diff options
| author | Christian Breunig <christian@breunig.cc> | 2023-01-19 08:07:49 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2023-01-19 08:07:49 +0100 |
| commit | 08949c6e85c6fe02bd702894748b41d600ee7d01 (patch) | |
| tree | 74bd5be05b2db07693ea30e12687e91cbab93690 | |
| parent | 56074c22eb7420bdaa12b41e42b61ef1d9583cd3 (diff) | |
| parent | 7a663a75dc8b2f9842b72a05e17240edb4008849 (diff) | |
| download | vyos-1x-08949c6e85c6fe02bd702894748b41d600ee7d01.tar.gz vyos-1x-08949c6e85c6fe02bd702894748b41d600ee7d01.zip | |
Merge pull request #1765 from aapostoliuk/T4925-sagitta
ipsec: T4925: Added PRF into IKE group
| -rw-r--r-- | interface-definitions/vpn-ipsec.xml.in | 39 | ||||
| -rw-r--r-- | python/vyos/template.py | 2 | ||||
| -rwxr-xr-x | smoketest/scripts/cli/test_vpn_ipsec.py | 3 |
3 files changed, 43 insertions, 1 deletions
diff --git a/interface-definitions/vpn-ipsec.xml.in b/interface-definitions/vpn-ipsec.xml.in index fd74a51d7..fa12d999c 100644 --- a/interface-definitions/vpn-ipsec.xml.in +++ b/interface-definitions/vpn-ipsec.xml.in @@ -465,6 +465,45 @@ </properties> <defaultValue>2</defaultValue> </leafNode> + <leafNode name="prf"> + <properties> + <help>Pseudo-Random Functions</help> + <completionHelp> + <list>prfmd5 prfsha1 prfaesxcbc prfaescmac prfsha256 prfsha384 prfsha512</list> + </completionHelp> + <valueHelp> + <format>prfmd5</format> + <description>MD5 PRF</description> + </valueHelp> + <valueHelp> + <format>prfsha1</format> + <description>SHA1 PRF</description> + </valueHelp> + <valueHelp> + <format>prfaesxcbc</format> + <description>AES XCBC PRF</description> + </valueHelp> + <valueHelp> + <format>prfaescmac</format> + <description>AES CMAC PRF</description> + </valueHelp> + <valueHelp> + <format>prfsha256</format> + <description>SHA2_256 PRF</description> + </valueHelp> + <valueHelp> + <format>prfsha384</format> + <description>SHA2_384 PRF</description> + </valueHelp> + <valueHelp> + <format>prfsha512</format> + <description>SHA2_512 PRF</description> + </valueHelp> + <constraint> + <regex>(prfmd5|prfsha1|prfaesxcbc|prfaescmac|prfsha256|prfsha384|prfsha512)</regex> + </constraint> + </properties> + </leafNode> #include <include/vpn-ipsec-encryption.xml.i> #include <include/vpn-ipsec-hash.xml.i> </children> diff --git a/python/vyos/template.py b/python/vyos/template.py index 2a4135f9e..ce9983958 100644 --- a/python/vyos/template.py +++ b/python/vyos/template.py @@ -476,6 +476,8 @@ def get_esp_ike_cipher(group_config, ike_group=None): continue tmp = '{encryption}-{hash}'.format(**proposal) + if 'prf' in proposal: + tmp += '-' + proposal['prf'] if 'dh_group' in proposal: tmp += '-' + pfs_lut[ 'dh-group' + proposal['dh_group'] ] elif 'pfs' in group_config and group_config['pfs'] != 'disable': diff --git a/smoketest/scripts/cli/test_vpn_ipsec.py b/smoketest/scripts/cli/test_vpn_ipsec.py index 46db0bbf5..03780c465 100755 --- a/smoketest/scripts/cli/test_vpn_ipsec.py +++ b/smoketest/scripts/cli/test_vpn_ipsec.py @@ -337,6 +337,7 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase): self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '2', 'dh-group', '2']) self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '2', 'encryption', 'aes256']) self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '2', 'hash', 'sha1']) + self.cli_set(base_path + ['ike-group', ike_group, 'proposal', '2', 'prf', 'prfsha1']) # Profile self.cli_set(base_path + ['profile', 'NHRPVPN', 'authentication', 'mode', 'pre-shared-secret']) @@ -349,7 +350,7 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase): swanctl_conf = read_file(swanctl_file) swanctl_lines = [ - f'proposals = aes128-sha1-modp1024,aes256-sha1-modp1024', + f'proposals = aes128-sha1-modp1024,aes256-sha1-prfsha1-modp1024', f'version = 1', f'rekey_time = {ike_lifetime}s', f'rekey_time = {esp_lifetime}s', |