From 2e30fd044c830bddae7e4951b46b2346d7e3fbc0 Mon Sep 17 00:00:00 2001
From: Kim Hagen
Date: Mon, 16 Feb 2015 08:34:18 +0100
Subject: Move execution of nhrp script to "end" of ipsec config so it executes on all changes made to the ipsec config
---
 templates/vpn/ipsec/profile/node.tag/bind/tunnel/node.def | 4 ----
 templates/vpn/node.def | 1 +
 2 files changed, 1 insertion(+), 4 deletions(-)
(limited to 'templates/vpn')
diff --git a/templates/vpn/ipsec/profile/node.tag/bind/tunnel/node.def b/templates/vpn/ipsec/profile/node.tag/bind/tunnel/node.def
index cf3568b..a04f8cb 100644
--- a/templates/vpn/ipsec/profile/node.tag/bind/tunnel/node.def
+++ b/templates/vpn/ipsec/profile/node.tag/bind/tunnel/node.def
@@ -8,7 +8,3 @@ commit:expression: $VAR(../../ike-group/) != ""; "Must configure ike-group"
 commit:expression: $VAR(../../authentication/) != ""; "Must configure authentication"
 commit:expression: (`cli-shell-api returnValue interfaces tunnel $VAR(@) encapsulation` == "gre" && \
 `cli-shell-api returnValue interfaces tunnel $VAR(@) remote-ip` == ""); "Must be mgre tunnel"
-
-end:
-
- sudo /opt/vyatta/sbin/vyos-update-nhrp.pl --set_ipsec
diff --git a/templates/vpn/node.def b/templates/vpn/node.def
index c504aaa..7c6b56a 100644
--- a/templates/vpn/node.def
+++ b/templates/vpn/node.def
@@ -5,6 +5,7 @@ end:sudo /opt/vyatta/sbin/vyatta-vti-config.pl || exit 1
 --config_file='/etc/dmvpn.conf' \
 --secrets_file='/etc/dmvpn.secrets' \
 --init_script='/etc/init.d/ipsec' || exit 1
+ sudo /opt/vyatta/sbin/vyos-update-nhrp.pl --set_ipsec || exit 1
 sudo /opt/vyatta/sbin/vpn-config.pl \
 --config_file='/etc/ipsec.conf' \
 --secrets_file='/etc/ipsec.secrets' \
--
cgit v1.2.3
From a914ffc44c888dc2591965c36363aa2a8de4a3bd Mon Sep 17 00:00:00 2001
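Review bot: The new `sudo /opt/vyatta/sbin/vyos-update-nhrp.pl --set_ipsec || exit 1` line in templates/vpn/node.def now runs on every commit that touches anything under `vpn`, and its `|| exit 1` aborts the whole commit whenever the script returns non-zero, which now also affects systems with no DMVPN profile configured; confirm the script exits 0 when it finds nothing to do, or drop the `|| exit 1` for this call if its failure is not fatal for plain IPsec. It is also placed ahead of the `vpn-config.pl` call that writes `/etc/ipsec.conf`, so if it derives its state from the generated IPsec files rather than from the config tree it will see the previous commit's output — I cannot see the script from here. The `end:` block these lines belong to begins above the hunk.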
From: Daniil Baturin
Date: Mon, 4 May 2015 00:35:54 +0200
Subject: Bug #469: add options for AES-128/256-GCM mode.
---
 .../vpn/ipsec/esp-group/node.tag/proposal/node.tag/encryption/node.def | 3 +++
 .../vpn/ipsec/ike-group/node.tag/proposal/node.tag/encryption/node.def | 3 +++
 2 files changed, 6 insertions(+)
(limited to 'templates/vpn')
diff --git a/templates/vpn/ipsec/esp-group/node.tag/proposal/node.tag/encryption/node.def b/templates/vpn/ipsec/esp-group/node.tag/proposal/node.tag/encryption/node.def
index 1c02803..0e8fd2d 100644
--- a/templates/vpn/ipsec/esp-group/node.tag/proposal/node.tag/encryption/node.def
+++ b/templates/vpn/ipsec/esp-group/node.tag/proposal/node.tag/encryption/node.def
@@ -2,6 +2,9 @@ help: Encryption algorithm
 type: txt
 default: "aes128"
 syntax:expression: $VAR(@) in "aes128", "aes256", "3des"; "must be aes128, or aes256, or 3des"
+syntax:expression: $VAR(@) in "aes128", "aes256", "3des", "aes128gcm128", "aes256gcm128"; "must be aes128, or aes128gcm128, or aes256, or aes256gcm128, or 3des"
 val_help: aes128; AES-128 encryption (default)
 val_help: aes256; AES-256 encryption
+val_help: aes128gcm128; AES-128 encryption with Galois Counter Mode 128-bit
+val_help: aes256gcm128; AES-256 encryption with Galois Counter Mode 128-bit
 val_help: 3des; 3DES encryption
diff --git a/templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/encryption/node.def b/templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/encryption/node.def
index 1c02803..0e8fd2d 100644
--- a/templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/encryption/node.def
+++ b/templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/encryption/node.def
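Review bot: The old `syntax:expression: $VAR(@) in "aes128", "aes256", "3des"; ...` line is kept as unchanged context and the widened check is only added below it; to my knowledge every `syntax:expression:` in a node.def is evaluated independently, so `aes128gcm128` and `aes256gcm128` still fail the first line before the new one is ever consulted. The fix is to delete the old line, i.e. make it `-syntax:expression: $VAR(@) in "aes128", "aes256", "3des"; "must be aes128, or aes256, or 3des"` instead of a context line. The ike-group hunk that follows duplicates the check in exactly the same way and needs the same deletion. For the ike-group copy, whether the IKE side (as opposed to ESP) accepts combined-mode ciphers depends on the daemon and IKE version, which I cannot confirm from here; a val_help note or commit-time check may be warranted once that is known.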
@@ -2,6 +2,9 @@ help: Encryption algorithm
 type: txt
 default: "aes128"
 syntax:expression: $VAR(@) in "aes128", "aes256", "3des"; "must be aes128, or aes256, or 3des"
+syntax:expression: $VAR(@) in "aes128", "aes256", "3des", "aes128gcm128", "aes256gcm128"; "must be aes128, or aes128gcm128, or aes256, or aes256gcm128, or 3des"
 val_help: aes128; AES-128 encryption (default)
 val_help: aes256; AES-256 encryption
+val_help: aes128gcm128; AES-128 encryption with Galois Counter Mode 128-bit
+val_help: aes256gcm128; AES-256 encryption with Galois Counter Mode 128-bit
 val_help: 3des; 3DES encryption
--
cgit v1.2.3
From 5bfd6dcf50a76a9427141cc3d62f23f8be7f4543 Mon Sep 17 00:00:00 2001
From: Daniil Baturin
Date: Sun, 14 Jun 2015 01:24:05 +0200
Subject: Bug #504: add an option for pulling IPsec local id from the cert.
---
 scripts/vpn-config.pl | 24 ++++++++++++++++++++--
 .../node.tag/authentication/use-x509-id/node.def | 1 +
 2 files changed, 23 insertions(+), 2 deletions(-)
 create mode 100644 templates/vpn/ipsec/site-to-site/peer/node.tag/authentication/use-x509-id/node.def
(limited to 'templates/vpn')
diff --git a/scripts/vpn-config.pl b/scripts/vpn-config.pl
index 1a3943a..60b1f55 100755
--- a/scripts/vpn-config.pl
+++ b/scripts/vpn-config.pl
@@ -403,7 +403,22 @@ if ($vcVPN->exists('ipsec')) {
 $dhcp_if = $dhcp_if + 1;
 $lip = get_dhcp_addr($dhcp_iface, $peer);
 }
- my $authid =$vcVPN->returnValue("ipsec site-to-site peer $peer authentication id");
+
+ # Get the local ID
+ my $authid = undef;
+ my $authidfromcert = undef;
+ if ($vcVPN->exists("ipsec site-to-site peer $peer authentication use-x509-id")) {
+ if ($vcVPN->exists("ipsec site-to-site peer $peer authentication id")) {
+ vpn_die(["vpn", "ipsec", "site-to-site", "peer", $peer], "Manually set peer id and use-x509-id are mutually exclusive");
+ }
+ else {
+ $authidfromcert = 1;
+ }
+ }
+ else {
+ $authid =$vcVPN->returnValue("ipsec site-to-site peer $peer authentication id");
+ }
+
 my $authremoteid = $vcVPN->returnValue("ipsec site-to-site peer $peer authentication remote-id");
 if ((!defined($lip) || $lip eq "") && (!defined($dhcp_iface) || $dhcp_iface eq "")) {
 vpn_die(["vpn","ipsec","site-to-site","peer",$peer,"local-address"],"$vpn_cfg_err No local-address specified for peer \"$peer\"\n");
@@ -528,7 +543,12 @@ if ($vcVPN->exists('ipsec')) {
 $genout .= "\tleft=$lip\n";
 $leftsourceip = "\tleftsourceip=$lip\n";
 }
- $genout .= "\tleftid=\"$authid\"\n" if defined $authid;
+ if (defined($authidfromcert)) {
+ $genout .= "\tleftid=%fromcert\n";
+ }
+ else {
+ $genout .= "\tleftid=\"$authid\"\n" if defined $authid;
+ }
 }
 # @SM Todo: must have explicit settings for VTI.
diff --git a/templates/vpn/ipsec/site-to-site/peer/node.tag/authentication/use-x509-id/node.def b/templates/vpn/ipsec/site-to-site/peer/node.tag/authentication/use-x509-id/node.def
new file mode 100644
index 0000000..95a90c1
--- /dev/null
+++ b/templates/vpn/ipsec/site-to-site/peer/node.tag/authentication/use-x509-id/node.def
@@ -0,0 +1 @@
+help: Use certificate common name as ID
--
cgit v1.2.3
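Review bot: `use-x509-id` is accepted without looking at the peer's `authentication mode`, so a peer that authenticates with a pre-shared secret can end up with `leftid=%fromcert` and no certificate to take the identity from; unless that is rejected elsewhere in the script, the new branch should also check the mode next to the mutual-exclusion test, e.g. `vpn_die(["vpn", "ipsec", "site-to-site", "peer", $peer, "authentication"], "$vpn_cfg_err use-x509-id requires authentication mode x509\n") unless ($vcVPN->returnValue("ipsec site-to-site peer $peer authentication mode") // '') eq 'x509';`. The new `vpn_die` message also drops the `$vpn_cfg_err` prefix and trailing `\n` that the neighbouring local-address error in this hunk uses, so the two errors read differently to the operator. Minor style: the re-added `$authid =$vcVPN->returnValue(...)` still lacks a space after `=`, and `$authidfromcert` is only ever 1 or undef, so a 0/1 flag tested with `if ($authidfromcert)` would be simpler than `defined(...)` in the second hunk. The enclosing `if ($vcVPN->exists('ipsec'))` block and the loop that sets `$peer` (inferred from its use) both start and end outside the hunk.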
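Review bot: The help string `help: Use certificate common name as ID` in the new use-x509-id node.def does not match what the script generates for this node: `leftid=%fromcert` makes strongSwan use the certificate's full subject DN as the local identity, not only the CN, and that DN is what the remote side must configure as the peer ID. Suggest `help: Use certificate subject DN as local ID` so operators set up the matching remote-id correctly.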