vyos-1x.git/data/templates/ipsec, branch T6674-circ-trigger VyOS command definitions, scripts, and utilities (mirror of https://github.com/vyos/vyos-1x.git) https://git.amelek.net/vyos/vyos-1x.git/atom?h=T6674-circ-trigger 2024-08-01T05:52:51+00:00 T6617: T6618: vpn ipsec remote-access: fix profile generators 2024-08-01T05:52:51+00:00 Lucas Christian lucas@lucasec.com 2024-07-30T06:22:05+00:00 urn:sha1:1171e3d359cc2718afc80fccfc99c7ecccf95dbd (cherry picked from commit e97d86e619e134f4dfda06efb7df4a3296d17b95) T6599: ipsec: support disabling rekey of CHILD_SA. 2024-07-22T10:28:04+00:00 Lucas Christian lucas@lucasec.com 2024-07-21T02:29:14+00:00 urn:sha1:842e4c20300de3e0ebeabdb5761d50a077cfbd27 Also adds support for life_bytes, life_packets, and DPD for remote-access connections. Changes behavior of remote-access esp-group lifetime setting to have parity with site-to-site connections. (cherry picked from commit fd5d7ff0b4fd69b248ecb29c6ec1f3cf844c41cf) op-mode: T6424: ipsec: honor certificate CN and CA chain during profile generation 2024-06-09T20:03:50+00:00 Christian Breunig christian@breunig.cc 2024-06-09T12:39:45+00:00 urn:sha1:d65f43589612c30dfaa5ce30aca5b8b48bf73211 In e6fe6e50a5c ("op-mode: ipsec: T6407: fix profile generation") we fixed support for multiple CAs when dealing with the generation of Apple IOS profiles. This commit extends support to properly include the common name of the server certificate issuer and all it's paren't CAs. A list of parent CAs is automatically generated from the "PKI" subsystem content and embedded into the resulting profile. op-mode: ipsec: T6407: fix profile generation 2024-05-30T09:20:56+00:00 Christian Breunig christian@breunig.cc 2024-05-30T09:20:56+00:00 urn:sha1:e6fe6e50a5c817e18c453e7bc42bb2e1c4b17671 Commit 952b1656f51 ("ipsec: T5606: T5871: Use multi node for CA certificates") added support for multiple CA certificates which broke the OP mode command to generate the IPSec profiles as it did not expect a list and was rather working on a string. Now multiple CAs can be rendered into the Apple IOS profile. T6237: IPSec remote access VPN: ability to set EAP ID of clients 2024-04-21T20:59:56+00:00 Alex W embezzle.dev@proton.me 2024-04-21T20:59:56+00:00 urn:sha1:78ea623df20b44309cc6ac9848ed18e97fc4ed03 T5871: ipsec remote access VPN: specify "cacerts" for client auth. 2024-04-12T04:12:34+00:00 Lucas Christian lucas@lucasec.com 2023-12-29T06:08:36+00:00 urn:sha1:ecc83562b4d756cc50910561a3f52ec260aeb478 T5872: re-write exit hook to always regenerate config 2024-03-12T06:08:40+00:00 Lucas Christian lucas@lucasec.com 2024-03-10T18:39:19+00:00 urn:sha1:679b78356cbda4de15f96a7f22d4a98037dbeea4 T5872: fix ipsec dhclient exit hook 2024-03-10T18:40:23+00:00 Lucas Christian lucas@lucasec.com 2024-02-09T06:04:16+00:00 urn:sha1:cd8ef21f280f726955f537132e3fab2bcb3c286f T5872: ipsec remote access VPN: support dhcp-interface. 2024-03-10T18:40:23+00:00 Lucas Christian lucas@lucasec.com 2023-12-29T06:11:26+00:00 urn:sha1:f7834324d3d9edd7e161e7f2f3868452997c9c81 ipsec: T5998: add replay-windows setting 2024-02-03T12:01:02+00:00 Christian Breunig christian@breunig.cc 2024-02-02T19:44:29+00:00 urn:sha1:4d943d8fbf1253154897179b0e3ea2d93b898197 The replay_window for child SA will always be 32 (hence enabled). Add a CLI node to explicitly change this. * set vpn ipsec site-to-site peer <name> replay-window <0-2040>