VyOS command definitions, scripts, and utilities (mirror of https://github.com/vyos/vyos-1x.git) https://git.amelek.net/vyos/vyos-1x.git/atom?h=1.4.0-rc2 2023-12-30T21:58:26+00:00 2023-12-30T21:58:26+00:00 Lucas Christian lucas@lucasec.com 2023-12-29T06:07:07+00:00 urn:sha1:6cfcef98b8a8fbfa107ecfbb741cfb268ea8340f (cherry picked from commit 656934e85cee799dba5b495d143f6be445ac22d5) 2023-02-15T11:57:25+00:00 sarthurdev 965089+sarthurdev@users.noreply.github.com 2023-02-15T11:57:25+00:00 urn:sha1:45b16864b11ea49087ce4a279e2c0e741a97c0ee Not supported with swanctl 2023-01-26T11:28:03+00:00 Viacheslav Hletenko v.gletenko@vyos.io 2023-01-17T11:04:08+00:00 urn:sha1:7ae0b404ad9fdefa856c7e450b224b47d854a4eb Rewrite strongswan IPsec authentication to reflect structure from swanctl.conf The most important change is that more than one local/remote ID in the same auth entry should be allowed replace: 'ipsec site-to-site peer <tag> authentication pre-shared-secret xxx' => 'ipsec authentication psk <tag> secret xxx' set vpn ipsec authentication psk <tag> id '192.0.2.1' set vpn ipsec authentication psk <tag> id '192.0.2.2' set vpn ipsec authentication psk <tag> secret 'xxx' set vpn ipsec site-to-site peer <tag> authentication local-id '192.0.2.1' set vpn ipsec site-to-site peer <tag> authentication mode 'pre-shared-secret' set vpn ipsec site-to-site peer <tag> authentication remote-id '192.0.2.2' Add template filter for Jinja2 'generate_uuid4' 2023-01-12T17:47:53+00:00 Viacheslav Hletenko v.gletenko@vyos.io 2023-01-12T13:00:05+00:00 urn:sha1:01386606982352de7eb51f55acc11c6a58ed4cef If IPsec "peer <tag> authentication remote-id" is not set it should be "%any" by default https://docs.strongswan.org/docs/5.9/swanctl/swanctlConf.html#_connections_conn_remote Set XML default value in use it in the python vpn_ipsec.py script 2022-11-21T18:42:41+00:00 Viacheslav Hletenko v.gletenko@vyos.io 2022-11-21T18:42:41+00:00 urn:sha1:2ac4a8a5fed9db471b7ffac0f54e6741c6f87834 Remote TS for transport mode GRE must be remote-address and not peer name 2022-10-31T14:10:39+00:00 Christian Poessinger christian@poessinger.com 2022-10-31T14:09:58+00:00 urn:sha1:22c3dcbb01d731f0dab0ffefa2e5a0be7009baf1 This enabled users to also use 2FA/MFA authentication with a radius backend as there is enough time to enter the second factor. 2022-09-28T17:35:48+00:00 Christian Poessinger christian@poessinger.com 2022-09-28T17:33:40+00:00 urn:sha1:d5e84fab2e66fb4452516e3a5adc00c6ed772de1 Commit bd4588827b ("ipsec: T4118: Change vpn ipsec syntax for IKE ESP and peer") changed the CLI syntax of ipsec. This resulted in a node not renamed in the op-mode generator when generating IKEv2 IPSec iOS configuration profiles. 2022-09-20T18:32:57+00:00 Christian Poessinger christian@poessinger.com 2022-09-20T18:32:55+00:00 urn:sha1:2eb0ddc54ea8bf50f62cc381eb3356363194c6fd The "authentication id" option for road-warriors did not get migrated to the new local-id CLI node. This has been fixed. 2022-09-16T17:16:42+00:00 Daniil Baturin daniil@vyos.io 2022-09-16T17:16:42+00:00 urn:sha1:748dab43b87c3993bdd5c697e7b778ed7a8e48a1 ipsec: T4118: Change vpn ipsec syntax for IKE ESP and peer 2022-09-16T11:53:41+00:00 Viacheslav Hletenko v.gletenko@vyos.io 2022-08-10T19:51:48+00:00 urn:sha1:bd4588827b563022ce5fb98b1345b787b9194176 Migration and Change boolean nodes "enable/disable" to disable-xxxx, enable-xxxx and just xxx for VPN IPsec configurations - IKE changes: - replace 'ipsec ike-group <tag> mobike disable' => 'ipsec ike-group <tag> disable-mobike' - replace 'ipsec ike-group <tag> ikev2-reauth yes|no' => 'ipsec ike-group <tag> ikev2-reauth' - ESP changes: - replace 'ipsec esp-group <tag> compression enable' => 'ipsec esp-group <tag> compression' - PEER changes: - replace: 'peer <tag> id xxx' => 'peer <tag> local-id xxx' - replace: 'peer <tag> force-encapsulation enable' => 'peer <tag> force-udp-encapsulation' - add option: 'peer <tag> remote-address x.x.x.x' Add 'peer <name> remote-address <name>' via migration script