, $secrets_file, $dhcp_if, %public_keys); # Assumming that if there was a local IP missmatch and clustering is enabled, # then the clustering scripts will take care of starting the VPN daemon. @@ -1295,7 +1297,7 @@ sub vpn_die { } sub write_config { - my ($genout, $interfaces_use, $STRONGSWAN, $config_file, $genout_secrets, $secrets_file, $dhcp_if, %public_keys) = @_; + my ($genout, $interfaces_use, $STRONGSWAN_INTF_CONFIG, $config_file, $genout_secrets, $secrets_file, $dhcp_if, %public_keys) = @_; open my $output_config, '>', $config_file or die "Can't open $config_file: $!"; 
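Review bot: Replacing `next;` with a `print` means a non-existent interface now still gets appended to `interfaces_use` right after the warning that says it cannot be configured, so the warning and the behaviour contradict each other; keep `next;` after the `print`, and name the interface: `print "Warning: unable to configure non-existent interface $interface\n";`. The trailing `, ` left by `.= "$interface, "` also remains in the emitted list. The enclosing `if (scalar(@interfaces) > 0)` block closes outside this hunk.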
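Review bot: The new `else` branch at -281 only does `$interfaces_use .= "";`, which is a no-op. If the intent is that an empty `ipsec-interfaces` list leaves `interfaces_use` unset so charon binds on every interface (as the commit title suggests), drop the branch and record that where the list is built: `# no ipsec-interfaces configured: emit no charon block so strongSwan uses all interfaces`. The file is then written with only the `# generated by` header, which is fine but worth stating in the same comment.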
@@ -1303,8 +1305,8 @@ sub write_config { close $output_config; - open my $strong_config, '>', $STRONGSWAN - or die "Can't open $STRONGSWAN: $!"; + open my $strong_config, '>', $STRONGSWAN_INTF_CONFIG + or die "Can't open $STRONGSWAN_INTF_CONFIG: $!"; print ${strong_config} $interfaces_use; close $strong_config; -- cgit v1.2.3 From d0e7c861ed20d871d71efd46caf517bbee8c1a69 Mon Sep 17 00:00:00 2001 From: Taniadz Date: Fri, 27 Oct 2017 11:56:38 +0300 Subject: T126: charon listening on ALL interfaces(add ipsec restart) --- scripts/vpn-config.pl | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/scripts/vpn-config.pl b/scripts/vpn-config.pl index b6f3b5d..95c783e 100755 --- a/scripts/vpn-config.pl +++ b/scripts/vpn-config.pl @@ -1253,9 +1253,14 @@ if ( $vcVPN->isDeleted('.') vpn_exec("ipsec down peer-$old_peer-tunnel-$tunnel", "Cleaning up site-to-site peer $old_peer at tunnel $tunnel"); } } - - vpn_exec('ipsec rereadall >&/dev/null', 're-read secrets and certs'); - vpn_exec('ipsec reload >&/dev/null', 'reload changes to ipsec.conf'); + my @working_interfaces = $vcVPN->returnValues("ipsec ipsec-interfaces interface"); + my @active_interfaces = $vcVPN->returnOrigValues("ipsec ipsec-interfaces interface"); + if (@working_interfaces != @active_interfaces) { + vpn_exec('ipsec restart >&/dev/null', 're-starting ipsec'); + }else { + vpn_exec('ipsec rereadall >&/dev/null', 're-read secrets and certs'); + vpn_exec('ipsec reload >&/dev/null', 'reload changes to ipsec.conf'); + } } } else { if (!defined($update_interval)) { -- cgit v1.2.3 From b53019e4bf1b51b40cefc263479ee0531341cb78 Mon Sep 17 00:00:00 2001 From: Taniadz Date: Tue, 31 Oct 2017 15:52:47 +0200 Subject: T126: charon listening on ALL interfaces(correct sorting) --- scripts/vpn-config.pl | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/scripts/vpn-config.pl b/scripts/vpn-config.pl index 95c783e..071b3b8 100755 --- a/scripts/vpn-config.pl 
+++ b/scripts/vpn-config.pl @@ -1253,9 +1253,24 @@ if ( $vcVPN->isDeleted('.') vpn_exec("ipsec down peer-$old_peer-tunnel-$tunnel", "Cleaning up site-to-site peer $old_peer at tunnel $tunnel"); } } + # Check if returnValues equals returnOrigValues for ipsec-interfaces and restart if they are not equal + my $equals = 1; my @working_interfaces = $vcVPN->returnValues("ipsec ipsec-interfaces interface"); my @active_interfaces = $vcVPN->returnOrigValues("ipsec ipsec-interfaces interface"); - if (@working_interfaces != @active_interfaces) { + if (scalar(@working_interfaces) != scalar(@active_interfaces)){ + $equals = 0; + } + else { + my @sorted_working = sort @working_interfaces; + my @sorted_active = sort @active_interfaces; + foreach (my $i = 0; $i < @sorted_working; $i++) { + if ($sorted_working[$i] ne $sorted_active[$i]) { + $equals = 0; + last; + } + } + } + if ($equals == 0) { vpn_exec('ipsec restart >&/dev/null', 're-starting ipsec'); }else { vpn_exec('ipsec rereadall >&/dev/null', 're-read secrets and certs'); -- cgit v1.2.3 From 1d0a489519e0f67985b5b92ebaf2723b826aef20 Mon Sep 17 00:00:00 2001 From: unixninja92 Date: Tue, 20 Feb 2018 20:52:19 -0500 Subject: Lowered minimum DPD interval and timeout as per T542 --- .../ike-group/node.tag/dead-peer-detection/interval/node.def | 6 +++--- .../ipsec/ike-group/node.tag/dead-peer-detection/timeout/node.def | 8 +++----- 2 files changed, 6 insertions(+), 8 deletions(-) diff --git a/templates/vpn/ipsec/ike-group/node.tag/dead-peer-detection/interval/node.def b/templates/vpn/ipsec/ike-group/node.tag/dead-peer-detection/interval/node.def index 4fdebe9..e6175c9 100644 --- a/templates/vpn/ipsec/ike-group/node.tag/dead-peer-detection/interval/node.def +++ b/templates/vpn/ipsec/ike-group/node.tag/dead-peer-detection/interval/node.def 
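Review bot: The fifteen-line element-by-element comparison can be a single string compare once both lists are sorted: `my $equals = ( join("\n", sort @working_interfaces) eq join("\n", sort @active_interfaces) ) ? 1 : 0;`. `foreach (my $i = 0; $i < @sorted_working; $i++)` is a C-style loop spelled with `foreach`; if the loop stays, write it as `for`. The comment says what the code does; it should say why a full `ipsec restart` is needed when the list changes — presumably because `interfaces_use` is only read at daemon start — and the commit message should note that a restart drops every established tunnel, since operators committing an interface change will see that. The enclosing block begins outside the hunk.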
@@ -1,5 +1,5 @@
 help: Keep-alive interval
-type: u32
+type: u32
 default: 30
-syntax:expression: ($VAR(@) >= 15 && $VAR(@) <= 86400) ; "must be between 15-86400 seconds"
-val_help: u32:15-86400; Keep-alive interval in seconds (default 30)
+syntax:expression: ($VAR(@) >= 2 && $VAR(@) <= 86400) ; "must be between 2-86400 seconds"
+val_help: u32:2-86400; Keep-alive interval in seconds (default 30)
diff --git a/templates/vpn/ipsec/ike-group/node.tag/dead-peer-detection/timeout/node.def b/templates/vpn/ipsec/ike-group/node.tag/dead-peer-detection/timeout/node.def
index 939be1c..3378cb5 100644
--- a/templates/vpn/ipsec/ike-group/node.tag/dead-peer-detection/timeout/node.def
+++ b/templates/vpn/ipsec/ike-group/node.tag/dead-peer-detection/timeout/node.def
@@ -1,7 +1,5 @@
 help: Keep-alive timeout
-type: u32
+type: u32
 default: 120
-syntax:expression: ($VAR(@) >= 30 && $VAR(@) <= 86400) ; "must be between 30-86400 seconds"
-val_help: u32:30-86400; Keep-alive timeout in seconds (default 120)
-
-
+syntax:expression: ($VAR(@) >= 10 && $VAR(@) <= 86400) ; "must be between 10-86400 seconds"
+val_help: u32:10-86400; Keep-alive timeout in seconds (default 120)
-- cgit v1.2.3
From 21547cc288d60c6e44268a4ef39ad71120bbfb8b Mon Sep 17 00:00:00 2001
From: Daniil Baturin
Date: Sat, 2 Jun 2018 03:04:17 +0200
Subject: T675: for downgrading strongswan to 5.5, remove explicit dependency on libvici.
In 5.5 from stretch, it's inside the swanctl package. In 5.6 from sid, the swanctl package depends on it so we don't need to mention it explicitly anyway.
---
 debian/control | 1 -
 1 file changed, 1 deletion(-)
diff --git a/debian/control b/debian/control
index 81860fb..d0dc7bc 100644
--- a/debian/control
+++ b/debian/control
@@ -11,7 +11,6 @@ Depends: perl,
 vyatta-cfg (>= 0.15.33),
 vyatta-bash | bash (>= 3.1),
 strongswan (>= 5.2),
- strongswan-libvici (>= 5.2),
 strongswan-swanctl (>= 5.2),
 libcrypt-openssl-rsa-perl,
 libc6 (>= 2.7-6)
-- cgit v1.2.3
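Review bot: Lowering the timeout floor to 10 while the interval default stays 30 means a configuration can now carry a DPD timeout shorter than its keep-alive interval without either `syntax:expression` rejecting it; before this change the timeout floor of 30 at least covered the default interval. Each node validates its own value in isolation, so if the template language cannot express a cross-field check, the `val_help` text could warn the operator, e.g. `val_help: u32:10-86400; Keep-alive timeout in seconds (default 120, should exceed the keep-alive interval)`. The same applies to the interval hunk, whose new upper bound of 86400 still allows an interval above any configured timeout. Both hunks also remove and re-add an identical-looking `type: u32` line, which presumably differs only in trailing whitespace.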
From 90daa5e2cf02ffd3fd5936b4f372f1e85ab62ef6 Mon Sep 17 00:00:00 2001
From: Daniil Baturin
Date: Sun, 3 Jun 2018 05:32:19 +0200
Subject: T674: set DH group default in IKE groups to 2.
Using the default: tag in the template for now, this issue should be addressed properly when we get to rewriting IPsec scripts.
---
 .../vpn/ipsec/ike-group/node.tag/proposal/node.tag/dh-group/node.def | 1 +
 1 file changed, 1 insertion(+)
diff --git a/templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/dh-group/node.def b/templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/dh-group/node.def
index 307dc09..32deb66 100644
--- a/templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/dh-group/node.def
+++ b/templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/dh-group/node.def
@@ -1,5 +1,6 @@
 help: Diffie-Hellman (DH) key exchange group
 type: u32
+default: 2
 syntax:expression: ($VAR(@) == 2 || $VAR(@) == 5 || ($VAR(@) >= 14 && $VAR(@) <= 26)); "must be 2, 5 or 14 through 26"
 val_help: 2; DH group 2 (modp1024)
 val_help: 5; DH group 5 (modp1536)
-- cgit v1.2.3
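Review bot: `default: 2` gives every IKE group that does not set `dh-group` explicitly DH group 2 (modp1024), which is the weakest group the `syntax:expression` accepts and is below current key-exchange recommendations, so a freshly written proposal silently gets the weakest permitted exchange. If 2 was chosen to preserve the previous implicit behaviour for existing configurations, that reasoning belongs in the commit message or a template comment; otherwise `default: 14` (modp2048, already allowed by the expression) is the safer default. The commit message itself says this is a stopgap until the IPsec scripts are rewritten, and a pointer to that intent next to the `default:` line would keep the choice from outliving its reason.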
