diff options
author | Christian Poessinger <christian@poessinger.com> | 2021-07-03 15:31:38 +0200 |
---|---|---|
committer | Christian Poessinger <christian@poessinger.com> | 2021-07-03 15:31:38 +0200 |
commit | a1abb118c9eb413f3c78cfb2077f9c0d4b443c3a (patch) | |
tree | 7e44119b3054f54d18e216a8f63e84346e92073d | |
parent | 2d79a5000c8a02fd7570f629c3182fd55fdb8c86 (diff) | |
download | vyos-1x-a1abb118c9eb413f3c78cfb2077f9c0d4b443c3a.tar.gz vyos-1x-a1abb118c9eb413f3c78cfb2077f9c0d4b443c3a.zip |
ipsec: T2816: rework IKE and ESP key assignment
Commit 2d79a500 ("ipsec: T2816: add Jinja2 converter for ESP/IKE groups to
string") added a Jinja2 helper function which can be used to transform VyOS CLI
ESP and IKE key proposals into a strongSwan compatible string cipher.
This commit changes the IPSec implementation to make use of this new Jinja2
filter fubction/Python helper. This is required base work for better automated
tests (smoketests) but also for an IKEv2 road-warrior setup.
-rw-r--r-- | data/templates/ipsec/swanctl.conf.tmpl | 34 | ||||
-rw-r--r-- | data/templates/ipsec/swanctl/peer.tmpl | 24 | ||||
-rw-r--r-- | data/templates/ipsec/swanctl/profile.tmpl | 13 | ||||
-rw-r--r-- | interface-definitions/vpn_ipsec.xml.in | 46 | ||||
-rwxr-xr-x | smoketest/scripts/cli/test_vpn_ipsec.py | 5 | ||||
-rwxr-xr-x | src/conf_mode/vpn_ipsec.py | 167 |
6 files changed, 105 insertions, 184 deletions
diff --git a/data/templates/ipsec/swanctl.conf.tmpl b/data/templates/ipsec/swanctl.conf.tmpl index 116d62beb..cafe52e78 100644 --- a/data/templates/ipsec/swanctl.conf.tmpl +++ b/data/templates/ipsec/swanctl.conf.tmpl @@ -1,25 +1,17 @@ ### Autogenerated by vpn_ipsec.py ### - {% import 'ipsec/swanctl/profile.tmpl' as profile_tmpl %} {% import 'ipsec/swanctl/peer.tmpl' as peer_tmpl %} -{% if profile is defined or site_to_site is defined %} connections { -{% if profile is defined %} -{% for name, profile_conf in profile.items() if profile_conf.disable is not defined and profile_conf.bind is defined and profile_conf.bind.tunnel is defined %} -{% set dmvpn_ike = ike_group[profile_conf.ike_group] %} -{% set dmvpn_esp = esp_group[profile_conf.esp_group] %} -{{ profile_tmpl.conn(name, profile_conf, dmvpn_ike, dmvpn_esp, ciphers) }} -{% endfor %} -{% endif %} -{% if site_to_site is defined and site_to_site.peer is defined %} -{% for peer, peer_conf in site_to_site.peer.items() if peer not in dhcp_no_address and peer_conf.disable is not defined %} -{% set peer_conn_name = peer.replace(".", "-").replace("@", "") %} -{% set peer_ike = ike_group[peer_conf.ike_group] %} -{% set peer_esp = esp_group[peer_conf.default_esp_group] if peer_conf.default_esp_group is defined else None %} -{% set auth_type = authby[peer_conf.authentication.mode] %} -{{ peer_tmpl.conn(peer_conn_name, peer, peer_conf, peer_ike, peer_esp, ciphers, esp_group, auth_type) }} -{% endfor %} +{% if profile is defined %} +{% for name, profile_conf in profile.items() if profile_conf.disable is not defined and profile_conf.bind is defined and profile_conf.bind.tunnel is defined %} +{{ profile_tmpl.conn(name, profile_conf, ike_group, esp_group) }} +{% endfor %} +{% endif %} +{% if site_to_site is defined and site_to_site.peer is defined %} +{% for peer, peer_conf in site_to_site.peer.items() if peer not in dhcp_no_address and peer_conf.disable is not defined %} +{{ peer_tmpl.conn(peer, peer_conf, ike_group, esp_group) }} +{% endfor %} {% endif %} } @@ -38,9 +30,9 @@ secrets { {% if site_to_site is defined and site_to_site.peer is defined %} {% set ns = namespace(local_key_set=False) %} {% for peer, peer_conf in site_to_site.peer.items() if peer not in dhcp_no_address and peer_conf.disable is not defined %} -{% set peer_conn_name = peer.replace(".", "-").replace("@", "") %} +{% set peer_name = peer.replace(".", "-").replace("@", "") %} {% if peer_conf.authentication.mode == 'pre-shared-secret' %} - ike_{{ peer_conn_name }} { + ike_{{ peer_name }} { {% if peer_conf.local_address is defined %} id-local = {{ peer_conf.local_address }} # dhcp:{{ peer_conf.dhcp_interface if 'dhcp_interface' in peer_conf else 'no' }} {% endif %} @@ -54,7 +46,7 @@ secrets { secret = "{{ peer_conf.authentication.pre_shared_secret }}" } {% elif peer_conf.authentication.mode == 'x509' %} - private_{{ peer_conn_name }} { + private_{{ peer_name }} { file = {{ peer_conf.authentication.x509.certificate }}.pem {% if peer_conf.authentication.x509.passphrase is defined %} secret = "{{ peer_conf.authentication.x509.passphrase }}" @@ -69,4 +61,4 @@ secrets { {% endfor %} {% endif %} } -{% endif %} + diff --git a/data/templates/ipsec/swanctl/peer.tmpl b/data/templates/ipsec/swanctl/peer.tmpl index 7cc3fa29f..0559d1dac 100644 --- a/data/templates/ipsec/swanctl/peer.tmpl +++ b/data/templates/ipsec/swanctl/peer.tmpl @@ -1,7 +1,10 @@ -{% macro conn(name, peer, peer_conf, ike, esp, ciphers, esp_group, auth_type) %} +{% macro conn(peer, peer_conf, ike_group, esp_group) %} +{% set name = peer.replace(".", "-").replace("@", "") %} +{# peer needs to reference the global IKE configuration for certain values #} +{% set ike = ike_group[peer_conf.ike_group] %} peer_{{ name }} { - proposals = {{ ciphers.ike[peer_conf.ike_group] }} - version = {{ ike.key_exchange[4:] if ike.key_exchange is defined else "0" }} + proposals = {{ ike | get_esp_ike_cipher | join(',') }} + version = {{ ike.key_exchange[4:] if ike is defined and ike.key_exchange is defined else "0" }} local_addrs = {{ peer_conf.local_address if peer_conf.local_address != 'any' else '0.0.0.0/0' }} # dhcp:{{ peer_conf.dhcp_interface if 'dhcp_interface' in peer_conf else 'no' }} remote_addrs = {{ peer if peer not in ['any', '0.0.0.0'] and peer[0:1] != '@' else '0.0.0.0/0' }} {% if peer_conf.authentication is defined and peer_conf.authentication.mode is defined and peer_conf.authentication.mode == 'x509' %} @@ -31,9 +34,7 @@ {% if peer_conf.authentication.id is defined and peer_conf.authentication.use_x509_id is not defined %} id = "{{ peer_conf.authentication.id }}" {% endif %} -{% if auth_type %} - auth = {{ auth_type }} -{% endif %} + auth = {{ 'psk' if peer_conf.authentication.mode == 'pre-shared-secret' else 'pubkey' }} {% if peer_conf.authentication.mode == 'x509' %} certs = {{ peer_conf.authentication.x509.certificate }}.pem {% elif peer_conf.authentication.mode == 'rsa' %} @@ -46,9 +47,7 @@ {% elif peer[0:1] == '@' %} id = "{{ peer }}" {% endif %} -{% if auth_type %} - auth = {{ auth_type }} -{% endif %} + auth = {{ 'psk' if peer_conf.authentication.mode == 'pre-shared-secret' else 'pubkey' }} {% if peer_conf.authentication.mode == 'rsa' %} pubkeys = {{ peer_conf.authentication.rsa_key_name }}.pub {% endif %} @@ -57,7 +56,7 @@ {% if peer_conf.vti is defined and peer_conf.vti.bind is defined and peer_conf.tunnel is not defined %} {% set vti_esp = esp_group[peer_conf.vti.esp_group] if peer_conf.vti.esp_group is defined else None %} peer_{{ name }}_vti { - esp_proposals = {{ ciphers.esp[peer_conf.vti.esp_group] }} + esp_proposals = {{ vti_esp | get_esp_ike_cipher | join(',') }} local_ts = 0.0.0.0/0,::/0 remote_ts = 0.0.0.0/0,::/0 updown = "/etc/ipsec.d/vti-up-down {{ peer_conf.vti.bind }} {{ peer_conf.dhcp_interface if peer_conf.dhcp_interface is defined else 'no' }}" @@ -77,8 +76,7 @@ dpd_action = {{ dpd_translate[ike.dead_peer_detection.action] }} {% endif %} } -{% endif %} -{% if peer_conf.tunnel is defined %} +{% elif peer_conf.tunnel is defined %} {% for tunnel_id, tunnel_conf in peer_conf.tunnel.items() if tunnel_conf.disable is not defined %} {% set tunnel_esp_name = tunnel_conf.esp_group if tunnel_conf.esp_group is defined else peer_conf.default_esp_group %} {% set tunnel_esp = esp_group[tunnel_esp_name] %} @@ -88,7 +86,7 @@ {% set remote_port = tunnel_conf.remote.port if tunnel_conf.remote is defined and tunnel_conf.remote.port is defined else '' %} {% set remote_suffix = '[{0}/{1}]'.format(proto, remote_port) if proto or remote_port else '' %} peer_{{ name }}_tunnel_{{ tunnel_id }} { - esp_proposals = {{ ciphers.esp[tunnel_esp_name] }} + esp_proposals = {{ esp_group[peer_conf.default_esp_group] | get_esp_ike_cipher | join(',') }} {% if tunnel_esp.mode is not defined or tunnel_esp.mode == 'tunnel' %} {% if tunnel_conf.local is defined and tunnel_conf.local.prefix is defined %} {% set local_prefix = tunnel_conf.local.prefix if 'any' not in tunnel_conf.local.prefix else ['0.0.0.0/0', '::/0'] %} diff --git a/data/templates/ipsec/swanctl/profile.tmpl b/data/templates/ipsec/swanctl/profile.tmpl index f6f6f4d70..0360972f6 100644 --- a/data/templates/ipsec/swanctl/profile.tmpl +++ b/data/templates/ipsec/swanctl/profile.tmpl @@ -1,9 +1,12 @@ -{% macro conn(name, profile_conf, ike, esp, ciphers) %} +{% macro conn(name, profile_conf, ike_group, esp_group) %} +{# peer needs to reference the global IKE configuration for certain values #} +{% set ike = ike_group[profile_conf.ike_group] %} +{% set esp = esp_group[profile_conf.esp_group] %} {% if profile_conf.bind is defined and profile_conf.bind.tunnel is defined %} {% for interface in profile_conf.bind.tunnel %} dmvpn-{{ name }}-{{ interface }} { - proposals = {{ ciphers.ike[profile_conf.ike_group] }} - version = {{ ike.key_exchange[4:] if ike.key_exchange is defined else "0" }} + proposals = {{ ike_group[profile_conf.ike_group] | get_esp_ike_cipher | join(',') }} + version = {{ ike.key_exchange[4:] if ike is defined and ike.key_exchange is defined else "0" }} rekey_time = {{ ike.lifetime if ike.lifetime is defined else '28800' }}s keyingtries = 0 {% if profile_conf.authentication is defined and profile_conf.authentication.mode is defined and profile_conf.authentication.mode == 'pre-shared-secret' %} @@ -16,12 +19,12 @@ {% endif %} children { dmvpn { - esp_proposals = {{ ciphers.esp[profile_conf.esp_group] }} + esp_proposals = {{ esp | get_esp_ike_cipher | join(',') }} rekey_time = {{ esp.lifetime if esp.lifetime is defined else '3600' }}s rand_time = 540s local_ts = dynamic[gre] remote_ts = dynamic[gre] - mode = {{ esp.mode if esp.mode is defined else "transport" }} + mode = {{ esp.mode if esp.mode is defined else 'transport' }} {% if ike.dead_peer_detection is defined and ike.dead_peer_detection.action is defined %} dpd_action = {{ ike.dead_peer_detection.action }} {% endif %} diff --git a/interface-definitions/vpn_ipsec.xml.in b/interface-definitions/vpn_ipsec.xml.in index f51c2fc92..6aff7bef5 100644 --- a/interface-definitions/vpn_ipsec.xml.in +++ b/interface-definitions/vpn_ipsec.xml.in @@ -92,95 +92,95 @@ </completionHelp> <valueHelp> <format>enable</format> - <description>Enable PFS. Use ike-groups dh-group (default)</description> + <description>Use Diffie-Hellman group 2 (modp1024) - default</description> </valueHelp> <valueHelp> <format>dh-group1</format> - <description>Enable PFS. Use Diffie-Hellman group 1 (modp768)</description> + <description>Use Diffie-Hellman group 1 (modp768)</description> </valueHelp> <valueHelp> <format>dh-group2</format> - <description>Enable PFS. Use Diffie-Hellman group 2 (modp1024)</description> + <description>Use Diffie-Hellman group 2 (modp1024)</description> </valueHelp> <valueHelp> <format>dh-group5</format> - <description>Enable PFS. Use Diffie-Hellman group 5 (modp1536)</description> + <description>Use Diffie-Hellman group 5 (modp1536)</description> </valueHelp> <valueHelp> <format>dh-group14</format> - <description>Enable PFS. Use Diffie-Hellman group 14 (modp2048)</description> + <description>Use Diffie-Hellman group 14 (modp2048)</description> </valueHelp> <valueHelp> <format>dh-group15</format> - <description>Enable PFS. Use Diffie-Hellman group 15 (modp3072)</description> + <description>Use Diffie-Hellman group 15 (modp3072)</description> </valueHelp> <valueHelp> <format>dh-group16</format> - <description>Enable PFS. Use Diffie-Hellman group 16 (modp4096)</description> + <description>Use Diffie-Hellman group 16 (modp4096)</description> </valueHelp> <valueHelp> <format>dh-group17</format> - <description>Enable PFS. Use Diffie-Hellman group 17 (modp6144)</description> + <description>Use Diffie-Hellman group 17 (modp6144)</description> </valueHelp> <valueHelp> <format>dh-group18</format> - <description>Enable PFS. Use Diffie-Hellman group 18 (modp8192)</description> + <description>Use Diffie-Hellman group 18 (modp8192)</description> </valueHelp> <valueHelp> <format>dh-group19</format> - <description>Enable PFS. Use Diffie-Hellman group 19 (ecp256)</description> + <description>Use Diffie-Hellman group 19 (ecp256)</description> </valueHelp> <valueHelp> <format>dh-group20</format> - <description>Enable PFS. Use Diffie-Hellman group 20 (ecp384)</description> + <description>Use Diffie-Hellman group 20 (ecp384)</description> </valueHelp> <valueHelp> <format>dh-group21</format> - <description>Enable PFS. Use Diffie-Hellman group 21 (ecp521)</description> + <description>Use Diffie-Hellman group 21 (ecp521)</description> </valueHelp> <valueHelp> <format>dh-group22</format> - <description>Enable PFS. Use Diffie-Hellman group 22 (modp1024s160)</description> + <description>Use Diffie-Hellman group 22 (modp1024s160)</description> </valueHelp> <valueHelp> <format>dh-group23</format> - <description>Enable PFS. Use Diffie-Hellman group 23 (modp2048s224)</description> + <description>Use Diffie-Hellman group 23 (modp2048s224)</description> </valueHelp> <valueHelp> <format>dh-group24</format> - <description>Enable PFS. Use Diffie-Hellman group 24 (modp2048s256)</description> + <description>Use Diffie-Hellman group 24 (modp2048s256)</description> </valueHelp> <valueHelp> <format>dh-group25</format> - <description>Enable PFS. Use Diffie-Hellman group 25 (ecp192)</description> + <description>Use Diffie-Hellman group 25 (ecp192)</description> </valueHelp> <valueHelp> <format>dh-group26</format> - <description>Enable PFS. Use Diffie-Hellman group 26 (ecp224)</description> + <description>Use Diffie-Hellman group 26 (ecp224)</description> </valueHelp> <valueHelp> <format>dh-group27</format> - <description>Enable PFS. Use Diffie-Hellman group 27 (ecp224bp)</description> + <description>Use Diffie-Hellman group 27 (ecp224bp)</description> </valueHelp> <valueHelp> <format>dh-group28</format> - <description>Enable PFS. Use Diffie-Hellman group 28 (ecp256bp)</description> + <description>Use Diffie-Hellman group 28 (ecp256bp)</description> </valueHelp> <valueHelp> <format>dh-group29</format> - <description>Enable PFS. Use Diffie-Hellman group 29 (ecp384bp)</description> + <description>Use Diffie-Hellman group 29 (ecp384bp)</description> </valueHelp> <valueHelp> <format>dh-group30</format> - <description>Enable PFS. Use Diffie-Hellman group 30 (ecp512bp)</description> + <description>Use Diffie-Hellman group 30 (ecp512bp)</description> </valueHelp> <valueHelp> <format>dh-group31</format> - <description>Enable PFS. Use Diffie-Hellman group 31 (curve25519)</description> + <description>Use Diffie-Hellman group 31 (curve25519)</description> </valueHelp> <valueHelp> <format>dh-group32</format> - <description>Enable PFS. Use Diffie-Hellman group 32 (curve448)</description> + <description>Use Diffie-Hellman group 32 (curve448)</description> </valueHelp> <valueHelp> <format>disable</format> diff --git a/smoketest/scripts/cli/test_vpn_ipsec.py b/smoketest/scripts/cli/test_vpn_ipsec.py index 9c0ad2075..fda8b74b1 100755 --- a/smoketest/scripts/cli/test_vpn_ipsec.py +++ b/smoketest/scripts/cli/test_vpn_ipsec.py @@ -18,8 +18,9 @@ import os import unittest from base_vyostest_shim import VyOSUnitTestSHIM - -from vyos.util import call, process_named_running, read_file +from vyos.util import call +from vyos.util import process_named_running +from vyos.util import read_file ethernet_path = ['interfaces', 'ethernet'] tunnel_path = ['interfaces', 'tunnel'] diff --git a/src/conf_mode/vpn_ipsec.py b/src/conf_mode/vpn_ipsec.py index ce72ee094..e95a3e82d 100755 --- a/src/conf_mode/vpn_ipsec.py +++ b/src/conf_mode/vpn_ipsec.py @@ -39,46 +39,11 @@ from vyos import ConfigError from vyos import airbag airbag.enable() -authby_translate = { - 'pre-shared-secret': 'psk', - 'rsa': 'pubkey', - 'x509': 'pubkey' -} - -default_pfs = 'dh-group2' -pfs_translate = { - 'dh-group1' : 'modp768', - 'dh-group2' : 'modp1024', - 'dh-group5' : 'modp1536', - 'dh-group14' : 'modp2048', - 'dh-group15' : 'modp3072', - 'dh-group16' : 'modp4096', - 'dh-group17' : 'modp6144', - 'dh-group18' : 'modp8192', - 'dh-group19' : 'ecp256', - 'dh-group20' : 'ecp384', - 'dh-group21' : 'ecp512', - 'dh-group22' : 'modp1024s160', - 'dh-group23' : 'modp2048s224', - 'dh-group24' : 'modp2048s256', - 'dh-group25' : 'ecp192', - 'dh-group26' : 'ecp224', - 'dh-group27' : 'ecp224bp', - 'dh-group28' : 'ecp256bp', - 'dh-group29' : 'ecp384bp', - 'dh-group30' : 'ecp512bp', - 'dh-group31' : 'curve25519', - 'dh-group32' : 'curve448' -} - any_log_modes = [ 'dmn', 'mgr', 'ike', 'chd','job', 'cfg', 'knl', 'net', 'asn', 'enc', 'lib', 'esp', 'tls', 'tnc', 'imc', 'imv', 'pts' ] -ike_ciphers = {} -esp_ciphers = {} - dhcp_wait_attempts = 2 dhcp_wait_sleep = 1 @@ -113,52 +78,18 @@ def get_config(config=None): get_first_key=True, no_tag_node_value_mangle=True) ipsec['dhcp_no_address'] = {} - ipsec['interface_change'] = leaf_node_changed(conf, base + ['ipsec-interfaces', 'interface']) - ipsec['l2tp_exists'] = conf.exists(['vpn', 'l2tp', 'remote-access', 'ipsec-settings']) + ipsec['interface_change'] = leaf_node_changed(conf, base + ['ipsec-interfaces', + 'interface']) + ipsec['l2tp_exists'] = conf.exists(['vpn', 'l2tp', 'remote-access', + 'ipsec-settings']) ipsec['nhrp_exists'] = conf.exists(['protocols', 'nhrp', 'tunnel']) ipsec['pki'] = conf.get_config_dict(['pki'], key_mangling=('-', '_'), - get_first_key=True, no_tag_node_value_mangle=True) - ipsec['rsa_keys'] = conf.get_config_dict(['vpn', 'rsa-keys'], key_mangling=('-', '_'), - get_first_key=True, no_tag_node_value_mangle=True) - - default_ike_pfs = None - - if 'ike_group' in ipsec: - for group, ike_conf in ipsec['ike_group'].items(): - if 'proposal' in ike_conf: - ciphers = [] - for i in ike_conf['proposal']: - proposal = ike_conf['proposal'][i] - enc = proposal['encryption'] if 'encryption' in proposal else None - hash = proposal['hash'] if 'hash' in proposal else None - pfs = ('dh-group' + proposal['dh_group']) if 'dh_group' in proposal else default_pfs - - if not default_ike_pfs: - default_ike_pfs = pfs - - if enc and hash: - ciphers.append(f"{enc}-{hash}-{pfs_translate[pfs]}" if pfs else f"{enc}-{hash}") - ike_ciphers[group] = ','.join(ciphers) - - if 'esp_group' in ipsec: - for group, esp_conf in ipsec['esp_group'].items(): - pfs = esp_conf['pfs'] if 'pfs' in esp_conf else 'enable' - - if pfs == 'disable': - pfs = None - - if pfs == 'enable': - pfs = default_ike_pfs - - if 'proposal' in esp_conf: - ciphers = [] - for i in esp_conf['proposal']: - proposal = esp_conf['proposal'][i] - enc = proposal['encryption'] if 'encryption' in proposal else None - hash = proposal['hash'] if 'hash' in proposal else None - if enc and hash: - ciphers.append(f"{enc}-{hash}-{pfs_translate[pfs]}" if pfs else f"{enc}-{hash}") - esp_ciphers[group] = ','.join(ciphers) + get_first_key=True, + no_tag_node_value_mangle=True) + ipsec['rsa_keys'] = conf.get_config_dict(['vpn', 'rsa-keys'], + key_mangling=('-', '_'), + get_first_key=True, + no_tag_node_value_mangle=True) return ipsec @@ -361,58 +292,54 @@ def generate(ipsec): os.unlink(config_file) return - data = {} - if ipsec: - if ipsec['dhcp_no_address']: - with open(DHCP_HOOK_IFLIST, 'w') as f: - f.write(" ".join(ipsec['dhcp_no_address'].values())) + if ipsec['dhcp_no_address']: + with open(DHCP_HOOK_IFLIST, 'w') as f: + f.write(" ".join(ipsec['dhcp_no_address'].values())) - data = ipsec - data['authby'] = authby_translate - data['ciphers'] = {'ike': ike_ciphers, 'esp': esp_ciphers} - data['rsa_local_key'] = verify_rsa_local_key(ipsec) + data = ipsec + data['rsa_local_key'] = verify_rsa_local_key(ipsec) - for path in [swanctl_dir, CERT_PATH, CA_PATH, CRL_PATH]: - if not os.path.exists(path): - os.mkdir(path, mode=0o755) + for path in [swanctl_dir, CERT_PATH, CA_PATH, CRL_PATH]: + if not os.path.exists(path): + os.mkdir(path, mode=0o755) - if not os.path.exists(KEY_PATH): - os.mkdir(KEY_PATH, mode=0o700) + if not os.path.exists(KEY_PATH): + os.mkdir(KEY_PATH, mode=0o700) - if 'site_to_site' in data and 'peer' in data['site_to_site']: - for peer, peer_conf in ipsec['site_to_site']['peer'].items(): - if peer in ipsec['dhcp_no_address']: - continue + if 'site_to_site' in data and 'peer' in data['site_to_site']: + for peer, peer_conf in ipsec['site_to_site']['peer'].items(): + if peer in ipsec['dhcp_no_address']: + continue - if peer_conf['authentication']['mode'] == 'x509': - generate_pki_files(ipsec['pki'], peer_conf['authentication']['x509']) + if peer_conf['authentication']['mode'] == 'x509': + generate_pki_files(ipsec['pki'], peer_conf['authentication']['x509']) - local_ip = '' - if 'local_address' in peer_conf: - local_ip = peer_conf['local_address'] - elif 'dhcp_interface' in peer_conf: - local_ip = get_dhcp_address(peer_conf['dhcp_interface']) + local_ip = '' + if 'local_address' in peer_conf: + local_ip = peer_conf['local_address'] + elif 'dhcp_interface' in peer_conf: + local_ip = get_dhcp_address(peer_conf['dhcp_interface']) - data['site_to_site']['peer'][peer]['local_address'] = local_ip + data['site_to_site']['peer'][peer]['local_address'] = local_ip - if 'tunnel' in peer_conf: - for tunnel, tunnel_conf in peer_conf['tunnel'].items(): - local_prefixes = dict_search('local.prefix', tunnel_conf) - remote_prefixes = dict_search('remote.prefix', tunnel_conf) + if 'tunnel' in peer_conf: + for tunnel, tunnel_conf in peer_conf['tunnel'].items(): + local_prefixes = dict_search('local.prefix', tunnel_conf) + remote_prefixes = dict_search('remote.prefix', tunnel_conf) - if not local_prefixes or not remote_prefixes: - continue + if not local_prefixes or not remote_prefixes: + continue - passthrough = [] + passthrough = [] - for local_prefix in local_prefixes: - for remote_prefix in remote_prefixes: - local_net = ipaddress.ip_network(local_prefix) - remote_net = ipaddress.ip_network(remote_prefix) - if local_net.overlaps(remote_net): - passthrough.append(local_prefix) + for local_prefix in local_prefixes: + for remote_prefix in remote_prefixes: + local_net = ipaddress.ip_network(local_prefix) + remote_net = ipaddress.ip_network(remote_prefix) + if local_net.overlaps(remote_net): + passthrough.append(local_prefix) - data['site_to_site']['peer'][peer]['tunnel'][tunnel]['passthrough'] = passthrough + data['site_to_site']['peer'][peer]['tunnel'][tunnel]['passthrough'] = passthrough if 'logging' in ipsec and 'log_modes' in ipsec['logging']: modes = ipsec['logging']['log_modes'] @@ -448,7 +375,7 @@ def apply(ipsec): if not ipsec: call('sudo /usr/sbin/ipsec stop') else: - should_start = ('profile' in ipsec or dict_search('site_to_site.peer', ipsec)) + should_start = 'profile' in ipsec or dict_search('site_to_site.peer', ipsec) if not process_named_running('charon') and should_start: args = f'--auto-update {ipsec["auto_update"]}' if 'auto_update' in ipsec else '' |