From de318d8d25427a27c80206c16dc36c0021dfca2c Mon Sep 17 00:00:00 2001 From: Jeff Leung Date: Sat, 31 Jan 2015 07:37:43 +0000 Subject: Allow users to specify aggressive mode for IKEv1 key exchanges Although strongly not recommended by the developers of strongSwan, sometimes remote VPN gateways requires this because of interop reasons or a network admin who doesn't have an idea on why aggressive mode is bad. --- templates/vpn/ipsec/ike-group/node.tag/mode/node.def | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 templates/vpn/ipsec/ike-group/node.tag/mode/node.def (limited to 'templates') diff --git a/templates/vpn/ipsec/ike-group/node.tag/mode/node.def b/templates/vpn/ipsec/ike-group/node.tag/mode/node.def new file mode 100644 index 0000000..f302d3d --- /dev/null +++ b/templates/vpn/ipsec/ike-group/node.tag/mode/node.def @@ -0,0 +1,6 @@ +help: IKEv1 Phase 1 Mode Selection +type: txt +default: "main" +syntax:expression: $VAR(@) in "main", "aggressive"; "must be main or aggressive" +val_help: main; Use Main mode for Key Exchanges in the IKEv1 Protocol (Recommended Default) +val_help: ikev2; Use Aggressive mode for Key Exchanges in the IKEv1 protocol - We do not recommend users to use aggressive mode as it is much more insecure compared to Main mode. -- cgit v1.2.3 From a64d08fe6cfbc6275c2682fbe92d4856334deec2 Mon Sep 17 00:00:00 2001 From: Jeff Leung Date: Thu, 5 Feb 2015 06:26:36 +0000 Subject: Allow users to specify a custom file to be included with ipsec.conf --- scripts/vpn-config.pl | 10 ++++++++++ templates/vpn/ipsec/include-ipsec-conf/node.def | 2 ++ 2 files changed, 12 insertions(+) create mode 100644 templates/vpn/ipsec/include-ipsec-conf/node.def (limited to 'templates') diff --git a/scripts/vpn-config.pl b/scripts/vpn-config.pl index b974a5a..7dd18f1 100755 --- a/scripts/vpn-config.pl +++ b/scripts/vpn-config.pl 
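Review bot: `val_help: ikev2;` documents a value that the `syntax:expression` one line above rejects, so the only non-default choice a user can type (`aggressive`) has no help text; it should read `val_help: aggressive; …`. The diffstat lists only this template, so unless vpn-config.pl already reads `ike-group <name> mode` the node is validated but never reaches the generated ipsec.conf — worth confirming before merge. `default: "main"` is also applied to every ike-group, including IKEv2 groups where a Phase 1 mode has no meaning. The warning in the aggressive help would be more useful if it said why: with pre-shared-key authentication, aggressive mode sends the PSK-derived hash before the exchange is encrypted, which is what lets an observer guess the PSK offline; e.g. `val_help: aggressive; IKEv1 aggressive mode - exposes the PSK hash to offline guessing, use only when the peer cannot do main mode`.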
@@ -1160,6 +1160,16 @@ if ($vcVPN->exists('ipsec')) {
 }
 }
 }
+
+ #
+ # Include a custom configuration file
+ #
+ my $custom_include = $vcVPN->returnValue("ipsec include-ipsec-conf");
+ if (defined($custom_include)) {
+ if ( ! -e $custom_include ) {
+ vpn_die(["vpn","ipsec","include-ipsec-conf"],"$vpn_cfg_err The specified file for inclusion inside ipsec.conf does not exist.");
+ }
+ }
 if (-e '/etc/dmvpn.conf') {
 $genout .= "\ninclude /etc/dmvpn.conf\n";
 }
diff --git a/templates/vpn/ipsec/include-ipsec-conf/node.def b/templates/vpn/ipsec/include-ipsec-conf/node.def
new file mode 100644
index 0000000..fc82a45
--- /dev/null
+++ b/templates/vpn/ipsec/include-ipsec-conf/node.def
@@ -0,0 +1,2 @@
+type: txt
+help: Sets to include an additional configuration directive file for strongSwan. Use an absolute path to specify the included file.
-- cgit v1.2.3 From cb76ae8fbdffa0c8dee28b95867776955806f025 Mon Sep 17 00:00:00 2001 From: Jeff Leung Date: Thu, 5 Feb 2015 08:03:09 +0000 Subject: Update ipsec logging log-modes to point towards charon's loggers log-modes now expose charon's keywords instead of pluto's keywords. Refer to the strongSwan's manual to see what each specific logger does.
---
 scripts/vpn-config.pl | 18 ++++++++--------- templates/vpn/ipsec/logging/log-level/node.def | 5 +++++ templates/vpn/ipsec/logging/log-modes/node.def | 28 +++++++++++++++++--------- 3 files changed, 33 insertions(+), 18 deletions(-) create mode 100644 templates/vpn/ipsec/logging/log-level/node.def (limited to 'templates')
diff --git a/scripts/vpn-config.pl b/scripts/vpn-config.pl
index 7dd18f1..89af400 100755
--- a/scripts/vpn-config.pl
+++ b/scripts/vpn-config.pl
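Review bot: The new block validates `$custom_include` but never appends an `include` directive to `$genout`, so within this hunk the configured file is checked and then ignored; unless the directive is emitted elsewhere in this commit (the diffstat shows only this script and the template), the feature has no effect. `-e` also accepts a directory or an unreadable file, which passes commit and then makes strongSwan fail when it loads ipsec.conf; `if ( ! -f $custom_include || ! -r $custom_include ) {` is the check the error message actually describes. Since the help text requires an absolute path and the value lands in a root-owned ipsec.conf, rejecting relative paths here (`$custom_include =~ m{\A/}` before the file test) keeps the included location independent of how strongSwan resolves relative includes. The enclosing `if ($vcVPN->exists('ipsec'))` block and `vpn_die`/`$vpn_cfg_err` are outside the hunk.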
@@ -306,23 +306,23 @@ if ($vcVPN->exists('ipsec')) {
 }
 #
- # log-mode
+ # charon log-mode
 #
 my @logmodes = $vcVPN->returnValues('ipsec logging log-modes');
+ my $charonloglevel = $vcVPN->returnValue('ipsec logging log-level');
 if (@logmodes > 0) {
 my $debugmode = '';
+ my $first_debug_mode = 1;
+ $genout .= "\tcharondebug=\"";
 foreach my $mode (@logmodes) {
- if ($mode eq "all") {
- $debugmode = "all";
- last;
- }
- if ($debugmode eq '') {
- $debugmode = "$mode";
+ if ($first_debug_mode) {
+ $first_debug_mode = 0;
 } else {
- $debugmode .= " $mode";
+ $genout .= ", ";
 }
+ $genout .= "$mode $charonloglevel";
 }
- $genout .= "\tplutodebug=\"$debugmode\"\n";
+ $genout .= "\"\n";
 }
 # Set plutoopts:
diff --git a/templates/vpn/ipsec/logging/log-level/node.def b/templates/vpn/ipsec/logging/log-level/node.def
new file mode 100644
index 0000000..54cf698
--- /dev/null
+++ b/templates/vpn/ipsec/logging/log-level/node.def
@@ -0,0 +1,5 @@
+help: strongSwan Logger Level
+type: u32
+default: 1
+syntax:expression: ($VAR(@) >= 0 && $VAR(@) <= 2) ; "must be between levels 0-2"
+val_help: u32:0-2; Logger Verbosity Level (default 0)
diff --git a/templates/vpn/ipsec/logging/log-modes/node.def b/templates/vpn/ipsec/logging/log-modes/node.def
index f0dd9f4..5662a4e 100644
--- a/templates/vpn/ipsec/logging/log-modes/node.def
+++ b/templates/vpn/ipsec/logging/log-modes/node.def
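Review bot: `$charonloglevel` is interpolated into every `"$mode $charonloglevel"` entry without a defined check, so if `returnValue` yields undef (whether the template's `default: 1` is returned for an unset node is not visible here) the output becomes `charondebug="ike "` and Perl warns on the undefined value; `my $charonloglevel = $vcVPN->returnValue('ipsec logging log-level') // 1;` (or a `defined` check that calls `vpn_die`) closes that gap. The context line `my $debugmode = '';` is now dead code, since every use of it was removed in this hunk, and should go with them. The enclosing `if ($vcVPN->exists('ipsec'))` block starts outside the hunk.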
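Review bot: `default: 1` on the new log-level node contradicts its own `val_help` text `Logger Verbosity Level (default 0)`; one of the two should change, e.g. `val_help: u32:0-2; Logger verbosity level (default 1)`. Capping the range at 2 keeps strongSwan's higher levels (raw data dumps and sensitive material, if I recall its scheme correctly) unreachable from the CLI, which is a sensible choice for a generated logger configuration and deserves a one-line comment in `help:` so nobody "fixes" the limit later.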
@@ -1,11 +1,21 @@ multi: -help: Log mode +help: Log mode. To see what each log mode exactly does, please refer to the strongSwan documentation type: txt -syntax:expression: $VAR(@) in "raw", "crypt", "parsing", "emitting", "control", "all", "private" ; "must be one of the following: raw, crypt, parsing, emitting, control, all, private" -val_help: raw; Debug log option for pluto -val_help: crypt; Debug log option for pluto -val_help: parsing; Debug log option for pluto -val_help: emitting; Debug log option for pluto -val_help: control; Debug log option for pluto -val_help: all; Debug log option for pluto -val_help: private; Debug log option for pluto +syntax:expression: $VAR(@) in "dmn", "mgr", "ike", "chd", "job", "cfg", "knl", "net", "asn", "enc", "lib", "esp", "tls", "tnc", "imc", "imv", "pts" ; "must be one of the following: dmn, mgr, ike, chd, job, cfg, knl, net, asn, enc, lib, esp, tls, tnc, imc, imv, pts" +val_help: dmn; Debug log option for strongSwan +val_help: mgr; Debug log option for strongSwan +val_help: ike; Debug log option for strongSwan +val_help: chd; Debug log option for strongSwan +val_help: job; Debug log option for strongSwan +val_help: cfg; Debug log option for strongSwan +val_help: knl; Debug log option for strongSwan +val_help: net; Debug log option for strongSwan +val_help: asn; Debug log option for strongSwan +val_help: enc; Debug log option for strongSwan +val_help: lib; Debug log option for strongSwan +val_help: esp; Debug log option for strongSwan +val_help: tls; Debug log option for strongSwan +val_help: tnc; Debug log option for strongSwan +val_help: imc; Debug log option for strongSwan +val_help: imv; Debug log option for strongSwan +val_help: pts; Debug log option for strongSwan -- cgit v1.2.3 From 82c41cedf5a295ebd2ad28700c4c9a5c9b5a91d3 Mon Sep 17 00:00:00 2001 
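Review bot: The accepted set drops `all` together with every pluto keyword, so an existing configuration containing `log-modes all` or `log-modes control` fails validation on the first commit after upgrade, with no migration hint; either keep `all` and have vpn-config.pl expand it to the full charon list, or state the migration in `help:` and the commit message. The seventeen identical `Debug log option for strongSwan` strings give the user nothing to choose by; a short purpose per subsystem (`val_help: ike; IKE_SA processing`, `val_help: chd; CHILD_SA processing`, `val_help: knl; kernel interface`, …) would make the list usable.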
From: Jeff Leung Date: Sat, 7 Feb 2015 03:53:20 +0000 Subject: Remove the default value in ipsec ike-group $name mode Setting this to a default value breaks ikev2 configurations since aggressive mode is only applicable for ikev1 tunnels --- templates/vpn/ipsec/ike-group/node.tag/mode/node.def | 1 - 1 file changed, 1 deletion(-) (limited to 'templates') diff --git a/templates/vpn/ipsec/ike-group/node.tag/mode/node.def b/templates/vpn/ipsec/ike-group/node.tag/mode/node.def index f302d3d..fad935f 100644 --- a/templates/vpn/ipsec/ike-group/node.tag/mode/node.def +++ b/templates/vpn/ipsec/ike-group/node.tag/mode/node.def @@ -1,6 +1,5 @@ help: IKEv1 Phase 1 Mode Selection type: txt -default: "main" syntax:expression: $VAR(@) in "main", "aggressive"; "must be main or aggressive" val_help: main; Use Main mode for Key Exchanges in the IKEv1 Protocol (Recommended Default) val_help: ikev2; Use Aggressive mode for Key Exchanges in the IKEv1 protocol - We do not recommend users to use aggressive mode as it is much more insecure compared to Main mode. -- cgit v1.2.3 From 832208422595261e1044890c18c16998a9aaf421 Mon Sep 17 00:00:00 2001 From: Jeff Leung Date: Sun, 8 Feb 2015 07:21:25 +0000 Subject: Correct typo'd aggressive option Originally we meant aggressive, not ikev2 --- templates/vpn/ipsec/ike-group/node.tag/mode/node.def | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'templates') diff --git a/templates/vpn/ipsec/ike-group/node.tag/mode/node.def b/templates/vpn/ipsec/ike-group/node.tag/mode/node.def index fad935f..2b67dad 100644 --- a/templates/vpn/ipsec/ike-group/node.tag/mode/node.def +++ b/templates/vpn/ipsec/ike-group/node.tag/mode/node.def 
@@ -2,4 +2,4 @@ help: IKEv1 Phase 1 Mode Selection
 type: txt
 syntax:expression: $VAR(@) in "main", "aggressive"; "must be main or aggressive"
 val_help: main; Use Main mode for Key Exchanges in the IKEv1 Protocol (Recommended Default)
-val_help: ikev2; Use Aggressive mode for Key Exchanges in the IKEv1 protocol - We do not recommend users to use aggressive mode as it is much more insecure compared to Main mode.
+val_help: aggressive; Use Aggressive mode for Key Exchanges in the IKEv1 protocol - We do not recommend users to use aggressive mode as it is much more insecure compared to Main mode.
-- cgit v1.2.3 From c6864b6ca7c18ab4ec248186e1310e46b7a97676 Mon Sep 17 00:00:00 2001 From: Jeff Leung Date: Tue, 10 Feb 2015 01:05:30 +0000 Subject: Allow the user to force UDP encapsulation for a named peer This might help with strongSwan traversing through firewalls that filter proto 51, but not UDP traffic.
---
 scripts/vpn-config.pl | 13 +++++++++++++ .../site-to-site/peer/node.tag/force-encapsulation/node.def | 6 ++++++ 2 files changed, 19 insertions(+) create mode 100644 templates/vpn/ipsec/site-to-site/peer/node.tag/force-encapsulation/node.def (limited to 'templates')
diff --git a/scripts/vpn-config.pl b/scripts/vpn-config.pl
index ca685bd..0d5a63b 100755
--- a/scripts/vpn-config.pl
+++ b/scripts/vpn-config.pl
@@ -800,6 +800,19 @@ if ($vcVPN->exists('ipsec')) {
 $genout .= "\tdpdtimeout=$dpd_timeout" . "s\n";
 $genout .= "\tdpdaction=$dpd_action\n";
 }
+
+ #
+ # Allow the user for force UDP encapsulation for the ESP
+ # payload.
+ #
+ my $forceencaps = $vcVPN->returnValue("ipsec site-to-site $peer force-encapsulation");
+ if (defined($forceencaps)) {
+ if ($forceencaps eq 'enable') {
+ $genout .= "\tforceencaps=yes\n";
+ } else {
+ $genout .= "\tforceencaps=no\n";
+ }
+ }
 }
 #
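Review bot: The lookup path `"ipsec site-to-site $peer force-encapsulation"` omits the `peer` keyword that the template location `site-to-site/peer/node.tag/force-encapsulation` implies, so `returnValue` will not find the node and no `forceencaps=` line is ever produced; it should be `my $forceencaps = $vcVPN->returnValue("ipsec site-to-site peer $peer force-encapsulation");`. The new comment `Allow the user for force UDP encapsulation` should read `to force`. The commit description motivates the change with filters on "proto 51", but ESP is IP protocol 50 (51 is AH); the code itself correctly targets ESP, so only the description is off. The enclosing per-peer block, where `$peer` is defined, starts outside the hunk.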
diff --git a/templates/vpn/ipsec/site-to-site/peer/node.tag/force-encapsulation/node.def b/templates/vpn/ipsec/site-to-site/peer/node.tag/force-encapsulation/node.def new file mode 100644 index 0000000..0015add --- /dev/null +++ b/templates/vpn/ipsec/site-to-site/peer/node.tag/force-encapsulation/node.def @@ -0,0 +1,6 @@ +help: Force UDP Encapsulation for ESP Payloads +type: txt +syntax:expression: $VAR(@) in "enable", "disable"; "Must be enable or disable" +val_help: enable; This endpoint will not force UDP encapsulation for this peer +val_help: disable; This endpoint will force UDP encapsulation for this peer + -- cgit v1.2.3 From bb0034b11cbb5797e5a3e820fd7c9416964f91eb Mon Sep 17 00:00:00 2001 From: Jeff Leung Date: Wed, 4 Nov 2015 21:43:44 -0800 Subject: Allow the user to include a custom ipsec.secrets file. This may be useful for scenarios where a user prefers to use an ECDSA key or implement an xauth IPSec RA server without having to code for the VyOS/EdgeOS platform. --- scripts/vpn-config.pl | 7 +++++++ templates/vpn/ipsec/include-ipsec-secrets/node.def | 2 ++ 2 files changed, 9 insertions(+) create mode 100644 templates/vpn/ipsec/include-ipsec-secrets/node.def (limited to 'templates') diff --git a/scripts/vpn-config.pl b/scripts/vpn-config.pl index dd14446..a238d20 100755 --- a/scripts/vpn-config.pl +++ b/scripts/vpn-config.pl 
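Review bot: The two `val_help` lines are inverted: `enable` is described as not forcing UDP encapsulation and `disable` as forcing it, the opposite of what vpn-config.pl emits (`enable` → `forceencaps=yes`). Swap the descriptions, e.g. `val_help: enable; Force UDP encapsulation of ESP for this peer` and `val_help: disable; Do not force UDP encapsulation for this peer`. The final `+` adds a trailing blank line that the other templates on this page do not have.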
@@ -1119,12 +1119,19 @@ if ($vcVPN->exists('ipsec')) {
 # Include a custom configuration file
 #
 my $custom_include = $vcVPN->returnValue("ipsec include-ipsec-conf");
+ my $custom_secrets = $vcVPN->returnValue("ipsec include-ipsec-secrets");
 if (defined($custom_include)) {
 if ( ! -e $custom_include ) {
 vpn_die(["vpn","ipsec","include-ipsec-conf"],"$vpn_cfg_err The specified file for inclusion inside ipsec.conf does not exist.");
 }
 $genout .= "\ninclude $custom_include";
 }
+ if (defined($custom_secrets)) {
+ if ( ! -e $custom_secrets) {
+ vpn_die(["vpn","ipsec","include-ipsec-secrets"],"$vpn_cfg_err The specified file for inclusion inside ipsec.secrets does not exist.");
+ }
+ $genout_secrets .= "\ninclude $custom_secrets\n";
+ }
 if (-e '/etc/dmvpn.conf') {
 $genout .= "\ninclude /etc/dmvpn.conf\n";
 }
diff --git a/templates/vpn/ipsec/include-ipsec-secrets/node.def b/templates/vpn/ipsec/include-ipsec-secrets/node.def
new file mode 100644
index 0000000..37b73e1
--- /dev/null
+++ b/templates/vpn/ipsec/include-ipsec-secrets/node.def
@@ -0,0 +1,2 @@
+type: txt
+help: Sets to include an additional secrets file for strongSwan. Use an absolute path to specify the included file.
-- cgit v1.2.3 From e35a282eef077d8cc91e8e5fd7b7a1dcf91750c4 Mon Sep 17 00:00:00 2001 From: Jeff Leung Date: Fri, 4 Dec 2015 23:49:35 -0500 Subject: Add ChaCha20 Poly1305 cipher as an available cipher for IKE exchanges. Starting with strongSwan 5.3.3, chacha20poly1305 is a supported cipher for IKE and ESP configurations with an IKEv2 configuration.
---
 .../vpn/ipsec/esp-group/node.tag/proposal/node.tag/encryption/node.def | 3 ++- .../vpn/ipsec/ike-group/node.tag/proposal/node.tag/encryption/node.def | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) (limited to 'templates')
diff --git a/templates/vpn/ipsec/esp-group/node.tag/proposal/node.tag/encryption/node.def b/templates/vpn/ipsec/esp-group/node.tag/proposal/node.tag/encryption/node.def
index 1c02803..05aa407 100644
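Review bot: The included file goes into ipsec.secrets, yet the only check on `$custom_secrets` is `-e`, which also passes a directory, a dangling symlink, or a world-readable file — a missing file is the least serious of those for a secrets store. Use `-f` and reject lax permissions: `if ( ! -f $custom_secrets ) { vpn_die(["vpn","ipsec","include-ipsec-secrets"],"$vpn_cfg_err The specified file for inclusion inside ipsec.secrets does not exist or is not a regular file."); }` followed by `vpn_die(["vpn","ipsec","include-ipsec-secrets"],"$vpn_cfg_err The included secrets file must not be readable by group or others.") if ( (stat($custom_secrets))[2] & 0077 );`. Also, the new `$genout_secrets` line ends in `\n` while the context line `$genout .= "\ninclude $custom_include";` does not; harmless today only because the following `include /etc/dmvpn.conf` line starts with its own `\n`, so the two should be aligned. The enclosing block and `vpn_die` are outside the hunk.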
--- a/templates/vpn/ipsec/esp-group/node.tag/proposal/node.tag/encryption/node.def +++ b/templates/vpn/ipsec/esp-group/node.tag/proposal/node.tag/encryption/node.def @@ -1,7 +1,8 @@ help: Encryption algorithm type: txt default: "aes128" -syntax:expression: $VAR(@) in "aes128", "aes256", "3des"; "must be aes128, or aes256, or 3des" +syntax:expression: $VAR(@) in "aes128", "aes256", "3des", "chacha20poly1305"; "must be aes128, aes256, 3des, or chacha20poly1305" val_help: aes128; AES-128 encryption (default) val_help: aes256; AES-256 encryption val_help: 3des; 3DES encryption +val_help: chacha20poly1305; ChaCha20-Poly1305 encryption diff --git a/templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/encryption/node.def b/templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/encryption/node.def index 1c02803..05aa407 100644 --- a/templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/encryption/node.def +++ b/templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/encryption/node.def @@ -1,7 +1,8 @@ help: Encryption algorithm type: txt default: "aes128" -syntax:expression: $VAR(@) in "aes128", "aes256", "3des"; "must be aes128, or aes256, or 3des" +syntax:expression: $VAR(@) in "aes128", "aes256", "3des", "chacha20poly1305"; "must be aes128, aes256, 3des, or chacha20poly1305" val_help: aes128; AES-128 encryption (default) val_help: aes256; AES-256 encryption val_help: 3des; 3DES encryption +val_help: chacha20poly1305; ChaCha20-Poly1305 encryption -- cgit v1.2.3 From c9484a3906157a059b02c7619df4617ab8e2dee1 Mon Sep 17 00:00:00 2001 From: Kim Hagen Date: Mon, 16 Feb 2015 08:34:18 +0100 Subject: Move execution of nhrp script to "end" of ipsec config so it executes on all changes made to the ipsec config --- templates/vpn/ipsec/profile/node.tag/bind/tunnel/node.def | 4 ---- templates/vpn/node.def | 1 + 2 files changed, 1 insertion(+), 4 deletions(-) (limited to 'templates') 
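Review bot: `chacha20poly1305` is an AEAD algorithm, and if the proposal is still assembled as `$encryption-$hash` (the esp-group generator visible later on this page does exactly that) the result pairs an AEAD cipher with a separate integrity algorithm, which as far as I know strongSwan rejects for ESP and, for IKE, needs a `prf…` entry rather than an integrity name; the script should omit the hash (or map it to a PRF for IKE) whenever the cipher is AEAD. The commit message says the cipher needs strongSwan 5.3.3 and IKEv2, but neither template nor script enforces or documents that, so an IKEv1 ike-group with this cipher fails only at runtime; `val_help: chacha20poly1305; ChaCha20-Poly1305 AEAD encryption (IKEv2 only, strongSwan 5.3.3+)` would at least surface it. The ike-group hunk has the same issue.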
diff --git a/templates/vpn/ipsec/profile/node.tag/bind/tunnel/node.def b/templates/vpn/ipsec/profile/node.tag/bind/tunnel/node.def index cf3568b..a04f8cb 100644 --- a/templates/vpn/ipsec/profile/node.tag/bind/tunnel/node.def +++ b/templates/vpn/ipsec/profile/node.tag/bind/tunnel/node.def @@ -8,7 +8,3 @@ commit:expression: $VAR(../../ike-group/) != ""; "Must configure ike-group" commit:expression: $VAR(../../authentication/) != ""; "Must configure authentication" commit:expression: (`cli-shell-api returnValue interfaces tunnel $VAR(@) encapsulation` == "gre" && \ `cli-shell-api returnValue interfaces tunnel $VAR(@) remote-ip` == ""); "Must be mgre tunnel" - -end: - - sudo /opt/vyatta/sbin/vyos-update-nhrp.pl --set_ipsec diff --git a/templates/vpn/node.def b/templates/vpn/node.def index c504aaa..7c6b56a 100644 --- a/templates/vpn/node.def +++ b/templates/vpn/node.def @@ -5,6 +5,7 @@ end:sudo /opt/vyatta/sbin/vyatta-vti-config.pl || exit 1 --config_file='/etc/dmvpn.conf' \ --secrets_file='/etc/dmvpn.secrets' \ --init_script='/etc/init.d/ipsec' || exit 1 + sudo /opt/vyatta/sbin/vyos-update-nhrp.pl --set_ipsec || exit 1 sudo /opt/vyatta/sbin/vpn-config.pl \ --config_file='/etc/ipsec.conf' \ --secrets_file='/etc/ipsec.secrets' \ -- cgit v1.2.3 From fcab32f8c5cc416829dc054a41e578eae45951fa Mon Sep 17 00:00:00 2001 From: Daniil Baturin Date: Mon, 4 May 2015 00:35:54 +0200 Subject: Bug #469: add options for AES-128/256-GCM mode. --- .../ipsec/esp-group/node.tag/proposal/node.tag/encryption/node.def | 4 +++- .../ipsec/ike-group/node.tag/proposal/node.tag/encryption/node.def | 4 +++- 2 files changed, 6 insertions(+), 2 deletions(-) (limited to 'templates') diff --git a/templates/vpn/ipsec/esp-group/node.tag/proposal/node.tag/encryption/node.def b/templates/vpn/ipsec/esp-group/node.tag/proposal/node.tag/encryption/node.def index 05aa407..ba66828 100644 --- a/templates/vpn/ipsec/esp-group/node.tag/proposal/node.tag/encryption/node.def 
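Review bot: The nhrp update now runs before `vpn-config.pl` rewrites `/etc/ipsec.conf`, so if `vyos-update-nhrp.pl --set_ipsec` derives anything from the generated IPsec configuration it will see the previous generation on every commit; placing it after the `vpn-config.pl` invocation (which continues outside the hunk) avoids that, if the dependency exists. It also runs on every `vpn` change now, including ones with no profile bound to a tunnel, and `|| exit 1` turns any failure into a failed commit for the whole VPN subtree — confirm the script exits 0 when there is nothing to do. The bind/tunnel hunk is a pure removal and needs no further review.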
+++ b/templates/vpn/ipsec/esp-group/node.tag/proposal/node.tag/encryption/node.def @@ -1,8 +1,10 @@ help: Encryption algorithm type: txt default: "aes128" -syntax:expression: $VAR(@) in "aes128", "aes256", "3des", "chacha20poly1305"; "must be aes128, aes256, 3des, or chacha20poly1305" +syntax:expression: $VAR(@) in "aes128", "aes256", "aes128gcm128", "aes256gcm128", "3des", "chacha20poly1305"; "must be aes128, aes256, 3des, or chacha20poly1305" val_help: aes128; AES-128 encryption (default) val_help: aes256; AES-256 encryption +val_help: aes128gcm128; AES-128 encryption with Galois Counter Mode 128-bit +val_help: aes256gcm128; AES-256 encryption with Galois Counter Mode 128-bit val_help: 3des; 3DES encryption val_help: chacha20poly1305; ChaCha20-Poly1305 encryption diff --git a/templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/encryption/node.def b/templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/encryption/node.def index 05aa407..ba66828 100644 --- a/templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/encryption/node.def +++ b/templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/encryption/node.def @@ -1,8 +1,10 @@ help: Encryption algorithm type: txt default: "aes128" -syntax:expression: $VAR(@) in "aes128", "aes256", "3des", "chacha20poly1305"; "must be aes128, aes256, 3des, or chacha20poly1305" +syntax:expression: $VAR(@) in "aes128", "aes256", "aes128gcm128", "aes256gcm128", "3des", "chacha20poly1305"; "must be aes128, aes256, 3des, or chacha20poly1305" val_help: aes128; AES-128 encryption (default) val_help: aes256; AES-256 encryption +val_help: aes128gcm128; AES-128 encryption with Galois Counter Mode 128-bit +val_help: aes256gcm128; AES-256 encryption with Galois Counter Mode 128-bit val_help: 3des; 3DES encryption val_help: chacha20poly1305; ChaCha20-Poly1305 encryption -- cgit v1.2.3 From 5ee99ec9d5cca8c13804964eee23ce0b15578edf Mon Sep 17 00:00:00 2001 
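Review bot: The `syntax:expression` error text was not updated: it still says `must be aes128, aes256, 3des, or chacha20poly1305` although `aes128gcm128` and `aes256gcm128` are now accepted, so a user who mistypes a value is shown a list missing two valid choices; change it to `"must be aes128, aes256, aes128gcm128, aes256gcm128, 3des, or chacha20poly1305"` in both the esp-group and ike-group files. The same AEAD-plus-hash concern raised for chacha20poly1305 applies to these GCM modes. `aes128gcm128` is the strongSwan keyword for AES-128-GCM with a 128-bit ICV, but the help `AES-128 encryption with Galois Counter Mode 128-bit` reads as if the second number were a key size; `AES-128-GCM with 128-bit ICV` is clearer.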
From: Jeff Leung Date: Fri, 29 Jan 2016 18:43:45 -0500 Subject: vyatta-cfg-vpn: Properly implement force-encapsulation and fix descriptions --- scripts/vpn-config.pl | 2 +- .../vpn/ipsec/site-to-site/peer/node.tag/force-encapsulation/node.def | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) (limited to 'templates') diff --git a/scripts/vpn-config.pl b/scripts/vpn-config.pl index 4267564..6a9063f 100755 --- a/scripts/vpn-config.pl +++ b/scripts/vpn-config.pl @@ -817,7 +817,7 @@ if ($vcVPN->exists('ipsec')) { # Allow the user for force UDP encapsulation for the ESP # payload. # - my $forceencaps = $vcVPN->returnValue("ipsec site-to-site $peer force-encapsulation"); + my $forceencaps = $vcVPN->returnValue("ipsec site-to-site peer $peer force-encapsulation"); if (defined($forceencaps)) { if ($forceencaps eq 'enable') { $genout .= "\tforceencaps=yes\n"; diff --git a/templates/vpn/ipsec/site-to-site/peer/node.tag/force-encapsulation/node.def b/templates/vpn/ipsec/site-to-site/peer/node.tag/force-encapsulation/node.def index 0015add..bc71729 100644 --- a/templates/vpn/ipsec/site-to-site/peer/node.tag/force-encapsulation/node.def +++ b/templates/vpn/ipsec/site-to-site/peer/node.tag/force-encapsulation/node.def @@ -1,6 +1,6 @@ help: Force UDP Encapsulation for ESP Payloads type: txt syntax:expression: $VAR(@) in "enable", "disable"; "Must be enable or disable" -val_help: enable; This endpoint will not force UDP encapsulation for this peer -val_help: disable; This endpoint will force UDP encapsulation for this peer +val_help: enable; This endpoint will force UDP encapsulation for this peer +val_help: disable; This endpoint will not force UDP encapsulation for this peer -- cgit v1.2.3 From bbd5b2a113cb64c872142b236b35c650804271eb Mon Sep 17 00:00:00 2001 
From: Kim Hagen Date: Tue, 9 Feb 2016 04:10:31 -0500 Subject: Use dhcp instead of dhcp3. --- Makefile.am | 4 ++-- scripts/vpn-config.pl | 2 +- .../vpn/ipsec/site-to-site/peer/node.tag/dhcp-interface/node.def | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) (limited to 'templates') diff --git a/Makefile.am b/Makefile.am index 7ae1717..ff81363 100644 --- a/Makefile.am +++ b/Makefile.am @@ -31,9 +31,9 @@ install-exec-hook: cd templates; $(cpiop) $(DESTDIR)$(cfgdir) mkdir -p $(DESTDIR)/etc/ppp/ip-up.d mkdir -p $(DESTDIR)/etc/ppp/ip-down.d - mkdir -p $(DESTDIR)/etc/dhcp3/dhclient-exit-hooks.d/ + mkdir -p $(DESTDIR)/etc/dhcp/dhclient-exit-hooks.d/ mkdir -p $(DESTDIR)/usr/lib/ipsec/ cp scripts/vpn-ppp-up $(DESTDIR)/etc/ppp/ip-up.d/ cp scripts/vpn-ppp-down $(DESTDIR)/etc/ppp/ip-down.d/ - cp scripts/ipsecd-dhclient-hook $(DESTDIR)/etc/dhcp3/dhclient-exit-hooks.d/ipsecd + cp scripts/ipsecd-dhclient-hook $(DESTDIR)/etc/dhcp/dhclient-exit-hooks.d/ipsecd cp scripts/vti-up-down $(DESTDIR)/usr/lib/ipsec/ diff --git a/scripts/vpn-config.pl b/scripts/vpn-config.pl index 7d0289c..635c416 100755 --- a/scripts/vpn-config.pl +++ b/scripts/vpn-config.pl @@ -1567,7 +1567,7 @@ sub dhcp_hook { /opt/vyatta/bin/sudo-users/vyatta-ipsec-dhcp.pl --interface=\"\$interface\" --new_ip=\"\$new_ip_address\" --reason=\"\$reason\" --old_ip=\"\$old_ip_address\" EOS } - my $hook = "/etc/dhcp3/dhclient-exit-hooks.d/ipsecd"; + my $hook = "/etc/dhcp/dhclient-exit-hooks.d/ipsecd"; open my $dhcp_hook, '>', $hook or die "cannot open $hook"; print ${dhcp_hook} $str; diff --git a/templates/vpn/ipsec/site-to-site/peer/node.tag/dhcp-interface/node.def b/templates/vpn/ipsec/site-to-site/peer/node.tag/dhcp-interface/node.def index a25e076..026b175 100644 --- a/templates/vpn/ipsec/site-to-site/peer/node.tag/dhcp-interface/node.def +++ b/templates/vpn/ipsec/site-to-site/peer/node.tag/dhcp-interface/node.def 
@@ -2,6 +2,6 @@ type: txt help: DHCP interface to listen on allowed: local -a array ; - array=( /var/lib/dhcp3/eth* /var/lib/dhcp3/br* /var/lib/dhcp3/bond* ) ; + array=( /var/lib/dhcp/eth* /var/lib/dhcp/br* /var/lib/dhcp/bond* ) ; echo -n ${array[@]##*/} -- cgit v1.2.3 From 8353f0f8fc746c69d6006e5bba9baf45afe16385 Mon Sep 17 00:00:00 2001 From: Kim Hagen Date: Thu, 11 Feb 2016 08:54:39 -0500 Subject: Set default pfs and ike dh group. (required by strongswan charon) --- scripts/vpn-config.pl | 95 +++++++++------------- .../vpn/ipsec/esp-group/node.tag/pfs/node.def | 7 +- .../node.tag/proposal/node.tag/dh-group/node.def | 5 +- 3 files changed, 44 insertions(+), 63 deletions(-) (limited to 'templates') diff --git a/scripts/vpn-config.pl b/scripts/vpn-config.pl index 5c00e08..5502156 100755 --- a/scripts/vpn-config.pl +++ b/scripts/vpn-config.pl 
@@ -928,6 +928,44 @@ if ($vcVPN->exists('ipsec')) { if (defined($encryption) && defined($hash)) { $genout .= "$encryption-$hash"; } + + # + # Perfect Forward Secrecy + # + my $pfs = $vcVPN->returnValue("ipsec esp-group $esp_group pfs"); + if (defined($pfs)) { + if ($pfs eq 'dh-group2') { + $genout .= "-modp1024"; + } elsif ($pfs eq 'dh-group5') { + $genout .= "-modp1536"; + } elsif ($pfs eq 'dh-group14') { + $genout .= "-modp2048"; + } elsif ($pfs eq 'dh-group15') { + $genout .= "-modp3072"; + } elsif ($pfs eq 'dh-group16') { + $genout .= "-modp4096"; + } elsif ($pfs eq 'dh-group17') { + $genout .= "-modp6144"; + } elsif ($pfs eq 'dh-group18') { + $genout .= "-modp8192"; + } elsif ($pfs eq 'dh-group19') { + $genout .= "-ecp256"; + } elsif ($pfs eq 'dh-group20') { + $genout .= "-ecp384"; + } elsif ($pfs eq 'dh-group21') { + $genout .= "-ecp521"; + } elsif ($pfs eq 'dh-group22') { + $genout .= "-modp1024s160"; + } elsif ($pfs eq 'dh-group23') { + $genout .= "-modp2048s224"; + } elsif ($pfs eq 'dh-group24') { + $genout .= "-modp2048s256"; + } elsif ($pfs eq 'dh-group25') { + $genout .= "-ecp192"; + } elsif ($pfs eq 'dh-group26') { + $genout .= "-ecp224"; + } + } } $genout .= "!\n"; 
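Review bot: The fifteen-way `elsif` chain only maps a `dh-groupN` token to a strongSwan group name; a lookup hash `my %dh_name_of = ('dh-group2' => 'modp1024', 'dh-group5' => 'modp1536', … );` followed by `$genout .= "-$dh_name_of{$pfs}" if defined $dh_name_of{$pfs};` says the same in three lines and, if the ike-group dh-group code uses the same table, cannot drift from it. With this change `pfs disable` appends nothing, which relies on charon treating a proposal without a DH group as no PFS — correct for strongSwan 5 as far as I know, but worth a comment now that the explicit `pfs=no` line is gone. Note that the next commit on this page reverts this change entirely. The enclosing esp-group loop starts outside the hunk.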
@@ -970,63 +1008,6 @@ if ($vcVPN->exists('ipsec')) { } $genout .= "\ttype=$espmode\n"; - # - # Perfect Forward Secrecy - # - my $pfs = $vcVPN->returnValue("ipsec esp-group $esp_group pfs"); - if (defined($pfs)) { - if ($pfs eq 'enable') { - $genout .= "\tpfs=yes\n"; - } elsif ($pfs eq 'dh-group2') { - $genout .= "\tpfs=yes\n"; - $genout .= "\tpfsgroup=modp1024\n"; - } elsif ($pfs eq 'dh-group5') { - $genout .= "\tpfs=yes\n"; - $genout .= "\tpfsgroup=modp1536\n"; - } elsif ($pfs eq 'dh-group14') { - $genout .= "\tpfs=yes\n"; - $genout .= "\tpfsgroup=modp2048\n"; - } elsif ($pfs eq 'dh-group15') { - $genout .= "\tpfs=yes\n"; - $genout .= "\tpfsgroup=modp3072\n"; - } elsif ($pfs eq 'dh-group16') { - $genout .= "\tpfs=yes\n"; - $genout .= "\tpfsgroup=modp4096\n"; - } elsif ($pfs eq 'dh-group17') { - $genout .= "\tpfs=yes\n"; - $genout .= "\tpfsgroup=modp6144\n"; - } elsif ($pfs eq 'dh-group18') { - $genout .= "\tpfs=yes\n"; - $genout .= "\tpfsgroup=modp8192\n"; - } elsif ($pfs eq 'dh-group19') { - $genout .= "\tpfs=yes\n"; - $genout .= "\tpfsgroup=ecp256\n"; - } elsif ($pfs eq 'dh-group20') { - $genout .= "\tpfs=yes\n"; - $genout .= "\tpfsgroup=ecp384\n"; - } elsif ($pfs eq 'dh-group21') { - $genout .= "\tpfs=yes\n"; - $genout .= "\tpfsgroup=ecp521\n"; - } elsif ($pfs eq 'dh-group22') { - $genout .= "\tpfs=yes\n"; - $genout .= "\tpfsgroup=modp1024s160\n"; - } elsif ($pfs eq 'dh-group23') { - $genout .= "\tpfs=yes\n"; - $genout .= "\tpfsgroup=modp2048s224\n"; - } elsif ($pfs eq 'dh-group24') { - $genout .= "\tpfs=yes\n"; - $genout .= "\tpfsgroup=modp2048s256\n"; - } elsif ($pfs eq 'dh-group25') { - $genout .= "\tpfs=yes\n"; - $genout .= "\tpfsgroup=ecp192\n"; - } elsif ($pfs eq 'dh-group26') { - $genout .= "\tpfs=yes\n"; - $genout .= "\tpfsgroup=ecp224\n"; - } else { - $genout .= "\tpfs=no\n"; - } - } - # # Compression # diff --git a/templates/vpn/ipsec/esp-group/node.tag/pfs/node.def b/templates/vpn/ipsec/esp-group/node.tag/pfs/node.def index 59a46ec..cda2169 100644 
--- a/templates/vpn/ipsec/esp-group/node.tag/pfs/node.def +++ b/templates/vpn/ipsec/esp-group/node.tag/pfs/node.def @@ -1,11 +1,10 @@ help: ESP Perfect Forward Secrecy type: txt -default: "enable" -syntax:expression: $VAR(@) in "enable", "disable", "dh-group2", "dh-group5", "dh-group14", "dh-group15", "dh-group16", "dh-group17", "dh-group18", "dh-group19", "dh-group20", "dh-group21", "dh-group22", "dh-group23", "dh-group24", "dh-group25", "dh-group26"; "must be enable, disable, dh-group2, dh-group5, dh-group14, dh-group15, dh-group16, dh-group17, dh-group18, dh-group19, dh-group20, dh-group21, dh-group22, dh-group23, dh-group24, dh-group25 or dh-group26" -val_help: enable; Enable PFS. Use ike-group's dh-group (default) +default: "dh-group14" +syntax:expression: $VAR(@) in "disable", "dh-group2", "dh-group5", "dh-group14", "dh-group15", "dh-group16", "dh-group17", "dh-group18", "dh-group19", "dh-group20", "dh-group21", "dh-group22", "dh-group23", "dh-group24", "dh-group25", "dh-group26"; "must be enable, disable, dh-group2, dh-group5, dh-group14, dh-group15, dh-group16, dh-group17, dh-group18, dh-group19, dh-group20, dh-group21, dh-group22, dh-group23, dh-group24, dh-group25 or dh-group26" val_help: dh-group2; Enable PFS. Use Diffie-Hellman group 2 (modp1024) val_help: dh-group5; Enable PFS. Use Diffie-Hellman group 5 (modp1536) -val_help: dh-group14; Enable PFS. Use Diffie-Hellman group 14 (modp2048) +val_help: dh-group14; Enable PFS. Use Diffie-Hellman group 14 (modp2048) (default) val_help: dh-group15; Enable PFS. Use Diffie-Hellman group 15 (modp3072) val_help: dh-group16; Enable PFS. Use Diffie-Hellman group 16 (modp4096) val_help: dh-group17; Enable PFS. Use Diffie-Hellman group 17 (modp6144) diff --git a/templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/dh-group/node.def b/templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/dh-group/node.def index 307dc09..3ff5646 100644 
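Review bot: `enable` is removed from the accepted values but the error message still begins `must be enable, disable, …`, and every configuration saved with the previous default `pfs enable` now fails validation after upgrade; either keep `enable` as an alias that vpn-config.pl maps to the ike-group's dh-group, or add a migration and fix the message to `"must be disable, dh-group2, …"`. The `val_help` for `disable` is not in the hunk; if it exists it should say that turning PFS off is not recommended, since the new default makes that the only way to lose forward secrecy.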
--- a/templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/dh-group/node.def +++ b/templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/dh-group/node.def @@ -1,9 +1,10 @@ -help: Diffie-Hellman (DH) key exchange group +help: Diffie-Hellman (DH) key exchange group [REQUIRED] type: u32 +default: 14 syntax:expression: ($VAR(@) == 2 || $VAR(@) == 5 || ($VAR(@) >= 14 && $VAR(@) <= 26)); "must be 2, 5 or 14 through 26" val_help: 2; DH group 2 (modp1024) val_help: 5; DH group 5 (modp1536) -val_help: 14; DH group 14 (modp2048) +val_help: 14; DH group 14 (modp2048) (default) val_help: 15; DH group 15 (modp3072) val_help: 16; DH group 16 (modp4096) val_help: 17; DH group 17 (modp6144) -- cgit v1.2.3 From 849551db87c42494d7c44fd463aebba003ba978e Mon Sep 17 00:00:00 2001 From: Kim Hagen Date: Thu, 11 Feb 2016 12:17:34 -0500 Subject: Revert "Set default pfs and ike dh group. (required by strongswan charon)" This reverts commit 8353f0f8fc746c69d6006e5bba9baf45afe16385. --- scripts/vpn-config.pl | 95 +++++++++++++--------- .../vpn/ipsec/esp-group/node.tag/pfs/node.def | 7 +- .../node.tag/proposal/node.tag/dh-group/node.def | 5 +- 3 files changed, 63 insertions(+), 44 deletions(-) (limited to 'templates') diff --git a/scripts/vpn-config.pl b/scripts/vpn-config.pl index 5502156..5c00e08 100755 --- a/scripts/vpn-config.pl +++ b/scripts/vpn-config.pl 
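Review bot: `help: … [REQUIRED]` and the new `default: 14` contradict each other: a node with a default is never required, and the bracketed tag will be read as "you must set this". Drop `[REQUIRED]` or the default. If the intent is that charon needs a DH group in every IKE proposal, as the commit subject says, the default already guarantees that and the help could simply read `Diffie-Hellman (DH) key exchange group (default 14)`.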
@@ -928,44 +928,6 @@ if ($vcVPN->exists('ipsec')) { if (defined($encryption) && defined($hash)) { $genout .= "$encryption-$hash"; } - - # - # Perfect Forward Secrecy - # - my $pfs = $vcVPN->returnValue("ipsec esp-group $esp_group pfs"); - if (defined($pfs)) { - if ($pfs eq 'dh-group2') { - $genout .= "-modp1024"; - } elsif ($pfs eq 'dh-group5') { - $genout .= "-modp1536"; - } elsif ($pfs eq 'dh-group14') { - $genout .= "-modp2048"; - } elsif ($pfs eq 'dh-group15') { - $genout .= "-modp3072"; - } elsif ($pfs eq 'dh-group16') { - $genout .= "-modp4096"; - } elsif ($pfs eq 'dh-group17') { - $genout .= "-modp6144"; - } elsif ($pfs eq 'dh-group18') { - $genout .= "-modp8192"; - } elsif ($pfs eq 'dh-group19') { - $genout .= "-ecp256"; - } elsif ($pfs eq 'dh-group20') { - $genout .= "-ecp384"; - } elsif ($pfs eq 'dh-group21') { - $genout .= "-ecp521"; - } elsif ($pfs eq 'dh-group22') { - $genout .= "-modp1024s160"; - } elsif ($pfs eq 'dh-group23') { - $genout .= "-modp2048s224"; - } elsif ($pfs eq 'dh-group24') { - $genout .= "-modp2048s256"; - } elsif ($pfs eq 'dh-group25') { - $genout .= "-ecp192"; - } elsif ($pfs eq 'dh-group26') { - $genout .= "-ecp224"; - } - } } $genout .= "!\n"; 
@@ -1008,6 +970,63 @@ if ($vcVPN->exists('ipsec')) { } $genout .= "\ttype=$espmode\n"; + # + # Perfect Forward Secrecy + # + my $pfs = $vcVPN->returnValue("ipsec esp-group $esp_group pfs"); + if (defined($pfs)) { + if ($pfs eq 'enable') { + $genout .= "\tpfs=yes\n"; + } elsif ($pfs eq 'dh-group2') { + $genout .= "\tpfs=yes\n"; + $genout .= "\tpfsgroup=modp1024\n"; + } elsif ($pfs eq 'dh-group5') { + $genout .= "\tpfs=yes\n"; + $genout .= "\tpfsgroup=modp1536\n"; + } elsif ($pfs eq 'dh-group14') { + $genout .= "\tpfs=yes\n"; + $genout .= "\tpfsgroup=modp2048\n"; + } elsif ($pfs eq 'dh-group15') { + $genout .= "\tpfs=yes\n"; + $genout .= "\tpfsgroup=modp3072\n"; + } elsif ($pfs eq 'dh-group16') { + $genout .= "\tpfs=yes\n"; + $genout .= "\tpfsgroup=modp4096\n"; + } elsif ($pfs eq 'dh-group17') { + $genout .= "\tpfs=yes\n"; + $genout .= "\tpfsgroup=modp6144\n"; + } elsif ($pfs eq 'dh-group18') { + $genout .= "\tpfs=yes\n"; + $genout .= "\tpfsgroup=modp8192\n"; + } elsif ($pfs eq 'dh-group19') { + $genout .= "\tpfs=yes\n"; + $genout .= "\tpfsgroup=ecp256\n"; + } elsif ($pfs eq 'dh-group20') { + $genout .= "\tpfs=yes\n"; + $genout .= "\tpfsgroup=ecp384\n"; + } elsif ($pfs eq 'dh-group21') { + $genout .= "\tpfs=yes\n"; + $genout .= "\tpfsgroup=ecp521\n"; + } elsif ($pfs eq 'dh-group22') { + $genout .= "\tpfs=yes\n"; + $genout .= "\tpfsgroup=modp1024s160\n"; + } elsif ($pfs eq 'dh-group23') { + $genout .= "\tpfs=yes\n"; + $genout .= "\tpfsgroup=modp2048s224\n"; + } elsif ($pfs eq 'dh-group24') { + $genout .= "\tpfs=yes\n"; + $genout .= "\tpfsgroup=modp2048s256\n"; + } elsif ($pfs eq 'dh-group25') { + $genout .= "\tpfs=yes\n"; + $genout .= "\tpfsgroup=ecp192\n"; + } elsif ($pfs eq 'dh-group26') { + $genout .= "\tpfs=yes\n"; + $genout .= "\tpfsgroup=ecp224\n"; + } else { + $genout .= "\tpfs=no\n"; + } + } + # # Compression # diff --git a/templates/vpn/ipsec/esp-group/node.tag/pfs/node.def b/templates/vpn/ipsec/esp-group/node.tag/pfs/node.def index cda2169..59a46ec 100644 
--- a/templates/vpn/ipsec/esp-group/node.tag/pfs/node.def +++ b/templates/vpn/ipsec/esp-group/node.tag/pfs/node.def @@ -1,10 +1,11 @@ help: ESP Perfect Forward Secrecy type: txt -default: "dh-group14" -syntax:expression: $VAR(@) in "disable", "dh-group2", "dh-group5", "dh-group14", "dh-group15", "dh-group16", "dh-group17", "dh-group18", "dh-group19", "dh-group20", "dh-group21", "dh-group22", "dh-group23", "dh-group24", "dh-group25", "dh-group26"; "must be enable, disable, dh-group2, dh-group5, dh-group14, dh-group15, dh-group16, dh-group17, dh-group18, dh-group19, dh-group20, dh-group21, dh-group22, dh-group23, dh-group24, dh-group25 or dh-group26" +default: "enable" +syntax:expression: $VAR(@) in "enable", "disable", "dh-group2", "dh-group5", "dh-group14", "dh-group15", "dh-group16", "dh-group17", "dh-group18", "dh-group19", "dh-group20", "dh-group21", "dh-group22", "dh-group23", "dh-group24", "dh-group25", "dh-group26"; "must be enable, disable, dh-group2, dh-group5, dh-group14, dh-group15, dh-group16, dh-group17, dh-group18, dh-group19, dh-group20, dh-group21, dh-group22, dh-group23, dh-group24, dh-group25 or dh-group26" +val_help: enable; Enable PFS. Use ike-group's dh-group (default) val_help: dh-group2; Enable PFS. Use Diffie-Hellman group 2 (modp1024) val_help: dh-group5; Enable PFS. Use Diffie-Hellman group 5 (modp1536) -val_help: dh-group14; Enable PFS. Use Diffie-Hellman group 14 (modp2048) (default) +val_help: dh-group14; Enable PFS. Use Diffie-Hellman group 14 (modp2048) val_help: dh-group15; Enable PFS. Use Diffie-Hellman group 15 (modp3072) val_help: dh-group16; Enable PFS. Use Diffie-Hellman group 16 (modp4096) val_help: dh-group17; Enable PFS. Use Diffie-Hellman group 17 (modp6144) diff --git a/templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/dh-group/node.def b/templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/dh-group/node.def index 3ff5646..307dc09 100644 
--- a/templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/dh-group/node.def +++ b/templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/dh-group/node.def @@ -1,10 +1,9 @@ -help: Diffie-Hellman (DH) key exchange group [REQUIRED] +help: Diffie-Hellman (DH) key exchange group type: u32 -default: 14 syntax:expression: ($VAR(@) == 2 || $VAR(@) == 5 || ($VAR(@) >= 14 && $VAR(@) <= 26)); "must be 2, 5 or 14 through 26" val_help: 2; DH group 2 (modp1024) val_help: 5; DH group 5 (modp1536) -val_help: 14; DH group 14 (modp2048) (default) +val_help: 14; DH group 14 (modp2048) val_help: 15; DH group 15 (modp3072) val_help: 16; DH group 16 (modp4096) val_help: 17; DH group 17 (modp6144) -- cgit v1.2.3 From 9118f812de63247b4d4ee9e4262d040090697bea Mon Sep 17 00:00:00 2001 From: Kim Hagen Date: Wed, 24 Feb 2016 07:46:58 -0500 Subject: remove reference to dmvpn.secrets and chang dmvpn.conf to swanctl.conf --- scripts/vpn-config.pl | 16 +++++----------- templates/vpn/node.def | 3 +-- 2 files changed, 6 insertions(+), 13 deletions(-) (limited to 'templates') diff --git a/scripts/vpn-config.pl b/scripts/vpn-config.pl index b913783..75d0e91 100755 --- a/scripts/vpn-config.pl +++ b/scripts/vpn-config.pl 
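Review bot: Removing `default: 14` and the `[REQUIRED]` tag in the same hunk leaves `dh-group` neither defaulted nor mandatory, so the template no longer guarantees that an IKE proposal carries a DH group at all. The commit being reverted described that default as required by charon; if that is accurate, a proposal without `dh-group` now has to be rejected or defaulted in vpn-config.pl, which is not visible here. If the node is meant to stay optional, the help text should say what an omitted value means, e.g. `help: Diffie-Hellman (DH) key exchange group (no default; set explicitly)`.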
@@ -1146,17 +1146,11 @@ if ($vcVPN->exists('ipsec')) { } $genout .= "\ninclude $custom_include\n"; } - if (defined($custom_secrets)) { - if ( ! -e $custom_secrets) { - vpn_die(["vpn","ipsec","include-ipsec-secrets"],"$vpn_cfg_err The specified file for inclusion inside ipsec.secrets does not exist."); - } - $genout_secrets .= "\ninclude $custom_secrets\n"; - } - if (-e '/etc/dmvpn.conf') { - $genout .= "\ninclude /etc/dmvpn.conf\n"; - } - if (-e '/etc/dmvpn.secrets') { - $genout_secrets .= "\ninclude /etc/dmvpn.secrets\n"; + if (defined($custom_secrets)) { + if ( ! -e $custom_secrets) { + vpn_die(["vpn","ipsec","include-ipsec-secrets"],"$vpn_cfg_err The specified file for inclusion inside ipsec.secrets does not exist."); + } + $genout_secrets .= "\ninclude $custom_secrets\n"; } } else { diff --git a/templates/vpn/node.def b/templates/vpn/node.def index 7c6b56a..ae2d6a9 100644 --- a/templates/vpn/node.def +++ b/templates/vpn/node.def @@ -2,8 +2,7 @@ priority: 900 help: Virtual Private Network (VPN) end:sudo /opt/vyatta/sbin/vyatta-vti-config.pl || exit 1 sudo /opt/vyatta/sbin/dmvpn-config.pl \ - --config_file='/etc/dmvpn.conf' \ - --secrets_file='/etc/dmvpn.secrets' \ + --config_file='/etc/swanctl/swanctl.conf' \ --init_script='/etc/init.d/ipsec' || exit 1 sudo /opt/vyatta/sbin/vyos-update-nhrp.pl --set_ipsec || exit 1 sudo /opt/vyatta/sbin/vpn-config.pl \ -- cgit v1.2.3 From ff15bdcdeda459bb7cf5de450d02ea2cee53041c Mon Sep 17 00:00:00 2001 From: Daniil Baturin Date: Fri, 13 Oct 2017 01:35:59 +0200 Subject: T423: use listNodes rather than listActiveNodes to enable completion for uncommited IKE and ESP groups. --- .../vpn/ipsec/site-to-site/peer/node.tag/default-esp-group/node.def | 2 +- templates/vpn/ipsec/site-to-site/peer/node.tag/ike-group/node.def | 2 +- .../ipsec/site-to-site/peer/node.tag/tunnel/node.tag/esp-group/node.def | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) (limited to 'templates') 
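Review bot: The re-indented check `if ( ! -e $custom_secrets) {` only tests that the path exists, so a directory or a special file passes and ends up in `include $custom_secrets` inside the generated secrets; `if ( ! -f $custom_secrets ) {` restricts it to regular files, and the `vpn_die` message could then say "is not a regular file" rather than "does not exist". The `include $custom_include` line above it is emitted under a check that sits outside the hunk; if that check has the same shape it wants the same change. The enclosing `if ($vcVPN->exists('ipsec'))` block starts and ends outside the hunk.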
diff --git a/templates/vpn/ipsec/site-to-site/peer/node.tag/default-esp-group/node.def b/templates/vpn/ipsec/site-to-site/peer/node.tag/default-esp-group/node.def index f754c32..d389bab 100644 --- a/templates/vpn/ipsec/site-to-site/peer/node.tag/default-esp-group/node.def +++ b/templates/vpn/ipsec/site-to-site/peer/node.tag/default-esp-group/node.def @@ -1,4 +1,4 @@ help: Defult ESP group name type: txt -allowed: cli-shell-api listActiveNodes vpn ipsec esp-group +allowed: cli-shell-api listNodes vpn ipsec esp-group diff --git a/templates/vpn/ipsec/site-to-site/peer/node.tag/ike-group/node.def b/templates/vpn/ipsec/site-to-site/peer/node.tag/ike-group/node.def index 343f1fb..146805c 100644 --- a/templates/vpn/ipsec/site-to-site/peer/node.tag/ike-group/node.def +++ b/templates/vpn/ipsec/site-to-site/peer/node.tag/ike-group/node.def @@ -1,3 +1,3 @@ help: Internet Key Exchange (IKE) group name [REQUIRED] type: txt -allowed: cli-shell-api listActiveNodes vpn ipsec ike-group +allowed: cli-shell-api listNodes vpn ipsec ike-group diff --git a/templates/vpn/ipsec/site-to-site/peer/node.tag/tunnel/node.tag/esp-group/node.def b/templates/vpn/ipsec/site-to-site/peer/node.tag/tunnel/node.tag/esp-group/node.def index d773b96..16300c5 100644 --- a/templates/vpn/ipsec/site-to-site/peer/node.tag/tunnel/node.tag/esp-group/node.def +++ b/templates/vpn/ipsec/site-to-site/peer/node.tag/tunnel/node.tag/esp-group/node.def @@ -1,3 +1,3 @@ help: ESP group name type: txt -allowed: cli-shell-api listActiveNodes vpn ipsec esp-group +allowed: cli-shell-api listNodes vpn ipsec esp-group -- cgit v1.2.3 From 1d0a489519e0f67985b5b92ebaf2723b826aef20 Mon Sep 17 00:00:00 2001 
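Review bot: The first hunk's help line still reads `help: Defult ESP group name`; since this string is shown in CLI completion it should be `help: Default ESP group name`. The listActiveNodes to listNodes switch itself is the same one-word change in all three hunks and needs no further comment.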
From: unixninja92 Date: Tue, 20 Feb 2018 20:52:19 -0500 Subject: Lowered minimum DPD interval and timeout as per T542 --- .../ike-group/node.tag/dead-peer-detection/interval/node.def | 6 +++--- .../ipsec/ike-group/node.tag/dead-peer-detection/timeout/node.def | 8 +++----- 2 files changed, 6 insertions(+), 8 deletions(-) (limited to 'templates') diff --git a/templates/vpn/ipsec/ike-group/node.tag/dead-peer-detection/interval/node.def b/templates/vpn/ipsec/ike-group/node.tag/dead-peer-detection/interval/node.def index 4fdebe9..e6175c9 100644 --- a/templates/vpn/ipsec/ike-group/node.tag/dead-peer-detection/interval/node.def +++ b/templates/vpn/ipsec/ike-group/node.tag/dead-peer-detection/interval/node.def @@ -1,5 +1,5 @@ help: Keep-alive interval -type: u32 +type: u32 default: 30 -syntax:expression: ($VAR(@) >= 15 && $VAR(@) <= 86400) ; "must be between 15-86400 seconds" -val_help: u32:15-86400; Keep-alive interval in seconds (default 30) +syntax:expression: ($VAR(@) >= 2 && $VAR(@) <= 86400) ; "must be between 2-86400 seconds" +val_help: u32:2-86400; Keep-alive interval in seconds (default 30) diff --git a/templates/vpn/ipsec/ike-group/node.tag/dead-peer-detection/timeout/node.def b/templates/vpn/ipsec/ike-group/node.tag/dead-peer-detection/timeout/node.def index 939be1c..3378cb5 100644 --- a/templates/vpn/ipsec/ike-group/node.tag/dead-peer-detection/timeout/node.def +++ b/templates/vpn/ipsec/ike-group/node.tag/dead-peer-detection/timeout/node.def @@ -1,7 +1,5 @@ help: Keep-alive timeout -type: u32 +type: u32 default: 120 -syntax:expression: ($VAR(@) >= 30 && $VAR(@) <= 86400) ; "must be between 30-86400 seconds" -val_help: u32:30-86400; Keep-alive timeout in seconds (default 120) - - +syntax:expression: ($VAR(@) >= 10 && $VAR(@) <= 86400) ; "must be between 10-86400 seconds" +val_help: u32:10-86400; Keep-alive timeout in seconds (default 120) -- cgit v1.2.3 From 90daa5e2cf02ffd3fd5936b4f372f1e85ab62ef6 Mon Sep 17 00:00:00 2001 
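Review bot: In both hunks the `type: u32` line is removed and re-added with no visible difference, which suggests trailing whitespace or a line-ending change was introduced; that line should be left out of the change so the diff shows only the range edits. Nothing in either template ties the two minima together, so with interval down to 2 and timeout down to 10 a timeout shorter than the interval is now expressible; if the template syntax cannot compare the two, vpn-config.pl (not visible here) would be the place to reject it. The `val_help` ranges do track the new `syntax:expression` bounds, which is good.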
From: Daniil Baturin Date: Sun, 3 Jun 2018 05:32:19 +0200 Subject: T674: set DH group default in IKE groups to 2. Using the default: tag in the template for now, this issue should be addressed properly when we get to rewriting IPsec scripts. --- .../vpn/ipsec/ike-group/node.tag/proposal/node.tag/dh-group/node.def | 1 + 1 file changed, 1 insertion(+) (limited to 'templates') diff --git a/templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/dh-group/node.def b/templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/dh-group/node.def index 307dc09..32deb66 100644 --- a/templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/dh-group/node.def +++ b/templates/vpn/ipsec/ike-group/node.tag/proposal/node.tag/dh-group/node.def @@ -1,5 +1,6 @@ help: Diffie-Hellman (DH) key exchange group type: u32 +default: 2 syntax:expression: ($VAR(@) == 2 || $VAR(@) == 5 || ($VAR(@) >= 14 && $VAR(@) <= 26)); "must be 2, 5 or 14 through 26" val_help: 2; DH group 2 (modp1024) val_help: 5; DH group 5 (modp1536) -- cgit v1.2.3
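Review bot: `default: 2` selects modp1024, the weakest group the syntax accepts, and 1024-bit MODP is generally regarded as too small for new deployments; the earlier default on this page was 14 (modp2048). The commit message frames this as a stopgap, so at minimum the help should steer users away from it, e.g. `val_help: 2; DH group 2 (modp1024) (default; legacy, prefer 14 or higher)` alongside the existing `val_help: 2` line. If the default exists for interoperability with older peers, saying so in the help text keeps that reasoning with the setting.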