author | Christian Poessinger <christian@poessinger.com> | 2021-07-03 18:05:48 +0200 |
committer | Christian Poessinger <christian@poessinger.com> | 2021-07-03 18:11:38 +0200 |
commit | 32fab6c7c5a7d8ad926513fcc5a5c637b77769e3 (patch) | |
tree | e8c08b8ef9df6490c622bbbc2e5be9e61695efdb | |
parent | 094d79aee118a75898ef9b85a77f211e0eacd94d (diff) | |
ipsec: T2816: provide esp and ike-group XML building block
-rw-r--r-- | data/templates/ipsec/swanctl.conf.tmpl | 22 | ||||
-rw-r--r-- | interface-definitions/include/ipsec/esp-group.xml.i | 10 | ||||
-rw-r--r-- | interface-definitions/include/ipsec/ike-group.xml.i | 10 | ||||
-rw-r--r-- | interface-definitions/vpn_ipsec.xml.in | 45 | ||||
-rwxr-xr-x | src/conf_mode/vpn_ipsec.py | 2 |
5 files changed, 49 insertions, 40 deletions
diff --git a/data/templates/ipsec/swanctl.conf.tmpl b/data/templates/ipsec/swanctl.conf.tmpl
index cafe52e78..06fd8e8c2 100644
--- a/data/templates/ipsec/swanctl.conf.tmpl
+++ b/data/templates/ipsec/swanctl.conf.tmpl
@@ -13,6 +13,28 @@ connections {
 {{ peer_tmpl.conn(peer, peer_conf, ike_group, esp_group) }}
 {% endfor %}
 {% endif %}
+{% if remote_access is defined and remote_access is not none %}
+{% set ike = ike_group[peer_conf.ike_group] %}
+ road_warrior {
+ proposals = {{ ike | get_esp_ike_cipher | join(',') }}
+ version = {{ ike.key_exchange[4:] if ike is defined and ike.key_exchange is defined else "0" }}
+ local_addrs = 192.168.0.1
+ local {
+ auth = eap-peap
+ certs = moonCert.pem
+ }
+ remote {
+ auth = eap-peap
+ }
+ send_certreq = no
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+ esp_proposals = {{ esp_group[peer_conf.default_esp_group] | get_esp_ike_cipher | join(',') }}
+ }
+ }
+ }
+{% endif %}
 }
 
 secrets {
diff --git a/interface-definitions/include/ipsec/esp-group.xml.i b/interface-definitions/include/ipsec/esp-group.xml.i
new file mode 100644
index 000000000..5e5d8197b
--- /dev/null
+++ b/interface-definitions/include/ipsec/esp-group.xml.i
@@ -0,0 +1,10 @@
+<!-- include start from ipsec/esp-group.xml.i -->
+<leafNode name="esp-group">
+ <properties>
+ <help>Encapsulating Security Payloads (ESP) group name</help>
+ <completionHelp>
+ <path>vpn ipsec esp-group</path>
+ </completionHelp>
+ </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/ipsec/ike-group.xml.i b/interface-definitions/include/ipsec/ike-group.xml.i
new file mode 100644
index 000000000..f7649ed30
--- /dev/null
+++ b/interface-definitions/include/ipsec/ike-group.xml.i
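Review bot: The second added line, `{% set ike = ike_group[peer_conf.ike_group] %}`, reads `peer_conf` after the `{% endfor %}` context line has closed the loop that defined it; with the Jinja2 scoping this template syntax implies, the loop variable is not available there, so rendering with `remote_access` set fails or resolves to an undefined key, and the same applies to `esp_group[peer_conf.default_esp_group]` in the `net` child. The rest of the block is fixed example material — `local_addrs = 192.168.0.1`, `certs = moonCert.pem`, `local_ts = 10.1.0.0/16`, `auth = eap-peap` — none of it read from `remote_access`, so an operator who enables the node gets a connection bound to an address and a certificate file that do not exist on their system. If this is meant to land as a scaffold, a `{# TODO: placeholder values, not yet driven by the remote_access config #}` comment at the top of the block would make that explicit, and the `ike is defined` test on the `version` line is redundant after the unconditional `{% set ike = ... %}`.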
@@ -0,0 +1,10 @@
+<!-- include start from ipsec/ike-group.xml.i -->
+<leafNode name="ike-group">
+ <properties>
+ <help>Internet Key Exchange (IKE) group name</help>
+ <completionHelp>
+ <path>vpn ipsec ike-group</path>
+ </completionHelp>
+ </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/vpn_ipsec.xml.in b/interface-definitions/vpn_ipsec.xml.in
index fdd091dd9..c301703c3 100644
--- a/interface-definitions/vpn_ipsec.xml.in
+++ b/interface-definitions/vpn_ipsec.xml.in
@@ -701,22 +701,8 @@
 </leafNode>
 </children>
 </node>
- <leafNode name="esp-group">
- <properties>
- <help>ESP group name [REQUIRED]</help>
- <completionHelp>
- <path>vpn ipsec esp-group</path>
- </completionHelp>
- </properties>
- </leafNode>
- <leafNode name="ike-group">
- <properties>
- <help>IKE group name [REQUIRED]</help>
- <completionHelp>
- <path>vpn ipsec ike-group</path>
- </completionHelp>
- </properties>
- </leafNode>
+ #include <include/ipsec/esp-group.xml.i>
+ #include <include/ipsec/ike-group.xml.i>
 </children>
 </tagNode>
 <node name="site-to-site">
@@ -878,14 +864,7 @@
 </constraint>
 </properties>
 </leafNode>
- <leafNode name="ike-group">
- <properties>
- <help>Internet Key Exchange (IKE) group name [REQUIRED]</help>
- <completionHelp>
- <path>vpn ipsec ike-group</path>
- </completionHelp>
- </properties>
- </leafNode>
+ #include <include/ipsec/ike-group.xml.i>
 <leafNode name="ikev2-reauth">
 <properties>
 <help>Re-authentication of the remote peer during an IKE re-key. IKEv2 option only</help>
@@ -944,14 +923,7 @@
 </properties>
 <children>
 #include <include/generic-disable-node.xml.i>
- <leafNode name="esp-group">
- <properties>
- <help>ESP group name</help>
- <completionHelp>
- <path>vpn ipsec esp-group</path>
- </completionHelp>
- </properties>
- </leafNode>
+ #include <include/ipsec/esp-group.xml.i>
 <node name="local">
 <properties>
 <help>Local parameters for interesting traffic</help>
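Review bot: The shared include silently drops the `[REQUIRED]` marker that the removed `esp-group` and `ike-group` help texts carried in the -701 hunk, and likewise in the -878 and -1041 hunks, while the -944 hunk (the tunnel `esp-group`) had no marker; one include cannot say both, so the distinction is lost at the CLI. Unless the requirement is already enforced in the conf_mode verify step, which the diffstat's two-line change to `src/conf_mode/vpn_ipsec.py` does not do, either keep per-caller help text where the group is mandatory or document in the include that the check lives in Python. Separately, the new esp-group.xml.i help reads `Encapsulating Security Payloads (ESP) group name`; the protocol name is singular, `Encapsulating Security Payload (ESP) group name`.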
@@ -1041,14 +1013,7 @@
 <help>VTI tunnel interface associated with this configuration [REQUIRED]</help>
 </properties>
 </leafNode>
- <leafNode name="esp-group">
- <properties>
- <help>ESP group name [REQUIRED]</help>
- <completionHelp>
- <path>vpn ipsec esp-group</path>
- </completionHelp>
- </properties>
- </leafNode>
+ #include <include/ipsec/esp-group.xml.i>
 </children>
 </node>
 </children>
diff --git a/src/conf_mode/vpn_ipsec.py b/src/conf_mode/vpn_ipsec.py
index ff26f875a..d1b29ee9a 100755
--- a/src/conf_mode/vpn_ipsec.py
+++ b/src/conf_mode/vpn_ipsec.py
@@ -109,6 +109,8 @@ def get_config(config=None):
 get_first_key=True,
 no_tag_node_value_mangle=True)
 
+ import pprint
+ pprint.pprint(ipsec)
 return ipsec
 
 def get_rsa_local_key(ipsec):
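Review bot: The two added lines leave a `pprint.pprint(ipsec)` debug dump in `get_config()`, which writes the whole fetched `vpn ipsec` subtree to stdout on every run of this conf_mode script; given that the template in this same commit renders a `secrets {` section from that data, the dump plausibly includes pre-shared keys or key passphrases, which would then land in commit output and any log that captures it. The function-local `import pprint` also departs from the file's top-of-file import layout. Remove both lines before merge; if a dump is genuinely wanted during development, keep it behind an explicit debug switch rather than unconditional. `get_config()` starts before this hunk.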